test(dpp,drive-abci): cover transfer-key signing rules for token transfers

[thephez]

Issue being fixed or feature implemented

Token-transfer signing has a split validation path: sign_external enforces token-batch security up front, while Drive's signature validation and the batch's advanced structure validation re-derive purpose/security from the batched transitions. The declared rule — a standalone token transfer accepts AUTHENTICATION or TRANSFER (CRITICAL), while multi-transition batches require AUTHENTICATION (CRITICAL) — was only thinly exercised:

• DPP signing tests didn't cover transfer-key acceptance, the high-authentication rejection, or the single-vs-multi transfer-key boundary.
• Drive token-transfer tests only used the default setup identity, which signs with its critical authentication key — no end-to-end coverage that a CRITICAL TRANSFER key actually clears advanced structure validation.

Without these, a manually signed transition could plausibly pass one validation layer and fail another, and we'd have no regression net for the boundary.

What was done?

DPP unit tests in batch_transition/tests.rs:

• signing_single_token_transfer_accepts_critical_authentication_key
• signing_single_token_transfer_accepts_critical_transfer_key
• signing_single_token_transfer_rejects_high_authentication_key — expects InvalidSignaturePublicKeySecurityLevelError
• signing_multi_transition_batch_rejects_transfer_key — expects WrongPublicKeyPurposeError

Drive-abci end-to-end test in batch/tests/token/transfer/mod.rs:

• test_token_transfer_signed_with_transfer_key — signs a standalone token transfer with an ECDSA_HASH160 CRITICAL TRANSFER key, processes the state transition, and asserts both sender and recipient balances post-execution.

These nail down the declared rule at both layers and prove the transfer-key path actually clears advanced structure validation, not just sign_external.

How Has This Been Tested?

• cargo test -p dash-sdk-dpp --lib state_transition::state_transitions::document::batch_transition::tests
• cargo test -p drive-abci --lib execution::validation::state_transition::state_transitions::batch::tests::token::transfer

Breaking Changes

None. Tests only.

Checklist:

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have added or updated relevant unit/integration/functional/e2e tests
• I have made corresponding changes to the documentation
• My changes generate no new warnings

For repository code-owners and collaborators only

• I have assigned this pull request to a milestone

Summary by CodeRabbit

Release Notes

• Tests
  • Added test cases validating token transfer batch signing with authentication and transfer keys
  • Implemented validation for security level requirements in signing operations
  • Expanded test infrastructure for multi-transition batch signing scenarios
  • New tests verify token balance updates following transfer operations
  • Enhanced helper functions for test key generation and signing workflows

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fc2bdedc-7b84-450a-8682-223cfe4eab39

📥 Commits

Reviewing files that changed from the base of the PR and between 1f66e5d and 26043cf.

📒 Files selected for processing (2)

• packages/rs-dpp/src/state_transition/state_transitions/document/batch_transition/tests.rs
• packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/tests/token/transfer/mod.rs

---

📝 Walkthrough

Walkthrough

This PR adds test infrastructure and test cases to validate signing token transfer batches with transfer keys. It introduces a TestSigner utility for deterministic test signing, helper functions to generate keys by security level, and comprehensive unit and integration tests confirming that critical-level authentication and transfer keys are accepted while invalid key levels and batch types are properly rejected.

Changes

Token Transfer Key Signing

Layer / File(s)	Summary
TestSigner infrastructure and signing helpers packages/rs-dpp/src/state_transition/state_transitions/document/batch_transition/tests.rs	Expands test imports for identity and signing types; introduces TestSigner implementing Signer<IdentityPublicKey> with deterministic signature bytes and an error-returning witness method; adds helper functions to construct authentication/transfer keys by security level/purpose and an async helper to build and sign token-transfer batches via sign_external.
Token transfer signing validation tests packages/rs-dpp/src/state_transition/state_transitions/document/batch_transition/tests.rs	Four new async Tokio tests validate signing behavior for single-token batches: critical authentication key accepted, critical transfer key accepted, high authentication key rejected with InvalidPublicKeySecurityLevel error, and multi-transition batch rejected with transfer key via WrongSignaturePurpose error.
Integration test with transfer key signing packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/tests/token/transfer/mod.rs	Imports setup helper and KeyType; new Tokio test creates identity with transfer key, executes token transfer batch transition signed with that key, and asserts successful execution with correct post-transfer token balances.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 With TestSigner's keyed magic bright,
Transfer tokens now sign just right,
Critical keys pass the guard's keen eye,
While wrong purposes make errors fly! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 52.94% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding test coverage for transfer-key signing rules in token transfers across DPP and Drive-ABCI layers.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch token-transfer-signing-key-tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.17%. Comparing base (1f66e5d) to head (26043cf).
⚠️ Report is 1 commits behind head on v3.1-dev.

Additional details and impacted files

@@            Coverage Diff            @@
##           v3.1-dev    #3766   +/-   ##
=========================================
  Coverage     87.17%   87.17%           
=========================================
  Files          2607     2607           
  Lines        319589   319589           
=========================================
+ Hits         278602   278614   +12     
+ Misses        40987    40975   -12     

Components	Coverage Δ
dpp	87.74% <ø> (+0.01%)	⬆️
drive	85.95% <ø> (ø)
drive-abci	89.60% <ø> (ø)
sdk	∅ <ø> (∅)
dapi-client	∅ <ø> (∅)
platform-version	∅ <ø> (∅)
platform-value	92.17% <ø> (ø)
platform-wallet	∅ <ø> (∅)
drive-proof-verifier	49.14% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

✅ DashSDKFFI.xcframework built for this PR.

• Workflow run: https://github.com/dashpay/platform/actions/runs/26585058099
• Artifacts: DashSDKFFI.xcframework (folder), DashSDKFFI.xcframework.zip, xc_checksum.txt

SwiftPM (host the zip at a stable URL, then use):

.binaryTarget(
  name: "DashSDKFFI",
  url: "https://your.cdn.example/DashSDKFFI.xcframework.zip",
  checksum: "dde4b2f57e35999cf3f789f4e054b7431db6d163e25b42319c8b98078585f190"
)

Xcode manual integration:

• Download 'DashSDKFFI.xcframework' artifact from the run link above.
• Drag it into your app target (Frameworks, Libraries & Embedded Content) and set Embed & Sign.
• If using the Swift wrapper package, point its binaryTarget to the xcframework location or add the package and place the xcframework at the expected path.

[thephez]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

Actionable comments posted: 0