This is the single source of truth for project status.

- Updated: 2026-04-07
- Fork of: profullstack/coinpayportal
- Deployed at: https://coinpay.eww-pew.com (Coolify, Docker Compose build pack)
| File | Purpose | Status |
|---|---|---|
| `PROJECT_STATUS.md` (this file) | Single source of truth — overall status | ✅ Current |
| `TODO.md` | Active sprint checklist — web wallet launch | ✅ Current |
| `SECURITY_AUDIT.md` | Security audit findings (Feb 2026) | ✅ Current — findings unresolved |
| `.drewrox2009/FORK_TRACKING.md` | Fork-specific ops: Docker, Coolify, env vars | ✅ Current |
| `README.md` | Public-facing project overview and quick start | ✅ Current |
| `docs/` | Architecture, API, database, security reference docs | ✅ Reference |
| `archive/PROGRESS.md` | ❌ Frozen Nov 2025 — merchant gateway only | Archived |
| `archive/IMPLEMENTATION_STATUS.md` | ❌ Frozen Nov 2025 — broken phase numbering | Archived |
| `archive/IMPLEMENTATION_PLAN.md` | ❌ Pre-build planning doc, wrong fee (2% not 0.5%) | Archived |
| Item | Detail |
|---|---|
| Production URL | https://coinpay.eww-pew.com |
| Host | Coolify (self-hosted) |
| Build | Docker Compose — docker/docker-compose.yml |
| Port | App listens on 8080 |
| Builder | Docker Compose build pack (context: .., dockerfile: docker/Dockerfile) |
| Railway | railway.json forces Railpack, ignores Dockerfile |
See .drewrox2009/FORK_TRACKING.md for full deployment history and gotchas.
- Authentication system (JWT + API keys, bcrypt, PBKDF2)
- Exchange rates via Tatum API (BTC, ETH, SOL, POL, USDC, 5-min cache)
- QR code generation (BIP21/EIP681, PNG + SVG)
- Fee calculations (platform: 0.5%, merchant receives: 99.5%)
- Business management (CRUD, API key regen, webhook secrets, wallet config)
- Payment creation, status tracking, history
- Webhook system (HMAC-SHA256, exponential backoff, logging)
- Payment forwarding (99.5% merchant / 0.5% platform split, batch, retry)
- Email notifications (Resend primary, Mailgun fallback)
- Business Collection Payments (`POST`/`GET /api/business-collection`)
- Analytics event tracking
- Landing page with live payment demo, pricing, SDK preview
- Wallet connections via Reown AppKit (MetaMask, WalletConnect, Phantom, Solflare, Coinbase)
- Real-time payment status (`usePaymentStatus` hook, countdown, confirmations)
- 409+ tests passing (>80% coverage)
- Stripe connected accounts
- Business name on Stripe statement descriptor
- `platform_fee_amount` column in `stripe_transactions`
- Crypto Transactions / Escrows / Payouts tabs in dashboard
- Merchant info, Stripe fee, connected account email in transactions view
- BIP39 mnemonic generation (12/24 words, `@scure/bip39`)
- BIP32/BIP44 HD key derivation for BTC, BCH, ETH, POL, SOL
- Auth-Lite: challenge/response, per-request signature, JWT convenience
- Replay attack prevention (timestamp + nonce)
- Full wallet API (`create`, `import`, `derive`, `balances`, `transactions`, `broadcast`)
- Balance indexer for all chains + USDC variants (with TTL caching)
- Transaction history with pagination + filtering
- Unsigned TX preparation + fee estimation (all chains)
- Client-side signing library (ETH EIP-1559, BTC P2PKH, BCH, SOL)
- TX broadcast + retry + confirmation tracking
- Bot SDK (`@coinpayportal/wallet-sdk`) — create, import, send, events, CLI
- Full Web Wallet UI (`/web-wallet`) — create, import, dashboard, send, receive, history, settings
- Seed phrase display/verification, AES-256-GCM localStorage encryption
- Auto-lock on inactivity, memory clearing after signing
- Spend limit checks, address whitelist checks (backend)
- Multi-wallet UI with wallet selector (Feb 2026)
- GPG seed backup with wallet label
- Docker multi-stage build (Node 20 Alpine)
- Coolify Docker Compose deployment (working — see FORK_TRACKING.md)
- Railway Railpack config (ignores Dockerfile)
- `.env.example` fully audited with all `process.env` references
- Mnemonic generation script (`scripts/gen-mnemonic.mjs`)
- `SECURITY_AUDIT.md` — full security audit performed
- Non-custodial architecture confirmed ✅ (server never receives private keys)
- Key management: LOW risk
- Authentication: LOW risk
- Transaction signing: LOW risk
- XSS: LOW risk (React auto-escaping, no dangerouslySetInnerHTML)
- CSRF: LOW risk (Authorization headers, not cookies)
- CSP headers — no Content-Security-Policy configured (`next.config.mjs`) — HIGH
- Security response headers — X-Frame-Options, X-Content-Type-Options, Referrer-Policy — HIGH
- HSTS header — Strict-Transport-Security — MEDIUM
- Redis rate limiting — currently in-memory only (breaks under multi-server) — MEDIUM
- CORS configuration for API routes — LOW
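The three header findings above (the missing CSP, the X-Frame-Options / X-Content-Type-Options / Referrer-Policy set, and HSTS) all land in the same place in a Next.js app: the `headers()` hook of `next.config.mjs`. The block below is an added example, not code from coinpayportal or this fork, showing one way to emit them together, plus a small check that reports which of the audited headers a given response set is still missing. The `headers()` hook and the `{ source, headers: [{ key, value }] }` shape are the real Next.js API; the CSP source list is a placeholder (`api.example-placeholder.invalid`) and must be rebuilt from the origins the app actually loads from, and the Reown AppKit / WalletConnect connectors will need their relay and modal origins added before the policy can be enforced.

```javascript
// Added example (not coinpayportal's own code): security response headers for
// next.config.mjs, covering the headers the audit lists as missing.

// Build a Content-Security-Policy string from a directive map. A directive with
// an empty source list is emitted bare (e.g. "upgrade-insecure-requests").
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) =>
      sources.length ? `${name} ${sources.join(' ')}` : name,
    )
    .join('; ');
}

// Headers the audit names as missing. HSTS is only emitted in production so a
// plain-HTTP localhost dev server does not get pinned to HTTPS in the browser.
function securityHeaders({ isProd }) {
  const csp = buildCsp({
    'default-src': ["'self'"],
    // Next.js dev mode needs eval for fast refresh; it must never ship in prod.
    'script-src': isProd ? ["'self'"] : ["'self'", "'unsafe-eval'"],
    'style-src': ["'self'", "'unsafe-inline'"], // CSS-in-JS emits inline styles
    'img-src': ["'self'", 'data:', 'blob:'], // QR codes are served as data: PNG/SVG
    // PLACEHOLDER origin: replace with the real API, indexer and wallet-connector
    // origins the app talks to (assumption, not taken from the project).
    'connect-src': ["'self'", 'https://api.example-placeholder.invalid'],
    // If merchants are meant to embed the payment page, list their origins here
    // instead of 'none' and relax X-Frame-Options to match.
    'frame-ancestors': ["'none'"],
    'object-src': ["'none'"],
    'base-uri': ["'self'"],
    'form-action': ["'self'"],
  });

  const headers = [
    { key: 'Content-Security-Policy', value: csp },
    { key: 'X-Frame-Options', value: 'DENY' },
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  ];
  if (isProd) {
    headers.push({
      key: 'Strict-Transport-Security',
      value: 'max-age=63072000; includeSubDomains', // two years
    });
  }
  return headers;
}

// The header names the audit expects on every response.
const REQUIRED_HEADERS = [
  'Content-Security-Policy',
  'X-Frame-Options',
  'X-Content-Type-Options',
  'Referrer-Policy',
  'Strict-Transport-Security',
];

// Given a list of { key, value } headers (e.g. parsed from a curl -I of the
// deployment), return the audited header names that are absent.
function missingSecurityHeaders(headers) {
  const present = new Set(headers.map((h) => h.key.toLowerCase()));
  return REQUIRED_HEADERS.filter((name) => !present.has(name.toLowerCase()));
}

// The object next.config.mjs would `export default`.
const nextConfig = {
  async headers() {
    return [
      {
        source: '/(.*)', // every route, API routes included
        headers: securityHeaders({
          isProd: process.env.NODE_ENV === 'production',
        }),
      },
    ];
  },
};
```

Before marking the finding resolved, fetch the production URL and run the response headers through `missingSecurityHeaders`; in development the HSTS header is intentionally absent and `'unsafe-eval'` is allowed, so the check only passes against a production build.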
- E2E tests (Playwright): UI wallet create, import, send, receive, settings
- Send transaction flow on testnet (integration test)
- Load/stress testing (indexer, API, concurrent wallet ops)
- Color contrast accessibility review (4.5:1 minimum)
- Test on various screen sizes (responsive design QA)
- SDK README with quick start
- Document all SDK API methods
- Create SDK usage examples
- Publish `@coinpayportal/wallet-sdk` to npm
- Daily spend limit setting UI (backend exists)
- Address whitelist management UI (backend exists)
- Deploy indexer service (separate process)
- Set up monitoring dashboards
- Set up alerting
- Internal testing complete sign-off
- Beta user testing
- Rollback plan documented
- Support channels ready
- Add `pnpm audit` to CI pipeline
| Item | Value |
|---|---|
| Platform fee | 0.5% (merchant receives 99.5%) |
| Test count | 409+ tests passing |
| Supported chains | BTC, BCH, ETH, POL, SOL, USDC (ETH/POL/SOL) |
| Wallet encryption | AES-256-GCM, PBKDF2 600k iterations |
| Seed: server stores? | No — non-custodial, client-only |
| Auth | JWT (1hr) + per-request signature auth |
| Email | Resend (primary), Mailgun (fallback) |
For the detailed sprint checklist (web wallet phases 5–6), see TODO.md.
For security remediations to implement, see SECURITY_AUDIT.md → Section 10 (Recommendations Summary).
Last updated: 2026-04-07 by drewrox2009