Batch MPP claims into single ChannelMonitorUpdate

[Abeeujah]

Claiming multiple MPP parts on the same channel was partially sequential, requiring claimee to claim the first part and wait for the peer to respond again before other parts can be claimed. This UX results in claim latency, time spent waiting on channel monitor updates, requiring a full round-trip (RAA/CS) for HTLC fulfillment.

This change optimizes the process by batching these claims into a single update and a single commitment_signed message.

• Introduce UpdateFulfillsCommitFetch enum and the get_update_fulfill_htlcs_and_commit method to Channel.
• Update ChannelManager to group claimable HTLCs by counterparty and channel ID before delegation.
• Refactor chanmon_update_fail_tests.rs and payment_tests.rs to align with the new atomic batching semantics.

Tests has been updated to reflect this new batching of MPP claims

• test_single_channel_multiple_mpp
• auto_retry_partial_failure
• test_keysend_dup_hash_partial_mpp

closes #3986

[ldk-reviews-bot]

👋 I see @jkczyz was un-assigned.
If you'd like another reviewer assignment, please click here.

[ldk-claude-review-bot]

Bug: This loop registers one PaymentClaimed completion action and one ClaimedMPPPayment RAA blocker per non-duplicate HTLC, but they all map to a single combined ChannelMonitorUpdate. When that monitor update completes, handle_monitor_update_completion_actions processes all N actions simultaneously:

1. The first PaymentClaimed action's retain loop finds all N RAA blockers (they share the same PendingMPPClaimPointer via Arc::ptr_eq). Each blocker is processed in sequence—after the first one transitions the channel in channels_without_preimage → channels_with_preimage, the remaining N-1 blockers each re-check channels_without_preimage.is_empty() and push duplicates into freed_channels.

2. Result: N entries in freed_channels, causing handle_monitor_update_release to be called N times for the same channel. This is redundant in the happy path but could prematurely unblock other channels' blocked monitor updates in edge cases (multi-channel MPP where only this channel has batched parts).

3. The remaining N-1 PaymentClaimed actions find no blockers (already drained by the first action) and no pending_claiming_payments entry (already removed by the first action), so they're no-ops—but they still churn through the completion handler.

Fix: Register exactly ONE PaymentClaimed action and ONE RAA blocker for the entire batch, matching the single ChannelMonitorUpdate. Something like:

// One action + one blocker for the entire batch
let this_mpp_claim = pending_mpp_claim_ptr_opt.as_ref().map(|pending_mpp_claim| {
    (counterparty_node_id, chan_id, PendingMPPClaimPointer(Arc::clone(pending_mpp_claim)))
});
let raa_blocker = pending_mpp_claim_ptr_opt.as_ref().map(|pending_claim| {
    RAAMonitorUpdateBlockingAction::ClaimedMPPPayment {
        pending_claim: PendingMPPClaimPointer(Arc::clone(pending_claim)),
    }
});
let action = MonitorUpdateCompletionAction::PaymentClaimed {
    payment_hash,
    pending_mpp_claim: this_mpp_claim,
};
peer_state.monitor_update_blocked_actions.entry(chan_id).or_insert(Vec::new()).push(action);
if let Some(raa_blocker) = raa_blocker {
    peer_state.actions_blocking_raa_monitor_updates.entry(chan_id).or_insert_with(Vec::new).push(raa_blocker);
}

[ldk-claude-review-bot]

Bug: The AllDuplicateClaims case only fires a debug_assert but doesn't handle startup replay. Compare with the single-HTLC path in claim_mpp_part (the UpdateFulfillCommitFetch::DuplicateClaim branch, ~lines 9768-9860), which does significant work during startup:

1. Re-registers RAA blockers that may not yet be present if the monitor update hadn't completed before shutdown (lines 9784-9789).
2. Queues or immediately processes the PaymentClaimed completion action so the PaymentClaimed event can be generated during replay (lines 9791-9855).

During startup replay, all claims in a batch can be duplicates if the ChannelMonitorUpdate with the preimages had already been applied before shutdown but the PaymentClaimed event wasn't generated yet. In that scenario, this code path silently drops the completion action, potentially causing:

• The PaymentClaimed event to never be emitted.
• RAA blockers to not be re-registered, allowing premature RAA processing.

[ldk-claude-review-bot]

Nit: Using update_id == 0 as a sentinel to detect the first NewClaim works because valid monitor update IDs start at 1, but this is an implicit invariant. Consider using an Option<u64> or a dedicated first_update_id variable to make this more robust and self-documenting.

[ldk-claude-review-bot]

The grouping logic uses group.len() == 1 to decide between the single-HTLC path and the batch path. For a single-source payment (sources.len() == 1), pending_mpp_claim_ptr_opt is None (set at line 9407). In that case the single HTLC takes the group.len() == 1 branch, which is correct.

However, for a multi-source MPP where each source happens to be on a different channel (no channel has >1 HTLC), every group has len==1, so ALL HTLCs go through the single-HTLC path. This means the batch path is only exercised when ≥2 parts of the same MPP arrive on the same channel—which is likely the intent, but worth documenting explicitly in a comment for future readers, since the grouping loop above suggests it handles all sources.

[ldk-claude-review-bot]

The else branch handles two distinct cases conflated together:

1. !release_cs_monitor (blocked monitor updates exist) — needs to shift IDs
2. release_cs_monitor && !any_not_blocked (no blocked updates, but all claims were put in holding cell) — no shifts needed

For case 2, blocked_monitor_updates is empty, so the for-loop and the last() call are no-ops, and latest_monitor_update_id is set to combined_monitor_update.update_id. This works correctly but is non-obvious. A comment or separate handling would make the two cases clearer.

Also: self.context.blocked_monitor_updates.get(0) should use .first() per idiomatic Rust.

[ldk-claude-review-bot]

After delivering all 6 update_fulfill_htlc messages, the test asserts 6 PaymentForwarded events but doesn't validate their contents (e.g. which upstream channel each forward corresponds to, or fee amounts). The old test checked expect_payment_forwarded! with specific source nodes and fee values (Some(1000)). Consider adding at least a fee check to ensure the batch claim correctly reports forwarding fees.

[ldk-claude-review-bot]

Review Summary

Prior Critical Issue: RESOLVED

The build_preimage_only_monitor_update missing monitor_updating_paused call (which would cause a hard assert! panic in production) has been fixed. The method now correctly calls monitor_updating_paused at channel.rs:7853-7861.

Prior Issues Status

• channelmanager.rs:10276 (missing monitor_updating_paused panic) — Fixed
• channelmanager.rs:10049 (multiple actions/blockers per batch) — Fixed (now one per batch)
• channelmanager.rs:10067 (all-duplicates startup replay) — Fixed (proper handling added)
• chanmon_update_fail_tests.rs:4729 (test missing validation) — Fixed (PaymentForwarded events now validated)
• Several prior nits about code structure — No longer applicable (code restructured)

Inline Comments Posted (this review)

• channelmanager.rs:9621 — Redundant counterparty_node_id unwrap (already validated during grouping)
• channelmanager.rs:10357-10358 — Closed-channel .take() pattern should document intent
• channelmanager.rs:10246-10249 — payment_info injection comment should explain why only first step needs it
• channel.rs:7792-7798 — Redundant HTLC lookup in log statement

No new bugs or security issues found.

The implementation correctly handles the main code paths: immediate flush, deferred flush (can't generate commitment), all-duplicates (startup replay), and closed-channel fallback. The ChannelMonitor preimage idempotency guarantees make the approach safe across all paths.

[ldk-claude-review-bot]

Nit: This comment says "for each successfully claimed (non-duplicate) HTLC" but the code registers exactly one completion action and one RAA blocker for the entire batch (i.e., per combined ChannelMonitorUpdate). This is actually the correct behavior — one action per monitor update — but the comment is misleading and could confuse future readers.

Suggested change

	// Register a completion action and RAA blocker for each
	// successfully claimed (non-duplicate) HTLC.
	// Register a single completion action and RAA blocker for the
	// combined ChannelMonitorUpdate covering all claims in this batch.

[ldk-claude-review-bot]

Nit: This comment was copied from the single-HTLC version and only mentions build_commitment_no_status_check, but in the batch case the N individual get_update_fulfill_htlc calls also bumped latest_monitor_update_id. The reset here discards N+1 ID increments (N preimage bumps + 1 commitment bump), not just the commitment bump. Consider updating the comment for accuracy:

Suggested change

	let mut additional_update = self.build_commitment_no_status_check(logger);
	// build_commitment_no_status_check may bump latest_monitor_id but we want them
	// to be strictly increasing by one, so reset it here.
	self.context.latest_monitor_update_id = combined_monitor_update.update_id;
	// The N calls to get_update_fulfill_htlc and build_commitment_no_status_check
	// each bumped latest_monitor_update_id, but we merged everything into a single
	// ChannelMonitorUpdate with the first ID, so reset to that ID.
	self.context.latest_monitor_update_id = combined_monitor_update.update_id;

[ldk-claude-review-bot]

This closed-channel fallback calls claim_funds_from_hop per HTLC, which registers a separate PaymentClaimed action + ClaimedMPPPayment RAA blocker for each HTLC. Since all N HTLCs are on the same channel, PendingMPPClaim.channels_without_preimage has only ONE entry for this channel. When the first monitor update completes, its PaymentClaimed action's retain loop in handle_monitor_update_completion_actions processes ALL N blockers (they share the same PendingMPPClaimPointer via Arc::ptr_eq). The first blocker empties channels_without_preimage, then all N blockers push duplicate entries to freed_channels (since is_empty() is true for each).

This causes handle_monitor_update_release to be called N times redundantly for the same channel. This is a pre-existing behavior (the original per-HTLC path had the same issue), but since you're explicitly handling the batch case for open channels, you could apply the same "single action + single blocker" pattern here for consistency and correctness:

// Channel is closed. Register one combined action + blocker, then claim each HTLC individually.
let this_mpp_claim = pending_mpp_claim_ptr_opt.as_ref().map(|pending_mpp_claim| {
    (counterparty_node_id, chan_id, PendingMPPClaimPointer(Arc::clone(pending_mpp_claim)))
});
let raa_blocker = pending_mpp_claim_ptr_opt.as_ref().map(|pending_claim| {
    RAAMonitorUpdateBlockingAction::ClaimedMPPPayment {
        pending_claim: PendingMPPClaimPointer(Arc::clone(pending_claim)),
    }
});
// claim_funds_from_hop for each, but only the first carries the action/blocker

Not blocking, but worth considering for a follow-up.

[Alkamal01]

let _ = htlc_value_msat in the NewClaims branch of claim_batch_funds_from_channel — that value is being silently dropped. If it's needed downstream for fee accounting or event data, this is a bug. If it's not needed, it probably shouldn't be in UpdateFulfillsCommitFetch::NewClaims at all.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[Abeeujah]

let _ = htlc_value_msat

It's intentionally left unused right now, pending any design decision that would be made for the msat values that field holds, in the case of a single claim, there's a completion_action function computing with the value, In this case, it is a batch claim, so it's open ended to how batch claims should work

• Do we sum all since they were claimed at a single swoop and pass to completion_action
• Should a Batch Claim Event be implemented as there is for a single claim

This is why that field exist, the absense of the direction it should take is the reason it is intentionally currently left unused.

[codecov]

Codecov Report

❌ Patch coverage is 61.97605% with 127 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.02%. Comparing base (23b620a) to head (f466457).

Files with missing lines	Patch %	Lines
lightning/src/ln/channelmanager.rs	63.78%	85 Missing and 3 partials ⚠️
lightning/src/ln/channel.rs	57.14%	37 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4552      +/-   ##
==========================================
- Coverage   87.11%   87.02%   -0.10%     
==========================================
  Files         161      161              
  Lines      109246   109527     +281     
  Branches   109246   109527     +281     
==========================================
+ Hits        95173    95316     +143     
- Misses      11592    11723     +131     
- Partials     2481     2488       +7     

Flag	Coverage Δ
fuzzing-fake-hashes	30.99% <0.00%> (-0.14%)	⬇️
fuzzing-real-hashes	22.83% <60.37%> (+0.23%)	⬆️
tests	86.06% <53.89%> (-0.12%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Alkamal01]

let _ = htlc_value_msat

It's intentionally left unused right now, pending any design decision that would be made for the msat values that field holds, in the case of a single claim, there's a completion_action function computing with the value, In this case, it is a batch claim, so it's open ended to how batch claims should work

* Do we sum all since they were claimed at a single swoop and pass to `completion_action`

* Should a Batch Claim Event be implemented as there is for a single claim

This is why that field exist, the absense of the direction it should take is the reason it is intentionally currently left unused.

let _ = htlc_value_msat

It's intentionally left unused right now, pending any design decision that would be made for the msat values that field holds, in the case of a single claim, there's a completion_action function computing with the value, In this case, it is a batch claim, so it's open ended to how batch claims should work

* Do we sum all since they were claimed at a single swoop and pass to `completion_action`

* Should a Batch Claim Event be implemented as there is for a single claim

This is why that field exist, the absense of the direction it should take is the reason it is intentionally currently left unused.

Makes sense, but could you drop a quick comment in the code explaining this? Anyone reading it later will just see let _ = htlc_value_msat and have no idea why. Also maybe open a follow-up issue so the decision doesn't get lost after merge.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @TheBlueMatt! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @TheBlueMatt! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 3rd Reminder

Hey @TheBlueMatt! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[TheBlueMatt]

Hmm, would this not be simpler by using the holding cell instead? When we're failing, we call queue_fail_htlc which just shoves the failure into the holding cell then call check_free_peer_holding_cells to release them all at once. Rather than rebuilding that logic for claims, we should be able to do something similar. We'd have to handle the monitor updates with the preimages a bit differently, but not drastically so.

[ldk-claude-review-bot]

Bug: Panic in production — missing monitor_updating_paused call in the deferred-flush path.

When maybe_free_holding_cell_htlcs returns None (channel can't generate a new commitment due to AWAITING_REMOTE_REVOKE, PEER_DISCONNECTED, LOCAL_STFU_SENT, or QUIESCENT), build_preimage_only_monitor_update creates the update but does NOT call chan.monitor_updating_paused(...), so MONITOR_UPDATE_IN_PROGRESS is never set on the channel.

The subsequent handle_new_monitor_update (line 10297) submits the update to the chain monitor. If persistence is synchronous (common in simple setups) and there are no other in-flight updates for this channel, all_updates_complete becomes true, triggering try_resume_channel_post_monitor_update → monitor_updating_restored, which hits a hard assert! at channel.rs:9839:

assert!(self.context.channel_state.is_monitor_update_in_progress()); // PANICS

Compare with the single-HTLC path in get_update_fulfill_htlc_and_commit (line 7690) which always calls monitor_updating_paused(false, !update_blocked, false, ...) regardless of whether a commitment could be generated, ensuring MONITOR_UPDATE_IN_PROGRESS is set before the update is submitted.

Fix: After build_preimage_only_monitor_update, call:

chan.monitor_updating_paused(false, false, false, Vec::new(), Vec::new(), Vec::new(), &&logger);

Reproduction scenario: Node receives an MPP payment with ≥2 parts on the same channel. Before calling claim_funds, the channel enters AWAITING_REMOTE_REVOKE (e.g., a prior commitment exchange just completed with the peer's commitment_signed but the peer hasn't sent revoke_and_ack yet). claim_funds takes the batch path, can_generate_new_commitment() returns false, deferred flush path is taken, and the preimage-only update is submitted. With synchronous persistence → panic.

[ldk-claude-review-bot]

Nit: The counterparty_node_id expect message is duplicated from line 9604 (where it was already unwrapped for grouping). Since the grouping loop above already unwraps counterparty_node_id for every HTLC, by the time we reach the group.len() == 1 branch we know it's Some. The second expect at line 9621 is redundant — you could just reuse the counterparty_id from the group tuple.

Note: the same applies to claim_batch_funds_from_channel at line 10139 — the counterparty_node_id was already validated during grouping.

[ldk-claude-review-bot]

The closed-channel fallback uses .take() so only the first HTLC in the batch gets the MonitorUpdateCompletionAction and RAA blocker (2nd+ get (None, None)). This is functionally correct — all HTLCs share the same channel, so one action + one blocker is sufficient — but it means each subsequent HTLC creates and persists a ChannelMonitorUpdate with no associated completion action.

Consider adding a brief comment explaining the .take() intent: "Only the first HTLC in the batch carries the completion action and RAA blocker; subsequent HTLCs only persist the preimage for safety."

[ldk-claude-review-bot]

This payment_info injection only fills the first matching PaymentPreimage step in the combined monitor update (then breaks). When there are N HTLCs in the batch, there are N PaymentPreimage steps for the same preimage, and only the first gets payment_info. This is correct because ChannelMonitor::provide_payment_preimage uses and_modify().or_insert_with() and will store payment_info from the first step, while subsequent steps with None are no-ops.

Worth a brief comment explaining this, since a reader might expect all N steps to carry payment_info:

Suggested change

	// Inject payment_info into the first PaymentPreimage step that
	// matches our preimage (the holding cell may contain unrelated
	// claims for other preimages from prior queueing).
	for step in monitor_update.updates.iter_mut() {
	// Inject payment_info into the first PaymentPreimage step that
	// matches our preimage. Only one step needs it — the ChannelMonitor
	// stores payment_info per payment_hash (not per HTLC), so subsequent
	// preimage steps with None are idempotent no-ops.
	for step in monitor_update.updates.iter_mut() {

[ldk-claude-review-bot]

Nit: Redundant HTLC lookup — the htlc variable from the find at line 7730 already holds the matching HTLC, but this log statement does a second find to get the payment_hash. You can just use htlc.payment_hash from the earlier binding.

(The earlier htlc borrow does end at line 7763, but you could restructure to extract the payment_hash before the holding-cell loop, or restructure the scoping slightly.)