feat(profile-metrics-service): add proof signing system (MetaMask#9016)

## Explanation

<!--
Thanks for your contribution! Take a moment to answer these questions so
that reviewers have the information they need to properly understand
your changes:

* What is the current state of things and why does it need to change?
* What is the solution your changes offer and how does it work?
* Are there any changes whose purpose might not obvious to those
unfamiliar with the domain?
* If your primary goal was to update one package but you found you had
to update another one along the way, why did you do so?
* If you had to upgrade a dependency, why did you do so?
-->

## References

Related to: https://consensyssoftware.atlassian.net/browse/MUL-1844

## Checklist

- [x] I've updated the test suite for new or updated code as appropriate
- [x] I've updated documentation (JSDoc, Markdown, etc.) for new or
updated code as appropriate
- [x] I've communicated my changes to consumers by [updating changelogs
for packages I've
changed](https://github.com/MetaMask/core/tree/main/docs/processes/updating-changelogs.md)
- [ ] I've introduced [breaking
changes](https://github.com/MetaMask/core/tree/main/docs/processes/breaking-changes.md)
in this PR and have prepared draft pull requests for clients and
consumer packages to resolve them

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **High Risk**
> Introduces cryptographic signing paths (keyring personal_sign and
internal snap RPC) that must preserve correct message canonicalization
and snap trust boundaries; hosts must delegate KeyringController and
SnapController actions on the service messenger.
> 
> **Overview**
> Adds **`ProofOfOwnershipService`** to
`@metamask/profile-metrics-controller` so wallets can produce
server-verifiable ownership proofs bound to auth API nonces, for use on
`AccountWithScopes.proof` when submitting profile metrics.
> 
> **`ProofOfOwnershipService:sign({ account, nonce })`** picks the
signer from the **first CAIP-2 scope**: `eip155` uses
**`KeyringController:signPersonalMessage`** (EIP-191) on
`metamask:proof-of-ownership:<nonce>:<canonical address>`; **Solana,
Tron, and Bitcoin** use silent **`SnapController:handleRequest`**
(`onClientRequest`, `signProofOfOwnership`) against
`account.metadata.snap.id`. Unsupported or missing scopes throw
**`ProofUnsupportedNamespaceError`**.
> 
> Package surface: new snaps + `uuid` deps, auto-generated messenger
action types, **`proofOfOwnershipServiceName`** export, and
**`profileMetricsServiceName`** alias. Import paths for profile-metrics
method-action types are tightened to explicit files (no barrel). Broad
unit tests cover EVM/snap routing, canonical addresses, and error paths.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
26fc73d. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Author: mathieuartu

packages/profile-metrics-controller/CHANGELOG.md

@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Add `ProofOfOwnershipService` for signing chain-native proofs of account ownership ([#9016](https://github.com/MetaMask/core/pull/9016))
+  - Exposes `ProofOfOwnershipService:sign({ account, nonce })`, dispatching by the CAIP-2 namespace of the account's first scope.
+  - EVM accounts are signed via `KeyringController:signPersonalMessage` (EIP-191); Solana, Tron, and Bitcoin accounts are signed via `SnapController:handleRequest` with the `onClientRequest` handler against the snap declared in `account.metadata.snap.id`, which keeps the request silent and client-internal.
+  - The non-EVM snaps are expected to implement a `signProofOfOwnership` JSON-RPC method that validates the message prefix `metamask:proof-of-ownership:` before signing.
+  - Add `profileMetricsServiceName` alias for the existing `serviceName` export, to disambiguate it from the new `proofOfOwnershipServiceName`. The original `serviceName` export is unchanged.
+
 ### Changed
 
 - Bump `@metamask/transaction-controller` from `^67.0.0` to `^67.1.0` ([#9066](https://github.com/MetaMask/core/pull/9066))

packages/profile-metrics-controller/package.json

@@ -60,10 +60,14 @@
     "@metamask/messenger": "^1.2.0",
     "@metamask/polling-controller": "^16.0.6",
     "@metamask/profile-sync-controller": "^28.1.1",
+    "@metamask/snaps-controllers": "^19.0.0",
+    "@metamask/snaps-sdk": "^11.0.0",
+    "@metamask/snaps-utils": "^12.1.2",
     "@metamask/superstruct": "^3.1.0",
     "@metamask/transaction-controller": "^67.1.0",
     "@metamask/utils": "^11.9.0",
-    "async-mutex": "^0.5.0"
+    "async-mutex": "^0.5.0",
+    "uuid": "^8.3.2"
   },
   "devDependencies": {
     "@metamask/auto-changelog": "^6.1.0",

packages/profile-metrics-controller/src/ProfileMetricsController.ts

@@ -19,9 +19,9 @@ import { TransactionControllerTransactionSubmittedEvent } from '@metamask/transa
 import { Duration, inMilliseconds } from '@metamask/utils';
 import { Mutex } from 'async-mutex';
 
-import type { ProfileMetricsServiceMethodActions } from '.';
-import type { ProfileMetricsControllerMethodActions } from '.';
+import type { ProfileMetricsControllerMethodActions } from './ProfileMetricsController-method-action-types';
 import type { AccountWithScopes } from './ProfileMetricsService';
+import type { ProfileMetricsServiceMethodActions } from './ProfileMetricsService-method-action-types';
 
 /**
  * The name of the {@link ProfileMetricsController}, used to namespace the

packages/profile-metrics-controller/src/ProfileMetricsService.ts

@@ -14,7 +14,7 @@ import {
 } from '@metamask/superstruct';
 import type { IDisposable } from 'cockatiel';
 
-import type { ProfileMetricsServiceMethodActions } from '.';
+import type { ProfileMetricsServiceMethodActions } from './ProfileMetricsService-method-action-types';
 
 /**
  * The shape of an entry in the `POST /api/v2/nonce/batch` response body.

packages/profile-metrics-controller/src/ProofOfOwnershipService-method-action-types.ts

@@ -0,0 +1,32 @@
+/**
+ * This file is auto generated.
+ * Do not edit manually.
+ */
+
+import type { ProofOfOwnershipService } from './ProofOfOwnershipService';
+
+/**
+ * Sign a proof of ownership for the given account and server-issued nonce.
+ *
+ * The returned proof is shaped to drop directly into
+ * `AccountWithScopes.proof` for `ProfileMetricsService:submitMetrics`.
+ *
+ * @param data - The account to prove ownership of and the nonce to bind
+ * the proof to.
+ * @returns The proof of ownership (nonce echo + signature).
+ * @throws {ProofUnsupportedNamespaceError} if the account's first scope
+ * carries a namespace this service does not know how to sign for, or if
+ * the account has no scopes.
+ * @throws if the underlying signer (keyring or snap) rejects, or if the
+ * snap returns a malformed response.
+ */
+export type ProofOfOwnershipServiceSignAction = {
+  type: `ProofOfOwnershipService:sign`;
+  handler: ProofOfOwnershipService['sign'];
+};
+
+/**
+ * Union of all ProofOfOwnershipService action types.
+ */
+export type ProofOfOwnershipServiceMethodActions =
+  ProofOfOwnershipServiceSignAction;