refactor: migrate gift-wrap to mostro-core 0.10 dual identity/trade keys

[grunch]

Summary

• Bump mostro-core 0.9.1 → 0.10.0 to pick up the updated NIP-59 transport that splits signing across a long-lived identity key (seals, kind 13) and a per-trade trade key (rumor, kind 1 + inner tuple signature), as specified in mostro.network/protocol/key_management and docs/NIP59_TRANSPORT.md.
• Thread the dual-key pair through send_dm, send_plain_text_dm, and the internal publish_gift_wrap helper, then update every CLI call site accordingly:
  • User order flows (new_order, take_order, add_invoice, orders_info, rate_user, send_msg, send_dm) → ctx.identity_keys + per-order trade keys.
  • Account-scoped requests (restore, last_trade_index) and admin flows (take_dispute, admin_send_dm, adm_send_dm) → same key for both (full-privacy-mode wrap, per the spec).
  • NIP-17 kind-14 DMs (to_user = true) continue to sign with trade keys directly (no seal involved).
• Refresh unit tests for the new API and add a full-privacy-mode assertion (identity == sender when the same Keys is passed).

Test plan

• cargo fmt --all
• cargo clippy --all-targets --all-features -- -D warnings
• cargo test (all existing suites green)
• Manual smoke test against a live Mostro node: new order, take order, add invoice, fiat-sent, release, restore, last-trade-index, admin take-dispute.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores

  • Updated mostro-core dependency to version 0.10.0

• Refactor

  • Enhanced the authentication mechanism for all direct messaging operations by implementing an improved key management system that better separates identity and trading credentials across all CLI commands

[coderabbitai]

Warning

Rate limit exceeded

@grunch has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 10 minutes and 40 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 10 minutes and 40 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a2466938-71b8-4766-90b9-6db454b60a74

📥 Commits

Reviewing files that changed from the base of the PR and between 88ab6e7 and 72bdc75.

📒 Files selected for processing (2)

• .codex
• src/cli/orders_info.rs

Walkthrough

Upgrades the mostro-core crate from 0.9.1 to 0.10.0 and propagates resulting API changes throughout the codebase, splitting DM/gift-wrap signing into distinct identity_keys (for sealing) and trade_keys (for rumor authoring) instead of a single signer key. All CLI commands and utilities updated to pass both key types.

Changes

Cohort / File(s)	Summary
Dependency Update Cargo.toml	Updated mostro-core crate dependency from 0.9.1 to 0.10.0.
Messaging API Refactoring src/util/messaging.rs, src/util/storage.rs	Refactored DM-sending APIs to accept dual-key parameters: identity_keys (for outer seal) and trade_keys (for inner rumor). Updated send_dm and send_plain_text_dm signatures and their internal wrap_message calls; adjusted admin_send_dm helper to pass admin keys for both roles.
CLI DM-Sending Commands src/cli/add_invoice.rs, src/cli/adm_send_dm.rs, src/cli/last_trade_index.rs, src/cli/new_order.rs, src/cli/orders_info.rs, src/cli/rate_user.rs, src/cli/restore.rs, src/cli/send_dm.rs, src/cli/send_msg.rs, src/cli/take_dispute.rs, src/cli/take_order.rs	Updated send_dm and send_plain_text_dm invocations across all CLI command handlers to supply ctx.identity_keys alongside existing parameters; also adjusted calls to pass admin_keys twice where applicable (seal and rumor).
Test Coverage tests/parser_dms.rs	Updated gift-wrap test setup to generate and supply distinct sender_identity_keys and sender_trade_keys to wrap_message invocations.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• Migrate to mostro-core 0.9.1 centralized NIP-59 transport (wrap_message / unwrap_message / validate_response) mostro#714 — Both changes migrate DM/gift-wrap transport to rely on updated mostro-core; touching the same messaging/wrap interfaces and adapting to the dual-key identity/trade split.
• Migrate NIP-59 gift-wrap transport to mostro-core 0.9 (wrap_message / unwrap_message / validate_response) app#101 — Both modify NIP-59 gift-wrap transport and messaging callsites (wrap/unwrap/send_dm), continuing migration to account for the dual-key split.

Possibly related PRs

• fix for giftwrap with pow creation #161 — Modifies gift-wrap creation/signing pipeline in src/util/messaging.rs (seal→giftwrap construction and PoW application), directly overlapping with the core messaging refactoring in this PR.
• Code refactoring and small fixes #90 — Modifies DM sending API and all its callers (send_dm/send_plain_text_dm signatures and how identity keys are threaded through).
• Rate user #102 — Updates DM/messaging API call sites and function signatures across multiple CLI commands, addressing the same messaging layer refactoring.

Suggested reviewers

• Catrya

Poem

🐰✨ A message split in two—
One key seals, the other speaks true;
Gift-wrapped with care, no more, no less,
Identity and trade in dual finesse! 🎁

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and accurately summarizes the main change: migrating to mostro-core 0.10 with a dual identity/trade key architecture for gift-wrap messaging.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch migrate/mostro-core-0.10.0-dual-key-giftwrap

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/cli/orders_info.rs (1)

30-53: ⚠️ Potential issue | 🟡 Minor

Use identity keys for both seal and rumor to match other account-scoped endpoints.

The orders_info endpoint queries arbitrary order IDs — a request not bound to a single trade, semantically similar to restore and last_trade_index. Both those account-scoped endpoints use (identity_keys, identity_keys) with explicit comments explaining that Mostro indexes users by identity pubkey. For consistency, orders_info should do the same: pass &ctx.identity_keys as both the seal signer (3rd argument) and rumor author, and likely set trade_index to None in the message.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/cli/orders_info.rs` around lines 30 - 53, The orders_info handler builds
a Message with a trade-scoped seal/rumor and uses ctx.trade_index; change
Message::new_order to use None for the trade_index (i.e., account-scoped) and
pass &ctx.identity_keys for both the seal signer and rumor author when calling
send_dm (replace the current &ctx.trade_keys third-arg with &ctx.identity_keys)
so it matches restore/last_trade_index behavior and add a short comment that
Mostro indexes by identity pubkey.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@src/cli/orders_info.rs`:
- Around line 30-53: The orders_info handler builds a Message with a
trade-scoped seal/rumor and uses ctx.trade_index; change Message::new_order to
use None for the trade_index (i.e., account-scoped) and pass &ctx.identity_keys
for both the seal signer and rumor author when calling send_dm (replace the
current &ctx.trade_keys third-arg with &ctx.identity_keys) so it matches
restore/last_trade_index behavior and add a short comment that Mostro indexes by
identity pubkey.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: df6f44f3-e333-4924-992b-2ba71f7c77a8

📥 Commits

Reviewing files that changed from the base of the PR and between e30a1d5 and 88ab6e7.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (15)

• Cargo.toml
• src/cli/add_invoice.rs
• src/cli/adm_send_dm.rs
• src/cli/last_trade_index.rs
• src/cli/new_order.rs
• src/cli/orders_info.rs
• src/cli/rate_user.rs
• src/cli/restore.rs
• src/cli/send_dm.rs
• src/cli/send_msg.rs
• src/cli/take_dispute.rs
• src/cli/take_order.rs
• src/util/messaging.rs
• src/util/storage.rs
• tests/parser_dms.rs