Fix uv PEX builder for VCS and direct URL requirements #23218

Open
seungwoo-ji-03 wants to merge 3 commits into pantsbuild:main from seungwoo-ji-03:fix/uv-vcs-url-requirement

@seungwoo-ji-03

When the uv PEX builder extracts pinned requirements from a PEX-native
lockfile, it previously formatted every package as name==version.
That breaks direct references (e.g. git+https://..., direct HTTPS URLs,
and file:// URLs), because uv then tries to resolve them via indexes.

Use the lockfile's top-level requirements array—where PEX preserves
original PEP 508 requirement strings—to detect direct references
(name @ url). For those packages, emit name @ <artifact url> (using
the first artifact URL from locked_requirements) so uv fetches from the
original source.

Also harden lockfile parsing against malformed inputs:

  • Handle artifacts: null and artifacts: [null] safely.
  • Catch TypeError and AttributeError in the parsing path so malformed
    lockfile shapes gracefully fall back to transitive uv resolution.

Follow-up to #23197 (reported by @benjyw).

LLM Disclosure

Code was written by the author. Claude was used to help identify edge cases.

def _parse_direct_ref_names(top_level_requirements: tuple[str, ...]) -> frozenset[str]:
"""Extract canonicalized names from direct references in lockfile requirements.

Assumes PEX-serialized requirement strings normalize to ``name @ url``.
Contributor


Can you back this assumption up? Even if true today, Pex doesn't guarantee it. And it seems unnecessary to assume this when each requirement string is easy to parse correctly using packaging.requirements

Contributor


And we already depend on packaging, so this wouldn't introduce a new requirement
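
The review point above, worked through as an added example (not code from this PR or from Pants): detecting PEP 508 direct references with `packaging.requirements` instead of relying on an exact `name @ url` layout. The function names, the string-splitting stand-in and the sample requirement strings are constructed for illustration.

```python
from packaging.requirements import InvalidRequirement, Requirement
from packaging.utils import canonicalize_name

# Constructed sample of a lockfile's top-level "requirements" array.
SAMPLE_REQUIREMENTS = (
    "requests==2.31.0",
    "My_Pkg @ git+https://example.com/org/my-pkg.git@v1.2.0",
    "tool[cli]@https://example.com/dist/tool-0.4.0-py3-none-any.whl",
    'local.lib @ file:///srv/wheels/local_lib-1.0-py3-none-any.whl ; python_version >= "3.9"',
    "not a requirement !!",
)


def naive_direct_ref_names(requirements):
    """Hypothetical string-splitting stand-in that depends on the literal ' @ ' layout."""
    names = set()
    for req in requirements:
        if " @ " in req:
            names.add(req.split(" @ ", 1)[0].strip().lower())
    return frozenset(names)


def direct_ref_names(requirements):
    """Return (canonical names of direct references, strings that failed to parse)."""
    names, invalid = set(), []
    for req in requirements:
        try:
            parsed = Requirement(req)
        except InvalidRequirement:
            # Report malformed entries instead of guessing at their meaning.
            invalid.append(req)
            continue
        if parsed.url:  # populated only for PEP 508 direct references
            names.add(canonicalize_name(parsed.name))
    return frozenset(names), tuple(invalid)


if __name__ == "__main__":
    print("naive :", sorted(naive_direct_ref_names(SAMPLE_REQUIREMENTS)))
    print("parsed:", direct_ref_names(SAMPLE_REQUIREMENTS))
```

The string-splitting stand-in misses `tool[cli]@https://...` entirely and yields names that are not canonicalized, so those packages would still be pinned as `name==version` and resolved through an index rather than fetched from their original source.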

@jsirois
Contributor

jsirois commented Apr 7, 2026

I didn't pay attention to the initial PR, but this one alerted me to the fact you're parsing a Pex lock file, which I won't support. Presumably you know that and are willing to suffer breakage. Did you also know about pex3 lock export? That exports to requirements.txt (hashed) and pylock.toml (PEP-751). If you did know about it, did you find it too slow / slower than your hand-rolled parse? This would be the format you want to feed uv with barring some egregious blunder on my part making the export slow somehow.

I retro-noted this here: https://github.com/pantsbuild/pants/pull/23197/changes#r3042523328

The larger lesson is I hustled to give Pants all the tools it needed to start using uv from really any angle whatsoever. If you find yourself reaching for parsing or patching or doing much more work than calling tools, you're probably off base at this point. I may have missed something over the last 2 years setting up for this, but I don't think so.
