docs: migration & DB-maintenance runbook (never full-wipe nsecbunker.db) #32

Merged
padreug merged 1 commit from docs-migration-runbook into dev 2026-06-19 21:09:27 +00:00
Owner

Docs-only. Captures the deploy hazard found during the #27 rollout on cfaun (now in session memory) so it's team-visible, not just tribal knowledge.

The hazard: the nsecbunkerd ↔ LNbits pairing is split across both systems — bunker KeyUser/Token bindings + LNbits accounts.signer_config. RemoteBunkerSigner signs directly with the stored client_nsec with no auto-repair, and provision() mints a new npub. So a full nsecbunker.db wipe (which my #27 merge-checklist offered as an option — that was wrong) orphans every LNbits account and forces identity-changing re-provisioning.

The rule: strip the old #24 materialized photocopies with a targeted DELETE FROM SigningCondition (keeps KeyUser+Token+Policy; live-token clients keep working). Never full-wipe.

Also documents: keys live in nsecbunker.json not the DB; migrations apply via the deploy's prisma migrate deploy, not the daemon's no-op boot step (#31); the prisma-engines_6 pin (#30).

Yours to merge via the UI when you're happy with it.

🤖 Generated with Claude Code

docs: add migration & DB-maintenance runbook (never full-wipe nsecbunker.db)
Some checks failed
Docker image / build-and-push-image (push) Has been cancelled
14e20d50d4
Captures the deploy hazard found during #27 rollout (cfaun): the
nsecbunkerd<->LNbits pairing is split across both systems, so a full
nsecbunker.db wipe orphans LNbits's signer_config and forces an
identity-changing re-provision. Documents the targeted
'DELETE FROM SigningCondition' procedure, the keys-live-in-json fact,
and the migrate-on-boot no-op (#31).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
padreug deleted branch docs-migration-runbook 2026-06-19 21:09:27 +00:00
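
One way to run the targeted `DELETE FROM SigningCondition` with a guard, as an added example that is not part of this PR or the project's runbook. It assumes `nsecbunker.db` is a SQLite file and relies only on the table names quoted in the description; the function name and backup path are hypothetical.

```python
import sqlite3

# Table names as quoted in the PR description; the schema beyond that is unknown here.
PRESERVED = ("KeyUser", "Token", "Policy")
TARGET = "SigningCondition"


def _count(conn, table):
    # Names come only from the constants above, never from user input.
    return conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]


def strip_signing_conditions(db_path, backup_path):
    """Empty SigningCondition, leaving KeyUser/Token/Policy untouched.

    Returns (rows_deleted, preserved_counts). Raises RuntimeError, with the
    database unchanged, if a table is missing or a pairing row count moves.
    """
    conn = sqlite3.connect(db_path, isolation_level=None)  # explicit transactions
    try:
        present = {r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")}
        missing = [t for t in (*PRESERVED, TARGET) if t not in present]
        if missing:
            raise RuntimeError(f"unexpected schema, missing tables: {missing}")
        backup = sqlite3.connect(backup_path)  # consistent copy before any change
        try:
            conn.backup(backup)
        finally:
            backup.close()
        conn.execute("BEGIN IMMEDIATE")
        try:
            before = {t: _count(conn, t) for t in PRESERVED}
            deleted = _count(conn, TARGET)
            conn.execute(f'DELETE FROM "{TARGET}"')
            after = {t: _count(conn, t) for t in PRESERVED}
            if after != before:  # a trigger or cascade touched the pairing
                raise RuntimeError(f"pairing rows changed: {before} -> {after}")
            conn.execute("COMMIT")
        except Exception:
            conn.execute("ROLLBACK")
            raise
        return deleted, after
    finally:
        conn.close()
```

The backup is taken through SQLite's online backup API rather than a file copy, so it stays consistent even if the database uses a write-ahead log.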
Reference
aiolabs/nsecbunkerd!32