fix: reward-roster determinism + ip-gate log flood + BFT2 driver self-heal

- Genesis block creator now stamps reg_height for all block-0 NodeRegistration TXs (on CREATE and boot LOAD), matching synced peers. Fixes the minter computing count=1 eligible super vs count=5 on peers — the sole content divergence, observed live as proposal_content_rejected on reward_root at emission boundaries.

- QUIC handshake: suppress the duplicate unsampled log for ip_identity_gate_reject (already sampled + metered at the gate); narrow the private-IP heuristic to RFC1918 172.16/12 so public 172.32+ addresses are not mislabeled private_.

- BFT2 consensus driver: watchdog self-heals by adopting the latest stored checkpoint QC, plus eager driver.sync on startup so a restarted/synced node starts at the live window instead of lagging at index=1.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: AIQnetLab

development/qnet-integration/src/consensus_v2_node.rs

@@ -410,6 +410,32 @@ pub async fn run(
     if crate::node::is_info() {
         println!("[INFO][BFT2] runtime_started committee={} view_timeout_ms={}", committee.len(), timeout_ms);
     }
+    // Eager startup catch-up: if the chain already holds committed macroblocks (restart, or the chain
+    // synced before this task spawned), adopt the latest checkpoint QC from storage NOW so the driver
+    // starts at the live window instead of index=1 — closing the cold-start lag at its source rather
+    // than waiting for the watchdog below to detect it reactively. driver.sync is monotonic +
+    // content-checked, and the stored QC was verified at apply time, so a fresh first boot (no
+    // macroblock yet) is a harmless no-op. The watchdog remains as the mid-run backstop.
+    if let Ok(idx) = storage.get_latest_macroblock_index() {
+        if idx > 0 {
+            if let Ok(Some(raw)) = storage.get_macroblock_by_height(idx) {
+                if let Ok(mb) = bincode::deserialize::<qnet_state::MacroBlock>(&raw) {
+                    if let Some(cp_qc) = mb.consensus_data.checkpoint_qc.as_ref() {
+                        if let Ok((cp, qc)) = bincode::deserialize::<(qnet_consensus::checkpoint_bft::Checkpoint, QuorumCertificate)>(cp_qc) {
+                            let effs = driver.sync(&cp, &qc);
+                            if !effs.is_empty() {
+                                if crate::node::is_info() {
+                                    println!("[INFO][BFT2] eager_startup_sync window={} next_window={}", idx, driver.next_window());
+                                }
+                                execute(effs, &node_id, &p2p, &storage).await;
+                            }
+                            last_index = driver.current_index();
+                        }
+                    }
+                }
+            }
+        }
+    }
     loop {
         tokio::select! {
             Some(ev) = rx.recv() => {
@@ -552,22 +578,44 @@ pub async fn run(
                     execute(effects, &node_id, &p2p, &storage).await;
                 }
                 last_index = driver.current_index();
-                // LIVENESS WATCHDOG: the applied chain tip advances via macroblock sync even when the
-                // driver is frozen — so a large, sustained gap between the chain's window and the
-                // window the driver still wants to commit means the driver fell behind the live quorum
-                // and the §4.5 sync catch-up did NOT recover it. Surface it LOUDLY (this failure was
-                // previously invisible: the container stayed "healthy"). Re-armed once recovered.
+                // LIVENESS WATCHDOG + SELF-HEAL: the applied chain tip advances via macroblock sync even
+                // when the driver is frozen — so a large, sustained gap between the chain's window and the
+                // window the driver still wants to commit means the driver fell behind the live quorum.
+                // Live §4.5 catch-up only fires on a freshly RECEIVED macroblock, so a node that caught its
+                // chain up by other means (or lagged at cold start) can stay stuck. Instead of only logging,
+                // re-feed the latest stored (already-verified) macroblock QC to the driver: driver.sync is
+                // monotonic + content-checked ⇒ a safe no-op once caught up, and it jumps the driver to the
+                // committed window deterministically. Recovery is logged once the gap closes.
                 const STUCK_WINDOWS: u64 = 3;   // beyond normal 2-chain finality lag
-                const STUCK_TICKS: u32 = 5;     // sustained (~20s at the 4s view timer) before alarming
+                const STUCK_TICKS: u32 = 5;     // sustained (~20s at the 4s view timer) before acting
                 let chain_window = crate::unified_p2p::LOCAL_BLOCKCHAIN_HEIGHT.load(Ordering::Relaxed) / 90;
                 if chain_window > driver.next_window().saturating_add(STUCK_WINDOWS) {
                     stuck_ticks = stuck_ticks.saturating_add(1);
-                    if stuck_ticks >= STUCK_TICKS && !stuck_alarmed {
-                        stuck_alarmed = true;
-                        println!("[ERROR][BFT2] consensus_driver_behind round={} next_window={} chain_window={} — driver lagging the quorum; §4.5 sync did not recover it (previously a SILENT dropout)",
-                                 driver.current_index(), driver.next_window(), chain_window);
+                    if stuck_ticks >= STUCK_TICKS {
+                        // Self-heal from local committed state: adopt the latest stored macroblock's QC.
+                        if let Ok(idx) = storage.get_latest_macroblock_index() {
+                            if let Ok(Some(raw)) = storage.get_macroblock_by_height(idx) {
+                                if let Ok(mb) = bincode::deserialize::<qnet_state::MacroBlock>(&raw) {
+                                    if let Some(cp_qc) = mb.consensus_data.checkpoint_qc.as_ref() {
+                                        if let Ok((cp, qc)) = bincode::deserialize::<(qnet_consensus::checkpoint_bft::Checkpoint, QuorumCertificate)>(cp_qc) {
+                                            let effs = driver.sync(&cp, &qc);
+                                            if !effs.is_empty() { execute(effs, &node_id, &p2p, &storage).await; }
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                        if !stuck_alarmed {
+                            stuck_alarmed = true;
+                            println!("[WARN][BFT2] consensus_driver_behind round={} next_window={} chain_window={} — self-healing from latest stored macroblock QC",
+                                     driver.current_index(), driver.next_window(), chain_window);
+                        }
                     }
                 } else {
+                    if stuck_alarmed {
+                        println!("[INFO][BFT2] consensus_driver_recovered next_window={} chain_window={}",
+                                 driver.next_window(), chain_window);
+                    }
                     stuck_ticks = 0;
                     stuck_alarmed = false;
                 }

development/qnet-integration/src/node.rs

@@ -4946,7 +4946,30 @@ impl BlockchainNode {
     pub fn cache_node_registrations_from_transactions(storage: &crate::storage::Storage, transactions: &[qnet_state::Transaction]) {
         Self::cache_node_registrations_from_transactions_with_dashmap(storage, transactions, &DashMap::new());
     }
-    
+
+    /// Stamp `reg_height = 0` for every genesis NodeRegistration TX in block 0.
+    /// `super_registrations_sorted` (the reward roster) only counts entries with a stamped
+    /// reg_height. Synced peers stamp all five genesis nodes via the block-apply path
+    /// (deferred_registrations → save_node_registration_at_height, height 0, reputation 1.0).
+    /// The block CREATOR, however, applies block 0 through cache_node_registrations_from_transactions
+    /// → save_node_registration (NO height), so its roster would hold only its own self-registered
+    /// genesis id (count=1) while peers compute count=5 — a persistent per-epoch reward divergence.
+    /// This backfill makes the creator/restarted node byte-identical to synced peers. Idempotent.
+    fn stamp_genesis_registration_heights(storage: &crate::storage::Storage, transactions: &[qnet_state::Transaction]) {
+        for tx in transactions {
+            if let qnet_state::TransactionType::NodeRegistration { node_id, node_type, wallet_address, .. } = &tx.tx_type {
+                let type_str = match node_type {
+                    qnet_state::NodeType::Super => "super",
+                    qnet_state::NodeType::Light => "light",
+                };
+                // height 0 + reputation 1.0 == the values synced peers write via deferred_registrations.
+                if let Err(e) = storage.save_node_registration_at_height(node_id, type_str, wallet_address, 1.0, 0) {
+                    eprintln!("[WARN][REG] genesis_reg_height_stamp_fail node={} err={}", node_id, e);
+                }
+            }
+        }
+    }
+
     /// Register all 5 Genesis nodes on-chain (called once at blockchain start)
     /// Returns Vec of registration transactions to include in genesis/first block
     /// Create Genesis node registration TXs with FIXED timestamp for determinism
@@ -7369,6 +7392,10 @@ impl BlockchainNode {
         let genesis_timestamp = match storage.load_microblock_auto_format(0) {
             Ok(Some(genesis_block)) => {
                 if is_info() { println!("[INFO][GEN] loaded_ts={}", genesis_block.timestamp); }
+                // Self-heal the reward roster on restart: stamp reg_height=0 for the genesis
+                // registrations so a former creator (which only cached them without a height)
+                // matches synced peers. Idempotent for peers that already stamped them.
+                Self::stamp_genesis_registration_heights(&storage, &genesis_block.transactions);
                 genesis_block.timestamp
             }
             Ok(None) => {
@@ -14170,7 +14197,9 @@ impl BlockchainNode {
                                                 // CRITICAL FIX v3.2: Cache NodeRegistration TXs from genesis block
                                                 // Without this, genesis creator can't find wallet addresses for rewards!
                                                 Self::cache_node_registrations_from_transactions(&storage, &genesis_microblock.transactions);
-                                                println!("[INFO][GEN] Cached {} NodeRegistration TXs from genesis block", 
+                                                // Stamp reg_height=0 so the creator's reward roster matches synced peers (count=5, not 1).
+                                                Self::stamp_genesis_registration_heights(&storage, &genesis_microblock.transactions);
+                                                println!("[INFO][GEN] Cached {} NodeRegistration TXs from genesis block",
                                                     genesis_microblock.transactions.iter()
                                                         .filter(|tx| matches!(tx.tx_type, qnet_state::TransactionType::NodeRegistration { .. }))
                                                         .count());

development/qnet-integration/src/quic_transport.rs

@@ -1172,7 +1172,12 @@ impl QuicTransport {
                     let (remote_node_id, remote_cert_serial, remote_node_type, remote_block_height) = match handshake_result {
                         Ok(h) => h,
                         Err(e) => {
-                            if crate::node::is_warn() { println!("[WARN][QUIC] handshake_failed peer={} err={}", get_privacy_id_for_addr(&peer_addr.to_string()), e); }
+                            // ip_identity_gate_reject is already logged (1/256 sampled) and metered at the gate
+                            // itself; re-logging it through this generic catch-all floods (one impostor IP
+                            // produced thousands of identical lines). Suppress that class here — the metric carries it.
+                            if e != "ip_identity_gate_reject" && crate::node::is_warn() {
+                                println!("[WARN][QUIC] handshake_failed peer={} err={}", get_privacy_id_for_addr(&peer_addr.to_string()), e);
+                            }
                             return;
                         }
                     };

development/qnet-integration/src/unified_p2p.rs

@@ -19891,10 +19891,17 @@ pub fn get_privacy_id_for_addr(addr: &str) -> String {
         return format!("genesis_node_{}", genesis_id);
     }
 
-    // Check if it's a private/internal IP that shouldn't be in P2P network
-    if ip.starts_with("172.") || ip.starts_with("10.") || ip.starts_with("192.168.") {
-        // These are private IPs that shouldn't be exposed in P2P
-        // This includes Docker networks (172.17.x.x), private LANs, etc.
+    // Private/internal IPs (Docker bridges, private LANs) get a separate label. RFC1918 172 is
+    // private ONLY for second octet 16..=31 — 172.32+ (e.g. carrier-grade 172.58.x) is PUBLIC and
+    // must not be mislabeled "private_" (it surfaced as the impostor IP behind the gate-reject flood).
+    let is_private = ip.starts_with("10.")
+        || ip.starts_with("192.168.")
+        || ip.strip_prefix("172.")
+             .and_then(|rest| rest.split('.').next())
+             .and_then(|oct| oct.parse::<u8>().ok())
+             .map(|oct| (16..=31).contains(&oct))
+             .unwrap_or(false);
+    if is_private {
         let ip_hash = blake3::hash(format!("PRIVATE_{}", ip).as_bytes());
         return format!("private_{}", &ip_hash.to_hex()[..8]);
     }