refactor: bump go-header and use DeleteRange method for rollback

[julienrbrt]

Closes: #2631

Blocked on celestiaorg/go-header#347

[github-actions]

The latest Buf updates on your PR. Results from workflow CI and Release / buf-check (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	⏩ skipped	✅ passed	✅ passed	Sep 9, 2025, 3:36 PM

[gemini-code-assist]

Summary of Changes

Hello @julienrbrt, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on enhancing the rollback functionality by integrating a new, more granular method from an updated external dependency. The change improves how historical data is managed during rollback, ensuring more precise state restoration. It also includes necessary dependency management updates to facilitate this refactor.

Highlights

• Dependency Update: The pull request updates the go-header dependency, specifically to utilize a new DeleteRange method for rollback operations.
• Rollback Logic Refactor: The rollback mechanism in both evm/single and testapp applications has been refactored to use the more precise DeleteRange method instead of the older DeleteTo method for managing header and data store states.
• Temporary Module Replacement: A temporary replace directive has been added to the go.mod files, pointing to a specific commit in a forked go-header repository. This is a temporary measure until the upstream change is merged.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[julienrbrt]

@tac0turtle could you check if you still get the error in EVM?

[gemini-code-assist]

Code Review

This pull request updates the go-header dependency and refactors the rollback logic to use the new DeleteRange method instead of DeleteTo. This change appears to correctly implement the rollback to delete blocks after a specific height. However, I've found a critical issue in the rollback command where a uint64 underflow can occur if the node is at genesis height, potentially leading to unintended data deletion. I've also suggested a minor refactoring to reduce code duplication in the rollback logic. Please address the critical issue before merging.

[gemini-code-assist]

There are a couple of points to address in this block:

1. Critical Bug: There's a potential for unintended data deletion. When the rollback command is run without a --height flag on a node at genesis (height 0), the height variable at line 61 becomes (2^64)-1 due to uint64 underflow. Consequently, height+1 in DeleteRange wraps to 0, which would cause all headers and data to be deleted from the stores. A check should be added around line 61 to prevent rollbacks from height 0.

2. Code Duplication (Medium): The logic for rolling back headerStore and dataStore is identical. You could refactor this into a generic helper function to reduce code duplication, especially since the same logic is present in apps/testapp/cmd/rollback.go.

For example, you could define a generic function:

func rollbackStore[H header.Header[H]](ctx context.Context, store header.Store[H], height uint64, name string) error {
	if err := store.DeleteRange(ctx, height+1, store.Height()); err != nil {
		return fmt.Errorf("failed to rollback %s state: %w", name, err)
	}
	return nil
}

[gemini-code-assist]

There are a couple of points to address in this block:

1. Critical Bug: There's a potential for unintended data deletion. When the rollback command is run without a --height flag on a node at genesis (height 0), the height variable at line 61 becomes (2^64)-1 due to uint64 underflow. Consequently, height+1 in DeleteRange wraps to 0, which would cause all headers and data to be deleted from the stores. A check should be added around line 61 to prevent rollbacks from height 0.

2. Code Duplication (Medium): The logic for rolling back headerStore and dataStore is identical. You could refactor this into a generic helper function to reduce code duplication, especially since the same logic is present in apps/evm/single/cmd/rollback.go.

For example, you could define a generic function:

func rollbackStore[H header.Header[H]](ctx context.Context, store header.Store[H], height uint64, name string) error {
	if err := store.DeleteRange(ctx, height+1, store.Height()); err != nil {
		return fmt.Errorf("failed to rollback %s state: %w", name, err)
	}
	return nil
}

[claude]

Code Review for PR #2638

Overview

This PR addresses a critical bug in the rollback functionality by updating the go-header dependency and switching from DeleteTo to DeleteRange method. The changes look correct and necessary to fix the rollback verification issues.

✅ Code Quality and Best Practices

Positive aspects:

• Clear Intent: The method name change from DeleteTo to DeleteRange is more explicit about what range of headers/data is being deleted
• Consistent Application: The changes are applied consistently across both evm/single and testapp applications
• Proper Error Handling: Existing error wrapping patterns are maintained
• Semantic Correctness: The logic DeleteRange(ctx, height+1, store.Height()) correctly deletes from height+1 to the current head, which is semantically clearer than the previous DeleteTo(ctx, height)

Code Quality Score: ✅ Good

⚠️ Potential Issues and Considerations

1. Temporary Dependency Replace:

   • The PR uses a temporary replace directive pointing to github.com/julienrbrt/go-header
   • This creates a dependency on an external fork until the upstream PR is merged
   • Recommendation: Ensure the upstream PR (feat: Add DeleteRange method to Store celestiaorg/go-header#347) gets merged promptly to avoid long-term fork dependency

2. Mock Generation:

   • The mock files show new DeleteRange methods but still retain the old DeleteTo methods
   • Recommendation: Run make mock-gen to ensure mocks are fully updated and remove any unused DeleteTo references if appropriate

🔍 Security Concerns

Low Risk Areas:

• The rollback functionality is an administrative operation
• No credential exposure or malicious code patterns detected
• The range calculation height+1 to store.Height() appears safe from off-by-one errors

🚀 Performance Considerations

Potential Improvements:

• The new DeleteRange method likely has better performance characteristics than the previous DeleteTo as it's more explicit about the operation
• No performance regressions expected

🧪 Test Coverage Concerns

Critical Gap Identified:

• No test coverage found for the rollback functionality with either DeleteTo or DeleteRange methods
• This is a significant concern for such critical functionality

Recommendations:

1. Add integration tests for the rollback command that verify:

   • Headers are correctly deleted from the specified height
   • Data store rollback works correctly
   • Rollback can be performed multiple times safely
   • Edge cases (rolling back to height 0, current height, etc.)

2. Add unit tests for the specific DeleteRange logic to ensure the range calculation is correct

📝 Additional Recommendations

1. Documentation: Consider adding a comment explaining why height+1 is used as the start of the deletion range
2. Error Context: The error messages could be more specific about what height range failed to delete
3. Validation: Consider adding validation to ensure height < store.Height() before attempting rollback

Summary

This is a necessary bug fix that addresses a critical issue in the rollback functionality. The code changes are semantically correct and follow the project's conventions. However, the lack of test coverage is a significant concern that should be addressed.

Status: ✅ Approve with recommendations

The changes are correct and should be merged once the upstream dependency is available, but please prioritize adding comprehensive test coverage for this critical functionality.

[claude]

Code Review: Refactor rollback to use DeleteRange method

Summary

This PR updates the rollback functionality to use the new DeleteRange method from the go-header library instead of the deprecated DeleteTo method. The change addresses a critical issue where DeleteTo was performing the reverse operation, causing verification issues during broadcast after rollback.

✅ Code Quality & Best Practices

Good practices observed:

• Semantic correctness: The change from DeleteTo(height) to DeleteRange(height+1, store.Height()) is semantically correct - it deletes entries from height+1 to the current height, preserving data up to the rollback target
• Consistent application: The change is applied consistently across both header store and data store operations in both affected files
• Error handling: Existing error handling patterns are preserved with descriptive error messages
• Go module management: Proper use of replace directives with TODO comments for tracking upstream dependency resolution

🔍 Code Changes Analysis

Main Logic Changes (rollback.go files)

The change from:

• headerStore.DeleteTo(goCtx, height) → headerStore.DeleteRange(goCtx, height+1, headerStore.Height())
• dataStore.DeleteTo(goCtx, height) → dataStore.DeleteRange(goCtx, height+1, dataStore.Height())

Analysis: This change is semantically correct. The new implementation:

• Preserves data up to and including the target height
• Deletes only the data that should be rolled back (height+1 onwards)
• Uses the current store height as the upper bound for deletion

🐛 Potential Issues & Recommendations

1. Edge Case Handling

Issue: What happens when height+1 > store.Height()?
Recommendation: Consider adding validation to prevent invalid rollback attempts.

2. Atomic Operations

Issue: If header store rollback succeeds but data store rollback fails, the system could be in an inconsistent state.
Recommendation: Consider implementing transaction-like semantics or at least document the recovery procedure for partial failures.

3. Mock Generation

Positive: The mock file correctly includes the new DeleteRange method, ensuring tests can still pass.

🔒 Security Considerations

• No security concerns identified - this is a refactoring that improves correctness
• The change reduces the risk of data integrity issues during rollback operations

⚡ Performance Considerations

• Performance impact: Minimal - DeleteRange with explicit bounds should be as efficient as DeleteTo
• Memory usage: No significant change in memory usage patterns
• The explicit range specification may actually be more efficient in some storage implementations

🧪 Test Coverage Recommendations

The PR includes updated mocks but consider adding/updating:

1. Unit tests for edge cases:

   • Rollback to current height
   • Rollback to height greater than current height
   • Rollback with empty stores

2. Integration tests to verify:

   • Successful rollback and subsequent operations
   • Partial failure scenarios
   • Data integrity after rollback

📋 Dependencies & Deployment

Temporary dependency: Using a fork of go-header until upstream PR is merged

• Risk level: Low (temporary fork with clear migration path)
• Monitoring needed: Track feat: Add DeleteRange method to Store celestiaorg/go-header#347 for merge status
• Action item: Remove replace directives once upstream PR is merged

✅ Overall Assessment

This is a well-executed refactoring that:

• ✅ Fixes a critical correctness issue
• ✅ Maintains code consistency
• ✅ Follows Go module best practices
• ✅ Includes proper mock updates

Recommendation: APPROVE with the edge case validation suggestion as a minor improvement.

📝 Minor Suggestions

1. Add height validation as suggested above
2. Consider adding a comment explaining the rollback logic for future maintainers

Great work on identifying and fixing this critical issue! 🎯

[claude]

Code Review: Refactor rollback to use DeleteRange method

Summary

This PR updates the rollback commands to use DeleteRange instead of DeleteTo from the go-header library, fixing verification issues that occur when trying to broadcast after a rollback.

✅ Positive Aspects

1. Correct API Usage

• The change from DeleteTo(ctx, height) to DeleteRange(ctx, height+1, store.Height()) is semantically correct
• DeleteRange is more explicit about what's being deleted (from height+1 to current height), which is the intended rollback behavior
• This aligns better with the typical range deletion semantics where you specify start and end bounds

2. Comprehensive Coverage

• All rollback commands are consistently updated across both evm/single and testapp applications
• Go modules and checksums are properly updated to use the temporary fork
• Mock generation includes the new DeleteRange method

3. Good Test Coverage

• The existing rollback tests in pkg/store/store_test.go provide excellent coverage including:
  • Basic rollback functionality
  • Edge cases (same height, higher height rollbacks)
  • DA included height validation
  • Error conditions (batch errors, height retrieval errors)
  • Invalid data handling

🔍 Technical Analysis

API Correctness:

// Before: DeleteTo deletes everything UP TO height (inclusive)
headerStore.DeleteTo(ctx, height)

// After: DeleteRange deletes from height+1 to current height (exclusive end)
headerStore.DeleteRange(ctx, height+1, headerStore.Height())

The new approach is more explicit and avoids the ambiguity of what "DeleteTo" means.

Math Validation:

• For rollback to height 5 with current height 10:
  • Old: DeleteTo(ctx, 5) - unclear semantics
  • New: DeleteRange(ctx, 6, 10) - clearly deletes heights 6,7,8,9

⚠️ Areas of Concern

1. Temporary Dependency (Low Risk)

• Using a fork of go-header (github.com/julienrbrt/go-header) until the upstream PR is merged
• The TODO comment indicates this will be cleaned up after feat: Add DeleteRange method to Store celestiaorg/go-header#347
• Recommendation: Ensure the upstream PR is merged promptly and this dependency is updated

2. Error Handling (Minor)

• The rollback commands don't validate that height+1 <= headerStore.Height() before calling DeleteRange
• If height equals current height, DeleteRange(ctx, height+1, height) might have undefined behavior
• However, this appears to be handled correctly by the underlying implementation

3. No Integration Tests for New API

• While unit tests exist for the store's rollback functionality, there are no specific tests for the new DeleteRange API usage in the rollback commands
• Recommendation: Consider adding integration tests that verify the rollback commands work correctly with the new API

🚀 Performance Considerations

• DeleteRange with explicit bounds should be more efficient than DeleteTo as it avoids potential ambiguity in implementation
• No negative performance impact expected

🔒 Security Analysis

• No security concerns identified
• The change maintains the same permission model and validation logic (DA included height checks remain intact)

📋 Recommendations

1. Monitor Upstream Dependency: Track the go-header PR and update the dependency once merged
2. Consider Integration Test: Add a simple integration test for rollback commands with the new API
3. Documentation: Consider updating any documentation that references the rollback behavior if it exists

✅ Overall Assessment

This is a well-executed refactor that:

• Fixes a real issue with rollback functionality
• Uses clearer, more explicit API semantics
• Maintains comprehensive test coverage
• Follows the project's modular architecture patterns

Recommendation: APPROVE ✅

The changes are correct, well-tested, and improve the codebase. The temporary dependency is acceptable given the clear migration path.

[claude]

Code Review: Rollback Refactor with DeleteRange Method

Summary

This PR addresses a critical bug in the rollback functionality by switching from DeleteTo to DeleteRange method and bumping the go-header dependency. The changes look good overall but I have some observations and suggestions.

✅ Positive Aspects

1. Correct Logic Fix: The change from DeleteTo(height) to DeleteRange(height+1, store.Height()) properly addresses the semantic issue where DeleteTo was deleting the wrong direction.

2. Consistent Implementation: The fix is consistently applied across both testapp and evm applications, maintaining uniformity.

3. Proper Dependency Management: Using a temporary replace directive with a clear TODO comment indicating the upstream PR dependency is a good practice.

🔍 Areas for Improvement

1. Error Handling Enhancement

The current error handling could be more robust:

// Current
if err := headerStore.DeleteRange(goCtx, height+1, headerStore.Height()); err != nil {
    return fmt.Errorf("failed to rollback header sync service state: %w", err)
}

// Suggested improvement - validate range first
currentHeight := headerStore.Height()
if height+1 > currentHeight {
    return fmt.Errorf("rollback height %d is already at or beyond current height %d", height, currentHeight)
}
if err := headerStore.DeleteRange(goCtx, height+1, currentHeight); err != nil {
    return fmt.Errorf("failed to rollback header sync service state from %d to %d: %w", height+1, currentHeight, err)
}

2. Edge Case Considerations

• What happens if height+1 == store.Height()? The range would be empty - consider adding validation.
• What if height+1 > store.Height()? This could cause issues.

3. Mock Generation

The generated mock in test/mocks/external/hstore.go adds the new DeleteRange method correctly. Consider running tests to ensure the mock generation is complete across all affected interfaces.

🧪 Testing Recommendations

1. Add integration tests for edge cases:

   • Rollback to current height
   • Rollback beyond available height
   • Rollback with empty stores

2. Test the dependency replacement to ensure the forked version works correctly.

🔒 Security Considerations

• Validation: Add bounds checking before calling DeleteRange to prevent potential panics or unexpected behavior.
• Atomic Operations: Consider if the rollback operations need to be atomic (both header and data stores succeed or both fail).

📋 Minor Issues

1. Consistency: Both applications use identical rollback logic - consider extracting this into a shared package to reduce duplication.

2. Logging: Consider adding debug logs to track the rollback range for troubleshooting.

🏗️ Performance Considerations

The DeleteRange approach should be more efficient than the previous DeleteTo method since it targets the specific range that needs deletion rather than potentially scanning unnecessary data.

✅ Overall Assessment

This is a solid bug fix that addresses a critical issue in the rollback functionality. The implementation is correct and consistent. The main suggestions are around defensive programming (input validation) and potential code reuse opportunities.

Recommendation: Approve with minor suggestions for enhancement.

Note: Make sure to remove the temporary replace directive once celestiaorg/go-header#347 is merged and released.

[claude]

Code Review

✅ Positive Aspects

Clear Bug Fix: This PR addresses a critical issue where DeleteTo was behaving in reverse, causing verification problems after rollback operations. The semantic change from DeleteTo(height) to DeleteRange(height+1, store.Height()) makes the intent much clearer.

Consistent Application: The fix is properly applied across all rollback commands (testapp and evm/single), ensuring consistency across the codebase.

Proper Dependency Management: The temporary fork usage with clear TODO comments shows good dependency management practices while waiting for upstream merge.

---

🔍 Detailed Analysis

Code Quality & Best Practices

• ✅ Semantic Clarity: DeleteRange(height+1, store.Height()) is much more explicit than DeleteTo(height) about what range is being deleted
• ✅ Error Handling: Existing error handling patterns are preserved
• ✅ Code Style: Changes follow existing Go conventions and project patterns from CLAUDE.md

Logic Correctness

The mathematical change is sound:

• Before: DeleteTo(height) - unclear semantics leading to wrong behavior
• After: DeleteRange(height+1, store.Height()) - explicitly deletes everything after the rollback target height

This correctly preserves blocks 0 through height while removing blocks height+1 and above.

Dependencies & Security

• ✅ Temporary Fork: Using a personal fork with clear TODO is appropriate for unmerged upstream changes
• ✅ Version Pinning: Specific commit hash provides reproducible builds
• ⚠️ Upstream Dependency: Blocked on feat: Add DeleteRange method to Store celestiaorg/go-header#347 - ensure this gets merged promptly to remove the fork dependency

Test Coverage

• ⚠️ Missing Tests: No new tests added to verify the rollback behavior works correctly with the new method
• ⚠️ Integration Testing: Would benefit from integration tests that verify rollback doesn't cause verification issues

---

📋 Recommendations

High Priority

1. Add Integration Tests: Create tests that verify rollback works correctly and doesn't cause verification issues when broadcasting after rollback
2. Test Edge Cases:
   • Rollback to height 0
   • Rollback when store is empty
   • Rollback to current height

Medium Priority

1. Documentation: Consider adding a comment explaining the +1 offset in the rollback logic
2. Error Messages: The error messages could be more specific about what range failed to delete

Low Priority

1. Upstream Merge: Track feat: Add DeleteRange method to Store celestiaorg/go-header#347 to remove fork dependency

---

✅ Overall Assessment

This is a well-executed bug fix that addresses a critical rollback issue. The semantic improvement from DeleteTo to DeleteRange with explicit bounds makes the code much more maintainable.

Ready to merge after addressing test coverage concerns and ensuring the upstream PR gets merged to remove the fork dependency.

Impact: Critical - fixes rollback verification issues
Risk: Low - straightforward semantic fix with clear intent

[claude]

Pull Request Review

Summary

This PR refactors the rollback commands to use the new DeleteRange method instead of the deprecated DeleteTo method from go-header. The change corrects the semantic behavior where DeleteTo was deleting in the wrong direction, causing verification issues after rollback.

Code Quality & Best Practices ✅

Positive aspects:

• Clear semantic improvement: DeleteRange(height+1, headerStore.Height()) is much clearer than DeleteTo(height) - it explicitly shows we're deleting from height+1 to the current height
• Consistent application: The change is applied consistently across both testapp and evm/single rollback commands
• Proper temporary replacement: Uses a temporary replace directive in go.mod with clear TODO comment indicating it will be removed after upstream merge
• Generated mocks updated: The mock files are properly updated to include the new DeleteRange method

Minor considerations:

• The arithmetic height+1 could benefit from a comment explaining why we start from height+1 rather than height (we want to keep the block at the target height)

Correctness & Bug Fixes ✅

Fixed the core issue:

• Before: DeleteTo(height) was semantically incorrect - it deleted blocks in the wrong direction
• After: DeleteRange(height+1, currentHeight) correctly deletes blocks from height+1 up to the current height, preserving the block at the target height

Consistent with internal store implementation:
Looking at pkg/store/store.go:267-350, the internal Rollback method correctly implements this logic by iterating from currentHeight down to height+1, deleting each block. The new header/data store calls now match this semantic.

Performance Considerations ✅

Improvements:

• DeleteRange is likely more efficient than DeleteTo as it can batch delete operations
• Single method call instead of potentially multiple internal operations
• No performance regressions expected

Security Concerns ✅

No security issues identified:

• The change maintains the same access patterns and validation
• Rollback operations are still properly authenticated through the CLI commands
• No new attack vectors introduced
• The DA included height validation from the store layer still applies

Test Coverage ⚠️

Current test coverage:

• The pkg/store/store_test.go has comprehensive rollback tests including edge cases, error handling, and DA height validation
• However, the rollback CLI commands themselves lack direct unit tests

Recommendations:

1. Add integration tests for the rollback CLI commands to ensure the header/data store integration works correctly
2. Add a test case that verifies blocks can be properly retrieved after rollback (to ensure the fix for verification issues is working)
3. Consider adding a test that simulates the original issue (verification failure after rollback) to prevent regression

Additional Observations

Dependency management:

• The temporary replace directive is properly documented and will be removed after upstream merge
• All go.mod files are consistently updated

Code maintainability:

• The change is minimal and focused, reducing risk of introducing new bugs
• Clear commit message explaining the refactor purpose

Recommendations

1. Add CLI rollback integration tests - The most important gap in test coverage
2. Consider adding inline comments explaining why we use height+1 as the start of the range
3. Test the verification issue fix - Ensure that after rollback, nodes can properly broadcast and verify blocks

Approval Status: ✅ Approved with Recommendations

This is a solid refactor that fixes a critical semantic bug in the rollback functionality. The implementation is correct and follows Go best practices. The main area for improvement is test coverage for the CLI commands themselves.

The change correctly addresses the issue described in #2631 and should resolve the verification problems after rollback operations.

[julienrbrt]

@claude shut up

[claude]

Claude finished @julienrbrt's task —— View job

---

Understood! I'll stop providing additional reviews on this PR.