feat(core): implement attester_duties, sync_committee_duties, attestation_data handlers (#451)

* feat(core): implement validatorapi node_version handler

Threads the Handler through Axum state via AppState<H> + with_state,
wires the node_version route to the real handler, and adds a TestHandler
mock that future PRs will extend per-endpoint.

* fix: linter

* feat(core): implement validatorapi proposer_duties handler (#450)

Re-uses the auto-generated pluto_eth2api envelopes
(GetProposerDutiesResponseResponse, GetVersionResponseResponse) as the
on-the-wire shape rather than hand-rolling parallel types. node_version
is migrated to the same pattern; the body.rs hand-rolled wrapper module
is removed.

* refactor(core): use dynamic dispatch for validatorapi Handler

Drops the per-handler generic parameter and routes through
Arc<dyn Handler> via AppState. The Handler trait is object-safe
(Send + Sync + 'static + async_trait-generated methods), so this
is a pure type change with no surface impact.

* feat(core): scaffold validatorapi Component handler

Adds the Handler impl that the router has been calling through.
node_version returns the obolnetwork/pluto/{version}-{commit}/{arch}-{os}
identity string; proposer_duties calls the upstream beacon node and
rewrites known DV root public keys to this node's public share so the
validator client sees keys matching its keystore. The remaining 17
trait methods are unimplemented!() stubs that land per-PR as their
router handlers are ported.

* feat(core): implement validatorapi attester_duties handler

Wires POST /eth/v1/validator/duties/attester/{epoch}: dual-format
(numeric or string-encoded) validator index body, upstream call,
pubshare swap.

* feat(core): implement validatorapi sync_committee_duties handler

Wires POST /eth/v1/validator/duties/sync/{epoch}, reusing the
ValIndexes dual-format body extractor.

* feat(core): implement validatorapi attestation_data handler

Wires GET /eth/v1/validator/attestation_data. The Component now
holds an Arc<MemDB> and awaits unsigned attestation data from the
local DutyDB rather than hitting upstream.

* fix(core): address PR #451 review feedback

Bug fixes (must-fix per review):

- attestation_data: wrap MemDB::await_attestation in tokio::time::timeout
  (24s) so a request for a slot that never produces consensus output
  cannot hold a handler task indefinitely. delete_duty now records
  evicted keys per duty type and notifies waiters, so await_data returns
  Error::AwaitDutyExpired immediately when the awaited duty is gone
  instead of spinning until the timeout fires. Maps to 408 on the wire.
- Stop leaking upstream BlindedBlock400Response Debug output (incl.
  stacktraces) into the client-visible ApiError.message. The variant
  payload is now attached as `source` for debug logs; the message stays
  generic.

Hardening:

- new_insecure is gated behind #[cfg(test)] so the insecure_test flag
  cannot reach production builds.
- new_router applies DefaultBodyLimit::max(64 KiB) on the two
  POST /duties/{attester,sync}/{epoch} routes — defends against the
  Vec<u64> parse amplification on the ValIndexes deserializer.
- All upstream eth2_cl calls are wrapped in tokio::time::timeout(12s)
  so a hanging beacon node cannot stall handler tasks.
- proposer_duties / attester_duties / sync_committee_duties propagate
  upstream BadRequest as 400 and ServiceUnavailable as 503 instead of
  collapsing every non-Ok variant to 502 — the VC can now back off on
  upstream syncing instead of treating it as a gateway failure.
- swap_attester_pubshares / swap_sync_committee_pubshares now return
  500 (cluster misconfig) instead of 502 when a pubshare is missing —
  the upstream returned well-formed data, the failure is local.

ValIndexes:

- Replace #[serde(untagged)] with a streaming Visitor that validates
  each element via SeqAccess::next_element. Avoids the speculative
  Vec<u64> parse and the serde Content cache. Now accepts mixed
  numeric/string elements and rejects negative integers.
- Hard cap at 8192 indices per request.

ApiError:

- with_boxed_source for sources that aren't std::error::Error (e.g.
  anyhow::Error from auto-gen request builders).

Router:

- attestation_data uses Result<Query<...>, QueryRejection> so 4xx
  responses from missing/malformed query params share the same
  { code, message } envelope as the rest of the router.

Tests (+13):

- attestation_data: timeout when data never arrives; 408 when duty is
  evicted while a waiter is parked; cancellation cleanup when the
  handler future is dropped; negative lookup on wrong committee_index.
- Status-mapping helpers: confirm upstream Debug output is never
  serialized into the message.
- Router: ApiError envelope on bad query; oversized body rejection;
  ValIndexes empty/mixed/oversized/negative cases.

Co-Authored-By: Bohdan Ohorodnii <35969035+varex83@users.noreply.github.com>

* fix(core): bound dutydb eviction state with high-water marks

The evicted_* HashSets in MemDB were insert-only: delete_duty added an
entry per evicted slot/aggregation/contrib key and nothing ever removed
them, so on a long-running node they grew without bound (one entry per
12s slot, forever). Charon's Go dutydb keeps no eviction record at all
and relies on the per-request context timeout.

Because the deadliner expires duties in non-decreasing slot order and
store() refuses already-expired duties, the highest evicted slot is
sufficient: any awaited slot <= the mark that is not currently stored
will never be stored. Replace the three slot-keyed sets with O(1)
Option<u64> high-water marks (attester/proposer/sync-contribution),
preserving the immediate-AwaitDutyExpired fast path.

Aggregated attestations are awaited by root only (no slot at await
time), so they cannot consult a slot mark; drop their eviction tracking
and let an evicted root rely on the request timeout, matching Go.

Add a regression test asserting an evicted slot and any older slot fail
fast with AwaitDutyExpired without parking.

Co-Authored-By: varex83 <ivan@nethermind.io>

* fix(core): return {code,message} envelope for malformed duties body

attester_duties and sync_committee_duties extracted the body as bare
`Json<ValIndexes>`, so a malformed body produced axum's default
plain-text rejection — 400 for a JSON syntax error but 422 for a wrong
type — instead of the router's standard {code,message} envelope. Charon's
unmarshal returns a uniform 400 with its apiError body for every request
body parse failure.

Extract as `Result<Json<ValIndexes>, JsonRejection>` and map through a new
json_rejection_to_api_error, mirroring the existing query-rejection path.
Genuine parse failures normalise to 400; the DefaultBodyLimit size cap
still surfaces as 413 (Pluto's DoS defense), preserved explicitly. Add a
router test asserting the 400 envelope for a wrong-shape body.

Co-Authored-By: varex83 <ivan@nethermind.io>

* fix(core): align validatorapi with Charon (timeout, content-type)

Addresses inline review comments from @iamquang95 on PR #451.

UPSTREAM_REQUEST_TIMEOUT was 12s — set to 10s to match Charon's
defaultRequestTimeout (core/validatorapi/router.go:61).

POST /eth/v1/validator/duties/{attester,sync}/{epoch} now matches
Charon's content-type policy via a new enforce_json_content_type
middleware layered onto duties_post:

- missing Content-Type → treated as application/json (Charon parity)
- application/json → passes through to the existing Json extractor
- anything else → 415 Unsupported Media Type with the offending value

Previously axum's Json extractor rejected a missing header with
MissingJsonContentType, which json_rejection_to_api_error normalised
to 400 — diverging from Charon, which lets VCs that don't set the
header through. Non-JSON Content-Type was also collapsed to 400; it
is now the 415 Charon returns.

Updated json_rejection_to_api_error doc comment: it no longer sees
content-type rejections (the middleware intercepts them upstream).

Tests (+2):

- attester_duties_accepts_missing_content_type asserts 200 when
  Content-Type is absent.
- attester_duties_rejects_non_json_content_type asserts 415 with the
  offending media type echoed in the message.

Co-Authored-By: varex83 <ivan@nethermind.io>

---------

Co-authored-by: Bohdan Ohorodnii <273991985+varex83agent@users.noreply.github.com>
Co-authored-by: varex83 <ivan@nethermind.io>

Author: 3 people

Cargo.lock

@@ -106,6 +106,7 @@ tree_hash_derive = "0.12"
 tar = "0.4"
 flate2 = "1.1"
 wiremock = "0.6"
+tower = "0.5"
 sysinfo = "0.33"
 quick-xml = { version = "0.39", features = ["serialize"] }
 

Cargo.toml

@@ -56,6 +56,7 @@ pluto-testutil.workspace = true
 pluto-tracing.workspace = true
 tokio = { workspace = true, features = ["test-util"] }
 wiremock.workspace = true
+tower = { workspace = true, features = ["util"] }
 
 [build-dependencies]
 pluto-build-proto.workspace = true

crates/core/Cargo.toml

@@ -49,6 +49,12 @@ pub enum Error {
     #[error("dutydb shutdown: query could not be answered")]
     Shutdown,
 
+    /// The awaited duty was evicted before its unsigned data became
+    /// available. Distinct from `Shutdown` so callers can map this to a
+    /// timeout-style error rather than a service-down error.
+    #[error("dutydb: awaited duty expired before data was stored")]
+    AwaitDutyExpired,
+
     /// Two validators share the same `(slot, committee_index, valIdx)` with
     /// different public keys.
     #[error(
@@ -177,6 +183,17 @@ struct ContribKey {
     root: phase0::Root,
 }
 
+/// Per-poll outcome handed back by an `await_data` lookup closure.
+enum Lookup<V> {
+    /// The awaited value is now present — return it to the caller.
+    Found(V),
+    /// The awaited duty has been evicted; the lookup will never succeed.
+    /// `await_data` returns [`Error::AwaitDutyExpired`].
+    Evicted,
+    /// Neither stored nor evicted yet — park on the notify and retry.
+    Pending,
+}
+
 struct State {
     attestation_duties: HashMap<AttKey, phase0::AttestationData>,
     attestation_pub_keys: HashMap<PkKey, PubKey>,
@@ -190,6 +207,27 @@ struct State {
     contrib_duties: HashMap<ContribKey, altair::SyncCommitteeContribution>,
     contrib_keys_by_slot: HashMap<u64, Vec<ContribKey>>,
 
+    /// Highest slot whose attester duty has been evicted by the deadliner.
+    /// Because the deadliner expires duties in non-decreasing slot order and
+    /// `store()` refuses already-expired duties (`AddOutcome::AlreadyExpired`),
+    /// any awaited slot `<=` this mark that is not currently stored will never
+    /// be stored. Tracking only the high-water mark — rather than the set of
+    /// every evicted slot, which would grow without bound for the lifetime of
+    /// the node — lets `await_attestation` return `AwaitDutyExpired`
+    /// immediately for a gone duty while keeping the bookkeeping O(1) in
+    /// memory.
+    max_evicted_attestation_slot: Option<u64>,
+    /// Highest slot whose proposer duty has been evicted. See
+    /// [`max_evicted_attestation_slot`](Self::max_evicted_attestation_slot).
+    max_evicted_proposer_slot: Option<u64>,
+    /// Highest slot whose sync-contribution duty has been evicted. See
+    /// [`max_evicted_attestation_slot`](Self::max_evicted_attestation_slot).
+    max_evicted_contrib_slot: Option<u64>,
+    // NB: there is no eviction mark for aggregated attestations. They are
+    // awaited by root only (`await_agg_attestation` has no slot), so there is
+    // no slot to compare against a high-water mark; an evicted root relies on
+    // the caller's request timeout instead, matching Charon's Go dutydb which
+    // keeps no eviction record at all.
     deadliner_rx: tokio::sync::mpsc::Receiver<Duty>,
 }
 
@@ -225,6 +263,9 @@ impl MemDB {
                 aggregation_keys_by_slot: HashMap::new(),
                 contrib_duties: HashMap::new(),
                 contrib_keys_by_slot: HashMap::new(),
+                max_evicted_attestation_slot: None,
+                max_evicted_proposer_slot: None,
+                max_evicted_contrib_slot: None,
                 deadliner_rx,
             }),
             attestation_notify: Notify::new(),
@@ -272,7 +313,6 @@ impl MemDB {
                     Some(UnsignedDutyData::Proposal(p)) => state.store_proposal(p)?,
                     Some(_) => return Err(Error::InvalidVersionedProposal),
                 }
-                self.proposer_notify.notify_waiters();
             }
             DutyType::Attester => {
                 for (pubkey, data) in &unsigned_set {
@@ -282,7 +322,6 @@ impl MemDB {
                     };
                     state.store_attestation(*pubkey, att)?;
                 }
-                self.attestation_notify.notify_waiters();
             }
             DutyType::Aggregator => {
                 for data in unsigned_set.values() {
@@ -292,7 +331,6 @@ impl MemDB {
                     };
                     state.store_agg_attestation(agg)?;
                 }
-                self.aggregation_notify.notify_waiters();
             }
             DutyType::SyncContribution => {
                 for data in unsigned_set.values() {
@@ -302,24 +340,54 @@ impl MemDB {
                     };
                     state.store_sync_contribution(contrib)?;
                 }
-                self.contrib_notify.notify_waiters();
             }
             _ => return Err(Error::UnsupportedDutyType),
         }
-
-        // Drain all expired duties that the deadliner has sent.
+        // Wake the matching notify for the duty we just stored, plus
+        // anything we drain below. `notify_waiters` is cheap if no one is
+        // parked and just bumps a counter, so calling it under the write
+        // lock is harmless — woken tasks block on `state.read()` until we
+        // drop.
+        self.wake(duty.duty_type);
+
+        // Drain all expired duties that the deadliner has sent. Waiters
+        // whose duty just expired need to see `Lookup::Evicted` and exit,
+        // not re-park — so we wake the matching notify after each eviction.
         while let Ok(expired) = state.deadliner_rx.try_recv() {
+            let duty_type = expired.duty_type.clone();
             state.delete_duty(expired)?;
+            self.wake(duty_type);
         }
 
         Ok(())
     }
 
+    /// Wakes the [`Notify`] paired with `duty_type`. No-op for duty types
+    /// the DB doesn't track (e.g. `Exit`, `BuilderRegistration`).
+    fn wake(&self, duty_type: DutyType) {
+        let notify = match duty_type {
+            DutyType::Proposer => &self.proposer_notify,
+            DutyType::Attester => &self.attestation_notify,
+            DutyType::Aggregator => &self.aggregation_notify,
+            DutyType::SyncContribution => &self.contrib_notify,
+            _ => return,
+        };
+        notify.notify_waiters();
+    }
+
     /// Blocks until a proposal for the given slot is available, then returns
     /// it.
     pub async fn await_proposal(&self, slot: u64) -> Result<VersionedProposal> {
-        self.await_data(&self.proposer_notify, |s| s.proposer_duties.get(&slot))
-            .await
+        self.await_data(&self.proposer_notify, |s| {
+            if let Some(v) = s.proposer_duties.get(&slot) {
+                Lookup::Found(v.clone())
+            } else if s.max_evicted_proposer_slot.is_some_and(|hw| slot <= hw) {
+                Lookup::Evicted
+            } else {
+                Lookup::Pending
+            }
+        })
+        .await
     }
 
     /// Blocks until attestation data for the given slot and committee index is
@@ -333,8 +401,19 @@ impl MemDB {
             slot,
             committee_index,
         };
-        self.await_data(&self.attestation_notify, |s| s.attestation_duties.get(&key))
-            .await
+        self.await_data(&self.attestation_notify, |s| {
+            if let Some(v) = s.attestation_duties.get(&key) {
+                Lookup::Found(v.clone())
+            } else if s
+                .max_evicted_attestation_slot
+                .is_some_and(|hw| key.slot <= hw)
+            {
+                Lookup::Evicted
+            } else {
+                Lookup::Pending
+            }
+        })
+        .await
     }
 
     /// Blocks until an aggregated attestation for the given slot and
@@ -347,7 +426,14 @@ impl MemDB {
             root: attestation_root,
         };
         self.await_data(&self.aggregation_notify, |s| {
-            s.aggregation_duties.get(&key).map(|a| &a.0)
+            // Awaited by root only, so there is no slot to test against an
+            // eviction high-water mark: an evicted root relies on the caller's
+            // request timeout to terminate (matching Charon's Go dutydb).
+            if let Some(v) = s.aggregation_duties.get(&key) {
+                Lookup::Found(v.0.clone())
+            } else {
+                Lookup::Pending
+            }
         })
         .await
     }
@@ -365,31 +451,43 @@ impl MemDB {
             subcommittee_index,
             root: beacon_block_root,
         };
-        self.await_data(&self.contrib_notify, |s| s.contrib_duties.get(&key))
-            .await
+        self.await_data(&self.contrib_notify, |s| {
+            if let Some(v) = s.contrib_duties.get(&key) {
+                Lookup::Found(v.clone())
+            } else if s.max_evicted_contrib_slot.is_some_and(|hw| slot <= hw) {
+                Lookup::Evicted
+            } else {
+                Lookup::Pending
+            }
+        })
+        .await
     }
 
     // A single Notify per duty type wakes all waiters on every store, not only
     // those whose key matches. The number of concurrent waiters per duty type
     // is small (one per validator), so the extra wakeups are cheap. A keyed
     // notify (HashMap<Key, Sender>) would avoid them but adds complexity that
     // isn't worth it here.
+    //
+    // `delete_duty` also wakes the notify so waiters whose duty just expired
+    // exit immediately via the `Lookup::Evicted` branch, instead of parking
+    // for another `notify_waiters` call or for the per-request timeout in
+    // the caller.
     async fn await_data<V>(
         &self,
         notify: &Notify,
-        lookup: impl for<'s> Fn(&'s State) -> Option<&'s V>,
-    ) -> Result<V>
-    where
-        V: Clone,
-    {
+        lookup: impl Fn(&State) -> Lookup<V>,
+    ) -> Result<V> {
         loop {
             let notified = notify.notified();
             tokio::pin!(notified);
 
             {
                 let state = self.state.read().await;
-                if let Some(v) = lookup(&state) {
-                    return Ok(v.clone());
+                match lookup(&state) {
+                    Lookup::Found(v) => return Ok(v),
+                    Lookup::Evicted => return Err(Error::AwaitDutyExpired),
+                    Lookup::Pending => {}
                 }
             }
 
@@ -571,12 +669,20 @@ impl State {
         Ok(())
     }
 
+    /// Raises an eviction high-water mark to `slot` if `slot` is newer (or the
+    /// mark is unset). The deadliner expires duties in non-decreasing slot
+    /// order, so in practice this only ever moves the mark forward.
+    fn bump_high_water(mark: &mut Option<u64>, slot: u64) {
+        *mark = Some(mark.map_or(slot, |current| current.max(slot)));
+    }
+
     fn delete_duty(&mut self, duty: Duty) -> Result<()> {
         let slot = duty.slot.inner();
         info!(slot, duty_type = %duty.duty_type, "dutydb: deleting expired duty");
         match duty.duty_type {
             DutyType::Proposer => {
                 self.proposer_duties.remove(&slot);
+                Self::bump_high_water(&mut self.max_evicted_proposer_slot, slot);
             }
             DutyType::BuilderProposer => return Err(Error::DeprecatedDutyBuilderProposer),
             DutyType::Attester => {
@@ -589,8 +695,11 @@ impl State {
                         });
                     }
                 }
+                Self::bump_high_water(&mut self.max_evicted_attestation_slot, slot);
             }
             DutyType::Aggregator => {
+                // No eviction mark: aggregated attestations are awaited by root
+                // only, so there is nothing for a slot high-water mark to gate.
                 if let Some(keys) = self.aggregation_keys_by_slot.remove(&slot) {
                     for key in keys {
                         self.aggregation_duties.remove(&key);
@@ -603,6 +712,7 @@ impl State {
                         self.contrib_duties.remove(&key);
                     }
                 }
+                Self::bump_high_water(&mut self.max_evicted_contrib_slot, slot);
             }
             _ => return Err(Error::UnknownDutyType),
         }
@@ -1166,6 +1276,67 @@ mod tests {
         assert!(db.pub_key_by_attestation(SLOT, 0, 0).await.is_err());
     }
 
+    /// After a slot is evicted, `await_attestation` must return
+    /// `AwaitDutyExpired` immediately (not park until the request timeout) for
+    /// that slot AND for any older slot — the eviction state is a single
+    /// high-water mark, so it stays O(1) in memory rather than accumulating one
+    /// entry per evicted slot for the lifetime of the node.
+    #[tokio::test]
+    async fn await_attestation_expired_after_eviction_high_water() {
+        let deadliner = far_future_handle();
+        let (trim_tx, trim_rx) = channel::<Duty>(64);
+        let db = make_db_with_deadliner(deadliner, trim_rx);
+
+        const SLOT: u64 = 123;
+
+        let mut set = UnsignedDataSet::new();
+        set.insert(
+            random_core_pub_key(),
+            UnsignedDutyData::Attestation(att_data(SLOT, 0, 0)),
+        );
+        db.store(Duty::new(SlotNumber::new(SLOT), DutyType::Attester), set)
+            .await
+            .unwrap();
+
+        // Evict SLOT, then trigger expiry processing with an unrelated store.
+        trim_tx
+            .send(Duty::new(SlotNumber::new(SLOT), DutyType::Attester))
+            .await
+            .expect("trim_tx should be open");
+        let mut set2 = UnsignedDataSet::new();
+        set2.insert(
+            random_core_pub_key(),
+            UnsignedDutyData::Proposal(Box::new(phase0_proposal(SLOT.saturating_add(1), 0))),
+        );
+        db.store(
+            Duty::new(SlotNumber::new(SLOT.saturating_add(1)), DutyType::Proposer),
+            set2,
+        )
+        .await
+        .unwrap();
+
+        // The evicted slot resolves to AwaitDutyExpired without parking.
+        let timeout = std::time::Duration::from_secs(5);
+        let evicted = tokio::time::timeout(timeout, db.await_attestation(SLOT, 0))
+            .await
+            .expect("await must not park for an evicted slot");
+        assert!(
+            matches!(evicted, Err(Error::AwaitDutyExpired)),
+            "evicted slot: expected AwaitDutyExpired, got {evicted:?}"
+        );
+
+        // An older, never-stored slot is also below the high-water mark: its
+        // deadline has necessarily passed too, so it must fail fast rather than
+        // park — and we keep no per-slot record to answer this.
+        let older = tokio::time::timeout(timeout, db.await_attestation(SLOT.saturating_sub(1), 0))
+            .await
+            .expect("await must not park for a slot below the eviction high-water");
+        assert!(
+            matches!(older, Err(Error::AwaitDutyExpired)),
+            "older slot: expected AwaitDutyExpired, got {older:?}"
+        );
+    }
+
     #[tokio::test]
     async fn agg_attestation_two_roots_same_slot() {
         const SLOT: u64 = 300;