Skip to content

fix: prevent channel monitor overwrite in migrations#74

Open
ovitrif wants to merge 8 commits intomainfrom
fix/channel-monitor-migration
Open

fix: prevent channel monitor overwrite in migrations#74
ovitrif wants to merge 8 commits intomainfrom
fix/channel-monitor-migration

Conversation

@ovitrif
Copy link
Collaborator

@ovitrif ovitrif commented Mar 9, 2026
edited
Loading

Summary

  • Fixed channel monitor migration from FS store to KV store overwriting newer state. During migration, the code now checks if the KV store already has a channel monitor with a newer update_id before writing, preventing stale data from overwriting current state on repeated migrations/restarts.
  • Migration read/deserialize errors now fail-closed (abort with ReadFailed) instead of fail-open, preventing silent data loss from transient I/O errors or format mismatches.
  • Rewrote AGENTS.md testing documentation with correct syntax and setup requirements.
  • Bumped version to 0.7.0-rc.33 and regenerated bindings.

Test plan

  • cargo fmt --check — clean
  • cargo build — builds successfully
  • Bindings regenerated (Swift/Kotlin/Python)
  • xcframework checksum verified in Package.swift

Release

🤖 Generated with Claude Code

ovitrif and others added 4 commits March 9, 2026 22:22
@ovitrif @claude
fix: prevent channel monitor migration from overwriting newer state
e48948f 
During FS→KV store migration, the code now compares update_id before
writing and skips if the KV store already has a newer monitor. This
prevents stale migration data from clobbering current channel state
on repeated restarts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ovitrif @claude
docs: rewrite testing section with correct syntax and setup requirements
7d2ed46 
Replace incomplete testing docs with comprehensive coverage of unit tests,
integration tests (with macOS ulimit note), and CLN/LND/VSS backend tests
using correct RUSTFLAGS syntax.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ovitrif @claude
chore: bump version to 0.7.0-rc.33
530f449 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ovitrif @claude
chore: regenerate bindings for v0.7.0-rc.33
fdab2be 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
claude[bot]
claude bot reviewed Mar 9, 2026
View reviewed changes
Copy link

@claude claude bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

Found 3 issues: 1 CLAUDE.md compliance issue and 2 logic issues with the fail-open error handling in the migration code.

@ovitrif ovitrif requested review from ben-kaufman and coreyphillips and removed request for ben-kaufman and coreyphillips March 10, 2026 18:31
ovitrif and others added 2 commits March 10, 2026 21:03
@ovitrif @claude
fix: fail-closed on migration read/deserialize errors
2df9b0a 
Address PR review: change channel monitor migration error handling from
fail-open (proceed with overwrite) to fail-closed (abort with ReadFailed)
for both deserialization errors and non-NotFound I/O errors. This prevents
silent data loss when the KV store has valid data that can't be read due
to transient errors or format changes.

Also moves CHANGELOG entry to Synonym Fork Additions per project convention.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ovitrif @claude
chore: regenerate bindings for v0.7.0-rc.33
e998973 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ovitrif ovitrif marked this pull request as draft March 10, 2026 22:01
@ovitrif ovitrif changed the title fix: prevent channel monitor migration from overwriting newer state fix: prevent channel monitor overwrite in migrations Mar 10, 2026
@ovitrif @claude
fix: regenerate android bindings with correct gobley v0.2.0
d96e813 
The previous bindgen run used gobley-uniffi-bindgen v0.3.7 (from gobley
main branch) instead of v0.2.0 (from fix-v0.2.0 branch), which added
explicit `public` visibility modifiers and return types throughout the
generated Kotlin code. Regenerated with the correct version.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ovitrif ovitrif marked this pull request as ready for review March 11, 2026 00:46
@ovitrif @claude
test: add unit tests for channel monitor migration logic
630b364 
Extract the channel data migration block from build_with_store_internal
into a standalone apply_channel_data_migration function, making it
generic over the keys manager type to enable direct unit testing.

Add 7 unit tests covering all code paths:
- Invalid monitor data returns ReadFailed
- Empty monitors list succeeds
- Fresh write to empty store
- Equal update_id (existing == migrated) still writes
- Existing data with same update_id gets overwritten
- Corrupt existing data triggers fail-closed (ReadFailed)
- Store IO error triggers fail-closed (ReadFailed)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ben-kaufman
Copy link

ben-kaufman commented Mar 11, 2026

Looks good, but needs to add some tests ideally.

@coreyphillips
Copy link
Collaborator

coreyphillips commented Mar 11, 2026
edited
Loading

One nit. Line 1666 uses > so when existing_update_id == migrated_update_id, we still write. Could use >= to skip the redundant write. Unless I'm missing something.

@ovitrif
Copy link
Collaborator Author

ovitrif commented Mar 11, 2026

Looks good, but needs to add some tests ideally.

Thx, added unit tests, does that suffice?!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] left review comments

@coreyphillips coreyphillips coreyphillips approved these changes

@ben-kaufman ben-kaufman Awaiting requested review from ben-kaufman

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ovitrif @ben-kaufman @coreyphillips