@aztec/p2p 0.0.1-commit.3895657bc → 0.0.1-commit.3e3d0c9cd

package/src/client/factory.ts

@@ -17,7 +17,11 @@ import { AttestationPool, type AttestationPoolApi } from '../mem_pools/attestati
 import type { MemPools } from '../mem_pools/interface.js';
 import type { TxPoolV2 } from '../mem_pools/tx_pool_v2/interfaces.js';
 import { AztecKVTxPoolV2 } from '../mem_pools/tx_pool_v2/tx_pool_v2.js';
-import { createTxValidatorForTransactionsEnteringPendingTxPool } from '../msg_validators/index.js';
+import {
+  createCheckAllowedSetupCalls,
+  createTxValidatorForTransactionsEnteringPendingTxPool,
+  getDefaultAllowedSetupFunctions,
+} from '../msg_validators/index.js';
 import { DummyP2PService } from '../services/dummy_service.js';
 import { LibP2PService } from '../services/index.js';
 import { createFileStoreTxSources } from '../services/tx_collection/file_store_tx_source.js';
@@ -75,6 +79,33 @@ export async function createP2PClient(
   const rollupAddress = inputConfig.l1Contracts.rollupAddress.toString().toLowerCase().replace(/^0x/, '');
   const txFileStoreBasePath = `aztec-${inputConfig.l1ChainId}-${inputConfig.rollupVersion}-0x${rollupAddress}`;
 
+  const allowedInSetup = [
+    ...(await getDefaultAllowedSetupFunctions()),
+    ...(inputConfig.txPublicSetupAllowListExtend ?? []),
+  ];
+  const checkAllowedSetupCalls = createCheckAllowedSetupCalls(
+    archiver,
+    allowedInSetup,
+    () => epochCache.getEpochAndSlotInNextL1Slot().ts,
+  );
+
+  const createTxValidator = async () => {
+    // We accept transactions if they are not expired by the next slot and block number (checked based on the ExpirationTimestamp field)
+    const currentBlockNumber = await archiver.getBlockNumber();
+    const { ts: nextSlotTimestamp } = epochCache.getEpochAndSlotInNextL1Slot();
+    const l1Constants = await archiver.getL1Constants();
+    return createTxValidatorForTransactionsEnteringPendingTxPool(
+      worldStateSynchronizer,
+      nextSlotTimestamp,
+      BlockNumber(currentBlockNumber + 1),
+      {
+        rollupManaLimit: l1Constants.rollupManaLimit,
+        maxBlockL2Gas: config.validateMaxL2BlockGas,
+        maxBlockDAGas: config.validateMaxDABlockGas,
+      },
+    );
+  };
+
   const txPool =
     deps.txPool ??
     new AztecKVTxPoolV2(
@@ -83,16 +114,8 @@ export async function createP2PClient(
       {
         l2BlockSource: archiver,
         worldStateSynchronizer,
-        createTxValidator: async () => {
-          // We accept transactions if they are not expired by the next slot and block number (checked based on the ExpirationTimestamp field)
-          const currentBlockNumber = await archiver.getBlockNumber();
-          const { ts: nextSlotTimestamp } = epochCache.getEpochAndSlotInNextL1Slot();
-          return createTxValidatorForTransactionsEnteringPendingTxPool(
-            worldStateSynchronizer,
-            nextSlotTimestamp,
-            BlockNumber(currentBlockNumber + 1),
-          );
-        },
+        checkAllowedSetupCalls,
+        createTxValidator,
       },
       telemetry,
       {

package/src/client/p2p_client.ts

@@ -669,20 +669,28 @@ export class P2PClient extends WithTracer implements P2P {
   }
 
   /**
-   * Returns true if the prune crossed a checkpoint boundary.
-   * If the old and new checkpoint numbers are the same, the prune is within a single checkpoint.
-   * If they differ, the prune spans across checkpoints (epoch prune).
+   * Returns true if the prune is an epoch prune (new checkpoint number is less than old).
+   * If the checkpoint number stays the same or increases, the prune is within a checkpoint.
    */
   private async isEpochPrune(newCheckpoint: CheckpointId): Promise<boolean> {
     const tips = await this.l2Tips.getL2Tips();
     const oldCheckpointNumber = tips.checkpointed.checkpoint.number;
-    if (oldCheckpointNumber <= CheckpointNumber.ZERO) {
+    if (oldCheckpointNumber <= CheckpointNumber.INITIAL) {
       return false;
     }
-    const isEpochPrune = oldCheckpointNumber !== newCheckpoint.number;
-    this.log.info(
-      `Detected epoch prune: ${isEpochPrune}. Old checkpoint: ${oldCheckpointNumber}, new checkpoint: ${newCheckpoint.number}`,
-    );
+    const newCheckpointNumber = newCheckpoint.number;
+    // We check that the new checkpoint number is less than the old checkpoint number in order to consider it an epoch prune.
+    // To be more certain that it is an epoch prune, we will check that at least 2 checkpoints were removed.
+    // This means we should avoid thinking checkpoints removed by L1 re-orgs are epoch prunes
+    const thresholdForEpochPrune = CheckpointNumber(oldCheckpointNumber - 2);
+    const isEpochPrune = newCheckpointNumber <= thresholdForEpochPrune;
+    if (isEpochPrune) {
+      this.log.info(`Detected epoch prune to ${newCheckpointNumber}`, {
+        oldCheckpointNumber,
+        newCheckpointNumber,
+        thresholdForEpochPrune,
+      });
+    }
     return isEpochPrune;
   }
 

package/src/config.ts

@@ -43,6 +43,12 @@ export interface P2PConfig
   /** Maximum transactions per block for validation. Overrides maxTxsPerBlock for gossip validation when set. */
   validateMaxTxsPerBlock?: number;
 
+  /** Maximum L2 gas per block for validation. When set, txs exceeding this limit are rejected. */
+  validateMaxL2BlockGas?: number;
+
+  /** Maximum DA gas per block for validation. When set, txs exceeding this limit are rejected. */
+  validateMaxDABlockGas?: number;
+
   /** A flag dictating whether the P2P subsystem should be enabled. */
   p2pEnabled: boolean;
 
@@ -208,6 +214,16 @@ export const p2pConfigMappings: ConfigMappingsType<P2PConfig> = {
       'Maximum transactions per block for validation. Overrides maxTxsPerBlock for gossip validation when set.',
     parseEnv: (val: string) => (val ? parseInt(val, 10) : undefined),
   },
+  validateMaxL2BlockGas: {
+    env: 'VALIDATOR_MAX_L2_BLOCK_GAS',
+    description: 'Maximum L2 gas per block for validation. When set, txs exceeding this limit are rejected.',
+    parseEnv: (val: string) => (val ? parseInt(val, 10) : undefined),
+  },
+  validateMaxDABlockGas: {
+    env: 'VALIDATOR_MAX_DA_BLOCK_GAS',
+    description: 'Maximum DA gas per block for validation. When set, txs exceeding this limit are rejected.',
+    parseEnv: (val: string) => (val ? parseInt(val, 10) : undefined),
+  },
   p2pEnabled: {
     env: 'P2P_ENABLED',
     description: 'A flag dictating whether the P2P subsystem should be enabled.',

package/src/mem_pools/tx_pool/eviction/fee_payer_balance_eviction_rule.ts

@@ -32,10 +32,11 @@ export class FeePayerBalanceEvictionRule implements EvictionRule {
 
       if (context.event === EvictionEvent.BLOCK_MINED) {
         const blockNumber = context.block.getBlockNumber();
+        const blockHash = await context.block.hash();
         // Ensure world state is synced to this block before accessing the snapshot.
         // This handles the race where a block is added to the archiver
         // but the world state hasn't synced it yet.
-        await this.worldState.syncImmediate(blockNumber);
+        await this.worldState.syncImmediate(blockNumber, blockHash);
         return await this.evictForFeePayers(context.feePayers, this.worldState.getSnapshot(blockNumber), txPool);
       }
 

package/src/mem_pools/tx_pool/priority.ts

@@ -1,3 +1,4 @@
+import { minBigint } from '@aztec/foundation/bigint';
 import { Buffer32 } from '@aztec/foundation/buffer';
 import type { Tx } from '@aztec/stdlib/tx';
 
@@ -11,10 +12,9 @@ export function getPendingTxPriority(tx: Tx): string {
 }
 
 /**
- * Returns the priority of a tx.
+ * Returns the priority of a tx based on the L2 priority fee only, capped by the max fees per gas.
  */
 export function getTxPriorityFee(tx: Tx): bigint {
-  const priorityFees = tx.getGasSettings().maxPriorityFeesPerGas;
-  const totalFees = priorityFees.feePerDaGas + priorityFees.feePerL2Gas;
-  return totalFees;
+  const { maxPriorityFeesPerGas: priorityFees, maxFeesPerGas } = tx.getGasSettings();
+  return minBigint(maxFeesPerGas.feePerL2Gas, priorityFees.feePerL2Gas);
 }

package/src/mem_pools/tx_pool/tx_pool_test_suite.ts

@@ -204,7 +204,9 @@ export function describeTxPool(getTxPool: () => TxPool) {
 
   it('returns pending tx hashes sorted by priority', async () => {
     const withPriorityFee = (tx: Tx, fee: number) => {
-      unfreeze(tx.data.constants.txContext.gasSettings).maxPriorityFeesPerGas = new GasFees(fee, fee);
+      const gs = unfreeze(tx.data.constants.txContext.gasSettings);
+      gs.maxPriorityFeesPerGas = new GasFees(fee, fee);
+      gs.maxFeesPerGas = new GasFees(fee, fee);
       return tx;
     };
 

package/src/mem_pools/tx_pool_v2/eviction/fee_payer_balance_eviction_rule.ts

@@ -29,7 +29,8 @@ export class FeePayerBalanceEvictionRule implements EvictionRule {
 
       if (context.event === EvictionEvent.BLOCK_MINED) {
         const blockNumber = context.block.getBlockNumber();
-        await this.worldState.syncImmediate(blockNumber);
+        const blockHash = await context.block.hash();
+        await this.worldState.syncImmediate(blockNumber, blockHash);
         return await this.evictForFeePayers(context.feePayers, this.worldState.getSnapshot(blockNumber), pool);
       }
 

package/src/mem_pools/tx_pool_v2/interfaces.ts

@@ -72,6 +72,8 @@ export type TxPoolV2Dependencies = {
   worldStateSynchronizer: WorldStateSynchronizer;
   /** Factory that creates a validator for re-validating pool transactions using metadata */
   createTxValidator: () => Promise<TxValidator<TxMetaData>>;
+  /** Checks whether a tx's setup-phase calls are on the allow list. Precomputed at receipt time. */
+  checkAllowedSetupCalls: (tx: Tx) => Promise<boolean>;
 };
 
 /**

package/src/mem_pools/tx_pool_v2/tx_metadata.ts

@@ -67,6 +67,9 @@ export type TxMetaData = {
   /** Timestamp by which the transaction must be included (for expiration checks) */
   readonly expirationTimestamp: bigint;
 
+  /** Whether the tx's setup-phase calls pass the allow list check. Computed at receipt time. */
+  readonly allowedSetupCalls: boolean;
+
   /** Validator-compatible data, providing the same access patterns as Tx.data */
   readonly data: TxMetaValidationData;
 
@@ -84,8 +87,12 @@ export type TxState = 'pending' | 'protected' | 'mined' | 'deleted';
  * Builds TxMetaData from a full Tx object.
  * Extracts all relevant fields for efficient in-memory storage and querying.
  * Fr values are captured in closures for zero-cost re-validation.
+ *
+ * @param allowedSetupCalls - Whether the tx's setup-phase calls pass the allow list.
+ *   For gossip/RPC txs this is always `true` (already validated by PhasesTxValidator).
+ *   For req/resp txs this should be computed by the caller using the phases validator.
  */
-export async function buildTxMetaData(tx: Tx): Promise<TxMetaData> {
+export async function buildTxMetaData(tx: Tx, allowedSetupCalls: boolean = true): Promise<TxMetaData> {
   const txHashObj = tx.getTxHash();
   const txHash = txHashObj.toString();
   const txHashBigInt = txHashObj.toBigInt();
@@ -112,6 +119,7 @@ export async function buildTxMetaData(tx: Tx): Promise<TxMetaData> {
     feeLimit,
     nullifiers,
     expirationTimestamp,
+    allowedSetupCalls,
     receivedAt: 0,
     estimatedSizeBytes,
     data: {
@@ -304,6 +312,7 @@ export function stubTxMetaData(
     nullifiers?: string[];
     expirationTimestamp?: bigint;
     anchorBlockHeaderHash?: string;
+    allowedSetupCalls?: boolean;
   } = {},
 ): TxMetaData {
   const txHashBigInt = Fr.fromHexString(txHash).toBigInt();
@@ -320,6 +329,7 @@ export function stubTxMetaData(
     feeLimit: overrides.feeLimit ?? 100n,
     nullifiers: overrides.nullifiers ?? [`0x${normalizedTxHash.slice(2)}null1`],
     expirationTimestamp,
+    allowedSetupCalls: overrides.allowedSetupCalls ?? true,
     receivedAt: 0,
     estimatedSizeBytes: 0,
     data: stubTxMetaValidationData({ expirationTimestamp }),

package/src/mem_pools/tx_pool_v2/tx_pool_v2.ts

@@ -11,7 +11,14 @@ import { type TelemetryClient, getTelemetryClient } from '@aztec/telemetry-clien
 import EventEmitter from 'node:events';
 
 import { PoolInstrumentation, PoolName } from '../instrumentation.js';
-import type { AddTxsResult, TxPoolV2, TxPoolV2Config, TxPoolV2Dependencies, TxPoolV2Events } from './interfaces.js';
+import type {
+  AddTxsResult,
+  PoolReadAccess,
+  TxPoolV2,
+  TxPoolV2Config,
+  TxPoolV2Dependencies,
+  TxPoolV2Events,
+} from './interfaces.js';
 import type { TxState } from './tx_metadata.js';
 import { TxPoolV2Impl } from './tx_pool_v2_impl.js';
 
@@ -165,6 +172,11 @@ export class AztecKVTxPoolV2 extends (EventEmitter as new () => TypedEventEmitte
     return this.#queue.put(() => Promise.resolve(this.#impl.getLowestPriorityPending(limit)));
   }
 
+  /** Returns read-only access to the pool. Used for testing. */
+  getPoolReadAccess(): PoolReadAccess {
+    return this.#impl.getPoolReadAccess();
+  }
+
   // === Configuration ===
 
   updateConfig(config: Partial<TxPoolV2Config>): Promise<void> {

package/src/mem_pools/tx_pool_v2/tx_pool_v2_impl.ts

@@ -62,6 +62,7 @@ export class TxPoolV2Impl {
   #l2BlockSource: L2BlockSource;
   #worldStateSynchronizer: WorldStateSynchronizer;
   #createTxValidator: TxPoolV2Dependencies['createTxValidator'];
+  #checkAllowedSetupCalls: TxPoolV2Dependencies['checkAllowedSetupCalls'];
 
   // === In-Memory Indices ===
   #indices: TxPoolIndices = new TxPoolIndices();
@@ -93,6 +94,7 @@ export class TxPoolV2Impl {
     this.#l2BlockSource = deps.l2BlockSource;
     this.#worldStateSynchronizer = deps.worldStateSynchronizer;
     this.#createTxValidator = deps.createTxValidator;
+    this.#checkAllowedSetupCalls = deps.checkAllowedSetupCalls;
 
     this.#config = { ...DEFAULT_TX_POOL_V2_CONFIG, ...config };
     this.#archive = new TxArchive(archiveStore, this.#config.archivedTxLimit, log);
@@ -354,6 +356,7 @@ export class TxPoolV2Impl {
 
     // Check if already in pool
     if (this.#indices.has(txHashStr)) {
+      this.#log.verbose(`canAddPendingTx: tx ${txHashStr} already in pool`);
       return 'ignored';
     }
 
@@ -362,26 +365,37 @@ export class TxPoolV2Impl {
     const poolAccess = this.#createPreAddPoolAccess();
     const preAddResult = await this.#evictionManager.runPreAddRules(meta, poolAccess);
 
-    return preAddResult.shouldIgnore ? 'ignored' : 'accepted';
+    if (preAddResult.shouldIgnore) {
+      this.#log.verbose(`canAddPendingTx: tx ${txHashStr} ignored by pre-add rule`, {
+        reason: preAddResult.reason?.message ?? 'no reason provided',
+      });
+      return 'ignored';
+    }
+    return 'accepted';
   }
 
   async addProtectedTxs(txs: Tx[], block: BlockHeader, opts: { source?: string }): Promise<void> {
     const slotNumber = block.globalVariables.slotNumber;
 
+    // Precompute setup-call allow-list flags outside the store transaction
+    const allowedFlags = await Promise.all(txs.map(tx => this.#checkAllowedSetupCalls(tx)));
+
     await this.#store.transactionAsync(async () => {
-      for (const tx of txs) {
+      for (let i = 0; i < txs.length; i++) {
+        const tx = txs[i];
         const txHash = tx.getTxHash();
         const txHashStr = txHash.toString();
         const isNew = !this.#indices.has(txHashStr);
         const minedBlockId = await this.#getMinedBlockId(txHash);
 
         if (isNew) {
+          const meta = await buildTxMetaData(tx, allowedFlags[i]);
           // New tx - add as mined or protected (callback emitted by #addTx)
           if (minedBlockId) {
-            await this.#addTx(tx, { mined: minedBlockId }, opts);
+            await this.#addTx(tx, { mined: minedBlockId }, opts, meta);
             this.#indices.setProtection(txHashStr, slotNumber);
           } else {
-            await this.#addTx(tx, { protected: slotNumber }, opts);
+            await this.#addTx(tx, { protected: slotNumber }, opts, meta);
           }
         } else {
           // Existing tx - update protection and mined status
@@ -976,7 +990,8 @@ export class TxPoolV2Impl {
 
       try {
         const tx = Tx.fromBuffer(buffer);
-        const meta = await buildTxMetaData(tx);
+        const allowedSetupCalls = await this.#checkAllowedSetupCalls(tx);
+        const meta = await buildTxMetaData(tx, allowedSetupCalls);
         loaded.push({ tx, meta });
       } catch (err) {
         this.#log.warn(`Failed to deserialize tx ${txHashStr}, deleting`, { err });

package/src/msg_validators/attestation_validator/README.md

@@ -0,0 +1,49 @@
+# Attestation Validation
+
+This module validates `CheckpointAttestation` gossipsub messages. Attestations are signatures from committee members endorsing a checkpoint proposal.
+
+**Topic**: `checkpoint_attestation` | **Snappy size limit**: 5 KB
+
+## Stage 1: AttestationValidator (Gossipsub Validation)
+
+| # | Rule | Consequence | Severity | File |
+|---|------|-------------|----------|------|
+| 1 | **Slot timeliness**: `currentSlot` or `nextSlot`. Previous slot within 500ms: IGNORE. Older: REJECT. | REJECT or IGNORE | HighToleranceError | `attestation_validator.ts` |
+| 2 | **Attester signature**: `getSender()` must recover valid address | REJECT | LowToleranceError | same |
+| 3 | **Attester in committee**: recovered address in committee for slot | REJECT | HighToleranceError | same |
+| 4 | **Proposer exists**: `getProposerAttesterAddressInSlot` must return defined | REJECT | HighToleranceError | same |
+| 5 | **Proposer signature**: `getProposer()` must recover valid address | REJECT | LowToleranceError | same |
+| 6 | **Proposer matches expected**: recovered proposer = expected for slot | REJECT | HighToleranceError | same |
+| 7 | **NoCommitteeError**: committee unavailable | REJECT | LowToleranceError | same |
+
+**Fisherman mode extension** (`FishermanAttestationValidator`): if a checkpoint proposal for the same archive exists in pool, the attestation's `ConsensusPayload` must `.equals()` the stored proposal's payload. On mismatch: REJECT + LowToleranceError.
+
+## Stage 2: Pool Admission
+
+| # | Rule | Consequence |
+|---|------|-------------|
+| 8 | Sender recoverable (pool-side) | Silent drop |
+| 9 | Not a duplicate (same slot + proposalId + signer) | IGNORE |
+| 10 | Per-signer cap: `MAX_ATTESTATIONS_PER_SLOT_AND_SIGNER` = 3 | IGNORE |
+
+Own attestations added via `addOwnCheckpointAttestations` bypass the per-signer cap.
+
+## Stage 3: Equivocation Detection
+
+When a signer's attestation count for a slot reaches exactly 2 (different proposals): `duplicateAttestationCallback` fires -> `WANT_TO_SLASH_EVENT` with `OffenseType.DUPLICATE_ATTESTATION`. Attestation still ACCEPTED and rebroadcast. Callback fires once (not again at count 3+).
+
+## Validation at L1 Checkpoint Submission (Archiver)
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| Each attestation must have recoverable signature (or address-only is allowed but does not count toward quorum) | Checkpoint rejected as invalid | `archiver/src/modules/validation.ts` |
+| Attestation at index `i` must correspond to committee member at index `i` | Checkpoint rejected as invalid | same |
+| Valid attestation count >= floor(committee * 2/3) + 1 | Checkpoint rejected as invalid | same |
+| No committee / escape hatch open | Accepted unconditionally | same |
+
+Note: `skipValidateCheckpointAttestations` config flag bypasses all archiver attestation validation.
+
+## Gossipsub Topic Scoring
+
+P3 enabled with expected messages per slot = `targetCommitteeSize`. Conservative threshold (30% of convergence value). Max P3 penalty = -34 per topic.
+

package/src/msg_validators/proposal_validator/README.md

@@ -0,0 +1,123 @@
+# Proposal Validation
+
+This module validates `BlockProposal` and `CheckpointProposal` gossipsub messages. Both share the same base `ProposalValidator` (neither subclass overrides `validate()`), with checkpoint-specific logic layered on top in the gossipsub handler.
+
+## BlockProposal
+
+**Topic**: `block_proposal` | **Snappy size limit**: 10 MB
+
+### Stage 1: Gossipsub Validation (ProposalValidator)
+
+File: `proposal_validator.ts`
+
+| # | Rule | Consequence | Severity |
+|---|------|-------------|----------|
+| 1 | **Slot check**: must be `currentSlot` or `nextSlot`. Previous slot within 500ms tolerance: IGNORE. | REJECT | HighToleranceError |
+| 2 | **Signature**: `getSender()` must recover a valid address. If `signedTxs` present, its recovered sender must match. | REJECT | MidToleranceError |
+| 3 | **Txs permitted**: if `disableTransactions`, must have 0 txHashes and 0 embedded txs | REJECT | MidToleranceError |
+| 4 | **Max txs**: `txHashes.length <= maxTxsPerBlock` | REJECT | MidToleranceError |
+| 5 | **Embedded txs in txHashes**: every embedded tx's hash must appear in `txHashes` | REJECT | MidToleranceError |
+| 6 | **Proposer check**: signer must match expected proposer for slot (skipped if committee size = 0) | REJECT | MidToleranceError |
+| 7 | **Tx hash integrity**: each embedded tx's recomputed hash must match declared hash | REJECT | LowToleranceError |
+| 8 | **NoCommitteeError**: epoch cache cannot determine committee | REJECT | LowToleranceError |
+
+Deserialization guards: `BlockProposal.fromBuffer` and `SignedTxs.fromBuffer` both enforce `txCount <= MAX_TXS_PER_BLOCK` (65536). Violation -> REJECT + LowToleranceError.
+
+### Stage 2: Mempool (Attestation Pool)
+
+| # | Rule | Consequence |
+|---|------|-------------|
+| 9 | **Duplicate**: same archive root already stored | IGNORE (no penalty) |
+| 10 | **Per-position cap**: max 3 proposals per (slot, indexWithinCheckpoint) | REJECT + HighToleranceError |
+| 11 | **Equivocation**: >1 distinct proposal for same (slot, index) | ACCEPT (rebroadcast for detection). At count=2: `duplicateProposalCallback` fires -> slash event (`OffenseType.DUPLICATE_PROPOSAL`, configured via `slashDuplicateProposalPenalty`) |
+
+### Stage 3: Validator-Client Processing (BlockProposalHandler)
+
+Only runs on validator nodes. Non-validator nodes use a default handler that triggers tx collection without deep validation.
+
+| # | Rule | Failure Reason |
+|---|------|----------------|
+| 12 | Signature re-check | `invalid_proposal` |
+| 13 | ProposalValidator re-run | `invalid_proposal` |
+| 14 | Self-proposal filter | Ignored silently |
+| 15 | Parent block exists (`lastArchive.root` matches known block or genesis) | `parent_block_not_found` |
+| 16 | Parent block slot <= proposal slot | `parent_block_wrong_slot` |
+| 17 | Block number not already in archiver | `block_number_already_exists` |
+| 18 | Checkpoint number consistency (multiple sub-rules for first/non-first blocks) | `invalid_proposal` |
+| 19 | Global variables consistency (non-first block: chainId, version, slot, timestamp, coinbase, feeRecipient, gasFees match parent) | `global_variables_mismatch` |
+| 20 | L1-to-L2 message hash matches `proposal.inHash` | `in_hash_mismatch` |
+| 21 | All txs referenced by `txHashes` obtainable | `txs_not_available` |
+| 22 | **Re-execution**: processed tx count matches `txHashes.length` | `timeout` (ReExTimeoutError) |
+| 23 | **Re-execution**: no failed txs | `failed_txs` (ReExFailedTxsError) -- **SLASHABLE** |
+| 24 | **Re-execution**: archive root and header match proposal | `state_mismatch` (ReExStateMismatchError) -- **SLASHABLE** |
+
+**Escape hatch**: during escape hatch periods (`isEscapeHatchOpenAtSlot`), re-execution and slashing are both disabled, and the proposal is rejected locally.
+
+**Conditional re-execution**: rules 22-24 only run when at least one condition is true: `fishermanMode` enabled, `slashBroadcastedInvalidBlockPenalty > 0` with `validatorReexecute`, committee membership with `validatorReexecute`, `alwaysReexecuteBlockProposals`, or `blobClient.canUpload()`.
+
+**Slashing**: only `state_mismatch` and `failed_txs` trigger on-chain slashing (`OffenseType.BROADCASTED_INVALID_BLOCK_PROPOSAL`, gated by `slashBroadcastedInvalidBlockPenalty > 0`). Unknown errors during re-execution do NOT slash.
+
+**Embedded tx validation**: txs in `signedTxs` are validated via `createTxValidatorForBlockProposalReceivedTxs` (well-formedness only) when stored in the tx pool. Invalid embedded txs are rejected from the pool but do not cause the block proposal itself to be rejected at gossipsub level.
+
+### Gossipsub Topic Scoring
+
+| Parameter | Effect |
+|-----------|--------|
+| P4 (invalidMessageDeliveries) | weight = -20, decay over 4 slots |
+| P3 (meshMessageDeliveries) | Enabled only when `expectedBlockProposalsPerSlot > 0` (MBPS mode) |
+| P1/P2 | Only active when P3 is enabled |
+
+---
+
+## CheckpointProposal
+
+**Topic**: `checkpoint_proposal` | **Snappy size limit**: 10 MB
+
+### Stage 1: Gossipsub Validation (ProposalValidator)
+
+Same `ProposalValidator.validate()` as BlockProposal (shared implementation, neither subclass overrides it). See BlockProposal Stage 1 rules 1-8.
+
+### Stage 2: Embedded Block Proposal Validation (if `lastBlock` present)
+
+The checkpoint's embedded `lastBlock` is extracted via `getBlockProposal()` and validated through `BlockProposalValidator.validate()` plus block mempool checks.
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| Block proposal must pass `BlockProposalValidator.validate()` | If REJECT: entire checkpoint REJECTED | `libp2p_service.ts` |
+| Block proposal must not exceed per-position cap (3) | Checkpoint REJECTED + HighToleranceError | same |
+| Block equivocation detected (>1 proposals for same slot+index) | Checkpoint REJECTED (block itself is ACCEPT for re-broadcast) | same |
+
+### Stage 3: Mempool (Attestation Pool)
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| Duplicate (same archive ID) | IGNORE (no penalty). Embedded block still processed if valid. | `attestation_pool.ts` |
+| Per-slot cap: `MAX_CHECKPOINT_PROPOSALS_PER_SLOT` = 5 | REJECT + HighToleranceError. Embedded block still processed. | same |
+
+### Stage 4: Equivocation Detection
+
+When >1 checkpoint proposals exist for same slot (count > 1): ACCEPT (re-broadcast). At count == 2 (exactly): `duplicateProposalCallback` fires. Proposal NOT further processed. Callback fires only once per equivocation pair.
+
+### Stage 5: Validator-Client Consensus Validation
+
+Determines whether the validator signs an attestation.
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| Escape hatch open | No attestation | `validator-client/src/validator.ts` |
+| Signature invalid (re-check) | No attestation | same |
+| Self-proposal | No attestation (ignored) | same |
+| `feeAssetPriceModifier` outside [-100, +100] bps | No attestation | same |
+| Not in committee (unless fisherman mode) | No attestation | same |
+| Checkpoint header mismatch (computed vs proposal) | No attestation | same |
+| Archive root mismatch | No attestation | same |
+| Epoch out hash mismatch | No attestation | same |
+| Last block not found / not matching | No attestation | same |
+| Already attested to this or earlier slot | No attestation (unless `attestToEquivocatedProposals`) | same |
+
+**`skipCheckpointProposalValidation` config**: when true, the re-execution checks (header/archive/epoch hash) are all skipped. Signature, fee modifier, committee, escape hatch, and equivocation checks still apply.
+
+### Gossipsub Topic Scoring
+
+P3 enabled with expected rate of 1 message per slot. P4 weight = -20, max P3 penalty = -34 per topic.
+

package/src/msg_validators/tx_validator/README.md

@@ -75,10 +75,12 @@ This validator is invoked on **every** transaction potentially entering the pend
 - Startup hydration — revalidating persisted non-mined txs on node restart
 
 Runs:
-- DoubleSpend, BlockHeader, GasLimits, Timestamp
+- DoubleSpend, BlockHeader, GasLimits, Timestamp, AllowedSetupCalls
 
 Operates on `TxMetaData` (pre-built by the pool) rather than full `Tx` objects.
 
+The `AllowedSetupCallsMetaValidator` checks a precomputed boolean flag (`TxMetaData.allowedSetupCalls`) rather than re-running the full `PhasesTxValidator`. This flag is computed by `createCheckAllowedSetupCalls` when the tx first enters the pool (via `addProtectedTxs` or startup hydration), so the pool migration validator can reject txs with disallowed setup calls without needing the full `Tx` object or its dependencies.
+
 ## Individual Validators
 
 | Validator | What it checks | Benchmarked verification duration |
@@ -92,6 +94,7 @@ Operates on `TxMetaData` (pre-built by the pool) rather than full `Tx` objects.
 | `GasTxValidator` | Gas limits are within bounds (delegates to `GasLimitsValidator`), max fee per gas meets current block fees, and fee payer has sufficient FeeJuice balance | 1.02 ms |
 | `GasLimitsValidator` | Gas limits are >= fixed minimums and <= AVM max processable L2 gas. Used standalone in pool migration; also called internally by `GasTxValidator` | 3–10 us |
 | `PhasesTxValidator` | Public function calls in setup phase are on the allow list | 10.12–13.12 us |
+| `AllowedSetupCallsMetaValidator` | Checks the precomputed `allowedSetupCalls` flag on `TxMetaData`. Used in pool migration instead of the full `PhasesTxValidator` | — |
 | `BlockHeaderTxValidator` | Transaction's anchor block hash exists in the archive tree | 98.88 us |
 | `TxProofValidator` | Client proof verifies correctly | ~250ms |
 
@@ -108,6 +111,7 @@ Operates on `TxMetaData` (pre-built by the pool) rather than full `Tx` objects.
 | Gas (balance + limits) | Stage 1 | Optional* | — | Yes | — |
 | GasLimits (standalone) | — | — | — | — | Yes |
 | Phases | Stage 1 | Yes | — | Yes | — |
+| AllowedSetupCalls | — | — | — | — | Yes |
 | BlockHeader | Stage 1 | Yes | — | Yes | Yes |
 | Proof | Stage 2 | Optional** | Yes | — | — |
 

package/src/msg_validators/tx_validator/factory.ts

@@ -58,7 +58,7 @@ import { DoubleSpendTxValidator, type NullifierSource } from './double_spend_val
 import { GasLimitsValidator, GasTxValidator } from './gas_validator.js';
 import { MetadataTxValidator } from './metadata_validator.js';
 import { NullifierCache } from './nullifier_cache.js';
-import { PhasesTxValidator } from './phases_validator.js';
+import { AllowedSetupCallsMetaValidator, PhasesTxValidator } from './phases_validator.js';
 import { SizeTxValidator } from './size_validator.js';
 import { TimestampTxValidator } from './timestamp_validator.js';
 import { TxPermittedValidator } from './tx_permitted_validator.js';
@@ -97,6 +97,7 @@ export function createFirstStageTxValidationsForGossipedTransactions(
   txsPermitted: boolean,
   allowedInSetup: AllowedElement[] = [],
   bindings?: LoggerBindings,
+  gasLimitOpts?: { rollupManaLimit?: number; maxBlockL2Gas?: number; maxBlockDAGas?: number },
 ): Record<string, TransactionValidator> {
   const merkleTree = worldStateSynchronizer.getCommitted();
 
@@ -158,6 +159,7 @@ export function createFirstStageTxValidationsForGossipedTransactions(
         ProtocolContractAddress.FeeJuice,
         gasFees,
         bindings,
+        gasLimitOpts,
       ),
       severity: PeerErrorSeverity.MidToleranceError,
     },
@@ -278,6 +280,9 @@ export function createTxValidatorForAcceptingTxsOverRPC(
     timestamp,
     blockNumber,
     txsPermitted,
+    rollupManaLimit,
+    maxBlockL2Gas,
+    maxBlockDAGas,
   }: {
     l1ChainId: number;
     rollupVersion: number;
@@ -287,6 +292,9 @@ export function createTxValidatorForAcceptingTxsOverRPC(
     timestamp: UInt64;
     blockNumber: BlockNumber;
     txsPermitted: boolean;
+    rollupManaLimit: number;
+    maxBlockL2Gas?: number;
+    maxBlockDAGas?: number;
   },
   bindings?: LoggerBindings,
 ): TxValidator<Tx> {
@@ -317,7 +325,11 @@ export function createTxValidatorForAcceptingTxsOverRPC(
 
   if (!skipFeeEnforcement) {
     validators.push(
-      new GasTxValidator(new DatabasePublicStateSource(db), ProtocolContractAddress.FeeJuice, gasFees, bindings),
+      new GasTxValidator(new DatabasePublicStateSource(db), ProtocolContractAddress.FeeJuice, gasFees, bindings, {
+        rollupManaLimit,
+        maxBlockL2Gas,
+        maxBlockDAGas,
+      }),
     );
   }
 
@@ -403,6 +415,7 @@ export async function createTxValidatorForTransactionsEnteringPendingTxPool(
   worldStateSynchronizer: WorldStateSynchronizer,
   timestamp: bigint,
   blockNumber: BlockNumber,
+  gasLimitOpts: { rollupManaLimit?: number; maxBlockL2Gas?: number; maxBlockDAGas?: number },
   bindings?: LoggerBindings,
 ): Promise<TxValidator<TxMetaData>> {
   await worldStateSynchronizer.syncImmediate();
@@ -419,9 +432,29 @@ export async function createTxValidatorForTransactionsEnteringPendingTxPool(
     },
   };
   return new AggregateTxValidator<TxMetaData>(
-    new GasLimitsValidator<TxMetaData>(bindings),
+    new GasLimitsValidator<TxMetaData>({ ...gasLimitOpts, bindings }),
     new TimestampTxValidator<TxMetaData>({ timestamp, blockNumber }, bindings),
     new DoubleSpendTxValidator<TxMetaData>(nullifierSource, bindings),
     new BlockHeaderTxValidator<TxMetaData>(archiveSource, bindings),
+    new AllowedSetupCallsMetaValidator<TxMetaData>(bindings),
   );
 }
+
+/**
+ * Creates a function that checks whether a tx's setup-phase calls are on the allow list.
+ *
+ * Uses the `PhasesTxValidator` on the full Tx. The result is stored as a boolean
+ * flag in `TxMetaData.allowedSetupCalls` at receipt time, so the pending pool
+ * migration validator can check it without needing the full Tx or its dependencies.
+ */
+export function createCheckAllowedSetupCalls(
+  contractDataSource: ContractDataSource,
+  setupAllowList: AllowedElement[],
+  getTimestamp: () => UInt64,
+): (tx: Tx) => Promise<boolean> {
+  return async (tx: Tx) => {
+    const validator = new PhasesTxValidator(contractDataSource, setupAllowList, getTimestamp());
+    const result = await validator.validateTx(tx);
+    return result.result === 'valid';
+  };
+}