feat(rs-sdk-ffi): expose dash_sdk_signer_can_sign for signer-delegated key preflight

[QuantumExplorer]

Issue being fixed or feature implemented

Follow-up to #3922 (review thread #3922 (comment)).

selectSigningKey(from:operation:) in StateTransitionExtensions.swift picks the public key for a document state transition by ranking candidates by purpose/security, then checking private-material availability against KeychainManager.shared (via KeyManager.withSharedKeychain().findSigningKey(...)). The six document SDK ops (documentCreate / Replace / Delete / Transfer / UpdatePrice / Purchase) each accept a generic signer: OpaquePointer, so a caller passing a signer not backed by the shared Keychain — a raw-key KeyManager.createSigner(from:) signer, a hardware-backed callback signer, or a KeychainSigner bound to a different KeychainManager — would have its key availability mis-judged, and the preflight could reject a key that signer can actually sign with.

It's a latent design coupling, not an active bug: every current caller passes a KeychainSigner defaulting to KeychainManager.shared. But it's exactly the coupling #3922's own doc-comment flagged for removal.

What was done?

Removed the coupling by delegating the availability decision to the supplied signer, while keeping key-selection policy (ranking by purpose/security) in Swift.

rs-sdk-ffi (signer.rs) — new export:

pub unsafe extern "C" fn dash_sdk_signer_can_sign(
    signer: *const SignerHandle,
    pubkey_bytes: *const u8,
    pubkey_len: usize,
    key_type: u8,
) -> bool

It reconstructs a minimal IdentityPublicKey from (pubkey_bytes, key_type) and calls the existing VTableSigner::can_sign_with (previously only invoked internally by Rust during signing). This naturally covers both inner variants: Inner::Callback forwards (pubkey_bytes, key_type) through the vtable's can_sign_with slot (same wire encoding as sign_async), and Inner::Native delegates to the wrapped Rust signer. KeyType::try_from(key_type) fails closed on any out-of-range byte (including the 0xFF platform-address tag); a null signer returns false. No private-key material crosses the boundary.

swift-sdk:

• selectSigningKey now takes signer: OpaquePointer?. It ranks candidates via the new public KeyManager.rankSigningCandidates(...) and returns the first key the supplied signer reports it can sign with through a thin signerCanSign(_:_:) marshalling wrapper over dash_sdk_signer_can_sign.
• The shared-Keychain findSigningKey path is retained as the fallback used only when no signer is available (signer == nil).
• All six document ops pass their in-scope signer to selectSigningKey.
• KeyManager.rankSigningCandidates(...) is a public, read-only ranking entry point delegating to the existing private rankKeys(...) (no duplication; stays off the @MainActor Keychain path).

The same purpose/security policy as before is preserved: contract create/update → AUTHENTICATION + minimum CRITICAL; document ops → AUTHENTICATION, prefer CRITICAL. Existing log markers are unchanged.

How Has This Been Tested?

• cargo fmt --all clean; cargo check -p rs-sdk-ffi (incl. --all-targets) clean.
• 4 new unit tests in signer.rs (can_sign_ffi_*): true/false vtable verdict round-trip, null signer → false, out-of-range key_type fails closed before the vtable is consulted. cargo test -p rs-sdk-ffi can_sign_ffi → 4 passed; full signer suite → 39 passed.
• packages/swift-sdk/build_ios.sh succeeded; the new dash_sdk_signer_can_sign symbol is present in the generated rs-sdk-ffi.h. SwiftExampleApp built to BUILD SUCCEEDED, confirming the Swift wrapper, rankSigningCandidates, and rewired selectSigningKey compile against the regenerated header.

Breaking Changes

None. This adds a new FFI export and an additional signer: parameter on a private Swift helper (all in-tree call sites updated). Not consensus-breaking.

Checklist:

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have added or updated relevant unit/integration/functional/e2e tests
• I have added "!" to the title and described breaking changes in the corresponding section if my code contains any
• I have made corresponding changes to the documentation if needed

For repository code-owners and collaborators only

• I have assigned this pull request to a milestone

🤖 Generated with Claude Code

[coderabbitai]

Warning

Review limit reached

@QuantumExplorer, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 13 minutes and 30 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 02a3194e-786e-404e-9d90-942044fe8291

📥 Commits

Reviewing files that changed from the base of the PR and between f1570bb and 1e884de.

📒 Files selected for processing (3)

• packages/rs-sdk-ffi/src/signer.rs
• packages/swift-sdk/Sources/SwiftDashSDK/FFI/StateTransitionExtensions.swift
• packages/swift-sdk/Sources/SwiftDashSDK/KeyWallet/KeyManager.swift

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/zealous-lederberg-ada608

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[thepastaclaw]

✅ Review complete (commit 1e884de)

[thepastaclaw]

Code Review

Both agents converged on no blocking issues. The new dash_sdk_signer_can_sign FFI export is sound (null-checks, fail-closed KeyType::try_from, no ownership transfer, no private material crossing the boundary), and the six Swift call-site rewires correctly delegate availability to the supplied signer. Two nitpicks remain: one about a documented-but-easy-to-misuse signer == nil fallback path in Swift, and one minor doc-contract loosening in the Rust FFI Safety comment.

💬 2 nitpick(s)

[thepastaclaw]

💬 Nitpick: signer == nil fallback silently reintroduces the KeychainManager.shared coupling this PR removes

All six in-tree callers of selectSigningKey (the document operations updated in this PR) pass a non-nil signer: OpaquePointer, so the guard let signer = signer else { ... } branch at lines 70–90 is unreachable today. The lines 51–53 docstring already calls out that passing nil falls back to KeyManager.findSigningKey(...) against KeychainManager.withSharedKeychain() — exactly the coupling the rest of the PR removes. Two cleaner options: (a) tighten the parameter to a non-optional OpaquePointer and delete the fallback so any future caller can't accidentally opt back into shared-Keychain semantics, or (b) leave the fallback but rename it so the foot-gun is explicit at the call site. Not a correctness defect for this PR, just a maintenance hazard.

_{source: ['claude']}

[thepastaclaw]

💬 Nitpick: Safety contract under-specifies the (non-null pubkey_bytes, pubkey_len == 0) case

The Safety section says pubkey_bytes must "point to at least pubkey_len readable bytes, OR be null with pubkey_len == 0". The Swift caller (signerCanSign) routes through Data.withUnsafeBytes { ... bindMemory(to: UInt8.self).baseAddress }, which for an empty Data may yield either nil or a non-null sentinel depending on Swift runtime. The implementation correctly handles both because std::slice::from_raw_parts(non_null, 0) is well-defined for any non-null aligned pointer, but the doc as written excludes the non-null/zero-length case. Loosening to "pointer is ignored when pubkey_len == 0" would match actual behavior. Pure documentation polish — no behavior change.

_{source: ['claude']}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.78%. Comparing base (6a01c5b) to head (1e884de).
⚠️ Report is 6 commits behind head on v3.1-dev.

Additional details and impacted files

@@             Coverage Diff              @@
##           v3.1-dev    #3924      +/-   ##
============================================
+ Coverage     72.19%   72.78%   +0.59%     
============================================
  Files            21       22       +1     
  Lines          2946     3054     +108     
============================================
+ Hits           2127     2223      +96     
- Misses          819      831      +12     

Components	Coverage Δ
dpp	∅ <ø> (∅)
drive	∅ <ø> (∅)
drive-abci	∅ <ø> (∅)
sdk	∅ <ø> (∅)
dapi-client	∅ <ø> (∅)
platform-version	∅ <ø> (∅)
platform-value	∅ <ø> (∅)
platform-wallet	∅ <ø> (∅)
drive-proof-verifier	∅ <ø> (∅)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[QuantumExplorer]

Reviewed