W3Wallet demos + extension upgrade & e2e verification — 7 of 8 PRs merged; one NAT check outstanding
Written: 2026-07-09T05:10Z · RE-VERIFY: everything below is a write-time snapshot. Authoritative re-checks: gh pr view 30 --repo CodexCoder21Organization/W3WalletTests --json state,mergeStateStatus,statusCheckRollup for the one open PR; the NAT run in flight at write time is job 86042115230; host state via ssh -n -p 23 root@198.199.106.165 'cut -d" " -f1-3 /proc/loadavg; tail -3 /root/cn-watchdog.audit'.
Mission summary
Starting from an audit of the W3Wallet workstream ("is it fully implemented?"), the user directed: ensure the demos are upgraded to use the newly-shipped W3Wallet features, and the browser extension is upgraded with features verified by e2e integration tests, then approved: "When everything is green, you are approved to start merging everything." Implementation and first-pass reviews ran via codex gpt 5.5 until its usage limit exhausted (see Operational knowledge); the supervising Claude session then executed remaining work directly.
What was found and done (the chain)
- Audit (2026-07-07): demos exercised zero newly-merged features (token capabilities, cross-wallet grants, PMS, Gate, in-daemon custom-currency billing, mailbox, USE-tier); the JVM demo pinned the pre-billing-absorption daemon + retired
com.billingmanager:embeddable-core. The extension had no surface for grants/mailbox/tokens/asset-class billing, pull-only permission discovery, a dead billing button, and its Playwright e2e specs executed in no CI anywhere.
- Four parallel codex implementations produced: extension upgrade (W3WalletExtension #53 — proactive permission prompts, real Billing/Grants tabs, asset-class API, 55 unit + 109 Playwright e2e specs now actually executed in CI with hermetic daemon provisioning); JS demo lazy-permission + spend panel (JavascriptCoinCollectorDemo #17); JVM demo modernization + Gate/token-capability adoption + custom-currency metering (JvmServerSideCoinCollectorDemo #94); missing e2e specs incl. USE-tier negative tests + cross-NAT denial assertion (W3WalletTests #30, closes W3WalletTests #26).
- Review loop (codex test-comprehensiveness + adversarial per PR, then the supervisor's final review) caught and fixed: 2 XSS bugs + a CSS injection (JS demo/extension), a redirect-encoding bug, a dishonest reset count, unbounded currency shadow maps (extension) — the last exposing a real daemon wire gap fixed upstream in W3WalletProtocol #12 + W3WalletDaemon #126 (
currencyType now serialized on spend limits/registrations; W3WalletApi 1.0.3).
- The NAT check saga: W3WalletTests #30's
NetLab NAT-traversal e2e failed 13 runs across 2026-07-07/09. Verified causes, in sequence: shared-host disk-full (ContainerNursery HttpsFacade trace flood — 13–17 GB logs in ~2 h, three ENOSPC incidents); a cn-watchdog kill-9 restart loop under load; concurrent agent-session deploys mid-run; a genuinely-defective 60 s navigation budget in the new denial assertion (fixed; two later timeout-inflation commits by a codex session were reverted); the demo's unbudgeted url:// write path hanging on a wedged resolver (JvmServerSideCoinCollectorDemo #95 fixed: --wallet-write-timeout-ms, default 120 s); and a regression from #94: page render conflated a billing-path failure with lost wallet connection (billing rides a raw UrlProtocol2 lacking the resolver's relay fallback → NAT topologies always rendered "Connection Error"), fixed in JvmServerSideCoinCollectorDemo #96 with an e2e test via the SharedResolverConfig.rawProtocolOverride seam.
- Merge cascade (user-approved): all seven support PRs MERGED (verified 05:07Z): #12 17:48Z, #126 17:46Z, #17 17:46Z, #95 18:31Z, #53 18:36Z, #94 19:39Z (rebased over #95 by the supervisor; an invalid
GIT_CONFIG_* workflow env block from the rebase was removed — it made bld-all-tests fail with zero jobs), #96 2026-07-09T02:23Z (took 3 merge-queue attempts; two distinct transient network flakes — an artifact-host 429 and a Playwright browser-download failure — details below).
Current state (verified 2026-07-09T05:07Z)
- W3WalletTests #30 is the only open PR (OPEN / UNSTABLE). Head
c01dd421. All non-NAT checks green. NAT run 13 in flight (job 86042115230, started 04:48Z) — the FIRST attempt with demo #96 merged, i.e. the first where the gossip/JVM-gate suites can render "Wallet Connected". Across runs, every one of the PR's 6 suites has passed at ≥1 point; no failure has implicated the PR's own code since its budgets were fixed.
- The user said "stop" at ~05:06Z: the 20-min status loop and the PR-30 to-merged watchman were cancelled. Run 13 continues server-side unattended.
- Nothing unsaved: all working-copy branches pushed; only a local Playwright
test-results/ artifact existed and was deleted.
- Prod host (198.199.106.165): the CN log flood is still live upstream — ContainerNursery #501 (bounded rotating logs + trace flag) was closed/declined by maintainer at 2026-07-08T15:01Z in favor of #507 (child-log ingestion bound), which does not cover CN's own stdout. A temporary
cn-log-guard cron (every 10 min, truncate >4 GiB, tail snapshot, audit at /root/cn-log-guard.audit) installed by this session is the only thing bounding the disk — do not remove it until CN's own stdout is bounded upstream (issue #498 still open; also #499 watchdog kill-loop).
Next steps
- Watch run 13:
coursier launch buildwatchman:build-watchman:0.0.11 -r https://kotlin.directory -- --repo CodexCoder21Organization/W3WalletTests --pr 30 --to-merged (user approval to merge-on-green already given). Run takes ~90–110 min; started 04:48Z.
- If green: watchman merges it; the effort is complete. Optionally close the loop on W3WalletTests #31 / NetLabManagerServer #97 (the 70-min-check speedups — the user never green-lit implementation).
- If the JVM suite fails on denial-toast TEXT mismatch (now that connection gates pass): the demo's fail-closed refusal text may differ from
expectedRemoteCreateDenial in browser-nat-e2e/run-jvm-demo.mjs; the assertion prints the actual toast verbatim — update the expected constant to the demo's real, deterministic denial and keep exact-equality.
- If suites fail with manager-unreachable signatures (
All 0 peers for netlab-hosted, env did not become READY): that is host instability, not the PR — check /root/cn-watchdog.audit for kills and rerun in a calm window (overnight ~23:00–05:00 UTC was the only reliably calm period; gate used: 15-min load < 8 AND CN uptime ≥ 30 min).
- Aftercare regardless: remove the
cn-log-guard cron + /root/cn-log-guard.sh once CN's stdout is bounded upstream; consider re-raising the stdout-bounding need on #498 since #507 doesn't cover it.
Reusable / operational knowledge
- codex gpt 5.5 is usage-exhausted until Jul 14, 2026 12:53 AM (~3.5 M output tokens in 24 h). New
codex exec fails instantly, exit 1. In-flight sessions survive a limit. Also: pass long prompts via a pointer file (Read the file <path> and execute…) — prompt-in-argv makes codex a pkill -f casualty of test harnesses; and always < /dev/null (stdin-hang). See challenges 2026-07-07-2001 and 2026-07-08 (codex exhaustion).
- Merge queues on flaky nights: an entry evicted for a transient check failure must be freshly enqueued — GraphQL
enqueuePullRequest returning "already in the queue" means the doomed entry still exists and its failed check results will be reused; wait for the ref to vanish (gh api repos/<r>/git/matching-refs/heads/gh-readonly-queue/main/pr-<n>), then enqueue again. build-watchman 0.0.11 can latch a stale queue-ref failure while a re-validation is live — confirm queue membership via GraphQL before trusting an eviction report.
- UrlResolver raw-protocol vs resolver path:
UrlProtocol2 used directly (e.g. the demo's WalletBillingClient) has no relay fallback; anything that must reach a NAT'd peer needs the UrlResolver path or must degrade gracefully. Root-cause issue for the connect-forever hang: UrlResolver #725.
- Extension e2e env on this box: daemon jar at
~/.w3wallet/W3WalletDaemon.jar, LD_LIBRARY_PATH=/home/helena/.cache/chromium-deps/usr/lib/x86_64-linux-gnu:/home/helena/.cache/chromium-deps/lib/x86_64-linux-gnu, W3WALLET_HEADLESS=new, --workers=1.
- Related handoffs/issues: W3WalletDaemon #123 (billing RPCs trust self-asserted url:// origin — open security item), W3WalletDaemon #125 (pages can't observe permission-request outcome), the W3Wallet workstream doc's Implementation status section (now further outdated by this effort — an update pass is warranted).