Support async signing of splice shared input

[wpaulino]

While user signatures may be provided whenever ready at the user's discretion when handling a FundingTransactionReadyForSigning event, it does not cover the user's signature for the 2-of-2 multisig input in a splice. This signature is obtained via the EcdsaChannelSigner, which did not support providing it asynchronously.

Since the splice shared input signature is part of the tx_signatures message, we're not allowed to send the message until it's complete. This results in us needing to explicitly handle the signature exchange logic when the signer unblocks the shared input signature.

Fixes #4533.

[ldk-reviews-bot]

👋 Thanks for assigning @jkczyz as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[ldk-claude-review-bot]

Nit: The variable name splice_tx and the debug_assert!(matches!(tx_type, TransactionType::Splice { .. })) assume this funding_tx is always a splice transaction. While this assertion is correct for all currently reachable paths (V2 initial funding cannot reach on_tx_signatures_exchange from signer_maybe_unblocked because the counterparty can't send tx_signatures before receiving our commitment_signed), the FundingTxSigned struct is generic enough to carry either type. If V2 dual-funding support evolves and this path becomes reachable for initial funding, the assert would fire and emit_channel_pending_event! would be missing (unlike the internal_tx_signatures handler which calls broadcast_interactive_funding).

Consider either renaming splice_tx → funding_tx and handling both cases, or at minimum adding a comment explaining why this is splice-only.

[ldk-claude-review-bot]

Minor: the return value of provide_holder_shared_input_signature (which includes (Option<TxSignatures>, Option<Transaction>)) is discarded at line 9974 and then re-fetched via signing_session.holder_tx_signatures() and signing_session.signed_tx() at lines 9986-9987. Each call to signed_tx() internally calls holder_tx_signatures() again, resulting in 3 total calls to holder_tx_signatures() (which clones and rebuilds each time). Not a correctness issue, but you could reuse the values from provide_holder_shared_input_signature to avoid redundant cloning.

[ldk-claude-review-bot]

Note: signed_tx() previously accessed self.holder_tx_signatures (the field) directly, but now calls self.holder_tx_signatures() (the method). The method adds two filters:

1. Shared input signature must be present (new in this PR - correct for async signing)
2. Timing condition: (has_received_commitment_signed && holder_sends_tx_signatures_first) || has_received_tx_signatures()

The timing filter is effectively a no-op here because counterparty_tx_signatures.clone()? on the next line already returns None if counterparty hasn't sent theirs. But it changes signed_tx() from being purely about "are all signatures available" to also encoding protocol ordering constraints.

[ldk-claude-review-bot]

All previously identified critical issues have been resolved in the current version of the code:

• interactivetxs.rs:576 — awaiting_holder_shared_input_signature() now correctly uses .unwrap_or(false)
• channelmanager.rs:14013 and async_signer_tests.rs:1819-1820 — Code uses Event::SpliceNegotiated (not the removed Event::SplicePending)
• channelmanager.rs:13975-13981 — The debug_assert for counterparty_initial_commitment_signed_result being None is present

No new inline comments posted in this review pass. All prior inline comments (efficiency nits on return value reuse, naming suggestions) remain applicable but were already posted.

Review Summary

No new issues found. The core async signing flow for splice shared inputs is correct:

• The two-phase approach (provide_holder_witnesses then provide_holder_shared_input_signature) correctly separates the synchronous wallet witnesses from the potentially-async channel signer operation.
• awaiting_holder_shared_input_signature() is properly defensive against being called before holder witnesses exist (returns false via unwrap_or).
• holder_tx_signatures() correctly filters out incomplete signatures (shared input missing) preventing premature tx_signatures messages.
• The signer_maybe_unblocked logic correctly handles all combinations: commitment sig pending + shared input pending, only one pending, neither pending.
• signer_pending_funding is correctly checked before attempting to send tx_signatures, preserving protocol ordering (commitment_signed before tx_signatures).
• on_tx_signatures_exchange is properly called from signer_maybe_unblocked with appropriate best_block_height, and the splice_negotiated/splice_locked/funding_tx fields are fully processed in signer_unblocked.
• check_free_holding_cells() is called after the per_peer_state lock is dropped, matching the pattern in other handlers.
• The SignerOp::SignSpliceSharedInput variant is properly added to all() for exhaustive test coverage.

Prior inline comments still applicable (already posted, not re-posted)

• channel.rs:10030 — Return value of provide_holder_shared_input_signature discarded and re-fetched (efficiency nit)
• channelmanager.rs:13990-14004 — Splice-only assumption in tx broadcast path (naming/consistency nit)
• interactivetxs.rs:747 — signed_tx() now encodes protocol ordering constraints via holder_tx_signatures() (semantic observation)

[codecov]

Codecov Report

❌ Patch coverage is 89.56522% with 24 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.10%. Comparing base (1a01b5a) to head (d794030).
⚠️ Report is 44 commits behind head on main.

Files with missing lines	Patch %	Lines
lightning/src/ln/channel.rs	90.81%	4 Missing and 5 partials ⚠️
lightning/src/ln/interactivetxs.rs	84.90%	6 Missing and 2 partials ⚠️
lightning/src/ln/channelmanager.rs	91.66%	3 Missing and 3 partials ⚠️
lightning/src/util/test_channel_signer.rs	80.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4579      +/-   ##
==========================================
+ Coverage   86.09%   86.10%   +0.01%     
==========================================
  Files         157      157              
  Lines      108828   108941     +113     
  Branches   108828   108941     +113     
==========================================
+ Hits        93694    93803     +109     
+ Misses      12519    12512       -7     
- Partials     2615     2626      +11     

Flag	Coverage Δ
tests	86.10% <89.56%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @TheBlueMatt! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @TheBlueMatt! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[TheBlueMatt]

Shouldn't most callers of this now be checking if we have the shared input as well?

[wpaulino]

I already accounted for this. All callers of has_holder_tx_signatures now only care about whether the user approved the transaction by signing, not necessarily if it's fully signed (with the shared input signature).

[TheBlueMatt]

Hmm.the log in channel_reestablish probably needs updating, maybe also the not_broadcasted_initial_funding in shutdown and is_funding_broadcastable, (though those are for V2, so I guess it doesn't matter). Also the handling in commitment_signed isn't clear to me at all - that is load-bearing in a few places, do we handle it correctly if we suddenly allow state to move forward a few steps but are still somehow waiting to send our last sig?

[TheBlueMatt]

ISTM this method probably needs renaming, though, cause it currently implies we have all the holder's tx signatures, but we don't.

[wpaulino]

the log in channel_reestablish probably needs updating

This seems fine? If we don't have the holder tx_signatures and the user hasn't provided their witnesses yet, then InteractiveTxSigningSession::holder_tx_signatures should be None and we log we're waiting for the user's signatures.

Also the handling in commitment_signed isn't clear to me at all - that is load-bearing in a few places, do we handle it correctly if we suddenly allow state to move forward a few steps but are still somehow waiting to send our last sig?

I don't quite follow (maybe the name change helps with understanding), processing the counterparty's commitment_signed is something that needs to happen prior to us releasing our tx_signatures, which we do within the same lock in ChannelManager::funding_transaction_signed regardless of whether the shared input signature is async or not.

[ldk-claude-review-bot]

Nit: The return value of provide_holder_shared_input_signature (which is Result<(Option<TxSignatures>, Option<Transaction>), String>) is discarded here, then immediately re-fetched via signing_session.holder_tx_signatures() and signing_session.signed_tx() at lines 10044-10045. Each call to signed_tx() internally calls holder_tx_signatures() again, resulting in 3-4 total calls to holder_tx_signatures() (which clones every time) and 2 calls to finalize(). Consider reusing the return value:

let (unblocked_tx_signatures, unblocked_funding_tx) = signing_session
    .provide_holder_shared_input_signature(shared_input_signature)
    .map_err(ChannelError::close)?;

Then use these values directly instead of re-fetching.

[wpaulino]

This doesn't make sense, if we have a shared input then we'd never have a finalized transaction in the earlier call.

[jkczyz]

Consider naming has_holder_witnesses to match provide_holder_witnesses.