fix(resolver): accept abbreviated git commit SHAs in user specs

[jdx]

Summary

• github:owner/repo#<short> (and other git specs that use an abbreviated hex commit) now install instead of erroring with aube requires a full 40-character SHA.
• The lockfile records the canonical 40-character SHA even when the user-written specifier was abbreviated, matching pnpm's behavior.

Details

git_resolve_ref previously rejected hex prefixes upfront because git ls-remote only advertises branches and tags, so an abbreviated commit SHA never matched. But git_shallow_clone already checks abbreviated commits out fine via git fetch + git checkout <prefix>. The fix is to let the prefix flow through git_resolve_ref unchanged and recover the canonical full SHA from the post-checkout git rev-parse HEAD that git_shallow_clone already runs for verification.

git_shallow_clone now returns (PathBuf, String) where the second element is the 40-char HEAD SHA. resolve_git_source uses that to populate GitSource.resolved, so the lockfile pins the canonical form regardless of what the user wrote.

Reported in #345.

Test plan

• cargo test (workspace, all green)
• cargo clippy --all-targets -- -D warnings
• cargo fmt --check
• Manual: aube install on package.json with "vfs": "github:collinstevens/vfs#0b6ea53" (abbreviated) → installs, lockfile pins 0b6ea539609031977983f0b2393ebe81ee28c8ec
• Manual: aube install on the same with the full 40-char SHA → still installs

🤖 Generated with Claude Code

---

Note

Medium Risk
Changes git ref resolution and clone caching semantics, which can affect reproducibility and cache reuse for git dependencies. Risk is mitigated by explicit HEAD verification and new tests covering abbreviated-SHA behavior.

Overview
Git dependencies now accept abbreviated commit SHAs. git_resolve_ref no longer errors on 7–39 char hex prefixes and instead passes them through for git_shallow_clone to resolve.

Lockfile and cache are canonicalized to full SHAs. git_shallow_clone now returns (clone_dir, head_sha) from rev-parse HEAD, the resolver writes that full SHA into GitSource.resolved, and the clone cache directory is best-effort re-keyed from the abbreviated input to the canonical SHA to avoid re-cloning.

Adds targeted tests for offline full-SHA resolution and prefix matching, and updates install-time git cloning call sites for the new return type.

^{Reviewed by Cursor Bugbot for commit 414f7bb. Bugbot is set up for automated code reviews on this repo. Configure here.}

[greptile-apps]

Greptile Summary

This PR allows abbreviated git commit SHAs (≥7 hex chars) in dependency specs by passing them through git_resolve_ref unchanged, then recovering the canonical 40-char SHA from git rev-parse HEAD post-checkout. The new canonicalize_clone_dir helper re-keys the abbreviated-SHA cache entry to its full-SHA counterpart so the installer's subsequent git_shallow_clone call (using the lockfile-pinned full SHA) hits the fast path without a redundant network clone.

Confidence Score: 5/5

Safe to merge — logic is correct, edge cases are well-handled, and the previously flagged lower-bound mismatch was fixed in the current commit.

No P0 or P1 issues found. The re-keying strategy in canonicalize_clone_dir correctly addresses the double-clone concern from prior review threads. Races are documented as best-effort and are consistent with the existing design. The lower bound of 7 is properly aligned between looks_hex and git_commit_matches.

No files require special attention.

Important Files Changed

Filename	Overview
crates/aube-store/src/lib.rs	Core change: git_resolve_ref passes abbreviated hex SHAs (≥7 chars) through unchanged; git_shallow_clone signature changes to Result<(PathBuf, String), Error> and adds canonicalize_clone_dir to re-key abbreviated-SHA cache entries to their canonical full-SHA path after checkout, fixing the resolver→installer double-clone. Well-commented and the previous lower-bound mismatch (4→7) is correctly aligned with git_commit_matches.
crates/aube-resolver/src/local_source.rs	Updated to destructure the new (clone_dir, resolved) tuple from git_shallow_clone; resolved (the canonical 40-char HEAD SHA) now populates GitSource.resolved so the lockfile always pins the full form.
crates/aube/src/commands/install/mod.rs	Trivial API adapter: destructures the new tuple return, discards _head_sha (the installer already has the full SHA from the lockfile, so canonicalize_clone_dir is a no-op here).

_{Reviews (3): Last reviewed commit: "review: re-key git clone cache to canoni..." | Re-trigger Greptile}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 1655684. Configure here.}