diff --git a/constraints.txt b/constraints.txt index 49dde5e..f81b773 100644 --- a/constraints.txt +++ b/constraints.txt @@ -9,36 +9,36 @@ # or `pip-compile` and commit the result. Current state: direct pins aligned with v1.8.0. # CRITICAL: pydantic family must stay synchronized or pip resolver explodes -# pydantic 2.13.4 hard-pins pydantic-core==2.46.4 (exact ==, not a range), and +# pydantic 2.13.4 hard-pins pydantic-core==2.47.0 (exact ==, not a range), and # 2.13.4 is the latest pydantic on PyPI — no release pairs with pydantic-core # 2.47.0 yet. Bumping pydantic-core alone makes `pip install -c constraints.txt` # unresolvable. Keep these two in lock-step; only bump pydantic-core together # with a compatible pydantic bump. pydantic==2.13.4 -pydantic-core==2.46.4 +pydantic-core==2.47.0 pydantic-settings==2.14.2 # Direct dependencies from pyproject.toml [project.dependencies] -- versions MUST match exactly -fastapi==0.138.0 +fastapi==0.139.0 # Constraints pin versions only; the `[standard]` extra stays in requirements.txt. # pip >= 26.1.2 rejects extras in a -c constraints file ("Constraints cannot have # extras"), which broke the verify-install gate. See pypa/pip#8210. -uvicorn==0.49.0 +uvicorn==0.51.0 pyyaml==6.0.3 httpx==0.28.1 # langgraph-sdk imports websockets.asyncio at graph import time; keep this direct # so legacy/no-deps paths cannot strand the app on websockets 12.x. -websockets==15.0.1 -langgraph==1.2.6 -langchain-core==1.4.8 +websockets==16.1 +langgraph==1.2.9 +langchain-core==1.4.9 chromadb==1.5.9 # CVE-2026-45829 (Critical pre-auth RCE; risk accepted ONLY for local/offline air-gapped PersistentClient embedded mode). See SECURITY.md + pip-audit. sentence-transformers==5.6.0 rank-bm25==0.2.2 numpy==1.26.4 -nltk==3.9.4 +nltk==3.10.0 # torch-cpu extra / embedding backend (minimum safe post CVE, CPU index via pyproject [tool.uv.sources]) -torch==2.12.1+cpu +torch==2.13.0+cpu # Optional Postgres / pgvector backends (pyproject extras: postgres, pgvector). # These are NOT installed by the default path; constraints only cap a version when @@ -46,15 +46,15 @@ torch==2.12.1+cpu # job), keeping that resolve reproducible without forcing the dep on SQLite installs. # NB: a -c constraints file cannot carry the [binary] extra (pip >= 26.1.2 rejects # extras in constraints), so the binary wheel package is pinned by its own name. -psycopg==3.2.13 -psycopg-binary==3.2.13 -pgvector==0.4.2 +psycopg==3.3.4 +psycopg-binary==3.3.4 +pgvector==0.5.0 # Optional Deep Agents harness (pyproject extra: agentic-deepagents). These are # not installed by the default offline runtime or legacy requirements path. deepagents==0.6.12 -langchain==1.3.11 -langchain-openai==1.3.3 +langchain==1.3.13 +langchain-openai==1.3.5 # Test optional-dependencies (for CI / dev) pytest==9.1.1 @@ -68,6 +68,6 @@ pytest-cov==7.1.0 # Previously unpinned, so `pip install -e ".[dev]" -c constraints.txt` could pull in # ruff/mypy/bandit releases that changed lint rules mid-CI or (for mypy) type-check # semantics — silently breaking a green run. Pinned to the currently-green versions. -ruff==0.15.20 -mypy==2.1.0 +ruff==0.15.21 +mypy==2.3.0 bandit==1.9.4 diff --git a/pyproject.toml b/pyproject.toml index bd79efb..97bd686 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -20,36 +20,36 @@ classifiers = [ ] dependencies = [ - "fastapi==0.138.0", - "uvicorn[standard]==0.49.0", + "fastapi==0.139.0", + "uvicorn[standard]==0.51.0", "pydantic==2.13.4", "pyyaml==6.0.3", "httpx==0.28.1", - "websockets==15.0.1", - "langgraph==1.2.6", - "langchain-core==1.4.8", + "websockets==16.1", + "langgraph==1.2.9", + "langchain-core==1.4.9", "chromadb==1.5.9", # CVE-2026-45829 (Critical pre-auth RCE, no upstream patch). Risk accepted ONLY for local/offline air-gapped use via PersistentClient (embedded mode, path from config.yaml). No HttpClient, no trust_remote_code. See SECURITY.md, pip-audit workflow, Docker support in feature/CyClaw-Agent, and cyclaw-advisor §K/§M. "sentence-transformers==5.6.0", "rank-bm25==0.2.2", "numpy==1.26.4", - "nltk==3.9.4", + "nltk==3.10.0", ] [project.optional-dependencies] test = ["pytest==9.1.1", "pytest-asyncio==1.4.0"] -dev = ["ruff==0.15.20", "mypy==2.1.0", "bandit==1.9.4", "pytest-cov==7.1.0"] -torch-cpu = ["torch==2.12.1+cpu"] # Minimum safe version post CVE-2025-32434 (weights_only=True RCE bypass in torch<2.6). Always prefer safetensors. +dev = ["ruff==0.15.21", "mypy==2.3.0", "bandit==1.9.4", "pytest-cov==7.1.0"] +torch-cpu = ["torch==2.13.0+cpu"] # Minimum safe version post CVE-2025-32434 (weights_only=True RCE bypass in torch<2.6). Always prefer safetensors. # Optional Postgres backend for the soul DB + rate limiter (CYCLAW_DB_URL). Stays # OUT of the base deps so the default SQLite/offline-first install is zero-extra; # psycopg is lazy-imported, so installs without this extra never load it. -postgres = ["psycopg[binary]==3.2.13"] +postgres = ["psycopg[binary]==3.3.4"] # Optional pgvector vector backend (indexing.vector_backend: pgvector). Superset of # `postgres` — adds the pgvector adapter; ChromaDB remains the default vector store. -pgvector = ["psycopg[binary]==3.2.13", "pgvector==0.4.2"] +pgvector = ["psycopg[binary]==3.3.4", "pgvector==0.5.0"] # Optional local Deep Agents harness. It stays out of the default offline # install and is lazy-imported by agentic.deepagent_github only after its gates pass. -agentic-deepagents = ["deepagents==0.6.12", "langchain==1.3.11", "langchain-openai==1.3.3"] -full = ["torch==2.12.1+cpu", "pytest==9.1.1", "pytest-asyncio==1.4.0", "ruff==0.15.20", "mypy==2.1.0", "bandit==1.9.4", "pytest-cov==7.1.0", "psycopg[binary]==3.2.13", "pgvector==0.4.2"] +agentic-deepagents = ["deepagents==0.6.12", "langchain==1.3.13", "langchain-openai==1.3.5"] +full = ["torch==2.13.0+cpu", "pytest==9.1.1", "pytest-asyncio==1.4.0", "ruff==0.15.21", "mypy==2.3.0", "bandit==1.9.4", "pytest-cov==7.1.0", "psycopg[binary]==3.3.4", "pgvector==0.5.0"] [project.scripts] cyclaw-server = "gate:main" diff --git a/requirements.txt b/requirements.txt index ad56a3d..9b99ce5 100644 --- a/requirements.txt +++ b/requirements.txt @@ -17,21 +17,21 @@ # graph. The +cpu local-version wheel exists only on the PyTorch CPU index, so it # cannot be satisfied from PyPI (no dependency-confusion exposure). --extra-index-url https://download.pytorch.org/whl/cpu -torch==2.12.1+cpu +torch==2.13.0+cpu -fastapi==0.138.0 -uvicorn[standard]==0.49.0 +fastapi==0.139.0 +uvicorn[standard]==0.51.0 pydantic==2.13.4 pyyaml==6.0.3 httpx==0.28.1 -websockets==15.0.1 -langgraph==1.2.6 -langchain-core==1.4.8 +websockets==16.1 +langgraph==1.2.9 +langchain-core==1.4.9 chromadb==1.5.9 # CVE-2026-45829 (Critical pre-auth RCE; no upstream patch). Risk accepted ONLY for local/offline air-gapped use via PersistentClient (embedded mode, path from config.yaml). No HttpClient, no trust_remote_code. See SECURITY.md + pip-audit workflow. sentence-transformers==5.6.0 rank-bm25==0.2.2 numpy==1.26.4 -nltk==3.9.4 +nltk==3.10.0 pytest==9.1.1 pytest-asyncio==1.4.0 pytest-cov==7.1.0