feat(yarn): support berry patch protocol #728

Merged: jdx merged 2 commits into main from codex/add-yarn-patch-support on May 17, 2026
@jdx (Owner) commented May 15, 2026

Summary

  • parse Yarn Berry patch: resolution entries into aube's patched dependency map instead of skipping them
  • feed lockfile-declared patches into install/link materialization so local Yarn patch files are applied
  • preserve patch: specs when writing Berry lockfiles and document the supported protocol
  • add a Yarn patch fixture plus parser, writer, loader, and install regression coverage

Validation

  • cargo test -p aube-lockfile test_parse_berry_patch_protocol
  • cargo test -p aube-lockfile test_write_berry_roundtrips_patch_protocol
  • cargo test -p aube load_reads_lockfile_patched_dependencies
  • cargo build -p aube
  • ./test/bats/bin/bats test/import.bats --filter 'aube install applies yarn berry patch protocol'
  • cargo fmt --check
  • git diff --check
  • cargo clippy --all-targets -- -D warnings

Note

Medium Risk
Adds support for Yarn Berry patch: dependencies, affecting lockfile parsing/writing and patch application during install; risk is mainly incorrect patch resolution or caching causing wrong package contents to be linked.

Overview
Adds end-to-end support for Yarn Berry patch: protocol entries: the Berry parser now records patched packages into LockfileGraph.patched_dependencies (skipping builtin patches), and the Berry writer preserves patch: specs in headers/resolutions and dependency maps for round-trip fidelity.

Install/link now passes lockfile-declared patched dependencies into load_patches_for_linker, which merges lockfile + manifest/workspace patch sources and caches by (cwd, patched_dependencies) so Yarn patch files are applied during materialization. Adds unit/integration coverage plus a fixtures/import-yarn-patch fixture, updates docs to list patch: as supported, and adds a bats regression test verifying the patch is applied at runtime.

Reviewed by Cursor Bugbot for commit 35f9255. Bugbot is set up for automated code reviews on this repo.

greptile-apps (Bot, Contributor) commented May 15, 2026

Greptile Summary

This PR adds end-to-end support for Yarn Berry's patch: protocol: the parser extracts local patch paths from lockfile resolution entries into LockfileGraph.patched_dependencies, the writer preserves the original manifest spec (including ::version=…&hash=…) via a patch_specs side-map, and load_patches_for_linker merges lockfile-declared patches into the materializer.

  • Parse: patch_protocol_path extracts the project-relative path from the #-fragment; built-in patches (~builtin<…>) return None and are skipped. Both the is_safe_patch_rel path guard and split_patch_key validation apply to lockfile-sourced paths.
  • Write: patch_spec_matches checks whether a manifest spec's path matches the stored lockfile path; when it matches, berry_exact_spec returns the full manifest spec so the header round-trips without duplication.
  • Install: All three load_patches_for_linker call sites now pass graph.patched_dependencies; the static cache key widens to (PathBuf, BTreeMap<String,String>) so different patch sets remain independent.

Confidence Score: 5/5

Safe to merge; the new patch-loading path goes through the same safety guards as the existing pnpm/bun patch code, and both issues raised in prior rounds are addressed.

Built-in patch detection and path-traversal guards are correctly wired end-to-end. The patch_specs mechanism reliably preserves the full manifest spec for the typical Yarn-generated case where both the lockfile and package.json use the same path format. The remaining ./-normalization edge case degrades to the old behaviour rather than causing a hard failure or data loss.

No files require special attention; both observations are in the round-trip writer path and do not affect patch application at install time.

Important Files Changed

| Filename | Overview |
| --- | --- |
| crates/aube-lockfile/src/yarn/berry.rs | Core parse/write changes: adds patch_protocol_path, patch_spec_matches, patch_spec_path, and extends berry_exact_spec/write_berry_dep_map to preserve patch specs; builtin patch detection and path safety guards are in place |
| crates/aube/src/patches.rs | Extends load_patches_for_linker to accept lockfile_patched_dependencies, merges them at lowest priority, widens the cache key; is_safe_patch_rel guard applies to all paths including lockfile-sourced ones |
| crates/aube-lockfile/src/yarn/tests.rs | Adds test_parse_berry_patch_protocol, test_parse_berry_skips_builtin_patch_protocol, and test_write_berry_roundtrips_patch_protocol covering parse, builtin skip, and round-trip write |
| crates/aube/src/commands/install/mod.rs | Two call sites updated to pass graph.patched_dependencies; all three callers now use the lockfile-aware version |
| fixtures/import-yarn-patch/yarn.lock | Fixture lockfile omits the ::version=...&hash=... suffix and ./ prefix that real Yarn Berry writes; consistent with the fixture package.json so tests pass |
| test/import.bats | Integration test verifies patched is-number behaviour (only true for 42) after aube install |

Reviews (3): Last reviewed commit: "fix(yarn): handle berry patch edge cases"
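
An added example, not code from this PR or from aube: a minimal sketch of the parse-side behaviour the summary above describes (path taken from the `#` fragment, `~builtin<…>` skipped, `./` prefix and `::version=…&hash=…` suffix tolerated, a traversal guard applied to lockfile-sourced paths). The function names are borrowed from the summary, but their bodies, the exact guard rules and the sample resolutions are assumptions constructed for illustration.

```rust
use std::path::{Component, Path};

/// Hypothetical re-implementation: return the project-relative patch file
/// named by a Berry `patch:` resolution, or None if there is nothing safe to load.
fn patch_protocol_path(resolution: &str) -> Option<String> {
    // Text after the first `@patch:`; the package name before it may contain '@'.
    let rest = resolution.split_once("@patch:")?.1;
    // The inner locator is percent-encoded, so the first '#' starts the fragment.
    let fragment = rest.split_once('#')?.1;
    // Drop the optional `::version=…&hash=…` parameters.
    let source = fragment.split_once("::").map_or(fragment, |(p, _)| p);
    if source.starts_with("~builtin<") {
        return None; // built-in patch: no file on disk to apply
    }
    let rel = source.strip_prefix("./").unwrap_or(source);
    is_safe_patch_rel(rel).then(|| rel.to_string())
}

/// Assumed guard: only plain path segments, so the path cannot be absolute
/// or climb out of the project root with `..`.
fn is_safe_patch_rel(rel: &str) -> bool {
    !rel.is_empty()
        && !rel.contains('\\')
        && Path::new(rel).components().all(|c| matches!(c, Component::Normal(_)))
}

fn main() {
    // Constructed sample resolutions; versions and hashes are made up.
    let samples = [
        "is-number@patch:is-number@npm%3A7.0.0#./patches/is-number.patch::version=7.0.0&hash=abc123",
        "is-number@patch:is-number@npm%3A7.0.0#patches/is-number.patch",
        "resolve@patch:resolve@npm%3A1.22.0#~builtin<compat/resolve>::version=1.22.0&hash=abc123",
        "pkg@patch:pkg@npm%3A1.0.0#../../outside.patch::version=1.0.0&hash=abc123",
        "pkg@patch:pkg@npm%3A1.0.0#/tmp/outside.patch",
    ];
    for s in samples {
        println!("{s} -> {:?}", patch_protocol_path(s));
    }
}
```

The first two samples resolve to the same relative path, which is the `./`-prefix and suffix difference the fixture row in the table mentions; the last three are rejected before any file is opened.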

Comment thread crates/aube-lockfile/src/yarn/berry.rs
Comment thread crates/aube-lockfile/src/yarn/berry.rs
@jdx force-pushed the codex/add-yarn-patch-support branch from b80d3d3 to 35f9255 on May 15, 2026 20:03
@jdx merged commit 4282224 into main on May 17, 2026
18 checks passed
@jdx deleted the codex/add-yarn-patch-support branch on May 17, 2026 14:57