feat: add failsafe to transaction replay

[hstove]

• Closes TX Replay: Failsafe logic in signer state #6206

(Opening as a draft - the test could be improved, and I'm not very confident in the "rules" implemented here)

This PR implements a 'failsafe' for transaction replay - if we've had 2 burn blocks since the new fork tip, clear the replay set. While this is very imperfect, it prioritizes liveness of the chain over guarantees about replay getting executed as expected. Most of the time, this shouldn't make a difference anyways. A new config field, reset_replay_set_after_fork_blocks, is provided to allow changing this value (which defaults to 2).

I've also refactored many of the transaction replay tests to do shallower forks, which aligns much more with reality. This actually caught a bug in the fork detection logic, which we were getting away with due to the tests using deeper forks. We now use a descendency check to determine whether a new burn block is a fork, where we previously did a simple check against the height of a new burn block.

[hstove]

After some discussion, we're going to update this to use the rule of "once there are 2 burn blocks past the previous tip, clear the replay set if we're still in it". We'll use a config value for the "2 burn blocks" value.

[codecov]

Codecov Report

Attention: Patch coverage is 9.94550% with 661 lines in your changes missing coverage. Please review.

Project coverage is 82.55%. Comparing base (97a96fc) to head (66bfc13).

Files with missing lines	Patch %	Lines
testnet/stacks-node/src/tests/signer/v0.rs	1.19%	581 Missing ⚠️
testnet/stacks-node/src/tests/signer/mod.rs	5.00%	38 Missing ⚠️
stacks-signer/src/v0/signer_state.rs	68.49%	23 Missing ⚠️
stackslib/src/net/api/postblock_proposal.rs	0.00%	10 Missing ⚠️
...-node/src/burnchains/bitcoin_regtest_controller.rs	0.00%	9 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #6212      +/-   ##
===========================================
+ Coverage    82.45%   82.55%   +0.10%     
===========================================
  Files          541      541              
  Lines       344244   344309      +65     
  Branches       323      323              
===========================================
+ Hits        283833   284251     +418     
+ Misses       60403    60050     -353     
  Partials         8        8              

Files with missing lines	Coverage Δ
stacks-signer/src/chainstate.rs	94.71% <100.00%> (+0.01%)	⬆️
stacks-signer/src/client/mod.rs	99.23% <100.00%> (+<0.01%)	⬆️
stacks-signer/src/config.rs	91.03% <100.00%> (+0.14%)	⬆️
stacks-signer/src/runloop.rs	89.68% <100.00%> (+0.02%)	⬆️
stacks-signer/src/tests/chainstate.rs	100.00% <100.00%> (ø)
stacks-signer/src/v0/signer.rs	84.30% <100.00%> (-0.08%)	⬇️
...net/stacks-node/src/tests/nakamoto_integrations.rs	87.17% <100.00%> (+0.12%)	⬆️
...-node/src/burnchains/bitcoin_regtest_controller.rs	87.79% <0.00%> (-0.40%)	⬇️
stackslib/src/net/api/postblock_proposal.rs	68.73% <0.00%> (-1.15%)	⬇️
stacks-signer/src/v0/signer_state.rs	76.31% <68.49%> (-1.53%)	⬇️
... and 2 more

... and 41 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 97a96fc...66bfc13. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[fdefelici]

Overall the implementation looks fine!

As expected, all tx_replay_* tests are currently failing due to the two-tenure limit, for the reasons reported in the PR description. Once the current approach is finalized, these tests will likely need to be revisited and properly adjusted to align with the new logic.

I've included a few remarks throughout the review suggesting possible improvements for readability and maintainability.

[fdefelici]

should this be tip_after_fork.stacks_tip_height + 2 ?

[fdefelici]

nit: Would it make sense to swap these two waits to align the structure with the surrounding code block, specifically to make this section more symmetric with the previous block ("Mining a second tenure") and the next one ("Mining a third tenure")?

[hstove]

I'm not sure - I think either way makes sense? Since the replay set is tied to a new burn block, it may happen first anyways.

[fdefelici]

Yeah, that makes sense! What I mean, is If ordering isn't relevant for correctness, I’d favor maintaining code symmetry with the surrounding blocks. I try to summarize the involved test steps like this:

info!("---- Waiting for two tenures, without replay set cleared ----";)
// - unstall mining
// - wait for chain tip
// - wait for signer state check

info!("---- Mining a second tenure ----");
// - Mine naka block
// - wait for signer state check
// - wait for chain tip

info!("---- Mining a third tenure ----");
// - Mine naka block
// - wait for chain tip
// - wait for signer state check

As you can see, in the "Mining a second tenure" block, the two checks are inverted compared to the others.

If the order doesn’t matter functionally, I’d suggest aligning them to follow the same pattern across all blocks. It improves readability and could also help in the future if we migrate these tests to madhouse commands.

[kantai]

If I'm understanding the scope construction correctly, I think the behavior here is roughly: if a replay set takes longer than 2 burn blocks to resolve, clear the replay set.

I think that behavior is actually fine. But I think the alternative we discussed was something like "if its been more than 2 burn blocks since a transaction in the replay set has been processed" which is a more restrictive condition (i.e., less likely to trigger). I'm okay with the less restrictive condition, but we should make sure to communicate it.

[fdefelici]

Overall looks fine!

Added some minor remarks.

I also noticed that:

• there is a small clippy issue to be addressed: https://github.com/stacks-network/stacks-core/actions/runs/16027643852/job/45219629003?pr=6212
• and a bunch of flaky tests where one is tx replay related: https://github.com/stacks-network/stacks-core/actions/runs/16027643859/job/45221079154?pr=6212 (which I tested succesfully locally)

[fdefelici]

Just a quick thought: in general, for this kind of test configuration, I wonder if it might be valuable to use the DEFAULT_RESET_REPLAY_SET_AFTER_FORK_BLOCKS constant. Not a strong opinion, just sharing in case it's worth considering for consistency or clarity.

[hstove]

Good suggestion, done!

[fdefelici]

Ok. I see the change in the nakamoto_integrations.rs module.

Eventually let me know if you want to apply the same approach in the remaining modules or not:

• stacks-signer/src/tests/chainstate.rs
• testnet/stacks-node/src/tests/signer/v0.rs

[fdefelici]

nit: Consider renaming the test to better reflect the scenario being tested (e.g. tx_replay_started_after_fork or similar)

[hstove]

I definitely understand this suggestion, but I'm a little partial to keeping it as-is - it's really just a useful test for testing out the "base case" of tx replay. "Started after fork" is also redundant, since all tx replay happens after a fork.

[fdefelici]

Yeah, I see your point. This test essentially just verifies whether the transaction replay starts correctly.
If we can’t come up with a better name, I’m okay with keeping it as is.

[fdefelici]

I've resolved some of the remarks and updated the others.

@hstove, let me know your thoughts on also the remaining older comments