Introduce FundingContributionBuilder API

[wpaulino]

Looking for initial feedback on the design, still needs to be cleaned up a good bit.

[ldk-reviews-bot]

👋 Thanks for assigning @TheBlueMatt as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.08%. Comparing base (5704e8e) to head (de4ccfb).
⚠️ Report is 8 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4516      +/-   ##
==========================================
+ Coverage   86.99%   87.08%   +0.08%     
==========================================
  Files         163      163              
  Lines      108635   108936     +301     
  Branches   108635   108936     +301     
==========================================
+ Hits        94511    94869     +358     
+ Misses      11647    11587      -60     
- Partials     2477     2480       +3     

Flag	Coverage Δ
fuzzing	40.50% <73.91%> (+0.19%)	⬆️
tests	86.16% <100.00%> (+0.07%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[TheBlueMatt]

basically lgtm

[wpaulino]

Leaving the explicit input support for a follow-up as this PR is large enough already.

[ldk-claude-review-bot]

Nit: unnecessary return in final expression position. Same on line 740 for the sync variant.

Suggested change

	return Ok(FundingContribution::new(
	Ok(FundingContribution::new(

[ldk-claude-review-bot]

Review Summary — PR #4516: Introduce FundingContributionBuilder API

Correction from prior review

My prior comment #2 ("with_inputs_and_outputs uses wrong fee estimate when checking sufficiency after dropping change") was a false positive. On re-examination, the fallthrough _ => arm at line 656 correctly uses estimated_fee_no_change, not estimated_fee. The code handles the change-dropped case properly.

New issues (this pass)

• lightning/src/ln/funding.rs:1153 — validate_contribution_parameters rejects value_added == 0 && outputs.is_empty() before build_from_prior_contribution can reuse a fee-bump-only prior contribution, creating an asymmetry where a previously valid contribution can't be reused with an identical request.
• lightning/src/ln/funding.rs:516 — FundingInputs single-variant enum adds unnecessary indirection.

Previously flagged issues (still present)

1. lightning/src/ln/funding.rs:546-554 — Breaking serialization: TLV tags renumbered for a persisted type (FundingContribution is stored in PendingFunding.contributions).
2. lightning/src/ln/funding.rs:777 — splice_in/splice_in_sync additive semantics double value_added during RBF when the template carries a prior contribution.
3. lightning/src/ln/funding.rs:584 — saturating_add/saturating_sub for bitcoin amounts silently produces nonsensical values.
4. lightning/src/ln/funding.rs:655 — add_value/remove_value/add_output/remove_outputs methods duplicated across AsyncFundingBuilder and SyncFundingBuilder.
5. lightning/src/ln/funding.rs:682,740 — Unnecessary return keyword in final expression position.
6. lightning/src/ln/funding.rs:856 — rbf_prior_contribution now requires a prior contribution, removing old fee-bump-only capability.
7. lightning/src/ln/funding.rs:418 — Missed amend_without_coin_selection opportunity for input-backed prior contributions with holder_balance: None.

Cross-cutting concerns

• The validate() method was removed from FundingContribution and replaced with validate_inputs() (called only after coin selection in the builder). Contributions reused from prior state or deserialized from disk no longer undergo input validation at the channel level. This relies on the assumption that previously validated inputs remain valid, which should hold in practice but reduces defense-in-depth.
• The PR description says "still needs to be cleaned up a good bit" — the serialization break (try! instead of ? #1 above) and the additive semantics footgun (Fix typos #2) should be addressed before merge.

[TheBlueMatt]

I didn't look too deeply at the tests but basically LGTM.

[wpaulino]

Had to rebase due to a small import conflict.

[TheBlueMatt]

needs rebase again tho

[jkczyz]

Code looks good, but I think merging some impl blocks will help the diff.

[ldk-claude-review-bot]

Breaking serialization: TLV tags renumbered for a persisted type

FundingContribution is serialized as part of PendingFunding.contributions (channel.rs:2926), which is persisted in FundedChannel (channel.rs:15814, tag 64). Renumbering the TLV tags means any previously serialized FundingContribution will fail to deserialize:

• Old tag 1 = value_added (Amount), new tag 1 = estimated_fee (Amount) — same type, wrong semantics
• Old tag 3 = estimated_fee (Amount), new tag 3 = inputs (Vec) — different types, will fail

If a node with a pending splice upgrades, it will be unable to read its channel data.

Options:

1. Keep the old tag numbering and make value_added optional (defaulting to derived) for backward compatibility
2. Use new, higher tag numbers (e.g., start at 17+) so old fields are simply ignored by the new code
3. If splicing serialization is considered unstable/unreleased, document this as a known breaking change

[wpaulino]

This serialization has not been included in a release so it should be safe to break.

[TheBlueMatt]

linter, fuzz-sanity, and check_commits are failing.

[jkczyz]

Could you add a test for this error path?

[jkczyz]

Hmm... this comment was made on the second commit, but it shows up in a weird place on the third commit.

[wpaulino]

Added a unit test since a functional test would be pretty hard to discern. It's also quite the edge case, you shouldn't have a net-negative contribution in the first place if you didn't have a balance, so either the contribution is stale/invalid or the balance is.

[jkczyz]

Should we check if this overflows?

[wpaulino]

We check it when we select the inputs.

[jkczyz]

Where is that? I don't see it checked after calling select_confirmed_utxo. Maybe we shouldn't care if the user's CoinSelectionSource is broken?

[wpaulino]

Ah somehow this part didn't make it into this commit and was in my follow-up for manual input support. Should be good now.

[jkczyz]

Isn't the previous wording correct?

[wpaulino]

Only when there aren't any inputs because there may be some that are partially contributing to the net-negative contribution.

[jkczyz]

I believe the validation was removed?

[wpaulino]

Everything should be in validate_contribution_parameters, inputs are validated separately when we do coin selection.

[jkczyz]

I meant can't the sum overflow? We avoided the problem earlier with the explicit value_added. But maybe it was already a problem elsewhere?

[jkczyz]

Likewise.

[ldk-claude-review-bot]

Correctness concern: validate_contribution_parameters blocks reuse of fee-bump-only prior contributions

When a prior contribution has value_added() == 0 and empty outputs (a fee-bump-only contribution that only selected wallet inputs to pay fees), initializing a builder from it yields self.value_added = 0 and self.outputs = []. The validate_contribution_parameters check here then rejects the request with InvalidSpliceValue before build_from_prior_contribution gets a chance to reuse the prior.

This can happen when coin selection returned inputs where inputs - fee - change = 0 exactly. The old rbf code handled this case (via force_coin_selection = true); the new builder path rejects it at validation.

This may be intentional given the removal of the fee-bump-only flow, but it creates an asymmetry: a contribution that was successfully built and stored as a prior can fail to be reused with an identical request, which would be surprising to callers using rbf_prior_contribution or with_prior_contribution.

[wpaulino]

Fee-bump-only contributions would have the prior contribution's value_added and outputs so this is nonsense.

[ldk-claude-review-bot]

Nit: FundingInputs is a single-variant enum, adding indirection without benefit

FundingInputs has only one variant (CoinSelected), yet with_inputs_and_outputs and amend_without_coin_selection match on it. The target_value_added extracted from the match is Option<Amount> but is always Some(...) in practice. This makes the control flow harder to follow without adding extensibility — if new variants are expected soon, a comment noting that would help; otherwise this could be simplified to a plain struct or direct parameter.

[wpaulino]

We plan to add another variant in a follow-up for manual input support.

[TheBlueMatt]

Does this need to consider dust?

[wpaulino]

new_change is returned from compute_feerate_adjustment so it should have already been considered there.

[TheBlueMatt]

Huh? We always have a holder_balance, there's just cases where we failed to compute one but that is a "this mostly shouldn't happen" case and should just return an error anyway because our channel is kinda borked. We shouldn't convert everything to an option.

[wpaulino]

Happy to drop the commit, but then we probably should not allow splice_channel to return a FundingTemplate when we can't compute the balance so that PriorContribution::holder_balance is not an option.

[TheBlueMatt]

Its weird to split on whether the net contribution was negative or not - if I have a splice where I added 1 BTC+1 sat to the channel but sent 1BTC out without change output, I'm probably more than happy to RBF by using the value of some of my inputs to change the channel's balance.

[wpaulino]

Good point, but then we're not really abiding by the value_added they provided when we initially coin-selected the inputs. With manual input selection, this will work out of the box since there's no explicit value_added there, we're just always adding whatever is left after fees. Should we treat the coin-selected no-change case the same way?