feat(l1): fix EIP-8025 compliance

[jsign]

Summary

This branch fixes the EIP-8025 guest-program execution flow and aligns the SSZ-side NewPayloadRequest model with the Electra/CL spec.

At a high level, it adds a byte-oriented EIP-8025 execution entrypoint, moves execution requests into a typed SSZ container, and uses that typed representation to reconstruct the EL requests_hash correctly when converting a NewPayloadRequest into a block.

What changed

• Added execution_program_eip8025_bytes, which decodes and executes the EIP-8025 wire format directly:
  • [ssz_len: u32 LE][ssz_bytes][rkyv_bytes]
• Refactored the EIP-8025 validation flow so both entrypoints share the same logic for:
  • NewPayloadRequest -> Block conversion
  • block hash validation
  • blob versioned hash validation
  • stateless execution via execute_blocks
• Updated the EIP-8025 SSZ types in ethrex-common to better match the Electra consensus spec:
  • ExecutionPayload no longer carries deposit/withdrawal/consolidation request lists
  • NewPayloadRequest.execution_requests is now a typed ExecutionRequests container
  • spec constants were renamed/normalized for clarity
  • the consolidation request limit was corrected to the Electra value
• Added ExecutionRequests::to_encoded_requests() to convert the SSZ typed request container into the EIP-7685 encoded request list expected by compute_requests_hash
• Re-exported the new EIP-8025 byte entrypoint from ethrex-guest-program

Behavior notes

• Malformed EIP-8025 wire input still returns an error
• For well-formed input, the byte-entrypoint now always computes the new_payload_request_root
• If validation/execution fails after decoding, the byte-entrypoint returns ProgramOutput { valid: false, ... } instead of failing outright

Why this matters

This makes the EIP-8025 guest path closer to the consensus-side structure we actually need to prove against, while also giving us a direct raw-bytes execution entrypoint for the EIP-8025 wire format.

It also removes the mismatch between the SSZ request representation and the EL request-hash computation path by deriving requests_hash from a properly typed ExecutionRequests container.

External usage

I'm already using this PR branch into an ere-guests PR here: eth-act/ere-guests#39
This allowed ere-guests to basically remove a lot of wrapper code before calling the guest program regarding execution-payload->Block, output calculation, etc -- making now Ethrex own all that logic as expected.

[jsign]

Some renamings to conform to the consensus-spec names, but also some fixes that I'll comment in particular.

[jsign]

Note that the previous 1 value wasn't correct, this was fixed below L30 with value 2 as defined in the specs.

[jsign]

In the specs, ExecutionPayload does not have these three fields. They are actually part of the NewPayloadRequest.

[jsign]

This isn't strictly required so we can remove.

[jsign]

See my next comment to understand this.

[jsign]

The consensus-specs don't define execution_requests as a list of bytes, but an ExecutionRequests deserialized struct.

Fixing it here.

[jsign]

This is a new entrypoint which is aligned with the execution-specs.

In ere-guests now we use it to send raw bytes directly, removing a lot of "wrapper logic" we had in ere-guest guest program before calling Ethrex entry point.

[Copilot]

Pull request overview

This PR completes the EIP-8025 guest-program execution path and aligns the SSZ NewPayloadRequest model with the Electra/CL spec, including deriving the EL requests_hash from a typed ExecutionRequests container.

Changes:

• Added a raw-bytes EIP-8025 execution entrypoint ([ssz_len][ssz_bytes][rkyv_bytes]) and re-exported it for external consumers.
• Refactored EIP-8025 validation/execution to share common logic for NewPayloadRequest -> Block conversion, hash checks, and stateless execution.
• Updated SSZ types to match Electra and introduced ExecutionRequests::to_encoded_requests() for EIP-7685 requests_hash computation.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File	Description
crates/guest-program/src/lib.rs	Re-exports the new EIP-8025 bytes entrypoint under the L1 execution module.
crates/guest-program/src/l1/program.rs	Adds the bytes entrypoint, centralizes EIP-8025 validation/execution, and adjusts request-hash reconstruction.
crates/guest-program/src/l1/mod.rs	Re-exports execution_program_eip8025_bytes behind the eip-8025 feature.
crates/common/types/eip8025_ssz.rs	Aligns SSZ containers with Electra and adds typed ExecutionRequests plus EIP-7685 encoding conversion.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

ExecutionRequests::to_encoded_requests() currently always returns 3 EncodedRequests entries, even when a request list is empty (yielding a 1-byte [type] entry). Elsewhere in the repo the EIP-7685 rules are enforced such that entries with empty request_data must be excluded (see validate_execution_requests, which rejects len() < 2). Consider emitting only non-empty request types (and/or filtering out EncodedRequests where is_empty() is true) so the helper is spec-compliant if reused beyond compute_requests_hash.

[Copilot]

The byte entrypoint sets valid based on validate_eip8025_execution(...).is_ok() but there’s no test covering the post-decode failure path (i.e., decoding succeeds but validation fails and the function must still return Ok(ProgramOutput { valid: false, ... })). Adding a test that builds a minimally valid wire payload with an intentionally-invalid block_hash (or versioned-hash mismatch) would lock in the intended behavior and prevent regressions back to returning an error.

[greptile-apps]

Greptile Summary

This PR aligns the EIP-8025 SSZ types with the Electra consensus spec by moving execution requests out of ExecutionPayload into a typed ExecutionRequests container, adds a raw wire-format entrypoint (execution_program_eip8025_bytes), and shares the validation logic between both entrypoints via validate_eip8025_execution. The to_encoded_requests() method always emits 3 entries (one per request type), which is safe because compute_requests_hash already uses a > 1 length guard to skip empty-type entries, matching the EIP-7685 spec's get_execution_requests_list filter.

Confidence Score: 5/5

Safe to merge; all remaining findings are style/diagnostic P2 items with no correctness impact.

The SSZ type changes correctly mirror the Electra spec. compute_requests_hash's > 1 guard correctly handles the always-3-entries output of to_encoded_requests(). Request sizes verified in tests match EIP-6110/7002/7251 wire formats. MAX_CONSOLIDATION_REQUESTS_PER_PAYLOAD=2 is the correct Electra value. The only remaining findings are a stale comment and the intentional silent error conversion in the bytes entrypoint.

crates/guest-program/src/l1/program.rs — the is_ok() error swallowing in execution_program_eip8025_bytes may complicate future debugging.

Important Files Changed

Filename	Overview
crates/common/types/eip8025_ssz.rs	Removes deposit/withdrawal/consolidation from ExecutionPayload and moves them into a typed ExecutionRequests container; adds to_encoded_requests() that always emits 3 entries (handled correctly downstream by compute_requests_hash's > 1 guard); corrects MAX_CONSOLIDATION_REQUESTS_PER_PAYLOAD to 2 (Electra value); renames spec constants for clarity; removes now-unused ExecutionPayloadHeader and NewPayloadRequestHeader.
crates/guest-program/src/l1/program.rs	Extracts shared validation logic into validate_eip8025_execution; adds execution_program_eip8025_bytes for the raw wire-format entrypoint; the bytes entrypoint silently converts all validation/execution errors to valid:false (P2: internal errors become indistinguishable from protocol invalidity).
crates/guest-program/src/l1/mod.rs	Re-exports the new execution_program_eip8025_bytes function, gated correctly behind #[cfg(feature = "eip-8025")].
crates/guest-program/src/lib.rs	Adds a conditional re-export of execution_program_eip8025_bytes in the public execution module, consistently double-gated on not(l2) and eip-8025.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Wire bytes\nssz_len ++ ssz_bytes ++ rkyv_bytes] --> B[decode_eip8025]
    B --> C[NewPayloadRequest\nExecutionRequests\nExecutionWitness]
    C --> D[hash_tree_root\n→ request_root]
    C --> E[validate_eip8025_execution]
    E --> F[new_payload_request_to_block]
    F --> G[execution_requests\n.to_encoded_requests]
    G --> H[compute_requests_hash\nskips len==1 entries]
    H --> I[Block]
    I --> J{block_hash match?}
    J -- No --> K[Err block_hash mismatch]
    J -- Yes --> L[validate_versioned_hashes]
    L --> M{hashes match?}
    M -- No --> N[Err versioned hashes mismatch]
    M -- Yes --> O[execute_blocks]
    O --> P{ok?}
    P -- No / execution_program --> Q[Err propagated]
    P -- No / eip8025_bytes --> R[ProgramOutput\nvalid=false]
    P -- Yes --> S[ProgramOutput\nvalid=true]

Loading

Prompt To Fix All With AI

This is a comment left during a code review.
Path: crates/guest-program/src/l1/program.rs
Line: 100

Comment:
**Silent error swallowing on validation failure**

`validate_eip8025_execution(…).is_ok()` converts all errors — including internal panics turned into `Err`, OOM, or logic bugs — to `valid: false`. A caller of `execution_program_eip8025_bytes` can never distinguish "this payload was legitimately invalid per the protocol" from "an unexpected internal error occurred during execution." At minimum, consider logging or propagating the error variant so that operator-level diagnostics are possible when this runs outside a strict zkVM context.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: crates/guest-program/src/l1/program.rs
Line: 72

Comment:
**Misleading "consuming" comment**

The comment says "before consuming the payload", but `hash_tree_root` takes `&self` — it borrows, not consumes, `new_payload_request`. The comment was meaningful when the old code moved the value into `new_payload_request_to_block`; it is now misleading.

```suggestion
    // Compute the hash_tree_root of the payload before validation.
    let request_root = new_payload_request.hash_tree_root(&Sha2Hasher);
```

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "refactor(l1): streamline EIP-8025 execut..." | Re-trigger Greptile}

[greptile-apps]

Silent error swallowing on validation failure

validate_eip8025_execution(…).is_ok() converts all errors — including internal panics turned into Err, OOM, or logic bugs — to valid: false. A caller of execution_program_eip8025_bytes can never distinguish "this payload was legitimately invalid per the protocol" from "an unexpected internal error occurred during execution." At minimum, consider logging or propagating the error variant so that operator-level diagnostics are possible when this runs outside a strict zkVM context.

Prompt To Fix With AI

This is a comment left during a code review.
Path: crates/guest-program/src/l1/program.rs
Line: 100

Comment:
**Silent error swallowing on validation failure**

`validate_eip8025_execution(…).is_ok()` converts all errors — including internal panics turned into `Err`, OOM, or logic bugs — to `valid: false`. A caller of `execution_program_eip8025_bytes` can never distinguish "this payload was legitimately invalid per the protocol" from "an unexpected internal error occurred during execution." At minimum, consider logging or propagating the error variant so that operator-level diagnostics are possible when this runs outside a strict zkVM context.

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

Misleading "consuming" comment

The comment says "before consuming the payload", but hash_tree_root takes &self — it borrows, not consumes, new_payload_request. The comment was meaningful when the old code moved the value into new_payload_request_to_block; it is now misleading.

Suggested change

	// Compute the hash_tree_root before consuming the payload.
	// Compute the hash_tree_root of the payload before validation.
	let request_root = new_payload_request.hash_tree_root(&Sha2Hasher);

Prompt To Fix With AI

This is a comment left during a code review.
Path: crates/guest-program/src/l1/program.rs
Line: 72

Comment:
**Misleading "consuming" comment**

The comment says "before consuming the payload", but `hash_tree_root` takes `&self` — it borrows, not consumes, `new_payload_request`. The comment was meaningful when the old code moved the value into `new_payload_request_to_block`; it is now misleading.

```suggestion
    // Compute the hash_tree_root of the payload before validation.
    let request_root = new_payload_request.hash_tree_root(&Sha2Hasher);
```

How can I resolve this? If you propose a fix, please make it concise.

[avilagaston9]

Thanks for the PR! Looks good to me.

One thing: since execution_program is already under the eip-8025 feature flag, I'd keep only the bytes version and drop the typed one. I think there's no reason to maintain the typed entrypoint.

WDYT @ilitteri?

[jsign]

Yep, I was thinking about the same when making the PR but prefered to be conservative in removing existing APIs.

Leaving that decision to you guys!

[ilitteri]

I agree, let's keep the bytes version only.

[jsign]

Sounds good. I'll adjust and reping here when ready.

[jsign]

@avilagaston9 @ilitteri, all done see 0058d27

[jsign]

@ilitteri, is this mergeable? :)

[ilitteri]

@ilitteri, is this mergeable? :)

We need one more approval. I'd get it asap.