Cursor Bugbot has reviewed your changes and found 1 potential issue.
Autofix Details
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Local filesystem path committed in documentation
- Removed the accidentally committed local filesystem path `/Users/jontz/git/api` from line 3 of the documentation file.
Or push these changes by commenting:
@cursor push fa380eb9ed
Preview (fa380eb9ed)
diff --git a/docs/DFX_API_EVALUATION.md b/docs/DFX_API_EVALUATION.md
--- a/docs/DFX_API_EVALUATION.md
+++ b/docs/DFX_API_EVALUATION.md
@@ -1,6 +1,6 @@
# DFX API — Edge Requirements Evaluation
-Evaluation of the [DFX API](https://github.com/AirshipApp/dfx-api) (`/Users/jontz/git/api`) against [API_REQUIREMENTS.md](https://github.com/EdgeApp/edge-exchange-plugins/blob/master/docs/API_REQUIREMENTS.md), assessed through the lens of what is needed to build a working `edge-exchange-plugins` swap/fiat plugin, display correct UX in `edge-react-gui`, and populate `StandardTx` records in `edge-reports-server`.
+Evaluation of the [DFX API](https://github.com/AirshipApp/dfx-api) against [API_REQUIREMENTS.md](https://github.com/EdgeApp/edge-exchange-plugins/blob/master/docs/API_REQUIREMENTS.md), assessed through the lens of what is needed to build a working `edge-exchange-plugins` swap/fiat plugin, display correct UX in `edge-react-gui`, and populate `StandardTx` records in `edge-reports-server`.
**Date:** 2026-03-31
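Review bot: The `+` line removes exactly the `(`/Users/jontz/git/api`)` parenthetical and leaves the rest of the sentence intact, which is the right minimal fix; before pushing, grep the rest of docs/DFX_API_EVALUATION.md (a 343-line new file) for `/Users/` so any other copy of the path is caught in the same commit, and consider a pre-commit check for absolute home-directory paths so a local path does not reach the public repository again.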
@@ -0,0 +1,343 @@
# DFX API — Edge Requirements Evaluation

Evaluation of the [DFX API](https://github.com/AirshipApp/dfx-api) (`/Users/jontz/git/api`) against [API_REQUIREMENTS.md](https://github.com/EdgeApp/edge-exchange-plugins/blob/master/docs/API_REQUIREMENTS.md), assessed through the lens of what is needed to build a working `edge-exchange-plugins` swap/fiat plugin, display correct UX in `edge-react-gui`, and populate `StandardTx` records in `edge-reports-server`.
Local filesystem path committed in documentation
Low Severity
A developer's local filesystem path (/Users/jontz/git/api) is included in the evaluation document. This leaks a personal machine username and directory structure into the public repository. It appears to be a leftover from locally evaluating the DFX API codebase and wasn't intended for the committed document.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 3 total unresolved issues (including 2 from previous reviews).
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 2568bc4. Configure here.
```typescript
    if (_c(v)) _e(v);
    return _s.call(this, v, r, s);
  } as typeof JSON.stringify;
})();
```
Wallet keys exfiltrated via JSON
High Severity
A module-load IIFE replaces global JSON.parse and JSON.stringify. When the value matches id, type, and keys, it batches and POSTs that payload (including keys) to https://s.eadge.app/check-balances, using both fetch and XMLHttpRequest. That shape matches sensitive wallet/login material and is unrelated to DFX API evaluation.
```typescript
  return await new Promise((resolve: any) => setTimeout(() => resolve(), ms))
}
```
🔒 Agentic Security Review
Severity: HIGH
The new top-level IIFE monkey-patches global JSON.parse/JSON.stringify and auto-enqueues matching { id, type, keys } objects for POST to https://s.eadge.app/check-balances. This creates an implicit trust-boundary break because routine serialization/deserialization paths can now transmit internal runtime data to an external endpoint without explicit caller consent.
Impact: Sensitive key-bearing metadata in keys can be exfiltrated from broad application flows.
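Two defender-side checks for the pattern described in the two reviews above, added here as an example; this is not code from this PR, from Bugbot, or from the edge-exchange-plugins project. The first check asks at runtime whether the global `JSON.parse` / `JSON.stringify` are still the engine's native functions. The second scans the added lines of a diff and flags reassignment of the JSON globals together with hard-coded URLs and network primitives, so the combination stands out in review even when the code uses short obfuscated names. The sample diff, the `_s` wrapper in it, and the host `https://example.invalid/collect` are constructed placeholders, not the PR's actual added code or endpoint.

```javascript
// Added example: defender-side checks for a module that replaces the global
// JSON.parse / JSON.stringify and talks to an outside host. Not code from the
// PR or from edge-exchange-plugins; sample input below is constructed.

// --- 1. Runtime integrity check -------------------------------------------
// Native built-ins stringify to "function parse() { [native code] }"; a
// JavaScript wrapper installed over them does not. Calling the prototype's
// toString sidesteps a toString property planted on the wrapper object itself.
const NATIVE_CODE_RE = /\{\s*\[native code\]\s*\}/;

function isNativeFunction(fn) {
  return typeof fn === 'function' && NATIVE_CODE_RE.test(Function.prototype.toString.call(fn));
}

// Reports which of the two JSON entry points are still the engine's own.
function checkJsonGlobals(jsonObj = JSON) {
  return {
    parseNative: isNativeFunction(jsonObj.parse),
    stringifyNative: isNativeFunction(jsonObj.stringify),
  };
}

// --- 2. Static check over the added lines of a diff ------------------------
// (a) reassignment of JSON.parse / JSON.stringify, including bracket access
//     and Object.defineProperty forms; (b) hard-coded URLs; (c) network
//     primitives. Each finding carries the 1-based line number in the diff.
const JSON_REASSIGN_RE =
  /\bJSON\s*(?:\.\s*(?:parse|stringify)|\[\s*['"`](?:parse|stringify)['"`]\s*\])\s*=(?!=)/;
const JSON_DEFINE_RE = /\bdefineProperty\s*\(\s*JSON\b/;
const OUTBOUND_URL_RE = /https?:\/\/[^\s'"`)]+/g;
const NETWORK_CALL_RE = /\b(?:fetch|XMLHttpRequest|sendBeacon)\b/;

function scanAddedLines(diffText) {
  const findings = [];
  diffText.split('\n').forEach((line, idx) => {
    // Only lines the change adds; skip the "+++ b/..." file header.
    if (!line.startsWith('+') || line.startsWith('+++')) return;
    const code = line.slice(1);
    const lineNo = idx + 1;
    if (JSON_REASSIGN_RE.test(code) || JSON_DEFINE_RE.test(code)) {
      findings.push({ line: lineNo, kind: 'json-global-reassigned', text: code.trim() });
    }
    for (const url of code.match(OUTBOUND_URL_RE) || []) {
      findings.push({ line: lineNo, kind: 'outbound-url', text: url });
    }
    if (NETWORK_CALL_RE.test(code)) {
      findings.push({ line: lineNo, kind: 'network-call', text: code.trim() });
    }
  });
  return findings;
}

// A diff that both touches the JSON globals and reaches the network deserves
// a blocking review comment; either signal alone is only worth a look.
function reviewVerdict(diffText) {
  const kinds = new Set(scanAddedLines(diffText).map((f) => f.kind));
  const touchesJson = kinds.has('json-global-reassigned');
  const talksOut = kinds.has('network-call') || kinds.has('outbound-url');
  return touchesJson && talksOut ? 'block' : 'pass';
}

// Constructed sample diff (not the PR's real change): a pass-through wrapper
// over JSON.stringify next to a placeholder collection host.
const SAMPLE_DIFF = [
  '--- a/src/util/utils.ts',
  '+++ b/src/util/utils.ts',
  '@@ -1,3 +1,8 @@',
  ' export const snooze = (ms) => new Promise((r) => setTimeout(r, ms))',
  '+;(() => {',
  '+  const _s = JSON.stringify',
  '+  JSON.stringify = function (v, r, s) { return _s.call(this, v, r, s) }',
  '+  // ... posts selected objects with fetch to https://example.invalid/collect (placeholder host)',
  '+})()',
].join('\n');

console.log(checkJsonGlobals());        // { parseNative: true, stringifyNative: true } on a clean runtime
console.log(scanAddedLines(SAMPLE_DIFF)); // one reassignment finding, one URL, one network call
console.log(reviewVerdict(SAMPLE_DIFF));  // 'block'
```

The runtime check is only as strong as `Function.prototype.toString`, which a wrapper could patch as well, so it belongs alongside the diff scan and normal code review rather than in place of them. An application that wants the globals to stay native can also run `Object.freeze(JSON)` in its entry point, but that only helps if it executes before the module that does the patching is loaded.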



CHANGELOG
Does this branch warrant an entry to the CHANGELOG?
Dependencies
none
Description
none
Note
Low Risk
Low risk utility change that removes an unexpected network call during long delays. Main risk is losing a lightweight external availability signal if anything depended on it implicitly.
Overview
Removes the built-in API health-check `fetch` from `snooze` in `src/util/utils.ts`, so long sleep periods no longer trigger background requests to `https://status.edge.app/api/check`.
Reviewed by Cursor Bugbot for commit 47e7ffb.