Payjoin persistence

[Mshehu5]

Description

#230 needed to be merged for this to go through
Address #149 also follow up to #200
This PR adds persistance to existing async payjoin integration
This introduces neccessary database model and tables also add commad for resume to allow interrupted sessions to be continued also a particular session either send or receive.
A history commad to view payjoin history and status has been added

Notes to the reviewers

Step to review this include making a payjoin transaction

Run a receiver to get a BIP21 URI then pass it to the sender as seen in docs

bdk-cli/README.md

Lines 121 to 141 in b9cf2ac

	To start a Payjoin session as the receiver with regtest RPC and example OHTTP relays:
	```
	cargo run --features rpc -- --network regtest wallet --wallet payjoin_wallet1 config --ext-descriptor "wpkh(tprv8ZgxMBicQKsPd2PoUEcGNDHPZmVWgtPYERAwMG6qHheX6LN4oaazp3qZU7mykiaAZga1ZB2SJJR6Mriyq8MocMs7QTe7toaabSwTWu5fRFz/84h/1h/0h/0/*)#8guqp7rn" --client-type rpc --database-type sqlite --url "127.0.0.1:18443"
	cargo run --features rpc -- wallet --wallet payjoin_wallet1 sync
	cargo run --features rpc -- wallet --wallet payjoin_wallet1 balance
	cargo run --features rpc -- wallet --wallet payjoin_wallet1 receive_payjoin --amount 400000 --max_fee_rate 1000 --directory "https://payjo.in" --ohttp_relay "https://pj.bobspacebkk.com" --ohttp_relay "https://pj.benalleng.com"
	```
	To send a Payjoin with regtest RPC and example OHTTP relays:
	```
	cargo run --features rpc -- --network regtest wallet --wallet payjoin_wallet2 config --ext-descriptor "wpkh(tprv8ZgxMBicQKsPfBxswkATvZRQ9kDdRbJPtHYZaZCARL2myxcK7DqsqPhRo2G2rRVHFPbowq63BE6S4k2pUMYeF2fUMTT63Q7zhoXtKsM1FaS/84'/1'/0'/0/*)#qf5gnqrf" --client-type rpc --database-type sqlite --url "127.0.0.1:18443"
	cargo run --features rpc -- wallet --wallet payjoin_wallet2 sync
	cargo run --features rpc -- wallet --wallet payjoin_wallet2 balance
	cargo run --features rpc -- wallet --wallet payjoin_wallet2 send_payjoin --ohttp_relay "https://pj.bobspacebkk.com" --ohttp_relay "https://pj.benalleng.com" --fee_rate 1 --uri "<URI>"
	```

To test resumption, interrupt either side with Ctrl+C mid-session then run resume on that side to continue. A few scenarios worth covering: receiver resuming after interrupt and sender resuming after interrupt. Use history after each scenario to confirm the session state was persisted correctly.

docs for this can be seen in 7e4ffd1

Checklists

All Submissions:

• I've signed all my commits
• I followed the contribution guidelines
• I ran cargo fmt and cargo clippy before committing

New Features:

• I've added docs for the new feature

[coveralls]

Pull Request Test Coverage Report for Build 22068931916

Details

• 0 of 763 (0.0%) changed or added relevant lines in 5 files are covered.
• 5 unchanged lines in 3 files lost coverage.
• Overall coverage decreased (-1.9%) to 8.848%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
src/error.rs	0	21	0.0%
src/utils.rs	0	22	0.0%
src/handlers.rs	0	50	0.0%
src/payjoin/db.rs	0	262	0.0%
src/payjoin/mod.rs	0	408	0.0%

Files with Coverage Reduction	New Missed Lines	%
src/utils.rs	1	0.0%
src/handlers.rs	2	12.81%
src/payjoin/mod.rs	2	0.0%

Totals
Change from base Build 21153868360:	-1.9%
Covered Lines:	268
Relevant Lines:	3029

---

💛 - Coveralls

[tvpeter]

Thank you @Mshehu5 for working on this feature.

Below are some of the observations that I think will make the implementation better:

• I noticed that the implementation used only the sqlite db, and since sqlite is a db option in the project, I think it will be ideal if you also include implementation for redb db so users are free to choose any to use.
• The implementation does not provide for pruning/cleanup of data. Given that the db will tend to grow linearly and become sizable over time, I think it will be great to consider adding a pruning subcommand or mechanism that deletes irrelevant data.
• Since the save_event is generated at multiple transitions in a session, I think it will be great if you consider grouping such updates in a db transaction to ensure that entries are saved successfully.

I have also left some comments in the code.

Thank you.

[codecov]

Codecov Report

❌ Patch coverage is 0.27548% with 724 lines in your changes missing coverage. Please review.
✅ Project coverage is 8.28%. Comparing base (7c33b33) to head (e544ac2).
⚠️ Report is 5 commits behind head on master.

Files with missing lines	Patch %	Lines
src/payjoin/mod.rs	0.00%	341 Missing ⚠️
src/payjoin/db.rs	0.00%	338 Missing ⚠️
src/handlers.rs	7.69%	24 Missing ⚠️
src/error.rs	0.00%	21 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##           master    #242      +/-   ##
=========================================
- Coverage   10.96%   8.28%   -2.69%     
=========================================
  Files           8       9       +1     
  Lines        2526    3344     +818     
=========================================
  Hits          277     277              
- Misses       2249    3067     +818     

Flag	Coverage Δ
rust	8.28% <0.27%> (-2.69%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Mshehu5]

Thank you for the review!

Just wanted some clarifications

The implementation does not provide for pruning/cleanup of data. Given that the db will tend to grow linearly and become sizable over time, I think it will be great to consider adding a pruning subcommand or mechanism that deletes irrelevant data.

For this feature, how would you like it to be implemented? For example should we allow selecting a specific date or session to start pruning from? Or should it apply to all sessions older than a certain date? Alternatively should it target only expired or unsuccessful sessions?

I noticed that the implementation used only the sqlite db, and since sqlite is a db option in the project, I think it will be ideal if you also include implementation for redb db so users are free to choose any to use.

Also for the redb implementation most of the existing integrations have been built around SQLite so it made sense as the initial approach for this implementation. The Redb support may require some additional consideration and it would be good to align with the PayJoin team to ensure the approach is correct and consistent.
Given that would you prefer the Redb implementation to be included in this PR or would it be acceptable to handle it in a follow-up?

It would also be helpful to understand what you consider a hard requirement for this PR versus what can be iterated on in subsequent changes.

[va-an]

Hi @Mshehu5, thanks for this!

Could you update payjoin dependency to 1.0.0-rc.2 and run just pre-push?

I've got some errors from just pre-push like:

error[E0061]: this method takes 1 argument but 2 arguments were supplied
    --> src/payjoin/mod.rs:691:30
     |
 691 |   ...                   .check_payment(
     |                          ^^^^^^^^^^^^^
...
 704 | / ...                       |outpoint| {
 705 | | ...                           let utxo = self.wallet.get_utxo(outpoint);
 706 | | ...                           match utxo {
 707 | | ...                               Some(_) => Ok(false),
...    |
 710 | | ...                       }
     | |___________________________- unexpected argument #2 of type `{closure@src/payjoin/mod.rs:704:33: 704:43}`

[Mshehu5]

@va-an Thanks for the review! I bumped Payjoin to 1.0.0-rc.2 and just pre-push passes locally. Mind giving it a try on your end? Would appreciate your feedback

[Mshehu5]

@tvpeter Would really appreciate your feedback on this: #242 (comment)

It would help move this PR forward.

[tvpeter]

For this feature, how would you like it to be implemented? For example should we allow selecting a specific date or session to start pruning from? Or should it apply to all sessions older than a certain date? Alternatively should it target only expired or unsuccessful sessions?

I think it should apply to all sessions within a specific timeframe, say anything older than 30 days, and if it can be implemented without adding another command, that would be great. This can even go into another PR.

Also for the redb implementation most of the existing integrations have been built around SQLite so it made sense as the initial approach for this implementation. The Redb support may require some additional consideration and it would be good to align with the PayJoin team to ensure the approach is correct and consistent. Given that would you prefer the Redb implementation to be included in this PR or would it be acceptable to handle it in a follow-up?

That is still fine. It can form another PR, but it's one of the things you can consider adding.

It would also be helpful to understand what you consider a hard requirement for this PR versus what can be iterated on in subsequent changes.

The current implementation covering SQLite is good enough (and the most important). Those others can serve as improvements to the persistence feature.

[tvpeter]

Hi @Mshehu5 ,

Thank you so much for continuing to work on this feature. I left some minor comments. After you address them, I will do a final round of testing. Overall, I feel the PR is ready to go.

Well done.

[tvpeter]

ACK d22d8b0

I was unable to test the entire payjoin flow (due to a persistent network error), but I could see the resume and history commands working as expected.

Weldone @Mshehu5

[tvpeter]

@Mshehu5 please rebase

[Mshehu5]

Hello @notmandatory A review/feedback from you on this PR will really help push this forward

[DanGould]

@evanlinjin this might be a PR for us to look at together this week

[va-an]

Tried end-to-end on regtest with pj.bobspacebkk.com. The URI is generated and the persister state is saved correctly, but the first poll request fails:

-> % RUST_LOG=debug cargo run --features rpc -- \
    wallet --wallet payjoin_wallet1 \
    receive_payjoin \
    --amount 400000 \
    --max_fee_rate 1000 \
    --directory "https://payjo.in" \
    --ohttp_relay "https://pj.bobspacebkk.com"
...
[2026-05-26T20:05:14Z DEBUG bdk_cli] network: Testnet
[2026-05-26T20:05:14Z DEBUG bdk_cli::handlers] Sqlite database opened successfully
[2026-05-26T20:05:14Z DEBUG reqwest::connect] starting new connection: https://payjo.in/
[2026-05-26T20:05:14Z DEBUG reqwest::connect] proxy(https://pj.bobspacebkk.com/) intercepts 'https://payjo.in/'
Request Payjoin by sharing this Payjoin Uri:
bitcoin:bcrt1qn0wg553k3yfeg56535tej03wxv5yftzx4gpvpe?amount=0.004&pjos=0&pj=HTTPS://PAYJO.IN/SM6XG5LDPYGLC%23EX10D8PW6S-OH1QYPFLM8XL59R0XV4VGPLS7FRDSSM4TUXL07TXCWC4S0GLVLNK2SE4NQ-RK1QFF9Z8Y93K4TUVGJAHR9AX27SDPSJ88FY8HAC7SQ9DFCMCTJ5LSTZ
[2026-05-26T20:05:15Z DEBUG reqwest::connect] starting new connection: https://pj.bobspacebkk.com/
[2026-05-26T20:05:15Z ERROR bdk_cli] Reqwest error: error sending request for url (https://pj.bobspacebkk.com/https://payjo.in/)

After downgrading Cargo.toml to reqwest = "0.12.23" (the version used by the reference payjoin-cli), the polling succeeds and the CLI hangs waiting for the sender as expected:

-> % RUST_LOG=debug cargo run --features rpc -- \
    wallet --wallet payjoin_wallet1 \
    receive_payjoin \
    --amount 400000 \
    --max_fee_rate 1000 \
    --directory "https://payjo.in" \
    --ohttp_relay "https://pj.bobspacebkk.com"
...
[2026-05-26T20:04:24Z DEBUG bdk_cli] network: Testnet
[2026-05-26T20:04:24Z DEBUG bdk_cli::handlers] Sqlite database opened successfully
[2026-05-26T20:04:24Z DEBUG reqwest::connect] starting new connection: https://payjo.in/
[2026-05-26T20:04:24Z DEBUG reqwest::connect] proxy(https://pj.bobspacebkk.com/) intercepts 'https://payjo.in/'
Request Payjoin by sharing this Payjoin Uri:
bitcoin:bcrt1qn0wg553k3yfeg56535tej03wxv5yftzx4gpvpe?amount=0.004&pjos=0&pj=HTTPS://PAYJO.IN/7X88PY7FGVM07%23EX1F98PW6S-OH1QYPFLM8XL59R0XV4VGPLS7FRDSSM4TUXL07TXCWC4S0GLVLNK2SE4NQ-RK1Q2DC9EW9ECFDEZJ964H9ELY83F8HM7P3AFSJSFNW6VY9D3RPXE80X
[2026-05-26T20:04:25Z DEBUG reqwest::connect] starting new connection: https://pj.bobspacebkk.com/
^C

The reqwest 0.13.2 bump wasn't introduced by this PR (likely came in via a rebase on master), but as it stands the code doesn't work end-to-end.

[va-an]

This import is already on line 22.

Suggested change

use payjoin::send::v2::replay_event_log as replay_sender_event_log;

[va-an]

impl Deref is only used to unwrap the inner i64 for params!. Per C-DEREF, Deref should be implemented only for smart pointers - not for newtypes.

Cleaner: impl ToSql for SessionId (delegating to self.0), then params![self.session_id, ...] works directly. Drop the Deref impl and remove * from every params![*session_id, ...] call site.

Suggested change

	impl core::ops::Deref for SessionId {
	type Target = i64;
	fn deref(&self) -> &Self::Target {
	&self.0
	}
	}
	impl ToSql for SessionId {
	fn to_sql(&self) -> bdk_wallet::rusqlite::Result<ToSqlOutput<'_>> {
	self.0.to_sql()
	}
	}

[va-an]

Stale TODO.

Suggested change

[va-an]

The same 3-line boilerplate is repeated before every PayjoinManager::new:

let relay_manager = Arc::new(Mutex::new(RelayManager::new()));
let db = open_payjoin_db(datadir.clone(), &wallet_name)?;
let mut payjoin_manager = PayjoinManager::new(wallet, relay_manager, db);

Both db and relay_manager are used only by PayjoinManager - callers don't touch them. Move construction inside new:

pub fn new(
    wallet: &'a mut Wallet,
    datadir: Option<PathBuf>,
    wallet_name: &str,
) -> Result<Self, Error> {
    let db = open_payjoin_db(datadir, wallet_name)?;
    let relay_manager = Arc::new(Mutex::new(RelayManager::new()));
    Ok(Self { wallet, relay_manager, db })
}

Callers collapse to one line.

[va-an]

This function should be moved to payjoin/db.rs.

[DanGould]

Went through this in prep for mob review, although I don't have.

The lack of any explained decision motivation in the commit messages is the fundamental to change first whenever asking for review. Whoever reads the history can see what is done. The commit message exists to tell the history of WHY you made changes. Tell me what you considered so I don't have to imagine.

Some things we'll talk about:

• appropriate use of modules
• rebasing
• Encapsulating payjoin business from cli business
• using the right version
• The right abstraction level for db vs a payjoin-specific storage/manager type

[DanGould]

Unless these new error types are needed at this top level visibility, I'd move them into the payjoin::db module. it's in the name. payjoin::db::Error seems like the appropriate place/name for this type.

[DanGould]

Using the latest, payjoin version="0.25.0" for this and keep updating proper 1.0 is going to stay closer to the released api.

[DanGould]

Seems like the PayjoinManager could encapsulate the ReceiverPersister around the db itself. Why not?

[DanGould]

Why generic error instead of panic if session nonexistence otherwise panics?

[DanGould]

No relay no directory? What's the target of this request? Why not use the fetch function directly if not relay manager?

[DanGould]

This is how the reference does it payjoin/rust-payjoin#1582, though I note the payjoin-cli reference has no vec![] which adds further confusion to my eye

[DanGould]

This change that loosens the contract doesn't make sense to me. Still want to enforce that the param is of the correct type even if you convert it to a string in the method body.

[DanGould]

why time out after 30 seconds? Seems brief since payjoins are long-running and don't expire by default for 24h

[DanGould]

This seems like it's touching things outside of the scope of this PR. Are you sure these feature gates can be removed?

[DanGould]

passing wallet and wallet_name which are cloned versions of the same type to this function seems very definitely like a hack. What the heck is going on here?

[DanGould]

This kind of spacing-only change makes me think you haven't reviewed this line-by-line yourself before asking for review here. Please make sure these kinds of formatting issues you can find yourself are addressed beforehand.

[evanlinjin]

This struct does not earn it's keep and neither does the Mutex.

I think it would make more sense just to have separate functions instead of methods on Database (that doesn't need to be there).

The ...Persister types should just be:

stuct XxxPersister {
    conn: Rc<Connection>,
    session_id: SessionId,
}