setup.sh starts bitcoind with -datadir=bitcoin-data, but bitcoin_rpc.py
was calling bitcoin-cli without it, so it looked in ~/.bitcoin for the
auth cookie and failed with "Incorrect rpcuser or rpcpassword".
Add datadir config to config.ini and resolve it in _build_base_args().

- Update loading screen messages to match actual backend processing steps
- Verified walletService.js, App.jsx, ReportScreen.jsx, FindingCard.jsx
have no dead code or legacy endpoint references
- Cache get_input_addresses() and get_output_addresses() results in TxGraph
to avoid redundant parsing across 12 detector functions
- TxGraph.fetch_tx() already cached raw RPC calls; now parsed results are
cached too, eliminating repeated iteration over vin/vout arrays
- JSON output structure remains identical (no breaking changes)
- Delete verify.py (test script, not in critical path)
- Delete test_vulnerabilities.py (test script, not in critical path)
- Delete create_random_transactions.py (data generation, not in critical path)
- Delete setup_signet.sh (signet workflow, not used in regtest)
- Delete mine_blocks.sh (utility script, not in critical path)
- Delete run_all.sh (orchestrator script, not needed)
- Delete openconf.sh (config viewer, not needed)
- Add a `correction` field to every `finding()` call in detect.py with
actionable remediation advice for all 12 vulnerability types
- Add `CorrectionPanel` component to FindingCard.jsx that renders the
correction text under the technical details when a card is expanded
- Add `.correction` CSS styles with accent-tinted background and a
"HOW TO FIX" label to visually distinguish remediation from details
- Add GET /api/wallet/scan endpoint that shells out to detect.py
- Add CORS config and detect.py script path to application.properties
- walletService.js now calls the real scan endpoint instead of mock
- Replace UtxoCard-based ReportScreen with FindingCard-based layout
- FindingCard: collapsible card with data-driven details panel (address groups, string lists, key-value scalars)
- VulnerabilityBadge: all 14 finding types labeled, severity lowercased, critical style added
- ReportScreen: summary bar shows findings/warnings/txs analyzed; clean banner; separate warnings section

Replace flat string findings with typed objects following a unified
{ type, severity, description, details } envelope across all 12
detectors. Full TXIDs and addresses, no truncation.

When a descriptor is passed directly, strip its checksum, derive the
missing external/internal counterpart, and normalize both through
getdescriptorinfo before importing — matching the full address set
that --wallet produces.

- Replace frontend mock with real fetch calls to POST /api/wallet/analyze and GET /api/wallet/{id}/utxos
- Add Vite dev proxy for /api to avoid CORS in development
- Implement WalletResource.java with the two endpoints
- Add WalletMockData.java with the 5-UTXO dataset
- Configure CORS and port in application.properties
- Add backend/requests/wallet.http with kulala tests (29 assertions, all passing)

Three-screen state machine (input → loading → report) for analyzing
Bitcoin wallet descriptor privacy. Includes mock UTXO data with
ADDRESS_REUSE, DUST_SPEND, CONSOLIDATION, and CIOH vulnerability types.

Add full README covering purpose, the four privacy vulnerabilities
detected (address reuse, dust spend, UTXO consolidation, CIOH),
usage instructions, project structure, and a privacy notice.