peregrine/environment.yml
pyr0ball 88b6943527 merge: feat/122-rate-limiting into freeze/rc-1
Per-user LLM rate limiting via slowapi: cloud-aware key function,
4 endpoint limits, demo bypass, SSRF and path traversal already in
fix/ci-ruff-lint merge.

Closes: #122
2026-06-14 12:41:18 -07:00


name: cf
# Conda environment for the `cf` app.
#
# This is a curated *minimum-version* spec, not a lockfile. Every `>=` floor
# below keeps a known-bad release out, but nothing here pins an exact version
# or a package hash, so two installs on different days can resolve
# differently (and a future major release of any floored package will still
# install). For reproducible, auditable builds generate a lock from this
# file (conda-lock; or pip-compile --generate-hashes for the pip section)
# and deploy from that. Re-resolve periodically so the floors keep moving as
# new advisories land.
#
# Recreate:  conda env create -f environment.yml
# Snapshot:  conda env export --no-builds > environment.lock.yml
#   Write the export to a *separate* file. Redirecting it over this one
#   would replace the curated list with every transitive package at exact
#   versions, add a machine-specific `prefix:` line, and drop every advisory
#   annotation below.
channels:
# conda-forge is searched first. Because `defaults` (Anaconda's repository)
# is also listed, set `conda config --set channel_priority strict` so a solve
# never mixes packages across channels -- mixed-channel solves are a common
# source of ABI breakage and silent downgrades. Anaconda's default channel
# carries its own terms of use for commercial deployments; check before
# shipping from it.
- conda-forge
- defaults
dependencies:
- python=3.12
- pip
# Everything under `pip:` comes from PyPI with no hash or signature check --
# only the version floors apply. Keep this section small and lock it (see
# header) before deploying.
- pip:
  # ── Web UI ────────────────────────────────────────────────────────────────
  - streamlit>=1.35
  - watchdog # live reload
  # reportlab Paragraph markup interprets tags inside the text it renders;
  # escape user-supplied cover-letter text before embedding it in a Paragraph
  # (review the export code path).
  - reportlab>=4.0 # PDF cover letter export
  - pandas>=2.0
  - pyarrow # streamlit data tables
  - streamlit-paste-button>=0.1.0
  # ── Job scraping ──────────────────────────────────────────────────────────
  # NOTE(review): selenium, playwright, undetected-chromedriver and
  # webdriver-manager are four overlapping browser-automation stacks. The
  # last two download driver binaries from the network at first use (and
  # undetected-chromedriver patches the binary it fetches); `playwright
  # install` likewise downloads a browser. Do those fetches in a controlled
  # build step whose output is pinned or hashed, not on first request in
  # production -- and consider trimming to the one stack actually imported.
  - python-jobspy>=1.1
  - playwright # browser automation (run: playwright install chromium)
  - selenium
  - undetected-chromedriver
  - webdriver-manager
  - beautifulsoup4
  - requests>=2.33.0 # CVE-2026-25645
  - curl_cffi>=0.15.0 # CVE-2026-33752
  - fake-useragent # company scraper rotation
  # ── LLM / AI backends ─────────────────────────────────────────────────────
  # Prompts presumably carry scraped job postings and user resumes, i.e.
  # untrusted text; treat model output as untrusted too (never eval/exec it,
  # never use it directly as a path, shell argument or query).
  # langchain-community bundles many third-party integrations -- only the
  # imported ones load, but it widens the installed surface; drop it if none
  # are used.
  - openai>=1.55.0,<2.0.0 # >=1.55 required for httpx 0.28 compat; <2.0 for langchain-openai
  - anthropic>=0.80 # direct Anthropic API fallback
  - ollama # Python client for Ollama management
  - langchain>=0.2
  - langchain-openai
  - langchain-anthropic
  - langchain-ollama
  - langchain-community
  - langchain-google-genai
  - google-generativeai
  - tiktoken
  # ── Resume matching ───────────────────────────────────────────────────────
  - scikit-learn>=1.3
  - rapidfuzz
  - lib-resume-builder-aihawk
  # ── Notion integration ────────────────────────────────────────────────────
  - notion-client>=3.0
  # ── Calendar integrations ─────────────────────────────────────────────────
  - caldav>=1.3
  - icalendar>=5.0
  - google-api-python-client>=2.0
  - google-auth>=2.0
  # ── Document handling ─────────────────────────────────────────────────────
  # PDFs and resumes here are presumably user-supplied input: keep these
  # parsers current and bound their work (file size, page count, timeouts).
  # pyyaml must be read with `yaml.safe_load`; a version floor does nothing
  # against `yaml.load` on untrusted data.
  - pypdf>=6.12.0 # 12 CVEs in 6.7.x (CVE-2026-27628 through CVE-2026-48156)
  - pdfminer-six
  - pyyaml>=6.0
  - python-dotenv>=1.2.2 # CVE-2026-28684
  # ── Auth / licensing ──────────────────────────────────────────────────────
  # The floor excludes releases with known signature-verification bugs, but it
  # does not fix the classic misuse: every `jwt.decode(...)` must pass an
  # explicit `algorithms=[...]` list, must leave signature verification on,
  # and the HS* secret must never be an RS*/ES* public key. Check the cloud
  # session-routing call site, not just the version.
  - PyJWT>=2.13.0 # 2.11 has sig bypass CVEs (PYSEC-2026-120/175-179); used for cloud session routing
  # ── Rate limiting ─────────────────────────────────────────────────────────
  # A limit is only as good as its key function: if it ever falls back to the
  # client address, X-Forwarded-For must be honoured only when set by a known
  # proxy, otherwise a client mints fresh buckets by spoofing the header (and
  # every user behind one LB/NAT shares a single bucket). slowapi's default
  # storage is in-process memory -- counters reset on restart and are not
  # shared across workers; use a shared backend (e.g. Redis) when running
  # more than one worker.
  - slowapi>=0.1.9 # per-user rate limiting on LLM endpoints
  # ── Utilities ─────────────────────────────────────────────────────────────
  - sqlalchemy
  - tqdm
  - loguru
  - rich
  - tenacity
  - httpx
  # ── Security pins (transitive deps with known CVEs) ───────────────────────
  # Listing a transitive dependency here installs it unconditionally, even if
  # nothing in the final resolution needs it (e.g. tornado, gitpython widen
  # the installed surface). pip's requirements syntax supports
  # `-c constraints.txt`, which raises the floor only when the package is
  # actually pulled in -- confirm conda passes `-c` through before switching.
  # Re-check each floor against its advisory when bumping.
  - starlette>=1.0.1 # PYSEC-2026-161 (FastAPI foundation)
  - python-multipart>=0.0.27 # CVE-2026-40347/42561 file upload parsing
  - aiohttp>=3.14.0 # 12 CVEs (CVE-2026-34513 through CVE-2026-34993)
  - tornado>=6.5.5 # CVE-2026-35536
  - cryptography>=46.0.7 # PYSEC-2026-35/36
  - langsmith>=0.8.0 # CVE-2026-41182/45134
  - gitpython>=3.1.50 # CVE-2026-42215/42284/44244
  # The version floor does not change lxml's parser defaults: untrusted
  # XML/HTML must still be parsed with resolve_entities=False and
  # no_network=True (or via defusedxml) to close XXE/SSRF paths.
  - lxml>=6.1.0 # PYSEC-2026-87 (XXE)
  - idna>=3.15 # CVE-2026-45409
  - markdownify>=0.14.1 # CVE-2025-46656
  # ── Testing ───────────────────────────────────────────────────────────────
  # Dev-only tooling (pytest, mkdocs) is installed into the runtime
  # environment. For deployed images, split these into a dev overlay so they
  # are not part of the production attack surface.
  - pytest>=9.0
  - pytest-cov
  - pytest-mock
  # ── Documentation ─────────────────────────────────────────────────────────
  - mkdocs>=1.5
  - mkdocs-material>=9.5