
fix(lockfile): preserve package and bun lock compatibility#339

Merged
jdx merged 1 commit into main from fix/preserve-package-json-order
Apr 27, 2026

Conversation

jdx (Contributor) commented Apr 27, 2026

Summary

  • Preserve existing top-level package.json key order when commands rewrite dependency sections.
  • Parse Bun lockfile local tarball entries whose package ident omits the file: prefix.
  • Accept abbreviated git commit SHAs from existing Bun GitHub-shorthand lockfile entries during checkout verification.

Details

aube add already preserved manifest order by editing the parsed raw package.json object and syncing only dependency sections. This PR moves that targeted raw-JSON dependency-section writer into the shared command helpers so add, remove, and update --latest use the same order-preserving path.

remove still prunes pnpm/aube sidecar metadata, but now applies those removals directly to the parsed raw JSON object instead of replacing unrelated fields from the typed PackageJson.extra map. That keeps existing key positions and avoids churn in unrelated or nested manifest data.

The Bun regression matrix also exposed two plain-install failures not covered by the currently open lockfile PRs:

  • Bun can write local tarball package entries as local-helper@tarballs/local-helper-1.0.0.tgz while the workspace dependency remains file:tarballs/local-helper-1.0.0.tgz. Aube now recognizes that prefixless .tgz ident as LocalSource::Tarball instead of treating it as a registry version.
  • Bun records GitHub shorthand lock entries with abbreviated commit IDs. Aube's clone verifier now accepts a checked-out full SHA when it starts with the abbreviated lockfile SHA, while still rejecting non-hex refs and mismatched SHAs.

I checked the other open lockfile PRs before adding these: #337 covers pnpm scalar platform fields, and #338 covers package-lock git resolved URLs plus pnpm/Bun scalar platform metadata. Those fixes are intentionally not duplicated here.

Validation

  • cargo fmt --check
  • cargo build
  • cargo test -p aube write_manifest_dep_sections
  • cargo test -p aube-lockfile test_parse_prefixless_local_tarball
  • cargo test -p aube-lockfile test_parse_github_dep
  • cargo test -p aube-store git_commit_matches_abbreviated_sha
  • mise run test:bats test/remove.bats
  • mise run test:bats test/update.bats
  • Bun regression matrix from johnpyp/2026-04-23-aube-bun-lock-regression-matrix against target/debug/aube; github-shorthand and local-tarball now pass plain install as plain-aube-unchanged
  • pre-commit hook: cargo fmt and cargo clippy for staged Rust files

Note

Medium Risk
Medium risk because it changes how package.json is rewritten across multiple commands and relaxes git checkout verification to accept abbreviated SHAs, which could affect correctness of dependency updates and git-sourced installs.

Overview
Improves compatibility and reduces churn when working with Bun and when editing package.json.

Commands that mutate dependencies (add, remove, update --latest) now update only the dependency sections in the existing parsed package.json object (via shared helpers) so top-level key order is preserved and empty dep sections are removed without reserializing unrelated fields; remove also prunes pnpm/aube sidecar metadata directly in raw JSON to avoid reordering.

Bun lockfile parsing now treats prefixless local tarball idents (e.g. pkg@tarballs/foo.tgz without file:) as LocalSource::Tarball, and git dependency checkouts now accept abbreviated hex SHAs by verifying the full HEAD starts with the requested short SHA. Added targeted unit tests and a bats test to lock in these behaviors.

Reviewed by Cursor Bugbot for commit edcf920.
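The abbreviated-SHA checkout verification described above, as an added example in Rust that is not aube's own code: the function name git_commit_matches comes from the PR, while the constants, the 7-character floor (the length Greptile quotes), the case handling and the sample commit id are assumptions of this example. The point a reviewer cares about is that prefix matching is only as strong as the prefix, so the helper refuses anything shorter than the floor, anything that is not hex, and any HEAD that is not itself a full id.

```rust
// Added example (not aube's code). Verifies a cloned git checkout against a
// lockfile entry that carries either a full 40-hex SHA-1 or an abbreviated one,
// as Bun writes for GitHub-shorthand dependencies.

/// Shortest abbreviation accepted (assumed value); shorter prefixes match too
/// many commits to be a meaningful integrity check.
const MIN_ABBREV_LEN: usize = 7;
/// Length of a full SHA-1 object id in hex.
const FULL_SHA_LEN: usize = 40;

fn is_hex(s: &str) -> bool {
    !s.is_empty() && s.bytes().all(|b| b.is_ascii_hexdigit())
}

/// `checked_out` is the full HEAD id read from the clone; `wanted` is the id
/// recorded in the lockfile. Returns true only when HEAD is a full hex id and
/// `wanted` is either that exact id or a hex prefix of at least MIN_ABBREV_LEN
/// characters. Branch or tag names such as "main" are never accepted.
pub fn git_commit_matches(checked_out: &str, wanted: &str) -> bool {
    let checked_out = checked_out.trim().to_ascii_lowercase();
    let wanted = wanted.trim().to_ascii_lowercase();
    if checked_out.len() != FULL_SHA_LEN || !is_hex(&checked_out) {
        return false; // HEAD must itself be a resolved commit, not a ref name
    }
    if !is_hex(&wanted) {
        return false; // non-hex refs are rejected outright
    }
    if wanted.len() == FULL_SHA_LEN {
        return checked_out == wanted; // full ids must match exactly
    }
    wanted.len() >= MIN_ABBREV_LEN
        && wanted.len() < FULL_SHA_LEN
        && checked_out.starts_with(&wanted)
}

fn main() {
    // Constructed sample id, not a real commit.
    let head = "0123456789abcdef0123456789abcdef01234567";
    for wanted in ["0123456", "012345", "main", head] {
        println!("{wanted:>40} -> {}", git_commit_matches(head, wanted));
    }
}
```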

greptile-apps (Bot) commented Apr 27, 2026

Greptile Summary

This PR addresses three independent compatibility gaps: it centralizes the order-preserving manifest writer so add, remove, and update --latest all use the same in-place JSON-object updater; it extends the Bun lockfile parser to recognize prefixless .tgz paths as LocalSource::Tarball; and it relaxes git checkout verification to accept abbreviated hex SHAs stored in Bun's GitHub-shorthand lock entries.

The refactoring in remove.rs deliberately calls both the typed prune_sidecar_entries (to keep the in-memory PackageJson consistent for re-resolution) and the new prune_sidecar_entries_json (to apply the same pruning to the raw JSON before the atomic write). This dual-layer approach is correct and intentional given the two-pass design. New unit and integration tests cover all three changes.

Confidence Score: 5/5

Safe to merge — no logic errors or security concerns found; changes are narrow, well-scoped, and backed by new unit and bats tests.

All three independent fixes are self-contained and covered by targeted regression tests. The refactoring consolidates existing logic without behavioral changes to the add path. The git_commit_matches helper correctly guards against non-hex refs and length-based collisions. No P1 or P0 findings were identified.

No files require special attention.

Important Files Changed

  • crates/aube-lockfile/src/bun.rs: Adds prefixless local tarball classification before the link: branch; new unit test exercises the path. Logic is sound — path_looks_like_tarball only inspects the extension, so the check is safe for any raw_version that ends with .tgz/.tar.gz.
  • crates/aube-store/src/lib.rs: Introduces git_commit_matches to accept abbreviated hex SHAs (≥7 chars, <40) from Bun lockfiles; replaces three literal equality comparisons. Well-tested with unit assertions covering match, mismatch, and non-hex refs.
  • crates/aube/src/commands/mod.rs: Promotes write_manifest_json_for_add logic to shared helpers update_manifest_json_object, write_manifest_dep_sections, and sync_manifest_dep_sections; moves sync_dep_section here too. Two new unit tests verify key-order preservation and empty-section removal.
  • crates/aube/src/commands/add.rs: Replaces the local write_manifest_json_for_add call with super::write_manifest_dep_sections; deletes the now-redundant private function and sync_dep_section. Straightforward refactor.
  • crates/aube/src/commands/remove.rs: Switches manifest write from write_manifest_json (full serialization) to update_manifest_json_object to preserve key order. Adds prune_sidecar_entries_json which operates on the raw JSON map, while the existing typed prune_sidecar_entries still runs to keep the in-memory manifest consistent for the re-resolution step. Both layers are intentional and necessary.
  • crates/aube/src/commands/update.rs: One-line change: replaces write_manifest_json with write_manifest_dep_sections for the --latest path to gain key-order preservation. No logic change.
  • test/remove.bats: Adds a bats integration test that verifies top-level key order is preserved after aube remove, using node -e to inspect the resulting JSON object key sequence.

Reviews (3): Last reviewed commit: "fix(lockfile): preserve manifest and bun..."

jdx marked this pull request as ready for review on April 27, 2026 12:18
jdx force-pushed the fix/preserve-package-json-order branch from a0b5851 to a0d7f1e on April 27, 2026 12:26
jdx changed the title from "fix(cli): preserve package json key order" to "fix(lockfile): preserve package and bun lock compatibility" on Apr 27, 2026
jdx force-pushed the fix/preserve-package-json-order branch from a0d7f1e to edcf663 on April 27, 2026 12:30
jdx force-pushed the fix/preserve-package-json-order branch from edcf663 to edcf920 on April 27, 2026 12:33
jdx merged commit 2b5eb8b into main on Apr 27, 2026
17 checks passed
jdx deleted the fix/preserve-package-json-order branch on April 27, 2026 12:44