fix: prevent negative shadow balances in utxo dual-write

[createkr]

Fix: UTXO dual-write shadow-balance guard

Summary

Add a balance re-check before the UTXO→account-model dual-write debit in utxo_endpoints.py. Prevents negative shadow balances when the account-model ledger diverges from UTXO balances.

Changes

node/utxo_endpoints.py

• Added: Shadow-balance SELECT before the dual-write UPDATE debit
• Added: Conditional skip when shadow_balance < amount_i64 — logs warning, skips dual-write, UTXO tx still succeeds (preserves "UTXO is primary" design)
• Behavior: When the guard triggers, neither the debit, credit, nor ledger entries are written to the account model

node/tests/test_dual_write_shadow_balance.py (new)

• 6 focused tests:
  • test_dual_write_skipped_when_shadow_balance_insufficient — core exploit path blocked
  • test_dual_write_skipped_when_sender_missing_from_shadow — missing sender row handled
  • test_dual_write_succeeds_when_shadow_sufficient — normal path unaffected
  • test_dual_write_exact_balance_goes_to_zero — boundary case (balance → 0)
  • test_no_ledger_entries_when_dual_write_skipped — no partial writes
  • test_utxo_succeeds_when_dual_write_disabled — dual_write=False unaffected

node/tests/test_dual_write_unit_mismatch.py (updated)

• Updated 5 existing tests to seed shadow balances so dual-write can proceed under the new guard
• Fixed test_dual_write_debit_matches_credit assertion (was expecting negative balance, which was the old buggy behavior)

Validation

30 passed in 0.42s
- tests/test_dual_write_unit_mismatch.py: 9 passed
- tests/test_dual_write_shadow_balance.py: 6 passed
- test_utxo_endpoints.py: 15 passed

Distinction from Prior Findings

• fix: prevent negative balances during transaction confirmation #2094 (confirm balance re-check): Fixes rustchain_tx_handler.py account-model tx pool — different code path
• security: UTXO dual-write uses wrong account units and inflates balances #2095 (dual-write unit mismatch): Fixes 1000x unit corruption — different bug class
• This PR: Fixes missing balance guard on the dual-write debit — distinct vulnerability

Compatibility

• Backward compatible: UTXO transactions succeed regardless of shadow balance state
• Dual-write behavior: When shadow balance is insufficient, dual-write is silently skipped (same failure mode as any other dual-write exception)
• No schema changes: Uses existing balances table, no migrations needed
• No config changes: Works with existing UTXO_DUAL_WRITE flag

Risk Assessment

• Low risk: The change is a single SELECT + conditional before existing UPDATEs
• No broad refactors: Minimal surgical fix, ~15 lines of logic added
• Preserves existing design: "UTXO is primary, account is shadow" — UTXO tx never fails due to shadow state

[createkr]

For bounty payout, please use RTC wallet: RTC1d48d848a5aa5ecf2c5f01aa5fb64837daaf2f35.

[Scottcjn]

Reviewed. Adds shadow balance guard in utxo_endpoints.py dual-write path — checks sender has sufficient amount_i64 before debit, skips dual-write (with warning log) if insufficient rather than driving the balance negative. Prevents fund minting when account-model diverges from UTXO. 346-line test + updates to 6 existing tests to seed proper shadow balances. Also correctly reverts the Decimal conversion back to float (UTXO uses int() truncation consistently).

Payment: 85 RTC — UTXO negative shadow balance minting (Critical severity)

Merging. Thank you createkr.