WIP NOT REVIEWED VALIDATION OF REFERENCES

Author: lklimek

TODO.md

@@ -0,0 +1,35 @@
+# Reference Validation (`refersTo`) Implementation Checklist
+
+## Schema / Compatibility
+- [x] Update document meta-schema (`packages/rs-dpp/schema/meta_schemas/document/v0/document-meta.json`) to allow `refersTo` object with `type`/`mustExist` (default true, false disables validation).
+- [x] Extend JSON schema compatibility rules (`packages/rs-json-schema-compatibility-validator/src/rules/rule_set.rs`) to allow `refersTo` keyword (disallow changes post-creation).
+
+## DPP Parsing / Model
+- [x] Parse `refersTo` in property handling (`packages/rs-dpp/src/data_contract/document_type/property/mod.rs`) and store metadata (path → {target, mustExist}).
+- [x] Keep `identifier_paths`/`binary_paths` behavior unchanged; access `refersTo` via existing property structures (no dedicated references map).
+- [x] Ensure `DocumentType::try_from_schema` (v0/v1) validates `refersTo` placement (identifier fields only) and rejects in updates (mutability rule).
+- [x] Expose `refersTo` in serialization (Value/JSON) and bindings (WASM/JS) so clients can introspect.
+
+## Errors
+- [x] Add consensus state error for missing referenced entity (includes type, path, id) and wire to error codes (new code without shifting existing ones).
+
+## Validation (Drive / ABCI)
+- [ ] Implement reference existence checks in advanced structure v1 validators:
+  - `document_create_transition_action/advanced_structure_v1`
+  - `document_replace_transition_action/advanced_structure_v1`
+- [ ] Hook checks into `validate_advanced_structure_from_state` flow; applied in CheckTx/PrepareProposal/ProcessProposal.
+- [ ] Gate enforcement by protocol/platform version; legacy nodes reject contracts with `refersTo` pre-activation.
+- [ ] Count identity lookups in execution context fee accounting.
+
+## Versioning / Config
+- [ ] Bump/introduce version constants to select v1 advanced structure validators for reference validation.
+- [ ] Add protocol feature flag to ignore `refersTo` pre-activation.
+
+## Tests
+- [ ] Meta-schema and compatibility tests for `refersTo`.
+- [ ] DPP unit tests: parsing/serialization of `refersTo`, placement validation, defaults (`mustExist` default true, false skips checks).
+- [ ] Drive/ABCI tests: create/replace transitions with missing/exists identities, nested fields, version gating.
+- [ ] WASM/JS binding tests to ensure `refersTo` surfaces correctly.
+
+## Docs
+- [ ] Update `docs/specs/reference-validation.md` if behavior diverges; add any developer notes in code as needed.

packages/rs-dpp/src/data_contract/document_type/property/mod.rs

@@ -3,8 +3,8 @@ use std::convert::TryInto;
 
 use std::io::{BufReader, Cursor, Read};
 
-use bincode::{Decode, Encode};
 use crate::data_contract::errors::DataContractError;
+use bincode::{Decode, Encode};
 
 use crate::consensus::basic::decode::DecodingError;
 use crate::data_contract::config::v1::DataContractConfigGettersV1;

packages/rs-dpp/src/errors/consensus/basic/basic_error.rs

@@ -1,3 +1,4 @@
+use crate::consensus::state::document::referenced_entity_not_found_error::ReferencedEntityNotFoundError;
 use crate::errors::ProtocolError;
 use bincode::{Decode, Encode};
 use platform_serialization_derive::{PlatformDeserialize, PlatformSerialize};
@@ -273,6 +274,9 @@ pub enum BasicError {
     #[error(transparent)]
     MaxDocumentsTransitionsExceededError(MaxDocumentsTransitionsExceededError),
 
+    #[error(transparent)]
+    ReferencedEntityNotFoundError(ReferencedEntityNotFoundError),
+
     // Identity
     #[error(transparent)]
     DuplicatedIdentityPublicKeyBasicError(DuplicatedIdentityPublicKeyBasicError),

packages/rs-dpp/src/errors/consensus/codes.rs

@@ -153,6 +153,7 @@ impl ErrorWithCode for BasicError {
             Self::DocumentCreationNotAllowedError(_) => 10416,
             Self::DocumentFieldMaxSizeExceededError(_) => 10417,
             Self::ContestedDocumentsTemporarilyNotAllowedError(_) => 10418,
+            Self::ReferencedEntityNotFoundError(_) => 10419,
 
             // Token Errors: 10450-10499
             Self::InvalidTokenIdError(_) => 10450,

packages/rs-drive-abci/src/execution/validation/state_transition/check_tx_verification/v0/mod.rs

@@ -2,6 +2,7 @@ use crate::error::Error;
 use crate::execution::types::execution_event::ExecutionEvent;
 use crate::execution::validation::state_transition::transformer::StateTransitionActionTransformer;
 use crate::platform_types::platform::PlatformRef;
+use crate::platform_types::platform::PlatformStateRef;
 use crate::platform_types::platform_state::PlatformStateV0Methods;
 use crate::rpc::core::CoreRPCLike;
 use dpp::identity::state_transition::OptionallyAssetLockProved;
@@ -242,11 +243,14 @@ pub(super) fn state_transition_to_execution_event_for_check_tx_v0<'a, C: CoreRPC
                 let action = state_transition_action_result.into_data()?;
 
                 // Validating structure
+                let platform_state_ref: PlatformStateRef = platform.into();
                 let result = state_transition.validate_advanced_structure_from_state(
                     platform.state.last_block_info(),
                     platform.config.network,
                     &action,
                     maybe_identity.as_ref(),
+                    &platform_state_ref,
+                    None,
                     &mut state_transition_execution_context,
                     platform_version,
                 )?;

packages/rs-drive-abci/src/execution/validation/state_transition/processor/traits/advanced_structure_with_state.rs

@@ -4,13 +4,15 @@ use crate::execution::types::state_transition_execution_context::StateTransition
 use crate::execution::validation::state_transition::address_funding_from_asset_lock::StateTransitionStructureKnownInStateValidationForAddressFundingFromAssetLockTransition;
 use crate::execution::validation::state_transition::identity_create::StateTransitionStructureKnownInStateValidationForIdentityCreateTransitionV0;
 use crate::execution::validation::state_transition::identity_create_from_addresses::StateTransitionStructureKnownInStateValidationForIdentityCreateFromAddressesTransitionV0;
+use crate::platform_types::platform::PlatformStateRef;
 use dpp::block::block_info::BlockInfo;
 use dpp::dashcore::Network;
 use dpp::identity::PartialIdentity;
 use dpp::prelude::ConsensusValidationResult;
 use dpp::serialization::Signable;
 use dpp::state_transition::StateTransition;
 use dpp::version::PlatformVersion;
+use drive::grovedb::TransactionArg;
 use drive::state_transition_action::StateTransitionAction;
 
 /// A trait for validating state transitions within a blockchain.
@@ -31,6 +33,8 @@ pub(crate) trait StateTransitionStructureKnownInStateValidationV0 {
         network: Network,
         action: &StateTransitionAction,
         maybe_identity: Option<&PartialIdentity>,
+        platform: &PlatformStateRef,
+        transaction: TransactionArg,
         execution_context: &mut StateTransitionExecutionContext,
         platform_version: &PlatformVersion,
     ) -> Result<ConsensusValidationResult<StateTransitionAction>, Error>;
@@ -49,6 +53,8 @@ impl StateTransitionStructureKnownInStateValidationV0 for StateTransition {
         network: Network,
         action: &StateTransitionAction,
         maybe_identity: Option<&PartialIdentity>,
+        platform: &PlatformStateRef,
+        transaction: TransactionArg,
         execution_context: &mut StateTransitionExecutionContext,
         platform_version: &PlatformVersion,
     ) -> Result<ConsensusValidationResult<StateTransitionAction>, Error> {
@@ -58,6 +64,8 @@ impl StateTransitionStructureKnownInStateValidationV0 for StateTransition {
                 network,
                 action,
                 maybe_identity,
+                platform,
+                transaction,
                 execution_context,
                 platform_version,
             ),
@@ -72,6 +80,8 @@ impl StateTransitionStructureKnownInStateValidationV0 for StateTransition {
                 st.validate_advanced_structure_from_state_for_identity_create_transition(
                     identity_create_action,
                     signable_bytes,
+                    platform,
+                    transaction,
                     execution_context,
                     platform_version,
                 )
@@ -81,6 +91,8 @@ impl StateTransitionStructureKnownInStateValidationV0 for StateTransition {
                 network,
                 action,
                 maybe_identity,
+                platform,
+                transaction,
                 execution_context,
                 platform_version,
             ),
@@ -94,6 +106,8 @@ impl StateTransitionStructureKnownInStateValidationV0 for StateTransition {
                 };
                 st.validate_advanced_structure_from_state_for_address_funding_from_asset_lock_transition(
                     address_funding_action,
+                    platform,
+                    transaction,
                     execution_context,
                     platform_version,
                 )
@@ -102,6 +116,8 @@ impl StateTransitionStructureKnownInStateValidationV0 for StateTransition {
                 let signable_bytes = self.signable_bytes()?;
                 st.validate_advanced_structure_from_state_for_identity_create_from_addresses_transition(
                     signable_bytes,
+                    platform,
+                    transaction,
                     execution_context,
                     platform_version,
                 )

packages/rs-drive-abci/src/execution/validation/state_transition/processor/v0/mod.rs

@@ -20,6 +20,7 @@ use crate::execution::validation::state_transition::processor::state::StateTrans
 use crate::execution::validation::state_transition::transformer::StateTransitionActionTransformer;
 use crate::execution::validation::state_transition::ValidationMode;
 use crate::platform_types::platform::PlatformRef;
+use crate::platform_types::platform::PlatformStateRef;
 use crate::platform_types::platform_state::PlatformStateV0Methods;
 use crate::rpc::core::CoreRPCLike;
 use dpp::block::block_info::BlockInfo;
@@ -270,11 +271,14 @@ pub(super) fn process_state_transition_v0<'a, C: CoreRPCLike>(
         let action = state_transition_action_result.into_data()?;
 
         // Validating structure
+        let platform_state_ref: PlatformStateRef = platform.into();
         let result = state_transition.validate_advanced_structure_from_state(
             block_info,
             platform.config.network,
             &action,
             maybe_identity.as_ref(),
+            &platform_state_ref,
+            transaction,
             &mut state_transition_execution_context,
             platform_version,
         )?;

packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/address_funding_from_asset_lock/mod.rs

@@ -18,6 +18,7 @@ use crate::error::execution::ExecutionError;
 use crate::error::Error;
 use crate::execution::types::state_transition_execution_context::StateTransitionExecutionContext;
 use crate::execution::validation::state_transition::address_funding_from_asset_lock::advanced_structure::v0::AddressFundingFromAssetLockStateTransitionAdvancedStructureValidationV0;
+use crate::platform_types::platform::PlatformStateRef;
 use crate::execution::validation::state_transition::address_funding_from_asset_lock::transform_into_action::v0::AddressFundingFromAssetLockStateTransitionTransformIntoActionValidationV0;
 use crate::platform_types::platform::PlatformRef;
 use crate::rpc::core::CoreRPCLike;
@@ -85,6 +86,8 @@ pub trait StateTransitionStructureKnownInStateValidationForAddressFundingFromAss
     fn validate_advanced_structure_from_state_for_address_funding_from_asset_lock_transition(
         &self,
         action: AddressFundingFromAssetLockTransitionAction,
+        _platform: &PlatformStateRef,
+        _transaction: TransactionArg,
         execution_context: &mut StateTransitionExecutionContext,
         platform_version: &PlatformVersion,
     ) -> Result<ConsensusValidationResult<StateTransitionAction>, Error>;
@@ -96,6 +99,8 @@ impl StateTransitionStructureKnownInStateValidationForAddressFundingFromAssetLoc
     fn validate_advanced_structure_from_state_for_address_funding_from_asset_lock_transition(
         &self,
         action: AddressFundingFromAssetLockTransitionAction,
+        _platform: &PlatformStateRef,
+        _transaction: TransactionArg,
         execution_context: &mut StateTransitionExecutionContext,
         platform_version: &PlatformVersion,
     ) -> Result<ConsensusValidationResult<StateTransitionAction>, Error> {

packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/action_validation/document/document_create_transition_action/advanced_structure_v1/mod.rs

@@ -0,0 +1,112 @@
+use dpp::block::block_info::BlockInfo;
+use dpp::dashcore::Network;
+use dpp::identifier::Identifier;
+use dpp::validation::SimpleConsensusValidationResult;
+use dpp::data_contract::accessors::v0::DataContractV0Getters;
+use dpp::data_contract::document_type::accessors::DocumentTypeV0Getters;
+use dpp::data_contract::document_type::DocumentPropertyReferenceTarget;
+use dpp::errors::consensus::ConsensusError;
+use dpp::errors::consensus::state::document::referenced_entity_not_found_error::ReferencedEntityNotFoundError;
+use dpp::platform_value::btreemap_extensions::BTreeValueMapPathHelper;
+use drive::state_transition_action::batch::batched_transition::document_transition::document_base_transition_action::DocumentBaseTransitionActionAccessorsV0;
+use drive::state_transition_action::batch::batched_transition::document_transition::document_create_transition_action::{
+    DocumentCreateTransitionAction, DocumentCreateTransitionActionAccessorsV0,
+};
+use dpp::version::PlatformVersion;
+use crate::error::Error;
+use crate::execution::types::state_transition_execution_context::{
+    StateTransitionExecutionContext, StateTransitionExecutionContextMethodsV0,
+};
+use crate::platform_types::platform::PlatformStateRef;
+use crate::execution::types::execution_operation::{RetrieveIdentityInfo, ValidationOperation};
+use drive::grovedb::TransactionArg;
+use crate::execution::validation::state_transition::batch::action_validation::document::document_create_transition_action::advanced_structure_v0::DocumentCreateTransitionActionStructureValidationV0;
+
+/// Advanced structure validation for document create transitions (v1).
+/// This version is where reference validation and other new checks will be added.
+pub(in crate::execution::validation::state_transition::state_transitions::batch::action_validation) trait DocumentCreateTransitionActionStructureValidationV1 {
+    fn validate_structure_v1(
+        &self,
+        owner_id: Identifier,
+        block_info: &BlockInfo,
+        network: Network,
+        platform: &PlatformStateRef,
+        transaction: TransactionArg,
+        execution_context: &mut StateTransitionExecutionContext,
+        platform_version: &PlatformVersion,
+    ) -> Result<SimpleConsensusValidationResult, Error>;
+}
+
+impl DocumentCreateTransitionActionStructureValidationV1 for DocumentCreateTransitionAction {
+    fn validate_structure_v1(
+        &self,
+        owner_id: Identifier,
+        block_info: &BlockInfo,
+        network: Network,
+        platform: &PlatformStateRef,
+        transaction: TransactionArg,
+        execution_context: &mut StateTransitionExecutionContext,
+        platform_version: &PlatformVersion,
+    ) -> Result<SimpleConsensusValidationResult, Error> {
+        // Run existing v0 validation first (covers schema checks, contested flows, etc.)
+        let base_result =
+            self.validate_structure_v0(owner_id, block_info, network, platform_version)?;
+        if !base_result.is_valid() {
+            return Ok(base_result);
+        }
+
+        let contract_fetch_info = self.base().data_contract_fetch_info();
+        let data_contract = &contract_fetch_info.contract;
+        let document_type_name = self.base().document_type_name();
+
+        // Safe to unwrap thanks to v0 validation
+        let document_type = data_contract
+            .document_type_optional_for_name(document_type_name)
+            .expect("document type must exist after v0 validation");
+
+        // Check referenced identities if requested
+        for (path, property) in document_type.flattened_properties() {
+            let Some(reference) = &property.reference else {
+                continue;
+            };
+            if !reference.must_exist
+                || reference.target != DocumentPropertyReferenceTarget::Identity
+            {
+                continue;
+            }
+
+            let Some(identity_bytes) = self
+                .data()
+                .get_optional_identifier_at_path(path)
+                .map_err(|e| Error::Protocol(e.into()))?
+            else {
+                continue;
+            };
+
+            // account for the lookup cost
+            execution_context.add_operation(ValidationOperation::RetrieveIdentity(
+                RetrieveIdentityInfo::only_balance(),
+            ));
+
+            let Some(_) = platform.drive.fetch_identity_balance(
+                identity_bytes,
+                transaction,
+                platform_version,
+            )?
+            else {
+                let missing_id = Identifier::from_bytes(&identity_bytes)
+                    .map_err(|e| Error::Protocol(e.into()))?;
+
+                return Ok(SimpleConsensusValidationResult::new_with_error(
+                    ConsensusError::from(ReferencedEntityNotFoundError::new(
+                        missing_id,
+                        reference.target.clone(),
+                        path.to_string(),
+                    )),
+                ));
+            };
+        }
+
+        Ok(SimpleConsensusValidationResult::new())
+    }
+}

packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/batch/action_validation/document/document_create_transition_action/mod.rs

@@ -11,9 +11,11 @@ use crate::execution::types::state_transition_execution_context::StateTransition
 use crate::execution::validation::state_transition::batch::action_validation::document::document_create_transition_action::state_v0::DocumentCreateTransitionActionStateValidationV0;
 use crate::execution::validation::state_transition::batch::action_validation::document::document_create_transition_action::state_v1::DocumentCreateTransitionActionStateValidationV1;
 use crate::execution::validation::state_transition::batch::action_validation::document::document_create_transition_action::advanced_structure_v0::DocumentCreateTransitionActionStructureValidationV0;
+use crate::execution::validation::state_transition::batch::action_validation::document::document_create_transition_action::advanced_structure_v1::DocumentCreateTransitionActionStructureValidationV1;
 use crate::platform_types::platform::PlatformStateRef;
 
 mod advanced_structure_v0;
+mod advanced_structure_v1;
 mod state_v0;
 mod state_v1;
 
@@ -23,6 +25,9 @@ pub trait DocumentCreateTransitionActionValidation {
         owner_id: Identifier,
         block_info: &BlockInfo,
         network: Network,
+        platform: &PlatformStateRef,
+        transaction: TransactionArg,
+        execution_context: &mut StateTransitionExecutionContext,
         platform_version: &PlatformVersion,
     ) -> Result<SimpleConsensusValidationResult, Error>;
 
@@ -43,6 +48,9 @@ impl DocumentCreateTransitionActionValidation for DocumentCreateTransitionAction
         owner_id: Identifier,
         block_info: &BlockInfo,
         network: Network,
+        platform: &PlatformStateRef,
+        transaction: TransactionArg,
+        execution_context: &mut StateTransitionExecutionContext,
         platform_version: &PlatformVersion,
     ) -> Result<SimpleConsensusValidationResult, Error> {
         match platform_version
@@ -53,9 +61,18 @@ impl DocumentCreateTransitionActionValidation for DocumentCreateTransitionAction
             .document_create_transition_structure_validation
         {
             0 => self.validate_structure_v0(owner_id, block_info, network, platform_version),
+            1 => self.validate_structure_v1(
+                owner_id,
+                block_info,
+                network,
+                platform,
+                transaction,
+                execution_context,
+                platform_version,
+            ),
             version => Err(Error::Execution(ExecutionError::UnknownVersionMismatch {
                 method: "DocumentCreateTransitionAction::validate_structure".to_string(),
-                known_versions: vec![0],
+                known_versions: vec![0, 1],
                 received: version,
             })),
         }