vibatchium 0.5.0__tar.gz

vibatchium-0.5.0/.github/workflows/publish.yml

@@ -0,0 +1,72 @@
+name: publish
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v3
+
+      - name: Set up Python
+        run: uv python install 3.12
+
+      - name: Verify tag matches pyproject version
+        run: |
+          tag="${GITHUB_REF_NAME#v}"
+          pyver=$(grep -E '^version = "' pyproject.toml | head -1 | sed -E 's/version = "([^"]+)"/\1/')
+          if [ "$tag" != "$pyver" ]; then
+            echo "::error::Git tag v$tag does not match pyproject.toml version $pyver"
+            exit 1
+          fi
+
+      - name: Build sdist + wheel
+        run: uv build
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  pypi:
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+      - uses: pypa/gh-action-pypi-publish@release/v1
+
+  release:
+    needs: pypi
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+      - name: Create GitHub Release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release create "$GITHUB_REF_NAME" \
+            --title "$GITHUB_REF_NAME" \
+            --generate-notes \
+            dist/*

vibatchium-0.5.0/.github/workflows/test.yml

@@ -0,0 +1,81 @@
+name: tests
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+
+jobs:
+  pytest:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.11", "3.12", "3.13"]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install system deps (Xvfb + Chrome runtime)
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -yq xvfb libnss3 libatk-bridge2.0-0 libdrm2 \
+            libxkbcommon0 libxcomposite1 libxdamage1 libxfixes3 libxrandr2 \
+            libgbm1 libxss1 libasound2t64 || sudo apt-get install -yq libasound2
+
+      - name: Install vibatchium + extras
+        run: |
+          python -m pip install -U pip
+          # [all] = annotate + llm + liveview + secrets + rest. Required so
+          # the vault, live-view, and REST tests can actually run rather than
+          # crashing on ModuleNotFoundError. GPL/AGPL extras (stealth-mouse,
+          # nodriver) remain opt-in and are not exercised by the CI suite.
+          pip install -e ".[all]"
+          pip install pytest pytest-asyncio pytest-timeout
+
+      - name: Install patchright Chrome
+        run: |
+          patchright install chrome
+          patchright install-deps chrome || true
+
+      - name: Run tests under Xvfb
+        env:
+          PYTHONUNBUFFERED: "1"
+        run: |
+          xvfb-run -a -s "-screen 0 1920x1080x24" python -m pytest tests/ -v --tb=short --timeout=60
+
+      - name: MCP server smoke
+        run: |
+          xvfb-run -a -s "-screen 0 1920x1080x24" bash -c '
+            (echo "{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"initialize\",\"params\":{\"protocolVersion\":\"2024-11-05\",\"capabilities\":{},\"clientInfo\":{\"name\":\"ci\",\"version\":\"1\"}}}";
+             sleep 0.3;
+             echo "{\"jsonrpc\":\"2.0\",\"method\":\"notifications/initialized\"}";
+             sleep 0.2;
+             echo "{\"jsonrpc\":\"2.0\",\"id\":2,\"method\":\"tools/list\"}";
+             sleep 1) | timeout 10 vb mcp | python -c "
+            import json, sys
+            for line in sys.stdin:
+                try:
+                    d = json.loads(line)
+                    if d.get(\"id\") == 2:
+                        tools = d.get(\"result\", {}).get(\"tools\", [])
+                        print(f\"MCP tool count: {len(tools)}\")
+                        assert len(tools) >= 60, f\"too few tools: {len(tools)}\"
+                except Exception:
+                    pass
+            "
+          '
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with: { python-version: "3.13" }
+      - run: pip install ruff
+      - run: ruff check vibatchium/ tests/

vibatchium-0.5.0/.gitignore

@@ -0,0 +1,31 @@
+__pycache__/
+*.py[cod]
+*$py.class
+*.egg-info/
+.venv/
+venv/
+.env
+.envrc
+
+# Patchium runtime
+.cache/
+*.sock
+screenshot*.png
+storage*.json
+
+# OS / IDE
+.DS_Store
+.idea/
+.vscode/
+*.swp
+*.swo
+
+# Build
+build/
+dist/
+.eggs/
+
+# Test
+.pytest_cache/
+.coverage
+htmlcov/

vibatchium-0.5.0/LICENSE

@@ -0,0 +1,17 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   Copyright 2026 ClavIclar
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

vibatchium-0.5.0/PKG-INFO

@@ -0,0 +1,155 @@
+Metadata-Version: 2.4
+Name: vibatchium
+Version: 0.5.0
+Summary: Patchwright stealth + Vibium-style LLM-friendly CLI for agentic browser automation.
+Project-URL: Homepage, https://github.com/trueoriginlabs/vibatchium
+Project-URL: Issues, https://github.com/trueoriginlabs/vibatchium/issues
+Project-URL: Source, https://github.com/trueoriginlabs/vibatchium
+Author: monodev-eth
+License: Apache-2.0
+License-File: LICENSE
+Keywords: agent,ai,automation,browser,mcp,patchright,playwright,stealth
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Internet :: WWW/HTTP :: Browsers
+Classifier: Topic :: Software Development :: Testing
+Requires-Python: >=3.11
+Requires-Dist: click>=8.1.7
+Requires-Dist: mcp>=1.0.0
+Requires-Dist: patchright>=1.59.0
+Provides-Extra: all
+Requires-Dist: aiohttp>=3.9; extra == 'all'
+Requires-Dist: anthropic>=0.40; extra == 'all'
+Requires-Dist: fastapi>=0.110; extra == 'all'
+Requires-Dist: keyring>=24.0; extra == 'all'
+Requires-Dist: pillow>=10.0; extra == 'all'
+Requires-Dist: pynacl>=1.5; extra == 'all'
+Requires-Dist: uvicorn[standard]>=0.27; extra == 'all'
+Provides-Extra: annotate
+Requires-Dist: pillow>=10.0; extra == 'annotate'
+Provides-Extra: dev
+Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
+Requires-Dist: pytest-timeout>=2.3; extra == 'dev'
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Requires-Dist: ruff>=0.6.0; extra == 'dev'
+Provides-Extra: liveview
+Requires-Dist: aiohttp>=3.9; extra == 'liveview'
+Provides-Extra: llm
+Requires-Dist: anthropic>=0.40; extra == 'llm'
+Provides-Extra: nodriver
+Requires-Dist: nodriver>=0.50.0; extra == 'nodriver'
+Provides-Extra: rest
+Requires-Dist: fastapi>=0.110; extra == 'rest'
+Requires-Dist: uvicorn[standard]>=0.27; extra == 'rest'
+Provides-Extra: secrets
+Requires-Dist: keyring>=24.0; extra == 'secrets'
+Requires-Dist: pynacl>=1.5; extra == 'secrets'
+Description-Content-Type: text/markdown
+
+# vibatchium
+
+**Agent-piloted browser automation that clears Cloudflare.**
+Patched Playwright + multi-session daemon + credential vault + vision clicking + prompt-injection safety. One MCP server, N parallel Chromes, persistent per-session profiles.
+
+```
+pipx install git+https://github.com/trueoriginlabs/vibatchium
+patchright install chrome
+vb setup        # auto-register with Codex / Claude Code / Cursor (idempotent)
+```
+
+> **Coding agents (Codex / Cursor / Claude Code):** read [`AGENTS.md`](AGENTS.md) first — it has the one-call recipes (`explore`, `research`) and the env-discovery traps to skip.
+
+```
+vb explore https://example.com                      # one-call: text + screenshot
+vb research --target https://example.com \          # parallel fan-out, N intents
+  --intent "pricing model" --intent "customers" --intent "tech stack"
+```
+
+**Status:** active development, alpha. PyPI version lags — install from source / git URL. 384 tests green. 31/31 on bot.sannysoft.com. Cleared HackerOne Cloudflare cold-launch. Apache-2.0 (GPL/AGPL only via opt-in extras).
+
+## Why vibatchium
+
+|  | Vibium | Patchwright | Browser-Use | vibatchium |
+|---|---|---|---|---|
+| LLM-friendly `@eN` refs + `map` / `diff map` | ✅ | ❌ | ❌ | ✅ |
+| Cloudflare CDP-leak patches | ❌ | ✅ | ❌ | ✅ |
+| **Multiple parallel browsers, one daemon** | ❌ | manual | ❌ | ✅ |
+| Per-session persistent profile (cookies, login) | ✅ | manual | manual | ✅ |
+| CDP-attach to manually-logged-in Chrome | ❌ | manual | ❌ | ✅ |
+| **Encrypted credential vault** (passwords + TOTP) | ❌ | ❌ | ❌ | ✅ |
+| **IMAP email-code polling** (2FA) | ❌ | ❌ | ❌ | ✅ |
+| Per-session proxy + WebRTC leak guard | ❌ | manual | ❌ | ✅ |
+| Vision-first clicking with spend cap | ❌ | ❌ | ✅ | ✅ |
+| **Prompt-injection classifier on scraped content** | ❌ | ❌ | ❌ | ✅ (0% FP / 204 samples) |
+| Live-view stream with takeover (WebSocket) | ❌ | ❌ | partial | ✅ |
+| Bearer-token REST shim + caps gating | ❌ | ❌ | manual | ✅ |
+| `research` command (parallel fan-out) | ❌ | ❌ | ❌ | ✅ |
+
+## Multi-session in 10 lines
+
+```
+vb session new work
+vb --session work start
+vb --session work go https://github.com           # log in by hand once
+vb session new banking
+vb --session banking start
+vb --session banking go https://bank.example.com
+vb --session work click @e3 &                     # truly parallel —
+vb --session banking fill @e5 hi &                # separate Chromes, no cookie bleed
+wait
+vb session list
+```
+
+Active-session resolution: `--session FLAG` → `$VIBATCHIUM_SESSION` env → `~/.config/vibatchium/active-session` → `default`. Cap via `VIBATCHIUM_MAX_SESSIONS=4` (default 4).
+
+## Documentation
+
+- [`AGENTS.md`](AGENTS.md) — coding-agent contract (Codex / Cursor / Claude Code)
+- [`docs/CAPABILITIES.md`](docs/CAPABILITIES.md) — per-verb reference (every CLI / MCP / REST verb)
+- [`docs/OPERATIONS.md`](docs/OPERATIONS.md) — operator playbook: env vars, recipes, anti-patterns from real runs
+- [`docs/STEALTH.md`](docs/STEALTH.md) — stealth posture, defender clearance, trade-offs
+
+## Server modes
+
+| Mode | Surface | Auth |
+|---|---|---|
+| `vb mcp` | stdio JSON-RPC; `--caps=...` gates the bucket set | n/a (stdio) |
+| `vb serve` | FastAPI on `127.0.0.1:8000`; every verb at `POST /v1/<verb>`; WebSocket live-view at `/v1/stream/<session>` | bearer token (`~/.cache/vibatchium/rest-token`, mode 0600) |
+
+**REST capability gating**: `vb serve --caps=core,nav,input,vision` restricts the HTTP surface the same way `mcp --caps` does. Without it, REST grants local-code-equivalent access (eval + secret_* + file-writing verbs all exposed) — safe for localhost dev, **not** for hosted/multi-tenant.
+
+## Attach mode — the practical Cloudflare workaround
+
+For DataDome / Kasada / hardened auth that walls cold-launch automation:
+
+```
+google-chrome --remote-debugging-port=9222 --user-data-dir=/tmp/cdp-profile &
+# log into the walled site by hand
+vb attach http://localhost:9222
+vb go https://target.example.com        # now reads as your real browser
+```
+
+Patchright's CDP-layer stealth still applies over `connect_over_cdp` — attach mode gets the same protocol-level patches as cold launch, plus your real-browser fingerprint and any cookies from the manual login.
+
+## Security model
+
+Credentials never appear in logs, HAR captures, observe cache, or agent-visible response fields (grep-tested in CI). Vault uses XSalsa20-Poly1305 with key from OS keyring or `VIBATCHIUM_SECRETS_KEY`. All vibatchium-written files are 0600; directories 0700.
+
+For the REST shim: without `--caps`, the bearer token grants every verb including `eval`, `secret_*`, and file-writing verbs. Local-code-equivalent — always pass `--caps=...` for hosted-mode. Live-view binds 127.0.0.1 only by default (`--insecure-public` to override).
+
+## Honest limits
+
+- **5+ concurrent sessions = 1-2GB RAM.** Each persistent-context Chrome is ~200-400MB. Bump cap with `VIBATCHIUM_MAX_SESSIONS=8`.
+- **Vision spend cap is process-wide.** N fan-out agents share one daily/lifetime budget.
+- **Init scripts don't work on patchright backend.** `chrome.runtime` stays `undefined` — accepted trade for stealth wins ([details](docs/STEALTH.md)).
+- **Login walls (X, LinkedIn) require attach mode.** Cold-launch fan-out can't defeat sites requiring authenticated sessions.
+- **Single daemon = single point of failure.** No HA built in.
+- **PyPI version (0.1.0) is stale.** Install from the git URL above for the current feature surface.
+
+## License
+
+Apache-2.0 (core). Optional extras pull their own licenses: `nodriver` (AGPL-3.0), `stealth-mouse` / CDP-Patches (GPL-3.0). Never required for the base install.

vibatchium-0.5.0/README.md

@@ -0,0 +1,103 @@
+# vibatchium
+
+**Agent-piloted browser automation that clears Cloudflare.**
+Patched Playwright + multi-session daemon + credential vault + vision clicking + prompt-injection safety. One MCP server, N parallel Chromes, persistent per-session profiles.
+
+```
+pipx install git+https://github.com/trueoriginlabs/vibatchium
+patchright install chrome
+vb setup        # auto-register with Codex / Claude Code / Cursor (idempotent)
+```
+
+> **Coding agents (Codex / Cursor / Claude Code):** read [`AGENTS.md`](AGENTS.md) first — it has the one-call recipes (`explore`, `research`) and the env-discovery traps to skip.
+
+```
+vb explore https://example.com                      # one-call: text + screenshot
+vb research --target https://example.com \          # parallel fan-out, N intents
+  --intent "pricing model" --intent "customers" --intent "tech stack"
+```
+
+**Status:** active development, alpha. PyPI version lags — install from source / git URL. 384 tests green. 31/31 on bot.sannysoft.com. Cleared HackerOne Cloudflare cold-launch. Apache-2.0 (GPL/AGPL only via opt-in extras).
+
+## Why vibatchium
+
+|  | Vibium | Patchwright | Browser-Use | vibatchium |
+|---|---|---|---|---|
+| LLM-friendly `@eN` refs + `map` / `diff map` | ✅ | ❌ | ❌ | ✅ |
+| Cloudflare CDP-leak patches | ❌ | ✅ | ❌ | ✅ |
+| **Multiple parallel browsers, one daemon** | ❌ | manual | ❌ | ✅ |
+| Per-session persistent profile (cookies, login) | ✅ | manual | manual | ✅ |
+| CDP-attach to manually-logged-in Chrome | ❌ | manual | ❌ | ✅ |
+| **Encrypted credential vault** (passwords + TOTP) | ❌ | ❌ | ❌ | ✅ |
+| **IMAP email-code polling** (2FA) | ❌ | ❌ | ❌ | ✅ |
+| Per-session proxy + WebRTC leak guard | ❌ | manual | ❌ | ✅ |
+| Vision-first clicking with spend cap | ❌ | ❌ | ✅ | ✅ |
+| **Prompt-injection classifier on scraped content** | ❌ | ❌ | ❌ | ✅ (0% FP / 204 samples) |
+| Live-view stream with takeover (WebSocket) | ❌ | ❌ | partial | ✅ |
+| Bearer-token REST shim + caps gating | ❌ | ❌ | manual | ✅ |
+| `research` command (parallel fan-out) | ❌ | ❌ | ❌ | ✅ |
+
+## Multi-session in 10 lines
+
+```
+vb session new work
+vb --session work start
+vb --session work go https://github.com           # log in by hand once
+vb session new banking
+vb --session banking start
+vb --session banking go https://bank.example.com
+vb --session work click @e3 &                     # truly parallel —
+vb --session banking fill @e5 hi &                # separate Chromes, no cookie bleed
+wait
+vb session list
+```
+
+Active-session resolution: `--session FLAG` → `$VIBATCHIUM_SESSION` env → `~/.config/vibatchium/active-session` → `default`. Cap via `VIBATCHIUM_MAX_SESSIONS=4` (default 4).
+
+## Documentation
+
+- [`AGENTS.md`](AGENTS.md) — coding-agent contract (Codex / Cursor / Claude Code)
+- [`docs/CAPABILITIES.md`](docs/CAPABILITIES.md) — per-verb reference (every CLI / MCP / REST verb)
+- [`docs/OPERATIONS.md`](docs/OPERATIONS.md) — operator playbook: env vars, recipes, anti-patterns from real runs
+- [`docs/STEALTH.md`](docs/STEALTH.md) — stealth posture, defender clearance, trade-offs
+
+## Server modes
+
+| Mode | Surface | Auth |
+|---|---|---|
+| `vb mcp` | stdio JSON-RPC; `--caps=...` gates the bucket set | n/a (stdio) |
+| `vb serve` | FastAPI on `127.0.0.1:8000`; every verb at `POST /v1/<verb>`; WebSocket live-view at `/v1/stream/<session>` | bearer token (`~/.cache/vibatchium/rest-token`, mode 0600) |
+
+**REST capability gating**: `vb serve --caps=core,nav,input,vision` restricts the HTTP surface the same way `mcp --caps` does. Without it, REST grants local-code-equivalent access (eval + secret_* + file-writing verbs all exposed) — safe for localhost dev, **not** for hosted/multi-tenant.
+
+## Attach mode — the practical Cloudflare workaround
+
+For DataDome / Kasada / hardened auth that walls cold-launch automation:
+
+```
+google-chrome --remote-debugging-port=9222 --user-data-dir=/tmp/cdp-profile &
+# log into the walled site by hand
+vb attach http://localhost:9222
+vb go https://target.example.com        # now reads as your real browser
+```
+
+Patchright's CDP-layer stealth still applies over `connect_over_cdp` — attach mode gets the same protocol-level patches as cold launch, plus your real-browser fingerprint and any cookies from the manual login.
+
+## Security model
+
+Credentials never appear in logs, HAR captures, observe cache, or agent-visible response fields (grep-tested in CI). Vault uses XSalsa20-Poly1305 with key from OS keyring or `VIBATCHIUM_SECRETS_KEY`. All vibatchium-written files are 0600; directories 0700.
+
+For the REST shim: without `--caps`, the bearer token grants every verb including `eval`, `secret_*`, and file-writing verbs. Local-code-equivalent — always pass `--caps=...` for hosted-mode. Live-view binds 127.0.0.1 only by default (`--insecure-public` to override).
+
+## Honest limits
+
+- **5+ concurrent sessions = 1-2GB RAM.** Each persistent-context Chrome is ~200-400MB. Bump cap with `VIBATCHIUM_MAX_SESSIONS=8`.
+- **Vision spend cap is process-wide.** N fan-out agents share one daily/lifetime budget.
+- **Init scripts don't work on patchright backend.** `chrome.runtime` stays `undefined` — accepted trade for stealth wins ([details](docs/STEALTH.md)).
+- **Login walls (X, LinkedIn) require attach mode.** Cold-launch fan-out can't defeat sites requiring authenticated sessions.
+- **Single daemon = single point of failure.** No HA built in.
+- **PyPI version (0.1.0) is stale.** Install from the git URL above for the current feature surface.
+
+## License
+
+Apache-2.0 (core). Optional extras pull their own licenses: `nodriver` (AGPL-3.0), `stealth-mouse` / CDP-Patches (GPL-3.0). Never required for the base install.

vibatchium-0.5.0/pyproject.toml

@@ -0,0 +1,120 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "vibatchium"
+version = "0.5.0"
+description = "Patchwright stealth + Vibium-style LLM-friendly CLI for agentic browser automation."
+readme = "README.md"
+requires-python = ">=3.11"
+license = { text = "Apache-2.0" }
+authors = [{ name = "monodev-eth" }]
+keywords = ["browser", "automation", "ai", "agent", "patchright", "stealth", "playwright", "mcp"]
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: Apache Software License",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Topic :: Software Development :: Testing",
+    "Topic :: Internet :: WWW/HTTP :: Browsers",
+]
+dependencies = [
+    "patchright>=1.59.0",
+    "click>=8.1.7",
+    "mcp>=1.0.0",
+]
+
+[project.optional-dependencies]
+# Pillow is only needed for `screenshot --annotate`.
+annotate = ["pillow>=10.0"]
+# Claude observe→act LLM backend (heuristic backend is always available).
+llm = ["anthropic>=0.40"]
+# Humanized mouse trajectories — defeats Brotector / DataDome aggressive.
+# CDP-Patches is not on PyPI; the published wheel cannot list a git+https
+# direct dependency. Users who want stealth-mouse install it separately:
+#   pip install vibatchium
+#   pip install git+https://github.com/Kaliiiiiiiiii-Vinyzu/CDP-Patches.git@main
+# Wave 5.4: nodriver backend for the hardest Cloudflare gates. AGPL-3.0
+# (copyleft); commercial integrators should consult licensing.
+nodriver = ["nodriver>=0.50.0"]
+# Wave 6.1a: live-view server (WebSocket frame stream + takeover). Pulls
+# aiohttp for the HTTP+WS surface; ~5 MB install footprint.
+liveview = ["aiohttp>=3.9"]
+# Wave 6.3a: credential vault + TOTP. pynacl for XSalsa20-Poly1305 AEAD;
+# keyring for OS-native key storage (gnome-keyring, macOS Keychain, etc.).
+secrets = ["pynacl>=1.5", "keyring>=24.0"]
+# Wave 6.4a: REST shim — exposes daemon verbs over HTTP for non-shell clients
+# (Docker / hosted mode / language-agnostic agents). FastAPI + uvicorn.
+rest = ["fastapi>=0.110", "uvicorn[standard]>=0.27"]
+# Convenience meta-extras
+# `all` = every advertised feature except GPL/AGPL extras (stealth-mouse, nodriver).
+# Matches the README install guidance — keep these in sync.
+all = [
+    "pillow>=10.0",        # annotate
+    "anthropic>=0.40",     # llm + vision
+    "aiohttp>=3.9",        # liveview
+    "pynacl>=1.5",         # secrets vault
+    "keyring>=24.0",       # secrets vault key storage
+    "fastapi>=0.110",      # rest shim
+    "uvicorn[standard]>=0.27",  # rest shim
+]
+dev = ["pytest>=8.0", "pytest-asyncio>=0.23", "pytest-timeout>=2.3", "ruff>=0.6.0"]
+
+[project.scripts]
+vb = "vibatchium.cli:main"
+
+[project.urls]
+Homepage = "https://github.com/trueoriginlabs/vibatchium"
+Issues = "https://github.com/trueoriginlabs/vibatchium/issues"
+Source = "https://github.com/trueoriginlabs/vibatchium"
+
+[tool.hatch.build.targets.wheel]
+packages = ["vibatchium"]
+
+[tool.hatch.build.targets.sdist]
+include = [
+    "/vibatchium",
+    "/README.md",
+    "/LICENSE",
+    "/pyproject.toml",
+    "/tests",
+    "/.github",
+]
+exclude = [
+    "**/__pycache__",
+    "**/*.pyc",
+    "tests/**/*.png",
+    "tests/**/*.json",
+]
+
+[tool.hatch.envs.default]
+dependencies = [
+    "pytest>=8.0",
+    "pytest-asyncio>=0.23",
+    "pytest-timeout>=2.3",
+]
+
+[tool.ruff]
+line-length = 100
+target-version = "py311"
+
+[tool.ruff.lint]
+select = ["E", "F", "W", "B", "UP"]
+ignore = [
+    "E501",  # line too long — keep readability
+    "B008",  # function call in default arg — Click idiom
+    "E701",  # multi-statement on one line (colon) — guard-clause idiom
+    "E702",  # multi-statement on one line (semicolon) — compact assigns
+    "E731",  # lambda assignment — accepted for tiny inline transformers
+    "E402",  # module-level import not at top — needed for opt-in deferred imports
+]
+
+[tool.ruff.lint.per-file-ignores]
+"tests/*" = ["F841"]  # unused locals in tests are fine (assertion of "doesn't raise")
+
+[tool.pytest.ini_options]
+asyncio_mode = "auto"
+testpaths = ["tests"]