fix(sdk): eagerly bootstrap protocol version before first proof parse

[QuantumExplorer]

Summary

Close the bootstrap hole in the auto-detect protocol version feature from #3483.

Before: On a fresh auto-detect SDK the first `parse_proof_with_metadata_and_proof` call uses `PlatformVersion::latest()` as a fallback because no response metadata has been seen yet. On an older network whose proof interpretation differs from `latest()`, the very first proof-backed request fails before the SDK ever learns the correct version. The old doc comment on `parse_proof_with_metadata_and_proof` called this out as a known limitation and told users to pin the version explicitly via `SdkBuilder::with_version()` if they cared.

After: The first time `parse_proof_with_metadata_and_proof` runs on an auto-detect SDK, it transparently kicks off a one-shot `CurrentQuorumsInfo` unproved RPC, reads `metadata.protocol_version` from the response, and updates the SDK's cached version before the proof parse executes. A `tokio::sync::OnceCell` guarantees the bootstrap RPC runs at most once per SDK (and its clones) even under concurrent first calls — subsequent callers wait for the in-flight bootstrap to finish.

Design notes

• Skipped for SDKs pinned via `SdkBuilder::with_version()`, mock SDKs, and any SDK that has already seen a response (`protocol_version != 0`).
• Best-effort: if the bootstrap RPC itself fails the SDK logs a warning and falls back to the previous `latest()` behaviour, so partially-reachable networks still function.
• Unproved path chosen intentionally: `CurrentQuorumsInfo::fetch_unproved_with_settings` does not itself call `parse_proof_with_metadata_and_proof`, so there's no re-entry into the bootstrap helper.
• Protocol-version update reuses the existing `maybe_update_protocol_version` path, which already handles unknown-version validation.

Test plan

• `cargo check --workspace --all-targets` — clean
• CI: existing rs-sdk unit tests (`test_version_update_from_metadata`, `test_unknown_version_ignored`, etc.) still pass — they use mock SDKs so the bootstrap path is skipped.
• Manual: `cargo test -p dash-sdk` locally
• Follow-up: add an integration test hitting a real testnet node to verify the bootstrap RPC flows end-to-end

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• New Features

  • Protocol version now automatically detects and initializes on first SDK use, with fallback to the latest version if detection fails.

• Chores

  • Updated .gitignore configuration.

[coderabbitai]

📝 Walkthrough

Walkthrough

Updated .gitignore to exclude the entire .claude/ directory. Added protocol version bootstrapping to the SDK using Arc<tokio::sync::OnceCell<()>> to coordinate a single unproved RPC call that discovers and caches the protocol version before parsing proofs.

Changes

Cohort / File(s)	Summary
Gitignore Update .gitignore	Broadened exclusion from .claude/worktrees/ subdirectory to entire .claude/ directory.
Protocol Version Bootstrapping packages/rs-sdk/src/sdk.rs	Added protocol_version_bootstrapped OnceCell field for coordinating one-shot bootstrap. Introduced ensure_protocol_version_bootstrapped() async method that fetches CurrentQuorumsInfo via unproved RPC when auto-detect is enabled and cached version is 0, updates metadata, and falls back to PlatformVersion::latest() on failure. Wired bootstrap into proof parsing flow and updated builder initialization.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant SDK
    participant OnceCell as OnceCell<br/>(Bootstrap)
    participant DAPI
    participant MetadataCache

    Client->>SDK: parse_proof_with_metadata_and_proof()
    SDK->>OnceCell: Check if bootstrap completed
    alt First call (OnceCell empty)
        OnceCell->>SDK: Bootstrap needed
        SDK->>SDK: Check if auto-detect enabled<br/>& cached version == 0
        alt Conditions met
            SDK->>DAPI: fetch_unproved<br/>CurrentQuorumsInfo
            DAPI-->>SDK: metadata with protocol_version
            SDK->>MetadataCache: Update cached<br/>protocol_version
            SDK->>OnceCell: Mark bootstrap complete
        else Conditions not met
            SDK->>OnceCell: Mark bootstrap complete<br/>(no-op)
        end
    else Already bootstrapped
        OnceCell-->>SDK: Bootstrap skipped<br/>(cached result)
    end
    SDK->>Client: Resume proof parsing

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• feat(sdk): auto-detect and update platform protocol version from network epoch info #3410: Related as both implement runtime protocol version discovery within the SDK, with this PR adding OnceCell-based single-execution bootstrap before proof parsing while the referenced issue proposes alternative runtime update mechanisms.

Poem

🐰 With whiskers twitched and paws alight,
The .claude now hides from git's keen sight,
Protocol versions bootstrap true,
One call to fetch, the cache renewed,
No more guessing—discovery's in flight! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: eagerly bootstrapping the protocol version before the first proof parse, which directly addresses the bootstrap gap described in the PR objectives.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/sdk-protocol-version-bootstrap

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[thepastaclaw]

✅ Review complete (commit 923c4af)

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/rs-sdk/src/sdk.rs`:
- Around line 357-360: The bootstrap RPC call uses RequestSettings::default()
which ignores the SDK-wide settings and caller overrides; replace that hardcoded
default with the SDK instance's configured RequestSettings (the field on the
client, e.g., self.request_settings or self.settings) and pass that into
CurrentQuorumsInfo::fetch_unproved_with_settings so the call honors
SdkBuilder::with_settings() and the SDK's retry/timeout policy.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c7a31a89-fb63-46a6-af36-cebcad6b41dd

📥 Commits

Reviewing files that changed from the base of the PR and between 127ad5e and fd1e4a2.

📒 Files selected for processing (2)

• .gitignore
• packages/rs-sdk/src/sdk.rs

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Use the SDK’s configured request settings for the bootstrap RPC.

Line 360 hardcodes RequestSettings::default(), so this new pre-parse RPC ignores both the SDK default retry policy and any caller overrides from SdkBuilder::with_settings(). That makes the first proof-backed request run under a different timeout/retry policy than every other SDK call.

Suggested fix

                 match CurrentQuorumsInfo::fetch_unproved_with_settings(
                     self,
                     NoParamQuery {},
-                    RequestSettings::default(),
+                    self.dapi_client_settings,
                 )

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	match CurrentQuorumsInfo::fetch_unproved_with_settings(
	self,
	NoParamQuery {},
	RequestSettings::default(),
	match CurrentQuorumsInfo::fetch_unproved_with_settings(
	self,
	NoParamQuery {},
	self.dapi_client_settings,

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/rs-sdk/src/sdk.rs` around lines 357 - 360, The bootstrap RPC call
uses RequestSettings::default() which ignores the SDK-wide settings and caller
overrides; replace that hardcoded default with the SDK instance's configured
RequestSettings (the field on the client, e.g., self.request_settings or
self.settings) and pass that into
CurrentQuorumsInfo::fetch_unproved_with_settings so the call honors
SdkBuilder::with_settings() and the SDK's retry/timeout policy.

[github-actions]

✅ DashSDKFFI.xcframework built for this PR.

• Workflow run: https://github.com/dashpay/platform/actions/runs/24452541833
• Artifacts: DashSDKFFI.xcframework (folder), DashSDKFFI.xcframework.zip, xc_checksum.txt

SwiftPM (host the zip at a stable URL, then use):

.binaryTarget(
  name: "DashSDKFFI",
  url: "https://your.cdn.example/DashSDKFFI.xcframework.zip",
  checksum: "c4e7ddc282704f0a475ba2a8f9f187d52feede046a90605ef3479195aac1590b"
)

Xcode manual integration:

• Download 'DashSDKFFI.xcframework' artifact from the run link above.
• Drag it into your app target (Frameworks, Libraries & Embedded Content) and set Embed & Sign.
• If using the Swift wrapper package, point its binaryTarget to the xcframework location or add the package and place the xcframework at the expected path.

[lklimek]

I think calling this function in SdkBuilder::build() will be simpler and (marginally) cheaper.

[thepastaclaw]

Code Review

The detached HEAD commit fd1e4a2329f95ba2fa24d9ae0bccce9f3939618f is a small repo-hygiene change that deletes .claude/scheduled_tasks.lock and broadens .gitignore from .claude/worktrees/ to .claude/. That change is otherwise safe, but the broader ignore rule now covers an already tracked subtree under .claude/, which will hide future additions there from git status unless contributors force-add them.

Reviewed commit: fd1e4a2

🟡 1 suggestion(s)

1 additional finding

🟡 suggestion: Blanket `.claude/` ignore masks new files in an already tracked subtree

.gitignore (line 93)

This repository already tracks .claude/skills/pr-description/SKILL.md, so changing the ignore rule from .claude/worktrees/ to .claude/ makes future files under intentionally versioned .claude/* paths invisible to normal Git workflows. Existing tracked files remain visible, but any new skill metadata or other committed assets under .claude/ will be skipped by git status and require git add -f, which is easy to miss and creates avoidable maintenance risk. Keep the ignore scoped to local Claude state or add negations for the tracked subtree.

💡 Suggested change

__pycache__/
.claude/*
!.claude/skills/
!.claude/skills/**

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `.gitignore`:
- [SUGGESTION] line 93: Blanket `.claude/` ignore masks new files in an already tracked subtree
  This repository already tracks `.claude/skills/pr-description/SKILL.md`, so changing the ignore rule from `.claude/worktrees/` to `.claude/` makes future files under intentionally versioned `.claude/*` paths invisible to normal Git workflows. Existing tracked files remain visible, but any new skill metadata or other committed assets under `.claude/` will be skipped by `git status` and require `git add -f`, which is easy to miss and creates avoidable maintenance risk. Keep the ignore scoped to local Claude state or add negations for the tracked subtree.

[thepastaclaw]

Code Review

The eager-bootstrap fix closes the first-proof-on-older-network gap, but the OnceCell latch treats failure and zero-version responses as permanent success, so a single transient RPC failure can leave the SDK in the exact latest()-fallback state the PR was meant to prevent. Additional issues: bootstrap uses unproved metadata that a single DAPI node can use to pin the cached version (monotonic fetch_max prevents correction), the bootstrap RPC ignores user-configured dapi_client_settings, and the whole bootstrap path has zero test coverage. Minor doc and Arc::clone nits.

Reviewed commit: 923c4af

🔴 1 blocking | 🟡 3 suggestion(s) | 💬 2 nitpick(s)

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-sdk/src/sdk.rs`:
- [BLOCKING] lines 351-379: Failed bootstrap (and zero-version responses) permanently disable future protocol-version detection
  `ensure_protocol_version_bootstrapped()` uses `OnceCell::get_or_init` with a closure that always returns `()`, even in the `Err` arm and even when `maybe_update_protocol_version` short-circuits on `received_version == 0`. After one transient failure (or a response whose metadata protocol_version is 0 — possible for older nodes or protobuf defaults), `protocol_version_bootstrapped` is permanently initialized while `self.protocol_version` stays at 0. Every subsequent call to `parse_proof_with_metadata_and_proof` then skips bootstrap and falls back to `PlatformVersion::latest()` for the rest of the SDK's lifetime — the exact broken state this PR is meant to fix. Store `Result<(), Error>` in the OnceCell (or use a more granular latch) so that only a *successful* version discovery marks bootstrap as complete, and transient failures get retried.
- [SUGGESTION] lines 337-380: Unproved bootstrap metadata can pin the SDK's protocol_version
  The bootstrap value comes from `ResponseMetadata.protocol_version` of an *unproved* `CurrentQuorumsInfo` response. Because `maybe_update_protocol_version` uses `fetch_max` and only accepts monotonically increasing known versions, a single DAPI node that wins the bootstrap RPC can return the highest-known version and pin the cached version there; any later honest proof-backed metadata carrying the real lower network version is silently discarded. This widens the SDK's attack surface compared to the previous `latest()` fallback — an attacker can cause proof-parse failures (DoS) against a client whose network is on a lower version. Consider cross-checking the bootstrap metadata against multiple peers, or only treating the bootstrap version as a hint that is confirmed by the first proof-backed response.
- [SUGGESTION] lines 357-362: Bootstrap RPC ignores the user-configured dapi_client_settings
  `CurrentQuorumsInfo::fetch_unproved_with_settings(self, NoParamQuery {}, RequestSettings::default())` discards `self.dapi_client_settings`, so timeouts, retries, and ban policy set on the `SdkBuilder` are silently ignored for the bootstrap call. This runs on the critical path of the very first proof-backed request, so a user who configured longer timeouts for a slow network (or stricter retry/ban policy) will instead get library defaults here. Pass `self.dapi_client_settings` (or an explicit, documented bootstrap-specific RequestSettings) instead.
- [SUGGESTION] lines 337-380: No tests exercise the bootstrap RPC path itself
  The diff adds no new tests. The existing tests target `verify_response_metadata` / `maybe_update_protocol_version` via mock SDKs, but `ensure_protocol_version_bootstrapped` early-returns for mocks, so the bootstrap logic — which is the entire point of this PR — has no automated coverage. Important untested behaviours include: idempotence of the OnceCell under concurrent first parses, correct skip for pinned and mock SDKs, correct behaviour when the bootstrap RPC fails, and that the cached version is actually updated before the first proof parse.

[thepastaclaw]

🔴 Blocking: Failed bootstrap (and zero-version responses) permanently disable future protocol-version detection

ensure_protocol_version_bootstrapped() uses OnceCell::get_or_init with a closure that always returns (), even in the Err arm and even when maybe_update_protocol_version short-circuits on received_version == 0. After one transient failure (or a response whose metadata protocol_version is 0 — possible for older nodes or protobuf defaults), protocol_version_bootstrapped is permanently initialized while self.protocol_version stays at 0. Every subsequent call to parse_proof_with_metadata_and_proof then skips bootstrap and falls back to PlatformVersion::latest() for the rest of the SDK's lifetime — the exact broken state this PR is meant to fix. Store Result<(), Error> in the OnceCell (or use a more granular latch) so that only a successful version discovery marks bootstrap as complete, and transient failures get retried.

_{source: ['claude-general', 'codex-general', 'claude-security-auditor', 'codex-security-auditor', 'claude-rust-quality', 'codex-rust-quality']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-sdk/src/sdk.rs`:
- [BLOCKING] lines 351-379: Failed bootstrap (and zero-version responses) permanently disable future protocol-version detection
  `ensure_protocol_version_bootstrapped()` uses `OnceCell::get_or_init` with a closure that always returns `()`, even in the `Err` arm and even when `maybe_update_protocol_version` short-circuits on `received_version == 0`. After one transient failure (or a response whose metadata protocol_version is 0 — possible for older nodes or protobuf defaults), `protocol_version_bootstrapped` is permanently initialized while `self.protocol_version` stays at 0. Every subsequent call to `parse_proof_with_metadata_and_proof` then skips bootstrap and falls back to `PlatformVersion::latest()` for the rest of the SDK's lifetime — the exact broken state this PR is meant to fix. Store `Result<(), Error>` in the OnceCell (or use a more granular latch) so that only a *successful* version discovery marks bootstrap as complete, and transient failures get retried.

[thepastaclaw]

🟡 Suggestion: Unproved bootstrap metadata can pin the SDK's protocol_version

The bootstrap value comes from ResponseMetadata.protocol_version of an unproved CurrentQuorumsInfo response. Because maybe_update_protocol_version uses fetch_max and only accepts monotonically increasing known versions, a single DAPI node that wins the bootstrap RPC can return the highest-known version and pin the cached version there; any later honest proof-backed metadata carrying the real lower network version is silently discarded. This widens the SDK's attack surface compared to the previous latest() fallback — an attacker can cause proof-parse failures (DoS) against a client whose network is on a lower version. Consider cross-checking the bootstrap metadata against multiple peers, or only treating the bootstrap version as a hint that is confirmed by the first proof-backed response.

_{source: ['claude-general', 'claude-security-auditor', 'codex-security-auditor', 'codex-rust-quality']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-sdk/src/sdk.rs`:
- [SUGGESTION] lines 337-380: Unproved bootstrap metadata can pin the SDK's protocol_version
  The bootstrap value comes from `ResponseMetadata.protocol_version` of an *unproved* `CurrentQuorumsInfo` response. Because `maybe_update_protocol_version` uses `fetch_max` and only accepts monotonically increasing known versions, a single DAPI node that wins the bootstrap RPC can return the highest-known version and pin the cached version there; any later honest proof-backed metadata carrying the real lower network version is silently discarded. This widens the SDK's attack surface compared to the previous `latest()` fallback — an attacker can cause proof-parse failures (DoS) against a client whose network is on a lower version. Consider cross-checking the bootstrap metadata against multiple peers, or only treating the bootstrap version as a hint that is confirmed by the first proof-backed response.

[thepastaclaw]

🟡 Suggestion: Bootstrap RPC ignores the user-configured dapi_client_settings

CurrentQuorumsInfo::fetch_unproved_with_settings(self, NoParamQuery {}, RequestSettings::default()) discards self.dapi_client_settings, so timeouts, retries, and ban policy set on the SdkBuilder are silently ignored for the bootstrap call. This runs on the critical path of the very first proof-backed request, so a user who configured longer timeouts for a slow network (or stricter retry/ban policy) will instead get library defaults here. Pass self.dapi_client_settings (or an explicit, documented bootstrap-specific RequestSettings) instead.

_{source: ['claude-rust-quality']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-sdk/src/sdk.rs`:
- [SUGGESTION] lines 357-362: Bootstrap RPC ignores the user-configured dapi_client_settings
  `CurrentQuorumsInfo::fetch_unproved_with_settings(self, NoParamQuery {}, RequestSettings::default())` discards `self.dapi_client_settings`, so timeouts, retries, and ban policy set on the `SdkBuilder` are silently ignored for the bootstrap call. This runs on the critical path of the very first proof-backed request, so a user who configured longer timeouts for a slow network (or stricter retry/ban policy) will instead get library defaults here. Pass `self.dapi_client_settings` (or an explicit, documented bootstrap-specific RequestSettings) instead.

[thepastaclaw]

🟡 Suggestion: No tests exercise the bootstrap RPC path itself

The diff adds no new tests. The existing tests target verify_response_metadata / maybe_update_protocol_version via mock SDKs, but ensure_protocol_version_bootstrapped early-returns for mocks, so the bootstrap logic — which is the entire point of this PR — has no automated coverage. Important untested behaviours include: idempotence of the OnceCell under concurrent first parses, correct skip for pinned and mock SDKs, correct behaviour when the bootstrap RPC fails, and that the cached version is actually updated before the first proof parse.

_{source: ['claude-general', 'claude-rust-quality']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-sdk/src/sdk.rs`:
- [SUGGESTION] lines 337-380: No tests exercise the bootstrap RPC path itself
  The diff adds no new tests. The existing tests target `verify_response_metadata` / `maybe_update_protocol_version` via mock SDKs, but `ensure_protocol_version_bootstrapped` early-returns for mocks, so the bootstrap logic — which is the entire point of this PR — has no automated coverage. Important untested behaviours include: idempotence of the OnceCell under concurrent first parses, correct skip for pinned and mock SDKs, correct behaviour when the bootstrap RPC fails, and that the cached version is actually updated before the first proof parse.

[thepastaclaw]

💬 Nitpick: Doc comment claims a re-entry guard that doesn't exist

The doc says the helper is Skipped entirely ... any time this helper is entered from within the unproved request path itself (to avoid re-entry). There is no such guard in the implementation — re-entry is prevented only by the structural fact that FetchUnproved::fetch_unproved_with_settings does not call parse_proof_with_metadata_and_proof. Either add an explicit guard or fix the doc to describe the actual invariant (so a future refactor doesn't silently introduce a deadlock on the OnceCell).

_{source: ['claude-general', 'claude-security-auditor', 'claude-rust-quality']}

[thepastaclaw]

💬 Nitpick: Redundant Arc::clone before get_or_init

let bootstrapped = Arc::clone(&self.protocol_version_bootstrapped); bootstrapped.get_or_init(...) bumps the Arc count only to call a method that takes &self. self.protocol_version_bootstrapped.get_or_init(...).await works just as well.

_{source: ['claude-rust-quality']}