Pre-cascade prerequisite for aiolabs/lnbits#17 (signer abstraction
phase 1), which lands an m002 startup job that fail-closed NULLs the
legacy `accounts.prvkey` column. This commit migrates the two sites
in `views_api.py` that read `account.prvkey` so they no longer
silently undo m002, and fail-closed cleanly when prvkey is missing.
Scope intentionally narrow — this is the prvkey-elimination subset
of aiolabs/nostrmarket#5. The full phase A (envelope-encrypt
`merchants.private_key` → `signer_blob`) and phase B (route
`Merchant.sign_hash` through core's `NostrSigner`) work remains
tracked under that issue.
## What changed
### views_api.py — `_auto_create_merchant`
Was: lazy fallback that, if `account.prvkey` was missing, generated
a fresh keypair and wrote it back into the account (lines 112-118).
After m002 NULLs `accounts.prvkey`, this regenerate-and-write-back
path would silently undo the migration AND change the user's
Nostr pubkey out from under them.
Now: no longer touches the account. Asserts `account.prvkey` is
present (matching the existing pubkey assertion) with a clear
fail-closed message pointing at aiolabs/nostrmarket#5 for the
phase A/B fix. For accounts that still carry a plaintext prvkey
(pre-m002, FakeWallet local dev, etc.) the auto-provision path
continues to work unchanged. For migrated accounts, the assertion
fires fast with an actionable error.
Removed the regenerate block entirely. Dropped now-unused imports:
`update_account`, `generate_keypair`.
### views_api.py — `api_migrate_merchant_keys`
Was: same `account and account.pubkey and account.prvkey` assertion
with the generic message "Account has no Nostr keypair".
Now: assertion updated with the same bridge-state framing — points
at aiolabs/nostrmarket#5 for the phase A/B fix.
## Acceptance
- [x] regenerate-and-write-back block removed (would undo m002)
- [x] `account.prvkey` references in views_api.py are assertions only
(fail-closed guards, not data reads)
- [x] unused imports dropped (`update_account`, `generate_keypair`)
- [x] error messages reference aiolabs/nostrmarket#5 for the
phase A/B fix path
Manual smoke / version bump / tag / catalog entry deferred until
the lnbits cascade lands AND phase A's schema migration ships;
this commit alone doesn't change the on-disk merchants table.
## Out of scope (per aiolabs/nostrmarket#5)
- Phase A: envelope-encrypting `merchants.private_key` column.
- Phase B (full): refactoring `Merchant.sign_hash` /
`helpers.sign_message_hash` through core's `NostrSigner`.
- Phase C: NIP-46 bunker + NIP-26 delegation variants.
- Re-enabling `_create_default_merchant` on the lnbits core side.
## Cross-references
- aiolabs/nostrmarket#5 — issue this is a partial step toward
- aiolabs/lnbits#17 — the cascading signer-abstraction PR whose
m002 fail-closed NULLs `accounts.prvkey`
- aiolabs/lnbits#21 — umbrella audit (5 affected extensions)
- aiolabs/events#23 / aiolabs/tasks#3 / aiolabs/restaurant#11 —
sister migrations already on signer-abstraction branches
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
NIP-59 randomizes gift wrap created_at up to 2 days into the past so
metadata observers can't correlate publish moments. The lenient
`since = last_dm_time - 5min` window from commit e0fdada was designed
for NIP-04 messages where created_at is the real send time; with
gift wraps it locks out any wrap whose randomized timestamp falls
before the latest stored DM.
aio-demo symptom: established merchant (last_dm_time = today 14:40)
subscribes with `since = today 14:35`. Customer publishes a new gift
wrap whose randomized created_at is May 1 23:11. NostrFilter.matches
sees `event.created_at < self.since` and returns False — relay logs
"❌ Filter didn't match" and the order never reaches the merchant.
Fix: don't apply `since` at all on the kind 1059 filter. Replay risk
is bounded by server-side dedup and our existing
NostrClient.is_duplicate_event() guard. Other filters (stalls,
products, profiles) keep their `since` because those events use
real timestamps.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Both _auto_create_merchant (lazy GET fallback in views_api) and
LNbits' _create_default_merchant (eager signup hook) used to
reimplement merchant + zone + stall creation independently. Moves the
canonical implementation to services.provision_merchant() so both
call sites stay in lockstep — future changes (NIP-17 kind 10050 relay
list, additional default zones, etc.) only happen in one place.
- services.provision_merchant(user_id, wallet_id, public_key,
private_key, display_name, config): creates merchant if absent,
default 'Online' zone, default '<username>'s Store' stall, and
publishes the kind 30017 stall event. Idempotent on the merchant
pubkey: returns the existing merchant unchanged if one exists.
- views_api._auto_create_merchant: now a 10-line wrapper that loads
the account, generates fallback keys if missing, then delegates.
The LNbits-side hook (lnbits/core/services/users.py:_create_default_merchant)
will be updated in a companion commit to also call this service.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Two complementary fixes for the "Unknown Stall" bug, where a customer
sees a product on the relay but the parent stall is missing.
1. _auto_create_merchant() now creates a default "<username>'s Store"
stall and publishes its kind 30017 event before returning. New users
land with a fully-published merchant identity, so the very first
product they create has a known parent stall on relays.
2. POST /api/v1/product (api_create_product) now republishes the parent
stall before publishing the product. NIP-33 parameterized replaceable
events make this idempotent, but it self-heals every existing case
where the stall publish failed or never happened (transient relay
issues, accounts that pre-date the auto-publish flow, manual stall
creation that didn't reach all relays).
This complements the LNbits-side fix in core/services/users.py
(_create_default_merchant publishes the stall on signup) and the
webapp self-heal in useMarketStallSelfHeal.ts. With all three layers,
"Unknown Stall" should disappear from the customer view.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Phase 3 (auto-provision merchant from account keypair) removed the
generateKeys / importKeys methods and the dialog data fields, but
left the dialog templates and dropdown menu items behind. They
referenced importKeyDialog.show and generateKeyDialog.show, which
were now undefined — breaking the merchant dashboard with
"Cannot read properties of undefined (reading 'show')".
Removes:
- The Import Key and Generate New Key dialogs from index.html
- The corresponding dropdown items from merchant-tab.html
- The 'import-key' and 'generate-key' emits from merchant-tab.js
- The dangling @import-key / @generate-key listeners in index.html
Merchants are auto-provisioned from the account keypair on first
GET; key rotation is handled by the migrate-keys feature instead.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When a user rotates their Nostr keypair in account settings, the
merchant still holds the old key. This adds:
- key_mismatch flag on MerchantConfig (runtime, not persisted) -
detected on each GET /api/v1/merchant by comparing account vs
merchant pubkey
- POST /api/v1/merchant/{id}/migrate-keys endpoint that updates
the merchant keys, republishes all stalls/products under the new
identity, and resubscribes
- Warning banner in the UI with a "Migrate Keys" button and
confirmation dialog
- update_merchant_keys() crud function
Orders and DM history are preserved since they reference customer
pubkeys. Old stall/product events on relays become orphaned.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The LNbits user account IS the merchant identity. GET /api/v1/merchant
now auto-creates the merchant record using the account's existing Nostr
keypair if one doesn't exist yet, so the extension is immediately
usable without any setup screen.
- Extract _auto_create_merchant() helper used by both GET and POST
- Remove welcome/key-generation screen (replaced with loading spinner)
- Remove dead frontend code (generateKeys, importKeys dialogs)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Modernize the entire customer-merchant communication layer from deprecated
NIP-04 (kind 4, AES-256-CBC) to NIP-17 private direct messages using
NIP-44 v2 encryption (ChaCha20 + HMAC-SHA256) and NIP-59 gift wrapping
(rumor/seal/gift-wrap protocol). No backwards compatibility retained.
New modules:
- nostr/nip44.py: NIP-44 v2 encryption verified against official spec vectors
- nostr/nip59.py: NIP-59 gift wrap with wrap/unwrap convenience functions
- tests/: 44 unit tests for NIP-44 and NIP-59
Key changes:
- Subscription filters: kind 4 → kind 1059 gift wraps
- Message handler: _handle_nip04_message → _handle_gift_wrap (unwrap + route)
- send_dm/reply_to_structured_dm: NIP-59 gift wrap to recipient + self-archive
- Merchant model: removed NIP-04 crypto methods (decrypt/encrypt/build_dm_event)
- helpers.py: removed NIP-04 functions, kept Schnorr signing + key normalization
- views_api.py: consolidated DM sending through send_dm() service function
Reliability improvements:
- Event deduplication via bounded LRU set in NostrClient
- Subscription health monitor (resubscribes after 120s of silence)
- Preserved 5-minute lenient time window from prior work
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Updates type hints in `crud.py`, `helpers.py`, and `models.py` for improved readability and maintainability.
Replaces `Merchant | None` with `Optional[Merchant]` and `list[X]` with `List[X]` for consistency with standard Python typing practices.
Enhances the processing of Nostr messages by adding more robust error handling and logging, providing better insights into potential issues.
Specifically:
- Improves the checks on the websocket connection to log errors and debug information.
- Implements more comprehensive error logging for failed product quantity checks.
- Enhances logging and validation of EVENT messages to prevent potential errors.
- Implements a more robust merchant lookup logic to avoid double processing of events.
- Implements a more lenient time window for direct message subscriptions.
Adds a document analyzing the order discovery mechanism in Nostrmarket.
The document identifies the reasons merchants need to manually refresh to see new orders, instead of receiving them automatically. It analyzes timing window issues, connection stability, subscription state management, and event processing delays. It proposes solutions such as enhanced persistent subscriptions, periodic auto-refresh, WebSocket health monitoring, and event gap detection.
Improves websocket connection reliability by predefining the websocket URL and handling potential queueing errors.
This change also updates the websocket close message for clarity.
Enhance the merchant creation process by automatically generating Nostr keypairs
for users who don't have them, and streamline the API interface.
Changes:
- Add CreateMerchantRequest model to simplify merchant creation API
- Auto-generate Nostr keypairs for users without existing keys
- Update merchant creation endpoint to use user account keypairs
- Improve error handling and validation in merchant creation flow
- Clean up frontend JavaScript for merchant creation
This ensures all merchants have proper Nostr keypairs for marketplace
functionality without requiring manual key management from users.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Remove backend restriction on one merchant per user
- Add "Generate New Key" dialog with npub/nsec display
- Add "Import Existing Key" option with duplicate check
- Change "Save" to "Save & Publish" in edit profile dialog
- Remove standalone Publish button (now part of Save)
- Add trash icon to saved profile for removal
- Show display_name in saved profiles dropdown
- Hide nsec by default with eye toggle in generate dialog
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add "Import Existing Key" option with vpn_key icon
- Add "Generate New Key" option to create fresh nsec
- Add "Remove <name>" option to delete merchant from DB
- Wire up generate-key event to existing generateKeys function
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add left margin to inset avatar from banner edge
- Use dark background color for avatar
- Add object-fit: cover to prevent image stretching
- Add profile-avatar CSS class with border and shadow
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add PATCH endpoint for updating merchant profile config
- Add website field to MerchantProfile model
- Fix to_nostr_event to include all profile fields (display_name, banner, website, nip05, lud16)
- Always publish merchant profile (kind 0) when publishing to Nostr
- Extract edit-profile-dialog and nostr-keys-dialog into separate components
- Fix profile avatar alignment to match original design
- Simplify keys dialog to show only npub QR code (no nsec QR)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Display merchant profile information with:
- Banner image or grey placeholder
- Profile avatar with shadow
- Display name (or name fallback)
- About description
- NIP-05 verified identity indicator
- Lightning address (LUD16)
Extends MerchantProfile model with new fields:
display_name, banner, nip05, lud16
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
