fix(python): address review feedback for pyproject.toml provider

- Add TOML parse error checking (align with CargoProvider pattern)
- Exclude optional and dev/test group dependencies (production only)
- Preserve Poetry version constraints in dependency strings
- Fix ignore matching bug: use getName() instead of getCoordinates()

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: ruromero

src/main/java/io/github/guacsec/trustifyda/providers/PythonProvider.java

@@ -170,7 +170,7 @@ private void handleIgnoredDependencies(String manifestContent, Sbom sbom) {
     Set<String> ignoredDepsNoVersions =
         ignoredDeps.stream()
             .filter(dep -> dep.getVersion().trim().equals("*"))
-            .map(PackageURL::getCoordinates)
+            .map(PackageURL::getName)
             .collect(Collectors.toSet());
 
     sbom.setBelongingCriteriaBinaryAlgorithm(Sbom.BelongingCondition.NAME);

src/main/java/io/github/guacsec/trustifyda/providers/PythonPyprojectProvider.java

@@ -75,6 +75,9 @@ protected Set<PackageURL> getIgnoredDependencies(String manifestContent) {
 
   List<String> parseDependencyStrings() throws IOException {
     TomlParseResult toml = Toml.parse(manifest);
+    if (toml.hasErrors()) {
+      throw new IOException("Invalid pyproject.toml format: " + toml.errors().get(0).getMessage());
+    }
     List<String> deps = new ArrayList<>();
 
     // [project.dependencies] - PEP 621
@@ -85,48 +88,40 @@ List<String> parseDependencyStrings() throws IOException {
       }
     }
 
-    // [project.optional-dependencies] - PEP 621
-    TomlTable optionalDeps = toml.getTable("project.optional-dependencies");
-    if (optionalDeps != null) {
-      for (String group : optionalDeps.keySet()) {
-        TomlArray groupDeps = optionalDeps.getArray(group);
-        if (groupDeps != null) {
-          for (int i = 0; i < groupDeps.size(); i++) {
-            deps.add(groupDeps.getString(i));
-          }
-        }
-      }
-    }
-
-    // [tool.poetry.dependencies]
+    // [tool.poetry.dependencies] - production only
     TomlTable poetryDeps = toml.getTable("tool.poetry.dependencies");
     if (poetryDeps != null) {
       for (String name : poetryDeps.keySet()) {
         if (!"python".equalsIgnoreCase(name)) {
-          deps.add(name);
+          deps.add(poetryDepToRequirement(name, poetryDeps, name));
         }
       }
     }
 
-    // [tool.poetry.group.*.dependencies]
-    TomlTable poetryGroups = toml.getTable("tool.poetry.group");
-    if (poetryGroups != null) {
-      for (String groupName : poetryGroups.keySet()) {
-        TomlTable groupTable = poetryGroups.getTable(groupName);
-        if (groupTable != null) {
-          TomlTable groupDeps = groupTable.getTable("dependencies");
-          if (groupDeps != null) {
-            for (String name : groupDeps.keySet()) {
-              if (!"python".equalsIgnoreCase(name)) {
-                deps.add(name);
-              }
-            }
-          }
+    return deps;
+  }
+
+  /**
+   * Converts a Poetry dependency entry to a pip-compatible requirement string. Poetry deps can be a
+   * simple string ({@code name = "^1.0"}), a table ({@code name = {version = "^1.0"}}), or just a
+   * name when the version is unresolvable.
+   */
+  private static String poetryDepToRequirement(String name, TomlTable table, String key) {
+    if (table.isString(key)) {
+      String version = table.getString(key);
+      if (version != null && !version.isEmpty() && !"*".equals(version)) {
+        return name + version;
+      }
+    } else if (table.isTable(key)) {
+      TomlTable depTable = table.getTable(key);
+      if (depTable != null) {
+        String version = depTable.getString("version");
+        if (version != null && !version.isEmpty() && !"*".equals(version)) {
+          return name + version;
         }
       }
     }
-
-    return deps;
+    return name;
   }
 
   static String extractDepFromTomlLine(String line) {

src/test/java/io/github/guacsec/trustifyda/providers/Python_Pyproject_Provider_Test.java

@@ -50,12 +50,12 @@ void test_parse_pep621_dependencies() throws IOException {
   }
 
   @Test
-  void test_parse_pep621_optional_dependencies() throws IOException {
+  void test_parse_pep621_excludes_optional_dependencies() throws IOException {
     Path pyprojectPath =
         Path.of("src/test/resources/tst_manifests/pip/pip_pyproject_toml_no_ignore/pyproject.toml");
     var provider = new PythonPyprojectProvider(pyprojectPath);
     List<String> deps = provider.parseDependencyStrings();
-    assertThat(deps).contains("click==8.0.4");
+    assertThat(deps).doesNotContain("click==8.0.4");
   }
 
   @Test
@@ -64,7 +64,7 @@ void test_parse_poetry_dependencies() throws IOException {
         Path.of("src/test/resources/tst_manifests/pip/pip_pyproject_toml_poetry/pyproject.toml");
     var provider = new PythonPyprojectProvider(pyprojectPath);
     List<String> deps = provider.parseDependencyStrings();
-    assertThat(deps).contains("anyio", "flask", "requests");
+    assertThat(deps).contains("anyio^3.6.2", "flask^2.0.3", "requests^2.25.1");
   }
 
   @Test
@@ -77,12 +77,12 @@ void test_parse_poetry_excludes_python() throws IOException {
   }
 
   @Test
-  void test_parse_poetry_group_dependencies() throws IOException {
+  void test_parse_poetry_excludes_dev_group_dependencies() throws IOException {
     Path pyprojectPath =
         Path.of("src/test/resources/tst_manifests/pip/pip_pyproject_toml_poetry/pyproject.toml");
     var provider = new PythonPyprojectProvider(pyprojectPath);
     List<String> deps = provider.parseDependencyStrings();
-    assertThat(deps).contains("click");
+    assertThat(deps).doesNotContain("click", "click^8.0.4");
   }
 
   @Test