fix: block outgoing messages during entire doppelgänger protection window

Fixes critical bug where outgoing messages were not blocked during grace
period, allowing competition with potential twin operators and defeating
the purpose of doppelgänger protection.

Problem:
- is_monitoring() returned false during grace period
- Message sender only checked is_monitoring()
- Node sent messages during grace period, competing with potential twins
- Validation masked duplicate messages (only one propose per round accepted)
- Twin detection could fail

Solution:
- Add is_active() method checking both GracePeriod and Monitoring states
- Update message sender to use is_active() instead of is_monitoring()
- Block ALL outgoing messages during entire protection window
- Keep is_monitoring() for detection logic (only active after grace period)

Behavior:
- GracePeriod: Block outgoing messages, skip twin detection
- Monitoring: Block outgoing messages, actively detect twins
- Completed: Allow messages, skip detection

This addresses feedback in PR #692 discussion r2459937843 about validation
masking and the need to focus on message blocking during startup.

Tests:
- Added test_state_is_active() to verify state machine behavior
- Added test_service_is_active_during_grace_period() for service API
- All 9 operator_doppelganger tests passing

Author: diegomrsantos

anchor/message_sender/src/network.rs

@@ -53,11 +53,13 @@ impl<S: SlotClock + 'static, D: DutiesProvider> MessageSender for Arc<NetworkMes
         committee_id: CommitteeId,
         additional_message_callback: Option<Box<MessageCallback>>,
     ) -> Result<(), Error> {
-        // Check if in doppelgänger monitoring period - silently drop
+        // Check if doppelgänger protection is active - block outgoing messages
+        // This includes both grace period (waiting for old messages to expire) and
+        // monitoring period (actively detecting twins)
         if let Some(dg) = &self.doppelganger_service
-            && dg.is_monitoring()
+            && dg.is_active()
         {
-            trace!("Dropping message send - in doppelgänger monitoring period");
+            trace!("Dropping message send - doppelgänger protection active");
             return Ok(());
         }
 
@@ -106,11 +108,13 @@ impl<S: SlotClock + 'static, D: DutiesProvider> MessageSender for Arc<NetworkMes
     }
 
     fn send(&self, message: SignedSSVMessage, committee_id: CommitteeId) -> Result<(), Error> {
-        // Check if in doppelgänger monitoring period - silently drop
+        // Check if doppelgänger protection is active - block outgoing messages
+        // This includes both grace period (waiting for old messages to expire) and
+        // monitoring period (actively detecting twins)
         if let Some(dg) = &self.doppelganger_service
-            && dg.is_monitoring()
+            && dg.is_active()
         {
-            trace!("Dropping message send - in doppelgänger monitoring period");
+            trace!("Dropping message send - doppelgänger protection active");
             return Ok(());
         }
 

anchor/operator_doppelganger/src/service.rs

@@ -66,11 +66,19 @@ impl DoppelgangerState {
         Self::GracePeriod
     }
 
-    /// Check if actively monitoring
+    /// Check if actively monitoring (excludes grace period)
     const fn is_monitoring(self) -> bool {
         matches!(self, Self::Monitoring)
     }
 
+    /// Check if doppelgänger protection is active (includes grace period and monitoring)
+    ///
+    /// Returns `true` during the entire protection window (grace period + monitoring).
+    /// Use this to block outgoing messages during startup to prevent competition with twins.
+    const fn is_active(self) -> bool {
+        matches!(self, Self::GracePeriod | Self::Monitoring)
+    }
+
     /// Transition from grace period to monitoring
     fn end_grace_period(&mut self) {
         *self = Self::Monitoring;
@@ -247,6 +255,17 @@ impl OperatorDoppelgangerService {
     pub fn is_monitoring(&self) -> bool {
         self.state.read().is_monitoring()
     }
+
+    /// Check if doppelgänger protection is active
+    ///
+    /// Returns `true` during the entire protection window (grace period + monitoring).
+    /// Returns `false` after monitoring completes.
+    ///
+    /// Use this to determine if outgoing messages should be blocked to prevent
+    /// competition with potential twin operators during startup.
+    pub fn is_active(&self) -> bool {
+        self.state.read().is_active()
+    }
 }
 
 #[cfg(test)]
@@ -392,6 +411,43 @@ mod tests {
         assert!(!state.is_monitoring());
     }
 
+    #[test]
+    fn test_state_is_active() {
+        let mut state = DoppelgangerState::new();
+
+        // Grace period: is_active should be true, is_monitoring should be false
+        assert!(state.is_active(), "Should be active during grace period");
+        assert!(
+            !state.is_monitoring(),
+            "Should not be monitoring during grace period"
+        );
+
+        // Transition to monitoring
+        state.end_grace_period();
+        assert!(state.is_active(), "Should be active during monitoring");
+        assert!(state.is_monitoring(), "Should be monitoring");
+
+        // Complete monitoring
+        state.end_monitoring();
+        assert!(!state.is_active(), "Should not be active after completion");
+        assert!(
+            !state.is_monitoring(),
+            "Should not be monitoring after completion"
+        );
+    }
+
+    #[test]
+    fn test_service_is_active_during_grace_period() {
+        let service = create_service();
+
+        // Start in grace period - should be active but not monitoring
+        assert!(service.is_active(), "Should be active during grace period");
+        assert!(
+            !service.is_monitoring(),
+            "Should not be monitoring during grace period"
+        );
+    }
+
     #[test]
     fn test_service_creation() {
         let service = create_service();