fix(bazel): keep pypi generation explicit

- remove Bazel PyPI auto-manifest config and dispatch

- drop live no-ecosystem constructed test and clean PyPI type imports

Author: simonhj

src/commands/manifest/README.md

@@ -43,9 +43,9 @@ socket manifest bazel [options] [DIR=.]
 
 > **Upload**: This subcommand only generates manifests. To generate and
 > upload in one step, use `socket scan create --auto-manifest .` — it
-> detects the workspace, generates Bazel Maven manifests by default, and
-> uploads the result. Bazel PyPI auto-manifest generation requires an explicit
-> `defaults.manifest.bazel.ecosystem` config value that includes `pypi`.
+> detects the workspace, generates Bazel Maven manifests, and uploads the
+> result. Generate Bazel PyPI manifests explicitly with `socket manifest bazel
+> --ecosystem pypi`, then scan the generated output with `socket scan create`.
 
 ### Examples
 
@@ -89,7 +89,7 @@ When `--ecosystem pypi` is selected, the command:
   `requirements.txt` cannot represent both versions, and silently
   picking one would produce a misleading SBOM.
 
-### Unsupported PyPI Forms (Phase 02.1)
+### Unsupported PyPI Forms
 
 The PyPI extractor is intentionally narrow in this phase:
 
@@ -101,8 +101,9 @@ The PyPI extractor is intentionally narrow in this phase:
 - **Private corpus validation** requires authenticated GitHub access.
   When credentials are unavailable, the bazel-bench harness's private
   PyPI case skips cleanly with a distinct reason rather than failing.
-- **Whole-repo extraction.** Phase 02.1 is Tier 2 whole-repo scope.
-  Per-target PyPI slicing is deferred to Phase 4.
+- **Whole-repo extraction.** The initial PyPI implementation emits one
+  whole-workspace manifest. Per-target PyPI slicing is not currently
+  supported.
 
 ### Cross-Language Edges
 

src/commands/manifest/bazel/cmd-manifest-bazel.mts

@@ -187,23 +187,10 @@ async function run(
     sockJson?.defaults?.manifest?.bazel,
   )
 
-  let { bazel, bazelFlags, bazelOutputBase, bazelRc, ecosystem, out, verbose } =
-    cli.flags
+  const { ecosystem } = cli.flags
+  let { bazel, bazelFlags, bazelOutputBase, bazelRc, out, verbose } = cli.flags
 
   // Set defaults for any flag/arg that is not given. Check socket.json first.
-  // The meow flag is isMultiple: true, so cli.flags.ecosystem is
-  // string[] | undefined. The SocketJson schema allows either a single
-  // string or an array, so normalize a string default to a one-element
-  // array before assigning.
-  if (!ecosystem) {
-    const rawEcosystem = sockJson.defaults?.manifest?.bazel?.ecosystem
-    if (rawEcosystem) {
-      ecosystem = Array.isArray(rawEcosystem)
-        ? [...rawEcosystem]
-        : [rawEcosystem as string]
-      logger.info(`Using default --ecosystem from ${SOCKET_JSON}:`, ecosystem)
-    }
-  }
   if (!bazel) {
     const defaultBazel =
       sockJson.defaults?.manifest?.bazel?.bazel ??

src/commands/manifest/bazel/extract_bazel_to_pypi.constructed.test.mts

@@ -125,32 +125,3 @@ describe.skipIf(isSandboxed())(
     }, 60000)
   },
 )
-
-describe('extract_bazel_to_pypi — sandbox fallback', () => {
-  it('returns noEcosystemFound when explicit mode has no Python rules', async () => {
-    const { writeFileSync } = await import('node:fs')
-    const noRulesDir = mkdtempSync(path.join(os.tmpdir(), 'no-python-rules-'))
-    try {
-      // Write a minimal MODULE.bazel so workspace detection passes.
-      writeFileSync(
-        path.join(noRulesDir, 'MODULE.bazel'),
-        'module(name="test")\n',
-        'utf8',
-      )
-      const result = await extractBazelToPypi({
-        bazelFlags: undefined,
-        bazelOutputBase: undefined,
-        bazelRc: undefined,
-        bin: undefined,
-        cwd: noRulesDir,
-        out: noRulesDir,
-        verbose: false,
-        explicitEcosystem: true,
-      })
-      expect(result.noEcosystemFound).toBe(true)
-      expect(result.ok).toBe(false)
-    } finally {
-      rmSync(noRulesDir, { recursive: true, force: true })
-    }
-  }, 60000)
-})

src/commands/manifest/bazel/extract_bazel_to_pypi.mts

@@ -33,6 +33,10 @@ import {
 import { getErrorCause } from '../../../utils/errors.mts'
 
 import type { PypiHubCandidate } from './bazel-pypi-discovery.mts'
+import type {
+  ExtractedPypiPackage,
+  ReachedPypiLabel,
+} from './bazel-pypi-parser.mts'
 import type { BazelQueryOptions } from './bazel-query-runner.mts'
 
 export type ExtractBazelToPypiOptions = {
@@ -306,10 +310,7 @@ async function resolveHubLockfile(
   },
   cwd: string,
   verbose: boolean,
-): Promise<
-  | Map<string, import('./bazel-pypi-parser.mts').ExtractedPypiPackage>
-  | undefined
-> {
+): Promise<Map<string, ExtractedPypiPackage> | undefined> {
   const resolved =
     hubInfo.requirementsLockPath ??
     resolveRequirementsLockPath(hubInfo.requirementsLockLabel, cwd)
@@ -331,7 +332,7 @@ async function queryReachedPypiLabels(
   hubName: string,
   queryOpts: BazelQueryOptions,
   verbose: boolean,
-): Promise<Array<import('./bazel-pypi-parser.mts').ReachedPypiLabel>> {
+): Promise<ReachedPypiLabel[]> {
   const queryStr = 'deps(kind("py_library|py_binary|py_test", //...))'
   const result = await runBazelQuery(queryStr, queryOpts, 'label')
   if (result.code !== 0) {
@@ -350,16 +351,11 @@ async function queryReachedPypiLabels(
 // entries. For each reached label, if the lockfile missed it, resolve the
 // actual target via `--output=build` and extract pypi_name/pypi_version.
 async function buildSpokeTagLookup(
-  reached: Array<import('./bazel-pypi-parser.mts').ReachedPypiLabel>,
+  reached: ReachedPypiLabel[],
   queryOpts: BazelQueryOptions,
   verbose: boolean,
-): Promise<
-  Map<string, import('./bazel-pypi-parser.mts').ExtractedPypiPackage>
-> {
-  const lookup = new Map<
-    string,
-    import('./bazel-pypi-parser.mts').ExtractedPypiPackage
-  >()
+): Promise<Map<string, ExtractedPypiPackage>> {
+  const lookup = new Map<string, ExtractedPypiPackage>()
   for (const label of reached) {
     // Only query the spoke if we haven't already resolved it.
     if (lookup.has(label.normalizedName)) {

src/commands/manifest/bazel/extract_bazel_to_pypi.test.mts

@@ -1,4 +1,10 @@
-import { existsSync, mkdtempSync, readFileSync, rmSync } from 'node:fs'
+import {
+  existsSync,
+  mkdtempSync,
+  readFileSync,
+  rmSync,
+  writeFileSync,
+} from 'node:fs'
 import os from 'node:os'
 import path from 'node:path'
 
@@ -128,7 +134,6 @@ describe('extractBazelToPypi', () => {
 
     // Create a requirements_lock.txt in the temp dir.
     const lockPath = path.join(tmp, 'requirements_lock.txt')
-    const { writeFileSync } = await import('node:fs')
     writeFileSync(lockPath, 'requests==2.33.1\n', 'utf8')
 
     const result = await extractBazelToPypi({
@@ -178,7 +183,6 @@ describe('extractBazelToPypi', () => {
         stderr: '',
       })
 
-    const { writeFileSync } = await import('node:fs')
     writeFileSync(
       path.join(tmp, 'requirements_lock.txt'),
       'requests==2.33.1\n',
@@ -273,7 +277,6 @@ describe('extractBazelToPypi', () => {
         stderr: '',
       })
 
-    const { writeFileSync } = await import('node:fs')
     writeFileSync(
       path.join(tmp, 'requirements_lock.txt'),
       'requests==2.33.1\n',
@@ -324,7 +327,6 @@ describe('extractBazelToPypi', () => {
         stderr: '',
       })
 
-    const { writeFileSync } = await import('node:fs')
     writeFileSync(
       path.join(tmp, 'requirements_lock.txt'),
       'charset-normalizer==3.4.7\n',
@@ -389,7 +391,6 @@ describe('extractBazelToPypi', () => {
         stderr: '',
       })
 
-    const { writeFileSync } = await import('node:fs')
     writeFileSync(
       path.join(tmp, 'requirements_lock.txt'),
       'requests==2.33.1\n',
@@ -426,7 +427,6 @@ describe('extractBazelToPypi', () => {
       ]),
     )
 
-    const { writeFileSync } = await import('node:fs')
     writeFileSync(
       path.join(tmp, 'requirements_lock.txt'),
       'foo-bar==1.0.0\nFoo_Bar==2.0.0\n',
@@ -469,7 +469,6 @@ describe('extractBazelToPypi', () => {
       stderr: '',
     })
 
-    const { writeFileSync } = await import('node:fs')
     writeFileSync(
       path.join(tmp, 'requirements_lock.txt'),
       'requests==2.33.1\n',

src/commands/manifest/generate_auto_manifest.mts

@@ -3,7 +3,6 @@ import path from 'node:path'
 import { logger } from '@socketsecurity/registry/lib/logger'
 
 import { extractBazelToMaven } from './bazel/extract_bazel_to_maven.mts'
-import { extractBazelToPypi } from './bazel/extract_bazel_to_pypi.mts'
 import { convertGradleToMaven } from './convert_gradle_to_maven.mts'
 import { convertSbtToMaven } from './convert_sbt_to_maven.mts'
 import { handleManifestConda } from './handle-manifest-conda.mts'
@@ -87,14 +86,6 @@ export async function generateAutoManifest({
 
   if (!sockJson?.defaults?.manifest?.bazel?.disabled && detected.bazel) {
     const bazelConfig = sockJson?.defaults?.manifest?.bazel
-    type EcosystemOutcome = {
-      ecosystem: 'maven' | 'pypi'
-      ok: boolean
-      noEcosystemFound?: boolean
-      hardFailure?: boolean
-      manifestPath?: string | undefined
-    }
-    const outcomes: EcosystemOutcome[] = []
 
     logger.log(
       'Detected a Bazel workspace, extracting Maven dependencies via bazel query...',
@@ -109,63 +100,15 @@ export async function generateAutoManifest({
       outLayout: 'flat',
       verbose: Boolean(bazelConfig?.verbose) || verbose,
     })
-    outcomes.push({
-      ecosystem: 'maven',
-      noEcosystemFound: Boolean(mavenResult.noEcosystemFound),
-      ok: mavenResult.ok,
-      manifestPath: mavenResult.manifestPath,
-    })
-
-    const configuredEcosystems = bazelConfig?.ecosystem
-    const requestedEcosystems = Array.isArray(configuredEcosystems)
-      ? configuredEcosystems
-      : configuredEcosystems
-        ? [configuredEcosystems]
-        : []
-    const shouldRunPypi = requestedEcosystems.includes('pypi')
-
-    if (shouldRunPypi) {
-      logger.log('Extracting PyPI dependencies via bazel query...')
-      const pypiResult = await extractBazelToPypi({
-        bazelFlags: bazelConfig?.bazelFlags,
-        bazelOutputBase: bazelConfig?.bazelOutputBase,
-        bazelRc: bazelConfig?.bazelRc,
-        bin: bazelConfig?.bazel ?? bazelConfig?.bin,
-        cwd,
-        explicitEcosystem: true,
-        out: bazelConfig?.out ?? cwd,
-        outLayout: 'flat',
-        verbose: Boolean(bazelConfig?.verbose) || verbose,
-      })
-      outcomes.push({
-        ecosystem: 'pypi',
-        ok: pypiResult.ok,
-        noEcosystemFound: Boolean(pypiResult.noEcosystemFound),
-        manifestPath: pypiResult.manifestPath,
-      })
-    } else if (verbose) {
-      logger.info(
-        'Skipping Bazel PyPI auto-manifest extraction; set defaults.manifest.bazel.ecosystem to include "pypi" to opt in.',
-      )
-    }
-
-    // Auto-manifest outcome matrix: hard failures are fatal, no-discovery is
-    // informational, and successes are returned only when nothing hard-failed.
-    const successes = outcomes.filter(o => o.ok && o.manifestPath)
-    const hardFailures = outcomes.filter(o => !o.ok && !o.noEcosystemFound)
-    const noDiscoveries = outcomes.filter(o => o.noEcosystemFound)
 
-    if (hardFailures.length) {
-      const ecosystems = hardFailures.map(f => f.ecosystem).join(', ')
+    if (!mavenResult.ok && !mavenResult.noEcosystemFound) {
       throw new Error(
-        `Bazel auto-manifest generation failed for ecosystem(s): ${ecosystems}`,
+        'Bazel auto-manifest generation failed for ecosystem(s): maven',
       )
     }
-    if (successes.length) {
-      for (const s of successes) {
-        generatedFiles.push(s.manifestPath!)
-      }
-    } else if (noDiscoveries.length === outcomes.length) {
+    if (mavenResult.ok && mavenResult.manifestPath) {
+      generatedFiles.push(mavenResult.manifestPath)
+    } else if (mavenResult.noEcosystemFound) {
       logger.info('No supported Bazel Maven ecosystem detected.')
     }
   }