A passthrough Anthropic client that routes Fable inference to a human over email (a 'meat proxy').
Project description
fable-meat-proxy 🥩
A drop-in replacement for the Anthropic Python client where Fable's inference is performed by a human.
Every real model passes straight through to the genuine anthropic.Anthropic client.
But when you select Fable (model="claude-fable-5", an exact allowlist — see
FABLE_MODELS), the proxy instead emails the prompt to your American friend, blocks
while polling Gmail for their reply, and returns that reply as a normal Anthropic
Message. A meat proxy: the model is a person.
The reply is authenticated: every prompt carries an unguessable token, and a reply is
accepted only if it proves it received that email — a forged From: header is not
enough (see Security).
flowchart TD
A[client.messages.create] --> B{model in<br/>Fable allowlist?}
B -- no --> C[real anthropic.Anthropic] --> D[API response]
B -- yes --> E[email prompt + token via Gmail API] --> F[friend pastes into Fable]
F --> G[friend replies to email] --> H[poll thread, verify token, parse reply] --> I[Message]
Install
pip install -e . # runtime
pip install -e '.[dev]' # + pytest
Configure
Copy .env.example to .env and fill it in:
| Variable | Purpose |
|---|---|
FABLE_FRIEND_EMAIL |
Required. Where Fable prompts are sent. |
FABLE_GMAIL_CREDENTIALS |
OAuth client secret (Desktop app) from Google Cloud. |
FABLE_GMAIL_TOKEN |
Where the minted OAuth token is cached. |
FABLE_REPLY_TIMEOUT_BUSINESS_DAYS |
Block this many business days for a reply (default 7, weekends skipped). |
FABLE_REPLY_TIMEOUT_SECONDS |
Optional raw-seconds override of the deadline (tests/demos). |
FABLE_POLL_INTERVAL |
Seconds between Gmail polls (default 120; from_env floors it at 5). |
FABLE_MODELS |
Comma-separated exact model allowlist routed to the human (default claude-fable-5). |
ANTHROPIC_API_KEY |
Standard key for the real (non-Fable) passthrough. |
One-time Gmail auth
-
In Google Cloud Console, enable the Gmail API and create an OAuth client ID of type Desktop app. Download it as
credentials.json. -
Run the OAuth flow once to mint
token.json:fable-meat-auth
Least-privilege scopes are requested: gmail.send + gmail.readonly (send the
prompt, read the reply thread — no modify/label/delete). The minted token.json
holds a refresh token, so it's a secret: it's written 0600 and gitignored.
Use
from fable_meat_proxy import Anthropic
client = Anthropic() # config + Gmail service resolved from the environment
# Real model: ordinary API call.
client.messages.create(
model="claude-opus-4-8", max_tokens=1024,
messages=[{"role": "user", "content": "hi"}],
)
# Fable: emails your friend, blocks until they reply, returns their answer.
msg = client.messages.create(
model="claude-fable-5", max_tokens=1024,
messages=[{"role": "user", "content": "Write a haiku about meat."}],
)
print(msg.content[0].text) # whatever your friend pasted back
Async works the same way via AsyncAnthropic (blocking Gmail calls run in a thread,
polling uses asyncio.sleep):
from fable_meat_proxy import AsyncAnthropic
client = AsyncAnthropic()
msg = await client.messages.create(model="claude-fable-5", max_tokens=1024, messages=[...])
Your friend receives a formatted email (system prompt + conversation), pastes it into Fable, and replies with Fable's output as the plain-text body. The text above the quoted original is taken as the answer. They must leave the quoted original (which carries the verification token) in place.
Security
Because the "model" is reachable by email, the proxy treats inbound replies as untrusted:
- Reply authentication. Each request embeds an unguessable token (in the body and
the
Message-ID). A reply counts only if it echoes that token — via the quoted original or theIn-Reply-To/Referencesheaders — and comes from the configured friend's exact address. SpoofingFrom:alone is rejected. (The token only ever reaches the friend's inbox, so an attacker who hasn't seen the email can't reproduce it.) This is application-layer defence on top of Gmail's own DKIM/DMARC filtering. - Exact model routing. Only models in the
FABLE_MODELSallowlist take the human path. A substring likenot-fablecan't divert a private prompt to email. - No Fable bypass.
stream=…,with_raw_response,with_streaming_response, andcount_tokensreject Fable models rather than silently hitting the real API. - Reply parsing. Attachments are ignored when picking the answer body; the HTML
fallback strips comments and hidden (
display:none/visibility:hidden) text. - Secrets.
token.jsonis created0600with no create→chmod race, and an existing world/group-readable token is tightened before use. Scopes are least-privilege (gmail.send+gmail.readonly). - Prompt injection. The outgoing email marks the conversation as untrusted and tells the human not to follow instructions embedded in it.
How it works
client.py— the wrappingAnthropic/AsyncAnthropic; routes on an exact model allowlist, delegates everything else (.models,.beta, …) to the real client. Fable routing applies tomessages.create/messages.stream/messages.count_tokens.meat.py— the human backend: mint a per-request token → format → send → block on a verified reply → build aMessage.gmail_transport.py— OAuth (with0600token handling), send, thread polling, and token-authenticated reply matching, with transient-error retries (HTTP 429/5xx and network errors) using exponential backoff.timing.py— business-day deadline arithmetic for the (slow, human) reply timeout.parsing.py— render the outgoing email (with the verification token); extract the reply (text/plain, skipping attachments, with a hardened HTML fallback) and strip quoted text.errors.py—FableMeatError,FableReplyTimeout(also aTimeoutError),FableConfigError.
Test
pytest
68 tests run offline — they mock the Gmail service and the real Anthropic client and
cover routing (exact allowlist), sync + async paths, reply authentication (token in body
and threading headers, spoof rejection), reply parsing (plain/HTML/quote-stripping,
attachment skipping, hidden-text removal), polling, business-day deadlines,
transient-error retries, streaming/count_tokens rejection, secret-file permissions,
delegation, config, and Message construction. The Gmail OAuth round-trip itself needs
your real credentials.
Logging uses the standard logging module under the fable_meat_proxy logger (no
handlers are installed by the library — configure your own to see send/poll/reply events).
Caveats
- Latency is measured in human attention span. Calls block up to 7 business days by default. The process must stay alive for the duration — for long waits, run it under a durable worker rather than an interactive script.
- Streaming for Fable raises
NotImplementedError(a human reply arrives all at once);count_tokensraisesFableMeatErrorfor Fable models. - Tool use and token accounting are not modeled for Fable (usage is reported as zero). Non-Fable models keep the full real SDK behaviour.
- Reply authentication assumes the friend leaves the quoted original (or proper threading headers) intact; a reply that strips both can't be verified and will wait until the deadline.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file fable_meat_proxy-0.2.0.tar.gz.
File metadata
- Download URL: fable_meat_proxy-0.2.0.tar.gz
- Upload date:
- Size: 29.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
301b933aec9436834a059978708d94c079eac6e161025e394b201a10d04164e1
|
|
| MD5 |
c6e360b5f8880411b70efdcb413f8dac
|
|
| BLAKE2b-256 |
bcbda934b2fd4104bd9e1d6d343f09c485796ad53448eaafc673f73c91c13ff7
|
Provenance
The following attestation bundles were made for fable_meat_proxy-0.2.0.tar.gz:
Publisher:
release.yml on plwp/fable-meat-proxy
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
fable_meat_proxy-0.2.0.tar.gz -
Subject digest:
301b933aec9436834a059978708d94c079eac6e161025e394b201a10d04164e1 - Sigstore transparency entry: 2002074528
- Sigstore integration time:
-
Permalink:
plwp/fable-meat-proxy@b1503cb4dc9c256c1d397207ae39a63fd9e9620c -
Branch / Tag:
refs/tags/v0.2.0 - Owner: https://github.com/plwp
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@b1503cb4dc9c256c1d397207ae39a63fd9e9620c -
Trigger Event:
push
-
Statement type:
File details
Details for the file fable_meat_proxy-0.2.0-py3-none-any.whl.
File metadata
- Download URL: fable_meat_proxy-0.2.0-py3-none-any.whl
- Upload date:
- Size: 22.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bcbfdaf596a839bd625dc28e99f73a8d086cc2b06920352e1620ddf49fc77a49
|
|
| MD5 |
89e43aa2907ae0992cf09b4118abb1da
|
|
| BLAKE2b-256 |
e51e4df8f6cc878e56bbb25f15e929013baef1aaa205abefeeba83e283ece024
|
Provenance
The following attestation bundles were made for fable_meat_proxy-0.2.0-py3-none-any.whl:
Publisher:
release.yml on plwp/fable-meat-proxy
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
fable_meat_proxy-0.2.0-py3-none-any.whl -
Subject digest:
bcbfdaf596a839bd625dc28e99f73a8d086cc2b06920352e1620ddf49fc77a49 - Sigstore transparency entry: 2002074677
- Sigstore integration time:
-
Permalink:
plwp/fable-meat-proxy@b1503cb4dc9c256c1d397207ae39a63fd9e9620c -
Branch / Tag:
refs/tags/v0.2.0 - Owner: https://github.com/plwp
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@b1503cb4dc9c256c1d397207ae39a63fd9e9620c -
Trigger Event:
push
-
Statement type: