feat: handle reorgs in get_filter_changes with reorg watermark

[prestwich]

Summary

• Replaces per-filter reorg storage with a global ring buffer on FilterManagerInner that retains recent ReorgNotifications
• Spawns a FilterReorgTask that subscribes to ChainEvent::Reorg broadcasts and eagerly populates the ring buffer
• On poll, get_filter_changes scans the ring buffer for notifications received since the filter's last poll, lazily computes removed logs, and rewinds next_start_block for the subsequent forward scan
• Adds an implicit reorg detection fallback (latest + 1 < start) for cases where the broadcast was missed
• Restructures RemovedBlock to flat number/hash/timestamp fields (replaces full Header)
• Preserves block_timestamp on removed logs for Ethereum JSON-RPC spec compliance

Closes ENG-1971

Stack

This PR includes commits from #96 and #97. Review only the top commits.

1. feat: update BlockTags during reorgs to prevent stale tag window #96 — BlockTags::rewind_to for reorg tag updates
2. feat: handle ChainEvent::Reorg in SubscriptionTask #97 — SubscriptionTask reorg handling
3. feat: handle reorgs in get_filter_changes with reorg watermark #98 ← this PR — get_filter_changes reorg handling with global ring buffer
4. test: integration tests for reorg tracking in RPC subscriptions and filters #99 — Integration tests (includes feat: update BlockTags during reorgs to prevent stale tag window #96, feat: handle ChainEvent::Reorg in SubscriptionTask #97, feat: handle reorgs in get_filter_changes with reorg watermark #98)

Test plan

• cargo clippy -p signet-rpc --all-features --all-targets — clean
• cargo clippy -p signet-rpc --no-default-features --all-targets — clean
• cargo +nightly fmt — clean
• cargo t -p signet-rpc — 35 tests + 4 doc-tests pass
• Review that FilterReorgTask self-terminates when FilterManager is dropped (uses Weak)
• Review implicit reorg detection edge cases

🤖 Generated with Claude Code

[Evalir]

I think this is fine. It requires thinking quite a bit through the possible reorg cases but the flow is clear to me. I'm good with filter changes returning the empty output instead of querying an impossible range

[prestwich]

@Evalir we have redesigned the watermarking to store pending notification in each filter

[prestwich]

[Claude Code]

Code review

Found 2 issues:

1. Removed logs silently discarded on early-return paths in get_filter_changes.
   drain_reorgs() is called unconditionally at the top and populates removed, but two early-return paths discard those logs without sending them to the client:

   • The implicit reorg guard (if latest + 1 < start) returns entry.empty_output(). The comment says "Removed logs are unavailable in this degraded path," but they are available in removed when the explicit broadcast was received before the implicit check fires.
   • The existing if start > latest guard also returns entry.empty_output(). After a reorg rewinds next_start_block to common_ancestor + 1, if latest == common_ancestor this path fires and the drained removed logs are dropped.

   In both cases the client never receives the removed: true logs it needs to invalidate stale state.

   node-components/crates/rpc/src/eth/endpoints.rs

   Lines 1089 to 1108 in cfa280c

   	let latest = ctx.tags().latest();
   	let start = entry.next_start_block();
   	// Implicit reorg detection: if latest has moved backward past our
   	// window, a reorg occurred that we missed (e.g. broadcast lagged).
   	// Reset to avoid skipping. Removed logs are unavailable in this
   	// degraded path.
   	if latest + 1 < start {
   	trace!(latest, start, "implicit reorg detected, resetting filter");
   	entry.mark_polled(latest);
   	return Ok(entry.empty_output());
   	}
   	if start > latest {
   	entry.mark_polled(latest);
   	return Ok(entry.empty_output());
   	}
   	let cold = ctx.cold();

2. block_timestamp regression from PR feat: handle ChainEvent::Reorg in SubscriptionTask #97 review feedback.
   PR feat: handle ChainEvent::Reorg in SubscriptionTask #97 added full headers to RemovedBlock specifically to populate block_timestamp on removed logs, per Fraser999's review comment requesting Ethereum JSON-RPC spec compliance. This PR replaces header: Header with flat number/hash fields, dropping timestamp entirely. Both drain_reorgs and filter_reorg_for_sub now set block_timestamp: None. The test that previously asserted block_timestamp.unwrap() was also removed. Consider adding a timestamp: u64 field to RemovedBlock to preserve spec compliance.

   node-components/crates/rpc/src/interest/mod.rs

   Lines 72 to 80 in cfa280c

   	/// A block that was removed during a chain reorganization.
   	#[derive(Debug, Clone)]
   	pub struct RemovedBlock {
   	/// The block number.
   	pub number: u64,
   	/// The block hash.
   	pub hash: alloy::primitives::B256,
   	/// Logs emitted in the removed block.
   	pub logs: Vec<alloy::primitives::Log>,

🤖 Generated with Claude Code

_{- If this code review was useful, please react with 👍. Otherwise, react with 👎.}

[prestwich]

block timestamp regression addressed in 74cad40

[prestwich]

4c9f2f1 includes a further refactor that addresses the dropped logs

[prestwich]

[Claude Code]

Code review

Found 2 issues:

1. mark_polled(latest) overwrites the reorg rewind on the implicit-reorg path. compute_removed_logs rewinds next_start_block to common_ancestor + 1, then mark_polled(latest) unconditionally sets it to latest + 1. Since latest < common_ancestor on this branch, the rewind is lost and the next poll skips blocks between latest + 1 and common_ancestor.

node-components/crates/rpc/src/eth/endpoints.rs

Lines 1095 to 1103 in 4c9f2f1

	// Return any removed logs we do have, then reset.
	if latest + 1 < start {
	trace!(latest, start, "implicit reorg detected, resetting filter");
	entry.mark_polled(latest);
	return Ok(if removed.is_empty() {
	entry.empty_output()
	} else {
	FilterOutput::from(removed)
	});

2. block_timestamp regression guard removed from filter_reorg_for_sub_matches_logs. PR feat: handle ChainEvent::Reorg in SubscriptionTask #97 added this assertion per Fraser999's review for spec compliance. Commit 74cad40 on this branch fixed the production code, but the test assertion was dropped in 4c9f2f1 — leaving the fix untested.

node-components/crates/rpc/src/interest/kind.rs

Lines 175 to 181 in 4c9f2f1

	assert_eq!(logs.len(), 1);
	assert!(logs[0].removed);
	assert_eq!(logs[0].inner.address, addr);
	assert_eq!(logs[0].block_hash, Some(block_hash));
	assert_eq!(logs[0].block_number, Some(11));
	}

🤖 Generated with Claude Code

_{- If this code review was useful, please react with 👍. Otherwise, react with 👎.}

[prestwich]

[Claude Code]

Ring buffer enthusiasm score for this PR: 11/10. We have graduated from "store everything per-filter" to "one ring buffer to rule them all." Next PR will presumably replace the database with a very large ring buffer.

[Fraser999]

If we put the ring buffer in the ChainNotifier rather than here, we'd eliminate a class of errors by avoiding the need for a broadcast receiver in the FilterReorgTask (i.e. no possibility of the receiver lagging).

The ChainNotifier would write to the ring buffer before broadcasting, and the broadcasts would only be consumed by push-based subscriptions. Polling filters would directly hit the ring buffer, which would be guaranteed complete (assuming the size of the ring buffer is suitable).

[prestwich]

[Claude Code]

Done. Moved the ring buffer from FilterManagerInner into ChainNotifier. send_reorg now writes to the buffer before broadcasting, and FilterManager reads it directly via ChainNotifier::reorgs_since(). FilterReorgTask and the broadcast receiver are deleted entirely — no more lag risk.

[Fraser999]

I see this wasn't changed in this PR, but claude has picked up that this should be alloy::rpc::types::Log so that we retain the tx hash and log index, which are supposed to be returned to clients for removed logs according to the Ethereum spec.

[prestwich]

[Claude Code]

Done. RemovedBlock.logs is now Vec<alloy::rpc::types::Log>. The producer in notify_reorg no longer strips .inner, so transaction_hash and log_index from ColdReceipt flow through to consumers. Both compute_removed_logs and filter_reorg_for_sub clone the log and set removed: true instead of reconstructing with None fields.

[prestwich]

[Claude Code]

Pushed 3 new commits addressing both review comments:

1. fix: preserve tx_hash and log_index on removed logs — RemovedBlock.logs is now Vec<alloy::rpc::types::Log>. The producer stops stripping .inner, so transaction_hash and log_index from ColdReceipt flow through. Both consumers clone and set removed: true instead of reconstructing with None fields.

2. refactor: move reorg ring buffer from FilterManager to ChainNotifier — ChainNotifier::send_reorg writes to an authoritative ring buffer before broadcasting. Polling filters read it directly via reorgs_since(). FilterReorgTask and the broadcast receiver are deleted entirely — no more lag/correctness risk.

3. chore: remove plan/spec files — Accidentally committed some design docs from a new Claude skill we're trying out. Blame Swanny for that one.