fix: Avoid dependency conflicts from bundled metadata DLLs

[hatayama]

Summary

• Prevent consuming Unity projects from implicitly referencing bundled metadata validation DLLs from Unity CLI Loop.
• Keep Unity CLI Loop metadata validation working through explicit editor-only package references.

User Impact

• Projects that install packages such as MemoryPack can keep their own System.Runtime.CompilerServices.Unsafe dependency without Unity CLI Loop bundled DLLs being selected accidentally.
• This reduces dependency clashes without changing the public workflow.

Changes

• Move the bundled metadata validation dependency DLLs under the editor metadata validation package area.
• Mark those DLLs as explicitly referenced only so Unity does not expose them as implicit project references.
• Give the bundled dependency assemblies private package-specific identities and update their internal references to match.
• Remove the orphaned Plugins metadata left after moving the DLLs.
• Add package metadata tests for the explicit-reference flags, private assembly identities, and orphaned metadata removal.

Verification

• Unity compile via the project-local CLI: 0 errors, 0 warnings
• Kensho project compile via the project-local CLI: 0 errors, 0 warnings
• npm --prefix Packages/src/Cli~ run lint
• npm --prefix Packages/src/Cli~ run build
• npm --prefix Packages/src/Cli~ run test:cli
• npm --prefix Packages/src/Cli~ run test:cli -- --runTestsByPath src/tests/package-metadata.test.ts
• codex-review --mode branch main

Closes #1284

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds test-only constants for Unity dependency .dll.meta paths and private assembly identities, repo-relative helpers to read Unity asset text and DLL bytes, and Jest tests that (1) assert each dependency meta file contains isExplicitlyReferenced: 1, (2) verify DLL bytes include declared assembly reference names, and (3) expect loading an orphaned Plugins.meta path to throw.

Changes

Package metadata tests

Layer / File(s)	Summary
Test data: meta paths and private assembly list Packages/src/Cli~/src/__tests__/package-metadata.test.ts	Defines explicit dependency .dll.meta paths and a structured list of private assembly identities with expected referenced assembly names.
Repo-relative Unity asset loaders Packages/src/Cli~/src/__tests__/package-metadata.test.ts	Adds loadUnityPackageText(relativePath) and loadUnityPackageBytes(relativePath) helpers to read checked-in Unity asset text and raw DLL bytes from stable repo-relative locations.
Meta explicit-reference tests and orphaned path error Packages/src/Cli~/src/__tests__/package-metadata.test.ts	Adds a Jest test asserting each listed .dll.meta contains isExplicitlyReferenced: 1 and a test expecting reading an orphaned Plugins.meta path to throw.
Private assembly DLL bytes reference test Packages/src/Cli~/src/__tests__/package-metadata.test.ts	Adds a Jest test that loads configured private assembly DLL bytes and asserts the bytes contain the primary assembly identity and all declared referenced assembly names.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	The PR addresses issue #1284 by marking bundled CodeAnalysis plugin DLLs as explicitly referenced only and adding metadata regression tests, preventing implicit exposure that caused compilation conflicts.
Out of Scope Changes check	✅ Passed	All changes are scoped to test additions verifying metadata validation settings for bundled DLLs, directly supporting the linked issue objective of preventing package conflicts.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title mentions 'bundled metadata DLLs' but the PR's primary objective is to prevent package conflicts by marking CodeAnalysis DLLs as explicitly referenced only, not about avoiding dependency conflicts in general.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/issue-1284-memorypack-unsafe

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 4 files

_{Re-trigger cubic}