feat(cli): add --lockfile-dir / lockfileDir setting

[jdx]

Summary

Mirrors pnpm's --lockfile-dir: relocates aube-lock.yaml to a different directory than the project root. The project becomes an importer keyed by its relative path from the lockfile directory.

Resolves the --lockfile-dir divergence noted in the misc.ts port TODO (pnpm/test/install/misc.ts:112).

Implementation

A thin importer-key shim around the existing aube-lockfile read/write API. The install pipeline keeps treating the project as the . root importer in-memory; the relative key only appears in the on-disk lockfile, transparent to every downstream consumer (resolver, linker, scripts runner).

Three local helpers in install/mod.rs:

• parse_lockfile_dir_remapped — reads from lockfile_dir, remaps the project's relative-path importer back to . for the in-memory graph.
• parse_lockfile_dir_remapped_with_kind — same, plus preserves the detected kind.
• write_lockfile_dir_remapped — writes to lockfile_dir, remaps . to the relative-path key on the way out. Hard-errors if the in-memory graph is missing the . importer (defensive guard against silent data loss in future code paths).

When lockfile_dir == project_root, both shims short-circuit (no clone, no map mutation), so the default install path is unchanged.

Path-resolution (pnpm parity):

• create_dir_all before canonicalize, so --lockfile-dir <missing> materializes the directory instead of aborting with ENOENT.
• Both cwd and lockfile_dir canonicalized before equality / pathdiff, so symlinks and ./project/..-style inputs don't break key derivation.
• Importer key normalized to forward slashes, so a Windows-written lockfile is portable to Unix CI.

Scope

Single-project lockfile relocation. Multi-project shared lockfiles outside a pnpm-workspace.yaml workspace are explicitly out of scope: pointing two unrelated projects at the same --lockfile-dir would have the second install orphan-strip the first project's package entries when re-resolving. An upfront read-side guard (guard_against_foreign_importers) detects this configuration and fails loudly with a message pointing the user at workspaces or per-project lockfile dirs. Workspace installs (legitimate multi-importer cases) are unaffected because the guard is gated on a non-. importer key, which only happens when --lockfile-dir points outside the project root.

Wired through the install path's main read/write sites (8 call sites). Two boundaries deferred to follow-up PRs:

• sharedWorkspaceLockfile=false per-project lockfile writes (line ~4118) still target project_root — combining --lockfile-dir with workspace-shared lockfiles needs a separate design decision.
• merge_git_branch_lockfiles flow likewise targets project_root.

Settings

Layer	Key
CLI	--lockfile-dir <PATH>
Env	AUBE_LOCKFILE_DIR, npm_config_lockfile_dir, NPM_CONFIG_LOCKFILE_DIR
.npmrc	lockfile-dir, lockfileDir
pnpm-workspace.yaml	lockfileDir

Relative paths resolve against the project root (pnpm convention).

Test plan

• New: test/lockfile_dir.bats (5 tests — write, importer key, auto-mkdir on missing dir, foreign-importer guard, warm read).
• New: misc.ts:112 port in test/pnpm_install_misc.bats (bumps the misc.ts port to 13/37, drops --lockfile-dir from the documented-divergences list).
• mise run test:bats test/install.bats (61/61) — no regressions.
• mise run test:bats test/lockfile_settings.bats test/workspace.bats — no regressions.
• cargo test --workspace — all green (after sorting --lockfile-dir alphabetically before --lockfile-only to satisfy cli_ordering_tests::test_cli_ordering).
• cargo clippy -p aube --all-targets -- -D warnings clean.

🤖 Generated with Claude Code

---

Note

Medium Risk
Changes where aube install reads/writes lockfiles and how importer keys are mapped, which could affect install reproducibility and overwrite behavior if path handling is wrong. Guardrails and tests reduce risk, but this touches core install/lockfile I/O paths.

Overview
Adds --lockfile-dir <PATH> (and lockfileDir setting) to relocate aube-lock.yaml to an arbitrary directory, mirroring pnpm.

aube install now resolves/canonicalizes the target directory, creates it if missing, and remaps lockfile importers keys between . in-memory and the project’s relative-path key on disk; lockfile read/write/detect call sites are updated to use the relocated directory.

Includes a fail-fast guard that errors if the relocated lockfile already contains importers from other projects (multi-project shared lockfiles outside a workspace remain unsupported), plus new Bats coverage and CLI/settings documentation updates.

^{Reviewed by Cursor Bugbot for commit bd65f92. Bugbot is set up for automated code reviews on this repo. Configure here.}

[greptile-apps]

Greptile Summary

Adds pnpm-compatible --lockfile-dir / lockfileDir to relocate aube-lock.yaml outside the project root, recording the project under a relative-path importer key; includes canonicalization, auto-mkdir, and a foreign-importer guard that prevents multi-project shared lockfiles outside workspaces.

• guard_against_foreign_importers silently passes a foreign "." importer: the filter excludes "." from the foreign-key check, but when importer_key != "." any existing "." entry represents the lockfile directory's own project root. The guard passes, the remap shim finds no importer_key match, and the subsequent write removes the lockfile-dir project's "." entry — exactly the orphan-strip scenario the guard is designed to prevent.
• Docs actively contradict the guard: both settings.toml and docs/settings/index.md state "several unrelated projects can share a single committed lockfile without declaring a pnpm-workspace.yaml" — the configuration guard_against_foreign_importers hard-errors on.

Confidence Score: 3/5

Not safe to merge as-is: the foreign-importer guard has a logic hole that allows silent lockfile corruption, and the docs describe a multi-project sharing use-case the implementation actively rejects.

Two P1 findings: a guard bypass that can corrupt a legitimate project's lockfile entry, and documentation that directly contradicts runtime behavior. Both affect the correctness and safety of the core feature being added.

crates/aube/src/commands/install/mod.rs (guard filter) and crates/aube-settings/settings.toml + docs/settings/index.md (doc contradiction)

Important Files Changed

Filename	Overview
crates/aube/src/commands/install/mod.rs	Core implementation: adds lockfile-dir resolution, importer-key remapping shims, and foreign-importer guard; the guard incorrectly excludes "." from foreign-importer detection, allowing silent data corruption when the lockfile directory is itself a project root.
crates/aube-settings/settings.toml	Adds lockfileDir setting definition; documentation contradicts the guard's behavior by claiming multi-project shared lockfiles are supported when they are actively rejected at runtime.
docs/settings/index.md	Mirrors the incorrect multi-project sharing claim from settings.toml; users who follow this docs example will hit a hard error on the second project's install.
crates/aube-manifest/src/workspace.rs	Adds lockfile_dir: Option field to WorkspaceConfig with correct serde default; straightforward.
test/lockfile_dir.bats	New Bats test file covering write, importer-key format, auto-mkdir, foreign-importer guard, and warm read round-trip; well-structured and covers the primary scenarios.
aube.usage.kdl	Adds --lockfile-dir flag definition in alphabetical order between --ignore-scripts and --lockfile-only; correct.
test/pnpm_install_misc.bats	Ports pnpm/test/install/misc.ts:112 as a Bats test; increments ported-count from 21→22 and removes the documented-divergences entry.
docs/cli/install.md	Adds --lockfile-dir CLI docs entry in correct alphabetical position; accurate description.
docs/cli/commands.json	Adds lockfile-dir to the install command's JSON spec with correct arg definition; auto-generated, no issues.
test/PNPM_TEST_IMPORT.md	Updates port tracking: 21→22 ported, removes --lockfile-dir from documented divergences, adds #431 reference; accurate bookkeeping.

_{Reviews (3): Last reviewed commit: "fix(cli): address cursor review on --loc..." | Re-trigger Greptile}

[github-actions]

Benchmark changes

Versions:

• aube: 1.5.1 -> 1.5.2
• pnpm: 11.0.2 -> 11.0.3

Public ratios: warm installs vs Bun 4x -> 3x; warm installs vs pnpm 5x -> 7x.

Benchmark	aube	bun	pnpm
Fresh install (warm cache)	1021ms -> 770ms (-25%)	4134ms -> 2500ms (-40%)	4717ms -> 5162ms (+9%)
CI install (warm cache, GVS disabled)	2920ms -> 2528ms (-13%)	3396ms -> 2834ms (-17%)	4864ms -> 5334ms (+10%)
CI install (cold cache, GVS disabled)	10801ms -> 7814ms (-28%)	10012ms -> 9787ms (-2%)	9722ms -> 9391ms (-3%)

bd65f92 vs 63fcb9a | aube/bun/pnpm | 3 scenarios | 3 runs | 500mbit/50ms | generated by Codex.

[greptile-apps]

"." is incorrectly excluded from foreign-importer detection

When importer_key != ".", a "." entry already in the lockfile means the lockfile directory is itself a project root (someone ran aube install there without --lockfile-dir). That entry is foreign and should be rejected, but the current filter silently exempts it. The guard then passes, parse_lockfile_dir_remapped finds no importer_key match (since the disk has "."), and write_lockfile_dir_remapped removes the old "." entry and replaces it with the subdirectory project — silently orphan-stripping exactly the project the guard is designed to protect.

Suggested change

	.filter(|k| *k != "." && *k != importer_key)
	.filter(|k| *k != importer_key)

[greptile-apps]

Docs claim multi-project sharing is supported; implementation rejects it

The sentence "so several unrelated projects can share a single committed lockfile without declaring a pnpm-workspace.yaml" describes exactly the configuration that guard_against_foreign_importers hard-errors on. A user who sets lockfileDir based on this description will hit the "lockfile already records importers from other projects" error the first time a second project tries to install. The same incorrect text is mirrored verbatim into docs/settings/index.md.

This sentence should be replaced with a note that lockfileDir is for single-project relocation only, and multi-project shared lockfiles require a pnpm-workspace.yaml workspace.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit bd65f92. Configure here.}

[cursor]

Guard allows "." importer through, missing foreign project

Medium Severity

The guard_against_foreign_importers filter excludes "." from the foreign-importer check (*k != "."). When lockfile_dir already contains a lockfile from a standalone project (which uses "." as its importer key), the guard silently passes. Both projects then alternate overwriting each other's lockfile data — the exact data-loss scenario the guard exists to prevent. Filtering "." serves no purpose here: workspace installs skip the guard entirely (lockfile_importer_key == "."), and --lockfile-dir installs always write non-"." keys.

 

^{Reviewed by Cursor Bugbot for commit bd65f92. Configure here.}