feat(key-wallet): add DIP-13 identity authentication accounts (ECDSA + BLS)

Add two new `AccountType` variants for DIP-13 sub-feature 0' (per-identity
signing keys the user employs to sign Dash Platform state transitions):

  - `IdentityAuthenticationEcdsa { identity_index }` — key_type 0',
    backed by a regular `Account` (secp256k1).
  - `IdentityAuthenticationBls { identity_index }` — key_type 1',
    backed by `BLSAccount`, gated on `#[cfg(feature = "bls")]`.

Both account types use the DIP-13 derivation path
`m/9'/coin_type'/5'/0'/key_type'/identity_index'` with hardened children
for individual keys (`.../identity_index'/key_index'`). Address pools use
`AbsentHardened` since DIP-13 mandates hardened leaves.

### Wiring

- `AccountCollection` gains `identity_authentication_ecdsa:
  BTreeMap<u32, Account>` and (under `bls`) `identity_authentication_bls:
  BTreeMap<u32, BLSAccount>`, keyed by `identity_index`. All collection
  methods (`new`, `insert`, `insert_bls_account`, `contains_account_type`,
  `account_of_type[_mut]`, `bls_account_of_type[_mut]`, `all_accounts[_mut]`,
  `count`, `is_empty`, `clear`) are updated.
- `ManagedAccountCollection`, `ManagedAccountType`, `CoreAccountTypeMatch`
  mirror the new variants and are routed through the usual matchers.
- `AccountTypeToCheck::IdentityAuthentication{Ecdsa,Bls}` variants are
  added so conversions from `ManagedAccountType`/`AccountType` stay
  total. Identity authentication accounts are **Platform-only**: they are
  deliberately absent from every `TransactionType` relevance set
  (`TransactionRouter::get_relevant_account_types`), and the
  `ManagedAccountCollection::check_account_type` arms return empty
  results. Address matching in `ManagedCoreAccount::check_transaction_for_match`
  returns `None` for these variants for the same reason.
- `Wallet::add_bls_account` now accepts `IdentityAuthenticationBls` in
  addition to `ProviderOperatorKeys`.
- Two new DIP-9 `IndexConstPath<5>` constants per network
  (`IDENTITY_AUTHENTICATION_{ECDSA,BLS}_PATH_{MAINNET,TESTNET}`) and the
  matching `DerivationPathReference::BlockchainIdentityAuthentication{Ecdsa,Bls}`
  variants.
- `asset_lock_builder::resolve_funding_account` is intentionally left
  untouched — identity authentication accounts do not fund asset locks.
- `WalletAccountCreationOptions` is unchanged. Identity authentication
  accounts are per-identity and come into existence when the user
  registers a Platform identity, not at wallet creation. Callers insert
  them post-hoc via `Wallet::add_account` (ECDSA) or
  `Wallet::add_bls_account` (BLS).

### FFI

`FFIAccountType` gains `IdentityAuthenticationEcdsa = 16` and
`IdentityAuthenticationBls = 17`; `to_account_type` / `from_account_type`
route the `index` parameter as `identity_index`. `FFIAccountMatch`
emission for `CoreAccountTypeMatch::IdentityAuthentication*` reports the
identity index in `account_index` (these variants are never produced by
the L1 transaction router, but the FFI matcher stays exhaustive).

### Tests

New `identity_authentication_tests` module in `account_type.rs` covers:
ECDSA and BLS mainnet/testnet/regtest path derivation, `index()` /
`derivation_path_reference()` / `AccountTypeToCheck` round-trip, and
end-to-end insert / `contains_account_type` / `account_of_type` /
`bls_account_of_type` round-trips through `AccountCollection`. BLS tests
are `#[cfg(feature = "bls")]`-gated. Existing
`test_wrong_account_type_for_bls` message was updated for the broadened
`insert_bls_account` validation.

### Serialization compatibility

Adding enum variants is forward-incompatible for `bincode::Encode`/
`Decode` — wallet blobs serialized by earlier v0.42-dev builds will fail
to decode after this change. This is acceptable given the unstable 0.x
API per `CLAUDE.md`. Serde uses its default (externally tagged)
representation, so new readers still decode old data identically and old
readers will error cleanly on new variants they cannot name.

Verified: `cargo build -p key-wallet --all-features`,
`cargo test -p key-wallet --lib --all-features`,
`cargo clippy -p key-wallet --all-features --all-targets -- -D warnings`,
`cargo fmt -p key-wallet --check`, and downstream `key-wallet-ffi` /
`key-wallet-manager` builds and lib tests.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: QuantumExplorer

key-wallet-ffi/src/address_pool.rs

@@ -45,6 +45,13 @@ fn get_managed_account_by_type<'a>(
             collection.identity_topup_not_bound.as_ref()
         }
         AccountType::IdentityInvitation => collection.identity_invitation.as_ref(),
+        AccountType::IdentityAuthenticationEcdsa {
+            identity_index,
+        } => collection.identity_authentication_ecdsa.get(identity_index),
+        #[cfg(feature = "bls")]
+        AccountType::IdentityAuthenticationBls {
+            identity_index,
+        } => collection.identity_authentication_bls.get(identity_index),
         AccountType::AssetLockAddressTopUp => collection.asset_lock_address_topup.as_ref(),
         AccountType::AssetLockShieldedAddressTopUp => {
             collection.asset_lock_shielded_address_topup.as_ref()
@@ -98,6 +105,13 @@ fn get_managed_account_by_type_mut<'a>(
             collection.identity_topup_not_bound.as_mut()
         }
         AccountType::IdentityInvitation => collection.identity_invitation.as_mut(),
+        AccountType::IdentityAuthenticationEcdsa {
+            identity_index,
+        } => collection.identity_authentication_ecdsa.get_mut(identity_index),
+        #[cfg(feature = "bls")]
+        AccountType::IdentityAuthenticationBls {
+            identity_index,
+        } => collection.identity_authentication_bls.get_mut(identity_index),
         AccountType::AssetLockAddressTopUp => collection.asset_lock_address_topup.as_mut(),
         AccountType::AssetLockShieldedAddressTopUp => {
             collection.asset_lock_shielded_address_topup.as_mut()

key-wallet-ffi/src/managed_account.rs

@@ -247,6 +247,13 @@ pub unsafe extern "C" fn managed_wallet_get_account(
                 managed_collection.identity_topup_not_bound.as_ref()
             }
             AccountType::IdentityInvitation => managed_collection.identity_invitation.as_ref(),
+            AccountType::IdentityAuthenticationEcdsa {
+                identity_index,
+            } => managed_collection.identity_authentication_ecdsa.get(&identity_index),
+            #[cfg(feature = "bls")]
+            AccountType::IdentityAuthenticationBls {
+                identity_index,
+            } => managed_collection.identity_authentication_bls.get(&identity_index),
             AccountType::AssetLockAddressTopUp => {
                 managed_collection.asset_lock_address_topup.as_ref()
             }
@@ -564,6 +571,13 @@ pub unsafe extern "C" fn managed_core_account_get_account_type(
             FFIAccountType::IdentityTopUpNotBoundToIdentity
         }
         AccountType::IdentityInvitation => FFIAccountType::IdentityInvitation,
+        AccountType::IdentityAuthenticationEcdsa {
+            ..
+        } => FFIAccountType::IdentityAuthenticationEcdsa,
+        #[cfg(feature = "bls")]
+        AccountType::IdentityAuthenticationBls {
+            ..
+        } => FFIAccountType::IdentityAuthenticationBls,
         AccountType::AssetLockAddressTopUp => FFIAccountType::AssetLockAddressTopUp,
         AccountType::AssetLockShieldedAddressTopUp => FFIAccountType::AssetLockShieldedAddressTopUp,
         AccountType::ProviderVotingKeys => FFIAccountType::ProviderVotingKeys,
@@ -1167,6 +1181,15 @@ pub unsafe extern "C" fn managed_core_account_get_address_pool(
                     addresses,
                     ..
                 } => addresses,
+                ManagedAccountType::IdentityAuthenticationEcdsa {
+                    addresses,
+                    ..
+                } => addresses,
+                #[cfg(feature = "bls")]
+                ManagedAccountType::IdentityAuthenticationBls {
+                    addresses,
+                    ..
+                } => addresses,
             };
 
             let ffi_pool = FFIAddressPool {

key-wallet-ffi/src/transaction_checking.rs

@@ -11,7 +11,8 @@ use std::slice;
 use crate::error::{FFIError, FFIErrorCode};
 use crate::managed_wallet::{managed_wallet_info_free, FFIManagedWalletInfo};
 use crate::types::{
-    transaction_context_from_ffi, FFIBlockInfo, FFITransactionContextType, FFIWallet,
+    transaction_context_from_ffi, FFIAccountType, FFIBlockInfo, FFITransactionContextType,
+    FFIWallet,
 };
 use dashcore::consensus::Decodable;
 use dashcore::Transaction;
@@ -473,6 +474,49 @@ pub unsafe extern "C" fn managed_wallet_check_transaction(
                     ffi_accounts.push(ffi_match);
                     continue;
                 }
+                // DIP-13 identity-authentication matches are Platform-only and
+                // therefore never produced by the L1 transaction router. We
+                // still need exhaustive handling here in case a caller
+                // constructs the variant directly; in that case we emit an
+                // FFI record using the `IdentityAuthenticationEcdsa` /
+                // `IdentityAuthenticationBls` FFI enum values (16 / 17) with
+                // the identity index reported in `account_index`.
+                CoreAccountTypeMatch::IdentityAuthenticationEcdsa {
+                    identity_index,
+                    involved_addresses,
+                } => {
+                    let ffi_match = FFIAccountMatch {
+                        account_type: FFIAccountType::IdentityAuthenticationEcdsa as u32,
+                        account_index: *identity_index,
+                        registration_index: 0,
+                        received: account_match.received,
+                        sent: account_match.sent,
+                        external_addresses_count: involved_addresses.len() as c_uint,
+                        internal_addresses_count: 0,
+                        has_external_addresses: !involved_addresses.is_empty(),
+                        has_internal_addresses: false,
+                    };
+                    ffi_accounts.push(ffi_match);
+                    continue;
+                }
+                CoreAccountTypeMatch::IdentityAuthenticationBls {
+                    identity_index,
+                    involved_addresses,
+                } => {
+                    let ffi_match = FFIAccountMatch {
+                        account_type: FFIAccountType::IdentityAuthenticationBls as u32,
+                        account_index: *identity_index,
+                        registration_index: 0,
+                        received: account_match.received,
+                        sent: account_match.sent,
+                        external_addresses_count: involved_addresses.len() as c_uint,
+                        internal_addresses_count: 0,
+                        has_external_addresses: !involved_addresses.is_empty(),
+                        has_internal_addresses: false,
+                    };
+                    ffi_accounts.push(ffi_match);
+                    continue;
+                }
             }
         }
 

key-wallet-ffi/src/types.rs

@@ -235,6 +235,12 @@ pub enum FFIAccountType {
     AssetLockAddressTopUp = 14,
     /// Asset lock shielded address top-up funding (subfeature 5)
     AssetLockShieldedAddressTopUp = 15,
+    /// Per-identity ECDSA authentication keys (DIP-13, sub-feature 0', key type 0').
+    /// Path prefix: `m/9'/coin_type'/5'/0'/0'/identity_index'`.
+    IdentityAuthenticationEcdsa = 16,
+    /// Per-identity BLS authentication keys (DIP-13, sub-feature 0', key type 1').
+    /// Path prefix: `m/9'/coin_type'/5'/0'/1'/identity_index'`.
+    IdentityAuthenticationBls = 17,
 }
 
 impl FFIAccountType {
@@ -273,6 +279,29 @@ impl FFIAccountType {
             FFIAccountType::ProviderOwnerKeys => key_wallet::AccountType::ProviderOwnerKeys,
             FFIAccountType::ProviderOperatorKeys => key_wallet::AccountType::ProviderOperatorKeys,
             FFIAccountType::ProviderPlatformKeys => key_wallet::AccountType::ProviderPlatformKeys,
+            // DIP-13 authentication accounts use the provided `index` as
+            // `identity_index` (the hardened child at path level 6).
+            FFIAccountType::IdentityAuthenticationEcdsa => {
+                key_wallet::AccountType::IdentityAuthenticationEcdsa {
+                    identity_index: index,
+                }
+            }
+            #[cfg(feature = "bls")]
+            FFIAccountType::IdentityAuthenticationBls => {
+                key_wallet::AccountType::IdentityAuthenticationBls {
+                    identity_index: index,
+                }
+            }
+            #[cfg(not(feature = "bls"))]
+            FFIAccountType::IdentityAuthenticationBls => {
+                // This should never happen at runtime in a default-featured
+                // build (key-wallet-ffi enables `bls` by default), but handle
+                // gracefully if the host opts out.
+                panic!(
+                    "FFIAccountType::IdentityAuthenticationBls requires the `bls` feature \
+                     in key-wallet-ffi to be enabled"
+                );
+            }
             // DashPay variants require additional identity IDs (user_identity_id and friend_identity_id)
             // that are not part of the current FFI API. These types cannot be constructed via this
             // conversion path. Attempting to use them is a programming error.
@@ -366,6 +395,13 @@ impl FFIAccountType {
             key_wallet::AccountType::ProviderPlatformKeys => {
                 (FFIAccountType::ProviderPlatformKeys, 0, None)
             }
+            key_wallet::AccountType::IdentityAuthenticationEcdsa {
+                identity_index,
+            } => (FFIAccountType::IdentityAuthenticationEcdsa, *identity_index, None),
+            #[cfg(feature = "bls")]
+            key_wallet::AccountType::IdentityAuthenticationBls {
+                identity_index,
+            } => (FFIAccountType::IdentityAuthenticationBls, *identity_index, None),
             key_wallet::AccountType::DashpayReceivingFunds {
                 index,
                 user_identity_id,