feat: remove fetch depth limit for dependency resolution

Real package managers (pip, npm, Maven) don't have depth limits - they
resolve the full dependency tree. We have other safeguards:
- Loop prevention via fetch_attempted set
- Timeout via auto_fetch_timeout setting
- Dependency trees are finite

backend/app/dependencies.py

@@ -896,7 +896,6 @@ async def resolve_dependencies_with_fetch(
     base_url: str,
     storage: "S3Storage",
     registry_clients: Dict[str, "RegistryClient"],
-    max_fetch_depth: int = 10,
 ) -> DependencyResolutionResponse:
     """
     Resolve all dependencies for an artifact recursively, fetching missing ones from upstream.
@@ -916,7 +915,6 @@ async def resolve_dependencies_with_fetch(
         base_url: Base URL for download URLs
         storage: S3 storage for caching fetched artifacts
         registry_clients: Map of system project to registry client {"_pypi": PyPIRegistryClient}
-        max_fetch_depth: Maximum depth for auto-fetching (prevents runaway fetching)
 
     Returns:
         DependencyResolutionResponse with all resolved artifacts and fetch status
@@ -924,7 +922,6 @@ async def resolve_dependencies_with_fetch(
     Raises:
         DependencyNotFoundError: If the root artifact cannot be found (even after fetch attempt)
         CircularDependencyError: If circular dependencies are detected
-        DependencyConflictError: If conflicting versions are required
     """
     # Track fetched artifacts for response
     fetched_artifacts: List[ResolvedArtifact] = []
@@ -1024,7 +1021,6 @@ async def resolve_dependencies_with_fetch(
         dep_package: str,
         constraint: str,
         required_by: str,
-        fetch_depth: int,
     ) -> Optional[Tuple[str, str, int]]:
         """
         Try to fetch a missing dependency from upstream registry.
@@ -1039,13 +1035,6 @@ async def resolve_dependencies_with_fetch(
             )
             return None
 
-        # Check fetch depth
-        if fetch_depth > max_fetch_depth:
-            logger.info(
-                f"Max fetch depth ({max_fetch_depth}) exceeded for {dep_project}/{dep_package}"
-            )
-            return None
-
         # Build fetch key for loop prevention
         fetch_key = f"{dep_project}/{dep_package}@{constraint}"
         if fetch_key in fetch_attempted:
@@ -1105,7 +1094,6 @@ async def resolve_dependencies_with_fetch(
         size: int,
         required_by: Optional[str],
         depth: int = 0,
-        fetch_depth: int = 0,
     ):
         """Recursively resolve dependencies with fetch capability."""
         if depth > MAX_DEPENDENCY_DEPTH:
@@ -1178,7 +1166,6 @@ async def resolve_dependencies_with_fetch(
                     dep.dependency_package,
                     dep.version_constraint,
                     pkg_key,
-                    fetch_depth + 1,
                 )
 
                 if fetched:
@@ -1193,7 +1180,6 @@ async def resolve_dependencies_with_fetch(
                         constraint=dep.version_constraint,
                         required_by=pkg_key,
                         fetch_attempted=was_attempted,
-                        fetch_error="Max fetch depth exceeded" if was_attempted and fetch_depth >= max_fetch_depth else None,
                     ))
                     continue
 
@@ -1244,7 +1230,6 @@ async def resolve_dependencies_with_fetch(
                 dep_size,
                 pkg_key,
                 depth + 1,
-                fetch_depth + 1 if dep_artifact_id in [f.artifact_id for f in fetched_artifacts] else fetch_depth,
             )
 
         visiting.remove(artifact_id)

backend/app/routes.py

@@ -7093,7 +7093,6 @@ async def resolve_artifact_dependencies(
                 base_url=base_url,
                 storage=storage,
                 registry_clients=registry_clients,
-                max_fetch_depth=settings.auto_fetch_max_depth,
             )
         else:
             # Fast, synchronous resolution without network calls