feat(key-wallet): add DIP-13 identity authentication accounts (ECDSA + BLS)

Add two new `AccountType` variants for DIP-13 sub-feature 0' (per-identity
signing keys the user employs to sign Dash Platform state transitions):

  - `IdentityAuthenticationEcdsa { identity_index }` — key_type 0',
    backed by a regular `Account` (secp256k1).
  - `IdentityAuthenticationBls { identity_index }` — key_type 1',
    backed by `BLSAccount`, gated on `#[cfg(feature = "bls")]`.

Both account types use the DIP-13 derivation path
`m/9'/coin_type'/5'/0'/key_type'/identity_index'` with hardened children
for individual keys (`.../identity_index'/key_index'`). Address pools use
`AbsentHardened` since DIP-13 mandates hardened leaves.

### Wiring

- `AccountCollection` gains `identity_authentication_ecdsa:
  BTreeMap<u32, Account>` and (under `bls`) `identity_authentication_bls:
  BTreeMap<u32, BLSAccount>`, keyed by `identity_index`. All collection
  methods (`new`, `insert`, `insert_bls_account`, `contains_account_type`,
  `account_of_type[_mut]`, `bls_account_of_type[_mut]`, `all_accounts[_mut]`,
  `count`, `is_empty`, `clear`) are updated.
- `ManagedAccountCollection`, `ManagedAccountType`, `CoreAccountTypeMatch`
  mirror the new variants and are routed through the usual matchers.
- `AccountTypeToCheck::IdentityAuthentication{Ecdsa,Bls}` variants are
  added so conversions from `ManagedAccountType`/`AccountType` stay
  total. Identity authentication accounts are **Platform-only**: they are
  deliberately absent from every `TransactionType` relevance set
  (`TransactionRouter::get_relevant_account_types`), and the
  `ManagedAccountCollection::check_account_type` arms return empty
  results. Address matching in `ManagedCoreAccount::check_transaction_for_match`
  returns `None` for these variants for the same reason.
- `Wallet::add_bls_account` now accepts `IdentityAuthenticationBls` in
  addition to `ProviderOperatorKeys`.
- Two new DIP-9 `IndexConstPath<5>` constants per network
  (`IDENTITY_AUTHENTICATION_{ECDSA,BLS}_PATH_{MAINNET,TESTNET}`) and the
  matching `DerivationPathReference::BlockchainIdentityAuthentication{Ecdsa,Bls}`
  variants.
- `asset_lock_builder::resolve_funding_account` is intentionally left
  untouched — identity authentication accounts do not fund asset locks.
- `WalletAccountCreationOptions` is unchanged. Identity authentication
  accounts are per-identity and come into existence when the user
  registers a Platform identity, not at wallet creation. Callers insert
  them post-hoc via `Wallet::add_account` (ECDSA) or
  `Wallet::add_bls_account` (BLS).

### FFI

`FFIAccountType` gains `IdentityAuthenticationEcdsa = 16` and
`IdentityAuthenticationBls = 17`; `to_account_type` / `from_account_type`
route the `index` parameter as `identity_index`. `FFIAccountMatch`
emission for `CoreAccountTypeMatch::IdentityAuthentication*` reports the
identity index in `account_index` (these variants are never produced by
the L1 transaction router, but the FFI matcher stays exhaustive).

### Tests

New `identity_authentication_tests` module in `account_type.rs` covers:
ECDSA and BLS mainnet/testnet/regtest path derivation, `index()` /
`derivation_path_reference()` / `AccountTypeToCheck` round-trip, and
end-to-end insert / `contains_account_type` / `account_of_type` /
`bls_account_of_type` round-trips through `AccountCollection`. BLS tests
are `#[cfg(feature = "bls")]`-gated. Existing
`test_wrong_account_type_for_bls` message was updated for the broadened
`insert_bls_account` validation.

### Serialization compatibility

Adding enum variants is forward-incompatible for `bincode::Encode`/
`Decode` — wallet blobs serialized by earlier v0.42-dev builds will fail
to decode after this change. This is acceptable given the unstable 0.x
API per `CLAUDE.md`. Serde uses its default (externally tagged)
representation, so new readers still decode old data identically and old
readers will error cleanly on new variants they cannot name.

Verified: `cargo build -p key-wallet --all-features`,
`cargo test -p key-wallet --lib --all-features`,
`cargo clippy -p key-wallet --all-features --all-targets -- -D warnings`,
`cargo fmt -p key-wallet --check`, and downstream `key-wallet-ffi` /
`key-wallet-manager` builds and lib tests.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: QuantumExplorer

key-wallet-ffi/src/address_pool.rs

@@ -45,6 +45,12 @@ fn get_managed_account_by_type<'a>(
             collection.identity_topup_not_bound.as_ref()
         }
         AccountType::IdentityInvitation => collection.identity_invitation.as_ref(),
+        AccountType::IdentityAuthenticationEcdsa {
+            identity_index,
+        } => collection.identity_authentication_ecdsa.get(identity_index),
+        AccountType::IdentityAuthenticationBls {
+            identity_index,
+        } => collection.identity_authentication_bls.get(identity_index),
         AccountType::AssetLockAddressTopUp => collection.asset_lock_address_topup.as_ref(),
         AccountType::AssetLockShieldedAddressTopUp => {
             collection.asset_lock_shielded_address_topup.as_ref()
@@ -98,6 +104,12 @@ fn get_managed_account_by_type_mut<'a>(
             collection.identity_topup_not_bound.as_mut()
         }
         AccountType::IdentityInvitation => collection.identity_invitation.as_mut(),
+        AccountType::IdentityAuthenticationEcdsa {
+            identity_index,
+        } => collection.identity_authentication_ecdsa.get_mut(identity_index),
+        AccountType::IdentityAuthenticationBls {
+            identity_index,
+        } => collection.identity_authentication_bls.get_mut(identity_index),
         AccountType::AssetLockAddressTopUp => collection.asset_lock_address_topup.as_mut(),
         AccountType::AssetLockShieldedAddressTopUp => {
             collection.asset_lock_shielded_address_topup.as_mut()

key-wallet-ffi/src/managed_account.rs

@@ -247,6 +247,12 @@ pub unsafe extern "C" fn managed_wallet_get_account(
                 managed_collection.identity_topup_not_bound.as_ref()
             }
             AccountType::IdentityInvitation => managed_collection.identity_invitation.as_ref(),
+            AccountType::IdentityAuthenticationEcdsa {
+                identity_index,
+            } => managed_collection.identity_authentication_ecdsa.get(&identity_index),
+            AccountType::IdentityAuthenticationBls {
+                identity_index,
+            } => managed_collection.identity_authentication_bls.get(&identity_index),
             AccountType::AssetLockAddressTopUp => {
                 managed_collection.asset_lock_address_topup.as_ref()
             }
@@ -564,6 +570,12 @@ pub unsafe extern "C" fn managed_core_account_get_account_type(
             FFIAccountType::IdentityTopUpNotBoundToIdentity
         }
         AccountType::IdentityInvitation => FFIAccountType::IdentityInvitation,
+        AccountType::IdentityAuthenticationEcdsa {
+            ..
+        } => FFIAccountType::IdentityAuthenticationEcdsa,
+        AccountType::IdentityAuthenticationBls {
+            ..
+        } => FFIAccountType::IdentityAuthenticationBls,
         AccountType::AssetLockAddressTopUp => FFIAccountType::AssetLockAddressTopUp,
         AccountType::AssetLockShieldedAddressTopUp => FFIAccountType::AssetLockShieldedAddressTopUp,
         AccountType::ProviderVotingKeys => FFIAccountType::ProviderVotingKeys,
@@ -1167,6 +1179,14 @@ pub unsafe extern "C" fn managed_core_account_get_address_pool(
                     addresses,
                     ..
                 } => addresses,
+                ManagedAccountType::IdentityAuthenticationEcdsa {
+                    addresses,
+                    ..
+                } => addresses,
+                ManagedAccountType::IdentityAuthenticationBls {
+                    addresses,
+                    ..
+                } => addresses,
             };
 
             let ffi_pool = FFIAddressPool {

key-wallet-ffi/src/types.rs

@@ -235,6 +235,12 @@ pub enum FFIAccountType {
     AssetLockAddressTopUp = 14,
     /// Asset lock shielded address top-up funding (subfeature 5)
     AssetLockShieldedAddressTopUp = 15,
+    /// Per-identity ECDSA authentication keys (DIP-13, sub-feature 0', key type 0').
+    /// Path prefix: `m/9'/coin_type'/5'/0'/0'/identity_index'`.
+    IdentityAuthenticationEcdsa = 16,
+    /// Per-identity BLS authentication keys (DIP-13, sub-feature 0', key type 1').
+    /// Path prefix: `m/9'/coin_type'/5'/0'/1'/identity_index'`.
+    IdentityAuthenticationBls = 17,
 }
 
 impl FFIAccountType {
@@ -273,6 +279,18 @@ impl FFIAccountType {
             FFIAccountType::ProviderOwnerKeys => key_wallet::AccountType::ProviderOwnerKeys,
             FFIAccountType::ProviderOperatorKeys => key_wallet::AccountType::ProviderOperatorKeys,
             FFIAccountType::ProviderPlatformKeys => key_wallet::AccountType::ProviderPlatformKeys,
+            // DIP-13 authentication accounts use the provided `index` as
+            // `identity_index` (the hardened child at path level 6).
+            FFIAccountType::IdentityAuthenticationEcdsa => {
+                key_wallet::AccountType::IdentityAuthenticationEcdsa {
+                    identity_index: index,
+                }
+            }
+            FFIAccountType::IdentityAuthenticationBls => {
+                key_wallet::AccountType::IdentityAuthenticationBls {
+                    identity_index: index,
+                }
+            }
             // DashPay variants require additional identity IDs (user_identity_id and friend_identity_id)
             // that are not part of the current FFI API. These types cannot be constructed via this
             // conversion path. Attempting to use them is a programming error.
@@ -366,6 +384,12 @@ impl FFIAccountType {
             key_wallet::AccountType::ProviderPlatformKeys => {
                 (FFIAccountType::ProviderPlatformKeys, 0, None)
             }
+            key_wallet::AccountType::IdentityAuthenticationEcdsa {
+                identity_index,
+            } => (FFIAccountType::IdentityAuthenticationEcdsa, *identity_index, None),
+            key_wallet::AccountType::IdentityAuthenticationBls {
+                identity_index,
+            } => (FFIAccountType::IdentityAuthenticationBls, *identity_index, None),
             key_wallet::AccountType::DashpayReceivingFunds {
                 index,
                 user_identity_id,

key-wallet/src/account/account_collection.rs

@@ -58,6 +58,14 @@ pub struct AccountCollection {
     pub identity_topup_not_bound: Option<Account>,
     /// Identity invitation account (optional)
     pub identity_invitation: Option<Account>,
+    /// Per-identity ECDSA authentication accounts (DIP-13, sub-feature 0',
+    /// key type 0'), keyed by `identity_index`. Platform-only — these carry no
+    /// L1 UTXOs.
+    pub identity_authentication_ecdsa: BTreeMap<u32, Account>,
+    /// Per-identity BLS authentication accounts (DIP-13, sub-feature 0',
+    /// key type 1'), keyed by `identity_index`. Platform-only.
+    #[cfg(feature = "bls")]
+    pub identity_authentication_bls: BTreeMap<u32, BLSAccount>,
     /// Asset lock address top-up account (optional)
     pub asset_lock_address_topup: Option<Account>,
     /// Asset lock shielded address top-up account (optional)
@@ -91,6 +99,9 @@ impl AccountCollection {
             identity_topup: BTreeMap::new(),
             identity_topup_not_bound: None,
             identity_invitation: None,
+            identity_authentication_ecdsa: BTreeMap::new(),
+            #[cfg(feature = "bls")]
+            identity_authentication_bls: BTreeMap::new(),
             asset_lock_address_topup: None,
             asset_lock_shielded_address_topup: None,
             provider_voting_keys: None,
@@ -141,6 +152,18 @@ impl AccountCollection {
             AccountType::IdentityInvitation => {
                 self.identity_invitation = Some(account);
             }
+            AccountType::IdentityAuthenticationEcdsa {
+                identity_index,
+            } => {
+                self.identity_authentication_ecdsa.insert(*identity_index, account);
+            }
+            AccountType::IdentityAuthenticationBls {
+                ..
+            } => {
+                return Err(
+                    "IdentityAuthenticationBls requires BLSAccount, use insert_bls_account",
+                );
+            }
             AccountType::AssetLockAddressTopUp => {
                 self.asset_lock_address_topup = Some(account);
             }
@@ -197,14 +220,29 @@ impl AccountCollection {
         Ok(())
     }
 
-    /// Insert a BLS account for provider operator keys
+    /// Insert a BLS account for provider operator keys or identity
+    /// authentication.
+    ///
+    /// Accepts [`AccountType::ProviderOperatorKeys`] or
+    /// [`AccountType::IdentityAuthenticationBls`]. Rejects any other account
+    /// type.
     #[cfg(feature = "bls")]
     pub fn insert_bls_account(&mut self, account: BLSAccount) -> Result<(), &'static str> {
-        if !matches!(account.account_type, AccountType::ProviderOperatorKeys) {
-            return Err("BLS account must have ProviderOperatorKeys type");
+        match account.account_type {
+            AccountType::ProviderOperatorKeys => {
+                self.provider_operator_keys = Some(account);
+                Ok(())
+            }
+            AccountType::IdentityAuthenticationBls {
+                identity_index,
+            } => {
+                self.identity_authentication_bls.insert(identity_index, account);
+                Ok(())
+            }
+            _ => {
+                Err("BLS account must have ProviderOperatorKeys or IdentityAuthenticationBls type")
+            }
         }
-        self.provider_operator_keys = Some(account);
-        Ok(())
     }
 
     /// Insert an EdDSA account for provider platform keys
@@ -242,6 +280,17 @@ impl AccountCollection {
             } => self.identity_topup.contains_key(registration_index),
             AccountType::IdentityTopUpNotBoundToIdentity => self.identity_topup_not_bound.is_some(),
             AccountType::IdentityInvitation => self.identity_invitation.is_some(),
+            AccountType::IdentityAuthenticationEcdsa {
+                identity_index,
+            } => self.identity_authentication_ecdsa.contains_key(identity_index),
+            #[cfg(feature = "bls")]
+            AccountType::IdentityAuthenticationBls {
+                identity_index,
+            } => self.identity_authentication_bls.contains_key(identity_index),
+            #[cfg(not(feature = "bls"))]
+            AccountType::IdentityAuthenticationBls {
+                ..
+            } => false,
             AccountType::AssetLockAddressTopUp => self.asset_lock_address_topup.is_some(),
             AccountType::AssetLockShieldedAddressTopUp => {
                 self.asset_lock_shielded_address_topup.is_some()
@@ -315,6 +364,12 @@ impl AccountCollection {
             } => self.identity_topup.get(&registration_index),
             AccountType::IdentityTopUpNotBoundToIdentity => self.identity_topup_not_bound.as_ref(),
             AccountType::IdentityInvitation => self.identity_invitation.as_ref(),
+            AccountType::IdentityAuthenticationEcdsa {
+                identity_index,
+            } => self.identity_authentication_ecdsa.get(&identity_index),
+            AccountType::IdentityAuthenticationBls {
+                ..
+            } => None, // BLSAccount, use bls_account_of_type
             AccountType::AssetLockAddressTopUp => self.asset_lock_address_topup.as_ref(),
             AccountType::AssetLockShieldedAddressTopUp => {
                 self.asset_lock_shielded_address_topup.as_ref()
@@ -382,6 +437,12 @@ impl AccountCollection {
             } => self.identity_topup.get_mut(&registration_index),
             AccountType::IdentityTopUpNotBoundToIdentity => self.identity_topup_not_bound.as_mut(),
             AccountType::IdentityInvitation => self.identity_invitation.as_mut(),
+            AccountType::IdentityAuthenticationEcdsa {
+                identity_index,
+            } => self.identity_authentication_ecdsa.get_mut(&identity_index),
+            AccountType::IdentityAuthenticationBls {
+                ..
+            } => None, // BLSAccount, use bls_account_of_type_mut
             AccountType::AssetLockAddressTopUp => self.asset_lock_address_topup.as_mut(),
             AccountType::AssetLockShieldedAddressTopUp => {
                 self.asset_lock_shielded_address_topup.as_mut()
@@ -449,6 +510,8 @@ impl AccountCollection {
             accounts.push(account);
         }
 
+        accounts.extend(self.identity_authentication_ecdsa.values());
+
         if let Some(account) = &self.asset_lock_address_topup {
             accounts.push(account);
         }
@@ -497,6 +560,8 @@ impl AccountCollection {
             accounts.push(account);
         }
 
+        accounts.extend(self.identity_authentication_ecdsa.values_mut());
+
         if let Some(account) = &mut self.asset_lock_address_topup {
             accounts.push(account);
         }
@@ -523,23 +588,37 @@ impl AccountCollection {
         accounts
     }
 
-    /// Get the BLS account (provider operator keys)
+    /// Get a BLS account by type.
+    ///
+    /// Supports [`AccountType::ProviderOperatorKeys`] and
+    /// [`AccountType::IdentityAuthenticationBls`] — returns `None` for other
+    /// types.
     #[cfg(feature = "bls")]
     pub fn bls_account_of_type(&self, account_type: AccountType) -> Option<&BLSAccount> {
         match account_type {
             AccountType::ProviderOperatorKeys => self.provider_operator_keys.as_ref(),
+            AccountType::IdentityAuthenticationBls {
+                identity_index,
+            } => self.identity_authentication_bls.get(&identity_index),
             _ => None,
         }
     }
 
-    /// Get the BLS account mutably (provider operator keys)
+    /// Get a BLS account by type mutably.
+    ///
+    /// Supports [`AccountType::ProviderOperatorKeys`] and
+    /// [`AccountType::IdentityAuthenticationBls`] — returns `None` for other
+    /// types.
     #[cfg(feature = "bls")]
     pub fn bls_account_of_type_mut(
         &mut self,
         account_type: AccountType,
     ) -> Option<&mut BLSAccount> {
         match account_type {
             AccountType::ProviderOperatorKeys => self.provider_operator_keys.as_mut(),
+            AccountType::IdentityAuthenticationBls {
+                identity_index,
+            } => self.identity_authentication_bls.get_mut(&identity_index),
             _ => None,
         }
     }
@@ -575,6 +654,11 @@ impl AccountCollection {
             count += 1;
         }
 
+        #[cfg(feature = "bls")]
+        {
+            count += self.identity_authentication_bls.len();
+        }
+
         #[cfg(feature = "eddsa")]
         if self.provider_platform_keys.is_some() {
             count += 1;
@@ -605,14 +689,17 @@ impl AccountCollection {
             && self.identity_topup.is_empty()
             && self.identity_topup_not_bound.is_none()
             && self.identity_invitation.is_none()
+            && self.identity_authentication_ecdsa.is_empty()
             && self.asset_lock_address_topup.is_none()
             && self.asset_lock_shielded_address_topup.is_none()
             && self.provider_voting_keys.is_none()
             && self.provider_owner_keys.is_none();
 
         #[cfg(feature = "bls")]
         {
-            is_empty = is_empty && self.provider_operator_keys.is_none();
+            is_empty = is_empty
+                && self.provider_operator_keys.is_none()
+                && self.identity_authentication_bls.is_empty();
         }
 
         #[cfg(feature = "eddsa")]
@@ -632,13 +719,15 @@ impl AccountCollection {
         self.identity_topup.clear();
         self.identity_topup_not_bound = None;
         self.identity_invitation = None;
+        self.identity_authentication_ecdsa.clear();
         self.asset_lock_address_topup = None;
         self.asset_lock_shielded_address_topup = None;
         self.provider_voting_keys = None;
         self.provider_owner_keys = None;
         #[cfg(feature = "bls")]
         {
             self.provider_operator_keys = None;
+            self.identity_authentication_bls.clear();
         }
         #[cfg(feature = "eddsa")]
         {

key-wallet/src/account/account_collection_test.rs

@@ -125,7 +125,10 @@ mod tests {
 
         let result = collection.insert_bls_account(bls_account);
         assert!(result.is_err());
-        assert_eq!(result.unwrap_err(), "BLS account must have ProviderOperatorKeys type");
+        assert_eq!(
+            result.unwrap_err(),
+            "BLS account must have ProviderOperatorKeys or IdentityAuthenticationBls type"
+        );
     }
 
     #[test]