Skip to content

refactor: integrate paykit sdk#1040

Open
ben-kaufman wants to merge 16 commits into
masterfrom
codex/paykit-sdk-native-integration
Open

refactor: integrate paykit sdk#1040
ben-kaufman wants to merge 16 commits into
masterfrom
codex/paykit-sdk-native-integration

Conversation

@ben-kaufman

@ben-kaufman ben-kaufman commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

This PR:

  1. Replaces Bitkit's custom Paykit private/public payment plumbing with the native Paykit SDK.
  2. Moves Pubky profile, contact, public endpoint, private endpoint, and SDK backup state handling through SDK APIs.
  3. Keeps Bitkit responsible for wallet execution, payment-request mapping, contact attribution, endpoint rotation, and public fallback behavior.
  4. Pins Paykit to the published com.synonym:paykit-android:0.1.0-rc23 artifact.
  5. Adds hardening for auth approval capabilities, canceled Ring auth cleanup, profile label fallback, pending private drain retries, and best-effort profile delete/sign-out cleanup.

Description

  • Adds a Paykit SDK service wrapper for session bootstrap, Ring auth, profile/avatar publishing, contact records, public endpoint sync, private payment list sync, and SDK backup state import/export.
  • Refactors public and private Paykit repositories to resolve and publish payment endpoints through SDK APIs while preserving Bitkit's existing endpoint preference order and local payability checks.
  • Moves private contact link and recovery state into the SDK backup string, while keeping Bitkit-owned address reservations and payment attribution in app storage.
  • Updates Pubky profile/contact loading, profile edits, sign-out/delete cleanup, backup/restore, and wallet wipe flows for the SDK-backed state model.

Preview

N/A - SDK integration; no UI layout change.

QA Notes

Manual Tests

  • 1. Profile -> create/edit profile -> add contact by Pubky key: contact profile resolves and remains visible after app restart.
  • 2. Send -> Contact -> select contact -> complete payment: private Paykit is attempted first and public endpoints remain available as fallback when private capability is unavailable.
  • 3. Backup/restore -> restore a wallet with Pubky state -> open contacts/pay contact: SDK state restores and contact payment preparation works.
  • 4. Settings -> Payment Preference -> toggle public/private contact payments: endpoint publication state follows the selected preferences.
  • 5. Profile -> Sign Out / Delete Profile / Disconnect Profile: remote endpoint cleanup runs first, then local Pubky and SDK state clear on success.

Automated Checks

  • ./gradlew compileDevDebugKotlin passed.
  • ./gradlew testDevDebugUnitTest passed.
  • ./gradlew testDevDebugUnitTest --tests to.bitkit.repositories.PrivatePaykitRepoTest passed.
  • ./gradlew detekt passed.
  • git diff --check passed.

@ben-kaufman ben-kaufman marked this pull request as ready for review June 24, 2026 11:42
@greptile-apps

greptile-apps Bot commented Jun 24, 2026

Copy link
Copy Markdown

Greptile Summary

This PR replaces Bitkit's hand-rolled Paykit plumbing with the published com.synonym:paykit-android:0.1.0-rc21 SDK, removing ~2,200 lines of custom link/handshake/recovery state machine code and delegating session, profile, contact, private-payment-list, and backup-state management to native SDK APIs. Wallet execution logic, public-endpoint fallback, Ring/public-only handling, contact attribution, and receiving-detail rotation remain in Bitkit.

  • PaykitSdkService (713 lines, new): wraps PaykitSdk behind operationMutex, implements SdkStateBlobStore (CAS-style revision check against the keychain) and SdkPubkySessionProvider, exposes backup-state versioning via withStateRevisionTracking.
  • PrivatePaykitRepo / PubkyRepo: substantially slimmed by delegating link/handshake work to the SDK; contact profile overrides and paykitSdkBackupState replace the previous PrivatePaykitContactLinkBackupV1 map in wallet backups.
  • Backup migration: old privatePaykitContactLinks data is silently discarded when restoring pre-SDK backups; existing contact-link sessions are not migrated to the new SDK state format.

Confidence Score: 4/5

The core payment flow and session lifecycle look structurally sound; the main risks are edge cases in the new blocking-inside-synchronized SDK state store and empty contact names when the SDK returns a profile with no display data.

The architectural shift is large but well-scoped: the SDK takes over state management that was previously hand-coded, and the delegation boundary is clear. The new PaykitSdkStateBlobStore uses runBlocking(ioDispatcher) inside a synchronized block — not a deadlock under normal load but a thread-starvation risk under sustained IO pressure. PaykitSdkSessionProvider.clearSessionAccess() uses a bare runBlocking {} without a dispatcher, which could misbehave if called from an unusual thread context. The backup restore path for legacy (pre-SDK) backups silently swallows SDK state-clearing errors. The contact-name-empty edge case is a UI regression when the SDK's profile record lacks both displayName and decodable extraJson. None of these are showstoppers, but the blocking-coroutine nesting deserves attention before shipping to broad audiences.

PaykitSdkService.kt (the PaykitSdkStateBlobStore and PaykitSdkSessionProvider inner classes), BackupRepo.kt (legacy restore path around line 619), and PubkyRepo.kt (contactProfile method).

Important Files Changed

Filename Overview
app/src/main/java/to/bitkit/services/PaykitSdkService.kt New singleton service wrapping the Paykit SDK; mixes runBlocking inside a synchronized block (saveStateBlobAtomically) and has a bare runBlocking in PaykitSdkSessionProvider.clearSessionAccess().
app/src/main/java/to/bitkit/data/keychain/Keychain.kt Adds a new synchronous upsert(ByteArray) method using runBlocking(this.coroutineContext); consistent with the existing snapshot pattern but called from a synchronized block, risking thread starvation under IO saturation.
app/src/main/java/to/bitkit/repositories/PrivatePaykitRepo.kt Substantially trimmed by delegating link/handshake/recovery state to the SDK; backup snapshot now delegates to PaykitSdkService.exportBackupState(); logic looks correct.
app/src/main/java/to/bitkit/repositories/PubkyRepo.kt Delegates session/profile/contact operations to PaykitSdkService; introduces contactProfileOverrides in PubkyStore and snapshotContactProfileOverrides/restoreContactProfileOverrides for backup; contact name may be empty when paykitProfile has no displayName and no extraJson.
app/src/main/java/to/bitkit/repositories/BackupRepo.kt Backup listeners refactored to observeBackupChanges helper; wallet restore silently swallows SDK state-clearing errors for legacy backups (null paykitSdkBackupState).
app/src/main/java/to/bitkit/services/PubkyService.kt Thin wrapper now fully delegates to PaykitSdkService; straightforward and correct.
gradle/libs.versions.toml Bumps paykit-android from rc8 to rc21; no other dependency changes.
app/src/main/java/to/bitkit/models/BackupPayloads.kt Replaces PrivatePaykitContactLinkBackupV1 map with a single paykitSdkBackupState string and adds pubkyContactProfileOverrides; old backup fields removed with no migration path for existing contact-link data.
app/src/main/java/to/bitkit/models/PubkyProfile.kt Adapts to SDK PubkyProfile/PaykitProfile types; fromPaykitProfile may produce an empty contact name if displayName and extraJson are both absent.
app/src/main/java/to/bitkit/usecases/WipeWalletUseCase.kt Wipe sequence unchanged in substance; closeAndClear() now delegates SDK state clearing, then keychain.wipe() removes all persisted state.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant App as App/UI
    participant PPR as PrivatePaykitRepo
    participant SDK as PaykitSdkService
    participant PaykitSdk as PaykitSdk (native)
    participant Keychain as Keychain
    participant BR as BackupRepo

    App->>PPR: prepareSavedContacts(publicKeys)
    PPR->>SDK: ensureLinkWithPeer(counterparty)
    SDK->>PaykitSdk: ensureLinkWithPeer()
    PaykitSdk->>Keychain: saveStateBlobAtomically() [synchronized + runBlocking]
    SDK->>BR: backupStateVersion++ (via withStateRevisionTracking)

    PPR->>SDK: syncPrivatePaymentListsWithReservations(updates)
    SDK->>PaykitSdk: syncPrivatePaymentListsWithReservationsAndProcessOutbound()
    PaykitSdk->>Keychain: saveStateBlobAtomically()
    SDK->>BR: backupStateVersion++

    App->>PPR: beginSavedContactPayment(publicKey)
    PPR->>SDK: prepareAndResolveContactPayment(counterparty)
    SDK->>PaykitSdk: prepareAndResolveContactPayment()
    PaykitSdk-->>SDK: ContactPaymentResolution
    SDK-->>PPR: PaykitContactPaymentResolution
    PPR-->>App: PublicPaykitPaymentResult

    BR->>PPR: backupSnapshot()
    PPR->>SDK: exportBackupState()
    SDK->>PaykitSdk: exportBackupString()
    PaykitSdk-->>SDK: String (opaque blob)
    SDK-->>BR: paykitSdkBackupState
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant App as App/UI
    participant PPR as PrivatePaykitRepo
    participant SDK as PaykitSdkService
    participant PaykitSdk as PaykitSdk (native)
    participant Keychain as Keychain
    participant BR as BackupRepo

    App->>PPR: prepareSavedContacts(publicKeys)
    PPR->>SDK: ensureLinkWithPeer(counterparty)
    SDK->>PaykitSdk: ensureLinkWithPeer()
    PaykitSdk->>Keychain: saveStateBlobAtomically() [synchronized + runBlocking]
    SDK->>BR: backupStateVersion++ (via withStateRevisionTracking)

    PPR->>SDK: syncPrivatePaymentListsWithReservations(updates)
    SDK->>PaykitSdk: syncPrivatePaymentListsWithReservationsAndProcessOutbound()
    PaykitSdk->>Keychain: saveStateBlobAtomically()
    SDK->>BR: backupStateVersion++

    App->>PPR: beginSavedContactPayment(publicKey)
    PPR->>SDK: prepareAndResolveContactPayment(counterparty)
    SDK->>PaykitSdk: prepareAndResolveContactPayment()
    PaykitSdk-->>SDK: ContactPaymentResolution
    SDK-->>PPR: PaykitContactPaymentResolution
    PPR-->>App: PublicPaykitPaymentResult

    BR->>PPR: backupSnapshot()
    PPR->>SDK: exportBackupState()
    SDK->>PaykitSdk: exportBackupString()
    PaykitSdk-->>SDK: String (opaque blob)
    SDK-->>BR: paykitSdkBackupState
Loading

Comments Outside Diff (1)

  1. app/src/main/java/to/bitkit/repositories/BackupRepo.kt, line 619-628 (link)

    P2 SDK state-clear failure silently ignored during legacy backup restore

    When paykitSdkBackupState is null (restoring a backup created before this PR), privateRepo.restoreBackup(null) is called and any failure is only logged via onFailure { Logger.warn(...) } — execution continues regardless. Inside restoreBackup(null), paykitSdkService.clearState() deletes the PAYKIT_SDK_STATE keychain entry. If this deletion fails (e.g., keystore error), the stale SDK state persists while the rest of the wallet is restored from the new backup, leaving contact-link and session state out of sync with the freshly restored wallet. The successful path (paykitSdkBackupState != null) uses .getOrThrow() — the legacy path should follow the same convention or at least propagate the failure to surface the inconsistency.

Reviews (1): Last reviewed commit: "fix: preserve paykit cancellation" | Re-trigger Greptile

Comment on lines +614 to +631
override fun saveStateBlobAtomically(
blob: SdkStateBlob,
expectedRevision: String?,
): String = synchronized(lock) {
val currentRevision = keychain.load(Keychain.Key.PAYKIT_SDK_STATE.name)
?.let { decodeSdkStateBlobSnapshot(it).revision }
if (currentRevision != expectedRevision) {
throw PaykitException.Storage(
code = "revision_conflict",
context = "SDK state revision changed",
)
}

val nextRevision = UUID.randomUUID().toString()
val snapshot = SdkStateBlobSnapshot(blob = blob, revision = nextRevision)
keychain.upsert(Keychain.Key.PAYKIT_SDK_STATE.name, encodeSdkStateBlobSnapshot(snapshot))
nextRevision
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 runBlocking inside synchronized may exhaust IO threads

saveStateBlobAtomically holds synchronized(lock) while calling keychain.upsert(), which in turn calls runBlocking(this.coroutineContext) (IoDispatcher). Because the thread holding the JVM monitor is then blocked waiting for a second IoDispatcher thread to complete the DataStore write, you effectively need at least two free IO threads for every concurrent SDK state save. Kotlin's Dispatchers.IO is elastic (default ceiling 64), so in normal operation this is fine, but under IO saturation (many concurrent LDK or network operations) you risk thread starvation and a deadlock between all threads waiting on each other via runBlocking. The equivalent upsertString suspend function avoids this pattern entirely — the same approach (a suspend overload or a plain keychain.edit call shared with the existing upsertString implementation) would eliminate the blocking-inside-synchronized nesting.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree this is worth cleaning up. I will move the SDK blob write away from blocking DataStore work inside the monitor, or otherwise keep the synchronized section limited to revision checks.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 82bb55cf6. The SDK state store now uses a dedicated synchronous Keychain access path for SDK sync callbacks instead of calling the suspend Keychain APIs through the service coroutine context inside the store callback. The state blob transaction is still serialized because the SDK storage callback is synchronous and does the revision check/write as one boundary.

Comment thread app/src/main/java/to/bitkit/services/PaykitSdkService.kt
Comment thread app/src/main/java/to/bitkit/repositories/PubkyRepo.kt

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8202a59774

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

return try {
runSuspendCatching {
withContext(ioDispatcher) {
pubkyService.completeAuth()

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Clear the session when auth is canceled

When the Ring auth request completes after the user has already canceled or a newer attempt has replaced it, pubkyService.completeAuth() now activates and persists the Paykit session inside PaykitSdkService before this ensureAuthAttemptActive check runs. The failure path only restores the UI state, so the app can appear to have canceled auth while the new session remains in keychain and is restored on the next launch; clear the SDK/session if the attempt is no longer active after completion.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, will fix. If auth is canceled or superseded after completeAuth activates the SDK session, we should clear that session before restoring the UI state.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 82bb55cf6 and mirrored on iOS. If SDK auth completion already activated a session but the app flow was canceled or superseded, Bitkit clears that completed session before restoring UI state. Added PubkyRepoTest coverage on Android and PubkyProfileManagerTests coverage on iOS.

isSetup.await()
PubkySessionBootstrap().approveAuth(
authUrl = authUrl,
expectedCapabilities = requiredCapabilities(),

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Use the auth URL's requested capabilities

For Pubky auth approval links from other apps, the approval sheet parses and displays the caps from the incoming URL, but this call validates the request against Bitkit's own required capabilities instead. Any auth URL whose requested capabilities differ from Bitkit's namespace set (for example a pubky.app/paykit request) is approved with the wrong expectation and will fail validation; pass the capabilities from the parsed auth URL here instead of requiredCapabilities().

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree. This should use the capabilities from the incoming auth URL, and I will make the same fix on iOS for parity.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 82bb55cf6 and mirrored on iOS. Auth approval now parses the incoming auth URL through the SDK and passes that requested capabilities string into approval. Android also starts the sheet in Loading and reparses in confirmAuthorize if the user confirms before load finishes.

Comment thread app/src/main/java/to/bitkit/repositories/PrivatePaykitRepo.kt Outdated
@ben-kaufman

Copy link
Copy Markdown
Contributor Author

For the legacy backup migration note: this is intentional for this PR. The old private Paykit link backup format never shipped, so there is no production data to migrate. Treating it as if it never existed keeps the restore path simpler.

@ovitrif ovitrif left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left one inline comment.

val homegate = fetchHomegateSignupCode()

val session = runCatching {
runSuspendCatching {

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this path still needs to bump pubkyRepo.backupStateVersion after the sign-up/sign-in state is persisted. The SDK emits its own backup version here, but BackupRepo maps that to WALLET; the Pubky session snapshot is only included in METADATA when pubkyRepo.backupStateVersion changes. Without that, a newly created identity can back up SDK wallet state without backing up the Pubky session needed to restore it.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rechecked this one and no extra code change is needed. createIdentity already calls notifyBackupStateChanged() after sign-up/sign-in and profile state are persisted, so the metadata Pubky session snapshot is queued separately from the SDK wallet backup-state version. Restore paths notify too.

@piotr-iohk

Copy link
Copy Markdown
Collaborator

That is not necessarily due to this change, because I saw it on other PR also - however e2e tests here failed partially because of this. The failure is intermittent and most of the time tests pass after re-runs.

To reproduce:

  • create a profile.
  • delete profile
  • recreate profile

Result after hitting "Continue" on the following screen:
Screenshot 2026-06-25 at 14 03 04

Attaching logs from e2e run where this happened:
bitkit_2026-06-24_17-37-36.log
logcat.txt

@ovitrif ovitrif added this to the 2.5.0 milestone Jun 25, 2026

Copy link
Copy Markdown
Contributor Author

Fixed now in 041548681.

Root cause was Android public Paykit publishing only refreshed the reusable on-chain address if the cached address was already reserved/unavailable. In the delete profile -> recreate profile flow, Lightning receive could be unavailable and the cached reusable on-chain address could still be blank, so endpoint sync concluded there were no supported endpoints and showed the toast.

I changed public Paykit endpoint sync to ensure a reusable on-chain address exists before deciding there is no publishable endpoint, and added regression coverage for the blank-address case. Also merged latest master and resolved the version-catalog conflict by keeping bitkit-core 0.1.75 from master plus Paykit 0.1.0-rc21 from this PR.

Checked:

  • ./gradlew testDevDebugUnitTest --tests to.bitkit.repositories.PublicPaykitRepoTest --tests to.bitkit.repositories.WalletRepoTest
  • ./gradlew compileDevDebugKotlin
  • ./gradlew detekt
  • git diff --check

GitHub now reports the PR as mergeable.

@jvsena42 jvsena42 self-requested a review July 1, 2026 12:46
@jvsena42

jvsena42 commented Jul 1, 2026

Copy link
Copy Markdown
Member

⚠️ Ring sign-in crashes: there is no reactor running, must be called from the context of a Tokio 1.x runtime

Reproduced when tapping "Sign in with Pubky Ring":

Screen_recording_20260701_095809.webm
ERROR [PubkyChoiceViewModel.kt:101] Starting Ring auth failed
[AppError='there is no reactor running, must be called from the context of a Tokio 1.x runtime']

Call chain

PubkyChoiceViewModel.startRingAuth()
  → PubkyRepo.startAuthentication()          (PubkyRepo.kt:268)
    → PubkyService.startAuth()               (PubkyService.kt:88)
      → PaykitSdkService.startAuth()         (PaykitSdkService.kt:201)
        → PubkySessionBootstrap().startSignInAuth(...)   ← panics here

Root cause (SDK binding, not app code)

Decompiled paykit-android:0.1.0-rc21 to confirm:

  • startSignInAuth / startSignUpAuth / resumeAuth are exported as synchronous FFI calls (uniffiRustCallWithError). UniFFI does not enter a Tokio runtime around blocking calls.
  • The bootstrap functions we use elsewhere — signIn, signUp, importSession, complete, approveAuth — are suspend, driven through UniFFI's async scaffolding on the SDK's Tokio runtime, so a reactor is present.

The Rust impl of startSignInAuth needs a Tokio reactor (builds the relay/network client for the Ring flow), but because it's a blocking export it runs on our core-queue thread with no runtime entered → panic. Pure-crypto sync functions in the same SDK (derivePubkySecretKey, pubkyPublicKeyFromSecret, parsePubkyAuthUrl) work fine because they touch no reactor.

The Ring startSignInAuth API did not exist in rc8 — it's new in rc21.

No clean app-side fix

Kotlin can't enter a Tokio reactor for a blocking UniFFI call, and there is no suspend alternative for starting the flow (only sync startSignInAuth/startSignUpAuth/resumeAuth exist), so withContext(ioDispatcher) / ServiceQueue.CORE don't help.

Fix belongs in paykit-rs: export the start-auth bootstrap functions as async, or have the Rust side enter/hold a runtime (Handle::enter()) inside them. Also worth checking whether a newer paykit-android rc already makes these async before pinning.

@jvsena42 jvsena42 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@piotr-iohk

Copy link
Copy Markdown
Collaborator

Manual regression — Paykit / contact payments

Environment: regtest, staging
Pair tested: Android (pubkyraoz…) ↔ iOS (pubkytrb4ja…)
Logs attached:
ios: bitkit_logs_2026-07-01_13-20-03.zip
android: logs.zip


Test setup

Device Platform Profile (pubky) LN node ID
A Android pubkyraozwuopbt5pa3e8ki4kqeec8rmw7giruqicw53zehk3uef71agy 02f2dc5c…
B iOS pubkytrb4ja4aorm19xsiouw5hmq6ecfp1xprbdkh8x9jqe9edmrwtz1o 021714b0…

Session 1 — fresh profiles (smoke)

Test Android iOS
Create Pubky profile
Paykit session / identity
Add contact (scan pubky)
Open LN channel (Blocktank)
On-chain send ✅ (9a042478…)
LN send to/from contact
Activity sync
Incoming activity shows “Received from [contact]”
RestoreReplayError in logs Not seen Not seen

Session 1 looked good for basic contact + payment flows cross-platform.

Private Paykit in session 1: Incoming activity showing “Received from [contact]” indicates the receive path worked — that label is only set when the payment matches a private Paykit invoice/address (not a generic public profile invoice). There are no private Paykit link errors in session 1 logs on either platform. Send-side logs showing Handling decoded scan data: OnChain(…?lightning=lnbcrt1…) do not by themselves prove public vs private; that is how the send flow represents the payment request.


Session 2 — profile delete, re-create, re-add contacts, second delete blocked

Step Android iOS
Delete profile (1st) ✅ ~12:23 ✅ ~12:22 (Deleted all contacts, keychain cleared)
Re-create profile (same pubky key) ✅ 409 → sign-in retry ✅ 409 → sign-in retry
Re-add contact ✅ ~12:26
Contact LN send A → B
Contact LN send B → A
Incoming activity shows “Received from [contact]”
Private Paykit link (no RestoreReplayError)
Delete profile again (2nd attempt) ❌ ~13:17–13:18 ❌ ~13:17 UTC
2nd delete error “Private Paykit is not available.” “Private Paykit is not available.”

Delete profile:

Screen.Recording.2026-07-01.at.15.18.17.mov

Regression — private Paykit broken after profile reset

Session 1: Private Paykit appears to work (receive-side “Received from contact” + no link errors).
Session 2: After deleting/re-creating profiles (same pubky keys) and re-adding contacts, contact LN sends still succeed but private Paykit does not recover. Incoming activity no longer shows “Received from [contact]” — consistent with payments hitting public endpoints instead of private ones. Public fallback is by design (includePublicEndpoints = true); no in-app warning is expected for payments.

Later in the same session, a second profile delete also failed on both platforms — private Paykit cleanup runs before delete and throws PrivateUnavailable, blocking sign-out entirely.

Private Paykit errors (identical on both platforms)

Every private Paykit attempt (prepare, channel usable / refresh, foreground, contact payment) logs:

Failed to prepare private Paykit link for '<contact>'
  → RestoreReplayError: pubky-noise handshake restore failed

Failed to queue private Paykit endpoints …
  → Encrypted Link recovery is required for counterparty <pubky-id>

Deferred private Paykit endpoint publish / Private Paykit is not available

First failures appear immediately after profile re-create (~12:23 iOS, ~12:26 Android on contact re-add).

Contact payments fall back to public

Payments use a public BIP21 unified invoice from the contact’s published profile — not an encrypted private payment list:

  • Shared public address in logs: bcrt1q2h4c7ghs2lj3glrm77mxdae3w2r5h6f3ph258l?lightning=lnbcrt1…
  • Android (AppViewModel): Handling decoded scan data: OnChain(… params={lightning=lnbcrt1…})PaymentSuccessful
  • iOS (LightningService / SendConfirmationView): Paying bolt11: lnbcrt1…Lightning payment successful

Second profile delete blocked

Profile delete runs private Paykit endpoint cleanup first. With private Paykit already broken, cleanup throws PrivateUnavailable and delete aborts before homeserver sign-out.

Android (EditProfileViewModelPrivatePaykitRepo.removePublishedEndpointsForCleanup):

Failed to remove private Paykit endpoints during 'EditProfileViewModel'
  [PrivateUnavailable='Private Paykit is not available']

iOS (PubkyProfileManager.deleteProfileremovePrivatePaykitEndpoints):

Failed to remove private Paykit endpoints before clearing session: privateUnavailable
ERROR Failed to delete profile: privateUnavailable - EditProfileView

Profile reset sequence (both sides)

  1. Profile delete → contacts removed, PAYKIT_SESSION / PAYKIT_SDK_STATE cleared
  2. Re-create → homeserver returns 409 User already exists → app signs in with existing key (same pubky identity)
  3. Public Paykit endpoints sync; no successful private encrypted-link handshake in logs
  4. After re-adding contact, RestoreReplayError persists through contact payments
  5. Second delete attempt fails — user stuck unless disconnect/retry workaround is used

Likely cause: local Paykit SDK state is wiped on delete/re-create, but encrypted-link handshake state is inconsistent across peers. SDK reports recovery is required; the app logs warnings, skips private publish, and resolves contact payments via public endpoints (intentional fallback).

Useful grep patterns: RestoreReplayError, Encrypted Link recovery, PrivateUnavailable, Failed to delete profile, Handling decoded scan data: OnChain


Verdict

Scope Result
Session 1 — fresh profiles: contacts, on-chain + LN, private receive (“Received from contact”) ✅ Pass (smoke)
Session 2 — profile reset: contact payments work (public fallback) ✅ By design
Session 2 — private Paykit restored; “Received from contact” on receive Regression
Session 2 — second profile delete blocked (PrivateUnavailable) Regression

Not approving on “private contact payments survive profile delete/re-add.” Session 1 private Paykit looks fine; session 2 regresses on private Paykit recovery and blocks a second profile delete.

@ben-kaufman

ben-kaufman commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Fixed in 82bb55cf6 on Android and 51b7c2ce on iOS.

Main thing is we now use Paykit v0.1.0-rc23, which includes the SDK fix for the stale recovery-required encrypted-link state after deleting/recreating a profile. It also fixes the Ring startSignInAuth Tokio runtime crash, so Android is pinned to rc23 now too.

I also fixed the related app-side edges:

  • sign out/delete no longer get blocked if private cleanup is temporarily unavailable
  • pending private drain retries now keep all queued peers instead of replacing older ones
  • auth approval uses the capabilities from the actual auth URL
  • if Ring auth completes but the app flow is canceled/superseded, we clear that session
  • blank SDK profile names fall back to the saved contact label

Public fallback while private recovery/link work is unavailable is still intentional so contact payments can still complete. Ring is still public-only for now; this fixes the crash path, not full Ring private payments support.

@ben-kaufman ben-kaufman requested a review from jvsena42 July 2, 2026 08:11
updates = preparation.updates,
clearUnlistedLinkedPeers = false,
)
val firstError = preparation.firstError ?: applyPrivatePaymentListDeliveryReport(report, reason)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

applyPrivatePaymentListDeliveryReport(report, reason) is skipped for the whole batch whenever any single contact fails to prepare endpoints.

val firstError = preparation.firstError ?: applyPrivatePaymentListDeliveryReport(report, reason) short-circuits: when preparation.firstError != null, the report is never applied. The early return at line 489 only fires when preparation.updates.isEmpty(), so a partial-failure batch (one contact with empty endpoints -> firstError = PrivateUnavailable, another contact succeeds -> updates non-empty) still runs the sync at line 496 and delivers the successful contact's endpoints.

Trigger: refreshKnownSavedContactEndpoints publishes for all known contacts at once, so one un-publishable contact (e.g. Lightning can't receive and on-chain disabled) suppresses report application for every contact in the batch. The successful contacts then never get hasPublishedPrivatePaymentList=true, report.cleared cache cleanup, updateDeletedContactCleanupPending(pk, false), the failedToQueue/failedToDeliver warnings, or persistState(markWalletBackup=true), so publish state isn't persisted and the wallet backup version isn't bumped.

Fix: evaluate the report unconditionally, e.g. val deliveryError = applyPrivatePaymentListDeliveryReport(report, reason) then val firstError = preparation.firstError ?: deliveryError.

@ben-kaufman ben-kaufman Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 14dd28d1a. The delivery report is applied before choosing the first error now, so partial publishes still update cache/cleanup state and bump backup state. Added PrivatePaykitRepoTest coverage for a mixed batch.


private suspend fun persistState(
markWalletBackup: Boolean = false,
preserveCleanupMarkers: Boolean = true,
) {
stateStore.persistState(markWalletBackup, ::notifyBackupStateChanged, preserveCleanupMarkers)
val currentState = state ?: PrivatePaykitState()
val stored = cacheStore.data.first()

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

persistState reads the cleanup markers from a snapshot taken outside the cacheStore.update {} transform, dropping the atomicity the previous PrivatePaykitStateStore.persistState had and allowing concurrently-set markers to be lost.

Line 1064 reads val stored = cacheStore.data.first(), then the cacheStore.update { ... } at 1065 ignores its transform input and writes cleanupPending/deletedContactCleanupPendingPublicKeys computed from that pre-read stored. All repo methods run on serializedDispatcher = ioDispatcher.limitedParallelism(1), which serializes CPU work but still lets coroutines interleave at suspension points.

Trigger: coroutine A calls updateContactSharingCleanupPending(true) (which correctly mutates via it.copy(...)) while coroutine B is inside persistState between its data.first() (1064) and its update {} (1065). B writes from the stale stored and overwrites A's marker back to false, silently dropping it (same for deletedContactCleanupPendingPublicKeys). Those markers drive removePublishedEndpoints for removed/disabled contacts, so losing them can leave private payment endpoints published for contacts the user removed.

Fix: read the marker values from the transform's own input instead of the pre-read stored, e.g. cacheStore.update { current -> currentState.cacheState(cleanupPending = if (preserveCleanupMarkers) current.cleanupPending else false, ...) }, and drop the separate data.first() read.

@ben-kaufman ben-kaufman Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 14dd28d1a. persistState now preserves cleanup markers from the cacheStore.update {} input instead of a pre-read snapshot, so concurrent marker updates cannot be overwritten. Added coverage for preserving cleanup markers while saving publication state.

privatePaykitRepo.removePublishedEndpointsForCleanup(TAG)
val result = pubkyRepo.signOut()
if (result.isSuccess) {
privatePaykitRepo.closeAndClear()

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

privatePaykitRepo.closeAndClear() runs only in the result.isSuccess branch, but pubkyRepo.signOut() clears the pubky session state unconditionally (it force-signs-out and clears the _publicKey/_profile StateFlows even on failure, returning Result.failure only when both signOut() and forceSignOut() throw).

Trigger: the rare double-failure path where both server and local sign-out throw. The pubky session is already cleared, but closeAndClear() is skipped and no SignedOut effect is emitted, so the private-Paykit local state (cached contacts, address reservations, and the on-disk PAYKIT_SDK_STATE blob via paykitSdkService.clearState()) is left intact and inconsistent with the now-empty session. This is a regression from the pre-PR code, which called closeAndClear() unconditionally before signOut(). EditProfileViewModel.disconnectProfile (EditProfileViewModel.kt:233) has the identical pattern with the same signOut() call.

Fix: clear the local Paykit state whenever pubkyRepo.signOut() has cleared the session (move closeAndClear() out of the isSuccess guard) while still surfacing the error toast on failure. Apply the same to disconnectProfile.

@ben-kaufman ben-kaufman Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 14dd28d1a in both sign-out paths. closeAndClear() now runs after pubkyRepo.signOut() regardless of success, while still showing the error toast if sign-out reports a failure. Added tests for ProfileViewModel and EditProfileViewModel.

contactProfile(record.publicKey, record.label, record.profile, overrides)
}.onFailure {
Logger.warn("Failed to load contact '$contactKey'", it, context = TAG)
Logger.warn("Failed to load contact '${record.publicKey}'", it, context = TAG)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Full unredacted pubky public keys (the user's and their contacts') are written to the app log here and at several sibling sites, while the rest of the codebase (including PrivatePaykitRepo touched in this same PR) routes keys through PubkyPublicKeyFormat.redacted().

Line 685 logs Failed to load contact '${record.publicKey}'. Related sites: 615 (deleteAllContacts), 718, 741, 772, 783, 799 (fallback/add/update/remove/import), 1048 (resolveContactProfile retry), plus the info-level '$pk' auth log at 318. The Paykit SDK deliberately renders keys/labels as <redacted> in its own Debug impls, and app logs are routinely adb-exported per the debugging workflow, so this discloses the user's identity and their full contact social graph.

Fix: wrap these values with PubkyPublicKeyFormat.redacted(...) as PrivatePaykitRepo already does, e.g. Logger.warn("Failed to load contact '${PubkyPublicKeyFormat.redacted(record.publicKey)}'", it, context = TAG).

@ben-kaufman ben-kaufman Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 14dd28d1a. PubkyRepo now redacts pubky keys in auth/contact/profile logs using PubkyPublicKeyFormat.redacted(...). I also covered the sibling key-bearing log sites, not only this one.

@piotr-iohk

Copy link
Copy Markdown
Collaborator

@ben-kaufman is pubky-ring option disabled?
Gating_no_profile_pubky_profile_1_-_Contactsprofile_entry_points_lead_to_choice_screen-2026-07-02T10-13-40-607Z

@ben-kaufman

Copy link
Copy Markdown
Contributor Author

@piotr-iohk Added it back for now, but we will likely remove it, still waiting for final decision on that...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants