fix: raft HA production hardening — leader fencing, log compaction, election timeout, audit log (#3230)

* Fix raft leader handoff regression after SIGTERM

* fix: follower crash on restart when EVM is ahead of stale raft snapshot

Bug A: RecoverFromRaft crashed with "invalid block height" when the node
restarted after SIGTERM and the EVM state (persisted before kill) was ahead
of the raft FSM snapshot (which hadn't finished log replay yet). The function
now verifies the hash of the local block at raftState.Height — if it matches
the snapshot hash the EVM history is correct and recovery is safely skipped;
a mismatch returns an error indicating a genuine fork.

Bug B: waitForMsgsLanded used two repeating tickers with the same effective
period (SendTimeout/2 poll, SendTimeout timeout), so both could fire
simultaneously in select and the timeout would win even when AppliedIndex >=
CommitIndex. Replaced the deadline ticker with a one-shot time.NewTimer,
added a final check in the deadline branch, and reduced poll interval to
min(50ms, timeout/4) for more responsive detection.

Fixes the crash-restart Docker backoff loop observed in SIGTERM HA test
cycle 7 (poc-ha-2 never rejoining within the 300s kill interval).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(raft): guard FSM apply callback with RWMutex to prevent data race

SetApplyCallback(nil) called from raftRetriever.Stop() raced with
FSM.Apply reading applyCh: wg.Wait() only ensures the consumer goroutine
exited, but the raft library can still invoke Apply concurrently.

Add applyMu sync.RWMutex to FSM; take write lock in SetApplyCallback and
read lock in Apply before reading the channel pointer.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(raft): add ResignLeader() public method on Node

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(node): implement LeaderResigner interface on FullNode

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(shutdown): resign raft leadership before cancelling context on SIGTERM

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(config): add election_timeout, snapshot_threshold, trailing_logs to RaftConfig; fix SnapCount default 0→3

Add three new Raft config parameters:
  - ElectionTimeout: timeout for candidate to wait for votes (defaults to 1s)
  - SnapshotThreshold: outstanding log entries that trigger snapshot (defaults to 500)
  - TrailingLogs: log entries to retain after snapshot (defaults to 200)

Fix critical default: SnapCount was 0 (broken, retains no snapshots) → 3

This enables control over Raft's snapshot frequency and recovery behavior to prevent
resync debt from accumulating unbounded during normal operation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(raft): wire snapshot_threshold, trailing_logs, election_timeout into hashicorp/raft config

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(raft): annotate FSM apply log and RaftApplyMsg with raft term for block provenance audit

Add Term field to RaftApplyMsg struct to track the raft term in which each
block was committed. Update FSM.Apply() debug logging to include both
raft_term and raft_index fields alongside block height and hash. This
enables better audit trails and debugging of replication issues.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(ci): fix gci comment alignment in defaults.go; remove boltdb-triggering tests

The gci formatter requires single space before inline comments (not aligned
double-space). Also removed TestNodeResignLeader_NotLeaderNoop and
TestNewNode_SnapshotConfigApplied which create real boltdb-backed raft nodes:
boltdb@v1.3.1 has an unsafe pointer alignment issue that panics under
Go 1.25's -checkptr. The nil-receiver test (TestNodeResignLeader_NilNoop)
is retained as it exercises the same guard without touching boltdb.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(raft): suppress boltdb 'Rollback failed: tx closed' log noise

hashicorp/raft-boltdb uses defer tx.Rollback() as a safety net on every
transaction. When Commit() succeeds, the deferred Rollback() returns
bolt.ErrTxClosed and raft-boltdb logs it as an error — even though it is
the expected outcome of every successful read or write. The message has no
actionable meaning and floods logs at high block rates.

Add a one-time stdlib log filter (sync.Once in NewNode) that silently drops
lines containing 'tx closed' and forwards everything else to stderr.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(raft): address PR review — shutdown wiring, error logging, snap docs, tests

- Call raftRetriever.Stop() in Syncer.Stop() so SetApplyCallback(nil) is
  actually reached and the goroutine is awaited before wg.Wait()
- Log leadershipTransfer error at warn level in Node.Stop() instead of
  discarding it silently
- Fix SnapCount comments in config.go: it retains snapshot files on disk
  (NewFileSnapshotStore retain param), not log-entry frequency
- Extract buildRaftConfig helper from NewNode to enable config wiring tests
- Add TestNodeResignLeader_NotLeaderNoop (non-nil node, nil raft → noop)
- Add TestNewNode_SnapshotConfigApplied (table-driven, verifies
  SnapshotThreshold and TrailingLogs wiring with custom and zero values)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(raft): address code review issues — ShutdownTimeout, resign fence, election validation

- Add ShutdownTimeout field (default 5s) to raft Config so Stop() drains
  committed logs with a meaningful timeout instead of the 200ms SendTimeout
- Wrap ResignLeader() in a 3s goroutine+select fence in the SIGTERM handler
  so a hung leadership transfer cannot block graceful shutdown indefinitely
- Validate ElectionTimeout >= HeartbeatTimeout in RaftConfig.Validate() to
  prevent hashicorp/raft panicking at startup with an invalid config
- Fix stale "NewNode creates a new raft node" comment that had migrated onto
  buildRaftConfig after the function was extracted

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* style(raft): fix gci struct field alignment in node_test.go

gofmt/gci requires minimal alignment; excessive spaces in the
TestNewNode_SnapshotConfigApplied struct literal caused a lint failure.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* test: improve patch coverage for raft shutdown and resign paths

Add unit tests for lines flagged by Codecov:
- boltTxClosedFilter.Write: filter drops "tx closed", forwards others
- buildRaftConfig: ElectionTimeout > 0 applied, zero uses default
- FullNode.ResignLeader: nil raftNode no-op; non-leader raftNode no-op
- Syncer.Stop: raftRetriever.Stop is called when raftRetriever is set
- Syncer.RecoverFromRaft: GetHeader failure when local state is ahead of
  stale raft snapshot returns "cannot verify hash" error

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(config): reject negative ElectionTimeout in RaftConfig.Validate

A negative ElectionTimeout was silently ignored (buildRaftConfig only
applies values > 0), allowing a misconfigured node to start with the
library default instead of failing fast.  Add an explicit < 0 check
that returns an error; 0 remains valid as the "use library default"
sentinel.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(raft): preserve stdlib logger writer in bolt filter; propagate ctx through ResignLeader

- suppressBoltNoise.Do now wraps log.Writer() instead of os.Stderr so any
  existing stdlib logger redirection is preserved rather than clobbered
- ResignLeader now accepts a context.Context: leadershipTransfer runs in a
  goroutine and a select abandons the caller at ctx.Done(), returning
  ctx.Err(); the goroutine itself exits once the inner raft transfer
  completes (bounded by ElectionTimeout)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(node): propagate context through LeaderResigner.ResignLeader interface

- LeaderResigner.ResignLeader() → ResignLeader(ctx context.Context) error
- FullNode.ResignLeader passes ctx down to raft.Node.ResignLeader
- run_node.go calls resigner.ResignLeader(resignCtx) directly — no wrapper
  goroutine/select needed; context.DeadlineExceeded vs other errors are
  logged distinctly
- Merge TestFullNode_ResignLeader_NilRaftNode and
  TestFullNode_ResignLeader_NonLeaderRaftNode into single table-driven test

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(raft): abdicate leadership when store is significantly behind raft state

When a node wins election but its local store is more than 1 block behind
the raft FSM state, RecoverFromRaft cannot replay the gap (it only handles
the single latest block in the raft snapshot). Previously the node would
log "recovery successful" and start leader operations anyway, then stall
block production while the executor repeatedly failed to sync the missing
blocks from a store that did not have them.

Fix: in DynamicLeaderElection.Run, detect diff < -1 at the
follower→leader transition and immediately transfer leadership to a
better-synced peer. diff == -1 is preserved: RecoverFromRaft can apply
exactly one block from the raft snapshot, so that path is unchanged.

Closes #3255

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(raft): address julienrbrt review — logger, boltdb filter, ShutdownTimeout

- Remove stdlib log filter (boltTxClosedFilter / suppressBoltNoise): it
  redirected the global stdlib logger which is the wrong scope. raft-boltdb
  uses log.Printf directly with no Logger option, so the "tx closed" noise
  is now accepted as-is from stderr.

- Wire hashicorp/raft's internal hclog output through zerolog: set
  raft.Config.Logger to an hclog.Logger backed by the zerolog writer so
  all raft-internal messages appear in the structured log stream under
  component=raft-hashicorp.

- Remove ShutdownTimeout from public config: it was a second "how long to
  wait" knob that confused operators. ShutdownTimeout is now computed
  internally as 5 × SendTimeout at the initRaftNode call site.

- Delete TestRaftRetrieverStopClearsApplyCallback: tested an implementation
  detail (Stop clears the apply callback pointer) rather than observable
  behaviour. The stubRaftNode helper it defined is moved to syncer_test.go
  where it is still needed.

- Rename TestNewNode_SnapshotConfigApplied → TestBuildRaftConfig_SnapshotConfigApplied
  to reflect that it tests buildRaftConfig, not NewNode.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(ci): promote go-hclog to direct dep; fix gci alignment in syncer_test

go mod tidy promotes github.com/hashicorp/go-hclog from indirect to
direct now that pkg/raft/node.go imports it explicitly.

gci auto-formatted stubRaftNode method stubs in syncer_test.go.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(raft): address coderabbitai feedback — ShutdownTimeout clamp, transfer error propagation, deterministic test

ShutdownTimeout zero-value panic (critical):
NewNode now clamps ShutdownTimeout to 5*SendTimeout when the caller passes
zero, preventing a panic in time.NewTicker inside waitForMsgsLanded. The
normal path through initRaftNode already sets it explicitly; this guard
protects direct callers (e.g. tests) that omit the field.

Leadership transfer error propagation (major):
When store-lag abdication calls leadershipTransfer() and it fails, the
error is now returned instead of being logged and silently continuing.
Continuing after a failed transfer left the node as leader-without-worker,
stalling the cluster.

Deterministic abdication test (major):
Replace time.Sleep(10ms) + t.Fatal-in-goroutine with channel-based
synchronization: leader runFn signals leaderStarted; the test goroutine
waits up to 50ms for that signal and calls t.Error (safe from goroutines)
if it arrives, then cancels the context either way.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* docs(changelog): add unreleased entries for raft HA hardening (#3230)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(raft): wait for block-store sync before abdicating on leader election

When all nodes restart simultaneously their block stores can lag behind
the raft FSM height (block data arrives via p2p, not raft). With the
previous code every elected node saw diff < -1 and immediately called
leadershipTransfer(), creating an infinite hot-potato: no node ever
stabilised as leader and block production stalled.

Instead of abdicating immediately, the new waitForBlockStoreSync helper
polls IsSynced for up to ShutdownTimeout (default ~1s). The fastest-
syncing peer proceeds as leader; nodes that cannot catch up in time still
abdicate and yield to a better candidate. Leadership also checks mid-wait
so a lost-leadership event aborts the wait early.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(raft): distinguish sync wait outcomes with syncResult enum

waitForBlockStoreSync previously returned bool, conflating three distinct
failure modes (ctx canceled, timeout, lost leadership). The caller in Run
then unconditionally called leadershipTransfer() on any false return, which
is wrong when leadership was already lost.

Introduce a syncResult enum (syncResultSynced, syncResultTimeout,
syncResultLostLeadership, syncResultCanceled) and update Run to handle each
case correctly:
- syncResultCanceled    → return ctx.Err()
- syncResultLostLeadership → continue without calling leadershipTransfer()
- syncResultTimeout     → leadershipTransfer() + continue as before
- syncResultSynced      → refresh raftState/diff and proceed

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(raft): fix gci alignment in syncResult const block

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: auricom

CHANGELOG.md

@@ -9,6 +9,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+
+- Raft HA production hardening: leader fencing on SIGTERM, FSM data race, follower restart crash, log compaction config, and election timeout validation [#3230](https://github.com/evstack/ev-node/pull/3230)
+
 ### Changes
 
 - Improve P2P gossiping by switching pubsub internals from `GossipSub` to `FloodSub` [#3263](https://github.com/evstack/ev-node/pull/3263)

block/internal/syncing/raft_retriever.go

@@ -74,6 +74,7 @@ func (r *raftRetriever) Stop() {
 	r.mtx.Unlock()
 
 	r.wg.Wait()
+	r.raftNode.SetApplyCallback(nil)
 }
 
 // raftApplyLoop processes blocks received from raft

block/internal/syncing/syncer.go

@@ -247,6 +247,11 @@ func (s *Syncer) Stop(ctx context.Context) error {
 	if s.daFollower != nil {
 		s.daFollower.Stop()
 	}
+
+	if s.raftRetriever != nil {
+		s.raftRetriever.Stop()
+	}
+
 	s.wg.Wait()
 
 	// Skip draining if we're shutting down due to a critical error (e.g. execution
@@ -1240,7 +1245,26 @@ func (s *Syncer) RecoverFromRaft(ctx context.Context, raftState *raft.RaftBlockS
 	}
 
 	if currentState.LastBlockHeight > raftState.Height {
-		return fmt.Errorf("invalid block height: %d (expected %d)", raftState.Height, currentState.LastBlockHeight+1)
+		// Local EVM is ahead of the raft snapshot. This is expected on restart when
+		// the raft FSM hasn't finished replaying log entries yet (stale snapshot height),
+		// or when log entries were compacted and the FSM is awaiting a new snapshot from
+		// the leader. Verify that our local block at raftState.Height has the same hash
+		// to confirm shared history before skipping recovery.
+		localHeader, err := s.store.GetHeader(ctx, raftState.Height)
+		if err != nil {
+			return fmt.Errorf("local state ahead of raft snapshot (local=%d raft=%d), cannot verify hash: %w",
+				currentState.LastBlockHeight, raftState.Height, err)
+		}
+		localHash := localHeader.Hash()
+		if !bytes.Equal(localHash, raftState.Hash) {
+			return fmt.Errorf("local state diverged from raft at height %d: local hash %x != raft hash %x",
+				raftState.Height, localHash, raftState.Hash)
+		}
+		s.logger.Info().
+			Uint64("local_height", currentState.LastBlockHeight).
+			Uint64("raft_height", raftState.Height).
+			Msg("local state ahead of stale raft snapshot with matching hash; skipping recovery, raft will catch up")
+		return nil
 	}
 
 	return nil

block/internal/syncing/syncer_test.go

@@ -6,6 +6,7 @@ import (
 	"crypto/sha512"
 	"errors"
 	"math"
+	"sync"
 	"sync/atomic"
 	"testing"
 	"testing/synctest"
@@ -35,6 +36,30 @@ import (
 	"github.com/evstack/ev-node/types"
 )
 
+// stubRaftNode is a minimal RaftNode stub that records SetApplyCallback calls.
+type stubRaftNode struct {
+	mu        sync.Mutex
+	callbacks []chan<- raft.RaftApplyMsg
+}
+
+func (s *stubRaftNode) IsLeader() bool                                        { return false }
+func (s *stubRaftNode) HasQuorum() bool                                       { return false }
+func (s *stubRaftNode) GetState() *raft.RaftBlockState                        { return nil }
+func (s *stubRaftNode) Broadcast(context.Context, *raft.RaftBlockState) error { return nil }
+func (s *stubRaftNode) SetApplyCallback(ch chan<- raft.RaftApplyMsg) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.callbacks = append(s.callbacks, ch)
+}
+
+func (s *stubRaftNode) recordedCallbacks() []chan<- raft.RaftApplyMsg {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	out := make([]chan<- raft.RaftApplyMsg, len(s.callbacks))
+	copy(out, s.callbacks)
+	return out
+}
+
 // helper to create a signer, pubkey and address for tests
 func buildSyncTestSigner(tb testing.TB) (addr []byte, pub crypto.PubKey, signer signerpkg.Signer) {
 	tb.Helper()
@@ -422,6 +447,171 @@ func TestSyncer_RecoverFromRaft_KeepsStrictValidationAfterStateExists(t *testing
 	require.ErrorContains(t, err, "invalid chain ID")
 }
 
+// TestSyncer_RecoverFromRaft_LocalAheadOfStaleSnapshot tests Bug A: when the node
+// restarts and the EVM is ahead of the raft FSM snapshot (stale snapshot due to
+// timing or log compaction), RecoverFromRaft should skip recovery if the local
+// block at raftState.Height has a matching hash, rather than crashing.
+func TestSyncer_RecoverFromRaft_LocalAheadOfStaleSnapshot(t *testing.T) {
+	ds := dssync.MutexWrap(datastore.NewMapDatastore())
+	st := store.New(ds)
+
+	cm, err := cache.NewManager(config.DefaultConfig(), st, zerolog.Nop())
+	require.NoError(t, err)
+
+	addr, pub, signer := buildSyncTestSigner(t)
+	gen := genesis.Genesis{
+		ChainID:         "1234",
+		InitialHeight:   1,
+		StartTime:       time.Now().Add(-time.Second),
+		ProposerAddress: addr,
+	}
+
+	mockExec := testmocks.NewMockExecutor(t)
+	mockHeaderStore := extmocks.NewMockStore[*types.P2PSignedHeader](t)
+	mockDataStore := extmocks.NewMockStore[*types.P2PData](t)
+	s := NewSyncer(
+		st,
+		mockExec,
+		nil,
+		cm,
+		common.NopMetrics(),
+		config.DefaultConfig(),
+		gen,
+		mockHeaderStore,
+		mockDataStore,
+		zerolog.Nop(),
+		common.DefaultBlockOptions(),
+		make(chan error, 1),
+		nil,
+	)
+
+	// Build block at height 1 and persist it (simulates EVM block persisted before SIGTERM).
+	data1 := makeData(gen.ChainID, 1, 0)
+	headerBz1, hdr1 := makeSignedHeaderBytes(t, gen.ChainID, 1, addr, pub, signer, []byte("app1"), data1, nil)
+	dataBz1, err := data1.MarshalBinary()
+	require.NoError(t, err)
+
+	batch, err := st.NewBatch(t.Context())
+	require.NoError(t, err)
+	require.NoError(t, batch.SaveBlockDataFromBytes(hdr1, headerBz1, dataBz1, &hdr1.Signature))
+	require.NoError(t, batch.SetHeight(1))
+	require.NoError(t, batch.UpdateState(types.State{
+		ChainID:         gen.ChainID,
+		InitialHeight:   1,
+		LastBlockHeight: 1,
+		LastHeaderHash:  hdr1.Hash(),
+	}))
+	require.NoError(t, batch.Commit())
+
+	// Simulate EVM at height 1, raft snapshot stale at height 0 — but there is no
+	// block 0 to check, so use height 1 EVM vs stale snapshot at height 0.
+	// More realistic: EVM at height 2, raft snapshot at height 1.
+	// Build a second block and advance the store state to height 2.
+	data2 := makeData(gen.ChainID, 2, 0)
+	headerBz2, hdr2 := makeSignedHeaderBytes(t, gen.ChainID, 2, addr, pub, signer, []byte("app2"), data2, hdr1.Hash())
+	dataBz2, err := data2.MarshalBinary()
+	require.NoError(t, err)
+
+	batch2, err := st.NewBatch(t.Context())
+	require.NoError(t, err)
+	require.NoError(t, batch2.SaveBlockDataFromBytes(hdr2, headerBz2, dataBz2, &hdr2.Signature))
+	require.NoError(t, batch2.SetHeight(2))
+	require.NoError(t, batch2.UpdateState(types.State{
+		ChainID:         gen.ChainID,
+		InitialHeight:   1,
+		LastBlockHeight: 2,
+		LastHeaderHash:  hdr2.Hash(),
+	}))
+	require.NoError(t, batch2.Commit())
+
+	// Set lastState to height 2 (EVM is at 2).
+	s.SetLastState(types.State{
+		ChainID:         gen.ChainID,
+		InitialHeight:   1,
+		LastBlockHeight: 2,
+		LastHeaderHash:  hdr2.Hash(),
+	})
+
+	t.Run("matching hash skips recovery", func(t *testing.T) {
+		// raft snapshot is stale at height 1 (EVM is at 2); hash matches local block 1.
+		err := s.RecoverFromRaft(t.Context(), &raft.RaftBlockState{
+			Height: 1,
+			Hash:   hdr1.Hash(),
+			Header: headerBz1,
+			Data:   dataBz1,
+		})
+		require.NoError(t, err, "local ahead of stale raft snapshot with matching hash should not error")
+	})
+
+	t.Run("diverged hash returns error", func(t *testing.T) {
+		wrongHash := make([]byte, len(hdr1.Hash()))
+		copy(wrongHash, hdr1.Hash())
+		wrongHash[0] ^= 0xFF // flip a byte to produce a different hash
+
+		err := s.RecoverFromRaft(t.Context(), &raft.RaftBlockState{
+			Height: 1,
+			Hash:   wrongHash,
+			Header: headerBz1,
+			Data:   dataBz1,
+		})
+		require.Error(t, err)
+		require.ErrorContains(t, err, "diverged from raft")
+	})
+
+	t.Run("get header fails returns error", func(t *testing.T) {
+		// lastState is at height 2; raft snapshot at height 0.
+		// No block is stored at height 0, so GetHeader fails.
+		err := s.RecoverFromRaft(t.Context(), &raft.RaftBlockState{
+			Height: 0,
+			Hash:   make([]byte, 32),
+			Header: headerBz1,
+			Data:   dataBz1,
+		})
+		require.Error(t, err)
+		require.ErrorContains(t, err, "cannot verify hash")
+	})
+}
+
+func TestSyncer_Stop_CallsRaftRetrieverStop(t *testing.T) {
+	ds := dssync.MutexWrap(datastore.NewMapDatastore())
+	st := store.New(ds)
+
+	cm, err := cache.NewManager(config.DefaultConfig(), st, zerolog.Nop())
+	require.NoError(t, err)
+
+	raftNode := &stubRaftNode{}
+	s := NewSyncer(
+		st,
+		nil,
+		nil,
+		cm,
+		common.NopMetrics(),
+		config.DefaultConfig(),
+		genesis.Genesis{},
+		nil,
+		nil,
+		zerolog.Nop(),
+		common.DefaultBlockOptions(),
+		make(chan error, 1),
+		raftNode,
+	)
+
+	require.NotNil(t, s.raftRetriever, "raftRetriever should be set when raftNode is provided")
+
+	// Manually set cancel so Stop() doesn't bail out early (simulates having been started).
+	ctx, cancel := context.WithCancel(t.Context())
+	s.ctx = ctx
+	s.cancel = cancel
+
+	require.NoError(t, s.Stop(t.Context()))
+
+	// raftRetriever.Stop clears the apply callback (sets it to nil).
+	// The stub records each SetApplyCallback call; the last one should be nil.
+	callbacks := raftNode.recordedCallbacks()
+	require.NotEmpty(t, callbacks, "expected at least one callback registration")
+	assert.Nil(t, callbacks[len(callbacks)-1], "last callback should be nil after Stop")
+}
+
 func TestSyncer_processPendingEvents(t *testing.T) {
 	ds := dssync.MutexWrap(datastore.NewMapDatastore())
 	st := store.New(ds)

go.mod

@@ -22,6 +22,7 @@ require (
 	github.com/go-kit/kit v0.13.0
 	github.com/go-viper/mapstructure/v2 v2.5.0
 	github.com/goccy/go-yaml v1.19.2
+	github.com/hashicorp/go-hclog v1.6.3
 	github.com/hashicorp/golang-lru/v2 v2.0.7
 	github.com/hashicorp/raft v1.7.3
 	github.com/hashicorp/raft-boltdb v0.0.0-20251103221153-05f9dd7a5148
@@ -102,7 +103,6 @@ require (
 	github.com/googleapis/gax-go/v2 v2.20.0 // indirect
 	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
-	github.com/hashicorp/go-hclog v1.6.3 // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/go-metrics v0.5.4 // indirect
 	github.com/hashicorp/go-msgpack v0.5.5 // indirect

node/full.go

@@ -35,6 +35,7 @@ const (
 )
 
 var _ Node = &FullNode{}
+var _ LeaderResigner = &FullNode{}
 
 type leaderElection interface {
 	Run(ctx context.Context) error
@@ -154,8 +155,12 @@ func initRaftNode(nodeConfig config.Config, logger zerolog.Logger) (*raftpkg.Nod
 		Bootstrap:          nodeConfig.Raft.Bootstrap,
 		SnapCount:          nodeConfig.Raft.SnapCount,
 		SendTimeout:        nodeConfig.Raft.SendTimeout,
+		ShutdownTimeout:    5 * nodeConfig.Raft.SendTimeout,
 		HeartbeatTimeout:   nodeConfig.Raft.HeartbeatTimeout,
 		LeaderLeaseTimeout: nodeConfig.Raft.LeaderLeaseTimeout,
+		ElectionTimeout:    nodeConfig.Raft.ElectionTimeout,
+		SnapshotThreshold:  nodeConfig.Raft.SnapshotThreshold,
+		TrailingLogs:       nodeConfig.Raft.TrailingLogs,
 	}
 
 	if nodeConfig.Raft.Peers != "" {
@@ -384,3 +389,12 @@ func (n *FullNode) GetGenesisChunks() ([]string, error) {
 func (n *FullNode) IsRunning() bool {
 	return n.leaderElection.IsRunning()
 }
+
+// ResignLeader transfers raft leadership before the node shuts down.
+// It is a no-op when raft is not enabled or this node is not the leader.
+func (n *FullNode) ResignLeader(ctx context.Context) error {
+	if n.raftNode == nil {
+		return nil
+	}
+	return n.raftNode.ResignLeader(ctx)
+}

node/full_node_test.go

@@ -14,6 +14,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
+	raftpkg "github.com/evstack/ev-node/pkg/raft"
 	"github.com/evstack/ev-node/pkg/service"
 )
 
@@ -82,3 +83,19 @@ func TestStartInstrumentationServer(t *testing.T) {
 		assert.NoError(err, "Pprof server shutdown should not return error")
 	}
 }
+
+func TestFullNode_ResignLeader_Noop(t *testing.T) {
+	cases := []struct {
+		name string
+		node *FullNode
+	}{
+		{name: "nil raftNode", node: &FullNode{}},
+		// Empty *raftpkg.Node has nil raft field so IsLeader() returns false.
+		{name: "non-leader raftNode", node: &FullNode{raftNode: &raftpkg.Node{}}},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			assert.NoError(t, tc.node.ResignLeader(context.Background()))
+		})
+	}
+}

node/node.go

@@ -1,6 +1,8 @@
 package node
 
 import (
+	"context"
+
 	ds "github.com/ipfs/go-datastore"
 	"github.com/rs/zerolog"
 
@@ -21,6 +23,13 @@ type Node interface {
 	IsRunning() bool
 }
 
+// LeaderResigner is an optional interface implemented by nodes that participate
+// in Raft leader election. Callers should type-assert to this interface and call
+// ResignLeader before cancelling the node context on graceful shutdown.
+type LeaderResigner interface {
+	ResignLeader(ctx context.Context) error
+}
+
 type NodeOptions struct {
 	BlockOptions block.BlockOptions
 }

pkg/cmd/run_node.go

@@ -224,6 +224,22 @@ func StartNode(
 	select {
 	case <-quit:
 		logger.Info().Msg("shutting down node...")
+		// Proactively resign Raft leadership before cancelling the worker context.
+		// This gives the cluster a chance to elect a new leader before this node
+		// stops producing blocks, shrinking the unconfirmed-block window.
+		if resigner, ok := rollnode.(node.LeaderResigner); ok {
+			resignCtx, resignCancel := context.WithTimeout(context.Background(), 3*time.Second)
+			defer resignCancel()
+			if err := resigner.ResignLeader(resignCtx); err != nil {
+				if errors.Is(err, context.DeadlineExceeded) {
+					logger.Warn().Msg("leadership resign timed out")
+				} else {
+					logger.Warn().Err(err).Msg("leadership resign on shutdown failed")
+				}
+			} else {
+				logger.Info().Msg("leadership resigned before shutdown")
+			}
+		}
 		cancel()
 	case err := <-errCh:
 		if err != nil && !errors.Is(err, context.Canceled) {