The inclusion of files under qt/aqt is handled by qt/pyproject.toml,
not qt/hatch_build.py, which works with the files under out/qt/_aqt.
Excluding qt/aqt/data and all files ending in .ui in qt/pyproject.toml
fixes the issue, since the other unwanted files (**/*.scss, **/*.ts, and
**/tsconfig*) all reside under qt/aqt/data.
Fixes: 04996c77f3
We can't show an AnkiWeb page for a locally-installed add-on, and
having a custom config action is the only way we can easily expose
this for older clients as well.
Re: #4158
* Launcher: Run `uv python install` before running `uv sync`
* Less copy/paste.
* Minor readability improvements
* Make sure we check file presence before attempting to read
---------
Co-authored-by: Damien Elmes <gpg@ankiweb.net>
* Feat/Add legacy evaluate config bool
* Minor tweaks based on PR suggestions (dae)
New enabling command:
from anki.config import Config
mw.col.set_config_bool(Config.Bool.FSRS_LEGACY_EVALUATE, True)
While something we probably don't want to encourage much of, this
may enable some previously-unshared add-ons.
https://forums.ankiweb.net/t/bundling-numpy-in-an-add-on/62669/5
The 'uv add' command is transaction, so if an add-on tries to inject
incompatible dependencies into the environment, the venv will be
left as-is. And each Anki upgrade/downgrade resets the requirements,
so the requested packages shouldn't cause errors down the line.
Sample add-on:
import subprocess
from aqt import mw
from aqt.operations import QueryOp
from aqt.qt import QAction
from aqt.utils import showInfo
def ensure_spacy(col):
print("trying to import spacy")
try:
import spacy
print("successful import")
return
except Exception as e:
print("error importing:", e)
print("attempting add")
try:
from aqt.package import add_python_requirements as add
except Exception as e:
raise Exception(f"package unavailable, can't install: {e}")
# be explicit about version, or Anki beta users will get
# a beta wheel that may break
(success, output) = add(["spacy==3.8.7", "https://github.com/explosion/spacy-models/releases/download/ko_core_news_sm-3.8.0/ko_core_news_sm-3.8.0-py3-none-any.whl"])
if not success:
raise Exception(f"adding failed: {output}")
print("success")
# alterantively:
# from aqt.package import venv_binary
# subprocess.run([venv_binary("spacy"), "download", "ko_core_news_sm"], check=True)
# print("model added")
# large packages will freeze for a while on first import on macOS
import spacy
print("spacy import successful")
def activate_spacy():
def on_success(res):
mw.progress.single_shot(1000, lambda: showInfo("Spacy installed"))
QueryOp(parent=mw, op=ensure_spacy, success=on_success).with_progress("Installing spacy...").run_in_background()
action = QAction("Activate Spacy", mw)
action.triggered.connect(activate_spacy)
mw.form.menuTools.addAction(action)
We need to exec() Python from a GUI context so that the app name and
icon are inherited from our launcher bundle. And we need to munge
sys.argv[0] prior to main window instantiation so that we don't get
app menu entries like "Hide -c". We do that in the launcher instead
of __init__.py so that older versions display correctly too.
* CHANGE right-click in the editor to show option to open folder in linux
* FIX checks
* Use heuristics
* ./ninja format
* Use fallback from main instead of xdg-open
- Launcher can now be accessed via Tools>Upgrade/Downgrade
- Anki closes automatically on update
- When launcher not available, show update link like in the past
- It appears that access to the modern console host requires an app
to be built with the windows console subsystem, so we introduce an
extra anki-console.exe binary to relaunch ourselves with. Solves
https://forums.ankiweb.net/t/new-online-installer-launcher/62745/50
- Windows now requires you to close the terminal like on a Mac,
as I couldn't figure out how to have it automatically close. Suggestions
welcome!
- Reduce the amount of duplicate/near-duplicate code in the various
platform files, and improve readability
- Add a helper to install the current code into the launcher env
- Fix cargo test failing to build on ARM64 Windows
- Use --locked to assert that the lockfile won't change, so we need
to explicitly 'uv lock' when making changes. Still trying to get to
the bottom of why the lockfile sometimes has editable entries, which
break things when switching between platforms.
- Exclude __pycache__ from wheels
- Move the typing stubs to our dev deps
(https://github.com/ankitects/anki/pull/4074#pullrequestreview-2948088436)
- Handle beta/rc tags in .version when launching Anki
- Update pyproject.toml/.python_version if distributed version newer
- Support prerelease marker to opt in to betas
- Check for updates when using uv sync
- Avoid system Python by default, as it can cause breakages
(e.g. ARM Python installed on Windows)
* Migrate build system to uv
Closes#3787, and is a step towards #3081 and #4022
This change breaks our PyOxidizer bundling process. While we probably
could update it to work with the new venvs & lockfile, my intention
is to use this as a base to try out a uv-based packager/installer.
Some notes about the changes:
- Use uv for python download + venv installation
- Drop python/requirements* in favour of pyproject files / uv.lock
- Bumped to latest Python 3.9 version. The move to 3.13 should be
a fairly trivial change when we're ready.
- Dropped the old write_wheel.py in favour of uv/hatchling. This has
the unfortunate side-effect of dropping leading zeros in our wheels,
which we could try hack around in the future.
- Switch to Qt 6.7 for the dev repo, as it's the first PyQt version
with a Linux/ARM WebEngine wheel.
- Unified our macOS deployment target with minimum required for ARM.
- Dropped unused fluent python files
- Dropped unused python license generation
- Dropped helpers to run under Qt 5, as our wheels were already
requiring Qt 6 to install.
* Build action to create universal uv binary
* Drop some PyOxidizer-related files
* Use Windows ARM64 cargo/node binaries during build
We can't provide ARM64 wheels to users yet due to #4079, but we can
at least speed up the build.
The rustls -> native-tls change on Windows is because ring requires
clang to compile for ARM64, and I figured it's best to keep our Windows
deps consistent. We already built the wheels with native-tls.
* Make libankihelper a universal library
We were shipping a single arch library in a purelib, leading to
breakages when running on a different platform.
* Use Python wheel for mpv/lame on Windows/Mac
This is convenient, but suboptimal on a Mac at the moment. The first
run of mpv will take a number of seconds for security checks to run,
and our mpv code ends up timing out, repeating the process each time.
Our installer stub will need to invoke mpv once first to get it validated.
We could address this by distributing the audio with the installer/stub,
or perhaps by putting the binaries in a .pkg file that's notarized+stapled
and then included in the wheel.
* Add some helper scripts to build a fully-locked wheel
* Initial macOS launcher prototype
* Add a hidden env var to preload our libs and audio helpers on macOS
* qt/bundle -> qt/launcher
- remove more of the old bundling code
- handle app icon
* Fat binary, notarization & dmg
* Publish wheels on testpypi for testing
* Use our Python pin for the launcher too
* Python cleanups
* Extend launcher to other platforms + more
- Switch to Qt 6.8 for repo default, as 6.7 depends on an older
libwebp/tiff which is unavailable on newer installs
- Drop tools/mac-x86, as we no longer need to test against Qt 5
- Add flags to cross compile wheels on Mac and Linux
- Bump glibc target to 2_36, building on Debian Stable
- Increase mpv timeout on macOS to allow for initial gatekeeper checks
- Ship both arm64 and amd64 uv on Linux, with a bash stub to pick
the appropriate arch.
* Fix pylint on Linux
* Fix failure to run from /usr/local/bin
* Remove remaining pyoxidizer refs, and clean up duplicate release folder
* Rust dep updates
- Rust 1.87 for now (1.88 due out in around a week)
- Nom looks involved, so I left it for now
- prost-reflect depends on a new prost version that got yanked
* Python 3.13 + dep updates
Updated protoc binaries + add helper in order to try fix build breakage.
Ended up being due to an AI-generated update to pip-system-certs that
was not reviewed carefully enough:
https://gitlab.com/alelec/pip-system-certs/-/issues/36
The updated mypy/black needed some tweaks to our files.
* Windows compilation fixes
* Automatically run Anki after installing on Windows
* Touch pyproject.toml upon install, so we check for updates
* Update Python deps
- urllib3 for CVE
- pip-system-certs got fixed
- markdown/pytest also updated
* Treat play_file() and co as internal routines without protection
Our code and add-ons need a way to play audio from arbitrary locations. I propose we treat the _tag API as suitable for user input, and the _file API for internal use.
* Mention basename in the *_file() paths
We were (partially) doing this for MpvManager, but not for
Windows' SimpleMpvPlayer. By passing a media file starting
with a special scheme, a malicious actor could have caused a file to
be written to the filesystem on Windows.
Thanks once again to Michael Lappas for the report.
* add left margin to browser when sidebar is closed
* listen for event instead of explicit user action
* refresh sidebar on visibility change
* Add a margin on macOS even when not collapsed
---------
Co-authored-by: Damien Elmes <gpg@ankiweb.net>
Instantiating `MPV(MPVBase)` triggers multiple synchronous `command()` calls to the mpv process during callback registration. These calls block the main thread and degrade startup performance. This change defers registration via `taskman.run_in_background`.
* use non breaking spaces for names on about page
* Update qt/aqt/about.py
Co-authored-by: llama <gh@siid.sh>
---------
Co-authored-by: llama <gh@siid.sh>
(originally merged into a PR branch)
* Make URL schemes dialog more ergonomic
* add name to contributors list
* Title Case
* Tweak build instructions so Cursor picks them up
* Use a warning icon for the URL scheme pop-up
* Default to cancelling
mpv looks for ytdl on the path, which includes the CWD on Windows.
A malicious shared deck could place an executable called yt-dlp.exe in the
media folder, which mpv would then helpfully invoke the first time
a YouTube link was encountered.
A big thank you to Michael Lappas for the report.
Currently, if a user tries to close Preview which was opened inside Browse, the "parent" Browse window itself gets closed
Co-authored-by: beyondcompute <beyondcompute@users.noreply.github.com>
* Add a way to pass information from browser_will_search to browser_did_search without having it going to the backend
* Allow None for SearchContext.properties
* Adding myself in CONTRIBUTORS
* Rename SearchContext.properties to SearchContext.addon_metadata
* Revert "Adding myself in CONTRIBUTORS"
This reverts commit a993577279.
* Reapply "Adding myself in CONTRIBUTORS"
This reverts commit f3ce51c83d.
* Enable Cmd+W shortcut in "Edit Current" on Mac
* Enable Cmd+W shortcut in "Fields" editor on Mac
* Enable Cmd+W shortcut in "Cards" editing on Mac
* Enable Cmd+W shortcut in "Sync" tab modal on Mac
* Enable Cmd+W shortcut in "Custom Study" tab modal on Mac
* Enable Cmd+W shortcut in Settings view on Mac
* Enable Cmd+W shortcut in Export dialogs on Mac
* Enable Cmd+W shortcut for getText dialog on Mac
* Enable Cmd+W shortcut in "Change Deck" on Mac
* Enable Cmd+W shortcut in Reposition dialog on Mac
* Enable Cmd+W shortcut in "Grade Now" dialog on Mac
* Enable Cmd+W shortcut in "Reset…" dialog on Mac
* Remove duplicate camelCase variant of add_close_shortcut (dae)
- The camelCase variant will remain accessible with a warning.
- The removed setattr line is legacy cruft, and wasn't doing anything.
* NF: replace `disabled` by `enabled`
This allows to remove the negations and, in my opinion, make the code
easier to understand and edit.
* Cloze button get disabled outside of cloze field
More specifically, if the user focus in a field that is not a cloze
field, the button are still there but appear as disabled. The shortcut
instead of adding the cloze context shows an alert explaining why this
can't be done.
While this message is already displayed when the user tries to add a
note with cloze in non-cloze field, I suspect it will save time to
stop the user as soon as possible from making mistake. This should
make very clear what is authorized and what is not.
It'll also be a reminder of whether the current field is a cloze or
not.
In order to do this, I added a back-end method (that I expect we may
reuse in ankidroid) to get the index of the fields used in cloze. This
set is sent to the note editor, which propagates it where needed.
In mathjax, the cloze symbol is removed when the selected field is not
a cloze field.
* Revert "Sanitize field content in editor"
This reverts commit 1c156905f8.
* Use CSP to block inline JS content in editor
This blocks inline scripts, scripts in the media folder, and
handlers like onclick in the editor. This is nicer than the previous
solution - it doesn't make any permanent changes, and leaves other
content like SVGs alone. Thanks to Nil Admirari for the suggestion.
* add AnkiWebView subclasses for stats, empty cards and find dupes ui
* update ui files to use subclassed webviews instead
* remove superfluous calls to AnkiWebView.set_kind
* Avoid set_kind() race condition in legacy stats webview
Replacing the web view is a hacky workaround, but likely a reasonable compromise for a legacy view that we do not want to maintain a separate Qt form for.
* Slightly refactor AnkiWebView subclass creation and tweak inline comment
+ Extend create_ankiwebview_subclass() with the ability to set any
init time AnkiWebView argument
+ Introduce some nice-to-haves in terms of static type checking support
and IDE autocompletion
+ Mark helper function as private to discourage add-on use
* Drop `AnkiWebView.set_kind` completely
There no longer is an Anki-internal use case for changing the web view kind after initializing a web view, and add-ons almost certainly do not have any use for it either.
Given that setting the kind after web view construction can lead to known race conditions with `domDone` signals, we should remove this method to discourage uses like this in both Anki code and add-on consumers.
There currenty only seems to be one add-on calling `set_kind()`, so this seem like a justifiable API change.
---------
Co-authored-by: llama <100429699+iamllama@users.noreply.github.com>
* add AnkiWebView subclasses for stats, empty cards and find dupes ui
* update ui files to use subclassed webviews instead
* remove superfluous calls to AnkiWebView.set_kind
* revert impl
* set page background colour after setPage in AnkiWebView.set_kind
* Sanitize field content in editor
The editor already strips script tags from fields, but was allowing
through Javascript in things like onclick handlers. We block this now,
as the editor context has access to internal APIs that we don't want to
expose to untrusted third-party code.
* Require an auth token for API access
We were previously inspecting the referrer, but that is spoofable,
and doesn't guard against other processes on the machine.
To accomplish this, we use a request interceptor to automatically
add an auth token to webviews with the right context. Some related
changes were required:
- We avoid storing _page, which was leading to leaks & warning on exit
- At webview creation (or set_kind() invocation), we assign either
an authenticated or unauthenticated web profile.
- Some of our screens initialize the AnkiWebView when calling, e.g.,
aqt.forms.stats.Ui_Dialog(). They then immediately call .set_kind().
This reveals a race condition in our DOM handling code: the webview
initialization creates an empty page with the injected script, which
causes a domDone signal to be sent back. This signal arrives after
we've created another page with .set_kind(), causing our code to think
the DOM is ready when it's not. Then when we try to inject the dynamic
styling, we get an error, as the DOM is not ready yet. In the absence
of better solutions, I've added a hack to set_kind() to deal with this
for now.
* Provide AnkiWebPage init defaults for existing add-on callers
* Inject bridge script when profile set-up skipped
Some add-ons fully override AnkiWebPage.__init__ and thus depend on _setupBridge injecting the JS bridge script.
With this change we account for these cases, while giving add-ons the opportunity to look for solutions that do not require overriding AnkiWebPage.__init__ completely.
* Add some missed pages/endpoints (thanks to iamllama)
* Avoid sending API key for remote resources
Thanks to Abdo for the report
---------
Co-authored-by: Aristotelis P <201596065+aps-amboss@users.noreply.github.com>
* Add checkbox
* Working in editor
* Toolbar webview
* Other webviews
* Even more webviews
* Move to profile settings
* Add to contributors [skip ci]
* Fix checks
* Fix checks
* Better?
* Remove unneded
* Remove checkbox and a few other things
* How the hell did that happen
* Undo FTL changes (dae)
* Remove superfluous config entry (dae)
* Add comment about profile keys (dae)
* fix: correct typo and adjust indentation in docstring
Fixed a small typo in the webview_did_inject_style_into_page docstring and adjusted indentation for consistency.
* Update CONTRIBUTORS
