Layr-Labs
diff --git a/‎docs/avs/task/TaskMailbox.md‎
Lines changed: 36 additions & 8 deletions b/‎docs/avs/task/TaskMailbox.md‎
Lines changed: 36 additions & 8 deletions
diff --git a/‎docs/core/ReleaseManager.md‎
Lines changed: 30 additions & 7 deletions b/‎docs/core/ReleaseManager.md‎
Lines changed: 30 additions & 7 deletions
diff --git a/‎pkg/bindings/ITaskMailbox/binding.go‎
Lines changed: 32 additions & 1 deletion b/‎pkg/bindings/ITaskMailbox/binding.go‎
Lines changed: 32 additions & 1 deletion
@@ -36,12 +36,23 @@ The `TaskMailbox`'s responsibilities are broken down into the following concepts
 * [Fee Management](#fee-management)
 * [Task Hooks and AVS Integration](#task-hooks-and-avs-integration)
 
+### Immutable Configuration
+
+The `TaskMailbox` contract has the following immutable parameters set at deployment:
+
+* **BN254_CERTIFICATE_VERIFIER**: Address of the BN254 certificate verifier contract
+* **ECDSA_CERTIFICATE_VERIFIER**: Address of the ECDSA certificate verifier contract  
+* **MAX_TASK_SLA**: Maximum allowed task SLA duration (typically set to `DEALLOCATION_DELAY / 2`)
+
+The `MAX_TASK_SLA` parameter is particularly important as it ensures AVSs can still slash operators in case of stake deallocation during inflight tasks. By limiting task SLAs to half the deallocation delay, the system guarantees that operators cannot avoid slashing by deallocating their stake while a task is still pending.
+
 ## Parameterization
 
 The `TaskMailbox` uses the following key parameters:
 
 * **Fee Split**: Configurable percentage (0-10000 basis points) that determines how task fees are split between the protocol fee collector and the AVS fee collector
 * **Task SLA**: Service Level Agreement duration (in seconds) set per executor operator set, defining how long operators have to complete a task
+* **MAX_TASK_SLA**: Maximum allowed task SLA duration (immutable, set at deployment)
 * **Consensus Thresholds**: Configurable per operator set, defining the required stake proportion for result verification
 
 ---
@@ -50,6 +61,16 @@ The `TaskMailbox` uses the following key parameters:
 
 Tasks in the TaskMailbox system follow a well-defined lifecycle with specific states and transitions. Each task is uniquely identified by a hash computed from the task parameters, block context, and a global counter.
 
+### Certificate Staleness Protection
+
+When creating a task, the system checks that the operator table reference timestamp is fresh enough to remain valid for the entire task SLA duration. This prevents tasks from being created with stale operator sets that might change before the task completes. The check ensures:
+
+```
+block.timestamp + taskSLA <= operatorTableReferenceTimestamp + maxStaleness
+```
+
+If `maxStaleness` is 0 (unconfigured), this check is skipped. Otherwise, if the certificate would become stale before the task SLA expires, the transaction reverts with `CertificateStale()`.
+
 **State Variables:**
 * `_globalTaskCount`: Counter ensuring unique task hashes
 * `_tasks`: Mapping from task hash to task details
@@ -81,12 +102,14 @@ function createTask(TaskParams memory taskParams) external nonReentrant returns
 Creates a new task in the system. The method performs several validations and operations:
 
 1. Validates that the executor operator set is registered and has a valid configuration
-2. Calls the AVS task hook for pre-creation validation
-3. Calculates the task fee using the AVS task hook
-4. Generates a unique task hash
-5. Transfers the fee from the caller to the TaskMailbox
-6. Stores the task with its current configuration snapshot
-7. Calls the AVS task hook for post-creation handling
+2. Validates that the task SLA does not exceed MAX_TASK_SLA
+3. Checks certificate staleness to ensure the operator table reference timestamp is fresh enough for the task SLA
+4. Calls the AVS task hook for pre-creation validation
+5. Calculates the task fee using the AVS task hook
+6. Generates a unique task hash
+7. Transfers the fee from the caller to the TaskMailbox
+8. Stores the task with its current configuration snapshot
+9. Calls the AVS task hook for post-creation handling
 
 *Effects*:
 * Increments `_globalTaskCount`
@@ -98,6 +121,8 @@ Creates a new task in the system. The method performs several validations and op
 *Requirements*:
 * Executor operator set must be registered
 * Executor operator set must have valid task configuration
+* Task SLA must not exceed MAX_TASK_SLA (reverts with `TaskSLAExceedsMaximum`)
+* Certificate must not be stale (reverts with `CertificateStale` if maxStaleness is exceeded)
 * Task payload must not be empty
 * Fee transfer must succeed
 * AVS validation must pass
@@ -205,7 +230,7 @@ function setExecutorOperatorSetTaskConfig(
 
 Configures how tasks should be executed by a specific operator set. The configuration includes:
 - **Task Hook**: AVS-specific contract for custom validation and handling
-- **Task SLA**: Time limit for task completion
+- **Task SLA**: Time limit for task completion (must not exceed MAX_TASK_SLA)
 - **Fee Token**: Token used for task fees (can be zero address for no fees). **Fees will not be collected if this is the zero address.**
 - **Fee Collector**: Address to receive AVS portion of fees
 - **Curve Type**: Cryptographic curve used by operators (BN254 or ECDSA)
@@ -221,6 +246,7 @@ Configures how tasks should be executed by a specific operator set. The configur
 * Caller must be the operator set owner (verified via certificate verifier)
 * Task hook must not be zero address
 * Task SLA must be greater than zero
+* Task SLA must not exceed MAX_TASK_SLA (reverts with `TaskSLAExceedsMaximum`)
 * Consensus type and curve type must be valid
 * Consensus value must be properly formatted
 
@@ -500,4 +526,6 @@ The TaskMailbox implements several security measures:
 2. **Certificate Verification**: Results must include valid consensus proofs verified by the appropriate certificate verifier
 3. **Fee Safety**: Uses OpenZeppelin's `SafeERC20` for all token transfers
 4. **Access Control**: Operator set owners control their configurations; contract owner controls global parameters
-5. **Timestamp Validation**: Tasks cannot be verified at their creation timestamp to prevent same-block manipulation
+5. **Timestamp Validation**: Tasks cannot be verified at their creation timestamp to prevent same-block manipulation
+6. **Task SLA Limits**: MAX_TASK_SLA immutable constant prevents excessively long task durations
+7. **Certificate Staleness Protection**: Ensures operator table reference timestamps are fresh enough for the task SLA duration
@@ -31,6 +31,7 @@ An AVS in the context of `ReleaseManager` is defined as the `address` of the con
 
 * **Latest Release Validity**: Only the latest release for an operator set is considered valid. Previous releases become obsolete as soon as a new release is published.
 * **Upgrade Deadlines**: The `upgradeByTime` timestamp (in Unix time) is a suggested deadline and is not enforced on-chain or off-chain. It serves as a communication mechanism for AVSs to indicate when operators should complete their upgrades.
+* **Instant Upgrades**: When `upgradeByTime` is set to 0, this signals an instant upgrade requirement.
 * **Multiple Releases in Same Block**: If multiple releases are published in the same block with the same `upgradeByTime`, the last transaction processed in that block will determine the latest valid release.
 
 ---
@@ -58,7 +59,8 @@ struct Artifact {
 /**
  * @notice Represents a release containing multiple artifacts and an upgrade deadline.
  * @param artifacts Array of artifacts included in this release.
- * @param upgradeByTime Timestamp by which operators must upgrade to this release.
+ * @param upgradeByTime Timestamp by which operators must upgrade to this release. 
+ *                      A value of 0 signals an instant upgrade requirement.
  */
 struct Release {
     Artifact[] artifacts;
@@ -90,6 +92,7 @@ mapping(bytes32 operatorSetKey => Release[]) internal _operatorSetReleases;
 ```solidity
 /**
  * @notice Publishes a new release for an operator set.
+ * @dev If the upgradeByTime is 0, the release is meant to signal an instant upgrade.
  * @param operatorSet The operator set this release is for.
  * @param release The release that was published.
  * @return releaseId The index of the newly published release.
@@ -107,6 +110,8 @@ _Note: this method can be called directly by an AVS, or by a caller authorized b
 
 AVSs use this method to publish new software releases for their operator sets. Each release contains one or more artifacts that represent the software components operators must run (e.g., validator clients, network monitors, etc.). The AVS specifies a deadline (`upgradeByTime`) by which all operators in the operator set must upgrade to the new release.
 
+**Special Case - Instant Upgrades**: Setting `upgradeByTime` to 0 signals that this is an instant upgrade that operators should apply immediately. This is typically used for critical security patches or emergency updates.
+
 The `releaseId` returned is the zero-based index of the release in the operator set's release array. This ID can be used to query the release later using [`getRelease`](#getrelease).
 
 *Effects*:
@@ -117,7 +122,8 @@ The `releaseId` returned is the zero-based index of the release in the operator
 
 *Requirements*:
 * Caller MUST be authorized, either as the AVS itself or an admin/appointee (see [`PermissionController.md`](../permissions/PermissionController.md))
-* `release.upgradeByTime` MUST be greater than or equal to the current block timestamp
+* Operator set MUST have published metadata URI via `updateOperatorSetMetadataURI`
+* `release.upgradeByTime` MUST be either 0 (instant upgrade) or greater than or equal to the current block timestamp
 ---
 
 ### View Functions
@@ -149,6 +155,7 @@ Returns the total number of releases that have been published for the specified
 ```solidity
 /**
  * @notice Returns a specific release by index.
+ * @dev If the upgradeByTime is 0, the release is meant to signal an instant upgrade.
  * @param operatorSet The operator set to query.
  * @param releaseId The id of the release to get.
  * @return The release at the specified index.
@@ -166,13 +173,15 @@ Retrieves a specific release by its ID for a given operator set. The `releaseId`
 
 *Returns*:
 * The complete `Release` struct including all artifacts and the upgrade deadline
+* If `upgradeByTime` is 0, this indicates an instant upgrade requirement
 * Reverts if `releaseId` is out of bounds
 
 #### `getLatestRelease`
 
 ```solidity
 /**
  * @notice Returns the latest release for an operator set.
+ * @dev If the upgradeByTime is 0, the release is meant to signal an instant upgrade.
  * @param operatorSet The operator set to query.
  * @return The id of the latest release.
  * @return The latest release.
@@ -188,14 +197,16 @@ function getLatestRelease(
 Retrieves the most recently published release for an operator set. This is typically the release that operators should be running or upgrading to.
 
 *Returns*:
-* The latest `Release` struct from the operator set's release array
-* Reverts if no releases have been published for the operator set
+* The release ID and the latest `Release` struct from the operator set's release array
+* If `upgradeByTime` is 0, this indicates an instant upgrade requirement
+* Reverts with `NoReleases()` if no releases have been published for the operator set
 
 #### `getLatestUpgradeByTime`
 
 ```solidity
 /**
  * @notice Returns the upgrade by time for the latest release.
+ * @dev If the upgradeByTime is 0, the release is meant to signal an instant upgrade.
  * @param operatorSet The operator set to query.
  * @return The upgrade by time for the latest release.
  */
@@ -204,14 +215,15 @@ function getLatestUpgradeByTime(
 ) 
     external 
     view 
-    returns (uint256)
+    returns (uint32)
 ```
 
 A convenience function that returns just the upgrade deadline from the latest release. This can be useful for quickly checking when operators must complete their upgrades.
 
 *Returns*:
 * The `upgradeByTime` timestamp from the latest release
-* Reverts if no releases have been published for the operator set
+* A value of 0 indicates an instant upgrade requirement
+* Reverts with `NoReleases()` if no releases have been published for the operator set
 
 #### `isValidRelease`
 
@@ -238,6 +250,17 @@ Checks whether a given release ID corresponds to the latest release for an opera
 *Returns*:
 * `true` if the `releaseId` matches the latest release index
 * `false` if the `releaseId` refers to an older release
-* Reverts if the operator set has no releases
+* Reverts with `NoReleases()` if the operator set has no releases
+
+---
+
+## Error Definitions
+
+The `ReleaseManager` defines the following custom errors:
+
+* `MustPublishMetadataURI()`: Thrown when attempting to publish a release for an operator set that hasn't published its metadata URI via `updateOperatorSetMetadataURI`.
+* `InvalidUpgradeByTime()`: Thrown when the `upgradeByTime` is in the past (not including 0, which is valid for instant upgrades).
+* `InvalidMetadataURI()`: Thrown when the metadata URI is empty.
+* `NoReleases()`: Thrown when querying release information for an operator set that has no published releases.
 
 ---