fix: invoice error mapping so Stripe 4xx responses are not returned as 500

Co-authored-by: userAdityaa <aditya.chaudhary1558@gmail.com>
Co-committed-by: userAdityaa <aditya.chaudhary1558@gmail.com>

backend/.env.template

@@ -4,7 +4,7 @@ PORT=3000
 ALLOW_ORIGINS=                 # Optional comma-separated allowed CORS origins; empty = permissive
 
 # Auth
-ADMINS=                        # Comma-separated admin keys (hex pubkey or npub)
+ADMINS=                        # Comma-separated hex pubkeys with admin access
 
 # Database
 DATABASE_URL=sqlite://data/caravel.db

backend/README.md

@@ -35,7 +35,7 @@ Environment variables:
 | `DATABASE_URL` | SQLite URL. Relative paths are resolved under `backend/`. | `sqlite://<backend>/data/caravel.db` |
 | `HOST` | API bind host (also used for NIP-98 `u` host check) | `127.0.0.1` |
 | `PORT` | API bind port | `3000` |
-| `ADMINS` | Comma-separated admin pubkeys (`hex` or `npub`) | _optional_ |
+| `ADMINS` | Comma-separated admin pubkeys (hex) | _optional_ |
 | `ALLOW_ORIGINS` | Comma-separated CORS origins. If empty, CORS is permissive. | _optional_ |
 | `ZOOID_API_URL` | Zooid API base URL used by infra worker | _required for infra sync_ |
 | `ZOOID_API_SECRET` | Nostr secret key used for authentication of requests to the zooid API | _required_ |

backend/migrations/0001_init.sql

@@ -12,7 +12,7 @@ CREATE TABLE IF NOT EXISTS tenant (
   nwc_url TEXT NOT NULL DEFAULT '',
   nwc_error TEXT,
   created_at INTEGER NOT NULL,
-  stripe_customer_id TEXT NOT NULL DEFAULT '',
+  stripe_customer_id TEXT NOT NULL,
   stripe_subscription_id TEXT,
   past_due_at INTEGER
 );

backend/spec/infra.md

@@ -19,7 +19,7 @@ Members:
 
 ## `async fn handle_activity(&self, activity: &Activity)`
 
-- For `create_relay`, `update_relay`, or `deactivate_relay` activity, calls `sync_and_report`.
+- For `create_relay`, `update_relay`, `activate_relay`, or `deactivate_relay` activity, calls `sync_and_report`.
 - All other activity types are ignored (e.g. `fail_relay_sync`, `complete_relay_sync`).
 
 ## `async fn sync_and_report(&self, relay: &Relay, is_new: bool)`

backend/src/api.rs

@@ -9,12 +9,14 @@ use axum::{
     routing::{get, post},
 };
 use base64::Engine;
-use nostr_sdk::{Event, JsonUtil, Keys, Kind, PublicKey};
+use nostr_sdk::{Event, JsonUtil, Kind};
 use serde::{Deserialize, Serialize};
 
-use crate::billing::Billing;
+use crate::billing::{Billing, InvoiceLookupError};
 use crate::command::Command;
-use crate::models::{Relay, Tenant};
+use crate::models::{
+    RELAY_STATUS_ACTIVE, RELAY_STATUS_DELINQUENT, RELAY_STATUS_INACTIVE, Relay, Tenant,
+};
 use crate::query::Query;
 use axum::body::Bytes;
 
@@ -70,6 +72,11 @@ enum ApiError {
     Unauthorized(anyhow::Error),
     Forbidden(&'static str),
     NotFound(&'static str),
+    Client {
+        status: StatusCode,
+        code: &'static str,
+        message: &'static str,
+    },
     Internal(String),
 }
 
@@ -79,18 +86,44 @@ impl IntoResponse for ApiError {
             Self::Unauthorized(e) => err(StatusCode::UNAUTHORIZED, "unauthorized", &e.to_string()),
             Self::Forbidden(message) => err(StatusCode::FORBIDDEN, "forbidden", message),
             Self::NotFound(message) => err(StatusCode::NOT_FOUND, "not-found", message),
+            Self::Client {
+                status,
+                code,
+                message,
+            } => err(status, code, message),
             Self::Internal(message) => err(StatusCode::INTERNAL_SERVER_ERROR, "internal", &message),
         }
     }
 }
 
+fn map_invoice_lookup_error(error: InvoiceLookupError) -> ApiError {
+    match error {
+        InvoiceLookupError::StripeClient { status } => {
+            let status = StatusCode::from_u16(status.as_u16()).unwrap_or(StatusCode::BAD_REQUEST);
+            match status {
+                StatusCode::NOT_FOUND => ApiError::NotFound("invoice not found"),
+                StatusCode::UNAUTHORIZED | StatusCode::FORBIDDEN => {
+                    ApiError::Forbidden("invoice access denied")
+                }
+                _ => ApiError::Client {
+                    status,
+                    code: "invoice-request-rejected",
+                    message: "invoice request rejected",
+                },
+            }
+        }
+        InvoiceLookupError::Internal(error) => ApiError::Internal(error.to_string()),
+    }
+}
+
 impl Api {
     pub fn new(query: Query, command: Command, billing: Billing) -> Self {
         let host = std::env::var("HOST").unwrap_or_else(|_| "127.0.0.1".to_string());
         let admins = std::env::var("ADMINS")
             .unwrap_or_default()
             .split(',')
-            .filter_map(parse_admin_pubkey)
+            .map(|v| v.trim().to_lowercase())
+            .filter(|v| !v.is_empty())
             .collect();
         Self {
             host,
@@ -234,7 +267,7 @@ impl Api {
             relay.schema = format!("{}_{}", relay.subdomain.replace('-', "_"), relay.id);
         }
         if relay.status.is_empty() {
-            relay.status = "active".to_string();
+            relay.status = RELAY_STATUS_ACTIVE.to_string();
         }
         relay.policy_public_join = parse_bool_default(relay.policy_public_join, 0);
         relay.policy_strip_signatures = parse_bool_default(relay.policy_strip_signatures, 0);
@@ -254,24 +287,6 @@ impl Api {
     }
 }
 
-fn parse_admin_pubkey(value: &str) -> Option<String> {
-    let value = value.trim();
-    if value.is_empty() {
-        return None;
-    }
-
-    if let Ok(pubkey) = PublicKey::parse(value) {
-        return Some(pubkey.to_hex());
-    }
-
-    // Allow nsec values by deriving their pubkey so admin matching still works.
-    if let Ok(keys) = Keys::parse(value) {
-        return Some(keys.public_key().to_hex());
-    }
-
-    None
-}
-
 fn ok<T: Serialize>(status: StatusCode, data: T) -> Response {
     (status, Json(OkResponse { data, code: "ok" })).into_response()
 }
@@ -385,32 +400,50 @@ async fn get_identity(
     let pubkey = state.api.extract_auth_pubkey(&headers)?;
     let is_admin = state.api.admins.iter().any(|a| a == &pubkey);
 
-    // Only create if tenant doesn't exist yet
+    // Ensure tenant exists.
-    if let Ok(None) = state.api.query.get_tenant(&pubkey).await {
+    match state.api.query.get_tenant(&pubkey).await {
-        // TODO: Call Stripe API to create a new customer
+        Ok(Some(_)) => {}
-        let stripe_customer_id = String::new();
+        Ok(None) => {
+            let stripe_customer_id = match state.api.billing.stripe_create_customer(&pubkey).await {
+                Ok(id) => id,
+                Err(e) => {
+                    return Ok(err(
+                        StatusCode::INTERNAL_SERVER_ERROR,
+                        "stripe-customer-create-failed",
+                        &e.to_string(),
+                    ));
+                }
+            };
 
-        let tenant = Tenant {
+            let tenant = Tenant {
-            pubkey: pubkey.clone(),
+                pubkey: pubkey.clone(),
-            nwc_url: String::new(),
+                nwc_url: String::new(),
-            nwc_error: None,
+                nwc_error: None,
-            created_at: now_ts(),
+                created_at: now_ts(),
-            stripe_customer_id,
+                stripe_customer_id,
-            stripe_subscription_id: None,
+                stripe_subscription_id: None,
-            past_due_at: None,
+                past_due_at: None,
-        };
+            };
 
-        match state.api.command.create_tenant(&tenant).await {
+            match state.api.command.create_tenant(&tenant).await {
-            Ok(()) => {}
+                Ok(()) => {}
-            Err(e) if matches!(map_unique_error(&e), Some("pubkey-exists")) => {}
+                Err(e) if matches!(map_unique_error(&e), Some("pubkey-exists")) => {}
-            Err(e) => {
+                Err(e) => {
-                return Ok(err(
+                    return Ok(err(
-                    StatusCode::INTERNAL_SERVER_ERROR,
+                        StatusCode::INTERNAL_SERVER_ERROR,
-                    "internal",
+                        "internal",
-                    &e.to_string(),
+                        &e.to_string(),
-                ));
+                    ));
-            }
+                }
-        };
+            };
+        }
+        Err(e) => {
+            return Ok(err(
+                StatusCode::INTERNAL_SERVER_ERROR,
+                "internal",
+                &e.to_string(),
+            ));
+        }
     }
 
     Ok(ok(StatusCode::OK, IdentityResponse { pubkey, is_admin }))
@@ -542,7 +575,7 @@ async fn create_relay(
         subdomain: payload.subdomain,
         plan: payload.plan,
         stripe_subscription_item_id: None,
-        status: "active".to_string(),
+        status: RELAY_STATUS_ACTIVE.to_string(),
         sync_error: String::new(),
         info_name: payload.info_name.unwrap_or_default(),
         info_icon: payload.info_icon.unwrap_or_default(),
@@ -713,7 +746,7 @@ async fn deactivate_relay(
 
     state.api.require_admin_or_tenant(&auth, &relay.tenant)?;
 
-    if relay.status == "inactive" {
+    if relay.status == RELAY_STATUS_INACTIVE || relay.status == RELAY_STATUS_DELINQUENT {
         return Ok(err(
             StatusCode::BAD_REQUEST,
             "relay-is-inactive",
@@ -752,7 +785,7 @@ async fn reactivate_relay(
 
     state.api.require_admin_or_tenant(&auth, &relay.tenant)?;
 
-    if relay.status == "active" {
+    if relay.status == RELAY_STATUS_ACTIVE {
         return Ok(err(
             StatusCode::BAD_REQUEST,
             "relay-is-active",
@@ -805,7 +838,7 @@ async fn get_invoice(
         .billing
         .get_invoice_with_tenant(&id)
         .await
-        .map_err(|e| ApiError::Internal(e.to_string()))?;
+        .map_err(map_invoice_lookup_error)?;
     state.api.require_admin_or_tenant(&auth, &tenant.pubkey)?;
 
     Ok(ok(StatusCode::OK, invoice))
@@ -822,7 +855,7 @@ async fn get_invoice_bolt11(
         .billing
         .get_invoice_with_tenant(&id)
         .await
-        .map_err(|e| ApiError::Internal(e.to_string()))?;
+        .map_err(map_invoice_lookup_error)?;
     state.api.require_admin_or_tenant(&auth, &tenant.pubkey)?;
 
     let status = invoice["status"].as_str().unwrap_or_default();
@@ -835,8 +868,9 @@ async fn get_invoice_bolt11(
     }
 
     let amount_due = invoice["amount_due"].as_i64().unwrap_or(0);
+    let currency = invoice["currency"].as_str().unwrap_or("usd");
 
-    match state.api.billing.create_bolt11(amount_due).await {
+    match state.api.billing.create_bolt11(amount_due, currency).await {
         Ok(bolt11) => Ok(ok(StatusCode::OK, serde_json::json!({ "bolt11": bolt11 }))),
         Err(e) => Ok(err(
             StatusCode::INTERNAL_SERVER_ERROR,

backend/src/billing.rs

@@ -1,20 +1,58 @@
 use anyhow::{Result, anyhow};
 use hmac::{Hmac, Mac};
 use nwc::prelude::{
-    MakeInvoiceRequest, NostrWalletConnectURI, PayInvoiceRequest as NwcPayInvoiceRequest, NWC,
+    MakeInvoiceRequest, NWC, NostrWalletConnectURI, PayInvoiceRequest as NwcPayInvoiceRequest,
 };
 use sha2::Sha256;
 
 use crate::command::Command;
-use crate::models::Activity;
+use crate::models::{
+    Activity, RELAY_STATUS_ACTIVE, RELAY_STATUS_DELINQUENT, RELAY_STATUS_INACTIVE, Relay,
+};
 use crate::query::Query;
 use crate::robot::Robot;
 
 type HmacSha256 = Hmac<Sha256>;
 
 const STRIPE_API: &str = "https://api.stripe.com/v1";
+const COINBASE_SPOT_API: &str = "https://api.coinbase.com/v2/prices";
 const WEBHOOK_TOLERANCE_SECS: i64 = 300;
 
+#[derive(Debug)]
+pub enum InvoiceLookupError {
+    StripeClient { status: reqwest::StatusCode },
+    Internal(anyhow::Error),
+}
+
+impl std::fmt::Display for InvoiceLookupError {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Self::StripeClient { status } => {
+                write!(
+                    f,
+                    "stripe invoice lookup failed with status {}",
+                    status.as_u16()
+                )
+            }
+            Self::Internal(error) => write!(f, "{error}"),
+        }
+    }
+}
+
+impl std::error::Error for InvoiceLookupError {}
+
+impl From<anyhow::Error> for InvoiceLookupError {
+    fn from(value: anyhow::Error) -> Self {
+        Self::Internal(value)
+    }
+}
+
+impl From<reqwest::Error> for InvoiceLookupError {
+    fn from(value: reqwest::Error) -> Self {
+        Self::Internal(value.into())
+    }
+}
+
 #[derive(serde::Deserialize)]
 struct StripeEvent {
     #[serde(rename = "type")]
@@ -27,11 +65,22 @@ struct StripeEventData {
     object: serde_json::Value,
 }
 
+#[derive(serde::Deserialize)]
+struct CoinbaseSpotPriceResponse {
+    data: CoinbaseSpotPriceData,
+}
+
+#[derive(serde::Deserialize)]
+struct CoinbaseSpotPriceData {
+    amount: String,
+}
+
 #[derive(Clone)]
 pub struct Billing {
     nwc_url: String,
     stripe_secret_key: String,
     stripe_webhook_secret: String,
+    btc_quote_api_base: String,
     http: reqwest::Client,
     query: Query,
     command: Command,
@@ -42,11 +91,17 @@ impl Billing {
     pub fn new(query: Query, command: Command, robot: Robot) -> Self {
         let nwc_url = std::env::var("NWC_URL").unwrap_or_default();
         let stripe_secret_key = std::env::var("STRIPE_SECRET_KEY").unwrap_or_default();
+        if stripe_secret_key.trim().is_empty() {
+            panic!("missing STRIPE_SECRET_KEY environment variable");
+        }
         let stripe_webhook_secret = std::env::var("STRIPE_WEBHOOK_SECRET").unwrap_or_default();
+        let btc_quote_api_base =
+            std::env::var("BTC_PRICE_API_BASE").unwrap_or_else(|_| COINBASE_SPOT_API.to_string());
         Self {
             nwc_url,
             stripe_secret_key,
             stripe_webhook_secret,
+            btc_quote_api_base,
             http: reqwest::Client::new(),
             query,
             command,
@@ -75,8 +130,12 @@ impl Billing {
     async fn handle_activity(&self, activity: &Activity) -> Result<()> {
         let needs_billing_sync = matches!(
             activity.activity_type.as_str(),
-            "create_relay" | "update_relay" | "activate_relay" | "deactivate_relay"
+            "create_relay"
-                | "fail_relay_sync" | "complete_relay_sync"
+                | "update_relay"
+                | "activate_relay"
+                | "deactivate_relay"
+                | "fail_relay_sync"
+                | "complete_relay_sync"
         );
 
         if needs_billing_sync {
@@ -99,26 +158,28 @@ impl Billing {
         if relay.plan == "free" {
             if let Some(ref item_id) = relay.stripe_subscription_item_id {
                 self.stripe_delete_subscription_item(item_id).await?;
-                self.command.delete_relay_subscription_item(&relay.id).await?;
+                self.command
+                    .delete_relay_subscription_item(&relay.id)
+                    .await?;
             }
             self.cleanup_empty_subscription(&tenant.pubkey).await?;
             return Ok(());
         }
 
         // Inactive relay: remove subscription item if exists, then clean up
-        if relay.status == "inactive" {
+        if relay.status == RELAY_STATUS_INACTIVE || relay.status == RELAY_STATUS_DELINQUENT {
             if let Some(ref item_id) = relay.stripe_subscription_item_id {
                 self.stripe_delete_subscription_item(item_id).await?;
-                self.command.delete_relay_subscription_item(&relay.id).await?;
+                self.command
+                    .delete_relay_subscription_item(&relay.id)
+                    .await?;
             }
             self.cleanup_empty_subscription(&tenant.pubkey).await?;
             return Ok(());
         }
 
         // Active relay on a paid plan
-        let plan = Query::list_plans()
+        let plan = Query::list_plans().into_iter().find(|p| p.id == relay.plan);
-            .into_iter()
-            .find(|p| p.id == relay.plan);
 
         let Some(plan) = plan else {
             return Ok(());
@@ -170,7 +231,9 @@ impl Billing {
 
         if let Some(ref subscription_id) = tenant.stripe_subscription_id {
             self.stripe_cancel_subscription(subscription_id).await?;
-            self.command.clear_tenant_subscription(tenant_pubkey).await?;
+            self.command
+                .clear_tenant_subscription(tenant_pubkey)
+                .await?;
         }
 
         Ok(())
@@ -186,8 +249,9 @@ impl Billing {
             "invoice.created" => {
                 let customer = obj["customer"].as_str().unwrap_or_default();
                 let amount_due = obj["amount_due"].as_i64().unwrap_or(0);
+                let currency = obj["currency"].as_str().unwrap_or("usd");
                 let invoice_id = obj["id"].as_str().unwrap_or_default();
-                self.handle_invoice_created(customer, amount_due, invoice_id)
+                self.handle_invoice_created(customer, amount_due, currency, invoice_id)
                     .await?;
             }
             "invoice.paid" => {
@@ -240,7 +304,9 @@ impl Billing {
             return Err(anyhow!("webhook signature mismatch"));
         }
 
-        let ts: i64 = timestamp.parse().map_err(|_| anyhow!("bad webhook timestamp"))?;
+        let ts: i64 = timestamp
+            .parse()
+            .map_err(|_| anyhow!("bad webhook timestamp"))?;
         let now = chrono::Utc::now().timestamp();
         if (now - ts).abs() > WEBHOOK_TOLERANCE_SECS {
             return Err(anyhow!("webhook timestamp outside tolerance"));
@@ -253,6 +319,7 @@ impl Billing {
         &self,
         stripe_customer_id: &str,
         amount_due: i64,
+        currency: &str,
         invoice_id: &str,
     ) -> Result<()> {
         if amount_due == 0 {
@@ -269,12 +336,13 @@ impl Billing {
 
         // 1. NWC auto-pay: if the tenant has a nwc_url
         if !tenant.nwc_url.is_empty() {
-            match self.nwc_pay_invoice(amount_due, &tenant.nwc_url).await {
+            match self
+                .nwc_pay_invoice(amount_due, currency, &tenant.nwc_url)
+                .await
+            {
                 Ok(()) => {
                     self.stripe_pay_invoice_out_of_band(invoice_id).await?;
-                    self.command
+                    self.command.clear_tenant_nwc_error(&tenant.pubkey).await?;
-                        .clear_tenant_nwc_error(&tenant.pubkey)
-                        .await?;
                     return Ok(());
                 }
                 Err(e) => {
@@ -320,7 +388,7 @@ impl Billing {
 
             let relays = self.query.list_relays_for_tenant(&tenant.pubkey).await?;
             for relay in relays {
-                if relay.status == "inactive" && relay.plan != "free" {
+                if Self::should_reactivate_after_payment(&relay) {
                     self.command.activate_relay(&relay).await?;
                 }
             }
@@ -374,8 +442,8 @@ impl Billing {
 
         let relays = self.query.list_relays_for_tenant(&tenant.pubkey).await?;
         for relay in relays {
-            if relay.status == "active" && relay.plan != "free" {
+            if relay.status == RELAY_STATUS_ACTIVE && relay.plan != "free" {
-                self.command.deactivate_relay(&relay).await?;
+                self.command.mark_relay_delinquent(&relay).await?;
             }
         }
 
@@ -409,8 +477,8 @@ impl Billing {
 
         let relays = self.query.list_relays_for_tenant(&tenant.pubkey).await?;
         for relay in relays {
-            if relay.status == "active" && relay.plan != "free" {
+            if relay.status == RELAY_STATUS_ACTIVE && relay.plan != "free" {
-                self.command.deactivate_relay(&relay).await?;
+                self.command.mark_relay_delinquent(&relay).await?;
             }
         }
 
@@ -429,19 +497,48 @@ impl Billing {
     pub async fn get_invoice_with_tenant(
         &self,
         invoice_id: &str,
-    ) -> Result<(serde_json::Value, crate::models::Tenant)> {
+    ) -> std::result::Result<(serde_json::Value, crate::models::Tenant), InvoiceLookupError> {
         let invoice = self.stripe_get_invoice(invoice_id).await?;
         let customer_id = invoice["customer"]
             .as_str()
-            .ok_or_else(|| anyhow!("invoice missing customer"))?;
+            .ok_or_else(|| InvoiceLookupError::Internal(anyhow!("invoice missing customer")))?;
         let tenant = self
             .query
             .get_tenant_by_stripe_customer_id(customer_id)
             .await?
-            .ok_or_else(|| anyhow!("tenant not found for customer"))?;
+            .ok_or_else(|| {
+                InvoiceLookupError::Internal(anyhow!("tenant not found for customer"))
+            })?;
         Ok((invoice, tenant))
     }
 
+    pub async fn stripe_create_customer(&self, tenant_pubkey: &str) -> Result<String> {
+        let short_pubkey: String = tenant_pubkey.chars().take(12).collect();
+        let display_name = format!("Caravel tenant {short_pubkey}");
+
+        let resp = self
+            .http
+            .post(format!("{STRIPE_API}/customers"))
+            .bearer_auth(&self.stripe_secret_key)
+            .form(&[
+                ("name", display_name.as_str()),
+                ("metadata[tenant_pubkey]", tenant_pubkey),
+            ])
+            .send()
+            .await?;
+
+        let body: serde_json::Value = resp.error_for_status()?.json().await?;
+        let customer_id = body["id"]
+            .as_str()
+            .ok_or_else(|| anyhow!("missing customer id"))?;
+
+        if !customer_id.starts_with("cus_") {
+            return Err(anyhow!("unexpected customer id format"));
+        }
+
+        Ok(customer_id.to_string())
+    }
+
     pub async fn stripe_list_invoices(&self, customer_id: &str) -> Result<serde_json::Value> {
         let resp = self
             .http
@@ -455,7 +552,10 @@ impl Billing {
         Ok(body["data"].clone())
     }
 
-    pub async fn stripe_get_invoice(&self, invoice_id: &str) -> Result<serde_json::Value> {
+    pub async fn stripe_get_invoice(
+        &self,
+        invoice_id: &str,
+    ) -> std::result::Result<serde_json::Value, InvoiceLookupError> {
         let resp = self
             .http
             .get(format!("{STRIPE_API}/invoices/{invoice_id}"))
@@ -463,14 +563,22 @@ impl Billing {
             .send()
             .await?;
 
+        if resp.status().is_client_error() {
+            return Err(InvoiceLookupError::StripeClient {
+                status: resp.status(),
+            });
+        }
+
         let body: serde_json::Value = resp.error_for_status()?.json().await?;
         Ok(body)
     }
 
-    pub async fn create_bolt11(&self, amount_due_cents: i64) -> Result<String> {
+    pub async fn create_bolt11(&self, amount_due_minor: i64, currency: &str) -> Result<String> {
-        let amount_msats = (amount_due_cents as u64) * 1000; // placeholder conversion
+        let amount_msats = self.fiat_minor_to_msats(amount_due_minor, currency).await?;
 
-        let system_uri: NostrWalletConnectURI = self.nwc_url.parse()
+        let system_uri: NostrWalletConnectURI = self
+            .nwc_url
+            .parse()
             .map_err(|_| anyhow!("invalid system NWC URL"))?;
         let system_nwc = NWC::new(system_uri);
 
@@ -550,10 +658,7 @@ impl Billing {
             .http
             .post(format!("{STRIPE_API}/subscription_items"))
             .bearer_auth(&self.stripe_secret_key)
-            .form(&[
+            .form(&[("subscription", subscription_id), ("price", price_id)])
-                ("subscription", subscription_id),
-                ("price", price_id),
-            ])
             .send()
             .await?;
 
@@ -642,14 +747,18 @@ impl Billing {
 
     // --- NWC helpers ---
 
-    async fn nwc_pay_invoice(&self, amount_due_cents: i64, tenant_nwc_url: &str) -> Result<()> {
+    async fn nwc_pay_invoice(
-        // Convert USD cents to millisatoshis (approximate: 1 sat ≈ variable USD)
+        &self,
-        // amount_due is in cents from Stripe. We create a Lightning invoice for the exact amount.
+        amount_due_minor: i64,
-        // The NWC make_invoice amount is in millisatoshis.
+        currency: &str,
-        let amount_msats = (amount_due_cents as u64) * 1000; // placeholder conversion, actual rate would come from exchange
+        tenant_nwc_url: &str,
+    ) -> Result<()> {
+        let amount_msats = self.fiat_minor_to_msats(amount_due_minor, currency).await?;
 
         // Create a bolt11 invoice using the system wallet (self.nwc_url)
-        let system_uri: NostrWalletConnectURI = self.nwc_url.parse()
+        let system_uri: NostrWalletConnectURI = self
+            .nwc_url
+            .parse()
             .map_err(|_| anyhow!("invalid system NWC URL"))?;
         let system_nwc = NWC::new(system_uri);
 
@@ -668,7 +777,8 @@ impl Billing {
         system_nwc.shutdown().await;
 
         // Pay the bolt11 invoice using the tenant's wallet
-        let tenant_uri: NostrWalletConnectURI = tenant_nwc_url.parse()
+        let tenant_uri: NostrWalletConnectURI = tenant_nwc_url
+            .parse()
             .map_err(|_| anyhow!("invalid tenant NWC URL"))?;
         let tenant_nwc = NWC::new(tenant_uri);
 
@@ -683,4 +793,261 @@ impl Billing {
 
         Ok(())
     }
+
+    async fn fiat_minor_to_msats(&self, amount_due_minor: i64, currency: &str) -> Result<u64> {
+        let normalized_currency = currency.to_uppercase();
+        let btc_price = self.fetch_btc_spot_price(&normalized_currency).await?;
+        fiat_minor_to_msats_from_quote(amount_due_minor, &normalized_currency, btc_price)
+    }
+
+    fn should_reactivate_after_payment(relay: &Relay) -> bool {
+        relay.status == RELAY_STATUS_DELINQUENT && relay.plan != "free"
+    }
+
+    async fn fetch_btc_spot_price(&self, currency: &str) -> Result<f64> {
+        fetch_btc_spot_price_from_base(&self.http, &self.btc_quote_api_base, currency).await
+    }
+
+    fn currency_minor_exponent(currency: &str) -> Result<u8> {
+        let normalized = currency.to_uppercase();
+        let exponent = match normalized.as_str() {
+            // Zero-decimal currencies in Stripe.
+            "BIF" | "CLP" | "DJF" | "GNF" | "JPY" | "KMF" | "KRW" | "MGA" | "PYG" | "RWF"
+            | "UGX" | "VND" | "VUV" | "XAF" | "XOF" | "XPF" => 0,
+            // Three-decimal currencies in Stripe.
+            "BHD" | "JOD" | "KWD" | "OMR" | "TND" => 3,
+            _ if normalized.chars().all(|c| c.is_ascii_alphabetic()) && normalized.len() == 3 => 2,
+            _ => return Err(anyhow!("invalid currency code: {currency}")),
+        };
+
+        Ok(exponent)
+    }
+}
+
+pub async fn fetch_btc_spot_price_from_base(
+    http: &reqwest::Client,
+    api_base: &str,
+    currency: &str,
+) -> Result<f64> {
+    let pair = format!("BTC-{currency}");
+    let url = format!("{}/{pair}/spot", api_base.trim_end_matches('/'));
+    let resp = http.get(url).send().await?;
+    let body: CoinbaseSpotPriceResponse = resp.error_for_status()?.json().await?;
+
+    let amount = body
+        .data
+        .amount
+        .parse::<f64>()
+        .map_err(|e| anyhow!("invalid BTC spot quote for {currency}: {e}"))?;
+
+    if amount <= 0.0 {
+        return Err(anyhow!(
+            "invalid non-positive BTC spot quote for {currency}"
+        ));
+    }
+
+    Ok(amount)
+}
+
+pub fn fiat_minor_to_msats_from_quote(
+    amount_due_minor: i64,
+    currency: &str,
+    btc_price_in_fiat: f64,
+) -> Result<u64> {
+    if amount_due_minor <= 0 {
+        return Err(anyhow!("amount_due must be positive"));
+    }
+
+    if btc_price_in_fiat <= 0.0 {
+        return Err(anyhow!("btc_price_in_fiat must be positive"));
+    }
+
+    let exponent = Billing::currency_minor_exponent(currency)?;
+    let divisor = 10_f64.powi(exponent as i32);
+    let amount_fiat = (amount_due_minor as f64) / divisor;
+    let amount_btc = amount_fiat / btc_price_in_fiat;
+    let raw_msats = amount_btc * 100_000_000_000.0;
+    // Guard against tiny floating point artifacts at integer boundaries.
+    let amount_msats = if (raw_msats - raw_msats.round()).abs() < 1e-6 {
+        raw_msats.round()
+    } else {
+        raw_msats.ceil()
+    };
+
+    if !amount_msats.is_finite() || amount_msats <= 0.0 || amount_msats > u64::MAX as f64 {
+        return Err(anyhow!("calculated msat amount is out of bounds"));
+    }
+
+    Ok(amount_msats as u64)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::{Billing, fiat_minor_to_msats_from_quote};
+    use crate::models::{
+        RELAY_STATUS_ACTIVE, RELAY_STATUS_DELINQUENT, RELAY_STATUS_INACTIVE, Relay,
+    };
+
+    fn relay_fixture(status: &str, plan: &str) -> Relay {
+        Relay {
+            id: "relay-1".to_string(),
+            tenant: "tenant-1".to_string(),
+            schema: "tenant_1".to_string(),
+            subdomain: "relay-1".to_string(),
+            plan: plan.to_string(),
+            stripe_subscription_item_id: None,
+            status: status.to_string(),
+            sync_error: String::new(),
+            info_name: String::new(),
+            info_icon: String::new(),
+            info_description: String::new(),
+            policy_public_join: 0,
+            policy_strip_signatures: 0,
+            groups_enabled: 1,
+            management_enabled: 1,
+            blossom_enabled: 1,
+            livekit_enabled: 1,
+            push_enabled: 1,
+            synced: 1,
+        }
+    }
+
+    #[test]
+    fn converts_usd_minor_units_with_quote() {
+        let msats = fiat_minor_to_msats_from_quote(100, "usd", 100_000.0)
+            .expect("conversion should succeed");
+        assert_eq!(msats, 1_000_000);
+    }
+
+    #[test]
+    fn converts_zero_decimal_currency_with_quote() {
+        let msats = fiat_minor_to_msats_from_quote(100, "jpy", 10_000_000.0)
+            .expect("conversion should succeed");
+        assert_eq!(msats, 1_000_000);
+    }
+
+    #[test]
+    fn reactivates_only_delinquent_paid_relays_after_payment() {
+        let delinquent_paid = relay_fixture(RELAY_STATUS_DELINQUENT, "basic");
+        assert!(Billing::should_reactivate_after_payment(&delinquent_paid));
+
+        let manually_inactive_paid = relay_fixture(RELAY_STATUS_INACTIVE, "basic");
+        assert!(!Billing::should_reactivate_after_payment(
+            &manually_inactive_paid
+        ));
+
+        let free_delinquent = relay_fixture(RELAY_STATUS_DELINQUENT, "free");
+        assert!(!Billing::should_reactivate_after_payment(&free_delinquent));
+
+        let active_paid = relay_fixture(RELAY_STATUS_ACTIVE, "basic");
+        assert!(!Billing::should_reactivate_after_payment(&active_paid));
+
+        let unknown_status_paid = relay_fixture("suspended", "basic");
+        assert!(!Billing::should_reactivate_after_payment(
+            &unknown_status_paid
+        ));
+    }
+
+    use super::*;
+    use sqlx::SqlitePool;
+    use sqlx::sqlite::{SqliteConnectOptions, SqlitePoolOptions};
+    use std::str::FromStr;
+    use std::sync::{Mutex, OnceLock};
+
+    fn env_lock() -> &'static Mutex<()> {
+        static LOCK: OnceLock<Mutex<()>> = OnceLock::new();
+        LOCK.get_or_init(|| Mutex::new(()))
+    }
+
+    #[allow(unused_unsafe)]
+    fn set_stripe_secret_key(value: Option<&str>) {
+        match value {
+            Some(v) => unsafe { std::env::set_var("STRIPE_SECRET_KEY", v) },
+            None => unsafe { std::env::remove_var("STRIPE_SECRET_KEY") },
+        }
+    }
+
+    struct StripeSecretKeyGuard {
+        previous: Option<String>,
+    }
+
+    impl StripeSecretKeyGuard {
+        fn set(value: Option<&str>) -> Self {
+            let previous = std::env::var("STRIPE_SECRET_KEY").ok();
+            set_stripe_secret_key(value);
+            Self { previous }
+        }
+    }
+
+    impl Drop for StripeSecretKeyGuard {
+        fn drop(&mut self) {
+            set_stripe_secret_key(self.previous.as_deref());
+        }
+    }
+
+    async fn test_pool() -> SqlitePool {
+        let connect_options = SqliteConnectOptions::from_str("sqlite::memory:")
+            .expect("valid sqlite memory url")
+            .create_if_missing(true);
+
+        let pool = SqlitePoolOptions::new()
+            .max_connections(1)
+            .connect_with(connect_options)
+            .await
+            .expect("connect sqlite memory db");
+
+        sqlx::migrate!("./migrations")
+            .run(&pool)
+            .await
+            .expect("run migrations");
+
+        pool
+    }
+
+    #[tokio::test]
+    async fn billing_new_panics_without_stripe_secret_key() {
+        let _lock = env_lock().lock().expect("acquire env lock");
+        let _env = StripeSecretKeyGuard::set(None);
+
+        let pool = test_pool().await;
+        let query = Query::new(pool.clone());
+        let command = Command::new(pool);
+        let robot = Robot::test_stub();
+
+        let result = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
+            Billing::new(query, command, robot)
+        }));
+
+        let panic_payload = match result {
+            Ok(_) => panic!("constructor should panic when STRIPE_SECRET_KEY is missing"),
+            Err(payload) => payload,
+        };
+        let panic_msg = if let Some(msg) = panic_payload.downcast_ref::<&str>() {
+            (*msg).to_string()
+        } else if let Some(msg) = panic_payload.downcast_ref::<String>() {
+            msg.clone()
+        } else {
+            String::new()
+        };
+
+        assert!(
+            panic_msg.contains("missing STRIPE_SECRET_KEY environment variable"),
+            "unexpected panic: {panic_msg}"
+        );
+    }
+
+    #[tokio::test]
+    async fn billing_new_accepts_non_empty_stripe_secret_key() {
+        let _lock = env_lock().lock().expect("acquire env lock");
+        let _env = StripeSecretKeyGuard::set(Some("sk_test_dummy"));
+
+        let pool = test_pool().await;
+        let billing = Billing::new(
+            Query::new(pool.clone()),
+            Command::new(pool),
+            Robot::test_stub(),
+        );
+
+        assert_eq!(billing.stripe_secret_key, "sk_test_dummy");
+    }
 }

backend/src/command.rs

@@ -2,7 +2,9 @@ use anyhow::Result;
 use sqlx::{Sqlite, SqlitePool, Transaction};
 use tokio::sync::broadcast;
 
-use crate::models::{Activity, Relay, Tenant};
+use crate::models::{
+    Activity, RELAY_STATUS_ACTIVE, RELAY_STATUS_DELINQUENT, RELAY_STATUS_INACTIVE, Relay, Tenant,
+};
 
 #[derive(Clone)]
 pub struct Command {
@@ -64,6 +66,10 @@ impl Command {
     }
 
     pub async fn create_tenant(&self, tenant: &Tenant) -> Result<()> {
+        if tenant.stripe_customer_id.trim().is_empty() {
+            anyhow::bail!("stripe_customer_id is required");
+        }
+
         let mut tx = self.pool.begin().await?;
 
         sqlx::query(
@@ -77,7 +83,8 @@ impl Command {
         .execute(&mut *tx)
         .await?;
 
-        let activity = Self::insert_activity(&mut tx, "create_tenant", "tenant", &tenant.pubkey).await?;
+        let activity =
+            Self::insert_activity(&mut tx, "create_tenant", "tenant", &tenant.pubkey).await?;
 
         tx.commit().await?;
         self.emit(activity);
@@ -93,7 +100,8 @@ impl Command {
             .execute(&mut *tx)
             .await?;
 
-        let activity = Self::insert_activity(&mut tx, "update_tenant", "tenant", &tenant.pubkey).await?;
+        let activity =
+            Self::insert_activity(&mut tx, "update_tenant", "tenant", &tenant.pubkey).await?;
 
         tx.commit().await?;
         self.emit(activity);
@@ -178,14 +186,30 @@ impl Command {
     }
 
     pub async fn deactivate_relay(&self, relay: &Relay) -> Result<()> {
+        self.set_relay_status(&relay.id, RELAY_STATUS_INACTIVE, "deactivate_relay")
+            .await
+    }
+
+    pub async fn mark_relay_delinquent(&self, relay: &Relay) -> Result<()> {
+        self.set_relay_status(&relay.id, RELAY_STATUS_DELINQUENT, "deactivate_relay")
+            .await
+    }
+
+    async fn set_relay_status(
+        &self,
+        relay_id: &str,
+        status: &str,
+        activity_type: &str,
+    ) -> Result<()> {
         let mut tx = self.pool.begin().await?;
 
-        sqlx::query("UPDATE relay SET status = 'inactive' WHERE id = ?")
+        sqlx::query("UPDATE relay SET status = ? WHERE id = ?")
-            .bind(&relay.id)
+            .bind(status)
+            .bind(relay_id)
             .execute(&mut *tx)
             .await?;
 
-        let activity = Self::insert_activity(&mut tx, "deactivate_relay", "relay", &relay.id).await?;
+        let activity = Self::insert_activity(&mut tx, activity_type, "relay", relay_id).await?;
 
         tx.commit().await?;
         self.emit(activity);
@@ -193,18 +217,8 @@ impl Command {
     }
 
     pub async fn activate_relay(&self, relay: &Relay) -> Result<()> {
-        let mut tx = self.pool.begin().await?;
+        self.set_relay_status(&relay.id, RELAY_STATUS_ACTIVE, "activate_relay")
-
+            .await
-        sqlx::query("UPDATE relay SET status = 'active' WHERE id = ?")
-            .bind(&relay.id)
-            .execute(&mut *tx)
-            .await?;
-
-        let activity = Self::insert_activity(&mut tx, "activate_relay", "relay", &relay.id).await?;
-
-        tx.commit().await?;
-        self.emit(activity);
-        Ok(())
     }
 
     pub async fn fail_relay_sync(&self, relay: &Relay, sync_error: String) -> Result<()> {
@@ -216,7 +230,8 @@ impl Command {
             .execute(&mut *tx)
             .await?;
 
-        let activity = Self::insert_activity(&mut tx, "fail_relay_sync", "relay", &relay.id).await?;
+        let activity =
+            Self::insert_activity(&mut tx, "fail_relay_sync", "relay", &relay.id).await?;
 
         tx.commit().await?;
         self.emit(activity);
@@ -231,7 +246,8 @@ impl Command {
             .execute(&mut *tx)
             .await?;
 
-        let activity = Self::insert_activity(&mut tx, "complete_relay_sync", "relay", relay_id).await?;
+        let activity =
+            Self::insert_activity(&mut tx, "complete_relay_sync", "relay", relay_id).await?;
 
         tx.commit().await?;
         self.emit(activity);
@@ -246,7 +262,11 @@ impl Command {
         Ok(())
     }
 
-    pub async fn set_relay_subscription_item(&self, relay_id: &str, stripe_subscription_item_id: &str) -> Result<()> {
+    pub async fn set_relay_subscription_item(
+        &self,
+        relay_id: &str,
+        stripe_subscription_item_id: &str,
+    ) -> Result<()> {
         sqlx::query("UPDATE relay SET stripe_subscription_item_id = ? WHERE id = ?")
             .bind(stripe_subscription_item_id)
             .bind(relay_id)
@@ -255,7 +275,11 @@ impl Command {
         Ok(())
     }
 
-    pub async fn set_tenant_subscription(&self, pubkey: &str, stripe_subscription_id: &str) -> Result<()> {
+    pub async fn set_tenant_subscription(
+        &self,
+        pubkey: &str,
+        stripe_subscription_id: &str,
+    ) -> Result<()> {
         sqlx::query("UPDATE tenant SET stripe_subscription_id = ? WHERE pubkey = ?")
             .bind(stripe_subscription_id)
             .bind(pubkey)
@@ -307,3 +331,56 @@ impl Command {
         Ok(())
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use sqlx::SqlitePool;
+    use sqlx::sqlite::{SqliteConnectOptions, SqlitePoolOptions};
+    use std::str::FromStr;
+
+    async fn test_pool() -> SqlitePool {
+        let connect_options = SqliteConnectOptions::from_str("sqlite::memory:")
+            .expect("valid sqlite memory url")
+            .create_if_missing(true);
+
+        let pool = SqlitePoolOptions::new()
+            .max_connections(1)
+            .connect_with(connect_options)
+            .await
+            .expect("connect sqlite memory db");
+
+        sqlx::migrate!("./migrations")
+            .run(&pool)
+            .await
+            .expect("run migrations");
+
+        pool
+    }
+
+    #[tokio::test]
+    async fn create_tenant_rejects_empty_stripe_customer_id() {
+        let pool = test_pool().await;
+        let command = Command::new(pool);
+
+        let tenant = Tenant {
+            pubkey: "tenant_pubkey".to_string(),
+            nwc_url: String::new(),
+            nwc_error: None,
+            created_at: 0,
+            stripe_customer_id: "   ".to_string(),
+            stripe_subscription_id: None,
+            past_due_at: None,
+        };
+
+        let err = command
+            .create_tenant(&tenant)
+            .await
+            .expect_err("empty customer id must be rejected");
+
+        assert!(
+            err.to_string().contains("stripe_customer_id is required"),
+            "unexpected error: {err}"
+        );
+    }
+}

backend/src/infra.rs

@@ -2,7 +2,7 @@ use anyhow::Result;
 use nostr_sdk::prelude::*;
 
 use crate::command::Command;
-use crate::models::Activity;
+use crate::models::{Activity, RELAY_STATUS_DELINQUENT, RELAY_STATUS_INACTIVE};
 use crate::query::Query;
 
 #[derive(Clone)]
@@ -56,10 +56,7 @@ impl Infra {
     }
 
     async fn handle_activity(&self, activity: &Activity) -> Result<()> {
-        let needs_sync = matches!(
+        let needs_sync = should_sync_relay_activity(activity.activity_type.as_str());
-            activity.activity_type.as_str(),
-            "create_relay" | "update_relay" | "deactivate_relay"
-        );
 
         if needs_sync {
             let Some(relay) = self.query.get_relay(&activity.resource_id).await? else {
@@ -93,7 +90,9 @@ impl Infra {
     async fn nip98_auth(&self, url: &str, method: HttpMethod) -> Result<String> {
         let keys = Keys::parse(&self.api_secret)?;
         let server_url = Url::parse(url)?;
-        let auth = HttpData::new(server_url, method).to_authorization(&keys).await?;
+        let auth = HttpData::new(server_url, method)
+            .to_authorization(&keys)
+            .await?;
         Ok(auth)
     }
 
@@ -124,7 +123,8 @@ impl Infra {
             "host": host,
             "schema": relay.schema,
             "secret": secret,
-            "inactive": relay.status == "inactive",
+            "inactive": relay.status == RELAY_STATUS_INACTIVE
+                || relay.status == RELAY_STATUS_DELINQUENT,
             "info": {
                 "name": relay.info_name,
                 "icon": relay.info_icon,
@@ -149,11 +149,21 @@ impl Infra {
         let response = if is_new {
             let url = format!("{}/relay/{}", base, relay.id);
             let auth = self.nip98_auth(&url, HttpMethod::POST).await?;
-            client.post(&url).header("Authorization", auth).json(&body).send().await?
+            client
+                .post(&url)
+                .header("Authorization", auth)
+                .json(&body)
+                .send()
+                .await?
         } else {
             let url = format!("{}/relay/{}", base, relay.id);
             let auth = self.nip98_auth(&url, HttpMethod::PUT).await?;
-            client.put(&url).header("Authorization", auth).json(&body).send().await?
+            client
+                .put(&url)
+                .header("Authorization", auth)
+                .json(&body)
+                .send()
+                .await?
         };
 
         if !response.status().is_success() {
@@ -164,3 +174,10 @@ impl Infra {
         Ok(())
     }
 }
+
+fn should_sync_relay_activity(activity_type: &str) -> bool {
+    matches!(
+        activity_type,
+        "create_relay" | "update_relay" | "activate_relay" | "deactivate_relay"
+    )
+}

backend/src/models.rs

@@ -1,5 +1,9 @@
 use serde::{Deserialize, Serialize};
 
+pub const RELAY_STATUS_ACTIVE: &str = "active";
+pub const RELAY_STATUS_INACTIVE: &str = "inactive";
+pub const RELAY_STATUS_DELINQUENT: &str = "delinquent";
+
 #[derive(Debug, Clone, Serialize, Deserialize, sqlx::FromRow)]
 pub struct Activity {
     pub id: String,

backend/src/query.rs

@@ -70,7 +70,7 @@ impl Query {
 
     pub async fn list_relays(&self) -> Result<Vec<Relay>> {
         let rows = sqlx::query_as::<_, Relay>(
-             "SELECT id, tenant, schema, subdomain, plan, stripe_subscription_item_id,
+            "SELECT id, tenant, schema, subdomain, plan, stripe_subscription_item_id,
                      status, sync_error,
                      info_name, info_icon, info_description,
                      policy_public_join, policy_strip_signatures,
@@ -86,7 +86,7 @@ impl Query {
 
     pub async fn list_relays_for_tenant(&self, tenant_id: &str) -> Result<Vec<Relay>> {
         let rows = sqlx::query_as::<_, Relay>(
-             "SELECT id, tenant, schema, subdomain, plan, stripe_subscription_item_id,
+            "SELECT id, tenant, schema, subdomain, plan, stripe_subscription_item_id,
                      status, sync_error,
                      info_name, info_icon, info_description,
                      policy_public_join, policy_strip_signatures,
@@ -104,7 +104,7 @@ impl Query {
 
     pub async fn get_relay(&self, id: &str) -> Result<Option<Relay>> {
         let row = sqlx::query_as::<_, Relay>(
-             "SELECT id, tenant, schema, subdomain, plan, stripe_subscription_item_id,
+            "SELECT id, tenant, schema, subdomain, plan, stripe_subscription_item_id,
                      status, sync_error,
                      info_name, info_icon, info_description,
                      policy_public_join, policy_strip_signatures,
@@ -119,7 +119,10 @@ impl Query {
         Ok(row)
     }
 
-    pub async fn get_tenant_by_stripe_customer_id(&self, stripe_customer_id: &str) -> Result<Option<Tenant>> {
+    pub async fn get_tenant_by_stripe_customer_id(
+        &self,
+        stripe_customer_id: &str,
+    ) -> Result<Option<Tenant>> {
         let row = sqlx::query_as::<_, Tenant>(
             "SELECT pubkey, nwc_url, nwc_error, created_at, stripe_customer_id, stripe_subscription_id, past_due_at
              FROM tenant

backend/src/robot.rs

@@ -254,3 +254,23 @@ async fn set_cached(
         },
     );
 }
+
+#[cfg(test)]
+impl Robot {
+    pub fn test_stub() -> Self {
+        let keys = Keys::generate();
+        let client = Client::new(keys);
+
+        Self {
+            secret: String::new(),
+            name: String::new(),
+            description: String::new(),
+            picture: String::new(),
+            outbox_client: client.clone(),
+            indexer_client: client.clone(),
+            messaging_client: client,
+            outbox_cache: std::sync::Arc::new(Mutex::new(HashMap::new())),
+            dm_cache: std::sync::Arc::new(Mutex::new(HashMap::new())),
+        }
+    }
+}

backend/tests/btc_quote_stub.rs

@@ -0,0 +1,31 @@
+use axum::{Json, Router, routing::get};
+use backend::billing::{fetch_btc_spot_price_from_base, fiat_minor_to_msats_from_quote};
+
+#[tokio::test]
+async fn quote_endpoint_can_be_stubbed_deterministically() {
+    async fn spot() -> Json<serde_json::Value> {
+        Json(serde_json::json!({ "data": { "amount": "50000.00" } }))
+    }
+
+    let app = Router::new().route("/v2/prices/BTC-USD/spot", get(spot));
+
+    let listener = tokio::net::TcpListener::bind("127.0.0.1:0")
+        .await
+        .expect("bind test server");
+    let addr = listener.local_addr().expect("get local addr");
+    tokio::spawn(async move {
+        axum::serve(listener, app).await.expect("serve quote stub");
+    });
+
+    let client = reqwest::Client::new();
+    let base = format!("http://{addr}/v2/prices");
+    let btc_price = fetch_btc_spot_price_from_base(&client, &base, "USD")
+        .await
+        .expect("fetch stubbed quote");
+
+    assert_eq!(btc_price, 50_000.0);
+
+    let msats = fiat_minor_to_msats_from_quote(100, "USD", btc_price)
+        .expect("convert quoted fiat amount");
+    assert_eq!(msats, 2_000_000);
+}

frontend/src/components/PaymentDialog.tsx

@@ -6,6 +6,7 @@ import { getInvoice, getInvoiceBolt11 } from "@/lib/api"
 import { tenantNeedsPaymentSetup } from "@/lib/hooks"
 
 type PayStatus = "idle" | "loading" | "success" | "error"
+type Bolt11Status = "idle" | "loading" | "ready" | "error"
 
 type PaymentInvoice = {
   id: string
@@ -21,20 +22,34 @@ type PaymentDialogProps = {
 export default function PaymentDialog(props: PaymentDialogProps) {
   const [bolt11, setBolt11] = createSignal("")
   const [qrDataUrl, setQrDataUrl] = createSignal("")
+  const [bolt11Status, setBolt11Status] = createSignal<Bolt11Status>("idle")
+  const [bolt11Error, setBolt11Error] = createSignal("")
   const [payStatus, setPayStatus] = createSignal<PayStatus>("idle")
   const [payError, setPayError] = createSignal("")
   const [showSetup, setShowSetup] = createSignal(false)
   const [showPaymentSetup, setShowPaymentSetup] = createSignal(false)
 
-  createEffect(async () => {
+  async function loadBolt11() {
-    if (!props.open || !props.invoice.id) return
+    if (!props.invoice.id) return
+    setBolt11Status("loading")
+    setBolt11Error("")
+    setBolt11("")
+    setQrDataUrl("")
+
     try {
       const { bolt11: invoice } = await getInvoiceBolt11(props.invoice.id)
       setBolt11(invoice)
       setQrDataUrl(await QRCode.toDataURL(invoice, { width: 256, margin: 2 }))
-    } catch {
+      setBolt11Status("ready")
-      // bolt11 generation may fail
+    } catch (e) {
+      setBolt11Status("error")
+      setBolt11Error(e instanceof Error ? e.message : "Failed to generate Lightning invoice")
     }
+  }
+
+  createEffect(() => {
+    if (!props.open || !props.invoice.id) return
+    void loadBolt11()
   })
 
   function copyBolt11() {
@@ -62,6 +77,8 @@ export default function PaymentDialog(props: PaymentDialogProps) {
   function handleClose() {
     setPayStatus("idle")
     setPayError("")
+    setBolt11Status("idle")
+    setBolt11Error("")
     setBolt11("")
     setQrDataUrl("")
     setShowSetup(false)
@@ -104,33 +121,46 @@ export default function PaymentDialog(props: PaymentDialogProps) {
           when={payStatus() === "success"}
           fallback={
             <div class="w-full space-y-3">
-              <Show
+              <Show when={bolt11Status() === "idle" || bolt11Status() === "loading"}>
-                when={qrDataUrl()}
+                <div class="flex items-center justify-center py-12 text-sm text-gray-400">Generating invoice...</div>
-                fallback={<div class="flex items-center justify-center py-12 text-sm text-gray-400">Generating invoice...</div>}
-              >
-                <img src={qrDataUrl()} alt="Lightning invoice QR code" class="mx-auto rounded-lg" />
               </Show>
-              <Show when={bolt11()}>
+              <Show when={bolt11Status() === "error"}>
-                <div class="flex rounded-lg border border-gray-300">
+                <div class="rounded-lg border border-red-200 bg-red-50 p-4">
-                  <input
+                  <p class="text-sm font-medium text-red-700">Unable to generate invoice</p>
-                    type="text"
+                  <p class="mt-1 text-xs text-red-600 wrap-break-word">{bolt11Error()}</p>
-                    readOnly
-                    value={bolt11()}
-                    class="min-w-0 flex-1 rounded-l-lg border-0 px-3 py-2 text-xs text-gray-500 bg-transparent focus:outline-none"
-                  />
                   <button
                     type="button"
-                    class="flex items-center px-3 text-gray-400 hover:text-gray-700"
+                    onClick={() => void loadBolt11()}
-                    onClick={copyBolt11}
+                    class="mt-3 inline-flex items-center rounded-lg bg-red-600 px-3 py-1.5 text-sm font-medium text-white hover:bg-red-700"
-                    title="Copy invoice"
                   >
-                    <svg class="w-4 h-4" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+                    Retry
-                      <rect x="9" y="9" width="13" height="13" rx="2" />
-                      <path d="M5 15H4a2 2 0 01-2-2V4a2 2 0 012-2h9a2 2 0 012 2v1" />
-                    </svg>
                   </button>
                 </div>
               </Show>
+              <Show when={bolt11Status() === "ready"}>
+                <img src={qrDataUrl()} alt="Lightning invoice QR code" class="mx-auto rounded-lg" />
+                <Show when={bolt11()}>
+                  <div class="flex rounded-lg border border-gray-300">
+                    <input
+                      type="text"
+                      readOnly
+                      value={bolt11()}
+                      class="min-w-0 flex-1 rounded-l-lg border-0 px-3 py-2 text-xs text-gray-500 bg-transparent focus:outline-none"
+                    />
+                    <button
+                      type="button"
+                      class="flex items-center px-3 text-gray-400 hover:text-gray-700"
+                      onClick={copyBolt11}
+                      title="Copy invoice"
+                    >
+                      <svg class="w-4 h-4" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+                        <rect x="9" y="9" width="13" height="13" rx="2" />
+                        <path d="M5 15H4a2 2 0 01-2-2V4a2 2 0 012-2h9a2 2 0 012 2v1" />
+                      </svg>
+                    </button>
+                  </div>
+                </Show>
+              </Show>
             </div>
           }
         >
@@ -188,7 +218,7 @@ export default function PaymentDialog(props: PaymentDialogProps) {
           <button
             type="button"
             onClick={checkPayment}
-            disabled={payStatus() === "loading"}
+            disabled={payStatus() === "loading" || bolt11Status() !== "ready"}
             class="py-2 px-4 bg-blue-600 text-white text-sm font-medium rounded-lg hover:bg-blue-700 disabled:opacity-50 transition-colors"
           >
             {payStatus() === "loading" ? "Checking..." : "Complete Payment"}