refactor(sdk): per-network protocol-version floor + version_pinned unification

[Claudius-Maginificent]

Why this PR exists

• Problem: the SDK's protocol-version handling was brittle and inconsistent. The pin flag was modelled two different, opposite-polarity ways (SdkBuilder::version_explicit true = pinned, Sdk::auto_detect_protocol_version true = not pinned), and refresh_protocol_version lived in its own module behind a redundant post-build clamp that silently rewrote a caller's pinned version.
• What breaks without it: the contradictory pin flags are an easy footgun (a reader has to remember which polarity means "pinned"), and the post-build clamp meant with_version() did not actually honour the version you pinned — it bumped a sub-floor pin up to the floor behind your back. Cleaning this up is the groundwork for refreshing the protocol version on SDK init.
• Blocking relationship to feat(sdk): refresh protocol version on SDK init (FFI/WASM/JS) #3902: that init wiring (FFI / WASM / JS) ships separately in feat(sdk): refresh protocol version on SDK init (FFI/WASM/JS) #3902, which builds directly on the co-located refresh primitive and the unified version_pinned flag introduced here. The two are intended to land together. (Native rs-sdk init is wired by neither PR — build() stays synchronous; native callers can call refresh_protocol_version() themselves or rely on the lazy first-query ratchet. Tracked as follow-up.)

What was done

• min_protocol_version is per-network (restored in 02b63c5f0a). It is a const fn returning the network-specific minimum — Mainnet → v11; Testnet / Devnet / Regtest → v12 — and is the per-network lower bound an unpinned SDK seeds from in build(). An earlier iteration of this PR had collapsed it to a single flat v11 baseline; that has been reverted so an unpinned SDK on a v12 network no longer seeds below the network's live minimum. The rustdoc was condensed to the floor-not-a-pin rationale.
• The floor is a seed/lower-bound, not a runtime clamp. build() deliberately does not apply .max(min_protocol_version(network)) — the clamp is removed and stays removed (out of scope for the floor restoration). So a pinned-below version is preserved exactly as given (doc: "the pinned version is used as-is; it is not clamped"), while an unpinned build seeds from the per-network floor and ratchets upward monotonically via auto-detect.
• Unified the pin flag as version_pinned. Collapses the opposite-polarity pair (version_explicit + auto_detect_protocol_version) into one consistently-polarised flag (true = pinned, auto-detect off). The builder's version field also became Option<&'static PlatformVersion> (defaulting to None instead of a seeded constant). Internal rename — 21 references, none of the old names remain.
• Relocated the refresh primitive. refresh_protocol_version is inlined into sdk.rs and the dedicated sdk/refresh.rs module is deleted (−105 lines). It has no production caller in this PR — the init call sites live in feat(sdk): refresh protocol version on SDK init (FFI/WASM/JS) #3902; three #[cfg(test)] unit tests exercise it here.

Testing

• cargo build -p dash-sdk, cargo fmt -p dash-sdk --check, cargo clippy -p dash-sdk --all-targets --features mocks — clean (zero warnings).
• cargo test -p dash-sdk --features mocks --lib — 143 passed; cargo test -p dash-sdk --features mocks --test main fetch::document_query_v0_v1 — 10 passed. The floor-targeted unit tests assert against min_protocol_version(network) directly (floor-agnostic, survive future floor changes); sdk_builder_default_seeds_atomic_to_floor boots a default (Mainnet) SDK and still expects PROTOCOL_VERSION_11.
• CI on the PR is the source of truth for the full workspace + JS package suites.
• The refresh-on-init mechanism was validated end-to-end on the paloma devnet on an earlier snapshot of this work — an unpinned SDK seeded at the configured floor and auto-ratcheted to the network's active version on the first proven response. That live refresh path now lives in feat(sdk): refresh protocol version on SDK init (FFI/WASM/JS) #3902; see its description for the full run.

CI reconciliation

• wasm-sdk WasmSdkBuilder builder-chaining tests (withVersion() / multiple-method chaining) — greaterThan(1) → equal(1), because a pinned version is no longer clamped to the floor (depends on the removed clamp, not on the floor value).
• tests/fetch/common.rs and the sdk_builder_default_seeds_atomic_to_floor comment — doc-comment wording aligned with the per-network floor semantics (no logic change).

Breaking changes

• Removes the public DEFAULT_INITIAL_PROTOCOL_VERSION constant (was pub). External code referencing it will no longer compile.
• Promotes SdkBuilder::with_initial_version from pub(crate) to pub (additive).
• Behavioural: a pinned version is no longer clamped up to the per-network floor — with_version() now honours the version exactly as given, including a pin below the floor. (The per-network seed values themselves are unchanged: Mainnet → v11, others → v12.)
• with_version() signature is unchanged; version_pinned and min_protocol_version remain internal.

Checklist

• Code builds, formats, and lints clean (cargo build / cargo fmt --check / cargo clippy --all-targets --features mocks).
• Unit + integration tests pass locally (dash-sdk lib: 143; document_query_v0_v1: 10).
• CI-reconciliation tests updated to match the kept (no-clamp) behaviour.
• Public-API / behavioural breaking changes documented above.
• Intended to land together with feat(sdk): refresh protocol version on SDK init (FFI/WASM/JS) #3902 (refresh-on-init).

Related

• feat(sdk): refresh protocol version on SDK init (FFI/WASM/JS) #3902 — wires refresh_protocol_version into the SDK init paths (FFI / WASM / JS). Provides the production behaviour that eagerly refreshes the version on init; builds on the unified version_pinned flag and the co-located refresh primitive from this PR; intended to land together.

_{🤖 Co-authored by Claudius the Magnificent AI Agent}

Summary by CodeRabbit

• New Features

  • Added ability to manually refresh protocol version on demand with best-effort semantics
  • Made protocol version initialization method publicly available for custom configuration
  • Introduced protocol version pinning to lock SDK behavior to specific versions

• Refactor

  • Streamlined SDK protocol version management and default bootstrapping

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

The PR refactors protocol-version floor logic by converting min_protocol_version to a const fn, inlining refresh_protocol_version from the deleted sdk/refresh.rs into sdk.rs, replacing the auto_detect_protocol_version boolean with a version_pinned flag, and changing SdkBuilder to seed the stored protocol version from min_protocol_version(self.network) instead of a boot-time constant. Tests and public documentation are updated throughout to derive expected behavior from the new floor-based constant.

Changes

Protocol-Version Floor Rework

Layer / File(s)	Summary
Floor constant and refresh capability packages/rs-sdk/src/sdk.rs	min_protocol_version refactored to const fn returning a fixed protocol-version floor value; imports added for ExtendedEpochInfo and FetchCurrent to support proven refresh.
SDK internals: pinning state and version guarding packages/rs-sdk/src/sdk.rs	Sdk struct field changed from auto_detect_protocol_version to version_pinned; Sdk clone updated to copy version_pinned; maybe_update_protocol_version early-returns when pinned to prevent ratcheting from received metadata.
refresh_protocol_version public API packages/rs-sdk/src/sdk.rs	Sdk::refresh_protocol_version() async method performs proven ExtendedEpochInfo::fetch_current when unpinned, ratchets stored protocol version upward on success, logs warning on failure (non-fatal), and returns current stored version in all cases; pinned SDKs skip network calls.
SdkBuilder restructuring and floor seeding packages/rs-sdk/src/sdk.rs	SdkBuilder fields restructured to use version_pinned and Option<&'static PlatformVersion>; default() seeds unpinned state; build() computes initial PlatformVersion from min_protocol_version(self.network) when no explicit version is set; Sdk construction in both DAPI and mock modes initializes protocol-version atomic from computed floor and sets version_pinned based on builder flag.
Unit tests: protocol-version behavior packages/rs-sdk/src/sdk.rs	All version-related unit tests updated to derive expected floors from min_protocol_version(Network::Mainnet) and min_protocol_version(Network::Testnet); tests cover boot-time seeding, ratcheting upward, rejection below floor, pinning state assertion, per-network behavior, proven-refresh flow, and refresh-unavailable behavior (stored version unchanged rather than clamping upward).
Integration test documentation and assertion updates packages/rs-sdk/tests/fetch/common.rs, packages/rs-sdk/tests/fetch/document_query_v0_v1.rs, packages/wasm-sdk/tests/unit/builder-with-addresses.spec.ts	bootstrap_mock_sdk_to_latest doc comment updated to reference min_protocol_version; sdk_builder_default_seeds_atomic_to_floor assertion changed to use mainnet floor constant; WasmSdkBuilder.withVersion tests updated to expect pinned versions used exactly as-is without floor clamping.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• dashpay/platform#3893: Both PRs directly modify the SDK's refresh_protocol_version implementation to use proven ExtendedEpochInfo::fetch_current with verified-metadata ratcheting, overlapping at the refresh logic and testnet validation.
• dashpay/platform#3751: The FFI/Swift PR forwards a caller-supplied platform_version into SdkBuilder::with_version, and the main PR changes SdkBuilder::with_version to pin the provided version "as-is" (no floor clamping), so the version-handling behavior wired by the FFI depends on the main PR's SDK builder semantics.
• dashpay/platform#3809: Both PRs modify SDK default/unpinned protocol-version bootstrapping logic (initial floor seed and ratcheting behavior) in SdkBuilder.

Suggested reviewers

• shumkov
• llbartekll
• ZocoLini

🐇 A floor was laid, a constant set,
No default version to forget.
The refresh inline, refresh.rs gone,
Pinning guards the ratchet's dawn.
min_protocol_version leads the way —
A rabbit hops to a brighter day! 🌟

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title precisely summarizes the main changes: consolidating protocol-version floor handling per-network and unifying the version_pinned flag, which are the core refactoring objectives.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch refactor/sdk-collapse-protocol-version-floor

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[thepastaclaw]

✅ Review complete (commit ec3d164)

[Copilot]

Pull request overview

This PR aims to restore correct SDK protocol-version boot behavior by reintroducing a per-network minimum protocol-version floor (instead of a single cross-network default), and by simplifying protocol-version refresh to use the existing proven-query ratchet path.

Changes:

• Replaces the single initial protocol-version constant with a min_protocol_version(network) floor used during SdkBuilder::build().
• Inlines Sdk::refresh_protocol_version into sdk.rs and deletes the dedicated sdk/refresh.rs module.
• Updates fetch/encoder tests and shared test helpers to assert the new “boot at per-network floor” behavior.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
packages/rs-sdk/src/sdk.rs	Implements protocol-version floor + refresh changes; updates builder seeding and related tests.
packages/rs-sdk/src/sdk/refresh.rs	Removes the old refresh module (refresh logic moved into sdk.rs).
packages/rs-sdk/tests/fetch/document_query_v0_v1.rs	Updates tests to assert default builder seeds to the mainnet floor instead of the removed constant.
packages/rs-sdk/tests/fetch/common.rs	Updates documentation/comments in shared test helpers to describe per-network floor boot behavior.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/rs-sdk/src/sdk.rs`:
- Around line 62-64: The min_protocol_version function ignores its network
parameter (indicated by the underscore prefix) and always returns
PROTOCOL_VERSION_10, but the tests expect per-network values: Mainnet should
return PROTOCOL_VERSION_11 and Testnet/Devnet/Regtest should return
PROTOCOL_VERSION_12. Remove the underscore prefix from the network parameter and
implement a match statement to return the appropriate protocol version based on
the network variant, returning PROTOCOL_VERSION_11 for Mainnet and
PROTOCOL_VERSION_12 for the other network types.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 093f5a31-599c-4e7b-b043-4896611f61e9

📥 Commits

Reviewing files that changed from the base of the PR and between e2039e5 and 8b03937.

📒 Files selected for processing (4)

• packages/rs-sdk/src/sdk.rs
• packages/rs-sdk/src/sdk/refresh.rs
• packages/rs-sdk/tests/fetch/common.rs
• packages/rs-sdk/tests/fetch/document_query_v0_v1.rs

💤 Files with no reviewable changes (1)

• packages/rs-sdk/src/sdk/refresh.rs

[thepastaclaw]

Code Review

All six agents independently flagged the same blocking issue: min_protocol_version at packages/rs-sdk/src/sdk.rs:62-64 ignores its Network argument and returns PROTOCOL_VERSION_10 for every network. Verified against the source — this directly contradicts the new in-file tests (test_min_protocol_version_mapping, test_testnet_default_builder_boots_at_per_network_floor, test_testnet_refresh_confirms_floor_via_proven_query) and reintroduces (and widens) the fee-under-reservation window the PR description claims to close. The accompanying doc comments still describe a per-network floor that no longer exists.

🔴 1 blocking

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-sdk/src/sdk.rs`:
- [BLOCKING] packages/rs-sdk/src/sdk.rs:62-64: min_protocol_version returns v10 for every network — defeats the PR's purpose and breaks the new tests
  `min_protocol_version` discards its `Network` argument and unconditionally returns `dpp::version::v10::PROTOCOL_VERSION_10`, with a `TODO` to set real per-network floors later. This is the helper `SdkBuilder::build()` uses to seed `initial_protocol_version`, so every unpinned SDK now boots at v10 — mainnet boots below its v11 live floor, and testnet/devnet/regtest boot two versions below their v12 live floor.

  Concrete consequences in this PR:

  1. The three new tests added in the same module fail at runtime:
     - `test_min_protocol_version_mapping` (sdk.rs:1922) asserts Mainnet → `PROTOCOL_VERSION_11` and Testnet/Devnet/Regtest → `PROTOCOL_VERSION_12`.
     - `test_testnet_default_builder_boots_at_per_network_floor` (sdk.rs:1944) asserts the testnet SDK boots at `PROTOCOL_VERSION_12`.
     - `test_testnet_refresh_confirms_floor_via_proven_query` (sdk.rs:1967) asserts `dpp::version::LATEST_VERSION == floor`, which is false when `floor == 10`.
  2. The PR description's stated regression fix is undone. The PR explains that an unpinned SDK on testnet/devnet/regtest was 'booting one protocol version low (at 11 instead of those networks' live 12)' and that fee-sensitive flows (shielded shield/unshield/transfer/withdraw) size their reserve off `Sdk::version()`. With the floor pinned at v10 for every network — and the previous runtime `fetch_max` clamp in `refresh_protocol_version` removed in this PR — the under-shoot window is strictly wider than before this PR.
  3. The surrounding doc comments (sdk.rs:56–61 and elsewhere) still describe a per-network hard lower bound and claim 'testnet boots directly at 12', which no longer matches the implementation.

  Either restore the per-network mapping the rest of the PR (description, tests, doc comments) was built around, or — if a single uniform floor is intentional — revise the PR title, description, tests, and re-evaluate the fee-under-reservation risk for non-mainnet networks before landing.

[github-actions]

✅ DashSDKFFI.xcframework built for this PR.

• Workflow run: https://github.com/dashpay/platform/actions/runs/27564694784
• Artifacts: DashSDKFFI.xcframework (folder), DashSDKFFI.xcframework.zip, xc_checksum.txt

SwiftPM (host the zip at a stable URL, then use):

.binaryTarget(
  name: "DashSDKFFI",
  url: "https://your.cdn.example/DashSDKFFI.xcframework.zip",
  checksum: "152b8b74e130dd3c7cee1e0d04f5e32707d038f622a1a73213616b4d08db220e"
)

Xcode manual integration:

• Download 'DashSDKFFI.xcframework' artifact from the run link above.
• Drag it into your app target (Frameworks, Libraries & Embedded Content) and set Embed & Sign.
• If using the Swift wrapper package, point its binaryTarget to the xcframework location or add the package and place the xcframework at the expected path.

[thepastaclaw]

Code Review

Carried-forward prior finding from 8b03937 is STILL VALID at head 42f75e0: min_protocol_version at packages/rs-sdk/src/sdk.rs:62-64 still ignores its Network argument and returns PROTOCOL_VERSION_10 for every network, directly contradicting the PR's own tests (test_min_protocol_version_mapping asserts v11/v12) and the PR's stated goal of booting mainnet at 11 and testnet/devnet/regtest at 12. The latest-push delta (rename of auto_detect_protocol_version to version_pinned and boolean polarity inversion) is mechanically clean and introduces no new latest-delta findings. Carried-forward: 1 blocking. New: 0.

1 carried-forward finding(s) already raised on this PR; not re-posting as new inline comments.

[thepastaclaw]

Code Review

Carried-forward prior finding from 42f75e0 is STILL VALID at 21ea0d9: min_protocol_version at sdk.rs:64-66 still returns PROTOCOL_VERSION_10 unconditionally with a TODO, while the PR description and title explicitly promise per-network floors (Mainnet→v11, Testnet/Devnet/Regtest→v12). The PR's central stated goal therefore is not implemented; unpinned testnet/devnet/regtest SDKs boot two versions below the live network protocol until the first proven metadata refresh, re-opening the fee-under-reservation window the PR was written to close. A secondary issue from the latest delta: build() no longer clamps caller-supplied with_initial_version against min_protocol_version, so once the per-network mapping is corrected, a sub-floor initial seed would still slip through (with_version pins remain intentionally exempt).

🔴 1 blocking | 🟡 1 suggestion(s)

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-sdk/src/sdk.rs`:
- [BLOCKING] packages/rs-sdk/src/sdk.rs:64-66: min_protocol_version still returns v10 for every network — PR's stated goal is not implemented
  Carried-forward prior finding, STILL VALID at this head. `min_protocol_version` ignores its `_network` argument and unconditionally returns `dpp::version::v10::PROTOCOL_VERSION_10` with a TODO deferring the real per-network mapping. The PR description explicitly commits Mainnet→`PROTOCOL_VERSION_11` and Testnet/Devnet/Regtest→`PROTOCOL_VERSION_12`, and frames the whole change as closing a fee-under-reservation window for shielded flows that size reserves from `Sdk::version()` before the first proven response.

  Consequences observable at this SHA:
  - `SdkBuilder::build()` (sdk.rs:1081-1084) seeds every unpinned network at v10. Testnet/devnet/regtest under-shoot the live floor by two versions instead of one, which is strictly worse than the cross-network constant the PR claims to have replaced.
  - `test_testnet_default_builder_boots_at_per_network_floor` (sdk.rs:1885-1897) asserts `sdk.protocol_version_number() == min_protocol_version(Network::Testnet)`. Because both sides resolve through the same function, the assertion is tautological and passes against any uniform floor; it does NOT verify the PR's stated invariant.
  - The PR description claims a `test_min_protocol_version_mapping` test guards the mapping, but no such test exists in this checkout.

  Until the per-network mapping is implemented and guarded by a literal-value test (e.g. `assert_eq!(min_protocol_version(Network::Testnet), PROTOCOL_VERSION_12)`), the surrounding refactor (refresh inlining, clamp removal, field rename) is cosmetic and the original regression remains.
- [SUGGESTION] packages/rs-sdk/src/sdk.rs:1081-1084: build() does not floor an explicit with_initial_version against the per-network minimum
  The PR description states: "`build()` floors per-network. `initial_protocol_version = self.version.protocol_version.max(min_protocol_version(self.network))`." The actual code uses `self.version.unwrap_or_else(...)`, so a caller invoking `with_initial_version(pv)` where `pv.protocol_version < min_protocol_version(self.network)` is NOT lifted to the floor. `with_version` pins remain intentionally exempt (sdk.rs:949-950, guarded by the pin-below-floor test), but `with_initial_version` is documented as a seed, not a pin — its docstring says auto-detect already starts at the per-network floor, so an explicit seed below the floor contradicts the documented contract. Once the blocking finding above is fixed, this gap is what allows a caller to re-open the under-reservation window. Pair the floor mapping fix with a `max()` clamp here.

[thepastaclaw]

Code Review

Carried-forward verification: prior finding #1 (flat v10 floor) and #2 (with_initial_version not floored) are both classified per the current PR contract — #1 is INTENTIONALLY DEFERRED (TODO at sdk.rs:65 explicitly tracks restoration; docs frame v10 as a seed for auto-detect) and #2 is OUTDATED (with the lowest known PV as the floor and with_initial_version documented as a deliberate auto-detect seed, no clamp is required). One new cumulative finding remains: the PR description promises eager refresh_protocol_version on every real init path (native, FFI dash_sdk_create*, WASM constructor), but the code at f7d9154 does not wire it into any of those paths — only the explicit caller-driven dash_sdk_refresh_protocol_version FFI symbol and Swift wrapper invoke it. Because this PR simultaneously lowers the mainnet floor from v11 to v10, the gap the PR claims to close is in fact widened for shielded fee-sensitive flows that compute reserves from Sdk::version() before the first proven response ratchets the atomic upward. The latest-push delta itself is test-only and reconciles assertions to the new flat floor and the no-clamp behavior; those test changes are correct.

🔴 1 blocking

1 additional finding(s) omitted (not in diff).

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-sdk/src/sdk.rs`:
- [BLOCKING] packages/rs-sdk/src/sdk.rs:1075-1199: Real SDK init paths return before the proven refresh runs, contradicting the PR's stated safety story
  The PR description justifies collapsing `min_protocol_version` to a flat `PROTOCOL_VERSION_10` (which is below mainnet's live `PROTOCOL_VERSION_12`) by stating that `refresh_protocol_version()` is invoked eagerly on every real init path — native, the FFI `dash_sdk_create*` entry points (via the FFI runtime), and the WASM constructor — so the version is correct before the first real query. That wiring is not present at this head:

  - `SdkBuilder::build()` (sdk.rs:1075-1199) is synchronous; it seeds the atomic with `min_protocol_version` (v10) and returns without invoking refresh.
  - `dash_sdk_create`, `dash_sdk_create_extended`, `dash_sdk_create_trusted`, and `dash_sdk_create_with_callbacks` in `packages/rs-sdk-ffi/src/sdk.rs` all return immediately after `builder.build()` without `runtime.block_on(wrapper.sdk.refresh_protocol_version())`. Only the standalone, caller-driven `dash_sdk_refresh_protocol_version` symbol calls it.
  - `WasmSdkBuilder::build()` (packages/wasm-sdk/src/sdk.rs:315) just calls `self.inner.build()` and returns the wrapper.

  Auto-detect via `verify_response_metadata` → `maybe_update_protocol_version` still ratchets the version after the first proven response, but it cannot help any code path that reads `Sdk::version()` before that first response — which is exactly the pre-query window the PR cites for shielded shield/unshield/transfer/withdraw fee reserves. Before this PR, mainnet seeded at v11, so the gap to a v12 network was one version; with v10 as the new floor and no eager refresh wired, the gap is two versions on first use.

  Either wire `refresh_protocol_version` into the real init paths as the description promises (e.g. an async `build_and_refresh` on `SdkBuilder` plus `runtime.block_on(refresh)` after `builder.build()` in each `dash_sdk_create*` and an `await` in `WasmSdkBuilder::build`), or restore a higher per-network floor (the prior behavior) and amend the description to make clear that eager refresh on init is the caller's responsibility on the FFI/WASM paths. Shipping a v10 floor with the eager-refresh story un-wired is the worst combination for the fee-reserve regression the PR is meant to address.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.23%. Comparing base (83fc8c3) to head (ec3d164).
⚠️ Report is 2 commits behind head on v3.1-dev.

Additional details and impacted files

@@              Coverage Diff              @@
##           v3.1-dev    #3900       +/-   ##
=============================================
+ Coverage     72.78%   87.23%   +14.44%     
=============================================
  Files            22     2643     +2621     
  Lines          3054   328910   +325856     
=============================================
+ Hits           2223   286918   +284695     
- Misses          831    41992    +41161     

Components	Coverage Δ
dpp	87.70% <ø> (∅)
drive	86.14% <ø> (∅)
drive-abci	89.45% <ø> (∅)
sdk	∅ <ø> (∅)
dapi-client	∅ <ø> (∅)
platform-version	∅ <ø> (∅)
platform-value	92.20% <ø> (∅)
platform-wallet	∅ <ø> (∅)
drive-proof-verifier	49.55% <ø> (∅)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[thepastaclaw]

Code Review

Latest push (0771206 'chore: initial version 11') bumps min_protocol_version from PV10 to PV11 in sdk.rs:65, but the integration test sdk_builder_default_seeds_atomic_to_floor in tests/fetch/document_query_v0_v1.rs:229 still asserts PROTOCOL_VERSION_10 — CI will fail deterministically. The PR description also still describes the floor as PV10, so code, test, and description are three-way out of sync. Prior finding about real init paths not running refresh_protocol_version is INTENTIONALLY DEFERRED per the updated PR body, which scopes refresh-on-init wiring to #3902 and keeps native rs-sdk caller-driven.

🔴 1 blocking

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-sdk/tests/fetch/document_query_v0_v1.rs`:
- [BLOCKING] packages/rs-sdk/tests/fetch/document_query_v0_v1.rs:226-230: Floor bumped to PV11 but integration test still asserts PV10 — CI will fail
  Commit 077120681 raised `min_protocol_version()` in `packages/rs-sdk/src/sdk.rs:65` from `PROTOCOL_VERSION_10` to `PROTOCOL_VERSION_11`. `SdkBuilder::new_mock()` defaults to `Network::Mainnet` and `build()` (sdk.rs:1081-1084, 1178) seeds the atomic from `min_protocol_version(self.network)`, so `sdk_default.version().protocol_version` is now 11. But this test still hard-codes the assertion to `dpp::version::v10::PROTOCOL_VERSION_10`, so the assertion will fail every run under `cargo test -p dash-sdk --features mocks`.

  The in-crate refresh test `test_refresh_ratchets_up_via_proven_query` was updated in this same delta to use `super::min_protocol_version(Network::Mainnet)` (floor-agnostic), but the equivalent external test here was missed. The comment immediately above the assertion (lines 222-225) explicitly says "We assert against the actual floor constant rather than a hardcoded integer so the test survives future floor bumps" — yet the assertion below it does the opposite by binding to the `PROTOCOL_VERSION_10` symbol.

  Note that the PR description still describes the floor as `PROTOCOL_VERSION_10` and lists this exact test as already reconciled to `== 10`; that text is stale relative to the head being reviewed. The PR author should either (a) revert the floor bump in sdk.rs:65 back to PV10 and keep the test as-is to match the stated contract, or (b) keep the bump, update the test to PV11, and reconcile the PR description. Because `min_protocol_version` is private to `sdk.rs`, the cleanest in-scope fix if keeping PV11 is to assert against `dpp::version::v11::PROTOCOL_VERSION_11`. A more durable fix (worth a follow-up) would expose the floor via a `pub` accessor so `tests/` files can track future floor bumps automatically.

[thepastaclaw]

Code Review

Prior PV10/PV11 test-assertion finding is FIXED at head 1976b6b. No new blocking issues in the 0771206..1976b6b delta. Remaining items are documentation staleness — several doc-comments and one test name still describe the protocol-version floor as 'per-network' even though min_protocol_version now returns a flat PV11 baseline — plus a minor API hygiene nit that refresh_protocol_version returns a Result that is always Ok.

💬 2 nitpick(s)

[thepastaclaw]

Code Review

Cumulative review of the rs-sdk protocol-version floor/pinning/refresh refactor at 02b63c5. The per-network floor is correctly restored (Mainnet→PV11, Testnet/Devnet/Regtest→PV12), version_pinned polarity is consistent, the proven-only refresh path is sound, and tests cover floor seeding, sub-floor pin preservation, upward ratchet, and non-fatal refresh failure. Remaining items are documentation/API-shape nitpicks around the newly public surface and the always-Ok refresh signature.

💬 4 nitpick(s)

1 additional finding(s) omitted (not in diff).

1 carried-forward finding(s) already raised on this PR; not re-posting as new inline comments.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/rs-sdk/src/sdk.rs (1)

374-376: ⚠️ Potential issue | 🔴 Critical

Call fetch_current_with_metadata_and_proof() explicitly to honor refresh's proven-only contract.

The documentation states refresh_protocol_version issues a "proven" query, but the implementation calls ExtendedEpochInfo::fetch_current(), which routes through the generic fetch_with_metadata() → fetch_with_metadata_and_proof() path that honors sdk.query_settings(). This means refresh can consume unproven metadata when the SDK is configured with with_proofs(false). Either call fetch_current_with_metadata_and_proof() directly to enforce proven-only semantics, or update the documentation to reflect that refresh follows the SDK's proof setting.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/rs-sdk/src/sdk.rs` around lines 374 - 376, In the
refresh_protocol_version method, replace the call to
ExtendedEpochInfo::fetch_current() with
ExtendedEpochInfo::fetch_current_with_metadata_and_proof() to explicitly enforce
the proven-only contract that the documentation claims for refresh operations,
ensuring that refresh always uses proven metadata regardless of the SDK's
general query_settings configuration.

🧹 Nitpick comments (1)

packages/rs-sdk/src/sdk.rs (1)

1088-1188: ⚡ Quick win

Run rustfmt on the builder construction block.

This changed block has several non-rustfmt forms (let sdk=, Sdk{, inner:SdkInstance, extra spaces in calls). Please format before merge.

As per coding guidelines, Rust files should be formatted with cargo fmt --all, follow rustfmt defaults, and use 4-space indentation.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/rs-sdk/src/sdk.rs` around lines 1088 - 1188, Run cargo fmt on the
SDK builder construction block in packages/rs-sdk/src/sdk.rs to fix formatting
inconsistencies. The block contains several non-rustfmt formatting issues in the
Sdk struct initialization (lines 1088-1188), including missing spaces around
operators in variable assignments (let sdk=), improper spacing in struct field
initialization (Sdk{, inner:SdkInstance), and inconsistent spacing in method
calls. Execute cargo fmt --all to automatically reformat this section to comply
with rustfmt defaults and 4-space indentation standards.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@packages/rs-sdk/src/sdk.rs`:
- Around line 374-376: In the refresh_protocol_version method, replace the call
to ExtendedEpochInfo::fetch_current() with
ExtendedEpochInfo::fetch_current_with_metadata_and_proof() to explicitly enforce
the proven-only contract that the documentation claims for refresh operations,
ensuring that refresh always uses proven metadata regardless of the SDK's
general query_settings configuration.

---

Nitpick comments:
In `@packages/rs-sdk/src/sdk.rs`:
- Around line 1088-1188: Run cargo fmt on the SDK builder construction block in
packages/rs-sdk/src/sdk.rs to fix formatting inconsistencies. The block contains
several non-rustfmt formatting issues in the Sdk struct initialization (lines
1088-1188), including missing spaces around operators in variable assignments
(let sdk=), improper spacing in struct field initialization (Sdk{,
inner:SdkInstance), and inconsistent spacing in method calls. Execute cargo fmt
--all to automatically reformat this section to comply with rustfmt defaults and
4-space indentation standards.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9cf04fbc-1d25-4ef4-bb0b-61768eb95e08

📥 Commits

Reviewing files that changed from the base of the PR and between 1976b6b and 23832dc.

📒 Files selected for processing (2)

• packages/rs-sdk/src/sdk.rs
• packages/rs-sdk/tests/fetch/document_query_v0_v1.rs

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/rs-sdk/tests/fetch/document_query_v0_v1.rs

[thepastaclaw]

Code Review

Cumulative reconciliation against the prior reviewed commit 02b63c5. The PR's behavioral core — version_pinned unification, per-network seed via min_protocol_version, no construction-time clamp, and the inlined refresh_protocol_version ratchet — is sound and well-tested. All five prior nitpicks remain unaddressed in the new HEAD (23832dc); they are carried forward verbatim per verifier policy. One additional nit (truncated test rustdoc) is added. No blocking issues; review action is COMMENT.

💬 2 nitpick(s)

1 additional finding(s) omitted (not in diff).

4 carried-forward finding(s) already raised on this PR; not re-posting as new inline comments.

[thepastaclaw]

Code Review

Cumulative reconciliation against prior reviewed commit 23832dc. The 23832dc..2dc43e1 delta is dominated by a v3.1-dev merge bringing in unrelated work (swift-sdk, rs-sdk-ffi signer preflight, KeyDisableGate) that does not touch the PR-owned protocol-version surface. All six prior nitpicks were re-verified against the current HEAD and remain present verbatim; none are addressed. The behavioral core (version_pinned unification, per-network seed via min_protocol_version, removal of the construction-time clamp, inlined best-effort refresh) remains sound and well-tested. No blocking issues — review action COMMENT.

💬 3 nitpick(s)

1 additional finding(s) omitted (not in diff).

3 carried-forward finding(s) already raised on this PR; not re-posting as new inline comments.

[thepastaclaw]

Code Review

Cumulative verifier review of PR #3900 at 5b0f41d. Latest delta (single rustdoc fix on test_explicit_pin_below_floor_is_preserved) resolves prior finding F6. Four prior nitpicks on rustdoc accuracy after with_initial_version became public and the construction-time clamp was removed remain STILL VALID and are carried forward. One new codex-rust-quality finding (refresh_protocol_version may panic under proofs=false via ExtendedEpochInfo::fetch_current) is preserved as a suggestion. F5 (collapse three non-mainnet match arms) is dropped as out-of-scope style polish. No blocking issues; PR core (version_pinned unification, removed post-build clamp, per-network floor restoration) is coherent and well-tested.

🟡 1 suggestion(s) | 💬 1 nitpick(s)

3 carried-forward finding(s) already raised on this PR; not re-posting as new inline comments.

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-sdk/src/sdk.rs`:
- [SUGGESTION] packages/rs-sdk/src/sdk.rs:375-384: refresh_protocol_version may panic when SDK is built with proofs disabled
  codex-rust-quality flagged that `ExtendedEpochInfo::fetch_current(self)` flows into `LimitQuery<EpochQuery>::query`, which on proofs-disabled SDKs hits `unimplemented!("queries without proofs are not supported yet")`. The refresh path documents itself as best-effort and non-fatal, so a panic on a supported builder configuration would violate that contract. Verify the proofs=false path: if it does panic, gate it behind an early return that either no-ops (preserving the stored version) or returns a typed error via the existing Result channel.

[thepastaclaw]

Code Review

Latest delta (rustdoc-only on min_protocol_version, with_initial_version, and Sdk::version) resolves the prior floor/seed precision findings (prior-3, prior-4). Three carried-forward prior findings remain valid against head 0d7697b: refresh_protocol_version still panics via unimplemented! when the SDK is built with proofs disabled, its Result<u32, Error> shape still never produces Err, and Sdk::version()'s rustdoc still omits the now-public with_initial_version seed path. One new related nit: parse_proof_with_metadata_and_proof's bootstrap-limit rustdoc still references latest() as the seed, which no longer matches the per-network floor seed used in practice.

💬 1 nitpick(s)

1 additional finding(s) omitted (not in diff).

3 carried-forward finding(s) already raised on this PR; not re-posting as new inline comments.

[thepastaclaw]

Code Review

Incremental review against head 54b8cc7. Latest delta (0d7697b..54b8cc7) is documentation-only (Swift SwiftExampleApp TEST_PLAN.md removing TOK-17) and does not touch the rs-sdk protocol-version refactor. All four prior findings remain valid against the current sdk.rs and are carried forward unchanged; no new in-scope issues were introduced.

💬 1 nitpick(s)

1 additional finding(s) omitted (not in diff).

3 carried-forward finding(s) already raised on this PR; not re-posting as new inline comments.

[thepastaclaw]

Code Review

Incremental review at 33a69c6 reconciles four prior findings: the proofs-disabled refresh panic is fixed via the early-return guard, the Sdk::version() rustdoc now references with_initial_version, and the parse_proof_with_metadata_and_proof bootstrap doc is reframed around the per-network floor seed. The single carried-forward concern is API-shape: refresh_protocol_version still returns Result<u32, Error> while every branch (proofs-off, pinned, fetch error) returns Ok. New verified concerns are a missing test for the new proofs-off no-op branch and minor doc gaps (the parse_proof bootstrap doc still omits the with_initial_version seed path, and several public rustdoc links target the now-module-private min_protocol_version).

🟡 1 suggestion(s) | 💬 2 nitpick(s)

1 additional finding(s) omitted (not in diff).

1 carried-forward finding(s) already raised on this PR; not re-posting as new inline comments.

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-sdk/src/sdk.rs`:
- [SUGGESTION] packages/rs-sdk/src/sdk.rs:380-395: New proofs-disabled refresh branch has no test
  The `!self.prove()` early-return at lines 381–383 is the regression-fix the latest delta adds to prevent `refresh_protocol_version` from panicking on a `with_proofs(false)` SDK. The two other branches of this method each have a dedicated unit test in this file (`test_refresh_leaves_pinned_sdk_unchanged` for the pinned arm and `test_refresh_query_unavailable_keeps_current_version` for the fetch-error arm), but the proofs-disabled arm — the exact configuration this commit is in the tree to protect — is not asserted. Adding a tokio test that builds `SdkBuilder::new_mock().with_proofs(false).build()`, calls `refresh_protocol_version()`, and asserts the seeded version is returned without recording any mock expectation would pin the documented contract ("On a proofs-disabled SDK … this is a no-op") so a future refactor cannot silently re-introduce the panic by inverting or removing the guard.

[thepastaclaw]

Code Review

Cumulative review for the rs-sdk protocol-version refactor at ec3d164. The latest delta (33a69c6..ec3d164) is a v3.1-dev merge bringing only Swift example-app work (PR #3926); no new Rust changes were introduced. All four prior in-scope findings remain unresolved in the current head and are carried forward unchanged. None are blocking — the only behavioral one (Result with no Err path) is a public-API shape concern best fixed now before #3902 wires this signature into FFI/WASM. Overflow: none (4 of 10 budget used).

💬 1 nitpick(s)

1 additional finding(s) omitted (not in diff).

3 carried-forward finding(s) already raised on this PR; not re-posting as new inline comments.