Support async signing of splice shared input

[wpaulino]

While user signatures may be provided whenever ready at the user's discretion when handling a FundingTransactionReadyForSigning event, it does not cover the user's signature for the 2-of-2 multisig input in a splice. This signature is obtained via the EcdsaChannelSigner, which did not support providing it asynchronously.

Since the splice shared input signature is part of the tx_signatures message, we're not allowed to send the message until it's complete. This results in us needing to explicitly handle the signature exchange logic when the signer unblocks the shared input signature.

Fixes #4533.

[ldk-reviews-bot]

👋 Thanks for assigning @TheBlueMatt as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[ldk-claude-review-bot]

Nit: The variable name splice_tx and the debug_assert!(matches!(tx_type, TransactionType::Splice { .. })) assume this funding_tx is always a splice transaction. While this assertion is correct for all currently reachable paths (V2 initial funding cannot reach on_tx_signatures_exchange from signer_maybe_unblocked because the counterparty can't send tx_signatures before receiving our commitment_signed), the FundingTxSigned struct is generic enough to carry either type. If V2 dual-funding support evolves and this path becomes reachable for initial funding, the assert would fire and emit_channel_pending_event! would be missing (unlike the internal_tx_signatures handler which calls broadcast_interactive_funding).

Consider either renaming splice_tx → funding_tx and handling both cases, or at minimum adding a comment explaining why this is splice-only.

[ldk-claude-review-bot]

Minor: the return value of provide_holder_shared_input_signature (which includes (Option<TxSignatures>, Option<Transaction>)) is discarded at line 9974 and then re-fetched via signing_session.holder_tx_signatures() and signing_session.signed_tx() at lines 9986-9987. Each call to signed_tx() internally calls holder_tx_signatures() again, resulting in 3 total calls to holder_tx_signatures() (which clones and rebuilds each time). Not a correctness issue, but you could reuse the values from provide_holder_shared_input_signature to avoid redundant cloning.

[ldk-claude-review-bot]

Note: signed_tx() previously accessed self.holder_tx_signatures (the field) directly, but now calls self.holder_tx_signatures() (the method). The method adds two filters:

1. Shared input signature must be present (new in this PR - correct for async signing)
2. Timing condition: (has_received_commitment_signed && holder_sends_tx_signatures_first) || has_received_tx_signatures()

The timing filter is effectively a no-op here because counterparty_tx_signatures.clone()? on the next line already returns None if counterparty hasn't sent theirs. But it changes signed_tx() from being purely about "are all signatures available" to also encoding protocol ordering constraints.

[ldk-claude-review-bot]

Review Summary

After thorough analysis of all files in this PR, the implementation is well-structured and correctly handles the async splice shared input signing flow. The interaction between the two independent async mechanisms (monitor updates and signer availability) is correctly mediated through the shared signing session state.

No critical bugs or security issues found.

Inline comments posted:

1. lightning/src/ln/channelmanager.rs:13990-14001 — The signer_unblocked handler assumes funding_tx from FundingTxSigned is always a splice (variable naming + debug_assert). While correct for all currently reachable paths, this is fragile if V2 dual-funding support evolves to reach this code path, where emit_channel_pending_event! would also be missing.

2. lightning/src/ln/channel.rs:9957-9992 — Return value of provide_holder_shared_input_signature is discarded and then the same data is re-fetched via separate calls, resulting in 3 redundant calls to holder_tx_signatures() with cloning. Minor inefficiency.

3. lightning/src/ln/interactivetxs.rs:780 — signed_tx() now calls the holder_tx_signatures() method instead of accessing the field directly, adding protocol timing constraints as a filter. While effectively a no-op (counterparty signatures check already covers it), this is a subtle semantic shift in what signed_tx() means.

Additional observations (not line-specific):

• The test covers the initiator's shared input signer being blocked, but not the acceptor's (who gets funding_transaction_signed called automatically with empty witnesses when they have no local inputs). The same mechanism should work for the acceptor, but explicit test coverage would increase confidence.
• The provide_holder_witnesses change from inline condition has_received_commitment_signed && (sends_first || has_received_tx_signatures()) to the holder_tx_signatures() method subtly changes the boolean logic: the method uses (has_received_commitment_signed && sends_first) || has_received_tx_signatures(). These are equivalent in practice (protocol guarantees has_received_commitment_signed when has_received_tx_signatures() is true), but the parenthesization difference is worth noting.

[codecov]

Codecov Report

❌ Patch coverage is 95.21277% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.15%. Comparing base (42e198c) to head (9df5f83).

Files with missing lines	Patch %	Lines
lightning/src/ln/interactivetxs.rs	86.84%	4 Missing and 1 partial ⚠️
lightning/src/ln/channel.rs	97.59%	1 Missing and 1 partial ⚠️
lightning/src/ln/channelmanager.rs	98.33%	0 Missing and 1 partial ⚠️
lightning/src/util/test_channel_signer.rs	80.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4579      +/-   ##
==========================================
- Coverage   87.15%   87.15%   -0.01%     
==========================================
  Files         161      161              
  Lines      109251   109394     +143     
  Branches   109251   109394     +143     
==========================================
+ Hits        95215    95337     +122     
- Misses      11560    11580      +20     
- Partials     2476     2477       +1     

Flag	Coverage Δ
fuzzing-fake-hashes	31.16% <20.21%> (+0.01%)	⬆️
fuzzing-real-hashes	22.91% <17.55%> (-0.02%)	⬇️
tests	86.21% <95.21%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.