Relayer remote message-id denylist via AW registry

[nambrot]

Summary

• add relayer blacklistUrl config support end-to-end (TS config + Rust settings)
• implement runtime remote denylist polling in relayer (startup + 60s refresh)
• merge remote message IDs with existing inline pattern blacklist rules
• keep previous blacklist on fetch/parse failure (warn-only)
• remove hardcoded customBlacklist.ts message-id list from infra config
• add relayer tests for remote fetch/parse/merge behavior

Validation

• cargo fmt --package relayer
• cargo check -p relayer
• cargo test -p relayer test_fetch_remote_message_ids_ -- --nocapture
• cargo test -p relayer test_merge_message_blacklists_ -- --nocapture

Sibling PRs / Context

• Registry schema/types PR: Add denylist schema/types for AW operational registry hyperlane-registry#1420
• AW registry data repo (initial commit to main): hyperlane-xyz/aw-registry@9136bc0

These three changes are intended to roll out together for ENG-3512.

[coderabbitai]

Warning

Rate limit exceeded

@nambrot has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 2 minutes and 8 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c94344dc-61d6-42c2-9222-d1fd9173ca60

📥 Commits

Reviewing files that changed from the base of the PR and between b9c6844 and afbd7f8.

📒 Files selected for processing (9)

• .changeset/short-lamps-own.md
• rust/main/agents/relayer/src/msg/db_loader.rs
• rust/main/agents/relayer/src/relayer.rs
• rust/main/agents/relayer/src/relayer/tests.rs
• rust/main/agents/relayer/src/settings/mod.rs
• typescript/infra/config/environments/mainnet3/agent.ts
• typescript/infra/config/environments/mainnet3/customBlacklist.ts
• typescript/infra/src/config/agent/relayer.ts
• typescript/sdk/src/metadata/agentConfig.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch codex/eng-3512-remote-message-id-denylist-via-dedicated-aw-registry-repo

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: eeb6de3baf

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Load remote blacklist before starting message processing

Relayer::run initializes message_blacklist from inline config and only spawns run_remote_blacklist_updater asynchronously here, then continues booting processors immediately. Because this commit removed the local customBlacklist.ts message-id entries, denylisted IDs now depend on that remote fetch; on restart, any queued denylisted message can be processed before the first HTTP refresh completes (or if the first refresh fails), which regresses blacklist enforcement at startup.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Do not require unused context in remote denylist entries

RemoteDenylistEntry makes context mandatory even though the updater only uses message_id; fetch_remote_message_ids deserializes the full struct, so any external payload entry missing context (or setting it null) causes the entire refresh to fail and keeps the previous blacklist. This creates avoidable fragility against schema drift in an external registry field the relayer does not consume.

Useful? React with 👍 / 👎.

[devin-ai-integration]

Devin Review found 1 potential issue.

View 4 additional findings in Devin Review.

[devin-ai-integration]

🚩 Single malformed entry in remote JSON aborts entire fetch

In fetch_remote_message_ids at rust/main/agents/relayer/src/relayer.rs:975-985, the .collect::<Result<HashSet<H256>>>() short-circuits on the first H256 parse error, discarding all valid entries from that fetch cycle. The error is caught at line 946 and the previous blacklist is preserved. This fail-safe approach means a single malformed messageId in the remote JSON prevents any updates. Consider whether a .filter_map with per-entry logging would be more resilient, especially if the remote list is managed by multiple contributors.

---

Was this helpful? React with 👍 or 👎 to provide feedback.