Support async signing of splice shared input

[wpaulino]

While user signatures may be provided whenever ready at the user's discretion when handling a FundingTransactionReadyForSigning event, it does not cover the user's signature for the 2-of-2 multisig input in a splice. This signature is obtained via the EcdsaChannelSigner, which did not support providing it asynchronously.

Since the splice shared input signature is part of the tx_signatures message, we're not allowed to send the message until it's complete. This results in us needing to explicitly handle the signature exchange logic when the signer unblocks the shared input signature.

Fixes #4533.

[ldk-reviews-bot]

👋 Thanks for assigning @TheBlueMatt as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[ldk-claude-review-bot]

Nit: The variable name splice_tx and the debug_assert!(matches!(tx_type, TransactionType::Splice { .. })) assume this funding_tx is always a splice transaction. While this assertion is correct for all currently reachable paths (V2 initial funding cannot reach on_tx_signatures_exchange from signer_maybe_unblocked because the counterparty can't send tx_signatures before receiving our commitment_signed), the FundingTxSigned struct is generic enough to carry either type. If V2 dual-funding support evolves and this path becomes reachable for initial funding, the assert would fire and emit_channel_pending_event! would be missing (unlike the internal_tx_signatures handler which calls broadcast_interactive_funding).

Consider either renaming splice_tx → funding_tx and handling both cases, or at minimum adding a comment explaining why this is splice-only.

[ldk-claude-review-bot]

Minor: the return value of provide_holder_shared_input_signature (which includes (Option<TxSignatures>, Option<Transaction>)) is discarded at line 9974 and then re-fetched via signing_session.holder_tx_signatures() and signing_session.signed_tx() at lines 9986-9987. Each call to signed_tx() internally calls holder_tx_signatures() again, resulting in 3 total calls to holder_tx_signatures() (which clones and rebuilds each time). Not a correctness issue, but you could reuse the values from provide_holder_shared_input_signature to avoid redundant cloning.

[ldk-claude-review-bot]

Note: signed_tx() previously accessed self.holder_tx_signatures (the field) directly, but now calls self.holder_tx_signatures() (the method). The method adds two filters:

1. Shared input signature must be present (new in this PR - correct for async signing)
2. Timing condition: (has_received_commitment_signed && holder_sends_tx_signatures_first) || has_received_tx_signatures()

The timing filter is effectively a no-op here because counterparty_tx_signatures.clone()? on the next line already returns None if counterparty hasn't sent theirs. But it changes signed_tx() from being purely about "are all signatures available" to also encoding protocol ordering constraints.

[ldk-claude-review-bot]

Review Summary

After thoroughly reviewing all files in this PR diff, I found one new issue not covered by prior review comments.

Inline comments posted:

1. lightning/src/ln/channelmanager.rs:13947-13951 — Missing debug_assert for counterparty_initial_commitment_signed_result being None in the signer_unblocked handler. All other FundingTxSigned consumers (internal_tx_signatures, monitor_updated_completion_actions) assert this field is None. The signer_unblocked handler silently drops it, which could mask a data-loss bug if signer_maybe_unblocked is ever changed to populate this field.

Cross-cutting observations:

• The bidirectional interaction between monitor completion and signer unblocking is correctly handled: when monitor completes before the signer, monitor_pending_tx_signatures is cleared and the signer path picks up later; when the signer completes before the monitor, the shared input signature is stored and the monitor completion path picks up later. Both orderings converge correctly.
• The signed_tx() → holder_tx_signatures() → finalize() chain now passes owned values instead of references, which actually reduces one clone per witnesses vector inside finalize (previously cloned inside the method body).

[codecov]

Codecov Report

❌ Patch coverage is 85.20408% with 29 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.13%. Comparing base (42e198c) to head (fc1921c).
⚠️ Report is 30 commits behind head on main.

Files with missing lines	Patch %	Lines
lightning/src/ln/channel.rs	79.48%	13 Missing and 3 partials ⚠️
lightning/src/ln/interactivetxs.rs	84.61%	6 Missing and 2 partials ⚠️
lightning/src/ln/channelmanager.rs	93.22%	2 Missing and 2 partials ⚠️
lightning/src/util/test_channel_signer.rs	80.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4579      +/-   ##
==========================================
- Coverage   87.15%   86.13%   -1.03%     
==========================================
  Files         161      157       -4     
  Lines      109251   108916     -335     
  Branches   109251   108916     -335     
==========================================
- Hits        95215    93810    -1405     
- Misses      11560    12490     +930     
- Partials     2476     2616     +140     

Flag	Coverage Δ
fuzzing-fake-hashes	?
fuzzing-real-hashes	?
tests	86.13% <85.20%> (-0.09%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @TheBlueMatt! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @TheBlueMatt! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[TheBlueMatt]

TBH it seems like a weird API to pass shared_input_signature None when it was a splice. At a minimum it needs to be documented but it kinda feels like it'd be nicer to separately call provide_holder_shared_input_signature, dunno how crazy the refactor would be though. Same with the call to on_tx_signatures_exchange below.

[wpaulino]

Let me know if what I pushed is what you had in mind. Not sure what you meant by the on_tx_signatures_exchange comment though.

[TheBlueMatt]

Shouldn't most callers of this now be checking if we have the shared input as well?

[wpaulino]

I already accounted for this. All callers of has_holder_tx_signatures now only care about whether the user approved the transaction by signing, not necessarily if it's fully signed (with the shared input signature).

[ldk-claude-review-bot]

The signer_unblocked handler processes FundingTxSigned fields individually via .take(), but never asserts that counterparty_initial_commitment_signed_result is None. Both internal_tx_signatures (line 12207) and monitor_updated_completion_actions (line 11059) include this assertion. Without it, if signer_maybe_unblocked ever populates this field in a future change, the monitor update would be silently dropped — a data-loss bug.

Suggested change

	if let Some(msg) = msgs
	.funding_tx_signed
	.as_mut()
	.and_then(|funding_tx_signed| funding_tx_signed.commitment_signed.take())
	{
	if let Some(msg) = msgs
	.funding_tx_signed
	.as_mut()
	.and_then(|funding_tx_signed| funding_tx_signed.commitment_signed.take())
	{
	debug_assert!(msgs.funding_tx_signed.as_ref()
	.map(|f| f.counterparty_initial_commitment_signed_result.is_none())
	.unwrap_or(true));