refactor(compliance): remove initial block wallets call (#8365)

## Explanation

This refactor removes the proactive bulk-fetch pattern from
`ComplianceController` and `ComplianceService`.

**Before:** On initialisation, `init()` eagerly fetched the full blocked
wallets list from `GET /v1/blocked-wallets` and persisted all addresses
in `state.blockedWallets`. This meant potentially thousands of
OFAC/sanctioned addresses were stored in client state, refreshed on a
configurable interval, and used as the primary lookup source for
`selectIsWalletBlocked`.

**After:** The controller only performs on-demand per-address API checks
(`checkWalletCompliance` / `checkWalletsCompliance`). Results are cached
in `walletComplianceStatusMap` keyed by address. If a subsequent API
call for the same address fails, the cached result is returned as a
fallback. If no cached result exists, the error is re-thrown.

### Changes

**`ComplianceController`**
- Removed `state.blockedWallets` and `state.blockedWalletsLastFetched`
fields
- Removed `init()`, `updateBlockedWallets()`, `#isBlockedWalletsStale()`
and `#blockedWalletsRefreshInterval`
- `checkWalletCompliance` and `checkWalletsCompliance` now wrap the API
call in try/catch — on failure they fall back to the per-address cache,
re-throwing only when no cached entry exists

**`ComplianceService`**
- Removed `updateBlockedWallets()` method and the `GET
/v1/blocked-wallets` endpoint integration

**`selectors`**
- `selectIsWalletBlocked` now reads solely from
`walletComplianceStatusMap`; the `selectBlockedWallets` intermediate
selector is removed

**`types`**
- Removed `BlockedWalletsInfo` type

**Messenger action types / index**
- Removed `ComplianceControllerInitAction`,
`ComplianceControllerUpdateBlockedWalletsAction`, and
`ComplianceServiceUpdateBlockedWalletsAction`

## References

N/A

## Checklist

- [x] I've updated the test suite for new or updated code as appropriate
- [x] I've updated documentation (JSDoc, Markdown, etc.) for new or
updated code as appropriate
- [ ] I've communicated my changes to consumers by updating changelogs
for packages I've changed
- [ ] I've introduced breaking changes in this PR and have prepared
draft pull requests for clients and consumer packages to resolve them

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **High Risk**
> Breaking public API/state changes remove blocklist fetching and alter
`selectIsWalletBlocked` to depend solely on per-address cached checks,
which can change behavior when the API is down. Consumers must update
persisted-state migrations and remove calls to deleted
controller/service methods.
> 
> **Overview**
> Removes the proactive full blocklist fetch/caching flow, shifting
compliance to **on-demand per-address checks** (`checkWalletCompliance`
/ `checkWalletsCompliance`) with a per-address cache used only as a
fallback when the API is unavailable.
> 
> This is a **breaking change**: `ComplianceControllerState` drops
`blockedWallets`/`blockedWalletsLastFetched`, the controller’s
`init()`/`updateBlockedWallets()` methods and
`blockedWalletsRefreshInterval` option are removed, and
`ComplianceService:updateBlockedWallets` (and `GET /v1/blocked-wallets`)
plus related exported action/types (`BlockedWalletsInfo`, init/update
action types) are deleted. `selectIsWalletBlocked` now reads solely from
`walletComplianceStatusMap`, and tests/changelog are updated
accordingly.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
148c209. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Author: aganglada

packages/compliance-controller/CHANGELOG.md

@@ -9,6 +9,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+- **BREAKING:** Remove proactive bulk-fetch pattern from `ComplianceController` and `ComplianceService` ([#8365](https://github.com/MetaMask/core/pull/8365))
+  - `ComplianceControllerState` no longer includes `blockedWallets` or `blockedWalletsLastFetched`. Consumers storing persisted state must drop these fields on migration.
+  - The `init()` and `updateBlockedWallets()` controller methods have been removed. Consumers should remove any calls to these methods.
+  - The `blockedWalletsRefreshInterval` constructor option has been removed.
+  - The `updateBlockedWallets()` service method and its `GET /v1/blocked-wallets` endpoint integration have been removed.
+  - `ComplianceControllerInitAction`, `ComplianceControllerUpdateBlockedWalletsAction`, and `ComplianceServiceUpdateBlockedWalletsAction` types have been removed from the public API.
+  - The `BlockedWalletsInfo` type has been removed from the public API.
+  - `checkWalletCompliance` and `checkWalletsCompliance` now fall back to the per-address `walletComplianceStatusMap` cache when the API is unavailable, re-throwing only if no cached result exists for a requested address.
+  - `selectIsWalletBlocked` now reads solely from `walletComplianceStatusMap` rather than also checking a cached full blocklist.
 - Bump `@metamask/controller-utils` from `^11.19.0` to `^11.20.0` ([#8344](https://github.com/MetaMask/core/pull/8344))
 - Bump `@metamask/messenger` from `^1.0.0` to `^1.1.0` ([#8364](https://github.com/MetaMask/core/pull/8364))
 

packages/compliance-controller/src/ComplianceController-method-action-types.ts

@@ -5,19 +5,11 @@
 
 import type { ComplianceController } from './ComplianceController';
 
-/**
- * Initializes the controller by fetching the blocked wallets list if it
- * is missing or stale. Call once after construction to ensure the blocklist
- * is ready for `selectIsWalletBlocked` lookups.
- */
-export type ComplianceControllerInitAction = {
-  type: `ComplianceController:init`;
-  handler: ComplianceController['init'];
-};
-
 /**
  * Checks compliance status for a single wallet address via the API and
- * persists the result to state.
+ * persists the result to state. If the API call fails and a previously
+ * cached result exists for the address, the cached result is returned as a
+ * fallback. If no cached result exists, the error is re-thrown.
  *
  * @param address - The wallet address to check.
  * @returns The compliance status of the wallet.
@@ -29,7 +21,10 @@ export type ComplianceControllerCheckWalletComplianceAction = {
 
 /**
  * Checks compliance status for multiple wallet addresses via the API and
- * persists the results to state.
+ * persists the results to state. If the API call fails and every requested
+ * address has a previously cached result, those cached results are returned
+ * as a fallback. If any address lacks a cached result, the error is
+ * re-thrown.
  *
  * @param addresses - The wallet addresses to check.
  * @returns The compliance statuses of the wallets.
@@ -39,17 +34,6 @@ export type ComplianceControllerCheckWalletsComplianceAction = {
   handler: ComplianceController['checkWalletsCompliance'];
 };
 
-/**
- * Fetches the full list of blocked wallets from the API and persists the
- * data to state. This also updates the `blockedWalletsLastFetched` timestamp.
- *
- * @returns The blocked wallets information.
- */
-export type ComplianceControllerUpdateBlockedWalletsAction = {
-  type: `ComplianceController:updateBlockedWallets`;
-  handler: ComplianceController['updateBlockedWallets'];
-};
-
 /**
  * Clears all compliance data from state.
  */
@@ -62,8 +46,6 @@ export type ComplianceControllerClearComplianceStateAction = {
  * Union of all ComplianceController action types.
  */
 export type ComplianceControllerMethodActions =
-  | ComplianceControllerInitAction
   | ComplianceControllerCheckWalletComplianceAction
   | ComplianceControllerCheckWalletsComplianceAction
-  | ComplianceControllerUpdateBlockedWalletsAction
   | ComplianceControllerClearComplianceStateAction;