Background

Currently, when we build a crate in the workspace, Cargo still prefers local path dependencies. This means we might accidentally publish a crate that only works inside our workspace but fails for downstream users, because it relies on unpublished changes in sibling crates.

To catch this before release, we need a CI job (and a corresponding just recipe) that:

1. Packages the crate (cargo package)
2. Unpacks the tarball
3. Builds it in isolation with --locked, ensuring it resolves dependencies strictly from crates.io

This simulates exactly how downstream users will consume our crates.

Proposed changes

• Add a command to our justfile recipe (just check-publish <crate>) to package, unpack, and rebuild the crate tarball.

- Add a CI job that runs for each crate targeted for release.
- Integrate this check into the release workflow so that every crate we publish has been validated against the registry, not just the workspace. We need to label-gate this check to only run for PRs with the release label.

Edit: We don't want to run this for every release, just as a convenient manual check.

Example justfile snippet

# Usage: just check-publish crate-name
check-publish crate:
    cargo package -p {{crate}}
    pkg=$(ls target/package/{{crate}}-*.crate | tail -n1); \
    tmp=$(mktemp -d); \
    tar -xzf "$$pkg" -C "$$tmp"; \
    export CARGO_HOME="$$tmp/cargo-home"; \
    export RUSTUP_HOME="$$tmp/rustup-home"; \
    cargo build --locked --manifest-path "$$tmp"/{{crate}}-*/Cargo.toml