revert header change

Author: tac0turtle

block/internal/common/replay.go

@@ -185,19 +185,10 @@ func (s *Replayer) replayBlock(ctx context.Context, height uint64) error {
 		return fmt.Errorf("failed to execute transactions: %w", err)
 	}
 	newAppHash := result.UpdatedStateRoot
-	if len(result.NextProposerAddress) > 0 {
-		if len(header.NextProposerAddress) == 0 {
-			return fmt.Errorf("next proposer mismatch at height %d: header empty, execution %x", height, result.NextProposerAddress)
-		}
-		if !bytes.Equal(header.NextProposerAddress, result.NextProposerAddress) {
-			return fmt.Errorf("next proposer mismatch at height %d: header %x, execution %x",
-				height,
-				header.NextProposerAddress,
-				result.NextProposerAddress,
-			)
-		}
-	} else if len(header.NextProposerAddress) > 0 && !bytes.Equal(header.NextProposerAddress, header.ProposerAddress) {
-		return fmt.Errorf("next proposer mismatch at height %d: header %x, execution unchanged", height, header.NextProposerAddress)
+
+	newState, err := prevState.NextState(header.Header, newAppHash, result.NextProposerAddress)
+	if err != nil {
+		return fmt.Errorf("calculate next state: %w", err)
 	}
 
 	// The result of ExecuteTxs (newAppHash) should match the stored state at this height.
@@ -224,18 +215,11 @@ func (s *Replayer) replayBlock(ctx context.Context, height uint64) error {
 			return err
 		}
 		if len(expectedState.NextProposerAddress) > 0 {
-			expectedNextProposer := header.NextProposerAddress
-			if len(expectedNextProposer) == 0 {
-				expectedNextProposer = result.NextProposerAddress
-			}
-			if len(expectedNextProposer) == 0 {
-				expectedNextProposer = header.ProposerAddress
-			}
-			if !bytes.Equal(expectedNextProposer, expectedState.NextProposerAddress) {
+			if !bytes.Equal(newState.NextProposerAddress, expectedState.NextProposerAddress) {
 				return fmt.Errorf("next proposer mismatch at height %d: expected %x got %x",
 					height,
 					expectedState.NextProposerAddress,
-					expectedNextProposer,
+					newState.NextProposerAddress,
 				)
 			}
 		}
@@ -251,12 +235,6 @@ func (s *Replayer) replayBlock(ctx context.Context, height uint64) error {
 			Msg("replayBlock: ExecuteTxs completed (no stored state to verify against)")
 	}
 
-	// Calculate new state
-	newState, err := prevState.NextState(header.Header, newAppHash)
-	if err != nil {
-		return fmt.Errorf("calculate next state: %w", err)
-	}
-
 	// Persist the new state
 	batch, err := s.store.NewBatch(ctx)
 	if err != nil {

block/internal/executing/executor.go

@@ -572,13 +572,6 @@ func (e *Executor) ProduceBlock(ctx context.Context) error {
 	if err != nil {
 		return fmt.Errorf("failed to apply block: %w", err)
 	}
-	if !bytes.Equal(newState.NextProposerAddress, header.ProposerAddress) {
-		header.NextProposerAddress = append([]byte(nil), newState.NextProposerAddress...)
-		header.InvalidateHash()
-	} else if len(header.NextProposerAddress) > 0 {
-		header.NextProposerAddress = nil
-		header.InvalidateHash()
-	}
 
 	// set the DA height in the sequencer
 	newState.DAHeight = e.sequencer.GetDAHeight()
@@ -861,19 +854,9 @@ func (e *Executor) ApplyBlock(ctx context.Context, header types.Header, data *ty
 		e.sendCriticalError(fmt.Errorf("failed to execute transactions: %w", err))
 		return types.State{}, fmt.Errorf("failed to execute transactions: %w", err)
 	}
-	if len(result.NextProposerAddress) > 0 {
-		if len(header.NextProposerAddress) == 0 {
-			header.NextProposerAddress = append([]byte(nil), result.NextProposerAddress...)
-		} else if !bytes.Equal(header.NextProposerAddress, result.NextProposerAddress) {
-			return types.State{}, fmt.Errorf("next proposer mismatch: header %x, execution %x", header.NextProposerAddress, result.NextProposerAddress)
-		}
-		header.InvalidateHash()
-	} else if len(header.NextProposerAddress) > 0 && !bytes.Equal(header.NextProposerAddress, header.ProposerAddress) {
-		return types.State{}, fmt.Errorf("next proposer mismatch: header %x, execution unchanged", header.NextProposerAddress)
-	}
 
 	// Create new state
-	newState, err := currentState.NextState(header, result.UpdatedStateRoot)
+	newState, err := currentState.NextState(header, result.UpdatedStateRoot, result.NextProposerAddress)
 	if err != nil {
 		return types.State{}, fmt.Errorf("failed to create next state: %w", err)
 	}

block/internal/executing/executor_logic_test.go

@@ -69,14 +69,13 @@ func TestProduceBlock_EmptyBatch_SetsEmptyDataHash(t *testing.T) {
 	require.NoError(t, err)
 	assert.Equal(t, 0, len(data.Txs))
 	assert.EqualValues(t, common.DataHashForEmptyTxs, sh.DataHash)
-	assert.Empty(t, sh.NextProposerAddress)
 
 	state, err := fx.MemStore.GetState(context.Background())
 	require.NoError(t, err)
 	assert.Equal(t, fx.Exec.genesis.ProposerAddress, state.NextProposerAddress)
 }
 
-func TestProduceBlock_CommitsExecutionNextProposer(t *testing.T) {
+func TestProduceBlock_PersistsExecutionNextProposer(t *testing.T) {
 	fx := setupTestExecutor(t, 1000)
 	defer fx.Cancel()
 
@@ -100,7 +99,6 @@ func TestProduceBlock_CommitsExecutionNextProposer(t *testing.T) {
 	header, data, err := fx.MemStore.GetBlockData(context.Background(), 1)
 	require.NoError(t, err)
 	require.NoError(t, header.ValidateBasicWithData(data))
-	assert.Equal(t, nextAddr, header.NextProposerAddress)
 
 	state, err := fx.MemStore.GetState(context.Background())
 	require.NoError(t, err)

block/internal/syncing/syncer.go

@@ -837,19 +837,9 @@ func (s *Syncer) ApplyBlock(ctx context.Context, header types.Header, data *type
 		s.sendCriticalError(fmt.Errorf("failed to execute transactions: %w", err))
 		return types.State{}, fmt.Errorf("failed to execute transactions: %w", err)
 	}
-	if len(result.NextProposerAddress) > 0 {
-		if len(header.NextProposerAddress) == 0 {
-			return types.State{}, fmt.Errorf("next proposer mismatch: header empty, execution %x", result.NextProposerAddress)
-		}
-		if !bytes.Equal(header.NextProposerAddress, result.NextProposerAddress) {
-			return types.State{}, fmt.Errorf("next proposer mismatch: header %x, execution %x", header.NextProposerAddress, result.NextProposerAddress)
-		}
-	} else if len(header.NextProposerAddress) > 0 && !bytes.Equal(header.NextProposerAddress, header.ProposerAddress) {
-		return types.State{}, fmt.Errorf("next proposer mismatch: header %x, execution unchanged", header.NextProposerAddress)
-	}
 
 	// Create new state
-	newState, err := currentState.NextState(header, result.UpdatedStateRoot)
+	newState, err := currentState.NextState(header, result.UpdatedStateRoot, result.NextProposerAddress)
 	if err != nil {
 		return types.State{}, fmt.Errorf("failed to create next state: %w", err)
 	}

block/internal/syncing/syncer_test.go

@@ -214,17 +214,15 @@ func TestSyncer_ValidateBlock_UsesStateNextProposer(t *testing.T) {
 	require.Contains(t, err.Error(), "unexpected proposer")
 }
 
-func TestSyncer_ApplyBlockRejectsExecutionNextProposerMismatch(t *testing.T) {
+func TestSyncer_ApplyBlockPersistsExecutionNextProposer(t *testing.T) {
 	addr, _, _ := buildSyncTestSigner(t)
-	headerNext := []byte("header-next-proposer")
 	execNext := []byte("execution-next-proposer")
 
 	mockExec := testmocks.NewMockExecutor(t)
 	data := makeData("tchain", 1, 1)
 	header := types.Header{
-		BaseHeader:          types.BaseHeader{ChainID: "tchain", Height: 1, Time: uint64(time.Now().UnixNano())},
-		ProposerAddress:     addr,
-		NextProposerAddress: headerNext,
+		BaseHeader:      types.BaseHeader{ChainID: "tchain", Height: 1, Time: uint64(time.Now().UnixNano())},
+		ProposerAddress: addr,
 	}
 	currentState := types.State{AppHash: []byte("app0"), NextProposerAddress: addr}
 
@@ -240,9 +238,9 @@ func TestSyncer_ApplyBlockRejectsExecutionNextProposerMismatch(t *testing.T) {
 		logger: zerolog.Nop(),
 	}
 
-	_, err := s.ApplyBlock(t.Context(), header, data, currentState)
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "next proposer mismatch")
+	newState, err := s.ApplyBlock(t.Context(), header, data, currentState)
+	require.NoError(t, err)
+	require.Equal(t, execNext, newState.NextProposerAddress)
 }
 
 func TestProcessHeightEvent_SyncsAndUpdatesState(t *testing.T) {

client/crates/types/src/proto/evnode.v1.messages.rs

@@ -65,9 +65,6 @@ pub struct Header {
     /// Chain ID the block belongs to
     #[prost(string, tag = "12")]
     pub chain_id: ::prost::alloc::string::String,
-    /// Proposer address selected by this block's execution result for the next block.
-    #[prost(bytes = "vec", tag = "13")]
-    pub next_proposer_address: ::prost::alloc::vec::Vec<u8>,
 }
 /// SignedHeader is a header with a signature and a signer.
 #[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]

client/crates/types/src/proto/evnode.v1.services.rs

@@ -439,9 +439,6 @@ pub struct Header {
     /// Chain ID the block belongs to
     #[prost(string, tag = "12")]
     pub chain_id: ::prost::alloc::string::String,
-    /// Proposer address selected by this block's execution result for the next block.
-    #[prost(bytes = "vec", tag = "13")]
-    pub next_proposer_address: ::prost::alloc::vec::Vec<u8>,
 }
 /// SignedHeader is a header with a signature and a signer.
 #[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]

docs/adr/adr-023-execution-owned-proposer-rotation.md

@@ -27,11 +27,11 @@ An empty `NextProposerAddress` from `ExecuteTxs` means the proposer is unchanged
 
 When execution returns a non-empty next proposer:
 
-- The producing node commits it to `Header.NextProposerAddress` before signing the header.
-- Syncing nodes require the signed header value to match the execution result.
 - `State.NextProposerAddress` is updated and used as the expected signer for `LastBlockHeight + 1`.
+- Full nodes validate the next block signer against the previous state's `NextProposerAddress`.
+- Header encoding remains unchanged. `Header.ProposerAddress` continues to identify the signer of the current block only.
 
-`Header.NextProposerAddress` lets header-only paths and DA envelope validation see proposer transitions without replaying execution first. The execution result remains the authority; mismatches between the signed header and execution are invalid.
+The execution result is the authority for proposer rotation. Header-only paths cannot derive proposer transitions without either replaying execution or using a future proof/certificate mechanism. This preserves header compatibility while keeping the rotation rule deterministic for full nodes.
 
 ## EVM System Contract Model
 
@@ -47,7 +47,7 @@ The security council or multisig becomes the authority for proposer updates. It
 
 The system contract must restrict writes to the configured authority. Unauthorized proposer updates are consensus-critical because they determine who can sign the next block.
 
-ev-node validates the execution output against the signed header. A malicious proposer cannot advertise one next proposer in the header while execution derives another.
+ev-node validates each block's signer against the proposer address stored in the previous state. A malicious proposer cannot rotate the next signer through node-local configuration; the rotation must be derived from execution.
 
 If the execution interface returns an empty proposer, ev-node treats the proposer as unchanged. At startup, empty execution info falls back to genesis so existing execution implementations remain usable.
 
@@ -60,13 +60,14 @@ Positive:
 - Proposer rotation becomes deterministic execution state.
 - EVM chains can use a system contract and multisig-controlled rotation.
 - Existing chains keep working when execution returns an empty proposer.
-- Header verification can follow rotations once the rotating block is known.
+- Existing header encoding remains compatible because no new header field is required.
 
 Negative:
 
 - The execution API changes and all execution adapters must return `ExecuteResult`.
 - Proposer updates become consensus-critical execution outputs.
 - ev-reth needs a separate system-contract design and implementation.
+- Header-only/light-client paths cannot follow proposer rotation without execution replay or a later proof design.
 
 ## Alternatives Considered
 
@@ -78,6 +79,6 @@ Node-local proposer configuration:
 
 - Rejected. Nodes could disagree about the active proposer unless every operator updates configuration at the same time.
 
-Execution-only proposer without header commitment:
+Header commitment for next proposer:
 
-- Rejected. Syncing nodes can replay execution, but header and DA envelope paths benefit from having the selected next proposer committed in the signed header when it changes.
+- Rejected for the first version. It would expose rotations to header-only paths, but it changes the signed header and hash encoding. Keeping rotation in execution/state avoids a header compatibility break.

proto/evnode/v1/evnode.proto

@@ -38,10 +38,7 @@ message Header {
   bytes validator_hash = 11;
   // Chain ID the block belongs to
   string chain_id = 12;
-  // Proposer address selected by this block's execution result for the next block.
-  bytes next_proposer_address = 13;
-
-  reserved 5, 7, 9;
+  reserved 5, 7, 9, 13;
 }
 
 // SignedHeader is a header with a signature and a signer.

types/header.go

@@ -1,7 +1,6 @@
 package types
 
 import (
-	"bytes"
 	"context"
 	"encoding"
 	"errors"
@@ -43,7 +42,8 @@ var (
 	// ErrNoProposerAddress is returned when the proposer address is not set.
 	ErrNoProposerAddress = errors.New("no proposer address")
 
-	// ErrProposerVerificationFailed is returned when the proposer verification fails.
+	// ErrProposerVerificationFailed is deprecated. Proposer authorization is
+	// enforced through State validation because proposer rotation is execution-owned.
 	ErrProposerVerificationFailed = errors.New("proposer verification failed")
 
 	// ErrInvalidTimestamp is returned when the timestamp is invalid.
@@ -82,11 +82,6 @@ type Header struct {
 	// pubkey can't be recovered by the signature (e.g. ed25519).
 	ProposerAddress []byte // original proposer of the block
 
-	// NextProposerAddress is selected by executing this block and becomes the
-	// proposer expected for the next block. Empty means the current proposer
-	// remains active.
-	NextProposerAddress []byte
-
 	// Legacy holds fields that were removed from the canonical header JSON/Go
 	// representation but may still be required for backwards compatible binary
 	// serialization (e.g. legacy signing payloads).
@@ -129,19 +124,9 @@ func (h *Header) Time() time.Time {
 
 // Verify verifies the header.
 func (h *Header) Verify(untrstH *Header) error {
-	expectedProposer := h.ProposerAddress
-	if len(h.NextProposerAddress) > 0 {
-		expectedProposer = h.NextProposerAddress
-	}
-	if !bytes.Equal(untrstH.ProposerAddress, expectedProposer) {
-		return &header.VerifyError{
-			Reason: fmt.Errorf("%w: expected proposer (%X) got (%X)",
-				ErrProposerVerificationFailed,
-				expectedProposer,
-				untrstH.ProposerAddress,
-			),
-		}
-	}
+	// Proposer rotation is execution/state-owned. The trusted header alone no
+	// longer contains enough information to authorize the signer of the next
+	// header, so full nodes enforce proposer validity through State validation.
 	return nil
 }
 
@@ -279,7 +264,6 @@ func (h Header) Clone() Header {
 	clone.AppHash = cloneBytes(h.AppHash)
 	clone.ValidatorHash = cloneBytes(h.ValidatorHash)
 	clone.ProposerAddress = cloneBytes(h.ProposerAddress)
-	clone.NextProposerAddress = cloneBytes(h.NextProposerAddress)
 	clone.Legacy = h.Legacy.Clone()
 	clone.cachedHash = nil