chore: pass cached security data from token list to token details cp-7.76.0

[sahar-fehri]

Description

When the token list security badges feature flag is enabled, read the already-fetched security data from the TanStack Query
cache on item press and forward it via navigation params, eliminating the on-demand fetch in TokenDetails.

Changelog

CHANGELOG entry: remove on demand api call to get security data when passed from token list and FF is ON

Related issues

Fixes:

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Performance checks (if applicable)

• I've tested on Android
  • Ideally on a mid-range device; emulator is acceptable
• I've tested with a power user scenario
  • Use these power-user SRPs to import wallets with many accounts and tokens
• I've instrumented key operations with Sentry traces for production performance metrics
  • See trace() for usage and addToken for an example

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Medium Risk
Changes the token list tap navigation payload to optionally include cached TokenSecurityData from TanStack Query, which could affect the Asset Details screen’s behavior when the security-badges feature flag is enabled. Risk is limited by feature-flag gating but still touches navigation params and cache key usage.

Overview
When selectTokenListSecurityBadgesEnabled is on and a CAIP asset id has been resolved, tapping a token in TokenListItem now reads TokenSecurityData from the TanStack Query cache (tokenListSecurityBadgeKeys.byAsset(caipId)) and forwards it to the Asset route via securityData navigation params.

Adds/updates unit tests to mock useQueryClient + CAIP resolution and assert securityData is included only when the flag is enabled and cached data exists.

^{Reviewed by Cursor Bugbot for commit 224e470. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[sahar-fehri]

When a user taps a token, we read the already-fetched security data from the TanStack Query cache and pass it via nav params. useTokenSecurityData on the details side already supports prefetchedData and skips its on-demand fetch when provided. When the flag is OFF, nothing changes; the on-demand fetch fires as before. One file changed (TokenListItem.tsx).

Alternative approach for later: Once we remove the feature flag and the security badge fetch is always-on, we could replace useTokenSecurityData in TokenDetails with useTokenListSecurityBadgeQuery directly. TokenDetails would check the TanStack cache itself and fetch only if needed .. no nav params, no manual cache read in onItemPress. This works regardless of how the user navigates to Token Details. But it's a bigger-ish change: add an enabled option to the hook, add CAIP address normalization so list and details share the same cache key, swap the hook in TokenDetails, and potentially remove useTokenSecurityData + migrate its tests.

[bergarces]

The fetching we have means that it shouldn't do two calls even if we call it both here and inside TokenListSecurityBadge.

We can definitely do it like this, and it's perfectly ok, but there's a beauty in just using the hook we have and nothing else.

[sahar-fehri]

@bergarces by just using the hook we have, you are referencing the alternative approach i mention here ?
remove the on demand call and make it use tanstack query if no prefetched security data passed?

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: SmokeWalletPlatform
• Selected Performance tags: None (no tests recommended)
• Risk Level: low
• AI Confidence: 88%

click to see 🤖 AI reasoning details

E2E Test Selection:
The changes are confined to TokenListItem.tsx and its test file. The modification adds a small enhancement to the onItemPress callback: when the tokenListSecurityBadges feature flag is enabled and a CAIP asset ID is resolved, cached security data is read from the React Query client and passed as navigation params to the Asset details screen. This is a feature-flag-gated, cache-read-only change with no new network calls or state mutations. The TokenListItem is used in the main wallet token list (homepage Tokens section), making SmokeWalletPlatform the most relevant E2E tag. No confirmations, swaps, staking, or other flows are directly impacted. The test file adds unit test coverage for the three scenarios (flag ON with data, flag OFF, flag ON with no cached data).

Performance Test Selection:
The change only reads from an existing React Query cache on user press (not on render), so there is no meaningful impact on rendering performance, asset loading times, or any other measured performance metric. No performance tests are warranted.

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[juanmigdr]

Very confused about the implementation... I dont think you need to pass the security data to token details. You can just reuse the hook in token details and pass down the token address. This way it will make the API call if necessary or fetch from cache otherwise. ANd that way we have reused logic in token details page and tokens list