# KeyCrow - Steam Key Trading Platform with Escrow

Technical foundation for an automated Steam key trading platform with escrow system.

## Architecture Overview

```
┌─────────────────────────────────────────────────────────────┐
│                         Client/App                          │
└──────────────────────────┬──────────────────────────────────┘
                           │
                           ▼
┌─────────────────────────────────────────────────────────────┐
│                    Backend API (Express)                    │
├─────────────────────────────────────────────────────────────┤
│  Routes: auth | listings | transactions | theoretical       │
└──────┬──────────────┬──────────────────┬───────────────────┘
       │              │                  │
       ▼              ▼                  ▼
┌──────────────┐ ┌──────────────┐ ┌──────────────────────────┐
│    Store     │ │  Encryption  │ │         Services         │
│ (In-Memory)  │ │   Service    │ │ - PaymentProvider (Mock) │
│              │ │    (AES)     │ │ - KeyActivationProvider  │
└──────────────┘ └──────────────┘ └──────────────────────────┘
```

## What's Implemented

### Realistic Flow (Production-Ready Pattern)

1. **Seller** creates a listing with encrypted Steam key
2. **Buyer** purchases via escrow (payment held)
3. **Platform** delivers decrypted key to buyer
4. **Buyer** confirms key works → money released to seller
5. **Buyer** reports failure → dispute, refund initiated

### Theoretical/Ideal Flow (Mock Only)

- Automated server-side key activation on buyer's Steam account
- **DISABLED by default** - requires `ALLOW_THEORETICAL_ACTIVATION=true`
- Clearly marked as potentially violating Steam ToS

## API Endpoints

### Authentication

- `POST /auth/register` - Register user
- `GET /auth/me` - Get current user
- `POST /auth/auth/steam/login` - Steam login (mock)

### Listings

- `POST /listings` - Create listing
- `GET /listings` - Get active listings
- `GET /listings/:id` - Get listing by ID
- `GET /listings/seller/me` - Get seller's listings
- `DELETE /listings/:id` - Cancel listing

### Transactions

- `POST /transactions` - Create purchase (escrow hold)
- `GET /transactions/:id` - Get transaction
- `GET /transactions/:id/key` - Get decrypted key (buyer only)
- `POST /transactions/:id/confirm` - Confirm key works/failed
- `GET /transactions/buyer/me` - Buyer's transactions
- `GET /transactions/seller/me` - Seller's transactions

### Theoretical (Mock)

- `POST /theoretical/activate` - Attempt automated activation

## Environment Variables

```bash
PORT=3000
ENCRYPTION_KEY=your-256-bit-key
STEAM_API_KEY=your-steam-api-key
STEAM_REDIRECT_URI=http://localhost:3000/auth/steam/callback
ALLOW_THEORETICAL_ACTIVATION=false
```

## Legal Notice

This implementation is a **technical proof-of-concept**. Automated Steam key activation is likely to violate Steam's Terms of Service unless you have an official partnership with Valve. The "theoretical" module is clearly marked and disabled by default. Use at your own risk.
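
The sketch below illustrates the encrypted-listing step of the Realistic Flow and the buyer-only `GET /transactions/:id/key` endpoint. It is an added example, not KeyCrow's own code. It assumes AES-256-GCM (the README only says "AES"), a hex-encoded `ENCRYPTION_KEY`, and hypothetical names: the functions, the `buyerId`, `status`, `id` and `encryptedKey` fields, and the `ESCROW_HELD` status.

```javascript
// Added example (not KeyCrow's code). Assumed: AES-256-GCM, a 64-hex-char
// ENCRYPTION_KEY, and the hypothetical function, field and status names below.
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Parse ENCRYPTION_KEY strictly: exactly 32 bytes, hex-encoded. This rejects
// the README placeholder "your-256-bit-key" instead of silently using it.
function loadKey(hex) {
  if (!/^[0-9a-fA-F]{64}$/.test(hex || '')) {
    throw new Error('ENCRYPTION_KEY must be 64 hex characters (256 bits)');
  }
  return Buffer.from(hex, 'hex');
}

// Encrypt a Steam key. The listing ID is bound as AAD, so a stored ciphertext
// moved to a different listing fails authentication on decrypt.
function encryptSteamKey(key, listingId, steamKey) {
  const iv = randomBytes(12); // fresh 96-bit nonce per encryption
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(listingId, 'utf8'));
  const ct = Buffer.concat([cipher.update(steamKey, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Stored layout: 12-byte IV | 16-byte auth tag | ciphertext.
function decryptSteamKey(key, listingId, blob) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 28) throw new Error('ciphertext too short');
  const decipher = createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(listingId, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if the tag, AAD or ciphertext was altered
  const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return pt.toString('utf8');
}

// Gate for key delivery: only the buyer, and only while escrow holds payment.
function releaseKey(key, tx, listing, requesterId) {
  if (tx.buyerId !== requesterId) throw new Error('forbidden: not the buyer');
  if (tx.status !== 'ESCROW_HELD') throw new Error('payment not held in escrow');
  return decryptSteamKey(key, listing.id, listing.encryptedKey);
}
```

A suitable key can be generated with `openssl rand -hex 32`.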