Updating Stable with Main

.env.example

@@ -90,7 +90,11 @@ NEXT_PUBLIC_NOTICE_BANNER_TEXT=
 BREVO_API_KEY=
 # List ID from: Brevo Dashboard → Contacts → Lists (numeric ID)
 BREVO_LIST_ID=
-
+BREVO_LIST_ID=
+# Brevo Conversations (Chat Widget)
+# Get from: Brevo Dashboard → Conversations → Settings
+NEXT_PUBLIC_BREVO_CONVERSATIONS_ID=
+NEXT_PUBLIC_BREVO_CONVERSATIONS_GROUP_ID=
 # =============================================================================
 # Campaign Management (BlockFest)
 # =============================================================================

__tests__/SECURITY_REPORT.md

@@ -0,0 +1,261 @@
+# **SECURITY ANALYSIS REPORT: NOBLOCKS **
+
+**Date:** December 4, 2025  
+**Version:** 1.0.0  
+**Branch:** main 
+
+## **Executive Summary**
+
+The noblocks application is a Next.js-based cryptocurrency-to-fiat payment platform with significant security implications due to its handling of financial transactions, private keys, and sensitive user data. **The current testing infrastructure has critical gaps that expose the application to substantial security risks.**
+
+---
+
+## ** CRITICAL SECURITY FINDINGS**
+
+### **1. TESTING INFRASTRUCTURE - HIGH RISK**
+
+#### **Current State:**
+- **❌ NO unit tests** for the noblocks frontend application
+- **❌ NO integration tests** for API endpoints
+- **❌ NO security-focused tests** for authentication/authorization
+- **❌ NO input validation testing** for wallet addresses and transactions
+- **❌ NO cryptographic function tests** for encryption/decryption
+- **❌ NO rate limiting tests** for API abuse prevention
+
+#### **Risk Impact:**
+- **CRITICAL**: Security vulnerabilities undetected in production
+- **HIGH**: Authentication/authorization bypasses possible
+- **HIGH**: Financial transaction manipulation risks
+- **MEDIUM**: API abuse and DoS attack vulnerabilities
+
+---
+
+## ** SECURITY-CRITICAL AREAS REQUIRING IMMEDIATE TESTING**
+
+### **A. Authentication & Authorization Security**
+
+**Components Requiring Testing:**
+
+1. **JWT Verification (`/app/lib/jwt.ts`)**
+   ```typescript
+   // CRITICAL: No tests for JWT verification logic
+   export async function verifyJWT(token: string, config: JWTProviderConfig)
+   ```
+
+2. **Middleware Authentication (`/middleware.ts`)**
+   ```typescript
+   // CRITICAL: No tests for auth middleware bypass attempts
+   async function authorizationMiddleware(req: NextRequest)
+   ```
+
+3. **Wallet Address Validation (`/app/lib/validation.ts`)**
+   ```typescript
+   // HIGH RISK: No tests for address validation bypass
+   export function isValidEvmAddress(address: string): boolean
+   ```
+
+### **B. Financial Transaction Security**
+
+**Components Requiring Testing:**
+
+1. **Transaction API (`/app/api/v1/transactions/route.ts`)**
+   ```typescript
+   // CRITICAL: No tests for wallet address mismatch attacks
+   if (normalizedBodyWalletAddress !== walletAddress) {
+     return NextResponse.json({ success: false, error: "Unauthorized" }, { status: 403 });
+   }
+   ```
+
+2. **Transfer Hooks (`/app/hooks/useSmartWalletTransfer.ts`)**
+   ```typescript
+   // HIGH RISK: No tests for token validation and transfer logic
+   const transfer = useCallback(async ({ amount, token, recipientAddress })
+   ```
+
+3. **Rate Limiting (`/app/lib/rate-limit.ts`)**
+   ```typescript
+   // MEDIUM RISK: No tests for rate limit bypass techniques
+   const rateLimiter = new RateLimiterMemory({ points: 100, duration: 60 })
+   ```
+
+### **C. Cryptographic Security**
+
+**Components Requiring Testing:**
+
+1. **Encryption Utilities (`/app/utils.ts`)**
+   ```typescript
+   // HIGH RISK: No tests for encryption implementation
+   export function publicKeyEncrypt(data: unknown, publicKeyPEM: string): string
+   ```
+
+2. **KYC Signature Verification (`/app/components/KycModal.tsx`)**
+   ```typescript
+   // CRITICAL: No tests for signature verification bypass
+   const message = `I accept the KYC Policy...with nonce ${nonce}`;
+   ```
+
+---
+
+## ** PRIORITY SECURITY VULNERABILITIES**
+
+### **1. Authentication Bypass Risks**
+
+**Severity: CRITICAL**
+
+- **JWT Token Manipulation**: No validation tests for malformed, expired, or tampered tokens
+- **Middleware Bypass**: No tests for header manipulation or auth bypass attempts
+- **Wallet Address Spoofing**: No validation for wallet ownership verification
+
+### **2. Financial Transaction Vulnerabilities**
+
+**Severity: HIGH**
+
+- **Amount Manipulation**: No tests for negative amounts, precision attacks, or overflow conditions
+- **Recipient Address Injection**: No tests for malicious address formats or injection attempts
+- **Transaction Replay**: No tests for nonce validation or replay attack prevention
+
+### **3. Input Validation Gaps**
+
+**Severity: HIGH**
+
+- **XSS Prevention**: No tests for script injection in transaction forms
+- **SQL Injection**: No tests for database query parameter sanitization
+- **Address Format Validation**: No comprehensive tests for EVM address validation
+
+### **4. Rate Limiting & DoS Protection**
+
+**Severity: MEDIUM**
+
+- **Rate Limit Bypass**: No tests for IP spoofing or distributed request attacks
+- **Resource Exhaustion**: No tests for memory or CPU intensive operations
+- **API Abuse**: No tests for bulk request handling
+
+---
+
+## ** RECOMMENDED TESTING STRATEGY**
+
+### **Phase 1: Critical Security Tests (IMMEDIATE - Week 1-2)**
+
+#### **1.1 Authentication Security Tests**
+
+```typescript
+// Example test structure needed
+describe('JWT Security', () => {
+  test('should reject malformed JWT tokens', () => {});
+  test('should reject expired JWT tokens', () => {});
+  test('should reject tokens with invalid signatures', () => {});
+  test('should reject tokens with missing required claims', () => {});
+});
+
+describe('Middleware Security', () => {
+  test('should block requests without Authorization header', () => {});
+  test('should validate wallet address matches JWT claims', () => {});
+  test('should prevent wallet address mismatch attacks', () => {});
+});
+```
+
+#### **1.2 Input Validation Security Tests**
+
+```typescript
+describe('Wallet Address Validation', () => {
+  test('should reject invalid address formats', () => {});
+  test('should reject addresses with wrong checksums', () => {});
+  test('should prevent injection attacks via addresses', () => {});
+});
+
+describe('Transaction Input Validation', () => {
+  test('should validate amount precision and limits', () => {});
+  test('should sanitize recipient address inputs', () => {});
+  test('should prevent negative amount transactions', () => {});
+});
+```
+
+#### **1.3 Rate Limiting & Abuse Prevention Tests**
+
+```typescript
+describe('Rate Limiting Security', () => {
+  test('should enforce rate limits per IP', () => {});
+  test('should prevent rate limit bypass via header manipulation', () => {});
+  test('should handle burst requests correctly', () => {});
+});
+```
+
+### **Phase 2: Integration Security Tests (Week 3-4)**
+
+#### **2.1 API Endpoint Security Tests**
+
+```typescript
+describe('Transaction API Security', () => {
+  test('should prevent unauthorized transaction creation', () => {});
+  test('should validate wallet ownership before operations', () => {});
+  test('should prevent SQL injection in query parameters', () => {});
+  test('should sanitize and validate all input fields', () => {});
+});
+
+describe('KYC Flow Security', () => {
+  test('should validate signature authenticity', () => {});
+  test('should prevent replay attacks with nonces', () => {});
+  test('should enforce proper wallet ownership', () => {});
+});
+```
+
+#### **2.2 Database Security Tests**
+
+```typescript
+describe('Supabase RLS Security', () => {
+  test('should enforce row-level security policies', () => {});
+  test('should prevent cross-wallet data access', () => {});
+  test('should validate service role key usage', () => {});
+});
+```
+
+### **Phase 3: End-to-End Security Tests (Week 5-6)**
+
+#### **3.1 UI Security Tests (Using Cypress)**
+
+```typescript
+describe('Frontend Security', () => {
+  test('should prevent XSS attacks in transaction forms', () => {});
+  test('should validate wallet connection state', () => {});
+  test('should prevent CSRF attacks on sensitive operations', () => {});
+});
+```
+
+#### **3.2 Network Layer Security Tests**
+
+```typescript
+describe('Network Security', () => {
+  test('should enforce HTTPS for all sensitive operations', () => {});
+  test('should validate RPC endpoint responses', () => {});
+  test('should handle network switching securely', () => {});
+});
+```
+
+---
+
+## ** RISK ASSESSMENT MATRIX**
+
+| Component | Vulnerability Risk | Test Coverage | Priority |
+|-----------|-------------------|---------------|----------|
+| JWT Verification | **CRITICAL** | 0% | **P0** |
+| Transaction API | **CRITICAL** | 0% | **P0** |
+| Wallet Validation | **HIGH** | 0% | **P1** |
+| Rate Limiting | **MEDIUM** | 0% | **P1** |
+| Encryption Utils | **HIGH** | 0% | **P1** |
+| KYC Flow | **HIGH** | 0% | **P2** |
+| UI Forms | **MEDIUM** | 0% | **P2** |
+| Database Access | **HIGH** | 0% | **P2** |
+
+---
+
+## ** CONCLUSION**
+
+The noblocks application currently operates without adequate security testing coverage, creating significant risks in a financial application handling cryptocurrency transactions. Implementing the recommended security testing framework is **critical** for protecting user funds and maintaining platform integrity.
+
+**Immediate action is required** to establish security testing infrastructure and validate the security posture of authentication, transaction processing, and data validation components.
+
+---
+
+**Report Generated:** December 4, 2025  
+**Next Review:** Weekly until critical tests are implemented  
+**Contact:** Security Team - implement tests following this report priorities

app/components/AppLayout.tsx

@@ -28,20 +28,25 @@ export default function AppLayout({ children }: { children: React.ReactNode }) {
 
         <PWAInstall />
       </div>
-
       {/* Brevo Chat Widget */}
-      {/^[a-f0-9]{24}$/i.test(config.brevoConversationsId) && (
+      {/^[a-f0-9]{24}$/i.test(config.brevoConversationsId) && config.brevoConversationsGroupId && (
         <>
-          {" "}
           <Script id="brevo-chat-config" strategy="afterInteractive">
-            {" "}
-            {`window.BrevoConversationsID=${JSON.stringify(config.brevoConversationsId)};window.BrevoConversations=window.BrevoConversations||function(){(window.BrevoConversations.q=window.BrevoConversations.q||[]).push(arguments)};`}{" "}
-          </Script>{" "}
+            {`window.BrevoConversationsID=${JSON.stringify(config.brevoConversationsId)};
+            window.BrevoConversations=window.BrevoConversations||function(){
+            (window.BrevoConversations.q=window.BrevoConversations.q||[]).push(arguments)};
+            window.BrevoConversationsSetup=${
+              config.brevoConversationsGroupId 
+                ? `{groupId:${JSON.stringify(config.brevoConversationsGroupId)}}` 
+                : '{}'
+            };
+            `}
+          </Script>
           <Script
             id="brevo-chat-widget"
             src="https://conversations-widget.brevo.com/brevo-conversations.js"
             strategy="afterInteractive"
-          />{" "}
+          />
         </>
       )}
     </Providers>

app/components/CopyAddressWarningModal.tsx

@@ -40,11 +40,11 @@ export const CopyAddressWarningModal: React.FC<
   const [dontShowAgain, setDontShowAgain] = useState(false);
 
   // Filter networks based on wallet type (same logic as NetworksDropdown):
-  // - If isInjectedWallet is true: show all networks (including Celo and Hedera Mainnet)
-  // - If isInjectedWallet is false: filter out Celo and Hedera Mainnet (smart wallet only)
+  // - If isInjectedWallet is true: show all networks (including Celo)
+  // - If isInjectedWallet is false: filter out Celo  (smart wallet only)
   const supportedNetworks = networks.filter((network) => {
     if (useInjectedWallet) return true;
-    return network.chain.name !== "Celo" && network.chain.name !== "Hedera Mainnet";
+    return network.chain.name !== "Celo";
   });
 
   // Check localStorage on mount to see if user has opted out

app/components/Footer.tsx

@@ -203,8 +203,8 @@ export const Footer = () => {
         </div>
         <motion.img
           key={rocketStatus}
-          src="/images/footer-rocket-illustration.svg"
-          alt="Footer Rocket Image"
+          src="/images/footer-santa-illustration.svg"
+          alt="Footer Santa Image"
           height={100}
           width={100}
           initial="pending"

app/components/FundWalletForm.tsx

@@ -69,11 +69,11 @@ export const FundWalletForm: React.FC<{
   }));
 
   // Networks for network selection
-  // Filter out Celo and Hedera Mainnet for non-injected wallets (smart wallets)
+  // Filter out Celo for non-injected wallets (smart wallets)
   const availableNetworks = networks
     .filter((network) => {
       if (useInjectedWallet) return true;
-      return network.chain.name !== "Celo" && network.chain.name !== "Hedera Mainnet";
+      return network.chain.name !== "Celo";
     })
     .map((network) => ({
       name: network.chain.name,