test(lockfile): cover remote tarball fallback lookup

[jdx]

Summary

• exercise the remote tarball package fallback with a contextual URL key
• keep the roundtrip integrity assertion in place for the merged parser fix

Tests

• cargo fmt --check
• cargo test -p aube-lockfile remote_tarball_integrity
• git diff --check origin/main..HEAD

---

Note

Low Risk
Test-only lockfile fixture change; no production code in this diff.

Overview
Updates the remote_tarball_integrity_survives_lockfile_reuse_roundtrip fixture so the remote tarball demo entry uses pnpm’s peer-context dep-path form (…tgz(react@18.2.0)) in both packages and snapshots, instead of the bare URL key.

The test still checks that integrity and RemoteTarballSource survive parse/write, but now also covers fallback lookup when the lockfile keys the same tarball URL with a peer suffix.

^{Reviewed by Cursor Bugbot for commit f216149. Bugbot is set up for automated code reviews on this repo. Configure here.}

[greptile-apps]

Greptile Summary

This PR extends the remote_tarball_integrity_survives_lockfile_reuse_roundtrip test by adding a (react@18.2.0) peer-context suffix to the packages: and snapshots: keys in the lockfile fixture, so the initial exact-key lookup fails and the URL-matching fallback path in read.rs is exercised.

• The importer's version: field is left without a context suffix, matching how pnpm writes it; only the packages/snapshot keys carry the suffix, which is the scenario that triggers the fallback at raw.packages.iter().find_map(…).
• The existing integrity-roundtrip assertions (sha512-demo and the tarball: URL) are retained, verifying that the fallback correctly picks up the resolution block and propagates integrity through a write/re-read cycle.

Confidence Score: 5/5

Test-only change; no production code is touched.

The diff touches a single test fixture by adding a peer-context suffix to two YAML keys. The assertions remain identical in intent (integrity and tarball URL survive a write/re-read cycle), and the change deliberately routes execution through the URL-based fallback lookup that already exists in the parser, providing coverage that was previously absent for that code path.

No files require special attention.

Important Files Changed

Filename	Overview
crates/aube-lockfile/src/pnpm/tests.rs	Extends the remote-tarball roundtrip test to use a packages/snapshots key that carries a peer-context suffix (react@18.2.0), forcing the URL-based fallback lookup in read.rs (lines 277-292) instead of the direct key lookup.

_{Reviews (1): Last reviewed commit: "test(lockfile): cover remote tarball fal..." | Re-trigger Greptile}