fix(sync): cold-join wedge — hold chain_height >= snapshot anchor on every path

A fork-recovery rollback could strand the contiguous apply-frontier (get_chain_height) below the monotonic snapshot/finality floor (SNAPSHOT_ANCHOR_MB). The apply-dedup gate skips every block at/below the anchor while the sync coordinator re-requests from chain_height+1 -> permanent re-request livelock (frozen apply, growing future_drop). Clean snapshot cold-join was safe (fast_sync sets chain_height=snapshot_height); the wedge needed a rollback below an already-raised anchor.

Maintain get_chain_height() >= SNAPSHOT_ANCHOR_MB*90: adopt_snapshot_finality sets chain_height with the floor (atomic adoption); reload_snapshot_anchor heals it at boot; fork-recovery clamps rollback_to = fork_h.max(anchor_floor); sync coordinator floors apply_tip by the anchor (keystone self-heal).

Close the cross-attempt discard edge: a rejected snapshot after a prior adopt left a high anchor over wiped state. AnchorReset guard caps the restored anchor by live chain_height; discard_snapshot_state resets the runtime floors + deletes the persisted anchor before the CF wipes.

Genesis-inert (anchor=0). cargo check clean, 185 lib tests pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: AIQnetLab

development/qnet-integration/src/node.rs

@@ -1084,6 +1084,18 @@ pub fn adopt_snapshot_finality(snapshot_height: u64, anchor_hash: [u8; 32]) {
     // replay) and the bulk-sync target isn't collapsed to chain_height/90. fetch_max ⇒ only advances.
     crate::unified_p2p::LOCAL_BLOCKCHAIN_HEIGHT.fetch_max(snapshot_height, std::sync::atomic::Ordering::SeqCst);
     QC_VERIFIED_FRONTIER.fetch_max(anchor_mb.saturating_mul(90), std::sync::atomic::Ordering::SeqCst);
+    // Install the contiguous apply-frontier WITH the floor (atomic adoption). The apply-dedup gate
+    // treats height<=SNAPSHOT_ANCHOR_MB*90 as already-final, so chain_height must never trail the
+    // anchor — otherwise sync re-requests sub-anchor bodies that apply forever dup-skips → wedge. The
+    // bound snapshot legitimately replaces sub-anchor bodies, so the anchor IS the contiguous base.
+    // Raise-only; the clean fast_sync path already sets this, recovery/catch-up adopts did not.
+    if let Some(storage) = try_get_storage() {
+        if storage.get_chain_height().unwrap_or(0) < snapshot_height {
+            if let Err(e) = storage.set_chain_height(snapshot_height) {
+                if is_warn() { println!("[WARN][SYNC] adopt_set_chain_height_fail h={} err={}", snapshot_height, e); }
+            }
+        }
+    }
     persist_snapshot_anchor(anchor_mb, &anchor_hash);
     println!("[INFO][SYNC] snapshot_finality_adopted h={} mb={}", snapshot_height, anchor_mb);
 }
@@ -1115,9 +1127,32 @@ pub fn reload_snapshot_anchor() {
     let anchor_h = anchor_mb.saturating_mul(90);
     LAST_FINALIZED_HEIGHT.fetch_max(anchor_h, std::sync::atomic::Ordering::SeqCst);
     LAST_FINALIZED_CONSENSUS_ROUND.fetch_max(anchor_h, std::sync::atomic::Ordering::SeqCst);
+    // Heal the contiguous frontier up to the reloaded floor: a node whose chain_height was driven
+    // below the anchor by a pre-restart rollback would otherwise re-wedge (durable chain_height <
+    // reloaded anchor ⇒ sub-anchor re-request loop). Raise-only; runs once at boot before live blocks.
+    if storage.get_chain_height().unwrap_or(0) < anchor_h {
+        let _ = storage.set_chain_height(anchor_h);
+    }
     if is_info() { println!("[INFO][SYNC] snapshot_anchor_reloaded mb={} h={}", anchor_mb, anchor_h); }
 }
 
+/// Zero the runtime height + finality floors for a CLEAN re-bootstrap after discard_snapshot_state
+/// wiped all state (a snapshot rejected AFTER a prior one was already adopted). Keeps the invariant
+/// chain_height >= SNAPSHOT_ANCHOR_MB*90 consistent at 0: discard sets chain_height=0, the snapshot-bind
+/// AnchorReset guard caps SNAPSHOT_ANCHOR_MB to the now-0 chain_height, and this drops the other floors
+/// so no stale high floor strands the re-sync onto empty state. The genesis-rooted GALC capsule + binary
+/// WS pin are INDEPENDENT and intentionally untouched, so the clean block-sync re-verifies safely.
+pub fn reset_floors_for_rebootstrap() {
+    crate::unified_p2p::LOCAL_BLOCKCHAIN_HEIGHT.store(0, std::sync::atomic::Ordering::SeqCst);
+    QC_VERIFIED_FRONTIER.store(0, std::sync::atomic::Ordering::SeqCst);
+    WEAK_SUBJECTIVITY_CHECKPOINT.store(0, std::sync::atomic::Ordering::SeqCst);
+    {
+        let _g = crate::storage::lock_finality_state();
+        LAST_FINALIZED_HEIGHT.store(0, std::sync::atomic::Ordering::SeqCst);
+        LAST_FINALIZED_CONSENSUS_ROUND.store(0, std::sync::atomic::Ordering::SeqCst);
+    }
+}
+
 /// v9.0 BUG-30: Check if rollback to target_height is allowed by finality rules.
 /// LEGACY v14.8: Non-atomic finality check. Exists only for diagnostic paths
 /// that need to inspect the current finality boundary WITHOUT claiming the
@@ -13894,9 +13929,18 @@ impl BlockchainNode {
                             // diverged → competing forks (the rollback storm); it also over-deleted one
                             // good block (the extra -1). A node behind the fork (local_h ≤ fork_h)
                             // deletes nothing here (guard below) — it pulls the canonical chain via sync.
-                            let rollback_to = fork_h;
-                            println!("[WARN][FORK] pipeline_detected fork_h={} local_h={} rollback_to={}",
-                                     fork_h, local_h, rollback_to);
+                            // Never roll the contiguous frontier below the adopted snapshot/finality
+                            // floor: the anchor is 2f+1-QC-final and the snapshot holds sub-anchor state,
+                            // so a target below it is not a real reorg point. Clamping up means a target
+                            // ≥ local_h makes the destructive delete below no-op (rollback_to < local_h
+                            // guard) and the node re-syncs cleanly instead of stranding chain_height under
+                            // a higher monotonic anchor (the wedge). Complements the LAST_FINALIZED guard
+                            // inside begin_finality_guarded_rollback.
+                            let anchor_floor = SNAPSHOT_ANCHOR_MB
+                                .load(std::sync::atomic::Ordering::Acquire).saturating_mul(90);
+                            let rollback_to = fork_h.max(anchor_floor);
+                            println!("[WARN][FORK] pipeline_detected fork_h={} local_h={} rollback_to={} anchor_floor={}",
+                                     fork_h, local_h, rollback_to, anchor_floor);
 
                             if let Some(p2p) = &unified_p2p {
                                 // 1. Rollback local chain to before fork point

development/qnet-integration/src/storage.rs

@@ -9752,7 +9752,16 @@ impl Storage {
                 // Restore the prior runtime floor on ANY early return; only a fully-verified anchor
                 // commits a new floor (adopt_snapshot_finality + mem::forget at the end). No provisional
                 // floor is set during the walk (the old mb_idx-3 shortcut was the circularity hole).
-                crate::node::SNAPSHOT_ANCHOR_MB.store(self.0, std::sync::atomic::Ordering::SeqCst);
+                // CAP by the live chain_height: discard_snapshot_state zeroes chain_height on a full
+                // state wipe (a snapshot rejected after a prior one was adopted), so a blind restore of
+                // the higher prior anchor would strand the dedup floor above an empty chain (the cross-
+                // attempt invariant break). A non-wiping early return leaves chain_height == prior, so the
+                // prior anchor is restored unchanged.
+                let chain_mb = crate::node::try_get_storage()
+                    .and_then(|s| s.get_chain_height().ok())
+                    .map(|h| h / 90)
+                    .unwrap_or(self.0);
+                crate::node::SNAPSHOT_ANCHOR_MB.store(self.0.min(chain_mb), std::sync::atomic::Ordering::SeqCst);
             }
         }
         let anchor_guard = AnchorReset(crate::node::SNAPSHOT_ANCHOR_MB.load(std::sync::atomic::Ordering::SeqCst));
@@ -10056,6 +10065,11 @@ impl Storage {
     /// Roll back a rejected snapshot: wipe all state it wrote + reset height to 0 so the
     /// orphaned state can never pollute the fallback block-sync. Node re-bootstraps clean.
     fn discard_snapshot_state(&self, height: u64) -> IntegrationResult<()> {
+        // Drop the runtime floors + chain_height FIRST, before any CF wipe: if a later wipe write fails
+        // mid-way, the node is left with LOW floors (clean re-bootstrap from genesis trust) rather than a
+        // high anchor stranded over partially-wiped state. reset_floors is infallible (atomic stores).
+        crate::node::reset_floors_for_rebootstrap();
+        self.set_chain_height(0)?;
         for cf in &["accounts", "pending_rewards", "node_registry", "contract_storage"] {
             self.clear_cf(cf)?;
         }
@@ -10066,14 +10080,16 @@ impl Storage {
             use rocksdb::{IteratorMode, Direction};
             let mut batch = rocksdb::WriteBatch::default();
             batch.delete_cf(&meta_cf, Self::REGISTRY_LT_STATE_KEY);
+            // Drop the persisted snapshot anchor too: leaving it would make a warm restart re-load a
+            // high anchor (reload_snapshot_anchor) and heal chain_height up to it onto the wiped state.
+            batch.delete_cf(&meta_cf, b"snapshot_anchor");
             for item in self.persistent.db.iterator_cf(&meta_cf, IteratorMode::From(b"rr_seal_", Direction::Forward)) {
                 let (k, _) = match item { Ok(kv) => kv, Err(_) => break };
                 if !k.starts_with(b"rr_seal_") { break; }
                 batch.delete_cf(&meta_cf, &k);
             }
             let _ = self.persistent.db.write(batch);
         }
-        self.set_chain_height(0)?;
         if let Some(snapshots_cf) = self.persistent.db.cf_handle("snapshots") {
             for prefix in &["full_snap_", "state_snap_"] {
                 let _ = self.persistent.db.delete_cf(&snapshots_cf, format!("{}{}", prefix, height).as_bytes());

development/qnet-integration/src/sync_manager.rs

@@ -593,7 +593,13 @@ impl SyncManager {
         }
 
         while self.active.load(Ordering::Relaxed) {
-            let apply_tip = self.storage.get_chain_height().unwrap_or(local_h);
+            // Floor the apply-frontier by the adopted snapshot anchor. The apply-dedup gate treats
+            // height<=SNAPSHOT_ANCHOR_MB*90 as already-final (bound snapshot replaces sub-anchor
+            // bodies), so requesting sub-anchor blocks would loop forever (fetched → dup-skipped →
+            // never saved → re-requested). Tailing from anchor+1 keeps this coordinator and the apply
+            // stage agreeing on "done", and self-heals a frontier transiently stranded below the anchor.
+            let apply_tip = self.storage.get_chain_height().unwrap_or(local_h)
+                .max(crate::node::SNAPSHOT_ANCHOR_MB.load(Ordering::Relaxed).saturating_mul(90));
 
             // Sync complete?
             if apply_tip >= target {