feat(platform)!: unify documents count + split-count into one endpoint

[QuantumExplorer]

Summary

Collapse the two count gRPC endpoints (`getDocumentsCount` + `getDocumentsSplitCount`) into a single unified `getDocumentsCount` that handles both modes via the where clauses. Split semantics are signalled by an `In` clause: the In's field becomes the split property and the In's array enumerates the values to count. No In clause → single total count.

This is a wire-format breaking change. Pre-release, so OK.

Wire format (this PR)

`GetDocumentsCountRequestV0` gets new fields:

• `return_distinct_counts_in_range: bool` — when true (and a range clause is present), return per-distinct-value entries within the range. Currently rejected; requires `range_countable` indexes + grovedb `NonCounted<*>` (parallel work).
• `order_by_ascending: optional bool` — sort direction for split entries.
• `limit: optional uint32` — cap on entries returned.
• `start_after_split_key: optional bytes` — pagination cursor for split mode.

`GetDocumentsCountResponseV0.result` becomes `oneof { CountResults counts; Proof proof; }`. `CountResults` carries `repeated CountEntry { bytes key; uint64 count; }`. Total count is one entry with empty `key`; per-In-value counts are one entry per In value.

`GetDocumentsSplitCount{Request,Response}` deleted.

Mode dispatch (handler)

Where clauses	Response shape
Empty / Equal-only	1 entry, empty key (total count)
Exactly one `In`	N entries, one per In value
Multiple `In`	InvalidArgument (only one split dimension)
`return_distinct_counts_in_range = true`	InvalidArgument until `range_countable` lands

Per-layer changes

• `dapi-grpc` proto + build.rs registrations
• `rs-dapi-client` transport: remove `getDocumentsSplitCount` impl
• `rs-dapi` server: remove drive_method passthrough
• `rs-drive-abci`: delete `document_split_count_query` module + trait method; rewrite count handler to dispatch on In presence
• `rs-drive-proof-verifier`: `DocumentSplitCounts.Response` retargets to unified response
• `rs-sdk`: delete `DocumentSplitCountQuery`; both `DocumentCount` and `DocumentSplitCounts` back the unified `DocumentCountQuery`
• `wasm-sdk` / `rs-sdk-ffi`: `getDocumentsSplitCount` keeps its name but drops the `splitProperty` parameter (signalled via In clause now)

Status

• Wire format + immediate consumers compile cleanly
• Drive-abci handler dispatches on In presence; existing 5 handler tests pass (total / empty / proof / range-rejection / In)
• All 14 rs-drive `drive_document_count_query` lib tests pass

Not yet in this PR (follow-ups, in priority order)

• Plumb `limit` / `start_after_split_key` / `order_by_ascending` through `DriveDocumentCountQuery` and the handler
• Add tests covering pagination + ordering
• `yarn build` to regenerate JS clients (auto-generated; haven't run yet)
• Book chapter update (`book/src/drive/document-count-trees.md`) for the unified API
• PR title scope review

Depends on (separate work)

• `return_distinct_counts_in_range` mode + range operators on the no-prove path require the parallel `range_countable` per-index property (rs-dpp) + grovedb `NonCounted` variants. Design lives in book/src/drive/indexes.md § Range-Countable Indexes (added in feat(platform): add GetDocumentsCount and GetDocumentsSplitCount queries #3435).

Test plan

• `cargo check --workspace --all-targets` clean
• 14 rs-drive lib tests pass
• 5 rs-drive-abci handler tests pass
• CI

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Unified document count API: richer count modes (total, per-value, range), distinct-range options, ordering and pagination.
  • Range-countable indexes: opt-in index type for efficient range counting.

• API Changes

  • Consolidated split-count into enhanced count endpoint and response format (per-key counts or proof).

• Documentation

  • Updated count/query docs and added Mermaid diagram support.

[coderabbitai]

Warning

Rate limit exceeded

@QuantumExplorer has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 42 minutes and 55 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6411482c-098f-43c9-b429-61ab87c58891

📥 Commits

Reviewing files that changed from the base of the PR and between aab3377 and d4bf97b.

📒 Files selected for processing (4)

• book/src/drive/document-count-trees.md
• packages/rs-dpp/src/data_contract/document_type/index_level/mod.rs
• packages/rs-drive/src/drive/contract/insert/insert_contract/v0/mod.rs
• packages/rs-sdk/src/platform/documents/document_count_query.rs

📝 Walkthrough

Walkthrough

Replaces GetDocumentsSplitCount with a unified GetDocumentsCount, adds rangeCountable index metadata and Drive range-count executors (no‑proof range walks and aggregate proofs), updates generated clients, SDK/FFI/WASM, proof verification, docs, tests, and grove dependency pins.

Changes

Unified count API and range-countable indexing

Layer / File(s)	Summary
Schema and index metadata packages/rs-dpp/schema/..., packages/rs-dpp/src/data_contract/...	Adds rangeCountable; exposes Index.range_countable; propagates to IndexLevelTypeInfo; protocol-gates and update validation.
Proto and build definitions packages/dapi-grpc/protos/..., packages/dapi-grpc/build.rs	Removes GetDocumentsSplitCount RPC/messages; extends GetDocumentsCountRequestV0 with where, return_distinct_counts_in_range, order_by_ascending, limit, start_after_split_key, moves prove; changes GetDocumentsCountResponseV0 to counts: CountResults or proof; updates versioned lists.
Clients: generated Java/Node/ObjC/Python/Web packages/dapi-grpc/clients/...	Regenerated client/server stubs and Typings to remove split-count hooks and to add CountEntry/CountResults and new request fields; adjusts wire field numbers and serializers.
Drive query core (range support) packages/rs-drive/src/query/drive_document_count_query/*	Adds DocumentCountMode, mode detection, range index selector, execute_range_count_no_proof, execute_aggregate_count_with_proof, Drive per-mode executors, and unified execute_document_count_request.
ABCI: unified count handler packages/rs-drive-abci/src/query/document_count_query/v0/mod.rs	Handler builds DocumentCountRequest, delegates to Drive executor, normalizes Counts vs Proof into protobuf responses; adds end‑to‑end range tests.
Remove split-count path packages/rs-drive-abci/src/query/document_split_count_query/*, rs-dapi*, clients/*	Deletes split-count module, v0 handler, transports, generated stubs, and tests; proof verifier adjusted to new response type.
Drive index trees and costs packages/rs-drive/src/drive/document/*, .../contract/insert/*	Initializes ProvableCountTree/CountTree for rangeCountable terminators; threads parent_value_tree_is_range_countable through insert/remove recursion; inserts NonCounted wrappers for sibling continuations; updates estimated layer info; adds E2E tests.
Low-level ops and batch insert packages/rs-drive/src/fees/op.rs, .../batch_insert_empty_tree_if_not_exists/*	Adds helpers to create empty NonCounted trees; adds wrap_in_non_counted flag to v0 batch helper and public wrappers; updates tests.
SDK/FFI/WASM unified count packages/rs-sdk*, packages/rs-sdk-ffi/*, packages/wasm-*/*	SDK DocumentCountQuery adds flags and setters; FromProof verification extended for aggregate-count proofs; DocumentSplitCounts gains fetch/FromProof support; DocumentSplitCountQuery removed; FFI/WASM split-count APIs drop splitProperty and derive split via in clause.
Docs and mdBook mermaid book/*	Documentation rewritten for unified GetDocumentsCount modes, operator constraints, and proofs; adds mdBook Mermaid preprocessor and updates mermaid-init.js to initialize mermaid and theme handlers.
Dependencies and shielded fix */Cargo.toml, shielded_common/mod.rs	Bumps grovedb-related git revs across crates; treats Action::from_parts as fallible and maps failure to InvalidShieldedProofError.

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Possibly related PRs

• dashpay/platform#3435: Earlier PR introduced separate GetDocumentsCount and GetDocumentsSplitCount; this PR unifies and removes split-count.

Suggested labels

dapi-endpoint

Suggested reviewers

• shumkov

Poem

I counted carrots, hops, and keys,
One query sings through branchy trees.
Ranges, proofs, and counts align,
A rabbit tallies every line. 🥕

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude-unified-count-and-range

[github-actions]

📖 Book Preview built successfully.

Download the preview from the workflow artifacts.
To view locally: download the artifact, unzip, and open index.html.

Updated at 2026-05-10T14:15:24.739Z

[thepastaclaw]

Review Gate

Commit: d4bf97b3

• ⏳ Debounce: 3m ago (need 30m)

• ✅ CI checks: builds passed, 0/0 tests passed

• ✅ CodeRabbit review: comment found

• ✅ Off-peak hours: off-peak (07:18 AM PT Sunday)

• Run review now (check to override)

[codecov]

Codecov Report

❌ Patch coverage is 84.30204% with 316 lines in your changes missing coverage. Please review.
✅ Project coverage is 88.25%. Comparing base (a28c298) to head (8fb7a47).

Files with missing lines	Patch %	Lines
...-drive/src/query/drive_document_count_query/mod.rs	71.65%	195 Missing ⚠️
...rc/drive/contract/insert/insert_contract/v0/mod.rs	96.65%	27 Missing ⚠️
...tions/batch_insert_empty_tree_if_not_exists/mod.rs	50.00%	25 Missing ⚠️
...s-drive-proof-verifier/src/proof/document_count.rs	0.00%	21 Missing ⚠️
packages/rs-drive/src/fees/op.rs	46.87%	17 Missing ⚠️
...rive-abci/src/query/document_count_query/v0/mod.rs	95.91%	10 Missing ⚠️
...ument_type/class_methods/try_from_schema/v1/mod.rs	22.22%	7 Missing ⚠️
...s-dpp/src/data_contract/document_type/index/mod.rs	62.50%	6 Missing ⚠️
...src/data_contract/document_type/index_level/mod.rs	88.00%	3 Missing ⚠️
...e-proof-verifier/src/proof/document_split_count.rs	0.00%	2 Missing ⚠️
... and 2 more

Additional details and impacted files

@@             Coverage Diff              @@
##           v3.1-dev    #3623      +/-   ##
============================================
- Coverage     88.27%   88.25%   -0.03%     
============================================
  Files          2493     2491       -2     
  Lines        304434   305819    +1385     
============================================
+ Hits         268751   269898    +1147     
- Misses        35683    35921     +238     

Components	Coverage Δ
dpp	87.98% <68.00%> (-0.02%)	⬇️
drive	87.37% <84.23%> (-0.05%)	⬇️
drive-abci	90.23% <95.93%> (+0.05%)	⬆️
sdk	∅ <ø> (∅)
dapi-client	∅ <ø> (∅)
platform-version	∅ <ø> (∅)
platform-value	92.17% <ø> (ø)
platform-wallet	∅ <ø> (∅)
drive-proof-verifier	53.28% <0.00%> (-0.94%)	⬇️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

✅ DashSDKFFI.xcframework built for this PR.

• Workflow run: https://github.com/dashpay/platform/actions/runs/25629206261
• Artifacts: DashSDKFFI.xcframework (folder), DashSDKFFI.xcframework.zip, xc_checksum.txt

SwiftPM (host the zip at a stable URL, then use):

.binaryTarget(
  name: "DashSDKFFI",
  url: "https://your.cdn.example/DashSDKFFI.xcframework.zip",
  checksum: "819e1335063d38ee8f92de4c72715fbea508942aaa451b24cfc7c9711e0db5df"
)

Xcode manual integration:

• Download 'DashSDKFFI.xcframework' artifact from the run link above.
• Drag it into your app target (Frameworks, Libraries & Embedded Content) and set Embed & Sign.
• If using the Swift wrapper package, point its binaryTarget to the xcframework location or add the package and place the xcframework at the expected path.

[QuantumExplorer]

Codex review findings on PR #3623. I rechecked these against the latest head (749fbc43) before posting.

Finding 1: [P1] Range count proofs fail SDK verification

packages/rs-sdk/src/platform/documents/document_count_query.rs:172-178

The server now returns an AggregateCountOnRange proof for prove=true range-count requests, but the SDK adapter still converts the request into a DriveDocumentQuery and delegates to the old document-materializing verifier. That verifier expects proved documents and counts documents.len(), so SDK/WASM/FFI range-count calls using the default proof path cannot verify the new proof shape.

How I would fix it: detect the same single-range + covering range_countable index in the SDK/proof-verifier path, rebuild the same PathQuery::new_aggregate_count_on_range, call GroveDb::verify_aggregate_count_query, verify the returned root against Tenderdash, and return DocumentCount(count). Add an SDK/proof-verifier test for prove=true range count.

Finding 2: [P1] Unset distinct range limit is unbounded

packages/rs-drive-abci/src/query/document_count_query/v0/mod.rs:295-296

This maps an omitted limit to None, but RangeCountOptions documents None as no limit and execute_range_count_no_proof only truncates when Some(limit). The proto says unset should use the server default, so a return_distinct_counts_in_range request can return every distinct key in a large range and bypass max_query_limit.

How I would fix it: apply a default limit for distinct mode, for example min(limit.unwrap_or(default_query_limit), max_query_limit), while keeping summed mode unaffected. Add a handler test with distinct=true, limit=None, and more entries than the configured default/max boundary.

Finding 3: [P2] SDK cannot reach new no-proof range modes

packages/rs-sdk/src/platform/documents/document_count_query.rs:104-115

The unified request adds return_distinct_counts_in_range, pagination fields, and a no-proof range-distinct response, but DocumentCountQuery always sends return_distinct_counts_in_range=false, no pagination, and prove=true. That makes the documented per-distinct-range mode unreachable through rs-sdk/WASM/FFI even though these bindings now route split counts through this query.

How I would fix it: add request options/builders plus a FetchUnproved or custom response parser for CountResults, and have the split-count/range-histogram APIs set return_distinct_counts_in_range and pagination when callers request a range histogram.

[coderabbitai]

Actionable comments posted: 10

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)

book/mermaid-init.js (1)

5-39: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix indentation to use 2 spaces instead of 4.

The file uses 4-space indentation throughout, but the coding guidelines require 2-space indentation for JS/TS files. As per coding guidelines, "Use 2-space indent for JS/TS files".

♻️ Proposed fix to standardize indentation

 (() => {
-    const darkThemes = ['ayu', 'navy', 'coal'];
-    const lightThemes = ['light', 'rust'];
+  const darkThemes = ['ayu', 'navy', 'coal'];
+  const lightThemes = ['light', 'rust'];

-    const classList = document.getElementsByTagName('html')[0].classList;
+  const classList = document.getElementsByTagName('html')[0].classList;

-    let lastThemeWasLight = true;
-    for (const cssClass of classList) {
-        if (darkThemes.includes(cssClass)) {
-            lastThemeWasLight = false;
-            break;
-        }
-    }
+  let lastThemeWasLight = true;
+  for (const cssClass of classList) {
+    if (darkThemes.includes(cssClass)) {
+      lastThemeWasLight = false;
+      break;
+    }
+  }

-    const theme = lastThemeWasLight ? 'default' : 'dark';
-    mermaid.initialize({ startOnLoad: true, theme });
+  const theme = lastThemeWasLight ? 'default' : 'dark';
+  mermaid.initialize({ startOnLoad: true, theme });

-    // Simplest way to make mermaid re-render the diagrams in the new theme is via refreshing the page
+  // Simplest way to make mermaid re-render the diagrams in the new theme is via refreshing the page

-    for (const darkTheme of darkThemes) {
-        document.getElementById(darkTheme).addEventListener('click', () => {
-            if (lastThemeWasLight) {
-                window.location.reload();
-            }
-        });
-    }
+  for (const darkTheme of darkThemes) {
+    document.getElementById(darkTheme).addEventListener('click', () => {
+      if (lastThemeWasLight) {
+        window.location.reload();
+      }
+    });
+  }

-    for (const lightTheme of lightThemes) {
-        document.getElementById(lightTheme).addEventListener('click', () => {
-            if (!lastThemeWasLight) {
-                window.location.reload();
-            }
-        });
-    }
+  for (const lightTheme of lightThemes) {
+    document.getElementById(lightTheme).addEventListener('click', () => {
+      if (!lastThemeWasLight) {
+        window.location.reload();
+      }
+    });
+  }
 })();

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@book/mermaid-init.js` around lines 5 - 39, The file uses 4-space indentation;
convert all indentation in this IIFE to 2-space indentation to follow the JS/TS
style guide: reformat every block (the arrays darkThemes and lightThemes, the
loop over classList that sets lastThemeWasLight, the mermaid.initialize call,
and both event-listener loops that reference darkThemes/lightThemes and
lastThemeWasLight) so each nested level uses 2 spaces; ensure alignment for the
const declarations, for/of loops, arrow functions in
getElementById(...).addEventListener callbacks, and the final IIFE closure
remain consistent after re-indenting.

packages/dapi-grpc/clients/platform/v0/web/platform_pb.d.ts (1)

2587-2588: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Add jstype = JS_STRING to CountEntry.count in proto and regenerate.

CountEntry.count is defined as uint64 in platform.proto (line 665) but lacks the jstype = JS_STRING option. The generated TypeScript code treats it as number, which silently loses precision for values above 2^53 − 1. Other uint64 fields in the same proto file that need to preserve precision use jstype = JS_STRING (e.g., snapshot_chunks_count, remaining_time). Apply the same pattern here by adding the option to the proto definition and regenerating.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/dapi-grpc/clients/platform/v0/web/platform_pb.d.ts` around lines
2587 - 2588, The CountEntry.count field is defined as uint64 but the generated
accessors (getCount / setCount) are using number and risk precision loss; update
the platform.proto definition for CountEntry.count to include the option `jstype
= JS_STRING` (matching other uint64 fields like snapshot_chunks_count and
remaining_time), then regenerate the TypeScript protobufs so the generated
platform_pb.d.ts and related methods (getCount/setCount) use string types to
preserve full uint64 precision.

packages/rs-sdk/src/platform/documents/document_count_query.rs (2)

164-188: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

prove: true hardcoded — new no-proof distinct/pagination modes are unreachable via Fetch.

The new setters (with_distinct_counts_in_range, with_order_by_ascending, with_limit, with_start_after_split_key) advertise pagination / per-key distinct ranges, but try_from always sets prove: true (line 183) and Fetch for DocumentCount/DocumentSplitCounts is the only consumer. Since the server rejects return_distinct_counts_in_range=true together with prove=true (per the field comment on lines 50-55), a caller that sets with_distinct_counts_in_range(true) on the SDK will get a server-side error rather than the new behavior. The same is true for start_after_split_key/limit paginated distinct results, which are only meaningful in the no-proof mode.

Concretely, this needs a separate transport / fetch entry point (e.g. a FetchUnproved-style API or a dedicated split-count/range-histogram method) that builds the request with prove: false and decodes CountResults directly, rather than going through the proof verifier. Otherwise the new request fields exposed on DocumentCountQuery are effectively dead weight from the SDK side.

Sketch of the gap

// Today, this compiles and sends a request that the server will reject:
let q = DocumentCountQuery::new(contract, "doc")?
    .with_where(range_clause)
    .with_distinct_counts_in_range(true) // forces no-proof mode on server
    .with_limit(Some(50));
let _ = DocumentSplitCounts::fetch(&sdk, q).await?; // Fetch sets prove: true → server rejects

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/rs-sdk/src/platform/documents/document_count_query.rs` around lines
164 - 188, The conversion impl TryFrom<DocumentCountQuery> for
GetDocumentsCountRequest currently hardcodes GetDocumentsCountRequestV0.prove =
true which makes no-proof pagination/distinct modes unreachable; add a separate
transport path that builds the same GetDocumentsCountRequest with prove = false
(e.g., a new constructor or helper like
build_unproved_get_documents_count_request(query: DocumentCountQuery) ->
GetDocumentsCountRequest) and expose a new fetch entry point (e.g.,
DocumentSplitCounts::fetch_unproved or FetchUnproved API) that uses this builder
and decodes CountResults directly without running the proof verifier; keep the
existing TryFrom/DocumentSplitCounts::fetch for proof-mode but ensure the new
method references GetDocumentsCountRequestV0, the prove field,
DocumentCountQuery, and DocumentSplitCounts so callers can request no-proof
distinct/pagination behavior.

---

216-249: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Range-count proofs fail SDK verification due to missing AggregateCountOnRange adapter.

The backend generates AggregateCountOnRange proofs when prove=true and the request contains a range clause (documented in book/src/drive/document-count-trees.md:147,202). Both FromProof<DocumentCountQuery> for DocumentCount (lines 216–249) and its fallback in FromProof<DocumentCountQuery> for DocumentSplitCounts (lines 313–319) unconditionally delegate to <DocumentCount as FromProof<DriveDocumentQuery>>, which expects document-materialization proofs and will reject an AggregateCountOnRange proof.

To verify range-count proofs, add an adapter that detects range clauses in the request, verifies the proof via GroveDb::verify_aggregate_count_query, and returns the recovered count. A test exercising prove=true with a range where clause would catch this regression.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/rs-sdk/src/platform/documents/document_count_query.rs` around lines
216 - 249, The current FromProof implementation for DocumentCountQuery
unconditionally forwards to <DocumentCount as
FromProof<DriveDocumentQuery>>::maybe_from_proof_with_metadata which fails for
backend AggregateCountOnRange proofs; update maybe_from_proof_with_metadata in
the impl for DocumentCountQuery (and the similar fallback for
DocumentSplitCounts) to detect when the incoming request contains a range
clause, and in that case verify the proof via
GroveDb::verify_aggregate_count_query (passing the proof/response, network,
platform_version and provider), extract and return the recovered count wrapped
in DocumentCount along with ResponseMetadata and Proof; otherwise fall back to
converting the request to DriveDocumentQuery and delegating to
FromProof<DriveDocumentQuery>::maybe_from_proof_with_metadata as before. Ensure
you reference DocumentCountQuery, AggregateCountOnRange,
GroveDb::verify_aggregate_count_query, DocumentCount, DocumentSplitCounts,
DriveDocumentQuery and maybe_from_proof_with_metadata while implementing the
adapter.

🧹 Nitpick comments (7)

packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/shielded_common/mod.rs (1)

130-147: ⚡ Quick win

Consider adding test coverage for the "invalid action parts" error path.

The new error path where Action::from_parts returns None is not explicitly tested. While existing tests verify earlier validation failures, a dedicated test exercising this specific error would improve coverage and document when malformed action parts can occur.

🧪 Suggested test structure

#[test]
fn test_invalid_action_parts_returns_error() {
    // Craft a SerializedAction with valid field sizes but invalid content
    // that passes early checks but fails Action::from_parts construction.
    // The exact values depend on what makes action parts "invalid" in
    // grovedb-commitment-tree::Action::from_parts.
    
    let action = create_serialized_action_with_invalid_parts();
    
    let result = reconstruct_and_verify_bundle(
        &[action],
        FLAGS_SPENDS_AND_OUTPUTS,
        0,
        &[42u8; 32],
        &[0u8; 100],
        &[0u8; 64],
        &[],
    );
    
    assert!(result.is_err());
    let err = result.unwrap_err();
    assert!(
        err.message().contains("invalid action parts"),
        "expected invalid action parts error, got: {}",
        err.message()
    );
}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/shielded_common/mod.rs`
around lines 130 - 147, Add a unit test that triggers the new None-return path
of Action::from_parts and asserts it maps to InvalidShieldedProofError;
specifically craft a SerializedAction (or use an existing test helper) with
valid-sized fields but malformed content so Action::from_parts(None) is
returned, call the surrounding function that invokes Action::from_parts (e.g.,
the bundle reconstruction/verification function used in this module such as
reconstruct_and_verify_bundle or the function that wraps Action::from_parts in
mod.rs), and assert the Result is Err and the error is an
InvalidShieldedProofError whose message contains "invalid action parts".

packages/rs-drive/src/util/grove_operations/batch_insert_empty_tree_if_not_exists/v0/mod.rs (1)

336-340: ⚡ Quick win

Please add at least one test covering the new wrap_in_non_counted = true path.

This PR adds a new execution branch, but current test updates only exercise false. A targeted test for the true path (and ideally an unsupported TreeType error case) would harden this change.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@packages/rs-drive/src/util/grove_operations/batch_insert_empty_tree_if_not_exists/v0/mod.rs`
around lines 336 - 340, Add a unit/integration test that invokes
batch_insert_empty_tree_if_not_exists_v0 with wrap_in_non_counted = true (the
new branch) to exercise the new logic path: call
batch_insert_empty_tree_if_not_exists_v0(info, TreeType::NormalTree, true, None)
and assert the resulting state (e.g., the tree was created and marked
non-counted or the expected DB entry/flag is present) and any side effects
expected by the function; also add a separate test that passes an unsupported
TreeType to batch_insert_empty_tree_if_not_exists_v0 and asserts it returns the
appropriate error. Use the same test harness/fixtures as existing tests for this
module so setup/teardown mirror current coverage.

packages/rs-dpp/src/data_contract/document_type/index/mod.rs (1)

700-753: ⚡ Quick win

Add focused unit tests for rangeCountable parsing + invariants.

The new parser/guard logic is central to contract compatibility, but there are no direct tests for: invalid type, rangeCountable=true + NotCountable rejection, and acceptance with Countable/CountableAllowingOffset.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/rs-dpp/src/data_contract/document_type/index/mod.rs` around lines
700 - 753, Add focused unit tests that exercise the rangeCountable parsing and
invariants: write tests that feed the index-parsing path (the code constructing
range_countable and calling IndexProperty::from_platform_value / the document
type index parser in mod.rs) with (1) rangeCountable of the wrong type to assert
it returns DataContractError::ValueWrongType, (2) rangeCountable=true combined
with a countable value that is NotCountable to assert it returns
DataContractError::InvalidContractStructure (message about rangeCountable
requires countable), and (3) rangeCountable=true combined with Countable and
with CountableAllowingOffset to assert successful parsing (no error) and that
range_countable is set; use the symbols range_countable,
countable.is_countable(), Countable, CountableAllowingOffset, NotCountable, and
the DataContractError variants to locate and validate behavior.

packages/rs-drive/src/drive/contract/insert/insert_contract/v0/mod.rs (1)

328-339: ⚡ Quick win

Add a compound rangeCountable prefix test here.

This branch now relies on has_index_with_type() to mean “the range-countable index terminates at this level”, but the new e2e coverage only proves the single-property case. Please add a [brand, color] rangeCountable contract test asserting the brand node stays a normal tree and only the terminal range-countable layer gets the provable/count-tree treatment.

Based on learnings: In packages/rs-drive (Rust), CountTree should only be used at the reference/leaf level of a countable index. It must not be used for intermediate/top-level index path nodes.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/rs-drive/src/drive/contract/insert/insert_contract/v0/mod.rs` around
lines 328 - 339, The test coverage is missing a compound-index case: add an
insert_contract v0 test that exercises a rangeCountable compound prefix like
[brand, color] and asserts that the intermediate `brand` node remains a
NormalTree while only the terminal `color` layer becomes a Provable/CountTree;
modify or add a test that inserts data and then inspects the index_structure via
`index_structure.sub_levels()` (the logic around
`property_name_is_range_countable_terminator`, `has_index_with_type()` and
`range_countable`) to verify CountTree is only created at the leaf/terminal
level and not for intermediate path nodes.

book/src/drive/document-count-trees.md (2)

147-148: ⚡ Quick win

Consider noting the current SDK verification limitation for range count proofs.

The documentation describes the intended verification flow using GroveDb::verify_aggregate_count_query, but per the PR objectives (finding #1), the SDK proof-verifier (rs-drive-proof-verifier, rs-sdk, wasm-sdk, rs-sdk-ffi) does not yet implement verification for AggregateCountOnRange proofs—it still uses the old document-materializing verifier, which will fail when it receives the new proof shape.

This means prove=true combined with a range clause will currently fail at SDK verification time. Consider adding a note or callout (e.g., "Note: SDK verification for range count proofs will be available in a future release") to prevent users from encountering unexpected verification failures when following this documentation.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@book/src/drive/document-count-trees.md` around lines 147 - 148, Add a short
note to the document explaining the current SDK limitation: mention that
although drive-abci produces AggregateCountOnRange proofs via
get_proved_path_query and GroveDb::verify_aggregate_count_query, the SDK
proof-verifier implementations (rs-drive-proof-verifier, rs-sdk, wasm-sdk,
rs-sdk-ffi) do not yet support verifying AggregateCountOnRange proofs and still
expect the older document-materializing proof shape, so using prove=true with a
range clause will currently fail verification; suggest using prove=false for
range+distinct needs or wait for a future SDK release that adds
AggregateCountOnRange verification support.

---

398-399: ⚡ Quick win

Consider noting SDK coverage gaps for new features.

The documentation describes several new fields (return_distinct_counts_in_range, order_by_ascending, limit, start_after_split_key, prove=false) in the Range Modes section, but per the PR objectives (finding #3), the current rs-sdk / wasm-sdk / rs-sdk-ffi builders don't yet expose these fields—they auto-derive mode from where clauses and default to prove=true.

Users reading this doc might expect to control these options via the SDK APIs shown here. Consider adding a brief note (e.g., a callout box or inline remark) clarifying which features are available in the current SDK release vs. planned for future versions, to set correct expectations.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@book/src/drive/document-count-trees.md` around lines 398 - 399, Add a brief
note to the "Range Modes" section clarifying SDK coverage gaps: state that the
current builders (DocumentCountQuery, DocumentSplitCountQuery and their
underlying DocumentQuery -> GetDocumentsCountRequest) in rs-sdk / wasm-sdk /
rs-sdk-ffi do not yet expose the new fields return_distinct_counts_in_range,
order_by_ascending, limit, start_after_split_key and that mode is auto-derived
from where clauses and prove currently defaults to true; place this as a short
callout or inline remark near the Range Modes paragraph so readers know these
options are planned for future SDK releases.

packages/rs-drive/src/query/drive_document_count_query/mod.rs (1)

1116-1117: 💤 Low value

Doc claims In-on-prefix is supported, but the dispatch rejects it.

execute_range_count_no_proof's doc (lines 1116–1117) and the implementation (lines 1203–1226) explicitly handle In on the prefix with cartesian-fork + dedupe. However, detect_mode rejects range + In outright (lines 206–212), so via the unified Drive::execute_document_count_request entry point this branch is unreachable.

Since the function is pub and self-validates, the In-handling code isn't dead per se, but the current state is confusing: the picker find_range_countable_index_for_where_clauses accepts an In prefix, the executor handles it, the dispatch rejects it. Either tighten detect_mode to allow range + (In on prefix), or trim the unreachable In branch and update the doc to say "Equal-only prefix, In + range is rejected upstream". Whichever way it goes, the three layers should agree.

Also applies to: 1203-1226

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/rs-drive/src/query/drive_document_count_query/mod.rs` around lines
1116 - 1117, The docs and execute_range_count_no_proof (and its In-handling code
at 1203–1226) claim support for "In on prefix" but detect_mode currently rejects
range + In; fix detect_mode so Drive::execute_document_count_request does not
reject a range query when the only In appears on the prefix: update
detect_mode's logic (the branch that rejects "range + In") to allow cases where
find_range_countable_index_for_where_clauses identifies an index with an In-only
prefix, keep execute_range_count_no_proof's cartesian-fork + dedupe behavior,
and add/update tests to cover range + In-on-prefix dispatch so the three layers
(picker, dispatcher, executor) agree.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@book/mermaid-init.js`:
- Around line 24-38: The loops over darkThemes and lightThemes call
document.getElementById(...) and immediately addEventListener, which can throw
if the element is null; update both loops in mermaid-init.js to first assign the
result to a variable (e.g., btn), check for null/undefined, and only call
addEventListener when btn exists, preserving the existing callback logic that
uses lastThemeWasLight; this prevents TypeError crashes when some theme IDs are
missing.

In `@book/src/drive/document-count-trees.md`:
- Line 196: Add a concise note under the `limit` row clarifying the unset
semantics: state that when `limit` is omitted the query is treated as unbounded
(no client-side truncation), that this currently can bypass `max_query_limit`
unless server-side enforcement is applied, and recommend that clients explicitly
set `limit` to avoid accidental DoS; reference the `limit` and `max_query_limit`
symbols so readers know exactly which fields/controls the note applies to.

In `@book/src/drive/indexes.md`:
- Around line 405-416: Update the section status text for range-countable
indexes to reflect that the feature is implemented and shipped instead of
“design / not implemented”: change the status label and any surrounding wording
that claims it’s unimplemented to state it’s implemented and covered by tests,
and reference the existing implementation details (the walker
add_indices_for_index_level_for_contract_operations, the range_countable
behavior in compound indexes, and the end-to-end test suite
range_countable_index_e2e_tests including the
count_tree_value_count_excludes_compound_continuation_via_non_counted test) so
the prose and status are consistent.

In `@packages/dapi-grpc/protos/platform/v0/platform.proto`:
- Around line 663-665: The CountEntry.count field (message CountEntry, field
name "count") is missing the JS-safe annotation; update the proto by adding the
option `[jstype = JS_STRING]` to the `uint64 count = 2;` declaration so
generated JS/Web clients represent the 64-bit value as a string and avoid
precision loss for large counts, then re-run your proto generation to regenerate
the JS clients.

In `@packages/rs-dpp/src/data_contract/document_type/index_level/mod.rs`:
- Around line 45-57: Index validation currently only rejects changes to the
`countable` flag but `range_countable` (now stored on `IndexLevelTypeInfo`) also
changes index-tree layout and must be treated as immutable; update the index
update validation logic that compares old and new `IndexLevelTypeInfo` to also
check `old.range_countable != new.range_countable` and reject the update with
the same error path/behavior used for `countable` mismatches so toggling
`range_countable` is disallowed just like `countable`.

In `@packages/rs-drive-abci/src/query/document_count_query/v0/mod.rs`:
- Around line 142-145: The current mapping uses limit.map(...) so None remains
None and bypasses the server default; change the logic to first normalize None
to the configured default and then clamp to max_query_limit—i.e. replace the
limit mapping so it uses limit.unwrap_or(self.config.drive.default_query_limit)
(or the actual configured default field in config) and then apply
.min(self.config.drive.max_query_limit as u32) before assigning to limit (keep
start_after_split_key unchanged).

In `@packages/rs-drive/src/query/drive_document_count_query/mod.rs`:
- Around line 1696-1699: The DocumentCountRequest::limit field can be None and
currently gets forwarded into RangeCountOptions unchecked, allowing
distinct-range counts to return unbounded results; update the dispatch that
builds RangeCountOptions to clamp/replace request.limit with the system max
(ensuring RangeCountOptions.limit is always Some and ≤ system cap) before
calling execute_range_count_no_proof, and adjust the DocumentCountRequest::limit
docstring to reflect that Drive enforces a server-side cap; reference
DocumentCountRequest::limit, RangeCountOptions, and execute_range_count_no_proof
when making the change and add/update a handler test for distinct=true with
limit=None to validate the behavior.
- Around line 226-235: detect_mode currently maps (has_range=false, has_in=true,
prove=_) to DocumentCountMode::PerInValue and thus silently drops prove=true;
change detect_mode to return an Err (InvalidWhereClauseComponents) when has_in
is true and prove is true (i.e. reject In-only queries requesting proofs)
instead of mapping to PerInValue, and add/adjust a unit test asserting
detect_mode(&[in_clause], false, true) returns Err; also ensure
execute_document_count_request (the PerInValue arm) remains unchanged for
non-proof requests so behavior is consistent.

In `@packages/rs-sdk-ffi/src/document/queries/count.rs`:
- Around line 219-223: The DocumentCountQuery struct literal is missing required
fields causing compilation failure; update the creation of count_query (used
with DocumentSplitCounts::fetch and built from base_query) to initialize all
five fields by adding return_distinct_counts_in_range: false,
order_by_ascending: None, limit: None, and start_after_split_key: None alongside
document_query: base_query so it matches DocumentCountQuery::new() and the
pattern in packages/wasm-sdk/src/queries/document.rs.

In `@packages/wasm-sdk/src/queries/document.rs`:
- Around line 464-476: The wrappers construct DocumentCountQuery with hard-coded
proof-only fields (DocumentCountQuery usage sets
return_distinct_counts_in_range=false and clears
order_by_ascending/limit/start_after_split_key), preventing the new no-proof
distinct-range and pagination options from being reachable; update the
WASM-facing API to accept optional fields and propagate them into the
DocumentCountQuery: expose return_distinct_counts_in_range, order_by_ascending,
limit, and start_after_split_key from the JS query object (or add dedicated
range-count entrypoints) and use those values instead of the current literals
when building DocumentCountQuery (see where DocumentCountQuery is constructed
around base_query).

---

Outside diff comments:
In `@book/mermaid-init.js`:
- Around line 5-39: The file uses 4-space indentation; convert all indentation
in this IIFE to 2-space indentation to follow the JS/TS style guide: reformat
every block (the arrays darkThemes and lightThemes, the loop over classList that
sets lastThemeWasLight, the mermaid.initialize call, and both event-listener
loops that reference darkThemes/lightThemes and lastThemeWasLight) so each
nested level uses 2 spaces; ensure alignment for the const declarations, for/of
loops, arrow functions in getElementById(...).addEventListener callbacks, and
the final IIFE closure remain consistent after re-indenting.

In `@packages/dapi-grpc/clients/platform/v0/web/platform_pb.d.ts`:
- Around line 2587-2588: The CountEntry.count field is defined as uint64 but the
generated accessors (getCount / setCount) are using number and risk precision
loss; update the platform.proto definition for CountEntry.count to include the
option `jstype = JS_STRING` (matching other uint64 fields like
snapshot_chunks_count and remaining_time), then regenerate the TypeScript
protobufs so the generated platform_pb.d.ts and related methods
(getCount/setCount) use string types to preserve full uint64 precision.

In `@packages/rs-sdk/src/platform/documents/document_count_query.rs`:
- Around line 164-188: The conversion impl TryFrom<DocumentCountQuery> for
GetDocumentsCountRequest currently hardcodes GetDocumentsCountRequestV0.prove =
true which makes no-proof pagination/distinct modes unreachable; add a separate
transport path that builds the same GetDocumentsCountRequest with prove = false
(e.g., a new constructor or helper like
build_unproved_get_documents_count_request(query: DocumentCountQuery) ->
GetDocumentsCountRequest) and expose a new fetch entry point (e.g.,
DocumentSplitCounts::fetch_unproved or FetchUnproved API) that uses this builder
and decodes CountResults directly without running the proof verifier; keep the
existing TryFrom/DocumentSplitCounts::fetch for proof-mode but ensure the new
method references GetDocumentsCountRequestV0, the prove field,
DocumentCountQuery, and DocumentSplitCounts so callers can request no-proof
distinct/pagination behavior.
- Around line 216-249: The current FromProof implementation for
DocumentCountQuery unconditionally forwards to <DocumentCount as
FromProof<DriveDocumentQuery>>::maybe_from_proof_with_metadata which fails for
backend AggregateCountOnRange proofs; update maybe_from_proof_with_metadata in
the impl for DocumentCountQuery (and the similar fallback for
DocumentSplitCounts) to detect when the incoming request contains a range
clause, and in that case verify the proof via
GroveDb::verify_aggregate_count_query (passing the proof/response, network,
platform_version and provider), extract and return the recovered count wrapped
in DocumentCount along with ResponseMetadata and Proof; otherwise fall back to
converting the request to DriveDocumentQuery and delegating to
FromProof<DriveDocumentQuery>::maybe_from_proof_with_metadata as before. Ensure
you reference DocumentCountQuery, AggregateCountOnRange,
GroveDb::verify_aggregate_count_query, DocumentCount, DocumentSplitCounts,
DriveDocumentQuery and maybe_from_proof_with_metadata while implementing the
adapter.

---

Nitpick comments:
In `@book/src/drive/document-count-trees.md`:
- Around line 147-148: Add a short note to the document explaining the current
SDK limitation: mention that although drive-abci produces AggregateCountOnRange
proofs via get_proved_path_query and GroveDb::verify_aggregate_count_query, the
SDK proof-verifier implementations (rs-drive-proof-verifier, rs-sdk, wasm-sdk,
rs-sdk-ffi) do not yet support verifying AggregateCountOnRange proofs and still
expect the older document-materializing proof shape, so using prove=true with a
range clause will currently fail verification; suggest using prove=false for
range+distinct needs or wait for a future SDK release that adds
AggregateCountOnRange verification support.
- Around line 398-399: Add a brief note to the "Range Modes" section clarifying
SDK coverage gaps: state that the current builders (DocumentCountQuery,
DocumentSplitCountQuery and their underlying DocumentQuery ->
GetDocumentsCountRequest) in rs-sdk / wasm-sdk / rs-sdk-ffi do not yet expose
the new fields return_distinct_counts_in_range, order_by_ascending, limit,
start_after_split_key and that mode is auto-derived from where clauses and prove
currently defaults to true; place this as a short callout or inline remark near
the Range Modes paragraph so readers know these options are planned for future
SDK releases.

In `@packages/rs-dpp/src/data_contract/document_type/index/mod.rs`:
- Around line 700-753: Add focused unit tests that exercise the rangeCountable
parsing and invariants: write tests that feed the index-parsing path (the code
constructing range_countable and calling IndexProperty::from_platform_value /
the document type index parser in mod.rs) with (1) rangeCountable of the wrong
type to assert it returns DataContractError::ValueWrongType, (2)
rangeCountable=true combined with a countable value that is NotCountable to
assert it returns DataContractError::InvalidContractStructure (message about
rangeCountable requires countable), and (3) rangeCountable=true combined with
Countable and with CountableAllowingOffset to assert successful parsing (no
error) and that range_countable is set; use the symbols range_countable,
countable.is_countable(), Countable, CountableAllowingOffset, NotCountable, and
the DataContractError variants to locate and validate behavior.

In
`@packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/shielded_common/mod.rs`:
- Around line 130-147: Add a unit test that triggers the new None-return path of
Action::from_parts and asserts it maps to InvalidShieldedProofError;
specifically craft a SerializedAction (or use an existing test helper) with
valid-sized fields but malformed content so Action::from_parts(None) is
returned, call the surrounding function that invokes Action::from_parts (e.g.,
the bundle reconstruction/verification function used in this module such as
reconstruct_and_verify_bundle or the function that wraps Action::from_parts in
mod.rs), and assert the Result is Err and the error is an
InvalidShieldedProofError whose message contains "invalid action parts".

In `@packages/rs-drive/src/drive/contract/insert/insert_contract/v0/mod.rs`:
- Around line 328-339: The test coverage is missing a compound-index case: add
an insert_contract v0 test that exercises a rangeCountable compound prefix like
[brand, color] and asserts that the intermediate `brand` node remains a
NormalTree while only the terminal `color` layer becomes a Provable/CountTree;
modify or add a test that inserts data and then inspects the index_structure via
`index_structure.sub_levels()` (the logic around
`property_name_is_range_countable_terminator`, `has_index_with_type()` and
`range_countable`) to verify CountTree is only created at the leaf/terminal
level and not for intermediate path nodes.

In `@packages/rs-drive/src/query/drive_document_count_query/mod.rs`:
- Around line 1116-1117: The docs and execute_range_count_no_proof (and its
In-handling code at 1203–1226) claim support for "In on prefix" but detect_mode
currently rejects range + In; fix detect_mode so
Drive::execute_document_count_request does not reject a range query when the
only In appears on the prefix: update detect_mode's logic (the branch that
rejects "range + In") to allow cases where
find_range_countable_index_for_where_clauses identifies an index with an In-only
prefix, keep execute_range_count_no_proof's cartesian-fork + dedupe behavior,
and add/update tests to cover range + In-on-prefix dispatch so the three layers
(picker, dispatcher, executor) agree.

In
`@packages/rs-drive/src/util/grove_operations/batch_insert_empty_tree_if_not_exists/v0/mod.rs`:
- Around line 336-340: Add a unit/integration test that invokes
batch_insert_empty_tree_if_not_exists_v0 with wrap_in_non_counted = true (the
new branch) to exercise the new logic path: call
batch_insert_empty_tree_if_not_exists_v0(info, TreeType::NormalTree, true, None)
and assert the resulting state (e.g., the tree was created and marked
non-counted or the expected DB entry/flag is present) and any side effects
expected by the function; also add a separate test that passes an unsupported
TreeType to batch_insert_empty_tree_if_not_exists_v0 and asserts it returns the
appropriate error. Use the same test harness/fixtures as existing tests for this
module so setup/teardown mirror current coverage.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8d7977d1-7bd3-42fb-bd0e-8282591bc6cb

📥 Commits

Reviewing files that changed from the base of the PR and between a28c298 and 8c1f872.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (63)

• book/book.toml
• book/mermaid-init.js
• book/src/drive/document-count-trees.md
• book/src/drive/indexes.md
• packages/dapi-grpc/build.rs
• packages/dapi-grpc/clients/drive/v0/nodejs/drive_pbjs.js
• packages/dapi-grpc/clients/platform/v0/java/org/dash/platform/dapi/v0/PlatformGrpc.java
• packages/dapi-grpc/clients/platform/v0/nodejs/platform_pbjs.js
• packages/dapi-grpc/clients/platform/v0/nodejs/platform_protoc.js
• packages/dapi-grpc/clients/platform/v0/objective-c/Platform.pbobjc.h
• packages/dapi-grpc/clients/platform/v0/objective-c/Platform.pbobjc.m
• packages/dapi-grpc/clients/platform/v0/objective-c/Platform.pbrpc.h
• packages/dapi-grpc/clients/platform/v0/objective-c/Platform.pbrpc.m
• packages/dapi-grpc/clients/platform/v0/python/platform_pb2.py
• packages/dapi-grpc/clients/platform/v0/python/platform_pb2_grpc.py
• packages/dapi-grpc/clients/platform/v0/web/platform_pb.d.ts
• packages/dapi-grpc/clients/platform/v0/web/platform_pb.js
• packages/dapi-grpc/clients/platform/v0/web/platform_pb_service.d.ts
• packages/dapi-grpc/clients/platform/v0/web/platform_pb_service.js
• packages/dapi-grpc/protos/platform/v0/platform.proto
• packages/rs-dapi-client/src/transport/grpc.rs
• packages/rs-dapi/src/services/platform_service/mod.rs
• packages/rs-dpp/Cargo.toml
• packages/rs-dpp/schema/meta_schemas/document/v1/document-meta.json
• packages/rs-dpp/src/data_contract/document_type/class_methods/try_from_schema/v1/mod.rs
• packages/rs-dpp/src/data_contract/document_type/index/mod.rs
• packages/rs-dpp/src/data_contract/document_type/index/random_index.rs
• packages/rs-dpp/src/data_contract/document_type/index_level/mod.rs
• packages/rs-drive-abci/Cargo.toml
• packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/shielded_common/mod.rs
• packages/rs-drive-abci/src/query/document_count_query/v0/mod.rs
• packages/rs-drive-abci/src/query/document_split_count_query/mod.rs
• packages/rs-drive-abci/src/query/document_split_count_query/v0/mod.rs
• packages/rs-drive-abci/src/query/mod.rs
• packages/rs-drive-abci/src/query/service.rs
• packages/rs-drive-proof-verifier/src/proof/document_split_count.rs
• packages/rs-drive/Cargo.toml
• packages/rs-drive/src/drive/contract/insert/insert_contract/v0/mod.rs
• packages/rs-drive/src/drive/document/delete/remove_indices_for_index_level_for_contract_operations/mod.rs
• packages/rs-drive/src/drive/document/delete/remove_indices_for_index_level_for_contract_operations/v0/mod.rs
• packages/rs-drive/src/drive/document/delete/remove_indices_for_top_index_level_for_contract_operations/v0/mod.rs
• packages/rs-drive/src/drive/document/insert/add_indices_for_index_level_for_contract_operations/mod.rs
• packages/rs-drive/src/drive/document/insert/add_indices_for_index_level_for_contract_operations/v0/mod.rs
• packages/rs-drive/src/drive/document/insert/add_indices_for_top_index_level_for_contract_operations/v0/mod.rs
• packages/rs-drive/src/fees/op.rs
• packages/rs-drive/src/query/drive_document_count_query/mod.rs
• packages/rs-drive/src/query/drive_document_count_query/tests.rs
• packages/rs-drive/src/query/mod.rs
• packages/rs-drive/src/util/grove_operations/batch_insert_empty_tree_if_not_exists/mod.rs
• packages/rs-drive/src/util/grove_operations/batch_insert_empty_tree_if_not_exists/v0/mod.rs
• packages/rs-platform-version/Cargo.toml
• packages/rs-platform-wallet/Cargo.toml
• packages/rs-sdk-ffi/src/document/queries/count.rs
• packages/rs-sdk-ffi/src/system/queries/path_elements.rs
• packages/rs-sdk/Cargo.toml
• packages/rs-sdk/src/mock/sdk.rs
• packages/rs-sdk/src/platform/documents/document_count_query.rs
• packages/rs-sdk/src/platform/documents/document_split_count_query.rs
• packages/rs-sdk/src/platform/documents/mod.rs
• packages/rs-sdk/tests/fetch/document_split_count.rs
• packages/rs-sdk/tests/fetch/mod.rs
• packages/wasm-drive-verify/src/state_transition/state_transition_execution_path_queries/token_transition.rs
• packages/wasm-sdk/src/queries/document.rs

💤 Files with no reviewable changes (15)

• packages/rs-sdk/src/platform/documents/mod.rs
• packages/rs-drive-abci/src/query/mod.rs
• packages/rs-dapi/src/services/platform_service/mod.rs
• packages/dapi-grpc/clients/platform/v0/web/platform_pb_service.d.ts
• packages/dapi-grpc/clients/platform/v0/web/platform_pb_service.js
• packages/rs-drive-abci/src/query/document_split_count_query/mod.rs
• packages/rs-drive-abci/src/query/document_split_count_query/v0/mod.rs
• packages/rs-sdk/tests/fetch/mod.rs
• packages/dapi-grpc/clients/platform/v0/objective-c/Platform.pbrpc.m
• packages/dapi-grpc/clients/platform/v0/python/platform_pb2_grpc.py
• packages/dapi-grpc/clients/platform/v0/objective-c/Platform.pbrpc.h
• packages/rs-dapi-client/src/transport/grpc.rs
• packages/rs-sdk/tests/fetch/document_split_count.rs
• packages/rs-sdk/src/mock/sdk.rs
• packages/rs-sdk/src/platform/documents/document_split_count_query.rs

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Add null checks before calling addEventListener.

document.getElementById() returns null if the element doesn't exist. Calling addEventListener on null will throw a TypeError at runtime. The current code assumes all theme button IDs ('ayu', 'navy', 'coal', 'light', 'rust') exist in the DOM, but if any are missing (due to configuration changes or incomplete HTML), the script will crash.

🛡️ Proposed fix to add null-safety guards

 for (const darkTheme of darkThemes) {
-    document.getElementById(darkTheme).addEventListener('click', () => {
-        if (lastThemeWasLight) {
-            window.location.reload();
-        }
-    });
+    const darkButton = document.getElementById(darkTheme);
+    if (darkButton) {
+        darkButton.addEventListener('click', () => {
+            if (lastThemeWasLight) {
+                window.location.reload();
+            }
+        });
+    }
 }

 for (const lightTheme of lightThemes) {
-    document.getElementById(lightTheme).addEventListener('click', () => {
-        if (!lastThemeWasLight) {
-            window.location.reload();
-        }
-    });
+    const lightButton = document.getElementById(lightTheme);
+    if (lightButton) {
+        lightButton.addEventListener('click', () => {
+            if (!lastThemeWasLight) {
+                window.location.reload();
+            }
+        });
+    }
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@book/mermaid-init.js` around lines 24 - 38, The loops over darkThemes and
lightThemes call document.getElementById(...) and immediately addEventListener,
which can throw if the element is null; update both loops in mermaid-init.js to
first assign the result to a variable (e.g., btn), check for null/undefined, and
only call addEventListener when btn exists, preserving the existing callback
logic that uses lastThemeWasLight; this prevents TypeError crashes when some
theme IDs are missing.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Clarify implementation status wording in this section.

This new block describes shipped behavior and cites e2e coverage, but the chapter still labels range-countable as “design / not implemented.” Please align the status text so readers don’t get contradictory guidance.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@book/src/drive/indexes.md` around lines 405 - 416, Update the section status
text for range-countable indexes to reflect that the feature is implemented and
shipped instead of “design / not implemented”: change the status label and any
surrounding wording that claims it’s unimplemented to state it’s implemented and
covered by tests, and reference the existing implementation details (the walker
add_indices_for_index_level_for_contract_operations, the range_countable
behavior in compound indexes, and the end-to-end test suite
range_countable_index_e2e_tests including the
count_tree_value_count_excludes_compound_continuation_via_non_counted test) so
the prose and status are consistent.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

These wrappers still hard-code the old proof-only count mode.

All four entry points force return_distinct_counts_in_range = false and drop order_by_ascending / limit / start_after_split_key, so the new no-proof distinct-range and pagination flow added in this PR is still unreachable from WASM. Please surface these as optional JS query fields (or add dedicated range-count APIs) before merging.

Also applies to: 495-507, 540-546, 566-572

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/wasm-sdk/src/queries/document.rs` around lines 464 - 476, The
wrappers construct DocumentCountQuery with hard-coded proof-only fields
(DocumentCountQuery usage sets return_distinct_counts_in_range=false and clears
order_by_ascending/limit/start_after_split_key), preventing the new no-proof
distinct-range and pagination options from being reachable; update the
WASM-facing API to accept optional fields and propagate them into the
DocumentCountQuery: expose return_distinct_counts_in_range, order_by_ascending,
limit, and start_after_split_key from the JS query object (or add dedicated
range-count entrypoints) and use those values instead of the current literals
when building DocumentCountQuery (see where DocumentCountQuery is constructed
around base_query).

[thepastaclaw]

Code Review

The unified getDocumentsCount refactor and new range_countable index plumbing are coherent at the drive layer, but the SDK seam has multiple verified regressions: SDK Fetch hard-codes prove=true while the server silently downgrades In-clause requests to a no-proof Counts response (NoProofInResult), the SDK Fetch range path is intentionally rejected client-side with no working alternative through Fetch, and the PerInValue executor ignores the documented limit/order/cursor knobs. Generated JS web/node bindings also drop the proto's [jstype = JS_STRING] annotation on the new CountEntry.count field, undoing the precision protection the proto comment is trying to guarantee.

Reviewed commit: b5cee1d

🔴 4 blocking | 🟡 5 suggestion(s) | 💬 1 nitpick(s)

4 additional findings

🔴 blocking: Generated JS web/node bindings ignore `[jstype = JS_STRING]` on new CountEntry.count — large counts will be rounded

packages/dapi-grpc/clients/platform/v0/web/platform_pb.js (lines 26408-26429)

platform.proto:669 annotates uint64 count = 2 [jstype = JS_STRING] precisely so JS consumers don't lose precision above Number.MAX_SAFE_INTEGER, and the doc-comment immediately above explicitly cites the convention. But the generated bindings checked into this PR don't honor it: platform_pb.js:26420 calls reader.readUint64() (not readUint64String), :26378 uses getFieldWithDefault(msg, 2, 0) (not "0"), and platform_pb.d.ts:2587-2588 types getCount()/setCount() as number. For comparison, an existing count = 2 [jstype = JS_STRING] field at platform.proto:425 properly generates readUint64String() and getCount(): string (platform_pb.js:18496,18538; platform_pb.d.ts:1447-1448), so the in-tree artifact is genuinely inconsistent — not a generator-doesn't-support-jstype problem. The same loss-of-precision bug is duplicated in packages/dapi-grpc/clients/platform/v0/nodejs/platform_protoc.js. Re-run the JS protoc against the current proto so the new field's type matches its annotation.

🟡 suggestion: `execute_split_count` / `expand_split_prefix_paths` / `collect_split_at_prefix` / `find_countable_index_for_split` are dead code in production

packages/rs-drive/src/query/drive_document_count_query/mod.rs (lines 638-877)

After the refactor, Drive::execute_document_count_request always builds DriveDocumentCountQuery with split_by_property: None (mod.rs:1500, 1582, 1628, 1663), and the In mode dispatches to execute_document_count_per_in_value_no_proof (which builds Equal-on-each-value subqueries) rather than execute_no_proof with a split property. Grep confirms execute_split_count, expand_split_prefix_paths, collect_split_at_prefix, and find_countable_index_for_split are only referenced from tests.rs and within the mod itself — no production caller. That's ~250 lines of working-but-orphaned logic plus tests pinning behavior nothing dispatches to anymore. Worth deleting (and trimming the corresponding tests) so the file's surface matches what the dispatcher actually exercises.

🟡 suggestion: `.expect()` inside `execute_transport` can panic on CBOR encode failure

packages/rs-sdk/src/platform/documents/document_count_query.rs (lines 204-213)

self.try_into().expect("DocumentCountQuery should always be valid") runs inside the BoxFuture returned by the transport layer. The TryFrom<DocumentCountQuery> for GetDocumentsCountRequest impl above goes through serialize_where_clauses_to_cbor, which surfaces Error::Protocol(ProtocolError::EncodingError(...)) for ciborium failures. A panic inside the future is worse than a returned TransportError — async runtimes typically convert this into a hung/aborted task instead of a recoverable error. Even if today's WhereClause shapes can't trigger the encode failure, the pattern is fragile under future Value -> CborValue semantic changes. Map the error into a TransportError so the failure is recoverable.

💬 nitpick: Stale doc reference points to test files deleted in this PR

packages/rs-drive-proof-verifier/src/proof/document_split_count.rs (lines 154-157)

The trailing comment points readers to packages/rs-sdk/tests/fetch/document_split_count.rs and to drive-abci's src/query/document_split_count_query/v0/mod.rs tests, but both are removed in this PR (document_split_count.rs | 176 --, document_split_count_query/{mod.rs,v0/mod.rs} | 725 --). Future contributors hit a dead link. Repoint to the surviving fixtures (e.g. packages/rs-drive-abci/src/query/document_count_query/v0/mod.rs tests) or drop the stale bullets.

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-sdk/src/platform/documents/document_count_query.rs`:
- [BLOCKING] lines 179-183: SDK count Fetch with `In` clause fails end-to-end with NoProofInResult
  `DocumentCountQuery -> GetDocumentsCountRequest` hard-codes `prove: true` here, but in `packages/rs-drive/src/query/drive_document_count_query/mod.rs:235-244` `detect_mode` maps `(has_range=false, has_in=true, _)` to `DocumentCountMode::PerInValue` regardless of `prove`, and `execute_document_count_request` (mod.rs:1842-1851) dispatches `PerInValue` to `execute_document_count_per_in_value_no_proof`, which always returns `DocumentCountResponse::Counts(...)` — never a proof. The SDK proof verifier `DocumentSplitCounts::maybe_from_proof_with_split_property` (`packages/rs-drive-proof-verifier/src/proof/document_split_count.rs:97`) then bails with `Error::NoProofInResult`. Net effect: every SDK / wasm-sdk / rs-sdk-ffi caller using an `In` where-clause — i.e. the entire split-count entry-point this PR exposes via `DocumentSplitCounts::fetch` (rs-sdk doc_count_query.rs:301, wasm-sdk queries/document.rs:529-548, rs-sdk-ffi document/queries/count.rs:209-265) — gets a runtime error. The regression is uncaught because the only SDK split-count integration test (`packages/rs-sdk/tests/fetch/document_split_count.rs`) was deleted in this PR with no replacement. Either generate a real proof for `In`-bearing requests when `prove=true`, or reject `prove=true && in` server-side and add a no-proof transport entry point on the SDK so the public API actually works.
- [BLOCKING] lines 232-264: Range count via DocumentCount::fetch always errors — newly unified count API is unusable for ranges from Rust clients
  `FromProof<DocumentCountQuery> for DocumentCount` rejects any range operator before parsing the response and tells callers to use `prove = false`, but the same SDK request builder above hard-codes `prove: true` and there is no alternative `Fetch` path that passes `prove = false`. Before this refactor, `prove=true` count queries fell through the materialize-and-count document-proof path; after the new server dispatch, range + prove is routed to `DocumentCountMode::RangeProof` (returns `AggregateCountOnRange` proof bytes) and the SDK can no longer decode it. Net: every wasm-sdk / rs-sdk-ffi count call with `>`, `<`, `between*` (or `startsWith` once enabled) is a hard runtime failure with no usable workaround through the SDK Fetch surface. Either wire up `GroveDb::verify_aggregate_count_query` (the doc-comment notes grovedb's `feature = "minimal"` gate) or expose a no-proof Fetch path before merging.
- [SUGGESTION] lines 355-366: DocumentSplitCounts total-count case yields empty map for count=0 instead of the documented `[(empty key, 0)]` entry
  Both the proto wire-format comment (`platform.proto:621-622`: "single CountEntry with empty key") and the wasm/FFI docstrings (`packages/wasm-sdk/src/queries/document.rs:520-524`, `packages/rs-sdk-ffi/src/document/queries/count.rs:194-201`) say the no-`In` total-count case returns one entry with empty key. But here the closure does `if count > 0 { m.insert(Vec::new(), count); }`, so when 0 docs match, JS receives `new Map()` and iOS receives `{"counts": {}}` — indistinguishable from "no entries at all" and contradicting the spec. Drop the `count > 0` guard so the empty-key entry is always present.
- [SUGGESTION] lines 204-213: `.expect()` inside `execute_transport` can panic on CBOR encode failure
  `self.try_into().expect("DocumentCountQuery should always be valid")` runs inside the BoxFuture returned by the transport layer. The `TryFrom<DocumentCountQuery> for GetDocumentsCountRequest` impl above goes through `serialize_where_clauses_to_cbor`, which surfaces `Error::Protocol(ProtocolError::EncodingError(...))` for ciborium failures. A panic inside the future is worse than a returned `TransportError` — async runtimes typically convert this into a hung/aborted task instead of a recoverable error. Even if today's `WhereClause` shapes can't trigger the encode failure, the pattern is fragile under future `Value -> CborValue` semantic changes. Map the error into a `TransportError` so the failure is recoverable.

In `packages/rs-drive/src/query/drive_document_count_query/mod.rs`:
- [BLOCKING] lines 1512-1593: PerInValue executor silently ignores `limit`, `order_by_ascending`, and `start_after_split_key`
  `packages/dapi-grpc/protos/platform/v0/platform.proto:642-653` documents `order_by_ascending`, `limit`, and `start_after_split_key` as applying to *split-mode entries (per-`In`-value or per-range-distinct-value)* — i.e. PerInValue is in scope. The unified dispatcher at `mod.rs:1842-1851` calls `execute_document_count_per_in_value_no_proof` with no options, and that executor iterates the `In` array in input order, dedupes, and returns every entry with no clamp/skip/sort. Only the `RangeNoProof` arm (1853-1858) threads these into `RangeCountOptions`. Callers will get silently wrong (full, input-ordered, unbounded) results instead of the documented page/sort/cursor semantics. Either honor the options for `PerInValue` or carve them out of the proto contract.
- [SUGGESTION] lines 1348-1353: `startsWith` is advertised as a supported range count operator but the executor rejects it
  `is_range_operator` (mod.rs:144) lists `WhereOperator::StartsWith`, `find_range_countable_index_for_where_clauses` will happily pick a covering index for it, and `platform.proto:627` explicitly enumerates `startsWith` alongside `>`/`<`/`between*` as a supported range-clause form. But `range_clause_to_query_item` then errors with `InvalidWhereClauseComponents("startsWith is not yet supported on the range_countable count fast path")`. Two layers disagree on what the count fast path supports, and clients trying to use the documented operator hit a runtime failure. Either reject `StartsWith` in `is_range_operator` / the proto comment until grovedb encoding is wired, or implement the encoding before merging the doc claim.
- [SUGGESTION] lines 638-877: `execute_split_count` / `expand_split_prefix_paths` / `collect_split_at_prefix` / `find_countable_index_for_split` are dead code in production
  After the refactor, `Drive::execute_document_count_request` always builds `DriveDocumentCountQuery` with `split_by_property: None` (mod.rs:1500, 1582, 1628, 1663), and the `In` mode dispatches to `execute_document_count_per_in_value_no_proof` (which builds Equal-on-each-value subqueries) rather than `execute_no_proof` with a split property. Grep confirms `execute_split_count`, `expand_split_prefix_paths`, `collect_split_at_prefix`, and `find_countable_index_for_split` are only referenced from `tests.rs` and within the mod itself — no production caller. That's ~250 lines of working-but-orphaned logic plus tests pinning behavior nothing dispatches to anymore. Worth deleting (and trimming the corresponding tests) so the file's surface matches what the dispatcher actually exercises.

In `packages/dapi-grpc/clients/platform/v0/web/platform_pb.js`:
- [BLOCKING] lines 26408-26429: Generated JS web/node bindings ignore `[jstype = JS_STRING]` on new CountEntry.count — large counts will be rounded
  `platform.proto:669` annotates `uint64 count = 2 [jstype = JS_STRING]` precisely so JS consumers don't lose precision above `Number.MAX_SAFE_INTEGER`, and the doc-comment immediately above explicitly cites the convention. But the generated bindings checked into this PR don't honor it: `platform_pb.js:26420` calls `reader.readUint64()` (not `readUint64String`), `:26378` uses `getFieldWithDefault(msg, 2, 0)` (not `"0"`), and `platform_pb.d.ts:2587-2588` types `getCount()/setCount()` as `number`. For comparison, an existing `count = 2 [jstype = JS_STRING]` field at `platform.proto:425` properly generates `readUint64String()` and `getCount(): string` (`platform_pb.js:18496,18538`; `platform_pb.d.ts:1447-1448`), so the in-tree artifact is genuinely inconsistent — not a generator-doesn't-support-jstype problem. The same loss-of-precision bug is duplicated in `packages/dapi-grpc/clients/platform/v0/nodejs/platform_protoc.js`. Re-run the JS protoc against the current proto so the new field's type matches its annotation.

In `packages/rs-sdk-ffi/src/document/queries/count.rs`:
- [SUGGESTION] lines 209-215: `dash_sdk_document_split_count` C ABI silently changed without a symbol/version bump
  The exported `extern "C"` symbol kept the same name `dash_sdk_document_split_count` but its parameter list went from `(sdk, contract, doc_type, split_property, where_json)` (5 args) to `(sdk, contract, doc_type, where_json)` (4 args). cbindgen at `packages/rs-sdk-ffi/build.rs:21-31` regenerates the header, but any iOS/Swift caller already linked against the previous header will still pass five arguments and on arm64/x86_64 the callee will read the old `split_property` pointer in the slot now occupied by `where_json`, so `serde_json::from_str` on the property name fails and the call returns an `InternalError` JSON without any compile-time signal. Pre-release scope is acknowledged, but consider renaming (`_v2` suffix) or otherwise breaking the symbol so stale wrappers fail loudly at link time.

[thepastaclaw]

🔴 Blocking: SDK count Fetch with In clause fails end-to-end with NoProofInResult

DocumentCountQuery -> GetDocumentsCountRequest hard-codes prove: true here, but in packages/rs-drive/src/query/drive_document_count_query/mod.rs:235-244 detect_mode maps (has_range=false, has_in=true, _) to DocumentCountMode::PerInValue regardless of prove, and execute_document_count_request (mod.rs:1842-1851) dispatches PerInValue to execute_document_count_per_in_value_no_proof, which always returns DocumentCountResponse::Counts(...) — never a proof. The SDK proof verifier DocumentSplitCounts::maybe_from_proof_with_split_property (packages/rs-drive-proof-verifier/src/proof/document_split_count.rs:97) then bails with Error::NoProofInResult. Net effect: every SDK / wasm-sdk / rs-sdk-ffi caller using an In where-clause — i.e. the entire split-count entry-point this PR exposes via DocumentSplitCounts::fetch (rs-sdk doc_count_query.rs:301, wasm-sdk queries/document.rs:529-548, rs-sdk-ffi document/queries/count.rs:209-265) — gets a runtime error. The regression is uncaught because the only SDK split-count integration test (packages/rs-sdk/tests/fetch/document_split_count.rs) was deleted in this PR with no replacement. Either generate a real proof for In-bearing requests when prove=true, or reject prove=true && in server-side and add a no-proof transport entry point on the SDK so the public API actually works.

_{source: ['claude-general', 'codex-general', 'codex-rust-quality', 'codex-security-auditor']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-sdk/src/platform/documents/document_count_query.rs`:
- [BLOCKING] lines 179-183: SDK count Fetch with `In` clause fails end-to-end with NoProofInResult
  `DocumentCountQuery -> GetDocumentsCountRequest` hard-codes `prove: true` here, but in `packages/rs-drive/src/query/drive_document_count_query/mod.rs:235-244` `detect_mode` maps `(has_range=false, has_in=true, _)` to `DocumentCountMode::PerInValue` regardless of `prove`, and `execute_document_count_request` (mod.rs:1842-1851) dispatches `PerInValue` to `execute_document_count_per_in_value_no_proof`, which always returns `DocumentCountResponse::Counts(...)` — never a proof. The SDK proof verifier `DocumentSplitCounts::maybe_from_proof_with_split_property` (`packages/rs-drive-proof-verifier/src/proof/document_split_count.rs:97`) then bails with `Error::NoProofInResult`. Net effect: every SDK / wasm-sdk / rs-sdk-ffi caller using an `In` where-clause — i.e. the entire split-count entry-point this PR exposes via `DocumentSplitCounts::fetch` (rs-sdk doc_count_query.rs:301, wasm-sdk queries/document.rs:529-548, rs-sdk-ffi document/queries/count.rs:209-265) — gets a runtime error. The regression is uncaught because the only SDK split-count integration test (`packages/rs-sdk/tests/fetch/document_split_count.rs`) was deleted in this PR with no replacement. Either generate a real proof for `In`-bearing requests when `prove=true`, or reject `prove=true && in` server-side and add a no-proof transport entry point on the SDK so the public API actually works.

[thepastaclaw]

🔴 Blocking: Range count via DocumentCount::fetch always errors — newly unified count API is unusable for ranges from Rust clients

FromProof<DocumentCountQuery> for DocumentCount rejects any range operator before parsing the response and tells callers to use prove = false, but the same SDK request builder above hard-codes prove: true and there is no alternative Fetch path that passes prove = false. Before this refactor, prove=true count queries fell through the materialize-and-count document-proof path; after the new server dispatch, range + prove is routed to DocumentCountMode::RangeProof (returns AggregateCountOnRange proof bytes) and the SDK can no longer decode it. Net: every wasm-sdk / rs-sdk-ffi count call with >, <, between* (or startsWith once enabled) is a hard runtime failure with no usable workaround through the SDK Fetch surface. Either wire up GroveDb::verify_aggregate_count_query (the doc-comment notes grovedb's feature = "minimal" gate) or expose a no-proof Fetch path before merging.

_{source: ['codex-general', 'codex-rust-quality']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-sdk/src/platform/documents/document_count_query.rs`:
- [BLOCKING] lines 232-264: Range count via DocumentCount::fetch always errors — newly unified count API is unusable for ranges from Rust clients
  `FromProof<DocumentCountQuery> for DocumentCount` rejects any range operator before parsing the response and tells callers to use `prove = false`, but the same SDK request builder above hard-codes `prove: true` and there is no alternative `Fetch` path that passes `prove = false`. Before this refactor, `prove=true` count queries fell through the materialize-and-count document-proof path; after the new server dispatch, range + prove is routed to `DocumentCountMode::RangeProof` (returns `AggregateCountOnRange` proof bytes) and the SDK can no longer decode it. Net: every wasm-sdk / rs-sdk-ffi count call with `>`, `<`, `between*` (or `startsWith` once enabled) is a hard runtime failure with no usable workaround through the SDK Fetch surface. Either wire up `GroveDb::verify_aggregate_count_query` (the doc-comment notes grovedb's `feature = "minimal"` gate) or expose a no-proof Fetch path before merging.

[thepastaclaw]

🔴 Blocking: PerInValue executor silently ignores limit, order_by_ascending, and start_after_split_key

packages/dapi-grpc/protos/platform/v0/platform.proto:642-653 documents order_by_ascending, limit, and start_after_split_key as applying to split-mode entries (per-In-value or per-range-distinct-value) — i.e. PerInValue is in scope. The unified dispatcher at mod.rs:1842-1851 calls execute_document_count_per_in_value_no_proof with no options, and that executor iterates the In array in input order, dedupes, and returns every entry with no clamp/skip/sort. Only the RangeNoProof arm (1853-1858) threads these into RangeCountOptions. Callers will get silently wrong (full, input-ordered, unbounded) results instead of the documented page/sort/cursor semantics. Either honor the options for PerInValue or carve them out of the proto contract.

_{source: ['codex-general']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-drive/src/query/drive_document_count_query/mod.rs`:
- [BLOCKING] lines 1512-1593: PerInValue executor silently ignores `limit`, `order_by_ascending`, and `start_after_split_key`
  `packages/dapi-grpc/protos/platform/v0/platform.proto:642-653` documents `order_by_ascending`, `limit`, and `start_after_split_key` as applying to *split-mode entries (per-`In`-value or per-range-distinct-value)* — i.e. PerInValue is in scope. The unified dispatcher at `mod.rs:1842-1851` calls `execute_document_count_per_in_value_no_proof` with no options, and that executor iterates the `In` array in input order, dedupes, and returns every entry with no clamp/skip/sort. Only the `RangeNoProof` arm (1853-1858) threads these into `RangeCountOptions`. Callers will get silently wrong (full, input-ordered, unbounded) results instead of the documented page/sort/cursor semantics. Either honor the options for `PerInValue` or carve them out of the proto contract.

[thepastaclaw]

🟡 Suggestion: startsWith is advertised as a supported range count operator but the executor rejects it

is_range_operator (mod.rs:144) lists WhereOperator::StartsWith, find_range_countable_index_for_where_clauses will happily pick a covering index for it, and platform.proto:627 explicitly enumerates startsWith alongside >/</between* as a supported range-clause form. But range_clause_to_query_item then errors with InvalidWhereClauseComponents("startsWith is not yet supported on the range_countable count fast path"). Two layers disagree on what the count fast path supports, and clients trying to use the documented operator hit a runtime failure. Either reject StartsWith in is_range_operator / the proto comment until grovedb encoding is wired, or implement the encoding before merging the doc claim.

_{source: ['claude-general', 'codex-general']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-drive/src/query/drive_document_count_query/mod.rs`:
- [SUGGESTION] lines 1348-1353: `startsWith` is advertised as a supported range count operator but the executor rejects it
  `is_range_operator` (mod.rs:144) lists `WhereOperator::StartsWith`, `find_range_countable_index_for_where_clauses` will happily pick a covering index for it, and `platform.proto:627` explicitly enumerates `startsWith` alongside `>`/`<`/`between*` as a supported range-clause form. But `range_clause_to_query_item` then errors with `InvalidWhereClauseComponents("startsWith is not yet supported on the range_countable count fast path")`. Two layers disagree on what the count fast path supports, and clients trying to use the documented operator hit a runtime failure. Either reject `StartsWith` in `is_range_operator` / the proto comment until grovedb encoding is wired, or implement the encoding before merging the doc claim.

[thepastaclaw]

🟡 Suggestion: DocumentSplitCounts total-count case yields empty map for count=0 instead of the documented [(empty key, 0)] entry

Both the proto wire-format comment (platform.proto:621-622: "single CountEntry with empty key") and the wasm/FFI docstrings (packages/wasm-sdk/src/queries/document.rs:520-524, packages/rs-sdk-ffi/src/document/queries/count.rs:194-201) say the no-In total-count case returns one entry with empty key. But here the closure does if count > 0 { m.insert(Vec::new(), count); }, so when 0 docs match, JS receives new Map() and iOS receives {"counts": {}} — indistinguishable from "no entries at all" and contradicting the spec. Drop the count > 0 guard so the empty-key entry is always present.

💡 Suggested change

Suggested change

	.map(|(opt, mtd, proof)| {
	let map = opt
	.map(|DocumentCount(count)| {
	let mut m = std::collections::BTreeMap::new();
	if count > 0 {
	m.insert(Vec::new(), count);
	}
	m
	})
	.unwrap_or_default();
	(Some(DocumentSplitCounts(map)), mtd, proof)
	})
	.map(|(opt, mtd, proof)| {
	let map = opt
	.map(|DocumentCount(count)| {
	let mut m = std::collections::BTreeMap::new();
	m.insert(Vec::new(), count);
	m
	})
	.unwrap_or_default();
	(Some(DocumentSplitCounts(map)), mtd, proof)
	})

_{source: ['claude-ffi-engineer']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-sdk/src/platform/documents/document_count_query.rs`:
- [SUGGESTION] lines 355-366: DocumentSplitCounts total-count case yields empty map for count=0 instead of the documented `[(empty key, 0)]` entry
  Both the proto wire-format comment (`platform.proto:621-622`: "single CountEntry with empty key") and the wasm/FFI docstrings (`packages/wasm-sdk/src/queries/document.rs:520-524`, `packages/rs-sdk-ffi/src/document/queries/count.rs:194-201`) say the no-`In` total-count case returns one entry with empty key. But here the closure does `if count > 0 { m.insert(Vec::new(), count); }`, so when 0 docs match, JS receives `new Map()` and iOS receives `{"counts": {}}` — indistinguishable from "no entries at all" and contradicting the spec. Drop the `count > 0` guard so the empty-key entry is always present.

[thepastaclaw]

🟡 Suggestion: dash_sdk_document_split_count C ABI silently changed without a symbol/version bump

The exported extern "C" symbol kept the same name dash_sdk_document_split_count but its parameter list went from (sdk, contract, doc_type, split_property, where_json) (5 args) to (sdk, contract, doc_type, where_json) (4 args). cbindgen at packages/rs-sdk-ffi/build.rs:21-31 regenerates the header, but any iOS/Swift caller already linked against the previous header will still pass five arguments and on arm64/x86_64 the callee will read the old split_property pointer in the slot now occupied by where_json, so serde_json::from_str on the property name fails and the call returns an InternalError JSON without any compile-time signal. Pre-release scope is acknowledged, but consider renaming (_v2 suffix) or otherwise breaking the symbol so stale wrappers fail loudly at link time.

_{source: ['claude-ffi-engineer', 'codex-ffi-engineer']}

🤖 Fix this with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-sdk-ffi/src/document/queries/count.rs`:
- [SUGGESTION] lines 209-215: `dash_sdk_document_split_count` C ABI silently changed without a symbol/version bump
  The exported `extern "C"` symbol kept the same name `dash_sdk_document_split_count` but its parameter list went from `(sdk, contract, doc_type, split_property, where_json)` (5 args) to `(sdk, contract, doc_type, where_json)` (4 args). cbindgen at `packages/rs-sdk-ffi/build.rs:21-31` regenerates the header, but any iOS/Swift caller already linked against the previous header will still pass five arguments and on arm64/x86_64 the callee will read the old `split_property` pointer in the slot now occupied by `where_json`, so `serde_json::from_str` on the property name fails and the call returns an `InternalError` JSON without any compile-time signal. Pre-release scope is acknowledged, but consider renaming (`_v2` suffix) or otherwise breaking the symbol so stale wrappers fail loudly at link time.

[thepastaclaw]

Code Review

The latest commit closes some prior issues (server now rejects prove=true + In rather than silently downgrading; both abci and rs-drive RangeNoProof paths clamp limit). However, the public count API surface remains broken end-to-end: the SDK's TryFrom hard-codes prove=true, so every wasm-sdk/FFI split-count call with In now hits a hard server reject, and every range count fails verifier-side. PerInValue still ignores limit/order/cursor and walks the In array unbounded (DoS amplification). The regenerated JS protobuf bindings still ignore [jstype = JS_STRING] on CountEntry.count. Several smaller follow-ups (dead split-count code, count=0 empty-map, FFI symbol silently re-shaped, .expect() in transport future, stale doc refs) carry forward.

Reviewed commit: 10e34a7

🔴 5 blocking | 🟡 5 suggestion(s)

10 additional findings

🔴 blocking: SDK split-count Fetch with `In` is end-to-end broken — `prove: true` is hard-coded but the server now rejects prove+In

packages/rs-sdk/src/platform/documents/document_count_query.rs (lines 167-188)

TryFrom<DocumentCountQuery> for GetDocumentsCountRequest always sets prove: true (line 183). On this head, DriveDocumentCountQuery::detect_mode (packages/rs-drive/src/query/drive_document_count_query/mod.rs:241-246) explicitly rejects prove=true && has_in with InvalidWhereClauseComponents("prove = true is not supported with an in where-clause"). That means every public caller of DocumentSplitCounts::fetch with an In clause — wasm-sdk's getDocumentsSplitCount / getDocumentsSplitCountWithProofInfo (packages/wasm-sdk/src/queries/document.rs:529-581) and FFI's dash_sdk_document_split_count (packages/rs-sdk-ffi/src/document/queries/count.rs:209-265) — is now a guaranteed InvalidArgument runtime failure. The split-count surface this PR ships is unreachable through every supported client. Either implement a per-In-value aggregate proof primitive on the server so prove=true + In works, or expose a no-proof Fetch entry point so the SDK can flip prove=false for In-bearing count requests. The deleted packages/rs-sdk/tests/fetch/document_split_count.rs integration test would have caught this; reinstate equivalent coverage before merge.

🔴 blocking: Range count via `DocumentCount::fetch` is unusable — no SDK Fetch path issues `prove=false`

packages/rs-sdk/src/platform/documents/document_count_query.rs (lines 232-264)

The new FromProof<DocumentCountQuery> for DocumentCount arm explicitly rejects any range operator with a clear error pointing callers to either prove=false or GroveDb::verify_aggregate_count_query plus DriveDocumentCountQuery::aggregate_count_path_query. But the request builder above hard-codes prove: true, the path-builder is gated behind rs-drive's cfg(any(server, verify)), and verify_aggregate_count_query lives behind grovedb's feature = "minimal" (which rs-drive-proof-verifier does not enable). Net result: every wasm-sdk / rs-sdk-ffi / rs-sdk count call with >, <, between* (or startsWith, when its other rejection lifts) returns Error::RequestError from this verifier check before any productive round-trip, and there is no public Rust API that constructs a prove=false count fetch. Either widen grovedb's feature gate so the verify path is reachable from rs-drive-proof-verifier, or add a prove=false Fetch entry point on DocumentCountQuery returning the parsed Counts directly.

🔴 blocking: PerInValue dispatch ignores `limit`, `order_by_ascending`, and `start_after_split_key`

packages/rs-drive/src/query/drive_document_count_query/mod.rs (lines 1861-1870)

platform.proto:642-653 documents order_by_ascending, limit, and start_after_split_key as split-mode controls applying to both per-In-value and per-range-distinct-value entries. The dispatcher's PerInValue arm calls execute_document_count_per_in_value_no_proof(contract_id, document_type, document_type_name, where_clauses, transaction, platform_version) with no options arg, and the executor at lines 1526-1607 iterates the In array in input order, dedupes via BTreeSet, and emits every entry with no limit, no skip, and no sort. Only the RangeNoProof arm threads these into RangeCountOptions. The new abci-side limit clamp (packages/rs-drive-abci/src/query/document_count_query/v0/mod.rs:143-145) is a no-op for the PerInValue path: callers passing limit=1 still get all N In entries back, and start_after_split_key cursors are ignored. Either honor the options for PerInValue (sort + skip + clamp) or carve them out of the proto contract for In mode.

🔴 blocking: Generated JS bindings ignore `[jstype = JS_STRING]` on new `CountEntry.count` — counts > 2^53−1 silently round in JS

packages/dapi-grpc/clients/platform/v0/web/platform_pb.js (lines 26408-26429)

The proto field is uint64 count = 2 [jstype = JS_STRING] at platform.proto:669, with the doc-comment immediately above explicitly citing the convention. The checked-in JS bindings don't honor it: platform_pb.js:26420 calls reader.readUint64() (returns Number, not String); :26378 uses getFieldWithDefault(msg, 2, 0) (numeric default); platform_pb.d.ts:2587-2604 types count: number; and :26461 calls writer.writeUint64(). For comparison the existing count = 2 [jstype = JS_STRING] field at platform.proto:425 correctly emits readUint64String() and getCount(): string (platform_pb.js:18496-18539), so the generator does support the annotation — the in-tree artifact is genuinely stale. The same loss-of-precision is duplicated in packages/dapi-grpc/clients/platform/v0/nodejs/platform_protoc.js. Re-run protoc against the current proto so the new field's wire decoding matches its declared type-precision contract.

🔴 blocking: PerInValue no-proof count path is unbounded — request-amplification DoS

packages/rs-drive/src/query/drive_document_count_query/mod.rs (lines 1526-1606)

execute_document_count_per_in_value_no_proof reads in_clause.value.as_array() directly (line 1544) and loops over every element, performing one find_countable_index_for_where_clauses + count_query.execute_no_proof GroveDB walk per value. The 100-element cap in WhereClause::in_values() (packages/rs-drive/src/query/conditions.rs:354-365) is not on this path: the abci handler builds WhereClauses via WhereClause::from_components (packages/rs-drive/src/query/conditions.rs:477-525), which performs no length validation, and the dispatcher's PerInValue arm doesn't apply max_query_limit either — only RangeNoProof does. Since DAPI accepts gRPC messages up to 64 MiB and CBOR-encoded small integers cost ~1-2 bytes each, an unauthenticated client can issue a single getDocumentsCount carrying hundreds of thousands of In values, each triggering an independent GroveDB scan. This bypasses the max_query_limit budget the handler is explicitly trying to enforce on the parallel range path. Either invoke WhereClause::in_values() to inherit the existing 100-cap + dedup + non-empty checks, clamp in_values.len() against drive_config.max_query_limit analogously to the RangeNoProof arm, or push an effective_limit into the PerInValue executor.

🟡 suggestion: DocumentSplitCounts total-count case drops the documented empty-key entry when count=0

packages/rs-sdk/src/platform/documents/document_count_query.rs (lines 355-366)

The proto wire-format comment (platform.proto:620-622: "single CountEntry with empty key") and the wasm/FFI docstrings (packages/wasm-sdk/src/queries/document.rs:520-524, packages/rs-sdk-ffi/src/document/queries/count.rs:194-201) all specify that the no-In total-count case returns one entry with empty key. The drive-abci handler also unconditionally produces a [(empty, 0)] entry on Total mode (packages/rs-drive/src/query/drive_document_count_query/mod.rs:1845-1849). But the closure here does if count > 0 { m.insert(Vec::new(), count); }, so when 0 docs match the proven path, JS receives new Map() and iOS receives {"counts":{}} — indistinguishable from "no entries at all" and contradicting both the no-proof path and the published wire shape. Drop the count > 0 guard so the empty-key entry is always present.

💡 Suggested change

            .map(|(opt, mtd, proof)| {
                let map = opt
                    .map(|DocumentCount(count)| {
                        let mut m = std::collections::BTreeMap::new();
                        m.insert(Vec::new(), count);
                        m
                    })
                    .unwrap_or_default();
                (Some(DocumentSplitCounts(map)), mtd, proof)
            })

🟡 suggestion: `dash_sdk_document_split_count` C ABI silently changed without symbol/version bump

packages/rs-sdk-ffi/src/document/queries/count.rs (lines 209-215)

The exported extern "C" fn dash_sdk_document_split_count keeps the same name but its parameter list shrank from 5 args (sdk, contract, doc_type, split_property, where_json) to 4 args (sdk, contract, doc_type, where_json). cbindgen at packages/rs-sdk-ffi/build.rs regenerates the header, but any iOS/Swift wrapper still linked against the previous header will continue to push five arguments; on arm64/x86_64 the callee will read what was the old split_property slot as where_json, fail serde_json::from_str, and return an InternalError JSON with no compile- or link-time signal. Pre-release scope acknowledged, but consider renaming (e.g. _v2 suffix) so stale wrappers fail loudly at link time rather than at runtime.

🟡 suggestion: `startsWith` is advertised as a supported range-count operator but rejected at runtime

packages/rs-drive/src/query/drive_document_count_query/mod.rs (lines 1362-1368)

is_range_operator (line 144) lists WhereOperator::StartsWith as range-capable, find_range_countable_index_for_where_clauses will pick a covering index for it, and platform.proto:627 enumerates startsWith alongside >/</between* as a supported range form. But range_clause_to_query_item returns InvalidWhereClauseComponents("startsWith is not yet supported on the range_countable count fast path"). Two layers disagree on what the count fast path supports, and clients trying the documented operator pass mode detection only to hit a late runtime failure when the path query is materialized. Either drop StartsWith from is_range_operator and the proto comment until the byte-incremented upper-bound encoding is wired, or implement it before publishing the doc claim.

🟡 suggestion: `execute_split_count` / `expand_split_prefix_paths` / `collect_split_at_prefix` / `find_countable_index_for_split` are dead in production

packages/rs-drive/src/query/drive_document_count_query/mod.rs (lines 638-877)

After the unified-handler refactor, every production caller of DriveDocumentCountQuery builds the struct with split_by_property: None (mod.rs:1514, 1596, 1642, 1677), and the PerInValue arm dispatches to execute_document_count_per_in_value_no_proof (Equal-on-each-value subqueries) rather than execute_no_proof with a split property. Grep confirms split_by_property: Some(_) is set only in tests.rs:261 and :557. The execute_split_count / expand_split_prefix_paths / collect_split_at_prefix / find_countable_index_for_split helpers and the Some(_) arm of execute_no_proof are no longer reachable from any production path — ~250 lines of working-but-orphaned logic plus tests pinning behavior nothing dispatches to. Either delete them (and trim the dependent tests) so the file's surface matches what the dispatcher exercises, or wire PerInValue to use execute_split_count if its prefix-walk encoding is preferable to the per-value Equal-on-each loop.

🟡 suggestion: `.expect()` inside `execute_transport` future can panic on CBOR encode failure

packages/rs-sdk/src/platform/documents/document_count_query.rs (lines 204-213)

self.try_into().expect("DocumentCountQuery should always be valid") runs inside the BoxFuture returned by the transport layer. The TryFrom<DocumentCountQuery> for GetDocumentsCountRequest impl above goes through serialize_where_clauses_to_cbor (lines 375-390), which surfaces Error::Protocol(ProtocolError::EncodingError(...)) for ciborium failures. A panic inside an async transport future is worse than a returned TransportError — async runtimes typically convert it into a hung/aborted task rather than a recoverable error. Even if today's WhereClause shapes can't trigger the encode failure, the pattern is fragile under future Value -> CborValue semantic changes. Map the conversion error into a TransportError so the failure stays recoverable.

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `packages/rs-sdk/src/platform/documents/document_count_query.rs`:
- [BLOCKING] lines 167-188: SDK split-count Fetch with `In` is end-to-end broken — `prove: true` is hard-coded but the server now rejects prove+In
  `TryFrom<DocumentCountQuery> for GetDocumentsCountRequest` always sets `prove: true` (line 183). On this head, `DriveDocumentCountQuery::detect_mode` (`packages/rs-drive/src/query/drive_document_count_query/mod.rs:241-246`) explicitly rejects `prove=true && has_in` with `InvalidWhereClauseComponents("prove = true is not supported with an `in` where-clause")`. That means every public caller of `DocumentSplitCounts::fetch` with an `In` clause — wasm-sdk's `getDocumentsSplitCount` / `getDocumentsSplitCountWithProofInfo` (`packages/wasm-sdk/src/queries/document.rs:529-581`) and FFI's `dash_sdk_document_split_count` (`packages/rs-sdk-ffi/src/document/queries/count.rs:209-265`) — is now a guaranteed `InvalidArgument` runtime failure. The split-count surface this PR ships is unreachable through every supported client. Either implement a per-`In`-value aggregate proof primitive on the server so `prove=true + In` works, or expose a no-proof Fetch entry point so the SDK can flip `prove=false` for In-bearing count requests. The deleted `packages/rs-sdk/tests/fetch/document_split_count.rs` integration test would have caught this; reinstate equivalent coverage before merge.
- [BLOCKING] lines 232-264: Range count via `DocumentCount::fetch` is unusable — no SDK Fetch path issues `prove=false`
  The new `FromProof<DocumentCountQuery> for DocumentCount` arm explicitly rejects any range operator with a clear error pointing callers to either `prove=false` or `GroveDb::verify_aggregate_count_query` plus `DriveDocumentCountQuery::aggregate_count_path_query`. But the request builder above hard-codes `prove: true`, the path-builder is gated behind rs-drive's `cfg(any(server, verify))`, and `verify_aggregate_count_query` lives behind grovedb's `feature = "minimal"` (which `rs-drive-proof-verifier` does not enable). Net result: every wasm-sdk / rs-sdk-ffi / rs-sdk count call with `>`, `<`, `between*` (or `startsWith`, when its other rejection lifts) returns `Error::RequestError` from this verifier check before any productive round-trip, and there is no public Rust API that constructs a `prove=false` count fetch. Either widen grovedb's feature gate so the verify path is reachable from `rs-drive-proof-verifier`, or add a `prove=false` Fetch entry point on `DocumentCountQuery` returning the parsed `Counts` directly.
- [SUGGESTION] lines 355-366: DocumentSplitCounts total-count case drops the documented empty-key entry when count=0
  The proto wire-format comment (`platform.proto:620-622`: "single CountEntry with empty key") and the wasm/FFI docstrings (`packages/wasm-sdk/src/queries/document.rs:520-524`, `packages/rs-sdk-ffi/src/document/queries/count.rs:194-201`) all specify that the no-`In` total-count case returns one entry with empty key. The drive-abci handler also unconditionally produces a `[(empty, 0)]` entry on Total mode (`packages/rs-drive/src/query/drive_document_count_query/mod.rs:1845-1849`). But the closure here does `if count > 0 { m.insert(Vec::new(), count); }`, so when 0 docs match the proven path, JS receives `new Map()` and iOS receives `{"counts":{}}` — indistinguishable from "no entries at all" and contradicting both the no-proof path and the published wire shape. Drop the `count > 0` guard so the empty-key entry is always present.
- [SUGGESTION] lines 204-213: `.expect()` inside `execute_transport` future can panic on CBOR encode failure
  `self.try_into().expect("DocumentCountQuery should always be valid")` runs inside the `BoxFuture` returned by the transport layer. The `TryFrom<DocumentCountQuery> for GetDocumentsCountRequest` impl above goes through `serialize_where_clauses_to_cbor` (lines 375-390), which surfaces `Error::Protocol(ProtocolError::EncodingError(...))` for ciborium failures. A panic inside an async transport future is worse than a returned `TransportError` — async runtimes typically convert it into a hung/aborted task rather than a recoverable error. Even if today's `WhereClause` shapes can't trigger the encode failure, the pattern is fragile under future `Value -> CborValue` semantic changes. Map the conversion error into a `TransportError` so the failure stays recoverable.

In `packages/rs-drive/src/query/drive_document_count_query/mod.rs`:
- [BLOCKING] lines 1861-1870: PerInValue dispatch ignores `limit`, `order_by_ascending`, and `start_after_split_key`
  `platform.proto:642-653` documents `order_by_ascending`, `limit`, and `start_after_split_key` as split-mode controls applying to *both* per-`In`-value and per-range-distinct-value entries. The dispatcher's `PerInValue` arm calls `execute_document_count_per_in_value_no_proof(contract_id, document_type, document_type_name, where_clauses, transaction, platform_version)` with no options arg, and the executor at lines 1526-1607 iterates the In array in input order, dedupes via `BTreeSet`, and emits every entry with no limit, no skip, and no sort. Only the `RangeNoProof` arm threads these into `RangeCountOptions`. The new abci-side limit clamp (`packages/rs-drive-abci/src/query/document_count_query/v0/mod.rs:143-145`) is a no-op for the PerInValue path: callers passing `limit=1` still get all N In entries back, and `start_after_split_key` cursors are ignored. Either honor the options for `PerInValue` (sort + skip + clamp) or carve them out of the proto contract for In mode.
- [BLOCKING] lines 1526-1606: PerInValue no-proof count path is unbounded — request-amplification DoS
  `execute_document_count_per_in_value_no_proof` reads `in_clause.value.as_array()` directly (line 1544) and loops over every element, performing one `find_countable_index_for_where_clauses` + `count_query.execute_no_proof` GroveDB walk per value. The 100-element cap in `WhereClause::in_values()` (`packages/rs-drive/src/query/conditions.rs:354-365`) is **not** on this path: the abci handler builds `WhereClause`s via `WhereClause::from_components` (`packages/rs-drive/src/query/conditions.rs:477-525`), which performs no length validation, and the dispatcher's `PerInValue` arm doesn't apply `max_query_limit` either — only `RangeNoProof` does. Since DAPI accepts gRPC messages up to 64 MiB and CBOR-encoded small integers cost ~1-2 bytes each, an unauthenticated client can issue a single `getDocumentsCount` carrying hundreds of thousands of In values, each triggering an independent GroveDB scan. This bypasses the `max_query_limit` budget the handler is explicitly trying to enforce on the parallel range path. Either invoke `WhereClause::in_values()` to inherit the existing 100-cap + dedup + non-empty checks, clamp `in_values.len()` against `drive_config.max_query_limit` analogously to the RangeNoProof arm, or push an effective_limit into the PerInValue executor.
- [SUGGESTION] lines 1362-1368: `startsWith` is advertised as a supported range-count operator but rejected at runtime
  `is_range_operator` (line 144) lists `WhereOperator::StartsWith` as range-capable, `find_range_countable_index_for_where_clauses` will pick a covering index for it, and `platform.proto:627` enumerates `startsWith` alongside `>`/`<`/`between*` as a supported range form. But `range_clause_to_query_item` returns `InvalidWhereClauseComponents("startsWith is not yet supported on the range_countable count fast path")`. Two layers disagree on what the count fast path supports, and clients trying the documented operator pass mode detection only to hit a late runtime failure when the path query is materialized. Either drop `StartsWith` from `is_range_operator` and the proto comment until the byte-incremented upper-bound encoding is wired, or implement it before publishing the doc claim.
- [SUGGESTION] lines 638-877: `execute_split_count` / `expand_split_prefix_paths` / `collect_split_at_prefix` / `find_countable_index_for_split` are dead in production
  After the unified-handler refactor, every production caller of `DriveDocumentCountQuery` builds the struct with `split_by_property: None` (mod.rs:1514, 1596, 1642, 1677), and the `PerInValue` arm dispatches to `execute_document_count_per_in_value_no_proof` (Equal-on-each-value subqueries) rather than `execute_no_proof` with a split property. Grep confirms `split_by_property: Some(_)` is set only in `tests.rs:261` and `:557`. The `execute_split_count` / `expand_split_prefix_paths` / `collect_split_at_prefix` / `find_countable_index_for_split` helpers and the `Some(_)` arm of `execute_no_proof` are no longer reachable from any production path — ~250 lines of working-but-orphaned logic plus tests pinning behavior nothing dispatches to. Either delete them (and trim the dependent tests) so the file's surface matches what the dispatcher exercises, or wire `PerInValue` to use `execute_split_count` if its prefix-walk encoding is preferable to the per-value Equal-on-each loop.

In `packages/dapi-grpc/clients/platform/v0/web/platform_pb.js`:
- [BLOCKING] lines 26408-26429: Generated JS bindings ignore `[jstype = JS_STRING]` on new `CountEntry.count` — counts > 2^53−1 silently round in JS
  The proto field is `uint64 count = 2 [jstype = JS_STRING]` at `platform.proto:669`, with the doc-comment immediately above explicitly citing the convention. The checked-in JS bindings don't honor it: `platform_pb.js:26420` calls `reader.readUint64()` (returns Number, not String); `:26378` uses `getFieldWithDefault(msg, 2, 0)` (numeric default); `platform_pb.d.ts:2587-2604` types `count: number`; and `:26461` calls `writer.writeUint64()`. For comparison the existing `count = 2 [jstype = JS_STRING]` field at `platform.proto:425` correctly emits `readUint64String()` and `getCount(): string` (`platform_pb.js:18496-18539`), so the generator does support the annotation — the in-tree artifact is genuinely stale. The same loss-of-precision is duplicated in `packages/dapi-grpc/clients/platform/v0/nodejs/platform_protoc.js`. Re-run protoc against the current proto so the new field's wire decoding matches its declared type-precision contract.

In `packages/rs-sdk-ffi/src/document/queries/count.rs`:
- [SUGGESTION] lines 209-215: `dash_sdk_document_split_count` C ABI silently changed without symbol/version bump
  The exported `extern "C" fn dash_sdk_document_split_count` keeps the same name but its parameter list shrank from 5 args `(sdk, contract, doc_type, split_property, where_json)` to 4 args `(sdk, contract, doc_type, where_json)`. cbindgen at `packages/rs-sdk-ffi/build.rs` regenerates the header, but any iOS/Swift wrapper still linked against the previous header will continue to push five arguments; on arm64/x86_64 the callee will read what was the old `split_property` slot as `where_json`, fail `serde_json::from_str`, and return an `InternalError` JSON with no compile- or link-time signal. Pre-release scope acknowledged, but consider renaming (e.g. `_v2` suffix) so stale wrappers fail loudly at link time rather than at runtime.

Inline posting hit GitHub HTTP 422, so I posted the same verified findings in the top-level review body for the dispatcher-assigned commit.

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (1)

packages/rs-dpp/src/data_contract/document_type/index_level/mod.rs (1)

607-793: ⚡ Quick win

Add test coverage for range_countable immutability.

The validation logic correctly rejects range_countable changes, but no tests verify this behavior. Consider adding parallel tests to the existing countable immutability suite:

• should_return_invalid_result_if_range_countable_changed_from_false_to_true
• should_return_invalid_result_if_range_countable_changed_from_true_to_false
• (optional) compound index test for range_countable changes

These tests would document the immutability constraint and prevent regressions if the validation logic is later modified.

📋 Example test structure

#[test]
fn should_return_invalid_result_if_range_countable_changed_from_false_to_true() {
    let platform_version = PlatformVersion::latest();
    let document_type_name = "test";

    let old_indices = vec![Index {
        name: "test".to_string(),
        properties: vec![IndexProperty {
            name: "test".to_string(),
            ascending: false,
        }],
        unique: false,
        null_searchable: true,
        contested_index: None,
        countable: IndexCountability::NotCountable,
        range_countable: false,
    }];

    let new_indices = vec![Index {
        name: "test".to_string(),
        properties: vec![IndexProperty {
            name: "test".to_string(),
            ascending: false,
        }],
        unique: false,
        null_searchable: true,
        contested_index: None,
        countable: IndexCountability::NotCountable,
        range_countable: true,
    }];

    let old_index_structure =
        IndexLevel::try_from_indices(&old_indices, document_type_name, platform_version)
            .expect("failed to create old index level");

    let new_index_structure =
        IndexLevel::try_from_indices(&new_indices, document_type_name, platform_version)
            .expect("failed to create new index level");

    let result = old_index_structure.validate_update(document_type_name, &new_index_structure);

    assert_matches!(
        result.errors.as_slice(),
        [ConsensusError::BasicError(
            BasicError::DataContractInvalidIndexDefinitionUpdateError(e)
        )] if e.index_path() == "test -> (range_countable changed)"
    );
}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/rs-dpp/src/data_contract/document_type/index_level/mod.rs` around
lines 607 - 793, Add tests mirroring the existing countable immutability suite
to cover range_countable changes: implement tests named like
should_return_invalid_result_if_range_countable_changed_from_false_to_true,
should_return_invalid_result_if_range_countable_changed_from_true_to_false (and
optionally a compound index test). Each test should construct old and new Index
vectors (using Index, IndexProperty, IndexCountability as in existing tests)
that only toggle range_countable, build IndexLevel instances via
IndexLevel::try_from_indices, call IndexLevel::validate_update, and assert the
result contains a DataContractInvalidIndexDefinitionUpdateError with
e.index_path() matching "test -> (range_countable changed)" (or the compound
path "first -> second -> (range_countable changed)").

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@book/src/drive/document-count-trees.md`:
- Line 369: The docs text for the migration check uses snake_case
`range_countable` which is inconsistent with the public schema/contract JSON
casing used elsewhere; update the example/verbiage to use `rangeCountable`
instead of `range_countable` so references to the per-index flags (`countable`,
`rangeCountable`) and the `GetDocumentsCount` behavior match the rest of the
chapter and SDK/API examples.
- Around line 179-180: Clarify the contradictory guidance by splitting the rules
into path/mode-specific statements: explicitly state that for the query handler
(reference symbols: Equal, In, range, InvalidArgument, between*), in "no-prove"
mode Equal/In may be used to cover an index prefix with a single range
terminator, but in "prove" mode mixing In and a range is rejected and the
handler returns InvalidArgument (use between* for two-sided ranges); update the
paragraph to clearly label these two cases (no-prove vs prove) and describe the
allowed/forbidden combinations and the exact error behavior.

In `@packages/rs-sdk/src/platform/documents/document_count_query.rs`:
- Around line 179-187: The request builder in DocumentCountQuery is hard-coding
prove: true which prevents no-proof distinct/pagination options
(return_distinct_counts_in_range, order_by_ascending, limit,
start_after_split_key) from reaching the no-proof executors; update the fetch
path used by the DocumentCountQuery/Fetch flow to conditionally set prove based
on whether those distinct/pagination knobs are set (or alternatively validate
and reject those setters early), e.g., propagate a new boolean or enum from the
DocumentCountQuery builder into the code that constructs the transport request
instead of always assigning prove: true, add a code path that performs a
no-proof fetch when appropriate, and add an SDK integration test that exercises
with_distinct_counts_in_range(true) plus order/limit/start_after_split_key to
verify the no-proof executor is used and the server accepts the request.
- Around line 390-398: The total-count branch in DocumentSplitCounts is calling
DocumentCount::maybe_from_proof_with_metadata via FromProof<DriveDocumentQuery>,
bypassing the new range-proof verifier; change the call to use
FromProof<DocumentCountQuery> for DocumentCount (i.e. invoke
DocumentCount::maybe_from_proof_with_metadata via the DocumentCountQuery path so
AggregateCountOnRange is used), then take the verified DocumentCount result and
insert it into the returned map under the empty key ("" or the same empty-key
used elsewhere) so the function returns a single-entry map with the verified
count; update the call sites that currently reference DriveDocumentQuery and
ensure the provider/network/platform_version args are forwarded unchanged.

---

Nitpick comments:
In `@packages/rs-dpp/src/data_contract/document_type/index_level/mod.rs`:
- Around line 607-793: Add tests mirroring the existing countable immutability
suite to cover range_countable changes: implement tests named like
should_return_invalid_result_if_range_countable_changed_from_false_to_true,
should_return_invalid_result_if_range_countable_changed_from_true_to_false (and
optionally a compound index test). Each test should construct old and new Index
vectors (using Index, IndexProperty, IndexCountability as in existing tests)
that only toggle range_countable, build IndexLevel instances via
IndexLevel::try_from_indices, call IndexLevel::validate_update, and assert the
result contains a DataContractInvalidIndexDefinitionUpdateError with
e.index_path() matching "test -> (range_countable changed)" (or the compound
path "first -> second -> (range_countable changed)").

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d1301141-2f98-483f-8494-13b1f2832178

📥 Commits

Reviewing files that changed from the base of the PR and between 8c1f872 and aab3377.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (21)

• book/src/drive/document-count-trees.md
• packages/dapi-grpc/clients/platform/v0/nodejs/platform_protoc.js
• packages/dapi-grpc/clients/platform/v0/objective-c/Platform.pbobjc.h
• packages/dapi-grpc/clients/platform/v0/python/platform_pb2.py
• packages/dapi-grpc/clients/platform/v0/web/platform_pb.d.ts
• packages/dapi-grpc/clients/platform/v0/web/platform_pb.js
• packages/dapi-grpc/protos/platform/v0/platform.proto
• packages/rs-dpp/Cargo.toml
• packages/rs-dpp/src/data_contract/document_type/index_level/mod.rs
• packages/rs-drive-abci/Cargo.toml
• packages/rs-drive-abci/src/query/document_count_query/v0/mod.rs
• packages/rs-drive-proof-verifier/src/lib.rs
• packages/rs-drive-proof-verifier/src/proof/document_count.rs
• packages/rs-drive/Cargo.toml
• packages/rs-drive/src/query/drive_document_count_query/mod.rs
• packages/rs-drive/src/query/drive_document_count_query/tests.rs
• packages/rs-platform-version/Cargo.toml
• packages/rs-platform-wallet/Cargo.toml
• packages/rs-sdk-ffi/src/document/queries/count.rs
• packages/rs-sdk/Cargo.toml
• packages/rs-sdk/src/platform/documents/document_count_query.rs

✅ Files skipped from review due to trivial changes (4)

• packages/rs-sdk/Cargo.toml
• packages/rs-dpp/Cargo.toml
• packages/dapi-grpc/clients/platform/v0/objective-c/Platform.pbobjc.h
• packages/dapi-grpc/clients/platform/v0/nodejs/platform_protoc.js

🚧 Files skipped from review as they are similar to previous changes (7)

• packages/rs-platform-version/Cargo.toml
• packages/rs-platform-wallet/Cargo.toml
• packages/dapi-grpc/clients/platform/v0/web/platform_pb.d.ts
• packages/rs-drive-abci/src/query/document_count_query/v0/mod.rs
• packages/rs-sdk-ffi/src/document/queries/count.rs
• packages/dapi-grpc/clients/platform/v0/web/platform_pb.js
• packages/dapi-grpc/protos/platform/v0/platform.proto