Merge pull request #19 from bnb-chain/feat/audit-remediation-v2

jardenx · web-flow · commit 9a19a1cb94b9 · 2026-04-15T19:10:37.000+08:00
feat: audit remediation v2 — SDK alignment with contract security fixes
diff --git a/.gitignore b/.gitignore
@@ -73,4 +73,7 @@ Thumbs.db
 **/node_modules/
 
 .agent-data/
-.storage/
+.storage/
+
+.env.*
+!.env.example
diff --git a/README.md b/README.md
@@ -91,7 +91,7 @@ Together, they enable agents to negotiate pricing, accept jobs, deliver work, an
 | **Escrow**          | Payment tokens locked in the ERC-8183 contract until the job is settled                                                                                                                                                                                   |
 | **Negotiation**     | Off-chain HTTP exchange where client and agent agree on price, terms, and deliverables. The agreed price is then used to set the on-chain budget. Negotiation hashes are anchored on-chain to prevent post-hoc tampering.                                 |
 | **Service Price**   | The agent's asking price for a job, configured via `SERVICE_PRICE` env var or `APEXConfig.service_price`. Returned in negotiation responses and `/status`.                                                                                                |
-| **Budget**          | The amount of payment tokens a client locks in escrow for a job via `setBudget()` + `fund()`. The SDK automatically rejects jobs where `budget < service_price`.                                                                                          |
+| **Budget**          | The agreed price set by the client via `setBudget()` and locked in escrow via `fund()`. The SDK automatically rejects jobs where `budget < service_price`.                                                                                                |
 | **Deliverable**     | The work output, stored off-chain (IPFS); only the content hash goes on-chain                                                                                                                                                                             |
 | **Evaluator**       | A contract that verifies deliverables and triggers settlement (currently UMA OOv3)                                                                                                                                                                        |
 | **Assertion**       | An on-chain claim by the evaluator that the deliverable is valid, initiated by the provider after submitting work (provider pays the UMA bond)                                                                                                            |
diff --git a/bnbagent/apex/README.md b/bnbagent/apex/README.md
@@ -476,7 +476,7 @@ contract. Inherits `ContractClientMixin` for nonce management and retries.
 | `create_job(provider, evaluator, expired_at, ...)` | Create a new job. Returns job ID + tx hash. |
 | `fund(job_id, expected_budget)` | Fund a job with BEP-20 tokens. |
 | `fund_with_permit(job_id, budget, opt_params, deadline, v, r, s)` | Fund a job using ERC-2612 permit (approve + fund in one tx). |
-| `set_budget(job_id, amount)` | Adjust the job budget. |
+| `set_budget(job_id, amount)` | Set the job budget (client-only). Provider proposes price via `/negotiate`. |
 | `set_provider(job_id, provider)` | Assign a provider agent. |
 | `submit(job_id, deliverable_hash, ...)` | Submit deliverables (provider). |
 | `complete(job_id)` | Mark job as complete (requester). |
diff --git a/bnbagent/apex/abis/APEXEvaluator.json b/bnbagent/apex/abis/APEXEvaluator.json
@@ -89,6 +89,27 @@
     "name": "InvalidInitialization",
     "type": "error"
   },
+  {
+    "inputs": [
+      {
+        "internalType": "uint256",
+        "name": "jobId",
+        "type": "uint256"
+      },
+      {
+        "internalType": "uint256",
+        "name": "expiredAt",
+        "type": "uint256"
+      },
+      {
+        "internalType": "uint256",
+        "name": "minRequired",
+        "type": "uint256"
+      }
+    ],
+    "name": "JobExpiryTooSoon",
+    "type": "error"
+  },
   {
     "inputs": [
       {
@@ -461,6 +482,31 @@
     "name": "Paused",
     "type": "event"
   },
+  {
+    "anonymous": false,
+    "inputs": [
+      {
+        "indexed": true,
+        "internalType": "address",
+        "name": "token",
+        "type": "address"
+      },
+      {
+        "indexed": true,
+        "internalType": "address",
+        "name": "to",
+        "type": "address"
+      },
+      {
+        "indexed": false,
+        "internalType": "uint256",
+        "name": "amount",
+        "type": "uint256"
+      }
+    ],
+    "name": "TokensRescued",
+    "type": "event"
+  },
   {
     "anonymous": false,
     "inputs": [
@@ -1233,4 +1279,4 @@
     "stateMutability": "pure",
     "type": "function"
   }
-]
+]
diff --git a/bnbagent/apex/abis/ERC8183.json b/bnbagent/apex/abis/ERC8183.json
@@ -342,6 +342,12 @@
         "name": "client",
         "type": "address"
       },
+      {
+        "indexed": true,
+        "internalType": "address",
+        "name": "provider",
+        "type": "address"
+      },
       {
         "indexed": false,
         "internalType": "uint256",
@@ -1407,4 +1413,4 @@
     "stateMutability": "view",
     "type": "function"
   }
-]
+]
diff --git a/bnbagent/apex/client.py b/bnbagent/apex/client.py
@@ -149,7 +149,7 @@ def set_budget(
         amount: int,
         opt_params: bytes = b"",
     ) -> dict[str, Any]:
-        """Set the budget for a job. Must be called before fund()."""
+        """Set the budget for a job (client-only). Provider proposes price via /negotiate."""
         fn = self.contract.functions.setBudget(job_id, amount, opt_params)
         return self._send_tx(fn)
 
@@ -389,7 +389,7 @@ def get_job_funded_events(
         """
         event_filter = {}
         if provider:
-            event_filter["client"] = Web3.to_checksum_address(provider)
+            event_filter["provider"] = Web3.to_checksum_address(provider)
 
         logs = self.contract.events.JobFunded().get_logs(
             from_block=from_block,
@@ -401,6 +401,7 @@ def get_job_funded_events(
             {
                 "jobId": log["args"]["jobId"],
                 "client": log["args"]["client"],
+                "provider": log["args"]["provider"],
                 "amount": log["args"]["amount"],
                 "blockNumber": log["blockNumber"],
                 "transactionHash": log["transactionHash"].hex(),
diff --git a/examples/agent-server/scripts/register.py b/examples/agent-server/scripts/register.py
@@ -23,7 +23,8 @@
 from dotenv import load_dotenv
 
 # Load .env from project root (one level up from scripts/)
-load_dotenv(Path(__file__).resolve().parent.parent / ".env")
+env_file = os.path.basename(os.environ.get("ENV_FILE", ".env"))
+load_dotenv(Path(__file__).resolve().parent.parent / env_file)
 
 
 def main():
diff --git a/examples/agent-server/src/service.py b/examples/agent-server/src/service.py
@@ -33,7 +33,8 @@
 from ddgs import DDGS
 
 # Load .env from project root (one level up from src/)
-load_dotenv(Path(__file__).resolve().parent.parent / ".env")
+env_file = os.path.basename(os.environ.get("ENV_FILE", ".env"))
+load_dotenv(Path(__file__).resolve().parent.parent / env_file)
 
 # SDK imports
 from bnbagent.apex.config import APEXConfig
diff --git a/examples/agent-server/src/service_mount.py b/examples/agent-server/src/service_mount.py
@@ -32,7 +32,8 @@
 from ddgs import DDGS
 
 # Load .env from project root (one level up from src/)
-load_dotenv(Path(__file__).resolve().parent.parent / ".env")
+env_file = os.path.basename(os.environ.get("ENV_FILE", ".env"))
+load_dotenv(Path(__file__).resolve().parent.parent / env_file)
 
 # SDK imports
 from bnbagent.apex.config import APEXConfig
diff --git a/examples/client-workflow/scripts/discover_agent.py b/examples/client-workflow/scripts/discover_agent.py
@@ -19,7 +19,8 @@
 from dotenv import load_dotenv
 
 # Load .env from demo root directory (.env next to scripts/)
-load_dotenv(Path(__file__).resolve().parent.parent / ".env")
+env_file = os.path.basename(os.environ.get("ENV_FILE", ".env"))
+load_dotenv(Path(__file__).resolve().parent.parent / env_file)
 
 
 def discover_agents(name_filter: str = "") -> list:
diff --git a/examples/client-workflow/scripts/run_demo.py b/examples/client-workflow/scripts/run_demo.py
@@ -41,7 +41,8 @@
 from web3 import Web3
 
 # Load env from demo root directory (.env next to scripts/)
-load_dotenv(Path(__file__).resolve().parent.parent / ".env")
+env_file = os.path.basename(os.environ.get("ENV_FILE", ".env"))
+load_dotenv(Path(__file__).resolve().parent.parent / env_file)
 
 # SDK imports — use public API paths (bnbagent.* and bnbagent.apex.*)
 from bnbagent import APEXClient, APEXStatus
@@ -637,7 +638,7 @@ async def main():
     # ══════════════════════════════════════════════════════════════════════
     banner(3, total_steps, f"Set Budget: {BUDGET / 10**18} U tokens")
 
-    result = apex.set_budget(job_id, BUDGET)
+    result = apex.set_budget(job_id, BUDGET)  # client-only; provider proposes via /negotiate
     print(f"  Budget set to {BUDGET / 10**18} U tokens for Job #{job_id}")
     print(tx_link(result["transactionHash"]))
     print("  Waiting for confirmation...")
diff --git a/examples/getting-started/README.md b/examples/getting-started/README.md
@@ -13,6 +13,18 @@ cp .env.example .env
 # Edit .env: add your PRIVATE_KEY
 ```
 
+## Environment Files
+
+Multiple environments are supported via `ENV_FILE`:
+
+| File | Environment | Usage |
+|------|-------------|-------|
+| `.env` | Default | `uv run python step4_create_job.py` |
+| `.env.qa` | QA (dev testing) | `ENV_FILE=.env.qa uv run python step4_create_job.py` |
+| `.env.testnet` | BSC Testnet | `ENV_FILE=.env.testnet uv run python step4_create_job.py` |
+
+All scripts default to `.env` if `ENV_FILE` is not set.
+
 ## Steps
 
 | Step | Script | What it does |
@@ -31,8 +43,11 @@ Run all 5 steps automatically in a single command:
 
 ```bash
 # Full flow (includes ~30min liveness wait for settlement)
-uv run python examples/getting-started/test_quickstart_e2e.py
+uv run python test_quickstart_e2e.py
 
 # Quick validation (skip settlement wait)
-uv run python examples/getting-started/test_quickstart_e2e.py --skip-settle
+uv run python test_quickstart_e2e.py --skip-settle
+
+# Run against QA environment
+ENV_FILE=.env.qa uv run python test_quickstart_e2e.py
 ```
diff --git a/examples/getting-started/step1_setup_wallet.py b/examples/getting-started/step1_setup_wallet.py
@@ -20,7 +20,8 @@
 from dotenv import load_dotenv
 
 # Load .env from this script's directory
-load_dotenv(Path(__file__).resolve().parent / ".env")
+env_file = os.path.basename(os.environ.get("ENV_FILE", ".env"))
+load_dotenv(Path(__file__).resolve().parent / env_file)
 
 
 def main():
diff --git a/examples/getting-started/step2_run_agent.py b/examples/getting-started/step2_run_agent.py
@@ -18,12 +18,14 @@
 """
 
 import logging
+import os
 from pathlib import Path
 
 from dotenv import load_dotenv
 
 # Load .env from this script's directory
-load_dotenv(Path(__file__).resolve().parent / ".env")
+env_file = os.path.basename(os.environ.get("ENV_FILE", ".env"))
+load_dotenv(Path(__file__).resolve().parent / env_file)
 
 from bnbagent.apex.server import create_apex_app
 
diff --git a/examples/getting-started/step3_register_agent.py b/examples/getting-started/step3_register_agent.py
@@ -22,7 +22,8 @@
 from dotenv import load_dotenv
 
 # Load .env from this script's directory
-load_dotenv(Path(__file__).resolve().parent / ".env")
+env_file = os.path.basename(os.environ.get("ENV_FILE", ".env"))
+load_dotenv(Path(__file__).resolve().parent / env_file)
 
 
 def main():
diff --git a/examples/getting-started/step4_create_job.py b/examples/getting-started/step4_create_job.py
@@ -28,7 +28,8 @@
 from dotenv import load_dotenv
 
 # Load .env from this script's directory
-load_dotenv(Path(__file__).resolve().parent / ".env")
+env_file = os.path.basename(os.environ.get("ENV_FILE", ".env"))
+load_dotenv(Path(__file__).resolve().parent / env_file)
 
 
 def main():
@@ -208,13 +209,13 @@ def main():
     # =========================================================
 
     print("-" * 50)
-    print("4d: Setting budget...")
+    print("4d: Setting budget (client sets agreed price before funding)...")
     print("-" * 50)
 
     budget = 1 * 10**18  # 1 U token
     print(f"Budget: {budget / 10**18} U")
 
-    result = apex.set_budget(job_id, budget)
+    result = apex.set_budget(job_id, budget)  # client-only
     print(f"TX: https://testnet.bscscan.com/tx/{result['transactionHash']}")
     print()
 
diff --git a/examples/getting-started/step5_settle_job.py b/examples/getting-started/step5_settle_job.py
@@ -23,7 +23,8 @@
 from dotenv import load_dotenv
 
 # Load .env from this script's directory
-load_dotenv(Path(__file__).resolve().parent / ".env")
+env_file = os.path.basename(os.environ.get("ENV_FILE", ".env"))
+load_dotenv(Path(__file__).resolve().parent / env_file)
 
 
 def main():
diff --git a/examples/getting-started/test_quickstart_e2e.py b/examples/getting-started/test_quickstart_e2e.py
diff --git a/tests/test_apex_client.py b/tests/test_apex_client.py
diff --git a/tests/test_apex_job_ops.py b/tests/test_apex_job_ops.py
