
Commit bfa6652

scale-ballen and claude authored
fix(deps): clear golden-image Trivy CRITICAL/HIGH (litellm, starlette, pyjwt, python-multipart) (#320)
## Problem

The **agentex** golden image (built in `scaleapi/agentex` from this workspace's `uv.lock` via `uv export --package agentex-backend`) fails the Trivy `CRITICAL,HIGH` gate on four Python advisories:

| Package | CVE | Severity | Fixed in |
|---|---|---|---|
| litellm | CVE-2026-49468 — auth bypass via Host-header injection | **CRITICAL** | 1.84.0 |
| starlette | CVE-2026-48818 / CVE-2026-54283 | HIGH | 1.3.1 |
| pyjwt | CVE-2026-48526 — auth bypass via forged token | HIGH | 2.13.0 |
| python-multipart | CVE-2026-53539 — quadratic querystring parsing | HIGH | 0.0.32 |

## Changes

**1. Re-locked to the fixed versions** (`uv lock --upgrade-package …`):

```
litellm          1.83.14 -> 1.89.1
starlette        0.52.1  -> 1.3.1
pyjwt            2.12.1  -> 2.13.0
python-multipart 0.0.27  -> 0.0.32
fastapi          0.135.1 -> 0.137.1   # >=0.133 drops the starlette<1 cap, enabling the 1.x line
```

**2. Raised the security floors so a re-resolve can't regress below the patched versions** — not just the lock:

- `[tool.uv].override-dependencies` (these override `agentex-sdk`'s `fastapi<0.116` cap): `starlette>=1.3.1`, `python-multipart>=0.0.32`.
- `agentex-backend` package metadata: `litellm>=1.84.0`, and `python-multipart>=0.0.32`.

The package floor matters because a **standalone** install of `agentex-backend` (outside the workspace override) would otherwise still be free to pick a vulnerable 0.0.27–0.0.31.

**3. Added `httpx2` to the `test` group.** starlette 1.3.1 deprecates using `httpx` with `starlette.testclient` in favor of the new `httpx2` package (`StarletteDeprecationWarning` on `TestClient` use — and a hard error if warnings are ever escalated). `agentex/tests/unit/api/test_health_interceptor.py` uses `starlette.testclient.TestClient`, so `httpx2>=2.4.0,<3` is now in the test deps. `httpx[http2]` is kept (used directly elsewhere in tests).

## Verification

- ✅ **CI**: `Run Unit and Integration Tests` + `Verify OpenAPI spec is up to date` both green (the fastapi 0.135→0.137 bump did not shift the generated OpenAPI spec; starlette 0.x→1.x + litellm 1.83→1.89 are runtime-compatible with the app and `agentex-sdk`).
- ✅ **Targeted runtime test**: synced a venv from this lock and ran `test_health_interceptor.py` → **9 passed**. Confirmed `TestClient` + the health interceptor work under starlette 1.3.1 with `httpx2` (verified `GET /healthz` → 200, no deprecation warning when `httpx2` is present).
- ✅ **Image build**: built the agentex golden image with this lock (+ the scale.com base route from scaleapi/agentex#406). `uv export` + install resolved cleanly; verified the installed versions inside the image are `litellm 1.89.1 / starlette 1.3.1 / pyjwt 2.13.0 / python-multipart 0.0.32 / fastapi 0.137.1`.
- ✅ **Runtime**: container boots clean (`restarts=0`), uvicorn runs, `GET /healthz` → `{"status":"ok"}` 200.
- ✅ **Trivy scan of the built image**: **all four Python CVEs are gone** (litellm / starlette / pyjwt / python-multipart no longer flagged). The only remaining gate-blocking findings are the base image's pip/urllib3 `CVE-2026-44432` family (`py3-pip-wheel`, `py3.12-pip`, `py3.12-pip-base`, all r0→r1) — that's the base-route issue tracked by scaleapi/agentex#406, **not** a Python-dep issue. (Note: the scale.com PTC currently still serves the r0-cached base, so it needs a cache refresh to r1 before the gate goes fully green.)

## Related / sync

- Base-image route fix (the `py3-pip-wheel` HIGH on agentex + agentex-auth): **scaleapi/agentex#406** (`golden/chainguard/*` → `golden/scale.com/*` PTC).
- This is the source side; the `agentex` repo's `public` submodule bumps to this commit once merged, then the golden image rebuild picks up the fixed deps.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
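A regression guard for the "can't regress below the patched versions" floors described in the commit message, added here as an example and not part of this commit or the agentex project: it parses a `uv export` listing (the same format the golden image is built from) and reports any of the four packages pinned below its fixed-in version. The export text is constructed; only the floor values come from the commit message.

```python
import re

# Fixed-in versions from the four advisories in the commit message.
PATCHED_FLOORS = {
    "litellm": "1.84.0",           # CVE-2026-49468
    "starlette": "1.3.1",          # CVE-2026-48818 / CVE-2026-54283
    "pyjwt": "2.13.0",             # CVE-2026-48526
    "python-multipart": "0.0.32",  # CVE-2026-53539
}

def _norm(name):
    # Normalise like pip/uv: case-fold, and '_' / '.' runs become '-'.
    return re.sub(r"[-_.]+", "-", name).lower()

def _vkey(version):
    # Numeric release tuple only; pre-release tags (rc1, a1) are dropped, so a
    # pre-release of the fixed version counts as meeting the floor.
    return tuple(int(n) for n in re.match(r"\d+(?:\.\d+)*", version).group(0).split("."))

def parse_pins(export_text):
    """name -> version from `name==version` lines; markers, extras and the
    `--hash=` continuation lines that `uv export` emits are tolerated."""
    pins = {}
    for raw in export_text.splitlines():
        line = raw.strip().rstrip("\\").strip()
        if not line or line.startswith(("#", "-")):
            continue
        m = re.match(r"([A-Za-z0-9][\w.-]*)(?:\[[^\]]*\])?==([\w.+!-]+)$", line.split(";")[0].strip())
        if m:
            pins[_norm(m.group(1))] = m.group(2)
    return pins

def below_floor(export_text, floors=PATCHED_FLOORS):
    """{name: (pinned, floor)} for each floored package pinned below its patch.
    Packages absent from the export are skipped (not installed, so not a regression)."""
    pins = parse_pins(export_text)
    return {n: (pins[n], f) for n, f in floors.items()
            if n in pins and _vkey(pins[n]) < _vkey(f)}

# Constructed sample in `uv export` format (hashes shortened); not the real lock.
EXPORT_BEFORE = """\
#    uv export --package agentex-backend
fastapi==0.135.1 \\
    --hash=sha256:aaaa
litellm==1.83.14 ; python_full_version >= '3.12' \\
    --hash=sha256:bbbb
pyjwt==2.12.1
python-multipart==0.0.27
starlette==0.52.1
"""
EXPORT_AFTER = (EXPORT_BEFORE.replace("1.83.14", "1.89.1").replace("2.12.1", "2.13.0")
                .replace("0.0.27", "0.0.32").replace("0.52.1", "1.3.1"))
```

Run `below_floor()` over the real `uv export --package agentex-backend` output in CI and fail the job when the result is non-empty; the floor map is the place to add future advisories.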
1 parent ab469df commit bfa6652

3 files changed

Lines changed: 72 additions & 28 deletions


agentex/pyproject.toml

Lines changed: 4 additions & 3 deletions
@@ -7,7 +7,7 @@ requires-python = ">=3.12,<3.13"
77
readme = "README.md"
88
dependencies = [
99
"fastapi>=0.115.0",
10-
"litellm>=1.83.7,<2",
10+
"litellm>=1.84.0,<2", # >=1.84.0 clears CVE-2026-49468 (CRITICAL auth bypass)
1111
"python-dotenv>=1.2.2,<2",
1212
"temporalio>=1.18.0,<2",
1313
"uvicorn[standard]>=0.35.0,<0.36",
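Review bot: the standalone-install argument in the commit message is applied to only two of the four advisories in this dependencies block. Floors are raised here for `litellm` and `python-multipart`, but `starlette` (fixed in 1.3.1) is floored only through the root `[tool.uv].override-dependencies`, which a consumer installing `agentex-backend` outside the workspace never sees, and `pyjwt` (fixed in 2.13.0) gets no floor anywhere in this change. Since the tests import `starlette.testclient` directly, consider adding `"starlette>=1.3.1",` to this list; otherwise state in the comment that the lock is the only guard for those two packages.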
@@ -17,7 +17,7 @@ dependencies = [
1717
"alembic>=1.13.3,<2",
1818
"psycopg2-binary>=2.9.9,<3",
1919
"docker>=7.1.0,<8",
20-
"python-multipart>=0.0.27",
20+
"python-multipart>=0.0.32", # >=0.0.32 clears CVE-2026-53539 (quadratic querystring parsing)
2121
"aiodocker>=0.23.0,<0.24",
2222
"kubernetes-asyncio>=31.1.0,<32",
2323
"aiohttp>=3.10.9,<4",
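Review bot: `"python-multipart>=0.0.32"` keeps the open upper side the previous line had while every neighbouring pin carries a `<N` cap; that is consistent with before, but the same floor now lives in two places (here and in the root `override-dependencies`), so a future bump must be made in both. A short comment cross-referencing the override entry would keep the two floors from drifting apart.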
@@ -48,7 +48,8 @@ test = [
4848
"pytest-asyncio>=1.0.0,<2",
4949
"pytest-cov>=5.0.0,<6",
5050
"testcontainers>=4.0.0,<5",
51-
"httpx[http2]>=0.27.0,<0.29", # for test client
51+
"httpx[http2]>=0.27.0,<0.29", # async client used directly in tests
52+
"httpx2>=2.4.0,<3", # starlette 1.3.1 testclient backend (httpx is deprecated for it)
5253
"factory-boy>=3.3.0,<4", # for test data factories
5354
"greenlet>=3.2.3",
5455
"asyncpg>=0.29.0",
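Review bot: the new comment says why `httpx2` is present but not where the `>=2.4.0` floor comes from. If starlette 1.3.1's test client declares a minimum `httpx2` version, cite it; if 2.4.0 is simply what resolved, say so, because two HTTP client libraries now coexist in the test environment (`httpx[http2]` stays for direct use) and the floor will otherwise read as a hard requirement. The `httpx[http2]>=0.27.0` floor here is also looser than the `>=0.28.1` override in the root `pyproject.toml`; harmless inside the workspace, but worth noting in the comment.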

pyproject.toml

Lines changed: 6 additions & 3 deletions
@@ -23,14 +23,17 @@ environments = [
2323
"sys_platform == 'darwin'",
2424
]
2525

26-
# Override agentex-sdk's fastapi<0.116 pin to allow starlette CVE-2025-62727 fix
26+
# Override agentex-sdk's fastapi<0.116 pin to allow the starlette 1.x line, which
27+
# carries the fixes for CVE-2026-48818 / CVE-2026-54283 (and CVE-2025-62727).
28+
# python-multipart>=0.0.32 clears CVE-2026-53539. Keep these floors at the patched
29+
# minimums so a re-resolve can't regress below them.
2730
override-dependencies = [
2831
"fastapi>=0.135.0",
29-
"starlette>=0.52.0",
32+
"starlette>=1.3.1",
3033
"httpx[http2]>=0.28.1,<0.29",
3134
"langchain-core>=1.3.3",
3235
"mako>=1.3.12",
33-
"python-multipart>=0.0.27",
36+
"python-multipart>=0.0.32",
3437
]
3538

3639
[tool.uv.workspace]
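Review bot: the rewritten comment promises that these floors stop a re-resolve from regressing below the patched versions, but `pyjwt` (CVE-2026-48526, fixed in 2.13.0 according to the commit message) is absent from the list, so only `uv.lock` holds it at 2.13.0 and a fresh resolve could select an older release. Add `"pyjwt>=2.13.0",` next to the `starlette` and `python-multipart` entries so the override block covers all four advisories the commit claims to clear.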

uv.lock

Lines changed: 62 additions & 22 deletions
Some generated files are not rendered by default.
