fix(resolver): pin hosted git tarball integrity#783

Merged
jdx merged 2 commits into main from codex/pin-git-tarball-integrity on May 25, 2026

Conversation

jdx (Owner) commented May 25, 2026

Summary

  • compute and persist SHA-512 SRI for hosted git codeload tarballs
  • verify pinned git tarball bytes before extraction
  • include integrity in codeload cache keys when present

Test plan

  • cargo check -q
  • cargo test -p aube-lockfile git_resolution_integrity_roundtrips
  • cargo test -p aube-store codeload_cache_paths_include_integrity_when_present
  • cargo test -p aube-resolver local_source
  • cargo clippy --all-targets -- -D warnings

Note

Medium Risk
Changes fetch/verify/cache behavior for git codeload dependencies; wrong integrity handling could break installs or cache hits, but scope is limited to the codeload fast path with new tests.

Overview
Adds optional SHA-512 SRI on GitSource for hosted codeload git tarballs (not plain git clone), wired through pnpm lockfile read/write and LockedPackage.integrity.

Resolver and install fetch now verify downloaded codeload bytes against a pinned integrity when present, otherwise compute SRI via new sha512_integrity, persist it on the git source, and pass integrity into extract / cache lookup. Codeload cache keys mix in integrity when set so different tarball hashes do not share a directory; cache reuse on the fast path only runs when integrity is already known.

Other lockfile backends (bun, npm, yarn) initialize integrity: None on git sources. Minor test/style tweaks (is_none_or, contains_key) are unrelated.
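The fetch/verify/cache flow the description lays out (verify pinned bytes before extraction, compute the SRI on a first fetch, mix the integrity into the cache key only when it is present, and skip the cache fast path until the integrity is known) is illustrated below. This is an added example written in Python rather than the project's Rust, and it is not aube's own code: the function names, the dict standing in for the on-disk codeload cache, and SHA-256 standing in for the BLAKE3 cache key (BLAKE3 is not in the Python standard library) are all assumptions of the example. The SRI format itself (`sha512-` followed by the base64 digest) is the standard one the page refers to.

```python
"""Added example (not aube's code): SRI pinning for hosted git codeload tarballs."""
import base64
import binascii
import hashlib
import hmac
from typing import Callable, Dict, Optional, Tuple


def sha512_integrity(data: bytes) -> str:
    """Single SHA-512 pass over the tarball bytes, returned as an SRI string."""
    digest = hashlib.sha512(data).digest()
    return "sha512-" + base64.b64encode(digest).decode("ascii")


def verify_integrity(data: bytes, pinned: str) -> bool:
    """Check downloaded bytes against a lockfile-pinned SRI value.

    Unknown algorithms and malformed base64 are treated as a mismatch rather
    than raising, and the digests are compared in constant time.
    """
    algo, sep, encoded = pinned.partition("-")
    if sep != "-" or algo != "sha512":
        return False
    try:
        expected = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(expected) != hashlib.sha512().digest_size:
        return False
    actual = hashlib.sha512(data).digest()
    return hmac.compare_digest(actual, expected)


def codeload_cache_key(repo: str, commit: str, integrity: Optional[str]) -> str:
    """Cache key for an extracted codeload tarball.

    The integrity is mixed in only when present, so a lockfile that has no
    pin keeps exactly the key it had before pinning existed. (Assumption of
    this example: SHA-256 stands in for the BLAKE3 key the PR uses.)
    """
    h = hashlib.sha256()
    h.update(repo.encode())
    h.update(b"\0")
    h.update(commit.encode())
    if integrity is not None:
        h.update(b"\0")
        h.update(integrity.encode())
    return h.hexdigest()


class IntegrityMismatch(Exception):
    """Raised when fetched bytes do not match the lockfile pin."""


def resolve_codeload(
    repo: str,
    commit: str,
    pinned: Optional[str],
    fetch: Callable[[str, str], bytes],
    cache: Dict[str, bytes],
) -> Tuple[str, str]:
    """Resolver fast path for one codeload dependency.

    Returns (integrity, how) where how is "cache", "verified" or "computed".
    The cache lookup only runs when the integrity is already known, so a fresh
    lockfile never matches an integrity-free entry; a pinned value is verified
    before anything is extracted; an unpinned first fetch computes the pin.
    """
    if pinned is not None:
        if codeload_cache_key(repo, commit, pinned) in cache:
            return pinned, "cache"
    data = fetch(repo, commit)
    if pinned is not None:
        if not verify_integrity(data, pinned):
            raise IntegrityMismatch(f"{repo}@{commit}: tarball does not match {pinned}")
        integrity, how = pinned, "verified"
    else:
        # First fetch: compute the pin for persistence and cache keying, but
        # do not re-verify the bytes against the value just computed from them.
        integrity, how = sha512_integrity(data), "computed"
    # "Extraction" into the cache, keyed with the integrity always present.
    cache[codeload_cache_key(repo, commit, integrity)] = data
    return integrity, how


if __name__ == "__main__":
    # Constructed sample: a fake tarball, fetched twice with a tampered copy in between.
    store: Dict[str, bytes] = {}
    pin, how = resolve_codeload("owner/repo", "abc123", None, lambda r, c: b"tarball-bytes", store)
    print(how, pin)
    print(resolve_codeload("owner/repo", "abc123", pin, lambda r, c: b"tarball-bytes", store))
    try:
        resolve_codeload("owner/repo", "abc123", pin, lambda r, c: b"tampered", {})
    except IntegrityMismatch as e:
        print("rejected:", e)
```

The `how` value makes the three branches visible: the first run returns `"computed"` and writes the pin, a second run with the same pin hits the cache without fetching, and a pinned run whose fetch returns different bytes raises before anything is extracted.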

Reviewed by Cursor Bugbot for commit 7a80a54.

greptile-apps bot (Contributor) commented May 25, 2026

Greptile Summary

This PR adds optional SHA-512 SRI pinning for hosted codeload git tarballs: the resolver computes and writes integrity to the lockfile on first fetch, subsequent runs verify the pinned value before extraction, and the codeload cache key now incorporates integrity when present. Only the pnpm backend round-trips the field; bun, npm, and yarn parsers hard-code integrity: None.

  • GitSource gains integrity: Option<String>; all 16 construction sites updated; pnpm read/write paths persist the value and the new round-trip test exercises both LockedPackage.integrity and GitSource.integrity.
  • Resolver & installer share the same pattern: verify pinned bytes, compute hash when absent, pass Some(integrity) into extract_codeload_tarball so the BLAKE3 cache key always includes the digest; cache-hit fast path is gated on integrity.is_some() so fresh lockfiles skip the lookup rather than matching an integrity-free entry.
  • codeload_cache_paths mixing in integrity when Some is backward-compatible: None leaves the key identical to the pre-PR value.

Confidence Score: 5/5

Safe to merge — integrity verification is additive and the existing git-clone fallback is untouched.

All changed paths are well-scoped to the codeload fast path. The integrity field is optional throughout, so existing lockfiles without it degrade gracefully. The resolver correctly persists computed integrity to the lockfile, and both the resolver and install paths verify pinned values before extraction. Cache key changes are backward-compatible.

No files require special attention.

Important Files Changed

Filename and overview:

  • crates/aube-lockfile/src/source.rs: Adds integrity: Option<String> field to GitSource; all existing construction sites updated with integrity: None — clean structural change.
  • crates/aube-store/src/git.rs: Adds integrity: Option<&str> to extract_codeload_tarball, codeload_cache_lookup, and codeload_cache_paths; mixes integrity bytes into the BLAKE3 cache key when Some. Key is backward-compatible with None (no-op branch).
  • crates/aube-store/src/integrity.rs: Adds sha512_integrity(data) helper: single SHA-512 pass over bytes, returns SRI-formatted string. Simple and correct.
  • crates/aube-resolver/src/local_source.rs: Adds integrity.is_some() guard on cache-hit fast path; verifies pinned integrity before extraction; computes integrity when absent; always passes Some(integrity) to extract_codeload_tarball. Git-clone fallback correctly emits integrity: None.
  • crates/aube/src/commands/install/fetch.rs: Mirrors resolver changes: integrity.is_some() guard on cache lookup, pinned integrity verified before extract, freshly computed integrity used for cache key. Computed integrity is not written back to the lockfile (resolver is authoritative), but this is by design.
  • crates/aube-lockfile/src/pnpm/read.rs: Also sets local_pkg.integrity from res.integrity for git sources; duplicates the value already placed on GitSource.integrity by local_source_from_resolution, but intentional per the round-trip test.
  • crates/aube-lockfile/src/pnpm/write.rs: Git resolution block now emits integrity: g.integrity instead of hard-coded None, completing the read→write round-trip.
  • crates/aube-lockfile/src/pnpm/tests.rs: Adds git_resolution_integrity_roundtrips covering write→read cycle for pnpm git integrity; asserts both LockedPackage.integrity and GitSource.integrity are preserved.
  • crates/aube-store/src/lib.rs: Exports sha512_integrity; updates test call-sites to pass integrity: None; adds codeload_cache_paths_include_integrity_when_present test verifying distinct cache dirs per distinct integrity value.

Reviews (2): Last reviewed commit: "fix(resolver): avoid redundant codeload ..."

jdx (Owner, Author) commented May 25, 2026

Addressed the review feedback by verifying codeload bytes only when a lockfile-pinned integrity exists. First-time codeload fetches now compute the SHA-512 pin for persistence/cache keying without immediately re-verifying against itself.

Validated with:

  • cargo fmt --check
  • cargo clippy --all-targets -- -D warnings
  • cargo test

This comment was generated by Codex.

@jdx jdx enabled auto-merge (squash) May 25, 2026 20:51
@jdx jdx merged commit 0cc4b1c into main May 25, 2026
18 checks passed
@jdx jdx deleted the codex/pin-git-tarball-integrity branch May 25, 2026 20:57