whole issue push

src/wallet/test/fixtures/inspect_psbt_gaps/README.md

@@ -0,0 +1,28 @@
+# inspect_psbt security gap fixtures (Signet test keys only)
+
+Captured from `rgb-msig-local` / `rgb_msig_wallet_setup` for offline regression tests.
+
+## Layout
+
+| Path | Contents |
+|------|----------|
+| `send_rgb/` | Op #5 SendRgb PSBTs, fascia, metadata |
+| `foreign_mnemonic/` | Op #6 foreign-signature PSBTs |
+| `party_datadirs/party-{1,2,3}/a44a82d6/` | Full multisig wallet dirs (stash required for `inspect_rgb_transfer`) |
+| `keys/wallet_{1,2,3}.keys.json` | Signet cosigner key material (test network) |
+
+## Tests
+
+Security-gap tests **fail on purpose** until rgb-lib rejects invalid cosigner signatures at every step.
+
+```bash
+cargo test --lib foreign_one_valid -- --nocapture   # 1 valid + 2 foreign mnemonics
+cargo test --lib op5_wrong_cosigner -- --nocapture  # op #5 wrong cosigner identity
+```
+
+Each run prints `OK <step>: rejected` or lists `SECURITY GAP` per layer:
+`inspect_psbt` → `inspect_rgb_transfer` → `respond_to_operation (pre-ACK)` → `finalize_psbt`.
+
+## Do not use on mainnet
+
+All mnemonics and keys are public Signet test material.

src/wallet/test/fixtures/inspect_psbt_gaps/foreign_mnemonic/combined_valid1_foreign2.psbt.b64

@@ -0,0 +1 @@
+cHNidP8BAIkCAAAAAfDZk2A/M7c+GuG3/TKpiuiDRrXDhdbfNTbMmJaSqgE9BAAAAAD9////AgAAAAAAAAAAImogn6uLTWg6LmTqxpAbvoF+l5aw0iF+m9iSseSU6g1HRAFRTQAAAAAAACJRIAvI2H9T1IpW4REBa34nYclPlLoWkAASIcJDHEwtjWToNnwFACb8A1JHQgHq67c/LUb4mIBLAhXSIJb60ReaHY0J1zlVGxOLH7UNtZ0AAIuNfTOhPUcj1KF64SBRRp5pjPuRVjpw1fWtqeDt5KIE//////////8QJwAAAQCLjX0zoT1HI9SheuEgUUaeaYz7kVY6cNX1rang7eSiBKAPAAABAKAPAQIAAAABAAAAQz9CdauTCMwIwM2V1OgAAAAB15UroqgzoJnbbeTuw8Uwb2yz+EJK5v81CZRy5UkJdusIQEIPAAAAAAAABvwDUkdCAgEAJvwDUkdCBIuNfTOhPUcj1KF64SBRRp5pjPuRVjpw1fWtqeDt5KIERIuNfTOhPUcj1KF64SBRRp5pjPuRVjpw1fWtqeDt5KIEoA8AAOrrtz8tRviYgEsCFdIglvrRF5odjQnXOVUbE4sftQ21AAEBKyBOAAAAAAAAIlEg5FvK+AmWU1wzYlPThxv7XxgRzZRVAyXI4l0RFF4APyhBFH9yB7qylJ98qTQIZAhnJQJAq0NvCnNWngVfXQ+ZkbwKQaJI/H8XHVoRaCPP5Z44pTm6huFX/380gHlj5iuD7lJAt6pnLUy5q0hMQ3FK0t6kf7i3Ti0KGlZj+e4jPBTmugLpgDn68EUpF0Ft+KPrScuQ/eemmZUi4xdCRWwgC42fPUEUo17xcpAlTsqxJjmElWO7vhXd7WHj0u7kfNK5IaCks9Hn5NWT/LcpJu7b4NHjEfQazW9u8WHcuggadRaOxNzTeUCKUqXSb4UYTahTf0EA2I991aM+R2TAYuhhKzjfvjLvL6jaRrIXrtdwwhFhV06VDWGzAnwBbzYZJkNvQOjMRgitQRS4yGCmaK1Z5aAbwT0WRNafoyMD7ygqKuYEf8sm2a8TmRqsJUCKTSgjPNMl+u+t6e8Prnb8seNdCBQARbuqOBswQKBkaZNUW3Q2LVIhPhwRaQpGi6IBaRPBbSOLoPoaQADKfIV+Ttie0BsWX1qVqVel+porI3n/waIrB+39j6VH7ewiFcCm1GdCF2iKM6r3fYFcUstnOfi8er+yVWd1lRWrfNb8N2kgRDM/In+kPHAk5o8O3Vdaniv9aGGrpYSqSF9Okd1GC9ysIJBZcGVpN3shgbgktHsvlxe8qcY/g4S1Oq5bfUj3nPB3uiB/cge6spSffKk0CGQIZyUCQKtDbwpzVp4FX10PmZG8CrpSnMAhFkQzPyJ/pDxwJOaPDt1XWp4r/Whhq6WEqkhfTpHdRgvcOQFBokj8fxcdWhFoI8/lnjilObqG4Vf/fzSAeWPmK4PuUgcxCUhWAACAH58MgAAAAIAAAAAAAQAAACEWf3IHurKUn3ypNAhkCGclAkCrQ28Kc1aeBV9dD5mRvAo5AUGiSPx/Fx1aEWgjz+WeOKU5uobhV/9/NIB5Y+Yrg+5SoNMOxVYAAIAfnwyAAAAAgAAAAAABAAAAIRaQWXBlaTd7IYG4JLR7L5cXvKnGP4OEtTquW31I95zwdzkBQaJI/H8XHVoRaCPP5Z44pTm6huFX/380gHlj5iuD7lIn79oKVgAAgB+fDIAAAACAAAAAAAEAAAAhFqbUZ0IXaIozqvd9gVxSy2c5+Lx6v7JVZ3WVFat81vw3DQB8Rh5dAAAAAAEAAAABFyCm1GdCF2iKM6r3fYFcUstnOfi8er+yVWd1lRWrfNb8NwEYIEGiSPx/Fx1aEWgjz+WeOKU5uobhV/9/NIB5Y+Yrg+5SACb8A01QQwCLjX0zoT1HI9SheuEgUUaeaYz7kVY6cNX1rang7eSiBCBBXzWDxC0QZrrs01bLn15dD5uTMEmwoBY+COylms1UzAb8A01QQwEILnqwMHwhOxoG/ANNUEMQIJ+ri01oOi5k6saQG76BfpeWsNIhfpvYkrHklOoNR0QBBvwDTVBDEf0/AQMAAAgAAAAAA2jUEXMvkqcDIs0rSS7JVS70h8ky/E+n3PmCyVUf8c7+AAOnqbGwyQ+h4QH+pqw25l6+qB/yj0BLzsdRJCqLJkEalAADwixS5J9EGyoQsIKmxVPvOzrgt+HyS05ioOPvgSeaOzIBi419M6E9RyPUoXrhIFFGnmmM+5FWOnDV9a2p4O3kogRBXzWDxC0QZrrs01bLn15dD5uTMEmwoBY+COylms1UzAADIooSGjPgnVwfFvFIC0i72cb+AZnYyqtopaAcBgTGd6sAA44Vsk6ABWTlqDTqxYLcqthtPhxF8GRq5oEEcWAUV71KAAPvSaJYUh+U+z7j23eao2LVHbz0Bepvvxsx3ampcTR5AAADJhEEHy2lQe5zbWenAVdpj0b8cujZ7CYNGloot2YHO80BLnqwMHwhOxoI/AVPUFJFVAEgn6uLTWg6LmTqxpAbvoF+l5aw0iF+m9iSseSU6g1HRAEAAQUgAvx7TAsyHFsw3w4YxjcKLxzroxeVoB0LXs+hRlYjp70BBmsAwGggpWBngwqic8QQgvF5idzK2eGL8pLMYfmjCftXIbcbYxisII6fK3MD9L1TfI8bG89FmK04opp238oqI6R6QgpaEY2DuiC5ii3OW+evQJgWpReY0UdtiB2w/AJ4iqjU4MP5mpYrfLpSnCEHAvx7TAsyHFsw3w4YxjcKLxzroxeVoB0LXs+hRlYjp70NAHxGHl0AAAAABQAAACEHjp8rcwP0vVN8jxsbz0WYrTiimnbfyiojpHpCCloRjYM5AT5yB32ZQ5c+IsorP0aRfiwA29ok3d41vyFJ0AOYoH/MJ+/aClYAAIAfnwyAAAAAgAAAAAAFAAAAIQelYGeDCqJzxBCC8XmJ3MrZ4Yvyksxh+aMJ+1chtxtjGDkBPnIHfZlDlz4iyis/RpF+LADb2iTd3jW/IUnQA5igf8wHMQlIVgAAgB+fDIAAAACAAAAAAAUAAAAhB7mKLc5b569AmBalF5jRR22IHbD8AniKqNTgw/malit8OQE+cgd9mUOXPiLKKz9GkX4sANvaJN3eNb8hSdADmKB/zKDTDsVWAACAH58MgAAAAIAAAAAABQAAAAA=

src/wallet/test/fixtures/inspect_psbt_gaps/foreign_mnemonic/send_btc_foreign_only.psbt.b64

@@ -0,0 +1 @@
+cHNidP8BAIkCAAAAAfDZk2A/M7c+GuG3/TKpiuiDRrXDhdbfNTbMmJaSqgE9BAAAAAD9////AgAAAAAAAAAAImogn6uLTWg6LmTqxpAbvoF+l5aw0iF+m9iSseSU6g1HRAFRTQAAAAAAACJRIAvI2H9T1IpW4REBa34nYclPlLoWkAASIcJDHEwtjWToNnwFACb8A1JHQgHq67c/LUb4mIBLAhXSIJb60ReaHY0J1zlVGxOLH7UNtZ0AAIuNfTOhPUcj1KF64SBRRp5pjPuRVjpw1fWtqeDt5KIE//////////8QJwAAAQCLjX0zoT1HI9SheuEgUUaeaYz7kVY6cNX1rang7eSiBKAPAAABAKAPAQIAAAABAAAAQz9CdauTCMwIwM2V1OgAAAAB15UroqgzoJnbbeTuw8Uwb2yz+EJK5v81CZRy5UkJdusIQEIPAAAAAAAABvwDUkdCAgEAJvwDUkdCBIuNfTOhPUcj1KF64SBRRp5pjPuRVjpw1fWtqeDt5KIERIuNfTOhPUcj1KF64SBRRp5pjPuRVjpw1fWtqeDt5KIEoA8AAOrrtz8tRviYgEsCFdIglvrRF5odjQnXOVUbE4sftQ21AAEBKyBOAAAAAAAAIlEg5FvK+AmWU1wzYlPThxv7XxgRzZRVAyXI4l0RFF4APyhBFHh3UNI02HnjIH6M/ggO52hu9vX6XNJBKJBeHiY2ZY2Z5+TVk/y3KSbu2+DR4xH0Gs1vbvFh3LoIGnUWjsTc03lA9pJC1TCEnvqPDuJXb6wCU24+0Gejhg2+27qVBfXyA6iXNz0YpGuQHHpaOiWDaB+dxG2fZ2eaO/heZXuxsyiFF0EUf3IHurKUn3ypNAhkCGclAkCrQ28Kc1aeBV9dD5mRvApBokj8fxcdWhFoI8/lnjilObqG4Vf/fzSAeWPmK4PuUkC3qmctTLmrSExDcUrS3qR/uLdOLQoaVmP57iM8FOa6AumAOfrwRSkXQW34o+tJy5D956aZlSLjF0JFbCALjZ89QRSjXvFykCVOyrEmOYSVY7u+Fd3tYePS7uR80rkhoKSz0efk1ZP8tykm7tvg0eMR9BrNb27xYdy6CBp1Fo7E3NN5QIpSpdJvhRhNqFN/QQDYj33Voz5HZMBi6GErON++Mu8vqNpGsheu13DCEWFXTpUNYbMCfAFvNhkmQ29A6MxGCK1BFLjIYKZorVnloBvBPRZE1p+jIwPvKCoq5gR/yybZrxOZGqwlQIpNKCM80yX6763p7w+udvyx410IFABFu6o4GzBAoGRpk1RbdDYtUiE+HBFpCkaLogFpE8FtI4ug+hpAAMp8hX5O2J7QGxZfWpWpV6X6misjef/BoisH7f2PpUft7EEU6wREGJLZ8+kOUkvf4UpzNsIpSUM1FvU/xiYMAzghTf8arCVAik0oIzzTJfrvrenvD652/LHjXQgUAEW7qjgbMEBvEFf2RJRkFbqlBwJcgsClweYdc8TurU7jWuYIHh10NH+HrsDFtgyuiriC7OffUWJXZ9Win3p2enMEXX2jrxJ2IhXAptRnQhdoijOq932BXFLLZzn4vHq/slVndZUVq3zW/DdpIEQzPyJ/pDxwJOaPDt1XWp4r/Whhq6WEqkhfTpHdRgvcrCCQWXBlaTd7IYG4JLR7L5cXvKnGP4OEtTquW31I95zwd7ogf3IHurKUn3ypNAhkCGclAkCrQ28Kc1aeBV9dD5mRvAq6UpzAIRZEMz8if6Q8cCTmjw7dV1qeK/1oYaulhKpIX06R3UYL3DkBQaJI/H8XHVoRaCPP5Z44pTm6huFX/380gHlj5iuD7lIHMQlIVgAAgB+fDIAAAACAAAAAAAEAAAAhFn9yB7qylJ98qTQIZAhnJQJAq0NvCnNWngVfXQ+ZkbwKOQFBokj8fxcdWhFoI8/lnjilObqG4Vf/fzSAeWPmK4PuUqDTDsVWAACAH58MgAAAAIAAAAAAAQAAACEWkFlwZWk3eyGBuCS0ey+XF7ypxj+DhLU6rlt9SPec8Hc5AUGiSPx/Fx1aEWgjz+WeOKU5uobhV/9/NIB5Y+Yrg+5SJ+/aClYAAIAfnwyAAAAAgAAAAAABAAAAIRam1GdCF2iKM6r3fYFcUstnOfi8er+yVWd1lRWrfNb8Nw0AfEYeXQAAAAABAAAAARcgptRnQhdoijOq932BXFLLZzn4vHq/slVndZUVq3zW/DcBGCBBokj8fxcdWhFoI8/lnjilObqG4Vf/fzSAeWPmK4PuUgAm/ANNUEMAi419M6E9RyPUoXrhIFFGnmmM+5FWOnDV9a2p4O3kogQgQV81g8QtEGa67NNWy59eXQ+bkzBJsKAWPgjspZrNVMwG/ANNUEMBCC56sDB8ITsaBvwDTVBDECCfq4tNaDouZOrGkBu+gX6XlrDSIX6b2JKx5JTqDUdEAQb8A01QQxH9PwEDAAAIAAAAAANo1BFzL5KnAyLNK0kuyVUu9IfJMvxPp9z5gslVH/HO/gADp6mxsMkPoeEB/qasNuZevqgf8o9AS87HUSQqiyZBGpQAA8IsUuSfRBsqELCCpsVT7zs64Lfh8ktOYqDj74EnmjsyAYuNfTOhPUcj1KF64SBRRp5pjPuRVjpw1fWtqeDt5KIEQV81g8QtEGa67NNWy59eXQ+bkzBJsKAWPgjspZrNVMwAAyKKEhoz4J1cHxbxSAtIu9nG/gGZ2MqraKWgHAYExnerAAOOFbJOgAVk5ag06sWC3KrYbT4cRfBkauaBBHFgFFe9SgAD70miWFIflPs+49t3mqNi1R289AXqb78bMd2pqXE0eQAAAyYRBB8tpUHuc21npwFXaY9G/HLo2ewmDRpaKLdmBzvNAS56sDB8ITsaCPwFT1BSRVQBIJ+ri01oOi5k6saQG76BfpeWsNIhfpvYkrHklOoNR0QBAAEFIAL8e0wLMhxbMN8OGMY3Ci8c66MXlaAdC17PoUZWI6e9AQZrAMBoIKVgZ4MKonPEEILxeYncytnhi/KSzGH5own7VyG3G2MYrCCOnytzA/S9U3yPGxvPRZitOKKadt/KKiOkekIKWhGNg7oguYotzlvnr0CYFqUXmNFHbYgdsPwCeIqo1ODD+ZqWK3y6UpwhBwL8e0wLMhxbMN8OGMY3Ci8c66MXlaAdC17PoUZWI6e9DQB8Rh5dAAAAAAUAAAAhB46fK3MD9L1TfI8bG89FmK04opp238oqI6R6QgpaEY2DOQE+cgd9mUOXPiLKKz9GkX4sANvaJN3eNb8hSdADmKB/zCfv2gpWAACAH58MgAAAAIAAAAAABQAAACEHpWBngwqic8QQgvF5idzK2eGL8pLMYfmjCftXIbcbYxg5AT5yB32ZQ5c+IsorP0aRfiwA29ok3d41vyFJ0AOYoH/MBzEJSFYAAIAfnwyAAAAAgAAAAAAFAAAAIQe5ii3OW+evQJgWpReY0UdtiB2w/AJ4iqjU4MP5mpYrfDkBPnIHfZlDlz4iyis/RpF+LADb2iTd3jW/IUnQA5igf8yg0w7FVgAAgB+fDIAAAACAAAAAAAUAAAAA

src/wallet/test/fixtures/inspect_psbt_gaps/foreign_mnemonic/send_btc_unsigned.psbt.b64

@@ -0,0 +1 @@
+cHNidP8BAIkCAAAAAR592bwhky4wG0ZuOtSl9ff7hBgmj2hwTkeDdjHzITayAAAAAAD9////AlDDAAAAAAAAIlEgAZoKMjrgDWuvvARXO1559jOZ0t0mF9MHoy94aLGgsBnhw1FqdAAAACJRIDE7ct+Dp5K3VTeAcMCSXFAN890fVuyu6Mtc7ddJflFldXwFAAABASsAiFJqdAAAACJRIO8XE2xbcVR1xkVn5RO57nf/18O4XKp8ZEpDRYCT9H1dIhXBTHD/T1dAqX3LLgjfXvoxc8FQb2CZ14LwU2kSyjvmP3dpIOZfBFEjBcFVG1eKlrAdW3lQI2o5wuw7y8j9KhAxQ4YqrCCcWMeNPZ3gRwgtMBSzuGwg+YiT2oatEqh3fuEnLohl7rogjOyw/Yos0zgKEDa9/wgiKsSmrZHmq2PAbUA9SHLiY5a6UpzAIRZMcP9PV0CpfcsuCN9e+jFzwVBvYJnXgvBTaRLKO+Y/dw0AfEYeXQAAAAAiAAAAIRaM7LD9iizTOAoQNr3/CCIqxKatkearY8BtQD1IcuJjljkBruys4bN82JckVPH46bOVrfBM688U+UIU1e7zA05e2eCg0w7FVgAAgAEAAIAAAACAAAAAACIAAAAhFpxYx409neBHCC0wFLO4bCD5iJPahq0SqHd+4ScuiGXuOQGu7Kzhs3zYlyRU8fjps5Wt8EzrzxT5QhTV7vMDTl7Z4Cfv2gpWAACAAQAAgAAAAIAAAAAAIgAAACEW5l8EUSMFwVUbV4qWsB1beVAjajnC7DvLyP0qEDFDhio5Aa7srOGzfNiXJFTx+Omzla3wTOvPFPlCFNXu8wNOXtngBzEJSFYAAIABAACAAAAAgAAAAAAiAAAAARcgTHD/T1dAqX3LLgjfXvoxc8FQb2CZ14LwU2kSyjvmP3cBGCCu7Kzhs3zYlyRU8fjps5Wt8EzrzxT5QhTV7vMDTl7Z4AAAAQUgV1qIXHw0W8zAe8Crcml8zL2au9RI3tuS4qyUGtAKyekBBmsAwGggCEn3BxeAK/LtPGIbVBbUeIL/wk/yKjQ+dMADC9wAyVKsIPj/MRbFWmPSXGrRYt9YorQxsH8ROdjB95QTUesNc3DruiDz9wP3h/X7T3x9hHOb90uQFcM0vfKFMdMi50yBZfabgbpSnCEHCEn3BxeAK/LtPGIbVBbUeIL/wk/yKjQ+dMADC9wAyVI5AfVCXp863ZAel5jUqNeGuAE+naGW1M87EfxyK3oiLXKIBzEJSFYAAIABAACAAAAAgAAAAAACAAAAIQdXWohcfDRbzMB7wKtyaXzMvZq71Eje25LirJQa0ArJ6Q0AfEYeXQAAAAACAAAAIQfz9wP3h/X7T3x9hHOb90uQFcM0vfKFMdMi50yBZfabgTkB9UJenzrdkB6XmNSo14a4AT6doZbUzzsR/HIreiItcoig0w7FVgAAgAEAAIAAAACAAAAAAAIAAAAhB/j/MRbFWmPSXGrRYt9YorQxsH8ROdjB95QTUesNc3DrOQH1Ql6fOt2QHpeY1KjXhrgBPp2hltTPOxH8cit6Ii1yiCfv2gpWAACAAQAAgAAAAIAAAAAAAgAAAAA=

src/wallet/test/fixtures/inspect_psbt_gaps/keys/wallet_1.keys.json

@@ -0,0 +1,8 @@
+{
+  "mnemonic": "else echo damage jealous green april knife prize corn stairs mother style",
+  "xpub": "tpubD6NzVbkrYhZ4WTqVBH4M39sbqegohRZ1beXGdiFVaDh7ZNueYe9f2vyTA1gFShTkeJTKkd6guczorByyYEsiq9tFWRi3ErN6Fek4MWTj25u",
+  "account_xpub_vanilla": "tpubDDPXUJ8Zm9YLxyg8fHAwZEKPUdV63b5GDA2XQov3xP4D7QUaZNtUE5HxbZRJerYHBuJaZm7gsmffPDPa7qfV33LP9dNJjZybD5AhrR5aG2o",
+  "account_xpub_colored": "tpubDC89L63ALPX4yxaguKmQhfn2zLFv2GyjihKgJ8MqsDqrCGEw53vGt1df7GTAsgmCnU6MLkesZZfAGKMVMjchMoDVuZTjWL63nkn7WvEBrXW",
+  "master_fingerprint": "a0d30ec5",
+  "witness_version": "Taproot"
+}

src/wallet/test/fixtures/inspect_psbt_gaps/keys/wallet_2.keys.json

@@ -0,0 +1,8 @@
+{
+  "mnemonic": "stumble measure text goat gate virus inform age kick punch giraffe coast",
+  "xpub": "tpubD6NzVbkrYhZ4WgY86c9LaEVfPF18FKL9Xfqqpci14M4Awu6M4NDzTGntUFKTDyGwM9GuLr6us73s4cg14WrQjmFpMVqRWE3wA2cXe4XkcX9",
+  "account_xpub_vanilla": "tpubDDqkxr2nDKQdDFPV9w6xnRQQWs7UZ9fgmpj2c8AR4fKAUEPR2uSQhnV4AL6D8XutaqhSzRingsA8fKegVanwdRyyege3iJsQaoMZ74JmjYE",
+  "account_xpub_colored": "tpubDCyM9iGCqRoruh6fr5B87cntA6pKDTJV2CVXndi8wvcatPXboeJs52RAQ1XXEbBdshgN8ttdcZUEA6XcS33ZXXjtVosMcvtf516orwfJGZJ",
+  "master_fingerprint": "27efda0a",
+  "witness_version": "Taproot"
+}

src/wallet/test/fixtures/inspect_psbt_gaps/keys/wallet_3.keys.json

@@ -0,0 +1,8 @@
+{
+  "mnemonic": "trip guide left lottery mixed network faint swing combine thought march allow",
+  "xpub": "tpubD6NzVbkrYhZ4WnxPyfY4htdyVH4Fjk5HcvG7rHYkdRshGEnXnvksJGusZvvYt4BNcGzvU6N9g9eM3zWbDt35Es4A6eHDpFmkWW8qVbWyoVU",
+  "account_xpub_vanilla": "tpubDCKJZh6VBQZBU1k67ASkgZZqUwV2go2MsnyKwKwY6vtcwqxhxuqhqnT9G5FhAu5pX2CFxZ1YGNkjRuS2LAYQRCpGW1BFoUPCwy7ALywMiBU",
+  "account_xpub_colored": "tpubDCM2tNjRs8MZ8bzYDkgvttm9cNQSg5sxix9fSoYgSPgarYqaTS7oGTfTFyvvLZYs8kCFjvEZHBxVMi7dfqwHZBKdxL5aydFC59bmmgMWaCj",
+  "master_fingerprint": "07310948",
+  "witness_version": "Taproot"
+}