Updates §7.2, §7.3, §12 to reflect the actual architecture from
aiolabs/lnbits#9 (reframed since the earlier commit) and #18 (the
concrete phase 2 bunker integration using nsecbunkerd).
Three shifts:
- LocalSigner demoted to transitional/migration helper. RemoteBunker
Signer is the steady state for every bound user. New accounts MUST
NOT default to LocalSigner. Earlier framing treated them as
equivalent choices — they're not.
- Binding artifact is a per-device NIP-46 connection token with
scoped permissions, not just a (mxid → user_id) mapping row. Calls
out the security property: compromise of one client device
(tracker, ATM, webapp) leaks only that token's scope, not the
user's full identity. Revocation is one RPC at the bunker.
- §12 redrawn around the operator-IdP-with-sidecar-bunker pattern.
Names nsecbunkerd as the canonical bunker for the aiolabs ref
impl, points at #9 + #18 for the LNbits side. Pattern is reusable
beyond LNbits — any operator providing identity-as-a-service can
run this shape.
NIP-26 explicitly out (Nostr ecosystem has deprecated; NIP-46 covers
the use case). §11 open questions trimmed accordingly.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Padreug
d089a4b021