fix(sequencer): enforce build-frame deadlines and align attestation/publish windows (#23776)

## Summary

Fixes timing bugs in block building and validation, now that proposer
pipelining is the only production mode. Found via an audit of the
sequencer timetable, checkpoint proposal job, validator client, proposal
handler, and p2p proposal/attestation validators.

### The frame bug (main fix)

Under pipelining the proposer job runs with `slotNow = N-1` (build slot)
and `targetSlot = N`. The job passed `targetSlot` to `setState` for
build-frame states, so `Sequencer.setState` measured the
`assertTimeLeft` deadlines against
`getSlotStartBuildTimestamp(targetSlot)` — one full Aztec slot (72s)
later than the build frame. The build-frame deadlines
(`INITIALIZING_CHECKPOINT`, `CREATING_BLOCK`, `ASSEMBLING_CHECKPOINT`,
`COLLECTING_ATTESTATIONS`, `PUBLISHING_CHECKPOINT`, …) were therefore
checked ~72s too late and never fired. Now these states are measured
against `slotNow`. `targetSlot` is still used for headers, signing, and
`sendRequestsAt`.

### Aligning the attestation / publish windows around L1 geometry

- The checkpoint attestation/publish deadline and the p2p attestation
acceptance window are now derived from `ethereumSlotDuration` — **one
Ethereum slot (12s) before the last L1 block of the target slot**, the
latest a checkpoint can be submitted and still land on L1 in its slot.
Previously the deadline used the configurable `l1PublishingTime` and the
p2p window was only `2 * p2pPropagationTime` (~4.5s into the target
slot). This also unifies the deadline with the publisher's send lead
(`sendRequestsAt` already targets one Ethereum slot before the target
slot start).
- Validators (in `validateCheckpointProposal`) keep validating/attesting
checkpoint proposals until that L1 publish deadline instead of the
target-slot start, so attestations stay useful right up to the
proposer's real publish cutoff. Block-proposal re-execution deadlines
are intentionally left at the target-slot start.

### Why no test caught the frame bug

The job timing test built the job with `slotNow === targetSlot` (so the
two frames coincided) and stubbed `setStateFn` with a no-op, mocking
away the very `assertTimeLeft` enforcement where the frame matters. This
PR adds:

- A contract test asserting every build-frame state is set against the
build slot (`slotNow`), not the target slot.
- A behavioral test with a real enforcing `setStateFn`: a checkpoint
whose assembly crosses the build-frame deadline is now correctly
abandoned. Both fail on the pre-fix code and pass after the fix.
- Updated stdlib/timetable, clock-tolerance, attestation-validator,
proposal-handler, and validator tests for the realigned windows
(including an `l1PublishingTime != ethereumSlotDuration` case proving
the deadline is now Ethereum-slot-based).

No constants were removed and no broader cleanup was done; that is
deferred.

## Test plan

- `yarn build` green; touched packages lint/format clean.
- `@aztec/stdlib` timetable, `@aztec/sequencer-client` (incl.
`timetable`, `checkpoint_proposal_job.timing`, `sequencer-publisher`),
`@aztec/validator-client` (incl. `proposal_handler`, `validator`), and
`@aztec/p2p` `msg_validators` suites pass.

Author: spalladino

yarn-project/p2p/src/msg_validators/attestation_validator/attestation_validator.test.ts

@@ -97,7 +97,8 @@ describe('CheckpointAttestationValidator', () => {
 
   it('accepts attestation for current slot inside the straggler window', async () => {
     // Attestation is for slot 98 (current wallclock slot), but targetSlot is 99 (pipelining).
-    // attestationWindowIntoTargetSlot = 2*p2p = 4s ⇒ straggler grace 4s+500ms disparity.
+    // attestationWindowIntoTargetSlot now spans target-slot start to the L1 publish deadline:
+    // aztecSlotDuration - 2*ethereumSlotDuration = 72 - 24 = 48s ⇒ straggler grace 48s+500ms.
     const header = CheckpointHeader.random({ slotNumber: SlotNumber(98) });
     const mockAttestation = makeCheckpointAttestation({
       header,
@@ -119,7 +120,39 @@ describe('CheckpointAttestationValidator', () => {
       epoch: EpochNumber(1),
       slot: SlotNumber(98),
       ts: 1000n,
-      nowMs: 1003000n, // 3000ms elapsed, within 4500ms straggler grace
+      nowMs: 1003000n, // 3000ms elapsed, within 48500ms straggler grace
+    });
+    epochCache.isInCommittee.mockResolvedValue(true);
+    epochCache.getProposerAttesterAddressInSlot.mockResolvedValue(proposer.address);
+
+    const result = await validator.validate(mockAttestation);
+    expect(result).toEqual({ result: 'accept' });
+  });
+
+  it('accepts attestation arriving well into the target slot (previously rejected past ~4.5s)', async () => {
+    // 30s into the target slot — past the old 4.5s window, well within the new 48.5s window.
+    const header = CheckpointHeader.random({ slotNumber: SlotNumber(98) });
+    const mockAttestation = makeCheckpointAttestation({
+      header,
+      attesterSigner: attester,
+      proposerSigner: proposer,
+    });
+
+    epochCache.getTargetAndNextSlot.mockReturnValue({
+      targetSlot: SlotNumber(99),
+      nextSlot: SlotNumber(100),
+    });
+    epochCache.getSlotNow.mockReturnValue(SlotNumber(98));
+    epochCache.getL1Constants.mockReturnValue({
+      slotDuration: 72,
+      ethereumSlotDuration: 12,
+    } as any);
+
+    epochCache.getEpochAndSlotNow.mockReturnValue({
+      epoch: EpochNumber(1),
+      slot: SlotNumber(98),
+      ts: 1000n,
+      nowMs: 1030000n, // 30s elapsed — accepted now, would have been rejected pre-fix
     });
     epochCache.isInCommittee.mockResolvedValue(true);
     epochCache.getProposerAttesterAddressInSlot.mockResolvedValue(proposer.address);
@@ -151,7 +184,7 @@ describe('CheckpointAttestationValidator', () => {
       epoch: EpochNumber(1),
       slot: SlotNumber(99),
       ts: 1000n,
-      nowMs: 1005000n, // 5000ms elapsed, past 4500ms straggler cutoff
+      nowMs: 1049000n, // 49s elapsed, past the 48.5s straggler cutoff (48s window + 500ms disparity)
     });
     epochCache.isInCommittee.mockResolvedValue(true);
 

yarn-project/p2p/src/msg_validators/clock_tolerance.test.ts

@@ -260,10 +260,11 @@ describe('clock_tolerance', () => {
   });
 
   describe('PipeliningWindow.acceptsAttestation', () => {
-    // Config: 72s slot, 2s p2p.
-    // Under early pipelining, attestationWindowIntoTargetSlot = 2*p2p = 4s,
-    // giving straggler attestations 4s+500ms grace after the receiver rolls
-    // into the next slot.
+    // Config: 72s slot, 12s Ethereum slot.
+    // attestationWindowIntoTargetSlot now spans target-slot start to the L1 publish deadline:
+    // aztecSlotDuration - 2*ethereumSlotDuration = 72 - 24 = 48s, giving straggler attestations
+    // 48s + 500ms grace after the receiver rolls into the target slot, so the proposer can keep
+    // collecting useful attestations until right before the publish deadline.
     let epochCache: ReturnType<typeof mock<EpochCacheInterface>>;
     let pipeliningWindow: PipeliningWindow;
 
@@ -282,34 +283,31 @@ describe('clock_tolerance', () => {
         epoch: 1 as any,
         slot: SlotNumber(100),
         ts: 1000n,
-        nowMs: 1003000n, // 3000ms elapsed, within 4500ms straggler grace
+        nowMs: 1003000n, // 3000ms elapsed, within 48500ms straggler grace
       });
 
       expect(pipeliningWindow.acceptsAttestation(SlotNumber(100))).toBe(true);
     });
 
-    it('rejects a current-slot attestation past the straggler window', () => {
+    it('accepts an attestation arriving well into the target slot (previously rejected past ~4.5s)', () => {
       epochCache.getEpochAndSlotNow.mockReturnValue({
         epoch: 1 as any,
         slot: SlotNumber(100),
         ts: 1000n,
-        nowMs: 1005000n, // 5000ms elapsed, past 4500ms cutoff
+        nowMs: 1030000n, // 30s into the target slot — past the old 4.5s window, within the new 48.5s
       });
 
-      expect(pipeliningWindow.acceptsAttestation(SlotNumber(100))).toBe(false);
+      expect(pipeliningWindow.acceptsAttestation(SlotNumber(100))).toBe(true);
     });
 
-    it('scales the straggler window with p2pPropagationTime', () => {
-      // With p2pPropagationTime = 4, straggler window = 8s + 500ms disparity.
-      const longer = new PipeliningWindow(epochCache, { l1PublishingTime: 12, p2pPropagationTime: 4 });
+    it('rejects a current-slot attestation past the L1 publish deadline window', () => {
       epochCache.getEpochAndSlotNow.mockReturnValue({
         epoch: 1 as any,
         slot: SlotNumber(100),
         ts: 1000n,
-        nowMs: 1007000n,
+        nowMs: 1049000n, // 49s elapsed, past the 48.5s cutoff (48s window + 500ms disparity)
       });
 
-      expect(longer.acceptsAttestation(SlotNumber(100))).toBe(true);
       expect(pipeliningWindow.acceptsAttestation(SlotNumber(100))).toBe(false);
     });
   });

yarn-project/sequencer-client/src/sequencer/README.md

@@ -94,11 +94,17 @@ These constants come from `@aztec/stdlib/timetable` (see `stdlib/src/timetable/i
 | `WAITING_FOR_TXS`           | `initializeDeadline + checkpointInitializationTime`                         |
 | `CREATING_BLOCK`            | same as `WAITING_FOR_TXS`                                                   |
 | `WAITING_UNTIL_NEXT_BLOCK`  | same as `WAITING_FOR_TXS`                                                   |
-| `ASSEMBLING_CHECKPOINT`     | `aztecSlotDuration` (assembly completes by the build-slot boundary)         |
+| `ASSEMBLING_CHECKPOINT`     | `aztecSlotDuration + pipeliningAttestationGracePeriod`                      |
 | `COLLECTING_ATTESTATIONS`   | same as `ASSEMBLING_CHECKPOINT`                                             |
-| `PUBLISHING_CHECKPOINT`     | `2 * aztecSlotDuration - l1PublishingTime` (extends into the target slot)   |
+| `PUBLISHING_CHECKPOINT`     | `2 * aztecSlotDuration - ethereumSlotDuration` (extends into the target slot) |
 
-`ASSEMBLING_CHECKPOINT` and `COLLECTING_ATTESTATIONS` must be *entered* before the build-slot boundary; once entered, attestation collection itself has its own `checkpointAttestationDeadline = 2 * aztecSlotDuration - l1PublishingTime`, so a late attestation arriving after the boundary is still accepted. The publishing deadline extends into the target slot because that is when the L1 tx is actually submitted.
+In production-like timing, `pipeliningAttestationGracePeriod` is zero, so `ASSEMBLING_CHECKPOINT` and
+`COLLECTING_ATTESTATIONS` must be *entered* before the build-slot boundary. Local networks with
+`l1PublishingTime < ethereumSlotDuration` can use the target-slot attestation window as grace while preserving the
+L1-geometry publishing cutoff. Once entered, attestation collection itself has its own
+`checkpointAttestationDeadline = 2 * aztecSlotDuration - ethereumSlotDuration`, so a late attestation arriving after
+the boundary is still accepted. The publishing deadline extends into the target slot because that is when the L1 tx is
+actually submitted.
 
 ## Example: 72 s slot, 8 s sub-slots
 
@@ -208,7 +214,9 @@ The current sub-slot is dropped without committing anything. The loop retries on
 
 ### Build slot ends before attestations arrive
 
-`assertTimeLeft` will reject `PUBLISHING_CHECKPOINT` if the attestation deadline has passed; the slot is abandoned, and `checkpoint-publish-failed` is emitted. The `PUBLISHING_CHECKPOINT` deadline allows spillover into the target slot (`2 * aztecSlotDuration - l1PublishingTime`) precisely to absorb a small overrun.
+`assertTimeLeft` will reject `PUBLISHING_CHECKPOINT` if the attestation deadline has passed; the slot is abandoned, and
+`checkpoint-publish-failed` is emitted. The `PUBLISHING_CHECKPOINT` deadline allows spillover into the target slot
+(`2 * aztecSlotDuration - ethereumSlotDuration`) precisely to absorb a small overrun.
 
 ### Pipelined parent fails on L1
 
@@ -230,4 +238,6 @@ aztecSlotDuration ≥ checkpointInitializationTime
 
 Block duration should be ≥ `minExecutionTime` (otherwise no sub-slot ever has enough headroom). `p2pPropagationTime` should be measured against the deployment's actual p2p latency: it directly determines how much of each slot is spent on the cooldown.
 
-`l1PublishingTime` should fit inside the Ethereum slot the target slot maps to. The default of 12 s lines up with one Ethereum slot; congested deployments may need to increase it (which only affects the `PUBLISHING_CHECKPOINT` deadline, not the number of blocks built).
+`l1PublishingTime` should fit inside the Ethereum slot the target slot maps to. The default of 12 s lines up with one
+Ethereum slot; fast local networks may reduce it to use the target-slot attestation window as assembly and attestation
+grace.

yarn-project/sequencer-client/src/sequencer/checkpoint_proposal_job.timing.test.ts

@@ -11,7 +11,7 @@ import { type P2P, P2PClientState } from '@aztec/p2p';
 import type { SlasherClientInterface } from '@aztec/slasher';
 import { AztecAddress } from '@aztec/stdlib/aztec-address';
 import type { L2Block, L2BlockSink, L2BlockSource, ProposedCheckpointSink } from '@aztec/stdlib/block';
-import type { L1RollupConstants } from '@aztec/stdlib/epoch-helpers';
+import { type L1RollupConstants, getSlotStartBuildTimestamp } from '@aztec/stdlib/epoch-helpers';
 import { GasFees } from '@aztec/stdlib/gas';
 import type {
   BlockBuilderOptions,
@@ -301,8 +301,9 @@ describe('CheckpointProposalJob Timing Tests', () => {
   }
 
   /** Create a TimingTestCheckpointProposalJob with current mocks */
-  function createJob(): TimingTestCheckpointProposalJob {
-    const setStateFn = jest.fn();
+  function createJob(
+    setStateFn: (state: SequencerState, slot?: SlotNumber, timeReferenceSlot?: SlotNumber) => void = jest.fn(),
+  ): TimingTestCheckpointProposalJob {
     const eventEmitter = new EventEmitter() as TypedEventEmitter<SequencerEvents>;
 
     return new TimingTestCheckpointProposalJob(
@@ -1138,4 +1139,89 @@ describe('CheckpointProposalJob Timing Tests', () => {
       expect(publisher.sendRequestsAt).toHaveBeenCalledWith(targetSlot);
     });
   });
+
+  describe('Build-frame deadline enforcement', () => {
+    // Regression coverage for the frame bug: build-frame state deadlines must be measured against
+    // the build slot (`slotNow`), not the target slot. Passing `targetSlot` shifted every deadline a
+    // full Aztec slot into the future (frame B), so they never fired.
+
+    // States the job owns and sets while building inside the build frame. Their deadlines must be
+    // enforced against `slotNow`.
+    const buildFrameStates = [
+      SequencerState.INITIALIZING_CHECKPOINT,
+      SequencerState.WAITING_FOR_TXS,
+      SequencerState.CREATING_BLOCK,
+      SequencerState.WAITING_UNTIL_NEXT_BLOCK,
+      SequencerState.ASSEMBLING_CHECKPOINT,
+      SequencerState.COLLECTING_ATTESTATIONS,
+      SequencerState.PUBLISHING_CHECKPOINT,
+    ];
+
+    it('passes the target slot to observers and the build slot to deadline checks for build-frame states', async () => {
+      const { blocks, txs } = await createTestBlocksAndTxs(2);
+      mockP2pWithTxs(txs);
+      // Force a single WAITING_FOR_TXS poll before the first block by reporting no pending txs once.
+      p2p.getPendingTxCount.mockResolvedValueOnce(0);
+      checkpointBuilder.seedBlocks(
+        blocks,
+        blocks.map((_, i) => [txs[i]]),
+      );
+      checkpointBuilder.setExecutionDurations([5, 5]);
+
+      validatorClient.collectAttestations.mockResolvedValue(getAttestations(blocks[1]));
+
+      setTimeInSlot(1);
+
+      const observedSlots = new Map<
+        SequencerState,
+        { slot: SlotNumber | undefined; timeReferenceSlot: SlotNumber | undefined }
+      >();
+      const setStateFn = jest.fn((state: SequencerState, slot?: SlotNumber, timeReferenceSlot?: SlotNumber) => {
+        observedSlots.set(state, { slot, timeReferenceSlot });
+      });
+
+      const job = createJob(setStateFn);
+      await job.execute();
+      await job.awaitPendingSubmission();
+
+      // The build and target slot differ, so the bug would be observable.
+      expect(Number(targetSlot)).toBe(Number(slotNumber) + PROPOSER_PIPELINING_SLOT_OFFSET);
+
+      for (const state of buildFrameStates) {
+        expect(observedSlots.has(state)).toBe(true);
+        expect(observedSlots.get(state)?.slot).toBe(targetSlot);
+        expect(observedSlots.get(state)?.timeReferenceSlot).toBe(slotNumber);
+      }
+    });
+
+    it('abandons the slot when a build-frame deadline is missed (assembly past the build-slot boundary)', async () => {
+      const { blocks, txs } = await createTestBlocksAndTxs(1);
+      mockP2pWithTxs(txs);
+      checkpointBuilder.seedBlocks(blocks, [[txs[0]]]);
+      // Single block runs 50s -> 80s (in the build frame), so ASSEMBLING_CHECKPOINT is entered at
+      // ~80s into the build frame, past its deadline (checkpointAssemblyDeadline = 72s in frame A).
+      checkpointBuilder.setExecutionDurations([30]);
+
+      validatorClient.collectAttestations.mockResolvedValue(getAttestations(blocks[0]));
+
+      setTimeInSlot(50);
+
+      // Enforcing setStateFn mirroring Sequencer.setState: measures the deadline against the
+      // explicit time reference slot when one is provided.
+      const setStateFn = (state: SequencerState, slot?: SlotNumber, timeReferenceSlot?: SlotNumber) => {
+        const slotForTiming = timeReferenceSlot ?? slot;
+        if (slotForTiming !== undefined) {
+          const ref = getSlotStartBuildTimestamp(slotForTiming, l1Constants);
+          timetable.assertTimeLeft(state, dateProvider.nowInSeconds() - ref);
+        }
+      };
+
+      const job = createJob(setStateFn);
+      const checkpoint = await job.execute();
+
+      // Past the build-frame assembly deadline: the SequencerTooSlowError is caught inside
+      // proposeCheckpoint, which returns undefined, so no checkpoint is produced.
+      expect(checkpoint).toBeUndefined();
+    });
+  });
 });

yarn-project/sequencer-client/src/sequencer/checkpoint_proposal_job.ts

@@ -149,7 +149,7 @@ export class CheckpointProposalJob implements Traceable {
     private readonly metrics: SequencerMetrics,
     private readonly checkpointMetrics: CheckpointProposalJobMetricsRecorder,
     protected readonly eventEmitter: TypedEventEmitter<SequencerEvents>,
-    private readonly setStateFn: (state: SequencerState, slot?: SlotNumber) => void,
+    private readonly setStateFn: (state: SequencerState, slot?: SlotNumber, timeReferenceSlot?: SlotNumber) => void,
     public readonly tracer: Tracer,
     bindings?: LoggerBindings,
     private readonly proposedCheckpointData?: ProposedCheckpointData,
@@ -328,7 +328,8 @@ export class CheckpointProposalJob implements Traceable {
   private async enqueueCheckpointForSubmission(result: CheckpointProposalResult): Promise<void> {
     const { checkpoint, attestations, attestationsSignature } = result;
 
-    this.setStateFn(SequencerState.PUBLISHING_CHECKPOINT, this.targetSlot);
+    // Build-frame deadlines are measured against `slotNow`; observers still see `targetSlot`.
+    this.setStateFn(SequencerState.PUBLISHING_CHECKPOINT, this.targetSlot, this.slotNow);
     const aztecSlotDuration = this.l1Constants.slotDuration;
     const submissionSlotStart = Number(getTimestampForSlot(this.targetSlot, this.l1Constants));
     const txTimeoutAt = new Date((submissionSlotStart + aztecSlotDuration) * 1000);
@@ -518,7 +519,7 @@ export class CheckpointProposalJob implements Traceable {
       const feeRecipient = this.validatorClient.getFeeRecipientForAttestor(this.attestorAddress);
 
       // Start the checkpoint
-      this.setStateFn(SequencerState.INITIALIZING_CHECKPOINT, this.targetSlot);
+      this.setStateFn(SequencerState.INITIALIZING_CHECKPOINT, this.targetSlot, this.slotNow);
       this.logCheckpointEvent('slot-started', `Starting checkpoint proposal for slot ${this.targetSlot}`, {
         buildSlot: this.slotNow,
         submissionSlot: this.targetSlot,
@@ -671,7 +672,7 @@ export class CheckpointProposalJob implements Traceable {
 
       // Assemble and broadcast the checkpoint proposal, including the last block that was not
       // broadcasted yet, and wait to collect the committee attestations.
-      this.setStateFn(SequencerState.ASSEMBLING_CHECKPOINT, this.targetSlot);
+      this.setStateFn(SequencerState.ASSEMBLING_CHECKPOINT, this.targetSlot, this.slotNow);
       const checkpoint = await checkpointBuilder.completeCheckpoint();
 
       // Final validation: per-block limits are only checked if the operator set them explicitly.
@@ -963,7 +964,7 @@ export class CheckpointProposalJob implements Traceable {
   /** Sleeps until it is time to produce the next block in the slot */
   @trackSpan('CheckpointProposalJob.waitUntilNextSubslot')
   private async waitUntilNextSubslot(nextSubslotStart: number) {
-    this.setStateFn(SequencerState.WAITING_UNTIL_NEXT_BLOCK, this.targetSlot);
+    this.setStateFn(SequencerState.WAITING_UNTIL_NEXT_BLOCK, this.targetSlot, this.slotNow);
     this.log.verbose(`Waiting until time for the next block at ${nextSubslotStart}s into slot`, {
       slot: this.targetSlot,
     });
@@ -1034,7 +1035,7 @@ export class CheckpointProposalJob implements Traceable {
         `Building block ${blockNumber} at index ${indexWithinCheckpoint} for slot ${this.targetSlot} with ${availableTxs} available txs`,
         { slot: this.targetSlot, blockNumber, indexWithinCheckpoint },
       );
-      this.setStateFn(SequencerState.CREATING_BLOCK, this.targetSlot);
+      this.setStateFn(SequencerState.CREATING_BLOCK, this.targetSlot, this.slotNow);
 
       // Per-block limits are operator overrides (from SEQ_MAX_L2_BLOCK_GAS etc.) further capped
       // by remaining checkpoint-level budgets inside CheckpointBuilder before each block is built.
@@ -1205,7 +1206,7 @@ export class CheckpointProposalJob implements Traceable {
       }
 
       // Wait a bit before checking again
-      this.setStateFn(SequencerState.WAITING_FOR_TXS, this.targetSlot);
+      this.setStateFn(SequencerState.WAITING_FOR_TXS, this.targetSlot, this.slotNow);
       this.log.verbose(
         `Waiting for enough txs to build block ${blockNumber} at index ${indexWithinCheckpoint} in slot ${this.targetSlot} (have ${availableTxs} but need ${minTxs})`,
         { blockNumber, slot: this.targetSlot, indexWithinCheckpoint },
@@ -1221,7 +1222,7 @@ export class CheckpointProposalJob implements Traceable {
     broadcast: CheckpointProposalBroadcast,
   ): Promise<{ attestations: CommitteeAttestationsAndSigners; attestationsSignature: Signature } | undefined> {
     const { proposal, blockProposedAt } = broadcast;
-    this.setStateFn(SequencerState.COLLECTING_ATTESTATIONS, this.targetSlot);
+    this.setStateFn(SequencerState.COLLECTING_ATTESTATIONS, this.targetSlot, this.slotNow);
     const attestations = await this.waitForAttestations(proposal);
     if (!attestations) {
       return undefined;

yarn-project/sequencer-client/src/sequencer/events.ts

@@ -10,6 +10,7 @@ export type SequencerEvents = {
     newState: SequencerState;
     secondsIntoSlot?: number;
     slot?: SlotNumber;
+    timeReferenceSlot?: SlotNumber;
   }) => void;
   /**
    * Emitted by the sequencer once it has decided it is going to attempt to build a