feat(fetchers): PackageRegistryFetcher — PyPI, crates.io, npm metadata

[chaliy]

What

Add fetchers for package registry URLs (pypi.org, crates.io, npmjs.com), returning structured package metadata optimized for dependency evaluation.

Why

Agents evaluating dependencies need quick access to version, license, dependency tree, download stats, and README — without parsing noisy registry HTML. All three registries have clean JSON APIs. This directly supports the AGENTS.md requirement to "avoid adding dependencies with non-permissive licenses."

Requirements

PyPI (pypi.org/project/{name})

• Fetch via API: https://pypi.org/pypi/{name}/json
• Return: name, version, license, summary, dependencies (requires_dist), Python version support, download stats, project URLs

crates.io (crates.io/crates/{name})

• Fetch via API: https://crates.io/api/v1/crates/{name}
• Return: name, version, license, description, dependencies, downloads, repository URL, categories

npm (npmjs.com/package/{name})

• Fetch via API: https://registry.npmjs.org/{name}
• Return: name, version, license, description, dependencies, weekly downloads, repository URL

Common

• Format field: "package_registry"
• Include README content (all three APIs provide it)
• Highlight license prominently (agent workflow: license compliance check)
• Surface dependency count and notable dependencies

Design Notes

• Could be one fetcher with sub-matching or three separate fetchers
• All APIs are unauthenticated with generous rate limits
• Consider supporting version-specific URLs (e.g., pypi.org/project/{name}/{version})

Tier

2 — High-frequency agent need