Support manually selecting inputs consuming their entire value

[wpaulino]

This commit introduces an alternative way of splicing in funds without coin selection by requiring the full UTXO to be provided. Each UTXO's entire value (minus fees) is allocated towards the channel, which provides unified balance wallets a more intuitive API when splicing funds into the channel, as they don't particularly care about maintaining a portion of their balance onchain.

To simplify the implementation, we require that contributions are not allowed to mix coin-selected inputs with manually-selected ones. Users will need to start a fresh contribution if they want to change the funding input mode.

[ldk-reviews-bot]

👋 Thanks for assigning @TheBlueMatt as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[ldk-claude-review-bot]

Bug: Backwards compatibility issue with persisted FundingContribution objects.

FundingContribution is persisted in PendingFunding.contributions (channel.rs:2917). When deserializing contributions created before this PR, input_mode will be None (it's a new option TLV field). Old coin-selected contributions with inputs will have input_mode == None, causing this condition to be false even though they should take the coin-selected branch.

This causes two problems for old persisted coin-selected contributions:

1. Wrong fee buffer calculation: Uses holder_balance + net_value_without_fee instead of estimated_fee + change_value, potentially allowing or rejecting feerate adjustments incorrectly.
2. Change output silently dropped: compute_feerate_adjustment returns None for change, and at_feerate sets change_output = None, losing the change value.

This is reachable via for_acceptor_at_feerate / for_initiator_at_feerate called on contributions loaded from pending_splice.contributions (channel.rs lines 12504, 12944, 13127, 13145).

Fix: use self.input_mode != Some(FundingInputMode::Manual) instead of self.input_mode == Some(FundingInputMode::CoinSelected) to preserve old behavior for contributions where input_mode is None:

Suggested change

	if !self.inputs.is_empty() && self.input_mode == Some(FundingInputMode::CoinSelected) {
	if !self.inputs.is_empty() && self.input_mode != Some(FundingInputMode::Manual) {

[wpaulino]

There is no backwards compatibility concern because the serialized object has not been included in a release yet.

[ldk-claude-review-bot]

Minor: Same backwards-compat pattern as line 880. Old persisted coin-selected contributions will have input_mode == None, so this guard won't fire for them. In practice this is mostly mitigated by the check at line 1309 (value_added > 0 && manually_selected_inputs non-empty), but it could miss edge cases where the old prior had value_added() == 0 (inputs exactly covered outputs + fees).

Consider using != Some(FundingInputMode::Manual) combined with a non-empty inputs check:

Suggested change

	if prior_contribution.input_mode == Some(FundingInputMode::CoinSelected)
	if prior_contribution.input_mode != Some(FundingInputMode::Manual)
	&& !prior_contribution.inputs.is_empty()

[ldk-claude-review-bot]

I've completed a thorough review of the entire PR diff and verified the current code state. All previously flagged issues have been checked, and I've searched for any new issues.

Review Summary

Previously Flagged Issues — Status

1. FIXED — lightning/src/ln/funding.rs — .take() destroying funding_inputs on coin selection fallback path is now .clone() at line 1229.

2. Still open — lightning/src/ln/funding.rs:933 — Backwards-compat: old persisted coin-selected contributions have input_mode == None, causing them to take the manual-inputs fee buffer branch instead of the coin-selected branch in compute_feerate_adjustment. This drops the change output and miscalculates the fee buffer.

3. Still open — lightning/src/ln/funding.rs:1401-1412 — Backwards-compat: old coin-selected priors with input_mode == None get funding_inputs = None in builder init, silently discarding their inputs when the request doesn't match and amend_without_coin_selection is called.

4. Still open — lightning/src/ln/funding.rs:1375-1381 — Duplicate-output validation (by script_pubkey) shadows MAX_MONEY sum tests since funding_output_sats() always produces the same script_pubkey.

No New Issues Found

The new code is otherwise correct. Specifically verified:

• FundingInputs/FundingInputMode enums and their serialization
• Builder add_input/add_inputs/remove_input methods correctly enforce mode exclusivity
• splice_in_inputs convenience method correctly appends to prior manual inputs
• ManuallySelectedInputsInsufficient error correctly does NOT fall through to coin selection in both sync and async builders
• Fee buffer calculation for manual inputs in compute_feerate_adjustment is correct for positive and negative net_value_without_fee
• validate_inputs duplicate detection covers the combined set (prior + new) of manually selected inputs
• validate_contribution_parameters runs before build_from_prior_contribution, catching duplicates and MAX_MONEY violations
• request_matches_prior correctly compares outpoints for manual inputs and value for coin-selected inputs
• net_value_without_fee and net_value_at_feerate arithmetic is sound for manual inputs
• Spliceable balance check in try_build_without_coin_selection correctly gates net-negative manual contributions

[codecov]

Codecov Report

❌ Patch coverage is 96.14874% with 29 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.58%. Comparing base (f408b17) to head (dcca939).
⚠️ Report is 33 commits behind head on main.

Files with missing lines	Patch %	Lines
lightning/src/ln/funding.rs	96.07%	15 Missing and 14 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4575      +/-   ##
==========================================
+ Coverage   86.15%   86.58%   +0.43%     
==========================================
  Files         157      159       +2     
  Lines      109096   110419    +1323     
  Branches   109096   110419    +1323     
==========================================
+ Hits        93989    95611    +1622     
+ Misses      12485    12275     -210     
+ Partials     2622     2533      -89     

Flag	Coverage Δ
fuzzing-fake-hashes	6.57% <0.00%> (?)
fuzzing-real-hashes	23.17% <3.67%> (?)
tests	86.23% <96.14%> (+0.07%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[TheBlueMatt]

All LGTM. One question.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[TheBlueMatt]

thanks

[elnosh]

Not that familiar with splicing-related code in the codebase but looking at this for learning purposes. After much staring, changes make sense although agree with @jkczyz comment on making an enum since those fields (value_added and manually_selected_inputs) are mutually exclusive in the ways inputs can be provided.

[elnosh]

I'm not sure I follow this comment. If we have a builder with either sync or async CoinSelectionSource then manually added inputs are not allowed.

[wpaulino]

Manually selected inputs are still allowed as long as the added_value is 0.

[TheBlueMatt]

Needs rebase again :/

[ldk-claude-review-bot]

Nit / test gap: this new duplicate-output check fires before the value_removed > MAX_MONEY accumulation below. Since funding_output_sats() always returns the same script_pubkey (new_p2wpkh(&WPubkeyHash::all_zeros())), the existing tests test_build_funding_contribution_validates_max_money ("splice_out with multiple outputs summing > MAX_MONEY", lines 2723-2734) and test_funding_builder_validates_mixed_request_max_money ("outputs summing > MAX_MONEY", lines 2755-2769) now hit this duplicate check first. They still pass because both paths yield InvalidSpliceValue, but the MAX_MONEY sum-of-outputs path has lost test coverage.

Consider using distinct script_pubkey values for each output in those tests.

[TheBlueMatt]

Its quite awkward that we call this here and it takes several fields from inner internally but then we reuse inner a few lines down as well as later. It probably makes sense to pay the penalty of either calling prepare_coin_selection_request upfront so we can make build_without_coin_selection take mut self without ref or cloneing internally to avoid ripping out parts of inner before we reuse it. Seems like too much opportunity for stuff to go wrong later.

[wpaulino]

Alright just decided to clone internally

[TheBlueMatt]

Sorry, this wasn't the only place, we also take the prior_contribution in try_build_without_coin_selection and mutate inner that way too.