feat: split request_source to distinguish SDKv1 from MWP

[adonesky1]

Summary

Both SDKv1 (socket relay) and MWP/SDKv2 connections produced the same request_source value (MetaMask-SDK-Remote-Conn) on RPC pipeline events (Transaction Added, Signature Requested, etc.), making them indistinguishable in analytics.

Adds a transport field (socket_relay | mwp) to the analytics param passed to getRpcMethodMiddleware and branches getSource() on it:

• SDKv1: MetaMask-SDK-Remote-Conn (unchanged — preserves data continuity)
• MWP/V2: MetaMask-Connect (new)

Related

• Discussion and decision: https://consensyssoftware.atlassian.net/browse/WAPI-1398

Test plan

• Connect via SDKv1 → trigger a signature or transaction → verify request_source is MetaMask-SDK-Remote-Conn
• Connect via MWP/V2 → trigger a signature or transaction → verify request_source is MetaMask-Connect
• WalletConnect and in-app browser request_source values unchanged

---

Note

Low Risk
Low risk: small, additive analytics metadata change that only affects how request_source is computed for remote SDK connections; main risk is misclassification if transport is omitted or set incorrectly.

Overview
Remote SDK connections now pass an explicit analytics transport (e.g., socket_relay vs mwp) into getRpcMethodMiddleware, and getSource() uses it to split request_source between SDKv1 socket-relay (MetaMask-SDK-Remote-Conn, unchanged) and MWP/SDKv2 (MetaMask-Connect, new).

Adds the shared TransportType enum and wires it into SDKv1 bridge setup and SDKv2 RPC bridge adapter so RPC pipeline events can be attributed correctly in analytics.

^{Reviewed by Cursor Bugbot for commit e27ae07. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: SmokeConfirmations, SmokeNetworkAbstractions, SmokeNetworkExpansion, SmokeMultiChainAPI
• Selected Performance tags: None (no tests recommended)
• Risk Level: medium
• AI Confidence: 82%

click to see 🤖 AI reasoning details

E2E Test Selection:
The PR introduces transport type differentiation for SDK connections in the RPC middleware layer:

1. New TransportType enum (SOCKET_RELAY, MWP, WALLETCONNECT) added to analytics types - used to identify the underlying connection transport.

2. New MM_CONNECT request source in AppConstants - a new source label for MWP (MetaMask Wallet Protocol) connections.

3. RPCMethodMiddleware.getSource() now returns MM_CONNECT for MWP transport connections instead of SDK_REMOTE_CONN. This is the most impactful change as it affects how RPC requests are tagged/tracked.

4. getDefaultBridgeParams.ts and setupBridge.ts (SDKConnect/socket relay path): Now explicitly tag analytics with SOCKET_RELAY transport.

5. rpc-bridge-adapter.ts (SDKConnectV2/MWP path): Now explicitly tags analytics with MWP transport.

Risk Assessment:

• The changes are primarily analytics/metadata changes - they don't alter RPC routing logic or permission checks
• However, RPCMethodMiddleware is a critical path for ALL dApp interactions
• The getSource() function change could affect any downstream logic that uses the source value (e.g., PPOM security checks, event tracking)
• SDKConnectV2 (MWP) is the newer QR-based connection mechanism
• These changes affect dApp connection flows, confirmations, and chain permissions

Selected Tags:

• SmokeConfirmations: RPCMethodMiddleware is used in all transaction/signature confirmation flows; the source differentiation could affect confirmation behavior
• SmokeNetworkAbstractions: Chain permission system uses RPC middleware; dApp chain switch requests go through this path
• SmokeNetworkExpansion: Solana/multi-chain connections use the SDK connection infrastructure; MWP transport is relevant here
• SmokeMultiChainAPI: CAIP-25 session management uses RPC middleware for dApp connections; the source tracking affects session handling

Tags NOT selected: SmokeAccounts, SmokeIdentity, SmokeTrade, SmokeWalletPlatform, SmokeRamps, SmokeCard, SmokePerps, SmokePredictions, SmokeSeedlessOnboarding, FlaskBuildTests - these are not directly affected by SDK connection transport type differentiation.

Performance Test Selection:
The changes are purely analytics/metadata differentiation for SDK connection transport types. No UI rendering, state management, data loading, or critical user flow performance is affected. The getSource() function change is a simple conditional check with negligible performance impact. No performance tests are warranted.

View GitHub Actions results

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit e27ae07. Configure here.}

[cursor]

Unused TransportType.WALLETCONNECT constant defined but never referenced

Low Severity

TransportType.WALLETCONNECT is defined but never referenced anywhere in the codebase. Only TransportType.MWP and TransportType.SOCKET_RELAY are used. WalletConnect connections pass analytics: {} (no isRemoteConn), so they bypass the transport check entirely in getSource() — making this constant unreachable by design.

 

^{Reviewed by Cursor Bugbot for commit e27ae07. Configure here.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

✅ E2E Fixture Validation — Schema is up to date
11 value mismatches detected (expected — fixture represents an existing user).
View details