- Add GET /api/wallet/scan endpoint that shells out to detect.py
- Add CORS config and detect.py script path to application.properties
- walletService.js now calls the real scan endpoint instead of mock
- Replace UtxoCard-based ReportScreen with FindingCard-based layout
- FindingCard: collapsible card with data-driven details panel (address groups, string lists, key-value scalars)
- VulnerabilityBadge: all 14 finding types labeled, severity lowercased, critical style added
- ReportScreen: summary bar shows findings/warnings/txs analyzed; clean banner; separate warnings section
Replace flat string findings with typed objects following a unified
{ type, severity, description, details } envelope across all 12
detectors. Full TXIDs and addresses, no truncation.
When a descriptor is passed directly, strip its checksum, derive the
missing external/internal counterpart, and normalize both through
getdescriptorinfo before importing — matching the full address set
that --wallet produces.
- Replace frontend mock with real fetch calls to POST /api/wallet/analyze and GET /api/wallet/{id}/utxos
- Add Vite dev proxy for /api to avoid CORS in development
- Implement WalletResource.java with the two endpoints
- Add WalletMockData.java with the 5-UTXO dataset
- Configure CORS and port in application.properties
- Add backend/requests/wallet.http with kulala tests (29 assertions, all passing)
Three-screen state machine (input → loading → report) for analyzing
Bitcoin wallet descriptor privacy. Includes mock UTXO data with
ADDRESS_REUSE, DUST_SPEND, CONSOLIDATION, and CIOH vulnerability types.
Add full README covering purpose, the four privacy vulnerabilities
detected (address reuse, dust spend, UTXO consolidation, CIOH),
usage instructions, project structure, and a privacy notice.
