build: add pyproject.toml and Python packaging infrastructure (closes #45)

[bradjin8]

Closes #45 .

Problem

The project had no pyproject.toml, setup.py, or setup.cfg, making it a non-installable Python package. This forced scripts/export.py to use a fragile sys.path.insert(0, project_root) hack to import shared modules, and blocked using proper console-script entry points. It also made pywebview (a desktop-only system dependency) silently entangled with the web-server install path.

Changes

pyproject.toml (new)

• Build backend: hatchling>=1.21 (modern flat-layout support; no src/ restructuring needed)
• Project metadata: name, version, description, license, authors, requires-python = ">=3.11"
• Runtime deps bounded on both sides: flask>=3.0,<4, fpdf2>=2.7,<3 — deterministic CI resolution and early detection of breaking major releases
• Optional extras:
  • [desktop] — pywebview>=5.0,<6 (heavy system libs intentionally excluded from web-server and CI installs)
  • [dev] — pytest>=8,<9, mypy>=1.10,<2
• Console scripts: cursor-chat-export = "scripts.export:main" (primary CLI), cursor-chat-browser = "launcher:main" (desktop, requires [desktop])
• Explicit wheel include list: api/, models/, scripts/, services/, utils/, app.py, launcher.py
• [tool.mypy] config mirroring CI flags; exclude for venv//build//dist/ so local mypy . matches CI output

requirements.txt (updated)

• Added header comment declaring pyproject.toml as the canonical source of truth; existing lower-bound pins retained for backward compatibility

Verification

pip install -e ".[dev]"   # → Successfully built cppa-cursor-browser-0.1.0
cursor-chat-export --help  # → prints full usage, exit 0
python -m unittest discover tests -v  # → Ran 262 tests … OK (skipped=2)
mypy --ignore-missing-imports --no-strict-optional --pretty .
# → 1 pre-existing error (os.uname POSIX-only on Windows); zero errors on Linux CI

Notes

• The sys.path.insert hack in scripts/export.py is intentionally left in place for this PR — it will be removed when the export script is refactored to delegate to the service layer (issue Export Script Reimplements Service Layer (~700 LOC) #42 , planned Wednesday).
• Upper bounds on requirements.txt and the lock file generation are tracked separately in issue Unbounded Dependency Pins in requirements.txt #47 .

Summary by CodeRabbit

• New Features

  • Two command-line tools added for export and browser launch

• Chores

  • Centralized packaging and build configuration with bundled assets
  • Runtime dependencies bounded and a desktop optional extra
  • Development extras and type-checker configuration added

• Documentation

  • Requirements file updated as a compatibility/install guidance shim

• Tests

  • CI expanded to include Python 3.10 in test matrix

• Behavior

  • Desktop launcher exits with clear guidance if GUI dependency is missing

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5574fa94-08e8-460e-9a37-62c1bd5ef488

📥 Commits

Reviewing files that changed from the base of the PR and between cebefce and 84366c4.

📒 Files selected for processing (2)

• pyproject.toml
• requirements.txt

🚧 Files skipped from review as they are similar to previous changes (2)

• requirements.txt
• pyproject.toml

---

📝 Walkthrough

Walkthrough

Adds a Hatch-based pyproject.toml (requires-python >=3.10) with bounded runtime deps and extras, registers two console scripts, configures wheel/sdist include lists and MyPy settings, updates requirements.txt guidance, guards pywebview import in launcher.main(), and expands CI matrix to include Python 3.10.

Changes

Python packaging infrastructure setup

Layer / File(s)	Summary
Package metadata, dependencies, and entry points pyproject.toml, requirements.txt	Declares project metadata and requires-python = ">=3.10", runtime dependencies (flask, fpdf2, pillow), optional extras (desktop, dev), and console scripts cursor-chat-export and cursor-chat-browser. requirements.txt kept with guidance to mirror pyproject.toml and pywebview moved to .[desktop].
Build inclusion lists and MyPy configuration pyproject.toml	Configures Hatch wheel and sdist include lists (application modules, templates/, static/, tests/, and distribution files) and adds MyPy settings (ignore_missing_imports, no_strict_optional, pretty) with exclude patterns for venv/build/dist.
Desktop launcher import guard launcher.py	Defers pywebview import into launcher.main() and raises a SystemExit with instructions to install the .[desktop] extra if missing.
CI matrix update .github/workflows/tests.yml	Adds Python 3.10 to the unit-test matrix (now 3.10, 3.11, 3.12, 3.13).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• cppalliance/cppa-cursor-browser#19: Also modified the GitHub Actions unit-test Python matrix.

Suggested reviewers

• wpak-ai

Poem

A rabbit hops with eager cheer, 🐇
Pyproject lands and paths grow clear.
Extras tucked and scripts set right,
Launcher guards the desktop flight—
Install, run, the package near. 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the primary change: adding pyproject.toml and Python packaging infrastructure to make the repo installable.
Linked Issues check	✅ Passed	All acceptance criteria from issue #45 are addressed: pyproject.toml created with metadata, runtime/dev dependencies declared with bounds, console-script entry points defined, pip install works, and requirements.txt retained with documentation.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to issue #45 packaging infrastructure: pyproject.toml setup, requirements.txt updates, CI Python version alignment, and launcher.py optional import handling for desktop extra.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/missing-pyproject-toml-and-packaging

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pyproject.toml`:
- Around line 50-59: The wheel package currently omits the Flask runtime asset
directories; update the wheel target's include list in pyproject.toml to add the
"templates/" and "static/" directories so that app.py's Flask configuration
(static_folder="static", template_folder="templates") and calls like
render_template() and send_from_directory() will find the runtime assets after
installation.

In `@requirements.txt`:
- Around line 6-11: Remove the desktop-only dependency pywebview from
requirements.txt so CI/web-server installs and pip install -r requirements.txt
no longer pull GUI libraries; update requirements.txt to exclude the line
"pywebview>=5.0" and ensure README or the header comments point users to install
desktop extras with pip install -e ".[desktop]" (pywebview is only used by
launcher.py, so keep it in [project.optional-dependencies].desktop in
pyproject.toml).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 02b8e2e4-795d-454a-af85-a0a9e0afa29b

📥 Commits

Reviewing files that changed from the base of the PR and between 91a8d6e and f7af02d.

📒 Files selected for processing (2)

• pyproject.toml
• requirements.txt

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pyproject.toml`:
- Around line 18-21: The project dependencies list in pyproject.toml does not
explicitly constrain Pillow, allowing resolvers to pick known-vulnerable
versions; update project.dependencies (the dependencies array containing
"flask>=3.0,<4" and "fpdf2>=2.7,<3") to include an explicit safe Pillow
constraint such as "pillow>=10.0.0,<11" (or "pillow>=10.0.0" if you prefer no
upper bound) so transitive resolution cannot select vulnerable Pillow releases.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2e83303a-5bcb-45e5-a35f-3b64f3ed1c1e

📥 Commits

Reviewing files that changed from the base of the PR and between f7af02d and 72d63ec.

📒 Files selected for processing (2)

• pyproject.toml
• requirements.txt

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/tests.yml (1)

43-49: ⚡ Quick win

Consider adding a step to verify package installation.

The manual dependency installation approach means CI doesn't verify that pip install -e . succeeds or that the console-script entry points (cursor-chat-export, cursor-chat-browser) are installed and functional. While the pywebview exclusion is reasonable (system dependencies), a lightweight packaging verification step would catch include-list errors, import issues, or broken entry points.

📦 Proposed addition: package installation test

Add a step after line 49 to verify the package installs and entry points are callable:

      - name: Verify package installation
        run: |
          python -m pip install -e .
          cursor-chat-export --help
          # cursor-chat-browser requires pywebview, skip here

This ensures packaging config remains valid across Python versions without adding heavy dependencies.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/tests.yml around lines 43 - 49, Add a CI step after the
dependency install that verifies the package installs and entry points work: run
python -m pip install -e . and invoke the console script cursor-chat-export
--help (skip cursor-chat-browser due to pywebview) so
installation/import/entry-point failures surface as job failures; place this new
step after the existing "Install runtime + test dependencies" step and ensure
failures are not ignored so the workflow fails on packaging errors.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pyproject.toml`:
- Around line 18-21: Add an explicit Pillow constraint to the dependencies list
to avoid transitive installation of vulnerable Pillow releases: update the
dependencies array (near the existing "flask" and "fpdf2" entries) to include a
safe Pillow version constraint such as "pillow>=10.0" (or a later safe minimum)
so that the "fpdf2" dependency cannot pull in vulnerable 9.x releases; ensure
the new entry is added alongside "fpdf2>=2.7,<3" in the same dependencies block.

---

Nitpick comments:
In @.github/workflows/tests.yml:
- Around line 43-49: Add a CI step after the dependency install that verifies
the package installs and entry points work: run python -m pip install -e . and
invoke the console script cursor-chat-export --help (skip cursor-chat-browser
due to pywebview) so installation/import/entry-point failures surface as job
failures; place this new step after the existing "Install runtime + test
dependencies" step and ensure failures are not ignored so the workflow fails on
packaging errors.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: da2b3d37-ea68-4784-b35d-d4ec871da793

📥 Commits

Reviewing files that changed from the base of the PR and between d9aa73a and cebefce.

📒 Files selected for processing (4)

• .github/workflows/tests.yml
• launcher.py
• pyproject.toml
• requirements.txt