[feature]: non-interactive BTC<->asset swaps with asset-level ANYONECANSPEND

[jharveyb]

Related to #577.

Currently we're enabling asset-level sighashes, with one application being BTC-to-asset swaps via PSBT.

A seller can construct a 1-in 1-out PSBT, where the first output anchors any assets not being sold + determines the price to fulfill the swap. The TX is invalid until a buyer attaches an input of sufficient value. The second output, constructed by the buyer, would anchor the assets being sold.

An issue here is how to maintain non-interactivity, while also constructing the asset purchased by the sender correctly. The script key they want to use cannot be known in advance, and there are issues around splitting the input asset to complete the sale.

One option is to have the purchased asset spendable by anyone - in practice only one TX built from this PSBT will confirm, so there will only be one owner of the sold asset.

There are many ways to create this ANYONECANSPEND behavior using the asset script key, via OP_TRUE or a constant. We could extend the script further to make these ANYONECANSPEND keys globally unique, similar to burn keys.

This would allow a seller to perform an asset split in the same TX as the sale. They would publish the asset leaf being sold, with the correct ANYONECANSPEND key, and all the relevant proof data. Specifically the split commitment, proof of non-inclusion in the first output, and the proof of inclusion for the input. That should be enough for any buyer to construct the second output that anchors the sold asset with their own internal key.

One issue with the seller anchoring assets in the output is that they need to generate a proof of non-inclusion for any output a buyer produces, which would require knowing the internal key used by the buyer. Also, since the value of the other anchored assets is unknown, the seller is at risk if the auction is griefed and the TX is constructed s.t. all assets are burned.