fix(opchild): validate attestor packet origin

[beer-1]

Description

Closes: N/A

This PR binds opchild attestor-set update packets to the configured canonical IBC origin before applying validator updates.

Changes:

• Validate attestor update packet channel version, source/destination ports, configured source channel, destination channel connection state, and L1 client ID before processing packet data.
• Add basic channel-open validation for a single connection hop and the expected counterparty opinit port.
• Add keeper-level and IBC-module regression tests for invalid packet origins.

Why:

• Previously, opchild.OnRecvPacket forwarded only packet data into the attestor update path. The handler verified bridge_id, but did not bind the packet to the configured L1 client/channel origin.

Validation:

• GOTOOLCHAIN=go1.24.13 go test ./x/opchild/... -count=1

Breaking change: No.

---

Author Checklist

I have...

• included the correct type prefix in the PR title
• confirmed ! in the type prefix if API or client breaking change: N/A, not breaking
• targeted the correct branch
• provided a link to the relevant issue or specification: N/A
• reviewed "Files changed" and left comments if necessary: N/A
• included the necessary unit and integration tests
• updated the relevant documentation or specification, including comments for documenting Go code: N/A
• confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add your handle next to the items reviewed if you only reviewed selected items.

I have...

• confirmed the correct type prefix in the PR title
• confirmed all author checklist items have been addressed
• reviewed state machine logic, API design and naming, documentation is accurate, tests and test coverage

Summary by CodeRabbit

Release Notes

• Bug Fixes
  • Enhanced validation of inter-blockchain communication (IBC) channel initialization to ensure proper connection configuration.
  • Added packet origin verification for attestor set updates to reject packets from unauthorized sources.
  • Improved error handling for invalid IBC packet submissions.

[coderabbitai]

Walkthrough

The PR adds packet origin validation to the OPchild IBC module for attestor set updates. It introduces a new validation method that verifies channel state, connection openness, and client ID matching; constrains channel handshakes to single-hop connections; integrates validation into the receive packet flow; and provides comprehensive tests covering validation logic and integration scenarios.

Changes

Packet Origin Validation

Layer / File(s)	Summary
Error Definition x/opchild/types/errors.go	Introduces ErrInvalidPacketOrigin sentinel error registered under code 34.
Validation Logic and Tests x/opchild/keeper/attestor.go, x/opchild/keeper/attestor_test.go	Implements ValidateAttestorSetUpdatePacketOrigin method checking channel version, ports, bridge configuration, IBC keeper state, connection openness, and client ID. Adds test constants, setupAttestorPacketOrigin helper, and Test_ValidateAttestorSetUpdatePacketOrigin table-driven test covering success and nine failure scenarios.
Channel Handshake Constraints x/opchild/ibc_module.go	OnChanOpenInit and OnChanOpenTry now enforce exactly one connectionHop and matching counterparty PortId, returning wrapped IBC errors on mismatch.
Receive Packet Integration x/opchild/ibc_module.go	OnRecvPacket calls ValidateAttestorSetUpdatePacketOrigin before packet processing; returns error acknowledgement if validation fails.
IBC Module Integration Tests x/opchild/ibc_module_test.go	Adds shared test constants (testL1ClientID, testConnectionID, testSourceChannel, testDestChannel), setupAttestorSetUpdateOrigin helper for seeding IBC state, updates OnRecvPacket_AttestorSetUpdate test to initialize BridgeInfo and origin state, adds Test_IBCModule_OnRecvPacket_InvalidOrigin table-driven test for origin validation failures, and updates Test_IBCModule_OnRecvPacket_InvalidData with origin state setup.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A rabbit hops through channels deep,
Validating every leap,
Checking origins with care,
IBC handshakes everywhere!
Connections OPEN, clients matched,
Attestor packets, safely hatched. 🎯

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding validation for attestor packet origin in the opchild module.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/opchild-attestor-packet-origin

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

x/opchild/ibc_module_test.go (1)

43-100: ⚡ Quick win

Add regression cases for the new handshake guard branches.

OnChanOpenInit and OnChanOpenTry now enforce single connection hop and counterparty port matching, but these new failure paths are not asserted here. Adding explicit negative test cases for both guards in both methods will prevent silent regressions.

Also applies to: 102-144

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@x/opchild/ibc_module_test.go` around lines 43 - 100, Add negative regression
tests that exercise the new handshake guard branches in the IBC module: for
ibcModule.OnChanOpenInit add explicit cases that (1) pass multiple connection
hops (e.g., []string{"conn-0", "conn-1"}) and assert an error mentioning
single-hop requirement and (2) pass a Counterparty with a mismatched PortID
(e.g., channeltypes.NewCounterparty("wrong-port", "chan-x")) and assert an error
about counterparty port mismatch; do the same for ibcModule.OnChanOpenTry
(create tests calling OnChanOpenTry with multiple connection hops and with a
counterparty port that does not equal opchildtypes.PortID) and assert the
appropriate errors so these new guards are covered and cannot regress.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@x/opchild/ibc_module_test.go`:
- Around line 43-100: Add negative regression tests that exercise the new
handshake guard branches in the IBC module: for ibcModule.OnChanOpenInit add
explicit cases that (1) pass multiple connection hops (e.g., []string{"conn-0",
"conn-1"}) and assert an error mentioning single-hop requirement and (2) pass a
Counterparty with a mismatched PortID (e.g.,
channeltypes.NewCounterparty("wrong-port", "chan-x")) and assert an error about
counterparty port mismatch; do the same for ibcModule.OnChanOpenTry (create
tests calling OnChanOpenTry with multiple connection hops and with a
counterparty port that does not equal opchildtypes.PortID) and assert the
appropriate errors so these new guards are covered and cannot regress.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f4472b41-bfa6-46fb-a0c9-fa0546ebcc7b

📥 Commits

Reviewing files that changed from the base of the PR and between f0b6618 and bf0a154.

📒 Files selected for processing (5)

• x/opchild/ibc_module.go
• x/opchild/ibc_module_test.go
• x/opchild/keeper/attestor.go
• x/opchild/keeper/attestor_test.go
• x/opchild/types/errors.go

[codecov]

Codecov Report

❌ Patch coverage is 65.57377% with 21 lines in your changes missing coverage. Please review.
✅ Project coverage is 43.51%. Comparing base (f0b6618) to head (bf0a154).

Files with missing lines	Patch %	Lines
x/opchild/ibc_module.go	20.00%	8 Missing and 4 partials ⚠️
x/opchild/keeper/attestor.go	80.43%	6 Missing and 3 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #196      +/-   ##
==========================================
+ Coverage   43.33%   43.51%   +0.18%     
==========================================
  Files          74       74              
  Lines        7424     7485      +61     
==========================================
+ Hits         3217     3257      +40     
- Misses       3614     3628      +14     
- Partials      593      600       +7     

Files with missing lines	Coverage Δ
x/opchild/keeper/attestor.go	69.56% <80.43%> (+5.43%)	⬆️
x/opchild/ibc_module.go	82.55% <20.00%> (-13.22%)	⬇️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[traviolus]

LGTM