fix(platform-wallet): fall back to persister for chainlocked asset-lock tx records

[QuantumExplorer]

Issue being fixed or feature implemented

Follow-up to #3617. CodeRabbit's review on the rust-dashcore bump flagged a real architectural concern that I scoped out of that PR (thread): five asset-lock proof lookup sites in wallet/asset_lock/sync/{proof,recovery}.rs resolve a transaction record from the in-memory transactions() map keyed by (account_index, txid). With upstream's keep-finalized-transactions Cargo feature OFF (the default), chainlocked records are evicted from that map and only their txids retained in finalized_txids for dedup. The chain-lock height / block hash that an asset-lock proof needs is no longer reachable through the wallet-info API.

The narrow failure mode is "first lookup happens after the chainlock-eviction window." wait_for_proof polls and normally observes InstantSend / InBlock state while the record is still present, but a tx that's already chain-locked at the moment the proof flow starts (e.g. crash recovery resuming an asset lock that chain-locked while we were down) hits the missing-record path.

What was done?

Added a persister fallback. The persister received the full record on the chainlock-transition store call before eviction, so it can answer the lookup.

Trait surface

• New PlatformWalletPersistence::get_core_tx_record(wallet_id, txid) -> Result<Option<TransactionRecord>, PersistenceError> in traits.rs with a default Ok(None) impl. Backward-compatible: persisters that don't index records by txid (the in-tree NoPlatformPersistence, no-op test stubs in the wider tree) need no change. Persisters whose backing store keys records by txid (SqliteWalletPersister in evo-tool, the SwiftData iOS persister) should override; until then those callers see the same behavior as before this PR (None response, caller's existing not-found path applies).

• New WalletPersister::get_core_tx_record(txid) pub(crate) per-wallet passthrough in persister.rs.

Lookup helper

• New record_or_persister(in_memory, persister, txid) -> Option<TransactionRecord> pub(super) helper in proof.rs. Returns the in-memory record if present, otherwise queries the persister. Persister errors are logged at debug and surfaced as None so a transient backend failure doesn't turn into a hard error in the proof flow.

Five sites switched to the helper

Site	Before	After
validate_or_upgrade_proof	Errored with "tx not found in account" if evicted	Falls back to persister; error message broadened to "in-memory or persister"
upgrade_to_chain_lock_proof	Errored on missing	Falls back to persister; if neither has it, falls through to wait_for_chain_lock (SPV-driven)
wait_for_chain_lock	Poll loop checked in-memory only	Poll loop also checks persister so a chainlock arriving between polls and being evicted is still observed
wait_for_proof	Same	Same fix
resolve_status_from_info	Associated fn, no persister access	Converted to method (&self) to use the persister

How Has This Been Tested?

5 new unit tests in proof.rs::tests covering the helper:

• record_or_persister_prefers_in_memory_when_present — in-memory hit short-circuits; persister never consulted
• record_or_persister_falls_back_to_persister_on_miss — chain-lock-eviction recovery path
• record_or_persister_returns_none_when_neither_has_it — both miss → None
• record_or_persister_default_persister_returns_none — confirms the trait default impl works for backends that don't override
• record_or_persister_swallows_backend_errors_as_none — transient backend failures don't escalate

Fake PlatformWalletPersistence implementations (FakeRecordStore keyed by txid, ErroringStore always-fails) added inline.

cargo test -p platform-wallet --lib
test result: ok. 120 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out

cargo check --workspace --all-targets and cargo clippy -p platform-wallet --all-targets both clean.

Breaking Changes

None. The new trait method has a default Ok(None) impl. The five call sites have a slightly more permissive error path (persister fallback before erroring), but the success contract is unchanged.

Follow-up not in this PR

Downstream persisters (the SwiftData iOS persister, the evo-tool SqliteWalletPersister) need to override get_core_tx_record to actually benefit from this fallback. Until they do, the trait's default Ok(None) keeps the previous behavior (caller's existing not-found path applies). Filing those overrides will close the loop on the original CodeRabbit finding for production builds.

[coderabbitai]

Warning

Rate limit exceeded

@QuantumExplorer has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 11 minutes and 45 seconds before requesting another review.

To continue reviewing without waiting, purchase usage credits in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f46b576e-a6b2-4bf4-9866-aa0c046bd52d

📥 Commits

Reviewing files that changed from the base of the PR and between 8156ecc and 74f6b3f.

📒 Files selected for processing (8)

• packages/rs-platform-wallet-ffi/src/persistence.rs
• packages/rs-platform-wallet/src/changeset/traits.rs
• packages/rs-platform-wallet/src/wallet/asset_lock/sync/proof.rs
• packages/rs-platform-wallet/src/wallet/asset_lock/sync/recovery.rs
• packages/rs-platform-wallet/src/wallet/persister.rs
• packages/swift-sdk/Sources/SwiftDashSDK/Persistence/Models/PersistentTransaction.swift
• packages/swift-sdk/Sources/SwiftDashSDK/PlatformWallet/PlatformWalletPersistenceHandler.swift
• packages/swift-sdk/SwiftExampleApp/SwiftExampleApp/Views/StorageRecordDetailViews.swift

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/asset-lock-proof-persister-fallback

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[thepastaclaw]

Review Gate

Commit: 74f6b3f5

• ⏳ Debounce: 14m ago (need 30m)

• ✅ CI checks: builds passed, 0/0 tests passed

• ✅ CodeRabbit review: comment found

• ✅ Off-peak hours: off-peak (11:07 AM PT Thursday)

• Run review now (check to override)

[github-actions]

✅ DashSDKFFI.xcframework built for this PR.

• Workflow run: https://github.com/dashpay/platform/actions/runs/25512794779
• Artifacts: DashSDKFFI.xcframework (folder), DashSDKFFI.xcframework.zip, xc_checksum.txt

SwiftPM (host the zip at a stable URL, then use):

.binaryTarget(
  name: "DashSDKFFI",
  url: "https://your.cdn.example/DashSDKFFI.xcframework.zip",
  checksum: "35b1ecf7baf930357d5c45653ca12438079f24f802e7686d752c183af634d520"
)

Xcode manual integration:

• Download 'DashSDKFFI.xcframework' artifact from the run link above.
• Drag it into your app target (Frameworks, Libraries & Embedded Content) and set Embed & Sign.
• If using the Swift wrapper package, point its binaryTarget to the xcframework location or add the package and place the xcframework at the expected path.

[thepastaclaw]

Code Review

The persister fallback is a good narrow fix for chainlocked asset-lock records that have been evicted from the in-memory wallet map, and the helper itself is covered by focused unit tests. I did not find a consensus or safety blocker. The remaining review points are follow-through/behavioral: the in-tree FFI/Swift persistence surface still cannot answer the new lookup, the missing-record path in upgrade_to_chain_lock_proof now waits for timeout instead of failing fast, and one recovery callsite hides backend errors / does persister I/O while holding the wallet-manager write lock.

Reviewed commit: 757f035

🟡 3 suggestion(s) | 💬 1 nitpick(s)

GitHub rejected the inline review payload for this run (HTTP 422), so I’m posting the verified findings as a top-level review rather than dropping the dispatcher-required review.

🟡 suggestion: FFI / Swift persister does not yet override `get_core_tx_record` — iOS recovery path remains inert

packages/rs-platform-wallet-ffi/src/persistence.rs:63-312

The new PlatformWalletPersistence::get_core_tx_record lookup is the entire point of this PR's chainlock-eviction recovery, but FFIPersister (the only in-tree persister used by Swift/iOS, at packages/rs-platform-wallet-ffi/src/persistence.rs:312) does not override it and the C PersistenceCallbacks vtable exposes no lookup hook. Result: every FFI/Swift-backed wallet inherits the trait's default Ok(None), so once the in-memory transactions() map evicts a chainlocked record, all five updated asset-lock call sites still resolve to None and the chainlock recovery path the PR adds is unreachable on iOS.

The PR description acknowledges this and points to follow-up PRs for SqliteWalletPersister and the SwiftData persister, so this is intentional groundwork rather than a defect — flagging because the in-tree FFI surface needs a paired callback (and FFIPersister impl) before this PR's intent applies to the iOS build, and the Ok(None) default gives no compile-time signal driving that follow-through. Until then, the only behavior change visible to FFI consumers is the fast-fail → full-timeout regression noted separately on upgrade_to_chain_lock_proof.

🟡 suggestion: `upgrade_to_chain_lock_proof`: missing record now waits the full timeout instead of erroring fast

packages/rs-platform-wallet/src/wallet/asset_lock/sync/proof.rs:185-204

Previously this function returned AssetLockProofWait("Transaction X not found in account Y") immediately when the in-memory lookup missed. After the change, a miss yields in_memory = None; if the persister also returns None (which is the case for any backend that hasn't overridden get_core_tx_record — i.e. all in-tree backends today), record_or_persister returns None, the match falls to None => None, height becomes None, and the code dispatches to wait_for_chain_lock(...) which polls until height_timeout elapses and errors with FinalityTimeout.

Because the function already validated tracked_asset_locks.get(out_point) above, the asset lock is known-tracked, so silently waiting is mostly consistent with this function's documented "otherwise wait" semantics. But it does change the fast-fail behavior for genuinely-unknown txids (e.g. wallet-state mismatch, post-wipe race) and — combined with the FFI gap above — means production iOS callers always wait the full chainlock timeout instead of recovering. Either preserve a fast-fail when both lookups miss, or document the timeout-on-miss behavior on the function so callers size timeouts accordingly.

🟡 suggestion: Recovery path silently downgrades status on transient persister error

packages/rs-platform-wallet/src/wallet/asset_lock/sync/recovery.rs:100-115

record_or_persister logs persister errors at debug and surfaces them as None, which is the right call inside the wait_for_chain_lock / wait_for_proof poll loops (the next tick retries). But resolve_status_from_info is a one-shot recovery call: a transient backend error here makes the lock silently classify as AssetLockStatus::Broadcast even when the underlying tx is actually chain-locked. The follow-up resume_asset_lock then takes the wasteful Broadcast → wait_for_proof path instead of constructing a ChainAssetLockProof directly. The user eventually recovers, but the failure is invisible to operators. Either log at warn/error from this call site, or distinguish "persister returned None" from "persister failed" in resolve_status_from_info so a real backend error is visible.

💬 nitpick: `recover_asset_lock_blocking` now holds the wallet manager write lock across persister I/O

packages/rs-platform-wallet/src/wallet/asset_lock/sync/recovery.rs:47-89

recover_asset_lock_blocking acquires self.wallet_manager.blocking_write() and then calls self.resolve_status_from_info(&info.core_wallet, ...). After this PR, resolve_status_from_info can fall through to record_or_persister, which performs a synchronous self.persister.get_core_tx_record(...) lookup on miss — disk I/O, FFI callbacks, or arbitrary backend logic, now all serialized behind the wallet-manager write lock. Consider snapshotting the in-memory result, dropping wm, then doing the persister fallback (and, if needed, re-acquiring) so the lock-hold time stays bounded to the in-memory lookup as before.

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

- [SUGGESTION] packages/rs-platform-wallet-ffi/src/persistence.rs:63: FFI / Swift persister does not yet override `get_core_tx_record` — iOS recovery path remains inert
  The new `PlatformWalletPersistence::get_core_tx_record` lookup is the entire point of this PR's chainlock-eviction recovery, but `FFIPersister` (the only in-tree persister used by Swift/iOS, at packages/rs-platform-wallet-ffi/src/persistence.rs:312) does not override it and the C `PersistenceCallbacks` vtable exposes no lookup hook. Result: every FFI/Swift-backed wallet inherits the trait's default `Ok(None)`, so once the in-memory `transactions()` map evicts a chainlocked record, all five updated asset-lock call sites still resolve to `None` and the chainlock recovery path the PR adds is unreachable on iOS. The PR description acknowledges this and points to follow-up PRs for `SqliteWalletPersister` and the SwiftData persister, so this is intentional groundwork rather than a defect — flagging because the in-tree FFI surface needs a paired callback (and `FFIPersister` impl) before this PR's intent applies to the iOS build, and the `Ok(None)` default gives no compile-time signal driving that follow-through. Until then, the only behavior change visible to FFI consumers is the fast-fail → full-timeout regression noted separately on `upgrade_to_chain_lock_proof`.
- [SUGGESTION] packages/rs-platform-wallet/src/wallet/asset_lock/sync/proof.rs:185: `upgrade_to_chain_lock_proof`: missing record now waits the full timeout instead of erroring fast
  Previously this function returned `AssetLockProofWait("Transaction X not found in account Y")` immediately when the in-memory lookup missed. After the change, a miss yields `in_memory = None`; if the persister also returns `None` (which is the case for any backend that hasn't overridden `get_core_tx_record` — i.e. all in-tree backends today), `record_or_persister` returns `None`, the match falls to `None => None`, `height` becomes `None`, and the code dispatches to `wait_for_chain_lock(...)` which polls until `height_timeout` elapses and errors with `FinalityTimeout`. Because the function already validated `tracked_asset_locks.get(out_point)` above, the asset lock is known-tracked, so silently waiting is mostly consistent with this function's documented "otherwise wait" semantics. But it does change the fast-fail behavior for genuinely-unknown txids (e.g. wallet-state mismatch, post-wipe race) and — combined with the FFI gap above — means production iOS callers always wait the full chainlock timeout instead of recovering. Either preserve a fast-fail when both lookups miss, or document the timeout-on-miss behavior on the function so callers size timeouts accordingly.
- [SUGGESTION] packages/rs-platform-wallet/src/wallet/asset_lock/sync/recovery.rs:100: Recovery path silently downgrades status on transient persister error
  `record_or_persister` logs persister errors at `debug` and surfaces them as `None`, which is the right call inside the `wait_for_chain_lock` / `wait_for_proof` poll loops (the next tick retries). But `resolve_status_from_info` is a one-shot recovery call: a transient backend error here makes the lock silently classify as `AssetLockStatus::Broadcast` even when the underlying tx is actually chain-locked. The follow-up `resume_asset_lock` then takes the wasteful `Broadcast → wait_for_proof` path instead of constructing a `ChainAssetLockProof` directly. The user eventually recovers, but the failure is invisible to operators. Either log at `warn`/`error` from this call site, or distinguish "persister returned None" from "persister failed" in `resolve_status_from_info` so a real backend error is visible.

[QuantumExplorer]

@thepastaclaw thanks for the review. Three of the four are addressed in 372697d, the fourth was a staleness artifact:

#1 — FFI not wired (stale). The review pulled commit 757f035c, which was indeed groundwork-only. The follow-on commits on this same PR (d8de2c2 + 8e9b75d) added on_get_core_tx_record_fn + on_get_core_tx_record_free_fn to PersistenceCallbacks, the matching FFIPersister override, the Swift coreTxRecord lookup that walks PersistentTransaction by txid, and plumbing for the consensus-encoded transaction bytes (so the synthesized TransactionRecord carries a real Transaction body, not a placeholder). The recovery path now reaches the iOS build.

#2 — fast-fail regression. Restored. upgrade_to_chain_lock_proof returns the same AssetLockProofWait("Transaction X not found in account Y") pre-PR callers expected when both the in-memory map and the persister miss. The "persister returned a non-chainlocked record" case still falls through to wait_for_chain_lock (correct — the tx exists, just hasn't chainlocked yet).

#3 — silent error downgrade. Split the helper:

• record_or_persister now returns Result<Option<TransactionRecord>, PersistenceError>.
• record_or_persister_or_log is the new poll-loop variant — same Option return, logs persister errors at warn (was debug) before downgrading to None.
• The two poll-loop sites (wait_for_chain_lock, wait_for_proof) use _or_log.
• The two fast-fail sites propagate Err as a distinct "Persister lookup for tx X failed" message.
• resolve_status_with_in_memory (the renamed one-shot recovery site) logs at error and degrades — preserves recovery's "always make some progress" semantics while making the failure visible.

#4 — lock held across persister I/O. Restructured recover_asset_lock_blocking into three phases: lock-held slot claim + in-memory snapshot, lock-released status resolution (including persister fallback), lock-held commit with a tracked_asset_locks.contains_key re-check for the race. Persister I/O no longer serializes other wallet-manager writers.

Tests updated: record_or_persister_propagates_backend_errors replaces the old "swallows" test; new record_or_persister_or_log_swallows_backend_errors_as_none covers the poll-loop variant. 121/121 pass. iOS xcframework builds end-to-end.

[QuantumExplorer]

Self Reviewed

[thepastaclaw]

Thanks — I re-checked the current head (372697d0) against the four review points.

• chore: synchronize packages dependency versions #1 confirmed stale: the current branch wires on_get_core_tx_record_fn / free callback through the FFI vtable and Swift handler, and reconstructs a real consensus-decoded transaction record for the fallback.
• feat: enable mainnet for dashmate #2 looks fixed: upgrade_to_chain_lock_proof now fast-fails when both in-memory and persister lookup miss, while still waiting when the tx exists but is not chainlocked yet.
• docs: improved sidebar and usage in DAPI client #3 looks fixed: the one-shot paths surface/log persister errors, while only the poll-loop helper downgrades a transient backend error for that tick.
• chore: update webpack to version 5 in DPP #4 looks fixed: recover_asset_lock_blocking snapshots under the lock, resolves status without holding the wallet-manager write lock, then re-checks before commit.

I also ran cargo test -p platform-wallet --lib (121/121 pass) and cargo clippy -p platform-wallet --all-targets (passes). Tiny cleanup note: both commands still warn about an unused ManagedWalletInfo import in recovery.rs, but that’s not related to the original review points.