feat(v2): collision guard — refuse machines whose npub matches an operator account (#32)

Adds `_assert_no_pubkey_collision` to `views_api`, wired into
`api_create_machine` between the wallet-ownership guard and the
`create_machine` CRUD call. Refuses with HTTP 400 + operator-actionable
error message if the supplied `machine_npub` matches any existing
LNbits operator account's `accounts.pubkey`.

## Why this matters

Reproducer 2026-05-30T21:33Z (coord-log archive `2026-05-31-pre-rotation.md`):
Greg's operator account `accounts.pubkey` had been seeded as the same
value as Sintra's `dca_machines.machine_npub` (`522a4538…`) during
manual setup. The collision masked the routing bug for days — lnbits'
nostr-transport `auth.py:resolve_nostr_auth` was routing inbound
kind-21000 RPCs from the ATM directly to Greg's wallet *by coincidence*
of the matching pubkey. When Greg's account migrated to
`RemoteBunkerSigner` and got a fresh pubkey, the coincidence broke +
`auto-account-from-npub` fired for the orphaned ATM npub. A real $20
test cash-out silently landed on a fresh auto-account wallet
(`a94b564f…`); satmachineadmin lost the settlement entirely — no
`dca_settlements` row, no DCA distribution, no commission split.

The proper architectural fix is path B / `aiolabs/satmachineadmin#20`
(S6, in-progress with lnbits — coord-log `2026-05-31T15:25Z`). This
guard is the complementary preventive layer: stops a future operator
from re-entering the broken state by registering a machine whose npub
collides with an existing account.

## What's in this commit

- **`views_api._assert_no_pubkey_collision`** — canonicalises the input
  npub (accepts hex or `npub1…` bech32) via `normalize_public_key`,
  queries `lnbits.core.crud.users.get_account_by_pubkey` (which itself
  lowercases internally), raises HTTPException(400) on hit. Error
  message names the canonical pubkey prefix, explains the
  pubkey-collision dependency that breaks on operator pubkey rotation,
  + points to the `lamassu-next provision-atm` remediation path +
  this issue for context.
- **Wired into `api_create_machine`** after `_assert_wallet_owned_by`
  + before `create_machine`. `api_update_machine` is unaffected
  because `UpdateMachineData` doesn't allow npub changes on existing
  rows.
- **`tests/test_collision_guard.py`** — 7 unit tests covering hex /
  bech32 / uppercase-hex inputs all canonicalise to the same lookup,
  the no-collision case returns silently, error message asserts
  (truncated pubkey + remediation hint). Uses pytest monkeypatch to
  isolate the assertion logic from a live `get_account_by_pubkey` DB
  call — matches the assertion-style pattern of
  `tests/test_nostr_attribution.py`.
- **`CLAUDE.md`** — new "No-collision invariant" subsection under
  Security Considerations: documents the rule + the SQL check
  operators can run on existing installs + the
  `ATM_PRIVATE_KEY`-unset remediation + cross-refs to `#20` and `#32`.

## Regtest SQL check result

Ran the diagnostic SQL against the regtest LNbits + satmachineadmin DBs:

- 1 active `dca_machines.machine_npub`: `522a4538…` (Greg's Sintra)
- 1 collision found: the auto-account orphan `a94b564f…` (username =
  None — auto-account signature) created during yesterday's silent-drop
  failure mode. NOT a legitimate operator account. Greg's actual
  operator account `ac35c9fc…` carries pubkey `197a4cf4…` post-bunker
  migration, no collision there.

The orphan is operational cleanup (sweep + delete), separate from this
code fix. No real-operator collisions remain on the regtest instance.

## Test status

162 passed, 1 pre-existing async-plugin failure unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

views_api.py

@@ -9,8 +9,10 @@ from http import HTTPStatus
 
 from fastapi import APIRouter, Depends, HTTPException
 from lnbits.core.crud import get_wallet
+from lnbits.core.crud.users import get_account_by_pubkey
 from lnbits.core.models import User
 from lnbits.decorators import check_super_user, check_user_exists
+from lnbits.utils.nostr import normalize_public_key
 
 from .cassette_transport import (
     CassetteTransportError,
@@ -105,6 +107,46 @@ async def _assert_wallet_owned_by(wallet_id: str, user_id: str) -> None:
         )
 
 
+async def _assert_no_pubkey_collision(machine_npub: str) -> None:
+    """Defence-in-depth: refuse to register a machine whose npub matches
+    any LNbits operator account's pubkey.
+
+    Such a collision causes lnbits' nostr-transport `auth.py:resolve_
+    nostr_auth` to route inbound kind-21000 RPCs from the ATM directly
+    to that operator's wallet — works by coincidence, but breaks silently
+    the moment the operator's pubkey rotates (because the auto-account-
+    from-npub flow then fires for the ATM's now-orphaned npub, and the
+    invoice lands on a fresh auto-account wallet instead). Reproducer:
+    Greg's Sintra silent-drop on 2026-05-30T21:33Z. See
+    aiolabs/satmachineadmin#32 for the failure mode + this guard's
+    design rationale.
+
+    Path B (`#20` roster-lookup) is the architectural fix at the
+    routing layer; this guard prevents new operators from inadvertently
+    setting up the collision in the first place. Two layers of defence.
+
+    Idempotent on the same caller re-attempting machine creation with
+    the same npub (the second attempt hits the dca_machines.machine_npub
+    UNIQUE on m001, not this guard — they only collide with operator-
+    account pubkeys, not other machine npubs).
+    """
+    canonical = normalize_public_key(machine_npub).lower()
+    matching = await get_account_by_pubkey(canonical)
+    if matching is not None:
+        raise HTTPException(
+            HTTPStatus.BAD_REQUEST,
+            (
+                f"machine_npub {canonical[:12]}... collides with an "
+                f"existing LNbits operator account's pubkey. Registering "
+                "an ATM under this npub would silently route invoices via "
+                "a pubkey-collision dependency that breaks on operator "
+                "pubkey rotation. Use a fresh ATM keypair: lamassu-next "
+                "`provision-atm` regenerates one with `ATM_PRIVATE_KEY` "
+                "unset. See aiolabs/satmachineadmin#32."
+            ),
+        )
+
+
 # =============================================================================
 # Machines
 # =============================================================================
@@ -115,6 +157,7 @@ async def api_create_machine(
     data: CreateMachineData, user: User = Depends(check_user_exists)
 ) -> Machine:
     await _assert_wallet_owned_by(data.wallet_id, user.id)
+    await _assert_no_pubkey_collision(data.machine_npub)
     machine = await create_machine(user.id, data)
     return machine