feat(wallets): compose signers from IDescriptorSigningSources (#114)

* feat(wallets): compose signers from IPrivateKeyProviders

Closes #112.

Pushes signer composition down one layer: an IArkadeWalletSigner is now
always a CompositeArkadeWalletSigner built from one or more
IPrivateKeyProviders. Each provider answers CanProvideAsync(descriptor) and
exposes the signing operations rooted in the key it owns; the composite
dispatches each call to the first provider that claims the descriptor.

The three previous concrete signers collapse into providers behind the same
composite:

  - Bip39KeyProvider          (was HierarchicalDeterministicWalletSigner)
    claim by master fingerprint match on the descriptor's origin.

  - NsecKeyProvider           (was NSecWalletSigner)
    claim by x-only pubkey match on tr() descriptors.

  - RemoteTransportKeyProvider (was RemoteArkadeWalletSigner)
    claim by IRemoteSignerTransport.KnowsWalletAsync; passthrough proxy.

DefaultWalletProvider builds the composition automatically — adds the
matching local provider if Wallet.Secret is set, then a remote provider if
an IRemoteSignerTransport claims the wallet. Order is significant: local
providers get first refusal, remote is fallback. This is what makes hybrid
setups (e.g. local view-key paths + HWI spend path) expressible at all —
the previous binary local/remote split foreclosed them.

The interface keeps IArkadeWalletSigner unchanged for SDK consumers (the
TreeSignerSession path is unaffected); the new abstraction is added one
layer below. The three old concrete signer classes are deleted since
they're equivalent to constructing a CompositeArkadeWalletSigner with the
matching single provider — NsecKeyProvider.FromNsec is the new entry
point that mirrors the old NSecWalletSigner.FromNsec static.

The IPrivateKeyProvider shape is operation-level (Sign/SignMusig/
GenerateNonces) rather than returning a raw ECPrivKey, so a remote
provider can implement it honestly without round-tripping secret material
over the wire — the original sketch in #112 had IPrivateKeyProvider return
ECPrivKey, which would have defeated the point of remote signing.

Each local provider keeps its own per-session ConcurrentDictionary
nonce store with the same sessionId-keyed semantics established in #111.

* refactor(wallets): rename IPrivateKeyProvider → IDescriptorSigningSource, simplify cache key, drop hybrid claim

Three review-driven changes on top of the initial #112 sketch:

  - Renamed IPrivateKeyProvider → IDescriptorSigningSource. The interface
    never exposes ECPrivKey — it exposes the signing operations rooted in
    one. "PrivateKeyProvider" oversells what the abstraction returns;
    "DescriptorSigningSource" describes what it does.
    Renames track through:
      Bip39KeyProvider          → Bip39SigningSource
      NsecKeyProvider           → NsecSigningSource
      RemoteTransportKeyProvider → RemoteTransportSigningSource
      PrivateKeyProviders/      → SigningSources/
      NsecKeyProviderParityTests → NsecSigningSourceParityTests

  - DefaultWalletProvider signer cache key collapses to wallet.Id only.
    The previous key folded in hashes of wallet.Secret and the transport
    instance to handle re-import; in practice signers are singleton-lifetime
    and re-import is an out-of-band event handled by host restart or
    explicit cache invalidation. Documented in the field comment.

  - Dropped "hybrid (local + remote on the same wallet)" claim from
    README + wallets.md. RemoteTransportSigningSource.CanProvideAsync
    delegates to KnowsWalletAsync, which is wallet-grained, not
    descriptor-grained, so "local view-path + remote spend-path" is not
    actually expressible without a per-descriptor probe on the transport.
    Filing that as a follow-up; meanwhile the docs only promise what
    the current contract delivers.

No behaviour change beyond the cache-key simplification.

* perf(wallets): cache-hit short-circuit in GetSignerAsync

Addresses the remaining 🟡 from Arkana's PR #114 review.

GetSignerAsync is called per-VTXO during batch participation; previously
every call constructed a fresh Bip39SigningSource (master-fingerprint
derivation) and awaited KnowsWalletAsync (potentially a network round-trip
for remote transports) even when _signerCache would hit immediately after.

Move the cache check up to right after LoadWallet — if a signer is cached
for this wallet.Id we return it without touching the source-construction
path. Cache miss still runs the full composition.

The fingerprint derivation hits the static ExtKey cache so the in-process
overhead is small, but the cost matters once anyone plugs in a remote
transport whose KnowsWalletAsync is actually a network call.

Author: Kukks

NArk.Abstractions/Wallets/IDescriptorSigningSource.cs

@@ -0,0 +1,69 @@
+using NBitcoin;
+using NBitcoin.Scripting;
+using NBitcoin.Secp256k1;
+using NBitcoin.Secp256k1.Musig;
+
+namespace NArk.Abstractions.Wallets;
+
+/// <summary>
+/// A descriptor-scoped source of signing operations. The source owns signing material (locally
+/// or by reference) and exposes operations rooted in it — it never returns the raw key, which
+/// is what lets a remote-signing implementation honour the same contract.
+/// <para>
+/// A wallet's signer is a composition of one or more signing sources (see
+/// <see cref="IArkadeWalletSigner"/> implementations that compose sources). Each source answers
+/// <see cref="CanProvideAsync"/> for the descriptors it covers; the composing signer dispatches
+/// each call to the first source that claims the descriptor.
+/// </para>
+/// <para>
+/// The MuSig2 nonce lifecycle from <see cref="IArkadeWalletSigner"/> applies per-source:
+/// <see cref="GenerateNoncesAsync"/> retains the secret half indexed by <c>sessionId</c>, and
+/// <see cref="SignMusigAsync"/> consumes it on use. Different sources maintain independent nonce
+/// stores — there is no cross-source sharing.
+/// </para>
+/// </summary>
+public interface IDescriptorSigningSource
+{
+    /// <summary>
+    /// Returns <c>true</c> iff this source can sign for <paramref name="descriptor"/>.
+    /// Implementations should make this cheap (fingerprint / x-only match) — it is called on
+    /// every dispatch and may run against the BIP-32 / BIP-39 derivation path of long descriptors.
+    /// </summary>
+    Task<bool> CanProvideAsync(OutputDescriptor descriptor, CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Gets the compressed public key for <paramref name="descriptor"/>, preserving parity.
+    /// </summary>
+    Task<ECPubKey> GetPubKeyAsync(OutputDescriptor descriptor, CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Produces a BIP-340 Schnorr signature over <paramref name="hash"/> using the descriptor's
+    /// private key, returning the x-only pubkey alongside the signature.
+    /// </summary>
+    Task<(ECXOnlyPubKey, SecpSchnorrSignature)> SignAsync(
+        OutputDescriptor descriptor,
+        uint256 hash,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Generates a fresh MuSig2 nonce pair for <paramref name="context"/>, retains the secret
+    /// half indexed by <paramref name="sessionId"/>, and returns the public half. See
+    /// <see cref="IArkadeWalletSigner.GenerateNonces"/> for the lifecycle contract.
+    /// </summary>
+    Task<MusigPubNonce> GenerateNoncesAsync(
+        OutputDescriptor descriptor,
+        MusigContext context,
+        string sessionId,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Produces a MuSig2 partial signature using the secret nonce generated for the same
+    /// <paramref name="sessionId"/>. The secret nonce is consumed on this call. See
+    /// <see cref="IArkadeWalletSigner.SignMusig"/> for the lifecycle contract.
+    /// </summary>
+    Task<MusigPartialSignature> SignMusigAsync(
+        OutputDescriptor descriptor,
+        MusigContext context,
+        string sessionId,
+        CancellationToken cancellationToken = default);
+}

NArk.Core/Wallet/CompositeArkadeWalletSigner.cs

@@ -0,0 +1,57 @@
+using NArk.Abstractions.Wallets;
+using NBitcoin;
+using NBitcoin.Scripting;
+using NBitcoin.Secp256k1;
+using NBitcoin.Secp256k1.Musig;
+
+namespace NArk.Core.Wallet;
+
+/// <summary>
+/// An <see cref="IArkadeWalletSigner"/> composed of one or more <see cref="IDescriptorSigningSource"/>s.
+/// For every signing call the composite resolves the first source whose
+/// <see cref="IDescriptorSigningSource.CanProvideAsync"/> returns <c>true</c> and dispatches
+/// the operation to it. Source order is significant — earlier sources take precedence — so
+/// callers should register the cheapest / most-local source first and any fallbacks
+/// (e.g. remote-signer transports) last.
+/// </summary>
+public class CompositeArkadeWalletSigner : IArkadeWalletSigner
+{
+    private readonly IReadOnlyList<IDescriptorSigningSource> _sources;
+
+    public CompositeArkadeWalletSigner(IEnumerable<IDescriptorSigningSource> sources)
+    {
+        _sources = (sources ?? throw new ArgumentNullException(nameof(sources))).ToArray();
+        if (_sources.Count == 0)
+            throw new ArgumentException("At least one signing source is required.", nameof(sources));
+    }
+
+    public CompositeArkadeWalletSigner(params IDescriptorSigningSource[] sources)
+        : this((IEnumerable<IDescriptorSigningSource>)sources)
+    {
+    }
+
+    public async Task<ECPubKey> GetPubKey(OutputDescriptor descriptor, CancellationToken cancellationToken = default)
+        => await (await ResolveAsync(descriptor, cancellationToken)).GetPubKeyAsync(descriptor, cancellationToken);
+
+    public async Task<(ECXOnlyPubKey, SecpSchnorrSignature)> Sign(OutputDescriptor descriptor, uint256 hash, CancellationToken cancellationToken = default)
+        => await (await ResolveAsync(descriptor, cancellationToken)).SignAsync(descriptor, hash, cancellationToken);
+
+    public async Task<MusigPubNonce> GenerateNonces(OutputDescriptor descriptor, MusigContext context, string sessionId, CancellationToken cancellationToken = default)
+        => await (await ResolveAsync(descriptor, cancellationToken)).GenerateNoncesAsync(descriptor, context, sessionId, cancellationToken);
+
+    public async Task<MusigPartialSignature> SignMusig(OutputDescriptor descriptor, MusigContext context, string sessionId, CancellationToken cancellationToken = default)
+        => await (await ResolveAsync(descriptor, cancellationToken)).SignMusigAsync(descriptor, context, sessionId, cancellationToken);
+
+    private async Task<IDescriptorSigningSource> ResolveAsync(OutputDescriptor descriptor, CancellationToken cancellationToken)
+    {
+        foreach (var source in _sources)
+        {
+            if (await source.CanProvideAsync(descriptor, cancellationToken).ConfigureAwait(false))
+                return source;
+        }
+
+        throw new InvalidOperationException(
+            $"No registered IDescriptorSigningSource claims descriptor '{descriptor}'. " +
+            "Either the wallet is watch-only for this path, or a signing source is missing from the composition.");
+    }
+}

NArk.Core/Wallet/DefaultWalletProvider.cs

@@ -5,6 +5,7 @@
 using NArk.Abstractions.Safety;
 using NArk.Abstractions.Wallets;
 using NArk.Core.Transport;
+using NArk.Core.Wallet.SigningSources;
 using NBitcoin;
 
 namespace NArk.Core.Wallet;
@@ -30,9 +31,10 @@ public class DefaultWalletProvider(
     : IWalletProvider
 {
     // Signer instances must be reused across calls so the MuSig2 secret-nonce store on each
-    // signer (populated by GenerateNonces, consumed by SignMusig — see IArkadeWalletSigner)
-    // survives between the two calls. The cache key includes the wallet's secret so a wallet
-    // re-imported with a different mnemonic gets a fresh signer.
+    // signing source (populated by GenerateNonces, consumed by SignMusig — see
+    // IArkadeWalletSigner) survives between the two calls. Keyed by wallet.Id only — if a
+    // wallet is re-imported with different signing material the caller must explicitly
+    // invalidate (restart the host, or call into a fresh provider instance).
     private readonly ConcurrentDictionary<string, IArkadeWalletSigner> _signerCache = new();
 
     public async Task<IArkadeWalletSigner?> GetSignerAsync(string identifier, CancellationToken cancellationToken = default)
@@ -46,30 +48,40 @@ public class DefaultWalletProvider(
             logger?.LogDebug("GetSignerAsync: identifier={Identifier}, walletId={WalletId}, walletType={WalletType}, hasSecret={HasSecret}",
                 identifier, wallet.Id, wallet.WalletType, !string.IsNullOrEmpty(wallet.Secret));
 
-            // Local signing material present → produce a local signer of the right shape.
+            // Hot-path short-circuit: this method is called per-VTXO during batch participation,
+            // so avoid constructing a fresh Bip39SigningSource (master-fingerprint derivation)
+            // and round-tripping KnowsWalletAsync (potentially a network call for remote
+            // transports) every time. Cache miss runs the full composition below.
+            if (_signerCache.TryGetValue(wallet.Id, out var cached))
+                return cached;
+
+            var sources = new List<IDescriptorSigningSource>();
+
+            // Local signing material present → add the matching local signing source.
             if (!string.IsNullOrEmpty(wallet.Secret))
             {
-                var cacheKey = $"local:{wallet.Id}:{wallet.Secret.GetHashCode():x}";
-                return _signerCache.GetOrAdd(cacheKey, _ => wallet.WalletType switch
+                sources.Add(wallet.WalletType switch
                 {
-                    WalletType.HD => new HierarchicalDeterministicWalletSigner(wallet),
-                    WalletType.SingleKey => NSecWalletSigner.FromNsec(wallet.Secret, logger),
+                    WalletType.HD => new Bip39SigningSource(wallet.Secret),
+                    WalletType.SingleKey => NsecSigningSource.FromNsec(wallet.Secret, logger),
                     _ => throw new ArgumentOutOfRangeException(nameof(wallet.WalletType))
                 });
             }
 
-            // No local secret → ask the remote-signer transport (if any) whether it can sign for
-            // this wallet. The transport is the source of truth for "remote vs watch-only" —
-            // no flag on ArkWalletInfo encodes it.
+            // Remote-signer transport claims this wallet → add a remote source as a fallback
+            // for descriptors no local source covers. Order is significant: local sources get
+            // first refusal.
             if (remoteSignerTransport is not null
                 && await remoteSignerTransport.KnowsWalletAsync(wallet.Id, cancellationToken).ConfigureAwait(false))
             {
-                return _signerCache.GetOrAdd($"remote:{wallet.Id}",
-                    _ => new RemoteArkadeWalletSigner(wallet.Id, remoteSignerTransport));
+                sources.Add(new RemoteTransportSigningSource(remoteSignerTransport, wallet.Id));
             }
 
-            // No local key, no remote signer claims it → watch-only.
-            return null;
+            // Nothing can sign for this wallet → watch-only.
+            if (sources.Count == 0)
+                return null;
+
+            return _signerCache.GetOrAdd(wallet.Id, _ => new CompositeArkadeWalletSigner(sources));
         }
         catch (KeyNotFoundException)
         {