feat(sdks): sealevel fee support svm sdk [IGNORE FOR NOW]

[xeno097]

Description

Implements Phase 2 of the SVM fee system: full SDK support for deploying and managing fee programs on Solana/SVM chains via the IRawFeeArtifactManager interface.

Requires #8642 (SVM fee program implementation) to be merged first. The fee program binary is temporarily injected via a droppable commit (0ae46733a6) that should be
removed once the program lands on main.

What's included:

• Readers and writers for all 6 fee types: linear, regressive, progressive, offchainQuotedLinear, routing, crossCollateralRouting. Each type has a dedicated reader/writer following the existing artifact pattern. Leaf types
  (linear/regressive/progressive) share an abstract base to avoid duplication.
• Instruction builders for all 18 fee program instructions: deployment/management instructions (InitFee, SetRoute, SetCrossCollateralRoute, UpdateFeeParams, SetBeneficiary, TransferOwnership, AddQuoteSigner, RemoveQuoteSigner,
  SetWildcardQuoteSigners, SetMinIssuedAt, RemoveRoute, RemoveCrossCollateralRoute) and runtime instructions (QuoteFee, SubmitQuote transient/standing, CloseTransientQuote, PruneExpiredQuotes, GetQuoteAccountMetas,
  GetSubmitQuoteAccountMetas).
• PDA derivation functions for FeeAccount, RouteDomain, CrossCollateralRoute, TransientQuote, and StandingQuote PDAs.
• Borsh codecs and account decoders for all fee program account types (FeeAccount, RouteDomain, CrossCollateralRoute, TransientQuote, StandingQuotePda).
• SvmFeeArtifactManager implementing IRawFeeArtifactManager, wired into SvmProtocolProvider.createFeeArtifactManager().
• Shared utilities: fee strategy mapping between provider-sdk and on-chain formats, wildcard signer computation, H160 signer conversion with validation, canonical BTreeSet encoding.
• Stress tests that discovered on-chain limits via binary search:
  • InitFee max signers: 41 (tx size)
  • SetRoute max signers: 42 (tx size)
  • SetWildcardQuoteSigners max signers: 47 (tx size)
  • Incremental AddQuoteSigner: 409 (CU/heap)
  • Standing quotes per domain PDA: 113 (BTreeMap heap, Leaf and CC identical)

Drive-by changes

• Breaking: ProtocolProvider.createFeeArtifactManager() now requires a FeeReadContext parameter to ensure routed fee types receive domain/router context for non-enumerable route PDA discovery. All protocol SDK implementations
  (tron, radix, cosmos, aleo, starknet) updated to accept the new parameter.
• Added ByteCursor.readI64LE() and i64le() encoder for signed 64-bit integer support.
• Added @noble/curves as a devDependency in svm-sdk for secp256k1 quote signing in stress tests.

Related issues

• Depends on feat(sealevel): sealevel token program fee support [IGNORE FOR NOW] #8642 (SVM fee program)
• Follows feat(provider-sdk, deploy-sdk): initial fee support on multi-vm #8627 (multi-VM fee type system in provider-sdk/deploy-sdk)

Backward compatibility

No — ProtocolProvider.createFeeArtifactManager() has a new required FeeReadContext parameter. This is a major version bump for @hyperlane-xyz/provider-sdk and @hyperlane-xyz/deploy-sdk. All downstream protocol SDK consumers need
to pass the context. The deploy-sdk factories (createFeeReader, createFeeWriter) already had context and now thread it through.

Testing

E2E tests (32 tests across 6 suites, all in CI):

• fee-linear: 4 tests (create/read, no-op update, param update, beneficiary update)
• fee-regressive: 4 tests (shared leaf suite)
• fee-progressive: 4 tests (shared leaf suite)
• fee-offchain-quoted-linear: 8 tests (shared leaf suite + signer create/add/remove + empty signer roundtrip)
• fee-routing: 6 tests (create/read, add route, update params, change strategy type, remove route, offchainQuotedLinear route with signers)
• fee-cross-collateral-routing: 5 tests (create/read, add pair, update params, change strategy, remove pair)

---

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.02%. Comparing base (2496363) to head (22a40cd).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8647      +/-   ##
==========================================
- Coverage   79.33%   73.02%   -6.32%     
==========================================
  Files         143        7     -136     
  Lines        4278      708    -3570     
  Branches      436       32     -404     
==========================================
- Hits         3394      517    -2877     
+ Misses        855      190     -665     
+ Partials       29        1      -28     

Flag	Coverage Δ
solidity	?
tron-sdk	73.02% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
core	∅ <ø> (∅)
hooks	∅ <ø> (∅)
isms	∅ <ø> (∅)
token	∅ <ø> (∅)
middlewares	∅ <ø> (∅)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[devin-ai-integration]

Devin Review found 4 potential issues.

View 5 additional findings in Devin Review.

[devin-ai-integration]

🔴 Unchecked as FeeStrategyKind cast on raw byte from on-chain data

c.readU8() returns number, but the cast as FeeStrategyKind narrows it to 0 | 1 | 2 without any validation. If the on-chain account contains a strategy kind value outside that range (e.g., a newer program version adds kind 3), the cast silently accepts it, violating the SvmFeeDataStrategy discriminated union type. Downstream pattern-match code in fee-strategy-utils.ts:35-46 uses an exhaustive never check that would throw at runtime, but the cast hides the real error origin. Per REVIEW.md mandatory type cast audit: every as must be flagged, and the only acceptable cast requires a // CAST: comment explaining why it's unavoidable.

Suggested change

	const kind = c.readU8() as FeeStrategyKind;
	const kind = c.readU8();
	if (kind !== 0 && kind !== 1 && kind !== 2) {
	throw new Error(`Unknown FeeDataStrategy kind: ${kind}`);
	}

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

🔴 Unsafe as C type cast bypasses generic constraint in leaf fee reader

The object literal is cast as C where C extends LeafFeeConfig. The constructed object only has { type, owner, beneficiary, maxFee, halfAmount }, but LeafFeeConfig is a union that includes OffchainQuotedLinearFeeConfig which additionally requires quoteSigners: string[]. While current subclasses only instantiate C with types that match this shape, the cast circumvents TypeScript's ability to catch future misuse if a new leaf type with extra required fields is added. Per REVIEW.md mandatory type cast audit: "as X — flag it. The fix is almost always to fix the function signature, add a type guard, or restructure the code." No // CAST: comment is present.

Prompt for agents

In typescript/svm-sdk/src/fee/leaf-fee.ts line 91, the object literal is cast `as C`. The REVIEW.md mandates no `as` casts without a `// CAST:` comment. The fix is to either: (1) add a `// CAST: C is constrained to Linear/Regressive/Progressive which all share this exact shape; OffchainQuotedLinear has its own reader` comment if the cast is truly unavoidable, or (2) restructure to avoid the cast entirely, e.g. by having each concrete reader build its own config object and returning it without a cast.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

🟡 Non-null assertions router! without provable non-nullness on preceding line

On lines 302 and 305, router! is used after const [domainStr, router] = key.split(':') on line 293. TypeScript types the second destructured element as string | undefined since split returns string[] and destructuring beyond the array length yields undefined. While the key format ${domain}:${router} guarantees a colon exists, the non-null assertion is not provably safe from the immediately preceding line — it depends on reasoning about how the key was constructed several lines earlier. Per REVIEW.md: "! (non-null assertion) — flag unless the value is provably non-null on the preceding line."

Suggested change

	routerToBytes(router!),
	),
	],
	annotation: `Remove CC route for domain ${domainStr} router ${router!.slice(0, 10)}...`,
	routerToBytes(router ?? ''),
	),
	],
	annotation: `Remove CC route for domain ${domainStr} router ${(router ?? '').slice(0, 10)}...`,

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

🚩 Fee program binary added to program-bytes generator with fallback path mechanism

In scripts/generate-program-bytes.mjs, the new tokenFee entry was added at line 28, and lines 36-48 introduce a fallback mechanism that checks LOCAL_SO_DIR (so-binaries/) when the primary path (rust/sealevel/target/deploy/) doesn't have the binary. This is a deviation from the existing pattern where all programs came from the same build directory. The fallback could mask build issues if a stale local binary is used instead of a freshly compiled one. The check-program-bytes-hash.mjs script should catch staleness via the source hash, but only if it covers the fee program sources.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[hyper-gonk]

Node Services Docker Image Built Successfully

Service	Tag
node-services	22a40cd-20260422-202056

Full image paths

ghcr.io/hyperlane-xyz/hyperlane-node-services:22a40cd-20260422-202056