docs: sync vault with Task #7 backend + admin UI shipping (2.6.42)

- Handoff doc: mark Task #7 in-progress with what landed (backend
  modules, admin UI), what remains (cart-aware buyer UX, unit tests,
  live RN divergent-destination probe, optional auto-start cron).
  Promote the followups table from 'depends on' to 'status'.
- Environment Variables: add DERIVED_DESTINATION_* block with KMS /
  Trezor production guidance.

Code is on backend commit c98b3d7 / frontend commit 82d9a70, both
on integrate-main-into-development.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Siavash Sameni
2026-05-28 16:35:18 +04:00
parent 31dd475b73
commit d80892dbaa
2 changed files with 51 additions and 7 deletions

@@ -299,8 +299,22 @@ AUTO_SEED_ON_START=true
ESCROW_WALLET_ADDRESS=0xa3049825c0785095EEd5E7976E0E539466c84044
ADMIN_PAYOUT_WALLET_ADDRESS=
# Derived destinations (per-(buyer, sellerOffer) RN ephemeral wallets — Task #7)
# Backend ONLY needs the xpub. The master seed must live in KMS/Trezor.
DERIVED_DESTINATION_XPUB=
# Only set DERIVED_DESTINATION_XPRIV when DERIVED_DESTINATION_SWEEP_SIGNER=hot-key
# (dev shortcut). For prod, leave this blank and use the Trezor flow (Task #11).
DERIVED_DESTINATION_XPRIV=
DERIVED_DESTINATION_BASE_PATH=m/44'/60'/0'
DERIVED_DESTINATION_CHAIN_ID=56
DERIVED_DESTINATION_SWEEP_SIGNER=build-only
DERIVED_DESTINATION_MIN_SWEEP_AMOUNT=0
DERIVED_DESTINATION_SWEEP_INTERVAL_MS=300000
# OAuth
GOOGLE_CLIENT_ID=
```
> [!tip] Generate `JWT_SECRET` deterministically per environment so you don't accidentally invalidate sessions when restarting. Store it in your team's secret manager.
> [!warning] `DERIVED_DESTINATION_XPRIV` is a development-only shortcut. In production, set `DERIVED_DESTINATION_SWEEP_SIGNER=build-only` and pair with Task #11 Trezor signing so the master seed never sits on the backend host.
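Review bot: the comment above DERIVED_DESTINATION_XPUB should state which derivation path the xpub is exported at. DERIVED_DESTINATION_BASE_PATH=m/44'/60'/0' consists only of hardened components, and an xpub cannot derive hardened children, so this only works if the xpub is the account-level key at that path and the per-(buyer, sellerOffer) addresses use non-hardened indices below it; say so next to the variable so an operator does not paste an xpub exported at a different level. In the same block, the XPRIV comment ties the key to DERIVED_DESTINATION_SWEEP_SIGNER=hot-key, but neither that comment nor the warning callout says what happens when XPRIV is populated while SWEEP_SIGNER=build-only; document whether the backend ignores it or refuses to start. DERIVED_DESTINATION_MIN_SWEEP_AMOUNT=0 needs its unit stated (wei or whole tokens), and the accepted values of SWEEP_SIGNER should be listed in one place, since only build-only and hot-key appear in these lines.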