fix(scripts): match URL source build approvals

[jdx]

Summary

• make non-registry build approvals use pnpm-style source keys like dep@https://example.com/pkg.tgz
• keep install, ignored-builds, and GVS hash policy checks source-aware after the key shape change
• add tests for raw remote-tarball approval keys and both source-spec union orders
• document exact non-registry source keys in lifecycle-script and generated settings docs

Context

#858 landed the source-specific build approval machinery while this PR was open. This follow-up aligns the approval key with pnpm-authored URL keys and covers the review-requested union-order case.

Validation

• mise run render
• cargo fmt --check
• cargo test -p aube-lockfile source_approval_key
• cargo test -p aube-scripts policy
• cargo check -p aube
• cargo clippy -p aube-lockfile -p aube-scripts -p aube --all-targets -- -D warnings

This PR was generated by Codex.

---

Note

Medium Risk
Changes how source-backed packages match allowBuilds, which is security-sensitive; misaligned keys could skip or run unintended lifecycle scripts until configs are updated to pnpm-style source keys.

Overview
Non-registry dependency build approvals now use pnpm-style source keys (registry_name@<source specifier>) instead of lockfile dep_path bases with peer suffixes stripped.

LockedPackage::source_approval_key() returns an owned Option<String> built from registry_name() and LocalSource::specifier() (e.g. pkg@file:vendor/pkg, pkg@https://example.com/pkg.tgz). Install lifecycle policy, ignored-builds, unreviewed-build reporting, and graph-hash allow checks pass that key into BuildPolicy::decide_package via as_deref() where needed.

Build policy gains tests that allowBuilds keys mixing semver and URL/source specs in a || union are rejected (both orderings).

Docs (lifecycle-scripts, generated allowBuilds settings) note exact non-registry source keys. Bats expectations for strict-dep-builds output use file:… paths instead of file+ lockfile tails.

^{Reviewed by Cursor Bugbot for commit c4ae746. Bugbot is set up for automated code reviews on this repo. Configure here.}

[coderabbitai]

Warning

Review limit reached

@jdx, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 5 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 4a3b2209-990c-4e66-bc08-cb025ab93135

📥 Commits

Reviewing files that changed from the base of the PR and between 40f66e4 and c4ae746.

📒 Files selected for processing (10)

• crates/aube-lockfile/src/lib.rs
• crates/aube-scripts/src/policy.rs
• crates/aube-settings/settings.toml
• crates/aube/src/commands/ignored_builds.rs
• crates/aube/src/commands/install/lifecycle.rs
• crates/aube/src/commands/install/link.rs
• crates/aube/src/commands/install/materialize.rs
• docs/package-manager/lifecycle-scripts.md
• docs/settings/index.md
• test/lifecycle_scripts.bats

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR aligns non-registry build approval keys with the pnpm source-specifier format (pkg@file:vendor/pkg, pkg@https://example.com/pkg.tgz) by switching source_approval_key() from returning a dep_path fragment (&str) to building the pnpm-style key from registry_name() and LocalSource::specifier() (Option<String>).

• All decide_package call sites (install lifecycle, ignored-builds, link, materialize) are updated to store the now-owned key in a local variable and pass .as_deref().
• expand_spec already rejects || unions mixing semver and source-spec tokens; two new tests verify both orderings.
• Bats expectations and docs are updated to reference the new file: key format.

Confidence Score: 5/5

The key format change is correctly propagated to all call sites and the new format is properly recognized by the source-key routing in sort_entries and decide_package.

The change is mechanical and well-tested: source_approval_key() now returns owned pnpm-style strings, every caller was updated with .as_deref(), two new unit tests cover the union-rejection cases, and bats expectations match the new output. No decision logic was altered.

No files require special attention — the one minor redundancy in lifecycle.rs has no correctness impact.

Important Files Changed

Filename	Overview
crates/aube-lockfile/src/lib.rs	Changes source_approval_key() return type from Option<&str> to Option<String>, building pnpm-style keys via registry_name()@source.specifier(); new tests cover directory and remote-tarball variants
crates/aube-scripts/src/policy.rs	Adds two tests confirming that `
crates/aube/src/commands/install/lifecycle.rs	All three decide_package call sites updated to store source_approval_key() in a local source_key variable and pass .as_deref(); minor: the unreviewed_dep_builds path calls source_approval_key() a second time for spec_key instead of reusing the already-computed value
crates/aube/src/commands/ignored_builds.rs	Correctly extracts source_key into a local variable and passes .as_deref() to decide_package
test/lifecycle_scripts.bats	Updates three assert_output expectations from file+ lockfile-hash fragments to file:./path pnpm-style specifiers, matching the new key format
crates/aube/src/commands/install/link.rs	One-line fix: adds .as_deref() to adapt the now-owned Option<String> to the Option<&str> expected by decide_package
crates/aube/src/commands/install/materialize.rs	Same one-line .as_deref() fix as in link.rs for the GVS prewarm materializer's policy check
crates/aube-settings/settings.toml	Docs-only: adds mention of exact non-registry source keys as valid allowBuilds key examples

_{Reviews (3): Last reviewed commit: "fix(scripts): match URL source build app..." | Re-trigger Greptile}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 406d59e. Configure here.}