# Updated: 2026-04-29 — Release 0.4.18: dev → main sync (PR #1015) — file jail OCR/STT, scope enforcement + fail-closed require_scope, SSRF guard scaffolding, PII tightening, rate-limiter race fix + ReDoS bounds, audit-log scrubbing, dynamic cookie Secure flag, nonce-based CSP, plus bus mutation leakage and token-usage propagation fixes. [project] name = "pocketpaw" version = "0.4.18" description = "The AI agent that runs on your laptop, not a datacenter. OpenClaw alternative with one-command install." readme = "README.md" license = "MIT" requires-python = ">=3.11" keywords = [ "ai", "agent", "telegram", "assistant", "automation", "browser", "llm", "ollama", "openai", "anthropic", "self-hosted", "local-first", "privacy" ] authors = [ { name = "PocketPaw Team", email = "hello@pocketpaw.ai" } ] classifiers = [ "Development Status :: 4 - Beta", "Environment :: Console", "Intended Audience :: End Users/Desktop", "Intended Audience :: Developers", "License :: OSI Approved :: MIT License", "Operating System :: OS Independent", "Operating System :: MacOS", "Operating System :: Microsoft :: Windows", "Operating System :: POSIX :: Linux", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.11", "Programming Language :: Python :: 3.12", "Programming Language :: Python :: 3.13", "Topic :: Home Automation", "Topic :: Scientific/Engineering :: Artificial Intelligence", "Topic :: Internet :: WWW/HTTP :: Browsers", "Typing :: Typed", ] dependencies = [ # Config "pydantic>=2.10.0", "pydantic-settings>=2.1.0", # HTTP client (used everywhere) "httpx>=0.26.0", # LLM Clients "openai>=1.60.0", "anthropic>=0.45.0", # Agent Backend (recommended default) "claude-agent-sdk>=0.1.56", # Dashboard (default mode — must be in core so `pip install pocketpaw` just works) "uvicorn[standard]>=0.31.1", "jinja2>=3.1.0", "fastapi>=0.134.0", # fastapi 0.134.0 first allowed starlette 1.0.0 (dropped upper bound) "qrcode[pil]>=7.4", "python-multipart>=0.0.22", # Logging & CLI "rich>=13.0.0", "click>=8.0", # Scheduling "apscheduler>=3.10.0", "python-dateutil>=2.8.0", # Credential Encryption "cryptography>=46.0.0", # Image basics "pillow>=10.0.0", # Soul Protocol — runtime imports from soul_protocol.spec.journal and # soul_protocol.engine.journal for fleet installer event emission (#947). # Promoted from optional extra to base dep in v0.3.1 integration work; # the runtime now takes a hard dependency on the journal primitives. "soul-protocol[engine]>=0.3.1", ] [project.optional-dependencies] # --- Feature extras --- vector = ["chromadb", "bm25s"] knowledge = ["trafilatura", "bm25s", "pypdf"] databases = [ "sqlalchemy[asyncio]>=2.0.0", "asyncpg>=0.29.0", # PostgreSQL "aiomysql>=0.2.0", # MySQL / MariaDB "aiosqlite>=0.20.0", # SQLite ] postgresql = ["sqlalchemy[asyncio]>=2.0.0", "asyncpg>=0.29.0"] mysql = ["sqlalchemy[asyncio]>=2.0.0", "aiomysql>=0.2.0"] mongodb = ["motor>=3.3.0", "beanie>=1.26.0"] graph = ["networkx>=3.0"] dashboard = [ # Kept for backward compat — dashboard deps are now in core. # Users with `pip install pocketpaw[dashboard]` in scripts won't break. ] telegram = [ "python-telegram-bot>=21.0", ] browser = [ "playwright>=1.50.0", ] desktop = [ "psutil>=5.9.0", "pyautogui>=0.9.54", ] openai-agents = [ "openai-agents>=0.2.0", ] google-adk = [ "google-adk>=1.0.0", ] copilot-sdk = [ "github-copilot-sdk>=0.1.0", ] deep-agents = [ "deepagents>=0.1.0", "langchain-mcp-adapters>=0.1.0", ] litellm = [ "litellm>=1.40.0", ] memory = [ "mem0ai>=0.1.115", "ollama>=0.6.1", ] soul = [ "soul-protocol[engine]>=0.3.0", ] # --- Channel extras --- discord = [ "discord-cli-agent>=0.7.0", ] slack = [ "slack-bolt>=1.20.0", ] whatsapp-personal = [ "neonize>=0.3.14", ] matrix = [ "matrix-nio>=0.24.0", ] teams = [ "botbuilder-core>=4.16.0", "botbuilder-integration-aiohttp>=4.16.0", ] gchat = [ "google-api-python-client>=2.100.0", "google-auth>=2.25.0", ] drive = [ # Google Drive SourceAdapter (zero-copy live federation) — see # src/pocketpaw/connectors/drive/. The client itself runs on httpx (core # dep), but we ship the Google SDK alongside for parity with gchat and # for future DriveIngestAdapter bulk-sync work. "google-api-python-client>=2.100.0", "google-auth>=2.25.0", "google-auth-oauthlib>=1.2.0", ] # --- Tool extras --- image = [ "google-genai>=1.0.0", ] extract = [ "html2text>=2020.1.16", ] voice = [ "elevenlabs>=1.0.0", ] ocr = [ "pytesseract>=0.3.10", ] sarvam = [ "sarvamai>=0.1.25", ] mcp = [ "mcp>=1.0.0", ] # --- Composite extras (flattened — no recursive self-references) --- recommended = [ # browser "playwright>=1.50.0", # memory "mem0ai>=0.1.115", "ollama>=0.6.1", # desktop "psutil>=5.9.0", "pyautogui>=0.9.54", ] channels = [ # telegram "python-telegram-bot>=21.0", # discord "discord-cli-agent>=0.7.0", # slack "slack-bolt>=1.20.0", ] all-channels = [ # telegram "python-telegram-bot>=21.0", # discord "discord-cli-agent>=0.7.0", # slack "slack-bolt>=1.20.0", # whatsapp-personal "neonize>=0.3.14", # matrix "matrix-nio>=0.24.0", # teams "botbuilder-core>=4.16.0", "botbuilder-integration-aiohttp>=4.16.0", # gchat + drive "google-api-python-client>=2.100.0", "google-auth>=2.25.0", "google-auth-oauthlib>=1.2.0", ] all-tools = [ # browser "playwright>=1.50.0", # desktop "psutil>=5.9.0", "pyautogui>=0.9.54", # image "google-genai>=1.0.0", # extract "html2text>=2020.1.16", # voice "elevenlabs>=1.0.0", # ocr "pytesseract>=0.3.10", # sarvam "sarvamai>=0.1.25", # mcp "mcp>=1.0.0", # memory "mem0ai>=0.1.115", "ollama>=0.6.1", # graph "networkx>=3.0", # soul "soul-protocol[engine]>=0.3.0", ] all-backends = [ "pocketpaw[openai-agents,google-adk,copilot-sdk,deep-agents,litellm]", ] enterprise = [ # MongoDB (async ODM) "motor>=3.3.0", "beanie>=1.26.0", # Auth (user management + OAuth2 + JWT with Beanie backend) "fastapi-users[beanie,oauth]>=13.0.0", "pwdlib[argon2]>=0.2.0", # Real-time (Socket.IO compat for enterprise multi-user) "python-socketio>=5.11.0", # Rate limiting "slowapi>=0.1.9", # File storage (S3 + GCS) "boto3>=1.34.0", "google-cloud-storage>=2.14.0", # Voice/video tokens "livekit-api>=0.6.0", # Redis (session cache, pub/sub) "redis[hiredis]>=5.0.0", # OAuth integrations (Google APIs) "google-api-python-client>=2.100.0", "google-auth>=2.25.0", "google-auth-oauthlib>=1.2.0", "pocketpaw[soul]" ] all = [ # browser "playwright>=1.50.0", # memory "mem0ai>=0.1.115", "ollama>=0.6.1", # desktop "psutil>=5.9.0", "pyautogui>=0.9.54", # channels "python-telegram-bot>=21.0", "discord-cli-agent>=0.7.0", "slack-bolt>=1.20.0", "neonize>=0.3.14", "matrix-nio>=0.24.0", "botbuilder-core>=4.16.0", "botbuilder-integration-aiohttp>=4.16.0", "google-api-python-client>=2.100.0", "google-auth>=2.25.0", "google-auth-oauthlib>=1.2.0", # tools "google-genai>=1.0.0", "html2text>=2020.1.16", "elevenlabs>=1.0.0", "pytesseract>=0.3.10", "sarvamai>=0.1.25", "mcp>=1.0.0", # soul "soul-protocol[engine]>=0.3.0", # backends "openai-agents>=0.2.0", "google-adk>=1.0.0", "github-copilot-sdk>=0.1.0", "deepagents>=0.1.0", "langchain-mcp-adapters>=0.1.0", ] dev = [ # all deps (flattened from [all]) "playwright>=1.50.0", "mem0ai>=0.1.115", "ollama>=0.6.1", "psutil>=5.9.0", "pyautogui>=0.9.54", "python-telegram-bot>=21.0", "discord-cli-agent>=0.7.0", "slack-bolt>=1.20.0", "neonize>=0.3.14", "matrix-nio>=0.24.0", "botbuilder-core>=4.16.0", "botbuilder-integration-aiohttp>=4.16.0", "google-api-python-client>=2.100.0", "google-auth>=2.25.0", "google-genai>=1.0.0", "html2text>=2020.1.16", "elevenlabs>=1.0.0", "pytesseract>=0.3.10", "sarvamai>=0.1.25", "mcp>=1.0.0", "openai-agents>=0.2.0", "google-adk>=1.0.0", "github-copilot-sdk>=0.1.0", "deepagents>=0.1.0", "langchain-mcp-adapters>=0.1.0", # dev tools "pytest>=8.0.0", "pytest-asyncio>=0.23.0,<1.0.0", # pinned: incompatible with pytest-asyncio 1.x until asyncio.run() call sites are migrated "pytest-playwright>=0.4.0", "ruff>=0.4.0", "mypy>=1.8.0", ] [project.scripts] pocketpaw = "pocketpaw.__main__:main" [project.urls] Homepage = "https://pocketpaw.xyz" Repository = "https://github.com/pocketpaw/pocketpaw" Issues = "https://github.com/pocketpaw/pocketpaw/issues" Documentation = "https://pocketpaw.xyz/introduction" Discord = "https://discord.gg/asRrtm95Zc" Twitter = "https://twitter.com/prakashd88" [build-system] requires = ["hatchling"] build-backend = "hatchling.build" [tool.hatch.metadata] allow-direct-references = true [tool.hatch.build.targets.wheel] only-include = ["src/pocketpaw", "ee"] [tool.hatch.build.targets.wheel.sources] "src" = "" [tool.ruff] line-length = 100 target-version = "py311" [tool.ruff.lint] select = ["E", "F", "I", "UP"] [dependency-groups] dev = [ # all deps (flattened from [all]) "playwright>=1.50.0", "mem0ai>=0.1.115", "ollama>=0.6.1", "psutil>=5.9.0", "pyautogui>=0.9.54", "python-telegram-bot>=21.0", "discord-cli-agent>=0.7.0", "slack-bolt>=1.20.0", "neonize>=0.3.14", "matrix-nio>=0.24.0", "botbuilder-core>=4.16.0", "botbuilder-integration-aiohttp>=4.16.0", "google-api-python-client>=2.100.0", "google-auth>=2.25.0", "google-genai>=1.0.0", "html2text>=2020.1.16", "elevenlabs>=1.0.0", "pytesseract>=0.3.10", "sarvamai>=0.1.25", "mcp>=1.0.0", "openai-agents>=0.2.0", "google-adk>=1.0.0", "github-copilot-sdk>=0.1.0", "deepagents>=0.1.0", "langchain-mcp-adapters>=0.1.0", # dev tools "pytest>=8.0.0", "pytest-asyncio>=0.23.0,<1.0.0", # pinned: incompatible with pytest-asyncio 1.x until asyncio.run() call sites are migrated "ruff>=0.4.0", "mypy>=1.8.0", "pytest-playwright>=0.7.2", ] [tool.pytest.ini_options] asyncio_mode = "auto" testpaths = ["tests"] addopts = "--ignore=tests/cloud --ignore=tests/e2e" markers = [ "enforce_scope: opt a test out of the global _TESTING_FULL_ACCESS bypass so require_scope fails closed as in production", ]