fix(collector): validate offer terms against deadline, not block.timestamp

Collection-window and duration checks now use the offer's acceptance
deadline as the reference point instead of `block.timestamp`, making
validation time-independent: if terms pass here they remain valid for
any acceptance on or before `deadline`. Callers still enforce
`block.timestamp <= deadline` at the acceptance entry point.

- `_requireValidCollectionWindowParams` takes a `_deadline` parameter
  and becomes `pure`. `_endsAt > block.timestamp` becomes
  `_deadline < _endsAt`; `_endsAt - block.timestamp >= min + WINDOW`
  becomes `min + WINDOW <= _endsAt - _deadline`.
- `_requireValidTerms` propagates `_deadline` to the window check.
- Accept/update call sites pass the RCA/RCAU deadline.
- Interface: replace `RecurringCollectorAgreementElapsedEndsAt` with
  `RecurringCollectorAgreementEndsBeforeDeadline(deadline, endsAt)`.

Prerequisite for hash-keyed terms storage, where a single stored hash
must remain validatable without re-checking against wall clock on every
read.

Author: RembrandtK

packages/horizon/contracts/payments/collectors/RecurringCollector.sol

@@ -274,7 +274,7 @@ contract RecurringCollector is
         );
 
         _requireValidTerms(
-            _rca.endsAt, _rca.minSecondsPerCollection, _rca.maxSecondsPerCollection,
+            _rca.deadline, _rca.endsAt, _rca.minSecondsPerCollection, _rca.maxSecondsPerCollection,
             _rca.payer, _rca.conditions, _rca.maxOngoingTokensPerSecond
         );
 
@@ -809,18 +809,23 @@ contract RecurringCollector is
 
     /**
      * @notice Requires that the collection window parameters are valid.
-     *
+     * @dev Validated against `_deadline` (the offer's acceptance deadline) rather than
+     * `block.timestamp`, making this check time-independent: if terms pass here they remain
+     * valid for any acceptance that happens on or before `_deadline`. Callers must enforce
+     * `block.timestamp <= _deadline` at the acceptance entry point.
+     * @param _deadline The offer's acceptance deadline
      * @param _endsAt The end time of the agreement
      * @param _minSecondsPerCollection The minimum seconds per collection
      * @param _maxSecondsPerCollection The maximum seconds per collection
      */
     function _requireValidCollectionWindowParams(
+        uint64 _deadline,
         uint64 _endsAt,
         uint32 _minSecondsPerCollection,
         uint32 _maxSecondsPerCollection
-    ) private view {
-        // Agreement needs to end in the future
-        require(_endsAt > block.timestamp, RecurringCollectorAgreementElapsedEndsAt(block.timestamp, _endsAt));
+    ) private pure {
+        // Agreement must end after the deadline
+        require(_deadline < _endsAt, RecurringCollectorAgreementEndsBeforeDeadline(_deadline, _endsAt));
 
         // Collection window needs to be at least MIN_SECONDS_COLLECTION_WINDOW
         require(
@@ -833,19 +838,21 @@ contract RecurringCollector is
             )
         );
 
-        // Agreement needs to last at least one min collection window
+        // Even if accepted at the deadline at least one min collection window must remain
         require(
-            _endsAt - block.timestamp >= _minSecondsPerCollection + MIN_SECONDS_COLLECTION_WINDOW,
+            _minSecondsPerCollection + MIN_SECONDS_COLLECTION_WINDOW <= _endsAt - _deadline,
             RecurringCollectorAgreementInvalidDuration(
                 _minSecondsPerCollection + MIN_SECONDS_COLLECTION_WINDOW,
-                _endsAt - block.timestamp
+                _endsAt - _deadline
             )
         );
     }
 
     /**
      * @notice Validates offer terms: collection window, eligibility support, and overflow.
-     * @dev Called by _validateAndStoreAgreement and _validateAndStoreUpdate.
+     * @dev Called by _validateAndStoreAgreement and _validateAndStoreUpdate. Time-independent —
+     * validates against the offer's deadline so the check is stable across the offer's lifetime.
+     * @param _deadline The offer's acceptance deadline
      * @param _endsAt The end time of the agreement
      * @param _minSecondsPerCollection The minimum seconds per collection
      * @param _maxSecondsPerCollection The maximum seconds per collection
@@ -854,14 +861,15 @@ contract RecurringCollector is
      * @param _maxOngoingTokensPerSecond The maximum ongoing tokens per second
      */
     function _requireValidTerms(
+        uint64 _deadline,
         uint64 _endsAt,
         uint32 _minSecondsPerCollection,
         uint32 _maxSecondsPerCollection,
         address _payer,
         uint16 _conditions,
         uint256 _maxOngoingTokensPerSecond
     ) private view {
-        _requireValidCollectionWindowParams(_endsAt, _minSecondsPerCollection, _maxSecondsPerCollection);
+        _requireValidCollectionWindowParams(_deadline, _endsAt, _minSecondsPerCollection, _maxSecondsPerCollection);
         _requirePayerToSupportEligibilityCheck(_payer, _conditions);
         // Reverts on overflow — rejecting excessive terms that could prevent collection
         _maxOngoingTokensPerSecond * _maxSecondsPerCollection * 1024;
@@ -1058,7 +1066,7 @@ contract RecurringCollector is
         RecurringCollectorStorage storage $ = _getStorage();
 
         _requireValidTerms(
-            _rcau.endsAt, _rcau.minSecondsPerCollection, _rcau.maxSecondsPerCollection,
+            _rcau.deadline, _rcau.endsAt, _rcau.minSecondsPerCollection, _rcau.maxSecondsPerCollection,
             _agreement.payer, _rcau.conditions, _rcau.maxOngoingTokensPerSecond
         );
 

packages/horizon/test/unit/payments/recurring-collector/acceptValidation.t.sol

@@ -69,20 +69,20 @@ contract RecurringCollectorAcceptValidationTest is RecurringCollectorSharedTest
         _recurringCollector.accept(rca, signature);
     }
 
-    // ==================== endsAt validation (L545) ====================
+    // ==================== endsAt validation ====================
 
-    function test_Accept_Revert_WhenEndsAtInPast() public {
+    function test_Accept_Revert_WhenEndsAtNotAfterDeadline() public {
         IRecurringCollector.RecurringCollectionAgreement memory rca = _makeValidRCA();
-        rca.endsAt = uint64(block.timestamp); // endsAt == now, fails "endsAt > block.timestamp"
+        rca.endsAt = rca.deadline; // endsAt == deadline, fails "endsAt > deadline"
 
         _recurringCollectorHelper.authorizeSignerWithChecks(rca.payer, SIGNER_KEY);
         (, bytes memory signature) = _recurringCollectorHelper.generateSignedRCA(rca, SIGNER_KEY);
         _setupValidProvision(rca.serviceProvider, rca.dataService);
 
         vm.expectRevert(
             abi.encodeWithSelector(
-                IRecurringCollector.RecurringCollectorAgreementElapsedEndsAt.selector,
-                block.timestamp,
+                IRecurringCollector.RecurringCollectorAgreementEndsBeforeDeadline.selector,
+                rca.deadline,
                 rca.endsAt
             )
         );
@@ -142,12 +142,12 @@ contract RecurringCollectorAcceptValidationTest is RecurringCollectorSharedTest
 
     function test_Accept_Revert_WhenDurationTooShort() public {
         IRecurringCollector.RecurringCollectionAgreement memory rca = _makeValidRCA();
-        // Need: endsAt - now >= minSecondsPerCollection + MIN_SECONDS_COLLECTION_WINDOW
+        // Need: endsAt - deadline >= minSecondsPerCollection + MIN_SECONDS_COLLECTION_WINDOW
         // Set duration just under the minimum
         uint32 minWindow = _recurringCollector.MIN_SECONDS_COLLECTION_WINDOW();
         rca.minSecondsPerCollection = 600;
         rca.maxSecondsPerCollection = 600 + minWindow; // valid window
-        rca.endsAt = uint64(block.timestamp + rca.minSecondsPerCollection + minWindow - 1); // 1 second too short
+        rca.endsAt = rca.deadline + rca.minSecondsPerCollection + minWindow - 1; // 1 second too short
 
         _recurringCollectorHelper.authorizeSignerWithChecks(rca.payer, SIGNER_KEY);
         (, bytes memory signature) = _recurringCollectorHelper.generateSignedRCA(rca, SIGNER_KEY);
@@ -157,7 +157,7 @@ contract RecurringCollectorAcceptValidationTest is RecurringCollectorSharedTest
             abi.encodeWithSelector(
                 IRecurringCollector.RecurringCollectorAgreementInvalidDuration.selector,
                 rca.minSecondsPerCollection + minWindow,
-                rca.endsAt - block.timestamp
+                uint256(rca.endsAt - rca.deadline)
             )
         );
         vm.prank(rca.dataService);

packages/interfaces/contracts/horizon/IRecurringCollector.sol

@@ -316,11 +316,11 @@ interface IRecurringCollector is IAuthorizable, IAgreementCollector {
     error RecurringCollectorAgreementAddressNotSet();
 
     /**
-     * @notice Thrown when accepting or upgrading an agreement with an elapsed endsAt
-     * @param currentTimestamp The current timestamp
+     * @notice Thrown when an agreement's endsAt is not strictly after its acceptance deadline.
+     * @param deadline The offer acceptance deadline
      * @param endsAt The agreement end timestamp
      */
-    error RecurringCollectorAgreementElapsedEndsAt(uint256 currentTimestamp, uint64 endsAt);
+    error RecurringCollectorAgreementEndsBeforeDeadline(uint64 deadline, uint64 endsAt);
 
     /**
      * @notice Thrown when accepting or upgrading an agreement with an elapsed endsAt