apollo_consensus_orchestrator: add SNIP-35 fee_proposal validation

Author: sirandreww-starkware

crates/apollo_consensus_orchestrator/src/sequencer_consensus_context.rs

@@ -784,6 +784,7 @@ impl ConsensusContext for SequencerConsensusContext {
                         .map(GasPrice)
                         .unwrap_or(self.l2_gas_price),
                     starknet_version: StarknetVersion::LATEST,
+                    fee_actual: self.compute_fee_actual(),
                 };
                 self.validate_current_round_proposal(
                     init,
@@ -1079,6 +1080,7 @@ impl ConsensusContext for SequencerConsensusContext {
                 .map(GasPrice)
                 .unwrap_or(self.l2_gas_price),
             starknet_version: StarknetVersion::LATEST,
+            fee_actual: self.compute_fee_actual(),
         };
         self.validate_current_round_proposal(
             init,

crates/apollo_consensus_orchestrator/src/test_utils.rs

@@ -430,11 +430,12 @@ pub(crate) fn proposal_init(height: BlockNumber, round: u32) -> ProposalInit {
         l1_data_gas_price_wei,
         starknet_version: starknet_api::block::StarknetVersion::LATEST,
         version_constant_commitment: Default::default(),
-        // Match the proposer's default-fallback fee_proposal: empty sliding window →
-        // `compute_fee_actual` returns `None` → `compute_snip35_fee_proposal` falls back to
-        // `self.l2_gas_price` (= `min_gas_price` = 8 gwei). Validator-side tests reuse this
-        // helper to fabricate an init that matches what the proposer emits, so proposer and
-        // validator agree on the proposal commitment hash.
+        // SNIP-35: required because LATEST >= V0_14_3. Match the proposer's default-fallback
+        // fee_proposal: empty sliding window → `compute_fee_actual` returns `None` →
+        // `compute_snip35_fee_proposal` falls back to `self.l2_gas_price`
+        // (= `min_gas_price` = 8 gwei). Validator-side tests reuse this helper to fabricate
+        // an init that matches what the proposer emits, so proposer and validator agree on
+        // the proposal commitment hash.
         fee_proposal_fri: Some(GasPrice(8_000_000_000)),
     }
 }

crates/apollo_consensus_orchestrator/src/validate_proposal.rs

@@ -42,7 +42,7 @@ use crate::metrics::{
     CONSENSUS_PROPOSAL_FIN_MISMATCH,
 };
 use crate::sequencer_consensus_context::{BuiltProposals, SequencerConsensusContextDeps};
-use crate::snip35::proposal_commitment_from;
+use crate::snip35::{fee_proposal_bounds, proposal_commitment_from, FEE_PROPOSAL_MARGIN_PPT};
 use crate::utils::{
     convert_to_sn_api_block_info,
     get_l1_prices_in_fri_and_wei,
@@ -78,6 +78,9 @@ pub(crate) struct ProposalInitValidation {
     pub l1_da_mode: L1DataAvailabilityMode,
     pub l2_gas_price_fri: GasPrice,
     pub starknet_version: StarknetVersion,
+    /// SNIP-35: fee_actual from the sliding window. `None` during initiation, before the window
+    /// has accumulated `FEE_PROPOSAL_WINDOW_SIZE` entries.
+    pub fee_actual: Option<GasPrice>,
 }
 
 /// Parameters for deadline and cancellation handling during proposal finalization.
@@ -333,6 +336,52 @@ async fn is_proposal_init_valid(
             ),
         ));
     }
+
+    // SNIP-35: fee_proposal is required iff Starknet version >= V0_14_3.
+    let snip35_active = init_proposed.starknet_version >= StarknetVersion::V0_14_3;
+    match (init_proposed.fee_proposal_fri, snip35_active) {
+        (Some(_), false) => {
+            return Err(ValidateProposalError::InvalidProposalInit(
+                init_proposed.clone(),
+                proposal_init_validation.clone(),
+                format!(
+                    "fee_proposal must be absent before V0_14_3, got Some at version {}",
+                    init_proposed.starknet_version
+                ),
+            ));
+        }
+        (None, true) => {
+            return Err(ValidateProposalError::InvalidProposalInit(
+                init_proposed.clone(),
+                proposal_init_validation.clone(),
+                format!(
+                    "fee_proposal is required at V0_14_3+, got None at version {}",
+                    init_proposed.starknet_version
+                ),
+            ));
+        }
+        _ => {}
+    }
+
+    // SNIP-35: validate fee_proposal is within the configured margin of fee_actual.
+    // During initiation (fee_actual is None, <window_size blocks), bounds are not enforced.
+    if let (Some(fee_actual), Some(fee_proposal)) =
+        (proposal_init_validation.fee_actual, init_proposed.fee_proposal_fri)
+    {
+        let (lower_bound, upper_bound) = fee_proposal_bounds(fee_actual, FEE_PROPOSAL_MARGIN_PPT);
+        if fee_proposal.0 < lower_bound || fee_proposal.0 > upper_bound {
+            return Err(ValidateProposalError::InvalidProposalInit(
+                init_proposed.clone(),
+                proposal_init_validation.clone(),
+                format!(
+                    "Fee proposal out of SNIP-35 bounds: fee_actual={}, fee_proposal={}, allowed \
+                     range=[{lower_bound}, {upper_bound}]",
+                    fee_actual.0, fee_proposal.0
+                ),
+            ));
+        }
+    }
+
     Ok(())
 }
 

crates/apollo_consensus_orchestrator/src/validate_proposal_test.rs

@@ -103,6 +103,7 @@ fn create_proposal_validate_arguments()
         l1_da_mode: L1DataAvailabilityMode::Blob,
         l2_gas_price_fri: VersionedConstants::latest_constants().min_gas_price,
         starknet_version: StarknetVersion::LATEST,
+        fee_actual: None,
     };
     let proposal_id = ProposalId(1);
     let timeout = TIMEOUT;