requirements.txt should pin all dependencies

- need a bare-dependencies.txt for unpinned, direct dependencies
- create requirements.txt from pip freeze after creating clean venv from bare-dependencies.txt
- build image from requirements.txt (all deps pinned)