[guardian] drive committee handoff each leader tick

The guardian's committee is set once at ProvisionerInit and can never
change, so signature verification fails as soon as hashi rotates past
the bootstrap epoch. The guardian-side fix (new `UpdateCommittee` RPC
and `current_committee_epoch` reporting) lands in the stacked PR
underneath this one. This PR wires the hashi-server side that drives
the handoff.

- Each leader tick spawns a bounded one-shot reconcile task. It reads
  the guardian's `current_committee_epoch`, and for each missing step
  fans out `SignCommitteeTransition` across the OUTGOING committee,
  aggregates a BLS cert with each member's historical per-epoch BLS
  signing key from `db.signing_keys`, and sends an `UpdateCommittee`
  to advance the guardian by one epoch.
- The new committee in the transition is reconstructed by each signer
  from on-chain state at `from_epoch + 1` — no committee bytes travel
  on the inter-node wire, so the leader can't get peers to sign
  attacker-crafted committees.
- Idempotency lives on the guardian side, so leader churn / lost RPC
  results are safe — the next leader simply repeats.
- New metric `hashi_guardian_current_committee_epoch` mirrors the
  guardian's reported epoch.

Author: 0xsiddharthks

crates/hashi-types/proto/sui/hashi/v1alpha/bridge_service.proto

@@ -25,6 +25,9 @@ service BridgeService {
   rpc SignWithdrawalTxSigning(SignWithdrawalTxSigningRequest) returns (SignWithdrawalTxSigningResponse);
   // Step 4: Sign committee approval to confirm a processed withdrawal on-chain.
   rpc SignWithdrawalConfirmation(SignWithdrawalConfirmationRequest) returns (SignWithdrawalConfirmationResponse);
+  // Sign a committee transition from `from_epoch` to `from_epoch + 1` so the
+  // leader can aggregate a certificate to advance the guardian's committee.
+  rpc SignCommitteeTransition(SignCommitteeTransitionRequest) returns (SignCommitteeTransitionResponse);
 }
 
 message GetServiceInfoRequest {}
@@ -186,3 +189,16 @@ message SignGuardianWithdrawalRequestRequest {
 message SignGuardianWithdrawalRequestResponse {
   MemberSignature member_signature = 1;
 }
+
+// Peers reconstruct the same `CommitteeTransition` from on-chain state at
+// `from_epoch + 1` and BLS-sign it with their historical epoch-`from_epoch`
+// signing key. No new committee bytes on the wire — peers can't be tricked
+// into signing an attacker-crafted committee.
+message SignCommitteeTransitionRequest {
+  // The outgoing committee's epoch. Implies new_epoch = from_epoch + 1.
+  uint64 from_epoch = 1;
+}
+
+message SignCommitteeTransitionResponse {
+  MemberSignature member_signature = 1;
+}

crates/hashi-types/src/proto/generated/sui.hashi.v1alpha.fds.bin

@@ -175,6 +175,21 @@ pub struct SignGuardianWithdrawalRequestResponse {
     #[prost(message, optional, tag = "1")]
     pub member_signature: ::core::option::Option<MemberSignature>,
 }
+/// Peers reconstruct the same `CommitteeTransition` from on-chain state at
+/// `from_epoch + 1` and BLS-sign it with their historical epoch-`from_epoch`
+/// signing key. No new committee bytes on the wire — peers can't be tricked
+/// into signing an attacker-crafted committee.
+#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
+pub struct SignCommitteeTransitionRequest {
+    /// The outgoing committee's epoch. Implies new_epoch = from_epoch + 1.
+    #[prost(uint64, tag = "1")]
+    pub from_epoch: u64,
+}
+#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
+pub struct SignCommitteeTransitionResponse {
+    #[prost(message, optional, tag = "1")]
+    pub member_signature: ::core::option::Option<MemberSignature>,
+}
 /// Generated client implementations.
 pub mod bridge_service_client {
     #![allow(
@@ -505,6 +520,37 @@ pub mod bridge_service_client {
                 );
             self.inner.unary(req, path, codec).await
         }
+        /// Sign a committee transition from `from_epoch` to `from_epoch + 1` so the
+        /// leader can aggregate a certificate to advance the guardian's committee.
+        pub async fn sign_committee_transition(
+            &mut self,
+            request: impl tonic::IntoRequest<super::SignCommitteeTransitionRequest>,
+        ) -> std::result::Result<
+            tonic::Response<super::SignCommitteeTransitionResponse>,
+            tonic::Status,
+        > {
+            self.inner
+                .ready()
+                .await
+                .map_err(|e| {
+                    tonic::Status::unknown(
+                        format!("Service was not ready: {}", e.into()),
+                    )
+                })?;
+            let codec = tonic_prost::ProstCodec::default();
+            let path = http::uri::PathAndQuery::from_static(
+                "/sui.hashi.v1alpha.BridgeService/SignCommitteeTransition",
+            );
+            let mut req = request.into_request();
+            req.extensions_mut()
+                .insert(
+                    GrpcMethod::new(
+                        "sui.hashi.v1alpha.BridgeService",
+                        "SignCommitteeTransition",
+                    ),
+                );
+            self.inner.unary(req, path, codec).await
+        }
     }
 }
 /// Generated server implementations.
@@ -586,6 +632,15 @@ pub mod bridge_service_server {
             tonic::Response<super::SignWithdrawalConfirmationResponse>,
             tonic::Status,
         >;
+        /// Sign a committee transition from `from_epoch` to `from_epoch + 1` so the
+        /// leader can aggregate a certificate to advance the guardian's committee.
+        async fn sign_committee_transition(
+            &self,
+            request: tonic::Request<super::SignCommitteeTransitionRequest>,
+        ) -> std::result::Result<
+            tonic::Response<super::SignCommitteeTransitionResponse>,
+            tonic::Status,
+        >;
     }
     #[derive(Debug)]
     pub struct BridgeServiceServer<T> {
@@ -1075,6 +1130,57 @@ pub mod bridge_service_server {
                     };
                     Box::pin(fut)
                 }
+                "/sui.hashi.v1alpha.BridgeService/SignCommitteeTransition" => {
+                    #[allow(non_camel_case_types)]
+                    struct SignCommitteeTransitionSvc<T: BridgeService>(pub Arc<T>);
+                    impl<
+                        T: BridgeService,
+                    > tonic::server::UnaryService<super::SignCommitteeTransitionRequest>
+                    for SignCommitteeTransitionSvc<T> {
+                        type Response = super::SignCommitteeTransitionResponse;
+                        type Future = BoxFuture<
+                            tonic::Response<Self::Response>,
+                            tonic::Status,
+                        >;
+                        fn call(
+                            &mut self,
+                            request: tonic::Request<
+                                super::SignCommitteeTransitionRequest,
+                            >,
+                        ) -> Self::Future {
+                            let inner = Arc::clone(&self.0);
+                            let fut = async move {
+                                <T as BridgeService>::sign_committee_transition(
+                                        &inner,
+                                        request,
+                                    )
+                                    .await
+                            };
+                            Box::pin(fut)
+                        }
+                    }
+                    let accept_compression_encodings = self.accept_compression_encodings;
+                    let send_compression_encodings = self.send_compression_encodings;
+                    let max_decoding_message_size = self.max_decoding_message_size;
+                    let max_encoding_message_size = self.max_encoding_message_size;
+                    let inner = self.inner.clone();
+                    let fut = async move {
+                        let method = SignCommitteeTransitionSvc(inner);
+                        let codec = tonic_prost::ProstCodec::default();
+                        let mut grpc = tonic::server::Grpc::new(codec)
+                            .apply_compression_config(
+                                accept_compression_encodings,
+                                send_compression_encodings,
+                            )
+                            .apply_max_message_size_config(
+                                max_decoding_message_size,
+                                max_encoding_message_size,
+                            );
+                        let res = grpc.unary(method, req).await;
+                        Ok(res)
+                    };
+                    Box::pin(fut)
+                }
                 _ => {
                     Box::pin(async move {
                         let mut response = http::Response::new(

crates/hashi-types/src/proto/generated/sui.hashi.v1alpha.rs

@@ -17,6 +17,8 @@ use crate::withdrawals::WithdrawalTxSigning;
 use hashi_types::bitcoin_txid::BitcoinTxid;
 use hashi_types::proto::GetServiceInfoRequest;
 use hashi_types::proto::GetServiceInfoResponse;
+use hashi_types::proto::SignCommitteeTransitionRequest;
+use hashi_types::proto::SignCommitteeTransitionResponse;
 use hashi_types::proto::SignDepositConfirmationRequest;
 use hashi_types::proto::SignDepositConfirmationResponse;
 use hashi_types::proto::SignGuardianWithdrawalRequestRequest;
@@ -133,6 +135,33 @@ impl BridgeService for HttpService {
         }))
     }
 
+    /// Validate and BLS-sign a `CommitteeTransition` from `from_epoch` to
+    /// `from_epoch + 1` for the guardian. The transition's `new_committee`
+    /// is reconstructed deterministically from on-chain state — clients
+    /// cannot supply it on the wire.
+    #[tracing::instrument(
+        level = "info",
+        skip_all,
+        fields(from_epoch = tracing::field::Empty, caller = tracing::field::Empty),
+    )]
+    async fn sign_committee_transition(
+        &self,
+        request: Request<SignCommitteeTransitionRequest>,
+    ) -> Result<Response<SignCommitteeTransitionResponse>, Status> {
+        let caller = authenticate_caller(&request)?;
+        tracing::Span::current().record("caller", tracing::field::display(&caller));
+        let from_epoch = request.get_ref().from_epoch;
+        tracing::Span::current().record("from_epoch", from_epoch);
+        let member_signature = self
+            .inner
+            .validate_and_sign_committee_transition(from_epoch)
+            .map_err(|e| Status::failed_precondition(e.to_string()))?;
+        tracing::info!(from_epoch, "Signed committee transition");
+        Ok(Response::new(SignCommitteeTransitionResponse {
+            member_signature: Some(member_signature),
+        }))
+    }
+
     /// Validate and BLS-sign a `StandardWithdrawalRequest` for the guardian.
     #[tracing::instrument(
         level = "info",

crates/hashi/src/grpc/bridge_service.rs

@@ -58,4 +58,15 @@ impl GuardianClient {
             .await?;
         Ok(response.into_inner())
     }
+
+    pub async fn update_committee(
+        &self,
+        request: hashi_types::proto::SignedCommitteeTransition,
+    ) -> Result<hashi_types::proto::UpdateCommitteeResponse, tonic::Status> {
+        let response = self
+            .guardian_service_client()
+            .update_committee(request)
+            .await?;
+        Ok(response.into_inner())
+    }
 }