fix(drive-abci): free advanced structure validation for invalid batch transitions

[shumkov]

Issue being fixed or feature implemented

Validators currently do advanced-structure validation work for free on invalid batch document transitions. When a per-transition check fails — find_replaced_document_v0, check_ownership_of_old_replaced_document_v0, check_revision_is_bumped_by_one_during_replace_v0, DocumentNotForSaleError, DocumentIncorrectPurchasePriceError — the failure path returns errors-only with no action data. The empty BatchTransitionAction flows up through flatten / merge_many and the transition is recorded as PaidConsensusError, but because there's no BumpIdentityDataContractNonce action, no UpdateIdentityContractNonce drive op is created. Two consequences:

• The user is only charged the bare-bump fee (≤ 41880 credits), not for the actual validation work the validator performed (document fetch + ownership/revision check).
• The contract nonce in state stays at the pre-tx value, so the same exact bytes can be re-broadcast — they pass CheckTx FirstTimeCheck again because the nonce slot is still free.

The mainnet duplicate-transaction symptom (issue #2867 — 35C08D…313C reappearing in multiple blocks) is the most visible consequence. The architectural mainnet fix is in #3616 (return data: None from the aggregators so all-failed batches become UnpaidConsensusError and are removed from the block). This PR is the complementary layer: when a transition does land in a block but its per-transition check fails, the user pays for the work that ran.

What was done?

Patched all 13 per-transition failure paths in packages/rs-drive-abci/.../batch/transformer/v0/mod.rs::transform_document_transition_v0 to emit a BumpIdentityDataContractNonceAction:

Arm	Failure paths bumped
Replace	find_replaced, check_ownership, check_revision
Transfer	find_replaced, check_ownership, check_revision
UpdatePrice	find_replaced, check_ownership, check_revision
Purchase	find_replaced, DocumentNotForSale, DocumentIncorrectPurchasePrice, check_revision

Cleaned up the now-dead let result = ConsensusValidationResult::new(); and if result.is_valid() { ... } else { Ok(result) } tails in those four arms.

How Has This Been Tested?

New regression test at batch/tests/document/replacement.rs::replayed_failed_replace_with_consumed_nonce_must_be_rejected_at_check_tx:

1. Create at nonce 2 → succeeds, doc at revision 1.
2. Replace at nonce 3 with revision 3 → check_revision_is_bumped_by_one fails.
3. Assert the bump advanced the contract nonce in state.
4. Re-submit the same exact bytes through state_transition_to_execution_event_for_check_tx with FirstTimeCheck.
5. Assert it's rejected with InvalidIdentityNonceError.

Three sibling tests had hard-coded fee assertions matching the old (under-charged) numbers; updated:

• test_document_replace_on_document_type_that_is_not_mutable: 41880 → 445700
• test_document_transfer_that_does_not_yet_exist: 36200 → 517400
• test_document_set_price_on_not_owned_document: 36200 → 571240

The new fee covers the fetch + structural check that ran before the failure (same drive ops, just charged correctly).

• cargo test -p drive-abci --lib batch::tests::document: 72 passed, 0 failed.

Breaking Changes

Consensus-affecting for PROTOCOL_VERSION_12 (current v3.1-dev, not yet active on mainnet — mainnet runs PROTOCOL_VERSION_11):

1. State: identity_contract_nonce advances on every per-transition failure path now, not just on find_replaced_document_v0 for Replace.
2. Fees: validators that fail the same transition pay a higher processing fee — the fee covers the document fetch + ownership/revision check that already ran. Those drive ops were happening before; they were just being charged as 0.

Activation should coincide with the v3.1 hard-fork.

Checklist

• Self-reviewed
• Comments on hard-to-understand areas
• Added/updated tests
• "!" in title — n/a (pre-release internal protocol version; consensus impact described above; no public API break)
• Documentation changes — n/a

Summary by CodeRabbit

• Bug Fixes

  • Improved cost handling for failed document operations; validation fees are now properly assessed when operations fail validation checks.

• Tests

  • Enhanced test coverage for document operations with version-specific fee validations across protocol versions.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds a new failed_per_transition_action feature version field to batch document transition validation configuration, enabling protocol version 12+ to emit BumpIdentityDataContractNonce batched actions when document transitions fail validation. The transformer is refactored to route Replace, Transfer, UpdatePrice, and Purchase failures through a helper that returns both bump actions and errors (or errors-only for older protocol versions). Test expectations are updated to reflect higher processing fees that include bump action costs, and a regression test validates that failed transitions consume identity contract nonce to prevent replay attacks.

Changes

Batch Document Transition Fee Bump Actions

Layer / File(s)	Summary
Platform Version Configuration Schema packages/rs-platform-version/src/version/.../mod.rs	Adds failed_per_transition_action: FeatureVersion field to DriveAbciDocumentsStateTransitionValidationVersions with documentation describing emitted action behavior across protocol versions.
Protocol Version Initialization packages/rs-platform-version/src/version/.../v1.rs, v2.rs, v3.rs, v4.rs, v5.rs, v6.rs, v7.rs, v8.rs	Field initialized to 0 (disabled) in v1–v7, and set to 1 (enabled) in v8 for PROTOCOL_VERSION_12. v5 also enables masternode vote nonce validation.
Transformer Core Implementation packages/rs-drive-abci/src/.../transformer/v0/mod.rs	Replace, Transfer, UpdatePrice, Purchase branches refactored to emit BumpIdentityDataContractNonce actions on validation failures (missing document, ownership/revision mismatch, price validation). New helper routes behavior by protocol version.
Test Updates – NFT, Transfer, Replace packages/rs-drive-abci/src/.../tests/document/nft.rs, transfer.rs, replacement.rs	Tests refactored with protocol-version-aware helpers asserting version-specific expected fees (e.g., 571240 for PV12+, legacy values for PV11). Regression test validates nonce consumption prevents replay.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 A hop and a bump in the ledger we go,
Protocol-version fees now steal the show!
When transitions stumble, the nonce takes a leap,
Preventing replays in the blockchain's keep. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title directly and clearly summarizes the main change: ensuring identity contract nonce is bumped (free advanced structure validation) for invalid batch transitions, which is the core fix described in the PR objectives.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/issue-2867-bump-nonce-on-failed-batch-document-transitions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 61.11111% with 42 lines in your changes missing coverage. Please review.
✅ Project coverage is 88.29%. Comparing base (d048dc8) to head (24437ef).

Files with missing lines	Patch %	Lines
...tion/state_transitions/batch/transformer/v0/mod.rs	61.11%	42 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##           v3.1-dev    #3608      +/-   ##
============================================
- Coverage     88.29%   88.29%   -0.01%     
============================================
  Files          2479     2479              
  Lines        301659   301710      +51     
============================================
+ Hits         266347   266381      +34     
- Misses        35312    35329      +17     

Components	Coverage Δ
dpp	87.95% <ø> (ø)
drive	87.37% <ø> (ø)
drive-abci	90.23% <61.11%> (-0.02%)	⬇️
sdk	∅ <ø> (∅)
dapi-client	∅ <ø> (∅)
platform-version	∅ <ø> (∅)
platform-value	92.17% <ø> (ø)
platform-wallet	∅ <ø> (∅)
drive-proof-verifier	55.66% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[thepastaclaw]

✅ Review complete (commit 24437ef)

[coderabbitai]

🧹 Nitpick comments (2)

packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/transformer/v0/mod.rs (1)

667-758: ⚡ Quick win

Factor out the nonce-bump failure return and drop the inert result.

result is never mutated here, so if result.is_valid() is always true and the else branch is dead. The repeated BumpIdentityDataContractNonce construction across these arms is also the exact pattern that drifted and caused this bug class in the first place. A small helper that builds the bump+errors result would make the control flow clearer and reduce the chance of missing another failure path later.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/transformer/v0/mod.rs`
around lines 667 - 758, The code creates identical BumpIdentityDataContractNonce
actions and returns ConsensusValidationResult with errors in several places
while keeping an inert local result
(ConsensusValidationResult::<BatchedTransitionAction> result) that is never
mutated; remove that dead variable and factor the repeated failure-return into a
small helper (e.g. build_bump_failure_result or bump_with_errors) that takes the
borrowed DocumentBaseTransition (document_replace_transition.base()), owner_id
and the validation errors and returns
ConsensusValidationResult::new_with_data_and_errors(BatchedTransitionAction::BumpIdentityDataContractNonce(<...>),
errors) using
BumpIdentityDataContractNonceAction::from_borrowed_document_base_transition;
replace each repeated block that constructs the bump action and returns with
calls to this helper, and after creating execution_context.add_operation(...)
simply return the successful DocumentReplaceTransitionAction instead of checking
the unused result.

packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/tests/document/replacement.rs (1)

868-880: ⚡ Quick win

Assert the exact consumed nonce here.

assert_ne! proves “something changed,” but this regression is really about consuming exactly one contract nonce on the failed replace. If this ever starts double-bumping, this test would still pass while consensus behavior changed.

Suggested tightening

-        assert_ne!(
-            post_replace_nonce, post_create_nonce,
-            "BUG: failed Replace's bump action did not advance the contract \
-             nonce. Stored nonce is still {:`#x`} (= post-create value), so the \
-             same exact serialized bytes can be replayed forever. \
-             Root cause: batch/transformer/v0/mod.rs:712-715 (and 697-700) \
-             return Ok(result) with errors-only and no BumpIdentityDataContractNonce \
-             action when check_revision_is_bumped_by_one_during_replace_v0 (or \
-             check_ownership_of_old_replaced_document_v0) fails — unlike the \
-             find_replaced_document_v0 failure path on the same arm (lines \
-             672-686) which does emit the bump.",
-            post_create_nonce
-        );
+        assert_eq!(
+            post_replace_nonce,
+            post_create_nonce + 1,
+            "failed Replace should consume exactly one identity_contract_nonce"
+        );

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/tests/document/replacement.rs`
around lines 868 - 880, The assertion currently only checks that
post_replace_nonce differs from post_create_nonce (assert_ne!), but we must
assert it was advanced by exactly one; update the test to assert that
post_replace_nonce equals post_create_nonce + 1 (use the appropriate increment/
wrapping_add for the nonce type) so the test fails if nonce is not consumed
exactly once (refer to the variables post_replace_nonce and post_create_nonce in
the replacement test).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In
`@packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/tests/document/replacement.rs`:
- Around line 868-880: The assertion currently only checks that
post_replace_nonce differs from post_create_nonce (assert_ne!), but we must
assert it was advanced by exactly one; update the test to assert that
post_replace_nonce equals post_create_nonce + 1 (use the appropriate increment/
wrapping_add for the nonce type) so the test fails if nonce is not consumed
exactly once (refer to the variables post_replace_nonce and post_create_nonce in
the replacement test).

In
`@packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/transformer/v0/mod.rs`:
- Around line 667-758: The code creates identical BumpIdentityDataContractNonce
actions and returns ConsensusValidationResult with errors in several places
while keeping an inert local result
(ConsensusValidationResult::<BatchedTransitionAction> result) that is never
mutated; remove that dead variable and factor the repeated failure-return into a
small helper (e.g. build_bump_failure_result or bump_with_errors) that takes the
borrowed DocumentBaseTransition (document_replace_transition.base()), owner_id
and the validation errors and returns
ConsensusValidationResult::new_with_data_and_errors(BatchedTransitionAction::BumpIdentityDataContractNonce(<...>),
errors) using
BumpIdentityDataContractNonceAction::from_borrowed_document_base_transition;
replace each repeated block that constructs the bump action and returns with
calls to this helper, and after creating execution_context.add_operation(...)
simply return the successful DocumentReplaceTransitionAction instead of checking
the unused result.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 71594617-1229-483e-aab0-52132a18b224

📥 Commits

Reviewing files that changed from the base of the PR and between ec0a605 and 5cdc306.

📒 Files selected for processing (5)

• packages/rs-dpp/src/state_transition/serialization.rs
• packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/tests/document/nft.rs
• packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/tests/document/replacement.rs
• packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/tests/document/transfer.rs
• packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/transformer/v0/mod.rs

[QuantumExplorer]

We need to add a test that the state transition that causes a dedup continues to do the same (bad) thing in version 11 and below. Also the fix you did is not versioned which would lead to a chain stall.

[QuantumExplorer]

This should be the user_fee_increase, not 0

[QuantumExplorer]

Nvm, it can be anything, but we should leave a comment saying that it's okay that it's 0 because it's in a batch_action, and the batch_action will override the user fee increase.

[QuantumExplorer]

We need to add a test to verify that in version 11 the fees stay constant.

[QuantumExplorer]

We need to add a test that in version 11 the fees stay the same.

[QuantumExplorer]

We need to add a test that in version 11 the fees stay the same.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/rs-platform-version/src/version/drive_abci_versions/drive_abci_validation_versions/v7.rs (1)

2836-2840: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Pin this fee test to protocol 12 instead of latest().

Line 2838 currently binds an exact fee (571240) to PlatformVersion::latest(). That can become flaky when a newer protocol updates fee accounting. Pinning explicitly to protocol 12 keeps this regression stable and scoped to the intended activation boundary.

Suggested change

-    async fn test_document_set_price_on_not_owned_document() {
+    async fn test_document_set_price_on_not_owned_document_protocol_version_12() {
         run_document_set_price_on_not_owned_document_at_protocol_version(
-            PlatformVersion::latest().protocol_version,
+            12,
             571240,
         )
         .await;
     }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@packages/rs-platform-version/src/version/drive_abci_versions/drive_abci_validation_versions/v7.rs`
around lines 2836 - 2840, The test pins an exact fee (571240) to
PlatformVersion::latest(), which can break as newer protocols change fees;
update the test to explicitly target protocol 12 by replacing
PlatformVersion::latest() with the protocol-12 variant (e.g.,
PlatformVersion::V12 or the equivalent constructor that yields protocol 12)
where the fee 571240 is asserted so the fee expectation remains stable and
scoped to the intended activation boundary.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/tests/document/replacement.rs`:
- Around line 873-879: The current assertion uses assert_ne!(post_replace_nonce,
post_create_nonce) which allows the nonce to decrease; change it to assert that
post_replace_nonce is strictly greater than post_create_nonce (e.g., use
assert!(post_replace_nonce > post_create_nonce, "...")) so the test enforces
monotonic nonce advancement after the Replace bump action; update the failure
message to reflect that we expect a larger (advanced) nonce and reference the
variables post_replace_nonce and post_create_nonce in the message.

---

Outside diff comments:
In
`@packages/rs-platform-version/src/version/drive_abci_versions/drive_abci_validation_versions/v7.rs`:
- Around line 2836-2840: The test pins an exact fee (571240) to
PlatformVersion::latest(), which can break as newer protocols change fees;
update the test to explicitly target protocol 12 by replacing
PlatformVersion::latest() with the protocol-12 variant (e.g.,
PlatformVersion::V12 or the equivalent constructor that yields protocol 12)
where the fee 571240 is asserted so the fee expectation remains stable and
scoped to the intended activation boundary.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4fdabee4-8c7b-41c0-9bec-dcfede804d50

📥 Commits

Reviewing files that changed from the base of the PR and between 5cdc306 and be4a538.

📒 Files selected for processing (13)

• packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/tests/document/nft.rs
• packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/tests/document/replacement.rs
• packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/tests/document/transfer.rs
• packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/transformer/v0/mod.rs
• packages/rs-platform-version/src/version/drive_abci_versions/drive_abci_validation_versions/mod.rs
• packages/rs-platform-version/src/version/drive_abci_versions/drive_abci_validation_versions/v1.rs
• packages/rs-platform-version/src/version/drive_abci_versions/drive_abci_validation_versions/v2.rs
• packages/rs-platform-version/src/version/drive_abci_versions/drive_abci_validation_versions/v3.rs
• packages/rs-platform-version/src/version/drive_abci_versions/drive_abci_validation_versions/v4.rs
• packages/rs-platform-version/src/version/drive_abci_versions/drive_abci_validation_versions/v5.rs
• packages/rs-platform-version/src/version/drive_abci_versions/drive_abci_validation_versions/v6.rs
• packages/rs-platform-version/src/version/drive_abci_versions/drive_abci_validation_versions/v7.rs
• packages/rs-platform-version/src/version/drive_abci_versions/drive_abci_validation_versions/v8.rs

✅ Files skipped from review due to trivial changes (1)

• packages/rs-platform-version/src/version/drive_abci_versions/drive_abci_validation_versions/v3.rs

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/transformer/v0/mod.rs

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Strengthen nonce assertion to enforce monotonic advancement.

assert_ne! can pass even if nonce changes in the wrong direction. This test should assert that post-failure nonce is strictly greater than post-create nonce.

Suggested assertion hardening

-        assert_ne!(
-            post_replace_nonce, post_create_nonce,
-            "failed Replace's bump action did not advance the contract \
-             nonce — stored nonce is still {:`#x`} (= post-create value), so \
-             the same serialized bytes can be replayed",
-            post_create_nonce
-        );
+        assert!(
+            post_replace_nonce > post_create_nonce,
+            "failed Replace must strictly advance contract nonce: post_create={:`#x`}, post_replace={:`#x`}",
+            post_create_nonce,
+            post_replace_nonce
+        );

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	assert_ne!(
	post_replace_nonce, post_create_nonce,
	"failed Replace's bump action did not advance the contract \
	nonce — stored nonce is still {:#x} (= post-create value), so \
	the same serialized bytes can be replayed",
	post_create_nonce
	);
	assert!(
	post_replace_nonce > post_create_nonce,
	"failed Replace must strictly advance contract nonce: post_create={:`#x`}, post_replace={:`#x`}",
	post_create_nonce,
	post_replace_nonce
	);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/tests/document/replacement.rs`
around lines 873 - 879, The current assertion uses
assert_ne!(post_replace_nonce, post_create_nonce) which allows the nonce to
decrease; change it to assert that post_replace_nonce is strictly greater than
post_create_nonce (e.g., use assert!(post_replace_nonce > post_create_nonce,
"...")) so the test enforces monotonic nonce advancement after the Replace bump
action; update the failure message to reflect that we expect a larger (advanced)
nonce and reference the variables post_replace_nonce and post_create_nonce in
the message.

[thepastaclaw]

Code Review

I verified the PR at be4a538372563e2ed75cefbe7f4129675b0b03ad and did not find a correctness or consensus-safety defect in the implementation. The only issue I could confirm is a regression-coverage gap: purchase failures now use the same consensus-visible version gate as other per-transition document failures, but the tests do not pin that behavior across protocol versions.

Reviewed commit: be4a538

🟡 1 suggestion(s)

1 additional finding

🟡 suggestion: Purchase failure paths are not pinned with the same version-specific assertions as the other new failed-per-transition cases

packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/tests/document/nft.rs (lines 1666-1861)

DocumentTransition::Purchase now routes both DocumentNotForSaleError and DocumentIncorrectPurchasePriceError through failed_per_transition_action, so from protocol 12 onward these failures must emit a BumpIdentityDataContractNonce action, charge the higher processing fee, and consume the contract nonce. The existing purchase regression in this file only checks that the wrong-price path becomes a PaidConsensusError with the expected message, and there is no paired protocol-11/protocol-12 assertion for either wrong-price or not-for-sale purchase failures. That leaves the purchase arm less protected than the replace, transfer, and update-price arms, whose tests now pin the version-specific fee behavior and, for replace, nonce consumption semantics. Because both fee accounting and nonce advancement are consensus-visible, this is a real regression-coverage gap.

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/tests/document/nft.rs`:
- [SUGGESTION] lines 1666-1861: Purchase failure paths are not pinned with the same version-specific assertions as the other new failed-per-transition cases
  `DocumentTransition::Purchase` now routes both `DocumentNotForSaleError` and `DocumentIncorrectPurchasePriceError` through `failed_per_transition_action`, so from protocol 12 onward these failures must emit a `BumpIdentityDataContractNonce` action, charge the higher processing fee, and consume the contract nonce. The existing purchase regression in this file only checks that the wrong-price path becomes a `PaidConsensusError` with the expected message, and there is no paired protocol-11/protocol-12 assertion for either wrong-price or not-for-sale purchase failures. That leaves the purchase arm less protected than the replace, transfer, and update-price arms, whose tests now pin the version-specific fee behavior and, for replace, nonce consumption semantics. Because both fee accounting and nonce advancement are consensus-visible, this is a real regression-coverage gap.

[thepastaclaw]

Code Review

The implementation at 24437ef8b3279d856a39437ccf62f94748b4f7c9 is internally consistent: DocumentTransition::Purchase now goes through the same failed_per_transition_action version gate as the other per-transition document failures, and protocol 12 correctly enables nonce-bumping actions while protocol 11 preserves legacy behavior. The remaining issue is a real regression-coverage gap: the purchase-specific failure tests still do not pin the protocol-11 versus protocol-12 fee and nonce semantics that this PR made consensus-visible.

Reviewed commit: 24437ef

🟡 1 suggestion(s)

1 additional finding

🟡 suggestion: Purchase failure paths are still not pinned across the protocol 11/12 gate

packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/tests/document/nft.rs (lines 1666-2358)

DocumentTransition::Purchase now routes both wrong-price and not-for-sale failures through failed_per_transition_action, and that helper is explicitly versioned: protocol 11 returns errors only, while protocol 12 emits BumpIdentityDataContractNonce, charges for the fetch/validation work that already ran, and consumes the contract nonce. In nft.rs, test_document_set_price_and_try_purchase_at_different_amount and test_document_set_price_and_purchase_then_try_buy_back only run at PlatformVersion::latest() and only assert the PaidConsensusError message. Unlike the replace, transfer, and update-price failure tests added elsewhere in this PR, these purchase-specific branches do not assert the version-specific processing-fee baseline or that replay is prevented once the nonce is consumed. Because fee accounting and nonce advancement are consensus-visible, leaving these purchase paths unpinned makes it easy for a later refactor to silently regress protocol 12 back to the old protocol 11 semantics.

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/tests/document/nft.rs`:
- [SUGGESTION] lines 1666-2358: Purchase failure paths are still not pinned across the protocol 11/12 gate
  `DocumentTransition::Purchase` now routes both wrong-price and not-for-sale failures through `failed_per_transition_action`, and that helper is explicitly versioned: protocol 11 returns errors only, while protocol 12 emits `BumpIdentityDataContractNonce`, charges for the fetch/validation work that already ran, and consumes the contract nonce. In `nft.rs`, `test_document_set_price_and_try_purchase_at_different_amount` and `test_document_set_price_and_purchase_then_try_buy_back` only run at `PlatformVersion::latest()` and only assert the `PaidConsensusError` message. Unlike the replace, transfer, and update-price failure tests added elsewhere in this PR, these purchase-specific branches do not assert the version-specific processing-fee baseline or that replay is prevented once the nonce is consumed. Because fee accounting and nonce advancement are consensus-visible, leaving these purchase paths unpinned makes it easy for a later refactor to silently regress protocol 12 back to the old protocol 11 semantics.

[shumkov]

Consolidated into #3616. Branch merged on top; PR #3616 now carries both the aggregator versioning and the per-transition bump emission as a single fix for issue #2867.