
fix(deps): upgrade ev-node to v1.0.0 and fix broken metrics#33

Open

auricom wants to merge 2 commits into main from auricom/fix_ev_node_v1.0.0
Conversation

@auricom auricom commented May 5, 2026

The core/da subpackage and the separate da/jsonrpc module were removed in ev-node v1.0.0 and consolidated into the main module under pkg/da/types and pkg/da/jsonrpc. The jsonrpc.Client API also changed: NewClient dropped logger/retry args and the DA abstraction was replaced by Blob/Header fields.

Without this fix ev-metrics fails to compile against a v1.0.0 ev-node server, causing both ev_metrics_block_time_seconds and ev_metrics_submission_duration_seconds to go dark.

  • Update import paths: core/da → pkg/da/types, da/jsonrpc → pkg/da/jsonrpc
  • Simplify NewClient call (4 args instead of 7)
  • Rewrite GetBlobsAtHeight using Blob.GetAll
  • Rewrite VerifyBlobAtHeight using NewBlobV0 + Blob.Get by commitment
  • Remove ev-node/core and ev-node/da direct deps from go.mod

Overview

Summary by CodeRabbit

  • Chores
    • Upgraded Go version to 1.25.6
    • Updated multiple dependencies, including core modules, for improved stability and security

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
coderabbitai Bot commented May 5, 2026

Warning

Rate limit exceeded

@auricom has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 50 minutes and 29 seconds before requesting another review.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8df55855-1cbb-41fe-a257-5fdab44fbaab

📥 Commits

Reviewing files that changed from the base of the PR and between 49231f8 and d7bea75.

📒 Files selected for processing (1)
  • Dockerfile
📝 Walkthrough

This PR consolidates the evstack/ev-node modules into a single v1.0.0 dependency, updates Go to 1.25.6, upgrades various dependencies, and refactors the Celestia client to use the new ev-node JSON-RPC blob API instead of the prior DA ID/commitment workflow.

Changes

Dependency Consolidation & Celestia Client Migration

  • Dependency Upgrade (go.mod): Go bumped to 1.25.6; ev-node consolidated from separate /core and /da modules to unified v1.0.0; direct dependencies (cobra, grpc, protobuf, golang.org/x/sync) upgraded; indirect dependencies (fatih/color, filecoin-project/go-jsonrpc, celestiaorg/go-square/merkle, celestiaorg/nmt, google/flatbuffers, hashicorp/*, ipfs/go-log, uber/zap, golang.org/x/*, google.golang.org/genproto) added or updated.
  • Import Path Update (cmd/monitor.go): coreda import path changed from github.com/evstack/ev-node/core/da to github.com/evstack/ev-node/pkg/da/types to align with the consolidated module structure.
  • Client API Migration (internal/clients/celestia/client.go): NewClient refactored to use the new jsonrpc.NewClient signature; GetBlobsAtHeight now uses libshare.NewNamespaceFromBytes and c.Blob.GetAll, and maps "blob: not found" to nil; VerifyBlobAtHeight now uses jsonrpc.NewBlobV0 and c.Blob.Get instead of the prior c.DA.Commit + c.DA.GetIDs enumeration pattern.
  • Cleanup (pkg/exporters/drift/drift.go, pkg/metrics/metrics_test.go): Import reordering in drift.go; indentation fix in metrics_test.go.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~30 minutes

Poem

🐰 A bunny hops through upgraded lands,
Where modules merge and APIs expand,
From core to blobs, the new way's clear,
Dependencies bloom, fresh and dear!
Cosmos grows, one hop per year. 🌿

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)
  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main changes: upgrading ev-node to v1.0.0 and fixing broken metrics due to import path changes.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.




@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
internal/clients/celestia/client.go (1)

21-39: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Persist the Celestia auth token for the timestamp lookup.

GetBlockTimestamp() makes a manual HTTP POST to c.url but the wrapper only stores the URL. On a standard Celestia node, the RPC API requires authentication unless the operator explicitly enables --rpc.skip-auth, so block-timestamp calls will fail with authentication errors on secured deployments even though blob operations succeed through jsonrpc.NewClient(...). This breaks ev_metrics_block_time_seconds metrics whenever the --celestia-token flag is actually required.

Add a token field to the Client struct, store it in NewClient, and apply it as an Authorization: Bearer <token> header in the GetBlockTimestamp HTTP request (lines 211–215).


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 15fb352b-bf46-4abc-8c2d-4509875ca582

📥 Commits

Reviewing files that changed from the base of the PR and between 80b4b4c and 49231f8.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (5)
  • cmd/monitor.go
  • go.mod
  • internal/clients/celestia/client.go
  • pkg/exporters/drift/drift.go
  • pkg/metrics/metrics_test.go
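A worked illustration of the change the review asks for in GetBlockTimestamp, written here as an added example rather than code from ev-metrics: a small client that keeps both the node URL and the token, and sends the token as an `Authorization: Bearer` header on its manual JSON-RPC POST. The `rpcClient` type, the `header.GetByHeight` method name and the `result.header.time` response shape are assumptions for the illustration (check the node's RPC documentation for the real ones); `newMockNode` is a constructed in-process stand-in for an auth-enabled node that rejects unauthenticated requests, which is the failure the review describes.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// rpcClient is a stand-in for the Celestia wrapper discussed in the review:
// it keeps the node URL *and* the auth token, so manual HTTP calls can
// authenticate just like the calls that go through the JSON-RPC client.
type rpcClient struct {
	url   string
	token string
	http  *http.Client
}

// newRPCClient stores the token instead of dropping it after construction.
func newRPCClient(url, token string) *rpcClient {
	return &rpcClient{url: url, token: token, http: &http.Client{Timeout: 10 * time.Second}}
}

// headerMethod is the JSON-RPC method assumed here for fetching a header by
// height; verify the exact name against the node's API documentation.
const headerMethod = "header.GetByHeight"

type rpcRequest struct {
	JSONRPC string        `json:"jsonrpc"`
	ID      int           `json:"id"`
	Method  string        `json:"method"`
	Params  []interface{} `json:"params"`
}

// rpcResponse models only the fields this example needs (assumed shape).
type rpcResponse struct {
	Result struct {
		Header struct {
			Time time.Time `json:"time"`
		} `json:"header"`
	} `json:"result"`
	Error *struct {
		Code    int    `json:"code"`
		Message string `json:"message"`
	} `json:"error"`
}

// GetBlockTimestamp POSTs the request and, when a token is configured, sends
// it as a Bearer credential so a node with RPC auth enabled accepts the call.
func (c *rpcClient) GetBlockTimestamp(ctx context.Context, height uint64) (time.Time, error) {
	body, err := json.Marshal(rpcRequest{JSONRPC: "2.0", ID: 1, Method: headerMethod, Params: []interface{}{height}})
	if err != nil {
		return time.Time{}, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, c.url, bytes.NewReader(body))
	if err != nil {
		return time.Time{}, err
	}
	req.Header.Set("Content-Type", "application/json")
	if c.token != "" {
		req.Header.Set("Authorization", "Bearer "+c.token)
	}
	resp, err := c.http.Do(req)
	if err != nil {
		return time.Time{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return time.Time{}, fmt.Errorf("%s: unexpected HTTP status %d", headerMethod, resp.StatusCode)
	}
	var out rpcResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return time.Time{}, err
	}
	if out.Error != nil {
		return time.Time{}, fmt.Errorf("%s: rpc error %d: %s", headerMethod, out.Error.Code, out.Error.Message)
	}
	return out.Result.Header.Time, nil
}

// newMockNode is a constructed stand-in for an auth-enabled node: it answers
// only when the expected Bearer token is present, otherwise it returns 401.
func newMockNode(token string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"jsonrpc":"2.0","id":1,"result":{"header":{"time":"2026-05-05T12:00:00Z"}}}`)
	}))
}

func main() {
	node := newMockNode("demo-token")
	defer node.Close()
	ctx := context.Background()
	if _, err := newRPCClient(node.URL, "").GetBlockTimestamp(ctx, 42); err != nil {
		fmt.Println("without token:", err) // the failure mode the review describes
	}
	ts, err := newRPCClient(node.URL, "demo-token").GetBlockTimestamp(ctx, 42)
	fmt.Println("with token:", ts, err)
}
```

The only security-relevant lines are the `if c.token != ""` branch and the fact that `newRPCClient` retains the token at all; everything else is ordinary JSON-RPC plumbing. Keeping the token on the struct also means a later code path that adds another manual HTTP call cannot silently ship without credentials.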

Comment thread go.mod
google.golang.org/grpc v1.75.0
google.golang.org/protobuf v1.36.10
golang.org/x/sync v0.20.0
google.golang.org/grpc v1.79.2
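Review bot: the bumped `google.golang.org/grpc v1.79.2` requirement is exactly the version OSV Scanner flags for GO-2026-4762 / GHSA-p77j-4mvh-x3m3 (CVE-2026-33186), and the fix shipped in v1.79.3, so change this line to `google.golang.org/grpc v1.79.3` in the same PR rather than merging a known-vulnerable pin. Run `go mod tidy` afterwards so go.sum, which the `!**/*.sum` path filter hides from this review, records the new module checksum.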

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# Check the current state of go.mod to confirm v1.79.2 is present
head -n 30 go.mod | tail -n 20

Repository: evstack/ev-metrics

Length of output: 717


🌐 Web query:

GO-2026-4762 GHSA-p77j-4mvh-x3m3 gRPC vulnerability

💡 Result:

GO-2026-4762 (GHSA-p77j-4mvh-x3m3, CVE-2026-33186) is an authorization bypass vulnerability in the gRPC-Go library (google.golang.org/grpc).[1][2][3] Published on March 27, 2026.[1][2] The gRPC-Go server accepts HTTP/2 requests with a :path pseudo-header missing the leading slash (e.g., "Service/Method" instead of "/Service/Method"). It routes these to the correct handler, but authorization interceptors (like google.golang.org/grpc/authz) check the raw non-canonical path. Deny rules for canonical paths (starting with /) fail to match, bypassing authorization if a fallback allow rule exists.[3][4][5] Impacted servers use path-based authorization interceptors (e.g., grpc/authz or custom using info.FullMethod) with deny rules for canonical paths and default allow.[3][6] Exploitable by sending raw HTTP/2 frames with a malformed :path to the gRPC server.[3] Fixed in v1.79.3 (or later): rejects a non-leading-slash :path with codes.Unimplemented before interceptors/handlers.[1][2][3] Upgrade to google.golang.org/grpc v1.79.3+. Workarounds: validating interceptor to reject/normalize paths, proxy enforcement of HTTP/2 compliance, default-deny policies.[3][6][7] Affected symbols: Server.Serve, Server.ServeHTTP, Server.handleStream.[2]

🌐 Web query:

google.golang.org/grpc v1.79.3 security fix release notes

💡 Result:

google.golang.org/grpc (grpc-go) v1.79.3 security fix release notes (as stated by the grpc-go project):
  • Server: fix an authorization bypass where malformed HTTP/2 :path headers missing the leading slash could bypass path-based restricted “deny” rules in interceptors such as grpc/authz. In v1.79.3, any request with a non-canonical path is immediately rejected with an Unimplemented error. [1]

Context / vulnerability description (CVE-2026-33186) from NVD:
  • The gRPC-Go server could accept requests where :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server routed these correctly, authorization interceptors evaluated the raw, non-canonical path string, so canonical “deny” rules (starting with /) could fail to match, potentially allowing bypass (e.g., when a fallback allow exists). The fix ensures requests whose :path does not start with a leading slash are immediately rejected with codes.Unimplemented. [2]

When to upgrade:
  • Upgrade to google.golang.org/grpc v1.79.3 (or newer) to obtain the fix. [1][2]

Upgrade gRPC-Go to patch authorization bypass vulnerability.

google.golang.org/grpc v1.79.2 is affected by GO-2026-4762 / GHSA-p77j-4mvh-x3m3 (CVE-2026-33186), an authorization bypass vulnerability where malformed HTTP/2 :path headers can bypass path-based authorization checks in interceptors. Upgrade to v1.79.3 or later before merging.

Suggested fix
-	google.golang.org/grpc v1.79.2
+	google.golang.org/grpc v1.79.3
🧰 Tools
🪛 OSV Scanner (2.3.6)

[CRITICAL] 16-16: google.golang.org/grpc 1.79.2: Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc

(GO-2026-4762)


[CRITICAL] 16-16: google.golang.org/grpc 1.79.2: gRPC-Go has an authorization bypass via missing leading slash in :path

(GHSA-p77j-4mvh-x3m3)

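To make the mechanism in the advisory concrete, here is an added Go example (not code from grpc-go, ev-metrics or CodeRabbit) that models a path-based policy with explicit deny rules and a fallback allow, and the guard the v1.79.3 fix introduces: compare the deny rule against the raw path and a non-canonical `Service/Method` slips past it, reject anything without the leading slash before routing and it cannot. `authzPolicy`, `validatePath` and the sample method names are constructed for the illustration; the real protection is the dependency upgrade, and this only shows what that server-side check enforces and why a validating interceptor is listed as a workaround.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// errNonCanonicalPath mirrors the behaviour the v1.79.3 fix introduces: a
// request whose :path lacks the leading slash is rejected before any
// interceptor or handler runs.
var errNonCanonicalPath = errors.New("non-canonical :path: missing leading slash")

// authzPolicy is a minimal stand-in for a path-based authorization
// interceptor with explicit deny rules on canonical full-method names and a
// fallback allow, the configuration the advisory describes as affected.
type authzPolicy struct {
	deny map[string]bool
}

// decideRaw applies the policy to the path exactly as received. With a
// non-canonical path the deny rule never matches and the fallback allow wins.
func (p authzPolicy) decideRaw(fullMethod string) bool {
	return !p.deny[fullMethod]
}

// validatePath is the guard that closes the gap: only "/Service/Method" with
// a non-empty service and method is accepted, so deny rules are always
// compared against a canonical path.
func validatePath(fullMethod string) (string, error) {
	if !strings.HasPrefix(fullMethod, "/") {
		return "", errNonCanonicalPath
	}
	svc, method, ok := strings.Cut(strings.TrimPrefix(fullMethod, "/"), "/")
	if !ok || svc == "" || method == "" {
		return "", fmt.Errorf("malformed :path %q", fullMethod)
	}
	return fullMethod, nil
}

// authorize is the hardened decision: validate first, then apply the policy.
// A non-nil error means "reject before routing", independent of the policy.
func (p authzPolicy) authorize(fullMethod string) (bool, error) {
	canon, err := validatePath(fullMethod)
	if err != nil {
		return false, err
	}
	return p.decideRaw(canon), nil
}

func main() {
	policy := authzPolicy{deny: map[string]bool{"/admin.Service/Reset": true}}
	for _, path := range []string{"/admin.Service/Reset", "admin.Service/Reset", "/public.Service/Ping"} {
		allowed, err := policy.authorize(path)
		fmt.Printf("%-22s raw=%-5v hardened=%-5v err=%v\n", path, policy.decideRaw(path), allowed, err)
	}
}
```

The `raw=` column for `admin.Service/Reset` is the advisory's point: the deny rule is keyed on the canonical name, the raw string never equals it, and the fallback allow takes over. A default-deny policy (deny everything not explicitly allowed) would also have been safe here, which is why the advisory lists it among the workarounds.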
