…om key_wallet

Replace the duplicated DEFAULT_ACCOUNT_INDEX / DEFAULT_KEY_CLASS constants
with a default_platform_payment_account_key() helper that destructures
key_wallet's PlatformPaymentAccountSpec::default(), and pin the const _PUB
values to the same canonical struct's fields. A colocated drift test asserts
PlatformPaymentAccountSpec::default() still matches our pinned constants —
preventing silent drift if upstream defaults change.

WalletAccountCreationOptions::Default is a unit variant (the (account, key_class)
shape lives in the BTreeSet variant, not Default itself), so destructuring
Default directly was not viable. Pinning to PlatformPaymentAccountSpec —
the canonical "what does Default mean for a PlatformPayment account" struct
— is the closest equivalent.

Resolves PR #3549 thread r-aA6u.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…t(0)

Pay fees by reducing output 0 instead of deducting from input 0. Simpler
to reason about for test authors — recipients see (requested - fee_share),
no input-side reservation needed.

KNOWN BREAKAGE: the existing transfer_between_two_platform_addresses test
asserts an exact recipient balance and will fail under the new default
(recipient receives 10M - fee_share). Test fixture update is a follow-up.

Also re-aligns import ordering in this file with `cargo fmt --all`
defaults (a minor stray drift from the previous commit).

Resolves PR #3549 thread r-aCky.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…dex 0

Sweep-back target uses the bank's address-0 deterministically instead of
advancing the unused-address pool every test run. Avoids accumulation of
empty addresses on the bank wallet across test invocations.

Implementation: derive the DIP-17 platform-payment address at index 0
directly from the bank seed (mirroring simple-signer's derivation logic),
side-stepping the AddressPool's "next unused" cursor that would skip
index 0 once it gets marked used.

Resolves PR #3549 thread r-Jhi_.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…put-from-output

Sweep-to-bank uses ReduceOutput(0) so the bank absorbs the fee from its
incoming sum. Drops SWEEP_FEE_ESTIMATE constant and the multi-input fee
headroom math. Sweep gate is now "if address balance > 0".

Resolves PR #3549 thread r-ZluD.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…noop stubs

Split drain_to_bank into per-source helpers: sweep_platform_addresses
(active), sweep_identities, sweep_core_addresses, sweep_unused_core_asset_locks,
sweep_shielded (all noop with TODOs). teardown_one and sweep_orphans now
walk every source type so future sweep implementations slot in cleanly.

Resolves PR #3549 thread r-Zoq9.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…-platform-wallet-e2e

…tication_path

`AccountType::IdentityAuthenticationEcdsa { identity_index }` was
removed from `key-wallet` between revs `4c8bec3` and `ea33cbc8`.
Replaced with the new top-level `DerivationPath::identity_authentication_path(
network, KeyDerivationType::ECDSA, identity_index, key_index)` API
(`key-wallet/src/bip32.rs:1115`), which bakes both identity_index and
key_index into the path directly — `key_index` becomes the loop
variable instead of an external `extend([leaf])` step.

…ectly

PR #3549 dedup re-audit (PROJ-001): the local DEFAULT_GAP_LIMIT = 20
shadows key_wallet's canonical pub const DIP17_GAP_LIMIT (rust-dashcore
ea33cbc8: key-wallet/src/gap_limit.rs:26). Drop the local constant and
import the upstream one — drift here would silently de-sync the harness
from key-wallet's own gap policy.

…gh PlatformWallet

PR #3549 dedup re-audit (PROJ-002): derive_platform_address_at_index
was running BIP-32 manually from raw seed bytes. The bank already holds
a PlatformWallet whose Wallet::derive_public_key (key-wallet/src/wallet/
helper.rs:763) does the same thing, so the parallel-derivation surface
was redundant. Take the existing &Arc<PlatformWallet>, call
.state().await.wallet().derive_public_key(&path), hash the result.

Drops the bip39 seed-bytes consumer (the seed bytes are still derived
once for SeedBackedPlatformAddressSigner::new four lines below). Net
removes RootExtendedPrivKey, Secp256k1, PublicKey imports from bank.rs.

…r wrapper

`framework/signer.rs` was a 78-line do-nothing shell around
`SimpleSigner::from_seed_for_platform_address_account`:
- the `Signer<PlatformAddress>` trait impl just delegated to inner;
- `SimpleSigner` already implements that trait directly
  (`packages/simple-signer/src/signer.rs:338`);
- `cached_key_count` and `new_with_gap` had zero callers outside the
  module;
- the only added value was pinning `account=0`/`key_class=0`, which
  collapses to four lines of construction code.

Replace with `framework::make_platform_signer(seed_bytes, network) ->
SimpleSigner` next to the `FrameworkError`/`FrameworkResult` types in
`mod.rs`. The three call sites (`bank.rs`, `wallet_factory.rs`,
`cleanup.rs`) now hold `SimpleSigner` directly and pass it straight to
`PlatformAddressWallet::transfer`. `TestWallet::address_signer()`
returns `&SimpleSigner` for the same reason.

…#763

Add tracking-issue cross-link in three places (file-level docstring,
`#[ignore]` reason, in line with the AL-001 / #3641
pattern from commit 27087f8).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…#764

Add tracking-issue cross-link in the file-level docstring and the
`#[ignore]` reason. Same pattern as Found-021 / #763 (commit 420250d)
and AL-001 / #3641 (commit 27087f8).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

… 546 (QA-901)

TRACE re-investigation 2026-05-14 confirmed the earlier deterministic
failure was a test-side dust-threshold mismatch (test assumed 2,730 duffs;
upstream `transaction_builder.rs:294`, rev `5313086…`, uses 546). Headroom
changed from 2,500 → 700; new change range [200, 474] is fully sub-dust
across the observed [226, 500] testnet fee range, so the builder folds it
into the fee and the BIP-32 account is truly drained.

CR-004 reclassified red-by-design (dash-evo-tool#845) → passing-as-regression.
The test now pins the symmetric BIP-32 spent-marking path
(TransactionRouter → ManagedAccountCollection → check_transaction_for_match →
update_utxos) plus the upstream sub-dust fold contract. The dash-evo-tool#845
reference is retained as a historical footnote — the symmetric spent-marking
path was confirmed working; any remaining DET surface lives in dash-evo-tool's
own UI refresh path, outside this suite's contract.

TEST_SPEC.md updates: matrix row, detailed body (Layer 2 description + bug
repro note), changelog entry, post-v47 status section, and counts annotation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…(already fixed)

Both pins describe contracts that are already satisfied in HEAD:

- Found-019 (SeedBackedIdentitySigner ECDSA_HASH160 re-hash) — fix
  landed at packages/rs-platform-wallet/tests/e2e/framework/signer.rs:148-154
  in commit 59cba08 (PR #3563). identity_key_lookup branches on
  key_type; ECDSA_HASH160 uses key.data() as-is, no re-hash. Production
  packages/simple-signer/src/signer.rs does NOT have the bug shape
  (different storage models).
- Found-020 (PA-001b output_change_address spec/impl drift) resolved
  via spec realignment in PR #3609 (option a). PA-001b rewritten to
  match implicit-change semantics. The parameter doesn't exist in
  production and isn't planned.

Knowledge preserved in memcan; spec clutter dropped. Total Found-bug
pins 26 → 24.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…e fee with symmetric pre-markers

PA-003 measures the real chain-time fee (Σ gross outputs −
Σ destination balance deltas, the canonical Σ inputs − Σ outputs under
[ReduceOutput(0)]) for two self-transfers that draw inputs exclusively
from a single source address (InputSelection::Explicit). Every
measured destination — including the 1-output dest_1 — is pre-markered
so both shapes hit address-funds UPDATE storage ops with no one-off
CREATE skew; output count is the sole varied factor. Restored guards:
strict fee_5 > fee_1, sub-linear fee_5 < fee_1*5, and the explicit
FEE_DELTA_CEILING linear-fee-schedule tripwire.

Funding defect fix: the explicit-input map value is the actual input
amount the transition encodes (it must balance Σ outputs and be backed
by the address balance), not a placeholder weight. inputs_1 now uses
OUTPUT_AMOUNT and inputs_5 uses 5×OUTPUT_AMOUNT. addr_src funding
bumped 500M → 700M to cover six MARKER_AMOUNT pre-markers (180M) plus
both measured transfers (50M + 250M) with headroom, so addr_src always
holds ≥ the explicit input amount when each transition is built.

TEST_SPEC.md: PA-003 status flipped to green (table row + body) with a
concise changelog line.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…real eager-pool state

Production's DIP-17 platform-payment pool is built by the eager
AddressPool::new, which fills indices 0..=gap_limit-1 at construction
(highest_generated = Some(gap_limit-1)); the QA-002 setup hook then
marks index 0 used. From that real state the batch helper's
fresh-past-highest_generated headroom is highest_used + 1 = 1, so the
triplet's empty-pool full-window premise is unreachable in production.

Rather than suppressing eager fill or changing the (correct) shared
helper math at framework/gap_limit.rs, the test now models a real
wallet that has cycled its first DIP-17 gap window: a test-scoped
open_full_gap_window marks index gap_limit-1 used, shifting the ceiling
up by gap_limit to open a genuine gap_limit-wide fresh window. The same
DIP-17 boundary triad is pinned from the production starting state:

- A: request gap_limit-1 fresh addresses, assert success + all distinct
- B: request gap_limit (boundary), assert success + all distinct
- C: request gap_limit+1, assert GapLimitError::Exceeded with every
  field pinned against the LIVE post-mark watermarks
  (requested, available=gap_limit, gap_limit,
  highest_used=Some(gap_limit-1), highest_generated=Some(gap_limit-1)),
  then a boundary retry proves the rejection did not mutate the pool

Shared helper semantics are unchanged. TEST_SPEC.md PA-005b updated in
all three places (quick-index, body Status, changelog) to the accurate
rebaselined contract.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…ead-back (QA-014)

PA-009 sub-case C's post-teardown observation re-derived the gone test
wallet and trusted its recent-zone sync watermark. A watermark-less
re-derived wallet's sync_balances(AddressSyncConfig{
full_rescan_after_time_s: 0 }) resolves to a recent-zone-only query
that returned 0 for addr_1 even though the sub-min_input dust was
correctly abandoned and never swept — a non-deterministic harness gap
(QA-014), not a production defect. The v53 14-thread run failed at the
re-derive read-back assertion (pa_009_min_input_amount.rs:290,
left: 0, right: 1000) while the cleanup-gate abandon-dust path itself
worked correctly.

Replace the re-derive read-back with a direct proof-verified on-chain
read of addr_1 via wait_for_address_balance_chain_confirmed — the same
AddressInfo::fetch gate the funding step already uses successfully
earlier in the same test. The post-condition now asserts addr_1 still
holds exactly TARGET_RESIDUAL on chain, reading real chain state
instead of a stale re-derived local view.

All three pinned invariants are preserved and strengthened:
(a) below-gate dust abandoned, no sweep transition broadcast (a swept
dust drops the balance to ~0, timing out the gate);
(b) gate == PlatformVersion::latest().dpp.state_transitions.address_funds
.min_input_amount and is positive (sub-cases A/B, untouched);
(c) addr_1 residual remains on chain at exactly TARGET_RESIDUAL.

#[ignore] and #[tokio_shared_rt::test(shared)] retained (network-gated,
the standard for all on-chain e2e cases; suite runs --include-ignored).
TEST_SPEC.md PA-009 references (quick-index, body Status/Scenario,
changelog) updated consistently; no stale QA-014/degenerate drift.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

… Found-025 sync-discard race

TK-001 and TK-014 failed in the v53 14-thread run, both timing out in the
SETUP FUNDING gate before any token logic ran (tk_001_token_transfer.rs:67
setup_with_token_and_two_identities; tk_014_token_group_action.rs:109
setup_with_per_identity_funding). In both, bank.fund_address chain-confirmed
the funding (nonce streak 2/2) before the wait, then the rs-sdk address-sync
silently discarded the fetched balance update because the target address was
not yet in pending_addresses — Found-025, amplified by 14-thread concurrency.
Not production defects: transfer/group-action/co-sign code never executed and
siblings (TK-001b/c, TK-009/010/012) were green in the same run.

Root cause in the shared chokepoint framework/mod.rs::setup_with_per_identity_funding:
it gated on wait_for_balance, whose proof-verified hand-off only runs AFTER
the Found-025-poisoned local sync map (balances().get(addr)) first reaches
target — so under Found-025 the proof gate was never reached and the budget
expired in the local-view branch (60-62 polls, no chain-confirmed line).

Fix: observe funding directly via the proof-verified AddressInfo::fetch path
(wait_for_address_balance_chain_confirmed_n, CHAIN_CONFIRMED_CONSECUTIVE_SUCCESSES)
— the same chain-state read the validator walks and the family PA-009c
adopted — bypassing the poisoned map entirely. The existing strong
wait_for_address_known_to_platform gate is unchanged. Only the
funding-observation mechanism changed: no funding amounts, identity counts,
contract publish, propose/co-sign, or token/identity assertions altered.

Deterministic and concurrency-independent, so it hardens the whole
setup-helper blast radius (all 22 TK-*/ID-*/CR-003/DPNS-001 cases routing
through setup_with_per_identity_funding). No new Found-NNN pin and no
upstream issue (Found-025 already owns the root cause). A TK-wave
serialization / worker-pool cap remains a documented fallback only — not
implemented, since the proof-verified read-back structurally bypasses the
poisoned map.

TEST_SPEC.md: TK-001 (quick-index + body) and TK-014 (quick-index + body)
reclassified green -> red-real-fail mirroring TK-007 wording, cross-linked
to Found-025; one changelog entry added. All three references per test are
mutually consistent (no stale green/PASS-in-v47 drift).

Live e2e requires a bank-funded node (yarn start) unavailable in this
environment; verified by inspection + cargo build --tests + cargo clippy
(both clean). Live re-validation deferred to the combined v54 run.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…ound-008 env-mask

FIX 1 (#475): the e2e README documented the opt-in invocation with
`--ignored`, which runs ONLY the `#[ignore]`-attributed subset (~40/108)
and silently skips owned-fix cases. Corrected to `--include-ignored` so the
full suite runs, with a one-line note explaining why `--ignored` alone is wrong.

FIX 2 (#474, CLAUDE.md infra-blocker rule): added a `// TODO(env):` marker in
al_001 near the Core-funded setup gate and a brief note in TEST_SPEC.md's
AL-001/Found-008 entry recording that the Found-008 pin is env-masked when the
e2e testnet Core L1 bank is depleted (al_001 dies at the setup gate, not at the
designed FinalityTimeout; same depletion also fails cr_003 + id_002b). Funding
address phrased generically — the specific address is being verified separately.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…ex 0

`primary_core_receive_address` routed through
`CoreWallet::next_receive_address_for_account(0)`, whose pool
advances its "next unused" cursor off index 0 as soon as a UTXO
lands there — so the operator-funded Core top-up address drifted
run-to-run, stranding duffs on stale empty addresses.

Mirror the existing `derive_platform_address_at_index` pattern with
`derive_core_receive_address_at_index`: derive a deterministic
`m/44'/coin'/0'/0/0` address via the live wallet's
`derive_public_key`, reconstructing the P2PKH address exactly as
key-wallet's own address pool does. The under-funded preflight now
reports this same stable address; `CORE_TX_FEE_RESERVE` semantics
and the under-funded arithmetic are unchanged.

<sub>🤖 Co-authored by [Claudius the Magnificent](https://github.com/lklimek/claudius) AI Agent</sub>

(cherry picked from commit 07f160c1d09eebfed320dbd0408195ee7bd5ea19)

…down with preflight

The Core-bank auto-refill defaults were 3-4 orders of magnitude too low to
keep the bank funded. A FULL e2e pass burns ~13 tDASH ≈ 1.3e9 duffs
(1 DASH = 1e8 duffs); the old defaults were 100_000 / 1_000_000 duffs
(0.001 / 0.01 DASH) — not even 0.1% of one pass.

Re-anchor sizing on the measured per-pass burn (CORE_BURN_PER_FULL_PASS_DUFF
= 1_300_000_000):
- threshold: 2_000_000_000 duffs (~20 tDASH) — one full pass + ~0.5-pass
  margin so the bank is topped up before it can starve mid-pass.
- target: 5_000_000_000 duffs (~50 tDASH ≈ 3.8 passes) — one slow
  Platform→Core withdrawal buys several passes of runway.

Run the refill on BOTH ends of the lifecycle:
- setup: existing call (harness.rs, unchanged) fires first.
- teardown: new call in SetupGuard::teardown after the sweep returns this
  test's funds to the bank — the cheapest point to refill for the next
  pass. Below-threshold-guarded inside the helper, so it's a no-op when
  already funded; best-effort, never fails a teardown.

Add a setup preflight (assert_core_funded_for_one_pass): after the refill
attempt, if confirmed Core is still below one full pass
(CORE_REFILL_OPERATIONAL_MIN_DUFF), fail fast with a FrameworkError::Bank
naming the fixed index-0 top-up address and the exact shortfall — mirrors
the existing send_core_to under-funded error shape — instead of silently
entering a doomed run.

Unit test pins the defaults to the measured burn (threshold ≥1 pass,
target ≥3 passes, preflight floor == 1 pass).

<sub>🤖 Co-authored by [Claudius the Magnificent](https://github.com/lklimek/claudius) AI Agent</sub>

(cherry picked from commit 6662725c4c95a8866eb62014fc070ca23ca38310)

…nfirmed (Found-025)

The funding-gate `wait_for_balance` in the identity/address state-transition
tests checks the wallet's local sync map before handing off to the
proof-verified chain gate. Under multi-thread churn the rs-sdk address-sync
silently drops a fetched balance update when the address isn't yet in
`pending_addresses` (Found-025), poisoning that local map so the precondition
never reaches target and the proof-verified hand-off never runs — the gate
times out before the immediately-following broadcast.

Swap the 9 funding-then-broadcast gates (register_identity_from_addresses /
top_up_from_addresses inputs) to `wait_for_address_balance_chain_confirmed_n`
with `CHAIN_CONFIRMED_CONSECUTIVE_SUCCESSES`, mirroring the
`setup_with_per_identity_funding` precedent exactly. Post-broadcast
`wait_for_balance` sites whose assertion subject IS the wallet's local
`.balances()` view (id_005 dest readback, all PA self-transfer tests) are
left untouched — swapping them would un-sync the local map those assertions
depend on.

<sub>🤖 Co-authored by [Claudius the Magnificent](https://github.com/lklimek/claudius) AI Agent</sub>

(cherry picked from commit bf4779e288ed2b22f52680b22543f57fc8690848)

…unmask

QA-501/502 (id_005:127, id_002:117): Found-025 fix unmasked a downstream
Found-026-family production cursor race — next_unused_address() returns a
DUPLICATE under 14-thread churn. RED-by-design pins + TEST_SPEC reclass
(green → red-by-design concurrency-only). No production fix; assertions
stay genuinely RED for the real reason. Same root component + concurrency
trigger as Found-026 (PA-008b); distinct observable mechanism
(duplicate-derivation vs enqueue-miss) — linked to Found-026 family, no
new Found-NNN (#496 holds filing; Found-026 still suspected).

QA-503 (id_sweep:167): HARNESS test-defect, minimal fix. The secondary
bank-identity post<=pre invariant is structurally unobservable under
concurrent harness bank_rebalance core-refill (which by design tops up
the bank identity; growth delta exactly matches topup_credits). Sweep
correctness already pinned by the race-immune swept_identity_credits
assertion — same flaw class QA-V39-001 fixed for the primary check.
Removed the unobservable invariant (not green-paint: no real check
weakened, no production source touched).

QA-504 (pa_006b:83): Found-025-family known-fail under documented
multi-thread conditions; un-swapped wait_for_balance reads the poisoned
local map (#480 intentional non-swap). TEST_SPEC status corrected
(green → red-real-fail multi-thread only). Flagged a swap-scope
recommendation (swap ONLY the funding gate) — NOT applied (out of code
scope).

<sub>🤖 Co-authored by [Claudius the Magnificent](https://github.com/lklimek/claudius) AI Agent</sub>

(cherry picked from commit e53d543a8f24e3ff3dbb917fd122f71322d52e67)

… chain-confirmed (QA-504)

Corrects a #480 mis-scoping: pa_006b:81 is a funding PRECONDITION
gate, not a post-broadcast `.balances()` assertion, so the #480
local-map rationale never applied. Swapped ONLY :81 to
`wait_for_address_balance_chain_confirmed_n` (same pattern / arg-order
/ CHAIN_CONFIRMED_CONSECUTIVE_SUCCESSES as the #480 funding-gate
swaps) — resolves the v-run's documented deterministic 14-thread
funding-gate timeout. Post-broadcast `wait_for_balance(&addr_dst)` at
:170 stays correctly un-swapped per #480.

TEST_SPEC PA-006b reclassified `red-real-fail` → `partially-fixed
(QA-504)`: the documented failure is fixed, but a clean multi-thread
pass is NOT claimed — :170 retains residual Found-025-family
exposure and no live re-run was possible (no bank-funded node).
Honest, not green-washed.

<sub>🤖 Co-authored by [Claudius the Magnificent](https://github.com/lklimek/claudius) AI Agent</sub>

(cherry picked from commit 92881fde6cce24ccc47123ef7982e5b961682184)