docs(packaging): switch install docs to pyproject workflows

CONTRIBUTING.md

@@ -14,7 +14,7 @@ Thank you for your interest in contributing to the OWASP AIBOM Generator! This p
 
    ```bash
    # Local Python setup
-   pip install -r requirements.txt
+   pip install .[dev]
    ```
 
 ## Development Workflow
@@ -128,6 +128,7 @@ aibom-generator/
 │   └── templates/            # HTML templates
 ├── tests/                    # Unit and integration tests
 └── requirements.txt
+└── pyproject.toml
 ```
 
 ### Key Concepts
@@ -141,7 +142,7 @@ aibom-generator/
 
 ```bash
 # Install test dependencies
-pip install -r requirements.txt
+pip install .[dev]
 
 # Run all tests
 pytest
@@ -158,7 +159,7 @@ pytest tests/test_validation.py -v
 ### Local Development (Recommended)
 
 ```bash
-pip install -r requirements.txt
+pip install .[dev]
 
 # Run API server
 python -m uvicorn src.main:app --reload --port 7860
@@ -167,6 +168,19 @@ python -m uvicorn src.main:app --reload --port 7860
 python -m src.cli --model_id "microsoft/DialoGPT-medium"
 ```
 
+## Updating Dependencies
+
+`pyproject.toml` is the source of truth for all dependencies. `requirements.txt` is a generated artifact derived from it and must be kept in sync.
+
+After adding or removing a dependency in `pyproject.toml`, regenerate `requirements.txt` and sync the lock file:
+
+```bash
+uv pip compile pyproject.toml -o requirements.txt
+uv lock
+```
+
+Commit `pyproject.toml`, `requirements.txt`, and `uv.lock` together.
+
 ## Areas Welcoming Contributions
 
 We especially welcome contributions in these areas:

requirements.txt

@@ -1,27 +1,237 @@
-huggingface_hub>=0.19.0
-transformers>=4.36.0
-torch>=2.0.0
-fastapi>=0.104.0
-uvicorn>=0.24.0
-pydantic>=2.4.0
-requests>=2.31.0
-python-dotenv>=1.0.0
-PyYAML>=6.0.1
-flask>=2.3.0
-gunicorn>=21.2.0
-cyclonedx-python-lib>=4.0.0
-packageurl-python>=0.17.6
-python-multipart
-jinja2>=3.0.0
-datasets>=2.0.0
-beautifulsoup4>=4.11.0
-nltk>=3.8.0
-python-dateutil>=2.8.0
-jsonschema>=4.17.0
-sentencepiece>=0.1.99
-
-# Test dependencies
-pytest>=7.0.0
-pytest-mock>=3.10.0
-pytest-cov>=4.0.0
-gguf>=0.6.0
+# This file was autogenerated by uv via the following command:
+#    uv pip compile pyproject.toml -o requirements.txt
+aiohappyeyeballs==2.6.1
+    # via aiohttp
+aiohttp==3.13.5
+    # via fsspec
+aiosignal==1.4.0
+    # via aiohttp
+annotated-doc==0.0.4
+    # via
+    #   fastapi
+    #   typer
+annotated-types==0.7.0
+    # via pydantic
+anyio==4.13.0
+    # via
+    #   httpx
+    #   starlette
+attrs==26.1.0
+    # via
+    #   aiohttp
+    #   jsonschema
+    #   referencing
+beautifulsoup4==4.14.3
+    # via owasp-aibom-generator (pyproject.toml)
+blinker==1.9.0
+    # via flask
+boolean-py==5.0
+    # via license-expression
+certifi==2026.2.25
+    # via
+    #   httpcore
+    #   httpx
+    #   requests
+charset-normalizer==3.4.7
+    # via requests
+click==8.3.2
+    # via
+    #   flask
+    #   typer
+    #   uvicorn
+datasets==4.8.4
+    # via owasp-aibom-generator (pyproject.toml)
+dill==0.4.1
+    # via
+    #   datasets
+    #   multiprocess
+fastapi==0.135.3
+    # via owasp-aibom-generator (pyproject.toml)
+filelock==3.28.0
+    # via
+    #   datasets
+    #   huggingface-hub
+    #   torch
+flask==3.1.3
+    # via owasp-aibom-generator (pyproject.toml)
+frozenlist==1.8.0
+    # via
+    #   aiohttp
+    #   aiosignal
+fsspec==2026.2.0
+    # via
+    #   datasets
+    #   huggingface-hub
+    #   torch
+gunicorn==25.3.0
+    # via owasp-aibom-generator (pyproject.toml)
+h11==0.16.0
+    # via
+    #   httpcore
+    #   uvicorn
+hf-xet==1.4.3
+    # via huggingface-hub
+httpcore==1.0.9
+    # via httpx
+httpx==0.28.1
+    # via
+    #   owasp-aibom-generator (pyproject.toml)
+    #   datasets
+    #   huggingface-hub
+huggingface-hub==1.10.2
+    # via
+    #   owasp-aibom-generator (pyproject.toml)
+    #   datasets
+    #   tokenizers
+    #   transformers
+idna==3.11
+    # via
+    #   anyio
+    #   httpx
+    #   requests
+    #   yarl
+itsdangerous==2.2.0
+    # via flask
+jinja2==3.1.6
+    # via
+    #   owasp-aibom-generator (pyproject.toml)
+    #   flask
+    #   torch
+jsonschema==4.26.0
+    # via owasp-aibom-generator (pyproject.toml)
+jsonschema-specifications==2025.9.1
+    # via jsonschema
+license-expression==30.4.4
+    # via owasp-aibom-generator (pyproject.toml)
+markdown-it-py==4.0.0
+    # via rich
+markupsafe==3.0.3
+    # via
+    #   flask
+    #   jinja2
+    #   werkzeug
+mdurl==0.1.2
+    # via markdown-it-py
+mpmath==1.3.0
+    # via sympy
+multidict==6.7.1
+    # via
+    #   aiohttp
+    #   yarl
+multiprocess==0.70.19
+    # via datasets
+networkx==3.6.1
+    # via torch
+numpy==2.4.4
+    # via
+    #   datasets
+    #   pandas
+    #   transformers
+packageurl-python==0.17.6
+    # via owasp-aibom-generator (pyproject.toml)
+packaging==26.1
+    # via
+    #   datasets
+    #   gunicorn
+    #   huggingface-hub
+    #   transformers
+pandas==3.0.2
+    # via datasets
+propcache==0.4.1
+    # via
+    #   aiohttp
+    #   yarl
+pyarrow==23.0.1
+    # via datasets
+pydantic==2.13.0
+    # via
+    #   owasp-aibom-generator (pyproject.toml)
+    #   fastapi
+pydantic-core==2.46.0
+    # via pydantic
+pygments==2.20.0
+    # via rich
+python-dateutil==2.9.0.post0
+    # via pandas
+python-multipart==0.0.26
+    # via owasp-aibom-generator (pyproject.toml)
+pyyaml==6.0.3
+    # via
+    #   owasp-aibom-generator (pyproject.toml)
+    #   datasets
+    #   huggingface-hub
+    #   transformers
+referencing==0.37.0
+    # via
+    #   jsonschema
+    #   jsonschema-specifications
+regex==2026.4.4
+    # via transformers
+requests==2.33.1
+    # via
+    #   owasp-aibom-generator (pyproject.toml)
+    #   datasets
+rich==15.0.0
+    # via typer
+rpds-py==0.30.0
+    # via
+    #   jsonschema
+    #   referencing
+safetensors==0.7.0
+    # via transformers
+sentencepiece==0.2.1
+    # via owasp-aibom-generator (pyproject.toml)
+setuptools==81.0.0
+    # via torch
+shellingham==1.5.4
+    # via typer
+six==1.17.0
+    # via python-dateutil
+soupsieve==2.8.3
+    # via beautifulsoup4
+starlette==1.0.0
+    # via fastapi
+sympy==1.14.0
+    # via torch
+tokenizers==0.22.2
+    # via transformers
+torch==2.11.0
+    # via owasp-aibom-generator (pyproject.toml)
+tqdm==4.67.3
+    # via
+    #   datasets
+    #   huggingface-hub
+    #   transformers
+transformers==5.5.4
+    # via owasp-aibom-generator (pyproject.toml)
+typer==0.24.1
+    # via
+    #   huggingface-hub
+    #   transformers
+typing-extensions==4.15.0
+    # via
+    #   aiosignal
+    #   anyio
+    #   beautifulsoup4
+    #   fastapi
+    #   huggingface-hub
+    #   pydantic
+    #   pydantic-core
+    #   referencing
+    #   starlette
+    #   torch
+    #   typing-inspection
+typing-inspection==0.4.2
+    # via
+    #   fastapi
+    #   pydantic
+urllib3==2.6.3
+    # via requests
+uvicorn==0.44.0
+    # via owasp-aibom-generator (pyproject.toml)
+werkzeug==3.1.8
+    # via flask
+xxhash==3.6.0
+    # via datasets
+yarl==1.23.0
+    # via aiohttp