diff --git a/app-libs/parentchain-specs/src/lib.rs b/app-libs/parentchain-specs/src/lib.rs
index cf7c91757..ffb73f62c 100644
--- a/app-libs/parentchain-specs/src/lib.rs
+++ b/app-libs/parentchain-specs/src/lib.rs
@@ -92,14 +92,14 @@ impl MinimalChainSpec {
  }
  pub fn is_known_production_chain(genesis_hash: Hash) -> bool {
- match genesis_hash.into() {
+ matches!(
+ genesis_hash.into(),
  POLKADOT_RELAY_GENESIS_HASH_HEX
- | ASSET_HUB_POLKADOT_GENESIS_HASH_HEX
- | KUSAMA_RELAY_GENESIS_HASH_HEX
- | ASSET_HUB_KUSAMA_GENESIS_HASH_HEX
- | INTEGRITEE_KUSAMA_GENESIS_HASH_HEX
- | INTEGRITEE_POLKADOT_GENESIS_HASH_HEX => true,
- _ => false,
- }
+ | ASSET_HUB_POLKADOT_GENESIS_HASH_HEX
+ | KUSAMA_RELAY_GENESIS_HASH_HEX
+ | ASSET_HUB_KUSAMA_GENESIS_HASH_HEX
+ | INTEGRITEE_KUSAMA_GENESIS_HASH_HEX
+ | INTEGRITEE_POLKADOT_GENESIS_HASH_HEX
+ )
  }
  }
diff --git a/app-libs/stf/src/stf_sgx.rs b/app-libs/stf/src/stf_sgx.rs
index 2cf40c8ea..c8ebe2ac3 100644
--- a/app-libs/stf/src/stf_sgx.rs
+++ b/app-libs/stf/src/stf_sgx.rs
@@ -381,10 +381,10 @@ fn retire_account(
  call: TrustedCall::force_unshield_all(enclave_signer_account(), account.clone(), None),
  nonce: *enclave_nonce, //nonce will no longer increase as we bypass signature check
  delegate: None,
- signature: fake_signature.clone(),
+ signature: fake_signature,
  };
  // Replace with `inspect_err` once it's stable.
- tcs.execute(calls, shard, node_metadata_repo.clone())
+ tcs.execute(calls, shard, node_metadata_repo)
  .map_err(|e| {
  error!(
  "Failed to force-unshield native for {:?}: {:?}",
diff --git a/app-libs/stf/src/trusted_call.rs b/app-libs/stf/src/trusted_call.rs
index 4dec1e308..2c1de3568 100644
--- a/app-libs/stf/src/trusted_call.rs
+++ b/app-libs/stf/src/trusted_call.rs
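Review bot: `is_known_production_chain` is the public gate that `may_execute` (trusted_call.rs hunk) uses to refuse `waste_time`/`note_bloat`/`spam_extrinsics` on live chains, and the `matches!` rewrite still leaves it without a doc comment. Suggest `/// Returns true when genesis_hash is the genesis hash of one of the listed production parentchains (Polkadot/Kusama relay, their Asset Hubs, Integritee Kusama/Polkadot); used to refuse test-only calls on live networks.` above the `pub fn`. The comparison goes through `genesis_hash.into()` against the `*_HEX` constants, so the target type is only inferred from the constants; a short note on the expected encoding would save the next reader a lookup.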
@@ -1225,9 +1225,9 @@ fn may_execute(tcs: &TrustedCallSigned) -> bool {
  TrustedCall::balance_shield(..) => true,
  TrustedCall::balance_shield_through_enclave_bridge_pallet(..) => true,
  TrustedCall::assets_shield(..) => true,
+ // permissioned calls are ok
+ TrustedCall::timestamp_set(..) => true,
  TrustedCall::force_unshield_all(..) => true,
- // this would cause nonce clashes during retirement. safer to filter
- TrustedCall::timestamp_set(..) => false,
  // everything else is disabled during maintenance mode
  _ => false,
  }
@@ -1235,16 +1235,14 @@ fn may_execute(tcs: &TrustedCallSigned) -> bool {
  }
  if MinimalChainSpec::is_known_production_chain(
  shielding_target_genesis_hash().unwrap_or_default(),
+ ) && matches!(
+ tcs.call,
+ TrustedCall::waste_time(..)
+ | TrustedCall::note_bloat(..)
+ | TrustedCall::spam_extrinsics(..)
  ) {
- if matches!(
- tcs.call,
- TrustedCall::waste_time(..)
- | TrustedCall::note_bloat(..)
- | TrustedCall::spam_extrinsics(..)
- ) {
- warn!("preventing execution of call {:?} on production chain", tcs.call);
- return false
- }
+ warn!("preventing execution of call {:?} on production chain", tcs.call);
+ return false
  }
  true
  }
diff --git a/core-primitives/stf-executor/src/executor.rs b/core-primitives/stf-executor/src/executor.rs
index 1de21ae51..5b1555060 100644
--- a/core-primitives/stf-executor/src/executor.rs
+++ b/core-primitives/stf-executor/src/executor.rs
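Review bot: The replacement comment `// permissioned calls are ok` drops the reason the `timestamp_set` arm was previously `false` — the removed comment named nonce clashes with the retirement tasks — and the reason it is now safe lives in a different file (the executor.rs hunk moves `maintenance_mode_tasks` after the top-pool loop). Someone reordering the executor later will not see that dependency from `may_execute`. Suggest `// timestamp_set is permissioned; safe again because maintenance-mode tasks now run after the top-pool calls (see executor.rs), so the enclave signer nonce no longer clashes` in place of the new comment. The enclosing match and `may_execute` itself start outside the hunk.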
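Review bot: The merged guard still falls open when `shielding_target_genesis_hash()` is `None`: `unwrap_or_default()` yields the default hash, `is_known_production_chain` returns false for it, and `waste_time`/`note_bloat`/`spam_extrinsics` are then admitted without any log line. That behaviour is carried over from the context lines rather than introduced here, but now that the `matches!` sits inside the same condition it is worth making the missing-hash case visible, e.g. `if shielding_target_genesis_hash().is_none() { warn!("shielding target genesis hash unknown; production-chain call filter not applied"); }` ahead of the `if`. Whether an unknown genesis should instead be treated as production for these three calls is a policy decision I cannot make from the hunk. `may_execute` starts outside the hunk; its closing `}` is the last context line.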
@@ -289,29 +289,6 @@ where
  },
  );
- if maintenance_mode {
- info!("Maintenance mode is active.");
- let mut extrinsic_call_backs: Vec = Vec::new();
- Stf::maintenance_mode_tasks(
- &mut state,
- &shard,
- *header.number(),
- &mut extrinsic_call_backs,
- self.node_metadata_repo.clone(),
- )
- .map_err(|e| error!("maintenance_mode tasks failed: {:?}", e))
- .ok();
- info!(
- "maintenance tasks have triggered {} parentchain calls",
- extrinsic_call_backs.len()
- );
- // we're hacking our unshielding calls into the queue
- executed_and_failed_calls.push(ExecutedOperation::success(
- H256::default(),
- TrustedOperationOrHash::Hash(H256::default()),
- extrinsic_call_backs,
- ));
- }
  // Iterate through all calls until time is over.
  for trusted_call_signed in trusted_calls.into_iter() {
  // Break if allowed time window is over.
@@ -336,6 +313,33 @@ where
  };
  }
+ // Execute maintenance tasks if maintenance mode is active
+ // This has to execute after the top-pool calls because enclave signer nonce clashes can occur otherwise (e.g. shielding calls).
+ // the risk of overdue block production is minimal as all user calls are filtered during maintenance mode anyway
+ if maintenance_mode {
+ info!("Maintenance mode is active.");
+ let mut extrinsic_call_backs: Vec = Vec::new();
+ Stf::maintenance_mode_tasks(
+ &mut state,
+ &shard,
+ *header.number(),
+ &mut extrinsic_call_backs,
+ self.node_metadata_repo.clone(),
+ )
+ .map_err(|e| error!("maintenance_mode tasks failed: {:?}", e))
+ .ok();
+ info!(
+ "maintenance tasks have triggered {} parentchain calls",
+ extrinsic_call_backs.len()
+ );
+ // we're hacking our unshielding calls into the queue
+ executed_and_failed_calls.push(ExecutedOperation::success(
+ H256::default(),
+ TrustedOperationOrHash::Hash(H256::default()),
+ extrinsic_call_backs,
+ ));
+ }
  Stf::on_finalize(&mut state).unwrap_or_else(|e| {
  error!("on_finalize failed: {:?}", e);
  });
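Review bot: The relocated block in the second hunk pushes `ExecutedOperation::success(H256::default(), …)` unconditionally, including when `Stf::maintenance_mode_tasks` returned an error (swallowed by `.map_err(..).ok()`) or produced no callbacks, so every maintenance-mode block records a synthetic zero-hash success entry even when there is nothing to submit. Suggest wrapping the push in `if !extrinsic_call_backs.is_empty() { … }`; I cannot tell from the hunk whether anything downstream keys on the zero hash, so treat that as a question to confirm rather than a certain defect. The new placement also means a failed `maintenance_mode_tasks` may leave `state` partially mutated through `&mut state` and the block still proceeds to `Stf::on_finalize`, which the added comment block should state alongside the nonce-ordering rationale. The enclosing method starts and ends outside both hunks.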