✨ app: wallet provisioning

[aguxez]

Closes #154

Summary by CodeRabbit

• New Features

  • Add wallet provisioning flow: on-screen Apple Pay and Google Wallet buttons, provisioning status and spinner, and ability to add cards to device wallets.

• Chores

  • Platform/build configuration, assets, dependency and packaging updates to enable wallet provisioning and native SDK integrations.
  • Added release metadata and spelling dictionary entry for new vendor.

[changeset-bot]

🦋 Changeset detected

Latest commit: dda713e

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@exactly/mobile	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds Meawallet wallet provisioning: new SDK dependency and pod patch, Expo config plugins and entitlement, server helper to fetch provisioning credentials, a React hook for eligibility and provisioning flows, UI WalletButtons, and supporting changes (changesets, spellcheck, npm registry).

Changes

Wallet provisioning flow

Layer / File(s)	Summary
Dependency & Registry /.npmrc, package.json, patches/@meawallet__react-native-mpp.patch	Adds @meawallet registry auth in .npmrc, adds dependency @meawallet/react-native-mpp@^2.2.2 and patchedDependencies entry, and patches Podspec to add s.dependency "React-RCTAppDelegate".
Expo / Build Config app.config.ts	Adds iOS entitlement com.apple.developer.payment-pass-provisioning and three inline ConfigPlugins: copy src/assets/mea_config into platform assets, inject Nexus Maven repo into android/build.gradle (env creds), and inject an iOS Podfile post_install workaround to add modulemap/Swift flags for meawallet-react-native-mpp.
Server helper src/utils/server.ts	Adds exported getWalletCredentials() which authenticates, fetches card with scope provisioning, validates card.provisioning, and returns { cardId, cardSecret }; throws APIError on non-OK responses.
SDK init & Hook src/components/card/useWalletProvisioning.ts	Adds useWalletProvisioning(lastFour, displayName) with cached MeaPushProvisioning init, a query for platform-specific eligibility (iOS Apple Pay / Android Google Pay), provisioning state, and provision workflow that calls getWalletCredentials() and invokes SDK platform flows (addToAppleWallet, addToGoogleWallet).
UI Integration src/components/card/WalletButtons.tsx, src/components/card/WalletButtons.web.tsx, src/components/card/CardDetails.tsx	Adds native WalletButtons component (and web stub) that uses the hook to render Apple/Google wallet buttons and spinner; replaces previous DismissableAlert area in CardDetails with <WalletButtons lastFour={...} displayName={...} />.
Metadata & Lints .changeset/*, cspell.json	Adds two changeset files documenting the patch release and inserts "meawallet" in cspell.json word list.

Sequence Diagram

sequenceDiagram
    participant User
    participant CardDetails
    participant WalletButtons
    participant Hook
    participant MeaSdk as MeaPushProvisioning
    participant Server
    participant iOS
    participant Android

    User->>CardDetails: open card view
    CardDetails->>WalletButtons: render(lastFour, displayName)
    WalletButtons->>Hook: invoke hook

    Hook->>MeaSdk: initialize SDK (cached)
    MeaSdk-->>Hook: initialized

    alt iOS
        Hook->>iOS: check Apple Pay / pass support
        iOS-->>Hook: eligible.apple
    else Android
        Hook->>Android: check Google wallet availability
        Android-->>Hook: eligible.google
    end

    Hook-->>WalletButtons: return eligibility, handlers
    User->>WalletButtons: tap "Add to Apple Wallet"
    WalletButtons->>Hook: call addToAppleWallet
    Hook->>Server: getWalletCredentials()
    Server-->>Hook: {cardId, cardSecret}
    Hook->>MeaSdk: init OEM tokenization / add pass
    Hook->>iOS: present AddPaymentPass
    iOS-->>Hook: result

    User->>WalletButtons: tap "Add to Google Wallet"
    WalletButtons->>Hook: call addToGoogleWallet
    Hook->>Server: getWalletCredentials()
    Server-->>Hook: {cardId, cardSecret}
    Hook->>Android: push card via GooglePay
    Android-->>Hook: result

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• exactly/exa#949: Implements complementary server-side wallet endpoint returning {cardId, cardSecret} used by getWalletCredentials().

Suggested reviewers

• dieguezguille
• cruzdanilo
• nfmelendez

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title '✨ app: wallet provisioning' directly matches the main objective of adding wallet provisioning functionality to the app, clearly summarizing the primary change.
Linked Issues check	✅ Passed	The PR addresses the linked issue #154 by implementing wallet provisioning UI with WalletButtons component, useWalletProvisioning hook, and credential fetching, meeting the coding requirements.
Out of Scope Changes check	✅ Passed	All changes are scoped to wallet provisioning implementation: SDK setup, iOS/Android configuration, provisioning logic, UI components, and credential management are all necessary and directly related.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch provisioning

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch provisioning

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[gemini-code-assist]

Code Review

This pull request introduces native wallet provisioning for Apple Pay and Google Pay using the MeaWallet SDK. The implementation includes new UI components, a custom hook for provisioning logic, and Expo config plugins to manage native assets and build-time configurations. Feedback highlights a security risk regarding hardcoded credentials in the .npmrc file and points out the fragility of using regex-based string replacements for modifying build.gradle and Podfile, which could lead to silent failures during the build process.

[coderabbitai]

Actionable comments posted: 3

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 57f13078-e054-43d7-ac63-6fce08240922

📥 Commits

Reviewing files that changed from the base of the PR and between 2f6644b and 8417b1d.

⛔ Files ignored due to path filters (2)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
• src/assets/images/google-wallet-button.svg is excluded by !**/*.svg

📒 Files selected for processing (15)

• .changeset/gentle-cases-fold.md
• .changeset/rich-months-double.md
• .npmrc
• app.config.ts
• babel.config.js
• common/eslint/base.mjs
• cspell.json
• package.json
• patches/@meawallet__react-native-mpp.patch
• src/assets/mea_config
• src/components/card/CardDetails.tsx
• src/components/card/WalletButtons.tsx
• src/components/card/WalletButtons.web.tsx
• src/components/card/useWalletProvisioning.ts
• src/utils/server.ts

[sentry]

Codecov Report

❌ Patch coverage is 41.10787% with 202 lines in your changes missing coverage. Please review.
✅ Project coverage is 70.71%. Comparing base (48aa917) to head (dda713e).
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
src/components/card/Card.tsx	36.45%	197 Missing ⚠️
src/utils/reportError.ts	85.00%	3 Missing ⚠️
src/utils/server.ts	81.81%	2 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           offramp     #956      +/-   ##
===========================================
- Coverage    71.64%   70.71%   -0.93%     
===========================================
  Files          254      254              
  Lines        10248    10586     +338     
  Branches      3340     3459     +119     
===========================================
+ Hits          7342     7486     +144     
- Misses        2627     2821     +194     
  Partials       279      279              

Flag	Coverage Δ
e2e	70.71% <41.10%> (+0.54%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 2

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0ef42f30-9abb-400b-ba0a-92db897d922d

📥 Commits

Reviewing files that changed from the base of the PR and between 8417b1d and 8b193ec.

⛔ Files ignored due to path filters (2)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
• src/assets/images/google-wallet-button.svg is excluded by !**/*.svg

📒 Files selected for processing (18)

• .changeset/chilly-suns-dress.md
• .changeset/gentle-cases-fold.md
• .changeset/rich-months-double.md
• .npmrc
• app.config.ts
• cspell.json
• package.json
• patches/@meawallet__react-native-mpp.patch
• server/api/card.ts
• server/test/api/card.test.ts
• server/test/e2e.ts
• server/utils/panda.ts
• src/assets/mea_config
• src/components/card/CardDetails.tsx
• src/components/card/WalletButtons.tsx
• src/components/card/WalletButtons.web.tsx
• src/components/card/useWalletProvisioning.ts
• src/utils/server.ts

[coderabbitai]

Actionable comments posted: 6

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 31e2d088-f9ca-4235-b66b-add0dc743ee6

📥 Commits

Reviewing files that changed from the base of the PR and between 8b193ec and b4872d7.

⛔ Files ignored due to path filters (2)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
• src/assets/images/google-wallet-button.svg is excluded by !**/*.svg

📒 Files selected for processing (13)

• .changeset/gentle-cases-fold.md
• .changeset/rich-months-double.md
• .npmrc
• app.config.ts
• cspell.json
• package.json
• patches/@meawallet__react-native-mpp.patch
• src/assets/mea_config
• src/components/card/CardDetails.tsx
• src/components/card/WalletButtons.tsx
• src/components/card/WalletButtons.web.tsx
• src/components/card/useWalletProvisioning.ts
• src/utils/server.ts

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

app.config.ts (1)

231-237: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Move the ndk.debugSymbolLevel setting to buildTypes.release and guard both injections against re-application.

Android's official guidance places ndk.debugSymbolLevel under android.buildTypes.release.ndk, not defaultConfig. Setting it in defaultConfig applies the setting to all build types rather than just release builds. Additionally, both string replacements are non-idempotent—without guards, each prebuild will append another ndk { ... } block and OkHttp BOM line. The iOS workaround above (line 218) demonstrates the correct pattern: check if (!contents.includes(...)) before modifying and writing the file.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: e2bf0c92-f419-4cca-a5ec-7e675195e3cf

📥 Commits

Reviewing files that changed from the base of the PR and between b4872d7 and c317097.

⛔ Files ignored due to path filters (2)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
• src/assets/images/google-wallet-button.svg is excluded by !**/*.svg

📒 Files selected for processing (13)

• .changeset/gentle-cases-fold.md
• .changeset/rich-months-double.md
• .npmrc
• app.config.ts
• cspell.json
• package.json
• patches/@meawallet__react-native-mpp.patch
• src/assets/mea_config
• src/components/card/CardDetails.tsx
• src/components/card/WalletButtons.tsx
• src/components/card/WalletButtons.web.tsx
• src/components/card/useWalletProvisioning.ts
• src/utils/server.ts

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (2)

src/utils/server.ts (1)

111-113: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Validate provisioning fields before returning credentials.

Line 112 only guards that provisioning exists. If id or secret is missing/invalid, the failure moves downstream into wallet SDK calls.

proposed fix

-  const card = await parseResponse(response);
-  if (!card.provisioning) throw new Error("bad card provisioning response");
-  return { cardId: card.provisioning.id, cardSecret: card.provisioning.secret };
+  const card = await parseResponse(response);
+  if (
+    !card.provisioning ||
+    typeof card.provisioning.id !== "string" ||
+    typeof card.provisioning.secret !== "string"
+  ) {
+    throw new Error("bad card provisioning response");
+  }
+  return { cardId: card.provisioning.id, cardSecret: card.provisioning.secret };

src/components/card/useWalletProvisioning.ts (1)

42-53: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Guard against re-entrant provisioning calls.

Line 43 state updates are asynchronous, so rapid taps can execute provision() more than once and fire duplicate provisioning requests.

proposed fix

-import { useState } from "react";
+import { useRef, useState } from "react";
@@
 export default function useWalletProvisioning(lastFour: string, displayName: string) {
   const [provisioning, setProvisioning] = useState(false);
+  const inFlight = useRef(false);
@@
   async function provision(addToWallet: (cardData: MppCardDataParameters) => Promise<unknown>) {
+    if (inFlight.current) return;
+    inFlight.current = true;
     setProvisioning(true);
     try {
       await initSdk();
       const { cardId, cardSecret } = await getWalletCredentials();
       await addToWallet(MppCardDataParameters.withCardSecret(cardId, cardSecret));
     } catch (error) {
       reportError(error);
     } finally {
+      inFlight.current = false;
       setProvisioning(false);
     }
   }

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4f887e6f-788f-4ed0-9f1a-92905cd9432c

📥 Commits

Reviewing files that changed from the base of the PR and between c317097 and fbf6ab6.

⛔ Files ignored due to path filters (2)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
• src/assets/images/google-wallet-button.svg is excluded by !**/*.svg

📒 Files selected for processing (12)

• .changeset/gentle-cases-fold.md
• .changeset/rich-months-double.md
• app.config.ts
• cspell.json
• package.json
• patches/@meawallet__react-native-mpp.patch
• src/assets/mea_config
• src/components/card/CardDetails.tsx
• src/components/card/WalletButtons.tsx
• src/components/card/WalletButtons.web.tsx
• src/components/card/useWalletProvisioning.ts
• src/utils/server.ts

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3ba3ac4ab1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7cd965a146

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Use card-token checks for Google Wallet eligibility

When an Android user already has any Google Wallet token with the same last four digits, this suffix-only check can treat that unrelated token as belonging to the current Exa card; an ACTIVE match makes getGoogleWalletState return "added" and hides the CTA, while a yellow-path match can send tokenize the wrong token. MeaWallet documents checkWalletForCardSuffix as checking only the provided PAN suffix, while checkWalletForCardToken(cardData) checks the corresponding card (https://dev.meawallet.com/api/mpp/react-native/), so use the card-data/token-id path before deciding this card is added or resumable.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

exa/src/components/send-funds/SendAmount.tsx

Line 219 in 0d4b865

{quoteError ? (

Surface missing exchange-rate quotes

When Bridge's quote endpoint succeeds with deposit details but no quote (the server schema allows this because bridge.getQuote catches rate-provider failures and RampResponse.quote is optional), quoteError remains false while rate is undefined. In that scenario the amount screen just disables Continue via canContinue without showing the exchange-rate error or any retry cue, leaving non-USD offramp users stuck; treat a missing rate as a quote failure here.

---

exa/src/utils/parseAmount.ts

Lines 5 to 6 in 0d4b865

	const cleaned = value.replaceAll(/[^\d.,]/g, "");
	const normalized = cleaned.replaceAll(/[.,](?=.*[.,])/g, "").replace(",", ".");

Handle lone thousands separators as thousands

For pasted or typed whole-number amounts with a single thousands separator, such as 1,234 or 1.234, this keeps the separator and then treats it as the decimal separator, so parseAmount returns 1.234 units instead of 1234. The offramp flow then under-calculates the required USDC and carries the wrong fiat amount into review; strip group separators before normalizing the decimal separator.

---

exa/src/components/send-funds/Review.tsx

Line 169 in 0d4b865

i18nKey={sent ? "Sent to <em>{{recipient}}</em>" : "Sending to <em>{{recipient}}</em>"}

Show the offramp as pending after proposing

For Bridge offramps this mutation only submits the ProposalType.Withdraw proposal returned by useSimulateProposal; waitForCallsStatus confirms that proposal transaction, not that the delayed proposal was executed or that Bridge has delivered funds to the recipient. The existing on-chain send screen treats this same latest-plugin proposal success as Processing with a pending-requests CTA, but this new review screen says Sent to with a success check, so users can be told the bank transfer is complete while it is still only queued.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: dda713e2e2

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Do not persist wallet token state

This query returns googleToken under the new ['wallet', ...] cache key, but the global persister in src/utils/queryClient.ts only excludes keys like card, kyc, and lifi, not wallet. As a result, Google Wallet issuer/token ids and stale eligibility state are written to AsyncStorage and restored for up to 30 days; on devices where token state changes or the app account is reused, the UI can briefly call GooglePay.tokenize with a restored stale token before the native recheck completes. Exclude wallet queries from dehydration or keep token ids out of persisted query data.

Useful? React with 👍 / 👎.