Gateway Scalability Analysis (Post-Centralized Mode Removal)

Architecture Summary

After PR #537, the gateway is pure two-phase consensus. No WASM execution, no single-phase path. The flow is:

Request → Parse → BlockCache + PolicyConfig RPC → Queue on-chain create →
BLS init → PREPARE broadcast (quorum) → Median consensus →
COMMIT broadcast (ALL operators) → BLS aggregate →
Return offchain response → Background on-chain submit

Bottleneck Inventory

CRITICAL — Directly impacts per-request latency

┌─────┬──────────────────┬────────────────────────────┬──────────────────────────────────────────────────────────────────────────────┐
│ # │ Bottleneck │ Location │ Description │
├─────┼──────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────────────────────┤
│ │ Commit phase │ │ broadcast_evaluate_and_sign uses while let Some(result) = │
│ C1 │ waits for ALL │ operator.rs:1770-1802 │ futures.next().await — no quorum check. A single slow operator delays the │
│ │ operators │ │ entire response even when quorum stake is met. The Prepare phase has quorum │
│ │ │ │ early-exit (broadcast_fetch_policy_data_unified), but Commit does not. │
├─────┼──────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────────────────────┤
│ │ ECDSA signer │ │ build_fetch_policy_data_request calls load_ecdsa(signer) every invocation. │
│ C2 │ re-loaded from │ common.rs:314-316 │ The signer is already loaded at startup as self.task_generator_signer in │
│ │ config per task │ │ handler/mod.rs:407. │
├─────┼──────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────────────────────┤
│ │ PolicyConfig RPC │ │ get_policy_config_for_client makes an on-chain call per task. For repeat │
│ C3 │ per task (no │ common.rs:121-124 │ policy clients (the common case under load), this is redundant. PolicyConfig │
│ │ cache) │ │ only changes on setPolicy calls. │
├─────┼──────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────────────────────┤
│ │ 2N RwLock │ │ Both unified broadcast methods read total_stake.read().await (every loop │
│ C4 │ acquisitions per │ operator.rs:1979,2039-2044 │ iteration) and operator_stake.read().await (every response). With N │
│ │ broadcast │ │ operators, that's 2N+ async lock acquisitions. │
└─────┴──────────────────┴────────────────────────────┴──────────────────────────────────────────────────────────────────────────────┘

HIGH — Impacts throughput under concurrent load

┌─────┬──────────────────────────┬──────────────────────┬───────────────────────────────────────────────────────────────────────────┐
│ # │ Bottleneck │ Location │ Description │
├─────┼──────────────────────────┼──────────────────────┼───────────────────────────────────────────────────────────────────────────┤
│ H1 │ gateway_tasks RwLock │ sync.rs:98, │ Every task creation acquires cs.gateway_tasks.write().await — a tokio │
│ │ write in hot path │ channel.rs:70 │ RwLock that serializes all concurrent task creations on the same chain. │
├─────┼──────────────────────────┼──────────────────────┼───────────────────────────────────────────────────────────────────────────┤
│ │ Client-controlled │ │ request.id.unwrap_or(Uuid::new_v4()) uses client-provided ID if present. │
│ H2 │ request ID → │ handler/mod.rs:1681 │ task_id(Some(&request_id.to_string())) derives task_id from it. Same │
│ │ deterministic task_id │ │ client ID = same task_id = BLS aggregation slot collision. │
├─────┼──────────────────────────┼──────────────────────┼───────────────────────────────────────────────────────────────────────────┤
│ H3 │ Cold block cache on │ block_cache.rs:77 │ First request after startup triggers cache miss → RPC with 3 retries │
│ │ first request │ │ (100-800ms backoff). No eager pre-warm. │
└─────┴──────────────────────────┴──────────────────────┴───────────────────────────────────────────────────────────────────────────┘

MEDIUM — Dead code / resource waste

┌─────┬────────────────────────────────┬────────────────────────┬────────────────────────────────────────────────────────────────────┐
│ # │ Issue │ Location │ Description │
├─────┼────────────────────────────────┼────────────────────────┼────────────────────────────────────────────────────────────────────┤
│ │ │ │ ChainService.data_provider and GatewayServiceImpl.data_provider │
│ M1 │ data_provider field is dead │ handler/mod.rs:119-121 │ are stored but never read after centralized mode removal. Each │
│ │ code │ │ ChainService initializes a full DataProvider (WASM cache, IPFS │
│ │ │ │ client) that's never used — wasted memory and startup time. │
├─────┼────────────────────────────────┼────────────────────────┼────────────────────────────────────────────────────────────────────┤
│ M2 │ data_provider_config on │ handler/mod.rs:178 │ Used only to initialize dead data_provider instances for │
│ │ GatewayServiceImpl │ │ additional chains. │
├─────┼────────────────────────────────┼────────────────────────┼────────────────────────────────────────────────────────────────────┤
│ M3 │ DataProviderHandle and │ handler/mod.rs:22,547 │ Import and usage exist only for initializing the dead │
│ │ PolicyTaskDataProvider trait │ │ data_provider field. │
├─────┼────────────────────────────────┼────────────────────────┼────────────────────────────────────────────────────────────────────┤
│ M4 │ fetch_task_config_parallel │ common.rs:32-88 │ Marked deprecated but still present. Not called — can be removed. │
│ │ deprecated function │ │ │
└─────┴────────────────────────────────┴────────────────────────┴────────────────────────────────────────────────────────────────────┘

LOW — Minor inefficiencies

┌─────┬──────────────────────────┬──────────────────────────┬────────────────────────────────────────────────────────────────────────┐
│ # │ Issue │ Location │ Description │
├─────┼──────────────────────────┼──────────────────────────┼────────────────────────────────────────────────────────────────────────┤
│ L1 │ No startup validation of │ handler/mod.rs:1050-1130 │ Operators loaded from chain registry with no connectivity check. Bad │
│ │ operator reachability │ │ sockets discovered at first task. │
├─────┼──────────────────────────┼──────────────────────────┼────────────────────────────────────────────────────────────────────────┤
│ │ No chain RPC circuit │ │ Per-operator circuit breakers exist but no chain-level RPC circuit │
│ L2 │ breaker │ Throughout │ breaker. If Sepolia goes down, every block cache refresh and policy │
│ │ │ │ config fetch hangs to timeout. │
└─────┴──────────────────────────┴──────────────────────────┴────────────────────────────────────────────────────────────────────────┘

Proposed Changes

Tier 1: High-Impact, Low-Risk

1. C1 — Quorum-based early exit for Commit phase

• Add quorum_numbers: &[u8] and quorum_threshold: u8 params to broadcast_evaluate_and_sign trait method and impl
• Replace while let Some with the same quorum-checking loop pattern used in broadcast_with_unified_quorum
• Exit as soon as stake-weighted quorum is met
• Update all 6 test mock implementations

2. C2 — Pass pre-loaded ECDSA signer

• Change build_fetch_policy_data_request param from signer: &EcdsaKey to ecdsa_signer: &PrivateKeySigner
• Remove load_ecdsa() call inside the function
• Pass &self.task_generator_signer from sync.rs caller

3. C3 — Moka cache for PolicyConfig

• Add PolicyConfigCache (moka already a dep) to ChainService with 30s TTL, 256 max capacity
• Check cache before RPC in fetch_task_config_with_cache
• Insert on RPC success

4. C4 — Snapshot stake data once per broadcast

• In both broadcast_with_unified_quorum and broadcast_fetch_policy_data_unified, read total_stake and operator_stake into local HashMaps
  before the loop
• Use snapshots for all quorum calculations within the broadcast

5. H1 — Replace gateway_tasks RwLock with DashMap

• Change type from Arc<tokio::sync::RwLock<HashMap<String, HashSet>>> to Arc<DashMap<String, HashSet>>
• Update all read/write sites (sync.rs, channel.rs, handler/mod.rs watcher dedup, cleanup)

6. H2 — Always auto-generate request IDs

• In rpc_handler, always use Uuid::new_v4() regardless of client-provided id
• Log warning if client sent one

Tier 2: Cleanup

7. M1-M3 — Remove dead data_provider field

• Remove data_provider from ChainService and GatewayServiceImpl
• Remove DataProviderHandle, PolicyTaskDataProvider trait import
• Remove data_provider_config from GatewayServiceImpl
• Remove initialization code in both new() and init_additional_chain()

8. M4 — Remove deprecated fetch_task_config_parallel

9. H3 — Pre-warm block caches at startup

• Call block_cache.refresh() in Gateway::from_multi_chain_config() before returning

❯ do we still need 3. C3 — Moka cache for PolicyConfig
- Add PolicyConfigCache (moka already a dep) to ChainService with 30s TTL, 256 max capacity
- Check cache before RPC in fetch_task_config_with_cache
- Insert on RPC success?

⏺ Good question. Let me trace exactly where PolicyConfig is used in the task flow to see if caching it actually matters.

Searched for 1 pattern (ctrl+o to expand)

⏺ The PolicyConfig from the RPC call is used for:

1. Line 369/872/926: Passed to broadcast_two_phase_and_aggregate → forwarded to build_fetch_policy_data_request so operators get
   policyParams in the Prepare phase
2. Line 1128: Cloned into ConsensusCommitRequest.policy_config for the Commit phase
3. Line 723: tr.policy_config.expireAfter — but this comes from the TaskResponse, not the fetched config

The key question: does the gateway actually need to fetch PolicyConfig from chain, or do operators fetch it themselves during Prepare?

Read 1 file (ctrl+o to expand)

⏺ ★ Insight ─────────────────────────────────────
The gateway uses PolicyConfig for exactly two things:

1. policyParams (line 328) — extracted and sent to operators so they know which identity/confidential domains to resolve
2. policy_config.clone() (line 1128) — forwarded to operators in ConsensusCommitRequest so they can sign ECDSA attestations with the
   correct expireBlock

Both of these are read by operators, not by the gateway. The gateway is just a pass-through. The question is whether the RPC call to
fetch PolicyConfig is avoidable.
─────────────────────────────────────────────────

The answer: yes, a cache still helps — but the argument is simpler than I originally presented. The get_policy_config_for_client RPC call
hits the chain every time, and the result is used only as a pass-through to operators. Under load with the same policy client, 100
tasks/sec makes 100 identical RPC calls returning the same bytes. A 30s Moka cache eliminates 99 of them.

That said, you could also argue: let operators fetch their own PolicyConfig. They already have the policy_client address from the task.
The gateway could skip this RPC entirely and let operators resolve policyParams themselves during Prepare. But that's a protocol change,
not a perf optimization.

Bottom line: C3 (Moka cache) is still worthwhile — it eliminates the most expensive per-task RPC call on the gateway's critical path with
zero risk. But it's lower priority than C1/C2/C4 which are pure code changes with no new dependencies.

Want me to keep C3 in the plan, or skip it and let operators self-resolve PolicyConfig as a future protocol change? I'll proceed with all
the changes either way — just confirming your preference on this one.

✻ Sautéed for 48s

❯ we should have operators fetch policy config not gateway. let's moveto operators

⏺ That's the right architectural call — the gateway is just passing through PolicyConfig to operators anyway. Let me trace the full impact
of removing the gateway's PolicyConfig fetch.

Searched for 4 patterns (ctrl+o to expand)

❯ and put the caching optimization there for operators

⏺ ★ Insight ─────────────────────────────────────
This is a larger change than it first appears. PolicyConfig flows through several layers:

• Gateway fetches it via get_policy_config_for_client RPC, extracts policyParams for Prepare request, and passes the full PolicyConfig
  into ConsensusCommitRequest for the Commit phase
• Operator receives PolicyConfig in ConsensusCommitRequest and uses it in builder.rs:1491 to build TaskResponse.policyConfig
• Operator also fetches PolicyConfig independently during Prepare phase when it calls fetch_policy_data

If operators already fetch PolicyConfig during Prepare, the gateway's fetch is truly redundant — operators can use their own-fetched copy
in Commit phase too. The Moka cache then belongs on the operator side.
─────────────────────────────────────────────────

Let me verify that operators do fetch PolicyConfig themselves during Prepare:

Searched for 2 patterns (ctrl+o to expand)

⏺ Operators have get_policy_config at core.rs:436 — they already fetch it from chain. Let me check where it's called during the Prepare and
Commit flows:

Searched for 1 pattern, read 1 file (ctrl+o to expand)

❯ don't leave out anything as FUTURE TODOs. Handle EVERYTHING here

⏺ Understood — no future TODOs, handle everything in this PR. Let me trace the full picture of PolicyConfig flow so I make the right
changes.

Searched for 1 pattern, read 2 files (ctrl+o to expand)

⏺ Now let me check where operators call get_policy_config — is it during Prepare, Commit, or both?

Searched for 2 patterns (ctrl+o to expand)

⏺ Interesting — get_policy_config is defined on the trait but never called in the operator codebase. The operator currently receives
PolicyConfig from the gateway via ConsensusCommitRequest.policy_config. Let me verify this is the only source:

Searched for 2 patterns (ctrl+o to expand)

⏺ ★ Insight ─────────────────────────────────────
Here's the full picture:

• ConsensusCommitRequest.policy_config (line 380 in rpc_server.rs) — sent from gateway to operators in Commit phase
• builder.rs:1491 — operator copies request.policy_config into TaskResponse.policyConfig
• core.rs:436 — get_policy_config() exists on the trait but is never called — dead code from before the gateway started passing it

So the change is: operator fetches PolicyConfig during Commit phase (using the existing but unused get_policy_config()), and gateway
stops passing it. The gateway only needs the block number, not PolicyConfig.
Gateway side (stop fetching PolicyConfig):

1. fetch_task_config_with_cache returns (PolicyConfig, u64) → change to just return u64 (block number)
2. sync.rs / channel.rs — stop destructuring (policy_config, block), just use block
3. broadcast_two_phase_and_aggregate — remove policy_config: &PolicyConfig param
4. build_fetch_policy_data_request — remove policy_config param (policyParams was passed to operators)
5. ConsensusCommitRequest.policy_config — remove field
6. Watcher handler — also fetches PolicyConfig; stop doing that

Operator side (self-fetch PolicyConfig):

1. In Commit handler (builder.rs:~1480), call self.get_policy_config(request.policy_client) to fetch PolicyConfig
2. Add Moka cache in operator's OperatorContext for PolicyConfig (30s TTL)
3. In Prepare handler, also pass policyParams from self-fetched PolicyConfig (instead of gateway sending it)

Aggregator types:

1. ConsensusCommitRequest — remove policy_config field
2. PreparePhaseFetchRequest — remove policy_params field (operators fetch their own)

This is a significant refactor that touches multiple crates. Want me to proceed with the full scope, or should we split this into a
separate PR from the other perf changes (C1, C2, C4, H1, H2, M1-M4)?

 Gateway Tier 1 Performance Optimizations

 Context

 After centralised mode removal (PR #537), the gateway's task processing flow has several bottlenecks that limit latency and
 throughput. The gateway also retains dead code (data_provider, deprecated functions) and fetches PolicyConfig from chain even though
 operators can self-resolve it. This plan addresses all identified issues in a single PR.

 Changes

 C1: Commit phase quorum-based early exit

 broadcast_evaluate_and_sign waits for ALL eligible operators. Add stake-weighted quorum checking so it exits as soon as threshold is
 met (same pattern as broadcast_fetch_policy_data_unified).

 Files:
 - crates/gateway/src/task/operator.rs — trait signature (~line 481): add quorum_numbers: &[u8], quorum_threshold: u8
 - crates/gateway/src/task/operator.rs — impl (~line 1679): rewrite loop with quorum + stake snapshot
 - crates/gateway/src/rpc/api/sync.rs (~line 1276): pass quorum params to broadcast_evaluate_and_sign
 - crates/gateway/tests/{common/mod,chain_routing,error_response,send_task,create_task_proof_cid,secrets_encrypted}.rs — update mock
 signatures (add 2 params)

 C2: Pass pre-loaded ECDSA signer

 build_fetch_policy_data_request calls load_ecdsa(signer) on every task. The signer is already loaded at startup as
 self.task_generator_signer.

 Files:
 - crates/gateway/src/rpc/api/common.rs (~line 295): change signer: &EcdsaKey → ecdsa_signer: &PrivateKeySigner, remove load_ecdsa()
 call
 - crates/gateway/src/rpc/api/sync.rs (~line 1034): change cs.task_submitter.signer() → &self.task_generator_signer

 C3: Move PolicyConfig fetching from gateway to operator

 The gateway fetches PolicyConfig via RPC then passes it through to operators. Operators have get_policy_config() on their trait but
 never call it. Move the fetch to operators, eliminate the gateway RPC call from the critical path.

 Gateway side — stop fetching PolicyConfig:
 - crates/gateway/src/rpc/api/common.rs:
   - fetch_task_config_with_cache → return only u64 (block number), remove get_policy_config_for_client call
   - Rename to fetch_block_number_with_cache (clearer intent)
   - Remove fetch_task_config_parallel (deprecated, unused)
   - build_fetch_policy_data_request → remove policy_config param, remove policy_params field from PreparePhaseFetchRequest
 - crates/gateway/src/rpc/api/sync.rs:
   - Destructure only block number, not (policy_config, block)
   - Remove policy_config param from broadcast_two_phase_and_aggregate
   - Remove policy_config from ConsensusCommitRequest construction
 - crates/gateway/src/rpc/api/channel.rs: same as sync.rs
 - crates/gateway/src/handler/mod.rs: watcher handler — stop calling get_policy_config_for_client

 Aggregator types:
 - crates/aggregator/src/rpc_server.rs:
   - PreparePhaseFetchRequest — remove policy_params: Option<Bytes> field
   - ConsensusCommitRequest — remove policy_config: BindingPolicyConfig field

 Operator side — self-fetch PolicyConfig with Moka cache:
 - crates/operator/src/builder.rs Commit handler (newt_evaluateAndSign):
   - Call self.get_policy_config(request.policy_client) to fetch PolicyConfig
   - Use it for TaskResponse.policyConfig instead of request.policy_config
   - Need to pass chain_ctx (for correct RPC URL) to get_policy_config
 - crates/operator/src/core.rs:
   - Add Moka cache to OperatorContext struct: policy_config_cache: moka::future::Cache<Address, PolicyConfig> (30s TTL)
   - Modify get_policy_config to check cache first, insert on miss
   - get_policy_config needs rpc_url param (per-chain in multichain mode)

 C4: Snapshot stake data once per broadcast

 Both broadcast_with_unified_quorum and broadcast_fetch_policy_data_unified read total_stake.read().await and
 operator_stake.read().await on every response.

 File: crates/gateway/src/task/operator.rs
 - In both methods: snapshot stake into local HashMaps before the loop
 - Replace all in-loop .read().await with snapshot lookups

 H1: Replace gateway_tasks RwLock with DashMap

 Files:
 - crates/gateway/src/handler/mod.rs — change type to Arc<DashMap<String, HashSet<TaskId>>>, update 3 sites (cleanup, watcher dedup,
 init)
 - crates/gateway/src/rpc/api/sync.rs — 2 write sites (task tracking + cleanup closure)
 - crates/gateway/src/rpc/api/channel.rs — 1 write site
 - crates/gateway/src/rpc/api/events.rs — 1 read site

 H2: Always auto-generate request IDs

 File: crates/gateway/src/handler/mod.rs (~line 1681)
 - Change request.id.unwrap_or(Uuid::new_v4()) to always Uuid::new_v4()
 - Log warning if client sent one

 M1: Remove dead data_provider code

 After centralised mode removal, data_provider on ChainService and GatewayServiceImpl is never read.

 File: crates/gateway/src/handler/mod.rs
 - Remove data_provider field from ChainService and GatewayServiceImpl
 - Remove data_provider_config field from GatewayServiceImpl
 - Remove DataProviderBuilder, DataProviderHandle, PolicyTaskDataProvider imports
 - Remove initialization code (~lines 524-549, 934-955)
 - Remove from Clone impl

 H3: Pre-warm block caches at startup

 File: crates/gateway/src/lib.rs or handler/mod.rs
 - After ChainService creation, call block_cache.refresh().await
 - Also for source_block_cache if present
 - Fail startup if RPC unreachable

 Execution Order

 1. M1 (dead code removal) — reduces noise for subsequent changes
 2. C3 (PolicyConfig move to operator) — largest architectural change, do while mind is fresh
 3. C2 (signer caching) — small, isolated
 4. C4 (stake snapshot) — operator.rs only
 5. C1 (commit quorum early exit) — builds on C4's snapshot pattern
 6. H1 (DashMap) — mechanical type replacement
 7. H2 (request ID) — one-line change
 8. H3 (block cache pre-warm) — startup path only

 Verification

 1. cargo check --workspace — compilation
 2. cargo clippy -p newton-prover-gateway -p newton-prover-operator -- -D warnings
 3. make fmt
 4. cargo test -p newton-prover-gateway — unit tests
 5. make e2e scenario=basic — end-to-end with operators self-fetching PolicyConfig
 6. make e2e scenario=privacy — privacy path still works

⏺ Plan approved. Let me create tasks and start executing. I'll work through the 8 changes in order.

╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌
Gateway Tier 2 Reliability Optimizations

Context

After Tier 1 perf optimizations (PR #538), the gateway's hot path is fast but fragile under adverse conditions. Misconfigured operators
aren't detected until the first task fails. Unreachable chain RPCs cause cascading timeouts. Full batch queues silently delay tasks until
they expire. These reliability improvements catch failures early and degrade gracefully.

Changes

B9: Startup operator reachability check

After initialize_operator_pool loads operators from on-chain registries, send a lightweight RPC ping to each operator. Log warnings for
unreachable operators and pre-open their circuit breakers so the first real task doesn't waste time on known-dead operators.

Files:

• crates/gateway/src/handler/mod.rs — after initialize_operator_pool() call (~line 384), add a health check loop
• crates/gateway/src/task/operator.rs — add health_check() method to OperatorPool trait and OperatorPoolImpl

Approach:

• Use existing broadcast_first_success pattern with a simple newt_health or newt_getPublicKey RPC call
• Timeout: 5s per operator (not blocking — run all in parallel with FuturesUnordered)
• On failure: log warning, pre-open circuit breaker via record_failure() N times to trip threshold
• On success: log info with operator latency
• Don't fail startup — just warn. Zero operators reachable = warn loudly but continue (chain watcher may still route tasks)

B10: Contract existence validation at startup

Verify critical contracts exist on-chain before accepting requests. Catches stale deployment JSONs and wrong-chain configs at startup.

Files:

• crates/gateway/src/handler/mod.rs — in new() after contracts loaded, add validation
• Helper function: validate_contract_exists(provider, address, name) -> Result<()>

Contracts to validate:

• TaskManager (required — gateway submits tasks here)
• IdentityRegistry (required on all chains per architecture)
• ConfidentialDataRegistry (required on all chains)

Approach:

• provider.get_code(address).await — if empty bytes, fail startup with clear error
• Skip validation for Address::ZERO (legitimately unconfigured optional contracts)
• Validate for both primary chain and additional chains in init_additional_chain()

B11: Chain-level RPC circuit breaker

Wrap BlockCache with a circuit breaker so repeated RPC failures cause fast rejection instead of timeout-per-request.

Files:

• crates/gateway/src/block_cache.rs — add circuit breaker state to BlockCache
• Reuse OperatorCircuitBreaker from task/circuit_breaker.rs (same state machine)

Approach:

• Add rpc_circuit_breaker: OperatorCircuitBreaker to BlockCache struct
• In refresh(): on success → record_success(), on failure → record_failure()
• In get_block_number(): if circuit open → return Err immediately (fail fast)
• Config: failure_threshold=3, timeout=30s (half-open retests after 30s)
• This protects all callers of fetch_block_number_cached() — the entire task creation path

B12: Backpressure signaling (HTTP 503)

When the batch submitter queue is near capacity, reject new task requests with HTTP 503 + Retry-After header instead of silently queuing
and letting tasks expire with TaskCreatedBlockTooOld.

Files:

• crates/gateway/src/handler/mod.rs — in handle_request(), check queue depth before processing newt_createTask / newt_sendTask
• crates/gateway/src/rpc/api/batch_submitter.rs — expose is_near_capacity() method
• crates/gateway/src/error.rs — add ServiceOverloaded error variant

Approach:

• BatchTransactionSubmitter::is_near_capacity() → true when queue_depth() > capacity * 0.8
• In handle_request() for newt_createTask and newt_sendTask: check cs.batch_tx_submitter.is_near_capacity()
• If true, return GatewayError::ServiceOverloaded which maps to HTTP 503
• Include Retry-After: 2 header in the 503 response
• Metric: inc_gateway_backpressure_rejections(chain_id) for monitoring

Execution Order

1. B10 (contract validation) — smallest, most isolated
2. B9 (operator health check) — builds on existing circuit breaker
3. B11 (RPC circuit breaker) — adds state to BlockCache
4. B12 (backpressure 503) — touches HTTP handler

Verification

1. cargo check --workspace
2. cargo clippy -p newton-prover-gateway -- -D warnings
3. make fmt
4. cargo test -p newton-prover-gateway
5. Manual: start gateway with one operator down → verify warning log + circuit breaker pre-opened
6. Manual: start gateway with wrong contract address → verify startup failure with clear error

From our original analysis, the Tier 3 architectural improvements are:

┌─────┬───────────────────────────────────────────────────────────────┬───────────────────────────────────┬────────────┐
│ # │ Change │ Impact │ Complexity │
├─────┼───────────────────────────────────────────────────────────────┼───────────────────────────────────┼────────────┤
│ T10 │ Streaming consensus: incremental median during Prepare │ Shaves 1-10ms from consensus step │ Medium │
├─────┼───────────────────────────────────────────────────────────────┼───────────────────────────────────┼────────────┤
│ T11 │ Request deduplication for identical tasks │ Burst traffic reduction │ Medium │
├─────┼───────────────────────────────────────────────────────────────┼───────────────────────────────────┼────────────┤
│ T12 │ Concurrent operator requests via HTTP/2 multiplexing │ Higher per-operator throughput │ Medium │
├─────┼───────────────────────────────────────────────────────────────┼───────────────────────────────────┼────────────┤
│ T13 │ Parallelize BLS signature verification in aggregate_responses │ CPU-bound aggregation speedup │ Low-medium │
└─────┴───────────────────────────────────────────────────────────────┴───────────────────────────────────┴────────────┘

★ Insight ─────────────────────────────────────
Tier 3 reality check: These are diminishing returns compared to Tier 1+2. The consensus computation (T10) takes 1-10ms — negligible vs.
the 100-30000ms broadcast phases. Request dedup (T11) helps under burst but adds complexity. HTTP/2 concurrent requests (T12) requires
rethinking the per-operator sequential worker. BLS parallelization (T13) is the simplest win — spawn_blocking for CPU-bound verification.

The highest ROI for Tier 3 is T13 (BLS parallelization) followed by T11 (request dedup), then T12 (concurrent operator requests). T10 is
barely worth the complexity.
─────────────────────────────────────────────────

Do you want to proceed with all four, or focus on the highest-impact ones (T13 + T11)?

we don;'t need T11 (request dedup) because task request id is created always by gateway. LEt's do Parallelize BLS signature verification
in aggregate_responses and then look into Concurrent operator requests via HTTP/2 multiplexing

⏺ You're right — since we always auto-generate unique request IDs (H2 from Tier 1), dedup is unnecessary. Let me start with T13 (BLS
parallelization), then T12 (concurrent operator requests).

Let me create a new branch for Tier 3 off the current tier 2:

⏺ Bash(git checkout -b perf/gateway-tier3-parallelism)
⎿  Switched to a new branch 'perf/gateway-tier3-parallelism'

⏺ Let me explore the BLS aggregation code to understand what's CPU-bound and where parallelization helps:

Searched for 2 patterns (ctrl+o to expand)

⏺ Let me read the core aggregate_responses implementation and process_signed_response to understand the sequential flow:

Read 2 files (ctrl+o to expand)

⏺ Now let me read the aggregate_responses function in the core that processes multiple responses:

Read 1 file (ctrl+o to expand)

⏺ ★ Insight ─────────────────────────────────────
Now I understand the full aggregate_responses flow. The CPU-bound work is:

1. Lines 1785-1794: compute_consensus_digest for each response (hash computation) — sequential loop
2. Lines 1923-1953: update_aggregated_operators for each response (BLS signature aggregation) — sequential loop, but this mutates shared
   state (aggregated_operators_map), so it can't easily be parallelized

The first loop (digest computation) is embarrassingly parallel — each compute_consensus_digest is independent. The second loop (BLS
aggregation) is inherently sequential because each call mutates the running aggregate.

However, looking more carefully: the real bottleneck is the two RPC calls at lines 1894-1907 (get_operators_avs_state_at_block and
get_quorums_avs_state_at_block). These are async I/O, not CPU-bound. The digest computation loop with 5-10 operators takes <1ms. The BLS
aggregation loop is also fast.

T13 has diminishing returns for the current operator count. The digest computation is O(N) where N is typically 5-10 operators —
sub-millisecond. Parallelizing it would save microseconds.
─────────────────────────────────────────────────

The real opportunity is actually in the first loop (lines 1785-1794) — we can compute all digests in parallel using rayon or
tokio::task::spawn_blocking. But with 5-10 operators, the overhead of spawning tasks exceeds the savings.

Let me look at T12 (concurrent operator requests) instead — that has much higher impact because it affects the 100-30000ms broadcast
phases:

Read 1 file (ctrl+o to expand)

⏺ ★ Insight ─────────────────────────────────────
The sequential bottleneck is real but not where I expected. Each OperatorWorker processes messages one at a time (while let Some(msg) =
self.rx.recv().await at line 608). This means if operator A is handling a Prepare request (which takes 5-30 seconds), a Commit request
for a DIFFERENT task must wait in the mpsc queue until Prepare finishes.

However, this only matters when multiple tasks are in-flight concurrently to the same operator. HTTP/2 multiplexing is already enabled at
the transport layer (http2_prior_knowledge() on the reqwest client). The issue is the OperatorWorker serializes at the application
layer.

But wait — looking at the broadcast pattern: each broadcast creates fresh oneshot channels per operator. The worker processes them
sequentially, but since Prepare and Commit for the SAME task are always sequential (Prepare finishes before Commit starts), the
single-worker model doesn't bottleneck a single task flow. It only bottlenecks when multiple concurrent tasks compete for the same
operator.

For the current architecture (one gateway serving 10+ tps), concurrent operator requests would help. The fix: replace the sequential
while let loop with a semaphore-bounded spawn per request.
─────────────────────────────────────────────────

This is a meaningful change that affects the core worker model. Let me think about the approach and whether it's safe:

Read 1 file (ctrl+o to expand)

⏺ Now I have the full picture. The change is: replace the sequential while let loop with a semaphore-bounded concurrent model. Each
incoming request gets its own spawned task, but a semaphore limits concurrency per operator (e.g., max 4 concurrent requests).

Key safety considerations:

• Circuit breaker state is already Arc — safe for concurrent access
• Metrics use AtomicU64 — safe for concurrent updates
• OperatorClient::call() uses a shared reqwest::Client — HTTP/2 multiplexing handles this
• The only concern: ordering. But task ordering between Prepare and Commit is enforced by the gateway (Commit only starts after Prepare
  quorum), not by the worker.

Add the max_concurrent_requests field to the worker struct and thread it through spawn:

Now to answer your earlier question:

★ Insight ─────────────────────────────────────
Why default 4, and how to set it smartly?

The default of 4 is based on:

• Two-phase protocol: each task sends 2 requests to each operator (Prepare + Commit), so 4 concurrent = 2 tasks overlapping on the same
  operator
• HTTP/2 default: most HTTP/2 implementations support 100+ concurrent streams, so 4 is conservative
• Operator capacity: operators run single-threaded Rego evaluation (CPU-bound), so too much concurrency causes contention without
  throughput gain

Smart sizing formula: max_concurrent_requests = ceil(target_tps / num_operators) * 2

• If you want 50 tps with 5 operators: each operator handles 10 tasks/sec, each task = 2 phases → 20 concurrent requests peak → set to
  ~8-10
• With 10 gateway replicas: each gateway sees 5 tps → 1 task/operator/sec → 2 concurrent → default 4 is fine
• The real constraint is operator-side: how many concurrent requests can the operator process without degrading latency

For production with 10 replicas, 4 is reasonable. If operators have headroom, bump to 8.

★ Insight ─────────────────────────────────────
The "right" default depends on what bottleneck you're solving for.

The two-phase protocol means each task generates exactly 2 sequential operator requests (Prepare, then Commit). The question is: how many
different tasks should overlap on the same operator from a single gateway?

Key variables:

• T = target tps per gateway instance
• N = number of operators
• P = average Prepare phase latency (e.g., 2-5s)
• C = average Commit phase latency (e.g., 1-3s)
• R = number of gateway replicas

Per-operator concurrent requests from one gateway:
At steady state, each gateway has T/N tasks per second per operator. Each task occupies the operator for P + C seconds total (though
Prepare and Commit don't overlap for the same task). So the average in-flight requests per operator per gateway is:

in_flight = (T / N) * (P + C)

Example: 10 tps per gateway, 5 operators, 4s average (P+C):
in_flight = (10 / 5) * 4 = 8

So max_concurrent_requests = 8 would be right for this scenario.

With 10 replicas, each gateway handles total_tps / 10:

• 100 total tps / 10 replicas = 10 tps per gateway
• 10 tps / 5 operators * 4s = 8 concurrent per gateway
• Total per operator: 10 * 8 = 80 concurrent (HTTP/2 handles this fine)

The default 4 is conservative — it assumes ~5 tps per gateway with fast operators (~2s P+C). For production with higher throughput
targets, it should be 8-12.
─────────────────────────────────────────────────

My recommendation: change the default to 8. It handles up to 10 tps/gateway with 5 operators at 4s latency, which matches your production
topology (10 replicas, ~100 tps aggregate target). 4 is too conservative and would cause head-of-line blocking under your actual load.

Want me to bump the default to 8?

Now I have the full picture. Let me trace the exact timeline and identify every blocking point.

Gateway Two-Phase Consensus: Streaming Pipeline Analysis

Current Sequential Timeline

      ┌─── Client Request ───┐
      │                      │
 t=0  │ Block fetch (cache)  │ ~0ms    (lock-free ArcSwap read)
      │ Build Prepare RPC    │ ~1ms    (EIP712 hash + ECDSA sign)
      │                      │
 t=1  ├─── PREPARE PHASE ────┤
      │                      │
      │ → broadcast to N ops │ ~0ms    (non-blocking try_send)
      │ ← wait for quorum    │ 100-30000ms  ⬛ NETWORK + OPERATOR WORK
      │                      │
 t=2  ├─── CONSENSUS ────────┤
      │                      │
      │ Median computation   │ 1-10ms  (CPU, fast)
      │ Collect partials     │ <1ms    (iterate prepare responses)
      │                      │
 t=3  ├─── COMMIT PHASE ─────┤
      │                      │
      │ Build Commit RPC     │ <1ms    (serialization)
      │ → broadcast to ops   │ ~0ms    (non-blocking try_send)
      │ ← wait for quorum    │ 100-30000ms  ⬛ NETWORK + OPERATOR WORK
      │                      │
 t=4  ├─── BLS AGGREGATE ────┤
      │                      │
      │ Compute digests      │ <1ms    (hash per response)
      │ Fetch operator state │ 10-100ms ⬛ RPC CALL (BLOCKING!)
      │ Fetch quorum state   │ 10-100ms ⬛ RPC CALL (BLOCKING!)
      │ Aggregate signatures │ <1ms    (BLS point addition)
      │                      │
 t=5  ├─── RETURN ───────────┤
      │ Build response       │ 1-10ms
      └──────────────────────┘

Client-facing latency = t1 + t2 + t3 + t4 + t5

Where:

• t1 (Prepare) = dominant — operator WASM execution + network
• t2 (Consensus) = negligible (1-10ms)
• t3 (Commit) = dominant — operator policy eval + BLS sign + network
• t4 (BLS Aggregate) = 10-100ms wasted on two sequential RPC calls that could be pre-fetched
• t5 (Response) = negligible

★ Insight ─────────────────────────────────────
Three concrete streaming opportunities, in order of impact:

1. Pre-fetch operator/quorum registry state during Commit broadcast (~10-100ms saved)
   The two RPC calls in aggregate_responses (get_operators_avs_state_at_block and get_quorums_avs_state_at_block) depend only on
   task_created_block and quorum_numbers — both known BEFORE Commit starts. These can run in parallel with the Commit broadcast, so by the
   time Commit responses arrive, the state is already fetched.

2. Streaming BLS aggregation during Commit (merges t3+t4 into one phase)
   Instead of collecting all Commit responses into a Vec then calling aggregate_responses, process each response as it arrives — compute
   digest and accumulate BLS signature immediately. When quorum is met, the aggregation result is ready instantly. This eliminates the
   sequential aggregation step entirely.

3. Policy-aware single-phase fast path (halves latency for deterministic policies)
   The two-phase protocol exists because operators independently fetch time-varying data (oracle prices) that may differ. But for policies
   that use only deterministic data sources (identity, confidential, allowlist — no WASM data fetching), all operators will produce
   identical results. For these policies, skip Prepare entirely and go straight to Commit — operators evaluate + BLS sign in one round-trip.
   ─────────────────────────────────────────────────

Proposed Streaming Architecture

Level 1: Pre-fetch operator state (easy, ~10-100ms)

CURRENT: PROPOSED:

Commit broadcast ────────── wait Commit broadcast ────────── wait
│ │
↓ Pre-fetch state ────────────┤
Fetch operator state ────── wait │
Fetch quorum state ──────── wait ↓
│ Aggregate (state ready) ─── done
Aggregate ────────────────── done

In broadcast_two_phase_and_aggregate, spawn the state fetch before starting the Commit broadcast:

// Start pre-fetching operator/quorum state — runs in parallel with Commit broadcast.
// These depend on aggregator_block + quorum_numbers, both known before Commit starts.
let prefetch_handle = {
let aggregator = cs.aggregator.clone();
let quorum_nums = quorum_numbers.to_vec();
tokio::spawn(async move {
aggregator.prefetch_operator_state(aggregator_block, &quorum_nums).await
})
};

// Commit broadcast (runs in parallel with prefetch)
let commit_responses = cs.operator_pool.broadcast_evaluate_and_sign(...).await?;

// State already fetched (or nearly done) — no RPC wait
let prefetched_state = prefetch_handle.await??;
let response = cs.aggregator.aggregate_with_prefetched_state(
task_id, commit_responses, prefetched_state
).await?;

Level 2: Streaming BLS during Commit (medium, eliminates aggregate step)

Instead of the current pattern:
broadcast_evaluate_and_sign → Vec
aggregate_responses(Vec) → BlsAggregationServiceResponse

Merge them into a single streaming pipeline:
broadcast_and_aggregate → BlsAggregationServiceResponse

Each Commit response is immediately fed into the BLS aggregation:
loop {
response = next_commit_response().await;
// Immediately compute digest + accumulate BLS signature
aggregation_state.process_response(response, &operator_state)?;
// Check if quorum met with current aggregate
if aggregation_state.is_quorum_met() {
break; // Aggregation result ready NOW
}
}
return aggregation_state.finalize();

This means the BLS aggregation result is available the exact moment quorum is met — zero additional processing time.

Level 3: Single-phase fast path for deterministic policies (halves latency)

For policies with no time-varying data sources, the Prepare phase is redundant — operators will produce identical policyTaskData. The
gateway could detect this and skip straight to a combined Prepare+Commit call:

CURRENT (two-phase, all policies):
Prepare (5-30s) → Consensus → Commit (5-30s) = 10-60s

PROPOSED (fast path, deterministic policies):
CombinedEvaluateAndSign (5-30s) = 5-30s (50% reduction!)

Detection: add a deterministic: bool flag to the policy metadata. When true, operators fetch + evaluate + sign in a single RPC call. The
gateway skips Prepare entirely.

This is a protocol-level change that requires a new operator RPC method (newt_evaluateTask — combined fetch + evaluate + sign). It should
be a follow-up after Levels 1 and 2.

Recommendation

┌───────────────────────────┬───────────────────────────┬────────────────────────┬──────────────┐
│ Level │ Impact │ Complexity │ Priority │
├───────────────────────────┼───────────────────────────┼────────────────────────┼──────────────┤
│ 1: Pre-fetch state │ 10-100ms saved │ Low │ Do now │
├───────────────────────────┼───────────────────────────┼────────────────────────┼──────────────┤
│ 2: Streaming BLS │ Eliminates aggregate step │ Medium │ Do now │
├───────────────────────────┼───────────────────────────┼────────────────────────┼──────────────┤
│ 3: Single-phase fast path │ 50% latency reduction │ High (protocol change) │ Follow-up PR │
└───────────────────────────┴───────────────────────────┴────────────────────────┴──────────────┘

Levels 1+2 can be done on the current branch. Level 3 requires a new operator RPC method and policy metadata — it's the biggest win but
needs design discussion.

Want me to implement Levels 1 and 2?

✻ Baked for 2m 24s

❯ Pre-fetch operator/quorum registry state during Commit broadcast (~10-100ms saved) --> for this, why not just fetch once in Operator
registry every epoch, and use that? what are risks? I thought we already do this

Searched for 2 patterns (ctrl+o to expand)

⏺ Let me check the EigenSDK AvsRegistryServiceChainCaller cache:

Read 1 file (ctrl+o to expand)

⏺ ★ Insight ─────────────────────────────────────
You're right — we already have a cache. The AvsRegistryServiceChainCaller has an operator_state_cache with:

• Per-quorum caching (operator_state_cache.get(quorum_num))
• Block-based validity: entry.block_num >= block_num (serves cached data for same or newer blocks)
• TTL-based expiry: CACHE_TTL_SECS

So get_operators_avs_state_at_block is already fast on cache hit. The 10-100ms I estimated was the cold/miss case. In production, the
cache is warm from the previous task, so these calls are likely <1ms.
─────────────────────────────────────────────────

Let me verify the TTL and check if it's the same for quorum state:

Searched for 1 pattern (ctrl+o to expand)

⏺ 300 seconds (5 minutes) TTL. Both operator state and quorum state use the same cache with the same TTL.

So here's the reality:

Level 1 (pre-fetch) is unnecessary. The operator/quorum registry state is already cached with a 5-minute TTL. After the first task warms
the cache, subsequent tasks hit the cache in <1ms. The 10-100ms RPC call only happens once every 5 minutes or on the very first request
(which is already handled by the startup pre-warm in Tier 1).

Risks of relying on the cache:

• Stale operator set: If an operator registers or deregisters mid-epoch, the cache serves stale data for up to 5 minutes. BLS aggregation
  could use wrong APK → InvalidQuorumApkHash. This is already documented in lessons.md as a known issue ("Operator registry cache is
  static... restart the gateway after deregistering an operator").
• Block number mismatch: The cache uses entry.block_num >= block_num, meaning it can serve data from a NEWER block when asked for a
  historical block. This is a known gotcha from lessons.md.

These risks already exist and are accepted. The pre-fetch optimization would have the same risks since it would hit the same cache.

Bottom line: Level 1 is already solved by the existing cache. Skip it entirely.

That leaves:

• Level 2 (Streaming BLS during Commit) — merges Commit + Aggregate, saves the sequential aggregation step
• Level 3 (Single-phase fast path for deterministic policies) — 50% latency reduction, protocol change

For Level 2, given that aggregate_responses is mostly cache hits + fast CPU work (<5ms total with warm cache), the win is also marginal.
The real dominance is the two network-bound phases.

Level 3 is by far the biggest win. Halving latency for deterministic policies (identity, confidential, allowlist — the majority of
production use cases) from 2 round-trips to 1 is a fundamentally larger improvement than shaving milliseconds off the aggregation step.

Want me to design Level 3 (single-phase fast path) as the next optimization? Or do you still want Level 2 first?

✻ Worked for 1m 29s

no Level 3 (single-phase fast path) is too unreliable because we have to trust the developer that they correctly set that param on the
poilcy or policy data contract. also, policy can always change what policy data(s) to use

⏺ You're right — trusting a developer-set flag is fragile. Policy clients can change their policyData references at any time, and a
previously-deterministic policy could start using time-varying data sources without updating the flag. The gateway would skip consensus
when it shouldn't, producing mismatched BLS signatures.

So the honest assessment:

The two-phase sequential pipeline is fundamentally correct for the problem it solves — you can't skip Prepare when you don't know if
operators will agree. And the remaining optimizations (Level 1 pre-fetch, Level 2 streaming BLS) save at most 5-10ms on a 5-30 second
pipeline — not meaningful.

The real latency bottleneck is operator processing time during both phases (WASM execution, on-chain data fetching, Rego evaluation, BLS
signing), not gateway architecture. The gateway is already doing the right thing: non-blocking broadcast, quorum-based early exit, stake
snapshots, concurrent per-operator requests.

At this point, the gateway optimizations across all three tiers are solid:

┌─────────────────────────────────┬────────────────────────────────────────────────────┐
│ What we optimized │ Where the time goes now │
├─────────────────────────────────┼────────────────────────────────────────────────────┤
│ Gateway overhead between phases │ <10ms (negligible) │
├─────────────────────────────────┼────────────────────────────────────────────────────┤
│ Lock contention │ Eliminated (DashMap, stake snapshots) │
├─────────────────────────────────┼────────────────────────────────────────────────────┤
│ Redundant RPC calls │ Eliminated (PolicyConfig to operator, block cache) │
├─────────────────────────────────┼────────────────────────────────────────────────────┤
│ Tail latency │ Reduced (quorum early exit in both phases) │
├─────────────────────────────────┼────────────────────────────────────────────────────┤
│ Head-of-line blocking │ Eliminated (concurrent operator requests) │
├─────────────────────────────────┼────────────────────────────────────────────────────┤
│ Remaining: operator processing │ 5-30 seconds per phase — this is the next frontier │
└─────────────────────────────────┴────────────────────────────────────────────────────┘

The next meaningful improvement would be operator-side optimization — faster WASM execution, faster Rego evaluation, operator-side
caching of policy data/rules, or reducing the work operators do per task. That's a different domain from gateway architecture.

Want to shift focus to operator-side performance, or is there anything else on the gateway side you want to explore?

❯ what about concurrency in terms of multiple tasks being processed? does gateway already support concurrent tasks in parallel?

⏺ Yes — let me trace exactly how concurrent tasks flow through the gateway to verify there are no hidden serialization points.

Searched for 1 pattern (ctrl+o to expand)

⏺ Let me trace the concurrency model from HTTP request arrival through to completion:

Read 1 file (ctrl+o to expand)

⏺ ★ Insight ─────────────────────────────────────
Yes, the gateway is fully concurrent for multiple tasks. Here's why:

Axum's concurrency model: Each HTTP request to /rpc is handled by its own tokio task. Axum spawns a task per connection, and within each
connection, each request is processed concurrently. There's no global mutex or serialization point at the HTTP layer.

The full concurrency trace for 3 simultaneous tasks:

Task A (t=0): rpc_handler → create_task → broadcast_two_phase_and_aggregate
↓
Prepare broadcast (async, waits on operators)
↓
Task B (t=0): rpc_handler → create_task → broadcast_two_phase_and_aggregate
↓
Prepare broadcast (async, waits on operators)
↓
Task C (t=0): rpc_handler → create_task → broadcast_two_phase_and_aggregate
↓
Prepare broadcast (async, waits on operators)

All three tasks proceed through their two-phase pipeline independently and concurrently. While Task A is waiting for Prepare responses,
Tasks B and C are also broadcasting and waiting — they don't block each other.

Every shared resource is concurrent-safe:

• DashMap for gateway_tasks — lock-free per-key
• DashMap for aggregator.task_states — lock-free per-task
• ArcSwap for block_cache — lock-free reads
• Arc with per-operator workers — concurrent dispatch (Tier 3)
• Arc with mpsc channels — non-blocking send
• Operator stake snapshots — local per-broadcast, no contention
  ─────────────────────────────────────────────────

There are zero serialization points between concurrent tasks. The only shared contention point was gateway_tasks with RwLock, which we
already replaced with DashMap in Tier 1.

The sendTask async path (channel.rs) is even more concurrent — it spawns the entire two-phase pipeline into a background tokio::spawn and
returns immediately with a task ID, so the HTTP handler is freed instantly.

One area worth examining: the batch submitter's mpsc channel. When many tasks complete BLS aggregation simultaneously, they all send to
the same combined_tx channel. But mpsc::send is non-blocking until the channel is full (capacity = 240), and we added backpressure 503 in
Tier 2 to handle that. So this is already covered.

The gateway's concurrent task processing is solid. No hidden bottlenecks.