Crate aube_scripts 

Lifecycle script runner for aube.

Security model:

• Scripts from the root package (the project’s own package.json) run by default. They’re written by the user, so they’re trusted the same way a user trusts aube run <script>.
• Scripts from installed dependencies (e.g. node-gyp postinstall from a native module) are SKIPPED by default. A package runs its lifecycle scripts only if the active BuildPolicy allows it — configured via pnpm.allowBuilds in package.json, allowBuilds in pnpm-workspace.yaml, or the escape-hatch --dangerously-allow-all-builds flag.
• --ignore-scripts forces everything off, matching pnpm/npm.

Re-exports

pub use policy::AllowDecision;

pub use policy::BuildPolicy;

pub use policy::BuildPolicyError;

Modules

policy

Allowlist/denylist policy for running dependency lifecycle scripts.

Structs

ScriptSettings

Settings that affect every package-script shell aube spawns.

Enums

Error

LifecycleHook

Lifecycle hooks that aube install runs against the root package’s scripts field, in this order: preinstall → (dependencies link) → install → postinstall → prepare. Matches pnpm / npm.

Constants

DEP_LIFECYCLE_HOOKS

Dependency lifecycle hooks, in the order aube runs them for each allowlisted package. prepare is intentionally omitted — it’s meant for the root package and git-dep preparation, not installed tarballs.

Functions

child_stderr

Returns a Stdio suitable for a child process’s stderr. When silent mode is active, this dups the saved real-stderr fd so the child bypasses the /dev/null redirect on fd 2. Otherwise returns Stdio::inherit().

default_install_script

Default install command for a materialized dependency directory. Thin wrapper around implicit_install_script that supplies has_binding_gyp by stat’ing <package_dir>/binding.gyp.

exit_code_from_status

Translate child ExitStatus to a parent exit code.

has_dep_lifecycle_work

True if run_dep_hook would actually execute something for this package across any of the dependency lifecycle hooks. Callers use this to skip fan-out work for packages that have nothing to run — including the implicit node-gyp rebuild default.

implicit_install_script

Single source of truth for the implicit node-gyp rebuild fallback: returns Some("node-gyp rebuild") when the package ships a binding.gyp at its root AND the manifest leaves both install and preinstall empty (either one is the author’s explicit opt-out from the default).

prepend_path

Prepend bin_dir to the current PATH using the platform’s path separator (: on Unix, ; on Windows).

run_dep_hook

Run a lifecycle hook against an installed dependency’s package directory. Mirrors run_root_hook but spawns inside package_dir (the actual linked package directory, e.g. node_modules/.aube/<dep_path>/node_modules/<name>). The manifest is the dependency’s own package.json, not the project root’s.

run_root_hook

Run a lifecycle hook against the root package, if a script for it is defined. Returns Ok(false) if the hook wasn’t defined (no-op), Ok(true) if it ran successfully.

run_script

Run a single npm-style script line through sh -c with the usual environment ($PATH extended with node_modules/.bin, INIT_CWD, npm_lifecycle_event, npm_package_name, npm_package_version).

set_saved_stderr_fd

Called once by aube after it saves + redirects fd 2. Passing the caller-owned saved fd here means child processes spawned via child_stderr() will write to the real terminal stderr instead of /dev/null.

set_script_settings

Replace the process-wide script settings snapshot. CLI commands call this after resolving .npmrc / workspace settings for the active project.

shell_quote_arg

Shell-quote one arg for safe splicing into a shell command line.

spawn_shell

Spawn a shell command line. On Unix we go through sh -c, on Windows through cmd.exe /d /s /c — matching what npm passes in @npmcli/run-script.