feat: open payment modal immediately on relay plan upgrade

Co-authored-by: userAdityaa <aditya.chaudhary1558@gmail.com>
Co-committed-by: userAdityaa <aditya.chaudhary1558@gmail.com>

backend/.env.template

@@ -28,5 +28,6 @@ LIVEKIT_API_SECRET=
 
 # Billing
 NWC_URL=                      # Nostr Wallet Connect URL for generating Lightning invoices
+ENCRYPTION_SECRET=            # Nostr secret key (hex or nsec) used to encrypt tenant NWC URLs at rest
 STRIPE_SECRET_KEY=            # Required Stripe API secret key (sk_...)
 STRIPE_WEBHOOK_SECRET=whsec_test_00000000000000000000000000  # Webhook signing secret (use real value in production)

backend/README.md

@@ -44,6 +44,7 @@ Environment variables:
 | `LIVEKIT_API_KEY`        | LiveKit API key sent to zooid                                           | _optional_                           |
 | `LIVEKIT_API_SECRET`     | LiveKit API secret sent to zooid                                        | _optional_                           |
 | `NWC_URL`                | Platform NWC URL used to generate BOLT11 invoices                       | _required for invoice generation_    |
+| `ENCRYPTION_SECRET`      | Nostr secret key (hex or nsec) used to encrypt tenant NWC URLs at rest  | _required_                           |
 | `STRIPE_SECRET_KEY`      | Stripe API secret key used for billing API operations                   | _required_                           |
 | `STRIPE_WEBHOOK_SECRET`  | Stripe webhook signing secret used to verify `Stripe-Signature` headers | _required_                           |
 | `ROBOT_SECRET`           | Robot Nostr secret key                                                  | _required_                           |

backend/migrations/0003_invoice_nwc_payment_guard.sql

@@ -0,0 +1,11 @@
+CREATE TABLE IF NOT EXISTS invoice_nwc_payment (
+  invoice_id TEXT PRIMARY KEY,
+  tenant_pubkey TEXT NOT NULL,
+  state TEXT NOT NULL CHECK (state IN ('pending', 'paid')),
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL,
+  FOREIGN KEY (tenant_pubkey) REFERENCES tenant(pubkey)
+);
+
+CREATE INDEX IF NOT EXISTS idx_invoice_nwc_payment_tenant_pubkey
+ON invoice_nwc_payment (tenant_pubkey);

backend/migrations/0004_invoice_manual_lightning_payment.sql

@@ -0,0 +1,11 @@
+CREATE TABLE IF NOT EXISTS invoice_manual_lightning_payment (
+  invoice_id TEXT PRIMARY KEY,
+  tenant_pubkey TEXT NOT NULL,
+  bolt11 TEXT NOT NULL,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL,
+  FOREIGN KEY (tenant_pubkey) REFERENCES tenant(pubkey)
+);
+
+CREATE INDEX IF NOT EXISTS idx_invoice_manual_lightning_payment_tenant_pubkey
+ON invoice_manual_lightning_payment (tenant_pubkey);

backend/spec/api.md

@@ -57,7 +57,7 @@ Notes:
 
 - Serves `GET /tenants`
 - Authorizes admin only
-- Return `data` is a list of tenant structs from `query.list_tenants`
+- Return `data` is a list of `TenantResponse` structs (contains `nwc_is_set: bool` instead of `nwc_url`)
 
 ## `async fn create_tenant(...) -> Response`
 
@@ -69,20 +69,21 @@ Notes:
 - On unique-constraint race (`pubkey-exists`), re-fetch and return the existing tenant
 - If Stripe customer creation fails, return `code=stripe-customer-create-failed`
 - Always returns `200` (create-or-get is uniform)
-- Return `data` is a single `Tenant` struct
+- Return `data` is a single `TenantResponse` struct (contains `nwc_is_set: bool` instead of `nwc_url`)
 
 ## `async fn get_tenant(...) -> Response`
 
 - Serves `GET /tenants/:pubkey`
 - Authorizes admin or matching tenant
-- Return `data` is a single tenant struct from `query.get_tenant`
+- Return `data` is a single `TenantResponse` struct (contains `nwc_is_set: bool` instead of `nwc_url`)
 
 ## `async fn update_tenant(...) -> Response`
 
 - Serves `PUT /tenants/:pubkey`
 - Authorizes admin or matching tenant
+- Accepts `nwc_url` in the request body; encrypts it before storage using `cipher::encrypt`
 - Updates tenant using `command.update_tenant`
-- Return `data` is the updated tenant struct
+- Return `data` is the updated `TenantResponse` struct (contains `nwc_is_set: bool` instead of `nwc_url`)
 
 ## `async fn list_tenant_relays(...) -> Response`
 

backend/spec/models.md

@@ -52,7 +52,7 @@ There are three plans available:
 Tenants are customers of the service, identified by a nostr `pubkey`. Public metadata like name etc are pulled from the nostr network. They also have associated billing information.
 
 - `pubkey` is the nostr public key identifying the tenant
-- `nwc_url` (private) a nostr wallet connect URL used for **paying** invoices generated by the system on the tenant's behalf
+- `nwc_url` (private) a nostr wallet connect URL used for **paying** invoices generated by the system on the tenant's behalf; stored encrypted at rest using NIP-44 via `ENCRYPTION_SECRET`; never serialized to API responses — tenant API endpoints expose `nwc_is_set: bool` instead
 - `nwc_error` (private) a string indicating the most recent NWC payment error, if any. Cleared on successful NWC payment.
 - `created_at` unix timestamp identifying tenant creation time
 - `stripe_customer_id` a string identifying the associated stripe customer
@@ -63,9 +63,9 @@ Tenants are customers of the service, identified by a nostr `pubkey`. Public met
 
 A relay is a nostr relay owned by a `tenant` and hosted by the attached zooid instance. Relay subdomains MUST be unique.
 
-- `id` - a random ID identifying the relay
+- `id` - calculated based on `subdomain` + 8 random hex chars
 - `tenant` - the tenant's pubkey
-- `schema` - the relay's db schema (read_only, calculated based on `subdomain` + `id`)
+- `schema` - the relay's db schema (read only, same as `id`)
 - `subdomain` - the relay's subdomain
 - `plan` - the relay's plan
 - `stripe_subscription_item_id` (nullable) - the Stripe subscription item id. Only set for relays on paid plans.

backend/src/api.rs

@@ -275,9 +275,6 @@ impl Api {
             return Err(RelayValidationError::PremiumFeature);
         }
 
-        if relay.schema.is_empty() {
-            relay.schema = format!("{}_{}", relay.subdomain.replace('-', "_"), relay.id);
-        }
         if relay.status.is_empty() {
             relay.status = RELAY_STATUS_ACTIVE.to_string();
         }
@@ -445,6 +442,31 @@ struct IdentityResponse {
     is_admin: bool,
 }
 
+#[derive(Serialize)]
+struct TenantResponse {
+    pubkey: String,
+    nwc_is_set: bool,
+    nwc_error: Option<String>,
+    created_at: i64,
+    stripe_customer_id: String,
+    stripe_subscription_id: Option<String>,
+    past_due_at: Option<i64>,
+}
+
+impl From<Tenant> for TenantResponse {
+    fn from(t: Tenant) -> Self {
+        TenantResponse {
+            nwc_is_set: !t.nwc_url.is_empty(),
+            pubkey: t.pubkey,
+            nwc_error: t.nwc_error,
+            created_at: t.created_at,
+            stripe_customer_id: t.stripe_customer_id,
+            stripe_subscription_id: t.stripe_subscription_id,
+            past_due_at: t.past_due_at,
+        }
+    }
+}
+
 #[derive(Deserialize)]
 struct CreateRelayRequest {
     tenant: String,
@@ -486,7 +508,13 @@ async fn list_tenants(
     state.api.require_admin(&pubkey)?;
 
     match state.api.query.list_tenants().await {
-        Ok(tenants) => Ok(ok(StatusCode::OK, tenants)),
+        Ok(tenants) => Ok(ok(
+            StatusCode::OK,
+            tenants
+                .into_iter()
+                .map(TenantResponse::from)
+                .collect::<Vec<_>>(),
+        )),
         Err(e) => Ok(err(
             StatusCode::INTERNAL_SERVER_ERROR,
             "internal",
@@ -515,7 +543,7 @@ async fn create_tenant(
     let pubkey = state.api.extract_auth_pubkey(&headers)?;
 
     match state.api.query.get_tenant(&pubkey).await {
-        Ok(Some(t)) => Ok(ok(StatusCode::OK, t)),
+        Ok(Some(t)) => Ok(ok(StatusCode::OK, TenantResponse::from(t))),
         Ok(None) => {
             let stripe_customer_id = match state.api.billing.stripe_create_customer(&pubkey).await {
                 Ok(id) => id,
@@ -539,10 +567,10 @@ async fn create_tenant(
             };
 
             match state.api.command.create_tenant(&tenant).await {
-                Ok(()) => Ok(ok(StatusCode::OK, tenant)),
+                Ok(()) => Ok(ok(StatusCode::OK, TenantResponse::from(tenant))),
                 Err(e) if matches!(map_unique_error(&e), Some("pubkey-exists")) => {
                     match state.api.query.get_tenant(&pubkey).await {
-                        Ok(Some(t)) => Ok(ok(StatusCode::OK, t)),
+                        Ok(Some(t)) => Ok(ok(StatusCode::OK, TenantResponse::from(t))),
                         Ok(None) => Ok(err(
                             StatusCode::INTERNAL_SERVER_ERROR,
                             "internal",
@@ -585,7 +613,7 @@ async fn get_tenant(
     let auth = state.api.extract_auth_pubkey(&headers)?;
     state.api.require_admin_or_tenant(&auth, &pubkey)?;
     let tenant = state.api.get_tenant_or_404(&pubkey).await?;
-    Ok(ok(StatusCode::OK, tenant))
+    Ok(ok(StatusCode::OK, TenantResponse::from(tenant)))
 }
 
 async fn list_relays(
@@ -723,10 +751,16 @@ async fn create_relay(
     let auth = state.api.extract_auth_pubkey(&headers)?;
     state.api.require_admin_or_tenant(&auth, &payload.tenant)?;
 
+    let relay_id = format!(
+        "{}_{}",
+        payload.subdomain.replace('-', "_"),
+        &uuid::Uuid::new_v4().simple().to_string()[..8]
+    );
+
     let mut relay = Relay {
-        id: uuid::Uuid::new_v4().to_string(),
+        id: relay_id.clone(),
         tenant: payload.tenant,
-        schema: String::new(),
+        schema: relay_id.clone(),
         subdomain: payload.subdomain,
         plan: payload.plan,
         stripe_subscription_item_id: None,
@@ -1009,6 +1043,13 @@ async fn get_invoice(
         .map_err(map_invoice_lookup_error)?;
     state.api.require_admin_or_tenant(&auth, &tenant.pubkey)?;
 
+    let invoice = state
+        .api
+        .billing
+        .reconcile_manual_lightning_invoice(&id, &invoice)
+        .await
+        .map_err(map_invoice_lookup_error)?;
+
     Ok(ok(StatusCode::OK, invoice))
 }
 
@@ -1026,6 +1067,13 @@ async fn get_invoice_bolt11(
         .map_err(map_invoice_lookup_error)?;
     state.api.require_admin_or_tenant(&auth, &tenant.pubkey)?;
 
+    let invoice = state
+        .api
+        .billing
+        .reconcile_manual_lightning_invoice(&id, &invoice)
+        .await
+        .map_err(map_invoice_lookup_error)?;
+
     let status = invoice["status"].as_str().unwrap_or_default();
     if status != "open" {
         return Ok(err(
@@ -1038,7 +1086,12 @@ async fn get_invoice_bolt11(
     let amount_due = invoice["amount_due"].as_i64().unwrap_or(0);
     let currency = invoice["currency"].as_str().unwrap_or("usd");
 
-    match state.api.billing.create_bolt11(amount_due, currency).await {
+    match state
+        .api
+        .billing
+        .get_or_create_manual_lightning_bolt11(&id, &tenant.pubkey, amount_due, currency)
+        .await
+    {
         Ok(bolt11) => Ok(ok(StatusCode::OK, serde_json::json!({ "bolt11": bolt11 }))),
         Err(e) => Ok(err(
             StatusCode::INTERNAL_SERVER_ERROR,
@@ -1084,7 +1137,12 @@ async fn update_tenant(
 
     let nwc_previously_empty = tenant.nwc_url.is_empty();
     if let Some(nwc_url) = payload.nwc_url {
-        tenant.nwc_url = nwc_url;
+        if nwc_url.is_empty() {
+            tenant.nwc_url = String::new();
+        } else {
+            tenant.nwc_url =
+                crate::cipher::encrypt(&nwc_url).map_err(|e| ApiError::Internal(e.to_string()))?;
+        }
     }
 
     match state.api.command.update_tenant(&tenant).await {
@@ -1103,7 +1161,7 @@ async fn update_tenant(
                     }
                 });
             }
-            Ok(ok(StatusCode::OK, tenant))
+            Ok(ok(StatusCode::OK, TenantResponse::from(tenant)))
         }
         Err(e) => Ok(err(
             StatusCode::INTERNAL_SERVER_ERROR,

backend/src/billing.rs

@@ -1,7 +1,8 @@
 use anyhow::{Result, anyhow};
 use hmac::{Hmac, Mac};
 use nwc::prelude::{
-    MakeInvoiceRequest, NWC, NostrWalletConnectURI, PayInvoiceRequest as NwcPayInvoiceRequest,
+    LookupInvoiceRequest, LookupInvoiceResponse, MakeInvoiceRequest, NWC, NostrWalletConnectURI,
+    PayInvoiceRequest as NwcPayInvoiceRequest, TransactionState,
 };
 use sha2::Sha256;
 
@@ -17,6 +18,9 @@ type HmacSha256 = Hmac<Sha256>;
 const STRIPE_API: &str = "https://api.stripe.com/v1";
 const COINBASE_SPOT_API: &str = "https://api.coinbase.com/v2/prices";
 const WEBHOOK_TOLERANCE_SECS: i64 = 300;
+const MANUAL_LIGHTNING_PAYMENT_DM: &str = "Payment is due for your relay subscription. Please visit the application to complete a manual Lightning payment.";
+const NWC_ERROR_DM_PREFIX: &str = "NWC auto-payment failed:";
+const NWC_ERROR_DM_MAX_CHARS: usize = 240;
 
 #[derive(Debug)]
 pub enum InvoiceLookupError {
@@ -75,12 +79,17 @@ struct CoinbaseSpotPriceData {
     amount: String,
 }
 
+enum NwcInvoicePaymentOutcome {
+    Paid,
+    Fallback(anyhow::Error),
+    Pending(anyhow::Error),
+}
+
 #[derive(Clone)]
 pub struct Billing {
     nwc_url: String,
     stripe_secret_key: String,
     stripe_webhook_secret: String,
-    btc_quote_api_base: String,
     http: reqwest::Client,
     query: Query,
     command: Command,
@@ -98,13 +107,10 @@ impl Billing {
         if stripe_webhook_secret.trim().is_empty() {
             panic!("missing STRIPE_WEBHOOK_SECRET environment variable");
         }
-        let btc_quote_api_base =
-            std::env::var("BTC_PRICE_API_BASE").unwrap_or_else(|_| COINBASE_SPOT_API.to_string());
         Self {
             nwc_url,
             stripe_secret_key,
             stripe_webhook_secret,
-            btc_quote_api_base,
             http: reqwest::Client::new(),
             query,
             command,
@@ -115,6 +121,10 @@ impl Billing {
     pub async fn start(self) {
         let mut rx = self.command.notify.subscribe();
 
+        if let Err(error) = self.reconcile_relay_subscriptions("startup").await {
+            tracing::error!(error = %error, "failed to reconcile relay billing state on startup");
+        }
+
         loop {
             match rx.recv().await {
                 Ok(activity) => {
@@ -124,12 +134,39 @@ impl Billing {
                 }
                 Err(tokio::sync::broadcast::error::RecvError::Lagged(n)) => {
                     tracing::warn!(missed = n, "billing lagged");
+
+                    if let Err(error) = self.reconcile_relay_subscriptions("lagged").await {
+                        tracing::error!(error = %error, "failed to reconcile relay billing state after lag");
+                    }
                 }
                 Err(tokio::sync::broadcast::error::RecvError::Closed) => break,
             }
         }
     }
 
+    async fn reconcile_relay_subscriptions(&self, source: &str) -> Result<()> {
+        let relays = self.query.list_relays().await?;
+
+        if relays.is_empty() {
+            return Ok(());
+        }
+
+        tracing::info!(source, relay_count = relays.len(), "reconciling relay billing state");
+
+        for relay in relays {
+            if let Err(error) = self.sync_relay_subscription_for_relay(&relay).await {
+                tracing::error!(
+                    source,
+                    relay = %relay.id,
+                    error = %error,
+                    "failed to reconcile relay billing state"
+                );
+            }
+        }
+
+        Ok(())
+    }
+
     async fn handle_activity(&self, activity: &Activity) -> Result<()> {
         let needs_billing_sync = matches!(
             activity.activity_type.as_str(),
@@ -153,6 +190,10 @@ impl Billing {
             return Ok(());
         };
 
+        self.sync_relay_subscription_for_relay(&relay).await
+    }
+
+    async fn sync_relay_subscription_for_relay(&self, relay: &Relay) -> Result<()> {
         let Some(tenant) = self.query.get_tenant(&relay.tenant).await? else {
             return Ok(());
         };
@@ -261,6 +302,23 @@ impl Billing {
         Ok(())
     }
 
+    async fn existing_invoice_nwc_payment_outcome(
+        &self,
+        invoice_id: &str,
+    ) -> Result<Option<NwcInvoicePaymentOutcome>> {
+        let state = self.query.get_invoice_nwc_payment_state(invoice_id).await?;
+        match state.as_deref() {
+            Some("paid") => Ok(Some(NwcInvoicePaymentOutcome::Paid)),
+            Some("pending") => Ok(Some(NwcInvoicePaymentOutcome::Pending(anyhow!(
+                "invoice {invoice_id} has a pending NWC reconciliation; refusing to create a new Lightning charge"
+            )))),
+            Some(other) => Err(anyhow!(
+                "unknown invoice_nwc_payment state '{other}' for invoice {invoice_id}"
+            )),
+            None => Ok(None),
+        }
+    }
+
     pub async fn handle_webhook(&self, payload: &str, signature: &str) -> Result<()> {
         self.verify_webhook_signature(payload, signature)?;
 
@@ -360,24 +418,55 @@ impl Billing {
             return Ok(());
         };
 
+        let mut nwc_error_for_dm: Option<String> = None;
+
         // 1. NWC auto-pay: if the tenant has a nwc_url
         if !tenant.nwc_url.is_empty() {
+            let plain_nwc_url = crate::cipher::decrypt(&tenant.nwc_url)?;
             match self
-                .nwc_pay_invoice(amount_due, currency, &tenant.nwc_url)
+                .nwc_pay_invoice(
-                .await
+                    invoice_id,
+                    &tenant.pubkey,
+                    amount_due,
+                    currency,
+                    &plain_nwc_url,
+                )
+                .await?
             {
-                Ok(()) => {
+                NwcInvoicePaymentOutcome::Paid => {
-                    self.stripe_pay_invoice_out_of_band(invoice_id).await?;
+                    self.mark_invoice_paid_out_of_band_after_nwc(invoice_id, &tenant.pubkey)
-                    self.command.clear_tenant_nwc_error(&tenant.pubkey).await?;
+                        .await?;
                     return Ok(());
                 }
-                Err(e) => {
+                NwcInvoicePaymentOutcome::Fallback(e) => {
                     let error_msg = format!("{e}");
                     self.command
                         .set_tenant_nwc_error(&tenant.pubkey, &error_msg)
                         .await?;
+                    tracing::warn!(
+                        error = %e,
+                        tenant_pubkey = %tenant.pubkey,
+                        stripe_customer_id,
+                        invoice_id,
+                        "nwc auto-payment failed for invoice.created"
+                    );
+                    nwc_error_for_dm = summarize_nwc_error_for_dm(&error_msg);
                     // Fall through to next option
                 }
+                NwcInvoicePaymentOutcome::Pending(e) => {
+                    let error_msg = format!("{e}");
+                    self.command
+                        .set_tenant_nwc_error(&tenant.pubkey, &error_msg)
+                        .await?;
+                    tracing::error!(
+                        error = %e,
+                        tenant_pubkey = %tenant.pubkey,
+                        stripe_customer_id,
+                        invoice_id,
+                        "nwc auto-payment requires reconciliation before retry"
+                    );
+                    return Err(e);
+                }
             }
         }
 
@@ -390,12 +479,8 @@ impl Billing {
         }
 
         // 3. Manual payment: send a DM
-        self.robot
+        let dm_message = manual_lightning_payment_dm(nwc_error_for_dm.as_deref());
-            .send_dm(
+        self.robot.send_dm(&tenant.pubkey, &dm_message).await?;
-                &tenant.pubkey,
-                "Payment is due for your relay subscription. Please visit the application to complete a manual Lightning payment.",
-            )
-            .await?;
 
         Ok(())
     }
@@ -635,14 +720,60 @@ impl Billing {
         Ok((invoice, tenant))
     }
 
+    pub async fn reconcile_manual_lightning_invoice(
+        &self,
+        invoice_id: &str,
+        invoice: &serde_json::Value,
+    ) -> std::result::Result<serde_json::Value, InvoiceLookupError> {
+        self.reconcile_manual_lightning_invoice_if_settled(invoice_id, invoice)
+            .await
+    }
+
+    pub async fn get_or_create_manual_lightning_bolt11(
+        &self,
+        invoice_id: &str,
+        tenant_pubkey: &str,
+        amount_due_minor: i64,
+        currency: &str,
+    ) -> Result<String> {
+        if let Some(existing_bolt11) = self
+            .query
+            .get_invoice_manual_lightning_bolt11(invoice_id)
+            .await?
+        {
+            return Ok(existing_bolt11);
+        }
+
+        let bolt11 = self.create_bolt11(amount_due_minor, currency).await?;
+
+        if self
+            .command
+            .insert_manual_lightning_invoice_payment(invoice_id, tenant_pubkey, &bolt11)
+            .await?
+        {
+            return Ok(bolt11);
+        }
+
+        self.query
+            .get_invoice_manual_lightning_bolt11(invoice_id)
+            .await?
+            .ok_or_else(|| {
+                anyhow!(
+                    "manual lightning payment row missing after insert race for invoice {invoice_id}"
+                )
+            })
+    }
+
     pub async fn stripe_create_customer(&self, tenant_pubkey: &str) -> Result<String> {
         let short_pubkey: String = tenant_pubkey.chars().take(12).collect();
         let display_name = format!("Caravel tenant {short_pubkey}");
+        let idempotency_key = self.idempotency_key(&["create_customer", tenant_pubkey]);
 
         let resp = self
             .http
             .post(format!("{STRIPE_API}/customers"))
             .bearer_auth(&self.stripe_secret_key)
+            .header("Idempotency-Key", idempotency_key)
             .form(&[
                 ("name", display_name.as_str()),
                 ("metadata[tenant_pubkey]", tenant_pubkey),
@@ -727,6 +858,8 @@ impl Billing {
             return Ok(());
         }
 
+        let plain_nwc_url = crate::cipher::decrypt(&tenant.nwc_url)?;
+
         let invoices = self
             .stripe_list_invoices(&tenant.stripe_customer_id)
             .await?;
@@ -743,21 +876,28 @@ impl Billing {
             }
 
             match self
-                .nwc_pay_invoice(amount_due, currency, &tenant.nwc_url)
+                .nwc_pay_invoice(
-                .await
+                    invoice_id,
+                    &tenant.pubkey,
+                    amount_due,
+                    currency,
+                    &plain_nwc_url,
+                )
+                .await?
             {
-                Ok(()) => {
+                NwcInvoicePaymentOutcome::Paid => {
-                    if let Err(e) = self.stripe_pay_invoice_out_of_band(invoice_id).await {
+                    if let Err(e) = self
+                        .mark_invoice_paid_out_of_band_after_nwc(invoice_id, &tenant.pubkey)
+                        .await
+                    {
                         tracing::error!(
                             error = %e,
                             invoice_id,
                             "failed to mark invoice paid out of band"
                         );
-                    } else {
-                        let _ = self.command.clear_tenant_nwc_error(&tenant.pubkey).await;
                     }
                 }
-                Err(e) => {
+                NwcInvoicePaymentOutcome::Fallback(e) => {
                     let error_msg = format!("{e}");
                     tracing::error!(
                         error = %e,
@@ -769,6 +909,18 @@ impl Billing {
                         .set_tenant_nwc_error(&tenant.pubkey, &error_msg)
                         .await;
                 }
+                NwcInvoicePaymentOutcome::Pending(e) => {
+                    let error_msg = format!("{e}");
+                    tracing::error!(
+                        error = %e,
+                        invoice_id,
+                        "outstanding invoice requires NWC reconciliation before retry"
+                    );
+                    let _ = self
+                        .command
+                        .set_tenant_nwc_error(&tenant.pubkey, &error_msg)
+                        .await;
+                }
             }
         }
 
@@ -829,15 +981,30 @@ impl Billing {
 
     // --- Stripe API helpers ---
 
+    fn idempotency_key(&self, parts: &[&str]) -> String {
+        let mut mac = HmacSha256::new_from_slice(self.stripe_secret_key.as_bytes())
+            .expect("HMAC accepts any key length");
+        for (i, part) in parts.iter().enumerate() {
+            if i > 0 {
+                mac.update(b":");
+            }
+            mac.update(part.as_bytes());
+        }
+        hex::encode(mac.finalize().into_bytes())
+    }
+
     async fn stripe_create_subscription(
         &self,
         customer_id: &str,
         price_id: &str,
     ) -> Result<(String, String)> {
+        let idempotency_key =
+            self.idempotency_key(&["create_subscription", customer_id, price_id]);
         let resp = self
             .http
             .post(format!("{STRIPE_API}/subscriptions"))
             .bearer_auth(&self.stripe_secret_key)
+            .header("Idempotency-Key", idempotency_key)
             .form(&[
                 ("customer", customer_id),
                 ("collection_method", "charge_automatically"),
@@ -864,10 +1031,13 @@ impl Billing {
         subscription_id: &str,
         price_id: &str,
     ) -> Result<String> {
+        let idempotency_key =
+            self.idempotency_key(&["create_subscription_item", subscription_id, price_id]);
         let resp = self
             .http
             .post(format!("{STRIPE_API}/subscription_items"))
             .bearer_auth(&self.stripe_secret_key)
+            .header("Idempotency-Key", idempotency_key)
             .form(&[("subscription", subscription_id), ("price", price_id)])
             .send()
             .await?;
@@ -886,10 +1056,13 @@ impl Billing {
         item_id: &str,
         price_id: &str,
     ) -> Result<String> {
+        let idempotency_key =
+            self.idempotency_key(&["update_subscription_item", item_id, price_id]);
         let resp = self
             .http
             .post(format!("{STRIPE_API}/subscription_items/{item_id}"))
             .bearer_auth(&self.stripe_secret_key)
+            .header("Idempotency-Key", idempotency_key)
             .form(&[("price", price_id)])
             .send()
             .await?;
@@ -926,9 +1099,11 @@ impl Billing {
     }
 
     async fn stripe_pay_invoice(&self, invoice_id: &str) -> Result<()> {
+        let idempotency_key = self.idempotency_key(&["pay_invoice", invoice_id]);
         self.http
             .post(format!("{STRIPE_API}/invoices/{invoice_id}/pay"))
             .bearer_auth(&self.stripe_secret_key)
+            .header("Idempotency-Key", idempotency_key)
             .send()
             .await?
             .error_for_status()?;
@@ -968,9 +1143,11 @@ impl Billing {
     }
 
     async fn stripe_pay_invoice_out_of_band(&self, invoice_id: &str) -> Result<()> {
+        let idempotency_key = self.idempotency_key(&["pay_invoice_oob", invoice_id]);
         self.http
             .post(format!("{STRIPE_API}/invoices/{invoice_id}/pay"))
             .bearer_auth(&self.stripe_secret_key)
+            .header("Idempotency-Key", idempotency_key)
             .form(&[("paid_out_of_band", "true")])
             .send()
             .await?
@@ -999,19 +1176,113 @@ impl Billing {
 
     // --- NWC helpers ---
 
+    async fn mark_invoice_paid_out_of_band_after_nwc(
+        &self,
+        invoice_id: &str,
+        tenant_pubkey: &str,
+    ) -> Result<()> {
+        self.stripe_pay_invoice_out_of_band(invoice_id).await?;
+        self.command.clear_tenant_nwc_error(tenant_pubkey).await?;
+        Ok(())
+    }
+
+    async fn reconcile_manual_lightning_invoice_if_settled(
+        &self,
+        invoice_id: &str,
+        invoice: &serde_json::Value,
+    ) -> std::result::Result<serde_json::Value, InvoiceLookupError> {
+        if invoice["status"].as_str().unwrap_or_default() != "open" {
+            return Ok(invoice.clone());
+        }
+
+        let Some(bolt11) = self
+            .query
+            .get_invoice_manual_lightning_bolt11(invoice_id)
+            .await?
+        else {
+            return Ok(invoice.clone());
+        };
+
+        let settled = match self.is_manual_lightning_invoice_settled(&bolt11).await {
+            Ok(settled) => settled,
+            Err(error) => {
+                tracing::warn!(
+                    error = %error,
+                    invoice_id,
+                    "failed to lookup manual lightning invoice settlement"
+                );
+                return Ok(invoice.clone());
+            }
+        };
+
+        if !settled {
+            return Ok(invoice.clone());
+        }
+
+        if let Err(error) = self.stripe_pay_invoice_out_of_band(invoice_id).await {
+            tracing::warn!(
+                error = %error,
+                invoice_id,
+                "failed to mark settled manual lightning invoice as paid_out_of_band"
+            );
+        }
+
+        self.stripe_get_invoice(invoice_id).await
+    }
+
+    async fn is_manual_lightning_invoice_settled(&self, bolt11: &str) -> Result<bool> {
+        let system_uri = Self::parse_nwc_uri(&self.nwc_url, "system")?;
+        let system_nwc = NWC::new(system_uri);
+
+        let lookup_req = LookupInvoiceRequest {
+            payment_hash: None,
+            invoice: Some(bolt11.to_string()),
+        };
+
+        let lookup_result = system_nwc.lookup_invoice(lookup_req).await;
+        system_nwc.shutdown().await;
+
+        let lookup_response =
+            lookup_result.map_err(|error| anyhow!("failed to lookup invoice: {error}"))?;
+
+        Ok(Self::lookup_invoice_response_is_settled(&lookup_response))
+    }
+
+    fn lookup_invoice_response_is_settled(response: &LookupInvoiceResponse) -> bool {
+        response.state == Some(TransactionState::Settled) || response.settled_at.is_some()
+    }
+
+    fn parse_nwc_uri(nwc_url: &str, role: &str) -> Result<NostrWalletConnectURI> {
+        nwc_url
+            .parse::<NostrWalletConnectURI>()
+            .map_err(|_| anyhow!("invalid {role} NWC URL"))
+    }
+
     async fn nwc_pay_invoice(
         &self,
+        invoice_id: &str,
+        tenant_pubkey: &str,
         amount_due_minor: i64,
         currency: &str,
         tenant_nwc_url: &str,
-    ) -> Result<()> {
+    ) -> Result<NwcInvoicePaymentOutcome> {
-        let amount_msats = self.fiat_minor_to_msats(amount_due_minor, currency).await?;
+        if let Some(existing_outcome) = self
+            .existing_invoice_nwc_payment_outcome(invoice_id)
+            .await?
+        {
+            return Ok(existing_outcome);
+        }
+
+        let amount_msats = match self.fiat_minor_to_msats(amount_due_minor, currency).await {
+            Ok(amount_msats) => amount_msats,
+            Err(error) => return Ok(NwcInvoicePaymentOutcome::Fallback(error)),
+        };
 
         // Create a bolt11 invoice using the system wallet (self.nwc_url)
-        let system_uri: NostrWalletConnectURI = self
+        let system_uri = match Self::parse_nwc_uri(&self.nwc_url, "system") {
-            .nwc_url
+            Ok(system_uri) => system_uri,
-            .parse()
+            Err(error) => return Ok(NwcInvoicePaymentOutcome::Fallback(error)),
-            .map_err(|_| anyhow!("invalid system NWC URL"))?;
+        };
         let system_nwc = NWC::new(system_uri);
 
         let make_req = MakeInvoiceRequest {
@@ -1021,29 +1292,61 @@ impl Billing {
             expiry: None,
         };
 
-        let invoice_response = system_nwc
+        let invoice_response = system_nwc.make_invoice(make_req).await;
-            .make_invoice(make_req)
+
-            .await
+        let invoice_response = match invoice_response {
-            .map_err(|e| anyhow!("failed to create invoice: {e}"))?;
+            Ok(invoice_response) => invoice_response,
+            Err(error) => {
+                system_nwc.shutdown().await;
+                return Ok(NwcInvoicePaymentOutcome::Fallback(anyhow!(
+                    "failed to create invoice: {error}"
+                )));
+            }
+        };
 
         system_nwc.shutdown().await;
 
         // Pay the bolt11 invoice using the tenant's wallet
-        let tenant_uri: NostrWalletConnectURI = tenant_nwc_url
+        let tenant_uri = match Self::parse_nwc_uri(tenant_nwc_url, "tenant") {
-            .parse()
+            Ok(tenant_uri) => tenant_uri,
-            .map_err(|_| anyhow!("invalid tenant NWC URL"))?;
+            Err(error) => return Ok(NwcInvoicePaymentOutcome::Fallback(error)),
+        };
+
+        if !self
+            .command
+            .insert_pending_invoice_nwc_payment(invoice_id, tenant_pubkey)
+            .await?
+        {
+            if let Some(existing_outcome) = self
+                .existing_invoice_nwc_payment_outcome(invoice_id)
+                .await?
+            {
+                return Ok(existing_outcome);
+            }
+            return Err(anyhow!(
+                "invoice_nwc_payment row missing after insert race for invoice {invoice_id}"
+            ));
+        }
+
         let tenant_nwc = NWC::new(tenant_uri);
 
         let pay_req = NwcPayInvoiceRequest::new(invoice_response.invoice);
 
-        tenant_nwc
+        let pay_result = tenant_nwc.pay_invoice(pay_req).await;
-            .pay_invoice(pay_req)
-            .await
-            .map_err(|e| anyhow!("failed to pay invoice: {e}"))?;
 
         tenant_nwc.shutdown().await;
 
-        Ok(())
+        match pay_result {
+            Ok(_) => match self.command.mark_invoice_nwc_payment_paid(invoice_id).await {
+                Ok(()) => Ok(NwcInvoicePaymentOutcome::Paid),
+                Err(error) => Ok(NwcInvoicePaymentOutcome::Pending(anyhow!(
+                    "invoice {invoice_id} was charged over NWC but failed to persist paid state: {error}"
+                ))),
+            },
+            Err(error) => Ok(NwcInvoicePaymentOutcome::Pending(anyhow!(
+                "invoice {invoice_id} NWC payment attempt requires reconciliation: {error}"
+            ))),
+        }
     }
 
     async fn fiat_minor_to_msats(&self, amount_due_minor: i64, currency: &str) -> Result<u64> {
@@ -1057,7 +1360,7 @@ impl Billing {
     }
 
     async fn fetch_btc_spot_price(&self, currency: &str) -> Result<f64> {
-        fetch_btc_spot_price_from_base(&self.http, &self.btc_quote_api_base, currency).await
+        fetch_btc_spot_price_from_base(&self.http, COINBASE_SPOT_API, currency).await
     }
 
     fn currency_minor_exponent(currency: &str) -> Result<u8> {
@@ -1101,6 +1404,31 @@ pub async fn fetch_btc_spot_price_from_base(
     Ok(amount)
 }
 
+fn summarize_nwc_error_for_dm(error: &str) -> Option<String> {
+    let normalized = error.split_whitespace().collect::<Vec<_>>().join(" ");
+    if normalized.is_empty() {
+        return None;
+    }
+
+    if normalized.chars().count() <= NWC_ERROR_DM_MAX_CHARS {
+        return Some(normalized);
+    }
+
+    let prefix_len = NWC_ERROR_DM_MAX_CHARS.saturating_sub(3);
+    let mut truncated = normalized.chars().take(prefix_len).collect::<String>();
+    truncated.push_str("...");
+    Some(truncated)
+}
+
+fn manual_lightning_payment_dm(nwc_error: Option<&str>) -> String {
+    match nwc_error {
+        Some(error) if !error.is_empty() => {
+            format!("{MANUAL_LIGHTNING_PAYMENT_DM}\n\n{NWC_ERROR_DM_PREFIX} {error}")
+        }
+        _ => MANUAL_LIGHTNING_PAYMENT_DM.to_string(),
+    }
+}
+
 pub fn fiat_minor_to_msats_from_quote(
     amount_due_minor: i64,
     currency: &str,
@@ -1398,4 +1726,5 @@ mod tests {
         assert_eq!(billing.stripe_secret_key, "sk_test_dummy");
         assert_eq!(billing.stripe_webhook_secret, "whsec_test_dummy");
     }
+
 }

backend/src/cipher.rs

@@ -0,0 +1,28 @@
+use anyhow::{Result, anyhow};
+use nostr_sdk::prelude::*;
+
+pub fn encrypt(plaintext: &str) -> Result<String> {
+    let keys = load_key()?;
+    nip44::encrypt(
+        keys.secret_key(),
+        &keys.public_key(),
+        plaintext,
+        nip44::Version::V2,
+    )
+    .map_err(|e| anyhow!("encryption failed: {e}"))
+}
+
+pub fn decrypt(ciphertext: &str) -> Result<String> {
+    let keys = load_key()?;
+    nip44::decrypt(keys.secret_key(), &keys.public_key(), ciphertext)
+        .map_err(|e| anyhow!("decryption failed: {e}"))
+}
+
+fn load_key() -> Result<Keys> {
+    let secret = std::env::var("ENCRYPTION_SECRET")
+        .map_err(|_| anyhow!("missing ENCRYPTION_SECRET environment variable"))?;
+    if secret.trim().is_empty() {
+        return Err(anyhow!("ENCRYPTION_SECRET is empty"));
+    }
+    Keys::parse(&secret).map_err(|e| anyhow!("invalid ENCRYPTION_SECRET: {e}"))
+}

backend/src/command.rs

@@ -113,12 +113,12 @@ impl Command {
 
         sqlx::query(
             "INSERT INTO relay (
-                id, tenant, schema, subdomain, plan, status, sync_error,
+                id, tenant, schema, subdomain, plan, status, synced, sync_error,
                 info_name, info_icon, info_description,
                 policy_public_join, policy_strip_signatures,
                 groups_enabled, management_enabled, blossom_enabled,
                 livekit_enabled, push_enabled
-            ) VALUES (?, ?, ?, ?, ?, 'active', ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
+            ) VALUES (?, ?, ?, ?, ?, 'active', 0, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
         )
         .bind(&relay.id)
         .bind(&relay.tenant)
@@ -151,7 +151,7 @@ impl Command {
 
         sqlx::query(
             "UPDATE relay
-             SET tenant = ?, schema = ?, subdomain = ?, plan = ?, status = ?, sync_error = ?,
+             SET tenant = ?, schema = ?, subdomain = ?, plan = ?, status = ?, sync_error = ?, synced = 0,
                  info_name = ?, info_icon = ?, info_description = ?,
                  policy_public_join = ?, policy_strip_signatures = ?,
                  groups_enabled = ?, management_enabled = ?, blossom_enabled = ?,
@@ -203,7 +203,7 @@ impl Command {
     ) -> Result<()> {
         let mut tx = self.pool.begin().await?;
 
-        sqlx::query("UPDATE relay SET status = ? WHERE id = ?")
+        sqlx::query("UPDATE relay SET status = ?, synced = 0 WHERE id = ?")
             .bind(status)
             .bind(relay_id)
             .execute(&mut *tx)
@@ -224,7 +224,7 @@ impl Command {
     pub async fn fail_relay_sync(&self, relay: &Relay, sync_error: String) -> Result<()> {
         let mut tx = self.pool.begin().await?;
 
-        sqlx::query("UPDATE relay SET sync_error = ? WHERE id = ?")
+        sqlx::query("UPDATE relay SET synced = 0, sync_error = ? WHERE id = ?")
             .bind(&sync_error)
             .bind(&relay.id)
             .execute(&mut *tx)
@@ -313,6 +313,70 @@ impl Command {
         Ok(())
     }
 
+    pub async fn insert_pending_invoice_nwc_payment(
+        &self,
+        invoice_id: &str,
+        tenant_pubkey: &str,
+    ) -> Result<bool> {
+        let now = chrono::Utc::now().timestamp();
+        let result = sqlx::query(
+            "INSERT INTO invoice_nwc_payment (invoice_id, tenant_pubkey, state, created_at, updated_at)
+             VALUES (?, ?, 'pending', ?, ?)
+             ON CONFLICT(invoice_id) DO NOTHING",
+        )
+        .bind(invoice_id)
+        .bind(tenant_pubkey)
+        .bind(now)
+        .bind(now)
+        .execute(&self.pool)
+        .await?;
+
+        Ok(result.rows_affected() > 0)
+    }
+
+    pub async fn mark_invoice_nwc_payment_paid(&self, invoice_id: &str) -> Result<()> {
+        let now = chrono::Utc::now().timestamp();
+        let result = sqlx::query(
+            "UPDATE invoice_nwc_payment
+             SET state = 'paid', updated_at = ?
+             WHERE invoice_id = ?",
+        )
+        .bind(now)
+        .bind(invoice_id)
+        .execute(&self.pool)
+        .await?;
+
+        if result.rows_affected() == 0 {
+            anyhow::bail!("invoice_nwc_payment row missing for invoice_id: {invoice_id}");
+        }
+
+        Ok(())
+    }
+
+    pub async fn insert_manual_lightning_invoice_payment(
+        &self,
+        invoice_id: &str,
+        tenant_pubkey: &str,
+        bolt11: &str,
+    ) -> Result<bool> {
+        let now = chrono::Utc::now().timestamp();
+        let result = sqlx::query(
+            "INSERT INTO invoice_manual_lightning_payment
+             (invoice_id, tenant_pubkey, bolt11, created_at, updated_at)
+             VALUES (?, ?, ?, ?, ?)
+             ON CONFLICT(invoice_id) DO NOTHING",
+        )
+        .bind(invoice_id)
+        .bind(tenant_pubkey)
+        .bind(bolt11)
+        .bind(now)
+        .bind(now)
+        .execute(&self.pool)
+        .await?;
+
+        Ok(result.rows_affected() > 0)
+    }
+
     pub async fn set_tenant_past_due(&self, pubkey: &str) -> Result<()> {
         let now = chrono::Utc::now().timestamp();
         sqlx::query("UPDATE tenant SET past_due_at = ? WHERE pubkey = ?")

backend/src/infra.rs

@@ -53,8 +53,8 @@ impl Infra {
     pub async fn start(self) {
         let mut rx = self.command.notify.subscribe();
 
-        if let Err(e) = self.schedule_startup_retries().await {
+        if let Err(error) = self.reconcile_relay_state("startup").await {
-            tracing::error!(error = %e, "failed to schedule relay sync retries on startup");
+            tracing::error!(error = %error, "failed to reconcile relay state on startup");
         }
 
         loop {
@@ -66,6 +66,10 @@ impl Infra {
                 }
                 Err(tokio::sync::broadcast::error::RecvError::Lagged(n)) => {
                     tracing::warn!(missed = n, "infra lagged");
+
+                    if let Err(error) = self.reconcile_relay_state("lagged").await {
+                        tracing::error!(error = %error, "failed to reconcile relay state after lag");
+                    }
                 }
                 Err(tokio::sync::broadcast::error::RecvError::Closed) => break,
             }
@@ -89,17 +93,28 @@ impl Infra {
             return Ok(());
         };
 
-        let is_new = relay.synced == 0;
+        let is_new = self.relay_sync_is_new(&relay).await?;
         self.sync_and_report(&relay, is_new).await;
 
         Ok(())
     }
 
-    async fn schedule_startup_retries(&self) -> Result<()> {
+    async fn reconcile_relay_state(&self, source: &str) -> Result<()> {
-        let relays = self.query.list_relays_with_sync_error().await?;
+        let relays = self.query.list_relays_pending_sync().await?;
+
+        if relays.is_empty() {
+            return Ok(());
+        }
+
+        tracing::info!(source, relay_count = relays.len(), "reconciling pending relay state");
 
         for relay in relays {
-            self.schedule_relay_sync_retry(&relay.id, "startup").await?;
+            if relay.sync_error.trim().is_empty() {
+                let is_new = self.relay_sync_is_new(&relay).await?;
+                self.sync_and_report(&relay, is_new).await;
+            } else {
+                self.schedule_relay_sync_retry(&relay.id, source).await?;
+            }
         }
 
         Ok(())
@@ -151,11 +166,20 @@ impl Infra {
             return Ok(());
         }
 
-        let is_new = relay.synced == 0;
+        let is_new = self.relay_sync_is_new(&relay).await?;
         self.sync_and_report(&relay, is_new).await;
         Ok(())
     }
 
+    async fn relay_sync_is_new(&self, relay: &Relay) -> Result<bool> {
+        if relay.synced == 1 {
+            return Ok(false);
+        }
+
+        let has_completed_sync = self.query.relay_has_completed_sync(&relay.id).await?;
+        Ok(!has_completed_sync)
+    }
+
     async fn sync_and_report(&self, relay: &Relay, is_new: bool) {
         match self.sync_relay(relay, is_new).await {
             Ok(()) => {

backend/src/lib.rs

@@ -1,5 +1,6 @@
 pub mod api;
 pub mod billing;
+pub mod cipher;
 pub mod command;
 pub mod infra;
 pub mod models;

backend/src/main.rs

@@ -1,5 +1,6 @@
 mod api;
 mod billing;
+mod cipher;
 mod command;
 mod infra;
 mod models;

backend/src/query.rs

@@ -94,7 +94,7 @@ impl Query {
         Ok(rows)
     }
 
-    pub async fn list_relays_with_sync_error(&self) -> Result<Vec<Relay>> {
+    pub async fn list_relays_pending_sync(&self) -> Result<Vec<Relay>> {
         let rows = sqlx::query_as::<_, Relay>(
             "SELECT id, tenant, schema, subdomain, plan, stripe_subscription_item_id,
                      status, sync_error,
@@ -103,7 +103,7 @@ impl Query {
                      groups_enabled, management_enabled, blossom_enabled,
                      livekit_enabled, push_enabled, synced
               FROM relay
-              WHERE TRIM(sync_error) != ''
+              WHERE synced = 0 OR TRIM(sync_error) != ''
               ORDER BY id",
         )
         .fetch_all(&self.pool)
@@ -161,6 +161,29 @@ impl Query {
         Ok(row)
     }
 
+    pub async fn get_invoice_nwc_payment_state(&self, invoice_id: &str) -> Result<Option<String>> {
+        let state = sqlx::query_scalar::<_, String>(
+            "SELECT state FROM invoice_nwc_payment WHERE invoice_id = ?",
+        )
+        .bind(invoice_id)
+        .fetch_optional(&self.pool)
+        .await?;
+        Ok(state)
+    }
+
+    pub async fn get_invoice_manual_lightning_bolt11(
+        &self,
+        invoice_id: &str,
+    ) -> Result<Option<String>> {
+        let bolt11 = sqlx::query_scalar::<_, String>(
+            "SELECT bolt11 FROM invoice_manual_lightning_payment WHERE invoice_id = ?",
+        )
+        .bind(invoice_id)
+        .fetch_optional(&self.pool)
+        .await?;
+        Ok(bolt11)
+    }
+
     pub async fn has_active_paid_relays(&self, tenant_id: &str) -> Result<bool> {
         let plans = sqlx::query_scalar::<_, String>(
             "SELECT plan FROM relay WHERE tenant = ? AND status = 'active'",
@@ -184,4 +207,20 @@ impl Query {
         .await?;
         Ok(rows)
     }
+
+    pub async fn relay_has_completed_sync(&self, relay_id: &str) -> Result<bool> {
+        let found = sqlx::query_scalar::<_, i64>(
+            "SELECT 1
+             FROM activity
+             WHERE resource_type = 'relay'
+               AND resource_id = ?
+               AND activity_type = 'complete_relay_sync'
+             LIMIT 1",
+        )
+        .bind(relay_id)
+        .fetch_optional(&self.pool)
+        .await?;
+
+        Ok(found.is_some())
+    }
 }

frontend/src/lib/useRelayToggles.ts

@@ -1,5 +1,5 @@
 import { createSignal } from "solid-js"
-import { updateRelayById, deactivateRelayById, reactivateRelayById, getLatestOpenInvoice, type Relay } from "@/lib/hooks"
+import { updateRelayById, deactivateRelayById, reactivateRelayById, getLatestOpenInvoice, tenantNeedsPaymentSetup, type Relay } from "@/lib/hooks"
 import { setToastMessage } from "@/components/Toast"
 import type { Invoice, PlanId } from "@/lib/api"
 
@@ -31,6 +31,7 @@ export default function useRelayToggles(
 ) {
   const [busy, setBusy] = createSignal(false)
   const [pendingInvoice, setPendingInvoice] = createSignal<Invoice | undefined>()
+  const [pendingPaymentSetup, setPendingPaymentSetup] = createSignal(false)
 
   async function updateRelay(next: Relay, previous: Relay) {
     mutate(next)
@@ -101,8 +102,12 @@ export default function useRelayToggles(
     }
 
     if (plan !== "free") {
-      const invoice = await getLatestOpenInvoice()
+      const needsSetup = await tenantNeedsPaymentSetup()
-      if (invoice) setPendingInvoice(invoice)
+      if (needsSetup) {
+        const invoice = await getLatestOpenInvoice()
+        if (invoice) setPendingInvoice(invoice)
+        setPendingPaymentSetup(true)
+      }
     }
   }
 
@@ -116,5 +121,5 @@ export default function useRelayToggles(
     onToggleLivekitSupport: () => toggle("livekit_enabled", relay()?.plan !== "free"),
   }
 
-  return { busy, handleDeactivate, handleReactivate, handleUpdatePlan, pendingInvoice, clearPendingInvoice: () => setPendingInvoice(undefined), toggles }
+  return { busy, handleDeactivate, handleReactivate, handleUpdatePlan, pendingInvoice, clearPendingInvoice: () => setPendingInvoice(undefined), pendingPaymentSetup, clearPendingPaymentSetup: () => setPendingPaymentSetup(false), toggles }
 }

frontend/src/pages/relays/RelayDetail.tsx

@@ -1,5 +1,5 @@
 import { useParams } from "@solidjs/router"
-import { createMemo, createResource, createSignal, Show } from "solid-js"
+import { createEffect, createMemo, createResource, createSignal, Show } from "solid-js"
 import BackLink from "@/components/BackLink"
 import PageContainer from "@/components/PageContainer"
 import PaymentDialog from "@/components/PaymentDialog"
@@ -28,13 +28,20 @@ export default function RelayDetail() {
   })
   const loading = useMinLoading(() => relay.loading && !relay())
   const [activity] = useRelayActivity(relayId)
-  const { busy, handleDeactivate, handleReactivate, handleUpdatePlan, pendingInvoice, clearPendingInvoice, toggles } = useRelayToggles(relayId, relay, { refetch, mutate })
+  const { busy, handleDeactivate, handleReactivate, handleUpdatePlan, pendingInvoice, clearPendingInvoice, pendingPaymentSetup, clearPendingPaymentSetup, toggles } = useRelayToggles(relayId, relay, { refetch, mutate })
 
   const [tenant, { refetch: refetchTenant }] = useTenant()
   const [paymentSetupOpen, setPaymentSetupOpen] = createSignal(false)
   const [invoiceDialogOpen, setInvoiceDialogOpen] = createSignal(false)
   const [paymentBannerDismissed, setPaymentBannerDismissed] = createSignal(false)
 
+  createEffect(() => {
+    if (pendingPaymentSetup() && !pendingInvoice()) {
+      setPaymentSetupOpen(true)
+      clearPendingPaymentSetup()
+    }
+  })
+
   const isPaidRelay = createMemo(() => {
     const r = relay()
     if (!r) return false

frontend/src/pages/relays/RelayNew.tsx

@@ -3,13 +3,15 @@ import { useNavigate } from "@solidjs/router"
 import BackLink from "@/components/BackLink"
 import PageContainer from "@/components/PageContainer"
 import PaymentDialog from "@/components/PaymentDialog"
+import PaymentSetup from "@/components/PaymentSetup"
 import RelayForm, { type RelayFormValues } from "@/components/RelayForm"
-import { createRelayForActiveTenant, getLatestOpenInvoice } from "@/lib/hooks"
+import { createRelayForActiveTenant, getLatestOpenInvoice, tenantNeedsPaymentSetup } from "@/lib/hooks"
 import type { Invoice } from "@/lib/api"
 
 export default function RelayNew() {
   const navigate = useNavigate()
   const [pendingInvoice, setPendingInvoice] = createSignal<Invoice | undefined>()
+  const [paymentSetupOpen, setPaymentSetupOpen] = createSignal(false)
   let createdRelayId = ""
 
   async function handleSubmit(values: RelayFormValues) {
@@ -17,9 +19,14 @@ export default function RelayNew() {
     createdRelayId = relay.id
 
     if (values.plan !== "free") {
-      const invoice = await getLatestOpenInvoice()
+      const needsSetup = await tenantNeedsPaymentSetup()
-      if (invoice) {
+      if (needsSetup) {
-        setPendingInvoice(invoice)
+        const invoice = await getLatestOpenInvoice()
+        if (invoice) {
+          setPendingInvoice(invoice)
+          return
+        }
+        setPaymentSetupOpen(true)
         return
       }
     }
@@ -27,8 +34,13 @@ export default function RelayNew() {
     navigate(`/relays/${relay.id}`)
   }
 
-  function handleDialogClose() {
+  function handleInvoiceClose() {
     setPendingInvoice(undefined)
+    setPaymentSetupOpen(true)
+  }
+
+  function handleSetupClose() {
+    setPaymentSetupOpen(false)
     navigate(`/relays/${createdRelayId}`)
   }
 
@@ -47,10 +59,14 @@ export default function RelayNew() {
           <PaymentDialog
             invoice={inv()}
             open={true}
-            onClose={handleDialogClose}
+            onClose={handleInvoiceClose}
           />
         )}
       </Show>
+      <PaymentSetup
+        open={paymentSetupOpen()}
+        onClose={handleSetupClose}
+      />
     </PageContainer>
   )
 }

justfile

@@ -5,6 +5,9 @@ dev:
   cd frontend && bun dev &
   wait
 
+dev-backend:
+  cd backend && onchange src -ik -- bash -c 'RUST_LOG=backend=info cargo run'
+
 dev-frontend:
   cd frontend && bun run dev
 
@@ -27,7 +30,7 @@ build-backend:
   cd backend && cargo build
 
 build-frontend:
-  cd frontend && bun run build
+  cd frontend && bun i && bun run build
 
 fmt: fmt-backend