test(install): port pnpm circular-peers, trust-policy, and peer-deps-warning

[jdx]

Summary

Three batches from pnpm/test/install/misc.ts ported into test/pnpm_install_misc.bats — closing the three "still need fixtures / pnpm-specific" gaps tracked in PNPM_TEST_IMPORT.md:

1. Circular peer deps (misc.ts:556, covers pnpm/pnpm#8720). Synthesizes a two-package workspace where each peer-depends on the other in lieu of pnpm's 100+-package real-world fixture. The regression guard is the resolver terminating against the 16-iteration fixed-point loop in aube-resolver/src/peer_context.rs. Probes for timeout / gtimeout (Linux / macOS-with-coreutils) and falls back to running uncovered when neither is on PATH.

2. Trust-policy block (misc.ts:578-643, 6 tests). Mirrored @pnpm/e2e.test-provenance from registry.npmjs.org at 0.0.0, 0.0.4 (with SLSA provenance + GitHub trustedPublisher) and 0.0.5 (no trust evidence — the downgrade pnpm's check is designed for). Re-uses the existing @pnpm.e2e/has-untrusted-optional-dep@1.0.0 fixture for the optional-dep test. pnpm exposes --trust-policy=… as a CLI flag; aube reads trustPolicy / trustPolicyExclude / trustPolicyIgnoreAfter from .npmrc / pnpm-workspace.yaml / AUBE_TRUST_POLICY only, so each port writes a small .npmrc instead of passing a flag. The prior PNPM_TEST_IMPORT.md note labeling trust-policy a "pnpm-specific feature" was wrong — aube has it via crates/aube-resolver/src/trust.rs; the only thing missing was the fixture.

3. Peer-deps-warning (misc.ts:541, covers pnpm/pnpm#8538). Strict-mode variant. pnpm asserts status=0 + the warning string — pnpm warns by default. aube is silent by default (matching bun/npm/yarn) and strict-peer-dependencies=true is the only mode that surfaces the same \"Issues with peer dependencies found\" line, routed through a hard-fail rather than warn-and-succeed. The regression guard — that the peer-deps diagnostic renderer doesn't crash when peers are missing — is preserved either way. @udecode/plate-* substituted with the mirrored @pnpm.e2e/abc-parent-with-missing-peers.

misc.ts port count: 10/37 → 18/37.

Test plan

• mise run test:bats test/pnpm_install_misc.bats — all 18 tests pass, including the new circular-peers, six trust-policy, and peer-deps-warning ports
• mise run test:bats test/peer_deps.bats — 15 tests still green (the existing strict-peer-dependencies coverage at peer_deps.bats:297 stays as the single-package counterpart to the new misc.ts:541 port)

🤖 Generated with Claude Code

---

Note

Low Risk
Low risk: changes are limited to adding test cases and offline registry fixture data; no production logic is modified. Main risk is potential test flakiness from timeout availability and new trust-policy fixture assumptions.

Overview
Adds new pnpm-parity bats coverage in test/pnpm_install_misc.bats for circular peer dependency termination (aube install --lockfile-only), trust-policy enforcement (no-downgrade/off/exclude/ignore-after, including optional-dep behavior via .npmrc), and strict peer-dependency diagnostics (ensuring the warning renderer doesn’t crash).

Updates test/PNPM_TEST_IMPORT.md progress notes accordingly and mirrors a new offline registry fixture @pnpm/e2e.test-provenance (versions 0.0.0, 0.0.4, 0.0.5) to support the trust-policy test matrix.

^{Reviewed by Cursor Bugbot for commit ea11683. Bugbot is set up for automated code reviews on this repo. Configure here.}

[greptile-apps]

Greptile Summary

Ports eight tests from pnpm/test/install/misc.ts into test/pnpm_install_misc.bats: one circular-peer-deps termination guard, six trust-policy variants (no-downgrade, off, exclude-by-version, exclude-by-name, optional-dep, ignore-after), and one strict-peer-deps diagnostic render test. Extends the offline registry with @pnpm/e2e.test-provenance at three versions carrying the appropriate SLSA provenance / trustedPublisher metadata.

The timeout fallback logic (probe timeout → gtimeout → uncovered) and the trust-policy-ignore-after static-timestamp approach are both sound. The only minor discrepancy is that the PR description cites the port count as "10/37 → 18/37" while the committed PNPM_TEST_IMPORT.md correctly shows 12/37 → 20/37.

Confidence Score: 5/5

Safe to merge — no product code changed, tests are self-contained, and registry metadata is well-structured.

All changes are bats tests and offline registry fixtures. The circular-peers timeout probe, trust-policy .npmrc writes, and static publication timestamps for trust-policy-ignore-after are all correct. No P0 or P1 findings.

No files require special attention.

Important Files Changed

Filename	Overview
test/pnpm_install_misc.bats	Adds 8 new bats tests covering circular peer deps termination, six trust-policy variants, and strict-peer-deps warning rendering; logic is sound and the timeout fallback probe is correctly implemented.
test/PNPM_TEST_IMPORT.md	Updates port count from 12/37 to 20/37 and documents the three newly ported test groups; removes the stale "still need fixtures" note. Note: PR description prose cites 10/37 → 18/37, which is wrong — the actual change is 12 → 20.
test/registry/storage/@pnpm/e2e.test-provenance/package.json	New offline registry metadata for @pnpm/e2e.test-provenance at 0.0.0/0.0.4/0.0.5; 0.0.4 has SLSA provenance + trustedPublisher fields, 0.0.5 deliberately lacks them, dist-tags.latest correctly points to the untrusted version, and the publication timestamps are static 2025-11-09 dates suitable for trust-policy-ignore-after tests.

_{Reviews (5): Last reviewed commit: "test(install): port pnpm peer-deps-warni..." | Re-trigger Greptile}

[github-actions]

Benchmark changes

Versions:

• aube: 1.5.1 -> 1.5.2
• pnpm: 11.0.2 -> 11.0.3

Public ratios: warm installs vs Bun 4x -> 9x; warm installs vs pnpm 5x -> 13x.

Benchmark	aube	bun	pnpm
Fresh install (warm cache)	1021ms -> 225ms (-78%)	4134ms -> 2086ms (-50%)	4717ms -> 2849ms (-40%)
CI install (warm cache, GVS disabled)	2920ms -> 376ms (-87%)	3396ms -> 2040ms (-40%)	4864ms -> 2831ms (-42%)
CI install (cold cache, GVS disabled)	10801ms -> 4705ms (-56%)	10012ms -> 4983ms (-50%)	9722ms -> 4696ms (-52%)

ea11683 vs da78de8 | aube/bun/pnpm | 3 scenarios | 3 runs | 500mbit/50ms | generated by Codex.