Integrate LavaDome private key protection

[weizman]

Description

New LavaDome tool can help to better hide the private key from potential malicious code running in the app when the user asks to see it.

Related issues

None

Manual testing steps

This PR changes the "show private key" dialog, not in terms of appearance, and not in terms of interaction but only in terms of "behind the scenes" security, so nothing should change in terms of manual interaction with this feature - that is the most important thing to check here QA-wise.

One thing that is changed, is that the private key text is no longer selectable as it was before, and now the only way to copy it is to use the copy-to-clipboard button.

That is on purpose, allowing selection of sensitive information such as the private key is unsafe, and disablement of selection capabilities of sensitive info is done intentionally to enhance security.

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I’ve followed MetaMask Coding Standards.
• I've clearly explained what problem this PR is solving and how it is solved.
• I've linked related issues
• I've included manual testing steps
• I've included screenshots/recordings if applicable
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format if applicable
• I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.
• I’ve properly set the pull request status:
  • In case it's not yet "ready for review", I've set it to "draft".
  • In case it's "ready for review", I've changed it from "draft" to "non-draft".

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

[socket-security]

New dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@lavamoat/lavadome-core@0.0.10	None	0	22.5 kB	weizman
npm/@lavamoat/lavadome-react@0.0.10	Transitive: environment	+9	3.61 MB	weizman

View full report↗︎

[socket-security]

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report↗︎

[weizman]

Once LavaMoat/LavaDome#18 is merged and published, eab7582 should work too

[metamaskbot]

Builds ready [65c6f87]

• builds: chrome, firefox
• builds (beta): chrome
• builds (flask): chrome, firefox
• builds (MMI): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• build viz: Build System
• mv3: Background Module Init Stats
• mv3: UI Init Stats
• mv3: Module Load Stats
• mv3: Bundle Size Stats
• mv2: E2e Actions Stats
• code coverage: Report
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4
  • common: 0, 1, 2, 3, 4, 5, 6, 7
  • content-script: 0
  • contentscript: contentscript
  • disable-console: disable-console
  • inpage: inpage
  • policy-load: policy-load
  • sentry-install: sentry-install
  • ui: 0, 1, 10, 11, 2, 3, 4, 5, 6, 7, 8, 9

Page Load Metrics (852 ± 46 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	97	154	118	16	8
		domContentLoaded	10	55	20	13	6
		load	736	1184	852	97	46
		domInteractive	10	55	20	13	6

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: 156 Bytes (0.00%)
• ui: 4.29 KiB (0.06%)
• common: 0 Bytes (0.00%)

[danjm]

The code changes look good to me. I will approve when we get another QA pass

[danjm]

actually, I will QA this myself

[danjm]

QA passed, all following scenarios have been tested:

user can still reveal their private key
user can still copy their private key using the copy button
user cannot copy their private key any other way (i.e. the can't select the text and copy it)
private key cannot be seen if the html is inspected with the browser tools

These tests continue to pass, and I can also see the implemented message upon clicking the private key

[metamaskbot]

Builds ready [1394bad]

• builds: chrome, firefox
• builds (beta): chrome
• builds (flask): chrome, firefox
• builds (MMI): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• build viz: Build System
• mv3: Background Module Init Stats
• mv3: UI Init Stats
• mv3: Module Load Stats
• mv3: Bundle Size Stats
• mv2: E2e Actions Stats
• code coverage: Report
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4
  • common: 0, 1, 2, 3, 4, 5, 6, 7
  • content-script: 0
  • contentscript: contentscript
  • disable-console: disable-console
  • inpage: inpage
  • policy-load: policy-load
  • sentry-install: sentry-install
  • ui: 0, 1, 10, 11, 2, 3, 4, 5, 6, 7, 8, 9

Page Load Metrics (798 ± 55 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	85	168	112	19	9
		domContentLoaded	9	45	20	11	5
		load	704	1206	798	114	55
		domInteractive	9	45	19	11	5

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: 156 Bytes (0.00%)
• ui: 5.07 KiB (0.07%)
• common: 0 Bytes (0.00%)

[georgewrmarshall]

LGTM! Tested and it works well. Nice use of component-library components. Left 2 non-blocking comments

[georgewrmarshall]

nit: could we reduce html bloat and increase the click area of the text slightly by moving the onClick to the wrapping Text component?

[weizman]

d531a67

[georgewrmarshall]

non-blocking: To improve the accessibility here we could add an ariaLabel={t('copyPrivateKey')} which would need to be created in messages.json. ariaLabel is a a required prop for the ButtonIcon component

[weizman]

7ceba33