fix(test-suite): hard-cut main targets at simple acl

Author: Eikix

test-suite/fhevm/ARCHITECTURE.md

@@ -5,9 +5,9 @@ This is the high-level shape of the Bun-based `fhevm-cli`.
 ```mermaid
 flowchart TD
   A["fhevm-cli up"] --> B["Resolve target"]
-  B --> B1["latest-main: walk main SHAs until complete image set, but not before acfa977"]
+  B --> B1["latest-main: walk main SHAs until complete image set, but not before 803f104"]
   B --> B2["latest-release: latest stable release"]
-  B --> B3["sha: exact repo-owned SHA, fail if any package tag is missing"]
+  B --> B3["sha: exact repo-owned SHA on main, fail if any package tag is missing or if it predates 803f104"]
   B --> B4["devnet/testnet/mainnet: GitOps bundles"]
   B1 --> C["Lock resolved bundle"]
   B2 --> C

test-suite/fhevm/README.md

@@ -38,15 +38,15 @@ bun test
 ## Targets
 
 - `latest-release`: latest stable fhevm release plus checked-in companion defaults
-- `latest-main`: newest complete repo-owned main SHA bundle at or after the tenant-refactor floor (`acfa977`)
+- `latest-main`: newest complete repo-owned main SHA bundle at or after the simple-ACL floor (`803f104`)
 - `sha`: exact repo-owned SHA bundle plus `latest-release` companions
 - `devnet`
 - `testnet`
 - `mainnet`
 
 Only `devnet`, `testnet`, and `mainnet` resolve from GitOps. Non-network targets do not.
 `latest-main` is intentionally modern-only; if the resolver cannot find a complete image set after the floor, it fails instead of walking into older protocol behavior.
-`sha` requires `--sha <git-sha>` and fails fast unless every repo-owned package is available at that 7-character SHA tag.
+`sha` requires `--sha <git-sha>` and fails fast unless every repo-owned package is available at that 7-character SHA tag, the SHA is on `main`, and it is at or after the simple-ACL floor.
 
 ## Pinning an Exact Version Bundle
 

test-suite/fhevm/src/cli.test.ts

@@ -100,13 +100,13 @@ const latestMainPackageResponses = (tag: string) =>
   );
 
 describe("resolveTarget", () => {
-  test("latest-main walks back to the first complete sha bundle after the tenant floor", async () => {
+  test("latest-main walks back to the first complete sha bundle after the simple-acl floor", async () => {
     const gh = createGitHubClient(
       fakeRunner({
         "gh api repos/zama-ai/fhevm/commits?sha=main&per_page=100&page=1":
           JSON.stringify([
             { sha: "1111111000000000000000000000000000000000" },
-            { sha: "acfa9775818406a119b53d2beb05a04742a49473" },
+            { sha: "803f1048727eabf6d8b3df618203e3c7dda77890" },
             { sha: "2222222000000000000000000000000000000000" },
           ]),
         ...latestMainPackageResponses("1111111"),
@@ -118,13 +118,13 @@ describe("resolveTarget", () => {
     expect(bundle.env.CORE_VERSION).toBe("v0.13.0");
   });
 
-  test("latest-main rejects complete bundles older than the tenant floor", async () => {
+  test("latest-main rejects complete bundles older than the simple-acl floor", async () => {
     const gh = createGitHubClient(
       fakeRunner({
         "gh api repos/zama-ai/fhevm/commits?sha=main&per_page=100&page=1":
           JSON.stringify([
             { sha: "1111111000000000000000000000000000000000" },
-            { sha: "acfa9775818406a119b53d2beb05a04742a49473" },
+            { sha: "803f1048727eabf6d8b3df618203e3c7dda77890" },
             { sha: "2222222000000000000000000000000000000000" },
           ]),
         ...latestMainPackageResponses("2222222"),
@@ -136,14 +136,52 @@ describe("resolveTarget", () => {
   });
 
   test("sha resolves an explicit complete repo-owned image set", async () => {
-    const gh = createGitHubClient(fakeRunner(latestMainPackageResponses("1234abc")));
+    const gh = createGitHubClient(
+      fakeRunner({
+        "gh api repos/zama-ai/fhevm/commits?sha=main&per_page=100&page=1":
+          JSON.stringify([
+            { sha: "1234abc999999999999999999999999999999999" },
+            { sha: "803f1048727eabf6d8b3df618203e3c7dda77890" },
+          ]),
+        ...latestMainPackageResponses("1234abc"),
+      }),
+    );
     const bundle = await resolveTarget("sha", gh, { sha: "1234abc999999999999999999999999999999999" });
     expect(bundle.lockName).toBe("sha-1234abc.json");
     expect(bundle.env.GATEWAY_VERSION).toBe("1234abc");
     expect(bundle.env.CORE_VERSION).toBe("v0.13.0");
     expect(bundle.sources).toContain("requested-sha=1234abc999999999999999999999999999999999");
   });
 
+  test("sha rejects commits older than the simple-acl floor", async () => {
+    const gh = createGitHubClient(
+      fakeRunner({
+        "gh api repos/zama-ai/fhevm/commits?sha=main&per_page=100&page=1":
+          JSON.stringify([
+            { sha: "803f1048727eabf6d8b3df618203e3c7dda77890" },
+            { sha: "1234abc999999999999999999999999999999999" },
+          ]),
+        ...latestMainPackageResponses("1234abc"),
+      }),
+    );
+    await expect(resolveTarget("sha", gh, { sha: "1234abc" })).rejects.toThrow(
+      "sha target 1234abc predates the simple-ACL cutover and is unsupported",
+    );
+  });
+
+  test("sha rejects non-main commits even if images exist", async () => {
+    const gh = createGitHubClient(
+      fakeRunner({
+        "gh api repos/zama-ai/fhevm/commits?sha=main&per_page=100&page=1":
+          JSON.stringify([{ sha: "803f1048727eabf6d8b3df618203e3c7dda77890" }]),
+        ...latestMainPackageResponses("1234abc"),
+      }),
+    );
+    await expect(resolveTarget("sha", gh, { sha: "1234abc" })).rejects.toThrow(
+      "sha target 1234abc is unsupported; only main commits at or after 803f104 are supported",
+    );
+  });
+
   test("sha rejects missing repo-owned images", async () => {
     const responses = latestMainPackageResponses("1234abc");
     responses["gh api /orgs/zama-ai/packages/container/fhevm%2Fcoprocessor%2Fsns-worker/versions?per_page=100&page=1"] =
@@ -232,6 +270,10 @@ describe("runtime invariants", () => {
       ["--tenant-api-key", "TENANT_API_KEY"],
     ]);
     expect(compatPolicyForState(makeState("v0.11.0")).coprocessorArgs["transaction-sender"]).toEqual([
+      ["--multichain-acl-address", "MULTICHAIN_ACL_ADDRESS"],
+      ["--delegation-fallback-polling", "30"],
+      ["--delegation-max-retry", "100000"],
+      ["--retry-immediately-on-nonce-error", "2"],
       ["--host-chain-url", "RPC_WS_URL"],
     ]);
 

test-suite/fhevm/src/compat.ts

@@ -8,8 +8,6 @@ export type CompatPolicy = {
   connectorEnv: Record<string, string>;
 };
 
-export const requiresMultichainAclAddress = (_state: Pick<State, "target" | "versions">) => true;
-
 const COMPAT_PROFILES = {
   "legacy-coprocessor-api-keys": {
     coprocessorArgs: {
@@ -31,11 +29,23 @@ const COMPAT_PROFILES = {
     },
     connectorEnv: {},
   },
+  "legacy-tx-sender-gateway-flags": {
+    coprocessorArgs: {
+      "transaction-sender": [
+        ["--multichain-acl-address", "MULTICHAIN_ACL_ADDRESS"],
+        ["--delegation-fallback-polling", "30"],
+        ["--delegation-max-retry", "100000"],
+        ["--retry-immediately-on-nonce-error", "2"],
+      ],
+    },
+    connectorEnv: {},
+  },
 } as const satisfies Record<string, CompatPolicy>;
 
 const COMPAT_RULES = {
   coprocessor: [
     { before: [0, 12, 0] as CompatSemver, profile: "legacy-coprocessor-api-keys" },
+    { before: [0, 12, 0] as CompatSemver, profile: "legacy-tx-sender-gateway-flags" },
     { before: [0, 11, 1] as CompatSemver, profile: "legacy-tx-sender-host-chain-url" },
   ],
   connector: [{ before: [0, 11, 0] as CompatSemver, profile: "legacy-connector-chain-id" }],
@@ -63,6 +73,9 @@ const versionLt = (version: string, target: CompatSemver) => {
   return false;
 };
 
+export const requiresMultichainAclAddress = (state: Pick<State, "versions">) =>
+  versionLt(state.versions.env.COPROCESSOR_TX_SENDER_VERSION ?? "", [0, 12, 0]);
+
 export const compatPolicyForState = (state: State): CompatPolicy => {
   const policy: CompatPolicy = { coprocessorArgs: {}, connectorEnv: {} };
   for (const rule of COMPAT_RULES.coprocessor) {

test-suite/fhevm/src/runtime.ts

@@ -1,7 +1,7 @@
+import { requiresMultichainAclAddress } from "./compat";
 import path from "node:path";
 import { parseArgs } from "node:util";
 
-import { requiresMultichainAclAddress } from "./compat";
 import type {
   Discovery,
   InstanceOverride,

test-suite/fhevm/src/versions.ts

@@ -304,7 +304,7 @@ const bundleFromFiles = async (client: GitHubClient, target: VersionTarget, file
 
 const REPO_TAG = /^[0-9a-f]{7}$/;
 const SHA_REF = /^(?:[0-9a-f]{7}|[0-9a-f]{40})$/i;
-const LATEST_MAIN_MIN_SHA = "acfa9775818406a119b53d2beb05a04742a49473";
+const SIMPLE_ACL_MIN_SHA = "803f1048727eabf6d8b3df618203e3c7dda77890";
 
 const repoPackageName = (pkg: string) => decodeURIComponent(pkg);
 
@@ -322,6 +322,14 @@ const missingRepoPackages = (packageTags: Record<string, Set<string>>, tag: stri
 
 const shortSha = (value: string) => value.toLowerCase().slice(0, 7);
 
+const simpleAclFloor = (commits: string[]) => {
+  const floor = commits.indexOf(SIMPLE_ACL_MIN_SHA);
+  if (floor < 0) {
+    throw new Error(`simple-acl floor ${SIMPLE_ACL_MIN_SHA} was not found in fetched main history`);
+  }
+  return floor;
+};
+
 const presetBundle = (
   target: "latest-release" | "latest-main" | "sha",
   repoVersion: string,
@@ -378,14 +386,20 @@ export const resolveTarget = async (
     if (missing.length) {
       throw new Error(`Could not find a complete sha image set for ${tag}; missing: ${missing.join(", ")}`);
     }
+    const commits = await client.mainCommits(1000);
+    const floor = simpleAclFloor(commits);
+    const index = commits.findIndex((sha) => sha.startsWith(tag));
+    if (index < 0) {
+      throw new Error(`sha target ${tag} is unsupported; only main commits at or after ${SIMPLE_ACL_MIN_SHA.slice(0, 7)} are supported`);
+    }
+    if (index > floor) {
+      throw new Error(`sha target ${tag} predates the simple-ACL cutover and is unsupported`);
+    }
     return presetBundle(target, tag, `sha-${tag}.json`, [`requested-sha=${requested.toLowerCase()}`]);
   }
   const packageTags = await repoPackageTags(client);
   const commits = await client.mainCommits(1000);
-  const floor = commits.indexOf(LATEST_MAIN_MIN_SHA);
-  if (floor < 0) {
-    throw new Error(`latest-main floor ${LATEST_MAIN_MIN_SHA} was not found in fetched main history`);
-  }
+  const floor = simpleAclFloor(commits);
   const short = commits.slice(0, floor + 1).map((sha) => sha.slice(0, 7)).find((sha) =>
     Object.values(packageTags).every((set) => set.has(sha) && REPO_TAG.test(sha)),
   );