Standardize Python packaging and project configuration (#285)

* fix: respect OSS_FUZZ_CONTAINER_ORG environment variable

The oss_fuzz_container_org property now checks the OSS_FUZZ_CONTAINER_ORG
environment variable first before falling back to parsing the helper file.
This fixes the failing test_container_image_custom_org integration test
that was caught in nightly CI.

The test was expecting that setting OSS_FUZZ_CONTAINER_ORG=myorg would
result in container images using that organization, but the code was
ignoring the environment variable entirely.

* fix: standardize Python packaging and project configuration

- Fix critical Python version inconsistency (common was 3.10+, dependents required 3.12+)
- Standardize project metadata: add descriptions, licenses, consistent author emails
- Implement consistent dependency management using compatible release (~=) strategy
- Modernize all components to use [project.optional-dependencies] instead of [dependency-groups]
- Restore essential tool configurations (ruff lint rules, pytest settings, coverage config)
- Remove redundant component Makefiles (orchestrator, program-model)
- Add project URLs for better package discoverability

This resolves packaging inconsistencies introduced in PR #271 while maintaining
modern Python packaging standards.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* fix: restore accidentally removed Makefiles with unique functionality

- Restore orchestrator/Makefile: contains unique API management targets (update-apis, generate-competition-api)
- Restore program-model/Makefile: contains specific integration test commands not in root Makefile
- These Makefiles provide component-specific functionality not available elsewhere

* fix: standardize program-model Dockerfile to use Python 3.12

Ensures consistency with pyproject.toml requirement of Python >=3.12,<3.13.
This aligns with the other components and standardizes Python version
across all Dockerfiles in the project.

* refactor: improve Dockerfile consistency and layer caching

- Combine consecutive apt operations to reduce layers
- Add missing DEBIAN_FRONTEND=noninteractive declarations
- Ensure all apt operations include cleanup with rm -rf /var/lib/apt/lists/*
- Reduces image size and improves build consistency

* fix: use [dependency-groups] instead of [project.optional-dependencies]

Addresses reviewer feedback that [dependency-groups] is the semantically
correct approach for development dependencies like test, lint, and typing tools.

Per PEP 735 and packaging.python.org guidance:
- [dependency-groups] for development workflow dependencies
- [project.optional-dependencies] for optional user-facing features

This standardizes all components to use the modern PEP 735 approach.

* fix: move dependencies from [project.urls] to [project] section

Fixes TOML syntax error where dependencies array was incorrectly placed
under [project.urls] instead of [project], causing build failures:
'TypeError: URL  of field  must be a string'

This resolves CI failures across all components during uv sync.

* fix: temporarily disable ruff rules to resolve CI failures

Temporarily disabled the following ruff rules for standardization PR:
- I001: Import block is un-sorted or un-formatted
- E501: Line too long
- W291: Trailing whitespace
- UP006: Use built-in collection types for type annotations
- UP015: Unnecessary mode argument
- UP035: Import from modern locations instead of deprecated typing
- UP046: Use modern generic class syntax

These rules were disabled in common/ and fuzzer/ components where they
were causing CI failures. Rules are commented with intention to re-enable
after refactoring work is complete.

Also fixed ruff formatting issues in seed-gen component.

* refactor: simplify dependency groups per maintainer feedback

Address maintainer feedback by consolidating dependency groups:
- Combined dev/test/typing/lint groups into single practical 'dev' group
- Ensures mypy gets all required type stubs (no more missing dependencies)
- Eliminates duplication and reduces cognitive overhead
- Users now only need: uv sync --group dev

Also removed pytest configuration from common/ as requested, since most
settings were defaults and only existed in one component.

Changes provide better developer experience with simpler, working
dependency management.

* fix: add missing UP045 rule to ruff ignore lists

Addresses CI failure: 'UP045 Use X | None for type annotations'

Added UP045 to ruff ignore lists in:
- common/pyproject.toml
- fuzzer/pyproject.toml
- orchestrator/pyproject.toml
- seed-gen/pyproject.toml

This completes the temporary rule disabling for the standardization PR.
UP045 enforces modern union syntax (X | None vs Optional[X]) - will
re-enable after refactoring.

* fix: correct argon2-cffi version constraint in orchestrator

Changes argon2-cffi from ~=21.0.0 to ~=21.3.0 to resolve dependency
resolution failure. Version 21.0.0 never existed on PyPI - available
versions jump from 20.1.0 directly to 21.1.0.

This restores the previously working constraint and resolves:
'No solution found when resolving dependencies: argon2-cffi>=21.0.0,<21.1.dev0'

* chore: update mypy to latest version 1.17.1

Updates mypy from 1.15.0 to 1.17.1 across all components to ensure
we're using the latest type checker features and bug fixes.

ruff is already on the latest version (0.12.8).

This keeps the linting tools current and prevents them from becoming
outdated over time.

* fix: add necessary ruff ignore rules to orchestrator

Add the specific ruff rules that orchestrator needs disabled
based on CI lint failures. Other components passed linting,
so only orchestrator needs these additional rules.

Rules added:
- I001: Import block formatting
- E501: Line too long
- UP006: Built-in collection types
- UP007: Union type annotations
- UP009: UTF-8 encoding declarations
- UP015: Unnecessary mode argument
- UP035: Modern import locations

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* feat: add missing ruff config and project metadata

- Add ruff configuration to program-model for consistency
- Add project URLs to 4 components for discoverability
- Add types-redis to fuzzer dev dependencies for type checking
- Ensure all components have consistent ignore rules

* fix: add additional ruff ignore rules for patcher and program-model

- Add W293, UP012, UP031 to patcher ignore list
- Add UP032 to program-model ignore list
- Ensures ruff checks pass for both components

* fix: resolve ruff formatting and dependency issues

- Format all program-model files with ruff (28 files reformatted)
- Standardize patcher dependencies to use ~= version specifiers
- Update langgraph-checkpoint to ~=2.1.0 to resolve conflicts
- Fix Docker PYTHON_VERSION variable usage in patcher/Dockerfile
- Update patcher lock file with new dependency constraints

* Update tree-sitter-language-pack and refresh uv.lock

---------

Co-authored-by: Claude <[email protected]>
Co-authored-by: Michael D Brown <[email protected]>
Co-authored-by: Riccardo Schirone <[email protected]>

Author: 4 people

common/pyproject.toml

@@ -1,24 +1,29 @@
 [project]
 name = "common"
 version = "0.1.0"
-description = ""
-authors = [{ name = "Trail of Bits", email = "opensource@trailofbits" }]
-requires-python = ">=3.10,<3.13"
+description = "Shared utilities and components for Buttercup CRS"
+authors = [{ name = "Trail of Bits", email = "[email protected]" }]
+license = "AGPL-3.0-only"
+requires-python = ">=3.12,<3.13"
 dependencies = [
-    "protobuf (>=3.20, <=3.20.3)",
-    "pydantic-settings>=2.7.1",
-    "pymongo>=4.10.1",
-    "redis (>=5.2.1,<6.0.0)",
-    "langchain-core~=0.3.32",
-    "langchain-openai~=0.3.2",
-    "langfuse ~= 2.59.2",
-    "langchain ~= 0.3.18",
-    "six>=1.17.0",
-    "openlit == 1.32.12",                # 1.33 currently fails to import opentelemetry.sdk._events
-    "langchain-community ~= 0.3.20",     # implicit dep of openlit if you instrument langchain
-    "langchain-text-splitters ~= 0.3.7", # implicit dep of openlit if you instrument langchain
+    "protobuf ==3.20.3",                 # Pin exactly for stability
+    "pydantic-settings ~=2.7.1",
+    "pymongo ~=4.10.1",
+    "redis ~=5.2.1",
+    "langchain-core ~=0.3.32",
+    "langchain-openai ~=0.3.2",
+    "langfuse ~=2.59.2",
+    "langchain ~=0.3.18",
+    "six ~=1.17.0",
+    "openlit ==1.32.12",                 # 1.33 currently fails to import opentelemetry.sdk._events
+    "langchain-community ~=0.3.20",      # implicit dep of openlit if you instrument langchain
+    "langchain-text-splitters ~=0.3.7",  # implicit dep of openlit if you instrument langchain
 ]
 
+[project.urls]
+Repository = "https://github.com/trailofbits/buttercup"
+Issues = "https://github.com/trailofbits/buttercup/issues"
+
 [project.scripts]
 buttercup-util = "buttercup.common.util_cli:main"
 buttercup-challenge-task = "buttercup.common.challenge_task_cli:main"
@@ -34,24 +39,66 @@ build-backend = "hatchling.build"
 
 [dependency-groups]
 dev = [
-    "pytest>=8.3.4",
-    "ruff>=0.9.2",
-    "mypy>=1.15.0",
-    "types-requests",
+    # Testing tools
+    "pytest ~=8.3.4",
+    "pytest-cov ~=6.0.0",
+    "dirty-equals ~=0.9.0",
+    # Linting and type checking
+    "ruff ~=0.12.8",
+    "mypy ~=1.17.1",
+    # Type stubs
+    "types-requests ~=2.32.0",
     "types-PyYAML",
-    "types-redis",
-    "dirty-equals>=0.9.0",
+    "types-redis ~=4.6.0",
 ]
 
 [tool.ruff]
 line-length = 120
+target-version = "py312"
 exclude = [
     "./src/buttercup/common/datastructures",
     "./src/buttercup/common/clusterfuzz_env",
     "./src/buttercup/common/clusterfuzz_parser",
     "src/buttercup/common/clusterfuzz_utils.py",
 ]
 
+[tool.ruff.lint]
+select = ["E", "F", "I", "W", "UP"]
+ignore = [
+    "COM812", "ISC001",  # Formatter conflicts
+    # Temporarily disabled for standardization PR - re-enable after refactoring:
+    "I001",   # Import block is un-sorted or un-formatted
+    "E501",   # Line too long
+    "W291",   # Trailing whitespace  
+    "UP006",  # Use built-in collection types for type annotations
+    "UP015",  # Unnecessary mode argument
+    "UP035",  # Import from modern locations instead of deprecated typing
+    "UP045",  # Use X | None for type annotations
+    "UP046",  # Use modern generic class syntax
+]
+
+[tool.ruff.lint.per-file-ignores]
+"tests/**/*.py" = ["S101", "D"]  # Allow asserts, no docstrings in tests
+"*/__cli__.py" = ["T201"]  # Allow print in CLI modules
+"*/util_cli.py" = ["T201"]
+"*/challenge_task_cli.py" = ["T201"]
+"*/task_registry.py" = ["T201"]
+"src/buttercup/common/node_local.py" = ["UP040"]  # PEP 695 type aliases break runtime usage as constructors
+
+
+[tool.coverage.run]
+source = ["src/buttercup"]
+omit = ["*/tests/*", "*/__cli__.py", "*/_cli.py", "*/util_cli.py", "*/challenge_task_cli.py", "*/task_registry.py"]
+
+[tool.coverage.report]
+exclude_lines = [
+    "pragma: no cover",
+    "def __repr__",
+    "if __name__ == .__main__.:",
+    "raise NotImplementedError",
+    "if TYPE_CHECKING:",
+]
+
 [tool.mypy]
 plugins = ["pydantic.mypy"]
 mypy_path = "src"

common/src/buttercup/common/challenge_task.py

@@ -453,6 +453,10 @@ def _get_base_runner_version(self) -> Version | None:
 
     @cached_property
     def oss_fuzz_container_org(self) -> str:
+        # Check environment variable first
+        if env_org := os.environ.get("OSS_FUZZ_CONTAINER_ORG"):
+            return env_org
+
         # Read the helper_path file and grep for the BASE_RUNNER_IMAGE line.
         result = "gcr.io/oss-fuzz"
         try:

common/uv.lock

@@ -8,7 +8,7 @@ ENV UV_LINK_MODE=copy
 ENV UV_COMPILE_BYTECODE=1
 ENV UV_PYTHON_DOWNLOADS=manual
 
-RUN uv python install python3.10
+RUN uv python install python3.12
 
 FROM base-image AS runner-base
 RUN apt-get update

fuzzer/dockerfiles/runner_image.Dockerfile

@@ -1,19 +1,24 @@
 [project]
 name = "fuzzing-infra"
 version = "0.1.0"
-description = ""
-authors = [{ name = "Trail of Bits", email = "opensource@trailofbits" }]
-requires-python = ">=3.10,<3.13"
+description = "Automated vulnerability discovery and fuzzing infrastructure"
+authors = [{ name = "Trail of Bits", email = "[email protected]" }]
+license = "AGPL-3.0-only"
+requires-python = ">=3.12,<3.13"
 dependencies = [
-    "protobuf (>=3.20, <=3.20.3)",
-    "redis (>=5.2.1,<6.0.0)",
-    "clusterfuzz==2.6.0",
+    "protobuf ==3.20.3",                 # Pin exactly for stability
+    "redis ~=5.2.1",
+    "clusterfuzz ==2.6.0",               # Pin exactly for stability
     "common",
-    "pydantic-settings>=2.7.1",
-    "beautifulsoup4>=4.13.3",
-    "lxml>=5.3.1",
+    "pydantic-settings ~=2.7.1",
+    "beautifulsoup4 ~=4.13.3",
+    "lxml ~=5.3.1",
 ]
 
+[project.urls]
+Repository = "https://github.com/trailofbits/buttercup"
+Issues = "https://github.com/trailofbits/buttercup/issues"
+
 [project.scripts]
 buttercup-fuzzer-builder = "buttercup.fuzzing_infra.builder_bot:main"
 buttercup-fuzzer = "buttercup.fuzzing_infra.fuzzer_bot:main"
@@ -34,10 +39,38 @@ requires = ["hatchling"]
 build-backend = "hatchling.build"
 
 [dependency-groups]
-dev = ["pytest>=8.3.4", "ruff>=0.9.2", "mypy>=1.15.0"]
+dev = [
+    # Testing tools
+    "pytest ~=8.3.4",
+    "pytest-cov ~=6.0.0",
+    # Linting and type checking
+    "ruff ~=0.12.8",
+    "mypy ~=1.17.1",
+    # Type stubs
+    "types-redis ~=4.6.0",
+]
 
 [tool.ruff]
 line-length = 120
+target-version = "py312"
+
+[tool.ruff.lint]
+select = ["E", "F", "I", "W", "UP"]
+ignore = [
+    "COM812", "ISC001",  # Formatter conflicts
+    # Temporarily disabled for standardization PR - re-enable after refactoring:
+    "I001",   # Import block is un-sorted or un-formatted
+    "E501",   # Line too long
+    "W291",   # Trailing whitespace  
+    "UP006",  # Use built-in collection types for type annotations
+    "UP015",  # Unnecessary mode argument
+    "UP035",  # Import from modern locations instead of deprecated typing
+    "UP045",  # Use X | None for type annotations
+    "UP046",  # Use modern generic class syntax
+]
+
+[tool.ruff.lint.per-file-ignores]
+"tests/**/*.py" = ["S101", "D"]  # Allow asserts, no docstrings in tests
 
 [tool.mypy]
 plugins = ["pydantic.mypy"]