ce1c071f3c
Wallet: - identity.json (NIP-49 ncryptsec) now written 0600 in a 0700 dir so a local user can't grind the wallet password offline (+ regression test). - Wallet password held as a ZeroingString through init_nostr so it's scrubbed on drop instead of lingering in a plain String for the session. - Replaced 4 .unwrap() on re-read tx_meta with graceful guards (archive wipe mid-send could otherwise panic the nostr/task thread). - Tor::http_request/post: bind the client once via let-else and propagate TLS builder errors, fixing a TOCTOU unwrap panic on concurrent Tor restart. goblin-nip05d server (redeployed to goblin.st, verified live): - One-name-per-pubkey now enforced by a partial UNIQUE index (closes the check-then-insert race); INSERT rows-affected==0 returns 409 not a false 201. - NIP-98 replay protection: one-time auth event-id enforcement within the freshness window; tightened forward skew to +5s. - Rate-limited the unauthenticated GET endpoints; SQLite in WAL mode. - Verified live: replay rejected, second name for a pubkey blocked. Audit verdict: fund-safety invariants (never auto-pay Invoice1; S2/I2 finalization bound to counterparty npub) and Tor-from-day-one all hold. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>