feat: implement recursive aggregation for devnet4

[GrapeBaBa]

No description provided.

[Copilot]

Pull request overview

This PR updates the devnet4 data model and signature flow by splitting validator keys into separate attestation vs proposal keys, removing proposer-attestation-in-block, and reworking how gossip signatures / aggregated payloads are stored and consumed across forkchoice, block production, networking, and tests.

Changes:

• Split validator keys into attestation_pubkey + proposal_pubkey, propagate through genesis config/state, key-manager, and JSON/YAML/spec fixture parsing.
• Simplify SignedBlock to wrap BeamBlock directly and verify proposer signatures over hash_tree_root(block) using the proposal key.
• Refactor attestation signature aggregation storage to be keyed by AttestationData, add recursive-aggregation plumbing, and adjust forkchoice/chain selection logic accordingly.

Reviewed changes

Copilot reviewed 29 out of 29 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
pkgs/types/src/zk.zig	Update STF prover input test to use SignedBlock and new message layout.
pkgs/types/src/validator.zig	Split validator pubkey into attestation/proposal keys; update JSON helpers.
pkgs/types/src/utils.zig	Update GenesisSpec to store dual pubkey arrays and adjust lifecycle helpers.
pkgs/types/src/state.zig	Build validators from dual pubkey arrays; update genesis-related tests/hashes.
pkgs/types/src/lib.zig	Re-export new SignedBlock and expose aggregateInnerMap.
pkgs/types/src/block_signatures_testing.zig	Remove prior aggregation algorithm test suite.
pkgs/types/src/block.zig	Replace (validator_id,data_root) maps with AttestationData-keyed structures; add inner-map aggregation helper; refactor computeAggregatedSignatures.
pkgs/types/src/aggregation.zig	Add recursive-aggregation API shape and INVERSE_PROOF_SIZE constant.
pkgs/state-transition/src/transition.zig	Verify proposer signature over block root using proposal pubkey; update attestation pubkey usage.
pkgs/state-transition/src/mock.zig	Generate mock chain using block-root proposer signing and new signature map layout.
pkgs/state-transition/src/lib.zig	Update tests to apply transitions with SignedBlock.message (no nested .block).
pkgs/spectest/src/runner/state_transition_runner.zig	Allow fixtures to provide dual pubkeys while retaining fallback for legacy pubkey.
pkgs/spectest/src/runner/fork_choice_runner.zig	Adjust aggregated payload storage API and validator parsing for dual pubkeys.
pkgs/node/src/validator_client.zig	Produce SignedBlock and sign block root with proposal key; stop skipping proposer attestations.
pkgs/node/src/testing.zig	Update node test context for dual pubkeys and proposer block-root signing.
pkgs/node/src/node.zig	Update gossip block handling for new SignedBlock layout.
pkgs/node/src/network.zig	Update fetched-block cache types and parent-root accessors for SignedBlock.
pkgs/node/src/forkchoice.zig	Replace old gossip-signature/root-indexing with AttestationData-keyed signature maps and new aggregation entrypoints.
pkgs/node/src/chain.zig	Change block production to select pre-aggregated proofs (greedy) from known payloads; update gossip/onBlock flows for new types.
pkgs/network/src/mock.zig	Update mock network cloning/tests for SignedBlock.
pkgs/network/src/interface.zig	Update gossip/req-resp message types to carry SignedBlock.
pkgs/network/src/ethlibp2p.zig	Update deserialization and logging for new block message layout.
pkgs/key-manager/src/lib.zig	Store per-validator dual keypairs; add block-root signing and dual pubkey extraction APIs.
pkgs/database/src/test_helpers.zig	Update helper block/state constructors for new validator and block types.
pkgs/database/src/rocksdb.zig	Store/load SignedBlock instead of SignedBlockWithAttestation; update tests accordingly.
pkgs/configs/src/lib.zig	Parse genesis YAML validators as structured entries containing both pubkeys.
pkgs/cli/test/fixtures/config.yaml	Update fixture genesis validators to structured dual-pubkey format.
pkgs/cli/src/node.zig	Wire dual pubkeys into chain options; load/store dual keypairs; update checkpoint verification + tests.
pkgs/cli/src/main.zig	Update CLI paths that build genesis specs from key-manager to use dual pubkeys.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

AggregatedSignatureProof.aggregate always calls xmss.aggregateSignatures(raw_xmss_pks, raw_xmss_sigs, ...), even when the aggregation is intended to be “children-only” (no raw XMSS signatures). The underlying XMSS FFI returns AggregationFailed when called with empty key/signature arrays, so any recursive aggregation step with xmss_participants == null will fail. Additionally, the function currently merges child participants into result.participants while proof_data only attests to the raw signatures, making the resulting proof unverifiable if child participants are included. Until the Rust bindings support recursive proof composition, consider explicitly rejecting any call with children.len > 0 (or keep participants limited to the raw set) rather than producing an inconsistent proof.

[Copilot]

computeAggregatedSignatures was substantially refactored (new signature map shape + optional recursive child proof selection), but the dedicated aggregation test suite (block_signatures_testing.zig) was removed in this PR. The remaining tests in block.zig cover SSZ encode/decode but not the aggregation selection/coverage logic. Please add updated tests for the new algorithm (including payload selection and the gossip/payload interaction) to prevent regressions.

[Copilot]

AggregateInnerMap allocates participants but never deinitializes it on the success path. participants_cleanup is set to false after calling AggregatedSignatureProof.aggregate, but aggregate no longer takes ownership of the passed-in bitfield, so this leaks the participants allocation. Consider replacing the participants_cleanup pattern with an unconditional defer participants.deinit(); (or otherwise explicitly deinit after aggregate succeeds).

[Copilot]

produceBlock iterates over forkChoice.latest_known_aggregated_payloads without holding forkChoice.signatures_mutex. Those payload maps are mutated under signatures_mutex elsewhere (e.g., promotion new→known, pruning, deinit), so this read-side iteration can race and potentially use invalid pointers. Please take signatures_mutex (or snapshot/copy the entries under the lock) while building entries.

[Copilot]

In the greedy selection loop, att_bits has errdefer att_bits.deinit(); and is then appended into agg_attestations before the (fallible) attestation_signatures.append(cloned_proof). If that later append fails, both the errdefer and the outer agg_att_cleanup will deinit the same att_bits, risking a double-free. A common pattern used elsewhere in this PR is to wrap in ?AggregationBits and set it to null immediately after transferring ownership to the list.

[Copilot]

Pull request overview

Copilot reviewed 31 out of 31 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The YAML parser now requires GENESIS_VALIDATORS entries to be maps containing attestation_pubkey/proposal_pubkey. That is a breaking change for existing configs that used a simple list of scalar pubkeys (and the function still accepts genesis_validators key but not its legacy scalar shape). If backwards compatibility is intended, extend parseValidatorEntriesFromYaml to accept list items that are either (a) scalar pubkey (treated as both attestation+proposal) or (b) map with both fields; otherwise, update the surrounding docs/comments and error names to explicitly indicate the legacy scalar form is no longer supported.

[Copilot]

This PR significantly changes the aggregation algorithm and inputs (new/known payloads + recursive merge). The previous dedicated aggregation test suite was removed (block_signatures_testing.zig), but an equivalent set of tests for the new behavior isn’t shown here. Please add/update unit tests covering: (1) gossip-only aggregation, (2) child-only aggregation (including multi-child), (3) overlap handling (children vs gossip), and (4) greedy selection priority (new_payloads preferred over known_payloads).

[Copilot]

SignaturesMap.get() returns an InnerMap by value, which makes it easy to accidentally copy the hash map struct and obscures the fact you’re reading shared storage. Prefer using getPtr() here (e.g., const inner_map = signatures_map.getPtr(group.data);) and then query via the pointer; it makes ownership clearer and avoids unnecessary copying of the AutoHashMap wrapper.

[Copilot]

Pull request overview

Copilot reviewed 29 out of 29 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

pkgs/node/src/forkchoice.zig:1547

• aggregateUnlocked holds signatures_mutex for the entire function (via defer unlock), but the comment says the metrics update happens outside the lock scope. Either unlock before updating gauges (if that’s the intent) or adjust the comment to avoid misleading future changes—especially since aggregation work here can be relatively expensive.

        // Capture counts before lock is released
        new_payloads_count = self.latest_new_aggregated_payloads.count();
        gossip_sigs_count = self.attestation_signatures.count();

        // Update fork-choice store gauges after aggregation (outside lock scope)
        zeam_metrics.metrics.lean_latest_new_aggregated_payloads.set(@intCast(new_payloads_count));
        zeam_metrics.metrics.lean_gossip_signatures.set(@intCast(gossip_sigs_count));

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

In genMockChain, all_pubkeys.* is freed via errdefer immediately after allocation, and the same slices are also freed again by the later defer if (should_free_genesis) once they’re moved into genesis_config. If an error occurs after should_free_genesis is set, this can double-free those slices. Fix by removing the errdefer after ownership transfer (or guard it with a flag), and let a single cleanup path own the frees.

[Copilot]

genGenesisState uses std.debug.assert to require validator_attestation_pubkeys.len == validator_proposal_pubkeys.len. In release builds assertions may be disabled, and the subsequent multi-slice for will silently iterate to the shorter length, producing a state with mismatched/ignored validators. Prefer returning a real error when the lengths differ (e.g., error.InvalidGenesisSpec) so this is enforced in all build modes.

Suggested change

	std.debug.assert(genesis.validator_attestation_pubkeys.len == genesis.validator_proposal_pubkeys.len);
	if (genesis.validator_attestation_pubkeys.len != genesis.validator_proposal_pubkeys.len) {
	return error.InvalidGenesisSpec;
	}

[Copilot]

Pull request overview

Copilot reviewed 29 out of 29 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

In computeAggregatedSignatures, pk is created and then appended into sigmap_pks, but there is no errdefer pk.deinit() before the append. If sigmap_pks.append(...) fails, the public key handle will leak. Add an errdefer (and disable it after a successful append) to keep error paths leak-free.

Suggested change

	};
	vid_to_sigmap_idx[validator_id] = sigmap_sigs.items.len;
	try sigmap_sigs.append(allocator, sig);
	try sigmap_pks.append(allocator, pk);
	};
	var pk_added = false;
	errdefer if (!pk_added) pk.deinit();
	vid_to_sigmap_idx[validator_id] = sigmap_sigs.items.len;
	try sigmap_sigs.append(allocator, sig);
	try sigmap_pks.append(allocator, pk);
	pk_added = true;

[Copilot]

getOrCreateCachedKeyPair has errdefer cleanup for attestation_keypair but not for proposal_keypair. If cache.put(...) fails (OOM) after generating both keypairs, the proposal keypair will leak. Add symmetric error cleanup for proposal_keypair (or generate it as var with errdefer) before the cache.put call.

[Copilot]

AggregatedSignatureProof.aggregate allows the case xmss_participants == null with children.len >= 2, but it still unconditionally calls xmss.aggregateSignatures(...). The XMSS FFI aggregator fails on zero raw signatures, so this path will always error even though it passes the input validation. Either reject the no-raw case for now, or implement a non-FFI fallback (e.g., dummy proof_data / purely merging participants) until recursive aggregation is supported end-to-end.

[Copilot]

xmss.aggregateSignatures appends into result.proof_data and does not clear existing content (see xmss aggregation implementation). AggregatedSignatureProof.aggregate currently calls it without resetting result.proof_data, so re-aggregating into an existing result will produce an invalid proof by concatenating bytes. Consider clearing/reinitializing result.proof_data before the FFI call (the function already has an allocator parameter now, so it can safely reset the list).

[Copilot]

In AggregateInnerMap, sig/pk are created with errdefer ...deinit() and then appended into sigs/pks. If an error occurs after the append, the errdefer will still run and deinit the same handle that will later also be deinited by the arraylist cleanup, causing a double-deinit. Use a cleanup flag (set to false after successful append) or move the deinit responsibility exclusively to the list (no errdefer once appended).

[Copilot]

In computeAggregatedSignatures, sig is created with errdefer sig.deinit(); but then appended into sigmap_sigs. If a later try in this scope fails, the errdefer will deinit the signature even though the list cleanup will also deinit it, leading to a double-deinit. Use a cleanup flag (disable after successful append) or restructure to only deinit via the list.

[Copilot]

Pull request overview

Copilot reviewed 35 out of 36 changed files in this pull request and generated 8 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

xmss.aggregateSignatures appends into the provided result.proof_data list. If result is reused (or proof_data is non-empty), this will produce an invalid proof by concatenating multiple serializations. Clear/reset result.proof_data before the FFI call (and ideally document that the output list must start empty).

[Copilot]

This function appends serialized bytes into multisig_aggregated_signature without clearing it first. If the caller passes a non-empty list (or reuses the same list across calls), the output will contain concatenated proofs and verification will fail. Consider clearing the list at the start (or change the API to return a fresh list) and document the required precondition explicitly.

[Copilot]

total_child_pks is computed with sum() on an untrusted child_num_keys array from FFI. usize overflow can wrap in release builds, which can lead to constructing undersized slices and out-of-bounds reads/panics. Use checked accumulation (e.g., try_fold + checked_add) and return null on overflow/inconsistent inputs.

[Copilot]

The surrounding comment still says “SSZ encoding”, but this function now serializes the secret key using postcard (postcard::to_allocvec). Update the docstring/API naming so FFI callers don’t assume SSZ for private key bytes (and so it’s clear which encoding hashsig_keypair_from_ssz expects for the secret key).

[Copilot]

The epoch parameter is now forwarded to the Rust FFI as slot, and the underlying aggregation/verification APIs are slot-based. Renaming this parameter (and related comments/tests) to slot would avoid callers accidentally passing an epoch number and producing unverifiable signatures/proofs.

[Copilot]

Indexing all_pk_ptrs[pk_offset + j] can panic if child_num_keys is inconsistent with the provided child_all_pub_keys backing array (or if the sum/offset bookkeeping is wrong). Panics across extern "C" are highly undesirable; add explicit bounds checks (e.g., verify pk_offset + n <= all_pk_ptrs.len() before the inner loop) and return null on invalid inputs.

[Copilot]

Docstring says the secret key is SSZ-encoded, but the implementation now deserializes the secret key using postcard::from_bytes. This is an API contract mismatch for FFI callers; update the docs (and ideally the function name) to reflect the actual encoding used for the private key bytes.

[Copilot]

getOrCreateCachedKeyPair removes and deinitializes the cached keypairs when num_active_epochs increases. Because ValidatorKeys returned from the cache are bitwise copies into each KeyManager (and cached keys are intentionally not deinit’d on KeyManager.deinit), this can invalidate previously returned/borrowed key handles and lead to use-after-free if multiple test key managers exist concurrently or if a cached key is reused after the cache grows. Safer options are to never deinit cached entries (leak in tests), key the cache by (validator_id, num_active_epochs), or use reference-counted ownership so old handles remain valid.

[Copilot]

Pull request overview

Copilot reviewed 36 out of 37 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

new_payloads is moved into self.latest_new_aggregated_payloads while an errdefer still owns it. If results.toOwnedSlice() fails after the assignment, the errdefer deinitAggregatedPayloadsMap(&new_payloads) will run and free memory now referenced by self.latest_new_aggregated_payloads, leading to use-after-free/double-free later. Disarm the errdefer once ownership is transferred (e.g., via a moved flag or by assigning into a local and only moving into self after toOwnedSlice succeeds).

Suggested change

	self.latest_new_aggregated_payloads = new_payloads;
	self.latest_new_aggregated_payloads = new_payloads;
	new_payloads = .empty;

[Copilot]

std::mem::transmute between leansig_fast_keygen and leansig public key types is undefined behavior unless both types have an explicit layout guarantee (e.g., #[repr(transparent)] over the same field) and identical size/alignment. Prefer a safe conversion (serialize to bytes and re-parse), or introduce a shared type in a common crate and convert via From/Into; at minimum add compile-time size/alignment assertions and document the required repr guarantees.

[Copilot]

Same issue for signature conversion: transmute across crate-defined signature types is UB unless layout is guaranteed identical. Use a safe conversion path (bytes roundtrip) or a shared repr(transparent) type, and add size/alignment assertions if an unsafe cast is truly required.

[Copilot]

log_inv_rate comes from FFI input but is passed straight into rec_xmss_aggregate. Since callers can supply arbitrary values, validate it (e.g., enforce the documented range) and return null on invalid input to avoid panics or pathological resource use in the backend.

[Copilot]

log_inv_rate is documented as (1-4) but never validated before crossing the FFI boundary. Add an explicit range check early (and consider checked accumulation for total_child_pks to avoid overflow) so invalid caller input fails fast with AggregationFailed instead of risking undefined behavior or backend panics.

[Copilot]

Pull request overview

Copilot reviewed 37 out of 38 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

std::mem::transmute between leansig_fast_keygen and leansig public key/signature types is undefined behavior unless the two types have a guaranteed identical layout (e.g., #[repr(C)]) and identical validity invariants. Since these are distinct crate types with Rust default layout, this can silently break on compiler/dep updates.

Safer approach: convert across crates via bytes (e.g., to_bytes() on the fast-keygen type + from_bytes() on the leansig type), or add an explicit wrapper/newtype in a shared crate that defines the canonical representation.

[Copilot]

SigningError::SigningFailed lost the underlying error detail ({0:?}), which makes debugging signing failures through FFI much harder. Consider keeping the original error as a source (or at least include a short reason code/string) so callers can distinguish invalid epoch/message/key issues from internal failures.

[Copilot]

The public API still uses the name epoch for the slot-bound aggregation/verification parameter, but the underlying Rust FFI now takes slot. Keeping epoch here is easy to misuse (e.g., passing a real epoch number instead of the signing slot) and makes the existing tests/readers misleading.

Recommend renaming the parameter to slot throughout this module (including verifyAggregatedPayload and related tests) to match the FFI and prevent accidental signature verification against the wrong domain parameter.

[Copilot]

Pull request overview

Copilot reviewed 37 out of 38 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

PrivateKey::generate constrains R only as rand::CryptoRng, but XmssScheme::key_gen will typically require an RNG core (RngCore/Rng). With the current bound, this is likely to fail to compile (or unnecessarily restrict callers). Consider changing the bound to R: rand::RngCore + rand::CryptoRng (or rand::Rng + rand::CryptoRng) to match what key_gen expects.

[Copilot]

hashsig_keypair_generate seeds StdRng from a hashed seed phrase. StdRng's algorithm is explicitly not guaranteed to be stable across rand versions/platforms, which can break deterministic key generation (fixtures, interop, reproducible devnets). Prefer a fixed RNG (e.g. ChaCha from rand_chacha) or otherwise document and pin the exact RNG/rand version guarantee expected here.

[Copilot]

When collecting gossip signatures, sig is protected by errdefer, but pk is not. If any of the subsequent append calls fails, the function returns early and the freshly created pk will leak (it is not in sigmap_pks yet, so the deferred loop won’t deinit it). Add errdefer pk.deinit() (and consider a similar pattern for sig) before the first fallible operation after construction.

[Copilot]

In the child public-key construction loop, pk wrappers are appended to child_pk_wrappers without an errdefer pk.deinit(). If append fails, the newly created pk leaks because it’s not yet tracked by any deferred cleanup. Add errdefer pk.deinit() before the append, or append first via a helper that guarantees deinit on failure.

Suggested change

	try child_pk_wrappers.append(allocator, pk);
	child_pk_wrappers.append(allocator, pk) catch |err| {
	pk.deinit();
	return err;
	};

[anshalshukla]

@zclawz as a followup PR we can do parallel processing here something similar to how it can be done using rayon, this being a computationally expensive task. Create an issue for same no need to address it right now.

[zclawz]

Created #709 to track this — parallel processing for the expensive block computation in block.zig. Will be a follow-up after devnet4.

[Copilot]

Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.

[anshalshukla]

I would ideally want to use leansig here not the wrapper from leanMultisig but it's fine this way as well.

[g11tech]

this is 16? and are we not doing this as a config.yaml variable?
cc @anshalshukla

[anshalshukla]

@zclawz create a PR on top of main to address this comment

[g11tech]

add a todo: optimize this to have best entries in terms of moving the justification and finalization forward

[anshalshukla]

I think it is the case right now, the entries are sorted by target, and entries whose source doesn't match will get rejected so it will maximally include attestation_data that that are at current justified (finalisation candidate) and with closest (smallest, justification candidate) target slot

[g11tech]

great!

[zclawz]

Created PR #711 to address the review comment: #711

Fixes both issues:

• Corrected value from 8 → 16 (per leanSpec sync block pruning #536)
• Moved from constants.zig to ChainSpec config, readable from config.yaml as MAX_ATTESTATIONS_DATA