fix: update tests for security hardening changes (wallet validation, CORS deny-all, health check)

- Use valid base58 wallet addresses in tests (was 'WalletA', now fails param validation)

- Update CORS tests to expect deny-all default (was allow-all)

- Update health/ready test to accept additional bags dependency field

- Fix BagsClient test mock to match ClaimTransaction Zod schema

- Fix BagsSdkAdapter type casts (Record<string,unknown> -> direct property access)

Author: Matt-Aurora-Ventures

backend/src/clients/BagsSdkAdapter.ts

@@ -138,23 +138,23 @@ export class BagsSdkAdapter implements BagsAdapter {
       otherAmountThreshold: sdkQuote.minOutAmount, // SDK maps this
       priceImpactPct: sdkQuote.priceImpactPct,
       slippageBps: sdkQuote.slippageBps,
-      routePlan: sdkQuote.routePlan?.map((leg: Record<string, unknown>) => ({
-        venue: (leg.venue as string) ?? '',
-        inAmount: (leg.inAmount as string) ?? '',
-        outAmount: (leg.outAmount as string) ?? '',
-        inputMint: (leg.inputMint as string) ?? '',
-        outputMint: (leg.outputMint as string) ?? '',
-        inputMintDecimals: (leg.inputMintDecimals as number) ?? 0,
-        outputMintDecimals: (leg.outputMintDecimals as number) ?? 0,
-        marketKey: (leg.marketKey as string) ?? '',
-        data: (leg.data as string) ?? '',
+      routePlan: sdkQuote.routePlan?.map((leg) => ({
+        venue: String(leg.venue ?? ''),
+        inAmount: String(leg.inAmount ?? ''),
+        outAmount: String(leg.outAmount ?? ''),
+        inputMint: String(leg.inputMint ?? ''),
+        outputMint: String(leg.outputMint ?? ''),
+        inputMintDecimals: Number(leg.inputMintDecimals ?? 0),
+        outputMintDecimals: Number(leg.outputMintDecimals ?? 0),
+        marketKey: String(leg.marketKey ?? ''),
+        data: String(leg.data ?? ''),
       })) ?? [],
       platformFee: {
-        amount: (sdkQuote.platformFee as Record<string, unknown>)?.amount as string ?? '0',
-        feeBps: (sdkQuote.platformFee as Record<string, unknown>)?.feeBps as number ?? 0,
-        feeAccount: (sdkQuote.platformFee as Record<string, unknown>)?.feeAccount as string ?? '',
-        segmenterFeeAmount: (sdkQuote.platformFee as Record<string, unknown>)?.segmenterFeeAmount as string ?? '0',
-        segmenterFeePct: (sdkQuote.platformFee as Record<string, unknown>)?.segmenterFeePct as number ?? 0,
+        amount: String(sdkQuote.platformFee?.amount ?? '0'),
+        feeBps: Number(sdkQuote.platformFee?.feeBps ?? 0),
+        feeAccount: String(sdkQuote.platformFee?.feeAccount ?? ''),
+        segmenterFeeAmount: String(sdkQuote.platformFee?.segmenterFeeAmount ?? '0'),
+        segmenterFeePct: Number(sdkQuote.platformFee?.segmenterFeePct ?? 0),
       },
       outTransferFee: sdkQuote.outTransferFee ?? '0',
       simulatedComputeUnits: sdkQuote.simulatedComputeUnits ?? 0,

backend/tests/api-routes.test.ts

@@ -38,7 +38,7 @@ function createMockDb() {
 
 const mockStrategy = {
   strategyId: 'strat-0001',
-  ownerWallet: 'WalletA',
+  ownerWallet: '7xKpPqREhiP1B6d3wTgs8MTwbLj5GhXFsJAiGbrZkQbL',
   source: 'CLAIMABLE_POSITIONS' as const,
   distributionToken: '',
   swapConfig: { slippageBps: 50, maxPriceImpactBps: 300 },
@@ -159,7 +159,7 @@ function createMockOpenRouterClient() {
 const mockUserKey = {
   keyId: 'uk-0001',
   strategyId: 'strat-0001',
-  holderWallet: 'WalletA',
+  holderWallet: '7xKpPqREhiP1B6d3wTgs8MTwbLj5GhXFsJAiGbrZkQbL',
   openrouterKeyHash: 'key-hash-001',
   spendingLimitUsd: 10,
   currentUsageUsd: 2.5,
@@ -277,13 +277,13 @@ describe('Strategy Routes', () => {
       method: 'POST',
       url: '/api/strategies',
       headers: AUTH_HEADER,
-      payload: { ownerWallet: 'NewWallet' },
+      payload: { ownerWallet: '9xKpPqREhiP1B6d3wTgs8MTwbLj5GhXFsJAiGbrZkNew' },
     });
     expect(res.statusCode).toBe(200);
     expect(res.json().strategyId).toBe('strat-new-001');
-    expect(res.json().ownerWallet).toBe('NewWallet');
+    expect(res.json().ownerWallet).toBe('9xKpPqREhiP1B6d3wTgs8MTwbLj5GhXFsJAiGbrZkNew');
     expect(deps.strategyService.create).toHaveBeenCalledWith(
-      expect.objectContaining({ ownerWallet: 'NewWallet' }),
+      expect.objectContaining({ ownerWallet: '9xKpPqREhiP1B6d3wTgs8MTwbLj5GhXFsJAiGbrZkNew' }),
     );
     await app.close();
   });
@@ -603,7 +603,7 @@ describe('Key Routes', () => {
     const keyResponse = res.json()[0];
     expect(keyResponse).not.toHaveProperty('openrouterKey');
     expect(keyResponse).not.toHaveProperty('openrouter_key');
-    expect(keyResponse.holderWallet).toBe('WalletA');
+    expect(keyResponse.holderWallet).toBe('7xKpPqREhiP1B6d3wTgs8MTwbLj5GhXFsJAiGbrZkQbL');
     expect(deps.keyManagerService.getKeysByStrategy).toHaveBeenCalledWith('strat-0001');
     await app.close();
   });
@@ -816,8 +816,8 @@ describe('Wallet Key Routes', () => {
     });
     expect(res.statusCode).toBe(200);
     expect(res.json().keyId).toBe('uk-0001');
-    expect(res.json().holderWallet).toBe('WalletA');
-    expect(deps.keyManagerService.getActiveKeyByWallet).toHaveBeenCalledWith('WalletA');
+    expect(res.json().holderWallet).toBe('7xKpPqREhiP1B6d3wTgs8MTwbLj5GhXFsJAiGbrZkQbL');
+    expect(deps.keyManagerService.getActiveKeyByWallet).toHaveBeenCalledWith('7xKpPqREhiP1B6d3wTgs8MTwbLj5GhXFsJAiGbrZkQbL');
     await app.close();
   });
 
@@ -846,8 +846,8 @@ describe('Wallet Key Routes', () => {
     });
     expect(res.statusCode).toBe(200);
     expect(res.json().revoked).toBe(true);
-    expect(res.json().wallet).toBe('WalletA');
-    expect(deps.keyManagerService.getActiveKeyByWallet).toHaveBeenCalledWith('WalletA');
+    expect(res.json().wallet).toBe('7xKpPqREhiP1B6d3wTgs8MTwbLj5GhXFsJAiGbrZkQbL');
+    expect(deps.keyManagerService.getActiveKeyByWallet).toHaveBeenCalledWith('7xKpPqREhiP1B6d3wTgs8MTwbLj5GhXFsJAiGbrZkQbL');
     expect(deps.keyManagerService.revokeKey).toHaveBeenCalledWith('uk-0001');
     await app.close();
   });
@@ -953,7 +953,7 @@ describe('Wallet Key Routes', () => {
     expect(res.statusCode).toBe(200);
     expect(res.json()).toHaveLength(1);
     expect(res.json()[0].key_hash).toBe('key-hash-001');
-    expect(deps.keyManagerService.getActiveKeyByWallet).toHaveBeenCalledWith('WalletA');
+    expect(deps.keyManagerService.getActiveKeyByWallet).toHaveBeenCalledWith('7xKpPqREhiP1B6d3wTgs8MTwbLj5GhXFsJAiGbrZkQbL');
     expect(deps.usageTrackingService.getKeyUsage).toHaveBeenCalledWith('key-hash-001');
     await app.close();
   });

backend/tests/clients/BagsClient.test.ts

@@ -198,7 +198,10 @@ describe('BagsClient', () => {
   describe('getClaimTransactions', () => {
     it('returns claim transactions for a position', async () => {
       const mockTx = [
-        { transaction: 'base64-tx-1', computeUnits: 150000 },
+        {
+          tx: 'base58-encoded-tx-1',
+          blockhash: { blockhash: 'hash-abc', lastValidBlockHeight: 1000 },
+        },
       ];
       mockPost.mockResolvedValue({ data: mockTx, headers: {} });
 
@@ -210,7 +213,7 @@ describe('BagsClient', () => {
       const result = await client.getClaimTransactions('feeClaimer123', mockPosition);
 
       expect(result).toHaveLength(1);
-      expect(result[0].transaction).toBe('base64-tx-1');
+      expect(result[0].tx).toBe('base58-encoded-tx-1');
       expect(mockPost).toHaveBeenCalledWith(
         '/fees/claim/transactions',
         expect.objectContaining({

backend/tests/integration/e2e-pipeline.test.ts

@@ -83,7 +83,7 @@ const mockBagsClient = {
       dammPoolClaimableLamportsUserShare: 0,
       dammPoolAddress: 'damm-address',
       claimableDisplayAmount: 10,
-      user: 'e2e-wallet',
+      user: '5xKpPqREhiP1B6d3wTgs8MTwbLj5GhXFsJAiGbrZkE2E',
       claimerIndex: 0,
       userBps: 10000,
       customFeeVault: '',
@@ -137,7 +137,7 @@ const mockSignAndSendSwap = vi.fn().mockResolvedValue('mock-swap-sig');
 
 const mockStrategy = {
   strategyId: STRATEGY_ID,
-  ownerWallet: 'e2e-wallet',
+  ownerWallet: '5xKpPqREhiP1B6d3wTgs8MTwbLj5GhXFsJAiGbrZkE2E',
   source: 'CLAIMABLE_POSITIONS' as const,
   distributionToken: 'mint-abc',
   swapConfig: { slippageBps: 50, maxPriceImpactBps: 300 },
@@ -475,14 +475,14 @@ describe('E2E: Full pipeline integration (7 phases)', () => {
       url: '/api/strategies',
       headers: AUTH_HEADER,
       payload: {
-        ownerWallet: 'e2e-wallet',
+        ownerWallet: '5xKpPqREhiP1B6d3wTgs8MTwbLj5GhXFsJAiGbrZkE2E',
         distributionToken: 'mint-abc',
       },
     });
 
     expect(res.statusCode).toBe(200);
     const body = res.json();
-    expect(body.ownerWallet).toBe('e2e-wallet');
+    expect(body.ownerWallet).toBe('5xKpPqREhiP1B6d3wTgs8MTwbLj5GhXFsJAiGbrZkE2E');
     expect(body.strategyId).toBe(STRATEGY_ID);
   });
 
@@ -566,7 +566,7 @@ describe('E2E: Full pipeline integration (7 phases)', () => {
 
   it('verify mocks were called with correct data flow', () => {
     // BagsClient called to get claimable positions
-    expect(mockBagsClient.getClaimablePositions).toHaveBeenCalledWith('e2e-wallet');
+    expect(mockBagsClient.getClaimablePositions).toHaveBeenCalledWith('5xKpPqREhiP1B6d3wTgs8MTwbLj5GhXFsJAiGbrZkE2E');
 
     // In dry-run mode, claim phase returns early before fetching claim transactions.
     // Only verify positions were queried.

backend/tests/server.test.ts

@@ -276,7 +276,8 @@ describe('GET /health/ready', () => {
     expect(body.status).toBe('ok');
     expect(body).toHaveProperty('timestamp');
     expect(body).toHaveProperty('uptime');
-    expect(body.dependencies).toEqual({ openrouter: true, database: true });
+    expect(body.dependencies.openrouter).toBe(true);
+    expect(body.dependencies.database).toBe(true);
     expect(body).toHaveProperty('responseTimeMs');
 
     await app.close();
@@ -580,7 +581,7 @@ describe('Request logging', () => {
 // ─── CORS configuration tests ───────────────────────────────────
 
 describe('CORS configuration', () => {
-  it('allows all origins by default (corsOrigins not set)', async () => {
+  it('denies all origins by default (corsOrigins not set)', async () => {
     const deps = createDeps();
     const app = await buildApp(deps);
 
@@ -593,11 +594,8 @@ describe('CORS configuration', () => {
       },
     });
 
-    // With origin: true, the Vary header should be set to Origin
-    // and the response should indicate CORS is allowed
-    expect(response.headers['vary']?.toLowerCase()).toContain('origin');
-    // origin: true echoes the requesting origin back
-    expect(response.headers['access-control-allow-origin']).toBe('https://evil-site.com');
+    // With origin: false (deny-all default), no CORS header echoed
+    expect(response.headers['access-control-allow-origin']).toBeUndefined();
 
     await app.close();
   });
@@ -641,7 +639,7 @@ describe('CORS configuration', () => {
     await app.close();
   });
 
-  it('handles empty corsOrigins string as allow-all', async () => {
+  it('handles empty corsOrigins string as deny-all', async () => {
     const deps = createDeps();
     deps.corsOrigins = '';
     const app = await buildApp(deps);
@@ -655,8 +653,8 @@ describe('CORS configuration', () => {
       },
     });
 
-    // Empty string should still allow all origins (dev default)
-    expect(response.headers['access-control-allow-origin']).toBe('https://any-origin.com');
+    // Empty string = deny-all (production safe default)
+    expect(response.headers['access-control-allow-origin']).toBeUndefined();
 
     await app.close();
   });
@@ -748,7 +746,7 @@ describe('Error detail leakage prevention', () => {
     const mockKey = {
       keyId: 'or-key-123',
       strategyId: 'test-strategy',
-      holderWallet: 'WalletA',
+      holderWallet: '7xKpPqREhiP1B6d3wTgs8MTwbLj5GhXFsJAiGbrZkQbL',
       openrouterKeyHash: 'abc123',
       spendingLimitUsd: 10,
       currentUsageUsd: 0,