Payjoin persistence

[Mshehu5]

Description

#230 needed to be merged for this to go through
Address #149 also follow up to #200
This PR adds persistance to existing async payjoin integration
This introduces neccessary database model and tables also add commad for resume to allow interrupted sessions to be continued also a particular session either send or receive.
A history commad to view payjoin history and status has been added

Notes to the reviewers

Step to review this include making a payjoin transaction

Run a receiver to get a BIP21 URI then pass it to the sender as seen in docs

bdk-cli/README.md

Lines 121 to 141 in b9cf2ac

	To start a Payjoin session as the receiver with regtest RPC and example OHTTP relays:
	```
	cargo run --features rpc -- --network regtest wallet --wallet payjoin_wallet1 config --ext-descriptor "wpkh(tprv8ZgxMBicQKsPd2PoUEcGNDHPZmVWgtPYERAwMG6qHheX6LN4oaazp3qZU7mykiaAZga1ZB2SJJR6Mriyq8MocMs7QTe7toaabSwTWu5fRFz/84h/1h/0h/0/*)#8guqp7rn" --client-type rpc --database-type sqlite --url "127.0.0.1:18443"
	cargo run --features rpc -- wallet --wallet payjoin_wallet1 sync
	cargo run --features rpc -- wallet --wallet payjoin_wallet1 balance
	cargo run --features rpc -- wallet --wallet payjoin_wallet1 receive_payjoin --amount 400000 --max_fee_rate 1000 --directory "https://payjo.in" --ohttp_relay "https://pj.bobspacebkk.com" --ohttp_relay "https://pj.benalleng.com"
	```
	To send a Payjoin with regtest RPC and example OHTTP relays:
	```
	cargo run --features rpc -- --network regtest wallet --wallet payjoin_wallet2 config --ext-descriptor "wpkh(tprv8ZgxMBicQKsPfBxswkATvZRQ9kDdRbJPtHYZaZCARL2myxcK7DqsqPhRo2G2rRVHFPbowq63BE6S4k2pUMYeF2fUMTT63Q7zhoXtKsM1FaS/84'/1'/0'/0/*)#qf5gnqrf" --client-type rpc --database-type sqlite --url "127.0.0.1:18443"
	cargo run --features rpc -- wallet --wallet payjoin_wallet2 sync
	cargo run --features rpc -- wallet --wallet payjoin_wallet2 balance
	cargo run --features rpc -- wallet --wallet payjoin_wallet2 send_payjoin --ohttp_relay "https://pj.bobspacebkk.com" --ohttp_relay "https://pj.benalleng.com" --fee_rate 1 --uri "<URI>"
	```

To test resumption, interrupt either side with Ctrl+C mid-session then run resume on that side to continue. A few scenarios worth covering: receiver resuming after interrupt and sender resuming after interrupt. Use history after each scenario to confirm the session state was persisted correctly.

docs for this can be seen in 7e4ffd1

Checklists

All Submissions:

• I've signed all my commits
• I followed the contribution guidelines
• I ran cargo fmt and cargo clippy before committing

New Features:

• I've added docs for the new feature

[coveralls]

Pull Request Test Coverage Report for Build 22068931916

Details

• 0 of 763 (0.0%) changed or added relevant lines in 5 files are covered.
• 5 unchanged lines in 3 files lost coverage.
• Overall coverage decreased (-1.9%) to 8.848%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
src/error.rs	0	21	0.0%
src/utils.rs	0	22	0.0%
src/handlers.rs	0	50	0.0%
src/payjoin/db.rs	0	262	0.0%
src/payjoin/mod.rs	0	408	0.0%

Files with Coverage Reduction	New Missed Lines	%
src/utils.rs	1	0.0%
src/handlers.rs	2	12.81%
src/payjoin/mod.rs	2	0.0%

Totals
Change from base Build 21153868360:	-1.9%
Covered Lines:	268
Relevant Lines:	3029

---

💛 - Coveralls

[tvpeter]

Thank you @Mshehu5 for working on this feature.

Below are some of the observations that I think will make the implementation better:

• I noticed that the implementation used only the sqlite db, and since sqlite is a db option in the project, I think it will be ideal if you also include implementation for redb db so users are free to choose any to use.
• The implementation does not provide for pruning/cleanup of data. Given that the db will tend to grow linearly and become sizable over time, I think it will be great to consider adding a pruning subcommand or mechanism that deletes irrelevant data.
• Since the save_event is generated at multiple transitions in a session, I think it will be great if you consider grouping such updates in a db transaction to ensure that entries are saved successfully.

I have also left some comments in the code.

Thank you.

[codecov]

Codecov Report

❌ Patch coverage is 68.38311% with 307 lines in your changes missing coverage. Please review.
✅ Project coverage is 26.28%. Comparing base (7c33b33) to head (54ae896).
⚠️ Report is 5 commits behind head on master.

Files with missing lines	Patch %	Lines
src/payjoin/mod.rs	26.04%	247 Missing ⚠️
src/payjoin/db.rs	95.00%	30 Missing ⚠️
src/handlers.rs	18.18%	27 Missing ⚠️
src/error.rs	0.00%	3 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           master     #242       +/-   ##
===========================================
+ Coverage   10.96%   26.28%   +15.31%     
===========================================
  Files           8        9        +1     
  Lines        2526     3584     +1058     
===========================================
+ Hits          277      942      +665     
- Misses       2249     2642      +393     

Flag	Coverage Δ
rust	26.28% <68.38%> (+15.31%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Mshehu5]

Thank you for the review!

Just wanted some clarifications

The implementation does not provide for pruning/cleanup of data. Given that the db will tend to grow linearly and become sizable over time, I think it will be great to consider adding a pruning subcommand or mechanism that deletes irrelevant data.

For this feature, how would you like it to be implemented? For example should we allow selecting a specific date or session to start pruning from? Or should it apply to all sessions older than a certain date? Alternatively should it target only expired or unsuccessful sessions?

I noticed that the implementation used only the sqlite db, and since sqlite is a db option in the project, I think it will be ideal if you also include implementation for redb db so users are free to choose any to use.

Also for the redb implementation most of the existing integrations have been built around SQLite so it made sense as the initial approach for this implementation. The Redb support may require some additional consideration and it would be good to align with the PayJoin team to ensure the approach is correct and consistent.
Given that would you prefer the Redb implementation to be included in this PR or would it be acceptable to handle it in a follow-up?

It would also be helpful to understand what you consider a hard requirement for this PR versus what can be iterated on in subsequent changes.

[va-an]

Hi @Mshehu5, thanks for this!

Could you update payjoin dependency to 1.0.0-rc.2 and run just pre-push?

I've got some errors from just pre-push like:

error[E0061]: this method takes 1 argument but 2 arguments were supplied
    --> src/payjoin/mod.rs:691:30
     |
 691 |   ...                   .check_payment(
     |                          ^^^^^^^^^^^^^
...
 704 | / ...                       |outpoint| {
 705 | | ...                           let utxo = self.wallet.get_utxo(outpoint);
 706 | | ...                           match utxo {
 707 | | ...                               Some(_) => Ok(false),
...    |
 710 | | ...                       }
     | |___________________________- unexpected argument #2 of type `{closure@src/payjoin/mod.rs:704:33: 704:43}`

[Mshehu5]

@va-an Thanks for the review! I bumped Payjoin to 1.0.0-rc.2 and just pre-push passes locally. Mind giving it a try on your end? Would appreciate your feedback

[Mshehu5]

@tvpeter Would really appreciate your feedback on this: #242 (comment)

It would help move this PR forward.

[tvpeter]

For this feature, how would you like it to be implemented? For example should we allow selecting a specific date or session to start pruning from? Or should it apply to all sessions older than a certain date? Alternatively should it target only expired or unsuccessful sessions?

I think it should apply to all sessions within a specific timeframe, say anything older than 30 days, and if it can be implemented without adding another command, that would be great. This can even go into another PR.

Also for the redb implementation most of the existing integrations have been built around SQLite so it made sense as the initial approach for this implementation. The Redb support may require some additional consideration and it would be good to align with the PayJoin team to ensure the approach is correct and consistent. Given that would you prefer the Redb implementation to be included in this PR or would it be acceptable to handle it in a follow-up?

That is still fine. It can form another PR, but it's one of the things you can consider adding.

It would also be helpful to understand what you consider a hard requirement for this PR versus what can be iterated on in subsequent changes.

The current implementation covering SQLite is good enough (and the most important). Those others can serve as improvements to the persistence feature.

[tvpeter]

@Mshehu5 please rebase

[Mshehu5]

Hello @notmandatory A review/feedback from you on this PR will really help push this forward

[DanGould]

@evanlinjin this might be a PR for us to look at together this week

[va-an]

Tried end-to-end on regtest with pj.bobspacebkk.com. The URI is generated and the persister state is saved correctly, but the first poll request fails:

-> % RUST_LOG=debug cargo run --features rpc -- \
    wallet --wallet payjoin_wallet1 \
    receive_payjoin \
    --amount 400000 \
    --max_fee_rate 1000 \
    --directory "https://payjo.in" \
    --ohttp_relay "https://pj.bobspacebkk.com"
...
[2026-05-26T20:05:14Z DEBUG bdk_cli] network: Testnet
[2026-05-26T20:05:14Z DEBUG bdk_cli::handlers] Sqlite database opened successfully
[2026-05-26T20:05:14Z DEBUG reqwest::connect] starting new connection: https://payjo.in/
[2026-05-26T20:05:14Z DEBUG reqwest::connect] proxy(https://pj.bobspacebkk.com/) intercepts 'https://payjo.in/'
Request Payjoin by sharing this Payjoin Uri:
bitcoin:bcrt1qn0wg553k3yfeg56535tej03wxv5yftzx4gpvpe?amount=0.004&pjos=0&pj=HTTPS://PAYJO.IN/SM6XG5LDPYGLC%23EX10D8PW6S-OH1QYPFLM8XL59R0XV4VGPLS7FRDSSM4TUXL07TXCWC4S0GLVLNK2SE4NQ-RK1QFF9Z8Y93K4TUVGJAHR9AX27SDPSJ88FY8HAC7SQ9DFCMCTJ5LSTZ
[2026-05-26T20:05:15Z DEBUG reqwest::connect] starting new connection: https://pj.bobspacebkk.com/
[2026-05-26T20:05:15Z ERROR bdk_cli] Reqwest error: error sending request for url (https://pj.bobspacebkk.com/https://payjo.in/)

After downgrading Cargo.toml to reqwest = "0.12.23" (the version used by the reference payjoin-cli), the polling succeeds and the CLI hangs waiting for the sender as expected:

-> % RUST_LOG=debug cargo run --features rpc -- \
    wallet --wallet payjoin_wallet1 \
    receive_payjoin \
    --amount 400000 \
    --max_fee_rate 1000 \
    --directory "https://payjo.in" \
    --ohttp_relay "https://pj.bobspacebkk.com"
...
[2026-05-26T20:04:24Z DEBUG bdk_cli] network: Testnet
[2026-05-26T20:04:24Z DEBUG bdk_cli::handlers] Sqlite database opened successfully
[2026-05-26T20:04:24Z DEBUG reqwest::connect] starting new connection: https://payjo.in/
[2026-05-26T20:04:24Z DEBUG reqwest::connect] proxy(https://pj.bobspacebkk.com/) intercepts 'https://payjo.in/'
Request Payjoin by sharing this Payjoin Uri:
bitcoin:bcrt1qn0wg553k3yfeg56535tej03wxv5yftzx4gpvpe?amount=0.004&pjos=0&pj=HTTPS://PAYJO.IN/7X88PY7FGVM07%23EX1F98PW6S-OH1QYPFLM8XL59R0XV4VGPLS7FRDSSM4TUXL07TXCWC4S0GLVLNK2SE4NQ-RK1Q2DC9EW9ECFDEZJ964H9ELY83F8HM7P3AFSJSFNW6VY9D3RPXE80X
[2026-05-26T20:04:25Z DEBUG reqwest::connect] starting new connection: https://pj.bobspacebkk.com/
^C

The reqwest 0.13.2 bump wasn't introduced by this PR (likely came in via a rebase on master), but as it stands the code doesn't work end-to-end.

[DanGould]

Went through this in prep for mob review, although I don't have.

The lack of any explained decision motivation in the commit messages is the fundamental to change first whenever asking for review. Whoever reads the history can see what is done. The commit message exists to tell the history of WHY you made changes. Tell me what you considered so I don't have to imagine.

Some things we'll talk about:

• appropriate use of modules
• rebasing
• Encapsulating payjoin business from cli business
• using the right version
• The right abstraction level for db vs a payjoin-specific storage/manager type

[DanGould]

Seems like the PayjoinManager could encapsulate the ReceiverPersister around the db itself. Why not?

[DanGould]

Why generic error instead of panic if session nonexistence otherwise panics?

[Mshehu5]

saw it in the reference implementation so I just went that direction. looked like the preferred
https://github.com/payjoin/rust-payjoin/blob/fb884d11996acea9d9bd5573b32b549b1bfdc334/payjoin-cli/src/app/v2/mod.rs#L230

[DanGould]

No relay no directory? What's the target of this request? Why not use the fetch function directly if not relay manager?

[DanGould]

This is how the reference does it payjoin/rust-payjoin#1582, though I note the payjoin-cli reference has no vec![] which adds further confusion to my eye

[Mshehu5]

vec![] here is not the request target. In this receiver flow the relay was already selected earlier when we fetched OHTTP keys and that relay is stored in relay_manager so this call just reuses it.

The reason payjoin-cli does not need the extra Vec is that it reads relay candidates from config inside the helper. In bdk-cli, relay candidates come from CLI input so the shared helper takes them as a parameter even though this specific receiver call site does not use them.

I could break down or add a function to just do select relay instead of trying to use unwrap_relay_or_else_fetch and having to settle the vec![] for thr function signature

[DanGould]

why time out after 30 seconds? Seems brief since payjoins are long-running and don't expire by default for 24h

[Mshehu5]

I forgot to talk about this during mob review because it was one of the tradeoff/design decisions in this PR.

This timeout is for a single session resume attempt not the session lifetime. I kept resume synchronous unlike payjoin-cli because the wallet in this codebase is currently handled as a single mutable resource. Making resume concurrent would require a broader refactor around shared wallet access and locking which felt too large (may change alot of things and how the maintainers intend codebase to be ) and beyond the scope of this PR (This is already a big PR ).
Given that, the 30-second outer timeout is there to prevent one resumed session from hanging indefinitely and blocking the rest of the queue. The payjoin session itself is still persisted and can be resumed again later this does not replace the protocol’s longer expiration window.

[Mshehu5]

I forgot to talk about this during mob review because it was one of the tradeoff/design decisions in this PR.

This timeout is for a single session resume attempt not the session lifetime. I kept resume synchronous unlike payjoin-cli because the wallet in this codebase is currently handled as a single mutable resource. Making resume concurrent would require a broader refactor around shared wallet access and locking which felt too large (may change alot of things and how the maintainers intend codebase to be ) and beyond the scope of this PR (This is already a big PR ).
Given that, the 30-second outer timeout is there to prevent one resumed session from hanging indefinitely and blocking the rest of the queue. The payjoin session itself is still persisted and can be resumed again later this does not replace the protocol’s longer expiration window.

[DanGould]

This seems like it's touching things outside of the scope of this PR. Are you sure these feature gates can be removed?

[Mshehu5]

This is related to #242 (comment) . handlers.rs no longer constructs Arc<Mutex> or opens the Payjoin DB before each PayjoinManager::new call. That setup now lives inside PayjoinManager::new.

After that refactor, Arc is no longer used in handlers.rs for rpc/cbf/electrum/esplora and Mutex is not used there at all. The remaining Arc uses are only under redb and compiler so the narrowed cfg matches the actual users.

[evanlinjin]

This struct does not earn it's keep and neither does the Mutex.

I think it would make more sense just to have separate functions instead of methods on Database (that doesn't need to be there).

The ...Persister types should just be:

stuct XxxPersister {
    conn: Rc<Connection>,
    session_id: SessionId,
} 

[Mshehu5]

@va-an Thank you for the review. The reqwest issue is fixed in 7ee0a71. The regression was caused by a separate merged PR that updated reqwest without enabling rustls. I have verified the fix locally and it should be ready for you to retest on your end.