From 271102477b120b8ec063ec05ca199074955082b8 Mon Sep 17 00:00:00 2001
From: hconsulting987654321-blip
 <hconsulting987654321-blip@users.noreply.github.com>
Date: Sat, 11 Apr 2026 21:31:11 +0200
Subject: [PATCH] fix(p2ms): isAcceptableSignature always returned true due to
 operator precedence

The expression `(opts!.allowIncomplete && ...) !== undefined` always
evaluates to `true` because any boolean value (including `false`) is
not `undefined`. This caused `isAcceptableSignature` to accept any
input as a valid signature, bypassing P2MS signature validation entirely.

Fix by wrapping the expression with `!!` to coerce it to a proper boolean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 src/cjs/payments/p2ms.cjs | 2 +-
 src/esm/payments/p2ms.js  | 2 +-
 ts_src/payments/p2ms.ts   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/cjs/payments/p2ms.cjs b/src/cjs/payments/p2ms.cjs
index 9a40c7077..a7b1eacc5 100644
--- a/src/cjs/payments/p2ms.cjs
+++ b/src/cjs/payments/p2ms.cjs
@@ -90,7 +90,7 @@ function p2ms(a, opts) {
   function isAcceptableSignature(x) {
     return (
       bscript.isCanonicalScriptSignature(x) ||
-      (opts.allowIncomplete && x === OPS.OP_0) !== undefined
+      !!(opts.allowIncomplete && x === OPS.OP_0)
     );
   }
   v.parse(
diff --git a/src/esm/payments/p2ms.js b/src/esm/payments/p2ms.js
index 2d82e510e..58bc7a5fd 100644
--- a/src/esm/payments/p2ms.js
+++ b/src/esm/payments/p2ms.js
@@ -43,7 +43,7 @@ export function p2ms(a, opts) {
   function isAcceptableSignature(x) {
     return (
       bscript.isCanonicalScriptSignature(x) ||
-      (opts.allowIncomplete && x === OPS.OP_0) !== undefined
+      !!(opts.allowIncomplete && x === OPS.OP_0)
     );
   }
   v.parse(
diff --git a/ts_src/payments/p2ms.ts b/ts_src/payments/p2ms.ts
index 862448a6a..a998237a9 100644
--- a/ts_src/payments/p2ms.ts
+++ b/ts_src/payments/p2ms.ts
@@ -47,7 +47,7 @@ export function p2ms(a: Payment, opts?: PaymentOpts): Payment {
   function isAcceptableSignature(x: Uint8Array | number): boolean {
     return (
       bscript.isCanonicalScriptSignature(x as Uint8Array) ||
-      (opts!.allowIncomplete && (x as number) === OPS.OP_0) !== undefined
+      !!(opts!.allowIncomplete && (x as number) === OPS.OP_0)
     );
   }