fix: batch resolve security + bug issues #55-#74 (#75)

* fix: batch resolve security + bug issues #55-#74

VERIFY issues:
- #55: Signup already correctly calls /api/auth/register + redirects to /dashboard (verified OK)
- #56/#65: Set metadataBase to https://coinpayportal.com, replaced all localhost:8080 fallbacks in WalletContext, SDK, and docs
- #57: Enhanced signup form with email format validation, password strength (8+ chars, uppercase, lowercase, number), inline field errors, disabled submit while invalid
- #58: Escrow page count now shows recurring series alongside one-time escrows; empty state already checks both
- #59: Header already uses isHydrated guard with loading placeholder (verified OK)

SECURITY issues:
- #62: Replaced CORS wildcard with strict origin whitelist (coinpayportal.com, www.coinpayportal.com) in proxy.ts
- #63/#71: Added rate limiting to proxy.ts (60 req/min general, 10 req/min auth) with X-RateLimit-* headers
- #64: Admin page now returns notFound()
- #66: Wallet creation rate limiting already working via checkRateLimitAsync (verified OK)
- #67: Wallet signature auth already has replay protection via checkAndRecordSignature + ±5min timestamp window (verified OK)
- #69: Removed unsafe-eval from CSP in proxy.ts; unsafe-inline documented as required by Next.js
- #70: Replaced specific RPC URLs in CSP connect-src with generic https: wss: patterns
- #72: /api/reputation root endpoint now returns 404 instead of listing all endpoints
- #73: Webhook receiver returns generic 401 instead of revealing config status
- #74: Added *.log, strix_runs/, strix_*.log to .gitignore; removed tracked debug files

Skipped: #38 (invoicing), #60 (multi-sig) — too large
No SKILL.md found for #68

Note: 1 pre-existing test failure in businesses/[id]/page.test.tsx (unrelated to these changes)

* fix: address Copilot review comments on PR #75

Author: ralyodio

.gitignore

@@ -24,6 +24,11 @@ node_modules
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
+*.log
+
+# strix agent runs
+strix_runs/
+strix_*.log
 
 # local env files
 .env*.local

src/app/admin/page.tsx

@@ -1,8 +1,5 @@
+import { notFound } from 'next/navigation';
+
 export default function AdminPage() {
-  return (
-    <div className="container mx-auto px-4 py-16">
-      <h1 className="text-4xl font-bold mb-8">Admin Panel</h1>
-      <p className="text-gray-600">Admin dashboard coming soon...</p>
-    </div>
-  );
-}
+  notFound();
+}

src/app/api/reputation/route.ts

@@ -1,25 +1,8 @@
 import { NextResponse } from 'next/server';
 
 export async function GET() {
-  return NextResponse.json({
-    service: 'reputation',
-    endpoints: [
-      '/api/reputation/agent/:did/reputation',
-      '/api/reputation/badge/:did',
-      '/api/reputation/check',
-      '/api/reputation/trust',
-      '/api/reputation/attest',
-      '/api/reputation/credential/:id',
-      '/api/reputation/credentials',
-      '/api/reputation/did/register',
-      '/api/reputation/did/claim',
-      '/api/reputation/did/me',
-      '/api/reputation/issuers',
-      '/api/reputation/receipt',
-      '/api/reputation/receipts',
-      '/api/reputation/verify',
-      '/api/reputation/platform-action',
-      '/api/reputation/revocation-list',
-    ],
-  });
+  return NextResponse.json(
+    { success: false, error: 'Not found' },
+    { status: 404 }
+  );
 }

src/app/api/webhook-receiver/route.ts

@@ -76,7 +76,7 @@ export async function POST(request: NextRequest) {
     if (!webhookSecret) {
       console.error('WEBHOOK_SECRET environment variable is not set');
       return NextResponse.json(
-        { success: false, error: 'Webhook receiver not configured' },
+        { error: 'Internal server error' },
         { status: 500 }
       );
     }

src/app/escrow/page.tsx

@@ -370,6 +370,7 @@ export default function EscrowDashboardPage() {
             ))}
             <p className="text-center text-sm text-gray-400 mt-4">
               Showing {escrows.length} of {total} escrows
+              {series.length > 0 && ` + ${series.length} recurring series`}
             </p>
           </div>
 

src/app/layout.tsx

@@ -6,7 +6,7 @@ import { Providers } from '@/components/Providers';
 import './globals.css';
 
 export const metadata: Metadata = {
-  metadataBase: new URL('https://coinpayportal.com'),
+  metadataBase: new URL(process.env.NEXT_PUBLIC_APP_URL || 'https://coinpayportal.com'),
   title: 'CoinPay - Non-Custodial Crypto Payment Gateway',
   description: 'Accept cryptocurrency payments in your e-commerce store with automatic fee handling and real-time processing',
   keywords: ['cryptocurrency', 'payment gateway', 'crypto payments', 'non-custodial', 'blockchain', 'bitcoin', 'ethereum'],

src/app/signup/page.tsx

@@ -13,23 +13,51 @@ export default function SignupPage() {
     name: '',
   });
   const [error, setError] = useState('');
+  const [fieldErrors, setFieldErrors] = useState<Record<string, string>>({});
   const [loading, setLoading] = useState(false);
 
+  const validateEmail = (email: string): string | null => {
+    if (!email) return 'Email is required';
+    if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) return 'Invalid email format';
+    return null;
+  };
+
+  const validatePassword = (password: string): string | null => {
+    if (!password) return 'Password is required';
+    if (password.length < 8) return 'Must be at least 8 characters';
+    if (!/[A-Z]/.test(password)) return 'Must contain an uppercase letter';
+    if (!/[a-z]/.test(password)) return 'Must contain a lowercase letter';
+    if (!/[0-9]/.test(password)) return 'Must contain a number';
+    return null;
+  };
+
+  const isFormValid = (): boolean => {
+    return (
+      !validateEmail(formData.email) &&
+      !validatePassword(formData.password) &&
+      formData.password === formData.confirmPassword &&
+      formData.password.length > 0
+    );
+  };
+
   const handleSubmit = async (e: React.FormEvent) => {
     e.preventDefault();
     setError('');
 
-    // Validate passwords match
+    // Inline validation
+    const errors: Record<string, string> = {};
+    const emailErr = validateEmail(formData.email);
+    if (emailErr) errors.email = emailErr;
+    const passErr = validatePassword(formData.password);
+    if (passErr) errors.password = passErr;
     if (formData.password !== formData.confirmPassword) {
-      setError('Passwords do not match');
-      return;
+      errors.confirmPassword = 'Passwords do not match';
     }
-
-    // Validate password strength
-    if (formData.password.length < 8) {
-      setError('Password must be at least 8 characters');
+    if (Object.keys(errors).length > 0) {
+      setFieldErrors(errors);
       return;
     }
+    setFieldErrors({});
 
     setLoading(true);
 
@@ -118,12 +146,16 @@ export default function SignupPage() {
                 type="email"
                 required
                 value={formData.email}
-                onChange={(e) =>
-                  setFormData({ ...formData, email: e.target.value })
-                }
-                className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent placeholder:text-gray-400 text-gray-900"
+                onChange={(e) => {
+                  setFormData({ ...formData, email: e.target.value });
+                  if (fieldErrors.email) setFieldErrors((prev) => ({ ...prev, email: '' }));
+                }}
+                className={`w-full px-4 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent placeholder:text-gray-400 text-gray-900 ${fieldErrors.email ? 'border-red-400' : 'border-gray-300'}`}
                 placeholder="you@example.com"
               />
+              {fieldErrors.email && (
+                <p className="mt-1 text-xs text-red-600">{fieldErrors.email}</p>
+              )}
             </div>
 
             <div>
@@ -138,12 +170,16 @@ export default function SignupPage() {
                 type="password"
                 required
                 value={formData.password}
-                onChange={(e) =>
-                  setFormData({ ...formData, password: e.target.value })
-                }
-                className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent placeholder:text-gray-400 text-gray-900"
+                onChange={(e) => {
+                  setFormData({ ...formData, password: e.target.value });
+                  if (fieldErrors.password) setFieldErrors((prev) => ({ ...prev, password: '' }));
+                }}
+                className={`w-full px-4 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent placeholder:text-gray-400 text-gray-900 ${fieldErrors.password ? 'border-red-400' : 'border-gray-300'}`}
                 placeholder="••••••••"
               />
+              {fieldErrors.password && (
+                <p className="mt-1 text-xs text-red-600">{fieldErrors.password}</p>
+              )}
               <p className="mt-1 text-xs text-gray-500">
                 Must be at least 8 characters with uppercase, lowercase, and numbers
               </p>
@@ -161,17 +197,21 @@ export default function SignupPage() {
                 type="password"
                 required
                 value={formData.confirmPassword}
-                onChange={(e) =>
-                  setFormData({ ...formData, confirmPassword: e.target.value })
-                }
-                className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent placeholder:text-gray-400 text-gray-900"
+                onChange={(e) => {
+                  setFormData({ ...formData, confirmPassword: e.target.value });
+                  if (fieldErrors.confirmPassword) setFieldErrors((prev) => ({ ...prev, confirmPassword: '' }));
+                }}
+                className={`w-full px-4 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent placeholder:text-gray-400 text-gray-900 ${fieldErrors.confirmPassword ? 'border-red-400' : 'border-gray-300'}`}
                 placeholder="••••••••"
               />
+              {fieldErrors.confirmPassword && (
+                <p className="mt-1 text-xs text-red-600">{fieldErrors.confirmPassword}</p>
+              )}
             </div>
 
             <button
               type="submit"
-              disabled={loading}
+              disabled={loading || !isFormValid()}
               className="w-full bg-purple-600 text-white py-3 px-4 rounded-lg font-semibold hover:bg-purple-500 focus:outline-none focus:ring-2 focus:ring-purple-500 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed transition-colors"
             >
               {loading ? 'Creating account...' : 'Sign up'}

src/components/docs/WebWalletDocs.tsx

@@ -93,7 +93,7 @@ pnpm coinpay-wallet create --chains BTC,ETH,SOL`}
       <div className="mb-8 p-4 bg-slate-800/50 rounded-lg">
         <h4 className="text-white font-semibold text-sm mb-2">Environment Variables</h4>
         <div className="space-y-1 text-sm text-gray-300">
-          <p><code className="text-purple-400">COINPAY_API_URL</code> — API base URL (default: <code>http://localhost:8080</code>)</p>
+          <p><code className="text-purple-400">NEXT_PUBLIC_API_URL</code> — API base URL (default: <code>https://coinpayportal.com</code>). The legacy <code>COINPAY_API_URL</code> is also supported by the CLI.</p>
           <p><code className="text-purple-400">COINPAY_AUTH_TOKEN</code> — JWT token for read-only operations</p>
           <p><code className="text-purple-400">COINPAY_MNEMONIC</code> — Mnemonic phrase (required for <code>send</code> and <code>derive-missing</code>)</p>
         </div>

src/components/web-wallet/WalletContext.tsx

@@ -102,7 +102,7 @@ function getBaseUrl(): string {
   if (typeof window !== 'undefined') {
     return window.location.origin;
   }
-  return process.env.NEXT_PUBLIC_APP_URL || 'http://localhost:8080';
+  return process.env.NEXT_PUBLIC_APP_URL || (process.env.NODE_ENV === 'production' ? 'https://coinpayportal.com' : 'http://localhost:3000');
 }
 
 export function WebWalletProvider({ children }: { children: ReactNode }) {

src/lib/sdk/index.ts

@@ -94,7 +94,7 @@ export function createCoinPayClient(
 ): InstanceType<typeof SDKCoinPayClient> {
   return new SDKCoinPayClient({
     apiKey,
-    baseUrl: baseUrl || process.env.NEXT_PUBLIC_API_URL || 'http://localhost:8080',
+    baseUrl: baseUrl || process.env.NEXT_PUBLIC_API_URL || (process.env.NODE_ENV === 'production' ? 'https://coinpayportal.com' : 'http://localhost:8080'),
   });
 }