Skip to content

feat: auto-detect dependency changes and reinstall openant#36

Draft
joshbouncesecurity wants to merge 4 commits intoknostic:masterfrom
joshbouncesecurity:feat/issue16-14-auto-detect-deps
Draft

feat: auto-detect dependency changes and reinstall openant#36
joshbouncesecurity wants to merge 4 commits intoknostic:masterfrom
joshbouncesecurity:feat/issue16-14-auto-detect-deps

Conversation

@joshbouncesecurity
Copy link
Copy Markdown
Contributor

@joshbouncesecurity joshbouncesecurity commented May 4, 2026

Summary

The Go CLI now hashes pyproject.toml after pip install -e and re-runs install automatically when dependencies change. Prevents stale venv issues after git pull introduces new dependencies.

Addresses item 14 from #16 (does not close the issue).

Test plan

  • First run after a fresh checkout installs the venv as before.
  • Subsequent runs with unchanged pyproject.toml skip the install.
  • Modifying pyproject.toml (e.g., adding a dep) causes the next CLI invocation to reinstall automatically.

@joshbouncesecurity @claude
feat: auto-detect dependency changes and reinstall openant (#23)
5476adc 
Hash pyproject.toml (SHA-256) after each pip install and store in
~/.openant/venv/.deps-hash. On every CLI invocation, EnsureRuntime
compares the stored hash with the current file and re-runs
`pip install -e` when they differ.

This prevents stale venv issues when dependencies change (e.g.
swapping anthropic for claude-agent-sdk) — previously the user had
to manually uninstall and reinstall.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@joshbouncesecurity joshbouncesecurity marked this pull request as draft May 4, 2026 18:06
@joshbouncesecurity
fix(cli): avoid spurious reinstall on first run after upgrade and add…
bb772e0 
… stale-trigger tests

- Record the pyproject.toml hash even when openant is already importable so
  existing users aren't forced into a one-time reinstall after upgrading to
  the auto-detect-deps build.
- Extract depsStalenessAt(corePath, hashPath) and readHashAt/writeHashAt
  helpers so the stale-detection logic is unit-testable without invoking
  pip or touching the real ~/.openant/venv directory.
- Add tests covering the modified-pyproject trigger, fresh-state behavior,
  matching-hash short-circuit, missing pyproject, and empty stored hash.
@joshbouncesecurity
fix(cli): warn instead of silently swallowing deps-hash write failures
4fa4c60 
If writeStoredHash fails after a successful install, the next run would
otherwise see no stored hash and trigger a redundant reinstall. Surface
the failure as a warning on stderr — consistent with the existing warning
in CheckDepsStale — so users can spot a misbehaving venv directory.
@joshbouncesecurity
fix(cli): create deps-hash parent directory before writing
0c33a6a 
If the venv directory does not yet exist (e.g. user runs against a system
Python without the managed venv), writeStoredHash would fail every run and
trigger a redundant reinstall on the next call. Have writeHashAt MkdirAll
its parent first so the marker file always lands successfully.
@joshbouncesecurity
Copy link
Copy Markdown
Contributor Author

joshbouncesecurity commented May 4, 2026

Manual verification

After installing this branch:

  • First run: openant --version triggers initial pip install. Confirm ~/.openant/venv/.deps-hash is created.
  • Second run, no changes: openant --version skips install — should be near-instant with no install message.
  • Pyproject changed: edit libs/openant-core/pyproject.toml (e.g., add a comment), re-run: prints "Dependencies changed, updating..." and reinstalls.
  • Hash file deleted: rm ~/.openant/venv/.deps-hash then re-run: reinstalls and recreates the hash.
  • Read-only venv parent: if ~/.openant/venv/ doesn't exist (e.g., custom OPENANT_PYTHON), the helper now MkdirAll's it instead of erroring.

@joshbouncesecurity
Copy link
Copy Markdown
Contributor Author

joshbouncesecurity commented May 4, 2026

Local test results

Built the Go CLI from this branch on Windows and exercised the deps-hash flow. (Note: I needed OPENANT_PYTHON pointing at Scripts/python.exe because the managed-venv path uses bin/python which is the documented Windows limitation, unrelated to this PR.)

Commands run:

go build -o openant.exe ./
# Hash exists from prior install
ls ~/.openant/venv/.deps-hash      # present, sha256 = f251e66e...

# Delete hash to simulate "first run / hash missing"
rm ~/.openant/venv/.deps-hash
OPENANT_PYTHON=...Scripts/python.exe ./openant.exe parse <fixture>
# -> ran install, recreated .deps-hash

# Run again with hash present and no pyproject change
./openant.exe parse <fixture>
# -> NO install message, jumped straight to parser

Outcome:

  • First run / hash missing: install ran, .deps-hash (re)created ✅
  • Second run, no changes: skipped install, near-instant ✅
  • Pyproject-changed and hash-deleted paths: I tested the hash-deleted path (covers the same code path as pyproject-changed since both produce a hash mismatch). Did not edit pyproject.toml to avoid touching the worktree.
  • (n/a) Read-only-venv-parent MkdirAll branch: not exercised — the venv parent already existed.

Sample output of the post-install run for transparency:

Creating managed Python environment at ~/.openant/venv/...
Installing openant from ...libs/openant-core...
[Reachability Filter] ...  -> 5 units written

The .deps-hash was correctly written after the install completed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sounil sounil Awaiting requested review from sounil sounil is a code owner

@shahar-davidson shahar-davidson Awaiting requested review from shahar-davidson shahar-davidson is a code owner

@yotamleo yotamleo Awaiting requested review from yotamleo yotamleo is a code owner

@dgeyshis dgeyshis Awaiting requested review from dgeyshis dgeyshis is a code owner

@ar7casper ar7casper Awaiting requested review from ar7casper ar7casper is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@joshbouncesecurity