Fix seid static-link paths for missing .a files

[masih]

The static-build path for seid was broken in two ways that masked each other and only surfaced when goreleaser first tried it:

• The sei-wasmd v152/v155 archives were named libwasmvmstatic.a, but link_muslc.go wants -lwasmvm_muslc — so the linker said "cannot find -lwasmvm155_muslc" and never noticed the static.a files were also wrong (Mach-O arm64, not Linux musl ELF).
• sei-wasmvm/internal/api was missing libwasmvmstatic_darwin.a entirely.

Fixes:

• Rename the misnamed Mach-O archives to libwasmvm*static_darwin.a to match link_mac_static.go.
• Add libwasmvm{152,155}_muslc{,.aarch64}.a from the sei-wasmd v0.3.6 release, with SHA256s pinned via Go tests.
• Add libwasmvmstatic_darwin.a, produced reproducibly by the new macos-static target rather than someone's laptop.

CI:

• cross-arch-build.yml: new linux-amd64-static job that asserts the resulting seid is actually statically linked. Would have caught this at PR time.
• libwasmvm.yml: add release-build-macos-static to the matrix so the darwin static archive can be regenerated on demand.

Additionally, add tests that assert the consistency of shasums for checked in .a files. The missing files are ported over from:

• https://github.com/sei-protocol/sei-wasmd/releases/tag/v0.3.6

Add tests to programmatically assert existence of linked libraries across the entire codebase.

Note: for internal/api/libwasmvm I stripped off debugging info to reduce the size of the .a file since GitHub does not accept sole files with size over 100MiB.

Relates to: PLT-41

---

Note

Medium Risk
Medium risk because it changes the static-linking artifact set and adds CI/test enforcement around cgo linking; mistakes here can break release builds across platforms.

Overview
Fixes the seid static-link path by ensuring the vendored libwasmvm archives actually match the link_*.go cgo -l... directives (and aren’t wrong-arch/misnamed).

Adds Go tests to (1) verify every link_*.go resolves to a real lib*.{a,so,dylib} in sei-wasmd v152/v155 and sei-wasmvm/internal/api, (2) fail on orphaned library artifacts, and (3) pin SHA256 checksums for the v152/v155 musl static archives.

Updates CI to build macOS static libwasmvm via a new release-build-macos-static workflow matrix entry.

^{Reviewed by Cursor Bugbot for commit e799e33. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

The latest Buf updates on your PR. Results from workflow Buf / buf (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	✅ passed	✅ passed	✅ passed	May 16, 2026, 7:38 AM

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.37%. Comparing base (823a78d) to head (5d56365).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3426      +/-   ##
==========================================
+ Coverage   59.29%   59.37%   +0.07%     
==========================================
  Files        2125     2112      -13     
  Lines      175629   173527    -2102     
==========================================
- Hits       104144   103028    -1116     
+ Misses      62404    61517     -887     
+ Partials     9081     8982      -99     

Flag	Coverage Δ
sei-chain-pr	53.00% <ø> (?)
sei-db	70.41% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.
see 151 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cursor]

PR Summary

Low Risk
Low risk: changes are limited to CI workflow matrix updates and new Go tests that validate presence and checksums of checked-in native archives, without touching runtime logic.

Overview
Fixes the static-link artifact workflow by expanding CI’s libwasmvm build matrix to include release-build-macos-static, enabling reproducible generation of the macOS static archive.

Adds guardrail tests to prevent future broken static builds: a repo-level test (link_directives_test.go) that ensures every link_*.go #cgo LDFLAGS: ... -l<name> resolves to a real lib<name>.{a,so,dylib} in the same directory (and flags orphaned artifacts), plus per-version checksum tests in sei-wasmd (v152/v155) that pin SHA256s for the vendored static archives.

^{Reviewed by Cursor Bugbot for commit 5d56365. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 5d56365. Configure here.}

[cursor]

Missing "lib" prefix guard causes potential panic

Low Severity

TestArtifactsHaveNoOrphans documents that it processes "every lib*.{a,so,dylib}" but only filters by extension, not by the "lib" prefix. The slice name[len("lib") : len(name)-len(ext)] assumes the filename starts with "lib" and is long enough. A non-lib-prefixed file with a library extension (e.g. ab.a) would cause a slice-bounds panic since len("lib") exceeds len(name)-len(ext). Adding a strings.HasPrefix(name, "lib") guard would match the documented intent and prevent a test-suite crash.

 

^{Reviewed by Cursor Bugbot for commit 5d56365. Configure here.}

[cursor]

Custom stripSuffix reimplements strings.TrimSuffix

Low Severity

The stripSuffix helper has identical semantics to strings.TrimSuffix from the standard library — both check if the string ends with the suffix and return it stripped, or the original string unchanged. Replacing it with strings.TrimSuffix removes unnecessary code and is more idiomatic Go.

 

^{Reviewed by Cursor Bugbot for commit 5d56365. Configure here.}