test: permit system design validation

[mrq1911]

No description provided.

[github-actions]

Crate versions that have been updated:

• runtime-integration-tests: v1.76.1 -> v1.77.0

Runtime version has not been increased.

[Copilot]

Pull request overview

Adds integration tests to validate intended design properties of the EVM permit system (shared EIP-712 domain + nonce space between CALLPERMIT and dispatch_permit), and updates the integration-tests crate metadata/deps.

Changes:

• Add new evm_permit.rs tests covering shared domain acceptance, nonce-based replay protection, and fee-currency override behavior.
• Bump runtime-integration-tests crate version to 1.77.0.
• Remove pallet-proxy from integration-tests dependencies and update Cargo.lock accordingly.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.

File	Description
integration-tests/src/evm_permit.rs	Adds new permit-system design validation tests around shared domain/nonce and fee currency override.
integration-tests/Cargo.toml	Bumps crate version and removes pallet-proxy dependency.
Cargo.lock	Reflects the integration-tests version bump and the removed pallet-proxy dependency.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

pallet-proxy was removed from this crate’s dependencies, but integration-tests/src/evm.rs still references pallet_proxy::Call::proxy (e.g. around lines ~5318 and ~5448). This will fail to compile unless the dependency is restored (or the tests are refactored to avoid direct pallet_proxy references).

Suggested change

	pallet-hsm = { workspace = true }
	pallet-hsm = { workspace = true }
	pallet-proxy = { workspace = true }

[Copilot]

This test name/comment claims a permit is accepted by both CALLPERMIT and dispatch_permit, but the test only exercises dispatch_permit (it only generates the digest via the CALLPERMIT helper). Consider either (a) renaming the test to reflect what’s actually being verified (CALLPERMIT-domain permit validates on dispatch_permit), or (b) extending it to actually submit via the CALLPERMIT precompile as well (likely with a fresh nonce/permit for the second path).

Suggested change

	fn permit_is_accepted_by_both_callpermit_and_dispatch_permit_by_design() {
	// The CALLPERMIT precompile and dispatch_permit share the same EIP-712 domain
	// and nonce space. A permit signed once can be submitted via either interface.
	// This is by design — dispatch_permit is a self-relay path, not a separate trust domain.
	fn callpermit_domain_permit_is_accepted_by_dispatch_permit_by_design() {
	// The CALLPERMIT precompile and dispatch_permit share the same EIP-712 domain
	// and nonce space. This test verifies that a permit signed for that shared
	// domain is accepted by dispatch_permit, which is a self-relay path rather
	// than a separate trust domain.

[Copilot]

This test description says it prevents permit reuse “across submission paths”, but it only checks replay rejection within the dispatch_permit unsigned validation path (no CALLPERMIT submission is attempted). Either rename to match the current coverage, or add an assertion that the same signed permit is also rejected when routed through the CALLPERMIT precompile (to truly validate the shared nonce space across both interfaces).

Suggested change

	fn shared_nonce_prevents_permit_reuse_across_submission_paths() {
	// The shared nonce space ensures a permit can only be used once, regardless
	// of which interface it was submitted through. This is the intended replay protection.
	fn shared_nonce_prevents_dispatch_permit_replay() {
	// The shared nonce space ensures the same signed permit cannot be replayed
	// through the dispatch_permit submission path. This validates replay protection here.