feat(platform-wallet): e2e test spec and harness extensions

[lklimek]

Issue being fixed or feature implemented

Stacks on top of #3549 to deliver the next layer of the rs-platform-wallet e2e test suite: a written test specification, plus the harness extensions that subsequent test-implementation PRs will consume.

No test cases are added in this PR — the existing cases/transfer.rs is unchanged. The cases themselves come in follow-up PRs.

What was done?

Documentation

• tests/e2e/TEST_SPEC.md — 31 prioritized test cases across Platform Addresses (8), Identity (6), Tokens (4), Core/SPV (3), Contracts (3), DPNS (2), Dashpay (3), Contested (2). Each case has scenario steps, assertions, harness extensions required, DET parallels, complexity estimate.

Wallet public API additions (small, surgical)

• PlatformAddressChangeSet::fee_paid() — direct fee accessor populated in transfer() via AddressFundsTransferTransition::estimate_min_fee. Exact for the canonical DeductFromInput(_) strategy.
• PlatformAddressWallet::sync_watermark() -> Option<u64> — monotonic block watermark for sync assertions.
• IdentityManager::identity_count() / identity_ids() — convenience accessors.
• PlatformPaymentAddressProvider::last_known_recent_block getter — required plumbing for sync_watermark.

Harness — Wave A: identity signer + setup helpers

• SeedBackedIdentitySigner implementing Signer<IdentityPublicKey> (DIP-9 derivation).
• derive_identity_key(seed, network, identity_index, key_index, purpose, security_level) -> IdentityPublicKey — placeholder identity construction helper.
• TestWallet::register_identity_from_addresses(funding) -> RegisteredIdentity — end-to-end registration helper.
• wait_for_identity_balance and wait_for_dpns_name_visible in framework/wait.rs.

Harness — Wave B: multi-identity setup

• setup_with_n_identities(n) -> MultiIdentitySetupGuard — funds n distinct addresses on one test wallet and registers an identity from each. Wrapper around the existing SetupGuard (chosen over field extension because SetupGuard.teardown_called is pub(crate)).

Harness — Wave F: test-only utilities

• TestWallet::transfer_with_inputs (PA-002 negative variant — bypasses auto_select_inputs).
• TestWallet::transfer_capturing_st_bytes (PA-006 — returns serialized state-transition bytes alongside the changeset).
• PersistentTestWalletRegistry::get_status (PA-004 — single-entry status read).

Out of scope (per spec §4)

• Wave C (contract fixtures), Wave D (token contract config), Wave E (SPV re-enablement, blocked on Task fix(sdk): hash is not a function #15) — each tied to specific test-case PRs and gated on prerequisites.

How Has This Been Tested?

• cargo check -p platform-wallet --tests ✓
• cargo clippy -p platform-wallet --tests --all-features -- -D warnings ✓
• cargo fmt --all -- --check ✓
• No live e2e run — that requires PLATFORM_WALLET_E2E_BANK_MNEMONIC and a funded testnet wallet; documented in tests/e2e/README.md.

Breaking Changes

None. All additions are net-new public API or framework-only code.

Checklist:

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (TEST_SPEC.md)
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works — N/A; this PR is harness infrastructure. Test cases land in follow-up PRs per TEST_SPEC.md.
• New and existing unit tests pass locally with my changes
• I have made corresponding changes to the documentation

---

Stacks on #3549. Merge order: #3549 → this PR → follow-up test-case PRs.

🤖 Generated with Claude Code

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ec70543c-d7a1-421f-ae52-80c2fcd26c91

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/rs-platform-wallet-e2e-cases

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[thepastaclaw]

✅ Review complete (commit 511d28c)

[Copilot]

Pull request overview

This PR extends rs-platform-wallet’s end-to-end (e2e) testing effort by adding a written test-case specification and expanding the e2e harness with identity-related tooling and a few small, test-driven wallet API additions to enable upcoming follow-up test PRs.

Changes:

• Added a comprehensive e2e test specification document (TEST_SPEC.md) enumerating prioritized test cases and required harness capabilities.
• Extended the e2e harness with an identity signer, identity registration helpers, new wait utilities, and multi-identity setup support.
• Introduced small wallet/public-API additions to support e2e assertions (transfer fee accessor plumbing via changesets, sync watermark getter, identity manager convenience accessor, and a provider watermark getter).

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
packages/rs-platform-wallet/tests/e2e/framework/wallet_factory.rs	Adds transfer helpers, identity registration helper, and a RegisteredIdentity bundle used by future e2e cases
packages/rs-platform-wallet/tests/e2e/framework/wait.rs	Adds polling waiters for identity balance visibility and DPNS name propagation
packages/rs-platform-wallet/tests/e2e/framework/signer.rs	New seed-backed Signer<IdentityPublicKey> and identity key derivation helper for harness usage
packages/rs-platform-wallet/tests/e2e/framework/registry.rs	Adds a single-entry status accessor for registry lifecycle assertions
packages/rs-platform-wallet/tests/e2e/framework/mod.rs	Adds setup_with_n_identities and guard type for multi-identity test setup
packages/rs-platform-wallet/tests/e2e/TEST_SPEC.md	New written e2e test plan/spec with prioritized cases and harness roadmap
packages/rs-platform-wallet/src/wallet/platform_addresses/wallet.rs	Adds sync_watermark() accessor for incremental-sync assertions
packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs	Computes and attaches an estimated fee into PlatformAddressChangeSet on transfer
packages/rs-platform-wallet/src/wallet/platform_addresses/provider.rs	Exposes provider watermark getter used by wallet-level sync_watermark()
packages/rs-platform-wallet/src/wallet/identity/state/manager/accessors.rs	Adds identity_ids() convenience accessor
packages/rs-platform-wallet/src/changeset/changeset.rs	Extends PlatformAddressChangeSet with a fee field and fee_paid() accessor; updates merge/is_empty logic

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Claudius-Maginificent]

Valid finding — the comment overstates DeductFromInput(_)'s role. The harness defaults to [ReduceOutput(0)] (see framework/wallet_factory.rs::default_fee_strategy) and select_inputs_reduce_output is fully wired. Will reword on the next push.

_{🤖 Co-authored by Claudius the Magnificent AI Agent}

[Claudius-Maginificent]

Valid. The line "no sync has produced a watermark in this session" is inaccurate — apply_sync_state restoration also produces a watermark. Docstring already references apply_sync_state at the end but the leading sentence still says session-scoped. Will reword to "the provider's current stored watermark, whether restored from persistence or produced by a sync".

_{🤖 Co-authored by Claudius the Magnificent AI Agent}

[Claudius-Maginificent]

Confirmed real, not currently triggered. Marvin's audit (commit 511d28cb90) verified the failure path: SeedBackedIdentitySigner::lookup_identity_secret and can_sign_with unconditionally compute ripemd160_sha256(key.data()) for the cache probe, while SimpleSigner::from_seed_for_identity populates the cache keyed by ripemd160_sha256(raw_pubkey). For KeyType::ECDSA_HASH160, key.data() is already a 20-byte hash → second hash → cache miss every time.

Pinned as Found-019 (HIGH severity, dormant) in tests/e2e/TEST_SPEC.md § Found-bug pins, with the proof-shape test scenario. The bug doesn't currently trigger because derive_identity_key hard-codes KeyType::ECDSA_SECP256K1, but the type contract is broken for any caller that hands an ECDSA_HASH160-typed key to this signer. Fix is a separate PR — either special-case ECDSA_HASH160 to use the 20-byte data directly as the lookup key, or drop ECDSA_HASH160 from the supported set.

_{🤖 Co-authored by Claudius the Magnificent AI Agent}

[Claudius-Maginificent]

Valid — the docstring needs to match the current implementation, which (a) takes funding_address as a caller-provided argument, and (b) does not pre-check its balance before register_from_addresses. Will reword the docstring to remove the "picks a fresh receive address" and "verifies it has at least funding credits" claims; balance verification is the caller's responsibility (or a follow-up if a fail-fast variant is wanted).

_{🤖 Co-authored by Claudius the Magnificent AI Agent}

[Claudius-Maginificent]

Acknowledged. PlatformAddressChangeSet is pub; adding pub fee is a semver-breaking change for any external code that constructs it via struct literal or destructure. Two options: (a) mark the struct #[non_exhaustive] going forward (one-time breaking change but immunises future additions), (b) wrap fee behind a private field with a fee_paid() accessor (still requires struct-literal callers to update if they exist). The PR should note the breaking change in its body. Will surface to the milestone owner.

_{🤖 Co-authored by Claudius the Magnificent AI Agent}

[Claudius-Maginificent]

Confirmed real — pinned as Found-018 in tests/e2e/TEST_SPEC.md § Found-bug pins (LOW severity, doc-vs-impl divergence). The docstring claims "adjusted by the configured fee_strategy" but transfer() stores AddressFundsTransferTransition::estimate_min_fee(input_count, output_count, version) unconditionally. Two consistent ways to resolve (per the Found-018 entry): either update the docs to describe what's actually stored (total estimated min fee), or change the implementation to apply the fee-strategy adjustment. Both are tracked; fix lands in a separate PR.

_{🤖 Co-authored by Claudius the Magnificent AI Agent}

[Claudius-Maginificent]

Confirmed — pinned as Found-018 in tests/e2e/TEST_SPEC.md § Found-bug pins. The comment is internally inconsistent (it says "last-non-zero-wins" then immediately says "merging two transfer changesets sums the fees"), and the implementation is saturating_add (sums). Aligns with this finding's recommendation: pick one of (a) accumulate + rename field to total_fee, or (b) preserve last-non-zero + refuse-on-merge for two non-zero fees. Either way the docstring needs to match. Tracked; fix in a separate PR.

_{🤖 Co-authored by Claudius the Magnificent AI Agent}

[thepastaclaw]

Code Review

Verified all findings against the worktree at HEAD 895fa93. Two blocking issues are real and dovetail: setup_with_n_identities() advertises safe teardown but sweep_identities() is a no-op so identity credits leak while the registry entry is removed, and the same setup helper returns a wallet whose platform-address cache is stale because register_from_addresses explicitly skips the cache update (confirmed by an in-source TODO). Suggestion-tier findings cluster around the new fee_paid() API: its doc promises strategy-adjusted accounting but the implementation just stores estimate_min_fee, which the same crate elsewhere flags (issue #3040) as a known under-estimate of real chain-time fees — and the harness's default strategy is exactly the case that under-estimates the most. Two comment-correctness issues round out the review.

Reviewed commit: 895fa93

🔴 2 blocking | 🟡 3 suggestion(s) | 💬 2 nitpick(s)

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/mod.rs`:
- [BLOCKING] lines 220-223: `setup_with_n_identities()` leaks identity credits because `sweep_identities()` is still a no-op
  `MultiIdentitySetupGuard::teardown()` (mod.rs:236-238) forwards to `SetupGuard::teardown()`, whose docstring at mod.rs:220-223 advertises identity-side cleanup as implicit because "funds drain back to the bank during the wallet sweep". They don't: `cleanup.rs:170` calls `sweep_identities()` which is `Ok(())` (cleanup.rs:261-263, with a TODO blocking on a `Signer<IdentityPublicKey>` and CreditTransfer wiring). Meanwhile in the new flow, every funded address is consumed by `register_identity_from_addresses()`, so the credits sit on the identities, not on platform addresses, and the platform-address sweep at line 159 cannot recover them. Then `cleanup.rs:177` removes the registry breadcrumb, so the next startup sweep can no longer recover them either. Net effect: every test using this helper permanently burns `n * funding_per` bank credits while reporting a clean teardown. Fix: either implement `sweep_identities()` before merging this helper, or change the multi-identity guard's docstring + teardown to surface the leak (e.g. fail-loud teardown unless identity sweep lands), so tests don't silently drain the testnet bank.
- [BLOCKING] lines 193-215: `setup_with_n_identities()` returns a wallet with stale platform-address balances and nonces
  After registration, `IdentityWallet::register_from_addresses()` explicitly does NOT push the returned address infos into the platform-address cache — see the TODO at `src/wallet/identity/network/register_from_addresses.rs:139-143` ("For now the next BLAST sync round refreshes them"). `setup_with_n_identities()` registers `n` identities sequentially and returns immediately, so the `TestWallet` it returns thinks each funding address still holds its pre-registration balance with the pre-registration nonce. Any consumer that calls `balances()`, `total_credits()`, or attempts an address-funded transfer before triggering a sync will read stale state and likely select already-spent inputs, producing spurious `InsufficientFunds` / nonce-mismatch failures from the very tests this helper is meant to enable. A setup helper should leave the wallet in a consistent post-setup state — invoke `sync_balances()` on each consumed address (or push the returned `address_infos` into the cache directly) before returning the guard.

In `packages/rs-platform-wallet/src/changeset/changeset.rs`:
- [SUGGESTION] lines 591-606: `fee_paid()` doc promises a `fee_strategy` adjustment the implementation doesn't perform — and underestimates real chain-time fees
  The doc on `fee_paid()` claims the value is computed via `estimate_min_fee` "then adjusted by the configured `fee_strategy` so the returned number reflects the portion of the fee charged to the fee-bearing input's remaining balance." The producer at `transfer.rs:118-119` does no such adjustment — it stores the raw `estimate_min_fee(input_count, output_count, version)`. Worse, the in-tree comment at `transfer.rs:685-698` (cross-referencing platform issue #3040) acknowledges that `estimate_min_fee` returns only the static `state_transition_min_fees` floor, which the comment notes can be ~6.5M for 1in/1out while the real chain-time fee is ~14.94M. The harness's own `default_fee_strategy()` is `ReduceOutput(0)` (`wallet_factory.rs:399-401`) — exactly the case the bug report calls out. Any test that uses `cs.fee_paid()` to compute a post-transfer balance will be off by a meaningful and non-deterministic amount, producing flaky equality assertions on real testnets. Recommended fix: tighten the doc to say "lower-bound static estimate from `estimate_min_fee`, NOT the actual on-chain fee — see platform issue #3040" and consider renaming the accessor to `estimated_min_fee` (or returning `Option<Credits>`) until #3040 is resolved, so consumers cannot mistake the static floor for ground truth.

In `packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs`:
- [SUGGESTION] lines 113-119: Comment claims `DeductFromInput(_)` is the canonical strategy, but the crate's default is `ReduceOutput(0)`
  The new comment immediately above the `fee_paid` computation says: "With `DeductFromInput(_)` (the canonical strategy used everywhere in this crate) the entire fee is charged to the targeted input's remaining balance, so this value matches the on-chain debit." This is wrong on two counts. (1) `default_fee_strategy()` in `tests/e2e/framework/wallet_factory.rs:399-401` is `vec![AddressFundsFeeStrategyStep::ReduceOutput(0)]`, and the cleanup sweeps in `cleanup.rs:231` also use `ReduceOutput(0)` — there is no `DeductFromInput` use in this crate. (2) Under `ReduceOutput(0)`, the fee is taken from output 0's amount, not from any input's remaining balance, so the "matches the on-chain debit" claim doesn't hold for the strategy actually in use. The total `estimate_min_fee` value is the same regardless of strategy, so the field semantics are unaffected — but the justification is misleading and will confuse anyone trying to reconcile `fee_paid` against per-input deltas.

In `packages/rs-platform-wallet/tests/e2e/framework/wallet_factory.rs`:
- [SUGGESTION] lines 237-245: `transfer_capturing_st_bytes` doc misattributes byte differences to nonce divergence
  The doc says: "The captured bytes are taken from a sibling build (separate nonce fetch, separate signing pass) — they are NOT byte-equal to the broadcast transition, because the production path bumps nonces independently." The sibling build runs `fetch_inputs_with_nonce` + `nonce_inc` BEFORE `transfer_with_inputs` is called; `transfer_with_inputs` then does its own fetch of on-chain state and bumps the nonce identically. Because the sibling transition is never broadcast, on-chain state is unchanged between the two fetches, so both transitions end up with the *same* address nonces. The bytes diverge only because of ECDSA signature non-determinism (assuming no RFC 6979). This matters for PA-006: with identical nonces but different signatures the second submission is rejected by nonce-duplicate detection, not by content-hash duplicate detection. Future test authors writing assertions around this helper will be misled by the current explanation.

[thepastaclaw]

🔴 Blocking: setup_with_n_identities() leaks identity credits because sweep_identities() is still a no-op

MultiIdentitySetupGuard::teardown() (mod.rs:236-238) forwards to SetupGuard::teardown(), whose docstring at mod.rs:220-223 advertises identity-side cleanup as implicit because "funds drain back to the bank during the wallet sweep". They don't: cleanup.rs:170 calls sweep_identities() which is Ok(()) (cleanup.rs:261-263, with a TODO blocking on a Signer<IdentityPublicKey> and CreditTransfer wiring). Meanwhile in the new flow, every funded address is consumed by register_identity_from_addresses(), so the credits sit on the identities, not on platform addresses, and the platform-address sweep at line 159 cannot recover them. Then cleanup.rs:177 removes the registry breadcrumb, so the next startup sweep can no longer recover them either. Net effect: every test using this helper permanently burns n * funding_per bank credits while reporting a clean teardown. Fix: either implement sweep_identities() before merging this helper, or change the multi-identity guard's docstring + teardown to surface the leak (e.g. fail-loud teardown unless identity sweep lands), so tests don't silently drain the testnet bank.

_{source: ['codex-general', 'codex-rust-quality']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/mod.rs`:
- [BLOCKING] lines 220-223: `setup_with_n_identities()` leaks identity credits because `sweep_identities()` is still a no-op
  `MultiIdentitySetupGuard::teardown()` (mod.rs:236-238) forwards to `SetupGuard::teardown()`, whose docstring at mod.rs:220-223 advertises identity-side cleanup as implicit because "funds drain back to the bank during the wallet sweep". They don't: `cleanup.rs:170` calls `sweep_identities()` which is `Ok(())` (cleanup.rs:261-263, with a TODO blocking on a `Signer<IdentityPublicKey>` and CreditTransfer wiring). Meanwhile in the new flow, every funded address is consumed by `register_identity_from_addresses()`, so the credits sit on the identities, not on platform addresses, and the platform-address sweep at line 159 cannot recover them. Then `cleanup.rs:177` removes the registry breadcrumb, so the next startup sweep can no longer recover them either. Net effect: every test using this helper permanently burns `n * funding_per` bank credits while reporting a clean teardown. Fix: either implement `sweep_identities()` before merging this helper, or change the multi-identity guard's docstring + teardown to surface the leak (e.g. fail-loud teardown unless identity sweep lands), so tests don't silently drain the testnet bank.

[thepastaclaw]

🔴 Blocking: setup_with_n_identities() returns a wallet with stale platform-address balances and nonces

After registration, IdentityWallet::register_from_addresses() explicitly does NOT push the returned address infos into the platform-address cache — see the TODO at src/wallet/identity/network/register_from_addresses.rs:139-143 ("For now the next BLAST sync round refreshes them"). setup_with_n_identities() registers n identities sequentially and returns immediately, so the TestWallet it returns thinks each funding address still holds its pre-registration balance with the pre-registration nonce. Any consumer that calls balances(), total_credits(), or attempts an address-funded transfer before triggering a sync will read stale state and likely select already-spent inputs, producing spurious InsufficientFunds / nonce-mismatch failures from the very tests this helper is meant to enable. A setup helper should leave the wallet in a consistent post-setup state — invoke sync_balances() on each consumed address (or push the returned address_infos into the cache directly) before returning the guard.

_{source: ['codex-general']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/mod.rs`:
- [BLOCKING] lines 193-215: `setup_with_n_identities()` returns a wallet with stale platform-address balances and nonces
  After registration, `IdentityWallet::register_from_addresses()` explicitly does NOT push the returned address infos into the platform-address cache — see the TODO at `src/wallet/identity/network/register_from_addresses.rs:139-143` ("For now the next BLAST sync round refreshes them"). `setup_with_n_identities()` registers `n` identities sequentially and returns immediately, so the `TestWallet` it returns thinks each funding address still holds its pre-registration balance with the pre-registration nonce. Any consumer that calls `balances()`, `total_credits()`, or attempts an address-funded transfer before triggering a sync will read stale state and likely select already-spent inputs, producing spurious `InsufficientFunds` / nonce-mismatch failures from the very tests this helper is meant to enable. A setup helper should leave the wallet in a consistent post-setup state — invoke `sync_balances()` on each consumed address (or push the returned `address_infos` into the cache directly) before returning the guard.

[thepastaclaw]

🟡 Suggestion: fee_paid() doc promises a fee_strategy adjustment the implementation doesn't perform — and underestimates real chain-time fees

The doc on fee_paid() claims the value is computed via estimate_min_fee "then adjusted by the configured fee_strategy so the returned number reflects the portion of the fee charged to the fee-bearing input's remaining balance." The producer at transfer.rs:118-119 does no such adjustment — it stores the raw estimate_min_fee(input_count, output_count, version). Worse, the in-tree comment at transfer.rs:685-698 (cross-referencing platform issue #3040) acknowledges that estimate_min_fee returns only the static state_transition_min_fees floor, which the comment notes can be ~6.5M for 1in/1out while the real chain-time fee is ~14.94M. The harness's own default_fee_strategy() is ReduceOutput(0) (wallet_factory.rs:399-401) — exactly the case the bug report calls out. Any test that uses cs.fee_paid() to compute a post-transfer balance will be off by a meaningful and non-deterministic amount, producing flaky equality assertions on real testnets. Recommended fix: tighten the doc to say "lower-bound static estimate from estimate_min_fee, NOT the actual on-chain fee — see platform issue #3040" and consider renaming the accessor to estimated_min_fee (or returning Option<Credits>) until #3040 is resolved, so consumers cannot mistake the static floor for ground truth.

_{source: ['claude-general', 'claude-rust-quality', 'codex-rust-quality']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/src/changeset/changeset.rs`:
- [SUGGESTION] lines 591-606: `fee_paid()` doc promises a `fee_strategy` adjustment the implementation doesn't perform — and underestimates real chain-time fees
  The doc on `fee_paid()` claims the value is computed via `estimate_min_fee` "then adjusted by the configured `fee_strategy` so the returned number reflects the portion of the fee charged to the fee-bearing input's remaining balance." The producer at `transfer.rs:118-119` does no such adjustment — it stores the raw `estimate_min_fee(input_count, output_count, version)`. Worse, the in-tree comment at `transfer.rs:685-698` (cross-referencing platform issue #3040) acknowledges that `estimate_min_fee` returns only the static `state_transition_min_fees` floor, which the comment notes can be ~6.5M for 1in/1out while the real chain-time fee is ~14.94M. The harness's own `default_fee_strategy()` is `ReduceOutput(0)` (`wallet_factory.rs:399-401`) — exactly the case the bug report calls out. Any test that uses `cs.fee_paid()` to compute a post-transfer balance will be off by a meaningful and non-deterministic amount, producing flaky equality assertions on real testnets. Recommended fix: tighten the doc to say "lower-bound static estimate from `estimate_min_fee`, NOT the actual on-chain fee — see platform issue #3040" and consider renaming the accessor to `estimated_min_fee` (or returning `Option<Credits>`) until #3040 is resolved, so consumers cannot mistake the static floor for ground truth.

[thepastaclaw]

🟡 Suggestion: Comment claims DeductFromInput(_) is the canonical strategy, but the crate's default is ReduceOutput(0)

The new comment immediately above the fee_paid computation says: "With DeductFromInput(_) (the canonical strategy used everywhere in this crate) the entire fee is charged to the targeted input's remaining balance, so this value matches the on-chain debit." This is wrong on two counts. (1) default_fee_strategy() in tests/e2e/framework/wallet_factory.rs:399-401 is vec![AddressFundsFeeStrategyStep::ReduceOutput(0)], and the cleanup sweeps in cleanup.rs:231 also use ReduceOutput(0) — there is no DeductFromInput use in this crate. (2) Under ReduceOutput(0), the fee is taken from output 0's amount, not from any input's remaining balance, so the "matches the on-chain debit" claim doesn't hold for the strategy actually in use. The total estimate_min_fee value is the same regardless of strategy, so the field semantics are unaffected — but the justification is misleading and will confuse anyone trying to reconcile fee_paid against per-input deltas.

_{source: ['claude-general']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs`:
- [SUGGESTION] lines 113-119: Comment claims `DeductFromInput(_)` is the canonical strategy, but the crate's default is `ReduceOutput(0)`
  The new comment immediately above the `fee_paid` computation says: "With `DeductFromInput(_)` (the canonical strategy used everywhere in this crate) the entire fee is charged to the targeted input's remaining balance, so this value matches the on-chain debit." This is wrong on two counts. (1) `default_fee_strategy()` in `tests/e2e/framework/wallet_factory.rs:399-401` is `vec![AddressFundsFeeStrategyStep::ReduceOutput(0)]`, and the cleanup sweeps in `cleanup.rs:231` also use `ReduceOutput(0)` — there is no `DeductFromInput` use in this crate. (2) Under `ReduceOutput(0)`, the fee is taken from output 0's amount, not from any input's remaining balance, so the "matches the on-chain debit" claim doesn't hold for the strategy actually in use. The total `estimate_min_fee` value is the same regardless of strategy, so the field semantics are unaffected — but the justification is misleading and will confuse anyone trying to reconcile `fee_paid` against per-input deltas.

[thepastaclaw]

🟡 Suggestion: transfer_capturing_st_bytes doc misattributes byte differences to nonce divergence

The doc says: "The captured bytes are taken from a sibling build (separate nonce fetch, separate signing pass) — they are NOT byte-equal to the broadcast transition, because the production path bumps nonces independently." The sibling build runs fetch_inputs_with_nonce + nonce_inc BEFORE transfer_with_inputs is called; transfer_with_inputs then does its own fetch of on-chain state and bumps the nonce identically. Because the sibling transition is never broadcast, on-chain state is unchanged between the two fetches, so both transitions end up with the same address nonces. The bytes diverge only because of ECDSA signature non-determinism (assuming no RFC 6979). This matters for PA-006: with identical nonces but different signatures the second submission is rejected by nonce-duplicate detection, not by content-hash duplicate detection. Future test authors writing assertions around this helper will be misled by the current explanation.

_{source: ['claude-general']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/wallet_factory.rs`:
- [SUGGESTION] lines 237-245: `transfer_capturing_st_bytes` doc misattributes byte differences to nonce divergence
  The doc says: "The captured bytes are taken from a sibling build (separate nonce fetch, separate signing pass) — they are NOT byte-equal to the broadcast transition, because the production path bumps nonces independently." The sibling build runs `fetch_inputs_with_nonce` + `nonce_inc` BEFORE `transfer_with_inputs` is called; `transfer_with_inputs` then does its own fetch of on-chain state and bumps the nonce identically. Because the sibling transition is never broadcast, on-chain state is unchanged between the two fetches, so both transitions end up with the *same* address nonces. The bytes diverge only because of ECDSA signature non-determinism (assuming no RFC 6979). This matters for PA-006: with identical nonces but different signatures the second submission is rejected by nonce-duplicate detection, not by content-hash duplicate detection. Future test authors writing assertions around this helper will be misled by the current explanation.

[thepastaclaw]

💬 Nitpick: Merge fee comment opens with "last-non-zero-wins" but the code sums

The comment leads with // Fee: last-non-zero-wins. and then in the same block describes "merging two transfer changesets sums the fees" — directly contradicting itself. The code is self.fee = self.fee.saturating_add(other.fee), i.e. sum semantics; a true last-non-zero-wins merge of fee=100 then fee=50 would yield 50, while saturating_add yields 150. Drop the misleading lead clause so the policy matches the code.

💡 Suggested change

Suggested change

	// Fee: last-non-zero-wins. Sync-only merges (which carry
	// `fee == 0`) preserve a transfer's recorded fee; merging
	// two transfer changesets sums the fees, matching the
	// "total fee paid across operations in this batch" intent.
	self.fee = self.fee.saturating_add(other.fee);
	// Fee: append-sum across merged changesets. Sync-only merges
	// (which carry `fee == 0`) preserve a transfer's recorded
	// fee; merging two transfer changesets sums the fees,
	// matching the "total fee paid across operations in this
	// batch" intent.
	self.fee = self.fee.saturating_add(other.fee);

_{source: ['claude-general', 'claude-rust-quality']}

[thepastaclaw]

💬 Nitpick: wait_for_identity_balance / wait_for_dpns_name_visible can overshoot the supplied timeout by up to BACKSTOP_WAKE_INTERVAL

Both new helpers do match fetch ... ; if Instant::now() >= deadline { err } ; sleep(BACKSTOP_WAKE_INTERVAL=2s) ; loop. If the caller passes a timeout shorter than 2s, the unconditional 2s sleep can run after the deadline check, so the helpers can return a timeout error nearly 2 seconds late — and the next iteration's fetch may succeed against a chain state the test no longer cares about. Cap the sleep against deadline.saturating_duration_since(Instant::now()) (the same pattern wait_for_balance already uses with cap = std::cmp::min(remaining, BACKSTOP_WAKE_INTERVAL)) so the overshoot is bounded by one fetch RTT instead of a fixed 2s. Low-impact today (callers in the harness all pass ≥30s), but cheap to get right while the helpers are new.

_{source: ['claude-rust-quality']}

[thepastaclaw]

Code Review

Verified all findings against worktree HEAD 511d28c. Two blocking issues persist around setup_with_n_identities(): it forwards teardown to a no-op sweep_identities() (leaking identity credits while removing the registry breadcrumb), and it returns a wallet with stale platform-address cache because register_from_addresses deliberately skips the cache update. The new SeedBackedIdentitySigner ECDSA_HASH160 double-hash bug flagged by Codex is real but dormant on this PR's reachable paths and the author already pinned it as Found-019 in TEST_SPEC.md — kept as suggestion for visibility on the follow-up test wiring. Remaining items are doc/comment correctness on the new fee_paid API and a wait-helper timeout overshoot.

Reviewed commit: 511d28c

🔴 2 blocking | 🟡 4 suggestion(s) | 💬 2 nitpick(s)

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/mod.rs`:
- [BLOCKING] lines 220-238: `setup_with_n_identities()` leaks identity credits because `sweep_identities()` is still a no-op
  `MultiIdentitySetupGuard::teardown()` (mod.rs:236-238) just forwards to `SetupGuard::teardown()`, whose docstring at mod.rs:220-223 advertises identity-side cleanup as implicit because "funds drain back to the bank during the wallet sweep". They don't: `cleanup.rs:170` calls `sweep_identities()` which is `Ok(())` (cleanup.rs:261-263, with a TODO blocking on `Signer<IdentityPublicKey>` and CreditTransfer wiring). In the new flow every funded address is consumed by `register_identity_from_addresses()`, so credits sit on identities, not on platform addresses — the platform-address sweep at line 159 cannot recover them. Then `cleanup.rs:177` removes the registry breadcrumb, so the next startup sweep also loses the only handle to the wallet. Net effect: every test using this helper permanently burns `n * funding_per` bank credits while reporting a clean teardown. Fix: implement `sweep_identities()` before merging this helper, or change the multi-identity guard's docstring + teardown to surface the leak (fail-loud teardown until identity sweep lands) so tests don't silently drain the testnet bank.
- [BLOCKING] lines 193-215: `setup_with_n_identities()` returns a wallet with stale platform-address balances and nonces
  `IdentityWallet::register_from_addresses()` explicitly does NOT push the SDK-returned address infos into the platform-address cache — see the TODO at `src/wallet/identity/network/register_from_addresses.rs:139-143` ("For now the next BLAST sync round refreshes them"). `setup_with_n_identities()` registers `n` identities sequentially and returns immediately, so the `TestWallet` it returns thinks each funding address still holds its pre-registration balance with the pre-registration nonce. Any consumer that calls `balances()`, `total_credits()`, or attempts another address-funded transfer before triggering a sync will read stale state and likely select already-spent inputs, producing spurious `InsufficientFunds` / nonce-mismatch failures from the very tests this helper is meant to enable. A setup helper should leave the wallet in a consistent post-setup state — invoke `sync_balances()` on each consumed address (or push the returned `address_infos` into the cache directly) before returning the guard.

In `packages/rs-platform-wallet/src/changeset/changeset.rs`:
- [SUGGESTION] lines 591-606: `fee_paid()` doc promises a `fee_strategy` adjustment the implementation never performs — and underestimates real chain-time fees
  The doc on `fee_paid()` claims the value is computed via `estimate_min_fee` "then adjusted by the configured `fee_strategy` so the returned number reflects the portion of the fee charged to the fee-bearing input's remaining balance." The producer at `transfer.rs:118-119` does no such adjustment — it stores the raw `estimate_min_fee(input_count, output_count, version)`. Worse, the in-tree comment at `transfer.rs:685-698` (cross-referencing platform issue #3040) acknowledges that `estimate_min_fee` returns only the static `state_transition_min_fees` floor; for 1in/1out that floor is ~6.5M while real chain-time fees are ~14.94M. The harness's own `default_fee_strategy()` is `ReduceOutput(0)` (`wallet_factory.rs:399-401`) — exactly the case the bug report calls out. Tests that use `cs.fee_paid()` to compute post-transfer balances will be off by a meaningful and non-deterministic amount, producing flaky equality assertions. Fix: tighten the doc to say "lower-bound static estimate from `estimate_min_fee`, NOT the actual on-chain fee — see platform issue #3040" and consider renaming the accessor to `estimated_min_fee` (or returning `Option<Credits>`) until #3040 is resolved.

In `packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs`:
- [SUGGESTION] lines 113-119: Comment claims `DeductFromInput(_)` is the canonical strategy, but the crate's default is `ReduceOutput(0)`
  The new comment immediately above the `fee_paid` computation says: "With `DeductFromInput(_)` (the canonical strategy used everywhere in this crate) the entire fee is charged to the targeted input's remaining balance, so this value matches the on-chain debit." This is wrong on two counts. (1) `default_fee_strategy()` in `tests/e2e/framework/wallet_factory.rs:399-401` is `vec![AddressFundsFeeStrategyStep::ReduceOutput(0)]`, and the cleanup sweeps in `cleanup.rs:231` also use `ReduceOutput(0)` — there is no `DeductFromInput` use in this crate. (2) Under `ReduceOutput(0)`, the fee is taken from output 0's amount, not from any input's remaining balance, so the "matches the on-chain debit" claim doesn't hold for the strategy actually in use. The total `estimate_min_fee` value is the same regardless of strategy, so field semantics are unaffected — but the justification will mislead anyone reconciling `fee_paid` against per-input deltas.

In `packages/rs-platform-wallet/tests/e2e/framework/signer.rs`:
- [SUGGESTION] lines 114-143: `SeedBackedIdentitySigner` double-hashes `ECDSA_HASH160` lookup keys
  Both `can_sign_with()` (lines 114-122) and `lookup_identity_secret()` (lines 128-143) compute `ripemd160_sha256(key.data())` before probing `inner.address_private_keys`. That lookup is correct for `ECDSA_SECP256K1` because the cache is keyed by `hash160(pubkey)`. It is wrong for `ECDSA_HASH160` where `key.data()` is already the 20-byte hash — hashing it again yields `hash160(hash160(pubkey))`, which never matches the stored `hash160(pubkey)`. Result: any `ECDSA_HASH160` key reports `can_sign_with == false` and `sign()` fails with the misleading "not in pre-derived gap window" error even when the secret was pre-derived. Currently dormant — only `ECDSA_SECP256K1` keys are derived on reachable paths in this PR — and already documented as Found-019 in `tests/e2e/TEST_SPEC.md`. Worth fixing alongside the test pin so the test author isn't reasoning about a moving target. Fix: branch on `key.key_type()` so `ECDSA_HASH160` uses `key.data().as_slice()` directly as the lookup fingerprint.

In `packages/rs-platform-wallet/tests/e2e/framework/wallet_factory.rs`:
- [SUGGESTION] lines 237-245: `transfer_capturing_st_bytes` doc misattributes byte differences to nonce divergence
  The doc says: "The captured bytes are taken from a sibling build (separate nonce fetch, separate signing pass) — they are NOT byte-equal to the broadcast transition, because the production path bumps nonces independently." In practice the sibling build runs `fetch_inputs_with_nonce` + `nonce_inc` first against unchanged on-chain state; `transfer_with_inputs` then does its own fetch and bumps the nonce identically. Both transitions end up with the *same* address nonces — the bytes diverge only because of ECDSA signature non-determinism (no RFC 6979 in the signing path). This matters for PA-006: with identical nonces but different signatures, the second submission is rejected by nonce-duplicate detection, not by content-hash duplicate detection. The current explanation will mislead future test authors writing assertions around this helper, and risks landing a green PA-006 test that doesn't actually exercise pure-bytes-replay protection. Fix the doc to attribute the divergence to signature non-determinism, and either capture the bytes from the production submission (so re-broadcast shares both nonces and signature) or assert the rejection reason is duplicate-content rather than nonce-replay.

[thepastaclaw]

🔴 Blocking: setup_with_n_identities() leaks identity credits because sweep_identities() is still a no-op

MultiIdentitySetupGuard::teardown() (mod.rs:236-238) just forwards to SetupGuard::teardown(), whose docstring at mod.rs:220-223 advertises identity-side cleanup as implicit because "funds drain back to the bank during the wallet sweep". They don't: cleanup.rs:170 calls sweep_identities() which is Ok(()) (cleanup.rs:261-263, with a TODO blocking on Signer<IdentityPublicKey> and CreditTransfer wiring). In the new flow every funded address is consumed by register_identity_from_addresses(), so credits sit on identities, not on platform addresses — the platform-address sweep at line 159 cannot recover them. Then cleanup.rs:177 removes the registry breadcrumb, so the next startup sweep also loses the only handle to the wallet. Net effect: every test using this helper permanently burns n * funding_per bank credits while reporting a clean teardown. Fix: implement sweep_identities() before merging this helper, or change the multi-identity guard's docstring + teardown to surface the leak (fail-loud teardown until identity sweep lands) so tests don't silently drain the testnet bank.

_{source: ['claude', 'codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/mod.rs`:
- [BLOCKING] lines 220-238: `setup_with_n_identities()` leaks identity credits because `sweep_identities()` is still a no-op
  `MultiIdentitySetupGuard::teardown()` (mod.rs:236-238) just forwards to `SetupGuard::teardown()`, whose docstring at mod.rs:220-223 advertises identity-side cleanup as implicit because "funds drain back to the bank during the wallet sweep". They don't: `cleanup.rs:170` calls `sweep_identities()` which is `Ok(())` (cleanup.rs:261-263, with a TODO blocking on `Signer<IdentityPublicKey>` and CreditTransfer wiring). In the new flow every funded address is consumed by `register_identity_from_addresses()`, so credits sit on identities, not on platform addresses — the platform-address sweep at line 159 cannot recover them. Then `cleanup.rs:177` removes the registry breadcrumb, so the next startup sweep also loses the only handle to the wallet. Net effect: every test using this helper permanently burns `n * funding_per` bank credits while reporting a clean teardown. Fix: implement `sweep_identities()` before merging this helper, or change the multi-identity guard's docstring + teardown to surface the leak (fail-loud teardown until identity sweep lands) so tests don't silently drain the testnet bank.

[thepastaclaw]

🔴 Blocking: setup_with_n_identities() returns a wallet with stale platform-address balances and nonces

IdentityWallet::register_from_addresses() explicitly does NOT push the SDK-returned address infos into the platform-address cache — see the TODO at src/wallet/identity/network/register_from_addresses.rs:139-143 ("For now the next BLAST sync round refreshes them"). setup_with_n_identities() registers n identities sequentially and returns immediately, so the TestWallet it returns thinks each funding address still holds its pre-registration balance with the pre-registration nonce. Any consumer that calls balances(), total_credits(), or attempts another address-funded transfer before triggering a sync will read stale state and likely select already-spent inputs, producing spurious InsufficientFunds / nonce-mismatch failures from the very tests this helper is meant to enable. A setup helper should leave the wallet in a consistent post-setup state — invoke sync_balances() on each consumed address (or push the returned address_infos into the cache directly) before returning the guard.

_{source: ['claude', 'codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/mod.rs`:
- [BLOCKING] lines 193-215: `setup_with_n_identities()` returns a wallet with stale platform-address balances and nonces
  `IdentityWallet::register_from_addresses()` explicitly does NOT push the SDK-returned address infos into the platform-address cache — see the TODO at `src/wallet/identity/network/register_from_addresses.rs:139-143` ("For now the next BLAST sync round refreshes them"). `setup_with_n_identities()` registers `n` identities sequentially and returns immediately, so the `TestWallet` it returns thinks each funding address still holds its pre-registration balance with the pre-registration nonce. Any consumer that calls `balances()`, `total_credits()`, or attempts another address-funded transfer before triggering a sync will read stale state and likely select already-spent inputs, producing spurious `InsufficientFunds` / nonce-mismatch failures from the very tests this helper is meant to enable. A setup helper should leave the wallet in a consistent post-setup state — invoke `sync_balances()` on each consumed address (or push the returned `address_infos` into the cache directly) before returning the guard.

[thepastaclaw]

🟡 Suggestion: fee_paid() doc promises a fee_strategy adjustment the implementation never performs — and underestimates real chain-time fees

The doc on fee_paid() claims the value is computed via estimate_min_fee "then adjusted by the configured fee_strategy so the returned number reflects the portion of the fee charged to the fee-bearing input's remaining balance." The producer at transfer.rs:118-119 does no such adjustment — it stores the raw estimate_min_fee(input_count, output_count, version). Worse, the in-tree comment at transfer.rs:685-698 (cross-referencing platform issue #3040) acknowledges that estimate_min_fee returns only the static state_transition_min_fees floor; for 1in/1out that floor is ~6.5M while real chain-time fees are ~14.94M. The harness's own default_fee_strategy() is ReduceOutput(0) (wallet_factory.rs:399-401) — exactly the case the bug report calls out. Tests that use cs.fee_paid() to compute post-transfer balances will be off by a meaningful and non-deterministic amount, producing flaky equality assertions. Fix: tighten the doc to say "lower-bound static estimate from estimate_min_fee, NOT the actual on-chain fee — see platform issue #3040" and consider renaming the accessor to estimated_min_fee (or returning Option<Credits>) until #3040 is resolved.

_{source: ['claude', 'codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/src/changeset/changeset.rs`:
- [SUGGESTION] lines 591-606: `fee_paid()` doc promises a `fee_strategy` adjustment the implementation never performs — and underestimates real chain-time fees
  The doc on `fee_paid()` claims the value is computed via `estimate_min_fee` "then adjusted by the configured `fee_strategy` so the returned number reflects the portion of the fee charged to the fee-bearing input's remaining balance." The producer at `transfer.rs:118-119` does no such adjustment — it stores the raw `estimate_min_fee(input_count, output_count, version)`. Worse, the in-tree comment at `transfer.rs:685-698` (cross-referencing platform issue #3040) acknowledges that `estimate_min_fee` returns only the static `state_transition_min_fees` floor; for 1in/1out that floor is ~6.5M while real chain-time fees are ~14.94M. The harness's own `default_fee_strategy()` is `ReduceOutput(0)` (`wallet_factory.rs:399-401`) — exactly the case the bug report calls out. Tests that use `cs.fee_paid()` to compute post-transfer balances will be off by a meaningful and non-deterministic amount, producing flaky equality assertions. Fix: tighten the doc to say "lower-bound static estimate from `estimate_min_fee`, NOT the actual on-chain fee — see platform issue #3040" and consider renaming the accessor to `estimated_min_fee` (or returning `Option<Credits>`) until #3040 is resolved.

[thepastaclaw]

🟡 Suggestion: Comment claims DeductFromInput(_) is the canonical strategy, but the crate's default is ReduceOutput(0)

The new comment immediately above the fee_paid computation says: "With DeductFromInput(_) (the canonical strategy used everywhere in this crate) the entire fee is charged to the targeted input's remaining balance, so this value matches the on-chain debit." This is wrong on two counts. (1) default_fee_strategy() in tests/e2e/framework/wallet_factory.rs:399-401 is vec![AddressFundsFeeStrategyStep::ReduceOutput(0)], and the cleanup sweeps in cleanup.rs:231 also use ReduceOutput(0) — there is no DeductFromInput use in this crate. (2) Under ReduceOutput(0), the fee is taken from output 0's amount, not from any input's remaining balance, so the "matches the on-chain debit" claim doesn't hold for the strategy actually in use. The total estimate_min_fee value is the same regardless of strategy, so field semantics are unaffected — but the justification will mislead anyone reconciling fee_paid against per-input deltas.

_{source: ['claude', 'codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs`:
- [SUGGESTION] lines 113-119: Comment claims `DeductFromInput(_)` is the canonical strategy, but the crate's default is `ReduceOutput(0)`
  The new comment immediately above the `fee_paid` computation says: "With `DeductFromInput(_)` (the canonical strategy used everywhere in this crate) the entire fee is charged to the targeted input's remaining balance, so this value matches the on-chain debit." This is wrong on two counts. (1) `default_fee_strategy()` in `tests/e2e/framework/wallet_factory.rs:399-401` is `vec![AddressFundsFeeStrategyStep::ReduceOutput(0)]`, and the cleanup sweeps in `cleanup.rs:231` also use `ReduceOutput(0)` — there is no `DeductFromInput` use in this crate. (2) Under `ReduceOutput(0)`, the fee is taken from output 0's amount, not from any input's remaining balance, so the "matches the on-chain debit" claim doesn't hold for the strategy actually in use. The total `estimate_min_fee` value is the same regardless of strategy, so field semantics are unaffected — but the justification will mislead anyone reconciling `fee_paid` against per-input deltas.

[thepastaclaw]

🟡 Suggestion: SeedBackedIdentitySigner double-hashes ECDSA_HASH160 lookup keys

Both can_sign_with() (lines 114-122) and lookup_identity_secret() (lines 128-143) compute ripemd160_sha256(key.data()) before probing inner.address_private_keys. That lookup is correct for ECDSA_SECP256K1 because the cache is keyed by hash160(pubkey). It is wrong for ECDSA_HASH160 where key.data() is already the 20-byte hash — hashing it again yields hash160(hash160(pubkey)), which never matches the stored hash160(pubkey). Result: any ECDSA_HASH160 key reports can_sign_with == false and sign() fails with the misleading "not in pre-derived gap window" error even when the secret was pre-derived. Currently dormant — only ECDSA_SECP256K1 keys are derived on reachable paths in this PR — and already documented as Found-019 in tests/e2e/TEST_SPEC.md. Worth fixing alongside the test pin so the test author isn't reasoning about a moving target. Fix: branch on key.key_type() so ECDSA_HASH160 uses key.data().as_slice() directly as the lookup fingerprint.

_{source: ['codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/signer.rs`:
- [SUGGESTION] lines 114-143: `SeedBackedIdentitySigner` double-hashes `ECDSA_HASH160` lookup keys
  Both `can_sign_with()` (lines 114-122) and `lookup_identity_secret()` (lines 128-143) compute `ripemd160_sha256(key.data())` before probing `inner.address_private_keys`. That lookup is correct for `ECDSA_SECP256K1` because the cache is keyed by `hash160(pubkey)`. It is wrong for `ECDSA_HASH160` where `key.data()` is already the 20-byte hash — hashing it again yields `hash160(hash160(pubkey))`, which never matches the stored `hash160(pubkey)`. Result: any `ECDSA_HASH160` key reports `can_sign_with == false` and `sign()` fails with the misleading "not in pre-derived gap window" error even when the secret was pre-derived. Currently dormant — only `ECDSA_SECP256K1` keys are derived on reachable paths in this PR — and already documented as Found-019 in `tests/e2e/TEST_SPEC.md`. Worth fixing alongside the test pin so the test author isn't reasoning about a moving target. Fix: branch on `key.key_type()` so `ECDSA_HASH160` uses `key.data().as_slice()` directly as the lookup fingerprint.

[thepastaclaw]

🟡 Suggestion: transfer_capturing_st_bytes doc misattributes byte differences to nonce divergence

The doc says: "The captured bytes are taken from a sibling build (separate nonce fetch, separate signing pass) — they are NOT byte-equal to the broadcast transition, because the production path bumps nonces independently." In practice the sibling build runs fetch_inputs_with_nonce + nonce_inc first against unchanged on-chain state; transfer_with_inputs then does its own fetch and bumps the nonce identically. Both transitions end up with the same address nonces — the bytes diverge only because of ECDSA signature non-determinism (no RFC 6979 in the signing path). This matters for PA-006: with identical nonces but different signatures, the second submission is rejected by nonce-duplicate detection, not by content-hash duplicate detection. The current explanation will mislead future test authors writing assertions around this helper, and risks landing a green PA-006 test that doesn't actually exercise pure-bytes-replay protection. Fix the doc to attribute the divergence to signature non-determinism, and either capture the bytes from the production submission (so re-broadcast shares both nonces and signature) or assert the rejection reason is duplicate-content rather than nonce-replay.

_{source: ['claude', 'codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/tests/e2e/framework/wallet_factory.rs`:
- [SUGGESTION] lines 237-245: `transfer_capturing_st_bytes` doc misattributes byte differences to nonce divergence
  The doc says: "The captured bytes are taken from a sibling build (separate nonce fetch, separate signing pass) — they are NOT byte-equal to the broadcast transition, because the production path bumps nonces independently." In practice the sibling build runs `fetch_inputs_with_nonce` + `nonce_inc` first against unchanged on-chain state; `transfer_with_inputs` then does its own fetch and bumps the nonce identically. Both transitions end up with the *same* address nonces — the bytes diverge only because of ECDSA signature non-determinism (no RFC 6979 in the signing path). This matters for PA-006: with identical nonces but different signatures, the second submission is rejected by nonce-duplicate detection, not by content-hash duplicate detection. The current explanation will mislead future test authors writing assertions around this helper, and risks landing a green PA-006 test that doesn't actually exercise pure-bytes-replay protection. Fix the doc to attribute the divergence to signature non-determinism, and either capture the bytes from the production submission (so re-broadcast shares both nonces and signature) or assert the rejection reason is duplicate-content rather than nonce-replay.

[thepastaclaw]

💬 Nitpick: Merge fee comment opens with "last-non-zero-wins" but the code sums

The comment leads with // Fee: last-non-zero-wins. and then in the same block describes "merging two transfer changesets sums the fees" — directly contradicting itself. The code is self.fee = self.fee.saturating_add(other.fee), i.e. sum semantics; a true last-non-zero-wins merge of fee=100 then fee=50 would yield 50, while saturating_add yields 150. Drop the misleading lead clause so the policy matches the code.

💡 Suggested change

Suggested change

	// Fee: last-non-zero-wins. Sync-only merges (which carry
	// `fee == 0`) preserve a transfer's recorded fee; merging
	// two transfer changesets sums the fees, matching the
	// "total fee paid across operations in this batch" intent.
	self.fee = self.fee.saturating_add(other.fee);
	// Fee: append-sum across merged changesets. Sync-only merges
	// (which carry `fee == 0`) preserve a transfer's recorded
	// fee; merging two transfer changesets sums the fees,
	// matching the "total fee paid across operations in this
	// batch" intent.
	self.fee = self.fee.saturating_add(other.fee);

_{source: ['claude', 'codex']}

[thepastaclaw]

💬 Nitpick: wait_for_identity_balance / wait_for_dpns_name_visible can overshoot the supplied timeout by up to BACKSTOP_WAKE_INTERVAL

Both new helpers do match fetch ... ; if Instant::now() >= deadline { err } ; sleep(BACKSTOP_WAKE_INTERVAL=2s) ; loop. If the caller passes a timeout shorter than 2s, the unconditional 2s sleep can run after the deadline check, so the helpers can return a timeout error nearly 2 seconds late — and the next iteration's fetch may succeed against a chain state the test no longer cares about. Cap the sleep against deadline.saturating_duration_since(Instant::now()) (the same pattern wait_for_balance already uses with cap = std::cmp::min(remaining, BACKSTOP_WAKE_INTERVAL)) so the overshoot is bounded by one fetch RTT. Low-impact today (callers in the harness all pass ≥30s), but cheap to get right while the helpers are new.

_{source: ['claude', 'codex']}