Harden test suite: integration tests, input validation, signer coverage #1

@johnx25bd

Summary

Code review identified several test suite gaps common across all four location proof plugins. These don't block demos or happy-path usage, but they leave important boundaries untested — particularly where untrusted data enters the system.

This issue tracks the same gaps across all four plugins:

  • location-proofs/plugin-gpsd
  • location-proofs/plugin-geoclue
  • location-proofs/plugin-wifi-mls
  • location-proofs/plugin-ip-geolocation

What's missing

1. No integration tests (collect → create → sign → verify)

Each module is tested in isolation with hand-built fixtures. There's no test that runs the full stamp lifecycle end-to-end, so interface mismatches between modules would go undetected.

2. No signals.data validation or negative tests in create.ts

Every plugin's create.ts casts signals.data as unknown as XxxReading with no runtime validation. No test passes malformed data (missing fields, wrong types) to verify behavior. For a system ingesting data from external sources (GPSD, D-Bus, WiFi scan, IP API), this is a real attack surface.

3. No sign.ts tests / custom StampSigner path untested

The signStamp function supports both default wallet signing and a custom StampSigner interface (for hardware wallets, TEE signers). The custom signer path has zero test coverage in any plugin.

4. No negative tests on collect with malformed upstream data

Collect functions accept data from external sources but tests only cover well-formed responses. Missing coverage for non-numeric coordinates, missing fields, and unexpected data types from upstream.

Per-plugin specifics

  • plugin-gpsd: collect.ts accepts non-numeric lat/lon via as number cast. Still uses Date.now() instead of GPS fix time from TPV time field.
  • plugin-geoclue: Loose [^']+ regex on D-Bus location path. GeoClue2 client never stopped after use (resource leak). CollectOptions.timeout silently ignored.
  • plugin-wifi-mls: readWifi happy path only tested at individual function level, not as integrated flow.
  • plugin-ip-geolocation: No privateKey validation at construction time.

Why this matters

Location proofs are security-sensitive. The boundaries where untrusted data enters the system (device sensors, D-Bus, network APIs) are exactly where test coverage matters most. Current tests verify internal correctness well but don't stress adversarial or malformed inputs.

Priority

Low — not blocking demos or current development. Address before production hardening.
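
An added illustration of gap 2 and the plugin-gpsd item above (example code, not taken from the issue or from the plugins): runtime validation that could stand in for the cast in create.ts, exercised with the kind of negative inputs the issue asks for. GpsdReading, parseGpsdReading, checkSamples and the sample inputs are hypothetical; the class, lat, lon and time field names follow gpsd's TPV report.

```typescript
// Hypothetical reading shape; the plugin's real type may differ.
interface GpsdReading {
  lat: number;
  lon: number;
  fixTimeMs: number; // taken from the TPV `time` field, not Date.now()
}

function inRange(v: unknown, min: number, max: number): v is number {
  return typeof v === "number" && Number.isFinite(v) && v >= min && v <= max;
}

// Runtime validation in place of `signals.data as unknown as GpsdReading`.
// Throws on anything that is not a well-formed TPV report.
function parseGpsdReading(data: unknown): GpsdReading {
  if (typeof data !== "object" || data === null || Array.isArray(data)) {
    throw new Error("data is not an object");
  }
  const { class: cls, lat, lon, time } = data as Record<string, unknown>;
  if (cls !== "TPV") throw new Error("not a TPV report");
  if (!inRange(lat, -90, 90)) throw new Error("invalid lat");
  if (!inRange(lon, -180, 180)) throw new Error("invalid lon");
  if (typeof time !== "string") throw new Error("missing time");
  const fixTimeMs = Date.parse(time);
  if (Number.isNaN(fixTimeMs)) throw new Error("unparseable time");
  return { lat, lon, fixTimeMs };
}

// Constructed inputs (not captured from a real gpsd session).
const FIX_TIME = "2024-01-01T00:00:00.000Z";
const SAMPLES: unknown[] = [
  { class: "TPV", lat: 51.5, lon: -0.12, time: FIX_TIME }, // well-formed
  { class: "TPV", lat: "51.5", lon: -0.12, time: FIX_TIME }, // string latitude
  { class: "TPV", lat: 51.5, lon: NaN, time: FIX_TIME }, // non-finite longitude
  { class: "TPV", lat: 51.5, lon: -0.12 }, // no fix time
  { class: "TPV", lat: 51.5, lon: -0.12, time: "yesterday" }, // bad timestamp
  null, // not an object at all
];

// Returns "ok" or the rejection reason for each sample, in order.
function checkSamples(): string[] {
  return SAMPLES.map((s) => {
    try {
      parseGpsdReading(s);
      return "ok";
    } catch (e) {
      return e instanceof Error ? e.message : String(e);
    }
  });
}
```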

Labels: enhancement (New feature or request)