# Minimal runtime deps for the Workweaver Nitro Enclave signing child.
# Every dep is a supply-chain surface — keep this list tight.
#
# Pinning policy:
#   - cryptography pinned to an exact release (==) for reproducible EIF measurements.
#   - cbor2 pinned for CBOR/COSE_Sign1 attestation document construction.
#   - py_ecc pinned for BLS12_381 (G2 ProofOfPossession profile) signing.
#   - coincurve pinned for BIP340 Schnorr signing.
#   - boto3 pinned for KMS Decrypt with attestation document recipient.
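#   - No transitive deps with C extensions outside cryptography + coincurve.
#   - NOTE(review): only direct deps are pinned with == below. Transitive
#     versions (e.g. botocore under boto3, the eth-* packages under py_ecc)
#     are resolved at build time unless ops/enclave/build.sh installs from a
#     fully resolved lock; an unpinned transitive bump changes the EIF
#     measurements and can break the C-extension rule above without a diff
#     here. Confirm the build uses a hash-checked lock (pip --require-hashes).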
#
# Refresh procedure (#4154 follow-up):
#   1. Bump versions here.
#   2. Re-run ops/enclave/build.sh.
#   3. Publish the regenerated PCR0..PCR8 values to the deployment-owned
#      expected_pcrs configuration consumed by NitroAttestationVerifier.
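#   4. Land the dependency and deployment PCR refresh in lockstep when strict
#      attestation is enabled for the target environment.
#   NOTE(review): if the KMS key policy for the master key conditions on
#   enclave measurements (kms:RecipientAttestation:* condition keys), it needs
#   the same lockstep refresh, otherwise the rebuilt enclave cannot complete
#   the Decrypt + Recipient bootstrap — confirm against the key policy.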

# Core crypto primitives baked into the EIF
cryptography==48.0.0

# CBOR encoder used for COSE_Sign1 attestation envelope production +
# parent-side strict verification (also imported in the parent backend).
# Pinned to 6.1.1 to address CVE-2025-68131 + CVE-2026-26209.
cbor2==6.1.1

# BLS12_381 (G2 ProofOfPossession) signatures — issue #4216 sub-deliverable (c).
py_ecc==8.0.0

# BIP340 Schnorr signatures via libsecp256k1 — issue #4216 sub-deliverable (c).
# Pinned to 20.0.0 (21.0.0 has a cffi LICENSE packaging bug).
coincurve==20.0.0

# AWS KMS client used for in-enclave master key bootstrap — issue #4216
# sub-deliverable (a). Uses the KMS Decrypt + Recipient (attestation
# document) flow; never authenticated by an IAM role on the parent.
boto3==1.42.19
