feat(cli): emit pnpm's verbatim error for empty --allow-build values

[jdx]

Summary

Both --allow-build= (explicit empty equals) and bare --allow-build (no value, no following arg) now error with pnpm's byte-identical message:

The --allow-build flag is missing a package name. Please specify the package name(s) that are allowed to run installation scripts.

Previously, both forms exited non-zero — but with clap's default a value is required for '--allow-build <PKG>' instead of pnpm's wording. Scripts that grep pnpm's stderr for the verbatim error line wouldn't survive a swap to aube.

Implementation

A value_parser = parse_allow_build_value rejects the empty string with pnpm's exact text. clap's num_args = 0..=1 plus default_missing_value = "" route the bare form through the same validator, so a single source of truth covers both shapes.

fn parse_allow_build_value(s: &str) -> Result<String, String> {
    if s.is_empty() {
        Err("The --allow-build flag is missing a package name. \
             Please specify the package name(s) that are allowed to run installation scripts."
            .to_string())
    } else {
        Ok(s.to_string())
    }
}

Test plan

• Tightens the existing L164 port (which was loosely asserting --allow-build substring in clap's default error) to assert pnpm's verbatim wording. Renamed to reflect the actual contract.
• Adds a companion port for the explicit-empty --allow-build= form, asserting the same wording and that the manifest stays untouched.
• mise run test:bats test/lifecycle_scripts.bats — 31/31 green
• cargo test --workspace — 0 failures
• cargo clippy --all-targets -- -D warnings clean
• mise run render — regenerated aube.usage.kdl + docs/cli/add.md + docs/cli/commands.json

Sanity

$ aube add --allow-build=
error: invalid value '' for '--allow-build [<PKG>]': The --allow-build flag is missing a package name. Please specify the package name(s) that are allowed to run installation scripts.

$ aube add some-pkg --allow-build
error: invalid value '' for '--allow-build [<PKG>]': The --allow-build flag is missing a package name. Please specify the package name(s) that are allowed to run installation scripts.

$ aube add --allow-build=foo --allow-build=bar somepkg     # happy path still works
Resolving somepkg@latest...

🤖 Generated with Claude Code

---

Note

Medium Risk
Changes aube add CLI parsing for --allow-build, including enforcing --allow-build=<pkg> and emitting a new error message for missing values, which may affect existing scripts that relied on clap’s previous parsing/error output.

Overview
Aligns aube add --allow-build with pnpm by rejecting both bare --allow-build and --allow-build= using pnpm’s byte-identical missing-package error.

Updates clap arg configuration to force --allow-build=<pkg> (via require_equals, num_args, and default_missing_value) and adds a dedicated validator, plus extends/adjusts Bats tests and regenerated CLI docs/usage artifacts to cover the new error behavior and prevent positional-arg swallowing.

^{Reviewed by Cursor Bugbot for commit f3bbe5c. Bugbot is set up for automated code reviews on this repo. Configure here.}

[greptile-apps]

Greptile Summary

This PR aligns aube add --allow-build validation with pnpm by adding require_equals = true, num_args = 0..=1, default_missing_value = "", and a value_parser to the clap arg definition. Both the bare --allow-build and explicit-empty --allow-build= forms now fail with pnpm's byte-identical error message, and the require_equals constraint prevents the silent positional-argument-swallowing behaviour that existed previously. Docs, usage KDL, and bats tests are all updated consistently.

Confidence Score: 5/5

Safe to merge — changes are limited to argument parsing and error messaging with no effect on install logic.

Only P2 findings present (one stale test comment). Core implementation is correct: the clap attribute combination of require_equals, default_missing_value, and value_parser is the idiomatic way to cover both empty-value forms, and all three new bats tests validate the expected behaviour end-to-end.

No files require special attention.

Important Files Changed

Filename	Overview
crates/aube/src/commands/add.rs	Adds require_equals, num_args = 0..=1, default_missing_value = "", and a value_parser to the --allow-build arg, plus the parse_allow_build_value validator that emits pnpm's verbatim error on empty input. Implementation is correct and well-commented.
test/lifecycle_scripts.bats	Updates the existing bare-flag test to assert pnpm's verbatim wording; adds two new tests for --allow-build= and the argument-swallowing regression. One stale comment ("Place the flag last") remains from the pre-require_equals era.
aube.usage.kdl	Regenerated long_help for --allow-build now documents require_equals, default_missing_value, and the pnpm-wording contract. No issues.
docs/cli/add.md	Two new paragraphs document the empty-flag validation and the require_equals rationale. Matches the KDL source.
docs/cli/commands.json	Generated file; help_long updated to match the new KDL content. No issues.

_{Reviews (2): Last reviewed commit: "fix(cli): require `=` syntax for --allow..." | Re-trigger Greptile}

[github-actions]

Benchmark changes

Versions:

• aube: 1.5.1 -> 1.5.2
• pnpm: 11.0.2 -> 11.0.3

Public ratios: warm installs vs Bun 4x -> 11x; warm installs vs pnpm 5x -> 13x.

Benchmark	aube	bun	pnpm
Fresh install (warm cache)	1021ms -> 198ms (-81%)	4134ms -> 2158ms (-48%)	4717ms -> 2563ms (-46%)
CI install (warm cache, GVS disabled)	2920ms -> 400ms (-86%)	3396ms -> 2048ms (-40%)	4864ms -> 2433ms (-50%)
CI install (cold cache, GVS disabled)	10801ms -> 4237ms (-61%)	10012ms -> 4468ms (-55%)	9722ms -> 4305ms (-56%)

f3bbe5c vs 60ff453 | aube/bun/pnpm | 3 scenarios | 3 runs | 500mbit/50ms | generated by Codex.