feat(pnpmfile): support esm pnpmfiles

[jdx]

Summary

• prefer .pnpmfile.mjs over .pnpmfile.cjs during default pnpmfile discovery
• load ESM pnpmfiles with dynamic import while preserving CommonJS require() support
• document the new default lookup order and cover .mjs afterAllResolved/readPackage hooks

Validation

• cargo test -p aube pnpmfile::tests
• cargo build -p aube
• mise run test:bats test/pnpmfile.bats
• mise run docs:build
• cargo fmt --check
• git diff --check

---

Note

Medium Risk
Changes how pnpmfile hooks are discovered and executed (including dynamic ESM loading), which can affect dependency resolution behavior during installs if projects rely on existing hook semantics.

Overview
Adds support for ESM pnpmfiles by discovering and preferring .pnpmfile.mjs over .pnpmfile.cjs, while still honoring pnpmfilePath overrides.

Updates the Node hook shims to dynamically load .mjs via import() (and .cjs via require()), including a fallback when an ESM default export lacks hooks. Documentation/CLI help text and bats/unit tests are updated to reflect the new lookup order and to cover .mjs for both afterAllResolved and readPackage.

^{Reviewed by Cursor Bugbot for commit 38f6eb1. Bugbot is set up for automated code reviews on this repo. Configure here.}

[greptile-apps]

Greptile Summary

This PR adds ESM pnpmfile support by preferring .pnpmfile.mjs over .pnpmfile.cjs during default discovery and loading .mjs files via dynamic import() while keeping CommonJS require() for .cjs files. The shared LOAD_PNPMFILE_JS helper eliminates the previous duplication between the two shims, the loadPnpmfile export-resolution logic correctly handles named-only, default-only, and mixed export shapes, and all docs/help text are updated consistently throughout.

Confidence Score: 5/5

Safe to merge — no logical, security, or behavioural regressions identified.

All changed code paths are well-tested (three new unit tests + three new bats integration tests), the JS export-resolution logic handles every realistic ESM export shape correctly, and the docs/help text are updated consistently. No P0 or P1 findings.

No files require special attention.

Important Files Changed

Filename	Overview
crates/aube/src/pnpmfile.rs	Core ESM pnpmfile support: adds shared LOAD_PNPMFILE_JS helper (dynamic import for .mjs, require for .cjs), updates detect() to prefer .pnpmfile.mjs, refactors both shims to use the shared loader, and adds three new unit tests covering .mjs-only and precedence scenarios.
test/pnpmfile.bats	Adds three bats integration tests: .mjs priority over .cjs, named-hooks-win-when-default-has-no-hooks warning path, and readPackage from an .mjs default export — all scenarios align with the new shim logic.
crates/aube-manifest/src/workspace.rs	Doc comment on pnpmfile_path field updated to reflect new .mjs-preferred, .cjs-fallback default discovery order.
crates/aube-settings/settings.toml	Description and docs for pnpmfilePath updated to remove CJS-specific language and document the new .mjs → .cjs lookup order.
crates/aube/src/commands/install/mod.rs	Help text and doc comments for --ignore-pnpmfile updated to mention both .pnpmfile.mjs and .pnpmfile.cjs.
aube.usage.kdl	Help string for --ignore-pnpmfile updated to reference both .mjs and .cjs.
docs/cli/commands.json	Generated CLI help text for --ignore-pnpmfile regenerated to match the new wording.
docs/cli/install.md	Generated docs for --ignore-pnpmfile updated to mention both file types.
docs/settings/index.md	Settings docs for pnpmfilePath updated to describe the .mjs-preferred default discovery order.

_{Reviews (4): Last reviewed commit: "fix(pnpmfile): avoid esm readPackage sta..." | Re-trigger Greptile}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit ed973b7. Configure here.}