Handle fatal errors in receiver state machine

[spacebear21]

This brings fatal error handling into the receiver state machine.

Supersedes #1045

TODOs:

• HasError::process_error_response should terminally close the session if the response is successfuly, or record a fatal error and move to terminal state if another error request should not be attempted (e.g. expired session or bad reply key).
• handle_fatal_reject shouldn't close sessions, instead it should only close after an error response has been processed.
• SessionEvent::TerminalFailure holds a JsonReply because they are serializable, but this results in a hacky workaroundfor recording Expired sessions since those shouldn't actually be replied to.
• Remove SessionHistory::extract_err_req
• Implement session.fail() and session.cancel() to allow receiver to explicitly close a session. Maybe fail() should take a Error parameter and transition to HasReplyableError state if appropriate? see discussion here Fix apply_fee_range error handling #1108 (review)

Pull Request Checklist

Please confirm the following before requesting review:

• I have disclosed my use of
  AI
  in the body of this PR.
• I have read CONTRIBUTING.md and rebased my branch to produce hygienic commits.

[arminsabouri]

Approach ACK.
Just had some high level questions. In general this is moving in the right direction

[arminsabouri]

Was this pub(crate)'d for tests?

[spacebear21]

Yeah, specifically to match on the rejection details

[arminsabouri]

Would pub(self) work?

[benalleng]

Any decision on whether pub(self) or pub(crate) is better here?

[arminsabouri]

FWIW this is a nit.

[DanGould]

Definitely easier to deal with if not mut. I believe the concern is &mut self.session_context.ohttp_keys is supposed to get mutated if it ohttp_encapsulate ratchets instead of using randomness so that the same OHTTP ephemeral key doesn't get used twice which would allow a relay to correlate requests since they'd be encrypted with the same key & nonce (base nonce + seq).

I'd like @nothingmuch to confirm.

[arminsabouri]

From our devcall:
SessionEvent::Close should take a Reason as an argument. Instead of the reason being derived from previous session event.

We should consider adding a pub abort and private close(). In general it should be a hard to be in limbo where we close but dont push an event or vice-versa

[coveralls]

Pull Request Test Coverage Report for Build 18170784561

Details

• 210 of 268 (78.36%) changed or added relevant lines in 4 files are covered.
• 8 unchanged lines in 3 files lost coverage.
• Overall coverage decreased (-0.2%) to 84.561%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
payjoin/src/core/persist.rs	44	51	86.27%
payjoin-cli/src/app/v2/mod.rs	1	14	7.14%
payjoin/src/core/receive/v2/mod.rs	101	139	72.66%

Files with Coverage Reduction	New Missed Lines	%
payjoin/src/core/receive/v2/mod.rs	2	90.43%
payjoin-cli/src/app/v2/mod.rs	3	60.57%
payjoin/src/core/persist.rs	3	94.94%

Totals
Change from base Build 18168561417:	-0.2%
Covered Lines:	8654
Relevant Lines:	10234

---

💛 - Coveralls

[spacebear21]

Re-requesting review because I believe all the main logic changes are in place and the overall design shouldn't change much unless something clearly wrong comes up in review. Leaving in draft status because some cleanup is needed (e.g. extract_err_req from SessionHistory and remove pub process_err_res pure function since it should only be called in HasReplyableError), and it will need additional testing.

[arminsabouri]

Partial ApporachACK.
I mostly had highlevel questions. Mainly around:

• The necessity for a session event trait
• How the typestate progresses to the reply error state

[arminsabouri]

Would pub(self) work?

[spacebear21]

The biggest change since the last round of review is ca5da9c which introduces a new state transition method for replyable errors resulting in the HasReplyableError typestate. This approach replaces the SessionEventTrait approach taken previously, so instead of introspecting on the SessionEvent the caller just calls the appropriate transition method. I used Claude Code opus+sonnet to plan and write the majority of the code in that commit.

[benalleng]

ack on ca5da9c, Just a few more general clarifying questions. As well the terminal_error TODO can be ignored as we are getting rid of that method entirely, but there still remains the added TODO in the test_err_response in the integrations tests, I'm assuming that can safely be handled after 1.0 in a followup

[spacebear21]

there still remains the added TODO in the test_err_response in the integrations tests, I'm assuming that can safely be handled after 1.0 in a followup

Yeah this should be getting addressed in #1114

[arminsabouri]

CodeACK dcfe2f4
Just had some questions and noted follow up items 🚀

Perhaps we first review and merge #1114, resolve the TODO in the integration test so we can get more e2e coverage on the changes in this PR.

[arminsabouri]

FWIW this is a nit.

[arminsabouri]

Note to follow up with some unit testing for this

[DanGould]

In general I think this works. Wild how few changes actually end up in payjoin-cli's implementation after all this internal jostling. Overall it seems like a much more realistic abstraction of reality. It does seem that tests could be a little tighter if InternalPersistedError could be matched on.

I'm also still a bit bugged out by that name since Transient InternalPersistedErrors are not Persisted. They're PersistErrors which arise from persistence attempts, not errors that are persisted by their nature.

[DanGould]

Other than an Err(anyhow::Error) being propagated if post_request or process_error_response fails, are there circumstances where we want to close the session in this function? for example, if process_error_response fails? Or if the post_request fails for one of a few enumerated reasons as a follow up with the session.fail() implementation?

[DanGould]

InternalPersistedError is pub(crate).

Would making the internal field in PersistedError pub(super) (to the core scope) address this concern?

#[derive(Debug)]
pub struct PersistedError<
    ApiError: std::error::Error,
    StorageError: std::error::Error,
    ErrorState: fmt::Debug = (),
>(pub(super) InternalPersistedError<ApiError, StorageError, ErrorState>);

[DanGould]

Why change the static vec! definition to mut & .push() instead? nit.

[spacebear21]

Hmm I don't think I changed that; this old test got deleted and the new test_session_transient_error is being displayed side by side but it's unrelated. I think I just copied to mut events approach from a different test, we seem to mix and match already.

[spacebear21]

Latest push is a simple rebase on the latest master. There is an outstanding task in the PR description for the fail()/cancel() methods that I will address in a follow-up.

[arminsabouri]

Re-Ack 9cdb1eb