test(api): add env override util and custodial wallet tests

gaboesquivel · gaboesquivel · commit f2d4ad68a056 · 2026-03-18T18:40:00.000Z
fix(deps): update h3, next, socket.io-parser for security
diff --git a/README.md b/README.md
@@ -86,6 +86,10 @@ Run with `pnpm <script>`.
 **Misc**
   - `update-deps` — Update pnpm and all dependencies
 
+## Spec alignment
+
+Implementation and tests follow [`__dev/dynamic-api.md`](__dev/dynamic-api.md) (Dynamic Take-Home Backend). See [Product Definition](https://vencura-docs.vercel.app/docs/product/overview) for the mapping of spec requirements to features.
+
 ## Documentation
 
 Full docs: [vencura-docs.vercel.app](https://vencura-docs.vercel.app/docs)
diff --git a/apps/api/README.md b/apps/api/README.md
@@ -20,6 +20,8 @@ Uses `framework: "fastify"` in vercel.json. Vercel auto-detects `server.ts` as t
 
 Copy `.env.test.example` to `.env.test` (gitignored) for unit tests. Vitest loads it when present. `ALLOWED_ORIGINS` (default `*`) controls CORS and URL validation for auth callbacks.
 
+**Auth in integration tests:** Wallet route tests use API key auth via `getOrCreateSession`. Dynamic JWT auth is exercised in E2E (web wallets spec with Dynamic sandbox).
+
 ## pnpm commands
 
 - `pnpm dev` — Dev server with hot reload (requires db)
diff --git a/apps/api/src/lib/custodial-wallet.spec.ts b/apps/api/src/lib/custodial-wallet.spec.ts
@@ -1,11 +1,27 @@
+import { withTestEnvOverride } from '@test/utils/test-env-override.js'
 import { describe, expect, it } from 'vitest'
+import type { CustodialWallet } from '../db/schema/index.js'
 import {
   decryptPrivateKey,
   encryptPrivateKey,
   generateCustodialWallet,
   getAddress,
+  signWalletMessage,
 } from './custodial-wallet.js'
 
+function createMockWallet(overrides: Partial<CustodialWallet> = {}): CustodialWallet {
+  return {
+    id: 'test',
+    userId: 'test',
+    address: '0x0000000000000000000000000000000000000001',
+    encryptedPrivateKey: 'x',
+    chainId: 11155111,
+    createdAt: new Date(),
+    updatedAt: new Date(),
+    ...overrides,
+  }
+}
+
 describe('custodial-wallet', () => {
   describe('generateCustodialWallet', () => {
     it('should produce address and privateKey', async () => {
@@ -52,4 +68,64 @@ describe('custodial-wallet', () => {
       if (enc2) expect(decryptPrivateKey(enc2)).toBe(privateKey)
     })
   })
+
+  describe('signWalletMessage', () => {
+    it('should return hex signature for valid wallet', async () => {
+      const { address, privateKey } = await generateCustodialWallet()
+      const encrypted = encryptPrivateKey(privateKey)
+      if (!encrypted) throw new Error('encrypt failed')
+
+      const wallet = createMockWallet({ address, encryptedPrivateKey: encrypted })
+      const signed = await signWalletMessage(wallet, 'Hello')
+      expect(signed).toMatch(/^0x[a-fA-F0-9]+$/)
+      expect(signed.length).toBeGreaterThan(130)
+    })
+
+    it('should throw when encrypted key fails to decrypt', async () => {
+      const wallet = createMockWallet({ encryptedPrivateKey: 'invalid' })
+      await expect(signWalletMessage(wallet, 'x')).rejects.toThrow('Failed to decrypt')
+    })
+  })
+
+  describe('getWalletBalance', () => {
+    it('should return balance string when TEST_BALANCE_OVERRIDE is set', async () => {
+      await withTestEnvOverride('TEST_BALANCE_OVERRIDE', '1000000000000000000', async () => {
+        const { getWalletBalance } = await import('./custodial-wallet.js')
+        const wallet = createMockWallet()
+        const balance = await getWalletBalance(wallet)
+        expect(balance).toBe('1000000000000000000')
+      })
+    })
+  })
+
+  describe('sendWalletTransaction', () => {
+    it('should return hash when TEST_SEND_HASH_OVERRIDE is set', async () => {
+      await withTestEnvOverride('TEST_SEND_HASH_OVERRIDE', '0xabcd1234', async () => {
+        const { sendWalletTransaction } = await import('./custodial-wallet.js')
+        const { address, privateKey } = await generateCustodialWallet()
+        const encrypted = encryptPrivateKey(privateKey)
+        if (!encrypted) throw new Error('encrypt failed')
+
+        const wallet = createMockWallet({ address, encryptedPrivateKey: encrypted })
+        const hash = await sendWalletTransaction(
+          wallet,
+          '0x0000000000000000000000000000000000000001',
+          '0.001',
+        )
+        expect(hash).toBe('0xabcd1234')
+      })
+    })
+
+    it('should throw INSUFFICIENT_FUNDS when RPC returns insufficient funds', async () => {
+      const { sendWalletTransaction } = await import('./custodial-wallet.js')
+      const { address, privateKey } = await generateCustodialWallet()
+      const encrypted = encryptPrivateKey(privateKey)
+      if (!encrypted) throw new Error('encrypt failed')
+
+      const wallet = createMockWallet({ address, encryptedPrivateKey: encrypted })
+      await expect(
+        sendWalletTransaction(wallet, '0x0000000000000000000000000000000000000001', '1'),
+      ).rejects.toMatchObject({ code: 'INSUFFICIENT_FUNDS' })
+    })
+  })
 })
diff --git a/apps/api/src/lib/custodial-wallet.ts b/apps/api/src/lib/custodial-wallet.ts
@@ -64,6 +64,10 @@ export function getPublicClient(chainId: number): PublicClient {
 }
 
 export async function getWalletBalance(wallet: CustodialWallet): Promise<string> {
+  // Test-only: read at call time so tests can set process.env per test; NODE_ENV guard prevents prod misuse
+  const testBalance = process.env.NODE_ENV === 'test' && process.env.TEST_BALANCE_OVERRIDE // eslint-disable-line no-restricted-properties
+  if (testBalance) return testBalance
+
   const decrypted = decryptPrivateKey(wallet.encryptedPrivateKey)
   if (!decrypted) throw new Error('Failed to decrypt private key')
 
@@ -86,6 +90,10 @@ export async function sendWalletTransaction(
   to: string,
   amount: string,
 ): Promise<Hash> {
+  // Test-only: read at call time so tests can set process.env per test; NODE_ENV guard prevents prod misuse
+  const testOverride = process.env.NODE_ENV === 'test' && process.env.TEST_SEND_HASH_OVERRIDE // eslint-disable-line no-restricted-properties
+  if (testOverride) return testOverride as Hash
+
   const decrypted = decryptPrivateKey(wallet.encryptedPrivateKey)
   if (!decrypted) throw new Error('Failed to decrypt private key')
 
diff --git a/apps/api/src/routes/wallets/send.test.ts b/apps/api/src/routes/wallets/send.test.ts
@@ -1,5 +1,6 @@
 import { describe, expect, it } from 'vitest'
 import { getOrCreateSession } from '../../../test/utils/auth-helper.js'
+import { withTestEnvOverride } from '../../../test/utils/test-env-override.js'
 import { fastify } from './wallets.spec.js'
 
 describe('POST /wallets/:id/send', () => {
@@ -94,4 +95,32 @@ describe('POST /wallets/:id/send', () => {
     })
     expect(sendRes.statusCode).toBe(404)
   })
+
+  it('should return 200 with transactionHash for successful send', async () => {
+    const fakeHash = '0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcd'
+    await withTestEnvOverride('TEST_SEND_HASH_OVERRIDE', fakeHash, async () => {
+      const token = await getOrCreateSession(fastify, 'wallets-send-success@test.ai')
+
+      const createRes = await fastify.inject({
+        method: 'POST',
+        url: '/wallets',
+        headers: { Authorization: `Bearer ${token}` },
+      })
+      expect(createRes.statusCode).toBe(201)
+      const { id } = JSON.parse(createRes.body)
+
+      const sendRes = await fastify.inject({
+        method: 'POST',
+        url: `/wallets/${id}/send`,
+        headers: { Authorization: `Bearer ${token}` },
+        payload: {
+          to: '0x0000000000000000000000000000000000000001',
+          amount: '0.001',
+        },
+      })
+      expect(sendRes.statusCode).toBe(200)
+      const body = JSON.parse(sendRes.body)
+      expect(body.transactionHash).toBe(fakeHash)
+    })
+  })
 })
diff --git a/apps/api/test/utils/test-env-override.ts b/apps/api/test/utils/test-env-override.ts
@@ -0,0 +1,14 @@
+export async function withTestEnvOverride<T>(
+  name: string,
+  value: string,
+  fn: () => Promise<T>,
+): Promise<T> {
+  const prev = process.env[name]
+  process.env[name] = value
+  try {
+    return await fn()
+  } finally {
+    if (prev !== undefined) process.env[name] = prev
+    else delete process.env[name]
+  }
+}
diff --git a/apps/docu/content/docs/product/overview.mdx b/apps/docu/content/docs/product/overview.mdx
@@ -3,21 +3,23 @@ title: "Product Definition"
 description: "Required and optional features, alignment with Dynamic's Take-Home Backend."
 ---
 
-Vencura Wallet aligns with [Dynamic's Take-Home Backend](https://dynamic-labs.notion.site/Dynamic-s-Take-Home-Backend-cb8efc5140154eea83deb25738a04e91). The product delivers custodial wallets for Web3 with backend-only operations.
+Vencura Wallet aligns with [Dynamic's Take-Home Backend](https://dynamic-labs.notion.site/Dynamic-s-Take-Home-Backend-cb8efc5140154eea83deb25738a04e91). The canonical spec is [`__dev/dynamic-api.md`](https://github.com/blockmatic/vencura/blob/main/__dev/dynamic-api.md) in the repo. The product delivers custodial wallets for Web3 with backend-only operations.
 
 ## Required Features
 
 | Feature | Status | Description |
 |---------|--------|-------------|
 | **Dynamic auth** | Yes | Magic link, OAuth, Web3 sign-in, API keys |
 | **Create account/wallet** | Yes | Authenticated users create at least one custodial wallet |
-| **getBalance()** | Yes | `GET /wallets/:id/balance` returns balance (wei) |
-| **signMessage(msg)** | Yes | `POST /wallets/:id/sign` with `{ msg }` returns signed message |
-| **sendTransaction(to, amount)** | Yes | `POST /wallets/:id/send` with `{ to, amount }` returns transaction hash |
+| **getBalance()** | Yes | `GET /wallets/:id/balance` returns `balance` (string, wei) for safe handling of large numbers |
+| **signMessage(msg)** | Yes | `POST /wallets/:id/sign` with `{ msg }` returns `signedMessage` (string) |
+| **sendTransaction(to, amount)** | Yes | `POST /wallets/:id/send` with `{ to, amount }` — `amount` in ETH (string); returns `transactionHash` (string) |
 | **Basic UI** | Yes | Web dashboard and Expo app to interact with the API |
 
 All wallet interactions are done on the backend via the API. The UI calls the API with a Bearer token (Dynamic JWT or API key).
 
+**API types:** The spec uses `balance: number` and `amount: number` informally. The implementation uses `string` for both: `balance` in wei (18 decimals), `amount` in ETH (e.g. `"0.001"`). Strings avoid JavaScript number precision issues with large wei values.
+
 ## Optional Ideas (Future)
 
 The take-home suggests optional enhancements:
diff --git a/apps/docu/package.json b/apps/docu/package.json
@@ -22,7 +22,7 @@
     "fumadocs-ui": "16.6.0",
     "lucide-react": "^0.564.0",
     "mermaid": "^11.12.2",
-    "next": "16.1.6",
+    "next": "16.1.7",
     "next-themes": "^0.4.6",
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
diff --git a/apps/mathler/package.json b/apps/mathler/package.json
@@ -38,7 +38,7 @@
     "input-otp": "1.4.1",
     "lodash-es": "latest",
     "lucide-react": "^0.475.0",
-    "next": "16.1.6",
+    "next": "16.1.7",
     "next-themes": "^0.4.6",
     "nuqs": "^2.8.6",
     "react": "^19.2.3",
diff --git a/apps/web/package.json b/apps/web/package.json
@@ -57,7 +57,7 @@
     "import-in-the-middle": "^3.0.0",
     "jose": "^6.1.3",
     "lucide-react": "^0.564.0",
-    "next": "16.1.6",
+    "next": "16.1.7",
     "next-themes": "^0.4.6",
     "nuqs": "^2.8.8",
     "react": "^19.2.4",
diff --git a/package.json b/package.json
@@ -60,6 +60,9 @@
       "esbuild"
     ],
     "overrides": {
+      "h3": "1.15.6",
+      "next": "16.1.7",
+      "socket.io-parser": "4.2.6",
       "axios@<1.13.5": ">=1.13.5",
       "lightningcss": "1.30.1",
       "tar@<7.5.11": "7.5.11",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
diff --git a/tools/eslint/package.json b/tools/eslint/package.json
diff --git a/turbo.json b/turbo.json
