fix(update): unlock new-package deps via repo requires for --with-deps

`expand_with_direct_dependencies` only walked the lock map, so an
allow-listed package not yet in the lock (a freshly added root require)
contributed nothing to the unlock cascade. The resolver then kept
transitive deps pinned to their lock versions and bailed when the new
package's require could not be satisfied. Mirror Composer's
`PoolBuilder::loadPackage` by also walking inline / composer-repo
require lists for not-yet-locked packages.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

1 files changed, 8 insertions, 2 deletions

diff --git a/crates/mozart/src/commands/require.rs b/crates/mozart/src/commands/require.rs
index 24812fc..45ad759 100644
--- a/crates/mozart/src/commands/require.rs
+++ b/crates/mozart/src/commands/require.rs
@@ -730,10 +730,16 @@ pub async fn execute(
         let newly_required: Vec<String> =
             additions.iter().map(|(name, _, _)| name.clone()).collect();
 
+        let repo_requires = super::update::collect_repo_requires(&raw.repositories);
         let allow_list = if with_all_deps {
-            super::update::expand_with_all_dependencies(newly_required, lock)
+            super::update::expand_with_all_dependencies(newly_required, lock, &repo_requires)
         } else if with_deps {
-            super::update::expand_with_direct_dependencies(newly_required, lock, &IndexSet::new())
+            super::update::expand_with_direct_dependencies(
+                newly_required,
+                lock,
+                &IndexSet::new(),
+                &repo_requires,
+            )
         } else {
             // Default for `require`: only the newly added packages are allowed to change.
             additions.iter().map(|(name, _, _)| name.clone()).collect()