ArxMint: Sovereign Economy Specification

Verify your mint is who it says it is

Verify keyset IDs against mint pubkeys. Prevent NUT-13 deterministic secret collisions — critical for agent wallets.

Honest reporting of what's available on each backend

Honest per-backend SP availability. SP for Fedimint peg-outs requires a federation module (server-side).

Agents get the minimum access they need, nothing more

WATCH_ONLY → PAY_ONLY → ADMIN tiers. Agents default to WATCH_ONLY. Never give agents admin macaroons.

Agent processes never hold signing keys

Signer config and fail-closed validation are shipped. Full isolated signer transport remains to be finalized.

Pay for services with ecash, not just Lightning

Dual L402 + Cashu flows are implemented; strict production enforcement and deeper testing are still being hardened.

Auto-pick the cheapest, most private way to pay

Auto-select ecash → Lightning → Ark → on-chain based on amount and privacy score.

Real numbers showing community health

Merchant count, active spenders, spend velocity, grant-ready export.

Step-by-step setup for any local business

Multi-step form, QR codes, POS guidance, directory listings.

Generate limited-permission keys for different roles

Generate scoped credentials: pay-only, invoice-only, read-only, agent-commerce.

Temporary wallets that clean up after themselves

In-memory, auto-expire, scoped. No persistent secrets.

Guided federation setup, no DevOps required

Fedimint G-Bot API for guided federation bootstrap with Docker fallback.

Sign in with your Nostr identity — no passwords, no database

NIP-07 browser extension auth (Alby, nos2x). Session persists via localStorage. NIP-98 HTTP auth utilities for future API protection.

Latest security and performance improvements

Generator paths target "Lighthouse" v0.10.0; root local compose still needs full parity.

High-privacy off-chain spending layer

SovereignArkClient interface exists with stub-mode behavior pending full upstream integration.

Production-grade mint with real database and monitoring

CDK generation path exists; default local stack still uses Nutshell for quick start.

Spread trust across multiple ecash providers

Manager and swap scaffolding are in place; operational hardening and broader coverage continue.

Scan or tap to pay, just like a credit card

cashu:// URI format for merchant QR codes and payment requests.

Receive Bitcoin without reusing addresses

Scanner/indexer/key-delegation scaffolding is implemented with remaining protocol-level hardening.

Real-time health dashboards for community operators

Prometheus/Grafana generation is implemented; deployment parity across all compose paths is ongoing.

Ecash automatically converts to Lightning when needed

Bridge flow is implemented with placeholder preimage handling pending final production wiring.

Rules for who runs the shared vault and how

Selection criteria, rotation policy, incident response, quorum management.

Smart contracts for ecash — escrow, subscriptions, automated payments

Conditional tokens: escrow, subscriptions, proof-of-service.

Cryptographic proof that agent wallets are honest

Audit-log + ZK reissuance for stateless agent wallets.

Sign transactions with your hardware device

SP descriptor support and PSBT spending for hardware signing devices.

Multi-mint atomic swaps and proof verification

P2BK, background proof state verification, multi-mint atomic swaps.

Tap your card to pay at any merchant

Tap-to-pay for merchants using Numo NFC cards.

Real businesses, real customers, real sats changing hands

Deploy pilot with merchant and user KPIs, uptime targets, and monitored operations.

Funding to scale from pilot to production

FBCE, OpenSats, and Fedi application templates and workflow support.

Transparent progress tracking for funders

Export monthly/quarterly KPI snapshots and reporting artifacts.

Step-by-step guide for any community to copy this

Open-source "BCE in a box" playbook generated from pilot configuration.

Connect Longmont to other cities on the same rails

Expand pilot model into multi-city commerce via multi-mint and Lightning bridge routes.

Your node, your keys — programmatic access with sandbox mode

L402 macaroon-based auth tokens generated on the merchant's own node. Scoped permissions (read/invoice/pay/admin), key rotation, rate limits. Non-custodial by design.

Get notified instantly when a customer pays — on your own infrastructure

Webhook engine runs on the merchant's node, watching their own LND/Cashu for invoice settlements. HMAC-SHA256 signed payloads, exponential backoff retry, delivery logs.

A payment link on your own domain — no code required

Payment page served from the merchant's node. Invoices generated by their own LND. QR code, real-time SSE status, auto-redirect on completion. ArxMint provides the software; merchant hosts it.

Know exactly when your customer paid

GET /payments/:id on the merchant's own node. SSE for real-time push, WebSocket for POS. Cursor-paginated payment history. All data stays local.

Add payments to any website in 10 lines of code

@arxmint/js and @arxmint/react — connects to the merchant's own endpoint, not a central server. PayButton, CheckoutForm, QRPayment components.

name@pay.merchant.com — scan and pay at any register

Lightning Address and LNURL-pay served from the merchant's own domain. Static QR codes for POS. NFC tag provisioning via Numo. No intermediary.

See every payment, manage your node, track your revenue

Self-hosted dashboard with payments, analytics, auth token management, webhook config, node status. No data leaves the merchant's infrastructure.

Three questions, fifteen minutes — your payment node is live

arxmint merchant init asks three questions (where to run, store name, online or POS), then provisions a complete merchant node: LND (Neutrino — no chain sync), Cashu mint, checkout, dashboard, managed subdomain (storename.arxmint.cloud), auto-HTTPS, and LSP-bootstrapped liquidity. Cloud deploy buttons for DigitalOcean, Vultr, Hetzner. The merchant never sees Docker or SSH.

Customers find you — searchable by category and location

Community-hosted merchant directory. Self-registration via CLI. Search by category, location, payment methods. The only Phase 5 item safe to host centrally (informational, no funds).

No double charges, no duplicate records, hardened for the open internet

Idempotency-Key header on all payment endpoints. Structured error codes. Caddy auto-HTTPS, CSP headers, rate limiting, firewall rules generated by setup wizard.

Updates, backups, and disaster recovery — handled automatically

Three sub-systems: (a) Appliance update engine — signed stack BOMs with auto-rollback on failed health checks, canary rings for staged rollout. (b) Zero-knowledge encrypted backups — LND SCB event-driven on every channel change, Cashu mint DB encrypted with seed-derived key, automated restore rehearsal. (c) One-click restore — fresh host + seed phrase = full recovery.

One-click install from your home node app store

Package the merchant stack for Umbrel and StartOS app stores. Umbrel is the fastest target — Docker Compose maps directly to its packaging format. Checkout endpoints public via App Proxy, admin behind Umbrel auth. StartOS as secondary with richer ops UX.

Manage your node from your phone — the VPS is invisible

React Native app as remote control for the merchant's VPS node. POS terminal, QR generation, daily sales, push notifications on invoice settlement. Wallet unlock via push notification (non-custodial — secret goes to node, never ArxMint). Near-term: PWA dashboard (5.7) covers 80%. Lite mode: LDK on mobile via Breez SDK for pop-up shops — no VPS needed.