package command is broken for composer-driven projects

[grayside]

In #288 and #289 we worked to align the packaging operation with some of the more fiddly issues introduced by Composer-driven dependency management, as well as relying on composer autoloading of libraries. Unfortunately our testing missed some pretty common project use cases and the current behavior is buggy on several points.

1. The project composer.json does not make it into the package

We are reading the Drupal project composer.json and outputting it again. Instead, we need the project-level composer.json to be placed in the package. This can be fixed with a one-line change in package.js Line 20.

2. If (1) were working, flat packaging would break

We support a flat packaging model by default, intended to support hosting platforms such as Pantheon. However, in a flat structure we have nowhere to put a project-level composer.json or vendor directory.

Luckily, as the reality of composer-based builds has sunk in Pantheon and other platforms are now supporting a subdirectory docroot structure. We can commit to the idea of a multi-level structure and update Gadget to generate D8 projects using one.

3. The composer install to strip dev dependencies might run composer update

Missing lockfile causes composer update to run, losing hand-edited vendor hacks, potentially upgrading packages, and of course, taking a long time.

[grayside]

1. Copy composer.json, composer.lock, and vendor/ into the package root.
2. Copy the docroot one level deeper than root of package.