eth/protocols/wit, consensus/bor: WIT2 — BP-signed witness announcements with transitive relay and pre-import serving

[lucca30]

Summary

Adds WIT2 (witness protocol version 3): block producers sign a commitment over each witness, peers verify the signature and relay the announce at network-RTT speed without executing the block, and any peer that has fetched the body can serve it pre-import from an in-memory cache. The slow part of witness propagation — re-execution before relay — is removed from the critical path. Mixed mesh with WIT1 nodes is tolerated; no flag-day rollout required.

Devnet result (4 scenarios, post-fork-only window, hop-chain topology with +300 ms per-hop import knob):

• Stateless validator at hop 2 — milestone-vote lag p95 425 ms → 1.0 ms (−99.8%).
• Stateless validator at hop 3 — milestone-vote lag p95 719 ms → 260 ms (−64%).
• Mixed-version meshes (only stateless WIT2; only one BP WIT2): zero errors, no peer drops, full sample counts. Backward compatible.

What we're solving

Today on Polygon mainnet, witness propagation through a stateless validator that is multiple hops away from a block producer accumulates a per-hop ~500 ms execution gate: each intermediate node must finish executing the block before it will relay the witness downstream. This serialises along the path and shows up at the receiver as milestone-voting latency — slow milestone votes on a fraction of blocks at multi-hop stateless validators. Adding more peers does not help; the chain of dependencies is fan-in × execution time.

The deliverable is to detach announce from execute so witness availability propagates at gossip speed, while keeping the same byte-correctness guarantee (hash check at the requester, with on-chain blame) and the same content-correctness guarantee (state-root, with BP blame).

How the code achieves it

1. BP-signed witness commitment

The producer needs to commit to which witness bytes are correct without paying ~88 ms of single-thread keccak on the announce path (otherwise we re-introduce the same gate we're trying to remove, just on a different node). See Signing-scheme evaluation below — short version: chunked-parallel keccak at 1 MiB chunks beats the next-best viable candidate by a clear margin and keeps the WIT1 wire format intact.

• core/stateless/witness_commit.go::WitnessCommitHash(bytes) = keccak256(concat(per-1MiB-chunk-keccak)). Each 1 MiB chunk is hashed in parallel; final aggregate is one extra keccak over <1 KiB of chunk hashes. ~13.5 ms wall-clock for 50 MiB witnesses on 8 cores vs ~88 ms single-shot keccak — 6.5× speedup, no wire-format change. Producer and verifier agree on the chunk size as a protocol constant.
• Producer signs the commitment via consensus/bor.SignBytes reusing the engine's SignerFn, with a dedicated mimetype application/x-bor-wit2-announce and a domain-separated digest tag — replay-resistant at both the digest and signer-call levels.
• Operator note: validators running Clef must whitelist the new mimetype, otherwise the producer falls back to unsigned WIT1 announces.

2. Verify-and-relay without execution

• New protocol version WIT2 = 3 (eth/protocols/wit/protocol.go), new message SignedNewWitnessHashesMsg = 0x06 carrying up to 64 announcements per packet.
• eth/handler_wit2.go::handleSignedWitnessAnnouncements does ecrecover against the scheduled producer for the announced block; on success the announce is cached and immediately relayed to peers that have not seen this hash. No state execution is touched.
• Header-not-yet-local case is handled as a deferral (no strike, retry on the next packet for the same hash) so the block-cosend race does not punish honest relayers. Strikes (rate-limited disconnect at 5/min) are reserved for confirmed misbehaviour: bad signature, signer ≠ scheduled producer with a known header.

3. Pre-import serving cache

• pendingWitnessBodies (capacity 10) in the WIT2 handler is fed from the paged-fetch path the moment byte-correctness verification against the BP-signed WitnessHash passes — i.e. before chain write. handleGetWitness consults this cache before chain storage, so a peer that just received the body can serve it to a downstream stateless node before it has finished executing.
• Entries are gated on the BP-signed WitnessHash being on file — relayers never cache unverified bytes, and WIT1 fallback paths skip the cache entirely (no path to mix unsigned and signed bytes).

4. Blame model preserved

• Byte-correctness: requester verifies the body against the BP's signed WitnessHash; failure attaches to the server that returned the bytes.
• Content-correctness (state-root): same as today — failure attaches to the BP that signed.
• Conflicting WitnessHash for the same BlockHash is rejected via signedWitnessCache.putIfNewer, so a peer cannot equivocate witnesses across announcements.

5. Rate-limits & DoS shape

• Per-(blockHash, peer) relay rate-limit: 200 ms.
• Announcement TTL: 30 s.
• Per-peer token bucket: burst 256, refill 64/s.
• Strike disconnect at 5 invalid signed announces / minute.

6. Compatibility

• WIT1 peers continue using NewWitnessHashes. Mixed WIT1/WIT2 mesh is tolerated: WIT2 nodes downgrade to WIT1 wire when peering with WIT1 peers (relay handler skips peers with Version() < wit.WIT2).
• New WitnessHash field on WitnessMetadataResponse is set by WIT2 servers and ignored by WIT1 readers — wire forward-compatible.

Signing-scheme evaluation

Picking the right commitment function for the announce signature is load-bearing for the whole PR: too slow on the producer and we just move the per-hop gate from "execute the block" to "hash the witness"; too weak and we lose the byte-blame property that lets a downstream node disconnect a peer that returned tampered bytes. Four candidates were evaluated end-to-end on synthetic 1–50 MiB witnesses (Apple M4 Pro, Go 1.26.2, go test -benchtime=3s -count=3, median of three).

Candidates

Candidate	Mechanism	Wire change
A — current baseline	keccak256(canonical_RLP(witness)) single-thread	none
B — chunked-parallel keccak	keccak(chunk0_hash ‖ … ‖ chunkN_hash), chunks hashed concurrently	none
C — per-node Merkle	hash every state node, sort, build Merkle tree, sign root	none
D — intrinsic (drop separate hash)	sign nothing extra; rely on header.StateRoot to detect bad bytes	shrinks announce, bumps to WIT3

Result at 50 MiB — verifier wall-clock (best parallel config)

Candidate	Best wall-clock	Speedup vs A	Producer cost	Allocs/op	Notes
A	88.4 ms (1 thread)	1.0×	88 ms	1	scales 1× even on 12-core hardware
B (1 MiB chunks, 8 cores)	13.5 ms	6.5×	13.5 ms	16	wire identical, only producer's signing input changes
B (15 MiB pages, 4 cores)	26.7 ms	3.3×	27 ms	16	one chunk per wire page; less internal parallelism
C (per-node Merkle, 4 cores)	122 ms	0.7× (worse)	~50 ms (precomputed hashes)	614 k	Merkle build over 204k node hashes overwhelms the parallel keccak win
D (intrinsic, 4 cores)	44 ms	2.0×	0 ms	410 k	rejected — see below

Why D was rejected post-bench

D had the most attractive numbers (zero producer cost, 2× verifier speedup, no signature on the announce path) — but a peer can serve a truncated witness whose included nodes all hash consistently up to the BP-signed header.StateRoot. Branch nodes embed child references as 32-byte hashes inside their own bytes, so dropping a subtree leaves the parent branch nodes' hashes unchanged. The intrinsic walker has no way to distinguish "this hash-reference belongs to a path that was never touched and is intentionally absent" from "this hash-reference belongs to a path that was touched and was adversarially omitted" — only attempting execution would. That destroys pre-execute byte-blame, which is the whole reason WIT2 introduced a content commitment in the first place. A/B/C all preserve byte-blame because they sign over content; truncation changes the commitment, signature mismatch, peer dropped pre-execute.

Why B at 1 MiB chunks won

A chunk-size sweep at 50 MiB / 8 cores:

chunk size	wall-clock	aggregate throughput	speedup vs A
512 KiB	13.5 ms	3.9 GB/s	6.5×
1 MiB	13.8 ms	3.85 GB/s	6.4×
2 MiB	15.9 ms	3.3 GB/s	5.6×
4 MiB	17.1 ms	3.1 GB/s	5.2×
15 MiB (= one wire page)	27.7 ms	1.9 GB/s	3.2×

512 KiB shaves a tenth of a ms over 1 MiB at the cost of doubling the chunk count and the per-chunk overhead — 1 MiB is the knee of the curve. Below 512 KiB, per-chunk setup starts dominating. The 4 GB/s ceiling is the M4 Pro's aggregate keccak throughput across 8 P-cores; further parallelism doesn't help with the current keccak primitive.

Verifier-side scaling — B beats A non-trivially only ≥ 30 MiB

witness size	A (single-thread)	B (1 MiB chunks, 8 cores)
1 MiB	1.8 ms	1.8 ms (one chunk, no parallelism)
5 MiB	8.9 ms	4.0 ms (~2.2×)
15 MiB	26.6 ms	6.2 ms (~4.3×)
30 MiB	53.2 ms	9.1 ms (~5.8×)
50 MiB	88.4 ms	13.5 ms (~6.5×)

For the small witnesses Polygon emits today (typically 1–10 MiB) B is comparable to A; for the large witnesses we already see at the upper tail (30–50 MiB) B is the difference between the producer/verifier paying a ~90 ms gate vs ~14 ms. The fix is most impactful exactly where the problem is worst.

Why not C

C is dominated by every other viable candidate on these numbers: slower verifier than A (122 ms vs 88 ms), 91 MiB / 614 k allocations per verify at 50 MiB, no wire saving. C only becomes interesting if a future design needs sub-witness proofs (proving a specific node belongs to the committed set without sending the full body) — that's not on the roadmap, so C is a no-vote here.

Sensitivity caveats

• Synthetic 256-byte avg node size; real mainnet shape may shift C/D's relative position but not B vs A — B operates on contiguous bytes regardless of node distribution.
• Producer cost for B reuses the same parallel-keccak; not amortized into anything else, so it's a real wall-clock cost on the announce path. 14 ms is well under the per-hop savings (~500 ms) so the change is a net win even at 50 MiB.
• A faster hash primitive (BLAKE3 / KangarooTwelve) would push verifier toward ~5 ms but adds a non-Ethereum dependency; out of scope, can be re-evaluated separately if 14 ms is still too slow.

Full bench artifact (raw numbers, reproduction commands, allocation breakdown): agent-zero/investigations/witness-propagation/witness-commit-bench.md.

Local devnet validation

A 9-node hop-chain devnet on kurtosis-pos: 4 BPs full-mesh, two relay full-nodes (F1/F2) carrying a +300 ms per-hop import-delay knob to amplify the gate without heavy tx loads, and three stateless validators at hop distances 1 / 2 / 3 from the closest BP (S1 ↔ BP1, S2 ↔ F1, S3 ↔ F2). Topology was enforced post-launch via admin_removePeer after every node imported past Giugliano (block 128 + 72-block settle), so the measurement window is post-fork and post-prune only — pre-fork blocks (different code path) are excluded.

Four scenarios, ~30 measured blocks each:

#	Image map	Headline result
1	All 9 = bor:develop (control)	Reproduces the bug. S2 milestone-lag p95 425 ms / max 482 ms. S3 p95 719 ms / max 898 ms.
2	All 9 = bor:wit2	S2 p95 1.0 ms (−99.8%). S3 p95 260 ms (−64%). 700–1000 RX_SIGNED_ANNOUNCE per node confirms protocol active end-to-end.
3	S1/S2/S3 = bor:wit2, rest = bor:develop	Same lag as develop (no relay path for signed announces because intermediate hops are WIT1), but zero errors, no peer drops, full sample counts; WIT2 stateless nodes correctly downgrade to WIT1 wire and serve develop peers via the chain path.
4	BP1 = bor:wit2, rest = bor:develop	Same as scenario 3 from the other direction. BP1 served 195 witnesses on the WIT1 chain path; develop validators kept whitelisting milestones throughout.

F2 import-lag (the relay just before S3) shows the mechanism: median drops 805 → 305 ms in scenario 2 — one full per-hop inject overlapped with WIT2 announcement-driven pre-fetch, exactly what the design predicts.

S3's residual p95 of 260 ms in scenario 2 is the single +300 ms inject on F2 still in the critical path: WIT2 lets the F1 hop overlap, but F2 still has to receive and execute the block before serving S3. Without the artificial knob (i.e., on mainnet), the natural per-hop gate is ~50–100 ms and this residual shrinks proportionally.

Full report (per-scenario logs, lag tables, errors/warnings, peer-count snapshots, prune timestamps, image map): agent-zero/investigations/witness-propagation/devnet-validation-2026-04-30b.md.

Backward compatibility — explicit checks

Property	Check	Result
WIT2 binary in develop mesh	scenario 4 (BP1 only) and scenario 3 (S* only)	full sample counts, zero ERRORs, no peer isolation
WIT1 fallback path	pendingWitnessBodies skipped when no signed WitnessHash on file	gated check in eth/handler_wit2.go::resolveWitnessBytes
Mixed-version metadata	new WitnessHash field on WitnessMetadataResponse ignored by WIT1 readers	served-chain path serves both equally
Replay across forks/networks	mimetype + domain tag in consensus/bor.SignBytes	covered by consensus/bor/signbytes_test.go

Test plan

• Unit tests: core/stateless/witness_commit_test.go, witness_commit_bench_test.go, consensus/bor/signbytes_test.go, eth/handler_wit2_test.go, eth/handler_wit_test.go, eth/peerset_test.go, eth/protocols/wit/protocol_wit2_test.go, eth/fetcher/witness_manager_wit2_test.go.
• Local devnet validation, 4 scenarios, post-fork-only measurement window — see report above.
• Reviewers: confirm the chunk-size choice (1 MiB) for the parallel keccak — small enough to be useful on smaller witnesses, large enough to amortise goroutine overhead.
• Reviewers: confirm the cache capacity (10) for pendingWitnessBodies. We don't expect more than a few in-flight unique witnesses at a time, but worth a second opinion under burst conditions.
• Operator readiness: comms to validators running Clef about the new mimetype application/x-bor-wit2-announce.

Diffguard / quality-gate notes

• 3 unused symbols in eth/handler_wit2.go (errInvalidSigner, contextBackground, wit2SpanLookupMissMeter) — left over from earlier iterations; worth removing before merge.
• eth/handler_wit2.go is 504 lines (4 over the 500 threshold). Up to reviewers whether to split.
• WitnessCommitHash cognitive complexity is 18 vs the 10 threshold — driven by the parallel-keccak fan-out with bounded goroutines; not naturally simplifiable below ~12 without losing the parallelism. Open to suggestions.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[claude]

test

[claude]

Code Review

3 issues found. Checked for bugs and CLAUDE.md compliance.

---

1. Performance: redundant witness encoding

File: eth/fetcher/witness_manager.go L670-L680

verifyAgainstSignedHash (line 671) encodes the witness via encodedWitnessHash and computes WitnessCommitHash, then cacheVerifiedWitnessForServing (line 679) repeats the exact same EncodeRLP + WitnessCommitHash. Neither call reuses the other's result.

On a 50 MiB witness this adds ~100–300 ms of redundant CPU work per verified fetch — meaningful given WIT2's goal of eliminating per-hop latency.

Suggested fix: Have verifyAgainstSignedHash return the encoded bytes and hash on success, then pass them directly to parentCacheWitnessForServing instead of re-encoding.

---

2. Performance: unconditional encode+hash before signed-announcement check

File: eth/handler_wit.go L95-L119

EncodeRLP (line 96–97) and WitnessCommitHash (line 101) run before checking whether a signed announcement exists (line 102). On the WIT1 fallback path (default case, lines 112–118), the encoded bytes and hash are discarded.

Every witness broadcast — including from WIT1 peers — pays the full encode+hash cost (~150–450 ms on 50 MiB witnesses) even when the result is never used.

Suggested fix: Check signedWitnesses.get(hash) first. Only encode+hash when hasSigned is true. This mirrors the pattern already used in cacheVerifiedWitnessForServing in witness_manager.go (lines 697–701), which correctly checks before encoding.

---

3. Bug: peer dropped on local EncodeRLP failure

File: eth/fetcher/witness_manager.go L725-L730

When encodedWitnessHash fails (line 725–726), the non-empty peer string is passed to handleWitnessFetchFailureExt (line 728), which calls parentDropPeer(peer). An EncodeRLP failure on a successfully-decoded Witness is a local error (the peer delivered valid RLP that decoded fine), not evidence of peer misbehavior.

This is inconsistent with the pattern in cacheVerifiedWitnessForServing just below (line 704–705), which correctly logs the failure without dropping anyone.

Suggested fix: Change peer to "" on line 728:

m.handleWitnessFetchFailureExt(hash, "", fmt.Errorf("witness encode failed: %w", err), false)

[codecov]

Codecov Report

❌ Patch coverage is 60.72319% with 315 lines in your changes missing coverage. Please review.
✅ Project coverage is 52.30%. Comparing base (1bf990d) to head (b3cb00e).

Files with missing lines	Patch %	Lines
eth/handler_wit2.go	58.55%	129 Missing and 14 partials ⚠️
eth/handler_wit.go	67.76%	43 Missing and 6 partials ⚠️
eth/handler.go	57.14%	22 Missing and 2 partials ⚠️
eth/peer_mock.go	0.00%	20 Missing ⚠️
eth/protocols/wit/peer.go	11.76%	15 Missing ⚠️
consensus/bor/bor.go	36.84%	10 Missing and 2 partials ⚠️
core/stateless/witness_commit.go	78.57%	10 Missing and 2 partials ⚠️
eth/protocols/wit/handlers.go	0.00%	12 Missing ⚠️
eth/peerset.go	56.52%	8 Missing and 2 partials ⚠️
eth/fetcher/witness_manager.go	88.40%	6 Missing and 2 partials ⚠️
... and 3 more

❌ Your patch check has failed because the patch coverage (60.72%) is below the target coverage (90.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files

@@            Coverage Diff            @@
##           develop    #2208    +/-   ##
=========================================
  Coverage    52.29%   52.30%            
=========================================
  Files          884      886     +2     
  Lines       155571   156296   +725     
=========================================
+ Hits         81355    81745   +390     
- Misses       68989    69291   +302     
- Partials      5227     5260    +33     

Files with missing lines	Coverage Δ
accounts/accounts.go	100.00% <ø> (ø)
core/stateless/encoding.go	65.15% <100.00%> (+1.65%)	⬆️
eth/fetcher/block_fetcher.go	73.80% <100.00%> (+0.06%)	⬆️
eth/peer.go	95.80% <ø> (ø)
eth/protocols/wit/handler.go	26.66% <0.00%> (-0.74%)	⬇️
eth/protocols/wit/protocol.go	58.33% <83.33%> (+25.00%)	⬆️
eth/protocols/wit/broadcast.go	29.16% <0.00%> (-9.73%)	⬇️
eth/fetcher/witness_manager.go	88.61% <88.40%> (-2.26%)	⬇️
eth/peerset.go	63.66% <56.52%> (+5.45%)	⬆️
consensus/bor/bor.go	84.66% <36.84%> (-0.70%)	⬇️
... and 7 more

... and 21 files with indirect coverage changes

Files with missing lines	Coverage Δ
accounts/accounts.go	100.00% <ø> (ø)
core/stateless/encoding.go	65.15% <100.00%> (+1.65%)	⬆️
eth/fetcher/block_fetcher.go	73.80% <100.00%> (+0.06%)	⬆️
eth/peer.go	95.80% <ø> (ø)
eth/protocols/wit/handler.go	26.66% <0.00%> (-0.74%)	⬇️
eth/protocols/wit/protocol.go	58.33% <83.33%> (+25.00%)	⬆️
eth/protocols/wit/broadcast.go	29.16% <0.00%> (-9.73%)	⬇️
eth/fetcher/witness_manager.go	88.61% <88.40%> (-2.26%)	⬇️
eth/peerset.go	63.66% <56.52%> (+5.45%)	⬆️
consensus/bor/bor.go	84.66% <36.84%> (-0.70%)	⬇️
... and 7 more

... and 21 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[lucca30]

Review responses

All 3 review issues addressed in 12368a3:

1. Redundant witness encoding — verifyAgainstSignedHash now returns the canonically-encoded body and signed hash on success; cacheVerifiedWitnessForServing reuses them directly instead of re-encoding (~14 ms saved per verified fetch on 50 MiB witnesses on the bench machine).
2. Unconditional encode+hash on WIT1 path — signedWitnesses.get(hash) is now hoisted above EncodeRLP/WitnessCommitHash in handleBroadcastWitness. WIT1 broadcasts (no signed announcement) short-circuit before paying the encode/hash cost.
3. Peer drop on local EncodeRLP failure — re-encoding RLP bytes the peer already delivered as valid is a local invariant violation, not peer misbehavior. Now logs without dropping, mirroring the cache path.

The wit2_test.go no-signed-hash regression test was retargeted onto verifyAgainstSignedHash where the invariant now lives.

CI status

• ✅ All review issues addressed.
• ⚠️ diffguard (Quality metrics) failed at install, not on this PR's diff: upstream tool break — *Language does not implement lang.Language (missing method DeadCodeDetector) in github.com/0xPolygon/diffguard@latest. Fix belongs in the diffguard repo.
• ⚠️ Kurtosis Stateless E2E Tests Test 4 (extreme network latency recovery) failed because validator node-2 stayed at block 397 while all other 8 nodes recovered fully (768+, milestone lag 0). This same test has flaked on develop recently (Apr 27, Apr 16). I'll retrigger.
• ⚠️ codecov patch coverage 52%: WIT2 protocol paths exercised by integration/devnet tests rather than unit tests; matches coverage profile of the existing WIT1 handler code.
• ⚠️ SonarCloud duplication 5.3%: concentrated in _test.go files (witness_manager_test.go, witness_manager_wit2_test.go) — table-driven test setup, not production-code duplication.

[lucca30]

Adversarial-review findings — addressed via TDD

Codex flagged 3 high-severity issues in an adversarial pass. For each I wrote a failing regression test first, then implemented the smallest correct fix, then confirmed all 919 tests across eth, eth/fetcher, eth/protocols/wit, consensus/bor, and core/stateless still pass. Pushed as 9485452.

#	Codex finding	Fix	Regression test
1	Header-race: signed announce arriving before header silently degrades to unsigned-fallback because AddKnownAnnounce was called before the verification gate, suppressing recovery via re-relay	Move AddKnownAnnounce into the acceptSignedAnnouncement success branch so the announce-known bit only reflects verified delivery. Re-receipt now drives recovery.	TestHandleSignedWitnessAnnouncementsBadSigDoesNotMarkAnnounceKnown
2	pendingWitnessBodies TTL never actually evicted: get() returned false on expiry but left entries in the map; gcLocked only ran from put(). Up to 10 × ~50 MiB blobs could persist indefinitely past the 30s TTL.	get() now upgrades to a write lock and deletes the expired entry (re-checking the entry pointer under the write lock to avoid clobbering a concurrent put).	TestPendingWitnessBodyCacheGetEvictsExpired
3	verifyAgainstSignedHash dropped the byte-server on every signed-hash mismatch, but the announcement only proves some BP signed some hash. A faulty/malicious scheduled producer signing bogus could weaponise this to disconnect honest peers serving canonical witnesses.	On mismatch, reject the bytes (no serving cache) and back off the request without dropping the byte-server. Existing TestProcessWitnessResponseDropsOnHashMismatch was replaced — its policy reversed — with TestProcessWitnessResponseDoesNotDropOnByteMismatch. TODO comment for the proper long-term fix (signer quarantine), which needs (signer, relayer) provenance the manager doesn't currently track.	TestProcessWitnessResponseDoesNotDropOnByteMismatch

What's still out of scope (filed as TODOs at the call site, not in this PR)

• Signer quarantine ban-list (real long-term fix for finding 3) — requires plumbing announcement signer + relayer pair through to the witness manager.
• Deferred-announce queue with chain-head drain (more complete fix for finding 1) — re-gossip already drives recovery in practice; the queue is overkill for this PR.
• Byte-budgeted witness body cache cap (finding 2 follow-up) — current capacity-10 cap with working TTL eviction is enough to close the leak.

[lucca30]

Adversarial review — all 4 items now closed

Pushed b3cb00e: deferred-announce queue closes the cosend race.

Codex finding	Status	Test
Header-race: announce arriving before header silently downgrades to WIT1 fallback	done	TestDeferredSignedAnnounceDrainedAfterHeaderArrives
pendingWitnessBodies TTL never evicts	done	TestPendingWitnessBodyCacheGetEvictsExpired
AddKnownAnnounce set on rejected announces	done	TestHandleSignedWitnessAnnouncementsBadSigDoesNotMarkAnnounceKnown
Honest byte-server dropped on bad commitment	done	TestProcessWitnessResponseDoesNotDropOnByteMismatch

A small in-memory cache (capacity 256, TTL 30s) holds signed announcements whose producer-binding could not be checked at receive time because the matching block header wasn't local yet. handler.Start subscribes to ChainHeadEvent; on each new block, drainDeferredAnnouncesFor(blockHash) re-runs verification, caches the announcement on success, credits the original sender as announce-known, and relays. Mirrors the existing pendingWitnessBodyCache lifecycle.

isScheduledProducer was also tightened: header presence is now checked first regardless of consensus engine. The previous non-bor early-return skipped the header check entirely, which was incorrect on its own — an announce we can't tie to a local block is unverifiable here.

920/920 tests pass across eth, eth/fetcher, eth/protocols/wit, consensus/bor, core/stateless. go build ./... clean.

Still deferred (not adversarial-review-flagged): signer-quarantine ban-list (needs signer/relayer provenance plumbed to the witness manager — TODO at the call site); byte-budgeted cap on pendingWitnessBodies (count cap of 10 with working TTL is bounded; future-proofing item).

[sonarqubecloud]

Quality Gate failed

Failed conditions
4.8% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

[claude]

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.