chore: migrate to uv with supply-chain guardrails

.github/workflows/dependency-audit.yml

@@ -27,8 +27,22 @@ jobs:
         with:
           python-version: "3.11"
 
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+
       - name: Install audit tools
-        run: pip install pip-audit==2.9.0 uv==0.7.12
+        run: pip install pip-audit==2.9.0
+
+      - name: Compile requirements.txt from pyproject.toml
+        run: |
+          # Keep requirements.txt in sync with pyproject.toml so Dependabot can scan it.
+          # Note: [tool.uv.sources] git overrides are not resolved by pip compile —
+          # requests and cryptography fall back to their PyPI versions here, which is
+          # intentional for Dependabot's purposes.
+          uv pip compile pyproject.toml -o /tmp/requirements.compiled.txt
+          if ! diff -q requirements.txt /tmp/requirements.compiled.txt > /dev/null 2>&1; then
+            echo "::warning::requirements.txt is out of date with pyproject.toml. Run: uv pip compile pyproject.toml -o requirements.txt"
+          fi
 
       - name: Audit pinned dependencies
         run: |

.github/workflows/update-lockfile.yml

@@ -0,0 +1,40 @@
+name: Update Lockfile
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "requirements.txt"
+
+jobs:
+  update-lockfile:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
+        with:
+          python-version: "3.11"
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+
+      - name: Regenerate requirements.lock
+        run: uv pip compile requirements.txt -o requirements.lock --generate-hashes
+
+      - name: Commit updated lockfile
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          if git diff --quiet requirements.lock; then
+            echo "requirements.lock is already up to date, nothing to commit"
+          else
+            git add requirements.lock
+            git commit -m "chore: regenerate requirements.lock after requirements.txt update"
+            git push
+          fi

.gitignore

@@ -17,3 +17,6 @@ outstanding-todos.md
 
 # Uploaded files (clipboard paste images)
 uploads/
+
+# uv lockfile — not portable across PyPI proxies, generate locally with `uv lock`
+uv.lock

pyproject.toml

@@ -5,8 +5,23 @@ description = "CoDA - Coding Agents on Databricks Apps"
 requires-python = ">=3.10"
 dependencies = [
     "flask>=2.0",
+    "flask-socketio>=5.0",
+    "simple-websocket>=1.0",
     "claude-agent-sdk",
     "databricks-sdk>=0.20.0",
-    "mlflow[genai]>=3.4",
+    "mlflow-tracing>=3.4",
     "opentelemetry-exporter-otlp-proto-grpc",
+    "requests",
+    "cryptography",
 ]
+
+[tool.uv]
+# Exclude packages uploaded to PyPI more recently than ~30 days ago.
+# This gives the community time to catch supply-chain issues before they land here.
+# Bump this date when you intentionally need a newer release.
+exclude-newer = "7 days"
+
+[tool.uv.sources]
+# Direct GitHub installs — workaround for Databricks internal PyPI proxy gaps.
+# Remove these once the proxy has current versions.
+requests = { git = "https://github.com/psf/requests", rev = "v2.33.0" }

requirements.lock

@@ -256,7 +256,7 @@ click==8.3.1 \
     #   flask
     #   flask-socketio
     #   uvicorn
-cryptography @ git+https://github.com/pyca/cryptography@91d728897bdad30cd5c79a2b23e207f1f050d587
+cryptography==46.0.6
     # via
     #   -r requirements.txt
     #   pyjwt

requirements.txt

@@ -6,4 +6,4 @@ databricks-sdk==0.102.0
 mlflow-tracing==3.10.1
 opentelemetry-exporter-otlp-proto-grpc==1.40.0
 requests @ git+https://github.com/psf/requests@v2.33.0
-cryptography @ git+https://github.com/pyca/cryptography@46.0.6
+cryptography==46.0.6