# Runtime dependencies for the framework core.
# Pinned to the versions validated with the test suite.

# --- Web + security ---------------------------------------------------------
flask>=3.1,<4.0
cryptography>=46.0,<47.0
argon2-cffi>=25.1,<26.0
pyyaml>=6.0,<7.0

# --- Rate limiting (core/security.py; config/security.yaml: rate_limits) -----
# Guards /login, /register, /forgot, /set-password. Storage is per-process
# memory in v0.1.0 (foundation-II D2) — flask-limiter switches to Redis by
# changing rate_limits.storage_uri, no code change. Required unless you set
# rate_limits.enabled: false, which leaves those routes open to brute force.
flask-limiter>=4.0,<5.0

# --- Templating (mailer renders email.html with its own Jinja env; Flask also
#     uses Jinja, but the mailer depends on it directly, so pin it explicitly) -
jinja2>=3.1,<4.0

# --- HTTP client (registry_api: discovery, invoke, call) --------------------
requests>=2.32,<3.0

# --- Production WSGI server (Dockerfile / docker-compose serve app:app) ------
gunicorn>=23.0,<27.0

# --- Edge auth (Cloudflare Access). Imported lazily in core/security.py only
#     when CF_ACCESS_TEAM_DOMAIN / CF_ACCESS_AUD are set, but shipped as a
#     runtime dep so enabling edge auth never hits a missing-module error.
pyjwt>=2.8,<3.0