Skip to content

feat: cashu config + escrow mode — Cashu foundation CF-1#796

Open
grunch wants to merge 1 commit into
mainfrom
feat/cashu-cf1-config
Open

feat: cashu config + escrow mode — Cashu foundation CF-1#796
grunch wants to merge 1 commit into
mainfrom
feat/cashu-cf1-config

Conversation

@grunch

@grunch grunch commented Jul 1, 2026

Copy link
Copy Markdown
Member

Summary

CF-1 of the Cashu foundation (docs/cashu/01-fundamentals.md §6). Introduces Cashu configuration and escrow-mode resolution, wired to nothing at runtime — only config validation reads it.

  • CashuSettings (src/config/types.rs): { enabled, mint_url, escrow_locktime_days }, all #[serde(default)]; escrow_locktime_days defaults to 15 (the Track A §4B seller-recovery locktime floor). EscrowMode { Lightning, Cashu } enum (locked decision §4.1: one mode per node, never per-order).
  • Settings.cashu: Option<CashuSettings> + panic-free accessors get_cashu() / is_cashu_enabled() / escrow_mode(), mirroring the anti_abuse_bond pattern (get_bond).
  • Startup validation (validate_cashu_settings, standalone & unit-testable):
    • cashu.enabled && anti_abuse_bond.enabled → hard config error (locked decision §4.5, bonds ⊕ cashu).
    • When enabled: mint_url must parse as http/https; escrow_locktime_days >= 1.
  • settings.tpl.toml: commented [cashu] block. Wizard: emits cashu: None (no interactive prompt added — the spec marks it optional; can follow up if maintainers want it).

Backwards-compat guarantee (CF-1 merge gate)

[cashu] absent ⇒ get_cashu() == Noneis_cashu_enabled() == falseescrow_mode() == Lightning. A config that does not mention Cashu validates and boots exactly as before — covered by toml_omits_block. The only touch to existing tests is mechanical: test-helper Settings literals gain cashu: None (compile fallout of the new field; no assertion changed).

Test plan

  • cargo fmt --all
  • cargo clippy --all-targets --all-features -- -D warnings
  • cargo test — 515 passed (503 pre-existing + 12 new: serde defaults ×5, validation ×7 incl. mutual-exclusion, scheme, and zero-locktime rejections)

Independent of CF-0 (#795); both are Wave-0/1 of the CF-0…CF-5 series. CF-4 (DB helpers) next.

Summary by CodeRabbit

  • New Features

    • Added optional Cashu escrow configuration, including support for choosing Cashu or Lightning escrow mode.
    • Added settings for enabling the mode, specifying a mint URL, and setting an escrow locktime minimum.
  • Bug Fixes

    • Added validation to prevent incompatible escrow modes from being enabled together.
    • Improved configuration checks for invalid or unsupported mint URLs and missing locktime values.
  • Tests

    • Expanded test coverage for Cashu configuration parsing and validation.
    • Updated test setup defaults to include the new optional configuration field.

Cashu foundation CF-1 (docs/cashu/01-fundamentals.md, section 6):

- CashuSettings { enabled, mint_url, escrow_locktime_days (default 15) }
  with serde defaults, mirroring anti_abuse_bond; EscrowMode enum.
- Settings.cashu: Option<CashuSettings> (#[serde(default)]) plus
  panic-free accessors get_cashu / is_cashu_enabled / escrow_mode.
- Startup validation (validate_cashu_settings, unit-testable): rejects
  cashu+bonds together (locked decision 4.5); when enabled requires an
  http/https mint_url and escrow_locktime_days >= 1.
- Commented [cashu] block in settings.tpl.toml; wizard emits cashu: None.

Wired to nothing at runtime: only config validation reads it. A config
without [cashu] parses and boots exactly as before (covered by the
toml_omits_block test). Test-helper Settings literals gain cashu: None
(mechanical compile fallout of the new field).

515 tests pass (503 pre-existing + 12 new).
@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Walkthrough

This PR adds an opt-in Cashu escrow configuration to the Mostro settings system. It introduces CashuSettings and EscrowMode types, wires an optional cashu field into Settings with accessor methods, adds startup validation (mutual exclusivity with anti_abuse_bond, URL scheme checks, locktime floor), documents the new TOML section, and updates test fixtures.

Changes

Cashu Escrow Configuration

Layer / File(s) Summary
Type definitions
src/config/types.rs
Adds CashuSettings struct (enabled, mint_url, escrow_locktime_days) with serde defaults and Default impl, plus EscrowMode enum (Lightning, Cashu) and related tests.
Settings wiring and accessors
src/config/settings.rs
Adds optional cashu: Option<CashuSettings> field to Settings and new methods get_cashu(), is_cashu_enabled(), escrow_mode().
Startup validation
src/config/util.rs
Adds validate_cashu_settings enforcing mutual exclusivity with anti_abuse_bond, mint URL scheme validation, and minimum escrow_locktime_days, wired into validate_mostro_settings with new tests.
Docs and test fixtures
settings.tpl.toml, src/app/context.rs, src/app/dev_fee.rs, src/app/rate_user.rs, src/config/wizard.rs, src/lightning/mod.rs
Documents the new [cashu] TOML block and adds cashu: None to test/wizard Settings constructions.

Estimated code review effort: 2 (Simple) | ~15 minutes

Sequence Diagram(s)

sequenceDiagram
    participant Startup as Mostro Startup
    participant Settings as Settings
    participant Validator as validate_mostro_settings
    participant CashuValidator as validate_cashu_settings

    Startup->>Settings: load configuration (TOML)
    Settings->>Settings: parse [cashu] block into CashuSettings
    Startup->>Validator: validate_mostro_settings()
    Validator->>CashuValidator: validate_cashu_settings(cashu, bond_enabled)
    CashuValidator->>CashuValidator: check mutual exclusivity with anti_abuse_bond
    CashuValidator->>CashuValidator: validate mint_url scheme (http/https)
    CashuValidator->>CashuValidator: check escrow_locktime_days >= 1
    CashuValidator-->>Validator: Ok or startup error
    Validator-->>Startup: Ok(()) or fatal error
Loading

Possibly related PRs

  • MostroP2P/mostro#712: Shares mutual-exclusivity validation logic tied to anti_abuse_bond.enabled.
  • MostroP2P/mostro#758: Introduces the same [cashu]/EscrowMode/Settings/validate_cashu_settings foundation.
  • MostroP2P/mostro#765: Relies on the is_cashu_enabled() accessor and cashu settings added here for its escrow flow branching.

Suggested reviewers: ermeme

Poem

A rabbit hops through config files small,
Adding cashu tokens, escrow for all,
With mutual exclusion and URLs checked twice,
Locktime floors set, oh so precise! 🐇
Hop, hop, hooray — the settings compile nice!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding Cashu config and escrow-mode support for CF-1.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/cashu-cf1-config

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@grunch

grunch commented Jul 2, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@grunch

grunch commented Jul 2, 2026

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Swish!

Reviewed commit: 835f2f2386

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
src/config/settings.rs (1)

137-164: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Re-export CashuSettings and EscrowMode from crate::config. src/config/mod.rs exposes other settings types, but these two are still only reachable through crate::config::types, which makes the new Cashu API awkward for external callers.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/config/settings.rs` around lines 137 - 164, `CashuSettings` and
`EscrowMode` are still only available through `crate::config::types`, which
makes the new Cashu API harder to use externally. Update `src/config/mod.rs` to
re-export these types alongside the other settings exports so callers can access
them directly from `crate::config`, and keep the new `Settings::get_cashu`,
`is_cashu_enabled`, and `escrow_mode` APIs aligned with those public re-exports.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@settings.tpl.toml`:
- Around line 206-217: Update the Cashu configuration comment block to reflect
that it is config-only/validation-only at runtime, not an active escrow
execution path. In the [cashu] section comments, adjust the wording around “runs
WITHOUT LND and escrows trades” so it clearly states the node only validates
Cashu-related settings for now; keep the rest of the guidance in that block
aligned with the current behavior of cashu-enabled configuration handling.

---

Nitpick comments:
In `@src/config/settings.rs`:
- Around line 137-164: `CashuSettings` and `EscrowMode` are still only available
through `crate::config::types`, which makes the new Cashu API harder to use
externally. Update `src/config/mod.rs` to re-export these types alongside the
other settings exports so callers can access them directly from `crate::config`,
and keep the new `Settings::get_cashu`, `is_cashu_enabled`, and `escrow_mode`
APIs aligned with those public re-exports.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6b2d6359-5af8-4f07-a414-471c0c5b7503

📥 Commits

Reviewing files that changed from the base of the PR and between 53e0086 and 835f2f2.

📒 Files selected for processing (9)
  • settings.tpl.toml
  • src/app/context.rs
  • src/app/dev_fee.rs
  • src/app/rate_user.rs
  • src/config/settings.rs
  • src/config/types.rs
  • src/config/util.rs
  • src/config/wizard.rs
  • src/lightning/mod.rs

Comment thread settings.tpl.toml
Comment on lines +206 to +217
# Cashu escrow mode (docs/cashu/). Opt-in, disabled by default. When enabled
# the node runs WITHOUT LND and escrows trades in NUT-11 2-of-3 Cashu tokens
# on the single mint configured below. Mutually exclusive with
# [anti_abuse_bond] — enabling both is a startup error.
#
# [cashu]
# enabled = false
# # The one mint this node escrows on (http/https). Required when enabled.
# mint_url = "https://mint.example.com"
# # Seller-recovery locktime floor in days: escrow tokens must carry
# # locktime >= now + this. Sellers may set a longer locktime, never shorter.
# escrow_locktime_days = 15

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Clarify that Cashu is config-only for now.

The block says the node “runs WITHOUT LND and escrows trades,” but the PR context says Cashu is still validation-only at runtime. That wording will mislead operators.

📝 Suggested wording
-# Cashu escrow mode (docs/cashu/). Opt-in, disabled by default. When enabled
-# the node runs WITHOUT LND and escrows trades in NUT-11 2-of-3 Cashu tokens
-# on the single mint configured below. Mutually exclusive with
-# [anti_abuse_bond] — enabling both is a startup error.
+# Cashu escrow mode (docs/cashu/). Opt-in, disabled by default. The block is
+# currently validation-only; runtime wiring is pending. Mutually exclusive with
+# [anti_abuse_bond] — enabling both is a startup error.

Based on PR summary: runtime behavior is still validation-only.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Cashu escrow mode (docs/cashu/). Opt-in, disabled by default. When enabled
# the node runs WITHOUT LND and escrows trades in NUT-11 2-of-3 Cashu tokens
# on the single mint configured below. Mutually exclusive with
# [anti_abuse_bond] — enabling both is a startup error.
#
# [cashu]
# enabled = false
# # The one mint this node escrows on (http/https). Required when enabled.
# mint_url = "https://mint.example.com"
# # Seller-recovery locktime floor in days: escrow tokens must carry
# # locktime >= now + this. Sellers may set a longer locktime, never shorter.
# escrow_locktime_days = 15
# Cashu escrow mode (docs/cashu/). Opt-in, disabled by default. The block is
# currently validation-only; runtime wiring is pending. Mutually exclusive with
# [anti_abuse_bond] — enabling both is a startup error.
#
# [cashu]
# enabled = false
# # The one mint this node escrows on (http/https). Required when enabled.
# mint_url = "https://mint.example.com"
# # Seller-recovery locktime floor in days: escrow tokens must carry
# # locktime >= now + this. Sellers may set a longer locktime, never shorter.
# escrow_locktime_days = 15
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@settings.tpl.toml` around lines 206 - 217, Update the Cashu configuration
comment block to reflect that it is config-only/validation-only at runtime, not
an active escrow execution path. In the [cashu] section comments, adjust the
wording around “runs WITHOUT LND and escrows trades” so it clearly states the
node only validates Cashu-related settings for now; keep the rest of the
guidance in that block aligned with the current behavior of cashu-enabled
configuration handling.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant