fix(swift-sdk): tie shielded completion suppression to a sync generation

[QuantumExplorer]

Issue being fixed or feature implemented

Follow-up to #3603 (shielded send end-to-end), which merged with a
boolean suppressShieldedCompletionEvents gate guarding the shielded
sync completion event after stop/clear.

A reviewer flagged that the boolean is bypassable: the FFI completion
callback re-dispatches onto the @MainActor, so a final, already-enqueued
event can land just after stop/clear returns. Because start cleared
the flag, a caller that stops (or clears) and restarts shielded sync in
the same actor turn re-opens the gate before the stale, queued
completion task runs — so the previous run's completion leaks into the
new run and is published as if it belonged to it.

What was done?

Replaced the boolean with a lock-guarded monotonic generation counter
(ShieldedSyncGenerationCounter):

• The FFI completion callback snapshots the generation on the callback
  thread, before enqueueing the event onto the main actor.
• stopShieldedSync / clearShielded bump the generation after the Rust
  drain returns.
• handleShieldedSyncCompleted(_:generation:) drops any event whose
  snapshot no longer matches the current generation.
• startShieldedSync / syncShieldedNow no longer reset anything — a new
  run's events carry the current generation and pass the guard, while a
  trailing event from a prior, stopped run still carries the older
  generation and is dropped, even on a same-turn restart.

This is a pure SDK-layer change (no FFI/Rust signature changes); the
example app's guard isBound remains as harmless defense-in-depth.

How Has This Been Tested?

Built the unified iOS framework + SwiftExampleApp for the simulator
(./build_ios.sh --target sim) — build succeeded. The change is
behaviorally identical for the common case (events from the live run
publish normally); the generation guard only differs from the old boolean
on the same-actor-turn stop→restart race, which is the bug being fixed.

Breaking Changes

None. handleShieldedSyncCompleted is an internal method; its new
generation: parameter is not part of the public API.

Checklist:

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have added or updated relevant unit/integration/functional/e2e tests
• I have added "!" to the title and described breaking changes in the corresponding section if my code contains any
• I have made corresponding changes to the documentation if needed

For repository code-owners and collaborators only

• I have assigned this pull request to a milestone

Summary by CodeRabbit

• Bug Fixes
  • Improved reliability of platform wallet shielded sync by preventing stale completion events from being processed after sync is stopped, cleared, or restarted, closing a race that could surface incorrect/old statuses.
• Tests
  • Added regression tests validating correct handling of sync completion, restart, and stale-event drop scenarios.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dbb2406a-6bab-4a3a-8fb5-6917649b2cdc

📥 Commits

Reviewing files that changed from the base of the PR and between 07421ab and a70eb9d.

📒 Files selected for processing (1)

• packages/swift-sdk/SwiftExampleApp/SwiftExampleAppTests/ShieldedSyncGenerationTests.swift

---

📝 Walkthrough

Walkthrough

Replaces a boolean suppression flag with a lock-guarded, nonisolated generation counter; FFI callback threads snapshot the generation and pass it into the main-actor handler, which discards completion events whose snapshot doesn't match the manager's current generation.

Changes

Shielded Sync Generation Counter

Layer / File(s)	Summary
ShieldedSyncGenerationCounter data structure packages/swift-sdk/Sources/SwiftDashSDK/PlatformWallet/PlatformWalletManager.swift	Introduces a lock-guarded monotonic UInt64 counter with thread-safe current() and bump() methods for snapshotting and incrementing generation across FFI and main-actor boundaries.
Generation counter property in PlatformWalletManager packages/swift-sdk/Sources/SwiftDashSDK/PlatformWallet/PlatformWalletManager.swift	Adds nonisolated let shieldedSyncGeneration property, replacing the prior suppressShieldedCompletionEvents boolean gate with generation-based suppression documented inline.
FFI callback thread-safe generation snapshot packages/swift-sdk/Sources/SwiftDashSDK/PlatformWallet/PlatformWalletManagerShieldedSync.swift	shieldedSyncCompletedCallback captures the current generation on the FFI callback thread before scheduling main-actor work, ensuring the snapshot is immutable against concurrent bumps.
Event filtering by generation in handler packages/swift-sdk/Sources/SwiftDashSDK/PlatformWallet/PlatformWalletManagerShieldedSync.swift	handleShieldedSyncCompleted accepts and validates a generation parameter, discarding events whose generation does not match the manager's current counter value.
Lifecycle methods generation bumping packages/swift-sdk/Sources/SwiftDashSDK/PlatformWallet/PlatformWalletManagerShieldedSync.swift	stopShieldedSync and clearShielded call bump() to invalidate trailing events; startShieldedSync and syncShieldedNow document that generation snapshots enable filtering of stale completions from prior stops.
Regression tests for generation behavior packages/swift-sdk/SwiftExampleApp/SwiftExampleAppTests/ShieldedSyncGenerationTests.swift	Adds main-actor XCTest cases that validate generation semantics: stale completions are dropped after bump(), current-generation completions publish, same-turn restart flows behave correctly, and stale stragglers do not overwrite published events.

Sequence Diagram

sequenceDiagram
  participant FFIThread as FFI Callback Thread
  participant Manager as PlatformWalletManager
  participant MainActor as Main Actor
  participant Handler as handleShieldedSyncCompleted

  FFIThread->>FFIThread: shieldedSyncCompletedCallback()\nsnapshot shieldedSyncGeneration
  FFIThread->>Manager: read nonisolated generation
  FFIThread->>MainActor: enqueue handleShieldedSyncCompleted(event, generation)
  MainActor->>Handler: handleShieldedSyncCompleted(event, generation)
  Handler->>Manager: compare generation vs shieldedSyncGeneration.current()
  alt generations match
    Handler->>Handler: publish event (set lastShieldedSyncEvent)
  else generations mismatch
    Handler->>Handler: drop stale event
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇 A counter so fine, monotonic and true,
Snapshots on threads where the callbacks pass through,
Stale events begone — bump and they're swept,
Main actor keeps only the freshest kept,
Hooray for safe syncs and quiet code stew! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 57.14% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely summarizes the main change: replacing a boolean gate with a generation counter to fix shielded completion suppression.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch platform-wallet/shielded-completion-generation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

✅ DashSDKFFI.xcframework built for this PR.

• Workflow run: https://github.com/dashpay/platform/actions/runs/26388387423
• Artifacts: DashSDKFFI.xcframework (folder), DashSDKFFI.xcframework.zip, xc_checksum.txt

SwiftPM (host the zip at a stable URL, then use):

.binaryTarget(
  name: "DashSDKFFI",
  url: "https://your.cdn.example/DashSDKFFI.xcframework.zip",
  checksum: "ecc49a140c4da3a71d40898f79b5e0c8c94c7a37aa77f748b15484fc4d2505f1"
)

Xcode manual integration:

• Download 'DashSDKFFI.xcframework' artifact from the run link above.
• Drag it into your app target (Frameworks, Libraries & Embedded Content) and set Embed & Sign.
• If using the Swift wrapper package, point its binaryTarget to the xcframework location or add the package and place the xcframework at the expected path.

[thepastaclaw]

Code Review

The generation-counter approach fixes the stale shielded-sync completion race at the Swift/Rust callback boundary without changing the FFI ownership contract. I did not find a functional or security regression in the implementation, but the PR still needs focused regression coverage for the exact stop/clear versus queued-completion ordering this fix relies on.

🟡 1 suggestion(s)

Suggestion: Add regression coverage for stale queued shielded completion events

packages/swift-sdk/Sources/SwiftDashSDK/PlatformWallet/PlatformWalletManagerShieldedSync.swift:68

This fix depends on a precise ordering guarantee: the FFI callback snapshots shieldedSyncGeneration before enqueueing onto @MainActor, then stopShieldedSync or clearShielded bumps the generation before that queued completion is delivered. I verified the implementation follows that pattern, but there is still no Swift test coverage exercising shielded-sync completion delivery or the stop/clear race. A later refactor could reintroduce the original boolean-gate problem while still compiling cleanly. Please add a focused regression test that enqueues a completion under generation N, bumps to N+1 before delivery and asserts the stale event is dropped, then verifies a completion captured under the current generation is published.

Inline posting hit GitHub HTTP 422, so this verified finding is posted as a top-level review body.

[thepastaclaw]

Code Review

I verified the worktree at a70eb9d2edb4f1e18610368235c4463343d802e6 and confirmed the only delta since 07421abc64ef74739de6d12347371e62234987f9 is the new ShieldedSyncGenerationTests.swift regression suite. The underlying generation-based stale-event guard remains correctly implemented in the production shielded-sync path, and the new tests exercise the same-turn restart and late-straggler cases that previously needed coverage. I did not find any remaining correctness issues or false-positive review findings to carry forward.