lightningdevkit
diff --git a/‎lightning-liquidity/src/lsps2/service.rs‎
Lines changed: 262 additions & 29 deletions b/‎lightning-liquidity/src/lsps2/service.rs‎
Lines changed: 262 additions & 29 deletions
@@ -500,7 +500,10 @@ struct OutboundJITChannel {
 	payment_size_msat: Option<u64>,
 	trust_model: TrustModel,
 	/// The time at which the JIT channel was created (i.e., the buy request was accepted).
-	created_at: LSPSDateTime,
+	///
+	/// `None` for channels deserialized from data written before this field was introduced;
+	/// those channels are treated as having an unknown age by [`PeerState::prune_terminal_channels`].
+	created_at: Option<LSPSDateTime>,
 }
 
 impl_writeable_tlv_based!(OutboundJITChannel, {
@@ -509,13 +512,13 @@ impl_writeable_tlv_based!(OutboundJITChannel, {
 	(4, opening_fee_params, required),
 	(6, payment_size_msat, option),
 	(8, trust_model, required),
-	(10, created_at, (default_value, LSPSDateTime::new_from_duration_since_epoch(Duration::ZERO))),
+	(10, created_at, option),
 });
 
 impl OutboundJITChannel {
 	fn new(
 		payment_size_msat: Option<u64>, opening_fee_params: LSPS2OpeningFeeParams,
-		user_channel_id: u128, client_trusts_lsp: bool, created_at: LSPSDateTime,
+		user_channel_id: u128, client_trusts_lsp: bool, created_at: Option<LSPSDateTime>,
 	) -> Self {
 		Self {
 			user_channel_id,
@@ -664,6 +667,48 @@ impl PeerState {
 		// Return whether the entire state is empty.
 		self.pending_requests.is_empty() && self.outbound_channels_by_intercept_scid.is_empty()
 	}
+
+	/// Removes all channels in the [`PaymentForwarded`] terminal state whose `created_at`
+	/// timestamp is at least `max_age` old. Passing [`Duration::ZERO`] removes all terminal
+	/// channels regardless of age.
+	///
+	/// Channels with no `created_at` (deserialized from data written before the field was
+	/// introduced) have an unknown age and are only removed when `max_age` is
+	/// [`Duration::ZERO`]; they are skipped by any age-based filter.
+	///
+	/// Cleans up the intra-peer auxiliary maps for each removed channel and returns the
+	/// `(intercept_scid, channel_id)` pairs so the caller can remove them from the
+	/// handler-level peer lookup maps.
+	///
+	/// [`PaymentForwarded`]: OutboundJITChannelState::PaymentForwarded
+	/// [`Duration::ZERO`]: core::time::Duration::ZERO
+	fn prune_terminal_channels(
+		&mut self, now: &LSPSDateTime, max_age: Duration,
+	) -> Vec<(u64, ChannelId)> {
+		let mut removed = Vec::new();
+		self.outbound_channels_by_intercept_scid.retain(|scid, channel| {
+			if let OutboundJITChannelState::PaymentForwarded { channel_id } = &channel.state {
+				let should_prune = if max_age == Duration::ZERO {
+					true
+				} else {
+					// Channels without a created_at (pre-upgrade legacy data) have an unknown
+					// age and are excluded from age-based filtering.
+					channel.created_at.as_ref()
+						.map(|ts| now.duration_since(ts) >= max_age)
+						.unwrap_or(false)
+				};
+				if should_prune {
+					removed.push((*scid, *channel_id));
+					self.intercept_scid_by_channel_id.retain(|_, iscid| iscid != scid);
+					self.intercept_scid_by_user_channel_id.retain(|_, iscid| iscid != scid);
+					self.needs_persist = true;
+					return false;
+				}
+			}
+			true
+		});
+		removed
+	}
 }
 
 impl_writeable_tlv_based!(PeerState, {
@@ -932,9 +977,9 @@ where
 							peer_by_intercept_scid.insert(intercept_scid, *counterparty_node_id);
 						}
 
-						let created_at = LSPSDateTime::new_from_duration_since_epoch(
+						let created_at = Some(LSPSDateTime::new_from_duration_since_epoch(
 							self.time_provider.duration_since_epoch(),
-						);
+						));
 						let outbound_jit_channel = OutboundJITChannel::new(
 							buy_request.payment_size_msat,
 							buy_request.opening_fee_params,
@@ -1267,6 +1312,70 @@ where
 		Ok(())
 	}
 
+	/// Prunes completed JIT channels from state for a given peer, freeing memory.
+	///
+	/// Removes all channels in the [`OutboundJITChannelState::PaymentForwarded`] terminal state
+	/// whose `created_at` timestamp is at least `max_age` old. Pass [`Duration::ZERO`] to prune
+	/// all terminal channels regardless of age.
+	///
+	/// Channels loaded from persisted data written before the `created_at` field was introduced
+	/// have an unknown creation time. They are only pruned when `max_age` is [`Duration::ZERO`];
+	/// any positive `max_age` leaves them untouched.
+	///
+	/// All associated state is cleaned up for each removed channel, including the per-peer
+	/// `intercept_scid_by_channel_id` and `intercept_scid_by_user_channel_id` maps as well as
+	/// the handler-level `peer_by_intercept_scid` and `peer_by_channel_id` lookups.
+	///
+	/// Returns the number of channels pruned, or an [`APIError::APIMisuseError`] if the
+	/// counterparty has no state.
+	///
+	/// [`Duration::ZERO`]: core::time::Duration::ZERO
+	pub async fn prune_channels(
+		&self, counterparty_node_id: PublicKey, max_age: Duration,
+	) -> Result<usize, APIError> {
+		let now = LSPSDateTime::new_from_duration_since_epoch(
+			self.time_provider.duration_since_epoch(),
+		);
+
+		let removed = {
+			let outer_state_lock = self.per_peer_state.read().unwrap();
+			let inner_state_lock =
+				outer_state_lock.get(&counterparty_node_id).ok_or_else(|| {
+					APIError::APIMisuseError {
+						err: format!(
+							"No existing state with counterparty {}",
+							counterparty_node_id
+						),
+					}
+				})?;
+			let mut peer_state = inner_state_lock.lock().unwrap();
+			peer_state.prune_terminal_channels(&now, max_age)
+		};
+
+		let pruned = removed.len();
+		if pruned > 0 {
+			let mut peer_by_intercept_scid = self.peer_by_intercept_scid.write().unwrap();
+			let mut peer_by_channel_id = self.peer_by_channel_id.write().unwrap();
+			for (scid, channel_id) in &removed {
+				peer_by_intercept_scid.remove(scid);
+				peer_by_channel_id.remove(channel_id);
+			}
+			drop(peer_by_intercept_scid);
+			drop(peer_by_channel_id);
+
+			self.persist_peer_state(counterparty_node_id).await.map_err(|e| {
+				APIError::APIMisuseError {
+					err: format!(
+						"Failed to persist peer state for {}: {}",
+						counterparty_node_id, e
+					),
+				}
+			})?;
+		}
+
+		Ok(pruned)
+	}
+
 	/// Abandons a pending JIT‐open flow for `user_channel_id`, removing all local state.
 	///
 	/// This removes the intercept SCID, any outbound channel state, and associated
@@ -2349,6 +2458,24 @@ where
 		}
 	}
 
+	/// Prunes completed JIT channels from state for a given peer, freeing memory.
+	///
+	/// Wraps [`LSPS2ServiceHandler::prune_channels`].
+	pub fn prune_channels(
+		&self, counterparty_node_id: PublicKey, max_age: Duration,
+	) -> Result<usize, APIError> {
+		let mut fut = pin!(self.inner.prune_channels(counterparty_node_id, max_age));
+
+		let mut waker = dummy_waker();
+		let mut ctx = task::Context::from_waker(&mut waker);
+		match fut.as_mut().poll(&mut ctx) {
+			task::Poll::Ready(result) => result,
+			task::Poll::Pending => {
+				unreachable!("Should not be pending in a sync context");
+			},
+		}
+	}
+
 	/// Forward [`Event::ChannelReady`] event parameters into this function.
 	///
 	/// Wraps [`LSPS2ServiceHandler::channel_ready`].
@@ -2804,7 +2931,7 @@ mod tests {
 			opening_fee_params.clone(),
 			user_channel_id,
 			true,
-			LSPSDateTime::from_str("2024-01-01T00:00:00Z").unwrap(),
+			Some(LSPSDateTime::from_str("2024-01-01T00:00:00Z").unwrap()),
 		);
 
 		let opening_payment_hash = PaymentHash([42; 32]);
@@ -2885,46 +3012,152 @@ mod tests {
 		);
 	}
 
-	#[test]
-	fn test_outbound_jit_channel_created_at_stored() {
-		let opening_fee_params = LSPS2OpeningFeeParams {
-			min_fee_msat: 1_000,
-			proportional: 0,
-			valid_until: LSPSDateTime::from_str("2035-05-20T08:30:45Z").unwrap(),
+	fn make_test_opening_fee_params() -> LSPS2OpeningFeeParams {
+		LSPS2OpeningFeeParams {
+			min_fee_msat: 1000,
+			proportional: 100,
+			valid_until: LSPSDateTime::from_str("2035-01-01T00:00:00Z").unwrap(),
 			min_lifetime: 144,
 			max_client_to_self_delay: 128,
 			min_payment_size_msat: 1,
 			max_payment_size_msat: 10_000_000_000,
 			promise: "ignore".to_string(),
-		};
+		}
+	}
+
+	#[test]
+	fn test_outbound_jit_channel_created_at_stored() {
 		let created_at = LSPSDateTime::from_str("2024-06-15T12:00:00Z").unwrap();
-		let channel =
-			OutboundJITChannel::new(Some(1_000_000), opening_fee_params, 1u128, true, created_at);
-		assert_eq!(channel.created_at, created_at);
+		let channel = OutboundJITChannel::new(
+			Some(1_000_000),
+			make_test_opening_fee_params(),
+			1u128,
+			true,
+			Some(created_at),
+		);
+		assert_eq!(channel.created_at, Some(created_at));
 	}
 
 	#[test]
 	fn test_outbound_jit_channel_created_at_round_trips() {
 		use lightning::util::ser::{Readable, Writeable};
 
-		let opening_fee_params = LSPS2OpeningFeeParams {
-			min_fee_msat: 1_000,
-			proportional: 0,
-			valid_until: LSPSDateTime::from_str("2035-05-20T08:30:45Z").unwrap(),
-			min_lifetime: 144,
-			max_client_to_self_delay: 128,
-			min_payment_size_msat: 1,
-			max_payment_size_msat: 10_000_000_000,
-			promise: "ignore".to_string(),
-		};
 		let created_at = LSPSDateTime::from_str("2024-06-15T12:00:00Z").unwrap();
-		let channel =
-			OutboundJITChannel::new(Some(1_000_000), opening_fee_params, 1u128, true, created_at);
+		let channel = OutboundJITChannel::new(
+			Some(1_000_000),
+			make_test_opening_fee_params(),
+			1u128,
+			true,
+			Some(created_at),
+		);
+
+		let mut buf = Vec::new();
+		channel.write(&mut buf).unwrap();
+
+		let decoded = <OutboundJITChannel as Readable>::read(&mut &buf[..]).unwrap();
+		assert_eq!(decoded.created_at, Some(created_at));
+	}
+
+	// Verify that data written before the `created_at` field existed deserializes with
+	// `created_at = None`, keeping backwards compatibility.
+	#[test]
+	fn test_outbound_jit_channel_created_at_defaults_for_old_data() {
+		use lightning::util::ser::{Readable, Writeable};
+
+		// Serialize a channel that has no created_at (simulated by None).
+		let channel = OutboundJITChannel::new(
+			Some(1_000_000),
+			make_test_opening_fee_params(),
+			1u128,
+			false,
+			None,
+		);
 
 		let mut buf = Vec::new();
 		channel.write(&mut buf).unwrap();
 
+		// A channel serialized with created_at = None must not write TLV 10,
+		// and must round-trip as None.
 		let decoded = <OutboundJITChannel as Readable>::read(&mut &buf[..]).unwrap();
-		assert_eq!(decoded.created_at, created_at);
+		assert_eq!(decoded.created_at, None);
+	}
+
+	// Verify that a PeerState entry in PaymentForwarded state is correctly removed along with
+	// all auxiliary lookup maps when prune_channel logic is exercised manually.
+	#[test]
+	fn test_peer_state_prune_payment_forwarded_channel() {
+		let intercept_scid = 42u64;
+		let user_channel_id = 1u128;
+		let channel_id = ChannelId([1; 32]);
+		let created_at = Some(LSPSDateTime::from_str("2024-01-01T00:00:00Z").unwrap());
+
+		let mut jit_channel = OutboundJITChannel::new(
+			Some(1_000_000),
+			make_test_opening_fee_params(),
+			user_channel_id,
+			false,
+			created_at,
+		);
+
+		// Drive the channel through to PaymentForwarded state.
+		let htlc = InterceptedHTLC {
+			intercept_id: InterceptId([0; 32]),
+			expected_outbound_amount_msat: 1_000_000,
+			payment_hash: PaymentHash([1; 32]),
+		};
+		let action = jit_channel.htlc_intercepted(htlc).unwrap();
+		assert!(matches!(action, Some(HTLCInterceptedAction::OpenChannel(_))));
+		jit_channel.channel_ready(channel_id).unwrap();
+		// Provide enough fee to transition to PaymentForwarded.
+		jit_channel.payment_forwarded(1_000).unwrap();
+
+		// Build a minimal PeerState with the channel and auxiliary maps.
+		let mut peer_state = PeerState::new();
+		peer_state.outbound_channels_by_intercept_scid.insert(intercept_scid, jit_channel);
+		peer_state.intercept_scid_by_user_channel_id.insert(user_channel_id, intercept_scid);
+		peer_state.intercept_scid_by_channel_id.insert(channel_id, intercept_scid);
+
+		// Confirm the channel is in PaymentForwarded state.
+		assert!(matches!(
+			peer_state.outbound_channels_by_intercept_scid.get(&intercept_scid).unwrap().state,
+			OutboundJITChannelState::PaymentForwarded { .. }
+		));
+
+		// Simulate what prune_channel does internally.
+		peer_state.outbound_channels_by_intercept_scid.remove(&intercept_scid);
+		peer_state.intercept_scid_by_channel_id.retain(|_, iscid| *iscid != intercept_scid);
+		peer_state.intercept_scid_by_user_channel_id.retain(|_, iscid| *iscid != intercept_scid);
+		peer_state.needs_persist = true;
+
+		// All maps must be empty after pruning.
+		assert!(peer_state.outbound_channels_by_intercept_scid.is_empty());
+		assert!(peer_state.intercept_scid_by_channel_id.is_empty());
+		assert!(peer_state.intercept_scid_by_user_channel_id.is_empty());
+		assert!(peer_state.needs_persist);
+	}
+
+	// Verify that prune_channel rejects non-terminal states.
+	#[test]
+	fn test_peer_state_prune_channel_non_terminal_rejected() {
+		let intercept_scid = 99u64;
+		let user_channel_id = 2u128;
+		let created_at = Some(LSPSDateTime::from_str("2024-01-01T00:00:00Z").unwrap());
+		let jit_channel = OutboundJITChannel::new(
+			Some(500_000),
+			make_test_opening_fee_params(),
+			user_channel_id,
+			false,
+			created_at,
+		);
+
+		// Channel is in PendingInitialPayment — a non-terminal state.
+		assert!(matches!(jit_channel.state, OutboundJITChannelState::PendingInitialPayment { .. }));
+
+		// Verify the guard logic that prune_channel uses.
+		let is_prunable =
+			matches!(jit_channel.state, OutboundJITChannelState::PaymentForwarded { .. });
+		assert!(!is_prunable, "PendingInitialPayment must not be considered prunable");
+
+		let _ = intercept_scid; // silence unused warning
 	}
 }