feat(key-wallet): add DIP-13 identity authentication accounts (ECDSA + BLS)

Add two new `AccountType` variants for DIP-13 sub-feature 0' (per-identity
signing keys the user employs to sign Dash Platform state transitions):

  - `IdentityAuthenticationEcdsa { identity_index }` — key_type 0',
    backed by a regular `Account` (secp256k1).
  - `IdentityAuthenticationBls { identity_index }` — key_type 1',
    backed by `BLSAccount`, gated on `#[cfg(feature = "bls")]`.

Both account types use the DIP-13 derivation path
`m/9'/coin_type'/5'/0'/key_type'/identity_index'` with hardened children
for individual keys (`.../identity_index'/key_index'`). Address pools use
`AbsentHardened` since DIP-13 mandates hardened leaves.

### Wiring

- `AccountCollection` gains `identity_authentication_ecdsa:
  BTreeMap<u32, Account>` and (under `bls`) `identity_authentication_bls:
  BTreeMap<u32, BLSAccount>`, keyed by `identity_index`. All collection
  methods (`new`, `insert`, `insert_bls_account`, `contains_account_type`,
  `account_of_type[_mut]`, `bls_account_of_type[_mut]`, `all_accounts[_mut]`,
  `count`, `is_empty`, `clear`) are updated.
- `ManagedAccountCollection`, `ManagedAccountType`, `CoreAccountTypeMatch`
  mirror the new variants and are routed through the usual matchers.
- `AccountTypeToCheck::IdentityAuthentication{Ecdsa,Bls}` variants are
  added so conversions from `ManagedAccountType`/`AccountType` stay
  total. Identity authentication accounts are **Platform-only**: they are
  deliberately absent from every `TransactionType` relevance set
  (`TransactionRouter::get_relevant_account_types`), and the
  `ManagedAccountCollection::check_account_type` arms return empty
  results. Address matching in `ManagedCoreAccount::check_transaction_for_match`
  returns `None` for these variants for the same reason.
- `Wallet::add_bls_account` now accepts `IdentityAuthenticationBls` in
  addition to `ProviderOperatorKeys`.
- Two new DIP-9 `IndexConstPath<5>` constants per network
  (`IDENTITY_AUTHENTICATION_{ECDSA,BLS}_PATH_{MAINNET,TESTNET}`) and the
  matching `DerivationPathReference::BlockchainIdentityAuthentication{Ecdsa,Bls}`
  variants.
- `asset_lock_builder::resolve_funding_account` is intentionally left
  untouched — identity authentication accounts do not fund asset locks.
- `WalletAccountCreationOptions` is unchanged. Identity authentication
  accounts are per-identity and come into existence when the user
  registers a Platform identity, not at wallet creation. Callers insert
  them post-hoc via `Wallet::add_account` (ECDSA) or
  `Wallet::add_bls_account` (BLS).

### FFI

`FFIAccountType` gains `IdentityAuthenticationEcdsa = 16` and
`IdentityAuthenticationBls = 17`; `to_account_type` / `from_account_type`
route the `index` parameter as `identity_index`. `FFIAccountMatch`
emission for `CoreAccountTypeMatch::IdentityAuthentication*` reports the
identity index in `account_index` (these variants are never produced by
the L1 transaction router, but the FFI matcher stays exhaustive).

### Tests

New `identity_authentication_tests` module in `account_type.rs` covers:
ECDSA and BLS mainnet/testnet/regtest path derivation, `index()` /
`derivation_path_reference()` / `AccountTypeToCheck` round-trip, and
end-to-end insert / `contains_account_type` / `account_of_type` /
`bls_account_of_type` round-trips through `AccountCollection`. BLS tests
are `#[cfg(feature = "bls")]`-gated. Existing
`test_wrong_account_type_for_bls` message was updated for the broadened
`insert_bls_account` validation.

### Serialization compatibility

Adding enum variants is forward-incompatible for `bincode::Encode`/
`Decode` — wallet blobs serialized by earlier v0.42-dev builds will fail
to decode after this change. This is acceptable given the unstable 0.x
API per `CLAUDE.md`. Serde uses its default (externally tagged)
representation, so new readers still decode old data identically and old
readers will error cleanly on new variants they cannot name.

Verified: `cargo build -p key-wallet --all-features`,
`cargo test -p key-wallet --lib --all-features`,
`cargo clippy -p key-wallet --all-features --all-targets -- -D warnings`,
`cargo fmt -p key-wallet --check`, and downstream `key-wallet-ffi` /
`key-wallet-manager` builds and lib tests.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: QuantumExplorer

key-wallet-ffi/src/account.rs

@@ -89,7 +89,20 @@ pub unsafe extern "C" fn wallet_get_account(
     }
 
     let wallet = &*wallet;
-    let account_type_rust = account_type.to_account_type(account_index);
+    let account_type_rust = match account_type.to_account_type(account_index) {
+        Ok(t) => t,
+        Err(mut err) => {
+            let code = err.code;
+            let message = if err.message.is_null() {
+                "Invalid account type".to_string()
+            } else {
+                let msg = std::ffi::CStr::from_ptr(err.message).to_string_lossy().to_string();
+                err.free_message();
+                msg
+            };
+            return FFIAccountResult::error(code, message);
+        }
+    };
 
     match wallet.inner().accounts.account_of_type(account_type_rust) {
         Some(account) => {

key-wallet-ffi/src/address_pool.rs

@@ -45,6 +45,12 @@ fn get_managed_account_by_type<'a>(
             collection.identity_topup_not_bound.as_ref()
         }
         AccountType::IdentityInvitation => collection.identity_invitation.as_ref(),
+        AccountType::IdentityAuthenticationEcdsa {
+            identity_index,
+        } => collection.identity_authentication_ecdsa.get(identity_index),
+        AccountType::IdentityAuthenticationBls {
+            identity_index,
+        } => collection.identity_authentication_bls.get(identity_index),
         AccountType::AssetLockAddressTopUp => collection.asset_lock_address_topup.as_ref(),
         AccountType::AssetLockShieldedAddressTopUp => {
             collection.asset_lock_shielded_address_topup.as_ref()
@@ -98,6 +104,12 @@ fn get_managed_account_by_type_mut<'a>(
             collection.identity_topup_not_bound.as_mut()
         }
         AccountType::IdentityInvitation => collection.identity_invitation.as_mut(),
+        AccountType::IdentityAuthenticationEcdsa {
+            identity_index,
+        } => collection.identity_authentication_ecdsa.get_mut(identity_index),
+        AccountType::IdentityAuthenticationBls {
+            identity_index,
+        } => collection.identity_authentication_bls.get_mut(identity_index),
         AccountType::AssetLockAddressTopUp => collection.asset_lock_address_topup.as_mut(),
         AccountType::AssetLockShieldedAddressTopUp => {
             collection.asset_lock_shielded_address_topup.as_mut()
@@ -298,7 +310,20 @@ pub unsafe extern "C" fn managed_wallet_get_address_pool_info(
     let wrapper = &*managed_wallet;
     let managed_wallet = wrapper.inner();
 
-    let account_type_rust = account_type.to_account_type(account_index);
+    let account_type_rust = match account_type.to_account_type(account_index) {
+        Ok(t) => t,
+        Err(mut e) => {
+            let msg = if e.message.is_null() {
+                "Invalid account type".to_string()
+            } else {
+                let m = std::ffi::CStr::from_ptr(e.message).to_string_lossy().to_string();
+                e.free_message();
+                m
+            };
+            FFIError::set_error(error, e.code, msg);
+            return false;
+        }
+    };
 
     // Get the specific managed account
     let managed_account =
@@ -404,7 +429,20 @@ pub unsafe extern "C" fn managed_wallet_set_gap_limit(
 
     let managed_wallet = (&mut *managed_wallet).inner_mut();
 
-    let account_type_rust = account_type.to_account_type(account_index);
+    let account_type_rust = match account_type.to_account_type(account_index) {
+        Ok(t) => t,
+        Err(mut e) => {
+            let msg = if e.message.is_null() {
+                "Invalid account type".to_string()
+            } else {
+                let m = std::ffi::CStr::from_ptr(e.message).to_string_lossy().to_string();
+                e.free_message();
+                m
+            };
+            FFIError::set_error(error, e.code, msg);
+            return false;
+        }
+    };
 
     // Get the specific managed account
     let managed_account =
@@ -501,7 +539,20 @@ pub unsafe extern "C" fn managed_wallet_generate_addresses_to_index(
     let managed_wallet = (&mut *managed_wallet).inner_mut();
     let wallet = &*wallet;
 
-    let account_type_rust = account_type.to_account_type(account_index);
+    let account_type_rust = match account_type.to_account_type(account_index) {
+        Ok(t) => t,
+        Err(mut e) => {
+            let msg = if e.message.is_null() {
+                "Invalid account type".to_string()
+            } else {
+                let m = std::ffi::CStr::from_ptr(e.message).to_string_lossy().to_string();
+                e.free_message();
+                m
+            };
+            FFIError::set_error(error, e.code, msg);
+            return false;
+        }
+    };
 
     let account_type_to_check = match account_type_rust.try_into() {
         Ok(check_type) => check_type,
@@ -746,6 +797,22 @@ pub unsafe extern "C" fn managed_wallet_mark_address_used(
                 }
             }
         }
+        if !found {
+            for account in collection.identity_authentication_ecdsa.values_mut() {
+                if account.mark_address_used(&address) {
+                    found = true;
+                    break;
+                }
+            }
+        }
+        if !found {
+            for account in collection.identity_authentication_bls.values_mut() {
+                if account.mark_address_used(&address) {
+                    found = true;
+                    break;
+                }
+            }
+        }
         if !found {
             if let Some(account) = &mut collection.asset_lock_address_topup {
                 if account.mark_address_used(&address) {

key-wallet-ffi/src/managed_account.rs

@@ -218,7 +218,25 @@ pub unsafe extern "C" fn managed_wallet_get_account(
     }
 
     let managed_wallet = &*managed_wallet_ptr;
-    let account_type_rust = account_type.to_account_type(account_index);
+    let account_type_rust = match account_type.to_account_type(account_index) {
+        Ok(t) => t,
+        Err(mut e) => {
+            let code = e.code;
+            let message = if e.message.is_null() {
+                "Invalid account type".to_string()
+            } else {
+                let m = std::ffi::CStr::from_ptr(e.message).to_string_lossy().to_string();
+                e.free_message();
+                m
+            };
+            // `wallet_manager_get_managed_wallet_info` allocated `managed_wallet_ptr`
+            // above; the success path frees it via `managed_wallet_info_free` at the
+            // bottom of this function. Do the same here before bailing so the
+            // managed-wallet handle isn't leaked on invalid-account-type errors.
+            crate::managed_wallet::managed_wallet_info_free(managed_wallet_ptr);
+            return FFIManagedCoreAccountResult::error(code, message);
+        }
+    };
 
     let result = {
         use key_wallet::account::StandardAccountType;
@@ -247,6 +265,12 @@ pub unsafe extern "C" fn managed_wallet_get_account(
                 managed_collection.identity_topup_not_bound.as_ref()
             }
             AccountType::IdentityInvitation => managed_collection.identity_invitation.as_ref(),
+            AccountType::IdentityAuthenticationEcdsa {
+                identity_index,
+            } => managed_collection.identity_authentication_ecdsa.get(&identity_index),
+            AccountType::IdentityAuthenticationBls {
+                identity_index,
+            } => managed_collection.identity_authentication_bls.get(&identity_index),
             AccountType::AssetLockAddressTopUp => {
                 managed_collection.asset_lock_address_topup.as_ref()
             }
@@ -564,6 +588,12 @@ pub unsafe extern "C" fn managed_core_account_get_account_type(
             FFIAccountType::IdentityTopUpNotBoundToIdentity
         }
         AccountType::IdentityInvitation => FFIAccountType::IdentityInvitation,
+        AccountType::IdentityAuthenticationEcdsa {
+            ..
+        } => FFIAccountType::IdentityAuthenticationEcdsa,
+        AccountType::IdentityAuthenticationBls {
+            ..
+        } => FFIAccountType::IdentityAuthenticationBls,
         AccountType::AssetLockAddressTopUp => FFIAccountType::AssetLockAddressTopUp,
         AccountType::AssetLockShieldedAddressTopUp => FFIAccountType::AssetLockShieldedAddressTopUp,
         AccountType::ProviderVotingKeys => FFIAccountType::ProviderVotingKeys,
@@ -1167,6 +1197,14 @@ pub unsafe extern "C" fn managed_core_account_get_address_pool(
                     addresses,
                     ..
                 } => addresses,
+                ManagedAccountType::IdentityAuthenticationEcdsa {
+                    addresses,
+                    ..
+                } => addresses,
+                ManagedAccountType::IdentityAuthenticationBls {
+                    addresses,
+                    ..
+                } => addresses,
             };
 
             let ffi_pool = FFIAddressPool {