fix(market): support CoinGecko free Demo API keys

CoinGecko's free Demo plan and paid Pro plan share the CG- key prefix
but require different hosts and auth headers. The code assumed any key
was a Pro key and always called pro-api.coingecko.com with
x-cg-pro-api-key, so a free Demo key failed with HTTP 400 (error 10011)
across all 4 crypto seeders and the server market RPC fetcher.

Add an explicit COINGECKO_DEMO_API_KEY env var that routes to
api.coingecko.com with x-cg-demo-api-key. Pro takes precedence when both
are set, so existing Pro deployments are unaffected; no key still falls
back to the public endpoint. Extracted the tier resolution into a shared
coingeckoEndpoint() helper (scripts) and a typed local helper (server).

Author: guhyun9454

.env.example

@@ -558,7 +558,15 @@ ALPHA_VANTAGE_API_KEY=
 # CoinGecko — crypto market data (server market RPC + seed-crypto-sectors).
 # Optional; unauthenticated requests work at a lower rate limit.
 # Register at: https://www.coingecko.com/en/api
+#
+# Two paid/free tiers use DIFFERENT hosts + auth headers (the CG- key prefix is
+# shared, so the tier cannot be auto-detected — set whichever key you have):
+#   - Pro (paid):  COINGECKO_API_KEY      -> pro-api.coingecko.com (x-cg-pro-api-key)
+#   - Demo (free): COINGECKO_DEMO_API_KEY -> api.coingecko.com     (x-cg-demo-api-key)
+# Pro takes precedence if both are set. A Demo key in COINGECKO_API_KEY fails
+# with HTTP 400 — put free Demo keys in COINGECKO_DEMO_API_KEY instead.
 COINGECKO_API_KEY=
+COINGECKO_DEMO_API_KEY=
 
 
 # ------ Energy Data (additional) ------

scripts/_seed-utils.mjs

@@ -17,6 +17,40 @@ const __seed_dirname = dirname(fileURLToPath(import.meta.url));
 
 export { CHROME_UA };
 
+/**
+ * Resolve the CoinGecko base URL + auth header for the configured key tier.
+ *
+ * CoinGecko's free **Demo** plan and paid **Pro** plan share the `CG-` key
+ * prefix but use *different* hosts and auth headers — a Demo key sent to the
+ * Pro host fails with `HTTP 400` (error 10011: "change your root URL from
+ * pro-api.coingecko.com to api.coingecko.com"), and a Pro key on the public
+ * host is unauthenticated. The key string alone can't tell the tiers apart,
+ * so the tier is selected explicitly by which env var is set:
+ *
+ *   - `COINGECKO_API_KEY`      → Pro    (pro-api.coingecko.com, x-cg-pro-api-key)
+ *   - `COINGECKO_DEMO_API_KEY` → Demo   (api.coingecko.com,     x-cg-demo-api-key)
+ *   - neither                  → keyless public endpoint (shared IP, 429-prone)
+ *
+ * Pro takes precedence so existing Pro deployments are unaffected.
+ *
+ * @param {Record<string, string>} [extraHeaders] merged into the returned headers
+ * @returns {{ baseUrl: string, headers: Record<string, string>, tier: 'pro' | 'demo' | 'keyless' }}
+ */
+export function coingeckoEndpoint(extraHeaders = {}) {
+  const proKey = process.env.COINGECKO_API_KEY;
+  const demoKey = process.env.COINGECKO_DEMO_API_KEY;
+  const headers = { Accept: 'application/json', 'User-Agent': CHROME_UA, ...extraHeaders };
+  if (proKey) {
+    headers['x-cg-pro-api-key'] = proKey;
+    return { baseUrl: 'https://pro-api.coingecko.com/api/v3', headers, tier: 'pro' };
+  }
+  if (demoKey) {
+    headers['x-cg-demo-api-key'] = demoKey;
+    return { baseUrl: 'https://api.coingecko.com/api/v3', headers, tier: 'demo' };
+  }
+  return { baseUrl: 'https://api.coingecko.com/api/v3', headers, tier: 'keyless' };
+}
+
 /**
  * Unwrap fetch / network errors so log lines surface the actual cause
  * (DNS / TCP reset / TLS abort) instead of undici's bare "fetch failed".

scripts/seed-crypto-quotes.mjs

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-import { loadEnvFile, loadSharedConfig, CHROME_UA, runSeed, sleep, fetchCoinPaprikaTickersById } from './_seed-utils.mjs';
+import { loadEnvFile, loadSharedConfig, CHROME_UA, runSeed, sleep, fetchCoinPaprikaTickersById, coingeckoEndpoint } from './_seed-utils.mjs';
 
 const cryptoConfig = loadSharedConfig('crypto.json');
 
@@ -34,13 +34,8 @@ const COINPAPRIKA_ID_MAP = cryptoConfig.coinpaprika;
 
 async function fetchFromCoinGecko() {
   const ids = CRYPTO_IDS.join(',');
-  const apiKey = process.env.COINGECKO_API_KEY;
-  const baseUrl = apiKey
-    ? 'https://pro-api.coingecko.com/api/v3'
-    : 'https://api.coingecko.com/api/v3';
+  const { baseUrl, headers } = coingeckoEndpoint();
   const url = `${baseUrl}/coins/markets?vs_currency=usd&ids=${ids}&order=market_cap_desc&sparkline=true&price_change_percentage=24h`;
-  const headers = { Accept: 'application/json', 'User-Agent': CHROME_UA };
-  if (apiKey) headers['x-cg-pro-api-key'] = apiKey;
 
   // Capped at 2 attempts (10+20=30s budget) so the fallback path itself
   // cannot recreate the 150s>120s bundle-timeout overrun this PR fixes.

scripts/seed-crypto-sectors.mjs

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-import { loadEnvFile, loadSharedConfig, CHROME_UA, runSeed, sleep } from './_seed-utils.mjs';
+import { loadEnvFile, loadSharedConfig, CHROME_UA, runSeed, sleep, coingeckoEndpoint } from './_seed-utils.mjs';
 
 const sectorsConfig = loadSharedConfig('crypto-sectors.json');
 
@@ -29,11 +29,8 @@ async function fetchWithRateLimitRetry(url, maxAttempts = 5, headers = { Accept:
 async function fetchSectorData() {
   const allIds = [...new Set(SECTORS.flatMap(s => s.tokens))];
 
-  const apiKey = process.env.COINGECKO_API_KEY;
-  const baseUrl = apiKey ? 'https://pro-api.coingecko.com/api/v3' : 'https://api.coingecko.com/api/v3';
+  const { baseUrl, headers } = coingeckoEndpoint();
   const url = `${baseUrl}/coins/markets?vs_currency=usd&ids=${allIds.join(',')}&order=market_cap_desc&sparkline=false&price_change_percentage=24h`;
-  const headers = { Accept: 'application/json', 'User-Agent': CHROME_UA };
-  if (apiKey) headers['x-cg-pro-api-key'] = apiKey;
 
   const resp = await fetchWithRateLimitRetry(url, 5, headers);
   const data = await resp.json();

scripts/seed-stablecoin-markets.mjs

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-import { loadEnvFile, loadSharedConfig, CHROME_UA, runSeed, sleep, fetchCoinPaprikaTickersById } from './_seed-utils.mjs';
+import { loadEnvFile, loadSharedConfig, CHROME_UA, runSeed, sleep, fetchCoinPaprikaTickersById, coingeckoEndpoint } from './_seed-utils.mjs';
 
 const stablecoinConfig = loadSharedConfig('stablecoins.json');
 
@@ -32,13 +32,8 @@ async function fetchWithRateLimitRetry(url, maxAttempts = 5, headers = { Accept:
 const COINPAPRIKA_ID_MAP = stablecoinConfig.coinpaprika;
 
 async function fetchFromCoinGecko() {
-  const apiKey = process.env.COINGECKO_API_KEY;
-  const baseUrl = apiKey
-    ? 'https://pro-api.coingecko.com/api/v3'
-    : 'https://api.coingecko.com/api/v3';
+  const { baseUrl, headers } = coingeckoEndpoint();
   const url = `${baseUrl}/coins/markets?vs_currency=usd&ids=${STABLECOIN_IDS}&order=market_cap_desc&sparkline=false&price_change_percentage=7d`;
-  const headers = { Accept: 'application/json', 'User-Agent': CHROME_UA };
-  if (apiKey) headers['x-cg-pro-api-key'] = apiKey;
 
   const resp = await fetchWithRateLimitRetry(url, 5, headers);
   const data = await resp.json();

scripts/seed-token-panels.mjs

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-import { loadEnvFile, loadSharedConfig, CHROME_UA, runSeed, sleep, fetchCoinPaprikaTickersById } from './_seed-utils.mjs';
+import { loadEnvFile, loadSharedConfig, CHROME_UA, runSeed, sleep, fetchCoinPaprikaTickersById, coingeckoEndpoint } from './_seed-utils.mjs';
 
 const defiConfig = loadSharedConfig('defi-tokens.json');
 const aiConfig = loadSharedConfig('ai-tokens.json');
@@ -32,11 +32,8 @@ async function fetchWithRateLimitRetry(url, maxAttempts = 5, headers = { Accept:
 }
 
 async function fetchFromCoinGecko() {
-  const apiKey = process.env.COINGECKO_API_KEY;
-  const baseUrl = apiKey ? 'https://pro-api.coingecko.com/api/v3' : 'https://api.coingecko.com/api/v3';
+  const { baseUrl, headers } = coingeckoEndpoint();
   const url = `${baseUrl}/coins/markets?vs_currency=usd&ids=${ALL_IDS.join(',')}&order=market_cap_desc&sparkline=false&price_change_percentage=24h,7d`;
-  const headers = { Accept: 'application/json', 'User-Agent': CHROME_UA };
-  if (apiKey) headers['x-cg-pro-api-key'] = apiKey;
 
   const resp = await fetchWithRateLimitRetry(url, 5, headers);
   const data = await resp.json();

server/worldmonitor/market/v1/_shared.ts

@@ -326,19 +326,36 @@ export async function fetchYahooQuote(
 // CoinGecko fetcher
 // ========================================================================
 
-export async function fetchCoinGeckoMarkets(
-  ids: string[],
-): Promise<CoinGeckoMarketItem[]> {
-  const apiKey = process.env.COINGECKO_API_KEY;
-  const baseUrl = apiKey
-    ? 'https://pro-api.coingecko.com/api/v3'
-    : 'https://api.coingecko.com/api/v3';
-  const url = `${baseUrl}/coins/markets?vs_currency=usd&ids=${ids.join(',')}&order=market_cap_desc&sparkline=true&price_change_percentage=24h`;
+/**
+ * Resolve the CoinGecko base URL + auth header for the configured key tier.
+ *
+ * CoinGecko's free Demo plan and paid Pro plan share the `CG-` key prefix but
+ * use different hosts and auth headers — a Demo key sent to the Pro host fails
+ * with HTTP 400 (error 10011: "change your root URL from pro-api.coingecko.com
+ * to api.coingecko.com"). The key string can't reveal the tier, so it is
+ * selected explicitly by which env var is set; Pro wins so existing Pro
+ * deployments are unaffected, and no key falls back to the public endpoint.
+ */
+function coingeckoEndpoint(): { baseUrl: string; headers: Record<string, string> } {
+  const proKey = process.env.COINGECKO_API_KEY;
+  const demoKey = process.env.COINGECKO_DEMO_API_KEY;
   const headers: Record<string, string> = {
     Accept: 'application/json',
     'User-Agent': CHROME_UA,
   };
-  if (apiKey) headers['x-cg-pro-api-key'] = apiKey;
+  if (proKey) {
+    headers['x-cg-pro-api-key'] = proKey;
+    return { baseUrl: 'https://pro-api.coingecko.com/api/v3', headers };
+  }
+  if (demoKey) headers['x-cg-demo-api-key'] = demoKey;
+  return { baseUrl: 'https://api.coingecko.com/api/v3', headers };
+}
+
+export async function fetchCoinGeckoMarkets(
+  ids: string[],
+): Promise<CoinGeckoMarketItem[]> {
+  const { baseUrl, headers } = coingeckoEndpoint();
+  const url = `${baseUrl}/coins/markets?vs_currency=usd&ids=${ids.join(',')}&order=market_cap_desc&sparkline=true&price_change_percentage=24h`;
 
   const resp = await fetch(url, {
     headers,