Derive and match P2SH-P2WPKH addresses

[oritwoen]

DerivedKey currently produces four address formats: P2PKH compressed, P2PKH uncompressed, P2WPKH (bech32), and P2TR (taproot). The matcher checks all four. Missing from both: P2SH-P2WPKH.

P2SH-P2WPKH addresses (the ones starting with 3 on mainnet) were the dominant address format from roughly 2017 through 2021, before native segwit and taproot took over. A lot of funds moved through these addresses. If a vulnerable key had coins sent to its P2SH-P2WPKH address, the current scanner wouldn't find them because DerivedKey never computes that address and Matcher never checks it.

The derivation is straightforward - wrap the P2WPKH witness program in a P2SH script:

1. Take the compressed public key
2. Compute OP_0 <20-byte-pubkey-hash> (the witness program)
3. Hash that script with HASH160
4. Encode as a P2SH address (base58check with version byte 0x05)

The bitcoin crate already supports this via Address::p2shwpkh().

Changes needed:

• Add p2sh_p2wpkh: String field to DerivedKey
• Compute it in KeyDeriver::derive()
• Add P2shP2wpkh variant to AddressType enum
• Include it in DerivedKey::addresses() (becomes 5 elements)
• Update output formats (console CSV columns, storage schema) to include the new field

[coderabbitai]

🔗 Related PRs

#79 - feat(derive): add P2TR (Taproot) address support [merged]

---

📝 Issue Planner

_{Check the box below or use the @coderabbitai plan command to generate an implementation plan and prompts that you can use with your favorite coding assistant.}

• Create Plan

---

🧪 Issue enrichment is currently in open beta.

You can configure auto-planning by selecting labels in the issue_enrichment configuration.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!