Summary

First piece of the ION fast-sync overlay (epic #111). MerkleProof / VerifyMerkleProof prove a transaction is included at a given index in a block whose merkle root the node has already PoW-verified (via its header chain) — without downloading the full block.

This is the trustless core of fast-sync: a fast-sync peer is an untrusted source, but an inclusion proof verified against the node's own header merkle root makes the claim "this anchor exists at block H, index I" impossible to forge. (A peer can still omit anchors — handled separately by trust-then-verify in #116.) Same trust philosophy as --esplora-api: untrusted hint, verified against our own PoW chain, fails closed.

What's here

• internal/chain/merkleproof.go —
  • MerkleProof(txids, index) → sibling branch (bottom-up).
  • VerifyMerkleProof(txid, index, branch, root) → folds per the index bits and requires a zero residual (i==0), so an inflated index can't be fabricated.
  • Classic witness=false txid tree (the one the header commits to); handles the odd-row last-element duplication and the single-tx (empty branch) case.
  • Documents the 64-byte second-preimage caveat: callers must validate the leaf is a real tx (the fast-sync client parses the anchoring tx anyway).
• internal/chain/merkleproof_test.go — round-trips for sizes 1..100 cross-checked against btcd CalcMerkleRoot; negative paths (tampered branch / wrong index / wrong root / inflated index / wrong tx); bounds errors. Mutation-verified (a left/right swap fails the round-trip).
• docs/design/ion-fast-sync-overlay.md — design summary + the 7-issue roadmap.

go test -race ./... green (27 packages).

Post-Deploy Monitoring & Validation

No additional operational monitoring required: pure, self-contained primitive with no wiring into runtime paths yet — it's consumed by later fast-sync issues (#113+).

Part of #111. Closes #112

🤖 Generated with Claude Code