feat(resolver): honour audit.block-abandoned config

Read `config.audit.block-abandoned` from composer.json (defaults to
false) and propagate it to the resolver. When set, the pool builder
skips packages whose `abandoned` field is truthy (`true` or a non-empty
replacement string), matching `SecurityAdvisoryPoolFilter`'s behavior in
`Composer\DependencyResolver`. With no candidates left, a root require
that only matches abandoned versions fails resolution with exit 2.

1 files changed, 4 insertions, 0 deletions

diff --git a/crates/mozart/src/commands/remove.rs b/crates/mozart/src/commands/remove.rs
index 9c5f7fa..dc20a21 100644
--- a/crates/mozart/src/commands/remove.rs
+++ b/crates/mozart/src/commands/remove.rs
@@ -276,6 +276,7 @@ pub async fn execute(
             .collect(),
         locked_package_names: indexmap::IndexSet::new(),
         locked_packages: Vec::new(),
+        block_abandoned: false,
     };
 
     // Print header messages
@@ -554,6 +555,7 @@ async fn remove_unused(
             .collect(),
         locked_package_names: indexmap::IndexSet::new(),
         locked_packages: Vec::new(),
+        block_abandoned: false,
     };
 
     console.info("Resolving dependencies to detect unused packages...");
@@ -908,6 +910,7 @@ mod tests {
             root_conflict: IndexMap::new(),
             locked_package_names: IndexSet::new(),
             locked_packages: Vec::new(),
+            block_abandoned: false,
         };
         let resolved = resolve(&request)
             .await
@@ -965,6 +968,7 @@ mod tests {
             root_conflict: IndexMap::new(),
             locked_package_names: IndexSet::new(),
             locked_packages: Vec::new(),
+            block_abandoned: false,
         };
         let resolved2 = resolve(&request2)
             .await