Description
The signed distribution path uses a deadline embedded in DistributeUsdcRequest and returns RemittanceSplitError::DeadlineExpired (14) or InvalidDeadline (25) when the deadline is malformed or in the past. Boundary behavior at deadline == now, deadline == now - 1, and deadlines beyond SIGNATURE_EXPIRATION must be deterministically tested, since off-by-one errors here directly affect replay-window safety. There are no dedicated boundary tests asserting the exact comparison semantics.
Requirements and context
- Secure: Deadline comparison must be checked against
env.ledger().timestamp() before require_auth side effects; expired requests must not advance the nonce.
- Tested: Equal-to-now (accepted or rejected per spec), one-second-past (rejected), far-future beyond
SIGNATURE_EXPIRATION (rejected as InvalidDeadline).
- Documented: Document the deadline window semantics.
- Reference real symbols:
distribute_usdc_signed, DistributeUsdcRequest, RemittanceSplitError::{DeadlineExpired, InvalidDeadline}, SIGNATURE_EXPIRATION, compute_request_hash.
Suggested execution
- Branch
feature/rs-deadline-boundary-tests.
- Confirm comparison operators in
remittance_split/src/lib.rs; add boundary tests in remittance_split/src/test.rs.
- Add docs
docs/remittance-split-deadline-window.md.
- Add
/// comments clarifying inclusive/exclusive bounds.
- Validate security assumptions: no nonce advance on expired/invalid deadline.
Test and commit
- Run
cargo test -p remittance_split.
- Cover edge cases:
now, now-1, now + SIGNATURE_EXPIRATION + 1.
- Include test output and replay-window security note.
Example commit message
test: add DeadlineExpired/InvalidDeadline boundary coverage for signed distribution
Guidelines
- Minimum 95% test coverage
- Clear documentation in
docs/ and inline /// comments
- Timeframe: 96 hours
Description
The signed distribution path uses a deadline embedded in
DistributeUsdcRequestand returnsRemittanceSplitError::DeadlineExpired(14) orInvalidDeadline(25) when the deadline is malformed or in the past. Boundary behavior atdeadline == now,deadline == now - 1, and deadlines beyondSIGNATURE_EXPIRATIONmust be deterministically tested, since off-by-one errors here directly affect replay-window safety. There are no dedicated boundary tests asserting the exact comparison semantics.Requirements and context
env.ledger().timestamp()beforerequire_authside effects; expired requests must not advance the nonce.SIGNATURE_EXPIRATION(rejected asInvalidDeadline).distribute_usdc_signed,DistributeUsdcRequest,RemittanceSplitError::{DeadlineExpired, InvalidDeadline},SIGNATURE_EXPIRATION,compute_request_hash.Suggested execution
feature/rs-deadline-boundary-tests.remittance_split/src/lib.rs; add boundary tests inremittance_split/src/test.rs.docs/remittance-split-deadline-window.md.///comments clarifying inclusive/exclusive bounds.Test and commit
cargo test -p remittance_split.now,now-1,now + SIGNATURE_EXPIRATION + 1.Example commit message
test: add DeadlineExpired/InvalidDeadline boundary coverage for signed distributionGuidelines
docs/and inline///comments