spirekeeper

aiolabs/spirekeeper

Fork 0

Commit graph

Author	SHA1	Message	Date
Padreug	d717a6e214	refactor(v2): canonical sat-amount vocabulary + delete Lamassu-era reverse-derivation Cross-codebase decision logged at memory `reference_sat_amount_vocabulary.md` and at `~/dev/coordination/log.md` (2026-05-26). Canonical names with explicit units across satmachineadmin, lamassu-next, atm-tui: - `wire_sats` — actual Lightning payment amount (direction-agnostic; was `gross_sats`, only "gross" for cash-out) - `principal_sats` — market-rate sats before commission (unchanged) - `fee_sats` — commission (was `commission_sats` internally; already the wire format) - `fee_fraction` — commission rate as unit fraction in [0, 1] (was `_pct` / `fee_percent`; eliminates the latent 100x bug from `feePercent 100` on the lamassu-next side) Invariants enforced in bitspire._assert_sat_invariants on every parsed settlement — range (all sats >= 0, 0 <= fee_fraction <= 1) + direction-specific sum: - cash-out: wire_sats == principal_sats + fee_sats - cash-in: wire_sats == principal_sats - fee_sats AND fee_sats <= principal_sats Breaches raise SettlementInvariantError; tasks._handle_payment records the row as `status='rejected'` with the exception message and skips distribution. Attribution failure path symmetric. Schema changes (m001 + m006): - dca_settlements.gross_sats -> wire_sats - dca_settlements.commission_sats -> fee_sats - super_config.super_fee_pct -> super_fee_fraction - dca_commission_splits.pct -> fraction - dca_machines.fallback_commission_pct DROPPED (obsolete) - dca_settlements.used_fallback_split DROPPED (obsolete) m006 idempotently renames + drops columns on existing installs; m001 lays down the canonical schema for fresh installs. Obsolete code removed (Lamassu-era reverse-derivation): - calculations.calculate_commission — back-derived principal+fee from gross-with-commission-baked-in. v2 stamps both directly. - calculations.calculate_exchange_rate — bitSpire stamps directly. - bitspire._parse_fallback — sole caller of calculate_commission. - Machine.fallback_commission_fraction — only read by _parse_fallback. - DcaSettlement.used_fallback_split — only written by _parse_fallback. parse_settlement now raises SettlementMetadataError if Payment.extra lacks the bitSpire stamp or required absolute sat fields. No silent back-derivation; upstream-bug surfacing via dashboard rejection. Frontend (JS + Quasar templates) updated for the column renames and the removed fallback fields. Settlements table renders "Wire" + "Fee" columns; the "(fallback split)" warning badge is gone. Tests: - test_calculations.py: kept distribution tests; deleted calculate_commission + calculate_exchange_rate tests. - test_two_stage_split.py: renamed variables; rewrote docstring value literals (e.g. `super_fee_fraction=0.30` not `=30%`). - test_nostr_attribution.py: dropped fallback_commission_fraction from machine fixture. - 72/72 pass on regtest container. Cross-codebase follow-ups tracked in coordination log: - lamassu-next: rename `fee_percent` -> `fee_fraction` on Payment.extra + state.db; drop the `* 100` at lightning.ts:780. - atm-tui: read `fee_fraction` column in db.zig. Memory artefacts: - reference_sat_amount_vocabulary.md (canonical + invariants) - feedback_pct_to_fraction_renames_need_value_sweep.md (gotcha) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-26 20:08:30 +02:00
Padreug	9414a18f82	feat(v2): reject settlements that fail nostr attribution cross-check (S5 G5) When LNbits' nostr-transport stamps `nostr_sender_pubkey` and `nostr_event_id` onto Payment.extra (post aiolabs/lnbits PR #4), the listener now cross-checks the signer against the resolved machine's `machine_npub` before any distribution. Mismatch / absence / unparseable pubkey → settlement is recorded with `status='rejected'` and the reason in `error_message`, distribution is skipped. Wire shape: bitspire.SettlementAttributionError + assert_nostr_attribution() Raises on absence, mismatch, or unparseable pubkey on either side. Normalises both `machine.machine_npub` (operator UI accepts hex or `npub1...`) and the stamped sender through `lnbits.utils.nostr.normalize_public_key` so the comparison is canonical-hex on both sides. tasks._handle_payment parse_settlement -> stamp nostr_event_id onto bitspire_event_id -> try assert_nostr_attribution: on failure, insert row with initial_status='rejected' + error_message, return without spawning process_settlement. crud.create_settlement_idempotent Now takes `initial_status` (required) and `error_message`. Normal path passes 'pending'; rejected path passes 'rejected' with the reason. Single-statement insert — no two-step pending-> errored dance. crud.get_stuck_settlements_for_operator New `rejected` bucket alongside `errored` / `stuck_pending` / `stuck_processing`. Distinct because retry is wrong for these: the row was misrouted, not operationally failed. models.DcaSettlement.status enum extended with 'rejected'. Worklist response model carries the new bucket; API + UI plumbed end-to-end. static/js/index.js + templates/satmachineadmin/index.html New 'rejected' worklist bucket (deep-orange, gpp_bad icon). Force-reset button now scoped to stuck_pending / stuck_processing only — was 'not errored' which would have shown on rejected too. 10 unit tests in tests/test_nostr_attribution.py cover hex<->hex, hex<->bech32, case-insensitivity, every absent variant, mismatch, and unparseable on either side. All pass. Closes the consumer-side of aiolabs/satmachineadmin#19 (G5). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-15 22:39:30 +02:00

Author

SHA1

Message

Date

Padreug

d717a6e214

refactor(v2): canonical sat-amount vocabulary + delete Lamassu-era reverse-derivation

Cross-codebase decision logged at memory `reference_sat_amount_vocabulary.md`
and at `~/dev/coordination/log.md` (2026-05-26). Canonical names with
explicit units across satmachineadmin, lamassu-next, atm-tui:

  - `wire_sats` — actual Lightning payment amount (direction-agnostic;
                  was `gross_sats`, only "gross" for cash-out)
  - `principal_sats` — market-rate sats before commission (unchanged)
  - `fee_sats` — commission (was `commission_sats` internally;
                 already the wire format)
  - `fee_fraction` — commission rate as unit fraction in [0, 1]
                     (was `*_pct` / `fee_percent`; eliminates the
                     latent 100x bug from `feePercent * 100` on the
                     lamassu-next side)

Invariants enforced in bitspire._assert_sat_invariants on every
parsed settlement — range (all sats >= 0, 0 <= fee_fraction <= 1) +
direction-specific sum:

  - cash-out: wire_sats == principal_sats + fee_sats
  - cash-in:  wire_sats == principal_sats - fee_sats
              AND fee_sats <= principal_sats

Breaches raise SettlementInvariantError; tasks._handle_payment
records the row as `status='rejected'` with the exception message
and skips distribution. Attribution failure path symmetric.

Schema changes (m001 + m006):

  - dca_settlements.gross_sats              -> wire_sats
  - dca_settlements.commission_sats         -> fee_sats
  - super_config.super_fee_pct              -> super_fee_fraction
  - dca_commission_splits.pct               -> fraction
  - dca_machines.fallback_commission_pct    DROPPED (obsolete)
  - dca_settlements.used_fallback_split     DROPPED (obsolete)

m006 idempotently renames + drops columns on existing installs;
m001 lays down the canonical schema for fresh installs.

Obsolete code removed (Lamassu-era reverse-derivation):

  - calculations.calculate_commission — back-derived principal+fee
    from gross-with-commission-baked-in. v2 stamps both directly.
  - calculations.calculate_exchange_rate — bitSpire stamps directly.
  - bitspire._parse_fallback — sole caller of calculate_commission.
  - Machine.fallback_commission_fraction — only read by _parse_fallback.
  - DcaSettlement.used_fallback_split — only written by _parse_fallback.

parse_settlement now raises SettlementMetadataError if Payment.extra
lacks the bitSpire stamp or required absolute sat fields. No silent
back-derivation; upstream-bug surfacing via dashboard rejection.

Frontend (JS + Quasar templates) updated for the column renames and
the removed fallback fields. Settlements table renders "Wire" + "Fee"
columns; the "(fallback split)" warning badge is gone.

Tests:
  - test_calculations.py: kept distribution tests; deleted
    calculate_commission + calculate_exchange_rate tests.
  - test_two_stage_split.py: renamed variables; rewrote docstring
    value literals (e.g. `super_fee_fraction=0.30` not `=30%`).
  - test_nostr_attribution.py: dropped fallback_commission_fraction
    from machine fixture.
  - 72/72 pass on regtest container.

Cross-codebase follow-ups tracked in coordination log:
  - lamassu-next: rename `fee_percent` -> `fee_fraction` on
    Payment.extra + state.db; drop the `* 100` at lightning.ts:780.
  - atm-tui: read `fee_fraction` column in db.zig.

Memory artefacts:
  - reference_sat_amount_vocabulary.md (canonical + invariants)
  - feedback_pct_to_fraction_renames_need_value_sweep.md (gotcha)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-26 20:08:30 +02:00

Padreug

9414a18f82

feat(v2): reject settlements that fail nostr attribution cross-check (S5 G5)

When LNbits' nostr-transport stamps `nostr_sender_pubkey` and
`nostr_event_id` onto Payment.extra (post aiolabs/lnbits PR #4), the
listener now cross-checks the signer against the resolved machine's
`machine_npub` before any distribution. Mismatch / absence / unparseable
pubkey → settlement is recorded with `status='rejected'` and the
reason in `error_message`, distribution is skipped.

Wire shape:

  bitspire.SettlementAttributionError + assert_nostr_attribution()
    Raises on absence, mismatch, or unparseable pubkey on either side.
    Normalises both `machine.machine_npub` (operator UI accepts hex
    or `npub1...`) and the stamped sender through
    `lnbits.utils.nostr.normalize_public_key` so the comparison is
    canonical-hex on both sides.

  tasks._handle_payment
    parse_settlement -> stamp nostr_event_id onto bitspire_event_id ->
    try assert_nostr_attribution: on failure, insert row with
    initial_status='rejected' + error_message, return without
    spawning process_settlement.

  crud.create_settlement_idempotent
    Now takes `initial_status` (required) and `error_message`.
    Normal path passes 'pending'; rejected path passes 'rejected'
    with the reason. Single-statement insert — no two-step pending->
    errored dance.

  crud.get_stuck_settlements_for_operator
    New `rejected` bucket alongside `errored` / `stuck_pending` /
    `stuck_processing`. Distinct because retry is wrong for these:
    the row was misrouted, not operationally failed.

  models.DcaSettlement.status enum extended with 'rejected'.
    Worklist response model carries the new bucket; API + UI plumbed
    end-to-end.

  static/js/index.js + templates/satmachineadmin/index.html
    New 'rejected' worklist bucket (deep-orange, gpp_bad icon).
    Force-reset button now scoped to stuck_pending / stuck_processing
    only — was 'not errored' which would have shown on rejected too.

10 unit tests in tests/test_nostr_attribution.py cover hex<->hex,
hex<->bech32, case-insensitivity, every absent variant, mismatch,
and unparseable on either side. All pass.

Closes the consumer-side of aiolabs/satmachineadmin#19 (G5).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-15 22:39:30 +02:00

2 commits