fix: fail pk and plaintext ag err path [skip-line-limit]

agent/flow-trace/00_INDEX.md

@@ -176,8 +176,8 @@ _Found during source-code cross-referencing of these trace documents._
 | 4   | `activate()` calls `register()` → `registerOperator()` which has `require(!registered, AlreadyRegistered())`. So activate **reverts** for already-registered operators. It only works for re-registration after deregistration.                                | BondingRegistry.sol:308           | 01_REGISTRATION |
 | 5   | `E3Requested` event is `(uint256 e3Id, E3 e3, IE3Program indexed e3Program)` — seed and params are inside the E3 struct, not separate parameters.                                                                                                              | IEnclave.sol:82                   | 03_E3_REQUEST   |
 | 6   | `finalizeCommittee()` checks `>=` deadline, not `>`.                                                                                                                                                                                                           | CiphernodeRegistryOwnable.sol     | 03_E3_REQUEST   |
-| 7   | `publishCommittee()` is now permissionless. The effective access control is the C5 proof verification plus the single-publish guard `publicKeyHashes[e3Id] == 0`; the old `onlyOwner` note is obsolete.                                                        | CiphernodeRegistryOwnable.sol     | 04_DKG          |
-| 8   | `CommitteePublished` event emits `(e3Id, nodes, publicKey, proof)` — full PK bytes and C5 proof, not just pkHash.                                                                                                                                              | CiphernodeRegistryOwnable.sol     | 04_DKG          |
+| 7   | `publishCommittee()` is now permissionless. The effective access control is DKG proof verification plus the single-publish guard `publicKeyHashes[e3Id] == 0`; the old `onlyOwner` note is obsolete.                                                        | CiphernodeRegistryOwnable.sol     | 04_DKG          |
+| 8   | `CommitteePublished` event emits `(e3Id, nodes, publicKey, pkCommitment, proof)` — full PK bytes, pkCommitment, and proof bytes (DkgAggregator when proof aggregation is enabled), not just pkHash.                                                                                                                                              | CiphernodeRegistryOwnable.sol     | 04_DKG          |
 | 9   | `_validateNodeEligibility` calls `bondingRegistry.getTicketBalanceAtBlock()` (not `ticketToken.getPastVotes()` directly).                                                                                                                                      | CiphernodeRegistryOwnable.sol:668 | 03_E3_REQUEST   |
 | 10  | Lane A slashing uses **attestation-based** verification (committee quorum votes), not direct ZK proof re-verification on-chain. `proposeSlash()` decodes voter addresses, agrees, data hashes, and ECDSA signatures — not ZK proofs.                           | SlashingManager.sol               | 05_FAILURE      |
 
@@ -186,8 +186,10 @@ _Found during source-code cross-referencing of these trace documents._
 | #   | Concern                                  | Severity | Detail                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
 | --- | ---------------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | 1   | **Deregister-before-slash race**         | Accepted | SlashingManager Lane B (evidence+appeal) has a window during which the operator can deregister and claim their exit. If they do, the slash executes against 0 funds. The contract comments acknowledge this as an accepted tradeoff for the appeal window design.                                                                                                                                                                                                                                                                                                                           |
-| 2   | **Committee publication decentralized**  | Resolved | `publishCommittee()` is permissionless. Off-chain role selection chooses the active aggregator, while on-chain C5 proof verification and the single-publish guard prevent invalid or duplicate committee publication.                                                                                                                                                                                                                                                                                                                                                                       |
+| 2   | **Committee publication decentralized**  | Resolved | `publishCommittee()` is permissionless. Off-chain role selection chooses the active aggregator, while on-chain DKG proof verification and the single-publish guard prevent invalid or duplicate committee publication.                                                                                                                                                                                                                                                                                                                                                                       |
 | 3   | **`gracePeriod` is dead code**           | Medium   | `gracePeriod` is stored and validated during config updates but never actually used in any timeout check. Either the deadlines already bake in sufficient buffer, or this is a missing feature.                                                                                                                                                                                                                                                                                                                                                                                             |
 | 4   | **`activate` CLI command is misleading** | Low      | Named "activate" but actually calls "register" — will fail for already-registered operators. There's no standalone way to trigger re-evaluation of active status; instead, `_updateOperatorStatus()` runs automatically inside `addTicketBalance()`, `bondLicense()`, etc.                                                                                                                                                                                                                                                                                                                  |
 | 5   | **Active-job load balancing bug fixed**  | Info     | The Rust `NodeStateStore.available_tickets()` subtracts `active_jobs` from total tickets, reducing the chance of busy nodes being selected for new E3s. Previously, the `Sortition` actor's `Handler<EnclaveEvent>` was missing match arms for `E3Failed` and `E3StageChanged`, causing these events to fall to the default `_ => ()` — the typed handlers for decrementing jobs were dead code. This has been fixed: E3Failed and E3StageChanged are now routed to their handlers, and `finalized_committees` is cleaned up in `decrement_jobs_for_e3` to prevent unbounded memory growth. |
 | 6   | **Committee member expulsion**           | Info     | `SlashingManager` can call `expelCommitteeMember()` mid-DKG. The `Sortition` actor enriches the raw `CommitteeMemberExpelled` event with the expelled member's `party_id` (resolved from its stored `Committee` list) and re-publishes it. `ThresholdKeyshare` then uses the enriched `party_id` to update its collectors, potentially completing DKG with fewer parties. `ThresholdKeyshare` itself does not hold committee state.                                                                                                                                                         |
+| 7   | **PublicKeyAggregator failure bridge fixed** | Info  | `PublicKeyAggregator` now routes `ComputeRequestError` for `ZkRequest::DkgAggregation` and converts mixed Some/None honest NodeFold proof sets into `E3Failed { failed_at_stage: CommitteeFinalized, reason: DKGInvalidShares }`, preventing PK aggregation stalls that previously surfaced only as `EnclaveError`. |
+| 8   | **ThresholdPlaintextAggregator failure bridge fixed** | Info | `ThresholdPlaintextAggregator` now routes `ComputeRequestError` for `CalculateThresholdDecryption` and `DecryptionAggregation`, and fatal C6/C7/decryption-aggregation checks now emit `E3Failed { failed_at_stage: CiphertextReady, reason: DecryptionInvalidShares }` instead of halting locally under `trap()`. |

agent/flow-trace/04_DKG_AND_COMPUTATION.md

@@ -44,7 +44,12 @@ CiphernodeSelected event arrives at ThresholdKeyshare
 │   │     → These collectors start immediately so early peer keys/shares can
 │   │       be buffered while this node is still finishing earlier DKG phases
 │   │
-│   └─ Each collector has a timeout (60s for keys, 120s for shares)
+│   └─ Collector timeouts are derived from the DKG stage budget:
+│         ├─ shared base window from `E3_DKG_WINDOW_SECS` (default 7200s,
+│         │  matching current production `Enclave` deployment config)
+│         ├─ EncryptionKeyCollector cutoff at 10% of the DKG window
+│         ├─ ThresholdShareCollector cutoff at 60% of the DKG window
+│         └─ per-collector env vars still override these derived defaults
 ```
 
 ### Step 2: C0 Proof Generation → EncryptionKeyCreated
@@ -106,9 +111,14 @@ EncryptionKeyCollector waits for EncryptionKeyCreated from ALL N parties
 │
 ├─ On each arrival: store (party_id → bfv_public_key)
 │
-├─ On TIMEOUT (60s):
-│   └─ Publish EncryptionKeyCollectionFailed
-│   └─ ThresholdKeyshare actor stops
+├─ On TIMEOUT (derived DKG-phase cutoff):
+│   └─ Send EncryptionKeyCollectionFailed to parent ThresholdKeyshare
+│      ├─ ThresholdKeyshare republishes EncryptionKeyCollectionFailed for telemetry
+│      ├─ ThresholdKeyshare emits E3Failed {
+│      │    failed_at_stage: CommitteeFinalized,
+│      │    reason: InsufficientCommitteeMembers
+│      │  }
+│      └─ ThresholdKeyshare actor stops
 │
 └─ When ALL N collected:
     └─ Send AllEncryptionKeysCollected to parent ThresholdKeyshare
@@ -161,11 +171,27 @@ ThresholdKeyshare receives AllEncryptionKeysCollected
     │  │  Output: esi_sss[num_ciphertexts][N]                   │
     │  └─────────────────────────────────────────────────────────┘
 ```
+    │
+    ├─ ThresholdKeyshare tracks the correlation id for both TrBFV requests:
+    │   ├─ `GenPkShareAndSkSss`
+    │   └─ `GenEsiSss`
+    │   → If the worker returns `ComputeRequestError` for either request,
+    │     `ThresholdKeyshare` now emits `E3Failed {
+    │       failed_at_stage: CommitteeFinalized,
+    │       reason: DKGInvalidShares
+    │     }` and stops instead of remaining stuck in `GeneratingThresholdShare`
 
 ### Step 5: Encrypt & Broadcast Shares (with C1, C2, C3 Proofs)
 
 ```
 Both GenPkShareAndSkSss and GenEsiSss complete
+    │
+    ├─ `ThresholdKeyshare` tracks the `CalculateDecryptionKey` correlation id:
+    │   → `ComputeRequestError` for this request now emits
+    │     `E3Failed {
+    │       failed_at_stage: CommitteeFinalized,
+    │       reason: DKGInvalidShares
+    │     }` and stops before C4 proof dispatch
 │
 ├─ handle_shares_generated():
 │   │
@@ -294,9 +320,14 @@ ThresholdShareCollector waits for ThresholdShareCreated from ALL N parties
 │   │   → This node only extracts what's encrypted for it
 │   └─ Forwards filtered share to ThresholdShareCollector
 │
-├─ On TIMEOUT (120s):
-│   └─ Publish ThresholdShareCollectionFailed
-│   └─ ThresholdKeyshare actor stops
+├─ On TIMEOUT (derived DKG-phase cutoff):
+│   └─ Send ThresholdShareCollectionFailed to parent ThresholdKeyshare
+│      ├─ ThresholdKeyshare republishes ThresholdShareCollectionFailed for telemetry
+│      ├─ ThresholdKeyshare emits E3Failed {
+│      │    failed_at_stage: CommitteeFinalized,
+│      │    reason: InsufficientCommitteeMembers
+│      │  }
+│      └─ ThresholdKeyshare actor stops
 │
 └─ When ALL N shares collected:
     ├─ Send AllThresholdSharesCollected to ThresholdKeyshare
@@ -533,8 +564,21 @@ ThresholdKeyshare receives AllThresholdSharesCollected
 │   │          e3_id, party_id, signed_proof(C5)
 │   │        }
 │   │
-│   └─ 5. Publish PublicKeyAggregated {
-│         e3_id, aggregate_pk, pk_hash, node_list
+│   ├─ 5. DKG AGGREGATION REQUEST (when proof aggregation is enabled):
+│   │     ├─ PublicKeyAggregator buffers one optional NodeFold proof per honest party from
+│   │     │   DKGRecursiveAggregationComplete
+│   │     ├─ Dispatches ComputeRequest::zk(ZkRequest::DkgAggregation {
+│   │     │     node_fold_proofs, c5_proof, party_ids, params_preset
+│   │     │   })
+│   │     ├─ Tracks the in-flight correlation id
+│   │     ├─ ComputeRequestError now emits
+│   │     │   E3Failed { failed_at_stage: CommitteeFinalized, reason: DKGInvalidShares }
+│   │     └─ A mixed Some/None honest NodeFold-proof set is treated as the same terminal DKG
+│   │         failure instead of only surfacing as EnclaveError telemetry
+│   │
+│   └─ 6. Publish PublicKeyAggregated {
+│         e3_id, pubkey: aggregate_pk, pk_commitment, nodes,
+│         dkg_aggregator_proof
 │       }
 │
 └─ CiphernodeRegistrySolWriter receives PublicKeyAggregated:
@@ -641,6 +685,13 @@ EnclaveSolReader decodes CiphertextOutputPublished event
     │   │  │                                                     │
     │   │  │  Output: Vec<decryption_share_polynomial>           │
     │   │  └─────────────────────────────────────────────────────┘
+      │
+      ├─ `ThresholdKeyshare` tracks the `CalculateDecryptionShare` correlation id:
+      │   → `ComputeRequestError` for this request now emits
+      │     `E3Failed {
+      │       failed_at_stage: CiphertextReady,
+      │       reason: DecryptionInvalidShares
+      │     }` and stops before C6 proof generation
     │
     ├─ REQUEST C6 PROOF:
     │   Publish ShareDecryptionProofPending {
@@ -714,6 +765,12 @@ EnclaveSolReader decodes CiphertextOutputPublished event
 │   │   │  │  Output: plaintext_bytes                            │
 │   │   │  └─────────────────────────────────────────────────────┘
 │   │
+│   ├─ ThresholdPlaintextAggregator tracks the `CalculateThresholdDecryption` correlation id:
+│   │   ├─ `ComputeRequestError` now emits
+│   │   │   `E3Failed { failed_at_stage: CiphertextReady, reason: DecryptionInvalidShares }`
+│   │   └─ Fatal C6 filtering failures (too few honest shares or post-proof commitment
+│   │       mismatches) emit the same terminal failure instead of only trapping locally
+│   │
 │   ├─ REQUEST C7 PROOF:
 │   │   Publish AggregationProofPending {
 │   │     proof_request: DecryptedSharesAggregationProofRequest,
@@ -733,7 +790,23 @@ EnclaveSolReader decodes CiphertextOutputPublished event
 │   │        e3_id, party_id, signed_proof(C7)
 │   │      }
 │   │
-│   └─ Publish PlaintextAggregated { e3_id, decrypted_output }
+│   ├─ DECRYPTION AGGREGATION REQUEST:
+│   │   ├─ ThresholdPlaintextAggregator stores the signed C7 proofs plus the honest C6 inner
+│   │   │   proofs for the first `T + 1` parties after sorting by `party_id`
+│   │   ├─ Dispatches ComputeRequest::zk(ZkRequest::DecryptionAggregation {
+│   │   │     c6_total_slots, jobs, params_preset
+│   │   │   })
+│   │   ├─ Each job folds the selected C6 proofs for one ciphertext index and checks them
+│   │   │   against the matching C7 proof inside `DecryptionAggregator`
+│   │   ├─ Tracks the in-flight correlation id
+│   │   ├─ ComputeRequestError, missing C6 inner proofs, or C7/decryption-aggregator proof-count
+│   │   │   mismatches now emit
+│   │   │   `E3Failed { failed_at_stage: CiphertextReady, reason: DecryptionInvalidShares }`
+│   │   └─ On success, stores `decryption_aggregator_proofs`
+│   │
+│   └─ Publish PlaintextAggregated {
+│         e3_id, decrypted_output, decryption_aggregator_proofs
+│       }
 │
 └─ EnclaveSolWriter receives PlaintextAggregated:
   ├─ Requires EffectsEnabled

crates/aggregator/Cargo.toml

@@ -29,3 +29,6 @@ e3-zk-helpers = { workspace = true }
 e3-utils = { workspace = true }
 serde = { workspace = true }
 tracing = { workspace = true }
+
+[dev-dependencies]
+e3-test-helpers = { workspace = true }