fix(drive-abci): fixed issue with adding a key with contract bounds

[QuantumExplorer]

Issue being fixed or feature implemented

Adding a key with contract bounds would not work, this was because the inner paths did not yet exist.

What was done?

• Changed the grovedb and related dependencies in Cargo.toml from a git source to version 3.0.0.
• Updated the Cargo.lock file accordingly to reflect the new dependency versions.
• Added a new error if you are giving a non ENCRYPTION/DECRYPTION key for contract bounds.
• Properly handle adding a key with contract bounds with identity update state transition.

How Has This Been Tested?

The changes have been tested by running existing unit and integration tests to ensure that the application functions correctly with the updated dependencies.

Breaking Changes

None

Checklist

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have added or updated relevant unit/integration/functional/e2e tests

For repository code-owners and collaborators only

• I have assigned this pull request to a milestone

Summary by CodeRabbit

• New Features

  • Introduced a specific error for invalid key purposes in contract bounds, providing clearer feedback when an unsupported key purpose is used.
  • Enhanced test coverage for identity updates by adding tests for contract-bound and document-level contract-bound public keys.

• Bug Fixes

  • Improved error reporting in identity public key contract bound validation, distinguishing between missing contracts and invalid key purposes.

• Chores

  • Updated dependencies to use published crate versions instead of Git references, improving maintainability.
  • Removed unused imports and unnecessary debug print statements.

• Tests

  • Added comprehensive tests for identity updates involving contract-bound keys.
  • Updated test utilities for flexible identity and contract setup.

• Refactor

  • Improved handling of optional identity public keys in query results.
  • Adjusted function signatures and test setups for better clarity and extensibility.

[coderabbitai]

Walkthrough

This update introduces a new error type for invalid key purposes in contract bounds, integrates it into consensus error handling, and adds comprehensive tests for identity updates involving contract-bound keys. It also adds helper functions for handling optional identity public keys, adjusts dependency specifications, and refines test and query logic for identity key management.

Changes

Files/Paths	Change Summary
.../evaluate_interval.rs	Made certain imports conditional on the token-reward-explanations feature.
.../basic_error.rs, .../identity/invalid_key_purpose_for_contract_bounds_error.rs, .../identity/mod.rs, .../codes.rs, .../consensus/consensus_error.rs	Added new error type InvalidKeyPurposeForContractBoundsError and integrated it into consensus error handling and error code mapping.
.../check_tx/v0/mod.rs, .../identity_update/mod.rs	Updated test unpacking to account for additional return value from setup function; added two new comprehensive tests for contract-bound key updates.
.../validate_identity_public_key_contract_bounds/v0/mod.rs	Replaced generic error with new specific error for invalid key purposes in contract bounds validation.
.../token/direct_selling/mod.rs	Removed unused import in a test.
.../batch/transformer/v0/mod.rs	Removed a debug print statement for missing contracts.
.../state_transitions/mod.rs	Added IdentityTestInfo enum and register_contract_from_bytes function for flexible test setup; updated setup_identity_return_master_key to return an extra key.
.../key/fetch/mod.rs	Added helper functions for handling optional identity public keys; updated trait implementation to process query results into a map of key IDs to optional public keys.
.../grove_get_path_query_with_optional/v0/mod.rs	Changed a boolean argument in a GroveDB query from true to false.
.../Cargo.toml (rs-drive, rs-platform-version)	Updated grovedb and grovedb-version dependencies from Git references to version 3.0.0.

Sequence Diagram(s)

sequenceDiagram
    participant Test as Test Suite
    participant Platform as Platform
    participant Identity as Identity
    participant Contract as DataContract

    Test->>Platform: setup_identity_return_master_key()
    Platform-->>Test: (Identity, Signer, CriticalKey, MasterKey)

    Test->>Platform: register_contract_from_bytes(bytes, IdentityTestInfo, version)
    Platform->>Contract: Deserialize contract from bytes
    Platform->>Identity: Generate or use provided identity/signer/key
    Platform->>Contract: Set contract ID using identity & nonce
    Platform->>Platform: Create & sign DataContractCreateTransition
    Platform->>Platform: Process state transition (GroveDB tx)
    Platform-->>Test: DataContract

    Test->>Platform: Create IdentityUpdateTransition (add contract-bound key)
    Test->>Platform: Process state transition (GroveDB tx)
    Platform-->>Test: Result (success/failure)
    Test->>Platform: Commit transaction
    Test->>Platform: Fetch and verify updated identity keys

Loading

Possibly related PRs

• fix(drive): proved identity update was giving error #2642: Adds new test cases for identity update state transitions involving adding new public keys, related by testing identity update key additions but focusing on authentication keys instead of contract-bound keys.

Suggested labels

enhancement, cleanup

Suggested reviewers

• shumkov

Poem

In the warren of code, a new error hops in,
For contract-bound keys, let the right purpose win!
Tests now abound for identities bound,
With helpers and checks, new bugs won’t be found.
Dependencies trimmed, the garden is neat—
This rabbit declares: the update’s complete! 🐇✨

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cd77264 and d3bec8a.

📒 Files selected for processing (1)

• packages/rs-drive-abci/src/execution/validation/state_transition/common/validate_identity_public_key_contract_bounds/v0/mod.rs (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/rs-drive-abci/src/execution/validation/state_transition/common/validate_identity_public_key_contract_bounds/v0/mod.rs

⏰ Context from checks skipped due to timeout of 90000ms (20)

• GitHub Check: Rust packages (wasm-dpp) / Linting
• GitHub Check: Rust packages (drive) / Unused dependencies
• GitHub Check: Rust packages (drive) / Linting
• GitHub Check: Rust packages (drive) / Formatting
• GitHub Check: Rust packages (drive) / Tests
• GitHub Check: Rust packages (dpp) / Unused dependencies
• GitHub Check: Rust packages (dpp) / Check each feature
• GitHub Check: Rust packages (dpp) / Formatting
• GitHub Check: Rust packages (dpp) / Linting
• GitHub Check: Rust packages (dpp) / Tests
• GitHub Check: Rust packages (dash-sdk) / Check each feature
• GitHub Check: Rust packages (dash-sdk) / Formatting
• GitHub Check: Rust packages (dash-sdk) / Linting
• GitHub Check: Rust packages (dash-sdk) / Tests
• GitHub Check: Rust packages (dash-sdk) / Unused dependencies
• GitHub Check: Build Docker images (Dashmate helper, dashmate-helper, dashmate-helper) / Build Dashmate helper image
• GitHub Check: Build Docker images (DAPI, dapi, dapi) / Build DAPI image
• GitHub Check: Build Docker images (Drive, drive, drive-abci) / Build Drive image
• GitHub Check: Build JS packages / Build JS
• GitHub Check: Rust crates security audit

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[QuantumExplorer]

Self reviewed

[coderabbitai]

Actionable comments posted: 3

🔭 Outside diff range comments (1)

packages/rs-drive-abci/src/execution/validation/state_transition/common/validate_identity_public_key_contract_bounds/v0/mod.rs (1)

248-256: DECRYPTION branch erroneously calls the encryption requirement helper

document_type.requires_identity_encryption_bounded_key() is invoked inside the DECRYPTION arm.
This should be the symmetric requires_identity_decryption_bounded_key() to respect contract-level settings.

-    let Some(requirements) = document_type
-        .requires_identity_encryption_bounded_key()
+    let Some(requirements) = document_type
+        .requires_identity_decryption_bounded_key()

🧹 Nitpick comments (13)

packages/rs-dpp/src/data_contract/associated_token/token_perpetual_distribution/distribution_function/evaluate_interval.rs (1)

2-2: Feature-gated import placement
The #[cfg(feature = "token-reward-explanations")] attribute correctly scopes the next import. Consider gating the unconditional PlatformVersion import (line 3) as well to avoid unused import warnings when the feature is disabled.

packages/wasm-dpp/src/errors/consensus/consensus_error.rs (2)

67-68: Minor: keep use list sorted for readability
The long import block for basic :: identity errors is already alphabetised; the new InvalidKeyPurposeForContractBoundsError entry breaks that order. Consider re-sorting to preserve quick-scan readability.

---

850-852: Exposed only via the generic wrapper – consider a typed Wasm error
InvalidKeyPurposeForContractBoundsError is surfaced through generic_consensus_error!, whereas most identity-related errors have dedicated *ErrorWasm wrappers. A typed wrapper keeps parity with the rest of the API and allows JS/TS consumers to pattern-match without stringly-typed inspection.

Optional, but aligning here avoids special-casing on the frontend.

packages/rs-dpp/src/errors/consensus/basic/basic_error.rs (1)

592-594: Variant added without dedicated doc comment
Most variants have a short description (useful for autogenerated docs). Consider adding one here for consistency:

-InvalidKeyPurposeForContractBoundsError(InvalidKeyPurposeForContractBoundsError),
+/// Key purpose is not allowed for the supplied contract/document bounds
+InvalidKeyPurposeForContractBoundsError(InvalidKeyPurposeForContractBoundsError),

packages/rs-drive-abci/src/execution/check_tx/v0/mod.rs (1)

3531-3533: Align tuple unpacking with updated function signature
The setup_identity_return_master_key now returns four values; you’re correctly discarding the extra value. For clarity, you could name the ignored element (e.g. let (identity, signer, _master_key, key) = …) so readers immediately understand what’s being skipped.

packages/rs-drive-abci/src/execution/validation/state_transition/common/validate_identity_public_key_contract_bounds/v0/mod.rs (1)

6-8: Minor: remove unused import

DataContractBoundsNotPresentError is imported but never used in this file after refactor.
Consider dropping it to keep the import list lean.

packages/rs-dpp/src/errors/consensus/basic/identity/invalid_key_purpose_for_contract_bounds_error.rs (1)

38-40: Expose a slice instead of &Vec

Returning &Vec<Purpose> ties callers to the concrete collection type.
Exposing a slice improves flexibility and avoids unnecessary clone() calls down the line.

-    pub fn allowed_key_purposes(&self) -> &Vec<Purpose> {
-        &self.allowed_key_purposes
+    pub fn allowed_key_purposes(&self) -> &[Purpose] {
+        &self.allowed_key_purposes
     }

packages/rs-drive/src/drive/identity/key/fetch/mod.rs (2)

198-205: Duplicate helper, consider DRY-ing

element_to_identity_public_key_id_and_some_object_pair differs from the existing
element_to_identity_public_key_id_and_object_pair only by wrapping the key in Some.
You can reuse the original helper and wrap at the call-site to reduce duplication.

---

615-624: Remove now-redundant NotSupported guard

KeyIDOptionalIdentityPublicKeyPairBTreeMap::try_from_query_results is implemented,
but the earlier KeyIDOptionalIdentityPublicKeyPairVec still returns NotSupported.
If vector results are also needed, implement them for consistency or add a comment
explaining why only the map variant is required.

packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/identity_update/mod.rs (2)

684-685: Inline-hex payload inflates the test file – consider externalising

The 1 300-byte hex string embedded here makes the test hard to scan and increases compile-time parsing.
Prefer moving the byte blob to a fixture:

let contract_bytes = include_bytes!("fixtures/preorder_contract.hex");
let contract_bytes = hex::decode(contract_bytes).expect("valid hex");

This keeps the test source concise while preserving determinism.

---

1111-1112: Same large hex literal duplicated – DRY it up

This second contract definition duplicates the concern raised above. Storing both payloads under tests/fixtures/… and loading them with include_bytes! (or lazy_static!) will reduce duplication and compilation overhead.

packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/mod.rs (2)

777-786: Add docs / derives to the new IdentityTestInfo enum

A short doc-comment explaining each variant will help future maintainers.
Also consider #[derive(Debug)]; it’s handy in tests and does not impose extra requirements.

---

788-871: register_contract_from_bytes – avoid extra cloning & ensure owner consistency

1. The call to into_partial_identity_info() need not clone the entire identity:

-            &identity_cow.as_ref().clone().into_partial_identity_info(),
+            &identity_cow.as_ref().into_partial_identity_info(),

2. After data_contract.set_id(contract_id); the contract’s owner_id remains whatever was in the raw bytes.
   If the fixture wasn’t authored by identity_cow, this mismatch could surface later (e.g., fee calculation, auth checks).
   Confirm that the bytes always encode the same owner you pass here, or explicitly set it.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5b8b29d and cd77264.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (16)

• packages/rs-dpp/src/data_contract/associated_token/token_perpetual_distribution/distribution_function/evaluate_interval.rs (1 hunks)
• packages/rs-dpp/src/errors/consensus/basic/basic_error.rs (2 hunks)
• packages/rs-dpp/src/errors/consensus/basic/identity/invalid_key_purpose_for_contract_bounds_error.rs (1 hunks)
• packages/rs-dpp/src/errors/consensus/basic/identity/mod.rs (2 hunks)
• packages/rs-dpp/src/errors/consensus/codes.rs (1 hunks)
• packages/rs-drive-abci/src/execution/check_tx/v0/mod.rs (1 hunks)
• packages/rs-drive-abci/src/execution/validation/state_transition/common/validate_identity_public_key_contract_bounds/v0/mod.rs (2 hunks)
• packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/tests/token/direct_selling/mod.rs (0 hunks)
• packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/transformer/v0/mod.rs (0 hunks)
• packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/identity_update/mod.rs (5 hunks)
• packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/mod.rs (6 hunks)
• packages/rs-drive/Cargo.toml (1 hunks)
• packages/rs-drive/src/drive/identity/key/fetch/mod.rs (3 hunks)
• packages/rs-drive/src/util/grove_operations/grove_get_path_query_with_optional/v0/mod.rs (1 hunks)
• packages/rs-platform-version/Cargo.toml (1 hunks)
• packages/wasm-dpp/src/errors/consensus/consensus_error.rs (2 hunks)

💤 Files with no reviewable changes (2)

• packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/tests/token/direct_selling/mod.rs
• packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/transformer/v0/mod.rs

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: QuantumExplorer
PR: dashpay/platform#2257
File: packages/rs-drive-abci/src/mimic/test_quorum.rs:159-164
Timestamp: 2024-11-20T16:16:01.830Z
Learning: QuantumExplorer prefers not to receive auto-generated messages asking to post on social media.

packages/rs-platform-version/Cargo.toml (1)

Learnt from: QuantumExplorer
PR: dashpay/platform#2431
File: packages/rs-drive/Cargo.toml:55-60
Timestamp: 2025-01-19T07:36:46.042Z
Learning: The grovedb dependencies in packages/rs-drive/Cargo.toml and related files are intentionally kept at specific revisions rather than using the latest stable version, with plans to update them at a later time.

packages/rs-drive/Cargo.toml (1)

Learnt from: QuantumExplorer
PR: dashpay/platform#2431
File: packages/rs-drive/Cargo.toml:55-60
Timestamp: 2025-01-19T07:36:46.042Z
Learning: The grovedb dependencies in packages/rs-drive/Cargo.toml and related files are intentionally kept at specific revisions rather than using the latest stable version, with plans to update them at a later time.

⏰ Context from checks skipped due to timeout of 90000ms (20)

• GitHub Check: Rust packages (dapi-grpc) / Tests
• GitHub Check: Rust packages (dapi-grpc) / Linting
• GitHub Check: Rust packages (dapi-grpc) / Unused dependencies
• GitHub Check: Rust packages (drive-abci) / Unused dependencies
• GitHub Check: Rust packages (drive-abci) / Check each feature
• GitHub Check: Rust packages (drive-abci) / Linting
• GitHub Check: Rust packages (drive) / Tests
• GitHub Check: Rust packages (drive) / Unused dependencies
• GitHub Check: Rust packages (drive) / Linting
• GitHub Check: Rust packages (wasm-dpp) / Tests
• GitHub Check: Rust packages (wasm-dpp) / Linting
• GitHub Check: Rust packages (dpp) / Linting
• GitHub Check: Rust packages (dpp) / Check each feature
• GitHub Check: Rust packages (dpp) / Unused dependencies
• GitHub Check: Rust packages (dpp) / Tests
• GitHub Check: Build Docker images (Drive, drive, drive-abci) / Build Drive image
• GitHub Check: Build Docker images (Dashmate helper, dashmate-helper, dashmate-helper) / Build Dashmate helper image
• GitHub Check: Build Docker images (DAPI, dapi, dapi) / Build DAPI image
• GitHub Check: Build JS packages / Build JS
• GitHub Check: Rust crates security audit

🔇 Additional comments (11)

packages/rs-platform-version/Cargo.toml (1)

14-14: ```shell
#!/bin/bash

echo "=== Checking crates.io for grovedb-version 3.0.0 ==="
if curl -s https://crates.io/api/v1/crates/grovedb-version | grep -q '"num":"3.0.0"'; then
echo "✅ grovedb-version 3.0.0 is published on crates.io"
else
echo "❌ grovedb-version 3.0.0 not found on crates.io"
fi

echo
echo "=== Locating grovedb-version in Cargo.lock ==="
awk '/name = "grovedb-version"/ { print; getline; print }' Cargo.lock || echo "❌ grovedb-version block not found in Cargo.lock"

echo
echo "=== Listing all grovedb* dependencies with version fields in Cargo.toml ==="
rg -n 'grovedb(-[a-z-]+)? = {[^}]version' --glob '.toml'

</details>
<details>
<summary>packages/rs-dpp/src/data_contract/associated_token/token_perpetual_distribution/distribution_function/evaluate_interval.rs (3)</summary>

`6-6`: **DistributionFunction import**  
Importing `DistributionFunction` outside of any feature flag is appropriate for its core usage in the module.

---

`8-8`: **Feature-gated `MAX_DISTRIBUTION_CYCLES_PARAM` import**  
The `MAX_DISTRIBUTION_CYCLES_PARAM` constant is correctly gated to the `token-reward-explanations` feature and matches its usage in explanation code.

---

`12-15`: **Chrono and timezone crate imports**  
The `chrono` and `chrono_tz` imports are properly feature-gated, aligning with their use in time formatting functions.

</details>
<details>
<summary>packages/rs-dpp/src/errors/consensus/codes.rs (1)</summary>

`203-205`: **Confirm code-space continuity for the new error (10533)**  
`InvalidKeyPurposeForContractBoundsError` is slotted at 10533, immediately after 10532 and before the next reserved block (10600 – 10699).  Looks correct, but please double-check that:  
1. No other pending PR introduces a conflicting 10533.  
2. Protocol-version docs (if any) list the new code.

</details>
<details>
<summary>packages/rs-drive/src/util/grove_operations/grove_get_path_query_with_optional/v0/mod.rs (1)</summary>

`24-24`: **Behaviour change: `allow_subtrees_of_trees` flipped to `false`**  
In GroveDB 3.0.0 `query_keys_optional()` changed semantics:  
`(path_query, include_subtrees, proof, allow_subtrees_of_trees, …)`

Switching the 3ʳᵈ boolean from `true`→`false` will now SKIP keys that sit under subtree elements.  
Please verify every call-site that depended on the old behaviour; silent data omission can be hard to spot in higher layers.

</details>
<details>
<summary>packages/rs-dpp/src/errors/consensus/basic/basic_error.rs (1)</summary>

`69-71`: **New variant imported – make sure versioning rules are honoured**  
Adding a variant is fine as it’s appended, but the header comment warns about variant-order changes & protocol versions.  Ensure the protocol version bump accompanying GroveDB 3.0.0 also advertises support for this new error so mixed-version nodes don’t panic on unknown discriminants.

</details>
<details>
<summary>packages/rs-drive/Cargo.toml (1)</summary>

`55-60`: **Large dependency bump – run a full feature-matrix build**  
All `grovedb*` crates jump to 3.0.0.  Aside from compilation, please run:

1. `cargo test --no-default-features --features <each custom feature>`  
2. Integration tests that hit the `grovedb` storage back-end (e.g. Drive-ABCI).  

This guards against accidental feature-flag drift (several optional flags were removed in GroveDB 3).

</details>
<details>
<summary>packages/rs-drive/src/drive/identity/key/fetch/mod.rs (1)</summary>

`278-289`: **Conversion always wraps `Some`, losing the ability to represent ‘missing’ keys**

`supported_query_result_element_to_identity_public_key_id_and_some_object_pair`
cannot yield a `(key_id, None)` tuple. If `grovedb` ever includes results for absent
elements (e.g. via key-only results), the information will be lost.

Please verify that `QueryResultElement` cannot represent a missing element; otherwise
retain the previous `NotSupported` or handle the `None` case explicitly.

</details>
<details>
<summary>packages/rs-dpp/src/errors/consensus/basic/identity/mod.rs (1)</summary>

`29-29`: **LGTM – new error re-export appropriately added**

The public export for `invalid_key_purpose_for_contract_bounds_error` is in the correct alphabetical position and matches the module declaration below.

</details>
<details>
<summary>packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/mod.rs (1)</summary>

`260-265`: I’ll re-run the search with a fixed parsing approach to skip the definition and locate any remaining call-sites:


```shell
#!/usr/bin/env bash
set -euo pipefail

# Find all references to the helper (including the definition), extract file:line,
# then skip the definition in mod.rs and show context for each actual use
rg -n 'setup_identity_return_master_key\(' --type rust \
  | cut -d: -f1-2 \
  | sort -u \
  | grep -v 'packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/mod.rs:260' \
  | while IFS=: read -r file line; do
      echo "---- $file:$line ----"
      sed -n "$((line-2)),$((line+2))p" "$file"
    done