# ICDEV™ Framework Dependencies
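# Install: pip install -r requirements.txt
# Every specifier below is a lower bound (>=), so resolved versions can differ
# between installs; for release or air-gapped builds, install from a fully
# pinned lock file with hashes (pip install --require-hashes -r <lock-file>).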

# === Core (required) ===
pyyaml>=6.0
jinja2>=3.1
flask>=3.0

# === BDD/TDD ===
pytest>=8.0
pytest-cov>=5.0
behave>=1.2
schemathesis>=3.0             # Property-based API contract tests (tests/api/test_contract.py)

# === Code Quality ===
ruff>=0.12               # Ultra-fast Python linter (replaces flake8+isort+black)
pydantic>=2.0            # Test data validation (TestResult, E2ETestResult models)

# === Compliance ===
# cyclonedx-bom>=4.0     # SBOM generation (install when needed)
# oscal-pydantic>=1.0    # OSCAL Pydantic models for type-safe validation (optional, D303)

# === Search & Embeddings ===
openai>=1.0              # For embeddings (semantic search)
python-dotenv>=1.0       # .env file loading
numpy>=1.26              # Embedding math
rank_bm25>=0.2           # BM25 keyword search

# === IQE: Intent Query Engine ===
lark>=1.2                # PEG/EBNF parser for IQE intent grammar (tools/iqe/)

# === Network Design Canvas ===
defusedxml>=0.7          # Safe XML parsing for STIG import (XXE protection)
networkx>=3.2            # Graph analysis for topology NL query engine

# === Network Diagram OCR Fallback (optional, air-gap safe) ===
# pytesseract>=0.3       # OCR via Tesseract binary (requires system Tesseract)
# rapidocr-onnxruntime>=1.3  # Pure Python OCR via ONNX (no system deps)

# === Security Scanning ===
# bandit>=1.7             # Python SAST (install per project)
# pip-audit>=2.6          # Dependency auditing (install per project)
# detect-secrets>=1.4     # Secret detection (install per project)

# === Infrastructure ===
# boto3>=1.34             # AWS SDK for Bedrock/GovCloud (install when needed)

# === Monitoring ===
requests>=2.31           # HTTP client for ELK/Splunk/Prometheus APIs

# === SaaS Multi-Tenancy (Phase 21) ===
# PostgreSQL is the primary backend (ICDEV_STORAGE_BACKEND=postgresql).
# SQLite is a local fallback only. psycopg2-binary is required.
psycopg2-binary>=2.9        # PostgreSQL adapter — primary DB backend
# PyJWT>=2.12.0          # JWT validation for OAuth 2.0/OIDC auth (CVE-2026-32597)
# cryptography>=42.0     # RSA license keys, artifact signing, TLS
# gunicorn>=22.0         # Production WSGI server for API gateway (Linux only)
# redis>=5.0             # Rate limiting, session cache, pub/sub

# === Redaction & Data Protection (Phase 70) ===
# NER: Uses Ollama qwen3.5 (air-gap safe, no spaCy dependency)
# Presidio/spaCy incompatible with Python 3.14 — NOT used
faker>=33.0              # Realistic surrogate generation for reversible anonymization

# === RAG: PDF extraction air-gap baseline (OPT-33) ===
# pypdf is the always-available PyPDFProvider in tools/rag/pdf_provider.py.
# Without it, air-gap deployments have NO PDF extraction path because the
# Anthropic/Google providers are gated by check_availability() and the LLaVA
# vision provider needs Ollama running with llava pulled.
pypdf>=4.0               # Pure-Python PDF text extraction — air-gap baseline
fpdf2>=2.7               # Pure-Python PDF generation — network migration phase reports (air-gap safe, no C)

# === Security: minimum versions raised to patch CVEs (lower bounds, not exact pins; see pip-audit) ===
black>=26.3.1            # CVE-2026-32274: path traversal
filelock>=3.20.3         # CVE-2025-68146, CVE-2026-22701: TOCTOU race
Pillow>=12.1.1           # CVE-2026-25990: OOB write in PSD loader
pyOpenSSL>=26.0.0        # CVE-2026-27448, CVE-2026-27459: callback bypass
setuptools>=78.1.1       # CVE-2025-47273: path traversal

# === Process Management ===
psutil>=5.9              # Cross-platform process utilities (pid_exists, kill_process, find_pids_by_cmdline)
                         # musl/Alpine: musllinux wheel available for 5.9.8+; air-gap safe

feedparser>=6.0          # air-gap compat verified 2026-04-15
pyais>=2.0               # AIS (Automatic Identification System) NMEA decoder — air-gap safe, no system deps

# === HashiCorp Vault / OpenBao backend (FathomDesk Phase 2D) — OPTIONAL ===
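# Only needed when ICDEV_SECRET_BACKEND=vault. Delegates per-user credential
# storage to an external Vault via the KV v2 HTTP API. The default
# (ICDEV_SECRET_BACKEND=local) keeps credentials encrypted inside the FathomDesk DB.
# NOTE: both packages below are listed uncommented, so a default install still
# pulls them in; comment them out if the vault backend is not used.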
hvac>=2.0                    # HashiCorp Vault KV client (vault_resolver.py)
cachetools>=5.3              # TTLCache for vault_resolver 5-min secret cache

# === Data Mesh optional deps (install as needed) ===
# datacontract-cli>=0.10.0          # ODCS contract linting/testing
# openlineage-python>=1.16.0        # OpenLineage standard emission
# pyiceberg>=0.7.0                  # Apache Iceberg table format (requires pyarrow)
# boto3>=1.34.0                     # AWS DataZone CSP bridge
# azure-purview-catalog>=1.0.0      # Azure Purview CSP bridge
# google-cloud-dataplex>=2.0.0      # GCP Dataplex CSP bridge

# === Billing (FathomDesk Phase 5B) — OPTIONAL ===
# Stripe Checkout + webhooks + invoices. Lazy-imported; the /api/billing/*
# endpoints degrade gracefully with a 501 when stripe isn't installed.
# Operator installs on connected deployments; air-gap skips (/api/billing/tier
# direct-set path still works for operator-mode tier assignment).
# stripe>=11.0
