Review: feat(wallet): explicit wallet.restore() recovery mechanism

Verdict: Request changes (protocol-critical — requires human sign-off)

This is well-architected fund-recovery code with solid error semantics and thorough test coverage. The gap-limit scan, error-collection model, and concurrency guard are all sound. However, this is protocol-critical (VTXO discovery = fund recovery) — bugs here make users believe they have no funds when they do. Requesting human review per repo policy.

🟢 Strengths

1. Error contract is correct: handler discoverAt errors collected → scan finishes → inline VTXO pull recovers safely-discovered funds → then AggregateError surfaces. A truncated restore is loud, never silent.
2. Concurrency model is solid: _restoreInFlight coalesces concurrent calls; dispose() drains it deadlock-free (restore never calls dispose).
3. HD watermark is monotonic: advanceLastIndexUsed uses mutate() (mutex-protected) and only advances.
4. Cross-repo impact is nil: all changes are additive. No external implementations of IContractManager exist. The materializeAt → materializeDescriptorAt rename is internal.
5. Test coverage: 28 unit cases + e2e. Key invariants tested: gap-window-kept-open-by-swap, concurrent coalesce, dispose-races-restore, handler-error-after-pull.

🟡 Minor Issues (non-blocking, but worth addressing)

1. Unbounded loop if a buggy handler always returns results
src/contracts/contractManager.ts:131 — while (i <= maxIdx && unused < gapLimit) with maxIdx = POSITIVE_INFINITY for HD mode. If a malicious/buggy third-party Discoverable handler always returns non-empty from discoverAt, the loop never terminates.

Suggestion: Add a hard ceiling (e.g. const MAX_INDEX = 10_000) as a safety valve. Gap-limit 20 with continuous hits reaching 10k indices would already be extraordinary; an infinite loop would OOM/hang the wallet.

const maxIdx = opts.hd ? MAX_INDEX : 0;

2. Sequential handler probing — potential performance cliff
src/contracts/contractManager.ts:135-145 — handlers are iterated sequentially within each index. With N handlers × G gap-limit × T timelocks per handler, each making an indexer round-trip, a restore with 3 handlers and gap 20 would make ~60+ serial network calls minimum.

Suggestion (future): Consider Promise.all across handlers within an index (they're independent). Not blocking this PR, but worth a TODO comment.

3. Duck-typing for HD detection is fragile
src/wallet/wallet.ts:1192-1194:

const hd = !!provider && typeof (provider as Partial<HDDescriptorProvider>).materializeDescriptorAt === "function";

Any non-HD DescriptorProvider that happens to have a materializeDescriptorAt method would be incorrectly treated as HD. Consider using instanceof HDDescriptorProvider (you already import it) for type safety:

const hd = provider instanceof HDDescriptorProvider;

🟢 No Issues Found In

• Gap-limit termination logic (correct BIP44-style scan)
• createContract idempotency reliance (script-keyed dedup is existing behavior)
• Metadata tagging (index 0 untagged, index > 0 tagged with wallet-receive + signingDescriptor)
• deriveDescriptorLeafPubKey extraction (logic identical to original)
• WALLET_RECEIVE_SOURCE layering fix (re-export maintains back-compat)
• pickActiveReceive tiebreak (deterministic on HD index)
• ServiceWorker proxy rejection (clear error, correct — callbacks not structured-cloneable)
• signingDescriptorIndex regex (correctly parses trailing /N) pattern)

⚠️ Protocol-Critical Flag

This PR adds fund-recovery logic. If scanContracts terminates early (gap closes before all funds discovered), or if refreshVtxos fails silently after the scan, users lose visibility of their own money. The error contract handles both cases correctly in the current implementation, but this requires human sign-off before merge per protocol-critical review policy.

TL;DR: Clean, well-tested, correct error semantics. The unbounded-loop ceiling (#1) should be addressed before merge; #2-#3 are nice-to-haves. Human approval required for protocol-critical code.

Review: feat(wallet): explicit wallet.restore() recovery mechanism

Verdict: Request changes (protocol-critical — requires human sign-off)

This is well-architected fund-recovery code with solid error semantics and thorough test coverage. The gap-limit scan, error-collection model, and concurrency guard are all sound. However, this is protocol-critical (VTXO discovery = fund recovery) — bugs here make users believe they have no funds when they do. Requesting human review per repo policy.

🟢 Strengths

1. Error contract is correct: handler discoverAt errors collected → scan finishes → inline VTXO pull recovers safely-discovered funds → then AggregateError surfaces. A truncated restore is loud, never silent.
2. Concurrency model is solid: _restoreInFlight coalesces concurrent calls; dispose() drains it deadlock-free (restore never calls dispose).
3. HD watermark is monotonic: advanceLastIndexUsed uses mutate() (mutex-protected) and only advances.
4. Cross-repo impact is nil: all changes are additive. No external implementations of IContractManager exist. The materializeAt → materializeDescriptorAt rename is internal.
5. Test coverage: 28 unit cases + e2e. Key invariants tested: gap-window-kept-open-by-swap, concurrent coalesce, dispose-races-restore, handler-error-after-pull.

🟡 Minor Issues (non-blocking, but worth addressing)

1. Unbounded loop if a buggy handler always returns results
src/contracts/contractManager.ts:131 — while (i <= maxIdx && unused < gapLimit) with maxIdx = POSITIVE_INFINITY for HD mode. If a malicious/buggy third-party Discoverable handler always returns non-empty from discoverAt, the loop never terminates.

Suggestion: Add a hard ceiling (e.g. const MAX_INDEX = 10_000) as a safety valve. Gap-limit 20 with continuous hits reaching 10k indices would already be extraordinary; an infinite loop would OOM/hang the wallet.

const maxIdx = opts.hd ? MAX_INDEX : 0;

2. Sequential handler probing — potential performance cliff
src/contracts/contractManager.ts:135-145 — handlers are iterated sequentially within each index. With N handlers × G gap-limit × T timelocks per handler, each making an indexer round-trip, a restore with 3 handlers and gap 20 would make ~60+ serial network calls minimum.

Suggestion (future): Consider Promise.all across handlers within an index (they're independent). Not blocking this PR, but worth a TODO comment.

3. Duck-typing for HD detection is fragile
src/wallet/wallet.ts:1192-1194:

const hd = !!provider && typeof (provider as Partial<HDDescriptorProvider>).materializeDescriptorAt === "function";

Any non-HD DescriptorProvider that happens to have a materializeDescriptorAt method would be incorrectly treated as HD. Consider using instanceof HDDescriptorProvider (you already import it) for type safety:

const hd = provider instanceof HDDescriptorProvider;

🟢 No Issues Found In

• Gap-limit termination logic (correct BIP44-style scan)
• createContract idempotency reliance (script-keyed dedup is existing behavior)
• Metadata tagging (index 0 untagged, index > 0 tagged with wallet-receive + signingDescriptor)
• deriveDescriptorLeafPubKey extraction (logic identical to original)
• WALLET_RECEIVE_SOURCE layering fix (re-export maintains back-compat)
• pickActiveReceive tiebreak (deterministic on HD index)
• ServiceWorker proxy rejection (clear error, correct — callbacks not structured-cloneable)
• signingDescriptorIndex regex (correctly parses trailing /N) pattern)

⚠️ Protocol-Critical Flag

This PR adds fund-recovery logic. If scanContracts terminates early (gap closes before all funds discovered), or if refreshVtxos fails silently after the scan, users lose visibility of their own money. The error contract handles both cases correctly in the current implementation, but this requires human sign-off before merge per protocol-critical review policy.

TL;DR: Clean, well-tested, correct error semantics. The unbounded-loop ceiling (#1) should be addressed before merge; #2-#3 are nice-to-haves. Human approval required for protocol-critical code.

Actionable comments posted: 6

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/contracts/contractManager.ts`:
- Around line 528-537: The discovery loop currently calls createContract() which
immediately triggers full hydration via fetchContractVxosFromIndexer() and
watcher registration; to avoid N full indexer pulls during restore, add a new
lightweight API (e.g., persistAndWatchContract or createContractWatchOnly) on
the same class that only persists the DiscoveredContract and registers watchers
but does not call fetchContractVxosFromIndexer(), then replace the
createContract(c) call inside the discoverables loop with this new method; keep
createContract(c) intact for later restore flow where refreshVtxos({
includeInactive: true }) will perform the full hydration. Ensure the new method
signature accepts the DiscoveredContract and any opts needed and that any error
handling (handlerErrors) remains unchanged.

In `@src/wallet/hdDescriptorProvider.ts`:
- Around line 134-142: The advanceLastIndexUsed method currently accepts invalid
watermarks; before calling mutate() add a guard that validates the incoming
index using Number.isInteger(index) && index >= 0 and bail out (no-op) if it
fails so you never persist NaN, fractions, or negatives to
settings.lastIndexUsed; ensure you reference advanceLastIndexUsed, mutate, and
settings.lastIndexUsed in the change and note that invalid values currently
break parseSettings on subsequent reads.

In `@src/wallet/wallet.ts`:
- Around line 1229-1243: The current HD branch uses hd inferred only from
materializeDescriptorAt but later calls advanceLastIndexUsed, causing a
TypeError; update the capability check to require both functions
(materializeDescriptorAt and advanceLastIndexUsed) on this._descriptorProvider
(e.g., replace hd with hdCapable or similar), narrow the type to an
HDDescriptorProvider-like shape for the rest of _runRestore, and adjust the
materialize function and subsequent calls (including where advanceLastIndexUsed
is invoked) to rely on that guarded, correctly typed provider so custom
providers that only implement one method won't take the HD path.
- Around line 1213-1224: Move the early-return that checks this._restoreInFlight
to before any validation of opts so concurrent calls coalesce; specifically, in
restore() check if (this._restoreInFlight) return this._restoreInFlight; first,
then compute/validate gapLimit and set this._restoreInFlight =
this._runRestore(gapLimit).finally(...). Ensure you still validate gapLimit
(Number.isInteger and >0) only for the caller that actually starts the run, and
keep the same error message when throwing.

In `@test/helpers/restoreWallet.ts`:
- Around line 84-95: makeVtxo currently returns a constant outpoint (txid/vout)
which causes accidental deduping; update makeVtxo to generate a unique outpoint
per call (e.g., derive txid or vout from the script, a counter, timestamp, or a
short hash of script+Date.now()) so each VirtualCoin has a distinct txid/vout
pair while preserving other fields (value, status, createdAt, script,
isUnrolled, isSpent, virtualStatus). Apply the same uniqueness fix to the other
similar helper(s) referenced in the file (the alternate makeVtxo usage around
the later lines 125-127) so all mocked VTXOs use unique outpoints.
- Around line 259-261: The current unchecked cast retrieving hdProvider from
wallet (const hdProvider = (wallet as unknown as { _descriptorProvider:
HDDescriptorProvider })._descriptorProvider) should be protected by a runtime
guard: verify wallet._descriptorProvider exists and matches the expected shape
(e.g., instanceof HDDescriptorProvider or has required methods/properties) and
if not throw a clear, fast-failing error mentioning wallet and
HDDescriptorProvider; replace the direct cast with this guard and use the
validated hdProvider thereafter so failures are explicit if wallet internals
change.

---

Nitpick comments:
In `@test/e2e/restore.test.ts`:
- Around line 22-59: The test creates two wallets via
createTestArkWalletFromMnemonic (variables a and b) but only disposes them on
the happy path; move both lifecycles into try/finally blocks so each wallet is
always disposed even if assertions fail: surround the logic after creating a
with try { ... } finally { await a.wallet.dispose(); } and likewise surround the
logic after creating b (using createSharedRepos and calling
faucetOffchain/waitFor/getBalance/restore) with a try/finally that awaits
b.wallet.dispose(); ensure awaits remain and no test logic is left outside the
try so cleanup is guaranteed.

In `@test/restore.test.ts`:
- Around line 426-468: The test currently only asserts that a swap hit at index
4 was found and lastIndexUsed is 4, but doesn't verify the scanner actually
probed indices after the hit; capture the handler invocation details returned by
makeFakeHandler (the `handler`/`calls` structure) and add an assertion that the
handler was invoked for indices beyond 4 up to the expected post-hit window
(given gapLimit:5), e.g., verify `calls` includes probes for indices 5..(4 +
gapLimit - 1) or the equivalent sequence, so the test fails if the loop stopped
immediately after the hit; update the test to extract `calls` from
makeFakeHandler and assert the expected indices were probed.
- Around line 102-111: The mockIndexer’s getVtxos currently returns a single
boolean hit if any queried script matches, which masks partial-hit bugs; update
mockIndexer (and tests at the other locations) so getVtxos returns per-script
results (or at least an explicit case where only one timelock script is present)
— e.g., have mockIndexer examine each script in opts.scripts and return vtxos
only for the scripts that are in usedScripts (or add a new test that supplies
two timelock scripts but only marks one as used and asserts the handler does not
treat both as found); target the mockIndexer function and getVtxos behavior used
by the multi-timelock tests to ensure partial-hit cases are covered.

Follow-up review (commit 0aaac20)

New commit: test(e2e): make restore test HD-mode and load-bearing — test-only, no production code changed.

✅ New test is correct and well-designed

The old e2e test was vacuous — index-0 funds are auto-registered at baseline, so a same-seed wallet B would see them without restore(). The new test is genuinely load-bearing:

1. Funds wallet A at index-0 → receive rotator advances to index-1
2. Funds wallet A at index-1 (a script baseline doesn't cover)
3. Fresh wallet B on same seed → baseline only sees index-0 → before < totalA
4. After restore() → gap scan discovers index-1 → after >= totalA

The waitFor polling for rotation and the toBeLessThan assertion (instead of === 0) correctly handle the timing window where B's watcher may or may not have synced index-0 VTXOs. Good.

The utils.ts change (adding optional walletMode param) is clean — no default changed, existing callers unaffected.

⚠️ Previous review concerns still open

My prior review's findings remain unaddressed:

1. Unbounded loop (contractManager.ts:518 — maxIdx = POSITIVE_INFINITY) — still needs a hard ceiling
2. Duck-typing for HD detection (wallet.ts:1233) — still uses method-existence check instead of instanceof

These are non-blocking for this test commit but still need resolution before merge. Protocol-critical flag and human sign-off requirement remain.

Iterative review — commits 400829f through fb8cfab

Both open concerns from my previous review are now resolved:

✅ Unbounded loop → bounded at SCAN_MAX_INDEX = 10_000

contractManager.ts:38 — hard ceiling with a clear safety-valve comment. The post-loop check (i > maxIdx && unused < gapLimit) correctly distinguishes "gap closed naturally" from "hit the ceiling" and throws loudly for the latter. Good.

✅ Duck-typing → instanceof HDDescriptorProvider

wallet.ts:~1105 — const hd = provider instanceof HDDescriptorProvider. Comment documents the trade-off if custom HD providers are added later. Clean.

✅ New: upsertContract / persistAndWatchContract refactor (commit 3d15d5e3)

Well-factored split. persistAndWatchContract skips the per-contract fetchContractVxosFromIndexer round-trip, reducing N+1 indexer calls to 1 bulk refreshVtxos({ includeInactive: true }). The shared upsertContract preserves the existing dedupe-by-script and type-mismatch semantics. No behavioral change for external createContract callers.

✅ New: Concurrent coalesce reorder (commit fb8cfabc)

restore() now checks _restoreInFlight before validating gapLimit. Correct — a coalescing caller's value is documented as ignored, so validating it first would surface misleading errors.

✅ New: advanceLastIndexUsed input validation (commit 400829f8)

hdDescriptorProvider.ts:~140 — if (!Number.isInteger(index) || index < 0) return; silently no-ops on invalid input instead of corrupting lastIndexUsed. The monotonic guard (index > settings.lastIndexUsed) was already present; the new guard prevents NaN/fractions/negatives from bypassing it.

Test coverage

772-line unit suite + load-bearing e2e test. Coverage includes: gap-limit validation, swap-keeps-gap-open with full post-hit probe-window assertion (calls === [0..9]), per-handler error collection vs fatal propagation, static single-pass, concurrent coalesce, dispose-races-restore, HD watermark advance, partial-timelock-hit, per-script mock indexer. Comprehensive.

Protocol-critical flag

This PR touches fund recovery — a wallet.restore() that silently truncates or misidentifies scripts risks hiding user funds. The code is correct and well-tested, but human sign-off is required before merge per protocol-critical review policy.

🤖 Arkana

Good to go from my side @Kukks your call since I've pushed some updates. Planning a follow-up PR for service worker support.