1
0
forked from GRIN/grim
Commit Graph

197 Commits

Author SHA1 Message Date
2ro 9bdc0e2c60 locales: apply firm zh-CN audit corrections + mirror to zh-TW
Fix 21 keys (23 substitutions) flagged in the zh-CN Goblin-string audit,
and apply the equivalent Traditional corrections to the matching zh-TW keys
so both stay correct and consistent:
- 7 leftover-English strings (you/username/handle/kind) translated
- 3 stray formal 您 -> informal 你 (plus Nostr -> nostr where en is lowercase)
- 7 terminology tweaks (机构->授权方, kind->类型, 活动->动态, 费用->手续费)
- 4 half-width -> full-width commas
Judgment-call rows (review_btn/title, pairing.title) intentionally not applied.
2026-07-08 02:22:53 -04:00
2ro e623271476 locales: add Traditional Chinese (zh-TW)
Full native-quality Traditional Chinese (Taiwan) locale covering all 910
keys. Shared GRIM-inherited keys use jasperli2026's zh-TC values verbatim;
goblin.* namespace translated from the corrected Simplified source into
Taiwan-idiom Traditional (OpenCC s2twp plus a manual Taiwan post-fix and
review pass), keeping Jasper's voice and crypto-wallet register. Cangjie
keyboard labels reused from zh-CN; lang_name set to 繁體中文.

Wired into the i18n drift test (OTHER_LOCALES) and README attribution;
rust_i18n auto-loads it and the language picker labels it via lang_name.
System locale zh-TW auto-selects; news folds zh-TW to zh (shared with
Simplified) as noted in news_locale_code.
2026-07-08 02:22:53 -04:00
2ro 8bbb7853ef locales: adopt corrected Simplified Chinese from jasperli2026 (keep Cangjie keyboard + Goblin title) 2026-07-08 02:22:53 -04:00
2ro f2781fb5a9 locales: fix zh-CN lang_name to native 简体中文
The Chinese locale self-label read 英语 (the word for "English"). Use the
native Simplified Chinese name so the language picker row is correct.
2026-07-08 02:22:53 -04:00
2ro 35c9ea3bbc Remove dormant Nym/mixnet transport, commit fully to Tor
The wallet pivoted from the Nym mixnet to Tor in build134; the Nym code
had been left on disk behind an optional, always-off "nym" feature and
never ran since. Delete it entirely: no Nym/mixnet fallback and no
Nym/mixnet mentions remain. Tor is the sole transport.

- Delete src/nym/ (mod, transport, streamexit, dns, nymproc) and its
  `#[cfg(feature = "nym")] pub mod nym;` declaration in lib.rs.
- Cargo.toml: drop the `nym` feature and the commented-out Nym-only
  path deps (nym-sdk, smolmix, hickory-proto); rewrite the mixnet-era
  comments on the rustls/tokio-rustls/arti/openssl deps to the current
  Tor reality. No active dependency changed: rustls, tokio-rustls and
  webpki-roots stay (used by the Tor HTTPS client in tor/mod.rs).
- settings/config.rs: remove the persisted nym_entry_gateway /
  nym_last_ipr fields and their getters/setters. No serde
  deny_unknown_fields, so existing on-disk configs that still carry
  those keys keep deserializing (the removed keys are ignored and
  dropped on next save; same path the price-cache-removal test guards).
- Rename the Nym/mixnet-named i18n keys (values already said "Tor")
  across all 9 locales and their t!() call sites: connected_nym ->
  connected_tor, nym_ready -> tor_ready, connecting_nym ->
  connecting_tor, mixnet_routing -> tor_routing, over_mixnet ->
  over_tor. Displayed strings unchanged.
- Rewrite the Nym/mixnet-referencing comments in the active Tor files
  (tor/engine.rs, tor/mod.rs, nostr/client.rs, nostr/pool.rs,
  nostr/mod.rs, lib.rs, wallet/wallet.rs, node/node.rs,
  gui widgets/mod/onboarding, Android BackgroundService) to describe
  Tor; drop the now-broken [crate::nym::*] intra-doc links. No active
  code behavior changed.

The pool's `exit` schema slot and exit_for/exit_for_host/has_exit
helpers are kept (comments de-Nym'd): they are inert under Tor but let
a pool document that carries an exit still parse.
2026-07-08 02:22:53 -04:00
2ro 4337580806 goblin: full wallet backup (seed + all identities) with restore
The .backup file now seals the money seed AND every held identity in one
encrypted, versioned envelope, and the caption's promise ("Contains your
wallet and all identities.") is finally true.

Format (nostr/identity.rs): a JSON envelope tagged goblin_backup:2. The
seed phrase is sealed with seal_secret_text() and each identity with the
existing per-identity to_encrypted_backup() (so every element is itself a
valid v1 identity envelope). Both layers reuse the in-tree NIP-49 ncryptsec
+ NIP-44 primitives under one password: no new crypto, no new dependency.
The plaintext seed is assembled and sealed in memory (the zeroizing
recovery string drops at scope end) and never written to disk. Old v1
single-identity backups keep restoring unchanged; is_full_backup() is
checked before the v1 path so the two never collide.

Build (wallet.rs): create_full_backup() gathers the seed via the existing
recovery API (which proves the wallet password) plus every unlocked held
identity. restore_full_backup_identities() reinstates them into a freshly
created wallet, re-encrypting each under the new wallet password, making the
backup's active identity active, and reusing the held-index/service-rebuild
plumbing. The identity-only import paths now reject a full backup with a
clear pointer to wallet creation.

Restore (onboarding.rs): the restore-from-seed step gains a .backup picker;
unlocking it decrypts the seed into the standard 24-word creation grid and
stashes the identities, which a worker reinstates once the wallet opens.

Copy: backup caption, title, blurb, and saved-sub updated across all nine
locales; two new restore strings added in all nine.

Tests: full_backup_roundtrips_seed_identities_and_active,
old_single_identity_backup_is_not_a_full_backup,
seal_secret_text_roundtrips_and_is_opaque; i18n drift + news tests green.
2026-07-07 19:21:05 -04:00
2ro 5ea549abf4 goblin: restructure Advanced page into Advanced Nostr Settings + Danger Zone
Group the Advanced settings page under two grey/red section kickers:

- ADVANCED NOSTR SETTINGS: the Nostr key, and directly below it the
  single always-everything .backup download (one button, no checklist).
  Moved the .backup off the main Settings identity card so it has one
  home (no duplicated exposure). Caption states what the file truly
  holds: the current identity's key and username.
- DANGER ZONE (red kicker): Delete wallet, now password-gated. The old
  tap-twice confirm is replaced by a wallet-password gate
  (get_recovery), with an inline "Download backup" button before the
  password field wired to the same seal action. Copy states the delete
  also removes every identity and urges a backup first.

Add w::kicker_danger; BackupState.anchor_delete routes the seal form to
whichever section opened it. New strings in all nine locales; clear the
backup password from memory on leaving the page.
2026-07-07 19:21:05 -04:00
2ro 54af417ec0 goblin: Grin-mark anon/self avatars + Export archive caption, archive under Advanced privacy
Anonymous-mode censored avatar now composites the Grin mark (the same path,
90% scale, and 67%-black ink a normal gradient avatar draws) over the flat
#FED60E tile instead of the Goblin head. The user's own top-right avatar on
the Home, Pay, and Activity surfaces always renders as that same flat yellow
+ Grin-mark tile (new avatar_self), never a picture or per-identity gradient;
Activity gains the settings avatar to match Home and Pay.

Export archive gains a caption describing exactly what it copies (contacts,
payment history, and requests, to the clipboard as JSON), localized across all
nine locales. The standalone Archive section is removed from the main settings
page; Export archive and Wipe payment history now live inside Advanced privacy.
2026-07-07 14:22:46 -04:00
2ro 51de695d4e ja: align with removed rotate/import keys + learn_more 2026-07-07 01:49:58 -04:00
2ro 705b954fe9 es: fix handle-loanword and verb-form inconsistencies
Full read-through of the just-landed es and ko locales against en.yml.
ko needed no changes. es had three spots that drifted from its own
established style:

- share_handle / n05_blurb translated "handle" as "identificador(es)"
  while every other occurrence in the file (search_hint, no_contacts,
  scan_not_recipient, enter_recipient) keeps it as the loanword
  "handle" — switched these two to match, consistent with the
  fr/de/tr precedent of treating "handle" as an untranslated loanword.
- scan_to_pay_me used the imperative "Escanea" while every sibling
  label (scan_to_pay, scan_to_request, tab_scan, scan_qr) uses the
  infinitive "Escanear" — aligned it to match.
2026-07-07 01:49:48 -04:00
2ro 78c5667a18 Add Japanese (ja) as ninth Goblin wallet locale
Full translation of all 918 goblin.* leaf keys from en.yml, byte-matching
key order and %{...} placeholders, standard polite desu/masu register.
House terms follow the es/ko precedent: Goblin/GoblinPay/GRIM/Tor/Nostr/
slatepack/npub/nsec stay untranslated; wallet = ウォレット, recovery
phrase = リカバリーフレーズ, identity = アイデンティティ, relay = リレー,
handle stays as a katakana loanword (ハンドル) throughout.

Font: verified glyph-by-glyph against fonts/noto_sc_reg.otf (already
wired into every font family stack) that it covers every character used
in ja.yml, including hiragana/katakana and kokuji kanji not used in
Chinese, so no new Japanese font file is needed.

Keyboard block keeps literal QWERTY romaji like en/es/fr/de: the custom
on-screen keyboard widget is dead code in this fork (no_soft_keyboard is
always true; native OS keyboards handle all text entry), so there is no
functional need for a kana layout, per zh-CN precedent review.

Registers ja in tests/i18n_keys.rs OTHER_LOCALES and refreshes locale
count/list comments in src/lib.rs, src/gui/views/goblin/mod.rs and
src/gui/views/goblin/data.rs.
2026-07-07 01:49:48 -04:00
2ro e3b4545dc4 goblin: remove Settings Import identity (replace-current) flow
Owner correction: importing an existing identity belongs at first-run
(onboarding, restored in the previous commit), not in Settings. The
Settings > Identity "Import identity" row was the destructive
replace-the-current-identity action, redundant now that add-identity and
the identity switcher cover bringing in keys non-destructively. Removes
the settings row, the inline ImportState/import_nsec_ui flow, and the
five now-unused settings keys (import_identity, import_identity_title,
import_blurb, identity_replaced, now_using) across all eight locales.

Wallet::import_nostr_identity stays: the onboarding import panel calls
it. The shared settings.* strings the onboarding panel reuses
(importing, import_failed, import_nsec_hint, backup_read_failed,
choose_backup_file, backup_password_hint, import_btn, cancel, close)
also stay. Drift + call-site tests green.
2026-07-07 01:49:48 -04:00
2ro 26d3d41790 Revert "goblin: remove the Import identity option from onboarding"
This reverts commit b1baa14b85.
2026-07-07 01:49:48 -04:00
2ro 811eff825c goblin: remove the rotate-nostr-identity feature
Rotation just does Keys::generate (IdentitySource::Random) — the old
seed-derived path was dropped in Build 8 — so it is functionally a random
add-identity-and-switch, and it does NOT carry the username or profile
over (it RELEASES the old name and hands the new key a nameless identity).
It therefore adds nothing over the identity switcher, so remove it: the
Settings entry row, the inline rotate flow (RotateState + rotate_ui) and
the now-unreachable Wallet::rotate_nostr_identity. Shared helpers
(unlock_all_identities, create_random, nip05::unregister) are untouched.
Drops the fifteen unused goblin.settings.rotate_* / key_rotated /
new_npub / backup_new_key / copy_new_nsec / rotation_failed keys from all
eight locales; drift + call-site tests green.
2026-07-07 01:49:48 -04:00
2ro 44f9363ecf goblin: remove the Import identity option from onboarding
Onboarding import replaces the just-created identity and is risky, so the
owner ruled it out of the first-run flow; returning users import via the
normal identity-management flow in Settings instead. Removes both entry
points added earlier (the wallet-step import chip and the identity-step
centered button) and the now-unreachable onboarding import sub-flow
(OnbImport state + import_ui), leaving the Settings import path fully
intact. Drops the unused goblin.onboarding.wallet.import_identity{,_hint}
and goblin.onboarding.identity.import_{existing,title,blurb} keys from all
eight locales; drift + call-site tests green.
2026-07-07 01:49:48 -04:00
2ro 3b80650972 goblin: shorten Username name-authority copy + add Learn more link
Replace the long name-authority blurb on the Username page with one brief
line, plus a "Learn more" link that opens the name-authority docs chapter
(https://docs.goblin.st/features/name-authority.html) via the same
open_url idiom used elsewhere in Settings. Authority list, free-type and
save behaviour are unchanged. New goblin.username.learn_more key and the
shortened authority_blurb across all eight locales; drift + call-site
tests green.
2026-07-07 01:49:48 -04:00
2ro 773589a2f1 Add Spanish and Korean locales (es, ko)
Translates every en.yml key into es.yml and ko.yml (918 keys each,
placeholder-parity verified), wires both into the drift/call-site test
(tests/i18n_keys.rs), and bundles a Hangul font subset (noto_kr_reg.otf,
~1.9MB, Noto Sans CJK KR Regular subset to Hangul + Jamo + Latin/CJK
punctuation) as a proportional/monospace fallback so Korean UI text
actually renders instead of showing tofu boxes. The Chinese font already
covers Han but not Hangul, which is a disjoint Unicode block.

Language registration itself needed no code changes: rust_i18n::i18n!
auto-discovers yml files in locales/, the locale-detection fallback in
setup_i18n already matches on bare subtags generically, and the language
picker iterates rust_i18n::available_locales!() and renders each
locale's own lang_name key (Espanol, and Hangul for Korean).
2026-07-06 23:09:45 -04:00
2ro 7223e65a7a goblin: promote "Import identity" to first-class onboarding buttons
The returning-user identity-import path (a .backup file or a bare nsec,
existing plumbing since Build 92) is now surfaced as proper centered
buttons instead of a small left-aligned text link.

- Wallet step: a first-class "Import identity" choice stands alongside
  Create new / Restore from seed. It composes with either seed choice; the
  import panel itself opens on the identity step once the wallet exists.
- Identity step: the left-aligned "Already have an identity? Import it"
  link is replaced by a centered secondary button labelled "Import
  identity", consistent with the other onboarding buttons. The panel behind
  it clearly offers BOTH a .backup file picker and an nsec field.

New keys goblin.onboarding.wallet.import_identity{,_hint} in all six
locales; drift test green.
2026-07-06 22:11:00 -04:00
2ro 6af8fd1c26 goblin: Settings redesign (Username + Advanced Privacy pages)
Two new Settings pages, each the single home for its feature.

Username (SettingsPage::Username) consolidates everything name-related
off the main Settings and out of the identity card: claim a name if you
have none, release the one you own, and choose the name authority from a
known list OR a free-typed custom server. Reuses the existing claim_ui and
claim/release worker flow; the old inline name-authority editor and the
main-settings claim card are removed (single home).

Advanced Privacy (SettingsPage::AdvancedPrivacy) replaces the lone
"hide amounts" toggle. Notifications section: hide amounts (existing),
hide names, or hide all details (a generic localized private alert that
leaks no name or amount; an empty amount collapses the Android
notification template to just the private line). Anonymous mode: one
toggle that censors STRICTLY the home balance (dots, tap to reveal; the
fiat rate fetch stays off until revealed) and the activity list (dots for
names and amounts, tap a row to reveal and open). Presentation only, with
no money-path or storage change.

Migration: the existing hide_amounts config keeps its exact meaning
(notification amount hiding); the three new fields default off, so no
surprise on upgrade. Covered by a new config test (227 lib tests).

All new strings via t!() in all six locales; drift test green.
2026-07-06 22:11:00 -04:00
2ro f7178254e0 goblin: complete the flow BEFORE return-to-caller + terse trust prompt
Root cause of the broken build 153 QR trust login, confirmed in code:
cb.return_to_caller() fired in the sign handler right after spawning the
callback POST worker. The app backgrounded immediately, the GUI frame pump
stopped, and the rest of the grant lives on that pump: the outcome poll that
consumes the POST result, the session creation, and the session-open channel
publish (which the service loop only sends on its next tick, after
add_session marks the set dirty). Backgrounded, none of that ran, so the
site never received the session and the browser poll never logged in.

The ordering fix, uniform across login, authorize, and trust:
- the sign handlers no longer return-to-caller; the app stays foreground
  (frames pumping) until the flow is fully complete
- login/authorize: the return decision happens in the outcome poll, only on
  a successful POST; a failed POST keeps the user in the wallet with the
  honest toast
- trust: the decision waits further, for the session-open announce to be
  CONFIRMED handed to a relay. announce_new_sessions now records per-channel
  delivery (at least one relay accepted) in NostrService::session_announced;
  the new TrustWait GUI state polls it with a 15s deadline and an honest
  "announce unconfirmed" toast on timeout (goblin.trust.announce_failed x6)
- a freshness bound on all three: a result consumed on a late resume (the
  user backgrounded the wallet themselves mid-flow) shows the toast but
  never bounces them back out
- the decision itself is the pure authuri::should_return_to_caller(allowed,
  post_ok, publish_confirmed), unit-tested: pending, failed, or unconfirmed
  work never returns; rt=0 never returns

Trust prompt copy, owner directive: the gist in one or two lines, detail
tucked away. The modal now leads with a single plain line (act-for-you plus
the money rule) and folds categories, money line, and duration behind the
existing show-full disclosure idiom; the red caution lines stay visible.
goblin.trust.* keys tightened in all six locales, drift test green.
2026-07-06 22:11:00 -04:00
2ro d24a09074a goblin: polish FR stale label + fix raw-key leaks on this branch
FR wallets.tx_stale was 'En attente trop longtemps' (noun + adverb, not
grammatical); now 'En attente trop longue', adjective agreeing with attente.
Other five locales for tx_stale / receipt.stale_note read natural, left as-is.

Also carries the two raw-key leak fixes (goblin.receipt.copied ->
goblin.receive.copied, wallets.canceled -> wallets.tx_canceled) and the
every_t_call_site_key_exists_in_en guard so this branch is clean standalone.
2026-07-06 22:09:05 -04:00
2ro 062cf2f2ab goblin: always offer a manual Cancel on stuck pendings + soft stale nudge
Some pending transactions showed no way to cancel or clear them, stranding
users with stuck pendings (fee-bug leftovers, and payments orphaned after an
identity switch whose nostr meta lives in another identity's store).

Root causes:
- Goblin receipt: both cancel affordances required the payment's nostr tx_meta,
  which is per-identity. A tx orphaned by an identity switch (or left by an old
  build) has no meta in the active store, so neither Cancel button rendered.
- GRIM tx list + tx detail: the Cancel button was gated behind
  wallet.synced_from_node(), so an unreachable/unsynced node hid it entirely.

Fixes (cancellation is unchanged: the plain libwallet cancel_tx that unlocks the
reserved inputs, GRIM parity, no new money behavior):
- Receipt: universal fallback Cancel for any still-cancellable pending the
  nostr-aware paths miss, running WalletTask::Cancel. ReceiptDetail carries
  can_cancel/stale.
- GRIM list/detail: ungate the local Cancel from node sync (only repost/repeat
  still needs a live height).
- Soft "stale" nudge on pendings older than 24h (WalletTx::stale/STALE_AGE_SECS)
  with the Cancel right there. It only colours a label; nothing auto-cancels on
  a timer (a slow interactive send may still complete).
- New tx_stale / receipt.stale_note strings across all six locales.
- Unit tests for can_cancel state coverage and the stale threshold.
2026-07-06 22:09:05 -04:00
2ro fdbcbf0bdd goblin: audit fixes (money replay guard, honest encrypt prompt) + hardening
P2-1: a money-tier request id is reserved the moment its prompt is raised
(money_pending_ids); a replayed envelope (drain overlapping the live
subscription, or deliberate) returns AlreadyPending / the cached result and
can never raise a second prompt or re-sign. Applies to sign and escalated
encrypt. Regression test covers both replay-while-pending and replay-after-
completion.

P2-3: the money modal for a pay-committing encrypt now shows the inspected
plaintext (escaped + truncated exactly like the sign path), so the user sees
what they are agreeing to pay, not a blind label.

Hardening:
- payment marker set widened (amount, total, price, msat), TODO(audit) kept.
- identity dropped mid-session now answers identity_mismatch on the channel
  (refusal_json per op type) instead of silently timing out the site.
- session-end payload carries reason: revoked (wallet end) / expired (TTL or
  idle sweep, newly published by the tick) / logout (site's own).
- decrypt gets its own soft-cap window (30/min) and an honest 'reading your
  messages' notice, distinct from the signing-volume toast (new locale key
  in all six languages).
- money answers route by the session's site channel key, never the display
  domain.
- committed the auditor's env-gated NIP-44 v2 interop test against
  nostr-tools (GOBLIN_CT1 harness).
2026-07-06 19:46:59 -04:00
2ro 5da92d0147 goblin: Authorize Sessions GUI (trust grant, money prompt, Trusted Sites) + 6 locales
- Trust-grant modal: password-gated hold-to-confirm 'Trust <domain>?' showing
  identity + truncated npub, the granted low-tier categories (human labels,
  caution lines for unknown/login-excluded kinds), and the fixed money-asks
  line. Folds login in; creates the session on login-POST success.
- Money-tier per-action modal: the v1-authorize-shaped password + hold-to-confirm
  prompt raised over the channel for a sign or a pay-committing encrypt; declines
  on cancel/timeout.
- Trusted Sites settings page: active sessions, what each signs silently, time
  left, pause/resume, and one-tap end (revocation). Row + count in Settings.
- Dispatch + per-frame router for trust/money; PENDING_TRUST wired.
- goblin.trust.*, goblin.money.*, goblin.trusted_sites.*, settings.trusted_sites
  in all six locales; drift test green.
2026-07-06 19:46:59 -04:00
2ro d4cc7dbe98 goblin: Authorize, one-shot site-requested event signing with per-event approval (Build 151)
goblin:authorize?e=<base64url template>&d=<domain>&cb=<https callback>&c=<64-hex nonce>
(and the nostr: QR twin) asks the wallet to sign exactly one Nostr event.
Fail-closed parser beside loginuri: strict three-key template (kind, content,
tags; any pubkey/created_at/id/sig injection rejects), kind allowlist 1/6/7/30023
(22242 only via login), 4096/2048 size caps, unpadded base64url only, delegation
tags rejected, and the new cb-host-must-belong-to-d binding. Approval modal
mirrors the 150 login machinery: Authorize <domain>? verb, plain-language kind
rendering, 240-char escaped preview with truncation marker and show-full view,
identity picker, wallet password gate, single pending request, 120 s expiry,
single-use. Wallet alone sets pubkey/created_at/id/sig, NIP-01 canonical only;
delivery POSTs {c, d, event} to cb with the shared HttpClient and 15 s timeout,
consumed regardless of outcome, quiet toasts. Dispatchers check authorize before
pay on both the deep-link and QR paths. goblin.authorize.* strings in all six
locales; 29 new authuri tests.
2026-07-06 07:34:03 -04:00
2ro 4b0071fa91 goblin: add-identity sheet gets real Generate/Import buttons, Cancel beneath (Build 150) 2026-07-06 03:27:56 -04:00
2ro b7adae89c7 goblin: sign in with Goblin, one-time login approval + 22242 signer (Build 150) 2026-07-06 03:24:09 -04:00
2ro 3c09baf25a goblin: batch invoice URI with one approval, per-sale addresses (Build 149)
URI schema: pay/invoice URIs gain an optional `count=N` parameter
(goblin:<npub|nprofile>?amount=X&count=N[&memo=...]) asking the wallet to
issue N payment requests in one go. Default 1 when absent (single flow
unchanged), capped at MAX_BATCH_COUNT = 20, fail-closed to 1 on zero/garbage,
first occurrence wins — all payuri conventions, unit-tested.

A count>=2 deep link whose recipient is a direct key (npub/nprofile) with an
amount opens ONE batch-approval modal — "Approve N invoices", with the payer,
per-invoice amount, total, and memo — instead of the send flow. On approve,
the wallet mints N fresh per-sale proof addresses (Wallet::mint_proof_address;
a mint failure stops the batch, already-issued requests stand) and fires the
same NostrRequest task the single flow uses, once per invoice; the requests
appear in activity as they dispatch. Anything else (count on a name that
needs discovery, or no amount) degrades to the single flow with count
ignored. The minted address is recorded on each request's metadata
(TxNostrMeta::proof_address, serde-default None) so the per-sale machinery
can read it; WalletTask::NostrRequest gains the optional address and the
single flow passes None. New goblin.batch.* strings in all six locales.
2026-07-06 02:03:00 -04:00
2ro c0cdeb6d6b goblin: back-hint polish — switcher wording, quiet-toast look (Build 148)
The first-back pill now reads "Press back again to switch wallets"
(re-translated in all six locales) and is styled as a native quiet toast: a
solid soft pill with no border, small regular dim text — no accent colors,
nothing loud. No haptic on the back press (owner's call). Behavior unchanged.
2026-07-06 00:45:54 -04:00
2ro e9f3bd453b goblin: double-back at Home returns to the wallet switcher (Build 148)
At the wallet Home (the top level, where back was silently swallowed), the
first Android back now shows a brief non-blocking pill — "Press back again to
leave this wallet" — and a second back within two seconds DESELECTS the wallet
to the switcher. The wallet stays UNLOCKED (select(None)-style deselection, no
close, no logout), so returning is one tap and its nostr service keeps running
untouched. Quitting the app lives only at the switcher, via GRIM's existing
native exit-confirmation on back (unchanged). In-wallet sub-screens keep
normal back navigation, no hint. The second back never quits directly.

The hint is a bottom-anchored fading pill above the tab bar (goblin view),
armed by the host (WalletsContent::back_exit_at) in the swallowed-no-op
branch; nothing else about back handling changes. New goblin.home.back_again
string in all six locales; drift green.
2026-07-06 00:34:47 -04:00
2ro 9b1cec2063 goblin: min-confirmations setting + integrated node moved to Advanced (148)
MIN CONFIRMATIONS (GRIM parity): the wallet group in Settings gains a
"Minimum confirmations" row just below the Node row, showing the current value
(default 10) and opening a numeric edit modal ported from GRIM's
min_conf_modal_ui (same prompt/error strings, Cancel/Save, CenterTop). The
fork already carried the full backend — WalletConfig::min_confirmations with
MIN_CONFIRMATIONS_DEFAULT=10 and Wallet::update_min_confirmations — and the
value already feeds the spendable/send logic (retrieve_summary_info, send and
receive params) plus the GUI confirmation counts via
data.info.minimum_confirmations, so this only exposes the existing knob.

INTEGRATED NODE -> ADVANCED: the integrated-node tabs (info, metrics, mining
with stratum, node settings) leave main Settings — Goblin is the lighter
client. Their ONE home is now Settings -> Advanced, as a second action on the
"Run your own node" card (live sync status in the label when the node runs),
with back returning to Advanced. The duplicate entry on the node-connection
page is removed too, per the single-home rule; all functionality is kept.
2026-07-06 00:07:21 -04:00
2ro c3d6c31aca goblin: one-toggle add-identity sheet, kill the dead Generate button (Build 148)
The add sheet's "Generate new" was a mode toggle that set import=false — the
mode the sheet already opens in — so it read as a completely dead button, and
the four-button layout (Generate new / Import / Cancel / Add) mixed two silent
mode toggles with two actions.

The sheet now DEFAULTS to generate mode with a one-line note saying a fresh
anonymous key will be created; the standalone "Generate new" button is gone.
One clear toggle sits above the action row and always names the OTHER mode:
"Import an existing identity instead" switches to import mode (revealing the
.backup picker and nsec paste inputs), where it becomes "Create a new key
instead" to switch back. The action row stays exactly Cancel + Add — Add
creates a fresh identity in generate mode and imports in import mode — keeping
the 147 modal-lock, uniform-button and CenterTop conventions. The old
generate/import toggle labels are removed from all six locales and the new
generate_note / import_instead / generate_instead strings added; drift green.
2026-07-05 23:52:59 -04:00
2ro d80218a13c goblin: plain-language identities blurb in all six locales
The top-of-page identities copy now says what identities ARE in end-user
terms — the names you get paid under, all paying into this one wallet — and
what you can do (add, switch, remove). No protocol jargon.
2026-07-05 21:59:17 -04:00
2ro 472e2f0915 goblin: private identity tags + per-row management sheet (Build 146)
PRIVATE TAG: a local, app-only name the user gives an identity. Stored as
NostrIdentity.private_tag in its 0600 identity file (serde-default; it also
rides inside the NIP-44-sealed .backup envelope, which serializes the whole
struct, and is restored on backup import). NEVER published — kind-0 metadata is
built only from the claimed NIP-05 name, untouched. Display precedence
everywhere an identity is shown (switcher rows, delete confirm, transaction-
detail attribution): private tag, else claimed name (bare, no @), else
truncated npub (HeldIdentitySummary::display).

ROW UX: identity rows show the label with a checkmark on the active one; TAP =
instant switch (unchanged). A small pencil affordance per row opens a
management sheet: Rename (set/clear the private tag; saves via
Wallet::rename_nostr_identity, which persists the file and updates the running
service in place — no password needed, the ncryptsec is untouched) on top, and
Delete at the bottom, visually separated and destructive-styled, feeding the
existing double gate (danger card, then the wallet-password modal). Delete only
renders while more than one identity is held. New strings in all six locales.
2026-07-05 21:58:44 -04:00
2ro 2592eadc9f goblin: delete identity (double-gated) and unified import (Build 146)
DELETE: each held identity row gains a trash affordance. Step 1 is a danger
card naming the identity, stating the removal is PERMANENT and prominently
reminding the user to back it up first (unrecoverable without its nsec or
.backup); step 2 is the existing wallet-password modal, which executes
Wallet::delete_nostr_identity. Delete drops the entry from the held-identity
index, removes its on-disk encrypted file, and rebuilds the service without it,
so its pubkey leaves the multi-pubkey gift-wrap subscription and its key leaves
the unlocked in-memory set. The shared balance and all other identities are
untouched. Edge cases: the LAST identity can never be deleted (the trash only
renders with more than one held); deleting the ACTIVE identity promotes a
survivor to active first; deleting the legacy primary (identity.json) promotes
a survivor INTO identity.json so init_nostr's fallback and an older build's
rollback anchor still resolve, never leaving a hole that would mint a fresh key.

IMPORT: the add panel's "Import nsec" is now just "Import" and offers both a
.backup file picker and a paste-an-nsec field. The .backup path reuses the same
from_encrypted_backup + re-encrypt-under-this-wallet's-password flow as the
existing identity import (name and history restored), through the same NIP-49
encrypted store; the pasted-nsec path is unchanged. New strings in all six
locales; drift green.
2026-07-05 21:50:42 -04:00
2ro 2acfd46784 goblin: identity copy for the listen-all model; drop relay-linking framing
Rewrites the identity blurb to say all identities receive into the one balance
at once (switching only chooses which you present and send as), and removes the
privacy note's claim that switching or a shared balance lets a relay link your
identities — the wallet's Tor transport is the answer to that, and the framing
is not something we assert. Drops the now-unused sync-flow strings (syncing,
caught_up, paid_while_away, need_password) across all six locales; drift green.
2026-07-05 20:37:49 -04:00
2ro 6399222908 goblin: identity switcher UX fixes for Build 143
- Password entry is now a MODAL popup mirroring the wallet-open password modal
  (Modal + explanation + masked field + wrong-password line + Cancel/Continue),
  used as the unlock step for BOTH switching and adding. The inline page-top
  password field is gone; tapping a held identity opens the modal to unlock and
  switch, and Add opens it to encrypt+store. A correct password is verified
  synchronously so a wrong one stays in the modal.
- Add no longer force-switches into the new identity ("Add and switch" -> "Add");
  it is added to the held set and the user activates it later via tap -> modal.
  This also removes the switch-triggered publish from the create path, so
  creating an identity only generates a fresh anonymous key and stores it
  encrypted (no name lookup/claim).
- Fixes the import-nsec flow. Root cause: the required password lived in a page-
  top field disconnected from the Add card, so the confirm button's armed gate
  stayed disabled unless that separate field was filled — import (and generate)
  read as inert. Moving the password into the modal removes the disconnected
  gate; the underlying add_nostr_identity(Some(nsec)) path was already sound
  (covered by the new regression test).
- Usernames render WITHOUT a leading "@" (project convention), in the switcher
  and the transaction-detail identity row; unnamed identities show a truncated
  npub. New add_confirm/pass_prompt strings in all six locales (drift green).
2026-07-05 18:36:28 -04:00
2ro 69f647a009 goblin: show the paid/used identity on the transaction detail view
The transaction receipt now has an Identity row telling the user which of the
wallet's held nostr identities was active when that payment was received or
sent. It uses the identity recorded on the transaction (TxNostrMeta's
recipient_pubkey), not a reconstruction, and falls back to the primary
identity for pre-feature rows. It shows the NIP-05 name when the identity has
one (any domain), otherwise a truncated npub, and is always shown on the
detail view (no clutter there whether the wallet holds one identity or many).
The activity list rows are unchanged. New goblin.receipt.identity string added
in all six locales.
2026-07-05 16:15:42 -04:00
2ro 8a382aa308 goblin: identity switcher strings in all six locales
New goblin.identities.* keys for the switcher page, present identically in
en, de, fr, ru, tr and zh-CN so the drift guard stays green.
2026-07-05 16:11:32 -04:00
2ro bdedcba498 goblin: appearance settings additions for Build 140
Three settings-surface additions:

- Hide amounts: a toggle (same switch widget as the incoming-requests
  toggle) under the amount-privacy rows, persisted in the app config
  (serde-default off so old configs load). When on, the received-payment
  notification masks the numeric grin with dots.

- Language: a picker under Appearance beside the theme row. Lists the six
  shipped locales in their own names; tapping one switches and persists the
  active locale.

- Update available: a badge pinned to the right of the settings profile
  panel, shown only when the release check has found a newer build (reuses
  the existing AppConfig::app_update state); tapping it opens the release
  download page.

New user-facing strings added to all six locales.
2026-07-05 13:11:23 -04:00
2ro 210c4ab662 fix(send): show the proof-notify target on the review screen
With proof mode on, a notify= npub on the scanned URI makes the wallet
gift-wrap the full signed payment proof (buyer sender address + kernel) to
that key at finalize, but the review screen never showed the target, a
hidden watcher the payer never saw or consented to.

The proof row now renders a second line, Proof shared with: npub1abc...xyz,
whenever a notify target is present, so the recipient is seen and chosen: if
you scanned it, you asked for it. Display only; nothing about what gets sent
changes. Adds the goblin.send.row_proof_shared key in all six locales.
2026-07-05 06:08:25 -04:00
2ro d5d1212a44 Goblin: fetch fiat rate live on view, kill the 48h price cache
The fiat subline now fetches the CURRENT rate over Tor only while the
balance is actually on screen, and never paints a stale number as if it
were live. No disk cache, no background timer: an idle or payment-
listening wallet never polls (battery).

- price.rs: in-session rate held for a 3-minute freshness window; viewing
  a stale/missing rate kicks a live refetch. New RateState (Fresh/Loading/
  Unavailable) replaces the Option<f64>; failures are tracked so the line
  says "unavailable" instead of spinning or showing an old value. Removed
  the disk seed and the persisted-rate write.
- config.rs: dropped the dead last_rate/last_rate_vs/last_rate_at fields
  and their read/write paths. Old configs still load (serde ignores the
  unknown keys); the fields are simply not written back.
- lib.rs: dropped the cold-start seed_from_disk call.
- GUI: balance hero fiat line renders a subtle "≈ …" while loading and a
  localized "rate unavailable" on failure, requesting a bounded repaint
  while a fetch is pending so the rate pops in on-screen. Pay/send amount
  preview shows nothing until a fresh rate lands.
- New goblin.home.fiat_unavailable string across all six locales.
- Tests: freshness-window bounds, is_fresh boundary, classify state
  machine (fresh/loading/unavailable), and config compat for the removed
  fields.
2026-07-05 04:38:24 -04:00
2ro 3db6375459 Goblin: apply node selection to the running wallet, no silent zero
Selecting a node in Settings > Wallet > Node moved the checkmark and
persisted the choice, but the live session never switched: the node
client is baked into the wallet instance at open time and was only
rebuilt on the next unlock, so a running wallet kept polling the old
(often dead) node. Owners onboarded on an older build still carry the
retired grinnode.live default in connections.toml, which now 502s, so
the wallet showed a stuck zero balance with no way to recover short of
a force-restart.

GRIM's own connection-settings UI reconnects on change (close + reopen);
the Goblin node picker only called update_connection, so this was a
Goblin regression, not inherited upstream.

- Wallet::reconnect_node swaps the live node client's URL + secret in
  place via w2n_client (no close/reopen, so no password re-entry),
  updates the runtime connection so the UI reflects the switch at once,
  clears the stale sync error, and wakes the sync thread to refresh
  against the new node. Wired into all three picker actions.
- node_url_secret factored out of create_node_client so open and live
  reconnect always resolve the same node for a given config.
- balance_hero no longer renders a bare 0 during a node outage: a pure
  balance_subline state machine picks updating / can't-reach-node /
  last-known-balance, so an unreachable node reads honestly instead of
  looking like an emptied wallet. New goblin.home.balance_stale string
  in all six locales (drift green).
- Unit tests for the balance state machine.
2026-07-05 03:38:08 -04:00
2ro a7c2443f3b Goblin: proof-on-request payments (wallet side of the frozen contract)
Implements the Goblin-wallet half of the proof-on-request architecture
(magick payment infra spec section 4/5): the buyer's wallet threads a
native Grin payment proof per transaction, off by default and on only
when the scanned pay URI asks for it, and auto-delivers the proof to the
market and watcher on finalize. Person-to-person sends are unchanged.

W1 pay-URI parser (payuri.rs): PayUri gains proof/order/notify, each
fail-closed (a bad value drops to None and never blocks the payment).
proof is a grin1/tgrin1 slatepack-address shape check, order is an opaque
control-stripped routing key capped at 64 bytes, notify is an npub shape
check. Unknown-param forward-compat and the magick interop tests still
hold. 12 new parser tests.

W2 proof threading: WalletTask::NostrSend carries proof/order/notify; the
handler re-parses proof authoritatively into a SlatepackAddress and calls
w.send(a, Some(addr)) instead of the hard-coded None, setting
payment_proof_recipient_address. The order handle, watcher npub, and
amount persist in TxNostrMeta (new serde-default fields) before dispatch,
so a crash between send and finalize loses nothing.

W3 review indicator: the send-review screen shows a small "proof included"
row when proof mode is active. New t!() keys row_proof / row_proof_val in
all six locales (drift test green).

W4 proof delivery on finalize: when a finalized SEND was sent in proof
mode, the wallet publishes the two contract events: a plain unencrypted
kind-17 "payment sent" receipt to the app relays (payment-request tag =
order handle; proof and kernel deliberately omitted to avoid leaking the
buyer's sender address; flips the page to "detected", never "paid"), and
a NIP-59 gift-wrapped kind-17 rumor to the notify npub carrying the full
proof JSON plus a kernel-excess tag. Both are enrolled in the existing
crash-safe reconcile pass and retried until a relay accepts them.
wrapv3 gains wrap_kind() to gift-wrap an arbitrary rumor kind.

Matching is by the payment-request (invoice number) tag alone; the wallet
never learns magick's internal orderId. No merchant-side auto-receipt is
built: the rewritten spec has the buyer publish on finalize instead.
2026-07-05 03:01:04 -04:00
2ro d4dcbb115f i18n: translate lagging fallback strings and localize settings username hint 2026-07-04 23:13:41 -04:00
2ro ba8e81ef5f Goblin Build 136 - home news panel, faster send confirmation
Home now shows the latest post from the Goblin news key (kind 30023) in
a card with tappable links; the panel stays hidden until a post is seen.
Desktop Home widens to use the available space. Send confirms faster.
2026-07-04 20:07:13 -04:00
2ro 89791793ed Goblin: dedupe balance sync indicator
Remove the Build 135 balance-hero "Updating…" line. During a routine
sync it duplicated the header node card's "Syncing" status, so a funded
wallet showed two updating indicators at once. Keep the established
"Balance updating…" line (zero-balance / first-sync case) and the header
status as the single sync indicators. Drop the now-orphan
goblin.home.updating key from all six locales (i18n drift green).
2026-07-04 12:10:52 -04:00
2ro e8d71afc7e Goblin Build 135 - Tor credit, balance updating indicator, Nym sweep
- Third-party credits: replace the "Nym mixnet" row with "Tor (arti)" (0.43,
  linking the arti repo), matching the other credit rows' hardcoded style. No
  locale strings existed for it (credit labels are hardcoded, not localized).
- Balance: show a quiet "Updating…" line under the balance while the node is
  still warming, reusing the existing wallet.syncing() signal and the
  balance-updating line's muted style; it clears once the node is synced. New
  t!() key goblin.home.updating added to all six locales (i18n drift green).
- Nym sweep: Cargo.toml package description "Nym mixnet" -> "Tor". The only
  other user-facing Nym reference was the credit above. Remaining references
  are the deliberately-dormant `nym` feature/module and internal code comments,
  left as-is; README and all locale values were already Tor.
2026-07-04 06:15:44 -04:00
2ro 30c0ed9a12 Goblin Build 133 - Tor transport (replaces the Nym mixnet)
The wallet's private transport moves from the Nym mixnet to embedded Tor
(arti, copied from GRIM's engine): it dials the relay's pinned .onion, so
the relay never learns your IP, while the relay + NIP-59 gift-wrap hide the
rest - content, sender, and (via a relay-side randomized release) timing.
The Grin node stays on the clear internet as before.

Why leave the mixnet: the Nym free-tier bandwidth this depended on is being
removed upstream (the grant expires at UTC midnight; the paid path requires
holding NYM tokens), so a payments wallet can't stand on it. Tor is
unmetered, embedded in-process on mobile, faster where users wait, and
lighter on the battery.

Preserved intact: the confirm-before-sent guard, relay-gated readiness, and
the lazy warm-on-activity node polling. src/nym/ is feature-gated off (arti
and nym-sdk can't share one binary); full removal is a follow-up.
2026-07-04 03:35:29 -04:00
2ro db793bc13d goblin: log in to nostr apps with your nsec (Advanced -> Nostr key)
Advanced gains a password-gated Nostr key card: reveal the wallet's nsec,
Copy it, or show it as a QR. Scanning that QR (or pasting the copied
nsec) into a nostr app's private-key login - e.g. magick.market - signs
you in with the same identity the wallet uses. The nsec is derived on
demand behind the wallet password and never persisted; wrong password
cannot leak it. Six advanced.* strings added across all six locales.
2026-07-02 15:03:32 -04:00