switchrpc: improve TrackOnion error handling

[calvinrzachman]

Change Description

Following up on some review comments from #9489, we explore an update to the communication of error information via TrackOnionResponse.

• Enforce at compile time that either a pre-image or an attempt error will be set in the TrackOnionResponse through a top-level oneof.
• Avoid proprietary string-based encoding of hop index and wire message for ForwardingError, instead opting for structured protobuf messages (FailureDetails) to transport rich error details without loss of information.
• Provide type-safe mechanisms (oneof failure) within FailureDetails to carry specific failure types: ForwardingFailure, ClearTextFailure, or raw encrypted_error_data bytes.
• Communicate failures of the TrackOnion query itself (e.g., attempt not found, server unavailable) via standard gRPC status codes (codes.NotFound, codes.Unavailable), cleanly separating them from application-level payment outcomes in the response body.

NOTE: This is a breaking change for clients. Though given that this RPC is not included in any release, this seems perfectly fine. A follow-up PR is planned for SendOnion.

Steps to Test

• make itest icase=track_onion
• go test -v -timeout 30s -tags switchrpc -run ^TestTrackOnion$ github.com/lightningnetwork/lnd/lnrpc/switchrpc
• go test -v -timeout 30s -tags switchrpc github.com/lightningnetwork/lnd/lnrpc/switchrpc

[gemini-code-assist]

Summary of Changes

Hello @calvinrzachman, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refactors the error handling mechanism for the TrackOnion RPC. The primary goal is to move from a less structured, string-based error reporting to a more robust, type-safe, and explicit protobuf-driven approach. This enhancement ensures that clients receive clearer, more detailed, and programmatically accessible information about payment outcomes, whether successful or failed, while also aligning RPC-level errors with standard gRPC status codes.

Highlights

• Structured Error Handling: The TrackOnionResponse now uses a oneof field to ensure that either a preimage (for success) or detailed FailureDetails (for failure) is set, enforcing mutual exclusivity at compile time.
• Rich Failure Details: Proprietary string-based encoding for ForwardingError has been replaced with structured protobuf messages (FailureDetails), allowing for the transport of rich error details without loss of information.
• Type-Safe Failure Types: The new FailureDetails message includes a oneof field to carry specific failure types: ForwardingFailure, ClearTextFailure, or raw encrypted_error_data bytes, providing type-safe mechanisms for error reporting.
• Standard gRPC Status Codes: Failures related to the TrackOnion query itself (e.g., attempt not found, server unavailable) are now communicated via standard gRPC status codes (codes.NotFound, codes.Unavailable), cleanly separating them from application-level payment outcomes in the response body.
• Breaking Change Acknowledged: This change is acknowledged as a breaking change for clients, but it is deemed acceptable as the TrackOnion RPC is not yet included in any released version.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request significantly improves error handling for the TrackOnion RPC by introducing structured error messages using protobuf's oneof feature. This is a great improvement over the previous string-based error reporting, making the API more robust and easier for clients to consume. The changes correctly separate RPC-level errors (communicated via gRPC status codes) from application-level payment failures. The implementation is solid, but I found one issue where the ErrorCode field is not being set for certain failure types, which I've commented on. Overall, this is a high-quality change that enhances the switchrpc API.

[calvinrzachman]

This leads to a code structure in the RPC client code like:

	switch result := trackResp.Result.(type) {
	case *switchrpc.TrackOnionResponse_Preimage:
		preimage, err := lntypes.MakePreimage(result.Preimage)
		if err != nil {
			// This is a data corruption error from the server. It
			// is NOT a definitive payment failure.

		}

		// Do something with pre-image...

	case *switchrpc.TrackOnionResponse_FailureDetails:
		details := result.FailureDetails
		translatedErr, err := switchrpc.UnmarshallFailureDetails(
			details, deobfuscator,
		)

		// Do something to handle attempt result (either settle/fail or retry if uncertain)

[bitromortac]

The code repetition here and in translageErrorForRPC isn't ideal, but I like the clarity of using one_of. Mabye we could do a similar approach in the SendOnion error to also add a ClearTextFailure.

[calvinrzachman]

Yep, for sure. I have a similar PR incoming which updates the way SendOnion rpc communicates error information. It will remove translateErrorForRPC. Just wanted to keep the PRs as small as possible to facilitate review.

[calvinrzachman]

One thing to consider is that SendOnion semantics differ a bit from TrackOnion. For TrackOnion, the gRPC request can itself be successful, but deliver information to the client about the failure of the given attempt ID being queried. For such failures, it makes sense to transport those via the RPC proto response message.

The SendOnion PR will likely move away from transporting error information via the proto response message. Instead we can reserve gRPC status status.OK for successful dispatches only and then transport structured error information via Details as mentioned in these docs:

• https://grpc.io/docs/guides/error/
• https://pkg.go.dev/google.golang.org/grpc/internal/status

I think this has added benefit to observability in that we'll be able to track gRPC failures/non-OK status for SendOnion endpoint more clearly to see if the remote router is having issues communicating with Switch RPC servers.

[calvinrzachman]

Before we were good to have separate commits for proto definitions and implementation. Now that the TrackOnion rpc exists in the codebase, this leads to the first commit not building here. I can squash proto change + implementation together if desired.

[bitromortac]

I wonder if we can get rid of this error code as it makes it harder to use the API. Perhaps this could be an alternative approach https://github.com/bitromortac/lnd/tree/re-10472-upstream-260108-17, not sure how much it interferes with the grpc error status based approach for SendOnion. This way we'd only need to switch on the failure details.

[calvinrzachman]

Thanks for the exploration of this alternate approach. After trying a few things on the rpc client side, I expect the ErrorCode will be the primary discriminator used by SendOnion rpc client. The switch statements are a bit less verbose when done over an integer like ErrorCode than a proto Message type. I think it can also improve the forward compatibility a bit in that new definitive failure types (e.g., a new LinkError) can be added within the same code/category without breaking older clients.

[lightninglabs-deploy]

@calvinrzachman, remember to re-request review from reviewers when ready

[lightninglabs-deploy]

🟠 PR Severity: HIGH

switchrpc: improve TrackOnion error handling | 7 files | 1087 additions / 313 deletions

🟠 High (2 files)

• lnrpc/switchrpc/switch.proto - RPC/API definition changes for TrackOnion error handling
• lnrpc/switchrpc/switch_server.go - RPC server implementation for improved error handling

🟢 Low (5 files)

• docs/release-notes/release-notes-0.21.0.md - Documentation
• itest/lnd_sendonion_test.go - Integration test
• lnrpc/switchrpc/switch.pb.go - Auto-generated protobuf code
• lnrpc/switchrpc/switch.swagger.json - Auto-generated Swagger spec
• lnrpc/switchrpc/switch_server_test.go - Unit tests

Analysis

This PR improves error handling in the TrackOnion RPC endpoint within the switchrpc package. The changes fall under the HIGH severity category because:

1. RPC/API Changes: The PR modifies lnrpc/* files, specifically the Switch RPC service definition and implementation
2. Error Handling Improvements: Enhances error reporting for payment tracking, which affects API behavior and client integration
3. Substantive Changes: ~251 lines changed in core implementation files (excluding tests and auto-generated code)

The PR does not warrant a bump to CRITICAL as it:

• Does not touch core HTLC switching logic (htlcswitch/*)
• Has <20 substantive files changed
• Has <500 substantive lines changed
• Focuses on RPC layer error handling rather than critical payment routing state

Recommendation: Requires review by an engineer knowledgeable in the RPC layer and payment tracking subsystems to ensure error handling changes maintain backward compatibility and don't introduce regressions in client error handling.

---

_{To override, add a severity-override-{critical,high,medium,low} label.}

[lightninglabs-deploy]

🟠 PR Severity: HIGH

switchrpc improvements | 7 files | 1,131 additions / 314 deletions

🟠 High (1 file)

• lnrpc/switchrpc/switch_server.go - RPC server implementation for TrackOnion error handling

🟡 Medium (1 file)

• lnrpc/switchrpc/switch.proto - API definition changes

🟢 Low (2 files)

• docs/release-notes/release-notes-0.21.0.md - Release notes
• itest/lnd_sendonion_test.go - Integration test

⚪ Auto-generated (3 files, excluded from analysis)

• lnrpc/switchrpc/switch.pb.go - Protocol buffer generated code
• lnrpc/switchrpc/switch.swagger.json - Swagger API spec
• lnrpc/switchrpc/switch_server_test.go - Test file

Analysis

This PR improves error handling in the TrackOnion RPC endpoint within the switchrpc service. The changes are classified as HIGH severity because:

1. RPC API modification: Changes to lnrpc/switchrpc/switch_server.go affect the RPC server implementation, which falls under the HIGH category per the classification rules.

2. Protocol changes: The .proto file modifications indicate API surface changes that affect how clients interact with lnd.

3. Scope: While the PR is focused on error handling improvements (which is positive), any changes to RPC endpoints require knowledgeable engineer review to ensure backward compatibility and proper error propagation.

The PR does not meet the criteria for a severity bump (would need >20 files or >500 non-excluded lines changed). The majority of the line changes are in auto-generated protobuf code, which is expected.

Recommendation: This PR should be reviewed by an engineer familiar with the switchrpc interface and error handling patterns in lnd's RPC layer.

---

_{To override, add a severity-override-{critical,high,medium,low} label.}

[lightninglabs-deploy]

🟠 PR Severity: HIGH

switchrpc: improve TrackOnion error handling | 7 files | 1,444 lines changed

🟠 High (2 files)

• lnrpc/switchrpc/switch.proto - RPC/API definition changes (78 lines)
• lnrpc/switchrpc/switch_server.go - RPC server implementation (261 lines)

🟢 Low (3 files)

• docs/release-notes/release-notes-0.21.0.md - Release notes documentation
• itest/lnd_sendonion_test.go - Integration test updates
• lnrpc/switchrpc/switch_server_test.go - Unit test updates

📦 Auto-generated (2 files, excluded from severity)

• lnrpc/switchrpc/switch.pb.go - Protobuf generated code
• lnrpc/switchrpc/switch.swagger.json - Swagger generated file

Analysis

This PR is classified as HIGH severity because it modifies RPC API definitions and server implementations in the switchrpc package. According to the severity guidelines, lnrpc/* (RPC/API definitions) falls under the HIGH category, requiring review by a knowledgeable engineer.

Key changes:

• Enhances error handling for the TrackOnion RPC endpoint
• Modifies the switch.proto API contract
• Updates server-side implementation logic

No severity bump applied: The PR has only 2 substantive files (excluding tests and auto-generated code) with 339 lines changed, which doesn't meet the bump thresholds (>20 files or >500 lines).

Recommendation: This should be reviewed by an engineer familiar with the Lightning RPC layer and onion routing functionality to ensure the error handling changes maintain API compatibility and correctness.

---

_{To override, add a severity-override-{critical,high,medium,low} label.}

[bitromortac]

I think this is a nice improvement as the errors we encounter can be manifold 🙏.

[bitromortac]

Critical will lead to a shutdown. Not sure we want that

[calvinrzachman]

Ahh my mistake. Definitely don't want a shut down. Updated ✅

[bitromortac]

Does it make sense to get rid of that and use the internal error status code instead, so maybe add a return error to marshallFailureDetails?

[lightninglabs-deploy]

🟠 PR Severity: HIGH

switchrpc: improve TrackOnion error handling | 3 non-test files | ~340 lines changed

🟠 High (2 files)

• lnrpc/switchrpc/switch.proto - API definition changes for TrackOnion RPC
• lnrpc/switchrpc/switch_server.go - RPC server implementation with error handling logic

🟡 Medium (0 files)

None

🟢 Low (1 file)

• docs/release-notes/release-notes-0.21.0.md - Documentation update

Analysis

This PR is classified as HIGH severity because it modifies the switchrpc RPC server implementation (lnrpc/switchrpc/switch_server.go), which handles TrackOnion payment tracking functionality. The changes involve:

1. API Changes: Modifications to the .proto file introduce new error handling fields
2. RPC Server Logic: Updates to error handling and response construction in the switch server
3. Auto-generated Files: Corresponding updates to .pb.go and swagger files (excluded from counting)

The PR touches RPC/API definitions and server implementations, which fall under the HIGH severity category per the classification rules. The changes improve error handling for the TrackOnion RPC, which is important for payment tracking reliability.

No severity bump applied: The PR has 3 non-test/non-generated files and approximately 340 lines changed, both below the thresholds for bumping (20 files or 500 lines).

Review Focus: Reviewers should pay attention to backward compatibility of the API changes, error handling completeness, and proper error propagation in the TrackOnion implementation.

---

_{To override, add a severity-override-{critical,high,medium,low} label.}

[lightninglabs-deploy]

🟠 PR Severity: HIGH

switchrpc improvements | 7 files | ~249 lines changed (excluding auto-generated)

🟠 High (2 files)

• lnrpc/switchrpc/switch.proto - RPC API definition changes for TrackOnion error handling
• lnrpc/switchrpc/switch_server.go - RPC server implementation with improved error handling logic

🟡 Medium (0 files)

None

🟢 Low (5 files)

• docs/release-notes/release-notes-0.21.0.md - Release notes documentation
• itest/lnd_sendonion_test.go - Integration test updates
• lnrpc/switchrpc/switch.pb.go - Auto-generated protobuf code
• lnrpc/switchrpc/switch.swagger.json - Auto-generated swagger spec
• lnrpc/switchrpc/switch_server_test.go - Unit tests

Analysis

This PR improves error handling in the TrackOnion RPC endpoint. The changes are focused in the lnrpc/switchrpc package, which falls into the HIGH severity category as it involves RPC/API definitions and their implementations.

Key considerations:

• API changes: The .proto file modifications indicate changes to the RPC interface contract
• Error handling improvements: The server implementation enhances error handling for onion payment tracking
• No severity bump: With only 2 non-test/non-generated files (~249 lines) changed, this doesn't meet the criteria for bumping to CRITICAL

Review focus areas:

• Backwards compatibility of API changes
• Proper error propagation and handling in TrackOnion
• Impact on existing RPC clients

---

_{To override, add a severity-override-{critical,high,medium,low} label.}