Add Bazel PyPI manifest extraction

[Simon (simonhj)]

This PR makes Bazel manifest creation Python-aware.

This builds on the Maven Bazel work from #1312, which closes an inline-declaration gap that exists in rules_jvm_external: Bazel can resolve Maven artifacts that do not exist in a checked-in Maven manifest. Python is different. rules_python commonly resolves packages from a checked-in pinned requirements or lock file and exposes those packages as Bazel labels.

It works like this: a Bazel Python rule points to a checked-in requirements file. Bazel reads that file and makes the declared packages available as dependencies in the configured pip hub. Future Bazel build targets can then directly declare dependencies on those Python packages.

What this PR does is emit a generated requirements.txt that contains only the pinned Python packages reachable from Bazel Python rules. It does not mutate or remove entries from the user's checked-in requirements file. The value is scoping the generated manifest to Bazel's reached package set instead of assuming every checked-in requirement is used by Bazel Python targets.

This functionality does not kick in automatically, since I'm not fully convinced it won't cause more harm than good or cause confusion. It has to be manually enabled with socket manifest bazel --ecosystem pypi. socket scan create --auto-manifest continues to generate Bazel Maven manifests only.

Worked out example

Suppose a repo has a pinned Python requirements file with both application dependencies and development/tooling dependencies:

# requirements.txt
certifi==2024.8.30
charset-normalizer==3.4.0
idna==3.10
pluggy==1.5.0
pytest==8.3.3
requests==2.32.3
ruff==0.6.9
urllib3==2.2.2

The Bazel module wires that requirements file into rules_python:

# MODULE.bazel
bazel_dep(name = "rules_python", version = "1.5.0")

pip = use_extension("@rules_python//python/extensions:pip.bzl", "pip")
pip.parse(
    hub_name = "pypi",
    python_version = "3.12",
    requirements_lock = "//:requirements.txt",
)
use_repo(pip, "pypi")

Now Bazel makes those packages available as labels under the @pypi hub. But the actual Python code only depends on requests:

# app/BUILD.bazel
load("@rules_python//python:defs.bzl", "py_binary")

py_binary(
    name = "server",
    srcs = ["server.py"],
    deps = ["@pypi//requests"],
)

Running the new opt-in extractor:

socket manifest bazel . --ecosystem pypi

asks Bazel which Python dependencies are reachable from Python rules in the repo:

bazel query 'deps(kind("py_library|py_binary|py_test", //...))'

The extractor then filters that Bazel result to labels from the discovered @pypi hub, maps those labels back to pinned versions from requirements.txt, and writes a generated Socket manifest:

# .socket/bazel-manifests/requirements.txt
certifi==2024.8.30
charset-normalizer==3.4.0
idna==3.10
requests==2.32.3
urllib3==2.2.2

requests is included because //app:server depends on it. certifi, charset-normalizer, idna, and urllib3 are included because Bazel reaches them through requests' transitive dependency graph. pytest, pluggy, and ruff are not included because no Bazel Python target reaches them.

That scoping is the point of the PR: Socket scans the Python dependency set that Bazel can actually reach, not every package that happens to be present in the checked-in requirements file.

Summary of changes

• add socket manifest bazel --ecosystem pypi support for whole-repo Bazel PyPI requirements.txt generation
• discover rules_python pip hubs via Bazel command output first, with bounded static fallback paths
• keep Bazel PyPI generation explicit; socket scan create --auto-manifest continues to generate Bazel Maven only
• add bounded verbose diagnostics for Bazel subprocess, discovery, extraction, and empty-result triage
• document the new command surface and add exact constructed-fixture oracle coverage

---

Note

Medium Risk
Adds a new Bazel PyPI extraction path and new Bazel subprocess commands/diagnostics, which could affect manifest generation behavior and error handling in Bazel workspaces. PyPI generation is opt-in, limiting blast radius, but the Bazel query runner changes impact all Bazel-based extraction.

Overview
Enables opt-in PyPI manifest extraction for Bazel workspaces via socket manifest bazel --ecosystem pypi, generating a reached-set requirements.txt by discovering rules_python pip hubs, querying Python target deps, and resolving pinned versions from requirements_lock.txt (with spoke-tag fallback and conflict detection).

Updates socket manifest bazel to support repeatable --ecosystem selection (defaulting to Maven-only), and refactors Maven extraction to report noEcosystemFound so auto-manifest can distinguish "no Bazel Maven present" from hard failures.

Improves Bazel diagnostics and compatibility by switching Bzlmod repo enumeration to bazel mod dump_repo_mapping, adding bazel mod show_extension plumbing for pip hub metadata, and emitting bounded --verbose subprocess traces (argv/cwd/duration/status/output sizes + stderr tail). Documentation, changelog, and tests are updated, including a PyPI fixture oracle.

^{Reviewed by Cursor Bugbot for commit 1b767d4. Configure here.}

[Martin Torp (mtorp)]

A few small follow-ups from review, plus a request to bump the CLI version since this adds a user-visible feature.

[Martin Torp (mtorp)]

Could you bump the CLI version (currently 1.1.100 in package.json) as part of this PR? This adds a new user-visible feature (socket manifest bazel --ecosystem pypi and the existing Unreleased CHANGELOG entry), so it should land with a version bump rather than piggybacking on the next unrelated release.

[Martin Torp (mtorp)]

Approving. Nice piece of work — the layered discovery (Bazel command → bounded static parsing fallback), DoS guards (file-size caps, candidate caps, bounded regexes), and the noEcosystemFound / evaluateEcosystemOutcomes outcome model are all well done. Tests, typecheck, and lint are clean.

The inline comments are nits; please address them and the version bump before merging.