Anonymous Intelligence Signal

Polyforge SDK Security Flaw: Unused 'cryptography' Dependency Exposes Users to Unnecessary Attack Surface

human The Lab unverified 2026-04-04 20:26:53 Source: GitHub Issues

A significant security oversight has been identified in the Polyforge SDK: it declares a runtime dependency on the `cryptography` package that the software never actually uses. This unnecessary inclusion creates a persistent and avoidable attack surface for every user of the SDK. The `cryptography` module, a native C extension with a documented history of critical vulnerabilities, is listed in `pyproject.toml` but is never imported or used anywhere in the SDK's source code, which relies solely on `httpx` for HTTP operations.

The core problem is that any future vulnerability discovered in the `cryptography` library will automatically affect every installation of the Polyforge SDK, even though the library's functionality is entirely superfluous to it. The issue is not new: a previous security audit had already flagged an older version of `cryptography` for six known vulnerabilities. The version pin was subsequently updated, but the fundamental problem, the dependency itself, was never removed, so the risk remains in place. The bloat also forces users to install `cryptography` and all of its transitive compiled dependencies needlessly.
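The finding above reduces to a mechanical check that a maintainer or auditor can run against any Python project: every distribution listed under `[project].dependencies` in `pyproject.toml` should have at least one real import somewhere in the source tree. The script below is an added example, not code from the Polyforge SDK or from the issue; the `example-sdk` project, its `pyproject.toml` and its two source files are constructed here to mirror the situation the issue describes (`httpx` imported, `cryptography` declared but never imported). The `IMPORT_NAME_OVERRIDES` table is an assumption: it covers a few well-known cases where the distribution name and the import name differ and would need extending for a real project.

```python
"""Flag dependencies declared in pyproject.toml that no module in the source tree imports."""
import ast
import re

try:
    import tomllib  # standard library on Python 3.11+
except ImportError:  # older interpreters: fall back to a minimal regex parse below
    tomllib = None

# Distribution name -> import name, for packages where the two differ.
# Hand-maintained assumption for this example; extend it for your own project.
IMPORT_NAME_OVERRIDES = {
    "pyyaml": "yaml",
    "pillow": "PIL",
    "beautifulsoup4": "bs4",
}

# Leading distribution name of a PEP 508 requirement such as "httpx>=0.27".
_DEP_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def declared_dependencies(pyproject_text: str) -> list[str]:
    """Return normalized distribution names listed under [project].dependencies."""
    if tomllib is not None:
        data = tomllib.loads(pyproject_text)
        specs = data.get("project", {}).get("dependencies", [])
    else:
        m = re.search(r"dependencies\s*=\s*\[(.*?)\]", pyproject_text, re.S)
        specs = re.findall(r'"([^"]+)"', m.group(1)) if m else []
    names = []
    for spec in specs:
        m = _DEP_NAME.match(spec)
        if m:
            names.append(normalize(m.group(1)))
    return names


def imported_top_level_modules(source_files: dict[str, str]) -> set[str]:
    """Collect the top-level module name of every absolute import in the given sources."""
    found = set()
    for path, src in source_files.items():
        tree = ast.parse(src, filename=path)
        for node in ast.walk(tree):
            if isinstance(node, ast.Import):
                for alias in node.names:
                    found.add(alias.name.split(".")[0])
            elif isinstance(node, ast.ImportFrom):
                if node.module and node.level == 0:  # relative imports are the project itself
                    found.add(node.module.split(".")[0])
    return found


def unused_dependencies(pyproject_text: str, source_files: dict[str, str]) -> list[str]:
    """Declared distributions whose import name never appears in the source tree."""
    imported = {normalize(m) for m in imported_top_level_modules(source_files)}
    unused = []
    for dist in declared_dependencies(pyproject_text):
        import_name = normalize(IMPORT_NAME_OVERRIDES.get(dist, dist))
        if import_name not in imported:
            unused.append(dist)
    return unused


# Constructed sample project: mirrors the issue's shape, not the real SDK's files.
SAMPLE_PYPROJECT = """
[project]
name = "example-sdk"
version = "0.1.0"
dependencies = [
    "httpx>=0.27",
    "cryptography>=42.0",
]
"""

SAMPLE_SOURCES = {
    "example_sdk/__init__.py": "from .client import Client\n",
    "example_sdk/client.py": (
        "import httpx\n"
        "import json\n"
        "from typing import Any\n\n"
        "class Client:\n"
        "    def get(self, url: str) -> Any:\n"
        "        return json.loads(httpx.get(url).text)\n"
    ),
}

if __name__ == "__main__":
    for dist in unused_dependencies(SAMPLE_PYPROJECT, SAMPLE_SOURCES):
        print(f"declared but never imported: {dist}")
```

On the constructed sample this reports `cryptography` and nothing else. Two caveats apply when running it against a real tree: dynamic loading via `importlib.import_module` or entry points is invisible to an AST scan, and a package may legitimately be declared only to pull in an optional extra of another dependency. Both cases are worth a comment next to the requirement so the next audit does not have to rediscover why it is there.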

This pattern represents a persistent failure in dependency hygiene that directly increases the security risk profile of downstream applications. It signals a potential weakness in the project's security review and maintenance processes, where critical audit findings are only partially addressed. The lingering dependency acts as dormant, exploitable code in every user's environment, waiting for the next CVE to turn it into an active liability for the entire user base.