@aztec/validator-ha-signer 0.0.1-commit.96bb3f7 → 0.0.1-commit.9d2bcf6d

package/README.md

@@ -9,39 +9,21 @@ Distributed locking and slashing protection for Aztec validators running in high
 - **Automatic Retry**: Failed signing attempts are cleared, allowing other nodes to retry
 - **PostgreSQL Backend**: Shared database for coordination across nodes
 
-## Quick Start
+## Integration with Validator Client
 
-### Option 1: Automatic Migrations (Simplest)
+The HA signer is automatically integrated into the validator client when `VALIDATOR_HA_SIGNING_ENABLED=true` is set. The validator client will:
 
-```typescript
-import { createHASigner } from '@aztec/validator-ha-signer/factory';
+1. Create the HA signer using `createHASigner()` from the factory
+2. Wrap the base keystore with `HAKeyStore` to provide HA-protected signing
+3. Automatically start/stop the signer lifecycle
 
-// Migrations run automatically on startup
-const { signer, db } = await createHASigner({
-  databaseUrl: process.env.DATABASE_URL,
-  enabled: true,
-  nodeId: 'validator-node-1',
-  pollingIntervalMs: 100,
-  signingTimeoutMs: 3000,
-});
+No manual integration is required when using the validator client.
 
-// Start background cleanup tasks
-signer.start();
+## Manual Usage
 
-// Sign with protection
-const signature = await signer.signWithProtection(
-  validatorAddress,
-  messageHash,
-  { slot: 100n, blockNumber: 50n, dutyType: 'BLOCK_PROPOSAL' },
-  async root => localSigner.signMessage(root),
-);
+For advanced use cases or testing, you can use the HA signer directly. **Note**: Database migrations must be run separately before creating the signer (see [Database Migrations](#database-migrations) below).
 
-// Cleanup on shutdown
-await signer.stop();
-await db.close();
-```
-
-### Option 2: Manual Migrations (Recommended for Production)
+### Basic Usage
 
 ```bash
 # 1. Run migrations separately (once per deployment)
@@ -54,7 +36,7 @@ import { createHASigner } from '@aztec/validator-ha-signer/factory';
 
 const { signer, db } = await createHASigner({
   databaseUrl: process.env.DATABASE_URL,
-  enabled: true,
+  haSigningEnabled: true,
   nodeId: 'validator-node-1',
   pollingIntervalMs: 100,
   signingTimeoutMs: 3000,
@@ -63,6 +45,14 @@ const { signer, db } = await createHASigner({
 // Start background cleanup tasks
 signer.start();
 
+// Sign with protection
+const signature = await signer.signWithProtection(
+  validatorAddress,
+  messageHash,
+  { slot: 100n, blockNumber: 50n, blockIndexWithinCheckpoint: 0, dutyType: 'BLOCK_PROPOSAL' },
+  async root => localSigner.signMessage(root),
+);
+
 // On shutdown
 await signer.stop();
 await db.close();
@@ -73,7 +63,7 @@ await db.close();
 If you need custom pool configuration (e.g., max connections, idle timeout) or want to share a connection pool across multiple components:
 
 > **Note**: You still need to run migrations separately before using this approach.
-> See [Option 2](#option-2-manual-migrations-recommended-for-production) above.
+> See [Database Migrations](#database-migrations) below.
 
 ```typescript
 import { PostgresSlashingProtectionDatabase } from '@aztec/validator-ha-signer/db';
@@ -91,11 +81,11 @@ const db = new PostgresSlashingProtectionDatabase(pool);
 await db.initialize();
 
 const signer = new ValidatorHASigner(db, {
-  enabled: true,
+  haSigningEnabled: true,
   nodeId: 'validator-node-1',
   pollingIntervalMs: 100,
   signingTimeoutMs: 3000,
-  maxStuckDutiesAgeMs: 72000,
+  maxStuckDutiesAgeMs: 144000,
 });
 
 // Start background cleanup tasks
@@ -111,11 +101,15 @@ await pool.end(); // You manage the pool lifecycle
 Set via environment variables or config object:
 
 - `VALIDATOR_HA_DATABASE_URL`: PostgreSQL connection string (e.g., `postgresql://user:pass@host:port/db`)
-- `SLASHING_PROTECTION_ENABLED`: Whether slashing protection is enabled (default: true)
-- `SLASHING_PROTECTION_NODE_ID`: Unique identifier for this validator node
-- `SLASHING_PROTECTION_POLLING_INTERVAL_MS`: How often to check duty status (default: 100)
-- `SLASHING_PROTECTION_SIGNING_TIMEOUT_MS`: Max wait for in-progress signing (default: 3000)
-- `SLASHING_PROTECTION_MAX_STUCK_DUTIES_AGE_MS`: Max age of stuck duties before cleanup (default: 72000)
+- `VALIDATOR_HA_SIGNING_ENABLED`: Whether HA signing / slashing protection is enabled (default: false)
+- `VALIDATOR_HA_NODE_ID`: Unique identifier for this validator node (required when enabled)
+- `VALIDATOR_HA_POLLING_INTERVAL_MS`: How often to check duty status (default: 100)
+- `VALIDATOR_HA_SIGNING_TIMEOUT_MS`: Max wait for in-progress signing (default: 3000)
+- `VALIDATOR_HA_MAX_STUCK_DUTIES_AGE_MS`: Max age of stuck duties before cleanup (default: 2 \* aztecSlotDuration)
+- `VALIDATOR_HA_POOL_MAX`: Maximum number of connections in the pool (default: 10)
+- `VALIDATOR_HA_POOL_MIN`: Minimum number of connections in the pool (default: 0)
+- `VALIDATOR_HA_POOL_IDLE_TIMEOUT_MS`: Idle timeout for pool connections (default: 10000)
+- `VALIDATOR_HA_POOL_CONNECTION_TIMEOUT_MS`: Connection timeout (default: 0, no timeout)
 
 ## Database Migrations
 
@@ -170,9 +164,20 @@ When multiple validator nodes attempt to sign:
 
 1. First node acquires lock and signs
 2. Other nodes receive `DutyAlreadySignedError` (expected)
-3. If different data detected: `SlashingProtectionError` (likely for block builder signing)
+3. If different data detected: `SlashingProtectionError` (prevents slashing)
 4. Failed attempts are auto-cleaned, allowing retry
 
+### Signing Context
+
+All signing operations require a `SigningContext` that includes:
+
+- `slot`: The slot number
+- `blockNumber`: The block number within the checkpoint
+- `blockIndexWithinCheckpoint`: The index of the block within the checkpoint (use `-1` for N/A contexts)
+- `dutyType`: The type of duty (e.g., `BLOCK_PROPOSAL`, `CHECKPOINT_ATTESTATION`, `AUTH_REQUEST`)
+
+Note: `AUTH_REQUEST` duties bypass HA protection since signing multiple times is safe for authentication requests.
+
 ## Development
 
 ```bash

package/dest/config.d.ts

@@ -1,30 +1,33 @@
+import type { L1ContractAddresses } from '@aztec/ethereum/l1-contract-addresses';
 import { type ConfigMappingsType } from '@aztec/foundation/config';
+import { EthAddress } from '@aztec/foundation/eth-address';
+import { z } from 'zod';
 /**
- * Configuration for the slashing protection service
+ * Configuration for the Validator HA Signer
+ *
+ * This config is used for distributed locking and slashing protection
+ * when running multiple validator nodes in a high-availability setup.
  */
-export interface SlashingProtectionConfig {
-    /** Whether slashing protection is enabled */
-    enabled: boolean;
+export interface ValidatorHASignerConfig {
+    /** Whether HA signing / slashing protection is enabled */
+    haSigningEnabled: boolean;
+    /** L1 contract addresses (rollup address required) */
+    l1Contracts: Pick<L1ContractAddresses, 'rollupAddress'>;
     /** Unique identifier for this node */
     nodeId: string;
     /** How long to wait between polls when a duty is being signed (ms) */
     pollingIntervalMs: number;
     /** Maximum time to wait for a duty being signed to complete (ms) */
     signingTimeoutMs: number;
-    /** Maximum age of a stuck duty in ms */
-    maxStuckDutiesAgeMs: number;
-}
-export declare const slashingProtectionConfigMappings: ConfigMappingsType<SlashingProtectionConfig>;
-export declare const defaultSlashingProtectionConfig: SlashingProtectionConfig;
-/**
- * Configuration for creating an HA signer with PostgreSQL backend
- */
-export interface CreateHASignerConfig extends SlashingProtectionConfig {
+    /** Maximum age of a stuck duty in ms (defaults to 2x hardcoded Aztec slot duration if not set) */
+    maxStuckDutiesAgeMs?: number;
+    /** Optional: clean up old duties after this many hours (disabled if not set) */
+    cleanupOldDutiesAfterHours?: number;
     /**
      * PostgreSQL connection string
      * Format: postgresql://user:password@host:port/database
      */
-    databaseUrl: string;
+    databaseUrl?: string;
     /**
      * PostgreSQL connection pool configuration
      */
@@ -37,11 +40,62 @@ export interface CreateHASignerConfig extends SlashingProtectionConfig {
     /** Connection timeout in milliseconds (default: 0, no timeout) */
     poolConnectionTimeoutMs?: number;
 }
-export declare const createHASignerConfigMappings: ConfigMappingsType<CreateHASignerConfig>;
+export declare const validatorHASignerConfigMappings: ConfigMappingsType<ValidatorHASignerConfig>;
+export declare const defaultValidatorHASignerConfig: ValidatorHASignerConfig;
 /**
  * Returns the validator HA signer configuration from environment variables.
  * Note: If an environment variable is not set, the default value is used.
  * @returns The validator HA signer configuration.
  */
-export declare function getConfigEnvVars(): CreateHASignerConfig;
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29uZmlnLmQudHMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvY29uZmlnLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sRUFDTCxLQUFLLGtCQUFrQixFQUt4QixNQUFNLDBCQUEwQixDQUFDO0FBRWxDOztHQUVHO0FBQ0gsTUFBTSxXQUFXLHdCQUF3QjtJQUN2Qyw2Q0FBNkM7SUFDN0MsT0FBTyxFQUFFLE9BQU8sQ0FBQztJQUNqQixzQ0FBc0M7SUFDdEMsTUFBTSxFQUFFLE1BQU0sQ0FBQztJQUNmLHNFQUFzRTtJQUN0RSxpQkFBaUIsRUFBRSxNQUFNLENBQUM7SUFDMUIsb0VBQW9FO0lBQ3BFLGdCQUFnQixFQUFFLE1BQU0sQ0FBQztJQUN6Qix3Q0FBd0M7SUFDeEMsbUJBQW1CLEVBQUUsTUFBTSxDQUFDO0NBQzdCO0FBRUQsZUFBTyxNQUFNLGdDQUFnQyxFQUFFLGtCQUFrQixDQUFDLHdCQUF3QixDQTJCekYsQ0FBQztBQUVGLGVBQU8sTUFBTSwrQkFBK0IsRUFBRSx3QkFFN0MsQ0FBQztBQUVGOztHQUVHO0FBQ0gsTUFBTSxXQUFXLG9CQUFxQixTQUFRLHdCQUF3QjtJQUNwRTs7O09BR0c7SUFDSCxXQUFXLEVBQUUsTUFBTSxDQUFDO0lBQ3BCOztPQUVHO0lBQ0gsMERBQTBEO0lBQzFELFlBQVksQ0FBQyxFQUFFLE1BQU0sQ0FBQztJQUN0Qix5REFBeUQ7SUFDekQsWUFBWSxDQUFDLEVBQUUsTUFBTSxDQUFDO0lBQ3RCLG9EQUFvRDtJQUNwRCxpQkFBaUIsQ0FBQyxFQUFFLE1BQU0sQ0FBQztJQUMzQixrRUFBa0U7SUFDbEUsdUJBQXVCLENBQUMsRUFBRSxNQUFNLENBQUM7Q0FDbEM7QUFFRCxlQUFPLE1BQU0sNEJBQTRCLEVBQUUsa0JBQWtCLENBQUMsb0JBQW9CLENBMkJqRixDQUFDO0FBRUY7Ozs7R0FJRztBQUNILHdCQUFnQixnQkFBZ0IsSUFBSSxvQkFBb0IsQ0FFdkQifQ==
+export declare function getConfigEnvVars(): ValidatorHASignerConfig;
+export declare const ValidatorHASignerConfigSchema: z.ZodObject<{
+    haSigningEnabled: z.ZodBoolean;
+    l1Contracts: z.ZodObject<{
+        rollupAddress: z.ZodType<EthAddress, z.ZodTypeDef, EthAddress>;
+    }, "strip", z.ZodTypeAny, {
+        rollupAddress: EthAddress;
+    }, {
+        rollupAddress: EthAddress;
+    }>;
+    nodeId: z.ZodString;
+    pollingIntervalMs: z.ZodNumber;
+    signingTimeoutMs: z.ZodNumber;
+    maxStuckDutiesAgeMs: z.ZodOptional<z.ZodNumber>;
+    cleanupOldDutiesAfterHours: z.ZodOptional<z.ZodNumber>;
+    databaseUrl: z.ZodOptional<z.ZodString>;
+    poolMaxCount: z.ZodOptional<z.ZodNumber>;
+    poolMinCount: z.ZodOptional<z.ZodNumber>;
+    poolIdleTimeoutMs: z.ZodOptional<z.ZodNumber>;
+    poolConnectionTimeoutMs: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    haSigningEnabled: boolean;
+    l1Contracts: {
+        rollupAddress: EthAddress;
+    };
+    nodeId: string;
+    pollingIntervalMs: number;
+    signingTimeoutMs: number;
+    maxStuckDutiesAgeMs?: number | undefined;
+    cleanupOldDutiesAfterHours?: number | undefined;
+    databaseUrl?: string | undefined;
+    poolMaxCount?: number | undefined;
+    poolMinCount?: number | undefined;
+    poolIdleTimeoutMs?: number | undefined;
+    poolConnectionTimeoutMs?: number | undefined;
+}, {
+    haSigningEnabled: boolean;
+    l1Contracts: {
+        rollupAddress: EthAddress;
+    };
+    nodeId: string;
+    pollingIntervalMs: number;
+    signingTimeoutMs: number;
+    maxStuckDutiesAgeMs?: number | undefined;
+    cleanupOldDutiesAfterHours?: number | undefined;
+    databaseUrl?: string | undefined;
+    poolMaxCount?: number | undefined;
+    poolMinCount?: number | undefined;
+    poolIdleTimeoutMs?: number | undefined;
+    poolConnectionTimeoutMs?: number | undefined;
+}>;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29uZmlnLmQudHMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvY29uZmlnLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sS0FBSyxFQUFFLG1CQUFtQixFQUFFLE1BQU0sdUNBQXVDLENBQUM7QUFDakYsT0FBTyxFQUNMLEtBQUssa0JBQWtCLEVBTXhCLE1BQU0sMEJBQTBCLENBQUM7QUFDbEMsT0FBTyxFQUFFLFVBQVUsRUFBRSxNQUFNLCtCQUErQixDQUFDO0FBRzNELE9BQU8sRUFBRSxDQUFDLEVBQUUsTUFBTSxLQUFLLENBQUM7QUFFeEI7Ozs7O0dBS0c7QUFDSCxNQUFNLFdBQVcsdUJBQXVCO0lBQ3RDLDBEQUEwRDtJQUMxRCxnQkFBZ0IsRUFBRSxPQUFPLENBQUM7SUFDMUIsc0RBQXNEO0lBQ3RELFdBQVcsRUFBRSxJQUFJLENBQUMsbUJBQW1CLEVBQUUsZUFBZSxDQUFDLENBQUM7SUFDeEQsc0NBQXNDO0lBQ3RDLE1BQU0sRUFBRSxNQUFNLENBQUM7SUFDZixzRUFBc0U7SUFDdEUsaUJBQWlCLEVBQUUsTUFBTSxDQUFDO0lBQzFCLG9FQUFvRTtJQUNwRSxnQkFBZ0IsRUFBRSxNQUFNLENBQUM7SUFDekIsa0dBQWtHO0lBQ2xHLG1CQUFtQixDQUFDLEVBQUUsTUFBTSxDQUFDO0lBQzdCLGdGQUFnRjtJQUNoRiwwQkFBMEIsQ0FBQyxFQUFFLE1BQU0sQ0FBQztJQUNwQzs7O09BR0c7SUFDSCxXQUFXLENBQUMsRUFBRSxNQUFNLENBQUM7SUFDckI7O09BRUc7SUFDSCwwREFBMEQ7SUFDMUQsWUFBWSxDQUFDLEVBQUUsTUFBTSxDQUFDO0lBQ3RCLHlEQUF5RDtJQUN6RCxZQUFZLENBQUMsRUFBRSxNQUFNLENBQUM7SUFDdEIsb0RBQW9EO0lBQ3BELGlCQUFpQixDQUFDLEVBQUUsTUFBTSxDQUFDO0lBQzNCLGtFQUFrRTtJQUNsRSx1QkFBdUIsQ0FBQyxFQUFFLE1BQU0sQ0FBQztDQUNsQztBQUVELGVBQU8sTUFBTSwrQkFBK0IsRUFBRSxrQkFBa0IsQ0FBQyx1QkFBdUIsQ0FpRXZGLENBQUM7QUFFRixlQUFPLE1BQU0sOEJBQThCLEVBQUUsdUJBRTVDLENBQUM7QUFFRjs7OztHQUlHO0FBQ0gsd0JBQWdCLGdCQUFnQixJQUFJLHVCQUF1QixDQUUxRDtBQUVELGVBQU8sTUFBTSw2QkFBNkI7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7RUFlRSxDQUFDIn0=

package/dest/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,kBAAkB,EAKxB,MAAM,0BAA0B,CAAC;AAElC;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,6CAA6C;IAC7C,OAAO,EAAE,OAAO,CAAC;IACjB,sCAAsC;IACtC,MAAM,EAAE,MAAM,CAAC;IACf,sEAAsE;IACtE,iBAAiB,EAAE,MAAM,CAAC;IAC1B,oEAAoE;IACpE,gBAAgB,EAAE,MAAM,CAAC;IACzB,wCAAwC;IACxC,mBAAmB,EAAE,MAAM,CAAC;CAC7B;AAED,eAAO,MAAM,gCAAgC,EAAE,kBAAkB,CAAC,wBAAwB,CA2BzF,CAAC;AAEF,eAAO,MAAM,+BAA+B,EAAE,wBAE7C,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,wBAAwB;IACpE;;;OAGG;IACH,WAAW,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,0DAA0D;IAC1D,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,yDAAyD;IACzD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,oDAAoD;IACpD,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,kEAAkE;IAClE,uBAAuB,CAAC,EAAE,MAAM,CAAC;CAClC;AAED,eAAO,MAAM,4BAA4B,EAAE,kBAAkB,CAAC,oBAAoB,CA2BjF,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,gBAAgB,IAAI,oBAAoB,CAEvD"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,uCAAuC,CAAC;AACjF,OAAO,EACL,KAAK,kBAAkB,EAMxB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAG3D,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACtC,0DAA0D;IAC1D,gBAAgB,EAAE,OAAO,CAAC;IAC1B,sDAAsD;IACtD,WAAW,EAAE,IAAI,CAAC,mBAAmB,EAAE,eAAe,CAAC,CAAC;IACxD,sCAAsC;IACtC,MAAM,EAAE,MAAM,CAAC;IACf,sEAAsE;IACtE,iBAAiB,EAAE,MAAM,CAAC;IAC1B,oEAAoE;IACpE,gBAAgB,EAAE,MAAM,CAAC;IACzB,kGAAkG;IAClG,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,gFAAgF;IAChF,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;OAEG;IACH,0DAA0D;IAC1D,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,yDAAyD;IACzD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,oDAAoD;IACpD,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,kEAAkE;IAClE,uBAAuB,CAAC,EAAE,MAAM,CAAC;CAClC;AAED,eAAO,MAAM,+BAA+B,EAAE,kBAAkB,CAAC,uBAAuB,CAiEvF,CAAC;AAEF,eAAO,MAAM,8BAA8B,EAAE,uBAE5C,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,gBAAgB,IAAI,uBAAuB,CAE1D;AAED,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAeE,CAAC"}

package/dest/config.js

@@ -1,35 +1,46 @@
-import { booleanConfigHelper, getConfigFromMappings, getDefaultConfig, numberConfigHelper } from '@aztec/foundation/config';
-export const slashingProtectionConfigMappings = {
-    enabled: {
-        env: 'SLASHING_PROTECTION_ENABLED',
-        description: 'Whether slashing protection is enabled',
-        ...booleanConfigHelper(true)
+import { booleanConfigHelper, getConfigFromMappings, getDefaultConfig, numberConfigHelper, optionalNumberConfigHelper } from '@aztec/foundation/config';
+import { EthAddress } from '@aztec/foundation/eth-address';
+import { z } from 'zod';
+export const validatorHASignerConfigMappings = {
+    haSigningEnabled: {
+        env: 'VALIDATOR_HA_SIGNING_ENABLED',
+        description: 'Whether HA signing / slashing protection is enabled',
+        ...booleanConfigHelper(false)
+    },
+    l1Contracts: {
+        description: 'L1 contract addresses (rollup address required)',
+        nested: {
+            rollupAddress: {
+                description: 'The Ethereum address of the rollup contract (must be set programmatically)',
+                parseEnv: (val)=>EthAddress.fromString(val)
+            }
+        }
     },
     nodeId: {
-        env: 'SLASHING_PROTECTION_NODE_ID',
+        env: 'VALIDATOR_HA_NODE_ID',
         description: 'The unique identifier for this node',
         defaultValue: ''
     },
     pollingIntervalMs: {
-        env: 'SLASHING_PROTECTION_POLLING_INTERVAL_MS',
+        env: 'VALIDATOR_HA_POLLING_INTERVAL_MS',
         description: 'The number of ms to wait between polls when a duty is being signed',
         ...numberConfigHelper(100)
     },
     signingTimeoutMs: {
-        env: 'SLASHING_PROTECTION_SIGNING_TIMEOUT_MS',
+        env: 'VALIDATOR_HA_SIGNING_TIMEOUT_MS',
         description: 'The maximum time to wait for a duty being signed to complete',
         ...numberConfigHelper(3_000)
     },
     maxStuckDutiesAgeMs: {
-        env: 'SLASHING_PROTECTION_MAX_STUCK_DUTIES_AGE_MS',
-        description: 'The maximum age of a stuck duty in ms',
-        // hard-coding at current 2 slot duration. This should be set by the validator on init
-        ...numberConfigHelper(72_000)
-    }
-};
-export const defaultSlashingProtectionConfig = getDefaultConfig(slashingProtectionConfigMappings);
-export const createHASignerConfigMappings = {
-    ...slashingProtectionConfigMappings,
+        env: 'VALIDATOR_HA_MAX_STUCK_DUTIES_AGE_MS',
+        description: 'The maximum age of a stuck duty in ms (defaults to 2x Aztec slot duration)',
+        ...optionalNumberConfigHelper()
+    },
+    cleanupOldDutiesAfterHours: {
+        env: 'VALIDATOR_HA_OLD_DUTIES_MAX_AGE_H',
+        description: 'Optional: clean up old duties after this many hours (disabled if not set)',
+        ...optionalNumberConfigHelper()
+    },
     databaseUrl: {
         env: 'VALIDATOR_HA_DATABASE_URL',
         description: 'PostgreSQL connection string for validator HA signer (format: postgresql://user:password@host:port/database)'
@@ -55,10 +66,27 @@ export const createHASignerConfigMappings = {
         ...numberConfigHelper(0)
     }
 };
+export const defaultValidatorHASignerConfig = getDefaultConfig(validatorHASignerConfigMappings);
 /**
  * Returns the validator HA signer configuration from environment variables.
  * Note: If an environment variable is not set, the default value is used.
  * @returns The validator HA signer configuration.
  */ export function getConfigEnvVars() {
-    return getConfigFromMappings(createHASignerConfigMappings);
+    return getConfigFromMappings(validatorHASignerConfigMappings);
 }
+export const ValidatorHASignerConfigSchema = z.object({
+    haSigningEnabled: z.boolean(),
+    l1Contracts: z.object({
+        rollupAddress: z.instanceof(EthAddress)
+    }),
+    nodeId: z.string(),
+    pollingIntervalMs: z.number().min(0),
+    signingTimeoutMs: z.number().min(0),
+    maxStuckDutiesAgeMs: z.number().min(0).optional(),
+    cleanupOldDutiesAfterHours: z.number().min(0).optional(),
+    databaseUrl: z.string().optional(),
+    poolMaxCount: z.number().min(0).optional(),
+    poolMinCount: z.number().min(0).optional(),
+    poolIdleTimeoutMs: z.number().min(0).optional(),
+    poolConnectionTimeoutMs: z.number().min(0).optional()
+});

package/dest/db/postgres.d.ts

@@ -1,14 +1,26 @@
+/**
+ * PostgreSQL implementation of SlashingProtectionDatabase
+ */
+import { SlotNumber } from '@aztec/foundation/branded-types';
 import { EthAddress } from '@aztec/foundation/eth-address';
-import type { Pool } from 'pg';
+import type { QueryResult, QueryResultRow } from 'pg';
 import type { SlashingProtectionDatabase, TryInsertOrGetResult } from '../types.js';
 import type { CheckAndRecordParams, DutyType } from './types.js';
+/**
+ * Minimal pool interface for database operations.
+ * Both pg.Pool and test adapters (e.g., PGlite) satisfy this interface.
+ */
+export interface QueryablePool {
+    query<R extends QueryResultRow = any>(text: string, values?: any[]): Promise<QueryResult<R>>;
+    end(): Promise<void>;
+}
 /**
  * PostgreSQL implementation of the slashing protection database
  */
 export declare class PostgresSlashingProtectionDatabase implements SlashingProtectionDatabase {
     private readonly pool;
     private readonly log;
-    constructor(pool: Pool);
+    constructor(pool: QueryablePool);
     /**
      * Verify that database migrations have been run and schema version matches.
      * Should be called once at startup.
@@ -21,6 +33,9 @@ export declare class PostgresSlashingProtectionDatabase implements SlashingProte
      *
      * @returns { isNew: true, record } if we successfully inserted and acquired the lock
      * @returns { isNew: false, record } if a record already exists. lock_token is empty if the record already exists.
+     *
+     * Retries if no rows are returned, which can happen under high concurrency
+     * when another transaction just committed the row but it's not yet visible.
      */
     tryInsertOrGetExisting(params: CheckAndRecordParams): Promise<TryInsertOrGetResult>;
     /**
@@ -29,7 +44,7 @@ export declare class PostgresSlashingProtectionDatabase implements SlashingProte
      *
      * @returns true if the update succeeded, false if token didn't match or duty not found
      */
-    updateDutySigned(validatorAddress: EthAddress, slot: bigint, dutyType: DutyType, signature: string, lockToken: string): Promise<boolean>;
+    updateDutySigned(rollupAddress: EthAddress, validatorAddress: EthAddress, slot: SlotNumber, dutyType: DutyType, signature: string, lockToken: string, blockIndexWithinCheckpoint: number): Promise<boolean>;
     /**
      * Delete a duty record.
      * Only succeeds if the lockToken matches (caller must be the one who created the duty).
@@ -37,7 +52,7 @@ export declare class PostgresSlashingProtectionDatabase implements SlashingProte
      *
      * @returns true if the delete succeeded, false if token didn't match or duty not found
      */
-    deleteDuty(validatorAddress: EthAddress, slot: bigint, dutyType: DutyType, lockToken: string): Promise<boolean>;
+    deleteDuty(rollupAddress: EthAddress, validatorAddress: EthAddress, slot: SlotNumber, dutyType: DutyType, lockToken: string, blockIndexWithinCheckpoint: number): Promise<boolean>;
     /**
      * Convert a database row to a ValidatorDutyRecord
      */
@@ -51,5 +66,19 @@ export declare class PostgresSlashingProtectionDatabase implements SlashingProte
      * @returns the number of duties cleaned up
      */
     cleanupOwnStuckDuties(nodeId: string, maxAgeMs: number): Promise<number>;
+    /**
+     * Cleanup duties with outdated rollup address.
+     * Removes all duties where the rollup address doesn't match the current one.
+     * Used after a rollup upgrade to clean up duties for the old rollup.
+     * @returns the number of duties cleaned up
+     */
+    cleanupOutdatedRollupDuties(currentRollupAddress: EthAddress): Promise<number>;
+    /**
+     * Cleanup old signed duties.
+     * Removes only signed duties older than the specified age.
+     * Does not remove 'signing' duties as they may be in progress.
+     * @returns the number of duties cleaned up
+     */
+    cleanupOldDuties(maxAgeMs: number): Promise<number>;
 }
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicG9zdGdyZXMuZC50cyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9kYi9wb3N0Z3Jlcy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFJQSxPQUFPLEVBQUUsVUFBVSxFQUFFLE1BQU0sK0JBQStCLENBQUM7QUFHM0QsT0FBTyxLQUFLLEVBQUUsSUFBSSxFQUFlLE1BQU0sSUFBSSxDQUFDO0FBRTVDLE9BQU8sS0FBSyxFQUFFLDBCQUEwQixFQUFFLG9CQUFvQixFQUFFLE1BQU0sYUFBYSxDQUFDO0FBUXBGLE9BQU8sS0FBSyxFQUFFLG9CQUFvQixFQUFXLFFBQVEsRUFBdUMsTUFBTSxZQUFZLENBQUM7QUFFL0c7O0dBRUc7QUFDSCxxQkFBYSxrQ0FBbUMsWUFBVywwQkFBMEI7SUFHdkUsT0FBTyxDQUFDLFFBQVEsQ0FBQyxJQUFJO0lBRmpDLE9BQU8sQ0FBQyxRQUFRLENBQUMsR0FBRyxDQUFTO0lBRTdCLFlBQTZCLElBQUksRUFBRSxJQUFJLEVBRXRDO0lBRUQ7Ozs7O09BS0c7SUFDRyxVQUFVLElBQUksT0FBTyxDQUFDLElBQUksQ0FBQyxDQWdDaEM7SUFFRDs7Ozs7T0FLRztJQUNHLHNCQUFzQixDQUFDLE1BQU0sRUFBRSxvQkFBb0IsR0FBRyxPQUFPLENBQUMsb0JBQW9CLENBQUMsQ0F3QnhGO0lBRUQ7Ozs7O09BS0c7SUFDRyxnQkFBZ0IsQ0FDcEIsZ0JBQWdCLEVBQUUsVUFBVSxFQUM1QixJQUFJLEVBQUUsTUFBTSxFQUNaLFFBQVEsRUFBRSxRQUFRLEVBQ2xCLFNBQVMsRUFBRSxNQUFNLEVBQ2pCLFNBQVMsRUFBRSxNQUFNLEdBQ2hCLE9BQU8sQ0FBQyxPQUFPLENBQUMsQ0FrQmxCO0lBRUQ7Ozs7OztPQU1HO0lBQ0csVUFBVSxDQUNkLGdCQUFnQixFQUFFLFVBQVUsRUFDNUIsSUFBSSxFQUFFLE1BQU0sRUFDWixRQUFRLEVBQUUsUUFBUSxFQUNsQixTQUFTLEVBQUUsTUFBTSxHQUNoQixPQUFPLENBQUMsT0FBTyxDQUFDLENBaUJsQjtJQUVEOztPQUVHO0lBQ0gsT0FBTyxDQUFDLFdBQVc7SUFpQm5COztPQUVHO0lBQ0csS0FBSyxJQUFJLE9BQU8sQ0FBQyxJQUFJLENBQUMsQ0FHM0I7SUFFRDs7O09BR0c7SUFDRyxxQkFBcUIsQ0FBQyxNQUFNLEVBQUUsTUFBTSxFQUFFLFFBQVEsRUFBRSxNQUFNLEdBQUcsT0FBTyxDQUFDLE1BQU0sQ0FBQyxDQUk3RTtDQUNGIn0=
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicG9zdGdyZXMuZC50cyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9kYi9wb3N0Z3Jlcy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQTs7R0FFRztBQUNILE9BQU8sRUFBZSxVQUFVLEVBQUUsTUFBTSxpQ0FBaUMsQ0FBQztBQUUxRSxPQUFPLEVBQUUsVUFBVSxFQUFFLE1BQU0sK0JBQStCLENBQUM7QUFJM0QsT0FBTyxLQUFLLEVBQUUsV0FBVyxFQUFFLGNBQWMsRUFBRSxNQUFNLElBQUksQ0FBQztBQUV0RCxPQUFPLEtBQUssRUFBRSwwQkFBMEIsRUFBRSxvQkFBb0IsRUFBRSxNQUFNLGFBQWEsQ0FBQztBQVVwRixPQUFPLEtBQUssRUFBRSxvQkFBb0IsRUFBVyxRQUFRLEVBQXVDLE1BQU0sWUFBWSxDQUFDO0FBRy9HOzs7R0FHRztBQUNILE1BQU0sV0FBVyxhQUFhO0lBQzVCLEtBQUssQ0FBQyxDQUFDLFNBQVMsY0FBYyxHQUFHLEdBQUcsRUFBRSxJQUFJLEVBQUUsTUFBTSxFQUFFLE1BQU0sQ0FBQyxFQUFFLEdBQUcsRUFBRSxHQUFHLE9BQU8sQ0FBQyxXQUFXLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQztJQUM3RixHQUFHLElBQUksT0FBTyxDQUFDLElBQUksQ0FBQyxDQUFDO0NBQ3RCO0FBRUQ7O0dBRUc7QUFDSCxxQkFBYSxrQ0FBbUMsWUFBVywwQkFBMEI7SUFHdkUsT0FBTyxDQUFDLFFBQVEsQ0FBQyxJQUFJO0lBRmpDLE9BQU8sQ0FBQyxRQUFRLENBQUMsR0FBRyxDQUFTO0lBRTdCLFlBQTZCLElBQUksRUFBRSxhQUFhLEVBRS9DO0lBRUQ7Ozs7O09BS0c7SUFDRyxVQUFVLElBQUksT0FBTyxDQUFDLElBQUksQ0FBQyxDQWdDaEM7SUFFRDs7Ozs7Ozs7T0FRRztJQUNHLHNCQUFzQixDQUFDLE1BQU0sRUFBRSxvQkFBb0IsR0FBRyxPQUFPLENBQUMsb0JBQW9CLENBQUMsQ0FvRHhGO0lBRUQ7Ozs7O09BS0c7SUFDRyxnQkFBZ0IsQ0FDcEIsYUFBYSxFQUFFLFVBQVUsRUFDekIsZ0JBQWdCLEVBQUUsVUFBVSxFQUM1QixJQUFJLEVBQUUsVUFBVSxFQUNoQixRQUFRLEVBQUUsUUFBUSxFQUNsQixTQUFTLEVBQUUsTUFBTSxFQUNqQixTQUFTLEVBQUUsTUFBTSxFQUNqQiwwQkFBMEIsRUFBRSxNQUFNLEdBQ2pDLE9BQU8sQ0FBQyxPQUFPLENBQUMsQ0FzQmxCO0lBRUQ7Ozs7OztPQU1HO0lBQ0csVUFBVSxDQUNkLGFBQWEsRUFBRSxVQUFVLEVBQ3pCLGdCQUFnQixFQUFFLFVBQVUsRUFDNUIsSUFBSSxFQUFFLFVBQVUsRUFDaEIsUUFBUSxFQUFFLFFBQVEsRUFDbEIsU0FBUyxFQUFFLE1BQU0sRUFDakIsMEJBQTBCLEVBQUUsTUFBTSxHQUNqQyxPQUFPLENBQUMsT0FBTyxDQUFDLENBcUJsQjtJQUVEOztPQUVHO0lBQ0gsT0FBTyxDQUFDLFdBQVc7SUFtQm5COztPQUVHO0lBQ0csS0FBSyxJQUFJLE9BQU8sQ0FBQyxJQUFJLENBQUMsQ0FHM0I7SUFFRDs7O09BR0c7SUFDRyxxQkFBcUIsQ0FBQyxNQUFNLEVBQUUsTUFBTSxFQUFFLFFBQVEsRUFBRSxNQUFNLEdBQUcsT0FBTyxDQUFDLE1BQU0sQ0FBQyxDQUk3RTtJQUVEOzs7OztPQUtHO0lBQ0csMkJBQTJCLENBQUMsb0JBQW9CLEVBQUUsVUFBVSxHQUFHLE9BQU8sQ0FBQyxNQUFNLENBQUMsQ0FHbkY7SUFFRDs7Ozs7T0FLRztJQUNHLGdCQUFnQixDQUFDLFFBQVEsRUFBRSxNQUFNLEdBQUcsT0FBTyxDQUFDLE1BQU0sQ0FBQyxDQUl4RDtDQUNGIn0=

package/dest/db/postgres.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"postgres.d.ts","sourceRoot":"","sources":["../../src/db/postgres.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAG3D,OAAO,KAAK,EAAE,IAAI,EAAe,MAAM,IAAI,CAAC;AAE5C,OAAO,KAAK,EAAE,0BAA0B,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAQpF,OAAO,KAAK,EAAE,oBAAoB,EAAW,QAAQ,EAAuC,MAAM,YAAY,CAAC;AAE/G;;GAEG;AACH,qBAAa,kCAAmC,YAAW,0BAA0B;IAGvE,OAAO,CAAC,QAAQ,CAAC,IAAI;IAFjC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAS;IAE7B,YAA6B,IAAI,EAAE,IAAI,EAEtC;IAED;;;;;OAKG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAgChC;IAED;;;;;OAKG;IACG,sBAAsB,CAAC,MAAM,EAAE,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAwBxF;IAED;;;;;OAKG;IACG,gBAAgB,CACpB,gBAAgB,EAAE,UAAU,EAC5B,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,QAAQ,EAClB,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,OAAO,CAAC,CAkBlB;IAED;;;;;;OAMG;IACG,UAAU,CACd,gBAAgB,EAAE,UAAU,EAC5B,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,QAAQ,EAClB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,OAAO,CAAC,CAiBlB;IAED;;OAEG;IACH,OAAO,CAAC,WAAW;IAiBnB;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAG3B;IAED;;;OAGG;IACG,qBAAqB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAI7E;CACF"}
+{"version":3,"file":"postgres.d.ts","sourceRoot":"","sources":["../../src/db/postgres.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAe,UAAU,EAAE,MAAM,iCAAiC,CAAC;AAE1E,OAAO,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAI3D,OAAO,KAAK,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,IAAI,CAAC;AAEtD,OAAO,KAAK,EAAE,0BAA0B,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAUpF,OAAO,KAAK,EAAE,oBAAoB,EAAW,QAAQ,EAAuC,MAAM,YAAY,CAAC;AAG/G;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,KAAK,CAAC,CAAC,SAAS,cAAc,GAAG,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7F,GAAG,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACtB;AAED;;GAEG;AACH,qBAAa,kCAAmC,YAAW,0BAA0B;IAGvE,OAAO,CAAC,QAAQ,CAAC,IAAI;IAFjC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAS;IAE7B,YAA6B,IAAI,EAAE,aAAa,EAE/C;IAED;;;;;OAKG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAgChC;IAED;;;;;;;;OAQG;IACG,sBAAsB,CAAC,MAAM,EAAE,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAoDxF;IAED;;;;;OAKG;IACG,gBAAgB,CACpB,aAAa,EAAE,UAAU,EACzB,gBAAgB,EAAE,UAAU,EAC5B,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,QAAQ,EAClB,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,EACjB,0BAA0B,EAAE,MAAM,GACjC,OAAO,CAAC,OAAO,CAAC,CAsBlB;IAED;;;;;;OAMG;IACG,UAAU,CACd,aAAa,EAAE,UAAU,EACzB,gBAAgB,EAAE,UAAU,EAC5B,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,QAAQ,EAClB,SAAS,EAAE,MAAM,EACjB,0BAA0B,EAAE,MAAM,GACjC,OAAO,CAAC,OAAO,CAAC,CAqBlB;IAED;;OAEG;IACH,OAAO,CAAC,WAAW;IAmBnB;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAG3B;IAED;;;OAGG;IACG,qBAAqB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAI7E;IAED;;;;;OAKG;IACG,2BAA2B,CAAC,oBAAoB,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAGnF;IAED;;;;;OAKG;IACG,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAIxD;CACF"}

package/dest/db/postgres.js

@@ -1,9 +1,12 @@
 /**
  * PostgreSQL implementation of SlashingProtectionDatabase
- */ import { randomBytes } from '@aztec/foundation/crypto/random';
+ */ import { BlockNumber, SlotNumber } from '@aztec/foundation/branded-types';
+import { randomBytes } from '@aztec/foundation/crypto/random';
 import { EthAddress } from '@aztec/foundation/eth-address';
 import { createLogger } from '@aztec/foundation/log';
-import { CLEANUP_OWN_STUCK_DUTIES, DELETE_DUTY, INSERT_OR_GET_DUTY, SCHEMA_VERSION, UPDATE_DUTY_SIGNED } from './schema.js';
+import { makeBackoff, retry } from '@aztec/foundation/retry';
+import { CLEANUP_OLD_DUTIES, CLEANUP_OUTDATED_ROLLUP_DUTIES, CLEANUP_OWN_STUCK_DUTIES, DELETE_DUTY, INSERT_OR_GET_DUTY, SCHEMA_VERSION, UPDATE_DUTY_SIGNED } from './schema.js';
+import { getBlockIndexFromDutyIdentifier } from './types.js';
 /**
  * PostgreSQL implementation of the slashing protection database
  */ export class PostgresSlashingProtectionDatabase {
@@ -27,10 +30,10 @@ import { CLEANUP_OWN_STUCK_DUTIES, DELETE_DUTY, INSERT_OR_GET_DUTY, SCHEMA_VERSI
             }
             dbVersion = result.rows[0].version;
         } catch  {
-            throw new Error('Database schema not initialized. Please run migrations first: aztec migrate up --database-url <url>');
+            throw new Error('Database schema not initialized. Please run migrations first: aztec migrate-ha-db up --database-url <url>');
         }
         if (dbVersion < SCHEMA_VERSION) {
-            throw new Error(`Database schema version ${dbVersion} is outdated (expected ${SCHEMA_VERSION}). Please run migrations: aztec migrate up --database-url <url>`);
+            throw new Error(`Database schema version ${dbVersion} is outdated (expected ${SCHEMA_VERSION}). Please run migrations: aztec migrate-ha-db up --database-url <url>`);
         }
         if (dbVersion > SCHEMA_VERSION) {
             throw new Error(`Database schema version ${dbVersion} is newer than expected (${SCHEMA_VERSION}). Please update your application.`);
@@ -44,21 +47,45 @@ import { CLEANUP_OWN_STUCK_DUTIES, DELETE_DUTY, INSERT_OR_GET_DUTY, SCHEMA_VERSI
    *
    * @returns { isNew: true, record } if we successfully inserted and acquired the lock
    * @returns { isNew: false, record } if a record already exists. lock_token is empty if the record already exists.
+   *
+   * Retries if no rows are returned, which can happen under high concurrency
+   * when another transaction just committed the row but it's not yet visible.
    */ async tryInsertOrGetExisting(params) {
         // create a token for ownership verification
         const lockToken = randomBytes(16).toString('hex');
-        const result = await this.pool.query(INSERT_OR_GET_DUTY, [
-            params.validatorAddress.toString(),
-            params.slot.toString(),
-            params.blockNumber.toString(),
-            params.dutyType,
-            params.messageHash,
-            params.nodeId,
-            lockToken
+        // Use fast retries with custom backoff: 10ms, 20ms, 30ms (then stop)
+        const fastBackoff = makeBackoff([
+            0.01,
+            0.02,
+            0.03
         ]);
+        // Get the normalized block index using type-safe helper
+        const blockIndexWithinCheckpoint = getBlockIndexFromDutyIdentifier(params);
+        const result = await retry(async ()=>{
+            const queryResult = await this.pool.query(INSERT_OR_GET_DUTY, [
+                params.rollupAddress.toString(),
+                params.validatorAddress.toString(),
+                params.slot.toString(),
+                params.blockNumber.toString(),
+                blockIndexWithinCheckpoint,
+                params.dutyType,
+                params.messageHash,
+                params.nodeId,
+                lockToken
+            ]);
+            // Throw error if no rows to trigger retry
+            if (queryResult.rows.length === 0) {
+                throw new Error('INSERT_OR_GET_DUTY returned no rows');
+            }
+            return queryResult;
+        }, `INSERT_OR_GET_DUTY for node ${params.nodeId}`, fastBackoff, this.log, true);
         if (result.rows.length === 0) {
-            // This shouldn't happen - the query always returns either the inserted or existing row
-            throw new Error('INSERT_OR_GET_DUTY returned no rows');
+            // this should never happen as the retry function should throw if it still fails after retries
+            throw new Error('INSERT_OR_GET_DUTY returned no rows after retries');
+        }
+        if (result.rows.length > 1) {
+            // this should never happen if database constraints are correct (PRIMARY KEY should prevent duplicates)
+            throw new Error(`INSERT_OR_GET_DUTY returned ${result.rows.length} rows (expected exactly 1).`);
         }
         const row = result.rows[0];
         return {
@@ -71,19 +98,23 @@ import { CLEANUP_OWN_STUCK_DUTIES, DELETE_DUTY, INSERT_OR_GET_DUTY, SCHEMA_VERSI
    * Only succeeds if the lockToken matches (caller must be the one who created the duty).
    *
    * @returns true if the update succeeded, false if token didn't match or duty not found
-   */ async updateDutySigned(validatorAddress, slot, dutyType, signature, lockToken) {
+   */ async updateDutySigned(rollupAddress, validatorAddress, slot, dutyType, signature, lockToken, blockIndexWithinCheckpoint) {
         const result = await this.pool.query(UPDATE_DUTY_SIGNED, [
             signature,
+            rollupAddress.toString(),
             validatorAddress.toString(),
             slot.toString(),
             dutyType,
+            blockIndexWithinCheckpoint,
             lockToken
         ]);
         if (result.rowCount === 0) {
             this.log.warn('Failed to update duty to signed status: invalid token or duty not found', {
+                rollupAddress: rollupAddress.toString(),
                 validatorAddress: validatorAddress.toString(),
                 slot: slot.toString(),
-                dutyType
+                dutyType,
+                blockIndexWithinCheckpoint
             });
             return false;
         }
@@ -95,18 +126,22 @@ import { CLEANUP_OWN_STUCK_DUTIES, DELETE_DUTY, INSERT_OR_GET_DUTY, SCHEMA_VERSI
    * Used when signing fails to allow another node/attempt to retry.
    *
    * @returns true if the delete succeeded, false if token didn't match or duty not found
-   */ async deleteDuty(validatorAddress, slot, dutyType, lockToken) {
+   */ async deleteDuty(rollupAddress, validatorAddress, slot, dutyType, lockToken, blockIndexWithinCheckpoint) {
         const result = await this.pool.query(DELETE_DUTY, [
+            rollupAddress.toString(),
             validatorAddress.toString(),
             slot.toString(),
             dutyType,
+            blockIndexWithinCheckpoint,
             lockToken
         ]);
         if (result.rowCount === 0) {
             this.log.warn('Failed to delete duty: invalid token or duty not found', {
+                rollupAddress: rollupAddress.toString(),
                 validatorAddress: validatorAddress.toString(),
                 slot: slot.toString(),
-                dutyType
+                dutyType,
+                blockIndexWithinCheckpoint
             });
             return false;
         }
@@ -116,9 +151,11 @@ import { CLEANUP_OWN_STUCK_DUTIES, DELETE_DUTY, INSERT_OR_GET_DUTY, SCHEMA_VERSI
    * Convert a database row to a ValidatorDutyRecord
    */ rowToRecord(row) {
         return {
+            rollupAddress: EthAddress.fromString(row.rollup_address),
             validatorAddress: EthAddress.fromString(row.validator_address),
-            slot: BigInt(row.slot),
-            blockNumber: BigInt(row.block_number),
+            slot: SlotNumber.fromString(row.slot),
+            blockNumber: BlockNumber.fromString(row.block_number),
+            blockIndexWithinCheckpoint: row.block_index_within_checkpoint,
             dutyType: row.duty_type,
             status: row.status,
             messageHash: row.message_hash,
@@ -147,4 +184,27 @@ import { CLEANUP_OWN_STUCK_DUTIES, DELETE_DUTY, INSERT_OR_GET_DUTY, SCHEMA_VERSI
         ]);
         return result.rowCount ?? 0;
     }
+    /**
+   * Cleanup duties with outdated rollup address.
+   * Removes all duties where the rollup address doesn't match the current one.
+   * Used after a rollup upgrade to clean up duties for the old rollup.
+   * @returns the number of duties cleaned up
+   */ async cleanupOutdatedRollupDuties(currentRollupAddress) {
+        const result = await this.pool.query(CLEANUP_OUTDATED_ROLLUP_DUTIES, [
+            currentRollupAddress.toString()
+        ]);
+        return result.rowCount ?? 0;
+    }
+    /**
+   * Cleanup old signed duties.
+   * Removes only signed duties older than the specified age.
+   * Does not remove 'signing' duties as they may be in progress.
+   * @returns the number of duties cleaned up
+   */ async cleanupOldDuties(maxAgeMs) {
+        const cutoff = new Date(Date.now() - maxAgeMs);
+        const result = await this.pool.query(CLEANUP_OLD_DUTIES, [
+            cutoff
+        ]);
+        return result.rowCount ?? 0;
+    }
 }