fix(platform-wallet): wallet_id gate on resolver-fed sign entrypoints

[Claudius-Maginificent]

Why this PR exists

The gap: Four FFI entrypoints in rs-platform-wallet-ffi accept a MnemonicResolverHandle plus a caller-supplied wallet_id_bytes. None of them verifies the resolver-returned mnemonic actually corresponds to that wallet_id. The resolver is host-controlled opaque state — there is no in-process cross-check.

Threat scenario: A host (Swift/iOS or any FFI consumer) calls one of these entrypoints with wallet_id = W_A, but the registered resolver — whether by host wiring bug, compromised resolver, or malicious resolver — returns the mnemonic for wallet W_B. Before this PR, all four entrypoints silently derive from W_B and proceed.

Per-site impact (with the gate removed) — confirmed by code audit:

Entrypoint	Downstream detection	Worst-case state on wrong-seed	Test demonstrating the gate
sign_with_mnemonic_resolver_and_path	External only (Platform InvalidSignature on submit, or L1 mempool reject on asset-lock TX)	Wrong-key 65-byte sig returned with rc = 0; caller ships it to the network; failure surfaces only after round-trip	sign_with_mnemonic_resolver::tests::wrong_wallet_id_fails_closed_with_wrong_seed_tag
derive_and_persist_identity_keys	NONE	Persister callback writes Keychain rows tagged wallet_id = W_A but holding W_B's pubkey/privkey/path. Subsequent registration succeeds with internally-consistent W_B keys, creating an identity W_A's seed cannot sign for. Irrecoverable without manual Keychain surgery.	identity_derive_and_persist::tests::wrong_wallet_id_fails_closed_before_persisting_anything
derive_identity_key_at_slot_with_resolver	NONE inside FFI	32-byte W_B private scalar + WIF crosses the FFI boundary with rc = Success; caller uses it freely	derive_identity_key_at_slot::tests::wrong_wallet_id_fails_closed_with_wrong_seed_tag
platform_wallet_manager_bind_shielded (shielded feature)	NONE — PlatformWallet::bind_shielded (platform_wallet.rs:338-427) uses self.wallet_id and the caller-supplied seed with zero cross-check	W_B's Orchard FVK/IVK/OVK durably installed under SubwalletId { wallet_id: W_A }. Sync flushes W_B's notes into W_A's persister rows; spend paths can authorize W_B's notes under W_A. Cross-wallet fund visibility and spend leakage.	shielded_sync::tests::wrong_wallet_id_fails_closed (requires --features shielded)

Note that rs-platform-wallet itself does not catch this: pure-Rust callers instantiate Wallet objects whose wallet_id is derived from their own root — the mismatch is unreachable from Rust. The vulnerability is exclusively expressible across the FFI trust boundary, which is why the gate lives in rs-platform-wallet-ffi.

Each row's test fails on v3.1-dev without this PR's gate and passes once the gate is applied — verified locally against the rebased commit.

Prerequisite/blocking relationship: This PR is the logical prerequisite for PR #3692 (seedless watch-only rehydration), which removes the existing load-time wrong-seed gate in rs-platform-wallet. Without #3735 landing first, #3692 would briefly create a window where any seed could sign for any wallet_id. Decoupled here so the security fix ships to v3.1-dev on its own merits.

Issue being fixed or feature implemented

Four FFI sign entrypoints in rs-platform-wallet-ffi take a MnemonicResolverHandle plus a wallet_id_bytes arg and derive signing material from the mnemonic the resolver returns. None of them previously checked that the seed actually belongs to that wallet_id. A host that called any of them with a mismatched (wallet_id, mnemonic) pair — whether by host bug or by a malicious resolver — would happily derive and sign with the wrong key.

This patch closes that gap.

It also unblocks the seedless-load model in PR #3692: that PR removes a load-time wrong-seed gate, so the sign-time gate has to exist before that change can land without regressing wrong-seed protection. Decoupled here so the security fix can ship to v3.1-dev on its own merits, ahead of the rehydration model rework.

What was done?

New helper: crate::sign_gate::verify_seed_matches_wallet_id

packages/rs-platform-wallet-ffi/src/sign_gate.rs (new):

#[inline]
#[must_use]
pub fn verify_seed_matches_wallet_id(
    root_pub: &ExtendedPubKey,
    expected_wallet_id: &[u8; 32],
) -> bool {
    let root_extended = RootExtendedPubKey::from_extended_pub_key(root_pub);
    let derived = Wallet::compute_wallet_id_from_root_extended_pub_key(&root_extended);
    bool::from(derived.ct_eq(expected_wallet_id))
}

• Constant-time comparison via subtle::ConstantTimeEq — no early-return on byte mismatch.
• #[must_use] so a caller can't silently drop the verdict.
• Operates on the public half of the root extended key — no private material flows into the comparator.
• New dep: subtle = "2" (well-known constant-time-comparison crate, single line added to Cargo.lock, no transitive bumps).

New result code: ErrorWrongSeedForWallet = 15

PlatformWalletFFIResultCode::ErrorWrongSeedForWallet = 15 in error.rs. Newly allocated slot 15. Slot 13 is taken by ErrorArithmeticOverflow (#3549), slot 14 by ErrorNoSelectableInputs; 15 was the smallest free integer.

For the byte-tagged sign_with_mnemonic_resolver_and_path path, a new u8 tag SIGN_WITH_RESOLVER_ERR_WRONG_SEED = 11 is also added in that module.

Gate wired into 4 entrypoints

Entrypoint	File	Gate location
dash_sdk_sign_with_mnemonic_resolver_and_path	sign_with_mnemonic_resolver.rs	After master derivation, before derive_priv
dash_sdk_derive_and_persist_identity_keys	identity_derive_and_persist.rs	Before persister callback ever fires
dash_sdk_derive_identity_key_at_slot_with_resolver	derive_identity_key_at_slot.rs	Before derive_at_slot_inner
platform_wallet_manager_bind_shielded (shielded feature)	shielded_sync.rs	Before PLATFORM_WALLET_MANAGER_STORAGE touch

At each site, on a mismatch:

• master.private_key.non_secure_erase() — derived master xpriv zeroed
• Caller-owned output buffer wiped (sig_buf zeroed via ptr::write_bytes; out_row left at IdentityKeyPreviewFFI::empty(); *out_signature_len = 0)
• Typed error returned (ErrorWrongSeedForWallet for structured paths, SIGN_WITH_RESOLVER_ERR_WRONG_SEED for the u8-tagged path)
• Persister callback / coordinator handoff never reached

Two of the four sites (derive_identity_key_at_slot, shielded_sync) non_secure_erase the gate-master unconditionally — defense in depth, since the gate-master is throwaway whether the verdict is true or false. The other two keep the master alive past the gate because the same master is then used for derive_priv and is erased downstream via the existing pattern.

How Has This Been Tested?

cargo fmt --all -- --check
cargo clippy -p platform-wallet-ffi --all-targets -- -D warnings
cargo clippy -p platform-wallet-ffi --all-targets --features shielded -- -D warnings
cargo check --workspace
cargo test -p platform-wallet-ffi
cargo test -p platform-wallet-ffi --features shielded shielded_sync
cargo test -p platform-wallet           # workspace regression sanity

All green. 83 unit + 26 comprehensive + 5 integration tests pass; 132 platform-wallet tests still pass; new gate tests included:

Test	Asserts
sign_gate::tests::matching_seed_passes	CT comparator returns true on matching seed
sign_gate::tests::mismatched_seed_fails	CT comparator returns false on distinct seeds
sign_with_mnemonic_resolver::tests::happy_path_signs_and_returns_signature	sig_len == 65 (compact-recoverable secp256k1)
sign_with_mnemonic_resolver::tests::wrong_wallet_id_fails_closed_with_wrong_seed_tag	rc=-1, tag=11, sig_len==0, every byte of 128-byte sig_buf is zero
identity_derive_and_persist::tests::happy_path_persists_three_keys_and_returns_pubkeys	gate doesn't false-positive on matching seed
identity_derive_and_persist::tests::wrong_wallet_id_fails_closed_before_persisting_anything	code=ErrorWrongSeedForWallet, out.count==0, out.items.is_null(), persister callback row count is zero
derive_identity_key_at_slot::tests::matching_seed_returns_derived_key	DIP-9 path, 33-byte pubkey, non-null WIF, non-zero private scalar
derive_identity_key_at_slot::tests::wrong_wallet_id_fails_closed_with_wrong_seed_tag	all output fields null/zero, every byte of private_key_bytes is zero
shielded_sync::tests::wrong_wallet_id_fails_closed	code=ErrorWrongSeedForWallet via NULL_HANDLE — gate short-circuits before manager-storage touch
shielded_sync::tests::null_resolver_handle_rejected	check_ptr! ordering locked in

Every wrong-seed test asserts on substance — typed tag + output-buffer state + side-effect counters — not "did the function run".

Breaking Changes

None for shipped consumers. The change is purely additive:

• New helper module (does not modify existing public APIs).
• New result code variant at a previously unoccupied enum slot.
• Gate insertions return new error tags only on the wrong-seed mismatch path — flows with correct (wallet_id, mnemonic) pairs behave identically to before.

No ! in the title.

Security note

This patch is logically the prerequisite for PR #3692 (seedless watch-only rehydration), which removes a load-time wrong-seed gate. Without this PR landed first, #3692 would briefly create a window where the same wallet_id could be signed by any seed. Once this lands, the merge-up cycle (v3.1-dev → #3625 → #3672 → #3692) will dedupe the duplicate sign-gate commits sitting on #3692 naturally — no force-push to that PR needed.

Checklist:

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have added or updated relevant unit/integration/functional/e2e tests
• I have added "!" to the title and described breaking changes in the corresponding section if my code contains any
• I have made corresponding changes to the documentation if needed

For repository code-owners and collaborators only

• I have assigned this pull request to a milestone

---

_{🤖 Co-authored by Claudius the Magnificent AI Agent}

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c26c166e-b5df-4699-8d3d-fd28b8681147

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/platform-wallet-ffi-sign-gate-wallet-id

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}