feat(pypi): restrict pip.parse hub visibility

[Harshal96]

Add a restrict_visibility_to attribute for bzlmod pip.parse so hub aliases are public only for packages listed in direct requirement files.

Keep all lockfile packages available to generated wheel repositories so transitive dependencies continue to resolve internally.

Fixes #3413

PR Instructions/requirements

• Title uses type: description format. See CONTRIBUTING.md for types.
  • Common types are: build, docs, feat, fix, refactor, revert, test
  • Update CHANGELOG.md as applicable
• Breaking changes include "!" after the type and a "BREAKING CHANGES:"
  section at the bottom.
  See CONTRIBUTING.md for our breaking changes process.
• Body text describes:
  • Why this change is being made, briefly.
  • Before and after behavior, as applicable
  • References issue number, as applicable
• Update docs and tests, as applicable
• Delete these instructions prior to sending the PR

[gemini-code-assist]

Code Review

This pull request introduces the restrict_visibility_to attribute to pip.parse, allowing users to limit public hub aliases to direct dependencies specified in requirement files. Transitive dependencies not included in these files are kept internal to the generated wheel repositories, preventing their use as direct dependencies. The changes include updates to documentation, the pip.parse extension, requirement parsing logic, and visibility rendering in the hub repository, along with new unit tests. I have no feedback to provide as there were no review comments.

[aignas]

Thank you for the contribution.

[aignas]

Should we key this by_platform as well?

[aignas]

This acts like a union. Is this the right thing to do here?

From the modeling perspective, the requirements may be different based on the target platform. That said, I think this approach is OK in the parse_requirements internals. Since we are asking the user to provide the source lock files.

[aignas]

I like adding this, but I imaging that we could repurpose this set of files for more labels.

1. Restrict visibility.
2. Create a @pypi//:lock.update target automatically that includes the srcs passed here as srcs passed to the lock file. This plumbing would be similar to what rules_jvm have with their repin.

We should also assume that we will need to support pyproject.toml files/file via the same interface in the future.

[aignas]

Should we create a separate function for this?

    exposed_requirements = parse_dep_srcs(module_ctx, pip_attr.restrict_visibility_to)

That way we make the code more maintainable and easier to test.

[aignas]

I would like this logic to be somewhere outside the parse_requirements.bzl file. Would it be possible to move it to hub_builder.bzl? The output of parse_requirements have this is_exposed flag (that is an internal implementation detail) and if we make the lock sources mandatory, then we would be able to drop that implementation detail, which actually makes the code a little bit more complex than it needs to be.

[aignas]

I don't like the double negatives, maybe the following is easier to read?

Suggested change

	if exposed_package_names != None and normalized_name not in exposed_package_names:
	if not (exposed_package_names and normalized_name in exposed_package_names):