
[ANE-2877] Support PEP 621 project.dependencies in Poetry 2.x strategy#1683

Draft
zlav wants to merge 2 commits into master from fix/poetry-pep621-deps

Conversation

@zlav
Member

@zlav zlav commented Apr 3, 2026

Overview

Poetry 2.x introduced PEP 621 support, allowing production dependencies to be declared in [project].dependencies (PEP 508 strings) instead of the legacy [tool.poetry.dependencies] (TOML tables). FOSSA's Poetry strategy only read the latter, causing production deps to be missed entirely for Poetry 2.x projects using the standard format.

Customer BIS reported that their pymedal>=2.3.4 dependency declared under [project].dependencies was invisible to FOSSA. The [project] section was already being parsed into PyProjectMetadata but was never consumed by the Poetry strategy -- only by PDM.

This fix wires PEP 621 [project].dependencies into both the lock-file and no-lock-file code paths, while preserving full backward compatibility with legacy [tool.poetry.dependencies].

Key changes:

  • allPoetryProductionDeps now merges PEP 621 deps with legacy Poetry deps (legacy takes precedence for dedup, since they can carry richer metadata like explicit sources)
  • pyProjectDeps includes PEP 621 deps as production dependencies in the no-lock-file fallback path
  • Shared reqName helper extracted to Strategy.Python.Util (previously duplicated in PDM)

Acceptance criteria

  • Poetry 2.x projects using [project].dependencies (PEP 621) have their production deps correctly detected
  • Legacy Poetry projects using [tool.poetry.dependencies] continue to work unchanged
  • Mixed-format projects (deps in both sections) correctly deduplicate with Poetry-style entries taking precedence

Testing plan

  • New unit tests for PEP 621 [project].dependencies detection (CommonSpec.hs)
  • New unit tests for mixed-format deduplication (Poetry-style wins)
  • New unit tests for allPoetryProductionDeps with PEP 621 deps
  • New test fixtures: pep621/pyproject.toml and pep621-mixed/pyproject.toml
  • Existing Poetry unit tests continue to pass
  • Integration test for Poetry strategy passes
  • CI build and formatter checks pass

Risks

Minimal -- the change is additive. Legacy [tool.poetry.dependencies] behavior is completely unchanged. PEP 621 deps are merged via Map.union where legacy entries take precedence, so existing projects cannot regress.

Metrics

N/A

References

Checklist

  • I added tests for this PR's change (or explained in the PR description why tests don't make sense).
    • Unit tests for PEP 621 dep detection, mixed-format dedup, and allPoetryProductionDeps.
  • If this PR introduced a user-visible change, I added documentation into docs/.
    • No user-facing documentation needed -- this fixes an existing gap in dependency detection.
  • If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an ## Unreleased section at the top.
  • If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command.
    • N/A
  • If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.
    • N/A
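The merge described in the overview above (PEP 508 strings from `[project].dependencies` unioned with the legacy `[tool.poetry.dependencies]` table, with the legacy entry winning on a name collision), as an added Python sketch. This is not the project's Haskell code: the PEP 508 parser, the helper names (`parse_pep508`, `all_production_deps`), the `origin`/`source` fields and the mixed-format sample `pyproject.toml` are all constructed here for illustration.

```python
"""Constructed example (not fossa-cli's own code): merge PEP 621
[project].dependencies with legacy [tool.poetry.dependencies], legacy wins."""
import re

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib  # type: ignore

# Constructed mixed-format pyproject.toml: "click" appears in both sections;
# only the Poetry table can carry an explicit source, which is why it wins.
SAMPLE_PYPROJECT = """\
[project]
name = "demo"
version = "0.1.0"
dependencies = [
    "pymedal>=2.3.4",
    "requests[security]>=2.31 ; python_version >= '3.8'",
    "click",
]

[tool.poetry.dependencies]
python = "^3.11"
click = { version = "^8.1", source = "internal" }
rich = "^13.0"
"""

# PEP 508 shape: name, optional [extras], optional version spec, optional ; marker.
_PEP508 = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"\s*(?:\[(?P<extras>[^\]]*)\])?"
    r"\s*(?P<spec>[^;]*?)"
    r"\s*(?:;\s*(?P<marker>.*?))?\s*$"
)


def normalize_name(name: str) -> str:
    """PEP 503 normalization so 'Py_Medal' and 'py-medal' dedup to one key."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pep508(req: str) -> dict:
    """Split one PEP 508 requirement string into its parts (hypothetical
    helper standing in for the PR's shared reqName)."""
    m = _PEP508.match(req)
    if m is None:
        raise ValueError(f"unparseable requirement: {req!r}")
    extras = [e.strip() for e in (m.group("extras") or "").split(",") if e.strip()]
    return {
        "name": normalize_name(m.group("name")),
        "extras": extras,
        "spec": m.group("spec").strip(),
        "marker": m.group("marker"),
    }


def pep621_deps(doc: dict) -> dict:
    """[project].dependencies -> {name: dep}; every entry is a production dep."""
    out = {}
    for req in doc.get("project", {}).get("dependencies", []):
        p = parse_pep508(req)
        out[p["name"]] = {"spec": p["spec"], "source": None, "origin": "pep621"}
    return out


def legacy_poetry_deps(doc: dict) -> dict:
    """[tool.poetry.dependencies] -> {name: dep}; values are strings or tables."""
    out = {}
    table = doc.get("tool", {}).get("poetry", {}).get("dependencies", {})
    for raw_name, value in table.items():
        if raw_name.lower() == "python":
            continue  # interpreter constraint, not a package dependency
        if isinstance(value, str):
            spec, source = value, None
        elif isinstance(value, dict):
            spec, source = value.get("version", ""), value.get("source")
        else:
            raise ValueError(f"unsupported constraint shape for {raw_name}: {value!r}")
        out[normalize_name(raw_name)] = {"spec": spec, "source": source, "origin": "poetry"}
    return out


def all_production_deps(pyproject_text: str) -> dict:
    """Merge both sections. As with Data.Map.union, the legacy (left) map wins
    on duplicate keys, so a richer Poetry table entry is never shadowed."""
    doc = tomllib.loads(pyproject_text)
    legacy = legacy_poetry_deps(doc)
    pep621 = pep621_deps(doc)
    return {**pep621, **legacy}  # later operand overrides: legacy takes precedence


if __name__ == "__main__":
    for name, dep in sorted(all_production_deps(SAMPLE_PYPROJECT).items()):
        print(f"{name:10} {dep['spec']:10} origin={dep['origin']} source={dep['source']}")
```

Running it on the constructed sample yields four production deps: `pymedal` and `requests` only from PEP 621, `rich` only from the Poetry table, and `click` from the Poetry table (with its `internal` source intact) despite also being listed as a bare PEP 508 string. The `python` key is skipped, and names are PEP 503 normalized before the union so spelling variants of the same package collapse to one entry.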

Poetry 2.x introduced PEP 621 support, allowing production dependencies
to be declared in the project.dependencies section instead of the legacy
tool.poetry.dependencies. The Poetry strategy only read the latter,
causing production deps to be missed for Poetry 2.x projects using the
standard format.

Changes:
- allPoetryProductionDeps now merges PEP 621 deps with legacy Poetry deps
  (legacy takes precedence for dedup)
- pyProjectDeps includes PEP 621 deps as production in the no-lock-file path
- Extract reqName to shared Util module (used by both Poetry and PDM)
- Add test fixtures and tests for PEP 621 and mixed-format projects

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
@zlav zlav requested a review from a team as a code owner April 3, 2026 18:28
@zlav zlav requested review from nficca and removed request for nficca April 3, 2026 18:28
@zlav zlav marked this pull request as draft April 3, 2026 18:46
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
