tests: pin multisig no-descriptor and consolidation behaviour

nkatha23 · nkatha23 · commit b91a825e7cde · 2026-05-07T14:15:14.000+03:00
When a coordinator strips witness_script/redeem_script from multisig output scopes, _get_policy() returns a bare policy dict with no m/n/cosigners, which never matches the input policy — so no output is classified as change and all value shows as spend_amount. This was the correct conservative behaviour but had no test pinning it. Also adds a consolidation test: a PSBT where both a change-branch (1/*) and a receive-branch (0/*) output belong to the signing wallet. PSBTParser classifies both as internal regardless of branch index, giving spend_amount == 0. Covers all three multisig types for test #1, all seven script types for test #4.
diff --git a/tests/test_psbt_parser.py b/tests/test_psbt_parser.py
@@ -284,6 +284,140 @@ def test_verify_multisig_output(self):
 
 
 
+    def test_multisig_no_descriptor_all_outputs_are_spend(self):
+        """
+        When a multisig PSBT output is missing its witness_script / redeem_script,
+        PSBTParser cannot reconstruct the multisig policy from that output scope alone.
+
+        Root cause: _get_policy() requires witness_script (P2WSH, P2SH-P2WSH) or
+        redeem_script (legacy P2SH) to extract m, n, and cosigners. Without those
+        fields the output policy dict contains no multisig keys and does not match
+        the input policy, so _parse_outputs() never sets is_change = True for that
+        output.
+
+        Expected behaviour: every such output is classified as a destination (spend),
+        num_change_outputs == 0, and change_amount == 0.
+
+        Pins the current conservative default so that any future refactor that
+        accidentally starts trusting bare scriptPubKey matches cannot silently
+        reclassify unverifiable multisig outputs as change.
+        """
+        cases = [
+            (PSBTTestData.MULTISIG_NATIVE_SEGWIT_1_INPUT, PSBTTestData.MULTISIG_NATIVE_SEGWIT_CHANGE),
+            (PSBTTestData.MULTISIG_NESTED_SEGWIT_1_INPUT, PSBTTestData.MULTISIG_NESTED_SEGWIT_CHANGE),
+            (PSBTTestData.MULTISIG_LEGACY_P2SH_1_INPUT,   PSBTTestData.MULTISIG_LEGACY_P2SH_CHANGE),
+        ]
+
+        fee_amount = 5_000
+        for psbt_base64, change_data in cases:
+            psbt: PSBT = PSBT.parse(a2b_base64(psbt_base64))
+            input_amount = sum(inp.utxo.value for inp in psbt.inputs)
+            output_amount = input_amount - fee_amount
+
+            stripped = create_output(change_data, output_amount)
+            stripped.witness_script = None
+            stripped.redeem_script = None
+            psbt.outputs.append(stripped)
+
+            psbt_parser = PSBTParser(p=psbt, seed=self.seed, network=SettingsConstants.REGTEST)
+
+            assert psbt_parser.num_change_outputs == 0, \
+                "Without witness_script/redeem_script the output policy cannot match; no change should be detected"
+            assert psbt_parser.num_destinations == 1, \
+                "The unverifiable output must fall through to destination_addresses"
+            assert psbt_parser.spend_amount == output_amount, \
+                "The full output value is treated as a spend when the multisig script is absent"
+            assert psbt_parser.change_amount == 0, \
+                "No output can be verified as change without the multisig script"
+            assert psbt_parser.fee_amount == fee_amount
+            assert psbt_parser.input_amount == psbt_parser.spend_amount + psbt_parser.change_amount + psbt_parser.fee_amount
+
+
+    def test_consolidation_all_outputs_internal(self):
+        """
+        A consolidation PSBT where every output belongs to the signing wallet:
+        one output on the change branch (BIP32 derivation index 1/*) and one on
+        the receive / self-transfer branch (index 0/*).
+
+        PSBTParser does not restrict the change classification to derivation index
+        1/* only.  When full PSBT metadata is present (witness_script for multisig,
+        bip32_derivations for single-sig) and the derived key matches the output
+        scriptPubKey, both outputs are classified as internal regardless of branch.
+
+        Expected behaviour:
+        - num_destinations  == 0       (no external recipients)
+        - num_change_outputs == 2      (both branches recognised as internal)
+        - spend_amount == 0            (nothing leaves the wallet)
+        - change_amount == input_amount - fee_amount
+        - input_amount == change_amount + fee_amount  (conservation property)
+
+        Covers all seven supported script types.
+        """
+        cases = [
+            (
+                PSBTTestData.SINGLE_SIG_NATIVE_SEGWIT_1_INPUT,
+                PSBTTestData.SINGLE_SIG_NATIVE_SEGWIT_CHANGE,
+                PSBTTestData.SINGLE_SIG_NATIVE_SEGWIT_SELF_TRANSFER,
+            ),
+            (
+                PSBTTestData.SINGLE_SIG_NESTED_SEGWIT_1_INPUT,
+                PSBTTestData.SINGLE_SIG_NESTED_SEGWIT_CHANGE,
+                PSBTTestData.SINGLE_SIG_NESTED_SEGWIT_SELF_TRANSFER,
+            ),
+            (
+                PSBTTestData.SINGLE_SIG_TAPROOT_1_INPUT,
+                PSBTTestData.SINGLE_SIG_TAPROOT_CHANGE,
+                PSBTTestData.SINGLE_SIG_TAPROOT_SELF_TRANSFER,
+            ),
+            (
+                PSBTTestData.SINGLE_SIG_LEGACY_P2PKH_1_INPUT,
+                PSBTTestData.SINGLE_SIG_LEGACY_P2PKH_CHANGE,
+                PSBTTestData.SINGLE_SIG_LEGACY_P2PKH_SELF_TRANSFER,
+            ),
+            (
+                PSBTTestData.MULTISIG_NATIVE_SEGWIT_1_INPUT,
+                PSBTTestData.MULTISIG_NATIVE_SEGWIT_CHANGE,
+                PSBTTestData.MULTISIG_NATIVE_SEGWIT_SELF_TRANSFER,
+            ),
+            (
+                PSBTTestData.MULTISIG_NESTED_SEGWIT_1_INPUT,
+                PSBTTestData.MULTISIG_NESTED_SEGWIT_CHANGE,
+                PSBTTestData.MULTISIG_NESTED_SEGWIT_SELF_TRANSFER,
+            ),
+            (
+                PSBTTestData.MULTISIG_LEGACY_P2SH_1_INPUT,
+                PSBTTestData.MULTISIG_LEGACY_P2SH_CHANGE,
+                PSBTTestData.MULTISIG_LEGACY_P2SH_SELF_TRANSFER,
+            ),
+        ]
+
+        fee_amount = 5_000
+        for psbt_base64, change_data, self_transfer_data in cases:
+            psbt: PSBT = PSBT.parse(a2b_base64(psbt_base64))
+            input_amount = sum(inp.utxo.value for inp in psbt.inputs)
+            total_output = input_amount - fee_amount
+            # Exact split does not matter; both outputs must be recognised as internal
+            change_output_amount = total_output // 2
+            self_transfer_amount = total_output - change_output_amount
+
+            psbt.outputs.append(create_output(change_data, change_output_amount))
+            psbt.outputs.append(create_output(self_transfer_data, self_transfer_amount))
+
+            psbt_parser = PSBTParser(p=psbt, seed=self.seed, network=SettingsConstants.REGTEST)
+
+            assert psbt_parser.num_destinations == 0, \
+                "All outputs belong to the signing wallet; no external recipients expected"
+            assert psbt_parser.num_change_outputs == 2, \
+                "Both change-branch (1/*) and receive-branch (0/*) outputs must be classified as internal"
+            assert psbt_parser.spend_amount == 0, \
+                "No value is sent to an external address in a full consolidation"
+            assert psbt_parser.change_amount == total_output, \
+                "All output value (minus fee) must be retained internally"
+            assert psbt_parser.fee_amount == fee_amount
+            assert psbt_parser.input_amount == psbt_parser.spend_amount + psbt_parser.change_amount + psbt_parser.fee_amount
+
+
+
 # TODO: Refactor all tests to be in the TestPSBTParser class(?)
 def test_p2tr_change_detection():
     """ Should successfully detect change in a p2tr to p2tr psbt spend
