chore: merge upstream main 2026-06-25#272
Conversation
…1397) ## Summary Implements the rate-limit knobs from the [iRaaS Downside Protection doc](https://app.notion.com/p/matterlabs/iRaas-Downside-Protection-366a48363f23806a9c9bcdee3b212db2). The doc's tiered shape (global cap, M-bucket shared across listed methods, per-method overrides) maps directly onto a typed enum on `RpcConfig`: ```rust pub enum RateLimits { None, Tiered { global_rps, m_rps, m_methods, custom_methods }, } ``` Operators set every value via YAML or env vars; default `None` is a no-op deploy. - Bin uses smart-config's tagged enum (`#[config(tag = "type")]`), so env vars flatten: ``` RPC_RATE_LIMITS_TYPE=Tiered RPC_RATE_LIMITS_GLOBAL_RPS=1000 RPC_RATE_LIMITS_M_RPS=200 RPC_RATE_LIMITS_M_METHODS=eth_call,eth_estimateGas,... RPC_RATE_LIMITS_CUSTOM_METHODS=eth_getLogs=200,eth_simulateV1=1,... ``` - Internal: middleware switches from `Arc<HashMap<String, RateLimiter>>` to a typed `Limiter` built from a `Limits` spec. `RateLimits::into_limits` resolves the enum. - Drops `RpcRateLimit`, `build_limiters`, and the `rate_limits_within_global` validator. --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…#1396) ## Summary Add `method_filter: HashSet<String>` on `RpcConfig`. Listed methods get -32601 \"Method disabled\" + `warn` log before any rate-limit check. New `MethodFiltering` middleware sits between `Monitoring` and `RateLimiting`. - Default empty → deploy is a no-op. - YAML lists or comma-separated env vars (`RPC_METHOD_FILTER=eth_newFilter,…`). - Typical use case: filter the stateful filter family (`eth_newFilter`, `eth_getFilterChanges`, …) when running behind a load balancer without sticky sessions. --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Summary - Remove the `consensus_node` integration test module and its restarted-node catchup tests. - Remove the now-unused multi-node consensus test harness and private fixed-port launcher helper. - Unlink the consensus test module from the integration test suite. Validation: `cargo check -p zksync_os_integration_tests --tests`
…startup (matter-labs#1405) An external node started before its main node panics in `load_remote_config`, which k8s turns into `CrashLoopBackOff` — so it picks the main node up minutes late instead of seconds. Now all main-node RPC goes through one `MainNodeClient` that retries while the main node is unreachable. Errors the main node **answers** with (e.g. an old node missing a method) aren't retried, so the bytecode-supplier fallback still works. The EN waits for its main node instead of crashing. Also: collapse 3 ad-hoc RPC client builds into one; drop a priority-tree check already enforced by config validation. No tests — it's trivial retry/classification logic. 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
## Summary After the migrationNumber was advanced on L1 past the node's cursor, the binary search done by the l1_watcher started failing because `migrationNumber` function did not exist pre-v31 in ChainAssetHandler. This PR properly handles the scenario where the method is missing. <!-- If your change is *breaking* (semver-major), please UNCOMMENT and fill out the sections below. These are required for PRs whose title is marked as breaking via conventional commits (e.g. `feat!: ...`, `fix!: ...`). Make sure that the contents are _actually_ helpful for people who can be self-hosting our software. --> <!-- ## Breaking Changes - Who is affected? (e.g. protocol in general, EN users, main node) - What exactly is breaking? (changed DB schema or wiring protocol, added configs) - Are there migration steps required for consumers? - Links to any related docs / migration guides. ## Rollout Instructions - Order of operations (deploy backend, then clients, etc). - Monitoring / alerting to watch during rollout. - Rollback plan (what to revert, how to mitigate if things go wrong). -->
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9a60069b40
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| /// Rate limits for incoming JSON-RPC requests. | ||
| #[config(nest)] | ||
| pub rate_limits: RpcRateLimitsConfig, |
There was a problem hiding this comment.
When DEBUG_RPC_RATE_LIMITS or PUBLIC_RPC_RATE_LIMITS is set, scripts/explorer/blockscout/deploy-zksys-en-rpc.sh still emits the old shape rpc.rate_limits: {method: rps} (see lines 489-494), but this change makes rpc.rate_limits a tagged nested enum that requires type: Tiered with global_rps / m_rps / custom_methods. Those generated configs will no longer deserialize into the intended limits, so the explorer RPC deployment either fails startup or loses the configured protection whenever rate limits are used.
Useful? React with 👍 / 👎.
| let inner = self.inner.clone(); | ||
| async move { inner.notification(n).await } |
There was a problem hiding this comment.
For filtered methods sent as JSON-RPC notifications (no id), this path forwards directly to the inner service without checking self.filter, so a disabled stateful method such as eth_newFilter can still execute if the client omits the request id. Since notifications cannot return the -32601 error, the middleware should mirror the rate-limit notification handling and drop matching notifications before calling inner.notification.
Useful? React with 👍 / 👎.
Co-authored-by: Cursor <cursoragent@cursor.com>
|
@codex review Addressed the two prior P2 findings: explorer zksys EN RPC config now emits upstream's tagged Tiered rate-limit shape while preserving legacy method=rps semantics, and method_filter now drops filtered JSON-RPC notifications instead of forwarding them. |
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: cce327b273
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| for method, rps in instance["rate_limits"].items(): | ||
| rate_lines.append(f" {q(method)}: {rps}") | ||
| rate_lines.append(f" {q(method)}: {rps}") |
There was a problem hiding this comment.
* global rate limits
When PUBLIC_RPC_RATE_LIMITS or DEBUG_RPC_RATE_LIMITS contains a legacy global entry such as *=500, this loop now writes "*" under custom_methods while global_rps remains the unlimited sentinel. RateLimits::into_limits() only treats global_rps as the global bucket, so the generated per-method bucket named * never matches any JSON-RPC method and the public EN silently loses the intended global cap.
Useful? React with 👍 / 👎.
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
|
@codex review Addressed the additional rate-limit finding: |
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
|
Codex Review: Didn't find any major issues. Can't wait for the next one! Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
|
@codex review Latest head includes only scoped clippy/test cleanup after your no-major-issues review: completed test mock trait method, moved test module to the file bottom, and applied mechanical clippy fixes. Prior rate-limit and notification findings remain addressed. |
|
Codex Review: Didn't find any major issues. Delightful! Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
|
@codex review Addressed Codex Security finding f7086e17c7548191b7af8d25010f655e: now enforces for direct notifications and for notification entries inside JSON-RPC batches by decomposing batches through the same filtered call/notification paths. Remote fmt and patched clippy pass on the latest head. |
4 participants
Summary
matter-labs/maininto Syscoinmainthroughupstream/main.RateLimitsand method filtering.Test plan
cargo fmt --all -- --checkon remote server with pinned Rust toolchain.zksync-osbuild path on remote server viascripts/gateway-launch/run-os-server-with-patched-zksync-os.sh merge-check-20260625 -- build.scripts/gateway-launch/run-os-server-with-patched-zksync-os.sh merge-check-20260625-clippy -- clippy --all-targets --all-features --workspace --exclude zksync_os_integration_tests -- -D warnings.scripts/gateway-launch/run-os-server-with-patched-zksync-os.sh merge-check-20260625-test -- nextest run --workspace --exclude zksync_os_integration_tests.cargo fmt --all -- --checkand patched clippy after RPC batch method-filter hardening.