feat(swift-sdk): seed shielded pool notes from the example app

[QuantumExplorer]

Issue being fixed or feature implemented

Dash Platform enforces a 250-note anonymity-set minimum on every outgoing shielded transition (transfer / unshield / withdrawal / identity-create-from-pool). After a devnet platform reset without the DRIVE_SHIELDED_SNAPSHOT genesis ingest, the pool starts empty and the entire shielded feature set is rejected with "pool has N notes but minimum 250 required" — exactly what happened on paloma after the rc.1 reset. Re-baking and redeploying a snapshot for every reset is heavy; this gives the example app a one-tap, batched way to seed the pool.

What was done?

• rs-dpp: build_output_only_bundle gained a dummy_outputs count — zero-value outputs to fresh random Orchard addresses (their spending keys are dropped, so they're pure unspendable anonymity-set fillers, ovk=None). Threaded through both ShieldFromAssetLock builders; dummy_outputs = 0 preserves existing behavior exactly (existing serializes_to_min_actions test still passes).
• rs-platform-wallet: new PlatformWallet::shielded_seed_pool_notes orchestration — serial ShieldFromAssetLock batches (1 real ~1e6-credit note to the wallet's own default shielded address + up to 5 fillers) until the on-chain getShieldedNotesCount reaches the target. Per-batch progress callback, hard mainnet gate, and retry-with-pause on FinalityTimeout (rapid back-to-back batches chain unconfirmed L1 change outputs; around ~25–30 of them IS/CL proofs stall until a core block lands — observed live).
• Batch size is 6 actions, not the 16-action consensus cap. Measured on-wire ShieldFromAssetLock sizes (real proofs): 2 actions → 8,294 B, 6 → 19,018 B, 7 → 21,699 B. The Halo 2 proof grows ~2,273 B/action, so 6 is the most that fits the 20 KiB max_state_transition_size / tenderdash max-tx-bytes = 20480 (a 16-action transition is rejected by the mempool as "Tx too large"). The stale "16 actions ≈ 11.8 KB" rationale comment on max_shielded_transition_actions in system_limits v1/v2 is corrected, and a new real-proof signing test (seed_pool_batch_fits_max_state_transition_size) pins the 6-action batch under the limit so a future proof-size change fails in CI instead of on a devnet.
• FFI: platform_wallet_manager_shielded_seed_pool_notes(handle, wallet_id, account, target_total_notes, funding_account_index, core_signer, progress_fn, progress_ctx).
• SwiftExampleApp: "Seed Pool Notes" button on the wallet detail (non-mainnet wallets only) presenting SeedShieldedPoolView — target field (default 250), live "Batch i/~n · M/target notes" progress.

How Has This Been Tested?

• cargo fmt --all --check; cargo check clean for dpp (shielded-client + signing features, --tests), platform-wallet (+--tests), platform-wallet-ffi.
• New tests: dpp dummy-padding action-count/value-balance test, real-proof 16-action signing test, real-proof 6-action ≤ 20 KiB size pin, seed-pool batch-math unit tests — all passing.
• ./build_ios.sh --target sim --profile release ends with "Swift/Xcode build succeeded".
• Live on devnet paloma (rc.1): seeded the pool from 2 → 250 notes in 43 batches (~0.15 DASH total burn), resuming cleanly across a finality stall; immediately afterwards the first IdentityCreateFromShieldedPool ever executed on the network landed cleanly (pool −0.1 DASH exactly, notes 250 → 252, chain advancing — the old type-20 chain-halt did not reproduce).

Breaking Changes

None. dummy_outputs = 0 callers are byte-class identical to before; the new API surface is additive; the seeding utility hard-errors on mainnet. No consensus, serialization, or protocol-version changes (the system_limits change is comment-only).

Checklist:

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have added or updated relevant unit/integration/functional/e2e tests
• I have added "!" to the title and described breaking changes in the corresponding section if my code contains any
• I have made corresponding changes to the documentation if needed

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Seeded shielded-pool tooling: wallet + SDK APIs to seed devnet/testnet anonymity sets with live progress and a UI in the example app.
  • Wallet orchestration supports configurable zero-value filler outputs so batch sizing and on-wire action counts are adjustable.

• Behavior Changes

  • Pool fee and reserved sizing now align with the chosen action count to ensure correct on-chain validation.

• Documentation

  • Clarified system limits and how action count affects proof/transition sizing.

[thepastaclaw]

✅ Review complete (commit 92d6b4f)

[coderabbitai]

Warning

Review limit reached

@QuantumExplorer, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 9 minutes and 52 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e1ce446c-24d9-4723-80a4-22d0638a5226

📥 Commits

Reviewing files that changed from the base of the PR and between f8d674a and 92d6b4f.

📒 Files selected for processing (1)

• packages/rs-platform-wallet/src/wallet/shielded/fund_from_asset_lock.rs

📝 Walkthrough

Walkthrough

This PR adds configurable zero-value Orchard outputs for action-count padding (dpp builder), threads dummy-output counts through wallet fee/submit paths, implements a serial devnet/testnet pool-seeding orchestration with retries and progress, exposes an FFI entrypoint, and wires Swift SDK + UI for live seeding.

Changes

Shielded Pool Seeding

Layer / File(s)	Summary
Orchard dummy output padding in bundle builder packages/rs-dpp/src/shielded/builder/mod.rs	build_output_only_bundle gains a dummy_outputs: usize parameter and a private random-address helper; it appends dummy_outputs zero-value External-scope outputs (sender_ovk = None, empty memo) and tests validate padded action count and preserved value_balance.
Shielded transition builders with dummy_outputs support packages/rs-dpp/src/shielded/builder/shield.rs, packages/rs-dpp/src/shielded/builder/shield_from_asset_lock.rs, packages/rs-dpp/src/state_transition/state_transitions/shielded/shield_from_asset_lock_transition/signing_tests.rs	Type 15 Shield explicitly passes dummy_outputs = 0; ShieldFromAssetLock builders accept dummy_outputs and forward it to the bundle constructor; tests updated/added to exercise padding and serialized size limits.
Action count calculation and fee integration packages/rs-platform-wallet/src/wallet/shielded/fund_from_asset_lock.rs, packages/rs-platform-version/src/version/system_limits/*	Adds shield_from_asset_lock_num_actions(dummy_outputs) and threads num_actions into shield_from_asset_lock_pool_fee; shielded_fund_from_asset_lock passes dummy_outputs across fresh-build and retry paths and fees are computed from num_actions; system_limits docs expanded to explain proof size scaling.
Pool seeding orchestration and helpers packages/rs-platform-wallet/src/wallet/shielded/mod.rs, packages/rs-platform-wallet/src/wallet/shielded/seed_pool.rs	New seed_pool module exposing SeedPoolProgress, SeedPoolOutcome, and PlatformWallet::shielded_seed_pool_notes which serially submits ShieldFromAssetLock batches (computes per-batch dummy outputs), polls on-chain note counts, retries on finality timeout, and reports progress; includes estimate_batches and unit tests.
FFI bridge for pool seeding packages/rs-platform-wallet-ffi/src/shielded_send.rs	New platform_wallet_manager_shielded_seed_pool_notes C-ABI export that runs seeding on the worker thread and optionally invokes a C progress callback via an opaque context; clarifying comments added to single-note fund call sites.
Swift SDK pool seeding API packages/swift-sdk/Sources/SwiftDashSDK/PlatformWallet/PlatformWalletManagerShieldedFunding.swift	Adds SeedShieldedPoolProgress and an FFI trampoline; introduces PlatformWalletManager.seedShieldedPoolNotes(...) async with optional progress handler, input validation, and devnet-only gating.
Swift example app UI for pool seeding packages/swift-sdk/SwiftExampleApp/SwiftExampleApp/Core/Views/WalletDetailView.swift, packages/swift-sdk/SwiftExampleApp/SwiftExampleApp/Views/SeedShieldedPoolView.swift	Adds a devnet/testnet-only "Seed Pool Notes" action in WalletDetailView and a SeedShieldedPoolView with funding account selection, target input, batch estimation, run-phase UI, live progress, and async submission wired to the SDK.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• dashpay/platform#3753: Extends the signer-based ShieldFromAssetLock builder flow that this PR further modifies by forwarding dummy_outputs.
• dashpay/platform#3830: Tests Type 15 Shield padding behavior; related to the explicit dummy_outputs = 0 usage preserved here.
• dashpay/platform#3839: Modifies build_output_only_bundle in overlapping builder paths; closely related to this PR's builder changes.

Suggested labels

ready for final review

Suggested reviewers

• shumkov
• lklimek
• llbartekll
• ZocoLini

"A rabbit hums beneath the trees,
Padding bundles with gentle ease,
Dummy notes hop in a row,
Proofs stay tight — the pool can grow. 🐰✨"

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'feat(swift-sdk): seed shielded pool notes from the example app' accurately describes the main user-facing change: adding a feature to the Swift example app for seeding the shielded pool.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/seed-shielded-pool-notes

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[thepastaclaw]

Code Review

Two convergent findings worth surfacing. The blocking issue is in the new seed-pool retry loop: on FinalityTimeout the code discards the timed-out asset-lock outpoint and builds a fresh asset lock from wallet balance on the next attempt, which can strand the original lock and burn extra L1 funds during the exact long-running flow this PR adds. The non-blocking issue is documentation drift: three public-facing doc strings (FFI extern, Swift wrapper, and the Rust library method) still describe the old 16-action/15-filler batch sizing after MAX_ACTIONS_PER_BATCH was lowered to 6 in this same PR.

🔴 1 blocking | 🟡 2 suggestion(s) | 💬 1 nitpick(s)

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/src/wallet/shielded/seed_pool.rs`:
- [BLOCKING] packages/rs-platform-wallet/src/wallet/shielded/seed_pool.rs:259-291: Finality retry rebuilds the asset lock instead of resuming the timed-out one
  `PlatformWalletError::FinalityTimeout(out_point)` carries the exact outpoint of an already-broadcast and tracked asset lock whose IS/CL proof did not arrive in time. The retry arm captures `out_point` but does not use it — the next loop iteration calls `shielded_fund_from_asset_lock` with the unchanged `AssetLockFunding::FromWalletBalance { amount_duffs, account_index }`, which goes back through `resolve_funding_with_is_timeout_fallback`'s `FromWalletBalance` branch and builds/broadcasts a fresh L1 asset lock. The previously timed-out lock remains tracked but unconsumed.

  During a 40+ batch seed this is the precise stall path the comment at lines 251–258 describes, and each retry walks user UTXOs to fund another lock instead of letting the original one finalize. Repeated stalls can therefore (a) consume multiple wallet UTXOs per failing batch, (b) leave a fan of orphaned tracked locks behind, and (c) keep timing out because the new lock chains on top of the same unconfirmed-ancestor depth the original hit.

  After the first `FinalityTimeout`, switch the retry to `AssetLockFunding::FromExistingAssetLock { out_point }` so the pause+retry drives the originally tracked lock to completion (the manager already supports resume via `resume_asset_lock` and the IS→CL fallback also routes through this variant).

In `packages/rs-platform-wallet-ffi/src/shielded_send.rs`:
- [SUGGESTION] packages/rs-platform-wallet-ffi/src/shielded_send.rs:949-963: FFI doc-comment still advertises 16-action / 15-filler batches
  The doc-comment that forms the C-ABI contract for `platform_wallet_manager_shielded_seed_pool_notes` claims each batch adds "up to 16 notes (1 real note … + up to 15 zero-value anonymity-set fillers)" and that a 250-note seed is "roughly 16 batches." This same PR pins `MAX_ACTIONS_PER_BATCH = 6` because 6 actions is the largest bundle that fits the 20 KiB `max_state_transition_size`; the in-tree module docstring, the `system_limits` comment, and the size-pinning test all correctly describe 6/5/~42. A 250-note seed is therefore ~42 batches (the PR description's live devnet run was 43). Out-of-tree consumers reading only the generated cbindgen header will size watchdog timeouts, progress UIs, and L1 funding ("one lock per 16 notes") off numbers that are ~3× off.

In `packages/swift-sdk/Sources/SwiftDashSDK/PlatformWallet/PlatformWalletManagerShieldedFunding.swift`:
- [SUGGESTION] packages/swift-sdk/Sources/SwiftDashSDK/PlatformWallet/PlatformWalletManagerShieldedFunding.swift:291-305: Swift wrapper doc-comment mirrors the stale 16/15/~16 figures
  Same drift as the Rust FFI doc: `seedShieldedPoolNotes` claims each batch is "up to 16 notes (1 real note … + up to 15 zero-value anonymity-set fillers)" and "~16 batches." The actual cap (`MAX_ACTIONS_PER_BATCH = 6`) makes a 250-note seed ~42 batches. The `SeedShieldedPoolView` already uses the correct 6/5/~42 figures in its body; only this SDK-level doc lags.

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/rs-platform-wallet/src/wallet/shielded/seed_pool.rs`:
- Around line 175-205: Move the early exit check so it runs before resolving the
recipient: call fetch_shielded_notes_count/sdk and compute start_notes and
batches_total_estimate and then perform the `if start_notes >=
target_total_notes` no-op return (creating SeedPoolOutcome and emitting
SeedPoolProgress) before calling seed_pool_recipient(account). This ensures
seed_pool_recipient(account) is only invoked when seeding is actually required
and avoids failing unbound shielded sub-wallets; touch symbols:
seed_pool_recipient, fetch_shielded_notes_count, start_notes,
target_total_notes, batches_total_estimate, SeedPoolOutcome, and
SeedPoolProgress.

In
`@packages/swift-sdk/SwiftExampleApp/SwiftExampleApp/Views/SeedShieldedPoolView.swift`:
- Around line 190-194: The UI is showing a 0-based completed-batch counter as a
human "Batch" number; update the Text in SeedShieldedPoolView so it reflects
completed batches rather than a 1-based batch label — e.g. change the string
built around p.batchIndex/p.batchesTotalEstimate to read "Completed
\(p.batchIndex)/~\(p.batchesTotalEstimate) · \(p.poolNotesNow)/\(p.target)
notes" (or alternatively use p.batchIndex + 1 if you truly want a 1-based
"Batch" label) so the displayed meaning matches the emitted p.batchIndex value
used with ProgressView and progressFraction(p).
- Around line 57-85: The sheet allows interactive swipe-to-dismiss even when
seeding is running; add an interactiveDismissDisabled modifier driven by the
view's phase to prevent dismissing while work is in-flight. Locate the SwiftUI
view body in SeedShieldedPoolView (the NavigationStack/Form switch over phase)
and apply .interactiveDismissDisabled(phase == .inFlight) to the top-level view
(e.g., on the NavigationStack or Form) so the sheet cannot be swiped away while
phase == .inFlight; keep the existing toolbar Cancel button disabling as-is.
- Around line 150-158: The current ceiling calculation for batches uses (target
+ 5) / 6 which can overflow when parsedTarget == UInt64.max; change the logic in
the view where parsedTarget / target is used (the batches calculation) to
compute the ceiling without adding 5 — e.g., use integer division plus a
remainder check: compute batches as target / 6 plus 1 only if target % 6 != 0
(handle target == 0 appropriately), so the calculation in the
SeedShieldedPoolView that references parsedTarget/target and batches never
performs target+5 and thus cannot overflow.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6a72416a-d41a-4341-9d37-c4255f6ab11e

📥 Commits

Reviewing files that changed from the base of the PR and between 93b657d and 430e6ce.

📒 Files selected for processing (13)

• packages/rs-dpp/src/shielded/builder/mod.rs
• packages/rs-dpp/src/shielded/builder/shield.rs
• packages/rs-dpp/src/shielded/builder/shield_from_asset_lock.rs
• packages/rs-dpp/src/state_transition/state_transitions/shielded/shield_from_asset_lock_transition/signing_tests.rs
• packages/rs-platform-version/src/version/system_limits/v1.rs
• packages/rs-platform-version/src/version/system_limits/v2.rs
• packages/rs-platform-wallet-ffi/src/shielded_send.rs
• packages/rs-platform-wallet/src/wallet/shielded/fund_from_asset_lock.rs
• packages/rs-platform-wallet/src/wallet/shielded/mod.rs
• packages/rs-platform-wallet/src/wallet/shielded/seed_pool.rs
• packages/swift-sdk/Sources/SwiftDashSDK/PlatformWallet/PlatformWalletManagerShieldedFunding.swift
• packages/swift-sdk/SwiftExampleApp/SwiftExampleApp/Core/Views/WalletDetailView.swift
• packages/swift-sdk/SwiftExampleApp/SwiftExampleApp/Views/SeedShieldedPoolView.swift

[thepastaclaw]

Code Review

All four prior findings from commit 0376f15 are verified fixed in the current head 430e6ce. The FinalityTimeout retry path now resumes the tracked asset lock via AssetLockFunding::FromExistingAssetLock { out_point } (seed_pool.rs:297) with an explanatory comment block, and all three doc-comments (Rust method doc, FFI C-ABI doc, Swift SDK wrapper doc) now correctly state 6 notes / 5 fillers / ~42 batches with rationale that 6 is MAX_ACTIONS_PER_BATCH bounded by 20 KiB max_state_transition_size, not the 16-action consensus cap. No new in-scope defects in the latest delta.

[thepastaclaw]

Code Review

Latest delta (4e2e672) is three small, correct fixes: reorder recipient resolution after the no-op early return so unbound shielded sub-wallets don't trip the already-satisfied path, replace (target + 5) / 6 with overflow-safe ceiling division to avoid a Swift UInt64.max trap, and add .interactiveDismissDisabled while a seed run is in flight. No in-scope findings; cumulative PR remains additive, mainnet-gated, with no consensus or serialization impact.

[github-actions]

✅ DashSDKFFI.xcframework built for this PR.

• Workflow run: https://github.com/dashpay/platform/actions/runs/27392333131
• Artifacts: DashSDKFFI.xcframework (folder), DashSDKFFI.xcframework.zip, xc_checksum.txt

SwiftPM (host the zip at a stable URL, then use):

.binaryTarget(
  name: "DashSDKFFI",
  url: "https://your.cdn.example/DashSDKFFI.xcframework.zip",
  checksum: "3f158f14e839386d22b183235cc11d9c956d4063fb347404d6077fd3220947cf"
)

Xcode manual integration:

• Download 'DashSDKFFI.xcframework' artifact from the run link above.
• Drag it into your app target (Frameworks, Libraries & Embedded Content) and set Embed & Sign.
• If using the Swift wrapper package, point its binaryTarget to the xcframework location or add the package and place the xcframework at the expected path.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.73%. Comparing base (93b657d) to head (92d6b4f).
⚠️ Report is 15 commits behind head on v3.1-dev.

❗ There is a different number of reports uploaded between BASE (93b657d) and HEAD (92d6b4f). Click for more details.

HEAD has 1 upload less than BASE

Flag	BASE (93b657d)	HEAD (92d6b4f)
rust	2	1

Additional details and impacted files

@@              Coverage Diff              @@
##           v3.1-dev    #3858       +/-   ##
=============================================
- Coverage     87.15%   70.73%   -16.43%     
=============================================
  Files          2641       20     -2621     
  Lines        327793     2788   -325005     
=============================================
- Hits         285701     1972   -283729     
+ Misses        42092      816    -41276     

Components	Coverage Δ
dpp	∅ <ø> (∅)
drive	∅ <ø> (∅)
drive-abci	∅ <ø> (∅)
sdk	∅ <ø> (∅)
dapi-client	∅ <ø> (∅)
platform-version	∅ <ø> (∅)
platform-value	∅ <ø> (∅)
platform-wallet	∅ <ø> (∅)
drive-proof-verifier	∅ <ø> (∅)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[thepastaclaw]

Code Review

Latest delta f8d674a is a CI-budget test reduction (drops 16-action real-proving signing test, shrinks dummy-padding parametric test from {0,1,15} to {0,1,5}); the seed_pool_batch_fits_max_state_transition_size test still pins the real 6-action seeding ceiling. Cumulative PR remains sound: dummy_outputs is additive with value_balance preserved, 6-action batch is justified by on-wire size, mainnet is hard-gated, FinalityTimeout retry path is correct. One in-scope doc nit: the consensus-fee doc on shield_from_asset_lock_pool_fee was edited in this PR to say 'up to 16 for a pool-seeding batch', but the seeding batch caps at MAX_ACTIONS_PER_BATCH = 6.

💬 1 nitpick(s)

[thepastaclaw]

Code Review

Incremental review against 92d6b4f. The only delta from f8d674a is the doc-comment fix at fund_from_asset_lock.rs:452-457 that addresses the prior 'stale 16-action pool-fee doc' nitpick — verified at current head. No new in-scope findings; the rust-quality test-coverage nit about estimate_batches using per_batch=16 is dropped as a weak style nit (the function is pure arithmetic and the production cap is already pinned by batch_size_math_matches_action_count).