Files
alembic/requirements.txt
andrew 2641a1b874 P2 cleanups: pin deps, prune job-run rows, unmask non-secret creds, enforce allowlist at login
- R11: pin requirements.txt to the versions running in the image, so a rebuild
  can't pull a breaking upstream release. Documented how to upgrade.
- R12: log rotation now also prunes job_runs rows older than 90 days (nulling
  the manual_imports FK reference first), so the table doesn't grow without
  bound. dedup/genre candidates are review state and left alone.
- U5: credential form shows non-secret fields (URLs, usernames, prefs) as plain
  text so they can be verified while typing; only real secrets stay masked.
  Dashboard IP card reworded from gluetun-specific to generic "Outbound IP".
- S9: enforce ALLOWED_EMAIL at the OIDC callback, before any user row or session
  is created, instead of only on later requests.

Verified: pinned build resolves; prune deletes only old rows and keeps the
manual_imports record; credentials page renders text+password inputs; a
disallowed email gets 403 with no user row, an allowed one succeeds.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-10 15:44:31 -06:00

25 lines
608 B
Plaintext

# Pinned to the versions currently running in the image. Rebuilds are then
# reproducible: a breaking upstream release can't be pulled in on the next
# `docker build`. To upgrade, bump a pin here deliberately, rebuild, and test.
# Control-plane app
fastapi==0.139.0
uvicorn[standard]==0.51.0
jinja2==3.1.6
python-multipart==0.0.32
pydantic==2.13.4
pydantic-settings==2.14.2
sqlalchemy==2.0.51
apscheduler==3.11.3
authlib==1.7.2
itsdangerous==2.2.0
cryptography==49.0.0
httpx==0.28.1
# Pipeline scripts (migrated from /opt/sldl)
beets==2.12.0
mutagen==1.48.1
numpy==2.4.6
pyacoustid==1.3.1
requests==2.34.2