sensmetry
diff --git a/‎Cargo.lock‎
Lines changed: 11 additions & 0 deletions b/‎Cargo.lock‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎core/Cargo.toml‎
Lines changed: 2 additions & 2 deletions b/‎core/Cargo.toml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎core/src/commands/mod.rs‎
Lines changed: 2 additions & 0 deletions b/‎core/src/commands/mod.rs‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎core/src/commands/publish.rs‎
Lines changed: 341 additions & 0 deletions b/‎core/src/commands/publish.rs‎
Lines changed: 341 additions & 0 deletions
@@ -45,7 +45,7 @@ log = { version = "0.4.29", default-features = false }
 pubgrub = { version = "0.3.0", default-features = false }
 # partialzip = { version = "5.0.0", default-features = false, optional = true }
 pyo3 = { version = "0.28.2", default-features = false, features = ["macros", "chrono", "indexmap"], optional = true }
-reqwest-middleware = { version = "0.5.1" }
+reqwest-middleware = { version = "0.5.1", features = ["multipart"] }
 semver = { version = "1.0.27", features = ["serde"] }
 serde = { version = "1.0.228", features = ["derive"] }
 serde_json = { version = "1.0.149", default-features = false, features = ["preserve_order"] }
@@ -67,7 +67,7 @@ tokio = { version = "1.50.0", default-features = false, features = ["rt", "io-ut
 bytes = { version = "1.11.1", default-features = false }
 toml_edit = { version = "0.25.4", features = ["serde"] }
 globset = { version = "0.4.18", default-features = false }
-reqwest = { version = "0.13.2", optional = true, features = ["rustls", "stream"] }
+reqwest = { version = "0.13.2", optional = true, features = ["rustls", "stream", "multipart"] }
 dunce = "1.0.5"
 
 [dev-dependencies]
 
@@ -10,6 +10,8 @@ pub mod include;
 pub mod info;
 pub mod init;
 pub mod lock;
+#[cfg(all(feature = "filesystem", feature = "networking"))]
+pub mod publish;
 pub mod remove;
 #[cfg(feature = "filesystem")]
 pub mod root;
 
@@ -0,0 +1,341 @@
+// SPDX-FileCopyrightText: © 2025 Sysand contributors <opensource@sensmetry.com>
+// SPDX-License-Identifier: MIT OR Apache-2.0
+
+use std::sync::Arc;
+
+use bytes::Bytes;
+use camino::Utf8Path;
+use thiserror::Error;
+use url::Url;
+
+use crate::{
+    auth::{GlobMapResult, HTTPAuthentication, StandardHTTPAuthentication},
+    project::{ProjectRead, local_kpar::LocalKParProject},
+};
+
+// Publish-only canonicalization rules for modern project IDs.
+// If additional surfaces need this behavior, extract to a shared module.
+fn is_ascii_alnum(byte: u8) -> bool {
+    byte.is_ascii_alphanumeric()
+}
+
+fn is_canonicalizable_field_with_allowed_separators(s: &str, allow_dot: bool) -> bool {
+    let bytes = s.as_bytes();
+    if !(3..=50).contains(&bytes.len()) {
+        return false;
+    }
+
+    if !is_ascii_alnum(bytes[0]) || !is_ascii_alnum(bytes[bytes.len() - 1]) {
+        return false;
+    }
+
+    for i in 1..(bytes.len() - 1) {
+        let b = bytes[i];
+        if is_ascii_alnum(b) {
+            continue;
+        }
+
+        let is_separator = b == b'-' || b == b' ' || (allow_dot && b == b'.');
+        if !is_separator {
+            return false;
+        }
+
+        if !is_ascii_alnum(bytes[i - 1]) || !is_ascii_alnum(bytes[i + 1]) {
+            return false;
+        }
+    }
+
+    true
+}
+
+fn is_canonicalizable_publisher_field_value(s: &str) -> bool {
+    is_canonicalizable_field_with_allowed_separators(s, false)
+}
+
+fn is_canonicalizable_name_field_value(s: &str) -> bool {
+    is_canonicalizable_field_with_allowed_separators(s, true)
+}
+
+fn canonicalize_modern_project_id_component(s: &str) -> String {
+    s.to_ascii_lowercase().replace(' ', "-")
+}
+
+#[derive(Error, Debug)]
+pub enum PublishError {
+    #[error("failed to read kpar file at `{0}`: {1}")]
+    KparRead(Box<str>, std::io::Error),
+
+    #[error("failed to open kpar project at `{0}`: {1}")]
+    KparOpen(Box<str>, String),
+
+    #[error("missing project info in kpar")]
+    MissingInfo,
+
+    #[error("missing project metadata in kpar")]
+    MissingMeta,
+
+    #[error("missing publisher in project info (required for publishing)")]
+    MissingPublisher,
+
+    #[error(
+        "publisher field `{0}` is invalid for modern project IDs: must be 3-50 characters, use only letters and numbers, may include single spaces or hyphens between words, and must start and end with a letter or number"
+    )]
+    NonCanonicalizablePublisher(Box<str>),
+
+    #[error(
+        "name field `{0}` is invalid for modern project IDs: must be 3-50 characters, use only letters and numbers, may include single spaces, hyphens, or dots between words, and must start and end with a letter or number"
+    )]
+    NonCanonicalizableName(Box<str>),
+
+    #[error(
+        "version field `{version}` is invalid for publishing: must be a valid Semantic Versioning 2.0 version ({source})"
+    )]
+    InvalidVersion {
+        version: Box<str>,
+        source: semver::Error,
+    },
+
+    #[error("invalid index URL `{url}` for publish endpoint: {reason}")]
+    InvalidIndexUrl { url: Box<str>, reason: String },
+
+    #[error(
+        "no bearer token credentials configured for publish URL `{0}`; set SYSAND_CRED_<X> and SYSAND_CRED_<X>_BEARER_TOKEN with a matching URL pattern"
+    )]
+    MissingCredentials(Box<str>),
+
+    #[error("HTTP request failed: {0}")]
+    Http(#[from] reqwest_middleware::Error),
+
+    #[error("server error ({0}): {1}")]
+    ServerError(u16, String),
+
+    #[error("authentication failed: {0}")]
+    AuthError(String),
+
+    #[error("conflict: package version already exists: {0}")]
+    Conflict(String),
+
+    #[error("bad request: {0}")]
+    BadRequest(String),
+}
+
+#[derive(Debug)]
+pub struct PublishResponse {
+    pub status: u16,
+    pub message: String,
+    pub is_new_project: bool,
+}
+
+fn build_upload_url(index_url: &str) -> Result<Url, PublishError> {
+    let mut upload_url = Url::parse(index_url).map_err(|e| PublishError::InvalidIndexUrl {
+        url: index_url.into(),
+        reason: e.to_string(),
+    })?;
+
+    {
+        let mut segments =
+            upload_url
+                .path_segments_mut()
+                .map_err(|_| PublishError::InvalidIndexUrl {
+                    url: index_url.into(),
+                    reason: "URL cannot be used as a hierarchical base URL".to_string(),
+                })?;
+        segments.pop_if_empty();
+        segments.extend(["api", "v1", "upload"]);
+    }
+
+    // Keep publish endpoint path stable even if user provided query/fragment in base URL.
+    upload_url.set_query(None);
+    upload_url.set_fragment(None);
+
+    Ok(upload_url)
+}
+
+pub fn do_publish_kpar<P: AsRef<Utf8Path>>(
+    kpar_path: P,
+    index_url: &str,
+    auth_policy: Arc<StandardHTTPAuthentication>,
+    client: reqwest_middleware::ClientWithMiddleware,
+    runtime: Arc<tokio::runtime::Runtime>,
+) -> Result<PublishResponse, PublishError> {
+    let kpar_path = kpar_path.as_ref();
+    let header = crate::style::get_style_config().header;
+
+    // Open and validate kpar
+    let kpar_project = LocalKParProject::new_guess_root(kpar_path)
+        .map_err(|e| PublishError::KparOpen(kpar_path.as_str().into(), e.to_string()))?;
+
+    let (info, meta) = kpar_project
+        .get_project()
+        .map_err(|e| PublishError::KparOpen(kpar_path.as_str().into(), e.to_string()))?;
+
+    let info = info.ok_or(PublishError::MissingInfo)?;
+    let _meta = meta.ok_or(PublishError::MissingMeta)?;
+
+    let publisher = info
+        .publisher
+        .as_deref()
+        .ok_or(PublishError::MissingPublisher)?;
+    let name = &info.name;
+    let version = &info.version;
+    if !is_canonicalizable_publisher_field_value(publisher) {
+        return Err(PublishError::NonCanonicalizablePublisher(
+            publisher.to_owned().into_boxed_str(),
+        ));
+    }
+    if !is_canonicalizable_name_field_value(name) {
+        return Err(PublishError::NonCanonicalizableName(
+            name.to_owned().into_boxed_str(),
+        ));
+    }
+    semver::Version::parse(version).map_err(|source| PublishError::InvalidVersion {
+        version: version.to_owned().into_boxed_str(),
+        source,
+    })?;
+    let normalized_publisher = canonicalize_modern_project_id_component(publisher);
+    let normalized_name = canonicalize_modern_project_id_component(name);
+    let purl = format!("pkg:sysand/{normalized_publisher}/{normalized_name}@{version}");
+
+    let publishing = "Publishing";
+    log::info!("{header}{publishing:>12}{header:#} `{name}` {version} to {index_url}");
+
+    let file_name = kpar_path
+        .file_name()
+        .unwrap_or(kpar_path.as_str())
+        .to_string();
+
+    // Read kpar file bytes
+    let file_bytes = std::fs::read(kpar_path)
+        .map_err(|e| PublishError::KparRead(kpar_path.as_str().into(), e))?;
+
+    let upload_url = build_upload_url(index_url)?;
+
+    match auth_policy.restricted.lookup(upload_url.as_str()) {
+        GlobMapResult::NotFound => {
+            return Err(PublishError::MissingCredentials(upload_url.as_str().into()));
+        }
+        GlobMapResult::Found(_, _) | GlobMapResult::Ambiguous(_) => {}
+    }
+
+    // Keep upload payload in `Bytes` so request retries clone cheaply.
+    let file_bytes = Bytes::from(file_bytes);
+
+    let request_builder = move |c: &reqwest_middleware::ClientWithMiddleware| {
+        let file_part = reqwest::multipart::Part::stream(file_bytes.clone())
+            .file_name(file_name.clone())
+            .mime_str("application/octet-stream")
+            .expect("valid mime type");
+
+        let form = reqwest::multipart::Form::new()
+            .text("purl", purl.clone())
+            .part("file", file_part);
+
+        c.post(upload_url.as_str()).multipart(form)
+    };
+
+    let response = runtime.block_on(async {
+        auth_policy
+            .with_authentication(&client, &request_builder)
+            .await
+    })?;
+
+    let status = response.status().as_u16();
+    let body = runtime.block_on(response.text()).unwrap_or_default();
+
+    match status {
+        200 => Ok(PublishResponse {
+            status,
+            message: body,
+            is_new_project: false,
+        }),
+        201 => Ok(PublishResponse {
+            status,
+            message: body,
+            is_new_project: true,
+        }),
+        401 | 403 => Err(PublishError::AuthError(body)),
+        409 => Err(PublishError::Conflict(body)),
+        400 | 404 => Err(PublishError::BadRequest(body)),
+        _ => Err(PublishError::ServerError(status, body)),
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::{
+        PublishError, build_upload_url, canonicalize_modern_project_id_component,
+        is_canonicalizable_name_field_value, is_canonicalizable_publisher_field_value,
+    };
+
+    #[test]
+    fn publisher_field_canonicalizability() {
+        assert!(is_canonicalizable_publisher_field_value("Acme Labs"));
+        assert!(is_canonicalizable_publisher_field_value("ACME-LABS-42"));
+        assert!(!is_canonicalizable_publisher_field_value("ab"));
+        assert!(!is_canonicalizable_publisher_field_value("Acme  Labs"));
+        assert!(!is_canonicalizable_publisher_field_value("Acme__Labs"));
+        assert!(!is_canonicalizable_publisher_field_value("Acme."));
+    }
+
+    #[test]
+    fn name_field_canonicalizability() {
+        assert!(is_canonicalizable_name_field_value("My.Project Alpha"));
+        assert!(is_canonicalizable_name_field_value("Alpha-2"));
+        assert!(!is_canonicalizable_name_field_value("ab"));
+        assert!(!is_canonicalizable_name_field_value("My..Project"));
+        assert!(!is_canonicalizable_name_field_value("My__Project"));
+        assert!(!is_canonicalizable_name_field_value(".Project"));
+    }
+
+    #[test]
+    fn canonicalize_modern_project_id_component_preserves_dot() {
+        assert_eq!(
+            canonicalize_modern_project_id_component("My.Project Alpha"),
+            "my.project-alpha"
+        );
+        assert_eq!(
+            canonicalize_modern_project_id_component("ACME LABS"),
+            "acme-labs"
+        );
+    }
+
+    #[test]
+    fn build_upload_url_appends_endpoint_path() {
+        assert_eq!(
+            build_upload_url("https://example.org").unwrap().as_str(),
+            "https://example.org/api/v1/upload"
+        );
+        assert_eq!(
+            build_upload_url("https://example.org/").unwrap().as_str(),
+            "https://example.org/api/v1/upload"
+        );
+        assert_eq!(
+            build_upload_url("https://example.org/index")
+                .unwrap()
+                .as_str(),
+            "https://example.org/index/api/v1/upload"
+        );
+        assert_eq!(
+            build_upload_url("https://example.org/index/")
+                .unwrap()
+                .as_str(),
+            "https://example.org/index/api/v1/upload"
+        );
+    }
+
+    #[test]
+    fn build_upload_url_strips_query_and_fragment() {
+        assert_eq!(
+            build_upload_url("https://example.org/index?x=1#frag")
+                .unwrap()
+                .as_str(),
+            "https://example.org/index/api/v1/upload"
+        );
+    }
+
+    #[test]
+    fn build_upload_url_rejects_non_hierarchical_url() {
+        let err = build_upload_url("mailto:test@example.org").unwrap_err();
+        assert!(matches!(err, PublishError::InvalidIndexUrl { .. }));
+    }
+}