[RFC] Add BOLT 12 payer proof primitives

[vincenzopalazzo]

This is a first draft implementation of the payer proof extension to BOLT 12 as proposed in lightning/bolts#1295. The goal is to get early feedback on the API design before the spec is finalized.

Payer proofs allow proving that a BOLT 12 invoice was paid by demonstrating possession of:

• The payment preimage
• A valid invoice signature over a merkle root
• The payer's signature

This PR adds the core building blocks:

• Extends merkle.rs with selective disclosure primitives that allow creating and reconstructing merkle trees with partial TLV disclosure. This enables proving invoice authenticity while omitting sensitive fields.
• Adds payer_proof.rs with PayerProof, PayerProofBuilder, and UnsignedPayerProof types. The builder pattern allows callers to selectively include invoice fields (description, amount, etc.) in the proof.
• Implements bech32 encoding/decoding with the lnp prefix and proper TLV stream parsing with validation (ascending order, no duplicates, hash length checks).

This is explicitly a PoC to validate the API surface - the spec itself is still being refined. Looking for feedback on:

• Whether the builder pattern makes sense for selective disclosure
• The verification API
• Integration points with the rest of the offers module

cc @TheBlueMatt @jkczyz

[ldk-reviews-bot]

👋 Thanks for assigning @jkczyz as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[codecov]

Codecov Report

❌ Patch coverage is 60.86957% with 378 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.63%. Comparing base (2d2151a) to head (9b3865f).

Files with missing lines	Patch %	Lines
lightning/src/offers/payer_proof.rs	37.99%	347 Missing and 12 partials ⚠️
lightning/src/offers/merkle.rs	95.09%	16 Missing and 3 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4297      +/-   ##
==========================================
- Coverage   85.86%   85.63%   -0.23%     
==========================================
  Files         159      160       +1     
  Lines      104302   105267     +965     
  Branches   104302   105267     +965     
==========================================
+ Hits        89558    90149     +591     
- Misses      12246    12599     +353     
- Partials     2498     2519      +21     

Flag	Coverage Δ
tests	85.63% <60.86%> (-0.23%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[TheBlueMatt]

A few notes, though I didn't dig into the code at a particularly low level.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @valentinewallace! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[TheBlueMatt]

Some API comments. I'll review the actual code somewhat later (are we locked on on the spec or is it still in flux at all?), but would be nice to reduce allocations in it first anyway.

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @valentinewallace! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 3rd Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 4th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 5th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 6th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 7th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 8th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 9th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-claude-review-bot]

Naming: the field is called leaf_hashes but the doc comment says "Nonce hashes" and the values stored are nonce hashes (computed from tagged_hash_from_engine(nonce_tag, record.type_bytes)), not leaf hashes. In reconstruct_merkle_root, the variable is used as nonce_hash = leaf_hashes[inc_idx]. This naming inconsistency could lead to confusion during maintenance. Consider renaming to nonce_hashes.

[vincenzopalazzo]

Fair point on the naming — the doc comment says "Nonce hashes" but the field is leaf_hashes. Looking at the spec though, the TLV field is literally called leaf_hashes (type 248), so the field name matches the spec. The doc comment could be more precise but the naming follows the wire format.

[ldk-claude-review-bot]

[ldk-claude-review-bot]

Missing FromStr impl. Both Offer and Refund implement FromStr (delegating to from_bech32_str), which is the standard Rust way to parse from a string. Without this, users can't do encoded.parse::<PayerProof>(). The bech32 decode path (from_bech32_str → TryFrom<Vec<u8>>) is also not exercised by any test — the tests only check the bech32 prefix and then round-trip through raw TLV bytes.

Suggested change

	impl Bech32Encode for PayerProof {
	const BECH32_HRP: &'static str = PAYER_PROOF_HRP;
	}
	impl Bech32Encode for PayerProof {
	const BECH32_HRP: &'static str = PAYER_PROOF_HRP;
	}
	impl core::str::FromStr for PayerProof {
	type Err = crate::offers::parse::Bolt12ParseError;
	fn from_str(s: &str) -> Result<Self, <Self as core::str::FromStr>::Err> {
	Self::from_bech32_str(s)
	}
	}

[vincenzopalazzo]

Intentionally deferred — the bech32 decode path can be added later when there's a concrete use case. Right now we have Display for encoding and TryFrom<Vec<u8>> for raw bytes. Adding FromStr is a nice-to-have but not blocking for the initial implementation.

[ldk-claude-review-bot]

The min_type field is assigned node_idx (a sequential counter 0, 1, 2, ...) rather than the actual TLV type. On the producer side (build_tree_with_disclosure), min_type is the real TLV type (e.g., 0, 10, 20, ...). Both needs_hash and missing_with_types are sorted by min_type to establish a bijection between the two sides, so this only works because sequential indices and TLV types are both monotonically increasing left-to-right, preserving the relative sort order.

This implicit invariant is fragile and worth documenting with a comment, since a reader comparing the two functions would naturally expect the min_type values to match.

[vincenzopalazzo]

Not a bug — the sequential node_idx preserves the same relative ordering as the actual TLV types because TLVs are always in ascending type order. Since min_type is only used for sorting needs_hash entries, and sorted sequential indices produce the same order as sorted TLV types, the result is equivalent. The producer uses real types, the consumer uses indices, but both sort to the same permutation.

[ldk-claude-review-bot]

This comment acknowledges a disagreement with the spec ("The spec example only shows 3, but that appears to be incomplete ... Our implementation should produce 4"). For the tree structure with 7 nodes where the last node (type 60) is an odd-one-out at level 0, it correctly needs its own missing_hash at level 1 when paired with the (40,50) subtree. So this implementation produces 4 missing hashes.

This should be resolved with the spec authors before merging — if other implementations follow the spec's "3 missing hashes" example, payer proofs generated by this code won't interoperate.

[vincenzopalazzo]

This is a known open question with the spec, already noted in the test comment. The spec example shows 3 missing hashes but for 7 nodes with 2 included, the correct count is 4 (type 0, types 20+30 as branch, type 50, type 60). The round-trip test proves our implementation is self-consistent. Once the spec adds test vectors (there's a FIXME placeholder for that), we'll align.

[ldk-claude-review-bot]

The test claims "Serialization Round-Trip" and encodes to bech32, but only checks the prefix and then round-trips through raw TLV bytes via PayerProof::try_from(proof.bytes().to_vec()). The actual bech32 decode path (from_bech32_str → TryFrom<Vec<u8>>) is never tested. You should decode from the bech32 string too:

let decoded_from_bech32 = PayerProof::from_bech32_str(&encoded).unwrap();
assert_eq!(decoded_from_bech32.preimage(), proof.preimage());

(Same issue in the second test at creates_payer_proof_with_note_and_selective_disclosure.)

[vincenzopalazzo]

The test intentionally round-trips through raw TLV bytes (PayerProof::try_from(proof.bytes().to_vec())) which exercises the full verification pipeline (preimage, invoice sig, payer sig, merkle reconstruction). The bech32 encode is tested via to_string() prefix check. Full bech32 decode requires FromStr which is deferred — see the other comment.

[ldk-claude-review-bot]

prev_type + 1 and last_marker + 1 can overflow if the value is u64::MAX. While extreme TLV types are impractical, this would panic in debug builds. The same + 1 overflow exists in reconstruct_merkle_root at line 561 (prev_marker + 1). Consider using checked_add or saturating_add and returning an error on overflow.

[vincenzopalazzo]

Theoretical but not practical — TLV types near u64::MAX don't exist in any BOLT 12 context. The marker algorithm operates on types 0-239 (non-signature invoice TLVs). That said, if we want to be paranoid we could use saturating_add, but it would change semantics in an impossible edge case. Not worth the complexity IMO.

[ldk-claude-review-bot]

Bug (defense-in-depth): This iterates over self.invoice_bytes which includes the invoice's own signature record (type 240, same value as TLV_SIGNATURE). If included_types ever contains a signature-range type (e.g., 240), this loop would write the invoice signature as a "passthrough" included record, and then lines 327-329 would write it again as TLV_SIGNATURE, producing duplicate type-240 entries that fail the parser's ordering check.

The prior review flagged include_type() not rejecting types >= 240 as the root cause. But even if that's fixed, this loop should defensively filter signature types to match what build_unsigned does for bytes_without_sig:

Suggested change

	fn serialize_payer_proof(&self, payer_signature: &Signature, note: Option<&str>) -> Vec<u8> {
	let mut bytes = Vec::new();
	for record in
	TlvStream::new(&self.invoice_bytes).filter(|r| self.included_types.contains(&r.r#type))
	{
	bytes.extend_from_slice(record.record_bytes);
	}
	for record in
	TlvStream::new(&self.invoice_bytes).filter(|r| self.included_types.contains(&r.r#type) && !SIGNATURE_TYPES.contains(&r.r#type))
	{
	bytes.extend_from_slice(record.record_bytes);
	}

[vincenzopalazzo]

Good catch, fixed in f78efc0 together with the include_type guard. The serialization loop now defensively filters SIGNATURE_TYPES from the invoice bytes iteration as belt-and-suspenders.

[ldk-claude-review-bot]

Minor bug in ordering logic: prev_tlv_type is initialized to 0, and the guard prev_tlv_type != 0 means the check never fires when prev_tlv_type == 0. This is intentional for the first iteration (to allow any first TLV type), but it also means that if two consecutive TLV records both have type 0, the second would not be caught by this check.

Currently mitigated because type 0 (PAYER_METADATA_TYPE) is rejected at line 588, but the ordering logic itself is unsound. A cleaner approach would be:

Suggested change

	for record in TlvStream::new(&bytes) {
	let tlv_type = record.r#type;
	// Strict ascending order check covers both ordering and duplicates.
	if tlv_type <= prev_tlv_type && prev_tlv_type != 0 {
	return Err(Bolt12ParseError::Decode(DecodeError::InvalidValue));
	}
	prev_tlv_type = tlv_type;
	// Strict ascending order check covers both ordering and duplicates.
	// Use a separate flag for the first iteration rather than special-casing 0.
	if prev_tlv_type > 0 && tlv_type <= prev_tlv_type {
	return Err(Bolt12ParseError::Decode(DecodeError::InvalidValue));
	}
	prev_tlv_type = tlv_type;

(Note: this changes behavior slightly — the very first TLV with type 0 would now set prev_tlv_type = 0, and a second type 0 would still pass. A proper fix would use an Option<u64> or a bool flag. But since type 0 is rejected anyway, this is low priority.)

[vincenzopalazzo]

Same as the other comment — type 0 is PAYER_METADATA_TYPE, unconditionally rejected by the catch-all. The prev_tlv_type \!= 0 guard only matters for the first iteration, which is the intended behavior.

[ldk-claude-review-bot]

Design concern: This payer signature construction uses a non-standard double-hash pattern — SHA256(tag || tag || SHA256(note || merkle_root)) — rather than the standard BOLT 12 pattern used elsewhere (SHA256(tag || tag || merkle_root), as in TaggedHash::from_merkle_root).

Two things to verify against the spec:

1. No length-prefix on the note: The inner hash concatenates note_bytes || merkle_root_bytes without a length delimiter. Since the merkle root is always 32 bytes, the boundary is deterministic — but this is unusual and should be confirmed as spec-intended.

2. None vs empty note ambiguity: When note is None, the inner hash is SHA256(merkle_root). When note is Some(""), it's also SHA256(merkle_root) since "".as_bytes() is empty. Both produce the same signature, meaning a verifier cannot distinguish "no note" from "empty note". If the spec distinguishes these cases, this needs a fix (e.g., including a presence flag in the hash).

[vincenzopalazzo]

This follows the spec exactly. The payer proof spec defines payer_signature.sig as signing SHA256(note || merkle_root) using the standard BOLT 12 tagged hash format (SHA256(tag || tag || msg)). The "double hash" is just the BIP 340 tagged hash construction applied to the inner SHA256(note || merkle_root) message. This is the specified behavior, not a deviation.

[ldk-claude-review-bot]

Potential issue with malformed proofs: len.0 is parsed from untrusted input. If len.0 is, say, 63 (less than the 64 bytes needed for the signature), Readable::read at line 575 will attempt to read 64 bytes but the cursor only has len.0 bytes of value remaining. This will fail with a decode error, which is correct.

However, saturating_sub(64) silently produces 0 here, masking the fact that the length was invalid. Consider explicitly rejecting len.0 < 64:

if len.0 < 64 {
    return Err(Bolt12ParseError::Decode(DecodeError::InvalidValue));
}

This would provide a clearer error and avoid relying on the signature read to catch the malformed length.

[vincenzopalazzo]

Not a bug — the cursor reads from record.record_bytes which is bounded by TlvStream. After reading _type and _len, the remaining cursor data is exactly len.0 bytes. If len.0 < 64, Readable::read for Signature hits EOF on the cursor and returns a decode error. The saturating_sub for note_len never executes because the sig read already failed.

[ldk-claude-review-bot]

Subtle invariant: compute_omitted_markers unconditionally skips TLV type 0 at line 390, assuming it's always the first record (payer_metadata). But the function operates on a &[TlvMerkleData] with no assertion that the first entry IS type 0. If this function were ever called with a TLV stream whose first record is NOT type 0 (e.g., a different invoice format), the implicit TLV0 assumption would produce incorrect markers.

Consider either:

• Adding debug_assert!(tlv_data.first().map(|d| d.tlv_type) == Some(0)) at the top, or
• Documenting the precondition that the first TLV must be type 0

[vincenzopalazzo]

Correct by design — per spec, type 0 (invreq_metadata) is always omitted and implicit (never included in markers). The function receives the full TlvMerkleData vec which always starts with TLV 0 from the invoice bytes. The if data.tlv_type == 0 { continue } just skips the implicit omission. If called with pre-filtered data that excludes type 0, the skip is a no-op — the algorithm still works correctly.

[ldk-claude-review-bot]

Bug: TlvStream::new(&bytes) on untrusted input can panic. The TlvStream iterator calls .unwrap() on BigSize::read and performs unchecked slice indexing (&data[start..end] where end = offset + length from the TLV). If the input bytes are malformed (e.g., truncated BigSize, or a TLV length field claiming more bytes than available), this will panic.

All other BOLT 12 TryFrom<Vec<u8>> implementations go through ParsedMessage<T> / CursorReadable which does bounds-checked reads. This is the only parser that feeds raw untrusted bytes directly into TlvStream, creating a DoS vector via panic.

You need to either:

1. Add bounds checking to TlvStream (returns None instead of panicking on malformed input), or
2. Pre-validate the TLV stream before passing it to TlvStream::new, or
3. Use the existing CursorReadable / ParsedMessage infrastructure for the initial parse pass.

[ldk-claude-review-bot]

Bug: This check doesn't catch duplicate type 0. prev_tlv_type starts at 0. If the first TLV has type 0, then 0 <= 0 && 0 != 0 is false, so it passes. Now prev_tlv_type = 0. If the second TLV also has type 0, the check is again 0 <= 0 && 0 != 0 → false, so a duplicate type 0 is accepted.

Fix: use an Option<u64> for prev_tlv_type initialized to None, and only skip the check on the very first record:

Suggested change

	if tlv_type <= prev_tlv_type && prev_tlv_type != 0 {
	if prev_tlv_type != 0 && tlv_type <= prev_tlv_type {

Or alternatively, use a boolean is_first flag to skip only the initial comparison.

[ldk-claude-review-bot]

Nit/API: Secp256k1::new() allocates a ~1.3MB signing+verification context on every call. The adjacent derive_payer_signing_keys method (which this calls into) already accepts a secp_ctx parameter, and this is the standard pattern for public BOLT 12 APIs in this codebase. Consider accepting a &Secp256k1<secp256k1::All> parameter instead of allocating internally.

[ldk-claude-review-bot]

Minor: If len.0 < 64, the Readable::read for the 64-byte signature on line 585 will attempt to read past the available value bytes, failing with a generic DecodeError from the ? propagation. Consider adding an explicit check if len.0 < 64 { return Err(...) } before the signature read for a clearer error message and to avoid relying on the cursor's bounds for correctness.

[ldk-claude-review-bot]

The min_type field in the reconstruction uses sequential node indices (0, 1, 2, ...) rather than actual TLV type values. Meanwhile, build_tree_with_disclosure uses actual TLV type numbers. The needs_hash and missing_with_types vectors are sorted by min_type, so the ordering must agree between producer and consumer.

This currently works because both TLV types and sequential indices are monotonically increasing, preserving relative ordering. However, this is a fragile invariant that's not documented. If either side's iteration order were to change (e.g., for experimental TLV types in a different range), the sorted orders could diverge silently, producing incorrect merkle roots that would fail signature verification with no useful diagnostic.

Consider using actual TLV types (available from included_records[inc_idx].0) instead of node_idx for min_type in the reconstruction, to make the two sides structurally consistent.

[ldk-claude-review-bot]

The payer signature message uses a non-standard double-hash construction: H(tag || tag || H(note || merkle_root)). Standard BOLT 12 signature computation (as in TaggedHash::from_merkle_root) is a single tagged hash: H(tag || tag || merkle_root).

If the spec defines the payer signature differently from the standard BOLT 12 tagged hash, this should be documented with a reference to the spec section. If the spec uses the standard construction, this needs to be fixed — the inner hash would make this incompatible with other implementations.

Also, when note is None, this computes H(merkle_root) as the inner message. When note is Some("") (empty string), it also computes H(merkle_root) since empty input contributes nothing to the hasher. These two cases are indistinguishable, meaning a verifier cannot distinguish "no note" from "empty note".

[ldk-claude-review-bot]

This test explicitly disagrees with the spec ("The spec example only shows 3, but that appears to be incomplete"). If the implementation produces 4 missing hashes but the spec says 3, one of them is wrong. This needs to be resolved against the spec before merging — either the spec is right and the tree construction has a bug (perhaps types 50 and 60 should be merged into a single missing hash at a higher level), or the spec example is indeed incomplete and should be updated.

Shipping code that knowingly diverges from the spec without a clear resolution risks incompatibility with other implementations.

[ldk-claude-review-bot]

Bug (panic on untrusted input): TlvStream::new(&bytes) is used here on untrusted payer proof bytes. However, TlvStream's iterator implementation (merkle.rs:263, 267) uses .unwrap() on BigSize reads, and performs unchecked slice indexing (merkle.rs:271) where end = offset + length can exceed the buffer size. Both of these will panic on malformed input (truncated BigSize encoding, or a length field claiming more bytes than available).

All other TlvStream callers in the codebase operate on already-validated bytes (e.g., through ParsedMessage which uses CursorReadable::read that returns errors instead of panicking). This TryFrom is the only place TlvStream is used directly on untrusted external input, creating a DoS vector.

You should either:

1. Add bounds checking to TlvStream's iterator (return None on malformed data), or
2. Pre-validate the TLV framing before calling TlvStream::new, or
3. Use a different parsing approach (like ParsedMessage) for the initial TLV framing pass.

[ldk-claude-review-bot]

Bug: This guard rejects PAYER_METADATA_TYPE (0) and SIGNATURE_TYPES (240..=1000), but allows types > 1000 (experimental BOLT 12 TLV types, e.g. 1000000000+). If an invoice contains experimental TLVs and the caller includes one via include_type(1000000001), the serialized payer proof will have those records written before the payer proof TLVs (types 240-250), producing an out-of-order TLV stream — the output would go from type >1000 back down to type 240.

Consider also rejecting types >= TLV_SIGNATURE (240), since the payer proof TLVs own that range:

Suggested change

	pub fn include_type(mut self, tlv_type: u64) -> Result<Self, PayerProofError> {
	if tlv_type == PAYER_METADATA_TYPE {
	return Err(PayerProofError::InvreqMetadataNotAllowed);
	}
	if SIGNATURE_TYPES.contains(&tlv_type) {
	return Err(PayerProofError::SignatureTypeNotAllowed);
	}
	self.included_types.insert(tlv_type);
	Ok(self)
	}
	pub fn include_type(mut self, tlv_type: u64) -> Result<Self, PayerProofError> {
	if tlv_type == PAYER_METADATA_TYPE {
	return Err(PayerProofError::InvreqMetadataNotAllowed);
	}
	if tlv_type >= TLV_SIGNATURE {
	return Err(PayerProofError::SignatureTypeNotAllowed);
	}
	self.included_types.insert(tlv_type);
	Ok(self)
	}

[ldk-claude-review-bot]

Nit/minor: The && prev_tlv_type != 0 condition means two consecutive type-0 TLVs would bypass this ordering check (since prev_tlv_type is initialized to 0). This doesn't cause a real issue because type 0 is separately rejected by the PAYER_METADATA_TYPE check below, but the ordering guard itself has a blind spot. Consider initializing differently or using an Option<u64>:

let mut prev_tlv_type: Option<u64> = None;
// ...
if let Some(prev) = prev_tlv_type {
    if tlv_type <= prev {
        return Err(Bolt12ParseError::Decode(DecodeError::InvalidValue));
    }
}
prev_tlv_type = Some(tlv_type);

[ldk-claude-review-bot]

Nit (performance): The invoice is serialized here (line 162-163) just to check if the features TLV exists, but it's serialized again in build_unsigned() (line 245-246). Consider storing the serialized bytes in the builder to avoid the redundant serialization, or deferring the features check to build_unsigned.

[ldk-claude-review-bot]

Naming confusion: leaf_hashes stores nonce hashes (nonce_hash), not leaf hashes. In the BOLT 12 merkle tree, the "leaf hash" is H("LnLeaf" || record_bytes) while the "nonce hash" is H(nonce_tag || type_bytes) — these are distinct values. Storing nonce hashes under the name leaf_hashes here, in the SelectiveDisclosure struct, and in the TLV encoding (type 248 = TLV_LEAF_HASHES) is confusing.

If the spec calls these "leaf hashes," a code comment clarifying the distinction would help readers.

[ldk-claude-review-bot]

Potential issue: When len.0 < 64, the Readable::read for the 64-byte Signature at line 592 will read past the TLV value boundary into subsequent TLV data (since record_cursor spans the full record_bytes which includes the type and length prefix, but the value is only len.0 bytes after the prefix). The Readable read doesn't know about the TLV length boundary — it just reads 64 bytes from the cursor.

In practice, record_bytes is bounded by TlvStream to exactly type_len + length_len + value_len bytes, so reading 64 bytes of signature when value_len < 64 would either read into the type/length prefix of the next TLV (if record_bytes was somehow longer) or fail with a short read. The short read case is safe, but consider adding an explicit check: if len.0 < 64 { return Err(...) } before reading the signature to make the error handling clearer.