feat: platform-wallet backend rewrite (spec + implementation)

[lklimek]

Goal

Dash Evo Tool carried its own large SPV/wallet stack that duplicated logic now maintained upstream. This PR rewrites DET's wallet backend on top of the upstream platform-wallet crate (dashpay/platform), which owns SPV chain sync, address derivation, identity/asset-lock handling, and the shielded coordinator.

DET is now a thin adapter over that crate: its bespoke SPV stack (src/spv/) and the legacy RPC wallet mode are gone, chain sync and derivation come from upstream, and the shielded subsystem routes through the upstream coordinator. The BackendTask action/channel contract is preserved, so the UI layer is largely unchanged. Existing wallets are migrated onto the new model on first launch (marker-gated, with a *.premigration backup). Net effect: far less wallet code to maintain in DET, a single source of truth shared with the rest of the platform, and upstream fixes inherited automatically.

Bugs fixed

Funds-safety

• Funds sent to addresses beyond the SPV gap window — via Receive → New Address, the asset-lock deposit address, or platform top-up change — were never watched and never appeared in the balance. All address derivation now comes from the SPV-watched pool.
• The asset-lock deposit QR flow could hang at "Waiting for funds…" forever (the event that advances it had no producer).
• Incoming DashPay contact payments were never detected or credited (the detection chain had no callers).

Shielded confirmation-safety

• Shield-from-asset-lock and the four sibling shielded spends reported success / marked notes spent even when the transaction might never have confirmed. They now surface typed *ConfirmationUnknown errors instead of a false success.

Secret hygiene

• The passphrase was prompted at startup for wallets the user hadn't chosen to unlock; it is now requested just-in-time per operation and dropped immediately after use.
• A single-key private key was kept in plaintext for the whole session — removed.
• DashPay ECDH and HD encryption keys are now zeroized on drop.

Data-safety

• Password-protected single-key wallets that silently vanished after upgrade are preserved.
• Wallets left unloaded after the cold-start migration (which required a manual restart) are now rehydrated automatically.

Identity / sync

• User-set identity aliases are preserved during auto-discovery (previously silently overwritten).
• Platform/identity sync no longer starts before chain quorum is ready (which previously caused a DAPI ban storm).

Known gaps

• Dependency pin — merge-blocker (PROJ-005). The upstream platform-wallet / dash-sdk crates are pinned to an unreleased branch (fix/wallet-core-derived-rehydration), not a released tag. Must be re-pinned to a released version before merge-to-ship.
• Non-wallet data not migrated (PROJ-034). App settings (network/theme/paths), top-up history, and scheduled DPNS votes reset on upgrade; scheduled votes carry a vote-window deadline risk. Deferred to a follow-up.
• Single-key wallets partial (PROJ-007). Balance refresh and SPV send for single-key wallets still return SingleKeyWalletsUnsupported, pending upstream watch-only support. Import / data-loss guard / password-restore are done.
• Minor / deferred: token "stop tracking" is undone by a refresh (PROJ-041); no in-app notice for the removed QR-direct-fund path (DOC-003); external user-docs update pending (PROJ-018). Merge-time action: fill the ADR floor SHA placeholder (PROJ-019).

Testing

• cargo build / cargo build --features headless clean; cargo clippy --all-features --all-targets -- -D warnings clean.
• Library + UI (kittest) + e2e suites green (889 lib tests at latest push).
• Funds-safety / security review on the migration, shielded retirement, and address-derivation changes; per-workstream design + QA reports under docs/ai-design/.

Attribution

Additional fixes folded in (2026-06-17)

Two independently-verified fixes were folded onto this branch.

Wallet platform-balance source-of-truth (a21e2246…28bac801)

• Problem: The Wallets page selector showed a platform balance up to ~227× too high (e.g. 0.21674054 DASH vs the real 0.00039605), diverging from the per-address section.
• Cause: A direct sync_address_balances query wrote every found balance — including non-owned "orphan" addresses — into the balance-bearing map; the selector summed the whole map while the address section summed only watched addresses.
• Fix: Platform balance is now sourced from the upstream coordinator's push (owned addresses only), mirroring the shielded-balance pattern. The selector total and the per-address tab derive from the same data and are equal by construction (unit-tested). Balance updates automatically on each coordinator pass — no manual Refresh.

DashPay contact receiving-account registration (a11c8312…c163b67b)

• Problem: Incoming payments to established DashPay contacts weren't watched — funds appeared only after a manual refresh, and on fresh installs not at all.
• Cause: registration ran against watch-only wallets (hardened DashPay derivation needs the seed); the local wallet-manager was never told about sent/accepted contact requests, so contacts never auto-established.
• Fix: registration moved to the unlock/bootstrap path (seed in scope) and delegates to upstream platform-wallet account derivation; accepting a request now records both the incoming and the sent contact request so the contact establishes in-process; SPV rebuilds its bloom filter (within ~100 ms once synced) to watch the contact's pay-to-us addresses.

Both fixes verified by QA; the combined branch builds green (894 lib tests pass, clippy clean).

_{🤖 Co-authored by Claudius the Magnificent AI Agent}

Additional fixes folded in (2026-06-18)

Wallet-backend lifecycle + adapter fixes layered on the rewrite. Combined branch builds green; clippy --all-features --all-targets -D warnings clean; wallet_lifecycle suite (39 tests, incl. new gates) passes.

Reconnect "wallet already open" (B + B-2) — 09540cf8, 976ad0d4

• Problem: Disconnect → Connect failed with WalletStorageError::AlreadyOpen on spv/<net>/platform-wallet.sqlite; the second Connect could never reopen the wallet DB.
• Cause: the SQLite persister path lives in a process-global open-set, released only on SqlitePersister::Drop. On disconnect the SPV run loop (B) and the three upstream sync coordinators each kept an Arc<SqlitePersister> alive past teardown, so the path stayed registered.
• Fix (B): WalletBackend::shutdown() now stops the SPV run loop before tearing down the manager.
• Fix (B-2, interim): a deterministic persister-release barrier in stop_spv waits (bounded, 5s) until the path is actually free before disconnect completes, closing the common coordinator-thread drain race. Verified as an interim stopgap.
• Known residual / follow-up: the barrier does not bound DET-owned wallet subtasks blocked on a dead-network DAPI call past the timeout. A durable cancel + await-exit shutdown primitive (StructuredShutdown = hierarchical CancellationToken + an mpsc all-senders-dropped exit barrier) — covering both the DET-owned subtasks (no upstream dependency) and the upstream coordinator threads — is designed as the follow-up that retires the barrier. The architecturally clean variant keeps the WalletBackend alive across reconnect and restarts SPV/coordinators in place (confirmed feasible upstream), removing the open/close registry race by construction. An upstream rs-platform-wallet issue (make coordinator quiesce() join, not cancel-and-drain) will be filed.

Watch-only identity funding (C/D) — 98bc4913

• Problem: On a reloaded (seedless watch-only) HD wallet, "Create Identity → Wallet balance" and "send funds core → identity" failed with AssetLockTransaction("Watch-only wallet has no private key").
• Cause: identity funding-account provisioning called add_account(type, None), deriving from the live wallet's absent root private key — before any seed was in scope.
• Fix: provisioning now runs inside the just-in-time seed scope, derives the account xpub from a seed wallet, and inserts via the Some(xpub) path — mirroring the DashPay contact-account pattern. One fix covers both reported flows plus the non-identity asset-lock path. Deterministic cold-boot regression guard added.

ensure_spv_synced made event-driven (②) — a98186af

• The MCP ensure_spv_synced gate replaced its poll loop with a tokio::watch subscription on ConnectionStatus's SPV status, waiting on SpvStatus::Running (not the DAPI-gated Synced). Wallet tools no longer busy-poll.

Inspector / Core-P2P removal (①) — 1c4f4dcd

• Removed the masternode-list-diff inspector and the legacy Core P2P handler (dead/duplicated since the platform-wallet rewrite owns chain sync).

Tests — 43ede282

• Added backend-e2e coverage: SPV reconnect (B) and cold-boot identity funding from wallet balance (C/D).

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7015e7a9-096b-4148-8f8c-e9677178a680

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/platform-wallet-migration-design

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[lklimek]

Doc sync — 686430a4 (docs/kv-keys.md)

Trillian audited the k/v key reference against current source and corrected three stale entries. All align the doc with code changes already described in this PR:

• Migration sentinel — was documented as a single global det:migration:finish_unwire:v1 with constant SENTINEL_KEY. Now correctly det:migration:finish_unwire:<network>:v1 (per-network, via sentinel_key_for(network)), consts SENTINEL_KEY_PREFIX + SENTINEL_KEY_VERSION. Tracks SEC-001.
• Single-key metadata sidecar — ImportedKey field list extended from 3 → 5 (has_passphrase, passphrase_hint). Tracks SEC-002 Option C.
• HD seed envelope encoding — value is now [ version byte | bincode::serde(payload) ], not bare bincode::serde. Tracks SEC-005.

All other sections (17 platform-wallet keys, DashPay sidecar, settings, wallet selection, summary counts) verified accurate — no drift. Doc-only; no source touched.

_{🤖 Co-authored by Claudius the Magnificent AI Agent}

[lklimek]

SPV-start fix (PROJ-001, CRITICAL) + consolidated gap report — 8d35933e

Bug: the Settings "Connect" button did nothing and SPV stayed idle. Root cause: AppContext::start_spv() was an inert Ok(()) compile-floor stub and WalletBackend::start() (the only spawner of the SPV run loop) had zero callers — so SPV / platform-address / identity sync never started in any path (Connect, auto-start, MCP, network switch).

Fix (3 commits):

• 42388c4b — wire start_spv() → WalletBackend::start(); add a per-instance StartLatch so SPV can't be double-driven.
• 3165f98c — route all callers through one idempotent async chokepoint AppContext::ensure_wallet_backend_and_start_spv() (wire-then-start); fixes the boot auto-start race (sync constructor fired before the backend was wired), MCP ensure_spv_synced, and network-switch restart; hoist SpvStatus::Error above the DAPI gate so chain-sync failures aren't masked as "Disconnected".
• 36f5a982 — surface start/wiring failures to the user (indicator → Error in the chokepoint; actionable banner at the Connect handler); replaces the dead AppAction::Custom no-op.

QA: two full Marvin rounds (caller-integration focus). All findings resolved; 2 LOW residuals (user-facing wiring-failure feedback + a forward-compat dead branch) closed by 36f5a982. 571 lib tests pass (+8), clippy/fmt clean. 8 new offline tests cover the start-path gating. The one kittest failure (tc_sk_004) is confirmed pre-existing.

---

Consolidated gap audit — 2313089a (+ status update 8d35933e)

docs/ai-design/2026-06-01-pr860-gap-audit/gaps.md — a whole-PR audit by project-reviewer Adams. 21 confirmed gaps (1 CRITICAL, 4 HIGH, 6 MEDIUM, 7 LOW, 3 INFO), each with file:line. Highlights:

• PROJ-001 (CRITICAL) — resolved on-branch (above).
• PROJ-005 (HIGH) — now the sole remaining open merge-blocker: Cargo.toml pins platform to the unreleased #3625 rev (release gate G1).
• 5 net-new findings, notably PROJ-004 (HIGH) — DashPay outgoing contact-request xpub derivation uses placeholder seed material (let wallet_seed = sender_private_key;), the substrate behind the TC-037/043 association symptom.
• 4 seeded "gaps" verified already-fixed (eager-init hard-failure → graceful warn, TC-019 precedence, core_backend_mode removal, the 5-manager readiness gate).

Remaining open gaps are catalogued in the report (not filed as separate issues by request).

_{🤖 Co-authored by Claudius the Magnificent AI Agent}

[lklimek]

DetKv per-object refactor + platform bump to 35e4a2f — 129d54d0

Reseats DET's KV layer onto upstream's per-object KvStore and retires two of three duplicate caches. 7 commits:

• 549ddfa1 — honest error when wallet data is from a newer app version (WalletDataTooNew, replaces the misleading "check disk space" for schema-version skew).
• dbd94356 — reseat DetKv on the 08b0ed9 per-object KvStore via a DET-side DetScope { Global, Wallet, Identity, Token } (maps to upstream ObjectId only inside kv.rs — no type leak); isolate the platform-address and token-balance caches behind PlatformAddressView/TokenBalanceView seams.
• 845ff685 — honest error for an incompatible on-disk schema (WalletDataIncompatible, divergent-migration case); finish the token-balance seam.
• fb50c044 — bump platform to 35e4a2f (meta_* FK relaxed to soft-cascade triggers; public per-(identity,token) balance reader).
• f6119de7 — delete the det:token_balance cache; balances now read live from upstream IdentitySyncManager via a lock-free snapshot bridge (pre-sync shows "syncing", not 0).
• d7ac9a06 — promote identities + DashPay overlays to Identity scope (identities/top-ups/scheduled-votes → Identity(id); dashpay private/address_index → Identity(owner)); Global enumeration indices; explicit cleanup (the upstream soft-cascade trigger doesn't fire for DET-only KV removals); hardened private-key Debug redaction.
• 129d54d0 — docs synced to the per-object model.

Principle applied: DET's KV stores only DET-specific metadata; canonical object state upstream owns (token balances) is read, not duplicated.

QA (Marvin, combined tree): PASS — cargo build --all-features ✓, 598 tests (597 pass, 1 ignored) ✓, clippy -D warnings ✓, fmt ✓. Zero code defects; M-DONT-LEAK-TYPES intact.

Remaining duplicate: the platform-address cache (det:platform_addr/det:platform_sync) stays, staged behind PlatformAddressView — one-line swap once upstream exposes a public per-address nonce reader (the only open platform-side dependency; the FK relaxation and token-balance reader both landed in #3625 @ 35e4a2f).

_{🤖 Co-authored by Claudius the Magnificent AI Agent}

[lklimek]

NEW since last push — 0484bcb6 post-migration identity auto-discovery (By-Wallet) + rolling gap-limit

Why: After the platform-wallet migration, a wallet's identities were only loaded if the user manually opened Load Identity → By Wallet and searched. This push discovers them automatically once Platform connectivity is ready, with a rolling gap-limit so newly-created identities are always found, and preserves user-set aliases on re-discovery.

What it does:

• Auto-discovery on Platform-ready. Once the SPV masternode list reaches Synced (the point at which Platform/DAPI is safe to query — querying earlier gets DAPI nodes banned), DET runs By-Wallet identity discovery across all open wallets. Two triggers: a global once-per-session sweep (AtomicBool latch, cleared on SPV stop so it re-arms on reconnect) and a per-wallet, latch-independent trigger fired when a wallet is unlocked.
• Rolling gap-limit (IDENTITY_GAP_LIMIT = 5). Scans to max(existing identity index) + 5, extending the window on each discovery so 5 empty indices always trail the highest found index (mirrors the BIP-44 address gap-limit). Bounded by a hard cap of 100. Pure decision logic in model/identity_discovery.rs (10 unit tests); one shared scan fn used by both the UI By-Wallet path and the auto-trigger.
• Alias preservation on re-discovery. Re-discovered identities are updated in place, but DET-only metadata (alias, wallet binding) is carried forward; top-ups are unaffected (stored under a separate key).

Safety items fixed in this push (surfaced by review):

• (High, pre-existing bug) the single-index By-Wallet search silently wiped a user's alias on every search — fixed (both single-index and gap-limit paths now carry the alias forward).
• (High, UX hazard) a background sweep over a locked protected wallet would have popped a passphrase modal unprompted (identity-auth keys are hardened-to-leaf, so a cold cache miss triggers a secret prompt); the background path now runs allow_prompt=false and skips locked wallets, and the eventual unlock re-triggers discovery for that wallet.

Verification: headless build clean · clippy -D warnings zero · 889 lib tests pass (4 new offline guards: latch one-shot + stop_spv re-arm, locked-wallet exclusion, alias preservation, search-index cap). Design + QA reports added under docs/ai-design/2026-06-17-identity-autodiscovery-gap-limit/.

_{🤖 Co-authored by Claudius the Magnificent AI Agent}

[lklimek]

Session update — 5 commits pushed (d2f4fd87..1c4f4dcd)

Three fixes landed against the platform-wallet backend, each root-caused from a live testnet symptom:

Reconnect crash (09540cf8)

• Connect → disconnect → connect failed with WalletStorage(AlreadyOpen { … platform-wallet.sqlite }).
• Cause: WalletBackend::shutdown() never stopped the SPV run loop, so the persister path stayed registered in the process-global open-set.
• Fix: shutdown() now calls spv().stop().await before tearing down the wallet manager.

Watch-only asset-lock failure (98bc4913, tests b8517905 + acdd1336)

• Both "create identity" and "send funds core→identity" failed with AssetLockTransaction("Watch-only wallet has no private key").
• Cause: wallets reload seedless (watch-only); identity funding-account provisioning called add_account(type, None), which has no key material on a cold-booted watch-only wallet.
• Fix: provisioning now derives the account xpub from the seed (derive_extended_public_key) inside the with_secret_session scope and calls add_account(type, Some(xpub)). Regression guard uses a two-boot cold-start scenario (write persister from seed → copy data dir → cold-load seedless → assert provisioning succeeds + is idempotent).

Legacy MN-list-diff inspector + Core P2P handler removed (1c4f4dcd, −5,559 LOC)

• The Masternode-List-Diff inspector was the only RPC-only tool and is dead in SPV-only mode. Removed the screen (~4.5k LOC), core_p2p_handler.rs, MnListTask, TaskError::P2P, all wiring, and the backend-e2e mnlist tests.
• Verified independently: git grep clean of all removed symbols; surviving chainlock paths use only CoreTask::GetBestChainLock (no dependency on the removed task/handler).

Verification: cargo build (default + --features headless) ✅ · clippy --all-features --all-targets -D warnings ✅ zero · test --all-features --workspace ✅ 998 passed, 0 failed · +nightly fmt --check ✅ clean.

🤖 Generated with Claude Code

[lklimek]

Pushed 1c4f4dcd..976ad0d4 (3 commits): backend-e2e coverage (B reconnect + C/D cold-boot), event-driven ensure_spv_synced (②), and the interim persister-release barrier for the reconnect AlreadyOpen regression (B-2).

The B-2 barrier is verified as an interim stopgap (closes the common coordinator-thread drain race). The durable fix — a reusable cancel + await-exit shutdown primitive (StructuredShutdown) covering both DET-owned wallet subtasks and the upstream coordinator threads, with the architecturally clean variant being keep-the-WalletBackend-alive + SPV/coordinator restart-in-place — is designed and will retire the barrier. An upstream rs-platform-wallet issue (make coordinator quiesce() join, not cancel-and-drain) will be filed. See the "Additional fixes folded in (2026-06-18)" section in the description.

_{🤖 Co-authored by Claudius the Magnificent AI Agent}