feat: platform-wallet backend rewrite (spec + implementation)

CHANGELOG.md

@@ -0,0 +1,103 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
+
+## [Unreleased]
+
+### Changed
+
+- **Sign-time wallet unlock**: the passphrase is now requested just-in-time, the
+  moment an operation actually needs your secret (sending funds, registering an
+  identity, signing). The prompt offers an optional "Keep this wallet unlocked
+  until I close the app" checkbox so a busy session asks only once. This replaces
+  the old upfront unlock gate that held the wallet open for the whole session —
+  the HD seed is no longer kept in memory between operations; it is decrypted on
+  demand and wiped as soon as the operation finishes.
+
+- **Wallet storage backend**: HD wallet seeds and single-key private keys are now
+  stored in an upstream `platform-wallet-storage` encrypted vault
+  (`secrets/det-secrets.pwsvault` in the app data directory) rather than in the legacy
+  `data.db` SQLite database. Wallet metadata (alias, main flag,
+  Core wallet name) moves to a new `det-app.sqlite` key-value sidecar. The legacy
+  `data.db` file is left intact for safety; it is no longer read at runtime.
+
+- **Cold-start migration**: on the first launch after upgrading, DET automatically
+  migrates wallet seeds, metadata, and imported single-key data from `data.db` into
+  the new storage layout. A progress banner is shown during migration (typically
+  under one second on local storage). The migration is idempotent — subsequent
+  launches skip it via a completion sentinel in `det-app.sqlite`.
+
+- **Identity funding now goes through one spend engine**: registering or topping up
+  an identity always funds from your wallet balance through the upstream
+  asset-lock engine, which selects coins and tracks the lock to confirmation. The
+  separate "fund directly from a specific transaction output" path was removed so
+  there is a single, double-spend-safe funding flow.
+
+### Known Limitations
+
+- **Single-key wallets — send and balance refresh not available**: importing a
+  single-key wallet (WIF), viewing it, and signing with it all work in this
+  release. Sending funds and refreshing the balance or UTXO list are not yet
+  supported. Your key data is preserved and these actions will be available in a
+  future update. To send funds now, use an HD (recovery-phrase) wallet.
+
+- **DashPay contacts — non-mainnet / non-account-0 legacy addresses**: this
+  release drops back-compat for contact-request addresses derived outside mainnet
+  account 0 under the old DIP-14 scheme (non-mainnet networks, or secondary
+  account indices). If you used DashPay on testnet or devnet with a non-default
+  account, existing contact payment addresses for those contacts may not be
+  reproduced. Re-establishing the contact from both sides restores full
+  functionality.
+
+### Removed
+
+- Proof log screen (internal developer tool, not part of the public feature set).
+- QR-code wallet import flow for identity funding and top-up screens.
+- The "fund identity directly from a transaction output" option on the identity
+  registration and top-up screens (replaced by the single asset-lock funding flow
+  described under Changed).
+- The unused "Memo (optional)" field on the wallet send dialog and the single-key
+  send screen — the note was never attached to the transaction, so it has been
+  removed to avoid implying a memo would be saved.
+- The "Core Only" wallet refresh option. Core wallet balances and UTXOs now stay
+  current automatically, so a manual Core-only refresh had nothing to do; refresh
+  now covers Core plus Platform, or Platform only.
+- The unused ZMQ Core-event listener subsystem and the non-functional "Disable ZMQ"
+  setting. The listener was already gated off and never delivered events, so the
+  toggle did nothing; both have been removed (the `zmq`, `zeromq`, and
+  `crossbeam-channel` dependencies are no longer needed).
+- The unreachable Dash-Qt launcher and its settings — the executable path, the
+  overwrite-config option, and the close-on-exit option. There was no way to launch
+  Dash-Qt from the app, so the controls had no effect and have been removed.
+
+### Fixed
+
+- `WalletBackend` is now initialised eagerly at `AppState` start, eliminating a
+  retry-loop spam on the SDK connection during cold boot.
+- Wallet store is rehydrated on cold start, resolving a regression where wallets
+  were not visible after the storage migration.
+- The Disconnect button on the network settings screen now actually disconnects:
+  it stops the wallet backend and updates the connection indicator instead of
+  silently doing nothing. A fast double-click can no longer start two disconnects
+  at once.
+- Shielded balances no longer overstate after upgrading or after using
+  "Resync Notes": the spent-note scan cursor is reset so previously spent notes
+  are detected again. Previously a migrated or resynced wallet could show notes as
+  available that had already been spent, causing later spends to fail.
+- The unused-asset-lock picker on the identity registration and top-up screens now
+  shows a plain-language status and the funding address for each lock, instead of
+  an internal status name, so you can tell which lock is which.
+- A failed wallet-funded identity registration now tells you that your funds are
+  safe as a funding lock and how to finish: start a new identity and fund it from
+  your existing asset lock.
+- Platform and identity features stay reachable during initial sync. Previously,
+  on a fresh connection the app contacted Platform network nodes before its local
+  masternode list had finished syncing; every node it tried was wrongly marked as
+  failed and set aside, and once all of them were set aside Platform stopped
+  working until restart. The app now waits for the masternode list to be ready
+  before contacting those nodes.
+- Silent crashes now leave a trace: the app captures stderr output and fatal
+  signals to its log file, so an unexpected exit can be diagnosed from the logs
+  instead of vanishing without a record.

CLAUDE.md

@@ -69,6 +69,23 @@ scripts/safe-cargo.sh +nightly fmt --all
 * **Never parse error strings** to extract information. Always use the typed error chain (downcast, match on variants, access structured fields). If no typed variant exists for the information you need, define a new `TaskError` variant or extend the existing error type. String parsing is fragile, breaks on message changes, and bypasses the type system.
 * **Validation placement**: Pure input validation (format, length, character sets) lives in `model/` as stateless functions — single source of truth, unit-testable, no dependencies on `AppContext` or `Sdk`. Backend tasks are the authoritative enforcement layer: they call model validators for format checks AND perform stateful validation that requires network or database (existence checks, uniqueness, business rules). UI screens may call model validators for instant user feedback, but must never implement their own validation logic — always delegate to the model function.
 
+### DET Module Placement Policy
+
+Code lives by responsibility, not convenience:
+
+- **`model/`** — stateless data types and pure validation (format/length/charset). The single source of truth for validation. No `AppContext`, `Sdk`, DB, or `BackendTask`. All fee estimation goes in `model/fee_estimation.rs` — never inlined elsewhere.
+- **`backend_task/`** — async business logic, one submodule per domain; the authoritative enforcement layer. `TaskError` and its typed variants live in `backend_task/error.rs`.
+- **`database/`** — SQLite persistence, one module per domain.
+- **`context/`** — `AppContext` submodules (`*_db.rs`, lifecycle, settings, status).
+- **`wallet_backend/`** — the wallet orchestration seam: adapters, views, backend-side live caches, signers, the secret chokepoint, the event bridge.
+- **`ui/<domain>/`** — screens (`ScreenLike`). UI may *call* `model/` validators for instant feedback but never implements its own validation.
+- **`ui/components/`** — reusable **Component-pattern widgets ONLY**: a `show()` plus a `ComponentResponse`, a display-only render widget, or component infrastructure. If it does not render egui, it is not a component.
+- **`ui/state/`** — non-widget UI state: per-screen view-models and async fetch-state caches (e.g. `TrackedAssetLockCache`). Owned by screens, may return `BackendTask`, render nothing.
+- **`src/mcp/tools/`** — MCP tool logic, one file per domain (e.g. `wallet.rs`, `shielded.rs`, `identity.rs`) with multiple tool structs per file; never in `src/bin/det_cli/`.
+- **`src/localization.rs`** — localization logic. **`src/ui/theme.rs`** — theme/alignment helpers.
+
+Discriminator for `ui/components/` vs `ui/state/`: *does it render egui (`show`/`ui`/a render fn)?* Yes → component. No → state.
+
 ### Error messages
 
 User-facing error messages (shown in `MessageBanner` via `Display`) must follow these rules:
@@ -118,6 +135,40 @@ User-facing error messages (shown in `MessageBanner` via `Display`) must follow
 - **Error type**: `McpToolError` enum (InvalidParam, WalletNotFound, SpvSyncFailed, TaskFailed, Internal) converts to `rmcp::ErrorData` via `From`.
 - **Docs**: `docs/MCP.md` (server config, tool reference), `docs/CLI.md` (usage, examples), `docs/MCP_TOOL_DEVELOPMENT.md` (checklist for adding new MCP tools).
 
+### Smoke-testing changes with det-cli
+
+`det-cli` in standalone (stdio, lazy-init) mode is a fast, no-funds, no-GUI smoke test for the **MCP-tool layer + context wiring**. Run these after changes that touch MCP tools (`src/mcp/`), `AppContext` construction, or the wallet-backend boot path — they catch compile/API drift and context-init regressions before any live-network testing.
+
+Build:
+
+```bash
+cargo build --bin det-cli --features cli
+```
+
+Then, with `MCP_API_KEY` unset (or empty — the default `.env` ships it empty, which means standalone), run the read-only checks. Point `DASH_EVO_DATA_DIR` at a throwaway dir to avoid touching real user data or contending with a running GUI / `det-cli serve` instance:
+
+```bash
+DET=$(mktemp -d) && cp .env.example "$DET/.env"
+BIN=target/debug/det-cli   # or "$CARGO_TARGET_DIR/debug/det-cli" if that env var is set
+run() { env -u MCP_API_KEY DASH_EVO_DATA_DIR="$DET" RUST_LOG=off "$BIN" "$@"; }
+
+run network-info                       # active network as JSON — no SPV sync (network-exempt)
+run tools                              # discovers all tools via tools/list
+run tool-describe name=network_info    # full schema for one tool (meta tool, network-exempt)
+run core-wallets-list                  # exercises in-process MCP -> tool -> AppContext -> DB; returns {"wallets":[]}
+```
+
+What each verifies:
+
+- **`network-info`** — binary starts, lazy-inits `AppContext` (creates `.env`/DB/secret store), reports the active network. No SPV gate, so it's a pure context-wiring check.
+- **`tools`** — the in-process MCP server is up and the dynamic `tools/list` discovery path works (catches a tool that fails to register in `tool_router()`).
+- **`tool-describe name=...`** — the meta tool returns a tool's JSON schema; confirms tool metadata serializes cleanly.
+- **`core-wallets-list`** — drives the full dispatch chain (MCP service → tool invoke → `AppContext` → SQLite) without funds; skips the SPV gate.
+
+`--help`, `<cmd> --help`, and `completion <shell>` work from the on-disk tool cache without any context init.
+
+**Not smoke tests** (need a synced chain / live DAPI — they wait on the SPV gate, up to a 10-min timeout): all fund-moving and balance/withdrawal tools — `core-balances-get`, `core-funds-send`, `platform-addresses-list`, `platform-withdrawals-get`, every `identity-*` and `shielded-*` tool. Don't force these in a no-network smoke run.
+
 ### Key Dependencies
 
 - `dash-sdk` - Dash blockchain SDK (git dep from dashpay/platform)