Add validation to reject fileSha256 in non-MCPB packages

rdimitrov · rdimitrov · commit dde346c334b5 · 2025-10-09T00:31:08.000+03:00
Signed-off-by: Radoslav Dimitrov &lt;radoslav@stacklok.com&gt;
diff --git a/internal/validators/registries/npm.go b/internal/validators/registries/npm.go
@@ -41,6 +41,11 @@ func ValidateNPM(ctx context.Context, pkg model.Package, serverName string) erro
 		return ErrMissingVersionForNPM
 	}
 
+	// Validate that MCPB-specific fields are not present
+	if pkg.FileSHA256 != "" {
+		return fmt.Errorf("NPM packages must not have 'fileSha256' field - this is only for MCPB packages")
+	}
+
 	// Validate that the registry base URL matches NPM exactly
 	if pkg.RegistryBaseURL != model.RegistryURLNPM {
 		return fmt.Errorf("registry type and base URL do not match: '%s' is not valid for registry type '%s'. Expected: %s",
diff --git a/internal/validators/registries/nuget.go b/internal/validators/registries/nuget.go
@@ -28,6 +28,11 @@ func ValidateNuGet(ctx context.Context, pkg model.Package, serverName string) er
 		return ErrMissingIdentifierForNuget
 	}
 
+	// Validate that MCPB-specific fields are not present
+	if pkg.FileSHA256 != "" {
+		return fmt.Errorf("NuGet packages must not have 'fileSha256' field - this is only for MCPB packages")
+	}
+
 	// Validate that the registry base URL matches NuGet exactly
 	if pkg.RegistryBaseURL != model.RegistryURLNuGet {
 		return fmt.Errorf("registry type and base URL do not match: '%s' is not valid for registry type '%s'. Expected: %s",
diff --git a/internal/validators/registries/oci.go b/internal/validators/registries/oci.go
@@ -96,6 +96,9 @@ func ValidateOCI(ctx context.Context, pkg model.Package, serverName string) erro
 	if pkg.Version != "" {
 		return fmt.Errorf("OCI packages must not have 'version' field - include version in 'identifier' instead (e.g., 'docker.io/owner/image:1.0.0')")
 	}
+	if pkg.FileSHA256 != "" {
+		return fmt.Errorf("OCI packages must not have 'fileSha256' field - this is only for MCPB packages")
+	}
 
 	// Parse the canonical OCI reference from the identifier
 	ociRef, err := ParseOCIReference(pkg.Identifier)
diff --git a/internal/validators/registries/pypi.go b/internal/validators/registries/pypi.go
@@ -39,6 +39,11 @@ func ValidatePyPI(ctx context.Context, pkg model.Package, serverName string) err
 		return ErrMissingVersionForPyPi
 	}
 
+	// Validate that MCPB-specific fields are not present
+	if pkg.FileSHA256 != "" {
+		return fmt.Errorf("PyPI packages must not have 'fileSha256' field - this is only for MCPB packages")
+	}
+
 	// Validate that the registry base URL matches PyPI exactly
 	if pkg.RegistryBaseURL != model.RegistryURLPyPI {
 		return fmt.Errorf("registry type and base URL do not match: '%s' is not valid for registry type '%s'. Expected: %s",

Original file line number	Diff line number	Diff line change
`@@ -96,6 +96,9 @@ func ValidateOCI(ctx context.Context, pkg model.Package, serverName string) erro`
`96`	`96`	`if pkg.Version != "" {`
`97`	`97`	`return fmt.Errorf("OCI packages must not have 'version' field - include version in 'identifier' instead (e.g., 'docker.io/owner/image:1.0.0')")`
`98`	`98`	`}`
	`99`	`+ if pkg.FileSHA256 != "" {`
	`100`	`+ return fmt.Errorf("OCI packages must not have 'fileSha256' field - this is only for MCPB packages")`
	`101`	`+ }`
`99`	`102`
`100`	`103`	`// Parse the canonical OCI reference from the identifier`
`101`	`104`	`ociRef, err := ParseOCIReference(pkg.Identifier)`