feat: gate skip-app-hash-validation behind //go:build shadow via ConsensusPolicy

[bdchatham]

Why

Shadow nodes need to bypass header / state hash checks to validate alternate execution engines (e.g., Giga V2) against canonical-chain blocks. The previous shape exposed --skip-app-hash-validation as a runtime CLI flag on every seid binary, which made the production validator one config edit away from accepting bad blocks.

Approach

The build tag is the toggle — there is no runtime knob.

// types/consensus_policy_default.go (//go:build !shadow)
type ConsensusPolicy struct{}
func (ConsensusPolicy) SkipAppHashValidation() bool { return false }

// types/consensus_policy_shadow.go (//go:build shadow)
type ConsensusPolicy struct{}
func (ConsensusPolicy) SkipAppHashValidation() bool { return true }

ConsensusPolicy is an empty struct in both builds; the method returns a different constant per build and the compiler folds it. Bypass branches DCE in production. There is no Go API in either build to construct a policy with the opposite behavior.

Block.ValidateBasic is split: shape-only checks stay there for deserializers, hash-integrity checks move to Block.ValidateHashes(policy). validateBlock(state, block, policy) plumbs the policy to BlockExecutor, threaded from node.New down. Production start.go passes DefaultConsensusPolicy() unconditionally — no cobra, no AppOptions, no viper.

This eliminates two failure modes the runtime-flag shape allowed: (1) production binary accepting bad blocks via flag flip, (2) shadow binary silently behaving like production when the operator forgets to pass the flag.

Coverage

All 6 hash gates from the original implementation (commits 9fa70d2ff, 4ce5ed348, d9b7f9283) are preserved: AppHash, LastCommitHash, DataHash, EvidenceHash, ValidatorsHash, NextValidatorsHash. SkipLastResultsHashValidation is left as-is — that's a first-class production feature gated on gigaExecutorConfig.Enabled, different security model.

.github/workflows/ecr.yml publishes sei-chain:shadow-<sha> alongside the existing prod and mock_balances images.

Verification

• strings seid-default | grep skip-app-hash → 0 hits (no flag, no string in either binary)
• go build ./... and go build -tags shadow ./... both clean

[github-actions]

The latest Buf updates on your PR. Results from workflow Buf / buf (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	✅ passed	✅ passed	✅ passed	May 6, 2026, 11:17 PM

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.04%. Comparing base (0c26364) to head (721d5ff).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3401      +/-   ##
==========================================
- Coverage   59.04%   59.04%   -0.01%     
==========================================
  Files        2105     2105              
  Lines      173297   173269      -28     
==========================================
- Hits       102327   102300      -27     
+ Misses      62091    62090       -1     
  Partials     8879     8879              

Flag	Coverage Δ
sei-db	70.41% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
sei-cosmos/server/start.go	23.48% <ø> (ø)
sei-tendermint/internal/consensus/replay.go	68.16% <ø> (-0.97%)	⬇️
sei-tendermint/internal/state/execution.go	80.14% <ø> (-0.44%)	⬇️
sei-tendermint/internal/state/validation.go	100.00% <ø> (ø)
sei-tendermint/node/node.go	64.64% <ø> (-0.37%)	⬇️
sei-tendermint/node/public.go	63.15% <ø> (ø)
sei-tendermint/rpc/test/helpers.go	75.40% <ø> (ø)
sei-tendermint/test/e2e/node/main.go	0.00% <ø> (ø)
sei-tendermint/types/block.go	86.12% <ø> (-0.07%)	⬇️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.