[#2193] Add Android voting JNI round lifecycle

[greg0x]

Part of zodl-inc/zodl-android#2193.
Slice of #1924 (umbrella draft PR being split into reviewable pieces).
Depends on #1934 (first slice — zcash_voting dependency foundation).
Resolves MOB-1109

Why

Second slice of the Android shielded-voting integration. #1934 wires the zcash_voting crate into backend-lib; this PR adds the voting DB handle and round lifecycle so the round-keyed surface (init / state / list / get-votes / clear / delete-skipped) compiles end-to-end from Rust through JNI to Kotlin.

Foundation for the Coinholder Polling flow tracked in zodl-inc/zodl-android#2193 — no user-visible behavior on its own.

What's in

Rust / JNI (backend-lib/src/main/rust/voting/):

• db.rs — open/close native handle, setWalletId
• rounds.rs — initRound, getRoundState, listRoundsJson, getVotesJson, clearRound, deleteSkippedBundles
• share_tracking.rs — existing computeShareNullifier, lifted out of the monolithic module
• helpers.rs — shared JNI helpers: fixed-width byte validation (PROTOCOL_FIELD_BYTES = 32), jint/jlong widening, RoundState → FfiRoundState construction
• json.rs — round summary / vote record serialization, RoundPhase ↔ u32 mapping
• voting.rs — reduced to module roots + shared imports

Kotlin (sdk-lib/.../internal/):

• jni/VotingRustBackend.kt — external declarations for the new surface
• TypesafeVotingBackend.kt + impl — suspend wrappers, IO dispatcher, error checks, JSON → VoteRecord parsing
• model/voting/FfiVotingModels.kt — FfiRoundState, FfiRoundPhase

Not included

• hotkey generation
• bundle setup/count
• proving cache warmup
• delegation proving/submission
• vote commitment or share payloads
• recovery/share tracking
• public Synchronizer voting API

Review focus

Primary review track: core-dev. Please look at:

• native handle lifecycle (Box::into_raw / Box::from_raw across openVotingDb/closeVotingDb, Arc<VotingDb> usage)
• JNI boundary error semantics (panic-safe via catch_unwind, exception conversion)
• byte-array validation (java_bytes_exact on 32-byte protocol fields)
• RoundState / RoundSummary JSON and FFI mapping
• Kotlin surface is intentionally internal and minimal — just enough to compile and exercise the JNI

Swift counterparts:

• [#1661] Add voting FFI foundation helpers zcash-swift-wallet-sdk#1716
• [#1661] Add voting round recovery FFI zcash-swift-wallet-sdk#1722
• [#1661] Voting FFI in VotingRustBackend.swift (database, PR, VAN witness gen) zcash-swift-wallet-sdk#1719

Validation

• cargo check --manifest-path backend-lib/Cargo.toml --locked
• cargo fmt --manifest-path backend-lib/Cargo.toml --check
• ./gradlew :backend-lib:compileReleaseKotlin :sdk-lib:compileReleaseKotlin
• ./gradlew ktlint detektAll
• ./gradlew checkProperties
• git diff --check

Author

• Self-review your own code in GitHub web interface
• Add automated tests as appropriate
• Update the manual tests as appropriate
• Check the code coverage report for the automated tests
• Update documentation as appropriate
• Run the demo app and try the changes
• Pull in the latest changes from the main branch and squash your commits before assigning a reviewer

Reviewer

• Check the code with the Code Review Guidelines checklist
• Perform an ad hoc review
• Review the automated tests
• Review the manual tests
• Review the documentation as appropriate
• Run the demo app and try the changes

[noop-sk]

PR added into code

The base branch was changed.

[noop-sk]

Forward compatibility risk

This throws if Rust adds a new RoundPhase variant before Kotlin is updated — a library update alone can crash the app. For an internal sdk-lib boundary it is defensible, but consider an UNKNOWN(-1) fallback or returning null until the phase set is stable.

[greg0x]

This is an internal api contract between rust and kotlin. For this it's better to fail as soon as possible so the issue comes out during dev, failing silently.

The phase set can also be considered stable.

p.s.: I wish we could enjoy the comfort of UniFFI which solves this problem at generation time.

[nullcopy]

p.s.: I wish we could enjoy the comfort of UniFFI which solves this problem at generation time.

@noop-sk Is this something we should track as a future improvement?

[noop-sk]

agree

[noop-sk]

@nuttycom — Ordering::Relaxed on both the success and failure orderings of fetch_update is correct for a monotone uniqueness counter on its own, since the registry Mutex provides the necessary acquire/release barriers around the actual map insert. Just flagging for a second pair of eyes given the subtle interaction between the two synchronization primitives.

[greg0x]

Confirm, that the above is correct.

[nullcopy]

Reviewed 3c8bd28

[nullcopy]

p.s.: I wish we could enjoy the comfort of UniFFI which solves this problem at generation time.

@noop-sk Is this something we should track as a future improvement?

[nullcopy]

utACK 450fe29

[linear]

MOB-1109