profullstack
diff --git a/‎packages/sdk/test/wallet-backup.test.js‎
Lines changed: 172 additions & 0 deletions b/‎packages/sdk/test/wallet-backup.test.js‎
Lines changed: 172 additions & 0 deletions
diff --git a/‎src/lib/wallet-sdk/backup-wallet.test.ts‎
Lines changed: 142 additions & 0 deletions b/‎src/lib/wallet-sdk/backup-wallet.test.ts‎
Lines changed: 142 additions & 0 deletions
@@ -0,0 +1,172 @@
+/**
+ * CLI wallet backup/decrypt tests
+ *
+ * These tests exercise the `coinpay wallet backup-seed` and
+ * `coinpay wallet decrypt-backup` CLI commands using system gpg.
+ * Tests are skipped if gpg is not installed.
+ */
+
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { execSync } from 'child_process';
+import { existsSync, mkdtempSync } from 'fs';
+import { join } from 'path';
+import { tmpdir } from 'os';
+
+const CLI_PATH = join(import.meta.dirname, '..', 'bin', 'coinpay.js');
+
+// Check if gpg is available
+let hasGpg = false;
+try {
+  execSync('gpg --version', { stdio: 'pipe' });
+  hasGpg = true;
+} catch {
+  hasGpg = false;
+}
+
+/**
+ * Run the CLI and capture merged stdout+stderr.
+ * We merge via shell redirection since the CLI uses both console.log and console.error.
+ * Returns { output, status }.
+ */
+function runCLI(args, { cwd, expectFail } = {}) {
+  const cmd = `node ${CLI_PATH} ${args} 2>&1`;
+  const opts = {
+    encoding: 'utf-8',
+    stdio: ['pipe', 'pipe', 'pipe'],
+    env: { ...process.env, COINPAY_API_KEY: 'cp_test_fake_key' },
+    timeout: 30000,
+    ...(cwd ? { cwd } : {}),
+  };
+
+  try {
+    const output = execSync(cmd, opts);
+    return { output, status: 0 };
+  } catch (err) {
+    if (expectFail) {
+      return {
+        output: (err.stdout || '') + (err.stderr || ''),
+        status: err.status || 1,
+      };
+    }
+    throw err;
+  }
+}
+
+describe('CLI wallet backup commands', () => {
+  let tmpDir;
+
+  beforeAll(() => {
+    tmpDir = mkdtempSync(join(tmpdir(), 'coinpay-test-'));
+  });
+
+  afterAll(() => {
+    try {
+      execSync(`rm -rf "${tmpDir}"`);
+    } catch {
+      // best effort
+    }
+  });
+
+  describe.skipIf(!hasGpg)('with gpg available', () => {
+    const testSeed =
+      'abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about';
+    const testPassword = 'test-password-123';
+    const testWalletId = 'wid-test-001';
+
+    it('backup-seed should create a .gpg file', () => {
+      const outputPath = join(tmpDir, `wallet_${testWalletId}_seedphrase.txt.gpg`);
+
+      runCLI(
+        `wallet backup-seed --seed "${testSeed}" --password "${testPassword}" --wallet-id "${testWalletId}" --output "${outputPath}"`
+      );
+
+      expect(existsSync(outputPath)).toBe(true);
+    });
+
+    it('decrypt-backup should recover the seed phrase', () => {
+      const outputPath = join(tmpDir, 'decrypt-roundtrip.txt.gpg');
+
+      runCLI(
+        `wallet backup-seed --seed "${testSeed}" --password "${testPassword}" --wallet-id "${testWalletId}" --output "${outputPath}"`
+      );
+
+      const { output } = runCLI(
+        `wallet decrypt-backup "${outputPath}" --password "${testPassword}" --json`
+      );
+
+      const parsed = JSON.parse(output);
+      expect(parsed.mnemonic).toBe(testSeed);
+    });
+
+    it('decrypt-backup with wrong password should show error message', () => {
+      const outputPath = join(tmpDir, 'wrong-pw-test.txt.gpg');
+
+      runCLI(
+        `wallet backup-seed --seed "${testSeed}" --password "${testPassword}" --wallet-id "${testWalletId}" --output "${outputPath}"`
+      );
+
+      // The CLI catches gpg errors and prints a user-friendly message
+      // It may or may not exit non-zero depending on implementation
+      const { output } = runCLI(
+        `wallet decrypt-backup "${outputPath}" --password "wrong-password"`,
+        { expectFail: true }
+      );
+
+      expect(output).toMatch(/failed|error|wrong/i);
+    });
+
+    it('backup-seed should use default filename when --output is not provided', () => {
+      const cmd = `wallet backup-seed --seed "${testSeed}" --password "${testPassword}" --wallet-id "default-name"`;
+      runCLI(cmd, { cwd: tmpDir });
+
+      const expectedFile = join(tmpDir, 'wallet_default-name_seedphrase.txt.gpg');
+      expect(existsSync(expectedFile)).toBe(true);
+    });
+
+    it('decrypt-backup should include wallet ID in raw output', () => {
+      const outputPath = join(tmpDir, 'walletid-check.txt.gpg');
+
+      runCLI(
+        `wallet backup-seed --seed "${testSeed}" --password "${testPassword}" --wallet-id "${testWalletId}" --output "${outputPath}"`
+      );
+
+      const { output } = runCLI(
+        `wallet decrypt-backup "${outputPath}" --password "${testPassword}" --json`
+      );
+
+      const parsed = JSON.parse(output);
+      expect(parsed.raw).toContain(`Wallet ID: ${testWalletId}`);
+    });
+  });
+
+  describe('missing required flags', () => {
+    it('backup-seed without --wallet-id should show error', () => {
+      const { output } = runCLI(
+        'wallet backup-seed --seed "test words" --password "pass"',
+        { expectFail: true }
+      );
+
+      // The CLI prints "Required: --wallet-id <id>" via console.error
+      expect(output).toMatch(/wallet-id/i);
+    });
+
+    it('decrypt-backup without file path should show error or usage info', () => {
+      const { output } = runCLI(
+        'wallet decrypt-backup --password "pass"',
+        { expectFail: true }
+      );
+
+      // The CLI prints "Backup file path required" + example
+      expect(output).toMatch(/file|path|backup|required|example/i);
+    });
+
+    it('decrypt-backup with nonexistent file should show error', () => {
+      const { output } = runCLI(
+        'wallet decrypt-backup /tmp/nonexistent-file-12345.gpg --password "pass"',
+        { expectFail: true }
+      );
+
+      expect(output).toMatch(/not found|error/i);
+    });
+  });
+});
@@ -0,0 +1,142 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { WalletSDKError } from './errors';
+import { encryptSeedPhrase, decryptSeedPhrase } from './backup';
+
+// The Wallet class constructor is private and factories make API calls,
+// so we test the backup methods by:
+// 1. Testing the static decryptBackup independently (it's a thin wrapper)
+// 2. Testing that exportEncryptedBackup throws READ_ONLY when no mnemonic
+// 3. Round-trip testing using the underlying backup module functions
+
+// We need to import Wallet to test its static method and instance behavior
+// We'll mock the API client to avoid network calls
+vi.mock('./client', () => ({
+  WalletAPIClient: vi.fn().mockImplementation(() => ({
+    request: vi.fn().mockResolvedValue({
+      wallet_id: 'test-wallet-id',
+      created_at: new Date().toISOString(),
+      addresses: [],
+    }),
+    setSignatureAuth: vi.fn(),
+    setJWTToken: vi.fn(),
+    clearAuth: vi.fn(),
+  })),
+  hexToUint8Array: vi.fn((hex: string) => new Uint8Array(hex.match(/.{1,2}/g)?.map(b => parseInt(b, 16)) || [])),
+  uint8ArrayToHex: vi.fn((arr: Uint8Array) => Array.from(arr).map(b => b.toString(16).padStart(2, '0')).join('')),
+}));
+
+// Mock the key derivation modules to avoid heavy crypto during tests
+vi.mock('../web-wallet/keys', () => ({
+  generateMnemonic: vi.fn().mockReturnValue(
+    'abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about'
+  ),
+  isValidMnemonic: vi.fn().mockReturnValue(true),
+  deriveWalletBundle: vi.fn().mockResolvedValue({
+    publicKeySecp256k1: 'mock-pub-key-secp',
+    publicKeyEd25519: 'mock-pub-key-ed',
+    privateKeySecp256k1: '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef',
+    addresses: [],
+  }),
+  deriveKeyForChain: vi.fn(),
+}));
+
+vi.mock('../web-wallet/signing', () => ({
+  signTransaction: vi.fn(),
+}));
+
+vi.mock('../web-wallet/identity', () => ({
+  buildDerivationPath: vi.fn().mockReturnValue("m/44'/60'/0'/0/0"),
+}));
+
+import { Wallet } from './wallet';
+
+describe('Wallet backup methods', () => {
+  const testMnemonic =
+    'abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about';
+  const testPassword = 'Str0ng!P@ssword';
+
+  describe('Wallet.decryptBackup (static)', () => {
+    it('should decrypt data encrypted by encryptSeedPhrase', async () => {
+      const { data } = await encryptSeedPhrase(testMnemonic, testPassword, 'test-wallet');
+      const decrypted = await Wallet.decryptBackup(data, testPassword);
+
+      expect(decrypted).toBe(testMnemonic);
+    });
+
+    it('should return null for wrong password', async () => {
+      const { data } = await encryptSeedPhrase(testMnemonic, testPassword, 'test-wallet');
+      const decrypted = await Wallet.decryptBackup(data, 'wrong-password');
+
+      expect(decrypted).toBeNull();
+    });
+
+    it('should return null for garbage data', async () => {
+      const garbage = new Uint8Array([0xff, 0xfe, 0xfd, 0xfc]);
+      const decrypted = await Wallet.decryptBackup(garbage, testPassword);
+
+      expect(decrypted).toBeNull();
+    });
+  });
+
+  describe('wallet.exportEncryptedBackup (instance)', () => {
+    it('should throw WalletSDKError with READ_ONLY code for read-only wallets', async () => {
+      // fromWalletId creates a read-only wallet (no mnemonic)
+      const readOnlyWallet = Wallet.fromWalletId('test-id', {
+        baseUrl: 'https://test.api.com',
+        apiKey: 'test-key',
+      });
+
+      await expect(readOnlyWallet.exportEncryptedBackup(testPassword))
+        .rejects.toThrow(WalletSDKError);
+
+      try {
+        await readOnlyWallet.exportEncryptedBackup(testPassword);
+      } catch (err) {
+        expect(err).toBeInstanceOf(WalletSDKError);
+        expect((err as WalletSDKError).code).toBe('READ_ONLY');
+      }
+    });
+
+    it('should produce encrypted data when wallet has mnemonic (via create)', async () => {
+      const wallet = await Wallet.create({
+        baseUrl: 'https://test.api.com',
+        apiKey: 'test-key',
+        chains: ['BTC'],
+      });
+
+      const backup = await wallet.exportEncryptedBackup(testPassword);
+
+      expect(backup.data).toBeInstanceOf(Uint8Array);
+      expect(backup.data.length).toBeGreaterThan(0);
+      expect(backup.filename).toMatch(/^wallet_.*_seedphrase\.txt\.gpg$/);
+      expect(backup.walletId).toBeTruthy();
+    });
+
+    it('should produce data that Wallet.decryptBackup can decrypt', async () => {
+      const wallet = await Wallet.create({
+        baseUrl: 'https://test.api.com',
+        apiKey: 'test-key',
+        chains: ['BTC'],
+      });
+
+      const backup = await wallet.exportEncryptedBackup(testPassword);
+      const decrypted = await Wallet.decryptBackup(backup.data, testPassword);
+
+      // The mock generates the known test mnemonic
+      expect(decrypted).toBe(testMnemonic);
+    });
+
+    it('should not decrypt with a wrong password', async () => {
+      const wallet = await Wallet.create({
+        baseUrl: 'https://test.api.com',
+        apiKey: 'test-key',
+        chains: ['BTC'],
+      });
+
+      const backup = await wallet.exportEncryptedBackup(testPassword);
+      const decrypted = await Wallet.decryptBackup(backup.data, 'wrong-pw');
+
+      expect(decrypted).toBeNull();
+    });
+  });
+});