resource_auditor: audit PyPI resources that exist as formulae

[botantony]

• Have you followed the guidelines in our Contributing document?
• Have you checked to ensure there aren't other open Pull Requests for the same change?
• Have you added an explanation of what your changes do and why you'd like us to include them?
• Have you written new tests for your changes? Here's an example.
• Have you successfully run brew lgtm (style, typechecking and tests) with your changes locally?

---

• AI was used to generate or assist with generating this PR. Please specify below how you used AI to help you, and what steps you have taken to manually verify the changes.

---

Some widely-used PyPI packages are available in Homebrew as dependencies for other Python-based formulae. We encourage their use either because they take a lot of time to build (f.e. pydantic or scipy) or we don't want to do hundreds of revision bumps when new security updates come out (f.e. cryptography or certifi). The problem I see with new contributors is that they don't know it. A lot of the time, they read the cookbook, create a Python-based formula, and it passes audit and tests. They did nothing wrong, but a maintainer still have to point out, "Hey, numpy takes a lot of time to build, and it exists as a formula, let's use it instead". I'd rather add an audit for such cases and make exceptions for formulae where it cannot be used

I'd also take a look at Python for Formula Authors but it should be revised in another PR

[Copilot]

Pull request overview

Adds/renames a PyPI resource audit in ResourceAuditor and integrates it into FormulaAuditor to (a) validate resource names against PyPI filenames and (b) flag certain PyPI resources that should be replaced by Homebrew dependencies, with tap-level exceptions.

Changes:

• Rename audit_resource_name_matches_pypi_package_name_in_url to audit_pypi_resources and extend it to flag dependency-replacement candidates.
• Add pypi_resources_allowlist tap audit exception handling to skip the PyPI resource audit for specific resources.
• Extend formula_auditor_spec with new examples covering dependency-replacement reporting, allowlist behavior, and skipping top-level formula PyPI URLs.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
Library/Homebrew/test/formula_auditor_spec.rb	Adds spec coverage for dependency-replacement auditing and allowlist behavior.
Library/Homebrew/resource_auditor.rb	Implements audit_pypi_resources, adds a dependency candidate set, and emits a new audit message.
Library/Homebrew/formula_auditor.rb	Wires tap exceptions into resource auditing by conditionally extending the except list.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[botantony]

formula audit failure is expected, if we agree to merge this I'll review failing formulae and either add them to the exception list or replace resources with dependencies

[MikeMcQuaid]

Thanks! Looks good so far, a few suggestions.

[MikeMcQuaid]

Looks good! A few more style tweaks. Also worth opening the homebrew/core PR to add the JSON file and linking it here.

[MikeMcQuaid]

Looks good when Homebrew/homebrew-core#272423 is also 🟢 and has no review comments!