Pre-cascade prerequisite for aiolabs/lnbits#17 (signer abstraction
phase 1), which lands an m002 startup job that fail-closed NULLs the
legacy `accounts.prvkey` column. This commit migrates the two sites
in `views_api.py` that read `account.prvkey` so they no longer
silently undo m002, and fail-closed cleanly when prvkey is missing.
Scope intentionally narrow — this is the prvkey-elimination subset
of aiolabs/nostrmarket#5. The full phase A (envelope-encrypt
`merchants.private_key` → `signer_blob`) and phase B (route
`Merchant.sign_hash` through core's `NostrSigner`) work remains
tracked under that issue.
## What changed
### views_api.py — `_auto_create_merchant`
Was: lazy fallback that, if `account.prvkey` was missing, generated
a fresh keypair and wrote it back into the account (lines 112-118).
After m002 NULLs `accounts.prvkey`, this regenerate-and-write-back
path would silently undo the migration AND change the user's
Nostr pubkey out from under them.
Now: no longer touches the account. Asserts `account.prvkey` is
present (matching the existing pubkey assertion) with a clear
fail-closed message pointing at aiolabs/nostrmarket#5 for the
phase A/B fix. For accounts that still carry a plaintext prvkey
(pre-m002, FakeWallet local dev, etc.) the auto-provision path
continues to work unchanged. For migrated accounts, the assertion
fires fast with an actionable error.
Removed the regenerate block entirely. Dropped now-unused imports:
`update_account`, `generate_keypair`.
### views_api.py — `api_migrate_merchant_keys`
Was: same `account and account.pubkey and account.prvkey` assertion
with the generic message "Account has no Nostr keypair".
Now: assertion updated with the same bridge-state framing — points
at aiolabs/nostrmarket#5 for the phase A/B fix.
## Acceptance
- [x] regenerate-and-write-back block removed (would undo m002)
- [x] `account.prvkey` references in views_api.py are assertions only
(fail-closed guards, not data reads)
- [x] unused imports dropped (`update_account`, `generate_keypair`)
- [x] error messages reference aiolabs/nostrmarket#5 for the
phase A/B fix path
Manual smoke / version bump / tag / catalog entry deferred until
the lnbits cascade lands AND phase A's schema migration ships;
this commit alone doesn't change the on-disk merchants table.
## Out of scope (per aiolabs/nostrmarket#5)
- Phase A: envelope-encrypting `merchants.private_key` column.
- Phase B (full): refactoring `Merchant.sign_hash` /
`helpers.sign_message_hash` through core's `NostrSigner`.
- Phase C: NIP-46 bunker + NIP-26 delegation variants.
- Re-enabling `_create_default_merchant` on the lnbits core side.
## Cross-references
- aiolabs/nostrmarket#5 — issue this is a partial step toward
- aiolabs/lnbits#17 — the cascading signer-abstraction PR whose
m002 fail-closed NULLs `accounts.prvkey`
- aiolabs/lnbits#21 — umbrella audit (5 affected extensions)
- aiolabs/events#23 / aiolabs/tasks#3 / aiolabs/restaurant#11 —
sister migrations already on signer-abstraction branches
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Both _auto_create_merchant (lazy GET fallback in views_api) and
LNbits' _create_default_merchant (eager signup hook) used to
reimplement merchant + zone + stall creation independently. Moves the
canonical implementation to services.provision_merchant() so both
call sites stay in lockstep — future changes (NIP-17 kind 10050 relay
list, additional default zones, etc.) only happen in one place.
- services.provision_merchant(user_id, wallet_id, public_key,
private_key, display_name, config): creates merchant if absent,
default 'Online' zone, default '<username>'s Store' stall, and
publishes the kind 30017 stall event. Idempotent on the merchant
pubkey: returns the existing merchant unchanged if one exists.
- views_api._auto_create_merchant: now a 10-line wrapper that loads
the account, generates fallback keys if missing, then delegates.
The LNbits-side hook (lnbits/core/services/users.py:_create_default_merchant)
will be updated in a companion commit to also call this service.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Two complementary fixes for the "Unknown Stall" bug, where a customer
sees a product on the relay but the parent stall is missing.
1. _auto_create_merchant() now creates a default "<username>'s Store"
stall and publishes its kind 30017 event before returning. New users
land with a fully-published merchant identity, so the very first
product they create has a known parent stall on relays.
2. POST /api/v1/product (api_create_product) now republishes the parent
stall before publishing the product. NIP-33 parameterized replaceable
events make this idempotent, but it self-heals every existing case
where the stall publish failed or never happened (transient relay
issues, accounts that pre-date the auto-publish flow, manual stall
creation that didn't reach all relays).
This complements the LNbits-side fix in core/services/users.py
(_create_default_merchant publishes the stall on signup) and the
webapp self-heal in useMarketStallSelfHeal.ts. With all three layers,
"Unknown Stall" should disappear from the customer view.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When a user rotates their Nostr keypair in account settings, the
merchant still holds the old key. This adds:
- key_mismatch flag on MerchantConfig (runtime, not persisted) -
detected on each GET /api/v1/merchant by comparing account vs
merchant pubkey
- POST /api/v1/merchant/{id}/migrate-keys endpoint that updates
the merchant keys, republishes all stalls/products under the new
identity, and resubscribes
- Warning banner in the UI with a "Migrate Keys" button and
confirmation dialog
- update_merchant_keys() crud function
Orders and DM history are preserved since they reference customer
pubkeys. Old stall/product events on relays become orphaned.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The LNbits user account IS the merchant identity. GET /api/v1/merchant
now auto-creates the merchant record using the account's existing Nostr
keypair if one doesn't exist yet, so the extension is immediately
usable without any setup screen.
- Extract _auto_create_merchant() helper used by both GET and POST
- Remove welcome/key-generation screen (replaced with loading spinner)
- Remove dead frontend code (generateKeys, importKeys dialogs)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Modernize the entire customer-merchant communication layer from deprecated
NIP-04 (kind 4, AES-256-CBC) to NIP-17 private direct messages using
NIP-44 v2 encryption (ChaCha20 + HMAC-SHA256) and NIP-59 gift wrapping
(rumor/seal/gift-wrap protocol). No backwards compatibility retained.
New modules:
- nostr/nip44.py: NIP-44 v2 encryption verified against official spec vectors
- nostr/nip59.py: NIP-59 gift wrap with wrap/unwrap convenience functions
- tests/: 44 unit tests for NIP-44 and NIP-59
Key changes:
- Subscription filters: kind 4 → kind 1059 gift wraps
- Message handler: _handle_nip04_message → _handle_gift_wrap (unwrap + route)
- send_dm/reply_to_structured_dm: NIP-59 gift wrap to recipient + self-archive
- Merchant model: removed NIP-04 crypto methods (decrypt/encrypt/build_dm_event)
- helpers.py: removed NIP-04 functions, kept Schnorr signing + key normalization
- views_api.py: consolidated DM sending through send_dm() service function
Reliability improvements:
- Event deduplication via bounded LRU set in NostrClient
- Subscription health monitor (resubscribes after 120s of silence)
- Preserved 5-minute lenient time window from prior work
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Updates type hints in `crud.py`, `helpers.py`, and `models.py` for improved readability and maintainability.
Replaces `Merchant | None` with `Optional[Merchant]` and `list[X]` with `List[X]` for consistency with standard Python typing practices.
Enhance the merchant creation process by automatically generating Nostr keypairs
for users who don't have them, and streamline the API interface.
Changes:
- Add CreateMerchantRequest model to simplify merchant creation API
- Auto-generate Nostr keypairs for users without existing keys
- Update merchant creation endpoint to use user account keypairs
- Improve error handling and validation in merchant creation flow
- Clean up frontend JavaScript for merchant creation
This ensures all merchants have proper Nostr keypairs for marketplace
functionality without requiring manual key management from users.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Remove backend restriction on one merchant per user
- Add "Generate New Key" dialog with npub/nsec display
- Add "Import Existing Key" option with duplicate check
- Change "Save" to "Save & Publish" in edit profile dialog
- Remove standalone Publish button (now part of Save)
- Add trash icon to saved profile for removal
- Show display_name in saved profiles dropdown
- Hide nsec by default with eye toggle in generate dialog
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add PATCH endpoint for updating merchant profile config
- Add website field to MerchantProfile model
- Fix to_nostr_event to include all profile fields (display_name, banner, website, nip05, lud16)
- Always publish merchant profile (kind 0) when publishing to Nostr
- Extract edit-profile-dialog and nostr-keys-dialog into separate components
- Fix profile avatar alignment to match original design
- Simplify keys dialog to show only npub QR code (no nsec QR)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: restore stalls from `nostr` as pending
* feat: stall and prod last update time
* feat: restore products and stalls as `pending`
* feat: show pending stalls
* feat: restore stall
* feat: restore a stall from nostr
* feat: add blank `Restore Product` button
* fix: handle no talls to restore case
* feat: show restore dialog
* feat: allow query for pending products
* feat: restore products
* chore: code clean-up
* fix: last dm and last order query
* chore: code clean-up
* fix: subscribe for stalls and products on merchant create/restore
* feat: add message type to orders
* feat: simplify messages; code format
* feat: add type to DMs; restore DMs from nostr
* fix: parsing ints
* fix: hide copy button if invoice not present
* fix: do not generate invoice if product not found
* feat: order restore: first version
* refactor: move some logic into `services`
* feat: improve restore UX
* fix: too many calls to customer DMs
* fix: allow `All` customers filter
* fix: ws reconnect on server restart
* fix: query for customer profiles only one
* fix: unread messages per customer per merchant
* fix: disable `user-profile-events`
* fix: customer profile is optional
* fix: get customers after new message debounced
* chore: code clean-up
* feat: auto-create zone
* feat: fixed ID for default zone
* feat: notify order paid
