I reviewed the code packaged in agent-wallet-service.tar.gz and identified a few high-impact issues to fix first.
- In `src/routes/wallet.js`, `getWalletByAddress(...)` is used but not imported from `src/services/viem-wallet.js` in one version of the route file.
  - Impact: `GET /wallet/:address` can throw at runtime (`ReferenceError`) and return 500 instead of the expected 404/200 behavior.
  - Fix: import `getWalletByAddress` explicitly from the wallet service.
- `tests/test-wallet.js` calls write endpoints (`/wallet/create`, identity creation) without an API key, while the current middleware requires `X-API-Key` for protected routes.
  - Impact: the test script fails in normal environments and gives false signals.
  - Fix:
    - Add support for a `TEST_API_KEY` env variable (or load the key from `api-keys.json` for local smoke tests).
    - Send `X-API-Key` on protected requests.
- The test script calls `/identity/register`, but the routes expose `/identity/create`.
  - Impact: guaranteed 404 in tests.
  - Fix: change the test endpoint to `/identity/create` and match the request body fields (`walletAddress`, `agentName`, etc.).
- The root endpoint and the health endpoint report different versions in some snapshots (`0.3.0` vs `0.4.0`).
  - Impact: operational confusion and a noisy monitoring/docs mismatch.
  - Fix: centralize the version in `package.json` and reference it from both handlers.
- The middleware accepts the API key via query string (`?apiKey=`) as well as via header.
  - Impact: key leakage through access logs, browser history, proxy logs and `Referer` headers; query strings are routinely logged where request headers are not.
  - Fix: accept the header only (`X-API-Key`) in production; keep the query param only behind an explicit dev flag. Any key that has already been sent in a URL should be treated as exposed and rotated.
- `createClientWithFallback` retries RPC endpoints but only validates public clients with `getBlockNumber()`.
  - Impact: wallet-client failures can still surface later, at send time.
  - Fix: optionally probe wallet paths too (or validate the selected RPC once per chain and cache its health state).
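A sketch of that fallback with both probes and a per-chain health cache, as an added example and not the service's `createClientWithFallback`: each candidate URL must pass a read-path probe and a wallet-path probe before it is selected, the choice is cached per chain for a TTL, and a hung endpoint is timed out rather than allowed to block fallback. The probe functions are injected and assumed; in the real service they would wrap viem calls (`getBlockNumber()` for the public client and, for the wallet client, a call the send path actually depends on, such as `estimateGas` or `getTransactionCount`).

```javascript
// Added example; not the service's own RPC selection code.
// Assumptions: probePublic(url) and probeWallet(url) are async functions that
// reject when the endpoint is unhealthy for that path; the cache is process-local.
const healthCache = new Map(); // chainId -> { url, checkedAt }

// Cached URL if the entry is younger than ttlMs, otherwise null.
function cachedRpc(chainId, ttlMs, now = Date.now) {
  const entry = healthCache.get(chainId);
  if (!entry || now() - entry.checkedAt >= ttlMs) return null;
  return entry.url;
}

function recordHealthy(chainId, url, now = Date.now) {
  healthCache.set(chainId, { url, checkedAt: now() });
}

// Drop the cached choice, e.g. after a send fails with a transport error, so the
// next call re-probes instead of reusing a known-bad endpoint until the TTL expires.
function invalidateRpc(chainId) {
  healthCache.delete(chainId);
}

// A probe that hangs must fail, not stall the whole fallback loop.
function withTimeout(promise, ms, label) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error(`${label} timed out after ${ms}ms`)), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// Returns { url, fromCache, failures }; throws when no candidate passes both probes.
async function selectHealthyRpc({
  chainId, urls, probePublic, probeWallet, ttlMs = 60_000, timeoutMs = 5_000, now = Date.now,
}) {
  const cached = cachedRpc(chainId, ttlMs, now);
  if (cached) return { url: cached, fromCache: true, failures: [] };

  const failures = [];
  for (const url of urls) {
    try {
      await withTimeout(probePublic(url), timeoutMs, `public probe ${url}`);
      // The wallet-side probe is what catches endpoints that answer reads but
      // reject the methods a send needs; without it the failure appears at send time.
      await withTimeout(probeWallet(url), timeoutMs, `wallet probe ${url}`);
      recordHealthy(chainId, url, now);
      return { url, fromCache: false, failures };
    } catch (err) {
      failures.push(`${url}: ${err.message}`);
    }
  }
  throw new Error(`no healthy RPC for chain ${chainId}: ${failures.join('; ')}`);
}
```

The `failures` list is returned on success as well, so a monitoring hook can see that the primary endpoint was skipped even when a fallback worked; silent fallback is how an outage on the primary goes unnoticed.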
- Runtime correctness: missing import + endpoint mismatch.
- Test reliability: auth-aware smoke test updates.
- Security: deprecate query-param API keys.
- DX/ops polish: version unification and RPC health improvements.