feat: cashu config + escrow mode — Cashu foundation CF-1#796
Conversation
Cashu foundation CF-1 (docs/cashu/01-fundamentals.md, section 6):
- CashuSettings { enabled, mint_url, escrow_locktime_days (default 15) }
with serde defaults, mirroring anti_abuse_bond; EscrowMode enum.
- Settings.cashu: Option<CashuSettings> (#[serde(default)]) plus
panic-free accessors get_cashu / is_cashu_enabled / escrow_mode.
- Startup validation (validate_cashu_settings, unit-testable): rejects
cashu+bonds together (locked decision 4.5); when enabled requires an
http/https mint_url and escrow_locktime_days >= 1.
- Commented [cashu] block in settings.tpl.toml; wizard emits cashu: None.
Wired to nothing at runtime: only config validation reads it. A config
without [cashu] parses and boots exactly as before (covered by the
toml_omits_block test). Test-helper Settings literals gain cashu: None
(mechanical compile fallout of the new field).
515 tests pass (503 pre-existing + 12 new).
WalkthroughThis PR adds an opt-in Cashu escrow configuration to the Mostro settings system. It introduces ChangesCashu Escrow Configuration
Estimated code review effort: 2 (Simple) | ~15 minutes Sequence Diagram(s)sequenceDiagram
participant Startup as Mostro Startup
participant Settings as Settings
participant Validator as validate_mostro_settings
participant CashuValidator as validate_cashu_settings
Startup->>Settings: load configuration (TOML)
Settings->>Settings: parse [cashu] block into CashuSettings
Startup->>Validator: validate_mostro_settings()
Validator->>CashuValidator: validate_cashu_settings(cashu, bond_enabled)
CashuValidator->>CashuValidator: check mutual exclusivity with anti_abuse_bond
CashuValidator->>CashuValidator: validate mint_url scheme (http/https)
CashuValidator->>CashuValidator: check escrow_locktime_days >= 1
CashuValidator-->>Validator: Ok or startup error
Validator-->>Startup: Ok(()) or fatal error
Possibly related PRs
Suggested reviewers: Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
@coderabbitai review |
✅ Action performedReview finished.
|
|
@codex review |
|
Codex Review: Didn't find any major issues. Swish! Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
src/config/settings.rs (1)
137-164: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winRe-export
CashuSettingsandEscrowModefromcrate::config.src/config/mod.rsexposes other settings types, but these two are still only reachable throughcrate::config::types, which makes the new Cashu API awkward for external callers.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/config/settings.rs` around lines 137 - 164, `CashuSettings` and `EscrowMode` are still only available through `crate::config::types`, which makes the new Cashu API harder to use externally. Update `src/config/mod.rs` to re-export these types alongside the other settings exports so callers can access them directly from `crate::config`, and keep the new `Settings::get_cashu`, `is_cashu_enabled`, and `escrow_mode` APIs aligned with those public re-exports.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@settings.tpl.toml`:
- Around line 206-217: Update the Cashu configuration comment block to reflect
that it is config-only/validation-only at runtime, not an active escrow
execution path. In the [cashu] section comments, adjust the wording around “runs
WITHOUT LND and escrows trades” so it clearly states the node only validates
Cashu-related settings for now; keep the rest of the guidance in that block
aligned with the current behavior of cashu-enabled configuration handling.
---
Nitpick comments:
In `@src/config/settings.rs`:
- Around line 137-164: `CashuSettings` and `EscrowMode` are still only available
through `crate::config::types`, which makes the new Cashu API harder to use
externally. Update `src/config/mod.rs` to re-export these types alongside the
other settings exports so callers can access them directly from `crate::config`,
and keep the new `Settings::get_cashu`, `is_cashu_enabled`, and `escrow_mode`
APIs aligned with those public re-exports.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 6b2d6359-5af8-4f07-a414-471c0c5b7503
📒 Files selected for processing (9)
settings.tpl.tomlsrc/app/context.rssrc/app/dev_fee.rssrc/app/rate_user.rssrc/config/settings.rssrc/config/types.rssrc/config/util.rssrc/config/wizard.rssrc/lightning/mod.rs
| # Cashu escrow mode (docs/cashu/). Opt-in, disabled by default. When enabled | ||
| # the node runs WITHOUT LND and escrows trades in NUT-11 2-of-3 Cashu tokens | ||
| # on the single mint configured below. Mutually exclusive with | ||
| # [anti_abuse_bond] — enabling both is a startup error. | ||
| # | ||
| # [cashu] | ||
| # enabled = false | ||
| # # The one mint this node escrows on (http/https). Required when enabled. | ||
| # mint_url = "https://mint.example.com" | ||
| # # Seller-recovery locktime floor in days: escrow tokens must carry | ||
| # # locktime >= now + this. Sellers may set a longer locktime, never shorter. | ||
| # escrow_locktime_days = 15 |
There was a problem hiding this comment.
📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win
Clarify that Cashu is config-only for now.
The block says the node “runs WITHOUT LND and escrows trades,” but the PR context says Cashu is still validation-only at runtime. That wording will mislead operators.
📝 Suggested wording
-# Cashu escrow mode (docs/cashu/). Opt-in, disabled by default. When enabled
-# the node runs WITHOUT LND and escrows trades in NUT-11 2-of-3 Cashu tokens
-# on the single mint configured below. Mutually exclusive with
-# [anti_abuse_bond] — enabling both is a startup error.
+# Cashu escrow mode (docs/cashu/). Opt-in, disabled by default. The block is
+# currently validation-only; runtime wiring is pending. Mutually exclusive with
+# [anti_abuse_bond] — enabling both is a startup error.Based on PR summary: runtime behavior is still validation-only.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # Cashu escrow mode (docs/cashu/). Opt-in, disabled by default. When enabled | |
| # the node runs WITHOUT LND and escrows trades in NUT-11 2-of-3 Cashu tokens | |
| # on the single mint configured below. Mutually exclusive with | |
| # [anti_abuse_bond] — enabling both is a startup error. | |
| # | |
| # [cashu] | |
| # enabled = false | |
| # # The one mint this node escrows on (http/https). Required when enabled. | |
| # mint_url = "https://mint.example.com" | |
| # # Seller-recovery locktime floor in days: escrow tokens must carry | |
| # # locktime >= now + this. Sellers may set a longer locktime, never shorter. | |
| # escrow_locktime_days = 15 | |
| # Cashu escrow mode (docs/cashu/). Opt-in, disabled by default. The block is | |
| # currently validation-only; runtime wiring is pending. Mutually exclusive with | |
| # [anti_abuse_bond] — enabling both is a startup error. | |
| # | |
| # [cashu] | |
| # enabled = false | |
| # # The one mint this node escrows on (http/https). Required when enabled. | |
| # mint_url = "https://mint.example.com" | |
| # # Seller-recovery locktime floor in days: escrow tokens must carry | |
| # # locktime >= now + this. Sellers may set a longer locktime, never shorter. | |
| # escrow_locktime_days = 15 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@settings.tpl.toml` around lines 206 - 217, Update the Cashu configuration
comment block to reflect that it is config-only/validation-only at runtime, not
an active escrow execution path. In the [cashu] section comments, adjust the
wording around “runs WITHOUT LND and escrows trades” so it clearly states the
node only validates Cashu-related settings for now; keep the rest of the
guidance in that block aligned with the current behavior of cashu-enabled
configuration handling.
Summary
CF-1 of the Cashu foundation (
docs/cashu/01-fundamentals.md§6). Introduces Cashu configuration and escrow-mode resolution, wired to nothing at runtime — only config validation reads it.CashuSettings(src/config/types.rs):{ enabled, mint_url, escrow_locktime_days }, all#[serde(default)];escrow_locktime_daysdefaults to 15 (the Track A §4B seller-recovery locktime floor).EscrowMode { Lightning, Cashu }enum (locked decision §4.1: one mode per node, never per-order).Settings.cashu: Option<CashuSettings>+ panic-free accessorsget_cashu()/is_cashu_enabled()/escrow_mode(), mirroring theanti_abuse_bondpattern (get_bond).validate_cashu_settings, standalone & unit-testable):cashu.enabled && anti_abuse_bond.enabled→ hard config error (locked decision §4.5, bonds ⊕ cashu).mint_urlmust parse ashttp/https;escrow_locktime_days >= 1.settings.tpl.toml: commented[cashu]block. Wizard: emitscashu: None(no interactive prompt added — the spec marks it optional; can follow up if maintainers want it).Backwards-compat guarantee (CF-1 merge gate)
[cashu]absent ⇒get_cashu() == None⇒is_cashu_enabled() == false⇒escrow_mode() == Lightning. A config that does not mention Cashu validates and boots exactly as before — covered bytoml_omits_block. The only touch to existing tests is mechanical: test-helperSettingsliterals gaincashu: None(compile fallout of the new field; no assertion changed).Test plan
cargo fmt --allcargo clippy --all-targets --all-features -- -D warningscargo test— 515 passed (503 pre-existing + 12 new: serde defaults ×5, validation ×7 incl. mutual-exclusion, scheme, and zero-locktime rejections)Independent of CF-0 (#795); both are Wave-0/1 of the CF-0…CF-5 series. CF-4 (DB helpers) next.
Summary by CodeRabbit
New Features
Bug Fixes
Tests