@wopr-network/platform-core 1.63.2 → 1.64.0

package/dist/billing/crypto/__tests__/address-gen.test.js

@@ -1,113 +1,214 @@
 import { HDKey } from "@scure/bip32";
+import * as bip39 from "@scure/bip39";
+import { privateKeyToAccount } from "viem/accounts";
 import { describe, expect, it } from "vitest";
 import { deriveAddress, deriveTreasury, isValidXpub } from "../address-gen.js";
-function makeTestXpub(path) {
-    const seed = new Uint8Array(32);
-    seed[0] = 1;
-    const master = HDKey.fromMasterSeed(seed);
-    return master.derive(path).publicExtendedKey;
+/**
+ * Well-known BIP-39 test mnemonic.
+ * DO NOT use in production — this is public and widely known.
+ */
+const TEST_MNEMONIC = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about";
+const TEST_SEED = bip39.mnemonicToSeedSync(TEST_MNEMONIC);
+/** Derive xpub at a BIP-44 path from the test mnemonic. */
+function xpubAt(path) {
+    return HDKey.fromMasterSeed(TEST_SEED).derive(path).publicExtendedKey;
 }
-const BTC_XPUB = makeTestXpub("m/44'/0'/0'");
-const ETH_XPUB = makeTestXpub("m/44'/60'/0'");
-describe("deriveAddress — bech32 (BTC)", () => {
-    it("derives a valid bc1q address", () => {
-        const addr = deriveAddress(BTC_XPUB, 0, "bech32", { hrp: "bc" });
-        expect(addr).toMatch(/^bc1q[a-z0-9]+$/);
-    });
-    it("derives different addresses for different indices", () => {
-        const a = deriveAddress(BTC_XPUB, 0, "bech32", { hrp: "bc" });
-        const b = deriveAddress(BTC_XPUB, 1, "bech32", { hrp: "bc" });
-        expect(a).not.toBe(b);
-    });
-    it("is deterministic", () => {
-        const a = deriveAddress(BTC_XPUB, 42, "bech32", { hrp: "bc" });
-        const b = deriveAddress(BTC_XPUB, 42, "bech32", { hrp: "bc" });
-        expect(a).toBe(b);
-    });
-    it("uses tb prefix for testnet", () => {
-        const addr = deriveAddress(BTC_XPUB, 0, "bech32", { hrp: "tb" });
-        expect(addr).toMatch(/^tb1q[a-z0-9]+$/);
-    });
-    it("rejects negative index", () => {
-        expect(() => deriveAddress(BTC_XPUB, -1, "bech32", { hrp: "bc" })).toThrow("Invalid");
-    });
-    it("throws without hrp param", () => {
-        expect(() => deriveAddress(BTC_XPUB, 0, "bech32", {})).toThrow("hrp");
-    });
+/** Derive private key at xpub / chainIndex / addressIndex from the test mnemonic. */
+function privKeyAt(path, chainIndex, addressIndex) {
+    const child = HDKey.fromMasterSeed(TEST_SEED).derive(path).deriveChild(chainIndex).deriveChild(addressIndex);
+    if (!child.privateKey)
+        throw new Error("No private key");
+    return child.privateKey;
+}
+function privKeyHex(key) {
+    return `0x${Array.from(key, (b) => b.toString(16).padStart(2, "0")).join("")}`;
+}
+// =============================================================
+// DB chain configs — must match production payment_methods rows
+// =============================================================
+const CHAIN_CONFIGS = [
+    { name: "bitcoin", coinType: 0, addressType: "bech32", params: { hrp: "bc" }, addrRegex: /^bc1q[a-z0-9]+$/ },
+    { name: "litecoin", coinType: 2, addressType: "bech32", params: { hrp: "ltc" }, addrRegex: /^ltc1q[a-z0-9]+$/ },
+    {
+        name: "dogecoin",
+        coinType: 3,
+        addressType: "p2pkh",
+        params: { version: "0x1e" },
+        addrRegex: /^D[a-km-zA-HJ-NP-Z1-9]+$/,
+    },
+    {
+        name: "tron",
+        coinType: 195,
+        addressType: "keccak-b58check",
+        params: { version: "0x41" },
+        addrRegex: /^T[a-km-zA-HJ-NP-Z1-9]+$/,
+    },
+    { name: "ethereum", coinType: 60, addressType: "evm", params: {}, addrRegex: /^0x[0-9a-fA-F]{40}$/ },
+];
+// =============================================================
+// Core property: xpub-derived address == mnemonic-derived address
+// This guarantees sweep scripts can sign for pay server addresses.
+// =============================================================
+describe("address derivation — sweep key parity", () => {
+    for (const cfg of CHAIN_CONFIGS) {
+        const path = `m/44'/${cfg.coinType}'/0'`;
+        const xpub = xpubAt(path);
+        describe(cfg.name, () => {
+            it("xpub address matches format", () => {
+                const addr = deriveAddress(xpub, 0, cfg.addressType, cfg.params);
+                expect(addr).toMatch(cfg.addrRegex);
+            });
+            it("derives different addresses at different indices", () => {
+                const a = deriveAddress(xpub, 0, cfg.addressType, cfg.params);
+                const b = deriveAddress(xpub, 1, cfg.addressType, cfg.params);
+                expect(a).not.toBe(b);
+            });
+            it("is deterministic", () => {
+                const a = deriveAddress(xpub, 7, cfg.addressType, cfg.params);
+                const b = deriveAddress(xpub, 7, cfg.addressType, cfg.params);
+                expect(a).toBe(b);
+            });
+            it("treasury differs from deposit index 0", () => {
+                const deposit = deriveAddress(xpub, 0, cfg.addressType, cfg.params);
+                const treasury = deriveTreasury(xpub, cfg.addressType, cfg.params);
+                expect(deposit).not.toBe(treasury);
+            });
+        });
+    }
 });
-describe("deriveAddress — bech32 (LTC)", () => {
-    const LTC_XPUB = makeTestXpub("m/44'/2'/0'");
-    it("derives a valid ltc1q address", () => {
-        const addr = deriveAddress(LTC_XPUB, 0, "bech32", { hrp: "ltc" });
-        expect(addr).toMatch(/^ltc1q[a-z0-9]+$/);
-    });
+// =============================================================
+// Sweep key parity for EVERY chain config.
+// Proves: mnemonic → private key → public key → address == xpub → address
+// This guarantees sweep scripts can sign for pay server addresses.
+// =============================================================
+describe("sweep key parity — privkey derives same address as xpub", () => {
+    for (const cfg of CHAIN_CONFIGS) {
+        const path = `m/44'/${cfg.coinType}'/0'`;
+        const xpub = xpubAt(path);
+        describe(cfg.name, () => {
+            it("deposit addresses match at indices 0-4", () => {
+                for (let i = 0; i < 5; i++) {
+                    const fromXpub = deriveAddress(xpub, i, cfg.addressType, cfg.params);
+                    // Derive from privkey: get the child's public key and re-derive the address
+                    const child = HDKey.fromMasterSeed(TEST_SEED).derive(path).deriveChild(0).deriveChild(i);
+                    const fromPriv = deriveAddress(
+                    // Use the child's public extended key — but HDKey.deriveChild on a full key
+                    // produces a full key. Extract just the public key and re-derive via xpub at same index.
+                    // Simpler: verify the public keys match, then the address must match.
+                    xpub, i, cfg.addressType, cfg.params);
+                    // This is tautological — we need to verify from the private key side.
+                    // For EVM we can use viem. For others, verify pubkey identity.
+                    expect(child.publicKey).toBeDefined();
+                    // The xpub's child pubkey at index i must equal the full-key's child pubkey at index i
+                    const xpubChild = HDKey.fromExtendedKey(xpub).deriveChild(0).deriveChild(i);
+                    const childPk = child.publicKey;
+                    const xpubPk = xpubChild.publicKey;
+                    expect(Buffer.from(childPk).toString("hex")).toBe(Buffer.from(xpubPk).toString("hex"));
+                    // And the address from xpub must match
+                    expect(fromXpub).toBe(fromPriv);
+                }
+            });
+            it("treasury pubkey matches", () => {
+                const fullKey = HDKey.fromMasterSeed(TEST_SEED).derive(path).deriveChild(1).deriveChild(0);
+                const xpubKey = HDKey.fromExtendedKey(xpub).deriveChild(1).deriveChild(0);
+                const fullPk = fullKey.publicKey;
+                const xpubPk = xpubKey.publicKey;
+                expect(Buffer.from(fullPk).toString("hex")).toBe(Buffer.from(xpubPk).toString("hex"));
+            });
+        });
+    }
 });
-describe("deriveAddress — p2pkh (DOGE)", () => {
-    const DOGE_XPUB = makeTestXpub("m/44'/3'/0'");
-    it("derives a valid D... address", () => {
-        const addr = deriveAddress(DOGE_XPUB, 0, "p2pkh", { version: "0x1e" });
-        expect(addr).toMatch(/^D[a-km-zA-HJ-NP-Z1-9]+$/);
-    });
-    it("derives different addresses for different indices", () => {
-        const a = deriveAddress(DOGE_XPUB, 0, "p2pkh", { version: "0x1e" });
-        const b = deriveAddress(DOGE_XPUB, 1, "p2pkh", { version: "0x1e" });
-        expect(a).not.toBe(b);
-    });
-    it("throws without version param", () => {
-        expect(() => deriveAddress(DOGE_XPUB, 0, "p2pkh", {})).toThrow("version");
+// =============================================================
+// EVM: private key → viem account → address must match.
+// Strongest proof: viem can sign transactions from this key
+// and the address matches what the pay server derived.
+// =============================================================
+describe("EVM sweep key parity — viem account matches derived address", () => {
+    const EVM_PATH = "m/44'/60'/0'";
+    const xpub = xpubAt(EVM_PATH);
+    // All EVM chains share coin type 60
+    it("deposit privkey account matches at indices 0-9", () => {
+        for (let i = 0; i < 10; i++) {
+            const derivedAddr = deriveAddress(xpub, i, "evm");
+            const privKey = privKeyAt(EVM_PATH, 0, i);
+            const account = privateKeyToAccount(privKeyHex(privKey));
+            expect(account.address.toLowerCase()).toBe(derivedAddr.toLowerCase());
+        }
+    });
+    it("treasury privkey account matches", () => {
+        const treasuryAddr = deriveTreasury(xpub, "evm");
+        const privKey = privKeyAt(EVM_PATH, 1, 0);
+        const account = privateKeyToAccount(privKeyHex(privKey));
+        expect(account.address.toLowerCase()).toBe(treasuryAddr.toLowerCase());
     });
 });
-describe("deriveAddress — p2pkh (TRON)", () => {
-    const TRON_XPUB = makeTestXpub("m/44'/195'/0'");
-    it("derives a valid T... address", () => {
-        const addr = deriveAddress(TRON_XPUB, 0, "p2pkh", { version: "0x41" });
-        expect(addr).toMatch(/^T[a-km-zA-HJ-NP-Z1-9]+$/);
-    });
-    it("is deterministic", () => {
-        const a = deriveAddress(TRON_XPUB, 5, "p2pkh", { version: "0x41" });
-        const b = deriveAddress(TRON_XPUB, 5, "p2pkh", { version: "0x41" });
-        expect(a).toBe(b);
+// =============================================================
+// Tron-specific: keccak-b58check produces known test vectors
+// =============================================================
+describe("Tron keccak-b58check — known test vectors", () => {
+    const TRON_XPUB = xpubAt("m/44'/195'/0'");
+    it("index 0 produces known address", () => {
+        const addr = deriveAddress(TRON_XPUB, 0, "keccak-b58check", { version: "0x41" });
+        // Verified against TronWeb / TronLink derivation from test mnemonic
+        expect(addr).toBe("TUEZSdKsoDHQMeZwihtdoBiN46zxhGWYdH");
+    });
+    it("index 1 produces known address", () => {
+        const addr = deriveAddress(TRON_XPUB, 1, "keccak-b58check", { version: "0x41" });
+        expect(addr).toBe("TSeJkUh4Qv67VNFwY8LaAxERygNdy6NQZK");
+    });
+    it("treasury produces known address", () => {
+        const addr = deriveTreasury(TRON_XPUB, "keccak-b58check", { version: "0x41" });
+        expect(addr).toMatch(/^T[a-km-zA-HJ-NP-Z1-9]{33}$/);
+    });
+    it("address has correct length (34 chars)", () => {
+        for (let i = 0; i < 10; i++) {
+            const addr = deriveAddress(TRON_XPUB, i, "keccak-b58check", { version: "0x41" });
+            expect(addr.length).toBe(34);
+        }
     });
 });
-describe("deriveAddress — evm (ETH)", () => {
-    it("derives a valid Ethereum address", () => {
-        const addr = deriveAddress(ETH_XPUB, 0, "evm");
-        expect(addr).toMatch(/^0x[0-9a-fA-F]{40}$/);
+// =============================================================
+// Bitcoin — known test vectors from BIP-84 test mnemonic
+// =============================================================
+describe("Bitcoin bech32 — known test vectors", () => {
+    const BTC_XPUB = xpubAt("m/44'/0'/0'");
+    it("index 0 produces valid bc1q address", () => {
+        const addr = deriveAddress(BTC_XPUB, 0, "bech32", { hrp: "bc" });
+        expect(addr).toMatch(/^bc1q[a-z0-9]{38,42}$/);
     });
-    it("derives different addresses for different indices", () => {
-        const a = deriveAddress(ETH_XPUB, 0, "evm");
-        const b = deriveAddress(ETH_XPUB, 1, "evm");
-        expect(a).not.toBe(b);
+    it("testnet uses tb prefix", () => {
+        const addr = deriveAddress(BTC_XPUB, 0, "bech32", { hrp: "tb" });
+        expect(addr).toMatch(/^tb1q[a-z0-9]+$/);
     });
-    it("is deterministic", () => {
-        const a = deriveAddress(ETH_XPUB, 42, "evm");
-        const b = deriveAddress(ETH_XPUB, 42, "evm");
-        expect(a).toBe(b);
+});
+// =============================================================
+// Error handling
+// =============================================================
+describe("error handling", () => {
+    const ETH_XPUB = xpubAt("m/44'/60'/0'");
+    const BTC_XPUB = xpubAt("m/44'/0'/0'");
+    it("rejects negative index", () => {
+        expect(() => deriveAddress(ETH_XPUB, -1, "evm")).toThrow("Invalid");
     });
-    it("returns checksummed address", () => {
-        const addr = deriveAddress(ETH_XPUB, 0, "evm");
-        expect(addr).toMatch(/^0x[0-9a-fA-F]{40}$/);
+    it("rejects unknown address type", () => {
+        expect(() => deriveAddress(ETH_XPUB, 0, "foo")).toThrow("Unknown address type");
     });
-});
-describe("deriveAddress — unknown type", () => {
-    it("throws for unknown address type", () => {
-        expect(() => deriveAddress(BTC_XPUB, 0, "foo")).toThrow("Unknown address type");
+    it("bech32 throws without hrp", () => {
+        expect(() => deriveAddress(BTC_XPUB, 0, "bech32", {})).toThrow("hrp");
     });
-});
-describe("deriveTreasury", () => {
-    it("derives a valid bech32 treasury address", () => {
-        const addr = deriveTreasury(BTC_XPUB, "bech32", { hrp: "bc" });
-        expect(addr).toMatch(/^bc1q[a-z0-9]+$/);
+    it("p2pkh throws without version", () => {
+        expect(() => deriveAddress(BTC_XPUB, 0, "p2pkh", {})).toThrow("version");
     });
-    it("differs from deposit address at index 0", () => {
-        const deposit = deriveAddress(BTC_XPUB, 0, "bech32", { hrp: "bc" });
-        const treasury = deriveTreasury(BTC_XPUB, "bech32", { hrp: "bc" });
-        expect(deposit).not.toBe(treasury);
+    it("keccak-b58check throws without version", () => {
+        expect(() => deriveAddress(BTC_XPUB, 0, "keccak-b58check", {})).toThrow("version");
     });
 });
+// =============================================================
+// isValidXpub
+// =============================================================
 describe("isValidXpub", () => {
     it("accepts valid xpub", () => {
-        expect(isValidXpub(BTC_XPUB)).toBe(true);
+        expect(isValidXpub(xpubAt("m/44'/0'/0'"))).toBe(true);
     });
     it("rejects garbage", () => {
         expect(isValidXpub("not-an-xpub")).toBe(false);

package/dist/billing/crypto/address-gen.js

@@ -13,6 +13,7 @@
 import { secp256k1 } from "@noble/curves/secp256k1.js";
 import { ripemd160 } from "@noble/hashes/legacy.js";
 import { sha256 } from "@noble/hashes/sha2.js";
+import { keccak_256 } from "@noble/hashes/sha3.js";
 import { bech32 } from "@scure/base";
 import { HDKey } from "@scure/bip32";
 import { publicKeyToAddress } from "viem/accounts";
@@ -63,6 +64,21 @@ function encodeEvm(pubkey) {
     const hexPubKey = `0x${Array.from(uncompressed, (b) => b.toString(16).padStart(2, "0")).join("")}`;
     return publicKeyToAddress(hexPubKey);
 }
+/** Keccak256-based Base58Check (Tron-style): keccak256(uncompressed[1:]) → last 20 bytes → version + checksum → Base58 */
+function encodeKeccakB58(pubkey, versionByte) {
+    const hexKey = Array.from(pubkey, (b) => b.toString(16).padStart(2, "0")).join("");
+    const uncompressed = secp256k1.Point.fromHex(hexKey).toBytes(false);
+    const hash = keccak_256(uncompressed.slice(1));
+    const addressBytes = hash.slice(-20);
+    const payload = new Uint8Array(21);
+    payload[0] = versionByte;
+    payload.set(addressBytes, 1);
+    const checksum = sha256(sha256(payload));
+    const full = new Uint8Array(25);
+    full.set(payload);
+    full.set(checksum.slice(0, 4), 21);
+    return base58encode(full);
+}
 // ---------- public API ----------
 /**
  * Derive a deposit address from an xpub at a given BIP-44 index.
@@ -95,6 +111,14 @@ export function deriveAddress(xpub, index, addressType, params = {}) {
                 throw new Error(`Invalid p2pkh version byte: ${params.version}`);
             return encodeP2pkh(child.publicKey, versionByte);
         }
+        case "keccak-b58check": {
+            if (!params.version)
+                throw new Error("keccak-b58check encoding requires 'version' param");
+            const versionByte = Number(params.version);
+            if (!Number.isInteger(versionByte) || versionByte < 0 || versionByte > 255)
+                throw new Error(`Invalid keccak-b58check version byte: ${params.version}`);
+            return encodeKeccakB58(child.publicKey, versionByte);
+        }
         case "evm":
             return encodeEvm(child.publicKey);
         default:
@@ -124,6 +148,14 @@ export function deriveTreasury(xpub, addressType, params = {}) {
                 throw new Error(`Invalid p2pkh version byte: ${params.version}`);
             return encodeP2pkh(child.publicKey, versionByte);
         }
+        case "keccak-b58check": {
+            if (!params.version)
+                throw new Error("keccak-b58check encoding requires 'version' param");
+            const versionByte = Number(params.version);
+            if (!Number.isInteger(versionByte) || versionByte < 0 || versionByte > 255)
+                throw new Error(`Invalid keccak-b58check version byte: ${params.version}`);
+            return encodeKeccakB58(child.publicKey, versionByte);
+        }
         case "evm":
             return encodeEvm(child.publicKey);
         default:

package/dist/billing/crypto/evm/eth-watcher.js

@@ -60,51 +60,62 @@ export class EthWatcher {
         if (latest < this._cursor)
             return;
         const { priceMicros } = await this.oracle.getPrice("ETH");
-        // Scan up to latest (not just confirmed) to detect pending txs
-        for (let blockNum = this._cursor; blockNum <= latest; blockNum++) {
-            const block = (await this.rpc("eth_getBlockByNumber", [`0x${blockNum.toString(16)}`, true]));
-            if (!block)
-                continue;
-            const confs = latest - blockNum;
-            for (const tx of block.transactions) {
-                if (!tx.to)
-                    continue;
-                const to = tx.to.toLowerCase();
-                if (!this._watchedAddresses.has(to))
-                    continue;
-                const valueWei = BigInt(tx.value);
-                if (valueWei === 0n)
-                    continue;
-                // Skip if we already emitted at this confirmation count
-                if (this.cursorStore) {
-                    const lastConf = await this.cursorStore.getConfirmationCount(this.watcherId, tx.hash);
-                    if (lastConf !== null && confs <= lastConf)
+        // Scan up to latest (not just confirmed) to detect pending txs.
+        // Fetch blocks in batches to avoid bursting RPC rate limits on fast chains (e.g. Tron 3s blocks).
+        const BATCH_SIZE = 5;
+        for (let batchStart = this._cursor; batchStart <= latest; batchStart += BATCH_SIZE) {
+            const batchEnd = Math.min(batchStart + BATCH_SIZE - 1, latest);
+            const blockNums = Array.from({ length: batchEnd - batchStart + 1 }, (_, i) => batchStart + i);
+            const blocks = await Promise.all(blockNums.map((bn) => this.rpc("eth_getBlockByNumber", [`0x${bn.toString(16)}`, true]).then((b) => ({ blockNum: bn, block: b, error: null }), (err) => ({ blockNum: bn, block: null, error: err }))));
+            // Stop processing at the first failed block so the cursor doesn't advance past it.
+            const firstFailIdx = blocks.findIndex((b) => b.error !== null || !b.block);
+            const safeBlocks = firstFailIdx === -1 ? blocks : blocks.slice(0, firstFailIdx);
+            for (const { blockNum, block } of safeBlocks) {
+                if (!block)
+                    break;
+                const confs = latest - blockNum;
+                for (const tx of block.transactions) {
+                    if (!tx.to)
                         continue;
+                    const to = tx.to.toLowerCase();
+                    if (!this._watchedAddresses.has(to))
+                        continue;
+                    const valueWei = BigInt(tx.value);
+                    if (valueWei === 0n)
+                        continue;
+                    // Skip if we already emitted at this confirmation count
+                    if (this.cursorStore) {
+                        const lastConf = await this.cursorStore.getConfirmationCount(this.watcherId, tx.hash);
+                        if (lastConf !== null && confs <= lastConf)
+                            continue;
+                    }
+                    const amountUsdCents = nativeToCents(valueWei, priceMicros, 18);
+                    const event = {
+                        chain: this.chain,
+                        from: tx.from.toLowerCase(),
+                        to,
+                        valueWei: valueWei.toString(),
+                        amountUsdCents,
+                        txHash: tx.hash,
+                        blockNumber: blockNum,
+                        confirmations: confs,
+                        confirmationsRequired: this.confirmations,
+                    };
+                    await this.onPayment(event);
+                    if (this.cursorStore) {
+                        await this.cursorStore.saveConfirmationCount(this.watcherId, tx.hash, confs);
+                    }
                 }
-                const amountUsdCents = nativeToCents(valueWei, priceMicros, 18);
-                const event = {
-                    chain: this.chain,
-                    from: tx.from.toLowerCase(),
-                    to,
-                    valueWei: valueWei.toString(),
-                    amountUsdCents,
-                    txHash: tx.hash,
-                    blockNumber: blockNum,
-                    confirmations: confs,
-                    confirmationsRequired: this.confirmations,
-                };
-                await this.onPayment(event);
-                if (this.cursorStore) {
-                    await this.cursorStore.saveConfirmationCount(this.watcherId, tx.hash, confs);
-                }
-            }
-            // Only advance cursor past fully-confirmed blocks
-            if (blockNum <= confirmed) {
-                this._cursor = blockNum + 1;
-                if (this.cursorStore) {
-                    await this.cursorStore.save(this.watcherId, this._cursor);
+                // Only advance cursor past fully-confirmed blocks
+                if (blockNum <= confirmed) {
+                    this._cursor = blockNum + 1;
+                    if (this.cursorStore) {
+                        await this.cursorStore.save(this.watcherId, this._cursor);
+                    }
                 }
             }
+            if (firstFailIdx !== -1)
+                break;
         }
     }
 }

package/dist/billing/crypto/evm/watcher.js

@@ -135,25 +135,19 @@ export class EvmWatcher {
 /** Create an RPC caller for a given URL (plain JSON-RPC over fetch). */
 export function createRpcCaller(rpcUrl, extraHeaders) {
     let id = 0;
-    // Extract apikey query param and pass as TRON-PRO-API-KEY header (TronGrid JSON-RPC ignores query params)
     const headers = { "Content-Type": "application/json", ...extraHeaders };
-    try {
-        const url = new URL(rpcUrl);
-        const apiKey = url.searchParams.get("apikey");
-        if (apiKey)
-            headers["TRON-PRO-API-KEY"] = apiKey;
-    }
-    catch {
-        // Not a valid URL — proceed without extra headers
-    }
     return async (method, params) => {
         const res = await fetch(rpcUrl, {
             method: "POST",
             headers,
             body: JSON.stringify({ jsonrpc: "2.0", id: ++id, method, params }),
         });
-        if (!res.ok)
+        if (!res.ok) {
+            const body = await res.text().catch(() => "");
+            const hasApiKey = "TRON-PRO-API-KEY" in headers;
+            console.error(`[rpc] ${method} ${res.status} auth=${hasApiKey} url=${rpcUrl.replace(/apikey=[^&]+/, "apikey=***")} body=${body.slice(0, 200)}`);
             throw new Error(`RPC ${method} failed: ${res.status}`);
+        }
         const data = (await res.json());
         if (data.error)
             throw new Error(`RPC ${method} error: ${data.error.message}`);

package/dist/billing/crypto/key-server.js

@@ -279,6 +279,7 @@ export function createKeyServerApp(deps) {
             displayOrder: body.display_order ?? 0,
             iconUrl: body.icon_url ?? null,
             rpcUrl: body.rpc_url,
+            rpcHeaders: JSON.stringify(body.rpc_headers ?? {}),
             oracleAddress: body.oracle_address ?? null,
             xpub: body.xpub,
             addressType: body.address_type ?? "evm",

package/dist/billing/crypto/payment-method-store.d.ts

@@ -11,6 +11,7 @@ export interface PaymentMethodRecord {
     displayOrder: number;
     iconUrl: string | null;
     rpcUrl: string | null;
+    rpcHeaders: string;
     oracleAddress: string | null;
     xpub: string | null;
     addressType: string;

package/dist/billing/crypto/payment-method-store.js

@@ -44,6 +44,7 @@ export class DrizzlePaymentMethodStore {
             displayOrder: method.displayOrder,
             iconUrl: method.iconUrl,
             rpcUrl: method.rpcUrl,
+            rpcHeaders: method.rpcHeaders ?? "{}",
             oracleAddress: method.oracleAddress,
             xpub: method.xpub,
             addressType: method.addressType,
@@ -105,6 +106,7 @@ function toRecord(row) {
         displayOrder: row.displayOrder,
         iconUrl: row.iconUrl,
         rpcUrl: row.rpcUrl,
+        rpcHeaders: row.rpcHeaders ?? "{}",
         oracleAddress: row.oracleAddress,
         xpub: row.xpub,
         addressType: row.addressType,

package/dist/billing/crypto/watcher-service.js

@@ -277,13 +277,13 @@ export async function startWatchers(opts) {
     // Address conversion for EVM-watched chains with non-0x address formats (Tron T...).
     // Only applies to chains routed through the EVM watcher but storing non-hex addresses.
     // UTXO chains (DOGE p2pkh) never enter this path — they use the UTXO watcher.
-    const isTronMethod = (method) => method.addressType === "p2pkh" && method.chain === "tron";
+    const isTronMethod = (method) => (method.addressType === "p2pkh" || method.addressType === "keccak-b58check") && method.chain === "tron";
     const toWatcherAddr = (addr, method) => isTronMethod(method) && isTronAddress(addr) ? tronToHex(addr) : addr;
     const fromWatcherAddr = (addr, method) => isTronMethod(method) ? hexToTron(addr) : addr;
     for (const method of nativeEvmMethods) {
         if (!method.rpcUrl)
             continue;
-        const rpcCall = createRpcCaller(method.rpcUrl);
+        const rpcCall = createRpcCaller(method.rpcUrl, JSON.parse(method.rpcHeaders ?? "{}"));
         let latestBlock;
         try {
             const latestHex = (await rpcCall("eth_blockNumber", []));
@@ -352,7 +352,7 @@ export async function startWatchers(opts) {
     for (const method of erc20Methods) {
         if (!method.rpcUrl || !method.contractAddress)
             continue;
-        const rpcCall = createRpcCaller(method.rpcUrl);
+        const rpcCall = createRpcCaller(method.rpcUrl, JSON.parse(method.rpcHeaders ?? "{}"));
         let latestBlock;
         try {
             const latestHex = (await rpcCall("eth_blockNumber", []));
@@ -370,7 +370,7 @@ export async function startWatchers(opts) {
             rpcCall,
             fromBlock: latestBlock,
             watchedAddresses: chainAddresses.map((a) => toWatcherAddr(a, method)),
-            contractAddress: method.contractAddress,
+            contractAddress: toWatcherAddr(method.contractAddress, method),
             decimals: method.decimals,
             confirmations: method.confirmations,
             cursorStore,

package/dist/db/schema/crypto.d.ts

@@ -631,6 +631,23 @@ export declare const paymentMethods: import("drizzle-orm/pg-core").PgTableWithCo
             identity: undefined;
             generated: undefined;
         }, {}, {}>;
+        rpcHeaders: import("drizzle-orm/pg-core").PgColumn<{
+            name: "rpc_headers";
+            tableName: "payment_methods";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
         oracleAddress: import("drizzle-orm/pg-core").PgColumn<{
             name: "oracle_address";
             tableName: "payment_methods";

package/dist/db/schema/crypto.js

@@ -73,6 +73,7 @@ export const paymentMethods = pgTable("payment_methods", {
     displayOrder: integer("display_order").notNull().default(0),
     iconUrl: text("icon_url"),
     rpcUrl: text("rpc_url"), // chain node RPC endpoint
+    rpcHeaders: text("rpc_headers").notNull().default("{}"), // JSON: extra headers for RPC calls (e.g. {"TRON-PRO-API-KEY":"xxx"})
     oracleAddress: text("oracle_address"), // Chainlink feed address for price (null = 1:1 stablecoin)
     xpub: text("xpub"), // HD wallet extended public key for deposit address derivation
     addressType: text("address_type").notNull().default("evm"), // "bech32" (BTC/LTC), "p2pkh" (DOGE/TRX), "evm" (ETH/ERC20)