[RFC] Add BOLT 12 payer proof primitives

[vincenzopalazzo]

This is a first draft implementation of the payer proof extension to BOLT 12 as proposed in lightning/bolts#1295. The goal is to get early feedback on the API design before the spec is finalized.

Payer proofs allow proving that a BOLT 12 invoice was paid by demonstrating possession of:

• The payment preimage
• A valid invoice signature over a merkle root
• The payer's signature

This PR adds the core building blocks:

• Extends merkle.rs with selective disclosure primitives that allow creating and reconstructing merkle trees with partial TLV disclosure. This enables proving invoice authenticity while omitting sensitive fields.
• Adds payer_proof.rs with PayerProof, PayerProofBuilder, and UnsignedPayerProof types. The builder pattern allows callers to selectively include invoice fields (description, amount, etc.) in the proof.
• Implements bech32 encoding/decoding with the lnp prefix and proper TLV stream parsing with validation (ascending order, no duplicates, hash length checks).

This is explicitly a PoC to validate the API surface - the spec itself is still being refined. Looking for feedback on:

• Whether the builder pattern makes sense for selective disclosure
• The verification API
• Integration points with the rest of the offers module

cc @TheBlueMatt @jkczyz

[ldk-reviews-bot]

👋 Thanks for assigning @jkczyz as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[codecov]

Codecov Report

❌ Patch coverage is 91.07939% with 100 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.24%. Comparing base (e39437d) to head (712d3fc).
⚠️ Report is 162 commits behind head on main.

Files with missing lines	Patch %	Lines
lightning/src/offers/payer_proof.rs	86.52%	34 Missing and 54 partials ⚠️
lightning/src/offers/merkle.rs	97.63%	8 Missing and 1 partial ⚠️
lightning/src/offers/invoice.rs	96.00%	2 Missing ⚠️
lightning/src/offers/signer.rs	97.29%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4297      +/-   ##
==========================================
+ Coverage   85.88%   86.24%   +0.36%     
==========================================
  Files         159      161       +2     
  Lines      104448   108548    +4100     
  Branches   104448   108548    +4100     
==========================================
+ Hits        89706    93622    +3916     
- Misses      12235    12256      +21     
- Partials     2507     2670     +163     

Flag	Coverage Δ
tests	86.24% <91.07%> (+0.36%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[TheBlueMatt]

A few notes, though I didn't dig into the code at a particularly low level.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @valentinewallace! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[TheBlueMatt]

Some API comments. I'll review the actual code somewhat later (are we locked on on the spec or is it still in flux at all?), but would be nice to reduce allocations in it first anyway.

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @valentinewallace! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 3rd Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 4th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 5th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 6th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 7th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 8th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 9th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-claude-review-bot]

The test claims "Serialization Round-Trip" and encodes to bech32, but only checks the prefix and then round-trips through raw TLV bytes via PayerProof::try_from(proof.bytes().to_vec()). The actual bech32 decode path (from_bech32_str → TryFrom<Vec<u8>>) is never tested. You should decode from the bech32 string too:

let decoded_from_bech32 = PayerProof::from_bech32_str(&encoded).unwrap();
assert_eq!(decoded_from_bech32.preimage(), proof.preimage());

(Same issue in the second test at creates_payer_proof_with_note_and_selective_disclosure.)

[vincenzopalazzo]

The test intentionally round-trips through raw TLV bytes (PayerProof::try_from(proof.bytes().to_vec())) which exercises the full verification pipeline (preimage, invoice sig, payer sig, merkle reconstruction). The bech32 encode is tested via to_string() prefix check. Full bech32 decode requires FromStr which is deferred — see the other comment.

[ldk-claude-review-bot]

prev_type + 1 and last_marker + 1 can overflow if the value is u64::MAX. While extreme TLV types are impractical, this would panic in debug builds. The same + 1 overflow exists in reconstruct_merkle_root at line 561 (prev_marker + 1). Consider using checked_add or saturating_add and returning an error on overflow.

[vincenzopalazzo]

Theoretical but not practical — TLV types near u64::MAX don't exist in any BOLT 12 context. The marker algorithm operates on types 0-239 (non-signature invoice TLVs). That said, if we want to be paranoid we could use saturating_add, but it would change semantics in an impossible edge case. Not worth the complexity IMO.

[ldk-claude-review-bot]

Bug (defense-in-depth): This iterates over self.invoice_bytes which includes the invoice's own signature record (type 240, same value as TLV_SIGNATURE). If included_types ever contains a signature-range type (e.g., 240), this loop would write the invoice signature as a "passthrough" included record, and then lines 327-329 would write it again as TLV_SIGNATURE, producing duplicate type-240 entries that fail the parser's ordering check.

The prior review flagged include_type() not rejecting types >= 240 as the root cause. But even if that's fixed, this loop should defensively filter signature types to match what build_unsigned does for bytes_without_sig:

Suggested change

	fn serialize_payer_proof(&self, payer_signature: &Signature, note: Option<&str>) -> Vec<u8> {
	let mut bytes = Vec::new();
	for record in
	TlvStream::new(&self.invoice_bytes).filter(|r| self.included_types.contains(&r.r#type))
	{
	bytes.extend_from_slice(record.record_bytes);
	}
	for record in
	TlvStream::new(&self.invoice_bytes).filter(|r| self.included_types.contains(&r.r#type) && !SIGNATURE_TYPES.contains(&r.r#type))
	{
	bytes.extend_from_slice(record.record_bytes);
	}

[vincenzopalazzo]

Good catch, fixed in f78efc0 together with the include_type guard. The serialization loop now defensively filters SIGNATURE_TYPES from the invoice bytes iteration as belt-and-suspenders.

[ldk-claude-review-bot]

Minor bug in ordering logic: prev_tlv_type is initialized to 0, and the guard prev_tlv_type != 0 means the check never fires when prev_tlv_type == 0. This is intentional for the first iteration (to allow any first TLV type), but it also means that if two consecutive TLV records both have type 0, the second would not be caught by this check.

Currently mitigated because type 0 (PAYER_METADATA_TYPE) is rejected at line 588, but the ordering logic itself is unsound. A cleaner approach would be:

Suggested change

	for record in TlvStream::new(&bytes) {
	let tlv_type = record.r#type;
	// Strict ascending order check covers both ordering and duplicates.
	if tlv_type <= prev_tlv_type && prev_tlv_type != 0 {
	return Err(Bolt12ParseError::Decode(DecodeError::InvalidValue));
	}
	prev_tlv_type = tlv_type;
	// Strict ascending order check covers both ordering and duplicates.
	// Use a separate flag for the first iteration rather than special-casing 0.
	if prev_tlv_type > 0 && tlv_type <= prev_tlv_type {
	return Err(Bolt12ParseError::Decode(DecodeError::InvalidValue));
	}
	prev_tlv_type = tlv_type;

(Note: this changes behavior slightly — the very first TLV with type 0 would now set prev_tlv_type = 0, and a second type 0 would still pass. A proper fix would use an Option<u64> or a bool flag. But since type 0 is rejected anyway, this is low priority.)

[vincenzopalazzo]

Same as the other comment — type 0 is PAYER_METADATA_TYPE, unconditionally rejected by the catch-all. The prev_tlv_type \!= 0 guard only matters for the first iteration, which is the intended behavior.

[ldk-claude-review-bot]

Design concern: This payer signature construction uses a non-standard double-hash pattern — SHA256(tag || tag || SHA256(note || merkle_root)) — rather than the standard BOLT 12 pattern used elsewhere (SHA256(tag || tag || merkle_root), as in TaggedHash::from_merkle_root).

Two things to verify against the spec:

1. No length-prefix on the note: The inner hash concatenates note_bytes || merkle_root_bytes without a length delimiter. Since the merkle root is always 32 bytes, the boundary is deterministic — but this is unusual and should be confirmed as spec-intended.

2. None vs empty note ambiguity: When note is None, the inner hash is SHA256(merkle_root). When note is Some(""), it's also SHA256(merkle_root) since "".as_bytes() is empty. Both produce the same signature, meaning a verifier cannot distinguish "no note" from "empty note". If the spec distinguishes these cases, this needs a fix (e.g., including a presence flag in the hash).

[vincenzopalazzo]

This follows the spec exactly. The payer proof spec defines payer_signature.sig as signing SHA256(note || merkle_root) using the standard BOLT 12 tagged hash format (SHA256(tag || tag || msg)). The "double hash" is just the BIP 340 tagged hash construction applied to the inner SHA256(note || merkle_root) message. This is the specified behavior, not a deviation.

[ldk-claude-review-bot]

Potential issue with malformed proofs: len.0 is parsed from untrusted input. If len.0 is, say, 63 (less than the 64 bytes needed for the signature), Readable::read at line 575 will attempt to read 64 bytes but the cursor only has len.0 bytes of value remaining. This will fail with a decode error, which is correct.

However, saturating_sub(64) silently produces 0 here, masking the fact that the length was invalid. Consider explicitly rejecting len.0 < 64:

if len.0 < 64 {
    return Err(Bolt12ParseError::Decode(DecodeError::InvalidValue));
}

This would provide a clearer error and avoid relying on the signature read to catch the malformed length.

[vincenzopalazzo]

Not a bug — the cursor reads from record.record_bytes which is bounded by TlvStream. After reading _type and _len, the remaining cursor data is exactly len.0 bytes. If len.0 < 64, Readable::read for Signature hits EOF on the cursor and returns a decode error. The saturating_sub for note_len never executes because the sig read already failed.

[ldk-claude-review-bot]

Subtle invariant: compute_omitted_markers unconditionally skips TLV type 0 at line 390, assuming it's always the first record (payer_metadata). But the function operates on a &[TlvMerkleData] with no assertion that the first entry IS type 0. If this function were ever called with a TLV stream whose first record is NOT type 0 (e.g., a different invoice format), the implicit TLV0 assumption would produce incorrect markers.

Consider either:

• Adding debug_assert!(tlv_data.first().map(|d| d.tlv_type) == Some(0)) at the top, or
• Documenting the precondition that the first TLV must be type 0

[vincenzopalazzo]

Correct by design — per spec, type 0 (invreq_metadata) is always omitted and implicit (never included in markers). The function receives the full TlvMerkleData vec which always starts with TLV 0 from the invoice bytes. The if data.tlv_type == 0 { continue } just skips the implicit omission. If called with pre-filtered data that excludes type 0, the skip is a no-op — the algorithm still works correctly.

[ldk-claude-review-bot]

Bug: TlvStream::new(&bytes) on untrusted input can panic. The TlvStream iterator calls .unwrap() on BigSize::read and performs unchecked slice indexing (&data[start..end] where end = offset + length from the TLV). If the input bytes are malformed (e.g., truncated BigSize, or a TLV length field claiming more bytes than available), this will panic.

All other BOLT 12 TryFrom<Vec<u8>> implementations go through ParsedMessage<T> / CursorReadable which does bounds-checked reads. This is the only parser that feeds raw untrusted bytes directly into TlvStream, creating a DoS vector via panic.

You need to either:

1. Add bounds checking to TlvStream (returns None instead of panicking on malformed input), or
2. Pre-validate the TLV stream before passing it to TlvStream::new, or
3. Use the existing CursorReadable / ParsedMessage infrastructure for the initial parse pass.

[ldk-claude-review-bot]

Bug: This check doesn't catch duplicate type 0. prev_tlv_type starts at 0. If the first TLV has type 0, then 0 <= 0 && 0 != 0 is false, so it passes. Now prev_tlv_type = 0. If the second TLV also has type 0, the check is again 0 <= 0 && 0 != 0 → false, so a duplicate type 0 is accepted.

Fix: use an Option<u64> for prev_tlv_type initialized to None, and only skip the check on the very first record:

Suggested change

	if tlv_type <= prev_tlv_type && prev_tlv_type != 0 {
	if prev_tlv_type != 0 && tlv_type <= prev_tlv_type {

Or alternatively, use a boolean is_first flag to skip only the initial comparison.

[ldk-claude-review-bot]

Nit/API: Secp256k1::new() allocates a ~1.3MB signing+verification context on every call. The adjacent derive_payer_signing_keys method (which this calls into) already accepts a secp_ctx parameter, and this is the standard pattern for public BOLT 12 APIs in this codebase. Consider accepting a &Secp256k1<secp256k1::All> parameter instead of allocating internally.

[ldk-claude-review-bot]

Minor: If len.0 < 64, the Readable::read for the 64-byte signature on line 585 will attempt to read past the available value bytes, failing with a generic DecodeError from the ? propagation. Consider adding an explicit check if len.0 < 64 { return Err(...) } before the signature read for a clearer error message and to avoid relying on the cursor's bounds for correctness.

[ldk-claude-review-bot]

The min_type field in the reconstruction uses sequential node indices (0, 1, 2, ...) rather than actual TLV type values. Meanwhile, build_tree_with_disclosure uses actual TLV type numbers. The needs_hash and missing_with_types vectors are sorted by min_type, so the ordering must agree between producer and consumer.

This currently works because both TLV types and sequential indices are monotonically increasing, preserving relative ordering. However, this is a fragile invariant that's not documented. If either side's iteration order were to change (e.g., for experimental TLV types in a different range), the sorted orders could diverge silently, producing incorrect merkle roots that would fail signature verification with no useful diagnostic.

Consider using actual TLV types (available from included_records[inc_idx].0) instead of node_idx for min_type in the reconstruction, to make the two sides structurally consistent.

[ldk-claude-review-bot]

The payer signature message uses a non-standard double-hash construction: H(tag || tag || H(note || merkle_root)). Standard BOLT 12 signature computation (as in TaggedHash::from_merkle_root) is a single tagged hash: H(tag || tag || merkle_root).

If the spec defines the payer signature differently from the standard BOLT 12 tagged hash, this should be documented with a reference to the spec section. If the spec uses the standard construction, this needs to be fixed — the inner hash would make this incompatible with other implementations.

Also, when note is None, this computes H(merkle_root) as the inner message. When note is Some("") (empty string), it also computes H(merkle_root) since empty input contributes nothing to the hasher. These two cases are indistinguishable, meaning a verifier cannot distinguish "no note" from "empty note".

[ldk-claude-review-bot]

This test explicitly disagrees with the spec ("The spec example only shows 3, but that appears to be incomplete"). If the implementation produces 4 missing hashes but the spec says 3, one of them is wrong. This needs to be resolved against the spec before merging — either the spec is right and the tree construction has a bug (perhaps types 50 and 60 should be merged into a single missing hash at a higher level), or the spec example is indeed incomplete and should be updated.

Shipping code that knowingly diverges from the spec without a clear resolution risks incompatibility with other implementations.

[ldk-claude-review-bot]

Bug (panic on untrusted input): TlvStream::new(&bytes) is used here on untrusted payer proof bytes. However, TlvStream's iterator implementation (merkle.rs:263, 267) uses .unwrap() on BigSize reads, and performs unchecked slice indexing (merkle.rs:271) where end = offset + length can exceed the buffer size. Both of these will panic on malformed input (truncated BigSize encoding, or a length field claiming more bytes than available).

All other TlvStream callers in the codebase operate on already-validated bytes (e.g., through ParsedMessage which uses CursorReadable::read that returns errors instead of panicking). This TryFrom is the only place TlvStream is used directly on untrusted external input, creating a DoS vector.

You should either:

1. Add bounds checking to TlvStream's iterator (return None on malformed data), or
2. Pre-validate the TLV framing before calling TlvStream::new, or
3. Use a different parsing approach (like ParsedMessage) for the initial TLV framing pass.

[ldk-claude-review-bot]

Bug: This guard rejects PAYER_METADATA_TYPE (0) and SIGNATURE_TYPES (240..=1000), but allows types > 1000 (experimental BOLT 12 TLV types, e.g. 1000000000+). If an invoice contains experimental TLVs and the caller includes one via include_type(1000000001), the serialized payer proof will have those records written before the payer proof TLVs (types 240-250), producing an out-of-order TLV stream — the output would go from type >1000 back down to type 240.

Consider also rejecting types >= TLV_SIGNATURE (240), since the payer proof TLVs own that range:

Suggested change

	pub fn include_type(mut self, tlv_type: u64) -> Result<Self, PayerProofError> {
	if tlv_type == PAYER_METADATA_TYPE {
	return Err(PayerProofError::InvreqMetadataNotAllowed);
	}
	if SIGNATURE_TYPES.contains(&tlv_type) {
	return Err(PayerProofError::SignatureTypeNotAllowed);
	}
	self.included_types.insert(tlv_type);
	Ok(self)
	}
	pub fn include_type(mut self, tlv_type: u64) -> Result<Self, PayerProofError> {
	if tlv_type == PAYER_METADATA_TYPE {
	return Err(PayerProofError::InvreqMetadataNotAllowed);
	}
	if tlv_type >= TLV_SIGNATURE {
	return Err(PayerProofError::SignatureTypeNotAllowed);
	}
	self.included_types.insert(tlv_type);
	Ok(self)
	}

[ldk-claude-review-bot]

Nit/minor: The && prev_tlv_type != 0 condition means two consecutive type-0 TLVs would bypass this ordering check (since prev_tlv_type is initialized to 0). This doesn't cause a real issue because type 0 is separately rejected by the PAYER_METADATA_TYPE check below, but the ordering guard itself has a blind spot. Consider initializing differently or using an Option<u64>:

let mut prev_tlv_type: Option<u64> = None;
// ...
if let Some(prev) = prev_tlv_type {
    if tlv_type <= prev {
        return Err(Bolt12ParseError::Decode(DecodeError::InvalidValue));
    }
}
prev_tlv_type = Some(tlv_type);

[ldk-claude-review-bot]

Nit (performance): The invoice is serialized here (line 162-163) just to check if the features TLV exists, but it's serialized again in build_unsigned() (line 245-246). Consider storing the serialized bytes in the builder to avoid the redundant serialization, or deferring the features check to build_unsigned.

[ldk-claude-review-bot]

Naming confusion: leaf_hashes stores nonce hashes (nonce_hash), not leaf hashes. In the BOLT 12 merkle tree, the "leaf hash" is H("LnLeaf" || record_bytes) while the "nonce hash" is H(nonce_tag || type_bytes) — these are distinct values. Storing nonce hashes under the name leaf_hashes here, in the SelectiveDisclosure struct, and in the TLV encoding (type 248 = TLV_LEAF_HASHES) is confusing.

If the spec calls these "leaf hashes," a code comment clarifying the distinction would help readers.

[ldk-claude-review-bot]

Potential issue: When len.0 < 64, the Readable::read for the 64-byte Signature at line 592 will read past the TLV value boundary into subsequent TLV data (since record_cursor spans the full record_bytes which includes the type and length prefix, but the value is only len.0 bytes after the prefix). The Readable read doesn't know about the TLV length boundary — it just reads 64 bytes from the cursor.

In practice, record_bytes is bounded by TlvStream to exactly type_len + length_len + value_len bytes, so reading 64 bytes of signature when value_len < 64 would either read into the type/length prefix of the next TLV (if record_bytes was somehow longer) or fail with a short read. The short read case is safe, but consider adding an explicit check: if len.0 < 64 { return Err(...) } before reading the signature to make the error handling clearer.

[jkczyz]

Why do we need to use PayerProofError if the only caller replaces it with Bolt12ParseError::Decode?

[jkczyz]

It would be cleaner if included_records stored TlvRecords instead and have reconstruct_merkle_root take them, too.

[jkczyz]

Could we add as a method to TlvRecord? We've already read the bytes, so re-reading the bytes is redundant. We can always store a value_bytes field in TlvRecord to avoid re-parsing.

[jkczyz]

With inspiration from my last round of comments, I asked Claude if there are any more opportunities to simplify the code.

[jkczyz]

Straight from Claude:

prev_included_type and prev_marker are mutually exclusive. The marker is always prev_value + 1 where prev_value tracks the last included type or last marker. The whole function reduces to:

  fn compute_omitted_markers(tlv_data: &[TlvMerkleData]) -> Vec<u64> {
      let mut markers = Vec::new();
      let mut prev_value: u64 = 0;
      for data in tlv_data {
          if data.tlv_type == 0 { continue; }
          if !data.is_included {
              let marker = prev_value + 1;
              markers.push(marker);
              prev_value = marker;
          } else {
              prev_value = data.tlv_type;
          }
      }
      markers
  }

[jkczyz]

Also from Claude:

All four (Some(l), Some(r), ...) arms compute the branch hash and update min_type. The only differences: whether to push to missing_with_types and whether to set included = true. Could be restructured as:

let combined = tagged_branch_hash_from_engine(branch_tag.clone(), l, r);
if left_incl != right_incl {
    let (missing_type, missing_hash) = if right_incl {
        (nodes[left_pos].min_type, l)
    } else {
        (right_min_type, r)
    };
    missing_with_types.push((missing_type, missing_hash));
    nodes[left_pos].included = true;
} else {
    nodes[left_pos].included |= left_incl;
}
nodes[left_pos].hash = Some(combined);
nodes[left_pos].min_type = core::cmp::min(nodes[left_pos].min_type,
right_min_type);

[jkczyz]

I'd prefer if we could implement Readable where possible. Here's what Claude told me:

PaymentPreimage already implements Readable (reads 32 bytes and wraps). So TLV_PREIMAGE could just be:

TLV_PREIMAGE => {
    preimage = Some(record.read_value()?);
},

Same pattern as TLV_SIGNATURE. The length validation is implicit — Readable for PaymentPreimage reads exactly 32 bytes and fails if the cursor is short.

For the hash lists, there's no Readable for sha256::Hash, but there could be — it's the same pattern as Sha256dHash, PaymentPreimage, PaymentHash,
and Hmac: read 32 bytes, wrap. If one were added, then TLV_MISSING_HASHES and TLV_LEAF_HASHES could use a cursor over value_bytes:

let mut cursor = io::Cursor::new(record.value_bytes);
while (cursor.position() as usize) < record.value_bytes.len() {
    missing_hashes.push(Readable::read(&mut cursor)?);
}

No manual chunks_exact / copy_from_slice / from_byte_array, and the len % 32 check becomes implicit (a short final read would error). That also deduplicates the two arms — they'd be identical except for the target vec.

For TLV_PAYER_SIGNATURE, read_value doesn't work directly because the value is a signature followed by an optional note — it's a composite encoding. But Readable::read from a cursor on value_bytes already handles the signature part, which is what's being done.

So the concrete opportunities:

• TLV_PREIMAGE: replace with record.read_value()? (one line, like TLV_SIGNATURE)
• TLV_MISSING_HASHES / TLV_LEAF_HASHES: add Readable for sha256::Hash in ser.rs, then both arms become a cursor loop — or a shared helper

[jkczyz]

Similarly here with Writeable.

[jkczyz]

Might make sense to make a composite type for this.

[jkczyz]

Let's use PrintableString.

[jkczyz]

Seems like this duplicates much of reconstruct_merkle_root. What be great if we can re-use that somehow without introducing new Vec allocations in non-test code.

[ldk-claude-review-bot]

Bug: Producer-consumer mismatch on trailing_count. The compute_omitted_markers function (merkle.rs:384) produces one marker per omitted TLV after the last included type, with no limit. But this validation rejects proofs with trailing_count > 1.

This means build_unsigned can produce proofs that TryFrom<Vec<u8>> rejects. Concrete scenario:

If a BOLT 12 invoice has unknown/future invoice TLV types above 176 (the highest required included type INVOICE_NODE_ID_TYPE), those types are present in bytes_without_sig (since SIGNATURE_TYPES only filters 240..=1000) and will be omitted by default. Each generates a trailing marker > 176.

Example: Invoice has TLV types [0, 88, 168, 176, 178, 180] (types 178/180 are unknown future invoice types in the valid 160..240 range). Required included types: {88, 168, 176}, so max_included = 176. Markers for omitted types 178 and 180 would be [177, 178] — both > 176, so trailing_count = 2 → rejected.

This also applies to invoices with experimental invoice types (3_000_000_000+), which are not filtered by SIGNATURE_TYPES.

The trailing_count check and compute_omitted_markers need to agree — either the producer should cap trailing markers (merging multiple trailing omitted TLVs into a single marker), or the consumer should accept multiple trailing markers.

[ldk-claude-review-bot]

Nit: bytes_without_sig includes ALL non-signature TLVs from the invoice, including experimental invoice types (3_000_000_000+) and any unknown types in ranges 1001-999_999_999. These get processed by compute_selective_disclosure and will be omitted by default (since they're not in included_types). This interacts with the trailing_count > 1 validation bug noted on validate_omitted_markers_for_parsing — invoices with experimental types will produce unparseable proofs.

Consider documenting that the TLV stream fed to compute_selective_disclosure should match the set of TLVs that contribute to the invoice's merkle root, and ensuring the producer and consumer agree on the handling of trailing omitted types.

[ldk-claude-review-bot]

The implicit TLV0 node prepended here assumes the original TLV stream starts with type 0 (payer_metadata). This is true for BOLT 12 invoices, but the function's API doesn't enforce or document this invariant.

If compute_selective_disclosure is called on a TLV stream that doesn't contain type 0 (as in the unit test test_selective_disclosure_computation with types [1, 2]), the producer creates a 2-node tree but this reconstruction creates a 3-node tree (with the extra TLV0 node), causing InsufficientMissingHashes because the needs_hash count won't match missing_hashes.

Consider either:

1. Adding a debug_assert! that omitted_markers and included_records are consistent with the TLV0 assumption, or
2. Documenting on both compute_selective_disclosure and reconstruct_merkle_root that the TLV stream MUST start with type 0.

[ldk-claude-review-bot]

Potential issue: inc_type + 1 on line 781 can overflow if inc_type == u64::MAX. While include_type() rejects types >= 240, the parser's catch-all _ arm accepts any type < 240 as included — but an adversary who crafts a TLV with type 239 would have inc_type + 1 = 240, which is fine. However, this function is also called with included_types populated from parsed data. On 32-bit platforms or with unusual inputs, inc_type could theoretically be very large. Using inc_type.checked_add(1) would be defensive.

Similarly, expected_next = marker + 1 on line 794 would overflow if marker == u64::MAX. A subsequent marker != expected_next comparison against expected_next = 0 would always succeed (since markers must be > 0), causing the code to search for a matching included type rather than treating it as a continuation. While the ascending order check prevents marker == u64::MAX from being followed by another marker, the overflow is still unsound.

[ldk-claude-review-bot]

The invoice is serialized here to check for the features TLV, and then serialized again in build_unsigned() (line 246-247). Since Bolt12Invoice::write just copies self.bytes, the result is deterministic and the double serialization is functionally correct — but it's an unnecessary allocation. Consider storing the serialized bytes in the builder or deferring the features check.

More importantly: this check uses TlvStream::new(&invoice_bytes) which iterates ALL TLVs. But INVOICE_FEATURES_TYPE (174) is in the invoice range — the any() call will short-circuit after finding it, but it still scans through all preceding TLVs (offer, invreq, etc.). A TlvStream::new(&invoice_bytes).range(INVOICE_TYPES) would be more targeted.