chore: minimise autonomy's runtime dependency footprint

[DavidMinarsch]

Summary

• Reduce open-autonomy's direct runtime dep declarations to the true minimum (open-aea[all]==2.2.1 + open-aea-cli-ipfs==2.2.1 as the only hard base deps; [chain], [docker], [hwi] as opt-in extras).
• Replace multiple third-party libs with open-aea helpers (2.2.1) or small stdlib-only inlines.
• Sweep every packages/valory/** manifest so each dependencies: block reflects only the direct imports of that package (runtime + tests scanned by the AEA dep checker).
• Clean up the pyproject↔tox.ini drift so tox -e check-dependencies passes and every declared entry matches an actual import somewhere.

Install matrix after this PR

Install command	chain ops	docker-compose deploy	HWI
pip install open-autonomy	❌	❌	❌
pip install open-autonomy[all]	✅	❌	❌
pip install open-autonomy[chain]	✅	❌	❌
pip install open-autonomy[docker]	❌	✅	❌
pip install open-autonomy[hwi]	❌	❌	✅

[hwi] and [docker] are intentionally excluded from [all]:

• [hwi] — transitive hidapi+Pillow chain has no armv7 wheels, breaking multi-platform Docker builds.
• [docker] — only needed by docker-compose deploys and the autonomy develop command.

What changed

autonomy/ framework — third-party → stdlib / open-aea helpers

1. use open-aea helpers for requests/jsonschema — swap to aea.helpers.http_requests + aea.helpers.json_schema; drop multiaddr (was unused).
2. drop texttable, inline a small table renderer — ~20-line ASCII renderer replaces single-call usage.
3. catch requests.ConnectionError on web3 chain paths — lazy get_requests_connection_error() in autonomy/chain/exceptions.py resolves it at call time and raises a clear install hint if the Ethereum ledger plugin is absent.
4. align pyproject.toml with setup.py, add [chain] extra — strip drift. Test-only deps move to poetry dev group.
5. drop python-dotenv → aea.helpers.base.load_env_file.
6. drop typing_extensions and aiohttp from autonomy/ — stdlib covers both on Python ≥3.10.
7. rely on open-aea[all] for click/pytest/coverage — already pulled transitively.
8. drop hexbytes, use plain bytes for multisend tx data — three redundant HexBytes(bytes.fromhex(...)) calls collapse to bytes.fromhex(...).
9. drop watchdog, move docker to optional [docker] extra — get_docker_client() raises with install hint when missing.
10. drop gql, post subgraph queries directly via aea http helper — verified live against the production subgraph that all 3 query templates return byte-identical responses.
11. drop explicit protobuf declaration from autonomy/ — transitive via open-aea.
12. drop Flask and Werkzeug, inline a Flask-compatible HTTP server — new autonomy/deploy/_http_server.py (~500 lines) mirrors the Flask/Werkzeug subset used by the localhost tendermint sidecar + replay server. Call sites unchanged.
13. tomte format-code + linter fixes.
14. make _RequestProxy dunder-safe for doctest — let Python handle __doc__/__repr__ introspection instead of routing through the thread-local request proxy.
15. cleanup.md audit notes driving the PR (since deleted after all actionable items were addressed).

packages/valory/** — manifest-wide dep sweep

16. fix CI failures from initial PR push — cascade hashes, docstrings, IPFS hashes in docs/**.
17. agent_mech — drop unused eth_typing.HexStr and web3.types.{BlockData, EventData, TxReceipt}.
18. sweep 16 contracts for type-only web3/eth_typing imports — erc20, erc8004_identity_registry_bridger, gnosis_safe_proxy_factory, multicall2, recovery_module, service_registry, sign_message_lib, staking_activity_checker, staking_token, agent_registry, erc8004_identity_registry, more. Replace Web3.to_checksum_address/Web3.keccak with ledger_api.api.to_checksum_address/ledger_api.api.keccak. Added ledger_api = cast(EthereumApi, ledger_api) at every method entry reaching ledger_api.api.*.
19. gnosis_safe: thread ledger_api through encode.py — EIP-712 encoding via ledger_api.api.codec._registry.get_encoder(typ)(arg) and ledger_api.api.keccak(x) instead of eth_abi + eth_utils.keccak + Crypto.Hash. Verified byte-identical SafeTx hash against original.
20. squads_multisig: drop solders — route Solana transfer via ledger_api.api.get_transfer_tx(...) exposed by open-aea-ledger-solana==2.2.1; add cast(SolanaApi, ledger_api) at the call site.
21. align every manifest dependencies: block with actual direct imports (runtime + tests per AEA dep-checker). Drop eth_abi, eth_utils, hexbytes, pycryptodome, py-eth-sig-utils transitively-reachable entries; promote consistent open-aea-ledger-ethereum==2.2.1 declaration for contracts whose Python uses ledger_api.api.*; enforce web3: {} / requests: {} aiohttp <4,>=3.8.5 (matches upstream).
22. promote package-YAML direct imports to pyproject main deps as an intermediate step; cleaned up in a later commit.
23. prune test-only and stale deps from package YAMLs — since autonomy check-packages exempts tests/ subfolders, test-only deps (pytest, hypothesis, pytest-asyncio, open-aea-test-autonomy) are dropped from ~15 YAMLs. Runtime agents get a leaner install. test_tools/ files (scanned by the checker since not under tests/) keep the declarations they actually import; pytest in abstract_round_abci/test_tools/ is now wrapped in a try/except with a _PytestMissing stub so the skill imports cleanly without pytest installed.
24. drop stale/unused deps from abstract_round_abci/skill.yaml — ipfshttpclient, open-aea-cli-ipfs, protobuf, requests, eth_typing, pytz, typing_extensions (swapped to stdlib datetime.timezone.utc, typing.{Literal, TypeGuard, NewType}); widen py-ecc to >=8,<10 (drand BLS API stable across 7→9).
25. drop web3.types.{Nonce, TxData, Wei} usage in transaction_settlement_abci and its squads counterpart (these are NewType wrappers, runtime no-ops). Replace with plain int / Dict[str, Any].
26. loosen YAML hypothesis pin + drop version drift — hypothesis unpinned in connections/abci; aiohttp range aligned with upstream.
27. ipfs connection: swap to upstream-inlined client — aea_cli_ipfs.ipfs_client.IPFSError (new urllib-backed hierarchy) replaces ipfshttpclient.exceptions.ErrorResponse + requests.exceptions.*. Drop both deps from the YAML.
28. add open-aea-ledger-ethereum to 6 contracts that lacked it — sign_message_lib, service_registry_token_utility, service_manager, registries_manager, erc8004_identity_registry_bridger, component_registry all declare contract_interface_paths: ethereum: and use ledger_api.api.* at runtime.
29. remove empty hello_world / hello_world_abci leftover directories.

plugins/ — local path installs + helper simplification

30. plugins/aea-test-autonomy: collapse deps to a single open-autonomy[all,docker]>=0.21.0,<0.22.0 (was: open-aea[all] + open-aea-ledger-ethereum + pytest==8.4.2 + docker==7.1.0). Always used alongside open-autonomy anyway.
31. plugins/aea-helpers: trim to open-autonomy>=0.21.0,<0.22.0 (was: +click, requests, toml, PyYAML). Swap requests → aea.helpers.http_requests inside the plugin; swap toml → stdlib tomllib with tomli fallback on Python 3.10 (transitive via pytest's python_version < "3.11" marker).

pyproject.toml / tox.ini — final cleanup

32. rehome main deps and switch plugins to local paths — main deps now reflect only runtime-only imports (web3, requests, grpcio, aiohttp, certifi, multidict, asn1crypto, ecdsa, py-ecc, open-aea-ledger-cosmos). hypothesis, pytest, pytest-asyncio, open-aea-test-autonomy move to dev. open-aea-helpers / open-aea-test-autonomy install via { path = "plugins/…", develop = true }. Flask + Werkzeug kept in dev for the docker-compose tendermint sidecar + legacy slow-tendermint test helper. Drop dead main deps (pytz, typing-extensions, ipfshttpclient, protobuf, eth-typing, pycryptodome). Unpin hypothesis, pytest, loosen web3 / requests to * (transitive chain decides). open-aea-ledger-solana left commented out (anchorpy→cachetools conflict with tomte[tox]'s tox 4.46 — needs anchorpy to loosen upstream).
33. tox.ini cleanup and check-dependencies satisfaction — drop 10 dead [deps-packages] entries, 6 duplicated framework inheritances, 17 dead [mypy-*] ignore sections. Add missing direct-import deps (aiohttp, Flask, Werkzeug, protobuf<7,>=5). Use ignore_missing_imports for third-party-only aiohttp/flask/werkzeug. Drop --exclude solders from check-dependencies. Add extras = [] hint to the optional open-aea-ledger-ethereum entry so check-dependencies' parser can see it; add protobuf and pytest-asyncio shim entries in a TODO-cleanup block so the tool doesn't flag them (setup.py remains the authoritative distribution manifest — these are harmless redundancies).

Housekeeping

34. LICENSE — extend copyright to 2021-2026.
35. SECURITY.md — bump supported versions table from 0.14.x to 0.21.x.
36. cleanup.md deleted (served its purpose; all action items addressed).
37. normalize last protobuf YAML pin — connections/abci now uses <7,>=5 (matches open-aea upstream).
38. sync ABSTRACT_ROUND_ABCI_SKILL_WITH_HASH in autonomy/constants.py with current packages/packages.json hash.

Test plan

• All linters pass via tomte check-code: black, isort, flake8, mypy, pylint, darglint.
• Package + docs tox envs all green: check-hash, check-packages, check-third-party-hashes, check-dependencies, check-api-docs, check-doc-links-hashes, check-abci-docstrings, check-abciapp-specs, check-handlers, check-dialogues, fix-doc-hashes.
• Static / security: bandit, safety, vulture, spell-check, liccheck.
• Parity verifications performed before swaps:
  • Subgraph gql → aea http_requests: all 3 query templates byte-identical against production subgraph.
  • Gnosis_safe EIP-712 encoder eth_abi → ledger_api.api.codec: byte-identical SafeTx hash for a realistic Safe v1.3 tx.
  • bytes.fromhex(...) vs HexBytes(bytes.fromhex(...)): verified identical byte representation.
• CI green on py3.10-linux through py3.14-linux.
• Manual spot-check: autonomy develop without [docker] extra raises a clear install hint.
• Manual spot-check: chain ops (mint/service) without [chain] extra raise a clear install hint.

Known follow-ups (out of scope here)

• Re-enable open-aea-ledger-solana once anchorpy upstream loosens cachetools<5 (conflicts with tomte[tox]'s tox 4.46 needing cachetools>=7.0.1).
• check-generate-all-protocols requires libprotoc 24.3 — system binary; CI installs explicitly, local dev needs matching protoc install (out of scope for pyproject/tox changes).
• Patch the aea-helpers check-dependencies tool to understand optional = true entries and dev-group deps in pyproject.toml, so the shim entries can be removed.

🤖 Generated with Claude Code

Additional work done during review

Triaged open issues (resolved or commented/closed with rationale)

• Replace the usage of wait-for-it.sh in the tendermint image with docker health checks #1712 — wait-for-it.sh unused — deleted from both tendermint Dockerfiles.
• Skills can't share the same param #1893 — sharing parameters across skills — added the "Sharing the same parameter across skills" subsection to docs/configure_service/service_configuration_file.md.
• Usage of --aev does not raise a deprecation warning. #1913 — --aev typo + deprecation — fixed the typo and added a deprecation note in the help text / docs.
• Unclear error while checking FSM spec #2203 — FSM timeout event error message — reworded for clearer resolution guidance.
• Fix links check #2235 — doc-links check — turned out to already be running inside tox -e check-doc-links-hashes; cleaned up the stale commented-out CI step and renamed the label accordingly. Issue closed.
• Pytest deprecated support for nose - Removed in version 8 #2240, Update service manager contract supported chains #2254, Allow dynamic port allocation for tendermint when running local deployment #2259, load_service_config does not apply environment variables for overrides #2278, Backport the ChainType enum from the middleware to open-autonomy #2279, models._ensure doesnt allow for reuse of same key across different skills #2282, Refactor gnosis_safe_proxy_factory -> gnosis_safe_multisig #2287, Create test to ensure Windows compatible encoding #2301, Update to latest open-autonomy in autonolas-registries and use "optimism" chain name #2337, Unnecessary eth_chainId call before every single contract interaction #2368, [Refactor] Organize methods to get data for ServiceManager deploy #2381, Create CLI for PolySafe deployments #2382, Fix dependencies #2407 — triaged. Some closed as resolved upstream (e.g. Unnecessary eth_chainId call before every single contract interaction #2368 fixed by CachedChainIdMiddleware in open-aea-ledger-ethereum), some closed as duplicates of Skills can't share the same param #1893, others kept open with a concrete analysis pointing at the specific code path and a proposed fix shape.

Security cleanup (secret + dependabot + code scanning)

• Secret scanning — the leaked Google API key in tests/data/logs/aea_0.txt (present in history since 1b9bd2e51 in 2023) was redacted with a <GOOGLE_API_KEY> placeholder in the current fixture. All 11 log-analyse tests still pass. GitHub alert resolved; key itself should be rotated in GCP.
• Dependabot (15 → 0 open after merge):
  • valory/open-autonomy-dev image — bumped stale requests==2.27.1 (2021) and watchdog==2.1.6 (2021) pins in deployments/Dockerfiles/development/Pipfile. Clears 4 alerts (CVE-2023-32681, CVE-2024-35195, CVE-2024-47081, CVE-2026-25645).
  • poetry.lock targeted updates: requests 2.32.5 → 2.33.1 (CVE-2026-25645), web3 7.14.1 → 7.15.0 (CVE-2026-40072). No other packages affected.
  • tox.ini — dropped explicit requests<2.33.0,>=2.28.1 and ecdsa>=0.15 pins; both now defer to transitive constraints from open-aea-ledger-ethereum==2.2.1 (requests>=2.32.5,<3) and open-aea-ledger-cosmos==2.2.1 (ecdsa>=0.19.2,<0.20), matching main open-aea's own pins.
  • Transitive / test-only alerts (pytest, pillow, cryptography, Pygments, PyNaCl, ecdsa, duplicated requests-in-setup.py) dismissed with per-case justifications.
• Code scanning (50 → 0 open) — 14 test-file alerts dismissed as "used in tests"; 22 path-traversal false-positives dismissed (tendermint Flask control server reads os.environ["TMHOME"] + constant paths, never request bodies); 3 command-injection false-positives (CLI/build-time subprocess with list args); 2 XSS false-positives (Flask jsonify returns JSON, not HTML); 7 server-information-exposure alerts marked "won't fix" with rationale (internal docker network only); 1 DOMXSS in docs JS ("won't fix" — author-controlled packages.json input); 1 hardcoded-secret false-positive in a k8s Secret template placeholder (already had # nosec).

Coverage push — new files driven to 100%

New test suites added so every file flagged by codecov on this PR reaches 100% patch coverage:

• tests/test_autonomy/test_deploy/test_http_server.py (53 tests) — covers autonomy/deploy/_http_server.py: Request/Response/jsonify, _Args coercion, _Route, _RequestProxy, App dispatch + error handlers, _to_response, _TestClient/_TestResponse, App.run delegation, run_app finally-branch, plus an integration test against a real threaded HTTP server.
• packages/valory/contracts/gnosis_safe/tests/test_encode.py (24 tests) — drives encode.py to 100% via a deterministic ledger_api stub; exercises every branch of encode_value (string/bytes/struct/array/primitive) + schema/dependency walk.
• tests/test_autonomy/test_chain/test_utils.py — +6 tests for resolve_component_id (service/agent/component dispatch + RPC/IPFS error paths), parse_public_id_from_metadata strip-suffix, and is_service_manager_token_compatible_chain.
• tests/test_autonomy/test_chain/test_subgraph.py — +3 tests for _query (happy path, GraphQL-errors path, HTTP error-status path).
• tests/test_autonomy/test_deploy/test_deployment_generators.py — +1 test for the DOCKER_INSTALLED=False branch of get_docker_client.

E2E rerun-fixture fix

• plugins/aea-test-autonomy: added BaseTestEnd2End.teardown_method that removes fetched agent folders and clears per-class subprocess/agent state after each test method. Without this, pytest.mark.flaky reruns (and parametrized test_run[nb_nodes] iterations) hit aea fetch's "already exists" guard because the class-scoped tmpdir leaks state from the first run.

PR review (Copilot) comments

• 4x from_block/to_block → fromBlock/toBlock in packages/valory/contracts/gnosis_safe/contract.py (get_ingoing_transfers, get_safe_txs, get_removed_owner_events, get_zero_transfer_events). Pre-existing bug on main: web3.py v7's FILTER_PARAM_NORMALIZERS only normalises address, so snake_case filter keys pass through to the RPC unchanged and the server silently returns the full-range scan. Matches the form already used by mech_marketplace/contract.py:609-611.
• autonomy/chain/subgraph/client.py — added explicit status_code >= 400 check before resp.json(), restoring the clear HTTP-error behaviour we had with gql.Client.execute before the http-helpers swap; unit test added.
• autonomy/chain/exceptions.py — ImportError hint now recommends pip install open-autonomy[chain] primarily (with open-aea-ledger-ethereum as fallback).

Dev ergonomics

• CLAUDE.md — replaced the "Pre-PR Checklist" with an ordered "Pre-commit routine" covering format-code → check-code → security → fix-copyright → check-dependencies → (if packages) generators → autonomy packages lock → fix-doc-hashes → (if docstrings) generate-api-documentation → final check-api-docs/check-hash/check-packages. Added the "Docker images required" reference table (with only the actually-consumed images — 3 of the 7 images pulled by main_workflow.yml have no fixture consumers in this repo).
• CONTRIBUTING.md — mirror "Running tests locally" section with the same minimal docker-image set.
• autonomy/constants.py ABSTRACT_ROUND_ABCI_SKILL_WITH_HASH kept in sync with every packages.json relock; doc IPFS hashes refreshed via tox -e fix-doc-hashes.
• CI fix — 5x # nosec B310 on legitimate urllib.request.urlopen calls against the hard-coded 127.0.0.1 test server in test_http_server.py (bandit false-positive on the new integration test).

[Copilot]

Pull request overview

This PR reduces open-autonomy’s runtime dependency footprint by moving non-core dependencies behind optional extras, swapping several third-party libraries for open-aea helpers/stdlib alternatives, and re-aligning Valory package manifests and tooling so dependency checks remain consistent.

Changes:

• Slimmed core runtime dependencies to open-aea[all]==2.2.1 + open-aea-cli-ipfs==2.2.1, introducing opt-in extras (e.g., chain, docker, hwi) and updating tox/poetry/setup metadata accordingly.
• Replaced a range of third-party usages (requests, jsonschema, dotenv, hexbytes, parts of eth_*) with open-aea helpers or stdlib and adjusted tests/contracts/skills to match.
• Swept packages/valory/** manifests and hashes (YAML fingerprints/IPFS hashes/docs) to reflect direct imports and updated tooling/docs to keep check-dependencies and related CI envs passing.

Reviewed changes

Copilot reviewed 137 out of 138 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
tox.ini	Reworked dependency sets + mypy sections for new footprint.
setup.py	Minimized base deps; added chain/docker extras; updated classifiers.
pyproject.toml	Reduced core deps; added extras + local-path plugin dev deps.
tests/test_deployments/test_app.py	Removed Flask typing dependency in tests.
tests/test_autonomy/test_cli/test_service/test_service_manager.py	Removed hexbytes usage in tx data.
tests/test_autonomy/test_cli/test_replay/test_tendermint.py	Patched tests to use inline HTTP app shim.
tests/test_autonomy/test_cli/test_deploy/test_build/test_deployment.py	Replaced dotenv usage with simple env file parsing.
tests/test_autonomy/test_cli/test_analyse/test_specs.py	Swapped jsonschema ValidationError to aea.helpers.json_schema.
plugins/aea-test-autonomy/setup.py	Collapsed deps to open-autonomy[all,docker].
plugins/aea-helpers/setup.py	Trimmed deps; rely on open-autonomy transitives.
plugins/aea-helpers/aea_helpers/generate_contract_list.py	Switched requests to aea.helpers.http_requests.
plugins/aea-helpers/aea_helpers/config_replace.py	Switched dotenv loading to aea.helpers.base.load_env_file.
plugins/aea-helpers/aea_helpers/check_doc_hashes.py	Switched requests usage/exceptions to aea.helpers.http_requests.
plugins/aea-helpers/aea_helpers/check_dependencies.py	Replaced toml with tomllib/tomli fallback.
plugins/aea-helpers/aea_helpers/bump_dependencies.py	Switched GitHub fetches to aea.helpers.http_requests.
plugins/aea-helpers/aea_helpers/bin_template.py	Dropped unused multiaddr codec imports.
packages/valory/skills/transaction_settlement_abci/tests/test_tools/test_integration.py	Dropped web3.types wrappers in tests.
packages/valory/skills/transaction_settlement_abci/tests/test_behaviours.py	Dropped Nonce wrapper usage in tests.
packages/valory/skills/transaction_settlement_abci/test_tools/integration.py	Dropped Nonce/Wei wrappers in test tools.
packages/valory/skills/transaction_settlement_abci/skill.yaml	Updated fingerprints + dependency decls.
packages/valory/skills/transaction_settlement_abci/models.py	Switched nonce/gas typing to plain ints.
packages/valory/skills/transaction_settlement_abci/behaviours.py	Switched tx typing to Dict/int and dropped web3 type wrappers.
packages/valory/skills/test_solana_tx_abci/skill.yaml	Updated fingerprints/hashes.
packages/valory/skills/test_ipfs_abci/skill.yaml	Updated fingerprints/hashes.
packages/valory/skills/test_abci/skill.yaml	Updated fingerprints/hashes.
packages/valory/skills/termination_abci/skill.yaml	Updated fingerprints + removed hexbytes dep.
packages/valory/skills/termination_abci/behaviours.py	Replaced HexBytes payloads with bytes.
packages/valory/skills/squads_transaction_settlement_abci/skill.yaml	Updated fingerprints + slimmed deps.
packages/valory/skills/squads_transaction_settlement_abci/models.py	Switched nonce/gas typing to plain ints.
packages/valory/skills/slashing_abci/skill.yaml	Updated fingerprints + removed hexbytes dep.
packages/valory/skills/reset_pause_abci/skill.yaml	Updated fingerprints/hashes.
packages/valory/skills/registration_abci/skill.yaml	Updated fingerprints/hashes.
packages/valory/skills/register_termination_abci/skill.yaml	Updated fingerprints/hashes.
packages/valory/skills/register_reset_recovery_abci/skill.yaml	Updated fingerprints/hashes.
packages/valory/skills/register_reset_abci/skill.yaml	Updated fingerprints/hashes.
packages/valory/skills/offend_slash_abci/skill.yaml	Updated fingerprints/hashes.
packages/valory/skills/offend_abci/skill.yaml	Updated fingerprints/hashes.
packages/valory/skills/identify_service_owner_abci/skill.yaml	Updated fingerprints/hashes.
packages/valory/skills/funds_forwarder_abci/skill.yaml	Updated fingerprints/hashes.
packages/valory/skills/counter/skill.yaml	Updated fingerprints/hashes.
packages/valory/skills/abstract_round_abci/utils.py	Dropped typing_extensions + eth_typing bls aliases.
packages/valory/skills/abstract_round_abci/tests/test_models.py	Switched Literal/TypedDict imports to stdlib typing.
packages/valory/skills/abstract_round_abci/tests/test_behaviours_utils.py	Dropped pytz for datetime.timezone.utc.
packages/valory/skills/abstract_round_abci/test_tools/rounds.py	Guarded pytest import with stub for runtime importability.
packages/valory/skills/abstract_round_abci/test_tools/common.py	Guarded pytest import with stub for runtime importability.
packages/valory/skills/abstract_round_abci/skill.yaml	Updated fingerprints + pruned deps.
packages/valory/skills/abstract_round_abci/behaviour_utils.py	Dropped pytz; use datetime.timezone.utc.
packages/valory/skills/abstract_abci/skill.yaml	Updated fingerprints/hashes.
packages/valory/services/register_reset/service.yaml	Updated agent hash reference.
packages/valory/services/counter/service.yaml	Updated agent hash reference.
packages/valory/contracts/staking_token/contract.yaml	Pruned test-only/web3 entries from deps.
packages/valory/contracts/staking_activity_checker/contract.yaml	Pruned test-only/web3 entries from deps.
packages/valory/contracts/squads_multisig/contract.yaml	Dropped solders dep; rely on ledger plugin.
packages/valory/contracts/squads_multisig/contract.py	Replaced solders.transfer with SolanaApi helper call.
packages/valory/contracts/sign_message_lib/contract.yaml	Declared ethereum ledger plugin as direct dep.
packages/valory/contracts/service_registry_token_utility/contract.yaml	Declared ethereum ledger plugin as direct dep.
packages/valory/contracts/service_registry/contract.yaml	Pruned test-only/web3 entries from deps.
packages/valory/contracts/service_registry/contract.py	Removed web3 type-only imports; use EthereumApi casts.
packages/valory/contracts/service_manager/contract.yaml	Declared ethereum ledger plugin as direct dep.
packages/valory/contracts/registries_manager/contract.yaml	Declared ethereum ledger plugin as direct dep.
packages/valory/contracts/recovery_module/contract.yaml	Pruned test-only/web3 entries from deps.
packages/valory/contracts/poly_safe_creator_with_recovery_module/contract.yaml	Dropped eth-abi/eth-utils direct deps; rely on ledger api.
packages/valory/contracts/poly_safe_creator_with_recovery_module/contract.py	Switched checksum/encode to ledger_api.api.*.
packages/valory/contracts/multisend/tests/test_contract.py	Replaced HexBytes with bytes in tests.
packages/valory/contracts/multisend/contract.yaml	Declared ethereum ledger plugin as direct dep.
packages/valory/contracts/multisend/contract.py	Replaced HexBytes/Web3 helpers; thread ledger_api for decoding.
packages/valory/contracts/multicall2/contract.yaml	Pruned explicit web3 dep.
packages/valory/contracts/mech_marketplace/contract.yaml	Dropped eth-* + hexbytes deps; keep ledger plugin.
packages/valory/contracts/mech_marketplace/contract.py	Reworked event log decoding to ContractEvent.process_log.
packages/valory/contracts/gnosis_safe_proxy_factory/contract.yaml	Pruned test-only/web3 entries from deps.
packages/valory/contracts/gnosis_safe_proxy_factory/contract.py	Replaced web3 NewTypes with Dict/int runtime values.
packages/valory/contracts/gnosis_safe/tests/test_contract.py	Replaced HexBytes with raw bytes in mocked receipts.
packages/valory/contracts/gnosis_safe/encode.py	Dropped eth-abi/pycryptodome; use ledger_api.api.codec + keccak.
packages/valory/contracts/gnosis_safe/contract.yaml	Pruned many direct deps; keep open-aea-ledger-ethereum + requests/web3.
packages/valory/contracts/gnosis_safe/contract.py	Replaced hexbytes/packaging/eth-utils usage; updated tx hash encoding.
packages/valory/contracts/erc8004_identity_registry_bridger/contract.yaml	Declared ethereum ledger plugin as direct dep.
packages/valory/contracts/erc8004_identity_registry/contract.yaml	Declared ethereum ledger plugin as direct dep.
packages/valory/contracts/erc8004_identity_registry/contract.py	Switched keccak/checksum/encode to ledger_api.api.*.
packages/valory/contracts/erc20/contract.yaml	Pruned many direct deps; keep ledger plugin.
packages/valory/contracts/component_registry/contract.yaml	Declared ethereum ledger plugin as direct dep.
packages/valory/contracts/agent_registry/contract.yaml	Pruned test-only/web3 entries from deps.
packages/valory/contracts/agent_registry/contract.py	Switched checksum ops to ledger_api.api.to_checksum_address.
packages/valory/contracts/agent_mech/contract.yaml	Pruned eth_typing/web3 entries; keep ledger plugin.
packages/valory/contracts/agent_mech/contract.py	Removed web3 type-only imports; use plain str/Dict.
packages/valory/connections/ipfs/connection.yaml	Dropped ipfshttpclient/requests deps; keep open-aea-cli-ipfs.
packages/valory/connections/ipfs/connection.py	Switched to aea_cli_ipfs.ipfs_client.IPFSError.
packages/valory/connections/abci/connection.yaml	Pruned test-only deps; widened protobuf to <7,>=5.
packages/valory/agents/test_ipfs/aea-config.yaml	Updated component hashes.
packages/valory/agents/test_abci/aea-config.yaml	Updated component hashes.
packages/valory/agents/solana_transfer_agent/tests/base.py	Switched direct web3 usage to EthereumApi.
packages/valory/agents/solana_transfer_agent/aea-config.yaml	Updated hashes + pruned test tooling dep.
packages/valory/agents/registration_start_up/aea-config.yaml	Updated hashes + pruned test tooling dep.
packages/valory/agents/register_termination/tests/base.py	Switched direct web3 usage to EthereumApi.
packages/valory/agents/register_termination/aea-config.yaml	Updated hashes + pruned test tooling dep.
packages/valory/agents/register_reset_recovery/tests/base.py	Switched requests to aea.helpers.http_requests.
packages/valory/agents/register_reset_recovery/aea-config.yaml	Updated hashes + pruned test tooling dep.
packages/valory/agents/register_reset/aea-config.yaml	Updated hashes + pruned test tooling dep.
packages/valory/agents/offend_slash/aea-config.yaml	Updated hashes + pruned test tooling dep.
packages/valory/agents/counter/tests/test_counter.py	Switched requests to aea.helpers.http_requests.
packages/valory/agents/counter/aea-config.yaml	Updated hashes + pruned test tooling dep.
packages/valory/agents/abstract_abci/aea-config.yaml	Updated hashes + pruned test tooling dep.
docs/guides/set_up.md	Updated example package hash.
docs/guides/overview_of_the_development_process.md	Updated example registry hashes.
docs/guides/deploy_service.md	Updated example service hash.
docs/counter_example.md	Updated example service hash.
docs/configure_service/analise_test.md	Updated example agent hash.
docs/api/plugins/aea_helpers/bump_dependencies.md	Synced API docs for return type change.
docs/api/deploy/generators/docker_compose/base.md	Synced API docs for optional docker type hint.
docs/api/deploy/_http_server.md	Added API docs for the stdlib HTTP server shim.
docs/api/contracts/gnosis_safe_proxy_factory/contract.md	Synced API docs for return type change.
docs/api/contracts/gnosis_safe/tests/test_contract.md	Synced API docs for HexBytes → bytes.
docs/api/contracts/gnosis_safe/encode.md	Synced API docs for ledger_api-threaded encoder.
docs/api/contracts/gnosis_safe/contract.md	Synced API docs for type/signature changes.
docs/api/chain/exceptions.md	Added docs for lazy ConnectionError resolver.
docs/advanced_reference/commands/autonomy_fetch.md	Updated example service hash.
autonomy/replay/tendermint.py	Switched Flask import to inline shim.
autonomy/deploy/generators/localhost/tendermint/app.py	Switched Flask/Werkzeug to inline shim + aea http_requests.
autonomy/deploy/generators/docker_compose/base.py	Made docker optional; added install hint when missing.
autonomy/deploy/base.py	Dropped typing_extensions TypedDict usage.
autonomy/constants.py	Updated pinned abstract_round_abci hash constant.
autonomy/configurations/validation.py	Switched jsonschema resolver to aea helper.
autonomy/cli/helpers/env.py	Switched dotenv usage to load_env_file.
autonomy/cli/helpers/chain.py	Swapped texttable with inline renderer; swapped connection error type.
autonomy/chain/utils.py	Switched requests/http error handling to aea helpers + lazy web3 requests error.
autonomy/chain/tx.py	Switched RPC connection error catching to lazy resolver.
autonomy/chain/subgraph/client.py	Dropped gql client; post queries via aea http helper.
autonomy/chain/service.py	Dropped HexBytes wrapper for multisend tx payloads.
autonomy/chain/exceptions.py	Added lazy requests.exceptions.ConnectionError resolver.
autonomy/analyse/service.py	Switched jsonschema imports to aea helper; updated error substring matching.
autonomy/analyse/abci/app_spec.py	Switched Draft4Validator import to aea helper.
SECURITY.md	Updated supported versions table to 0.21.x.
LICENSE	Extended copyright year range.
CLAUDE.md	Added repo workflow note about locking/hashes timing.
.pylintrc	Updated ignored-modules list for removed/optional deps.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codecov]

Codecov Report

❌ Patch coverage is 96.97733% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.75%. Comparing base (690704c) to head (341b047).
⚠️ Report is 39 commits behind head on main.

Files with missing lines	Patch %	Lines
packages/valory/contracts/gnosis_safe/contract.py	82.75%	5 Missing ⚠️
...ages/valory/contracts/service_registry/contract.py	50.00%	4 Missing ⚠️
...ckages/valory/contracts/agent_registry/contract.py	0.00%	2 Missing ⚠️
...nomy/deploy/generators/localhost/tendermint/app.py	75.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2477      +/-   ##
==========================================
+ Coverage   92.55%   92.75%   +0.19%     
==========================================
  Files         243      244       +1     
  Lines       17258    17492     +234     
==========================================
+ Hits        15974    16225     +251     
+ Misses       1284     1267      -17     

Flag	Coverage Δ
unittests	92.75% <96.97%> (+0.19%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[DhairyaPatel7]

Review — dependency cleanup PR

Scope note: 100 files / 3701+/1635- / 38 commits. Bundled intentionally per the description; that's defensible but makes regression bisects harder. Findings below, blocking first.

Blocking

1. pyproject.toml ↔ setup.py drift — the PyPI-facing manifest is missing runtime deps

pyproject.toml declares as hard main deps: web3, requests, aiohttp, certifi, multidict, asn1crypto, ecdsa, py-ecc, grpcio, open-aea-ledger-cosmos (plus protobuf/pytest-asyncio shims).

setup.py install_requires lists only open-aea[all]==2.2.1 and open-aea-cli-ipfs==2.2.1.

Verified against the installed 2.2.1 metadata:

• open-aea[all] brings only click, coverage, packaging, pytest, pyyaml
• open-aea-cli-ipfs brings only click, open-aea

None of the other pyproject-declared deps arrive transitively. The comment in pyproject.toml says "setup.py is the authoritative distribution manifest" — which is exactly why the omission matters: pip install open-autonomy (or [all]) from PyPI won't ship open-aea-ledger-cosmos, aiohttp, certifi, multidict, asn1crypto, grpcio, py-ecc, ecdsa, etc. If the intent is that the lean install never reaches those imports, please add a CI smoke test: fresh venv + pip install open-autonomy[all] + python -c "import autonomy.cli.core" + a minimal skill import. Otherwise, add them to setup.py.

2. packages/valory/contracts/squads_multisig/contract.py:626 — no install path pulls the Solana plugin

The call ledger_api.api.get_transfer_tx(from_pubkey, to_pubkey, lamports) is correct — I confirmed SolanaApi.api returns SolanaApiClient which exposes get_transfer_tx(from_account, to_account, amount). The concern is downstream: open-aea-ledger-solana is commented out in both pyproject.toml and setup.py (anchorpy/cachetools conflict). Any consumer of the squads_multisig contract has no declared install path for the plugin. Confirm the package YAML declares the plugin as a dep and that the re-enable is tracked as a known follow-up in the description (it is — fine) and in an issue.

Non-blocking

3. autonomy/chain/subgraph/client.py:86 — payload["data"] raises KeyError if the response has neither errors nor data. Guard it: if "data" not in payload: raise RuntimeError(...).

4. autonomy/deploy/_http_server.py:441 — body = self.rfile.read(content_length) has no cap. Malicious Content-Length wastes memory before dispatch. Localhost-only sidecar so low risk, but a constant MAX_BODY with 413 is cheap defense-in-depth (matches Flask's MAX_CONTENT_LENGTH).

5. autonomy/deploy/_http_server.py:_to_response — accepts 2-tuple only; Flask also supports (body, status, headers). Not needed today, but stricter-than-Flask means a handler surprise later is silent. Either document the restriction or support the 3-tuple form.

6. autonomy/deploy/generators/localhost/tendermint/app.py:347-354 — 404/500 errorhandlers return plain-text bodies ("Not Found", "Error Closing Node") with mimetype="application/json". Use jsonify({"error": ...}) for consistency with the other handlers. Pre-existing, but touched by this PR.

7. deployments/Dockerfiles/tendermint/Dockerfile:21 — requests==2.28.1 still pinned (CVE-2023-32681, CVE-2024-35195). PR description claims "Dependabot 15 → 0" but this container pin was not updated. Defensible if the container only talks to localhost tendermint RPC, but worth noting the inconsistency with the description.

8. packages/valory/contracts/gnosis_safe/encode.py — reach-through to ledger_api.api.codec._registry.get_encoder(typ). Point of the PR is to avoid eth_abi direct dep, but _registry is private API. Mock-based tests in tests/test_encode.py won't catch a real eth_abi refactor. Add an integration test against a real EthereumApi (or point to the parity check already in CI, which the description references).

9. autonomy/chain/exceptions.py:40-48 — except get_requests_connection_error() as e: evaluates the function every time the except clause is tested. If the plugin is missing AND the try body raises for any other reason, the ImportError replaces the original exception. Accept as-is (matches the documented pattern), but note the debuggability cost.

10. pyproject.toml lines 68-74 — the protobuf/pytest-asyncio entries that only exist to satisfy check-dependencies. TODO comment acknowledges this; please file a tracking issue for the checker patch and reference it.

11. packages/valory/contracts/gnosis_safe/encode.py:86 — docstring typo ("method struction defintion") in a file touched by this PR.

12. [tool.poetry.dependencies] pattern ledger_api = cast(EthereumApi, ledger_api) at 16 classmethod entries — noisy; a single _as_eth(ledger_api) helper would tighten it. Style-level, not blocking.

PR description

• "CI green on py3.10-linux through py3.14-linux" is still a TODO — confirm on current HEAD before merge given the version-sensitive plugin interactions.
• Install matrix is clear; consider adding a line noting that [all] does not include [docker] or [hwi] (it's in the prose but not in the matrix table).

[DavidMinarsch]

Thanks @DhairyaPatel7 — worked through each point. Audit results and disposition below. No code changes in this PR for the remaining items; tracking issues + a follow-up PR listed at the bottom.

Blocking

1. pyproject.toml ↔ setup.py drift — not a regression.

Verified against installed 2.2.1 metadata — your reading of open-aea[all] is correct (click, coverage, packaging, protobuf, pytest, pyyaml + pywin32). The lean pip install open-autonomy really does ship only open-aea[all] + open-aea-cli-ipfs + whatever the requested extra adds.

Cross-checked the actual import surface:

• No module under autonomy/ has a top-level import web3 / import requests / import aiohttp / import grpc / import ecdsa / import py_ecc / import asn1crypto / import multidict / import certifi / import aea_ledger_ethereum / from eth_account .... grep -rE '^(import|from) (web3|aea_ledger_ethereum|eth_account|requests|aiohttp|grpc|ecdsa|py_ecc|asn1crypto|multidict|certifi) ' autonomy/ returns empty.
• autonomy/cli/core.py + its import tree (including autonomy.chain.config, autonomy.cli.helpers.chain) is pure stdlib + aea.* + internal. autonomy --help works on a fully lean install.
• Packages that DO import those at top level (abci, http_client, p2p_libp2p_client connections; abstract_round_abci/utils.py) declare their runtime deps in the per-package YAML, and aea install pulls them inside the agent container at deploy time. This is the same model main uses — same gap existed there (main's setup.py was missing grpcio/ecdsa/py-ecc/asn1crypto/multidict/certifi too). Our PR moved a few deps (aiohttp, requests, protobuf) from setup.py into pyproject.toml only; none of those are reached by the lean-install CLI surface.
• CI's install_check job already does pip install .[all] --no-cache && autonomy --help on Ubuntu 3.14 — it has been passing on every PR push, which is exactly the smoke test you proposed.

So the lean install isn't broken. What IS worth tightening is the comment in pyproject.toml above the "TODO(cleanup)" block — it should say explicitly "these entries satisfy check-dependencies against the dev environment; setup.py remains the authoritative PyPI manifest and is intentionally narrower". I'll include that in the follow-up PR along with the CI smoke-test expansion you suggested (add a matched pip install open-autonomy — no extras — smoke test alongside the [all] one).

2. packages/valory/contracts/squads_multisig/contract.py:626 — correct as-is.

Verified contract.yaml already declares:

dependencies:
  open-aea-ledger-solana:
    version: ==2.2.1

So downstream consumers pulling the contract get the plugin via aea install. The framework-side gap (commented-out plugin in pyproject.toml/setup.py) is an anchorpy→cachetools conflict with tomte[tox]'s tox 4.46. PR description's "Known follow-ups" section mentions this, but there is no tracked issue — will open one.

Non-blocking

3. subgraph/client.py:86 — accepted. GraphQL spec guarantees one of errors/data, so the KeyError path is narrow, but the guard is cheap. Follow-up.

4. _http_server.py:441 body cap — accepted. Localhost-only, but constant + 413 response is trivial. Follow-up.

5. _to_response 3-tuple — declining. Zero current callers use the 3-tuple form. The module docstring already says "minimal Flask-compatible"; will add a one-line explicit mention of supported return shapes so the restriction is documented. Follow-up.

6. 404/500 handler mimetype mismatch — accepted. Affects both copies (autonomy/deploy/generators/localhost/tendermint/app.py:347-354 and deployments/Dockerfiles/tendermint/app.py:322, 328). Pre-existing from before this PR (we only touched the from flask import ... → from autonomy.deploy._http_server import ... lines in the localhost copy). Follow-up.

7. deployments/Dockerfiles/tendermint/Dockerfile:24 requests==2.28.1 — I missed this, will be handled in a follow-up PR. The sidecar's app.py:32, 225, 285 actively uses requests.get(...), so bumping the pin (to >=2.33.0,<3) is a real CVE fix. PR description's "Dependabot 15 → 0" claim is correct for the open-autonomy-dev image + poetry.lock; the tendermint image was a separate miss.

8. encode.py codec._registry private API — acknowledged, pre-existing. Main also used default_codec._registry directly (same private access, just via eth_abi). Our refactor changed the access path, not the private-ness. The byte-parity check vs the old path is in the test suite; real-EthereumApi integration coverage would catch an eth_abi refactor and is a good addition — follow-up.

9. except get_requests_connection_error() — accept. Consistent with load_hwi_plugin in autonomy.chain.config. The replacement-on-plugin-missing scenario is self-consistent (web3 itself wouldn't have imported successfully if the plugin is missing). A cache-once variant would tighten it stylistically — low priority.

10. pyproject.toml shim entries — will file tracking issue for aea-helpers check-dependencies to understand optional = true / dev-group entries so the shims can go away.

11. encode.py:73 "method struction defintion" — accepted. Pre-existing typo. Follow-up.

12. cast(EthereumApi, ledger_api) x41 — declining. Style-level, reviewer agrees non-blocking. A single helper would tighten but at the cost of a one-level-deeper stack frame in all chain-path exceptions. Trade-off not worth the churn this round.

PR description

Updated:

• Ticked the "CI green py3.10-3.14" item — test (ubuntu, 3.10-3.14) all green; e2e 3.14 green on rerun.
• Added a line on the install matrix clarifying [all] excludes [docker]/[hwi] (it was in the prose, agreed it should be on the table row).

Follow-up plan

I'll open a dedicated PR for:

• chore: fixes bugs in tests, linters and configs #3, Add price estimation demo #4, Use protobuf instead of pickle #6, CollectObservation step BFT #7, Fully extract abstract and generic components of price_estimation_abci skill into an abstract skill #11 — direct fixes.
• Minor fixes  #5 — docstring-level documentation of supported return shapes.
• Set up project #1 — the pyproject.toml comment clarification + the extra pip install open-autonomy (no extras) CI smoke test.
• Refactoring of price_estimation skill #8 — real-EthereumApi integration test for encode.py.

And tracking issues for:

• ABCI protocol and connection #2 — Solana plugin re-enable (anchorpy/cachetools conflict).
• Add 'abstract_round_abci' skill #10 — check-dependencies patch to handle dev-group / optional entries.