fix(platform-wallet): auto_select_inputs honors Σ inputs == Σ outputs

[Claudius-Maginificent]

Issue

auto_select_inputs in packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs was inserting each selected address with its full balance as the input's Credits value, then returning as soon as accumulated covered output + fee. The address-funds-transfer protocol enforces Σ inputs.credits == Σ outputs.credits (strict equality), so a bank with ~500B credits funding a 50M output produced:

inputs  = { bank: 499_985_086_740 }
outputs = { target: 50_000_000 }
→ rejected: "Input and output credits must be equal"

Verified at rs-dpp/.../address_funds_transfer_transition/v0/state_transition_validation.rs and asserted on-chain by rs-drive-abci/.../address_funds_transfer/tests.rs::test_input_balance_decreased_correctly (new_balance == initial_balance - transfer_amount - fee).

Protocol semantics (now respected)

• inputs[addr].credits = consumed amount from addr
• outputs[addr] = credited amount to addr
• Σ inputs.credits == Σ outputs.credits (strict equality)
• Fee is deducted from the targeted input's remaining balance (post-consumption) per AddressFundsFeeStrategy. DeductFromInput(0) reduces the remaining balance by the fee — never the inputs map's Credits value
• Every input must satisfy consumed >= min_input_amount (currently 100_000)

What changed

The PR grew through review feedback. Each commit is a focused step.

Selector correctness (5 commits)

1. aaf8be74 — initial Σ inputs == Σ outputs fix. Extracted the selection loop into a pure module-scope helper select_inputs that walks candidates and trims the result so the inputs map sums to exactly total_output.

2. 9ea9e703 — fee-headroom guarantee at DeductFromInput(0) target (CodeRabbit critical). The original fix proved aggregate balance covered the fee but not that the specific fee-bearing input had remaining headroom. Now identifies the prospective fee target (lex-smallest of selected) and reserves at least estimated_fee of remaining balance on it.

3. 687b1f86 — protocol-level reproduction test. Reconstructs the OLD buggy selector output for the CodeRabbit example, feeds the post-consumption input_current_balances through dpp::address_funds::fee_strategy::deduct_fee_from_outputs_or_remaining_balance_of_inputs, and asserts !fee_fully_covered. Proves the rejection at the protocol layer rather than asserting "the new output looks different."

4. 60f7850a — sort candidates by balance descending (mirrors dash-evo-tool's allocator). Reduces the frequency of multi-input cases — when the largest single balance covers total_output + fee, the result is a 1-input map and the lex-smallest fee-target headroom logic doesn't fire at all. Bonus: fee_headroom_violation_errors now produces a debuggable error message.

5. 9ff937ff — second review wave (4 blocking, 1 suggestion):

   • min_input_amount enforcement. auto_select_inputs filters candidates < min_input_amount upfront; Phase 4 distribution rolls any sub-minimum tail residue back into the fee target's consumption rather than producing an InputBelowMinimumError-prone tail.
   • fee_strategy restriction in transfer(). InputSelection::Auto now rejects any shape other than [DeductFromInput(0)] with a clear redirect to InputSelection::Explicit. The previous fallback path was publicly reachable but only protocol-correct for that single shape.
   • Phase 3 retry on infeasibility. When fee_target_min > fee_target_max, the algorithm extends the prefix with the next candidate and retries instead of erroring out — larger prefixes can yield a different lex-smallest fee target with sufficient headroom.
   • Early total_output < min_input_amount error (replaces the internal-error fallthrough).
   • Validator-based test assertions. assert_selection_validates helper builds an AddressFundsTransferTransitionV0 from each selector test's output and runs validate_structure. Catches future protocol-level regressions without depending on testnet.

CI / infrastructure (3 commits)

6. 79c2b285 — ci(rs-packages-filter): trigger Rust workspace tests on rs-platform-wallet changes. The path filter at .github/package-filters/rs-packages-no-workflows.yml didn't list rs-platform-wallet, so any crate-only change there evaluated rs-packages = '[]' and Rust workspace tests silently skipped. This PR's prior 5 commits had never been validated by Rust CI — only by local cargo test. The filter entry mirrors the existing pattern (path + *sdk alias for transitive triggers).

7. d610502 — merge v3.1-dev (9bd37f203a).

8. 3c4f9199 — Rust 1.92 clippy hardening that the previously-skipped pipeline had been quietly accumulating:

   • field_reassign_with_default in core_bridge.rs::build_core_changeset → struct literal init
   • let_unit_value in wallet/apply.rs:316 (WalletInfoInterface::update_balance returns ()) → drop the let _ =
   • Stale core.chain.synced_height access in tests/spv_sync.rs → flattened to core.synced_height (struct shape changed upstream; the test never recompiled because workspace tests were skipping)

Tests (121 lib tests, all passing)

auto_select_tests module — 11 tests:

• single_input_oversized_balance_trims_to_output_amount
• two_input_selection_keeps_fee_headroom_at_index_zero (renamed from the original ..._trims_only_the_last after the headroom fix)
• fee_target_keeps_remaining_for_fee_deduction — direct regression for CodeRabbit's example
• pre_fix_buggy_selector_output_is_rejected_by_protocol_fee_deduction — protocol-level reproduction (asserts !fee_fully_covered)
• fee_only_tail_input_does_not_inflate_input_sum
• descending_order_picks_single_largest_when_sufficient
• non_fee_target_below_min_input_redistributes
• total_output_below_min_input_amount_errors
• fee_headroom_violation_errors
• insufficient_balance_errors
• no_candidates_errors

5 of them now also assert structural validity via assert_selection_validates → AddressFundsTransferTransitionV0::validate_structure.

Note on withdrawal selector

The auto_select_inputs_for_withdrawal rustdoc clarifies the asymmetry: withdrawal validates Σ inputs > output_amount (strictly greater, surplus = fee), so its drain-everything strategy is correct by design. Not the same bug; no code change.

Verification

• cargo fmt -p platform-wallet --check ✓
• cargo clippy --workspace --tests -- -D warnings ✓
• cargo test -p platform-wallet --lib — 121/121 passing
• CI green on 3c4f9199 (Rust workspace tests / macOS now exercising this crate, was previously skipping)

Test plan

• Unit tests cover trim invariant in single- and multi-input cases
• Regression test for fee-only-tail-input case
• Protocol-level reproduction proves the pre-fix output is rejected by deduct_fee_from_outputs_or_remaining_balance_of_inputs
• Validator-based test assertions on 5 selector tests
• No public API change (transfer(), auto_select_inputs, select_inputs signatures stable; transfer() now rejects non-[DeductFromInput(0)] for Auto with a clear error)
• Workspace clippy clean under Rust 1.92
• Rust workspace tests now triggered by path filter
• Live e2e re-run on testnet via test(platform-wallet): integration test framework + first transfer test #3549 once both merge

Provenance

Originally surfaced and fixed during work on PR #3549 (rs-platform-wallet e2e harness). Split out so the production-code fix can ship independently of the long-running e2e branch. Subsequent commits address review feedback from CodeRabbit and thepastaclaw reviewers and close a CI coverage gap that was hiding pre-existing breaks on v3.1-dev.

🤖 Generated with Claude Code

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Restricts auto input-selection to a single fee-strategy shape and replaces the greedy selector with a deterministic, tested pure selector; plus small refactors and test/adaptations and a package-filter addition.

Changes

Cohort / File(s)	Summary
Input selection & tests packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs	Restricts InputSelection::Auto to the single supported fee-strategy [DeductFromInput(0)]; replaces previous greedy ascending selector with snapshot/filter → sort (descending) → pure select_inputs helper that returns per-address consumed credits summing to total_output, preserves fee headroom for the lexicographically-smallest DeductFromInput(0) target, folds sub-min_input_amount tail into fee target, and exposes estimate_fee_for_inputs_pub. Adds comprehensive unit and protocol-layer regression tests.
Core changeset projection packages/rs-platform-wallet/src/changeset/core_bridge.rs	Rewrites build_core_changeset projection to compute new_utxos/spent_utxos first and return a constructed CoreChangeSet literal instead of mutating a default via field reassignments.
Restore/apply behavior packages/rs-platform-wallet/src/wallet/apply.rs	Calls self.core_wallet.update_balance() for side effects (no returned changeset used); updates inline docs to reflect update_balance returns () and to avoid clippy let_unit_value.
SPV sync test update packages/rs-platform-wallet/tests/spv_sync.rs	Updates RecordingPersister::store to read synced_height from flattened CoreChangeSet (c.synced_height) instead of nested chain.synced_height, adjusting test persistence metadata observation.
Package filter addition .github/package-filters/rs-packages-no-workflows.yml	Adds new package filter group rs-platform-wallet matching packages/rs-platform-wallet/** and including *sdk dependency set.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

Poem

🐰 I hopped through balances, tails in a row,
Picked the fattest coins so fees still could grow,
Folded tiny crumbs into the pot,
Wrote tests that thumped — no corner forgot,
A tiny rabbit happy to watch ledgers flow.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main bug fix: it specifies the component (auto_select_inputs), describes the core issue (honoring the sum equivalence property Σ inputs == Σ outputs), and directly addresses the central problem fixed in the PR.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/rs-platform-wallet-auto-select-inputs

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[thepastaclaw]

Review Gate

Commit: 2dec6a66

• ✅ Debounce: 729m ago (need 30m)

• ⏳ CI checks: build failure: Rust workspace tests / Tests (macOS)

• ✅ CodeRabbit review: comment found

• ✅ Off-peak hours: off-peak (06:30 PM PT Wednesday)

• Run review now (check to override)

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs`:
- Around line 341-365: When building the final `selected` map after `accumulated
>= required`, ensure the address referenced by the fee strategy
`DeductFromInput(index)` is reserved the estimated fee before returning: locate
the `chosen` prefix and the loop that constructs `selected` using
`remaining`/`total_output`, compute the required fee headroom for the
fee-bearing input (from `fee_strategy`/`DeductFromInput`) and reduce that
input's available amount by that fee (i.e., instead of consuming up to
`remaining`, cap consumption so the fee-bearing input keeps at least
`estimated_fee`), and if that causes the input to be insufficient, continue
selecting additional candidates or return an error; update uses of `selected`,
`remaining`, `accumulated`, and `required` accordingly so the returned map
guarantees the fee-bearing input still has the reserved fee.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 56d75786-5d1c-44b8-a304-2e962f372120

📥 Commits

Reviewing files that changed from the base of the PR and between 844edba and aaf8be7.

📒 Files selected for processing (1)

• packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs`:
- Around line 441-461: The distribution loop that sets each consumed = min(bal,
remaining) can insert inputs below min_input_amount (e.g., consumed <
min_input_amount); after that loop (the one that inserts entries into prefix and
uses variables fee_target_consumed, remaining, consumed, fee_target_addr),
validate all non-zero consumed values against min_input_amount and either (a)
rebalance by moving consumption from fee_target_consumed or other large entries
to bump small entries up to min_input_amount while preserving total consumption,
or (b) return an error indicating distribution impossible; implement the
simplest correct choice for your flow (prefer returning an error if safe
redistribution is complex) and ensure the function returns early on failure so
subsequent debug_asserts aren’t relied on.
- Around line 349-353: The code currently silently falls back to front-trimming
for any AddressFundsFeeStrategy other than the single-item [DeductFromInput(0)]
inside transfer()/where InputSelection::Auto is handled; change this to reject
unsupported auto-selection fee strategies by returning a clear error instead of
performing the unsafe fallback. Locate the branch handling InputSelection::Auto
in transfer.rs (the block that examines fee_strategy and falls back to
front-trimming) and add a guard that checks the strategy sequence—if it is not
exactly the single DeductFromInput(0) pattern, return an Err (with a descriptive
enum/variant or mapped error) indicating unsupported fee strategy for
auto-selection so callers cannot produce inputs that sum to outputs but will
fail on-chain once fees are applied. Ensure the new error flows out of
transfer() consistently with existing error types.
- Around line 363-385: The loop that builds the DIP-17-ordered prefix (variables
prefix, accumulated, covered) currently breaks out as soon as accumulated >=
required, which prevents trying larger prefixes when Phase 3 (fee target
feasibility using fee_target_min/fee_target_max and DeductFromInput(0)
semantics) fails; change the logic so that when a covering prefix is found you
run Phase 3 checks but do not return/error on Phase 3 failure—continue the for
(address, balance) in candidates iteration (calling estimate_fee_for_inputs_pub
as before) to grow the prefix and try later candidates until either Phase 3
succeeds or all candidates are exhausted, only then set covered/error
accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 857ac9b6-556f-4771-a503-d3c0069a9ecb

📥 Commits

Reviewing files that changed from the base of the PR and between aaf8be7 and 9ea9e70.

📒 Files selected for processing (1)

• packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs (2)

442-453: Fallback path for non-[DeductFromInput(0)] strategies still risks on-chain rejection.

The docstring at lines 371-375 acknowledges this limitation, but the code silently proceeds with a distribution that only guarantees Σ inputs == Σ outputs without reserving fee headroom on the actual fee-bearing input. If transfer() is ever called with a different fee strategy (e.g., DeductFromInput(1) or multi-step strategies), the returned inputs map could still fail on-chain when the targeted input lacks remaining balance for fee deduction.

A previous review suggested returning an error for unsupported strategies. The current approach documents the limitation but doesn't prevent misuse. Consider whether rejecting unsupported strategies is preferable to silent fallback with potential on-chain failure.

Alternative: Reject unsupported strategies explicitly

     if !single_deduct_from_input_zero {
-        let mut selected: BTreeMap<PlatformAddress, Credits> = BTreeMap::new();
-        let mut remaining = total_output;
-        for (addr, bal) in prefix.iter() {
-            if remaining == 0 {
-                break;
-            }
-            let consumed = (*bal).min(remaining);
-            selected.insert(*addr, consumed);
-            remaining = remaining.saturating_sub(consumed);
-        }
-        return Ok(selected);
+        return Err(PlatformWalletError::AddressOperation(
+            "Auto input selection currently supports only [DeductFromInput(0)] fee strategy. \
+             Other strategies require explicit input selection.".to_string(),
+        ));
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs` around
lines 442 - 453, The fallback branch that builds `selected` when
`!single_deduct_from_input_zero` must not silently return a transfer that may
fail on-chain; instead make `transfer()` validate the fee strategy up-front and
return an explicit error for unsupported strategies (e.g., when the strategy is
not `FeeStrategy::DeductFromInput(0)` or `single_deduct_from_input_zero` is
false). Replace the current loop-return branch that constructs `selected` with
an Err variant (create or reuse a `TransferError::UnsupportedFeeStrategy` or
similar), and ensure callers handle that error; keep the `prefix`-consumption
logic only for the supported `single_deduct_from_input_zero` path.

---

405-409: Phase 1 early break may cause false "fee headroom" failures when a larger prefix would succeed.

A previous review noted that because DeductFromInput(0) targets the lex-smallest address (not the first in iteration order), a later candidate joining the prefix can become the new fee target and make an otherwise-infeasible selection work. The current code breaks at the first covering prefix without checking Phase 3 feasibility.

With the descending-balance sort, this scenario is less common (the first candidates are the largest balances), but it can still occur when:

1. The largest-balance address is also lex-smallest
2. That address has just enough to cover total_output but not total_output + fee
3. Adding a lex-smaller address would shift the fee-target role to a smaller-balance address with better headroom characteristics

Consider continuing to accumulate candidates until Phase 3 succeeds or all candidates are exhausted, rather than erroring immediately on the first Phase 3 failure.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs` around
lines 405 - 409, The early break on the first prefix that meets accumulated >=
required causes false failures because Phase 3 (fee-target reassignment via
DeductFromInput(0)) may succeed for a larger prefix; in the loop that checks
accumulated, required and sets covered=true then break, remove the immediate
break and instead, after accumulated >= required, invoke the Phase 3 feasibility
check (the same logic that uses DeductFromInput(0) / the fee-target selection)
and only set covered=true and stop accumulating if that Phase 3 check succeeds;
if Phase 3 fails, continue accumulating more candidates and only error or mark
covered=false after all candidates are exhausted. Ensure you update the
variables used in the Phase 3 check to reflect the extended prefix and keep the
existing semantics for setting covered and returning an error when no prefix
passes Phase 3.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs`:
- Around line 509-521: The loop that distributes `remaining` across `prefix` may
insert entries below `min_input_amount` because it uses `consumed =
bal.min(remaining)` without validating per-input minimum; update the Phase 4
loop (the block iterating `for (addr, bal) in prefix.iter()`) to only insert a
`consumed` value if `consumed >= min_input_amount`, otherwise do not insert that
address and instead add the small remainder to the `fee_target_addr` (or
accumulate it to be merged into the fee target while preserving any fee
headroom) so no non-fee-target input can be below `min_input_amount`; retain
existing `remaining`/`selected` semantics and keep the Phase 5 `debug_assert`
intact.

---

Nitpick comments:
In `@packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs`:
- Around line 442-453: The fallback branch that builds `selected` when
`!single_deduct_from_input_zero` must not silently return a transfer that may
fail on-chain; instead make `transfer()` validate the fee strategy up-front and
return an explicit error for unsupported strategies (e.g., when the strategy is
not `FeeStrategy::DeductFromInput(0)` or `single_deduct_from_input_zero` is
false). Replace the current loop-return branch that constructs `selected` with
an Err variant (create or reuse a `TransferError::UnsupportedFeeStrategy` or
similar), and ensure callers handle that error; keep the `prefix`-consumption
logic only for the supported `single_deduct_from_input_zero` path.
- Around line 405-409: The early break on the first prefix that meets
accumulated >= required causes false failures because Phase 3 (fee-target
reassignment via DeductFromInput(0)) may succeed for a larger prefix; in the
loop that checks accumulated, required and sets covered=true then break, remove
the immediate break and instead, after accumulated >= required, invoke the Phase
3 feasibility check (the same logic that uses DeductFromInput(0) / the
fee-target selection) and only set covered=true and stop accumulating if that
Phase 3 check succeeds; if Phase 3 fails, continue accumulating more candidates
and only error or mark covered=false after all candidates are exhausted. Ensure
you update the variables used in the Phase 3 check to reflect the extended
prefix and keep the existing semantics for setting covered and returning an
error when no prefix passes Phase 3.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3b42e9a8-3597-407f-9ca0-e9a419a38732

📥 Commits

Reviewing files that changed from the base of the PR and between 9ea9e70 and 60f7850.

📒 Files selected for processing (1)

• packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs

[thepastaclaw]

Code Review

PR fixes the original Σ inputs == Σ outputs bug, but introduces three new protocol violations. The selector reasons about fee headroom in DIP-17 insertion order while the chain applies DeductFromInput(i) over BTreeMap key order — combined with dropping/draining tail inputs, this leaves the actual fee-bearing input with no remaining balance. The trim can also produce inputs below min_input_amount (100_000). The new tests assert only the structural invariant and would not catch any of these regressions.

Reviewed commit: aaf8be7

🔴 2 blocking | 🟡 1 suggestion(s) | 💬 2 nitpick(s)

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs`:
- [BLOCKING] lines 321-365: Selector reserves fee headroom in insertion order, but the protocol charges DeductFromInput(0) against the BTreeMap-first input
  `select_inputs` keeps `chosen` in insertion (DIP-17) order and consumes from front to back, fully draining every input except the last to reach exactly `total_output`. It returns a `BTreeMap`, however, and the on-chain validator resolves `DeductFromInput(index)` via `remaining_balances.iter().nth(index)` (verified at `rs-dpp/.../state_transition_estimated_fee_validation.rs:48-69`), i.e. against BTreeMap key order — the lex-smallest selected address.

When the BTreeMap-first address is not the same as the insertion-order tail, all fee headroom ends up on the wrong input. The new test `two_input_selection_trims_only_the_last` demonstrates the failure mode directly: `addr_a = [0x01;20]` (BTreeMap key 0) is consumed for its full 20M balance — remaining = 0; `addr_b` keeps 40M of headroom. With `DeductFromInput(0)` the protocol charges the fee to `addr_a`, which has 0 left, so `fee_fully_covered = false` and the transition is rejected with `AddressesNotEnoughFundsError` (`rs-drive-abci/.../validate_fees_of_event/v0/mod.rs:209-224`).

The `fee_only_tail_input_does_not_inflate_input_sum` test exposes the same root cause via dropping rather than draining: `addr_a` has `total_output + 1` and is consumed for `total_output`, leaving 1 credit of remaining balance on the only returned input — far below any realistic transfer fee. The aggregate guarantee `Σ remaining ≥ fee` is irrelevant because the protocol charges the fee from one specific input, not the aggregate.

The helper must guarantee that the input the protocol will actually charge (BTreeMap-first when `fee_strategy = [DeductFromInput(0)]`) retains at least `estimated_fee` of remaining balance after consumption. Practical options: (a) compute the BTreeMap-first selected address up front and direct the trim residue to it, leaving headroom there; (b) restrict consumption on the fee-target input to `balance − estimated_fee`. The unit tests need to assert remaining balances after consumption, not just `Σ values == total_output`, to catch this class of bug.
- [BLOCKING] lines 351-365: Trimmed tail input can fall below `min_input_amount`, causing structural rejection
  The trim sets `consumed = (*bal).min(remaining)` per input, with no lower bound. The transfer validator rejects any input below `platform_version.dpp.state_transitions.address_funds.min_input_amount` (currently 100_000) with `InputBelowMinimumError` (`rs-dpp/.../address_funds_transfer_transition/v0/state_transition_validation.rs:146-167`).

A perfectly normal multi-input scenario triggers this: candidates A=5M, B=100M with `total_output = 5_050_000` yields `{A: 5_000_000, B: 50_000}`, and 50_000 < 100_000. Or two 100k inputs funding a 150k output: `{first: 100_000, second: 50_000}` — also rejected. None of the new tests exercise this boundary.

Fix options: filter candidates with `balance >= min_input_amount` at the call site and either skip a tail that would trim below the minimum (rolling residue back into a prior input) or refuse to add a candidate whose post-trim consumption would violate the limit. The helper aims to encode protocol correctness, so this should be enforced inside `select_inputs` rather than left to the validator.
- [SUGGESTION] lines 412-539: Tests assert the input-sum invariant only, not full state-transition validation
  `single_input_oversized_balance_trims_to_output_amount`, `two_input_selection_trims_only_the_last`, and `fee_only_tail_input_does_not_inflate_input_sum` all assert only that `Σ values == total_output`. They never assemble the result into an `AddressFundsTransferTransition` and run it through `validate_structure` + the fee-validation pipeline. As a result they pass on inputs maps that the on-chain validator deterministically rejects (see the two blocking findings above). The dpp validators are pure and don't need a live node — wiring an integration assertion into these tests would catch both classes of regression and is the right substitute for the still-pending testnet rerun referenced in the PR description.

[thepastaclaw]

Code Review

The DeductFromInput(0) headroom bug from the prior review is fixed: the selector now targets the BTreeMap-first input via lex-smallest selection, and the new pre_fix_buggy_selector_output_is_rejected_by_protocol_fee_deduction test exercises dpp's actual fee-deduction path. Two prior blockers remain reachable on the current head, however: Phase 4's distribution across non-fee-target inputs has no min_input_amount floor, and the public-API fallback for fee strategies other than [DeductFromInput(0)] produces input maps the validator deterministically rejects.

Reviewed commit: 60f7850

🔴 2 blocking | 🟡 1 suggestion(s) | 💬 2 nitpick(s)

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs`:
- [BLOCKING] lines 504-521: Non-fee-target inputs can still be trimmed below `min_input_amount`
  Phase 3 pins `fee_target_min ≥ min_input_amount` (line 484), but Phase 4 then distributes `total_output − fee_target_consumed` across the non-fee-target prefix entries with `let consumed = (*bal).min(remaining)` and inserts any positive value (lines 516-520) — there is no per-input lower bound. The validator at `packages/rs-dpp/src/state_transition/state_transitions/address_funds/address_funds_transfer_transition/v0/state_transition_validation.rs:157-167` iterates `self.inputs.values()` and rejects ANY input below `min_input_amount` (100_000) with `InputBelowMinimumError`.

A construction that survives Phase 1 and Phase 3 but trips the validator:
- candidates after balance-desc sort: `[(addr_X=0x01, 1_000_000), (addr_Y=0x02, 30_000)]`
- `total_output = 950_000`, `min_input_amount = 100_000`
- Phase 1 needs both inputs (e.g. `fee_for_1 = 60_000` → 1_000_000 < 1_010_000; `fee_for_2 = 80_000` → 1_030_000 ≥ 1_030_000 ✓)
- `fee_target = addr_X`, `fee_target_max = 920_000`, `other_total = 30_000`, `fee_target_min = max(100_000, 920_000) = 920_000` — 920_000 ≤ 920_000 ✓
- Phase 4: `remaining = 30_000` → `addr_Y` inserted as 30_000 < 100_000 → rejected.

Fix options: filter candidates with `balance < min_input_amount` at the call site; refuse to insert a non-fee-target consumption that would land below the minimum (rolling residue back to the fee target, which already has remaining headroom); or bail out with a descriptive error. The existing `fee_headroom_violation_errors` test exercises only the fee-target min-input path; an analogous test for the tail input would catch this.
- [BLOCKING] lines 442-454: Fallback path is reachable via public API and produces protocol-invalid input maps
  `transfer()` (line 31) is `pub` and accepts an arbitrary `fee_strategy: AddressFundsFeeStrategy` from any caller. With `InputSelection::Auto`, this routes through `select_inputs()`, which only implements protocol-correct logic for the exact shape `[DeductFromInput(0)]` (line 437-440). For every other strategy, lines 442-453 fall back to a front-consume distribution that guarantees only `Σ inputs == total_output` and ignores both fee-target headroom and `min_input_amount`.

Reachable failure: with `fee_strategy = [DeductFromInput(1)]`, candidates `[(addr_b, 20M), (addr_a, 50M)]` where `addr_a < addr_b`, and `total_output = 30M`, the fallback returns `{addr_b: 20M, addr_a: 10M}`. The protocol resolves `DeductFromInput(i)` against BTreeMap key order (`packages/rs-dpp/src/address_funds/fee_strategy/.../v0/mod.rs`), so index 1 points at `addr_b`, which is fully drained — fee deduction fails exactly like the original bug. `ReduceOutput(...)` strategies can produce structurally invalid trailing inputs for the same reason.

The doc on lines 371-375 acknowledges this as 'must be revisited if [strategy] changes', but the public API surface is wide open today. Either constrain the strategy at the entry point, return an explicit `Err` for unsupported shapes, or extend the fee-target/min-input logic to general strategies. Returning a known-suspect map silently is the riskier option — it forces a future caller to stumble into the same protocol rejection that motivated this PR.
- [SUGGESTION] lines 484-545: `total_output < min_input_amount` falls through to misleading 'Internal selection error'
  When `total_output < min_input_amount` (e.g. caller asks to transfer 50_000 credits with min_input=100_000), the 1-input path computes `fee_target_min = max(min_input_amount, total_output) = 100_000 > total_output`, so `selected = {addr: 100_000}` and `input_sum = 100_000 ≠ total_output`. Phase 4's loop runs once with `remaining = total_output.saturating_sub(100_000) = 0`, then the flow trips the `debug_assert_eq!` at line 527 in debug builds and falls through to the line-538 'Internal selection error' branch in release.

The protocol disallows any transfer with `total_output < min_input_amount` (no input set can satisfy both `Σ inputs == total_output` and per-input `≥ min_input_amount`). This deserves an early, descriptive error like 'Transfer amount X below minimum Y' rather than the internal-error path that's documented as 'should never trip'. Add an early check at the top of `select_inputs` (or in the `transfer` entry-point on `outputs.values().sum()`).

[coderabbitai]

🧹 Nitpick comments (1)

packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs (1)

607-631: Phase 5 invariant checks are partially release-protected.

The debug_assert statements at lines 611-624 verify critical protocol invariants:

1. Σ inputs == total_output — also checked in release at line 626 ✓
2. Fee target is BTreeMap index-0 (lex-smallest)
3. Fee target retains ≥ estimated_fee remaining balance
4. Every input ≥ min_input_amount

Invariants 2-4 are only asserted in debug builds. If any of these fail in release (due to a future regression in Phase 1-4 logic), the transition would be submitted and rejected by the protocol layer rather than caught here.

Given the algorithm's structure and test coverage, these should never trip. However, promoting invariant 3 (the fee headroom check) to a release-mode error would provide defense-in-depth for the exact bug this PR fixes.

♻️ Optional: Add release-mode check for fee headroom

     if input_sum != total_output {
         return Err(PlatformWalletError::AddressOperation(format!(
             "Internal selection error: Σ inputs ({}) != total_output ({})",
             input_sum, total_output
         )));
     }
+
+    let fee_target_remaining = fee_target_balance.saturating_sub(fee_target_consumed);
+    if fee_target_remaining < estimated_fee {
+        return Err(PlatformWalletError::AddressOperation(format!(
+            "Internal selection error: fee target {} remaining {} < estimated fee {}",
+            format_address(&fee_target_addr),
+            fee_target_remaining,
+            estimated_fee,
+        )));
+    }
 
     Ok(selected)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs` around
lines 607 - 631, The fee-headroom check currently uses debug_assert! on
fee_target_balance.saturating_sub(fee_target_consumed) >= estimated_fee, which
is only active in debug builds; replace that debug-only assertion with a
release-mode runtime check inside the same scope (where selected,
fee_target_balance, fee_target_consumed and estimated_fee are available) so that
if the condition fails you return
Err(PlatformWalletError::AddressOperation(...)) with a clear message including
the computed headroom and required estimated_fee; keep the other debug_asserts
as-is and ensure the new check mirrors the existing error style used for
input_sum != total_output.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs`:
- Around line 607-631: The fee-headroom check currently uses debug_assert! on
fee_target_balance.saturating_sub(fee_target_consumed) >= estimated_fee, which
is only active in debug builds; replace that debug-only assertion with a
release-mode runtime check inside the same scope (where selected,
fee_target_balance, fee_target_consumed and estimated_fee are available) so that
if the condition fails you return
Err(PlatformWalletError::AddressOperation(...)) with a clear message including
the computed headroom and required estimated_fee; keep the other debug_asserts
as-is and ensure the new check mirrors the existing error style used for
input_sum != total_output.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e663ab0e-42e2-48de-b207-cd8e4fa9740b

📥 Commits

Reviewing files that changed from the base of the PR and between 60f7850 and 9ff937f.

📒 Files selected for processing (1)

• packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.29%. Comparing base (4ca63a1) to head (2dec6a6).
⚠️ Report is 1 commits behind head on v3.1-dev.

Additional details and impacted files

@@            Coverage Diff            @@
##           v3.1-dev    #3554   +/-   ##
=========================================
  Coverage     88.29%   88.29%           
=========================================
  Files          2479     2479           
  Lines        301541   301541           
=========================================
  Hits         266231   266231           
  Misses        35310    35310           

Components	Coverage Δ
dpp	87.95% <ø> (ø)
drive	87.36% <ø> (ø)
drive-abci	90.25% <ø> (ø)
sdk	∅ <ø> (∅)
dapi-client	∅ <ø> (∅)
platform-version	∅ <ø> (∅)
platform-value	92.17% <ø> (ø)
platform-wallet	∅ <ø> (∅)
drive-proof-verifier	55.66% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[lklimek]

@coderabbitai review all

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@lklimek Sure, I'll kick off another full review of all the changes in this PR right away!

[full_review]

[Copilot]

Pull request overview

Fixes rs-platform-wallet's automatic platform-address input selection so transfer inputs model consumed credits instead of full balances, aligning wallet behavior with the address-funds transfer protocol.

Changes:

• Reworked auto_select_inputs in transfer.rs to build protocol-shaped input maps, add fee-strategy-specific selection helpers, and add extensive selector tests.
• Added new wallet error variants to surface arithmetic overflow and the “only output addresses are funded” case more explicitly.
• Updated CI package filters so rs-platform-wallet changes participate in Rust workspace test selection, plus a few small cleanup/refactor changes in related Rust files.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs	Main selector rewrite, fee-strategy handling, helper functions, and new unit tests.
packages/rs-platform-wallet/src/wallet/apply.rs	Small comment cleanup around balance recomputation.
packages/rs-platform-wallet/src/manager/accessors.rs	Minor accessor simplifications and type cleanup.
packages/rs-platform-wallet/src/error.rs	Adds new wallet error variants used by the selector changes.
packages/rs-platform-wallet/src/changeset/core_bridge.rs	Comment wording cleanup in core changeset construction.
.github/package-filters/rs-packages-no-workflows.yml	Adds rs-platform-wallet to Rust package path filters so workspace tests trigger.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[thepastaclaw]

Code Review

Incremental re-review at 92bc962 since b6e7d05. PR-authored deltas land focused fixes: typed OnlyOutputAddressesFunded error (CMT-014), tightened redistribute test (CMT-009), collapsed estimate_fee_for_inputs_pub wrapper (CMT-008), checked Credits arithmetic (CMT-005/006/007). 4 of 9 prior findings FIXED; 5 STILL VALID with adjusted line numbers. The address_paths.rs test-coverage finding from claude-rust-quality is dropped as out-of-scope — that file entered via upstream PR #3582 (commit 64821c2) through the v3.1-dev merge, not this PR's authored work. New code reads clean — no new defects.

Reviewed commit: 92bc962

🟡 4 suggestion(s) | 💬 3 nitpick(s)

1 additional finding

🟡 suggestion: `InputSelection::Auto` docstring is still wrong on three counts

packages/rs-platform-wallet/src/wallet/platform_addresses/mod.rs (lines 27-30)

STILL VALID at 92bc962 (mod.rs:27-30 unchanged). The doc claims Auto consumes addresses "from lowest derivation index to highest". (1) auto_select_inputs (transfer.rs:166-260) sorts candidates balance-descending via build_auto_select_candidates (transfer.rs:316-330) and skips balances below min_input_amount. (2) Supported fee strategies are [DeductFromInput(0)] or [ReduceOutput(0)] only (transfer.rs:78-88) — other shapes return an error. (3) Any address that also appears as a destination output is excluded (transfer.rs:326), now surfaced as the typed PlatformWalletError::OnlyOutputAddressesFunded (transfer.rs:229-237). InputSelection is part of this crate's public API, so the stale contract misleads downstream callers about spend order, fragmentation, accepted strategies, and the output-exclusion failure mode.

💡 Suggested change

    /// Automatically select inputs from the account, consuming
    /// addresses in balance-descending order until the required amount
    /// plus estimated fees is covered. Addresses with balance below the
    /// protocol's per-input minimum (`min_input_amount`) are skipped,
    /// and any address that is also a destination output is excluded
    /// (the protocol forbids the same address being both input and
    /// output of a single transition); when this exclusion empties the
    /// candidate set, `transfer()` returns the typed
    /// [`PlatformWalletError::OnlyOutputAddressesFunded`] so callers
    /// can rotate to a fresh receive address or fall back to
    /// `Explicit`.
    /// Supported fee strategies: `[DeductFromInput(0)]` (selector
    /// reserves fee headroom on input 0) and `[ReduceOutput(0)]`
    /// (selector verifies output 0 can absorb the static fee floor).
    /// Other strategies must use `Explicit`.
    Auto,

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/src/wallet/platform_addresses/mod.rs`:
- [SUGGESTION] lines 27-30: `InputSelection::Auto` docstring is still wrong on three counts
  STILL VALID at 92bc9624 (mod.rs:27-30 unchanged). The doc claims `Auto` consumes addresses "from lowest derivation index to highest". (1) `auto_select_inputs` (transfer.rs:166-260) sorts candidates balance-descending via `build_auto_select_candidates` (transfer.rs:316-330) and skips balances below `min_input_amount`. (2) Supported fee strategies are `[DeductFromInput(0)]` or `[ReduceOutput(0)]` only (transfer.rs:78-88) — other shapes return an error. (3) Any address that also appears as a destination output is excluded (transfer.rs:326), now surfaced as the typed `PlatformWalletError::OnlyOutputAddressesFunded` (transfer.rs:229-237). `InputSelection` is part of this crate's public API, so the stale contract misleads downstream callers about spend order, fragmentation, accepted strategies, and the output-exclusion failure mode.

In `packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs`:
- [SUGGESTION] lines 657-660: `select_inputs_reduce_output` Phase 3 doc says "lex-smallest peer" but the code uses caller order
  STILL VALID at 92bc9624 (helper now spans 665-820). The algorithm summary at lines 657-660 and the inline rationale at lines 741-743 describe lifting the trimmed last entry "from the lex-smallest peer with spare balance". The implementation at lines 753-757 instead iterates `prefix` (caller-supplied order — balance-descending in production via `auto_select_inputs`'s sort) and `find`s the first qualifying peer — i.e. the largest-balance peer, not the lex-smallest. The sibling `select_inputs_deduct_from_input` is careful to distinguish lex-smallest (BTreeMap index 0, used by `DeductFromInput(0)` to identify the fee target) from caller-prefix order. Reusing the "lex-smallest peer" phrasing here implies a protocol-level constraint exists for `ReduceOutput(0)` donor selection when in fact none does. Either correct the doc to reflect caller-prefix order, or iterate `selected` (BTreeMap, lex-ordered) so the documented invariant is enforced.
- [SUGGESTION] lines 665-820: `select_inputs_reduce_output` still lacks tests for Phase 3 redistribution and Phase 1 insufficient-balance
  STILL VALID at 92bc9624. The five `reduce_output_*` tests cover the single-input happy path, a multi-input no-Phase-3 trim, a multi-output absorbance case, the Phase 4 fee-cannot-be-absorbed error, and a structural-validate smoke test. None exercise (a) Phase 3 success — candidates `[(big, X), (medium, Y)]` where `Y - surplus < min_input_amount` so the trim drops the last entry below per-input minimum and the donor lifts it back, (b) Phase 3 failure — no peer has `min_input_amount + shift` of headroom (lines 758-764 dead from the test suite's perspective), or (c) the Phase 1 insufficient-balance error (lines 714-720). The Phase 3 redistribution branch is the most non-trivial logic. Suggested fixture: `[(addr_a, 109_000_000), (addr_b, 30_000)]` with `total_output = 109_020_000` (last gets trimmed to 10k, donor lifts it to 100k).
- [SUGGESTION] lines 75-88: `InputSelection::Auto` admits `[ReduceOutput(0)]` despite the documented chain-time fee shortfall (#3040)
  STILL VALID at 92bc9624. The Phase 4 comment in `select_inputs_reduce_output` (transfer.rs:773-786) explicitly acknowledges platform #3040: `PlatformAddressWallet::estimate_fee_for_inputs` returns only the static `state_transition_min_fees` floor (~6.5M for 1in/1out) while real chain-time fee is materially larger (~14.94M observed). For callers whose `output[0]` sits between the static floor and the real chain-time fee, `Auto + [ReduceOutput(0)]` will succeed locally and then be rejected on-chain with `AddressesNotEnoughFundsError`. No fund loss or consensus risk (the protocol validator catches it deterministically), but the auto-selector advertises a path it knows it cannot validate. The same underestimator weakness affects `[DeductFromInput(0)]`, so a blanket revert would be heavy-handed. Mitigation options ordered by reversibility cost: (a) log a warn-level diagnostic when output_0 ≥ static_estimate but the helper succeeds; (b) gate `[ReduceOutput(0)]` behind an `output_0 ≥ K * estimated_fee` safety margin until #3040 lands; (c) revert `Auto` to `[DeductFromInput(0)]`-only.

[thepastaclaw]

🟡 Suggestion: select_inputs_reduce_output Phase 3 doc says "lex-smallest peer" but the code uses caller order

STILL VALID at 92bc962 (helper now spans 665-820). The algorithm summary at lines 657-660 and the inline rationale at lines 741-743 describe lifting the trimmed last entry "from the lex-smallest peer with spare balance". The implementation at lines 753-757 instead iterates prefix (caller-supplied order — balance-descending in production via auto_select_inputs's sort) and finds the first qualifying peer — i.e. the largest-balance peer, not the lex-smallest. The sibling select_inputs_deduct_from_input is careful to distinguish lex-smallest (BTreeMap index 0, used by DeductFromInput(0) to identify the fee target) from caller-prefix order. Reusing the "lex-smallest peer" phrasing here implies a protocol-level constraint exists for ReduceOutput(0) donor selection when in fact none does. Either correct the doc to reflect caller-prefix order, or iterate selected (BTreeMap, lex-ordered) so the documented invariant is enforced.

_{source: ['claude', 'codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs`:
- [SUGGESTION] lines 657-660: `select_inputs_reduce_output` Phase 3 doc says "lex-smallest peer" but the code uses caller order
  STILL VALID at 92bc9624 (helper now spans 665-820). The algorithm summary at lines 657-660 and the inline rationale at lines 741-743 describe lifting the trimmed last entry "from the lex-smallest peer with spare balance". The implementation at lines 753-757 instead iterates `prefix` (caller-supplied order — balance-descending in production via `auto_select_inputs`'s sort) and `find`s the first qualifying peer — i.e. the largest-balance peer, not the lex-smallest. The sibling `select_inputs_deduct_from_input` is careful to distinguish lex-smallest (BTreeMap index 0, used by `DeductFromInput(0)` to identify the fee target) from caller-prefix order. Reusing the "lex-smallest peer" phrasing here implies a protocol-level constraint exists for `ReduceOutput(0)` donor selection when in fact none does. Either correct the doc to reflect caller-prefix order, or iterate `selected` (BTreeMap, lex-ordered) so the documented invariant is enforced.

[thepastaclaw]

🟡 Suggestion: select_inputs_reduce_output still lacks tests for Phase 3 redistribution and Phase 1 insufficient-balance

STILL VALID at 92bc962. The five reduce_output_* tests cover the single-input happy path, a multi-input no-Phase-3 trim, a multi-output absorbance case, the Phase 4 fee-cannot-be-absorbed error, and a structural-validate smoke test. None exercise (a) Phase 3 success — candidates [(big, X), (medium, Y)] where Y - surplus < min_input_amount so the trim drops the last entry below per-input minimum and the donor lifts it back, (b) Phase 3 failure — no peer has min_input_amount + shift of headroom (lines 758-764 dead from the test suite's perspective), or (c) the Phase 1 insufficient-balance error (lines 714-720). The Phase 3 redistribution branch is the most non-trivial logic. Suggested fixture: [(addr_a, 109_000_000), (addr_b, 30_000)] with total_output = 109_020_000 (last gets trimmed to 10k, donor lifts it to 100k).

_{source: ['claude', 'codex']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs`:
- [SUGGESTION] lines 665-820: `select_inputs_reduce_output` still lacks tests for Phase 3 redistribution and Phase 1 insufficient-balance
  STILL VALID at 92bc9624. The five `reduce_output_*` tests cover the single-input happy path, a multi-input no-Phase-3 trim, a multi-output absorbance case, the Phase 4 fee-cannot-be-absorbed error, and a structural-validate smoke test. None exercise (a) Phase 3 success — candidates `[(big, X), (medium, Y)]` where `Y - surplus < min_input_amount` so the trim drops the last entry below per-input minimum and the donor lifts it back, (b) Phase 3 failure — no peer has `min_input_amount + shift` of headroom (lines 758-764 dead from the test suite's perspective), or (c) the Phase 1 insufficient-balance error (lines 714-720). The Phase 3 redistribution branch is the most non-trivial logic. Suggested fixture: `[(addr_a, 109_000_000), (addr_b, 30_000)]` with `total_output = 109_020_000` (last gets trimmed to 10k, donor lifts it to 100k).

[thepastaclaw]

💬 Nitpick: select_inputs_reduce_output doesn't enforce min_input_amount on non-last prefix entries

STILL VALID at 92bc962. Phase 2 (lines 727-739) sets consumed = *balance for every non-last entry, and Phase 3 only checks/lifts the last entry. If a non-last candidate has balance < min_input_amount, the helper produces an inputs map containing a sub-minimum input. The Phase 5 debug_assert! at lines 807-810 is a no-op in release. In production this is unreachable because build_auto_select_candidates (transfer.rs:316-330) filters < min_input_amount candidates upstream, but the helper is module-scope and reachable from tests / future callers, and the asymmetry with select_inputs_deduct_from_input (which has explicit fold-back logic for sub-minimum tail consumption) is surprising. Either add an explicit guard at the top of the helper, or document that the helper relies on the upstream filter.

_{source: ['claude', 'codex']}

[thepastaclaw]

Code Review

I found one remaining blocking allocation issue at current head 6b530e5e.

select_inputs_deduct_from_input still chooses a feasible prefix using other_total, but Phase 4 greedily overfills the first non-fee-target peer and can leave a later selected peer below min_input_amount (or fold the tail into the fee target). That can reject otherwise valid transfers even when the output can be allocated as min_input_amount across multiple peers, and it also affects the new [ReduceOutput(0)] path where the old “single donor” redistribution cannot handle cases where several peers need to share the trim.

I prepared a fix branch because I don't have permission to push to the PR source branch:

• Branch: thepastaclaw:tracker-1204-auto-select-allocation
• Commit: 22c2054d7b fix(wallet): allocate auto-selected inputs exactly

The fix factors exact prefix allocation into allocate_prefix_consumptions: seed every selected input at min_input_amount, distribute remaining credits across non-fee-target entries in caller order, and fill the fee target last while respecting its fee-headroom cap. It adds regression coverage for both DeductFromInput(0) multi-peer allocation and [ReduceOutput(0)] trim spreading.

Verification on the fix branch:

• cargo fmt -p platform-wallet -- packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs
• git diff --check
• cargo test -p platform-wallet wallet::platform_addresses::transfer::auto_select_tests --lib — 23 passed
• cargo clippy -p platform-wallet --lib --tests -- -D warnings

[thepastaclaw]

Code Review

Fresh dispatcher rerun for the claimed gate item at 6b530e5e. A same-SHA PastaClaw review already requested changes for the allocation blocker, so this top-level review does not supersede that blocker or duplicate inline threads. This run revalidated the carried non-blocking findings and found no additional issues in the CI-only delta (ci: clean stale mac runner artifacts before rust tests).

Reviewed commit: 6b530e5

🟡 4 suggestion(s) | 💬 3 nitpick(s)

7 additional findings

🟡 suggestion: `InputSelection::Auto` docstring no longer matches the implementation

packages/rs-platform-wallet/src/wallet/platform_addresses/mod.rs (lines 27-30)

Verified at 6b530e5 (mod.rs:27-30 unchanged). InputSelection is part of this crate's public API, but the Auto doc still claims inputs are consumed "from lowest derivation index to highest until the required amount plus estimated fees is covered". The current behavior of auto_select_inputs (transfer.rs:166-260) diverges in three observable ways: (1) candidates are sorted balance-descending via build_auto_select_candidates (transfer.rs:316-330) and balances below min_input_amount are dropped; (2) only [DeductFromInput(0)] and [ReduceOutput(0)] fee strategies are accepted (transfer.rs:78-88, 239-258) — other shapes return an error; (3) any address that also appears as a destination output is excluded (transfer.rs:326), now surfaced as the typed PlatformWalletError::OnlyOutputAddressesFunded (transfer.rs:229-237). The stale contract misleads downstream callers about spend order, fragmentation profile, supported strategies, and the new typed failure mode.

💡 Suggested change

    /// Automatically select inputs from the account, consuming
    /// addresses in balance-descending order until the required amount
    /// plus estimated fees is covered. Addresses with balance below the
    /// protocol's per-input minimum (`min_input_amount`) are skipped,
    /// and any address that is also a destination output is excluded
    /// (the protocol forbids the same address being both input and
    /// output of a single transition); when this exclusion empties the
    /// candidate set, `transfer()` returns the typed
    /// [`PlatformWalletError::OnlyOutputAddressesFunded`] so callers
    /// can rotate to a fresh receive address or fall back to
    /// `Explicit`.
    ///
    /// Supported fee strategies: `[DeductFromInput(0)]` (selector
    /// reserves fee headroom on input 0) and `[ReduceOutput(0)]`
    /// (selector verifies output 0 can absorb the static fee floor).
    /// Other strategies must use `Explicit`.
    Auto,

🟡 suggestion: `select_inputs_reduce_output` Phase 3 doc says "lex-smallest peer" but the code uses caller order

packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs (lines 657-660)

Verified at 6b530e5. The algorithm summary (lines 657-660) and the inline rationale (lines 741-743) both describe lifting the trimmed last entry "from the lex-smallest peer with spare balance". The implementation at lines 753-757 instead does prefix.iter().filter(...).find(...), which iterates caller-supplied order — and in production that order is balance-descending (set by auto_select_inputs's sort), so the donor is typically the largest-balance peer, not the lex-smallest. The sibling select_inputs_deduct_from_input is careful to distinguish lex-smallest (BTreeMap index 0, used because DeductFromInput(0) requires the fee target to be the lex-first input) from caller-prefix order; reusing the "lex-smallest peer" phrasing here implies a protocol-level constraint exists for ReduceOutput(0) donor selection when in fact none does. Future maintainers may resolve the doc/code disagreement in the wrong direction since BTreeMap-iteration vs Vec-iteration semantics differ. Either correct the doc to reflect caller-prefix order, or iterate selected (BTreeMap, lex-ordered) so the documented invariant is enforced.

💡 Suggested change

/// 3. If the trim drops the last entry below `min_input_amount`,
///    shift consumption from the first earlier peer in caller order
///    that has enough spare balance to lift it back up while keeping
///    the donor itself ≥ `min_input_amount`. Error out if no peer has
///    the headroom.

🟡 suggestion: `select_inputs_reduce_output` lacks tests for Phase 3 redistribution and Phase 1 insufficient-balance

packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs (lines 665-820)

Verified at 6b530e5. The reduce_output_* tests cover the single-input happy path, a multi-input no-Phase-3 trim, a multi-output absorbance case, the Phase 4 fee-cannot-be-absorbed error, and a structural-validate smoke test. None exercise (a) Phase 3 success — candidates [(big, X), (medium, Y)] where Y - surplus < min_input_amount so the trim drops the last entry below the per-input minimum and a donor lifts it back, (b) Phase 3 failure — no peer has min_input_amount + shift of headroom (lines 758-764 dead from the test suite's perspective), or (c) the Phase 1 insufficient-balance error (lines 714-720). Phase 3 redistribution is the most non-trivial logic in the new helper and is the branch most likely to regress under future refactors. Suggested fixture for the Phase 3 success case: candidates [(addr_a, 109_000_000), (addr_b, 30_000)] with total_output = 109_020_000 (last gets trimmed to 10k, donor lifts it to 100k).

🟡 suggestion: `InputSelection::Auto` admits `[ReduceOutput(0)]` despite the documented chain-time fee shortfall (#3040)

packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs (lines 75-88)

Verified at 6b530e5. The Phase 4 comment in select_inputs_reduce_output (transfer.rs:773-786) explicitly acknowledges platform #3040: PlatformAddressWallet::estimate_fee_for_inputs returns only the static state_transition_min_fees floor (~6.5M for 1in/1out) while real chain-time fees scale with storage + processing (~14.94M observed). For callers whose output[0] lies between the static floor and the real chain-time fee, Auto + [ReduceOutput(0)] will succeed locally and then be rejected on-chain with AddressesNotEnoughFundsError. No fund loss or consensus risk (the protocol validator catches it deterministically), but the auto-selector advertises a path it knows it cannot validate against the real fee model. The same underestimator weakness affects [DeductFromInput(0)], so a blanket revert would be heavy-handed. Mitigation options ordered by reversibility cost: (a) emit a tracing::warn diagnostic when output[0] is within K * estimated_fee of the static floor; (b) gate [ReduceOutput(0)] behind an output_0 ≥ K * estimated_fee safety margin until #3040 lands; (c) revert Auto to [DeductFromInput(0)]-only.

💬 nitpick: `select_inputs_reduce_output` doesn't enforce `min_input_amount` on non-last prefix entries

packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs (lines 722-768)

Verified at 6b530e5. Phase 2 (lines 727-739) sets consumed = *balance for every non-last entry, and Phase 3 only checks/lifts the last entry. If a non-last candidate has balance < min_input_amount, the helper produces an inputs map containing a sub-minimum input. The Phase 5 debug_assert! at lines 807-810 is a no-op in release. In production this is unreachable because build_auto_select_candidates (transfer.rs:316-330) filters < min_input_amount candidates upstream, but the helper is module-scope and reachable from tests / future callers, and the asymmetry with select_inputs_deduct_from_input (which has explicit fold-back logic for sub-minimum tail consumption) is surprising — a fragile invariant that is module-private but not type-enforced. Either add an explicit guard at the top of the helper, or document that the helper relies on the upstream filter.

💬 nitpick: Residual unchecked `Credits` sum at the boundary of `auto_select_inputs`

packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs (line 173)

Verified at 6b530e5. Most arithmetic in this PR was routed through checked_credits_add/checked_credits_sub (transfer.rs:836+) and a unit test pins the typed ArithmeticOverflow variant. The boundary-level let total_output: Credits = outputs.values().sum(); at line 173 is the one remaining unchecked sum on caller-supplied data. The protocol validator (AddressFundsTransferTransitionV0::validate_structure) uses checked_add and returns OverflowError deterministically, so a saturated total_output here would mean the selector silently aims at a saturated target while the chain rejects with overflow — a confusing diagnostic, not a soundness hole. In debug builds u64::sum panics on overflow; in release it wraps. Practically unreachable given the credit supply, but transfer() is a public library API accepting raw u64 from callers; for consistency with the rest of the file, fold this last sum through try_fold over checked_credits_add and surface PlatformWalletError::ArithmeticOverflow { context: "auto_select_inputs: outputs.values().sum()" }.

💡 Suggested change

        let total_output: Credits = outputs.values().try_fold(0u64, |acc, amount| {
            checked_credits_add(acc, *amount, "auto_select_inputs: outputs.values().sum()")
        })?;

💬 nitpick: Empty-candidates "all sub-min" path still surfaces as generic "Insufficient balance"

packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs (lines 229-237)

Verified at 6b530e5. The PR introduced OnlyOutputAddressesFunded and detect_only_output_addresses_funded (transfer.rs:343-363) so the "every funded address is also an output" case now produces a typed, payload-bearing error. The complementary failure mode — every funded address sits below min_input_amount (e.g. wallet has 200 addresses each holding 50k credits, transfer requires 1M, min_input_amount=100k) — still falls through to the dispatched helper's generic Insufficient balance: available 0 credits, required ... message (transfer.rs:715-720). The user has 10M of usable funds, just not in spendable shape; "available 0" is misleading. Lower priority than the output-overlap case since it's a wallet-state pathology rather than a routine UX path. Suggested follow-up: a sibling typed variant (e.g. BalancesAllBelowPerInputMinimum { aggregate, min_input_amount }) so callers can offer consolidation guidance instead of parsing the message.

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/src/wallet/platform_addresses/mod.rs`:
- [SUGGESTION] lines 27-30: `InputSelection::Auto` docstring no longer matches the implementation
  Verified at 6b530e5e01 (mod.rs:27-30 unchanged). `InputSelection` is part of this crate's public API, but the `Auto` doc still claims inputs are consumed "from lowest derivation index to highest until the required amount plus estimated fees is covered". The current behavior of `auto_select_inputs` (transfer.rs:166-260) diverges in three observable ways: (1) candidates are sorted balance-descending via `build_auto_select_candidates` (transfer.rs:316-330) and balances below `min_input_amount` are dropped; (2) only `[DeductFromInput(0)]` and `[ReduceOutput(0)]` fee strategies are accepted (transfer.rs:78-88, 239-258) — other shapes return an error; (3) any address that also appears as a destination output is excluded (transfer.rs:326), now surfaced as the typed `PlatformWalletError::OnlyOutputAddressesFunded` (transfer.rs:229-237). The stale contract misleads downstream callers about spend order, fragmentation profile, supported strategies, and the new typed failure mode.

In `packages/rs-platform-wallet/src/wallet/platform_addresses/transfer.rs`:
- [SUGGESTION] lines 657-660: `select_inputs_reduce_output` Phase 3 doc says "lex-smallest peer" but the code uses caller order
  Verified at 6b530e5e01. The algorithm summary (lines 657-660) and the inline rationale (lines 741-743) both describe lifting the trimmed last entry "from the lex-smallest peer with spare balance". The implementation at lines 753-757 instead does `prefix.iter().filter(...).find(...)`, which iterates caller-supplied order — and in production that order is balance-descending (set by `auto_select_inputs`'s sort), so the donor is typically the largest-balance peer, not the lex-smallest. The sibling `select_inputs_deduct_from_input` is careful to distinguish lex-smallest (BTreeMap index 0, used because `DeductFromInput(0)` requires the fee target to be the lex-first input) from caller-prefix order; reusing the "lex-smallest peer" phrasing here implies a protocol-level constraint exists for `ReduceOutput(0)` donor selection when in fact none does. Future maintainers may resolve the doc/code disagreement in the wrong direction since `BTreeMap`-iteration vs `Vec`-iteration semantics differ. Either correct the doc to reflect caller-prefix order, or iterate `selected` (BTreeMap, lex-ordered) so the documented invariant is enforced.
- [SUGGESTION] lines 665-820: `select_inputs_reduce_output` lacks tests for Phase 3 redistribution and Phase 1 insufficient-balance
  Verified at 6b530e5e01. The `reduce_output_*` tests cover the single-input happy path, a multi-input no-Phase-3 trim, a multi-output absorbance case, the Phase 4 fee-cannot-be-absorbed error, and a structural-validate smoke test. None exercise (a) Phase 3 success — candidates `[(big, X), (medium, Y)]` where `Y - surplus < min_input_amount` so the trim drops the last entry below the per-input minimum and a donor lifts it back, (b) Phase 3 failure — no peer has `min_input_amount + shift` of headroom (lines 758-764 dead from the test suite's perspective), or (c) the Phase 1 insufficient-balance error (lines 714-720). Phase 3 redistribution is the most non-trivial logic in the new helper and is the branch most likely to regress under future refactors. Suggested fixture for the Phase 3 success case: candidates `[(addr_a, 109_000_000), (addr_b, 30_000)]` with `total_output = 109_020_000` (last gets trimmed to 10k, donor lifts it to 100k).
- [SUGGESTION] lines 75-88: `InputSelection::Auto` admits `[ReduceOutput(0)]` despite the documented chain-time fee shortfall (#3040)
  Verified at 6b530e5e01. The Phase 4 comment in `select_inputs_reduce_output` (transfer.rs:773-786) explicitly acknowledges platform #3040: `PlatformAddressWallet::estimate_fee_for_inputs` returns only the static `state_transition_min_fees` floor (~6.5M for 1in/1out) while real chain-time fees scale with storage + processing (~14.94M observed). For callers whose `output[0]` lies between the static floor and the real chain-time fee, `Auto + [ReduceOutput(0)]` will succeed locally and then be rejected on-chain with `AddressesNotEnoughFundsError`. No fund loss or consensus risk (the protocol validator catches it deterministically), but the auto-selector advertises a path it knows it cannot validate against the real fee model. The same underestimator weakness affects `[DeductFromInput(0)]`, so a blanket revert would be heavy-handed. Mitigation options ordered by reversibility cost: (a) emit a `tracing::warn` diagnostic when `output[0]` is within K * `estimated_fee` of the static floor; (b) gate `[ReduceOutput(0)]` behind an `output_0 ≥ K * estimated_fee` safety margin until #3040 lands; (c) revert `Auto` to `[DeductFromInput(0)]`-only.

[thepastaclaw]

Code Review

Verified at 07d046b. The 5-commit delta closes most prior carryover findings. Two convergent issues remain: the InputSelection::Auto public docstring is stale across multiple observable axes, and the new NoSelectableInputs derived Display always renders both failure-mode clauses regardless of which one fired. One nitpick on a residual unchecked u64::sum at the public selector boundary, plus a low-confidence note on the CMT-001 warn-band having no test pinning the threshold.

Reviewed commit: 07d046b

🟡 2 suggestion(s) | 💬 2 nitpick(s)

1 additional finding

🟡 suggestion: `InputSelection::Auto` docstring no longer describes the actual selection policy

packages/rs-platform-wallet/src/wallet/platform_addresses/mod.rs (lines 27-30)

Verified at 07d046b (mod.rs:27-30 unchanged). The doc still claims Auto consumes addresses "from lowest derivation index to highest until the required amount plus estimated fees is covered." The current implementation diverges on five externally observable axes:

1. build_auto_select_candidates (transfer.rs:217-231) sorts candidates balance-descending, not by derivation index.
2. Addresses with balance below min_input_amount are filtered out (transfer.rs:204-231).
3. Any address that also appears as a destination output is excluded (protocol forbids same-address input/output).
4. Only [DeductFromInput(0)] and [ReduceOutput(0)] strategies are accepted; other shapes are rejected with AddressOperation (transfer.rs:249-269).
5. Empty-candidate failures surface as the typed PlatformWalletError::NoSelectableInputs { funded_outputs, sub_min_count, sub_min_aggregate, min_input_amount } (transfer.rs:239-247).

InputSelection is part of this crate's public API surface, so the stale contract misleads downstream callers about spend order, fragmentation profile, accepted fee strategies, and the structured failure payload they need to handle.

💡 Suggested change

    /// Automatically select inputs from the account, consuming
    /// addresses in balance-descending order until the required amount
    /// plus estimated fees is covered. Addresses with balance below the
    /// protocol's per-input minimum (`min_input_amount`) are skipped,
    /// and any address that is also a destination output is excluded
    /// (the protocol forbids the same address being both input and
    /// output of a single transition). When the resulting candidate
    /// set is empty, `transfer()` returns the typed
    /// [`PlatformWalletError::NoSelectableInputs`] payload, which
    /// distinguishes funded-but-also-output addresses from sub-minimum
    /// stranded balances so callers can offer rotation vs.
    /// consolidation guidance.
    ///
    /// Supported fee strategies: `[DeductFromInput(0)]` (selector
    /// reserves fee headroom on input 0) and `[ReduceOutput(0)]`
    /// (selector verifies output 0 can absorb the static fee floor and
    /// emits a `tracing::warn` when output 0 is within a safety
    /// multiple of that floor — see platform issue #3040). Other
    /// strategies must use `Explicit`.
    Auto,

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/src/wallet/platform_addresses/mod.rs`:
- [SUGGESTION] lines 27-30: `InputSelection::Auto` docstring no longer describes the actual selection policy
  Verified at 07d046b7 (mod.rs:27-30 unchanged). The doc still claims `Auto` consumes addresses "from lowest derivation index to highest until the required amount plus estimated fees is covered." The current implementation diverges on five externally observable axes:

1. `build_auto_select_candidates` (transfer.rs:217-231) sorts candidates **balance-descending**, not by derivation index.
2. Addresses with balance below `min_input_amount` are filtered out (transfer.rs:204-231).
3. Any address that also appears as a destination output is excluded (protocol forbids same-address input/output).
4. Only `[DeductFromInput(0)]` and `[ReduceOutput(0)]` strategies are accepted; other shapes are rejected with `AddressOperation` (transfer.rs:249-269).
5. Empty-candidate failures surface as the typed `PlatformWalletError::NoSelectableInputs { funded_outputs, sub_min_count, sub_min_aggregate, min_input_amount }` (transfer.rs:239-247).

`InputSelection` is part of this crate's public API surface, so the stale contract misleads downstream callers about spend order, fragmentation profile, accepted fee strategies, and the structured failure payload they need to handle.

In `packages/rs-platform-wallet/src/error.rs`:
- [SUGGESTION] lines 77-99: `NoSelectableInputs` Display always renders both failure-mode clauses, leaking misleading guidance for the half not populated
  The `#[error(...)]` template at error.rs:77-85 unconditionally interpolates both halves of the failure mode, but the detector fires whenever **either** `funded_outputs` is non-empty **or** `sub_min_count > 0` — the populated set is asymmetric in practice.

Rendered output for the sub-min-only case (every address sub-minimum, no output overlap):

no selectable inputs for auto-selection: funded addresses [] all also appear as outputs of this transfer (rotate to a fresh receive address or use InputSelection::Explicit and split the operation); 3 other address(es) hold an aggregate balance of 75000 credits but each is below the per-input minimum 100000 (consolidate funds onto a single address before retrying)

The `funded addresses [] all also appear as outputs ...` clause is factually wrong — there are no such addresses, and the suggestion to rotate to a fresh receive address is irrelevant. Symmetrically, the funded-outputs-only case renders `0 other address(es) hold an aggregate balance of 0 credits but each is below the per-input minimum 100000 (consolidate funds onto a single address before retrying)`, falsely implying sub-min addresses exist.

This matters specifically because `NoSelectableInputs` is the typed error boundary for FFI/UI layers (`PlatformWalletFFIResult.message`) that often only preserve `Display` — once the formatting bakes in contradictory text, the typed payload no longer saves those callers. Replace the derive with a hand-written `impl Display` (or split into two error variants) that emits each clause only when its payload is populated, and add negative-assertion tests asserting the inactive clause is absent from `to_string()`.

[thepastaclaw]

Code Review

PR is in good shape after the 4-commit delta — typed NoSelectableInputs split, saturating arithmetic, refactored selector helpers, and explicit accepted-risk markers (CMT-001/004/005/006) all landed. The remaining issues are documentation and consistency: the public InputSelection::Auto docstring is now materially wrong on multiple axes (every agent flagged this), plus two minor cleanup items (one arithmetic-style outlier in Phase-3 donor shift, one dead helper parameter). No blockers.

Reviewed commit: 00ac7f2

🟡 1 suggestion(s) | 💬 2 nitpick(s)

1 additional finding

🟡 suggestion: `InputSelection::Auto` docstring no longer matches the implemented contract

packages/rs-platform-wallet/src/wallet/platform_addresses/mod.rs (lines 27-30)

Verified at HEAD (mod.rs:27-30). The doc still claims Auto consumes addresses "from lowest derivation index to highest until the required amount plus estimated fees is covered." The current implementation diverges on several externally observable axes:

1. Selection order. auto_select_inputs builds candidates via build_auto_select_candidates which sorts balance-descending, not by derivation index. This changes which addresses get spent first and the resulting fragmentation profile.
2. Filtering. Addresses with balance below min_input_amount are skipped, and any address that also appears as a destination output is excluded (the protocol forbids same-address input/output).
3. Supported strategies. Auto accepts only [DeductFromInput(0)] or [ReduceOutput(0)] (transfer.rs:89-99); other shapes are rejected with a typed redirect to Explicit.
4. Typed empty-candidate failures. When the candidate set is empty, transfer() returns one of the typed OnlyOutputAddressesFunded / AllInputsBelowMinimum / NoSelectableInputsBoth variants so callers can distinguish failure modes without parsing message strings.

InputSelection is a pub enum in this crate's API surface, so the stale doc misleads downstream callers about spend order, accepted fee strategies, and the failure variants they need to handle.

💡 Suggested change

    /// Automatically select inputs from the account, consuming addresses
    /// in balance-descending order until the required amount plus
    /// estimated fees is covered. Addresses with balance below the
    /// protocol's per-input minimum (`min_input_amount`) are skipped,
    /// and any address that is also a destination output is excluded
    /// (the protocol forbids the same address being both input and
    /// output of a single transition). When no candidate remains
    /// selectable, `transfer()` returns one of the typed
    /// [`PlatformWalletError::OnlyOutputAddressesFunded`] /
    /// [`PlatformWalletError::AllInputsBelowMinimum`] /
    /// [`PlatformWalletError::NoSelectableInputsBoth`] variants so
    /// callers can offer rotation vs. consolidation guidance.
    ///
    /// Supported fee strategies: `[DeductFromInput(0)]` and
    /// `[ReduceOutput(0)]`. Other strategies must use `Explicit`.
    Auto,

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-platform-wallet/src/wallet/platform_addresses/mod.rs`:
- [SUGGESTION] lines 27-30: `InputSelection::Auto` docstring no longer matches the implemented contract
  Verified at HEAD (mod.rs:27-30). The doc still claims `Auto` consumes addresses "from lowest derivation index to highest until the required amount plus estimated fees is covered." The current implementation diverges on several externally observable axes:

1. **Selection order.** `auto_select_inputs` builds candidates via `build_auto_select_candidates` which sorts **balance-descending**, not by derivation index. This changes which addresses get spent first and the resulting fragmentation profile.
2. **Filtering.** Addresses with balance below `min_input_amount` are skipped, and any address that also appears as a destination output is excluded (the protocol forbids same-address input/output).
3. **Supported strategies.** `Auto` accepts only `[DeductFromInput(0)]` or `[ReduceOutput(0)]` (transfer.rs:89-99); other shapes are rejected with a typed redirect to `Explicit`.
4. **Typed empty-candidate failures.** When the candidate set is empty, `transfer()` returns one of the typed `OnlyOutputAddressesFunded` / `AllInputsBelowMinimum` / `NoSelectableInputsBoth` variants so callers can distinguish failure modes without parsing message strings.

`InputSelection` is a `pub` enum in this crate's API surface, so the stale doc misleads downstream callers about spend order, accepted fee strategies, and the failure variants they need to handle.