fix: declare anthropic and tree-sitter-zig, guard against dep drift#30
Merged
joshbouncesecurity merged 1 commit into master on Apr 19, 2026
PR #25 claimed to remove `anthropic` from pyproject.toml but left four files still using it (`utilities/context_enhancer.py`, `utilities/finding_verifier.py`, `utilities/agentic_enhancer/agent.py`, `report/generator.py`). Every clean install fails at `from utilities ...` because `utilities/__init__.py` eagerly loads `context_enhancer`. The upstream merge also added a Zig parser that imports `tree_sitter_zig` without declaring it.

- Re-declare `anthropic>=0.40.0` and add `tree-sitter-zig>=0.20.0` to pyproject.toml so the declared deps match actual imports.
- Delete requirements.txt — it was a hand-maintained duplicate of pyproject.toml's deps, and the drift is exactly what let #25 slip through CI. Single source of truth now.
- Update CI to install via `pip install -e ".[dev]"` so pyproject.toml is exercised on every run.
- Add `tests/test_declared_dependencies.py`: a static check that every third-party import under the packaged dirs maps to a declared dependency, plus a smoke test that each packaged top-level module imports cleanly. Catches the regression class directly.
- Update README install instructions to match.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
joshbouncesecurity added a commit that referenced this pull request on Apr 19, 2026
Final step of the SDK migration tracked in issue #35. Removes "anthropic>=0.40.0" from pyproject.toml now that no Python code under libs/openant-core/ still imports it.

Cleanup alongside the dep drop:

- `utilities/context_enhancer.py`: remove the now-orphaned `import anthropic`. PR #34 took it out of `_build_error_info`; PR #36 removed `shared_client`. The import line was kept alive across both as a staging measure.
- `openant/cli.py` (cmd_report_data): replace the last `anthropic.Anthropic()` instantiation — used for the HTML report's remediation-guidance LLM call — with `AnthropicClient(model=MODEL_AUXILIARY).analyze_sync(...)`. Usage tracking is now automatic via the global TokenTracker; cost display pulls from `client.get_last_call()`. Neither PR #36 nor #37 touched this site because it was outside their scope; the dep-drift test (PR #30) surfaced it when pyproject.toml's dependency list shrank.
- `utilities/rate_limiter.py`: update the module docstring's example. The pre-migration example showed `except anthropic.RateLimitError as e: retry_after = e.response.headers.get(...)`. That code path no longer exists — rate-limit detection is centralised in `llm_client._run_query`, which raises `utilities.sdk_errors.RateLimitError` after notifying the global limiter. Example updated to match.

Verification:

- `grep -rn '^import anthropic\|^from anthropic' libs/openant-core/` returns zero hits.
- `grep -rn 'anthropic\.' libs/openant-core/` returns only a historical docstring reference in `sdk_errors.py`.
- `tests/test_declared_dependencies.py` passes — the regression guard from PR #30 now enforces that no undeclared imports exist with anthropic gone.
- `tests/test_sdk_errors.py` (12) + `tests/test_sdk_error_surfacing.py` (9) all pass.
- `import openant, core, utilities, parsers, prompts, context, report` all succeed.

End state: zero `anthropic` Python dep, all LLM traffic routes through the Claude Agent SDK via `utilities.llm_client`.

Step 8 (end-to-end verification with a live API key) is the only remaining non-user-action item in the plan.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

- Re-declare `anthropic` and add `tree-sitter-zig` in `pyproject.toml` so declared deps match actual imports; a clean `pip install -e .` no longer crashes `openant parse` at `from utilities ...`.
- Delete `libs/openant-core/requirements.txt` and switch CI to `pip install -e ".[dev]"` — a single source of truth for deps, and the codepath that just broke is now exercised on every CI run.
- Add `tests/test_declared_dependencies.py`: a static check that every third-party import under the packaged dirs maps to a declared dependency, plus a smoke test that each packaged top-level module imports cleanly.

Why

PR #25 ("migrate all LLM calls to Claude Agent SDK") dropped `anthropic` from `pyproject.toml` but left four files still using it live: `utilities/context_enhancer.py` (not even mentioned in the PR body), `utilities/finding_verifier.py`, `utilities/agentic_enhancer/agent.py`, and `report/generator.py` — the factory-based `create_anthropic_client()` callsites were cleaned up, but direct `anthropic.Anthropic()` fallbacks and `except anthropic.RateLimitError` handlers were left in place. Because `utilities/__init__.py` eagerly loads `context_enhancer`, any clean install blows up at import time.

The bug stayed hidden because CI installed from `requirements.txt` (which still pinned `anthropic==0.75.0`), dev venvs already had `anthropic` from before the migration, and the three manual smoke-tests in #25's own test plan were never checked off. The upstream merge (#29) then added a Zig parser that imports `tree_sitter_zig` without declaring it — same bug pattern, same reason nobody noticed.

Test plan

- `pytest libs/openant-core/tests/test_declared_dependencies.py` passes (8/8).
- (`test_parser_adapter.py`, `test_token_tracker.py` sampled).
- `pip install -e .` into a fresh managed venv (`~/.openant/venv/`) — `import openant, core, utilities, parsers, prompts, context, report` all succeed.
- `openant --help` (via the Go CLI driving the managed venv) runs.

Follow-ups (not in this PR)

- Replace `anthropic.Anthropic()` instantiations and `anthropic.*Error` catches in the four files above with `claude-agent-sdk` equivalents. Then `anthropic` can actually come out of `pyproject.toml`.

🤖 Generated with Claude Code
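The static check the PR describes (every third-party import under the packaged dirs must map to a declared dependency) can be built from the standard library alone. The block below is an added illustration, not the project's `tests/test_declared_dependencies.py`: it walks each source file's AST for absolute imports, derives the declared set from `[project].dependencies` and `[project.optional-dependencies]` with a small line-based TOML reader (an assumption that keeps it independent of `tomllib`), maps distribution names to import names through a hand-written override table, and reports any module that is neither stdlib, first-party, nor declared. The sample `pyproject.toml` text and the four source files are constructed to mirror the drift the PR describes: `anthropic` and `tree_sitter_zig` imported but undeclared, then fixed.

```python
"""Dependency-drift guard: flag third-party imports that have no declared dependency."""
import ast
import re
import sys
from collections import defaultdict

# Python 3.10+ exposes the authoritative stdlib list; the small fallback covers the sample below.
STDLIB = frozenset(getattr(sys, "stdlib_module_names", ())) | {"os", "sys", "json", "re", "ast", "pathlib"}

# Distribution name -> importable top-level module where the two differ. Constructed table for this
# example; a real test can derive it from importlib.metadata.packages_distributions() instead.
DIST_TO_MODULE = {
    "tree-sitter": "tree_sitter",
    "tree-sitter-zig": "tree_sitter_zig",
    "pyyaml": "yaml",
    "pillow": "PIL",
}


def declared_requirements(pyproject_text):
    """Requirement strings from [project].dependencies and every [project.optional-dependencies] group."""
    reqs, table, collecting = [], None, False
    for raw in pyproject_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("["):  # table header such as [project]
            table, collecting = line.strip("[]").strip(), False
            continue
        if "=" in line and not collecting:  # start of a key = [...] array?
            key = line.split("=", 1)[0].strip()
            collecting = (table == "project" and key == "dependencies") or table == "project.optional-dependencies"
            if not collecting:
                continue
        if collecting:
            reqs.extend(re.findall(r'"([^"]+)"', line))
            if line.endswith("]"):
                collecting = False
    return reqs


def requirement_name(req):
    """'Tree_Sitter.Zig[extra]>=0.20; python_version>"3"' -> 'tree-sitter-zig' (PEP 503 normalisation)."""
    name = re.split(r"[\[<>=!~;@ ]", req.strip(), maxsplit=1)[0]
    return re.sub(r"[-_.]+", "-", name).lower()


def import_name(dist):
    """Importable module for a normalised distribution name."""
    return DIST_TO_MODULE.get(dist, dist.replace("-", "_"))


def top_level_imports(source):
    """Absolute top-level modules imported anywhere in the file (try/except and function bodies included)."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])  # relative imports (level > 0) are first-party
    return names


def undeclared_imports(sources, pyproject_text):
    """Map each undeclared third-party module to the files that import it; empty dict means clean."""
    declared = {import_name(requirement_name(r)) for r in declared_requirements(pyproject_text)}
    local = {path.split("/")[0] for path in sources}  # packaged top-level dirs are first-party
    offenders = defaultdict(list)
    for path, source in sorted(sources.items()):
        for mod in sorted(top_level_imports(source)):
            if mod not in STDLIB and mod not in local and mod not in declared:
                offenders[mod].append(path)
    return dict(offenders)


# Constructed sample pyproject.toml: the state that lets the drift through, and the corrected one.
PYPROJECT_BEFORE = '''
[project]
name = "openant-core"
dependencies = [
    "tree-sitter>=0.22",
    "click>=8.0",
]

[project.optional-dependencies]
dev = ["pytest>=8"]
'''
PYPROJECT_AFTER = PYPROJECT_BEFORE.replace(
    '"click>=8.0",', '"click>=8.0",\n    "anthropic>=0.40.0",\n    "tree-sitter-zig>=0.20.0",'
)

# Constructed sample sources, keyed by path relative to the package root.
SOURCES = {
    "utilities/__init__.py": "from . import context_enhancer\n",
    "utilities/context_enhancer.py": "import json\nimport anthropic\nfrom utilities.rate_limiter import RateLimiter\n",
    "parsers/zig_parser.py": "from tree_sitter import Language, Parser\ntry:\n    import tree_sitter_zig\nexcept ImportError:\n    tree_sitter_zig = None\n",
    "report/generator.py": "import os\nfrom pathlib import Path\nimport anthropic\nimport click\n",
}

if __name__ == "__main__":
    for label, text in (("before", PYPROJECT_BEFORE), ("after", PYPROJECT_AFTER)):
        print(label, undeclared_imports(SOURCES, text) or "clean")
```

Run against a real tree, `SOURCES` would be built by reading every `*.py` under the packaged directories; the first-party set then comes from those directory names exactly as here. Because the walk covers imports inside `try`/`except` and function bodies, an optional import guarded by `ImportError` is still reported, which is the right default for a guard whose job is to keep the declared list honest.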