test(account-keychain): add integration test for TEMPO-KEY21 tx_origin spending limit enforcement

[bennytimz]

Summary

Adds an integration test for TEMPO-KEY21: spending limits are only consumed when msg_sender == tx_origin.

Why an integration test?

The transaction_key and tx_origin values are set via transient storage (TSTORE/TLOAD) during real transaction execution. Foundry's vm.store cannot set transient storage, so this invariant cannot be verified in the existing Foundry invariant test suite (AccountKeychain.t.sol).

A unit test already exists in crates/precompiles/src/account_keychain/mod.rs (test_spending_limits_only_apply_to_tx_origin) but it mocks msg_sender directly — it does not exercise the full transaction pipeline.

What the test does

1. Authorizes an access key with a 100-token spending limit
2. Deploys a forwarder contract and funds it with 50 tokens of its own
3. Sends a batched transaction (signed with the access key) that:
   • Calls the forwarder → forwarder calls TIP20.transfer() internally (msg_sender = forwarder ≠ tx_origin)
   • Directly transfers 10 tokens from the EOA (msg_sender = tx_origin)
4. Asserts the spending limit decreased by 10 only (not 60), proving contract-initiated transfers bypass the limit

Files changed

• crates/node/tests/it/account_keychain.rs — new test file
• crates/node/tests/it/main.rs — module declaration added