Exit quiescence when splice_init and tx_init_rbf are rejected

[jkczyz]

Summary

• Fix quiescence not being exited when tx_init_rbf or splice_init is rejected with Abort (e.g., insufficient RBF feerate, negotiation in progress), which left the channel stuck in a quiescent state
• Refactor both handlers to return InteractiveTxMsgError, reusing the same pattern already used by the interactive TX message handlers, with a shared handle_interactive_tx_msg_err helper in channelmanager

Test plan

• Existing test_splice_rbf_insufficient_feerate updated to verify quiescence is properly exited after tx_abort
• Existing test_splice_feerate_too_high updated to verify quiescence is properly exited after splice_init rejection
• All splicing tests pass

🤖 Generated with Claude Code

Based on #4494.

[ldk-reviews-bot]

I've assigned @wpaulino as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[codecov]

Codecov Report

❌ Patch coverage is 61.79775% with 34 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.22%. Comparing base (8d00139) to head (959b553).
⚠️ Report is 111 commits behind head on main.

Files with missing lines	Patch %	Lines
lightning/src/ln/channelmanager.rs	42.85%	30 Missing and 2 partials ⚠️
lightning/src/ln/channel.rs	92.30%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4495      +/-   ##
==========================================
- Coverage   86.24%   86.22%   -0.02%     
==========================================
  Files         160      161       +1     
  Lines      107909   108651     +742     
  Branches   107909   108651     +742     
==========================================
+ Hits        93061    93681     +620     
- Misses      12212    12339     +127     
+ Partials     2636     2631       -5     

Flag	Coverage Δ
tests	86.22% <61.79%> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ldk-claude-review-bot]

In splice_init, resolve_queued_contribution (which can return Abort(FeeRateTooHigh)) is called before validate_splice_init checks is_quiescent(). If a misbehaving peer sends splice_init during the STFU handshake (before quiescence is established), and the holder has a queued contribution with a low max_feerate, the Abort error would flow into quiescent_negotiation_err → exit_quiescence(), which has debug_assert!(!is_local_stfu_sent()) / debug_assert!(!is_remote_stfu_sent()).

Those asserts would fire because the STFU flags are still set (handshake incomplete). In release builds, exit_quiescence would harmlessly return false, but in debug/test builds this would panic.

Same issue applies to tx_init_rbf at line 12762 (and line 12780).

Consider guarding with an is_quiescent() check before calling exit_quiescence:

Suggested change

	fn quiescent_negotiation_err(&mut self, err: ChannelError) -> InteractiveTxMsgError {
	let exited_quiescence =
	if matches!(err, ChannelError::Abort(_)) { self.exit_quiescence() } else { false };
	InteractiveTxMsgError { err, splice_funding_failed: None, exited_quiescence }
	}
	fn quiescent_negotiation_err(&mut self, err: ChannelError) -> InteractiveTxMsgError {
	let exited_quiescence = if matches!(err, ChannelError::Abort(_))
	&& self.context.channel_state.is_quiescent()
	{
	self.exit_quiescence()
	} else {
	false
	};
	InteractiveTxMsgError { err, splice_funding_failed: None, exited_quiescence }
	}

[jkczyz]

Fixed, though I took the opportunity to have validate_splice_init and validate_ tx_init_rbf no longer call validate_splice_contributions and FundingScope::for_splice. Rather they are called at those call sites. This let's us check if we are quiescent before checking fee rates when calling resolve_queued_contribution.

[ldk-claude-review-bot]

I've completed my thorough review of all changes in this PR. The code is well-structured and correct.

Key verifications performed:

• validate_splice_init and validate_tx_init_rbf both check is_quiescent() first, returning WarnAndDisconnect (not Abort) for non-quiescent channels — ensuring the debug_assert!(is_quiescent()) in quiescent_negotiation_err can never fire
• All Abort-producing paths (resolve_queued_contribution, InsufficientRbfFeerate, NegotiationInProgress, FeeRateTooHigh) are only reachable after quiescence is confirmed
• handle_interactive_tx_msg_err is a faithful extraction of the inline code from internal_tx_msg, with identical semantics
• from_chan_no_close is safe here because no ChannelError::Close can be produced by these paths
• resolve_queued_contribution is side-effect-free (&self), so the reordering (after validation) is safe
• exit_quiescence → mark_response_received + clear_quiescent is the correct cleanup
• The exited_quiescence flag correctly triggers check_free_peer_holding_cells in handle_error
• validate_splice_contributions removal from validate_tx_init_rbf / validate_splice_init and re-addition in the callers preserves identical validation logic and parameter values
• Tests correctly verify quiescence exit, STFU re-proposal, and misbehaving peer handling

No new issues found. My prior review comment (about the debug_assert in quiescent_negotiation_err) is effectively resolved by the latest commit (3c55d3c) that defers resolve_queued_contribution until after validation — all Abort errors now only occur in quiescent state.

[jkczyz]

Note that we'll now abort an in-progress RBF if the counterparty misbehaves by sending us tx_init_rbf. The spec isn't really clear on what to do here. There's a similar case in validate_splice_init where we'll disconnect if we already have a pending splice (even if negotiation is still in progress). The spec does indicate this should be done. So maybe both of these are fine?

[jkczyz]

Rebased