chore(deps): drop transitives from requirements.txt, split prod from dev

[timon0305]

Problem

requirements.txt listed 15 pinned packages, but only two are directly imported anywhere in the source: Flask (production) and pytest (test-only). The other 13 are transitive deps that pip resolves automatically. Side effects: production users following the README's pip install -r requirements.txt step get a test framework they don't need, and there was no clean place to declare dev-only deps.

Change

• requirements.txt: keep Flask==3.1.3 only.
• New requirements-dev.txt: -r requirements.txt + pytest==9.0.2.
• .github/workflows/ci.yml: split into two jobs:
  • prod-install-smoke — installs requirements.txt only and boots the app via test_client. Catches future PRs that add a direct third-party import without bumping requirements.txt.
  • pytest — installs requirements-dev.txt, runs the suite. Cache key now tracks both files.
• README.md: new Development section pointing at requirements-dev.txt for tests.

Test plan

• pip install -r requirements.txt from a clean venv → 7 packages auto-resolved (Flask + 6 transitives)
• python app.py --port 5701 on prod-only venv → boots, GET / / /api/projects / /api/search?q=x all 200, GET /api/sessions/x/y 404 as expected
• scripts/export.py --help and scripts/export.py list work on prod-only venv
• pip install -r requirements-dev.txt from a clean venv → 12 packages
• pytest tests/ on dev venv → 92/92 pass
• actionlint .github/workflows/ci.yml → exit 0

Closes #27

Summary by CodeRabbit

• Chores

  • Added production verification job in CI pipeline to validate app startup and root endpoint.
  • Separated development and production dependencies for clearer environment management.

• Documentation

  • Added Development section explaining how to run the test suite locally.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: de4ca542-278e-4472-bebf-e6e98bf2eab8

📥 Commits

Reviewing files that changed from the base of the PR and between 289c0da and 9eeefc7.

📒 Files selected for processing (4)

• .github/workflows/ci.yml
• README.md
• requirements-dev.txt
• requirements.txt

💤 Files with no reviewable changes (1)

• requirements.txt

---

📝 Walkthrough

Walkthrough

The PR separates production and development dependencies into two requirement files, creates a new requirements-dev.txt with pytest, strips requirements.txt to Flask only, adds a production smoke-test job to CI that verifies the app boots with production dependencies, and documents the development workflow in the README.

Changes

Dependency Separation and Verification

Layer / File(s)	Summary
Dependency Split requirements.txt, requirements-dev.txt	requirements.txt is simplified to Flask==3.1.3 only. New requirements-dev.txt includes -r requirements.txt and pytest==9.0.2, moving test framework to dev-only.
CI Smoke Test .github/workflows/ci.yml	New prod-install-smoke job installs production dependencies and runs an inline Python script to import the app, boot it, and assert the root endpoint returns 200. Existing pytest job now installs from requirements-dev.txt. Cache dependency paths expanded to include both requirement files.
Documentation README.md	Development section added with instructions to install dev dependencies and run pytest. Continuous integration section notes the separate smoke test that verifies production install.

Sequence Diagram

sequenceDiagram
    actor CI as CI Runner
    participant pip as pip
    participant Flask as Flask App
    participant Client as Test Client
    
    CI->>pip: pip install -r requirements.txt
    pip-->>Flask: Flask==3.1.3
    CI->>Flask: import app
    CI->>Flask: app.run() initialization
    Flask-->>CI: app ready
    CI->>Client: create test client
    Client->>Flask: GET /
    Flask-->>Client: HTTP 200
    Client-->>CI: assertion passed ✓

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

• clean6378-max-it
• wpak-ai

Poem

🐰 Requirements split with careful care,
Flask stays, pytest needs its pair,
Smoke test boots the app so bright,
Production's clean, dependencies right!
Dev and prod now walk their own way,
Cleaner installs, hip-hip-hooray! 🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: removing transitive dependencies from requirements.txt and separating production from development dependencies.
Linked Issues check	✅ Passed	The pull request fully implements all coding requirements from issue #27: simplified requirements.txt to Flask only, added requirements-dev.txt with pytest, updated CI workflow with separate prod/dev jobs, added README development section, and implemented production smoke test.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with issue #27 objectives. The modifications to CI, requirements files, and README are all necessary to complete the stated goals.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/requirements-cleanup-27

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}