@wopr-network/platform-ui-core 1.1.8 → 1.1.10

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wopr-network/platform-ui-core",
-  "version": "1.1.8",
+  "version": "1.1.10",
   "description": "Brand-agnostic AI agent platform UI — deploy as any brand via env vars",
   "repository": {
     "type": "git",

package/src/__tests__/buy-crypto-credits-panel.test.tsx

@@ -103,7 +103,7 @@ describe("BuyCryptoCreditPanel", () => {
     });
 
     mockCreateCryptoCheckout.mockResolvedValue({
-      url: "https://payram.io/checkout/abc123",
+      url: "https://btcpay.example.com/i/abc123",
       referenceId: "ref-abc123",
     });
     mockIsAllowedRedirectUrl.mockReturnValue(true);
@@ -116,8 +116,8 @@ describe("BuyCryptoCreditPanel", () => {
     await user.click(screen.getByRole("button", { name: "Pay with crypto" }));
 
     expect(mockCreateCryptoCheckout).toHaveBeenCalledWith(50);
-    expect(mockIsAllowedRedirectUrl).toHaveBeenCalledWith("https://payram.io/checkout/abc123");
-    expect(hrefSetter).toHaveBeenCalledWith("https://payram.io/checkout/abc123");
+    expect(mockIsAllowedRedirectUrl).toHaveBeenCalledWith("https://btcpay.example.com/i/abc123");
+    expect(hrefSetter).toHaveBeenCalledWith("https://btcpay.example.com/i/abc123");
   });
 
   it("shows error when redirect URL is not allowed", async () => {
@@ -139,7 +139,7 @@ describe("BuyCryptoCreditPanel", () => {
     ).toBeInTheDocument();
   });
 
-  it("shows Opening PayRam... while checkout is in progress", async () => {
+  it("shows Opening checkout... while checkout is in progress", async () => {
     mockCreateCryptoCheckout.mockReturnValue(
       new Promise(() => {
         /* intentionally pending */
@@ -153,7 +153,7 @@ describe("BuyCryptoCreditPanel", () => {
     await user.click(screen.getByText("$100"));
     await user.click(screen.getByRole("button", { name: "Pay with crypto" }));
 
-    expect(await screen.findByText("Opening PayRam...")).toBeInTheDocument();
+    expect(await screen.findByText("Opening checkout...")).toBeInTheDocument();
   });
 
   it("shows error when crypto checkout API call fails", async () => {

package/src/__tests__/dividend-calculator.test.tsx

@@ -17,4 +17,19 @@ describe("DividendCalculator", () => {
 
     expect(screen.getByText(/the earlier you join/i)).toBeInTheDocument();
   });
+
+  it("renders without crash when no API context is available (unauthenticated)", async () => {
+    // DividendCalculator is a static component with no API dependencies.
+    // This test verifies it renders completely in an environment where
+    // fetch is stubbed to reject (simulating unauthenticated pricing page).
+    // If a future refactor adds data fetching, this test catches regressions.
+    const { DividendCalculator } = await import("@/components/pricing/dividend-calculator");
+    const { container } = render(<DividendCalculator />);
+
+    // Component should render two Card sections
+    expect(screen.getByTestId("net-cost")).toBeInTheDocument();
+    expect(screen.getByText(/early adopter advantage/i)).toBeInTheDocument();
+    // No error text or crash indicators
+    expect(container.querySelector(".text-red-500")).toBeNull();
+  });
 });

package/src/__tests__/dividend-stats.test.tsx

@@ -1,4 +1,4 @@
-import { render, screen } from "@testing-library/react";
+import { render, screen, waitFor } from "@testing-library/react";
 import { beforeEach, describe, expect, it, vi } from "vitest";
 
 // Stub fetch globally before any module imports
@@ -13,9 +13,10 @@ vi.mock("@/lib/api-config", () => ({
 describe("DividendStats", () => {
   beforeEach(() => {
     mockFetch.mockReset();
+    vi.resetModules();
   });
 
-  it("renders fallback values when API returns null", async () => {
+  it("renders fallback dashes when API returns non-ok response (no error message shown)", async () => {
     mockFetch.mockResolvedValue({
       ok: false,
       status: 500,
@@ -26,9 +27,14 @@ describe("DividendStats", () => {
     const { DividendStats } = await import("@/components/pricing/dividend-stats");
     render(<DividendStats />);
 
-    expect(screen.getByTestId("pool-amount")).toBeInTheDocument();
-    expect(screen.getByTestId("active-users")).toBeInTheDocument();
-    expect(screen.getByTestId("projected-dividend")).toBeInTheDocument();
+    // Wait for fetch to complete (loaded=true), then verify fallback dashes
+    await waitFor(() => {
+      expect(screen.getByTestId("pool-amount")).toHaveTextContent("--");
+    });
+    expect(screen.getByTestId("active-users")).toHaveTextContent("--");
+    expect(screen.getByTestId("projected-dividend")).toHaveTextContent("--");
+    // fetchDividendStats returns null (no throw) → .catch() never runs → no red error paragraph
+    expect(screen.queryByText(/failed to load/i)).not.toBeInTheDocument();
   });
 
   it("renders live data when API succeeds", async () => {
@@ -45,9 +51,12 @@ describe("DividendStats", () => {
     const { DividendStats } = await import("@/components/pricing/dividend-stats");
     render(<DividendStats />);
 
-    expect(screen.getByTestId("pool-amount")).toBeInTheDocument();
-    expect(screen.getByTestId("active-users")).toBeInTheDocument();
-    expect(screen.getByTestId("projected-dividend")).toBeInTheDocument();
+    // useCountUp with prefers-reduced-motion: true sets value immediately
+    await waitFor(() => {
+      expect(screen.getByTestId("pool-amount")).toHaveTextContent("$2500.00");
+    });
+    expect(screen.getByTestId("active-users")).toHaveTextContent("8,000");
+    expect(screen.getByTestId("projected-dividend")).toHaveTextContent("~$0.31");
   });
 
   it("renders fallback dashes when fetch rejects (network error)", async () => {
@@ -56,9 +65,42 @@ describe("DividendStats", () => {
     const { DividendStats } = await import("@/components/pricing/dividend-stats");
     render(<DividendStats />);
 
-    // fetchDividendStats catches network errors and returns null — component shows "--"
-    expect(screen.getByTestId("pool-amount")).toBeInTheDocument();
-    expect(screen.getByTestId("active-users")).toBeInTheDocument();
-    expect(screen.getByTestId("projected-dividend")).toBeInTheDocument();
+    // Wait for fetch to complete, then verify fallback dashes
+    await waitFor(() => {
+      expect(mockFetch).toHaveBeenCalled();
+    });
+    // fetchDividendStats catches network errors and returns null → component shows "--"
+    await waitFor(() => {
+      expect(screen.getByTestId("pool-amount")).toHaveTextContent("--");
+    });
+    expect(screen.getByTestId("active-users")).toHaveTextContent("--");
+    expect(screen.getByTestId("projected-dividend")).toHaveTextContent("--");
+  });
+
+  it("renders error message when fetchDividendStats throws", async () => {
+    // To hit the component's .catch() branch, mock the API module directly
+    // so fetchDividendStats rejects instead of catching internally
+    vi.doMock("@/lib/api", async (importOriginal) => {
+      const orig = await importOriginal<typeof import("@/lib/api")>();
+      return {
+        ...orig,
+        fetchDividendStats: vi.fn().mockRejectedValue(new Error("Unexpected failure")),
+      };
+    });
+
+    const { DividendStats } = await import("@/components/pricing/dividend-stats");
+    render(<DividendStats />);
+
+    await waitFor(() => {
+      expect(screen.getByText("Unexpected failure")).toBeInTheDocument();
+    });
+    // Error text should be red
+    expect(screen.getByText("Unexpected failure")).toHaveClass("text-red-500");
+    // Data fields should show "--" (never populated)
+    expect(screen.getByTestId("pool-amount")).toHaveTextContent("--");
+    expect(screen.getByTestId("active-users")).toHaveTextContent("--");
+    expect(screen.getByTestId("projected-dividend")).toHaveTextContent("--");
+
+    vi.unmock("@/lib/api"); // clean up factory registration so future tests are unaffected
   });
 });

package/src/__tests__/validate-redirect-url.test.ts

@@ -19,18 +19,9 @@ describe("isAllowedRedirectUrl", () => {
     expect(isAllowedRedirectUrl("https://billing.stripe.com/p/session/test_abc")).toBe(true);
   });
 
-  it("allows Coinbase Commerce URLs", () => {
-    expect(isAllowedRedirectUrl("https://commerce.coinbase.com/charges/ABC123")).toBe(true);
-  });
-
-  it("allows PayRam URLs", () => {
-    expect(isAllowedRedirectUrl("https://payram.io/checkout/abc")).toBe(true);
-    expect(isAllowedRedirectUrl("https://app.payram.io/pay/abc")).toBe(true);
-  });
-
-  it("allows same-origin URLs", () => {
-    // jsdom defaults to http://localhost
+  it("allows same-origin URLs (BTCPay checkout is same-origin in local dev)", () => {
     expect(isAllowedRedirectUrl("http://localhost/billing/success")).toBe(true);
+    expect(isAllowedRedirectUrl("http://localhost/i/invoice123")).toBe(true);
     expect(isAllowedRedirectUrl("/billing/success")).toBe(true);
   });
 
@@ -58,4 +49,8 @@ describe("isAllowedRedirectUrl", () => {
     expect(ALLOWED_REDIRECT_ORIGINS).toBeInstanceOf(Set);
     expect(ALLOWED_REDIRECT_ORIGINS.has("https://checkout.stripe.com")).toBe(true);
   });
+
+  it("does not include defunct payment providers", () => {
+    expect(ALLOWED_REDIRECT_ORIGINS.has("https://payram.io")).toBe(false);
+  });
 });

package/src/components/billing/buy-crypto-credits-panel.tsx

@@ -52,7 +52,7 @@ export function BuyCryptoCreditPanel() {
             Pay with Crypto
           </CardTitle>
           <p className="text-xs text-muted-foreground">
-            Pay with ETH, USDC, USDT, or other cryptocurrencies via PayRam. Minimum $10.
+            Pay with BTC or other cryptocurrencies. Minimum $10.
           </p>
         </CardHeader>
         <CardContent className="space-y-4">
@@ -87,7 +87,7 @@ export function BuyCryptoCreditPanel() {
             variant="outline"
             className="w-full sm:w-auto"
           >
-            {loading ? "Opening PayRam..." : "Pay with crypto"}
+            {loading ? "Opening checkout..." : "Pay with crypto"}
           </Button>
         </CardContent>
       </Card>

package/src/lib/validate-redirect-url.ts

@@ -1,12 +1,30 @@
-/** Origins that are allowed as redirect targets from backend checkout responses. */
-export const ALLOWED_REDIRECT_ORIGINS: ReadonlySet<string> = new Set([
+/** Origins that are always allowed as redirect targets from checkout responses. */
+const STATIC_ALLOWED_ORIGINS: readonly string[] = [
   "https://checkout.stripe.com",
   "https://billing.stripe.com",
-  "https://commerce.coinbase.com",
-  "https://pay.coinbase.com",
-  "https://payram.io",
-  "https://app.payram.io",
-]);
+];
+
+/**
+ * Build the full allowed origins set, including any configured BTCPay Server origin.
+ * BTCPay is self-hosted so its URL varies per deployment — read from env var.
+ */
+function getAllowedOrigins(): ReadonlySet<string> {
+  const origins = new Set(STATIC_ALLOWED_ORIGINS);
+
+  // BTCPay Server (self-hosted, URL varies per deployment)
+  const btcpayUrl = process.env.NEXT_PUBLIC_BTCPAY_URL?.trim();
+  if (btcpayUrl) {
+    try {
+      origins.add(new URL(btcpayUrl).origin);
+    } catch (_err) {
+      // Invalid URL — skip silently; BTCPay checkout will fall back to same-origin
+    }
+  }
+
+  return origins;
+}
+
+export const ALLOWED_REDIRECT_ORIGINS: ReadonlySet<string> = getAllowedOrigins();
 
 /**
  * Returns true if `url` is safe to navigate to.

package/src/proxy.ts

@@ -9,7 +9,11 @@ const apiOrigin = process.env.NEXT_PUBLIC_API_URL
   ? new URL(process.env.NEXT_PUBLIC_API_URL).origin
   : "";
 
-const isSecureOrigin = process.env.NODE_ENV === "production";
+/**
+ * Only add upgrade-insecure-requests when actually serving over HTTPS.
+ * Checking NODE_ENV breaks local dev in Docker (NODE_ENV=production but no TLS).
+ * Computed per-request in buildCsp() from the request URL protocol.
+ */
 
 /**
  * Nonce-based style-src toggle.
@@ -21,7 +25,8 @@ const isSecureOrigin = process.env.NODE_ENV === "production";
 const NONCE_STYLES_ENABLED = true;
 
 /** Build the CSP header value with a per-request nonce. */
-function buildCsp(nonce: string): string {
+function buildCsp(nonce: string, requestUrl?: string): string {
+  const isHttps = requestUrl ? requestUrl.startsWith("https://") : false;
   return [
     "default-src 'self'",
     `script-src 'self' 'nonce-${nonce}' 'strict-dynamic' https://js.stripe.com`,
@@ -36,7 +41,7 @@ function buildCsp(nonce: string): string {
     "base-uri 'self'",
     "form-action 'self'",
     "object-src 'none'",
-    ...(isSecureOrigin ? ["upgrade-insecure-requests"] : []),
+    ...(isHttps ? ["upgrade-insecure-requests"] : []),
   ].join("; ");
 }
 
@@ -160,7 +165,7 @@ export default async function middleware(request: NextRequest) {
 
   // Generate a per-request nonce for CSP
   const nonce = crypto.randomUUID();
-  const cspHeaderValue = buildCsp(nonce);
+  const cspHeaderValue = buildCsp(nonce, request.url);
 
   /** Apply CSP and cache-busting headers to any response before returning it. */
   function withCsp(response: NextResponse): NextResponse {