test(e2e): mock static asset endpoints to remove from allowlist (MMQA-1778)

[chrisleewilcox]

Description

Tier 2 of MMQA-1364 (allowlist reduction). Adds default mock matchers for three categories of static asset / health-check requests, then removes the corresponding entries from mock-e2e-allowlist.ts.

Matcher	Response
^https://clients3\.google\.com/generate_204$ (HEAD)	204 No Content, empty body
^https://raw\.githubusercontent\.com/MetaMask/contract-metadata/[^/]+/images/.+\.svg$ (GET)	200, minimal <svg xmlns="http://www.w3.org/2000/svg"/>
^https://token\.api\.cx\.metamask\.io/assets/nativeCurrencyLogos/.+\.svg$ (GET)	200, minimal SVG

Why regex, not exact URLs. The previous allowlist enumerated five specific token icons that today's specs happened to load. Any new spec, new default token, branch rename (master → main), or platform-subset divergence would reintroduce live requests. Regex matchers cover the entire category (any branch, any future token icon) with one entry — a one-time fix instead of a moving target.

generate_204 origin. Confirmed it is fired by @react-native-community/netinfo's InternetReachability._checkInternetReachability via JS-layer fetch. That path is patched by shim.js, so the request reaches mockttp at /proxy?url=… and the matcher fires. (Method is HEAD, hence the new HEAD field on DEFAULT_MOCKS.)

Files changed

• tests/api-mocking/mock-responses/defaults/static-assets.ts — new default mock file with the three matchers
• tests/api-mocking/mock-responses/defaults/index.ts — imported and spread into DEFAULT_MOCKS.GET + new HEAD field
• tests/api-mocking/mock-e2e-allowlist.ts — removed 7 entries (1 generate_204, 5 GitHub raw token SVGs, 1 token.api nativeCurrencyLogos ethereum.svg)

Out of scope

• https://api.avax.network/ext/bc/C/rpc — Tier 4 investigation
• https://metamask.github.io/test-dapp/metamask-fox.svg — handled by MMQA-1367
• Polymarket hosts — separate follow-up tracked in MMQA-1755

Changelog

CHANGELOG entry: null

Related issues

MMQA-1778 — parent epic MMQA-1364

Manual testing steps

Feature: Static asset mocks for E2E tests

  Scenario: NetInfo reachability probe is mocked
    Given the E2E mock server is running with default mocks loaded
    When the app fires the NetInfo reachability probe (HEAD https://clients3.google.com/generate_204)
    Then mockttp returns 204 with empty body
    And validateLiveRequests() does not record a live request

  Scenario: Token icon SVGs are mocked
    Given a spec loads a token list that includes contract-metadata icons
    When the app requests https://raw.githubusercontent.com/MetaMask/contract-metadata/<branch>/images/<token>.svg
    Then mockttp returns 200 with a placeholder SVG
    And the request never reaches GitHub live

  Scenario: Native currency logo SVGs are mocked
    Given a spec loads a chain whose native currency logo is fetched from token.api
    When the app requests https://token.api.cx.metamask.io/assets/nativeCurrencyLogos/<chain>.svg
    Then mockttp returns 200 with a placeholder SVG
    And the request never reaches the live token.api endpoint

Screenshots/Recordings

Before

tests/api-mocking/mock-e2e-allowlist.ts allowlisted 7 entries that bypassed validateLiveRequests():

What this meant on every E2E run:

• NetInfo's reachability probe fired a live HEAD https://clients3.google.com/generate_204 and Google answered. The allowlist silenced the warning, so validateLiveRequests() did not flag it.
• 5 GitHub raw SVG fetches went live whenever notifications rendered token icons (USDC/SHIB/USDT/stETH/rETH from the mocked notification fixtures in @metamask/notification-services-controller).
• 1 token.api SVG went live whenever the Ethereum native-currency logo was loaded (referenced in app/constants/urls.ts:144 and the Ramp Quotes constants).

After

Allowlist with the 7 entries gone — ALLOWLISTED_URLS drops from 16 to 9:

What happens on every E2E run now:

• NetInfo reachability probe → mockttp returns 204 with empty body. NetInfo's reachabilityTest (response.status === 204) passes; the wallet sees the network as reachable. No live request to Google.
• Notification SVG fetches → mockttp returns a placeholder SVG (<svg xmlns="http://www.w3.org/2000/svg"/>). Icons render (visual fidelity not asserted in E2E). No live request to raw.githubusercontent.com for any token icon — current or future.
• Native currency logo fetch → same placeholder SVG. No live request to token.api.cx.metamask.io for any chain's logo.
• validateLiveRequests() records zero leaks for these endpoints.

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Performance checks (if applicable)

• I've tested on Android
  • Ideally on a mid-range device; emulator is acceptable
• I've tested with a power user scenario
  • Use these power-user SRPs to import wallets with many accounts and tokens
• I've instrumented key operations with Sentry traces for production performance metrics
  • See trace() for usage and addToken for an example

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Low Risk
Low risk: changes are confined to the E2E mocking layer, replacing live allowlisted static/health-check requests with deterministic mocks (including adding default HEAD mocks).

Overview
Reduces E2E live network allowlisting by removing specific static/health-check URLs (Google generate_204 and token SVG icon URLs) from mock-e2e-allowlist.ts and handling them via default mocks instead.

Adds STATIC_ASSETS_MOCKS with regex-based matchers that return a 204 for HEAD https://clients3.google.com/generate_204 and a minimal SVG for GitHub contract-metadata and token.api native currency logo .svg requests, and wires these into DEFAULT_MOCKS (including a new HEAD entry).

^{Reviewed by Cursor Bugbot for commit 7c90df2. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: SmokeWalletPlatform, SmokeConfirmations, SmokeIdentity, SmokeNetworkAbstractions, SmokeAccounts
• Selected Performance tags: None (no tests recommended)
• Risk Level: medium
• AI Confidence: 82%

click to see 🤖 AI reasoning details

E2E Test Selection:
These changes are purely in the E2E test infrastructure (API mocking layer). The changes:

1. mock-e2e-allowlist.ts: Removes previously allowlisted live URLs (Google generate_204, token SVG images from GitHub/MetaMask contract-metadata, native currency logos from token API).

2. static-assets.ts (new file): Creates proper mocks for those URLs - HEAD mock for Google connectivity check (204), GET mocks for contract-metadata SVG images and native currency logo SVGs (returns minimal SVG).

3. defaults/index.ts: Integrates the new STATIC_ASSETS_MOCKS into DEFAULT_MOCKS (both GET and HEAD).

Impact: DEFAULT_MOCKS is used in FixtureHelper.ts which is the core fixture infrastructure for ALL E2E tests. The change converts live network calls to deterministic mocks, which is an improvement but could affect tests that display token icons or rely on the Google connectivity check.

Why these tags:

• SmokeWalletPlatform: Token icons appear in wallet home, transaction history, and trending views - most likely to be affected by SVG mocking changes
• SmokeConfirmations: Token approval/transfer confirmations display token icons (ERC-20, ERC-721 tokens)
• SmokeIdentity: The comment in the original allowlist said "Token SVGs in notifications list" - identity/sync tests show notification lists with token icons
• SmokeNetworkAbstractions: Network selector shows native currency logos (now mocked via token.api.cx.metamask.io)
• SmokeAccounts: Account management tests may display token balances with icons

The change is low-risk (improving test determinism) but since it touches DEFAULT_MOCKS used globally, a representative cross-section of tests should validate the mocking infrastructure works correctly.

Performance Test Selection:
These changes are purely in the E2E test infrastructure (API mocking layer) and do not affect any app production code. There is no impact on app rendering performance, data loading, or any user-facing functionality. Performance tests are not warranted.

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud