# Extra dependencies for the injection benchmark ONLY.
# Kept SEPARATE from the main package deps (pyproject.toml / server/requirements.txt).
# Install into a venv:  pip install -r benchmarks/injection/requirements.txt
#
# Every system degrades gracefully: if an optional dep below fails to import,
# that system is reported as "not run" rather than failing the whole benchmark.
# So a partial install still produces a valid (smaller) results.json.

# --- Core (always needed) ---
numpy>=1.26,<2.0            # metrics + bootstrap resampling
python-dotenv==1.2.2        # load OPENAI_/ANTHROPIC_ keys; >=1.2.2 clears CVE-2026-28684

# --- Datasets ---
datasets==2.19.1            # deepset/prompt-injections, databricks-dolly-15k
huggingface-hub==0.30.2     # >=0.30 required by transformers>=4.53; datasets 2.19.1 allows it
requests>=2.31.0            # InjecAgent raw fetch (best-effort)

# --- ML baseline: protectai_deberta  AND  framework baseline: llm_guard ---
# llm-guard pins a strict transformers/torch range; these ranges are chosen so a
# single `pip install` co-resolves llm-guard, transformers, and torch in one venv
# (deberta-v3 text-classification works across this transformers range too).
# CPU torch wheel is large (~200MB); install takes a few minutes.
# IMPORTANT: transformers 5.x breaks llm-guard 0.3.x (import error), and
# llm-guard 0.3.15 requires torch>=2.4 and transformers>=4.43.4 — so cap
# transformers<5 and let llm-guard pull a compatible torch. deberta-v3
# text-classification works in this range.
# Security floor: >=4.53.0 clears every transformers advisory that has a fix
# below 5.x (CVE-2024-12720, CVE-2025-1194/3263/3264/3777/3933/5197/6051/6638/6921,
# PYSEC-2024-227/228/229, PYSEC-2025-40). The remaining advisories have no <5 fix
# and are documented as accepted benchmark-only risk in docs/security/vuln-triage.md.
torch>=2.4
transformers>=4.53.0,<5
sentencepiece==0.2.1        # deberta-v3 tokenizer needs this; >=0.2.1 clears CVE-2026-1260
llm-guard==0.3.15

# --- ML baseline: llama_prompt_guard_2 (no new deps) ---
# meta-llama/Llama-Prompt-Guard-2-86M is a transformers text-classification model that
# reuses the transformers + torch + sentencepiece already pinned above — nothing to add.
# It is a GATED Meta model: accept the license at
# https://huggingface.co/meta-llama/Llama-Prompt-Guard-2-86M and set HF_TOKEN in the env.
# Without that, the benchmark marks `llama_prompt_guard_2` as "not run" and proceeds.
# If the resolver still cannot satisfy llm-guard on your platform, drop it and
# rerun — the benchmark marks `llm_guard` as "not run" and proceeds.

# --- API systems: llm_judge_* and Aegis Stage 4 ---
openai>=1.60.0              # matches the repo's pinned floor
anthropic>=0.69            # <0.40 breaks against modern httpx (no 'proxies' kwarg)
