fix(fhevm-cli): auto-detect MinIO key prefix and treat unparseable versions conservatively

Three fixes for network target compatibility (devnet/testnet/mainnet):

- Auto-detect MinIO key prefix during KMS signer discovery by probing
  both PUB/PUB (KMS <= v0.12) and PUB (KMS >= v0.13), then propagate
  the detected prefix through state for all MinIO URL construction.

- Fix Docker volume mount conflicts where named volumes shadowed bind
  mounts to the same container path, preventing GatewayAddresses.sol
  from being accessible on the host.

- Treat unparseable SHA versions conservatively in compat layer — apply
  legacy flags rather than skip them, since we cannot determine the
  actual version from a SHA tag.

Author: Eikix

test-suite/fhevm/src/artifacts.test.ts

@@ -163,8 +163,8 @@ describe("compose templates", () => {
         structuredClone(input),
         stubState({
           envOverrides: {
-            RELAYER_VERSION: "sha-29b0750",
-            RELAYER_MIGRATE_VERSION: "sha-29b0750",
+            RELAYER_VERSION: "v0.10.0",
+            RELAYER_MIGRATE_VERSION: "v0.10.0",
           },
         }),
       ),

test-suite/fhevm/src/artifacts.ts

@@ -97,10 +97,13 @@ const applyBuildPolicy = (service: Record<string, unknown>, isOverridden: boolea
 
 const appendVolume = (service: Record<string, unknown>, value: string) => {
   const volumes = Array.isArray(service.volumes) ? [...service.volumes] : [];
-  if (!volumes.includes(value)) {
-    volumes.push(value);
+  const target = value.split(":").slice(1).join(":");
+  // Remove any existing mount to the same container path (e.g. named volumes)
+  const filtered = target ? volumes.filter((v) => typeof v !== "string" || v.split(":").slice(1).join(":") !== target) : volumes;
+  if (!filtered.includes(value)) {
+    filtered.push(value);
   }
-  service.volumes = volumes;
+  service.volumes = filtered;
 };
 
 const resolveComposePath = (value: string) =>
@@ -401,13 +404,15 @@ const writeRuntimeEnvFiles = async (state: State, deps: Pick<ArtifactDeps, "runn
   envs["coprocessor"].TENANT_API_KEY = DEFAULT_TENANT_API_KEY;
   envs["coprocessor"].COPROCESSOR_API_KEY = DEFAULT_TENANT_API_KEY;
   envs["coprocessor"].AWS_ENDPOINT_URL = state.discovery?.endpoints.minioExternal ?? "http://minio:9000";
+  const kp = state.discovery?.minioKeyPrefix ?? "PUB";
+  const minioInt = state.discovery?.endpoints.minioInternal ?? "http://minio:9000";
   envs["coprocessor"].FHE_KEY_ID = state.discovery?.actualFheKeyId ?? state.discovery?.fheKeyId ?? predictedKeyId();
-  envs["coprocessor"].KMS_PUBLIC_KEY = `${state.discovery?.endpoints.minioInternal ?? "http://minio:9000"}/kms-public/PUB/PublicKey/${envs["coprocessor"].FHE_KEY_ID}`;
-  envs["coprocessor"].KMS_SERVER_KEY = `${state.discovery?.endpoints.minioInternal ?? "http://minio:9000"}/kms-public/PUB/ServerKey/${envs["coprocessor"].FHE_KEY_ID}`;
-  envs["coprocessor"].KMS_SNS_KEY = `${state.discovery?.endpoints.minioInternal ?? "http://minio:9000"}/kms-public/PUB/SnsKey/${envs["coprocessor"].FHE_KEY_ID}`;
-  envs["coprocessor"].KMS_CRS_KEY = `${state.discovery?.endpoints.minioInternal ?? "http://minio:9000"}/kms-public/PUB/CRS/${state.discovery?.actualCrsKeyId ?? state.discovery?.crsKeyId ?? predictedCrsId()}`;
-  envs["relayer"].APP_KEYURL__FHE_PUBLIC_KEY__URL = `${state.discovery?.endpoints.minioInternal ?? "http://minio:9000"}/kms-public/PUB/PublicKey/${state.discovery?.actualFheKeyId ?? state.discovery?.fheKeyId ?? predictedKeyId()}`;
-  envs["relayer"].APP_KEYURL__CRS__URL = `${state.discovery?.endpoints.minioInternal ?? "http://minio:9000"}/kms-public/PUB/CRS/${state.discovery?.actualCrsKeyId ?? state.discovery?.crsKeyId ?? predictedCrsId()}`;
+  envs["coprocessor"].KMS_PUBLIC_KEY = `${minioInt}/kms-public/${kp}/PublicKey/${envs["coprocessor"].FHE_KEY_ID}`;
+  envs["coprocessor"].KMS_SERVER_KEY = `${minioInt}/kms-public/${kp}/ServerKey/${envs["coprocessor"].FHE_KEY_ID}`;
+  envs["coprocessor"].KMS_SNS_KEY = `${minioInt}/kms-public/${kp}/SnsKey/${envs["coprocessor"].FHE_KEY_ID}`;
+  envs["coprocessor"].KMS_CRS_KEY = `${minioInt}/kms-public/${kp}/CRS/${state.discovery?.actualCrsKeyId ?? state.discovery?.crsKeyId ?? predictedCrsId()}`;
+  envs["relayer"].APP_KEYURL__FHE_PUBLIC_KEY__URL = `${minioInt}/kms-public/${kp}/PublicKey/${state.discovery?.actualFheKeyId ?? state.discovery?.fheKeyId ?? predictedKeyId()}`;
+  envs["relayer"].APP_KEYURL__CRS__URL = `${minioInt}/kms-public/${kp}/CRS/${state.discovery?.actualCrsKeyId ?? state.discovery?.crsKeyId ?? predictedCrsId()}`;
   for (const [key, source] of Object.entries(compat.connectorEnv)) {
     if (envs["kms-connector"][source]) {
       envs["kms-connector"][key] = envs["kms-connector"][source];

test-suite/fhevm/src/cli.test.ts

@@ -287,9 +287,17 @@ describe("runtime invariants", () => {
     expect(compatPolicyForState(makeState("v0.12.0")).coprocessorArgs["sns-worker"]).toBeUndefined();
     expect(compatPolicyForState(makeState("v0.12.0")).coprocessorArgs["transaction-sender"]).toBeUndefined();
 
-    // latest-main SHAs stay modern-only once resolution enforces the floor
-    expect(compatPolicyForState(makeState("58aebb0")).coprocessorArgs["host-listener"]).toBeUndefined();
-    expect(compatPolicyForState(makeState("58aebb0")).coprocessorArgs["transaction-sender"]).toBeUndefined();
+    // unparseable SHAs are treated conservatively (apply all compat rules)
+    expect(compatPolicyForState(makeState("58aebb0")).coprocessorArgs["host-listener"]).toEqual([
+      ["--coprocessor-api-key", { env: "COPROCESSOR_API_KEY" }],
+    ] as const);
+    expect(compatPolicyForState(makeState("58aebb0")).coprocessorArgs["transaction-sender"]).toEqual([
+      ["--multichain-acl-address", { env: "MULTICHAIN_ACL_ADDRESS" }],
+      ["--delegation-fallback-polling", { value: "30" }],
+      ["--delegation-max-retry", { value: "100000" }],
+      ["--retry-immediately-on-nonce-error", { value: "2" }],
+      ["--host-chain-url", { env: "RPC_WS_URL" }],
+    ] as const);
   });
 
   test("coprocessor depends_on rewrite only renames cloned services", () => {

test-suite/fhevm/src/compat.ts

@@ -82,7 +82,9 @@ const parseCompatVersion = (version: string) => {
 const versionLt = (version: string, target: CompatSemver) => {
   const parsed = parseCompatVersion(version);
   if (!parsed) {
-    return false;
+    // Non-semver (SHA tags): treat as old — safer to apply compat rules
+    // than to skip them and have the service crash.
+    return true;
   }
   for (let index = 0; index < parsed.length; index += 1) {
     if (parsed[index] !== target[index]) {

test-suite/fhevm/src/runtime.ts

@@ -66,6 +66,7 @@ type UpOptions = {
   allowSchemaMismatch: boolean;
   resume: boolean;
   dryRun: boolean;
+  reset: boolean;
 };
 
 type CleanOptions = {
@@ -239,6 +240,7 @@ const parseCli = (argv: string[]) => {
       "instance-env": { type: "string", multiple: true, default: [] },
       "instance-arg": { type: "string", multiple: true, default: [] },
       "allow-schema-mismatch": { type: "boolean", default: false },
+      reset: { type: "boolean", default: false },
     },
   });
   const target = parsed.values.target as string;
@@ -301,21 +303,45 @@ const bundleFromFile = async (target: UpOptions["target"], lockFile: string) =>
   return { ...bundle, target };
 };
 
-const resolveBundle = async (options: Pick<UpOptions, "target" | "sha" | "lockFile">, deps: RuntimeDeps) => {
-  const bundle = options.lockFile
-    ? await bundleFromFile(options.target, options.lockFile)
-    : await resolveTarget(options.target, createGitHubClient(deps.runner), { sha: options.sha });
+const resolveCachePath = (target: string, sha?: string) =>
+  path.join(LOCK_DIR, `.cache-${target}${sha ? `-${sha.toLowerCase().slice(0, 7)}` : ""}.json`);
+
+const cachedResolve = async (
+  options: Pick<UpOptions, "target" | "sha" | "lockFile" | "reset">,
+  deps: RuntimeDeps,
+): Promise<VersionBundle> => {
+  if (options.lockFile) {
+    return bundleFromFile(options.target, options.lockFile);
+  }
+  const cachePath = resolveCachePath(options.target, options.sha);
+  if (!options.reset) {
+    try {
+      const bundle = await readJson<VersionBundle>(cachePath);
+      if (bundle.target === options.target) {
+        log("[resolve] using cached bundle");
+        return bundle;
+      }
+    } catch {
+      // no cache or invalid — resolve fresh
+    }
+  }
+  log("[resolve] fetching versions from GitHub...");
+  const bundle = await resolveTarget(options.target, createGitHubClient(deps.runner), { sha: options.sha });
+  await writeJson(cachePath, bundle);
+  return bundle;
+};
+
+const resolveBundle = async (options: Pick<UpOptions, "target" | "sha" | "lockFile" | "reset">, deps: RuntimeDeps) => {
+  const bundle = await cachedResolve(options, deps);
   const resolved = applyVersionEnvOverrides(bundle, deps.env);
   const lockPath = await writeLock(resolved);
   return { bundle: resolved, lockPath };
 };
 
-const previewBundle = (options: Pick<UpOptions, "target" | "sha" | "lockFile">, deps: RuntimeDeps) =>
-  (options.lockFile
-    ? bundleFromFile(options.target, options.lockFile)
-    : resolveTarget(options.target, createGitHubClient(deps.runner), { sha: options.sha })).then((bundle) =>
-    applyVersionEnvOverrides(bundle, deps.env),
-  );
+const previewBundle = async (options: Pick<UpOptions, "target" | "sha" | "lockFile" | "reset">, deps: RuntimeDeps) => {
+  const bundle = await cachedResolve(options, deps);
+  return applyVersionEnvOverrides(bundle, deps.env);
+};
 
 const partialSchemaOverrides = (overrides: LocalOverride[]) =>
   overrides.filter(
@@ -468,29 +494,41 @@ const responseSnippet = async (response: Response) => {
   return text ? `: ${text.slice(0, 200)}` : "";
 };
 
-const discoverSigner = async (deps: RuntimeDeps) => {
-  for (let attempt = 0; attempt < 30; attempt += 1) {
+/** Try both `PUB/PUB/` (KMS ≤ v0.12) and `PUB/` (KMS ≥ v0.13) prefixes. */
+const MINIO_KEY_PREFIXES = ["PUB/PUB", "PUB"] as const;
+
+const discoverSigner = async (deps: RuntimeDeps): Promise<{ address: string; minioKeyPrefix: string }> => {
+  let lastHandle = "";
+  for (let attempt = 0; attempt < 60; attempt += 1) {
     const logs = await deps.runner(["docker", "logs", "kms-core"], { allowFailure: true });
     const match = logs.stdout.match(/handle ([a-zA-Z0-9]+)/) ?? logs.stderr.match(/handle ([a-zA-Z0-9]+)/);
     if (match) {
-      try {
-        const response = await deps.fetch(`http://localhost:9000/kms-public/PUB/VerfAddress/${match[1]}`);
-        if (!response.ok) {
-          throw new Error(`Could not fetch KMS signer address (HTTP ${response.status})${await responseSnippet(response)}`);
-        }
-        return (await response.text()).trim();
-      } catch (error) {
-        if (shouldLogRetry(attempt)) {
-          log(`[wait] kms signer fetch: ${toError(error).message}`);
+      lastHandle = match[1];
+      for (const prefix of MINIO_KEY_PREFIXES) {
+        try {
+          const response = await deps.fetch(`http://localhost:9000/kms-public/${prefix}/VerfAddress/${lastHandle}`);
+          if (response.ok) {
+            return { address: (await response.text()).trim(), minioKeyPrefix: prefix };
+          }
+          // Consume body to avoid leaking connections
+          await response.text();
+        } catch {
+          // network error — retry
         }
       }
-    }
-    if (shouldLogRetry(attempt)) {
+      if (shouldLogRetry(attempt)) {
+        log(`[wait] kms signer fetch (handle: ${lastHandle.slice(0, 12)}…)`);
+      }
+    } else if (shouldLogRetry(attempt)) {
       log("[wait] kms signer handle");
     }
     await sleep(1000);
   }
-  throw new Error("Could not extract KMS signer handle from kms-core logs after 30 attempts");
+  throw new Error(
+    lastHandle
+      ? `KMS signer address not available in MinIO after 60 attempts (handle: ${lastHandle})`
+      : "Could not extract KMS signer handle from kms-core logs after 60 attempts",
+  );
 };
 
 const waitForKmsCore = async (deps: RuntimeDeps) => {
@@ -609,14 +647,15 @@ export const probeBootstrap = async (state: State, deps: RuntimeDeps, attempt =
   const actualFheKeyId = uint256ToId(actualKey);
   const actualCrsKeyId = uint256ToId(actualCrs);
   // Keys are on-chain — material MUST appear. Let ensureMaterialUrl throw if it doesn't.
+  const kp = state.discovery!.minioKeyPrefix ?? "PUB";
   await Promise.all([
     ensureMaterialUrl(
       deps,
-      hostReachableMaterialUrl(`${state.discovery!.endpoints.minioExternal}/kms-public/PUB/PublicKey/${actualFheKeyId}`),
+      hostReachableMaterialUrl(`${state.discovery!.endpoints.minioExternal}/kms-public/${kp}/PublicKey/${actualFheKeyId}`),
     ),
     ensureMaterialUrl(
       deps,
-      hostReachableMaterialUrl(`${state.discovery!.endpoints.minioExternal}/kms-public/PUB/CRS/${actualCrsKeyId}`),
+      hostReachableMaterialUrl(`${state.discovery!.endpoints.minioExternal}/kms-public/${kp}/CRS/${actualCrsKeyId}`),
     ),
   ]);
   state.discovery!.actualFheKeyId = actualFheKeyId;
@@ -892,7 +931,9 @@ const runStep = async (state: State, step: StepName, deps: RuntimeDeps) => {
           minioExternal: `http://${await minioIp(deps)}:9000`,
         },
       };
-      state.discovery.kmsSigner = await discoverSigner(deps);
+      const signer = await discoverSigner(deps);
+      state.discovery.kmsSigner = signer.address;
+      state.discovery.minioKeyPrefix = signer.minioKeyPrefix;
       await regen(state, deps);
       break;
     case "gateway-deploy":
@@ -908,6 +949,7 @@ const runStep = async (state: State, step: StepName, deps: RuntimeDeps) => {
         crsKeyId: state.discovery?.crsKeyId ?? predictedCrsId(),
         actualFheKeyId: state.discovery?.actualFheKeyId,
         actualCrsKeyId: state.discovery?.actualCrsKeyId,
+        minioKeyPrefix: state.discovery?.minioKeyPrefix,
         endpoints: state.discovery?.endpoints ?? {
           gatewayHttp: "http://gateway-node:8546",
           gatewayWs: "ws://gateway-node:8546",
@@ -943,6 +985,7 @@ const runStep = async (state: State, step: StepName, deps: RuntimeDeps) => {
         crsKeyId: state.discovery?.crsKeyId ?? predictedCrsId(),
         actualFheKeyId: state.discovery?.actualFheKeyId,
         actualCrsKeyId: state.discovery?.actualCrsKeyId,
+        minioKeyPrefix: state.discovery?.minioKeyPrefix,
         endpoints: state.discovery?.endpoints ?? {
           gatewayHttp: "http://gateway-node:8546",
           gatewayWs: "ws://gateway-node:8546",
@@ -1076,6 +1119,10 @@ const runUp = async (options: UpOptions, deps: RuntimeDeps) => {
   if (options.resume && !state) {
     throw new Error("No .fhevm/state.json to resume from");
   }
+  if (!options.resume && (await loadState())) {
+    log("[up] cleaning previous run");
+    await runDown(deps);
+  }
   if (!state) {
     state = await bootstrapState(options, deps);
   }
@@ -1454,6 +1501,7 @@ up options:
   --from-step <${STEP_NAMES.join("|")}>   requires --resume, except in --dry-run
   --resume
   --dry-run
+  --reset                          re-resolve versions from GitHub (ignore cache)
 
 clean options:
   --images  remove CLI-owned local override images too
@@ -1462,9 +1510,10 @@ clean options:
 
 export const main = async (argv = process.argv, deps: Partial<RuntimeDeps> = {}) => {
   const runtime = { ...defaultDeps, ...deps };
+  let command: string | undefined;
   try {
     const parsed = parseCli(argv);
-    const command = parsed.command === "deploy" ? "up" : parsed.command;
+    command = parsed.command === "deploy" ? "up" : parsed.command;
     const fromStep = ensureStep(parsed.parsed.values["from-step"] as string | undefined);
     if (command === "up" && fromStep && !parsed.parsed.values.resume && !parsed.parsed.values["dry-run"]) {
       throw new Error("--from-step requires --resume or --dry-run");
@@ -1481,6 +1530,7 @@ export const main = async (argv = process.argv, deps: Partial<RuntimeDeps> = {})
               fromStep,
               lockFile: parsed.parsed.values["lock-file"] as string | undefined,
               allowSchemaMismatch: parsed.parsed.values["allow-schema-mismatch"],
+              reset: parsed.parsed.values.reset,
             },
             runtime,
           );
@@ -1497,6 +1547,7 @@ export const main = async (argv = process.argv, deps: Partial<RuntimeDeps> = {})
             allowSchemaMismatch: parsed.parsed.values["allow-schema-mismatch"],
             resume: parsed.parsed.values.resume,
             dryRun: parsed.parsed.values["dry-run"],
+            reset: parsed.parsed.values.reset,
           },
           runtime,
         );
@@ -1534,6 +1585,8 @@ export const main = async (argv = process.argv, deps: Partial<RuntimeDeps> = {})
       case "doctor":
         throw new Error("`doctor` was removed; use `fhevm-cli up --dry-run ...`");
       case "help":
+      case "--help":
+      case "-h":
       case undefined:
         usage();
         return;
@@ -1542,6 +1595,9 @@ export const main = async (argv = process.argv, deps: Partial<RuntimeDeps> = {})
     }
   } catch (error) {
     console.error(toError(error).message);
+    if (command === "up" && (await loadState())) {
+      console.error("Hint: run with --resume to continue, or without to start fresh.");
+    }
     process.exitCode = 1;
   }
 };

test-suite/fhevm/src/types.ts

@@ -53,6 +53,7 @@ export type Discovery = {
   crsKeyId: string;
   actualFheKeyId?: string;
   actualCrsKeyId?: string;
+  minioKeyPrefix?: string;
   endpoints: {
     gatewayHttp: string;
     gatewayWs: string;