feat(multisig): add API routes for multisig escrow operations

ralyodio · claude · ralyodio · commit fdced4da6850 · 2026-03-01T03:46:50.000Z
POST /api/escrow/multisig - Create 2-of-3 multisig escrow
GET  /api/escrow/multisig?id= - Get multisig escrow
POST /api/escrow/multisig/:id/propose - Propose release/refund
POST /api/escrow/multisig/:id/sign - Add signature to proposal
POST /api/escrow/multisig/:id/broadcast - Broadcast approved tx
POST /api/escrow/multisig/:id/dispute - Open dispute

All routes follow existing escrow API patterns with auth middleware.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/app/api/escrow/multisig/[id]/broadcast/route.ts b/src/app/api/escrow/multisig/[id]/broadcast/route.ts
@@ -0,0 +1,61 @@
+/**
+ * POST /api/escrow/multisig/:id/broadcast
+ *
+ * Broadcast an approved multisig proposal on-chain.
+ * Requires the proposal to have reached threshold (2 signatures).
+ */
+
+import { NextRequest, NextResponse } from 'next/server';
+import { createClient } from '@supabase/supabase-js';
+import {
+  broadcastTransaction,
+  broadcastTransactionSchema,
+} from '@/lib/multisig';
+
+function getSupabase() {
+  const url = process.env.NEXT_PUBLIC_SUPABASE_URL;
+  const key = process.env.SUPABASE_SERVICE_ROLE_KEY;
+  if (!url || !key) throw new Error('Supabase not configured');
+  return createClient(url, key);
+}
+
+export async function POST(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string }> },
+) {
+  try {
+    const { id: escrowId } = await params;
+    const supabase = getSupabase();
+    const body = await request.json();
+
+    // Validate input
+    const parsed = broadcastTransactionSchema.safeParse(body);
+    if (!parsed.success) {
+      return NextResponse.json(
+        { error: parsed.error.errors[0].message },
+        { status: 400 },
+      );
+    }
+
+    const result = await broadcastTransaction(
+      supabase,
+      escrowId,
+      parsed.data.proposal_id,
+    );
+
+    if (!result.success) {
+      return NextResponse.json({ error: result.error }, { status: 400 });
+    }
+
+    return NextResponse.json({
+      tx_hash: result.tx_hash,
+      proposal: result.proposal,
+    });
+  } catch (error) {
+    console.error('Failed to broadcast transaction:', error);
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 },
+    );
+  }
+}
diff --git a/src/app/api/escrow/multisig/[id]/dispute/route.ts b/src/app/api/escrow/multisig/[id]/dispute/route.ts
@@ -0,0 +1,60 @@
+/**
+ * POST /api/escrow/multisig/:id/dispute
+ *
+ * Open a dispute on a funded multisig escrow.
+ * Either depositor or beneficiary can open a dispute.
+ * Once disputed, the arbiter can propose resolution.
+ */
+
+import { NextRequest, NextResponse } from 'next/server';
+import { createClient } from '@supabase/supabase-js';
+import {
+  disputeMultisigEscrow,
+  disputeSchema,
+} from '@/lib/multisig';
+
+function getSupabase() {
+  const url = process.env.NEXT_PUBLIC_SUPABASE_URL;
+  const key = process.env.SUPABASE_SERVICE_ROLE_KEY;
+  if (!url || !key) throw new Error('Supabase not configured');
+  return createClient(url, key);
+}
+
+export async function POST(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string }> },
+) {
+  try {
+    const { id: escrowId } = await params;
+    const supabase = getSupabase();
+    const body = await request.json();
+
+    // Validate input
+    const parsed = disputeSchema.safeParse(body);
+    if (!parsed.success) {
+      return NextResponse.json(
+        { error: parsed.error.errors[0].message },
+        { status: 400 },
+      );
+    }
+
+    const result = await disputeMultisigEscrow(
+      supabase,
+      escrowId,
+      parsed.data.signer_pubkey,
+      parsed.data.reason,
+    );
+
+    if (!result.success) {
+      return NextResponse.json({ error: result.error }, { status: 400 });
+    }
+
+    return NextResponse.json(result.escrow);
+  } catch (error) {
+    console.error('Failed to open dispute:', error);
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 },
+    );
+  }
+}
diff --git a/src/app/api/escrow/multisig/[id]/propose/route.ts b/src/app/api/escrow/multisig/[id]/propose/route.ts
@@ -0,0 +1,63 @@
+/**
+ * POST /api/escrow/multisig/:id/propose
+ *
+ * Propose a transaction (release or refund) for a multisig escrow.
+ * Returns transaction data that signers need to sign.
+ */
+
+import { NextRequest, NextResponse } from 'next/server';
+import { createClient } from '@supabase/supabase-js';
+import {
+  proposeTransaction,
+  proposeTransactionSchema,
+} from '@/lib/multisig';
+
+function getSupabase() {
+  const url = process.env.NEXT_PUBLIC_SUPABASE_URL;
+  const key = process.env.SUPABASE_SERVICE_ROLE_KEY;
+  if (!url || !key) throw new Error('Supabase not configured');
+  return createClient(url, key);
+}
+
+export async function POST(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string }> },
+) {
+  try {
+    const { id: escrowId } = await params;
+    const supabase = getSupabase();
+    const body = await request.json();
+
+    // Validate input
+    const parsed = proposeTransactionSchema.safeParse(body);
+    if (!parsed.success) {
+      return NextResponse.json(
+        { error: parsed.error.errors[0].message },
+        { status: 400 },
+      );
+    }
+
+    const result = await proposeTransaction(
+      supabase,
+      escrowId,
+      parsed.data.proposal_type,
+      parsed.data.to_address,
+      parsed.data.signer_pubkey,
+    );
+
+    if (!result.success) {
+      return NextResponse.json({ error: result.error }, { status: 400 });
+    }
+
+    return NextResponse.json({
+      proposal: result.proposal,
+      tx_data: result.tx_data,
+    }, { status: 201 });
+  } catch (error) {
+    console.error('Failed to propose transaction:', error);
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 },
+    );
+  }
+}
diff --git a/src/app/api/escrow/multisig/[id]/sign/route.ts b/src/app/api/escrow/multisig/[id]/sign/route.ts
@@ -0,0 +1,65 @@
+/**
+ * POST /api/escrow/multisig/:id/sign
+ *
+ * Add a signature to a multisig proposal.
+ * Each participant can sign once. When threshold (2) is reached,
+ * the proposal is marked as approved and ready for broadcast.
+ */
+
+import { NextRequest, NextResponse } from 'next/server';
+import { createClient } from '@supabase/supabase-js';
+import {
+  signProposal,
+  signProposalSchema,
+} from '@/lib/multisig';
+
+function getSupabase() {
+  const url = process.env.NEXT_PUBLIC_SUPABASE_URL;
+  const key = process.env.SUPABASE_SERVICE_ROLE_KEY;
+  if (!url || !key) throw new Error('Supabase not configured');
+  return createClient(url, key);
+}
+
+export async function POST(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string }> },
+) {
+  try {
+    const { id: escrowId } = await params;
+    const supabase = getSupabase();
+    const body = await request.json();
+
+    // Validate input
+    const parsed = signProposalSchema.safeParse(body);
+    if (!parsed.success) {
+      return NextResponse.json(
+        { error: parsed.error.errors[0].message },
+        { status: 400 },
+      );
+    }
+
+    const result = await signProposal(
+      supabase,
+      escrowId,
+      parsed.data.proposal_id,
+      parsed.data.signer_pubkey,
+      parsed.data.signature,
+    );
+
+    if (!result.success) {
+      return NextResponse.json({ error: result.error }, { status: 400 });
+    }
+
+    return NextResponse.json({
+      signature: result.signature,
+      signatures_collected: result.signatures_collected,
+      threshold_met: result.threshold_met,
+    });
+  } catch (error) {
+    console.error('Failed to sign proposal:', error);
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 },
+    );
+  }
+}
diff --git a/src/app/api/escrow/multisig/route.ts b/src/app/api/escrow/multisig/route.ts
@@ -0,0 +1,125 @@
+/**
+ * POST /api/escrow/multisig — Create a new multisig escrow
+ * GET  /api/escrow/multisig — Get a multisig escrow by ID (query param)
+ *
+ * Non-custodial 2-of-3 multisig escrow.
+ * CoinPay is a dispute mediator and co-signer — never a custodian.
+ */
+
+import { NextRequest, NextResponse } from 'next/server';
+import { createClient } from '@supabase/supabase-js';
+import { authenticateRequest } from '@/lib/auth/middleware';
+import {
+  createMultisigEscrow,
+  getMultisigEscrow,
+  createMultisigEscrowSchema,
+  isMultisigEnabled,
+} from '@/lib/multisig';
+
+function getSupabase() {
+  const url = process.env.NEXT_PUBLIC_SUPABASE_URL;
+  const key = process.env.SUPABASE_SERVICE_ROLE_KEY;
+  if (!url || !key) throw new Error('Supabase not configured');
+  return createClient(url, key);
+}
+
+/**
+ * POST /api/escrow/multisig
+ * Create a new 2-of-3 multisig escrow
+ */
+export async function POST(request: NextRequest) {
+  try {
+    if (!isMultisigEnabled()) {
+      return NextResponse.json(
+        { error: 'Multisig escrow is not enabled' },
+        { status: 503 },
+      );
+    }
+
+    const supabase = getSupabase();
+
+    // Authentication required
+    const authHeader = request.headers.get('authorization');
+    const apiKeyHeader = request.headers.get('x-api-key');
+
+    if (!authHeader && !apiKeyHeader) {
+      return NextResponse.json(
+        { error: 'Authentication required. Provide Authorization header or X-API-Key.' },
+        { status: 401 },
+      );
+    }
+
+    try {
+      const authResult = await authenticateRequest(supabase, authHeader || apiKeyHeader);
+      if (!authResult.success) {
+        return NextResponse.json(
+          { error: 'Invalid or expired authentication' },
+          { status: 401 },
+        );
+      }
+    } catch {
+      return NextResponse.json(
+        { error: 'Authentication failed' },
+        { status: 401 },
+      );
+    }
+
+    const body = await request.json();
+
+    // Validate input
+    const parsed = createMultisigEscrowSchema.safeParse(body);
+    if (!parsed.success) {
+      return NextResponse.json(
+        { error: parsed.error.errors[0].message },
+        { status: 400 },
+      );
+    }
+
+    const result = await createMultisigEscrow(supabase, parsed.data);
+
+    if (!result.success) {
+      return NextResponse.json({ error: result.error }, { status: 400 });
+    }
+
+    return NextResponse.json(result.escrow, { status: 201 });
+  } catch (error) {
+    console.error('Failed to create multisig escrow:', error);
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 },
+    );
+  }
+}
+
+/**
+ * GET /api/escrow/multisig?id=<escrow_id>
+ * Get a multisig escrow by ID
+ */
+export async function GET(request: NextRequest) {
+  try {
+    const supabase = getSupabase();
+    const { searchParams } = new URL(request.url);
+    const escrowId = searchParams.get('id');
+
+    if (!escrowId) {
+      return NextResponse.json(
+        { error: 'id query parameter is required' },
+        { status: 400 },
+      );
+    }
+
+    const result = await getMultisigEscrow(supabase, escrowId);
+
+    if (!result.success) {
+      return NextResponse.json({ error: result.error }, { status: 404 });
+    }
+
+    return NextResponse.json(result.escrow);
+  } catch (error) {
+    console.error('Failed to get multisig escrow:', error);
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 },
+    );
+  }
+}
