Verify fee claims and persist the grant on register

Wires the claim verifier into register_node. The service now holds a set of
trusted issuer keys and a long-lived verification context; when a peer
registers, any fee_claim it presented is verified against those keys and the
granted policy is persisted onto the peer's SCID record before the response
is enqueued, so the policy is in place by the time the SCID is handed out.

The feature is inert by default. An empty issuer_pubkeys set short-circuits
before any crypto and resolves every peer to the standard policy, byte for
byte identical to today. Population of the key set is the operator's job
downstream; nothing in-tree sets it.

A grant is only ever upserted, never downgraded. An absent or unverifiable
claim returns None and leaves an existing record untouched, so a transient
miss or a malformed claim can't wipe a live grant; a brand-new record falls
back to standard. This deviates from a literal "else standard" on purpose:
once a node has been granted zero-fee, a dropped claim on a later
re-registration must not silently restore the 2% skim.

The verifier borrows the service's context rather than allocating per call,
and resolve_claim_policy logs and swallows verification failures rather than
failing the registration: a bad claim should cost the node its discount, not
its channel.

add_intercepted_scid is removed. It only built a standard-policy record,
which the new persist path now does directly with the resolved policy, so
the old helper had no remaining caller.

Author: amackillop

lightning-liquidity/src/lsps4/scid_store.rs

@@ -184,13 +184,6 @@ where L::Target: Logger, KV::Target: KVStoreSync {
 		Ok(())
 	}
 
-	pub fn add_intercepted_scid(
-		&self, scid: u64, peer_id: PublicKey,
-	) -> Result<bool, io::Error> {
-		let scid = ScidWithPeer::new(scid, peer_id, FeePolicy::Flat(FeeTier::Standard));
-		self.insert(scid)
-	}
-
 	pub fn get_peer(&self, scid: u64) -> Option<PublicKey> {
 		use lightning::log_debug;
 		let result = self.peer_by_scid.read().unwrap().get(&scid).cloned();
@@ -307,7 +300,7 @@ mod tests {
 	#[test]
 	fn default_record_resolves_to_standard_policy() {
 		let store = test_store();
-		store.add_intercepted_scid(42, test_peer()).unwrap();
+		store.insert(ScidWithPeer::new(42, test_peer(), FeePolicy::Flat(FeeTier::Standard))).unwrap();
 
 		assert_eq!(store.get_policy(&test_peer()), Some(FeePolicy::Flat(FeeTier::Standard)));
 	}

lightning-liquidity/src/lsps4/service.rs

@@ -15,10 +15,11 @@ use crate::lsps0::ser::{
 	JSONRPC_INTERNAL_ERROR_ERROR_CODE, JSONRPC_INTERNAL_ERROR_ERROR_MESSAGE,
 	LSPS0_CLIENT_REJECTED_ERROR_CODE,
 };
+use crate::lsps4::claim::verify_claim;
 use crate::lsps4::event::LSPS4ServiceEvent;
 use crate::lsps4::htlc_store::{HTLCStore, InterceptedHtlc};
 use crate::lsps4::fee_policy::{resolve_skim, FeePolicy, FeeTier};
-use crate::lsps4::scid_store::ScidStore;
+use crate::lsps4::scid_store::{ScidStore, ScidWithPeer};
 use crate::message_queue::MessageQueue;
 use crate::prelude::hash_map::Entry;
 use crate::prelude::{new_hash_map, HashMap};
@@ -34,7 +35,7 @@ use lightning::util::logger::{Level, Logger};
 use lightning::util::persist::{KVStore, KVStoreSync};
 use lightning_types::payment::PaymentHash;
 
-use bitcoin::secp256k1::PublicKey;
+use bitcoin::secp256k1::{PublicKey, Secp256k1, VerifyOnly, XOnlyPublicKey};
 
 use core::ops::Deref;
 use core::sync::atomic::{AtomicUsize, Ordering};
@@ -105,6 +106,10 @@ pub struct LSPS4ServiceConfig {
 	pub cltv_expiry_delta: u32,
 	/// The proportional fee, in millionths, to skim from forwarded payments.
 	pub forwarding_fee_proportional_millionths: u64,
+	/// Issuer keys trusted to sign fee-policy grants. Empty disables the feature: every claim is
+	/// rejected and every peer resolves to the standard policy. A claim signed by any one of these
+	/// keys is honoured.
+	pub issuer_pubkeys: Vec<XOnlyPublicKey>,
 }
 
 /// The main object allowing to send and receive LSPS4 messages.
@@ -122,6 +127,8 @@ where
 	htlc_store: HTLCStore<L, K>,
 	connected_peers: RwLock<HashSet<PublicKey>>,
 	config: LSPS4ServiceConfig,
+	/// Long-lived context for verifying fee-claim signatures during registration.
+	secp_ctx: Secp256k1<VerifyOnly>,
 	/// Per-peer timestamped cooldown for liquidity actions (splice or channel open).
 	/// Prevents 1Hz retry loops from process_pending_htlcs when actions fail.
 	/// Auto-expires after LIQUIDITY_COOLDOWN_SECS.
@@ -152,6 +159,7 @@ where
 			config,
 			logger,
 			connected_peers: RwLock::new(HashSet::new()),
+			secp_ctx: Secp256k1::verification_only(),
 			liquidity_cooldown: RwLock::new(new_hash_map()),
 		})
 	}
@@ -598,8 +606,56 @@ where
 		}
 	}
 
+	/// Resolve any fee-policy grant the registering node presented.
+	///
+	/// Returns `None` when the feature is off (no issuer keys configured), when no claim was
+	/// presented, or when the claim does not verify. A `None` must never downgrade a live grant, so
+	/// the caller only upserts on `Some`; a new record falls back to the standard policy.
+	fn resolve_claim_policy(
+		&self, counterparty: &PublicKey, fee_claim: &Option<String>,
+	) -> Option<FeePolicy> {
+		if self.config.issuer_pubkeys.is_empty() {
+			return None;
+		}
+		let fee_claim = fee_claim.as_ref()?;
+		match verify_claim(&self.secp_ctx, fee_claim, &self.config.issuer_pubkeys, counterparty) {
+			Ok(policy) => Some(policy),
+			Err(e) => {
+				log_error!(
+					self.logger,
+					"[LSPS4] Rejected fee claim from {}: {:?}",
+					counterparty,
+					e
+				);
+				None
+			},
+		}
+	}
+
+	/// Persist (upsert) a SCID record carrying the resolved fee policy for a peer.
+	fn persist_scid_policy(
+		&self, intercept_scid: u64, peer: &PublicKey, policy: FeePolicy,
+	) -> Result<(), LightningError> {
+		self.scid_store
+			.insert(ScidWithPeer::new(intercept_scid, peer.clone(), policy))
+			.map(|_| ())
+			.map_err(|e| {
+				log_error!(
+					self.logger,
+					"[LSPS4] Failed to persist intercept SCID {} for peer {}: {}",
+					intercept_scid,
+					peer,
+					e
+				);
+				LightningError {
+					err: format!("Failed to add intercepted SCID: {}", e),
+					action: ErrorAction::IgnoreAndLog(Level::Error),
+				}
+			})
+	}
+
 	fn handle_register_node_request(
-		&self, request_id: LSPSRequestId, counterparty_node_id: &PublicKey, _params: RegisterNodeRequest,
+		&self, request_id: LSPSRequestId, counterparty_node_id: &PublicKey, params: RegisterNodeRequest,
 	) -> Result<(), LightningError> {
 		log_info!(
 			self.logger,
@@ -608,6 +664,8 @@ where
 			request_id
 		);
 
+		let granted_policy = self.resolve_claim_policy(counterparty_node_id, &params.fee_claim);
+
 		let intercept_scid = match self.scid_store.get_scid(counterparty_node_id) {
 			Some(intercept_scid) => {
 				log_info!(
@@ -616,6 +674,11 @@ where
 					intercept_scid,
 					counterparty_node_id
 				);
+				// Upsert a verified grant onto the existing record. An absent or invalid claim
+				// leaves the live policy untouched so a transient miss can't wipe a grant.
+				if let Some(policy) = granted_policy {
+					self.persist_scid_policy(intercept_scid, counterparty_node_id, policy)?;
+				}
 				intercept_scid
 			},
 			None => {
@@ -626,20 +689,8 @@ where
 					intercept_scid,
 					counterparty_node_id
 				);
-				self.scid_store.add_intercepted_scid(intercept_scid, counterparty_node_id.clone())
-					.map_err(|e| {
-						log_error!(
-							self.logger,
-							"[LSPS4] Failed to persist intercept SCID {} for peer {}: {}",
-							intercept_scid,
-							counterparty_node_id,
-							e
-						);
-						LightningError {
-							err: format!("Failed to add intercepted SCID: {}", e),
-							action: ErrorAction::IgnoreAndLog(Level::Error),
-						}
-					})?;
+				let policy = granted_policy.unwrap_or(FeePolicy::Flat(FeeTier::Standard));
+				self.persist_scid_policy(intercept_scid, counterparty_node_id, policy)?;
 				log_info!(
 					self.logger,
 					"[LSPS4] Successfully stored intercept SCID {} for peer {}",