feat(genesis-tool): verify Governance owner + isInitialized post-genesis (#104)

* feat(genesis-tool): verify Governance owner + isInitialized post-genesis

Generating a sealed genesis.json silently accepted a wrong `governanceOwner`
in the config — the field was passed to `Genesis.initialize` but never read
back from chain state. Because `Governance.renounceOwnership` is disabled, a
typo or zero address would lock the executor set for the chain's lifetime
with no recovery path.

Add two on-chain probes that run as part of `verify_result`:
- `Governance.owner()` must equal the config's `governanceOwner`
- `Governance.isInitialized()` must be `true`

Covered by unit tests that plant minimal stub bytecode in an InMemoryDB,
so the mismatch path is exercised without needing forge output or a full
GenesisConfig.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(genesis-tool): extend `verify` subcommand with Governance owner check

The post-generation self-check added in the previous commit caught a wrong
`governanceOwner` at generation time, but anyone running `genesis-tool verify`
against a sealed `genesis.json` later (CI release gate, third-party operator,
ceremony witness) had no way to detect the same problem on the saved artifact.

Add the same on-chain probes to `verify_genesis_file`:
- `Governance.isInitialized()` must be true
- `Governance.owner()` must be non-zero
- If `--config-file <path>` is provided, the owner must also equal the
  config's `governanceOwner`. The config is read loosely (as serde_json::Value)
  so verify stays decoupled from GenesisConfig's full schema and keeps working
  if new required fields are added later.

Governance errors are accumulated into the existing `VerifyResult.errors`
vector rather than short-circuiting; one verify invocation should surface
every problem, not just the first.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: ByteYue

genesis-tool/src/main.rs

@@ -72,6 +72,13 @@ enum Commands {
         /// Path to the genesis.json file to verify
         #[arg(short, long)]
         genesis_file: String,
+
+        /// Optional path to the genesis config used to produce the artifact.
+        /// When provided, `Governance.owner()` must equal the config's
+        /// `governanceOwner`. Without it we only check the on-chain owner is
+        /// non-zero and `isInitialized()` is true.
+        #[arg(short, long)]
+        config_file: Option<String>,
     },
 }
 
@@ -132,8 +139,8 @@ async fn main() -> Result<()> {
         Commands::Generate { byte_code_dir, config_file, output } => {
             run_generate(byte_code_dir, config_file, output).await
         }
-        Commands::Verify { genesis_file } => {
-            run_verify(genesis_file)
+        Commands::Verify { genesis_file, config_file } => {
+            run_verify(genesis_file, config_file.as_deref())
         }
     };
 
@@ -184,10 +191,10 @@ async fn run_generate(byte_code_dir: &str, config_file: &str, output: &str) -> R
     Ok(())
 }
 
-fn run_verify(genesis_file: &str) -> Result<()> {
+fn run_verify(genesis_file: &str, config_file: Option<&str>) -> Result<()> {
     info!("Starting Gravity Genesis Verify");
-    
-    let result = verify::verify_genesis_file(genesis_file)?;
+
+    let result = verify::verify_genesis_file(genesis_file, config_file)?;
     verify::print_verify_summary(&result);
 
     if result.success {

genesis-tool/src/post_genesis.rs

@@ -1,15 +1,24 @@
+use alloy_sol_macro::sol;
+use alloy_sol_types::SolCall;
 use revm::{DatabaseRef, InMemoryDB, db::BundleState};
-use revm_primitives::{ExecutionResult, SpecId, TxEnv, hex};
+use revm_primitives::{Address, ExecutionResult, SpecId, TxEnv, hex};
 use tracing::{error, info};
 
 use crate::{
     execute::{prepare_env, resolve_block_timestamp},
     genesis::{
         GenesisConfig, call_get_active_validators, print_active_validators_result,
     },
-    utils::execute_revm_sequential,
+    utils::{GOVERNANCE_ADDR, execute_revm_sequential, new_system_call_txn},
 };
 
+sol! {
+    interface IGovernance {
+        function owner() external view returns (address);
+        function isInitialized() external view returns (bool);
+    }
+}
+
 /// Generic template for handling execution results
 ///
 /// This function provides a common structure for all print_* functions,
@@ -97,16 +106,246 @@ fn verify_active_validators(db: impl DatabaseRef, bundle_state: BundleState, con
     )
 }
 
+/// Verify that `Governance.owner()` and `Governance.isInitialized()` reflect
+/// the values the config asked for. Without this, a typo or zero address in
+/// `governanceOwner` is silently baked into a sealed genesis artifact and
+/// only surfaces after launch — when `renounceOwnership` is already disabled
+/// and the executor set is unmanageable for the lifetime of the chain.
+fn verify_governance_owner(
+    db: impl DatabaseRef,
+    bundle_state: BundleState,
+    config: &GenesisConfig,
+) -> Result<(), String> {
+    let expected_owner: Address = config
+        .governance_owner
+        .parse()
+        .map_err(|e| format!("Invalid governanceOwner address in config {:?}: {}", config.governance_owner, e))?;
+    verify_governance_owner_at(
+        db,
+        bundle_state,
+        expected_owner,
+        config.chain_id,
+        resolve_block_timestamp(config),
+    )
+}
+
+/// Primitive-typed variant of `verify_governance_owner`. Exists so unit tests
+/// can drive the on-chain check without constructing a full `GenesisConfig`.
+fn verify_governance_owner_at(
+    db: impl DatabaseRef,
+    bundle_state: BundleState,
+    expected_owner: Address,
+    chain_id: u64,
+    block_timestamp_secs: u64,
+) -> Result<(), String> {
+    let owner_txn = new_system_call_txn(
+        GOVERNANCE_ADDR,
+        IGovernance::ownerCall {}.abi_encode().into(),
+    );
+
+    execute_verification(
+        db,
+        bundle_state,
+        owner_txn,
+        "governance owner",
+        chain_id,
+        block_timestamp_secs,
+        |result| {
+            handle_execution_result(result, "Governance.owner()", |output_bytes| {
+                let decoded = IGovernance::ownerCall::abi_decode_returns(output_bytes, false)
+                    .map_err(|e| format!("Failed to decode Governance.owner(): {:?}", e))?;
+                let actual_owner = decoded._0;
+                if actual_owner != expected_owner {
+                    let msg = format!(
+                        "Governance owner mismatch: config governanceOwner={:?}, on-chain owner()={:?}",
+                        expected_owner, actual_owner
+                    );
+                    error!("❌ {}", msg);
+                    return Err(msg);
+                }
+                info!("✅ Governance.owner() = {:?} matches config", actual_owner);
+                Ok(())
+            })
+        },
+    )
+}
+
+/// Verify `Governance.isInitialized() == true` so a missing/skipped Genesis
+/// initialize call cannot ship as a "valid" artifact.
+fn verify_governance_initialized(
+    db: impl DatabaseRef,
+    bundle_state: BundleState,
+    config: &GenesisConfig,
+) -> Result<(), String> {
+    verify_governance_initialized_at(
+        db,
+        bundle_state,
+        config.chain_id,
+        resolve_block_timestamp(config),
+    )
+}
+
+fn verify_governance_initialized_at(
+    db: impl DatabaseRef,
+    bundle_state: BundleState,
+    chain_id: u64,
+    block_timestamp_secs: u64,
+) -> Result<(), String> {
+    let txn = new_system_call_txn(
+        GOVERNANCE_ADDR,
+        IGovernance::isInitializedCall {}.abi_encode().into(),
+    );
+
+    execute_verification(
+        db,
+        bundle_state,
+        txn,
+        "governance isInitialized",
+        chain_id,
+        block_timestamp_secs,
+        |result| {
+            handle_execution_result(result, "Governance.isInitialized()", |output_bytes| {
+                let decoded = IGovernance::isInitializedCall::abi_decode_returns(output_bytes, false)
+                    .map_err(|e| format!("Failed to decode Governance.isInitialized(): {:?}", e))?;
+                if !decoded._0 {
+                    let msg = "Governance.isInitialized() returned false — Genesis.initialize did not run".to_string();
+                    error!("❌ {}", msg);
+                    return Err(msg);
+                }
+                info!("✅ Governance.isInitialized() = true");
+                Ok(())
+            })
+        },
+    )
+}
+
 pub fn verify_result(
     db: InMemoryDB,
     bundle_state: BundleState,
     config: &GenesisConfig,
 ) -> Result<(), String> {
     verify_active_validators(db.clone(), bundle_state.clone(), config)?;
+    verify_governance_initialized(db.clone(), bundle_state.clone(), config)?;
+    verify_governance_owner(db.clone(), bundle_state.clone(), config)?;
     // Add more verification steps as needed:
     // - verify_jwks()
     // - verify_epoch_config()
     // - verify_randomness_config()
     // etc.
     Ok(())
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use revm_primitives::{AccountInfo, Bytecode, Bytes, U256};
+
+    // The verifier hits Governance via the SYSTEM_CALLER account. revm needs
+    // that caller to exist (with enough nonce headroom) before it will run
+    // the call; otherwise the txn aborts before our stub bytecode executes
+    // and we'd be testing the wrong thing.
+    fn plant_system_caller(db: &mut InMemoryDB) {
+        let info = AccountInfo {
+            balance: U256::from(1_000_000_000_000_000_000_u128),
+            nonce: 1,
+            code_hash: revm_primitives::KECCAK_EMPTY,
+            code: None,
+        };
+        db.insert_account_info(crate::utils::SYSTEM_CALLER, info);
+    }
+
+    /// Plant raw EVM bytecode at `addr`. The bytecode ignores calldata, so the
+    /// same stub works for any function selector — sufficient for tests that
+    /// only call one method per planted contract.
+    fn plant_code(db: &mut InMemoryDB, addr: Address, code: Vec<u8>) {
+        let bytecode = Bytecode::new_raw(Bytes::from(code));
+        let info = AccountInfo {
+            balance: U256::ZERO,
+            nonce: 1,
+            code_hash: bytecode.hash_slow(),
+            code: Some(bytecode),
+        };
+        db.insert_account_info(addr, info);
+    }
+
+    /// Stub bytecode that always ABI-returns `addr` as a 32-byte word.
+    /// PUSH20 addr; PUSH1 0; MSTORE; PUSH1 32; PUSH1 0; RETURN
+    fn stub_returning_address(addr: Address) -> Vec<u8> {
+        let mut code = Vec::with_capacity(29);
+        code.push(0x73);
+        code.extend_from_slice(addr.as_slice());
+        code.extend_from_slice(&[0x60, 0x00, 0x52, 0x60, 0x20, 0x60, 0x00, 0xf3]);
+        code
+    }
+
+    /// Stub bytecode that always ABI-returns a single uint256 word `value`.
+    fn stub_returning_uint(value: u8) -> Vec<u8> {
+        vec![0x60, value, 0x60, 0x00, 0x52, 0x60, 0x20, 0x60, 0x00, 0xf3]
+    }
+
+    #[test]
+    fn governance_owner_matches_passes() {
+        let owner: Address = "0x000000000000000000000000000000000000dEaD"
+            .parse()
+            .unwrap();
+        let mut db = InMemoryDB::default();
+        plant_system_caller(&mut db);
+        plant_code(&mut db, GOVERNANCE_ADDR, stub_returning_address(owner));
+
+        let result = verify_governance_owner_at(db, BundleState::default(), owner, 1337, 1_700_000_000);
+        assert!(result.is_ok(), "expected Ok, got {:?}", result);
+    }
+
+    #[test]
+    fn governance_owner_mismatch_fails() {
+        let on_chain: Address = "0x000000000000000000000000000000000000dEaD"
+            .parse()
+            .unwrap();
+        let expected: Address = "0x000000000000000000000000000000000000bEEf"
+            .parse()
+            .unwrap();
+        let mut db = InMemoryDB::default();
+        plant_system_caller(&mut db);
+        plant_code(&mut db, GOVERNANCE_ADDR, stub_returning_address(on_chain));
+
+        let result =
+            verify_governance_owner_at(db, BundleState::default(), expected, 1337, 1_700_000_000);
+        let err = result.expect_err("expected Err on owner mismatch");
+        assert!(
+            err.to_lowercase().contains("mismatch"),
+            "error should mention mismatch, got: {}",
+            err
+        );
+        // The error must surface BOTH addresses so a CI log makes the gap
+        // diagnosable without re-running the tool.
+        assert!(err.contains("dead"), "error should include on-chain owner, got: {}", err);
+        assert!(err.contains("beef"), "error should include expected owner, got: {}", err);
+    }
+
+    #[test]
+    fn governance_initialized_true_passes() {
+        let mut db = InMemoryDB::default();
+        plant_system_caller(&mut db);
+        plant_code(&mut db, GOVERNANCE_ADDR, stub_returning_uint(1));
+
+        let result =
+            verify_governance_initialized_at(db, BundleState::default(), 1337, 1_700_000_000);
+        assert!(result.is_ok(), "expected Ok, got {:?}", result);
+    }
+
+    #[test]
+    fn governance_initialized_false_fails() {
+        let mut db = InMemoryDB::default();
+        plant_system_caller(&mut db);
+        plant_code(&mut db, GOVERNANCE_ADDR, stub_returning_uint(0));
+
+        let result =
+            verify_governance_initialized_at(db, BundleState::default(), 1337, 1_700_000_000);
+        let err = result.expect_err("expected Err when isInitialized=false");
+        assert!(
+            err.contains("initialize did not run") || err.contains("returned false"),
+            "error should explain the missing initialize, got: {}",
+            err
+        );
+    }
+}