fix: index rotated quorums by quorum_index and rebuild per cycle

[xdustinface]

The Vec<QualifiedQuorumEntry> had no size bound and no uniqueness check on quorum_index. Combined with QRInfo still being requested on every new block (will change soon), repeated feed_qr_info calls within a single rotation cycle accumulated duplicate entries that the lookup then returned as stale matches.

• Switch the inner container to BTreeMap<u16, QualifiedQuorumEntry> keyed by quorum_index so insertion replaces by key, lookup is direct, and re-feeds of the same cycle are not causing wrong behaviour anymore.
• Introduce insert_cycle_quorum_by_index as helper to centralize inserts.
• Both branches of feed_qr_info now .clear() the per-cycle map before refilling it and clearing is enforced via a debug assert.
• Migrates tests/data/test_DML_diffs/masternode_list_engine.hex to the new format.

[manki-review]

Manki — Review complete

Planner (24s)
    bugfix · 253 lines · 4 agents
    review effort: medium · judge effort: high

Review — 17 findings
    ✅ Security & Safety — 4 (181s)
    ✅ Correctness & Logic — 5 (228s)
    ✅ Architecture & Design — 4 (174s)
    ✅ Testing & Coverage — 4 (68s)

Judge — 8 kept · 0 dropped (83s)
    kept: 3 required · 2 suggestion · 3 nit

Review metadata

Config:

• Models: reviewer=claude-sonnet-4-6, judge=claude-sonnet-4-6
• Review level: medium (auto, 253 lines)
• Team: Security & Safety, Correctness & Logic, Architecture & Design, Testing & Coverage
• Memory: disabled
• Nit handling: issues

Judge decisions:

• ✓ Kept: "Negative i16 quorum_index silently wraps to large u16 map key" (required, high confidence) — "Merged findings 1, 5, and 11 — all three independently flag the same quorum_index as u16 cast on line 220. Three of four reviewers flagged this; two rated it required. Network-supplied data with a negative quorum_index passes the ok_or None-check, wraps to a key like 65535, occupies a capacity slot under a bogus key that legitimate lookups never hit, and can trigger TooManyRotatedQuorumsInCycle for the entire rotation cycle. Impact: High (DoS of InstantSend verification), Likelihood: Possible (requires a malformed QRInfo message, but in a p2p network this is a realistic attack surface) → required. Fix: u16::try_from(quorum_index).map_err(|_| ...) or an explicit < 0 guard before the cast."
• ✓ Kept: "#[should_panic] test fails in release mode — missing #[cfg(debug_assertions)]" (required, high confidence) — "Merged findings 6 and 14 — both independently flagged the same test at line 1269-1270. The panic is produced by debug_assert!, which is a no-op in release mode; #[should_panic] therefore never sees its expected panic and the test fails under cargo test --release. Impact: High (inverted test result in a CI configuration that runs release tests), Likelihood: Certain (will happen on every release-mode test run). The test name itself includes "in_debug" indicating the author was aware of the scope, but the #[cfg(debug_assertions)] guard was simply not added."
• ✓ Kept: "Tests import feature-gated function without matching cfg guard" (required, high confidence) — "Finding 10, flagged by one reviewer, but technically a compile error. insert_cycle_quorum_by_index is #[cfg(feature = "quorum_validation")] (line 211), and the use super::insert_cycle_quorum_by_index plus the four new unit tests are inside #[cfg(test)] but are not also guarded by #[cfg(feature = "quorum_validation")]. Without that feature the symbol does not exist and the use declaration produces an unresolved-import compile error on any build configuration that omits the feature. Impact: Critical (compile failure), Likelihood: Certain. Even though only one reviewer caught it, this is a hard build break."
• ✓ Kept: "Duplicate quorum_index only detected in debug builds; silently replaces entry in release" (suggestion, high confidence) — "Merged findings 2, 8, 12, and 16 — all describe the same debug/release behavioral divergence for duplicate keys. In debug builds the debug_assert! panics; in release it's stripped and BTreeMap::insert silently replaces the existing entry. The contract ('caller must clear() before re-feeding') is documented only in the assert message, and a production caller that forgets .clear() gets silent data mutation with no log, metric, or error. The cap check is also short-circuited for duplicates. Impact: Medium (silent data corruption under a specific caller bug), Likelihood: Possible. The correct fix is either promoting the check to a hard Err or at minimum adding a tracing::warn! for the duplicate case in release builds."
• ✓ Kept: "No regression test for the core bug fix (re-feeding the same cycle accumulates duplicates)" (suggestion, medium confidence) — "Finding 15, one reviewer. The PR's stated fix is that repeated feed_qr_info calls for the same cycle no longer accumulate stale entries, but the new unit tests only exercise insert_cycle_quorum_by_index in isolation. A higher-level test that feeds the same cycle twice and asserts rotated_quorums_per_cycle[&cycle_hash].len() == active_quorum_count would catch any future regression that removes the .clear() call. Impact: Medium (risk of regression going undetected), Likelihood: Possible."
• ✓ Kept: "Debug-log drops quorum_entry.quorum_index field, relies solely on BTreeMap key" (nit, high confidence) — "Merged findings 4 and 9. Both reviewers rated this nit. Logging idx (the map key) instead of q.quorum_entry.quorum_index (the raw field) means any future key/field inconsistency — e.g., from the negative-cast bug — would be invisible in traces. Logging both values costs nothing and preserves the original observability intent."
• ✓ Kept: "Redundant contains_key check after debug_assert" (nit, medium confidence) — "Finding 13, one reviewer, rated nit. The !inner.contains_key(&key) condition in the cap check duplicates the predicate already guarded by the preceding debug_assert!. In debug builds a duplicate would have already panicked; in release the guard silently permits replacement. The logic is harmless but a brief inline comment explaining the release-mode intent ('allow replacement without counting against the cap') would clarify the design."
• ✓ Kept: "Test comment documents an assumption that should be an assertion" (nit, medium confidence) — "Finding 17, one reviewer, rated nit. The comment // LlmqtypeTest has signing_active_quorum_count = 2 is load-bearing for the loop bound and cap match arm. An assert_eq!(LLMQType::LlmqtypeTest.active_quorum_count(), 2, ...) at the start of the test would cause an explicit failure if the constant ever changes, rather than silently letting the test pass with wrong coverage."

Timing:

• Parse: 5.0s
• Review agents: 253.8s
• Judge: 83.2s
• Total: 342.1s

[codecov-commenter]

Codecov Report

❌ Patch coverage is 85.21739% with 17 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.86%. Comparing base (77dd87b) to head (d6d04a3).

Files with missing lines	Patch %	Lines
dash/src/sml/masternode_list_engine/mod.rs	84.76%	16 Missing ⚠️
...ernode_list_engine/message_request_verification.rs	90.00%	1 Missing ⚠️

Additional details and impacted files

@@              Coverage Diff              @@
##           v0.42-dev      #97      +/-   ##
=============================================
+ Coverage      67.84%   67.86%   +0.02%     
=============================================
  Files            318      318              
  Lines          67784    67832      +48     
=============================================
+ Hits           45988    46036      +48     
  Misses         21796    21796              

Flag	Coverage Δ
core	75.27% <85.21%> (+0.05%)	⬆️
ffi	38.62% <ø> (ø)
rpc	20.00% <ø> (ø)
spv	85.34% <ø> (ø)
wallet	67.56% <ø> (ø)

Files with missing lines	Coverage Δ
dash/src/sml/quorum_validation_error.rs	37.50% <ø> (ø)
...ernode_list_engine/message_request_verification.rs	82.03% <90.00%> (-1.08%)	⬇️
dash/src/sml/masternode_list_engine/mod.rs	74.89% <84.76%> (+1.73%)	⬆️

... and 3 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[manki-review]

Three blockers need fixing before merge: a negative quorum_index from the network wraps silently to a phantom u16 key (DoS vector for InstantSend rotation), cargo test --release fails because the should_panic test expects a debug_assert that's a no-op in release, and the test module is missing #[cfg(feature = "quorum_validation")] which breaks compilation without that feature flag.

📊 8 findings (3 required, 2 suggestion, 3 nit) · 253 lines · 342s

Review stats

{
  "model": "claude-sonnet-4-6",
  "reviewTimeMs": 342054,
  "diffLines": 253,
  "diffAdditions": 181,
  "diffDeletions": 72,
  "filesReviewed": 4,
  "agents": [
    "Security & Safety",
    "Correctness & Logic",
    "Architecture & Design",
    "Testing & Coverage"
  ],
  "findingsRaw": 17,
  "findingsKept": 8,
  "findingsDropped": 9,
  "severity": {
    "required": 3,
    "suggestion": 2,
    "nit": 3
  },
  "verdict": "REQUEST_CHANGES",
  "prNumber": 97,
  "commitSha": "69e18e91b2e224936ed0fb9a7299fe26b8ecb5cf",
  "agentMetrics": [
    {
      "name": "Security & Safety",
      "findingsRaw": 4,
      "findingsKept": 3,
      "responseLength": 3864
    },
    {
      "name": "Correctness & Logic",
      "findingsRaw": 5,
      "findingsKept": 3,
      "responseLength": 5882
    },
    {
      "name": "Architecture & Design",
      "findingsRaw": 4,
      "findingsKept": 3,
      "responseLength": 3902
    },
    {
      "name": "Testing & Coverage",
      "findingsRaw": 4,
      "findingsKept": 3,
      "responseLength": 4278
    }
  ],
  "judgeMetrics": {
    "confidenceDistribution": {
      "high": 5,
      "medium": 3,
      "low": 0
    },
    "severityChanges": 8,
    "mergedDuplicates": 9
  },
  "fileMetrics": {
    "fileTypes": {
      ".rs": 3,
      ".hex": 1
    },
    "findingsPerFile": {
      "dash/src/sml/masternode_list_engine/mod.rs": 7,
      "dash/src/sml/masternode_list_engine/message_request_verification.rs": 1
    }
  },
  "reviewerModel": "claude-sonnet-4-6",
  "judgeModel": "claude-sonnet-4-6"
}

[manki-review]

Manki — Review complete

Planner (24s)
    bugfix · 360 lines · 5 agents
    review effort: medium · judge effort: high

Review — 17 findings
    ✅ Security & Safety — 4 (151s)
    ✅ Correctness & Logic — 2 (200s)
    ✅ Architecture & Design — 4 (209s)
    ✅ Testing & Coverage — 3 (78s)
    ✅ Dependencies & Integration — 4 (119s)

Judge — 12 kept · 0 dropped (131s)
    kept: 1 required · 6 suggestion · 5 nit

Review metadata

Config:

• Models: reviewer=claude-sonnet-4-6, judge=claude-sonnet-4-6
• Review level: medium (auto, 360 lines)
• Team: Security & Safety, Correctness & Logic, Architecture & Design, Testing & Coverage, Dependencies & Integration
• Memory: disabled
• Nit handling: issues

Judge decisions:

• ✓ Kept: "Per-cycle map left empty when rebuild fails mid-loop" (suggestion, high confidence) — "Impact: High (IS lock verification for an entire cycle fails with CycleHashEmpty until successful re-feed), Likelihood: Possible (requires malformed or adversarial QRInfo batch). After map.clear() any ?-propagated error from insert_cycle_quorum_by_index leaves the map in a partially or fully empty state. A temp-map-then-swap pattern is a clean, low-risk fix."
• ✓ Kept: "Incomplete cycle map silently accepted in release builds" (suggestion, high confidence) — "Impact: High (IS lock lookups for any missing quorum index return QuorumIndexNotFound, degrading verification for the whole cycle), Likelihood: Possible (malformed peer data). Both the post-loop debug_assert_eq! (line 777) and the absence of a floor check in insert_cycle_quorum_by_index mean under-filled maps pass silently in release builds. Merged findings 2 and 10 — same underlying gap at different code locations."
• ✓ Kept: "New regression test lacks #[cfg(feature = "quorum_validation")] guard" (required, high confidence) — "Impact: Critical (compile failure in non-validation builds — feed_qr_info has a different signature without the feature), Likelihood: Certain (any CI build without the feature will fail to compile). Three independent reviewers flagged this. Even if the build happens to pass today, the test validates nothing without the feature because rotated_quorums_per_cycle is never populated, so both assertion sides are empty and the bug goes undetected. Merged findings 3, 5, and 11."
• ✓ Kept: "Negative quorum_index reuses RequiredQuorumIndexNotPresent error variant" (nit, medium confidence) — "Impact: Low (ambiguous log messages only), Likelihood: Possible. Conflating a negative (invalid) index with an absent index makes debugging harder but does not affect correctness. A dedicated variant or CorruptedCodeExecution with a message would be clearer, but this is a diagnostics quality concern."
• ✓ Kept: "First-branch debug_assert_eq! is silently skipped when cycle map is None" (nit, medium confidence) — "Impact: Low (weakened debug-mode invariant check only), Likelihood: Unlikely (the or_default() call guarantees Some in the normal path). The asymmetry with the second branch is a minor inconsistency, not a correctness risk."
• ✓ Kept: "Inserting variant mid-enum breaks bincode discriminant stability" (suggestion, high confidence) — "Impact: High (silent deserialization corruption — old CorruptedCodeExecution encoded values would decode as TooManyRotatedQuorumsInCycle and vice versa), Likelihood: Possible (only affects persisted engine state across this version boundary; the test hex was already updated, indicating awareness). Two reviewers flagged this. The API is v0.x.x unstable, which reduces severity, but appending at the end costs nothing and eliminates the risk entirely. Merged findings 7 and 14."
• ✓ Kept: "Misleading error message on duplicate quorum_index — blames caller for a protocol violation" (nit, high confidence) — "Impact: Low (misleading diagnostic message only), Likelihood: Possible. Both call sites clear the map before the loop, so the message 'caller must clear the per-cycle map between feeds' misdirects debugging. The actionable fix is a one-line string change."
• ✓ Kept: "Regression test uses weak assertion (> 0) instead of exact quorum count" (suggestion, high confidence) — "Impact: Medium (test would pass with one quorum per cycle, not catching partial-clear or drop bugs), Likelihood: Certain (the weak assertion always runs). The debug_assert_eq! in production catches exact-count violations only in debug builds; the integration test should provide the release-mode complement. Merged findings 9 and 13."
• ✓ Kept: "Regression test only compares cycle entry counts, not the actual quorum maps" (suggestion, medium confidence) — "Impact: Medium (a re-feed that silently replaces quorums with different ones would pass), Likelihood: Certain (the test always has this limitation). Comparing (cycle_hash, BTreeMap<u16, quorum_hash>) would directly assert idempotency of content, not just cardinality."
• ✓ Kept: "Public struct field rotated_quorums_per_cycle type change is a breaking API contract" (nit, medium confidence) — "Impact: Medium (downstream callers using .iter() expecting flat entries or .push() get compile errors), Likelihood: Certain for any existing callers. However the library is explicitly v0.x.x unstable with documented API instability, so this is expected. A type alias would be a low-cost improvement but is not blocking."
• ✓ Kept: "QuorumValidationError import not gated by #[cfg(feature = "quorum_validation")] in test module" (suggestion, high confidence) — "Impact: Medium (unused import becomes a compile error under -D warnings in non-validation builds), Likelihood: Probable (any build without the feature with strict linting hits this). The project runs cargo clippy --all-features, which would miss this, but a targeted non-feature build in CI would catch it."
• ✓ Kept: "Unchecked quorum_index as u16 truncating cast in is_lock_quorum" (nit, high confidence) — "Impact: Low (practically impossible — current protocol caps quorum indices at ~24), Likelihood: Unlikely. The inconsistency with the try_from pattern in insert_cycle_quorum_by_index is worth noting but poses no real risk today."

Timing:

• Parse: 5.4s
• Review agents: 235.2s
• Judge: 130.8s
• Total: 371.4s

Superseded by new review

[manki-review]

Negative-index wrapping and debug-only duplicate detection from the previous review are both resolved. The new regression test is missing its #[cfg(feature = "quorum_validation")] guard — a definite compile failure in non-validation builds — and TooManyRotatedQuorumsInCycle is inserted mid-enum in a bincode-serialized type, silently shifting discriminants for all subsequent variants.

📊 12 findings (1 required, 6 suggestion, 5 nit) · 360 lines · 371s

Review stats

{
  "model": "claude-sonnet-4-6",
  "reviewTimeMs": 371372,
  "diffLines": 360,
  "diffAdditions": 286,
  "diffDeletions": 74,
  "filesReviewed": 4,
  "agents": [
    "Security & Safety",
    "Correctness & Logic",
    "Architecture & Design",
    "Testing & Coverage",
    "Dependencies & Integration"
  ],
  "findingsRaw": 17,
  "findingsKept": 12,
  "findingsDropped": 5,
  "severity": {
    "required": 1,
    "suggestion": 6,
    "nit": 5
  },
  "verdict": "REQUEST_CHANGES",
  "prNumber": 97,
  "commitSha": "6a4f4e0853d798a475d69e283850c78484407175",
  "agentMetrics": [
    {
      "name": "Security & Safety",
      "findingsRaw": 4,
      "findingsKept": 4,
      "responseLength": 3495
    },
    {
      "name": "Correctness & Logic",
      "findingsRaw": 2,
      "findingsKept": 1,
      "responseLength": 2416
    },
    {
      "name": "Architecture & Design",
      "findingsRaw": 4,
      "findingsKept": 3,
      "responseLength": 3859
    },
    {
      "name": "Testing & Coverage",
      "findingsRaw": 3,
      "findingsKept": 3,
      "responseLength": 3333
    },
    {
      "name": "Dependencies & Integration",
      "findingsRaw": 4,
      "findingsKept": 4,
      "responseLength": 4644
    }
  ],
  "judgeMetrics": {
    "confidenceDistribution": {
      "high": 8,
      "medium": 4,
      "low": 0
    },
    "severityChanges": 12,
    "mergedDuplicates": 5
  },
  "fileMetrics": {
    "fileTypes": {
      ".rs": 3,
      ".hex": 1
    },
    "findingsPerFile": {
      "dash/src/sml/masternode_list_engine/mod.rs": 10,
      "dash/src/sml/quorum_validation_error.rs": 1,
      "dash/src/sml/masternode_list_engine/message_request_verification.rs": 1
    }
  },
  "reviewerModel": "claude-sonnet-4-6",
  "judgeModel": "claude-sonnet-4-6"
}

[manki-review]

Manki — Review complete

Planner
    379 lines · 0 agents

Review — 15 findings

Judge — 6 kept · 0 dropped (122s)
    kept: 2 suggestion · 4 nit

Review metadata

Config:

• Models: reviewer=claude-sonnet-4-6, judge=claude-sonnet-4-6
• Review level: medium (auto, 379 lines)
• Team: Security & Safety, Architecture & Design, Correctness & Logic, Testing & Coverage, Performance & Efficiency
• Memory: disabled
• Nit handling: issues

Judge decisions:

• ✓ Kept: "Inserting TooManyRotatedQuorumsInCycle mid-enum shifts bincode discriminants" (suggestion, high confidence) — "Merged Findings 1, 2, 5, 8, 13 — all five independent reviewers reached the same conclusion. Impact: Medium-High (silent deserialization as wrong variant for CorruptedCodeExecution and later variants in any bincode-encoded blob); Likelihood: Possible (error values being persisted to disk or transmitted is less common for error types, but the enum does derive bincode::Encode/Decode under the bincode feature, the .hex test fixture confirms binary serialization is in active use, and fuzz corpora are explicitly mentioned). Fix is trivial: append the new variant after FeatureNotTurnedOn. Given 5/5 reviewer consensus in a crypto protocol library where wire-format stability matters, keeping at suggestion."
• ✓ Kept: "Count-mismatch check is silently skipped when qualified_rotated_quorums_per_cycle is None" (suggestion, high confidence) — "Merged Findings 3, 6, 12 — three independent reviewers flagged the same structural issue. Impact: Medium (a truncated cycle — fewer quorums than active_quorum_count — passes validation silently on the None path, which could mask a protocol violation or malformed peer message); Likelihood: Possible (the None branch is a real code path). Moving the count assertion outside the is_some() gate would enforce the invariant unconditionally. The old code would have panicked here, making this a regression in diagnostic coverage even if not a new correctness bug."
• ✓ Kept: "Unrelated change: unused StdError import removed from lib.rs" (nit, high confidence) — "Merged Findings 4 and 7. The import is genuinely unused (compiler-verified) so the deletion is correct. The only concern is PR hygiene — mixing this cleanup into a focused quorum-index fix muddies the diff. Impact: Low; no correctness risk."
• ✓ Kept: "New test binary fixtures missing from diff" (nit, medium confidence) — "Finding 9, single reviewer. The include_bytes! fixtures are referenced without any comment about how they were generated, making future regeneration opaque. Impact: Low (existing tests still pass; this is a maintainability concern). Likelihood: Unlikely to cause immediate problems."
• ✓ Kept: "Unnecessary clone of QualifiedQuorumEntry before insert – wasted on all error paths" (nit, medium confidence) — "Finding 10, single reviewer. The clone is called before insert_cycle_quorum_by_index even when the function will return an error, wasting a non-trivial allocation (two 96-byte BLS signatures plus heap bitsets). Impact: Low-Medium for a hot path; Likelihood: Possible on error paths. Given single reviewer and this being a performance rather than correctness concern, nit is appropriate."
• ✓ Kept: "BTreeMap inserts into tmp_cycle_map are wasted when qualified_rotated_quorums_per_cycle is None" (nit, low confidence) — "Finding 11, single reviewer. The BTreeMap is unconditionally allocated and all inserts (plus clones) run regardless of whether the result will be stored. The status-update side effects are needed but the map insertions could be guarded by is_some(). Impact: Low-Medium waste per None invocation; Likelihood: Possible. Single reviewer, performance only — nit is appropriate."

Timing:

• Parse: 5.8s
• Review agents: 520.3s
• Judge: 122.1s
• Total: 648.2s

Superseded by new review

[xdustinface]

@manki review

[manki-review]

Review skipped — a review is currently in progress. Retry when it completes, or force now:

• Force review

[manki-review]

Manki — Review complete

Planner (24s)
    bugfix · 377 lines · 3 agents
    review effort: medium · judge effort: high

Review — 6 findings
    ✅ Security & Safety — 2 (175s)
    ✅ Correctness & Logic — 1 (527s)
    ✅ Testing & Coverage — 3 (162s)

Judge — 3 kept · 0 dropped (455s)
    kept: 1 suggestion · 2 nit

Review metadata

Config:

• Models: reviewer=claude-sonnet-4-6, judge=claude-sonnet-4-6
• Review level: medium (auto, 377 lines)
• Team: Security & Safety, Correctness & Logic, Testing & Coverage
• Memory: disabled
• Nit handling: issues

Judge decisions:

• ✓ Kept: "Per-cycle map entry left empty/stale when rebuild fails mid-loop" (suggestion, medium confidence) — "The entry(...).or_default() binding at lines 688-693 still eagerly creates or acquires a map entry before the loop runs. For a brand-new cycle hash, any error propagated via ? from insert_cycle_quorum_by_index exits the function before *map = tmp_cycle_map executes, leaving an empty Vec in rotated_quorums_per_cycle. is_lock_potential_quorums (message_request_verification.rs:42-44) explicitly returns CycleHashEmpty on an empty vec, so every subsequent IS-lock lookup for that cycle silently fails with the wrong error. Impact: High (misdirected IS-lock failures with no hint of root cause). Likelihood: Possible (requires a validation error on first feed of a new cycle). Thread PRRT_kwDOQSlaXs56Wvno unresolved."
• ✓ Kept: "Count-mismatch check silently skipped when qualified_rotated_quorums_per_cycle is None" (nit, high confidence) — "The is_some() guard is structurally redundant: both the binding and the loop iterate the same qualified_last_commitment_per_index list, so None and an empty tmp_cycle_map are bound to the same empty-list condition — there is no state where tmp_cycle_map has entries but the binding is None. The silent skip is therefore a no-op in practice; the real concern is code clarity and inconsistency with the ungated second branch (~line 892). Downgrading from suggestion because the scenario where data is silently discarded cannot arise under current code structure. Impact: Low (no realistic data-loss path). Likelihood: Unlikely."
• ✓ Kept: "make_qualified_quorum_entry uses identical all-zeros quorum_hash for every entry" (nit, high confidence) — "Test helper quality issue only — the cap-overflow test inserts three entries with distinct quorum_index values but the same all-zeros hash, meaning any future deduplication or uniqueness check keyed on hash rather than index would pass silently. No production correctness risk today; a per-index derived hash would make the helper more realistic. Impact: Low (only affects future test sensitivity)."

Timing:

• Parse: 4.7s
• Review agents: 552.5s
• Judge: 455.3s
• Total: 1012.5s

[manki-review]

The staging-map approach cleanly fixes the partial-write issue (PRRT_kwDOQSlaXs56Wvno) and the new test now carries the correct cfg guard (PRRT_kwDOQSlaXs56Wvns). The bincode discriminant problem from last review is still present and now flagged by all 5 specialists; the count-completeness check asymmetry on the None branch also carries over unresolved.

📊 6 findings (2 suggestion, 4 nit) · 379 lines · 648s

Review stats

{
  "model": "claude-sonnet-4-6",
  "reviewTimeMs": 648218,
  "diffLines": 379,
  "diffAdditions": 304,
  "diffDeletions": 75,
  "filesReviewed": 5,
  "agents": [
    "Security & Safety",
    "Architecture & Design",
    "Correctness & Logic",
    "Testing & Coverage",
    "Performance & Efficiency"
  ],
  "findingsRaw": 15,
  "findingsKept": 6,
  "findingsDropped": 9,
  "severity": {
    "required": 0,
    "suggestion": 2,
    "nit": 4
  },
  "verdict": "REQUEST_CHANGES",
  "prNumber": 97,
  "commitSha": "942b34105997caace91b9664035c8230b9ce63eb",
  "agentMetrics": [
    {
      "name": "Security & Safety",
      "findingsRaw": 2,
      "findingsKept": 0,
      "responseLength": 2258
    },
    {
      "name": "Architecture & Design",
      "findingsRaw": 3,
      "findingsKept": 2,
      "responseLength": 2463
    },
    {
      "name": "Correctness & Logic",
      "findingsRaw": 3,
      "findingsKept": 3,
      "responseLength": 3082
    },
    {
      "name": "Testing & Coverage",
      "findingsRaw": 3,
      "findingsKept": 1,
      "responseLength": 4353
    },
    {
      "name": "Performance & Efficiency",
      "findingsRaw": 4,
      "findingsKept": 3,
      "responseLength": 4584
    }
  ],
  "judgeMetrics": {
    "confidenceDistribution": {
      "high": 3,
      "medium": 2,
      "low": 1
    },
    "severityChanges": 6,
    "mergedDuplicates": 7
  },
  "fileMetrics": {
    "fileTypes": {
      ".rs": 4,
      ".hex": 1
    },
    "findingsPerFile": {
      "dash/src/sml/quorum_validation_error.rs": 1,
      "dash/src/sml/masternode_list_engine/mod.rs": 4,
      "dash/src/lib.rs": 1
    }
  },
  "reviewerModel": "claude-sonnet-4-6",
  "judgeModel": "claude-sonnet-4-6"
}

[manki-review]

The or_default() empty-entry leak (Finding 1) persists despite the tmp_cycle_map refactor — switching to a staging map only helps re-feed paths, not brand-new cycle hashes. The prior required finding (PRRT_kwDOQSlaXs56Wvns) about the regression test at line 1441 missing its #[cfg(feature = "quorum_validation")] guard is still unaddressed and was missed by all three current reviewers.

📊 3 findings (1 suggestion, 2 nit) · 377 lines · 1013s

Review stats

{
  "model": "claude-sonnet-4-6",
  "reviewTimeMs": 1012532,
  "diffLines": 377,
  "diffAdditions": 304,
  "diffDeletions": 73,
  "filesReviewed": 4,
  "agents": [
    "Security & Safety",
    "Correctness & Logic",
    "Testing & Coverage"
  ],
  "findingsRaw": 6,
  "findingsKept": 3,
  "findingsDropped": 3,
  "severity": {
    "required": 0,
    "suggestion": 1,
    "nit": 2
  },
  "verdict": "APPROVE",
  "prNumber": 97,
  "commitSha": "0ea93ca27f5c56829210bf64e5ee926a5c5a0375",
  "agentMetrics": [
    {
      "name": "Security & Safety",
      "findingsRaw": 2,
      "findingsKept": 2,
      "responseLength": 2924
    },
    {
      "name": "Correctness & Logic",
      "findingsRaw": 1,
      "findingsKept": 0,
      "responseLength": 1180
    },
    {
      "name": "Testing & Coverage",
      "findingsRaw": 3,
      "findingsKept": 1,
      "responseLength": 2928
    }
  ],
  "judgeMetrics": {
    "confidenceDistribution": {
      "high": 2,
      "medium": 1,
      "low": 0
    },
    "severityChanges": 3,
    "mergedDuplicates": 0
  },
  "fileMetrics": {
    "fileTypes": {
      ".rs": 3,
      ".hex": 1
    },
    "findingsPerFile": {
      "dash/src/sml/masternode_list_engine/mod.rs": 3
    }
  },
  "reviewerModel": "claude-sonnet-4-6",
  "judgeModel": "claude-sonnet-4-6"
}

[manki-review]

Manki — Review complete

Planner
    243 lines · 0 agents

Review — 12 findings

Judge — 6 kept · 0 dropped (102s)
    kept: 1 suggestion · 5 nit

Review metadata

Config:

• Models: reviewer=claude-sonnet-4-6, judge=claude-sonnet-4-6
• Review level: medium (auto, 243 lines)
• Team: Security & Safety, Architecture & Design, Correctness & Logic, Testing & Coverage, Performance & Efficiency
• Memory: disabled
• Nit handling: issues

Judge decisions:

• ✓ Kept: "Debug log loses quorum_entry.quorum_index field, removing cross-verification signal" (nit, high confidence) — "Merged findings 1, 2, and 5 — all three reviewers independently flagged the same issue and all rated it nit. Impact: Low (debug logging only, no functional effect). Likelihood: Certain (field is simply absent from the log). Logging both the BTreeMap key and the raw Option field is the right call for future corruption investigations, but this doesn't affect correctness or behavior."
• ✓ Kept: "Misleading error variant reused for negative quorum_index in build_cycle_quorum_map" (suggestion, high confidence) — "Impact: Medium (error diagnostics in a consensus-adjacent code path), Likelihood: Possible (requires a corrupt negative quorum_index value). RequiredQuorumIndexNotPresent semantically means the field was None, but it's also returned when the value is present but out-of-range — a future operator or developer triaging a corrupt-data incident will be misled. In a library that explicitly calls out error handling as a code style requirement, this is worth fixing."
• ✓ Kept: "or_default() allocates a throwaway BTreeMap immediately overwritten by assignment" (nit, high confidence) — "Impact: Low (spurious allocation for small cycle maps), Likelihood: Certain (triggered on every new cycle key insertion). Using insert() directly is cleaner and idiomatic, but the performance cost is negligible in practice."
• ✓ Kept: "make_qualified_quorum_entry uses identical all-zeros quorum hash for every entry" (nit, medium confidence) — "Impact: Low (test code only, no production effect), Likelihood: Certain. All entries are hash-indistinguishable, which reduces diagnostic value when tests fail, but the tests currently cover the indexing invariant adequately via quorum_index."
• ✓ Kept: "Double BTreeMap traversal in build_cycle_quorum_map per entry" (nit, high confidence) — "Impact: Low (O(log n) overhead with n ≤ 64), Likelihood: Certain. The insert().is_some() pattern is also more idiomatic Rust, but the performance difference is immeasurable at this scale."
• ✓ Kept: "Unnecessary Vec allocation in test to convert BTreeMap values to slice" (nit, high confidence) — "Impact: Low (test code only), Likelihood: Certain. The allocation is harmless in a test context; this is a style/readability note rather than a real concern."

Timing:

• Parse: 5.2s
• Review agents: 292.2s
• Judge: 102.2s
• Total: 399.6s

Superseded by new review

[manki-review]

No required fixes — the core indexing change (BTreeMap<u16, QualifiedQuorumEntry> keyed by quorum_index, cycle rebuild, duplicate detection) is structurally sound. The one actionable item is the misleading error variant in build_cycle_quorum_map that conflates a missing index with a negative one, which will frustrate future incident triage in this consensus-adjacent code.

📊 6 findings (1 suggestion, 5 nit) · 243 lines · 400s

Review stats

{
  "model": "claude-sonnet-4-6",
  "reviewTimeMs": 399615,
  "diffLines": 243,
  "diffAdditions": 155,
  "diffDeletions": 88,
  "filesReviewed": 3,
  "agents": [
    "Security & Safety",
    "Architecture & Design",
    "Correctness & Logic",
    "Testing & Coverage",
    "Performance & Efficiency"
  ],
  "findingsRaw": 12,
  "findingsKept": 6,
  "findingsDropped": 6,
  "severity": {
    "required": 0,
    "suggestion": 1,
    "nit": 5
  },
  "verdict": "REQUEST_CHANGES",
  "prNumber": 97,
  "commitSha": "25d0f452e09e8189e640c489a61b0b9eaeb3efe6",
  "agentMetrics": [
    {
      "name": "Security & Safety",
      "findingsRaw": 3,
      "findingsKept": 0,
      "responseLength": 3571
    },
    {
      "name": "Architecture & Design",
      "findingsRaw": 2,
      "findingsKept": 1,
      "responseLength": 3645
    },
    {
      "name": "Correctness & Logic",
      "findingsRaw": 3,
      "findingsKept": 3,
      "responseLength": 2778
    },
    {
      "name": "Testing & Coverage",
      "findingsRaw": 2,
      "findingsKept": 1,
      "responseLength": 1877
    },
    {
      "name": "Performance & Efficiency",
      "findingsRaw": 2,
      "findingsKept": 2,
      "responseLength": 1526
    }
  ],
  "judgeMetrics": {
    "confidenceDistribution": {
      "high": 5,
      "medium": 1,
      "low": 0
    },
    "severityChanges": 6,
    "mergedDuplicates": 2
  },
  "fileMetrics": {
    "fileTypes": {
      ".rs": 2,
      ".hex": 1
    },
    "findingsPerFile": {
      "dash/src/sml/masternode_list_engine/message_request_verification.rs": 1,
      "dash/src/sml/masternode_list_engine/mod.rs": 5
    }
  },
  "reviewerModel": "claude-sonnet-4-6",
  "judgeModel": "claude-sonnet-4-6"
}

[manki-review]

Manki — Review complete

Planner (29s)
    bugfix · 263 lines · 3 agents
    review effort: medium · judge effort: high

Review — 7 findings
    ✅ Security & Safety — 3 (365s)
    ✅ Correctness & Logic — 1 (290s)
    ✅ Testing & Coverage — 3 (192s)

Judge — 2 kept · 1 dropped (69s)
    kept: 1 suggestion · 1 nit
    dropped: 1 ignore

Review metadata

Config:

• Models: reviewer=claude-sonnet-4-6, judge=claude-sonnet-4-6
• Review level: medium (auto, 263 lines)
• Team: Security & Safety, Correctness & Logic, Testing & Coverage
• Memory: disabled
• Nit handling: issues

Judge decisions:

• ✗ Dropped: "Previously open finding: misleading error variant for negative quorum_index is resolved" (ignore, high confidence) — "The new InvalidQuorumIndex { quorum_hash, index } variant in QuorumValidationError is correctly wired for both the u16::try_from failure and the bounds check at line 219. No action needed; included in resolveThreads."
• ✓ Kept: "Missing test for out-of-bounds quorum_index in build_cycle_quorum_map" (suggestion, high confidence) — "Impact: Medium (untested validation branch in a security-relevant function), Likelihood: Certain (the key >= expected path at line 219 is a distinct branch that no existing test exercises). The five current cases deliberately skip the scenario where quorum_index is a valid u16 but equals or exceeds active_quorum_count. For a crypto library where correct quorum slot rejection matters, this gap is worth closing."
• ✓ Kept: "make_qualified_quorum_entry creates all entries with identical quorum hashes" (nit, medium confidence) — "Impact: Low (current tests are unaffected; only future tests relying on per-entry identity would silently pass with incorrect behavior), Likelihood: Unlikely (requires a specific future test pattern). Reasonable to flag for robustness but not blocking."

Timing:

• Parse: 6.0s
• Review agents: 397.6s
• Judge: 69.0s
• Total: 472.6s

Superseded by new review

[manki-review]

The previously open thread on misleading error variant is cleanly resolved — InvalidQuorumIndex now correctly handles both the negative-index and out-of-bounds cases. One real test coverage gap remains: the bounds check branch (key >= expected) in build_cycle_quorum_map is never exercised despite the surrounding cases being covered.

📊 2 findings (1 suggestion, 1 nit) · 263 lines · 473s

Review stats

{
  "model": "claude-sonnet-4-6",
  "reviewTimeMs": 472568,
  "diffLines": 263,
  "diffAdditions": 175,
  "diffDeletions": 88,
  "filesReviewed": 4,
  "agents": [
    "Security & Safety",
    "Correctness & Logic",
    "Testing & Coverage"
  ],
  "findingsRaw": 7,
  "findingsKept": 2,
  "findingsDropped": 5,
  "severity": {
    "required": 0,
    "suggestion": 1,
    "nit": 1
  },
  "verdict": "REQUEST_CHANGES",
  "prNumber": 97,
  "commitSha": "d6d04a30eb6e6e81cecea936ae7d2d93c77916e0",
  "agentMetrics": [
    {
      "name": "Security & Safety",
      "findingsRaw": 3,
      "findingsKept": 0,
      "responseLength": 3311
    },
    {
      "name": "Correctness & Logic",
      "findingsRaw": 1,
      "findingsKept": 0,
      "responseLength": 1228
    },
    {
      "name": "Testing & Coverage",
      "findingsRaw": 3,
      "findingsKept": 2,
      "responseLength": 3528
    }
  ],
  "judgeMetrics": {
    "confidenceDistribution": {
      "high": 2,
      "medium": 1,
      "low": 0
    },
    "severityChanges": 3,
    "mergedDuplicates": 0
  },
  "fileMetrics": {
    "fileTypes": {
      ".rs": 3,
      ".hex": 1
    },
    "findingsPerFile": {
      "dash/src/sml/masternode_list_engine/mod.rs": 2
    }
  },
  "reviewerModel": "claude-sonnet-4-6",
  "judgeModel": "claude-sonnet-4-6"
}

[manki-review]

💡 Suggestion _{[high confidence]}: Missing test for out-of-bounds quorum_index in build_cycle_quorum_map

The build_cycle_quorum_map_edge_cases test covers five cases (valid, missing index, negative index, duplicate index, wrong count) but omits the distinct branch at line 219: if (key as usize) >= expected. For LlmqtypeTest with active_quorum_count==2, an entry with quorum_index=2 is a valid u16 and non-negative, so the u16::try_from path succeeds, but the bounds check should reject it with InvalidQuorumIndex. This code path is entirely untested, leaving a gap in coverage for a security-relevant validation function.

Suggested fix

Suggested change

	fn build_cycle_quorum_map_edge_cases() {
	// Out-of-bounds index is rejected (valid u16 but >= active_quorum_count)
	let quorums = vec![
	make_qualified_quorum_entry(ty, Some(0)),
	make_qualified_quorum_entry(ty, Some(2)), // 2 >= count of 2
	];
	let err = build_cycle_quorum_map(quorums, ty).expect_err("out-of-bounds index should fail");
	assert!(matches!(
	err,
	QuorumValidationError::InvalidQuorumIndex { index: 2, .. }
	));

AI context

{
  "file": "dash/src/sml/masternode_list_engine/mod.rs",
  "line": 1232,
  "severity": "suggestion",
  "confidence": "high",
  "flaggedBy": [
    "Testing & Coverage"
  ],
  "title": "Missing test for out-of-bounds quorum_index in build_cycle_quorum_map",
  "fix": "// Out-of-bounds index is rejected (valid u16 but >= active_quorum_count)\nlet quorums = vec![\n    make_qualified_quorum_entry(ty, Some(0)),\n    make_qualified_quorum_entry(ty, Some(2)), // 2 >= count "
}

[github-actions]

This PR has merge conflicts with the base branch. Please rebase or merge the base branch into your branch to resolve them.