bolt12+lnwire: add codec foundation with Offer message

[bitromortac]

Part of the first milestone in #10736 (total WIP of the first milestone can be found here).

This PR adds a new bolt12/ package skeleton, its first message struct (Offer), and the lnwire work needed to host it. Includes TLV subtypes as well as reader/write message validation.

[github-actions]

🔴 PR Severity: CRITICAL

Automated classification | 9 files (non-test) | 1,335 lines changed

🔴 Critical (2 files)

• lnwire/custom_records.go - Lightning wire protocol messages (lnwire/*)
• lnwire/pure_tlv.go - Lightning wire protocol messages (lnwire/*)

🟡 Medium (7 files)

• bolt12/decode.go - New BOLT12 package (uncategorized Go files → medium)
• bolt12/doc.go - New BOLT12 package documentation
• bolt12/offer.go - New BOLT12 offer types
• bolt12/pure_tlv.go - New BOLT12 TLV utilities
• bolt12/subtypes.go - New BOLT12 subtypes
• bolt12/tlv_types.go - New BOLT12 TLV type definitions
• bolt12/validate.go - New BOLT12 validation logic

Analysis

This PR introduces a new bolt12 package implementing BOLT12 (Offers) functionality, alongside modifications to two files in the lnwire package. The changes to lnwire/custom_records.go and lnwire/pure_tlv.go drive this PR to CRITICAL severity, as lnwire/* covers Lightning wire protocol messages and requires expert review.

The new bolt12 package itself does not fall into any predefined critical or high category and classifies as medium. However, the highest severity file governs, making this PR overall CRITICAL.

Additionally, with ~1,335 non-test lines changed (exceeding the 500-line bump threshold), a severity bump is triggered — though the PR is already at the maximum level of CRITICAL.

---

_{To override, add a severity-override-{critical,high,medium,low} label.}
<!-- pr-severity-bot -->

[github-actions]

🔴 PR Severity: CRITICAL

Automated classification | 9 files (non-test) | 1,335 lines changed

🔴 Critical (2 files)

• lnwire/custom_records.go - Lightning wire protocol messages (lnwire/*)
• lnwire/pure_tlv.go - Lightning wire protocol messages (lnwire/*)

🟡 Medium (7 files)

• bolt12/decode.go - New BOLT12 package (uncategorized Go files → medium)
• bolt12/doc.go - New BOLT12 package documentation
• bolt12/offer.go - New BOLT12 offer types
• bolt12/pure_tlv.go - New BOLT12 TLV utilities
• bolt12/subtypes.go - New BOLT12 subtypes
• bolt12/tlv_types.go - New BOLT12 TLV type definitions
• bolt12/validate.go - New BOLT12 validation logic

Analysis

This PR introduces a new bolt12 package implementing BOLT12 (Offers) functionality, alongside modifications to two files in the lnwire package. The changes to lnwire/custom_records.go and lnwire/pure_tlv.go drive this PR to CRITICAL severity, as lnwire/* covers Lightning wire protocol messages and requires expert review.

The new bolt12 package does not fall into any predefined critical or high category and classifies as medium. However, the highest severity file governs, making this PR overall CRITICAL.

Additionally, with ~1,335 non-test lines changed (exceeding the 500-line bump threshold), a severity bump is triggered — though the PR is already at the maximum level of CRITICAL.

---

_{To override, add a severity-override-{critical,high,medium,low} label.}
<!-- pr-severity-bot -->

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request establishes the foundational codec infrastructure for BOLT 12 support in LND. It introduces a dedicated bolt12 package to manage the serialization and validation of offer messages, while extending lnwire with necessary utilities to support the required TLV-based message structures.

Highlights

• BOLT 12 Foundation: Introduced the bolt12 package skeleton to manage the encoding, decoding, and validation of BOLT 12 messages.
• Offer Message Implementation: Implemented the Offer struct, supporting various optional TLV fields and providing a clean interface for message serialization.
• lnwire Extensions: Added helper functions to lnwire to support PureTLVMessage handling and improved management of optional records.
• Validation Logic: Included comprehensive validation rules to ensure BOLT 12 messages comply with spec-defined writer and reader requirements.

New Features

🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request implements the core BOLT 12 offer codec, including encoding, decoding, and validation logic. It introduces the Offer message type, support for blinded paths, and chain-specific validation. Additionally, it extends the lnwire package with generic TLV helpers and predicate-driven serialization to accommodate BOLT 12's specific signed-range requirements. Feedback includes a critical fix for a dangling pointer in the AddOpt helper and a recommendation to use unsigned comparisons for expiry timestamps to avoid potential overflow issues.

[Abdulkbk]

Had a first pass and left one question. Would take a deeper look.

[erickcestari]

Still going through the diff. A few things worth tightening already flagged inline. Requesting changes for now so we can iterate on those while I finish the rest. Thanks!

[erickcestari]

We could use the btcec.ParsePubKey to validate if the point is really in the curve.

[bitromortac]

Yes, good point. I'm using *btcec.PublicKey for pubkey-based fields now. That way we get the validation when during decode. Currently this checks only for non-nilness, will probably also add the on-curve check here in the next round.

[bitromortac]

Have added the checks that keys are on curve.

[erickcestari]

bp.IntroductionNode used to be a fixed 33-byte pubkey; now it's 33 bytes for PubkeyIntro or 9 bytes for SciddirIntro with no discriminator, so any client doing btcec.ParsePubKey(bp.IntroductionNode) (as the proto comment promises) breaks the first time a sciddir reply path arrives.

[bitromortac]

That's a good point. I'd need to think more about how that's used on the client side. I'd tend towards updating the proto description and later add a one_of for the two introduction node types?

[bitromortac]

To not increase the scope of this PR I added a TODO(bolt12) (will use this to keep track of lightweight things we need to fix) to SubscribeOnionMessages. We need to decide if we want to convert to a pubkey (which adds a db roundtrip) or if we just update the proto description that the field can contain both data types (together with adding a convenience one_of).

[Abdulkbk]

Leaning more toward oneoff because, aside from the lookup cost, we'd also need a fallback when we fail to resolve the scid. Updating the proto description and maybe a follow-up adding the one_off is the cleanest path imo.

[bitromortac]

Yes, I agree with that. I'll follow up with an RPC update PR.

[bitromortac]

I have experimented with this a bit more and if we add a one_of to lightning.proto:BlindedPath we would leak protocol internals to the RPCs. With this we would have to make other endpoints aware of the scid intro node, which doesn't make too much sense as it's just a pointer to the node id. For the RPCs where it's cheap (like DecodeOffer) we can do the graph lookup and skip over paths that don't resolve (with logging). Instead I'd update the SubscribeOnionMessages proto description that we may pass out scid-based intro nodes verbatim. If needed we can later add a bool resolveScidIntros or similar to that RPC. That way the behavior is constrained to a single RPC, which is anyhow more of a debugging kind.

[ziggie1984]

can you make sure you do not forget it during the BOLT12 saga

[erickcestari]

Q: Should we set a maximum ceiling size for offers to avoid decoding huge offers?

[bitromortac]

I added a check to DecodeOfferString (included in future PR), to have this function be decode only without validation.

[Abdulkbk]

Another pass, mostly nits and a few suggestions.

[Abdulkbk]

Leaning more toward oneoff because, aside from the lookup cost, we'd also need a fallback when we fail to resolve the scid. Updating the proto description and maybe a follow-up adding the one_off is the cleanest path imo.

[erickcestari]

Nice work!

LGTM! 🫴

[vctt94]

Overall this looks like a solid start for the BOLT 12 offer codec. The offer TLV mapping matches the spec fields, tu64 values use truncated encoding, unknown signed-range TLVs are preserved for re-encoding, and pubkeys are parsed with btcec.ParsePubKey rather than only length/prefix checked.

I left a few inline comments around onion message TLV handling and smaller validation/API edges. I also added a regression test for the unknown-even final-hop TLV case here: lnwire/onion_msg_payload_test.go.

[vctt94]

BOLT 4 says the final node must ignore an onion message containing more than one payload field.

This appends every recognized final-hop payload field that appears, and the test suite currently round-trips invoice_request, invoice, and invoice_error together.

Should decode reject/ignore when more than one final-hop payload namespace is present?

[erickcestari]

Good catch! We should do that!

[bitromortac]

Nice, yes, will do that in the next PR (out of scope for this one).

[vctt94]

Does this need to reject unknown even final-hop TLVs?

Type 70, for example, is >=64 so it reaches this append path, but it is also even and not one of the known payload namespaces.

BOLT 1 treats unknown even TLVs as must-understand, and BOLT 4 says an onion message containing unknown even types MUST be ignored.

[bitromortac]

👍 Will do that in the next PR, since it deals with onion messages.

[vctt94]

Should this check tlvBytes == nil instead? TypeMap uses nil to mark known/parsed TLVs, while an unknown odd zero-length TLV is valid but would be dropped here.

[bitromortac]

Good call, will bundle a fix in the next PR.

[vctt94]

Can we also reject a present-but-nil OfferIssuerID here? IsSome() satisfies this check, but encode later calls SerializeCompressed on the *btcec.PublicKey, so a nil key would panic instead of returning a validation error.

[bitromortac]

Yes, makes sense, fixed.

[vctt94]

Should Bytes return an error instead of silently dropping encode failures?

For example, PubkeyIntro{} currently returns an empty slice here, which can hide an invalid introduction node from RPC/logging callers. Since serialization can fail, Bytes() ([]byte, error) seems safer.

If changing the signature is too invasive for this PR, maybe this should at least be guarded at construction/validation time or documented clearly so callers do not treat an empty slice as a valid encoding.

[bitromortac]

I fixed this by adding a constructor, which isn't bullet-proof as one can use the zero-value initializer, but have also added docstrings to use the constructor. I think this is nicer to not have to check the error at the call sites.

[ziggie1984]

Almost there 👏, strong PR.

I had a couple of minor coments which should be addressed.

[ziggie1984]

normally we don't do somthing like this.

[bitromortac]

Agree that we don't have the pattern, but I think it's a nice golang feature. And why not start it if we create a standalone package that could be useful for outside consumers?

[ziggie1984]

does an offer have a signed range which needs to be skipped ?

[bitromortac]

Offers aren't signed in BOLT 12 (no signature TLV), so there's no signed range to skip here. The signed-range handling is relevant to invoice_request and invoice. An offer is validated purely against its allowed type ranges.

[ziggie1984]

does this allow paths with just the introduction point ?

[bitromortac]

It doesn't, the current spec forbids blinded paths with empty hops.

[ziggie1984]

is this according to the spec or do we need to update the spec to not allow zero expiry ?

[erickcestari]

Based on the writer rules, I understand that 0 should be considered expired.

https://github.com/lightning/bolts/blob/master/12-offer-encoding.md?plain=1#L260-L263

By the way, this might mean that, if we want an offer that doesn't expire, we should add a very large value to offer_absolute_expiry instead of 0.

[bitromortac]

Yes, one needs to set an explicit timestamp according to the spec and it's interpreted as a real unix timestamp. I changed the inline comment to be more explicit.

[ziggie1984]

Non-Blocking test gaps:

  1. TLV type boundary cases — cheap to write, catches a real bug class (off-by-one in offerAllowedRange/invreqAllowedRange).
  2. UTF-8 invalid for offer_description and offer_issuer — uncovered code paths today.
  3. offer_quantity_max = 0 (unlimited) valid case — pins the three-state semantic.
  4. now == expiry rejected — boundary off-by-one.
  5. Symmetric explicit-bitcoin chain test — pins the inverted-default invariant.
  6. Multi-error determinism — pins the sortedTypes contract.

[bitromortac]

Added those tests, thanks!

[vctt94]

LGTM!

Good job on this PR

[Abdulkbk]

LGTM

[Abdulkbk]

Since PubkeyIntro and SciddirIntro all have exported fields (Pubkey, Direction, SCID), a caller can write PubkeyIntro{Pubkey: nil} directly and bypass the validator, after which Bytes() silently returns empty bytes, exactly the failure mode the constructor added was to prevent.

[ziggie1984]

see this #10789 (comment) for explanation

[Abdulkbk]

micro nit: non-nil

[ziggie1984]

LGTM

[ziggie1984]

Nit: Somehow it feels wrong validating in the size path, because a blindedPath without a intropoint is not a valid blinded route and should not happen. So maybe we assume that it is correct here ?

[ziggie1984]

What do you think adding this test-case:

bolt12.Offer should decode and re-encode unknown odd TLVs in the allowed offer ranges byte-for-byte.

[ziggie1984]

Suggested change

	var chainsEmpty bool
	o.OfferChains.WhenSome(
	func(r tlv.RecordT[tlv.TlvType2, ChainsRecord]) {
	if len(r.Val.Chains) == 0 {
	chainsEmpty = true
	}
	},
	)
	if chainsEmpty {
	return ErrEmptyChains
	}
	if err := fn.MapOptionZ(
	o.OfferChains.ValOpt(),
	func(r ChainsRecord) error {
	if len(r.Chains) == 0 {
	return ErrEmptyChains
	}
	return nil
	},
	); err != nil {
	return err
	}

[ziggie1984]

Nit: normally we mostly use MapOptionZ for this stuff.

[ziggie1984]

Maybe add:

• // A decoded offer_issuer_id has already passed the TLV point decoder, but
  // ValidateOfferRead may also be called on manually constructed offers. Reject a
  // present-but-nil key here so the reader-side identity check cannot be satisfied
  // by a value that would panic or fail later when used as a public key.
  if err := checkIssuerID(o.OfferIssuerID); err != nil {
  	return err
  }

[ziggie1984]

hmm here you use the MapOptionZ ?

[ziggie1984]

check:

 if !isKnownOfferTLVType(t) && t%2 == 0 {
     	return fmt.Errorf("%w: type %d", ErrUnknownEvenType, t)
     }

as well here ?