Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 16 additions & 16 deletions constraints.txt
Original file line number Diff line number Diff line change
Expand Up @@ -9,52 +9,52 @@
# or `pip-compile` and commit the result. Current state: direct pins aligned with v1.8.0.

# CRITICAL: pydantic family must stay synchronized or pip resolver explodes
# pydantic 2.13.4 hard-pins pydantic-core==2.46.4 (exact ==, not a range), and
# pydantic 2.13.4 hard-pins pydantic-core==2.47.0 (exact ==, not a range), and
# 2.13.4 is the latest pydantic on PyPI — no release pairs with pydantic-core
# 2.47.0 yet. Bumping pydantic-core alone makes `pip install -c constraints.txt`
# unresolvable. Keep these two in lock-step; only bump pydantic-core together
# with a compatible pydantic bump.
pydantic==2.13.4
pydantic-core==2.46.4
pydantic-core==2.47.0
pydantic-settings==2.14.2

# Direct dependencies from pyproject.toml [project.dependencies] -- versions MUST match exactly
fastapi==0.138.0
fastapi==0.139.0
# Constraints pin versions only; the `[standard]` extra stays in requirements.txt.
# pip >= 26.1.2 rejects extras in a -c constraints file ("Constraints cannot have
# extras"), which broke the verify-install gate. See pypa/pip#8210.
uvicorn==0.49.0
uvicorn==0.51.0
pyyaml==6.0.3
httpx==0.28.1
# langgraph-sdk imports websockets.asyncio at graph import time; keep this direct
# so legacy/no-deps paths cannot strand the app on websockets 12.x.
websockets==15.0.1
langgraph==1.2.6
langchain-core==1.4.8
websockets==16.1
langgraph==1.2.9
langchain-core==1.4.9
chromadb==1.5.9 # CVE-2026-45829 (Critical pre-auth RCE; risk accepted ONLY for local/offline air-gapped PersistentClient embedded mode). See SECURITY.md + pip-audit.
sentence-transformers==5.6.0
rank-bm25==0.2.2
numpy==1.26.4
nltk==3.9.4
nltk==3.10.0

# torch-cpu extra / embedding backend (minimum safe post CVE, CPU index via pyproject [tool.uv.sources])
torch==2.12.1+cpu
torch==2.13.0+cpu

# Optional Postgres / pgvector backends (pyproject extras: postgres, pgvector).
# These are NOT installed by the default path; constraints only cap a version when
# the package IS pulled in (via `pip install 'cyclaw[postgres]'` / the postgres CI
# job), keeping that resolve reproducible without forcing the dep on SQLite installs.
# NB: a -c constraints file cannot carry the [binary] extra (pip >= 26.1.2 rejects
# extras in constraints), so the binary wheel package is pinned by its own name.
psycopg==3.2.13
psycopg-binary==3.2.13
pgvector==0.4.2
psycopg==3.3.4
psycopg-binary==3.3.4
pgvector==0.5.0

# Optional Deep Agents harness (pyproject extra: agentic-deepagents). These are
# not installed by the default offline runtime or legacy requirements path.
deepagents==0.6.12
langchain==1.3.11
langchain-openai==1.3.3
langchain==1.3.13
langchain-openai==1.3.5

# Test optional-dependencies (for CI / dev)
pytest==9.1.1
Expand All @@ -68,6 +68,6 @@ pytest-cov==7.1.0
# Previously unpinned, so `pip install -e ".[dev]" -c constraints.txt` could pull in
# ruff/mypy/bandit releases that changed lint rules mid-CI or (for mypy) type-check
# semantics — silently breaking a green run. Pinned to the currently-green versions.
ruff==0.15.20
mypy==2.1.0
ruff==0.15.21
mypy==2.3.0
bandit==1.9.4
24 changes: 12 additions & 12 deletions pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -20,36 +20,36 @@ classifiers = [
]

dependencies = [
"fastapi==0.138.0",
"uvicorn[standard]==0.49.0",
"fastapi==0.139.0",
"uvicorn[standard]==0.51.0",
"pydantic==2.13.4",
"pyyaml==6.0.3",
"httpx==0.28.1",
"websockets==15.0.1",
"langgraph==1.2.6",
"langchain-core==1.4.8",
"websockets==16.1",
"langgraph==1.2.9",
"langchain-core==1.4.9",
"chromadb==1.5.9", # CVE-2026-45829 (Critical pre-auth RCE, no upstream patch). Risk accepted ONLY for local/offline air-gapped use via PersistentClient (embedded mode, path from config.yaml). No HttpClient, no trust_remote_code. See SECURITY.md, pip-audit workflow, Docker support in feature/CyClaw-Agent, and cyclaw-advisor §K/§M.
"sentence-transformers==5.6.0",
"rank-bm25==0.2.2",
"numpy==1.26.4",
"nltk==3.9.4",
"nltk==3.10.0",
]

[project.optional-dependencies]
test = ["pytest==9.1.1", "pytest-asyncio==1.4.0"]
dev = ["ruff==0.15.20", "mypy==2.1.0", "bandit==1.9.4", "pytest-cov==7.1.0"]
torch-cpu = ["torch==2.12.1+cpu"] # Minimum safe version post CVE-2025-32434 (weights_only=True RCE bypass in torch<2.6). Always prefer safetensors.
dev = ["ruff==0.15.21", "mypy==2.3.0", "bandit==1.9.4", "pytest-cov==7.1.0"]
torch-cpu = ["torch==2.13.0+cpu"] # Minimum safe version post CVE-2025-32434 (weights_only=True RCE bypass in torch<2.6). Always prefer safetensors.
# Optional Postgres backend for the soul DB + rate limiter (CYCLAW_DB_URL). Stays
# OUT of the base deps so the default SQLite/offline-first install is zero-extra;
# psycopg is lazy-imported, so installs without this extra never load it.
postgres = ["psycopg[binary]==3.2.13"]
postgres = ["psycopg[binary]==3.3.4"]
# Optional pgvector vector backend (indexing.vector_backend: pgvector). Superset of
# `postgres` — adds the pgvector adapter; ChromaDB remains the default vector store.
pgvector = ["psycopg[binary]==3.2.13", "pgvector==0.4.2"]
pgvector = ["psycopg[binary]==3.3.4", "pgvector==0.5.0"]
# Optional local Deep Agents harness. It stays out of the default offline
# install and is lazy-imported by agentic.deepagent_github only after its gates pass.
agentic-deepagents = ["deepagents==0.6.12", "langchain==1.3.11", "langchain-openai==1.3.3"]
full = ["torch==2.12.1+cpu", "pytest==9.1.1", "pytest-asyncio==1.4.0", "ruff==0.15.20", "mypy==2.1.0", "bandit==1.9.4", "pytest-cov==7.1.0", "psycopg[binary]==3.2.13", "pgvector==0.4.2"]
agentic-deepagents = ["deepagents==0.6.12", "langchain==1.3.13", "langchain-openai==1.3.5"]
full = ["torch==2.13.0+cpu", "pytest==9.1.1", "pytest-asyncio==1.4.0", "ruff==0.15.21", "mypy==2.3.0", "bandit==1.9.4", "pytest-cov==7.1.0", "psycopg[binary]==3.3.4", "pgvector==0.5.0"]

[project.scripts]
cyclaw-server = "gate:main"
Expand Down
14 changes: 7 additions & 7 deletions requirements.txt
Original file line number Diff line number Diff line change
Expand Up @@ -17,21 +17,21 @@
# graph. The +cpu local-version wheel exists only on the PyTorch CPU index, so it
# cannot be satisfied from PyPI (no dependency-confusion exposure).
--extra-index-url https://download.pytorch.org/whl/cpu
torch==2.12.1+cpu
torch==2.13.0+cpu

fastapi==0.138.0
uvicorn[standard]==0.49.0
fastapi==0.139.0
uvicorn[standard]==0.51.0
pydantic==2.13.4
pyyaml==6.0.3
httpx==0.28.1
websockets==15.0.1
langgraph==1.2.6
langchain-core==1.4.8
websockets==16.1
langgraph==1.2.9
langchain-core==1.4.9
chromadb==1.5.9 # CVE-2026-45829 (Critical pre-auth RCE; no upstream patch). Risk accepted ONLY for local/offline air-gapped use via PersistentClient (embedded mode, path from config.yaml). No HttpClient, no trust_remote_code. See SECURITY.md + pip-audit workflow.
sentence-transformers==5.6.0
rank-bm25==0.2.2
numpy==1.26.4
nltk==3.9.4
nltk==3.10.0
pytest==9.1.1
pytest-asyncio==1.4.0
pytest-cov==7.1.0
Expand Down
Loading