Add binary codec and transaction models for MPT

[e-desouza]

Summary

Adds XLS-0033 Multi-Purpose Token (MPT) support to xrpl-rust, including typed models, binary codec support, request/result handling, and integration coverage against local xrpld/Clio services.

MPT Support

• Add MPT amount/currency support:
  • MPTAmount
  • MPTCurrency
  • Amount::MPTAmount
  • Currency::MPTCurrency
• Add MPT transaction models and validation:
  • MPTokenIssuanceCreate
  • MPTokenIssuanceDestroy
  • MPTokenIssuanceSet
  • MPTokenAuthorize
• Add MPT ledger object models:
  • MPToken
  • MPTokenIssuance
• Add MPT binary codec support for Hash192 / MPTokenIssuanceID and MPT amounts.
• Add MPT support in transaction parsing / balance conversion helpers.
• Add account_objects MPT filters for mpt_issuance and mptoken.

Correctness / Review Follow-ups

• Align MPT validation with XLS-0033 and xrpld behavior:
  • 63-bit maximum MPT amount handling.
  • strict decimal-string MPT amount validation.
  • strict 48-hex-character MPTokenIssuanceID validation.
  • metadata hex validation and 1024-byte limit.
  • non-zero transfer fee requires tfMPTCanTransfer.
• Harden Amount and Currency deserialization to avoid ambiguous MPT/issued-currency fallback.
• Replace fragile RPC string checks with typed XRPLRpcError mapping where touched.
• Replace hardcoded branch test literals with named fixtures.
• Preserve no_std compatibility for model/helper paths.

Integration Coverage

Adds end-to-end MPT coverage for:

• Issuance creation with XLS-89-style metadata.
• Holder opt-in / issuer authorization / holder unauthorize lifecycle.
• Issuance destroy success and destroy-with-obligations rejection.
• MPT payments and outstanding amount updates.
• Require-auth rejection before issuer authorization.
• Global lock transfer rejection.
• Maximum amount enforcement.
• Clawback success and clawback permission rejection.
• Holder transfer restriction when tfMPTCanTransfer is absent.
• MPT payment binary codec round-trip.

Validation

Validated locally against Podman xrpld / Clio services:

• cargo fmt --check
• git diff --check
• cargo test --features integration --lib -- --test-threads=1
• cargo test --features integration --test integration_test -- --test-threads=1
• cargo test --features integration --test cli_integration -- --test-threads=1
• cargo test --no-default-features --features models --lib -- --test-threads=1
• cargo test --no-default-features --features "models,wallet,helpers,json-rpc,embassy-rt" --lib -- --test-threads=1
• cargo test --no-default-features --features "models,wallet,helpers,websocket,embassy-rt" --lib -- --test-threads=1
• cargo check --no-default-features --features "models,wallet,helpers,json-rpc,websocket,embassy-rt"

[pdp2121]

/ai-review

[xrplf-ai-reviewer]

One correctness gap flagged inline: missing asset_scale range validation.

Review by Claude Opus 4.6 · Prompt: V13

[pdp2121]

@e-desouza can you add integration tests for all transactions?

[e-desouza]

Added in 380da30d. There's now an integration test for each of the four MPToken transaction types: create (with a second variant that sets metadata, scale, and fee), authorize (holder opt-in), set (locking via TfMPTLock), and destroy (on an empty issuance).

The authorize/set/destroy tests all need a real issuance to work against, so I added a create_mptoken_issuance() helper in tests/common that creates one and derives the MPTokenIssuanceID from the autofilled sequence + account ID.

[pdp2121]

LGTM

[e-desouza]

@copilot resolve the merge conflicts in this pull request

[Copilot]

@copilot resolve the merge conflicts in this pull request

Resolved by merging origin/main and fixing the conflict in tests/transactions/mod.rs by keeping both sides. Addressed in commit 678abe6.

[ckeshava]

Thanks for adding the wait_for_ledger_close_time method. However, this change is not sufficient. The above assert statement is still working on a temporary transaction-status result.

The correct way to validate the status of a transaction would be to invoke the Tx RPC call on the next validated ledger. This will provide the authoritative grouth-truth info from the blockchain-state.

For example, here is the pattern used by xrpl.js integ-tests to verify that the submitted transaction was in-fact processed correctly. Specifically, we need a Rust-equivalent of the verifySubmittedTransaction method."

After deeper inspection, I acknowledge that this is missing in the integration-test harness of the xrpl-py SDK. This is something that I will raise with the team and prioritize for future work of xrpl-py SDK.

[ckeshava]

IMO we should not have this type of file because its a code-smell. The tests should be as stringent as possible.

In the current integ-test harness, we are liberally allowing all of these errors which mask our understanding.

None of the other SDKs have this type of "allow-list" of potential errors for a correctly structured transaction.

[e-desouza]

Ideally, we should have granular numeric/enum error codes, but it seems we lose fidelity when we map real errors to the existing error codes. Will analyze and see if this is something we can improve in the ecosystem overall.

Will try to fix the above to map to error codes/something more robust in the meantime.

[e-desouza]

This is addressed by the typed error cleanup in 3a93900 and bd5e337. We no longer rely on a broad string allow-list for branch-touched network/RPC paths: transport failures classify through the centralized XRPLNetworkErrorKind helpers in src/asynch/clients/*/exceptions.rs, and server RPC failures classify through reusable XRPLRpcError in src/models/results/mod.rs.

[ckeshava]

IMO we should not liberally allow these errors. This test-structure can hide regression errors.

For example, in the future, if the WebSocket connection's port is updated to 51232, then these tests will pass although the rippled server returns "Connection Refused" on port 51233.

I don't see the benefits of allowing these errors to pass through.

[e-desouza]

This is addressed by the same typed error cleanup in 3a93900 and bd5e337. The broad pass-through behavior was removed for the branch-touched tests; transport errors are now classified via centralized XRPLNetworkErrorKind instead of brittle string matching, and server-side RPC errors use XRPLRpcError (including is_server_network_state) where relevant.

[ckeshava]

This unit-test diverges from the rippled behavior. In fact, rippled rejects these types of transactions with temMALFORMED error.

Rippled code ref here

[e-desouza]

Addressed in 6957139. MaximumAmount validation now matches xrpld: zero is rejected, values above i64::MAX are rejected, and the max accepted value is covered by a positive test.

[ckeshava]

Hello, did you mean to demonstrate a unit-test where non-zero transfer fee + no-flag will throw an error? It is not obvious that this case actually throws an error with rippled.

Here is the validation source code of rippled. Only non-zero transfer-fees + no-flag are rejected here.

[e-desouza]

Addressed in 6957139. The validation now rejects non-zero TransferFee without tfMPTCanTransfer, while TransferFee: 0 without the flag is allowed. Tests cover both cases.

[e-desouza]

Split the prerequisite plumbing into stacked PRs so this PR can stay focused on MPT:

1. Stabilize client network error coverage #327: typed async client network errors + integration-covered exception mapping tests + CI stabilization.
2. Add typed RPC errors for submit-and-wait #328: typed xrpld/Clio RPC errors and submit_and_wait txnNotFound handling, stacked on Stabilize client network error coverage #327.
3. Add binary codec and transaction models for MPT #131: MPT binary codec/models/transactions, now stacked on Add typed RPC errors for submit-and-wait #328.

I force-pushed #131 with --force-with-lease after validating the stack locally with podman-backed xrpld and clio smoke tests.