--- issue: "018" title: "Trezor Safekeeping has zero frontend implementation — all backend endpoints unreachable from UI" severity: critical domain: trezor labels: [frontend, missing-feature] status: open created: 2026-05-29 source: Doc vs Code Audit 2026-05-29 --- # 🔴 Trezor Safekeeping has zero frontend implementation — all backend endpoints unreachable from UI **Severity:** critical **Domain:** trezor **Labels:** frontend, missing-feature ## Description A comprehensive search of all `.ts` and `.tsx` files in `frontend/src/` finds **zero calls** to any Trezor backend endpoint. There is no: - Trezor registration page - xpub input UI - Trezor Connect SDK import - Admin Trezor signing panel - Any action calling `/api/trezor/*` The only Trezor reference in the entire frontend is a brand logo in `wallet-icons.ts`. The documented 12-step challenge-sign-submit flow exists entirely in the backend but has no frontend surface at any step. Additionally, `confirmReleaseTx` and `confirmRefundTx` in `frontend/src/actions/payment.ts` post `{ txHash, ...extra }` with **no `trezor` object** (message + signature). With `TREZOR_SAFEKEEPING_REQUIRED=true`, every admin release/refund from the UI will be rejected by the backend's `assertTrezorSignatureForOperation` guard. ## Current Behavior - No UI exists for Trezor registration - Admin release/refund with `TREZOR_SAFEKEEPING_REQUIRED=true` always fails (missing signature payload) - All Trezor API endpoints are only testable via curl/Postman ## Expected Behavior A complete frontend implementation covering: 1. Trezor registration page (xpub input, challenge-sign-submit flow) 2. Operation signing UI for admin release/refund (call `POST /api/trezor/operation-message`, prompt sign, attach `trezor` object to confirm body) ## Affected Files - `frontend/src/actions/payment.ts` — `confirmReleaseTx`, `confirmRefundTx` missing `trezor` field - Missing: Trezor registration page component - Missing: Admin Trezor signing integration in dispute/payment admin panels ## References - [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md) — Findings C31, C32