Reject snapshot-less join against primary holding a more recent snapshot

[Copilot]

The primary should express an opinion about what snapshot is acceptable. Currently this opinion is "at least my startup_seqno".
To fix #7835 we should have a two step system.
On the first try the primary should require the joiner to have a snapshot which is at its latest snapshot number.
On subsequent tries, that primary should fall back to the safety constraint of greater than startup_seqno.

Copilot generated description:

A joiner with startup_seqno == 0 was accepted by an original (also startup_seqno == 0) primary even when that primary held committed snapshots, causing the joiner to replay the entire ledger.

Changes

• Join request: new optional retry_count field on JoinNetworkNodeToNode::In, incremented by the joiner each time a StartupSeqnoIsOld response triggers a snapshot fetch + retry.
• Primary-side check (node_frontend.h accept handler):
  • retry_count == 0: require startup_seqno >= max(this_startup_seqno, latest_on_disk_snapshot_seqno). The max keeps the existing behaviour when this node holds no snapshot.
  • retry_count > 0: fall back to the prior startup_seqno >= this_startup_seqno check, so the joiner doesn't chase a snapshot committed mid-fetch.
• Latest snapshot source: read from disk via NodeConfigurationSubsystem + snapshots::find_latest_committed_snapshot_in_directory (i.e. what the joiner could actually fetch from this node), not from the SNAPSHOT_STATUS KV table.
• Joiner (NodeState): tracks join_retry_count, bumped where the existing StartupSeqnoIsOld + fetch_recent_snapshot path is taken, and sent on the next request.
• Test: run_join_no_snapshot_against_original_primary in tests/reconfiguration.py starts a single-node network, generates a committed snapshot, then asserts:
  • join with from_snapshot=False, fetch_recent_snapshot=False is rejected with StartupSeqnoIsOld (previously silently replayed the ledger);
  • join with from_snapshot=False, fetch_recent_snapshot=True succeeds and the joiner reports a non-zero startup_seqno.
• CHANGELOG: new [Unreleased] / Fixed entry.

[Copilot]

Pull request overview

This PR hardens the node join protocol to prevent snapshot-less joiners from being accepted by an “original” primary that has already committed snapshots, avoiding full-ledger replay by requiring a sufficiently recent startup snapshot on the initial join attempt.

Changes:

• Add retry_count to the node-to-node join request and track it on the joiner to distinguish first-attempt joins from retries after snapshot fetch.
• Update primary-side join acceptance logic to compare the joiner’s startup_seqno against the latest committed snapshot on disk (first attempt only), falling back to the previous check on retries.
• Add an E2E regression test covering rejection of snapshot-less joins and successful join after fetching a snapshot; add a changelog entry.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
src/node/rpc/node_call_types.h	Adds optional retry_count to join request type.
src/node/rpc/serialization.h	Adds retry_count to JSON serialization for join request.
src/node/node_state.h	Tracks and sends join_retry_count when retrying join after snapshot fetch.
src/node/rpc/node_frontend.h	Implements primary-side min acceptable seqno check using latest on-disk committed snapshot on first attempt.
tests/reconfiguration.py	Adds regression test for joining without a snapshot against an original primary holding committed snapshots.
CHANGELOG.md	Adds [Unreleased] fixed entry describing the behavior change.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh gh pr view --json number (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[cjen1-msft]

Was blocked on #7853 now unblocked.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[achamayou]

@cjen1-msft the new test does not seem to be passing:

RuntimeError: ["Failure in reconfiguration: RuntimeError('Node 1 joined a primary which holds a committed snapshot without fetching one - this would replay the entire ledger')"]