# F48 publish dry-run validation — 2026-05-06 This document captures the per-crate `cargo publish --dry-run` outcome on the V1-pre-cut workspace state. Run from `rust/` against the workspace at `version = "0.0.0"`. ## Tier 1 — leaves (no internal deps) ```text $ cargo publish --dry-run -p mxaccess-codec --allow-dirty Finished `dev` profile [unoptimized + debuginfo] target(s) Uploading mxaccess-codec v0.0.0 warning: aborting upload due to dry run ← OK $ cargo publish --dry-run -p mxaccess-rpc --allow-dirty ← OK $ cargo publish --dry-run -p mxaccess-asb-nettcp --allow-dirty ← OK ``` All three pass. The `cargo package` step assembles the source tarball without errors; `--dry-run` aborts only at the network upload step. ## Tiers 2 + 3 — dependent crates ```text $ cargo publish --dry-run -p mxaccess-galaxy --allow-dirty Caused by: no matching package named `mxaccess-codec` found location searched: crates.io index required by package `mxaccess-galaxy v0.0.0` ``` Identical "no matching package" failure for: - `mxaccess-galaxy`, `mxaccess-callback`, `mxaccess-asb` (tier 2) - `mxaccess-nmx`, `mxaccess`, `mxaccess-compat` (tier 3) This is **expected** — the workspace internal deps are pinned at `version = "0.0.0"` (placeholder for the as-yet-unpublished V1 cut). Cargo's registry lookup happens even with `--no-verify`, and `0.0.0` won't exist on crates.io until the leaves are actually published. The dependent crates will dry-run cleanly after each upstream tier lands. ## Package contents `cargo package -p --list` confirms each crate's tarball includes only source, tests, and fixture data — no captures, decompiled binaries, or accidental large files. | Crate | File count | Notes | |---|---|---| | `mxaccess-codec` | 27 | source + 2 round-trip fixture binaries (~1KB each) | | `mxaccess-rpc` | 16 | source only | | `mxaccess-asb-nettcp` | 12 | source only | | `mxaccess-galaxy` | 11 | source only | | `mxaccess-callback` | 9 | source only | | `mxaccess-asb` | 14 | source only | | `mxaccess-nmx` | 7 | source only | | `mxaccess` | 18 | source + 7 examples | | `mxaccess-compat` | varies | source + 5 live tests | ## What the actual V1 publish needs Per F48's "Resolves when": 1. Bump workspace version `0.0.0` → `0.1.0` in `rust/Cargo.toml` `[workspace.package]`. 2. For each crate's `[dependencies]` block, bump the workspace-internal `version = "0.0.0"` pins to `version = "0.1.0"` (path deps can stay). 3. Publish in tier order (1 → 2 → 3). Wait for crates.io to index each tier (~30–60s) before starting the next. 4. After all 9 are live, run `cargo install mxaccess` from a fresh checkout — should resolve cleanly without `--locked`. 5. Tag `git tag v0.1.0 && git push origin v0.1.0`. ## Open observations - The `--allow-dirty` flag was used because the workspace has uncommitted edits during this validation pass; the actual publish should run from a clean working tree without that flag. - `Cargo.lock` is included in the published tarball for binary-target crates (notably `mxaccess` ships examples). This is the cargo default for crates with executables; library-only crates don't need it but cargo includes it anyway under the modern resolver. - No `package.exclude` rules were tripped: the `tests/fixtures/m6-buffered/*.bin` files in `mxaccess-codec` are tiny (round-trip fixtures, not big captures) and are deliberately shipped because the parity tests reference them.