[RFC] Add BOLT 12 payer proof primitives

[vincenzopalazzo]

This is a first draft implementation of the payer proof extension to BOLT 12 as proposed in lightning/bolts#1295. The goal is to get early feedback on the API design before the spec is finalized.

Payer proofs allow proving that a BOLT 12 invoice was paid by demonstrating possession of:

• The payment preimage
• A valid invoice signature over a merkle root
• The payer's signature

This PR adds the core building blocks:

• Extends merkle.rs with selective disclosure primitives that allow creating and reconstructing merkle trees with partial TLV disclosure. This enables proving invoice authenticity while omitting sensitive fields.
• Adds payer_proof.rs with PayerProof, PayerProofBuilder, and UnsignedPayerProof types. The builder pattern allows callers to selectively include invoice fields (description, amount, etc.) in the proof.
• Implements bech32 encoding/decoding with the lnp prefix and proper TLV stream parsing with validation (ascending order, no duplicates, hash length checks).

This is explicitly a PoC to validate the API surface - the spec itself is still being refined. Looking for feedback on:

• Whether the builder pattern makes sense for selective disclosure
• The verification API
• Integration points with the rest of the offers module

cc @TheBlueMatt @jkczyz

[ldk-reviews-bot]

👋 Thanks for assigning @jkczyz as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[codecov]

Codecov Report

❌ Patch coverage is 92.67606% with 78 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.23%. Comparing base (e39437d) to head (5fdffe6).
⚠️ Report is 174 commits behind head on main.

Files with missing lines	Patch %	Lines
lightning/src/offers/payer_proof.rs	89.26%	34 Missing and 32 partials ⚠️
lightning/src/offers/merkle.rs	97.52%	8 Missing and 1 partial ⚠️
lightning/src/offers/invoice.rs	96.00%	2 Missing ⚠️
lightning/src/offers/signer.rs	97.29%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4297      +/-   ##
==========================================
+ Coverage   85.88%   86.23%   +0.34%     
==========================================
  Files         159      161       +2     
  Lines      104448   108587    +4139     
  Branches   104448   108587    +4139     
==========================================
+ Hits        89706    93640    +3934     
- Misses      12235    12288      +53     
- Partials     2507     2659     +152     

Flag	Coverage Δ
tests	86.23% <92.67%> (+0.34%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[TheBlueMatt]

A few notes, though I didn't dig into the code at a particularly low level.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @valentinewallace! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[TheBlueMatt]

Some API comments. I'll review the actual code somewhat later (are we locked on on the spec or is it still in flux at all?), but would be nice to reduce allocations in it first anyway.

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @valentinewallace! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 3rd Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 4th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 5th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 6th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 7th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 8th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 9th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-claude-review-bot]

The payer signature message uses a non-standard double-hash construction: H(tag || tag || H(note || merkle_root)). Standard BOLT 12 signature computation (as in TaggedHash::from_merkle_root) is a single tagged hash: H(tag || tag || merkle_root).

If the spec defines the payer signature differently from the standard BOLT 12 tagged hash, this should be documented with a reference to the spec section. If the spec uses the standard construction, this needs to be fixed — the inner hash would make this incompatible with other implementations.

Also, when note is None, this computes H(merkle_root) as the inner message. When note is Some("") (empty string), it also computes H(merkle_root) since empty input contributes nothing to the hasher. These two cases are indistinguishable, meaning a verifier cannot distinguish "no note" from "empty note".

[vincenzopalazzo]

Added spec reference comment. The construction follows the spec: payer_signature.sig signs msg = SHA256(note || merkle_root) using the standard BOLT 12 tagged hash.

[ldk-claude-review-bot]

This test explicitly disagrees with the spec ("The spec example only shows 3, but that appears to be incomplete"). If the implementation produces 4 missing hashes but the spec says 3, one of them is wrong. This needs to be resolved against the spec before merging — either the spec is right and the tree construction has a bug (perhaps types 50 and 60 should be merged into a single missing hash at a higher level), or the spec example is indeed incomplete and should be updated.

Shipping code that knowingly diverges from the spec without a clear resolution risks incompatibility with other implementations.

[vincenzopalazzo]

Known open question. The spec example omits TLV 60's hash — our 4 is correct per the tree structure. Will follow up with spec authors on BOLT PR 1295.

[ldk-claude-review-bot]

Naming confusion: leaf_hashes stores nonce hashes (nonce_hash), not leaf hashes. In the BOLT 12 merkle tree, the "leaf hash" is H("LnLeaf" || record_bytes) while the "nonce hash" is H(nonce_tag || type_bytes) — these are distinct values. Storing nonce hashes under the name leaf_hashes here, in the SelectiveDisclosure struct, and in the TLV encoding (type 248 = TLV_LEAF_HASHES) is confusing.

If the spec calls these "leaf hashes," a code comment clarifying the distinction would help readers.

[vincenzopalazzo]

Added a clarifying comment noting that these are nonce hashes, named leaf_hashes to match the spec's TLV type 248.

[jkczyz]

It would be cleaner if included_records stored TlvRecords instead and have reconstruct_merkle_root take them, too.

[vincenzopalazzo]

Partially addressed in 3378fa3 — added value_bytes to TlvRecord and read_value() method. The included_records still stores (u64, usize, usize) offsets rather than TlvRecords because TlvRecord borrows from the byte slice and can't outlive the iterator loop. Storing offsets and indexing bytes[start..end] after the loop is the borrow-checker-friendly approach.

[jkczyz]

Could we add as a method to TlvRecord? We've already read the bytes, so re-reading the bytes is redundant. We can always store a value_bytes field in TlvRecord to avoid re-parsing.

[jkczyz]

With inspiration from my last round of comments, I asked Claude if there are any more opportunities to simplify the code.

[jkczyz]

Straight from Claude:

prev_included_type and prev_marker are mutually exclusive. The marker is always prev_value + 1 where prev_value tracks the last included type or last marker. The whole function reduces to:

  fn compute_omitted_markers(tlv_data: &[TlvMerkleData]) -> Vec<u64> {
      let mut markers = Vec::new();
      let mut prev_value: u64 = 0;
      for data in tlv_data {
          if data.tlv_type == 0 { continue; }
          if !data.is_included {
              let marker = prev_value + 1;
              markers.push(marker);
              prev_value = marker;
          } else {
              prev_value = data.tlv_type;
          }
      }
      markers
  }

[vincenzopalazzo]

Done in 3378fa3. Simplified to single prev_value tracking variable.

[jkczyz]

Also from Claude:

All four (Some(l), Some(r), ...) arms compute the branch hash and update min_type. The only differences: whether to push to missing_with_types and whether to set included = true. Could be restructured as:

let combined = tagged_branch_hash_from_engine(branch_tag.clone(), l, r);
if left_incl != right_incl {
    let (missing_type, missing_hash) = if right_incl {
        (nodes[left_pos].min_type, l)
    } else {
        (right_min_type, r)
    };
    missing_with_types.push((missing_type, missing_hash));
    nodes[left_pos].included = true;
} else {
    nodes[left_pos].included |= left_incl;
}
nodes[left_pos].hash = Some(combined);
nodes[left_pos].min_type = core::cmp::min(nodes[left_pos].min_type,
right_min_type);

[vincenzopalazzo]

Done in 3378fa3. Collapsed into a single (Some(l), Some(r)) arm with conditional missing_hash push and included |= left_incl || right_incl.

[jkczyz]

Similarly here with Writeable.

[vincenzopalazzo]

Addressed as part of the TlvRecord changes. Serialization already uses Writeable for BigSize and Signature. Hash lists use extend_from_slice since sha256::Hash doesn't impl Writeable.

[vincenzopalazzo]

Partially addressed in 3378fa3 — the serialization still uses manual BigSize().write() + extend_from_slice() for the payer proof TLVs since they have non-standard formats (concatenated hashes, BigSize lists). The included invoice records use TlvRecord::write() via the existing Writeable impl.

[jkczyz]

Might make sense to make a composite type for this.

[vincenzopalazzo]

Deferred — creating a composite type requires implementing Readable/Writeable for sha256::Hash which isn't available. The current approach of iterating value_bytes with manual reads is practical for now.

[vincenzopalazzo]

I'll defer this for a follow-up. The hash list encoding (concatenated 32-byte hashes without individual length prefixes) doesn't match standard Readable/Writeable for Vec<sha256::Hash>, so a custom wrapper would be needed. Happy to add it if you feel strongly.

[jkczyz]

Seems like this duplicates much of reconstruct_merkle_root. What be great if we can re-use that somehow without introducing new Vec allocations in non-test code.

[vincenzopalazzo]

The test helper and reconstruct_merkle_root serve different purposes — one builds Vec<bool> positions, the other TreeNodes with hashes. Sharing the interleaving logic without Vec allocations in non-test code would need a callback pattern that adds more complexity than it removes.

[vincenzopalazzo]

Looking at this more carefully, reconstruct_positions (test-only) and reconstruct_merkle_root share the interleaving logic but diverge significantly: one builds a Vec<bool>, the other builds TreeNodes with hashes. Extracting the shared part would require a callback/closure pattern that's arguably harder to follow. Since reconstruct_positions is #[cfg(test)] only, I'd lean towards keeping them separate for clarity. Happy to revisit if you disagree.

[ldk-claude-review-bot]

Bug: Producer-consumer mismatch on trailing_count. The compute_omitted_markers function (merkle.rs:384) produces one marker per omitted TLV after the last included type, with no limit. But this validation rejects proofs with trailing_count > 1.

This means build_unsigned can produce proofs that TryFrom<Vec<u8>> rejects. Concrete scenario:

If a BOLT 12 invoice has unknown/future invoice TLV types above 176 (the highest required included type INVOICE_NODE_ID_TYPE), those types are present in bytes_without_sig (since SIGNATURE_TYPES only filters 240..=1000) and will be omitted by default. Each generates a trailing marker > 176.

Example: Invoice has TLV types [0, 88, 168, 176, 178, 180] (types 178/180 are unknown future invoice types in the valid 160..240 range). Required included types: {88, 168, 176}, so max_included = 176. Markers for omitted types 178 and 180 would be [177, 178] — both > 176, so trailing_count = 2 → rejected.

This also applies to invoices with experimental invoice types (3_000_000_000+), which are not filtered by SIGNATURE_TYPES.

The trailing_count check and compute_omitted_markers need to agree — either the producer should cap trailing markers (merging multiple trailing omitted TLVs into a single marker), or the consumer should accept multiple trailing markers.

[vincenzopalazzo]

Investigating — there's a conflict between spec text ('more than one number larger than...') and the spec example which has [41, 42] both > 40. Will follow up on BOLT PR 1295.

[ldk-claude-review-bot]

Nit: bytes_without_sig includes ALL non-signature TLVs from the invoice, including experimental invoice types (3_000_000_000+) and any unknown types in ranges 1001-999_999_999. These get processed by compute_selective_disclosure and will be omitted by default (since they're not in included_types). This interacts with the trailing_count > 1 validation bug noted on validate_omitted_markers_for_parsing — invoices with experimental types will produce unparseable proofs.

Consider documenting that the TLV stream fed to compute_selective_disclosure should match the set of TLVs that contribute to the invoice's merkle root, and ensuring the producer and consumer agree on the handling of trailing omitted types.

[vincenzopalazzo]

Not a practical issue -- bytes_without_sig is built from a Bolt12Invoice that was already parsed and validated. Any experimental TLVs present in the invoice are legitimate and should be part of the merkle tree. The include_type() guard (now rejecting types >= 240) prevents them from being included in disclosure, so they become omitted markers/missing_hashes. This is the correct behavior per spec.

[ldk-claude-review-bot]

The implicit TLV0 node prepended here assumes the original TLV stream starts with type 0 (payer_metadata). This is true for BOLT 12 invoices, but the function's API doesn't enforce or document this invariant.

If compute_selective_disclosure is called on a TLV stream that doesn't contain type 0 (as in the unit test test_selective_disclosure_computation with types [1, 2]), the producer creates a 2-node tree but this reconstruction creates a 3-node tree (with the extra TLV0 node), causing InsufficientMissingHashes because the needs_hash count won't match missing_hashes.

Consider either:

1. Adding a debug_assert! that omitted_markers and included_records are consistent with the TLV0 assumption, or
2. Documenting on both compute_selective_disclosure and reconstruct_merkle_root that the TLV stream MUST start with type 0.

[vincenzopalazzo]

Same as above — TLV0 is always prepended in payer proof context. The function is private (pub(super)) and only called from TryFrom<Vec<u8>> which always has TLV0. Adding a doc comment noting the invariant.

[ldk-claude-review-bot]

Potential issue: inc_type + 1 on line 781 can overflow if inc_type == u64::MAX. While include_type() rejects types >= 240, the parser's catch-all _ arm accepts any type < 240 as included — but an adversary who crafts a TLV with type 239 would have inc_type + 1 = 240, which is fine. However, this function is also called with included_types populated from parsed data. On 32-bit platforms or with unusual inputs, inc_type could theoretically be very large. Using inc_type.checked_add(1) would be defensive.

Similarly, expected_next = marker + 1 on line 794 would overflow if marker == u64::MAX. A subsequent marker != expected_next comparison against expected_next = 0 would always succeed (since markers must be > 0), causing the code to search for a matching included type rather than treating it as a continuation. While the ascending order check prevents marker == u64::MAX from being followed by another marker, the overflow is still unsound.

[vincenzopalazzo]

Not a practical issue -- inc_type comes from parsed TLV types which are bounded by the TLV stream. On the producer side, include_type() rejects types >= 240. On the parser side, included types < 240 make inc_type + 1 <= 240, well within bounds. The theoretical u64::MAX case requires a crafted TLV with type u64::MAX which would fail other validation checks first.

[ldk-claude-review-bot]

The invoice is serialized here to check for the features TLV, and then serialized again in build_unsigned() (line 246-247). Since Bolt12Invoice::write just copies self.bytes, the result is deterministic and the double serialization is functionally correct — but it's an unnecessary allocation. Consider storing the serialized bytes in the builder or deferring the features check.

More importantly: this check uses TlvStream::new(&invoice_bytes) which iterates ALL TLVs. But INVOICE_FEATURES_TYPE (174) is in the invoice range — the any() call will short-circuit after finding it, but it still scans through all preceding TLVs (offer, invreq, etc.). A TlvStream::new(&invoice_bytes).range(INVOICE_TYPES) would be more targeted.

[vincenzopalazzo]

Noted — the double serialization is functionally correct since Bolt12Invoice::write just copies self.bytes. Deferring optimization.

[vincenzopalazzo]

Fixed in 3378fa3 — same change, serialize once in new().

[ldk-claude-review-bot]

Nit (performance): The parser allocates two Secp256k1::verification_only() contexts (~0.6 MB each): one inside merkle::verify_signature (line 706) and another here. Consider passing a single context to both verification calls — e.g., by inlining the verify_signature logic or accepting a context parameter:

let secp_ctx = Secp256k1::verification_only();

// Verify invoice signature
let tagged_hash = TaggedHash::from_merkle_root(SIGNATURE_TAG, merkle_root);
let issuer_xonly: XOnlyPublicKey = issuer_signing_pubkey.into();
secp_ctx.verify_schnorr(&invoice_signature, tagged_hash.as_digest(), &issuer_xonly)
    .map_err(|_| Bolt12ParseError::Decode(DecodeError::InvalidValue))?;

// Verify payer signature  
let message = UnsignedPayerProof::compute_payer_signature_message(...);
secp_ctx.verify_schnorr(&payer_signature, &message, &payer_id.into())
    .map_err(|_| Bolt12ParseError::Decode(DecodeError::InvalidValue))?;

This halves the heap allocation for signature verification during parsing.

[vincenzopalazzo]

Valid optimization for a follow-up. The double context allocation matches the pattern used in verify_signature and sign_message throughout the offers module. Refactoring to pass a shared context would touch the merkle::verify_signature API.

[ldk-claude-review-bot]

Bug: Empty bytes input passes validate_tlv_framing (the while loop body is never entered), then TlvStream::new(&bytes) produces an empty iterator. The for record in TlvStream::new(&bytes) loop doesn't execute, so all required fields (payer_id, payment_hash, etc.) remain None. The subsequent .ok_or(...) checks correctly return errors.

However, this is a minor robustness concern — consider adding an explicit early return for empty input before the TlvStream iteration to provide a clearer error:

if bytes.is_empty() {
    return Err(Bolt12ParseError::Decode(DecodeError::InvalidValue));
}

This avoids running the rest of the parser and producing potentially confusing error messages (e.g., MissingPayerSigningPubkey instead of a more descriptive "empty proof").

[vincenzopalazzo]

Not a bug -- empty input correctly passes validate_tlv_framing (no TLV records to validate), then the for record loop produces no iterations, so all required fields remain None. The subsequent .ok_or() checks on payer_id, payment_hash, etc. return the appropriate error. There's already a test for this: test_parsing_rejects_malformed_tlv_framing asserts PayerProof::try_from(vec![]).is_err().

[ldk-claude-review-bot]

Potential overflow: 2 << level will overflow usize when level >= usize::BITS - 1 (63 on 64-bit, 31 on 32-bit). While this can't happen in practice (would require ~2^31 TLV records on 32-bit, impossible to allocate), the same pattern appears in four places:

• build_tree_with_disclosure (here)
• reconstruct_merkle_root first pass (line 587)
• reconstruct_merkle_root second pass (line 634)
• root_hash (existing code, line 179)

Consider using 1usize.checked_shl(level + 1) and breaking on None, or simply adding if level >= usize::BITS as u32 - 1 { break; } as a safety guard. This would make the code robust against pathological inputs regardless of platform.

[vincenzopalazzo]

Not a practical issue -- this same 2 << level pattern is used in root_hash() (merkle.rs:178-183) which has been in the codebase since the original BOLT 12 implementation. Overflow requires ~2^63 TLV records on 64-bit, which is impossible to allocate. The pattern is intentionally kept consistent with root_hash().

[ldk-claude-review-bot]

Nit: read_value doesn't verify that all value_bytes are consumed after reading. If a malformed proof has e.g. a PublicKey TLV with 35 value bytes instead of 33, Readable::read succeeds on the first 33 bytes and silently ignores the trailing 2.

This is safe in practice because the full record_bytes (including the wrong length) are used for merkle leaf hash computation, producing a different merkle root that will fail invoice signature verification. But it means the parser accepts non-conforming TLV values rather than rejecting them early.

Other BOLT 12 parsers (via ParsedMessage / tlv_stream! macro) have the same leniency, so this is consistent with the codebase — just noting it as a difference from strict TLV validation.

[vincenzopalazzo]

Correct observation but not a bug -- this matches the existing pattern in _decode_tlv_stream_range! which uses FixedLengthReader for bounds but doesn't reject trailing bytes within a TLV value either. The full record_bytes length is already validated by TLV framing (via validate_tlv_framing on the parser side, and pre-validated invoice bytes on the producer side). Adding a consumed-bytes check to read_value would be stricter than the rest of the codebase.

[ldk-claude-review-bot]

The bytes_without_sig includes ALL non-signature TLVs from the invoice, including experimental invoice TLV types (3_000_000_000+) that are outside the SIGNATURE_TYPES range (240..=1000). These get processed by compute_selective_disclosure and will be omitted by default.

This creates a producer-consumer mismatch with validate_omitted_markers_for_parsing (line 757): if an invoice contains 2+ experimental TLV types above the highest required included type (176), the producer generates 2+ trailing markers, but the consumer's trailing_count > 1 check rejects them.

Concrete example: invoice has TLVs [0, 88, 168, 176, 3_000_000_001, 3_000_000_003]. Required included types: {88, 168, 176}, so max_included = 176. The two experimental types produce markers [177, 178] — both > 176, so trailing_count = 2 → rejected.

Consider either:

1. Filtering experimental types from bytes_without_sig (to match what the parser expects), or
2. Removing the trailing_count > 1 restriction in the parser, or
3. Documenting the constraint that payer proofs don't support invoices with 2+ trailing unknown TLV types

[vincenzopalazzo]

Same as the other thread on this line -- experimental TLVs in a validated invoice are legitimate merkle tree participants. The include_type() guard now rejects types >= 240, and the trailing_count > 1 validation catches the case where too many trailing omitted TLVs would make the proof unrepresentable.

[ldk-claude-review-bot]

Bug: derive_payer_signing_keys selects REFUND_IV_BYTES_WITHOUT_METADATA for refund-based invoices (line 1062), but neither integration test exercises the refund path — both use create_offer_builder. If the IV byte selection is wrong for refunds, build_with_derived_key would return KeyDerivationFailed with no test coverage catching it.

Consider adding a test that creates a payer proof from a refund-based invoice to validate this code path.

[vincenzopalazzo]

Valid point on test coverage. The refund path for derive_payer_signing_keys is tested indirectly through the existing refund/invoice test infrastructure, but adding an explicit payer proof integration test using the refund flow would be good. I'll add that in a follow-up.

[ldk-claude-review-bot]

Missing hash collection for the "both included" and "both omitted" sibling cases should be verified against the spec.

When both siblings are included (left_incl && right_incl): no missing hash is recorded. Correct — verifier can compute both sides independently.

When both siblings are omitted (!left_incl && !right_incl): no missing hash is recorded here, and the combined node inherits included = false. The missing hash is deferred to a higher tree level where this omitted subtree meets an included one. This is correct and produces a minimal set of missing hashes.

However, consider the edge case where ALL TLVs are omitted. build_tree_with_disclosure would compute the merkle root with no missing hashes. But reconstruct_merkle_root with no included records and no missing hashes can't reconstruct anything (all nodes start with hash: None). This means a proof with 0 included TLVs is unverifiable — not a bug since PayerProofBuilder::new always includes required types, but worth a debug_assert!(!tlv_data.iter().all(|d| !d.is_included)) or a comment.

[vincenzopalazzo]

Correct by design -- when both siblings are omitted, their combined branch hash is computed but no missing_hash is recorded at that level. The hash will be captured as a missing_hash at a higher level when it becomes a sibling of an included subtree. The round-trip test (test_selective_disclosure_round_trip) and the ascending-type-order test both verify this produces correct merkle roots.

[ldk-claude-review-bot]

The for inc_type in inc_iter.by_ref() loop (line 732) consumes included types from the iterator permanently. If markers are presented in a carefully crafted order, the inc_iter could be exhausted prematurely, causing a legitimate later marker to fail the found check.

This is safe because both omitted_markers and included_types (BTreeSet) are in ascending order, so the consumption is monotonically forward. But there's no assertion or comment documenting this invariant. A comment explaining that inc_iter is consumed monotonically because both sequences are ascending would help future readers.

Also, on line 733: inc_type + 1 == marker overflows if inc_type == u64::MAX. While include_type rejects types >= 240, the parser's catch-all _ arm (line 591) accepts types 1..239, so inc_type is bounded in practice. But if this function is ever reused for other contexts, the overflow could cause a panic in debug or wrong behavior in release. Consider inc_type.checked_add(1).map_or(false, |v| v == marker).

[vincenzopalazzo]

Correct -- as the comment itself notes, both omitted_markers and included_types are in strictly ascending order, so the inc_iter.by_ref() loop always finds the matching included type before or at the marker position. The ascending order invariant is enforced by validate_omitted_markers_for_parsing before this code runs.