Avoid duplicate on-chain HTLC claims after replay

[joostjager]

Fixes #4572

[ldk-reviews-bot]

👋 I see @valentinewallace was un-assigned.
If you'd like another reviewer assignment, please click here.

[codecov]

Codecov Report

❌ Patch coverage is 99.08537% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.16%. Comparing base (42e198c) to head (37d6b77).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
lightning/src/chain/channelmonitor.rs	93.54%	2 Missing ⚠️
lightning/src/chain/onchaintx.rs	99.55%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4583      +/-   ##
==========================================
+ Coverage   87.15%   87.16%   +0.01%     
==========================================
  Files         161      161              
  Lines      109251   109512     +261     
  Branches   109251   109512     +261     
==========================================
+ Hits        95215    95459     +244     
- Misses      11560    11575      +15     
- Partials     2476     2478       +2     

Flag	Coverage Δ
fuzzing-fake-hashes	31.17% <55.29%> (+0.01%)	⬆️
fuzzing-real-hashes	22.92% <0.00%> (-0.01%)	⬇️
tests	86.23% <99.08%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ldk-claude-review-bot]

I've completed a thorough re-review of the entire PR diff, including deep analysis of:

1. ClaimId::from_htlcs sorting change: Verified that from_htlcs is only called for NEW claims (line 922 in generate_claim), never to recompute existing stored ClaimIds. Deserialized ClaimIds in pending_claim_requests and claimable_outpoints are used as raw bytes and never regenerated. No serialization compatibility issue.

2. is_htlc_output_spent_on_chain: Confirmed that commitment_tx_output_idx in htlcs_resolved_on_chain and htlc.transaction_output_index both refer to the commitment transaction output index. Since only one commitment transaction can confirm per funding output, indices are unambiguous.

3. Three-layer dedup in update_claims_view_from_requests: The ordering (is_outpoint_spend_waiting_threshold_conf → claimable_outpoints → locktimed_packages) is correct because ContentiousOutpoint events remove their outpoints from claimable_outpoints, so there's no overlap between checks 1 and 2.

4. contains_outpoint vs old exact match: The change from locked_package.outpoints() == req.outpoints() to locked_package.contains_outpoint(outpoint) is intentional — a single-outpoint ClaimRequest should be detected as already covered by a multi-outpoint aggregated timelocked package.

5. CSV delay window behavior: Verified that between ANTI_REORG_DELAY (OnchainTxHandler cleanup) and BREAKDOWN_TIMEOUT (ChannelMonitor HTLCSpendConfirmation threshold), replayed preimage claims intentionally create live conflicting claims (kept as retry state in case of reorg). After CSV delay passes, htlcs_resolved_on_chain provides final suppression. The test correctly covers this with a reload step to verify persisted state.

6. Integration test do_test_duplicate_delayed_holder_htlc_claims_after_claim_funds_replay: Verified provide_payment_preimage_unsafe_legacy exists and is an appropriate test API. The reload-then-replay pattern correctly verifies persisted resolution state.

No issues found.

[TheBlueMatt]

Does this break for reorgs where a counterparty's transaction gets unconfirmed? ie if we have a event awaiting confirmations for the counterparty claiming an outpoint, but then that gets reorg'd out and not replayed, do we still manage to broadcast our own claim (and RBF it)?

I assume that this case is only reachable if we receive a preimage after a counterparty's timeout claim is confirming?

[joostjager]

I think on a reorg the item in onchain_events_awaiting_threshold_conf is revived again? Basically the claim is passed around to different data structures, but never lost?

[TheBlueMatt]

So why exactly do we need the duplicate?

[joostjager]

It stems from OnchainTxHandler not persisting state

[TheBlueMatt]

Same issue as the previous commit - does this break broadcasting our conflicting claim on reorg?

[joostjager]

Hm, here indeed a claim is never submitted and also cannot be resurrected.

[joostjager]

Now only checking for deeply confirmed outpoints, but need to look at the consequences of that.