BitcoinErrorLog
diff --git a/‎app/src/main/java/to/bitkit/paykit/services/DirectoryService.kt‎
Lines changed: 65 additions & 7 deletions b/‎app/src/main/java/to/bitkit/paykit/services/DirectoryService.kt‎
Lines changed: 65 additions & 7 deletions
diff --git a/‎app/src/main/java/to/bitkit/paykit/services/PubkyRingBridge.kt‎
Lines changed: 57 additions & 0 deletions b/‎app/src/main/java/to/bitkit/paykit/services/PubkyRingBridge.kt‎
Lines changed: 57 additions & 0 deletions
diff --git a/‎app/src/main/java/to/bitkit/paykit/services/SecureHandoffHandler.kt‎
Lines changed: 61 additions & 8 deletions b/‎app/src/main/java/to/bitkit/paykit/services/SecureHandoffHandler.kt‎
Lines changed: 61 additions & 8 deletions
diff --git a/‎app/src/main/java/to/bitkit/paykit/viewmodels/SubscriptionsViewModel.kt‎
Lines changed: 6 additions & 0 deletions b/‎app/src/main/java/to/bitkit/paykit/viewmodels/SubscriptionsViewModel.kt‎
Lines changed: 6 additions & 0 deletions
@@ -197,7 +197,10 @@ class DirectoryService @Inject constructor(
     val isConfigured: Boolean get() = authenticatedTransport != null
 
     /**
-     * Discover noise endpoint for a recipient
+     * Discover noise endpoint for a recipient.
+     * 
+     * First tries the FFI-based discovery, then falls back to direct HTTP fetch
+     * (which works better in Android emulators that can't resolve pkarr DNS).
      */
     suspend fun discoverNoiseEndpoint(recipientPubkey: String): NoiseEndpointInfo? {
         val transport = unauthenticatedTransport ?: run {
@@ -208,14 +211,68 @@ class DirectoryService @Inject constructor(
             }
         }
 
-        return try {
-discoverNoiseEndpoint(transport, recipientPubkey)
+        // Try FFI-based discovery first
+        val ffiResult = try {
+            discoverNoiseEndpoint(transport, recipientPubkey)
         } catch (e: Exception) {
-            Logger.error("Failed to discover Noise endpoint for $recipientPubkey", e, context = TAG)
+            Logger.warn("FFI discover Noise endpoint failed for $recipientPubkey: ${e.message}, trying direct HTTP", context = TAG)
             null
         }
+
+        if (ffiResult != null) {
+            return ffiResult
+        }
+
+        // Fallback: fetch via direct HTTP using our Kotlin adapter
+        return discoverNoiseEndpointViaHttp(recipientPubkey)
     }
 
+    /**
+     * Fallback: Discover Noise endpoint via direct HTTP request.
+     * This works in Android emulators where pkarr DNS resolution fails.
+     * Uses withContext(Dispatchers.IO) to run the blocking HTTP call off the main thread.
+     */
+    private suspend fun discoverNoiseEndpointViaHttp(recipientPubkey: String): NoiseEndpointInfo? =
+        kotlinx.coroutines.withContext(kotlinx.coroutines.Dispatchers.IO) {
+            // Ensure we use the default homeserver if not configured
+            val effectiveHomeserverURL = homeserverURL ?: HomeserverDefaults.defaultHomeserverURL
+            val adapter = pubkyStorage.createUnauthenticatedAdapter(effectiveHomeserverURL)
+            val noisePath = PaykitV0Protocol.noiseEndpointPath()
+            Logger.debug("Fetching Noise endpoint via HTTP: ${effectiveHomeserverURL.value}$noisePath for $recipientPubkey", context = TAG)
+
+            try {
+                val result = adapter.get(recipientPubkey, noisePath)
+                if (!result.success || result.content == null) {
+                    Logger.debug("No Noise endpoint found for $recipientPubkey via HTTP", context = TAG)
+                    return@withContext null
+                }
+
+                // Parse the JSON response
+                val json = org.json.JSONObject(result.content!!)
+                val host = json.optString("host") ?: ""
+                val port = json.optInt("port", 0)
+                val pubkey = json.optString("pubkey") ?: ""
+                val metadata: String? = if (json.has("metadata")) json.optString("metadata") else null
+
+                if (pubkey.isEmpty()) {
+                    Logger.warn("Noise endpoint for $recipientPubkey has no pubkey", context = TAG)
+                    return@withContext null
+                }
+
+                Logger.debug("Discovered Noise endpoint for $recipientPubkey via HTTP: $host:$port", context = TAG)
+                NoiseEndpointInfo(
+                    recipientPubkey = recipientPubkey,
+                    host = host,
+                    port = port.toUShort(),
+                    serverNoisePubkey = pubkey,
+                    metadata = metadata,
+                )
+            } catch (e: Exception) {
+                Logger.error("Failed to discover Noise endpoint via HTTP for $recipientPubkey", e, context = TAG)
+                null
+            }
+        }
+
     /**
      * Publish our noise endpoint to the directory
      */
@@ -551,7 +608,7 @@ removeNoiseEndpoint(transport)
     suspend fun publishSubscriptionProposal(
         proposal: to.bitkit.paykit.models.SubscriptionProposal,
         subscriberPubkey: String,
-    ) {
+    ) = kotlinx.coroutines.withContext(kotlinx.coroutines.Dispatchers.IO) {
         // Auto-restore from keychain if not configured
         if (!isConfigured) tryRestoreFromKeychain()
         val adapter = authenticatedAdapter ?: throw DirectoryError.NotConfigured
@@ -855,9 +912,10 @@ removeNoiseEndpoint(transport)
     }
 
     /**
-     * Publish profile to Pubky directory
+     * Publish profile to Pubky directory.
+     * Uses withContext(Dispatchers.IO) to run the blocking HTTP call off the main thread.
      */
-    suspend fun publishProfile(profile: PubkyProfile) {
+    suspend fun publishProfile(profile: PubkyProfile) = withContext(Dispatchers.IO) {
         // Auto-restore from keychain if not configured
         if (!isConfigured) tryRestoreFromKeychain()
         val adapter = authenticatedAdapter ?: throw DirectoryError.NotConfigured
 
@@ -62,6 +62,7 @@ class PubkyRingBridge @Inject constructor(
     private val pubkyStorageAdapter: PubkyStorageAdapter,
     private val callbackParser: PubkyRingCallbackParser,
     private val secureHandoffHandler: SecureHandoffHandler,
+    private val keyManager: to.bitkit.paykit.KeyManager,
 ) {
 
     companion object {
@@ -648,6 +649,7 @@ class PubkyRingBridge @Inject constructor(
                     val session = pollRelayForSession(requestId)
                     if (session != null) {
                         sessionCache[session.pubkey] = session
+                        persistSession(session)
                         pendingCrossDeviceRequestId = null
                         pendingCrossDeviceEphemeralSk = null
                         return@withContext session
@@ -1032,6 +1034,11 @@ class PubkyRingBridge @Inject constructor(
         try {
             val json = kotlinx.serialization.json.Json.encodeToString(PubkySession.serializer(), session)
             keychainStorage.setString("pubky.session.${session.pubkey}", json)
+            // Also store in DirectoryService format so tryRestoreFromKeychain works
+            keychainStorage.setString("pubky.identity.public", session.pubkey)
+            keychainStorage.setString("pubky.session.secret", session.sessionSecret)
+            // Also update KeyManager with the identity's public key for subscription operations
+            keyManager.storePublicKey(session.pubkey)
             Logger.debug("Persisted session for ${session.pubkey.take(12)}...", context = TAG)
         } catch (e: Exception) {
             Logger.error("Failed to persist session", e, context = TAG)
@@ -1049,7 +1056,15 @@ class PubkyRingBridge @Inject constructor(
                 val json = keychainStorage.getString(key) ?: continue
                 val session = kotlinx.serialization.json.Json.decodeFromString<PubkySession>(json)
                 sessionCache[session.pubkey] = session
+                // Update KeyManager with identity pubkey (ensures subscriptions work after app restart)
+                keyManager.storePublicKey(session.pubkey)
+                // Also store in DirectoryService format so tryRestoreFromKeychain works
+                keychainStorage.setString("pubky.identity.public", session.pubkey)
+                keychainStorage.setString("pubky.session.secret", session.sessionSecret)
                 Logger.info("Restored session for ${session.pubkey.take(12)}...", context = TAG)
+                
+                // Verify Noise endpoint is published (fallback publish if Ring didn't)
+                verifyOrPublishNoiseEndpoint(session.pubkey)
             } catch (e: Exception) {
                 Logger.error("Failed to restore session from $key", e, context = TAG)
             }
@@ -1058,6 +1073,48 @@ class PubkyRingBridge @Inject constructor(
         Logger.info("Restored ${sessionCache.size} sessions from keychain", context = TAG)
     }
 
+    /**
+     * Verify that Noise endpoint is published for a pubkey, publishing it if not.
+     * This is needed when Ring fails to publish during handoff.
+     */
+    private suspend fun verifyOrPublishNoiseEndpoint(pubkey: String) {
+        try {
+            // Get cached keypair from KeyManager (uses epoch 0 by default)
+            val keypair = keyManager.getCachedNoiseKeypair()
+            if (keypair != null) {
+                secureHandoffHandler.ensureNoiseEndpointPublished(
+                    pubkey = pubkey,
+                    noisePubkeyHex = keypair.publicKeyHex,
+                    deviceId = keypair.deviceId,
+                )
+            } else {
+                // Just verify - can't publish without keypair
+                val isPublished = secureHandoffHandler.verifyNoiseEndpointPublished(pubkey)
+                if (!isPublished) {
+                    Logger.warn("Cannot publish Noise endpoint: no keypair cached for ${pubkey.take(12)}...", context = TAG)
+                }
+            }
+        } catch (e: Exception) {
+            Logger.warn("Error checking Noise endpoint for ${pubkey.take(12)}...: ${e.message}", context = TAG)
+        }
+    }
+    
+    /**
+     * Ensure any cached session's pubkey is stored in KeyManager.
+     * Call this if sessions exist in memory but weren't properly persisted.
+     */
+    suspend fun ensureIdentitySynced() {
+        for (session in sessionCache.values) {
+            keyManager.storePublicKey(session.pubkey)
+            // Also persist the session if not already persisted
+            val existingJson = keychainStorage.getString("pubky.session.${session.pubkey}")
+            if (existingJson == null) {
+                persistSession(session)
+                Logger.info("Synced session for ${session.pubkey.take(12)}...", context = TAG)
+            }
+        }
+    }
+
     /**
      * Get all cached sessions
      */
 
@@ -73,15 +73,9 @@ class SecureHandoffHandler @Inject constructor(
         cacheAndPersistResult(result, payload.deviceId, scope, onSessionPersisted)
         schedulePayloadDeletion(result.session, requestId, scope)
 
-        // Verify Ring published the Noise endpoint (non-blocking diagnostic)
+        // Verify Ring published the Noise endpoint, or publish it ourselves as fallback
         scope.launch {
-            val noisePublished = verifyNoiseEndpointPublished(pubkey)
-            if (!noisePublished) {
-                Logger.warn(
-                    "Noise endpoint was not published by Ring - encrypted payment channels may not work",
-                    context = TAG,
-                )
-            }
+            ensureNoiseEndpointPublished(pubkey, result.noiseKeypair0?.publicKey, payload.deviceId)
         }
 
         result
@@ -275,6 +269,65 @@ class SecureHandoffHandler @Inject constructor(
         }
     }
 
+    /**
+     * Ensure the Noise endpoint is published for discoverability.
+     * 
+     * First verifies if Ring already published it. If not, publishes it ourselves
+     * using the keypair and session we received during handoff.
+     *
+     * @param pubkey The user's pubkey in z32 format
+     * @param noisePubkeyHex The X25519 Noise public key (hex encoded) from epoch 0
+     * @param deviceId The device ID used for this connection
+     */
+    suspend fun ensureNoiseEndpointPublished(
+        pubkey: String,
+        noisePubkeyHex: String?,
+        deviceId: String,
+    ) = withContext(Dispatchers.IO) {
+        try {
+            Logger.debug("Verifying Noise endpoint for ${pubkey.take(12)}...", context = TAG)
+            
+            // Check if endpoint already exists and is valid
+            val endpoint = directoryServiceProvider.get().discoverNoiseEndpoint(pubkey)
+            if (endpoint != null && endpoint.host != "pending") {
+                Logger.info(
+                    "Noise endpoint already published for ${pubkey.take(12)}...: host=${endpoint.host}, port=${endpoint.port}",
+                    context = TAG,
+                )
+                return@withContext
+            }
+            
+            // Endpoint missing or has placeholder values - publish it ourselves
+            if (noisePubkeyHex == null) {
+                Logger.warn("Cannot publish Noise endpoint: no keypair available", context = TAG)
+                return@withContext
+            }
+            
+            Logger.info("Ring did not publish Noise endpoint - publishing as fallback", context = TAG)
+            
+            // Publish with "pending" host/port - will be updated when Noise server starts
+            val directoryService = directoryServiceProvider.get()
+            if (!directoryService.isConfigured) {
+                if (!directoryService.tryRestoreFromKeychain()) {
+                    Logger.warn("Cannot publish Noise endpoint: DirectoryService not configured", context = TAG)
+                    return@withContext
+                }
+            }
+            
+            directoryService.publishNoiseEndpoint(
+                host = "pending",
+                port = 0,
+                noisePubkey = noisePubkeyHex,
+                metadata = """{"provisioned_by":"bitkit-fallback","device_id":"$deviceId"}""",
+            )
+            Logger.info("Published Noise endpoint for ${pubkey.take(12)}... as fallback", context = TAG)
+        } catch (e: CancellationException) {
+            throw e
+        } catch (e: Exception) {
+            Logger.warn("Error ensuring Noise endpoint: ${e.message}", e, context = TAG)
+        }
+    }
+
     /**
      * Verify that Ring published the Noise endpoint during handoff.
      * 
 
@@ -8,6 +8,7 @@ import kotlinx.coroutines.flow.asStateFlow
 import kotlinx.coroutines.flow.update
 import kotlinx.coroutines.launch
 import to.bitkit.paykit.KeyManager
+import to.bitkit.paykit.services.PubkyRingBridge
 import to.bitkit.paykit.models.AutoPayRule
 import to.bitkit.paykit.models.PeerSpendingLimit
 import to.bitkit.paykit.models.Subscription
@@ -31,6 +32,7 @@ class SubscriptionsViewModel @Inject constructor(
     private val directoryService: DirectoryService,
     private val autoPayStorage: AutoPayStorage,
     private val keyManager: KeyManager,
+    private val pubkyRingBridge: PubkyRingBridge,
 ) : ViewModel() {
     companion object {
         private const val TAG = "SubscriptionsViewModel"
@@ -49,6 +51,10 @@ class SubscriptionsViewModel @Inject constructor(
     val showingAddSubscription: StateFlow<Boolean> = _showingAddSubscription.asStateFlow()
 
     init {
+        // Ensure any cached session's pubkey is synced to KeyManager
+        viewModelScope.launch {
+            pubkyRingBridge.ensureIdentitySynced()
+        }
         loadSubscriptions()
         loadIncomingProposals()
     }