feat(key-wallet): CoinJoin sweep + gap-limit recovery; TransactionBuilder drain mode

[llbartekll]

What

Moves the wallet-level logic for the DashSync → SwiftDashSDK CoinJoin migration upstream into key-wallet, so downstream consumers (platform-wallet, dashwallet-ios) wrap it rather than reimplementing transaction assembly. Post-migration CoinJoin is being dropped, so this lets a wallet find its scattered "mixed coins" and sweep them back into spendable BIP44 balance.

TransactionBuilder::sweep_to(dest) — drain mode

Consume every added input into a single no-change output (total − fee), skipping coin selection entirely (a normal build re-selects a covering subset and would leave small UTXOs behind — fatal for a sweep). The fee is sized from the maximum P2PKH input length so it never undershoots at the 1 duff/byte relay minimum, and a sub-dust output is rejected.

ManagedCoreFundsAccount::build_coinjoin_sweep_txs(xpub, height, dest, signer)

Snapshots the spendable CoinJoin UTXO set, splits it into balanced chunks under the standard relay size limit (≤ 500 inputs/tx), and builds + signs each chunk via the drain mode. Resolves signing paths across both CoinJoin chains — external /0/ and internal /1/ — from the account xpub, so a migrated wallet's internal-chain ("change") mixed coins sign correctly. Returns the signed txs; the caller broadcasts them (disjoint, so order is irrelevant and a partial broadcast can be re-run).

ManagedCoreFundsAccount::set_coinjoin_gap_limit(xpub, gap_limit)

Widens the CoinJoin pool's gap limit and materializes the addresses so an SPV recovery scan watches the wider window (DashSync used a gap of 400 vs the SDK default of 30). Rejects a zero gap limit (which would underflow maintain_gap_limit) and clamps to MAX_GAP_LIMIT.

Why

Addresses review feedback on dashpay/platform#3817 (@ZocoLini): this logic was implemented in platform-wallet, which should be a thin wrapper over rust-dashcore, and the sweep hand-rolled transaction assembly instead of using TransactionBuilder. This PR puts the generic Dash-wallet mechanics where they belong; platform-wallet now just resolves the account under its lock and delegates.

Testing

cargo test -p key-wallet — 5 new unit tests pass (drain mode consumes-all / sub-dust reject, dual-chain path resolution, chunk partitioning), existing transaction_builder tests unaffected.

Notes

• Branches from 5c0113e7 (the commit platform currently pins — 4 commits behind dev); base is dev. The platform pin advances only by this one additive commit, so there is no version drift for downstream consumers.
• No FFI surface added here — for now downstream calls through the existing platform-wallet-ffi. A direct key-wallet-ffi surface can follow if wanted.

🤖 Generated with Claude Code

[coderabbitai]

Warning

Review limit reached

@llbartekll, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 28 minutes and 44 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses rolling per-developer review limits. Reviews become available again as older review attempts age out of the rolling limit window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 30dcad70-2c2a-4c5c-b0b4-697b5d91d7ed

📥 Commits

Reviewing files that changed from the base of the PR and between 95a3c8f and e406d1c.

📒 Files selected for processing (3)

• key-wallet/src/wallet/managed_wallet_info/coinjoin_sweep.rs
• key-wallet/src/wallet/managed_wallet_info/mod.rs
• key-wallet/src/wallet/managed_wallet_info/transaction_builder.rs

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/coinjoin-sweep-and-recovery

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[codecov]

Codecov Report

❌ Patch coverage is 69.53642% with 92 lines in your changes missing coverage. Please review.
✅ Project coverage is 72.98%. Comparing base (5c0113e) to head (e406d1c).
⚠️ Report is 4 commits behind head on dev.

Files with missing lines	Patch %	Lines
...t/src/wallet/managed_wallet_info/coinjoin_sweep.rs	58.52%	90 Missing ⚠️
.../wallet/managed_wallet_info/transaction_builder.rs	97.64%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##              dev     #819      +/-   ##
==========================================
+ Coverage   72.91%   72.98%   +0.07%     
==========================================
  Files         323      324       +1     
  Lines       71994    72310     +316     
==========================================
+ Hits        52492    52776     +284     
- Misses      19502    19534      +32     

Flag	Coverage Δ
core	76.74% <ø> (ø)
ffi	47.35% <ø> (+0.36%)	⬆️
rpc	20.00% <ø> (ø)
spv	90.18% <ø> (-0.02%)	⬇️
wallet	71.75% <69.53%> (+0.10%)	⬆️

Files with missing lines	Coverage Δ
key-wallet/src/wallet/managed_wallet_info/mod.rs	68.69% <ø> (ø)
.../wallet/managed_wallet_info/transaction_builder.rs	86.49% <97.64%> (+1.58%)	⬆️
...t/src/wallet/managed_wallet_info/coinjoin_sweep.rs	58.52% <58.52%> (ø)

... and 23 files with indirect coverage changes

[ZocoLini]

I think there is a bunch of logic that can be recycled, did you think about a new CoinSelectionStratey that indicates we want to use all inputs?? I think our current logic can be updated to support that. Now, about the account selection, instead of anew module maybe transaction_building.rs can be updated to receive an AccountType in the build transaction methods, adding the flexibility we need to do the sweep without having to add the much logic.

Maybe give me a 'sweep' definition and what you want to be able to do and I cancontinue the PR myself

[ZocoLini]

also, enable the pre-commit and pre-push checks in your machine pls