Conversation

@VirtualAgentics VirtualAgentics commented Oct 24, 2025

Description

This PR resolves critical dependency conflicts that were preventing semgrep security scanning from functioning properly. The changes include updating core dependencies to align with MCP requirements and pinning semgrep-compatible versions.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • Documentation update

Related Issues

Resolves dependency conflicts that prevented semgrep security scanning from functioning.

Testing

  • All existing tests pass
  • Manual testing completed
  • Smoke tests pass

Test Commands

# Security: Run dependency audit and ensure no hardcoded credentials in tests
pip-audit -r requirements.txt

# Run pre-commit hooks (if applicable)
pre-commit run --all-files

# Add any specific test commands you ran
python -m pytest
ruff check src
black src

Checklist

  • My code follows the project's style guidelines
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings or errors
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published

Additional Notes

  • Updated pydantic from 2.9.2 to 2.12.3 for MCP compatibility
  • Updated uvicorn from 0.30.6 to 0.38.0 for MCP compatibility
  • Pinned semgrep-compatible versions: click==8.1.8, rich==13.5.3, tomli==2.0.2
  • Created comprehensive ADR-0005 documenting the resolution process
  • All changes maintain full backward compatibility

Breaking Changes

None - all changes maintain backward compatibility.

Performance Impact

Positive - newer pydantic and uvicorn versions include performance improvements.

Security Considerations

  • Enables semgrep security scanning which was previously blocked
  • No security implications from dependency updates
  • All security tests pass

Summary by CodeRabbit

  • Chores
    • Updated core dependencies to newer stable versions to improve compatibility and stability with the runtime.
    • Added new dependencies to support CLI utilities, enhanced console output, and TOML parsing; no functional or control-flow changes introduced.

- Update pydantic from 2.9.2 to 2.12.3 for MCP compatibility
- Update uvicorn from 0.30.6 to 0.38.0 for MCP compatibility
- Pin semgrep-compatible versions: click==8.1.8, rich==13.5.3, tomli==2.0.2
- Align pyproject.toml with requirements.txt for consistency
- Add comprehensive ADR-0005 documenting the resolution process
- Update CHANGELOG.md with dependency changes

Resolves dependency conflicts that prevented semgrep security scanning
while maintaining full backward compatibility and test coverage.
coderabbitai bot commented Oct 24, 2025

Caution

Review failed

The pull request is closed.

Walkthrough

Dependency updates: pyproject.toml raised versions for uvicorn[standard], fastapi, and pydantic; requirements.txt added click, rich, tomli, and tomli_w.

Changes

Cohort / File(s): Summary

  • Project metadata updates (pyproject.toml): Bumped dependency bounds: fastapi to >=0.118.1, uvicorn[standard] from 0.30.6 to 0.38.0, and pydantic from 2.9.2 to 2.12.3 (also updated dev ruff to 0.14.2).
  • Requirements additions (requirements.txt): Added runtime/dev packages: click==8.1.8, rich==13.5.3, tomli==2.0.2, tomli_w==1.2.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: you can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title Check: ✅ Passed. The PR title "feat: resolve MCP and semgrep dependency conflicts" directly and clearly describes the primary objective of the changeset. The modifications across pyproject.toml and requirements.txt (updating pydantic, uvicorn, and pinning semgrep-compatible dependencies) are all focused on resolving the stated dependency conflicts. The title is concise, specific, and would allow a developer scanning commit history to immediately understand the purpose of these changes without ambiguity.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 89da358 and 0a37de5.

📒 Files selected for processing (1)
  • pyproject.toml (2 hunks)

codecov bot commented Oct 24, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.

…ments.txt

- Updated ruff from 0.14.1 to 0.14.2 in dev dependencies
- Ensures version consistency between pyproject.toml and requirements.txt
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
pyproject.toml (2)

63-78: Add semgrep and pinned dependency versions to dev extras for transparency.

The PR resolves semgrep dependency conflicts, but semgrep is not listed in the dev extras. Additionally, the four new dependencies in requirements.txt (click, rich, tomli, tomli_w) should be documented here with a comment explaining their semgrep compatibility role. This improves maintainability and ensures developers understand the dependency purpose.

Add the following to the dev extras after line 77 (before closing ]):

  "safety==3.6.2",
  "pip-audit==2.9.0",
+  "semgrep>=1.45.0",  # For security scanning; pinned deps below resolve conflicts
+  "click==8.1.8",  # Pinned for semgrep compatibility
+  "rich==13.5.3",  # Pinned for semgrep compatibility
+  "tomli==2.0.2",  # Pinned for semgrep compatibility
+  "tomli_w==1.2.0",  # Pinned for semgrep compatibility
]
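Review bot: `"semgrep>=1.45.0"` in this suggested hunk is a lower bound only, while the four pins beside it and the project rule quoted later in this review (pin with exact versions (==) or constrained ranges) use exact pins; an open upper bound lets a future semgrep release pull in click, rich or tomli versions that reintroduce the very conflict these pins exist to avoid. Suggest `"semgrep==<tested version>"` or at least an upper bound, and keeping the pinned set in one place (pyproject.toml or a generated lock) rather than hand-copying it into both files, so the two cannot drift.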

Also, align the ruff version:

- "ruff==0.14.1",
+ "ruff==0.14.2",
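Review bot: this hunk raises the pyproject.toml ruff pin to 0.14.2, but the requirements.txt comment in the same review recommends the opposite direction (`Update ruff to match pyproject.toml (==0.14.1)`); the two suggestions cannot both be applied. Pick one target version and apply it to both files in the same commit (the PR's follow-up commit went with 0.14.2 in pyproject.toml).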

3-3: Align target-version across tool configurations.

Line 3 specifies ["py312"] but line 53 allows ">=3.12". For consistency and to avoid confusion, consider whether the project should explicitly declare only py312 support or allow >=3.12. If >=3.12 is intentional (backward compatibility with future versions), the target-version in tool configs can remain py312 (the baseline). Document this intent in a comment.

Also applies to: 53-53

requirements.txt (1)

1-19: Reconcile version pinning with pyproject.toml and add hashes to requirements.txt.

The requirements.txt has a critical inconsistency: ruff is pinned to 0.14.2 while pyproject.toml specifies 0.14.1. Additionally, requirements.txt includes packages not declared in pyproject.toml (click, rich, tomli, tomli_w, orjson, httpx, starlette, filelock) without explanation.

Update ruff to match pyproject.toml (==0.14.1), clarify the role of requirements.txt (lock file vs. supplementary), and add SHA256 hashes to all entries per security guidelines:

fastapi==0.120.0 --hash=sha256:...
uvicorn[standard]==0.38.0 --hash=sha256:...
pydantic==2.12.3 --hash=sha256:...
...
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d479722 and c277959.

⛔ Files ignored due to path filters (2)
  • CHANGELOG.md is excluded by !**/*.md and included by none
  • docs/adr/ADR-0005-mcp-dependency-resolution.md is excluded by !docs/**, !**/*.md and included by none
📒 Files selected for processing (2)
  • pyproject.toml (1 hunks)
  • requirements.txt (1 hunks)
🧰 Additional context used
📓 Path-based instructions (7)
pyproject.toml

📄 CodeRabbit inference engine (.cursor/rules/cicd.mdc)

Pin Python dependencies with exact versions (==) or constrained ranges in pyproject.toml, including dev extras

pyproject.toml: Configure ruff, mypy (strict), and black (line length 88, target py310) in pyproject.toml as specified
Bump project version in pyproject.toml for breaking changes

pyproject.toml: Ruff configuration must select: E,F,I,B,UP,C4,PIE,SIM,T20,ASYNC,S,RUF,S603,SIM115,RUF006; with specified per-file ignores
Enable mypy plugin pydantic.mypy and override tests.* disallow_untyped_defs=false

Files:

  • pyproject.toml
**/pyproject.toml

📄 CodeRabbit inference engine (.cursor/rules/security.mdc)

Pin Python dependencies in pyproject.toml (exact versions, ideally with hashes)

Files:

  • pyproject.toml
**/*

📄 CodeRabbit inference engine (.cursor/rules/security.mdc)

Avoid committing content matching common secret patterns (e.g., sk-..., AKIA..., ghp_..., password='...')

Files:

  • pyproject.toml
  • requirements.txt
{requirements.txt,pyproject.toml,**/*.{yaml,yml}}

📄 CodeRabbit inference engine (CONTRIBUTING.md)

{requirements.txt,pyproject.toml,**/*.{yaml,yml}}: Keep dependencies secure and appropriately versioned in configuration files
Follow configuration best practices in config files
Assess security implications of configuration changes
Ensure proper formatting and structure in configuration files

Files:

  • pyproject.toml
  • requirements.txt
{pyproject.toml,requirements*.txt,Pipfile*,package*.json,pnpm-lock.yaml,uv.lock}

⚙️ CodeRabbit configuration file

{pyproject.toml,requirements*.txt,Pipfile*,package*.json,pnpm-lock.yaml,uv.lock}: Flag vulnerable or unpinned deps; suggest safer alternatives; check tool configs (ruff, mypy, pytest, coverage).

Files:

  • pyproject.toml
  • requirements.txt
requirements*.txt

📄 CodeRabbit inference engine (.cursor/rules/cicd.mdc)

Use requirements*.txt in workflows as cache key inputs and installation sources; keep them present and up to date

Files:

  • requirements.txt
**/requirements.txt

📄 CodeRabbit inference engine (.cursor/rules/security.mdc)

Pin Python dependencies in requirements.txt (exact versions, include hashes)

Files:

  • requirements.txt
🔇 Additional comments (1)
requirements.txt (1)

8-8: Address ruff version inconsistency and clarify purpose of four pinned packages.

The concerns identified are valid:

  • Ruff version mismatch: requirements.txt pins 0.14.2 but pyproject.toml dev extras pin 0.14.1
  • Missing packages: click, rich, tomli, tomli_w are pinned in requirements.txt but absent from pyproject.toml

Before reconciling these files, clarify whether the four packages are:

  1. Runtime dependencies → add to dependencies list in pyproject.toml
  2. Development/CI tools → add to dev extras in pyproject.toml with comment explaining purpose (e.g., semgrep, security scanning)
  3. Pinned transitive dependencies for reproducibility → document their purpose and keep synchronized with pyproject.toml

Once clarified, ensure:

  • Ruff version matches across both files
  • All packages are consistently versioned and documented
  • pyproject.toml reflects the full dependency graph for reproducibility
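As an added example (not code from the PR, the project, or CodeRabbit), one way to mechanise the two findings raised in this review, version drift between pyproject.toml and requirements.txt and pinned lines shipped without --hash, assuming the standard [project] / optional-dependencies layout; the file contents are constructed inline to reproduce the ruff 0.14.1 vs 0.14.2 case.

```python
import re
try:
    import tomllib  # stdlib on Python 3.11+
except ImportError:  # older interpreters: the tomli pin this PR adds
    import tomli as tomllib
# Constructed inputs (not the project's files) that reproduce the review's
# findings: ruff pinned differently in each file, click only in requirements.
PYPROJECT = b"""
[project]
dependencies = ["fastapi>=0.118.1", "pydantic==2.12.3"]
[project.optional-dependencies]
dev = ["ruff==0.14.1", "pip-audit==2.9.0"]
"""
REQUIREMENTS = """
fastapi==0.120.0 --hash=sha256:0000
pydantic==2.12.3
ruff==0.14.2
click==8.1.8
"""
# name, optional [extras], operator, version; markers, comments and hashes ignored
SPEC_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*([<>=!~]=?)\s*([^\s;#]+)")

def _norm(name):
    return name.lower().replace("_", "-")  # PEP 503: tomli_w and tomli-w are one name

def parse_specs(lines):
    """Map normalized package name -> (operator, version) for each spec line."""
    found = [SPEC_RE.match(line) for line in lines]
    return {_norm(m.group(1)): (m.group(2), m.group(3)) for m in found if m}

def pyproject_specs(raw):
    """Collect [project] dependencies plus every optional-dependencies extra."""
    project = tomllib.loads(raw.decode())["project"]
    specs = list(project.get("dependencies", []))
    for extra in project.get("optional-dependencies", {}).values():
        specs.extend(extra)
    return parse_specs(specs)

def compare(pyproject_raw, requirements_text):
    """Return ({name: (pyproject_pin, requirements_pin)}, [names only in requirements])."""
    py = pyproject_specs(pyproject_raw)
    req = parse_specs(requirements_text.splitlines())
    drift = {n: (py[n][1], v) for n, (op, v) in req.items()
             if n in py and op == py[n][0] == "==" and py[n][1] != v}
    return drift, sorted(set(req) - set(py))

def unhashed(requirements_text):
    """Pinned lines without --hash, where pip cannot verify the downloaded artifact."""
    matches = map(SPEC_RE.match, requirements_text.splitlines())
    return sorted(_norm(m.group(1)) for m in matches if m and "--hash=" not in m.string)
```

Run against the real files, a non-empty drift dict or unhashed list is the signal to block the merge until the two sources agree.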

@VirtualAgentics VirtualAgentics merged commit 0c9e2db into main Oct 24, 2025
13 of 14 checks passed
@VirtualAgentics VirtualAgentics deleted the feat/mcp-dependency-resolution branch October 24, 2025 08:33