fix(lockfile): preserve remote tarball integrity

[jdx]

Summary

• hydrate direct remote tarball deps from their pnpm resolution block, matching the existing git hydration path
• preserve both LockedPackage.integrity and RemoteTarballSource.integrity on parse/write round-trip
• add a pnpm v11.5 regression covering HTTPS tarball lockfile reuse

Tests

• cargo fmt --check
• cargo test -p aube-lockfile pnpm::tests::remote_tarball_integrity_survives_lockfile_reuse_roundtrip
• cargo test -p aube-lockfile pnpm::tests
• git diff --check

This PR was generated by Codex.

---

Note

Low Risk
Scoped to pnpm lockfile read/hydration for direct remote tarballs; behavior mirrors existing git hydration with a focused regression test.

Overview
Direct HTTPS tarball dependencies in pnpm-lock.yaml now pull integrity (and tarball metadata) from the matching packages: resolution block when the importer entry alone is not enough—using the same lookup pattern already used for git deps (match by package name + tarball URL).

LockedPackage.integrity and RemoteTarballSource.integrity are kept on parse → write reuse so lockfile regeneration does not drop checksums for registry-style tarball URLs.

A regression test covers a direct tarball importer spec and asserts the written lockfile still contains integrity and the tarball URL.

^{Reviewed by Cursor Bugbot for commit 850f2aa. Bugbot is set up for automated code reviews on this repo. Configure here.}

[greptile-apps]

Greptile Summary

This PR fixes a round-trip regression where direct HTTPS tarball dependencies in pnpm lockfiles lost their sha512 integrity hash after a parse → write cycle. The fix mirrors the existing git-dep hydration path: both a new RemoteTarball fallback arm (for cases where canonical key lookup misses) and an extension of the matches! guard ensure integrity flows from the packages: resolution block into both LockedPackage.integrity and RemoteTarballSource.integrity.

• read.rs: Adds a LocalSource::RemoteTarball arm to the or_else fallback that matches packages by name + tarball URL, and expands the matches! predicate to also copy integrity for remote tarball sources.
• tests.rs: Adds a regression test with a synthetic pnpm v9 lockfile containing a direct HTTPS tarball dep; asserts both struct fields and the written YAML preserve sha512-*.

Confidence Score: 5/5

Safe to merge — the fix is narrowly scoped to hydrating remote tarball integrity from the packages block, mirrors the already-established git handling, and the new regression test confirms the primary parse→write round-trip works correctly.

Both changes are additive and confined to the lockfile reader: the new RemoteTarball fallback arm follows the same structure as the Git arm it sits next to, and the matches! expansion is a one-operator change with no side effects on other source types. The write path was already correct; only the read side was missing the integrity assignment.

No files require special attention.

Important Files Changed

Filename	Overview
crates/aube-lockfile/src/pnpm/read.rs	Adds RemoteTarball fallback arm (mirroring existing Git arm) and expands the matches! guard to copy integrity for remote tarball packages; logic is sound and consistent with the established pattern.
crates/aube-lockfile/src/pnpm/tests.rs	New regression test covers parse → write round-trip for a direct HTTPS tarball dep and asserts both struct-level and YAML-level integrity preservation.

_{Reviews (2): Last reviewed commit: "fix(lockfile): preserve remote tarball i..." | Re-trigger Greptile}