fix: replace PARTIAL_SUCCESS with SUCCESS/FAILED/ERROR execution status and harden auth

[chrisli30]

• docs: add wallet salt index migration runbook with verified Base apply
• docs: move wallet salt index runbook to avs-infra repo
• fix: refuse zero-address subject in API key auth flow
• refactor: replace PARTIAL_SUCCESS with clear SUCCESS/FAILED/ERROR execution status (refactor: replace PARTIAL_SUCCESS with clear SUCCESS/FAILED/ERROR execution status #521)

[claude]

Code Review

This PR bundles two independent fixes — a security hardening in the auth flow and a semantic cleanup of execution statuses. Both are well-reasoned. Some observations below.

---

aggregator/auth.go — zero-address defense

The three-layer guard (GetSignatureFormat → GetKey → verifyAuth) is the right defense-in-depth approach. A few notes:

Minor: redundant conversion in GetSignatureFormat

// auth.go:332 area
if common.HexToAddress(walletAddress) == (common.Address{}) {

walletAddress was already validated by common.IsHexAddress just above and is never used again in this function. Consider saving to a named variable (matching the style of GetKey's ownerAddress) so the intent is clearer, though this is cosmetic.

Tests are solid — TestVerifyAuth_RejectsZeroAddressSubject correctly simulates the real bypass path by minting a JWT with authkey metadata, which matches how the actual auth path works. Good coverage of all three injection points.

---

core/taskengine/vm.go — PARTIAL_SUCCESS removal

The conceptual change is correct: branch skips are expected behavior, not warnings. Collapsing "some failed" and "all failed" into a single FAILED status is cleaner. A few things worth flagging:

1. ExecutionError is dead code in the result analysis path

AnalyzeExecutionResult never returns ExecutionError — the constant is defined in the iota but only appears in convertToExecutionStatus. The actual ERROR status is set directly on execution.Status in executor.go:668 and engine.go:3096, bypassing convertToExecutionStatus entirely:

// executor.go:668
execution.Status = avsproto.ExecutionStatus_EXECUTION_STATUS_ERROR

So case ExecutionError in convertToExecutionStatus (vm.go:3330) is unreachable. This isn't a runtime bug, but it creates a misleading API — a caller reading AnalyzeExecutionResult's return type would expect to handle ExecutionError but never actually receives it. Options:

• Remove ExecutionError from the ExecutionResultStatus iota and document that ERROR is set only on the proto status directly, OR
• Have AnalyzeExecutionResult return ExecutionError when len(v.ExecutionLogs) == 0 (currently returns ExecutionFailed), reserving that path for the system-level case

2. Silently ignored failed steps with empty error messages

// vm.go:3241
if !step.Success && step.Error != "" {
    failedStepNames = append(failedStepNames, getStepDisplayName(step))
}

A step with success=false and step.Error == "" is neither counted as failed nor as successful — it's invisible to AnalyzeExecutionResult. If any node can produce success=false with an empty error string (e.g., a soft failure with no message), the overall status will be SUCCESS even though a step didn't succeed. Worth verifying this can't happen, or changing the condition to !step.Success only.

3. switch resultStatus blocks have no ExecutionError case

In engine.go (~line 3073) and executor.go (~line 652), the switch only handles ExecutionSuccess and ExecutionFailed. If ExecutionError were ever returned by AnalyzeExecutionResult in the future, it would silently fall through without logging. A default case with a warning log would make this more robust.

---

core/taskengine/vm_runner_rest.go — email notification

The switch resultStatus blocks at lines ~923 and ~941 have no default or ExecutionError case. Since resultStatus in this function is set only from the local failed bool (only ever ExecutionSuccess or ExecutionFailed), ExecutionError is unreachable here. No bug, but a default guard would make that explicit.

---

pkg/erc4337/preset/builder_execution_success_test.go

The withdrawalAmount.Sign() > 0 guard is reasonable for a flaky integration test, but the else branch only logs — it doesn't call t.Skip(). This means the test passes silently if the precondition isn't met, giving false confidence in CI. Consider:

} else {
    t.Skip("balance already below reserve; skipping withdrawal test")
}

---

Proto changes

Reserving value 4 with both reserved 4; and reserved "EXECUTION_STATUS_PARTIAL_SUCCESS"; is correct practice. The generated avs.pb.go correctly reflects this. The migration doc (docs/changes/0001-execution-status-redesign.md) is clear and well-structured — the table format is a nice touch.

---

Summary

Area	Verdict
Zero-address auth fix	✅ Correct and well-tested
ExecutionError dead code in result path	⚠️ Confusing, low risk
Silent ignore of success=false + empty error	⚠️ Latent bug risk, worth verifying
Branch-skip → SUCCESS semantic change	✅ Correct, breaking change documented
Proto reservation of value 4	✅ Correct
Integration test else branch	🔹 Minor: use t.Skip instead of just logging

The core logic is sound. The two items worth a follow-up before merging to main are the ExecutionError dead-code confusion and the step-failure filter condition.

[Copilot]

Pull request overview

Updates execution outcome semantics across the AVS proto + taskengine to remove ambiguous “partial success”, and hardens the aggregator auth flow against zero-address subjects.

Changes:

• Redesign execution status to SUCCESS / FAILED / ERROR, reserving the old PARTIAL_SUCCESS wire value.
• Refactor taskengine execution analysis + tests to treat branch/conditional skips as SUCCESS and step failures as FAILED.
• Add defense-in-depth validation to reject the zero address throughout the API key auth flow, plus tests.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
protobuf/avs.proto	Replaces PARTIAL_SUCCESS with reserved value + adds ERROR.
protobuf/avs.pb.go	Regenerated Go bindings reflecting the new enum semantics.
core/taskengine/vm.go	Refactors execution result analysis and status conversion.
core/taskengine/executor.go	Uses new AnalyzeExecutionResult signature; attempts to set ERROR on VM-level failure.
core/taskengine/engine.go	Same as executor.go for SimulateTask.
core/taskengine/vm_runner_rest.go	Updates UI/email status text + icons to remove partial success.
core/taskengine/vm_scheduler_fix_test.go	Updates branch-workflow expectations to SUCCESS with empty error.
core/taskengine/executor_test.go	Updates branch-workflow expectations to SUCCESS with empty error.
core/taskengine/partial_success_test.go	Renames/updates tests to FAILED semantics and new return signature.
docs/changes/0001-execution-status-redesign.md	Adds migration notes and rationale for the status redesign.
aggregator/auth.go	Rejects zero-address wallet/subject in GetSignatureFormat, GetKey, and verifyAuth.
aggregator/auth_test.go	Adds tests asserting zero-address rejection at all three auth steps.
pkg/erc4337/preset/builder_execution_success_test.go	Makes withdrawal conditional when balance is already below reserve.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

When vm.Run() returns a non-nil runTaskErr (system-level failure), the execution should be marked as EXECUTION_STATUS_ERROR regardless of whether AnalyzeExecutionResult already populated execution.Error. As written, the ERROR status is only set when execution.Error == "", so VM crashes/compilation errors that also produce an AnalyzeExecutionResult message (e.g., "no execution steps found") will incorrectly remain FAILED and may never surface as ERROR.

Suggested change

	execution.Status = avsproto.ExecutionStatus_EXECUTION_STATUS_ERROR
	}
	}
	execution.Status = avsproto.ExecutionStatus_EXECUTION_STATUS_ERROR

[Copilot]

The system-level runErr path should set the execution status to EXECUTION_STATUS_ERROR even if execution.Error is already populated by AnalyzeExecutionResult. With the current guard (only setting ERROR when execution.Error == ""), VM-level failures can be misreported as FAILED (e.g., "no execution steps found"), which conflicts with the new SUCCESS/FAILED/ERROR semantics.

[Copilot]

This test can now become a no-op success: if primary balance is already below the reserve, it logs and skips the withdrawal entirely, but still passes without exercising the reimbursement-skip behavior described by the test name. Consider using t.Skip in the withdrawalAmount <= 0 branch (or explicitly funding the wallet / adjusting the reserve) so CI doesn’t report a false positive when the precondition isn’t met.

[Copilot]

The markdown table under “Decision” uses a double leading pipe (|| ...) on the header and rows, which renders as an extra empty first column in many markdown renderers. Use a standard table format with a single leading pipe (| Scenario | ... |) so the table displays correctly in GitHub.