refunder: expand E2E tests

[tilacog]

Resolves: #3785

Description

This PR improves test coverage for the refunder crate by expanding the end-to-end tests covering many refund scenarios.

Other Changes

1. Promoted the RefundStatus from tests to the main crate logic.
2. Fixed compilation error in shared crate that was blocking this work.

Run the refunder E2E tests:

cargo nextest run -p e2e refunder

[gemini-code-assist]

Summary of Changes

Hello @tilacog, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the testability and coverage of the refunder crate. It introduces a modular design for the refund service by abstracting its interactions with the database and blockchain, allowing for more isolated and comprehensive unit tests. Concurrently, it expands the existing end-to-end test suite to validate various refund conditions and edge cases, ensuring the service's reliability. These changes collectively improve the robustness and maintainability of the refunding mechanism.

Highlights

• Expanded E2E Tests: The end-to-end tests for the refunder crate have been significantly expanded to cover a wider array of refund scenarios, including various slippage and validity duration thresholds, and cases where orders are already invalidated or settled.
• Trait Abstractions for Unit Testing: New trait abstractions (DbRead, ChainRead, and ChainWrite) have been introduced in the refunder crate. These traits decouple the refund service from concrete database and blockchain implementations, enabling robust unit testing using the mockall crate.
• Refactored Refund Service: The RefundService struct has been refactored to be generic over the newly introduced traits, facilitating dependency injection and improving testability. Concrete implementations (AlloyChain for blockchain and Postgres for database) are now located in a new infra/ module.
• Compilation Fix: A compilation error in the shared crate that was blocking development work has been resolved.
• Dependency Updates: Several dependencies across the project, including winnow, indexmap, rustc_version, windows-sys, regex, and toml_edit, have been updated to newer versions. New dev-dependencies mockall and rstest were added for enhanced testing capabilities.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request significantly improves the testability and robustness of the refunder crate by introducing trait-based abstractions for database and blockchain interactions. This refactoring enables comprehensive unit testing with mocks, which have been added and are very thorough. Additionally, the E2E test suite has been greatly expanded, covering numerous refund scenarios and edge cases, which increases confidence in the refunder's behavior.

My review focuses on the new abstractions and the refactored logic. The changes are excellent, but I have identified a couple of areas for improvement. One is a potential inconsistency in how refundable orders are processed, which could lead to misleading logs or wasteful transactions. The other is an opportunity to address a TODO left in the code for a performance enhancement. Overall, this is a high-quality contribution that substantially improves the codebase.

[gemini-code-assist]

I see you've left a TODO here about switching to FuturesUnordered. This is a good idea for performance, as it would allow processing results as they complete rather than waiting for all futures to finish.

You're already using buffer_unordered from futures::StreamExt in send_out_refunding_tx, which provides similar benefits. You could use it here as well for consistency and improved performance. A concurrency limit (e.g., 10) is a reasonable starting point to avoid overwhelming the RPC endpoint.

Suggested change

	let uid_with_latest_refundablility = futures::future::join_all(futures).await; // TODO: is it worth to switch to FuturesUnordered here?
	let uid_with_latest_refundablility: Vec<_> = stream::iter(futures).buffer_unordered(10).collect().await;

[gemini-code-assist]

There's a potential issue where uids and encoded_ethflow_orders can become out of sync. If get_ethflow_order_data fails for some UIDs, encoded_ethflow_orders will contain fewer items than the uids slice passed to submit_refund. This could lead to misleading logs and potentially sending wasteful empty transactions if all database lookups fail.

To make this more robust, you could refactor this section to ensure the lists are consistent. The following suggestion filters out orders that fail the database lookup and only attempts to submit a refund if there are successful orders to process.

            let futures = uids.iter().map(|uid| async move {
                match self.database.get_ethflow_order_data(uid).await {
                    Ok(data) => Some((*uid, data)),
                    Err(err) => {
                        tracing::error!(?err, ?uid, "failed to get data from db");
                        None
                    }
                }
            });

            let successful_orders: Vec<_> = stream::iter(futures)
                .buffer_unordered(10)
                .filter_map(|result| async { result })
                .collect()
                .await;

            if !successful_orders.is_empty() {
                let (successful_uids, encoded_ethflow_orders): (Vec<_>, Vec<_>) =
                    successful_orders.into_iter().unzip();
                self.submitter
                    .submit_refund(&successful_uids, encoded_ethflow_orders, contract)
                    .await?;
            }

[tilacog]

I think this is the same problem that’s been reported here:

1. services/crates/refunder/src/refund_service.rs

   Lines 523 to 539 in f79f7d1

   	/// DB errors for individual orders are skipped; other orders proceed.
   	///
   	/// # Current Behavior (documented, not necessarily ideal)
   	///
   	/// When a DB lookup fails for an order:
   	/// - The error is logged and the order data is excluded from the submission
   	/// - However, the UID is still included in the submission
   	///
   	/// This means `submit_refund` receives:
   	/// - `uids`: ALL original UIDs (including those with failed lookups)
   	/// - `orders`: Only the order data for successful lookups
   	///
   	/// This creates a mismatch between UIDs and order data. See the TODO in
   	/// `test_send_out_refunding_tx_all_db_calls_fail_still_submits` for
   	/// discussion of potential fixes.
   	#[tokio::test]
   	async fn test_send_out_refunding_tx_db_error_skips_order() {

2. services/crates/refunder/src/refund_service.rs

   Lines 585 to 608 in f79f7d1

   	/// If every DB lookup fails, we still call the submitter with the original
   	/// UIDs but without any order data.
   	///
   	/// What actually happens:
   	/// - Each failed order‑data fetch is logged and ignored (it doesn’t stop
   	/// the whole batch).
   	/// - The submitter gets the same list of UIDs we started with, but the
   	/// `orders` slice may be empty (or contain fewer entries) because some or
   	/// all lookups failed.
   	///
   	/// TODO: Is this the behavior we really want? Submitting a refund that
   	/// contains UIDs but no order details feels off. Possible fixes:
   	/// 1. Skip the submission entirely when `encoded_ethflow_orders` is empty.
   	/// 2. Return an error if *all* order‑data lookups fail.
   	/// 3. Filter the UID list so it only includes IDs with successful lookups.
   	///
   	/// NOTE: This test complements
   	/// `test_send_out_refunding_tx_db_error_skips_order`. That test covers
   	/// partial DB failure (some lookups succeed); this one covers
   	/// total DB failure (all lookups fail). Together they verify that DB errors
   	/// are non-fatal and UIDs are always preserved regardless of lookup
   	/// success.
   	#[tokio::test]
   	async fn test_send_out_refunding_tx_all_db_calls_fail_still_submits() {

I wasn't aiming for any behavioral changes with this PR, but happy to review and discuss this during the review.

[jmg-duarte]

IMO we should fix in a separate PR

[jmg-duarte]

IMO & ideally, this should be broken into two parts: the refactor and the tests

Would make review much easier.

Left some comments

[jmg-duarte]

IMO we should fix in a separate PR

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	rstest@​0.26.1

View full report

[tilacog]

For future reference, I've reverted the commit f098c48 to split this PR in two.

It'll be reintroduced in a follow-up PR.

[jmg-duarte]

this should work

Suggested change

	owner if owner == NO_OWNER => Self::Invalid,
	owner if owner == INVALIDATED_OWNER => Self::Refunded,
	NO_OWNER => Self::Invalid,
	INVALIDATED_OWNER => Self::Refunded,

[jmg-duarte]

To be honest, I prefer the Arc solution, I find that the leak may be a footgun

[squadgazzz]

Agree. Why not simply use Arc?

[tilacog]

After giving it a bit more thought, it seems we can't use Arc/Rc here because RefunderTestSetup> struct can't hold both Services<'a>, which in turn borrows &'a Onchain.

However, if we were to modify the Services and Onchain structs themselves, I think we could use Arc/Rc, but that seems like a PR on its own.

In the meantime, I managed to get it working quite easily using ouroboros for the self-referencing part.

What do you guys think? Should I stick with ouroboros, or do we want to refactor Services/Onchain to use Arc/Rc instead?

[squadgazzz]

Amazing PR 🚀
Just a few clarification questions before approving it.

[squadgazzz]

Does the result depend only on a SQL query? If so, can this be tested in a more lightweight setup? Maybe expanding the database tests would be enough here? And keep only 1-2 cases with a local node involved. My worry is that each test executes in 5-7s, which adds ~40s to the CI job execution. No strong opinion tho. Especially, if the alternative solution will require almost the same time to execute.

[tilacog]

Fair point.

Considering SQL alone, then I believe yes. I can see order expiration and slippage being tested at the postgres_refundable_ethflow_orders test

The current test operates one layer above and verifies the full integration, so I dare to say there's a bit more of value being added here.

Nonetheless, I'm still not sure what's the best way forward here.

Maybe we can remove the boundary test cases, since they are already covered in the database tests?

[squadgazzz]

Not sure I understand what stops the order from being settled. Could you add a comment in the code?

[tilacog]

Currently, settlement won't happen because of the time distance between the chain (2020) and autopilot (2026, current).

All tests' orders are expired at creation time by default because they are created based on chain time. The exception being the refunder_skips_settled_orders test, which manually creates valid orders.

I'll document this more thoroughly 👍