cdk 0.16.0

Core Cashu Development Kit library implementing the Cashu protocol
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241

#![doc = include_str!("./README.md")]

use std::collections::HashMap;
use std::fmt::Debug;
use std::str::FromStr;
use std::sync::Arc;
use std::time::Duration;

use bitcoin::bip32::{ChildNumber, DerivationPath, Xpriv};
use bitcoin::Network;
use cdk_common::amount::FeeAndAmounts;
use cdk_common::database::{self, WalletDatabase};
use cdk_common::parking_lot::RwLock;
use cdk_common::subscription::WalletParams;
use cdk_common::wallet::ProofInfo;
use cdk_common::{PublicKey, SecretKey, SECP256K1};
use getrandom::getrandom;
pub use mint_connector::http_client::{
    AuthHttpClient as BaseAuthHttpClient, HttpClient as BaseHttpClient,
};
use subscription::{ActiveSubscription, SubscriptionManager};
use tokio::sync::RwLock as TokioRwLock;
use tracing::instrument;
use zeroize::Zeroize;

use crate::amount::SplitTarget;
use crate::dhke::construct_proofs;
use crate::error::Error;
use crate::fees::calculate_fee;
use crate::mint_url::MintUrl;
use crate::nuts::nut00::token::Token;
use crate::nuts::nut17::Kind;
use crate::nuts::{
    nut10, CurrencyUnit, Id, Keys, MintInfo, MintQuoteState, PreMintSecrets, Proofs,
    RestoreRequest, SpendingConditions, State,
};
use crate::wallet::mint_metadata_cache::MintMetadataCache;
use crate::wallet::p2pk::{P2PK_ACCOUNT, P2PK_PURPOSE};
use crate::Amount;

mod auth;
pub mod bip321;
#[cfg(feature = "nostr")]
mod nostr_backup;
#[cfg(all(feature = "tor", not(target_arch = "wasm32")))]
pub use mint_connector::TorHttpClient;
mod balance;
mod builder;
mod issue;
mod keysets;
mod melt;
mod mint_connector;
mod mint_metadata_cache;
#[cfg(feature = "npubcash")]
mod npubcash;
mod p2pk;
pub mod payment_request;
mod proofs;
mod receive;
mod reclaim;
mod recovery;
pub(crate) mod saga;
mod send;
#[cfg(not(target_arch = "wasm32"))]
mod streams;
pub mod subscription;
mod swap;
pub mod test_utils;
mod transactions;
pub mod util;
pub mod wallet_repository;
mod wallet_trait;

pub use auth::{AuthMintConnector, AuthWallet};
#[cfg(all(feature = "bip353", not(target_arch = "wasm32")))]
pub use bip321::resolve_bip353_payment_instruction;
pub use bip321::{
    parse_payment_instruction, Bip321UriBuilder, ParsedPaymentInstruction, PaymentRequestBip321Ext,
};
pub use builder::WalletBuilder;
pub use cdk_common::wallet as types;
pub use cdk_common::wallet::{ReceiveOptions, SendMemo, SendOptions};
pub use keysets::KeysetFilter;
pub use melt::{MeltConfirmOptions, MeltOutcome, PendingMelt, PreparedMelt};
pub use mint_connector::transport::Transport as HttpTransport;
pub use mint_connector::{
    AuthHttpClient, HttpClient, LnurlPayInvoiceResponse, LnurlPayResponse, MintConnector,
};
#[cfg(feature = "nostr")]
pub use nostr_backup::{BackupOptions, BackupResult, RestoreOptions, RestoreResult};
pub use payment_request::CreateRequestParams;
#[cfg(feature = "nostr")]
pub use payment_request::NostrWaitInfo;
pub use recovery::RecoveryReport;
pub use send::PreparedSend;
#[cfg(all(feature = "npubcash", not(target_arch = "wasm32")))]
pub use streams::npubcash::NpubCashProofStream;
pub use types::{MeltQuote, MintQuote, SendKind};
pub use wallet_repository::{TokenData, WalletConfig, WalletRepository, WalletRepositoryBuilder};

use crate::nuts::nut00::ProofsMethods;

/// CDK Wallet
///
/// The CDK [`Wallet`] is a high level cashu wallet.
///
/// A [`Wallet`] is for a single mint and single unit.
///
/// # Initialization
///
/// After creating a wallet, call [`Wallet::recover_incomplete_sagas`] to recover
/// from interrupted operations (swap, send, receive, melt). This is required to
/// prevent proofs from being stuck in reserved states after a crash.
///
/// For pending mint quotes, call [`Wallet::mint_unissued_quotes`] which checks
/// quote states with the mint and mints available tokens. This makes network calls.
#[derive(Debug, Clone)]
pub struct Wallet {
    /// Mint Url
    pub mint_url: MintUrl,
    /// Unit
    pub unit: CurrencyUnit,
    /// Storage backend
    pub localstore: Arc<dyn WalletDatabase<database::Error> + Send + Sync>,
    /// Mint metadata cache for this mint (lock-free cached access to keys, keysets, and mint info)
    pub metadata_cache: Arc<MintMetadataCache>,
    /// The targeted amount of proofs to have at each size
    pub target_proof_count: usize,
    metadata_cache_ttl: Arc<RwLock<Option<Duration>>>,
    auth_wallet: Arc<TokioRwLock<Option<AuthWallet>>>,
    #[cfg(feature = "npubcash")]
    npubcash_client: Arc<TokioRwLock<Option<Arc<cdk_npubcash::NpubCashClient>>>>,
    seed: [u8; 64],
    client: Arc<dyn MintConnector + Send + Sync>,
    subscription: SubscriptionManager,
}

const ALPHANUMERIC: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

/// Wallet Subscription filter
#[derive(Debug, Clone)]
pub enum WalletSubscription {
    /// Proof subscription
    ProofState(Vec<String>),
    /// Mint quote subscription
    Bolt11MintQuoteState(Vec<String>),
    /// Melt quote subscription
    Bolt11MeltQuoteState(Vec<String>),
    /// Melt bolt12 quote subscription
    Bolt12MeltQuoteState(Vec<String>),
    /// Mint bolt12 quote subscription
    Bolt12MintQuoteState(Vec<String>),
    /// Custom melt quote subscription
    MeltQuoteCustom(String, Vec<String>),
}

impl From<WalletSubscription> for WalletParams {
    fn from(val: WalletSubscription) -> Self {
        let mut buffer = vec![0u8; 10];

        getrandom(&mut buffer).expect("Failed to generate random bytes");

        let id = Arc::new(
            buffer
                .iter()
                .map(|&byte| {
                    let index = byte as usize % ALPHANUMERIC.len(); // 62 alphanumeric characters (A-Z, a-z, 0-9)
                    ALPHANUMERIC[index] as char
                })
                .collect::<String>(),
        );

        match val {
            WalletSubscription::ProofState(filters) => WalletParams {
                filters,
                kind: Kind::ProofState,
                id,
            },
            WalletSubscription::Bolt11MintQuoteState(filters) => WalletParams {
                filters,
                kind: Kind::Bolt11MintQuote,
                id,
            },
            WalletSubscription::Bolt11MeltQuoteState(filters) => WalletParams {
                filters,
                kind: Kind::Bolt11MeltQuote,
                id,
            },
            WalletSubscription::Bolt12MintQuoteState(filters) => WalletParams {
                filters,
                kind: Kind::Bolt12MintQuote,
                id,
            },
            WalletSubscription::Bolt12MeltQuoteState(filters) => WalletParams {
                filters,
                kind: Kind::Bolt12MeltQuote,
                id,
            },
            WalletSubscription::MeltQuoteCustom(method, filters) => WalletParams {
                filters,
                kind: Kind::Custom(format!("{}_melt_quote", method)),
                id,
            },
        }
    }
}

pub use cdk_common::wallet::Restored;

impl Wallet {
    /// Create new [`Wallet`] using the builder pattern
    /// # Synopsis
    /// ```rust
    /// use std::sync::Arc;
    ///
    /// use bitcoin::bip32::Xpriv;
    /// use cdk::nuts::CurrencyUnit;
    /// use cdk::wallet::{Wallet, WalletBuilder};
    /// use cdk_sqlite::wallet::memory;
    /// use rand::random;
    ///
    /// async fn test() -> anyhow::Result<()> {
    ///     let seed = random::<[u8; 64]>();
    ///     let mint_url = "https://fake.thesimplekid.dev";
    ///     let unit = CurrencyUnit::Sat;
    ///
    ///     let localstore = memory::empty().await?;
    ///     let wallet = WalletBuilder::new()
    ///         .mint_url(mint_url.parse().unwrap())
    ///         .unit(unit)
    ///         .localstore(Arc::new(localstore))
    ///         .seed(seed)
    ///         .build();
    ///     Ok(())
    /// }
    /// ```
    pub fn new(
        mint_url: &str,
        unit: CurrencyUnit,
        localstore: Arc<dyn WalletDatabase<database::Error> + Send + Sync>,
        seed: [u8; 64],
        target_proof_count: Option<usize>,
    ) -> Result<Self, Error> {
        let mint_url = MintUrl::from_str(mint_url)?;

        WalletBuilder::new()
            .mint_url(mint_url)
            .unit(unit)
            .localstore(localstore)
            .seed(seed)
            .target_proof_count(target_proof_count.unwrap_or(3))
            .build()
    }

    /// Subscribe to events
    pub async fn subscribe<T: Into<WalletParams>>(
        &self,
        query: T,
    ) -> Result<ActiveSubscription, Error> {
        self.subscription
            .subscribe(self.mint_url.clone(), query.into())
            .map_err(|e| Error::SubscriptionError(e.to_string()))
    }

    /// Subscribe to mint quote state changes for the given quote IDs and payment method
    #[instrument(skip(self, method))]
    pub async fn subscribe_mint_quote_state(
        &self,
        quote_ids: Vec<String>,
        method: cdk_common::PaymentMethod,
    ) -> Result<ActiveSubscription, Error> {
        use cdk_common::nut00::KnownMethod;

        let sub = match method {
            cdk_common::PaymentMethod::Known(KnownMethod::Bolt11) => {
                WalletSubscription::Bolt11MintQuoteState(quote_ids)
            }
            cdk_common::PaymentMethod::Known(KnownMethod::Bolt12) => {
                WalletSubscription::Bolt12MintQuoteState(quote_ids)
            }
            cdk_common::PaymentMethod::Custom(_) => {
                return Err(Error::InvalidPaymentMethod);
            }
        };
        self.subscribe(sub).await
    }

    /// Fee required to redeem proof set
    #[instrument(skip_all)]
    pub async fn get_proofs_fee(
        &self,
        proofs: &Proofs,
    ) -> Result<crate::fees::ProofsFeeBreakdown, Error> {
        let proofs_per_keyset = proofs.count_by_keyset();
        self.get_proofs_fee_by_count(proofs_per_keyset).await
    }

    /// Fee required to redeem proof set by count
    pub async fn get_proofs_fee_by_count(
        &self,
        proofs_per_keyset: HashMap<Id, u64>,
    ) -> Result<crate::fees::ProofsFeeBreakdown, Error> {
        let mut fee_per_keyset = HashMap::new();
        let metadata = self
            .metadata_cache
            .load(&self.localstore, &self.client, {
                let ttl = self.metadata_cache_ttl.read();
                *ttl
            })
            .await?;

        for keyset_id in proofs_per_keyset.keys() {
            let mint_keyset_info = metadata
                .keysets
                .get(keyset_id)
                .ok_or(Error::UnknownKeySet)?;
            fee_per_keyset.insert(*keyset_id, mint_keyset_info.input_fee_ppk);
        }

        let fee_breakdown = calculate_fee(&proofs_per_keyset, &fee_per_keyset)?;

        Ok(fee_breakdown)
    }

    /// Get fee for count of proofs in a keyset
    #[instrument(skip_all)]
    pub async fn get_keyset_count_fee(&self, keyset_id: &Id, count: u64) -> Result<Amount, Error> {
        let input_fee_ppk = self
            .metadata_cache
            .load(&self.localstore, &self.client, {
                let ttl = self.metadata_cache_ttl.read();
                *ttl
            })
            .await?
            .keysets
            .get(keyset_id)
            .ok_or(Error::UnknownKeySet)?
            .input_fee_ppk;

        let fee = (input_fee_ppk * count).div_ceil(1000);

        Ok(Amount::from(fee))
    }

    /// Calculate fee for a given number of proofs with the specified keyset
    #[instrument(skip(self))]
    pub async fn calculate_fee(&self, proof_count: u64, keyset_id: Id) -> Result<Amount, Error> {
        self.get_keyset_count_fee(&keyset_id, proof_count).await
    }

    /// Update Mint information and related entries in the event a mint changes
    /// its URL
    #[instrument(skip(self))]
    pub async fn update_mint_url(&mut self, new_mint_url: MintUrl) -> Result<(), Error> {
        self.localstore
            .update_mint_url(self.mint_url.clone(), new_mint_url.clone())
            .await?;

        self.mint_url = new_mint_url;

        Ok(())
    }

    /// Query mint for current mint information
    #[instrument(skip(self))]
    pub async fn fetch_mint_info(&self) -> Result<Option<MintInfo>, Error> {
        let mint_info = self
            .metadata_cache
            .load_from_mint(&self.localstore, &self.client)
            .await?
            .mint_info
            .clone();

        // If mint provides time make sure it is accurate
        if let Some(mint_unix_time) = mint_info.time {
            let current_unix_time = crate::util::unix_time();
            if current_unix_time.abs_diff(mint_unix_time) > 30 {
                tracing::warn!(
                    "Mint time does match wallet time. Mint: {}, Wallet: {}",
                    mint_unix_time,
                    current_unix_time
                );
                return Err(Error::MintTimeExceedsTolerance);
            }
        }

        // Create or update auth wallet
        {
            let mut auth_wallet = self.auth_wallet.write().await;
            match &*auth_wallet {
                Some(auth_wallet) => {
                    let mut protected_endpoints = auth_wallet.protected_endpoints.write().await;
                    *protected_endpoints = mint_info.protected_endpoints();

                    if let Some(oidc_client) = mint_info
                        .openid_discovery()
                        .map(|url| crate::OidcClient::new(url, None))
                    {
                        auth_wallet.set_oidc_client(Some(oidc_client)).await;
                    }
                }
                None => {
                    tracing::info!("Mint has auth enabled creating auth wallet");

                    let oidc_client = mint_info
                        .openid_discovery()
                        .map(|url| crate::OidcClient::new(url, None));
                    let new_auth_wallet = AuthWallet::new(
                        self.mint_url.clone(),
                        None,
                        self.localstore.clone(),
                        self.metadata_cache.clone(),
                        mint_info.protected_endpoints(),
                        oidc_client,
                    );
                    *auth_wallet = Some(new_auth_wallet.clone());

                    self.client
                        .set_auth_wallet(Some(new_auth_wallet.clone()))
                        .await;

                    if let Err(e) = new_auth_wallet.refresh_keysets().await {
                        tracing::error!("Could not fetch auth keysets: {}", e);
                    }
                }
            }
        }

        tracing::trace!("Mint info updated for {}", self.mint_url);

        Ok(Some(mint_info))
    }

    /// Load mint info from cache
    ///
    /// This is a helper function that loads the mint info from the metadata cache
    /// using the configured TTL. Unlike `fetch_mint_info()`, this does not make
    /// a network call if the cache is fresh.
    #[instrument(skip(self))]
    pub async fn load_mint_info(&self) -> Result<MintInfo, Error> {
        let mint_info = self
            .metadata_cache
            .load(&self.localstore, &self.client, {
                let ttl = self.metadata_cache_ttl.read();
                *ttl
            })
            .await?
            .mint_info
            .clone();

        Ok(mint_info)
    }

    /// Get amounts needed to refill proof state
    #[instrument(skip(self))]
    pub(crate) async fn amounts_needed_for_state_target(
        &self,
        fee_and_amounts: &FeeAndAmounts,
    ) -> Result<Vec<Amount>, Error> {
        let unspent_proofs = self
            .get_proofs_with(Some(vec![State::Unspent]), None)
            .await?;

        let amounts_count: HashMap<u64, u64> =
            unspent_proofs
                .iter()
                .fold(HashMap::new(), |mut acc, proof| {
                    let amount = proof.amount;
                    let counter = acc.entry(u64::from(amount)).or_insert(0);
                    *counter += 1;
                    acc
                });

        let needed_amounts =
            fee_and_amounts
                .amounts()
                .iter()
                .fold(Vec::new(), |mut acc, amount| {
                    let count_needed = (self.target_proof_count as u64)
                        .saturating_sub(*amounts_count.get(amount).unwrap_or(&0));

                    for _i in 0..count_needed {
                        acc.push(Amount::from(*amount));
                    }

                    acc
                });
        Ok(needed_amounts)
    }

    /// Determine [`SplitTarget`] for amount based on state
    #[instrument(skip(self))]
    async fn determine_split_target_values(
        &self,
        change_amount: Amount,
        fee_and_amounts: &FeeAndAmounts,
    ) -> Result<SplitTarget, Error> {
        let mut amounts_needed_refill = self
            .amounts_needed_for_state_target(fee_and_amounts)
            .await?;

        amounts_needed_refill.sort();

        let mut values = Vec::new();

        for amount in amounts_needed_refill {
            let values_sum = Amount::try_sum(values.clone().into_iter())?;
            if values_sum + amount <= change_amount {
                values.push(amount);
            }
        }

        Ok(SplitTarget::Values(values))
    }

    /// Restore
    #[instrument(skip(self))]
    pub async fn restore(&self) -> Result<Restored, Error> {
        // Check that mint is in store of mints
        if self
            .localstore
            .get_mint(self.mint_url.clone())
            .await?
            .is_none()
        {
            self.fetch_mint_info().await?;
        }

        let keysets = self.get_mint_keysets(KeysetFilter::All).await?;

        let mut restored_result = Restored::default();

        for keyset in keysets {
            let keys = self.load_keyset_keys(keyset.id).await?;
            let mut empty_batch = 0;
            let mut start_counter = 0;
            // Track the highest counter value that had a signature
            let mut highest_counter: Option<u32> = None;

            while empty_batch.lt(&3) {
                let premint_secrets = PreMintSecrets::restore_batch(
                    keyset.id,
                    &self.seed,
                    start_counter,
                    start_counter + 100,
                )?;

                tracing::debug!(
                    "Attempting to restore counter {}-{} for mint {} keyset {}",
                    start_counter,
                    start_counter + 100,
                    self.mint_url,
                    keyset.id
                );

                let restore_request = RestoreRequest {
                    outputs: premint_secrets.blinded_messages(),
                };

                let response = self.client.post_restore(restore_request).await?;

                if response.signatures.is_empty() {
                    empty_batch += 1;
                    start_counter += 100;
                    continue;
                }

                // Build a map from blinded_secret to signature for O(1) lookup
                // This ensures we match signatures to secrets correctly regardless of response order
                let signature_map: HashMap<_, _> = response
                    .outputs
                    .iter()
                    .zip(response.signatures.iter())
                    .map(|(output, sig)| (output.blinded_secret, sig.clone()))
                    .collect();

                // Enumerate secrets to track their original index (which corresponds to counter value)
                // and match signatures by blinded_secret to ensure correct pairing
                let matched_secrets: Vec<_> = premint_secrets
                    .secrets
                    .iter()
                    .enumerate()
                    .filter_map(|(idx, p)| {
                        signature_map
                            .get(&p.blinded_message.blinded_secret)
                            .map(|sig| (idx, p, sig.clone()))
                    })
                    .collect();

                // Update highest counter based on matched indices
                if let Some(&(max_idx, _, _)) = matched_secrets.last() {
                    let counter_value = start_counter + max_idx as u32;
                    highest_counter =
                        Some(highest_counter.map_or(counter_value, |c| c.max(counter_value)));
                }

                // the response outputs and premint secrets should be the same after filtering
                // blinded messages the mint did not have signatures for
                if response.outputs.len() != matched_secrets.len() {
                    return Err(Error::InvalidMintResponse(format!(
                        "restore response outputs ({}) does not match premint secrets ({})",
                        response.outputs.len(),
                        matched_secrets.len()
                    )));
                }

                // Extract signatures, rs, and secrets in matching order
                // Each tuple (idx, premint, signature) ensures correct pairing
                let proofs = construct_proofs(
                    matched_secrets
                        .iter()
                        .map(|(_, _, sig)| sig.clone())
                        .collect(),
                    matched_secrets
                        .iter()
                        .map(|(_, p, _)| p.r.clone())
                        .collect(),
                    matched_secrets
                        .iter()
                        .map(|(_, p, _)| p.secret.clone())
                        .collect(),
                    &keys,
                )?;

                tracing::debug!("Restored {} proofs", proofs.len());

                let states = self.check_proofs_spent(proofs.clone()).await?;

                let (unspent_proofs, updated_restored) = proofs
                    .into_iter()
                    .zip(states)
                    .filter_map(|(p, state)| {
                        ProofInfo::new(p, self.mint_url.clone(), state.state, keyset.unit.clone())
                            .ok()
                    })
                    .try_fold(
                        (Vec::new(), restored_result),
                        |(mut proofs, mut restored_result), proof_info| {
                            match proof_info.state {
                                State::Spent => {
                                    restored_result.spent += proof_info.proof.amount;
                                }
                                State::Unspent =>  {
                                    restored_result.unspent += proof_info.proof.amount;
                                    proofs.push(proof_info);
                                }
                                State::Pending => {
                                    restored_result.pending += proof_info.proof.amount;
                                    proofs.push(proof_info);
                                }
                                _ => {
                                    unreachable!("These states are unknown to the mint and cannot be returned")
                                }
                            }
                            Ok::<(Vec<ProofInfo>, Restored), Error>((proofs, restored_result))
                        },
                    )?;

                restored_result = updated_restored;

                self.localstore
                    .update_proofs(unspent_proofs, vec![])
                    .await?;

                empty_batch = 0;
                start_counter += 100;
            }

            if let Some(highest) = highest_counter {
                self.localstore
                    .increment_keyset_counter(&keyset.id, highest + 1)
                    .await?;
                tracing::debug!(
                    "Set keyset {} counter to {} after restore",
                    keyset.id,
                    highest + 1
                );
            }
        }
        Ok(restored_result)
    }

    /// Verify all proofs in token have meet the required spend
    /// Can be used to allow a wallet to accept payments offline while reducing
    /// the risk of claiming back to the limits let by the spending_conditions
    #[instrument(skip(self, token))]
    pub async fn verify_token_p2pk(
        &self,
        token: &Token,
        spending_conditions: SpendingConditions,
    ) -> Result<(), Error> {
        let (refund_keys, pubkeys, locktime, num_sigs) = match spending_conditions {
            SpendingConditions::P2PKConditions { data, conditions } => {
                let mut pubkeys = vec![data];

                match conditions {
                    Some(conditions) => {
                        pubkeys.extend(conditions.pubkeys.unwrap_or_default());

                        (
                            conditions.refund_keys,
                            Some(pubkeys),
                            conditions.locktime,
                            conditions.num_sigs,
                        )
                    }
                    None => (None, Some(pubkeys), None, None),
                }
            }
            SpendingConditions::HTLCConditions {
                conditions,
                data: _,
            } => match conditions {
                Some(conditions) => (
                    conditions.refund_keys,
                    conditions.pubkeys,
                    conditions.locktime,
                    conditions.num_sigs,
                ),
                None => (None, None, None, None),
            },
        };

        if refund_keys.is_some() && locktime.is_none() {
            tracing::warn!(
                "Invalid spending conditions set: Locktime must be set if refund keys are allowed"
            );
            return Err(Error::InvalidSpendConditions(
                "Must set locktime".to_string(),
            ));
        }
        if token.mint_url()? != self.mint_url {
            return Err(Error::IncorrectWallet(format!(
                "Should be {} not {}",
                self.mint_url,
                token.mint_url()?
            )));
        }
        // We need the keysets information to properly convert from token proof to proof
        let keysets_info = self.load_mint_keysets().await?;
        let proofs = token.proofs(&keysets_info)?;

        for proof in proofs {
            let secret: nut10::Secret = (&proof.secret).try_into()?;

            let proof_conditions: SpendingConditions = secret.try_into()?;

            if num_sigs.ne(&proof_conditions.num_sigs()) {
                tracing::debug!(
                    "Spending condition requires: {:?} sigs proof secret specifies: {:?}",
                    num_sigs,
                    proof_conditions.num_sigs()
                );

                return Err(Error::P2PKConditionsNotMet(
                    "Num sigs did not match spending condition".to_string(),
                ));
            }

            let spending_condition_pubkeys = pubkeys.clone().unwrap_or_default();
            let proof_pubkeys = proof_conditions.pubkeys().unwrap_or_default();

            // Check the Proof has the required pubkeys
            if proof_pubkeys.len().ne(&spending_condition_pubkeys.len())
                || !proof_pubkeys
                    .iter()
                    .all(|pubkey| spending_condition_pubkeys.contains(pubkey))
            {
                tracing::debug!("Proof did not included Publickeys meeting condition");
                tracing::debug!("{:?}", proof_pubkeys);
                tracing::debug!("{:?}", spending_condition_pubkeys);
                return Err(Error::P2PKConditionsNotMet(
                    "Pubkeys in proof not allowed by spending condition".to_string(),
                ));
            }

            // If spending condition refund keys is allowed (Some(Empty Vec))
            // If spending conition refund keys is allowed to restricted set of keys check
            // it is one of them Check that proof locktime is > condition
            // locktime

            if let Some(proof_refund_keys) = proof_conditions.refund_keys() {
                let proof_locktime = proof_conditions
                    .locktime()
                    .ok_or(Error::LocktimeNotProvided)?;

                if let (Some(condition_refund_keys), Some(condition_locktime)) =
                    (&refund_keys, locktime)
                {
                    // Proof locktime must be greater then condition locktime to ensure it
                    // cannot be claimed back
                    if proof_locktime.lt(&condition_locktime) {
                        return Err(Error::P2PKConditionsNotMet(
                            "Proof locktime less then required".to_string(),
                        ));
                    }

                    // A non empty condition refund key list is used as a restricted set of keys
                    // returns are allowed to An empty list means the
                    // proof can be refunded to anykey set in the secret
                    if !condition_refund_keys.is_empty()
                        && !proof_refund_keys
                            .iter()
                            .all(|refund_key| condition_refund_keys.contains(refund_key))
                    {
                        return Err(Error::P2PKConditionsNotMet(
                            "Refund Key not allowed".to_string(),
                        ));
                    }
                } else {
                    // Spending conditions does not allow refund keys
                    return Err(Error::P2PKConditionsNotMet(
                        "Spending condition does not allow refund keys".to_string(),
                    ));
                }
            }
        }

        Ok(())
    }

    /// Verify all proofs in token have a valid DLEQ proof
    #[instrument(skip(self, token))]
    pub async fn verify_token_dleq(&self, token: &Token) -> Result<(), Error> {
        let mut keys_cache: HashMap<Id, Keys> = HashMap::new();

        // TODO: Get mint url
        // if mint_url != &self.mint_url {
        //     return Err(Error::IncorrectWallet(format!(
        //         "Should be {} not {}",
        //         self.mint_url, mint_url
        //     )));
        // }

        // We need the keysets information to properly convert from token proof to proof
        let keysets_info = self.load_mint_keysets().await?;
        let proofs = token.proofs(&keysets_info)?;
        for proof in proofs {
            let mint_pubkey = match keys_cache.get(&proof.keyset_id) {
                Some(keys) => keys.amount_key(proof.amount),
                None => {
                    let keys = self.load_keyset_keys(proof.keyset_id).await?;

                    let key = keys.amount_key(proof.amount);
                    keys_cache.insert(proof.keyset_id, keys);

                    key
                }
            }
            .ok_or(Error::AmountKey)?;

            proof
                .verify_dleq(mint_pubkey)
                .map_err(|_| Error::CouldNotVerifyDleq)?;
        }

        Ok(())
    }

    /// Set the client (MintConnector) for this wallet
    ///
    /// This allows updating the connector without recreating the wallet.
    pub fn set_client(&mut self, client: Arc<dyn MintConnector + Send + Sync>) {
        self.client = client;
    }

    /// Get the connector used by this wallet.
    pub fn mint_connector(&self) -> Arc<dyn MintConnector + Send + Sync> {
        self.client.clone()
    }

    /// Set the target proof count for this wallet
    ///
    /// This controls how many proofs of each denomination the wallet tries to maintain.
    pub fn set_target_proof_count(&mut self, count: usize) {
        self.target_proof_count = count;
    }

    /// generates and stores public key in database
    pub async fn generate_public_key(&self) -> Result<PublicKey, Error> {
        let public_keys = self.localstore.list_p2pk_keys().await?;

        let mut last_derivation_index = 0;

        for public_key in public_keys {
            if public_key.derivation_index >= last_derivation_index {
                last_derivation_index = public_key.derivation_index + 1;
            }
        }

        let derivation_path = DerivationPath::from(vec![
            ChildNumber::from_hardened_idx(P2PK_PURPOSE)?,
            ChildNumber::from_hardened_idx(P2PK_ACCOUNT)?,
            ChildNumber::from_hardened_idx(0)?,
            ChildNumber::from_hardened_idx(0)?,
            ChildNumber::from_normal_idx(last_derivation_index)?,
        ]);

        let pubkey = p2pk::generate_public_key(&derivation_path, &self.seed).await?;

        self.localstore
            .add_p2pk_key(&pubkey, derivation_path, last_derivation_index)
            .await?;

        Ok(pubkey)
    }

    /// gets public key by it's hex value
    pub async fn get_public_key(
        &self,
        pubkey: &PublicKey,
    ) -> Result<Option<cdk_common::wallet::P2PKSigningKey>, database::Error> {
        self.localstore.get_p2pk_key(pubkey).await
    }

    /// gets list of stored public keys in database
    pub async fn get_public_keys(
        &self,
    ) -> Result<Vec<cdk_common::wallet::P2PKSigningKey>, database::Error> {
        self.localstore.list_p2pk_keys().await
    }

    /// Gets the latest generated P2PK signing key (most recently created)
    pub async fn get_latest_public_key(
        &self,
    ) -> Result<Option<cdk_common::wallet::P2PKSigningKey>, database::Error> {
        self.localstore.latest_p2pk().await
    }

    /// try to get secret key from p2pk signing key in localstore
    async fn get_signing_key(&self, pubkey: &PublicKey) -> Result<Option<SecretKey>, Error> {
        let signing = self.localstore.get_p2pk_key(pubkey).await?;
        if let Some(signing) = signing {
            let xpriv = Xpriv::new_master(Network::Bitcoin, &self.seed)?;
            return Ok(Some(SecretKey::from(
                xpriv
                    .derive_priv(&SECP256K1, &signing.derivation_path)?
                    .private_key,
            )));
        }

        Ok(None)
    }
}

impl Drop for Wallet {
    fn drop(&mut self) {
        self.seed.zeroize();
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::nuts::{BlindSignature, BlindedMessage, PreMint, PreMintSecrets};
    use crate::secret::Secret;

    /// Test that restore signature matching works correctly when response is in order
    #[test]
    fn test_restore_signature_matching_in_order() {
        // Create test data with 3 premint secrets
        let keyset_id = Id::from_bytes(&[0u8; 8]).unwrap();

        // Generate deterministic keys for testing
        let secret1 = Secret::generate();
        let secret2 = Secret::generate();
        let secret3 = Secret::generate();

        let (blinded1, r1) = crate::dhke::blind_message(&secret1.to_bytes(), None).unwrap();
        let (blinded2, r2) = crate::dhke::blind_message(&secret2.to_bytes(), None).unwrap();
        let (blinded3, r3) = crate::dhke::blind_message(&secret3.to_bytes(), None).unwrap();

        let premint1 = PreMint {
            blinded_message: BlindedMessage::new(Amount::from(1), keyset_id, blinded1),
            secret: secret1.clone(),
            r: r1.clone(),
            amount: Amount::from(1),
        };
        let premint2 = PreMint {
            blinded_message: BlindedMessage::new(Amount::from(2), keyset_id, blinded2),
            secret: secret2.clone(),
            r: r2.clone(),
            amount: Amount::from(2),
        };
        let premint3 = PreMint {
            blinded_message: BlindedMessage::new(Amount::from(4), keyset_id, blinded3),
            secret: secret3.clone(),
            r: r3.clone(),
            amount: Amount::from(4),
        };

        let premint_secrets = PreMintSecrets {
            secrets: vec![premint1.clone(), premint2.clone(), premint3.clone()],
            keyset_id,
        };

        // Create mock signatures (just need the structure, not real signatures)
        let sig1 = BlindSignature {
            amount: Amount::from(1),
            keyset_id,
            c: blinded1, // Using blinded as placeholder for signature
            dleq: None,
        };
        let sig2 = BlindSignature {
            amount: Amount::from(2),
            keyset_id,
            c: blinded2,
            dleq: None,
        };
        let sig3 = BlindSignature {
            amount: Amount::from(4),
            keyset_id,
            c: blinded3,
            dleq: None,
        };

        // Response in same order as request
        let response_outputs = [
            premint1.blinded_message.clone(),
            premint2.blinded_message.clone(),
            premint3.blinded_message.clone(),
        ];
        let response_signatures = [sig1.clone(), sig2.clone(), sig3.clone()];

        // Apply the matching logic (same as in restore)
        let signature_map: HashMap<_, _> = response_outputs
            .iter()
            .zip(response_signatures.iter())
            .map(|(output, sig)| (output.blinded_secret, sig.clone()))
            .collect();

        let matched_secrets: Vec<_> = premint_secrets
            .secrets
            .iter()
            .enumerate()
            .filter_map(|(idx, p)| {
                signature_map
                    .get(&p.blinded_message.blinded_secret)
                    .map(|sig| (idx, p, sig.clone()))
            })
            .collect();

        // Verify all 3 matched
        assert_eq!(matched_secrets.len(), 3);

        // Verify correct pairing by checking amounts match
        assert_eq!(matched_secrets[0].2.amount, Amount::from(1));
        assert_eq!(matched_secrets[1].2.amount, Amount::from(2));
        assert_eq!(matched_secrets[2].2.amount, Amount::from(4));

        // Verify indices are preserved
        assert_eq!(matched_secrets[0].0, 0);
        assert_eq!(matched_secrets[1].0, 1);
        assert_eq!(matched_secrets[2].0, 2);
    }

    /// Test that restore signature matching works correctly when response is OUT of order
    /// This is the critical test that verifies the fix for TokenNotVerified
    #[test]
    fn test_restore_signature_matching_out_of_order() {
        let keyset_id = Id::from_bytes(&[0u8; 8]).unwrap();

        let secret1 = Secret::generate();
        let secret2 = Secret::generate();
        let secret3 = Secret::generate();

        let (blinded1, r1) = crate::dhke::blind_message(&secret1.to_bytes(), None).unwrap();
        let (blinded2, r2) = crate::dhke::blind_message(&secret2.to_bytes(), None).unwrap();
        let (blinded3, r3) = crate::dhke::blind_message(&secret3.to_bytes(), None).unwrap();

        let premint1 = PreMint {
            blinded_message: BlindedMessage::new(Amount::from(1), keyset_id, blinded1),
            secret: secret1.clone(),
            r: r1.clone(),
            amount: Amount::from(1),
        };
        let premint2 = PreMint {
            blinded_message: BlindedMessage::new(Amount::from(2), keyset_id, blinded2),
            secret: secret2.clone(),
            r: r2.clone(),
            amount: Amount::from(2),
        };
        let premint3 = PreMint {
            blinded_message: BlindedMessage::new(Amount::from(4), keyset_id, blinded3),
            secret: secret3.clone(),
            r: r3.clone(),
            amount: Amount::from(4),
        };

        let premint_secrets = PreMintSecrets {
            secrets: vec![premint1.clone(), premint2.clone(), premint3.clone()],
            keyset_id,
        };

        let sig1 = BlindSignature {
            amount: Amount::from(1),
            keyset_id,
            c: blinded1,
            dleq: None,
        };
        let sig2 = BlindSignature {
            amount: Amount::from(2),
            keyset_id,
            c: blinded2,
            dleq: None,
        };
        let sig3 = BlindSignature {
            amount: Amount::from(4),
            keyset_id,
            c: blinded3,
            dleq: None,
        };

        // Response in REVERSED order (simulating out-of-order response from mint)
        let response_outputs = [
            premint3.blinded_message.clone(), // index 2 first
            premint1.blinded_message.clone(), // index 0 second
            premint2.blinded_message.clone(), // index 1 third
        ];
        let response_signatures = [sig3.clone(), sig1.clone(), sig2.clone()];

        // Apply the matching logic (same as in restore)
        let signature_map: HashMap<_, _> = response_outputs
            .iter()
            .zip(response_signatures.iter())
            .map(|(output, sig)| (output.blinded_secret, sig.clone()))
            .collect();

        let matched_secrets: Vec<_> = premint_secrets
            .secrets
            .iter()
            .enumerate()
            .filter_map(|(idx, p)| {
                signature_map
                    .get(&p.blinded_message.blinded_secret)
                    .map(|sig| (idx, p, sig.clone()))
            })
            .collect();

        // Verify all 3 matched
        assert_eq!(matched_secrets.len(), 3);

        // Critical: Even though response was out of order, signatures should be
        // correctly paired with their corresponding premint secrets
        // matched_secrets should be in premint order (0, 1, 2) with correct signatures
        assert_eq!(matched_secrets[0].0, 0); // First premint (amount 1)
        assert_eq!(matched_secrets[0].2.amount, Amount::from(1)); // Correct signature

        assert_eq!(matched_secrets[1].0, 1); // Second premint (amount 2)
        assert_eq!(matched_secrets[1].2.amount, Amount::from(2)); // Correct signature

        assert_eq!(matched_secrets[2].0, 2); // Third premint (amount 4)
        assert_eq!(matched_secrets[2].2.amount, Amount::from(4)); // Correct signature
    }

    /// Test that restore handles partial responses correctly
    #[test]
    fn test_restore_signature_matching_partial_response() {
        let keyset_id = Id::from_bytes(&[0u8; 8]).unwrap();

        let secret1 = Secret::generate();
        let secret2 = Secret::generate();
        let secret3 = Secret::generate();

        let (blinded1, r1) = crate::dhke::blind_message(&secret1.to_bytes(), None).unwrap();
        let (blinded2, r2) = crate::dhke::blind_message(&secret2.to_bytes(), None).unwrap();
        let (blinded3, r3) = crate::dhke::blind_message(&secret3.to_bytes(), None).unwrap();

        let premint1 = PreMint {
            blinded_message: BlindedMessage::new(Amount::from(1), keyset_id, blinded1),
            secret: secret1.clone(),
            r: r1.clone(),
            amount: Amount::from(1),
        };
        let premint2 = PreMint {
            blinded_message: BlindedMessage::new(Amount::from(2), keyset_id, blinded2),
            secret: secret2.clone(),
            r: r2.clone(),
            amount: Amount::from(2),
        };
        let premint3 = PreMint {
            blinded_message: BlindedMessage::new(Amount::from(4), keyset_id, blinded3),
            secret: secret3.clone(),
            r: r3.clone(),
            amount: Amount::from(4),
        };

        let premint_secrets = PreMintSecrets {
            secrets: vec![premint1.clone(), premint2.clone(), premint3.clone()],
            keyset_id,
        };

        let sig1 = BlindSignature {
            amount: Amount::from(1),
            keyset_id,
            c: blinded1,
            dleq: None,
        };
        let sig3 = BlindSignature {
            amount: Amount::from(4),
            keyset_id,
            c: blinded3,
            dleq: None,
        };

        // Response only has signatures for premint1 and premint3 (gap at premint2)
        // Also out of order
        let response_outputs = [
            premint3.blinded_message.clone(),
            premint1.blinded_message.clone(),
        ];
        let response_signatures = [sig3.clone(), sig1.clone()];

        let signature_map: HashMap<_, _> = response_outputs
            .iter()
            .zip(response_signatures.iter())
            .map(|(output, sig)| (output.blinded_secret, sig.clone()))
            .collect();

        let matched_secrets: Vec<_> = premint_secrets
            .secrets
            .iter()
            .enumerate()
            .filter_map(|(idx, p)| {
                signature_map
                    .get(&p.blinded_message.blinded_secret)
                    .map(|sig| (idx, p, sig.clone()))
            })
            .collect();

        // Only 2 should match
        assert_eq!(matched_secrets.len(), 2);

        // Verify correct pairing despite gap and out-of-order response
        assert_eq!(matched_secrets[0].0, 0); // First premint (amount 1)
        assert_eq!(matched_secrets[0].2.amount, Amount::from(1));

        assert_eq!(matched_secrets[1].0, 2); // Third premint (amount 4), index 1 skipped
        assert_eq!(matched_secrets[1].2.amount, Amount::from(4));
    }
}