feat: gate block-validation bypasses behind //go:build mock_block_validation#3401
Merged
Conversation
|
The latest Buf updates on your PR. Results from workflow Buf / buf (pull_request).
|
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3401 +/- ##
==========================================
+ Coverage 59.10% 59.11% +0.01%
==========================================
Files 2106 2108 +2
Lines 173525 173535 +10
==========================================
+ Hits 102558 102589 +31
+ Misses 62093 62073 -20
+ Partials 8874 8873 -1
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
b20f4d8 to
5908b0a
Compare
ded86df to
955ee32
Compare
masih
reviewed
May 7, 2026
b1436be to
b7400cc
Compare
04980b1 to
69fd340
Compare
69fd340 to
3a97819
Compare
blindchaser
reviewed
May 7, 2026
blindchaser
reviewed
May 7, 2026
blindchaser
reviewed
May 7, 2026
…ensusPolicy
Replaces the runtime --skip-app-hash-validation CLI flag with a
build-tag-gated ConsensusPolicy value owned by BlockExecutor. The
seid validator binary built without -tags shadow cannot bypass
AppHash, LastCommitHash, DataHash, EvidenceHash, ValidatorsHash, or
NextValidatorsHash checks — the flag, the bypass field, and the
bypass branches do not exist in the production binary. The shadow
binary always runs in shadow mode; there is no runtime knob.
Why no runtime config
Earlier drafts threaded a CLI flag and AppOptions value into a
ConsensusPolicy{skipAppHashValidation bool} struct. That worked but
left an operator footgun: a shadow binary would silently behave like
production unless the operator remembered to pass the flag, then fail
on the first AppHash mismatch and surprise the operator.
The build tag IS the toggle. The shadow binary's purpose is to
shadow-sync, period. ConsensusPolicy carries no fields; the method
SkipAppHashValidation() returns a different constant in each build
and the compiler folds it.
Refactor
- types.ConsensusPolicy is an empty struct in both builds. Method
set differs: default returns false, shadow returns true.
DefaultConsensusPolicy() is the only constructor.
- Block.ValidateBasic now does shape-only validation. The 3 hash
checks (LastCommitHash / DataHash / EvidenceHash) move into a new
Block.ValidateHashes(policy) gated by SkipAppHashValidation.
Deserialization paths (BlockFromProto, light-client, store load)
call ValidateBasic and pick up the shape-only contract.
- validateBlock(state, block, policy) plumbs the policy to the
AppHash / ValidatorsHash / NextValidatorsHash gates.
- BlockExecutor carries policy as a struct field; NewBlockExecutor
takes it as a constructor arg.
- node.New / makeNode / Handshaker thread the policy through.
- sei-cosmos/server/start.go passes tmtypes.DefaultConsensusPolicy()
unconditionally. No CLI flag, no viper, no AppOptions.
What stays unchanged
tmtypes.SkipLastResultsHashValidation remains a global atomic.Bool
flipped from gigaExecutorConfig.Enabled. Giga is a first-class
runtime-togglable production feature with intentional gas-accounting
divergence; that bypass is not in scope.
Empirical proof
- strings seid-default | grep skip-app-hash → 0 hits
- strings seid-shadow | grep skip-app-hash → 0 hits
(the flag literal never existed since we never registered it)
- Both builds clean: go build ./... and go build -tags shadow ./...
- Original 6 hash gates (AppHash, LastCommitHash, DataHash,
EvidenceHash, ValidatorsHash, NextValidatorsHash from commits
9fa70d2, 4ce5ed3, d9b7f9283) preserved.
Workflow
.github/workflows/ecr.yml adds sei-chain:shadow-<sha> mirroring the
existing mock_balances build-tag pattern.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
3a97819 to
7182fd9
Compare
blindchaser
approved these changes
May 7, 2026
arajasek
approved these changes
May 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
A node running an alternate execution engine (e.g., Giga V2) needs to bypass certain header-hash checks to validate against canonical-chain blocks. The previous shape exposed
--skip-app-hash-validationas a runtime CLI flag on every seid binary, which made the production validator one config edit away from accepting bad blocks.Approach
The build tag
mock_block_validationis the toggle — there is no runtime knob.ConsensusPolicyis an empty struct in both builds; methods return different constants per build and the compiler folds them. Bypass branches DCE in production. There is no Go API in either build to construct a policy with the opposite behavior.Block.ValidateBasic(policy)wraps the gated hash checks inif !policy.Skip*() { ... }in-place — no structural changes to the function body.validateBlock(state, block, policy)carries the policy fromBlockExecutordown. Productionstart.gopassesDefaultConsensusPolicy()unconditionally — no cobra, no AppOptions, no viper.Naming
mock_block_validationmatches the repo's existingmock_balancesprecedent — both are mock build tags for engineering / debug binaries. Underscore form is required for valid Go build tags. Image tag uses hyphen for readability:sei-chain:mock-block-validation-<sha>.Per-check flags, narrow scope
The original
ftr-skip-apphashbranch gated 6 hash checks under one umbrella flag; this PR ships 2:SkipLastResultsHashValidationglobal, set fromgigaExecutorConfig.Enabled— a first-class production runtime feature with intentional gas-accounting divergence, different security model.If a non-gated check fails on a candidate node, that's actionable signal — either a real bug in the setup or a wire-format incompatibility worth investigating, not silently bypassed.
CI
.github/workflows/ecr.ymladds a single new build step alongside the existingmock_balancesand production builds, mirroring the same pattern. Every push produces:sei-chain:<sha>— productionsei-chain:mock-<sha>— mock_balances (unchanged)sei-chain:mock-block-validation-<sha>— newVerification
strings seid-default | grep skip-app-hash→ 0 hits (no flag, no string in either binary)go build ./...andgo build -tags mock_block_validation ./...both cleanOut of scope
ftr-skip-apphash(libevmone runtime + ubuntu 24.04 base for GLIBCXX) are giga-runtime support and ship as a separate PR.BlockValidatorinterface that hides per-step validation behind a strategy-pattern abstraction was discussed and deferred — defensible refactor when there's a second consumer.