fix(keyshare): align halt failure propagation and dkg timeout budget

agent/flow-trace/04_DKG_AND_COMPUTATION.md

@@ -44,7 +44,12 @@ CiphernodeSelected event arrives at ThresholdKeyshare
 │   │     → These collectors start immediately so early peer keys/shares can
 │   │       be buffered while this node is still finishing earlier DKG phases
 │   │
-│   └─ Each collector has a timeout (60s for keys, 120s for shares)
+│   └─ Collector timeouts are derived from the DKG stage budget:
+│         ├─ shared base window from `E3_DKG_WINDOW_SECS` (default 7200s,
+│         │  matching current production `Enclave` deployment config)
+│         ├─ EncryptionKeyCollector cutoff at 10% of the DKG window
+│         ├─ ThresholdShareCollector cutoff at 60% of the DKG window
+│         └─ per-collector env vars still override these derived defaults
 ```
 
 ### Step 2: C0 Proof Generation → EncryptionKeyCreated
@@ -106,9 +111,14 @@ EncryptionKeyCollector waits for EncryptionKeyCreated from ALL N parties
 │
 ├─ On each arrival: store (party_id → bfv_public_key)
 │
-├─ On TIMEOUT (60s):
-│   └─ Publish EncryptionKeyCollectionFailed
-│   └─ ThresholdKeyshare actor stops
+├─ On TIMEOUT (derived DKG-phase cutoff):
+│   └─ Send EncryptionKeyCollectionFailed to parent ThresholdKeyshare
+│      ├─ ThresholdKeyshare republishes EncryptionKeyCollectionFailed for telemetry
+│      ├─ ThresholdKeyshare emits E3Failed {
+│      │    failed_at_stage: CommitteeFinalized,
+│      │    reason: InsufficientCommitteeMembers
+│      │  }
+│      └─ ThresholdKeyshare actor stops
 │
 └─ When ALL N collected:
     └─ Send AllEncryptionKeysCollected to parent ThresholdKeyshare
@@ -294,9 +304,14 @@ ThresholdShareCollector waits for ThresholdShareCreated from ALL N parties
 │   │   → This node only extracts what's encrypted for it
 │   └─ Forwards filtered share to ThresholdShareCollector
 │
-├─ On TIMEOUT (120s):
-│   └─ Publish ThresholdShareCollectionFailed
-│   └─ ThresholdKeyshare actor stops
+├─ On TIMEOUT (derived DKG-phase cutoff):
+│   └─ Send ThresholdShareCollectionFailed to parent ThresholdKeyshare
+│      ├─ ThresholdKeyshare republishes ThresholdShareCollectionFailed for telemetry
+│      ├─ ThresholdKeyshare emits E3Failed {
+│      │    failed_at_stage: CommitteeFinalized,
+│      │    reason: InsufficientCommitteeMembers
+│      │  }
+│      └─ ThresholdKeyshare actor stops
 │
 └─ When ALL N shares collected:
     ├─ Send AllThresholdSharesCollected to ThresholdKeyshare

crates/keyshare/src/decryption_key_shared_collector.rs

@@ -16,19 +16,6 @@ use tracing::{info, warn};
 
 use crate::ThresholdKeyshare;
 
-const DEFAULT_COLLECTION_TIMEOUT: Duration = Duration::from_secs(3600);
-const COLLECTION_TIMEOUT_ENV: &str = "E3_DECRYPTION_KEY_SHARED_COLLECTION_TIMEOUT_SECS";
-
-fn collection_timeout() -> Duration {
-    match std::env::var(COLLECTION_TIMEOUT_ENV)
-        .ok()
-        .and_then(|v| v.parse::<u64>().ok())
-    {
-        Some(0) | None => DEFAULT_COLLECTION_TIMEOUT,
-        Some(secs) => Duration::from_secs(secs),
-    }
-}
-
 enum CollectorState {
     Collecting,
     Finished,
@@ -76,6 +63,7 @@ pub struct DecryptionKeySharedCollector {
     parent: Addr<ThresholdKeyshare>,
     state: CollectorState,
     shares: HashMap<u64, DecryptionKeyShared>,
+    timeout: Duration,
     timeout_handle: Option<SpawnHandle>,
 }
 
@@ -84,13 +72,15 @@ impl DecryptionKeySharedCollector {
         parent: Addr<ThresholdKeyshare>,
         expected_parties: HashSet<u64>,
         e3_id: E3id,
+        timeout: Duration,
     ) -> Addr<Self> {
         let collector = Self {
             e3_id,
             expected: expected_parties,
             parent,
             state: CollectorState::Collecting,
             shares: HashMap::new(),
+            timeout,
             timeout_handle: None,
         };
         collector.start()
@@ -102,14 +92,13 @@ impl Actor for DecryptionKeySharedCollector {
 
     fn started(&mut self, ctx: &mut Self::Context) {
         ctx.set_mailbox_capacity(MAILBOX_LIMIT);
-        let timeout = collection_timeout();
         info!(
             e3_id = %self.e3_id,
             "DecryptionKeySharedCollector started, expecting {} parties, timeout {:?}",
             self.expected.len(),
-            timeout
+            self.timeout
         );
-        let handle = ctx.notify_later(DecryptionKeySharedCollectionTimeout, timeout);
+        let handle = ctx.notify_later(DecryptionKeySharedCollectionTimeout, self.timeout);
         self.timeout_handle = Some(handle);
     }
 }

crates/keyshare/src/encryption_key_collector.rs

@@ -19,19 +19,6 @@ use e3_trbfv::PartyId;
 use e3_utils::MAILBOX_LIMIT;
 use tracing::{info, warn};
 
-const DEFAULT_COLLECTION_TIMEOUT: Duration = Duration::from_secs(600);
-const COLLECTION_TIMEOUT_ENV: &str = "E3_ENCRYPTION_KEY_COLLECTION_TIMEOUT_SECS";
-
-fn collection_timeout() -> Duration {
-    match std::env::var(COLLECTION_TIMEOUT_ENV)
-        .ok()
-        .and_then(|v| v.parse::<u64>().ok())
-    {
-        Some(0) | None => DEFAULT_COLLECTION_TIMEOUT,
-        Some(secs) => Duration::from_secs(secs),
-    }
-}
-
 use crate::ThresholdKeyshare;
 
 /// State of the collector
@@ -90,17 +77,24 @@ pub struct EncryptionKeyCollector {
     parent: Addr<ThresholdKeyshare>,
     state: CollectorState,
     keys: HashMap<PartyId, Arc<EncryptionKey>>,
+    timeout: Duration,
     timeout_handle: Option<SpawnHandle>,
 }
 
 impl EncryptionKeyCollector {
-    pub fn setup(parent: Addr<ThresholdKeyshare>, total: u64, e3_id: E3id) -> Addr<Self> {
+    pub fn setup(
+        parent: Addr<ThresholdKeyshare>,
+        total: u64,
+        e3_id: E3id,
+        timeout: Duration,
+    ) -> Addr<Self> {
         let collector = Self {
             e3_id,
             todo: (0..total).collect(),
             parent,
             state: CollectorState::Collecting,
             keys: HashMap::new(),
+            timeout,
             timeout_handle: None,
         };
         collector.start()
@@ -112,14 +106,13 @@ impl Actor for EncryptionKeyCollector {
 
     fn started(&mut self, ctx: &mut Self::Context) {
         ctx.set_mailbox_capacity(MAILBOX_LIMIT);
-        let timeout = collection_timeout();
         info!(
             e3_id = %self.e3_id,
             "EncryptionKeyCollector started, scheduling timeout in {:?}",
-            timeout
+            self.timeout
         );
 
-        let handle = ctx.notify_later(EncryptionKeyCollectionTimeout, timeout);
+        let handle = ctx.notify_later(EncryptionKeyCollectionTimeout, self.timeout);
         self.timeout_handle = Some(handle);
     }
 }

crates/keyshare/src/lib.rs

@@ -10,6 +10,7 @@ pub mod ext;
 mod repo;
 mod threshold_keyshare;
 mod threshold_share_collector;
+mod timeout_policy;
 pub use encryption_key_collector::{
     AllEncryptionKeysCollected, EncryptionKeyCollector, ExpelPartyFromKeyCollection,
 };