Reviewing files that changed from the base of the PR and between 4cfb520 and 8dfe537.

• src/Makefile.am (4 hunks)
• src/active/context.cpp (1 hunks)
• src/active/context.h (1 hunks)
• src/active/notificationinterface.cpp (1 hunks)
• src/active/notificationinterface.h (1 hunks)
• src/chainlock/chainlock.cpp (1 hunks)
• src/chainlock/chainlock.h (2 hunks)
• src/coinjoin/coinjoin.cpp (0 hunks)
• src/coinjoin/coinjoin.h (1 hunks)
• src/coinjoin/context.cpp (1 hunks)
• src/coinjoin/context.h (1 hunks)
• src/coinjoin/server.cpp (9 hunks)
• src/coinjoin/server.h (2 hunks)
• src/dsnotificationinterface.cpp (1 hunks)
• src/dsnotificationinterface.h (0 hunks)
• src/governance/governance.cpp (25 hunks)
• src/governance/governance.h (9 hunks)
• src/governance/object.cpp (1 hunks)
• src/governance/object.h (1 hunks)
• src/governance/signing.cpp (1 hunks)
• src/governance/signing.h (1 hunks)
• src/governance/vote.cpp (0 hunks)
• src/governance/vote.h (0 hunks)
• src/init.cpp (8 hunks)
• src/instantsend/instantsend.cpp (1 hunks)
• src/instantsend/instantsend.h (2 hunks)
• src/llmq/context.cpp (1 hunks)
• src/llmq/context.h (0 hunks)
• src/llmq/ehf_signals.cpp (1 hunks)
• src/llmq/ehf_signals.h (2 hunks)
• src/masternode/node.cpp (1 hunks)
• src/masternode/node.h (3 hunks)
• src/masternode/sync.cpp (2 hunks)
• src/net.cpp (2 hunks)
• src/net.h (4 hunks)
• src/net_processing.cpp (9 hunks)
• src/net_processing.h (2 hunks)
• src/node/context.cpp (1 hunks)
• src/node/context.h (2 hunks)
• src/node/interfaces.cpp (2 hunks)
• src/rpc/coinjoin.cpp (2 hunks)
• src/rpc/governance.cpp (3 hunks)
• src/test/coinjoin_queue_tests.cpp (1 hunks)
• src/test/denialofservice_tests.cpp (5 hunks)
• src/test/net_peer_connection_tests.cpp (2 hunks)
• src/test/util/setup_common.cpp (2 hunks)
• src/util/system.cpp (0 hunks)
• src/util/system.h (0 hunks)
• src/version.h (0 hunks)
• src/wallet/coinjoin.cpp (0 hunks)
• test/functional/feature_governance.py (2 hunks)
• test/functional/feature_governance_cl.py (2 hunks)
• test/functional/test_framework/p2p.py (1 hunks)
• test/lint/lint-circular-dependencies.py (1 hunks)
• test/util/data/non-backported.txt (1 hunks)

• src/util/system.h
• src/util/system.cpp
• src/wallet/coinjoin.cpp
• src/version.h
• src/governance/vote.cpp
• src/llmq/context.h
• src/coinjoin/coinjoin.cpp
• src/dsnotificationinterface.h
• src/governance/vote.h

• GitHub Check: x86_64-w64-mingw32 / Build depends
• GitHub Check: x86_64-pc-linux-gnu_nowallet / Build depends
• GitHub Check: x86_64-apple-darwin / Build depends
• GitHub Check: x86_64-pc-linux-gnu_multiprocess / Build depends
• GitHub Check: x86_64-pc-linux-gnu / Build depends
• GitHub Check: arm-linux-gnueabihf / Build depends

test/functional/feature_governance_cl.py (1)

112-114: Make waits bounded and align mocktime bump with governance relay tick
At lines 112–114 and 124–126, add an explicit timeout (e.g. 15 s) to your wait_until calls and replace the hard-coded bump_mocktime(10) with the governance relay thread’s scheduling interval. I couldn’t find the relay tick constant in the code—please verify its definition and update these calls accordingly.

test/lint/lint-circular-dependencies.py (1)

25-27: Install missing dependency or update cycle-check script
The cycle-detection script errors with “No module named ‘multiprocess’”. To validate current circular dependencies, either:

• Run pip3 install multiprocess before rerunning the script.
• Or edit contrib/devtools/circular-dependencies.py to use the standard library:

  # replace this line
  from multiprocess import Pool
  # with this
  from multiprocessing import Pool

Then re-run:

cd src
python3 ../contrib/devtools/circular-dependencies.py $(git ls-files '*.h' '*.cpp') | sed 's/^Circular dependency: //'

src/net.h (1)

1197-1198: Plumbed m_active_masternode into Options/Init — LGTM

Initialization copies the flag; usage can gate MN-only behavior elsewhere.

Also applies to: 1235-1236

src/chainlock/chainlock.h (1)

69-71: All CChainLocksHandler constructor call sites updated.

src/chainlock/chainlock.cpp (1)

46-48: All CChainLocksHandler constructor calls updated to new signature Verified that the only instantiation in llmq/context.cpp now matches the updated parameters (chainstate, qman, sigman, sporkman, mempool, mn_sync) and no callers pass _shareman or is_masternode anymore.

src/instantsend/instantsend.h (1)

92-95: Confirm CInstantSendManager constructor call sites updated
Removed CSigSharesManager& and is_masternode; verify all instantiations (global definitions and any new calls) use the updated signature.

src/instantsend/instantsend.cpp (3)

62-63: LGTM: initializer list update.

m_mn_sync{mn_sync} matches the new ownership model.

---

52-55: Constructor signature updated—verify all instantiation sites
Definitions in instantsend.h/.cpp now accept only CSigningManager and drop _shareman/is_masternode, but no instantiations of CInstantSendManager were found by grep—manually confirm all call sites (e.g. in active/context.cpp) are updated to the new signature.

---

919-953: Signer lifecycle correctly ordered; no gating required
ConnectSigner is invoked in ActiveContext before any Start() calls (LLMQContext::Start), and DisconnectSigner occurs in ActiveContext destructor after LLMQContext::Stop; the original suggestion is not needed.

Likely an incorrect or invalid review comment.

test/functional/test_framework/p2p.py (1)

157-157: Approve v2 headers handler wiring
Mappings for getheaders2/headers2/sendheaders2 correctly align with on_getheaders2/on_headers2/on_sendheaders2 and their message classes.

src/node/context.cpp (1)

7-7: Include of ActiveContext is appropriate.

Matches the header’s new std::unique_ptr<ActiveContext> member usage.

src/net.cpp (2)

1974-1978: Update tests to use m_active_masternode Replace any fMasternodeMode toggles in tests with toggles of CConnman::m_active_masternode (or its new accessor) to preserve inbound‐gating behavior coverage.

---

1804-1821: m_active_masternode initialization verified: Options::m_active_masternode defaults to false (net.h 1197), is set from node.mn_activeman in init.cpp 2444, and propagated to CConnman::m_active_masternode in Init (net.h 1235); there are no other assignments or dynamic updates, so eviction protection semantics align with the legacy fMasternodeMode.

src/rpc/coinjoin.cpp (1)

5-5: New include dependency is fine.

No issues.

src/masternode/node.cpp (1)

279-285: SignBasic helper is a clean addition.

Good: lock assertions, non-legacy scheme, and returning serialized bytes.

src/test/net_peer_connection_tests.cpp (1)

88-92: PeerManager::make call updated with active_ctx parameter.

Signature update is correct; passing nullptr here is expected in unit tests.

src/test/coinjoin_queue_tests.cpp (1)

36-39: Test updated to use CActiveMasternodeManager::SignBasic.

Matches the new API; verification via CheckSignature(pub) is intact.

src/net_processing.h (2)

28-31: Forward-declare ActiveContext: OK.

No header include needed; forward decl suffices.

---

58-67: PeerManager::make signature update validated
All call sites (src/init.cpp and all tests) pass the new active_ctx argument, and no unguarded active_ctx-> dereferences were found in net_processing.cpp.

src/test/util/setup_common.cpp (1)

346-349: CJContext ctor change (added relay_txes): test wiring OK.

Passing true makes sense for tests.

src/llmq/ehf_signals.h (2)

16-16: Namespace formatting change only.

No action needed.

---

44-45: All CEHFSignalsHandler::UpdatedBlockTip invocations updated
No remaining call site passes the removed is_masternode flag.

src/node/context.h (2)

34-34: Forward declaration looks correct.

struct ActiveContext; here avoids a heavy include in the header. Good.

---

80-95: Verify destruction order and inclusion for incomplete type.

Because active_ctx is a unique_ptr to an incomplete type in this header, ensure the out-of-line ~NodeContext() is defined in a TU that includes active/context.h. Also confirm that active_ctx being destroyed before managers is intended (members destroy in reverse order of declaration).

src/masternode/sync.cpp (2)

127-132: Behavior tweak on inactivity reset—confirm intent.

Reset now only when not a masternode (!connman.IsActiveMasternode()). This mirrors !fMasternodeMode, but please confirm we don’t want to reset when we are an active MN that slept >1h.

---

160-160: Inbound skip guard switched to IsActiveMasternode().

Condition now skips inbound when we’re an active MN. Looks right; just verify no unintended side effects for non-MN nodes.

test/functional/feature_governance.py (2)

320-322: Log expectation updated—double-check exact message.

Make sure the governance code actually emits "VoteGovernanceTriggers --" on this path; otherwise this assertion will flake.

---

354-357: Mocktime bumps increased—OK.

Increasing to 10s aligns with new timing; no issues.

Also applies to: 361-362, 369-370, 375-376

src/Makefile.am (1)

138-140: Build wiring for ActiveContext/Notification/GovernanceSigner looks consistent.

Headers and sources are added in the right places. Please confirm new headers use the standard BITCOIN_*-style include guards and have the MIT header.

Also applies to: 213-216, 456-458, 497-497

src/test/denialofservice_tests.cpp (1)

23-24: Include ActiveContext header—good.

Needed for the extended PeerManager::make signature.

src/active/notificationinterface.cpp (1)

21-24: Remove the suggested null checks—these pointers can’t be null
Both ehf_sighandler and gov_signer are declared as const std::unique_ptr<…> in ActiveContext (context.h) and are unconditionally initialized via std::make_unique in its constructor (src/active/context.cpp:31–32), so neither can ever be null at runtime.

Likely an incorrect or invalid review comment.

src/governance/object.cpp (2)

244-250: Formatting nits—CI flagged clang-format drift.

CI reports clang-format differences around this hunk. Please run ./contrib/devtools/clang-format-diff.py -p1.

---

5-22: No lingering CGovernanceObject::Sign/Relay references. Searches confirmed zero occurrences; old API hooks have been fully removed.

src/rpc/governance.cpp (3)

456-459: Good: dropped PeerManager from ProcessVoteAndRelay call

Passing only (vote, exception, connman) aligns with the refactor and simplifies RPC paths.

---

399-399: No action needed: AddGovernanceObject always enqueues for relay and returns void — it never returns a status but, after validity checks, unconditionally appends to m_relay_invs (src/governance/governance.cpp ln 385).

---

960-966: ProcessVoteAndRelay behavior verified
ProcessVoteAndRelay only uses connman to request missing objects in the orphan-vote path, and since ProcessVote returns false for already seen votes, each vote is enqueued exactly once for relay.

src/active/notificationinterface.h (1)

30-31: g_active_notification_interface lifecycle ordering is correct
Constructed in init.cpp (lines 2169–2175) before its RegisterValidationInterface call and unregistered/reset in init.cpp (lines 325–327) prior to UnregisterAllValidationInterfaces (line 394).

src/llmq/context.cpp (1)

37-40: Verified constructor parameters and usages match updated signatures. Context.cpp’s CChainLocksHandler and CInstantSendManager instantiations align with their headers, and no obsolete call sites were found.

src/governance/object.h (1)

217-219: SetSignature API: avoid copies and enforce type/size

• Change SetSignature to accept a dedicated BLS signature type or a Span<const uint8_t> instead of std::vector<uint8_t> to enforce compile-time type and size guarantees.
• Inside SetSignature, acquire the class mutex (cs) and perform a cheap runtime check that sig.size() matches the expected BLS signature length.

Diff options:

-    void SetSignature(const std::vector<uint8_t>& sig);
+class CBLSSignature;
+    void SetSignature(const CBLSSignature& sig);

or

-    void SetSignature(const std::vector<uint8_t>& sig);
+#include <span.h>
+    void SetSignature(Span<const uint8_t> sig);

Current rg search for CGovernanceObject::(Sign|Relay) returned no matches—please manually verify that no callers remain before removing those methods.

src/coinjoin/context.cpp (2)

10-10: Include looks appropriate.

coinjoin/coinjoin.h is a reasonable dependency here and matches the new wiring.

---

22-23: LGTM: dstxman ownership and construction are clear.

src/active/context.cpp (2)

35-37: Balanced ConnectSigner calls — good.

Connects CL and IS signers after successful construction of all members; avoids partial-init pitfalls.

---

24-28: No change needed—ctor signature includes clhandler as second parameter.
The InstantSendSigner constructor is declared in src/instantsend/signing.h (lines 72–75) as

InstantSendSigner(CChainState& chainstate,
                  llmq::CChainLocksHandler& clhandler,
                  InstantSendSignerParent& isman,
                  llmq::CSigningManager& sigman,
                  llmq::CSigSharesManager& shareman,
                  llmq::CQuorumManager& qman,
                  CSporkManager& sporkman,
                  CTxMemPool& mempool,
                  const CMasternodeSync& mn_sync);

so passing *llmq_ctx.clhandler in that position is correct.

Likely an incorrect or invalid review comment.

src/dsnotificationinterface.cpp (1)

93-93: Governance UpdatedBlockTip decoupling LGTM.

Calling m_govman.UpdatedBlockTip(pindexNew) aligns with moving relay into an internal periodic thread and drops peerman/mn_activeman coupling.

src/coinjoin/server.cpp (2)

337-345: LGTM: switch to SignBasic and reference-based activeman.

The DSTX construction and signature assignment via SignBasic look correct, and the relay path now uses PeerManager by reference.

---

685-701: LGTM: guard against starting a new session when one is active.

The early return on non-zero nSessionID is a good correctness check.

src/coinjoin/context.h (2)

36-44: Ensure full types are included in the TU where the dtor is defined
The out-of-line CJContext::~CJContext() definition (context.cpp:25) is correct; confirm that context.cpp includes the headers for CoinJoinWalletManager, CCoinJoinClientQueueManager (under ENABLE_WALLET), and CDSTXManager so the unique_ptr members refer to complete types at destruction.

---

33-35: All CJContext call sites use the new signature and no CConnman/PeerManager references remain.

src/net_processing.cpp (1)

590-603: Ensure ActiveContext reference lifetime

PeerManagerImpl binds a const std::unique_ptr<ActiveContext>& m_active_ctx to node.active_ctx. Verify that init.cpp wiring:

• Constructs node.active_ctx before any PeerManagerImpl methods that dereference it (Step 7d runs after PeerManager::make).
• Never calls into ActiveContext after node.active_ctx.reset()—shutdown resets node.active_ctx before node.peerman.reset(), so confirm PeerManagerImpl’s destructor and scheduled tasks don’t use it post-reset.

Also apply the same check for CJContext and LLMQContext (lines 792–799).

src/governance/signing.h (2)

36-41: API surface looks good; keep private helpers private.

Minimal public API (UpdatedBlockTip) and friend CGovernanceManager align with goals. No issues.

Also applies to: 44-53

---

40-41: No action required: destructor is defined in signing.cpp (L36).

src/governance/signing.cpp (1)

21-21: Fix chrono literal: 2h requires C++14 chrono literals or a safer construction.

constexpr std::chrono::seconds GOVERNANCE_FUDGE_WINDOW{2h}; won’t compile unless chrono literals are brought into scope. Prefer explicit construction to avoid global using:

Apply:

-constexpr std::chrono::seconds GOVERNANCE_FUDGE_WINDOW{2h};
+constexpr std::chrono::seconds GOVERNANCE_FUDGE_WINDOW{std::chrono::hours{2}};

Also ensure <chrono> is included (see include comment below).

⛔ Skipped due to learnings

Learnt from: kwvg
PR: dashpay/dash#6815
File: src/chainlock/chainlock.h:68-69
Timestamp: 2025-08-13T16:10:32.972Z
Learning: The Dash codebase extensively uses std::chrono_literals throughout, including in header files. Chrono literals like 0s, 1min, etc. are acceptable and preferred over explicit constructors like std::chrono::seconds::zero().

Learnt from: kwvg
PR: dashpay/dash#6815
File: src/chainlock/chainlock.h:68-69
Timestamp: 2025-08-13T16:10:32.972Z
Learning: The Dash codebase extensively uses std::chrono_literals throughout, including in header files. The pattern using namespace std::chrono_literals; is used globally in src/util/time.h, and chrono literals like 0s are commonly used for atomic member initialization in headers (e.g., src/net.h). Chrono literals like 0s, 1min, etc. are preferred over explicit constructors.

src/governance/governance.h (4)

247-260: Relay-thread fields look good; ensure lifecycle is safe.

New cs_relay, m_relay_interrupt, m_relay_thread, and m_relay_invs are fine. Please verify Stop() interrupts and joins m_relay_thread, and destructor does not rely on implicit join.

Would you like me to scan governance.cpp for Start/Stop to confirm proper join() and no lock inversions with cs/cs_relay?

---

267-269: Explicit Start/Stop API: good separation.

Starting/stopping the internal relay thread via CGovernanceManager::Start/Stop is a clean decoupling from PeerManager.

---

284-286: Thread-safety annotation change: ok, but check call sites.

Marking methods EXCLUSIVE_LOCKS_REQUIRED(!cs_relay) is sensible. Please ensure no call sites hold cs_relay when calling these; otherwise TSAN will complain.

I can generate a repo-wide grep to spot any calls from inside cs_relay critical sections if helpful.

---

329-333: ProcessVoteAndRelay/CheckPostponedObjects gating on !cs_relay: consistent.

API simplification (dropping PeerManager param) is fine and lock annotations are coherent.

src/init.cpp (8)

271-272: Stopping governance on shutdown: good.

Calling node.govman->Stop() in PrepareShutdown ensures the relay thread is joined before destruction.

---

325-333: Orderly teardown of ActiveContext/notifications: good.

Unregister then reset is correct; avoids callbacks into freed objects.

---

1707-1709: Creation point of CActiveMasternodeManager: OK; initialization deferred.

Instantiation before ThreadImport is fine; just ensure Init() is invoked later (it is in load thread).

---

2149-2154: PeerManager::make now takes ActiveContext: verify nullability.

At this point node.active_ctx is still null (created in Step 7d). Ensure PeerManager::make treats it as optional and does not dereference it.

Do you want a quick scan of net_processing.{h,cpp} to confirm it’s guarded or uses a weak/optional pointer?

---

2167-2176: ActiveContext/ActiveNotificationInterface creation and registration: solid.

Asserts and registration order look right.

---

2282-2284: Governance relay thread start timing: good.

govman->Start(*peerman) only when valid and after peerman is ready — correct.

---

2288-2289: CoinJoin server maintenance scheduling: ensure active_ctx non-null.

Guarded by if (node.mn_activeman); active_ctx exists in the same branch — good.

---

2444-2445: Propagate active-masternode flag to CConnman: good.

This helps downstream feature gating.

src/governance/governance.cpp (29)

27-27: LGTM! Good addition of thread utilities.

The inclusion of util/thread.h is appropriate given the new relay thread implementation.

---

34-37: LGTM! Proper use of chrono-based constants.

The replacement of raw integer constants with proper chrono types improves type safety and code clarity. The values and naming are appropriate for their usage in governance timing logic.

---

57-59: LGTM! Standard defaulted constructors.

The defaulted constructor and destructor are appropriate for the GovernanceStore class.

---

69-69: LGTM! Constructor parameter update is consistent.

The change from reference to unique_ptr parameter is consistent with the AI summary and maintains proper ownership semantics.

---

79-98: LGTM! Well-implemented relay thread initialization.

The Start method properly initializes the governance relay thread with:

• Proper thread safety with interrupt mechanism
• Appropriate sync checks before relaying
• Clean queue processing with contention reduction
• Named thread for debugging ("govrelay")

---

100-106: LGTM! Clean shutdown implementation.

The Stop method properly handles thread cleanup with interrupt and join semantics.

---

161-166: LGTM! Proper thread-safe postponed object handling.

The method correctly adds objects to both the postponed objects map and the relay queue while maintaining thread safety with proper lock assertions.

---

168-169: LGTM! Simplified ProcessMessage signature.

The updated signature with 4 parameters is cleaner and consistent with the new relay model described in the AI summary.

---

171-171: Good defensive programming with lock assertion.

The lock assertion ensures thread safety for the relay mechanism.

---

263-263: LGTM! Consistent parameter update.

The addition of the peer parameter to AddGovernanceObject is consistent with the new signature.

---

297-297: LGTM! Proper inventory handling.

Using emplace_back with the inventory vector is more efficient than previous approaches.

---

312-314: LGTM! Proper lock assertion for thread safety.

The lock assertion ensures the relay queue is properly protected.

---

330-330: LGTM! Consistent relay queue usage.

The vote relay is properly queued using the new relay mechanism.

---

339-341: LGTM! Updated method signature with proper lock assertion.

The method signature update and lock assertion are consistent with the new relay model.

---

385-385: LGTM! Governance object relay queuing.

The governance object is properly added to the relay queue using the new mechanism.

---

394-394: LGTM! Orphan vote processing.

The CheckOrphanVotes call is consistent with the updated method signature.

---

454-454: LGTM! Proper use of chrono-based timing.

Using count_seconds(GOVERNANCE_DELETION_DELAY) is consistent with the new chrono-based constants.

---

478-479: LGTM! Consistent chrono usage in expiration calculation.

The use of count_seconds(GOVERNANCE_DELETION_DELAY) maintains consistency with the new timing constants.

---

658-658: LGTM! Proper use of chrono constant.

Using RELIABLE_PROPAGATION_TIME with the chrono-based time calculation is consistent with the refactoring.

---

784-784: LGTM! Consistent chrono usage in rate checking.

The use of count_seconds() with the chrono constants maintains consistency throughout the timing logic.

---

825-825: LGTM! Future deviation check with chrono.

The future timestamp validation using count_seconds(MAX_TIME_FUTURE_DEVIATION) is consistent with the new timing approach.

---

862-870: LGTM! Proper relay integration in vote processing.

The ProcessVoteAndRelay method correctly:

• Asserts lock state for thread safety
• Processes the vote first
• Queues for relay only on success
• Maintains the existing return semantics

---

899-900: LGTM! Consistent chrono usage in orphan vote timing.

The use of count_seconds() with GOVERNANCE_ORPHAN_EXPIRATION_TIME is consistent with the chrono refactoring.

---

926-928: LGTM! Proper lock assertion in postponed object checking.

The method signature and lock assertion are consistent with the thread-safe relay model.

---

944-944: LGTM! Consistent method call.

The AddGovernanceObject call without peer parameter is appropriate for internal usage.

---

971-979: LGTM! Proper chrono usage in timing validation.

The timing calculations using count_seconds() with the chrono constants are consistent and correct for the additional relay logic.

---

1112-1112: LGTM! Proper masternode connection filtering.

The use of connman.IsActiveMasternode() instead of the previous flag-based approach is consistent with the refactoring mentioned in the AI summary.

---

1273-1275: LGTM! Updated method signature with proper lock assertion.

The UpdatedBlockTip method signature and lock assertion are consistent with the new relay model.

---

1292-1292: LGTM! Consistent method call.

The CheckPostponedObjects call is consistent with the updated method signature.

Reviewing files that changed from the base of the PR and between 8dfe537 and 61fdd18.

• src/Makefile.am (2 hunks)
• src/coinjoin/coinjoin.cpp (0 hunks)
• src/coinjoin/coinjoin.h (1 hunks)
• src/coinjoin/server.cpp (3 hunks)
• src/dsnotificationinterface.cpp (1 hunks)
• src/dsnotificationinterface.h (0 hunks)
• src/governance/governance.cpp (35 hunks)
• src/governance/governance.h (7 hunks)
• src/governance/object.cpp (1 hunks)
• src/governance/object.h (1 hunks)
• src/governance/signing.cpp (1 hunks)
• src/governance/signing.h (1 hunks)
• src/governance/vote.cpp (0 hunks)
• src/governance/vote.h (0 hunks)
• src/init.cpp (3 hunks)
• src/masternode/active/context.cpp (2 hunks)
• src/masternode/active/context.h (3 hunks)
• src/masternode/active/notificationinterface.cpp (2 hunks)
• src/masternode/node.cpp (1 hunks)
• src/masternode/node.h (1 hunks)
• src/net_processing.cpp (1 hunks)
• src/node/interfaces.cpp (3 hunks)
• src/qt/governancelist.h (2 hunks)
• src/rpc/governance.cpp (3 hunks)
• src/test/coinjoin_queue_tests.cpp (1 hunks)
• src/version.h (0 hunks)
• src/wallet/interfaces.cpp (0 hunks)
• test/functional/feature_governance.py (1 hunks)
• test/lint/lint-circular-dependencies.py (1 hunks)

• src/wallet/interfaces.cpp
• src/dsnotificationinterface.h
• src/governance/vote.cpp
• src/coinjoin/coinjoin.cpp
• src/governance/vote.h
• src/version.h

• src/coinjoin/coinjoin.h
• src/masternode/node.cpp
• src/coinjoin/server.cpp
• src/test/coinjoin_queue_tests.cpp
• test/lint/lint-circular-dependencies.py
• src/rpc/governance.cpp
• src/governance/object.cpp
• src/masternode/node.h

src/net_processing.cpp (3)

5283-5286: Guard optional CJ server before dereference.

m_active_ctx may exist while cj_server is null; this can crash.

Apply this diff:

-        if (m_active_ctx) {
-            PostProcessMessage(m_active_ctx->cj_server->ProcessMessage(pfrom, msg_type, vRecv), pfrom.GetId());
-        }
+        if (m_active_ctx && m_active_ctx->cj_server) {
+            PostProcessMessage(m_active_ctx->cj_server->ProcessMessage(pfrom, msg_type, vRecv), pfrom.GetId());
+        }

---

2279-2284: Fix potential null dereference: guard cj_server in DSQ AlreadyHave path.

Current code dereferences cj_server without checking it.

Apply this diff:

     case MSG_DSQ:
         return
 #ifdef ENABLE_WALLET
                 (m_cj_ctx->queueman && m_cj_ctx->queueman->HasQueue(inv.hash)) ||
 #endif // ENABLE_WALLET
-                (m_active_ctx && m_active_ctx->cj_server->HasQueue(inv.hash));
+                (m_active_ctx && m_active_ctx->cj_server && m_active_ctx->cj_server->HasQueue(inv.hash));

---

5288-5289: LGTM: governance message processing integrated via PostProcessMessage.

The new call aligns with the refactored governance pipeline.

src/masternode/active/notificationinterface.cpp (1)

7-7: LGTM: correct include for new signer.

#include <governance/signing.h> is appropriate for invoking signer hooks.

src/dsnotificationinterface.cpp (1)

93-94: LGTM: governance tip update routed via CGovernanceManager.

Simplified UpdatedBlockTip(pindexNew) aligns with centralized relay/scheduler changes.

src/node/interfaces.cpp (2)

151-154: API update: PeerManager removed from vote relay path — good.

Call now matches CGovernanceManager::ProcessVoteAndRelay(vote, exception, connman).

---

241-243: Resolved — scheduler uses 1s on mockable chains and RelayMessage already used

CGovernanceManager::Schedule uses Params().IsMockableChain() ? std::chrono::seconds{1} : std::chrono::seconds{5} and CGovernanceManager::AddGovernanceObject calls RelayMessage(govobj); interfaces.cpp already calls RelayMessage for postponed objects — no change required.

src/qt/governancelist.h (1)

37-39: No change needed — forward-declared enum matches its definition.
Definition found at src/governance/vote.h:22 as enum vote_outcome_enum_t : int, so the forward declaration is correct.

src/Makefile.am (1)

210-214: Confirm governance/signing.h exists and public exposure is intentional.

governance/signing.cpp is added to sources (src/Makefile.am:496); governance/signing.h is listed in BITCOIN_CORE_H (src/Makefile.am:210-214) but the header file wasn't found in the repo — add the header if it should be public or remove it from BITCOIN_CORE_H.

src/masternode/active/context.h (1)

16-17: Constructor/API updates — verified: destructor visibility, callsites, and gov_signer usage are OK.

• ~ActiveContext is defined in src/masternode/active/context.cpp which includes <governance/signing.h> — destructor visibility satisfied.
• The ctor now takes CGovernanceManager&; the ActiveContext construction in src/init.cpp passes *node.govman (no other ctor callsites found).
• gov_signer is constructed unconditionally in src/masternode/active/context.cpp, so the dereference in src/masternode/active/notificationinterface.cpp is safe.

src/masternode/active/context.cpp (1)

10-11: LGTM: GovernanceSigner wiring added correctly

Includes and GovernanceSigner construction look consistent with the broader refactor.

Also applies to: 31-33

src/init.cpp (3)

2155-2157: Verify DSNotificationInterface arg types and init order

You pass node.llmq_ctx and node.cj_ctx before cj_ctx is created (created at Line 2162). If CDSNotificationInterface stores references to the unique_ptrs, this is fine; if it snapshots raw pointers, UpdatedBlockTip may hit the assert (m_cj_ctx && m_llmq_ctx). Confirm the constructor expects references to unique_ptrs (or a lazily-populated pointer) and not dereferenced objects.

---

2170-2173: LGTM: ActiveContext ctor updates

ActiveContext construction matches the new signature including govman, and the arg order looks correct.

---

2281-2283: LGTM: Governance scheduling

Scheduling governance via CGovernanceManager::Schedule gated on IsValid() is appropriate.

src/governance/governance.cpp (3)

702-709: Type-safety note: m_requested_hash_time value type

Good use of std::chrono::seconds for validity. No action needed.

---

1066-1066: Run clang-format to satisfy CI

Clang format differences are reported for this file. Please run the repo’s formatting script.

---

27-40: Fix chrono literal usage and missing header

10min/1h/1min require std::chrono literals or explicit types. Add and use std::chrono::minutes/hours to avoid namespace pollution.

Apply:

+#include <chrono>
@@
-constexpr std::chrono::seconds GOVERNANCE_DELETION_DELAY{10min};
-constexpr std::chrono::seconds GOVERNANCE_ORPHAN_EXPIRATION_TIME{10min};
-constexpr std::chrono::seconds MAX_TIME_FUTURE_DEVIATION{1h};
-constexpr std::chrono::seconds RELIABLE_PROPAGATION_TIME{1min};
+constexpr std::chrono::seconds GOVERNANCE_DELETION_DELAY{std::chrono::minutes{10}};
+constexpr std::chrono::seconds GOVERNANCE_ORPHAN_EXPIRATION_TIME{std::chrono::minutes{10}};
+constexpr std::chrono::seconds MAX_TIME_FUTURE_DEVIATION{std::chrono::hours{1}};
+constexpr std::chrono::seconds RELIABLE_PROPAGATION_TIME{std::chrono::minutes{1}};

⛔ Skipped due to learnings

Learnt from: kwvg
PR: dashpay/dash#6815
File: src/chainlock/chainlock.h:68-69
Timestamp: 2025-08-13T16:10:32.972Z
Learning: The Dash codebase extensively uses std::chrono_literals throughout, including in header files. The pattern using namespace std::chrono_literals; is used globally in src/util/time.h, and chrono literals like 0s are commonly used for atomic member initialization in headers (e.g., src/net.h). Chrono literals like 0s, 1min, etc. are preferred over explicit constructors.

Learnt from: kwvg
PR: dashpay/dash#6815
File: src/chainlock/chainlock.h:68-69
Timestamp: 2025-08-13T16:10:32.972Z
Learning: The Dash codebase extensively uses std::chrono_literals throughout, including in header files. Chrono literals like 0s, 1min, etc. are acceptable and preferred over explicit constructors like std::chrono::seconds::zero().

src/governance/signing.cpp (10)

267-267: Run clang-format to satisfy CI

Clang format differences are reported for this file. Please run the repo’s formatting script.

---

5-13: Add required standard headers

std::sort/std::ranges and std::chrono usage require and .

Apply:

 #include <governance/signing.h>
 
+#include <algorithm>
+#include <chrono>

---

19-21: Use explicit chrono type, not bare 2h literal

Define GOVERNANCE_FUDGE_WINDOW using std::chrono::hours for portability.

Apply:

-constexpr std::chrono::seconds GOVERNANCE_FUDGE_WINDOW{2h};
+constexpr std::chrono::seconds GOVERNANCE_FUDGE_WINDOW{std::chrono::hours{2}};

---

56-60: Replace magic per-block time with consensus spacing

Avoid 2.62*60 float math; use consensus nPowTargetSpacing.

Apply:

-    auto SBEpochTime = static_cast<int64_t>(GetTime<std::chrono::seconds>().count() +
-                                            (nNextSuperblock - nHeight) * 2.62 * 60);
+    const int64_t now = GetTime();
+    const int64_t spacing = Params().GetConsensus().nPowTargetSpacing; // seconds per block
+    const int64_t SBEpochTime = now + (nNextSuperblock - nHeight) * spacing;

---

84-86: Fix UniValue getters

Use get_int64() instead of non-existent getInt<int64_t>().

Apply:

-        int64_t windowStart = jproposal["start_epoch"].getInt<int64_t>() - count_seconds(GOVERNANCE_FUDGE_WINDOW);
-        int64_t windowEnd = jproposal["end_epoch"].getInt<int64_t>() + count_seconds(GOVERNANCE_FUDGE_WINDOW);
+        int64_t windowStart = jproposal["start_epoch"].get_int64() - count_seconds(GOVERNANCE_FUDGE_WINDOW);
+        int64_t windowEnd = jproposal["end_epoch"].get_int64() + count_seconds(GOVERNANCE_FUDGE_WINDOW);

---

89-95: Correct 64-bit logging format specifiers

Use %lld and cast to long long for int64_t values (or PRId64 with <inttypes.h>).

Apply:

-            LogPrint(BCLog::GOBJECT, "%s -- nHeight:%d SB:%d windowStart:%d\n", __func__, nHeight, SBEpochTime,
-                     windowStart);
+            LogPrint(BCLog::GOBJECT, "%s -- nHeight:%d SB:%lld windowStart:%lld\n", __func__, nHeight,
+                     (long long)SBEpochTime, (long long)windowStart);
@@
-            LogPrint(BCLog::GOBJECT, "%s -- nHeight:%d SB:%d windowEnd:%d\n", __func__, nHeight, SBEpochTime, windowEnd);
+            LogPrint(BCLog::GOBJECT, "%s -- nHeight:%d SB:%lld windowEnd:%lld\n", __func__, nHeight,
+                     (long long)SBEpochTime, (long long)windowEnd);

---

126-137: Avoid double-locking cs_main

Already holding ::cs_main; remove the nested WITH_LOCK.

Apply:

-    LOCK(::cs_main);
+    LOCK(::cs_main);
@@
-    const CBlockIndex* tip = WITH_LOCK(::cs_main, return m_chainman.ActiveChain().Tip());
+    const CBlockIndex* tip = m_chainman.ActiveChain().Tip();

---

184-197: Fix ranges algorithm qualifier

Use std::ranges::any_of (C++20) or std::any_of; current ranges::any_of is invalid and will not compile.

Apply:

-            voted_already = ranges::any_of(voteRecord.mapInstances, [&](const auto& voteInstancePair) {
+            voted_already = std::ranges::any_of(voteRecord.mapInstances, [&](const auto& voteInstancePair) {

---

216-218: Null-deref risk on govobj

Check govobj for nullptr before dereferencing.

Apply:

-        const auto govobj = m_govman.FindGovernanceObject(trigger->GetGovernanceObjHash());
-        const uint256 trigger_hash = govobj->GetHash();
+        const auto govobj = m_govman.FindGovernanceObject(trigger->GetGovernanceObjHash());
+        if (!govobj) {
+            LogPrint(BCLog::GOBJECT, "%s -- Skipping trigger with unknown govobj:%s\n",
+                     __func__, trigger->GetGovernanceObjHash().ToString());
+            continue;
+        }
+        const uint256 trigger_hash = govobj->GetHash();

---

232-242: Fix second ranges call

Same as above: std::ranges::any_of (or std::any_of with iterators).

Apply:

-            if (ranges::any_of(voteRecord.mapInstances, [&](const auto& voteInstancePair) {
+            if (std::ranges::any_of(voteRecord.mapInstances, [&](const auto& voteInstancePair) {
                 if (voteInstancePair.first == VOTE_SIGNAL_FUNDING) {
                     LogPrint(BCLog::GOBJECT, /* Continued */
                              "%s -- Not voting NO-FUNDING for trigger:%s, we voted %s for it already\n", strFunc,
                              trigger_hash.ToString(),
                              CGovernanceVoting::ConvertOutcomeToString(voteInstancePair.second.eOutcome));
                     return true;
                 }
                 return false;
-                })) {
+                })) {

src/governance/governance.h (1)

269-271: LGTM: Relay queue guarded by its own mutex

Dedicated cs_relay and guarded vector is a clean separation to avoid contention with main cs.

Reviewing files that changed from the base of the PR and between 61fdd18 and 27c40fc.

• src/Makefile.am (2 hunks)
• src/coinjoin/coinjoin.cpp (0 hunks)
• src/coinjoin/coinjoin.h (1 hunks)
• src/coinjoin/server.cpp (3 hunks)
• src/dsnotificationinterface.cpp (1 hunks)
• src/dsnotificationinterface.h (0 hunks)
• src/governance/governance.cpp (35 hunks)
• src/governance/governance.h (7 hunks)
• src/governance/object.cpp (1 hunks)
• src/governance/object.h (1 hunks)
• src/governance/signing.cpp (1 hunks)
• src/governance/signing.h (1 hunks)
• src/governance/vote.cpp (0 hunks)
• src/governance/vote.h (0 hunks)
• src/init.cpp (3 hunks)
• src/masternode/active/context.cpp (2 hunks)
• src/masternode/active/context.h (3 hunks)
• src/masternode/active/notificationinterface.cpp (2 hunks)
• src/masternode/node.cpp (1 hunks)
• src/masternode/node.h (1 hunks)
• src/net_processing.cpp (1 hunks)
• src/node/interfaces.cpp (3 hunks)
• src/qt/governancelist.h (2 hunks)
• src/rpc/governance.cpp (3 hunks)
• src/test/coinjoin_queue_tests.cpp (1 hunks)
• src/version.h (0 hunks)
• src/wallet/interfaces.cpp (0 hunks)
• test/functional/feature_governance.py (1 hunks)
• test/lint/lint-circular-dependencies.py (1 hunks)

• src/governance/vote.cpp
• src/version.h
• src/coinjoin/coinjoin.cpp
• src/wallet/interfaces.cpp
• src/governance/vote.h
• src/dsnotificationinterface.h

• src/masternode/node.h
• src/Makefile.am
• src/coinjoin/coinjoin.h
• src/masternode/node.cpp
• src/test/coinjoin_queue_tests.cpp
• src/governance/object.h
• src/dsnotificationinterface.cpp
• src/node/interfaces.cpp

• GitHub Check: Build slim container / Build container

src/coinjoin/server.cpp (3)

500-500: Same signing pattern as line 341.

This line follows the same refactored signing pattern as line 341. The same error handling considerations apply - if SignBasic can fail, the DSQ would be relayed with an invalid signature. See the comment on line 341 for verification steps.

---

710-710: Consistent refactoring across all signing paths.

The signing pattern is consistently applied across all three changed locations (lines 341, 500, 710). The refactoring successfully centralizes signing logic in SignBasic and removes direct object-based Sign methods.

However, ensure that error handling for SignBasic failures is appropriate across all call sites. See verification script in the comment on line 341.

---

341-341: No error handling needed - SignBasic includes validation.

The SignBasic method includes assert(sig.IsValid()) at line 283 of src/masternode/node.cpp, which ensures that only valid signatures are returned. This assert will catch initialization errors in debug builds. Additionally, all signed objects (DSTX, CCoinJoinQueue, governance votes) are verified via CheckSignature() methods when received by peers, providing defense-in-depth. This pattern is consistent across the entire codebase—7 call sites use the same approach without explicit error checking.

Likely an incorrect or invalid review comment.

test/lint/lint-circular-dependencies.py (1)

50-54: LGTM! Expected circular dependencies correctly documented.

The added circular dependency paths accurately reflect the architectural changes from splitting governance signing logic into GovernanceSigner and introducing relay-queue patterns through ActiveContext.

src/qt/governancelist.h (2)

9-9: LGTM! Required include for CKeyID usage.

The pubkey.h include is necessary for the CKeyID type used in the votableMasternodes member at line 63.

---

14-14: LGTM! Good practice reducing header dependencies.

The forward declaration of vote_outcome_enum_t with explicit underlying type avoids including the full governance/vote.h header, reducing compilation dependencies. The include reordering and preserved CDeterministicMNList forward declaration maintain proper header hygiene.

Also applies to: 37-38

src/governance/object.cpp (1)

247-250: LGTM! Clean separation of signing and storage.

Replacing Sign() with SetSignature() successfully decouples signing logic (now in GovernanceSigner) from signature storage. The implementation correctly stores the provided signature without performing validation, which is handled separately by CheckSignature() (lines 252-261). This aligns with the PR objective of extracting masternode-only logic.

src/governance/governance.h (12)

25-52: LGTM!

Forward declarations and type aliases are correctly added to support the new relay infrastructure and governance signer integration.

---

242-242: LGTM!

The multiple inheritance pattern correctly establishes CGovernanceManager as both a data store (GovernanceStore) and a parent interface for governance signing operations (GovernanceSignerParent). This enables the new GovernanceSigner to interact with the manager via the interface.

---

269-270: LGTM!

The relay queue infrastructure (cs_relay mutex and m_relay_invs queue) correctly implements the new centralized relay pattern described in the PR objectives. The use of Mutex (non-recursive) is appropriate for this queue protection pattern.

---

278-278: LGTM!

The Schedule method signature correctly establishes the periodic governance tasks infrastructure. The implementation (seen in governance.cpp) appropriately schedules orphan cleanup, relay queue processing, and object maintenance at suitable intervals.

---

282-286: LGTM!

The IsValid() override and RelayMessage overloads are correctly declared. The EXCLUSIVE_LOCKS_REQUIRED(!cs_relay) annotations properly document that callers must not hold the relay lock, which the implementations respect by acquiring it internally.

---

297-298: LGTM!

The ProcessMessage signature correctly enforces lock ordering with EXCLUSIVE_LOCKS_REQUIRED(!cs_relay) and uses [[nodiscard]] to ensure error handling. This aligns with the relay-aware processing model.

---

301-344: LGTM!

The method signature updates consistently apply the override keyword and EXCLUSIVE_LOCKS_REQUIRED annotations to support the new relay-aware governance architecture. The lock annotations correctly enforce lock ordering:

• Methods that may relay require !cs_relay (caller must not hold it)
• Methods that query state require !cs (caller must not hold it)

---

363-391: LGTM!

The trigger and proposal query methods correctly use override and EXCLUSIVE_LOCKS_REQUIRED(!cs) annotations. The implementations properly delegate to internal helpers that hold the lock, and return shared_ptr for thread-safe access to governance objects.

---

395-398: LGTM!

The internal helper methods correctly document with EXCLUSIVE_LOCKS_REQUIRED(cs) that they expect the caller to hold the lock. This is the proper pattern for separating public (locking) from internal (locked) implementations.

---

404-404: LGTM!

The AddInvalidVote method correctly has no lock annotation because cmapInvalidVotes is a CacheMap with internal synchronization.

---

411-411: LGTM!

The EXCLUSIVE_LOCKS_REQUIRED(!cs_relay) annotation on CheckOrphanVotes is correct because the method calls RelayMessage, which also requires the caller not hold cs_relay.

---

11-21: Add missing standard headers.

The header uses std::optional (line 266) and std::chrono::seconds (line 264) but does not include <optional> and <chrono>. This can cause compilation failures depending on transitive includes.

Apply this diff to add the required headers:

 #include <protocol.h>
 #include <sync.h>
 
 #include <governance/signing.h>
 
+#include <chrono>
 #include <limits>
 #include <map>
 #include <memory>
+#include <optional>
 #include <set>
 #include <string>
 #include <string_view>
 #include <vector>

src/masternode/active/context.h (3)

16-22: LGTM!

Forward declarations are correctly used for CGovernanceManager and GovernanceSigner to minimize header dependencies.

---

62-62: LGTM!

The gov_signer member uses const std::unique_ptr<GovernanceSigner> which correctly establishes single ownership and prevents pointer reassignment after construction, consistent with other members like cj_server and ehf_sighandler.

---

50-53: LGTM! Constructor correctly initializes governance signer

The constructor signature properly adds CGovernanceManager& govman, and the implementation correctly uses it at line 31 of context.cpp to initialize gov_signer with all required parameters.

src/masternode/active/notificationinterface.cpp (2)

7-7: LGTM!

The include for governance/signing.h is correctly added to support the gov_signer->UpdatedBlockTip call.

---

26-26: Guard against null gov_signer.

If gov_signer is not initialized (e.g., in non-masternode mode), this will cause a segmentation fault. Add a nullptr check or ensure gov_signer is always initialized in ActiveContext.

Apply this diff to add a null check:

     m_mn_activeman.UpdatedBlockTip(pindexNew, pindexFork, fInitialDownload);
     m_active_ctx.ehf_sighandler->UpdatedBlockTip(pindexNew);
-    m_active_ctx.gov_signer->UpdatedBlockTip(pindexNew);
+    if (m_active_ctx.gov_signer) {
+        m_active_ctx.gov_signer->UpdatedBlockTip(pindexNew);
+    }

Based on learnings: kwvg may defer this to follow-up consistent with avoiding scope creep in refactoring PRs.

src/rpc/governance.cpp (4)

396-401: LGTM!

The gobject_submit handler correctly uses the new relay API:

• RelayMessage(govobj) for postponed objects
• AddGovernanceObject(govobj) for validated objects (which internally calls RelayMessage)

This eliminates the need for PeerManager in this code path, consistent with the PR objectives.

---

458-458: LGTM!

The ProcessVoteAndRelay call correctly uses the new signature without PeerManager, relying on the internal relay queue mechanism.

---

964-964: LGTM!

The voteraw handler correctly adopts the new ProcessVoteAndRelay signature without PeerManager.

---

396-964: Governance RPC refactoring successfully removes PeerManager dependency.

All governance RPC handlers (gobject_submit, VoteWithMasternodes, voteraw) correctly adopt the new relay API that eliminates direct PeerManager usage. The relay responsibility is now centralized in CGovernanceManager via RelayMessage and the periodic relay queue, as intended by the PR objectives.

test/functional/feature_governance.py (1)

320-320: Verify the log message matches the implementation.

The test expects "VoteGovernanceTriggers --" in the debug log. The GovernanceSigner::VoteGovernanceTriggers method uses LogPrint(BCLog::GOBJECT, "%s -- ...", __func__, ...) throughout its implementation, where __func__ expands to "VoteGovernanceTriggers". The test framework's assert_debug_log performs substring matching, so it will correctly match any log line containing "VoteGovernanceTriggers --" from this function.

src/net_processing.cpp (2)

5288-5289: Callsite update matches new CGovernanceManager::ProcessMessage signature.

Looks good; relays will flow via PostProcessMessage as intended by the periodic relay refactor.

Please confirm that governance scheduled tasks are started once at init (e.g., CGovernanceManager::StartScheduledTasks or equivalent), so the relay queue is processed on mainnet/test cadence.

---

5283-5286: Optional guard/assert for cj_server access.

If cj_server is always constructed with ActiveContext, no change needed. Otherwise guard or assert to prevent accidental null deref.

-        if (m_active_ctx) {
-            PostProcessMessage(m_active_ctx->cj_server->ProcessMessage(pfrom, msg_type, vRecv), pfrom.GetId());
-        }
+        if (m_active_ctx && m_active_ctx->cj_server) {
+            PostProcessMessage(m_active_ctx->cj_server->ProcessMessage(pfrom, msg_type, vRecv), pfrom.GetId());
+        }

src/masternode/active/context.cpp (2)

10-11: Includes for governance look correct.

---

19-22: Call site already updated correctly.

The single ActiveContext instantiation at src/init.cpp:2170-2172 already matches the new 13-parameter constructor signature with all arguments in the correct order. No further updates required.

src/init.cpp (2)

2170-2173: ActiveContext wiring LGTM

ActiveContext now includes govman and updated deps; ordering and derefs look consistent.

---

2155-2157: Constructor signature verified - code is correct

The constructor expects const std::unique_ptr<LLMQContext>& and const std::unique_ptr<CJContext>&, and the call site correctly passes node.llmq_ctx and node.cj_ctx by reference without .get(). While node.cj_ctx is null at construction (line 2155) and initialized later (line 2162), this is safe: RegisterValidationInterface only registers the callback without invoking it, and InitializeCurrentBlockTip (which triggers methods that assert both contexts are non-null) is called at line 2353, well after cj_ctx initialization.

src/governance/signing.cpp (9)

5-13: Missing headers for used symbols (sort, ranges, chrono logs)

Include the right headers to avoid transitive‑include breaks.

 #include <governance/signing.h>
 
+#include <algorithm>      // std::sort
+#include <chrono>         // chrono literals if used
+#include <inttypes.h>     // PRId64 if using printf macros
+#include <util/ranges.h>  // ranges::any_of alias

---

56-60: Replace magic 2.62*60 with consensus spacing (integer math)

Avoid floating rounding and encode network target spacing.

-    auto SBEpochTime = static_cast<int64_t>(GetTime<std::chrono::seconds>().count() +
-                                            (nNextSuperblock - nHeight) * 2.62 * 60);
+    const int64_t now = GetTime();
+    const int64_t spacing = Params().GetConsensus().nPowTargetSpacing; // seconds
+    const int64_t SBEpochTime = now + (nNextSuperblock - nHeight) * spacing;

---

89-95: Fix int64 logging specifiers

SBEpochTime/windowStart/windowEnd are int64_t; "%d" is wrong. Use %lld with casts or PRId64.

-            LogPrint(BCLog::GOBJECT, "%s -- nHeight:%d SB:%d windowStart:%d\n", __func__, nHeight, SBEpochTime,
-                     windowStart);
+            LogPrint(BCLog::GOBJECT, "%s -- nHeight:%d SB:%lld windowStart:%lld\n", __func__, nHeight,
+                     (long long)SBEpochTime, (long long)windowStart);
...
-            LogPrint(BCLog::GOBJECT, "%s -- nHeight:%d SB:%d windowEnd:%d\n", __func__, nHeight, SBEpochTime, windowEnd);
+            LogPrint(BCLog::GOBJECT, "%s -- nHeight:%d SB:%lld windowEnd:%lld\n", __func__, nHeight,
+                     (long long)SBEpochTime, (long long)windowEnd);

---

230-242: Same issue: ranges::any_of without header

As above; include util/ranges.h and keep ranges::any_of, or use std::ranges::any_of with .

---

84-86: UniValue getter misuse: getInt<int64_t>() is not valid

Use get_int64().

-        int64_t windowStart = jproposal["start_epoch"].getInt<int64_t>() - count_seconds(GOVERNANCE_FUDGE_WINDOW);
-        int64_t windowEnd = jproposal["end_epoch"].getInt<int64_t>() + count_seconds(GOVERNANCE_FUDGE_WINDOW);
+        int64_t windowStart = jproposal["start_epoch"].get_int64() - count_seconds(GOVERNANCE_FUDGE_WINDOW);
+        int64_t windowEnd = jproposal["end_epoch"].get_int64() + count_seconds(GOVERNANCE_FUDGE_WINDOW);

---

126-137: Double-locking cs_main

You LOCK(::cs_main) then call WITH_LOCK(::cs_main, ...) causing re-lock on non‑recursive mutex. Get tip directly.

-    LOCK(::cs_main);
...
-    const CBlockIndex* tip = WITH_LOCK(::cs_main, return m_chainman.ActiveChain().Tip());
+    LOCK(::cs_main);
+    const CBlockIndex* tip = m_chainman.ActiveChain().Tip();

---

216-218: Null deref risk: govobj may be nullptr

FindGovernanceObject can return nullptr. Guard before dereference.

-        const auto govobj = m_govman.FindGovernanceObject(trigger->GetGovernanceObjHash());
-        const uint256 trigger_hash = govobj->GetHash();
+        const auto govobj = m_govman.FindGovernanceObject(trigger->GetGovernanceObjHash());
+        if (!govobj) {
+            LogPrint(BCLog::GOBJECT, "%s -- Skipping trigger with unknown govobj:%s\n",
+                     __func__, trigger->GetGovernanceObjHash().ToString());
+            continue;
+        }
+        const uint256 trigger_hash = govobj->GetHash();

---

184-197: ranges::any_of without ranges header

Either include util/ranges.h and keep ranges::any_of, or switch to std::ranges::any_of with . Given other files use util/ranges.h, include it here.

-            voted_already = ranges::any_of(voteRecord.mapInstances, [&](const auto& voteInstancePair) {
+            voted_already = ranges::any_of(voteRecord.mapInstances, [&](const auto& voteInstancePair) {
                 ...
             });

(Add #include <util/ranges.h> as above.)

---

19-21: Chrono literal 2h may not compile without chrono_literals

Either add using namespace std::chrono_literals; in this TU, or use explicit hours.

-constexpr std::chrono::seconds GOVERNANCE_FUDGE_WINDOW{2h};
+using namespace std::chrono_literals;
+constexpr std::chrono::seconds GOVERNANCE_FUDGE_WINDOW{2h};

Or:

-constexpr std::chrono::seconds GOVERNANCE_FUDGE_WINDOW{2h};
+constexpr std::chrono::seconds GOVERNANCE_FUDGE_WINDOW{std::chrono::hours{2}};

⛔ Skipped due to learnings

Learnt from: kwvg
PR: dashpay/dash#6815
File: src/chainlock/chainlock.h:68-69
Timestamp: 2025-08-13T16:10:32.972Z
Learning: The Dash codebase extensively uses std::chrono_literals throughout, including in header files. The pattern using namespace std::chrono_literals; is used globally in src/util/time.h, and chrono literals like 0s are commonly used for atomic member initialization in headers (e.g., src/net.h). Chrono literals like 0s, 1min, etc. are preferred over explicit constructors.

Learnt from: kwvg
PR: dashpay/dash#6815
File: src/chainlock/chainlock.h:68-69
Timestamp: 2025-08-13T16:10:32.972Z
Learning: The Dash codebase extensively uses std::chrono_literals throughout, including in header files. Chrono literals like 0s, 1min, etc. are acceptable and preferred over explicit constructors like std::chrono::seconds::zero().

src/governance/governance.cpp (6)

95-122: Scheduler closures LGTM

Periodic maintenance and relay flushing look correct; intervals match PR intent (1s test, 5s main).

---

205-210: Postponed map guarded by cs: LGTM

---

306-307: Relay on accepted object

Switch to RelayMessage(obj) aligns with centralized relay.

---

355-374: Orphan vote processing relay path updated

Relaying via queue is consistent; good.

---

1015-1024: Additional relay timing guards are clear

The valid/ready checks with MAX_TIME_FUTURE_DEVIATION and RELIABLE_PROPAGATION_TIME are reasonable.

---

1322-1344: UpdatedBlockTip pathway

Setting nCachedBlockHeight before CheckPostponedObjects/ExecuteBestSuperblock is correct ordering.

Reviewing files that changed from the base of the PR and between 27c40fc and 6898eff.

• src/Makefile.am (2 hunks)
• src/coinjoin/coinjoin.cpp (0 hunks)
• src/coinjoin/coinjoin.h (1 hunks)
• src/coinjoin/server.cpp (3 hunks)
• src/dsnotificationinterface.cpp (1 hunks)
• src/dsnotificationinterface.h (0 hunks)
• src/governance/governance.cpp (35 hunks)
• src/governance/governance.h (7 hunks)
• src/governance/object.cpp (1 hunks)
• src/governance/object.h (1 hunks)
• src/governance/signing.cpp (1 hunks)
• src/governance/signing.h (1 hunks)
• src/governance/vote.cpp (0 hunks)
• src/governance/vote.h (0 hunks)
• src/init.cpp (3 hunks)
• src/masternode/active/context.cpp (2 hunks)
• src/masternode/active/context.h (3 hunks)
• src/masternode/active/notificationinterface.cpp (2 hunks)
• src/masternode/node.cpp (1 hunks)
• src/masternode/node.h (1 hunks)
• src/net_processing.cpp (1 hunks)
• src/node/interfaces.cpp (3 hunks)
• src/qt/governancelist.h (2 hunks)
• src/rpc/governance.cpp (3 hunks)
• src/test/coinjoin_queue_tests.cpp (1 hunks)
• src/version.h (0 hunks)
• src/wallet/interfaces.cpp (0 hunks)
• test/functional/feature_governance.py (1 hunks)
• test/lint/lint-circular-dependencies.py (1 hunks)

• src/governance/vote.h
• src/dsnotificationinterface.h
• src/coinjoin/coinjoin.cpp
• src/wallet/interfaces.cpp
• src/governance/vote.cpp
• src/version.h

• src/net_processing.cpp
• src/masternode/active/context.h
• src/rpc/governance.cpp
• src/Makefile.am
• src/coinjoin/server.cpp
• src/dsnotificationinterface.cpp
• src/masternode/node.h

• GitHub Check: Build container / Build container

test/lint/lint-circular-dependencies.py (1)

50-54: LGTM! Circular dependency expectations updated correctly.

The updated circular dependency paths accurately reflect the governance refactor:

• Two expanded paths for governance/classes involving the new governance/signing module
• New path through masternode/active/context that results from integrating GovernanceSigner

These are documented as expected circular dependencies arising from the architectural changes.

src/coinjoin/coinjoin.h (1)

212-212: LGTM! Sign() method removed as part of signature refactor.

The removal of the Sign() method from CCoinJoinQueue aligns with the broader refactor where signatures are now provisioned externally via vchSig using CActiveMasternodeManager::SignBasic(), rather than being generated inline by the object itself.

This is consistent with similar changes to CCoinJoinBroadcastTx and governance objects.

test/functional/feature_governance.py (1)

320-320: LGTM! Test updated to match new log format.

The expected debug log message has been updated from CGovernanceManager::VoteGovernanceTriggers to VoteGovernanceTriggers -- to align with the new logging format introduced by the governance refactor.

The test logic remains unchanged; only the log message assertion was updated.

src/test/coinjoin_queue_tests.cpp (1)

37-37: LGTM! Test updated to use SignBasic() for signature provisioning.

The test now correctly uses mn_activeman.SignBasic(q.GetSignatureHash()) to provision the signature and assigns it directly to q.vchSig, replacing the removed q.Sign(mn_activeman) method.

This change aligns with the broader refactor where signatures are embedded directly via the vchSig field rather than generated inline by the object.

src/masternode/node.cpp (1)

279-285: LGTM! SignBasic() implementation is correct.

The new SignBasic() method provides a clean, non-legacy signing interface that:

• Correctly delegates to Sign() with is_legacy=false
• Maintains proper lock discipline with AssertLockNotHeld(cs)
• Asserts signature validity (appropriate since invalid signatures indicate a critical error)
• Returns the signature as a byte vector for external consumption

This serves as the unified signing pathway for governance and coinjoin components, replacing inline Sign() methods.

src/masternode/active/notificationinterface.cpp (2)

7-7: LGTM! Governance signing header included.

The inclusion of governance/signing.h is necessary to support the new gov_signer->UpdatedBlockTip() call added at line 26.

---

26-26: LGTM! Governance signer integrated into block tip updates.

The call to m_active_ctx.gov_signer->UpdatedBlockTip(pindexNew) correctly integrates governance signing with block tip updates. As confirmed in previous review discussions, gov_signer is always initialized in the ActiveContext constructor, so no null check is needed.

The call is appropriately guarded by the same conditions as other updates (not in IBD, new block).

src/qt/governancelist.h (2)

9-14: LGTM! Header organization improved.

The changes improve header organization by:

• Explicitly including pubkey.h (needed for CKeyID in votableMasternodes)
• Reordering governance/object.h to follow other includes
• Maintaining proper include structure

These changes reduce header coupling while preserving functionality.

---

37-38: LGTM! Forward declarations reduce header dependencies.

Adding forward declarations for CDeterministicMNList and vote_outcome_enum_t reduces compilation dependencies without affecting the public API.

This is a good practice that improves build times and reduces coupling.

src/governance/object.h (1)

217-217: LGTM! Signature API simplified and improved.

The change from Sign() to SetSignature(const std::vector<uint8_t>& sig) is a good design improvement that:

• Separates signature production from signature storage
• Allows external callers to use CActiveMasternodeManager::SignBasic() for signing
• Simplifies the governance object API by removing the signing responsibility
• Aligns with similar changes across coinjoin components

This is consistent with the broader refactor toward centralized signing and relay mechanisms.

src/node/interfaces.cpp (2)

151-158: ProcessVoteAndRelay peerman removal looks correct

Calling govman->ProcessVoteAndRelay(vote, exception, *connman) matches updated API and centralizes relay.

Also applies to: 160-161

---

239-243: Good switch to queued relay flow

Using AddPostponedObject + RelayMessage on missing confirmations and AddGovernanceObject otherwise aligns with periodic relay design.

src/governance/object.cpp (1)

1-1: Run clang-format to fix style diffs

CI reports clang-format differences for this file. Please run clang-format on src/governance/object.cpp.

src/masternode/active/context.cpp (2)

10-12: Governance dependencies correctly introduced

Including governance headers here is appropriate for the new signer wiring.

---

19-23: ActiveContext now owns GovernanceSigner — wiring looks good

Constructor signature and gov_signer initialization match GovernanceSigner(CConnman, DmnMan, GovMan, ActiveMN, Chainman, MnSync).

Also applies to: 31-33

src/init.cpp (3)

2137-2139: Updated CDSNotificationInterface wiring is consistent

Constructor args updated to remove peerman/activemn and include govman/chainman; matches new interfaces.

---

2151-2154: ActiveContext construction updated correctly

Passing govman into ActiveContext and expanded dependency order match the new constructor.

---

2263-2264: Governance scheduling change LGTM

Using govman->Schedule(scheduler, connman, peerman) meets the periodic relay design and is gated by IsValid().

src/governance/signing.cpp (1)

1-1: Run clang-format to satisfy CI

CI reports clang-format differences for this file. Please run clang-format on src/governance/signing.cpp.

src/governance/governance.cpp (15)

135-161: LGTM! Relay message queuing is correctly implemented.

The RelayMessage overloads properly check sync status, validate masternode existence for votes, and safely queue relay messages using the cs_relay mutex.

---

205-209: LGTM! AddPostponedObject implementation is correct.

The method properly locks the mutex and inserts the governance object into the postponed objects map.

---

211-353: LGTM! ProcessMessage updated for relay queue model.

The method signature correctly removes the PeerManager parameter and uses the new RelayMessage approach for queuing relays instead of direct relay calls.

---

355-380: LGTM! CheckOrphanVotes updated correctly.

The method signature properly removes the PeerManager parameter and uses RelayMessage for vote relay.

---

382-441: LGTM! AddGovernanceObject updated for relay queue model.

The method signature correctly changes to take a nullable peer pointer and uses RelayMessage for object relay instead of direct relay calls.

---

497-497: LGTM! count_seconds usage is correct.

The conversion from chrono::seconds to int64_t using count_seconds() is appropriate for time comparisons.

Also applies to: 521-522

---

573-585: LGTM! Lock separation pattern is well implemented.

The separation of FindGovernanceObject (public, acquires lock) and InternalFindGovernanceObject (internal, requires lock) is a good pattern that clarifies lock requirements.

---

587-595: LGTM! Lock acquisition is correctly added.

The method properly asserts lock is not held and acquires it before accessing mapObjects.

---

702-702: LGTM! Chrono-based time calculations are correct.

All usages of count_seconds() properly convert chrono::seconds to int64_t for time comparisons and calculations.

Also applies to: 828-828, 869-869, 943-944, 1015-1018, 1023-1023

---

906-914: LGTM! ProcessVoteAndRelay updated correctly.

The method properly asserts lock state and uses RelayMessage for vote relay.

---

970-1036: LGTM! CheckPostponedObjects updated correctly.

The method properly asserts lock state and uses the updated AddGovernanceObject and RelayMessage APIs.

---

1069-1072: LGTM! AddInvalidVote implementation is correct.

The method properly inserts the invalid vote into the cache.

---

1322-1344: LGTM! UpdatedBlockTip signature simplified correctly.

The method signature properly removes unnecessary parameters and uses the updated CheckPostponedObjects API.

---

1458-1458: LGTM! Internal methods and GetApprovedProposals are well implemented.

The internal methods pattern is consistently applied throughout. GetApprovedProposals correctly filters and sorts approved proposals by vote threshold and yes votes, with proper tie-breaking logic.

Also applies to: 1500-1500, 1554-1773

---

95-122: Guarantee valid lifetimes for connman and peerman in scheduled lambdas. Lambdas in CGovernanceManager::Schedule capture these by reference—ensure they outlive all scheduled callbacks or switch to owning captures (e.g. std::shared_ptr) and stop the scheduler before destroying them.

src/governance/governance.h (7)

10-10: LGTM! Required headers are now included.

The necessary headers <chrono> and <optional> are now included, addressing previous review feedback. The inclusion of <governance/signing.h> and other standard headers is appropriate for the declarations in this file.

Also applies to: 13-13, 15-23

---

27-27: LGTM! Forward declarations and typedefs are well organized.

The forward declarations appropriately reduce header dependencies, and the typedefs provide clear aliases for complex types.

Also applies to: 29-29, 33-34, 39-39, 47-54

---

244-244: LGTM! Multiple inheritance is appropriate here.

Inheriting from both GovernanceStore and GovernanceSignerParent aligns with the PR's goal of separating governance signing responsibilities.

---

271-272: LGTM! Relay infrastructure is well designed.

The cs_relay mutex and m_relay_invs vector are properly annotated with thread safety attributes. RelayMessage methods correctly require the relay lock is NOT held to prevent deadlocks.

Also applies to: 280-280, 284-284, 286-287

---

299-300: LGTM! API signatures are correctly updated.

All method signatures properly reflect the new relay queue model, removing direct PeerManager usage. Lock annotations and override keywords are appropriate.

Also applies to: 303-304, 311-312, 318-318, 322-322

---

335-335: LGTM! Additional API methods are correctly annotated.

All method declarations have appropriate lock annotations and override keywords where needed.

Also applies to: 339-339, 343-344, 346-346, 365-365, 389-393

---

396-400: LGTM! Internal methods are well designed.

The separation of public methods (that acquire locks) and internal methods (that require locks to be held) is a clear and maintainable pattern. Lock annotations properly document threading requirements.

Also applies to: 406-406, 413-413