fix(install): handle workspace scripts and pnpm aliases

[jdx]

Summary

• Run workspace importer lifecycle hooks during recursive workspace installs, not just root hooks.
• Merge build-script allowlists from linked workspace manifests so member onlyBuiltDependencies can approve their dependency builds.
• Write pnpm-lock.yaml npm aliases in pnpm's native shape while keeping aube-lock.yaml's internal aliasOf round-trip.

Root Cause

aube install collected all workspace importers for resolution/linking, but lifecycle execution and build policy construction still used only the root manifest. The pnpm writer also reused aube's internal alias metadata in pnpm-lock.yaml, which produced extra aliasOf fields instead of pnpm's native <real>@<version> alias encoding.

Validation

• cargo fmt --check
• cargo test -p aube-lockfile write_pnpm_lockfile_uses_native_alias_shape -- --nocapture
• cargo test -p aube-lockfile npm_alias -- --nocapture
• mise run test:bats test/lifecycle_scripts.bats --filter 'workspace install runs member postinstall hooks|workspace member onlyBuiltDependencies'
• mise run test:bats test/install.bats --filter 'npm-alias'
• cargo clippy -p aube -p aube-lockfile --all-targets -- -D warnings

Note: the full test/lifecycle_scripts.bats file still has two unrelated existing/environment failures in this checkout: dep postinstall can invoke a transitive-dep bin by bare name and the registry-backed aube add --allow-build=<pkg> writes to workspace root under --filter.

---

Note

Medium Risk
Changes installation-time lifecycle execution and build-policy merging across workspace members, which can affect which scripts run (and in what order) during workspace installs. Also changes pnpm-lock.yaml alias serialization, which could impact lockfile round-trips and dependency resolution if edge cases were missed.

Overview
During recursive/workspace installs, aube install now runs project lifecycle hooks (preinstall/install/postinstall/prepare) for each linked workspace importer (in dependency order) instead of only the workspace root, and it builds the dependency build-script policy by merging pnpm.allowBuilds/onlyBuiltDependencies/neverBuiltDependencies across all participating manifests (with deny winning on conflicts).

pnpm-lock.yaml writing now emits npm aliases in pnpm’s native encoding (alias version: points at <real>@<resolved> and lockfile keys/snapshots use the real package name), while keeping aube’s internal aliasOf metadata for non-pnpm-lock.yaml outputs; parsing is hardened to resolve alias targets even when peer suffixes are present. Adds targeted Rust unit tests plus Bats integration tests covering workspace lifecycle execution and member onlyBuiltDependencies behavior.

^{Reviewed by Cursor Bugbot for commit 5701829. Bugbot is set up for automated code reviews on this repo. Configure here.}

[greptile-apps]

Greptile Summary

This PR fixes three related issues in workspace installs: lifecycle hooks now run for every physical workspace importer in topological dependency order rather than only the root; build policy (allowBuilds/onlyBuiltDependencies/neverBuiltDependencies) is now merged across all linked workspace manifests with deny-wins semantics; and the pnpm lockfile writer emits npm aliases in pnpm's native real@version shape instead of leaking aube's internal aliasOf field. The changes are well-tested with new Rust unit tests and bats integration tests covering the key scenarios including peer-suffix alias deps.

Confidence Score: 5/5

Safe to merge; only finding is a P2 quality concern about silent cycle handling in the topological sort.

All three bug fixes are correctly implemented, well-tested, and the logic is sound. The single comment is a P2 about missing diagnostics in an edge case (cyclic workspace deps) that pnpm itself would reject as invalid. No P0 or P1 issues found.

No files require special attention; the topological sort fallback in mod.rs at the cycle-detection boundary is the only item worth revisiting.

Important Files Changed

Filename	Overview
crates/aube-lockfile/src/pnpm.rs	Adds native pnpm alias encoding (alias → real@version) to the pnpm-lock.yaml writer; introduces peerless_dep_path/peerless_alias_target helpers for peer-context alias lookup in both write and parse paths; guards alias_of emission on non-pnpm lockfiles; new regression test for the native shape with peer-suffix dep entries.
crates/aube/src/commands/install/lifecycle.rs	Refactors build policy construction into build_policy_from_manifest_sources, merging pnpm.allowBuilds/onlyBuiltDependencies/neverBuiltDependencies across all workspace importers with deny-wins semantics; adds merge_allow_build helper and unit test for conflict resolution.
crates/aube/src/commands/install/mod.rs	Moves preinstall lifecycle hook execution to run for every physical workspace importer (not just root), backed by a new topological sort (order_lifecycle_manifests) and importer_project_dir helper; post-install hooks similarly updated; build policy now uses lifecycle_manifests instead of root manifest alone. Silent cycle fallback in topological sort is a minor concern.
test/lifecycle_scripts.bats	Adds two bats integration tests: one verifying workspace member postinstall hooks run after member deps are linked, and one verifying that a member's onlyBuiltDependencies allowlist permits a local file dep's postinstall.

_{Reviews (3): Last reviewed commit: "fix(install): run workspace lifecycle sc..." | Re-trigger Greptile}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit f362657. Configure here.}