Continuing to explore these ideas, and discussing with many folks (thanks everyone), it is seeming more and more like, for hash-based transaction validation, there is at least some disjunction between the types of hashes that we would want to verify with a signature vs. those that we would want to check with a simple comparison. In light of this, I’m working on an updated proposal that attempts to unify this style of (loosely) ANYPREVOUT/NOINPUT hash that can be used to form covenants, and (for similar reasons) allow for dynamic binding.
Some folks have been talking about soft forking both APO and CTV as written, which is tempting (and I would not resist such a fork), but I continue to think that APO itself is kinda a weird half measure. My current line of thinking is to take much of APO’s design (new key version, signing with taproot internal key), but use an entirely new hashing method that is nearly or completely disjoint from the existing Tapscript v0 key signature hashing. Is anyone currently aware of a proposal or protocol that would specifically want to use a Tapscript v1 key and in some cases sign with SIGHASH_DEFAULT but in others sign with one of the new APO modes?
If we design a separate hashing mode for our new Tapscript key version, then we can also mirror that mode (with appropriate modification for use in equality vs. signature check) to CTV with 33-byte hash, and avoid the temptation for folks to use pre-signed output covenants in awkward ways. Further, in designing the hashing mode, we can have a separate default mode from the existing SIGHASH_DEFAULT which is better suited to these V1 keys and would save a byte in whatever that common signing case is (I propose that this default be the signature-appropriate equivalent of CTV so that Tapscript v1 key and CTV hashes closely mirror each other).
Here’s my (updated link) draft of this line of thinking: