Fallback Inbox contract changes

[philippecamacho]

Closes https://app.asana.com/1/1208976916964769/project/1209423958092927/task/1211849813289225?focus=true

This PR:

• Make changes to the Inbox contract so that it allows two batchers. The specification of this contract change can be found at https://eng-wiki.espressosys.com/mainch36.html#:Components:Base%20Layer%20Batch%20Validation:Batch%20Inbox%20Contract (see paragraph "Allowing different batchers")
• Extend the CI test suite to run L1 contract tests
• Remove the concept of preapproved batcher key and replace it with the non TEE batcher key, while introducing the TEE batcher key.
• Remove test TestRotateBatcherKey as the batcher key rotation will happen in the Inbox contract.
• NOT RELATED to the fallback inbox contract changes, but the circle ci tests that are failing have been deactivated for now. We can reactivate them later once they pass.

This PR does not:

• Implement the full fallback mechanism. This will be addressed in another PR.

Key places to review:

• Focus on the smart contract changes, in particular packages/contracts-bedrock/test/L1/BatchInbox.t.sol.

How to test this PR:

cd packages/contracts-bedrock/
forge test  --match-path test/L1/BatchInbox.t.sol

Things tested

• The core logic of the new inbox contract with about handling two batchers and allowing to switch from one to another. See packages/contracts-bedrock/test/L1/BatchInbox.t.sol.

[shenkeyao]

Why do we have AllocTypeEspresso when we also have *WithEnclave and *WithoutEnclave?

[shenkeyao]

Oh AllocTypeEspresso isn't introduced in this PR. @QuentinI looks like these three types were added from these two PRs on the same day: #110 and #144. Maybe there was some merge weirdness and we only wanted to keep the With and Without types?

[QuentinI]

Yeah, I think this is merge shenanigans... Non-prefixed type shouldn't exist.

[shenkeyao]

LGTM

[QuentinI]

I don't think it matters that much, but I'd put this function and the new variables into batch authenticator contract to keep BatchInbox surface area minimal, as it's part of the original OP's derivation pipeline.

[QuentinI]

I don't think this works unfortunately, as derivation pipeline checks that transaction is from one specific batcherAddress that is defined by RollupConfig, let's call it Batch Sender Address for clarity.

I think what we need to do is either keep this as-is and either

• make a similar change to batch authenticator and require fallback batcher to authenticate the batch with the batch inbox before posting
• skip any sort of authentication when activeIsTee is false

Both approaches require both TEE and fallback batcher sharing Batch Sender Address, which is... not great.
The first one will at least cleanly separate who can post batches at any given moment - when non-TEE batcher is active, only its batches will be approved. However, this comes at cost of fallback batcher needing to be a modified batcher (essentially our batcher in non-TEE mode)
The second approach will allow through both batchers when activeIsTee is false, but the fallback batcher can be an unmodified OP batcher.

As an alternative, we can make yet another change to the derivation pipeline and introduce a second batcher address there, this would allow us to have our cake and eat it too in terms of batcher modifications (the code as written in this PR would just work and batchers won't need to share Batch Sender Address), but at the cost of yet another change to the derivation pipeline, which I imagine would become even harder to upstream.

[philippecamacho]

This is a great catch. I think the better alternative is to modify the derivation pipeline, because it reflects the introduction of a new batcher in the design and at some point we want to be able to support permissionless batching, so why not start moving in that direction anyways. Also IIRC, during the technical meetings we discussed that it would be undesirable to have the two batchers share the same key / identity.

[QuentinI]

at some point we want to be able to support permissionless batching

Oh, right, I failed to considered that. Yeah, then "don't make more changes to the pipeline" ship has already sailed and we can just as well do it.