---
taskmaster_id: "7"
status: "pending"
priority: "high"
depends_on: []
parent_id: ""
source: "taskmaster"
generated_at: "2026-05-28T11:49:27.076Z"
---

# 7 - Per-(buyer, sellerOffer) ephemeral RN destination wallets

- [ ] 7 - Per-(buyer, sellerOffer) ephemeral RN destination wallets #taskmaster #priority/high #status/pending ⏫ 🆔 tm-7

## Metadata

| Field | Value |
| --- | --- |
| Taskmaster ID | 7 |
| Status | pending |
| Priority | high |
| Dependencies | None |
| Parent | None |

## Description

Replace the single shared Amanat destination wallet with a per-(buyerId, sellerOfferId) HD-derived address sent to Request Network on intent creation, plus sweep-on-approval and an admin UI.

## Details

See PRD - Wallet, Multichain, Confirmations, AML, Trezor.md §1.

Files:

- new backend/src/services/payment/wallets/derivedDestinations.ts (getDestinationFor(buyerId, sellerOfferId) → {address, derivationPath, chainId});
- Payment schema add metadata.derivedDestination;
- requestNetworkPayInService.ts override destinationId before POST /v2/secure-payments (we confirmed RN accepts different destinations per intent);
- new sweep cron + admin manual-trigger endpoint gated on Transaction Safety Provider;
- admin UI at /dashboard/admin/derived-destinations with address, balance, last sweep tx (BscScan link), ownership status.

Open questions to settle first:

- HD vs disposable EOAs vs smart-forwarder (recommended HD);
- sweep cadence (recommended immediate);
- granularity (recommended per-(buyer, seller), not per-payment);
- re-use vs rotate after sweep.

KMS-rooted seed; backend never holds raw private keys; signing via KMS API (Task #11 Trezor flow is the longer-term replacement).

Acceptance:

- two payments from one buyer to two sellers land on two different addresses;
- RN webhook fires for both;
- sweep is idempotent;
- master seed never leaves KMS.

## Verification

_No verification strategy._
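
The sketch below is an added example, not code from this project. It illustrates two points from Details: a deterministic (buyerId, sellerOfferId) to derivation path mapping that needs no key material in the backend, and a sweep that stays idempotent on retry. The path prefix, the HMAC label, `derivationPathFor` and `SweepLedger` are all assumptions, and address derivation and signing are left to the KMS.

```typescript
// Added example: the path layout, label and ledger are assumptions, not project code.
import { createHmac } from "node:crypto";

export interface DerivedDestinationRef {
  derivationPath: string; // BIP-32 path under the KMS-held seed
  chainId: number;
}

const PATH_PREFIX = "m/44'/60'/0'"; // assumed BIP-44 account for EVM chains
const INDEX_LABEL = "derived-destination-v1"; // assumed domain-separation label, not a secret

// Map (buyerId, sellerOfferId) to two non-hardened BIP-32 indices (31 bits each).
// Length prefixes keep ("ab", "c") and ("a", "bc") from producing the same input.
export function derivationPathFor(
  buyerId: string,
  sellerOfferId: string,
  chainId: number,
): DerivedDestinationRef {
  if (!buyerId || !sellerOfferId) throw new Error("buyerId and sellerOfferId are required");
  const input = `${buyerId.length}:${buyerId}|${sellerOfferId.length}:${sellerOfferId}`;
  const digest = createHmac("sha256", INDEX_LABEL).update(input, "utf8").digest();
  const a = digest.readUInt32BE(0) & 0x7fffffff;
  const b = digest.readUInt32BE(4) & 0x7fffffff;
  return { derivationPath: `${PATH_PREFIX}/${a}/${b}`, chainId };
}

// One sweep per (chainId, path, approved payment); a retry returns the first tx hash.
// The Map stands in for a table with a unique index on the key.
export class SweepLedger {
  private done = new Map<string, string>();

  sweepOnce(ref: DerivedDestinationRef, paymentId: string, send: () => string): string {
    const key = `${ref.chainId}:${ref.derivationPath}:${paymentId}`;
    const prior = this.done.get(key);
    if (prior !== undefined) return prior;
    const txHash = send(); // stand-in for the KMS-signed sweep transaction
    this.done.set(key, txHash);
    return txHash;
  }
}
```

Because the indices come from a hash, two pairs can in principle map to the same path, so the stored metadata.derivedDestination should carry a uniqueness constraint on the path.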