test(e2e): mock static asset endpoints to remove from allowlist (MMQA-1778) (MetaMask#29576)

## **Description**

Tier 2 of MMQA-1364 (allowlist reduction). Adds default mock matchers
for three categories of static asset / health-check requests, then
removes the corresponding entries from `mock-e2e-allowlist.ts`.

| Matcher | Response |
| --- | --- |
| `^https://clients3\.google\.com/generate_204$` (HEAD) | `204 No
Content`, empty body |
|
`^https://raw\.githubusercontent\.com/MetaMask/contract-metadata/[^/]+/images/.+\.svg$`
(GET) | `200`, minimal `<svg xmlns="http://www.w3.org/2000/svg"/>` |
|
`^https://token\.api\.cx\.metamask\.io/assets/nativeCurrencyLogos/.+\.svg$`
(GET) | `200`, minimal SVG |

**Why regex, not exact URLs.** The previous allowlist enumerated five
specific token icons that today's specs happened to load. Any new spec,
new default token, branch rename (`master` → `main`), or platform-subset
divergence would reintroduce live requests. Regex matchers cover the
entire category (any branch, any future token icon) with one entry — a
one-time fix instead of a moving target.

**`generate_204` origin.** Confirmed it is fired by
`@react-native-community/netinfo`'s
`InternetReachability._checkInternetReachability` via JS-layer `fetch`.
That path is patched by `shim.js`, so the request reaches mockttp at
`/proxy?url=…` and the matcher fires. (Method is `HEAD`, hence the new
`HEAD` field on `DEFAULT_MOCKS`.)

### Files changed
- `tests/api-mocking/mock-responses/defaults/static-assets.ts` — new
default mock file with the three matchers
- `tests/api-mocking/mock-responses/defaults/index.ts` — imported and
spread into `DEFAULT_MOCKS.GET` + new `HEAD` field
- `tests/api-mocking/mock-e2e-allowlist.ts` — removed 7 entries (1
generate_204, 5 GitHub raw token SVGs, 1 token.api nativeCurrencyLogos
ethereum.svg)

### Out of scope
- `https://api.avax.network/ext/bc/C/rpc` — Tier 4 investigation
- `https://metamask.github.io/test-dapp/metamask-fox.svg` — handled by
MMQA-1367
- Polymarket hosts — separate follow-up tracked in MMQA-1755

## **Changelog**

CHANGELOG entry: null

## **Related issues**

[MMQA-1778](https://consensyssoftware.atlassian.net/browse/MMQA-1778) —
parent epic
[MMQA-1364](https://consensyssoftware.atlassian.net/browse/MMQA-1364)

## **Manual testing steps**

```gherkin
Feature: Static asset mocks for E2E tests

  Scenario: NetInfo reachability probe is mocked
    Given the E2E mock server is running with default mocks loaded
    When the app fires the NetInfo reachability probe (HEAD https://clients3.google.com/generate_204)
    Then mockttp returns 204 with empty body
    And validateLiveRequests() does not record a live request

  Scenario: Token icon SVGs are mocked
    Given a spec loads a token list that includes contract-metadata icons
    When the app requests https://raw.githubusercontent.com/MetaMask/contract-metadata/<branch>/images/<token>.svg
    Then mockttp returns 200 with a placeholder SVG
    And the request never reaches GitHub live

  Scenario: Native currency logo SVGs are mocked
    Given a spec loads a chain whose native currency logo is fetched from token.api
    When the app requests https://token.api.cx.metamask.io/assets/nativeCurrencyLogos/<chain>.svg
    Then mockttp returns 200 with a placeholder SVG
    And the request never reaches the live token.api endpoint
```

## **Screenshots/Recordings**

### **Before**

`tests/api-mocking/mock-e2e-allowlist.ts` allowlisted 7 entries that
bypassed `validateLiveRequests()`:


What this meant on every E2E run:
- NetInfo's reachability probe fired a live `HEAD
https://clients3.google.com/generate_204` and Google answered. The
allowlist silenced the warning, so `validateLiveRequests()` did not flag
it.
- 5 GitHub raw SVG fetches went live whenever notifications rendered
token icons (USDC/SHIB/USDT/stETH/rETH from the mocked notification
fixtures in `@metamask/notification-services-controller`).
- 1 `token.api` SVG went live whenever the Ethereum native-currency logo
was loaded (referenced in `app/constants/urls.ts:144` and the Ramp
Quotes constants).

### **After**

Allowlist with the 7 entries gone — `ALLOWLISTED_URLS` drops from 16 to
9:


What happens on every E2E run now:
- **NetInfo reachability probe** → mockttp returns `204` with empty
body. NetInfo's `reachabilityTest` (`response.status === 204`) passes;
the wallet sees the network as reachable. No live request to Google.
- **Notification SVG fetches** → mockttp returns a placeholder SVG
(`<svg xmlns="http://www.w3.org/2000/svg"/>`). Icons render (visual
fidelity not asserted in E2E). No live request to
`raw.githubusercontent.com` for any token icon — current or future.
- **Native currency logo fetch** → same placeholder SVG. No live request
to `token.api.cx.metamask.io` for any chain's logo.
- `validateLiveRequests()` records **zero** leaks for these endpoints.

## **Pre-merge author checklist**

- [x] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile
Coding
Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I've included tests if applicable
- [x] I've documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [x] I've applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

#### Performance checks (if applicable)

- [ ] I've tested on Android
  - Ideally on a mid-range device; emulator is acceptable
- [ ] I've tested with a power user scenario
- Use these [power-user
SRPs](https://consensyssoftware.atlassian.net/wiki/spaces/TL1/pages/edit-v2/401401446401?draftShareId=9d77e1e1-4bdc-4be1-9ebb-ccd916988d93)
to import wallets with many accounts and tokens
- [ ] I've instrumented key operations with Sentry traces for production
performance metrics
- See [`trace()`](/app/util/trace.ts) for usage and
[`addToken`](/app/components/Views/AddAsset/components/AddCustomToken/AddCustomToken.tsx#L274)
for an example

For performance guidelines and tooling, see the [Performance
Guide](https://consensyssoftware.atlassian.net/wiki/spaces/TL1/pages/400085549067/Performance+Guide+for+Engineers).

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.


[MMQA-1778]:
https://consensyssoftware.atlassian.net/browse/MMQA-1778?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: changes are confined to the E2E mocking layer, replacing
live allowlisted static/health-check requests with deterministic mocks
(including adding default `HEAD` mocks).
> 
> **Overview**
> Reduces E2E live network allowlisting by removing specific
static/health-check URLs (Google `generate_204` and token SVG icon URLs)
from `mock-e2e-allowlist.ts` and handling them via default mocks
instead.
> 
> Adds `STATIC_ASSETS_MOCKS` with regex-based matchers that return a
`204` for `HEAD https://clients3.google.com/generate_204` and a minimal
SVG for GitHub contract-metadata and `token.api` native currency logo
`.svg` requests, and wires these into `DEFAULT_MOCKS` (including a new
`HEAD` entry).
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
7c90df2. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: chrisleewilcox

tests/api-mocking/mock-e2e-allowlist.ts

@@ -22,15 +22,7 @@ export const ALLOWLISTED_HOSTS = [
 
 export const ALLOWLISTED_URLS = [
   // Temporarily allow existing live requests during migration
-  'https://clients3.google.com/generate_204',
   'https://api.avax.network/ext/bc/C/rpc',
-  // Token SVGs in notifications list
-  'https://raw.githubusercontent.com/MetaMask/contract-metadata/master/images/usdc.svg',
-  'https://raw.githubusercontent.com/MetaMask/contract-metadata/master/images/shib.svg',
-  'https://raw.githubusercontent.com/MetaMask/contract-metadata/master/images/usdt.svg',
-  'https://token.api.cx.metamask.io/assets/nativeCurrencyLogos/ethereum.svg',
-  'https://raw.githubusercontent.com/MetaMask/contract-metadata/master/images/stETH.svg',
-  'https://raw.githubusercontent.com/MetaMask/contract-metadata/master/images/rETH.svg',
   'https://signature-insights.api.cx.metamask.io/v1/signature?chainId=0x539',
   'https://mainnet.era.zksync.io/',
   'https://rpc.atlantischain.network/',

tests/api-mocking/mock-responses/defaults/index.ts

@@ -31,6 +31,7 @@ import { TRENDING_API_MOCKS } from '../trending-api-mocks.ts';
 import { TX_SENTINEL_NETWORKS_MAP } from '../tx-sentinel-networks-map.ts';
 import { DIGEST_API_MOCKS } from './digest-api.ts';
 import { MONEY_ACCOUNT_MOCKS } from './money-account.ts';
+import { STATIC_ASSETS_MOCKS } from './static-assets.ts';
 
 // Get auth mocks
 const authMocks = getAuthMocks();
@@ -59,6 +60,7 @@ export const DEFAULT_MOCKS = {
     ...(TRENDING_API_MOCKS.GET || []),
     ...(DIGEST_API_MOCKS.GET || []),
     ...(MONEY_ACCOUNT_MOCKS.GET || []),
+    ...(STATIC_ASSETS_MOCKS.GET || []),
     // Chains Network Mock - Provides blockchain network data
     {
       urlEndpoint: 'https://chainid.network/chains.json',
@@ -205,4 +207,5 @@ export const DEFAULT_MOCKS = {
   ],
   DELETE: [],
   PATCH: [],
+  HEAD: [...(STATIC_ASSETS_MOCKS.HEAD || [])],
 };

tests/api-mocking/mock-responses/defaults/static-assets.ts

@@ -0,0 +1,27 @@
+import { MockEventsObject } from '../../../framework';
+
+const MINIMAL_SVG = '<svg xmlns="http://www.w3.org/2000/svg"/>';
+
+export const STATIC_ASSETS_MOCKS: MockEventsObject = {
+  HEAD: [
+    {
+      urlEndpoint: /^https:\/\/clients3\.google\.com\/generate_204$/,
+      responseCode: 204,
+      response: '',
+    },
+  ],
+  GET: [
+    {
+      urlEndpoint:
+        /^https:\/\/raw\.githubusercontent\.com\/MetaMask\/contract-metadata\/[^/]+\/images\/.+\.svg$/,
+      responseCode: 200,
+      response: MINIMAL_SVG,
+    },
+    {
+      urlEndpoint:
+        /^https:\/\/token\.api\.cx\.metamask\.io\/assets\/nativeCurrencyLogos\/.+\.svg$/,
+      responseCode: 200,
+      response: MINIMAL_SVG,
+    },
+  ],
+};