Reviewing files that changed from the base of the PR and between e5ce1f0 and f12a3b7.

• src/chainlock/chainlock.cpp (1 hunks)
• src/chainlock/chainlock.h (1 hunks)
• src/chainlock/signing.cpp (2 hunks)
• src/init.cpp (3 hunks)
• src/instantsend/signing.cpp (3 hunks)
• src/llmq/context.cpp (2 hunks)
• src/llmq/context.h (1 hunks)
• src/llmq/ehf_signals.cpp (2 hunks)
• src/llmq/signing.cpp (1 hunks)
• src/llmq/signing.h (2 hunks)
• src/llmq/signing_shares.cpp (37 hunks)
• src/llmq/signing_shares.h (4 hunks)
• src/masternode/active/context.cpp (3 hunks)
• src/masternode/active/context.h (2 hunks)
• src/masternode/active/notificationinterface.cpp (2 hunks)
• src/masternode/active/notificationinterface.h (2 hunks)
• src/net_processing.cpp (1 hunks)
• src/rpc/quorums.cpp (5 hunks)
• test/lint/lint-circular-dependencies.py (1 hunks)

src/chainlock/chainlock.cpp (1)

46-56: Constructor changes align with header

Init list removal of sigman is consistent and safe.

src/instantsend/signing.cpp (3)

16-17: Include addition is appropriate

Directly using CSigSharesManager API warrants including signing_shares.h.

---

392-393: Consistent usage of AsyncSignIfMember

Call site aligns with new signature; relying on default fRetroactive=false is fine.

---

328-336: Parameter order and function signature verification complete—no issues found.

The function signature at src/llmq/signing_shares.h:443-447 confirms the parameter order is:

AsyncSignIfMember(Consensus::LLMQType llmqType, CSigningManager& sigman, const uint256& id,
                  const uint256& msgHash, const uint256& quorumHash = uint256(), bool allowReSign = false,
                  bool allowDiffMsgHashSigning = false)

Both calls in src/instantsend/signing.cpp align correctly:

• Line 334: AsyncSignIfMember(llmqType, m_sigman, id, tx.GetHash(), {}, fRetroactive) maps parameters correctly (quorumHash={}, allowReSign=fRetroactive)
• Line 392: AsyncSignIfMember(llmqType, m_sigman, id, tx.GetHash(), quorum->m_quorum_base_block_index->GetBlockHash()) uses defaults appropriately

All other usages across the codebase follow the same consistent parameter order.

src/chainlock/signing.cpp (2)

12-13: Include addition is appropriate

Using CSigSharesManager API requires including its header.

---

144-145: AsyncSignIfMember call updated correctly

Param order matches new interface. No further issues.

src/llmq/signing.h (1)

181-182: Constructor signature change successfully propagated; all call sites updated

The verification confirms the CSigningManager constructor signature change is complete. The only instantiation site at src/llmq/context.cpp:33 correctly uses the new 4-parameter signature without mn_activeman:

std::make_unique<llmq::CSigningManager>(chainman.ActiveChainstate(), *qman, unit_tests, wipe)

No stale 5-parameter call sites remain.

src/net_processing.cpp (1)

5378-5381: Move to ActiveContext::shareman looks good; please verify injection/lifetime.

Dropping the explicit PeerManager param means CSigSharesManager must already hold the correct PeerManager reference. Confirm:

• ActiveContext builds shareman with this PeerManager instance.
• shareman’s lifetime ≥ PeerManagerImpl usage.
• No additional locks required beyond g_msgproc_mutex here.

src/masternode/active/notificationinterface.cpp (1)

9-9: Include is appropriate for calling CSigSharesManager APIs.

OK to include signing_shares.h here since the method call needs the full type.

test/lint/lint-circular-dependencies.py (1)

72-72: Circular dependency confirmed; refactoring is recommended but optional.

The cycle llmq/signing_shares → net_processing → masternode/active/context → llmq/signing_shares is real:

• net_processing.cpp includes masternode/active/context.h
• masternode/active/context.cpp includes llmq/signing_shares.h
• llmq/signing_shares.cpp includes net_processing.h

Adding this to the expected circular dependencies list is acceptable if breaking the cycle is not feasible within this PR. However, the suggested refactoring approaches remain valid long-term improvements:

• Extract a minimal interface header (e.g., net/peerman_iface.h) to decouple llmq/signing_shares from net_processing
• Introduce an ISigSharesManager interface in masternode/active/context to eliminate the dependency chain

If this cycle was newly introduced by the PR's refactoring, consider whether these decoupling strategies could be applied now; otherwise, this is a good candidate for a follow-up refactoring effort.

src/masternode/active/notificationinterface.h (1)

10-10: LGTM!

The additions properly integrate recovered signature notifications into the active masternode notification interface. The forward declaration avoids unnecessary header dependencies, and the method signature follows the validation interface pattern correctly.

Also applies to: 14-16, 28-28

src/llmq/ehf_signals.cpp (1)

14-17: LGTM!

The include additions and AsyncSignIfMember parameter adjustment align with the refactor to move CSigSharesManager to ActiveContext and adjust dependency flow between signing managers.

Also applies to: 81-81

src/masternode/active/context.cpp (1)

29-37: LGTM!

The shareman initialization and lifecycle method implementations are correct. The refactor properly moves CSigSharesManager ownership to ActiveContext and wires it into the startup/shutdown sequence alongside the existing LLMQ DKG session manager.

Also applies to: 49-66

src/llmq/context.h (1)

44-44: LGTM!

The Start method signature change and removal of shareman member are consistent with the refactor goals. CSigSharesManager ownership has been successfully moved to ActiveContext, and LLMQContext.Start no longer requires CConnman since it doesn't manage shareman anymore.

Based on learnings.

src/init.cpp (1)

234-236: LGTM!

The lifecycle integration for ActiveContext follows the correct dependency order:

• Startup: llmq_ctx → active_ctx (base first, dependents second)
• Shutdown: active_ctx → llmq_ctx (dependents first, base second)

The Start method parameter changes align with the refactored ownership model.

Also applies to: 272-272, 2259-2260

src/masternode/active/context.h (1)

33-33: LGTM!

The interface design is sound:

• Forward declaration minimizes dependencies
• Public lifecycle methods follow established patterns
• shareman is appropriately public for external access
• cl_signer and is_signer are correctly private since they're managed through registration

The access levels reflect proper encapsulation.

Also applies to: 50-52, 61-61, 64-70

src/rpc/quorums.cpp (1)

31-31: LGTM!

The include addition enables access to ActiveContext, and the SelectMemberForRecovery change to use the static method is appropriate since it's a pure function called from a non-masternode-specific RPC command.

Also applies to: 750-750

src/llmq/signing.cpp (1)

335-340: Ctor change LGTM; dependency slimming achieved.

Dropping CActiveMasternodeManager here is clean and consistent with the PR goal. No functional risk spotted.

src/llmq/context.cpp (1)

33-36: Ctor wiring LGTM.

Updated CSigningManager and CChainLocksHandler ctor args align with the refactor.

src/llmq/signing_shares.h (3)

419-423: New constructor/dtor LGTM.

Explicit ctor with all dependencies, plus virtual dtor override, improves ownership clarity.

---

443-447: Verification confirms new API migration complete.

All 5 caller sites (rpc/quorums.cpp, ehf_signals.cpp, instantsend/signing.cpp, chainlock/signing.cpp) correctly use the new API pattern where AsyncSignIfMember is invoked on shareman with sigman passed as a parameter. No legacy calls using the old API remain in the codebase.

---

1-7: Apply clang-format to fix formatting violations in this file.

The file contains formatting issues that violate the project's .clang-format configuration, specifically:

• Excessive blank lines (3+) at lines 104–108 and similar locations exceed the MaxEmptyLinesToKeep: 2 limit
• Include organization may need adjustment

Run clang-format locally on src/llmq/signing_shares.h using:

clang-format -i src/llmq/signing_shares.h

Then commit the formatting changes to unblock CI.

src/llmq/signing_shares.cpp (7)

183-195: Ctor wiring LGTM.

Capturing deps by reference and resetting the interrupt is correct.

---

199-207: Worker start LGTM.

Parameterless StartWorkerThread() aligns with member-internalized deps.

---

639-705: Banning invalid lazy sigs is strict; confirm policy.

On invalid lazy sig deserialization, you ban immediately. If that’s intentional, all good; otherwise consider penalizing less harshly first.

Do we have prior art in net_processing for equivalent penalties?

---

725-774: Recovery flow LGTM.

On threshold reached, attempt recovery; single-member special-case is handled; sporadic verification guards against regressions.

Also applies to: 776-855

---

1150-1204: Announcement path LGTM; uses quorum node discovery once per quorum.

The memoization via quorumNodesMap avoids repeated GetMasternodeQuorumNodes calls.

---

1532-1577: Ban flow uses PeerManager::Misbehaving/IsBanned; good encapsulation.

Local state is cleaned up to re-request from others; matches resiliency goals.

---

1635-1655: Single-quorum signing still uses operator key; TODO acknowledged.

Noted; leaving as-is matches existing behavior.

Reviewing files that changed from the base of the PR and between f12a3b7 and af9a15f.

• src/chainlock/chainlock.h (2 hunks)
• src/chainlock/signing.cpp (2 hunks)
• src/instantsend/signing.cpp (3 hunks)
• src/llmq/context.cpp (2 hunks)
• src/llmq/ehf_signals.cpp (2 hunks)
• src/llmq/signing.cpp (2 hunks)
• src/llmq/signing.h (4 hunks)
• src/llmq/signing_shares.cpp (37 hunks)
• src/llmq/signing_shares.h (4 hunks)
• src/masternode/active/context.cpp (3 hunks)
• src/masternode/active/notificationinterface.cpp (2 hunks)
• src/masternode/active/notificationinterface.h (2 hunks)
• src/net_processing.cpp (1 hunks)
• src/rpc/quorums.cpp (5 hunks)

• src/masternode/active/notificationinterface.cpp
• src/net_processing.cpp
• src/masternode/active/notificationinterface.h

• GitHub Check: Build container / Build container

src/chainlock/chainlock.h (2)

73-74: Constructor update looks correct.

Removal of CSigningManager& aligns with implementation and ownership shift.

---

70-70: Fix chrono literal in header (compile blocker).

0s requires std::chrono_literals; headers shouldn’t rely on using-directives. Initialize explicitly.

-    std::atomic<std::chrono::seconds> lastCleanupTime{0s};
+    std::atomic<std::chrono::seconds> lastCleanupTime{std::chrono::seconds{0}};

⛔ Skipped due to learnings

Learnt from: kwvg
PR: dashpay/dash#6815
File: src/chainlock/chainlock.h:68-69
Timestamp: 2025-08-13T16:10:32.972Z
Learning: The Dash codebase extensively uses std::chrono_literals throughout, including in header files. Chrono literals like 0s, 1min, etc. are acceptable and preferred over explicit constructors like std::chrono::seconds::zero().

Learnt from: kwvg
PR: dashpay/dash#6815
File: src/chainlock/chainlock.h:68-69
Timestamp: 2025-08-13T16:10:32.972Z
Learning: The Dash codebase extensively uses std::chrono_literals throughout, including in header files. The pattern using namespace std::chrono_literals; is used globally in src/util/time.h, and chrono literals like 0s are commonly used for atomic member initialization in headers (e.g., src/net.h). Chrono literals like 0s, 1min, etc. are preferred over explicit constructors.

src/llmq/signing_shares.h (5)

407-413: Objective mismatch: CActiveMasternodeManager still a hard dependency.

Member m_mn_activeman and ctor parameter persist, contrary to “drop CActiveMasternodeManager from CSigSharesManager”.

• If the intent is to eliminate this dep, consider:
  • Injecting only required data (e.g., local ProTxHash) via an abstracted provider, or
  • Querying membership via qman and peerman (verified ProRegTx) without mn_activeman.
    Would you like a follow-up patch to remove the dependency fully?

Also applies to: 419-423

---

443-447: AsyncSignIfMember moved here: ACK.

Signature matches usage sites (sigman passed in). No issues.

---

448-449: NotifyRecoveredSig hook: ACK.

Provides relay via peerman outside CSigningManager.

---

1-496: Developer must manually run clang-format to fix reported formatting differences.

The file src/llmq/signing_shares.h exists (496 lines as shown), but clang-format tool is unavailable in this verification environment. Since CI is reporting formatting failures, run clang-format locally using either:

contrib/devtools/clang-format.py -p src/llmq/signing_shares.h
# or
clang-format -i src/llmq/signing_shares.h

Then commit the formatting changes to resolve the CI pipeline failure.

---

432-432: ProcessMessage signature update verified complete.

All call sites have been correctly updated. The single call at src/net_processing.cpp:5380 uses the new 3-parameter signature without the sporkman reference, matching both the header declaration and implementation in src/llmq/signing_shares.{h,cpp}. No legacy 4-parameter calls remain.

src/chainlock/signing.cpp (1)

12-12: AsyncSignIfMember call switched to shareman: ACK.

Include added and call matches new API.

Also applies to: 144-145

src/llmq/signing.cpp (1)

333-341: CSigningManager dep cleanup: ACK.

• Ctor no longer needs CActiveMasternodeManager.
• Worker thread renamed to “recsigs”.
• Relaying moved out; GetDb exposed as friend for shareman.

Also applies to: 714-715

src/instantsend/signing.cpp (1)

16-17: InstantSend signing paths use shareman.AsyncSignIfMember: ACK.

Matches refactor; no functional concerns spotted.

Also applies to: 334-335, 392-393

src/llmq/ehf_signals.cpp (1)

14-18: EHF signals: include updates and shareman.AsyncSignIfMember usage: ACK.

Consistent with new API.

Also applies to: 81-82

src/llmq/context.cpp (1)

33-37: I need to gather more information to fully verify the review comment. Let me search for call sites and related method changes:

I need to search the codebase directly to verify the lifecycle changes. Let me run more targeted queries:

Verify the Start() call sites in the codebase and check for Interrupt/Stop methods

Based on the script output provided, I can verify the key change mentioned in the review comment. The executed rg command confirmed that the Start method at line 51 in src/llmq/context.cpp now takes PeerManager& as its only parameter:

void LLMQContext::Start(PeerManager& peerman)

This matches the review comment's claim that "Start now takes PeerManager only."

However, I cannot fully verify the other claims in the review comment (shareman lifecycle moved to ActiveContext, sigman worker moved) without access to the full codebase context and previous versions of the code. The snippet provided shows the member initializations at lines 33-37 using std::make_unique, but without seeing the complete class definition, related files (ActiveContext, previous code state), and call sites, I cannot definitively confirm all the lifecycle changes mentioned.

src/masternode/active/context.cpp (2)

29-37: LGTM! Proper dependency injection and initialization order.

The shareman is correctly instantiated before being passed to dependent components (ehf_sighandler, cl_signer, is_signer), ensuring proper initialization order.

---

49-66: LGTM! Proper lifecycle management with LIFO ordering.

The Start/Stop/Interrupt methods follow correct LIFO ordering:

• Start: DKG threads → shareman registration → shareman worker
• Stop: shareman worker → shareman unregister → DKG threads

This ensures clean shutdown and matches the pattern used in LLMQContext.

Note: There's a clang-format issue on line 46 (empty line) flagged by CI that should be addressed.

src/rpc/quorums.cpp (2)

443-445: LGTM! Proper enforcement of masternode-mode requirement.

This check correctly enforces the documented breaking change that quorum sign RPC requires masternode-mode. The error message is clear and the check placement prevents execution of signing operations without the required context.

---

750-750: LGTM! Correct usage of static method.

The call correctly uses the static method CSigSharesManager::SelectMemberForRecovery, which is appropriate as this function doesn't require instance state.

src/llmq/signing.h (2)

23-25: LGTM! Necessary includes for standard library types.

The includes are justified:

• <memory> for std::unique_ptr<CDBWrapper> (line 119)
• <thread> for std::thread workThread (line 234)

---

183-183: LGTM! Constructor signature correctly removes active masternode dependency.

The removal of the CActiveMasternodeManager parameter aligns with the PR's objective to decouple CSigningManager from active masternode concerns. This responsibility is now handled by CSigSharesManager.

src/llmq/signing_shares.cpp (8)

183-197: LGTM! Clean dependency injection and RAII design.

The constructor properly injects all required dependencies as references, and initializes the worker interrupt. The default destructor is appropriate since cleanup is handled by explicit Stop() methods.

---

199-207: LGTM! Simplified thread start with member-based access.

The parameterless StartWorkerThread() correctly captures this to access member variables. Since all dependencies are stored as members initialized at construction, this is thread-safe.

---

236-313: LGTM! Consistent member-based access pattern.

The ProcessMessage method correctly uses direct member access (m_mn_activeman, m_sporkman) and consistently extracts node ID from the CNode reference. The early return for non-masternode mode (line 239) is appropriate.

---

871-949: LGTM! AsyncSignIfMember correctly relocated with proper dependencies.

The method has been successfully moved from CSigningManager to CSigSharesManager, now accepting CSigningManager& as a parameter. The implementation:

• Correctly uses member access for active masternode and chainstate
• Properly accesses the signing manager's database via friend access
• Maintains the original voting and conflict checking logic
• Ends with AsyncSign() to queue the signing operation

The method is thread-safe as it uses explicit locking (cs_pendingSigns via AsyncSign) and the database has its own internal locking.

---

951-954: LGTM! Clean delegation of recovery signature relay.

The NotifyRecoveredSig() method properly delegates to the peer manager for relaying. The Assert() ensures the signature pointer is valid before dereferencing, which is appropriate as this is called from internal code paths where the signature should always be valid.

---

775-854: LGTM! Proper signature recovery and processing flow.

The TryRecoverSig method correctly:

• Handles single-member quorums (lines 792-809) and multi-member quorums (lines 811-851)
• Validates recovered signatures periodically (line 842)
• Delegates to sigman.ProcessRecoveredSig() with the peer manager reference

The sporadic self-verification (line 842-850) is a good practice to catch bugs without impacting performance.

---

1632-1700: LGTM! Consistent signature creation with member-based access.

The CreateSigShare method correctly:

• Uses direct member access for active masternode (m_mn_activeman)
• Handles both single-member (operator key) and multi-member (skShare) quorums
• Maintains the existing TODO about single-member signing key (line 1651)

The conversion from pointer-based to member-based access is consistent and correct.

---

1148-1600: LGTM! Comprehensive and consistent refactor to member-based access.

The refactor systematically replaces parameter passing with member access throughout:

• m_connman for connection management and messaging
• m_peerman for peer management and banning
• m_mn_activeman for masternode identity
• m_sporkman for spork checks

All changes maintain thread safety as these members are initialized at construction and accessed appropriately. The messaging flow (PushMessage), banning logic (Misbehaving), and node iteration (ForEachNode) all work correctly with the member-based pattern.