alembic>=1.16.5
annotated-types==0.7.0
aiofiles>=24.1.0
aiohttp>=3.9.0
anyio>=4.5.0
astroid>=3.3.8
bandit==1.9.2
black==26.3.1  # CVE-2026-32274 (arbitrary file writes via cache filename)
certifi==2026.1.4
cffi>=2.0.0
coverage>=7.0.0
click>=8.1.8
cryptography==46.0.7  # CVE-2026-34073 (buffer overflow), CVE-2026-39892 (DNS name constraints)
dill==0.4.0
defusedxml>=0.7.1
dnspython>=2.7.0
email_validator==2.1.1
fastapi==0.129.0
gevent==25.9.1
greenlet>=3.1.0
h11>=0.16.0
httpcore>=1.0.6
httptools==0.7.1
httpx>=0.27.2
idna==3.11
iniconfig>=2.1.0
isort>=5.0.0
itsdangerous==2.2.0
Jinja2>=3.1.6
Mako==1.3.11  # 1.3.x CVE: path traversal via a double-slash URI prefix in TemplateLookup (CVE id not recorded here)
MarkupSafe==3.0.2
mccabe==0.7.0
orjson==3.11.6  # CVE-2025-67221 (no recursion limit on deeply nested JSON)
packaging>=24.0
Pillow>=11.0.0
platformdirs>=4.0.0
pluggy>=1.0.0
psycopg2-binary==2.9.10
argon2-cffi==25.1.0
bcrypt>=4.0.0
pycparser==2.23
pydantic>=2.9.0,<2.13.0
pydantic-extra-types==2.11.0
pydantic-settings==2.13.0
PyJWT==2.12.0  # CVE-2026-32597 (accepts unknown crit header extensions)
pylint>=3.0.0
pytest>=7.0.0
pytest-asyncio>=0.21.0
pytest-cov>=4.0.0
pytest-xdist>=3.0.0
python-dotenv==1.2.2  # CVE-2026-28684 (symlink following in set_key)
python-multipart>=0.0.20
PyYAML==6.0.2
setuptools>=80.9.0
sniffio==1.3.1
SQLAlchemy==2.0.43
# SECURITY NOTE: Starlette 0.49.1 fixes CVE-2025-62727 (DoS via crafted Range headers).
# FastAPI 0.121.1 now supports starlette<0.51.0.
# The range below was widened to allow starlette 0.49.1+, which fixes the CVE.
# Caveat: the lower bound of 0.48.0 still admits 0.48.x and 0.49.0, which lack the
# fix, so confirm the resolved version is >=0.49.1 (or raise the lower bound to
# 0.49.1) before relying on this note.
starlette>=0.48.0,<0.53.0
tomlkit==0.14.0
typing_extensions>=4.12.2
ujson==5.12.0  # CVE-2026-32874 (memory leak DoS), CVE-2026-32875 (integer overflow)
uvicorn==0.40.0
watchfiles==1.1.0
websockets==16.0
zope.event==6.1
zope.interface==8.2
Babel==2.18.0
reportlab==4.4.4
safety==3.7.0
safety-schemas==0.0.16
semgrep>=1.95.0
# pip-audit is intentionally NOT in this file. It requires tomli>=2.2.1
# while semgrep (above) pins tomli~=2.0.1, making the combined resolver
# graph unsolvable on a clean install. Instead, the security workflow
# (.github/workflows/security.yml) and `make install-dev` install it in
# a separate `pip install pip-audit` step, which uses an independent
# resolver pass — pip then bumps tomli with a non-fatal warning rather
# than failing. Remove this comment and add `pip-audit>=2.10.0` once
# semgrep relaxes its tomli pin upstream.

# Note: On OpenBSD 7.7, coverage.py C tracer requires gcc and py3-cffi
# Install with: doas pkg_add gcc py3-cffi
# The install-dev target will automatically handle C tracer setup
playwright==1.58.0  # Cross-browser UI testing (preferred for Linux/macOS/Windows)
selenium>=4.0.0  # Web automation framework (fallback for OpenBSD/FreeBSD, where Playwright is unavailable)
webdriver-manager>=4.0.0
requests>=2.32.0  # For UI test health checks
urllib3>=2.5.0  # Security fix for CVE-2024-37891 (SSRF vulnerability)

# OpenTelemetry for observability
# Note: minimum versions are used so pip can resolve a mutually compatible version set
# Instrumentation packages and exporters must be compatible with the resolved API/SDK version
opentelemetry-api>=1.12.0
opentelemetry-sdk>=1.12.0
opentelemetry-instrumentation>=0.48b0
opentelemetry-instrumentation-fastapi>=0.48b0
opentelemetry-instrumentation-sqlalchemy>=0.48b0
opentelemetry-instrumentation-requests>=0.48b0
opentelemetry-instrumentation-logging>=0.48b0
opentelemetry-exporter-otlp>=1.12.0
opentelemetry-exporter-prometheus>=0.48b0
