
Module sidecars



Per-ecosystem fixups for the integrity sidecars that package managers verify at build/install time.

Patching a file inside a package directory leaves the ecosystem’s own checksum metadata pointing at the pre-patch hash. The next cargo build, pip check, or nuget restore then either fails (“checksum changed”) or flags the install as tampered. This module owns the post-apply rewrites that keep those sidecars consistent with what we just wrote to disk.

Coverage in this revision:

  • Cargo ([cargo::fixup]): rewrite .cargo-checksum.json so cargo build accepts the patched sources.
  • NuGet ([nuget::fixup]): delete .nupkg.metadata (we cannot honestly recompute contentHash without the original .nupkg; a deleted sidecar is the “unknown” state, whereas a stale hash would be flagged as tampering). A signed-package .nupkg.sha512 marker surfaces an advisory ALONGSIDE the metadata deletion.
  • PyPI / gem / Go: advisory only: emit a structured advisory so downstream tooling can act on the consequences programmatically. Full sidecar rewrites land in follow-ups.

All ecosystems return a SidecarRecord via dispatch_fixup. The record is the canonical JSON-envelope shape — see types for field documentation and stability guarantees.
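As an added example, not this crate's own code: the three behaviours from the coverage list above (Cargo rewrite of .cargo-checksum.json, NuGet deletion of .nupkg.metadata with the .nupkg.sha512 advisory alongside, advisory-only for the rest) plus the error boundary described under SidecarError, sketched in Python so they can be run against a scratch package directory. The ecosystem strings, the record field names (`files`, `advisories`, `rehashed`, `action`), the advisory code strings, and the constructed crate layout are assumptions of this example and are not this module's schema.

```python
"""Added example (not the sidecars crate's own code): post-apply sidecar
fixups run on a scratch package directory. Ecosystem names, record field
names and advisory code strings are constructed for this example."""
import hashlib
import json
import os
import tempfile

CARGO_SIDECAR = ".cargo-checksum.json"
NUGET_METADATA = ".nupkg.metadata"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def fixup_cargo(pkg_dir):
    """Rehash every entry of the 'files' map so it matches the bytes on disk.
    The 'package' key (hash of the original .crate tarball) is left untouched:
    it cannot be recomputed from unpacked sources."""
    sidecar = os.path.join(pkg_dir, CARGO_SIDECAR)
    with open(sidecar, encoding="utf-8") as f:
        doc = json.load(f)
    rehashed, advisories = [], []
    for rel, old in list(doc.get("files", {}).items()):
        path = os.path.join(pkg_dir, rel)
        if not os.path.isfile(path):
            # The patch removed a listed file: drop the entry and report it.
            del doc["files"][rel]
            advisories.append({"code": "listed_file_missing", "severity": "warning", "path": rel})
            continue
        new = sha256_file(path)
        if new != old:
            doc["files"][rel] = new
            rehashed.append(rel)
    with open(sidecar, "w", encoding="utf-8") as f:
        json.dump(doc, f, sort_keys=True)
    return {"ecosystem": "cargo", "files": [{"path": CARGO_SIDECAR, "action": "rewritten"}],
            "advisories": advisories, "rehashed": rehashed}


def fixup_nuget(pkg_dir):
    """Delete .nupkg.metadata (contentHash cannot be recomputed without the
    original .nupkg); a .nupkg.sha512 marker is left in place and reported."""
    record = {"ecosystem": "nuget", "files": [], "advisories": [], "rehashed": []}
    meta = os.path.join(pkg_dir, NUGET_METADATA)
    if os.path.isfile(meta):
        os.remove(meta)
        record["files"].append({"path": NUGET_METADATA, "action": "deleted"})
    for name in sorted(os.listdir(pkg_dir)):
        if name.endswith(".nupkg.sha512"):
            record["advisories"].append({"code": "signed_package_marker", "severity": "warning", "path": name})
    return record


def fixup_advisory_only(ecosystem):
    return {"ecosystem": ecosystem, "files": [], "rehashed": [],
            "advisories": [{"code": "sidecar_not_rewritten", "severity": "warning", "path": None}]}


def dispatch_fixup(ecosystem, pkg_dir):
    """Boundary: a failing fixup never undoes the patch (bytes are already on
    disk); the failure becomes an advisory in a uniformly shaped record."""
    try:
        if ecosystem == "cargo":
            return fixup_cargo(pkg_dir)
        if ecosystem == "nuget":
            return fixup_nuget(pkg_dir)
        if ecosystem in ("pypi", "gem", "go"):
            return fixup_advisory_only(ecosystem)
        raise ValueError(f"unsupported ecosystem: {ecosystem}")
    except (OSError, ValueError) as exc:  # JSONDecodeError is a ValueError
        return {"ecosystem": ecosystem, "files": [], "rehashed": [],
                "advisories": [{"code": "sidecar_fixup_failed", "severity": "error",
                                "path": None, "detail": str(exc)}]}


def demo_cargo():
    """Constructed crate: record the pre-patch hash, patch the file, run the fixup."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "src"))
    lib = os.path.join(root, "src", "lib.rs")
    with open(lib, "w") as f:
        f.write('pub fn hello() -> &\'static str { "hi" }\n')
    with open(os.path.join(root, CARGO_SIDECAR), "w") as f:
        json.dump({"files": {"src/lib.rs": sha256_file(lib)}, "package": "0" * 64}, f)
    with open(lib, "w") as f:  # the patch: sidecar is now stale
        f.write('pub fn hello() -> &\'static str { "patched" }\n')
    record = dispatch_fixup("cargo", root)
    with open(os.path.join(root, CARGO_SIDECAR)) as f:
        after = json.load(f)
    return record, after, sha256_file(lib)


def demo_nuget():
    """Constructed NuGet package dir with both sidecar files present."""
    root = tempfile.mkdtemp()
    for name in (NUGET_METADATA, "example.1.0.0.nupkg.sha512"):
        open(os.path.join(root, name), "w").close()
    return dispatch_fixup("nuget", root), os.path.exists(os.path.join(root, NUGET_METADATA))


if __name__ == "__main__":
    print(json.dumps(demo_cargo()[0], indent=2))
    print(json.dumps(demo_nuget()[0], indent=2))
```

The Cargo branch only rewrites entries whose hash actually changed and reports them under `rehashed`, so an operator can confirm the set of rehashed paths equals the set of patched paths before trusting the new sidecar; anything else rehashed would mean the directory was modified outside the patch.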

Re-exports

pub use types::SidecarAdvisory;
pub use types::SidecarAdvisoryCode;
pub use types::SidecarFile;
pub use types::SidecarFileAction;
pub use types::SidecarRecord;
pub use types::SidecarSeverity;

Modules

types
Typed schema for the JSON-envelope sidecars[] field.

Enums

SidecarError
Errors a sidecar fixup can return. Each is best-effort: a failing sidecar does NOT undo the patch (the patched bytes are already on disk). The boundary in apply_package_patch converts these to a SidecarRecord carrying SidecarAdvisoryCode::SidecarFixupFailed so consumers see a uniform shape.

Functions

dispatch_fixup
Run the post-apply integrity fixup for the package’s ecosystem.