Receiver fallback typestate

[spacebear21]

Supersedes #1542.

Receiver counterpart to #1557 . It's a much bigger PR because a) the receiver state machine is more complicated than the sender's, and b) it also implements the "protocol failure" fallback path (i.e. not a manually-initiated cancel, but an irrecoverable error that would also warrant broadcasting the fallback tx).

stateDiagram-v2
      [*] --> Initialized

      Initialized --> UncheckedOriginalPayload: RetrievedOriginalPayload
      UncheckedOriginalPayload --> MaybeInputsOwned: CheckedBroadcastSuitability

      state "9 HasFallbackTx in-protocol states" as InProtocol {
          MaybeInputsOwned --> MaybeInputsSeen: CheckedInputsNotOwned
          MaybeInputsSeen --> OutputsUnknown: CheckedNoInputsSeenBefore
          OutputsUnknown --> WantsOutputs: IdentifiedReceiverOutputs
          WantsOutputs --> WantsInputs: CommittedOutputs
          WantsInputs --> WantsFeeRange: CommittedInputs
          WantsFeeRange --> ProvisionalProposal: AppliedFeeRange
          ProvisionalProposal --> PayjoinProposal: FinalizedProposal
          PayjoinProposal --> Monitor: PostedPayjoinProposal
      }

      UncheckedOriginalPayload --> HasReplyableError: GotReplyableError, fallback_tx is None (broadcast unverified)
      InProtocol --> HasReplyableError: GotReplyableError, fallback_tx is Some

      InProtocol --> PendingFallback: Cancelled (cancel from any HasFallbackTx state)
      PayjoinProposal --> PendingFallback: ProtocolFailed (fatal process_response)
      HasReplyableError --> PendingFallback: Cancelled or ProtocolFailed, when fallback_tx is Some

      Initialized --> Closed: Closed(Cancel) on cancel, or Closed(Failure) on fatal process_response
      UncheckedOriginalPayload --> Closed: Closed(Cancel) on cancel
      HasReplyableError --> Closed: Closed(Cancel) on cancel, or Closed(Failure) on process_error_response, when fallback_tx is None
      Monitor --> Closed: check_payment observes Success, FallbackBroadcasted, or PayjoinProposalSent

      PendingFallback --> Closed: close() emits Closed(Cancel) after Cancelled entry, or Closed(Failure) after ProtocolFailed entry

      Closed --> [*]

      note right of PendingFallback
          Holds the wallet's obligation to broadcast
          or explicitly discard the original tx.
          Stays active until close() so it survives
          resume cycles.
      end note

Loading

Planned with Claude Opus 4.7, implemented by Codex 5.5

Pull Request Checklist

Please confirm the following before requesting review:

• I have disclosed my use of
  AI
  in the body of this PR.
• I have read CONTRIBUTING.md and rebased my branch to produce hygienic commits.

[coveralls]

Coverage Report for CI Build 26266054947

Coverage increased (+0.04%) to 85.184%

Details

• Coverage increased (+0.04%) from the base build.
• Patch coverage: 109 uncovered changes across 3 files (690 of 799 lines covered, 86.36%).
• 21 coverage regressions across 3 files.

Uncovered Changes

File	Changed	Covered	%
payjoin/src/core/receive/v2/mod.rs	513	446	86.94%
payjoin-cli/src/app/v2/mod.rs	54	13	24.07%
payjoin-cli/src/db/v2.rs	1	0	0.0%

Coverage Regressions

21 previously-covered lines in 3 files lost coverage.

File	Lines Losing Coverage	Coverage
payjoin-cli/src/app/v2/mod.rs	14	51.29%
payjoin/src/core/receive/v2/mod.rs	6	90.82%
payjoin-cli/src/app/v1.rs	1	69.33%

---

Coverage Stats

Relevant Lines:	14376
Covered Lines:	12246
Line Coverage:	85.18%
Coverage Strength:	377.76 hits per line

---

💛 - Coveralls

[DanGould]

I read the writeups and concept ACK. I wonder if MayBroadcastFallback is a more appropriate name that implies an action than HasFallback.

[spacebear21]

I wonder if MayBroadcastFallback is a more appropriate name that implies an action than HasFallback.

In the latest iteration of this PR the typestate is called PendingFallback and HasFallbackTx is a sealed marker trait for receiver states that hold a verified broadcastable fallback tx. Does that sound better?

[spacebear21]

I described here and here how we could get rid of the Cancel/Failure SessionOutcome variants since this information can be inferred from the event log. Then we wouldn't need to pass outcome through here. But I'd prefer to address that in a follow-up for both the sender and receiver together.

[xstoicunicornx]

Only went through the payjoin core changes so far but felt it was a good stopping point for some questions/comments.

[xstoicunicornx]

If 'next_state' isn't being used why is it being provided?

[xstoicunicornx]

This was the main piece I wanted to ask about/check my understanding on.

It seems like there are two types of paths here:

1. Return a transition where persistence will only result in persistence error
2. Return a transition where persistence may unwrap a protocol error

Is this a correct understanding? If so I am not sure how I feel about that discrepancy. It seems like it would require fatal_advance and transient error paths to preserve the prior receiver state so that the session can be closed via .cancel().

The current version of this method established this pattern, but I am not even sure how the current version would close the session if it was a transient error? Would it have to keep the previous receiver state just in case so that it can rerun create_error_request and process_error_response? Also Receiver<Initialized>::process_response seems to follow a similar pattern, but at least there it consistently only returns transitions that, when persisted, only produce persister errors (though it does make me have more questions on why we handle the other transition states at all when they don't get persisted).

Is there a reason we have to try to handle the process_post_req error (Receiver<Initialized>::process_response doesn't seem to)? Would it be acceptable to just map the errors to the appropriate next state (either PendingFallback or Closed)? Maybe if transient error really is a NoOp within the persister it should return current state?

Apologies for the rambling...

Edit: Looks like MaybeFatalTransition also follows this sort of pattern so maybe this is just me finally learning how the transitions work. Though MaybeFatalTransition does return an error_state wrapped within the error, not sure if it actually meant to be used? I assume yes since its trying to advance to HasReplyableError state?

[xstoicunicornx]

I don't think this actually enters PendingFallback since save() returns and error and not the PendingFallback state?

[benalleng]

I guess this is where the above comment https://github.com/payjoin/rust-payjoin/pull/1558/changes#r3311885155 becomes relevant. Either we choose to wire this _next_state allowing a pending_fallback state to be seen or we drop that and this test just needs a rename.

Based on the current logic in process_error_response I am assuming it was meant to be fully wired up.

[xstoicunicornx]

Might be good to add a test vector for:

• SessionEvent::ProtocolFailed results in ReceiveSession::PendingFallback
• closing ReceiveSession::PendingFallback results in ReceiveSession::Closed

[benalleng]

added additional vectors to cover these in 8f642a4