[RFC] Add BOLT 12 payer proof primitives

[vincenzopalazzo]

This is a first draft implementation of the payer proof extension to BOLT 12 as proposed in lightning/bolts#1295. The goal is to get early feedback on the API design before the spec is finalized.

Payer proofs allow proving that a BOLT 12 invoice was paid by demonstrating possession of:

• The payment preimage
• A valid invoice signature over a merkle root
• The payer's signature

This PR adds the core building blocks:

• Extends merkle.rs with selective disclosure primitives that allow creating and reconstructing merkle trees with partial TLV disclosure. This enables proving invoice authenticity while omitting sensitive fields.
• Adds payer_proof.rs with PayerProof, PayerProofBuilder, and UnsignedPayerProof types. The builder pattern allows callers to selectively include invoice fields (description, amount, etc.) in the proof.
• Implements bech32 encoding/decoding with the lnp prefix and proper TLV stream parsing with validation (ascending order, no duplicates, hash length checks).

This is explicitly a PoC to validate the API surface - the spec itself is still being refined. Looking for feedback on:

• Whether the builder pattern makes sense for selective disclosure
• The verification API
• Integration points with the rest of the offers module

cc @TheBlueMatt @jkczyz

[ldk-reviews-bot]

👋 Thanks for assigning @jkczyz as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[codecov]

Codecov Report

❌ Patch coverage is 93.85113% with 95 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.08%. Comparing base (4c398bb) to head (1ee2f1a).
⚠️ Report is 36 commits behind head on main.

Files with missing lines	Patch %	Lines
lightning/src/offers/payer_proof.rs	92.46%	32 Missing and 46 partials ⚠️
lightning/src/offers/merkle.rs	96.70%	7 Missing and 4 partials ⚠️
lightning/src/ln/channelmanager.rs	88.46%	3 Missing ⚠️
lightning/src/ln/outbound_payment.rs	97.72%	1 Missing ⚠️
lightning/src/offers/invoice.rs	97.91%	1 Missing ⚠️
lightning/src/offers/signer.rs	97.29%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4297      +/-   ##
==========================================
+ Coverage   86.99%   87.08%   +0.08%     
==========================================
  Files         163      164       +1     
  Lines      108706   110509    +1803     
  Branches   108706   110509    +1803     
==========================================
+ Hits        94571    96235    +1664     
- Misses      11655    11735      +80     
- Partials     2480     2539      +59     

Flag	Coverage Δ
fuzzing	37.82% <2.70%> (-2.45%)	⬇️
tests	86.20% <93.85%> (+0.11%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[TheBlueMatt]

A few notes, though I didn't dig into the code at a particularly low level.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @valentinewallace! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[TheBlueMatt]

Some API comments. I'll review the actual code somewhat later (are we locked on on the spec or is it still in flux at all?), but would be nice to reduce allocations in it first anyway.

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @valentinewallace! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 3rd Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 4th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 5th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 6th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 7th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 8th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 9th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[vincenzopalazzo]

Thanks for the catch @jkczyz need to remind myself not to work with git magic command late at night, so I should have restored the old history with the changes requested in the last review from you and Matt.

Thanks!

[ldk-reviews-bot]

🔔 4th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 5th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[TheBlueMatt]

Why do we need this and the manual TLV record parsing in impl TryFrom<Vec<u8>> for PayerProof {? Can't we use the tlv_stream macros that we use in the other offer types?

[jkczyz]

I think it comes down to needing the bytes after parsing to pass to reconstruct_merkle_root, so tlv_stream alone is not sufficient unless we want to re-serialize there. See #4297 (comment).

[vincenzopalazzo]

I think we still need the manual path here because reconstruct_merkle_root needs the original disclosed TLV record bytes, not just parsed field values. tlv_stream! / ParsedMessage works well for the other BOLT 12 types because they parse a fixed known set of TLVs, but here we also need to carry through an arbitrary subset of invoice TLVs as opaque records for merkle reconstruction. Re-serializing after parsing felt wrong since the merkle logic is defined over the original record bytes, not a normalized encoding. I think we could factor this better if we taught the TLV helpers to preserve/filter raw records alongside typed fields, but that seemed like a larger abstraction change than I wanted to take on in this PR. Happy to go that route if you think it is worth it.

[jkczyz]

Re-serializing after parsing felt wrong since the merkle logic is defined over the original record bytes, not a normalized encoding.

We shouldn't need to re-serialize though as we retain the bytes to include in PayerProof. So we can just wrap that in TlvStream and iterate over its TlvRecords as you are currently doing. It's just we wouldn't need to do the parsing in that loop anymore. It would require an additional pass over the bytes, though.

[vincenzopalazzo]

I vibe some experimentation on this based on our offline discussion, and I added a fixup commit 664617f

I am kind of unsure regarding the impl CursorReadable for FullPayerProofTlvStream if this is the correct approach tho

[jkczyz]

I think it comes down to needing the bytes after parsing to pass to reconstruct_merkle_root, so tlv_stream alone is not sufficient unless we want to re-serialize there. See #4297 (comment).

[jkczyz]

What I mean is why does this check only apply to SIGNATURE_TYPES? Is this mentioned in the spec somewhere?

[jkczyz]

I can't quite tell from the spec where it defines these distinctions. Why isn't any unknown even TLV rejected? Seems we are only reject unknown even signature TLV types.

[ldk-claude-review-bot]

Nit: This filter is dead code. PAYER_METADATA_TYPE is 0, and INVOICE_REQUEST_TYPES is 80..160. Type 0 can never appear in range 80..160, so the filter never matches. Additionally, the producer (serialize_payer_proof) never emits type 0 since include_type rejects it, so even the OFFER_TYPES range (1..80) wouldn't contain it.

Suggested change

	.filter(|record| record.r#type != PAYER_METADATA_TYPE);
	let invoice_request_records = TlvStream::new(bytes)
	.range(INVOICE_REQUEST_TYPES);

[jkczyz]

Do we need this?

[jkczyz]

Not done

[jkczyz]

In InvoiceRequest, we use payer_signing_pubkey so we should do the same here.

[jkczyz]

Not done.

[ldk-claude-review-bot]

Bug: This test asserts the wrong error variant and should fail at runtime.

FullPayerProofTlvStream starts with OfferTlvStream (range OFFER_TYPES = 1..80). Since type 0 falls below this range, the CursorReadable for OfferTlvStream reads the type, finds it out of range, rewinds, and breaks. All 7 CursorReadable components do the same — they all skip type 0. The cursor stays at position 0 forever.

Result: all TLV fields are None. ParsedPayerProofFields::try_from then fails at:

let payer_id = payer_id.ok_or(Bolt12ParseError::InvalidSemantics(
    Bolt12SemanticError::MissingPayerSigningPubkey,
))?;

This produces Bolt12ParseError::InvalidSemantics(MissingPayerSigningPubkey), not Bolt12ParseError::Decode(DecodeError::InvalidValue) as asserted here.

Fix: either change the assertion to match the actual error, or (better) add an explicit type-0 rejection in the parser so the error is clear:

Suggested change

	fn test_parsing_rejects_payer_metadata() {
	let proof = build_round_trip_proof_with_multiple_trailing_omitted_tlvs();
	let mut bytes = Vec::new();
	write_tlv_record_bytes(&mut bytes, PAYER_METADATA_TYPE, &[1; 32]);
	bytes.extend_from_slice(proof.bytes());
	let result = PayerProof::try_from(bytes);
	assert!(matches!(result, Err(Bolt12ParseError::Decode(DecodeError::InvalidValue))));
	}
	fn test_parsing_rejects_payer_metadata() {
	let proof = build_round_trip_proof_with_multiple_trailing_omitted_tlvs();
	let mut bytes = Vec::new();
	write_tlv_record_bytes(&mut bytes, PAYER_METADATA_TYPE, &[1; 32]);
	bytes.extend_from_slice(proof.bytes());
	let result = PayerProof::try_from(bytes);
	assert!(result.is_err(), "Payer metadata (type 0) should be rejected");
	}

[jkczyz]

ParsedMessage checks that all bytes are consumed, so it should fail before then.

[ldk-claude-review-bot]

Residual panic on crafted input (extends prior TlvStream issue):

ParsedMessage<FullPayerProofTlvStream> validates TLV framing only for types in covered ranges. There's a type gap at 1001–999,999,999 (between PayerProofTlvStream range 240..=1000 and ExperimentalOfferTlvStream range 1,000,000,000+). The CursorReadable for each component reads the type BigSize, finds it out of range, rewinds, and breaks — without reading the length or value bytes.

If a crafted proof contains a TLV with a type in this gap and a malformed BigSize length (e.g., 0xFD prefix followed by only 1 byte), ParsedMessage::try_from succeeds (cursor stuck at the gap TLV), but tlv_stream_iter(&bytes) here calls TlvStream::new(&bytes) which iterates over the full bytes. When it reaches the gap TLV and tries to read the truncated length, BigSize::read().unwrap() panics.

This is a DoS vector on untrusted input. Fix options:

1. Check that ParsedMessage consumed all bytes (cursor at end) and reject if not
2. Make TlvStream::next() return None instead of panicking on malformed BigSize
3. Add a validate_tlv_framing(&bytes) pass before tlv_stream_iter

Option 1 is simplest and also catches other gap issues (e.g., type 0 from the test above):

let parsed_proof = ParsedMessage::<FullPayerProofTlvStream>::try_from(bytes)?;
// Reject if ParsedMessage didn't consume all bytes (gap TLVs, type 0, etc.)
// (would need ParsedMessage to expose cursor position or a "fully consumed" check)

[jkczyz]

I believe (1) is exactly what ParsedMessage does, but wouldn't hurt to add a test.

[ldk-claude-review-bot]

Design concern: FullPayerProofTlvStream omits PayerTlvStream (type 0) from its component list. This means type 0 TLVs in untrusted input are silently skipped rather than explicitly rejected, causing confusing downstream errors (MissingPayerSigningPubkey instead of a clear "payer metadata not allowed" error).

Consider either:

1. Adding PayerTlvStream as the first component (then checking payer_metadata.is_none() in ParsedPayerProofFields::try_from)
2. Or adding a post-parse check that no types below OFFER_TYPES.start exist in the bytes

This would also fix the test_parsing_rejects_payer_metadata test which currently asserts the wrong error variant.

[jkczyz]

I don't believe this is the case just as it isn't for FullOfferTlvStream. @vincenzopalazzo Could you write a test that confirms this?

[jkczyz]

Specifically, when using PayerProof::try_from, which uses ParsedMessage::<FullPayerProofTlvStream>::try_from.