fix(security): slashing model, manager-hook reentrancy, lifecycle, EIP-712 (#118)

* fix(security): slashing model, manager-hook reentrancy, lifecycle, EIP-712

Closes a broad class of pre-mainnet correctness gaps. Greenfield posture: takes
the right long-term API rather than backwards-compatible shims. All 1478 tests
pass on the fast profile.

Slashing
- New `disputeResolutionDeadline` (default 14d): a disputed slash auto-fails and
  becomes executable after this window, so a forgotten or compromised SLASH_ADMIN
  cannot lock delegators forever.
- New `disputeBond` (configurable, default 0/disabled): native-asset bond posted
  when an operator disputes; forfeit to treasury on auto-fail / execute, refunded
  on cancel. Defeats free-DoS via self-dispute.
- New `maxPendingSlashesPerOperator` (default 32): caps concurrent pending
  proposals per operator so a malicious proposer can't spam-grief the
  pending-slash counter.
- `executeSlash` now routes to `slashForService` when the operator made explicit
  per-asset commitments to the offending service. Falls back to blueprint-wide
  slashing only for legacy services with no commitments. Closes the over-broad
  slashing of uncommitted assets.
- Operators with pending slashes can no longer call `_startLeaving`; pending
  slashes must resolve first.
- Operators in `Inactive` status (e.g. forced inactive by being slashed below
  minimum) can now exit via `_startLeaving`. Stake no longer stranded.
- `setSlashConfig` signature extended to surface the new knobs to admin.
- Per-operator pending tracker (`_operatorActiveSlashProposals`) increments on
  propose, decrements on execute / cancel.

Manager-hook reentrancy + CEI
- `_callManager` / `_tryCallManager` capped at 500k gas. Failures from
  `_tryCallManager` now emit `ManagerHookFailed(manager, selector, returnData)`
  for off-chain observability.
- `Operators.registerOperator` reordered to write all state BEFORE the BSM hook
  (CEI). Both registerOperator entrypoints + unregisterOperator gain
  `nonReentrant`.
- `createBlueprint`, `transferBlueprint`, `updateBlueprint`, `deactivateBlueprint`,
  `setJobEventRates`, `setBlueprintResourceRequirements` gain `nonReentrant`.

Service lifecycle
- `fundService` re-checks (a) blueprint manager's payment-asset policy and
  (b) service TTL before accepting a top-up. Closes top-ups to expired services
  and to services whose token policy was revoked.
- New permissionless `expireServiceRequest(requestId)` refunds the requester
  after the configured grace period, so stale unapproved requests don't lock
  payment indefinitely. All approve paths reject expired requests.

EIP-712 / replay
- Quote domain separator computed per-call against current chainid via new
  `_domainSeparatorView()`. Prevents stale-cache replay across chain forks.
- `OperatorStatusRegistry.submitHeartbeat` now full EIP-712 with explicit
  `timestamp` parameter and `HEARTBEAT_MAX_AGE` (5 minutes) freshness. Closes
  cross-fork / cross-service / cross-deployment replay.

Governance for Base
- `TangleToken.clock()` switched to `block.timestamp` (ERC-6372). `votingDelay`
  and `votingPeriod` are now denominated in seconds and chain-agnostic.
- `GovernanceDeployer` defaults updated: mainnet 1 day delay / 7 day period;
  testnet 20 minute delay / 3 hour period.

MBSM registry
- Storage gap restored to 50 (greenfield clean).

Tests
- Governance test suite migrated to timestamp-clock semantics (vm.warp +
  vm.roll) and updated default-param assertions.
- Heartbeat tests updated for EIP-712 typed digest and timestamp parameter.
- Slashing tests updated for the new 6-arg `setSlashConfig`.
- Slashing edge-case test now exercises the per-operator pending cap.
- 1478 / 1478 passing on fast profile.

* fix(security): address PR-118 review (CRITICAL + 4 HIGH + 7 non-blocking)

Tangletools review on commit 95b956f flagged 1 critical, 4 high, and 7
non-blocking findings. All addressed below. Full suite: 1483/1483.

CRITICAL: expireServiceRequest activated-service drain
- Added `bool activated` to Types.ServiceRequest. Set to true in
  TangleServicesFacet._activateService BEFORE any other state mutations.
- expireServiceRequest now reverts on req.rejected || req.activated.
- _requireRequestNotExpired (the approval-path guard) also rejects activated
  requests with ServiceRequestAlreadyProcessed.

HIGH: ITangleSlashing.disputeSlash missing payable
- Added `payable` to the interface. The implementation was already payable.
  Without this, typed callers could not pass value through ITangleSlashing.

HIGH: dispute resolution deadline live-config bypass
- Added `uint64 disputeDeadline` to SlashProposal.
- Snapshot taken in SlashingLib.disputeSlash: disputeDeadline =
  block.timestamp + config.disputeResolutionDeadline.
- isExecutable now reads proposal.disputeDeadline (snapshot), not live
  config. Admin shrinking config.disputeResolutionDeadline cannot
  retroactively shorten an already-disputed slash's review window.

HIGH: cancelSlash lacked nonReentrant + bond transferred before state
- Added nonReentrant to cancelSlash.
- Reordered: SlashingLib.cancelSlash + decrementPendingSlash +
  _decrementOperatorPendingTracker complete BEFORE _settleDisputeBond.
- Same CEI ordering applied to executeSlash and executeSlashBatch
  (state mutations, then bond settlement, then BSM hook).

Non-blocking
- _settleDisputeBond now restores the bond on transfer failure for BOTH
  refund and forfeit paths (was only the refund path). Bond is never
  silently lost. Treasury-unset case also restores rather than stranding.
- Removed dead `if (perOpCap == 0) perOpCap = 32` branch in proposeSlash
  (config validates non-zero on init and update).
- SlashConfigUpdated event now emits all six fields.
- unregisterOperator: CEI reordering (state cleared before BSM hook).
- _completeLeaving: clears _operatorBondLessRequests and iterates
  _operatorBlueprints to remove all blueprint associations on full exit.
- Governance test: getPastVotes/quorum lookups use block.timestamp - 1
  (was block.number - 1, which only worked by Foundry-init coincidence).

New regression tests in SlashingEdgeCases.t.sol:
- test_DisputeSlash_RevertsOnWrongBond
- test_DisputeSlash_BondRefundedOnCancel
- test_DisputeSlash_BondForfeitOnExecute
- test_DisputeSlash_AdminDoesNotPostBond
- test_DisputeDeadlineSnapshot_IgnoresAdminShrink

test_ApproveService_AlreadyApproved_Reverts updated for the new activation
flag (uses a 2-operator request so the request stays non-activated through
the duplicate-approve test).

Storage gap reductions deferred (greenfield posture per project guidance;
gaps are arbitrary on first deploy, not a live-proxy migration).

Author: drewstone

script/DemoSimulation.s.sol

@@ -653,12 +653,23 @@ contract DemoSimulation is Script, BlueprintDefinitionHelper {
             vm.startBroadcast(operatorKeys[i]);
 
             bytes memory metrics = abi.encode("cpu", 50 + (tick % 50), "mem", 60 + (tick % 40));
-            bytes32 messageHash = keccak256(abi.encodePacked(serviceId, blueprintId, metrics));
-            bytes32 ethSignedHash = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", messageHash));
-            (uint8 v, bytes32 r, bytes32 s) = vm.sign(operatorKeys[i], ethSignedHash);
+            uint64 timestamp = uint64(block.timestamp);
+            bytes32 structHash = keccak256(
+                abi.encode(
+                    statusRegistry.HEARTBEAT_TYPEHASH(),
+                    vm.addr(operatorKeys[i]),
+                    serviceId,
+                    blueprintId,
+                    uint8(0),
+                    keccak256(metrics),
+                    timestamp
+                )
+            );
+            bytes32 digest = keccak256(abi.encodePacked("\x19\x01", statusRegistry.DOMAIN_SEPARATOR(), structHash));
+            (uint8 v, bytes32 r, bytes32 s) = vm.sign(operatorKeys[i], digest);
             bytes memory signature = abi.encodePacked(r, s, v);
 
-            try statusRegistry.submitHeartbeat(serviceId, blueprintId, 0, metrics, signature) {
+            try statusRegistry.submitHeartbeat(serviceId, blueprintId, 0, metrics, timestamp, signature) {
                 totalHeartbeats++;
             } catch { }
 

script/LocalTestnet.s.sol

@@ -1393,19 +1393,30 @@ contract TestHeartbeat is Script {
 
         vm.startBroadcast(OPERATOR1_KEY);
 
-        // Create heartbeat signature using Foundry's vm.sign
+        // Build the EIP-712 typed-data digest for the new heartbeat schema.
         bytes memory metrics = "";
-        bytes32 messageHash = keccak256(abi.encodePacked(serviceId, blueprintId, metrics));
-        // Add Ethereum signed message prefix
-        bytes32 ethSignedHash = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", messageHash));
-        (uint8 v, bytes32 r, bytes32 s) = vm.sign(OPERATOR1_KEY, ethSignedHash);
+        uint64 timestamp = uint64(block.timestamp);
+        bytes32 structHash = keccak256(
+            abi.encode(
+                registry.HEARTBEAT_TYPEHASH(),
+                vm.addr(OPERATOR1_KEY),
+                serviceId,
+                blueprintId,
+                uint8(0),
+                keccak256(metrics),
+                timestamp
+            )
+        );
+        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", registry.DOMAIN_SEPARATOR(), structHash));
+        (uint8 v, bytes32 r, bytes32 s) = vm.sign(OPERATOR1_KEY, digest);
         bytes memory signature = abi.encodePacked(r, s, v);
 
         registry.submitHeartbeat(
             serviceId,
             blueprintId,
             0, // Healthy
             metrics,
+            timestamp,
             signature
         );
         console2.log("Heartbeat submitted");

src/BlueprintServiceManagerBase.sol

@@ -78,8 +78,11 @@ contract BlueprintServiceManagerBase is IBlueprintServiceManager {
     // ═══════════════════════════════════════════════════════════════════════════
 
     /// @inheritdoc IBlueprintServiceManager
+    /// @dev One-shot binder. The BSM is paired with exactly one Tangle core on its first
+    ///      successful call; subsequent calls revert. A frontrunner can only DoS a single
+    ///      BSM deployment, which the deployer detects (the recorded `tangleCore` won't
+    ///      match the intended Tangle) and re-deploys to fix.
     function onBlueprintCreated(uint64 _blueprintId, address owner, address _tangleCore) external virtual {
-        // Can only be set once
         if (tangleCore != address(0)) revert AlreadyInitialized();
 
         blueprintId = _blueprintId;

src/MBSMRegistry.sol

@@ -53,7 +53,7 @@ contract MBSMRegistry is Initializable, AccessControlUpgradeable, UUPSUpgradeabl
     mapping(uint32 => uint256) private _emergencyDeprecationReadyAt;
 
     /// @notice Storage gap for upgrades
-    uint256[47] private __gap;
+    uint256[50] private __gap;
 
     // ═══════════════════════════════════════════════════════════════════════════
     // EVENTS

src/TangleStorage.sol

@@ -232,6 +232,12 @@ abstract contract TangleStorage {
     /// @notice Slash ID => Slash proposal
     mapping(uint64 => SlashingLib.SlashProposal) internal _slashProposals;
 
+    /// @notice Live count of pending (unresolved) slash proposals per operator. Used to
+    ///         enforce `SlashConfig.maxPendingSlashesPerOperator` so a malicious proposer
+    ///         can't grief an operator by spamming pending slashes that all bump the
+    ///         staking-side `_operatorPendingSlashCount`.
+    mapping(address => uint64) internal _operatorActiveSlashProposals;
+
     // ═══════════════════════════════════════════════════════════════════════════
     // RFQ (QUOTE) STORAGE (Slot 81-90)
     // ═══════════════════════════════════════════════════════════════════════════

src/core/Base.sol

@@ -62,6 +62,11 @@ abstract contract Base is
     /// @param registry The new registry address
     event MBSMRegistryUpdated(address indexed registry);
 
+    /// @notice Emitted when a best-effort blueprint-manager hook reverted or ran out of
+    ///         the capped gas stipend. Observable so off-chain monitors can detect a
+    ///         misbehaving BSM without halting the protocol path.
+    event ManagerHookFailed(address indexed manager, bytes4 indexed selector, bytes returnData);
+
     /// @notice Emitted when the metrics recorder is updated
     /// @param recorder The new recorder address (or zero to disable)
     event MetricsRecorderUpdated(address indexed recorder);
@@ -181,13 +186,23 @@ abstract contract Base is
             stakerBps: DEFAULT_STAKER_BPS
         });
 
-        // Initialize EIP-712 domain separator
+        // Domain separator is computed on-the-fly from `block.chainid` (see
+        // `_domainSeparatorView`) so a post-fork chainid mismatch invalidates quotes
+        // signed under the old chain id automatically. We keep the storage slot
+        // populated as a snapshot for off-chain indexers but never read it on-chain.
         _domainSeparator = SignatureLib.computeDomainSeparator("TangleQuote", "1", address(this));
 
         // Initialize slashing config
         SlashingLib.initializeConfig(_slashState);
     }
 
+    /// @notice Compute the EIP-712 domain separator at the *current* chainid. Used by all
+    ///         on-chain quote / signature verification so a chain fork or upgrade does not
+    ///         allow replays signed under a different chainid.
+    function _domainSeparatorView() internal view returns (bytes32) {
+        return SignatureLib.computeDomainSeparator("TangleQuote", "1", address(this));
+    }
+
     // ═══════════════════════════════════════════════════════════════════════════
     // ADMIN
     // ═══════════════════════════════════════════════════════════════════════════
@@ -683,9 +698,17 @@ abstract contract Base is
         }
     }
 
-    /// @notice Call manager with revert on failure
+    /// @notice Maximum gas forwarded to a blueprint manager hook.
+    /// @dev Capped to 500k so a malicious or buggy BSM cannot burn the entire transaction
+    ///      gas, and so that downstream protocol logic always has enough gas left to
+    ///      finalize state changes (CEI). Hooks should be lightweight; bookkeeping work
+    ///      belongs off-chain. The cap is generous enough for typical hook bodies and
+    ///      tightens the worst-case reentrancy / DoS surface significantly.
+    uint256 internal constant MANAGER_HOOK_GAS_LIMIT = 500_000;
+
+    /// @notice Call manager with revert on failure (capped gas).
     function _callManager(address manager, bytes memory data) internal {
-        (bool success, bytes memory returnData) = manager.call(data);
+        (bool success, bytes memory returnData) = manager.call{ gas: MANAGER_HOOK_GAS_LIMIT }(data);
         if (!success) {
             if (returnData.length > 0) {
                 revert Errors.ManagerReverted(manager, returnData);
@@ -694,10 +717,14 @@ abstract contract Base is
         }
     }
 
-    /// @notice Try to call manager, ignore failures
+    /// @notice Try to call manager, ignore failures (capped gas).
+    /// @dev Failure is observable via the `ManagerHookFailed` event so off-chain monitors
+    ///      can detect a misbehaving BSM without halting the protocol path.
     function _tryCallManager(address manager, bytes memory data) internal {
-        (bool success,) = manager.call(data);
-        success; // Silence unused variable warning
+        (bool success, bytes memory returnData) = manager.call{ gas: MANAGER_HOOK_GAS_LIMIT }(data);
+        if (!success) {
+            emit ManagerHookFailed(manager, bytes4(data), returnData);
+        }
     }
 
     // ═══════════════════════════════════════════════════════════════════════════

src/core/BlueprintsCreate.sol

@@ -30,6 +30,7 @@ abstract contract BlueprintsCreate is Base {
     function createBlueprint(Types.BlueprintDefinition calldata def)
         external
         whenNotPaused
+        nonReentrant
         returns (uint64 blueprintId)
     {
         if (address(_mbsmRegistry) == address(0)) revert Errors.MBSMRegistryNotSet();

src/core/BlueprintsManage.sol

@@ -77,7 +77,10 @@ abstract contract BlueprintsManage is Base {
     }
 
     /// @notice Update blueprint metadata
-    function updateBlueprint(uint64 blueprintId, string calldata metadataUri, bytes32 metadataHash) external {
+    function updateBlueprint(uint64 blueprintId, string calldata metadataUri, bytes32 metadataHash)
+        external
+        nonReentrant
+    {
         Types.Blueprint storage bp = _getBlueprint(blueprintId);
         if (bp.owner != msg.sender) {
             revert Errors.NotBlueprintOwner(blueprintId, msg.sender);
@@ -91,7 +94,7 @@ abstract contract BlueprintsManage is Base {
     }
 
     /// @notice Transfer blueprint ownership
-    function transferBlueprint(uint64 blueprintId, address newOwner) external {
+    function transferBlueprint(uint64 blueprintId, address newOwner) external nonReentrant {
         if (newOwner == address(0)) revert Errors.ZeroAddress();
 
         Types.Blueprint storage bp = _getBlueprint(blueprintId);
@@ -105,7 +108,7 @@ abstract contract BlueprintsManage is Base {
     }
 
     /// @notice Deactivate a blueprint
-    function deactivateBlueprint(uint64 blueprintId) external {
+    function deactivateBlueprint(uint64 blueprintId) external nonReentrant {
         Types.Blueprint storage bp = _getBlueprint(blueprintId);
         if (bp.owner != msg.sender) {
             revert Errors.NotBlueprintOwner(blueprintId, msg.sender);
@@ -123,7 +126,10 @@ abstract contract BlueprintsManage is Base {
     /// @param blueprintId The blueprint ID
     /// @param jobIndexes Array of job indexes
     /// @param rates Array of per-job event rates (0 to clear override and use blueprint default)
-    function setJobEventRates(uint64 blueprintId, uint8[] calldata jobIndexes, uint256[] calldata rates) external {
+    function setJobEventRates(uint64 blueprintId, uint8[] calldata jobIndexes, uint256[] calldata rates)
+        external
+        nonReentrant
+    {
         if (jobIndexes.length != rates.length) revert Errors.LengthMismatch();
 
         Types.Blueprint storage bp = _getBlueprint(blueprintId);
@@ -164,6 +170,7 @@ abstract contract BlueprintsManage is Base {
         Types.ResourceCommitment[] calldata requirements
     )
         external
+        nonReentrant
     {
         Types.Blueprint storage bp = _getBlueprint(blueprintId);
         if (bp.owner != msg.sender) {

src/core/JobsRFQ.sol

@@ -172,8 +172,9 @@ abstract contract JobsRFQ is Base {
                 revert Errors.PaymentTooSmall(quote.details.price, PaymentLib.MINIMUM_PAYMENT_AMOUNT);
             }
 
-            // Verify EIP-712 signature and mark as used
-            SignatureLib.verifyAndMarkJobQuoteUsed(_usedQuotes, _domainSeparator, quote, maxQuoteAge);
+            // Verify EIP-712 signature and mark as used. Domain separator is recomputed
+            // per-call against current chainid so cross-fork replay is impossible.
+            SignatureLib.verifyAndMarkJobQuoteUsed(_usedQuotes, _domainSeparatorView(), quote, maxQuoteAge);
 
             totalPrice += quote.details.price;
         }

src/core/Operators.sol

@@ -74,6 +74,7 @@ abstract contract Operators is Base {
     )
         external
         whenNotPaused
+        nonReentrant
     {
         _registerOperator(blueprintId, ecdsaPublicKey, rpcAddress, bytes(""));
     }
@@ -87,6 +88,7 @@ abstract contract Operators is Base {
     )
         external
         whenNotPaused
+        nonReentrant
     {
         _registerOperator(blueprintId, ecdsaPublicKey, rpcAddress, registrationInputs);
     }
@@ -150,25 +152,13 @@ abstract contract Operators is Base {
 
         string memory rpcAddressCopy = rpcAddress;
 
-        // Encode preferences for backwards-compatible manager hooks
-        {
-            bytes memory encodedPreferences =
-                abi.encode(Types.OperatorPreferences({ ecdsaPublicKey: ecdsaPublicKey, rpcAddress: rpcAddressCopy }));
-
-            // Call manager hook first (may reject)
-            if (bp.manager != address(0)) {
-                bytes memory managerPayload = registrationInputs.length > 0 ? registrationInputs : encodedPreferences;
-                _callManager(
-                    bp.manager, abi.encodeCall(IBlueprintServiceManager.onRegister, (msg.sender, managerPayload))
-                );
-            }
-
-            // Store preferences (including ECDSA public key for gossip)
-            _operatorPreferences[blueprintId][msg.sender] =
-                Types.OperatorPreferences({ ecdsaPublicKey: ecdsaPublicKey, rpcAddress: rpcAddressCopy });
-        }
+        // CEI: complete every state write before invoking the (untrusted) BSM hook.
+        // The hook can revert to reject the registration; if it does, all the state
+        // writes are reverted along with it. The hook *cannot* observe partially-
+        // written state, so a malicious BSM cannot exploit half-initialized records.
+        _operatorPreferences[blueprintId][msg.sender] =
+            Types.OperatorPreferences({ ecdsaPublicKey: ecdsaPublicKey, rpcAddress: rpcAddressCopy });
 
-        // Register
         _operatorRegistrations[blueprintId][msg.sender] = Types.OperatorRegistration({
             registeredAt: uint64(block.timestamp), updatedAt: uint64(block.timestamp), active: true, online: true
         });
@@ -189,11 +179,21 @@ abstract contract Operators is Base {
 
         _recordBlueprintRegistration(blueprintId, msg.sender);
         emit OperatorRegistered(blueprintId, msg.sender, ecdsaPublicKey, rpcAddressCopy);
+
+        // Hook fires last so the BSM observes the fully-committed registration.
+        if (bp.manager != address(0)) {
+            bytes memory encodedPreferences =
+                abi.encode(Types.OperatorPreferences({ ecdsaPublicKey: ecdsaPublicKey, rpcAddress: rpcAddressCopy }));
+            bytes memory managerPayload = registrationInputs.length > 0 ? registrationInputs : encodedPreferences;
+            _callManager(
+                bp.manager, abi.encodeCall(IBlueprintServiceManager.onRegister, (msg.sender, managerPayload))
+            );
+        }
     }
 
     /// @notice Unregister from a blueprint
     /// @dev Reverts if operator has any active services for this blueprint
-    function unregisterOperator(uint64 blueprintId) external {
+    function unregisterOperator(uint64 blueprintId) external nonReentrant {
         Types.Blueprint storage bp = _getBlueprint(blueprintId);
         Types.OperatorRegistration storage reg = _operatorRegistrations[blueprintId][msg.sender];
         Types.OperatorPreferences storage prefs = _operatorPreferences[blueprintId][msg.sender];
@@ -207,11 +207,8 @@ abstract contract Operators is Base {
             revert Errors.OperatorHasActiveServices(blueprintId, msg.sender);
         }
 
-        // Call manager hook
-        if (bp.manager != address(0)) {
-            _tryCallManager(bp.manager, abi.encodeCall(IBlueprintServiceManager.onUnregister, (msg.sender)));
-        }
-
+        // CEI: clear operator state BEFORE invoking the (untrusted) BSM hook so the
+        // hook observes a fully-finalized unregistration. Mirrors the registration path.
         bytes32 keyHash;
         if (prefs.ecdsaPublicKey.length != 0) {
             keyHash = keccak256(prefs.ecdsaPublicKey);
@@ -229,10 +226,14 @@ abstract contract Operators is Base {
             _operatorBlueprintCounts[msg.sender] -= 1;
         }
 
-        // Remove blueprint from operator's staking profile
         _staking.removeBlueprintForOperator(msg.sender, blueprintId);
 
         emit OperatorUnregistered(blueprintId, msg.sender);
+
+        // Hook fires last (interaction).
+        if (bp.manager != address(0)) {
+            _tryCallManager(bp.manager, abi.encodeCall(IBlueprintServiceManager.onUnregister, (msg.sender)));
+        }
     }
 
     /// @notice Update operator preferences for a blueprint