@aztec/validator-ha-signer 0.0.1-commit.d431d1c → 0.0.1-commit.d939eb5aa

package/src/db/types.ts

@@ -1,14 +1,17 @@
-import type { BlockNumber, CheckpointNumber, IndexWithinCheckpoint, SlotNumber } from '@aztec/foundation/branded-types';
-import type { EthAddress } from '@aztec/foundation/eth-address';
+import { BlockNumber, CheckpointNumber, type IndexWithinCheckpoint, SlotNumber } from '@aztec/foundation/branded-types';
+import { EthAddress } from '@aztec/foundation/eth-address';
 import type { Signature } from '@aztec/foundation/eth-signature';
+import { DutyType } from '@aztec/stdlib/ha-signing';
 
 /**
  * Row type from PostgreSQL query
  */
 export interface DutyRow {
+  rollup_address: string;
   validator_address: string;
   slot: string;
   block_number: string;
+  checkpoint_number: string;
   block_index_within_checkpoint: number;
   duty_type: DutyType;
   status: DutyStatus;
@@ -22,24 +25,35 @@ export interface DutyRow {
 }
 
 /**
- * Row type from INSERT_OR_GET_DUTY query (includes is_new flag)
+ * Plain-primitive representation of a duty record suitable for serialization
+ * (e.g. msgpackr for LMDB). All domain types are stored as their string/number
+ * equivalents. Timestamps are Unix milliseconds.
  */
-export interface InsertOrGetRow extends DutyRow {
-  is_new: boolean;
+export interface StoredDutyRecord {
+  rollupAddress: string;
+  validatorAddress: string;
+  slot: string;
+  blockNumber: string;
+  checkpointNumber: string;
+  blockIndexWithinCheckpoint: number;
+  dutyType: DutyType;
+  status: DutyStatus;
+  messageHash: string;
+  signature?: string;
+  nodeId: string;
+  lockToken: string;
+  /** Unix timestamp in milliseconds when signing started */
+  startedAtMs: number;
+  /** Unix timestamp in milliseconds when signing completed */
+  completedAtMs?: number;
+  errorMessage?: string;
 }
 
 /**
- * Type of validator duty being performed
+ * Row type from INSERT_OR_GET_DUTY query (includes is_new flag)
  */
-export enum DutyType {
-  BLOCK_PROPOSAL = 'BLOCK_PROPOSAL',
-  CHECKPOINT_PROPOSAL = 'CHECKPOINT_PROPOSAL',
-  ATTESTATION = 'ATTESTATION',
-  ATTESTATIONS_AND_SIGNERS = 'ATTESTATIONS_AND_SIGNERS',
-  GOVERNANCE_VOTE = 'GOVERNANCE_VOTE',
-  SLASHING_VOTE = 'SLASHING_VOTE',
-  AUTH_REQUEST = 'AUTH_REQUEST',
-  TXS = 'TXS',
+export interface InsertOrGetRow extends DutyRow {
+  is_new: boolean;
 }
 
 /**
@@ -50,16 +64,24 @@ export enum DutyStatus {
   SIGNED = 'signed',
 }
 
+// Re-export DutyType from stdlib
+export { DutyType };
+
 /**
- * Record of a validator duty in the database
+ * Rich representation of a validator duty, with branded types and Date objects.
+ * This is the common output type returned by all SlashingProtectionDatabase implementations.
  */
 export interface ValidatorDutyRecord {
+  /** Ethereum address of the rollup contract */
+  rollupAddress: EthAddress;
   /** Ethereum address of the validator */
   validatorAddress: EthAddress;
   /** Slot number for this duty */
   slot: SlotNumber;
-  /** Block number for this duty */
+  /** Block number for this duty (0 for non-block-proposal duties) */
   blockNumber: BlockNumber;
+  /** Checkpoint number for this duty (0 for attestation and vote duties) */
+  checkpointNumber: CheckpointNumber;
   /** Block index within checkpoint (0, 1, 2... for block proposals, -1 for other duty types) */
   blockIndexWithinCheckpoint: number;
   /** Type of duty being performed */
@@ -78,15 +100,42 @@ export interface ValidatorDutyRecord {
   startedAt: Date;
   /** When the duty signing was completed (success or failure) */
   completedAt?: Date;
-  /** Error message if status is 'failed' */
+  /** Error message (currently unused) */
   errorMessage?: string;
 }
 
+/**
+ * Convert a {@link StoredDutyRecord} (plain-primitive wire format) to a
+ * {@link ValidatorDutyRecord} (rich domain type).
+ *
+ * Shared by LMDB and any future non-Postgres backend implementations.
+ */
+export function recordFromFields(stored: StoredDutyRecord): ValidatorDutyRecord {
+  return {
+    rollupAddress: EthAddress.fromString(stored.rollupAddress),
+    validatorAddress: EthAddress.fromString(stored.validatorAddress),
+    slot: SlotNumber.fromString(stored.slot),
+    blockNumber: BlockNumber.fromString(stored.blockNumber),
+    checkpointNumber: CheckpointNumber.fromString(stored.checkpointNumber),
+    blockIndexWithinCheckpoint: stored.blockIndexWithinCheckpoint,
+    dutyType: stored.dutyType,
+    status: stored.status,
+    messageHash: stored.messageHash,
+    signature: stored.signature,
+    nodeId: stored.nodeId,
+    lockToken: stored.lockToken,
+    startedAt: new Date(stored.startedAtMs),
+    completedAt: stored.completedAtMs !== undefined ? new Date(stored.completedAtMs) : undefined,
+    errorMessage: stored.errorMessage,
+  };
+}
+
 /**
  * Duty identifier for block proposals.
  * blockIndexWithinCheckpoint is REQUIRED and must be >= 0.
  */
 export interface BlockProposalDutyIdentifier {
+  rollupAddress: EthAddress;
   validatorAddress: EthAddress;
   slot: SlotNumber;
   /** Block index within checkpoint (0, 1, 2...). Required for block proposals. */
@@ -99,6 +148,7 @@ export interface BlockProposalDutyIdentifier {
  * blockIndexWithinCheckpoint is not applicable (internally stored as -1).
  */
 export interface OtherDutyIdentifier {
+  rollupAddress: EthAddress;
   validatorAddress: EthAddress;
   slot: SlotNumber;
   dutyType:
@@ -158,8 +208,10 @@ export function getBlockIndexFromDutyIdentifier(duty: DutyIdentifier): number {
  * Additional parameters for checking and recording a new duty
  */
 interface CheckAndRecordExtra {
-  /** Block number for this duty */
-  blockNumber: BlockNumber | CheckpointNumber;
+  /** Block number for this duty (0 for non-block-proposal duties) */
+  blockNumber: BlockNumber;
+  /** Checkpoint number for this duty (0 for attestation and vote duties) */
+  checkpointNumber: CheckpointNumber;
   /** The signing root (hash) for this duty */
   messageHash: string;
   /** Identifier for the node that acquired the lock */

package/src/factory.ts

@@ -1,11 +1,17 @@
 /**
  * Factory functions for creating validator HA signers
  */
+import { DateProvider } from '@aztec/foundation/timer';
+import { createStore } from '@aztec/kv-store/lmdb-v2';
+import type { LocalSignerConfig, ValidatorHASignerConfig } from '@aztec/stdlib/ha-signing';
+import { getTelemetryClient } from '@aztec/telemetry-client';
+
 import { Pool } from 'pg';
 
-import type { ValidatorHASignerConfig } from './config.js';
+import { LmdbSlashingProtectionDatabase } from './db/lmdb.js';
 import { PostgresSlashingProtectionDatabase } from './db/postgres.js';
-import type { CreateHASignerDeps, SlashingProtectionDatabase } from './types.js';
+import { HASignerMetrics } from './metrics.js';
+import type { CreateHASignerDeps, CreateLocalSignerWithProtectionDeps, SlashingProtectionDatabase } from './types.js';
 import { ValidatorHASigner } from './validator_ha_signer.js';
 
 /**
@@ -23,7 +29,6 @@ import { ValidatorHASigner } from './validator_ha_signer.js';
  * ```typescript
  * const { signer, db } = await createHASigner({
  *   databaseUrl: process.env.DATABASE_URL,
- *   haSigningEnabled: true,
  *   nodeId: 'validator-node-1',
  *   pollingIntervalMs: 100,
  *   signingTimeoutMs: 3000,
@@ -55,6 +60,10 @@ export async function createHASigner(
   if (!databaseUrl) {
     throw new Error('databaseUrl is required for createHASigner');
   }
+
+  const telemetryClient = deps?.telemetryClient ?? getTelemetryClient();
+  const dateProvider = deps?.dateProvider ?? new DateProvider();
+
   // Create connection pool (or use provided pool)
   let pool: Pool;
   if (!deps?.pool) {
@@ -75,8 +84,88 @@ export async function createHASigner(
   // Verify database schema is initialized and version matches
   await db.initialize();
 
+  // Create metrics
+  const metrics = new HASignerMetrics(telemetryClient, signerConfig.nodeId);
+
   // Create signer
-  const signer = new ValidatorHASigner(db, { ...signerConfig, databaseUrl });
+  const signer = new ValidatorHASigner(db, signerConfig, { metrics, dateProvider });
 
   return { signer, db };
 }
+
+/**
+ * Create a local (single-node) signing protection signer backed by LMDB.
+ *
+ * This provides double-signing protection for nodes that are NOT running in a
+ * high-availability (multi-node) setup. It prevents a proposer from sending two
+ * proposals for the same slot if the node crashes and restarts mid-proposal.
+ *
+ * When `config.dataDirectory` is set, the protection database is persisted to disk
+ * and survives crashes/restarts. When unset, an ephemeral in-memory store is
+ * used which protects within a single run but not across restarts.
+ *
+ * @param config - Local signer config
+ * @param deps - Optional dependencies (telemetry, date provider).
+ * @returns An object containing the signer and database instances.
+ */
+export async function createLocalSignerWithProtection(
+  config: LocalSignerConfig,
+  deps?: CreateLocalSignerWithProtectionDeps,
+): Promise<{
+  signer: ValidatorHASigner;
+  db: SlashingProtectionDatabase;
+}> {
+  const telemetryClient = deps?.telemetryClient ?? getTelemetryClient();
+  const dateProvider = deps?.dateProvider ?? new DateProvider();
+
+  const kvStore = await createStore('signing-protection', LmdbSlashingProtectionDatabase.SCHEMA_VERSION, {
+    dataDirectory: config.dataDirectory,
+    dataStoreMapSizeKb: config.signingProtectionMapSizeKb ?? config.dataStoreMapSizeKb,
+    l1Contracts: config.l1Contracts,
+  });
+
+  const db = new LmdbSlashingProtectionDatabase(kvStore, dateProvider);
+
+  const signerConfig = {
+    ...config,
+    nodeId: config.nodeId || 'local',
+  };
+
+  const metrics = new HASignerMetrics(telemetryClient, signerConfig.nodeId, 'LocalSigningProtectionMetrics');
+
+  const signer = new ValidatorHASigner(db, signerConfig, { metrics, dateProvider });
+
+  return { signer, db };
+}
+
+/**
+ * Create an in-memory LMDB-backed SlashingProtectionDatabase that can be shared across
+ * multiple validator nodes in the same process. Used for testing HA setups.
+ */
+export async function createSharedSlashingProtectionDb(
+  dateProvider: DateProvider = new DateProvider(),
+): Promise<SlashingProtectionDatabase> {
+  const kvStore = await createStore('shared-signing-protection', LmdbSlashingProtectionDatabase.SCHEMA_VERSION, {
+    dataStoreMapSizeKb: 1024 * 1024,
+  });
+  return new LmdbSlashingProtectionDatabase(kvStore, dateProvider);
+}
+
+/**
+ * Create a ValidatorHASigner backed by a pre-existing SlashingProtectionDatabase.
+ * Used for testing HA setups where multiple nodes share the same protection database.
+ */
+export function createSignerFromSharedDb(
+  db: SlashingProtectionDatabase,
+  config: Pick<
+    ValidatorHASignerConfig,
+    'nodeId' | 'pollingIntervalMs' | 'signingTimeoutMs' | 'maxStuckDutiesAgeMs' | 'l1Contracts'
+  >,
+  deps?: CreateLocalSignerWithProtectionDeps,
+): { signer: ValidatorHASigner; db: SlashingProtectionDatabase } {
+  const telemetryClient = deps?.telemetryClient ?? getTelemetryClient();
+  const dateProvider = deps?.dateProvider ?? new DateProvider();
+  const metrics = new HASignerMetrics(telemetryClient, config.nodeId, 'SharedSigningProtectionMetrics');
+  const signer = new ValidatorHASigner(db, config, { metrics, dateProvider });
+  return { signer, db };
+}

package/src/metrics.ts

@@ -0,0 +1,138 @@
+import {
+  Attributes,
+  type Histogram,
+  Metrics,
+  type TelemetryClient,
+  type UpDownCounter,
+  createUpDownCounterWithDefault,
+} from '@aztec/telemetry-client';
+
+export type HACleanupType = 'stuck' | 'old' | 'outdated_rollup';
+
+/**
+ * Metrics for HA signer tracking signing operations, lock acquisition, and cleanup.
+ */
+export class HASignerMetrics {
+  // Signing lifecycle metrics
+  private signingDuration: Histogram;
+  private signingSuccessCount: UpDownCounter;
+  private dutyAlreadySignedCount: UpDownCounter;
+  private slashingProtectionCount: UpDownCounter;
+  private signingErrorCount: UpDownCounter;
+
+  // Lock acquisition metrics
+  private lockAcquiredCount: UpDownCounter;
+
+  // Cleanup metrics
+  private cleanupStuckDutiesCount: UpDownCounter;
+  private cleanupOldDutiesCount: UpDownCounter;
+  private cleanupOutdatedRollupDutiesCount: UpDownCounter;
+
+  constructor(
+    client: TelemetryClient,
+    private nodeId: string,
+    name = 'HASignerMetrics',
+  ) {
+    const meter = client.getMeter(name);
+
+    // Signing lifecycle
+    this.signingDuration = meter.createHistogram(Metrics.HA_SIGNER_SIGNING_DURATION);
+    this.signingSuccessCount = createUpDownCounterWithDefault(meter, Metrics.HA_SIGNER_SIGNING_SUCCESS_COUNT);
+    this.dutyAlreadySignedCount = createUpDownCounterWithDefault(meter, Metrics.HA_SIGNER_DUTY_ALREADY_SIGNED_COUNT);
+    this.slashingProtectionCount = createUpDownCounterWithDefault(meter, Metrics.HA_SIGNER_SLASHING_PROTECTION_COUNT);
+    this.signingErrorCount = createUpDownCounterWithDefault(meter, Metrics.HA_SIGNER_SIGNING_ERROR_COUNT);
+
+    // Lock acquisition
+    this.lockAcquiredCount = createUpDownCounterWithDefault(meter, Metrics.HA_SIGNER_LOCK_ACQUIRED_COUNT);
+
+    // Cleanup
+    this.cleanupStuckDutiesCount = createUpDownCounterWithDefault(meter, Metrics.HA_SIGNER_CLEANUP_STUCK_DUTIES_COUNT);
+    this.cleanupOldDutiesCount = createUpDownCounterWithDefault(meter, Metrics.HA_SIGNER_CLEANUP_OLD_DUTIES_COUNT);
+    this.cleanupOutdatedRollupDutiesCount = createUpDownCounterWithDefault(
+      meter,
+      Metrics.HA_SIGNER_CLEANUP_OUTDATED_ROLLUP_DUTIES_COUNT,
+    );
+  }
+
+  /**
+   * Record a successful signing operation.
+   * @param dutyType - The type of duty signed
+   * @param durationMs - Duration from start of signWithProtection to completion
+   */
+  public recordSigningSuccess(dutyType: string, durationMs: number): void {
+    const attributes = {
+      [Attributes.HA_DUTY_TYPE]: dutyType,
+      [Attributes.HA_NODE_ID]: this.nodeId,
+    };
+    this.signingSuccessCount.add(1, attributes);
+    this.signingDuration.record(durationMs, attributes);
+  }
+
+  /**
+   * Record a DutyAlreadySignedError (expected in HA; another node signed first).
+   * @param dutyType - The type of duty
+   */
+  public recordDutyAlreadySigned(dutyType: string): void {
+    const attributes = {
+      [Attributes.HA_DUTY_TYPE]: dutyType,
+      [Attributes.HA_NODE_ID]: this.nodeId,
+    };
+    this.dutyAlreadySignedCount.add(1, attributes);
+  }
+
+  /**
+   * Record a SlashingProtectionError (attempted to sign different data for same duty).
+   * @param dutyType - The type of duty
+   */
+  public recordSlashingProtection(dutyType: string): void {
+    const attributes = {
+      [Attributes.HA_DUTY_TYPE]: dutyType,
+      [Attributes.HA_NODE_ID]: this.nodeId,
+    };
+    this.slashingProtectionCount.add(1, attributes);
+  }
+
+  /**
+   * Record a signing function failure (lock will be deleted for retry).
+   * @param dutyType - The type of duty
+   */
+  public recordSigningError(dutyType: string): void {
+    const attributes = {
+      [Attributes.HA_DUTY_TYPE]: dutyType,
+      [Attributes.HA_NODE_ID]: this.nodeId,
+    };
+    this.signingErrorCount.add(1, attributes);
+  }
+
+  /**
+   * Record lock acquisition.
+   * @param acquired - Whether a new lock was acquired (true) or existing record found (false)
+   */
+  public recordLockAcquire(acquired: boolean): void {
+    if (acquired) {
+      const attributes = {
+        [Attributes.HA_NODE_ID]: this.nodeId,
+      };
+      this.lockAcquiredCount.add(1, attributes);
+    }
+  }
+
+  /**
+   * Record cleanup metrics.
+   * @param type - Type of cleanup
+   * @param count - Number of duties cleaned up
+   */
+  public recordCleanup(type: HACleanupType, count: number): void {
+    const attributes = {
+      [Attributes.HA_NODE_ID]: this.nodeId,
+    };
+
+    if (type === 'stuck') {
+      this.cleanupStuckDutiesCount.add(count, attributes);
+    } else if (type === 'old') {
+      this.cleanupOldDutiesCount.add(count, attributes);
+    } else if (type === 'outdated_rollup') {
+      this.cleanupOutdatedRollupDutiesCount.add(count, attributes);
+    }
+  }
+}

package/src/slashing_protection_service.ts

@@ -7,6 +7,8 @@
 import { type Logger, createLogger } from '@aztec/foundation/log';
 import { RunningPromise } from '@aztec/foundation/promise';
 import { sleep } from '@aztec/foundation/sleep';
+import type { DateProvider } from '@aztec/foundation/timer';
+import type { BaseSignerConfig } from '@aztec/stdlib/ha-signing';
 
 import {
   type CheckAndRecordParams,
@@ -16,7 +18,13 @@ import {
   getBlockIndexFromDutyIdentifier,
 } from './db/types.js';
 import { DutyAlreadySignedError, SlashingProtectionError } from './errors.js';
-import type { SlashingProtectionDatabase, ValidatorHASignerConfig } from './types.js';
+import type { HASignerMetrics } from './metrics.js';
+import type { SlashingProtectionDatabase } from './types.js';
+
+export interface SlashingProtectionServiceDeps {
+  metrics: HASignerMetrics;
+  dateProvider: DateProvider;
+}
 
 /**
  * Slashing Protection Service
@@ -39,11 +47,16 @@ export class SlashingProtectionService {
   private readonly signingTimeoutMs: number;
   private readonly maxStuckDutiesAgeMs: number;
 
+  private readonly metrics: HASignerMetrics;
+  private readonly dateProvider: DateProvider;
+
   private cleanupRunningPromise: RunningPromise;
+  private lastOldDutiesCleanupAtMs?: number;
 
   constructor(
     private readonly db: SlashingProtectionDatabase,
-    private readonly config: ValidatorHASignerConfig,
+    private readonly config: BaseSignerConfig,
+    deps: SlashingProtectionServiceDeps,
   ) {
     this.log = createLogger('slashing-protection');
     this.pollingIntervalMs = config.pollingIntervalMs;
@@ -51,11 +64,9 @@ export class SlashingProtectionService {
     // Default to 144s (2x 72s Aztec slot duration) if not explicitly configured
     this.maxStuckDutiesAgeMs = config.maxStuckDutiesAgeMs ?? 144_000;
 
-    this.cleanupRunningPromise = new RunningPromise(
-      this.cleanupStuckDuties.bind(this),
-      this.log,
-      this.maxStuckDutiesAgeMs,
-    );
+    this.cleanupRunningPromise = new RunningPromise(this.cleanup.bind(this), this.log, this.maxStuckDutiesAgeMs);
+    this.metrics = deps.metrics;
+    this.dateProvider = deps.dateProvider;
   }
 
   /**
@@ -67,7 +78,6 @@ export class SlashingProtectionService {
    * 2. If insert succeeds, we acquired the lock - return the lockToken
    * 3. If a record exists, handle based on status:
    *    - SIGNED: Throw appropriate error (already signed or slashing protection)
-   *    - FAILED: Delete the failed record
    *    - SIGNING: Wait and poll until status changes, then handle result
    *
    * @returns The lockToken that must be used for recordSuccess/deleteDuty
@@ -76,7 +86,7 @@ export class SlashingProtectionService {
    */
   async checkAndRecord(params: CheckAndRecordParams): Promise<string> {
     const { validatorAddress, slot, dutyType, messageHash, nodeId } = params;
-    const startTime = Date.now();
+    const startTime = this.dateProvider.now();
 
     this.log.debug(`Checking duty: ${dutyType} for slot ${slot}`, {
       validatorAddress: validatorAddress.toString(),
@@ -89,10 +99,11 @@ export class SlashingProtectionService {
 
       if (isNew) {
         // We successfully acquired the lock
-        this.log.info(`Acquired lock for duty ${dutyType} at slot ${slot}`, {
+        this.log.verbose(`Acquired lock for duty ${dutyType} at slot ${slot}`, {
           validatorAddress: validatorAddress.toString(),
           nodeId,
         });
+        this.metrics.recordLockAcquire(true);
         return record.lockToken;
       }
 
@@ -107,6 +118,7 @@ export class SlashingProtectionService {
             existingNodeId: record.nodeId,
             attemptingNodeId: nodeId,
           });
+          this.metrics.recordSlashingProtection(dutyType);
           throw new SlashingProtectionError(
             slot,
             dutyType,
@@ -116,15 +128,17 @@ export class SlashingProtectionService {
             record.nodeId,
           );
         }
+        this.metrics.recordDutyAlreadySigned(dutyType);
         throw new DutyAlreadySignedError(slot, dutyType, record.blockIndexWithinCheckpoint, record.nodeId);
       } else if (record.status === DutyStatus.SIGNING) {
         // Another node is currently signing - check for timeout
-        if (Date.now() - startTime > this.signingTimeoutMs) {
+        if (this.dateProvider.now() - startTime > this.signingTimeoutMs) {
           this.log.warn(`Timeout waiting for signing to complete for duty ${dutyType} at slot ${slot}`, {
             validatorAddress: validatorAddress.toString(),
             timeoutMs: this.signingTimeoutMs,
             signingNodeId: record.nodeId,
           });
+          this.metrics.recordDutyAlreadySigned(dutyType);
           throw new DutyAlreadySignedError(slot, dutyType, record.blockIndexWithinCheckpoint, 'unknown (timeout)');
         }
 
@@ -149,10 +163,11 @@ export class SlashingProtectionService {
    * @returns true if the update succeeded, false if token didn't match
    */
   async recordSuccess(params: RecordSuccessParams): Promise<boolean> {
-    const { validatorAddress, slot, dutyType, signature, nodeId, lockToken } = params;
+    const { rollupAddress, validatorAddress, slot, dutyType, signature, nodeId, lockToken } = params;
     const blockIndexWithinCheckpoint = getBlockIndexFromDutyIdentifier(params);
 
     const success = await this.db.updateDutySigned(
+      rollupAddress,
       validatorAddress,
       slot,
       dutyType,
@@ -162,7 +177,7 @@ export class SlashingProtectionService {
     );
 
     if (success) {
-      this.log.info(`Recorded successful signing for duty ${dutyType} at slot ${slot}`, {
+      this.log.verbose(`Recorded successful signing for duty ${dutyType} at slot ${slot}`, {
         validatorAddress: validatorAddress.toString(),
         nodeId,
       });
@@ -184,10 +199,17 @@ export class SlashingProtectionService {
    * @returns true if the delete succeeded, false if token didn't match
    */
   async deleteDuty(params: DeleteDutyParams): Promise<boolean> {
-    const { validatorAddress, slot, dutyType, lockToken } = params;
+    const { rollupAddress, validatorAddress, slot, dutyType, lockToken } = params;
     const blockIndexWithinCheckpoint = getBlockIndexFromDutyIdentifier(params);
 
-    const success = await this.db.deleteDuty(validatorAddress, slot, dutyType, lockToken, blockIndexWithinCheckpoint);
+    const success = await this.db.deleteDuty(
+      rollupAddress,
+      validatorAddress,
+      slot,
+      dutyType,
+      lockToken,
+      blockIndexWithinCheckpoint,
+    );
 
     if (success) {
       this.log.info(`Deleted duty ${dutyType} at slot ${slot} to allow retry`, {
@@ -213,7 +235,20 @@ export class SlashingProtectionService {
    * Start running tasks.
    * Cleanup runs immediately on start to recover from any previous crashes.
    */
-  start() {
+  /**
+   * Start the background cleanup task.
+   * Also performs one-time cleanup of duties with outdated rollup addresses.
+   */
+  async start() {
+    // One-time cleanup at startup: remove duties from previous rollup versions
+    const numOutdatedRollupDuties = await this.db.cleanupOutdatedRollupDuties(this.config.l1Contracts.rollupAddress);
+    if (numOutdatedRollupDuties > 0) {
+      this.log.info(`Cleaned up ${numOutdatedRollupDuties} duties with outdated rollup address at startup`, {
+        currentRollupAddress: this.config.l1Contracts.rollupAddress.toString(),
+      });
+      this.metrics.recordCleanup('outdated_rollup', numOutdatedRollupDuties);
+    }
+
     this.cleanupRunningPromise.start();
     this.log.info('Slashing protection service started', { nodeId: this.config.nodeId });
   }
@@ -236,15 +271,38 @@ export class SlashingProtectionService {
   }
 
   /**
-   * Cleanup own stuck duties
+   * Periodic cleanup of stuck duties and optionally old signed duties.
+   * Runs in the background via RunningPromise.
    */
-  private async cleanupStuckDuties() {
-    const numDuties = await this.db.cleanupOwnStuckDuties(this.config.nodeId, this.maxStuckDutiesAgeMs);
-    if (numDuties > 0) {
-      this.log.info(`Cleaned up ${numDuties} stuck duties`, {
+  private async cleanup() {
+    // 1. Clean up stuck duties (our own node's duties that got stuck in 'signing' status)
+    const numStuckDuties = await this.db.cleanupOwnStuckDuties(this.config.nodeId, this.maxStuckDutiesAgeMs);
+    if (numStuckDuties > 0) {
+      this.log.verbose(`Cleaned up ${numStuckDuties} stuck duties`, {
         nodeId: this.config.nodeId,
         maxStuckDutiesAgeMs: this.maxStuckDutiesAgeMs,
       });
+      this.metrics.recordCleanup('stuck', numStuckDuties);
+    }
+
+    // 2. Clean up old signed duties if configured
+    // we shouldn't run this as often as stuck duty cleanup.
+    if (this.config.cleanupOldDutiesAfterHours !== undefined) {
+      const maxAgeMs = this.config.cleanupOldDutiesAfterHours * 60 * 60 * 1000;
+      const nowMs = this.dateProvider.now();
+      const shouldRun =
+        this.lastOldDutiesCleanupAtMs === undefined || nowMs - this.lastOldDutiesCleanupAtMs >= maxAgeMs;
+      if (shouldRun) {
+        const numOldDuties = await this.db.cleanupOldDuties(maxAgeMs);
+        this.lastOldDutiesCleanupAtMs = nowMs;
+        if (numOldDuties > 0) {
+          this.log.verbose(`Cleaned up ${numOldDuties} old signed duties`, {
+            cleanupOldDutiesAfterHours: this.config.cleanupOldDutiesAfterHours,
+            maxAgeMs,
+          });
+          this.metrics.recordCleanup('old', numOldDuties);
+        }
+      }
     }
   }
 }