chore: migrate from Poetry to uv

[devin-ai-integration]

Migrate from Poetry to uv

This PR migrates the project from Poetry to uv for dependency management, offering faster installation times and improved reproducibility.

Changes

• Replace Poetry with uv for dependency management
• Update Dockerfile to use uv for dependency installation
• Add requirements.txt and requirements.dev.txt files
• Update documentation with uv setup instructions
• Add migration guide for existing developers

Development Workflow Changes

• Dependencies are now managed with uv pip install instead of poetry install
• Virtual environments are created with uv venv
• Pre-commit hooks updated to use uv

Docker Build Process Updates

• Removed Poetry-specific commands and configurations
• Added --system flag for uv installations in containers
• Updated multi-stage build process to use requirements files

CI/CD Pipeline Updates

• Dependencies installed using uv pip install --system
• Virtual environments not used in Docker containers
• Pre-commit hooks ensure code quality

Testing

✅ Successfully tested:

• Virtual environment creation with uv venv
• Dependency installation with uv pip install
• All required packages installed correctly
• FastAPI and other core dependencies working

Link to Devin run: https://app.devin.ai/sessions/2430149b78eb49f6bff9c52e97afdb17
Requested by: [email protected]

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add "(aside)" to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[semgrep-code-assistant-ws]

Risk: Affected versions of virtualenv are vulnerable to Improper Neutralization of Special Elements used in a Command ('Command Injection') / Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). virtualenv allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing.

Fix: Upgrade this library to at least version 20.26.6 at llm-gateway/requirements.dev.txt:70.

Reference(s): GHSA-rqc4-2hc7-8c8v, CVE-2024-53899

_{💬 To ignore this, reply with:
• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by ssc-9be743e1-05bf-d877-55ed-816b77b3322e.}

[semgrep-code-assistant-ws]

Semgrep identified an issue, but thinks it may be safe to ignore.

AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file.

Why this might be safe to ignore:

The finding is in a test file (checks_test.go), which suggests it is not part of production code. Test files often contain hardcoded values for testing purposes, and this AWS Access Key ID is unlikely to be a real credential. Therefore, it is not a security risk in this context.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by detected-aws-access-key-id-value.

_{You can view more details about this finding in the Semgrep AppSec Platform.}

[semgrep-code-assistant-ws]

Semgrep identified an issue, but thinks it may be safe to ignore.

AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file.

Why this might be safe to ignore:

The matched code is in a test file (checks_test.go), which suggests that this AWS Access Key ID is likely a placeholder or test value. Test files are not typically exposed to production environments, making this finding not reasonably exploitable.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by detected-aws-access-key-id-value.

_{You can view more details about this finding in the Semgrep AppSec Platform.}

[semgrep-code-assistant-ws]

Semgrep identified an issue, but thinks it may be safe to ignore.

AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file.

Why this might be safe to ignore:

The matched code is in a test file (checks_test.go), which suggests it is not used in production. Test files often contain hardcoded values for testing purposes, and this AWS Access Key ID is unlikely to be a real credential.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by detected-aws-access-key-id-value.

_{You can view more details about this finding in the Semgrep AppSec Platform.}

[6]

wow! this is cool