feat: seed Orchard shielded pool at genesis with fast, observable sync

[shumkov]

Issue being fixed or feature implemented

Continues the work from #3714 / #3769: make it possible to exercise wallet shielded-note sync at scale (≈1,000,000 notes) on a local devnet, and make that sync both fast and observable.

When drive-abci is built with --cfg create_sdk_test_data, the Orchard shielded pool is pre-populated at genesis with ≈1,000,000 notes (a handful owned across two deterministic ZIP-32 test wallets). Standing that data up surfaced two further needs that this PR also addresses: cold sync of a million notes had to be made fast enough to iterate on, and the long-running sync needed real progress feedback in the wallet UI.

What was done?

Genesis seeding of the shielded pool (drive-abci, dashmate, Dockerfile, scripts/)

• InitChain pre-populates the Orchard pool under create_sdk_test_data. Filler notes (random-valid cmx + opaque ciphertext) plus a few real owned notes encrypted to fixed ZIP-32 test wallets, all driven by a single seeded RNG for byte-identical re-runs.
• Bulk-seed path rewritten onto GroveDB append_many_raw with a single end-of-bake commit_mmr, batched for fast bake at N=1M.
• Pre-baked snapshot: a snapshot-bake CLI dumps the seeded shielded subtree to a file at image-build time; InitChain applies it via the DRIVE_SHIELDED_SNAPSHOT env var (fast genesis), with a runtime fallback to live seeding when the snapshot is absent.
• Allow create_sdk_test_data on Devnet, not just Regtest.
• dashmate gains a generic buildArgs map on the docker-build schema (with a config migration to backfill it); setup_local_network.sh sets SDK_TEST_DATA=true and CARGO_BUILD_PROFILE=release; env generation forwards build args into compose.

Faster note sync (platform-wallet, rs-sdk)

• Multi-chunk fetch (max_query_chunks, v1 = 4) — up to ~8192 notes per request, ~122 requests for 1M notes.
• WAL + synchronous=NORMAL + temp_store=MEMORY PRAGMAs on the file-backed commitment-tree store, removing the per-cmx fsync bottleneck.
• Pull-based streaming sync that interleaves SDK network fetch with wallet tree-append, fetching up to max_concurrent = 16 chunks concurrently across the network's nodes.

Observable sync — dual progress bars (platform-wallet, platform-wallet-ffi, rs-sdk, swift-sdk)

• Two distinct progress signals: downloaded (per-chunk network progress) and checked (cumulative leaves committed to the local Pallas/Orchard tree), each reported against the on-chain total as denominator.
• The on-chain total note count is extracted "for free" from the note-fetch proof itself (the CommitmentTree parent element is already in the proof), so no extra round-trip is needed for the progress denominator.
• New FFI EventHandlerCallbacks slots plumb both signals to the host; the Swift example app renders a dual ProgressView and preserves cold-sync timing (elapsed / last / longest).

Devnet wiring (swift-sdk, rs-sdk-ffi)

• Overridable DAPI + quorum URLs and devnet support so the wallet can target a local seeded devnet, with DAPI fan-out auto-discovery.

Correctness fixes (platform-wallet)

• "Clear" now performs a true cold reset: it empties the shared commitment tree (not just per-subwallet state), so a post-clear resync rebuilds from position 0 instead of gate-skipping into a still-full tree.
• clear() is now fallible and all-or-nothing: it resets the store first and returns early on failure, only dropping the in-memory account/persister registries once both store resets succeed — so a failed clear can't silently turn future syncs into no-ops while the host keeps its state. The failure propagates through the FFI so the host doesn't wipe its own state on a Rust-side error.

Proof verification (drive, rs-drive-proof-verifier)

• verify_shielded_encrypted_notes returns the on-chain total_count extracted from the same proof, with an explicit root-hash equality check between the note sub-proof and the count sub-proof.

How Has This Been Tested?

• drive-abci shielded genesis tests: cargo test -p drive-abci --lib create_genesis_state::test::shielded (with --cfg create_sdk_test_data) — wallet derivation, note generator, determinism, per-wallet decrypt, cross-wallet privacy, aggregate balance, and Drive integration.
• drive proof-verifier tests: cargo test -p drive --lib verify::shielded::verify_shielded_encrypted_notes — total_count extraction across full and subset verification modes.
• platform-wallet coordinator clear() tests: success path (tree emptied + registries dropped) and the failure-path regression guard (forced store-reset failure leaves registries populated and returns Err).
• dashmate config schema-walker unit tests.
• cargo fmt --all and cargo clippy clean across the touched crates.
• On device: a cold sync of ≈1,000,000 notes against an SDK_TEST_DATA-seeded devnet recovers the expected per-wallet balances, with the dual progress bars climbing coherently (Checked ≤ Downloaded ≤ total) and "Clear" triggering a true cold rebuild from 0.
• Live-network/at-scale runs ship as examples/ binaries and --ignored tests under the shielded feature rather than in the default CI path.

Breaking Changes

No consensus-breaking changes. Some non-consensus SDK/FFI surface changed (the note-fetch result now carries total_count; new shielded progress callbacks on EventHandlerCallbacks; coordinator.clear() is now fallible). These are pre-release internal/host-facing API changes and do not warrant a ! per the repo's breaking-change convention.

Checklist:

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have added or updated relevant unit/integration/functional/e2e tests
• I have added "!" to the title and described breaking changes in the corresponding section if my code contains any
• I have made corresponding changes to the documentation if needed

For repository code-owners and collaborators only

• I have assigned this pull request to a milestone

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Pre-baked shielded-pool snapshots with a bake CLI for fast genesis and runtime auto-detection/fallback when absent.
  • Streaming shielded-note sync with per-chunk progress, preserved on-chain total-count, and progress callbacks for hosts.
  • Host-visible shielded sync progress/state and timing exposed to UI (live scanned/committed counts, elapsed, last/longest run).

• Documentation

  • Detailed genesis snapshot design and shielded-seeder performance guides.

• Chores

  • Docker build-arg and local devnet build guidance for enabling SDK test data and build-profile control.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds an offline shielded-pool snapshot bake/apply pipeline, Docker/dashmate build-arg plumbing, streaming SDK shielded sync with progress events, proof total_count extraction, wallet event/FFI progress plumbing, store reset and tuned SQLite open, SwiftUI timing/progress UI, docs, examples, and benchmarks.

Changes

Shielded Genesis Snapshot & Progress Tracking

Layer / File(s)

Summary

End-to-end snapshot, streaming sync, and progress plumbing Dockerfile, packages/rs-drive-abci/src/shielded_snapshot/*, packages/rs-drive-abci/src/main.rs, packages/rs-drive-abci/Cargo.toml, packages/rs-drive-abci/src/execution/platform_events/initialization/create_genesis_state/test/shielded.rs, packages/rs-drive-abci/src/execution/platform_events/initialization/create_genesis_state/test/mod.rs, docs/genesis-snapshot-design.md, docs/shielded-seeder-performance.md, packages/dashmate/*, packages/dashmate/src/*, scripts/setup_local_network.sh, packages/rs-sdk/src/platform/shielded/notes_sync/*, packages/rs-sdk/src/platform/shielded/*, packages/rs-drive/src/verify/shielded/*, packages/rs-drive-proof-verifier/src/*, packages/rs-platform-wallet/src/wallet/shielded/*, packages/rs-platform-wallet/src/manager/*, packages/rs-platform-wallet-ffi/src/*, packages/swift-sdk/*, packages/wasm-sdk/src/queries/shielded.rs, packages/rs-platform-wallet/examples/*, tests/benches/*

Implements snapshot dump/apply and SnapshotBake CLI; adds Dockerfile bake stage and compose overrides; forwards dashmate buildArgs into compose builds; adds streaming shielded sync (reorder buffer, stream driver, fetch_chunk returns total_count), progress callback plumbing across SDK → coordinator → PlatformEventManager → FFI → Swift, proof verifier and Drive changes to extract/return on-chain total_count, rs-drive-abci snapshot module (dump/apply, header/checksum/ingest/verify), deterministic shielded seeding and tests, tuned SQLite open and reset_commitment_tree, benchmarks/examples, and documentation/migrations.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related issues

• Pre-populate the shielded pool with large N (e.g. 1M notes) at devnet genesis for sync/scale testing #3714: implements the offline genesis seeding workflow (dump/apply and bake) described in the issue.

Suggested labels

ready for final review

Suggested reviewers

• QuantumExplorer
• thepastaclaw

Poem

🐰 In docker kitchens snapshots bake,
SSTs and checksums never break.
Streams report each scanned delight,
Swift timers glow through day and night.
Hops of joy — the seed takes flight.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch test/sheilded_test_data

[coderabbitai]

🧹 Nitpick comments (1)

packages/rs-platform-wallet/src/wallet/shielded/coordinator.rs (1)

880-905: 💤 Low value

Platform-specific test behavior.

This test relies on Unix file handle semantics: remove_dir_all unlinks the directory but the already-open SQLite handle continues working on the orphaned inode. When reset_commitment_tree tries to reopen the path, it fails because the path no longer exists.

On Windows, remove_dir_all would likely fail while files are open, causing this test to behave differently or fail.

Consider adding a brief comment noting this is Unix-specific, or gating the test with #[cfg(unix)] if Windows CI is expected.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/rs-platform-wallet/src/wallet/shielded/coordinator.rs` around lines
880 - 905, The test clear_failure_preserves_registries relies on Unix-specific
semantics where removing the directory (std::fs::remove_dir_all) unlinks the
path while an open SQLite handle keeps working, causing reset_commitment_tree's
subsequent Connection::open(path) to fail; update the test by either adding a
clear comment stating it's Unix-specific and why, or gate the test with
#[cfg(unix)] (or an appropriate platform check) so Windows CI doesn't run it,
referencing the test name clear_failure_preserves_registries, the use of
std::fs::remove_dir_all, reset_commitment_tree and coordinator.clear() so the
change is applied in the correct place.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@packages/rs-platform-wallet/src/wallet/shielded/coordinator.rs`:
- Around line 880-905: The test clear_failure_preserves_registries relies on
Unix-specific semantics where removing the directory (std::fs::remove_dir_all)
unlinks the path while an open SQLite handle keeps working, causing
reset_commitment_tree's subsequent Connection::open(path) to fail; update the
test by either adding a clear comment stating it's Unix-specific and why, or
gate the test with #[cfg(unix)] (or an appropriate platform check) so Windows CI
doesn't run it, referencing the test name clear_failure_preserves_registries,
the use of std::fs::remove_dir_all, reset_commitment_tree and
coordinator.clear() so the change is applied in the correct place.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 59abb91d-622e-42f6-8ddd-08d20f32c922

📥 Commits

Reviewing files that changed from the base of the PR and between f9f5f42 and ef371a9.

📒 Files selected for processing (1)

• packages/rs-platform-wallet/src/wallet/shielded/coordinator.rs

[thepastaclaw]

Code Review

Latest delta (ef371a9..3fdc1b5) is a single test-gating change (#[cfg(unix)] + explanatory comment) on the shielded coordinator's clear-failure test — no production code touched. Carried-forward prior findings: none (the ef371a9 review had none, and the test-gate delta cannot resurrect anything). Cumulative re-review surfaced two would-be blocking findings from codex agents, but both fail verification: (1) the EventHandlerCallbacks ABI-growth concern is explicitly documented as an accepted in-tree-only limitation (event_handler.rs:18-35, committed in f9f5f42); (2) the clear() 'data loss' narrative misreads the doc — 'in-memory state' refers to accounts/persisters, and the best-effort cleanup with retry-on-error is the documented design, with the subwallet BTreeMap being volatile working state rather than authoritative persistence. Prior findings status: none to reconcile (STILL VALID/FIXED/OUTDATED/DEFERRED N/A).

[thepastaclaw]

Code Review

Latest delta (3fdc1b5..0cfb3a5) is documentation-only cleanup. Cumulative re-review at head surfaces one valid user-visible regression flagged by codex-general in the dual-progress reporting: on resumed/multi-subwallet syncs the new tree-progress ('checked') counter can begin ahead of the SDK's 'downloaded' counter because their baselines diverge (pre-stream tree_size vs aligned_start), contradicting the PR's documented Checked ≤ Downloaded ≤ total invariant. No security, consensus, or FFI defects.

🔴 1 blocking

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/src/wallet/shielded/sync.rs`:
- [BLOCKING] packages/rs-platform-wallet/src/wallet/shielded/sync.rs:318-376: Resumed shielded sync reports `checked` ahead of `downloaded`, breaking the documented progress invariant
  `leaves_committed` is seeded with the pre-stream `tree_size` (sync.rs:323) and emitted as the 'checked' value via `on_tree_progress(leaves_committed, total_target)` on every batch (sync.rs:374-376). The SDK's 'downloaded' callback, by contrast, reports `state.start_index + state.cumulative_scanned` (sync_shielded_notes.rs:312-318), where `state.start_index == aligned_start` and `aligned_start = (min(watermarks) / CHUNK_SIZE) * CHUNK_SIZE` (sync.rs:221) — i.e. the rewound MIN across subwallets, not the current shared `tree_size`.

  Whenever `tree_size > aligned_start` — which is the normal case for a multi-subwallet bind (subwallet A is synced to tree_size, subwallet B binds with watermark 0, so aligned_start collapses to 0), or any resume where the shared tree has been advanced past this subwallet's chunk-aligned start by a prior pass — the very first emitted progress event has `checked = tree_size` while `downloaded = aligned_start + chunk` is much smaller. The gate `global_pos < tree_size` (sync.rs:355-357) keeps `leaves_committed` pinned at `tree_size` until the stream catches up, so the inequality `checked > downloaded` persists for most of the pass.

  This directly violates the `Checked ≤ Downloaded ≤ total` invariant the PR advertises and the comment at sync_shielded_notes.rs:313-314 ("so the 'Downloaded' bar shares the 'Checked' baseline") explicitly relies on, and will render the dual progress bars incoherently on every non-cold sync. Fix by aligning the two baselines — e.g. start `leaves_committed` at `aligned_start` (or the wallet's resume position) and only count delta appends, or have the SDK report `downloaded` from `tree_size` for the gate-skipped region.

[thepastaclaw]

Code Review

Cumulative incremental review. Prior blocking finding (Checked > Downloaded on resumed multi-subwallet syncs) is FIXED at af24380 — the host-visible downloaded value is now clamped up to the pre-stream tree_size baseline before crossing into the host callback, restoring Checked ≤ Downloaded. One new in-scope suggestion in the latest delta: the Downloaded ≤ total half of the same advertised invariant can still be violated transiently because total_target is seeded at 0 and grown from batch.total_count.max(), while the numerators are floored at tree_size; a first batch proven by a lagging node with total_count < tree_size will read downloaded > total until a fresher chunk arrives. No new blockers; no new FFI, security, or consensus issues.

🟡 1 suggestion(s)

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/src/wallet/shielded/sync.rs`:
- [SUGGESTION] packages/rs-platform-wallet/src/wallet/shielded/sync.rs:237-240: Seed `total_target` from `tree_size` so the denominator can't fall below the floored numerators on resumed syncs
  The clamp added at sync.rs:276-280 fixes `Checked ≤ Downloaded`, but the `Downloaded ≤ total` half of the advertised invariant can still be violated on a resume. `total_target` starts at 0 here and is updated via `total_target = total_target.max(batch.total_count)` at line 361. Meanwhile both numerators are now floored at `tree_size`: `leaves_committed` is initialized to `tree_size` (line 341) and the forwarded `downloaded` is `downloaded.max(tree_baseline)` where `tree_baseline = tree_size` (lines 277-279).

  The shielded note count is append-only, so a node that returns `batch.total_count < tree_size` is simply lagging behind the block height at which our prior sync committed `tree_size` leaves. Because the SDK explicitly allows different chunks to come back at different heights and only takes the max (sync_shielded_notes.rs:303-306), the first emitted callback in a resumed sync that races a slightly-behind node reports `checked = tree_size`, `downloaded = tree_size`, and `total = batch.total_count < tree_size` — both numerators briefly exceed the denominator until a fresher chunk arrives. Practical impact is a UI glitch (progress bar reads > 100%) rather than a correctness issue, but it directly contradicts the `Checked ≤ Downloaded ≤ total` contract the PR documents.

  Seeding `total_target` from `tree_size` is safe because the on-chain count is monotonic and can never legitimately be below what we've already committed locally.

[thepastaclaw]

Code Review

Incremental review against prior commit af24380. The single carried-forward prior finding (sync.rs:237-240 progress-denominator seeded from 0) is FIXED at head 2b312ab: total_target is now seeded from tree_size at sync.rs:247, with an expanded comment explaining the rationale, and is still raised via .max(batch.total_count) at sync.rs:368. The latest delta introduces no new in-scope findings; the only candidate (Codex FFI ptr::read on growing vtables) is a pre-existing structural FFI pattern unrelated to this PR's stated goal.

[thepastaclaw]

Code Review

Reconciled the prior no-issue review at 2b312ab against current head 57af181: there are no carried-forward prior findings. The latest delta (gating shielded snapshot tooling behind create_sdk_test_data) is a clean, scope-correct refactor with no defects. Cumulative review of the current head surfaces one in-scope FFI lifecycle suggestion — platform_wallet_manager_destroy does not stop the new shielded sync thread, relying on the in-tree Swift wrapper's deinit ordering for soundness — and one minor doc-consistency nitpick. The codex coordinator clear() finding does not hold up against the documented contract and the regression test that was added with it.

🟡 1 suggestion(s)

1 additional finding(s) omitted (not in diff).

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet-ffi/src/manager.rs`:
- [SUGGESTION] packages/rs-platform-wallet-ffi/src/manager.rs:351-358: platform_wallet_manager_destroy does not stop shielded sync / identity sync / event adapter
  `platform_wallet_manager_destroy` only calls `manager.platform_address_sync().stop()` and then drops the manager. The full lifecycle stop sequence lives in `PlatformWalletManager::shutdown` (manager/mod.rs:295), which also stops `identity_sync_manager`, `shielded_sync_manager`, and cancels/awaits the `event_adapter` task. The shielded sync background thread (added in this PR series) can therefore still be alive after destroy returns and can fire `on_shielded_sync_*` callbacks against an `EventHandlerCallbacks.context` pointer whose Swift owner has already been freed by a host that follows only the exported destroy contract. In practice the in-tree Swift wrapper mitigates this by stopping shielded sync in `PlatformWalletManager.deinit` before calling destroy, so the deployed consumer is safe — but the C ABI itself is unsound by convention. Calling `manager.shutdown().await` from destroy (block_on'd on the FFI runtime, mirroring the other entrypoints) closes the gap without changing the Swift call sequence.

[QuantumExplorer]

Re: the review-summary suggestion that platform_wallet_manager_destroy doesn't stop shielded/identity sync or the event-adapter task — addressed in b635ffe. destroy now runs the full idempotent PlatformWalletManager::shutdown() via runtime().block_on(manager.shutdown()) before dropping the manager, so no background task can outlive it and fire a callback against a freed EventHandlerCallbacks.context. The FFI runtime() is multi-threaded, so block_on awaiting the event-adapter join task can't deadlock. No Swift change — shutdown() is idempotent, so it composes with the existing deinit sequence.

(This finding had no inline thread since manager.rs wasn't in the diff at review time; noting the disposition here instead.)

[thepastaclaw]

Code Review

Cumulative incremental review of PR #3732 at head b635ffe vs prior review at 57af181. The only latest delta is the destroy-path change in packages/rs-platform-wallet-ffi/src/manager.rs that now calls runtime().block_on(manager.shutdown()) instead of stopping only platform-address sync. Prior finding classification: STILL VALID — the new call invokes the exact code the prior reviewer suggested, but PlatformWalletManager::shutdown() only calls cancel-only stop() on the three sync managers and joins just the event-adapter task. An in-flight identity-sync or shielded-sync pass that started before destroy() can keep running and fire persister callbacks (identity_sync.rs:581 calls self.persister.store() directly, bypassing the event adapter), so the same FFI use-after-free window the prior review called out is not actually closed. Codex's separate shielded coordinator clear() finding is a false positive (registries are preserved on failure per the documented contract). One carried-forward blocking finding; no new in-scope findings in the latest delta.

🔴 1 blocking

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet-ffi/src/manager.rs`:
- [BLOCKING] packages/rs-platform-wallet-ffi/src/manager.rs:351-366: [carried-forward, STILL VALID] manager_destroy still returns before in-flight sync passes have drained their FFI callbacks
  The new `runtime().block_on(manager.shutdown())` matches the prior review's suggested patch verbatim, but `PlatformWalletManager::shutdown()` (packages/rs-platform-wallet/src/manager/mod.rs:295-307) does not provide a real quiescence barrier for the sync managers. `PlatformAddressSyncManager::stop()` (platform_address_sync.rs:226-236), `IdentitySyncManager::stop()` (identity_sync.rs:431-441), and `ShieldedSyncManager::stop()` (shielded_sync.rs:278-295, which explicitly documents itself as 'Cancel-only: this requests cancellation and returns immediately. A pass already inside `sync_now` / `coordinator.sync()` keeps running to completion (including its persister-callback fan-out)') only cancel the loop's `CancellationToken` and return. `shutdown()` then awaits only `event_adapter_join`, not the sync-manager background-task handles, so a pass that was already inside `sync_now()` when `stop()` was called can finish after `shutdown()` returns. The platform-address summary callback at platform_address_sync.rs:282-283 goes through `event_manager`, which is at least drained via the event-adapter join, but identity sync calls `self.persister.store(sentinel, cs.into())` directly at identity_sync.rs:581 (and the shielded coordinator persister fan-out is likewise direct), bypassing the adapter. Per the Swift side (PlatformWalletManager.deinit calls `platform_wallet_manager_destroy(handle)` and then releases the `eventHandler`/`persistenceHandler` objects, which are passed to Rust via `Unmanaged.passUnretained(...).toOpaque()`), once `destroy` returns the host can free the persister context while an in-flight identity-sync or shielded-sync pass is still about to fire `persister.store(...)` through that pointer — exactly the use-after-free hazard the prior review flagged. To truly close the window, `shutdown()` needs to wait for in-flight passes to drain (use `ShieldedSyncManager::quiesce()` for shielded, and add equivalent quiesce/await-handle barriers for the address and identity sync managers) before returning.

[thepastaclaw]

Code Review

Cumulative incremental review of head 7b36f29. The latest delta is Swift-only: it replaces a boolean suppression flag with a monotonic generation counter snapshotted on the FFI thread, correctly closing the same-actor-turn restart race for the shielded completion event. However, the prior b635ffe blocking finding — manager_destroy returns before in-flight identity/shielded sync passes drain their FFI callbacks — remains STILL VALID: PlatformWalletManager::shutdown() still calls cancel-only stop() on all three sync managers instead of awaiting quiesce(), so identity_sync's direct persister.store(...) and shielded coordinator's persister fan-out can fire callbacks through Unmanaged.passUnretained Swift contexts after destroy returns and ARC releases them. One new minor finding in the latest delta: the two shielded progress callbacks do not snapshot the generation counter like the completion callback does, so a stale main-actor progress Task can repopulate the UI mirrors after stopShieldedSync/clearShielded reset them.

Reviewed commit: 7b36f29

_Note: Inline posting failed (command failed (1): python3 scripts/review_poster.py dashpay/platform 3732 7b36f29
STDOUT:

STDERR:
Traceback (most recent call last):
File "/Users/claw/.openclaw/workspace/scripts/review_poster.py", line 754, in
result = post_review(repo, pr_number, h), so I posted the same verified findings as a top-level review body._

🔴 1 blocking | 🟡 1 suggestion(s)

Verified findings

blocking: [carried-forward, STILL VALID] shutdown() is cancel-only — manager_destroy can return while in-flight sync passes still hold Swift-owned callback contexts

packages/rs-platform-wallet/src/manager/mod.rs (line 295)

Re-validation of the b635ffe prior blocking finding against current head 7b36f29: STILL VALID. The latest delta is Swift-only (a generation counter for the shielded completion event) and does not change the Rust shutdown contract.

Current code at packages/rs-platform-wallet/src/manager/mod.rs:295-307:

pub async fn shutdown(&self) {
    self.platform_address_sync_manager.stop();
    self.identity_sync_manager.stop();
    #[cfg(feature = "shielded")]
    self.shielded_sync_manager.stop();
    self.event_adapter_cancel.cancel();
    if let Some(handle) = self.event_adapter_join.lock().await.take() { ... }
}

All three stop() methods are explicitly cancel-only:

• PlatformAddressSyncManager::stop() (platform_address_sync.rs:227-236) — takes the cancel token and returns.
• IdentitySyncManager::stop() (identity_sync.rs:432-441) — takes the cancel token and returns.
• ShieldedSyncManager::stop() (shielded_sync.rs:278-295) — docstring explicitly says **Cancel-only**: this requests cancellation and returns immediately. A pass already inside sync_now / coordinator.sync() keeps running to completion (including its persister-callback fan-out).

shutdown() awaits only event_adapter_join; it never awaits any sync-manager JoinHandle and never spins on is_syncing. ShieldedSyncManager::quiesce() (shielded_sync.rs:314-321) — the real barrier — exists and is correctly used by platform_wallet_manager_shielded_sync_stop / _clear (rs-platform-wallet-ffi/src/shielded_sync.rs:86-95) and by clear_shielded (mod.rs:280-286), but is NOT used here. Identity sync and platform-address sync have no quiesce equivalent at all, even though IdentitySyncManager::sync_now calls self.persister.store(...) directly (identity_sync.rs:575-587), bypassing the wallet-event adapter that shutdown does drain.

platform_wallet_manager_destroy (packages/rs-platform-wallet-ffi/src/manager.rs:351-366) runs runtime().block_on(manager.shutdown()) and its own doc-comment claims 'no task may be left alive to fire a callback against freed memory' — but shutdown() does not enforce that for identity/shielded passes already past their cancel check.

Swift PlatformWalletManager.deinit (packages/swift-sdk/Sources/SwiftDashSDK/PlatformWallet/PlatformWalletManager.swift:151-157) calls platform_wallet_manager_destroy(handle) and then ARC releases the eventHandler / persistenceHandler objects whose pointers were passed across the FFI via Unmanaged.passUnretained(...).toOpaque() (e.g. PlatformWalletPersistenceHandler.swift:924-927, PlatformWalletManagerAddressSync.swift:40-50). Once destroy returns and ARC frees those Swift objects, an in-flight identity-sync or shielded-sync pass can dereference the now-dangling context: *mut c_void on its next persistence callback — a cross-language use-after-free at the FFI boundary, not just a stale-UI issue.

The new Swift generation gate does not address this: it only filters the @MainActor-side completion hop after the FFI callback has already executed. The unsafe access (Unmanaged.fromOpaque(context).takeUnretainedValue() and the identity-sync direct persister fan-out which never goes through the Swift event handler at all) happens earlier on the FFI thread, before any @mainactor task would run.

Fix shape: make shutdown() a real quiescence barrier. Add quiesce() to IdentitySyncManager and PlatformAddressSyncManager mirroring ShieldedSyncManager::quiesce (raise a quiescing gate, cancel, await is_syncing falling), then have shutdown() await quiesce() on all three before tearing down the event adapter. After that, manager_destroy returning genuinely means 'no Rust task will fire another callback through the host context pointer', which is the invariant the FFI's own comment block claims to provide.

suggestion: Shielded progress and tree-progress callbacks lack the generation guard the completion callback now has

packages/swift-sdk/Sources/SwiftDashSDK/PlatformWallet/PlatformWalletManagerShieldedSync.swift (line 653)

The latest delta added a monotonic generation snapshot to shieldedSyncCompletedCallback (line 646) so a trailing main-actor hop after stopShieldedSync / clearShielded is dropped. The two progress callbacks immediately below — shieldedSyncProgressCallback (656-672) and shieldedTreeProgressCallback (680-696) — still just do Task { @MainActor [weak manager] in manager?.handleShieldedSyncProgress(...) } with no generation snapshot and no guard.

Rust-side platform_wallet_manager_shielded_sync_stop correctly uses quiesce() (rs-platform-wallet-ffi/src/shielded_sync.rs:86-95), so when stopShieldedSync() returns, no further Rust-side dispatches will happen. But a progress callback that fired during the quiesce window enqueues a Task onto the main actor; that task can land AFTER stopShieldedSync() calls resetCurrentShieldedProgress() (line 247) or clearShielded() does the same (line 279), re-publishing stale currentShielded* values from the just-stopped pass and undoing the reset on the UI.

This is the same same-turn race the completion fix was written to address, just on a different surface. Apply the same pattern: snapshot handler.manager?.shieldedSyncGeneration.current() in the FFI trampoline before enqueueing, then have the @mainactor handler drop if the snapshot mismatches the current generation.

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

- [BLOCKING] In `packages/rs-platform-wallet/src/manager/mod.rs`:295-307: [carried-forward, STILL VALID] shutdown() is cancel-only — manager_destroy can return while in-flight sync passes still hold Swift-owned callback contexts
  Re-validation of the b635ffe8 prior blocking finding against current head 7b36f29bb0: STILL VALID. The latest delta is Swift-only (a generation counter for the shielded completion event) and does not change the Rust shutdown contract.

Current code at packages/rs-platform-wallet/src/manager/mod.rs:295-307:

```rust
pub async fn shutdown(&self) {
    self.platform_address_sync_manager.stop();
    self.identity_sync_manager.stop();
    #[cfg(feature = "shielded")]
    self.shielded_sync_manager.stop();
    self.event_adapter_cancel.cancel();
    if let Some(handle) = self.event_adapter_join.lock().await.take() { ... }
}

All three stop() methods are explicitly cancel-only:

• PlatformAddressSyncManager::stop() (platform_address_sync.rs:227-236) — takes the cancel token and returns.
• IdentitySyncManager::stop() (identity_sync.rs:432-441) — takes the cancel token and returns.
• ShieldedSyncManager::stop() (shielded_sync.rs:278-295) — docstring explicitly says **Cancel-only**: this requests cancellation and returns immediately. A pass already inside sync_now / coordinator.sync() keeps running to completion (including its persister-callback fan-out).

shutdown() awaits only event_adapter_join; it never awaits any sync-manager JoinHandle and never spins on is_syncing. ShieldedSyncManager::quiesce() (shielded_sync.rs:314-321) — the real barrier — exists and is correctly used by platform_wallet_manager_shielded_sync_stop / _clear (rs-platform-wallet-ffi/src/shielded_sync.rs:86-95) and by clear_shielded (mod.rs:280-286), but is NOT used here. Identity sync and platform-address sync have no quiesce equivalent at all, even though IdentitySyncManager::sync_now calls self.persister.store(...) directly (identity_sync.rs:575-587), bypassing the wallet-event adapter that shutdown does drain.

platform_wallet_manager_destroy (packages/rs-platform-wallet-ffi/src/manager.rs:351-366) runs runtime().block_on(manager.shutdown()) and its own doc-comment claims 'no task may be left alive to fire a callback against freed memory' — but shutdown() does not enforce that for identity/shielded passes already past their cancel check.

Swift PlatformWalletManager.deinit (packages/swift-sdk/Sources/SwiftDashSDK/PlatformWallet/PlatformWalletManager.swift:151-157) calls platform_wallet_manager_destroy(handle) and then ARC releases the eventHandler / persistenceHandler objects whose pointers were passed across the FFI via Unmanaged.passUnretained(...).toOpaque() (e.g. PlatformWalletPersistenceHandler.swift:924-927, PlatformWalletManagerAddressSync.swift:40-50). Once destroy returns and ARC frees those Swift objects, an in-flight identity-sync or shielded-sync pass can dereference the now-dangling context: *mut c_void on its next persistence callback — a cross-language use-after-free at the FFI boundary, not just a stale-UI issue.

The new Swift generation gate does not address this: it only filters the @MainActor-side completion hop after the FFI callback has already executed. The unsafe access (Unmanaged.fromOpaque(context).takeUnretainedValue() and the identity-sync direct persister fan-out which never goes through the Swift event handler at all) happens earlier on the FFI thread, before any @mainactor task would run.

Fix shape: make shutdown() a real quiescence barrier. Add quiesce() to IdentitySyncManager and PlatformAddressSyncManager mirroring ShieldedSyncManager::quiesce (raise a quiescing gate, cancel, await is_syncing falling), then have shutdown() await quiesce() on all three before tearing down the event adapter. After that, manager_destroy returning genuinely means 'no Rust task will fire another callback through the host context pointer', which is the invariant the FFI's own comment block claims to provide.

• [SUGGESTION] In packages/swift-sdk/Sources/SwiftDashSDK/PlatformWallet/PlatformWalletManagerShieldedSync.swift:653-697: Shielded progress and tree-progress callbacks lack the generation guard the completion callback now has
  The latest delta added a monotonic generation snapshot to shieldedSyncCompletedCallback (line 646) so a trailing main-actor hop after stopShieldedSync / clearShielded is dropped. The two progress callbacks immediately below — shieldedSyncProgressCallback (656-672) and shieldedTreeProgressCallback (680-696) — still just do Task { @MainActor [weak manager] in manager?.handleShieldedSyncProgress(...) } with no generation snapshot and no guard.

Rust-side platform_wallet_manager_shielded_sync_stop correctly uses quiesce() (rs-platform-wallet-ffi/src/shielded_sync.rs:86-95), so when stopShieldedSync() returns, no further Rust-side dispatches will happen. But a progress callback that fired during the quiesce window enqueues a Task onto the main actor; that task can land AFTER stopShieldedSync() calls resetCurrentShieldedProgress() (line 247) or clearShielded() does the same (line 279), re-publishing stale currentShielded* values from the just-stopped pass and undoing the reset on the UI.

This is the same same-turn race the completion fix was written to address, just on a different surface. Apply the same pattern: snapshot handler.manager?.shieldedSyncGeneration.current() in the FFI trampoline before enqueueing, then have the @mainactor handler drop if the snapshot mismatches the current generation.

</details>

[QuantumExplorer]

Re the review of 7b36f29 (both findings landed in the review body since inline posting failed — noting disposition here):

Blocking — shutdown() cancel-only: already fixed in 0cfe6c85, which post-dates the reviewed head 7b36f29b. shutdown() now quiesce().awaits all three sync managers (added a quiescing gate + quiesce() to IdentitySyncManager and PlatformAddressSyncManager mirroring ShieldedSyncManager::quiesce) before cancelling+joining the event adapter — exactly the "Fix shape" suggested. I also moved PlatformAddressSyncManager's is_syncing.store(false) to after its completion dispatch so the drain covers the host callback. So manager_destroy returning now genuinely means no Rust task will fire another callback through a host context pointer. (5 tests added there.)

Suggestion — progress callbacks lack the generation guard: fixed in be33d4128f. shieldedSyncProgressCallback / shieldedTreeProgressCallback now snapshot shieldedSyncGeneration on the FFI thread before enqueueing, and handleShieldedSyncProgress / handleShieldedTreeProgress guard on it, so a stale progress hop after stop/clear can't re-publish phantom currentShielded* over the reset mirrors. 4 tests added.

[thepastaclaw]

Code Review

The most recent commit (0cfe6c8) cleanly fixes the prior blocking FFI use-after-free on shutdown by adding quiesce() barriers to IdentitySyncManager and PlatformAddressSyncManager and wiring them into PlatformWalletManager::shutdown ahead of the event-adapter join. Two in-scope suggestions remain: the two shielded progress trampolines on the Swift side still lack the generation snapshot that this PR's earlier commit added to the completion trampoline (asymmetry introduced by this PR), and the new shielded-snapshot header is not injective over the parent leaf's flags. No in-scope blocking issues.

🟡 2 suggestion(s)

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/swift-sdk/Sources/SwiftDashSDK/PlatformWallet/PlatformWalletManagerShieldedSync.swift`:
- [SUGGESTION] packages/swift-sdk/Sources/SwiftDashSDK/PlatformWallet/PlatformWalletManagerShieldedSync.swift:656-697: Shielded progress callbacks lack the generation guard the completion callback now has
  `shieldedSyncCompletedCallback` (line 638-650) snapshots `handler.manager?.shieldedSyncGeneration.current()` on the FFI thread before the @MainActor hop, and the @MainActor handler drops the event if the snapshot no longer matches — the same-actor-turn restart fix added by commit 7b36f29bb0. The two sibling trampolines `shieldedSyncProgressCallback` (656-672) and `shieldedTreeProgressCallback` (680-696) still do a bare `Task { @MainActor [weak manager] in manager?.handleShieldedSync...(...) }` with no generation snapshot, and `handleShieldedSyncProgress` / `handleShieldedTreeProgress` write to `currentShielded*` mirrors with no generation check either.

  The new Rust-side `ShieldedSyncManager::quiesce()` drains in-flight passes before `platform_wallet_manager_shielded_sync_stop` / `_clear` return, so this is no longer an FFI UAF — but a progress callback that fired and enqueued its main-actor Task before quiesce observed `is_syncing == false` can still land after `resetCurrentShieldedProgress()` runs (around lines 247 / 279), republishing stale `currentShielded*` values from the just-stopped pass and undoing the UI reset. This is the same boundary-crossing race the completion fix was written to address, on a different surface.

  Apply the same snapshot+guard pattern symmetrically: take `handler.manager?.shieldedSyncGeneration.current()` on the FFI thread before enqueueing the Task, pass it through to the @MainActor handler, and drop when the snapshot mismatches the current generation.

In `packages/rs-drive-abci/src/shielded_snapshot/mod.rs`:
- [SUGGESTION] packages/rs-drive-abci/src/shielded_snapshot/mod.rs:375-385: Snapshot header flags_byte is not injective over parent-leaf flags
  On dump (lines 375-385) the encoding maps `None`, `Some(vec![])`, and `Some(vec![0])` all to `flags_byte = 0`; on apply (lines 534-538) `0` decodes back to `None`. That loses information from the parent `Element::CommitmentTree` leaf's `Option<Vec<u8>>` flags during serialization, so `apply_shielded_snapshot()` cannot always reconstruct the original parent leaf bytes. If the source tree ever carries a one-byte zero flags vector or an empty flags vector, the snapshot-applied genesis will write a different parent leaf than the live-seeded tree, changing the parent Merk serialization even though the subtree checksum and `combined_root` cross-validation still pass — `combined_root` covers the rebuilt CommitmentTree, not the parent-leaf flags bytes.

  Impact in practice is bounded because (a) this tooling is now gated behind `create_sdk_test_data` and (b) the parent leaf's flags are realistically `None` or a single non-zero byte today, but the snapshot's stated contract is a faithful round-trip of the seeded pool. An explicit presence/length discriminator (e.g. a separate `flags_present: u8` plus the byte, or sentinel-encoded as `0xFF` for `None`) avoids overloading `0`. The existing `Inconsistent` error on `flags.len() > 1` already shows the format is intentionally narrow; this fix tightens the same narrow path without widening it.

[thepastaclaw]

Code Review

Incremental review at be33d41. The only delta vs 0cfe6c8 is Swift-only: both shielded progress trampolines (shieldedSyncProgressCallback, shieldedTreeProgressCallback) now snapshot shieldedSyncGeneration.current() on the FFI thread before the @mainactor hop and the handlers gate on the snapshot, mirroring the completion-trampoline pattern. Four new XCTest cases cover stale-drop and current-publish on both surfaces. The prior progress-callback finding is RESOLVED. One carried-forward suggestion on the shielded snapshot header's non-injective flags_byte encoding remains valid but is bounded to create_sdk_test_data-gated tooling. No new in-scope defects in the delta.

🟡 1 suggestion(s)

1 additional finding(s)

suggestion: Snapshot header `flags_byte` is not injective over parent-leaf flags

packages/rs-drive-abci/src/shielded_snapshot/mod.rs (line 375)

Verified at be33d41. The dump-side encoder at lines 375-385 collapses three distinct parent Element::CommitmentTree flag states — None, Some(vec![]), and Some(vec![0]) — all to flags_byte = 0. The apply-side decoder at lines 534-538 unconditionally maps 0 back to None, then feeds that into replace_commitment_tree_subtree_root at 540-554. The combined_root cross-check at line 523 only covers the rebuilt CommitmentTree subtree contents, not the parent-leaf flags bytes, so the existing validation does not catch a parent-Merk divergence introduced by this lossy round-trip.

Concrete impact: if a source pool ever carries Some(vec![]) or Some(vec![0]) for the parent leaf flags, a snapshot-booted devnet will write different parent-leaf bytes than a live-seeded one starting from the same subtree. That changes the parent Merk serialization (and therefore the platform state root) silently, despite every downstream cross-check passing. The blast radius is bounded today because (a) this tooling is gated behind cfg(create_sdk_test_data) and (b) the realistic parent-leaf flags today are None or a single non-zero byte — hence suggestion rather than blocking. But the snapshot's stated contract is a faithful round-trip of the seeded pool, and the existing Inconsistent error on flags.len() > 1 already shows the format is intentionally narrow.

A localized fix that preserves header width: bump FORMAT_VERSION and use a presence/length discriminator — e.g. sentinel-encode None as 0xFF (rejecting 0xFF as a valid flags byte), 0x00 for Some(vec![]), and 0x01..=0xFE (or a separate flags_present: u8 plus the byte) for Some([byte]). This eliminates the 0 overload before any code path can synthesize the lossy states for that leaf.

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

- [SUGGESTION] In `packages/rs-drive-abci/src/shielded_snapshot/mod.rs`:375-385: Snapshot header `flags_byte` is not injective over parent-leaf flags
  Verified at be33d412. The dump-side encoder at lines 375-385 collapses three distinct parent `Element::CommitmentTree` flag states — `None`, `Some(vec![])`, and `Some(vec![0])` — all to `flags_byte = 0`. The apply-side decoder at lines 534-538 unconditionally maps `0` back to `None`, then feeds that into `replace_commitment_tree_subtree_root` at 540-554. The `combined_root` cross-check at line 523 only covers the rebuilt CommitmentTree subtree contents, not the parent-leaf flags bytes, so the existing validation does not catch a parent-Merk divergence introduced by this lossy round-trip.

Concrete impact: if a source pool ever carries `Some(vec![])` or `Some(vec![0])` for the parent leaf flags, a snapshot-booted devnet will write different parent-leaf bytes than a live-seeded one starting from the same subtree. That changes the parent Merk serialization (and therefore the platform state root) silently, despite every downstream cross-check passing. The blast radius is bounded today because (a) this tooling is gated behind `cfg(create_sdk_test_data)` and (b) the realistic parent-leaf flags today are `None` or a single non-zero byte — hence suggestion rather than blocking. But the snapshot's stated contract is a faithful round-trip of the seeded pool, and the existing `Inconsistent` error on `flags.len() > 1` already shows the format is intentionally narrow.

A localized fix that preserves header width: bump `FORMAT_VERSION` and use a presence/length discriminator — e.g. sentinel-encode `None` as `0xFF` (rejecting `0xFF` as a valid flags byte), `0x00` for `Some(vec![])`, and `0x01..=0xFE` (or a separate `flags_present: u8` plus the byte) for `Some([byte])`. This eliminates the `0` overload before any code path can synthesize the lossy states for that leaf.

Top-level exact-SHA review posted because inline posting deduped the carried-forward open thread from the previous SHA; this records coverage for be33d41 without adding a duplicate inline thread.

[thepastaclaw]

Code Review

Cumulative incremental review at head b5db278. Prior be33d412 shielded_snapshot parent-leaf flags injectivity finding is FIXED: header now encodes Option<u8> as an injective [present, byte] pair, FORMAT_VERSION is bumped 1→2 (so v1 snapshots are rejected by FormatVersionMismatch rather than silently misread), ENCODED_LEN is 63, the dumper rejects empty/multi-byte parent-leaf flag vecs with ShieldedSnapshotError::Inconsistent, the decoder rejects invalid presence discriminators, and round-trip + bad-discriminator tests pin both paths. The latest delta is a single surgical commit; no new in-scope defects identified. Codex-general's dashmate buildArgs finding describes the documented intentional contract (the source comment at generateEnvsFactory.js:118-120 explicitly states drive-abci wins on collision because the namespace is shared by design), so it's dropped as not-a-defect. Codex-rust-quality's unwrap() finding is overstated as blocking: those calls live almost entirely in the offline dump_shielded_subtree bake CLI plus one InitChain site where startup panic is operationally equivalent to a typed error — preserved only as an internal follow-up.