feat(v2): collision guard — refuse machines whose npub matches an operator account (#32)

Adds `_assert_no_pubkey_collision` to `views_api`, wired into
`api_create_machine` between the wallet-ownership guard and the
`create_machine` CRUD call. Refuses with HTTP 400 + operator-actionable
error message if the supplied `machine_npub` matches any existing
LNbits operator account's `accounts.pubkey`.

## Why this matters

Reproducer 2026-05-30T21:33Z (coord-log archive `2026-05-31-pre-rotation.md`):
Greg's operator account `accounts.pubkey` had been seeded as the same
value as Sintra's `dca_machines.machine_npub` (`522a4538…`) during
manual setup. The collision masked the routing bug for days — lnbits'
nostr-transport `auth.py:resolve_nostr_auth` was routing inbound
kind-21000 RPCs from the ATM directly to Greg's wallet *by coincidence*
of the matching pubkey. When Greg's account migrated to
`RemoteBunkerSigner` and got a fresh pubkey, the coincidence broke +
`auto-account-from-npub` fired for the orphaned ATM npub. A real $20
test cash-out silently landed on a fresh auto-account wallet
(`a94b564f…`); satmachineadmin lost the settlement entirely — no
`dca_settlements` row, no DCA distribution, no commission split.

The proper architectural fix is path B / `aiolabs/satmachineadmin#20`
(S6, in-progress with lnbits — coord-log `2026-05-31T15:25Z`). This
guard is the complementary preventive layer: stops a future operator
from re-entering the broken state by registering a machine whose npub
collides with an existing account.

## What's in this commit

- **`views_api._assert_no_pubkey_collision`** — canonicalises the input
  npub (accepts hex or `npub1…` bech32) via `normalize_public_key`,
  queries `lnbits.core.crud.users.get_account_by_pubkey` (which itself
  lowercases internally), raises HTTPException(400) on hit. Error
  message names the canonical pubkey prefix, explains the
  pubkey-collision dependency that breaks on operator pubkey rotation,
  + points to the `lamassu-next provision-atm` remediation path +
  this issue for context.
- **Wired into `api_create_machine`** after `_assert_wallet_owned_by`
  + before `create_machine`. `api_update_machine` is unaffected
  because `UpdateMachineData` doesn't allow npub changes on existing
  rows.
- **`tests/test_collision_guard.py`** — 7 unit tests covering hex /
  bech32 / uppercase-hex inputs all canonicalise to the same lookup,
  the no-collision case returns silently, error message asserts
  (truncated pubkey + remediation hint). Uses pytest monkeypatch to
  isolate the assertion logic from a live `get_account_by_pubkey` DB
  call — matches the assertion-style pattern of
  `tests/test_nostr_attribution.py`.
- **`CLAUDE.md`** — new "No-collision invariant" subsection under
  Security Considerations: documents the rule + the SQL check
  operators can run on existing installs + the
  `ATM_PRIVATE_KEY`-unset remediation + cross-refs to `#20` and `#32`.

## Regtest SQL check result

Ran the diagnostic SQL against the regtest LNbits + satmachineadmin DBs:

- 1 active `dca_machines.machine_npub`: `522a4538…` (Greg's Sintra)
- 1 collision found: the auto-account orphan `a94b564f…` (username =
  None — auto-account signature) created during yesterday's silent-drop
  failure mode. NOT a legitimate operator account. Greg's actual
  operator account `ac35c9fc…` carries pubkey `197a4cf4…` post-bunker
  migration, no collision there.

The orphan is operational cleanup (sweep + delete), separate from this
code fix. No real-operator collisions remain on the regtest instance.

## Test status

162 passed, 1 pre-existing async-plugin failure unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tests/test_collision_guard.py

@@ -0,0 +1,124 @@
+"""
+Tests for `views_api._assert_no_pubkey_collision` (aiolabs/satmachineadmin#32).
+
+Defends against the silent-drop failure mode reproduced on 2026-05-30T21:33Z:
+Greg's operator account pubkey had been seeded identical to the Sintra ATM's
+machine_npub, which masked the routing problem until Greg's pubkey rotated
+during the bunker migration — then `auto-account-from-npub` fired for the
+orphaned ATM npub and the cash-out invoice silently landed on a fresh
+auto-account wallet.
+
+The guard refuses to register a machine whose npub matches any LNbits
+operator account's `accounts.pubkey`, so this state cannot be entered
+through the satmachineadmin UI in the first place.
+
+Monkeypatches `views_api.get_account_by_pubkey` to avoid needing a live
+LNbits DB; this matches the assertion-style of tests/test_nostr_attribution
+(both isolate the assertion function for unit-testability).
+"""
+
+import asyncio
+from types import SimpleNamespace
+
+import pytest
+
+from .. import views_api
+from ..views_api import _assert_no_pubkey_collision
+
+# Canonical x-only pubkey for the integer 1 secret (matches NIP-44 reference vector).
+_PUBKEY_HEX = "79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798"
+# Bech32 form of the same pubkey — operators may enter either form in the UI.
+_PUBKEY_NPUB = "npub10xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vqpkge6d"
+
+
+def _fake_account(pubkey: str = _PUBKEY_HEX):
+    """Account-shaped duck-typed object. _assert_no_pubkey_collision only
+    cares whether get_account_by_pubkey returns non-None; the returned
+    shape doesn't matter beyond that."""
+    return SimpleNamespace(id="op1", username="alice", pubkey=pubkey)
+
+
+def _patch_lookup(monkeypatch, return_value):
+    """Replace `views_api.get_account_by_pubkey` with an async stub that
+    captures the canonical-hex argument the guard normalised to and
+    returns the configured value."""
+    captured = {}
+
+    async def fake_lookup(pubkey: str):
+        captured["called_with"] = pubkey
+        return return_value
+
+    monkeypatch.setattr(views_api, "get_account_by_pubkey", fake_lookup)
+    return captured
+
+
+class TestCollisionDetected:
+    """Positive cases: machine_npub collides with an operator account's
+    pubkey. Each form (hex / bech32 / uppercase) must normalise to the
+    same canonical lookup + raise the same 400."""
+
+    def test_collision_with_hex_input_raises(self, monkeypatch):
+        _patch_lookup(monkeypatch, return_value=_fake_account())
+        with pytest.raises(Exception) as exc:
+            asyncio.run(_assert_no_pubkey_collision(_PUBKEY_HEX))
+        assert exc.value.status_code == 400
+        assert "collides with an existing LNbits operator account" in exc.value.detail
+        assert "aiolabs/satmachineadmin#32" in exc.value.detail
+
+    def test_collision_with_bech32_input_raises(self, monkeypatch):
+        """Operator may enter `npub1...` in the UI; the guard must
+        canonicalise to hex BEFORE the lookup, otherwise a colliding
+        npub-form input would silently miss the hex-stored
+        accounts.pubkey row."""
+        captured = _patch_lookup(monkeypatch, return_value=_fake_account())
+        with pytest.raises(Exception) as exc:
+            asyncio.run(_assert_no_pubkey_collision(_PUBKEY_NPUB))
+        assert exc.value.status_code == 400
+        # The bech32 input must be canonicalised to lowercase hex before the lookup.
+        assert captured["called_with"] == _PUBKEY_HEX
+
+    def test_collision_with_uppercase_hex_input_raises(self, monkeypatch):
+        """Hex inputs from manual entry / paste can land uppercase; the
+        guard's `normalize_public_key().lower()` should bring it to the
+        canonical lowercase hex that get_account_by_pubkey itself also
+        lowercases internally."""
+        captured = _patch_lookup(monkeypatch, return_value=_fake_account())
+        with pytest.raises(Exception) as exc:
+            asyncio.run(_assert_no_pubkey_collision(_PUBKEY_HEX.upper()))
+        assert exc.value.status_code == 400
+        assert captured["called_with"] == _PUBKEY_HEX
+
+
+class TestNoCollision:
+    """Negative cases: machine_npub does not match any account → guard
+    returns silently, machine creation can proceed."""
+
+    def test_no_collision_returns_silently(self, monkeypatch):
+        _patch_lookup(monkeypatch, return_value=None)
+        # Should NOT raise.
+        asyncio.run(_assert_no_pubkey_collision(_PUBKEY_HEX))
+
+    def test_no_collision_bech32_form_returns_silently(self, monkeypatch):
+        captured = _patch_lookup(monkeypatch, return_value=None)
+        asyncio.run(_assert_no_pubkey_collision(_PUBKEY_NPUB))
+        # The lookup still gets called with the canonicalised hex form.
+        assert captured["called_with"] == _PUBKEY_HEX
+
+
+class TestErrorMessage:
+    """The 400 detail must be operator-actionable: explains the failure,
+    points at the issue, and gives the remediation path."""
+
+    def test_error_includes_truncated_pubkey(self, monkeypatch):
+        _patch_lookup(monkeypatch, return_value=_fake_account())
+        with pytest.raises(Exception) as exc:
+            asyncio.run(_assert_no_pubkey_collision(_PUBKEY_HEX))
+        # First 12 chars of the canonical lowercase hex, followed by an ellipsis.
+        assert _PUBKEY_HEX[:12] in exc.value.detail
+
+    def test_error_includes_remediation_hint(self, monkeypatch):
+        _patch_lookup(monkeypatch, return_value=_fake_account())
+        with pytest.raises(Exception) as exc:
+            asyncio.run(_assert_no_pubkey_collision(_PUBKEY_HEX))
+        assert "lamassu-next" in exc.value.detail
+        assert "ATM_PRIVATE_KEY" in exc.value.detail