adds missing check for Seal.FinalState

[AlexHentschel]

first AI DRAFT - Only partially REVIEWED by human

goal: fix missing check for Seal.FinalState; details see: https://github.com/onflow/flow-go-internal/issues/7214

Overview

• added a single localized check at the top of validateSeal method that retrieves the verified final state from executionResult.FinalStateCommitment() and rejects seals with mismatching Seal.FinalState by returning an engine.NewInvalidInputErrorf
• ErrNoChunks (prohibited by constructor flow.NewExecutionResult) is treated as an exception per high-assurance convention. Updated godoc to explain rationale.

Summary by CodeRabbit

• Bug Fixes

  • Strengthened validation to reject seals whose reported final-state commitment does not match the computed expected commitment.

• Tests

  • Added test to verify detection and rejection of seals with tampered final-state commitments.

• Chores

  • Updated ignore patterns to exclude local AI notes directory.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 997b5afd-d55c-4fb4-b0bc-66c80638b663

📥 Commits

Reviewing files that changed from the base of the PR and between d4f066a and d0f1bb0.

📒 Files selected for processing (2)

• module/validation/seal_validator.go
• module/validation/seal_validator_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• module/validation/seal_validator_test.go
• module/validation/seal_validator.go

---

📝 Walkthrough

Walkthrough

This PR adds final-state integrity validation to the seal validator: validateSeal derives the expected final-state commitment from the execution result, returns an irrecoverable error if derivation fails, and rejects seals whose FinalState does not match; includes a test and a .gitignore update.

Changes

Seal Final-State Integrity Validation

Layer / File(s)	Summary
Seal FinalState commitment check module/validation/seal_validator.go	Imports the irrecoverable exception module and adds an upfront check in validateSeal that computes the execution result's final-state commitment and returns an irrecoverable error if derivation fails, or an engine.InvalidInputError if seal.FinalState mismatches.
Test seal FinalState validation module/validation/seal_validator_test.go	New test TestSealInvalidFinalState mutates the seal's FinalState and verifies that sealValidator.Validate rejects the candidate block with an invalid-input error.
Repository configuration update .gitignore	Adds ai-notes/ to the ignore rules.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

A rabbit checks the final state with care,
Seal commitments matching everywhere,
No fuzzy logic here, just integrity tight,
And ai-notes tucked away, out of sight! 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'adds missing check for Seal.FinalState' accurately reflects the main change across all modified files: adding validation for Seal.FinalState integrity in the seal validator.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch alex/seal-validation_final-state

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[codecov-commenter]

Codecov Report

❌ Patch coverage is 60.00000% with 2 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
module/validation/seal_validator.go	60.00%	1 Missing and 1 partial ⚠️

📢 Thoughts on this report? Let us know!