fix(storage): scope BlockSignatures synthesis to slot-0 anchor only

Reviewers (Claude, Greptile, Codex) on PR #371 flagged that the new
synthesize-on-read fallback was too broad: it covered *any* block whose
`BlockSignatures` row was missing, not just the slot-0 anchor. The
documented invariant is that non-genesis blocks have entries in all
three tables (CLAUDE.md), so a missing signature row for slot > 0 is
storage corruption, not a valid placeholder case — but `get_signed_block`
was hiding it by fabricating a `SignedBlock` with empty
`attestation_signatures`, regardless of what the body actually carried.

Guard the synthesis on `header.slot == 0`. For any other slot, fall
back to returning `None` (the pre-existing "block not found" semantics).
Update the doc on `get_signed_block` to make the scoping explicit.

Also add direct coverage for the synthesis path:

- `attestation::tests::blank_xmss_signature_has_expected_ssz_offsets`
  reads the three SSZ offsets back out of `blank_xmss_signature()` and
  asserts every non-offset byte is zero — catches a one-off in any of
  the three constants that would silently break inner-`Signature`
  decoding without changing the outer length.
- `storage::store::tests::get_signed_block_synthesizes_blank_signatures_for_genesis_anchor`
  exercises the synthesis path directly against a `from_anchor_state`
  store.
- `storage::store::tests::get_signed_block_returns_none_for_non_genesis_with_missing_signatures`
  hand-inserts a slot-1 header without its signature row and confirms
  the new guard returns `None`.
- The RPC test for the genesis-finalized-block endpoint now asserts the
  response body equals the expected SSZ encoding and the Content-Type
  header, matching the adjacent `test_get_latest_finalized_block` (per
  Greptile Issue 2).

Cosmetic: move `empty_block_signatures` below the `use` block in
`storage/src/store.rs` to follow the file's existing layout.

Author: MegaRedHand

crates/common/types/src/attestation.rs

@@ -306,4 +306,36 @@ mod tests {
         let b = bits(24, &[0, 1, 16]);
         assert!(!bits_is_subset(&a, &b));
     }
+
+    /// Guard the three SSZ offsets at fixed byte positions so a one-off in any
+    /// constant doesn't silently produce a blob that still has the right outer
+    /// length but decodes incorrectly at the inner `Signature` container level.
+    #[test]
+    fn blank_xmss_signature_has_expected_ssz_offsets() {
+        let sig = blank_xmss_signature();
+        let bytes: Vec<u8> = sig.into_iter().collect();
+
+        assert_eq!(bytes.len(), SIGNATURE_SIZE);
+        assert_eq!(
+            u32::from_le_bytes(bytes[0..4].try_into().unwrap()),
+            SIGNATURE_PATH_OFFSET,
+        );
+        assert_eq!(
+            u32::from_le_bytes(bytes[32..36].try_into().unwrap()),
+            SIGNATURE_HASHES_OFFSET,
+        );
+        assert_eq!(
+            u32::from_le_bytes(bytes[36..40].try_into().unwrap()),
+            SIGNATURE_PATH_SIBLINGS_OFFSET,
+        );
+
+        // Everything outside the three offset slots must be zero — the
+        // placeholder is "all-zero hashes" once the offsets locate them.
+        for (i, b) in bytes.iter().enumerate() {
+            let in_offset_slot = matches!(i, 0..4 | 32..36 | 36..40);
+            if !in_offset_slot {
+                assert_eq!(*b, 0, "non-offset byte at index {i} should be zero");
+            }
+        }
+    }
 }

crates/net/rpc/src/lib.rs

@@ -559,6 +559,12 @@ mod tests {
 
     #[tokio::test]
     async fn test_get_latest_finalized_block_serves_genesis_with_placeholder_signature() {
+        use ethlambda_types::{
+            attestation::blank_xmss_signature,
+            block::{BlockSignatures, SignedBlock},
+        };
+        use libssz::SszEncode;
+
         // Genesis-anchored store: `init_store` writes the header + state but no
         // `BlockSignatures` row. `get_signed_block` synthesizes an empty
         // `BlockSignatures` so peers can still receive the genesis block on
@@ -568,6 +574,21 @@ mod tests {
         let backend = Arc::new(InMemoryBackend::new());
         let store = Store::from_anchor_state(backend, state);
 
+        // The body the endpoint serves must round-trip to a `SignedBlock`
+        // matching the genesis header paired with the synthetic blank
+        // signatures — same shape `get_signed_block` builds in storage.
+        let genesis_block = store
+            .get_signed_block(&store.latest_finalized().root)
+            .expect("genesis served via get_signed_block");
+        let expected = SignedBlock {
+            message: genesis_block.message.clone(),
+            signature: BlockSignatures {
+                attestation_signatures: Default::default(),
+                proposer_signature: blank_xmss_signature(),
+            },
+        };
+        let expected_ssz = expected.to_ssz();
+
         let app = build_api_router(store);
 
         let response = app
@@ -581,5 +602,12 @@ mod tests {
             .unwrap();
 
         assert_eq!(response.status(), StatusCode::OK);
+        assert_eq!(
+            response.headers().get(header::CONTENT_TYPE).unwrap(),
+            SSZ_CONTENT_TYPE
+        );
+
+        let body = response.into_body().collect().await.unwrap().to_bytes();
+        assert_eq!(body.as_ref(), expected_ssz.as_slice());
     }
 }

crates/storage/src/store.rs

@@ -1,6 +1,22 @@
 use std::collections::{BTreeMap, HashMap, HashSet, VecDeque};
 use std::sync::{Arc, LazyLock, Mutex};
 
+use crate::api::{StorageBackend, StorageWriteBatch, Table};
+
+use ethlambda_types::{
+    attestation::{AttestationData, HashedAttestationData, bits_is_subset, blank_xmss_signature},
+    block::{
+        AggregatedSignatureProof, AttestationSignatures, Block, BlockBody, BlockHeader,
+        BlockSignatures, SignedBlock,
+    },
+    checkpoint::Checkpoint,
+    primitives::{H256, HashTreeRoot as _},
+    signature::ValidatorSignature,
+    state::{ChainConfig, State, anchor_pair_is_consistent},
+};
+use libssz::{SszDecode, SszEncode};
+use tracing::info;
+
 /// The tree hash root of an empty block body.
 ///
 /// Used to detect genesis/anchor blocks that have no attestations,
@@ -19,22 +35,6 @@ fn empty_block_signatures() -> BlockSignatures {
     }
 }
 
-use crate::api::{StorageBackend, StorageWriteBatch, Table};
-
-use ethlambda_types::{
-    attestation::{AttestationData, HashedAttestationData, bits_is_subset, blank_xmss_signature},
-    block::{
-        AggregatedSignatureProof, AttestationSignatures, Block, BlockBody, BlockHeader,
-        BlockSignatures, SignedBlock,
-    },
-    checkpoint::Checkpoint,
-    primitives::{H256, HashTreeRoot as _},
-    signature::ValidatorSignature,
-    state::{ChainConfig, State, anchor_pair_is_consistent},
-};
-use libssz::{SszDecode, SszEncode};
-use tracing::info;
-
 /// Checkpoints to update in the forkchoice store.
 ///
 /// Used with `Store::update_checkpoints` to update head and optionally
@@ -981,12 +981,16 @@ impl Store {
 
     /// Get a signed block by combining header, body, and signatures.
     ///
-    /// Returns None if the header or body (for non-empty bodies) is missing.
+    /// Returns None if the header or body (for non-empty bodies) is missing,
+    /// or if the signature row is missing for any block other than the
+    /// slot-0 anchor.
     ///
-    /// Signatures are absent for genesis-style anchor blocks (no proposer ever
-    /// signed them). To keep BlocksByRoot symmetric with the fork-choice view
-    /// for peers, synthesize empty `BlockSignatures` when the header exists
-    /// but no signature row was written.
+    /// Signatures are absent for genesis-style anchor blocks (no proposer
+    /// ever signed them). To keep BlocksByRoot symmetric with the
+    /// fork-choice view for peers, synthesize empty `BlockSignatures` for
+    /// the slot-0 case only; for any other slot the missing-signature
+    /// state is treated as storage corruption and surfaces as `None`
+    /// rather than as a fabricated block.
     pub fn get_signed_block(&self, root: &H256) -> Option<SignedBlock> {
         let view = self.backend.begin_read().expect("read view");
         let key = root.to_ssz();
@@ -1006,7 +1010,12 @@ impl Store {
             Some(sig_bytes) => {
                 BlockSignatures::from_ssz_bytes(&sig_bytes).expect("valid signatures")
             }
-            None => empty_block_signatures(),
+            // Synthesis only covers the genesis-style anchor (slot 0). Any other
+            // missing-signature case is a storage corruption that should surface
+            // as `None` rather than fabricating a block whose `attestation_signatures`
+            // list is empty regardless of what the body actually carries.
+            None if header.slot == 0 => empty_block_signatures(),
+            None => return None,
         };
 
         let block = Block::from_header_and_body(header, body);
@@ -2312,4 +2321,52 @@ mod tests {
         assert_eq!(buf.total_signatures(), 2); // slot 2 (1) + slot 3 (1)
         assert_eq!(buf.len(), 2);
     }
+
+    /// `Store::from_anchor_state` writes the header but no `BlockSignatures`
+    /// row for the slot-0 anchor. `get_signed_block` must synthesize an empty
+    /// `BlockSignatures` so the genesis block can still be served on
+    /// BlocksByRoot / `/lean/v0/blocks/finalized`.
+    #[test]
+    fn get_signed_block_synthesizes_blank_signatures_for_genesis_anchor() {
+        let backend: Arc<dyn StorageBackend> = Arc::new(InMemoryBackend::new());
+        let store = Store::from_anchor_state(backend, State::from_genesis(0, vec![]));
+
+        let head_root = store.head();
+        let signed = store
+            .get_signed_block(&head_root)
+            .expect("genesis block must be retrievable with synthetic signatures");
+
+        assert_eq!(signed.message.slot, 0);
+        assert_eq!(signed.signature.proposer_signature, blank_xmss_signature());
+        assert_eq!(signed.signature.attestation_signatures.len(), 0);
+    }
+
+    /// The synthesis branch must be confined to the slot-0 anchor: a
+    /// non-genesis block whose `BlockSignatures` row is missing is treated
+    /// as storage corruption and surfaces as `None`, not a fabricated block.
+    #[test]
+    fn get_signed_block_returns_none_for_non_genesis_with_missing_signatures() {
+        let backend: Arc<dyn StorageBackend> = Arc::new(InMemoryBackend::new());
+
+        // Hand-insert a slot-1 header (and empty body, via `EMPTY_BODY_ROOT`)
+        // but skip the `BlockSignatures` row. This mimics the corruption case
+        // the guard is meant to catch, without going through the normal
+        // `insert_signed_block` write path which always writes all three rows.
+        let header = BlockHeader {
+            slot: 1,
+            proposer_index: 0,
+            parent_root: H256::ZERO,
+            state_root: H256::ZERO,
+            body_root: *EMPTY_BODY_ROOT,
+        };
+        let root = header.hash_tree_root();
+        let mut batch = backend.begin_write().expect("write batch");
+        batch
+            .put_batch(Table::BlockHeaders, vec![(root.to_ssz(), header.to_ssz())])
+            .expect("put header");
+        batch.commit().expect("commit");
+
+        let store = Store::from_anchor_state(backend, State::from_genesis(0, vec![]));
+        assert!(store.get_signed_block(&root).is_none());
+    }
 }