This is an implementation of no_std support for the payjoin crate,
enabling its use on embedded devices.
As discussed in #942, running payjoin logic on a hardware signer enables
stronger security guarantees: the device can verify the fallback transaction,
compare it against the payjoin proposal, and only sign previously-approved
inputs — without trusting the host machine.
Feature Architecture
A new v2-std feature was introduced to separate the state machine logic
from networking dependencies:
| Feature | Description |
| --- | --- |
| alloc | bare metal support, state machine logic only |
| v2 | async payjoin session logic without networking |
| v2-std | v2 + networking (url, ohttp, hpke, bhttp, http) |
| std | full std support with tokio, serde_json, bitcoin/base64 |
refactor: introduce no_std/alloc feature split in payjoin core
The main structural change — replaces std:: with core::/alloc:: and gates std-only deps behind #[cfg(feature = "std")] or #[cfg(feature = "v2-std")].
fix: gate v2 std-only code behind cfg features
Extends gating to v2 send/receive and persist. Key decisions: HasReplyableError now carries fallback_tx in both configs to preserve fallback through replay; MaybeSuccessTransition::deconstruct uses Save instead of SaveAndClose on success.
fix: update payjoin-ffi for no_std feature split
Minimal FFI updates to match new AsyncSessionPersister bounds.
fix: restore OHTTP test constants and enable v2 feature in test utils
KEM, KEY_ID, SYMMETRIC were dropped upstream without updating internal tests. Restores them in payjoin-test-utils/src/v2.rs.
chore: update CI, lock files and flake for no_std targets
Adds thumbv7em-none-eabihf to CI and ARM cross-toolchain to the Nix dev shell.
AI Assistance
This implementation was developed with AI assistance (Claude, Anthropic).
Pull Request Checklist
Please confirm the following before requesting review:
Great to see this take off here. My biggest question is about v2-std which expresses that it's about "networking" but really it's the wire serialization. Is it possible to use the library without that? I'm not sure it is.
> My biggest question is about v2-std which expresses that it's about "networking" but really it's the wire serialization. Is it possible to use the library without that? I'm not sure it is.
After reviewing the code, v2-std as a standalone feature had no clear use case; any consumer that needs OHTTP networking will reach for v2-ohttp or io, and v2-std alone didn't even compile correctly due to untested feature combinations. I've collapsed v2-std into v2-ohttp, simplifying the feature hierarchy to: alloc → v2 → v2-ohttp → io.
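The signer-side comparison that the PR description motivates (check the proposal against the approved fallback transaction, then sign only previously-approved inputs), as an added example that is not code from this PR or from the payjoin crate. `OutPoint`, `ProposalError`, `signable_inputs` and `sample` are hypothetical names, and only `core`/`alloc` items are used so the logic fits the alloc-only configuration.

```rust
// Added example: hypothetical types, not the payjoin crate's API.
// Only `core` and `alloc` are used, so the same logic builds without `std`.
extern crate alloc;
use alloc::vec::Vec;

/// Reference to a previous output being spent.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct OutPoint { pub txid: [u8; 32], pub vout: u32 }

#[derive(Debug, PartialEq, Eq)]
pub enum ProposalError {
    /// The proposal dropped an input approved in the fallback transaction.
    MissingApprovedInput(OutPoint),
    /// The same outpoint appears twice in the proposal.
    DuplicateInput(OutPoint),
}

/// Compare the proposal's inputs with the approved fallback transaction's inputs
/// and return the proposal input indices the device is allowed to sign.
pub fn signable_inputs(approved: &[OutPoint], proposal: &[OutPoint])
    -> Result<Vec<usize>, ProposalError>
{
    for (i, op) in proposal.iter().enumerate() {
        if proposal[..i].contains(op) {
            return Err(ProposalError::DuplicateInput(*op));
        }
    }
    // Every approved input must still be present in the proposal.
    for op in approved {
        if !proposal.contains(op) {
            return Err(ProposalError::MissingApprovedInput(*op));
        }
    }
    // Inputs added by the other party are never signed by this device.
    Ok(proposal.iter().enumerate()
        .filter(|(_, op)| approved.contains(op))
        .map(|(i, _)| i)
        .collect())
}

/// Constructed sample outpoint (not real chain data).
pub fn sample(tag: u8, vout: u32) -> OutPoint {
    OutPoint { txid: [tag; 32], vout }
}

fn main() {
    let approved = [sample(0xAA, 0)];
    let proposal = [sample(0xBB, 1), sample(0xAA, 0)];
    assert_eq!(signable_inputs(&approved, &proposal), Ok(vec![1]));
}
```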
Verified Build Targets
cargo build -p payjoin --no-default-features --features v2,alloc
cargo build -p payjoin --no-default-features --features v2,alloc --target thumbv7em-none-eabihf
-p payjoin
cargo build -p payjoin --no-default-features --features v2,std
Notes for Reviewers
Please review commit by commit.