From c6062cdbb455dfe62643ecee3e91c73aa481e055 Mon Sep 17 00:00:00 2001 From: Gajesh Naik <26431906+Gajesh2007@users.noreply.github.com> Date: Tue, 23 Jun 2026 15:13:12 -0700 Subject: [PATCH 1/2] fix(console-ui): allow WalletConnect domains in CSP connect-src Privy's wallet-login (WalletConnect) flow was blocked by the console-ui Content-Security-Policy. The connect-src directive omitted the WalletConnect domains, so the browser refused to: - fetch the WalletConnect wallet registry from explorer-api.walletconnect.com - open the relay websocket at wss://relay.walletconnect.com / .org - post analytics to pulse.walletconnect.org This surfaced as "Refused to connect ... violates the document's Content Security Policy" and "TypeError: Failed to fetch", leaving the wallet list empty and wallet login broken. Add https/wss wildcards for *.walletconnect.com and *.walletconnect.org to connect-src so the registry fetch, relay socket, and pulse analytics are permitted. CSP host wildcards match a single subdomain label, which covers explorer-api / relay / pulse. No other directives change. Co-authored-by: Cursor --- console-ui/next.config.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/console-ui/next.config.ts b/console-ui/next.config.ts index 3216fc2e..ae0a939c 100644 --- a/console-ui/next.config.ts +++ b/console-ui/next.config.ts @@ -4,7 +4,7 @@ import type { NextConfig } from "next"; // - 'unsafe-inline' for style-src: required by Next.js for injected styles. // - 'unsafe-inline' + 'unsafe-eval' for script-src: required by Privy SDK // and Next.js dev mode. Tighten to nonce-based CSP when feasible. -// - connect-src: coordinator API, Privy auth, Google Analytics, Stripe. +// - connect-src: coordinator API, Privy auth, WalletConnect (Privy wallet login), Google Analytics, Stripe. // - frame-src: Privy auth iframes, Stripe Checkout iframes. const cspDirectives = [ "default-src 'self'", 
@@ -12,7 +12,7 @@ const cspDirectives = [ "style-src 'self' 'unsafe-inline'", "img-src 'self' data: blob: https:", "font-src 'self' data:", - "connect-src 'self' https://api.darkbloom.dev https://*.privy.io wss://*.privy.io https://www.google-analytics.com https://api.stripe.com", + "connect-src 'self' https://api.darkbloom.dev https://*.privy.io wss://*.privy.io https://www.google-analytics.com https://api.stripe.com https://*.walletconnect.com wss://*.walletconnect.com https://*.walletconnect.org wss://*.walletconnect.org", "frame-src https://auth.privy.io https://js.stripe.com", "frame-ancestors 'none'", "base-uri 'self'", From 6a9251540d9b25a4b36cd42339db970822a57613 Mon Sep 17 00:00:00 2001 
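Review bot: The four `*.walletconnect.com` / `*.walletconnect.org` entries on the new connect-src line grant more than the commit message claims — a CSP host wildcard matches any subdomain depth, not a single label, so `a.b.walletconnect.com` would be allowed too. Since the message names exactly three endpoints, the allow-list can be pinned to them: `https://explorer-api.walletconnect.com wss://relay.walletconnect.com wss://relay.walletconnect.org https://pulse.walletconnect.org`. If `pulse` is only analytics, it is worth confirming whether the SDK tolerates that request failing before granting it at all. The `cspDirectives` array begins outside the hunk.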
From: Gajesh Naik <26431906+Gajesh2007@users.noreply.github.com> Date: Tue, 23 Jun 2026 15:21:01 -0700 Subject: [PATCH 2/2] fix(console-ui): allow full Privy/WalletConnect/Turnstile stack in CSP MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The deployed console-ui was fully non-interactive ("can't click anywhere"). Root cause: Privy's React provider stack throws during initialization when its WalletConnect / Privy-RPC / captcha network calls are blocked by the Content-Security-Policy. The uncaught throw aborts React hydration, so the entire SPA never becomes interactive. The earlier connect-src WalletConnect-only patch was necessary but not sufficient — the policy still omitted several domains the Privy + WalletConnect + Cloudflare-Turnstile stack requires. This applies the full policy from Privy's official CSP guide plus Cloudflare Turnstile's requirements: - script-src: add https://challenges.cloudflare.com (Turnstile = Privy captcha). - connect-src: add https://*.rpc.privy.systems (Privy RPC), https://*.walletconnect.com/.org + wss://*.walletconnect.com/.org (explorer-api, relay sockets, pulse), and wss://www.walletlink.org (Coinbase Wallet). - frame-src: add https://challenges.cloudflare.com and https://verify.walletconnect.com/.org (WalletConnect verify iframes); add 'self'. - child-src: new directive for the Privy auth iframe + WalletConnect verify iframes (older browsers fall back to child-src). - worker-src: 'self' blob: (Privy/wagmi may spawn blob: workers). Existing https://*.privy.io / wss://*.privy.io (broader than auth.privy.io) and the Stripe + Google Analytics entries are retained. admin-ui CSP is intentionally untouched (no Privy/WalletConnect there). Co-authored-by: Cursor --- console-ui/next.config.ts | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/console-ui/next.config.ts b/console-ui/next.config.ts index ae0a939c..bdb7a6fa 100644 --- a/console-ui/next.config.ts 
+++ b/console-ui/next.config.ts 
@@ -4,16 +4,22 @@ import type { NextConfig } from "next"; // - 'unsafe-inline' for style-src: required by Next.js for injected styles. // - 'unsafe-inline' + 'unsafe-eval' for script-src: required by Privy SDK // and Next.js dev mode. Tighten to nonce-based CSP when feasible. -// - connect-src: coordinator API, Privy auth, WalletConnect (Privy wallet login), Google Analytics, Stripe. -// - frame-src: Privy auth iframes, Stripe Checkout iframes. +// - script-src: GA/GTM, Stripe.js, Cloudflare Turnstile (Privy captcha). +// - connect-src: coordinator API, Privy auth + RPC, WalletConnect/WalletLink +// relays & explorer, Google Analytics, Stripe. +// - frame-src / child-src: Privy auth iframe, WalletConnect verify iframes, +// Cloudflare Turnstile, Stripe Checkout. +// - worker-src: app workers (Privy/wagmi may spawn blob: workers). const cspDirectives = [ "default-src 'self'", - "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://js.stripe.com", + "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://js.stripe.com https://challenges.cloudflare.com", "style-src 'self' 'unsafe-inline'", "img-src 'self' data: blob: https:", "font-src 'self' data:", - "connect-src 'self' https://api.darkbloom.dev https://*.privy.io wss://*.privy.io https://www.google-analytics.com https://api.stripe.com https://*.walletconnect.com wss://*.walletconnect.com https://*.walletconnect.org wss://*.walletconnect.org", - "frame-src https://auth.privy.io https://js.stripe.com", + "connect-src 'self' https://api.darkbloom.dev https://*.privy.io wss://*.privy.io https://*.rpc.privy.systems https://www.google-analytics.com https://api.stripe.com https://*.walletconnect.com wss://*.walletconnect.com https://*.walletconnect.org wss://*.walletconnect.org wss://www.walletlink.org", + "frame-src 'self' https://auth.privy.io https://js.stripe.com https://challenges.cloudflare.com https://verify.walletconnect.com 
https://verify.walletconnect.org", + "child-src 'self' https://auth.privy.io https://verify.walletconnect.com https://verify.walletconnect.org", + "worker-src 'self' blob:", "frame-ancestors 'none'", "base-uri 'self'", "form-action 'self'",
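Review bot: The new `child-src` line disagrees with the `frame-src` line just above it — it omits `https://challenges.cloudflare.com` and `https://js.stripe.com`, so in any engine that actually falls back to child-src the Turnstile and Stripe Checkout iframes this commit sets out to allow would still be blocked. Under the CSP3 fallback chain child-src is only consulted when `frame-src` or `worker-src` is absent, and both are set explicitly here, so the simplest fix is to drop the line; if it is kept for older engines it should mirror frame-src: `"child-src 'self' https://auth.privy.io https://js.stripe.com https://challenges.cloudflare.com https://verify.walletconnect.com https://verify.walletconnect.org",`. The commit message also gives no reason for adding `'self'` to frame-src; a short comment naming the same-origin iframe it serves would keep that grant auditable. Separately, the root cause described — an uncaught throw in Privy's provider init aborting hydration — is not addressed by the policy change, so an outage of any of these third-party hosts would again leave the console non-interactive; an error boundary around the provider is worth a follow-up. The `cspDirectives` array continues past the hunk.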