Per-user LLM rate limiting via slowapi: cloud-aware key function, 4 endpoint limits, demo bypass, SSRF and path traversal already in fix/ci-ruff-lint merge. Closes: #122
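---
# Hand-curated conda environment spec: loose lower bounds plus explicit
# minimum versions for transitive packages with known advisories.
#
# Recreate: conda env create -f environment.yml
#
# Do NOT regenerate this file with `conda env export --no-builds > environment.yml`:
# the export overwrites the section headers and the CVE/PYSEC rationale below.
# Write a pinned snapshot to a separate lock file instead, e.g.
# `conda env export --no-builds > environment.lock.yml` (file name illustrative).
#
# Entries without a version bound resolve to the newest release at install
# time; reproducible installs come from the exported snapshot, not this file.
name: cf

channels:
  # conda-forge first so it is preferred; conda only guarantees that ordering
  # under `conda config --set channel_priority strict` (not settable in this file).
  - conda-forge
  - defaults

dependencies:
  - python=3.12
  - pip
  - pip:
      # ── Web UI ────────────────────────────────────────────────────────────────
      - streamlit>=1.35
      - watchdog  # live reload
      - reportlab>=4.0  # PDF cover letter export
      - pandas>=2.0
      - pyarrow  # streamlit data tables
      - streamlit-paste-button>=0.1.0

      # ── Job scraping ──────────────────────────────────────────────────────────
      - python-jobspy>=1.1
      - playwright  # browser automation (run: playwright install chromium)
      - selenium
      - undetected-chromedriver
      - webdriver-manager
      - beautifulsoup4
      - requests>=2.33.0  # CVE-2026-25645
      - curl_cffi>=0.15.0  # CVE-2026-33752
      - fake-useragent  # company scraper rotation

      # ── LLM / AI backends ─────────────────────────────────────────────────────
      - openai>=1.55.0,<2.0.0  # >=1.55 required for httpx 0.28 compat; <2.0 for langchain-openai
      - anthropic>=0.80  # direct Anthropic API fallback
      - ollama  # Python client for Ollama management
      - langchain>=0.2
      - langchain-openai
      - langchain-anthropic
      - langchain-ollama
      - langchain-community
      - langchain-google-genai
      - google-generativeai
      - tiktoken

      # ── Resume matching ───────────────────────────────────────────────────────
      - scikit-learn>=1.3
      - rapidfuzz
      - lib-resume-builder-aihawk

      # ── Notion integration ────────────────────────────────────────────────────
      - notion-client>=3.0

      # ── Calendar integrations ─────────────────────────────────────────────────
      - caldav>=1.3
      - icalendar>=5.0
      - google-api-python-client>=2.0
      - google-auth>=2.0

      # ── Document handling ─────────────────────────────────────────────────────
      - pypdf>=6.12.0  # 12 CVEs in 6.7.x (CVE-2026-27628 through CVE-2026-48156)
      - pdfminer-six
      - pyyaml>=6.0  # load untrusted documents with yaml.safe_load only
      - python-dotenv>=1.2.2  # CVE-2026-28684

      # ── Auth / licensing ──────────────────────────────────────────────────────
      - PyJWT>=2.13.0  # 2.11 has sig bypass CVEs (PYSEC-2026-120/175-179); used for cloud session routing

      # ── Rate limiting ─────────────────────────────────────────────────────────
      - slowapi>=0.1.9  # per-user rate limiting on LLM endpoints

      # ── Utilities ─────────────────────────────────────────────────────────────
      - sqlalchemy
      - tqdm
      - loguru
      - rich
      - tenacity
      - httpx

      # ── Security pins (transitive deps with known CVEs) ───────────────────────
      # Listed as direct requirements so pip enforces the minimums even though
      # nothing above imports them directly; keep the advisory IDs when bumping.
      - starlette>=1.0.1  # PYSEC-2026-161 (FastAPI foundation)
      - python-multipart>=0.0.27  # CVE-2026-40347/42561 file upload parsing
      - aiohttp>=3.14.0  # 12 CVEs (CVE-2026-34513 through CVE-2026-34993)
      - tornado>=6.5.5  # CVE-2026-35536
      - cryptography>=46.0.7  # PYSEC-2026-35/36
      - langsmith>=0.8.0  # CVE-2026-41182/45134
      - gitpython>=3.1.50  # CVE-2026-42215/42284/44244
      - lxml>=6.1.0  # PYSEC-2026-87 (XXE)
      - idna>=3.15  # CVE-2026-45409
      - markdownify>=0.14.1  # CVE-2025-46656

      # ── Testing ───────────────────────────────────────────────────────────────
      - pytest>=9.0
      - pytest-cov
      - pytest-mock

      # ── Documentation ─────────────────────────────────────────────────────────
      - mkdocs>=1.5
      - mkdocs-material>=9.5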