fix: preserve file: and git-hosted tarball URLs in lockfile

[zkochan]

Summary

• Fixes ERR_PNPM_FETCH_404 when pnpm install --frozen-lockfile runs against a project whose dependency uses a file: tarball (#11407).
• toLockfileResolution was dropping the tarball field for any resolution when lockfile-include-tarball-url=false (the default). For file: and git-hosted tarballs the URL cannot be reconstructed from package name + version + registry, so installs against the resulting lockfile fell back to the npm registry and 404'd. The check carried over from a v10 PR that was already reverted on the v10 branch but never propagated to v11.
• Added a recovery path in pkgSnapshotToResolution so lockfiles already written by v11.0.0–v11.0.2 (which lost their file: tarball field) still install — the tarball is rebuilt from the depPath's nonSemverVersion.
• The existing lockfileIncludeTarballUrl=false exclusion behavior for standard and non-standard registry URLs is preserved.

Test plan

• pnpm --filter @pnpm/lockfile.utils test — all 9 unit tests pass, including new coverage for file:, git-hosted, and registry tarballs in toLockfileResolution, plus the recovery path in pkgSnapshotToResolution.
• Manual end-to-end repro from the linked issue: a project with "test-package": "file:test-package-1.0.0.tgz" installs cleanly with the rebuilt bundle, both for fresh install and for --frozen-lockfile against a lockfile missing the tarball field.
• Existing exclude tarball URL when lockfileIncludeTarballUrl is false and exclude non-standard tarball URL when lockfileIncludeTarballUrl is false tests in installing/deps-installer/test/lockfile.ts still pass.