Merge pull request #407 from valory-xyz/chore/audit-findings

Chore/audit findings

Author: DIvyaNautiyal07

README.md

@@ -4,7 +4,7 @@
 
 <h1 align="center" style="margin-bottom: 0;">
     Autonolas AI Mechs
-    <br><a href="https://github.com/valory-xyz/mech/blob/main/LICENSE"><img alt="License: Apache-2.0" src="https://img.shields.io/github/license/valory-xyz/mech"></a>
+    <br><a href="./LICENSE"><img alt="License: Apache-2.0" src="https://img.shields.io/github/license/valory-xyz/mech"></a>
     <a href="https://pypi.org/project/open-autonomy/0.10.7/"><img alt="Framework: Open Autonomy 0.10.7" src="https://img.shields.io/badge/framework-Open%20Autonomy%200.10.7-blueviolet"></a>
     <!-- <a href="https://github.com/valory-xyz/mech/releases/latest">
     <img alt="Latest release" src="https://img.shields.io/github/v/release/valory-xyz/mech"> -->

packages/packages.json

@@ -5,15 +5,15 @@
         "contract/valory/complementary_service_metadata/0.1.0": "bafybeibjk5gdgc54wx5bz4fl2666urmfj6mx3ocqxyumqpj7wq5fdg4diu",
         "contract/valory/hash_checkpoint/0.1.0": "bafybeihidmyihq36u77psqksococh2tynwjnvkblfzikt6ud62eihdxiyi",
         "contract/valory/balance_tracker/0.1.0": "bafybeiao53oacmcgykb3swd2dtjie7laro4yfhisqh5he25pc23txximkq",
-        "connection/valory/websocket_client/0.1.0": "bafybeihstod655uvf4ekfgwtijlfnbgxe6zmadrqg62rbrv4glnd6l5bqu",
-        "skill/valory/contract_subscription/0.1.0": "bafybeiecobgr3blemmc2rz22mknszsgmpxhs7s2y6nj7cthce5gead7ksm",
-        "skill/valory/mech_abci/0.1.0": "bafybeie2s4spx53biagc6in6pspzgdeydbovefww7nsl7wouemippykmti",
-        "skill/valory/task_submission_abci/0.1.0": "bafybeic246jx7ih67zy3uzr2y6kjv6c77ejmo4qizam5k7yv5cwg4gnu4q",
-        "skill/valory/task_execution/0.1.0": "bafybeibdjmdnmmtbzudux4li4xejurvytxtwantxncwdzwrkkr4gdwv4ba",
-        "skill/valory/websocket_client/0.1.0": "bafybeig3pxibli47glqffa7dtzkwpm2ubvyurwyshpetsc2jpwxqpbtxzu",
-        "skill/valory/delivery_rate_abci/0.1.0": "bafybeihapprjbkenbuqeyvqp55hgxt6s7ejqtno45a75rbt2asmk4gc2gy",
-        "agent/valory/mech/0.1.0": "bafybeiefdaor4jgm7n6nztchbz5lpcvczcdjcooa6dsilwke627ogf7uw4",
-        "service/valory/mech/0.1.0": "bafybeidecjut2vvzbb4weqnxwlqy2etyd7vzh6plrgsxhvwvwtws4q6fdm"
+        "connection/valory/websocket_client/0.1.0": "bafybeid4cnbjpmzcsw3usg7umufgqyod2u3xfw5uso3vukt3n5hfuxvdea",
+        "skill/valory/contract_subscription/0.1.0": "bafybeibtcbtgm5ptzn6srfts3lxts5722sygmkypcknv5ocmydqwcvgeem",
+        "skill/valory/mech_abci/0.1.0": "bafybeigcesydxepnt2sedg4izpkquq5stpgsupap5p4kfjpdykcwzp3awa",
+        "skill/valory/task_submission_abci/0.1.0": "bafybeiafalxj2depsfv4qjkocdjgmxj6kfyrb6qx32o3nl2aoueafth6si",
+        "skill/valory/task_execution/0.1.0": "bafybeihxsuebduuthk2vpqjhbgjwlud7ang54afqgrwjq4ty4j6qnvelee",
+        "skill/valory/websocket_client/0.1.0": "bafybeie63j65ffblz6g6oiaynjpz4ae5mgyjz2w6o5ovqitzdbnvqzlhzu",
+        "skill/valory/delivery_rate_abci/0.1.0": "bafybeifstz7s3bwkpgnvvqyhro6f6rvgfjbgyepywcqrtvpnnrhjynfkym",
+        "agent/valory/mech/0.1.0": "bafybeigcrjni65cwu7rkopvve4k3pv4kx4s77g7wmi3ox2htm4dzg2blme",
+        "service/valory/mech/0.1.0": "bafybeibu5evuo7fotkltxt62uixkaycg7hjnghdaz367nf4xfxxj7g35q4"
     },
     "third_party": {
         "protocol/open_aea/signing/1.0.0": "bafybeifsjmldwyki3beqyvdt5lzenrg6wyrqaar5plc5rpnvtc4zlentye",

packages/valory/agents/mech/aea-config.yaml

@@ -13,7 +13,7 @@ connections:
 - valory/ipfs:0.1.0:bafybeihpmn5ur4m6sxbgh4whcp33earzbcn2yd4q4eo6cwdkfkznvdpcqe
 - valory/ledger:0.19.0:bafybeidxzeygks5zcky4u2ztcdufzptssgf6uqytxofnn6yta7qq6jsim4
 - valory/p2p_libp2p_client:0.1.0:bafybeielj3jso3wvrarp5n5rq7llpw4vgxybqiyensgjalb5ubfiawwhhu
-- valory/websocket_client:0.1.0:bafybeihstod655uvf4ekfgwtijlfnbgxe6zmadrqg62rbrv4glnd6l5bqu
+- valory/websocket_client:0.1.0:bafybeid4cnbjpmzcsw3usg7umufgqyod2u3xfw5uso3vukt3n5hfuxvdea
 contracts:
 - valory/olas_mech:0.1.0:bafybeifebpsueu5hvsmd6qjtaxiyjfbuug3bggzj3obc6tjeju6inazhrq
 - valory/complementary_service_metadata:0.1.0:bafybeibjk5gdgc54wx5bz4fl2666urmfj6mx3ocqxyumqpj7wq5fdg4diu
@@ -39,16 +39,16 @@ protocols:
 skills:
 - valory/abstract_abci:0.1.0:bafybeie7omzycvazfg6edexn2k3fteuey3alopfmlwye6e44exfcxv5apa
 - valory/abstract_round_abci:0.1.0:bafybeicehi2yqab3lldm7qzoqev3tmqrdk275sbtcabneyorhmzft76z7m
-- valory/contract_subscription:0.1.0:bafybeiecobgr3blemmc2rz22mknszsgmpxhs7s2y6nj7cthce5gead7ksm
-- valory/mech_abci:0.1.0:bafybeie2s4spx53biagc6in6pspzgdeydbovefww7nsl7wouemippykmti
+- valory/contract_subscription:0.1.0:bafybeibtcbtgm5ptzn6srfts3lxts5722sygmkypcknv5ocmydqwcvgeem
+- valory/mech_abci:0.1.0:bafybeigcesydxepnt2sedg4izpkquq5stpgsupap5p4kfjpdykcwzp3awa
 - valory/registration_abci:0.1.0:bafybeihjgfzqvuymqgku6mwqih7hlvqwr2tmdjrip3m6unt5l4e55bshkm
 - valory/reset_pause_abci:0.1.0:bafybeih6bjalcohxytg6hj3doy5dhkxonrxpqgcnclyf6tnmuyfbom2usy
-- valory/delivery_rate_abci:0.1.0:bafybeihapprjbkenbuqeyvqp55hgxt6s7ejqtno45a75rbt2asmk4gc2gy
-- valory/task_execution:0.1.0:bafybeibdjmdnmmtbzudux4li4xejurvytxtwantxncwdzwrkkr4gdwv4ba
-- valory/task_submission_abci:0.1.0:bafybeic246jx7ih67zy3uzr2y6kjv6c77ejmo4qizam5k7yv5cwg4gnu4q
+- valory/delivery_rate_abci:0.1.0:bafybeifstz7s3bwkpgnvvqyhro6f6rvgfjbgyepywcqrtvpnnrhjynfkym
+- valory/task_execution:0.1.0:bafybeihxsuebduuthk2vpqjhbgjwlud7ang54afqgrwjq4ty4j6qnvelee
+- valory/task_submission_abci:0.1.0:bafybeiafalxj2depsfv4qjkocdjgmxj6kfyrb6qx32o3nl2aoueafth6si
 - valory/termination_abci:0.1.0:bafybeiarjw4hhu2vf56yxqb4jh3kmk4hfxvqahygn6scc3rfnlogjkwwpe
 - valory/transaction_settlement_abci:0.1.0:bafybeigivknq755rbnelrdemaz3vm4x7jkofvaskm34uh36pbbg6uiquo4
-- valory/websocket_client:0.1.0:bafybeig3pxibli47glqffa7dtzkwpm2ubvyurwyshpetsc2jpwxqpbtxzu
+- valory/websocket_client:0.1.0:bafybeie63j65ffblz6g6oiaynjpz4ae5mgyjz2w6o5ovqitzdbnvqzlhzu
 default_ledger: ethereum
 required_ledgers:
 - ethereum

packages/valory/connections/websocket_client/connection.py

@@ -324,6 +324,7 @@ async def disconnect(self) -> None:
 
         await self._manager.remove_all_subscriptions()
         self._outbox.empty()
+        self._executor.shutdown(wait=True)
         self.state = ConnectionStates.disconnected
 
     async def send(self, envelope: Envelope) -> None:

packages/valory/connections/websocket_client/connection.yaml

@@ -8,8 +8,10 @@ license: Apache-2.0
 aea_version: '>=2.0.0, <3.0.0'
 fingerprint:
   __init__.py: bafybeicyrebbic2h3ytyxeg776zelg2bpshcepnkm4qc5oypqqqfq3sqmq
-  connection.py: bafybeihik3gv2zftd2th6xbgxtwuqb4evtlh52eg4cpf6cmdcunp7lbzgi
+  connection.py: bafybeifu3gxrbg73jeflw2ikdsa4zpjqwfet7d4nlgtwzyhwabxlasscvy
   readme.md: bafybeihg5yfzgqvg5ngy7r2o5tfeqnelx2ffxw4po5hmheqjfhumpmxpoq
+  tests/__init__.py: bafybeia7z63pmadvj2btahsfl6jsjo6yaolsxlb2xrtv5ml3ht3epyy2ya
+  tests/test_connection.py: bafybeighfdovrztpnicd7chmbothp62k3roaaevxp3ajelprjn4gh5eizy
 fingerprint_ignore_patterns: []
 connections: []
 protocols:

packages/valory/connections/websocket_client/tests/__init__.py

@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# ------------------------------------------------------------------------------
+#
+#   Copyright 2023-2026 Valory AG
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+# ------------------------------------------------------------------------------
+
+"""Tests for the websocket_client connection."""

packages/valory/connections/websocket_client/tests/test_connection.py

@@ -0,0 +1,81 @@
+# -*- coding: utf-8 -*-
+# ------------------------------------------------------------------------------
+#
+#   Copyright 2023-2026 Valory AG
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+# ------------------------------------------------------------------------------
+
+"""Tests for the WebSocketClient connection."""
+
+# pylint: skip-file
+
+from unittest.mock import AsyncMock, MagicMock
+
+import pytest
+
+from packages.valory.connections.websocket_client.connection import WebSocketClient
+
+
+@pytest.fixture
+def connection() -> WebSocketClient:
+    """Create a WebSocketClient with mocked internals for disconnect testing."""
+    conn = WebSocketClient.__new__(WebSocketClient)
+    conn._executor = MagicMock()
+    conn._outbox = MagicMock()
+    conn._manager = AsyncMock()
+    conn._state = MagicMock()
+    conn.logger = MagicMock()
+    return conn
+
+
+class TestDisconnectShutdownExecutor:
+    """Tests that disconnect() properly releases the ThreadPoolExecutor."""
+
+    @pytest.mark.asyncio
+    async def test_disconnect_shuts_down_executor(
+        self, connection: WebSocketClient
+    ) -> None:
+        """disconnect() calls executor.shutdown(wait=True) to release thread resources."""
+        await connection.disconnect()
+
+        connection._executor.shutdown.assert_called_once_with(wait=True)
+
+    @pytest.mark.asyncio
+    async def test_disconnect_order_of_operations(
+        self, connection: WebSocketClient
+    ) -> None:
+        """disconnect() removes subscriptions and empties outbox before shutting down the executor."""
+        call_order = []
+
+        async def track_remove() -> None:
+            call_order.append("remove_subscriptions")
+
+        def track_empty() -> None:
+            call_order.append("empty_outbox")
+
+        def track_shutdown(wait: bool = False) -> None:
+            call_order.append("shutdown_executor")
+
+        connection._manager.remove_all_subscriptions = track_remove
+        connection._outbox.empty = track_empty
+        connection._executor.shutdown = track_shutdown
+
+        await connection.disconnect()
+
+        assert call_order == [
+            "remove_subscriptions",
+            "empty_outbox",
+            "shutdown_executor",
+        ]

packages/valory/services/mech/service.yaml

@@ -7,7 +7,7 @@ license: Apache-2.0
 fingerprint:
   README.md: bafybeihppqns2lwn5vehtqh2wu4tjyf76dbzxc26nlfws4sc5hcbjbalma
 fingerprint_ignore_patterns: []
-agent: valory/mech:0.1.0:bafybeiefdaor4jgm7n6nztchbz5lpcvczcdjcooa6dsilwke627ogf7uw4
+agent: valory/mech:0.1.0:bafybeigcrjni65cwu7rkopvve4k3pv4kx4s77g7wmi3ox2htm4dzg2blme
 number_of_agents: 4
 deployment:
   agent:

packages/valory/skills/contract_subscription/skill.yaml

@@ -14,12 +14,12 @@ fingerprint:
   models.py: bafybeibrvcmamdis6n57ivrtl7l45544bhrl6nz26iiz7ehq2idwmrd4v4
 fingerprint_ignore_patterns: []
 connections:
-- valory/websocket_client:0.1.0:bafybeihstod655uvf4ekfgwtijlfnbgxe6zmadrqg62rbrv4glnd6l5bqu
+- valory/websocket_client:0.1.0:bafybeid4cnbjpmzcsw3usg7umufgqyod2u3xfw5uso3vukt3n5hfuxvdea
 contracts: []
 protocols:
 - valory/websocket_client:0.1.0:bafybeig6omutaqt5rbvidju4zc7pwwdi6tkagwu3dwiirosadyoo534v3q
 skills:
-- valory/websocket_client:0.1.0:bafybeig3pxibli47glqffa7dtzkwpm2ubvyurwyshpetsc2jpwxqpbtxzu
+- valory/websocket_client:0.1.0:bafybeie63j65ffblz6g6oiaynjpz4ae5mgyjz2w6o5ovqitzdbnvqzlhzu
 behaviours:
   contract_subscriptions:
     args: {}

packages/valory/skills/delivery_rate_abci/behaviours.py

@@ -21,9 +21,6 @@
 from abc import ABC
 from typing import Any, Dict, Generator, List, Optional, Set, Type, cast
 
-from packages.valory.contracts.olas_mech.contract import (
-    OlasMechContract,
-)
 from packages.valory.contracts.gnosis_safe.contract import (
     GnosisSafeContract,
     SafeOperation,
@@ -32,6 +29,9 @@
     MultiSendContract,
     MultiSendOperation,
 )
+from packages.valory.contracts.olas_mech.contract import (
+    OlasMechContract,
+)
 from packages.valory.protocols.contract_api import ContractApiMessage
 from packages.valory.skills.abstract_round_abci.base import AbstractRound
 from packages.valory.skills.abstract_round_abci.behaviours import (
@@ -43,8 +43,8 @@
     UpdateDeliveryRatePayload,
 )
 from packages.valory.skills.delivery_rate_abci.rounds import (
-    SynchronizedData,
     DeliveryRateUpdateAbciApp,
+    SynchronizedData,
     UpdateDeliveryRateRound,
 )
 from packages.valory.skills.transaction_settlement_abci.payload_tools import (
@@ -179,6 +179,7 @@ def get_delivery_rate_update_txs(
                 self.context.logger.warning(
                     f"Could not get delivery_rate update tx for {mech_address}."
                 )
+                continue
 
             txs.append(tx)