fix: silent relay state drift when activity bus drops events

backend/.env.template

@@ -28,6 +28,5 @@ LIVEKIT_API_SECRET=
 
 # Billing
 NWC_URL=                      # Nostr Wallet Connect URL for generating Lightning invoices
-ENCRYPTION_SECRET=            # Nostr secret key (hex or nsec) used to encrypt tenant NWC URLs at rest
 STRIPE_SECRET_KEY=            # Required Stripe API secret key (sk_...)
 STRIPE_WEBHOOK_SECRET=whsec_test_00000000000000000000000000  # Webhook signing secret (use real value in production)

backend/README.md

@@ -44,7 +44,6 @@ Environment variables:
 | `LIVEKIT_API_KEY`        | LiveKit API key sent to zooid                                           | _optional_                           |
 | `LIVEKIT_API_SECRET`     | LiveKit API secret sent to zooid                                        | _optional_                           |
 | `NWC_URL`                | Platform NWC URL used to generate BOLT11 invoices                       | _required for invoice generation_    |
-| `ENCRYPTION_SECRET`      | Nostr secret key (hex or nsec) used to encrypt tenant NWC URLs at rest  | _required_                           |
 | `STRIPE_SECRET_KEY`      | Stripe API secret key used for billing API operations                   | _required_                           |
 | `STRIPE_WEBHOOK_SECRET`  | Stripe webhook signing secret used to verify `Stripe-Signature` headers | _required_                           |
 | `ROBOT_SECRET`           | Robot Nostr secret key                                                  | _required_                           |

backend/migrations/0004_invoice_manual_lightning_payment.sql

@@ -1,11 +0,0 @@
-CREATE TABLE IF NOT EXISTS invoice_manual_lightning_payment (
-  invoice_id TEXT PRIMARY KEY,
-  tenant_pubkey TEXT NOT NULL,
-  bolt11 TEXT NOT NULL,
-  created_at INTEGER NOT NULL,
-  updated_at INTEGER NOT NULL,
-  FOREIGN KEY (tenant_pubkey) REFERENCES tenant(pubkey)
-);
-
-CREATE INDEX IF NOT EXISTS idx_invoice_manual_lightning_payment_tenant_pubkey
-ON invoice_manual_lightning_payment (tenant_pubkey);

backend/spec/api.md

@@ -57,7 +57,7 @@ Notes:
 
 - Serves `GET /tenants`
 - Authorizes admin only
-- Return `data` is a list of `TenantResponse` structs (contains `nwc_is_set: bool` instead of `nwc_url`)
+- Return `data` is a list of tenant structs from `query.list_tenants`
 
 ## `async fn create_tenant(...) -> Response`
 
@@ -69,21 +69,20 @@ Notes:
 - On unique-constraint race (`pubkey-exists`), re-fetch and return the existing tenant
 - If Stripe customer creation fails, return `code=stripe-customer-create-failed`
 - Always returns `200` (create-or-get is uniform)
-- Return `data` is a single `TenantResponse` struct (contains `nwc_is_set: bool` instead of `nwc_url`)
+- Return `data` is a single `Tenant` struct
 
 ## `async fn get_tenant(...) -> Response`
 
 - Serves `GET /tenants/:pubkey`
 - Authorizes admin or matching tenant
-- Return `data` is a single `TenantResponse` struct (contains `nwc_is_set: bool` instead of `nwc_url`)
+- Return `data` is a single tenant struct from `query.get_tenant`
 
 ## `async fn update_tenant(...) -> Response`
 
 - Serves `PUT /tenants/:pubkey`
 - Authorizes admin or matching tenant
-- Accepts `nwc_url` in the request body; encrypts it before storage using `cipher::encrypt`
 - Updates tenant using `command.update_tenant`
-- Return `data` is the updated `TenantResponse` struct (contains `nwc_is_set: bool` instead of `nwc_url`)
+- Return `data` is the updated tenant struct
 
 ## `async fn list_tenant_relays(...) -> Response`
 

backend/spec/models.md

@@ -52,7 +52,7 @@ There are three plans available:
 Tenants are customers of the service, identified by a nostr `pubkey`. Public metadata like name etc are pulled from the nostr network. They also have associated billing information.
 
 - `pubkey` is the nostr public key identifying the tenant
-- `nwc_url` (private) a nostr wallet connect URL used for **paying** invoices generated by the system on the tenant's behalf; stored encrypted at rest using NIP-44 via `ENCRYPTION_SECRET`; never serialized to API responses — tenant API endpoints expose `nwc_is_set: bool` instead
+- `nwc_url` (private) a nostr wallet connect URL used for **paying** invoices generated by the system on the tenant's behalf
 - `nwc_error` (private) a string indicating the most recent NWC payment error, if any. Cleared on successful NWC payment.
 - `created_at` unix timestamp identifying tenant creation time
 - `stripe_customer_id` a string identifying the associated stripe customer

backend/src/api.rs

@@ -445,31 +445,6 @@ struct IdentityResponse {
     is_admin: bool,
 }
 
-#[derive(Serialize)]
-struct TenantResponse {
-    pubkey: String,
-    nwc_is_set: bool,
-    nwc_error: Option<String>,
-    created_at: i64,
-    stripe_customer_id: String,
-    stripe_subscription_id: Option<String>,
-    past_due_at: Option<i64>,
-}
-
-impl From<Tenant> for TenantResponse {
-    fn from(t: Tenant) -> Self {
-        TenantResponse {
-            nwc_is_set: !t.nwc_url.is_empty(),
-            pubkey: t.pubkey,
-            nwc_error: t.nwc_error,
-            created_at: t.created_at,
-            stripe_customer_id: t.stripe_customer_id,
-            stripe_subscription_id: t.stripe_subscription_id,
-            past_due_at: t.past_due_at,
-        }
-    }
-}
-
 #[derive(Deserialize)]
 struct CreateRelayRequest {
     tenant: String,
@@ -511,13 +486,7 @@ async fn list_tenants(
     state.api.require_admin(&pubkey)?;
 
     match state.api.query.list_tenants().await {
-        Ok(tenants) => Ok(ok(
-            StatusCode::OK,
-            tenants
-                .into_iter()
-                .map(TenantResponse::from)
-                .collect::<Vec<_>>(),
-        )),
+        Ok(tenants) => Ok(ok(StatusCode::OK, tenants)),
         Err(e) => Ok(err(
             StatusCode::INTERNAL_SERVER_ERROR,
             "internal",
@@ -546,7 +515,7 @@ async fn create_tenant(
     let pubkey = state.api.extract_auth_pubkey(&headers)?;
 
     match state.api.query.get_tenant(&pubkey).await {
-        Ok(Some(t)) => Ok(ok(StatusCode::OK, TenantResponse::from(t))),
+        Ok(Some(t)) => Ok(ok(StatusCode::OK, t)),
         Ok(None) => {
             let stripe_customer_id = match state.api.billing.stripe_create_customer(&pubkey).await {
                 Ok(id) => id,
@@ -570,10 +539,10 @@ async fn create_tenant(
             };
 
             match state.api.command.create_tenant(&tenant).await {
-                Ok(()) => Ok(ok(StatusCode::OK, TenantResponse::from(tenant))),
+                Ok(()) => Ok(ok(StatusCode::OK, tenant)),
                 Err(e) if matches!(map_unique_error(&e), Some("pubkey-exists")) => {
                     match state.api.query.get_tenant(&pubkey).await {
-                        Ok(Some(t)) => Ok(ok(StatusCode::OK, TenantResponse::from(t))),
+                        Ok(Some(t)) => Ok(ok(StatusCode::OK, t)),
                         Ok(None) => Ok(err(
                             StatusCode::INTERNAL_SERVER_ERROR,
                             "internal",
@@ -616,7 +585,7 @@ async fn get_tenant(
     let auth = state.api.extract_auth_pubkey(&headers)?;
     state.api.require_admin_or_tenant(&auth, &pubkey)?;
     let tenant = state.api.get_tenant_or_404(&pubkey).await?;
-    Ok(ok(StatusCode::OK, TenantResponse::from(tenant)))
+    Ok(ok(StatusCode::OK, tenant))
 }
 
 async fn list_relays(
@@ -1040,13 +1009,6 @@ async fn get_invoice(
         .map_err(map_invoice_lookup_error)?;
     state.api.require_admin_or_tenant(&auth, &tenant.pubkey)?;
 
-    let invoice = state
-        .api
-        .billing
-        .reconcile_manual_lightning_invoice(&id, &invoice)
-        .await
-        .map_err(map_invoice_lookup_error)?;
-
     Ok(ok(StatusCode::OK, invoice))
 }
 
@@ -1064,13 +1026,6 @@ async fn get_invoice_bolt11(
         .map_err(map_invoice_lookup_error)?;
     state.api.require_admin_or_tenant(&auth, &tenant.pubkey)?;
 
-    let invoice = state
-        .api
-        .billing
-        .reconcile_manual_lightning_invoice(&id, &invoice)
-        .await
-        .map_err(map_invoice_lookup_error)?;
-
     let status = invoice["status"].as_str().unwrap_or_default();
     if status != "open" {
         return Ok(err(
@@ -1083,12 +1038,7 @@ async fn get_invoice_bolt11(
     let amount_due = invoice["amount_due"].as_i64().unwrap_or(0);
     let currency = invoice["currency"].as_str().unwrap_or("usd");
 
-    match state
-        .api
-        .billing
-        .get_or_create_manual_lightning_bolt11(&id, &tenant.pubkey, amount_due, currency)
-        .await
-    {
+    match state.api.billing.create_bolt11(amount_due, currency).await {
         Ok(bolt11) => Ok(ok(StatusCode::OK, serde_json::json!({ "bolt11": bolt11 }))),
         Err(e) => Ok(err(
             StatusCode::INTERNAL_SERVER_ERROR,
@@ -1134,12 +1084,7 @@ async fn update_tenant(
 
     let nwc_previously_empty = tenant.nwc_url.is_empty();
     if let Some(nwc_url) = payload.nwc_url {
-        if nwc_url.is_empty() {
-            tenant.nwc_url = String::new();
-        } else {
-            tenant.nwc_url =
-                crate::cipher::encrypt(&nwc_url).map_err(|e| ApiError::Internal(e.to_string()))?;
-        }
+        tenant.nwc_url = nwc_url;
     }
 
     match state.api.command.update_tenant(&tenant).await {
@@ -1158,7 +1103,7 @@ async fn update_tenant(
                     }
                 });
             }
-            Ok(ok(StatusCode::OK, TenantResponse::from(tenant)))
+            Ok(ok(StatusCode::OK, tenant))
         }
         Err(e) => Ok(err(
             StatusCode::INTERNAL_SERVER_ERROR,

backend/src/billing.rs

@@ -1,8 +1,7 @@
 use anyhow::{Result, anyhow};
 use hmac::{Hmac, Mac};
 use nwc::prelude::{
-    LookupInvoiceRequest, LookupInvoiceResponse, MakeInvoiceRequest, NWC, NostrWalletConnectURI,
-    PayInvoiceRequest as NwcPayInvoiceRequest, TransactionState,
+    MakeInvoiceRequest, NWC, NostrWalletConnectURI, PayInvoiceRequest as NwcPayInvoiceRequest,
 };
 use sha2::Sha256;
 
@@ -422,14 +421,13 @@ impl Billing {
 
         // 1. NWC auto-pay: if the tenant has a nwc_url
         if !tenant.nwc_url.is_empty() {
-            let plain_nwc_url = crate::cipher::decrypt(&tenant.nwc_url)?;
             match self
                 .nwc_pay_invoice(
                     invoice_id,
                     &tenant.pubkey,
                     amount_due,
                     currency,
-                    &plain_nwc_url,
+                    &tenant.nwc_url,
                 )
                 .await?
             {
@@ -720,50 +718,6 @@ impl Billing {
         Ok((invoice, tenant))
     }
 
-    pub async fn reconcile_manual_lightning_invoice(
-        &self,
-        invoice_id: &str,
-        invoice: &serde_json::Value,
-    ) -> std::result::Result<serde_json::Value, InvoiceLookupError> {
-        self.reconcile_manual_lightning_invoice_if_settled(invoice_id, invoice)
-            .await
-    }
-
-    pub async fn get_or_create_manual_lightning_bolt11(
-        &self,
-        invoice_id: &str,
-        tenant_pubkey: &str,
-        amount_due_minor: i64,
-        currency: &str,
-    ) -> Result<String> {
-        if let Some(existing_bolt11) = self
-            .query
-            .get_invoice_manual_lightning_bolt11(invoice_id)
-            .await?
-        {
-            return Ok(existing_bolt11);
-        }
-
-        let bolt11 = self.create_bolt11(amount_due_minor, currency).await?;
-
-        if self
-            .command
-            .insert_manual_lightning_invoice_payment(invoice_id, tenant_pubkey, &bolt11)
-            .await?
-        {
-            return Ok(bolt11);
-        }
-
-        self.query
-            .get_invoice_manual_lightning_bolt11(invoice_id)
-            .await?
-            .ok_or_else(|| {
-                anyhow!(
-                    "manual lightning payment row missing after insert race for invoice {invoice_id}"
-                )
-            })
-    }
-
     pub async fn stripe_create_customer(&self, tenant_pubkey: &str) -> Result<String> {
         let short_pubkey: String = tenant_pubkey.chars().take(12).collect();
         let display_name = format!("Caravel tenant {short_pubkey}");
@@ -858,8 +812,6 @@ impl Billing {
             return Ok(());
         }
 
-        let plain_nwc_url = crate::cipher::decrypt(&tenant.nwc_url)?;
-
         let invoices = self
             .stripe_list_invoices(&tenant.stripe_customer_id)
             .await?;
@@ -881,7 +833,7 @@ impl Billing {
                     &tenant.pubkey,
                     amount_due,
                     currency,
-                    &plain_nwc_url,
+                    &tenant.nwc_url,
                 )
                 .await?
             {
@@ -1186,72 +1138,6 @@ impl Billing {
         Ok(())
     }
 
-    async fn reconcile_manual_lightning_invoice_if_settled(
-        &self,
-        invoice_id: &str,
-        invoice: &serde_json::Value,
-    ) -> std::result::Result<serde_json::Value, InvoiceLookupError> {
-        if invoice["status"].as_str().unwrap_or_default() != "open" {
-            return Ok(invoice.clone());
-        }
-
-        let Some(bolt11) = self
-            .query
-            .get_invoice_manual_lightning_bolt11(invoice_id)
-            .await?
-        else {
-            return Ok(invoice.clone());
-        };
-
-        let settled = match self.is_manual_lightning_invoice_settled(&bolt11).await {
-            Ok(settled) => settled,
-            Err(error) => {
-                tracing::warn!(
-                    error = %error,
-                    invoice_id,
-                    "failed to lookup manual lightning invoice settlement"
-                );
-                return Ok(invoice.clone());
-            }
-        };
-
-        if !settled {
-            return Ok(invoice.clone());
-        }
-
-        if let Err(error) = self.stripe_pay_invoice_out_of_band(invoice_id).await {
-            tracing::warn!(
-                error = %error,
-                invoice_id,
-                "failed to mark settled manual lightning invoice as paid_out_of_band"
-            );
-        }
-
-        self.stripe_get_invoice(invoice_id).await
-    }
-
-    async fn is_manual_lightning_invoice_settled(&self, bolt11: &str) -> Result<bool> {
-        let system_uri = Self::parse_nwc_uri(&self.nwc_url, "system")?;
-        let system_nwc = NWC::new(system_uri);
-
-        let lookup_req = LookupInvoiceRequest {
-            payment_hash: None,
-            invoice: Some(bolt11.to_string()),
-        };
-
-        let lookup_result = system_nwc.lookup_invoice(lookup_req).await;
-        system_nwc.shutdown().await;
-
-        let lookup_response =
-            lookup_result.map_err(|error| anyhow!("failed to lookup invoice: {error}"))?;
-
-        Ok(Self::lookup_invoice_response_is_settled(&lookup_response))
-    }
-
-    fn lookup_invoice_response_is_settled(response: &LookupInvoiceResponse) -> bool {
-        response.state == Some(TransactionState::Settled) || response.settled_at.is_some()
-    }
-
     fn parse_nwc_uri(nwc_url: &str, role: &str) -> Result<NostrWalletConnectURI> {
         nwc_url
             .parse::<NostrWalletConnectURI>()

backend/src/cipher.rs

@@ -1,28 +0,0 @@
-use anyhow::{Result, anyhow};
-use nostr_sdk::prelude::*;
-
-pub fn encrypt(plaintext: &str) -> Result<String> {
-    let keys = load_key()?;
-    nip44::encrypt(
-        keys.secret_key(),
-        &keys.public_key(),
-        plaintext,
-        nip44::Version::V2,
-    )
-    .map_err(|e| anyhow!("encryption failed: {e}"))
-}
-
-pub fn decrypt(ciphertext: &str) -> Result<String> {
-    let keys = load_key()?;
-    nip44::decrypt(keys.secret_key(), &keys.public_key(), ciphertext)
-        .map_err(|e| anyhow!("decryption failed: {e}"))
-}
-
-fn load_key() -> Result<Keys> {
-    let secret = std::env::var("ENCRYPTION_SECRET")
-        .map_err(|_| anyhow!("missing ENCRYPTION_SECRET environment variable"))?;
-    if secret.trim().is_empty() {
-        return Err(anyhow!("ENCRYPTION_SECRET is empty"));
-    }
-    Keys::parse(&secret).map_err(|e| anyhow!("invalid ENCRYPTION_SECRET: {e}"))
-}

backend/src/command.rs

@@ -353,30 +353,6 @@ impl Command {
         Ok(())
     }
 
-    pub async fn insert_manual_lightning_invoice_payment(
-        &self,
-        invoice_id: &str,
-        tenant_pubkey: &str,
-        bolt11: &str,
-    ) -> Result<bool> {
-        let now = chrono::Utc::now().timestamp();
-        let result = sqlx::query(
-            "INSERT INTO invoice_manual_lightning_payment
-             (invoice_id, tenant_pubkey, bolt11, created_at, updated_at)
-             VALUES (?, ?, ?, ?, ?)
-             ON CONFLICT(invoice_id) DO NOTHING",
-        )
-        .bind(invoice_id)
-        .bind(tenant_pubkey)
-        .bind(bolt11)
-        .bind(now)
-        .bind(now)
-        .execute(&self.pool)
-        .await?;
-
-        Ok(result.rows_affected() > 0)
-    }
-
     pub async fn set_tenant_past_due(&self, pubkey: &str) -> Result<()> {
         let now = chrono::Utc::now().timestamp();
         sqlx::query("UPDATE tenant SET past_due_at = ? WHERE pubkey = ?")

backend/src/infra.rs

@@ -93,7 +93,7 @@ impl Infra {
             return Ok(());
         };
 
-        let is_new = self.relay_sync_is_new(&relay).await?;
+        let is_new = relay.synced == 0;
         self.sync_and_report(&relay, is_new).await;
 
         Ok(())
@@ -110,7 +110,7 @@ impl Infra {
 
         for relay in relays {
             if relay.sync_error.trim().is_empty() {
-                let is_new = self.relay_sync_is_new(&relay).await?;
+                let is_new = relay.synced == 0;
                 self.sync_and_report(&relay, is_new).await;
             } else {
                 self.schedule_relay_sync_retry(&relay.id, source).await?;
@@ -166,20 +166,11 @@ impl Infra {
             return Ok(());
         }
 
-        let is_new = self.relay_sync_is_new(&relay).await?;
+        let is_new = relay.synced == 0;
         self.sync_and_report(&relay, is_new).await;
         Ok(())
     }
 
-    async fn relay_sync_is_new(&self, relay: &Relay) -> Result<bool> {
-        if relay.synced == 1 {
-            return Ok(false);
-        }
-
-        let has_completed_sync = self.query.relay_has_completed_sync(&relay.id).await?;
-        Ok(!has_completed_sync)
-    }
-
     async fn sync_and_report(&self, relay: &Relay, is_new: bool) {
         match self.sync_relay(relay, is_new).await {
             Ok(()) => {

backend/src/lib.rs

@@ -1,6 +1,5 @@
 pub mod api;
 pub mod billing;
-pub mod cipher;
 pub mod command;
 pub mod infra;
 pub mod models;

backend/src/main.rs

@@ -1,6 +1,5 @@
 mod api;
 mod billing;
-mod cipher;
 mod command;
 mod infra;
 mod models;

backend/src/query.rs

@@ -171,19 +171,6 @@ impl Query {
         Ok(state)
     }
 
-    pub async fn get_invoice_manual_lightning_bolt11(
-        &self,
-        invoice_id: &str,
-    ) -> Result<Option<String>> {
-        let bolt11 = sqlx::query_scalar::<_, String>(
-            "SELECT bolt11 FROM invoice_manual_lightning_payment WHERE invoice_id = ?",
-        )
-        .bind(invoice_id)
-        .fetch_optional(&self.pool)
-        .await?;
-        Ok(bolt11)
-    }
-
     pub async fn has_active_paid_relays(&self, tenant_id: &str) -> Result<bool> {
         let plans = sqlx::query_scalar::<_, String>(
             "SELECT plan FROM relay WHERE tenant = ? AND status = 'active'",
@@ -207,20 +194,4 @@ impl Query {
         .await?;
         Ok(rows)
     }
-
-    pub async fn relay_has_completed_sync(&self, relay_id: &str) -> Result<bool> {
-        let found = sqlx::query_scalar::<_, i64>(
-            "SELECT 1
-             FROM activity
-             WHERE resource_type = 'relay'
-               AND resource_id = ?
-               AND activity_type = 'complete_relay_sync'
-             LIMIT 1",
-        )
-        .bind(relay_id)
-        .fetch_optional(&self.pool)
-        .await?;
-
-        Ok(found.is_some())
-    }
 }