- Handoff doc: mark Task #7 in-progress with what landed (backend modules, admin UI), what remains (cart-aware buyer UX, unit tests, live RN divergent-destination probe, optional auto-start cron). Promote the followups table from 'depends on' to 'status'. - Environment Variables: add DERIVED_DESTINATION_* block with KMS / Trezor production guidance. Code is on backend commit c98b3d7 / frontend commit 82d9a70, both on integrate-main-into-development. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
9.9 KiB
Handoff: Request Network In-House Checkout — 2026-05-28
Status: fully end-to-end working on dev.amn.gg as of 2.6.38 backend / 2.6.41 frontend. A 0.01 USDC payment (tx 0x494c77a2…) flowed: page render → wallet connect (Rabby/injected) → approve → transferFromWithReferenceAndFee → RN webhook → backend marks completed → page flips to "پرداخت تأیید شد ✓" → continue → /dashboard/payment/<id>.
What's live
- Backend 2.6.38 —
/api/payment/request-network/intentsreturns aninHouseCheckoutblock (destination, tokenAddress, decimals, chainId, proxyAddress, paymentReference 8-byte hex, feeAmount, feeAddress, amountWei).GET /api/payment/request-network/:paymentId/checkoutrehydrates the block for an existing Payment record (lazy-enriches legacy records that pre-date 2.6.34 by calling RN'sGET /v2/request/:id). PublicGET /api/versionfor the version badge.PaymentCoordinator.updatePurchaseRequestStatusguards bothtemplate-checkout-andtemplate-tc-prefixes (plus regex fallback for any non-ObjectId) — earlier thetemplate-tc-blindspot crashed webhook processing on template-checkout payments and stranded escrow. - Frontend 2.6.41 —
/checkout/request-network/[paymentId]page with wagmi state machine: connect → switch-chain → check-allowance → approve → pay → wait-for-webhook. Destination + payment-reference + approve-tx + pay-tx hashes are copyable and click through to BscScan. Once a pay tx is in flight the page no longer reverts to "approve" even though the proxy call consumed the allowance. A 10-secondGET /api/payment/:idpoll runs as a fallback when the socket missespayment-update. Success-state continue button handles synthetic purchaseRequestId prefixes (template-checkout-,template-tc-) by routing to/dashboard/payment/<id>instead of the 404-prone/dashboard/request/<syntheticId>. WagmiProvider is now rendered unconditionally + the checkout page also self-wraps in its own WagmiProvider for defensive isolation.
Verify which versions are running by hovering the version chip at bottom-left of any page on dev.amn.gg, or curl https://dev.amn.gg/api/version.
Where things stand
A real 0.01 USDC payment ran clean through the in-house path on 2026-05-28. Webhook delivery is durable enough for dev usage; durability for prod is Phase 5 (Cloudflare Worker ingress, not started). Five follow-up tasks were scoped immediately after — see PRD - Wallet, Multichain, Confirmations, AML, Trezor.md and Taskmaster #7..#11.
Known issues / open work
- TypeScript-error CI false-success: pipelines #40 and #41 reported ✅ green in Woodpecker while
yarn buildwas actually failing at the TS step and no image was pushed. Memory entry:woodpecker_silent_build_fail.md. Always verifydev-<version>exists ingit.manko.yogabefore trusting CI green. The wagmichainIdfield requiresas anybecause of its literal-union type — keep that pattern when adding new wagmi calls. - Existing/legacy Payment records (created before backend 2.6.34) don't have RN's request details cached. The GET endpoint lazy-enriches them via
GET /v2/request/:requestIdon first visit, then persists. If RN's API is down at that moment, falls back to the hosted-page link. - Mongo access is denied to the auto-mode classifier on dev — debugging payment records currently requires either the user's mongo creds or relying on the 409
debugblock surfaced through the frontend. - Wagmi provider isolation (2.6.39): The checkout page wraps itself in its own
WagmiProvider. The rootWeb3Provideralso rendersWagmiProviderunconditionally as of 2.6.38. The doubling is intentional defensiveness — if one provider has an issue, the other still serves the checkout flow. Can be simplified later if both prove stable. - PRD Phase 5 — Cloudflare Worker durable webhook ingress — not started. Taskmaster
3.13. Current dev relies ondev.amn.ggbeing up at the moment RN's webhook fires. For prod, RN webhooks need to land in a durable Cloudflare Worker that buffers + replays into the backend.
Files changed (recent)
Backend (/Users/manwe/CascadeProjects/escrow/backend):
src/services/payment/requestNetwork/contract.ts— spreads full RN response intorawsrc/services/payment/requestNetwork/inHouseCheckout.ts— block builder, readspaymentReferencefromrnRaw.requestDetails.paymentReferencesrc/services/payment/requestNetwork/merchantReference.ts,tokens.ts,proxyAddresses.ts,paymentReference.ts— helperssrc/services/payment/requestNetwork/requestNetworkPayInService.ts— callsGET /v2/requestafter intent creationsrc/services/payment/requestNetwork/requestNetworkRoutes.ts—GET /:paymentId/checkout+ lazy enrichment + debug responsesrc/services/payment/requestNetwork/networkClient.ts— already hadgetRequestStatussrc/app.ts—GET /api/version, exempt from rate limit__tests__/rn-in-house-checkout.test.ts— 12 unit tests, all green
Frontend (/Users/manwe/CascadeProjects/escrow/frontend):
src/web3/contracts/rn-fee-proxy.ts— RN proxy + ERC20 ABIssrc/web3/context/wagmi-provider.tsx— removed the mount-gate that causedWagmiProviderNotFoundErrorsrc/web3/components/provider-payment.tsx—router.pushto in-house page + sessionStorage stashsrc/sections/payment/checkout/types.ts+rn-in-house-checkout-view.tsx— state machine, local WagmiProvider wrapsrc/app/checkout/request-network/[paymentId]/page.tsx— app router entrysrc/components/version-logger.tsx— version chip + tooltip showing backend version
Memory entries added
MEMORY.mdindex updated with:arcane_dev_stack.md(env/project IDs, two-step deploy note)woodpecker_silent_build_fail.md(CI green ≠ image pushed)- and existing
rn_webhook_event_field.md,backend_rate_limits.md,telegram_notify_no_parse_mode.md,devEscrow_nginx_after_redeploy.md,parallel_agents_on_escrow.md
Open PRD questions still to decide
From PRD - Request Network In-House Checkout.md §10:
- Proxy address universality across chains (currently BSC + Arb confirmed; Task #8 will probe Polygon/ETH/Base)
- API pricing for hosted-UI-less usage (need RN account-mgmt question)
- Approval UX — exact-amount vs MAX_UINT256 (current: exact-amount)
- Cancel / timeout semantics for abandoned intents
- Telemetry events for in-house vs hosted A/B
Follow-up tasks (Taskmaster + PRD)
Five follow-ups scoped for kimi to pick up independently. Full spec in PRD - Wallet, Multichain, Confirmations, AML, Trezor.md. Quick index:
| # | Task | Priority | Status |
|---|---|---|---|
| 7 | Per-(buyer, sellerOffer) ephemeral RN destination wallets | high | 🟡 In progress — backend + admin UI shipped in 2.6.42, cart-aware buyer UX + tests + live RN-accepts-divergent-destination probe remain |
| 8 | Multichain RN proxy registry + USDC/USDT support | high | ⏳ Not started |
| 9 | Per-chain confirmation thresholds + admin UI | medium | ⏳ Not started |
| 10 | Optional AML screening on incoming payments (seller-paid) | medium | ⏳ Not started |
| 11 | Trezor signing for admin actions (release/refund/sweep) | high | ⏳ Not started |
Task #7 — what landed in 2.6.42
Backend (backend/src/services/payment/wallets/ + plumbing)
DerivedDestinationmodel:(buyerId, sellerOfferId, chainId)→ address, derivation path, status, sweep history.derivedDestinations.ts: xpub-driven HD address derivation, atomic counter-based index allocation, idempotentgetDestinationFor, race-safe upsert. Backend holdsDERIVED_DESTINATION_XPUBonly — master seed lives in KMS / Trezor (Task #11).sweepService.ts: pluggable signer abstraction (build-onlydefault;hot-keyfor dev), ERC-20 balance queries, sweep orchestration, interval-based cron.derivedDestinationRoutes.ts: admin-only REST endpoints (list, sweep-all, sweep-one, config health, cron start/stop/status). Mounted at/api/payment/derived-destinations.requestNetworkPayInService.tsnow callsgetDestinationFor(buyer, sellerOffer, chainId), builds the per-payment merchant reference viabuildMerchantReference, persistsmetadata.derivedDestination, and passes the override to RN.inHouseCheckout.tsaccepts adestinationOverride; the on-chainpaymentReferencecompute-fallback now uses the actual destination (previously readparsed.recipient— hidden bug because RN's response provides the ref directly, but the fallback was broken for derived destinations).TransactionSafetyProvider.resolveExpectedRecipientchecksmetadata.derivedDestination.addressfirst, then legacy fallback.
Frontend (admin only)
/dashboard/admin/derived-destinationspage (table view, filters by status/chain/address, pagination, sweep-all, cron start/stop).- Per-row UI: address with copy + BscScan link, status chip, derivation path, balance, sweep count, last sweep tx link.
Env additions (see backend/.env.example):
DERIVED_DESTINATION_XPUB— required for address derivation.DERIVED_DESTINATION_XPRIV— only whenDERIVED_DESTINATION_SWEEP_SIGNER=hot-key(dev shortcut).DERIVED_DESTINATION_BASE_PATH=m/44'/60'/0'DERIVED_DESTINATION_CHAIN_ID=56DERIVED_DESTINATION_SWEEP_SIGNER=build-onlyDERIVED_DESTINATION_MIN_SWEEP_AMOUNT=0DERIVED_DESTINATION_SWEEP_INTERVAL_MS=300000
Remaining in task #7:
- Cart-aware buyer UX on the in-house checkout (sequential multi-seller approval flow with clear progress UI).
- Unit tests for
derivedDestinations.ts(idempotency, race handling) andsweepService.ts. - Live probe on dev: confirm RN accepts divergent
destinationIdacross consecutivePOST /v2/secure-paymentscalls from the same client. - Optional: auto-start sweep cron on backend boot via
app.ts(currently manual via admin endpoint).