test(install): port four allowBuilds review tests from pnpm lifecycleScripts.ts

[jdx]

Summary

Four ports from pnpm/test/install/lifecycleScripts.ts into test/lifecycle_scripts.bats, bumping the row in PNPM_TEST_IMPORT.md from 8/21 → 12/21:

1. misc.ts:226 — aube add under strictDepBuilds=true against an unreviewed registry build script fails. Asserts the dep + lockfile + review placeholder are still written so the user can flip and re-run.
2. misc.ts:260 — auto-populated allowBuilds review placeholder lands in package.json#aube.allowBuilds when no workspace yaml is present.
3. misc.ts:268 — placeholder merges with pre-existing allowBuilds entries in pnpm-workspace.yaml without clobbering them.
4. misc.ts:303 — strictDepBuilds=true still fails when side-effects are already cached in the store (regression for pnpm/pnpm#11035).

Aube divergences (translated, not silently elided)

• Placeholder format: aube writes the literal boolean false; pnpm writes the string "set this to true or false". Same review-required semantic — aube's value is more directly readable by automation.
• Strict-dep-builds error: aube reads dependencies with build scripts must be reviewed before install; pnpm reads Ignored build scripts:.
• Setting surface: aube has no --config.strict-dep-builds=true CLI flag; the test reads it via .npmrc (appended to preserve the registry= line that _common_setup writes when AUBE_TEST_REGISTRY is set).

Remaining tests classified

Updates the doc row to split the 9 untouched cases into actionable buckets so future port PRs don't re-discover the same blockers:

• Fixture/setup blocked: rollback-dep-on-build-failure (108), node-gyp on PATH (128), repeat-install warning preservation (245 — aube short-circuits at the freshness check), git-dep prepare under dangerouslyAllowAllBuilds (336).
• Aube-feature blocked: --allow-build=<pkg> CLI flag (149, 164, 347), verify-deps-before-run recursion (179, 200), selective aube rebuild <pkg> (282).
• Already covered: installation-fails-on-lifecycle-script-error (17 — aube's lifecycle_scripts.bats:187 covers the same contract).

Test plan

• mise run test:bats test/lifecycle_scripts.bats — 25/25 green (21 prior + 4 new)
• cargo fmt --check

---

Note

Medium Risk
Touches lifecycle-script gating by changing how unreviewed allowBuilds entries are written and by adding a flag that can enable dependency scripts during aube add, so mistakes could inadvertently run builds or persist approvals in the wrong config file.

Overview
Adds aube add --allow-build=<pkg> to pre-approve specific dependency lifecycle scripts by writing allowBuilds.<pkg>=true to the workspace YAML (or package.json#aube.allowBuilds) before install, with a hard error if the package is explicitly denied and a clap-level conflict with --no-save.

Changes strict-dep-builds seeding from allowBuilds: false to pnpm’s canonical review placeholder string ("set this to true or false"), updates parsing/serialization to preserve string values verbatim across JSON/YAML, and teaches build-policy parsing to treat the placeholder as “unreviewed” without emitting warnings.

Updates approve-builds, install paths, CLI docs/spec (aube.usage.kdl, docs/cli/add.md, commands.json), and expands Bats coverage around placeholder seeding/merging, strictDepBuilds behavior, and --allow-build conflicts (including --filter root writes).

^{Reviewed by Cursor Bugbot for commit d13f310. Bugbot is set up for automated code reviews on this repo. Configure here.}

[greptile-apps]

Greptile Summary

This PR introduces aube add --allow-build=<pkg> for selectively pre-approving dependency lifecycle scripts, replaces the install-time allowBuilds seed value from false to pnpm's canonical "set this to true or false" placeholder string (via the new AllowBuildsWriteMode enum), and ports 7 pnpm lifecycleScripts.ts tests plus adds 2 aube-specific regression tests (workspace-filter path and --no-save conflict). The previously flagged issue of the conflict check running after update_manifest_for_add has been fixed — apply_allow_build_flags now runs before any manifest mutation in both the direct and filtered code paths.

Confidence Score: 5/5

Safe to merge — no P0/P1 issues found; the prior conflict-ordering bug has been addressed and is pinned by a new test.

All changes are well-covered by unit and bats tests (25/25 green per the PR). The AllowBuildsWriteMode refactor is a clean enum-for-bool replacement with no hidden branching changes. The namespace handling in pnpm_allow_builds() correctly merges both pnpm.* and aube.* sources, so the conflict check in apply_allow_build_flags is complete. No security-sensitive code paths are affected.

No files require special attention.

Important Files Changed

Filename	Overview
crates/aube-manifest/src/workspace.rs	Introduces AllowBuildsWriteMode enum and ALLOW_BUILDS_REVIEW_PLACEHOLDER constant; replaces the bool parameter in add_to_allow_builds/write_allow_builds_yaml with the enum; adds verbatim string handling for YAML to match the JSON side; well-covered by existing + new unit tests.
crates/aube-manifest/src/lib.rs	Adds Value::String arm to AllowBuildRaw::from_json with a clear regression comment; pnpm_allow_builds() already reads from both pnpm.* and aube.* namespaces so the conflict check in apply_allow_build_flags is complete; new round-trip unit test is well-targeted.
crates/aube/src/commands/add.rs	Adds allow_build: Vec<String> to AddArgs, implements apply_allow_build_flags, and correctly places the conflict check + approval write BEFORE update_manifest_for_add in both the direct and run_filtered paths, addressing the ordering bug from the prior review.
crates/aube-scripts/src/policy.rs	Adds a continue branch for the canonical placeholder string in BuildPolicy, keeping placeholder-seeded packages out of the allowed-builds set without emitting a spurious UnsupportedValue warning; other strings still warn as before.
test/lifecycle_scripts.bats	Adds 9 new bats tests covering: allowBuilds placeholder seeding, merge with existing approvals, strictDepBuilds failures, cached-side-effects regression, --allow-build flag (selective approval, bare flag rejection, workspace-filter path, --no-save conflict, explicit-false conflict); quote-agnostic grep patterns used where serializer quoting style may vary.
test/approve_builds.bats	One existing test updated: assertion string changed from false boolean to the canonical placeholder string, matching the new ReviewPlaceholder write mode.
aube.usage.kdl	Adds --allow-build <PKG> flag definition with long help text describing the pnpm mirror, conflict with --no-save, and the explicit-deny guard.
test/PNPM_TEST_IMPORT.md	Updates ported-test count from 8/21 to 15/21 and fills in actionable buckets for the remaining 6 cases; PR title says 'four ports' but the doc and diff reflect 7 newly-ported pnpm cases (226, 260, 268, 303, 149, 164, 347).
crates/aube/src/commands/install/mod.rs	Mechanical update: two call-sites of add_to_allow_builds switched from false to AllowBuildsWriteMode::ReviewPlaceholder; no logic change.
crates/aube/src/commands/approve_builds.rs	Two call-sites updated to AllowBuildsWriteMode::Approve; no logic change.

_{Reviews (5): Last reviewed commit: "fix(cli): apply --allow-build in the wor..." | Re-trigger Greptile}

[github-actions]

Benchmark changes

Versions:

• aube: 1.5.1 -> 1.5.2
• pnpm: 11.0.2 -> 11.0.3

Public ratios: warm installs vs Bun 4x -> 9x; warm installs vs pnpm 5x -> 11x.

Benchmark	aube	bun	pnpm
Fresh install (warm cache)	1021ms -> 244ms (-76%)	4134ms -> 2121ms (-49%)	4717ms -> 2640ms (-44%)
CI install (warm cache, GVS disabled)	2920ms -> 907ms (-69%)	3396ms -> 2254ms (-34%)	4864ms -> 2431ms (-50%)
CI install (cold cache, GVS disabled)	10801ms -> 4043ms (-63%)	10012ms -> 4229ms (-58%)	9722ms -> 4909ms (-50%)

d13f310 vs 400c56a | aube/bun/pnpm | 3 scenarios | 3 runs | 500mbit/50ms | generated by Codex.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit a135cfd. Configure here.}