add AN compatibility for v0.44.9

[j1010001]

adding AN compatibility on top of: #8272

Summary by CodeRabbit

• New Features

  • Added account restriction system to prevent restricted accounts from initiating transactions unless payer is the service account
  • Introduced service account override capability for authorization verification
  • Added support for EIP-7702 code authorizations in EVM transactions
  • Added computation remaining query capability to meter interface

• Bug Fixes

  • Improved EVM withdrawal balance validation with clearer error messaging
  • Enhanced error handling consistency across transaction processing
  • Fixed genesis state commitments for test consistency

• Chores

  • Updated golangci-lint configuration to v2 format
  • Updated dependencies across modules including Cadence, OpenTelemetry, and Go utilities
  • Adjusted test fixture balances and state commitments

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Walkthrough

This PR updates linting configuration from golangci-lint v1.63.4 to v2.7.1, adds transaction access methods to the Execution Node provider, implements account restriction enforcement throughout the FVM execution layer, expands the computation metering API with per-kind remaining capacity queries, introduces EVM allow-listing and SetCode authorization support, refactors machine account balance validation, and updates multiple dependencies.

Changes

Cohort / File(s)	Summary
CI and Linting Configuration .custom-gcl.yml, .github/workflows/ci.yml, .golangci.yml	Upgraded golangci-lint from v1.63.4 to v2.7.1 with migrated v2 configuration format, updated action usage to v9, enabled gosec and structwrite linters, consolidated exclusions, and reorganized settings structure
Transaction Access Layer engine/access/rpc/backend/transactions/provider/execution_node.go, engine/access/rpc/backend/transactions/transactions_functional_test.go	Added TransactionsByBlockID and TransactionResultsByBlockID public methods; standardized error handling to use rpc.ConvertError; added functional tests for Execution Node error scenarios
Restricted Accounts Implementation fvm/blueprints/contracts.go, fvm/environment/contract_updater.go, fvm/environment/contract_updater_test.go, fvm/environment/env.go, fvm/environment/transaction_info.go, fvm/errors/codes.go, fvm/errors/execution.go, fvm/transactionInvoker.go, fvm/transactionStorageLimiter.go, fvm/transactionStorageLimiter_test.go, fvm/transactionVerifier.go, fvm/fvm_test.go, fvm/fvm_blockcontext_test.go, module/trace/constants.go	Added RestrictedAccountsPath constant; introduced GetRestrictedAccounts API across Environment, ContractUpdater, and related interfaces; enforced restrictions in transaction verification and storage limit checks; implemented service account override for authorization bypass
Computation Metering API cmd/util/ledger/util/nop_meter.go, fvm/environment/meter.go, fvm/meter/computation_meter.go, fvm/storage/state/execution_state.go, fvm/storage/state/transaction_state.go, fvm/evm/backends/wrappedEnv.go, fvm/evm/handler/handler.go	Added ComputationRemaining(kind) method across all meter implementations; updated batch gas validation to per-transaction checks using remaining computation capacity
EVM Allow-Listing & Authorization fvm/evm/emulator/emulator.go, fvm/evm/types/call.go	Introduced EOA allow-list with temporary gating that restricts transactions to authorized addresses; added SetCodeAuthorizations support for EIP-7702 code authorizations on DirectCall
EVM Balance & Value Handling fvm/evm/impl/impl.go, fvm/evm/types/balance.go, fvm/evm/types/errors.go, fvm/evm/emulator/state/collection.go	Enhanced balance validation with AttoFlowBalanceIsValidForFlowVault predicate; refactored value conversion in withdraw function with overflow checks; updated error messaging; changed ByteStringValue.Storable maxInlineSize parameter type from uint64 to uint32
EVM Query & Offline Support fvm/evm/offchain/query/view.go, fvm/evm/offchain/query/view_test.go	Added SetCodeAuthorization parameter to DryCall signature for EIP-7702 support
EVM Cadence Interface fvm/evm/stdlib/contract.cdc, fvm/evm/stdlib/contract_test.go	Disabled EVM deposits, withdrawals, deployments, and calls with panic messages; added reclaimFundsFromAttackerEOAs function for account-gated fund recovery
EVM Testing fvm/evm/emulator/emulator_test.go, fvm/evm/evm_test.go, fvm/evm/handler/handler_test.go, fvm/evm/testutils/backend.go	Expanded withdrawal tests with edge cases (rounding, minimum transfers, overflow); added batch overflow test; introduced computationRemaining hook to test meter
Machine Account Balance Refactoring module/epochs/machine_account.go, module/epochs/machine_account_test.go	Consolidated soft/hard minimum balance logic into unified recommended balances with explicit refill targets; removed SoftMinBalance fields from MachineAccountValidatorConfig; updated validation and error messaging
Version & System Collection engine/common/version/version_control.go, model/access/systemcollection/system_collection.go, model/access/systemcollection/system_collection_test.go	Added cadence version overrides for 0.37.11, 0.42.3, 0.44.0, 0.44.1, 0.44.7, 0.44.9; introduced explicit version boundaries for Mainnet; updated TestVersioned_ByHeight
State Management & Indexing engine/execution/state/bootstrap/bootstrap_test.go, module/state_synchronization/indexer/indexer_core.go, module/state_synchronization/indexer/indexer_core_test.go, state/protocol/datastore/validity.go, storage/light_transaction_results.go	Updated genesis state commitment hex values in bootstrap tests; added idempotent reindex handling for already-indexed blocks; improved mock expectations with MatchLock support; expanded documentation
Mock Implementations fvm/environment/mock/contract_updater.go, fvm/environment/mock/contract_updater_stubs.go, fvm/environment/mock/environment.go, fvm/environment/mock/meter.go	Added GetRestrictedAccounts and ComputationRemaining methods to all relevant mock types with proper testify/mock wiring and return value handling
Testing Utilities utils/unittest/execution_state.go, utils/unittest/fixtures.go, utils/unittest/mocks/matchers.go	Updated genesis state commitment hex constants; increased MachineAccountFixture balance from 0.5 to 5.0 Flow; introduced MatchLock matcher utility for lock context assertions
Dependency Updates go.mod, insecure/go.mod, integration/go.mod	Updated cadence (v1.8.3→v1.8.10), atree (v0.11.0→v0.12.0), OpenTelemetry (1.37.0→1.38.0), and golang.org/x packages across crypto, sync, net, sys, term, text, tools, mod; added golang.org/x/telemetry as indirect dependency

Sequence Diagrams

sequenceDiagram
    participant Invoker as Transaction<br/>Invoker
    participant Env as Environment
    participant Limiter as Storage<br/>Limiter
    participant Verifier as Transaction<br/>Verifier
    participant Meter as Computation<br/>Meter

    Invoker->>Env: GetRestrictedAccounts()
    Env-->>Invoker: map[address]struct{}
    
    alt Payer equals Service Account
        Invoker->>Limiter: CheckStorageLimits<br/>(restrictedAccounts=nil)
    else Payer is Restricted
        Invoker-->>Invoker: Return AccountRestrictedError
    else Payer not Service
        Invoker->>Limiter: CheckStorageLimits<br/>(restrictedAccounts)
        Limiter->>Limiter: For each storage change,<br/>check if address in restrictedAccounts
        alt Address Restricted
            Limiter-->>Invoker: AccountRestrictedError
        end
    end
    
    Note over Invoker,Meter: Service Account Override
    Invoker->>Verifier: CheckAuthorization(chain, ...)
    Verifier->>Verifier: If all of (first auth,<br/>payer, proposer) ==<br/>service account:<br/>filter to service sigs only
    Verifier-->>Invoker: Authorization result

Loading

sequenceDiagram
    participant Handler as EVM<br/>Handler
    participant Meter as Computation<br/>Meter
    participant Executor as Transaction<br/>Executor

    loop For each transaction in batch
        Handler->>Meter: ComputationRemaining(kind)
        Meter-->>Handler: remaining uint64
        
        alt remaining < tx.Gas()
            Handler-->>Handler: Return<br/>ErrInsufficientComputation
        else Sufficient gas available
            Handler->>Handler: remainingGasLimit -=<br/>tx.Gas()
            Handler->>Executor: Execute transaction
        end
    end

Loading

sequenceDiagram
    participant Emulator as EVM<br/>Emulator
    participant AllowList as Allow-List<br/>Check
    participant UTXO as UTXO<br/>Processor

    Emulator->>AllowList: Check if signer<br/>in allowListEOAs
    
    alt Signer Authorized
        Emulator->>UTXO: ProcessTransaction
        UTXO-->>Emulator: Result
    else Signer Not Authorized
        Emulator-->>Emulator: Return invalid result:<br/>"EVM transactions are<br/>temporarily disabled"
    end

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

This PR introduces multiple significant features (account restrictions, service account overrides, EVM allow-listing, computation metering API), modifies core transaction verification and storage validation logic, spans 70+ heterogeneous files with varied change patterns (new interfaces, method implementations, test coverage, configuration updates), and requires careful verification of authorization, restriction enforcement, and metering semantics across interconnected components.

Possibly related PRs

• [Access] Add endpoints to get transaction and results by block #8240: Adds REST handlers and proxy methods for retrieving transactions and results by block ID, complementing the ENTransactionProvider methods added in this PR.
• [Access] Add compatibility override for v0.44.7 #8281: Makes overlapping changes across multiple fvm files including restricted accounts logic, computation metering APIs, version overrides, and extensive test coverage aligned with this PR's scope.

Suggested reviewers

• peterargue
• vishalchangrani
• UlyanaAndrukhiv

Poem

🐰 A rabbit hops through code so vast,
New restrictions, meters unsurpassed!
Allow-lists guard the EVM's way,
While service accounts hold their sway. 🌟
Computation flows, accounts confined,
A safer Flow for all mankind!

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 30.77% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'add AN compatibility for v0.44.9' directly and specifically describes the main change in the changeset - adding Account Node compatibility for version 0.44.9.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[j1010001]

obsoleted by #8284