
fix(resolver): exclude provenance churn packages#360

Merged
jdx merged 4 commits into main from codex/trust-policy-benchmark-excludes on Apr 28, 2026

Conversation

@jdx
Contributor

@jdx jdx commented Apr 28, 2026

Summary

  • Add built-in trustPolicyExclude entries for npm packages with known provenance metadata churn that caused benchmark fixture resolution to fail.
  • Merge user-provided trustPolicyExclude entries on top of the built-in defaults.
  • Add a focused vlt benchmark fixture regression test using the cheaper svelte fixture. Heavier next, vue, large, and babylon cases were removed after they pushed serial BATS past the 20-minute CI timeout.

Validation

  • cargo test -p aube-resolver trust
  • cargo build
  • mise run test:bats test/vlt_benchmarks.bats
  • Commit hook: cargo fmt --check, targeted cargo clippy, shfmt, shellcheck

CI note

The previous run timed out in bats-serial: next took about 3.7-3.9 minutes, vue about 3.1-4.2 minutes, and large about 3.5-5.3 minutes before the job was cancelled. The reduced fixture keeps coverage for the benchmark install variations without carrying those expensive cases in serial CI.

@greptile-apps

greptile-apps Bot commented Apr 28, 2026

Greptile Summary

This PR adds a DEFAULT_TRUST_POLICY_EXCLUDES list of six high-churn npm packages that are unconditionally exempted from trustPolicy checks, wires them into TrustExcludeRules::default() and DependencyPolicy::default(), and introduces with_defaults_and_user_rules so user-configured excludes layer on top. It also adds a svelte benchmark fixture and a BATS test suite skeleton.

Confidence Score: 5/5

Safe to merge; no correctness or security defects in the changed code paths.

All P1+ gates pass. The trust logic change is deliberate and well-documented. The two comments are P2 design/coverage observations that don't block correctness.

test/vlt_benchmarks.bats — the PR description promises five fixture tests but only one is present.

Important Files Changed

Filename / Overview

crates/aube-resolver/src/trust.rs: Adds DEFAULT_TRUST_POLICY_EXCLUDES constant, a non-empty Default impl, from_name_excludes helper (already using NameMatcher::compile), and with_defaults_and_user_rules combinator; includes a covering unit test.
crates/aube/src/commands/install/settings.rs: Threads user rules through with_defaults_and_user_rules so built-in excludes are always prepended; rename of local variable to user_rules is clear and accurate.
crates/aube-settings/settings.toml: Documentation update clarifying that an empty trustPolicyExclude list only disables user rules, not built-in defaults.
docs/settings/index.md: Matches the settings.toml doc update; accurate description of the new behaviour.
test/vlt_benchmarks.bats: New BATS suite with well-structured variation helpers, but contains only the svelte test despite the PR description claiming coverage for next, vue, large, and babylon as well.
fixtures/vlt-benchmarks/svelte/package.json: Straightforward SvelteKit demo package.json used as a benchmark fixture; lists vite and other packages with known provenance churn, validating the new default exclusions.


Reviews (4): Last reviewed commit: "test(install): trim vlt benchmark fixtur..." | Re-trigger Greptile
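The layering the review summary describes (built-in excludes always present, user trustPolicyExclude entries appended after them, an empty user list disabling only user rules) written out as an added Rust example; this is not aube's code, and the matcher syntax, the two placeholder package names in the default list, and the function signatures are assumptions.

```rust
// Minimal name matcher: an exact package name, or a trailing `*` wildcard such as `@scope/*`.
#[derive(Debug, Clone, PartialEq)]
enum NameMatcher {
    Exact(String),
    Prefix(String),
}

impl NameMatcher {
    fn compile(pattern: &str) -> NameMatcher {
        match pattern.strip_suffix('*') {
            Some(prefix) => NameMatcher::Prefix(prefix.to_string()),
            None => NameMatcher::Exact(pattern.to_string()),
        }
    }
    fn matches(&self, name: &str) -> bool {
        match self {
            NameMatcher::Exact(n) => n == name,
            NameMatcher::Prefix(p) => name.starts_with(p.as_str()),
        }
    }
}

// Constructed stand-in for the PR's DEFAULT_TRUST_POLICY_EXCLUDES; the real six names are not on this page.
const DEFAULT_TRUST_POLICY_EXCLUDES: &[&str] = &["churn-pkg-a", "@churn-scope/*"];

#[derive(Debug, Clone, PartialEq)]
struct TrustExcludeRules {
    matchers: Vec<NameMatcher>,
}

impl Default for TrustExcludeRules {
    fn default() -> Self {
        Self::from_name_excludes(DEFAULT_TRUST_POLICY_EXCLUDES)
    }
}

impl TrustExcludeRules {
    fn from_name_excludes(names: &[&str]) -> Self {
        Self { matchers: names.iter().map(|n| NameMatcher::compile(n)).collect() }
    }
    // Built-in excludes come first and user entries are appended, so `Some(&[])` (an
    // explicitly empty trustPolicyExclude) disables only user rules, never the defaults.
    fn with_defaults_and_user_rules(user: Option<&[&str]>) -> Self {
        let mut rules = Self::default();
        if let Some(user) = user {
            rules.matchers.extend(user.iter().map(|p| NameMatcher::compile(p)));
        }
        rules
    }
    // True when a package is exempt from trustPolicy (provenance) checks.
    fn is_excluded(&self, name: &str) -> bool {
        self.matchers.iter().any(|m| m.matches(name))
    }
}
```

The check worth keeping from this is that the exemption list can only grow through configuration, so a reviewer auditing what skips provenance verification must read the built-in constant as well as the user's settings.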

Comment thread crates/aube-resolver/src/trust.rs
@jdx jdx merged commit 2c617a4 into main Apr 28, 2026
17 checks passed
@jdx jdx deleted the codex/trust-policy-benchmark-excludes branch April 28, 2026 15:14