dashpay · Claudius-Maginificent · May 11, 2026 · May 11, 2026 · May 11, 2026 · May 11, 2026
@@ -1,3 +1,5 @@
 [advisories]
-# TODO Remove it from here
-ignore = [ "RUSTSEC-2020-0071"] # advisory IDs to ignore e.g. ["RUSTSEC-2019-0001", ...]
+# Advisory IDs to ignore, e.g. ["RUSTSEC-2019-0001", ...]. Each entry
+# must point at a live advisory in the resolved graph and carry a dated
+# rationale; an entry matching nothing trains reviewers to skim the list.
+ignore = []
@@ -102,3 +102,6 @@ __pycache__/
 
 # Security audit reports (local-only, not committed)
 audits/
+
+# Review scratch (grumpy-review / triage output, local-only)
+.review-*/
@@ -174,6 +174,51 @@ unsafe fn create_wallet_from_mnemonic_impl(
     PlatformWalletFFIResult::ok()
 }
 
+/// One wallet skipped during `load_from_persistor` because its
+/// persisted row was structurally corrupt (per-row decode failure).
+/// The load path is seedless and watch-only, so this is the only skip
+/// reason. `reason_code` is per-`CorruptKind` family — see its table.
+#[repr(C)]
+#[derive(Debug, Clone, Copy)]
+pub struct SkippedWalletFFI {
+    /// The (public) 32-byte wallet id that was skipped.
+    pub wallet_id: [u8; 32],
+    /// Structural skip reason. `100` = missing account manifest,
+    /// `101` = malformed account xpub, `102` = any other structural
+    /// decode error. No secret material is ever carried.
+    pub reason_code: u32,
+}
+
+/// C-visible summary of one `load_from_persistor` pass so the host can
+/// see which wallets loaded and which were skipped (and why) instead
+/// of the outcome being silently discarded.
+///
+/// `skipped` is a heap array of length `skipped_count`; pass this
+/// struct (by pointer) to
+/// [`platform_wallet_load_outcome_free`] exactly once to release it.
+#[repr(C)]
+#[derive(Debug)]
+pub struct LoadOutcomeFFI {
+    /// Number of wallets fully reconstructed + registered.
+    pub loaded_count: usize,
+    /// Length of the `skipped` array.
+    pub skipped_count: usize,
+    /// Heap-allocated skipped-wallet array (null iff `skipped_count`
+    /// is 0). Owned by Rust until `platform_wallet_load_outcome_free`.
+    pub skipped: *mut SkippedWalletFFI,
+}
+
+fn skip_reason_code(reason: &platform_wallet::SkipReason) -> u32 {
+    use platform_wallet::manager::load_outcome::CorruptKind;
+    match reason {
+        platform_wallet::SkipReason::CorruptPersistedRow { kind } => match kind {
+            CorruptKind::MissingManifest => 100,
+            CorruptKind::MalformedXpub => 101,
+            CorruptKind::DecodeError(_) => 102,
+        },
+    }
+}
+
 /// Create a wallet from raw seed bytes (64 bytes).
 ///
 /// On success, `out_wallet_handle` is set to a `PlatformWallet` handle and
@@ -296,23 +341,102 @@ pub unsafe extern "C" fn platform_wallet_manager_create_wallet_from_mnemonic_wit
 ///
 /// Triggers `on_load_wallet_list_fn` on the persistence callbacks to
 /// fetch the persisted wallet list from the client side (SwiftData),
-/// reconstructs each wallet as **watch-only** via its stored root +
-/// per-account xpubs, and registers them inside the manager. Does not
-/// produce wallet handles — the caller should follow up with
-/// [`platform_wallet_manager_get_wallet`] per `wallet_id` it knows
-/// about.
+/// builds a keyless reconstruction payload per wallet, then registers
+/// each one as a **watch-only** wallet. No signing keys are derived
+/// here — signing happens later, on demand, via the configured
+/// `MnemonicResolverHandle` (`sign_with_mnemonic_resolver` and its
+/// siblings), which fail-closed gate the resolver-supplied seed
+/// against the loaded `wallet_id`. Does not produce wallet handles —
+/// follow up with [`platform_wallet_manager_get_wallet`] per
+/// `wallet_id`.
+///
+/// A wallet whose persisted row is structurally corrupt is
+/// **skipped**, not failed: the call still returns `Success`, every
+/// skipped `(wallet_id, reason)` is logged, and — when `out_outcome`
+/// is non-null — surfaced through it.
+///
+/// # Safety
+/// - `out_outcome` may be null (caller doesn't want the summary);
+///   otherwise it must point to writable `LoadOutcomeFFI` storage and
+///   the caller must later release it via
+///   [`platform_wallet_load_outcome_free`].
 #[no_mangle]
 pub unsafe extern "C" fn platform_wallet_manager_load_from_persistor(
     manager_handle: Handle,
+    out_outcome: *mut LoadOutcomeFFI,
 ) -> PlatformWalletFFIResult {
     let option = PLATFORM_WALLET_MANAGER_STORAGE.with_item(manager_handle, |manager| {
         runtime().block_on(manager.load_from_persistor())
     });
     let result = unwrap_option_or_return!(option);
-    unwrap_result_or_return!(result);
+    let outcome = unwrap_result_or_return!(result);
+
+    // Never silently drop the outcome: log a structured summary plus
+    // one line per skipped wallet (the host can inspect / clear the
+    // corrupt rows).
+    tracing::info!(
+        loaded = outcome.loaded.len(),
+        skipped = outcome.skipped.len(),
+        "platform_wallet_manager_load_from_persistor complete"
+    );
+    for (wid, reason) in &outcome.skipped {
+        tracing::warn!(
+            wallet_id = %hex::encode(wid),
+            reason = %reason,
+            "load_from_persistor skipped wallet (corrupt persisted row)"
+        );
+    }
+
+    if !out_outcome.is_null() {
+        let skipped_vec: Vec<SkippedWalletFFI> = outcome
+            .skipped
+            .iter()
+            .map(|(wid, reason)| SkippedWalletFFI {
+                wallet_id: *wid,
+                reason_code: skip_reason_code(reason),
+            })
+            .collect();
+        let skipped_count = skipped_vec.len();
+        let skipped_ptr = if skipped_count == 0 {
+            std::ptr::null_mut()
+        } else {
+            let boxed = skipped_vec.into_boxed_slice();
+            Box::into_raw(boxed) as *mut SkippedWalletFFI
+        };
+        std::ptr::write(
+            out_outcome,
+            LoadOutcomeFFI {
+                loaded_count: outcome.loaded.len(),
+                skipped_count,
+                skipped: skipped_ptr,
+            },
+        );
+    }
     PlatformWalletFFIResult::ok()
 }
 
+/// Release the heap `skipped` array a successful
+/// [`platform_wallet_manager_load_from_persistor`] wrote into a
+/// `LoadOutcomeFFI`. Idempotent: nulls the pointer after freeing, and
+/// a null `outcome` (or already-freed array) is a no-op.
+///
+/// # Safety
+/// `outcome` must point to a `LoadOutcomeFFI` previously populated by
+/// `platform_wallet_manager_load_from_persistor`, not freed already.
+#[no_mangle]
+pub unsafe extern "C" fn platform_wallet_load_outcome_free(outcome: *mut LoadOutcomeFFI) {
+    if outcome.is_null() {
+        return;
+    }
+    let o = &mut *outcome;
+    if !o.skipped.is_null() && o.skipped_count > 0 {
+        let slice = std::slice::from_raw_parts_mut(o.skipped, o.skipped_count);
+        drop(Box::from_raw(slice as *mut [SkippedWalletFFI]));
+    }
+    o.skipped = std::ptr::null_mut();
+    o.skipped_count = 0;
+}
+
 /// Get a `PlatformWallet` handle for a wallet registered in the
 /// manager. Returns `NotFound` if no wallet with the given
 /// id is currently held.

@@ -3361,11 +3361,59 @@ fn build_wallet_start_state(
     // status without rebroadcasting.
     let unused_asset_locks = build_unused_asset_locks(entry)?;
 
+    // Project the reconstructed `wallet` + `wallet_info` into the
+    // keyless `ClientWalletStartState` the persister contract requires
+    // (SECRETS.md: no `Wallet`/seed crosses `load()`). The manager
+    // rebuilds a watch-only wallet from this manifest via
+    // `Wallet::new_watch_only` and applies this `core_state` projection.
+    // Signing happens later via the on-demand
+    // `sign_with_mnemonic_resolver` path, which fail-closed gates the
+    // resolver-supplied seed against the loaded `wallet_id`. The
+    // locally-built `wallet` is dropped — it was only needed to shape
+    // the account collection / UTXO routing above.
+    let account_manifest: Vec<AccountRegistrationEntry> = wallet
+        .accounts
+        .all_accounts()
+        .into_iter()
+        .map(|a| AccountRegistrationEntry {
+            account_type: a.account_type,
+            account_xpub: a.account_xpub,
+        })
+        .collect();
+    let new_utxos: Vec<key_wallet::Utxo> = wallet_info
+        .accounts
+        .all_funding_accounts()
+        .into_iter()
+        .flat_map(|acct| acct.utxos.values().cloned())
+        .collect();
+    let core_state = platform_wallet::changeset::CoreChangeSet {
+        new_utxos,
+        last_processed_height: (wallet_info.metadata.last_processed_height > 0)
+            .then_some(wallet_info.metadata.last_processed_height),
+        synced_height: (wallet_info.metadata.synced_height > 0)
+            .then_some(wallet_info.metadata.synced_height),
+        ..Default::default()
+    };
+
+    // `contacts` / `identity_keys` are the PR-3 keyless feed the
+    // manager layers onto the managed identities via
+    // `apply_contacts_and_keys`. The iOS path does NOT use them:
+    // identity PUBLIC keys are already reconstructed straight into
+    // `Identity.public_keys` by `build_wallet_identity_bucket` (feeding
+    // the slot too would double-apply), and `WalletRestoreEntryFFI`
+    // carries no contacts back from Swift on load — surfacing them
+    // would need a new cross-boundary struct field + Swift wiring,
+    // tracked as a follow-up. Empty slots make `apply_contacts_and_keys`
+    // a no-op for this path, preserving the established iOS behaviour.
     let wallet_state = ClientWalletStartState {
-        wallet,
-        wallet_info,
+        network,
+        birth_height: entry.birth_height,
+        account_manifest,
+        core_state,
         identity_manager,
         unused_asset_locks,
+        contacts: Default::default(),
+        identity_keys: Default::default(),
     };
 
     let platform_address_state = if per_account.is_empty()

@@ -0,0 +1,26 @@
+[advisories]
+# Each entry MUST point at a live advisory in this crate's resolved graph
+# and carry a dated rationale + remediation plan. Do not blanket-ignore.
+ignore = [
+    # RUSTSEC-2025-0141 — bincode is unmaintained (informational advisory,
+    # not an exploitable CVE; published 2025-12-16, no patched release).
+    # Acknowledged 2026-06-08.
+    #
+    # Why this is acceptable for now:
+    #   - bincode 2.0.1 is the BLOB-codec trust boundary for every
+    #     persisted column and backup. The known risk class for an
+    #     unmaintained deserializer is unbounded allocation (OOM) on a
+    #     crafted/corrupt input.
+    #   - In-crate size bounds defang that class: MAX_VALUE_LEN /
+    #     BLOB_SIZE_LIMIT_BYTES (kv/blob), the per-secret SecretTooLarge
+    #     write cap, and the MAX_VAULT_SIZE_BYTES read ceiling all reject
+    #     oversized inputs before bincode ever allocates from them.
+    #   - load() is fail-hard: a malformed/over-large row aborts the call
+    #     with a typed error rather than silently over-allocating.
+    #
+    # Residual risk: a future bincode defect would go unpatched upstream.
+    # Remediation plan: migrate the BLOB codec to a maintained equivalent
+    # (postcard / bitcode candidates) once the wire format is frozen at
+    # release; revisit this ignore at that time.
+    "RUSTSEC-2025-0141",
+]
@@ -80,7 +80,14 @@ keyring-core = { version = "=1.0.0", optional = true }
 # was removed from the sqlite arm — those tests grep for `fs2`/`fs4`
 # literals in this crate's source/manifest and would re-trigger on the
 # older crates. `fd-lock` has no such collision.
-fd-lock = { version = "4.0.4", optional = true }
+# LOCAL-FS ONLY: flock/LockFileEx interlock processes only on local
+# filesystems; over NFS/CIFS the lock does not interlock, so a vault file
+# must not be shared across hosts — steer multi-host to the OS-keyring arm.
+# Exact-pinned (`=`) like the rest of the soundness-critical stack: the
+# `VaultLock` unsafe drop-order argument in `secrets/file/mod.rs` is
+# calibrated to fd-lock 4.0.4's guard internals; any bump must re-verify
+# that the guard releases the OS lock before the backing `RwLock` frees.
+fd-lock = { version = "=4.0.4", optional = true }
 
 # CLI deps (gated by the `cli` feature)
 clap = { version = "4", features = ["derive"], optional = true }
@@ -180,6 +187,13 @@ cli = [
 # crate without the crypto graph.
 secrets = [
     "dep:argon2",
+    # Enable argon2's `zeroize` feature so the KDF wipes its sensitive
+    # intermediate state (`initial_hash`/`blockhash`) on drop. In argon2
+    # 0.5.3 this does NOT cover the bulk `Block` matrix — that residual is
+    # documented at `derive_key` in `secrets/file/crypto.rs`. Keep it in
+    # the feature list (not a `default-features = false` rewrite) so
+    # argon2's own default features stay intact.
+    "argon2/zeroize",
     "dep:chacha20poly1305",
     # secrets uses serde directly (vault format + crypto envelope derive
     # `Serialize`/`Deserialize`); declare the dep here so

@@ -103,8 +103,11 @@ flush, 5 s busy timeout, WAL journal, `NORMAL` synchronous, and an
 auto-backup dir at `<db_dir>/backups/auto/`.
 
 The trait surface is `store` / `flush` / `load` / `get_core_tx_record`.
-Schema migrations are append-only Rust files under `migrations/`, applied
-via [`refinery`](https://github.com/rust-db/refinery) on every `open`.
+Schema migrations are versioned Rust files under `migrations/`, applied via
+[`refinery`](https://github.com/rust-db/refinery) on every `open`. While the
+crate is unreleased, in-place edits to the sole shipped `V001` are allowed;
+the append-only guarantee (add a new versioned file, never edit a prior one)
+takes effect once the schema is frozen at release.
 
 #### Flush semantics (store / flush)
 
@@ -138,17 +141,31 @@ so one failed wallet does not hide its siblings.
 
 #### load() reconstruction
 
-`SqlitePersister::load()` returns the base `ClientStartState` (plain struct,
-two slots — no `#[non_exhaustive]`):
+`SqlitePersister::load()` returns a fully-rehydrated `ClientStartState`
+(plain struct — no `#[non_exhaustive]`). Both slots are populated:
 
 | Slot | Reader | Status |
 |---|---|---|
-| `platform_addresses` | `schema::platform_addrs::load_all` (a fixed set of grouped scans over `platform_address_sync`, `platform_addresses`, and `account_registrations`, driven by the `wallet_meta::list_ids` wallet universe) | populated |
-| `wallets`            | — | empty pending upstream `Wallet::from_persisted` |
-
-The `identities` / `contacts` / `asset_locks` per-area readers exist as
-hardened dormant helpers (`schema::<area>::load_state`) but are not wired
-into `load()` — `ClientStartState` carries no slot for them.
+| `platform_addresses` | `schema::platform_addrs::load_all` (a fixed set of grouped scans over `platform_address_sync`, `platform_addresses`, and `account_registrations`, driven by the `wallets::list_ids` wallet universe) | populated |
+| `wallets`            | per-wallet `schema::<area>` readers (see below) | populated |
+
+Each `ClientStartState::wallets` entry is a **keyless** `ClientWalletStartState`
+reconstructed from these per-area readers:
+
+| Field | Reader |
+|---|---|
+| `network` / `birth_height` | `schema::wallets::fetch` |
+| `account_manifest` | `schema::accounts::load_state` |
+| `core_state` | `schema::core_state::load_state` |
+| `identity_manager` | `schema::identities::load_state` |
+| `unused_asset_locks` | `schema::asset_locks::load_unconsumed` (`Consumed`-filtered — spent locks stay on disk but are never resurrected) |
+| `contacts` | `schema::contacts::load_changeset` |
+| `identity_keys` | `schema::identity_keys::load_state` |
+
+The payload carries **no** `Wallet` and no key material — the manager
+rebuilds each wallet watch-only via `Wallet::new_watch_only` from the
+manifest and applies this state; signing keys are derived later on demand
+via the `sign_with_mnemonic_resolver` path.
 
 Loading is **fail-hard**: any row that fails to decode, or a stored
 `wallet_id` that is not exactly 32 bytes, aborts the whole call with a typed
@@ -158,9 +175,9 @@ corruption tolerance, no per-row skip, and no partial `Ok` — a corrupt
 database surfaces as an error rather than silently losing rows.
 
 The summary `tracing::info!` carries `wallets_seen`, `addresses_loaded`,
-`wallets_rehydrated`, and `wallets_pending_rehydration` (the count of
-wallets that *would* be rehydrated once upstream provides
-`Wallet::from_persisted`).
+`wallets_rehydrated` (the count actually rehydrated this call), and
+`wallets_pending_rehydration` (now always `0` — every seen wallet is
+rehydrated). The only deferred field is listed in `LOAD_UNIMPLEMENTED`.
 
 ### KV metadata API