backport: cherrypick #46, #47, #49, #50, #52 into v0.16.2.x

[d0wn3d]

Backport

Cherry-picks of #46, #47, #49, and #50 into v0.16.2.x for v0.16.2.2

Extra cherry-picked commits:
263a25a chore: update copyright year in configure.ac
4c8df90 chore: Add issues templates
bdc1f02 chore: Add SECURITY.md
c8a7baa chore: add release nodes template
719796f chore: update docs inside /doc/
4bd9935 chore: update GPG key
534be8a chore: update testnet seeds

Included

• chore: update dependency download mirrors to reliable sources #46 — chore: update dependency download mirrors to reliable sources
• fix: Re-enable BIP34 height check and correct BIP34Height value #47 — fix: Re-enable BIP34 height check and correct BIP34Height value
• fix: validate null commitments before LLMQ type registration check #49 — fix: validate null commitments before LLMQ type registration check
• fix: remove LLMQ_5_60 and use LLMQ_50_60 for testnet #50 — fix: remove LLMQ_5_60 and use LLMQ_50_60 for testnet
• fix: restart testnet -- new genesis block #52 — fix: restart testnet -- new genesis block

Summary by CodeRabbit

• Chores

  • Updated copyright year to 2026
  • Updated several third‑party package download sources, versions, and metadata

• Bug Fixes

  • Stricter coinbase block-height validation to reject malformed blocks
  • Improved quorum/consensus handling to avoid runtime errors and tighten commitment verification
  • Removed a deprecated quorum type and adjusted quorum mappings

• Network

  • Updated consensus activation parameters, genesis checkpoints, and defaults

• Documentation

  • Added security policy, issue templates, operational guides, and a release‑notes template

[coderabbitai]

📝 Walkthrough

Walkthrough

Updated dependency download metadata and build metadata; removed one LLMQ enum variant and migrated testnet to a different LLMQ; tightened LLMQ commitment handling and re-enabled BIP34 coinbase-height validation; multiple genesis/consensus/testnet parameter and formatting updates.

Changes

Cohort / File(s)	Summary
Build config configure.ac	Bumped _COPYRIGHT_YEAR from 2022 to 2026.
Dependency packages depends/packages/boost.mk, depends/packages/expat.mk, depends/packages/gmp.mk, depends/packages/qrencode.mk, depends/packages/zlib.mk	Updated download URLs, version/filename formatting (Boost), expat → GitHub Releases, GMP → ftp.gnu.org, qrencode config flag formatting fix, zlib URL → fossils path.
Consensus enum & chain params src/consensus/params.h, src/chainparams.cpp	Removed LLMQ_5_60 enum; switched testnet/devnet LLMQ usage to LLMQ_50_60; updated BIP34 heights/hashes, genesis hashes, deployments, checkpoints, and other testnet/regtest/devnet constants and formatting.
LLMQ validation & processing src/llmq/quorums_blockprocessor.cpp, src/llmq/quorums_commitment.cpp	Guard LLMQ params lookup before access; reject non-null commitments for unknown types; allow validated null commitments for unknown types; tighten VerifyNull() semantics and conditional size checks.
Block validation src/validation.cpp	Re-enabled coinbase height check (BIP34): construct expected height script and reject mismatches with bad-cb-height.
Docs / Templates / Security / Guidance .github/ISSUE_TEMPLATE/bug_report.md, .github/ISSUE_TEMPLATE/feature_request.md, SECURITY.md, doc/p2p-bad-ports.md, doc/reduce-memory.md, doc/reduce-traffic.md, doc/release-notes-empty-template.md	Added issue templates and SECURITY policy; added documentation pages for bad P2P ports, memory/traffic reduction, and a release-notes template.
Minor formatting src/chainparams.cpp (reformatted lines)	Various spacing, brace, and signature spacing adjustments with no semantic API changes in most places.

Sequence Diagram(s)

sequenceDiagram
  participant QC as "QC / CFinalCommitment"
  participant BP as "CQuorumBlockProcessor"
  participant CONS as "Params().GetConsensus()"
  participant EvoDB as "EvoDB"
  participant Log as "Logger/Reject"

  Note over BP,CONS: ProcessCommitment (high-level)
  QC->>BP: ProcessCommitment(qc)
  BP->>CONS: check if qc.llmqType in llmqs
  alt llmqType not registered
    QC->>BP: if qc.IsNull()
    QC->>BP: QC.VerifyNull() (accepted for unknown type)
    BP->>EvoDB: write null commitment (if valid)
    BP->>Log: accept or reject (bad-qc-type if non-null)
  else llmqType registered
    BP->>CONS: params = llmqs.at(qc.llmqType)
    BP->>QC: full verification using params
    alt verification passes
      BP->>EvoDB: write commitment
    else verification fails
      BP->>Log: reject commitment
    end
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• chore: update dependency download mirrors to reliable sources #46: Touches the same dependency package files (depends/packages/{boost.mk,expat.mk,gmp.mk,qrencode.mk,zlib.mk}) — related dependency URL/version/filename updates.
• fix: restart testnet -- new genesis block #52: Modifies src/chainparams.cpp and related consensus/genesis parameters — closely related chainparams/genesis changes.
• fix: validate null commitments before LLMQ type registration check #49: Alters LLMQ commitment handling and processing paths — related LLMQ validation and blockprocessor edits.

Poem

🐰 I hopped through years and URLs anew,
Changed archives, pruned a quorum or two.
Nulls now checked, coinbase heights aligned,
Docs and templates left for the warren to find.
Crunchy carrots for CI — a small celebratory chew!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 11.11% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title accurately describes the main purpose: backporting multiple numbered PRs (#46, #47, #49, #50, #52) into the v0.16.2.x branch for the v0.16.2.2 release. This is the primary change and matches the changeset content.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

This pull request has conflicts, please rebase.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

src/validation.cpp (1)

3508-3515: Call out the full-reindex requirement in the release notes.

This restored rule only runs through ContextualCheckBlock(). The file comment here already notes that ConnectBlock() and -reindex-chainstate do not re-run these checks, so operators will only enforce the BIP34 fix on newly accepted blocks or a full -reindex.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/validation.cpp` around lines 3508 - 3515, Update the release notes to
clearly state that the restored BIP34 coinbase-height check (the code in
ContextualCheckBlock() comparing nHeight against consensusParams.BIP34Height and
validating coinbase scriptSig) is only enforced during contextual validation and
will not be re-run by ConnectBlock() or when running -reindex-chainstate;
therefore operators must perform a full reindex (not just -reindex-chainstate)
to apply this rule to existing chainstate. Mention the affected symbols:
ContextualCheckBlock(), ConnectBlock(), -reindex-chainstate, and BIP34Height,
and include a short remediation step telling users to run a full -reindex to
enforce the check on historical blocks.

src/llmq/quorums_blockprocessor.cpp (1)

186-202: Add a regression test for the unknown-type/null split.

This branch intentionally bypasses the normal .at() / quorum-hash path for unregistered llmqTypes. Please lock in both outcomes: a structurally valid null commitment should pass, and any non-null commitment for the same unknown type should still fail with bad-qc-type.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/llmq/quorums_blockprocessor.cpp` around lines 186 - 202, Add a regression
test that exercises the unknown LLMQ type branch: construct a quorum commitment
object `qc` whose `llmqType` is a value not present in
`Params().GetConsensus().llmqs`, then (1) set it up as a structurally valid null
commitment (so `qc.IsNull()` is true and `qc.VerifyNull()` returns true) and
assert the block processor call (the code path in quorums_blockprocessor.cpp
that checks
`Params().GetConsensus().llmqs.count((Consensus::LLMQType)qc.llmqType)`) returns
success/true, and (2) set up a non-null commitment for that same unknown
`llmqType` (so `qc.IsNull()` is false) and assert the call fails with the
DoS/reject code `"bad-qc-type"` (matching the `state.DoS(100, false,
REJECT_INVALID, "bad-qc-type")` branch); use the same creation/validation
helpers used elsewhere for commitments so the test mirrors real inputs and
references `qc.IsNull()`, `qc.VerifyNull()`, and the block processor entry point
that triggers this branch.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@depends/packages/gmp.mk`:
- Line 3: The gmp download URL points at gmp-6.1.2 which is affected by
CVE-2021-43618; update the package metadata to use a patched upstream release
(e.g., 6.2.1-r2, 6.3.0, or your distro's backport like 6.1.2-11) by changing the
referenced version and checksum, or if you cannot upgrade add a clear CVE note
and mitigation in the package metadata (e.g., in the same gmp package variables
or description) referencing CVE-2021-43618 and listing acceptable
workarounds/constraints; ensure $(package)_download_path and any checksum
variables are updated to match the chosen patched tarball.

---

Nitpick comments:
In `@src/llmq/quorums_blockprocessor.cpp`:
- Around line 186-202: Add a regression test that exercises the unknown LLMQ
type branch: construct a quorum commitment object `qc` whose `llmqType` is a
value not present in `Params().GetConsensus().llmqs`, then (1) set it up as a
structurally valid null commitment (so `qc.IsNull()` is true and
`qc.VerifyNull()` returns true) and assert the block processor call (the code
path in quorums_blockprocessor.cpp that checks
`Params().GetConsensus().llmqs.count((Consensus::LLMQType)qc.llmqType)`) returns
success/true, and (2) set up a non-null commitment for that same unknown
`llmqType` (so `qc.IsNull()` is false) and assert the call fails with the
DoS/reject code `"bad-qc-type"` (matching the `state.DoS(100, false,
REJECT_INVALID, "bad-qc-type")` branch); use the same creation/validation
helpers used elsewhere for commitments so the test mirrors real inputs and
references `qc.IsNull()`, `qc.VerifyNull()`, and the block processor entry point
that triggers this branch.

In `@src/validation.cpp`:
- Around line 3508-3515: Update the release notes to clearly state that the
restored BIP34 coinbase-height check (the code in ContextualCheckBlock()
comparing nHeight against consensusParams.BIP34Height and validating coinbase
scriptSig) is only enforced during contextual validation and will not be re-run
by ConnectBlock() or when running -reindex-chainstate; therefore operators must
perform a full reindex (not just -reindex-chainstate) to apply this rule to
existing chainstate. Mention the affected symbols: ContextualCheckBlock(),
ConnectBlock(), -reindex-chainstate, and BIP34Height, and include a short
remediation step telling users to run a full -reindex to enforce the check on
historical blocks.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 743d2dc6-0670-4a01-b306-0b33616e7596

📥 Commits

Reviewing files that changed from the base of the PR and between fe7b849 and 677bccb.

📒 Files selected for processing (11)

• configure.ac
• depends/packages/boost.mk
• depends/packages/expat.mk
• depends/packages/gmp.mk
• depends/packages/qrencode.mk
• depends/packages/zlib.mk
• src/chainparams.cpp
• src/consensus/params.h
• src/llmq/quorums_blockprocessor.cpp
• src/llmq/quorums_commitment.cpp
• src/validation.cpp

💤 Files with no reviewable changes (1)

• src/consensus/params.h

[d0wn3d]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/chainparams.cpp`:
- Line 803: Replace the raw WIF private key literal
"cP4EKFyJsHT39LDqgdcB43Y3YXjNyjb5Fuas1GQSeAtjnZWmZEQK" found in the comment (the
"privKey:" comment) with a redacted placeholder such as "<REDACTED_WIF>", remove
any other raw key literals in src/chainparams.cpp, and move any explanatory
key-handling text out of source comments into external documentation (README or
developer docs) so comments no longer contain real or test private keys.
- Around line 533-572: The deployment start/timeout constants (e.g.,
consensus.vDeployments[Consensus::DEPLOYMENT_TESTDUMMY], DEPLOYMENT_CSV,
DEPLOYMENT_DIP0001, DEPLOYMENT_BIP147, DEPLOYMENT_DIP0003, DEPLOYMENT_DIP0008,
DEPLOYMENT_REALLOC and the other occurrences noted) have unix timestamps that do
not match their inline date comments; update either the numeric constants to the
correct Unix epoch for the commented dates or change the comment to the actual
UTC date represented by the timestamp so they match; locate these assignments in
the chainparams.cpp network constructor (the consensus.vDeployments[...] blocks)
and ensure consistency for all instances (also update the other occurrences
referenced in the review) so comments accurately reflect the nStartTime/nTimeout
values.
- Around line 517-523: Replace the invalid zero-argument uint256S() calls with
default-constructed uint256() where consensus.BIP34Hash and
consensus.DIP0003EnforcementHash are set; specifically, change the assignments
to use uint256() instead of uint256S() so they compile (follow the same pattern
used elsewhere in this file where default uint256() is used).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a491dca3-2808-459c-9c7d-37a9f3e546a1

📥 Commits

Reviewing files that changed from the base of the PR and between 677bccb and eaf3781.

📒 Files selected for processing (1)

• src/chainparams.cpp

[d0wn3d]

@CodeRabbit review

Check if all the PRs are backported correctly.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Inspect the actual PR diff to verify backport correctness
gh pr view 51 --repo gobytecoin/gobyte --json files,commits,title,body

# Get the diff for the PR
gh pr diff 51 --repo gobytecoin/gobyte

Length of output: 35393

---

@d0wn3d Here is a detailed backport verification for each included PR:

---

✅ PR #46 — chore: update dependency download mirrors

All mirror updates in depends/packages/ look correct:

File	Change	Status
boost.mk	Version format 1_64_0 → 1.64.0; bintray → archives.boost.io with subst .,_ for filename	✅
expat.mk	SourceForge → GitHub Releases with R_$(subst .,_,...) tag format	✅
gmp.mk	gmplib.org/download/gmp → ftp.gnu.org/gnu/gmp	✅
zlib.mk	http://www.zlib.net → https://www.zlib.net/fossils/	✅
qrencode.mk	-without-tools → --without-tools (missing leading dash fixed)	✅ (bonus fix, not mentioned in PR body)

⚠️ Minor note: The qrencode.mk typo fix (-without-tools → --without-tools) is silently included under #46 but not called out in the PR description. It's a valid fix and safe to include.

---

✅ PR #47 — fix: Re-enable BIP34 height check and correct BIP34Height value

• src/validation.cpp: The BIP34 coinbase height validation block is correctly uncommented and re-enabled for nHeight >= BIP34Height && !fDIP0003Active_context. ✅
• src/chainparams.cpp (mainnet): BIP34Height corrected from 1 → 17 and BIP34Hash updated to the corresponding block hash. ✅

---

✅ PR #49 — fix: validate null commitments before LLMQ type registration check

Two-part fix, both correctly applied:

src/llmq/quorums_commitment.cpp:

• CheckLLMQCommitment(): The llmqs.count() type guard was moved to after the IsNull() early-exit path — non-null commitments still require full type registration. ✅
• VerifyNull(): Now correctly checks !IsNull() first (returns false if not null), and skips VerifySizes() for unregistered types since size params are unavailable. ✅

src/llmq/quorums_blockprocessor.cpp:

• ProcessCommitment(): Registration guard added at the top, before the unconditional .at() call that would throw std::out_of_range. Null commitments for unknown types are accepted as safe no-ops; non-null unknown types return DoS(100, "bad-qc-type") — consistent with CheckLLMQCommitment. ✅

---

✅ PR #50 — fix: remove LLMQ_5_60 and use LLMQ_50_60 for testnet

• src/consensus/params.h: LLMQ_5_60 = 100 removed.

  Note: LLMQ_5_60 and LLMQ_TEST shared the same integer value (100), which was a potential source of confusion. Removing the alias is safe since 100 remains valid as LLMQ_TEST. ✅

• src/chainparams.cpp: Static llmq5_60 params struct removed. Testnet now registers llmq50_60 and sets both llmqTypeChainLocks and llmqTypeInstantSend to LLMQ_50_60. ✅

---

✅ PR #52 — fix: restart testnet -- new genesis block (bonus, listed in PR body)

• New genesis: timestamp 1743000000, nonce 396944, hash asserted as 0x000001b38a18c71fa97799cc4cd763f5a2e6f046fa91eb94d64c056ffd861049. ✅
• Testnet checkpoints reset to genesis-only entry. ✅
• chainTxData reflects genesis-only state (tx=1). ✅
• Consensus hashes/heights that need post-reset values are properly stubbed with uint256() + // FIXME comments. ✅

⚠️ Minor note: consensus.defaultAssumeValid is commented out with a FIXME rather than explicitly set to uint256() like the other stubs. Both are functionally equivalent (assuming the field defaults to zero), but explicit zeroing would be more consistent with the style used for the other FIXME stubs in the same block.

---

✅ Extra commit — chore: update copyright year in configure.ac

• _COPYRIGHT_YEAR updated from 2022 → 2026. ✅

---

Summary

All 4 named backports (#46, #47, #49, #50) plus the testnet reset (#52) and copyright year update are correctly applied. The logic is semantically faithful to the originals, and no regressions are evident from the diff. The two minor notes above (undocumented qrencode.mk fix and defaultAssumeValid commenting style) are cosmetic and do not affect correctness.

[coderabbitai]

Actionable comments posted: 3

♻️ Duplicate comments (1)

src/chainparams.cpp (1)

809-809: ⚠️ Potential issue | 🟠 Major

Remove the raw WIF private key literal from source comments.

Line 809 still embeds a full WIF-like private key string in code comments. This is risky hygiene and keeps triggering secret scanners. Redact it in-source (and remove any duplicate literal occurrences in this file as follow-up).

🔒 Suggested fix

-        // privKey: cP4EKFyJsHT39LDqgdcB43Y3YXjNyjb5Fuas1GQSeAtjnZWmZEQK
+        // privKey: <REDACTED_WIF>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/chainparams.cpp` at line 809, Remove the literal WIF/private key string
embedded in the comment (the line containing "privKey:
cP4EKFyJsHT39LDqgdcB43Y3YXjNyjb5Fuas1GQSeAtjnZWmZEQK") and replace it with a
redacted placeholder (e.g., "privKey: <REDACTED>") in the same comment block;
then search this source for any duplicate occurrences of that exact WIF token
and redact them as well. Ensure you only change comments (not code) and keep
surrounding comment context intact (look for the "privKey:" comment and any
similar WIF-like literals). After redaction, run the repository secret-scanner
to confirm the literal no longer appears.

🧹 Nitpick comments (2)

SECURITY.md (1)

10-21: Add response-time expectations for vulnerability reports.

Consider adding expected acknowledgment/triage timelines (for example, “initial response within X days”). It improves reporter experience and reduces follow-up noise without changing policy scope.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@SECURITY.md` around lines 10 - 21, Add a short response-time commitment to
the "Reporting a Vulnerability" section of SECURITY.md: specify an "Initial
acknowledgment" timeframe (e.g., "Initial response within X business days") and
a subsequent "Triage/Investigation" expectation (e.g., "Triage completed within
Y days"), and include contact/next-step guidance for reporters if these
timelines are missed; update the paragraph under "To report security issues..."
near the public keys table so the expectations are visible to anyone submitting
a report.

doc/release-notes-empty-template.md (1)

108-108: Use separate placeholders for previous vs current version in compare URL.

Line 108 currently uses *version* on both sides, which can accidentally produce a self-compare link. Use distinct placeholders (e.g., *previous-version*...*version*) to avoid empty diffs in published notes.

Proposed fix

-[set-of-changes]: https://github.com/gobytecoin/gobyte/compare/*version*...gobytecoin:*version*
+[set-of-changes]: https://github.com/gobytecoin/gobyte/compare/*previous-version*...gobytecoin:*version*

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@doc/release-notes-empty-template.md` at line 108, The compare URL placeholder
uses the same token on both sides causing self-compare links; update the
[set-of-changes] link target so the left and right placeholders are distinct
(e.g., replace the current '*version*...gobytecoin:*version*' token pair with
something like '*previous-version*...gobytecoin:*version*') so the URL generates
a proper diff between previous and current releases.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@doc/reduce-traffic.md`:
- Around line 26-27: Update the doc text that currently claims "Peers with the
`download` permission will never be disconnected" to reflect the actual
implementation in src/net_processing.cpp: explain that the exemption is based on
pfrom->fWhitelisted (peers in the whitelist) and the -whitelistforcerelay flag,
not a `download` permission; reference pfrom->fWhitelisted and the
-whitelistforcerelay behavior so operators know to use the whitelist mechanism
rather than a non-existent `download` permission.

In `@doc/release-notes-empty-template.md`:
- Line 52: Update the two occurrences of the phrase "wallet related" to the
hyphenated form "wallet-related" to use correct compound-adjective punctuation;
specifically replace the string "Changes to wallet related RPCs can be found in
the Wallet section below." (and the second occurrence at the other noted
location) with "Changes to wallet-related RPCs can be found in the Wallet
section below." so both Line 52 and Line 64 use "wallet-related".

In `@src/chainparams.cpp`:
- Around line 304-306: Update the explanatory comment that currently reads
"BIP34 enforcement begins at height 17: the first height at which PUSHDATA1 is
the only minimal encoding..." to a neutral activation statement that simply
notes BIP34 enforcement begins at height 17, removing the incorrect PUSHDATA1
claim; locate the comment near the BIP34 enforcement declaration (search for
"BIP34 enforcement begins at height 17" or references to BIP34/BIP34Height in
src/chainparams.cpp) and replace both occurrences with a concise line such as
"BIP34 enforcement begins at height 17." to avoid asserting incorrect encoding
details.

---

Duplicate comments:
In `@src/chainparams.cpp`:
- Line 809: Remove the literal WIF/private key string embedded in the comment
(the line containing "privKey:
cP4EKFyJsHT39LDqgdcB43Y3YXjNyjb5Fuas1GQSeAtjnZWmZEQK") and replace it with a
redacted placeholder (e.g., "privKey: <REDACTED>") in the same comment block;
then search this source for any duplicate occurrences of that exact WIF token
and redact them as well. Ensure you only change comments (not code) and keep
surrounding comment context intact (look for the "privKey:" comment and any
similar WIF-like literals). After redaction, run the repository secret-scanner
to confirm the literal no longer appears.

---

Nitpick comments:
In `@doc/release-notes-empty-template.md`:
- Line 108: The compare URL placeholder uses the same token on both sides
causing self-compare links; update the [set-of-changes] link target so the left
and right placeholders are distinct (e.g., replace the current
'*version*...gobytecoin:*version*' token pair with something like
'*previous-version*...gobytecoin:*version*') so the URL generates a proper diff
between previous and current releases.

In `@SECURITY.md`:
- Around line 10-21: Add a short response-time commitment to the "Reporting a
Vulnerability" section of SECURITY.md: specify an "Initial acknowledgment"
timeframe (e.g., "Initial response within X business days") and a subsequent
"Triage/Investigation" expectation (e.g., "Triage completed within Y days"), and
include contact/next-step guidance for reporters if these timelines are missed;
update the paragraph under "To report security issues..." near the public keys
table so the expectations are visible to anyone submitting a report.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5e5fe0d5-4d48-4991-b6e4-e3424b982a73

📥 Commits

Reviewing files that changed from the base of the PR and between eaf3781 and dc77772.

📒 Files selected for processing (8)

• .github/ISSUE_TEMPLATE/bug_report.md
• .github/ISSUE_TEMPLATE/feature_request.md
• SECURITY.md
• doc/p2p-bad-ports.md
• doc/reduce-memory.md
• doc/reduce-traffic.md
• doc/release-notes-empty-template.md
• src/chainparams.cpp

✅ Files skipped from review due to trivial changes (2)

• .github/ISSUE_TEMPLATE/feature_request.md
• .github/ISSUE_TEMPLATE/bug_report.md

[coderabbitai]

Actionable comments posted: 3

♻️ Duplicate comments (3)

doc/reduce-traffic.md (1)

26-27: ⚠️ Potential issue | 🟠 Major

Permission terminology is incorrect for disconnect exemption.

This should reference whitelisted peers (pfrom->fWhitelisted), not download permission, to match src/net_processing.cpp:2166-2172 and src/net.cpp:1076-1095.

Suggested edit

-Peers with the `download` permission will never be disconnected, although their traffic counts for
+Whitelisted peers (when `-whitelistforcerelay` is enabled) will never be disconnected, although their traffic counts for
 calculating the target.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@doc/reduce-traffic.md` around lines 26 - 27, The documentation incorrectly
states that peers with the `download` permission are never disconnected; update
the sentence to reference whitelisted peers instead: state that peers where
pfrom->fWhitelisted is true (whitelisted peers) are exempt from disconnection
and still counted for traffic calculations, matching the behavior implemented in
the net_processing and net code paths (e.g., the fWhitelisted checks).

src/chainparams.cpp (2)

304-306: ⚠️ Potential issue | 🟡 Minor

Correct the BIP34 rationale comment (PUSHDATA1 claim is inaccurate).

Line 304 and Line 519 still describe height 17 as the first point where PUSHDATA1 is minimal; that statement is misleading for consensus documentation. Please replace both with a neutral activation note.

Suggested edit

-// BIP34 enforcement begins at height 17: the first height at which
-// PUSHDATA1 is the only minimal encoding for the block height integer,
-// preventing non-minimal coinbase scriptSig encodings from earlier blocks.
+// BIP34 enforcement begins at height 17 (historical chain activation point).

Also applies to: 519-521

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/chainparams.cpp` around lines 304 - 306, Update the misleading BIP34
comment in src/chainparams.cpp that currently states "BIP34 enforcement begins
at height 17: the first height at which PUSHDATA1 is the only minimal encoding…"
— replace that sentence (the BIP34 rationale comment near the "BIP34
enforcement" comment and the similar block around lines 519-521) with a neutral
activation note such as "BIP34 enforcement begins at height 17 (activation
point)" so the comment simply records the activation height without asserting
the incorrect PUSHDATA1 rationale; locate the comments by searching for the
"BIP34 enforcement" text or the height 17 mention and update both occurrences
(the earlier BIP34 comment and the later duplicate) accordingly.

---

809-809: ⚠️ Potential issue | 🟠 Major

Remove raw WIF private key literals from source comments.

Line 809 exposes a full WIF key string in-source. Even for test/dev use, this is unsafe hygiene and creates scanner/compliance noise. Replace it with a redacted placeholder, and apply the same cleanup to the matching literal at Line 930.

Suggested edit

-        // privKey: cP4EKFyJsHT39LDqgdcB43Y3YXjNyjb5Fuas1GQSeAtjnZWmZEQK
+        // privKey: <REDACTED_WIF>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/chainparams.cpp` at line 809, Remove the raw WIF private key literal from
the source comment (the line containing "privKey:
cP4EKFyJsHT39LDqgdcB43Y3YXjNyjb5Fuas1GQSeAtjnZWmZEQK") and replace it with a
redacted placeholder such as "privKey: <REDACTED_WIF>"; also apply the same
replacement to the matching literal later in the file (the duplicate WIF at the
second occurrence noted in the review). Locate these by searching for the
"privKey:" comment instances in the chainparams area and update both comments to
not include any real keys.

🧹 Nitpick comments (4)

doc/p2p-bad-ports.md (1)

17-17: Tighten wording for readability.

Line 17 can be slightly cleaner by replacing “in order to use them” with “to use them.”

✏️ Suggested wording tweak

-and on some platforms, require administrative privileges in order to use them.
+and on some platforms, require administrative privileges to use them.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@doc/p2p-bad-ports.md` at line 17, Replace the phrase "in order to use them"
with the tighter wording "to use them" in the sentence containing "and on some
platforms, require administrative privileges in order to use them." — locate
that sentence (contains "require administrative privileges in order to use
them") and update it to "and on some platforms, require administrative
privileges to use them."

doc/reduce-traffic.md (1)

29-29: Normalize heading style to satisfy markdownlint (MD003).

If lint is enforced, switch these headings to the same style used elsewhere in this doc.

Also applies to: 41-41

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@doc/reduce-traffic.md` at line 29, Replace the inconsistent numbered ATX
headings with the same heading style used elsewhere in the document: change the
heading "## 2. Disable \"listening\" (`-listen=0`)" and the similar heading at
the other location ("41-41") to match the project's existing heading format
(e.g., remove the numeric prefix or adjust ATX level/format to match other
section headings), ensuring MD003 passes.

doc/release-notes-empty-template.md (2)

42-84: Consider using consistent ATX-style headings.

The template uses setext-style headings (underlined with = and -) for subsections. Consider using ATX-style headings (## and ###) throughout for consistency and clarity, as they're more widely recognized and easier to parse.

This is purely stylistic and both formats are valid Markdown.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@doc/release-notes-empty-template.md` around lines 42 - 84, Replace
setext-style headings in the release notes template with consistent ATX-style
headings: convert "Notable changes" and all subsections like "P2P and network
changes", "Updated RPCs", "New RPCs", "Build System", "Updated settings", "New
settings", "Tools and Utilities", "Wallet", "GUI changes", "Low-level changes",
"RPC", and "Tests" to equivalent ATX headings (e.g., ## or ###) so the document
uses only ATX-style headings throughout for consistency and easier parsing.

---

108-108: Consider clarifying placeholder names in the compare URL.

The template uses *version* for both placeholders in the compare URL, but they represent different versions: the previous release version (first placeholder) and the current release version (second placeholder). Renaming to *prev-version*...gobytecoin:*version* would reduce confusion when using this template.

Comparison with actual release notes

Template: compare/*version*...gobytecoin:*version*

Actual usage in doc/release-notes.md: compare/v0.16.1.0...gobytecoin:v0.16.1.1

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@doc/release-notes-empty-template.md` at line 108, Update the compare URL
placeholder in the release notes template so the two placeholders are distinct:
change the left-side placeholder in the link target for [set-of-changes] from
*version* to *prev-version* (i.e., replace
compare/*version*...gobytecoin:*version* with
compare/*prev-version*...gobytecoin:*version*) so it clearly represents the
previous release versus the current release.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@doc/reduce-memory.md`:
- Line 44: Change the heading text "Linux specific" to the hyphenated compound
adjective "Linux-specific" in the document (replace the heading string "Linux
specific" with "Linux-specific") so the heading reads "## Linux-specific" for
correct grammar and consistency.

In `@doc/reduce-traffic.md`:
- Around line 53-54: Update the doc text to match the implementation: replace
the phrase about the generic "forcerelay permission" with a precise description
that transactions are still received/relayed from whitelisted peers when the
-whitelistrelay option is set (matching the code path in src/net_processing.cpp
that checks whitelist/whitelistrelay, e.g., the fWhitelisted/whitelistrelay
logic), rather than implying a generic forcerelay permission check.

In `@SECURITY.md`:
- Around line 14-21: Update SECURITY.md to remove or correct the unverifiable
D0WN3D GPG key entry: either delete the table row containing the Name "D0WN3D"
and its fingerprint or replace the fingerprint E81C 4513 AABE E054 7015 16C8
04DF 2E71 5374 F98E with a verified one (and keep the existing guidance about
importing keys); ensure the documentation only lists keys that are resolvable on
public keyservers and reference the "D0WN3D" identifier when making the change
so reviewers can verify the correction.

---

Duplicate comments:
In `@doc/reduce-traffic.md`:
- Around line 26-27: The documentation incorrectly states that peers with the
`download` permission are never disconnected; update the sentence to reference
whitelisted peers instead: state that peers where pfrom->fWhitelisted is true
(whitelisted peers) are exempt from disconnection and still counted for traffic
calculations, matching the behavior implemented in the net_processing and net
code paths (e.g., the fWhitelisted checks).

In `@src/chainparams.cpp`:
- Around line 304-306: Update the misleading BIP34 comment in
src/chainparams.cpp that currently states "BIP34 enforcement begins at height
17: the first height at which PUSHDATA1 is the only minimal encoding…" — replace
that sentence (the BIP34 rationale comment near the "BIP34 enforcement" comment
and the similar block around lines 519-521) with a neutral activation note such
as "BIP34 enforcement begins at height 17 (activation point)" so the comment
simply records the activation height without asserting the incorrect PUSHDATA1
rationale; locate the comments by searching for the "BIP34 enforcement" text or
the height 17 mention and update both occurrences (the earlier BIP34 comment and
the later duplicate) accordingly.
- Line 809: Remove the raw WIF private key literal from the source comment (the
line containing "privKey: cP4EKFyJsHT39LDqgdcB43Y3YXjNyjb5Fuas1GQSeAtjnZWmZEQK")
and replace it with a redacted placeholder such as "privKey: <REDACTED_WIF>";
also apply the same replacement to the matching literal later in the file (the
duplicate WIF at the second occurrence noted in the review). Locate these by
searching for the "privKey:" comment instances in the chainparams area and
update both comments to not include any real keys.

---

Nitpick comments:
In `@doc/p2p-bad-ports.md`:
- Line 17: Replace the phrase "in order to use them" with the tighter wording
"to use them" in the sentence containing "and on some platforms, require
administrative privileges in order to use them." — locate that sentence
(contains "require administrative privileges in order to use them") and update
it to "and on some platforms, require administrative privileges to use them."

In `@doc/reduce-traffic.md`:
- Line 29: Replace the inconsistent numbered ATX headings with the same heading
style used elsewhere in the document: change the heading "## 2. Disable
\"listening\" (`-listen=0`)" and the similar heading at the other location
("41-41") to match the project's existing heading format (e.g., remove the
numeric prefix or adjust ATX level/format to match other section headings),
ensuring MD003 passes.

In `@doc/release-notes-empty-template.md`:
- Around line 42-84: Replace setext-style headings in the release notes template
with consistent ATX-style headings: convert "Notable changes" and all
subsections like "P2P and network changes", "Updated RPCs", "New RPCs", "Build
System", "Updated settings", "New settings", "Tools and Utilities", "Wallet",
"GUI changes", "Low-level changes", "RPC", and "Tests" to equivalent ATX
headings (e.g., ## or ###) so the document uses only ATX-style headings
throughout for consistency and easier parsing.
- Line 108: Update the compare URL placeholder in the release notes template so
the two placeholders are distinct: change the left-side placeholder in the link
target for [set-of-changes] from *version* to *prev-version* (i.e., replace
compare/*version*...gobytecoin:*version* with
compare/*prev-version*...gobytecoin:*version*) so it clearly represents the
previous release versus the current release.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 22e713e9-91ac-4bba-ae0f-3b133c2589ca

📥 Commits

Reviewing files that changed from the base of the PR and between eaf3781 and dc77772.

📒 Files selected for processing (8)

• .github/ISSUE_TEMPLATE/bug_report.md
• .github/ISSUE_TEMPLATE/feature_request.md
• SECURITY.md
• doc/p2p-bad-ports.md
• doc/reduce-memory.md
• doc/reduce-traffic.md
• doc/release-notes-empty-template.md
• src/chainparams.cpp

✅ Files skipped from review due to trivial changes (2)

• .github/ISSUE_TEMPLATE/feature_request.md
• .github/ISSUE_TEMPLATE/bug_report.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify that the GPG keys listed in SECURITY.md exist on the keyserver.

echo "Testing GPG key availability on hkps://keys.openpgp.org..."
echo ""

# Test sirbond's key
echo "Checking sirbond's key (5E36 D7B2 4CAC D76C 7D8A 6B44 D344 58DB 363D 09AA)..."
gpg --keyserver hkps://keys.openpgp.org --recv-keys "5E36 D7B2 4CAC D76C 7D8A 6B44 D344 58DB 363D 09AA" 2>&1 | head -n 5
echo ""

# Test D0WN3D's key
echo "Checking D0WN3D's key (E81C 4513 AABE E054 7015 16C8 04DF 2E71 5374 F98E)..."
gpg --keyserver hkps://keys.openpgp.org --recv-keys "E81C 4513 AABE E054 7015 16C8 04DF 2E71 5374 F98E" 2>&1 | head -n 5
echo ""

echo "Verification complete. Keys should show 'imported' or 'unchanged' if they exist."

Repository: gobytecoin/gobyte

Length of output: 443

---

🌐 Web query:

sirbond GPG key 5E36 D7B2 4CAC D76C 7D8A 6B44 D344 58DB 363D 09AA

💡 Result:

The GPG key fingerprint 5E36 D7B2 4CAC D76C 7D8A 6B44 D344 58DB 363D 09AA belongs to "sirbond" (real name: Aliyul Erfan), associated with the GoByte cryptocurrency project. This key is used to sign official release binaries, as stated in multiple GoByte GitHub release notes (e.g., v0.16.2.1 and v0.16.1.1). The short key ID is D344 58DB 363D 09AA. Sirbond's Keybase profile is at https://keybase.io/sirbond/, where the PGP key can likely be obtained or verified. To import the public key using GPG, use the command: gpg --keyserver hkps://keys.openpgp.org --recv-keys 363D09AA (using the long key ID format is recommended for security). No direct public key block was found in search results, but it is available via keyservers or Keybase.

Citations:

• 1: https://github.com/gobytecoin/gobyte/releases
• 2: https://keybase.io/sirbond/

---

🌐 Web query:

D0WN3D GPG key E81C 4513 AABE E054 7015 16C8 04DF 2E71 5374 F98E

💡 Result:

No information found on a GPG key associated with "D0WN3D" having the fingerprint E81C 4513 AABE E054 7015 16C8 04DF 2E71 5374 F98E. Extensive searches across general web, keyservers, Keybase, Bitcoin-OTC, dark web references (dark.fail), GitLab, and hacker-related contexts returned no matching key details, owner, or public key block. The fingerprint does not appear in any retrieved sources. It may not be publicly available, revoked, or the query contains a misspelling.

Citations:

• 1: https://keybase.io/bdowne01/devices
• 2: http://bitcoin-otc.com/viewgpg.php?nick=ElevatedDownfall
• 3: https://docarchives.dlang.io/v2.081.0/gpg_keys.html
• 4: https://gitlab.com/im-down.gpg
• 5: http://bitcoin-otc.com/viewgpg.php?nick=Downandout
• 6: https://keybase.io/downfloor/devices
• 7: https://dark.fail/pgp-sigs.txt
• 8: https://dwayne.xyz/gpg/public
• 9: https://www.halostatue.ca/pgp-gpg/
• 10: https://forum.gitlab.com/t/gitlab-ce-update-failing/66376
• 11: https://www.gnupg.org/signature_key.html
• 12: https://www.tfeb.org/keys.html
• 13: https://strugee.net/gpg.html
• 14: https://gradle.org/keys/
• 15: https://db.torproject.org/fetchkey.cgi?fingerprint=E4ACD3975427A5BA8450A1BEB01C8B006DA77FAA
• 16: https://www.agwa.name/pgp/
• 17: https://www.red-bean.com/kfogel/public-key.html
• 18: https://www.stallman.org/gpg.html
• 19: https://keyserver.dobrev.eu/
• 20: https://gnewpg.org/
• 21: https://www.pgp.net/wwwkeys.html
• 22: https://www.pgp.net/ftp-key.html
• 23: https://www.afterdawn.com/software/security/encryption/gpg4win.cfm/v3_0_3
• 24: https://dlang.org/gpg_keys.html
• 25: https://keybase.io/d0wn
• 26: https://keybase.io/jtdowney/sigchain
• 27: https://keybase.io/drown/graph
• 28: https://keybase.io/dhn

---

🌐 Web query:

keys.openpgp.org GPG keyserver availability

💡 Result:

keys.openpgp.org is available and operational as of 2026-03-30. The official homepage is accessible and functional, providing key search, upload, and management features. The latest news update from 2023-04-28 reports no significant outages and steady operation with recent software maintenance (Hagrid v2.1.0). Official documentation confirms ongoing support for GnuPG usage via hkps://keys.openpgp.org, including Tor access. A 2026 GPG key update blog post implies continued reliance on the keyserver. No reports of downtime or shutdown found in recent sources.

Citations:

• 1: https://keys.openpgp.org/
• 2: https://keys.openpgp.org/about/faq
• 3: https://keys.openpgp.org/about/news
• 4: https://keys.openpgp.org/about/
• 5: https://keys.openpgp.org/about/usage-gnupg/
• 6: https://euroquis.nl/blabla/2026/02/03/gpg.html

---

Remove or verify the D0WN3D GPG key fingerprint.

The sirbond key is confirmed to exist and is available on the keyserver (used for signing official GoByte releases). However, the D0WN3D fingerprint (E81C 4513 AABE E054 7015 16C8 04DF 2E71 5374 F98E) cannot be found on any public GPG keyserver, Keybase, or other verification sources. Users attempting to import this key will fail. Either provide a corrected fingerprint or remove this entry from the security documentation.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@SECURITY.md` around lines 14 - 21, Update SECURITY.md to remove or correct
the unverifiable D0WN3D GPG key entry: either delete the table row containing
the Name "D0WN3D" and its fingerprint or replace the fingerprint E81C 4513 AABE
E054 7015 16C8 04DF 2E71 5374 F98E with a verified one (and keep the existing
guidance about importing keys); ensure the documentation only lists keys that
are resolvable on public keyservers and reference the "D0WN3D" identifier when
making the change so reviewers can verify the correction.

[d0wn3d]

check now

[coderabbitai]

🧩 Analysis chain

Let me re-check the keyserver for the D0WN3D key.

Let me directly query the keyserver API to verify.

---

🏁 Script executed:

#!/bin/bash
# Check if the D0WN3D key is now available on keys.openpgp.org via their REST API
FINGERPRINT="E81C4513AABEE054701516C804DF2E715374F98E"
echo "Querying keys.openpgp.org for fingerprint: $FINGERPRINT"
curl -s "https://keys.openpgp.org/vks/v1/by-fingerprint/$FINGERPRINT" -o /dev/null -w "HTTP Status: %{http_code}\n"
echo ""
# Also try the search endpoint
echo "Querying search endpoint..."
curl -s "https://keys.openpgp.org/vks/v1/by-fingerprint/$FINGERPRINT" | head -c 200

Length of output: 199

---

@d0wn3d, the key is still not found on the keyserver. The keys.openpgp.org API returns:

HTTP Status: 404
No key found for fingerprint E81C4513AABEE054701516C804DF2E715374F98E

To resolve this, you'll need to upload your GPG public key to the keyserver. Here's how:

# Export your public key
gpg --export --armor E81C4513AABEE054701516C804DF2E715374F98E > d0wn3d.asc

# Upload it to keys.openpgp.org
curl -T d0wn3d.asc https://keys.openpgp.org

Or via the web interface at https://keys.openpgp.org/upload.

Note: keys.openpgp.org requires email verification before a key's UID is publicly searchable. After uploading, you'll receive a verification email at the address associated with your key — make sure to confirm it so users can successfully import your key.

Once you've uploaded and verified the key, I can re-check and resolve this comment.

[d0wn3d]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 3

♻️ Duplicate comments (5)

doc/reduce-memory.md (1)

44-44: ⚠️ Potential issue | 🟡 Minor

Heading needs hyphen for correct grammar.

As previously flagged, the compound adjective should be hyphenated: "Linux-specific" not "Linux specific".

Suggested fix

-## Linux specific
+## Linux-specific

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@doc/reduce-memory.md` at line 44, The heading "## Linux specific" should be
hyphenated as "Linux-specific"; update the markdown heading text (the line
containing "## Linux specific") to "## Linux-specific" to correct the compound
adjective grammar and ensure consistency in doc/reduce-memory.md.

doc/reduce-traffic.md (2)

26-27: ⚠️ Potential issue | 🟠 Major

Permission terminology still doesn't match implementation.

This issue was previously flagged: the code uses pfrom->fWhitelisted with the -whitelistforcerelay flag, not a download permission. The documentation should reflect the actual whitelist mechanism to avoid operator misconfiguration.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@doc/reduce-traffic.md` around lines 26 - 27, Update the documentation to stop
calling the behavior a `download` permission and instead describe the actual
whitelist mechanism used by the code: reference pfrom->fWhitelisted and the
-whitelistforcerelay flag as the condition that prevents disconnection (and that
such peers still count toward traffic targets); replace mentions of "download
permission" with "whitelisted via -whitelistforcerelay / pfrom->fWhitelisted"
and ensure the wording matches the implementation.

---

53-54: ⚠️ Potential issue | 🟠 Major

forcerelay permission terminology still doesn't match implementation.

This issue was previously flagged: the code uses whitelisted peers with the -whitelistrelay flag, not a generic forcerelay permission. The documentation should accurately describe the whitelist + flag mechanism.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@doc/reduce-traffic.md` around lines 53 - 54, The doc incorrectly references a
generic "forcerelay" permission; update the wording to match the implementation:
state that peers marked as whitelisted via the -whitelistrelay flag (or in the
whitelist configuration) will still have their transactions relayed, and remove
or replace all uses of "forcerelay" with "-whitelistrelay" or "whitelisted
peers" (search for the term "forcerelay" in this document and replace with the
-whitelistrelay/whitelisted-peers description).

src/chainparams.cpp (2)

304-306: ⚠️ Potential issue | 🟡 Minor

Correct the repeated BIP34 activation comment.

Height 17 is the historical activation point here, but it is not the point where PUSHDATA1 becomes the only minimal encoding. Please replace both copies with a neutral activation comment.

✏️ Suggested comment update

-// BIP34 enforcement begins at height 17: the first height at which
-// PUSHDATA1 is the only minimal encoding for the block height integer,
-// preventing non-minimal coinbase scriptSig encodings from earlier blocks.
+// BIP34 enforcement begins at height 17.

Also applies to: 519-521

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/chainparams.cpp` around lines 304 - 306, Replace the duplicated,
inaccurate BIP34 comment text near the BIP34 activation comments with a single
neutral activation comment: state that BIP34 historically activated at height 17
without asserting that this is the point where PUSHDATA1 becomes the only
minimal encoding; update both comment instances that mention BIP34 activation
(the two comment blocks referencing BIP34) to something like "BIP34 activated at
height 17 (historical activation point)" so the comment is accurate and not
duplicated.

---

809-809: ⚠️ Potential issue | 🟠 Major

Redact the WIF literal from source comments.

Even on non-mainnet networks, keeping a real-looking private key string here trips secret scanners and normalizes bad key handling. Please scrub this copy and the duplicate at Line 930 as well.

🧹 Suggested fix

-        // privKey: <existing WIF literal>
+        // privKey: <REDACTED_WIF>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/chainparams.cpp` at line 809, Remove the real-looking WIF literal in the
comment that starts with the label "privKey:" and replace it with a non-secret
placeholder (e.g. "privKey: <REDACTED_WIF>" or "privKey: <example-wif>"); do the
same for the duplicate occurrence of the same "privKey:" comment elsewhere in
the file so no actual WIF appears in source comments and then re-run the secret
scanner to confirm it's gone.

🧹 Nitpick comments (2)

doc/release-notes-empty-template.md (1)

42-84: Consider using consistent heading style throughout.

The file mixes ATX-style headings (#, ##) in the main structure with setext-style headings (underlined with === or ---) within the "Notable changes" section. While both are valid Markdown, using a consistent style throughout improves maintainability.

♻️ Example refactor to ATX-style

-Notable changes
-===============
+## Notable changes

-P2P and network changes
------------------------
+### P2P and network changes

-Updated RPCs
-------------
+### Updated RPCs

(Apply similar changes to all setext-style headings in this section)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@doc/release-notes-empty-template.md` around lines 42 - 84, The document mixes
setext-style underlined headings with ATX-style (#) headings; convert all setext
headings (e.g., "Notable changes", "P2P and network changes", "Updated RPCs",
"New RPCs", "Build System", "Updated settings", "New settings", "Tools and
Utilities", "Wallet", "GUI changes", "Low-level changes", "RPC", "Tests") to a
consistent ATX style by replacing the underlined forms with the appropriate
number of leading hashes matching their current hierarchy (e.g., "# Notable
changes", "## P2P and network changes", "### Updated RPCs", etc.), and ensure
heading levels remain consistent across the section.

doc/p2p-bad-ports.md (1)

1-60: LGTM! Well-documented bad ports list.

This new documentation clearly explains the concept of "bad" ports and provides a comprehensive list with appropriate external references. The content is accurate and will help node operators understand connection behavior.

Optional: Minor style improvement on line 17

For more concise wording:

-and on some platforms, require administrative privileges in order to use them.
+and on some platforms, require administrative privileges to use them.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@doc/p2p-bad-ports.md` around lines 1 - 60, The sentence "A malicious actor
may gossip an address:port where no GoByte node is listening, or one where a
service is listening that is not related to the GoByte network." is wordy;
replace it with a concise alternative to improve flow: change that sentence in
the paragraph describing how peer lists are populated to "A malicious actor may
gossip an address:port where no GoByte node is listening or where an unrelated
service is running." Update the single sentence in the paragraph (the one
beginning with "A malicious actor may gossip...") to this shorter wording.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@doc/reduce-memory.md`:
- Around line 27-30: Update both docs to match the actual code: replace the
incorrect "11 outbound peers" / "10 outbound peers" wording with "9 outbound
peers" and remove the non-existent "2 block-relay-only" entries; state the
breakdown as MAX_OUTBOUND_CONNECTIONS (8) full-relay connections plus nMaxFeeler
(1) feeler (total 9). Edit the passages in doc/reduce-memory.md and
doc/reduce-traffic.md that mention outbound peer counts so they reference
MAX_OUTBOUND_CONNECTIONS and nMaxFeeler by name or the concrete counts (8
full-relay + 1 feeler = 9) and remove any mention of the two block-relay-only
peers.

In `@doc/reduce-traffic.md`:
- Around line 6-9: The documentation's outbound/inbound peer counts are
incorrect: update the text to reflect MAX_OUTBOUND_CONNECTIONS = 8 and that
there is an additional feeler connection nMaxFeeler = 1 (short-lived), and fix
the inbound calculation to use nMaxInbound = nMaxConnections - (nMaxOutbound +
nMaxFeeler) which yields 116 for nMaxConnections=125; remove the incorrect "2
block-relay-only" claim and mention that feeler is separate from the 8 regular
outbound peers and is not a persistent block-relay-only peer.

In `@doc/release-notes-empty-template.md`:
- Line 108: The compare URL currently uses the pattern
"*version*...gobytecoin:*version*" which compares the same tag to itself; update
the [set-of-changes] link so the left side is the previous ref and the right
side is the current release tag (e.g. change to
"https://github.com/gobytecoin/gobyte/compare/*previous*...*version*" or, if you
prefer comparing against a branch,
"https://github.com/gobytecoin/gobyte/compare/stable...*version*" so the diff
shows changes from the prior ref to the new *version*).

---

Duplicate comments:
In `@doc/reduce-memory.md`:
- Line 44: The heading "## Linux specific" should be hyphenated as
"Linux-specific"; update the markdown heading text (the line containing "##
Linux specific") to "## Linux-specific" to correct the compound adjective
grammar and ensure consistency in doc/reduce-memory.md.

In `@doc/reduce-traffic.md`:
- Around line 26-27: Update the documentation to stop calling the behavior a
`download` permission and instead describe the actual whitelist mechanism used
by the code: reference pfrom->fWhitelisted and the -whitelistforcerelay flag as
the condition that prevents disconnection (and that such peers still count
toward traffic targets); replace mentions of "download permission" with
"whitelisted via -whitelistforcerelay / pfrom->fWhitelisted" and ensure the
wording matches the implementation.
- Around line 53-54: The doc incorrectly references a generic "forcerelay"
permission; update the wording to match the implementation: state that peers
marked as whitelisted via the -whitelistrelay flag (or in the whitelist
configuration) will still have their transactions relayed, and remove or replace
all uses of "forcerelay" with "-whitelistrelay" or "whitelisted peers" (search
for the term "forcerelay" in this document and replace with the
-whitelistrelay/whitelisted-peers description).

In `@src/chainparams.cpp`:
- Around line 304-306: Replace the duplicated, inaccurate BIP34 comment text
near the BIP34 activation comments with a single neutral activation comment:
state that BIP34 historically activated at height 17 without asserting that this
is the point where PUSHDATA1 becomes the only minimal encoding; update both
comment instances that mention BIP34 activation (the two comment blocks
referencing BIP34) to something like "BIP34 activated at height 17 (historical
activation point)" so the comment is accurate and not duplicated.
- Line 809: Remove the real-looking WIF literal in the comment that starts with
the label "privKey:" and replace it with a non-secret placeholder (e.g.
"privKey: <REDACTED_WIF>" or "privKey: <example-wif>"); do the same for the
duplicate occurrence of the same "privKey:" comment elsewhere in the file so no
actual WIF appears in source comments and then re-run the secret scanner to
confirm it's gone.

---

Nitpick comments:
In `@doc/p2p-bad-ports.md`:
- Around line 1-60: The sentence "A malicious actor may gossip an address:port
where no GoByte node is listening, or one where a service is listening that is
not related to the GoByte network." is wordy; replace it with a concise
alternative to improve flow: change that sentence in the paragraph describing
how peer lists are populated to "A malicious actor may gossip an address:port
where no GoByte node is listening or where an unrelated service is running."
Update the single sentence in the paragraph (the one beginning with "A malicious
actor may gossip...") to this shorter wording.

In `@doc/release-notes-empty-template.md`:
- Around line 42-84: The document mixes setext-style underlined headings with
ATX-style (#) headings; convert all setext headings (e.g., "Notable changes",
"P2P and network changes", "Updated RPCs", "New RPCs", "Build System", "Updated
settings", "New settings", "Tools and Utilities", "Wallet", "GUI changes",
"Low-level changes", "RPC", "Tests") to a consistent ATX style by replacing the
underlined forms with the appropriate number of leading hashes matching their
current hierarchy (e.g., "# Notable changes", "## P2P and network changes", "###
Updated RPCs", etc.), and ensure heading levels remain consistent across the
section.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 73fa4492-49d8-4e28-a834-3938a82dc4f6

📥 Commits

Reviewing files that changed from the base of the PR and between eaf3781 and 4e0dc56.

📒 Files selected for processing (8)

• .github/ISSUE_TEMPLATE/bug_report.md
• .github/ISSUE_TEMPLATE/feature_request.md
• SECURITY.md
• doc/p2p-bad-ports.md
• doc/reduce-memory.md
• doc/reduce-traffic.md
• doc/release-notes-empty-template.md
• src/chainparams.cpp

✅ Files skipped from review due to trivial changes (2)

• .github/ISSUE_TEMPLATE/feature_request.md
• .github/ISSUE_TEMPLATE/bug_report.md

[d0wn3d]

@coderabbitai review
Check if the backports are done correctly or if there are discrepancies in the files vs actual commits/merges

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -e

echo "=== PR `#46` diff ==="
gh pr diff 46 --repo gobytecoin/gobyte 2>/dev/null || echo "PR `#46` not accessible or merged"

echo ""
echo "=== PR `#47` diff ==="
gh pr diff 47 --repo gobytecoin/gobyte 2>/dev/null || echo "PR `#47` not accessible or merged"

echo ""
echo "=== PR `#49` diff ==="
gh pr diff 49 --repo gobytecoin/gobyte 2>/dev/null || echo "PR `#49` not accessible or merged"

echo ""
echo "=== PR `#50` diff ==="
gh pr diff 50 --repo gobytecoin/gobyte 2>/dev/null || echo "PR `#50` not accessible or merged"

echo ""
echo "=== PR `#52` diff ==="
gh pr diff 52 --repo gobytecoin/gobyte 2>/dev/null || echo "PR `#52` not accessible or merged"

Length of output: 62479

---

🏁 Script executed:

#!/bin/bash
# Get the full PR `#51` diff to compare precisely against source PRs
gh pr diff 51 --repo gobytecoin/gobyte > /tmp/pr51_diff.txt

# Extract chainparams.cpp relevant sections from PR `#51`
echo "=== PR `#51` chainparams.cpp testnet genesis section ==="
grep -A5 -B2 "CreateGenesisBlock" /tmp/pr51_diff.txt | grep "^+" | grep -v "^+++"

echo ""
echo "=== PR `#51` hashGenesisBlock asserts ==="
grep "hashGenesisBlock\|assert" /tmp/pr51_diff.txt | grep "^+" | grep -v "^+++"

echo ""
echo "=== PR `#51` vSporkAddresses changes ==="
grep "vSporkAddresses\|SporkAddress" /tmp/pr51_diff.txt | grep "^[+-]" | grep -v "^[+-][+-][+-]"

echo ""
echo "=== PR `#51` chainTxData changes ==="
grep -A10 "chainTxData" /tmp/pr51_diff.txt | grep "^[+-]" | grep -v "^[+-][+-][+-]"

echo ""
echo "=== PR `#51` testnet BIP34Height/BIP34Hash ==="
grep "BIP34\|BIP65\|BIP66\|DIP0001\|DIP0003" /tmp/pr51_diff.txt | grep "^[+-]" | grep -v "^[+-][+-][+-]" | head -40

echo ""
echo "=== PR `#52` has LLMQ_TEST registration in testnet? ==="
grep "llmq_test\|LLMQ_TEST" /tmp/pr51_diff.txt | grep "^[+-]" | grep -v "^[+-][+-][+-]"

Length of output: 6549

---

@d0wn3d Here is the detailed file-by-file discrepancy analysis comparing each source PR's actual diff against PR #51:

---

✅ PR #46 — Dependency mirror updates

All 5 files match the source PR exactly:

File	Source PR #46	PR #51	Status
boost.mk	1_64_0→1.64.0, bintray→archives.boost.io	Identical	✅
expat.mk	SourceForge→GitHub Releases	Identical	✅
gmp.mk	gmplib.org→ftp.gnu.org/gnu/gmp	Identical	✅
zlib.mk	http://www.zlib.net→https://www.zlib.net/fossils/	Identical	✅
qrencode.mk	-without-tools→--without-tools	Identical	✅

---

✅ PR #47 — BIP34 re-enable + height fix

Location	Source PR #47	PR #51	Status
src/validation.cpp	8 commented lines uncommented	Identical	✅
src/chainparams.cpp mainnet BIP34Height	1→17	Identical	✅
src/chainparams.cpp mainnet BIP34Hash	Updated to 0x0000003f796a7213...	Identical	✅
Testnet nPowDGWHeight comment	TODO comment removed	Subsumed by #52 reformat	✅

---

✅ PR #49 — LLMQ null commitment validation

Location	Source PR #49	PR #51	Status
quorums_blockprocessor.cpp	17-line guard block before .at()	Identical	✅
quorums_commitment.cpp VerifyNull()	!IsNull() check first; skip VerifySizes for unknown types	Identical	✅
quorums_commitment.cpp CheckLLMQCommitment()	Type registration guard moved after IsNull() path	Identical	✅

---

✅ PR #50 — Remove LLMQ_5_60, use LLMQ_50_60 for testnet

Location	Source PR #50	PR #51	Status
src/consensus/params.h	LLMQ_5_60 = 100 removed	Identical	✅
src/chainparams.cpp	llmq5_60 struct removed	Identical	✅
Testnet llmqs map	LLMQ_5_60→LLMQ_50_60	Identical	✅
Testnet llmqTypeChainLocks / llmqTypeInstantSend	Both set to LLMQ_50_60	Identical	✅

---

✅ PR #52 — Testnet genesis reset

This is where the most scrutiny is warranted. Comparing PR #52 source diff against PR #51 directly:

Parameter	Source PR #52	PR #51 actual diff	Status
Testnet CreateGenesisBlock	(1774483200, 359663, 0x1e0ffff0, 1, 50 * COIN)	Identical	✅
Testnet genesis hash assert	0x00000b103faa9ba192192fa8905fc5b8a11bf79026fa089f8c0742cb79559b56	Identical	✅
Testnet hashMerkleRoot assert	0xdc9a719dc1bcda39107ea55424f00cab512170a1cb69efa08531f483f2399f21	Identical	✅
Testnet checkpoints	Reset to {0, <genesis hash>} only	Identical	✅
Testnet chainTxData	1774483200, tx=1, rate=0	Identical	✅
Testnet vSporkAddresses	nKxideDexymYFs3yxMSuJHLN3sNF3koezn	Identical	✅
Testnet BIP34Height	17 + FIXME stubs for other heights/hashes	Identical	✅
Testnet defaultAssumeValid	uint256S("0x00") with FIXME	Identical	✅
Devnet genesis hash assert	0x339500f3a84f1d4231087409104fafda47e652bd7e5301d343ceb60ed501c5ac	Identical	✅
Devnet chainTxData rate	0.001	Identical	✅
Mainnet vSporkAddresses	GS7REhk1msjCJsmcUdSdpgYBiiyjA1eM6Z	Identical	✅
LLMQ struct indentation	8-space→4-space reformatting	Identical	✅
CreateGenesisBlock field alignment	Trailing-spaces removed	Identical	✅

⚠️ Correction to prior analysis: The earlier bot comment stating the testnet genesis used timestamp 1743000000 / nonce 396944 / hash 0x000001b38a... was incorrect. The actual PR #51 diff confirms 1774483200 / 359663 / 0x00000b103f... — a perfect match with PR #52.

⚠️ Correction to prior analysis: consensus.defaultAssumeValid is not merely commented out — it is explicitly assigned uint256S("0x00") with a FIXME comment, fully consistent with PR #52's approach.

---

Summary

No functional discrepancies were found. All five sources (#46, #47, #49, #50, #52) are faithfully and completely cherry-picked into PR #51. The backport is clean.