feat(cli): aube add accepts git-spec arguments

[jdx]

Summary

• New git-spec branch in parse_pkg_spec routes bare user/repo, github:/gitlab:/bitbucket:, git+https://, git+ssh://, scp form, and aliased myname@<git-spec> through a manifest-write path that skips the registry packument fetch and version-resolution loop. The chained aube install clones the repo and writes the lockfile entry on its own.
• Manifest-key heuristic uses the trailing path segment of the parsed clone URL with .git stripped: kevva/is-negative -> is-negative, git+https://github.com/owner/some-pkg.git -> some-pkg. When the package's published name differs from the repo (e.g. microsoft/vscode-typescript publishes as typescript), users supply the alias explicitly via aube add typescript@microsoft/vscode-typescript.
• Three network-gated end-to-end ports in test/pnpm_update_slow.bats restore the dropped kevva/is-negative assertions for pnpm/test/update.ts:143/170/197 — each exercises aube add kevva/is-negative alongside registry deps and confirms the github shorthand survives aube update --latest / -E / -L <name>.

Completes the GitHub-shorthand work end-to-end. The parser-side prerequisite landed in #472 (parse_git_spec recognizes bare user/repo, update.rs skips git specs in the manifest-rewrite loop); this PR is the CLI add path.

Test plan

• cargo test --workspace — 611+ tests pass
• cargo clippy --all-targets -- -D warnings — clean
• cargo fmt --check — clean
• 11 new unit tests in commands::add::tests covering bare shorthand, github: protocol, git+https:// (with and without .git), committish preservation, aliased forms (bare + protocol), scoped pkg / relative path / single-token negatives, scp form
• mise run test:bats test/pnpm_install_misc.bats — 30/30 (bare aube add regression — aube add with no args still errors as before)
• mise run test:bats test/pnpm_update.bats — 22/22 offline tests pass
• AUBE_NETWORK_TESTS=1 mise run test:bats test/pnpm_update_slow.bats — 4/4 (existing regression guard + 3 new restored ports)

---

Note

Medium Risk
Adds new parsing and manifest-write behavior for git-based dependencies, which changes how aube add interprets common user/repo-style inputs and bypasses registry resolution; mistakes here could write incorrect dependency keys/specs to package.json. Coverage includes new unit tests and network-gated end-to-end bats tests to reduce regression risk.

Overview
aube add now recognizes git dependency specs (e.g. bare user/repo, github:/gitlab:/bitbucket:, git+https:///git+ssh://, scp form, and myalias@<git-spec>), derives a manifest key from the repo URL’s last path segment, and writes the verbatim git spec into package.json for install-time resolution.

The add pipeline skips registry packument fetch/version resolution and catalog handling for git specs, reuses a shared helper to consistently scrub/insert the dependency into the correct dep section, and adds unit + network-gated bats tests to validate that git shorthands survive aube update --latest flows.

^{Reviewed by Cursor Bugbot for commit 7249ec4. Bugbot is set up for automated code reviews on this repo. Configure here.}

[greptile-apps]

Greptile Summary

This PR completes the GitHub-shorthand (user/repo, github:, gitlab:, bitbucket:, git+https://, git+ssh://, SCP form) end-to-end by wiring the new parse path into aube add, writing the verbatim spec to package.json, and skipping the packument/registry loop entirely. The apply_dep_to_section refactor cleanly consolidates the three manifest-write paths (registry, workspace, git) into one place.

Confidence Score: 5/5

Safe to merge — no logic or data-integrity regressions found; changes are well-isolated and covered by unit + bats tests.

All findings are P2 (style/test-coverage); no P0 or P1 issues identified. The git-spec parsing, manifest-write path, section-scrub logic, and catalog-bypass warning are all correct.

No files require special attention.

Important Files Changed

Filename	Overview
crates/aube/src/commands/add.rs	Adds git-spec parsing to parse_pkg_spec, introduces git_spec_manifest_key for URL→repo-segment derivation, applies apply_dep_to_section refactor across registry/workspace/git paths, and adds apply_git_spec_to_manifest with --save-catalog warning. Logic is correct; 11 new unit tests cover the key forms.
test/pnpm_update_slow.bats	Three new network-gated end-to-end tests restore kevva/is-negative assertions from pnpm/test/update.ts:143/170/197; teardown correctly adds @pnpm.e2e/foo to the git-restore list. Test structure and assertions are sound.
test/PNPM_TEST_IMPORT.md	Status entries for update.ts:14/143/170/197 and the parser-side work updated from 'partially landed' to 'done'; accurately reflects what this PR delivers.

_{Reviews (4): Last reviewed commit: "test: restore @pnpm.e2e/foo dist-tag in ..." | Re-trigger Greptile}

[github-actions]

Benchmark changes

Public ratios: warm installs vs Bun 7x -> 8x; warm installs vs pnpm 11x -> 13x.

Benchmark	aube	bun	pnpm
Fresh install (warm cache)	332ms -> 202ms (-39%)	2242ms -> 1655ms (-26%)	3500ms -> 2606ms (-26%)
CI install (warm cache, GVS disabled)	930ms -> 433ms (-53%)	1447ms -> 1855ms (+28%)	2475ms -> 2487ms (+0%)
CI install (cold cache, GVS disabled)	4364ms -> 3969ms (-9%)	4083ms -> 3981ms (-2%)	5380ms -> 5037ms (-6%)

7249ec4 vs 56a5651 | aube/bun/pnpm | 3 scenarios | 3 runs | 500mbit/50ms | generated by Codex.

[jdx]

Addressed all three review comments in 8a7485a:

1. Greptile P2 (--save-catalog silently ignored for git specs): apply_git_spec_to_manifest now tracing::warn!s when opts.save_catalog.is_some(), with the rationale (catalogs only apply to versioned registry deps).
2. Greptile P2 (discarded _name binding): replaced if let Some(_name) = git_spec_manifest_key(after) with if git_spec_manifest_key(after).is_some() and added a comment explaining the alias is the manifest key.
3. Cursor low (triplicated scrub-and-insert): extracted apply_dep_to_section(manifest, name, spec, opts) helper, replaced all three call sites (registry, workspace:, git-spec). Net -33 LOC, dep-section rules live in one place.

Verified: cargo build/clippy/fmt clean, cargo test -p aube commands::add 25 pass, mise run test:bats test/pnpm_update.bats 22/22, mise run test:bats test/pnpm_install_misc.bats 30/30.

Written with Claude.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 8a7485a. Configure here.}

[jdx]

Addressed Cursor's medium-severity finding in 192cabe: added @pnpm.e2e/foo/package.json to the slow file's teardown git checkout list, mirroring the existing entries for bar / dep-of-pkg-with-1-dep / qar. The third slow test mutates foo's latest dist-tag via add_dist_tag but the restore step was missing — would leave the on-disk fixture polluted across runs.

The other Cursor comment ("Triplicated dependency scrub-and-insert") is a stale re-attachment from commit 46e550e — it was already addressed by the apply_dep_to_section extraction in 8a7485a (which got -33 LOC consolidating all three call sites into the helper).

Written with Claude.

[jdx]

Superseded by #483 — same feature (aube add accepting git specs), more recent iteration with full review coverage. Closing in favor of that PR.

Written with Claude.