# ══════════════════════════════════════════════════════════
# ICOA — Python version lock (single source of truth)
# ══════════════════════════════════════════════════════════
# This is a pip *constraints* file (pip install -c constraints.txt ...).
# It does NOT install anything — it only pins the version of whatever the
# host setup (src/commands/env.ts) or the sandbox image (docker/Dockerfile)
# actually requests, INCLUDING transitive dependencies.
#
# Why this file exists — anti version-drift:
#   Before this, the same package was pinned in two places (env.ts manifest
#   + Dockerfile) and they drifted (e.g. gmpy2 was >=2.2.0 on the host but
#   ==2.1.5 in the image). Both paths now share THIS file, so a version is
#   declared exactly once. Edit a pin here and both host + container follow.
#
# Tested on Python 3.12 (host target 3.12.13 / sandbox ubuntu:24.04 = 3.12).
# Keep entries == exact. Any change here should be re-verified on WSL +
# Ubuntu + macOS before publish (see CLAUDE.md cross-platform baseline).
# ══════════════════════════════════════════════════════════

# ── CTF Core ──
pwntools==4.12.0
pycryptodome==3.20.0
z3-solver==4.13.0.0  # 4.12.6→4.13.0.0: angr's claripy hard-pins this exact ver (see big-trees note)

# ── Web & Network ──
requests==2.31.0
beautifulsoup4==4.12.3
flask==3.0.0
scapy==2.5.0
paramiko==3.4.0

# ── Crypto & Math ──
sympy==1.12
gmpy2==2.3.0        # reconciled: was env.ts >=2.2.0 vs Dockerfile ==2.1.5
cryptography==42.0.0

# ── Binary & RE ──
capstone==5.0.6      # 5.0.1→5.0.6: angr 9.2.217 hard-pins capstone==5.0.6 exactly
ropper==1.13.8
ROPgadget==7.4
pefile==2024.8.26    # 2023.2.7→2024.8.26: volatility3 2.28.0 needs pefile>=2024.8.26

# ── Data & Forensics ──
pillow==10.2.0
numpy==1.26.4
python-magic==0.4.27
yara-python==4.5.0

# ── Tools ──
uncompyle6==3.9.1
pyserial==3.5
ipython==9.6.0      # was floating; pinned to current 3.12-compatible release

# ── Large dependency trees: angr / volatility3 / sqlmap ──
# WARNING (was the v2.19.240 bug): a pip constraints file pins the ENTIRE
# resolution graph, including every transitive dep — they do NOT "float". So
# the exact pins above MUST agree with whatever these trees hard-pin, or pip
# dies with ResolutionImpossible. angr 9.2.217 hard-pins capstone==5.0.6 and
# (via claripy) z3-solver==4.13.0.0; volatility3 2.28.0 needs pefile>=2024.8.26.
# The Binary&RE / CTF-core pins above are set to satisfy all three.
# When bumping angr/volatility3: re-resolve on a clean macOS + Ubuntu, then sync
# the same numbers in src/commands/env.ts (PYTHON_LIBS) and docker/Dockerfile.
angr==9.2.217
sqlmap==1.10.5
volatility3==2.28.0

# ── Intentionally NOT pinned (float to latest) ──
# Dockerfile-only pip installs with no host equivalent to resolve against.
# When a drift incident hits one of them, add a verified == pin above.
#   one_gadget
#   seccomp-tools
#   pngcheck
#   rsactftool
