fix: PermissionedDEX (CreateOffer/Payment) never deletes expired credentials

[Kassaking7]

High Level Overview of Change

The PermissionedDEX code paths (CreateOffer and Payment) check credential validity via accountInDomain() in PermissionedDEXHelpers.cpp, but this function uses a ReadView — making it architecturally impossible to delete expired credential SLEs from the ledger. Expired credentials persist indefinitely, locking owner reserves and causing permanent ledger bloat.

Root Cause

The XRPL uses a two-phase cleanup pattern for expired credentials:

1. preclaim() (ReadView): identifies expired credentials, suppresses tecEXPIRED to allow doApply() to run

2. doApply() (ApplyView): calls verifyValidDomain() → removeExpired() → deleteSLE() to actually delete the expired credential from the ledger

This pattern is correctly implemented in VaultDeposit (via enforceMPTokenAuthorization → verifyValidDomain → removeExpired). However, the PermissionedDEX paths skip this entirely:

• accountInDomain() (PermissionedDEXHelpers.cpp:28-55) takes a ReadView const& parameter. It calls credentials::checkExpired() to skip expired credentials, but cannot call deleteSLE() because ReadView is immutable.

• Neither CreateOffer::doApply() nor Payment::doApply() have any call to verifyValidDomain() or removeExpired() for the PermissionedDEX credential check path.

Context of Change

Add a verifyValidDomain() call in the doApply() of both CreateOffer and Payment when a DomainID is present. This mirrors how VaultDeposit handles it. The pattern is:

1. In preclaim: accountInDomain(ReadView) checks validity, suppresses tecEXPIRED
2. In doApply: call verifyValidDomain(ApplyView) which triggers removeExpired → deleteSLE for any expired credentials encountered

API Impact

• Public API: New feature (new methods and/or new fields)
• Public API: Breaking change (in general, breaking changes should only impact the next api_version)
• libxrpl change (any change that may affect libxrpl or dependents of libxrpl)
• Peer protocol change (must be backward compatible or bump the peer protocol version)

[mvadari]

This needs to be amendment gated

[codecov]

Codecov Report

❌ Patch coverage is 94.64286% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.1%. Comparing base (d050073) to head (770fb96).

Files with missing lines	Patch %	Lines
src/libxrpl/tx/transactors/payment/Payment.cpp	94.4%	2 Missing ⚠️
src/libxrpl/tx/transactors/dex/OfferCreate.cpp	95.0%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##           develop   #6827     +/-   ##
=========================================
- Coverage     82.1%   82.1%   -0.0%     
=========================================
  Files         1010    1010             
  Lines        76033   76083     +50     
  Branches      7369    7373      +4     
=========================================
+ Hits         62418   62447     +29     
- Misses       13615   13636     +21     

Files with missing lines	Coverage Δ
src/libxrpl/tx/transactors/dex/OfferCreate.cpp	93.4% <95.0%> (+<0.1%)	⬆️
src/libxrpl/tx/transactors/payment/Payment.cpp	94.7% <94.4%> (-0.1%)	⬇️

... and 6 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

This PR has conflicts, please resolve them in order for the PR to be reviewed.

[github-actions]

All conflicts have been resolved. Assigned reviewers can now start or resume their review.

[Kassaking7]

/ai-review

[xrplf-ai-reviewer]

No issues.

Review by Claude Opus 4.6 · Prompt: V15

[Kassaking7]

/ai-review

[PeterChen13579]

Not sure if

[PeterChen13579]

I think for here, if sender's credential is expired, it deletes only the sender’s credential and returns before checking destination. It would be good to cleanup for both sender and destination in one go

[PeterChen13579]

How to we usually name these? Can it be better names 😄

[shawnxie999]

This is the right name - it's what they came up for the series of bug fixes. This is to group the numerous bug fixes into one amendment

[github-actions]

This PR has conflicts, please resolve them in order for the PR to be reviewed.

[shawnxie999]

Are you sure that this PR is going into fixSecurity3_1_3? not 3.2? Hasn't 3.1.3 already made a cut off?

[shawnxie999]

should return tecINTERNAL here and exclude line coverage // LCOV_EXCL_LINE, the existence of domain was already checked in preclaim but we still need to check here for nullptr, but it should never be reachable

[godexsoft]

We recently merged a refactor to develop that enables clang-tidy's readability-identifier-naming. Your branch now has heavy conflicts that are largely mechanical. Below is a workflow that aligns your branch's naming with develop before merging, which should minimize the merge conflicts.

One-time setup

If you don't already have clang-tidy working in your env, on macOS:

brew install llvm@21
# Follow brew's hint to put $(brew --prefix llvm@21)/bin on PATH so run-clang-tidy is found.

Workflow on your branch (before merging develop)

1. Grab the new .clang-tidy from develop without pulling anything else. Sync your fork on GitHub first, then:

git remote -v   # should show 'upstream' among others; if not:
# git remote set-url upstream git@github.com:XRPLF/rippled.git
git fetch upstream
git checkout upstream/develop -- .clang-tidy

2. Reconfigure conan/cmake so compile_commands.json is fresh.

3. Apply renames for the files modified in your PR:

git diff --name-only $(git merge-base HEAD upstream/develop) HEAD \
  | grep -E '\.(cpp|h|hpp|ipp)$' \
  | xargs run-clang-tidy -p build -fix -allow-no-checks
# or -p .build, or whatever your build dir is called

4. Build + test, then commit as a single dedicated commit:

cmake --build build -j8
git commit -am "refactor: Align identifier naming with develop"

5. Now merge develop:

git merge upstream/develop

Extra

Run clang-tidy once more after the merge to catch any stragglers introduced from develop's side:

run-clang-tidy -p build -fix -allow-no-checks src tests
# or -p .build, or whatever your build dir is called

[shawnxie999]

you should not change the result of an existing test, behavior should not change without a amendment gate. Make sure you have a behavior that switches when amendment is on/off

[shawnxie999]

please have a single test setup for the same scenario and then switch the behavior with the amendment on/off. And call the test with

testExpiredCredentialCleanup(all);
testExpiredCredentialCleanup(all - amednemtn);

This would be much easier to maintain and read.

[shawnxie999]

we don't have a pre-fix test for this scenario. Even if it's tested elsewhere, it'd be good to have it for maintainability and readability - it should be easy to do by gating the test behavior with the amendment. see the comment above

[shawnxie999]

minor - would be good to that the bob's offer is still alive and bob's cred is alive

[shawnxie999]

this seemed to be shared code between the new tests, can be refactored into a lambda

[github-actions]

All conflicts have been resolved. Assigned reviewers can now start or resume their review.