gate timeout handling and cutover by current view

[bfish713]

Closes #<ISSUE_NUMBER>

This PR:

This PR does not:

Key places to review:

[gemini-code-assist]

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

[claude]

Claude finished @bfish713's task in 1m 29s —— View job

---

Code Review: gate timeout handling and cutover by current view

• Read CLAUDE.md and existing review comments
• Analyze PR diff and changed files
• Review code quality, correctness, and edge cases
• Post detailed review feedback

---

Summary

This PR adds staleness guards at multiple layers of the consensus and coordinator pipeline to prevent a node from regressing to a past view or epoch when it receives stale timeout votes, timeout certificates, epoch change messages, or pre-cutover seeds. It also tightens the legacy handle_timeout handler to stop emitting LegacyTimeoutVoteEmitted events after the cutover view has been passed. Solid, defensive change with good test coverage.

Findings

The changes are well-structured and correct. Each guard is placed at the earliest reasonable point in its respective handler, uses the right comparison (< for views, < for epochs with appropriate semantics), and has a corresponding regression test. Specific observations:

Consensus layer (consensus.rs)

1. handle_timeout guard (line 906): view < self.current_view correctly allows the current view to still time out while rejecting anything behind it. The test covers both the rejection and the happy path.

2. handle_timeout_certificate guard (line 1022): Uses view = certificate.view_number() + 1 (the view the TC would advance into) and filters on view < self.current_view. This means a TC that would advance into the current view or ahead is accepted, which is correct — it mirrors the semantics of the timeout guard.

3. handle_epoch_change guard (line 1085–1096): Good design decision to compare on epochs rather than views. The comment explains the rationale clearly: a node that timed out past a boundary it never saw should still be able to recover via a genuinely new epoch change. The cert2.data.epoch < current check correctly rejects epoch changes that would transition into epochs the node has already entered (since handle_epoch_change sets current_epoch = cert2.data.epoch + 1).

Coordinator layer (coordinator.rs)

4. ViewChanged output guard (line 754): Defensive check in process_consensus_output before calling set_view. This is a good belt-and-suspenders layer — even if the consensus core emits a stale ViewChanged output, the coordinator won't act on it.

5. TimeoutVote message guard (line 905): Early filter on incoming timeout vote messages before they reach the collectors. Prevents stale votes from polluting the accumulator.

6. SeedPreCutover guard (line 1223): The condition seed.cutover_view > ViewNumber::genesis() && current_view >= seed.cutover_view correctly handles the edge case where cutover_view is genesis (no cutover configured). Clean early return with respond.send(()).

7. SubmitTimeoutVote guard (line 1307): Filters bridged timeout votes from the legacy protocol before they reach the new-protocol collectors.

Legacy handler (handlers.rs)

8. Cutover view bound (line 497): view_number <= cert.data.new_version_first_view stops emitting LegacyTimeoutVoteEmitted events for views past the cutover. This is the source-side fix that complements the coordinator-side guard.

Tests

The four new tests (test_stale_timeout_ignored, test_stale_timeout_certificate_ignored, test_handle_epoch_change_replay_of_crossed_boundary) are well-written with clear docstrings explaining the regression scenario. Each test verifies both the rejection case and the happy path (or relies on existing happy-path tests).

Nits / Minor observations

• No issues found that warrant inline comments. The code is clean, the guards are consistent in style, and the log messages are descriptive and appropriately leveled (debug for expected filtering, warn for the coordinator ViewChanged case which indicates an unexpected internal state).

Overall: This looks good to merge. The defensive guards are well-placed, the epoch-vs-view distinction in the epoch change handler is thoughtful, and the test coverage validates the key scenarios.