pyapp

Use when building standalone Python executables with PyApp, bundling Python runtimes, preparing air-gapped or multi-architecture binaries, patching PyApp defaults, or compiling single-binary assets.

9 stars

Best use case

pyapp is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Use when building standalone Python executables with PyApp, bundling Python runtimes, preparing air-gapped or multi-architecture binaries, patching PyApp defaults, or compiling single-binary assets.

Teams using pyapp should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/pyapp/SKILL.md --create-dirs "https://raw.githubusercontent.com/cofin/flow/main/plugins/flow/skills/pyapp/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/pyapp/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How pyapp Compares

Feature / AgentpyappStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Use when building standalone Python executables with PyApp, bundling Python runtimes, preparing air-gapped or multi-architecture binaries, patching PyApp defaults, or compiling single-binary assets.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# PyApp Standalone Binaries

Enable building self-contained, air-gapped, multi-architecture standalone executables for any Python application using **PyApp** and **uv**.

---

## Overview

Standard `pyapp` installation bootstraps the environment on first run, which usually requires internet access. For **air-gapped** or **network-isolated** environments, you must embed the entire Python distribution and its dependencies ahead of time.

This skill documents the **Bundle-Patch-Compile** workflow:

1. **Bundle**: Download a standalone Python build, install dependencies into its `site-packages`, and repackage.
2. **Patch**: Modify the PyApp source code to enforce custom install locations or isolation defaults.
3. **Compile**: Compile the patched PyApp binary with the bundled distribution embedded.

---

## Architecture & Philosophy

### The Packaged Distribution

Instead of installing at runtime, we build a **hybrid distribution**:

* A basic standalone Python distribution (e.g., from `python-build-standalone`).
* Pre-populated `site-packages` via `uv pip install --target`.
* This avoids running any package managers on first execution.

---

<workflow>

## Configuration

### 1. Standard Settings

In your `pyproject.toml`, configure the Hatch target or custom builder to use specific variables.

<example>

```toml
[tool.hatch.build.targets.binary]
scripts = ["myapp"]
pyapp-version = "v0.29.0"

[tool.hatch.build.targets.binary.env]
PYAPP_DISTRIBUTION_EMBED = "1"
PYAPP_FULL_ISOLATION = "1"
PYAPP_ALLOW_UPDATES = "1"
```

</example>

---

## Step-by-Step Workflow

### Phase 1: Bundling (Prep the Runtime)

To enable fully offline operations, follow these steps using an automation script (see `scripts/bundler.py`):

1. **Download Standalone Python**: Acquire a compatible `install_only_stripped` version for the Target Rust arch (e.g., `x86_64-unknown-linux-gnu`).
2. **Install Deps Off-Target**: Use `uv pip install` with specific cross-compilation flags:
    * `--target <extracted_python_site_packages>`
    * `--python-platform <uv_supported_platform>`
    * `--upgrade`
3. **Repackage**: Compress the resulting layout back into a `.tar.gz`.

### Phase 2: PyApp Patching (Enforce Paths)

By default, PyApp stores user data in standard local data folders. If you require strict isolation (e.g., `~/.myapp`), you can **patch the PyApp source code** just before `cargo build`:

<example>

```python
# Conceptual example of patching src/app.rs
import re
content = app_rs.read_text()
pattern = re.compile(r"platform_dirs\(\)\s*\.data_local_dir\(\)...")
replacement = "std::path::PathBuf::from(\"~/.myapp\")"
app_rs.write_text(pattern.sub(replacement, content))
```

</example>

### Phase 3: Compiling

To maintain maximum glibc backward-compatibility (e.g., supporting RHEL 7+ / manylinux2014 baseline):

* Use **Zig** as the linker trigger: `cargo zigbuild --release --target <target>.2.17`

</workflow>

---

## CI/CD Integration

Ensure your GitHub Action includes:

1. An upstream build step creating target-agnostic `.whl` files.
2. A cross-target build matrix (`x86_64-linux-gnu`, `aarch64-linux-gnu`, `aarch64-apple-darwin`, etc.).
3. Zig setup steps for robust glibc pin targeting.

> [!TIP]
> Always test inside a non-networked container:
> `docker run --network none -v $(pwd):/app ubuntu:20.04 /app/myapp-binary --help`

---

## Provided Resources

* **Bundler Template**: `scripts/bundler.py` (in this skill directory)
* **CI Matrix Action Example**: `examples/release-action.yml` (in this skill directory)

## Shared Styleguide Baseline

* Use shared styleguides for generic language/framework rules to reduce duplication in this skill.
* [General Principles](https://github.com/cofin/flow/blob/main/templates/styleguides/general.md)
* [Python](https://github.com/cofin/flow/blob/main/templates/styleguides/languages/python.md)
* [Docker](https://github.com/cofin/flow/blob/main/templates/styleguides/tools/docker.md)
* Keep this skill focused on tool-specific workflows, edge cases, and integration details.

<guardrails>
## Guardrails

* **Use non-root user in production images** -- When containerizing the resulting binary, ensure it runs as a non-privileged user to minimize security risks.
* **Prefer multi-stage Docker builds** -- Separate the build environment (with Cargo and Zig) from the final runtime image to keep the production artifact small.
* **Target specific glibc versions with Zig** -- Use `cargo zigbuild --target <arch>.2.17` to ensure compatibility with older Linux distributions (e.g., RHEL 7+).
* **Embed all dependencies for air-gapped use** -- Set `PYAPP_DISTRIBUTION_EMBED = "1"` to ensure the binary is fully self-contained and does not require internet access on first run.
* **Validate binary size** -- Monitor the size of the embedded distribution; strip unnecessary symbols and files (e.g., `.pyc`, `__pycache__`, tests) to keep the executable manageable.
</guardrails>

<validation>
## Validation Checkpoint

* [ ] Binary runs successfully in a network-isolated (`--network none`) environment
* [ ] glibc compatibility is verified using `ldd --version` on the target platform
* [ ] No root privileges are required to execute the binary
* [ ] All required Python dependencies are included in the embedded `site-packages`
* [ ] Binary size is within the expected range for the bundled distribution
* [ ] Custom install paths (if patched) are correctly respected by the application
</validation>

Related Skills

flow-memory-keeper

9
from cofin/flow

Use at task, phase, flow, sync, archive, finish, revise, or failure checkpoints to keep Flow specs clean, capture learnings and failures, elevate durable patterns, and refine this skill with project-specific nuances

vue

9
from cofin/flow

Use when editing Vue projects, .vue files, vue.config.js, Vue 3 components, Composition API, <script setup>, SFC state, deployment workflows, or Vue CI configuration.

vite

9
from cofin/flow

Use when editing Vite projects, vite.config.ts, vite.config.js, Vite plugins, HMR, asset bundling, frontend build settings, deployment config, or Litestar/Vite integration.

uvicorn

9
from cofin/flow

Use when deploying ASGI apps with uvicorn, editing uvicorn CLI commands, Config or Server usage, workers, reload, event loop selection, SSL, lifespan, logging, or development server behavior.

tracer

9
from cofin/flow

Use when tracing execution paths, mapping dependencies, understanding unfamiliar code, following data flow, investigating end-to-end behavior, debugging call chains, or deciding which files to read next.

testing

9
from cofin/flow

Use when writing or refactoring tests, editing test_*.py, *.test.ts, *.spec.ts, conftest.py, vitest.config.ts, pytest fixtures, mocks, coverage, async tests, anyio, or test failure debugging.

terraform

9
from cofin/flow

Use when creating, adopting, refactoring, or operating Terraform, *.tf files, .terraform.lock.hcl, terragrunt.hcl, root modules, backends, state, workspaces, imports, CI plan/apply, tests, or policy checks.

tanstack

9
from cofin/flow

Use when editing TanStack code, @tanstack imports, useQuery, createRouter, React Query, TanStack Router, Table, Form, Store, file-based routing, data fetching, or SPA state management.

tailwind

9
from cofin/flow

Use when styling with Tailwind CSS, editing tailwind.config.ts, tailwind.config.js, @tailwind directives, utility classes, responsive layouts, @apply, cn(), @theme config, dark mode, or forms.

svelte

9
from cofin/flow

Use when editing Svelte components, .svelte files, svelte.config.js, Svelte 5 runes, $state, $derived, SvelteKit, component state, or migrating away from Svelte 4 patterns.

sqlserver

9
from cofin/flow

Use when writing T-SQL, editing SQL Server .sql files, using sqlcmd, SQL Server connection strings, stored procedures, execution plans, indexes, Always On, JSON, security, or connector code.

sqlalchemy

9
from cofin/flow

Use when editing SQLAlchemy code, sqlalchemy imports, mapped_column, DeclarativeBase, ORM models, relationships, select() queries, async sessions, engines, events, or migrations.