feat(key-wallet-manager): WalletInterface::rewind_to_height with descendant cascade (#169)

* feat(key-wallet): add rewind primitives on managed accounts

Add `demote_records_above`, `demote_record`, and (for the funds variant) `rebuild_utxos` so wallet-side reorg handling can demote above-cut records and rebuild the UTXO / spent-outpoint state from the surviving records. Mirrors the post-deserialization rebuild that the funds account's serde `Deserialize` impl already uses.

The keys variant only needs the context demotions since it carries no UTXO state. Both helpers leave records currently in `InstantSend`, `Conflicted`, or `Abandoned` contexts alone.

* feat(key-wallet): `WalletInfoInterface::rewind_to_height` with descendant cascade

Adds the wallet-level rewind orchestrator that consumes the new per-account demote / rebuild primitives. Validates the chainlock floor up front, runs an initial cut on every account, then drives a cross-account fixed-point loop that demotes any in-wallet record whose inputs spend an output of an already-demoted record. Finally rebuilds every funds account's UTXO state and rolls `last_processed_height` / `synced_height` back to `min(height, current)`.

`used_addresses` markers are intentionally preserved as monotonic state. The trait method returns a `RewindOutcome` so the manager-level emitter can fire a single atomic event per wallet. Self-conflict detection and ISLock-quorum re-validation are explicitly deferred to follow-ups with in-code TODOs.

* feat(key-wallet-manager): `WalletInterface::rewind_to_height` and `get_transaction`

Threads the wallet-side reorg path through the manager:

- new `RewindResult` and `RewindError` types
- `rewind_to_height` validates the chainlock floor across every managed wallet up front, then runs the per-wallet rewind and emits a single `WalletEvent::Reorg` per wallet whose state changed
- `get_transaction` lookup for the auto-rebroadcast path
- `WalletEvent::Reorg` variant with the partitioned demoted-vs-conflicted txid lists and the post-rewind balance

The `&mut self` receiver on `rewind_to_height` is the lock contract: implementations must not yield mid-rewind so concurrent mutators on the same trait surface cannot interleave with a reorg-driven demotion.

Mock implementations in `test_utils` get the minimum stubs needed to satisfy the trait.

* feat(dash-spv-ffi): handle `WalletEvent::Reorg` in callback dispatch

Adds the exhaustive-match arm for the new `WalletEvent::Reorg`
variant. The C ABI does not yet carry a dedicated reorg callback,
so the arm logs intent via a TODO and drops the event. Wiring a
real callback is tracked separately.

* test(key-wallet-manager): cover `rewind_to_height` and `get_transaction`

Adds seven scenarios behind the new `WalletInterface`:

- single tx at H+1 demotes from `InBlock` to `Mempool` and emits a
  `WalletEvent::Reorg` with zero confirmed balance
- TxA at H+1, TxB spending TxA at H+2 cascades both
- IS-locked record is retained as `InstantSend` through the rewind
- rewind below the chainlock floor is rejected with the correct
  error fields and a rewind at the floor itself is allowed
- `last_processed_height` and `synced_height` roll back, and a
  rewind above the current height does not advance them forward
- `get_transaction` returns stored records and `None` for unknown
  txids

* chore(key-wallet-manager): re-sort imports after rewind addition

* chore: pr cleanup — import, visibility, and comment fixes

- Import `RewindError` at module top in `event_tests.rs` instead of using `crate::wallet_interface::RewindError` inline
- Use imported `WalletId` instead of `crate::WalletId` in `wallet_interface.rs`
- Replace em-dash prose separators in doc comments with `:` or `;`
- Remove caller-reference sentence from `spend_from` doc
- Rewrite `state_changed` field doc to describe the field, not its callers

* fix(key-wallet): make `rebuild_utxos` order-independent and restore `is_trusted`

Guards every UTXO insert against `spent_outpoints` so a record whose spending child sorts earlier (e.g. two records demoted to `Mempool` after a rewind, both with `None` heights) cannot resurrect a spent outpoint into the spendable set.

Restores `is_trusted` on self-send change outputs by detecting `has_owned_input` against the rebuild's own `spent_outpoints` and matching against the account's internal pool. Post-rewind self-send change outputs that demote to `Mempool` continue to bucket into `confirmed` rather than silently undercounting.

Addresses manki-review on PR [#169](#169) ([thread](#169 (comment)), [thread](#169 (comment))).

* fix(key-wallet): require `rewind_to_height` and bound cascade work

Removes the no-op default body of `WalletInfoInterface::rewind_to_height`. The default returned `Ok(RewindOutcome::default())` with `state_changed = false`, which silently suppresses the `WalletEvent::Reorg` event and leaves UTXOs unrebuilt — a correctness-critical mutation cannot be advisory. Any implementor that forgets to override would silently appear to succeed.

Replaces the descendant cascade's full `already_demoted` re-scan with a `frontier` that carries only the previous wave. Any newly reachable descendant must spend an output of that wave, so the prior `O(D²)` loop collapses to `O(D)` for the outpoint collection step. The `already_demoted` set is retained for the candidate-skip predicate.

Addresses manki-review on PR [#169](#169) ([thread](#169 (comment)), [thread](#169 (comment))).

* refactor(key-wallet): delegate funds-account demote helpers to the keys account

`ManagedCoreFundsAccount::demote_records_above` and `demote_record` were verbatim duplicates of the keys-account versions that routed through `self.keys.transactions_mut()`. Collapse the funds versions to one-line delegations so a future correctness fix to the demotion predicate (e.g. also skipping `InstantSend`) only needs to land on the keys account.

Addresses manki-review on PR [#169](#169) ([thread](#169 (comment))).

* test(key-wallet-manager): assert balance and `Reorg` event invariants on rewind

Extends `test_rewind_cascades_to_descendant_in_same_account` to assert the post-rewind balance equals exactly the child output value. The parent UTXO remains claimed by the child (still in `Mempool`), so only the child's output reaches the spendable set. This pins down the order-independence of `rebuild_utxos`: without the `spent_outpoints` insert guard the parent UTXO would resurrect into the spendable set whenever the child's txid sorts before the parent's.

Extends `test_rewind_below_current_does_not_advance_heights_upward` to subscribe to events before the no-op rewind and assert no `WalletEvent::Reorg` was emitted. This pins down the `state_changed` guard that suppresses spurious events.

Addresses manki-review on PR [#169](#169) ([thread](#169 (comment)), [thread](#169 (comment))).

* fix(key-wallet): make `has_owned_input` order-independent in `rebuild_utxos`

`has_owned_input` was checking `spent_outpoints`, which only sees
inputs of already-processed records. A mempool child sorted before
its block parent would observe an empty set, so `is_trusted` never
got restored and trusted change still landed in `unconfirmed` after
rewind.

Collect every owned outpoint from the active records in a pre-pass
and use that set for the check, decoupling the signal from sort
order.

Addresses manki review comment on PR #169
#169 (comment)

* test(key-wallet-manager): cover three-level cascade and `is_trusted` restoration on rewind

Add `test_rewind_cascades_three_levels` so a regression that drops
descendants past the first wave of the frontier cascade is caught
by tests, and `test_rewind_restores_is_trusted_on_mempool_change`
to lock in the `has_owned_input` fix by paying change back to an
internal-pool address and asserting the demoted output lands in
`confirmed()` rather than `unconfirmed()`.

Addresses manki review comments on PR #169
#169 (comment)
#169 (comment)

* test(key-wallet-manager): assert post-rewind balance in three-level cascade

Adds a `confirmed() + unconfirmed()` assertion to `test_rewind_cascades_three_levels` so a `rebuild_utxos` regression that double-removes the intermediate `tx_b`'s output or resurrects a spent ancestor is caught by the test, not just frontier-propagation regressions.

Addresses manki-review review comment on PR #169
#169 (comment)

Author: xdustinface

dash-spv-ffi/src/callbacks.rs

@@ -1207,6 +1207,14 @@ impl FFIWalletEventCallbacks {
                     cb(c_wallet_id.as_ptr(), *height, self.user_data);
                 }
             }
+            WalletEvent::Reorg {
+                ..
+            } => {
+                // TODO(issue #145): wire a dedicated FFI callback for
+                // wallet rewind so durable consumers see demoted /
+                // conflicted txid lists and the post-rewind balance.
+                // Until then this variant has no surface on the C ABI.
+            }
             WalletEvent::ChainLockProcessed {
                 wallet_id,
                 chain_lock,

key-wallet-manager/Cargo.toml

@@ -29,6 +29,7 @@ dashcore = { path = "../dash" }
 async-trait = "0.1"
 tokio = { version = "1", features = ["macros", "rt", "sync"] }
 tracing = "0.1"
+thiserror = "1.0"
 zeroize = { version = "1.8", features = ["derive"] }
 rayon = { version = "1.11", optional = true }
 bincode = { version = "2.0.1", optional = true }

key-wallet-manager/src/event_tests.rs

@@ -1,6 +1,6 @@
 use super::test_helpers::*;
 use super::*;
-use crate::wallet_interface::WalletInterface;
+use crate::wallet_interface::{RewindError, WalletInterface};
 use dashcore::block::{Block, Header, Version};
 use dashcore::blockdata::script::Builder;
 use dashcore::blockdata::transaction::special_transaction::asset_lock::AssetLockPayload;
@@ -1269,3 +1269,287 @@ async fn test_block_processed_chainlocked_flag_matches_record_context() {
         assert!(matches!(inserted[0].context, TransactionContext::InBlock(_)));
     }
 }
+
+// ---------------------------------------------------------------------------
+// Reorg path
+// ---------------------------------------------------------------------------
+
+/// Build a transaction that spends a specific outpoint of a previous
+/// transaction (mimicking a child) paying back to one of the wallet's
+/// addresses.
+fn spend_from(parent_txid: Txid, parent_vout: u32, addr: &Address, value: u64) -> Transaction {
+    Transaction {
+        version: 2,
+        lock_time: 0,
+        input: vec![TxIn {
+            previous_output: OutPoint {
+                txid: parent_txid,
+                vout: parent_vout,
+            },
+            script_sig: ScriptBuf::new(),
+            sequence: u32::MAX,
+            witness: Witness::default(),
+        }],
+        output: vec![TxOut {
+            value,
+            script_pubkey: addr.script_pubkey(),
+        }],
+        special_transaction_payload: None,
+    }
+}
+
+#[tokio::test]
+async fn test_rewind_demotes_single_above_cut_record() {
+    let (mut manager, wallet_id, addr) = setup_manager_with_wallet();
+    let tx = create_tx_paying_to(&addr, 0xb0);
+    let block = make_block(vec![tx.clone()], 0xb0, 100);
+    let wallets = BTreeSet::from([wallet_id]);
+    manager.process_block_for_wallets(&block, 11, &wallets).await;
+
+    let mut rx = manager.subscribe_events();
+    let result = manager.rewind_to_height(10).await.expect("rewind below cut succeeds");
+    assert_eq!(result.demoted_txids, vec![tx.txid()]);
+    assert!(result.conflicted_txids.is_empty());
+
+    let events = drain_events(&mut rx);
+    let reorg = events
+        .iter()
+        .find_map(|e| match e {
+            WalletEvent::Reorg {
+                fork_height,
+                demoted_txids,
+                conflicted_txids,
+                balance,
+                ..
+            } => Some((*fork_height, demoted_txids.clone(), conflicted_txids.clone(), *balance)),
+            _ => None,
+        })
+        .expect("Reorg event must be emitted for a wallet whose state changed");
+    assert_eq!(reorg.0, 10);
+    assert_eq!(reorg.1, vec![tx.txid()]);
+    assert!(reorg.2.is_empty());
+    assert_eq!(reorg.3.confirmed(), 0, "demoted record must drop out of confirmed balance");
+
+    let info = manager.get_wallet_info(&wallet_id).expect("wallet present");
+    assert_eq!(info.last_processed_height(), 10);
+}
+
+#[tokio::test]
+async fn test_rewind_cascades_to_descendant_in_same_account() {
+    let (mut manager, wallet_id, addr) = setup_manager_with_wallet();
+    let tx_a = create_tx_paying_to(&addr, 0xc1);
+    let block_a = make_block(vec![tx_a.clone()], 0xc1, 100);
+    let wallets = BTreeSet::from([wallet_id]);
+    manager.process_block_for_wallets(&block_a, 11, &wallets).await;
+
+    let tx_b = spend_from(tx_a.txid(), 0, &addr, TX_AMOUNT / 2);
+    let block_b = make_block(vec![tx_b.clone()], 0xc2, 200);
+    manager.process_block_for_wallets(&block_b, 12, &wallets).await;
+
+    let result = manager.rewind_to_height(10).await.expect("rewind succeeds");
+    let demoted: BTreeSet<Txid> = result.demoted_txids.iter().copied().collect();
+    assert!(demoted.contains(&tx_a.txid()), "parent must be demoted");
+    assert!(demoted.contains(&tx_b.txid()), "child spending parent must cascade");
+
+    let info = manager.get_wallet_info(&wallet_id).expect("wallet present");
+    assert_eq!(info.last_processed_height(), 10);
+
+    // Rewind to Mempool leaves the child still spending the parent's
+    // output, so only the child's own output reaches the spendable
+    // set. Without `rebuild_utxos`'s order-independent spent-outpoint
+    // guard the child's output could be wrongly resurrected as still
+    // spent, or the parent's output wrongly resurrected as spendable,
+    // depending on txid sort order.
+    let balance = info.balance();
+    let total = balance.confirmed() + balance.unconfirmed();
+    assert_eq!(
+        total,
+        TX_AMOUNT / 2,
+        "after rewind the child still spends the parent in mempool, only the child's output is a UTXO (got balance {balance:?})",
+    );
+}
+
+#[tokio::test]
+async fn test_rewind_cascades_three_levels() {
+    let (mut manager, wallet_id, addr) = setup_manager_with_wallet();
+    let wallets = BTreeSet::from([wallet_id]);
+
+    let tx_a = create_tx_paying_to(&addr, 0xd0);
+    manager
+        .process_block_for_wallets(&make_block(vec![tx_a.clone()], 0xd0, 100), 11, &wallets)
+        .await;
+
+    let tx_b = spend_from(tx_a.txid(), 0, &addr, TX_AMOUNT / 2);
+    manager
+        .process_block_for_wallets(&make_block(vec![tx_b.clone()], 0xd1, 200), 12, &wallets)
+        .await;
+
+    let tx_c = spend_from(tx_b.txid(), 0, &addr, TX_AMOUNT / 4);
+    manager
+        .process_block_for_wallets(&make_block(vec![tx_c.clone()], 0xd2, 300), 13, &wallets)
+        .await;
+
+    let result = manager.rewind_to_height(10).await.expect("rewind succeeds");
+    let demoted: BTreeSet<Txid> = result.demoted_txids.iter().copied().collect();
+    // Wave 2 of the frontier cascade only fires if wave 1 propagated the
+    // newly-demoted parent into the next frontier. A regression that drops
+    // descendants beyond the first hop would still pass the two-level test
+    // above but fail here.
+    assert!(demoted.contains(&tx_a.txid()), "grandparent must be demoted");
+    assert!(demoted.contains(&tx_b.txid()), "parent must cascade (wave 1)");
+    assert!(demoted.contains(&tx_c.txid()), "child must cascade (wave 2)");
+
+    // Beyond the first cascade hop, `rebuild_utxos` must still produce a
+    // correct UTXO set: a regression that double-removes the intermediate
+    // tx_b's output, or that resurrects a spent ancestor, would inflate or
+    // deflate the balance without affecting the demotion list above.
+    let info = manager.get_wallet_info(&wallet_id).expect("wallet present");
+    let balance = info.balance();
+    let total = balance.confirmed() + balance.unconfirmed();
+    assert_eq!(
+        total,
+        TX_AMOUNT / 4,
+        "after 3-level cascade only tx_c's output remains spendable (got balance {balance:?})",
+    );
+}
+
+#[tokio::test]
+async fn test_rewind_restores_is_trusted_on_mempool_change() {
+    let (mut manager, wallet_id, addr) = setup_manager_with_wallet();
+    let wallets = BTreeSet::from([wallet_id]);
+    let (_, _, change_addr) = pool_state(&manager, &wallet_id, AddressPoolType::Internal);
+
+    let tx_a = create_tx_paying_to(&addr, 0xe0);
+    manager
+        .process_block_for_wallets(&make_block(vec![tx_a.clone()], 0xe0, 100), 11, &wallets)
+        .await;
+
+    // tx_b spends the wallet's UTXO from tx_a and pays change back to our
+    // own internal pool: after rewind tx_b ends up in mempool, so the
+    // change output is a trusted-change UTXO that must be credited to
+    // `confirmed()`, not `unconfirmed()`.
+    let tx_b = spend_from(tx_a.txid(), 0, &change_addr, TX_AMOUNT / 2);
+    manager
+        .process_block_for_wallets(&make_block(vec![tx_b.clone()], 0xe1, 200), 12, &wallets)
+        .await;
+
+    manager.rewind_to_height(10).await.expect("rewind succeeds");
+
+    let info = manager.get_wallet_info(&wallet_id).expect("wallet present");
+    let balance = info.balance();
+    assert_eq!(
+        balance.confirmed(),
+        TX_AMOUNT / 2,
+        "trusted mempool change must be credited to confirmed() after rebuild (got {balance:?})",
+    );
+    assert_eq!(balance.unconfirmed(), 0, "no untrusted mempool outputs remain");
+}
+
+#[tokio::test]
+async fn test_rewind_retains_instant_send_record() {
+    let (mut manager, wallet_id, addr) = setup_manager_with_wallet();
+    let tx = create_tx_paying_to(&addr, 0xd3);
+
+    // First sighting is an IS-locked mempool tx.
+    let islock = dummy_instant_lock(tx.txid());
+    manager.process_mempool_transaction(&tx, Some(islock.clone())).await;
+
+    let _ = manager.rewind_to_height(0).await.expect("rewind succeeds");
+
+    let info = manager.get_wallet_info(&wallet_id).expect("wallet present");
+    let mut found = false;
+    for account in info.accounts().all_accounts() {
+        if let Some(record) = account.transactions().get(&tx.txid()) {
+            assert!(
+                matches!(record.context, TransactionContext::InstantSend(_)),
+                "IS-locked record must be retained as InstantSend after rewind, got {:?}",
+                record.context,
+            );
+            found = true;
+        }
+    }
+    assert!(found, "the IS-locked transaction record must still be present after rewind");
+}
+
+#[tokio::test]
+async fn test_rewind_refuses_below_chainlock_floor() {
+    let (mut manager, wallet_id, _addr) = setup_manager_with_wallet();
+    manager.apply_chain_lock(ChainLock::dummy(50));
+
+    let err = manager
+        .rewind_to_height(49)
+        .await
+        .expect_err("rewind below chainlock floor must be rejected");
+    match err {
+        RewindError::BelowChainLockFloor {
+            requested,
+            floor,
+            wallet_id: rejecting,
+        } => {
+            assert_eq!(requested, 49);
+            assert_eq!(floor, 50);
+            assert_eq!(rejecting, wallet_id);
+        }
+    }
+
+    // Rewinding to the floor itself is allowed.
+    manager.rewind_to_height(50).await.expect("rewind at the floor is allowed");
+}
+
+#[tokio::test]
+async fn test_rewind_rolls_back_last_processed_and_synced_height() {
+    let (mut manager, wallet_id, _addr) = setup_manager_with_wallet();
+    let wallets = BTreeSet::from([wallet_id]);
+    let block = make_block(vec![], 0xee, 100);
+    manager.process_block_for_wallets(&block, 500, &wallets).await;
+    manager.update_wallet_synced_height(&wallet_id, 500);
+
+    let info = manager.get_wallet_info(&wallet_id).expect("wallet present");
+    assert_eq!(info.last_processed_height(), 500);
+    assert_eq!(info.synced_height(), 500);
+
+    manager.rewind_to_height(250).await.expect("rewind succeeds");
+
+    let info = manager.get_wallet_info(&wallet_id).expect("wallet present");
+    assert_eq!(info.last_processed_height(), 250);
+    assert_eq!(info.synced_height(), 250);
+}
+
+#[tokio::test]
+async fn test_rewind_below_current_does_not_advance_heights_upward() {
+    let (mut manager, wallet_id, _addr) = setup_manager_with_wallet();
+    let wallets = BTreeSet::from([wallet_id]);
+    let block = make_block(vec![], 0xef, 100);
+    manager.process_block_for_wallets(&block, 100, &wallets).await;
+
+    let mut rx = manager.subscribe_events();
+    manager.rewind_to_height(1000).await.expect("rewind succeeds");
+
+    let info = manager.get_wallet_info(&wallet_id).expect("wallet present");
+    assert_eq!(
+        info.last_processed_height(),
+        100,
+        "rewinding to a height above current must not advance the wallet forward",
+    );
+
+    let reorg_events: Vec<_> = drain_events(&mut rx)
+        .into_iter()
+        .filter(|e| matches!(e, WalletEvent::Reorg { .. }))
+        .collect();
+    assert!(reorg_events.is_empty(), "no-op rewind must not emit Reorg, got {reorg_events:?}",);
+}
+
+#[tokio::test]
+async fn test_get_transaction_returns_stored_record() {
+    let (mut manager, wallet_id, addr) = setup_manager_with_wallet();
+    let tx = create_tx_paying_to(&addr, 0xa9);
+    let block = make_block(vec![tx.clone()], 0xa9, 100);
+    let wallets = BTreeSet::from([wallet_id]);
+    manager.process_block_for_wallets(&block, 50, &wallets).await;
+
+    let fetched = manager.get_transaction(&tx.txid()).await.expect("tx must be retrievable");
+    assert_eq!(fetched.txid(), tx.txid());
+
+    let missing = manager.get_transaction(&Txid::from_byte_array([0xff; 32])).await;
+    assert!(missing.is_none(), "unknown txid must return None");
+}

key-wallet-manager/src/events.rs

@@ -322,6 +322,31 @@ pub enum WalletEvent {
         /// the parent transaction).
         locked_transactions: BTreeMap<AccountType, Vec<Txid>>,
     },
+    /// The wallet was rolled back to `fork_height` after a chain reorg.
+    /// Fires once per wallet whose state actually changed (records
+    /// demoted, or `last_processed_height` rolled back). Carries the
+    /// partitioned demoted-vs-conflicted txid lists plus the wallet's
+    /// post-rewind balance so consumers can persist the new state
+    /// atomically.
+    Reorg {
+        /// ID of the affected wallet.
+        wallet_id: WalletId,
+        /// Common-ancestor height in the active chain that the wallet
+        /// was rolled back to.
+        fork_height: CoreBlockHeight,
+        /// Records demoted to an active-but-unconfirmed context
+        /// (`Mempool` or retained `InstantSend`). Empty when the
+        /// reorg rolled `last_processed_height` back over a height
+        /// range that contained no wallet records.
+        demoted_txids: Vec<Txid>,
+        /// Records demoted to a terminal inactive context
+        /// (`Conflicted` / `Abandoned`). Currently always empty;
+        /// self-conflict detection is deferred to a follow-up.
+        conflicted_txids: Vec<Txid>,
+        /// Wallet balance after the rewind. UTXO state was rebuilt
+        /// from the surviving records before this value was computed.
+        balance: WalletCoreBalance,
+    },
 }
 
 impl WalletEvent {
@@ -347,6 +372,10 @@ impl WalletEvent {
             | WalletEvent::ChainLockProcessed {
                 wallet_id,
                 ..
+            }
+            | WalletEvent::Reorg {
+                wallet_id,
+                ..
             } => *wallet_id,
         }
     }
@@ -425,6 +454,20 @@ impl fmt::Display for WalletEvent {
                     total_txids,
                 )
             }
+            WalletEvent::Reorg {
+                fork_height,
+                demoted_txids,
+                conflicted_txids,
+                balance,
+                ..
+            } => write!(
+                f,
+                "Reorg(fork_height={}, demoted={}, conflicted={}, balance={})",
+                fork_height,
+                demoted_txids.len(),
+                conflicted_txids.len(),
+                balance,
+            ),
         }
     }
 }