fix: limit signing share sessions per peer

[thepastaclaw]

fix: limit signing share sessions per peer

Issue being fixed or feature implemented

Peers can announce many distinct QSIGSESANN signing sessions. Without a per-peer
cap, a peer can make its node state grow with announcement-only sessions.

What was done?

• Add a per-peer limit for sessions created from QSIGSESANN announcements.
• Preserve refresh of an already-known session so normal re-announcements remain
  accepted.
• Seed the existing session timeout state for newly announced sessions, without
  refreshing that timeout on repeated announcements.
• Add unit coverage for the session cap helper.

How Has This Been Tested?

Tested on macOS arm64.

• git diff --check upstream/develop...HEAD
• make -j8 src/test/test_dash
• src/test/test_dash --run_test=llmq_signing_shares_tests
• Pre-PR code review gate: ship

Breaking Changes

None.

Checklist

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have added or updated relevant unit/integration/functional/e2e tests
• I have made corresponding changes to the documentation
• I have assigned this pull request to a milestone

[thepastaclaw]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 0935734d-0022-4e0b-af8e-187d6e477b7b

📥 Commits

Reviewing files that changed from the base of the PR and between f6aa12a and 03dddee.

📒 Files selected for processing (3)

• src/llmq/signing_shares.cpp
• src/llmq/signing_shares.h
• src/test/llmq_utils_tests.cpp

🚧 Files skipped from review as they are similar to previous changes (3)

• src/test/llmq_utils_tests.cpp
• src/llmq/signing_shares.h
• src/llmq/signing_shares.cpp

---

Walkthrough

This PR enforces per-peer session limits for LLMQ signing shares. It adds GetMaxSessionsForPeer and related constants, four [[nodiscard]] CSigSharesNodeState query methods, and marks sessions that received announcements. ProcessMessageSigSesAnn now fetches LLMQ params, computes a per-peer maxSessions, rejects announcements exceeding the cap with logging, and records time-seen entries for accepted sign hashes. Cleanup now also considers sign hashes in timeSeenForSessions when removing recovered sessions. Unit tests verify limit enforcement, refresh semantics, send-only session exclusions, and per-LLMQType scoping.

Sequence Diagram(s)

sequenceDiagram
  participant Peer
  participant CSigSharesManager
  participant CSigSharesNodeState
  participant TimeSeenStore

  Peer->>CSigSharesManager: CSigSesAnn(llmqType, signHash)
  CSigSharesManager->>CSigSharesManager: Params().GetLLMQ(llmqType)
  CSigSharesManager->>CSigSharesNodeState: CanCreateSessionFromAnn(ann, maxSessions)
  alt below cap
    CSigSharesNodeState-->>CSigSharesManager: true
    CSigSharesManager->>TimeSeenStore: timeSeenForSessions.try_emplace(signHash)
    CSigSharesManager-->>Peer: accept announcement
  else at/over cap
    CSigSharesNodeState-->>CSigSharesManager: false
    CSigSharesManager-->>Peer: reject announcement (logged)
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 5.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix: limit signing share sessions per peer' directly and accurately describes the main change: adding per-peer limits for LLMQ signing sessions.
Description check	✅ Passed	The description clearly explains the issue, what was done, testing approach, and breaking changes—all directly related to the signing sessions per-peer limitation changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Infer (1.2.0)

src/llmq/signing_shares.cpp

src/llmq/signing_shares.cpp:5:10: fatal error: 'llmq/signing_shares.h' file not found
5 | #include <llmq/signing_shares.h>
| ^~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
Error: the following clang command did not run successfully:
/opt/infer-linux-x86_64-v1.2.0/lib/infer/facebook-clang-plugins/clang/install/bin/clang-18
@/tmp/coderabbit-infer/03dddeea35c8f7c523a7ac863359573919403832-6c042c2de87ef62e/tmp/clang_command_.tmp.4ee502.txt
++Contents of '/tmp/coderabbit-infer/03dddeea35c8f7c523a7ac863359573919403832-6c042c2de87ef62e/tmp/clang_command_.tmp.4ee502.txt':
"-cc1" "-load"
"/opt/infer-linux-x86_64-v1.2.0/lib/infer/infer/bin/../../facebook-clang-plugins/libtooling/build/FacebookClangPlugin.dylib"
"-add-plugin" "BiniouASTExporter" "-plugin-arg-BiniouASTExporter" "-"
"-plugin-arg-BiniouASTExporter" "PREPEND_CURRENT_DIR=1"
"-plugin-arg-BiniouASTExporter" "MAX_STRING_SIZE=65535" "-cc1" "-triple"
"x86_64-unknown-linux-gnu" "-emit-obj" "-m

... [truncated 1097 characters] ...

install/lib/clang/18/include"
"-internal-isystem" "/usr/local/include" "-internal-isystem"
"/usr/lib/gcc/x86_64-linux-gnu/12/../../../../x86_64-linux-gnu/include"
"-internal-externc-isystem" "/usr/include/x86_64-linux-gnu"
"-internal-externc-isystem" "/include" "-internal-externc-isystem"
"/usr/include" "-Wno-ignored-optimization-argument" "-Wno-everything"
"-fdeprecated-macro" "-ferror-limit" "19" "-fgnuc-version=4.2.1"
"-fskip-odr-check-in-gmf" "-fcxx-exceptions" "-fexceptions"
"-D__GCC_HAVE_DWARF2_CFI_ASM=1" "-o"
"/tmp/coderabbit-infer/6c042c2de87ef62e/file.o" "-x" "c++"
"src/llmq/signing_shares.cpp" "-O0" "-fno-builtin" "-include"
"/opt/infer-linux-x86_64-v1.2.0/lib/infer/infer/bin/../lib/clang_wrappers/global_defines.h"
"-Wno-everything"

src/test/llmq_utils_tests.cpp

src/test/llmq_utils_tests.cpp:5:10: fatal error: 'test/util/llmq_tests.h' file not found
5 | #include <test/util/llmq_tests.h>
| ^~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
Error: the following clang command did not run successfully:
/opt/infer-linux-x86_64-v1.2.0/lib/infer/facebook-clang-plugins/clang/install/bin/clang-18
@/tmp/coderabbit-infer/03dddeea35c8f7c523a7ac863359573919403832-acb29ce53c41f00c/tmp/clang_command_.tmp.e6e5db.txt
++Contents of '/tmp/coderabbit-infer/03dddeea35c8f7c523a7ac863359573919403832-acb29ce53c41f00c/tmp/clang_command_.tmp.e6e5db.txt':
"-cc1" "-load"
"/opt/infer-linux-x86_64-v1.2.0/lib/infer/infer/bin/../../facebook-clang-plugins/libtooling/build/FacebookClangPlugin.dylib"
"-add-plugin" "BiniouASTExporter" "-plugin-arg-BiniouASTExporter" "-"
"-plugin-arg-BiniouASTExporter" "PREPEND_CURRENT_DIR=1"
"-plugin-arg-BiniouASTExporter" "MAX_STRING_SIZE=65535" "-cc1" "-triple"
"x86_64-unknown-linux-gnu" "-emit-obj

... [truncated 1106 characters] ...

stall/lib/clang/18/include"
"-internal-isystem" "/usr/local/include" "-internal-isystem"
"/usr/lib/gcc/x86_64-linux-gnu/12/../../../../x86_64-linux-gnu/include"
"-internal-externc-isystem" "/usr/include/x86_64-linux-gnu"
"-internal-externc-isystem" "/include" "-internal-externc-isystem"
"/usr/include" "-Wno-ignored-optimization-argument" "-Wno-everything"
"-fdeprecated-macro" "-ferror-limit" "19" "-fgnuc-version=4.2.1"
"-fskip-odr-check-in-gmf" "-fcxx-exceptions" "-fexceptions"
"-D__GCC_HAVE_DWARF2_CFI_ASM=1" "-o"
"/tmp/coderabbit-infer/acb29ce53c41f00c/file.o" "-x" "c++"
"src/test/llmq_utils_tests.cpp" "-O0" "-fno-builtin" "-include"
"/opt/infer-linux-x86_64-v1.2.0/lib/infer/infer/bin/../lib/clang_wrappers/global_defines.h"
"-Wno-everything"

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

✅ No Merge Conflicts Detected

This PR currently has no conflicts with other open PRs.

[thepastaclaw]

@coderabbitai review

[thepastaclaw]

Follow-up pushed in f54c9b7: kept the per-peer signing-session cap bounded, but added a minimum cap of 100 sessions so small test/devnet quorums do not exhaust the limit during normal ChainLock/InstantSend bursts before session cleanup runs.

Validation:

• make -C src -j8 test/llmq_signing_shares_tests.cpp.test test/test_dash
• src/test/test_dash --run_test=llmq_signing_shares_tests --catch_system_errors=no
• src/test/test_dash --run_test=evo_dip3_activation_tests/verify_db_legacy --catch_system_errors=no
• test/functional/feature_llmq_chainlocks.py --configfile=$(pwd)/test/config.ini --tmpdir=/tmp/pr7351-chainlocks-test could not run locally because this worktree was built without wallet support; CI will cover the wallet functional path.

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

@thepastaclaw Thanks for the follow-up — the minimum-cap floor of 100 sessions is a sensible guard for small test/devnet quorums. Triggering a review of commit f54c9b7 now.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[thepastaclaw]

CI follow-up pushed in e5e8d1e84e.

What changed:

• Kept the per-peer qsigsesann cap, but ensured small/regtest LLMQs have a safe minimum session allowance so legitimate ChainLocks/InstantSend signing bursts are not rejected.
• Added cleanup for announced sessions whose recovered signature already exists even when there are no retained sig shares for that session, so recovered sessions do not linger against the per-peer cap until timeout.
• Kept the focused llmq_signing_shares_tests coverage for enforcing the cap while allowing refreshes of existing sessions.

Validation:

• make -j8
• src/test/test_dash --run_test=llmq_signing_shares_tests --catch_system_errors=no
• src/test/test_dash --run_test=evo_dip3_activation_tests/verify_db_legacy --catch_system_errors=no
• git diff --check

Note: the prior feature_llmq_chainlocks.py failures were on old head 99be9334cd; the updated head is e5e8d1e84e and CI has been retriggered by the push.

[thepastaclaw]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[thepastaclaw]

✅ Review complete (commit 03dddee)

[thepastaclaw]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[thepastaclaw]

Follow-up pushed in 6595948 to avoid the src/Makefile.test.include predict-conflicts failure: the new signing-share session-cap unit coverage now lives in existing llmq_utils_tests.cpp instead of adding a new test translation unit.\n\nValidation: src/test/test_dash --run_test=llmq_utils_tests passed locally.\n\n ✅ Review complete (commit 6595948)\n\nAutomated code review verdict: ship.

[thepastaclaw]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6595948482

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Preserve announcement-only session expiry on refresh

When a peer periodically re-announces an already-known QSIGSESANN before SESSION_NEW_SHARES_TIMEOUT, insert_or_assign refreshes timeSeenForSessions, and cleanup only expires sessions by comparing the current time to that stored value. That lets announcement-only sessions stay alive indefinitely, so an attacker can keep its capped session slots and the corresponding per-peer state pinned forever; seed this timestamp only when the signHash is first inserted rather than on refresh.

Useful? React with 👍 / 👎.

[thepastaclaw]

Addressed in f6aa12a: QSIGSESANN announcements now seed timeSeenForSessions only on first insert (try_emplace) instead of refreshing it on repeat announcements. Actual sig-share receipt still refreshes the timestamp via ProcessSigShare, so announcement-only sessions expire normally.

[thepastaclaw]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f6aa12a20f

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Count only announcement-created sessions in the cap

When this node already has maxSessions sessions for a peer that were created locally for outgoing traffic (for example CollectSigSharesToAnnounce calls GetOrCreateSessionFromShare for that peer before SendMessages assigns a send session), this count rejects the peer's first unrelated QSIGSESANN even though the new limit is meant to constrain sessions created from announcements. NetSigning::ProcessMessage treats this false return as a ban, so under a busy signing backlog an honest peer can be banned because our own send-side sessions filled the per-peer count; the cap should exclude send-only sessions or track announcement-created sessions separately.

Useful? React with 👍 / 👎.

[thepastaclaw]

Addressed in 03dddee: the session cap now counts only sessions that were actually introduced by QSIGSESANN announcements. Send-only sessions created locally via sig shares no longer consume the announcement-session budget, while existing-session announcements are still accepted and then marked as announcement-backed.

Validation:

• git diff --check
• make -C src -j8 test/test_dash
• src/test/test_dash --run_test=llmq_utils_tests --catch_system_errors=no

[thepastaclaw]

Follow-up pushed in 03dddeea35 for the latest automated review: the QSIGSESANN cap now counts only sessions that were received via announcements, so locally-created send-side sessions do not cause an honest peer's first unrelated announcement to be rejected.

Validation:

• git diff --check
• make -C src -j8 test/test_dash
• src/test/test_dash --run_test=llmq_utils_tests --catch_system_errors=no

[thepastaclaw]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.