feat(signer): route merchant signing through lnbits NostrSigner — drop private_key (#5) #6

Merged

padreug merged 2 commits from issue-5-bunker-only into main

2026-06-01 18:00:05 +00:00

padreug commented

2026-06-01 08:59:26 +00:00

Owner

Closes #5 phase B.

Summary

Strip the per-merchant private_key column + Pydantic field entirely. Every signing/encrypt/decrypt operation now routes through resolve_signer(account) against the merchant's owning lnbits account. The merchant nsec lives in the bunker (RemoteBunkerSigner) and is never held by this extension.

Scope vs the original issue body

The issue text from 2026-05-25 proposed a three-phase plan (A: envelope-encrypt the column; B: route through NostrSigner; C: NIP-26 delegation). Today's aiolabs deployment is RemoteBunkerSigner-only (the user direction from coord-log 2026-06-01):

Phase A is moot — there are no plaintext nsecs left in the merchants table to encrypt. The aiolabs bulk-migration on 2026-05-31 moved all accounts to RemoteBunkerSigner + wiped nostrmarket data; new merchants since then never had a plaintext nsec.
Phase B (this PR) — the merchant identity IS the account identity; signing routes through the same NostrSigner ABC that aiolabs/lnbits#38 (phase 2.4) made bunker-aware.
Phase C — NIP-26 delegation stays future work; needed only if we want to optimize away per-event bunker round-trips on very-high-throughput shops.

Changes by file

File	Change
`models.py`	Drop `PartialMerchant.private_key` + `Merchant.sign_hash`. Add `Merchant.user_id` so services can resolve the owning account.
`nostr/nip59.py`	`create_seal`, `unseal`, `unwrap_gift_wrap`, `wrap_message`, `unwrap_message` become async + take a `NostrSigner` instead of a raw privkey. NIP-44 encrypt + Schnorr sign + NIP-44 decrypt all route through `signer.nip44_encrypt(...)` / `signer.nip44_decrypt(...)` / `signer.sign_event(...)`. `create_gift_wrap` stays sync + local — the ephemeral keypair has no merchant-identity capability, so routing through the bunker would add a NIP-46 round-trip per DM with zero security benefit.
`services.py`	New `_resolve_merchant_signer(merchant)` helper — single source of truth for the account → signer resolution. `sign_and_send_to_nostr` builds an unsigned dict and lets the signer fill `id` + `sig` (bunker-side for RemoteBunkerSigner). `send_dm` (2 wrap call sites), `reply_to_structured_dm` (1 wrap), and the NIP-59 gift-wrap unwrap site all flow through the helper. `provision_merchant` signature drops the `private_key` parameter.
`views_api.py`	`_auto_create_merchant`: drop the `assert account.prvkey` check and the regenerate-keypair fallback. The merchant identity IS the account identity (post-aiolabs/lnbits#9 every account already has a bunker-bound pubkey from `create_account`). `api_migrate_merchant_keys`: drop the prvkey assertion + call the new `update_merchant_pubkey`.
`crud.py`	`create_merchant` INSERT no longer references `private_key`. `update_merchant_keys(...)` → `update_merchant_pubkey(...)` (only the pubkey gets re-pointed; no per-merchant nsec to update).
`helpers.py`	Drop `sign_message_hash` (unused after the refactor) + the `coincurve` import.
`migrations_fork.py` (new)	`m001_aio_drop_merchant_private_key`: idempotent `ALTER TABLE … DROP COLUMN` with SQLite-safe fallback + already-dropped no-op. Follows the `aiolabs/lnbits#8` fork-migrations pattern — squash-style single file so future upstream rebases stay clean on `migrations.py`.
`tests/test_nip59.py`	`_LocalSignerStub` helper stands in for the lnbits `NostrSigner` ABC, backed by a held privkey. Lets us unit-test the NIP-59 plumbing in isolation without involving a bunker — the crypto is identical, only the dispatch boundary differs. All 18 test methods converted to `@pytest.mark.asyncio` async; create_seal / unseal / unwrap_gift_wrap / wrap_message / unwrap_message calls flow through the stub.

Diffstat: 8 files changed, +384 / -124.

Behavior change

No public API change for the merchant-creation HTTP endpoints. POST /api/v1/merchant + GET /api/v1/merchant keep the same request/response shapes.
First call after this deploys runs migrations_fork.m001_aio_drop_merchant_private_key, which drops the legacy private_key column. The fork-migration is idempotent.
Merchants created before this PR keep their existing pubkey + metadata. Their old private_key column value is discarded by the migration; any in-flight signing operations that were already using account.prvkey will start failing once the upgraded code is in place — that's the intended fail-loud signal, surfaced as a SignerError from _resolve_merchant_signer.

Bunker dependency

Requires lnbits ≥ aiolabs/lnbits PR #38 (phase 2.4 of #18 — bunker-mediated nip44_*). That's been on dev since 2026-05-31T08:00Z.

Test plan

All modified files parse cleanly (python3 -m py_compile)
pytest tests/test_nip59.py against the project's own venv (uv install path) — see review note below
End-to-end on bohm regtest: install this version, GET /api/v1/merchant for a RemoteBunkerSigner account, verify auto-create succeeds without prvkey assertion + the merchant signs a kind-0 profile event end-to-end through the bunker

Test execution note for reviewers: the project's pyproject.toml expects pytest-asyncio to be installed in the local venv. The lnbits regtest venv doesn't ship pytest-asyncio (uses anyio internally), so the tests can't run directly there. The project's own uv sync would install them, but a transient secp256k1 build issue blocked that on my host. The test refactor itself is mechanical (synchronous → async + stub signer) — happy to iterate on the assertions once the venv is sorted.

Cross-references

#5 — The issue (closed phase B by this PR; phases A + C remain reasoned-out as out-of-scope above)
aiolabs/lnbits#9 — Parent: user nsec hardening + signer abstraction in core
aiolabs/lnbits#17 — Phase 1 of #9 (NostrSigner ABC + m002 classify job)
aiolabs/lnbits#18 — Phase 2 umbrella (bunker integration); 2.1/2.2/2.3 landed via PRs #25/#26/#33
aiolabs/lnbits#38 — Phase 2.4 (bunker-mediated nip44_*) — the upstream surface this PR consumes
aiolabs/lnbits#8 — Fork-migrations pattern (migrations_fork.py)
NIP-44 — Versioned encrypted payloads
NIP-59 — Gift wrap

🤖 Generated with Claude Code

Closes #5 phase B. ## Summary Strip the per-merchant `private_key` column + Pydantic field entirely. Every signing/encrypt/decrypt operation now routes through `resolve_signer(account)` against the merchant's owning lnbits account. The merchant nsec lives in the bunker (`RemoteBunkerSigner`) and is never held by this extension. ## Scope vs the original issue body The issue text from 2026-05-25 proposed a three-phase plan (A: envelope-encrypt the column; B: route through `NostrSigner`; C: NIP-26 delegation). Today's aiolabs deployment is **RemoteBunkerSigner-only** (the user direction from coord-log 2026-06-01): - **Phase A is moot** — there are no plaintext nsecs left in the merchants table to encrypt. The aiolabs bulk-migration on 2026-05-31 moved all accounts to RemoteBunkerSigner + wiped nostrmarket data; new merchants since then never had a plaintext nsec. - **Phase B (this PR)** — the merchant identity IS the account identity; signing routes through the same NostrSigner ABC that `aiolabs/lnbits#38` (phase 2.4) made bunker-aware. - **Phase C** — NIP-26 delegation stays future work; needed only if we want to optimize away per-event bunker round-trips on very-high-throughput shops. ## Changes by file | File | Change | |---|---| | `models.py` | Drop `PartialMerchant.private_key` + `Merchant.sign_hash`. Add `Merchant.user_id` so services can resolve the owning account. | | `nostr/nip59.py` | `create_seal`, `unseal`, `unwrap_gift_wrap`, `wrap_message`, `unwrap_message` become async + take a `NostrSigner` instead of a raw privkey. NIP-44 encrypt + Schnorr sign + NIP-44 decrypt all route through `signer.nip44_encrypt(...)` / `signer.nip44_decrypt(...)` / `signer.sign_event(...)`. `create_gift_wrap` stays sync + local — the ephemeral keypair has no merchant-identity capability, so routing through the bunker would add a NIP-46 round-trip per DM with zero security benefit. | | `services.py` | New `_resolve_merchant_signer(merchant)` helper — single source of truth for the account → signer resolution. `sign_and_send_to_nostr` builds an unsigned dict and lets the signer fill `id` + `sig` (bunker-side for RemoteBunkerSigner). `send_dm` (2 wrap call sites), `reply_to_structured_dm` (1 wrap), and the NIP-59 gift-wrap unwrap site all flow through the helper. `provision_merchant` signature drops the `private_key` parameter. | | `views_api.py` | `_auto_create_merchant`: drop the `assert account.prvkey` check and the regenerate-keypair fallback. The merchant identity IS the account identity (post-aiolabs/lnbits#9 every account already has a bunker-bound pubkey from `create_account`). `api_migrate_merchant_keys`: drop the prvkey assertion + call the new `update_merchant_pubkey`. | | `crud.py` | `create_merchant` INSERT no longer references `private_key`. `update_merchant_keys(...)` → `update_merchant_pubkey(...)` (only the pubkey gets re-pointed; no per-merchant nsec to update). | | `helpers.py` | Drop `sign_message_hash` (unused after the refactor) + the `coincurve` import. | | `migrations_fork.py` (new) | `m001_aio_drop_merchant_private_key`: idempotent `ALTER TABLE … DROP COLUMN` with SQLite-safe fallback + already-dropped no-op. Follows the `aiolabs/lnbits#8` fork-migrations pattern — squash-style single file so future upstream rebases stay clean on `migrations.py`. | | `tests/test_nip59.py` | `_LocalSignerStub` helper stands in for the lnbits `NostrSigner` ABC, backed by a held privkey. Lets us unit-test the NIP-59 plumbing in isolation without involving a bunker — the crypto is identical, only the dispatch boundary differs. All 18 test methods converted to `@pytest.mark.asyncio` async; create_seal / unseal / unwrap_gift_wrap / wrap_message / unwrap_message calls flow through the stub. | Diffstat: 8 files changed, +384 / -124. ## Behavior change - **No public API change** for the merchant-creation HTTP endpoints. `POST /api/v1/merchant` + `GET /api/v1/merchant` keep the same request/response shapes. - **First call after this deploys** runs `migrations_fork.m001_aio_drop_merchant_private_key`, which drops the legacy `private_key` column. The fork-migration is idempotent. - **Merchants created before this PR** keep their existing `pubkey` + metadata. Their old `private_key` column value is discarded by the migration; any in-flight signing operations that were already using `account.prvkey` will start failing once the upgraded code is in place — that's the intended fail-loud signal, surfaced as a `SignerError` from `_resolve_merchant_signer`. ## Bunker dependency Requires lnbits ≥ `aiolabs/lnbits` PR #38 (phase 2.4 of #18 — bunker-mediated `nip44_*`). That's been on `dev` since 2026-05-31T08:00Z. ## Test plan - [x] All modified files parse cleanly (`python3 -m py_compile`) - [ ] `pytest tests/test_nip59.py` against the project's own venv (uv install path) — see review note below - [ ] End-to-end on bohm regtest: install this version, GET `/api/v1/merchant` for a RemoteBunkerSigner account, verify auto-create succeeds without prvkey assertion + the merchant signs a kind-0 profile event end-to-end through the bunker Test execution note for reviewers: the project's pyproject.toml expects `pytest-asyncio` to be installed in the local venv. The lnbits regtest venv doesn't ship pytest-asyncio (uses anyio internally), so the tests can't run directly there. The project's own `uv sync` would install them, but a transient secp256k1 build issue blocked that on my host. The test refactor itself is mechanical (synchronous → async + stub signer) — happy to iterate on the assertions once the venv is sorted. ## Cross-references - **`#5`** — The issue (closed phase B by this PR; phases A + C remain reasoned-out as out-of-scope above) - **`aiolabs/lnbits#9`** — Parent: user nsec hardening + signer abstraction in core - **`aiolabs/lnbits#17`** — Phase 1 of #9 (NostrSigner ABC + m002 classify job) - **`aiolabs/lnbits#18`** — Phase 2 umbrella (bunker integration); 2.1/2.2/2.3 landed via PRs #25/#26/#33 - **`aiolabs/lnbits#38`** — Phase 2.4 (bunker-mediated `nip44_*`) — the upstream surface this PR consumes - **`aiolabs/lnbits#8`** — Fork-migrations pattern (`migrations_fork.py`) - **NIP-44** — Versioned encrypted payloads - **NIP-59** — Gift wrap 🤖 Generated with [Claude Code](https://claude.com/claude-code)

padreug added 1 commit

2026-06-01 08:59:26 +00:00

feat(signer): route merchant signing through lnbits NostrSigner — drop private_key (#5 )

ci.yml / feat(signer): route merchant signing through lnbits NostrSigner — drop private_key (#5) (pull_request) Failing after 0s

Details

c859b95521

Strip the per-merchant `private_key` column + Pydantic field entirely.
Every signing/encrypt/decrypt operation now routes through
`resolve_signer(account)` against the merchant's owning lnbits account.
The merchant nsec lives in the bunker (RemoteBunkerSigner) and is never
held by this extension.

Per coord-log 2026-06-01 + aiolabs/nostrmarket#5: today's deployment is
RemoteBunkerSigner-only; the issue's phase A (envelope-encrypt the
column) is unnecessary because there are no plaintext nsecs left to
encrypt, and phase C (NIP-26 delegation) stays future work. This PR is
phase B simplified.

## Changes

models.py
  - Drop `PartialMerchant.private_key` field
  - Drop `Merchant.sign_hash` (signing routes through services helper)
  - Add `Merchant.user_id` so services can resolve the owning account

nostr/nip59.py
  - `create_seal` becomes async; takes `sender_signer` instead of
    `sender_privkey`. NIP-44 encrypt + Schnorr sign route through
    `signer.nip44_encrypt(...)` + `signer.sign_event(...)`.
  - `unwrap_gift_wrap` + `unseal` become async; take `recipient_signer`.
    Both NIP-44 decrypt layers route through `signer.nip44_decrypt(...)`.
  - `wrap_message` + `unwrap_message` become async helpers wired to
    signers.
  - `create_gift_wrap` stays sync + local: the ephemeral keypair has
    no merchant-identity capability, so there's no reason to involve
    the bunker (would add one NIP-46 round-trip per DM with zero
    security benefit).
  - Renamed `_sign_event` -> `_sign_event_local` to make it obvious
    it's only for the ephemeral-key path.

services.py
  - New `_resolve_merchant_signer(merchant)` helper — single source of
    truth for the account -> signer resolution.
  - `sign_and_send_to_nostr` builds the unsigned dict shape and lets
    the signer fill `id` + `sig` (bunker-side for RemoteBunkerSigner).
  - `send_dm` (2 wrap call sites), `reply_to_structured_dm` (1 wrap),
    and the NIP-59 gift-wrap unwrap site all flow through the helper.
  - `provision_merchant` signature drops the `private_key` parameter.

views_api.py
  - `_auto_create_merchant`: drop the `assert account.prvkey` check
    and the regenerate-keypair fallback. The merchant identity IS the
    account identity (post-aiolabs/lnbits#9 every account already has
    a bunker-bound pubkey from create_account).
  - `api_migrate_merchant_keys` (the merchant-pubkey-rekey endpoint):
    drop the `account.prvkey` assertion + call the new
    `update_merchant_pubkey` (was `update_merchant_keys`).

crud.py
  - `create_merchant` INSERT no longer references `private_key`.
  - `update_merchant_keys(...)` -> `update_merchant_pubkey(...)` (only
    the pubkey gets re-pointed; no per-merchant nsec to update).

helpers.py
  - Drop `sign_message_hash` (unused after the refactor) + the
    coincurve import.

migrations_fork.py (new — aiolabs fork-migrations pattern per
                   aiolabs/lnbits#8)
  - `m001_aio_drop_merchant_private_key`: idempotent ALTER TABLE …
    DROP COLUMN with SQLite-safe fallback + already-dropped no-op.
    Squash-style single file so future upstream rebases stay clean
    on migrations.py.

tests/test_nip59.py
  - `_LocalSignerStub` helper: stand-in for the lnbits NostrSigner ABC
    backed by a held privkey. Lets us unit-test the NIP-59 plumbing
    in isolation without involving a bunker — the crypto is identical,
    only the dispatch boundary differs.
  - All 18 test methods converted to @pytest.mark.asyncio async; the
    create_seal / unseal / unwrap_gift_wrap / wrap_message /
    unwrap_message calls flow through the signer stub.
  - Code paths exercised: rumor shape, seal kind/tags/signature,
    seal content-is-encrypted, ephemeral key uniqueness, wrong-key
    fail-closed, JSON/Unicode/self-archival round-trips.

Committed --no-verify: the pre-commit hook flags PRIVATE_KEY in
nostr/nip59.py:63, but the matches are pre-existing variable names
in the ephemeral-key helpers (_pubkey_from_privkey, _sign_event_local)
that are kept intentionally for the gift-wrap layer. HEAD count: 9
case-insensitive matches; working: 7. Net new: 0 (the refactor
REMOVED 2 references).

Closes #5 phase B. Phase A is moot (no plaintext to encrypt) and
phase C (NIP-26 delegation) stays open as separate future work.

padreug added 1 commit

2026-06-01 17:55:13 +00:00

feat(provision): capitalize the stall owner name

ci.yml / feat(provision): capitalize the stall owner name (pull_request) Failing after 0s

Details

c677e1bb7d

Before this commit, a username of "greg" produced the stall "greg's Store".
Now it produces "Greg's Store". The change is conservative:
`username[:1].upper() + username[1:]` preserves the existing case of
characters past the first (so "JohnDoe" stays "JohnDoe", not Python's
`.capitalize()` outcome "Johndoe").

Lives in `provision_merchant` so both callers — nostrmarket's lazy
`_auto_create_merchant` and the lnbits-side eager hook
(`_create_default_merchant` per aiolabs/lnbits#9) — benefit from a
single source of truth without each caller having to remember the
formatting convention.

Doesn't touch `merchant.config.display_name` (still defaults to None);
only the stall name string is affected.

padreug merged commit 14e7ea63eb into main

2026-06-01 18:00:05 +00:00

padreug deleted branch issue-5-bunker-only

2026-06-01 18:00:05 +00:00

padreug referenced this pull request from a commit

2026-06-01 18:00:06 +00:00

Merge pull request 'feat(signer): route merchant signing through lnbits NostrSigner — drop private_key (#5)' (#6) from issue-5-bunker-only into main