refactor: load Nostr private key from file instead of config

.gitignore

@@ -3,6 +3,7 @@
 mostro.db*
 mostro.log
 lnurl-test-server/target
+vendor
 
 # IDE's
 .idea

README.md

@@ -492,8 +492,8 @@ payment_retries_interval = 60  # seconds between retries
 #### Nostr Configuration
 ```toml
 [nostr]
-# Your Mostro daemon's private key (nsec format)
-nsec_privkey = 'nsec1...'
+# Path to a file containing your Mostro daemon's private key (nsec format)
+nsec_privkey_file = '/home/user/.mostro/nostr-key.nsec'
 
 # Relays to connect to
 relays = [
@@ -509,6 +509,10 @@ relays = [
 rana --vanity mostro
 ```
 
+Save the generated `nsec` in the file referenced by `nsec_privkey_file`.
+Mostro expects that file to contain only the `nsec` value.
+Inline `nostr.nsec_privkey` is no longer supported and startup will fail until you move the key into a file.
+
 **Important**: Never reuse keys between Mostro instances. Each daemon needs a unique identity.
 
 ---

docs/STARTUP_AND_CONFIG.md

@@ -89,8 +89,10 @@ Configuration is loaded from `~/.mostro/settings.toml` (template: `settings.tpl.
   - Example (absolute path; use a real path — **do not** use `~`; SQLx does not expand tilde): `"sqlite:///home/youruser/.mostro/mostro.db"`
   - Default: `"sqlite://mostro.db"`
 
-**Nostr** (`src/config/types.rs:47-54`):
-- `nsec_privkey` (String): Mostro's Nostr private key in nsec format
+**Nostr** (`src/config/types.rs`):
+- `nsec_privkey_file` (String): Path to a file containing Mostro's Nostr private key in nsec format
+  - The file should contain only the `nsec` value
+  - Inline `nsec_privkey` is no longer supported and causes startup validation to fail
 - `relays` (Vec<String>): List of Nostr relay URLs for event broadcasting
   - Default: `['ws://localhost:7000']`
   - Note: At least one relay required

settings.tpl.toml

@@ -19,7 +19,7 @@ payment_attempts = 3
 payment_retries_interval = 60
 
 [nostr]
-nsec_privkey = 'nsec1...'
+nsec_privkey_file = '/home/user/nostr-key.nsec'
 relays = ['ws://localhost:7000']
 
 [mostro]

src/app/context.rs

@@ -85,7 +85,7 @@ impl AppContext {
 
     /// Mostro's Nostr signing keys.
     ///
-    /// Parsed once at startup from `settings.nostr.nsec_privkey`.
+    /// Parsed once at startup from `settings.nostr.nsec_privkey_file`.
     /// Use this instead of `get_keys()` to avoid re-parsing on every call.
     pub fn keys(&self) -> &Keys {
         &self.keys
@@ -99,6 +99,7 @@ pub mod test_utils {
         DatabaseSettings, ExpirationSettings, LightningSettings, MostroSettings, NostrSettings,
         RpcSettings,
     };
+    use std::sync::atomic::{AtomicU64, Ordering};
 
     /// Test helper wrapper for inspecting the shared order-message queue.
     #[derive(Debug, Clone)]
@@ -228,10 +229,17 @@ pub mod test_utils {
                 .order_msg_queue
                 .unwrap_or_else(|| Arc::new(RwLock::new(Vec::new())));
 
-            // Use provided keys or parse from settings
+            // Use provided keys or load from nsec_privkey_file
             let keys = self.keys.unwrap_or_else(|| {
-                Keys::parse(&settings.nostr.nsec_privkey)
-                    .expect("TestContextBuilder: invalid nsec_privkey in settings")
+                let nsec = std::fs::read_to_string(&settings.nostr.nsec_privkey_file)
+                    .unwrap_or_else(|e| {
+                        panic!(
+                            "TestContextBuilder: failed to read nsec_privkey_file '{}': {}",
+                            settings.nostr.nsec_privkey_file, e
+                        )
+                    });
+                Keys::parse(nsec.trim())
+                    .expect("TestContextBuilder: invalid nsec in nsec_privkey_file")
             });
 
             AppContext::new(pool, nostr_client, settings, order_msg_queue, keys)
@@ -251,17 +259,29 @@ pub mod test_utils {
         }
     }
 
+    static TEST_KEY_FILE_COUNTER: AtomicU64 = AtomicU64::new(0);
+
     /// Generate deterministic test settings with sensible defaults.
     pub fn test_settings() -> Settings {
+        let nsec_key = "nsec13as48eum93hkg7plv526r9gjpa0uc52zysqm93pmnkca9e69x6tsdjmdxd";
+        let counter = TEST_KEY_FILE_COUNTER.fetch_add(1, Ordering::Relaxed);
+        let nsec_dir = std::env::temp_dir().join(format!(
+            "mostro-test-{}-{}",
+            std::process::id(),
+            counter
+        ));
+        std::fs::create_dir_all(&nsec_dir).expect("failed to create test nsec key directory");
+        let nsec_path = nsec_dir.join("nostr-key.nsec");
+        std::fs::write(&nsec_path, nsec_key).expect("failed to write test nsec key file");
+
         Settings {
             database: DatabaseSettings {
                 url: "sqlite::memory:".to_string(),
             },
             nostr: NostrSettings {
-                // Valid test nsec from src/config/mod.rs tests
-                nsec_privkey: "nsec13as48eum93hkg7plv526r9gjpa0uc52zysqm93pmnkca9e69x6tsdjmdxd"
-                    .to_string(),
+                nsec_privkey_file: nsec_path.to_string_lossy().to_string(),
                 relays: vec!["wss://relay.test".to_string()],
+                ..Default::default()
             },
             mostro: MostroSettings::default(),
             lightning: LightningSettings::default(),

src/app/release.rs

@@ -678,14 +678,14 @@ async fn create_order_event(
 
     // If user has sent the order with his identity key means that he wants to be rate so we can just
     // check if we have identity key in db - if present we have to send reputation tags otherwise no.
-    let mostro_pubkey = my_keys.public_key().to_hex();
+    let mostro_pubkey = my_keys.public_key();
     let tags = match crate::db::is_user_present(pool, identity_pubkey.to_string()).await {
         Ok(user) => order_to_tags(
             new_order,
             Some((user.total_rating, user.total_reviews, user.created_at)),
-            Some(&mostro_pubkey),
+            &mostro_pubkey,
         )?,
-        Err(_) => order_to_tags(new_order, Some((0.0, 0, 0)), Some(&mostro_pubkey))?,
+        Err(_) => order_to_tags(new_order, Some((0.0, 0, 0)), &mostro_pubkey)?,
     };
 
     // Prepare new child order event for sending (kind 38383 for orders)

src/bitcoin_price.rs

@@ -63,7 +63,7 @@ impl BitcoinPriceManager {
 
     /// Publishes exchange rates to Nostr as a NIP-33 addressable event (kind 30078)
     async fn publish_rates_to_nostr(rates: &HashMap<String, f64>) -> Result<(), MostroError> {
-        let keys = get_keys().map_err(|e| {
+        let keys = get_keys().await.map_err(|e| {
             error!("Failed to get Mostro keys: {}", e);
             MostroInternalErr(ServiceError::IOError(e.to_string()))
         })?;

src/config/mod.rs

@@ -59,7 +59,7 @@ mod tests {
 
     // Fake settings for the test
     const NOSTR_SETTINGS: &str = r#"[nostr]
-                                    nsec_privkey = 'nsec13as48eum93hkg7plv526r9gjpa0uc52zysqm93pmnkca9e69x6tsdjmdxd'
+                                    nsec_privkey_file = '/tmp/mostro-test-nostr-key.nsec'
                                     relays = ['wss://relay.damus.io','wss://relay.mostro.network']"#;
 
     const LIGHTNING_SETTINGS: &str = r#"[lightning]
@@ -194,15 +194,32 @@ mod tests {
         let nostr_settings: StubSettingsNostr =
             toml::from_str(NOSTR_SETTINGS).expect("Failed to deserialize");
         assert_eq!(
-            nostr_settings.nostr.nsec_privkey,
-            "nsec13as48eum93hkg7plv526r9gjpa0uc52zysqm93pmnkca9e69x6tsdjmdxd"
+            nostr_settings.nostr.nsec_privkey_file,
+            "/tmp/mostro-test-nostr-key.nsec"
         );
+        assert_eq!(nostr_settings.nostr.nsec_privkey, None);
         assert_eq!(
             nostr_settings.nostr.relays,
             vec!["wss://relay.damus.io", "wss://relay.mostro.network"]
         );
     }
 
+    #[test]
+    fn test_nostr_settings_legacy_inline_key() {
+        let legacy_settings = r#"[nostr]
+                                    nsec_privkey = 'nsec13as48eum93hkg7plv526r9gjpa0uc52zysqm93pmnkca9e69x6tsdjmdxd'
+                                    relays = ['wss://relay.damus.io']"#;
+        let nostr_settings: StubSettingsNostr =
+            toml::from_str(legacy_settings).expect("Failed to deserialize");
+
+        assert_eq!(nostr_settings.nostr.nsec_privkey_file, "");
+        assert_eq!(
+            nostr_settings.nostr.nsec_privkey.as_deref(),
+            Some("nsec13as48eum93hkg7plv526r9gjpa0uc52zysqm93pmnkca9e69x6tsdjmdxd")
+        );
+        assert_eq!(nostr_settings.nostr.relays, vec!["wss://relay.damus.io"]);
+    }
+
     #[test]
     fn test_mostro_settings() {
         // Parse TOML content

src/config/types.rs

@@ -125,8 +125,12 @@ pub struct LightningSettings {
 /// Nostr configuration settings
 #[derive(Debug, Deserialize, Serialize, Default, Clone)]
 pub struct NostrSettings {
-    /// Nostr private key
-    pub nsec_privkey: String,
+    /// Path to file containing the Nostr private key (nsec)
+    #[serde(default)]
+    pub nsec_privkey_file: String,
+    /// Legacy inline Nostr private key kept for backward compatibility.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub nsec_privkey: Option<String>,
     /// Nostr relays list
     pub relays: Vec<String>,
 }

src/config/util.rs

@@ -32,6 +32,19 @@ fn validate_mostro_settings(settings: &Settings) -> Result<(), MostroError> {
         ))));
     }
 
+    if settings.nostr.nsec_privkey.is_some() {
+        return Err(MostroInternalErr(ServiceError::IOError(
+            "nostr.nsec_privkey is no longer supported; move the key to nostr.nsec_privkey_file"
+                .to_string(),
+        )));
+    }
+
+    if settings.nostr.nsec_privkey_file.trim().is_empty() {
+        return Err(MostroInternalErr(ServiceError::IOError(
+            "Missing Nostr private key file configuration".to_string(),
+        )));
+    }
+
     Ok(())
 }
 
@@ -100,3 +113,52 @@ pub fn init_configuration_file(config_path: Option<String>) -> Result<(), Mostro
 
     Ok(())
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::config::types::{
+        DatabaseSettings, LightningSettings, MostroSettings, NostrSettings, RpcSettings,
+    };
+
+    fn make_settings(nostr: NostrSettings) -> Settings {
+        Settings {
+            database: DatabaseSettings::default(),
+            lightning: LightningSettings::default(),
+            nostr,
+            mostro: MostroSettings::default(),
+            rpc: RpcSettings::default(),
+            expiration: None,
+        }
+    }
+
+    #[test]
+    fn validate_mostro_settings_rejects_legacy_inline_nsec() {
+        let settings = make_settings(NostrSettings {
+            nsec_privkey: Some(
+                "nsec13as48eum93hkg7plv526r9gjpa0uc52zysqm93pmnkca9e69x6tsdjmdxd".to_string(),
+            ),
+            relays: vec!["wss://relay.test".to_string()],
+            ..Default::default()
+        });
+
+        let error = validate_mostro_settings(&settings).expect_err("inline nsec must be rejected");
+        assert!(error
+            .to_string()
+            .contains("nostr.nsec_privkey is no longer supported"));
+    }
+
+    #[test]
+    fn validate_mostro_settings_requires_private_key_file() {
+        let settings = make_settings(NostrSettings {
+            relays: vec!["wss://relay.test".to_string()],
+            ..Default::default()
+        });
+
+        let error =
+            validate_mostro_settings(&settings).expect_err("missing key file must be rejected");
+        assert!(error
+            .to_string()
+            .contains("Missing Nostr private key file configuration"));
+    }
+}

src/config/wizard.rs

@@ -58,7 +58,7 @@ fn run_setup_wizard(settings_dir: &Path, config_file_path: &Path) -> Result<Sett
 
     println!("\n--- Nostr Configuration ---\n");
 
-    let nostr = prompt_nostr_settings()?;
+    let nostr = prompt_nostr_settings(settings_dir)?;
 
     println!("\n--- Mostro Configuration ---\n");
 
@@ -142,14 +142,14 @@ fn prompt_lightning_settings() -> Result<LightningSettings, MostroError> {
     })
 }
 
-fn prompt_nostr_settings() -> Result<NostrSettings, MostroError> {
+fn prompt_nostr_settings(settings_dir: &Path) -> Result<NostrSettings, MostroError> {
     let has_nsec = Confirm::new()
         .with_prompt("Do you have an existing nsec key?")
         .default(false)
         .interact()
         .map_err(|e| MostroInternalErr(ServiceError::IOError(e.to_string())))?;
 
-    let nsec_privkey = if has_nsec {
+    let nsec = if has_nsec {
         Input::new()
             .with_prompt("Enter your nsec private key")
             .validate_with(|input: &String| validate_nsec(input))
@@ -174,6 +174,34 @@ fn prompt_nostr_settings() -> Result<NostrSettings, MostroError> {
         nsec
     };
 
+    // Write the nsec key to a file in the settings directory
+    let nsec_privkey_file = settings_dir.join("nostr-key.nsec");
+    {
+        #[cfg(unix)]
+        let file = {
+            use std::os::unix::fs::OpenOptionsExt;
+            std::fs::OpenOptions::new()
+                .write(true)
+                .create(true)
+                .truncate(true)
+                .mode(0o600)
+                .open(&nsec_privkey_file)
+        };
+        #[cfg(not(unix))]
+        let file = {
+            std::fs::OpenOptions::new()
+                .write(true)
+                .create(true)
+                .truncate(true)
+                .open(&nsec_privkey_file)
+        };
+        let mut file = file.map_err(|e| MostroInternalErr(ServiceError::IOError(e.to_string())))?;
+        file.write_all(nsec.as_bytes())
+            .map_err(|e| MostroInternalErr(ServiceError::IOError(e.to_string())))?;
+    }
+
+    println!("  Private key saved to {}", nsec_privkey_file.display());
+
     let relays_input: String = Input::new()
         .with_prompt("Nostr relays (comma-separated)")
         .default("wss://relay.mostro.network".to_string())
@@ -188,8 +216,9 @@ fn prompt_nostr_settings() -> Result<NostrSettings, MostroError> {
         .collect();
 
     Ok(NostrSettings {
-        nsec_privkey,
+        nsec_privkey_file: nsec_privkey_file.to_string_lossy().to_string(),
         relays,
+        ..Default::default()
     })
 }
 

src/main.rs

@@ -66,7 +66,7 @@ async fn main() -> Result<()> {
     };
 
     // Get mostro keys
-    let mostro_keys = util::get_keys()?;
+    let mostro_keys = util::get_keys().await?;
 
     let subscription = Filter::new()
         .pubkey(mostro_keys.public_key())