feat: Revisit Hash On-Init for AllBlocksHasher

* Move the `AllPreviousBlocksRootHashHasherSnapshot` to internal protos
* All blocks hasher general cleanup and hardening
* Configuration property for optional hashing from history
* Remove time-based `AllPreviousBlocksRootHashHasherSnapshot`
  persistence and make it block based (configurable)
* Consolidate verification additions from #2535 and #2666

Signed-off-by: Atanas Atanasov <a.v.atanasov98@gmail.com>

Author: ata-nas

block-node/block-verification/src/main/java/module-info.java

@@ -21,7 +21,6 @@
     requires org.hiero.block.node.app.config;
     requires org.hiero.block.node.base;
     requires com.github.spotbugs.annotations;
-    requires org.antlr.antlr4.runtime;
 
     provides org.hiero.block.node.spi.BlockNodePlugin with
             VerificationServicePlugin;

block-node/block-verification/src/main/java/org/hiero/block/node/verification/AllBlocksHasherHandler.java

@@ -12,15 +12,18 @@
 ///
 /// @param allBlocksHasherFilePath path to the root hash file for all previous blocks
 /// @param allBlocksHasherEnabled whether the all-blocks hasher is enabled
+/// @param rebuildAllBlocksHasherFromStore whether to rebuild the all-blocks hasher from the store in case we are not
+///     starting from genesis or we have no available persisted data
 /// @param allBlocksHasherPersistenceInterval how often (in blocks) the hasher persists its state
 /// @param tssParametersFilePath path where TSS parameters (ledger ID, address book, WRAPS VK)
 ///     are persisted across restarts as a serialized `LedgerIdPublicationTransactionBody`.
 ///     Written when block 0 is processed. Loaded on startup to restore full TSS state.
 @ConfigData("verification")
 public record VerificationConfig(
-        @Loggable @ConfigProperty(defaultValue = "/opt/hiero/block-node/verification/rootHashOfAllPreviousBlocks.bin") Path allBlocksHasherFilePath,
-        @Loggable @ConfigProperty(defaultValue = "true") boolean allBlocksHasherEnabled,
-        @Loggable @ConfigProperty(defaultValue = "10") int allBlocksHasherPersistenceInterval,
-        @Loggable @ConfigProperty(defaultValue = "/opt/hiero/block-node/verification/tss-parameters.bin") Path tssParametersFilePath) {}
+    @Loggable @ConfigProperty(defaultValue = "/opt/hiero/block-node/verification/rootHashOfAllPreviousBlocks.bin") Path allBlocksHasherFilePath,
+    @Loggable @ConfigProperty(defaultValue = "false") boolean allBlocksHasherEnabled,
+    @Loggable @ConfigProperty(defaultValue = "false") boolean rebuildAllBlocksHasherFromStore,
+    @Loggable @ConfigProperty(defaultValue = "100") int allBlocksHasherPersistenceInterval,
+    @Loggable @ConfigProperty(defaultValue = "/opt/hiero/block-node/verification/tss-parameters.bin") Path tssParametersFilePath) {}
 
 // spotless:on

block-node/block-verification/src/main/java/org/hiero/block/node/verification/VerificationConfig.java

@@ -167,8 +167,6 @@ public void init(BlockNodeContext context, ServiceBuilder serviceBuilder) {
         // initialize metrics
         initMetrics(context);
         LOGGER.log(DEBUG, "VerificationServicePlugin initialized successfully.");
-        // initialize all previous blocks hasher if enabled and available
-        initAllBlocksHasherIfEnabled();
     }
 
     private void initAllBlocksHasherIfEnabled() {
@@ -195,13 +193,14 @@ private void initAllBlocksHasherIfEnabled() {
     /// {@inheritDoc}
     @Override
     public void start() {
+        // initialize and start all previous blocks hasher if enabled and available
+        initAllBlocksHasherIfEnabled();
+        allBlocksHasherHandler.start();
         // register to listen to incoming block items
         // specify that we are cpu intensive and should be run on a separate non-virtual thread
         context.blockMessaging().registerBlockItemHandler(this, true, VerificationServicePlugin.class.getSimpleName());
         // we do not need to unregister the handler as it will be unregistered when the message service is stopped
         LOGGER.log(DEBUG, "VerificationServicePlugin started successfully.");
-
-        allBlocksHasherHandler.start();
     }
 
     // ==== BlockItemHandler Methods ===================================================================================
@@ -281,7 +280,7 @@ public void handleBlockItemsReceived(BlockItems blockItems) {
                         this.previousVerifiedBlockNumber = currentBlockNumber;
                         // Update streamingHasherAllPreviousBlocks
                         allBlocksHasherHandler.appendLatestHashToAllPreviousBlocksStreamingHasher(
-                                this.previousBlockHash.toByteArray());
+                                this.previousBlockHash.toByteArray(), notification.blockNumber());
                     } else {
                         LOGGER.log(INFO, "Verification failed for block={0}", currentBlockNumber);
                         sendFailureNotification(currentBlockNumber, BlockSource.PUBLISHER);
@@ -308,17 +307,22 @@ public void handleBlockItemsReceived(BlockItems blockItems) {
     }
 
     private Bytes getRootOfAllPreviousBlocks() {
+        final Bytes rootHash;
         if (allBlocksHasherHandler != null && allBlocksHasherHandler.isAvailable()) {
             if (allBlocksHasherHandler.getNumberOfBlocks() != currentBlockNumber
                     && (currentBlockNumber <= previousVerifiedBlockNumber || previousVerifiedBlockNumber == -1)) {
                 // Backfill, re-send, or startup: defer to the block footer's values.
                 // Forward gaps fall through to computeRootHash() instead — returning the wrong
                 // root so verification fails and forces the publisher to resend the missing block.
-                return null;
+                rootHash = null;
+            } else {
+                final byte[] computedRootHash = allBlocksHasherHandler.computeRootHash();
+                rootHash = computedRootHash == null ? null : Bytes.wrap(computedRootHash);
             }
-            return Bytes.wrap(allBlocksHasherHandler.computeRootHash());
+        } else {
+            rootHash = null;
         }
-        return null;
+        return rootHash;
     }
 
     private void persistTssParameters() {
@@ -420,7 +424,7 @@ public void handleBackfilled(BackfilledBlockNotification notification) {
                             this.previousBlockHash = backfillNotification.blockHash();
                             this.previousVerifiedBlockNumber = notification.blockNumber();
                             allBlocksHasherHandler.appendLatestHashToAllPreviousBlocksStreamingHasher(
-                                    backfillNotification.blockHash().toByteArray());
+                                    backfillNotification.blockHash().toByteArray(), backfillNotification.blockNumber());
                         }
                     }
                     // send the verification notification for the backfilled block

block-node/block-verification/src/main/java/org/hiero/block/node/verification/VerificationServicePlugin.java

@@ -2,11 +2,18 @@
 package org.hiero.block.node.verification.session.impl;
 
 import static java.lang.System.Logger.Level.INFO;
+import static java.lang.System.Logger.Level.WARNING;
 import static org.hiero.block.common.hasher.HashingUtilities.getBlockItemHash;
+import static org.hiero.block.common.hasher.HashingUtilities.hashInternalNode;
+import static org.hiero.block.common.hasher.HashingUtilities.hashInternalNodeSingleChild;
+import static org.hiero.block.common.hasher.HashingUtilities.hashLeaf;
 import static org.hiero.block.common.hasher.HashingUtilities.noThrowSha384HashOf;
 
 import com.hedera.cryptography.tss.TSS;
 import com.hedera.hapi.block.stream.BlockProof;
+import com.hedera.hapi.block.stream.MerklePath;
+import com.hedera.hapi.block.stream.SiblingNode;
+import com.hedera.hapi.block.stream.StateProof;
 import com.hedera.hapi.block.stream.output.BlockFooter;
 import com.hedera.hapi.block.stream.output.BlockHeader;
 import com.hedera.hapi.node.transaction.SignedTransaction;
@@ -163,15 +170,30 @@ public VerificationNotification finalizeVerification(Bytes rootHashOfAllBlockHas
         // while we don't have state management, use the start of block state root hash from the footer
         Bytes startOfBlockStateRootHash = this.blockFooter.startOfBlockStateRootHash();
 
-        // for now, we only support TSS based signature proofs, we expect only 1 of these.
-        // @todo(2019) extend to support other proof types as well
-        BlockProof tssBasedProof = getSingle(blockProofs, BlockProof::hasSignedBlockProof);
-        if (tssBasedProof != null) {
-            return getVerificationResult(
-                    tssBasedProof, previousBlockHashToUse, rootOfAllPreviousBlockHashes, startOfBlockStateRootHash);
+        try {
+            // Try direct TSS proof first (most common case)
+            BlockProof tssBasedProof = getSingle(blockProofs, BlockProof::hasSignedBlockProof);
+            if (tssBasedProof != null) {
+                return getVerificationResult(
+                        tssBasedProof, previousBlockHashToUse, rootOfAllPreviousBlockHashes, startOfBlockStateRootHash);
+            }
+
+            // Try indirect (state) proof — used when TSS signing was delayed
+            BlockProof stateBasedProof = getSingle(blockProofs, BlockProof::hasBlockStateProof);
+            if (stateBasedProof != null) {
+                return getStateProofVerificationResult(
+                        stateBasedProof,
+                        previousBlockHashToUse,
+                        rootOfAllPreviousBlockHashes,
+                        startOfBlockStateRootHash);
+            }
+        } catch (final IllegalStateException e) {
+            LOGGER.log(WARNING, "Block [{0}] has malformed proof structure: %s".formatted(e.getMessage()), e);
+            return new VerificationNotification(
+                    false, FailureType.BAD_BLOCK_PROOF, blockNumber, null, null, blockSource);
         }
 
-        // was not able to finalize verification yet
+        // No supported proof type found
         return null;
     }
 
@@ -227,6 +249,184 @@ protected Boolean verifySignature(@NonNull Bytes hash, @NonNull Bytes signature)
         }
     }
 
+    /// Verifies a block using an indirect (state) proof. A state proof proves that the target
+    /// block's root hash is embedded in a later directly-signed block's merkle tree, forming
+    /// a chain: target block hash -> merkle siblings -> signed block root -> TSS signature.
+    ///
+    /// @param blockProof the block proof containing a state proof
+    /// @param previousBlockHash the previous block hash
+    /// @param rootOfAllPreviousBlockHashes the root hash of all previous block hashes
+    /// @param startOfBlockStateRootHash the start of block state root hash
+    /// @return VerificationNotification indicating the result of the verification
+    protected VerificationNotification getStateProofVerificationResult(
+            BlockProof blockProof,
+            Bytes previousBlockHash,
+            Bytes rootOfAllPreviousBlockHashes,
+            Bytes startOfBlockStateRootHash) {
+
+        final Bytes blockRootHash = HashingUtilities.computeFinalBlockHash(
+                blockHeader.blockTimestamp(),
+                previousBlockHash,
+                rootOfAllPreviousBlockHashes,
+                startOfBlockStateRootHash,
+                inputTreeHasher,
+                outputTreeHasher,
+                consensusHeaderHasher,
+                stateChangesHasher,
+                traceDataHasher);
+
+        final boolean verified = verifyStateProof(blockRootHash, blockProof.blockStateProof());
+
+        return new VerificationNotification(
+                verified,
+                verified ? null : FailureType.BAD_BLOCK_PROOF,
+                blockNumber,
+                blockRootHash,
+                verified ? new BlockUnparsed(blockItems) : null,
+                blockSource);
+    }
+
+    /// Walks the merkle path chain in a state proof to reconstruct the directly-signed block's
+    /// root hash, then verifies the TSS signature on that root.
+    ///
+    /// A valid block state proof contains 3 paths:
+    ///
+    ///     - Path 0: timestamp leaf of the signed block
+    ///     - Path 1: sibling hashes from the target block through all `gap` (i.e. not directly signed) blocks to
+    ///     the signed block
+    ///     - Path 2: terminal (empty)
+    ///
+    ///
+    /// Path 1's siblings are laid out as groups:
+    ///
+    ///     - Per gap block (4 siblings): prevBlockRootsHash (right), depth5Node2 (right), depth4Node2 (right),
+    /// _already-hashed_ timestamp (left)
+    ///     - Final signed block (3 siblings): prevBlockRootsHash (right), depth5Node2 (right), depth4Node2 (right)
+    ///
+    ///
+    /// @param blockRootHash the computed root hash of the target block
+    /// @param stateProof the state proof to verify
+    /// @return true if the proof chain and TSS signature are valid
+    protected boolean verifyStateProof(@NonNull Bytes blockRootHash, @NonNull StateProof stateProof) {
+        List<MerklePath> paths = stateProof.paths();
+        if (paths.size() != 3) {
+            LOGGER.log(WARNING, "Block {0} state proof has {1} paths, expected 3", blockNumber, paths.size());
+            return false;
+        }
+
+        MerklePath timestampPath = paths.get(0);
+        MerklePath siblingPath = paths.get(1);
+        MerklePath terminalPath = paths.get(2);
+
+        if (!terminalPath.siblings().isEmpty() || terminalPath.hasTimestampLeaf()) {
+            LOGGER.log(WARNING, "Block {0} state proof path 2 (terminal) is unexpectedly non-empty", blockNumber);
+            return false;
+        }
+
+        if (!timestampPath.hasTimestampLeaf()) {
+            LOGGER.log(WARNING, "Block {0} state proof path 0 (timestamp) is missing timestamp leaf", blockNumber);
+            return false;
+        }
+        if (!stateProof.hasSignedBlockProof()) {
+            LOGGER.log(WARNING, "Block {0} state proof is missing signed block proof", blockNumber);
+            return false;
+        }
+
+        List<SiblingNode> siblings = siblingPath.siblings();
+        int totalSiblings = siblings.size();
+        // Must have at least 3 (signed block siblings) and remainder must be groups of 4 (gap blocks)
+        if (totalSiblings < 3 || (totalSiblings - 3) % 4 != 0) {
+            LOGGER.log(
+                    WARNING,
+                    "Block {0} state proof sibling count {1} is invalid (need >= 3, remainder must be multiple of 4)",
+                    blockNumber,
+                    totalSiblings);
+            return false;
+        }
+        // Starting hash must be present and non-empty to avoid propagating incorrect hashes
+        if (!siblingPath.hasHash() || siblingPath.hash().length() == 0) {
+            LOGGER.log(
+                    WARNING, "Block {0} state proof path 1 (sibling) has missing or empty starting hash", blockNumber);
+            return false;
+        }
+        for (SiblingNode sibling : siblings) {
+            if (sibling.hash().length() == 0) {
+                LOGGER.log(WARNING, "Block {0} state proof contains a sibling node with an empty hash", blockNumber);
+                return false;
+            }
+        }
+
+        // siblingPath.hash() is the previous block's (T-1) root hash. Walking the siblings in groups
+        // first reconstructs the target block T's root hash, then each subsequent gap block's root hash,
+        // until we reach the signed block. After the first iteration, current equals T's reconstructed
+        // root hash — verify it matches the independently computed blockRootHash to ensure block content integrity.
+        byte[] current = siblingPath.hash().toByteArray();
+        int index = 0;
+        boolean firstIteration = true;
+
+        // Process gap blocks (including the target block itself) — each contributes 4 siblings
+        while (totalSiblings - index > 3) {
+            SiblingNode prevBlockRootsHash = siblings.get(index);
+            SiblingNode depth5Node2Sibling = siblings.get(index + 1);
+            SiblingNode depth4Node2Sibling = siblings.get(index + 2);
+            SiblingNode hashedTimestampSibling = siblings.get(index + 3);
+
+            byte[] depth5Node1 = combineSibling(current, prevBlockRootsHash);
+            byte[] depth4Node1 = combineSibling(depth5Node1, depth5Node2Sibling);
+            byte[] depth3Node1 = combineSibling(depth4Node1, depth4Node2Sibling);
+            byte[] depth2Node2 = hashInternalNodeSingleChild(depth3Node1);
+            // The timestamp sibling hash is already hashLeaf(rawTimestamp) — a 48-byte node value.
+            // Combine as depth2Node1 (left) with depth2Node2 (right) to reconstruct the gap block root.
+            current = hashInternalNode(hashedTimestampSibling.hash().toByteArray(), depth2Node2);
+
+            if (firstIteration) {
+                // current now holds the reconstructed target block root hash; verify it matches
+                // the hash computed from the actual block content we received.
+                final Bytes reconstructed = Bytes.wrap(current);
+                if (!blockRootHash.equals(reconstructed)) {
+                    LOGGER.log(
+                            WARNING,
+                            "Block {0} state proof integrity check failed: hash reconstructed from path 1 siblings"
+                                    + " [{1}] does not match block root hash computed from block content [{2}]",
+                            blockNumber,
+                            reconstructed,
+                            blockRootHash);
+                    return false;
+                }
+                firstIteration = false;
+            }
+
+            index += 4;
+        }
+
+        // Process the signed block's 3 siblings
+        byte[] depth5Node1 = combineSibling(current, siblings.get(index));
+        byte[] depth4Node1 = combineSibling(depth5Node1, siblings.get(index + 1));
+        byte[] depth3Node1 = combineSibling(depth4Node1, siblings.get(index + 2));
+
+        // Reconstruct the signed block's root hash using Path 0's raw timestamp bytes
+        byte[] depth2Node2 = hashInternalNodeSingleChild(depth3Node1);
+        byte[] hashedTimestampLeaf = hashLeaf(timestampPath.timestampLeaf().toByteArray());
+        byte[] signedBlockRoot = hashInternalNode(hashedTimestampLeaf, depth2Node2);
+
+        // Verify TSS signature on the signed block's root hash
+        return verifySignature(
+                Bytes.wrap(signedBlockRoot), stateProof.signedBlockProof().blockSignature());
+    }
+
+    /// Combines the current hash with a sibling node, respecting the sibling's position.
+    ///
+    /// @param current the current hash being walked up the tree
+    /// @param sibling the sibling node with position and hash
+    /// @return the parent hash
+    private static byte[] combineSibling(byte[] current, SiblingNode sibling) {
+        if (sibling.isLeft()) {
+            return hashInternalNode(sibling.hash().toByteArray(), current);
+        } else {
+            return hashInternalNode(current, sibling.hash().toByteArray());
+        }
+    }
+
     /// Extracts a [LedgerIdPublicationTransactionBody] from a signed transaction, if present.
     /// Pure parsing — no side effects.
     ///
@@ -255,14 +455,13 @@ private LedgerIdPublicationTransactionBody findLedgerIdPublication(Bytes signedT
         return body.ledgerIdPublicationOrThrow();
     }
 
-    public static <T> T getSingle(List<T> list, Predicate<T> predicate) {
+    /// Returns the single element matching the predicate, or null if none match.
+    private <T> T getSingle(List<T> list, Predicate<T> predicate) {
         List<T> filtered = list.stream().filter(predicate).toList();
-
-        if (filtered.size() != 1) {
-            throw new IllegalStateException(String.format(
-                    "Expected exactly 1 element matching predicate [%s], but found %d.", predicate, filtered.size()));
+        if (filtered.size() > 1) {
+            throw new IllegalStateException(
+                    "Expected at most 1 element matching predicate, but found " + filtered.size());
         }
-
-        return filtered.get(0);
+        return filtered.isEmpty() ? null : filtered.get(0);
     }
 }