Merge branch 'main' into bound-cached-states

calbera · web-flow · commit d67a8e3e1412 · 2025-12-04T12:30:31.000-08:00
diff --git a/.github/workflows/berachain_release.asc b/.github/workflows/berachain_release.asc
@@ -1,13 +1,13 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
 mDMEaIky1hYJKwYBBAHaRw8BAQdAnxP3mNWC+miF0OKvOg4+BzzswbrTWLbluSJU
-+NBib3q0H2NhbGJlcmEgPGNhbGJlcmFAYmVyYWNoYWluLmNvbT6ImQQTFgoAQRYh
-BPzFjSePGuMIYGS4P/GUiPGD4kvxBQJoiTLWAhsDBQkAdqcABQsJCAcCAiICBhUK
-CQgLAgQWAgMBAh4HAheAAAoJEPGUiPGD4kvxA9oBANZQa+Q6UlhDPLOOhchdPSi7
-lmBE+za+5u5Q3bA7ZO8rAP46R+a1AxHqeLrShhkTvJwTG+qGvfS/LtHfNYLHqOQw
-Bbg4BGiJMtYSCisGAQQBl1UBBQEBB0A6onCspxjhXI7X13LHlUYQxYVyzUDamgVP
++NBib3q0H2NhbGJlcmEgPGNhbGJlcmFAYmVyYWNoYWluLmNvbT6ImQQTFgoAQQIb
+AwULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgBYhBPzFjSePGuMIYGS4P/GUiPGD
+4kvxBQJpCMZdBQkA9jqHAAoJEPGUiPGD4kvxkpkA/0uwFK4PSHs+exgROaFBOMEd
+39DWEizFfQQIbdCc/z//AQCgk/rLrY9LGOc3MLOKJAA8VxVskdZlYzAQ/6HgO+bD
+ALg4BGiJMtYSCisGAQQBl1UBBQEBB0A6onCspxjhXI7X13LHlUYQxYVyzUDamgVP
 hXYTLZ1QEAMBCAeIfgQYFgoAJhYhBPzFjSePGuMIYGS4P/GUiPGD4kvxBQJoiTLW
 AhsMBQkAdqcAAAoJEPGUiPGD4kvxWOAA/0IedfbPuCJU/IWo+gxCZMl9Fb7oVA4L
 v9lMBtnspGsxAQDRX3fFP/Bv96wHlUWQHg01TSaWNyTQa5dTpjEcLxnXCQ==
-=L8oL
+=Xha4
 -----END PGP PUBLIC KEY BLOCK-----
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
@@ -90,7 +90,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v5
         with:
-          go-version: "1.25.3"
+          go-version: "1.25.5"
           check-latest: true
           cache-dependency-path: "**/*.sum"
         if: ${{ !(matrix.args == 'test-forge-cover' || matrix.args == 'test-forge-fuzz') }}
@@ -154,7 +154,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v5
         with:
-          go-version: "1.25.3"
+          go-version: "1.25.5"
           check-latest: true
           cache-dependency-path: "**/*.sum"
       - name: Set up QEMU
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -72,7 +72,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v3
         with:
-          go-version: "1.25.3"
+          go-version: "1.25.5"
         env:
           GOOS: ${{ matrix.configs.target-os }}
           GOARCH: ${{ matrix.configs.arch }}
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -722,7 +722,7 @@ func ProvideBlockchainService(
 ## Build Requirements
 
 ### Dependencies
-- Go 1.25.3+
+- Go 1.25.5+
 - Docker (for running EL clients)
 - Foundry (for Solidity contracts)
 - Make (GNU Make)
diff --git a/Dockerfile b/Dockerfile
@@ -18,7 +18,7 @@
 ###           Stage 0 - Build Arguments             ###
 #######################################################
 
-ARG GO_VERSION=1.25.3
+ARG GO_VERSION=1.25.5
 ARG RUNNER_IMAGE=alpine:3.20
 ARG BUILD_TAGS="netgo,muslc,blst,bls12381,pebbledb"
 ARG NAME=beacond
diff --git a/README.md b/README.md
@@ -40,7 +40,7 @@ BeaconKit supports the following execution clients:
 **Prerequisites:**
 
 - [Docker](https://docs.docker.com/engine/install/)
-- [Golang 1.25.3+](https://go.dev/doc/install)
+- [Golang 1.25.5+](https://go.dev/doc/install)
 - [Foundry](https://book.getfoundry.sh/)
 
 Start by opening two terminals side-by-side:
diff --git a/cli/commands/genesis/deposit.go b/cli/commands/genesis/deposit.go
@@ -158,7 +158,7 @@ func AddGenesisDeposit(
 
 func makeOutputFilepath(rootDir, pubkey string) (string, error) {
 	writePath := filepath.Join(rootDir, "config", "premined-deposits")
-	if err := afero.NewOsFs().MkdirAll(writePath, os.ModePerm); err != nil {
+	if err := afero.NewOsFs().MkdirAll(writePath, 0o700); err != nil { //nolint:mnd // dir permissions.
 		return "", errors.Wrapf(
 			errors.New("could not create directory"), "%q: %w",
 			writePath,
diff --git a/cli/commands/initialize/initialize.go b/cli/commands/initialize/initialize.go
@@ -187,7 +187,7 @@ func InitCmd(creator clitypes.ChainSpecCreator, mm interface {
 
 			chainSpec, err := creator(context.GetViperFromCmd(cmd))
 			if err != nil {
-				return fmt.Errorf("faile to create chain spec: %w", err)
+				return fmt.Errorf("failed to create chain spec: %w", err)
 			}
 			appGenState := mm.DefaultGenesis(chainSpec)
 
diff --git a/cli/commands/jwt/jwt.go b/cli/commands/jwt/jwt.go
@@ -36,6 +36,9 @@ const (
 	FlagOutputPath        = "output-path"
 	FlagInputPath         = "input-path"
 	ConfigFolder          = "config"
+
+	secretDirPerms  os.FileMode = 0o700
+	secretFilePerms os.FileMode = 0o600
 )
 
 // Commands creates a new command for managing JWT secrets.
@@ -143,7 +146,7 @@ func generateAuthSecretInFile(cmd *cobra.Command, fileName string) error {
 	}
 
 	if !exists {
-		if err = fs.MkdirAll(fileDir, os.ModePerm); err != nil {
+		if err = fs.MkdirAll(fileDir, secretDirPerms); err != nil {
 			return err
 		}
 	}
@@ -153,12 +156,24 @@ func generateAuthSecretInFile(cmd *cobra.Command, fileName string) error {
 		return err
 	}
 
+	fileExists, err := afero.Exists(fs, fileName)
+	if err != nil {
+		return err
+	}
+
 	if err = afero.WriteFile(
-		fs, fileName, []byte(secret.Hex()), os.ModePerm,
+		fs, fileName, []byte(secret.Hex()), secretFilePerms,
 	); err != nil {
 		return err
 	}
 
+	// WriteFile only sets permissions on file creation, so explicitly chmod if the file already existed.
+	if fileExists {
+		if err = fs.Chmod(fileName, secretFilePerms); err != nil {
+			return err
+		}
+	}
+
 	cmd.Printf(
 		"Successfully wrote new JSON-RPC authentication secret to: %s",
 		fileName,
diff --git a/cli/commands/jwt/jwt_test.go b/cli/commands/jwt/jwt_test.go
@@ -106,6 +106,52 @@ func Test_NewGenerateJWTCommand(t *testing.T) {
 	})
 }
 
+func Test_GenerateJWTCommand_FilePermissions(t *testing.T) {
+	t.Parallel()
+
+	t.Run("new file should have 0600 permissions", func(t *testing.T) {
+		tempDir := t.TempDir()
+		outputPath := filepath.Join(tempDir, "jwt.hex")
+
+		cmd := jwt.NewGenerateJWTCommand()
+		cmd.SetArgs([]string{"--output-path", outputPath})
+		require.NoError(t, cmd.Execute())
+
+		info, err := os.Stat(outputPath)
+		require.NoError(t, err)
+		require.Equal(t, os.FileMode(0600), info.Mode().Perm(),
+			"new JWT file should have 0600 permissions")
+	})
+
+	t.Run("pre-existing file with permissive permissions should be fixed", func(t *testing.T) {
+		tempDir := t.TempDir()
+		outputPath := filepath.Join(tempDir, "jwt.hex")
+
+		// Create file with world-readable permissions
+		err := os.WriteFile(outputPath, []byte("old_content"), 0755)
+		require.NoError(t, err)
+
+		// Verify it has permissive permissions
+		info, err := os.Stat(outputPath)
+		require.NoError(t, err)
+		require.Equal(t, os.FileMode(0755), info.Mode().Perm())
+
+		// Run the generate command
+		cmd := jwt.NewGenerateJWTCommand()
+		cmd.SetArgs([]string{"--output-path", outputPath})
+		require.NoError(t, cmd.Execute())
+
+		// Verify permissions are now restricted
+		info, err = os.Stat(outputPath)
+		require.NoError(t, err)
+		require.Equal(t, os.FileMode(0600), info.Mode().Perm(),
+			"pre-existing JWT file should have permissions fixed to 0600")
+
+		// Also verify the content is valid
+		checkAuthFileIntegrity(t, outputPath)
+	})
+}
+
 func checkAuthFileIntegrity(tb testing.TB, fPath string) {
 	tb.Helper()
 	fs := afero.NewOsFs()
diff --git a/config/spec/creator.go b/config/spec/creator.go
@@ -92,14 +92,10 @@ func loadSpecData(path string) (*chain.SpecData, error) {
 		return nil, fmt.Errorf("failed to read config: %w", err)
 	}
 
-	// Ensure all required fields are set.
+	// Ensure all required fields are set, including embedded structs.
 	specData := chain.SpecData{}
-	specType := reflect.TypeOf(specData)
-	for i := range specType.NumField() {
-		tag := specType.Field(i).Tag.Get("mapstructure")
-		if !v.IsSet(tag) {
-			return nil, fmt.Errorf("missing required configuration for key: %s", tag)
-		}
+	if err := validateRequiredFields(reflect.TypeOf(specData), v, ""); err != nil {
+		return nil, err
 	}
 
 	// Define a decode hook to handle addresses and domain types.
@@ -113,3 +109,59 @@ func loadSpecData(path string) (*chain.SpecData, error) {
 
 	return &specData, nil
 }
+
+// validateRequiredFields validates that all fields with mapstructure tags are present in
+// the configuration. This includes fields in embedded structs.
+//
+//nolint:gocognit
+func validateRequiredFields(t reflect.Type, v *viper.Viper, prefix string) error {
+	// Handle pointer types
+	if t.Kind() == reflect.Ptr {
+		t = t.Elem()
+	}
+
+	// Only process struct types
+	if t.Kind() != reflect.Struct {
+		return nil
+	}
+
+	for i := range t.NumField() {
+		field := t.Field(i)
+		tag := field.Tag.Get("mapstructure")
+
+		// Skip fields without mapstructure tag
+		if tag == "" {
+			// Check if this is an embedded struct that might have its own fields
+			if field.Anonymous && field.Type.Kind() == reflect.Struct {
+				// For embedded structs without a tag, check their fields directly
+				if err := validateRequiredFields(field.Type, v, prefix); err != nil {
+					return err
+				}
+			}
+			continue
+		}
+
+		// Build the full key path
+		fullKey := tag
+		if prefix != "" {
+			fullKey = prefix + "." + tag
+		}
+
+		// For struct fields (embedded or not) with mapstructure tags, validate their sub-fields
+		if field.Anonymous || field.Type.Kind() == reflect.Struct {
+			// This is an embedded struct with its own mapstructure tag
+			// Validate its sub-fields with the tag as prefix
+			if err := validateRequiredFields(field.Type, v, tag); err != nil {
+				return err
+			}
+			continue
+		}
+
+		// Regular field - check if it's set in the config
+		if !v.IsSet(fullKey) {
+			return fmt.Errorf("missing required configuration for key: %s", fullKey)
+		}
+	}
+
+	return nil
+}
diff --git a/config/spec/creator_test.go b/config/spec/creator_test.go
@@ -21,10 +21,13 @@
 package spec_test
 
 import (
+	"os"
+	"path/filepath"
 	"testing"
 
 	"github.com/berachain/beacon-kit/cli/flags"
 	"github.com/berachain/beacon-kit/config/spec"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
@@ -127,3 +130,68 @@ func TestCreateChainSpec_File(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, devnetSpec, dcs, "the chain spec loaded from TOML does not match the devnet spec")
 }
+
+func TestCreateChainSpec_FieldValidation(t *testing.T) {
+	t.Parallel()
+
+	tempDir := t.TempDir()
+
+	// Read the valid spec file to use as a success case reference
+	validSpec, err := os.ReadFile("../../testing/files/spec.toml")
+	require.NoError(t, err)
+
+	tests := []struct {
+		name        string
+		specContent string
+		wantErr     string // empty means no error expected
+	}{
+		{
+			name:        "valid spec with block-delay-configuration",
+			specContent: string(validSpec),
+			wantErr:     "",
+		},
+		{
+			name:        "empty spec file",
+			specContent: "",
+			wantErr:     "missing required configuration for key:",
+		},
+		{
+			name: "partial block-delay-configuration",
+			specContent: `[block-delay-configuration]
+max-block-delay = 300_000_000_000
+`,
+			wantErr: "missing required configuration for key: block-delay-configuration.target-block-time",
+		},
+		{
+			name: "missing max-effective-balance after block-delay-configuration",
+			specContent: `[block-delay-configuration]
+max-block-delay = 300_000_000_000
+target-block-time = 2_000_000_000
+const-block-delay = 500_000_000
+consensus-update-height = 1
+consensus-enable-height = 2
+`,
+			wantErr: "missing required configuration for key: max-effective-balance",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			specFile := filepath.Join(tempDir, tt.name+".toml")
+			require.NoError(t, os.WriteFile(specFile, []byte(tt.specContent), 0600))
+
+			opts := dummyAppOptions{values: map[string]interface{}{
+				flags.ChainSpec:         "file",
+				flags.ChainSpecFilePath: specFile,
+			}}
+			_, createErr := spec.Create(opts)
+
+			if tt.wantErr == "" {
+				require.NoError(t, createErr)
+			} else {
+				require.Error(t, createErr)
+				assert.Contains(t, createErr.Error(), tt.wantErr)
+			}
+		})
+	}
+}
diff --git a/execution/client/client.go b/execution/client/client.go
@@ -22,6 +22,7 @@ package client
 
 import (
 	"context"
+	"fmt"
 	"math/big"
 	"sync"
 	"time"
@@ -68,6 +69,7 @@ func New(
 		cfg.RPCDialURL.String(),
 		jwtSecret,
 		cfg.RPCJWTRefreshInterval,
+		logger,
 	)
 
 	// Enforcing minimum rpc timeout
@@ -108,7 +110,12 @@ func (s *EngineClient) Name() string {
 
 // Start the engine client.
 func (s *EngineClient) Start(ctx context.Context) error {
-	// Start the Client.
+	// Initialize the JWT token before making any RPC calls
+	if err := s.Client.Initialize(); err != nil {
+		return fmt.Errorf("failed to initialize RPC client: %w", err)
+	}
+
+	// Start the Client background refresh loop.
 	go s.Client.Start(ctx)
 
 	s.logger.Info(
diff --git a/execution/client/ethclient/engine_test.go b/execution/client/ethclient/engine_test.go
@@ -154,6 +154,7 @@ type stubRPCClient struct {
 	t *testing.T
 }
 
+func (tc *stubRPCClient) Initialize() error     { return nil }
 func (tc *stubRPCClient) Start(context.Context) {}
 func (tc *stubRPCClient) Call(_ context.Context, target any, _ string, _ ...any) error {
 	tc.t.Helper()
diff --git a/execution/client/ethclient/rpc/client.go b/execution/client/ethclient/rpc/client.go
diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum

Original file line number	Diff line number	Diff line change
`@@ -187,7 +187,7 @@ func InitCmd(creator clitypes.ChainSpecCreator, mm interface {`
`187`	`187`
`188`	`188`	`chainSpec, err := creator(context.GetViperFromCmd(cmd))`
`189`	`189`	`if err != nil {`
`190`		`- return fmt.Errorf("faile to create chain spec: %w", err)`
	`190`	`+ return fmt.Errorf("failed to create chain spec: %w", err)`
`191`	`191`	`}`
`192`	`192`	`appGenState := mm.DefaultGenesis(chainSpec)`
`193`	`193`