
Limit wallet search query length #859

Merged
ramimbo merged 1 commit into ramimbo:main from laughlife:codex/wallets-query-length-limit
Jun 5, 2026

Conversation

@laughlife laughlife commented Jun 4, 2026

Summary

  • cap /wallets?q= search strings at 500 characters before building wallet LIKE filters
  • keep 500-character searches accepted while rejecting 501+ characters with a bounded 400 response
  • add regression coverage for the wallet search boundary alongside existing control-character/repeated-query checks

Bounty #799

Source report: #798 (comment)

Production evidence before fix

  • GET https://mrwk.online/wallets?q=<500 a characters> -> HTTP 200, 3890 bytes.
  • GET https://mrwk.online/wallets?q=<501 a characters> -> HTTP 200, 3892 bytes.
  • GET https://mrwk.online/wallets?q=<10000 a characters> -> HTTP 200, 25016 bytes.

Current production therefore accepts oversized public wallet search strings instead of failing fast before building SQL LIKE filters.

Duplicate/current check

Validation

  • uv run --extra dev pytest tests/test_wallet_api.py::test_wallet_pages_reject_control_character_filters -q -> 1 passed, 1 existing Starlette/httpx warning.
  • uv run --extra dev pytest tests/test_wallet_api.py -q -> 45 passed, 1 existing Starlette/httpx warning.
  • uv run --extra dev ruff check app/public_routes.py tests/test_wallet_api.py -> passed.
  • uv run --extra dev ruff format --check app/public_routes.py tests/test_wallet_api.py -> 2 files already formatted.
  • uv run --extra dev mypy app/public_routes.py -> success.
  • uv run --extra dev python scripts/docs_smoke.py -> docs smoke ok.
  • git diff --check origin/main...HEAD -> clean.
  • git merge-tree --write-tree origin/main HEAD -> clean tree abda6f4c7b8cc6d19c1ef4bc0fd2711b121cfce1.

Scope

This PR is limited to the public wallet search page input boundary. It does not change wallet registration, wallet signatures, balances, account normalization, ledger mutation, bounty lifecycle, payout execution, treasury mutation, private data, secrets, bridge/exchange/cash-out behavior, or MRWK price behavior.

Summary by CodeRabbit

  • New Features
    • Added input validation for wallet search queries with a 500-character maximum limit. Requests exceeding this character threshold will be rejected with a clear validation error message indicating the limit.

coderabbitai Bot commented Jun 4, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 373e9dd5-170b-4f64-a25c-64606efbe212

📥 Commits

Reviewing files that changed from the base of the PR and between d4d0e48 and fd522b2.

📒 Files selected for processing (2)
  • app/public_routes.py
  • tests/test_wallet_api.py

📝 Walkthrough

Walkthrough

A new 500-character length limit is added to wallet search queries on the /wallets endpoint. The constant definition and validation logic enforce this limit and return a 400 error for oversized queries. Test coverage verifies the boundary behavior at exactly 500 characters (pass) and 501 characters (fail).

Changes

Wallet search query length validation

  • Search query length limit constant and validation (app/public_routes.py): new WALLET_SEARCH_QUERY_MAX_LENGTH constant set to 500 and enforced in wallets_page_context to reject queries exceeding this length with a 400 HTTP error.
  • Search query length boundary tests (tests/test_wallet_api.py): test extended with boundary assertions: 500-character query accepted, 501-character query rejected with the validation error message.

Possibly related PRs

  • ramimbo/mergework#753: Both PRs modify app/public_routes.py's wallets_page_context to add input validation on the q parameter (control-character rejection in #753, length limits in this PR).
  • ramimbo/mergework#520: Both PRs add validation constraints to /wallets search handling in wallets_page_context.
🚥 Pre-merge checks: 6 passed

  • Title check: ✅ Passed. The title directly names the changed surface and accurately summarizes the main change: enforcing a length limit on wallet search queries.
  • Description check: ✅ Passed. The description provides a comprehensive summary, clear evidence of the problem, validation results, and scope limitations, though the test evidence checklist items lack explicit marks.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Mergework Public Artifact Hygiene: ✅ Passed. PR changes contain no investment, price, cash-out, or fabricated claims. README correctly describes MRWK as native project coin; future bridges require discussion.
  • Bounty Pr Focus: ✅ Passed. Changes match stated files and scope: 500-char wallet search limit constant in public_routes.py, validation before SQL filter construction, and boundary-condition tests in test_wallet_api.py.

Contributor

@alan747271363-art alan747271363-art left a comment


Reviewed current head fd522b22642019d7c78b26360cb1e85f14ad52e7 as a non-author.

The change is focused on the public /wallets HTML search path: app/public_routes.py now rejects q values longer than 500 characters before building the wallet address/label/GitHub-login LIKE filters, while the existing control-character and repeated-query guards remain unchanged. The regression coverage in tests/test_wallet_api.py checks both sides of the boundary: 500 characters still returns 200 and 501 characters returns the bounded 400 response.

Validation I ran on this exact head:

  • python -m pytest tests/test_wallet_api.py -q -> 45 passed, 1 existing Starlette/httpx warning.
  • python -m pytest tests/test_wallet_api.py::test_wallet_pages_reject_control_character_filters -q -> 1 passed, 1 existing warning.
  • python -m ruff check app/public_routes.py tests/test_wallet_api.py -> passed.
  • python -m ruff format --check app/public_routes.py tests/test_wallet_api.py -> 2 files already formatted.
  • python -m mypy app/public_routes.py -> success.
  • python scripts/docs_smoke.py -> docs smoke ok.
  • git diff --check origin/main...HEAD -> clean.
  • git merge-tree --write-tree origin/main HEAD -> clean tree 20811048e51cb8ba4b2a0a464f33f3bd348b2f8d.

GitHub state checked before review: hosted Quality, readiness, docs, and image checks are successful; mergeable=MERGEABLE; mergeStateStatus=UNSTABLE only because CodeRabbit is still pending. I did not find a code blocker. Maintainers may still want to wait for CodeRabbit before merging.

Scope is limited to public wallet search input validation. No wallet registration, signatures, balances, transfer signing, ledger mutation, bounty lifecycle, payout execution, treasury mutation, private data, secrets, bridge/exchange/cash-out behavior, or MRWK price behavior is changed.

Contributor

@xiefuzheng713-alt xiefuzheng713-alt left a comment


Reviewed current head as non-author. /claim #799

@ramimbo ramimbo merged commit a8ba750 into ramimbo:main Jun 5, 2026
2 checks passed