fix: enforce UIVK uniqueness at merchant registration

Reject duplicate viewing keys before INSERT — the DB UNIQUE constraint
on the encrypted ufvk column was ineffective (AES-GCM random nonce
produces different ciphertext each time). Check via deterministic
payment_address instead. Returns 409 Conflict with clear error message.

Author: Kenbak

ROADMAP.md

@@ -96,11 +96,14 @@ Privacy-preserving Zcash payment gateway. Non-custodial, shielded-only.
 - [x] **@cipherpay/mcp** — MCP server for Claude/Cursor (invoices, rates, x402 verify, sessions)
 - [x] **Agent sessions** — prepaid credit system: deposit ZEC, get bearer token, pay per-request
 - [x] **Agent wallet CLI** (`@cipherpay/zipher-cli`) — headless Zcash wallet for agents (pay, sessions, x402, MPP)
+- [x] **UIVK uniqueness enforcement** — reject registration if viewing key already belongs to a merchant (prevents duplicate scanning, double billing, cross-merchant payment confusion). Applies to both dashboard and programmatic registration.
 - [ ] **Programmatic merchant registration** — agents create their own merchant accounts via API
   - `POST /api/merchants/register` with `{ ufvk, payment_address }`
   - Requires ~$10 USD deposit in shielded ZEC (anti-spam)
   - Deposit split: portion kept as CipherPay activation fee, remainder credited to merchant fee balance
-  - Returns `{ merchant_id, api_key }` — no dashboard, no password
+  - Returns `{ merchant_id, api_key }` — no dashboard, no password, API-only
+  - Agent merchants have no dashboard access by design (no credentials to leak via prompt injection)
+  - If human wants dashboard: register normally, hand API key to agent
   - Enables fully autonomous agent-to-agent commerce
   - Rate limited + UFVK validation before scanner activation
 - [ ] **@cipherpay/wallet-mcp** — MCP server wrapping `zipher-cli` so AI agents can send ZEC

src/api/merchants.rs

@@ -17,10 +17,17 @@ pub async fn create(
     match create_merchant(pool.get_ref(), &body, &config.encryption_key).await {
         Ok(resp) => HttpResponse::Created().json(resp),
         Err(e) => {
-            tracing::error!(error = %e, "Failed to create merchant");
-            HttpResponse::InternalServerError().json(serde_json::json!({
-                "error": "Failed to create merchant"
-            }))
+            let msg = e.to_string();
+            if msg.contains("already registered") {
+                HttpResponse::Conflict().json(serde_json::json!({
+                    "error": msg
+                }))
+            } else {
+                tracing::error!(error = %e, "Failed to create merchant");
+                HttpResponse::InternalServerError().json(serde_json::json!({
+                    "error": "Failed to create merchant"
+                }))
+            }
         }
     }
 }

src/merchants/mod.rs

@@ -81,6 +81,18 @@ pub async fn create_merchant(
         .map_err(|e| anyhow::anyhow!("Invalid viewing key — could not derive address: {}", e))?;
     let payment_address = derived.ua_string;
 
+    // Reject if this viewing key is already registered (same UIVK = same derived address)
+    let existing: Option<(String,)> = sqlx::query_as(
+        "SELECT id FROM merchants WHERE payment_address = ?"
+    )
+    .bind(&payment_address)
+    .fetch_optional(pool)
+    .await?;
+
+    if existing.is_some() {
+        anyhow::bail!("A merchant with this viewing key is already registered");
+    }
+
     let id = Uuid::new_v4().to_string();
     let api_key = generate_api_key();
     let key_hash = hash_key(&api_key);