feat: auto-detect dependency changes and reinstall openant#36
Merged
ar7casper merged 6 commits intoMay 12, 2026
Merged
Conversation
joshbouncesecurity
requested review from
ar7casper,
dgeyshis,
shahar-davidson,
sounil and
yotamleo
as code owners
Contributor
Author
Manual verificationAfter installing this branch:
|
Contributor
Author
Local test resultsBuilt the Go CLI from this branch on Windows and exercised the deps-hash flow. (Note: I needed Commands run: Outcome:
Sample output of the post-install run for transparency: The |
Closed
21 tasks
ar7casper
reviewed
May 12, 2026
ar7casper
force-pushed
the
release/2026-05-12
branch
from
21cd56f to
463e9d0
Compare
Hash pyproject.toml (SHA-256) after each pip install and store in ~/.openant/venv/.deps-hash. On every CLI invocation, EnsureRuntime compares the stored hash with the current file and re-runs `pip install -e` when they differ. This prevents stale venv issues when dependencies change (e.g. swapping anthropic for claude-agent-sdk) — previously the user had to manually uninstall and reinstall. Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
… stale-trigger tests - Record the pyproject.toml hash even when openant is already importable so existing users aren't forced into a one-time reinstall after upgrading to the auto-detect-deps build. - Extract depsStalenessAt(corePath, hashPath) and readHashAt/writeHashAt helpers so the stale-detection logic is unit-testable without invoking pip or touching the real ~/.openant/venv directory. - Add tests covering the modified-pyproject trigger, fresh-state behavior, matching-hash short-circuit, missing pyproject, and empty stored hash.
If writeStoredHash fails after a successful install, the next run would otherwise see no stored hash and trigger a redundant reinstall. Surface the failure as a warning on stderr — consistent with the existing warning in CheckDepsStale — so users can spot a misbehaving venv directory.
If the venv directory does not yet exist (e.g. user runs against a system Python without the managed venv), writeStoredHash would fail every run and trigger a redundant reinstall on the next call. Have writeHashAt MkdirAll its parent first so the marker file always lands successfully.
Extract checkDepsStaleWith so the core-locator is injected rather than called directly, removing the os.Chdir in TestCheckDepsStale_SkipsWhenCoreNotFound (Chdir mutates process-wide CWD and breaks if any sibling test adds t.Parallel). Also document the concurrent-install race as a known limitation. Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
joshbouncesecurity
force-pushed
the
feat/issue16-14-auto-detect-deps
branch
from
9eae267 to
fbb4877
Compare
…ce-reinstall When the hash file was missing and openant was already importable, CheckOpenantInstalled was re-seeding it immediately, causing CheckDepsStale to see a matching hash and skip the reinstall. This broke the documented behaviour where deleting .deps-hash triggers a reinstall. Aligns with origin/master which uses a plain early return. Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
joshbouncesecurity
force-pushed
the
feat/issue16-14-auto-detect-deps
branch
from
71d3437 to
77a919a
Compare
ar7casper
added a commit
that referenced
this pull request
May 13, 2026
Covers the seven PRs in this release: - #35: parse --level default → reachable (CLI consistency with scan + Python CLI) - #36: auto-detect dep changes via ~/.openant/venv/.deps-hash - #37: lazy JS parser npm bootstrap on first use - #39: TypeScript/NestJS DI-aware call resolution (constructor + field + functional inject()) - #40: --language auto opt-in for openant init + non-git path support + shared config/languages.json - #49: Express anonymous route handler extraction (route_handler / route_middleware) - #50: --llm-reachability opt-in stage + cross-parser call_graph.json contract Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The Go CLI now hashes
pyproject.tomlafterpip install -eand re-runs install automatically when dependencies change. Prevents stale venv issues aftergit pullintroduces new dependencies.Addresses item 14 from #16 (does not close the issue).
Test plan
pyproject.tomlskip the install.pyproject.toml(e.g., adding a dep) causes the next CLI invocation to reinstall automatically.~/.openant/venv/.deps-hashand re-running causes a reinstall and recreates the hash.