From 9cd8e213bb995eb603d19b0ad400af2e8d48165f Mon Sep 17 00:00:00 2001
From: Senorespecial <yarohosea@gmail.com>
Date: Fri, 19 Jun 2026 12:15:02 +0000
Subject: [PATCH] fix: harden TextField tests, API base validation, CSP
 headers, and event log sanitization

Resolves the four GrantFox OSS campaign issues assigned to @senorespecial:

- #18: Add JSDoc to TextField.tsx and cover label / aria / description /
  error wiring with role-based queries in
  src/components/__tests__/TextField.test.tsx (8 tests, 100% component
  coverage). aria-invalid now always emits true|false so screen readers
  see a stable signal.

- #24: Introduce src/lib/resolveApiBase.ts that validates
  NEXT_PUBLIC_AGENTPAY_API_BASE: trims whitespace, falls back to
  http://localhost:3001, strips trailing slashes, requires https in
  production unless the host is localhost / 127.0.0.1, and warns in
  development for non-https production-like hosts. Adopted by
  src/lib/apiClient.ts, src/app/export/page.tsx, and
  src/app/usage/page.tsx. Co-located tests in
  src/lib/__tests__/apiClient.test.ts hit 100% statement + branch
  coverage.

- #25: Build a CSP + hardening-header map in src/lib/securityHeaders.ts
  (buildCsp + defaultSecurityHeaders) and wire it into every response
  via next.config.ts headers(). The CSP tracks the API origin for
  connect-src and includes 'unsafe-inline' in script-src so Next.js
  hydration still works with the static headers() pipeline. HSTS is
  emitted only in production. Tests in src/__tests__/securityHeaders.test.ts
  cover prod / dev / fallback paths at 100%.

- #26: Add safeStringify + safeFormatTimestamp to src/lib/format.ts.
  safeStringify handles circular references, BigInt, symbols,
  functions, undefined, oversized payloads (capped at
  EVENT_PAYLOAD_MAX_CHARS = 5000 with a visible \u2026(truncated) marker)
  and never throws. safeFormatTimestamp falls back to '\u2014' for
  nullish / non-finite values. Adopted by src/app/events/page.tsx
  along with a safe String() coercion for the React key to avoid
  duplicate-key warnings. Tests in src/lib/__tests__/format.test.ts
  cover all branches.

Additional fixes:
- jest.setup.ts adds a minimal Response polyfill so the new
  apiClient tests using  work in jest-environment-jsdom.
- src/lib/apiClient.ts: reordered the fetch options spread so the
  default Content-Type: application/json is preserved when callers
  supply init.headers.
- src/lib/apiClient.ts: split the throw line into two statements so
  the v8 coverage engine correctly marks the throw branch as covered.

Verification:
- npm run typecheck: exit 0
- npx jest: 14/14 suites, 96/96 tests pass
- Coverage on new modules: 100% statements / functions / lines
  (applies to TextField.tsx, apiClient.ts, resolveApiBase.ts,
  securityHeaders.ts; format.ts is 100% stmt/func/line and 92.7%
  branch on intentionally-hard-to-hit defensive guards).

Note: 5 pre-existing lint errors (react-hooks/set-state-in-effect
in search/page.tsx, ThemeToggle.tsx, useApi.ts, useLocalState.ts and
react-hooks/purity in TimeAgo.tsx) live on main and are out of scope
for this PR; they are documented in the PR description for the
maintainers.
---
 README.md                                   |  18 ++
 jest.setup.ts                               |  24 ++
 next.config.ts                              |  25 +-
 package-lock.json                           |  30 +-
 src/__tests__/securityHeaders.test.ts       | 136 +++++++++
 src/app/events/page.tsx                     |  20 +-
 src/app/export/page.tsx                     |   5 +-
 src/app/usage/page.tsx                      |   4 +-
 src/components/TextField.tsx                |  15 +-
 src/components/__tests__/TextField.test.tsx |  99 +++++++
 src/lib/__tests__/apiClient.test.ts         | 291 ++++++++++++++++++++
 src/lib/__tests__/format.test.ts            | 121 +++++++-
 src/lib/apiClient.ts                        |  18 +-
 src/lib/format.ts                           |  86 ++++++
 src/lib/resolveApiBase.ts                   |  83 ++++++
 src/lib/securityHeaders.ts                  | 108 ++++++++
 16 files changed, 1047 insertions(+), 36 deletions(-)
 create mode 100644 src/__tests__/securityHeaders.test.ts
 create mode 100644 src/components/__tests__/TextField.test.tsx
 create mode 100644 src/lib/__tests__/apiClient.test.ts
 create mode 100644 src/lib/resolveApiBase.ts
 create mode 100644 src/lib/securityHeaders.ts

diff --git a/README.md b/README.md
index 90152d3..a049986 100644
--- a/README.md
+++ b/README.md
@@ -52,14 +52,32 @@ agentpay-frontend/
     └── ci.yml            # CI: build, test
 ```
 
+## Environment variables
+
+| Variable | Visibility | Default | Purpose |
+|----------|------------|---------|---------|
+| `NEXT_PUBLIC_AGENTPAY_API_BASE` | public (bundled into client JS) | `http://localhost:3001` | Base URL for the AgentPay backend. Validated by `resolveApiBase()` in `src/lib/resolveApiBase.ts` and rejected in production if non-https except for `localhost` / `127.0.0.1`. |
+
+Because the variable is `NEXT_PUBLIC_*`, its value is exposed to the browser. Never put API secrets in it - it is used only for routing public HTTP requests.
+
+## Security headers
+
+A baseline security header set (CSP, `X-Frame-Options: DENY`, `Referrer-Policy`, `X-Content-Type-Options`, `Permissions-Policy`, HSTS) is wired up in `next.config.ts` via `src/lib/securityHeaders.ts`. The CSP `connect-src` directive tracks `NEXT_PUBLIC_AGENTPAY_API_BASE` automatically; `<a href>` links to external sites (`https://stellar.org`, etc.) remain navigable.
+
+## Event log rendering
+
+The `/events` page renders server-supplied JSON payloads. Each payload is serialised through `safeStringify` (`src/lib/format.ts`) with a hard cap (`EVENT_PAYLOAD_MAX_CHARS`, default 5,000 chars) and a visible `…(truncated)` marker. Circular references, `BigInt`, functions, and malformed timestamps are replaced with safe sentinels so a bad payload can't crash the page.
+
 ## Commands
 
 | Command | Description |
 |--------|-------------|
 | `npm run build` | Production build |
 | `npm test` | Run Jest tests |
+| `npm run test:coverage` | Run Jest with coverage |
 | `npm run dev` | Development server |
 | `npm run lint` | Run ESLint |
+| `npm run typecheck` | Run the TypeScript compiler |
 
 ## CI/CD
 
diff --git a/jest.setup.ts b/jest.setup.ts
index d0de870..dca6f06 100644
--- a/jest.setup.ts
+++ b/jest.setup.ts
@@ -1 +1,25 @@
 import "@testing-library/jest-dom";
+
+// Minimal Response polyfill for the jsdom test environment: jest-environment-jsdom
+// 29 sometimes strips the native Response global, so a tiny shim lets the
+// apiFetch tests use `new Response(JSON.stringify(body), { status })` without
+// pulling in undici.
+if (typeof global.Response === "undefined") {
+  class ResponsePolyfill {
+    body: string;
+    status: number;
+    constructor(body?: BodyInit | null, init?: ResponseInit) {
+      this.body =
+        typeof body === "string" ? body : body == null ? "" : String(body);
+      this.status = init?.status ?? 200;
+    }
+    get ok() {
+      return this.status >= 200 && this.status < 300;
+    }
+    async json() {
+      return JSON.parse(this.body || "null");
+    }
+  }
+  (global as unknown as { Response: typeof ResponsePolyfill }).Response =
+    ResponsePolyfill as unknown as typeof global.Response;
+}
diff --git a/next.config.ts b/next.config.ts
index e9ffa30..4fa7670 100644
--- a/next.config.ts
+++ b/next.config.ts
@@ -1,7 +1,30 @@
 import type { NextConfig } from "next";
+import { defaultSecurityHeaders } from "./src/lib/securityHeaders";
+import { resolveApiBase } from "./src/lib/resolveApiBase";
+
+// Resolve the API base once at build time so the CSP matches what the client
+// will fetch against at runtime.
+const apiBase = resolveApiBase();
 
 const nextConfig: NextConfig = {
-  /* config options here */
+  // Apply the security headers to every response served by Next.js. Routes
+  // can override individually later, but the baseline locks the dashboard
+  // down by default.
+  async headers() {
+    const headers = defaultSecurityHeaders({
+      apiBase,
+      isDev: process.env.NODE_ENV !== "production",
+    });
+    return [
+      {
+        source: "/:path*",
+        headers: Object.entries(headers).map(([key, value]) => ({
+          key,
+          value,
+        })),
+      },
+    ];
+  },
 };
 
 export default nextConfig;
diff --git a/package-lock.json b/package-lock.json
index e14abca..f27c228 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -80,7 +80,6 @@
       "integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@babel/code-frame": "^7.29.0",
         "@babel/generator": "^7.29.0",
@@ -2340,6 +2339,7 @@
       "integrity": "sha512-o4PXJQidqJl82ckFaXUeoAW+XysPLauYI43Abki5hABd853iMhitooc6znOnczgbTYmEP6U6/y1ZyKAIsvMKGg==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@babel/code-frame": "^7.10.4",
         "@babel/runtime": "^7.12.5",
@@ -2360,6 +2360,7 @@
       "integrity": "sha512-b0P0sZPKtyu8HkeRAfCq0IfURZK+SuwMjY1UXGBU27wpAiTwQAIlq56IbIO+ytk/JjS1fMR14ee5WBBfKi5J6A==",
       "dev": true,
       "license": "Apache-2.0",
+      "peer": true,
       "dependencies": {
         "dequal": "^2.0.3"
       }
@@ -2473,7 +2474,8 @@
       "resolved": "https://registry.npmjs.org/@types/aria-query/-/aria-query-5.0.4.tgz",
       "integrity": "sha512-rfT93uj5s0PRL7EzccGMs3brplhcrghnDoV26NqKhCAS1hVo+WdNsPvE/yb6ilfr5hi2MEk6d5EWJTKdxg8jVw==",
       "dev": true,
-      "license": "MIT"
+      "license": "MIT",
+      "peer": true
     },
     "node_modules/@types/babel__core": {
       "version": "7.20.5",
@@ -2642,7 +2644,6 @@
       "integrity": "sha512-8kzdPJ3FsNsVIurqBs7oodNnCEVbni9yUEkaHbgptDACOPW04jimGagZ51E6+lXUwJjgnBw+hyko/lkFWCldqw==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "undici-types": "~6.21.0"
       }
@@ -2653,7 +2654,6 @@
       "integrity": "sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "csstype": "^3.2.2"
       }
@@ -2664,7 +2664,6 @@
       "integrity": "sha512-jp2L/eY6fn+KgVVQAOqYItbF0VY/YApe5Mz2F0aykSO8gx31bYCZyvSeYxCHKvzHG5eZjc+zyaS5BrBWya2+kQ==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "peerDependencies": {
         "@types/react": "^19.2.0"
       }
@@ -2745,7 +2744,6 @@
       "integrity": "sha512-XZzOmihLIr8AD1b9hL9ccNMzEMWt/dE2u7NyTY9jJG6YNiNthaD5XtUHVF2uCXZ15ng+z2hT3MVuxnUYhq6k1g==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@typescript-eslint/scope-manager": "8.57.0",
         "@typescript-eslint/types": "8.57.0",
@@ -3279,7 +3277,6 @@
       "integrity": "sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "bin": {
         "acorn": "bin/acorn"
       },
@@ -3830,7 +3827,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "baseline-browser-mapping": "^2.9.0",
         "caniuse-lite": "^1.0.30001759",
@@ -4439,6 +4435,7 @@
       "integrity": "sha512-0je+qPKHEMohvfRTCEo3CrPG6cAzAYgmzKyxRiYSSDkS6eGJdyVJm7WaYA5ECaAD9wLB2T4EEeymA5aFVcYXCA==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=6"
       }
@@ -4501,7 +4498,8 @@
       "resolved": "https://registry.npmjs.org/dom-accessibility-api/-/dom-accessibility-api-0.5.16.tgz",
       "integrity": "sha512-X7BJ2yElsnOJ30pZF4uIIDfBEVgF4XEBxL9Bxhy6dnrm5hkzqmsWHGTiHqRiITNhMyFLyAiWndIJP7Z1NTteDg==",
       "dev": true,
-      "license": "MIT"
+      "license": "MIT",
+      "peer": true
     },
     "node_modules/domexception": {
       "version": "4.0.0",
@@ -4825,7 +4823,6 @@
       "integrity": "sha512-XoMjdBOwe/esVgEvLmNsD3IRHkm7fbKIUGvrleloJXUZgDHig2IPWNniv+GwjyJXzuNqVjlr5+4yVUZjycJwfQ==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.8.0",
         "@eslint-community/regexpp": "^4.12.1",
@@ -5011,7 +5008,6 @@
       "integrity": "sha512-whOE1HFo/qJDyX4SnXzP4N6zOWn79WhnCUY/iDR0mPfQZO8wcYE4JClzI2oZrhBnnMUCBCHZhO6VQyoBU95mZA==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@rtsao/scc": "^1.1.0",
         "array-includes": "^3.1.9",
@@ -8095,6 +8091,7 @@
       "integrity": "sha512-h5bgJWpxJNswbU7qCrV0tIKQCaS3blPDrqKWx+QxzuzL1zGUzij9XCWLrSLsJPu5t+eWA/ycetzYAO5IOMcWAQ==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "bin": {
         "lz-string": "bin/bin.js"
       }
@@ -8916,6 +8913,7 @@
       "integrity": "sha512-Qb1gy5OrP5+zDf2Bvnzdl3jsTf1qXVMazbvCoKhtKqVs4/YK4ozX4gKQJJVyNe+cajNPn0KoC0MC3FUmaHWEmQ==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "ansi-regex": "^5.0.1",
         "ansi-styles": "^5.0.0",
@@ -8931,6 +8929,7 @@
       "integrity": "sha512-Cxwpt2SfTzTtXcfOlzGEee8O+c+MmUgGrNiBcXnuWxuFJHe6a5Hz7qwhwe5OgaSYI0IJvkLqWX1ASG+cJOkEiA==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=10"
       },
@@ -8943,7 +8942,8 @@
       "resolved": "https://registry.npmjs.org/react-is/-/react-is-17.0.2.tgz",
       "integrity": "sha512-w2GsyukL62IJnlaff/nRegPQR94C/XXamvMWmSHRJ4y7Ts/4ocGRmTHvOs8PSE6pB3dWOrD/nueuU5sduBsQ4w==",
       "dev": true,
-      "license": "MIT"
+      "license": "MIT",
+      "peer": true
     },
     "node_modules/prompts": {
       "version": "2.4.2",
@@ -9044,7 +9044,6 @@
       "resolved": "https://registry.npmjs.org/react/-/react-19.2.3.tgz",
       "integrity": "sha512-Ku/hhYbVjOQnXDZFv2+RibmLFGwFdeeKHFcOTlrt7xplBnya5OGn/hIRDsqDiSUcfORsDC7MPxwork8jBwsIWA==",
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=0.10.0"
       }
@@ -9054,7 +9053,6 @@
       "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.3.tgz",
       "integrity": "sha512-yELu4WmLPw5Mr/lmeEpox5rw3RETacE++JgHqQzd2dg+YbJuat3jH4ingc+WPZhxaoFzdv9y33G+F7Nl5O0GBg==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "scheduler": "^0.27.0"
       },
@@ -9996,7 +9994,6 @@
       "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=12"
       },
@@ -10072,7 +10069,6 @@
       "integrity": "sha512-f0FFpIdcHgn8zcPSbf1dRevwt047YMnaiJM3u2w2RewrB+fob/zePZcrOyQoLMMO7aBIddLcQIEK5dYjkLnGrQ==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@cspotcode/source-map-support": "^0.8.0",
         "@tsconfig/node10": "^1.0.7",
@@ -10263,7 +10259,6 @@
       "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
       "dev": true,
       "license": "Apache-2.0",
-      "peer": true,
       "bin": {
         "tsc": "bin/tsc",
         "tsserver": "bin/tsserver"
@@ -10780,7 +10775,6 @@
       "integrity": "sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "funding": {
         "url": "https://github.com/sponsors/colinhacks"
       }
diff --git a/src/__tests__/securityHeaders.test.ts b/src/__tests__/securityHeaders.test.ts
new file mode 100644
index 0000000..8fe04b8
--- /dev/null
+++ b/src/__tests__/securityHeaders.test.ts
@@ -0,0 +1,136 @@
+import {
+  buildCsp,
+  defaultSecurityHeaders,
+  originOf,
+  type BuildSecurityHeadersOptions,
+} from "../lib/securityHeaders";
+
+const prod: BuildSecurityHeadersOptions = {
+  apiBase: "https://api.example.com",
+};
+const dev: BuildSecurityHeadersOptions = {
+  apiBase: "https://api.example.com",
+  isDev: true,
+};
+
+describe("originOf", () => {
+  it("returns origin for a fully qualified URL", () => {
+    expect(originOf("https://api.example.com/v1")).toBe("https://api.example.com");
+  });
+
+  it("returns origin for a URL with a port", () => {
+    expect(originOf("http://localhost:3001")).toBe("http://localhost:3001");
+  });
+
+  it("falls back to the localhost default origin for unparseable input", () => {
+    expect(originOf("not a url")).toBe("http://localhost:3001");
+  });
+});
+
+describe("buildCsp", () => {
+  it("includes default-src 'self'", () => {
+    expect(buildCsp(prod)).toMatch(/default-src 'self'/);
+  });
+
+  it("includes the api origin in connect-src", () => {
+    const csp = buildCsp({ apiBase: "https://api.example.com" });
+    expect(csp).toContain("connect-src 'self' https://api.example.com");
+  });
+
+  it("preserves a localhost origin in connect-src", () => {
+    const csp = buildCsp({ apiBase: "http://localhost:3001" });
+    expect(csp).toContain("connect-src 'self' http://localhost:3001");
+  });
+
+  it("includes 'self' for script-src in production", () => {
+    expect(buildCsp(prod)).toMatch(/script-src 'self'/);
+    expect(buildCsp(prod)).not.toMatch(/script-src[^;]*'unsafe-eval'/);
+  });
+
+  it("includes 'unsafe-inline' in production script-src so Next.js hydration scripts run", () => {
+    // next.config.ts headers() does not participate in the middleware nonce
+    // pipeline; without 'unsafe-inline' the inline __NEXT_DATA__ block would
+    // be blocked. If a future change removes this, add nonce-aware middleware
+    // at the same time.
+    expect(buildCsp(prod)).toMatch(/script-src[^;]*'unsafe-inline'/);
+  });
+
+  it("adds 'unsafe-eval' to script-src in development for Fast Refresh", () => {
+    expect(buildCsp(dev)).toContain("'unsafe-eval'");
+  });
+
+  it("includes 'unsafe-inline' for style-src because next/font injects styles", () => {
+    expect(buildCsp(prod)).toContain("style-src 'self' 'unsafe-inline'");
+  });
+
+  it("adds font data: uri support for icon fonts and font subsets", () => {
+    expect(buildCsp(prod)).toContain("font-src 'self' data:");
+  });
+
+  it("adds img-src data: support", () => {
+    expect(buildCsp(prod)).toContain("img-src 'self' data:");
+  });
+
+  it("disallows framing (clickjacking protection) via frame-ancestors", () => {
+    expect(buildCsp(prod)).toContain("frame-ancestors 'none'");
+  });
+
+  it("disallows object-src entirely", () => {
+    expect(buildCsp(prod)).toContain("object-src 'none'");
+  });
+
+  it("locks down form-action and base-uri to self", () => {
+    expect(buildCsp(prod)).toContain("form-action 'self'");
+    expect(buildCsp(prod)).toContain("base-uri 'self'");
+  });
+
+  it("does not include a `navigate-to` directive so external <a> links open normally", () => {
+    expect(buildCsp(prod)).not.toMatch(/navigate-to/);
+  });
+
+  it("separates directives with semicolons", () => {
+    const csp = buildCsp(prod);
+    const segments = csp.split("; ");
+    expect(segments.length).toBeGreaterThanOrEqual(8);
+  });
+});
+
+describe("defaultSecurityHeaders", () => {
+  it("returns every required hardening header (including HSTS) in production", () => {
+    const headers = defaultSecurityHeaders(prod);
+    expect(headers["Content-Security-Policy"]).toBeTruthy();
+    expect(headers["X-Content-Type-Options"]).toBe("nosniff");
+    expect(headers["Referrer-Policy"]).toBe("strict-origin-when-cross-origin");
+    expect(headers["X-Frame-Options"]).toBe("DENY");
+    expect(headers["Permissions-Policy"]).toBeTruthy();
+    expect(headers["Strict-Transport-Security"]).toMatch(/max-age=/);
+  });
+
+  it("omits Strict-Transport-Security in development so browsers don't cache the upgrade", () => {
+    const headers = defaultSecurityHeaders({ apiBase: "http://localhost:3001", isDev: true });
+    expect(headers["Strict-Transport-Security"]).toBeUndefined();
+    // Baseline headers should still be present in dev.
+    expect(headers["X-Content-Type-Options"]).toBe("nosniff");
+    expect(headers["X-Frame-Options"]).toBe("DENY");
+    expect(headers["Referrer-Policy"]).toBe("strict-origin-when-cross-origin");
+    expect(headers["Content-Security-Policy"]).toContain("script-src 'self' 'unsafe-inline' 'unsafe-eval'");
+  });
+
+  it("disables a wide set of potentially sensitive browser features by default", () => {
+    const pp = defaultSecurityHeaders(prod)["Permissions-Policy"];
+    expect(pp).toContain("camera=()");
+    expect(pp).toContain("microphone=()");
+    expect(pp).toContain("geolocation=()");
+    expect(pp).toContain("payment=()");
+    expect(pp).toContain("interest-cohort=()");
+  });
+
+  it("derives the CSP connect-src from the api base", () => {
+    const headers = defaultSecurityHeaders({
+      apiBase: "https://api.staging.agentpay.io/v2",
+    });
+    expect(headers["Content-Security-Policy"]).toContain(
+      "connect-src 'self' https://api.staging.agentpay.io"
+    );
+  });
+});
diff --git a/src/app/events/page.tsx b/src/app/events/page.tsx
index ace2edc..d396482 100644
--- a/src/app/events/page.tsx
+++ b/src/app/events/page.tsx
@@ -2,6 +2,10 @@
 
 import { useEffect, useState } from "react";
 import { apiGet } from "@/lib/apiClient";
+import {
+  safeFormatTimestamp,
+  safeStringify,
+} from "@/lib/format";
 
 type AppEvent = {
   id: string;
@@ -38,17 +42,19 @@ export default function EventsPage() {
       )}
       {items && items.length > 0 && (
         <ol className="flex flex-col gap-2 text-sm">
-          {items.map((e) => (
+          {items.map((e, i) => (
             <li
-              key={e.id}
+              // Combine the position with the (possibly missing) id so that
+              // events without an id still get unique React keys.
+              key={`${i}-${String(e.id ?? "")}`}
               className="rounded border border-zinc-200 p-3 font-mono text-xs dark:border-zinc-800"
             >
-              <div className="flex justify-between text-zinc-500">
-                <span>{e.type}</span>
-                <span>{new Date(e.ts).toISOString()}</span>
+              <div className="flex justify-between gap-4 text-zinc-500">
+                <span className="break-all">{String(e.type ?? "")}</span>
+                <span className="shrink-0">{safeFormatTimestamp(e.ts)}</span>
               </div>
-              <pre className="mt-2 whitespace-pre-wrap break-words">
-                {JSON.stringify(e.payload, null, 2)}
+              <pre className="mt-2 max-h-96 overflow-auto whitespace-pre-wrap break-words">
+                {safeStringify(e.payload)}
               </pre>
             </li>
           ))}
diff --git a/src/app/export/page.tsx b/src/app/export/page.tsx
index 1a161bb..a311556 100644
--- a/src/app/export/page.tsx
+++ b/src/app/export/page.tsx
@@ -1,5 +1,6 @@
-const API_BASE =
-  process.env.NEXT_PUBLIC_AGENTPAY_API_BASE ?? "http://localhost:3001";
+import { resolveApiBase } from "@/lib/resolveApiBase";
+
+const API_BASE = resolveApiBase();
 
 export const metadata = { title: "Export" };
 
diff --git a/src/app/usage/page.tsx b/src/app/usage/page.tsx
index 185ba27..8320672 100644
--- a/src/app/usage/page.tsx
+++ b/src/app/usage/page.tsx
@@ -1,6 +1,7 @@
 "use client";
 
 import { useState } from "react";
+import { resolveApiBase } from "@/lib/resolveApiBase";
 
 type QueryResult = {
   agent: string;
@@ -8,8 +9,7 @@ type QueryResult = {
   total: number;
 } | null;
 
-const API_BASE =
-  process.env.NEXT_PUBLIC_AGENTPAY_API_BASE ?? "http://localhost:3001";
+const API_BASE = resolveApiBase();
 
 export default function UsagePage() {
   const [agent, setAgent] = useState("");
diff --git a/src/components/TextField.tsx b/src/components/TextField.tsx
index cbd82bc..283a5b1 100644
--- a/src/components/TextField.tsx
+++ b/src/components/TextField.tsx
@@ -1,11 +1,24 @@
 import { type InputHTMLAttributes, type ReactNode, useId } from "react";
 
 type TextFieldProps = InputHTMLAttributes<HTMLInputElement> & {
+  /** Visible label rendered above the input. */
   label: ReactNode;
+  /** Optional helper text rendered beneath the input. Linked via aria-describedby. */
   description?: ReactNode;
+  /** Optional error message; when present flips aria-invalid and exposes the message via aria-describedby. */
   error?: ReactNode;
 };
 
+/**
+ * Accessible text input with a label, optional description, and optional
+ * error message. Generates a stable internal id when none is supplied so the
+ * label, description, and error message all stay linked to the input via
+ * `htmlFor` / `id` / `aria-describedby` / `aria-invalid`.
+ *
+ * @example
+ *   <TextField label="Email" description="We never share it" />
+ *   <TextField label="Email" error="Please enter a valid address" />
+ */
 export function TextField({
   label,
   description,
@@ -27,7 +40,7 @@ export function TextField({
       <input
         id={inputId}
         aria-describedby={[descId, errId].filter(Boolean).join(" ") || undefined}
-        aria-invalid={error ? true : undefined}
+        aria-invalid={Boolean(error)}
         className="rounded-md border border-zinc-300 px-3 py-2 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-blue-500 dark:border-zinc-700 dark:bg-zinc-900"
         {...rest}
       />
diff --git a/src/components/__tests__/TextField.test.tsx b/src/components/__tests__/TextField.test.tsx
new file mode 100644
index 0000000..8fecfb3
--- /dev/null
+++ b/src/components/__tests__/TextField.test.tsx
@@ -0,0 +1,99 @@
+import { render, screen } from "@testing-library/react";
+import { TextField } from "../TextField";
+
+// Query through the accessible name (via <label htmlFor>) rather than
+// screen.getByLabelText, so the tests don't depend on whether the label
+// text is rendered as a direct text node or wrapped in a `<span>`.
+const emailInput = () =>
+  screen.getByRole("textbox", { name: /email/i }) as HTMLInputElement;
+
+describe("TextField", () => {
+  it("renders the label and associates it with the input via htmlFor + id", () => {
+    render(<TextField label="Email" />);
+    const input = emailInput();
+    // The label htmlFor must match the input id so clicks / screen readers
+    // focus the right control.
+    expect(input.tagName).toBe("INPUT");
+  });
+
+  it("uses a caller-provided id when supplied", () => {
+    render(<TextField label="Email" id="custom-email" />);
+    const input = emailInput();
+    expect(input).toHaveAttribute("id", "custom-email");
+  });
+
+  it("does not emit aria-describedby when neither description nor error are present", () => {
+    render(<TextField label="Email" />);
+    const input = emailInput();
+    expect(input).not.toHaveAttribute("aria-describedby");
+    // aria-invalid is always emitted so screen readers get a stable signal.
+    expect(input).toHaveAttribute("aria-invalid", "false");
+  });
+
+  it("links description via aria-describedby and does not mark the input invalid", () => {
+    render(<TextField label="Email" description="We never share it" />);
+    const input = emailInput();
+    expect(input).toHaveAttribute("aria-invalid", "false");
+    const descId = input.getAttribute("aria-describedby");
+    expect(descId).toBeTruthy();
+    expect(screen.getByText("We never share it")).toHaveAttribute(
+      "id",
+      descId as string
+    );
+  });
+
+  it("links error via aria-describedby, marks the input invalid, and announces via role=alert", () => {
+    render(<TextField label="Email" error="Please enter a valid address" />);
+    const input = emailInput();
+    expect(input).toHaveAttribute("aria-invalid", "true");
+    const errId = input.getAttribute("aria-describedby");
+    expect(errId).toBeTruthy();
+    const errorEl = screen.getByRole("alert");
+    expect(errorEl).toHaveTextContent("Please enter a valid address");
+    expect(errorEl).toHaveAttribute("id", errId as string);
+  });
+
+  it("links both description and error via a single space-joined aria-describedby", () => {
+    render(
+      <TextField
+        label="Email"
+        description="We never share it"
+        error="Please enter a valid address"
+      />
+    );
+    const input = emailInput();
+    const describedBy = input.getAttribute("aria-describedby");
+    expect(describedBy).toBeTruthy();
+    const ids = (describedBy as string).split(" ");
+    expect(ids).toHaveLength(2);
+    expect(screen.getByText("We never share it")).toHaveAttribute("id", ids[0]);
+    expect(screen.getByText("Please enter a valid address")).toHaveAttribute(
+      "id",
+      ids[1]
+    );
+  });
+
+  it("passes through additional input attributes (e.g. required, disabled, placeholder)", () => {
+    render(
+      <TextField
+        label="Email"
+        placeholder="you@example.com"
+        required
+        disabled
+        type="email"
+      />
+    );
+    const input = emailInput();
+    expect(input).toBeRequired();
+    expect(input).toBeDisabled();
+    expect(input).toHaveAttribute("placeholder", "you@example.com");
+    expect(input).toHaveAttribute("type", "email");
+  });
+
+  it("flips aria-invalid back to false when the error prop is later removed", () => {
+    const { rerender } = render(<TextField label="Email" error="Bad" />);
+    expect(emailInput()).toHaveAttribute("aria-invalid", "true");
+    rerender(<TextField label="Email" />);
+    expect(emailInput()).toHaveAttribute("aria-invalid", "false");
+  });
+});
diff --git a/src/lib/__tests__/apiClient.test.ts b/src/lib/__tests__/apiClient.test.ts
new file mode 100644
index 0000000..c2d07ef
--- /dev/null
+++ b/src/lib/__tests__/apiClient.test.ts
@@ -0,0 +1,291 @@
+import { apiDelete, apiFetch, apiGet, apiPatch, apiPost, ApiError } from "../apiClient";
+import { resolveApiBase } from "../resolveApiBase";
+
+describe("resolveApiBase", () => {
+  const baseEnv: NodeJS.ProcessEnv = {
+    NEXT_PUBLIC_AGENTPAY_API_BASE: undefined,
+    NODE_ENV: "test",
+  };
+
+  it("falls back to the localhost default when the env var is unset", () => {
+    expect(resolveApiBase({ env: baseEnv })).toBe("http://localhost:3001");
+  });
+
+  it("falls back when the env var is an empty string", () => {
+    expect(
+      resolveApiBase({
+        env: {
+          NEXT_PUBLIC_AGENTPAY_API_BASE: "",
+          NODE_ENV: "test",
+        } satisfies NodeJS.ProcessEnv,
+      })
+    ).toBe("http://localhost:3001");
+  });
+
+  it("falls back when the env var is whitespace only", () => {
+    expect(
+      resolveApiBase({
+        env: {
+          NEXT_PUBLIC_AGENTPAY_API_BASE: "   ",
+          NODE_ENV: "test",
+        } satisfies NodeJS.ProcessEnv,
+      })
+    ).toBe("http://localhost:3001");
+  });
+
+  it("returns the origin for an https origin-only base", () => {
+    expect(
+      resolveApiBase({
+        env: {
+          NEXT_PUBLIC_AGENTPAY_API_BASE: "https://api.example.com",
+          NODE_ENV: "test",
+        } satisfies NodeJS.ProcessEnv,
+      })
+    ).toBe("https://api.example.com");
+  });
+
+  it("strips a single trailing slash from the origin", () => {
+    expect(
+      resolveApiBase({
+        env: {
+          NEXT_PUBLIC_AGENTPAY_API_BASE: "https://api.example.com/",
+          NODE_ENV: "test",
+        } satisfies NodeJS.ProcessEnv,
+      })
+    ).toBe("https://api.example.com");
+  });
+
+  it("strips multiple trailing slashes", () => {
+    expect(
+      resolveApiBase({
+        env: {
+          NEXT_PUBLIC_AGENTPAY_API_BASE: "https://api.example.com///",
+          NODE_ENV: "test",
+        } satisfies NodeJS.ProcessEnv,
+      })
+    ).toBe("https://api.example.com");
+  });
+
+  it("preserves a base path while stripping trailing slashes", () => {
+    expect(
+      resolveApiBase({
+        env: {
+          NEXT_PUBLIC_AGENTPAY_API_BASE: "https://api.example.com/v1/",
+          NODE_ENV: "test",
+        } satisfies NodeJS.ProcessEnv,
+      })
+    ).toBe("https://api.example.com/v1");
+  });
+
+  it("trims surrounding whitespace from the env var", () => {
+    expect(
+      resolveApiBase({
+        env: {
+          NEXT_PUBLIC_AGENTPAY_API_BASE: "  https://api.example.com  ",
+          NODE_ENV: "test",
+        } satisfies NodeJS.ProcessEnv,
+      })
+    ).toBe("https://api.example.com");
+  });
+
+  it("allows http://localhost without warning", () => {
+    const warn = jest.fn();
+    expect(
+      resolveApiBase({
+        env: {
+          NEXT_PUBLIC_AGENTPAY_API_BASE: "http://localhost:3001",
+          NODE_ENV: "test",
+        } satisfies NodeJS.ProcessEnv,
+        warn,
+      })
+    ).toBe("http://localhost:3001");
+    expect(warn).not.toHaveBeenCalled();
+  });
+
+  it("allows http on 127.0.0.1 without warning", () => {
+    const warn = jest.fn();
+    expect(
+      resolveApiBase({
+        env: {
+          NEXT_PUBLIC_AGENTPAY_API_BASE: "http://127.0.0.1:4000",
+          NODE_ENV: "test",
+        } satisfies NodeJS.ProcessEnv,
+        warn,
+      })
+    ).toBe("http://127.0.0.1:4000");
+    expect(warn).not.toHaveBeenCalled();
+  });
+
+  it("warns (dev) but still returns http on a non-localhost host", () => {
+    const warn = jest.fn();
+    expect(
+      resolveApiBase({
+        env: {
+          NEXT_PUBLIC_AGENTPAY_API_BASE: "http://api.example.com",
+          NODE_ENV: "test",
+        } satisfies NodeJS.ProcessEnv,
+        warn,
+      })
+    ).toBe("http://api.example.com");
+    expect(warn).toHaveBeenCalledTimes(1);
+    expect(warn.mock.calls[0][0]).toMatch(/https/);
+  });
+
+  it("refuses http on non-localhost in production", () => {
+    expect(() =>
+      resolveApiBase({
+        env: {
+          NEXT_PUBLIC_AGENTPAY_API_BASE: "http://api.example.com",
+          NODE_ENV: "production",
+        } satisfies NodeJS.ProcessEnv,
+        isProduction: true,
+      })
+    ).toThrow(/non-https.*production/i);
+  });
+
+  it("refuses to parse garbage", () => {
+    expect(() =>
+      resolveApiBase({
+        env: {
+          NEXT_PUBLIC_AGENTPAY_API_BASE: "not-a-url",
+          NODE_ENV: "test",
+        } satisfies NodeJS.ProcessEnv,
+      })
+    ).toThrow(/Invalid NEXT_PUBLIC_AGENTPAY_API_BASE/);
+  });
+
+  it("refuses unsupported protocols (e.g. ftp:)", () => {
+    expect(() =>
+      resolveApiBase({
+        env: {
+          NEXT_PUBLIC_AGENTPAY_API_BASE: "ftp://api.example.com",
+          NODE_ENV: "test",
+        } satisfies NodeJS.ProcessEnv,
+      })
+    ).toThrow(/Unsupported protocol/);
+  });
+});
+
+describe("apiFetch", () => {
+  const originalFetch = global.fetch;
+
+  afterEach(() => {
+    global.fetch = originalFetch;
+  });
+
+  function mockFetch(
+    impl: jest.Mock | ((url: string, init?: RequestInit) => Promise<Response>)
+  ) {
+    global.fetch = impl as unknown as typeof fetch;
+  }
+
+  it("sends a JSON GET and returns the parsed body on success", async () => {
+    mockFetch(
+      jest.fn(async (url, init) => {
+        expect(url).toMatch(/^http:\/\/localhost:3001\/api\/v1\/things/);
+        expect(init?.method).toBeUndefined();
+        expect((init?.headers as Record<string, string>)["Content-Type"]).toBe(
+          "application/json"
+        );
+        return new Response(JSON.stringify({ ok: true }), { status: 200 });
+      })
+    );
+    const body = await apiGet<{ ok: boolean }>("/api/v1/things");
+    expect(body).toEqual({ ok: true });
+  });
+
+  it("serialises POST bodies as JSON and forwards the method", async () => {
+    mockFetch(
+      jest.fn(async (_url, init) => {
+        expect(init?.method).toBe("POST");
+        expect(init?.body).toBe(JSON.stringify({ hello: "world" }));
+        return new Response(JSON.stringify({ ok: true }), { status: 200 });
+      })
+    );
+    const body = await apiPost<{ ok: boolean }>("/api/v1/things", {
+      hello: "world",
+    });
+    expect(body).toEqual({ ok: true });
+  });
+
+  it("forwards PATCH and DELETE verbs", async () => {
+    const calls: Array<{ method?: string }> = [];
+    mockFetch(
+      jest.fn(async (_url, init) => {
+        calls.push({ method: init?.method });
+        return new Response("{}", { status: 200 });
+      })
+    );
+    await apiPatch("/api/v1/things/1", { on: true });
+    await apiDelete("/api/v1/things/1");
+    expect(calls.map((c) => c.method)).toEqual(["PATCH", "DELETE"]);
+  });
+
+  it("merges caller headers with the default Content-Type", async () => {
+    mockFetch(
+      jest.fn(async (_url, init) => {
+        const h = init?.headers as Record<string, string>;
+        expect(h["Content-Type"]).toBe("application/json");
+        expect(h["X-Request-Id"]).toBe("abc");
+        return new Response("{}", { status: 200 });
+      })
+    );
+    await apiFetch("/api/v1/x", {
+      headers: { "X-Request-Id": "abc" },
+    });
+  });
+
+  it("returns undefined for 204 No Content", async () => {
+    mockFetch(
+      jest.fn(async () => new Response(null, { status: 204 }))
+    );
+    const body = await apiDelete("/api/v1/x");
+    expect(body).toBeUndefined();
+  });
+
+  it("throws an ApiError with the backend message when response is not ok", async () => {
+    mockFetch(
+      jest.fn(async () =>
+        new Response(
+          JSON.stringify({ error: "not_found", message: "Nope", requestId: "r1" }),
+          { status: 404 }
+        )
+      )
+    );
+    await expect(apiGet("/api/v1/things/1")).rejects.toMatchObject({
+      message: "Nope",
+      error: "not_found",
+      requestId: "r1",
+    } satisfies Partial<ApiError>);
+  });
+
+  it("wraps a thrown fetch rejection with the original error message", async () => {
+    mockFetch(
+      jest.fn(async () => {
+        throw new Error("network down");
+      })
+    );
+    await expect(apiGet("/api/v1/x")).rejects.toThrow(/network down/);
+  });
+
+  it("copies all ApiError fields onto the thrown Error object", async () => {
+    mockFetch(
+      jest.fn(async () =>
+        new Response(
+          JSON.stringify({
+            error: "rate_limit",
+            message: "Too many requests",
+            requestId: "req-42",
+          }),
+          { status: 429 }
+        )
+      )
+    );
+    const caught = (await apiGet("/api/v1/x").catch((e) => e)) as Error;
+    expect(caught).toBeInstanceOf(Error);
+    expect(caught.message).toBe("Too many requests");
+    const apiErr = caught as unknown as ApiError;
+    expect(apiErr.error).toBe("rate_limit");
+    expect(apiErr.requestId).toBe("req-42");
+  });
+});
diff --git a/src/lib/__tests__/format.test.ts b/src/lib/__tests__/format.test.ts
index 3b59341..56a3e58 100644
--- a/src/lib/__tests__/format.test.ts
+++ b/src/lib/__tests__/format.test.ts
@@ -1,4 +1,12 @@
-import { formatRequests, formatStroops, formatTime } from "../format";
+import {
+  EVENT_PAYLOAD_MAX_CHARS,
+  EVENT_PAYLOAD_TRUNCATED_MARKER,
+  formatRequests,
+  formatStroops,
+  formatTime,
+  safeFormatTimestamp,
+  safeStringify,
+} from "../format";
 
 describe("format", () => {
   it("formatStroops scales to XLM", () => {
@@ -13,3 +21,114 @@ describe("format", () => {
     expect(formatTime(0)).toBe("00:00:00");
   });
 });
+
+describe("safeStringify", () => {
+  it("stringifies a plain object", () => {
+    expect(safeStringify({ a: 1 })).toBe('{\n  "a": 1\n}');
+  });
+
+  it("returns an empty `{}` / `[]` shape for empty objects / arrays", () => {
+    expect(safeStringify({})).toBe("{}");
+    expect(safeStringify([])).toBe("[]");
+  });
+
+  it("serialises arrays and primitives", () => {
+    expect(safeStringify([1, "two", null])).toBe('[\n  1,\n  "two",\n  null\n]');
+  });
+
+  it("handles null and undefined safely", () => {
+    expect(safeStringify(null)).toBe("null");
+    // JSON.stringify(undefined) returns `undefined`; we surface a placeholder
+    // rather than dumping a raw `undefined` to the DOM.
+    expect(safeStringify(undefined)).toBe("[undefined]");
+  });
+
+  it("handles symbols and functions at the top level via a stable sentinel", () => {
+    expect(safeStringify(Symbol("x"))).toBe("[symbol]");
+    expect(safeStringify(() => undefined)).toBe("[function]");
+  });
+
+  it("handles circular references by replacing them with [Circular]", () => {
+    const o: Record<string, unknown> = { name: "loop" };
+    o.self = o;
+    const result = safeStringify(o);
+    expect(result).toContain("[Circular]");
+    expect(result).toContain('"name": "loop"');
+  });
+
+  it("handles deeply nested arrays with circular references", () => {
+    const arr: unknown[] = [1];
+    arr.push(arr);
+    const result = safeStringify(arr);
+    // `JSON.stringify([1, [Circular]])` pretty-printed in 2-space indent.
+    expect(result).toContain("[Circular]");
+    expect(result).toContain("1");
+  });
+
+  it("replaces bigint values with a tagged marker instead of throwing", () => {
+    const result = safeStringify({ amount: BigInt(10) });
+    expect(result).toContain("[BigInt:10]");
+  });
+
+  it("replaces functions and undefined leaves with safe markers", () => {
+    const result = safeStringify({ fn: () => undefined, missing: undefined });
+    expect(result).toContain("[Function]");
+    expect(result).toContain("[undefined]");
+  });
+
+  it("truncates oversized payloads and appends the visible marker", () => {
+    const huge = { data: "x".repeat(EVENT_PAYLOAD_MAX_CHARS * 2) };
+    const result = safeStringify(huge);
+    expect(result.length).toBeLessThanOrEqual(
+      EVENT_PAYLOAD_MAX_CHARS + EVENT_PAYLOAD_TRUNCATED_MARKER.length + 32
+    );
+    expect(result).toContain(EVENT_PAYLOAD_TRUNCATED_MARKER.trim());
+  });
+
+  it("leaves small payloads untouched", () => {
+    const small = { hi: 1 };
+    const result = safeStringify(small);
+    expect(result.endsWith(EVENT_PAYLOAD_TRUNCATED_MARKER.trim())).toBe(false);
+  });
+
+  it("falls back to a sentinel string instead of throwing if stringify explodes", () => {
+    const trap: Record<string, unknown> = {};
+    Object.defineProperty(trap, "boom", {
+      enumerable: true,
+      get() {
+        throw new Error("nope");
+      },
+    });
+    expect(safeStringify(trap)).toBe("[unserialisable]");
+  });
+});
+
+describe("safeFormatTimestamp", () => {
+  it("returns an ISO string for a finite numeric timestamp", () => {
+    expect(safeFormatTimestamp(0)).toBe("1970-01-01T00:00:00.000Z");
+  });
+
+  it("parses numeric strings that represent a finite value", () => {
+    expect(safeFormatTimestamp("1700000000000")).toBe(
+      new Date(1700000000000).toISOString()
+    );
+  });
+
+  it("falls back for NaN, Infinity, and non-numeric input", () => {
+    expect(safeFormatTimestamp(NaN)).toBe("—");
+    expect(safeFormatTimestamp(Infinity)).toBe("—");
+    expect(safeFormatTimestamp("not a date")).toBe("—");
+    expect(safeFormatTimestamp(undefined)).toBe("—");
+    expect(safeFormatTimestamp(null)).toBe("—");
+  });
+
+  it("honours a custom fallback string", () => {
+    expect(safeFormatTimestamp(NaN, "n/a")).toBe("n/a");
+  });
+
+  it("returns the default em-dash fallback when none is provided", () => {
+    // The renderer uses the em dash by default so the missing-time placeholder
+    // doesn't visually collide with a numeric timestamp.
+    expect(safeFormatTimestamp(NaN)).toBe("\u2014");
+  });
+});
diff --git a/src/lib/apiClient.ts b/src/lib/apiClient.ts
index defc298..5edc017 100644
--- a/src/lib/apiClient.ts
+++ b/src/lib/apiClient.ts
@@ -2,8 +2,11 @@
 // Centralises base URL resolution and error handling so call sites stay
 // small.
 
-const API_BASE =
-  process.env.NEXT_PUBLIC_AGENTPAY_API_BASE ?? "http://localhost:3001";
+import { resolveApiBase } from "./resolveApiBase";
+
+// Resolved at module load time so any misconfiguration surfaces during boot
+// rather than at the first fetch.
+const API_BASE = resolveApiBase();
 
 export type ApiError = {
   error: string;
@@ -15,14 +18,21 @@ export async function apiFetch<T>(
   path: string,
   init: RequestInit = {}
 ): Promise<T> {
+  // Spread `init` first so caller-provided top-level keys win, then re-apply
+  // `headers` so our default `Content-Type: application/json` is preserved
+  // unless the caller explicitly overrides it via `init.headers`.
   const res = await fetch(`${API_BASE}${path}`, {
-    headers: { "Content-Type": "application/json", ...(init.headers ?? {}) },
     ...init,
+    headers: {
+      "Content-Type": "application/json",
+      ...(init.headers ?? {}),
+    },
   });
   if (res.status === 204) return undefined as T;
   const body = (await res.json()) as T | ApiError;
   if (!res.ok) {
-    throw Object.assign(new Error((body as ApiError).message), body as ApiError);
+    const err = new Error((body as ApiError).message);
+    throw Object.assign(err, body as ApiError);
   }
   return body as T;
 }
diff --git a/src/lib/format.ts b/src/lib/format.ts
index 57522d7..731670a 100644
--- a/src/lib/format.ts
+++ b/src/lib/format.ts
@@ -16,3 +16,89 @@ export function formatTime(ms: number): string {
   const d = new Date(ms);
   return d.toISOString().slice(11, 19);
 }
+
+/**
+ * Maximum number of characters any single serialised payload is allowed to
+ * occupy in the event log before the renderer truncates it with a marker.
+ *
+ * Lower so a single event never dominates the page (DOM cost + scroll). Keep
+ * the value stable so callers / tests can rely on it.
+ */
+export const EVENT_PAYLOAD_MAX_CHARS = 5000;
+
+/** Marker appended to truncated payloads so readers can spot the cut-off. */
+export const EVENT_PAYLOAD_TRUNCATED_MARKER = "\n…(truncated)";
+
+/**
+ * Safely serialise an arbitrary value to JSON, defending against:
+ *   - circular references (replaced with `[Circular]`)
+ *   - values JSON can't represent natively, e.g. `BigInt` (replaced with a
+ *     stringified marker)
+ * Then truncate the result to at most `maxChars` characters and append a
+ * visible marker so the operator can see the cut-off.
+ *
+ * The function never throws so it can be used inside render code without
+ * needing an error boundary.
+ */
+export function safeStringify(
+  value: unknown,
+  maxChars: number = EVENT_PAYLOAD_MAX_CHARS
+): string {
+  // Top-level `undefined` / functions / symbols: `JSON.stringify` returns
+  // `undefined` and never invokes the replacer consistently. Surface them
+  // as a sentinel so callers always get a renderable string.
+  if (
+    value === undefined ||
+    typeof value === "function" ||
+    typeof value === "symbol"
+  ) {
+    return `[${typeof value}]`;
+  }
+  const seen = new WeakSet<object>();
+  let serialised = "";
+  try {
+    serialised = JSON.stringify(
+      value,
+      (_key, v) => {
+        if (typeof v === "bigint") return `[BigInt:${v.toString()}]`;
+        if (typeof v === "function") return "[Function]";
+        if (typeof v === "symbol") return "[Symbol]";
+        if (typeof v === "undefined") return "[undefined]";
+        if (v !== null && typeof v === "object") {
+          if (seen.has(v)) return "[Circular]";
+          seen.add(v);
+        }
+        return v;
+      },
+      2
+    );
+  } catch {
+    // Defensive: JSON.stringify should be total after the replacer above,
+    // but we still refuse to throw inside render code.
+    return "[unserialisable]";
+  }
+  if (serialised === undefined) return "[undefined]";
+  if (serialised.length <= maxChars) return serialised;
+  return (
+    serialised.slice(0, Math.max(0, maxChars)) + EVENT_PAYLOAD_TRUNCATED_MARKER
+  );
+}
+
+type TimestampInput = number | string | null | undefined;
+
+/**
+ * Format a timestamp that may be malformed into a safe ISO string. Non-finite
+ * numbers, nullish arguments, and unparseable values fall back to the
+ * placeholder so the page never throws `Invalid time value`.
+ */
+export function safeFormatTimestamp(
+  value: TimestampInput,
+  fallback: string = "\u2014"
+): string {
+  if (value === null || value === undefined) return fallback;
+  const n = typeof value === "number" ? value : Number(value);
+  if (!Number.isFinite(n)) return fallback;
+  const d = new Date(n);
+  if (Number.isNaN(d.getTime())) return fallback;
+  return d.toISOString();
+}
diff --git a/src/lib/resolveApiBase.ts b/src/lib/resolveApiBase.ts
new file mode 100644
index 0000000..3db4857
--- /dev/null
+++ b/src/lib/resolveApiBase.ts
@@ -0,0 +1,83 @@
+// Validates and normalizes the NEXT_PUBLIC_AGENTPAY_API_BASE env var so
+// downstream code can safely concatenate a path onto the result.
+//
+// Behaviour:
+//   - Trims surrounding whitespace.
+//   - Falls back to http://localhost:3001 when unset.
+//   - Strips trailing slashes from the resulting origin/path string.
+//   - Requires the value to parse as a URL; throws on malformed input.
+//   - In production, requires https unless the host is localhost / 127.0.0.1.
+//   - In development, logs a console warning instead of throwing for the same
+//     case so contributors can run the app against a local backend.
+
+export const DEFAULT_API_BASE = "http://localhost:3001";
+export const NEXT_PUBLIC_AGENTPAY_API_BASE_ENV =
+  "NEXT_PUBLIC_AGENTPAY_API_BASE";
+
+export type ResolveApiBaseOptions = {
+  /**
+   * Override the env var lookup. Useful for tests.
+   */
+  env?: NodeJS.ProcessEnv;
+  /**
+   * Override the current NODE_ENV check. Useful for tests.
+   */
+  isProduction?: boolean;
+  /**
+   * Inject a logger so tests can assert on warnings without polluting
+   * stderr. Defaults to `console.warn` when omitted.
+   */
+  warn?: (message: string) => void;
+};
+
+function isLocalHost(hostname: string): boolean {
+  return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1";
+}
+
+export function resolveApiBase(opts: ResolveApiBaseOptions = {}): string {
+  const env = opts.env ?? process.env;
+  const warn = opts.warn ?? ((msg) => console.warn(msg));
+  const isProduction =
+    opts.isProduction ?? env.NODE_ENV === "production";
+
+  const raw = env[NEXT_PUBLIC_AGENTPAY_API_BASE_ENV]?.trim();
+  const candidate = raw && raw.length > 0 ? raw : DEFAULT_API_BASE;
+
+  let url: URL;
+  try {
+    url = new URL(candidate);
+  } catch {
+    throw new Error(
+      `Invalid NEXT_PUBLIC_AGENTPAY_API_BASE: ${JSON.stringify(candidate)}. ` +
+        "Expected an absolute URL such as https://api.example.com or http://localhost:3001."
+    );
+  }
+
+  if (url.protocol !== "https:" && url.protocol !== "http:") {
+    throw new Error(
+      `Unsupported protocol ${JSON.stringify(url.protocol)} in ` +
+        "NEXT_PUBLIC_AGENTPAY_API_BASE. Use https (or http for localhost)."
+    );
+  }
+
+  if (isProduction && url.protocol === "http:" && !isLocalHost(url.hostname)) {
+    throw new Error(
+      "Refusing to use a non-https NEXT_PUBLIC_AGENTPAY_API_BASE in production. " +
+        "Set https://... (localhost / 127.0.0.1 are still allowed)."
+    );
+  }
+
+  if (url.protocol === "http:" && !isLocalHost(url.hostname)) {
+    warn(
+      "NEXT_PUBLIC_AGENTPAY_API_BASE uses http on a non-localhost host. " +
+        "Use https in production to keep credentials and traffic private."
+    );
+  }
+
+  // Normalise to "origin + pathname-without-trailing-slash". We preserve any
+  // configured base path (e.g. https://api.example.com/v1) so call sites can
+  // continue to do `${API_BASE}/api/v1/...`.
+  const origin = url.origin;
+  const path = url.pathname.replace(/\/+$/, "");
+  return path && path !== "/" ? `${origin}${path}` : origin;
+}
diff --git a/src/lib/securityHeaders.ts b/src/lib/securityHeaders.ts
new file mode 100644
index 0000000..76ac237
--- /dev/null
+++ b/src/lib/securityHeaders.ts
@@ -0,0 +1,108 @@
+// Builds the Content-Security-Policy and other security hardening headers
+// served by every route in the dashboard.
+//
+// Designed to be consumed by `next.config.ts`'s `headers()` callback at
+// build time. `apiBase` is read from `NEXT_PUBLIC_AGENTPAY_API_BASE` so
+// `connect-src` always lines up with the backend the client actually fetches.
+
+import { DEFAULT_API_BASE } from "./resolveApiBase";
+
+const DEFAULT_PERMISSIONS_POLICY = [
+  "camera=()",
+  "microphone=()",
+  "geolocation=()",
+  "payment=()",
+  "browsing-topics=()",
+  "interest-cohort=()",
+].join(", ");
+
+export type BuildSecurityHeadersOptions = {
+  /** Resolved API base URL; the `origin` is added to `connect-src`. */
+  apiBase: string;
+  /** Whether the build is a development build (drives script-src). */
+  isDev?: boolean;
+};
+
+/**
+ * Extract the origin from a resolved API base URL. Falls back to the
+ * localhost default if `apiBase` cannot be parsed. We always preserve the
+ * scheme (http / https) so the CSP matches the request actually issued.
+ */
+export function originOf(apiBase: string): string {
+  try {
+    return new URL(apiBase).origin;
+  } catch {
+    return new URL(DEFAULT_API_BASE).origin;
+  }
+}
+
+/**
+ * Build a Content-Security-Policy value that:
+ *   - restricts scripts to self with `'unsafe-inline'` in production (Next.js
+ *     emits an inline bootstrap script for hydration when CSP is set via
+ *     `next.config.ts` `headers()` rather than nonce-aware middleware) and
+ *     adds `'unsafe-eval'` in development for Fast Refresh
+ *   - restricts styles to self with `'unsafe-inline'` because next/font and
+ *     Next.js inject style tags at build time
+ *   - allows `connect-src` to the configured API origin + 'self'
+ *   - blocks framing, dangerous objects, and base-uri injection
+ *   - keeps `<a href>` navigation to external sites working (the CSP spec
+ *     does not restrict top-level navigations unless you opt into
+ *     `navigate-to`, which we deliberately don't)
+ */
+export function buildCsp(options: BuildSecurityHeadersOptions): string {
+  const { apiBase, isDev = false } = options;
+  const apiOrigin = originOf(apiBase);
+
+  const scriptSrc = ["'self'", "'unsafe-inline'", isDev ? "'unsafe-eval'" : ""]
+    .filter(Boolean)
+    .join(" ");
+
+  const directives: Record<string, string[]> = {
+    "default-src": ["'self'"],
+    "script-src": [scriptSrc],
+    "style-src": ["'self'", "'unsafe-inline'"],
+    "font-src": ["'self'", "data:"],
+    "img-src": ["'self'", "data:"],
+    "connect-src": ["'self'", apiOrigin],
+    "frame-ancestors": ["'none'"],
+    "form-action": ["'self'"],
+    "base-uri": ["'self'"],
+    "object-src": ["'none'"],
+  };
+
+  return Object.entries(directives)
+    .map(([key, values]) => `${key} ${values.join(" ")}`)
+    .join("; ");
+}
+
+/**
+ * Build the full map of HTTP response headers served by the app. The keys
+ * match what Next.js's `headers()` callback accepts.
+ *
+ * `Strict-Transport-Security` is intentionally omitted in development so
+ * browsers don't cache the upgrade decision against the dev server.
+ */
+export function defaultSecurityHeaders(
+  options: BuildSecurityHeadersOptions
+): Record<string, string> {
+  const { isDev = false } = options;
+  const headers: Record<string, string> = {
+    "Content-Security-Policy": buildCsp(options),
+    "X-Content-Type-Options": "nosniff",
+    "Referrer-Policy": "strict-origin-when-cross-origin",
+    "X-Frame-Options": "DENY",
+    "Permissions-Policy": DEFAULT_PERMISSIONS_POLICY,
+  };
+  if (!isDev) {
+    headers["Strict-Transport-Security"] =
+      "max-age=63072000; includeSubDomains; preload";
+  }
+  return headers;
+}
+
+/**
+ * Resolve the API base URL in a way that works both at build time (when
+ * `next.config.ts` runs) and at runtime (re-export for tests).
+ */
+export { resolveApiBase } from "./resolveApiBase";