fix: guard against invalid CBOR in addTransaction and transaction card #227

Merged
QSchlegel merged 1 commit into preprod from fix/invalid-tx-cbor-211 on Apr 23, 2026

@QSchlegel
Collaborator

Summary

Two-part defense against the bug reported in #211, where a transaction added via POST /api/v1/addTransaction with a non-standard 4-element CBOR wrapper was persisted as-is, then later crashed the Transactions page for the wallet — locking up its UTxOs with no way to recover because the Delete button lived on the same page that was crashing.

  • src/pages/api/v1/addTransaction.ts: reject unparseable txCbor (via csl.Transaction.from_hex) and unparseable txJson up front with HTTP 400, so no more malformed rows can be created.
  • src/components/pages/wallet/transactions/transaction-card.tsx: wrap JSON.parse(transaction.txJson) in try/catch. On failure, render a degraded "Unreadable transaction" card that still exposes a Reject & Delete button wired to the existing deleteTransaction mutation, so already-poisoned wallets can recover.
  • Adds src/__tests__/addTransaction.test.ts covering the four new validation branches plus the happy path.

Closes #211

Test plan

  • npx jest src/__tests__/addTransaction.test.ts — 5/5 pass
  • Full npx jest — no new failures introduced (pre-existing unrelated failures in apiSecurity, botBallotsUpsert, governanceActiveProposals, multisigSDK, signTransaction remain)
  • npx tsc --noEmit — no new errors on touched files
  • Manual: POST /api/v1/addTransaction with junk txCbor → 400 {error: "Invalid transaction CBOR: ..."}
  • Manual (preprod): open the Transactions page for a wallet with a known bad row (e.g. cmmoyccbt0003le04veswn9b5, cmmuuxyg40001l204bmcb6jim from Bug: Added transactions via API -> Cannot load 'Transactions' page #211) and confirm the page loads, the bad row shows the degraded card, and Reject & Delete frees its UTxOs.

🤖 Generated with Claude Code

Reject unparseable txCbor/txJson at the addTransaction API boundary so a
malformed 4-element CBOR can never be persisted, and render a degraded
card with a Reject button when an existing row's txJson cannot be
parsed, so a single bad row no longer crashes the whole Transactions
page and locks up its UTxOs.

Closes #211

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
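
The two-part pattern described above (reject at the API boundary, degrade at render time), as an added example that is not the project's code. The function names, the stand-in parser used in place of `csl.Transaction.from_hex`, the `txJson` error wording, and the assumption that both fields arrive as strings are hypothetical; only the `Invalid transaction CBOR:` prefix comes from the PR text.

```typescript
// Added example, not the project's code: all names here are hypothetical.
type Parser = (raw: string) => unknown;
interface Verdict { status: number; error?: string }
interface CardModel { kind: "normal" | "unreadable"; id: string; tx?: unknown; canDelete: true }

const reason = (e: unknown): string => (e instanceof Error ? e.message : String(e));

// Stand-in for csl.Transaction.from_hex so the example runs offline.
// It only checks hex shape; the real call decodes the whole transaction.
const standInCborParser: Parser = (hex) => {
  if (hex.length === 0 || hex.length % 2 !== 0 || !/^[0-9a-f]+$/i.test(hex)) {
    throw new Error("not a hex-encoded byte string");
  }
  return hex;
};

// API boundary: refuse to persist anything the parsers reject.
function validateAddTransaction(
  body: { txCbor?: unknown; txJson?: unknown },
  parseCbor: Parser = standInCborParser,
): Verdict {
  if (typeof body.txCbor !== "string" || typeof body.txJson !== "string") {
    return { status: 400, error: "txCbor and txJson must be strings" };
  }
  try {
    parseCbor(body.txCbor);
  } catch (e) {
    return { status: 400, error: `Invalid transaction CBOR: ${reason(e)}` };
  }
  try {
    JSON.parse(body.txJson);
  } catch (e) {
    return { status: 400, error: `Invalid transaction JSON: ${reason(e)}` };
  }
  return { status: 200 };
}

// Render path: a stored row that predates the check must not crash the page.
function toCardModel(row: { id: string; txJson: string }): CardModel {
  try {
    return { kind: "normal", id: row.id, tx: JSON.parse(row.txJson), canDelete: true };
  } catch {
    // Keep deletion reachable so the wallet's UTxOs can be freed.
    return { kind: "unreadable", id: row.id, canDelete: true };
  }
}
```
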
@vercel

vercel Bot commented Apr 23, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
multisig | Ready | Preview, Comment | Apr 23, 2026 0:08am

@QSchlegel QSchlegel merged commit 0d16c71 into preprod Apr 23, 2026
3 checks passed