Update create_refund_builder to use create_blinded_paths

This change mirrors the previous update to `create_offer_builder`, applying the
**“One `MessageRouter`, one `BlindedPath` type”** principle to refund creation.

Now, `create_refund_builder` uses the `create_blinded_paths` method of the
`MessageRouter` associated with the `ChannelManager` or `OffersMessageFlow`.

For non-default path behavior, users can call `create_refund_builder_using_router`
and pass a custom `MessageRouter`.

See previous commit for detailed reasoning.

Author: shaavan

lightning/src/ln/channelmanager.rs

@@ -11013,6 +11013,55 @@ macro_rules! create_refund_builder { ($self: ident, $builder: ty) => {
 
 		Ok(builder.into())
 	}
+
+	/// Same as [`Self::create_refund_builder`], but allows specifying a custom [`MessageRouter`]
+	/// instead of using the one provided during [`ChannelManager`] construction for
+	/// [`BlindedMessagePath`] creation.
+	///
+	/// This gives users full control over how the [`BlindedMessagePath`] is constructed for the
+	/// refund, including the option to omit it entirely. This is useful for testing or when
+	/// alternative privacy strategies are needed.
+	///
+	/// See [`Self::create_refund_builder`] for:
+	/// - refund recognition by [`ChannelManager`] via [`Bolt12Invoice`] handling,
+	/// - `payment_id` rules and expiration behavior,
+	/// - invoice revocation and refund failure handling,
+	/// - defaulting behavior for `max_total_routing_fee_msat`,
+	/// - and detailed payment and privacy semantics.
+	///
+	/// # Errors
+	///
+	/// In addition to the errors in [`Self::create_refund_builder`], this returns an error if
+	/// the provided [`MessageRouter`] fails to construct a valid [`BlindedMessagePath`] for the refund.
+	///
+	/// [`Refund`]: crate::offers::refund::Refund
+	/// [`BlindedMessagePath`]: crate::blinded_path::message::BlindedMessagePath
+	/// [`Bolt12Invoice`]: crate::offers::invoice::Bolt12Invoice
+	pub fn create_refund_builder_using_router<ME: Deref>(
+		&$self, router: ME, amount_msats: u64, absolute_expiry: Duration, payment_id: PaymentId,
+		retry_strategy: Retry, route_params_config: RouteParametersConfig
+	) -> Result<$builder, Bolt12SemanticError>
+	where
+		ME::Target: MessageRouter,
+	{
+		let entropy = &*$self.entropy_source;
+
+		let builder = $self.flow.create_refund_builder_using_router(
+			router, entropy, amount_msats, absolute_expiry,
+			payment_id, $self.get_peers_for_blinded_path()
+		)?;
+
+		let _persistence_guard = PersistenceNotifierGuard::notify_on_drop($self);
+
+		let expiration = StaleExpiration::AbsoluteTimeout(absolute_expiry);
+		$self.pending_outbound_payments
+			.add_new_awaiting_invoice(
+				payment_id, expiration, retry_strategy, route_params_config, None,
+			)
+			.map_err(|_| Bolt12SemanticError::DuplicatePaymentId)?;
+
+		Ok(builder.into())
+	}
 } }
 
 impl<

lightning/src/ln/offers_tests.rs

@@ -476,7 +476,7 @@ fn creates_short_lived_refund() {
 #[test]
 fn creates_long_lived_refund() {
 	let chanmon_cfgs = create_chanmon_cfgs(2);
-	let node_cfgs = create_node_cfgs_with_node_id_message_router(2, &chanmon_cfgs);
+	let node_cfgs = create_node_cfgs(2, &chanmon_cfgs);
 	let node_chanmgrs = create_node_chanmgrs(2, &node_cfgs, &[None, None]);
 	let nodes = create_network(2, &node_cfgs, &node_chanmgrs);
 
@@ -488,8 +488,10 @@ fn creates_long_lived_refund() {
 	let absolute_expiry = bob.node.duration_since_epoch() + MAX_SHORT_LIVED_RELATIVE_EXPIRY
 		+ Duration::from_secs(1);
 	let payment_id = PaymentId([1; 32]);
+
+	let router = NodeIdMessageRouter::new(bob.network_graph, bob.keys_manager);
 	let refund = bob.node
-		.create_refund_builder(10_000_000, absolute_expiry, payment_id, Retry::Attempts(0), RouteParametersConfig::default())
+		.create_refund_builder_using_router(&router, 10_000_000, absolute_expiry, payment_id, Retry::Attempts(0), RouteParametersConfig::default())
 		.unwrap()
 		.build().unwrap();
 	assert_eq!(refund.absolute_expiry(), Some(absolute_expiry));

lightning/src/offers/flow.rs

@@ -611,28 +611,71 @@ where
 		})
 	}
 
+	fn create_refund_builder_intern<ES: Deref, PF, I>(
+		&self, entropy_source: ES, make_paths: PF, amount_msats: u64, absolute_expiry: Duration,
+		payment_id: PaymentId,
+	) -> Result<RefundBuilder<secp256k1::All>, Bolt12SemanticError>
+	where
+		ES::Target: EntropySource,
+		PF: FnOnce(
+			PublicKey,
+			MessageContext,
+			&secp256k1::Secp256k1<secp256k1::All>,
+		) -> Result<I, Bolt12SemanticError>,
+		I: IntoIterator<Item = BlindedMessagePath>,
+	{
+		let node_id = self.get_our_node_id();
+		let expanded_key = &self.inbound_payment_key;
+		let entropy = &*entropy_source;
+		let secp_ctx = &self.secp_ctx;
+
+		let nonce = Nonce::from_entropy_source(entropy);
+		let context = MessageContext::Offers(OffersContext::OutboundPayment {
+			payment_id,
+			nonce,
+			hmac: None,
+		});
+
+		// Create the base builder with common properties
+		let mut builder = RefundBuilder::deriving_signing_pubkey(
+			node_id,
+			expanded_key,
+			nonce,
+			secp_ctx,
+			amount_msats,
+			payment_id,
+		)?
+		.chain_hash(self.chain_hash)
+		.absolute_expiry(absolute_expiry);
+
+		for path in make_paths(node_id, context, secp_ctx)? {
+			builder = builder.path(path);
+		}
+
+		Ok(builder.into())
+	}
+
 	/// Creates a [`RefundBuilder`] such that the [`Refund`] it builds is recognized by the
 	/// [`OffersMessageFlow`], and any corresponding [`Bolt12Invoice`] received for the refund
 	/// can be verified using [`Self::verify_bolt12_invoice`].
 	///
+	/// # Privacy
+	///
+	/// Uses the [`OffersMessageFlow`]'s [`MessageRouter`] to construct a [`BlindedMessagePath`]
+	/// for the offer. See those docs for privacy implications.
+	///
 	/// The builder will have the provided expiration set. Any changes to the expiration on the
 	/// returned builder will not be honored by [`OffersMessageFlow`]. For non-`std`, the highest seen
 	/// block time minus two hours is used for the current time when determining if the refund has
 	/// expired.
 	///
-	/// To refund can be revoked by the user prior to receiving the invoice.
+	/// The refund can be revoked by the user prior to receiving the invoice.
 	/// If abandoned, or if an invoice is not received before expiration, the payment will fail
 	/// with an [`Event::PaymentFailed`].
 	///
 	/// If `max_total_routing_fee_msat` is not specified, the default from
 	/// [`RouteParameters::from_payment_params_and_value`] is applied.
 	///
-	/// # Privacy
-	///
-	/// Uses [`MessageRouter`] to construct a [`BlindedMessagePath`] for the refund based on the given
-	/// `absolute_expiry` according to [`MAX_SHORT_LIVED_RELATIVE_EXPIRY`]. See those docs for
-	/// privacy implications.
-	///
 	/// Also uses a derived payer id in the refund for payer privacy.
 	///
 	/// # Errors
@@ -651,32 +694,62 @@ where
 	where
 		ES::Target: EntropySource,
 	{
-		let node_id = self.get_our_node_id();
-		let expanded_key = &self.inbound_payment_key;
-		let entropy = &*entropy_source;
-		let secp_ctx = &self.secp_ctx;
-
-		let nonce = Nonce::from_entropy_source(entropy);
-		let context = OffersContext::OutboundPayment { payment_id, nonce, hmac: None };
-
-		let path = self
-			.create_blinded_paths_using_absolute_expiry(context, Some(absolute_expiry), peers)
-			.and_then(|paths| paths.into_iter().next().ok_or(()))
-			.map_err(|_| Bolt12SemanticError::MissingPaths)?;
-
-		let builder = RefundBuilder::deriving_signing_pubkey(
-			node_id,
-			expanded_key,
-			nonce,
-			secp_ctx,
+		self.create_refund_builder_intern(
+			&*entropy_source,
+			|_, context, _| {
+				self.create_blinded_paths(peers, context)
+					.map(|paths| paths.into_iter().take(1))
+					.map_err(|_| Bolt12SemanticError::MissingPaths)
+			},
 			amount_msats,
+			absolute_expiry,
 			payment_id,
-		)?
-		.chain_hash(self.chain_hash)
-		.absolute_expiry(absolute_expiry)
-		.path(path);
+		)
+	}
 
-		Ok(builder)
+	/// Same as [`Self::create_refund_builder`] but allows specifying a custom [`MessageRouter`]
+	/// instead of using the one provided via the [`OffersMessageFlow`] parameterization.
+	///
+	/// This gives users full control over how the [`BlindedMessagePath`] is constructed,
+	/// including the option to omit it entirely.
+	///
+	/// See [`Self::create_refund_builder`] for:
+	/// - how the resulting [`Refund`] is recognized by [`OffersMessageFlow`] and verified via [`Self::verify_bolt12_invoice`],
+	/// - refund expiration handling,
+	/// - rules around revocation and [`Event::PaymentFailed`] behavior,
+	/// - and defaulting logic for `max_total_routing_fee_msat`.
+	///
+	/// # Errors
+	///
+	/// In addition to the errors documented in [`Self::create_refund_builder`], this method will
+	/// return an error if the provided [`MessageRouter`] fails to construct a valid
+	/// [`BlindedMessagePath`] for the refund.
+	///
+	/// [`Refund`]: crate::offers::refund::Refund
+	/// [`BlindedMessagePath`]: crate::blinded_path::message::BlindedMessagePath
+	/// [`Bolt12Invoice`]: crate::offers::invoice::Bolt12Invoice
+	/// [`Event::PaymentFailed`]: crate::events::Event::PaymentFailed
+	/// [`RouteParameters::from_payment_params_and_value`]: crate::routing::router::RouteParameters::from_payment_params_and_value
+	pub fn create_refund_builder_using_router<ES: Deref, ME: Deref>(
+		&self, router: ME, entropy_source: ES, amount_msats: u64, absolute_expiry: Duration,
+		payment_id: PaymentId, peers: Vec<MessageForwardNode>,
+	) -> Result<RefundBuilder<secp256k1::All>, Bolt12SemanticError>
+	where
+		ME::Target: MessageRouter,
+		ES::Target: EntropySource,
+	{
+		self.create_refund_builder_intern(
+			&*entropy_source,
+			|node_id, context, secp_ctx| {
+				router
+					.create_blinded_paths(node_id, context, peers, secp_ctx)
+					.map(|paths| paths.into_iter().take(1))
+					.map_err(|_| Bolt12SemanticError::MissingPaths)
+			},
+			amount_msats,
+			absolute_expiry,
+			payment_id,
+		)
 	}
 
 	/// Creates an [`InvoiceRequestBuilder`] such that the [`InvoiceRequest`] it builds is recognized