
feat(pnpm): catch up with pnpm 11 parity #761

Merged
jdx merged 10 commits into main from feat/pnpm-11-parity on May 25, 2026

Conversation

jdx (Owner) commented May 20, 2026

Summary

  • add pnpm 11 lockfile parity for hosted git metadata and non-derivable tarball URLs
  • preserve hosted git tarball integrity through resolver output
  • honor auditConfig.ignoreGhsas / ignoreCves and align publish JSON output with npm/pnpm shape
  • accept NPM_ID_TOKEN for publish provenance detection
  • clean up one clippy assertion on current main

Validation

  • cargo fmt --check
  • cargo check
  • cargo test -p aube-lockfile writer_
  • cargo test -p aube configured_audit_ignores_reads_ghsa_and_legacy_cve_keys
  • cargo test -p aube publish_json_single_uses_npm_compatible_object_shape
  • cargo clippy --all-targets -- -D warnings

This PR was generated by Codex.


Note

Medium Risk
Lockfile parse/write and resolver/git integrity paths affect installs and third-party pnpm lockfiles; publish JSON shape is a breaking change for consumers expecting a one-element array.

Overview
This PR brings pnpm 11 lockfile parity and several CLI/registry behaviors in line with npm/pnpm.

Lockfile (aube-lockfile) adds gitHosted / registry_git_hosted, preserves non-derivable registry tarball URLs (e.g. GitHub Packages), and improves git resolution round-trips via git_commits_match, importer dep_path rekeys, and fuller commit hashes from dep-path keys. Resolver/store reuse codeload cache integrity sidecars, carry git integrity into locked packages, and centralize SHA-512 in aube-store (drops base64 from aube-resolver).

CLI: audit merges auditConfig.ignoreGhsas / ignoreCves with --ignore; publish --json emits a single npm-shaped object (array only for multi-package publishes) with id, shasum, integrity, unpackedSize, etc.; provenance accepts NPM_ID_TOKEN; pack tracks unpacked_size for that JSON.

Reviewed by Cursor Bugbot for commit 0e86bad. Bugbot is set up for automated code reviews on this repo.
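The commit-matching rule the description refers to (git_commits_match, and promoting an abbreviated resolution commit to the full SHA carried by a dep-path key), as an added example in Rust. This is not the project's implementation: the 7-character minimum for an abbreviation, the "identical strings always match" rule and the `promote_commit` helper are assumptions made for the example, and the SHAs are constructed.

```rust
const FULL_SHA_LEN: usize = 40;
// Assumed floor for an abbreviation (git's default short-SHA length).
const MIN_ABBREV_LEN: usize = 7;

fn is_hex(s: &str) -> bool {
    !s.is_empty() && s.bytes().all(|b| b.is_ascii_hexdigit())
}

/// `true` when `a` and `b` can be the same commit without ambiguity:
/// identical strings, or a full 40-hex SHA paired with its own prefix.
/// Two differing abbreviations never match, even when one prefixes the
/// other, because neither side can prove which commit was meant.
pub fn git_commits_match(a: &str, b: &str) -> bool {
    let a = a.trim().to_ascii_lowercase();
    let b = b.trim().to_ascii_lowercase();
    if !is_hex(&a) || !is_hex(&b) || a.len() > FULL_SHA_LEN || b.len() > FULL_SHA_LEN {
        return false;
    }
    if a == b {
        return true;
    }
    match (a.len() == FULL_SHA_LEN, b.len() == FULL_SHA_LEN) {
        (true, false) => b.len() >= MIN_ABBREV_LEN && a.starts_with(&b),
        (false, true) => a.len() >= MIN_ABBREV_LEN && b.starts_with(&a),
        // Two different full SHAs, or two different abbreviations.
        _ => false,
    }
}

/// The fuller of two matching commit strings, for promoting an abbreviated
/// `resolution.commit` to the full SHA found in a dep-path key. Returns `None`
/// when the two do not unambiguously denote the same commit.
pub fn promote_commit(resolved: &str, from_dep_path: &str) -> Option<String> {
    if !git_commits_match(resolved, from_dep_path) {
        return None;
    }
    let pick = if from_dep_path.trim().len() >= resolved.trim().len() {
        from_dep_path
    } else {
        resolved
    };
    Some(pick.trim().to_ascii_lowercase())
}

fn main() {
    let full = "3f2a9c1d4e5b6a7f8091a2b3c4d5e6f7a8b9c0d1";
    println!("{}", git_commits_match(full, "3f2a9c1")); // true
    println!("{}", git_commits_match("3f2a9c1", "3f2a9c1d")); // false: both abbreviated
    println!("{:?}", promote_commit("3f2a9c1", full)); // Some(full SHA)
}
```

The security-relevant part is the last `match` arm: a lockfile that records `3f2a9c1` must not be treated as matching a resolver result of `3f2a9c1d`, because both are prefixes and a different commit could satisfy either one.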

Comment thread crates/aube-resolver/src/local_source.rs Outdated
greptile-apps (bot, Contributor) commented May 20, 2026

Greptile Summary

This PR adds pnpm 11 lockfile parity across several dimensions: gitHosted now flows through RemoteTarballSource.git_hosted and LockedPackage.registry_git_hosted; non-derivable registry tarball URLs (e.g. GitHub Packages) are preserved without requiring lockfileIncludeTarballUrl; transitive git deps gain full commit SHAs from dep-path keys via git_commit_from_dep_path_version; and the resolver reuses prior lockfile integrity for git deps via codeload sidecar files.

  • Lockfile: gitHosted round-trips for RemoteTarball, Git, and registry-keyed entries; dep-path rekeys are now propagated to DirectDep references; git resolution commit matching is tightened via git_commits_match.
  • CLI: aube audit now merges auditConfig.ignoreGhsas/ignoreCves from package.json with --ignore; aube publish --json emits a plain object for a single package and an array for multiple, matching npm/pnpm shape; NPM_ID_TOKEN is accepted as an OIDC token for Trusted Publishing.
  • Store: sha512_integrity is centralised in aube_store; codeload cache writes integrity sidecar files so warm-cache re-runs keep the same lockfile integrity.

Confidence Score: 5/5

Safe to merge; the lockfile read/write paths have comprehensive new tests and the changes are well-contained.

The gitHosted flag is correctly threaded through all three LockedPackage shapes (Git, RemoteTarball, registry-keyed), dep-path rekeys propagate to DirectDep references, and the codeload integrity sidecar mechanism ensures warm-cache re-runs emit consistent lockfiles. Each behavioral change is backed by a dedicated round-trip test. The audit and publish changes are straightforward and similarly tested.

The new fuzzy git-resolution matching in crates/aube-lockfile/src/pnpm/read.rs and the codeload fast-path in crates/aube-resolver/src/local_source.rs are the most complex paths; they have good test coverage but are worth a careful read during merge.

Important Files Changed

  • crates/aube-lockfile/src/pnpm/read.rs: Added fuzzy git resolution matching via git_commits_match, dep-path rekey propagation to DirectDep references, and full-SHA promotion from dep-path version fragment; logic is complex but well-exercised by new tests.
  • crates/aube-lockfile/src/pnpm/write.rs: Added gitHosted emission for Git, RemoteTarball, registry url-keyed, and registry non-derivable-tarball cases; tarball_url_is_hosted_git extended to include npm.pkg.github.com; existing tests verify round-trip fidelity.
  • crates/aube-lockfile/src/pnpm/tests.rs: 377 lines of new tests covering gitHosted emission, direct/transitive git resolution integrity, non-derivable registry tarball URL preservation, and round-trip of registry-keyed gitHosted flag.
  • crates/aube-lockfile/src/source.rs: Added git_commits_match function and git_hosted field to RemoteTarballSource; helper correctly handles full-SHA / abbreviated-SHA prefix pairs while rejecting ambiguous two-abbreviated-SHA comparisons.
  • crates/aube-resolver/src/local_source.rs: Added codeload cache-hit fast path that skips re-download when git.integrity is already known; fresh-fetch path writes integrity to sidecar and returns it; attach_integrity_to_git_source guard correctly prevents overwriting existing integrity.
  • crates/aube-resolver/src/resolve/driver.rs: Added attach_integrity_to_git_source (only fills missing integrity, never clobbers) and existing_local_source_integrity_matches_* helpers for lockfile-reuse path; new tests verify all edge cases.
  • crates/aube-store/src/git.rs: Added codeload_cache_integrity, codeload_integrity_path, and read_codeload_integrity helpers; extract_codeload_tarball_at now writes and backfills sidecar integrity files on every successful extraction.
  • crates/aube/src/commands/audit.rs: Added configured_audit_ignores that merges auditConfig.ignoreGhsas/ignoreCves from package.json with CLI --ignore; tested with a dedicated unit test.
  • crates/aube/src/commands/publish.rs: Reshaped --json output to emit a plain object for single publish and array for multiple; added NPM_ID_TOKEN env var fallback for OIDC trusted publishing; publish_outcomes_json now consistently uses object shape for single-package workspace publishes.
  • crates/aube-lockfile/src/lib.rs: Added registry_git_hosted: bool field to LockedPackage and re-exported git_commits_match; field carries gitHosted for registry-keyed entries that carry no LocalSource.

Reviews (10): Last reviewed commit: "fix(lockfile): guard git metadata fallba..."
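The codeload integrity sidecar mechanism Greptile summarises above (a warm cache must yield the same lockfile integrity as the cold run, an integrity already recorded in the lockfile must never be clobbered), as an added example in Rust. This is not aube's code: `toy_integrity` is a constructed FNV-1a stand-in for the page's `sha512_integrity` because std Rust has no SHA-512, the `<tarball>.integrity` file name, the function signatures and the "a cache that disagrees with the lockfile is an error" policy are assumptions, and the tarball bytes are constructed.

```rust
use std::fs;
use std::path::{Path, PathBuf};

#[derive(Debug, PartialEq)]
pub enum CacheError {
    IntegrityMismatch { expected: String, actual: String },
    Io(String),
}

impl From<std::io::Error> for CacheError {
    fn from(e: std::io::Error) -> Self {
        CacheError::Io(e.to_string())
    }
}

/// Constructed stand-in for a `sha512-<base64>` integrity string (64-bit FNV-1a,
/// hex). Real code would call the store's SHA-512 helper instead.
pub fn toy_integrity(bytes: &[u8]) -> String {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in bytes {
        h ^= *b as u64;
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    format!("toy-{h:016x}")
}

/// Sidecar next to the cached tarball: `<tarball>.integrity` (assumed naming).
pub fn codeload_integrity_path(tarball: &Path) -> PathBuf {
    let mut s = tarball.as_os_str().to_owned();
    s.push(".integrity");
    PathBuf::from(s)
}

pub fn read_codeload_integrity(tarball: &Path) -> Option<String> {
    fs::read_to_string(codeload_integrity_path(tarball))
        .ok()
        .map(|s| s.trim().to_string())
        .filter(|s| !s.is_empty())
}

/// Returns `(integrity, downloaded)` for the codeload tarball of `commit`.
/// `known` is the integrity the lockfile already records for this git dep.
pub fn codeload_integrity(
    cache_dir: &Path,
    commit: &str,
    known: Option<&str>,
    download: impl FnOnce() -> Vec<u8>,
    hash: impl Fn(&[u8]) -> String,
) -> Result<(String, bool), CacheError> {
    fs::create_dir_all(cache_dir)?;
    let tarball = cache_dir.join(format!("{commit}.tgz"));
    let sidecar = codeload_integrity_path(&tarball);

    let (integrity, downloaded) = if tarball.is_file() {
        match read_codeload_integrity(&tarball) {
            // Warm cache with sidecar: no re-download, no re-hash.
            Some(cached) => (cached, false),
            // Tarball cached by an older run without a sidecar: backfill it.
            None => {
                let fresh = hash(fs::read(&tarball)?.as_slice());
                fs::write(&sidecar, &fresh)?;
                (fresh, false)
            }
        }
    } else {
        let bytes = download();
        let fresh = hash(bytes.as_slice());
        fs::write(&tarball, &bytes)?;
        fs::write(&sidecar, &fresh)?;
        (fresh, true)
    };

    // The lockfile's recorded integrity wins; a disagreeing cache is an error,
    // never a silent re-pin of the lockfile.
    if let Some(expected) = known {
        if expected != integrity {
            return Err(CacheError::IntegrityMismatch {
                expected: expected.to_string(),
                actual: integrity,
            });
        }
    }
    Ok((integrity, downloaded))
}

/// Fill a missing integrity on a locked git source; never overwrite one.
pub fn attach_integrity_to_git_source(existing: &mut Option<String>, fresh: &str) -> bool {
    if existing.is_some() {
        return false;
    }
    *existing = Some(fresh.to_string());
    true
}

fn main() {
    let dir = std::env::temp_dir().join(format!("codeload-example-{}", std::process::id()));
    let commit = "3f2a9c1d4e5b6a7f8091a2b3c4d5e6f7a8b9c0d1";
    let (cold, dl) = codeload_integrity(&dir, commit, None, || b"constructed tarball bytes".to_vec(), toy_integrity).unwrap();
    println!("cold: {cold} downloaded={dl}");
    let (warm, dl) = codeload_integrity(&dir, commit, Some(&cold), || -> Vec<u8> { unreachable!("warm cache") }, toy_integrity).unwrap();
    println!("warm: {warm} downloaded={dl}");
    fs::remove_dir_all(&dir).ok();
}
```

The download closure is deliberately unreachable on the warm path: if the fast path ever regressed into re-fetching, the panic would surface it immediately instead of quietly producing a lockfile diff.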

Comment thread crates/aube-lockfile/src/pnpm/raw.rs
Comment thread crates/aube/src/commands/pack.rs Outdated
jdx force-pushed the feat/pnpm-11-parity branch from 7671faf to fb5987f May 25, 2026 19:36
Comment thread crates/aube-resolver/src/local_source.rs
Comment thread crates/aube-lockfile/src/pnpm/write.rs

jdx (Owner, Author) left a comment

Addressed the remaining summary feedback: 923a200 makes recursive --json emit the single-object shape when exactly one workspace package is selected, while keeping arrays for true multi-package fanout, and updates the generated CLI help to call out the multi-package array case.

This comment was generated by Codex.

Comment thread crates/aube-store/src/git.rs
Comment thread crates/aube-resolver/src/resolve/driver.rs
Comment thread crates/aube-lockfile/src/pnpm/write.rs
Comment thread crates/aube-lockfile/src/pnpm/read.rs

jdx (Owner, Author) commented May 25, 2026

Also addressed Greptile's minor note in d18b175: registry_tarball_url_is_not_derivable now strips query strings and fragments before matching the standard /-/<name>-<version>.tgz suffix, with a writer regression test for signed/query tarball URLs.

This comment was generated by Codex.
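The derivability check the comment above describes, as an added example in Rust that is not the project's code: strip `?query` and `#fragment` first, then test for the conventional `/-/<basename>-<version>.tgz` suffix, so a signed or tokenised URL for a standard tarball is still treated as derivable while a GitHub Packages style URL is kept verbatim. The layout rule for scoped names (`@scope/pkg` tarballs end in `pkg-<version>.tgz`), the `tarball_url_for_lockfile` helper and all sample URLs are assumptions constructed for the example.

```rust
/// Drop `?query` and `#fragment`, whichever comes first. Signed tarball URLs
/// carry tokens there, and they must not change the derivability verdict.
pub fn strip_query_and_fragment(url: &str) -> &str {
    match url.find(|c: char| c == '?' || c == '#') {
        Some(i) => &url[..i],
        None => url,
    }
}

/// Unscoped basename of a package name (`@scope/pkg` -> `pkg`).
fn basename(name: &str) -> &str {
    name.rsplit('/').next().unwrap_or(name)
}

/// Suffix every conventional registry tarball URL ends with:
/// `/-/<basename>-<version>.tgz` (assumed layout, as on registry.npmjs.org).
pub fn standard_tarball_suffix(name: &str, version: &str) -> String {
    format!("/-/{}-{}.tgz", basename(name), version)
}

/// `true` when the URL cannot be rebuilt from (name, version) and therefore
/// has to be written into the lockfile, even without lockfileIncludeTarballUrl.
pub fn registry_tarball_url_is_not_derivable(url: &str, name: &str, version: &str) -> bool {
    !strip_query_and_fragment(url).ends_with(&standard_tarball_suffix(name, version))
}

/// What a writer would persist: `None` when the URL is derivable, otherwise the
/// URL exactly as the registry returned it (stripping is only for the comparison).
pub fn tarball_url_for_lockfile<'a>(url: &'a str, name: &str, version: &str) -> Option<&'a str> {
    registry_tarball_url_is_not_derivable(url, name, version).then_some(url)
}

fn main() {
    // Constructed sample URLs.
    let signed = "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz?token=abc#frag";
    let github = "https://npm.pkg.github.com/download/@owner/pkg/1.2.3/0123456789abcdef";
    println!("{:?}", tarball_url_for_lockfile(signed, "lodash", "4.17.21")); // None
    println!("{:?}", tarball_url_for_lockfile(github, "@owner/pkg", "1.2.3")); // Some(github)
}
```

The order matters: matching the suffix before stripping would mark every signed standard tarball as non-derivable and pin short-lived tokens into a shared lockfile.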

Comment thread crates/aube-resolver/src/resolve/driver.rs
Comment thread crates/aube-resolver/src/resolve/driver.rs Outdated
jdx force-pushed the feat/pnpm-11-parity branch from d18b175 to 787705a May 25, 2026 20:36
Comment thread crates/aube-resolver/src/resolve/driver.rs
Comment thread crates/aube-lockfile/src/pnpm/raw.rs Outdated
jdx force-pushed the feat/pnpm-11-parity branch from 787705a to 84555f0 May 25, 2026 20:40
Comment thread crates/aube-lockfile/src/pnpm/write.rs Outdated
Comment thread crates/aube-resolver/src/resolve/driver.rs
jdx force-pushed the feat/pnpm-11-parity branch from 84555f0 to 89c4e24 May 25, 2026 20:49
Comment thread crates/aube-resolver/src/resolve/driver.rs Outdated
Comment thread crates/aube-lockfile/src/pnpm/read.rs
jdx force-pushed the feat/pnpm-11-parity branch from 89c4e24 to fa8d467 May 25, 2026 20:57
jdx force-pushed the feat/pnpm-11-parity branch from fa8d467 to 4964023 May 25, 2026 21:04
Comment thread crates/aube-resolver/src/resolve/driver.rs
jdx force-pushed the feat/pnpm-11-parity branch from 4964023 to 05b69ab May 25, 2026 21:10

cursor (bot) left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Reviewed by Cursor Bugbot for commit 05b69ab.

Comment thread crates/aube-resolver/src/local_source.rs Outdated
Comment thread crates/aube-lockfile/src/source.rs
jdx force-pushed the feat/pnpm-11-parity branch from 05b69ab to 0e86bad May 25, 2026 23:46
jdx (Owner, Author) commented May 25, 2026

Addressed Greptile feedback in 0e86bad: pnpm resolution.repo is now preserved verbatim instead of being normalized through parse_git_spec, and the roundtrip regression asserts git+ssh:// survives parse/write. The parser also updates direct dependency keys when resolution metadata refines a git source, keeping the graph internally consistent.

This comment was generated by Codex.

jdx merged commit 83f7c88 into main May 25, 2026
18 checks passed
jdx deleted the feat/pnpm-11-parity branch May 25, 2026 23:55