
[ANE-2458] Enable path dependency analysis by default#1697

Draft
zlav wants to merge 2 commits into master from enable-path-deps-by-default

Conversation

@zlav
Member

@zlav zlav commented Apr 17, 2026

Overview

Flips the default for path dependency license scanning from off to on. The legacy --experimental-analyze-path-dependencies flag is kept as a hidden no-op that emits a deprecation warning. A new --disable-path-dependency-scans flag is introduced for opt-out.

Acceptance criteria

  • Running fossa analyze on a project containing path dependencies in a supported ecosystem (Go replace directives, PDM path = ..., Cargo path = ...) now triggers a CLI license scan and upload without any extra flag.
  • Running fossa analyze --disable-path-dependency-scans restores the previous default behavior (skip license scanning of path deps).
  • Running fossa analyze --experimental-analyze-path-dependencies prints a deprecation notice but does not change behavior (path deps are scanned either way).
  • The previous "NOTE: path dependency detected..." nudge is no longer emitted, since the feature is on by default.

Testing plan

  1. Build with cabal build spectrometer — succeeds.
  2. Build the test suite with cabal build unit-tests — succeeds.
  3. Manually inspect fossa analyze --help to confirm --disable-path-dependency-scans is listed and --experimental-analyze-path-dependencies is hidden.
  4. Run fossa analyze on a Go project with a replace directive pointing at a local path and confirm the path dep is license-scanned without passing any flag.
  5. Run fossa analyze --disable-path-dependency-scans on the same project and confirm no path dep scan occurs.
  6. Run fossa analyze --experimental-analyze-path-dependencies on the same project and confirm a deprecation warning is printed.

Risks

  • This is a user-visible default change. Organizations whose FOSSA endpoint has orgSupportsPathDependencyScans enabled will start uploading path dependency license data without explicitly opting in. The code path already gates on orgSupportsPathDependencyScans, so orgs without the feature are unaffected.
  • Users who relied on the "nudge" log line to discover the feature will no longer see it. Docs have been updated to reflect the new default.

Metrics

  • N/A — this is a default-flip for an existing feature. Observed usage of --disable-path-dependency-scans post-release would indicate friction; if we see widespread opt-out, we should revisit.

References

  • ANE-2458: Enable path dependency support by default.

Checklist

  • I added tests for this PR's change (or explained in the PR description why tests don't make sense).
    • Existing App.Fossa.PathDependencySpec continues to cover the core enrichment logic. The CLI-flag flip is exercised indirectly via fixtureStrategyConfig.resolvePathDependencies = True, which now matches the new default.
  • If this PR introduced a user-visible change, I added documentation into docs/.
  • If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
    • No new docs pages added; existing pages updated in place.
  • If this change is externally visible, I updated Changelog.md.
  • If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json...
    • Not applicable; no config file schema changes.
  • If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.

Path dependency license scanning is now enabled by default for
supported ecosystems (Go, PDM, Cargo). The
--experimental-analyze-path-dependencies flag is deprecated and is
preserved as a hidden no-op that emits a deprecation warning. Users
who want the prior behavior can opt out with the new
--disable-path-dependency-scans flag.

The previous "nudge" that logged a note when unresolved path
dependencies were detected is no longer needed and has been removed.

@zlav
Member Author

zlav commented Apr 17, 2026

Scan: analyzers that find path deps that don't get uploaded

Research only — no code changes. Two groups below.

Emit UnresolvedPathType → flow through PathDependency.enrich → uploaded

  • Cargo — src/Strategy/Cargo.hs:450-451
  • Go (go list) — src/Strategy/Go/GoListPackages.hs:310
  • PDM — src/Strategy/Python/PDM/Pdm.hs:147, src/Strategy/Python/PDM/PdmLock.hs:93
  • uv — src/Strategy/Python/Uv.hs:192, 201

Detect path / local deps but DO NOT emit UnresolvedPathType (so they never reach the enrich/upload step)

  • pnpm — src/Strategy/Node/Pnpm/PnpmLock.hs:506-507: withoutLocalPackages strips all UserType deps from the graph before submission.
  • npm — src/Strategy/Node/Npm/PackageLock.hs:162: workspace packages and file:-prefixed versions are filtered out.
  • Yarn v2 — src/Strategy/Node/YarnV2/Resolvers.hs:252, 259, 266, 274, 281, 287: file:, link:, portal:, exec:, lib:, patch: resolvers are all routed through unsupportedResolver and dropped.
  • Bun — src/Strategy/Node/Bun/BunLock.hs:268, 287-297: isUnsupportedRef returns Nothing for workspace:, file:, link:, root:, module:, ./, ../ entries.
  • Poetry — src/Strategy/Python/Poetry/Common.hs:53: supportedPyProjectDep (PyProjectPoetryPathDependencySpec _) = False explicitly drops path deps.
  • Legacy Go Gomod parser — src/Strategy/Go/Gomod.hs:416-422: nonLocalPackage filters out replace ... => ./local entries. (GoListPackages, the default, handles these as UnresolvedPathType, so this only matters for the legacy fallback.)
  • Ruby Bundler — src/Strategy/Ruby/GemfileLock.hs:109-110: PATH sections are attached as OtherRemote labels (remote path goes into dependencyLocations) but the dep stays GemType, never UnresolvedPathType.

Implication for this PR

Flipping the default to on only broadens coverage for the four ecosystems in the first group. The Node ecosystems (pnpm/npm/yarn v2/bun), Poetry, Bundler PATH sources, and the legacy Gomod path would need analyzer-side work to emit UnresolvedPathType before path-dep upload would apply to them. Out of scope for this PR, but worth a follow-up ticket if we want parity.

Gems declared in a `PATH` section of `Gemfile.lock` were previously
reported as `GemType` deps with the local path only in
`dependencyLocations`. They never reached the path-dependency scan/upload
pipeline, so their license data was never captured even when
path-dependency scanning was enabled.

Treat them as path dependencies: set `dependencyType = UnresolvedPathType`
and use the PATH section's `remote` value (the local filesystem path) as
the dependency name, matching the convention Cargo, Go, PDM, and uv
already use. The path-dependency enrichment step then resolves, hashes,
license-scans, and uploads the gem source.
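The Bundler change described in the commit message above, as an added illustration in Python rather than the project's own Haskell code: a minimal parser for a constructed Gemfile.lock that shows the old mapping (PATH gems kept as GemType, local path only recorded as a location, so they never reach the scan/upload step) beside the new one (UnresolvedPathType named by the PATH remote), plus the opt-out the new --disable-path-dependency-scans flag provides. The lockfile contents, Dep record and function names are assumptions for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed sample lockfile (not from any real project): one PATH gem, one GEM gem.
SAMPLE_LOCK = """\
PATH
  remote: ./vendor/internal-auth
  specs:
    internal-auth (0.1.0)
      rake (>= 12)

GEM
  remote: https://rubygems.org/
  specs:
    rake (13.0.6)
"""

@dataclass
class Dep:
    dep_type: str                 # "GemType" or "UnresolvedPathType"
    name: str
    version: Optional[str]
    locations: List[str] = field(default_factory=list)

def parse_gemfile_lock(text: str, path_deps_as_unresolved: bool = True) -> List[Dep]:
    """Collect top-level specs from PATH and GEM sections. False keeps PATH gems as
    GemType with the path only as a location (old behaviour); True emits
    UnresolvedPathType named by the PATH remote (the behaviour described above)."""
    deps, section, remote = [], None, None
    for line in text.splitlines():
        if line and not line.startswith(" "):
            section, remote = line.strip(), None        # section header
        elif line.startswith("  remote: "):
            remote = line.split("remote: ", 1)[1].strip()
        elif section in ("PATH", "GEM") and line.startswith("    ") and not line.startswith("      "):
            name, _, rest = line.strip().partition(" ")   # "name (version)"; nested deps skipped
            version = rest.strip("()") or None
            if section == "PATH" and path_deps_as_unresolved:
                deps.append(Dep("UnresolvedPathType", remote, version))
            elif section == "PATH":
                deps.append(Dep("GemType", name, version, [remote]))
            else:
                deps.append(Dep("GemType", name, version))
    return deps

def scannable_path_deps(deps: List[Dep], disable_path_dependency_scans: bool = False) -> List[Dep]:
    """New default: every UnresolvedPathType dep is license-scanned unless the opt-out is set."""
    if disable_path_dependency_scans:
        return []
    return [d for d in deps if d.dep_type == "UnresolvedPathType"]
```

With the old mapping the local gem is invisible to license scanning even when scanning is on; with the new one it is picked up by default and dropped only when the opt-out flag is passed.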