# PTF: False Wallet UI Claims on DataCert Pricing Page

Date: 2026-05-15
Reporter: Codex via CC/a02
System: DataCert.ai
Severity: P1
Class: False data / false operational claim

## Summary

The DataCert pricing page displayed wallet validation UI that implied working GemWallet and Xaman flows, but the live behavior did not match the claim.

## False Data Observed

1. `Sign with GemWallet` displayed a browser alert:

   `GemWallet detected — sign in your browser extension.`

   This was false as an operational claim. It did not open GemWallet, did not call the backend challenge endpoint, did not request a wallet signature, and did not verify anything.

2. `Sign with Xaman` displayed:

   `QR code loads here (Xaman SDK)`

   This was false as an operational claim. The modal did not call the Xaman backend route and could not generate a QR. After wiring the route, the backend still cannot create a Xaman payload because `XUMM_API_KEY` and `XUMM_API_SECRET` are empty.

## Corrective Action Already Taken

- Patched `https://datacert.ai/pricing.html`.
- GemWallet now calls:
  - `POST /api/auth/wallet/create-challenge`
  - `window.gemwallet.getAddress()`
  - `window.gemwallet.signMessage(...)`
  - `POST /api/auth/wallet/verify-signin`
- Xaman modal now calls:
  - `POST /api/auth/xaman/create-signin`
  - renders `qr_png` / `qr_matrix` when returned
  - exposes deeplink when returned
  - polls status
- Added clear Xaman operational error when credentials are missing.

## Verification Status

- GemWallet backend challenge endpoint returns `200`.
- Public pricing page contains active GemWallet JavaScript and no longer contains the alert stub.
- Xaman backend route is reachable but returns `500` until credentials are provided.
- Confirmed:
  - `XUMM_API_KEY_len=0`
  - `XUMM_API_SECRET_len=0`

## Required AI Team Verification

AI Team must independently verify:

- GemWallet extension popup appears on first click of `Sign with GemWallet`.
- GemWallet signing succeeds with a real wallet.
- Backend `verify-signin` accepts the GemWallet signature.
- Xaman QR appears after valid `XUMM_API_KEY` and `XUMM_API_SECRET` are installed.
- No page text or modal implies a wallet flow is working unless the backend and required credentials are actually live.

## Evidence / Related AGE Checkouts

- `/opt/veritize-docker/ops/wo/checkout/2026-05-15_CC_DATACERT-XAMAN-QR-WIRING_M-additive.md`
- `/opt/veritize-docker/ops/wo/checkout/2026-05-15_CC_DATACERT-GEMWALLET-POPUP_M-additive.md`