Reachable panic in `Utxo::txout`

[ValuedMammal]

Utxo::txout() returns &TxOut but contains two reachable panics for the Foreign variant:

1. prev_tx.output[outpoint.vout as usize] — panics if the attached non_witness_utxo has fewer outputs than the outpoint.vout indicates.
2. unreachable!("Foreign UTXOs will always have one of these set") — asserts an invariant the type does not enforce. Because Utxo::Foreign is a public enum variant with public fields, a caller can theoretically construct one with an empty psbt::Input, making this branch reachable.

The validation that guards against these states lives in TxBuilder::add_foreign_utxo_with_sequence but is bypassed by any direct construction of Utxo::Foreign.

To Reproduce

let utxo = Utxo::Foreign {
    outpoint: OutPoint::null(),
    sequence: Sequence::MAX,
    psbt_input: Box::new(psbt::Input::default()),
};
utxo.txout();

Expected behavior

txout() should not panic on a value that is constructable through the public API.

Build environment

• BDK tag/commit: current master
• OS+version:
• Rust/Cargo version:
• Rust/Cargo target:

Which backend(s) are relevant (if any)?

• None / not backend-related

Is this blocking production use?

• Yes
• No

Additional context

Raised during review of #445. Three options identified:

1. Make Utxo::Foreign wrap a type with private fields.

• Short-term non-breaking — collapse the two if let arms and the unreachable! into a single chained Option with an honest .expect("Foreign UTXOs should have one of witness_utxo, non_witness_utxo set"). fix(types): avoid reachable panics in Utxo::txout for Foreign variant #487
• Return Option<&TxOut> from txout() (breaking).

[muhahahmad68]

Would you like me to implement the third option as a short-term non-breaking fix or proceed with the long-term fix?

[ValuedMammal]

Yeah I'm in favor of option 3 for now, and we should plan on doing a follow-up to change the function signature to pub fn txout(&self) -> Option<&TxOut>.