# ICDEV™ Framework Dependencies
# Install: pip install -r requirements.txt

# === Core (required) ===
pyyaml>=6.0
jinja2>=3.1
flask>=3.0

# === BDD/TDD ===
pytest>=8.0
pytest-cov>=5.0
behave>=1.2
schemathesis>=3.0             # Property-based API contract tests (tests/api/test_contract.py)

# === Code Quality ===
ruff>=0.12               # Ultra-fast Python linter (replaces flake8+isort+black)
pydantic>=2.0            # Test data validation (TestResult, E2ETestResult models)

# === Compliance ===
# cyclonedx-bom>=4.0     # SBOM generation (install when needed)
# oscal-pydantic>=1.0    # OSCAL Pydantic models for type-safe validation (optional, D303)

# === Search & Embeddings ===
openai>=1.0              # For embeddings (semantic search)
python-dotenv>=1.0       # .env file loading
numpy>=1.26              # Embedding math
rank_bm25>=0.2           # BM25 keyword search

# === IQE: Intent Query Engine ===
lark>=1.2                # PEG/EBNF parser for IQE intent grammar (tools/iqe/)

# === Network Design Canvas ===
defusedxml>=0.7          # Safe XML parsing for STIG import (XXE protection)
networkx>=3.2            # Graph analysis for topology NL query engine

# === Network Diagram OCR Fallback (optional, air-gap safe) ===
# pytesseract>=0.3       # OCR via Tesseract binary (requires system Tesseract)
# rapidocr-onnxruntime>=1.3  # Pure Python OCR via ONNX (no system deps)

# === Security Scanning ===
# bandit>=1.7             # Python SAST (install per project)
# pip-audit>=2.6          # Dependency auditing (install per project)
# detect-secrets>=1.4     # Secret detection (install per project)

# === Infrastructure ===
# boto3>=1.34             # AWS SDK for Bedrock/GovCloud (install when needed)

# === Monitoring ===
requests>=2.31           # HTTP client for ELK/Splunk/Prometheus APIs

# === SaaS Multi-Tenancy (Phase 21) — OPTIONAL, not needed for air-gap/local ===
# All imports are guarded with try/except; code falls back to SQLite without PG.
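# Install only if running SaaS multi-tenant mode with PostgreSQL + Redis:
#   pip install psycopg2-binary PyJWT cryptography gunicorn redis
# Note: a bare `pip install` leaves an already-installed older release in place;
# uncomment the lines below (or pass the same >= specifiers) to enforce the floors.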
# psycopg2-binary>=2.9   # PostgreSQL adapter for per-tenant databases
# PyJWT>=2.12.0          # JWT validation for OAuth 2.0/OIDC auth (CVE-2026-32597)
# cryptography>=42.0     # RSA license keys, artifact signing, TLS
# gunicorn>=22.0         # Production WSGI server for API gateway (Linux only)
# redis>=5.0             # Rate limiting, session cache, pub/sub

# === Redaction & Data Protection (Phase 70) ===
# NER: Uses Ollama qwen3.5 (air-gap safe, no spaCy dependency)
# Presidio/spaCy incompatible with Python 3.14 — NOT used
faker>=33.0              # Realistic surrogate generation for reversible anonymization

# === RAG: PDF extraction air-gap baseline (OPT-33) ===
# pypdf is the always-available PyPDFProvider in tools/rag/pdf_provider.py.
# Without it, air-gap deployments have NO PDF extraction path because the
# Anthropic/Google providers are gated by check_availability() and the LLaVA
# vision provider needs Ollama running with llava pulled.
pypdf>=4.0               # Pure-Python PDF text extraction — air-gap baseline

# === Security: minimum versions that patch CVEs (>= floors, not exact pins; see pip-audit) ===
black>=26.3.1            # CVE-2026-32274: path traversal
filelock>=3.20.3         # CVE-2025-68146, CVE-2026-22701: TOCTOU race
Pillow>=12.1.1           # CVE-2026-25990: OOB write in PSD loader
pyOpenSSL>=26.0.0        # CVE-2026-27448, CVE-2026-27459: callback bypass
setuptools>=78.1.1       # CVE-2025-47273: path traversal

feedparser>=6.0          # air-gap compat verified 2026-04-15
pyais>=2.0               # AIS (Automatic Identification System) NMEA decoder — air-gap safe, no system deps

# === HashiCorp Vault / OpenBao backend (FathomDesk Phase 2D) — OPTIONAL ===
# Only needed when ICDEV_SECRET_BACKEND=vault. Delegates per-user credential
# storage to an external Vault via the KV v2 HTTP API. The default
# (ICDEV_SECRET_BACKEND=local) keeps credentials encrypted inside the FathomDesk DB.
# hvac>=2.0

# === Billing (FathomDesk Phase 5B) — OPTIONAL ===
# Stripe Checkout + webhooks + invoices. Lazy-imported; the /api/billing/*
# endpoints degrade gracefully with a 501 when stripe isn't installed.
# Operators install it on connected deployments; air-gapped deployments skip it
# (the /api/billing/tier direct-set path still works for operator-mode tier assignment).
# stripe>=11.0
