chore: minimise runtime dependency footprint #436

Merged
DhairyaPatel7 merged 13 commits into main from chore/dependency-cleanup
Apr 24, 2026

@DhairyaPatel7
Collaborator

Summary

Wave 1 of the fleet-wide dependency-minimisation pass (tracking
open-autonomy#2477) applied to mech.

  • Contracts: custom contracts (olas_mech, hash_checkpoint,
    balance_tracker) reach through ledger_api.api.* instead of direct
    web3 / eth_abi / eth_utils / hexbytes / eth_typing imports.
    All of those imports are gone from olas_mech/contract.py; the dead
    web3.types import is removed from hash_checkpoint/contract.py;
    the unused web3 YAML dep is pruned from balance_tracker.
  • Skills: dead web3 / eth-abi imports and YAML declarations
    removed from websocket_client, task_execution, task_submission_abci.
    contract_subscription is intentionally left alone — it uses
    Web3.HTTPProvider at runtime.
  • Agent config: agents/mech/aea-config.yaml dep block trimmed of
    14 deps that no longer have callers. protobuf widened to <7,>=5
    and py-ecc to <10,>=8 to match the post-2477 vendored packages.
  • pyproject.toml / tox.ini: 15 stale direct deps removed;
    4 dead [mypy-*] ignore sections dropped.
  • CI parity: new tox -e check-third-party-hashes env mirrors the
    agent-repo pattern, pinned to open-autonomy@0.21.19 +
    open-aea@2.2.1. Wired into common_checks.yaml so the repo now
    verifies its third_party hashes against upstream on every PR.

HexBytes regression check (from mech PR #435)

OA PR 2477 removed the HexBytes(data) coercion from
multisend.encode_data. This surfaced in mech as
TypeError: can't concat str to bytes on every delivery cycle.
PR #435 fixed the two helpers that returned hex strings
(hash_checkpoint.get_checkpoint_data,
complementary_service_metadata.get_update_hash_tx_data). This PR
builds on that fix — the bytes.fromhex(...) idiom is now the norm
across every affected helper in olas_mech/contract.py too.

Test plan

  • tox -e check-hash — verified locally
  • tox -e check-packages — verified locally
  • tox -e check-dependencies — verified locally (no issues)
  • tox -e check-third-party-hashes — verified locally (27/27 consistent)
  • tox -e black-check
  • tox -e isort-check
  • tox -e flake8
  • tox -e mypy — 64 files, no issues
  • tox -e pylint
  • tox -e darglint
  • Live delivery smoke test on Gnosis (reviewer to confirm — the
    regression fixed by PR #435 (Fix/multisend str vs bytes) is retained,
    no new bytes/str footguns introduced)

Related

  • open-autonomy#2477 — upstream fleet-wide dependency cleanup
  • mech#435 — the narrow fix for the 0.21.19 multisend regression

🤖 Generated with Claude Code
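Added example (not code from this PR or from open-autonomy): a standard-library sketch of the HexBytes regression described in the PR description above, where an encoder that no longer coerces its input meets a helper that returns a hex string. The function names and sample values are hypothetical; the packed layout is the usual Safe MultiSend entry (operation, address, value, data length, data).

```python
from typing import Union

# Constructed sample values, not taken from the PR or any deployment.
SAMPLE_TO = "0x" + "11" * 20
SAMPLE_CALLDATA_HEX = "0xa9059cbb" + "00" * 64  # 4-byte selector + two words


def to_bytes(data: Union[bytes, bytearray, str]) -> bytes:
    """Normalise calldata: raw bytes pass through, hex strings are decoded."""
    if isinstance(data, (bytes, bytearray)):
        return bytes(data)
    if isinstance(data, str):
        # bytes.fromhex() rejects the "0x" prefix, so strip it first.
        digits = data[2:] if data[:2].lower() == "0x" else data
        return bytes.fromhex(digits)  # ValueError on non-hex input
    raise TypeError(f"expected bytes or hex str, got {type(data).__name__}")


def encode_tx(operation: int, to: str, value: int, data: bytes) -> bytes:
    """Pack one entry; as in the behaviour described above, `data` is not coerced."""
    to_raw = to_bytes(to)
    if len(to_raw) != 20:
        raise ValueError("address must be exactly 20 bytes")
    return (
        operation.to_bytes(1, "big")
        + to_raw
        + value.to_bytes(32, "big")
        + len(data).to_bytes(32, "big")  # wrong length too if data is a hex str
        + data
    )


def error_for_hex_string_payload() -> str:
    """Feed a hex string straight in, as a helper that returns str would."""
    try:
        encode_tx(0, SAMPLE_TO, 0, SAMPLE_CALLDATA_HEX)  # type: ignore[arg-type]
    except TypeError as exc:
        return str(exc)
    return "no error"


def encode_tx_checked(operation: int, to: str, value: int, data: bytes) -> bytes:
    """Fail at the call boundary with a message that names the real problem."""
    if not isinstance(data, (bytes, bytearray)):
        raise TypeError(
            f"data must be bytes, got {type(data).__name__}; "
            "decode hex with bytes.fromhex() in the helper that builds it"
        )
    return encode_tx(operation, to, value, bytes(data))


if __name__ == "__main__":
    print(error_for_hex_string_payload())
    packed = encode_tx_checked(0, SAMPLE_TO, 0, to_bytes(SAMPLE_CALLDATA_HEX))
    print(len(packed), int.from_bytes(packed[53:85], "big"))
```

A regression test that asserts both the TypeError and the encoded length field catches the case where a later coercion hides the type error but leaves the length computed over hex characters.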

DhairyaPatel7 and others added 7 commits April 23, 2026 18:43
…_api.api.*

Mirrors the "sweep 16 contracts for type-only web3/eth_typing imports"
pattern from open-autonomy PR #2477. Custom mech contracts now reach
through the ledger_api surface provided by open-aea-ledger-ethereum==2.2.1
instead of importing web3 / eth_abi / eth_utils / hexbytes directly.

- olas_mech/contract.py:
  * drop eth_typing, eth_utils, hexbytes, web3 imports; add Union
  * pad_address_for_topic returns bytes (was HexBytes)
  * Web3.to_checksum_address -> ledger_api.api.to_checksum_address
    (adds cast(EthereumApi, ledger_api) where missing)
  * event.topic + event.process_log(log) replaces
    event_abi_to_log_topic + get_event_data(w3.codec, event_abi, log)
  * BlockIdentifier / FilterParams / TxReceipt annotations replaced
    with Union[int, str] / Dict[str, Any]
  * entry.transactionHash.to_0x_hex() -> "0x" + entry["transactionHash"].hex()
  * get_event_entries now takes a ContractEvent instance, not an ABI dict

- hash_checkpoint/contract.py:
  * drop dead `from web3.types import BlockIdentifier, TxReceipt`
    (never used).

- contract.yaml blocks pruned of deps now transitively reachable via
  open-aea-ledger-ethereum==2.2.1:
  * olas_mech: drop web3, eth-abi, eth-utils, hexbytes, eth_typing
  * hash_checkpoint: drop web3
  * balance_tracker: drop web3 (no Python usage)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- websocket_client/handlers.py: remove dead `from web3 import Web3`
  and `from web3.types import TxReceipt` — neither is referenced in
  the file after the imports.
- websocket_client/skill.yaml: drop web3 (no longer imported).
- task_execution/skill.yaml: drop eth-abi (no Python usage).
- task_submission_abci/skill.yaml: drop web3 (no Python usage).

contract_subscription is intentionally left alone — it uses
Web3.HTTPProvider at runtime.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

… 0.21.19

Drop entries that no longer have callers after the contract/skill sweep
and the open-autonomy 0.21.19 bump:
  eth-abi, eth-utils, eth_typing, hexbytes, ipfshttpclient,
  packaging, py-eth-sig-utils, pycryptodome, pytz, typing_extensions,
  werkzeug, attrs.

Widen ranges to match the post-2477 vendored package declarations:
  protobuf:  <6,>=5  ->  <7,>=5    (matches abci connection)
  py-ecc:    ==8.0.0 ->  <10,>=8   (matches abstract_round_abci;
                                    drand BLS API stable across 7→9)

No change to connections / contracts / protocols / skills references.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Drop direct deps reachable transitively via open-aea[all]==2.2.1 /
open-aea-ledger-ethereum==2.2.1 / open-autonomy==0.21.19, and deps
whose last import site was removed in earlier commits:

pyproject.toml:
  ipfshttpclient, eth_typing, hexbytes, packaging, pytz,
  typing_extensions, toml, eth-abi, eth-utils, pycryptodome,
  multiaddr, werkzeug, attrs, py-eth-sig-utils, protobuf

tox.ini:
  Drop 4 now-dead [mypy-*] ignore_missing_imports sections for
  toml, ipfshttpclient, eth_abi, py_eth_sig_utils.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Mech-family repos (mech, mech-predict, mech-server, mech-agents-fun,
mech-interact, mech-client) have never verified that their
third_party packages.json hashes match upstream source-of-truth.
Agent repos (trader, optimus, meme-ooorr, IEKit, market-creator)
all run `aea-ci check-third-party-hashes` in CI against
valory-xyz/open-autonomy and valory-xyz/open-aea tags.

Mirror that check on mech, pinned to open-autonomy@0.21.19 and
open-aea@2.2.1 (the baseline this PR brings the repo to). Wired
into the copyright_and_dependencies_check job, right after
tox -e check-dependencies, so CI catches drift on every PR.

Verified locally: all 27 third-party hashes consistent with both
upstreams.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

After the contract/skill/agent cleanup, regenerate all affected
custom package fingerprints and cascading hash pins via
`autonomy packages lock`:

  contract/valory/olas_mech/0.1.0
  contract/valory/balance_tracker/0.1.0
  contract/valory/hash_checkpoint/0.1.0
  skill/valory/task_execution/0.1.0
  skill/valory/task_submission_abci/0.1.0
  skill/valory/websocket_client/0.1.0
  skill/valory/delivery_rate_abci/0.1.0
  skill/valory/contract_subscription/0.1.0
  skill/valory/mech_abci/0.1.0
  agent/valory/mech/0.1.0
  service/valory/mech/0.1.0

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

`uv lock` removed 7 packages no longer reachable from the trimmed
[project.dependencies]:
  base58 (transitive via py-eth-sig-utils),
  ipfshttpclient, multiaddr, netaddr (transitive),
  py-eth-sig-utils, pytz, toml.

Fixes the lock_check CI job that runs `uv lock --check` — the previous
commit trimmed pyproject.toml but forgot to update uv.lock.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Comment thread packages/valory/agents/mech/aea-config.yaml Outdated
Comment thread packages/valory/contracts/hash_checkpoint/contract.py
Comment thread packages/valory/contracts/olas_mech/contract.py
Comment thread packages/valory/skills/task_execution/skill.yaml Outdated
Comment thread packages/valory/skills/task_submission_abci/skill.yaml Outdated
Comment thread packages/valory/skills/websocket_client/handlers.py Outdated
Comment thread tox.ini

Addresses the code-actionable comments from the 2026-04-23 review round:

- olas_mech/contract.py: reintroduce `BlockIdentifier = Union[int, str]`
  as a local module alias so the public signatures keep their intent-
  documenting name without reintroducing the `web3.types` import. Every
  existing caller in mech passes either an `int` block number or the
  literal strings "earliest" / "latest", so the alias is strictly
  sufficient coverage. Verified against web3 7.14 that
  `event.topic` / `event.process_log()` preserve the semantics of the
  previous `event_abi_to_log_topic` + `get_event_data` pair. No
  behaviour change; this is a naming/documentation improvement.

- task_execution/utils/ipfs.py: drop the runtime dependency on
  `py-multibase` and `py-multicodec`. Callers now reach through
  `aea.helpers.multiformat.multibase_decode` and
  `aea.helpers.multiformat.multicodec_remove_prefix` introduced in
  open-aea#861 (merged 2026-04-07) and vendored in
  `open-aea==2.2.1`. The new API expects bytes input, so the call-site
  encodes the incoming CID string as ASCII. Cross-validated byte-for-byte
  against the legacy libraries on a real mech CID. Tests updated to
  patch the new symbol targets.

- Strip `py-multibase` / `py-multicodec` from the three skill yamls
  that declared them (`task_execution`, `task_submission_abci`,
  `delivery_rate_abci`) plus the agent `aea-config.yaml`, `pyproject.toml`
  and `tox.ini [deps-packages]`. Drop the two now-unneeded `[mypy-*]`
  ignore sections. `uv.lock` loses 5 packages (2 direct + 3
  transitives: morphys, python-baseconv, varint).

- websocket_client/handlers.py: reorder imports so stdlib (`enum`,
  `typing`) is grouped at the top, followed by third-party (`aea.*`)
  and then first-party (`packages.*`), per PEP 8 / isort `profile=black`
  conventions. Note: this file sits outside the repo's
  `SERVICE_SPECIFIC_PACKAGES` lint scope, which is why the existing
  ordering wasn't caught by local or CI isort-check.

Verified locally before push: `uv lock --check`, `tox -e check-hash`,
`check-packages`, `check-dependencies`, `check-third-party-hashes`
(27/27 consistent), `check-doc-hashes`, `check-abci-docstrings`,
`check-abciapp-specs`, `check-handlers`, `liccheck`, `tomte check-code`
(black, isort, flake8, mypy, pylint, darglint), `tomte check-copyright`,
`tomte check-doc-links`, `tomte check-security` (bandit + safety),
plus `pytest` for the impacted skill tests (295 pass). `tomte
check-spelling` diverges locally for pre-existing reasons unrelated
to this change — CI's mdspell run is green at HEAD.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

DhairyaPatel7 added a commit to valory-xyz/mech-predict that referenced this pull request Apr 23, 2026
Back-port of mech valory-xyz#436 patterns via mech tag bump v0.31.2 → v0.31.3.

Third-party sync: olas_mech contract + 6 skill hashes bumped to
mech@v0.31.3, automatically inheriting the BlockIdentifier alias in
olas_mech/contract.py, the aea.helpers.multiformat migration in
task_execution/utils/ipfs.py, py-multibase/py-multicodec drops from
task_execution + task_submission_abci + delivery_rate_abci skill yamls,
and websocket_client/handlers.py PEP 8 reorder. No local file edits to
third-party packages.

Repo-local migration (scripts/publish_metadata.py):
- Drop `from multibase import multibase` + `from multicodec import multicodec`
- Reach through aea.helpers.multiformat.multibase_decode +
  aea.helpers.multiformat.multicodec_remove_prefix (inlined in
  open-aea==2.2.1 via valory-xyz/open-aea#861). The new
  multibase_decode signature takes bytes, so the call-site ASCII-encodes
  the CID string returned by `to_v1(...)`.

Local drops now possible because third-party skills no longer declare
py-multibase / py-multicodec and the repo-local script no longer needs
them either:
- pyproject.toml: drop py-multibase / py-multicodec
- tox.ini [deps-packages]: drop py-multibase / py-multicodec
- tox.ini: drop [mypy-multibase.*] / [mypy-multicodec.*] ignore sections

Dead-pyproject-dep audit (0 imports + 0 YAML refs):
- jsonschema: no imports anywhere in packages/, scripts/, benchmark/;
  only string literal occurrences in docstrings. Dropped.

`uv.lock` loses 5 packages (py-multibase, py-multicodec + 3 transitives:
morphys, python-baseconv, varint).

Verified locally: uv lock --check, tox -e check-hash, check-packages,
check-dependencies, check-third-party-hashes (39/39 consistent with
open-autonomy@0.21.19 + open-aea@2.2.1 + mech@0.31.3), liccheck,
tox -e bandit -e safety, mypy (36 files, no issues), pylint (10.00/10),
darglint, plus `uv run black --check / isort --check-only / flake8` on
customs + scripts + benchmark scope.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

DhairyaPatel7 marked this pull request as ready for review April 24, 2026 06:58
DhairyaPatel7 and others added 2 commits April 24, 2026 12:47
Per David's review comment on PR #436 (2026-04-24): every dev-section
package (not just a subset) should sit in the lint scope. Previously
SERVICE_SPECIFIC_PACKAGES covered 6 of the 11 dev Python packages;
this commit adds the 5 that were missing:

- contracts/balance_tracker
- contracts/complementary_service_metadata
- contracts/hash_checkpoint
- skills/delivery_rate_abci
- skills/websocket_client

Pre-existing violations surfaced by the expanded scope, fixed in this
commit:

flake8:
- websocket_client/behaviours.py: dropped 8 unused imports
  (`json`, `re`, `abc.ABC`, `typing.Dict/Set/Type`, `aea.mail.base.Envelope`,
  `WebsocketClientDialogue`)
- websocket_client/handlers.py: dropped 3 unused imports
  (`json`, `time`, `aea.protocols.base.Message`)
- balance_tracker/contract.py: dropped 2 unused imports (`typing.Any`, `cast`)
- delivery_rate_abci/models.py: dropped 1 unused import (`typing.List`)
- delivery_rate_abci/tests/test_behaviours.py: `_i`/`_j` for unused
  loop control variables (B007)

docstrings:
- websocket_client/behaviours.py: added 4 missing method docstrings
  (D102) on the subscription-status properties
- websocket_client/dialogues.py: collapsed multiline module docstring
  to one-liner (D200)

mypy:
- websocket_client/behaviours.py: `_last_subscription_check: Optional[float]`
  instead of inferred `None` (was being reassigned to a float).
- websocket_client/behaviours.py: three helper methods
  (`_create_subscription`, `_check_subscription`, `_ws_send`) had
  `Generator[None, None, WebsocketClientMessage]` return type but no
  `yield` statements — they're plain functions that `put_message` and
  return. Retyped to `None`.
- delivery_rate_abci/tests/test_behaviours.py: loosened `_run_generator`
  parameter to `Generator[Any, Any, Any]` (it's a test helper that
  drives any behaviour generator); annotated `tx_gen` and stub
  function attributes with explicit types.

darglint:
- delivery_rate_abci/behaviours.py + task_submission_abci/behaviours.py:
  added `:yield:` lines to `_get_safe_tx_hash` sphinx docstrings (DAR301).
- task_submission_abci/tests/conftest.py: `_make_full_ctx` had `**overrides`
  + 4 kwargs undocumented; filled in the `:param:` / `:return:` block.

autonomy packages lock regenerated all hashes touched by the above.

Verified locally before push: tomte check-code (black-check, isort-check,
flake8, mypy, pylint, darglint — all OK), uv lock --check, tox -e
check-hash, check-packages, check-dependencies, check-third-party-hashes
(27/27 consistent), liccheck, check-abci-docstrings, check-abciapp-specs,
check-handlers, plus pytest for the four impacted skill test suites
(549 pass).

Downstream impact (follow-up): mech-server / mech-predict / mech-agents-fun
all sync these skills + contracts as third-party from mech. Once this
merges, cut v0.31.4 and cascade the new hashes (similar to the v0.31.3
cascade on 2026-04-23).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

CI copyright check failed on the previous commit (97d4f2f) for the 5
delivery_rate_abci .py files I reformatted via black + fixed lint
issues in. Headers were still `Copyright 2025 Valory AG`; tomte
check-copyright requires 2025-2026 since the files were last modified
in 2026.

Local tomte check-copyright in the previous round did not catch this
because mech's SERVICE_SPECIFIC_PACKAGES scope for other linters
doesn't overlap with the --exclude-part list passed to check-copyright
(which is filename-token-based, not directory-based); this skipped
the delivery_rate_abci dir in the earlier audit pass. The pyproject
fix is unchanged; only the 5 header years bump.

Verified locally: `tomte check-copyright --author valory
<full exclude-part list from CI>` passes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Comment thread packages/valory/agents/mech/aea-config.yaml Outdated
Comment thread pyproject.toml Outdated
DhairyaPatel7 and others added 2 commits April 24, 2026 13:49
Follow-up to 836990a. The sed that bumped `Copyright 2025` →
`2025-2026` on 5 delivery_rate_abci/*.py files modified their
content; I didn't re-run `autonomy packages lock` after it, so the
fingerprints in `skills/delivery_rate_abci/skill.yaml` still pointed
at the pre-sed content. CI caught it via `autonomy packages lock
--check` on HEAD — check-hash failed on delivery_rate_abci.

This commit regenerates the full fingerprint cascade:
delivery_rate_abci → mech_abci → agent/mech → service/mech hashes
all update together.

Verified locally: `tox -e check-hash` passes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…cation

Per David's review comment on PR #436 (2026-04-24): mech is a
framework/lib repo (its skills + contracts are synced as third_party
into the agent/app repos mech-server, mech-predict, mech-agents-fun,
mech-interact). Framework/lib repos should pin OA / open-aea / plugins
exactly but use ranges for everything else, matching the ranges
declared upstream in open-autonomy.

Ranges sourced from open-autonomy v0.21.19 pyproject.toml
[tool.poetry.dependencies]. Three scopes updated to stay in sync
(pyproject.toml, tox.ini [deps-packages], agent aea-config.yaml):

Pin → range conversions (12 deps):
  requests==2.32.5           → requests>=2.32.5
  hypothesis==6.21.6         → hypothesis>=6
  certifi==2026.2.25         → certifi (unpinned, match OA)
  multidict==6.7.1           → multidict (unpinned, match OA)
  py-ecc==8.0.0              → py-ecc<10,>=8 (matches OA; reverts
                               the earlier cleanup pass's narrow pin)
  openapi-core==0.22.0       → openapi-core<0.23,>=0.22
  pebble==5.1.3              → pebble<6,>=5.1
  PyYAML==6.0.1              → PyYAML>=6
  pytest-asyncio==1.3.0      → pytest-asyncio>=1.3
  prometheus_client==0.23.1  → dropped; already declared once as
                               prometheus-client>=0.23.1,<0.24
                               (duplicate entry collapsed)

Stays pinned (OA / open-aea / plugins — framework contract):
  open-autonomy==0.21.19
  open-aea-ledger-ethereum==2.2.1
  open-aea-ledger-cosmos==2.2.1
  open-aea-test-autonomy==0.21.19
  open-aea-cli-ipfs==2.2.1
  open-aea-helpers==0.21.19

Not in OA upstream; kept narrow-pinned or narrow-ranged:
  openai==1.30.2      (mech-specific AI dep, no upstream anchor)
  grpcio==1.78.0      (OA also pins exactly at 1.78.0)

Agent aea-config.yaml `dependencies:` block updated to the same
ranges so the agent-as-union-of-component-deps invariant holds.
tox.ini [deps-packages] mirrored. uv.lock regenerated; 119 packages
resolve unchanged.

Verified locally: uv lock --check, tox -e check-hash, check-packages,
check-dependencies, check-third-party-hashes (27/27 consistent),
liccheck, tomte check-copyright, tomte check-code
(black, isort, flake8, mypy, pylint, darglint — all OK),
check-abci-docstrings, check-abciapp-specs, check-handlers.

Downstream propagation: the mech-family agent repos (mech-server,
mech-predict, mech-agents-fun, mech-interact) are agent/app repos
under David's taxonomy and keep exact pins throughout — no range
conversion required there.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

DhairyaPatel7 added a commit to valory-xyz/mech-predict that referenced this pull request Apr 24, 2026
Cascade from mech valory-xyz#436 review round (2026-04-24). mech tags v0.31.2
and v0.31.3 were deleted; new v0.31.2 cut at 46b4ba7. This commit
bumps the pin, re-syncs new third-party hashes, and applies the
"mech-family = framework/lib" classification (non-OA → ranges,
OA/OAEA/plugins → exact pins).

Third-party sync: olas_mech contract + 6 skills + 3 contracts
(complementary_service_metadata, balance_tracker, hash_checkpoint)
all bumped to mech@v0.31.2 (new). Upstream pin
0.31.3 → 0.31.2 in [testenv:check-third-party-hashes].

Pin → range conversions (pyproject.toml + tox.ini [deps-packages]):
  # Core framework-lib deps
  requests==2.32.5           → requests>=2.32.5
  hypothesis==6.21.6         → hypothesis>=6
  certifi==2026.2.25         → certifi
  multidict==6.7.1           → multidict
  pytest-asyncio==1.3.0      → pytest-asyncio>=1.3
  pebble==5.1.3              → pebble>=5.1,<5.2  (upper bound
                              excludes LGPL 5.2.0)
  openapi-core==0.22.0       → openapi-core<0.23,>=0.22
  python-dotenv==0.21.1      → python-dotenv>=0.21

  # Custom-tool AI / data deps
  openai==1.93.0             → openai>=1.93,<2
  langchain==1.2.10          → langchain>=1.2,<2
  langchain-core==1.2.17     → langchain-core>=1.2,<2
  langchain-tavily==0.2.17   → langchain-tavily>=0.2,<0.3
  langchain-text-splitters==1.1.1 → langchain-text-splitters>=1.1,<2
  langgraph==1.0.10          → langgraph>=1,<2
  google-generativeai==0.8.6 → google-generativeai>=0.8,<0.9
  google-api-python-client==2.95.0 → google-api-python-client>=2.95,<3
  googlesearch-python==1.2.3 → googlesearch-python>=1.2,<2
  beautifulsoup4==4.12.2     → beautifulsoup4>=4.12,<5
  tiktoken==0.12.0           → tiktoken>=0.12,<0.13
  python-dateutil==2.8.2     → python-dateutil>=2.8,<3
  markdownify==0.11.6        → markdownify>=0.11,<0.14
  tavily-python==0.3.3       → tavily-python>=0.3,<0.4
  docstring-parser==0.17.0   → docstring-parser>=0.17,<0.18
  faiss-cpu==1.13.2          → faiss-cpu>=1.13,<2
  moviepy==1.0.3             → moviepy>=1,<2
  httpx==0.25.2              → httpx>=0.25,<0.26
  tqdm==4.67.1               → tqdm>=4.67,<5
  fastapi==0.110.3           → fastapi>=0.110,<0.115
  pandas==2.3.3              → pandas>=2.3,<3
  marisa-trie==1.3.1         → marisa-trie>=1.3,<2

Stays pinned (OA / open-aea / plugins — framework contract):
  open-autonomy[all]==0.21.19
  open-aea-ledger-ethereum==2.2.1
  open-aea-ledger-cosmos==2.2.1
  open-aea-test-autonomy==0.21.19
  open-aea-cli-ipfs==2.2.1
  open-aea-helpers==0.21.19
  grpcio==1.78.0 (OA also pins exactly)

Kept narrow-pinned (liccheck compat):
  lxml[html-clean]==6.0.2  — newer 6.x patch versions rename the
    `html-clean` extra to `html_clean` and mismatch liccheck's
    pkg_resources lookup.
  readability-lxml==0.8.1  — newer 0.8.4.1 requests
    `lxml[html_clean]` (underscore) which lxml 6.0.2 declares as
    `html-clean` (hyphen); pkg_resources fails the normalisation.
  replicate==0.15.7  — 0.15.8 shipped without the license
    classifier metadata liccheck requires.

Verified locally: uv lock --check, tox -e check-hash,
check-packages, check-dependencies, check-third-party-hashes
(39/39 consistent with open-autonomy@0.21.19 + open-aea@2.2.1 +
mech@0.31.2), tox -e liccheck, tox -p -e bandit -e safety,
tox -e mypy, tox -e pylint (10.00/10), tox -p -e black-check
-e isort-check -e flake8 -e darglint.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Adamantios previously approved these changes Apr 24, 2026
Comment thread tox.ini Outdated
Comment thread packages/valory/agents/mech/aea-config.yaml

- Trim [deps-packages] to match pyproject.toml — drop 12 pins that the
  pyproject cleanup already moved to transitive (ipfshttpclient,
  eth_typing, hexbytes, packaging, pytz, typing_extensions, toml,
  eth-abi, eth-utils, pycryptodome, multiaddr, py-eth-sig-utils).
  Keep werkzeug + attrs: declared by third-party http_server/connection.yaml,
  aea-helpers check-dependencies requires them.
- Sync protobuf: widen tox.ini (both [deps-packages] L33 and
  [testenv:check-hash] L245) from >=5,<6 to <7,>=5 so all three scopes
  — aea-config.yaml, tox.ini, pyproject.toml (transitive via
  open-autonomy[all]) — agree. The <7,>=5 range matches the upstream
  connection/valory/abci declaration (pulled from OA 0.21.19), which is
  what the agent actually ships with.

No package hashes move — tox.ini edits are outside packages/.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
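
Added example (not part of this PR and not the `aea-helpers` or `tomte` implementation): a standard-library check for the two invariants the commit messages above rely on, namely that pyproject.toml, tox.ini [deps-packages] and aea-config.yaml declare the same specifier for a shared dependency, and that a framework/lib repo exact-pins only OA / open-aea / plugins. The requirement lists are constructed samples; the function names, the prefix rule and the allow-list are assumptions drawn from the text.

```python
import re
from typing import Dict, FrozenSet, List, Tuple

REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")

# Constructed sample: three scopes with two deliberate inconsistencies
# (protobuf range differs; prometheus client is spelled two ways).
SCOPES: Dict[str, List[str]] = {
    "pyproject.toml": ["open-autonomy[all]==0.21.19", "requests>=2.32.5",
                       "py-ecc<10,>=8", "prometheus-client>=0.23.1,<0.24",
                       "grpcio==1.78.0"],
    "tox.ini": ["open-autonomy==0.21.19", "requests>=2.32.5", "py-ecc>=8,<10",
                "prometheus_client>=0.23.1,<0.24", "protobuf>=5,<6",
                "grpcio==1.78.0"],
    "aea-config.yaml": ["open-autonomy==0.21.19", "requests>=2.32.5",
                        "py-ecc<10,>=8", "protobuf<7,>=5", "grpcio==1.78.0"],
}

# Assumed policy inputs, read off the commit message: framework packages
# share these prefixes; these two non-framework deps are kept exact on purpose.
EXACT_PREFIXES = ("open-autonomy", "open-aea")
ALLOWED_EXACT = frozenset({"grpcio", "openai"})


def parse(req: str) -> Tuple[str, FrozenSet[str]]:
    """Split 'name[extras]spec' into the raw name and an unordered clause set."""
    match = REQ_RE.match(req.strip())
    if match is None:
        raise ValueError(f"unparseable requirement: {req!r}")
    name, _extras, spec = match.groups()
    clauses = frozenset(c.replace(" ", "") for c in spec.split(",") if c.strip())
    return name, clauses


def canonical(name: str) -> str:
    """PEP 503 name normalisation, so '-', '_' and '.' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scope_drift(scopes: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Report deps whose specifier or raw spelling differs between scopes."""
    seen: Dict[str, Dict[str, Tuple[str, FrozenSet[str]]]] = {}
    for scope, reqs in scopes.items():
        for req in reqs:
            name, clauses = parse(req)
            seen.setdefault(canonical(name), {})[scope] = (name, clauses)
    findings: List[Tuple[str, str]] = []
    for canon, per_scope in sorted(seen.items()):
        if len({clauses for _, clauses in per_scope.values()}) > 1:
            findings.append((canon, "specifier"))
        # Name-strict tools treat prometheus-client and prometheus_client as
        # different packages, so a spelling split is worth surfacing.
        if len({name for name, _ in per_scope.values()}) > 1:
            findings.append((canon, "spelling"))
    return findings


def pin_policy(reqs: List[str]) -> List[Tuple[str, str]]:
    """Framework deps must be exact; other exact pins need an allow-list entry."""
    findings: List[Tuple[str, str]] = []
    for req in reqs:
        name, clauses = parse(req)
        canon = canonical(name)
        exact = len(clauses) == 1 and all(
            c.startswith("==") and "*" not in c for c in clauses
        )
        if canon.startswith(EXACT_PREFIXES):
            if not exact:
                findings.append((canon, "framework-not-exact"))
        elif exact and canon not in ALLOWED_EXACT:
            findings.append((canon, "unexpected-exact-pin"))
    return findings


if __name__ == "__main__":
    print(scope_drift(SCOPES))
    print(pin_policy(["pebble==5.1.3", "open-aea-helpers>=0.21", "certifi"]))
```

Clause order is ignored, so `<10,>=8` and `>=8,<10` compare equal, while `>=5,<6` against `<7,>=5` is reported.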
DhairyaPatel7 merged commit 15f3c6f into main Apr 24, 2026
22 checks passed
DhairyaPatel7 deleted the chore/dependency-cleanup branch April 24, 2026 17:34
DhairyaPatel7 added a commit to valory-xyz/mech-predict that referenced this pull request Apr 27, 2026
Per @DavidMinarsch's classification on mech valory-xyz#436
(valory-xyz#436 (comment)):
mech-predict is an agent repo (app), so non-OA/OAEA/plugin deps must
have exact pins throughout — ranges are reserved for framework/lib
repos.

Reverts the widening from 36fc86a back to exact pins, restoring the
state from c94aae5:

- requests / hypothesis / pytest-asyncio / certifi / multidict /
  pebble / python-dotenv / openapi-core: ranges -> exact pins.
- AI/data libs (openai, anthropic, langchain*, langgraph*, tiktoken,
  google-generativeai, google-api-python-client, googlesearch-python,
  beautifulsoup4, python-dateutil, markdownify, tavily-python,
  docstring-parser, faiss-cpu, moviepy, httpx, tqdm): ranges -> exact pins.
- mirror tox.ini [deps-packages] (incl. fastapi, langchain-text-splitters,
  marisa-trie, langgraph-prebuilt to match aea-config exactness).
- pre-existing ranges that aea-config also keeps as ranges (aiohttp,
  py-ecc, ecdsa, web3, pytest, pypdf2, jsonschema, asn1crypto,
  protobuf, openfactverification-kongzii, prometheus-client,
  google-api-core, numpy, scipy, pandas) stay as ranges.
- exception pins kept under their explanatory comments: lxml[html-clean]
  (extras-name normalisation), readability-lxml (lxml-html-clean
  transitive), replicate (license metadata).

Resolves Divya's scope-creep concern and David's agent-repo policy in
one pass; no end-to-end tool re-run needed because the pinned versions
are exactly the ones that previously shipped.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

DhairyaPatel7 added a commit to valory-xyz/mech-agents-fun that referenced this pull request Apr 27, 2026
Per @DavidMinarsch's classification on mech #436
(valory-xyz/mech#436 (comment)):
mech-agents-fun is an agent repo (app), so non-OA/OAEA/plugin deps must
have exact pins throughout — ranges are reserved for framework/lib repos.

Reverts the widening from 6d4c5be and the aea-config sync from
a8f9326 back to exact pins:

- aea-config.yaml: openai, replicate, moviepy, anthropic,
  google-api-python-client, tiktoken, requests, httpx, google-genai,
  pillow, pebble, hypothesis -> exact pins (mirrors the original
  pre-cleanup state).
- pyproject.toml + tox.ini [deps-packages]: same set + requests,
  pytest-asyncio, certifi, multidict, pytest, openapi-core,
  prometheus-client, python-dotenv -> exact pins.
- Pre-existing legitimate ranges that aea-config also keeps as ranges
  (aiohttp, py-ecc, ecdsa, web3, openapi-spec-validator, jsonschema,
  asn1crypto, protobuf, pyyaml) stay as ranges.
- tox.ini: keep both `prometheus-client` and `prometheus_client`
  (underscore) — task_execution/task_submission_abci skill YAMLs
  declare the underscore form, and aea-helpers check-dependencies is
  name-strict.

Re-lock agent + service hashes after the aea-config edit.

Resolves Divya's scope-creep concern and David's agent-repo policy in
one pass; no end-to-end tool re-run needed because the pinned versions
are exactly the ones that previously shipped.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

DhairyaPatel7 added a commit to valory-xyz/optimus that referenced this pull request Apr 27, 2026
…leanup

Per @DavidMinarsch's classification on mech #436
(valory-xyz/mech#436 (comment)):
optimus is an agent repo (app), so non-OA/OAEA/plugin deps must have
exact pins throughout — ranges are reserved for framework/lib repos.

- tox.ini [testenv:check-third-party-hashes]: bumped upstreams to
  open-autonomy@0.21.19, mech-interact@0.28.0, genai@6.1.0,
  kv-store@0.4.0, funds-manager@2.3.0 (open-aea@2.2.1 unchanged).
- pyproject.toml + tox.ini: OA pins 0.21.18 -> 0.21.19; non-OA deps
  exact-pinned (typing_extensions, certifi, pydantic, w3multicall,
  requests, openapi-spec-validator, hexbytes); kept aea-config-style
  ranges for aiohttp/jsonschema/asn1crypto/protobuf/py-ecc; dropped
  dead `toml` dep; added `gql==3.5.0` (declared in third-party YAML).
- packages/packages.json: 33 third-party hashes refreshed from the
  authoritative upstream tags (mech-interact@0.28.0 et al.).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>