test(platform-wallet): integration test framework + first transfer test

[Claudius-Maginificent]

Issue being fixed or feature implemented

rs-platform-wallet had a thin test surface (tests/spv_sync.rs, tests/contact_workflow_tests.rs, tests/thread_safety.rs) and no end-to-end harness exercising the full wallet → SDK → broadcast pipeline. This adds a generalised, future-extractable e2e test framework modelled on dash-evo-tool/tests/backend-e2e/, plus the first test case: passing credits between two platform addresses.

Two notable differences from DET:

1. Bank uses platform addresses (not Core asset locks) as the funding source — initial bootstrap is operator-managed out-of-band.
2. Future Core support designed in — directory is tests/e2e/ (not platform_e2e/); SPV runtime + ContextProvider modules retained (currently disabled, see below) for re-enablement when SPV stabilises.

Per user direction, production code is kept as close to upstream v3.1-dev as possible — only one real bug fix lands in src/. All test-only convenience accessors (fee_paid, address_derivation_info) were absorbed inside the test framework.

What was done?

Production code (single bug fix only)

src/wallet/platform_addresses/transfer.rs — auto_select_inputs was inserting the FULL address balance as the input contribution. The protocol enforces Σ inputs == Σ outputs (with fee strategy adjusting), so when one input had 500B credits and the requested output was 50M, the balance equation broke. Fix: trim the last selected input to required - prior_accumulated so the contribution map matches what the protocol expects. Includes new unit tests covering the trimming behaviour.

This bug affected every caller using InputSelection::Auto — not just our framework.

Cargo.toml — dev-dependencies for the e2e framework (tokio_shared_rt, tempfile, dotenvy, bip39, fs2, serde_json, simple-signer, rs-sdk-trusted-context-provider, dash-async, parking_lot, tokio-util, async-trait).

git diff origin/v3.1-dev -- packages/rs-platform-wallet/src/ shows ONLY the auto_select_inputs fix.

Test framework (packages/rs-platform-wallet/tests/e2e/)

• framework/harness.rs — E2eContext lazy-init via OnceCell: workdir slot lock → SDK construction → TrustedHttpContextProvider → PlatformWalletManager → bank load → registry open → startup cleanup::sweep_orphans.
• framework/sdk.rs — SDK constructed with TrustedHttpContextProvider::new(network, None, cache_size). Optional PLATFORM_WALLET_E2E_TRUSTED_CONTEXT_URL env override. SPV-based context provider commented out and tracked for re-enablement.
• framework/bank.rs — BankWallet::load parses BIP-39, syncs, panics with operator-actionable message if under-funded (includes the bank's primary receive address).
• framework/wallet_factory.rs — TestWallet, SetupGuard (synchronous Drop that warns and defers to startup-sweep). setup() registers wallets in the persistent registry BEFORE returning the guard so panics leave a recoverable trail.
• framework/signer.rs — SeedBackedPlatformAddressSigner with eager DIP-17 key cache (derives 0..GAP_LIMIT keys at construction; can_sign_with is honest, no async wallet round-trip).
• framework/registry.rs — PersistentTestWalletRegistry, JSON-backed at <workdir>/test_wallets.json, atomic write-temp-+-rename.
• framework/cleanup.rs — sweep_orphans (startup) + teardown_one (per-test). Uses InputSelection::Explicit(full_balances) to bypass auto_select_inputs trim semantics; reserves SWEEP_FEE_ESTIMATE = 30M on a fee-bearer input (covers 1-3 input sweeps based on observed testnet fees).
• framework/wait_hub.rs — WaitEventHub implementing PlatformEventHandler, lock-free tokio::sync::Notify-based event bus integration. wait_for_balance is event-driven (no fixed polling).
• framework/workdir.rs — flock-based slot fallback (DET pattern, up to 10 slots) for cross-process safety.
• framework/context_provider.rs — SpvContextProvider using dash_async::block_on (runtime-flavour-agnostic). Currently disabled; module retained for re-enablement.
• framework/spv.rs — SPV start + wait_for_mn_list_synced with 600s timeout floor matching tests/spv_sync.rs precedent. Currently disabled.
• cases/transfer.rs — the first test:

  #[tokio_shared_rt::test(shared, flavor = "multi_thread", worker_threads = 12)]
  #[ignore]
  async fn transfer_between_two_platform_addresses() { /* ... */ }

  Bank funds test wallet's addr_1 with 50M; test wallet self-transfers 10M to addr_2; assertions on balances; explicit teardown sweeps remaining funds back to bank.

Documentation

• tests/e2e/README.md — operator setup, env-var table, bank pre-funding, multi-process safety, panic-safe cleanup, troubleshooting, future Core support.

How Has This Been Tested?

• cargo check --tests -p platform-wallet — clean
• cargo clippy --tests -p platform-wallet -- -D warnings — clean
• cargo fmt -p platform-wallet — applied
• Live happy-path: passes end-to-end against testnet in 24.76s:

  test cases::transfer::transfer_between_two_platform_addresses ... ok
  test result: ok. 1 passed; 0 failed; finished in 24.76s
  

  • TrustedHttpContextProvider boot: ~3s
  • Bank funded addr_1 with 50M (2.3s confirmation)
  • Self-transfer addr_1 → addr_2 (202ms confirmation)
  • Post-transfer assertions: funded=50M received=10M remaining=30755720 fee=9244280 ✓
  • Teardown sweep: ✓ clean
• Panic-recovery verified live: across multiple iteration runs, the startup sweep recovered orphan wallets from prior failed runs (startup sweep recovered orphan wallets from prior runs count=N).
• QA audit (Marvin, 9 findings): all resolved or documented as intentional. See docs/ private notes.

Breaking Changes

None.

Outstanding (deferred)

• SPV re-enablement (Task fix(sdk): hash is not a function #15 internal): re-enable SPV start + SPV-based ContextProvider once SPV cold-start is reliable on testnet. Modules retained, harness blocks commented out.
• Per-address transaction history (out of scope): scoped at ~2000-3000 LOC across Drive (state-tree change + breaking platform-version bump), SDK, wallet, FFI, Swift. Recommended as a separate ADR + multi-PR rollout. Full scope analysis kept in private notes.
• Sweep fee estimator dynamic refinement (latent): SWEEP_FEE_ESTIMATE = 30M is a constant calibrated against observed testnet fees (1-input ~9.5M, 2-input ~21M). Long-term: derive from transfer::estimate_fee_for_inputs (currently private) — needs a small public helper.

Checklist

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have added or updated relevant unit/integration/functional/e2e tests (this IS the e2e test framework)
• I have added "!" to the title and described breaking changes in the corresponding section if my code contains any (no breaking changes)
• I have made corresponding changes to the documentation if needed (README + module-level rustdoc)

For repository code-owners and collaborators only

• I have assigned this pull request to a milestone

_{🤖 Co-authored by Claudius the Magnificent AI Agent}

Summary by CodeRabbit

Release Notes

• New Features

  • Added comprehensive end-to-end testing framework for wallet operations including bank wallet management, test registry, and cleanup utilities
  • Added seed-based constructors to SimpleSigner for DIP-17 key derivation support
  • Exposed SDK address input functions for public use

• Tests

  • Added E2E test suite with transfer operation test case demonstrating platform address transfers

• Documentation

  • Added E2E test framework guide with setup instructions and configuration reference
  • Added environment variable configuration template for E2E tests

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4e1d9c2d-86fe-42da-b7b1-d324f78d090e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

An end-to-end testing framework for rs-platform-wallet is added with shared process context, bank wallet funding, persistent wallet registry, cleanup/orphan sweeping, and complete test infrastructure including configuration management, SDK setup, event notification, and example test cases demonstrating transfers between platform addresses. Related SDK modules are also exposed for external use, and seed-based signer constructors are introduced.

Changes

Cohort / File(s)	Summary
E2E Framework Infrastructure packages/rs-platform-wallet/tests/e2e/framework/config.rs, workdir.rs, registry.rs	Environment variable loading with .env file support, workdir slot reservation with exclusive file locking, and persistent JSON-backed wallet seed registry with atomic writes and corruption recovery.
E2E Harness & Context packages/rs-platform-wallet/tests/e2e/framework/harness.rs, mod.rs	Process-shared E2eContext initialization via OnceCell, SDK/wallet manager/bank/registry/event-hub injection, setup utilities for seed generation and test wallet creation with registry entry insertion.
Bank Wallet & Funding packages/rs-platform-wallet/tests/e2e/framework/bank.rs	BIP-39 mnemonic-backed bank wallet with minimum-credit validation, DIP-17 address derivation, and concurrent-safe fund transfers using global async mutex to prevent nonce races.
Cleanup & Lifecycle packages/rs-platform-wallet/tests/e2e/framework/cleanup.rs, wallet_factory.rs	Orphan wallet sweeping at startup with fund drainage and registry status updates, per-test teardown with unregistration, plus test wallet factory with address selection, balance sync, and cleanup guards.
SDK & Event Infrastructure packages/rs-platform-wallet/tests/e2e/framework/sdk.rs, wait_hub.rs, context_provider.rs	SDK construction with TrustedHttpContextProvider, testnet DAPI endpoint defaults, WaitEventHub for event-driven async test waits, and SpvContextProvider implementing platform SDK context bridge.
Wait & Polling Utilities packages/rs-platform-wallet/tests/e2e/framework/wait.rs, spv.rs	Generic polling loop with timeout, event-driven balance-change waiter with sync/notification integration, SPV client startup and masternode-list sync readiness checker with progress logging.
E2E Test Cases & Entry Points packages/rs-platform-wallet/tests/e2e.rs, cases/mod.rs, cases/transfer.rs, README.md, .env.example	Integration test root module, test case organization, fund-and-transfer example test verifying fee deduction, framework documentation with operator setup requirements and architecture overview, and environment configuration template.
Cargo Dependencies packages/rs-platform-wallet/Cargo.toml	Dev-dependency additions: tokio-shared-rt, tempfile, dotenv, bip39, fs2, parking_lot, simple-signer, SDK context provider, plus tokio-util rt feature.
SDK Public API Exposure packages/rs-sdk/src/platform/transition.rs, transition/address_inputs.rs	Module visibility change from crate-restricted to public; functions fetch_inputs_with_nonce and nonce_inc exposed for external callers.
Signer Feature & Constructors packages/simple-signer/Cargo.toml, signer.rs	New derive feature pulling key-wallet and thiserror dependencies; two seed-based constructors for platform-address and identity signers with BIP-32 derivation and error mapping.

Sequence Diagram(s)

sequenceDiagram
    participant Test as E2E Test
    participant Harness as E2eContext Harness
    participant Registry as Wallet Registry
    participant Bank as BankWallet
    participant TWallet as TestWallet
    participant Manager as PlatformWalletManager
    participant SDK as SDK/PlatformWallet
    participant Cleanup as Cleanup

    Test->>Harness: init() first call
    Harness->>Registry: open(test_wallets.json)
    Harness->>Cleanup: sweep_orphans()
    Cleanup->>Registry: list_orphans()
    Cleanup->>Manager: create from orphan seed
    Cleanup->>SDK: sync & drain to bank
    Cleanup->>Registry: remove_orphan_entry
    Harness->>Bank: load from mnemonic
    Harness->>Bank: sync_balances()
    Harness->>Bank: fund_address(test_addr1, credits)
    Harness->>SDK: transfer via bank wallet
    Test->>Test: setup() generates seed
    Test->>Manager: create TestWallet
    Test->>TWallet: create(seed)
    Test->>TWallet: next_unused_address() → addr2
    Test->>Bank: fund_address(addr2, TRANSFER_CREDITS)
    Test->>SDK: transfer via bank
    Test->>TWallet: wait_for_balance(addr2, expected)
    TWallet->>SDK: sync_balances()
    Test->>SDK: transfer(addr2 → addr1, TRANSFER_CREDITS)
    SDK->>SDK: execute, compute fee
    Test->>TWallet: verify balances & fee
    Test->>Test: teardown()
    Test->>Cleanup: teardown_one(test_wallet)
    Cleanup->>TWallet: drain all addresses to bank
    Cleanup->>Registry: remove_entry

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

---

🐰 Hopping through the test warren,
New E2E frames make wallets soar-in',
Bank funds and registry keep,
While cleanup sweeps run deep,
SDK paths now public—hooray, no more hide-n'! 🌙✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding an integration test framework and the first transfer test for platform-wallet, which aligns with the extensive test infrastructure added across the changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/rs-platform-wallet-e2e

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Adds an end-to-end (wallet → SDK → broadcast) integration test harness to rs-platform-wallet and introduces the first live test case (address-funds transfer), alongside a production fix to InputSelection::Auto input selection so generated transitions satisfy protocol structure rules.

Changes:

• Added a reusable E2E framework under packages/rs-platform-wallet/tests/e2e/ (workdir slot locking, bank wallet, persistent registry, cleanup/sweep, wait hub, signer, SDK wiring).
• Added the first E2E test case: transferring credits between two platform-payment addresses in a test wallet (ignored by default).
• Fixed auto_select_inputs in production code to avoid selecting full balances as “input credits”, and added unit tests for the selection logic.

Reviewed changes

Copilot reviewed 21 out of 22 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs	Fixes auto input selection; adds pure helper + unit tests for selection behavior.
packages/rs-platform-wallet/tests/e2e.rs	Adds the integration test crate root and module wiring for the e2e suite.
packages/rs-platform-wallet/tests/e2e/README.md	Operator/setup documentation for running live e2e tests.
packages/rs-platform-wallet/tests/e2e/cases/mod.rs	Declares e2e test modules.
packages/rs-platform-wallet/tests/e2e/cases/transfer.rs	First e2e test exercising funding + self-transfer + teardown.
packages/rs-platform-wallet/tests/e2e/framework/mod.rs	Framework public surface (setup, errors, prelude) and module layout.
packages/rs-platform-wallet/tests/e2e/framework/harness.rs	E2eContext singleton init: config, workdir locking, SDK, manager, bank, registry, startup sweep.
packages/rs-platform-wallet/tests/e2e/framework/config.rs	Env/.env configuration loader for the harness.
packages/rs-platform-wallet/tests/e2e/framework/sdk.rs	Constructs dash_sdk::Sdk with TrustedHttpContextProvider and DAPI address resolution.
packages/rs-platform-wallet/tests/e2e/framework/workdir.rs	Cross-process workdir slot selection via flock.
packages/rs-platform-wallet/tests/e2e/framework/panic_hook.rs	Installs panic hook to cancel background work on panic.
packages/rs-platform-wallet/tests/e2e/framework/wait_hub.rs	Notify-based hub bridging wallet/SPV/platform events to async waiters.
packages/rs-platform-wallet/tests/e2e/framework/wait.rs	Async waiting helpers (event-driven balance wait + generic polling).
packages/rs-platform-wallet/tests/e2e/framework/signer.rs	Seed-backed Signer<PlatformAddress> with eager DIP-17 key cache.
packages/rs-platform-wallet/tests/e2e/framework/wallet_factory.rs	Test wallet factory + SetupGuard (panic-safe registry-backed lifecycle).
packages/rs-platform-wallet/tests/e2e/framework/registry.rs	JSON-backed persistent registry for panic-safe orphan recovery.
packages/rs-platform-wallet/tests/e2e/framework/cleanup.rs	Startup sweep + per-test teardown draining funds back to bank.
packages/rs-platform-wallet/tests/e2e/framework/bank.rs	Loads and syncs a pre-funded bank wallet; serialized funding API.
packages/rs-platform-wallet/tests/e2e/framework/context_provider.rs	Retained (disabled) SPV-backed SDK context provider module for future re-enable.
packages/rs-platform-wallet/tests/e2e/framework/spv.rs	Retained (disabled) SPV startup/readiness helpers for future re-enable.
packages/rs-platform-wallet/Cargo.toml	Adds dev-dependencies needed by the e2e harness.
Cargo.lock	Locks new/updated dependencies for the added test tooling.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[thepastaclaw]

✅ Review complete (commit 921833f)

[Copilot]

Pull request overview

Copilot reviewed 23 out of 24 changed files in this pull request and generated 9 comments.

Comments suppressed due to low confidence (2)

packages/rs-sdk/src/platform/transition/address_inputs.rs:39

• Now that this helper is public, nonce + 1 can overflow when nonce == u32::MAX, which will panic in debug builds and wrap in release builds. Consider using checked_add(1) and returning an error (or otherwise handling the overflow) so callers can't accidentally produce an invalid/wrapping nonce.

pub fn nonce_inc(
    data: BTreeMap<PlatformAddress, (AddressNonce, Credits)>,
) -> BTreeMap<PlatformAddress, (AddressNonce, Credits)> {
    data.into_iter()
        .map(|(address, (nonce, credits))| (address, (nonce + 1, credits)))
        .collect()

packages/rs-sdk/src/platform/transition/address_inputs.rs:18

• fetch_inputs_with_nonce is now public but has no doc comment explaining (1) that it performs existence/balance checks and (2) that callers typically need to apply nonce_inc before building a transfer (as transfer_address_funds does). Please document the intended call pattern (or provide a single public helper that returns the incremented nonces) to reduce misuse from external callers.

pub async fn fetch_inputs_with_nonce(
    sdk: &Sdk,
    amounts: &BTreeMap<PlatformAddress, Credits>,
) -> Result<BTreeMap<PlatformAddress, (AddressNonce, Credits)>, Error> {
    if amounts.is_empty() {
        return Err(Error::from(TransitionNoInputsError::new()));
    }

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[thepastaclaw]

Code Review

PR adds a substantial e2e framework for rs-platform-wallet. Four blocking issues in the cleanup/teardown lifecycle: the live test no longer carries #[ignore] (so plain cargo test fails without the bank mnemonic), the sweep helper doesn't filter sub-min_input_amount inputs (DPP rejects them), SWEEP_DUST_THRESHOLD (5M) sits below the protocol's min transfer fee (6.5M) leaving an unsweepable balance band, and positive sub-threshold balances are silently dropped from the registry. Several supporting suggestions and nitpicks around dead/misnamed API and error-context loss. Overflow: 3 valid findings dropped to fit the 10-comment budget.

Reviewed commit: ae98ccf

🔴 4 blocking | 🟡 4 suggestion(s) | 💬 2 nitpick(s)

1 additional finding

🟡 suggestion: `fetch_inputs_with_nonce` / `nonce_inc` promoted to `pub` with no caller outside rs-sdk

packages/rs-sdk/src/platform/transition/address_inputs.rs (lines 12-40)

Both functions (and the address_inputs module itself) were widened from pub(crate) to pub. A repo-wide grep finds no caller outside crate::platform::transition::* — the e2e framework in rs-platform-wallet does not import them, and rs-platform-wallet production code doesn't either. The PR description frames this as future-friendliness for the e2e framework, but that framework never lands the call. Promoting low-level internals to the SDK's public API surface without a concrete consumer is a maintenance hazard: once pub, the signatures become a stability commitment, and nonce_inc in particular is footgun-prone outside the strict fetch→increment→sign→broadcast flow. Revert to pub(crate) (or pub(super)) and widen in the same PR as the first external caller.

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/cases/transfer.rs`:
- [BLOCKING] lines 30-31: Live e2e test runs by default; `cargo test` hard-fails without operator env
  `transfer_between_two_platform_addresses` is no longer `#[ignore]`d (the doc comment on lines 4-7 makes this explicit). `setup()` calls `Config::from_env()` which errors if `PLATFORM_WALLET_E2E_BANK_MNEMONIC` is unset, and the test escalates that to a panic via `.expect("e2e setup failed")`. Consequence: a stock `cargo test -p platform-wallet` (or workspace-wide invocation) becomes a hard failure for any contributor or CI job without a funded testnet bank wallet. Workflow-level gating is a coordination requirement, not a guarantee. The DET precedent the framework cites keeps live-network tests behind `#[ignore]` for exactly this reason. Re-add `#[ignore]` and run live with `cargo test -- --ignored`.

In `packages/rs-platform-wallet/tests/e2e/framework/cleanup.rs`:
- [BLOCKING] lines 202-211: Sweep helper doesn't filter sub-`min_input_amount` balances; DPP rejects the transition
  `sweep_platform_addresses` filters inputs by `*b > 0` only. The address-funds-transfer state-transition validation (`packages/rs-dpp/src/state_transition/state_transitions/address_funds/address_funds_transfer_transition/v0/state_transition_validation.rs:157-163`) rejects any input below `platform_version.dpp.state_transitions.address_funds.min_input_amount`. So as soon as one tracked address holds a sub-minimum balance, every sweep attempt for that wallet — both `teardown_one` and the orphan `sweep_one` — submits an invalid transition and the entry stays stuck. Mirror the production auto-selector and drop inputs below `min_input_amount` from the explicit map.
- [BLOCKING] lines 26-30: `SWEEP_DUST_THRESHOLD` (5M) is below the protocol's minimum transfer fee (6.5M)
  Sweep eligibility is `total > 5_000_000`, but the minimum fee for a 1-input/1-output address transfer is `address_funds_transfer_input_cost (500_000) + address_funds_transfer_output_cost (6_000_000) = 6_500_000` credits (`packages/rs-platform-version/src/version/fee/state_transition_min_fees/v1.rs:14-15`). For balances in `(5_000_000, 6_500_000)`, both `teardown_one` and `sweep_one` will attempt a `ReduceOutput(0)` sweep that cannot cover its own fee, so those wallets get retried forever (with the registry entry repeatedly marked `Failed`) until someone tops them up manually. Raise the threshold above the protocol minimum (and ideally derive it from the platform-version constants so it stays in sync).
- [BLOCKING] lines 109-162: Positive sub-threshold balances are dropped from the registry without sweeping
  When `total <= SWEEP_DUST_THRESHOLD`, `teardown_one` (lines 147-162) skips `sweep_platform_addresses` and unconditionally calls `registry.remove(...)`; the orphan path does the same indirectly — `sweep_one` returns `Ok(())` after logging "below sweep threshold; skipping" (lines 109-117), and `sweep_orphans` then removes the registry entry (lines 58-66). Any wallet that still holds a positive balance under the threshold is therefore forgotten rather than retried or aggregated, permanently stranding real testnet credits and contradicting the README's recovery guarantees. Either keep the entry tagged `Failed` so a future operator can audit, or only drop entries whose `total == 0`.

In `packages/simple-signer/src/signer.rs`:
- [SUGGESTION] lines 197-241: `from_seed_for_identity` is misleadingly named, half-functional, and unused
  The new (feature-gated) constructor derives DIP-9 identity-authentication ECDSA secp256k1 keys but inserts them into `address_private_keys: BTreeMap<[u8; 20], [u8; 32]>` — the map consumed by `Signer<PlatformAddress>::sign` (line 339, keyed on the 20-byte address hash). The `Signer<IdentityPublicKey>` view that the function name implies (line 245) only consults `private_keys` / `private_keys_in_creation`, both of which remain empty after this constructor runs. The doc comment hand-waves this with "callers must additionally register `IdentityPublicKey` records" — but if the caller has to do that themselves the constructor isn't actually "for identity." A repo-wide grep confirms zero callers. Either (a) populate `private_keys` inside the constructor so identity signing works out of the box, (b) drop it until a real consumer exists, or (c) rename to reflect what it actually populates (e.g. `derive_identity_path_into_address_keys`).

In `packages/rs-platform-wallet/tests/e2e/framework/sdk.rs`:
- [SUGGESTION] lines 39-46: `FrameworkError::NotImplemented` used as a generic runtime-error wrapper, dropping the underlying error
  `SdkBuilder::build()` failure here is a real runtime error, not an unimplemented-feature path, but it's mapped to `FrameworkError::NotImplemented("sdk::build_sdk — SdkBuilder::build failed (see logs)")`. The actual error `e` is only emitted via a side-effect `tracing::error!` and then discarded. Callers that pattern-match on the `Result` (or render it for CI failure summaries) see only the `&'static str`. The same pattern recurs at lines 76-84, 99-107, 117-125, and `framework/spv.rs:125-148, 215-236`. The `FrameworkError` enum already has `Wallet(String)`, `Bank(String)`, `Config(String)` for this purpose — add `Sdk(String)` / `Spv(String)` variants and propagate `e.to_string()` through the `Result`.

In `packages/rs-sdk/src/platform/transition/address_inputs.rs`:
- [SUGGESTION] lines 12-40: `fetch_inputs_with_nonce` / `nonce_inc` promoted to `pub` with no caller outside rs-sdk
  Both functions (and the `address_inputs` module itself) were widened from `pub(crate)` to `pub`. A repo-wide grep finds no caller outside `crate::platform::transition::*` — the e2e framework in rs-platform-wallet does not import them, and rs-platform-wallet production code doesn't either. The PR description frames this as future-friendliness for the e2e framework, but that framework never lands the call. Promoting low-level internals to the SDK's public API surface without a concrete consumer is a maintenance hazard: once `pub`, the signatures become a stability commitment, and `nonce_inc` in particular is footgun-prone outside the strict fetch→increment→sign→broadcast flow. Revert to `pub(crate)` (or `pub(super)`) and widen in the same PR as the first external caller.

In `packages/rs-platform-wallet/tests/e2e/framework/spv.rs`:
- [SUGGESTION] lines 205-208: Retained SPV path bypasses the slot-locked workdir
  `E2eContext::build` acquires a unique slot via `pick_available_workdir` and stores it in `workdir`, but `build_client_config` derives its storage path from `config.workdir_base`. If the commented-out SPV block in `harness.rs` is re-enabled (Task #15), every concurrent process will share `<base>/spv-data` instead of using the locked slot directory, defeating the cross-process isolation mechanism and creating avoidable RocksDB/SPV state contention. Because the SPV module is intentionally kept compilable for re-enablement, fix this now — pass the slot workdir into `build_client_config` so the path tracks the lock.

[thepastaclaw]

🔴 Blocking: Sweep helper doesn't filter sub-min_input_amount balances; DPP rejects the transition

sweep_platform_addresses filters inputs by *b > 0 only. The address-funds-transfer state-transition validation (packages/rs-dpp/src/state_transition/state_transitions/address_funds/address_funds_transfer_transition/v0/state_transition_validation.rs:157-163) rejects any input below platform_version.dpp.state_transitions.address_funds.min_input_amount. So as soon as one tracked address holds a sub-minimum balance, every sweep attempt for that wallet — both teardown_one and the orphan sweep_one — submits an invalid transition and the entry stays stuck. Mirror the production auto-selector and drop inputs below min_input_amount from the explicit map.

_{source: ['codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/cleanup.rs`:
- [BLOCKING] lines 202-211: Sweep helper doesn't filter sub-`min_input_amount` balances; DPP rejects the transition
  `sweep_platform_addresses` filters inputs by `*b > 0` only. The address-funds-transfer state-transition validation (`packages/rs-dpp/src/state_transition/state_transitions/address_funds/address_funds_transfer_transition/v0/state_transition_validation.rs:157-163`) rejects any input below `platform_version.dpp.state_transitions.address_funds.min_input_amount`. So as soon as one tracked address holds a sub-minimum balance, every sweep attempt for that wallet — both `teardown_one` and the orphan `sweep_one` — submits an invalid transition and the entry stays stuck. Mirror the production auto-selector and drop inputs below `min_input_amount` from the explicit map.

[thepastaclaw]

🔴 Blocking: SWEEP_DUST_THRESHOLD (5M) is below the protocol's minimum transfer fee (6.5M)

Sweep eligibility is total > 5_000_000, but the minimum fee for a 1-input/1-output address transfer is address_funds_transfer_input_cost (500_000) + address_funds_transfer_output_cost (6_000_000) = 6_500_000 credits (packages/rs-platform-version/src/version/fee/state_transition_min_fees/v1.rs:14-15). For balances in (5_000_000, 6_500_000), both teardown_one and sweep_one will attempt a ReduceOutput(0) sweep that cannot cover its own fee, so those wallets get retried forever (with the registry entry repeatedly marked Failed) until someone tops them up manually. Raise the threshold above the protocol minimum (and ideally derive it from the platform-version constants so it stays in sync).

_{source: ['codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/cleanup.rs`:
- [BLOCKING] lines 26-30: `SWEEP_DUST_THRESHOLD` (5M) is below the protocol's minimum transfer fee (6.5M)
  Sweep eligibility is `total > 5_000_000`, but the minimum fee for a 1-input/1-output address transfer is `address_funds_transfer_input_cost (500_000) + address_funds_transfer_output_cost (6_000_000) = 6_500_000` credits (`packages/rs-platform-version/src/version/fee/state_transition_min_fees/v1.rs:14-15`). For balances in `(5_000_000, 6_500_000)`, both `teardown_one` and `sweep_one` will attempt a `ReduceOutput(0)` sweep that cannot cover its own fee, so those wallets get retried forever (with the registry entry repeatedly marked `Failed`) until someone tops them up manually. Raise the threshold above the protocol minimum (and ideally derive it from the platform-version constants so it stays in sync).

[thepastaclaw]

🔴 Blocking: Positive sub-threshold balances are dropped from the registry without sweeping

When total <= SWEEP_DUST_THRESHOLD, teardown_one (lines 147-162) skips sweep_platform_addresses and unconditionally calls registry.remove(...); the orphan path does the same indirectly — sweep_one returns Ok(()) after logging "below sweep threshold; skipping" (lines 109-117), and sweep_orphans then removes the registry entry (lines 58-66). Any wallet that still holds a positive balance under the threshold is therefore forgotten rather than retried or aggregated, permanently stranding real testnet credits and contradicting the README's recovery guarantees. Either keep the entry tagged Failed so a future operator can audit, or only drop entries whose total == 0.

_{source: ['claude', 'codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/cleanup.rs`:
- [BLOCKING] lines 109-162: Positive sub-threshold balances are dropped from the registry without sweeping
  When `total <= SWEEP_DUST_THRESHOLD`, `teardown_one` (lines 147-162) skips `sweep_platform_addresses` and unconditionally calls `registry.remove(...)`; the orphan path does the same indirectly — `sweep_one` returns `Ok(())` after logging "below sweep threshold; skipping" (lines 109-117), and `sweep_orphans` then removes the registry entry (lines 58-66). Any wallet that still holds a positive balance under the threshold is therefore forgotten rather than retried or aggregated, permanently stranding real testnet credits and contradicting the README's recovery guarantees. Either keep the entry tagged `Failed` so a future operator can audit, or only drop entries whose `total == 0`.

[thepastaclaw]

🟡 Suggestion: from_seed_for_identity is misleadingly named, half-functional, and unused

The new (feature-gated) constructor derives DIP-9 identity-authentication ECDSA secp256k1 keys but inserts them into address_private_keys: BTreeMap<[u8; 20], [u8; 32]> — the map consumed by Signer<PlatformAddress>::sign (line 339, keyed on the 20-byte address hash). The Signer<IdentityPublicKey> view that the function name implies (line 245) only consults private_keys / private_keys_in_creation, both of which remain empty after this constructor runs. The doc comment hand-waves this with "callers must additionally register IdentityPublicKey records" — but if the caller has to do that themselves the constructor isn't actually "for identity." A repo-wide grep confirms zero callers. Either (a) populate private_keys inside the constructor so identity signing works out of the box, (b) drop it until a real consumer exists, or (c) rename to reflect what it actually populates (e.g. derive_identity_path_into_address_keys).

_{source: ['claude', 'codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/simple-signer/src/signer.rs`:
- [SUGGESTION] lines 197-241: `from_seed_for_identity` is misleadingly named, half-functional, and unused
  The new (feature-gated) constructor derives DIP-9 identity-authentication ECDSA secp256k1 keys but inserts them into `address_private_keys: BTreeMap<[u8; 20], [u8; 32]>` — the map consumed by `Signer<PlatformAddress>::sign` (line 339, keyed on the 20-byte address hash). The `Signer<IdentityPublicKey>` view that the function name implies (line 245) only consults `private_keys` / `private_keys_in_creation`, both of which remain empty after this constructor runs. The doc comment hand-waves this with "callers must additionally register `IdentityPublicKey` records" — but if the caller has to do that themselves the constructor isn't actually "for identity." A repo-wide grep confirms zero callers. Either (a) populate `private_keys` inside the constructor so identity signing works out of the box, (b) drop it until a real consumer exists, or (c) rename to reflect what it actually populates (e.g. `derive_identity_path_into_address_keys`).

[thepastaclaw]

💬 Nitpick: cancel_token is constructed and exposed but never observed

E2eContext::cancel_token is created at line 109, exposed via the cancel_token() accessor at line 96, and the doc comments promise it backs "graceful shutdown" of background helpers. In practice no code in the framework or test cases ever (a) cancel()s it, or (b) select!s on it — wait_for_balance, the deferred SPV blocks, and the test bodies all ignore it. The token is dead state with a forward-looking accessor that tempts misuse. Either drop the field until shutdown wiring lands (Task #15) or add a tokio::select! arm in wait_for_balance so the documented behavior actually fires.

_{source: ['claude']}

[thepastaclaw]

💬 Nitpick: EntryStatus::Sweeping is defined but never set anywhere

The doc comment promises Sweeping is "set transiently so a second process knows the wallet is already being handled." The only set_status call in the codebase is cleanup::sweep_orphans setting EntryStatus::Failed after a failed sweep — no code path ever transitions an entry to Sweeping. Either wire set_status(.., Sweeping) at the start of cleanup::sweep_one (and clear it on success/failure) so the doc claim becomes true, or drop the variant and update the doc.

_{source: ['claude']}

[thepastaclaw]

Code Review

Two blocking issues remain: the live testnet e2e test still runs in the default cargo test path (no #[ignore]), and the cleanup sweep's per-input filter (*b > 0) admits sub-min_input_amount dust into the explicit input map, which DPP rejects with InputBelowMinimumError — making mixed-balance wallets perpetually un-sweepable. The remaining items are correctness/quality suggestions: a fee-floor mismatch in the sweep gate, error-context loss via FrameworkError::NotImplemented, dead-but-public cancel_token, the misnamed SimpleSigner::from_seed_for_identity, premature pub widening of SDK internals, and the SPV path bypassing the slot-locked workdir. Several single-source security findings were dropped as not meeting the bar.

Reviewed commit: 5515ba9

🔴 2 blocking | 🟡 5 suggestion(s) | 💬 3 nitpick(s)

1 additional finding

🟡 suggestion: `fetch_inputs_with_nonce` / `nonce_inc` promoted to `pub` with no caller outside rs-sdk

packages/rs-sdk/src/platform/transition/address_inputs.rs (lines 12-40)

pub mod address_inputs; at transition.rs:3 and pub fn fetch_inputs_with_nonce / pub fn nonce_inc widen these from pub(crate) to pub. A repo-wide grep finds callers only inside crate::platform::transition::* (address_credit_withdrawal.rs, top_up_identity_from_addresses.rs, shield.rs, transfer_address_funds.rs, put_identity.rs); the e2e framework in rs-platform-wallet does not import them, and rs-platform-wallet production code doesn't either. Once pub, the signatures become a stability commitment — nonce_inc in particular is footgun-prone outside the strict fetch→increment→sign→broadcast flow (it does not protect against double-spending the same nonce in concurrent calls). Revert to pub(crate) (or pub(super)) and widen alongside the first external caller.

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/cases/transfer.rs`:
- [BLOCKING] lines 62-63: Live testnet e2e test runs by default; `cargo test` hard-fails without operator env
  `transfer_between_two_platform_addresses` has no `#[ignore]` and the module docs explicitly say it "Runs by default". `setup()` calls `Config::from_env()`, which returns `FrameworkError::Bank` when `PLATFORM_WALLET_E2E_BANK_MNEMONIC` is unset (`framework/config.rs`); the test escalates that to a panic via `.expect("e2e setup failed")`. Consequence: a stock `cargo test -p platform-wallet` (or workspace-wide invocation) becomes a hard failure for any contributor or CI job without a funded testnet bank wallet, live DAPI access, and the operator `.env`. The crate's own `tests/spv_sync.rs` follows the standard convention of gating live-network tests behind `#[ignore]`. Re-add the gate so default runs stay green and live coverage is opt-in.

In `packages/rs-platform-wallet/tests/e2e/framework/cleanup.rs`:
- [BLOCKING] lines 217-226: Sweep input filter is `b > 0`; sub-`min_input_amount` inputs make mixed wallets permanently un-sweepable
  The new total-balance gate at lines 114 and 155 uses `min_input_amount(version)` (good), but the per-input filter inside `sweep_platform_addresses` is still `filter(|(_, b)| *b > 0)`. DPP enforces `min_input_amount` per individual input (`packages/rs-dpp/src/state_transition/state_transitions/address_funds/address_funds_transfer_transition/v0/state_transition_validation.rs:157-167` — the loop returns `InputBelowMinimumError` for any amount below the threshold), not on the sum. So a wallet with addr_A=50M and addr_B=50K passes the total gate (50.05M >> 100K) but the broadcast fails with `InputBelowMinimumError`. `teardown_one` returns the error and `sweep_orphans` marks the entry `EntryStatus::Failed` and retries on every startup — it can never succeed without manual intervention. Mirror the production auto-selector and drop sub-`min_input_amount` inputs from the explicit map (the unsweepable dust on those addresses is the same loss already accepted by the wallet-level skip path).
- [SUGGESTION] lines 111-169: Sweep gate is keyed to `min_input_amount` (100K), not the minimum transfer fee (~6.5M)
  Both `sweep_one` (line 114) and `teardown_one` (line 155) treat `min_input_amount` as the sweep gate. On current platform versions that value is `100_000`, but the static 1-input/1-output address-transfer fee floor is already `address_funds_transfer_input_cost + address_funds_transfer_output_cost = 6_500_000` (`packages/rs-platform-version/src/version/fee/state_transition_min_fees/v1.rs:14-15`), and this PR's own transfer test commentary notes real chain-time fees closer to ~15M while platform bug #3040 is open (`tests/e2e/cases/transfer.rs:24-33`). So wallets with totals in `[100k, 6.5M)` go down the sweep path even though every `ReduceOutput(0)` attempt will fail (output goes negative or below `min_output_amount`), leaving the orphan permanently in `Failed`. Gate on a fee-aware floor (e.g. the static min-fee plus a safety margin) instead of just the per-input minimum.

In `packages/simple-signer/src/signer.rs`:
- [SUGGESTION] lines 197-241: `from_seed_for_identity` is misleadingly named, half-functional, and unused
  The (feature-gated) constructor derives DIP-9 identity-authentication ECDSA secp256k1 keys but inserts them into `address_private_keys: BTreeMap<[u8; 20], [u8; 32]>` — the map consumed by `Signer<PlatformAddress>::sign` (line 339, keyed on the 20-byte address hash). The `Signer<IdentityPublicKey>` impl that the function name implies (line 245) only consults `private_keys` / `private_keys_in_creation`, both of which remain empty after this constructor runs. The doc comment hand-waves this with "callers must additionally register `IdentityPublicKey` records via `add_identity_public_key`" — but if the caller has to do that themselves the constructor isn't actually "for identity." A repo-wide grep confirms zero callers outside this file. Either populate `private_keys` inside the constructor so identity signing works out of the box, drop it until a real consumer exists, or rename to reflect what it actually populates (e.g. `derive_identity_path_into_address_keys`). Beyond the API-quality issue, the dual-keystore reachability (same secret reachable via both signer pathways) is the kind of cross-purpose-key footgun worth eliminating before any production caller arrives.

In `packages/rs-platform-wallet/tests/e2e/framework/sdk.rs`:
- [SUGGESTION] lines 32-41: `FrameworkError::NotImplemented` used as a generic runtime-error wrapper, dropping the underlying error
  `SdkBuilder::build()` failure is a real runtime error, not an unimplemented-feature path, but it's mapped to `FrameworkError::NotImplemented("sdk::build_sdk — SdkBuilder::build failed (see logs)")`. The actual error `e` is only emitted via a side-effect `tracing::error!` and then discarded — callers that pattern-match on the `Result` (or render it for CI failure summaries) see only the static `&str`. The same pattern recurs at lines 68-77, 100-103, 113-122 here and at `framework/spv.rs:223-226, 241-244`. The `FrameworkError` enum already has `Wallet(String)`, `Bank(String)`, `Config(String)` variants for this purpose — add `Sdk(String)` / `Spv(String)` variants and propagate `e.to_string()` so CI logs and downstream callers actually receive the underlying message.

In `packages/rs-sdk/src/platform/transition/address_inputs.rs`:
- [SUGGESTION] lines 12-40: `fetch_inputs_with_nonce` / `nonce_inc` promoted to `pub` with no caller outside rs-sdk
  `pub mod address_inputs;` at `transition.rs:3` and `pub fn fetch_inputs_with_nonce` / `pub fn nonce_inc` widen these from `pub(crate)` to `pub`. A repo-wide grep finds callers only inside `crate::platform::transition::*` (`address_credit_withdrawal.rs`, `top_up_identity_from_addresses.rs`, `shield.rs`, `transfer_address_funds.rs`, `put_identity.rs`); the e2e framework in rs-platform-wallet does not import them, and rs-platform-wallet production code doesn't either. Once `pub`, the signatures become a stability commitment — `nonce_inc` in particular is footgun-prone outside the strict fetch→increment→sign→broadcast flow (it does not protect against double-spending the same nonce in concurrent calls). Revert to `pub(crate)` (or `pub(super)`) and widen alongside the first external caller.

In `packages/rs-platform-wallet/tests/e2e/framework/spv.rs`:
- [SUGGESTION] lines 210-247: Retained SPV path bypasses the slot-locked workdir
  `E2eContext::build` acquires a unique slot via `pick_available_workdir` and stores it in `workdir`, but `build_client_config` derives its storage path from `config.workdir_base.join("spv-data")` (line 216). When the commented-out SPV block in `harness.rs:131-147` is re-enabled (Task #15), every concurrent process will share `<base>/spv-data` instead of using the locked slot directory, defeating the cross-process isolation mechanism and creating avoidable RocksDB/SPV state contention. Because the SPV module is intentionally kept compilable for re-enablement, fix it now — pass the slot workdir into `build_client_config` so SPV storage tracks the lock.

[thepastaclaw]

🔴 Blocking: Sweep input filter is b > 0; sub-min_input_amount inputs make mixed wallets permanently un-sweepable

The new total-balance gate at lines 114 and 155 uses min_input_amount(version) (good), but the per-input filter inside sweep_platform_addresses is still filter(|(_, b)| *b > 0). DPP enforces min_input_amount per individual input (packages/rs-dpp/src/state_transition/state_transitions/address_funds/address_funds_transfer_transition/v0/state_transition_validation.rs:157-167 — the loop returns InputBelowMinimumError for any amount below the threshold), not on the sum. So a wallet with addr_A=50M and addr_B=50K passes the total gate (50.05M >> 100K) but the broadcast fails with InputBelowMinimumError. teardown_one returns the error and sweep_orphans marks the entry EntryStatus::Failed and retries on every startup — it can never succeed without manual intervention. Mirror the production auto-selector and drop sub-min_input_amount inputs from the explicit map (the unsweepable dust on those addresses is the same loss already accepted by the wallet-level skip path).

💡 Suggested change

Suggested change

	let inputs: BTreeMap<PlatformAddress, Credits> = wallet
	.platform()
	.addresses_with_balances()
	.await
	.into_iter()
	.filter(|(_, b)| *b > 0)
	.collect();
	if inputs.is_empty() {
	return Ok(());
	}
	let dust_gate = min_input_amount(PlatformVersion::latest());
	let inputs: BTreeMap<PlatformAddress, Credits> = wallet
	.platform()
	.addresses_with_balances()
	.await
	.into_iter()
	.filter(|(_, b)| *b >= dust_gate)
	.collect();
	if inputs.is_empty() {
	return Ok(());
	}

_{source: ['claude', 'codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/cleanup.rs`:
- [BLOCKING] lines 217-226: Sweep input filter is `b > 0`; sub-`min_input_amount` inputs make mixed wallets permanently un-sweepable
  The new total-balance gate at lines 114 and 155 uses `min_input_amount(version)` (good), but the per-input filter inside `sweep_platform_addresses` is still `filter(|(_, b)| *b > 0)`. DPP enforces `min_input_amount` per individual input (`packages/rs-dpp/src/state_transition/state_transitions/address_funds/address_funds_transfer_transition/v0/state_transition_validation.rs:157-167` — the loop returns `InputBelowMinimumError` for any amount below the threshold), not on the sum. So a wallet with addr_A=50M and addr_B=50K passes the total gate (50.05M >> 100K) but the broadcast fails with `InputBelowMinimumError`. `teardown_one` returns the error and `sweep_orphans` marks the entry `EntryStatus::Failed` and retries on every startup — it can never succeed without manual intervention. Mirror the production auto-selector and drop sub-`min_input_amount` inputs from the explicit map (the unsweepable dust on those addresses is the same loss already accepted by the wallet-level skip path).

[thepastaclaw]

🟡 Suggestion: Sweep gate is keyed to min_input_amount (100K), not the minimum transfer fee (~6.5M)

Both sweep_one (line 114) and teardown_one (line 155) treat min_input_amount as the sweep gate. On current platform versions that value is 100_000, but the static 1-input/1-output address-transfer fee floor is already address_funds_transfer_input_cost + address_funds_transfer_output_cost = 6_500_000 (packages/rs-platform-version/src/version/fee/state_transition_min_fees/v1.rs:14-15), and this PR's own transfer test commentary notes real chain-time fees closer to ~15M while platform bug #3040 is open (tests/e2e/cases/transfer.rs:24-33). So wallets with totals in [100k, 6.5M) go down the sweep path even though every ReduceOutput(0) attempt will fail (output goes negative or below min_output_amount), leaving the orphan permanently in Failed. Gate on a fee-aware floor (e.g. the static min-fee plus a safety margin) instead of just the per-input minimum.

_{source: ['codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/cleanup.rs`:
- [SUGGESTION] lines 111-169: Sweep gate is keyed to `min_input_amount` (100K), not the minimum transfer fee (~6.5M)
  Both `sweep_one` (line 114) and `teardown_one` (line 155) treat `min_input_amount` as the sweep gate. On current platform versions that value is `100_000`, but the static 1-input/1-output address-transfer fee floor is already `address_funds_transfer_input_cost + address_funds_transfer_output_cost = 6_500_000` (`packages/rs-platform-version/src/version/fee/state_transition_min_fees/v1.rs:14-15`), and this PR's own transfer test commentary notes real chain-time fees closer to ~15M while platform bug #3040 is open (`tests/e2e/cases/transfer.rs:24-33`). So wallets with totals in `[100k, 6.5M)` go down the sweep path even though every `ReduceOutput(0)` attempt will fail (output goes negative or below `min_output_amount`), leaving the orphan permanently in `Failed`. Gate on a fee-aware floor (e.g. the static min-fee plus a safety margin) instead of just the per-input minimum.

[thepastaclaw]

🟡 Suggestion: from_seed_for_identity is misleadingly named, half-functional, and unused

The (feature-gated) constructor derives DIP-9 identity-authentication ECDSA secp256k1 keys but inserts them into address_private_keys: BTreeMap<[u8; 20], [u8; 32]> — the map consumed by Signer<PlatformAddress>::sign (line 339, keyed on the 20-byte address hash). The Signer<IdentityPublicKey> impl that the function name implies (line 245) only consults private_keys / private_keys_in_creation, both of which remain empty after this constructor runs. The doc comment hand-waves this with "callers must additionally register IdentityPublicKey records via add_identity_public_key" — but if the caller has to do that themselves the constructor isn't actually "for identity." A repo-wide grep confirms zero callers outside this file. Either populate private_keys inside the constructor so identity signing works out of the box, drop it until a real consumer exists, or rename to reflect what it actually populates (e.g. derive_identity_path_into_address_keys). Beyond the API-quality issue, the dual-keystore reachability (same secret reachable via both signer pathways) is the kind of cross-purpose-key footgun worth eliminating before any production caller arrives.

_{source: ['claude', 'codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/simple-signer/src/signer.rs`:
- [SUGGESTION] lines 197-241: `from_seed_for_identity` is misleadingly named, half-functional, and unused
  The (feature-gated) constructor derives DIP-9 identity-authentication ECDSA secp256k1 keys but inserts them into `address_private_keys: BTreeMap<[u8; 20], [u8; 32]>` — the map consumed by `Signer<PlatformAddress>::sign` (line 339, keyed on the 20-byte address hash). The `Signer<IdentityPublicKey>` impl that the function name implies (line 245) only consults `private_keys` / `private_keys_in_creation`, both of which remain empty after this constructor runs. The doc comment hand-waves this with "callers must additionally register `IdentityPublicKey` records via `add_identity_public_key`" — but if the caller has to do that themselves the constructor isn't actually "for identity." A repo-wide grep confirms zero callers outside this file. Either populate `private_keys` inside the constructor so identity signing works out of the box, drop it until a real consumer exists, or rename to reflect what it actually populates (e.g. `derive_identity_path_into_address_keys`). Beyond the API-quality issue, the dual-keystore reachability (same secret reachable via both signer pathways) is the kind of cross-purpose-key footgun worth eliminating before any production caller arrives.

[thepastaclaw]

💬 Nitpick: Sub-min_input_amount balances are silently dropped from the registry

When total < dust_gate, both sweep_one (lines 113-123) and teardown_one (lines 155-169) skip the sweep — sweep_orphans then treats the Ok(()) as a successful recovery and removes the entry (line 62), and teardown_one unconditionally calls registry.remove(...) (line 177). Because dust_gate is PlatformVersion::min_input_amount (currently 100K), the funds in the dropped band are protocol-unsweepable so removing the entry is defensible — but small refund / fee-dust residues then silently disappear from the registry with no audit trail. Consider keeping the entry tagged EntryStatus::Failed with a one-line note like "balance below min_input_amount" so an operator can see what was abandoned, rather than removing it.

_{source: ['claude', 'codex']}

[thepastaclaw]

💬 Nitpick: cancel_token is constructed and exposed but never observed

E2eContext::cancel_token is created at line 109, exposed via the cancel_token() accessor at line 96, and the doc comments promise it backs "graceful shutdown" of background helpers. In practice no code in the framework or test cases ever (a) cancel()s it, or (b) select!s on it — wait_for_balance, the deferred SPV blocks, and the test bodies all ignore it. The token is dead state with a forward-looking accessor that tempts misuse. Either drop the field until shutdown wiring lands (Task #15) or add a tokio::select! arm in wait_for_balance so the documented behavior actually fires.

_{source: ['claude']}

[thepastaclaw]

💬 Nitpick: Test-wallet seeds persisted hex-plaintext to JSON without restrictive file mode

atomic_write_json writes the registry — which contains hex-encoded 64-byte BIP-39 seeds in RegistryEntry::seed_hex — via tempfile::NamedTempFile then persist, with no chmod/0600 step. Default file mode honors umask, so on a multi-user host with a permissive umask another local user could read in-flight test seeds from <workdir>/test_wallets.json. Risk is bounded: seeds are OsRng-generated, ephemeral, scoped to one test run, used only on testnet, and never the bank mnemonic; the workdir defaults to $TMPDIR/dash-platform-wallet-e2e which is typically user-private. Defense-in-depth: set mode 0600 on the temp file before persist, or document that the workdir must be on a user-private mount.

_{source: ['claude']}

[thepastaclaw]

Code Review

Test-only PR adding an e2e harness for rs-platform-wallet plus a small production surface (auto_select_inputs fix, simple-signer derive feature, two pub-visibility bumps). One blocking issue: the live testnet e2e test had its #[ignore] removed but the CI workflow runs platform-wallet --all-features with no env wiring or filter, so it will panic in every CI run. Several smaller architecture / robustness concerns in the framework and unused public-API surface.

Reviewed commit: aad27c5

🔴 1 blocking | 🟡 5 suggestion(s) | 💬 3 nitpick(s)

1 additional finding

💬 nitpick: Inconsistent invariant guarding: debug_assert + runtime check here, debug_assert only in sibling helper

packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs (lines 343-360)

select_inputs_deduct_from_input is private and its only caller (auto_select_inputs) has already pattern-matched the strategy before dispatching here. The function still re-checks the same invariant twice — a debug_assert! (343-350) followed by a runtime if !matches!(...) (351-360) returning an error string referencing an internal function name. The companion select_inputs_reduce_output (570-574) keeps only the debug_assert!. Pick one pattern for private invariant guards and apply it consistently.

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/cases/transfer.rs`:
- [BLOCKING] lines 62-63: Live testnet e2e test will panic in CI: #[ignore] removed but workflow runs platform-wallet --all-features with no env wiring or test filter
  `transfer_between_two_platform_addresses` is no longer `#[ignore]`. `.github/workflows/tests-rs-workspace.yml` (lines 144-171 and 308-335) runs `cargo nextest --package platform-wallet --all-features --locked` with only an `-E 'not test(~shield)'` filter — no env wiring for `PLATFORM_WALLET_E2E_BANK_MNEMONIC`, no exclusion of the `e2e` test binary, and no `offline-testing`-style feature gate on platform-wallet. Without the env var, `Config::from_env()` returns `FrameworkError::Bank("PLATFORM_WALLET_E2E_BANK_MNEMONIC not set ...")`, `setup().await.expect("e2e setup failed")` panics, and CI fails on every run. Either restore `#[ignore]` until the workflow is updated, or land the workflow change (filter + env wiring) in this PR.

In `packages/rs-platform-wallet/tests/e2e/framework/cleanup.rs`:
- [SUGGESTION] lines 217-223: sweep_platform_addresses includes dust inputs the protocol will reject
  `sweep_platform_addresses` collects every address with `balance > 0` and feeds the full map into `InputSelection::Explicit`. The DPP `address_funds_transfer_transition/v0/state_transition_validation.rs:159` rejects any input `< min_input_amount`. The wallet-level gates at lines 113-114 and 154-155 only check `total >= min_input_amount`, not per-address balance, so a wallet with one spendable address plus any sub-minimum dust address (easy to produce once `ReduceOutput(0)` leaves remainders or future tests do partial spends) will fail teardown forever, leaving the registry entry behind. The current single test happens to leave both addresses well above min, but the framework is meant to generalize. Filter individual balances against `min_input_amount` instead of relying on the total gate.

In `packages/rs-sdk/src/platform/transition.rs`:
- [SUGGESTION] line 3: address_inputs promoted to pub with no external consumer
  `address_inputs` (and `fetch_inputs_with_nonce` / `nonce_inc`) flipped from `pub(crate)` to `pub`, but every caller in the workspace is still inside rs-sdk itself (`transfer_address_funds.rs`, `address_credit_withdrawal.rs`, `top_up_identity_from_addresses.rs`, `put_identity.rs`, `shield.rs`). The e2e framework added in this PR does not call either function. The signatures expose internal SDK types (`dpp::AddressNonce`, `drive_proof_verifier::types::AddressInfos`, `BTreeMap<PlatformAddress, ...>`) and once `pub`, downgrading is a breaking change. Either land a justified external consumer alongside the visibility bump or keep these `pub(crate)`.

In `packages/simple-signer/src/signer.rs`:
- [SUGGESTION] lines 197-241: from_seed_for_identity is unused in this PR and has a misleading contract
  `from_seed_for_identity` populates `self.address_private_keys` (keyed on pubkey-hash, used by `Signer<PlatformAddress>` at lines 379-385) but does not populate `self.private_keys: BTreeMap<IdentityPublicKey, [u8; 32]>`. Per the impl at lines 247-258, `Signer<IdentityPublicKey>::sign` reads from `private_keys` only, so the returned signer cannot satisfy that trait despite the function name. The doc-comment honestly admits callers must additionally call `add_identity_public_key`, but the e2e framework only uses `from_seed_for_platform_address_account`; nothing in the PR consumes `from_seed_for_identity`. Either drop it until a real consumer lands or rename to reflect that it populates the address-signing path (e.g. `from_seed_for_identity_authentication_addresses`) so future callers don't expect a turnkey `Signer<IdentityPublicKey>`.

In `packages/rs-platform-wallet/tests/e2e/framework/sdk.rs`:
- [SUGGESTION] lines 35-38: FrameworkError::NotImplemented misused as a generic error envelope; underlying cause is dropped
  `SdkBuilder::build` (and several sibling sites in sdk.rs and spv.rs) wrap a real runtime failure in `FrameworkError::NotImplemented`, whose `Display` reads "e2e framework not yet implemented: ...". The actual error is logged at error-level then discarded. Operators reading test output will see a misleading "not implemented" message when SDK construction in fact failed at runtime, and downstream `Result` matching cannot recover the cause. Add a dedicated `Sdk(String)` (and `Spv(String)`) variant or carry the source via `#[source] Box<dyn Error + Send + Sync>` so the chain survives.

In `packages/rs-platform-wallet/tests/e2e/framework/registry.rs`:
- [SUGGESTION] lines 103-132: Registry mutates in-memory state before the JSON write succeeds
  `insert`, `remove`, and `set_status` all lock, mutate `self.state`, clone the snapshot, drop the lock, and only then call `atomic_write_json`. If the write fails, the method returns `Err` but the in-memory map has already changed. That violates the module's own "persist before returning" contract: an `insert` failure leaves an in-memory orphan with no disk record (next-run sweep won't see it), and a `remove` failure forgets the entry in memory while the disk entry persists. Build the snapshot first, persist it, then swap it into `self.state` only after the write succeeds.

[thepastaclaw]

🟡 Suggestion: sweep_platform_addresses includes dust inputs the protocol will reject

sweep_platform_addresses collects every address with balance > 0 and feeds the full map into InputSelection::Explicit. The DPP address_funds_transfer_transition/v0/state_transition_validation.rs:159 rejects any input < min_input_amount. The wallet-level gates at lines 113-114 and 154-155 only check total >= min_input_amount, not per-address balance, so a wallet with one spendable address plus any sub-minimum dust address (easy to produce once ReduceOutput(0) leaves remainders or future tests do partial spends) will fail teardown forever, leaving the registry entry behind. The current single test happens to leave both addresses well above min, but the framework is meant to generalize. Filter individual balances against min_input_amount instead of relying on the total gate.

💡 Suggested change

Suggested change

	let inputs: BTreeMap<PlatformAddress, Credits> = wallet
	.platform()
	.addresses_with_balances()
	.await
	.into_iter()
	.filter(|(_, b)| *b > 0)
	.collect();
	let min_input = PlatformVersion::latest()
	.dpp
	.state_transitions
	.address_funds
	.min_input_amount;
	let inputs: BTreeMap<PlatformAddress, Credits> = wallet
	.platform()
	.addresses_with_balances()
	.await
	.into_iter()
	.filter(|(_, b)| *b >= min_input)
	.collect();

_{source: ['codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/cleanup.rs`:
- [SUGGESTION] lines 217-223: sweep_platform_addresses includes dust inputs the protocol will reject
  `sweep_platform_addresses` collects every address with `balance > 0` and feeds the full map into `InputSelection::Explicit`. The DPP `address_funds_transfer_transition/v0/state_transition_validation.rs:159` rejects any input `< min_input_amount`. The wallet-level gates at lines 113-114 and 154-155 only check `total >= min_input_amount`, not per-address balance, so a wallet with one spendable address plus any sub-minimum dust address (easy to produce once `ReduceOutput(0)` leaves remainders or future tests do partial spends) will fail teardown forever, leaving the registry entry behind. The current single test happens to leave both addresses well above min, but the framework is meant to generalize. Filter individual balances against `min_input_amount` instead of relying on the total gate.

[thepastaclaw]

🟡 Suggestion: address_inputs promoted to pub with no external consumer

address_inputs (and fetch_inputs_with_nonce / nonce_inc) flipped from pub(crate) to pub, but every caller in the workspace is still inside rs-sdk itself (transfer_address_funds.rs, address_credit_withdrawal.rs, top_up_identity_from_addresses.rs, put_identity.rs, shield.rs). The e2e framework added in this PR does not call either function. The signatures expose internal SDK types (dpp::AddressNonce, drive_proof_verifier::types::AddressInfos, BTreeMap<PlatformAddress, ...>) and once pub, downgrading is a breaking change. Either land a justified external consumer alongside the visibility bump or keep these pub(crate).

💡 Suggested change

Suggested change

	pub mod address_inputs;
	pub(crate) mod address_inputs;

_{source: ['claude']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-sdk/src/platform/transition.rs`:
- [SUGGESTION] line 3: address_inputs promoted to pub with no external consumer
  `address_inputs` (and `fetch_inputs_with_nonce` / `nonce_inc`) flipped from `pub(crate)` to `pub`, but every caller in the workspace is still inside rs-sdk itself (`transfer_address_funds.rs`, `address_credit_withdrawal.rs`, `top_up_identity_from_addresses.rs`, `put_identity.rs`, `shield.rs`). The e2e framework added in this PR does not call either function. The signatures expose internal SDK types (`dpp::AddressNonce`, `drive_proof_verifier::types::AddressInfos`, `BTreeMap<PlatformAddress, ...>`) and once `pub`, downgrading is a breaking change. Either land a justified external consumer alongside the visibility bump or keep these `pub(crate)`.

[thepastaclaw]

🟡 Suggestion: from_seed_for_identity is unused in this PR and has a misleading contract

from_seed_for_identity populates self.address_private_keys (keyed on pubkey-hash, used by Signer<PlatformAddress> at lines 379-385) but does not populate self.private_keys: BTreeMap<IdentityPublicKey, [u8; 32]>. Per the impl at lines 247-258, Signer<IdentityPublicKey>::sign reads from private_keys only, so the returned signer cannot satisfy that trait despite the function name. The doc-comment honestly admits callers must additionally call add_identity_public_key, but the e2e framework only uses from_seed_for_platform_address_account; nothing in the PR consumes from_seed_for_identity. Either drop it until a real consumer lands or rename to reflect that it populates the address-signing path (e.g. from_seed_for_identity_authentication_addresses) so future callers don't expect a turnkey Signer<IdentityPublicKey>.

_{source: ['claude']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/simple-signer/src/signer.rs`:
- [SUGGESTION] lines 197-241: from_seed_for_identity is unused in this PR and has a misleading contract
  `from_seed_for_identity` populates `self.address_private_keys` (keyed on pubkey-hash, used by `Signer<PlatformAddress>` at lines 379-385) but does not populate `self.private_keys: BTreeMap<IdentityPublicKey, [u8; 32]>`. Per the impl at lines 247-258, `Signer<IdentityPublicKey>::sign` reads from `private_keys` only, so the returned signer cannot satisfy that trait despite the function name. The doc-comment honestly admits callers must additionally call `add_identity_public_key`, but the e2e framework only uses `from_seed_for_platform_address_account`; nothing in the PR consumes `from_seed_for_identity`. Either drop it until a real consumer lands or rename to reflect that it populates the address-signing path (e.g. `from_seed_for_identity_authentication_addresses`) so future callers don't expect a turnkey `Signer<IdentityPublicKey>`.

[thepastaclaw]

💬 Nitpick: DEFAULT_ACCOUNT_INDEX/DEFAULT_KEY_CLASS in mod.rs duplicate wallet_factory's pinned spec without sharing the drift guard

wallet_factory.rs pins DEFAULT_PLATFORM_PAYMENT_ACCOUNT_SPEC from PlatformPaymentAccountSpec::default() and exports DEFAULT_ACCOUNT_INDEX_PUB / DEFAULT_KEY_CLASS_PUB with a drift test. mod.rs:40-41 declares its own DEFAULT_ACCOUNT_INDEX = 0; DEFAULT_KEY_CLASS = 0; and feeds them into make_platform_signer. If PlatformPaymentAccountSpec::default() ever drifts, TestWallet::create (uses WalletAccountCreationOptions::Default) would track the new value while make_platform_signer would still derive 0/0 keys — signer/wallet drift without firing the existing test. Re-export from wallet_factory so there's one source of truth.

_{source: ['claude']}

[thepastaclaw]

💬 Nitpick: Test wallet seeds persisted to default-permissioned JSON under shared TMPDIR

atomic_write_json writes the registry (containing 64-byte hex seeds for every fresh test wallet) under ${TMPDIR}/dash-platform-wallet-e2e/... with default umask permissions. On Linux/macOS that's typically /tmp and world-readable. On a multi-user runner or shared dev host, a co-located unprivileged user could read seeds between setup and teardown and drain the testnet credits. Impact is bounded (testnet credits, narrow window, operators self-select), but defense-in-depth is cheap: chmod the registry file to 0600 and the slot dir to 0700, or default the workdir base to ${HOME}/.cache/dash-platform-wallet-e2e.

_{source: ['claude']}

[thepastaclaw]

Code Review

All previously reported blockers around the live test gate, sweep dust filtering, error propagation, and SPV workdir scoping are resolved at this head. Two correctness issues remain in the new multi-identity helpers — setup_with_n_identities waits for and spends a gross funding amount the bank transfer never delivers, and MultiIdentitySetupGuard::teardown permanently leaks registered-identity credits because sweep_identities is a no-op while the registry entry is dropped. The rest are quality polish: dead error/cancel-token surface, a public Credits field that knowingly misrepresents the chain-time fee, a misleading simple-signer constructor, and rs-sdk nonce internals widened to pub for a single test consumer.

Reviewed commit: 74b1ed7

🔴 1 blocking | 🟡 5 suggestion(s) | 💬 4 nitpick(s)

1 additional finding

🟡 suggestion: Low-level nonce helpers were promoted to the public SDK surface for a single cross-crate test consumer

packages/rs-sdk/src/platform/transition/address_inputs.rs (lines 12-40)

pub mod address_inputs; (transition.rs:3) plus pub fn fetch_inputs_with_nonce and pub fn nonce_inc widen what was previously pub(crate) plumbing into a permanent public-API stability commitment for rs-sdk. The only out-of-crate consumer is transfer_capturing_st_bytes in the e2e framework's wallet_factory.rs:265-280, which uses these in a fetch→increment→sign→broadcast capture for replay-safety tests. The signatures expose internal types (AddressNonce, AddressInfos, BTreeMap<PlatformAddress, ...>); nonce_inc in particular is a footgun outside the strict flow it presumes — a naive consumer that calls it twice or uses the result without broadcasting will desync the address nonce. Prefer a higher-level public helper on the SDK (e.g. build_replayable_transfer_bytes) that owns the fetch/increment/serialize sequence, and revert these to pub(crate). If a test-only export is acceptable, keep them pub(crate) plus #[cfg(any(test, feature = "test-helpers"))] rather than ship them on the stable surface.

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/mod.rs`:
- [BLOCKING] lines 206-223: `setup_with_n_identities` waits for and spends a gross funding amount that `bank.fund_address` never delivers
  `bank.fund_address(&funding_addr, funding_per)` in `bank.rs:162-182` calls `transfer(...)` with `default_fee_strategy()` = `[ReduceOutput(0)]` (`wallet_factory.rs:417-419`), so the chain-time fee is taken out of output #0 — the recipient address receives `funding_per - fee`, not `funding_per`. The next call, `wait_for_balance(&base.test_wallet, &funding_addr, funding_per, 60s)` (`wait.rs:67-124`), polls for `current >= expected`, so on any non-zero-fee network it can never satisfy and will always hit the `Cleanup` timeout. Even relaxing that wait, `register_identity_from_addresses(funding_addr, funding_per, ...)` then asks `register_from_addresses` to consume `funding_per` from `funding_addr`, and the SDK's `fetch_inputs_with_nonce` (rs-sdk `address_inputs.rs:103-115`) returns `AddressNotEnoughFundsError` when `available < required`. Net effect: as currently written, this helper cannot complete against a real network. Fix by either (a) waiting for the actual delivered amount (e.g. compute the post-fee target from `cs.fee` returned by `fund_address`, or use a `<= funding_per` floor that accounts for the static min fee) and registering with that same amount, or (b) topping up by `funding_per + max_expected_fee` and registering with `funding_per`.
- [SUGGESTION] lines 242-263: `MultiIdentitySetupGuard::teardown` guarantees identity credits are leaked once `setup_with_n_identities` is exercised
  `MultiIdentitySetupGuard::teardown` simply forwards to `SetupGuard::teardown`, whose cleanup path (`cleanup.rs:146-188`) calls `sweep_identities(...)` and then `registry.remove(&test_wallet.id())`. But `sweep_identities` in `cleanup.rs:336-338` is a stub `Ok(())` (still pending Task #15 / the `#identity-sweep` TODO), so identity-held credits are never recovered. Once the registry entry is removed there is no recovery trail either, so the next process startup's `sweep_orphans` cannot reclaim them. For a framework whose primary safety property is panic-safe fund recovery, shipping a public setup path that spends bank credits to register identities and then permanently forgets the resulting balance is a contract violation — and it compounds across every test using the helper. Either (a) keep the registry entry (don't remove it) when identities still hold balances so the orphan sweep can pick them up later, (b) block teardown with a clear `FrameworkError::Cleanup` until `sweep_identities` is implemented, or (c) gate `setup_with_n_identities` behind a feature flag / `#[ignore]` until identity sweep lands.

In `packages/rs-platform-wallet/tests/e2e/framework/wait.rs`:
- [SUGGESTION] lines 76-122: `wait_for_balance`'s `Notified` future is captured but not registered before the sync — defeats the documented invariant
  The doc claims "The `Notified` future is captured BEFORE the sync to avoid dropping a notification that fires mid-sync." That contract is not honored: `let notified = test_wallet.wait_hub().notified(); tokio::pin!(notified);` only constructs and pins the future — Tokio's `Notify::notified` does not register the waiter until first poll (or via `Notified::enable()`). The first poll happens at `tokio::time::timeout(cap, notified.as_mut()).await` AFTER `sync_balances` returns, so any `notify_waiters()` fired by `WaitEventHub` during the sync (`on_sync_event`, `on_wallet_event`, `on_platform_address_sync_completed`) is silently lost. Worst-case wake delay is bounded by `BACKSTOP_WAKE_INTERVAL` (2s), so this is a polish issue rather than a hang risk — but it means `wait_for_balance` is effectively a 2s polling loop on busy chains, not the event-driven helper it documents itself as. Calling `notified.as_mut().enable()` immediately after the `pin!` would honor the docstring's claim.

In `packages/simple-signer/src/signer.rs`:
- [SUGGESTION] lines 197-241: `from_seed_for_identity` is misleadingly named — the resulting `SimpleSigner` cannot sign as a `Signer<IdentityPublicKey>`
  `from_seed_for_identity` populates only `address_private_keys` (the 20-byte-keyed map used by `Signer<PlatformAddress>::sign`), but the `Signer<IdentityPublicKey>` impl on `SimpleSigner` (lines 245-291) reads exclusively from `private_keys` / `private_keys_in_creation`. The constructor's name therefore promises an identity signer that the trait impl cannot deliver. The doc hand-waves with "callers must additionally register `IdentityPublicKey` records via `add_identity_public_key`," but `add_identity_public_key` requires the raw private-key bytes that this constructor never exposes. The new e2e harness only works because `SeedBackedIdentitySigner` (`tests/e2e/framework/signer.rs`) bypasses the impl and reaches into `address_private_keys` directly. A downstream caller who reads the name and instantiates this constructor reasonably assumes the returned `SimpleSigner` can sign identity keys — it cannot. Either rename to reflect the actual side effect (e.g. `from_seed_for_identity_authentication_addresses`) or also insert into `private_keys` so the trait impl works out of the box.

In `packages/rs-platform-wallet/src/changeset/changeset.rs`:
- [SUGGESTION] lines 583-645: `PlatformAddressChangeSet::fee` is a public `Credits` field that knowingly misrepresents the on-chain fee, and `Merge` silently sums it
  `pub fee: Credits` stores `AddressFundsTransferTransition::estimate_min_fee(...)`, which the accessor's own doc admits is "NOT the actual on-chain fee" — the static `state_transition_min_fees` floor (~6.5M for 1in/1out) is far below the real chain-time debit (~14.94M observed; see #3040). Because the field is public and shares its type with real credit values, callers reaching for `cs.fee` (rather than the doc-laden `estimated_min_fee()` accessor) get the unfiltered footgun. `Merge::merge` then does `self.fee = self.fee.saturating_add(other.fee)`, so a merged changeset's reported fee is "the sum across operations of a number that already lied for one operation," compounding the misrepresentation. Pick one of: (a) wrap in a newtype like `EstimatedMinFee(Credits)` so the type system surfaces the caveat at every call site, (b) rename the field to `static_min_fee_estimate` so accidental consumers can't confuse it with paid fees, or (c) keep it `pub(crate)` until #3040 lands and the value can mean what callers naturally expect.

In `packages/rs-sdk/src/platform/transition/address_inputs.rs`:
- [SUGGESTION] lines 12-40: Low-level nonce helpers were promoted to the public SDK surface for a single cross-crate test consumer
  `pub mod address_inputs;` (transition.rs:3) plus `pub fn fetch_inputs_with_nonce` and `pub fn nonce_inc` widen what was previously `pub(crate)` plumbing into a permanent public-API stability commitment for `rs-sdk`. The only out-of-crate consumer is `transfer_capturing_st_bytes` in the e2e framework's `wallet_factory.rs:265-280`, which uses these in a fetch→increment→sign→broadcast capture for replay-safety tests. The signatures expose internal types (`AddressNonce`, `AddressInfos`, `BTreeMap<PlatformAddress, ...>`); `nonce_inc` in particular is a footgun outside the strict flow it presumes — a naive consumer that calls it twice or uses the result without broadcasting will desync the address nonce. Prefer a higher-level public helper on the SDK (e.g. `build_replayable_transfer_bytes`) that owns the fetch/increment/serialize sequence, and revert these to `pub(crate)`. If a test-only export is acceptable, keep them `pub(crate)` plus `#[cfg(any(test, feature = "test-helpers"))]` rather than ship them on the stable surface.

[thepastaclaw]

🔴 Blocking: setup_with_n_identities waits for and spends a gross funding amount that bank.fund_address never delivers

bank.fund_address(&funding_addr, funding_per) in bank.rs:162-182 calls transfer(...) with default_fee_strategy() = [ReduceOutput(0)] (wallet_factory.rs:417-419), so the chain-time fee is taken out of output #0 — the recipient address receives funding_per - fee, not funding_per. The next call, wait_for_balance(&base.test_wallet, &funding_addr, funding_per, 60s) (wait.rs:67-124), polls for current >= expected, so on any non-zero-fee network it can never satisfy and will always hit the Cleanup timeout. Even relaxing that wait, register_identity_from_addresses(funding_addr, funding_per, ...) then asks register_from_addresses to consume funding_per from funding_addr, and the SDK's fetch_inputs_with_nonce (rs-sdk address_inputs.rs:103-115) returns AddressNotEnoughFundsError when available < required. Net effect: as currently written, this helper cannot complete against a real network. Fix by either (a) waiting for the actual delivered amount (e.g. compute the post-fee target from cs.fee returned by fund_address, or use a <= funding_per floor that accounts for the static min fee) and registering with that same amount, or (b) topping up by funding_per + max_expected_fee and registering with funding_per.

_{source: ['codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/mod.rs`:
- [BLOCKING] lines 206-223: `setup_with_n_identities` waits for and spends a gross funding amount that `bank.fund_address` never delivers
  `bank.fund_address(&funding_addr, funding_per)` in `bank.rs:162-182` calls `transfer(...)` with `default_fee_strategy()` = `[ReduceOutput(0)]` (`wallet_factory.rs:417-419`), so the chain-time fee is taken out of output #0 — the recipient address receives `funding_per - fee`, not `funding_per`. The next call, `wait_for_balance(&base.test_wallet, &funding_addr, funding_per, 60s)` (`wait.rs:67-124`), polls for `current >= expected`, so on any non-zero-fee network it can never satisfy and will always hit the `Cleanup` timeout. Even relaxing that wait, `register_identity_from_addresses(funding_addr, funding_per, ...)` then asks `register_from_addresses` to consume `funding_per` from `funding_addr`, and the SDK's `fetch_inputs_with_nonce` (rs-sdk `address_inputs.rs:103-115`) returns `AddressNotEnoughFundsError` when `available < required`. Net effect: as currently written, this helper cannot complete against a real network. Fix by either (a) waiting for the actual delivered amount (e.g. compute the post-fee target from `cs.fee` returned by `fund_address`, or use a `<= funding_per` floor that accounts for the static min fee) and registering with that same amount, or (b) topping up by `funding_per + max_expected_fee` and registering with `funding_per`.

[thepastaclaw]

🟡 Suggestion: MultiIdentitySetupGuard::teardown guarantees identity credits are leaked once setup_with_n_identities is exercised

MultiIdentitySetupGuard::teardown simply forwards to SetupGuard::teardown, whose cleanup path (cleanup.rs:146-188) calls sweep_identities(...) and then registry.remove(&test_wallet.id()). But sweep_identities in cleanup.rs:336-338 is a stub Ok(()) (still pending Task #15 / the #identity-sweep TODO), so identity-held credits are never recovered. Once the registry entry is removed there is no recovery trail either, so the next process startup's sweep_orphans cannot reclaim them. For a framework whose primary safety property is panic-safe fund recovery, shipping a public setup path that spends bank credits to register identities and then permanently forgets the resulting balance is a contract violation — and it compounds across every test using the helper. Either (a) keep the registry entry (don't remove it) when identities still hold balances so the orphan sweep can pick them up later, (b) block teardown with a clear FrameworkError::Cleanup until sweep_identities is implemented, or (c) gate setup_with_n_identities behind a feature flag / #[ignore] until identity sweep lands.

_{source: ['codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/mod.rs`:
- [SUGGESTION] lines 242-263: `MultiIdentitySetupGuard::teardown` guarantees identity credits are leaked once `setup_with_n_identities` is exercised
  `MultiIdentitySetupGuard::teardown` simply forwards to `SetupGuard::teardown`, whose cleanup path (`cleanup.rs:146-188`) calls `sweep_identities(...)` and then `registry.remove(&test_wallet.id())`. But `sweep_identities` in `cleanup.rs:336-338` is a stub `Ok(())` (still pending Task #15 / the `#identity-sweep` TODO), so identity-held credits are never recovered. Once the registry entry is removed there is no recovery trail either, so the next process startup's `sweep_orphans` cannot reclaim them. For a framework whose primary safety property is panic-safe fund recovery, shipping a public setup path that spends bank credits to register identities and then permanently forgets the resulting balance is a contract violation — and it compounds across every test using the helper. Either (a) keep the registry entry (don't remove it) when identities still hold balances so the orphan sweep can pick them up later, (b) block teardown with a clear `FrameworkError::Cleanup` until `sweep_identities` is implemented, or (c) gate `setup_with_n_identities` behind a feature flag / `#[ignore]` until identity sweep lands.

[thepastaclaw]

🟡 Suggestion: wait_for_balance's Notified future is captured but not registered before the sync — defeats the documented invariant

The doc claims "The Notified future is captured BEFORE the sync to avoid dropping a notification that fires mid-sync." That contract is not honored: let notified = test_wallet.wait_hub().notified(); tokio::pin!(notified); only constructs and pins the future — Tokio's Notify::notified does not register the waiter until first poll (or via Notified::enable()). The first poll happens at tokio::time::timeout(cap, notified.as_mut()).await AFTER sync_balances returns, so any notify_waiters() fired by WaitEventHub during the sync (on_sync_event, on_wallet_event, on_platform_address_sync_completed) is silently lost. Worst-case wake delay is bounded by BACKSTOP_WAKE_INTERVAL (2s), so this is a polish issue rather than a hang risk — but it means wait_for_balance is effectively a 2s polling loop on busy chains, not the event-driven helper it documents itself as. Calling notified.as_mut().enable() immediately after the pin! would honor the docstring's claim.

_{source: ['claude']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/wait.rs`:
- [SUGGESTION] lines 76-122: `wait_for_balance`'s `Notified` future is captured but not registered before the sync — defeats the documented invariant
  The doc claims "The `Notified` future is captured BEFORE the sync to avoid dropping a notification that fires mid-sync." That contract is not honored: `let notified = test_wallet.wait_hub().notified(); tokio::pin!(notified);` only constructs and pins the future — Tokio's `Notify::notified` does not register the waiter until first poll (or via `Notified::enable()`). The first poll happens at `tokio::time::timeout(cap, notified.as_mut()).await` AFTER `sync_balances` returns, so any `notify_waiters()` fired by `WaitEventHub` during the sync (`on_sync_event`, `on_wallet_event`, `on_platform_address_sync_completed`) is silently lost. Worst-case wake delay is bounded by `BACKSTOP_WAKE_INTERVAL` (2s), so this is a polish issue rather than a hang risk — but it means `wait_for_balance` is effectively a 2s polling loop on busy chains, not the event-driven helper it documents itself as. Calling `notified.as_mut().enable()` immediately after the `pin!` would honor the docstring's claim.

[thepastaclaw]

🟡 Suggestion: from_seed_for_identity is misleadingly named — the resulting SimpleSigner cannot sign as a Signer<IdentityPublicKey>

from_seed_for_identity populates only address_private_keys (the 20-byte-keyed map used by Signer<PlatformAddress>::sign), but the Signer<IdentityPublicKey> impl on SimpleSigner (lines 245-291) reads exclusively from private_keys / private_keys_in_creation. The constructor's name therefore promises an identity signer that the trait impl cannot deliver. The doc hand-waves with "callers must additionally register IdentityPublicKey records via add_identity_public_key," but add_identity_public_key requires the raw private-key bytes that this constructor never exposes. The new e2e harness only works because SeedBackedIdentitySigner (tests/e2e/framework/signer.rs) bypasses the impl and reaches into address_private_keys directly. A downstream caller who reads the name and instantiates this constructor reasonably assumes the returned SimpleSigner can sign identity keys — it cannot. Either rename to reflect the actual side effect (e.g. from_seed_for_identity_authentication_addresses) or also insert into private_keys so the trait impl works out of the box.

_{source: ['claude', 'codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/simple-signer/src/signer.rs`:
- [SUGGESTION] lines 197-241: `from_seed_for_identity` is misleadingly named — the resulting `SimpleSigner` cannot sign as a `Signer<IdentityPublicKey>`
  `from_seed_for_identity` populates only `address_private_keys` (the 20-byte-keyed map used by `Signer<PlatformAddress>::sign`), but the `Signer<IdentityPublicKey>` impl on `SimpleSigner` (lines 245-291) reads exclusively from `private_keys` / `private_keys_in_creation`. The constructor's name therefore promises an identity signer that the trait impl cannot deliver. The doc hand-waves with "callers must additionally register `IdentityPublicKey` records via `add_identity_public_key`," but `add_identity_public_key` requires the raw private-key bytes that this constructor never exposes. The new e2e harness only works because `SeedBackedIdentitySigner` (`tests/e2e/framework/signer.rs`) bypasses the impl and reaches into `address_private_keys` directly. A downstream caller who reads the name and instantiates this constructor reasonably assumes the returned `SimpleSigner` can sign identity keys — it cannot. Either rename to reflect the actual side effect (e.g. `from_seed_for_identity_authentication_addresses`) or also insert into `private_keys` so the trait impl works out of the box.

[thepastaclaw]

🟡 Suggestion: PlatformAddressChangeSet::fee is a public Credits field that knowingly misrepresents the on-chain fee, and Merge silently sums it

pub fee: Credits stores AddressFundsTransferTransition::estimate_min_fee(...), which the accessor's own doc admits is "NOT the actual on-chain fee" — the static state_transition_min_fees floor (~6.5M for 1in/1out) is far below the real chain-time debit (~14.94M observed; see #3040). Because the field is public and shares its type with real credit values, callers reaching for cs.fee (rather than the doc-laden estimated_min_fee() accessor) get the unfiltered footgun. Merge::merge then does self.fee = self.fee.saturating_add(other.fee), so a merged changeset's reported fee is "the sum across operations of a number that already lied for one operation," compounding the misrepresentation. Pick one of: (a) wrap in a newtype like EstimatedMinFee(Credits) so the type system surfaces the caveat at every call site, (b) rename the field to static_min_fee_estimate so accidental consumers can't confuse it with paid fees, or (c) keep it pub(crate) until #3040 lands and the value can mean what callers naturally expect.

_{source: ['claude']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/src/changeset/changeset.rs`:
- [SUGGESTION] lines 583-645: `PlatformAddressChangeSet::fee` is a public `Credits` field that knowingly misrepresents the on-chain fee, and `Merge` silently sums it
  `pub fee: Credits` stores `AddressFundsTransferTransition::estimate_min_fee(...)`, which the accessor's own doc admits is "NOT the actual on-chain fee" — the static `state_transition_min_fees` floor (~6.5M for 1in/1out) is far below the real chain-time debit (~14.94M observed; see #3040). Because the field is public and shares its type with real credit values, callers reaching for `cs.fee` (rather than the doc-laden `estimated_min_fee()` accessor) get the unfiltered footgun. `Merge::merge` then does `self.fee = self.fee.saturating_add(other.fee)`, so a merged changeset's reported fee is "the sum across operations of a number that already lied for one operation," compounding the misrepresentation. Pick one of: (a) wrap in a newtype like `EstimatedMinFee(Credits)` so the type system surfaces the caveat at every call site, (b) rename the field to `static_min_fee_estimate` so accidental consumers can't confuse it with paid fees, or (c) keep it `pub(crate)` until #3040 lands and the value can mean what callers naturally expect.

[thepastaclaw]

💬 Nitpick: make_platform_signer duplicates the DIP-17 default account/key-class constants instead of reusing the framework's tested source of truth

framework/mod.rs declares its own DEFAULT_ACCOUNT_INDEX = 0 / DEFAULT_KEY_CLASS = 0 and uses them in make_platform_signer, while framework/wallet_factory.rs:43-50 already exposes DEFAULT_ACCOUNT_INDEX_PUB / DEFAULT_KEY_CLASS_PUB derived from DEFAULT_PLATFORM_PAYMENT_ACCOUNT_SPEC and a drift test (wallet_factory.rs:651-653) asserting they match PlatformPaymentAccountSpec::default(). If the upstream default changes, every wallet-creation and transfer path that imports the _PUB constants will track the new value, but make_platform_signer will keep deriving keys for 0/0 — and the existing drift test won't catch the mismatch because it doesn't reference the local copies here. Reuse the exported constants from wallet_factory to keep signer derivation and wallet construction on a single source of truth.

💡 Suggested change

Suggested change

	/// DIP-17 default account / key-class for clear-funds platform
	/// payments. Matches `WalletAccountCreationOptions::Default`.
	const DEFAULT_ACCOUNT_INDEX: u32 = 0;
	const DEFAULT_KEY_CLASS: u32 = 0;
	/// Build a [`SimpleSigner`] populated with the DIP-17 platform-payment
	/// gap window for `seed_bytes` on `network`. Pins to
	/// `account=0`/`key_class=0` to match
	/// `WalletAccountCreationOptions::Default`. `SimpleSigner` already
	/// implements `Signer<PlatformAddress>` directly, so callers can pass
	/// the returned value straight to `PlatformAddressWallet::transfer`.
	pub(super) fn make_platform_signer(
	seed_bytes: &[u8; 64],
	network: Network,
	) -> FrameworkResult<SimpleSigner> {
	SimpleSigner::from_seed_for_platform_address_account(
	seed_bytes,
	network,
	DEFAULT_ACCOUNT_INDEX,
	DEFAULT_KEY_CLASS,
	DIP17_GAP_LIMIT,
	)
	.map_err(|err| FrameworkError::Wallet(format!("simple-signer: {err}")))
	}
	use key_wallet::gap_limit::DIP17_GAP_LIMIT;
	use key_wallet::Network;
	use simple_signer::signer::SimpleSigner;
	use self::wallet_factory::{DEFAULT_ACCOUNT_INDEX_PUB, DEFAULT_KEY_CLASS_PUB};
	/// Build a [`SimpleSigner`] populated with the DIP-17 platform-payment
	/// gap window for `seed_bytes` on `network`. Pins to
	/// `account=0`/`key_class=0` to match
	/// `WalletAccountCreationOptions::Default`. `SimpleSigner` already
	/// implements `Signer<PlatformAddress>` directly, so callers can pass
	/// the returned value straight to `PlatformAddressWallet::transfer`.
	pub(super) fn make_platform_signer(
	seed_bytes: &[u8; 64],
	network: Network,
	) -> FrameworkResult<SimpleSigner> {
	SimpleSigner::from_seed_for_platform_address_account(
	seed_bytes,
	network,
	DEFAULT_ACCOUNT_INDEX_PUB,
	DEFAULT_KEY_CLASS_PUB,
	DIP17_GAP_LIMIT,
	)
	.map_err(|err| FrameworkError::Wallet(format!("simple-signer: {err}")))
	}

_{source: ['codex']}

[thepastaclaw]

💬 Nitpick: FrameworkError::NotImplemented is dead — every prior call site migrated to typed Sdk / Spv variants

NotImplemented(&'static str) was previously the catch-all envelope in framework/sdk.rs and framework/spv.rs for SDK construction and SPV runtime failures. Both files now use FrameworkError::Sdk(String) / Spv(String), and a repo-wide grep confirms no producer or consumer of NotImplemented remains in the workspace. Carrying a dead variant lowers the signal in the error enum and tempts the next contributor to reach for it again as a generic placeholder when SPV (Task #15) re-lands. Drop it; if a real "feature deferred" path appears later, prefer a named typed variant.

_{source: ['claude', 'codex']}

[thepastaclaw]

💬 Nitpick: E2eContext::cancel_token is constructed and exposed but never observed

cancel_token is created at line 109, exposed via the cancel_token() accessor at line 96, and the doc claims it backs "graceful shutdown" of background helpers. A repo-wide grep across packages/rs-platform-wallet/tests/ shows no .cancel(), no .cancelled(), and no tokio::select! arm referencing it — wait_for_balance, wait_for_identity_balance, wait_for_dpns_name_visible, the deferred SPV blocks, and the test bodies all ignore it. The token is dead state with a forward-looking accessor that tempts misuse (a future contributor may assume it actually halts background work). Either drop the field until shutdown wiring lands (Task #15) or wire one observer in (e.g., a tokio::select! arm in wait::wait_for_balance) so the documented behavior actually fires.

_{source: ['claude', 'codex']}

[thepastaclaw]

💬 Nitpick: sync_watermark collapses "block 0" and "no watermark stored" into the same None

sync_watermark returns None whenever last_known_recent_block() == 0. The doc claim that this matches the "no stored watermark" convention is reasonable on freshly-restored mainnet/testnet wallets, but breaks down for any chain where block 0 is a legitimate genesis-aligned watermark (devnet/regtest, or any test fixture that explicitly sets last_known_recent_block to 0 during setup). After a sync that legitimately lands at height 0, the next call would still report "never synced." If the underlying intent is "distinguish unset from set," make the storage layer return Option<u64> end-to-end so the boundary stays honest. As-is, the zero-collapse is a quiet correctness footgun for non-mainnet chains.

_{source: ['claude']}

[thepastaclaw]

Code Review

All carry-forward findings validated at HEAD 921833f. The prior-blocking setup_with_n_identities funding mismatch is fixed via the bank's [DeductFromInput(0)] strategy. Remaining items are suggestions and nitpicks: a latent identity-credit teardown leak (sweep_identities is a no-op stub but the registry entry is still removed), a wait_for_balance Notify waiter that's never enabled before sync, several public API surface concerns (from_seed_for_identity, PlatformAddressChangeSet::fee, rs-sdk nonce helpers), and a few dead-code/duplication nits in the e2e harness.

Reviewed commit: 921833f

🟡 5 suggestion(s) | 💬 4 nitpick(s)

1 additional finding

🟡 suggestion: Low-level nonce helpers were promoted to the public rs-sdk surface for a single cross-crate test consumer

packages/rs-sdk/src/platform/transition/address_inputs.rs (lines 12-40)

Confirmed at HEAD. pub mod address_inputs (transition.rs:3) plus pub fn fetch_inputs_with_nonce (address_inputs.rs:12) and pub fn nonce_inc (address_inputs.rs:34) widen what was previously pub(crate) plumbing into a permanent public-API stability commitment for rs-sdk. They are used internally by put_identity / transfer_address_funds / shield / top_up_identity_from_addresses / address_credit_withdrawal, but pub(crate) would suffice for those. The only out-of-crate consumer is transfer_capturing_st_bytes in tests/e2e/framework/wallet_factory.rs:265-280 (a fetch→increment→sign→broadcast capture for replay tests). The signatures expose internal types (AddressNonce, AddressInfos, BTreeMap<PlatformAddress, ...>); nonce_inc is a footgun outside the strict flow it presumes — incrementing twice or without broadcasting desyncs the address nonce. Prefer a higher-level public helper (e.g. build_replayable_transfer_bytes) that owns the fetch/increment/serialize sequence and revert these to pub(crate). If a test-only export is acceptable, gate them behind #[cfg(any(test, feature = "test-helpers"))].

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/cleanup.rs`:
- [SUGGESTION] lines 171-188: MultiIdentitySetupGuard::teardown silently burns identity credits — sweep_identities is a no-op while the registry entry is unconditionally removed
  Confirmed at HEAD. `setup_with_n_identities` (framework/mod.rs:190-237) registers identities funded from the bank, but the teardown path forwards to `cleanup::teardown_one`, which calls `sweep_identities` (cleanup.rs:336-338, an explicit `Ok(())` stub gated by `#identity-sweep`) and then unconditionally drops the registry entry at cleanup.rs:178 (`registry.remove(&test_wallet.id())?`). Once the registry entry is gone, the next process startup's `sweep_orphans` cannot reconstruct the wallet, so the registered identity's balance is permanently lost. The framework's top-line safety property is panic-safe fund recovery; exposing a public setup helper that funds identities and then guarantees the resulting balances are forgotten violates that contract. Currently latent (no test in the PR calls `setup_with_n_identities`), but the helper is `pub` and TEST_SPEC.md schedules ID-* tests on it. Pick one of: (a) keep the registry entry while `sweep_identities` is a stub so the orphan sweep retains a recovery trail; (b) return `FrameworkError::Cleanup` from `teardown_one` until identity sweep is implemented; or (c) gate `setup_with_n_identities` behind a feature flag until identity sweep lands.

In `packages/rs-platform-wallet/tests/e2e/framework/wait.rs`:
- [SUGGESTION] lines 76-122: wait_for_balance's Notified future is constructed but never registered before sync_balances runs
  Confirmed at HEAD. The doc on lines 64-65/77 promises the `Notified` future is captured BEFORE the sync to avoid losing notifications fired mid-sync, but `let notified = test_wallet.wait_hub().notified(); tokio::pin!(notified);` only constructs and pins the future. Tokio's `Notify::notified` does not register the waiter on the hub until the first poll (or via `Notified::enable()`), and that first poll happens at `tokio::time::timeout(cap, notified.as_mut()).await` AFTER `sync_balances` returns. Notifications fired by `WaitEventHub` during the sync are silently dropped. `BACKSTOP_WAKE_INTERVAL = 2s` bounds the wake delay, so this is a polish issue rather than a hang risk — but it means `wait_for_balance` is effectively a 2s polling loop on busy chains, not the event-driven helper its docstring claims. Calling `notified.as_mut().enable()` immediately after the `pin!` would register the waiter eagerly and honor the documented invariant.

In `packages/simple-signer/src/signer.rs`:
- [SUGGESTION] lines 197-241: from_seed_for_identity is misleadingly named — the resulting SimpleSigner cannot satisfy Signer<IdentityPublicKey>
  Confirmed at HEAD (behind the `derive` feature). `from_seed_for_identity` populates only `address_private_keys` keyed by `ripemd160_sha256(pubkey)` (lines 235-238), but the `Signer<IdentityPublicKey>` impl on `SimpleSigner` (lines 245-291) reads exclusively from `private_keys` / `private_keys_in_creation`. The constructor's name promises an identity signer the trait impl cannot deliver. The doc hand-waves with "callers must additionally register `IdentityPublicKey` records via `add_identity_public_key`" — but that requires raw private-key bytes the constructor never re-exposes. The new e2e harness only works because `SeedBackedIdentitySigner` bypasses the trait impl and reaches into `address_private_keys` directly. A downstream caller who reads the name and instantiates this constructor reasonably assumes the returned `SimpleSigner` can sign identity keys — it cannot. Either rename to reflect the actual side effect (e.g. `from_seed_for_identity_authentication_keys_by_pkh`) or also insert into `private_keys` so the trait impl is honest.

In `packages/rs-platform-wallet/src/changeset/changeset.rs`:
- [SUGGESTION] lines 583-645: PlatformAddressChangeSet::fee is a public Credits field whose own doc admits it does not represent the on-chain fee, and Merge silently sums it
  Confirmed at HEAD. `pub fee: Credits` (line 589) stores `AddressFundsTransferTransition::estimate_min_fee(...)`, which `estimated_min_fee()` (lines 592-611) explicitly calls out as "NOT the actual on-chain fee" and "NOT adjusted by the `fee_strategy`" — the static `state_transition_min_fees` floor (~6.5M for 1in/1out) is far below the chain-time debit (~14.94M observed; see issue #3040). Because the field is `pub` and shares its type with real credit values, callers reaching for `cs.fee` rather than the doc-laden accessor get the unfiltered footgun. `Merge::merge` (line 644) does `self.fee = self.fee.saturating_add(other.fee)`, so a merged changeset's reported fee is a sum of values that already lied per-operation. Pick one of: (a) wrap in a newtype like `EstimatedMinFee(Credits)` so the type system surfaces the caveat at every call site; (b) rename to `static_min_fee_estimate` so accidental consumers can't confuse it with paid fees; or (c) keep it `pub(crate)` until #3040 lands.

In `packages/rs-sdk/src/platform/transition/address_inputs.rs`:
- [SUGGESTION] lines 12-40: Low-level nonce helpers were promoted to the public rs-sdk surface for a single cross-crate test consumer
  Confirmed at HEAD. `pub mod address_inputs` (transition.rs:3) plus `pub fn fetch_inputs_with_nonce` (address_inputs.rs:12) and `pub fn nonce_inc` (address_inputs.rs:34) widen what was previously `pub(crate)` plumbing into a permanent public-API stability commitment for `rs-sdk`. They are used internally by put_identity / transfer_address_funds / shield / top_up_identity_from_addresses / address_credit_withdrawal, but `pub(crate)` would suffice for those. The only out-of-crate consumer is `transfer_capturing_st_bytes` in `tests/e2e/framework/wallet_factory.rs:265-280` (a fetch→increment→sign→broadcast capture for replay tests). The signatures expose internal types (`AddressNonce`, `AddressInfos`, `BTreeMap<PlatformAddress, ...>`); `nonce_inc` is a footgun outside the strict flow it presumes — incrementing twice or without broadcasting desyncs the address nonce. Prefer a higher-level public helper (e.g. `build_replayable_transfer_bytes`) that owns the fetch/increment/serialize sequence and revert these to `pub(crate)`. If a test-only export is acceptable, gate them behind `#[cfg(any(test, feature = "test-helpers"))]`.

[thepastaclaw]

🟡 Suggestion: MultiIdentitySetupGuard::teardown silently burns identity credits — sweep_identities is a no-op while the registry entry is unconditionally removed

Confirmed at HEAD. setup_with_n_identities (framework/mod.rs:190-237) registers identities funded from the bank, but the teardown path forwards to cleanup::teardown_one, which calls sweep_identities (cleanup.rs:336-338, an explicit Ok(()) stub gated by #identity-sweep) and then unconditionally drops the registry entry at cleanup.rs:178 (registry.remove(&test_wallet.id())?). Once the registry entry is gone, the next process startup's sweep_orphans cannot reconstruct the wallet, so the registered identity's balance is permanently lost. The framework's top-line safety property is panic-safe fund recovery; exposing a public setup helper that funds identities and then guarantees the resulting balances are forgotten violates that contract. Currently latent (no test in the PR calls setup_with_n_identities), but the helper is pub and TEST_SPEC.md schedules ID-* tests on it. Pick one of: (a) keep the registry entry while sweep_identities is a stub so the orphan sweep retains a recovery trail; (b) return FrameworkError::Cleanup from teardown_one until identity sweep is implemented; or (c) gate setup_with_n_identities behind a feature flag until identity sweep lands.

_{source: ['claude', 'codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/cleanup.rs`:
- [SUGGESTION] lines 171-188: MultiIdentitySetupGuard::teardown silently burns identity credits — sweep_identities is a no-op while the registry entry is unconditionally removed
  Confirmed at HEAD. `setup_with_n_identities` (framework/mod.rs:190-237) registers identities funded from the bank, but the teardown path forwards to `cleanup::teardown_one`, which calls `sweep_identities` (cleanup.rs:336-338, an explicit `Ok(())` stub gated by `#identity-sweep`) and then unconditionally drops the registry entry at cleanup.rs:178 (`registry.remove(&test_wallet.id())?`). Once the registry entry is gone, the next process startup's `sweep_orphans` cannot reconstruct the wallet, so the registered identity's balance is permanently lost. The framework's top-line safety property is panic-safe fund recovery; exposing a public setup helper that funds identities and then guarantees the resulting balances are forgotten violates that contract. Currently latent (no test in the PR calls `setup_with_n_identities`), but the helper is `pub` and TEST_SPEC.md schedules ID-* tests on it. Pick one of: (a) keep the registry entry while `sweep_identities` is a stub so the orphan sweep retains a recovery trail; (b) return `FrameworkError::Cleanup` from `teardown_one` until identity sweep is implemented; or (c) gate `setup_with_n_identities` behind a feature flag until identity sweep lands.

[thepastaclaw]

🟡 Suggestion: wait_for_balance's Notified future is constructed but never registered before sync_balances runs

Confirmed at HEAD. The doc on lines 64-65/77 promises the Notified future is captured BEFORE the sync to avoid losing notifications fired mid-sync, but let notified = test_wallet.wait_hub().notified(); tokio::pin!(notified); only constructs and pins the future. Tokio's Notify::notified does not register the waiter on the hub until the first poll (or via Notified::enable()), and that first poll happens at tokio::time::timeout(cap, notified.as_mut()).await AFTER sync_balances returns. Notifications fired by WaitEventHub during the sync are silently dropped. BACKSTOP_WAKE_INTERVAL = 2s bounds the wake delay, so this is a polish issue rather than a hang risk — but it means wait_for_balance is effectively a 2s polling loop on busy chains, not the event-driven helper its docstring claims. Calling notified.as_mut().enable() immediately after the pin! would register the waiter eagerly and honor the documented invariant.

💡 Suggested change

Suggested change

	loop {
	// Capture `Notified` BEFORE the sync so a notification
	// arriving mid-sync isn't lost; pin + `as_mut()` lets us
	// re-await the same future across timeouts.
	let notified = test_wallet.wait_hub().notified();
	tokio::pin!(notified);
	match test_wallet.sync_balances().await {
	Ok(()) => {
	let balances = test_wallet.balances().await;
	let current = balances.get(addr).copied().unwrap_or(0);
	if current >= expected {
	tracing::info!(
	target: "platform_wallet::e2e::wait",
	addr = ?addr,
	observed = current,
	elapsed = ?start.elapsed(),
	"balance reached target"
	);
	return Ok(());
	}
	tracing::debug!(
	target: "platform_wallet::e2e::wait",
	addr = ?addr,
	current,
	expected,
	"balance below target; waiting on event hub"
	);
	}
	Err(err) => tracing::debug!(
	target: "platform_wallet::e2e::wait",
	error = %err,
	"sync_balances during wait_for_balance failed; retrying"
	),
	}
	let remaining = deadline.saturating_duration_since(Instant::now());
	if remaining.is_zero() {
	return Err(FrameworkError::Cleanup(format!(
	"wait_for_balance timed out after {timeout:?} \
	(addr={addr:?} expected={expected})"
	)));
	}
	// Backstop wake on idle chains; real activity wakes us
	// earlier via the `Notified` future.
	let cap = std::cmp::min(remaining, BACKSTOP_WAKE_INTERVAL);
	let _ = tokio::time::timeout(cap, notified.as_mut()).await;
	let notified = test_wallet.wait_hub().notified();
	tokio::pin!(notified);
	notified.as_mut().enable();

_{source: ['claude', 'codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/wait.rs`:
- [SUGGESTION] lines 76-122: wait_for_balance's Notified future is constructed but never registered before sync_balances runs
  Confirmed at HEAD. The doc on lines 64-65/77 promises the `Notified` future is captured BEFORE the sync to avoid losing notifications fired mid-sync, but `let notified = test_wallet.wait_hub().notified(); tokio::pin!(notified);` only constructs and pins the future. Tokio's `Notify::notified` does not register the waiter on the hub until the first poll (or via `Notified::enable()`), and that first poll happens at `tokio::time::timeout(cap, notified.as_mut()).await` AFTER `sync_balances` returns. Notifications fired by `WaitEventHub` during the sync are silently dropped. `BACKSTOP_WAKE_INTERVAL = 2s` bounds the wake delay, so this is a polish issue rather than a hang risk — but it means `wait_for_balance` is effectively a 2s polling loop on busy chains, not the event-driven helper its docstring claims. Calling `notified.as_mut().enable()` immediately after the `pin!` would register the waiter eagerly and honor the documented invariant.

[thepastaclaw]

🟡 Suggestion: from_seed_for_identity is misleadingly named — the resulting SimpleSigner cannot satisfy Signer

Confirmed at HEAD (behind the derive feature). from_seed_for_identity populates only address_private_keys keyed by ripemd160_sha256(pubkey) (lines 235-238), but the Signer<IdentityPublicKey> impl on SimpleSigner (lines 245-291) reads exclusively from private_keys / private_keys_in_creation. The constructor's name promises an identity signer the trait impl cannot deliver. The doc hand-waves with "callers must additionally register IdentityPublicKey records via add_identity_public_key" — but that requires raw private-key bytes the constructor never re-exposes. The new e2e harness only works because SeedBackedIdentitySigner bypasses the trait impl and reaches into address_private_keys directly. A downstream caller who reads the name and instantiates this constructor reasonably assumes the returned SimpleSigner can sign identity keys — it cannot. Either rename to reflect the actual side effect (e.g. from_seed_for_identity_authentication_keys_by_pkh) or also insert into private_keys so the trait impl is honest.

_{source: ['claude', 'codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/simple-signer/src/signer.rs`:
- [SUGGESTION] lines 197-241: from_seed_for_identity is misleadingly named — the resulting SimpleSigner cannot satisfy Signer<IdentityPublicKey>
  Confirmed at HEAD (behind the `derive` feature). `from_seed_for_identity` populates only `address_private_keys` keyed by `ripemd160_sha256(pubkey)` (lines 235-238), but the `Signer<IdentityPublicKey>` impl on `SimpleSigner` (lines 245-291) reads exclusively from `private_keys` / `private_keys_in_creation`. The constructor's name promises an identity signer the trait impl cannot deliver. The doc hand-waves with "callers must additionally register `IdentityPublicKey` records via `add_identity_public_key`" — but that requires raw private-key bytes the constructor never re-exposes. The new e2e harness only works because `SeedBackedIdentitySigner` bypasses the trait impl and reaches into `address_private_keys` directly. A downstream caller who reads the name and instantiates this constructor reasonably assumes the returned `SimpleSigner` can sign identity keys — it cannot. Either rename to reflect the actual side effect (e.g. `from_seed_for_identity_authentication_keys_by_pkh`) or also insert into `private_keys` so the trait impl is honest.

[thepastaclaw]

🟡 Suggestion: PlatformAddressChangeSet::fee is a public Credits field whose own doc admits it does not represent the on-chain fee, and Merge silently sums it

Confirmed at HEAD. pub fee: Credits (line 589) stores AddressFundsTransferTransition::estimate_min_fee(...), which estimated_min_fee() (lines 592-611) explicitly calls out as "NOT the actual on-chain fee" and "NOT adjusted by the fee_strategy" — the static state_transition_min_fees floor (~6.5M for 1in/1out) is far below the chain-time debit (~14.94M observed; see issue #3040). Because the field is pub and shares its type with real credit values, callers reaching for cs.fee rather than the doc-laden accessor get the unfiltered footgun. Merge::merge (line 644) does self.fee = self.fee.saturating_add(other.fee), so a merged changeset's reported fee is a sum of values that already lied per-operation. Pick one of: (a) wrap in a newtype like EstimatedMinFee(Credits) so the type system surfaces the caveat at every call site; (b) rename to static_min_fee_estimate so accidental consumers can't confuse it with paid fees; or (c) keep it pub(crate) until #3040 lands.

_{source: ['claude', 'codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/src/changeset/changeset.rs`:
- [SUGGESTION] lines 583-645: PlatformAddressChangeSet::fee is a public Credits field whose own doc admits it does not represent the on-chain fee, and Merge silently sums it
  Confirmed at HEAD. `pub fee: Credits` (line 589) stores `AddressFundsTransferTransition::estimate_min_fee(...)`, which `estimated_min_fee()` (lines 592-611) explicitly calls out as "NOT the actual on-chain fee" and "NOT adjusted by the `fee_strategy`" — the static `state_transition_min_fees` floor (~6.5M for 1in/1out) is far below the chain-time debit (~14.94M observed; see issue #3040). Because the field is `pub` and shares its type with real credit values, callers reaching for `cs.fee` rather than the doc-laden accessor get the unfiltered footgun. `Merge::merge` (line 644) does `self.fee = self.fee.saturating_add(other.fee)`, so a merged changeset's reported fee is a sum of values that already lied per-operation. Pick one of: (a) wrap in a newtype like `EstimatedMinFee(Credits)` so the type system surfaces the caveat at every call site; (b) rename to `static_min_fee_estimate` so accidental consumers can't confuse it with paid fees; or (c) keep it `pub(crate)` until #3040 lands.

[thepastaclaw]

💬 Nitpick: E2eContext::cancel_token is constructed and exposed but never observed

Confirmed at HEAD. cancel_token is created at harness.rs:109, exposed via cancel_token() at harness.rs:96, and the doc claims it backs "graceful shutdown" of background helpers. A grep across packages/rs-platform-wallet/tests/e2e/ shows no .cancel(), no .cancelled(), and no tokio::select! arm referencing it — wait_for_balance, wait_for_identity_balance, wait_for_dpns_name_visible, the deferred SPV blocks, and the test bodies all ignore it. (The spv_sync.rs matches use a different local cancel token.) The token is dead state with a forward-looking accessor that tempts misuse — a future contributor may assume it actually halts background work. Either drop the field until shutdown wiring lands (Task #15) or wire one observer in (e.g. a tokio::select! arm in wait::wait_for_balance).

_{source: ['claude', 'codex']}

[thepastaclaw]

💬 Nitpick: make_platform_signer duplicates the DIP-17 default account/key-class constants instead of reusing the framework's tested source of truth

Confirmed at HEAD. framework/mod.rs:41-42 declares its own DEFAULT_ACCOUNT_INDEX = 0 / DEFAULT_KEY_CLASS = 0 and uses them in make_platform_signer, while framework/wallet_factory.rs:49-50 already exposes DEFAULT_ACCOUNT_INDEX_PUB / DEFAULT_KEY_CLASS_PUB derived from DEFAULT_PLATFORM_PAYMENT_ACCOUNT_SPEC with a drift test (wallet_factory.rs:666-667) asserting they match PlatformPaymentAccountSpec::default(). If the upstream default ever changes, every wallet-creation and transfer path that imports the _PUB constants will track the new value, but make_platform_signer will keep deriving keys for 0/0 — and the drift test won't catch the mismatch because it doesn't reference the local copies. Reuse the exported constants to keep signer derivation and wallet construction on a single source of truth.

_{source: ['claude']}

[thepastaclaw]

💬 Nitpick: FrameworkError::NotImplemented is dead — no producers anywhere in the workspace

Confirmed at HEAD. A repo-wide grep for NotImplemented in packages/rs-platform-wallet/ returns only the variant declaration on this line — every prior call site migrated to typed Sdk / Spv / Cleanup variants. Carrying a dead variant lowers signal in the error enum and tempts the next contributor to reach for it again as a generic placeholder when SPV (Task #15) re-lands. Drop it; if a real "feature deferred" path appears later, prefer a named typed variant.

_{source: ['claude']}

[thepastaclaw]

💬 Nitpick: sync_watermark collapses "block 0" and "no watermark stored" into the same None

Confirmed at HEAD. sync_watermark returns None whenever last_known_recent_block() == 0 (lines 272-276). The doc claim that this matches the "no stored watermark" convention is reasonable on freshly-restored mainnet/testnet wallets, but breaks down for any chain where block 0 is a legitimate genesis-aligned watermark (devnet/regtest, or any test fixture that explicitly sets last_known_recent_block to 0 during setup). After a sync that legitimately lands at height 0, the next call would still report "never synced." PA-007 in the PR's TEST_SPEC.md motivates this getter for monotonicity assertions; on regtest those assertions could be misled by the collapse. If the underlying intent is "distinguish unset from set," make the storage layer return Option<u64> end-to-end so the boundary stays honest.

_{source: ['claude', 'codex']}