Add BOLT12 support to LSPS2 via custom Router implementation

[tnull]

Closes #4272.

This is an alternative approach to #4394 which leverages a custom Router implementation on the client side to inject the respective.

LDK Node integration PR over at lightningdevkit/ldk-node#817

[ldk-reviews-bot]

👋 Thanks for assigning @TheBlueMatt as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-claude-review-bot]

No issues found.

I re-reviewed the full current state of the PR (head commit abdecc2b9). The PR has been substantially refactored since my prior review passes — it is now a focused, self-contained payment-path Router wrapper. Notably, the current diff no longer touches events/mod.rs, onion_message/messenger.rs, or channelmanager.rs; the OnionMessageIntercepted event (with prev_hop/next_hop) is now pre-existing in the base branch. As a result, all of my prior inline comments targeted an older, different design and are obsolete — none of them map to current code lines, so I am not re-posting them.

What I verified in the current diff:

• router.rs (new) — create_blinded_payment_paths is correct: async-offer early Err(()) guard, delegates to inner router, appends LSPS2 paths with continue on BlindedPaymentPath::new failure, guards against an empty path set with Err(()), and increases max_cltv_expiry by the forwarding delta in the correct direction. cltv_expiry_delta is now u16, so the as u32 in saturating_add is lossless. The () and Fn blanket LSPS2Bolt12PaymentMetadataDecoder impls don't conflict. Well covered by 6 unit tests.
• PaymentContext::payment_metadata() (payment.rs:583) exists and returns Option<&BTreeMap<u64, Vec<u8>>> for all three Bolt12 variants — used correctly.
• event.rs / msgs.rs / service.rs — the u32→u16 change is consistent across the client event, the LSPS2BuyResponse wire struct, and the service API, and aligns with PaymentRelay.cltv_expiry_delta (u16) and the BOLT route-hint width. The LSPS2BuyResponse field is JSON (serde) and the value is semantically a u16 per the BOLT spec, so the narrowing is intentional and correct.
• Integration tests — the three new BOLT12 tests use u16 consistently (execute_lsps2_dance now takes u16, so the prior type-mismatch concern is resolved), and the compact-message-path test relies only on pre-existing base machinery.

Security: the decoded payment metadata is authored by the recipient and authenticated via the offer/reply-path context HMAC, so a payer cannot inject malicious LSP parameters. Safe.

One low-confidence observation I deliberately did not file (consistent with my prior pass): router.rs:240 uses plain MIN_FINAL_CLTV_EXPIRY_DELTA, whereas the BOLT11 route-hint path uses MIN_FINAL_CLTV_EXPIRY_DELTA + 2. The end-to-end test completes (client claims), demonstrating the plain value is functionally sufficient for the blinded-path case, so this is not a defect.

No inline comments posted this pass.

[codecov]

Codecov Report

❌ Patch coverage is 88.38174% with 56 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.13%. Comparing base (2313bd5) to head (4342483).
⚠️ Report is 169 commits behind head on main.

Files with missing lines	Patch %	Lines
lightning-liquidity/src/lsps2/router.rs	93.39%	27 Missing ⚠️
lightning/src/ln/channelmanager.rs	32.00%	16 Missing and 1 partial ⚠️
lightning/src/events/mod.rs	33.33%	5 Missing and 1 partial ⚠️
lightning/src/offers/flow.rs	66.66%	2 Missing and 1 partial ⚠️
lightning/src/onion_message/messenger.rs	86.66%	2 Missing ⚠️
lightning/src/util/test_utils.rs	92.30%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4463      +/-   ##
==========================================
+ Coverage   87.08%   87.13%   +0.04%     
==========================================
  Files         161      162       +1     
  Lines      109255   109707     +452     
  Branches   109255   109707     +452     
==========================================
+ Hits        95147    95589     +442     
- Misses      11627    11632       +5     
- Partials     2481     2486       +5     

Flag	Coverage Δ
fuzzing-fake-hashes	31.10% <7.35%> (+0.12%)	⬆️
fuzzing-real-hashes	22.79% <4.41%> (+0.13%)	⬆️
tests	86.20% <88.38%> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[tnull]

Added back a commit that derives Hash for OfferId, as we need that downstream (slightly orthogonal, but connected to this PR).

[TheBlueMatt]

Does this need updating with the changes from #4584?

[tnull]

Does this need updating with the changes from #4584?

Yes, probably we should now wait for that to land first.

[tnull]

Now updated to use the new payment-metadata-in-BOLT12-context flow. Also updated lightningdevkit/ldk-node#817 to use this.

[TheBlueMatt]

Why do we need this? Doesn't our router inject the metadata for us?

[tnull]

The MessageRouter in LDK Node will do that for regular offers, but that doesn't work for the async path:

For regular offers, ldk-node does this:

• Wraps MessageRouter.
• When create_offer_builder_using_router(...) builds blinded invoice-request paths, the wrapper sees MessageContext::Offers(InvoiceRequest { payment_metadata, .. }).
• It writes LSPS2 metadata there.
• Later, when an invoice request arrives, LDK turns that into PaymentContext::Bolt12Offer { payment_metadata }.
• Then LSPS2BOLT12Router can decode it while building the actual invoice payment paths.

For async static invoices, the order is different:

• The recipient proactively builds a StaticInvoice before any payer invoice request exists.
• The static invoice’s payment paths are built via Router::create_blinded_payment_paths.
• That call receives PaymentContext::AsyncBolt12Offer { payment_metadata }.
• The MessageRouter is not involved in that payment-path construction, so it has no place to inject the metadata.

[TheBlueMatt]

Right, then shouldn't we wrap the router rather than adding a new top level method here?

[tnull]

Hmm, no? I think we're going in circles here - if we have the router inject, then it would need to be stateful, meaning LDK Node will need to persist the LSPS2 params, and we just went through quite a bit of effort to avoid that. Or maybe I'm missing something?

[TheBlueMatt]

Hmm, I don't think this currently works? If we build a static invoice when we connect to peers while we're negotiating LSPS2 (ie we have no LSPS2 parameters configured yet) we'll upload the static invoice to our static invoice storage server and there will be a window during which we cannot receive because the static invoice that is stored is bogus. LSPS2BOLT12Router really needs to fail until we have configured parameters so that we won't upload a bogus static invoice.

The docs here really need to mention that this should never really be required unless using LSPS.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 3rd Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 4th Reminder

Hey @TheBlueMatt @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.