From 967e1a0a700cf4c40543643c365946db1bc71eb4 Mon Sep 17 00:00:00 2001
From: Aidan Daly <aidandal@amazon.com>
Date: Thu, 18 Jun 2026 19:42:51 +0000
Subject: [PATCH] test(e2e): use real key formats in payment-validation CDP
 fixtures
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PR #1573 added client-side validation that requires the CoinbaseCDP
apiKeySecret to be a base64-encoded Ed25519 key and walletSecret a
base64-encoded EC P-256 key. The full E2E suite (which runs on push to
main, not on PRs) still seeded those fields with dummy strings, so the
add/remove lifecycle tests now tripped the format check instead of
exercising their intent.

Generate real Ed25519 / P-256 keys for the CDP secret fields. The
whitespace-rejection and StripePrivy format tests are unchanged — they
assert rejection and still pass.
---
 e2e-tests/payment-validation.test.ts | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/e2e-tests/payment-validation.test.ts b/e2e-tests/payment-validation.test.ts
index 09078487d..cb853c97b 100644
--- a/e2e-tests/payment-validation.test.ts
+++ b/e2e-tests/payment-validation.test.ts
@@ -7,7 +7,7 @@
  */
 import { parseJsonOutput, prereqs } from '../src/test-utils/index.js';
 import { runAgentCoreCLI } from './e2e-helper.js';
-import { randomUUID } from 'node:crypto';
+import { generateKeyPairSync, randomUUID } from 'node:crypto';
 import { mkdir, readFile, rm, writeFile } from 'node:fs/promises';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
@@ -15,6 +15,17 @@ import { afterAll, beforeAll, describe, expect, it } from 'vitest';
 
 const canRun = prereqs.npm && prereqs.git && prereqs.uv;
 
+// The CLI validates CDP secret formats at add time: apiKeySecret must be a
+// base64-encoded Ed25519 private key and walletSecret a base64-encoded EC P-256
+// private key. Use real keys so add/remove lifecycle tests exercise their intent
+// rather than tripping the format check.
+const CDP_API_KEY_SECRET = generateKeyPairSync('ed25519')
+  .privateKey.export({ type: 'pkcs8', format: 'der' })
+  .toString('base64');
+const CDP_WALLET_SECRET = generateKeyPairSync('ec', { namedCurve: 'P-256' })
+  .privateKey.export({ type: 'pkcs8', format: 'der' })
+  .toString('base64');
+
 describe.sequential('e2e: payments — validation, config, and remove lifecycle', () => {
   let testDir: string;
   let projectPath: string;
@@ -91,9 +102,9 @@ describe.sequential('e2e: payments — validation, config, and remove lifecycle'
         '--api-key-id',
         'key-id',
         '--api-key-secret',
-        'key-secret',
+        CDP_API_KEY_SECRET,
         '--wallet-secret',
-        'wallet-secret',
+        CDP_WALLET_SECRET,
         '--json',
       ],
       projectPath
@@ -253,9 +264,9 @@ describe.sequential('e2e: payments — validation, config, and remove lifecycle'
         '--api-key-id',
         'a',
         '--api-key-secret',
-        'b',
+        CDP_API_KEY_SECRET,
         '--wallet-secret',
-        'c',
+        CDP_WALLET_SECRET,
         '--json',
       ],
       projectPath
@@ -281,9 +292,9 @@ describe.sequential('e2e: payments — validation, config, and remove lifecycle'
         '--api-key-id',
         'key-id',
         '--api-key-secret',
-        'key-secret',
+        CDP_API_KEY_SECRET,
         '--wallet-secret',
-        'wallet-secret',
+        CDP_WALLET_SECRET,
         '--json',
       ],
       projectPath