feat: track and persist session peer outcomes (#106)

* feat: add session outcome fields to `PeerReputation`

Adds `last_success`, `last_tried`, and `consecutive_failures` to `PeerReputation`, plus a `record_connection_failure` method on `PeerReputationManager`. All new fields use `#[serde(default)]` so existing `reputations.json` files load without migration.

`record_connection_attempt` now sets `last_tried` and `record_successful_connection` sets `last_success` and resets `consecutive_failures`.

* test: cover `PeerReputation` session outcome transitions

Adds unit tests for default values, `last_tried` on attempt, `last_success` plus `consecutive_failures` reset on success, failure streak increment preserving `last_success`, and legacy `reputations.json` decoding with missing fields.

* feat: bump `AddrV2.time` on successful handshake

Adds `AddrV2Handler::mark_seen` to refresh the stored timestamp for a directly observed peer, preserving existing services for known entries and inserting a fresh entry otherwise. `connect_to_peer` now calls `mark_seen` after a successful handshake so the `peers.dat` time reflects first-hand observation instead of gossip.

* feat: track peer connection outcomes in network manager

Calls `record_connection_failure` on both the TCP connect failure and the handshake failure paths in `PeerNetworkManager::connect_to_peer`, so the `consecutive_failures` streak reflects every unsuccessful attempt.

* refactor: drop backward-compat shims from `PeerReputation`

Removes `#[serde(default)]` on the new session outcome fields and the legacy-JSON load test. Backward compatibility of `reputations.json` across versions is no longer a requirement, so the shims and test are dead weight.

* refactor: thread peer-advertised services into `mark_seen`

* docs: clarify `last_connection` vs `last_tried` on `PeerReputation`

* refactor: extract `make_addr_message` helper in `addrv2`

* refactor: defensively set `last_tried` in `record_connection_failure`

* refactor: add atomic `record_failure_with_penalty` and use at failure sites

* chore: apply `cargo fmt`

* refactor: clamp `consecutive_failures` on deserialization

* refactor: extract `apply_score_change` and always update `last_tried` on failure

* test: cover `record_failure_with_penalty` directly

* refactor: clamp \`consecutive_failures\` at runtime and consolidate failure-field updates

Extract private `record_failure_fields` that applies `last_tried = now` and
`consecutive_failures.saturating_add(1).min(MAX_CONSECUTIVE_FAILURES)`. Both
`record_connection_failure` and `record_failure_with_penalty` now delegate to it,
eliminating duplicated mutations and capping the in-memory streak at the same 1000
limit enforced by the deserializer.

* test: cover \`consecutive_failures\` clamp, \`last_success\` preservation, \`mark_seen\` eviction

- Assert `last_success` is unchanged after `record_failure_with_penalty`
- Deserialize a `PeerReputation` with `consecutive_failures: 99999` and assert it clamps to `MAX_CONSECUTIVE_FAILURES`
- Fill `AddrV2Handler` to capacity and assert `mark_seen` stays bounded and includes the new entry

* refactor: remove unused `record_connection_failure`

* test: stabilize eviction test and cover runtime `consecutive_failures` saturation

* refactor: document and assert non-negative contract on `record_failure_with_penalty`

* test: cover `last_tried` preservation on success and update on failure

* fix: clamp negative `score_change` in `record_failure_with_penalty`

* test: cover happy-path attempt to success lifecycle

* refactor: tighten `clamp_future_system_time` bounds and enforce load invariants

Add a 30-day lower bound to `clamp_future_system_time` so stale or corrupted timestamps
(including epoch 0) are discarded on load, in addition to future ones.

Add `PeerReputation::normalize_after_load` and call it from the storage load path.
It resets `consecutive_failures` to 0 whenever `last_tried` is `None`, preventing
the inconsistent state where a non-zero failure streak has no temporal anchor.

* test: cover `clamp_future_system_time` edge cases

Add three tests: future timestamp rejected, epoch-zero rejected (exercising the new
lower bound), and recent-past timestamp preserved.

* docs: clarify zero-`score_change` contract on `record_failure_with_penalty`

A value of 0 is a deliberate no-op for the reputation score but still records
the failure counter and timestamp, which is useful for failures that should be
tracked without contributing toward a ban.

* fix: use `checked_sub` in `clamp_future_system_time` to avoid panic on broken clocks

* test: cover `normalize_after_load` via storage round-trip

* fix: use `checked_add` in `clamp_future_system_time` to avoid panic on far-future clocks

* test: also cover stale-timestamp path in `normalize_after_load` round-trip

* refactor: drop 30-day stale-timestamp floor from `clamp_future_system_time`

Remove `TIMESTAMP_MAX_AGE` and the `floor` computation that rejected timestamps older than 30 days. The future-timestamp guard (10-second tolerance) is the only meaningful constraint. Update the `normalize_after_load` doc comment to drop the "stale" reference.

* test: remove obsolete stale-timestamp tests and consolidate `clamp_future_system_time` coverage

Delete `test_normalize_after_load_via_storage_round_trip_stale` (tested the removed stale-floor path). Merge the three `test_clamp_future_system_time_*` tests into a single `test_clamp_future_system_time` covering future rejection and recent-past acceptance.

* fix: \`mark_seen\` now overwrites \`services\` on existing entries

Since round 1 the caller passes the actual handshake-negotiated services, so
preserving the gossip-sourced value was inverted. The handshake-observed value
is authoritative and is now written on both new and existing entries.

Rename \`test_mark_seen_bumps_time_and_preserves_services\` to
\`test_mark_seen_bumps_time_and_updates_services\` and update its assertion to
expect the handshake services, not the original gossip services.

* test: cover positive \`normalize_after_load\` branch

Add \`test_normalize_after_load_preserves_failures_when_last_tried_valid\`
to assert that a valid (non-future) \`last_tried\` and a non-zero
\`consecutive_failures\` are both preserved through the load round-trip,
complementing the existing reset-path test.

* refactor: move `record_failure_fields` to `impl PeerReputation`

* refactor: move `apply_score_change` to `impl PeerReputation`

Author: xdustinface

dash-spv/src/network/addrv2.rs

@@ -2,7 +2,7 @@
 
 use rand::prelude::*;
 use std::collections::{HashMap, HashSet};
-use std::net::SocketAddr;
+use std::net::{IpAddr, SocketAddr};
 use std::sync::Arc;
 use std::time::{Duration, SystemTime, UNIX_EPOCH};
 use tokio::sync::RwLock;
@@ -26,6 +26,19 @@ fn evict_if_needed(peers: &mut HashMap<SocketAddr, AddrV2Message>) {
     }
 }
 
+fn make_addr_message(addr: SocketAddr, services: ServiceFlags, time: u32) -> AddrV2Message {
+    let addr_v2 = match addr.ip() {
+        IpAddr::V4(ipv4) => AddrV2::Ipv4(ipv4),
+        IpAddr::V6(ipv6) => AddrV2::Ipv6(ipv6),
+    };
+    AddrV2Message {
+        time,
+        services,
+        addr: addr_v2,
+        port: addr.port(),
+    }
+}
+
 /// Handler for AddrV2 peer exchange protocol
 pub struct AddrV2Handler {
     /// Known peer addresses from AddrV2 messages
@@ -134,21 +147,36 @@ impl AddrV2Handler {
             })
             .as_secs() as u32;
 
-        let addr_v2 = match addr.ip() {
-            std::net::IpAddr::V4(ipv4) => AddrV2::Ipv4(ipv4),
-            std::net::IpAddr::V6(ipv6) => AddrV2::Ipv6(ipv6),
-        };
+        let mut known_peers = self.known_peers.write().await;
+        known_peers.insert(addr, make_addr_message(addr, services, now));
+        evict_if_needed(&mut known_peers);
+    }
 
-        let addr_msg = AddrV2Message {
-            time: now,
-            services,
-            addr: addr_v2,
-            port: addr.port(),
-        };
+    /// Bump the stored `AddrV2.time` for `addr` to now after directly observing
+    /// the peer (e.g. a successful handshake) and record the handshake-verified
+    /// `services`. A first-hand observation is authoritative, so both `time` and
+    /// `services` are overwritten on existing entries. If the entry is missing it
+    /// is created with the provided values.
+    pub async fn mark_seen(&self, addr: SocketAddr, services: ServiceFlags) {
+        let now = SystemTime::now()
+            .duration_since(UNIX_EPOCH)
+            .unwrap_or_else(|e| {
+                tracing::error!("System time error in mark_seen: {}", e);
+                Duration::from_secs(0)
+            })
+            .as_secs() as u32;
 
         let mut known_peers = self.known_peers.write().await;
-        known_peers.insert(addr, addr_msg);
-        evict_if_needed(&mut known_peers);
+        match known_peers.get_mut(&addr) {
+            Some(existing) => {
+                existing.time = now;
+                existing.services = services;
+            }
+            None => {
+                known_peers.insert(addr, make_addr_message(addr, services, now));
+                evict_if_needed(&mut known_peers);
+            }
+        }
     }
 
     /// Build a GetAddr response message
@@ -187,6 +215,84 @@ mod tests {
         assert_eq!(known[0].socket_addr().unwrap(), addr);
     }
 
+    #[tokio::test]
+    async fn test_mark_seen_bumps_time_and_updates_services() {
+        let handler = AddrV2Handler::new();
+        let addr: SocketAddr = "10.0.0.5:9999".parse().unwrap();
+
+        // Seed via AddrV2 gossip with a stale-but-valid timestamp and richer services.
+        let gossip_services = ServiceFlags::NETWORK | ServiceFlags::COMPACT_FILTERS;
+        let ipv4_addr = match addr.ip() {
+            IpAddr::V4(v4) => v4,
+            _ => panic!("test expects IPv4"),
+        };
+        let now =
+            SystemTime::now().duration_since(UNIX_EPOCH).expect("system time").as_secs() as u32;
+        let stale_time = now.saturating_sub(3600);
+        handler
+            .handle_addrv2(vec![AddrV2Message {
+                time: stale_time,
+                services: gossip_services,
+                addr: AddrV2::Ipv4(ipv4_addr),
+                port: addr.port(),
+            }])
+            .await;
+
+        // Observe the peer directly — handshake-verified services are authoritative.
+        let handshake_services = ServiceFlags::NETWORK;
+        handler.mark_seen(addr, handshake_services).await;
+
+        let known = handler.get_known_addresses().await;
+        let entry = known.iter().find(|m| m.socket_addr().ok() == Some(addr)).expect("entry");
+        assert!(entry.time >= now);
+        assert!(entry.time > stale_time);
+        assert_eq!(entry.services, handshake_services);
+    }
+
+    #[tokio::test]
+    async fn test_mark_seen_inserts_new_entry() {
+        let handler = AddrV2Handler::new();
+        let addr: SocketAddr = "10.0.0.6:9999".parse().unwrap();
+
+        assert!(handler.get_known_addresses().await.is_empty());
+
+        handler.mark_seen(addr, ServiceFlags::NETWORK).await;
+
+        let known = handler.get_known_addresses().await;
+        assert_eq!(known.len(), 1);
+        assert_eq!(known[0].socket_addr().unwrap(), addr);
+        assert_eq!(known[0].services, ServiceFlags::NETWORK);
+    }
+
+    #[tokio::test]
+    async fn test_mark_seen_evicts_when_at_capacity() {
+        let handler = AddrV2Handler::new();
+
+        // Use staggered timestamps strictly older than the mark_seen call below so
+        // the new entry is definitively the freshest and survives eviction.
+        let base_time =
+            (SystemTime::now().duration_since(UNIX_EPOCH).expect("system time").as_secs() as u32)
+                .saturating_sub(ONE_WEEK / 2);
+
+        let msgs: Vec<AddrV2Message> = (0..MAX_ADDR_TO_STORE)
+            .map(|i| {
+                let addr: SocketAddr =
+                    format!("10.{}.{}.1:9999", i / 256, i % 256).parse().unwrap();
+                make_addr_message(addr, ServiceFlags::NETWORK, base_time - i as u32)
+            })
+            .collect();
+        handler.handle_addrv2(msgs).await;
+
+        assert_eq!(handler.get_known_addresses().await.len(), MAX_ADDR_TO_STORE);
+
+        let new_addr: SocketAddr = "192.168.99.99:9999".parse().unwrap();
+        handler.mark_seen(new_addr, ServiceFlags::NETWORK).await;
+
+        let known = handler.get_known_addresses().await;
+        assert_eq!(known.len(), MAX_ADDR_TO_STORE);
+        assert!(known.iter().any(|m| m.socket_addr().ok() == Some(new_addr)));
+    }
+
     #[tokio::test]
     async fn test_addrv2_timestamp_validation() {
         let handler = AddrV2Handler::new();
@@ -199,7 +305,7 @@ mod tests {
         let addr: SocketAddr =
             "127.0.0.1:9999".parse().expect("Failed to parse test socket address");
         let ipv4_addr = match addr.ip() {
-            std::net::IpAddr::V4(v4) => v4,
+            IpAddr::V4(v4) => v4,
             _ => panic!("Test expects IPv4 address but got IPv6"),
         };
 

dash-spv/src/network/handshake.rs

@@ -301,6 +301,11 @@ impl HandshakeManager {
         self.peer_version
     }
 
+    /// Get the service flags advertised by the peer in its version message.
+    pub fn peer_services(&self) -> Option<ServiceFlags> {
+        self.peer_services
+    }
+
     /// Check if peer supports headers2 compression.
     pub fn peer_supports_headers2(&self) -> bool {
         self.peer_services.map(|services| services.has(NODE_HEADERS_COMPRESSED)).unwrap_or(false)

dash-spv/src/network/manager.rs

@@ -265,6 +265,10 @@ impl PeerNetworkManager {
                                 tracing::warn!("Failed to send GetAddr to {}: {}", addr, e);
                             }
 
+                            // Capture peer-advertised services before the peer is moved into the pool.
+                            let peer_services =
+                                handshake_manager.peer_services().unwrap_or(ServiceFlags::NETWORK);
+
                             // Record successful connection
                             reputation_manager.record_successful_connection(addr).await;
 
@@ -290,8 +294,9 @@ impl PeerNetworkManager {
                                 best_height,
                             });
 
-                            // Add to known addresses
-                            addrv2_handler.add_known_address(addr, ServiceFlags::NETWORK).await;
+                            // Bump the AddrV2 time on direct observation, using the peer's
+                            // actual advertised services from the version message.
+                            addrv2_handler.mark_seen(addr, peer_services).await;
 
                             // // Start message reader for this peer
                             Self::start_peer_reader(
@@ -311,9 +316,8 @@ impl PeerNetworkManager {
                             tracing::warn!("Handshake failed with {}: {}", addr, e);
                             // Only clears connecting set. Peer was never added, so no count/event needed.
                             pool.remove_peer(&addr).await;
-                            // Update reputation for handshake failure
                             reputation_manager
-                                .update_reputation(
+                                .record_failure_with_penalty(
                                     addr,
                                     misbehavior_scores::INVALID_MESSAGE,
                                     "Handshake failed",
@@ -328,9 +332,8 @@ impl PeerNetworkManager {
                     tracing::debug!("Failed to connect to {}: {}", addr, e);
                     // Only clears connecting set. Peer was never added, so no count/event needed.
                     pool.remove_peer(&addr).await;
-                    // Minor reputation penalty for connection failure
                     reputation_manager
-                        .update_reputation(
+                        .record_failure_with_penalty(
                             addr,
                             misbehavior_scores::TIMEOUT / 2,
                             "Connection failed",