test(l1): bal-devnet-4 follow-up regression guards + doc polish

Follow-up to PR #6518 addressing the test-gap list documented in the
session-3 review. Covers every remaining item in TODO.md except the
upstream zkevm@v0.4.x fixture re-enable (tracked externally).

Tests (10 new):

- `test_cpsb_clamp_to_one_for_tiny_gas_limit`,
  `test_cpsb_30m_bin_boundary` — cpsb quantization boundaries. Guards
  against an off-by-one in the `if quantized > CPSB_OFFSET` branch and
  against bin boundary regressions in the 5M-30M range.

- `test_change_variants_rlp_roundtrip_index_above_u16_max` — RLP
  round-trip for all 4 BAL change variants at index 70_000, guarding
  against an accidental revert to the pre-devnet-4 `u16` type that
  would silently truncate high indices.

- `amsterdam_create_intrinsic_matches_vm_dimensions` — mempool
  admission for Amsterdam CREATE txs must match the VM's `(regular,
  state)` split (TX_BASE + REGULAR_GAS_CREATE +
  STATE_BYTES_PER_NEW_ACCOUNT * cpsb), not the legacy 53000.

- `test_intrinsic_parity_plain_transfer` /
  `test_intrinsic_parity_create_tx` /
  `test_intrinsic_parity_with_calldata_and_access_list` /
  `test_intrinsic_parity_eip7702_auth_list` — parity between the
  standalone `intrinsic_gas_dimensions` helper (used by mempool and
  payload builder) and `VM::get_intrinsic_gas` (used during execution).
  Run across Prague / Osaka / Amsterdam at 30M and 120M block gas
  limits.

- `test_call_to_empty_account_with_value_retains_parent_state_gas` —
  EIP-8037 CALL-to-empty-with-value charges new-account state gas in
  the caller's frame, retained across successful parent continuation.
  Pairs with the existing `test_child_charge_then_revert_returns_state_gas_to_parent`
  for the revert direction.

Code polish:

- Clarifying comment on the `frame_outstanding_delta` invariant in
  `credit_state_gas_refund` (`crates/vm/levm/src/vm.rs`). The
  subtraction is fragile — documenting why it must read
  `state_gas_spill_outstanding` and not `state_gas_spill`.

- `debug_assert!` guards on tx count vs `u32::MAX` at each block-exec
  entry (`execute_block`, `execute_block_pipeline`), keeping the
  EIP-7928 `BlockAccessIndex` invariant explicit rather than implicit
  in the ~10 downstream `u32::try_from(...).unwrap_or(u32::MAX)` sites.

Docs:

- `docs/roadmaps/forks-roadmap.md` — EIP-7976 / EIP-7981 flipped
  🔴→✅, EIP-8037 status line expanded (dynamic cpsb, clamp-and-spill,
  2D inclusion, same-tx SELFDESTRUCT refund), priority note updated
  for bal-devnet-4 + PR #6518.

All 478 tests pass. No behavior changes — these are regression guards
and documentation for the bal-devnet-4 work landed in PR #6518.

Author: edg-l

crates/vm/backends/levm/mod.rs

@@ -158,6 +158,15 @@ impl LEVM {
         let chain_config = db.store.get_chain_config()?;
         let is_amsterdam = chain_config.is_amsterdam_activated(block.header.timestamp);
 
+        // EIP-7928 BlockAccessIndex is uint32. Block validity forbids >= 2^32 txs
+        // long before we'd reach this point, but guard the invariant explicitly
+        // so any upstream bug that inflates tx counts panics in debug instead of
+        // silently producing a `u32::MAX` index.
+        debug_assert!(
+            block.body.transactions.len() < u32::MAX as usize,
+            "tx count overflows u32 BlockAccessIndex"
+        );
+
         // Enable BAL recording for Amsterdam+ forks
         if is_amsterdam {
             db.enable_bal_recording();
@@ -332,6 +341,12 @@ impl LEVM {
         let chain_config = db.store.get_chain_config()?;
         let is_amsterdam = chain_config.is_amsterdam_activated(block.header.timestamp);
 
+        // EIP-7928 BlockAccessIndex invariant — see `execute_block` for rationale.
+        debug_assert!(
+            block.body.transactions.len() < u32::MAX as usize,
+            "tx count overflows u32 BlockAccessIndex"
+        );
+
         let transactions_with_sender =
             block
                 .body

crates/vm/levm/src/vm.rs

@@ -704,6 +704,15 @@ impl<'a> VM<'a> {
         // so a grandparent revert's reservoir math sees only un-cancelled spill. The
         // second portion accumulates into `state_gas_credit_against_drain` and appears
         // in the revert formula as the subtraction term.
+        //
+        // Invariant (crucial for reservoir correctness):
+        //   `state_gas_spill_outstanding - snapshot` counts only spill increments that
+        //   happened INSIDE the current frame (or its subtree, propagated up on revert).
+        //   It excludes the parent's pre-child spills because those are baked into the
+        //   snapshot captured at child-frame entry. Therefore `applied_to_spill` never
+        //   double-cancels a spill that's already been accounted for at a grandparent
+        //   boundary. Changing this subtraction, or reading `state_gas_spill` instead,
+        //   breaks `sstore_restoration_create_init_revert`.
         let frame_outstanding_delta = self
             .state_gas_spill_outstanding
             .saturating_sub(self.current_call_frame.state_gas_spill_outstanding_snapshot);

docs/roadmaps/forks-roadmap.md

@@ -33,12 +33,12 @@
 | **2780** | Reduce Intrinsic Transaction Gas | 🔴 Not implemented (21000 → 4500) · [exec-specs tracking](https://github.com/ethereum/execution-specs/issues/1940) | 🔴 | 🔴 | CFI |
 | **7904** | General Repricing | 🔴 Not implemented · [exec-specs tracking](https://github.com/ethereum/execution-specs/issues/1879) | ⚠️ PR #9619 (Draft) | 🔴 | CFI |
 | **7954** | Increase Max Contract Size | 🔴 Not implemented (24KiB → 32KiB) · [exec-specs tracking](https://github.com/ethereum/execution-specs/issues/2028) | ⚠️ PR #8760 (Draft) | 🔴 | CFI |
-| **7976** | Increase Calldata Floor Cost | 🔴 Not implemented · [exec-specs tracking](https://github.com/ethereum/execution-specs/issues/1942) | 🔴 | 🔴 | CFI |
-| **7981** | Increase Access List Cost | 🔴 Not implemented · [exec-specs tracking](https://github.com/ethereum/execution-specs/issues/1943) | 🔴 | 🔴 | CFI |
-| **8037** | State Creation Gas Cost Increase | ✅ Implemented ([#6271] merged, PR [#6216] open) · [exec-specs tracking](https://github.com/ethereum/execution-specs/issues/2040) | ✅ bal@v5.4.0 | ⚠️ PR [#6216] | CFI |
+| **7976** | Increase Calldata Floor Cost | ✅ Implemented (PR #6518, bal@v5.7.0) · [exec-specs tracking](https://github.com/ethereum/execution-specs/issues/1942) | 🔴 | 🔴 | CFI |
+| **7981** | Increase Access List Cost | ✅ Implemented (PR #6518, bal@v5.7.0) · [exec-specs tracking](https://github.com/ethereum/execution-specs/issues/1943) | 🔴 | 🔴 | CFI |
+| **8037** | State Creation Gas Cost Increase | ✅ Implemented (dynamic cpsb, clamp-and-spill, 2D inclusion, same-tx SELFDESTRUCT refund — PR #6518 on bal@v5.7.0) · [exec-specs tracking](https://github.com/ethereum/execution-specs/issues/2040) | ✅ bal@v5.4.0 | ⚠️ PR [#6216] | CFI |
 | **8038** | State-Access Gas Cost Update | 🔴 Not implemented · [exec-specs tracking](https://github.com/ethereum/execution-specs/issues/1941) | 🔴 | 🔴 | CFI |
 
-> **Priority note:** All core devnet EIPs are merged. EIP-8037 fully implemented with reservoir model, nested revert fixes, and CREATE collision escrow. BAL optimizations shipped: parallel execution ([#6233]), batched reads + parallel state root ([#6227]). bal-devnet-3 tracking PR [#6216] open with bal@v5.4.0 fixtures, Amsterdam consume-engine hive tests in CI. **Up next:** merge PR [#6216], EIP-7954 ([#6214]). Remaining gas repricing EIPs are **low priority** — no other client has started them. Monitor CFI decisions at ACDE calls.
+> **Priority note:** All core devnet EIPs are merged. EIP-8037 fully implemented with reservoir model, clamp-and-spill refunds, 2D inclusion check, and same-tx SELFDESTRUCT refund. EIP-7976 + EIP-7981 shipped with bal-devnet-4 rollup. BAL optimizations shipped: parallel execution ([#6233]), batched reads + parallel state root ([#6227]), shadow-recorder missing-entry detection (PR #6518). bal-devnet-4 tracking PR #6518 open with bal@v5.7.0 fixtures, Amsterdam consume-engine hive 1342/1342 passing. **Up next:** merge PR #6518, EIP-7954 ([#6214]). Remaining gas repricing EIPs are **low priority** — no other client has started them. Monitor CFI decisions at ACDE calls.
 
 ### Other Amsterdam EIPs
 

test/tests/blockchain/mempool_tests.rs

@@ -97,6 +97,57 @@ fn create_transaction_intrinsic_gas() {
     assert_eq!(intrinsic_gas, expected_gas_cost);
 }
 
+/// EIP-8037 / bal-devnet-4: Amsterdam CREATE tx intrinsic must match the VM
+/// charge, not the legacy `TX_CREATE_GAS_COST = 53000`. The regular portion
+/// drops to `TX_GAS_COST + REGULAR_GAS_CREATE = 30000` and a state portion
+/// (`STATE_BYTES_PER_NEW_ACCOUNT * cpsb`) is folded in. Mempool admission
+/// must return the total so txs whose `gas_limit` is below the VM intrinsic
+/// are rejected before they enter the pool, and txs above it aren't
+/// spuriously rejected.
+#[test]
+fn amsterdam_create_intrinsic_matches_vm_dimensions() {
+    use ethrex_levm::gas_cost::{
+        REGULAR_GAS_CREATE, STATE_BYTES_PER_NEW_ACCOUNT, cost_per_state_byte,
+    };
+
+    let (mut config, header) = build_basic_config_and_header(true, true);
+    // Activate Amsterdam at genesis. Intermediate forks must also be active
+    // so `config.fork(timestamp)` returns Amsterdam, not an earlier variant.
+    config.cancun_time = Some(0);
+    config.prague_time = Some(0);
+    config.osaka_time = Some(0);
+    config.bpo1_time = Some(0);
+    config.bpo2_time = Some(0);
+    config.amsterdam_time = Some(0);
+
+    let tx = Transaction::EIP1559Transaction(EIP1559Transaction {
+        nonce: 0,
+        max_priority_fee_per_gas: 0,
+        max_fee_per_gas: 0,
+        gas_limit: 1_000_000,
+        to: TxKind::Create,
+        value: U256::zero(),
+        data: Bytes::default(),
+        access_list: Default::default(),
+        ..Default::default()
+    });
+
+    let cpsb = cost_per_state_byte(header.gas_limit);
+    let expected = TX_GAS_COST + REGULAR_GAS_CREATE + STATE_BYTES_PER_NEW_ACCOUNT * cpsb;
+
+    let intrinsic_gas = transaction_intrinsic_gas(&tx, &header, &config).expect("intrinsic gas");
+    assert_eq!(
+        intrinsic_gas, expected,
+        "Amsterdam CREATE intrinsic must be TX_BASE + REGULAR_GAS_CREATE + \
+         STATE_BYTES_PER_NEW_ACCOUNT * cpsb, not the legacy 53000"
+    );
+    // Guard against regression to the legacy 53000 constant.
+    assert_ne!(
+        intrinsic_gas, TX_CREATE_GAS_COST,
+        "Amsterdam CREATE must NOT use legacy TX_CREATE_GAS_COST"
+    );
+}
+
 #[test]
 fn transaction_intrinsic_data_gas_pre_istanbul() {
     let (config, header) = build_basic_config_and_header(false, false);

test/tests/levm/eip7928_tests.rs

@@ -456,6 +456,35 @@ fn test_code_change_rlp_roundtrip() {
     assert_eq!(change, decoded);
 }
 
+/// EIP-7928 widened `BlockAccessIndex` from `uint16` to `uint32`. Round-trip
+/// each change variant at an index above `u16::MAX` to guard against an
+/// accidental revert to the old narrower type (would silently truncate
+/// indices for blocks with > 65535 slots referenced).
+#[test]
+fn test_change_variants_rlp_roundtrip_index_above_u16_max() {
+    use ethrex_rlp::{decode::RLPDecode, encode::RLPEncode};
+    let idx: u32 = 70_000;
+    assert!(idx > u32::from(u16::MAX));
+
+    let storage = StorageChange::new(idx, U256::from(0xdead_beef_u64));
+    assert_eq!(
+        StorageChange::decode(&storage.encode_to_vec()).unwrap(),
+        storage
+    );
+
+    let balance = BalanceChange::new(idx, U256::from(1u64) << 128);
+    assert_eq!(
+        BalanceChange::decode(&balance.encode_to_vec()).unwrap(),
+        balance
+    );
+
+    let nonce = NonceChange::new(idx, u64::MAX);
+    assert_eq!(NonceChange::decode(&nonce.encode_to_vec()).unwrap(), nonce);
+
+    let code = CodeChange::new(idx, bytes::Bytes::from_static(&[0xde, 0xad]));
+    assert_eq!(CodeChange::decode(&code.encode_to_vec()).unwrap(), code);
+}
+
 // ==================== RLP Encoding Hex Validation Tests ====================
 // These tests verify specific RLP hex encodings for cross-implementation compatibility
 

test/tests/levm/eip8037_refund_tests.rs

@@ -148,6 +148,21 @@ fn call_bytecode(target: Address) -> Vec<u8> {
     b
 }
 
+/// CALL to `target` transferring `value` wei. No args, no return capture.
+/// When `target` doesn't exist in pre-state and `value > 0`, Amsterdam charges
+/// `state_gas_new_account` in the caller's frame.
+fn call_with_value_bytecode(target: Address, value: u8) -> Vec<u8> {
+    // retLen retOffset argsLen argsOffset value target GAS CALL POP
+    let mut b = vec![0x60, 0x00, 0x60, 0x00, 0x60, 0x00, 0x60, 0x00]; // 4x PUSH1 0
+    b.extend_from_slice(&[0x60, value]); // PUSH1 <value>
+    b.push(0x73); // PUSH20
+    b.extend_from_slice(target.as_bytes());
+    b.push(0x5a); // GAS
+    b.push(0xf1); // CALL
+    b.push(0x50); // POP
+    b
+}
+
 // ==================== Test runner ====================
 
 struct TestRunner {
@@ -553,6 +568,58 @@ fn test_ancestor_absorbed_refund_refills_reservoir() {
 ///   parent.state_gas_left += child.state_gas_used - child.state_gas_refund
 /// Tx succeeds at top level (parent returns from CALL with FAIL and STOPs). The
 /// parent must reclaim B's state-gas consumption so it's not burned.
+/// EIP-8037 CALL-to-empty-account with value transfer charges
+/// `state_gas_new_account` in the CALLER's frame (parent). When the parent
+/// continues and the transaction succeeds, that state gas is retained in net
+/// `state_gas_used`. The child frame has no code and returns success
+/// immediately, so no child revert is involved — this test guards the
+/// "parent charged, parent succeeds" path against regressions that would
+/// incorrectly refund new-account state gas on child return.
+#[test]
+fn test_call_to_empty_account_with_value_retains_parent_state_gas() {
+    use ethrex_levm::gas_cost::{STATE_BYTES_PER_NEW_ACCOUNT, cost_per_state_byte};
+
+    let addr_a = Address::from_low_u64_be(CONTRACT_A);
+    let empty_target = Address::from_low_u64_be(0xDEAD); // not in pre-state
+
+    // A: CALL(value=1, target=empty_addr) then STOP.
+    let mut code_a = call_with_value_bytecode(empty_target, 1);
+    code_a.extend(stop());
+
+    let report = TestRunner::new(addr_a)
+        .with_account(
+            Address::from_low_u64_be(SENDER),
+            eoa(U256::from(10u64).pow(18.into())),
+        )
+        // A must have balance to transfer.
+        .with_account(
+            addr_a,
+            Account::new(
+                U256::from(10u64).pow(18.into()),
+                Code::from_bytecode(Bytes::from(code_a), &NativeCrypto),
+                1,
+                FxHashMap::default(),
+            ),
+        )
+        .run();
+
+    assert!(
+        report.is_success(),
+        "top-level tx must succeed: {:?}",
+        report.result
+    );
+
+    let cpsb = cost_per_state_byte(GAS_LIMIT * 2);
+    let expected_state_gas = STATE_BYTES_PER_NEW_ACCOUNT * cpsb;
+
+    assert_eq!(
+        report.state_gas_used, expected_state_gas,
+        "parent frame must retain state_gas_new_account after CALL-to-empty + success \
+         (got {}, expected {})",
+        report.state_gas_used, expected_state_gas
+    );
+}
+
 #[test]
 fn test_child_charge_then_revert_returns_state_gas_to_parent() {
     use ethrex_levm::gas_cost::{STATE_BYTES_PER_STORAGE_SET, cost_per_state_byte};