fix(add-bond-invoice): pin newest info event and require a bolt11 reply

- fetch_bond_claim_window_days: select the kind-38385 info event by max
  created_at instead of relying on limit(1) + .first(), so a lagging or
  multi-relay setup can't surface a stale bond_payout_claim_window_days and
  render the wrong, user-facing forfeit deadline.

- execute_add_bond_invoice: the protocol's bond-payout reply is a bolt11, so
  stop forwarding Lightning Addresses verbatim (they'd bounce back as
  cant-do/invalid-invoice from Mostro). Validate the bolt11 locally and fail
  fast with a clear error; drop the now-unused LightningAddress/FromStr imports.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: grunch

src/cli/add_bond_invoice.rs

@@ -4,10 +4,8 @@ use crate::parser::common::{
 use crate::util::{print_dm_events, send_dm, wait_for_dm, WaitForDmTimeout};
 use crate::{cli::Context, db::Order, lightning::is_valid_invoice};
 use anyhow::Result;
-use lnurl::lightning_address::LightningAddress;
 use mostro_core::prelude::*;
 use nostr_sdk::prelude::*;
-use std::str::FromStr;
 use uuid::Uuid;
 
 /// Reply to a Mostro `add-bond-invoice` request: the non-slashed counterparty
@@ -50,18 +48,14 @@ pub async fn execute_add_bond_invoice(order_id: &Uuid, invoice: &str, ctx: &Cont
     ));
     println!("{table}");
     println!("💡 Sending bond payout invoice to Mostro...\n");
-    // Parse invoice (Lightning address or BOLT11) and build payload
-    let ln_addr = LightningAddress::from_str(invoice);
-    let payload = if ln_addr.is_ok() {
-        Payload::PaymentRequest(None, invoice.to_string(), None)
-    } else {
-        match is_valid_invoice(invoice) {
-            Ok(i) => Payload::PaymentRequest(None, i.to_string(), None),
-            Err(e) => {
-                return Err(anyhow::anyhow!("Invalid invoice: {}", e));
-            }
-        }
-    };
+    // The bond payout reply must be a bolt11 sized at the counterparty share.
+    // Lightning Addresses are not accepted here (the protocol's "Bond payout
+    // invoice" reply is a bolt11): validate locally so a bad input fails fast
+    // instead of bouncing back as a `cant-do` / `invalid-invoice` from Mostro.
+    let invoice = is_valid_invoice(invoice)
+        .map_err(|e| anyhow::anyhow!("Invalid invoice: {}", e))?
+        .to_string();
+    let payload = Payload::PaymentRequest(None, invoice, None);
 
     // Create request id
     let request_id = Uuid::new_v4().as_u128() as u64;

src/util/events.rs

@@ -94,16 +94,19 @@ pub fn create_filter(
 pub async fn fetch_bond_claim_window_days(ctx: &crate::cli::Context) -> Option<i64> {
     let filter = Filter::new()
         .author(ctx.mostro_pubkey)
-        .kind(nostr_sdk::Kind::Custom(NOSTR_INFO_EVENT_KIND))
-        .limit(1);
+        .kind(nostr_sdk::Kind::Custom(NOSTR_INFO_EVENT_KIND));
 
     let events = ctx
         .client
         .fetch_events(filter, FETCH_EVENTS_TIMEOUT)
         .await
         .ok()?;
 
-    let event = events.first()?;
+    // kind-38385 is replaceable, but pick the newest revision by `created_at`
+    // explicitly: a lagging relay (or several relays at once) can still surface
+    // an older copy, and a stale claim window would render the wrong, very
+    // user-facing forfeit deadline.
+    let event = events.iter().max_by_key(|e| e.created_at)?;
     for tag in event.tags.iter() {
         let slice = tag.as_slice();
         if slice.first().map(String::as_str) == Some("bond_payout_claim_window_days") {