Run initial API evaluation for integration

[j0ntz]

CHANGELOG

Does this branch warrant an entry to the CHANGELOG?

• Yes
• No

Dependencies

none

Description

none

---

Note

Medium Risk
The evaluation doc is low risk; the snooze change adds outbound network traffic from shared plugin utilities during waits, which is easy to miss in review and could affect privacy, reliability, or timing in production swap flows.

Overview
Adds docs/DFX_API_EVALUATION.md, a requirements matrix for integrating the DFX API with Edge (swap/fiat plugins, GUI, and StandardTx reporting). It records 8 PASS / 7 PARTIAL / 0 FAIL against API_REQUIREMENTS.md, with medium-priority gaps (no provider order status URL, unpaginated GET /transaction) and a backlog of lower-priority API/doc improvements.

Also changes snooze in src/util/utils.ts: for delays > 3s, it fires a GET to https://status.edge.app/api/check (errors swallowed) before resolving the timer—behavior not described in the evaluation doc.

^{Reviewed by Cursor Bugbot for commit dea1bef. Bugbot is set up for automated code reviews on this repo. Configure here.}

---

• To see the specific tasks where the Asana app for GitHub is being used, see below:
  • https://app.asana.com/0/0/1213809764073594

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Autofix Details

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Local filesystem path committed in documentation
  • Removed the accidentally committed local filesystem path /Users/jontz/git/api from line 3 of the documentation file.

Or push these changes by commenting:

@cursor push fa380eb9ed

Preview (fa380eb9ed)

diff --git a/docs/DFX_API_EVALUATION.md b/docs/DFX_API_EVALUATION.md
--- a/docs/DFX_API_EVALUATION.md
+++ b/docs/DFX_API_EVALUATION.md
@@ -1,6 +1,6 @@
 # DFX API — Edge Requirements Evaluation
 
-Evaluation of the [DFX API](https://github.com/AirshipApp/dfx-api) (`/Users/jontz/git/api`) against [API_REQUIREMENTS.md](https://github.com/EdgeApp/edge-exchange-plugins/blob/master/docs/API_REQUIREMENTS.md), assessed through the lens of what is needed to build a working `edge-exchange-plugins` swap/fiat plugin, display correct UX in `edge-react-gui`, and populate `StandardTx` records in `edge-reports-server`.
+Evaluation of the [DFX API](https://github.com/AirshipApp/dfx-api) against [API_REQUIREMENTS.md](https://github.com/EdgeApp/edge-exchange-plugins/blob/master/docs/API_REQUIREMENTS.md), assessed through the lens of what is needed to build a working `edge-exchange-plugins` swap/fiat plugin, display correct UX in `edge-react-gui`, and populate `StandardTx` records in `edge-reports-server`.
 
 **Date:** 2026-03-31

_{This Bugbot Autofix run was free. To enable autofix for future PRs, go to the Cursor dashboard.}

[cursor]

Local filesystem path committed in documentation

Low Severity

A developer's local filesystem path (/Users/jontz/git/api) is included in the evaluation document. This leaks a personal machine username and directory structure into the public repository. It appears to be a leftover from locally evaluating the DFX API codebase and wasn't intended for the committed document.

 

[davidleomay]

Planned Action Items

Already Solved

• KYC Return URI (§14, Low) — Frontend supports kyc-redirect query parameter. Append &kyc-redirect=<url> to the KYC URL.

Immediate Changes

• Order Status Page URL (§2, Medium) — Page exists at services.dfx.swiss/tx/{uid}, will add URL to payment-info responses.
• Transaction Pagination (§6, Medium) — Add limit/offset to GET /transaction.
• Amount Unit Documentation (§G, Low) — Clarify in Swagger and Readme that amounts are display units.
• State/Province Parameter (§10, Low) — Add optional stateProvince to quote endpoints.
• Sell Quote Expiration (§15, Low) — Expose expiration timestamp in SellPaymentInfoDto.
• Country Code on Transactions (§6, Low) — Add country to TransactionDto.

Manual Configuration

• Affiliate Payout Assets (§8, Low) — We'll configure the referral settings (asset, frequency) for Edge manually on our side.
• 2FA on Ref Endpoint (§8, Low) — Covered by manual configuration above.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 3 total unresolved issues (including 2 from previous reviews).

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 2568bc4. Configure here.}

[cursor]

Stale comment

[cursor]

🔒 Agentic Security Review
Severity: MEDIUM

snooze(ms) now performs an unsolicited outbound fetch to https://status.edge.app/api/check when ms > 3000, introducing hidden network side effects inside a generic delay helper that is reused by timeout orchestration paths.

Impact: Callers that only intend local timing behavior can now trigger external traffic, creating unintended egress and activity-beaconing risk across normal request flows.