Bug
src/routes/username.ts:320 calls POST ${INVITE_FAUCET_URL}/api/invite/redeem. That endpoint does not exist on the invite-darshan service.
divine-invite-darshan exposes /v1/consume-invite (and related) under the /v1/ prefix; the /api/invite/redeem path returns 404 from the faucet's route table.
Impact
Any username-claim flow that requires an invite redemption will fail silently (the code/path treats redemption as a precondition to reservation). If INVITE_FAUCET_URL is set in the environment, the redemption call 404s; if it's unset, the branch is skipped. Either way, the redemption side of the flow doesn't happen, and name-server reservations that should be invite-gated are effectively ungated.
Recommended fix
Update the URL to call the real endpoint (${INVITE_FAUCET_URL}/v1/consume-invite) and adjust the request body / auth to match that endpoint's contract. That endpoint requires a NIP-98 auth header signed by the invitee's keypair — if the name-server doesn't have access to the invitee's signer, this redemption path needs an alternative (e.g., a dedicated admin-level endpoint on invite-darshan that consumes a code on behalf of a target pubkey, which would itself be a new feature on invite-darshan).
Alternatively, remove the redemption branch if it's vestigial.
Origin
Identified during ecosystem audit for divine-invite-darshan PR #39. Flagged because it lives in the invite-code redemption path and silently no-ops today.
Bug
src/routes/username.ts:320callsPOST ${INVITE_FAUCET_URL}/api/invite/redeem. That endpoint does not exist on the invite-darshan service.divine-invite-darshanexposes/v1/consume-invite(and related) under the/v1/prefix; the/api/invite/redeempath returns 404 from the faucet's route table.Impact
Any username-claim flow that requires an invite redemption will fail silently (the code/path treats redemption as a precondition to reservation). If
INVITE_FAUCET_URLis set in the environment, the redemption call 404s; if it's unset, the branch is skipped. Either way, the redemption side of the flow doesn't happen, and name-server reservations that should be invite-gated are effectively ungated.Recommended fix
Update the URL to call the real endpoint (
${INVITE_FAUCET_URL}/v1/consume-invite) and adjust the request body / auth to match that endpoint's contract. That endpoint requires a NIP-98 auth header signed by the invitee's keypair — if the name-server doesn't have access to the invitee's signer, this redemption path needs an alternative (e.g., a dedicated admin-level endpoint on invite-darshan that consumes a code on behalf of a target pubkey, which would itself be a new feature on invite-darshan).Alternatively, remove the redemption branch if it's vestigial.
Origin
Identified during ecosystem audit for divine-invite-darshan PR #39. Flagged because it lives in the invite-code redemption path and silently no-ops today.