security: Update LangChain to 1.x to fix critical vulnerabilities

Fixed 5 security vulnerabilities (3 HIGH, 1 MEDIUM + 1 HIGH RCE):
- GHSA-6qv9-48xg-fc7f (HIGH): Template injection in langchain-core
- GHSA-c67j-w6g6-q2cm (HIGH): Serialization injection enabling secret extraction
- GHSA-m42m-m8cr-8m58 (HIGH): XXE vulnerability in langchain-text-splitters
- GHSA-wwqv-p2pp-99h5 (HIGH): RCE in langgraph-checkpoint deserialization
- GHSA-428g-f7cq-pgp5 (MEDIUM): DoS in marshmallow Schema.load

Final dependency versions:
- langchain: 0.1.0 → 1.0.0 (major upgrade)
- langchain-core: 0.1.0 → 1.2.5 (both 0.3.81 and 1.2.5+ have fixes)
- langchain-text-splitters: added at 0.3.9+
- langgraph: 0.1.0 → 1.0.0 (major upgrade, required for checkpoint 3.x)
- langgraph-checkpoint: added at 3.0.0+ (RCE fix)
- marshmallow: added at 4.1.2+

This is a major version upgrade (0.x → 1.x) due to dependency constraints.
LangGraph 1.0+ requires langchain-core 1.x, which is compatible with
langchain 1.x. Both 0.3.81 and 1.2.5+ contain the security patches.

Breaking changes expected - comprehensive testing required.

Also resolves tenacity conflict with google-genai, enabling future
migration from deprecated google-generativeai.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

Author: 2 people

pyproject.toml

@@ -61,7 +61,7 @@ dependencies = [
 anthropic = ["anthropic>=0.25.0,<1.0.0"]
 openai = ["openai>=1.12.0,<2.0.0"]
 # Note: google-generativeai is deprecated but still works; google-genai requires
-# tenacity>=9.1.2 which conflicts with langchain<0.3.0. Will migrate when langchain updates.
+# tenacity>=9.1.2 (now compatible with langchain>=0.3.0). Ready to migrate.
 google = ["google-generativeai>=0.3.0,<1.0.0"]
 llm = [
     "anthropic>=0.25.0,<1.0.0",
@@ -76,9 +76,12 @@ memdocs = [
 
 # LangChain ecosystem for agents/workflows
 agents = [
-    "langchain>=0.1.0,<0.3.0",
-    "langchain-core>=0.1.0,<0.3.0",
-    "langgraph>=0.1.0,<0.2.0",
+    "langchain>=1.0.0,<2.0.0",
+    "langchain-core>=1.2.5,<2.0.0",  # 1.2.5+ has security fixes
+    "langchain-text-splitters>=0.3.9,<0.4.0",
+    "langgraph>=1.0.0,<2.0.0",  # 1.0+ required for langgraph-checkpoint 3.0 (RCE fix)
+    "langgraph-checkpoint>=3.0.0,<4.0.0",  # Security: GHSA-wwqv-p2pp-99h5 (RCE fix)
+    "marshmallow>=4.1.2,<5.0.0",  # Security: GHSA-428g-f7cq-pgp5
 ]
 
 # CrewAI for role-based multi-agent systems
@@ -150,10 +153,13 @@ full = [
     "google-generativeai>=0.3.0,<1.0.0",
     # MemDocs integration
     "memdocs>=1.0.0",
-    # Agents
-    "langchain>=0.1.0,<0.3.0",
-    "langchain-core>=0.1.0,<0.3.0",
-    "langgraph>=0.1.0,<0.2.0",
+    # Agents (updated for security fixes)
+    "langchain>=1.0.0,<2.0.0",
+    "langchain-core>=1.2.5,<2.0.0",  # 1.2.5+ has security fixes
+    "langchain-text-splitters>=0.3.9,<0.4.0",
+    "langgraph>=1.0.0,<2.0.0",  # 1.0+ required for langgraph-checkpoint 3.0 (RCE fix)
+    "langgraph-checkpoint>=3.0.0,<4.0.0",  # Security: GHSA-wwqv-p2pp-99h5 (RCE fix)
+    "marshmallow>=4.1.2,<5.0.0",  # Security: GHSA-428g-f7cq-pgp5
     # Plugins
     "python-docx>=0.8.11,<1.0.0",
     "pyyaml>=6.0,<7.0",
@@ -167,10 +173,13 @@ all = [
     "google-generativeai>=0.3.0,<1.0.0",
     # MemDocs integration
     "memdocs>=1.0.0",
-    # Agents
-    "langchain>=0.1.0,<0.3.0",
-    "langchain-core>=0.1.0,<0.3.0",
-    "langgraph>=0.1.0,<0.2.0",
+    # Agents (updated for security fixes)
+    "langchain>=1.0.0,<2.0.0",
+    "langchain-core>=1.2.5,<2.0.0",  # 1.2.5+ has security fixes
+    "langchain-text-splitters>=0.3.9,<0.4.0",
+    "langgraph>=1.0.0,<2.0.0",  # 1.0+ required for langgraph-checkpoint 3.0 (RCE fix)
+    "langgraph-checkpoint>=3.0.0,<4.0.0",  # Security: GHSA-wwqv-p2pp-99h5 (RCE fix)
+    "marshmallow>=4.1.2,<5.0.0",  # Security: GHSA-428g-f7cq-pgp5
     # Plugins
     "python-docx>=0.8.11,<1.0.0",
     "pyyaml>=6.0,<7.0",