Problem
cosigner-runtime/src/dkg_coordinator/handlers.rs around the DKG-step-3 finalize:
- persist_policy(...) returns Err on failure → caller treats it as fatal ✓
- The subsequent policy_owner_idx write only logs a warning if it fails (lines ~498-501).
If the forward-index write fails (disk full mid-flush, permission flip, sled corruption), the policy is persisted but un-discoverable by owner pubkey — only by recovery_id. The user would appear to onboard successfully but later fail in any flow that looks up policy by owner.
Impact
Low frequency (sled write failure is rare), but the failure mode is silent and split-state: the user can't tell from the success status that lookups will later fail.
Suggested fix
Either:
- Propagate the index write failure as Err for symmetry with persist_policy, OR
- Rebuild the index lazily on first lookup-miss if the underlying policy row exists (self-healing).
The first is simpler; the second is more resilient. Either is better than the current silent warn.
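Both options side by side, as an added illustration rather than code from cosigner-runtime: the store is an in-memory stand-in for sled with a fault-injection flag on the owner-index write, and the names Policy, PolicyStore, StoreError, finalize_step3 and lookup_by_owner are assumed for the example.

```rust
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq)]
struct Policy { recovery_id: u64, owner_pubkey: [u8; 4] }

#[derive(Debug, PartialEq)]
enum StoreError { IndexWriteFailed }

// Hypothetical stand-in for the two sled trees; not the project's real store.
#[derive(Default)]
struct PolicyStore {
    policies: HashMap<u64, Policy>,          // keyed by recovery_id
    policy_owner_idx: HashMap<[u8; 4], u64>, // owner pubkey -> recovery_id
    fail_index_writes: bool,                 // fault injection: simulate a failed index flush
}

impl PolicyStore {
    fn persist_policy(&mut self, p: &Policy) -> Result<(), StoreError> {
        self.policies.insert(p.recovery_id, p.clone());
        Ok(())
    }
    fn write_owner_index(&mut self, p: &Policy) -> Result<(), StoreError> {
        if self.fail_index_writes { return Err(StoreError::IndexWriteFailed); }
        self.policy_owner_idx.insert(p.owner_pubkey, p.recovery_id);
        Ok(())
    }
    // Option 1: the index write is fatal, for symmetry with persist_policy.
    // The caller now sees Err instead of a success status plus a warning log.
    fn finalize_step3(&mut self, p: &Policy) -> Result<(), StoreError> {
        self.persist_policy(p)?;
        self.write_owner_index(p)?;
        Ok(())
    }
    // Option 2: self-healing lookup. On an index miss, scan the policy rows for
    // the owner and rebuild the index entry if the row exists.
    fn lookup_by_owner(&mut self, owner: &[u8; 4]) -> Option<Policy> {
        if let Some(id) = self.policy_owner_idx.get(owner) {
            return self.policies.get(id).cloned();
        }
        let found = self.policies.values().find(|p| &p.owner_pubkey == owner).cloned()?;
        // A failed rebuild is not fatal for the lookup itself; the row was found.
        let _ = self.write_owner_index(&found);
        Some(found)
    }
}
```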
Discovered during PR #32 review.