Add missing metrics from leanMetrics spec

[pablodeymo]

Closes #76

Summary

Implements all remaining metrics from the leanMetrics specification that were missing in ethlambda. This brings our metric coverage from 21 to 34 metrics, and also updates 3 existing metrics to match the latest upstream spec.

New Metrics (13)

PQ Signature — Individual Attestations (6)

Metric	Type	Instrumentation Point
lean_pq_sig_attestation_signatures_total	Counter	After each successful secret_key.sign() in key_manager.rs
lean_pq_sig_attestation_signatures_valid_total	Counter	After signature.is_valid() returns true in on_gossip_attestation()
lean_pq_sig_attestation_signatures_invalid_total	Counter	When signature.is_valid() returns false in on_gossip_attestation()
lean_pq_sig_attestation_signing_time_seconds	Histogram	Wraps the secret_key.sign() call
lean_pq_sig_attestation_verification_time_seconds	Histogram	Wraps the signature.is_valid() call
lean_pq_sig_aggregated_signatures_verification_time_seconds	Histogram	Wraps both verify_aggregated_signature() call sites (block verification + gossip aggregated attestation)

PQ Signature — Aggregation (1)

Metric	Type	Instrumentation Point
lean_pq_sig_aggregated_signatures_building_time_seconds	Histogram	Wraps each aggregate_signatures() call inside aggregate_committee_signatures()

Fork Choice — Store State (5)

Metric	Type	Instrumentation Point
lean_gossip_signatures	Gauge	Updated after insert_gossip_signature(), delete_gossip_signatures()
lean_latest_new_aggregated_payloads	Gauge	Updated after insert_new_aggregated_payloads_batch(), promote_new_aggregated_payloads()
lean_latest_known_aggregated_payloads	Gauge	Updated after promote_new_aggregated_payloads()
lean_committee_signatures_aggregation_time_seconds	Histogram	Wraps the entire aggregate_committee_signatures() function (after the early return for empty sigs)
lean_fork_choice_reorg_depth	Histogram	Observed when a reorg is detected in update_head()

Validator (1)

Metric	Type	Instrumentation Point
lean_is_aggregator	Gauge	Set once at node start in BlockChain::spawn() (1 = true, 0 = false)

Updated Existing Metrics (3)

Metric	Change	Reason
lean_attestations_valid_total / lean_attestations_invalid_total	Changed from IntCounterVec with source label to plain IntCounter (no labels)	Upstream spec dropped the source=block,gossip label
lean_fork_choice_block_processing_time_seconds	Extended buckets from [0.005, 0.01, 0.025, 0.05, 0.1, 1.0] to [..., 1.0, 1.25, 1.5, 2.0, 4.0]	Upstream added upper buckets for slow block processing
lean_connected_peers (docs only)	Updated client label set to include ethlambda, grandine, lighthouse	Upstream expanded the client list

Design Decisions

1. Gossip signatures count: AtomicUsize instead of table scan

The lean_gossip_signatures gauge needs the count of entries in the RocksDB GossipSignatures table. A naive implementation would call prefix_iterator().count() on every gossip attestation — this is a full table scan with O(N) cost per attestation, leading to O(N²) per slot on aggregator nodes.

Instead, we maintain an AtomicUsize counter on the Store struct that is:

• Seeded from a one-time DB scan at startup (count_gossip_signatures()) to correctly reflect pre-existing entries after a node restart
• Incremented by 1 on insert_gossip_signature() (only if the key is new — a point read guards against counter inflation from duplicate upserts)
• Decremented by keys.len() on delete_gossip_signatures() (using saturating_sub)
• Decremented by pruned on prune_gossip_signatures() (using saturating_sub)

This makes the count O(1). We use Ordering::Relaxed since the counter is only used for metrics (no correctness dependency on exact ordering). The saturating_sub prevents silent wraparound if any future code path introduces a double-decrement.

2. Timing guard placement in aggregate_committee_signatures

The time_committee_signatures_aggregation() guard is created after the gossip_sigs.is_empty() early return check, not before. This avoids polluting the histogram with near-zero durations when there are no signatures to aggregate (the common case for non-aggregator nodes or between aggregation events).

3. is_reorg() → reorg_depth() refactor

Refactored is_reorg(old_head, new_head, store) -> bool to reorg_depth(old_head, new_head, store) -> Option<u64>. The function already walked the chain ancestry — now it counts steps while walking. Returns Some(depth) for reorgs and None for no-reorg or missing headers. The caller uses if let Some(depth) to emit both the existing lean_fork_choice_reorgs_total counter and the new lean_fork_choice_reorg_depth histogram. The walk is bounded to MAX_REORG_DEPTH = 128 to prevent unbounded traversal in pathological cases.

4. Skipped metrics

Two metrics from the upstream spec were intentionally skipped:

• lean_attestation_committee_subnet — ethlambda has no committee subdivision (all validators attest to the same data)
• lean_attestation_committee_count — same reason; there are no attestation committees

These can be added as static values (subnet=0, count=1) if the spec requires them in the future.

5. Histogram buckets match upstream exactly

All histogram buckets were updated to match the upstream leanMetrics spec, including metrics that already existed but had different bucket boundaries (e.g., fork_choice_block_processing gained 4 upper buckets).

Files Changed

File	Lines	What
crates/blockchain/src/metrics.rs	+177 -9	13 new metric functions, 2 updated (attestation counters + bucket change)
crates/blockchain/src/store.rs	+54 -35	Instrumentation: timing wrappers, gauge updates, reorg_depth refactor with bounded walk
crates/blockchain/src/key_manager.rs	+9 -3	Signing timing + attestation signature counter
crates/blockchain/src/lib.rs	+1	set_is_aggregator() call at startup
crates/storage/src/store.rs	+62 -1	AtomicUsize gossip sig counter (DB-seeded, upsert-safe, saturating sub), PayloadBuffer::len(), count accessors
docs/metrics.md	+23 -13	Synced with upstream spec (pinned to commit 2719baad), all new metrics marked ✅

How to Test

1. Unit tests: cargo test --workspace --release — all pass, no new test failures
2. Lint: cargo clippy --workspace -- -D warnings — clean
3. Devnet verification: Start a multi-client devnet with --is-aggregator flag, then scrape /metrics and verify:
   • PQ signature counters increment on attestation signing/verification
   • Gossip signatures gauge reflects the number of pending individual signatures
   • Aggregated payloads gauges update at intervals 0/2/4
   • Reorg depth histogram populates on fork choice reorgs (if any occur)
   • lean_is_aggregator is 1 for aggregator nodes, 0 for non-aggregators

[github-actions]

🤖 Kimi Code Review

Review Summary

This PR adds comprehensive metrics collection to ethlambda, focusing on signature operations, attestation processing, and fork-choice behavior. The implementation is generally well-structured and follows Rust best practices.

Issues Found

1. Atomic Counter Synchronization Issue (crates/storage/src/store.rs:580-585)

The prune_gossip_signatures method uses fetch_sub with Ordering::Relaxed, but the actual pruning happens via database operations that could fail. If the database transaction fails after fetch_sub, the counter will be incorrectly decremented.

Fix: Move the counter update after successful database operations:

let pruned = self.prune_by_slot(...);
// After successful pruning
self.gossip_signatures_count.fetch_sub(pruned, Ordering::Relaxed);

2. Inconsistent Metric Naming (crates/blockchain/src/metrics.rs:124)

The histogram bucket configuration for lean_fork_choice_block_processing_time_seconds was extended but the buckets seem excessive for block processing times. Consider if 4-second buckets are realistic for your use case.

3. Potential Overflow in Reorg Depth (crates/blockchain/src/store.rs:1236-1258)

The reorg_depth function could theoretically overflow if the chain is extremely deep. While unlikely, consider adding a reasonable upper bound check.

4. Missing Error Handling for Metrics (crates/blockchain/src/key_manager.rs:105-114)

The timing guard for attestation signing could be dropped on error, but the counter increment happens regardless. Consider moving the counter increment inside the success path.

Positive Aspects

1. Atomic Operations: Good use of AtomicUsize for thread-safe counter updates
2. Lazy Initialization: Proper use of LazyLock for metric registration
3. Consistent Naming: Metric names follow the leanMetrics specification
4. Comprehensive Coverage: All major operations have corresponding metrics
5. Documentation: The metrics.md file is well-maintained and accurate

Security Considerations

No security vulnerabilities identified. The metrics collection is read-only and doesn't affect consensus logic.

Performance Impact

The metrics collection adds minimal overhead:

• Atomic operations for counters
• Timing guards that only record on drop
• No blocking operations in hot paths

Suggested Minor Improvements

1. Consider using Ordering::Release/Acquire instead of Relaxed for the gossip signatures counter to ensure visibility across threads
2. Add debug assertions to verify counter consistency in test builds
3. Consider batching metric updates where possible to reduce atomic operations

Overall, this is a solid implementation that provides valuable observability without compromising correctness or performance.

---

Automated review by Kimi (Moonshot AI) · custom prompt

[github-actions]

🤖 Codex Code Review

1. Potential counter underflow / drift in persisted stores (correctness + observability)
   In storage, gossip_signatures_count is initialized to 0 on startup, but GossipSignatures entries may already exist in DB. Later fetch_sub(pruned) / fetch_sub(count) can wrap to a huge usize if subtraction exceeds current value.

   • Init at zero: store.rs
   • Subtractions: store.rs, store.rs
   • Increment on every insert (including overwrite case): store.rs
     Suggested fix: initialize from actual table cardinality at Store::new, and use saturating decrement logic (or recompute gauge from DB when updating metrics).

2. Reorg depth can report 0 for same-slot head switch (metric semantic bug)
   reorg_depth returns Some(0) when old_head and new_head differ but have the same slot, because depth is incremented only after stepping to parent. That makes lean_fork_choice_reorg_depth inconsistent with “depth in blocks” (should be at least 1 for a head replacement).

   • Logic: store.rs, store.rs
     Suggested fix: return depth + 1 on divergence at/above target slot, or redefine depth explicitly and document bucket 0.

Overall, the PR is solid from a consensus/security perspective: no obvious fork-choice, attestation validation, justification/finalization, state transition, XMSS verification, or SSZ correctness regressions in this diff. I did not run tests in this review pass.

---

Automated review by OpenAI Codex · custom prompt

[github-actions]

🤖 Claude Code Review

Now I have all the information I need to write a thorough review.

---

Code Review: PR 192 — Add missing metrics from leanMetrics spec

Overall this is a well-executed metrics instrumentation PR. The design decisions are sound, the reorg_depth refactor is clean, and the RAII timing guards are placed correctly. A few issues worth addressing before merging.

---

Bug: lean_gossip_signatures gauge not updated after finalization-triggered pruning

prune_gossip_signatures is called from within update_checkpoints (storage store.rs:466) when finalization advances. That path correctly decrements gossip_signatures_count: Arc<AtomicUsize>. However, the corresponding Prometheus gauge push — metrics::update_gossip_signatures(store.gossip_signatures_count()) — is only placed at:

• blockchain/store.rs:401 (after insert_gossip_signature)
• blockchain/store.rs:212 (after delete_gossip_signatures)

The call at blockchain/store.rs:578:

store.update_checkpoints(ForkCheckpoints::new(store.head(), justified, finalized));

...can trigger pruning when finalization advances, but no gauge update follows it. After a finalization event, lean_gossip_signatures will report a stale (too-high) value until the next attestation insert or aggregation cycle.

Fix: Add metrics::update_gossip_signatures(store.gossip_signatures_count()) after line 578 when finalized is Some(_).

---

gossip_signatures_count initializes to 0 on restart

gossip_signatures_count: Arc::new(AtomicUsize::new(0)) starts cold every time the node restarts. If there are pre-existing signatures in RocksDB from a previous run (e.g., crash between aggregation intervals), lean_gossip_signatures will report 0 at startup, then drift upward as new signatures are inserted and downward as they're deleted/pruned — never reflecting the true on-disk count until everything inserted during the current run is eventually removed.

This is bounded in practice (gossip sigs are pruned on the next finalization), but worth documenting or fixing by scanning the GossipSignatures table on Store::new().

---

delete_gossip_signatures counter assumes all keys exist

// crates/storage/src/store.rs
let count = keys.len();
// ... RocksDB delete_batch (silent no-op for missing keys) ...
self.gossip_signatures_count.fetch_sub(count, Ordering::Relaxed);

delete_batch silently succeeds for keys that don't exist, but the AtomicUsize is always decremented by keys.len(). If a key is deleted twice (e.g., via a future code path), the counter wraps to usize::MAX and count as i64 becomes a large positive value, making the gauge meaningless. In practice, keys_to_delete is derived from actual store contents, so this is safe today. Worth adding a doc comment on this assumption.

---

Reorg depth of 0 for same-slot forks

When old_head and new_head are at the same slot but on different branches, the while-loop in reorg_depth immediately hits current_header.slot <= target_slot with depth = 0, returning Some(0). This calls:

metrics::observe_fork_choice_reorg_depth(0)  // observe(0.0)

The histogram buckets start at 1.0, so 0.0 goes into the +Inf bucket without appearing in any labelled bucket. More importantly, a depth-0 reorg is semantically ambiguous — conceptually, replacing one block at slot N with another block at slot N is a 1-block reorg. Consider returning Some(1) for this case, or returning None (treating it as not a depth-based reorg) and relying on lean_fork_choice_reorgs_total for the count.

---

Minor: usize as i64 cast in gauge updates

// metrics.rs
LEAN_GOSSIP_SIGNATURES.set(count as i64);

On a 64-bit platform, if count ever exceeds i64::MAX (≈9.2 × 10¹⁸), the cast silently wraps to a negative value. While impossible for gossip signature counts in practice, the idiomatic safer form is count.try_into().unwrap_or(i64::MAX) or a #[allow(clippy::cast_possible_wrap)] annotation. Affects update_gossip_signatures, update_latest_new_aggregated_payloads, update_latest_known_aggregated_payloads.

---

What looks good

• The is_reorg → reorg_depth refactor is minimal and clean: one let mut depth = 0 + one depth += 1 + then_some(depth). Reuses the existing chain walk with zero added branches.
• The AtomicUsize design for gossip signature counting is the right call over a table scan — O(1) vs O(N) per attestation on an aggregator node.
• Timing guard placement is correct throughout: the RAII guard in key_manager.rs is scoped to the block so it drops before ? propagates; the time_committee_signatures_aggregation guard is placed after the early-return, avoiding histogram pollution from the common no-op path.
• Removing the source=block,gossip label from attestation counters correctly tracks the upstream spec change.
• LazyLock-based static pattern is consistent with existing metrics code in the crate.

---

Automated review by Claude (Anthropic) · custom prompt

[greptile-apps]

Greptile Summary

This PR brings ethlambda's metric coverage from 21 to 34 metrics by instrumenting PQ signature operations, fork-choice store state gauges, committee aggregation timing, and the lean_is_aggregator startup gauge, while also aligning three existing metrics with the upstream leanMetrics spec. The changes are well-structured overall, with a thoughtful O(1) gossip-signature counter design (DB-seeded AtomicUsize with upsert-safe read-before-write) and a clean refactor of is_reorg → reorg_depth.

Key findings:

• lean_gossip_signatures gauge staleness after pruning: prune_gossip_signatures (called inside update_checkpoints) correctly decrements the atomic counter but no metrics::update_gossip_signatures() call follows in update_head. After any finalization-driven prune event the Prometheus gauge will remain inflated until the next insert or delete.
• MAX_REORG_DEPTH cutoff creates false-positive reorg events: When the 128-hop walk limit is reached, reorg_depth returns Some(128), causing inc_fork_choice_reorgs() and observe_fork_choice_reorg_depth(128) to fire even when the outcome of the walk is inconclusive. A node catching up from a large head gap (e.g., after restart) would permanently inflate the lean_fork_choice_reorgs_total counter.
• The inc_pq_sig_attestation_signatures() counter fires only on successful signing (correctly gated by ?), and the valid/invalid split for gossip attestation verification is correct.
• The delete_gossip_signatures decrement uses keys.len() unconditionally (keys that no longer exist in the DB won't produce extra DB entries but will over-decrement the counter), mitigated by saturating_sub — this is an accepted trade-off documented in the PR.

Confidence Score: 3/5

• Safe to merge with fixes — issues are metrics-only and don't affect consensus correctness, but two logic bugs will cause observable metric inaccuracies in production.
• Score reduced from 5 due to two concrete logic bugs: (1) lean_gossip_signatures gauge goes stale after every finalization-driven prune event, and (2) the MAX_REORG_DEPTH cutoff in reorg_depth unconditionally fires reorg metrics for inconclusive chain walks, permanently inflating lean_fork_choice_reorgs_total on nodes that experience large head jumps. Neither bug affects consensus, but both will degrade observability reliability.
• crates/blockchain/src/store.rs — both logic issues are in this file (update_head missing gauge push after update_checkpoints, and reorg_depth MAX_REORG_DEPTH false-positive return).

Important Files Changed

Filename	Overview
crates/blockchain/src/store.rs	Adds timing guards, gauge updates, and refactors is_reorg → reorg_depth; two logic issues found: lean_gossip_signatures gauge not pushed after pruning, and MAX_REORG_DEPTH cutoff causes false-positive reorg events and counter inflation.
crates/storage/src/store.rs	Adds AtomicUsize gossip_signatures_count with DB-seeded startup value, upsert-safe point-read guard in insert_gossip_signature, and saturating_sub in delete/prune paths — the atomic counter logic is correct, but the corresponding Prometheus gauge push is missing from the pruning path (tracked in blockchain/store.rs comment).
crates/blockchain/src/metrics.rs	Adds 13 new metric functions and updates 2 existing counters (label removal) and 1 histogram (extended buckets); all registrations are lazy-static and consistent with the spec, no issues found.
crates/blockchain/src/key_manager.rs	Wraps secret_key.sign() with time_pq_sig_attestation_signing() guard and increments inc_pq_sig_attestation_signatures() only on success; instrumentation is correct.
crates/blockchain/src/lib.rs	Single-line addition of metrics::set_is_aggregator(is_aggregator) at node startup; straightforward and correct.
docs/metrics.md	Documentation synced to leanMetrics spec commit 2719baad; all 13 new metrics marked ✅, updated bucket sets and removed source label match the implementation.

Sequence Diagram

sequenceDiagram
    participant GossipHandler
    participant BlockchainStore
    participant StorageStore
    participant AtomicCounter
    participant PrometheusGauge

    Note over GossipHandler,PrometheusGauge: Gossip attestation path
    GossipHandler->>BlockchainStore: on_gossip_attestation()
    BlockchainStore->>BlockchainStore: time_pq_sig_attestation_verification()
    BlockchainStore->>BlockchainStore: inc_pq_sig_attestation_signatures_valid/invalid()
    BlockchainStore->>StorageStore: insert_gossip_signature()
    StorageStore->>StorageStore: read check (is_new?)
    StorageStore->>AtomicCounter: fetch_add(1) if is_new
    BlockchainStore->>PrometheusGauge: update_gossip_signatures(count)

    Note over GossipHandler,PrometheusGauge: Aggregation cycle
    BlockchainStore->>BlockchainStore: aggregate_committee_signatures()
    BlockchainStore->>BlockchainStore: time_pq_sig_aggregated_signatures_building()
    BlockchainStore->>StorageStore: delete_gossip_signatures(keys)
    StorageStore->>AtomicCounter: saturating_sub(keys.len())
    BlockchainStore->>PrometheusGauge: update_gossip_signatures(count)

    Note over GossipHandler,PrometheusGauge: Finalization / pruning path (gauge NOT updated)
    BlockchainStore->>StorageStore: update_checkpoints()
    StorageStore->>StorageStore: prune_gossip_signatures(slot)
    StorageStore->>AtomicCounter: saturating_sub(pruned)
    Note right of PrometheusGauge: ❌ No gauge push here — stale value until next insert/delete

Loading

_{Last reviewed commit: 17f10ea}

[greptile-apps]

gossip_signatures_count is initialized to 0, but the GossipSignatures RocksDB table may already contain entries from a previous run. After a restart:

1. Counter starts at 0.
2. Finalization at startup fires prune_gossip_signatures(finalized_slot) (line 466), which calls fetch_sub(pruned, ...) at line 584.
3. If pruned > 0 for pre-existing entries, fetch_sub wraps around to usize::MAX - pruned + 1.
4. The metric then reports a large negative gauge value (e.g., -5 when cast to i64), corrupting observability data.

AtomicUsize::fetch_sub does not panic on underflow—it silently wraps—so this is a silent data corruption of the metric.

Fix: Initialize the counter from the existing DB count at startup:

// In Store::init_store() or the constructor
let initial_count = self.count_gossip_signatures(); // scan table once
gossip_signatures_count: Arc::new(AtomicUsize::new(initial_count))

Alternatively, if an O(N) startup scan is undesirable, persist the count in a separate metadata key and restore it on initialization.

Prompt To Fix With AI

This is a comment left during a code review.
Path: crates/storage/src/store.rs
Line: 355

Comment:
`gossip_signatures_count` is initialized to `0`, but the `GossipSignatures` RocksDB table may already contain entries from a previous run. After a restart:

1. Counter starts at `0`.
2. Finalization at startup fires `prune_gossip_signatures(finalized_slot)` (line 466), which calls `fetch_sub(pruned, ...)` at line 584.
3. If `pruned > 0` for pre-existing entries, `fetch_sub` wraps around to `usize::MAX - pruned + 1`.
4. The metric then reports a large negative gauge value (e.g., `-5` when cast to `i64`), corrupting observability data.

`AtomicUsize::fetch_sub` does not panic on underflow—it silently wraps—so this is a silent data corruption of the metric.

**Fix:** Initialize the counter from the existing DB count at startup:

```rust
// In Store::init_store() or the constructor
let initial_count = self.count_gossip_signatures(); // scan table once
gossip_signatures_count: Arc::new(AtomicUsize::new(initial_count))
```

Alternatively, if an O(N) startup scan is undesirable, persist the count in a separate metadata key and restore it on initialization.

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

put_batch is an upsert — if a signature for the same (validator_id, data_root) key already exists, it updates the existing entry without adding a new row. However, the counter is always incremented unconditionally at line 1069.

If insert_gossip_signature is called twice for the same key (e.g., duplicate gossip message before network-layer deduplication), the database will have 1 entry but the counter will be 2. When the entry is later deleted via delete_gossip_signatures, only one decrement happens, leaving the counter permanently inflated by 1. This causes permanent metric drift.

Fix: Check whether the key is new before incrementing:

let is_new = !self.backend.begin_read()
    .expect("read")
    .get(Table::GossipSignatures, &encode_signature_key(&key))
    .expect("get")
    .is_some();

// ... existing write logic ...

if is_new {
    self.gossip_signatures_count.fetch_add(1, Ordering::Relaxed);
}

Alternatively, add a guard in callers of insert_gossip_signature to ensure it is never called twice for the same key.

Prompt To Fix With AI

This is a comment left during a code review.
Path: crates/storage/src/store.rs
Line: 1069

Comment:
`put_batch` is an upsert — if a signature for the same `(validator_id, data_root)` key already exists, it updates the existing entry without adding a new row. However, the counter is always incremented unconditionally at line 1069.

If `insert_gossip_signature` is called twice for the same key (e.g., duplicate gossip message before network-layer deduplication), the database will have 1 entry but the counter will be 2. When the entry is later deleted via `delete_gossip_signatures`, only one decrement happens, leaving the counter permanently inflated by 1. This causes permanent metric drift.

**Fix:** Check whether the key is new before incrementing:

```rust
let is_new = !self.backend.begin_read()
    .expect("read")
    .get(Table::GossipSignatures, &encode_signature_key(&key))
    .expect("get")
    .is_some();

// ... existing write logic ...

if is_new {
    self.gossip_signatures_count.fetch_add(1, Ordering::Relaxed);
}
```

Alternatively, add a guard in callers of `insert_gossip_signature` to ensure it is never called twice for the same key.

How can I resolve this? If you propose a fix, please make it concise.

[MegaRedHand]

LGTM. Left some comments

[pablodeymo]

@greptile-apps review the PR again please

[greptile-apps]

lean_gossip_signatures gauge not updated after pruning

update_checkpoints (called on line 56) internally calls prune_gossip_signatures, which correctly decrements the gossip_signatures_count atomic in crates/storage/src/store.rs. However, the Prometheus gauge lean_gossip_signatures is only pushed via metrics::update_gossip_signatures() from two call sites:

1. After insert_gossip_signature in on_gossip_attestation
2. After delete_gossip_signatures in aggregate_committee_signatures

There is no push after the finalization-driven pruning path. This means every time update_checkpoints prunes stale gossip signatures (e.g., on finality advancement), the gauge will report an inflated count until the next individual attestation insert or aggregation-cycle delete. On a quiet node that received no new gossip between two finalization events the gauge could stay inflated indefinitely.

Fix: add a metric push right after update_checkpoints returns:

store.update_checkpoints(ForkCheckpoints::head_only(new_head));
metrics::update_gossip_signatures(store.gossip_signatures_count());

Prompt To Fix With AI

This is a comment left during a code review.
Path: crates/blockchain/src/store.rs
Line: 56

Comment:
**`lean_gossip_signatures` gauge not updated after pruning**

`update_checkpoints` (called on line 56) internally calls `prune_gossip_signatures`, which correctly decrements the `gossip_signatures_count` atomic in `crates/storage/src/store.rs`. However, the Prometheus gauge `lean_gossip_signatures` is only pushed via `metrics::update_gossip_signatures()` from two call sites:

1. After `insert_gossip_signature` in `on_gossip_attestation`
2. After `delete_gossip_signatures` in `aggregate_committee_signatures`

There is no push after the finalization-driven pruning path. This means every time `update_checkpoints` prunes stale gossip signatures (e.g., on finality advancement), the gauge will report an inflated count until the next individual attestation insert or aggregation-cycle delete. On a quiet node that received no new gossip between two finalization events the gauge could stay inflated indefinitely.

Fix: add a metric push right after `update_checkpoints` returns:

```rust
store.update_checkpoints(ForkCheckpoints::head_only(new_head));
metrics::update_gossip_signatures(store.gossip_signatures_count());
```

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

MAX_REORG_DEPTH cutoff may produce false reorg events

When the walk reaches 128 parent hops without finding the target slot, the function unconditionally returns Some(128). The caller (update_head) then calls both metrics::inc_fork_choice_reorgs() and metrics::observe_fork_choice_reorg_depth(128), counting this as a confirmed reorg.

The original is_reorg had no depth limit — it continued walking and could correctly conclude "no reorg" even for long chains. With the new limit, any scenario where old_head and new_head are more than 128 slots apart (e.g., a node catching up from behind, or a one-time large jump in head) will be mis-classified as a reorg of depth 128. The lean_fork_choice_reorgs_total counter will be permanently inflated on nodes that experience long-range head updates.

A safer approach is to return None at the depth limit (treating the outcome as "unknown / not a verified reorg"), consistent with the existing behaviour at the bottom of the loop when chain headers are missing:

if depth >= MAX_REORG_DEPTH {
    warn!(depth, "Reorg depth exceeded maximum, stopping walk");
    return None; // Cannot confirm reorg; avoid false-positive count
}

Prompt To Fix With AI

This is a comment left during a code review.
Path: crates/blockchain/src/store.rs
Line: 1270-1273

Comment:
**`MAX_REORG_DEPTH` cutoff may produce false reorg events**

When the walk reaches 128 parent hops without finding the target slot, the function unconditionally returns `Some(128)`. The caller (`update_head`) then calls both `metrics::inc_fork_choice_reorgs()` and `metrics::observe_fork_choice_reorg_depth(128)`, counting this as a confirmed reorg.

The original `is_reorg` had no depth limit — it continued walking and could correctly conclude "no reorg" even for long chains. With the new limit, any scenario where `old_head` and `new_head` are more than 128 slots apart (e.g., a node catching up from behind, or a one-time large jump in head) will be mis-classified as a reorg of depth 128. The `lean_fork_choice_reorgs_total` counter will be permanently inflated on nodes that experience long-range head updates.

A safer approach is to return `None` at the depth limit (treating the outcome as "unknown / not a verified reorg"), consistent with the existing behaviour at the bottom of the loop when chain headers are missing:

```rust
if depth >= MAX_REORG_DEPTH {
    warn!(depth, "Reorg depth exceeded maximum, stopping walk");
    return None; // Cannot confirm reorg; avoid false-positive count
}
```

How can I resolve this? If you propose a fix, please make it concise.