fix(deps): require anyio>=4.10 so the daytona SDK imports

[xdotli]

Problem

httpx-ws (a transitive dep of the daytona SDK) needs anyio.AsyncContextManagerMixin, which was added in anyio 4.9. The lock pinned anyio 4.8.0, so on release/0.7:

>>> from daytona import Daytona
AttributeError: module 'anyio' has no attribute 'AsyncContextManagerMixin'

This breaks all live Daytona sandbox use whenever the sandbox-daytona extra is installed — i.e. every Daytona-backed eval on release/0.7.

Fix

• Bump the floor anyio>=4.0 → anyio>=4.9.
• Refresh the lock surgically (uv lock --upgrade-package anyio): anyio 4.8.0 → 4.14.0 (also drops the now-unneeded sniffio sub-dep). No other packages move.

Verification

With sandbox-daytona synced:

• from daytona import Daytona ✅
• import benchflow ✅

Notes

• Diff is minimal: pyproject.toml (specifier) + uv.lock (anyio stanza only).
• main is affected identically (also locks anyio 4.8.0) and can cherry-pick this commit.
• Extracted from the unpushed chore/0.7-strip-shapes branch, where this fix was bundled inside a larger OSWorld-evaluator commit; split out here so it can land independently.

[greptile-apps]

Greptile Summary

This PR fixes a hard import failure of the daytona SDK on release/0.7 by tightening the anyio lower-bound from >=4.0 to >=4.10 (the version that introduced AsyncContextManagerMixin, required by the transitive httpx-ws dependency) and refreshing only the anyio entry in the lock file.

• pyproject.toml: Constraint changed to anyio>=4.10 with an inline comment explaining the httpx-ws/AsyncContextManagerMixin requirement.
• uv.lock: anyio resolved version moves 4.8.0 → 4.14.0; sniffio is removed as a sub-dependency (anyio 4.14 no longer pulls it in). No other packages are affected.

Note: the PR description still references >=4.9, but the committed code correctly uses >=4.10, consistent with where AsyncContextManagerMixin was actually introduced.

Confidence Score: 5/5

Safe to merge — the change is a minimal, targeted dependency floor bump that directly fixes a hard import failure with no other packages affected.

The fix is surgical: only the anyio specifier and its single lock entry change. The chosen floor (4.10) correctly matches where AsyncContextManagerMixin was introduced, and the resolved version (4.14.0) is well above that floor. No logic code is touched, and the lock diff confirms no transitive packages were moved other than the removal of sniffio, which anyio 4.14 no longer depends on.

No files require special attention.

Important Files Changed

Filename	Overview
pyproject.toml	Floor constraint tightened from anyio>=4.0 to anyio>=4.10 with an explanatory comment; fixes the un-importable daytona SDK issue.
uv.lock	Surgical lock refresh: anyio bumped 4.8.0→4.14.0, sniffio sub-dep removed (no longer required by anyio 4.14), requires-dist specifier updated to >=4.10; no other packages changed.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[benchflow\nsandbox-daytona extra] -->|imports| B[daytona SDK]
    B -->|transitive dep| C[httpx-ws]
    C -->|requires| D[anyio.AsyncContextManagerMixin]
    D -->|introduced in| E[anyio 4.10.0]

    subgraph before["Before (broken)"]
        F["anyio>=4.0\nlock: 4.8.0\n❌ no AsyncContextManagerMixin"]
    end

    subgraph after["After (fixed)"]
        G["anyio>=4.10\nlock: 4.14.0\n✅ AsyncContextManagerMixin present"]
    end

    F -.->|AttributeError on import| B
    G -.->|import succeeds| B

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A[benchflow\nsandbox-daytona extra] -->|imports| B[daytona SDK]
    B -->|transitive dep| C[httpx-ws]
    C -->|requires| D[anyio.AsyncContextManagerMixin]
    D -->|introduced in| E[anyio 4.10.0]

    subgraph before["Before (broken)"]
        F["anyio>=4.0\nlock: 4.8.0\n❌ no AsyncContextManagerMixin"]
    end

    subgraph after["After (fixed)"]
        G["anyio>=4.10\nlock: 4.14.0\n✅ AsyncContextManagerMixin present"]
    end

    F -.->|AttributeError on import| B
    G -.->|import succeeds| B

Loading

_{Reviews (2): Last reviewed commit: "fix(deps): require anyio 4.10 for Dayton..." | Re-trigger Greptile}

[greptile-apps]

AsyncContextManagerMixin was introduced in anyio 4.10.0, not 4.9. The official anyio changelog lists it under the 4.10.0 release. Setting the floor to anyio>=4.9 still allows a resolver to pick anyio==4.9.x, which would reproduce the exact AttributeError: module 'anyio' has no attribute 'AsyncContextManagerMixin' this PR is trying to prevent.

Suggested change

	# httpx-ws (transitive via the daytona SDK) needs anyio>=4.9 for
	# AsyncContextManagerMixin; anyio 4.8 makes the daytona SDK un-importable.
	"anyio>=4.9",
	# httpx-ws (transitive via the daytona SDK) needs anyio>=4.10 for
	# AsyncContextManagerMixin (added in 4.10.0); anyio 4.8/4.9 makes the
	# daytona SDK un-importable.
	"anyio>=4.10",

[bingran-you]

Automation update (2026-06-24): pushed f23ecf2d to address the Greptile dependency-floor finding.

What changed:

• raised the declared anyio floor from >=4.9 to >=4.10 in pyproject.toml;
• updated the corresponding uv.lock package metadata specifier;
• kept the locked runtime at anyio==4.14.0, so the lock remains surgical.

Validation on the updated PR head:

• uv lock --locked -> passed
• uv sync --extra dev --extra sandbox-daytona --locked -> passed
• uv run python -m pytest tests/test_cli_daytona.py -q -> 4 passed
• uv run ruff check pyproject.toml tests/test_cli_daytona.py src/benchflow/sandbox/daytona.py src/benchflow/cli/main.py -> passed
• uv run python - <<'PY' ... import anyio; import daytona ... PY -> AsyncContextManagerMixin present and daytona import OK

I also tried a targeted uv run ty check src/benchflow/sandbox/daytona.py src/benchflow/cli/main.py tests/test_cli_daytona.py; it still fails on pre-existing release-branch Daytona typing issues unrelated to this dependency-only diff, so I did not widen this PR.

Labels are now set to bug / P1 / area:sandbox / review:pending. Still needs normal human review/CI before merge.

[bingran-you]

Additional workflow note: GitHub currently reports no checks on this PR because the branch targets release/0.7, while .github/workflows/test.yml only runs on PRs targeting main. I added status:blocked so this does not look merge-ready until a human decides whether to retarget/recreate this through main or run an equivalent release-line validation path.

[bingran-you]

Triage: the greptile P1 (anyio>=4.9 still allows 4.9.x, reproducing the AsyncContextManagerMixin AttributeError) is already resolved on the current head — pyproject.toml:13 pins anyio>=4.10 with an explanatory comment, matching the PR title and the anyio 4.10.0 changelog. The finding was against an earlier commit.

Diff vs release/0.7 is the single intended one-line floor bump (anyio>=4.0 → >=4.10). Content looks merge-ready; no CI checks are reported on this branch (release/0.7 base) — worth confirming the 0.7 line's required checks run before merge. cc @xdotli (release/0.7 owner).

[bingran-you]

Automation user-simulation review (2026-06-26): dependency fix is valid; process gate remains.

I tested the PR in an isolated worktree with a fresh sandbox-daytona sync:

uv sync --project /tmp/benchflow-pr-sims/pr826 --extra sandbox-daytona --extra dev --locked
uv run --project /tmp/benchflow-pr-sims/pr826 python - <<'PY'
import anyio
from daytona import Daytona
import benchflow
print('anyio_mixin', hasattr(anyio, 'AsyncContextManagerMixin'))
print('daytona_import', Daytona.__name__)
print('benchflow_import', benchflow.__version__)
PY
# anyio_mixin True
# daytona_import Daytona
# benchflow_import 0.6.2

A separate subagent also reproduced the dependency-floor behavior: anyio==4.8.0 fails on direct from daytona import Daytona, while anyio==4.10.0 succeeds. The diff is dependency metadata only (pyproject.toml + uv.lock), and I do not see a thermo-nuclear code-quality or CLI/SDK regression blocker.

Remaining gate is procedural: this targets release/0.7, and GitHub is still not reporting the normal PR check suite for that base. Keep status:blocked until the release-line owner either runs/records equivalent validation or retargets/recreates the fix through the checked path.

[bingran-you]

Users Simulation refresh (2026-06-26): dependency fix still validates; process gate remains.

The isolated PR simulation confirmed the intended fix: anyio>=4.10 is sufficient for the Daytona SDK import path, benchflow.sandbox.daytona imports cleanly, build_sync_client(api_key="dummy-key") constructs without creating a sandbox, and the CLI help paths still load.

Checks recorded:

uv sync --locked --extra dev --extra sandbox-daytona
uv run python -c 'from importlib import metadata; import anyio; print(metadata.version("anyio"), hasattr(anyio, "AsyncContextManagerMixin"))'
uv run python -c 'import benchflow.sandbox.daytona as d; print(hasattr(d, "build_sync_client"))'
uv run benchflow --help
uv run benchflow sandbox --help
uv run benchflow eval --help
uv run python -m pytest tests/test_base_install_imports.py tests/test_cli_daytona.py tests/test_cli_misc.py tests/test_env_setup.py -k 'daytona_module_imports_without_tenacity or daytona_without_sdk_fails_fast_with_install_hint or environment_list_uses_daytona_import_compat or test_benchflow_version_flag or test_benchflow_run_command_is_removed'

No thermo-nuclear code-quality blocker found in the two-file dependency diff. I left status:blocked in place because this PR targets release/0.7 and GitHub still reports no normal checks for that base; that is a release-line process gate, not a simulation failure in the dependency fix.

[bingran-you]

Users Simulation automation review (2026-06-27T12:21Z): ready for this simulation scope.

The dependency bump fixes the Daytona SDK import path. In a clean PR worktree, anyio exposed AsyncContextManagerMixin, from daytona import Daytona imported cleanly, and BenchFlow CLI smoke paths still worked.

Commands/evidence:

• uv lock --check
• uv sync --extra sandbox-daytona --locked
• Python import smoke for anyio, benchflow, and daytona.Daytona
• uv run benchflow --help
• uv run benchflow sandbox list with and without shared Daytona credentials; without creds it exited through the guarded auth path, with creds it reached the live API and listed sandboxes.
• uv run benchflow tasks init ..., uv run benchflow tasks check ..., uv run benchflow hub check --level inventory --tasks-per-dataset 1 --limit 1
• uv run pytest tests/test_cli_daytona.py -q
• uv run ruff check src/benchflow/cli/main.py src/benchflow/sandbox/daytona.py

Residual risk: I did not run a live Daytona create/exec or model-backed rollout; this validates the import/auth/listing regression surface rather than full sandbox lifecycle.