fix(dashmate): use active_dkgs for safe DKG stop #3941

Open
thepastaclaw wants to merge 2 commits into dashpay:v3.1-dev from thepastaclaw:fix-dashmate-safe-dkg-restart

@thepastaclaw thepastaclaw commented Jun 19, 2026

Collaborator

Issue being fixed or feature implemented

dashmate stop --safe / dashmate restart --safe used quorum dkginfo.next_dkg as the only DKG safety signal. next_dkg is a countdown until the next potential DKG cycle; it is not proof that this node is not currently participating in DKG.

When the countdown wraps at the start of a new cycle, next_dkg can become large again while the node is still in an active DKG session. In that case dashmate could treat the node as safe to stop during active DKG participation, risking a failed DKG and PoSe penalty.

What was done?

  • Added isMasternodeSafeToStopDuringDkg(...) as the shared safety predicate.
  • Kept the existing imminent-DKG guard based on next_dkg <= MIN_BLOCKS_BEFORE_DKG / 6 blocks.
  • When active_dkgs > 0, inspect quorum dkgstatus session data plus the current block height instead of treating the aggregate active_dkgs counter as permanently unsafe.
  • Compare each tracked session's llmqType and status.quorumHeight against Dash Core's dkgMiningWindowStart values, so stale sessions no longer block once their active DKG phase has passed.
  • Fail safe when active sessions exist but session data is unknown, malformed, empty, or from an unknown LLMQ type.
  • Updated both the immediate non---safe check and the --safe wait path to use the shared predicate.
  • Intentionally kept --safe fail-closed: it only proceeds when Core reports a safe state.
  • Added unit coverage for:
    • imminent DKG staying unsafe even when active_dkgs === 0;
    • active platform sessions blocking during their first 10 blocks;
    • platform sessions becoming safe at offset 10 even if active_dkgs is still non-zero;
    • longer non-platform DKG windows such as llmq_400_60 still blocking at offset 15;
    • unknown, malformed, or empty active session data failing safe;
    • waitForDKGWindowPass waiting through an active session and resolving once the session reaches the safe window.

How Has This Been Tested?

  • Direct behavioral validation with node --input-type=module against the changed dashmate modules:
    • verified imminent DKG remains unsafe even without active sessions;
    • verified no active sessions above the imminent threshold are safe;
    • verified active llmq_test_platform session offset 5 is unsafe;
    • verified llmq_test_platform session offset 10 is safe;
    • verified active llmq_400_60 session offset 15 is unsafe and offset 20 is safe;
    • verified unknown and empty active session data fail safe.
  • node --check on all changed source/test files.
  • git diff --check upstream/v3.1-dev..HEAD
  • Pre-PR code review gate: ship.

Formal Mocha/eslint commands were attempted but are currently blocked in this environment before repo code executes by Node 25 + Yarn PnP loader failure:

Error: EBADF: bad file descriptor, fstat
    at tryStatSync (node:fs:386:25)
    at readFileSync (node:fs:442:17)
    at getSourceSync (node:internal/modules/esm/load:37:14)
...
Node.js v25.9.0

Blocked commands:

yarn workspace dashmate test:unit packages/dashmate/test/unit/core/quorum/isMasternodeSafeToStopDuringDkg.spec.js packages/dashmate/test/unit/core/quorum/waitForDKGWindowPass.spec.js
yarn workspace dashmate lint

Breaking Changes

None.

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added or updated relevant unit/integration/functional/e2e tests
  • I have added "!" to the title and described breaking changes in the corresponding section if my code contains any
  • I have made corresponding changes to the documentation if needed

For repository code-owners and collaborators only

  • I have assigned this pull request to a milestone

Summary by CodeRabbit

  • New Features
    • Improved masternode stop safety during DKG by adding rule-based inspection of active DKG windows and blocking unsafe stops.
    • Updated the DKG window wait behavior to poll at regular intervals until the node is confirmed safe to stop, reducing false “deadline” failures.
  • Tests
    • Added unit tests covering safety validation, window-boundary behavior, and fail-safe handling for malformed or unknown DKG status data.
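
The safety rules listed in the description above, as an added JavaScript example (written for this page, not dashmate's code). The `session` field name on the dkgstatus payload is an assumption, the window table holds only the two LLMQ types the description names, and the sample heights and countdown values are constructed.

```javascript
// Added illustration of the rules in the PR description; not dashmate's code.
const MIN_BLOCKS_BEFORE_DKG = 6; // imminent-DKG threshold given in the description

// Window starts for the two LLMQ types the description names; all others count as unknown.
const WINDOW_START_BY_LLMQ_TYPE = new Map([
  ['llmq_test_platform', 10],
  ['llmq_400_60', 20],
]);

const isCount = (v) => typeof v === 'number' && Number.isFinite(v) && v >= 0;

// Behaviour the PR replaces: the countdown alone decides.
function legacyIsSafe(dkgInfo) {
  return dkgInfo.next_dkg > MIN_BLOCKS_BEFORE_DKG;
}

// Returns true only when every input proves the node is outside an active DKG window.
function isSafeToStop(dkgInfo, dkgStatus, currentHeight) {
  if (dkgInfo === null || typeof dkgInfo !== 'object') return false;
  const { active_dkgs: activeDkgs, next_dkg: nextDkg } = dkgInfo;
  if (!isCount(activeDkgs) || !isCount(nextDkg)) return false;

  if (nextDkg <= MIN_BLOCKS_BEFORE_DKG) return false; // imminent DKG always blocks
  if (activeDkgs === 0) return true;

  // active_dkgs > 0: the counter alone is not a verdict, so inspect each session.
  const sessions = dkgStatus?.session; // assumed field name
  if (!Array.isArray(sessions) || sessions.length === 0) return false;
  if (!isCount(currentHeight)) return false;

  return sessions.every((s) => {
    const windowStart = WINDOW_START_BY_LLMQ_TYPE.get(s?.llmqType);
    const quorumHeight = s?.status?.quorumHeight;
    if (windowStart === undefined || !isCount(quorumHeight)) return false;
    // Written as a positive proof so NaN or a negative offset can never pass.
    return currentHeight - quorumHeight >= windowStart;
  });
}

// Runs both predicates over polled samples so the countdown-wrap gap is visible.
function replay(samples) {
  return samples.map(({ height, dkgInfo, dkgStatus }) => ({
    height,
    legacy: legacyIsSafe(dkgInfo),
    fixed: isSafeToStop(dkgInfo, dkgStatus, height),
  }));
}

// Constructed samples: one platform session that began at height 1000.
const platformSession = {
  session: [{ llmqType: 'llmq_test_platform', status: { quorumHeight: 1000 } }],
};
const SAMPLES = [
  { height: 998, dkgInfo: { active_dkgs: 0, next_dkg: 2 }, dkgStatus: { session: [] } },
  // Countdown has wrapped to a large value while the session is still active.
  { height: 1005, dkgInfo: { active_dkgs: 1, next_dkg: 19 }, dkgStatus: platformSession },
  // Same session, now at offset 10: safe even though active_dkgs is still non-zero.
  { height: 1010, dkgInfo: { active_dkgs: 1, next_dkg: 14 }, dkgStatus: platformSession },
];

console.table(replay(SAMPLES));
```

The middle sample is the regression: the countdown-only check reports safe at offset 5, while the session-aware predicate keeps blocking until offset 10.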

coderabbitai Bot commented Jun 19, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 2ba3c83 and a14c214.

📒 Files selected for processing (2)
  • packages/dashmate/src/core/quorum/isMasternodeSafeToStopDuringDkg.js
  • packages/dashmate/test/unit/core/quorum/isMasternodeSafeToStopDuringDkg.spec.js
🚧 Files skipped from review as they are similar to previous changes (2)
  • packages/dashmate/test/unit/core/quorum/isMasternodeSafeToStopDuringDkg.spec.js
  • packages/dashmate/src/core/quorum/isMasternodeSafeToStopDuringDkg.js

Walkthrough

A new isMasternodeSafeToStopDuringDkg module is introduced with a per-llmqType mining window constant table, a gate function to determine when deep inspection is needed, and a fail-safe decision function that blocks node stops during active DKG sessions or when the next DKG is imminent. waitForDKGWindowPass is rewritten as an infinite poll loop that conditionally fetches RPC data and uses the new decision logic. stopNodeTaskFactory is updated to import and apply these helpers. Unit tests cover all new behaviors with boundary cases and fail-safe scenarios.

Changes

DKG Safe-Stop Safety Logic Rewrite

Layer / File(s), with summary:

  • Safety module: constants, validation helpers, and gate function (packages/dashmate/src/core/quorum/isMasternodeSafeToStopDuringDkg.js)
    Introduces DKG_MINING_WINDOW_START_BY_LLMQ_TYPE mapping each llmqType to its mining window start offset in blocks, internal validation helpers for dkgInfo shape, and shouldInspectDkgStatusForSafeStop gate that returns true only when active DKG sessions exist and the next DKG is not immediately pending.
  • Safety module: core decision logic and documentation (packages/dashmate/src/core/quorum/isMasternodeSafeToStopDuringDkg.js)
    Implements default export isMasternodeSafeToStopDuringDkg with detailed JSDoc describing the fail-safe rule set and expected RPC shapes. Returns false when next_dkg is too close, true when no active sessions exist, and otherwise iterates each session to verify the currentHeight offset from quorumHeight exceeds the llmqType window length, returning true only when all sessions are past their active windows.
  • Poller rewrite: imports, documentation, and infinite poll loop (packages/dashmate/src/core/quorum/waitForDKGWindowPass.js)
    Replaces deadline-based do...while logic with an infinite for(;;) loop that fetches dkginfo on each iteration, conditionally fetches dkgstatus and block height when shouldInspectDkgStatusForSafeStop indicates need, and exits only when isMasternodeSafeToStopDuringDkg returns true, sleeping 10 seconds between iterations.
  • Task factory integration: imports and DKG inspection task (packages/dashmate/src/listr/tasks/stopNodeTaskFactory.js)
    Updates imports to include the new safety helpers and replaces the inline next_dkg check with conditional inspection using shouldInspectDkgStatusForSafeStop, parallel RPC calls, and isMasternodeSafeToStopDuringDkg for safety determination.
  • Unit tests for safety decision module (packages/dashmate/test/unit/core/quorum/isMasternodeSafeToStopDuringDkg.spec.js)
    Tests cover imminent-DKG gating, per-llmqType window boundary cases (offset 0, last block of window, window-closed), fail-safe blocking on malformed dkgInfo, and fail-safe behavior when RPC fields are missing or invalid while active sessions exist. Includes window constant table sanity checks.
  • Unit tests for polling function (packages/dashmate/test/unit/core/quorum/waitForDKGWindowPass.spec.js)
    Tests validate immediate resolution when no active sessions and next_dkg is not imminent, multi-poll wait-then-resolve as block heights progress past session windows, continued polling when next_dkg is imminent despite no active sessions, and fail-safe continued waiting when dkgstatus contains unknown llmqType. Uses fake timers and RPC stub assertions.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • QuantumExplorer
  • shumkov

Poem

🐇 Hop hop, the DKG windows align,
No more deadlines, just a polling design!
Each session is checked with a fail-safe flair,
next_dkg too close? I'm staying right there.
When all windows close, I'll stop with no dread —
A safe little bunny who checks before bed. 🌙

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title 'fix(dashmate): use active_dkgs for safe DKG stop' clearly summarizes the main change: introducing use of active_dkgs counter for determining if it's safe to stop a masternode during DKG operations, directly addressing the core safety issue described in the PR objectives. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration.



@coderabbitai

This comment was marked as duplicate.

@thepastaclaw thepastaclaw marked this pull request as ready for review June 19, 2026 20:05
thepastaclaw commented Jun 19, 2026

Collaborator Author

✅ Review complete (commit a14c214)

@thepastaclaw thepastaclaw left a comment

Collaborator Author

Code Review

Centralizes the DKG safe-stop predicate into a shared isMasternodeSafeToStopDuringDkg helper that requires both active_dkgs === 0 and next_dkg > MIN_BLOCKS_BEFORE_DKG, fixing the prior bug where a wrapped next_dkg countdown was read as safe while the node was still mid-session. The --safe wait loop adopts the same predicate and gains both a block-height deadline and a no-progress wall-clock backstop. No in-scope defects identified; all agent findings are pre-existing fragilities or speculative tuning notes outside this PR's scope.

@thepastaclaw thepastaclaw force-pushed the fix-dashmate-safe-dkg-restart branch from e73077b to a9cf279 Compare June 19, 2026 20:23

@thepastaclaw thepastaclaw left a comment

Collaborator Author

Code Review

Current-head review for a9cf279c9c after scope reduction.

The PR now stays focused on the active-DKG regression: both the immediate stop check and the --safe wait loop use the same predicate, active_dkgs === 0 && next_dkg > MIN_BLOCKS_BEFORE_DKG. This preserves the imminent-DKG guard while preventing the countdown-wrap case (next_dkg back to a large value while active_dkgs > 0) from unblocking a safe stop.

The previous wall-clock/no-progress exit hatch has been removed from the diff and from the PR body.

Review result: no significant issues found.

Validation reviewed:

  • node --check on the changed files
  • direct helper smoke checks for safe/unsafe combinations
  • git diff --check upstream/v3.1-dev..HEAD
  • formal dashmate unit command still blocked locally by Node 25 + Yarn PnP EBADF before repo code executes

Recommendation: ship.

@thepastaclaw thepastaclaw force-pushed the fix-dashmate-safe-dkg-restart branch from a9cf279 to 81550f0 Compare June 19, 2026 21:24

@thepastaclaw thepastaclaw force-pushed the fix-dashmate-safe-dkg-restart branch from 81550f0 to 2ba3c83 Compare June 19, 2026 21:40

@thepastaclaw thepastaclaw left a comment

Collaborator Author

Code Review

Re-review of head SHA 81550f0 (incremental + cumulative). Prior review at a9cf279 was clean and the delta has not introduced new issues. Only one in-scope nitpick from claude-general was validated: the offset < 0 clause at line 116 is mathematically redundant given the minimum window value of 10, but harmless and arguably documentary. No blocking or suggestion-level findings; codex-general, both security auditors, and CodeRabbit all reported clean.

💬 1 nitpick(s)

@thepastaclaw thepastaclaw left a comment

Collaborator Author

Code Review

Cumulative PR is a sound, conservative safe-stop fix that composes the imminent-DKG guard with per-session active-window inspection and fails closed on malformed input. Latest delta is test-only Sinon formatting and introduces no behavioral change. One pre-existing nitpick about a redundant offset < 0 clause persists at head; not blocking.

💬 1 nitpick(s)

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 1

🧹 Nitpick comments (4)
packages/dashmate/src/core/quorum/isMasternodeSafeToStopDuringDkg.js (1)

1-1: ⚡ Quick win

Rename this new package file to kebab-case.

Please rename isMasternodeSafeToStopDuringDkg.js to kebab-case (and update imports) to match package file naming rules.
As per coding guidelines, packages/**/!(node_modules)/**/*.{js,jsx,ts,tsx} should use kebab-case filenames within JS packages.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/dashmate/src/core/quorum/isMasternodeSafeToStopDuringDkg.js` at line
1, The file isMasternodeSafeToStopDuringDkg.js is named in camelCase but should
follow kebab-case naming convention according to package guidelines. Rename the
file from isMasternodeSafeToStopDuringDkg.js to
is-masternode-safe-to-stop-during-dkg.js and update all import statements
throughout the codebase that reference this file to use the new kebab-case
filename instead of the camelCase version.

Source: Coding guidelines

packages/dashmate/test/unit/core/quorum/waitForDKGWindowPass.spec.js (1)

1-1: ⚡ Quick win

Rename this new package test file to kebab-case.

Please rename waitForDKGWindowPass.spec.js to kebab-case and update imports accordingly.
As per coding guidelines, packages/**/!(node_modules)/**/*.{js,jsx,ts,tsx} should use kebab-case filenames within JS packages.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/dashmate/test/unit/core/quorum/waitForDKGWindowPass.spec.js` at line
1, The test file waitForDKGWindowPass.spec.js uses camelCase naming instead of
the required kebab-case format per coding guidelines. Rename the file from
waitForDKGWindowPass.spec.js to wait-for-dkg-window-pass.spec.js and update the
import statement at the top of the file to reference the new kebab-case filename
accordingly.

Source: Coding guidelines

packages/dashmate/test/unit/core/quorum/isMasternodeSafeToStopDuringDkg.spec.js (2)

1-3: ⚡ Quick win

Rename this new package test file to kebab-case.

Please rename isMasternodeSafeToStopDuringDkg.spec.js to kebab-case and update imports accordingly.
As per coding guidelines, packages/**/!(node_modules)/**/*.{js,jsx,ts,tsx} should use kebab-case filenames within JS packages.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@packages/dashmate/test/unit/core/quorum/isMasternodeSafeToStopDuringDkg.spec.js`
around lines 1 - 3, The test file isMasternodeSafeToStopDuringDkg.spec.js does
not follow the kebab-case naming convention required for JavaScript package
files. Rename the file from camelCase to kebab-case format and update the import
statement at the top of the file that references isMasternodeSafeToStopDuringDkg
to match the new filename.

Source: Coding guidelines


127-189: ⚡ Quick win

Add fail-closed tests for malformed dkgInfo.

Current fail-safe coverage is strong for dkgStatus/currentHeight, but it does not assert malformed dkgInfo cases (e.g., missing/non-numeric next_dkg or active_dkgs). Add explicit false expectations for those payloads.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@packages/dashmate/test/unit/core/quorum/isMasternodeSafeToStopDuringDkg.spec.js`
around lines 127 - 189, Add test cases within the "fail-safe on malformed inputs
while active_dkgs > 0" describe block to verify that
isMasternodeSafeToStopDuringDkg returns false when dkgInfo is malformed,
specifically when next_dkg is missing or non-numeric, when active_dkgs is
missing or non-numeric, and when dkgInfo itself is undefined or null. Each test
should follow the existing pattern of setting up dkgInfo with a valid dkgStatus
and currentHeight while varying only the dkgInfo payload to trigger the
malformed input conditions.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/dashmate/src/core/quorum/isMasternodeSafeToStopDuringDkg.js`:
- Around line 84-92: The function isMasternodeSafeToStopDuringDkg fails to
validate that the destructured properties next_dkg and active_dkgs from dkgInfo
are properly defined and valid before using them. If these properties are
missing or malformed, the function can incorrectly return true, breaking the
fail-closed behavior. Add validation at the beginning after the destructuring to
check that both nextDkg and activeDkgs are valid numbers, and return false
immediately if either property is missing, undefined, or malformed, ensuring the
function fails closed when dkgInfo is malformed.

📥 Commits

Reviewing files that changed from the base of the PR and between a0c013f and 2ba3c83.

📒 Files selected for processing (5)
  • packages/dashmate/src/core/quorum/isMasternodeSafeToStopDuringDkg.js
  • packages/dashmate/src/core/quorum/waitForDKGWindowPass.js
  • packages/dashmate/src/listr/tasks/stopNodeTaskFactory.js
  • packages/dashmate/test/unit/core/quorum/isMasternodeSafeToStopDuringDkg.spec.js
  • packages/dashmate/test/unit/core/quorum/waitForDKGWindowPass.spec.js

`isMasternodeSafeToStopDuringDkg` previously destructured `dkgInfo`
unconditionally, so a missing/null/malformed `quorum dkginfo` payload
could throw (or worse, coerce its way to `true`) instead of being
treated as unsafe. Validate that `dkgInfo` is an object with finite,
non-negative `active_dkgs` and `next_dkg` before reasoning about them,
and share that guard with `shouldInspectDkgStatusForSafeStop` so the
poll path can't reach the destructure with a bad shape either. Add
specs covering undefined/null `dkgInfo` and missing/non-numeric/NaN/
negative `active_dkgs` and `next_dkg`.
@thepastaclaw

Collaborator Author

Addressed the malformed dkgInfo feedback in a14c214f:

  • safe-stop helpers now fail closed for missing/non-object dkgInfo, missing/non-numeric/non-finite/negative active_dkgs, and missing/non-numeric/non-finite/negative next_dkg;
  • added malformed-dkgInfo coverage for those cases;
  • validation: node --check on changed files, git diff --check, and inline smoke harness passed.

I intentionally did not apply the kebab-case rename nitpicks: packages/dashmate/src currently uses camelCase for JS filenames package-wide (I counted 235 .js files and zero kebab-case), so renaming only these new files would diverge from the local convention rather than align with it.

Formal yarn/mocha/eslint commands are still blocked locally by the known Node 25 + Yarn PnP EBADF: bad file descriptor, fstat failure before repo code loads.

@thepastaclaw thepastaclaw left a comment

Collaborator Author

Code Review

Latest push (a14c214) adds fail-closed handling for malformed dkginfo plus tests. Verified at head: two nitpicks remain — stale JSDoc on shouldInspectDkgStatusForSafeStop (Claude) and the redundant offset<0 clause carried over from the prior review (Codex). No blocking issues; the session-window math, llmqType mapping, and fail-closed paths are consistent between the immediate stop check and the --safe wait loop.

💬 2 nitpick(s)

Comment on lines +41 to +51
/**
* @param {{ active_dkgs: number, next_dkg: number }} dkgInfo
* @return {boolean}
*/
export function shouldInspectDkgStatusForSafeStop(dkgInfo) {
if (!hasValidDkgInfoShape(dkgInfo)) {
return false;
}

return dkgInfo.active_dkgs > 0 && dkgInfo.next_dkg > MIN_BLOCKS_BEFORE_DKG;
}
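
Review bot: in shouldInspectDkgStatusForSafeStop, the early return false on a failed hasValidDkgInfoShape check is the same value the gate gives when there are simply no active sessions, so the gate alone cannot tell a caller that the payload was bad. Callers must still pass the same dkgInfo to the safety predicate and never read a false gate result as safe to stop; state that in the JSDoc, and widen the @param type, since null and non-object values are now handled input rather than a contract violation.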

Collaborator Author

💬 Nitpick: JSDoc on shouldInspectDkgStatusForSafeStop omits malformed-input behavior

The function now returns false for null/undefined/non-object dkgInfo and for non-finite active_dkgs/next_dkg via hasValidDkgInfoShape, but the JSDoc still types dkgInfo as { active_dkgs: number, next_dkg: number } and only documents the happy-path return. Future callers (waitForDKGWindowPass, stopNodeTaskFactory) could read this as 'expects a well-formed dkgInfo' and add redundant upstream guards, defeating the centralization this PR just introduced. Tighten the JSDoc to state the predicate is also the malformed-dkgInfo guard.

source: ['claude']

Comment on lines +135 to +137
if (offset < 0 || offset < windowLength) {
return false;
}
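
Review bot: on the offset < 0 || offset < windowLength guard, both comparisons evaluate to false when offset is NaN, so a non-numeric quorumHeight or currentHeight would skip this return false and fall through. Confirm both heights are checked as finite numbers before offset is computed, or write the guard as if (!(offset >= windowLength)) so that anything other than a proven past-window offset fails closed.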

Collaborator Author

💬 Nitpick: Redundant negative-offset check

Every value in DKG_MINING_WINDOW_START_BY_LLMQ_TYPE is positive (10/12/20/42), and unknown llmqTypes return false at the windowLength === undefined branch above. So any negative offset already satisfies offset < windowLength, making offset < 0 strictly redundant. The doc comment at lines 79-81 explicitly calls out the negative branch as fail-safe, so this is style-only — keep it if you want the intent to read explicitly at the call site, otherwise collapse to offset < windowLength.

Suggested change
if (offset < 0 || offset < windowLength) {
return false;
}
if (offset < windowLength) {
return false;
}

source: ['codex']

@dashpay dashpay deleted a comment from coderabbitai Bot Jun 20, 2026