feat(assets): Arkade asset management + dedicated Arkade Asset payment method

[Kukks]

Arkade asset management + dedicated payment method

Lets a merchant track a managed list of Arkade assets and accept them as payment through a dedicated checkout where the payer picks which asset to send. Replaces the earlier single-asset "acceptance" prototype (never shipped) with a full CRUD + multi-asset model, a dedicated payment method, and asset display.

Design & plan:

• docs/superpowers/specs/2026-05-22-arkade-asset-management-design.md
• docs/superpowers/plans/2026-05-22-arkade-asset-management.md

Part 1 — Asset management (foundation)

• Tracked-asset list (CRUD). ArkadePaymentMethodConfig.TrackedAssets holds a list of TrackedArkadeAsset (asset id, currency code, ticker, name, decimals, rate script, enabled). Add / edit / remove from the store overview's "Asset Payments" modal.
• Add-by-id prefill. Enter an asset id → Fetch pulls ticker/name/decimals from the arkd indexer (GET stores/{id}/asset-metadata) to prefill the form. Add verifies the asset exists on the indexer before tracking it.
• Free-form rate script per asset. Each asset prices via a merchant-authored BTCPay rate rule (e.g. USDARK_USD = 1;). AssetRateResolver combines it into the store's existing rules (primary + fallback) via RateRules.Combine and evaluates the BTC → asset pair through RateFetcher — the global StoreBlob.RateScript is never mutated, and chained legs (asset→USD→BTC) resolve through the store's own rate-source / spread / fallback config.
• Currency registration. ArkadeAssetCurrencyDataProvider registers each tracked code as a BTCPay currency; AssetCurrencyRegistrar reloads CurrencyNameTable after every CRUD op (no restart needed).

Part 2 — Dedicated ARKADE-ASSET payment method (payer picks)

• New payment method, separate from the BTC-VTXO ARKADE method. ArkadeAssetPaymentMethodHandler derives one Ark receive address and prices every enabled asset, exposing one option per asset (asset id, amount due, BIP-321 URI). An asset whose rate can't be evaluated is skipped; the method is unavailable if none resolve.
• Thin enablement. A minimal ArkadeAssetPaymentMethodConfig (wallet id) enables the method; ArkController.SyncAssetPaymentMethod writes it iff the store has ≥1 enabled tracked asset, and clears it otherwise (and on ClearWallet). The asset list stays on the ARKADE config (single source of truth).
• Multi-asset checkout. The arkadeAssetCheckoutBody component renders a picker: select an asset → see its amount due + per-asset QR + pay-in-wallet link. All options settle to the same Ark address.
• BIP-321 asset URI. ArkadeBip21Builder.WithAsset emits ark=<addr>&asset=<id>&amount=<asset display units> (per the Arkade convention, amount denominates the asset when asset is present).
• Settlement. When a VTXO carrying an offered asset arrives at the asset address, the listener matches it by asset id and credits BTC proportional to the asset received (over-payment surfaces in BTCPay accounting, never silently capped); a VTXO carrying none of the offered assets is ignored. The BTC-VTXO ARKADE settlement path is untouched.

Part 3 — Display

• Per-asset badge (formatted amount + ticker, indexer-resolved) under the BTC amount on asset-carrying VTXOs (Vtxos, _VtxoTable).
• Asset balances in the compact dashboard balance line (_ArkBalances).

Removed

The earlier single-asset embedding on the BTC-VTXO prompt is gone: ArkadePromptDetails.Asset* fields, the checkout-model asset block, and the BTC checkout's asset notice. The old rate modes (FixedReferenceCurrency / SatsPerUnit) are replaced by the free-form rate script. No back-compat migration — the asset feature never shipped (releases v2.1.15–v2.1.18 exclude it).

Tests

• Unit (30, no infra): AssetAmount money-math, AssetRateResolver (money-math + input guards), TrackedArkadeAsset validation, ArkadeBip21Asset URI.
• E2E (Playwright): add-asset rejects an unknown id (indexer existence check, config not persisted) and an empty rate script (TrackedArkadeAsset.IsValid, before any indexer lookup).
• Plugin + test projects build clean (0 errors).

Review

An independent review found no critical / settlement / accounting bugs and confirmed the proportional-credit math, the no-double-credit guard (outpoint dedupe under _paymentLock), the enablement lifecycle, and the BTC → asset rate direction. Two minor findings fixed: removed dead DI params on ArkadePaymentMethodHandler; QueueMonitoredInvoices now scans both Arkade methods on startup so an invoice with the BTC-VTXO method excluded but the asset method active still has its contracts re-activated after a restart.

Notes for the reviewer

• Protocol-critical settlement path (ArkContractInvoiceListener) flagged for human sign-off per project rules.
• BIP-321 asset-amount convention confirmed with the maintainer; settlement matches by asset id + server-stored base units regardless, so the URI amount is wallet-prefill UX only.
• SDK (NNark) submodule unchanged by this PR — pinned at the already-released a9e990f, which carries the asset format/ops support.

[arkanaai]

Arkana Code Review — feat/arkade-assets-payment

Well-structured PR. Clean separation between rate model, metadata cache, settlement, and UI. The design doc and test coverage are solid — 11 unit tests on the resolver math, 2 e2e config tests, and the NNark parity work in #94 are all well-motivated. SDK parity analysis is thorough.

That said, the settlement path is protocol-critical (asset VTXOs settling invoices = money), so I'm requesting changes on a few items and flagging for human review.

---

🔴 P0 — Must Fix

1. Overpayment in assets is silently capped — merchant accounting breaks
ArkContractInvoiceListener.cs (new code, ~line 148 in diff):

var ratio = Math.Min(1m, (decimal)received / promptDetails.AssetBaseUnitsDue);
assetCreditBtc = arkPrompt.Calculate().TotalDue * ratio;

The Math.Min(1m, ...) cap means a customer who sends 2x the required asset units gets only 1x BTC credit recorded. BTCPay normally surfaces overpayment to the merchant (refund workflows, accounting reconciliation). Here, excess asset is received on the VTXO but invisible in BTCPay's books.

Fix: Remove the Math.Min(1m, ...) cap and let the proportional credit reflect actual receipt. BTCPay's existing overpayment accounting will handle the rest. If there's a reason to cap (e.g. preventing inflated BTC credit for a non-BTC denomination), document it prominently.

2. Math.Pow precision loss in AssetMetadataService.FormatAmount
AssetMetadataService.cs:50:

var divisor = (decimal)Math.Pow(10, decimals);

Math.Pow returns double. For decimals > 15, 10^decimals exceeds double mantissa precision (2^53 ≈ 9×10^15). The cast to decimal bakes in the rounding error. AssetRateResolver.Pow10 already does this correctly with a decimal loop.

Fix: Extract Pow10 to a shared utility (or duplicate the decimal-loop approach) so both paths are precision-safe. The resolver and the display formatter must agree on the divisor.

---

🟡 P1 — Should Fix

3. Duplicate FormatAmount logic between two services
AssetMetadataService.FormatAmount and AssetRateResolver both format base units → display string, using different approaches (one Math.Pow + "0." + new string('#', …), the other Pow10 + "0." + new string('#', …)). Two paths to render the same number is a correctness risk.

Fix: One canonical FormatAmount, called from both sites.

4. CancellationToken.None in asset-enrichment calls during prompt config
ArkadePaymentMethodHandler.cs (new lines ~107–130):

var assetDetails = await assetMetadataService.GetAssetDetailsAsync(
    acceptance.AssetId, CancellationToken.None);
...
assetDue = await assetRateResolver.ResolveAsync(
    context.Store, acceptance, dueSats, assetDecimals, CancellationToken.None);

If the indexer or rate provider hangs, these block the prompt indefinitely. GetServerInfoAsync already uses a 5-second timeout higher up. These should use a bounded token too.

5. No negative caching in AssetMetadataService
AssetMetadataService.cs:21–30: On indexer failure, the result is not cached, so every subsequent call retries the network round-trip. Under indexer outage, this becomes N×(timeout) per invoice/dashboard render.

Fix: Cache a sentinel null with a short TTL (30–60s) for failed lookups, or use IMemoryCache with expiration.

---

🟢 P2 — Nit / Consider

6. Unbounded ConcurrentDictionary cache
AssetMetadataService.cs:8: Process-lifetime cache with no eviction. Immutable-after-issuance justifies no TTL, but there's no size guard. Fine for a BTCPay plugin (merchants won't configure thousands of assets), but worth a comment acknowledging the assumption.

7. Settlement: TotalDue read outside _paymentLock
ArkContractInvoiceListener.cs (new code ~line 148): arkPrompt.Calculate().TotalDue is computed from the pre-lock inv fetch. Since TotalDue is an invoice-creation-time constant (not affected by subsequent payments), this is safe. But the code would benefit from a comment explaining why the pre-lock read is valid, since the existing HandlePaymentData re-fetches inside the lock for good reason.

8. Asset ID comparison is case-insensitive — confirm this matches arkd
ArkContractInvoiceListener.cs (new code ~line 138):

.Where(a => string.Equals(a.AssetId, promptDetails.AssetId, StringComparison.OrdinalIgnoreCase))

Defensive, but confirm arkd normalizes asset IDs to lowercase hex. If arkd ever returns mixed-case and the prompt stores lowercase, Ordinal would fail — so OrdinalIgnoreCase is the right call. Just verify the assumption.

---

✅ What's Good

• Rate model design is clean: two well-defined modes, reference-currency leg routes through BTCPay's existing pipeline, no invented pseudo-currencies.
• Round-up-never-underpay in AssetRateResolver with ≥1 base unit clamp — correct and well-tested.
• Stray-BTC rejection in settlement (received == 0 → return) prevents wrongful settlement on non-asset VTXOs.
• IsValid validation on ArkadeAssetAcceptance is thorough, server-side (not just JS).
• Indexer existence check before persisting asset config prevents phantom-asset configs.
• Test coverage: 11 unit tests on resolver math pin the rules that matter (rounding, clamping, guards), 2 e2e tests on config validation round-trip.
• Additive schema changes: AssetAcceptance nullable on config, new fields nullable on ArkadePromptDetails — backward-compatible deserialization.
• No cross-repo breakage: all changed types are plugin-internal; NNark submodule bump (#94) is an independent fix.

---

⚠️ Protocol-Critical Flag

The settlement path in ArkContractInvoiceListener.OnVtxoChanged — asset recognition, proportional BTC credit, stray-VTXO rejection — is protocol-critical. Bugs here under/over-credit merchants. Requires human sign-off before merge, per project rules.

---

Verdict: Request Changes (P0 items 1–2). The rest of the PR is solid.

[Kukks]

Thanks for the thorough review — all items addressed in 484c172.

🔴 P0

1. Overpayment cap removed. ArkContractInvoiceListener now credits BTC strictly proportional to asset received (ratio = received / due, no Math.Min). Over-payment in the asset now surfaces as over-payment in BTCPay's books (refund/reconciliation intact). Comment added explaining the proportional credit and why the pre-lock TotalDue read is valid.
2. Math.Pow precision fixed. New shared AssetAmount.Pow10 (decimal loop, exact through 10^18) replaces (decimal)Math.Pow(10, decimals). Regression tests pin exactness incl. Pow10(18) and Format(1, 18) → 0.000000000000000001 (the old approach would drift for decimals > 15).

🟡 P1

3. Single canonical formatter. AssetAmount.Format is now the one base-units→display path; AssetMetadataService.FormatAmount and AssetRateResolver both delegate to it. 24/24 unit tests green (formatter behaviour unchanged for existing vectors).
4. Bounded tokens. ConfigurePrompt wraps the indexer + rate calls in a 10s CancellationTokenSource (mirrors the existing 5s GetServerInfoAsync bound, +headroom for the rate fetch); the catch now also handles OperationCanceledException → PaymentMethodUnavailableException.
5. Negative caching. AssetMetadataService negatively caches failed/empty lookups for 60s (_negativeCache + TTL), so a down indexer isn't re-hit every render. Success cache also clears the negative entry on recovery.

🟢 P2

6. Class-doc comment added acknowledging the unbounded (immutable, small-N) success cache assumption.
7. Comment added explaining the pre-lock TotalDue read is valid (invoice-creation-time constant, unlike the payment list which HandlePaymentData re-fetches under _paymentLock).
8. Comment added on the OrdinalIgnoreCase asset-id compare (arkd returns lowercase hex txid‖groupIndex; case-insensitive is the defensive-correct call).

The protocol-critical settlement path is flagged for human sign-off as you noted — the change there is the cap removal + clarifying comments only.

[arkanaai]

Arkana Follow-Up Review — 484c1724

All P0/P1/P2 items from the previous review are resolved. Checking each:

✅ P0 #1 — Overpayment cap removed

ArkContractInvoiceListener.cs:~151: Math.Min(1m, ...) removed. Ratio is now uncapped so overpayment flows through BTCPay's existing reconciliation. Good comment explaining the TotalDue pre-lock read safety.

✅ P0 #2 — Math.Pow precision

New AssetAmount.Pow10 uses a decimal loop, clamped 0..18. Exact for all asset-decimals values. AssetMetadataService.FormatAmount and AssetRateResolver both delegate to this single implementation.

✅ P1 #3 — Duplicate FormatAmount

Unified into AssetAmount.Format. One canonical path for both display and rate resolution.

✅ P1 #4 — Unbounded CancellationToken.None

ArkadePaymentMethodHandler.cs:~117: 10-second bounded CTS for indexer + rate calls. Catch filter extended to OperationCanceledException. Clean.

✅ P1 #5 — Negative caching

AssetMetadataService.cs: 60-second negative cache via ConcurrentDictionary<string, DateTimeOffset>. Covers both indexer errors and null returns. Cleared on subsequent success.

✅ P2 #6–#8 — Comments

Unbounded cache rationale documented. Pre-lock TotalDue read explained. Case-insensitive asset ID comparison annotated.

New code review — AssetAmount.cs

• Pow10: Correct. Clamp prevents out-of-range. Decimal loop is exact.
• Format: Correct. decimals <= 0 early-return avoids division. Format string "0." + "#"×decimals trims trailing zeros properly. InvariantCulture prevents locale issues.
• Test coverage: 7 Format cases including the 1e-18 regression guard, 5 Pow10 exactness cases, and boundary clamping. Solid.

No new issues found. Approving.

⚠️ Reminder: This PR includes protocol-critical settlement logic (asset VTXO → BTC credit). Human approval still required before merge.

[arkanaai]

Arkana Follow-Up Review — e6bf00b3

Submodule re-pin only. No code changes.

• submodules/NNark: 5509d8a → bbcd960. Verified bbcd960 is HEAD of arkade-os/dotnet-sdk master (squash-merge of PR #94). Old pin 5509d8a was on the now-deleted assets-parity branch — unreachable in fresh clones. Fix is correct.
• docs/...design.md: Text update documenting the re-pin rationale. Accurate.

Previous approval sustained. No new issues.

⚠️ Reminder: Protocol-critical settlement logic — human approval still required before merge.