feat(v2): operator-side cassette inventory v1.1 + signer.nip44_* migration (#29) #30

Merged

padreug merged 19 commits from feat/cassette-config-v1 into v2-bitspire 2026-05-31 13:54:19 +00:00

Conversation 0 Commits 19 Files changed 13 +3095 -165

padreug commented 2026-05-30 16:11:25 +00:00

Owner

Copy link

Status as of merge

Closes aiolabs/satmachineadmin#29 (per-machine cassette inventory). Paired with aiolabs/lamassu-next#56 (ATM-side consumer + bootstrap publisher) and aiolabs/lnbits#38 (signer.nip44_* ABC).

End-to-end validated through Greg's RemoteBunkerSigner on regtest 2026-05-31:

Direction	Evidence	Timestamp
Operator → ATM publish	nip44_encrypt + sign_event via bunker → kind-30078 → relay (event_id=04a57d6a6ce2…)	13:21:37Z
ATM → operator consume	nip44_decrypt via bunker → apply_bootstrap_state upsert → state_event_id advanced to 970c67147e18…	13:43:10Z
Multi-same-denom HAL dispense	Padreug published Bay 2 → 20, ATM re-applied + live $20 cash-out drained from bay1:20×20, bay2:20×10	bitspire 06:22Z coord-log

Tests: 155 passed, 1 pre-existing async-plugin failure unchanged.

What landed

Three layered scopes, in delivery order:

v1 — denomination-keyed wire (commits 1-9)

Initial PR shape per the design locked in ~/dev/coordination/log.md 06:30Z→15:55Z on 2026-05-30:

• m007 cassette_configs schema with reserved v2 reconciliation columns
• CRUD + 23 unit tests
• Hand-rolled NIP-44 v2 (matches paulmillr/nip44 reference vector) + 34 tests
• cassette_transport publish/decrypt
• Bootstrap consumer task + 14 tests
• POST /cassettes/publish API + UI
• Cross-test fixture against bitspire's nostr-tools NIP-44 v2 impl
• Dirty-row UX hardening (bg-yellow-1 → inline box-shadow accent to dodge the LNbits theme-vs-Quasar-utility CSS specificity trap)

v1.1 — position-keyed wire-shape pivot (commits 10-15)

After Padreug surfaced that v1 wrongly froze per-slot denominations (real operational case: dispatcher swaps a $20 cassette for $50 during refill), wire shape flipped from {denominations: {<d>: {position, count}}} to {positions: {<p>: {denomination, count}}}. Plus: drop the implicit "one cassette per denomination" invariant — production machines load N same-denom cassettes for cash-out throughput.

• m008 schema flip PK (machine_id, position), no UNIQUE on denomination, new state_denomination column
• Models + CRUD + transport + consumer + API all flipped position-keyed
• UI: denomination becomes editable q-input, position is read-only "Bay N" label
• Test suite rewrite (covers the multi-same-denom round-trip explicitly)
• Cross-test fixture refreshed against bitspire's v1.1 wire shape

Decision context: coord-log 2026-05-30T18:30Z/18:45Z. Bitspire mirrored on lamassu-next#56.

v1.1 hardening — bunker-mediated nip44 + lint (commits 16-20)

Once aiolabs/lnbits#38 (phase 2.4: bunker-mediated nip44_* via NDK 3.0.3) merged + Greg's account migrated to RemoteBunkerSigner (lnbits coord-log 22:00Z), the satmachineadmin transport's direct account.prvkey reads stopped working. Migration:

• cassette_transport._nip44_*_via_signer routes through signer.nip44_encrypt / signer.nip44_decrypt via the post-#38 NostrSigner ABC
• LocalSigner transitional fallback preserved for any operator not yet migrated (retires when last LocalSigner operator moves to bunker; tracked as #21 S7 final AC)
• Error mapping: NsecBunkerTimeoutError → CassetteEventTransientError (consumer doesn't advance state_event_id, retries on next poll); NsecBunkerRpcError / SignerUnavailableError → CassetteEventDecodeError (log + skip)
• Pre-existing bug caught en route: the try: from lnbits.core.signers import SignerError ... block was permanently failing (those errors live in .base, not the package root) — the "pre-#17 fallback" had been masquerading as the active path
• Lint pass (black + ruff --fix); 2 new mypy regressions fixed; nip44.py runtime exports narrowed to LocalSigner transitional + test-only

Out of scope (tracked separately)

• Continuous reverse-channel consumer + dashboard reconciliation UI — v2 follow-up (separate issue when ready, paired with aiolabs/lamassu-next#57)
• Multi-operator-per-ATM coordination — #21 S7 final ACs
• Wallet-routing miss when LNbits' nostr-transport auto-account-from-npub fires for an ATM npub instead of the registered operator — symptom mitigation at #31, root-cause guard at #32, architectural fix at #20 (S6)
• v1 local-prvkey caveat for not-yet-bunker-migrated operators — documented in #29 comment (mirrors bitspire lamassu-next#56)

Commit chain (20)

d448fab chore(v2): lint pass — black + ruff auto-fix + mypy regressions
dcb7de0 refactor(v2): cassette transport — signer.nip44_* migration
1cebefc test(v2): rewrite cassette tests for v1.1 position-keyed shape
3014962 refactor(v2)(ui): denomination editable per slot, position read-only
34e324b refactor(v2): cassette consumer + API endpoint — position-keyed
5dbd731 refactor(v2): cassette CRUD + transport — position-keyed
427cad3 refactor(v2): cassette models — position-keyed wire shape
df6e8e0 feat(v2): m008 flip cassette_configs PK to (machine_id, position)
4b128ca test(v2): re-wire bitspire cross-test fixture for v1.1
23b6156 fix(v2)(ui): dirty cassette row — inset shadow accent
5f9c84b fix(v2)(ui): dirty cassette row needs explicit text-grey-9 (superseded)
5631246 test(v2): wire bitspire's NIP-44 v2 cross-test fixture from coord log
4071491 feat(v2)(ui): cassette sub-tab in machine detail + overwrite-confirm modal
f8042f8 feat(v2): POST cassettes/publish API endpoint + ownership guard
e57a730 feat(v2): bootstrap consumer task — auto-populate cassette_configs
b9d5ea3 feat(v2): cassette_transport — kind-30078 publish + decrypt
da07bae feat(v2): hand-rolled NIP-44 v2 crypto + reference-vector tests
9b8008d feat(v2): cassette_configs CRUD + unit tests
13684e7 feat(v2): m007 cassette_configs schema + Pydantic models

Test plan

• Unit tests green: docker compose exec lnbits /app/.venv/bin/python -m pytest tests/ → 155 passed
• Live smoke publish (operator → ATM via bunker): 04a57d6a6ce2… lands on relay
• Live smoke consume (ATM → operator via bunker): 970c67147e18… applied, cassette_configs advanced
• Multi-same-denom HAL dispense validated on Sintra hardware (bitspire 06:22Z)
• Lint pass: black clean on touched files; ruff --fix applied; remaining 26 ruff warnings are stylistic (Pydantic cls validators, exception suffix preference, docstring line-length); mypy regressions from this PR fixed

🤖 Generated with Claude Code

## Status as of merge Closes `aiolabs/satmachineadmin#29` (per-machine cassette inventory). Paired with `aiolabs/lamassu-next#56` (ATM-side consumer + bootstrap publisher) and `aiolabs/lnbits#38` (`signer.nip44_*` ABC). **End-to-end validated through Greg's `RemoteBunkerSigner` on regtest 2026-05-31:** | Direction | Evidence | Timestamp | |---|---|---| | Operator → ATM publish | `nip44_encrypt` + `sign_event` via bunker → kind-30078 → relay (`event_id=04a57d6a6ce2…`) | 13:21:37Z | | ATM → operator consume | `nip44_decrypt` via bunker → `apply_bootstrap_state` upsert → `state_event_id` advanced to `970c67147e18…` | 13:43:10Z | | Multi-same-denom HAL dispense | Padreug published Bay 2 → 20, ATM re-applied + live $20 cash-out drained from `bay1:20×20, bay2:20×10` | bitspire `06:22Z` coord-log | Tests: **155 passed**, 1 pre-existing async-plugin failure unchanged. ## What landed Three layered scopes, in delivery order: ### v1 — denomination-keyed wire (commits 1-9) Initial PR shape per the design locked in `~/dev/coordination/log.md` `06:30Z`→`15:55Z` on 2026-05-30: - `m007` `cassette_configs` schema with reserved v2 reconciliation columns - CRUD + 23 unit tests - Hand-rolled NIP-44 v2 (matches paulmillr/nip44 reference vector) + 34 tests - `cassette_transport` publish/decrypt - Bootstrap consumer task + 14 tests - POST `/cassettes/publish` API + UI - Cross-test fixture against bitspire's nostr-tools NIP-44 v2 impl - Dirty-row UX hardening (`bg-yellow-1` → inline `box-shadow` accent to dodge the LNbits theme-vs-Quasar-utility CSS specificity trap) ### v1.1 — position-keyed wire-shape pivot (commits 10-15) After Padreug surfaced that v1 wrongly froze per-slot denominations (real operational case: dispatcher swaps a $20 cassette for $50 during refill), wire shape flipped from `{denominations: {<d>: {position, count}}}` to `{positions: {<p>: {denomination, count}}}`. Plus: drop the implicit "one cassette per denomination" invariant — production machines load N same-denom cassettes for cash-out throughput. - `m008` schema flip `PK (machine_id, position)`, no UNIQUE on denomination, new `state_denomination` column - Models + CRUD + transport + consumer + API all flipped position-keyed - UI: denomination becomes editable q-input, position is read-only "Bay N" label - Test suite rewrite (covers the multi-same-denom round-trip explicitly) - Cross-test fixture refreshed against bitspire's v1.1 wire shape Decision context: coord-log `2026-05-30T18:30Z`/`18:45Z`. Bitspire mirrored on `lamassu-next#56`. ### v1.1 hardening — bunker-mediated nip44 + lint (commits 16-20) Once `aiolabs/lnbits#38` (phase 2.4: bunker-mediated `nip44_*` via NDK 3.0.3) merged + Greg's account migrated to `RemoteBunkerSigner` (lnbits coord-log `22:00Z`), the satmachineadmin transport's direct `account.prvkey` reads stopped working. Migration: - `cassette_transport._nip44_*_via_signer` routes through `signer.nip44_encrypt` / `signer.nip44_decrypt` via the post-#38 `NostrSigner` ABC - LocalSigner transitional fallback preserved for any operator not yet migrated (retires when last LocalSigner operator moves to bunker; tracked as `#21` S7 final AC) - Error mapping: `NsecBunkerTimeoutError` → `CassetteEventTransientError` (consumer doesn't advance `state_event_id`, retries on next poll); `NsecBunkerRpcError` / `SignerUnavailableError` → `CassetteEventDecodeError` (log + skip) - Pre-existing bug caught en route: the `try: from lnbits.core.signers import SignerError ...` block was permanently failing (those errors live in `.base`, not the package root) — the "pre-#17 fallback" had been masquerading as the active path - Lint pass (`black` + `ruff --fix`); 2 new mypy regressions fixed; `nip44.py` runtime exports narrowed to LocalSigner transitional + test-only ## Out of scope (tracked separately) - Continuous reverse-channel consumer + dashboard reconciliation UI — v2 follow-up (separate issue when ready, paired with `aiolabs/lamassu-next#57`) - Multi-operator-per-ATM coordination — `#21` S7 final ACs - Wallet-routing miss when LNbits' nostr-transport auto-account-from-npub fires for an ATM npub instead of the registered operator — symptom mitigation at `#31`, root-cause guard at `#32`, architectural fix at `#20` (S6) - v1 local-prvkey caveat for not-yet-bunker-migrated operators — documented in `#29` comment (mirrors bitspire `lamassu-next#56`) ## Commit chain (20) ``` d448fab chore(v2): lint pass — black + ruff auto-fix + mypy regressions dcb7de0 refactor(v2): cassette transport — signer.nip44_* migration 1cebefc test(v2): rewrite cassette tests for v1.1 position-keyed shape 3014962 refactor(v2)(ui): denomination editable per slot, position read-only 34e324b refactor(v2): cassette consumer + API endpoint — position-keyed 5dbd731 refactor(v2): cassette CRUD + transport — position-keyed 427cad3 refactor(v2): cassette models — position-keyed wire shape df6e8e0 feat(v2): m008 flip cassette_configs PK to (machine_id, position) 4b128ca test(v2): re-wire bitspire cross-test fixture for v1.1 23b6156 fix(v2)(ui): dirty cassette row — inset shadow accent 5f9c84b fix(v2)(ui): dirty cassette row needs explicit text-grey-9 (superseded) 5631246 test(v2): wire bitspire's NIP-44 v2 cross-test fixture from coord log 4071491 feat(v2)(ui): cassette sub-tab in machine detail + overwrite-confirm modal f8042f8 feat(v2): POST cassettes/publish API endpoint + ownership guard e57a730 feat(v2): bootstrap consumer task — auto-populate cassette_configs b9d5ea3 feat(v2): cassette_transport — kind-30078 publish + decrypt da07bae feat(v2): hand-rolled NIP-44 v2 crypto + reference-vector tests 9b8008d feat(v2): cassette_configs CRUD + unit tests 13684e7 feat(v2): m007 cassette_configs schema + Pydantic models ``` ## Test plan - [x] Unit tests green: `docker compose exec lnbits /app/.venv/bin/python -m pytest tests/` → 155 passed - [x] Live smoke publish (operator → ATM via bunker): `04a57d6a6ce2…` lands on relay - [x] Live smoke consume (ATM → operator via bunker): `970c67147e18…` applied, `cassette_configs` advanced - [x] Multi-same-denom HAL dispense validated on Sintra hardware (bitspire 06:22Z) - [x] Lint pass: black clean on touched files; ruff `--fix` applied; remaining 26 ruff warnings are stylistic (Pydantic `cls` validators, exception suffix preference, docstring line-length); mypy regressions from this PR fixed 🤖 Generated with [Claude Code](https://claude.com/claude-code)

padreug added 3 commits 2026-05-30 16:11:25 +00:00

feat(v2): m007 cassette_configs schema + Pydantic models (#29 v1) ... 13684e7134

Add the operator-side schema for per-machine ATM cassette inventory
(aiolabs/satmachineadmin#29). Schema choice mirrors the ATM-side
denomination-as-key invariant audited at coord-log 2026-05-30T06:40Z
across bitspire/atm-tui/src/db.zig:31, lamassu-next state-store.ts:54,
and hal-service.ts:116/189 — every ATM layer keys on denomination, so
the operator-side PK is (machine_id, denomination) to make
duplicate-denomination payloads impossible at the schema boundary.

Reserved nullable columns (state_count, state_at, state_event_id) hold
the latest bitspire-cassettes-state:<atm_pubkey_hex> event the ATM
publishes. v1 populates them on bootstrap-event receipt; v1 UI doesn't
render reconciliation. v2 reconciliation UI consumes them without a
migration.

Pydantic models in this commit:
  - CassetteConfig — read model for a stored row
  - UpsertCassetteConfigData — operator-edit form (count and/or position)
  - CassettePayloadRow — one denomination's wire-format values
  - PublishCassettesPayload — the full kind-30078 content payload,
    bidirectional (operator → ATM and ATM → operator share the shape).
    Validates int-coerced denomination keys, positive ints, no duplicate
    positions, and exposes to_wire_dict() that re-stringifies keys for
    JSON compatibility.

CRUD + transport + API + UI land in subsequent commits.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

feat(v2): cassette_configs CRUD + unit tests (#29 v1) ... 9b8008db1f

Wire up the cassette_configs storage layer:
  - get_cassette_config / list_cassette_configs_for_machine — reads
  - update_cassette_config — operator UI per-row edit (count + position).
    Refuses to create new rows; the denomination set is hardware-determined
    per #29 row lifecycle.
  - apply_bootstrap_state — consumer-side upsert from an ATM-published
    kind-30078 bitspire-cassettes-state event. Populates both the
    operator-believed columns and the v2 reverse-channel columns
    (state_count, state_at, state_event_id) in one transaction. Returns
    False on relay re-delivery (any existing row's state_event_id matches
    the incoming event_id).
  - _should_apply_bootstrap_state — pure-function dedup gate extracted
    from apply_bootstrap_state so the relay-re-delivery decision is
    unit-testable without a database round-trip.

23 new pure-function/model tests in tests/test_cassette_configs.py
covering the wire-shape validators (denomination key coercion, no-duplicate-
positions, int ranges, wire-dict round-trip) and the dedup-helper logic.
DB-touching CRUD follows the existing project convention (see
test_deposit_currency.py rationale): smoke-tested manually via the dev
container, integration tests deferred.

Total: 98 passed, 1 pre-existing async-plugin failure unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

feat(v2): hand-rolled NIP-44 v2 crypto + reference-vector tests (#29 v1) ... da07bae554

LNbits ships only NIP-04 (AES-CBC) in lnbits.utils.nostr.encrypt_content,
but the locked design at #29 (paired with lamassu-next#56) wires kind-30078
cassette config with NIP-44 v2 content per the privacy-by-default
architecture (dcd0874). Hand-rolling rather than adding a Python lib dep
per the plan-approval (option A) — keeps the impl auditable inline and
avoids pulling in a non-trivial dep tree.

nip44.py covers the full envelope:
  - get_conversation_key — ECDH x-coord + HKDF-extract with salt b"nip44-v2"
  - encrypt_with_conversation_key / decrypt_with_conversation_key — low-level,
    nonce-controllable for testing pinned vectors
  - encrypt_for / decrypt_from — high-level pair-keyed API (the shape app
    code reaches for)
  - _pad / _unpad — NIP-44 v2 length-prefixed padding scheme
  - HMAC-SHA256 verification on nonce || ciphertext, constant-time compare
    via hmac.compare_digest
  - Typed errors (Nip44VersionError / Nip44MacError / Nip44LengthError)
    so callers can distinguish tamper from corruption from spec mismatch

Stack: coincurve for ECDH (already a transitive lnbits dep), cryptography
for ChaCha20 + HKDF-expand (also already there). No new pyproject deps.

34 tests in tests/test_nip44_v2.py, three layers:
  1. Pinned reference vector — conversation_key for (sec=1, sec=2) matches
     the canonical paulmillr/nip44 published value
     (c41c775356fd92eadc63ff5a0dc1da211b268cbea22316767095b2871ea1412d).
     Regression-fails loudly if key derivation drifts.
  2. Round-trip + tamper detection — encrypt/decrypt across plaintext
     lengths (1, 32, 33, 1000, 5000, 65535 bytes); flipped MAC byte;
     flipped ciphertext byte; flipped nonce byte; wrong recipient privkey;
     version-byte rejection; padding-formula spot checks.
  3. Cross-impl byte-compat — placeholder test_decrypts_bitspire_sample
     marked @pytest.mark.skip, pending bitspire posting a sample event
     encrypted on their nostr-tools side to the coord log (per the
     2026-05-30T15:55Z entry). Wire that fixture and unskip when posted.

Total: 132 passed, 1 skipped (cross-test fixture pending), 1 pre-existing
async-plugin failure unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

padreug added 1 commit 2026-05-30 16:14:29 +00:00

feat(v2): cassette_transport — kind-30078 publish + decrypt (#29 v1) ... b9d5ea3c57

The Nostr-wire layer for operator ↔ ATM cassette config. Owns both
directions:

  operator → ATM (publish_to_atm):
    build PublishCassettesPayload → NIP-44 v2 encrypt to ATM pubkey →
    sign as operator via _sign_as_operator hybrid → publish through
    nostrclient.router.nostr_client.relay_manager
    d-tag: bitspire-cassettes:<atm_pubkey_hex>
    p-tag: <atm_pubkey_hex>

  ATM → operator (decrypt_and_parse_state_event):
    consumer task feeds inbound events (already sig-verified by the
    subscription layer); we NIP-44 v2 decrypt with operator privkey +
    event sender pubkey, JSON-parse, validate as PublishCassettesPayload
    d-tag: bitspire-cassettes-state:<atm_pubkey_hex>
    p-tag: <operator_pubkey_hex>

`_sign_as_operator` recovers the hybrid signer pattern from commits
131ff92 / e13178d (removed in dcd0874 for the NIP-78 fleet rip): tries
`from lnbits.core.signers import resolve_signer` first (post-#17 path),
falls back to a direct `account.prvkey` read for pre-#17 lnbits hosts.
Both paths produce identical signed events. Unlike the prior fleet-
publish that soft-failed on missing identity (CRUD side-effect), this
publish is operator-initiated so missing identity raises
OperatorIdentityMissing for the API to surface as 400.

`_atm_hex_pubkey(machine)` centralises the `<m>` placeholder rule from
the 2026-05-30T11:50Z coord-log entry: always normalize_public_key on
machine.machine_npub, NEVER use the internal dca_machines.id UUID. The
build_state_d_tags_for_machines helper exposes the canonical d-tag
list for the consumer subscription filter to use.

Typed errors map cleanly to HTTP statuses in the API caller:
  - OperatorIdentityMissing → 400 (operator hasn't onboarded)
  - SignerUnavailable → 503 (signer offline / client-side-only)
  - RelayUnavailable → 503 (nostrclient not installed)
  - CassetteEventDecodeError → consumer-side log + skip (never crash)

NIP-44 v2 ECDH needs the raw operator scalar, which the signer
abstraction's high-level sign_event doesn't expose. v1 reads
account.prvkey directly (same surface as the pre-#17 sign fallback);
post-bunker (lnbits#18) this becomes a NIP-44-over-bunker RPC and the
operator nsec leaves the LNbits host — v2 follow-up.

Smoke-tested via docker exec: round-trip publish (build → encrypt →
parse) of the realistic {"denominations": {"20": ..., "50": ...}}
payload; tamper detection on a corrupted content field; malformed
pubkey rejection.

Full suite: 132 passed, 1 skipped, 1 pre-existing async-plugin failure.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

padreug added 1 commit 2026-05-30 16:19:26 +00:00

feat(v2): bootstrap consumer task — auto-populate cassette_configs (#29 v1) ... e57a73083e

Long-running task wired into satmachineadmin_start that subscribes to
kind-30078 bitspire-cassettes-state:<atm_pubkey_hex> events from every
active machine's ATM and upserts cassette_configs via apply_bootstrap_state
on receipt. Pairs with bitspire's one-shot bootstrap publish in
aiolabs/lamassu-next#56 — operator's first config publish then validates
against a non-empty denomination set.

Pattern mirrors wait_for_paid_invoices (try/except per event, never lets
the loop die). Uses the same nostr_client.relay_manager singleton that
cassette_transport.publish_to_atm uses, just on the subscribe side.

Implementation: poll the singleton NostrRouter.received_subscription_events
dict keyed by our subscription_id (satmachineadmin-cassette-bootstrap).
This is the same drain pattern nostrclient's per-WebSocket NostrRouter
uses; since we use a distinct sub_id, no cross-contamination with
WebSocket-connected clients of nostrclient.

Filter is re-derived from active machines each tick — newly-added
machines start receiving bootstrap events without an LNbits restart.

Soft-fail surfaces (none crash the listener):
  - nostrclient extension not installed → log + 30s backoff
  - inbound event sig-verify fails → log + skip
  - sender pubkey not in dca_machines → log + skip (relay noise)
  - operator privkey not on file → log + skip
  - NIP-44 v2 decrypt / payload validation fails → log + skip
  - apply_bootstrap_state error → log + skip

Per-event handler routes to the right operator's privkey by looking up
the machine via get_machine_by_atm_pubkey_hex (O(N) over active
machines — fine for small fleets; if fleets grow, normalize machine_npub
at write + add an index).

CRUD additions:
  - list_all_active_machines: cross-operator query for the subscription
    filter
  - get_machine_by_atm_pubkey_hex: route inbound events to the right
    machine row + operator account; accepts hex or bech32 storage

14 tests in test_cassette_state_consumer.py covering:
  - decrypt_and_parse_state_event happy path + 6 negative paths (tamper,
    wrong privkey, malformed pubkey, missing fields, garbage JSON,
    wrong-shape payload)
  - d-tag construction regression guard (REGRESSION GUARD: d-tag uses
    ATM hex pubkey not internal UUID — pins the load-bearing detail
    from coord-log 11:50Z)
  - build_state_d_tags_for_machines + bech32 → hex canonicalisation

Full handler dispatch (verify_event → get_machine_by_atm_pubkey_hex →
apply_bootstrap_state) needs a live LNbits DB; smoke-tested manually
per the existing project convention.

Total: 146 passed, 1 skipped (cross-test fixture pending), 1 pre-existing
async-plugin failure unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

padreug added 1 commit 2026-05-30 16:22:03 +00:00

feat(v2): POST cassettes/publish API endpoint + ownership guard (#29 v1) ... f8042f8e4d

Two operator-scoped endpoints, both gated by check_user_exists +
_machine_owned_by:

  GET  /api/v1/dca/machines/{machine_id}/cassettes
    List the operator-owned machine's cassette_configs rows. Empty list
    means the ATM hasn't published its bootstrap event yet (or the
    consumer task hasn't drained it); UI shows a "waiting for ATM" state.

  POST /api/v1/dca/machines/{machine_id}/cassettes/publish
    Operator submits the full per-machine cassette state (PublishCassettes
    Payload) for publish to the ATM. Validates the denomination set
    matches what's stored (defensive — UI prevents add/remove but API
    enforces), upserts each row with the operator's user id as audit
    updated_by, then calls cassette_transport.publish_to_atm to encrypt+
    sign+publish kind-30078.

The path param `{machine_id}` is satmachineadmin's internal dca_machines.id
UUID; the handler fetches Machine and uses machine.machine_npub
canonicalised via normalize_public_key as the `<m>` value in the d-tag
bitspire-cassettes:<atm_pubkey_hex> per the locked design and the
2026-05-30T11:50Z coord-log nudge. Translation happens inside
cassette_transport._atm_hex_pubkey so the API handler stays thin.

Error mapping:
  400 — payload denomination set doesn't match stored set (operator
        publishing for a cassette the ATM doesn't have, or no rows
        exist because the bootstrap hasn't landed)
  400 — OperatorIdentityMissing (operator hasn't onboarded a Nostr
        identity via LNbits Nostr-login)
  503 — SignerUnavailable (signer offline / client-side-only)
  503 — RelayUnavailable (nostrclient extension not installed)
  500 — anything else from the publish path

Returns the fresh cassette_configs rows after the upserts so the UI
refreshes its table from one round-trip.

Total: 146 passed (route registration verified via FastAPI router
introspection), 1 skipped (cross-test fixture pending), 1 pre-existing
async-plugin failure unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

padreug referenced this pull request from a commit 2026-05-30 16:26:09 +00:00

feat(v2)(ui): cassette sub-tab in machine detail + overwrite-confirm modal (#29 v1)

padreug added 1 commit 2026-05-30 16:26:09 +00:00

feat(v2)(ui): cassette sub-tab in machine detail + overwrite-confirm modal (#29 v1) ... 407149137a

The operator-facing surface for #29 v1. Two changes:

1. Sub-tab inside the existing machine-detail modal
   (`templates/satmachineadmin/index.html`):
   - q-tabs strip with Settlements + Cassettes inside the machine detail
     q-card-section, wrapping the existing Settlements content in a
     q-tab-panel name="settlements" and adding a new q-tab-panel
     name="cassettes"
   - Cassettes panel renders the cassette_configs rows from
     GET /api/v1/dca/machines/{id}/cassettes:
       - One row per denomination (read-only label)
       - Editable q-input for count + position (the only operator-
         editable fields per the locked design)
       - ATM-reported count column (read-only, shows the v2 reverse-
         channel state_count when populated; v1 only populates on
         bootstrap)
       - Last-updated timestamp
       - Dirty rows highlighted bg-yellow-1
   - "Revert" + "Publish to ATM" buttons in the header; both disabled
     until at least one row is dirty
   - "Waiting for ATM bootstrap" banner when cassette_configs is empty
     (the bootstrap consumer hasn't received the ATM's state event yet)

2. Confirm-on-publish modal (per coord-log `07:50Z`):
   - Yellow warning banner: "This publish will overwrite the ATM's
     currently-tracked counts. If the ATM has dispensed cash since your
     last refill, those decrements will be lost. Publish only after a
     physical refill (a known total), not to 'tweak' counts mid-day. v2
     reconciliation will replace this modal with reconciled state display."
   - Per-denomination preview list of what's being sent
   - Cancel + Publish-to-ATM buttons

Vue 3 + Quasar UMD compliance per workspace CLAUDE.md: explicit-close
tags (no self-closing), v-model.number on the numeric inputs,
@update:model-value to trigger dirty-tracking, JSON-clone for the
pristine snapshot.

JS additions in `static/js/index.js`:
  - machineDetail.cassetteEdits / .cassettesPristine / .cassettesDirty /
    .cassettesLoading / .cassettesPublishing / .cassettesError state
  - cassettesTable.columns (no pagination — small fleets)
  - cassettePublishConfirm.show
  - loadMachineCassettes — fetches + sets pristine snapshot
  - markCassetteDirty — compares to pristine, toggles _dirty + the
    overall cassettesDirty flag
  - revertCassetteEdits — deep-clone pristine back into edits
  - openCassettePublishConfirm — opens the modal
  - submitCassettePublish — builds PublishCassettesPayload from edits,
    POSTs to /machines/{id}/cassettes/publish, refreshes from the
    response, closes modal on success, surfaces 400/503 errors in
    the inline banner

reloadMachineDetail now also calls loadMachineCassettes so the
Cassettes tab is pre-populated and tab-switching is flicker-free.
viewMachine resets the cassette state (edits, pristine, dirty, error,
activeTab) on each open.

This is the final commit in the #29 v1 chain. PR #30 is ready for
review once the build + manual smoke pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

padreug added 1 commit 2026-05-30 16:34:58 +00:00

test(v2): wire bitspire's NIP-44 v2 cross-test fixture from coord log (#29 v1) ... 5631246337

Bitspire posted the sample event at ~/dev/coordination/log.md
2026-05-30T13:15Z — encrypted via @bitSpire/nostr-client's
encryptContentV2 + createSignedEvent (the same production code path
the ATM bootstrap publish uses), round-tripped on bitspire side
before posting.

Replaces the @pytest.mark.skip stub from commit da07bae with three
real cross-impl byte-compat assertions in TestBitspireCrossTest:

  1. test_decrypts_bitspire_sample_event — the load-bearing one. Our
     nip44.decrypt_from recovers the expected
     {"denominations": {"20": ..., "50": ...}} plaintext from the
     fixture's ciphertext. Confirms our hand-rolled NIP-44 v2 produces
     wire output that nostr-tools' impl reads, and vice versa.

  2. test_signature_verifies_via_lnbits_helper — lnbits.utils.nostr.
     verify_event returns True for the fixture's (id, pubkey, sig).
     Confirms both sides hash the event id the same way + Schnorr-
     verify under the same x-only public-key convention. The consumer
     path runs verify_event before NIP-44 decrypt, so this is the
     other half of the sig-algorithm agreement check.

  3. test_encrypt_round_trip_via_our_impl_decrypts_with_their_keys —
     encrypts the expected plaintext using OUR encrypt_for with the
     fixture's ATM keypair as sender + operator pubkey as recipient;
     decrypts back with OUR decrypt_from; asserts the recovered
     plaintext matches. Locks the encrypt direction too. Asserts the
     re-encrypted ciphertext differs from the fixture's (NIP-44 v2
     nonces are random — byte-equality would be a CSPRNG regression).

If any of these ever fail, the spec ambiguity surfaces before either
side ships — exactly what the cross-test is for.

Same trap I made writing 16:35Z (didn't re-tail before writing, missed
bitspire's 13:15Z fixture post between my 15:55Z ask and the 16:35Z
ack) that bitspire owned at 07:55Z and I'd written into my session
memory as a rule. Symmetric lesson — the trap fires for any session
that goes head-down on implementation work.

Total: 149 passed (146 + 3 new), 0 skipped (cross-test no longer
skipped), 1 pre-existing async-plugin failure unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

padreug added 1 commit 2026-05-30 17:34:15 +00:00

fix(v2)(ui): dirty cassette row needs explicit text-grey-9 under dark theme ... 5f9c84b6e8

Per workspace CLAUDE.md "Dark-mode color discipline": pale bg-{color}-1
utilities render white-on-cream under the LNbits dark theme. The dirty-
row highlight in the Cassettes sub-tab used bg-yellow-1 alone, so the
denomination text (rendered as default-coloured <b>) went invisible on
the pale yellow background as soon as the operator started editing.

Paired with text-grey-9 the way the existing q-banner classes in this
file already are (bg-blue-1 text-grey-9, bg-orange-1 text-grey-9, etc).
Sintra dispatcher Greg surfaced this during the v1 joint smoke today
(coord-log 2026-05-30T17:55Z).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

padreug added 1 commit 2026-05-30 17:39:38 +00:00

fix(v2)(ui): dirty cassette row — inset shadow accent, not bg-color class ... 23b615601f

Previous attempt (commit 5f9c84b) added text-grey-9 to bg-yellow-1 on
the q-tr dirty class. Didn't work: per CLAUDE.md "CSS specificity trap"
— LNbits applies theme overrides on Quasar utility classes with
!important, so extension class rules lose the fight even when the
pairing is correct.

Switching to inline :style with an inset left-edge box-shadow accent
(4px yellow bar) instead of changing background or text colors at all.
Per CLAUDE.md: "Inline `style` attrs (static or via Vue `:style`) win
without an arms race." The dirty indicator is now a vertical yellow
accent on the row's left edge — visible under dark theme without
touching contrast.

Reported by user during v1 joint-smoke UX pass: editing count or
position turned the row cream-coloured and made cell contents
unreadable. Fix verified with the same screenshot scenario.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

padreug referenced this pull request from a commit 2026-05-30 20:22:33 +00:00

feat(v2): m008 flip cassette_configs PK to (machine_id, position) (#29 v1.1)

padreug added 1 commit 2026-05-30 20:22:33 +00:00

feat(v2): m008 flip cassette_configs PK to (machine_id, position) (#29 v1.1) ... df6e8e0a22

Coordinated v1.1 fix with the ATM side per coord-log 2026-05-30T18:30Z
+ 18:45Z. The m007 schema's denomination-PK was wrong:

  - Operators need to swap cartridge denominations during refill (a $20
    bay becomes a $50 bay) without re-provisioning. m007 made
    denomination immutable per slot.
  - Real machines have N cartridges of the same denomination for
    cash-out throughput (e.g., four $20 cartridges on a single ATM to
    avoid mid-day refill). m007 + denomination-PK rejected duplicates.

The flip:
  - PK becomes (machine_id, position). Position is the fixed hardware
    bay number; denomination + count are operator-editable per row.
  - No UNIQUE constraint on denomination — multiple same-denom cassettes
    are operationally valid.
  - New nullable column state_denomination for v2 reverse-channel
    reconciliation (operator-believed denomination per slot vs ATM-
    reported denomination — diff highlighting in v2 UI).

SQLite doesn't support ALTER PRIMARY KEY directly; the migration does
the standard create-new / backfill-from-old / drop / rename dance.
Idempotent via state_denomination column-probe.

Backfill choice: in m007 the row's denomination was simultaneously the
operator-believed AND the ATM-reported value (only write path was the
bootstrap consumer copying state.db verbatim). At migration time
state_denomination = current denomination as a best-guess baseline;
the next bootstrap event re-populates the state_* columns
authoritatively per the v1.1 wire shape.

Wire shape, models, CRUD, transport, consumer, API, and UI all flip in
subsequent commits. PR #30 will grow from 9 → 14 commits.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

padreug added 5 commits 2026-05-30 20:31:13 +00:00

refactor(v2): cassette models — position-keyed wire shape (#29 v1.1) ... 427cad33de

The wire format flips from
  {"denominations": {"<denom>": {"position", "count"}}}
to
  {"positions": {"<pos>": {"denomination", "count"}}}

per coord-log 2026-05-30T18:30Z + 18:45Z.

Per-row editable surface changes:
  - denomination becomes mutable (operator swaps cartridges during refill)
  - count remains mutable
  - position becomes the row identity (hardware bay number)

Removed: the no_duplicate_positions validator (no longer relevant — position
is the key, dups are impossible at the dict level) and the implicit
"denomination unique" assumption. Multiple positions with the same
denomination are now operationally valid per bitspire 18:45Z.

CassetteConfig model adds state_denomination (Optional[int]) for v2
reverse-channel reconciliation diff highlighting.

Tests under tests/test_cassette_configs.py and test_cassette_state_consumer.py
will fail at this commit — they reference the old denomination-keyed
shape. They get rewritten in v1.1 commit f. Branch tip is green only after
commit f lands; this and the next 3 commits are intermediate states.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

refactor(v2): cassette CRUD + transport — position-keyed (#29 v1.1) ... 5dbd7314f4

CRUD layer flips:
  - get_cassette_config(machine_id, position) — was (..., denomination)
  - list_cassette_configs_for_machine returns ORDER BY position alone
    (no secondary denomination ordering — position is the unique key)
  - update_cassette_config(machine_id, position, data, updated_by) —
    operator edits denomination + count for a fixed slot
  - apply_bootstrap_state upserts ON CONFLICT(machine_id, position)
    iterating payload.positions; populates new state_denomination
    column from row.denomination alongside state_count

cassette_transport.py needs almost no functional change — the wire
shape is implicit via PublishCassettesPayload.to_wire_dict (now emits
{"positions": {...}}) and decrypt_and_parse_state_event accepts what
the model parses. Just the module docstring + the publish log line
get updated to reference positions rather than denominations.

Tests still red until commit f rewrites them.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

refactor(v2): cassette consumer + API endpoint — position-keyed (#29 v1.1) ... 34e324b4c5

API endpoint:
  - api_publish_machine_cassettes validates incoming payload.positions
    set matches stored cassette_configs.position set (was: denomination
    set match). Error message updated to "slot count is hardware-fixed
    — re-provision the ATM via atm-tui to add/remove physical bays."
  - Per-row upsert loop iterates payload.positions and passes
    UpsertCassetteConfigData(denomination=, count=) — operator edits
    denomination + count for a fixed slot.

Bootstrap consumer task: just a log-message field rename (now reports
"N cassettes" from len(payload.positions) instead of len(payload.
denominations)). Per-event handler already routes through the
transport's decrypt_and_parse_state_event, which returns a
PublishCassettesPayload that's now position-keyed via the model.

Tests still red until commit f.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

refactor(v2)(ui): denomination editable per slot, position read-only (#29 v1.1) ... 3014962563

UI flips to position-keyed per the v1.1 redesign:

  - Column order: Bay | Denomination | Count | ATM-reported | Updated
    (position first, since it's the row identity)
  - Position becomes read-only: rendered as "Bay N" label
  - Denomination becomes an editable q-input (with the fiat code as a
    suffix on the input)
  - Count remains editable
  - ATM-reported column now shows "<denom> <fiat> · ×<count>" combining
    state_denomination + state_count for at-a-glance reconciliation
    (still v1: only the bootstrap snapshot; v2 reverse-channel makes
    this live)
  - Confirm-modal preview list: header is "Bay N", side shows the
    denomination + count being sent

JS:
  - cassettesTable.columns reordered to put position first
  - markCassetteDirty pivots on position (the immutable identity) and
    compares denomination + count against pristine
  - submitCassettePublish builds {positions: {<pos>: {denomination,
    count}}} payload instead of {denominations: ...}

No "lock icon" on denomination — the previous instinct to add one was
based on the m007 misinterpretation. v1.1 design correctly makes
denomination operator-editable.

Tests still red until commit f.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

test(v2): rewrite cassette tests for v1.1 position-keyed wire shape (#29 v1.1) ... 1cebefcde5

The wire-shape pivot (m007 denomination-keyed → m008 position-keyed)
needs the unit test surface re-written to match:

  test_cassette_configs.py
    - PublishCassettesPayload tests pivot to positions-keyed input.
      Validators reject non-int / non-positive position keys, negative
      denom, negative count. Zero count allowed (empty cassette).
    - NEW: test_accepts_multiple_same_denomination_cassettes — pins the
      v1.1 operational requirement (real machines load 4×$20 for cash-out
      throughput) per coord-log 18:45Z. No denom-unique validator.
    - CassettePayloadRow tests pivot to the new field shape
      (denomination + count, no position).
    - UpsertCassetteConfigData tests cover edit-denomination (the v1.1
      "operator swaps a cartridge during refill" scenario) and edit-count.
      Position no longer in the model.

  test_cassette_state_consumer.py
    - _make_state_event helper builds {"positions": {...}} ciphertext.
    - Happy-path assertion checks p.positions keys + denomination/count
      per row.
    - NEW: test_round_trips_multiple_same_denomination — covers the v1.1
      four-of-the-same case through encrypt → decrypt → parse.
    - All negative paths (tamper, wrong privkey, malformed pubkey,
      missing fields, garbage JSON, wrong shape) carry over with the new
      payload shape.
    - d-tag tests unchanged (position vs denomination isn't on the d-tag).

  test_nip44_v2.py
    - TestBitspireCrossTest temporarily re-skipped at the class level: the
      13:15Z fixture is encoded with the v1 denomination-keyed shape;
      bitspire's posting a v1.1 fixture and commit g will swap +
      unskip.

Total: 148 passed, 3 skipped (bitspire cross-test pending the v1.1
fixture from bitspire), 1 pre-existing async-plugin failure unchanged.

Branch tip is now functionally green (the pre-existing async failure
predates this PR + can't be addressed without a pytest plugin install).
Pending commit g for the cross-test fixture re-wire when bitspire posts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

padreug referenced this pull request from a commit 2026-05-30 20:43:16 +00:00

test(v2): re-wire bitspire cross-test fixture for v1.1 positions-keyed shape (#29 v1.1)

padreug added 1 commit 2026-05-30 20:43:16 +00:00

test(v2): re-wire bitspire cross-test fixture for v1.1 positions-keyed shape (#29 v1.1) ... 4b128ca53c

Replaces the v1 fixture (denominations-keyed, 2026-05-30T13:15Z) with
bitspire's v1.1 fixture (positions-keyed, 2026-05-30T19:00Z log entry).
Drops the class-level @pytest.mark.skip from commit 1cebefc.

The v1.1 fixture intentionally includes two positions (1 + 2) both
holding denomination=20 — exercises the multi-same-denomination round-
trip end-to-end through encrypt → wire → decrypt → payload-validate.
Pinned explicitly in test_decrypts_bitspire_sample_event:

    assert payload["positions"]["1"]["denomination"] == 20
    assert payload["positions"]["2"]["denomination"] == 20
    assert payload["positions"]["1"]["count"] != payload["positions"]["2"]["count"]

So a future "fix" that re-introduces denom-uniqueness validation
surfaces at this test instead of as a runtime rejection on real
machines (the v1.1 operational case from coord-log 18:45Z).

Other two cross-tests (test_signature_verifies_via_lnbits_helper,
test_encrypt_round_trip_via_our_impl_decrypts_with_their_keys) carry
over from v1 unchanged — same shape, just the new fixture's keys +
event flow through them.

Total: 151 passed, 0 skipped, 1 pre-existing async-plugin failure
unchanged. PR #30 is now byte-compat-verified end-to-end with the
v1.1 wire shape; bitspire side is typecheck-green + about to cache-
push (per coord-log 20:55Z). Joint re-smoke on Sintra is the
remaining v1.1 step.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

padreug added 1 commit 2026-05-31 07:21:48 +00:00

refactor(v2): cassette transport — signer.nip44_* migration (#29 v1.1 / closes #21 partial) ... dcb7de0c27

Migrates the cassette transport's encrypt/decrypt paths off direct
`account.prvkey` reads to `signer.nip44_encrypt` / `signer.nip44_decrypt`
on the NostrSigner ABC landed by aiolabs/lnbits PR #38 (phase 2.4). Closes
the operator-side regression flagged at coord-log 2026-05-31T06:50Z:
Greg's RemoteBunkerSigner-migrated account had `accounts.prvkey IS NULL`
post-bunker, which the old code couldn't handle — consumer was logging
WARN every poll cycle and skipping every inbound state event.

## What changed

### cassette_transport.py

- New imports: `resolve_signer`, `SignerError`, `SignerUnavailableError`,
  `NsecBunkerTimeoutError`, `NsecBunkerRpcError` from the post-#38 lnbits
  surface. (The `try: from lnbits.core.signers import SignerError` block
  in the old code was permanently failing because `SignerError` actually
  lives in `lnbits.core.signers.base`, not the package root — fixed.)
- New `_resolve_operator_signer(operator_user_id)`: single source of
  truth for "give me the operator's account + NostrSigner, or raise an
  operator-facing error." Used by both the publish path and the consumer
  task.
- New `_nip44_encrypt_via_signer(account, signer, plaintext, peer)`
  and `_nip44_decrypt_via_signer(...)`: route through `signer.nip44_*`
  first; on `SignerUnavailableError` from a LocalSigner stub (the
  post-#38 ABC has LocalSigner raise on nip44_* explicitly — bunker
  migration required for NIP-44 v2), fall back to the hand-rolled impl
  against `account.prvkey`. Transitional until every operator on the
  instance is bunker-backed (S7).
- `_sign_as_operator` simplified: now `await signer.sign_event(event)`
  (the ABC is async; the old code passed `signer.sign_event` to the
  caller without await, returning a coroutine — also broken but never
  hit because the ImportError fallback fired first).
- `publish_to_atm` flow: `_resolve_operator_signer` → `_nip44_encrypt_
  via_signer` → `_sign_as_operator` → publish. Each step maps bunker /
  signer errors to `OperatorIdentityMissing` (400) / `SignerUnavailable`
  (503) / `CassetteTransportError` (500) for the API handler.
- `decrypt_and_parse_state_event` now `async` and takes `(event, account,
  signer)` instead of `(event, operator_privkey_hex)`. Maps
  `NsecBunkerTimeoutError` → `CassetteEventTransientError` (caller
  should retry on next poll, NOT advance `state_event_id`).
  `NsecBunkerRpcError` / `SignerUnavailableError` / `Nip44Error` / etc.
  → `CassetteEventDecodeError` (terminal — caller logs + skips).
- New `CassetteEventTransientError` class for the bunker-timeout case.
  Distinct from `CassetteEventDecodeError` so the consumer can log at
  INFO + retry vs WARNING + advance.
- Deleted `_get_operator_privkey_hex` (no longer needed).

### tasks.py — _handle_cassette_state_event

- Resolves the signer via `_resolve_operator_signer(machine.operator_
  user_id)`. On `CassetteTransportError` (OperatorIdentityMissing /
  SignerUnavailable), logs + skips.
- Awaits `decrypt_and_parse_state_event(event_obj, account, signer)`.
  On `CassetteEventTransientError`, logs at INFO + returns (state_event_
  id NOT advanced → consumer retries on next poll cycle).
  On `CassetteEventDecodeError`, logs at WARNING + returns (still
  state_event_id NOT advanced for v1; the WARN log surfaces the
  underlying issue for operator triage).

### tests/test_cassette_state_consumer.py — rewritten

- Three test doubles: `_FakeBunkerSigner` (working nip44_decrypt via
  hand-rolled impl), `_FakeLocalSignerStub` (raises like the post-#38
  LocalSigner stub), `_FakeRaisingSigner` (configurable exception).
- `_fake_account` helper using SimpleNamespace — the code under test
  only reads `.signer_type` + `.prvkey`.
- Five test classes covering: bunker-signer happy path (incl. multi-
  same-denom round-trip), LocalSigner transitional fallback,
  bunker-error mapping (timeout → transient, rpc reject → decode),
  payload validation (tamper / wrong-key / missing-fields / garbage
  JSON / wrong shape), d-tag construction (unchanged, kept as
  regression guard).
- Async coroutines driven via `asyncio.run` — matches the existing
  project pattern (no pytest-asyncio plugin in CI; see test_init.py
  failure mode).

### nip44.py — docstring update

Added a "Runtime status (post lnbits PR #38, 2026-05-31)" section
documenting that runtime usage moved to `signer.nip44_*` and this
module's role narrowed to (a) the LocalSigner transitional fallback
called from `cassette_transport`, and (b) test-only fixtures in
test_nip44_v2.py for spec-vector + bitspire cross-test validation.
"Don't add new runtime call sites here. The signer abstraction is
the path."

## Verification

- 155 passed, 1 pre-existing async-plugin failure unchanged. The 19
  consumer tests cover bunker happy path + LocalSigner fallback +
  bunker error mapping + payload validation + d-tag construction.
- Live smoke against Greg's RemoteBunkerSigner-migrated account
  on the regtest container: consumer correctly resolves the bunker
  signer, fires `NIP-46 rpc -> method=nip44_decrypt`, catches the
  resulting `NsecBunkerTimeoutError` (the local nsecbunkerd is not
  responding within 15s — separate operational concern), maps to
  `CassetteEventTransientError`, logs at INFO with "will retry next
  poll", and crucially does NOT advance `state_event_id` on the
  cassette_configs rows. Retry semantics preserved.

## Outstanding

- The bunker timeout itself is an operational issue (nsecbunkerd
  config / policy / process state for kind-less nip44_decrypt RPC) —
  not a satmachineadmin code concern; surface to the nsecbunkerd /
  lnbits sessions if it persists.
- Once every operator on the instance is on RemoteBunkerSigner (S7
  fully landed), the `_nip44_*_via_signer` helpers collapse to a
  direct `await signer.nip44_*` call, the LocalSigner fallback can
  be deleted, and `nip44.py`'s runtime exports retire (test-only).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

padreug referenced this pull request 2026-05-31 12:06:12 +00:00

S7 — Consume LNbits sidecar bunker (was: NIP-46 bunker option) #21

padreug referenced this pull request 2026-05-31 12:07:00 +00:00

Operator dashboard: per-machine cassette inventory config #29

padreug referenced this pull request from a commit 2026-05-31 13:50:17 +00:00

chore(v2): lint pass — black + ruff auto-fix + mypy regressions (#29 v1.1)

padreug added 1 commit 2026-05-31 13:50:17 +00:00

chore(v2): lint pass — black + ruff auto-fix + mypy regressions (#29 v1.1) ... d448fab0d2

Pre-merge lint hygiene on the PR #30 touched files:

- `black` reformatted 9 files (cassette_transport, crud, models, tasks,
  views_api, nip44, all 3 cassette test files, migrations). Cosmetic:
  line lengths, trailing commas, multi-line argument layout.
- `ruff check --fix` cleared 176 of 202 errors auto-fixed. Mostly
  `UP006` `typing.Optional` → `| None` modernization, `I001` import
  sort order, `UP035` typing-extensions cleanup.
- Two new mypy regressions introduced by the migration commit dcb7de0
  fixed:
  - `crud.py:apply_bootstrap_state` — annotated `existing_first: dict
    | None` on the dedup fetch.
  - `tasks.py:_cassette_consumer_tick` — `# type: ignore[arg-type]` on
    the `nostr_client.relay_manager.add_subscription` call; nostrclient's
    upstream typing declares `list[str]` for filters but the actual
    Nostr protocol takes `list[<filter-dict>]`. The runtime accepts it
    (live smoke at 13:43Z dispatched `nip44_decrypt` cleanly through
    this subscription); the typing mismatch is upstream's.

Remaining lint state, intentionally not addressed in this commit
(all pre-existing baseline, not regressions):
- 8 mypy errors in `calculations.py` + the unchanged-by-this-PR parts
  of `crud.py` — pre-existing on v2-bitspire.
- 26 ruff style warnings: 14 are N805 false-positives on Pydantic
  validators (`cls` first-arg is correct for `@validator`-decorated
  methods); 4 are N818 exception-name-suffix preferences on my new
  exception classes (renaming would touch many call sites; keep
  `OperatorIdentityMissing` / `SignerUnavailable` / `RelayUnavailable`
  / `_NostrclientUnavailable` as-is for clarity); 5 are E501 line-too-
  long on docstrings (the long lines are formatted for clarity);
  1 RUF002 unicode-minus in a docstring.

Tests: 155 passed, 1 pre-existing async-plugin failure unchanged.
Live smoke (both publish + consume directions through the bunker)
unaffected — this is purely a code-style pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

padreug changed title from feat(v2): operator-side cassette inventory v1 (#29) to feat(v2): operator-side cassette inventory v1.1 + signer.nip44_* migration (#29) 2026-05-31 13:53:25 +00:00

padreug merged commit 44f6c0b1bd into v2-bitspire 2026-05-31 13:54:19 +00:00

padreug deleted branch feat/cassette-config-v1 2026-05-31 13:54:19 +00:00

padreug referenced this pull request from a commit 2026-05-31 13:54:20 +00:00

Merge pull request 'feat(v2): operator-side cassette inventory v1.1 + signer.nip44_* migration (#29)' (#30) from feat/cassette-config-v1 into v2-bitspire

padreug referenced this pull request 2026-05-31 13:57:48 +00:00

Operator dashboard: per-machine cassette inventory config #29

padreug referenced this pull request 2026-05-31 20:18:18 +00:00

feat: operator-configurable fee architecture (super% + per-machine operator%) — replaces bitspire-hardcoded fee #37

padreug referenced this pull request 2026-05-31 20:23:10 +00:00

feat: Layer 2 — publish operator fee config to bitspire via Nostr (kind-30078) #39

padreug referenced this pull request 2026-06-01 07:03:27 +00:00

track: legacy aiolabs/lamassu-server issue disposition under Nostr-native architecture (+ future: customer KYC via Nostr DM) #40

padreug referenced this pull request from aiolabs/spirekeeper 2026-06-14 07:08:47 +00:00

track: legacy aiolabs/lamassu-server issue disposition under Nostr-native architecture (+ future: customer KYC via Nostr DM) #18

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

aiolabs/satmachineadmin!30

No description provided.