fix(resolver): honor config.audit.block-insecure security-advisory filter

Mozart silently ignored the `security-advisories` block on inline
`type: package` repositories and the `config.audit.block-insecure`
audit flag, so a `composer update` succeeded with packages a Composer
run would have refused to load. Mirror Composer's
`SecurityAdvisoryPoolFilter` for the slice that feeds the pool:

- Plumb a `security-advisories` field through `RawRepository` and a
  `block_insecure` flag through `ResolveRequest`, lifted off
  `composer.json`'s `config.audit.block-insecure`.
- Collect every advisory's `affectedVersions` constraint at resolve
  time. When `block_insecure` is set and an inline package's
  normalized version satisfies the constraint, drop it from the pool
  before solving — root requires with no unaffected candidate then
  fail with the standard "could not be resolved" error.

1 files changed, 2 insertions, 0 deletions

diff --git a/crates/mozart/src/commands/init.rs b/crates/mozart/src/commands/init.rs
index 1a6df37..209be4b 100644
--- a/crates/mozart/src/commands/init.rs
+++ b/crates/mozart/src/commands/init.rs
@@ -707,6 +707,7 @@ fn parse_repositories(repos: &[String]) -> anyhow::Result<Vec<RawRepository>> {
                 only: None,
                 exclude: None,
                 canonical: None,
+                security_advisories: None,
             });
         } else {
             // Plain URL
@@ -717,6 +718,7 @@ fn parse_repositories(repos: &[String]) -> anyhow::Result<Vec<RawRepository>> {
                 only: None,
                 exclude: None,
                 canonical: None,
+                security_advisories: None,
             });
         }
     }