[pull] main from MetaMask:main by pull[bot] · Pull Request #548 · Reality2byte/metamask-mobile

pull · 2026-02-24T17:53:06Z

See Commits and Changes for more details.

Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

… list and remove leverage skeleton blink [TAT-2544 TAT-2454] cp-7.66.0 (#26052) - fix(perps): decouple home sort from market list and remove leverage skeleton blink [TAT-2544 TAT-2454] cp-7.66.0 (#25977) ## **Description** 1. Decouple Perps Home sorting from Market List sorting The Perps Home sections (Crypto, Stocks, Commodities, Forex) were reading the same sort preference that the Market List search writes to. This meant that when a user changed the sort in the market search (e.g., to "Funding Rate"), the home screen sections would also re-sort — which isn't the intended behavior. Home sections should always surface the highest-volume markets regardless of what the user does in search. The fix removes the dependency on `selectPerpsMarketFilterPreferences` in `usePerpsHomeData` and hardcodes the home sort to Volume descending. The Market List continues to use and persist its own sort preference independently. 2. Remove skeleton loader blink on leverage bottom sheet When adjusting leverage via the slider or preset buttons, the liquidation banner and liquidation price would rapidly toggle between a skeleton placeholder and the actual value. This created a jarring "blink" effect — especially during slider drags, where every tick triggered the skeleton. The current price row right below it just updates its value in place with no loading state, making the inconsistency more noticeable. The fix caches the last valid liquidation price and percentage in refs, so the UI always shows either the latest calculated value or the previously known one. On first open (before any calculation has completed), it shows -- as a placeholder instead of a skeleton shimmer. The banner colors (safe/caution/medium/high) are unaffected because they're driven by the leverage slider position, not the liquidation price calculation. ## **Changelog** CHANGELOG entry: Fixed a flickering skeleton loader on the leverage bottom sheet when adjusting leverage, and decoupled Perps Home sorting from the market search sort preference so home sections always sort by volume. ## **Related issues** Fixes: [TAT-2544](https://consensyssoftware.atlassian.net/browse/TAT-2544) Fixes: [TAT-2454](https://consensyssoftware.atlassian.net/browse/TAT-2454) ## **Manual testing steps** ```gherkin Feature: Perps Home sections sort independently from Market List Scenario: Home sections always sort by volume Given user is on the Perps Home screen When user opens the Market List and changes sort to "Funding Rate" And user navigates back to Perps Home Then all home sections (Crypto, Stocks, Commodities, Forex) remain sorted by descending volume Feature: Leverage bottom sheet liquidation display Scenario: No skeleton blink when dragging leverage slider Given user opens the leverage bottom sheet on any market When user drags the leverage slider back and forth Then the liquidation banner text and price update in place without skeleton flashing And the banner color transitions smoothly based on leverage risk level Scenario: No skeleton blink when tapping preset buttons Given user opens the leverage bottom sheet When user taps different preset leverage buttons (2x, 5x, 10x, etc.) Then the liquidation values tick to the new values without a skeleton placeholder appearing Scenario: Initial open shows placeholder Given user opens the leverage bottom sheet for the first time When the liquidation price has not yet been calculated Then the liquidation price and percentage show "--" until the first value arrives ``` ## **Screenshots/Recordings** https://github.com/user-attachments/assets/f69fdc60-82c9-479f-ba8d-7d7274b1713b https://github.com/user-attachments/assets/ea03375d-1803-4cc5-8066-2169b8e3b130 ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. [TAT-2544]: https://consensyssoftware.atlassian.net/browse/TAT-2544?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ  --- > [!NOTE] > **Medium Risk** > Touches user-facing trading UX and introduces timing/state logic around debounced async liquidation-price updates, which could regress displayed values if edge cases slip through. > > **Overview** > **Perps Home sorting is now fixed to volume defaults.** `usePerpsHomeData` no longer reads persisted market-list sort preferences and instead always sorts home sections by `Volume` with the default direction. > > **Leverage bottom sheet liquidation UI is reworked to avoid flicker and stale data.** The skeleton implementation is replaced with cached/placeholder display plus a recalculation state that only shows shimmer placeholders after user-initiated leverage changes (with a minimum display time to avoid stale async completions), while passive price updates keep showing the last valid value. Styling is tweaked with a fixed `minHeight` on the warning container to prevent layout shifts, and tests are updated/expanded to cover the new placeholder/skeleton behavior and stale-cache prevention. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 1e53413. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).  [f95e2bb](f95e2bb) [TAT-2544]: https://consensyssoftware.atlassian.net/browse/TAT-2544?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ Co-authored-by: Nick Gambino <35090461+gambinish@users.noreply.github.com>

… to toggle between Account Menu and legacy Settings (#26073) - feat(settings): cp-7.66.0 add feature flag to toggle between Account Menu and legacy Settings (#26032) ## **Description** This PR introduces the `mobileUxAccountMenu` feature flag to enable gradual rollout of the Account Menu feature. Originally we wanted to ship for this RC as is in this [PR](#25611) but we found some UI refinements were needed. The feature is being moved behind a feature flag and be hidden from this current RC and to allow for final design refinements for the next RC. **Why is this change required?** The Account Menu feature requires additional refinements before full release. A feature flag allows us to: - Control rollout via LaunchDarkly - Maintain backward compatibility with existing Settings flow - Iterate on design improvements without blocking the next release **What does this PR do?** Adds `selectAccountMenuEnabled` selector and `useAccountMenuEnabled` hook using the `mobileUxAccountMenu` remote feature flag - Implements conditional navigation: enabled → `AccountsMenuView`, disabled → legacy `Settings` - Hides duplicate sections in Settings when Account Menu is enabled (Permissions, Contacts, About MetaMask, Request Feature, Contact Support, Lock) - Hides SDK section in `SecuritySettings` when Account Menu is enabled - Adds unit tests for both enabled/disabled states - Reverts E2E spec files to pre-Account Menu state to avoid test skipping (4 files: account-syncing-settings-toggle, contact-sync-toggle, sync-users-contacts, test-snap-management). The E2E tests will be added again once the feature is ready ## **Changelog**  CHANGELOG entry: Added feature flag mobileUxAccountMenu to control Account Menu rollout ## **Related issues** Fixes: https://consensyssoftware.atlassian.net/browse/TMCU-397 ## **Manual testing steps** ```gherkin Scenario 1: Feature flag disabled (default behavior) Given the mobileUxAccountMenu feature flag is disabled When I tap the Settings tab in TabBar Then I should navigate to the legacy Settings screen And I should see all sections including Permissions, Contacts, About MetaMask, Request Feature, Contact Support, and Lock And I should see the SDK section in Security Settings Scenario 2: Feature flag enabled (new behavior) Given the mobileUxAccountMenu feature flag is enabled When I tap the Settings tab in TabBar Then I should navigate to the AccountsMenuView screen And the legacy Settings screen should hide duplicate sections (Permissions, Contacts, About MetaMask, Request Feature, Contact Support, Lock) And the SDK section should be hidden in Security Settings ``` ## **Screenshots/Recordings** Feature Flag Off https://github.com/user-attachments/assets/65e9a0a2-8c70-4d84-9f26-302d27d5b1c9 Feature Flag On https://github.com/user-attachments/assets/12503ba2-5219-4783-95c6-0fdef0ac8ecb ### **Before** `~` ### **After** `~` ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [x] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [x] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Medium Risk** > Changes Settings entry routing and conditional visibility of multiple Settings sections, which could break navigation paths or regress discoverability if the flag state is mis-evaluated. > > **Overview** > Introduces a new version-gated remote feature flag (`mobileUxAccountMenu`) via `selectAccountMenuEnabled` and `useAccountMenuEnabled` to control rollout of the Account Menu experience. > > Wires the flag into navigation so the Settings tab and `SettingsFlow` initial route switch between `AccountsMenu` and the legacy `Settings` screen, and conditionally hides legacy Settings/Security Settings sections (e.g., Permissions/Contacts/About/Support/Lock and the SDK connections section) when the account menu is enabled. > > Updates unit snapshots/tests and adjusts smoke/E2E flows to navigate into Settings without relying on Account Menu page objects. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 1c5dabc. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).  [3ef936b](3ef936b) Co-authored-by: Vince Howard <vincenguyenhoward@gmail.com>

… Activity Deposits tab cp-7.66.0 (#26102) - feat(perps): show wallet perps deposits in Activity Deposits tab cp-7.66.0 (#26020)  ## **Description** **Reason for the change:** Perps deposits initiated from the wallet (transaction types `perpsDeposit` and `perpsDepositAndOrder`) were not shown in the Perps Activity "Deposits" tab, so users could not see those deposits in one place. **Improvement/solution:** - **`transformWalletPerpsDepositsToTransactions`** in `transactionTransforms.ts` maps wallet `TransactionMeta` with type `perpsDeposit` or `perpsDepositAndOrder` into the existing `PerpsTransaction` format (deposit title, amount, status, txHash). It uses token transfer data and Arbitrum USDC decimals for amount display. - **`usePerpsTransactionHistory`** now reads wallet transactions and the selected address from Redux, filters to perps deposit types for the current account, runs them through the new transform, and merges the result with REST/live fills. Wallet deposits are included when there are no REST transactions and are merged with non-trade transactions, then everything is sorted by timestamp descending. - **Transaction util** supports `perpsDepositAndOrder` with the same action key and deposit-type handling as `perpsDeposit` so both types are treated as deposits in the app. ## **Changelog**  CHANGELOG entry: Perps Activity Deposits tab now includes wallet-originated perps deposits (deposit and deposit-and-order) for the selected account. ## **Related issues** Jira issue: https://consensyssoftware.atlassian.net/browse/TAT-2552 ## **Manual testing steps** ```gherkin Feature: Perps Activity Deposits tab Scenario: user sees wallet perps deposits in Deposits tab Given the user has completed at least one perps deposit (or deposit-and-order) from the wallet for the selected account When the user opens Perps, goes to Activity, and selects the Deposits tab Then the list includes those wallet deposits with correct amount, status, and timestamp, merged with any REST/live deposit data ``` ## **Screenshots/Recordings**  ### **Before**  ### **After**  <img width="1206" height="2622" alt="simulator_screenshot_2B9E7D82-CE2B-4308-BC1E-51358C7D296D" src="https://github.com/user-attachments/assets/a69992b1-0ae2-4db7-ba06-89c2018b77c0" /> ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Medium Risk** > Changes how perps activity history is assembled by merging Redux wallet transactions with backend history and adds txHash-based deduplication; mistakes could cause missing/duplicated deposits or incorrect amounts/status display. > > **Overview** > Perps Activity **Deposits** now includes wallet-originated perps deposits (`perpsDeposit` and `perpsDepositAndOrder`) for the selected account by pulling non-replaced wallet transactions from Redux, transforming them into `PerpsTransaction` deposits, and merging them into the existing REST/WebSocket activity feed. > > Adds `transformWalletPerpsDepositsToTransactions` to decode USDC transfer amounts/status from wallet `TransactionMeta`, introduces txHash-based deduping against REST deposits (prefer REST when both exist), and updates copy to use new i18n strings for deposit/withdrawal titles and statuses. Transaction utilities are updated so `perpsDepositAndOrder` is treated the same as `perpsDeposit`, and new unit tests cover transform behavior, merge inclusion, and deduplication. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 7e353d9. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).  --------- Co-authored-by: Cursor <cursoragent@cursor.com> [80802fa](80802fa) Co-authored-by: Michal Szorad <michal.szorad@consensys.net> Co-authored-by: Cursor <cursoragent@cursor.com>

… execution hook callback cp-7.66.0 (#26103) - fix(perps): show order submitted toast via execution hook callback cp-7.66.0 (#26063)  ## **Description** The "order submitted" toast was previously driven by a `useEffect` that watched `isPlacingOrder`, and was also triggered manually in the deposit-confirm path. That led to timing issues and possible duplicate toasts. In addition, `usePerpsOrderDepositTracking` was using `ToastContext` and calling `toastRef?.current?.closeToast()` on success/failure, which was brittle and coupled the hook to the toast implementation. **Changes:** 1. **usePerpsOrderExecution** – Added an optional `onSubmitted` callback, invoked when the order is successfully submitted to the exchange (before the position fetch). This gives a single, well-defined moment to show the "submitted" toast. 2. **PerpsOrderView** – Removed `hasShownSubmittedToastRef` and the `useEffect` that showed the submitted toast from `isPlacingOrder`. The view now passes an `onSubmitted` handler into `usePerpsOrderExecution` to show the toast. Removed the duplicate submitted toast and ref mutation from the deposit-confirm callback. 3. **usePerpsOrderDepositTracking** – Removed use of `ToastContext` and all `toastRef?.current?.closeToast()` calls. Rely on the normal toast flow (e.g. showing error/success toasts) instead of manually closing toasts. Dropped unused `useContext` and `ToastContext` imports. Result: one place shows the submitted toast (execution hook callback), no duplicate toasts, and deposit tracking no longer depends on the toast ref. ## **Changelog**  CHANGELOG entry: Fixed Perps order "submitted" toast timing and removed duplicate toasts when placing orders (including after deposit). ## **Related issues** Jira issue: https://consensyssoftware.atlassian.net/browse/TAT-2551 ## **Manual testing steps** ```gherkin Feature: Perps order submitted toast Scenario: user places a market order Given user is on Perps order view with a valid order form When user taps Place Order and the order is submitted to the exchange Then a single "order submitted" toast is shown And no duplicate submitted toasts appear And the toast does not disappear after a split of a second ``` ## **Screenshots/Recordings**  ### **Before**  ### **After**  https://github.com/user-attachments/assets/66bf7bdd-3152-47e8-a6f9-78177dbf5dd8 ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Medium Risk** > Changes the timing/source of the Perps "submitted" toast and removes manual toast closing in deposit tracking; low code footprint but affects user-visible order/deposit feedback paths that can regress via race conditions. > > **Overview** > Moves the Perps **"order submitted"** toast to a single, explicit `onSubmitted` callback from `usePerpsOrderExecution`, and removes the prior `isPlacing`-driven `useEffect`/deposit-confirm duplicate triggers in `PerpsOrderView` to prevent double toasts/timing issues. > > Decouples `usePerpsOrderDepositTracking` from `ToastContext` by removing `toastRef` usage and no longer forcibly closing toasts on success/failure, relying instead on normal toast replacement/updates. Adds targeted tests for the new submitted-toast callback behavior and for deposit tracking event/toast handling. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 5573e22. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).  --------- Co-authored-by: Cursor <cursoragent@cursor.com> [4e84939](4e84939) Co-authored-by: Michal Szorad <michal.szorad@consensys.net> Co-authored-by: Cursor <cursoragent@cursor.com>

…g when switching in Pay With modal cp-7.66.0 (#26130) - fix(perps): prevent payment token reverting when switching in Pay With modal cp-7.66.0 (#26120) ## **Description** When opening the Perps order view, the component syncs the transaction "pay token" from pending config (e.g. last selected payment token). The previous logic re-ran this sync on every effect run, so if the user changed the token in the "Pay With" modal, a later effect could overwrite their choice with the pending token again. **Changes:** - Pending config is now applied **once per load** (or when `initialAsset` changes). A ref tracks which pending token was already applied so we don’t overwrite the user’s in-session token selection. - When `initialAsset` changes (e.g. user switches from BTC to ETH), the "applied" state is reset so pending config is re-applied for the new asset. - When pending config has no selected token, `setSelectedPaymentToken(null)` is only called once, not on every effect run. This keeps the intended "restore from pending config" behavior on first load and on asset change, without undoing the user’s token choice when they’ve already changed it in the same session. ## **Changelog**  CHANGELOG entry: Fixed Perps order view reverting the user’s payment token selection to the pending config after they had changed it in the Pay With modal. ## **Related issues** Jira issue: https://consensyssoftware.atlassian.net/browse/TAT-2572 Fixes: #26118 ## **Manual testing steps** ```gherkin Feature: Perps order view pay token and pending config Scenario: user changes payment token and it is not overwritten by pending config Given user is on Perps order view with a pending payment token (e.g. USDC) And pay token is initially synced from pending config When user opens Pay With modal and selects a different token (e.g. DAI) Then the selected token remains DAI and is not reverted to the pending token (USDC) Scenario: pending config is re-applied when switching asset Given user is on Perps order view for asset BTC with pending token A And pay token was synced to token A When user switches to asset ETH (e.g. different market) and pending config has token B for ETH Then pay token is synced to token B for the new asset ``` ## **Screenshots/Recordings**  ### **Before**  ### **After** https://github.com/user-attachments/assets/f0d32725-e490-4379-a890-cec76f1691d6 ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Medium Risk** > Touches Perps order payment-token sync logic that drives transaction parameters; regression could cause incorrect token selection, but change is scoped and covered by new unit tests. > > **Overview** > Prevents the Perps order view from re-applying the *pending trade configuration* payment token on subsequent renders, which previously could revert a user’s in-session selection after using the Pay With modal. > > `PerpsPayRow` now tracks the last pending token applied via a `useRef`, only syncing it once per load and resetting when `initialAsset` changes; it also ensures `setSelectedPaymentToken(null)` is only dispatched once when no pending token exists. Tests were expanded to cover “apply once”, asset-switch re-apply, and no-repeat-null behavior. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 090eb88. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).  Co-authored-by: Cursor <cursoragent@cursor.com> [6c5d77a](6c5d77a) Co-authored-by: Michal Szorad <michal.szorad@consensys.net> Co-authored-by: Cursor <cursoragent@cursor.com>

…cp-7.66.0 (#26144) - New Crowdin translations by Github Action cp-7.66.0 (#26058)  --- > [!NOTE] > **Low Risk** > Localization-only JSON string updates with no code-path changes; risk is limited to missing/incorrect keys causing UI copy regressions. > > **Overview** > Refreshes `de.json`, `el.json`, and `es.json` with updated Crowdin translations, converting many remaining English UI strings to localized text across navigation, browser, transactions, token/market, card onboarding, and error states. > > Adds several new translation entries (e.g., `transactions.unavailable`, perps `activity.*`, `pay_with_modal.title_receive`, and additional confirmation/tooltip labels for predict withdraw/receive), though some newly introduced strings remain in English in these locales. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit af8c8dd. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).  Co-authored-by: metamaskbot <metamaskbot@users.noreply.github.com> [015406f](015406f) Co-authored-by: MetaMask Bot <37885440+metamaskbot@users.noreply.github.com> Co-authored-by: metamaskbot <metamaskbot@users.noreply.github.com>

…suggest deposit or different payment method cp-7.66.0 (#26153) - fix(perps): update no-funds error copy to suggest deposit or different payment method cp-7.66.0 (#26149) 1. **What is the reason for the change?** The previous error "No funds available. Please deposit first" was unclear when the user had some funds but not enough, and did not mention the option to choose another payment method. 2. **What is the improvement/solution?** Copy is updated to: "Not enough funds available. Deposit funds or select a different payment method". This clarifies insufficient (not zero) funds and explicitly suggests depositing or changing payment method. Only the English locale and the tests that assert on this string were updated. ## **Changelog** CHANGELOG entry: Fixed the Perps error message when funds are insufficient to show clearer guidance (deposit or select a different payment method). ## **Related issues** Fixes: Jira issue https://consensyssoftware.atlassian.net/browse/TAT-2569 ## **Manual testing steps** ```gherkin Feature: Perps order – insufficient funds messaging Scenario: user sees updated error when they have no/insufficient funds for selected payment method Given the user is on the Perps order flow with a payment method that has no or insufficient funds When the amount/payment state would show the "no funds" warning Then the message shown is "Not enough funds available. Deposit funds or select a different payment method" ``` ## **Screenshots/Recordings**  ### **Before**  ### **After** <img width="1206" height="2622" alt="simulator_screenshot_397C9500-3F3C-4165-A136-686935C8A0F1" src="https://github.com/user-attachments/assets/6f280947-fd5d-4316-a90b-3b7728bce2ec" /> ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Low Risk** > String-only localization change plus test updates; no business logic or data flow changes. > > **Overview** > Updates the English `perps.deposit.no_funds_available` copy to **“Not enough funds available. Deposit funds or select a different payment method”**. > > Adjusts Perps UI tests (`PerpsOrderView.test.tsx`, `PerpsAmountDisplay.test.tsx`) to assert on the new string. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit f033fc7. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).  Co-authored-by: Cursor <cursoragent@cursor.com> [2631fd7](2631fd7) Co-authored-by: Michal Szorad <michal.szorad@consensys.net> Co-authored-by: Cursor <cursoragent@cursor.com>

…okenDetails page cp-7.66.0 (#26154) - fix: fix marging value on OrderView from tokenDetails page (#26105) ## **Description** When navigating to the Perps order view from the **Token Details** page (Long/Short buttons), the margin value at the bottom of the order screen is permanently stuck at **$0**, regardless of the amount entered. This does not happen when entering from the Perps main flow (Market Details → Long/Short), because an earlier screen (`PerpsMarketStatisticsCard`) subscribes to price data with `includeMarketData: true`, which populates the `HyperLiquidSubscriptionService`'s `#marketDataCache` with oracle prices. ### Root cause The `marginRequired` calculation in `PerpsOrderView` uses `assetData.markPrice` (oracle price). This value comes from `usePerpsLivePrices` → `PriceStreamChannel` → `PerpsController.subscribeToPrices()`. However, the `PriceStreamChannel` **never passes `includeMarketData: true`** in its subscription. Without this flag, the `activeAssetCtx` WebSocket subscription is not created, the `#marketDataCache` stays empty, and `markPrice` is always `undefined` — resulting in a `$0` margin. When the user visits the Perps Market Details page first, `usePerpsMarketStats` subscribes with `includeMarketData: true`, which populates the shared singleton cache. Subsequent price updates from `allMids` then include `markPrice` from the cache. This is why the bug only manifests on a fresh app start when going directly from Token Details. ### Fix Added a `useEffect` in `PerpsOrderViewContentBase` that subscribes to `PerpsController.subscribeToPrices` with `includeMarketData: true` for the traded asset. This creates an `activeAssetCtx` WebSocket subscription that populates the `#marketDataCache` with the oracle price. The existing `usePerpsLivePrices` subscription then picks up `markPrice` from the cache on the next `allMids` update. This mirrors what `usePerpsMarketStats` already does on the Market Details page. ## **Changelog** CHANGELOG entry: Fixed perpetual trading margin display showing $0 when placing orders from the Token Details page ## **Related issues** Fixes: #26106 ## **Manual testing steps** ```gherkin Feature: my feature name Scenario: user [verb for user action] Given [describe expected initial app state] When user [verb for user action] Then [describe expected outcome] ``` ## **Screenshots/Recordings**  ### **Before**  https://github.com/user-attachments/assets/30213d59-b131-4459-8b74-d37f7f0e152f ### **After**  https://github.com/user-attachments/assets/c0fb6543-1744-46cf-9f92-128f8118cb2b ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I've included tests if applicable - [ ] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Low Risk** > Small, localized change that adds a single price subscription gated by controller initialization; main risk is unintended extra websocket subscription or missing cleanup, but it returns the provided unsubscribe. > > **Overview** > Fixes a Perps `OrderView` bug where margin stayed at `$0` when arriving from Token Details by adding a gated `useEffect` that calls `subscribeToPrices({ includeMarketData: true })` for the selected asset, ensuring `markPrice`/oracle price is available for margin calculation. > > Updates tests to mock the new direct `usePerpsConnection` import and the added `usePerpsTrading.subscribeToPrices` function so the view can mount cleanly under Jest. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 90b90ae. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).  [786871d](786871d) Co-authored-by: sahar-fehri <sahar.fehri@consensys.net>

…o Market when Limit selected cp-7.66.0 (#26165) - fix(perps): prevent order type reverting to Market when Limit selected cp-7.66.0 (#26131) ## **Description** When users changed the Perps order type from "Market" to "Limit" in the dropdown, it reverted back to "Market" after a few seconds. **Reason for the change:** The form state is restored from "pending config" (saved when leaving the order screen) so returning within 5 minutes restores amount, leverage, order type, etc. The restore effect ran whenever `pendingConfig` from Redux was truthy. If `pendingConfig` was missing on first run (e.g. first visit or expired) and appeared later (e.g. state rehydration or async load), the effect would run and overwrite the form with the saved config (often `orderType: 'market'`), undoing the user’s in-session choice of Limit. **Improvement/solution:** Restore from pending config only when it was already available on the first effect run. A ref `skippedRestoreBecausePendingConfigWasFalsy` is set when the effect runs with `pendingConfig` falsy. If `pendingConfig` becomes truthy later, we skip restore so the user’s current form choices (e.g. Limit) are not overwritten. Restore still works when the user returns to the screen with an existing valid pending config. ## **Changelog**  CHANGELOG entry: Fixed Perps order type reverting from Limit back to Market shortly after selection. ## **Related issues** Jira Issue: https://consensyssoftware.atlassian.net/browse/TAT-2574 ## **Manual testing steps** ```gherkin Feature: Perps order type selection Scenario: user selects Limit order and it stays selected Given user is on the Perps order screen (Market or asset view) When user opens the order type dropdown and selects "Limit" Then the order type remains "Limit" and does not revert to "Market" after a few seconds ``` ## **Screenshots/Recordings**  ### **Before**  ### **After**  https://github.com/user-attachments/assets/43042398-51e0-40a1-86f8-827b9f02659c ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Low Risk** > Small change to a UI state restoration `useEffect`; risk is limited to when/if pending config is applied, potentially affecting restore behavior in edge cases. > > **Overview** > Fixes a Perps order form bug where the user's in-session selections (notably switching to *Limit*) could be reverted when `pendingConfig` becomes available after initial render. > > The pending-config restore effect in `usePerpsOrderForm` is changed to run only once on mount (empty dependency array), removing the ref-based "restore once when `pendingConfig` becomes truthy" behavior and avoiding later state overwrites of `amount`, `leverage`, TP/SL, `limitPrice`, and `type`. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 30bd276. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).  --------- Co-authored-by: Cursor <cursoragent@cursor.com> [90b9057](90b9057) Co-authored-by: Michal Szorad <michal.szorad@consensys.net> Co-authored-by: Cursor <cursoragent@cursor.com>

…creen on Android cp-7.66.0 (#26176) - fix(ramps): prevents blank "DepositRoot" screen on Android cp-7.66.0 (#26140)  ## **Description** Fixes a bug where clicking "Buy" / "Add Funds" on Android lands on a blank screen showing only "DepositRoot" in the header, instead of proceeding to the Buy flow. ### Root Cause When the V1 unified buy flag is enabled, selecting a token routes to the Deposit flow's `Root` component. This component renders nothing (`return null`) and relies on an async `useEffect` to check for an existing auth token via `SecureKeychain.getSecureItem()` before navigating to `BuildQuote`. On Android, the Keystore operation can hang indefinitely in certain device states, causing `initializeFlow` to never complete — leaving the user stuck on a blank screen. ### Changes - **Added a 5-second timeout** around `checkExistingToken()` so the flow continues even if the Android Keystore hangs - **Added `.catch()` error handling** on `initializeFlow()` so any unexpected failure falls back to navigating to `BuildQuote` instead of leaving the user stranded - **Replaced `return null` with a loading spinner** so users see visual feedback during initialization instead of a blank page - **Fixed variable shadowing** of `params` inside the effect (renamed to `navParams`) - **Added test coverage** for the error fallback path  ## **Changelog**  CHANGELOG entry: Fixes a buy navigation bug on Android and adds a loading spinner ## **Related issues** Fixes: #26079 ## **Manual testing steps** ```gherkin Feature: my feature name Scenario: user [verb for user action] Given [describe expected initial app state] When user [verb for user action] Then [describe expected outcome] ``` ## **Screenshots/Recordings**  ### **Before**  ### **After**  ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I've included tests if applicable - [ ] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Medium Risk** > Changes deposit-flow routing during initialization and adds timeout-based fallback behavior; regressions could misroute users, but impact is limited to the deposit entry path and is covered by tests. > > **Overview** > Fixes the `Deposit` flow `Root` initialization to avoid getting stuck on a blank screen when `checkExistingToken()` hangs or fails. Token checking is now wrapped with a **5s timeout**, errors are **caught and logged** with a fallback navigation to `BUILD_QUOTE`, and the screen renders a **centered loading spinner** instead of `null`. > > Updates navigation param handling to avoid shadowing (`navParams`), and extends tests/snapshots with coverage for the rejection fallback path. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 826a10b. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).  [727bf6e](727bf6e) Co-authored-by: George Weiler <georgejweiler@gmail.com>

…released version cp-7.66.0 (#26228)

…vbar icons cp-7.66.0 (#26241) - fix: ButtonIconSize for mUSD conversion navbar icons cp-7.66.0 (#26238) ## **Description** Update earn flow header icons from `ButtonIconSize.Lg` to `ButtonIconSize.Md` for the mUSD conversion navbar (`ArrowLeft` back button and `Info` button). The icons were rendering too large due to using the wrong size enum value. **Reason for change:** The mUSD conversion navbar icons were visually oversized, using `ButtonIconSize.Lg` instead of the correct `ButtonIconSize.Md`. **Cherry-pick target:** This fix needs to be cherry-picked into the latest release branch. ```bash git cherry-pick f9cea7c ``` Target branch: `release/7.66.0` --- [Slack Thread](https://consensys.slack.com/archives/C0354T27M5M/p1770909295687339?thread_ts=1770909295.687339&cid=C0354T27M5M) ## **Changelog** CHANGELOG entry: Fixed mUSD conversion navbar icons to use the correct button icon size ## **Related issues** Fixes: ## **Manual testing steps** ```gherkin Feature: Earn mUSD conversion navbar icons Scenario: user views the mUSD conversion navbar Given the user has navigated to the Earn mUSD conversion screen When user views the navbar header Then the back (ArrowLeft) and info (Info) icons should display at medium size (Md) And the icons should not appear oversized ``` ## **Screenshots/Recordings**  ### **Before**  ### **After**  ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I've included tests if applicable - [ ] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: George Marshall <georgewrmarshall@users.noreply.github.com> [3ad50cd](3ad50cd)  --- > [!NOTE] > **Low Risk** > Purely visual sizing change to two navbar icons with no impact on business logic or data handling. > > **Overview** > Adjusts the Earn mUSD conversion screen navbar icons to render at the correct size by changing the `ArrowLeft` back button and `Info` button from `ButtonIconSize.Lg` to `ButtonIconSize.Md` in `useMusdConversionNavbar`. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 7c4dd1e. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).  Co-authored-by: George Marshall <george.marshall@consensys.net> Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: George Marshall <georgewrmarshall@users.noreply.github.com>

…nd claim amount tracking for merkl bonus claim… (#26257) - feat: cp-7.66.0 MUSD-347 added tx status and claim amount tracking for merkl bonus claim… (#26234)  ## **Description** Added  Adds analytics tracking for Merkl bonus claim transaction status updates. Tracking includes transaction and network context and claimed amount. ## **Changelog**  CHANGELOG entry: added claim status event tracking for bonus claim flow ## **Related issues** Fixes: [MUSD-347: Add missing claim tracking ahead of release](https://consensyssoftware.atlassian.net/browse/MUSD-347) ## **Manual testing steps** ```gherkin Feature: Merkl bonus claim status event tracking Scenario: user submits and confirms a Merkl bonus claim Given user submits a Merkl bonus claim transaction on a supported network When the transaction status updates from approved to confirmed Then a claim bonus status updated analytics event is tracked for each status And the event includes transaction id, status, type, network chain id, network name, and claimed mUSD amount Scenario: user’s Merkl bonus claim does not complete Given user submits a Merkl bonus claim transaction When the transaction status becomes failed or dropped Then a claim bonus status updated analytics event is tracked with the final status And the event includes the same transaction and network context with claim amount when available ``` ## **Screenshots/Recordings**  ### **Before**  N/A ### **After**  ## **Pre-merge author checklist** N/A - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Medium Risk** > Adds new analytics + contract-read logic during Merkl claim status updates; failures are handled but it increases network/async surface area that could impact performance or event accuracy. > > **Overview** > Adds MetaMetrics tracking for Merkl bonus claim lifecycle updates in `useMerklClaimStatus`, emitting `MUSD_CLAIM_BONUS_STATUS_UPDATED` on `approved`/`confirmed`/`failed`/`dropped` with transaction + network context and (when available) `amount_claimed_decimal`. > > Introduces `getUnclaimedAmountForMerklClaimTx` in `utils/musd` to derive unclaimed/claimable amount by decoding tx calldata and reading already-claimed from the distributor contract (with caching in the hook and partial-data fallback on errors). Network name resolution is centralized into a new `utils/network` helper and reused by both bonus-claim and conversion tracking, and `useMerklClaimAmount` is refactored to use the shared unclaimed-amount helper; unit tests are added/expanded to cover analytics, caching, error paths, and network-name behavior. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 334a011. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).  [5a30a48](5a30a48) Co-authored-by: Matthew Grainger <46547583+Matt561@users.noreply.github.com>

… calls (#26266) - fix: cp-7.66.0 deduplicate getSeasonStatus calls (#26256)  ## **Description** Deduplicate getSeasonStatus calls when navigating to Rewards tab  ## **Changelog**  CHANGELOG entry: null ## **Related issues** Fixes: ## **Manual testing steps** ```gherkin Feature: my feature name Scenario: user [verb for user action] Given [describe expected initial app state] When user [verb for user action] Then [describe expected outcome] ``` ## **Screenshots/Recordings**  ### **Before**  ### **After**  ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [x] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [x] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Low Risk** > Small, localized change to Rewards UI data-fetch triggering; main risk is stale season status if no other screen initiates a fetch in some navigation paths. > > **Overview** > Prevents duplicate season-status network calls by switching `useSeasonStatus` usage in `SeasonStatus` and `PreviousSeasonSummary` to *explicit-only* mode (`onlyForExplicitFetch: true`). > > These views now rely on manual retry via their existing error banners (and/or the navigator-level fetch) instead of triggering additional focus-based refreshes. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 6ba8710. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).  [523bcf8](523bcf8) Co-authored-by: sophieqgu <37032128+sophieqgu@users.noreply.github.com>

…ring wallet creation #26002 (#26286) - fix: Prompt for biometric access on iOS during wallet creation - cp-7.65.0 (#26002)  ## **Description**  This PR addresses a regression on 7.65.0 where biometrics access is no longer prompted on wallet creation for iOS. The change here adds that back, which should result in a more intuitive user experience + makes it consistent with Android. This is an improvement relative to the code that was removed in #24496 since we're now detecting the auth type prior to the password being stored rather than triggering two storage actions. ## **Changelog**  CHANGELOG entry: ## **Related issues** Fixes: #25998 ## **Manual testing steps** Allowing biometrics - Will be prompted ask for biometric access on wallet creation - If allowed, unlock access control will be stored using biometrics - Future unlock triggers biometrics Rejecting biometrics - Will be prompted ask for biometric access on wallet creation - If rejected, unlock access control will not be stored, forcing user to use password - Future unlock falls back to password entry ## **Screenshots/Recordings**  ### **Before**  ### **After**  Allowing biometrics https://github.com/user-attachments/assets/9a05e870-b1fe-465e-ba8c-6b565198ed9e Rejecting biometrics https://github.com/user-attachments/assets/9ce0be47-2aaf-4ce3-bf6e-c0386559546c ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [x] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [x] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Medium Risk** > Touches authentication method selection and keychain password storage/fallback paths used during onboarding/import/reset, so mistakes could impact how users are prompted and how unlock methods are persisted; changes are well-covered by updated tests but span multiple critical flows. > > **Overview** > Restores an explicit iOS biometric prompt during wallet creation/import by introducing `Authentication.requestBiometricsAccessControlForIOS` and invoking it from `ChoosePassword` and `ImportFromSecretRecoveryPhrase`, falling back to `PASSWORD` when the user declines/cancels. > > Refactors password persistence by removing `updateAuthTypeStorageFlags` and `storePasswordWithFallback`, making `Authentication.storePassword` public and adding an optional fallback-to-password retry used by `newWalletAndKeychain`/`newWalletAndRestore`/Reset Password. Updates OAuth rehydration and reset-password flows/tests accordingly, and adds/adjusts unit tests to cover iOS decline/success and fallback behavior. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 5639099. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).  [ff37603](ff37603) Co-authored-by: Cal Leung <cal.leung@consensys.net>

…sync password TO-523 cp-7.66.0 (#26290) - fix: fallbackToPassword for rehydrate and sync password TO-523 cp-7.66.0 (#26133)  ## **Description** Fallback to password on biometric failure for rehydrate and sync password flow. Due to removal of biometric switch on Login Screen and OAuthRehydrate screen, user is required to enable biometric to navigate to Home wallet screen after rehydrate or password changed Biometric failure would causing user to fallback or OAuthRehydrate Screen. Similar behaviour for sync password flow that cause fallback to OAuthRehydrate or Login Screen.  ## **Changelog**  CHANGELOG entry: ## **Related issues** Fixes: #26208 ## **Manual testing steps** ```gherkin Feature: my feature name Scenario: user login with social rehydrate and cancel biometric Given user login with social rehydrate When user cancel biometric Then should login with password only ``` ## **Screenshots/Recordings**  ### **Before**  https://github.com/user-attachments/assets/e6f4ad88-b27c-498f-9baa-223041cdc090 ### **After**  https://github.com/user-attachments/assets/75759451-fb44-4f26-af5a-2e66f347d3a3 ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Medium Risk** > Touches authentication preference persistence and post-login behavior for seedless rehydrate/password-sync flows; mistakes could regress unlock or biometric enablement paths, but changes are scoped and covered by new tests. > > **Overview** > Improves seedless rehydration and password-sync login flows by propagating a new `fallbackToPassword` flag through `Authentication.unlockWallet` → `updateAuthPreference`/`storePassword`, so biometric preference updates can intentionally fall back to plain password storage when those flows occur. > > Adds user-facing alerts on `Login` and `OAuthRehydration` after a successful unlock when biometrics were expected but the device ended up on `PASSWORD` while biometry is available, prompting users to re-set up biometrics. Updates `useAuthentication` to expose `checkIsSeedlessPasswordOutdated`, adds the new alert strings, and extends unit tests to cover the new fallback/alert behavior and case-insensitive error matching in OAuth rehydration tests. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 4db0683. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).  --------- Co-authored-by: himanshu <himanshuchawla2014@gmail.com> [e711e5c](e711e5c) --------- Co-authored-by: ieow <4881057+ieow@users.noreply.github.com> Co-authored-by: himanshu <himanshuchawla2014@gmail.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

…28hj-76wf cp-7.66.0 (#26427) - chore: allow list audit finding GHSA-378v-28hj-76wf cp-7.66.0 (#26386) add bn.js affected by an infinite loop. No fix available yet (latest is 5.2.1, affected <=5.2.3). Suppressing for now to unblock CI. GHSA-378v-28hj-76wf  ## **Description**  ## **Changelog**  CHANGELOG entry: null ## **Related issues** Fixes: ## **Manual testing steps** ```gherkin Feature: my feature name Scenario: user [verb for user action] Given [describe expected initial app state] When user [verb for user action] Then [describe expected outcome] ``` ## **Screenshots/Recordings**  ### **Before**  ### **After**  ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I've included tests if applicable - [ ] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Low Risk** > Configuration-only change to suppress a specific audit warning; no runtime logic changes, but it reduces audit signal for this known issue. > > **Overview** > Updates Yarn config to ignore the `bn.js` npm audit advisory `GHSA-378v-28hj-76wf` (ID `1113402`) in `npmAuditIgnoreAdvisories`, to unblock CI until a fix is available. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 6560f97. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).  [ebce642](ebce642) Co-authored-by: sethkfman <10342624+sethkfman@users.noreply.github.com>

…ted to super bowl banner on carousel (#26375) - chore(predict): cp-7.66.0 remove code related to super bowl banner on carousel (#26363)  ## **Description** The Carousel previously had special handling for the Predict Superbowl banner: it could replace the entire carousel with a single `PredictMarketSportCardWrapper` when a Superbowl slide with a `marketId` was present, and hid that slide from the normal carousel. This change removes that integration. **What changed:** - **Carousel (`index.tsx`):** Removed Predict/Superbowl imports, the `predictSuperbowlSlide` and `predictSuperbowlMarketId` memos, the early return that rendered `PredictMarketSportCardWrapper`, the filter that excluded `PREDICT_SUPERBOWL_VARIABLE_NAME` from visible slides, and the `handleSportCardDismiss` / `handlePredictSuperbowlLoad` callbacks (including "Banner Display" tracking for the Superbowl card). - **Tests (`index.test.tsx`):** Removed the `PredictMarketSportCardWrapper` mock, the `PREDICT_SUPERBOWL_VARIABLE_NAME` import, and the entire "Carousel Predict Superbowl Integration" describe block and its five tests (render with/without marketId, props, tracking). The Carousel no longer has any Superbowl-specific behavior; any such slides from Contentful would now be treated as normal carousel slides.  ## **Changelog**  CHANGELOG entry: null ## **Related issues** Fixes: ## **Manual testing steps** ```gherkin Feature: my feature name Scenario: user [verb for user action] Given [describe expected initial app state] When user [verb for user action] Then [describe expected outcome] ``` ## **Screenshots/Recordings**  ### **Before**  ### **After**  ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I've included tests if applicable - [ ] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Low Risk** > Removes a time-bound/feature-specific code path and its tests without touching core navigation or data handling; main risk is unintended behavior if Contentful still serves Superbowl slides. > > **Overview** > Removes the Carousel’s special-case Predict Superbowl behavior so it no longer replaces the carousel with a `PredictMarketSportCardWrapper` when a Superbowl slide is present. > > This deletes Superbowl-specific slide detection/metadata handling, explicit filtering of the Superbowl slide from `visibleSlides`, and related dismiss/load callbacks + “Banner Display” tracking. The test suite is updated by dropping the Predict Superbowl mock and all associated integration tests. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 4bde723. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).  [6eb88ac](6eb88ac) Co-authored-by: Caainã Jeronimo <caainaje@gmail.com>

) ## **Description** Pull-to-refresh gesture was intercepting taps on buttons near the top of the page (e.g., Polymarket "Sign Up" / "Log In" buttons). The gesture handler called `stateManager.activate()` immediately in `onTouchesDown` for the pull zone (`y < 50px`), stealing the touch from the WebView before knowing whether the user intended to tap or pull. ### Changes **Deferred activation for pull-to-refresh**: Instead of activating immediately, the gesture enters a `pending_refresh` state in `onTouchesDown`. New `onTouchesMove` and `onTouchesUp` handlers measure the movement delta: - Downward movement >10px → activate pull-to-refresh - Horizontal/upward movement >10px → fail and let WebView handle - Finger lifts with <10px movement (tap) → fail and let WebView handle **`Gesture.Simultaneous` instead of `Gesture.Race`**: Deferred activation requires that the Native gesture (WebView scroll) does not cancel our Pan while it is deciding. `Gesture.Simultaneous` allows both to run independently — taps pass through to the WebView while our Pan stays in BEGAN state deciding, and when Pan activates for a real pull at the top of the page, the WebView has nothing to scroll so both coexist without visual conflict. ### Why not other approaches - `Gesture.Race` + deferred activation: Native wins the race and cancels Pan before `onTouchesMove` fires - `Gesture.Race` + immediate activation + synthetic JS click replay: Pull-to-refresh works but synthetic events have `isTrusted = false` — React ignores them - `Gesture.Exclusive` + deferred activation: Blocks Native while Pan is in BEGAN — nothing works ## **Changelog** CHANGELOG entry: Fixed pull-to-refresh gesture intercepting taps on buttons near the top of the page in the in-app browser ## **Related issues** Fixes: https://consensyssoftware.atlassian.net/browse/MCWP-352 ## **Manual testing steps** ```gherkin Feature: Browser gesture tap passthrough Scenario: User taps a button near the top of a webpage Given the user is on polymarket.com in the in-app browser And the page is scrolled to the top (not scrolled at all) When user taps the "Log In" or "Sign Up" button Then the login/signup modal should appear Scenario: User pulls to refresh from the top of the page Given the user is on any webpage in the in-app browser And the page is scrolled to the top When user places finger near the top of the page and drags downward Then the refresh indicator should appear And the page should reload when pulled past the threshold Scenario: User swipes back from the left edge Given the user has navigated to at least one page in the in-app browser When user swipes from the left edge of the screen toward the right Then the browser should navigate back to the previous page Scenario: User swipes forward from the right edge Given the user has navigated back at least once in the in-app browser When user swipes from the right edge of the screen toward the left Then the browser should navigate forward Scenario: User scrolls normally in the center of the page Given the user is on any webpage in the in-app browser When user scrolls up or down in the center of the page Then the page should scroll normally without triggering any gestures ``` ## **Screenshots/Recordings** ### **Before**  ### **After**  https://github.com/user-attachments/assets/75c70094-6f39-4086-aab4-368cc6b81177 ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [x] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [x] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Medium Risk** > Changes low-level gesture activation/composition for the in-app browser, which can subtly affect navigation/scroll behavior across platforms; covered by expanded unit tests but still user-interaction sensitive. > > **Overview** > Fixes in-app browser pull-to-refresh stealing taps near the top of the WebView by **deferring refresh gesture activation**: touches in the pull zone now enter a `pending_refresh` state and only activate refresh after a downward move beyond `PULL_MOVE_ACTIVATION` (10px), otherwise failing on tap, horizontal, or upward movement. > > Switches the WebView gesture composition from `Gesture.Race` to **`Gesture.Simultaneous`** so the WebView’s native gesture can continue handling taps/scroll while the Pan gesture decides whether to activate, and adds comprehensive unit test coverage for the new touch-move/up paths plus the new constant in `constants.ts`. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 4592322. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).   ## **Description**  ## **Changelog**  CHANGELOG entry: ## **Related issues** Fixes: ## **Manual testing steps** ```gherkin Feature: my feature name Scenario: user [verb for user action] Given [describe expected initial app state] When user [verb for user action] Then [describe expected outcome] ``` ## **Screenshots/Recordings**  ### **Before**  ### **After**  ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I've included tests if applicable - [ ] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. Co-authored-by: Aslau Mario-Daniel <marioaslau@gmail.com>

…sion and musd_claim transaction types to transaction-controller metrics_properties (#26433) - feat: cp-7.66.0 MUSD-357 added musd_conversion and musd_claim transaction types to transaction-controller metrics_properties (#26383)  ## **Description** Added musd_conversion and musd_claim transaction types to transaction-controller metrics_properties  ## **Changelog**  CHANGELOG entry: added musd_conversion and musd_claim transaction types to transaction-controller metrics_properties ## **Related issues** Fixes: [MUSD-357: Add musdConversion and musdClaim Transaction Types to "Transaction *" Events](https://consensyssoftware.atlassian.net/browse/MUSD-357) ## **Manual testing steps** ```gherkin Feature: mUSD transaction analytics classification Scenario: user submits mUSD conversion or claim transaction Given user has an mUSD conversion or mUSD claim transaction in the wallet flow When the wallet emits general transaction lifecycle events Then analytics include a specific transaction_type value And transaction_type is "musd_conversion" for conversion transactions And transaction_type is "musd_claim" for claim transactions ``` ## **Screenshots/Recordings**  ### **Before**  N/A ### **After**  N/A ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Low Risk** > Small, additive change limited to analytics `transaction_type` labeling plus test coverage; low risk aside from potential downstream dashboard/event-name expectations. > > **Overview** > Adds analytics classification for nested mUSD transactions by mapping `TransactionType.musdConversion` and `TransactionType.musdClaim` to `transaction_type` values `musd_conversion` and `musd_claim` in `getTransactionTypeValue`. > > Extends the existing parameterized test to cover these new nested transaction type mappings. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 3aa4ee5. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).  [435a464](435a464) Co-authored-by: Matthew Grainger <46547583+Matt561@users.noreply.github.com>

…cation permission. (#23759)" This reverts commit ddd333c.

Cherry-pick #26015 into `7.65.0` release. Applies a Yarn patch to `@metamask/transaction-pay-controller` instead of bumping controller version to avoid unrelated changes. CHANGELOG entry: null Fixes: #25972 - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Medium Risk** > Touches transaction-pay quoting/totals and stablecoin detection, which can affect displayed costs and max-amount behavior across networks; mitigated by being a targeted patch and limited app-side changes. > > **Overview** > Fixes transaction pay quote/total calculations by **patching `@metamask/transaction-pay-controller` 12.1.0** rather than bumping the dependency. > > The patch centralizes a multi-chain `STABLECOINS` list, treats stablecoins as $1 in token fiat-rate logic, and changes `targetAmount` across quotes/totals to be a `FiatValue` summed via `sumFiat` (avoiding incorrect max/totals math). Relay quote normalization now accounts for `fees.subsidized` by zeroing provider fees when subsidized and optionally including the subsidized amount in the computed target fiat value; Bridge normalization aligns `targetAmount` to fiat-only as well. > > On the mobile side, `useTokenFiatRates` now uses a stablecoin allowlist (Mainnet/Arbitrum/Linea/Polygon) to return a fixed USD rate of `1`, and the related unit test is generalized accordingly. The Transaction Pay controller messenger drops the unused `TokenListController:getState` action, and `package.json`/`yarn.lock` are updated to consume the patched controller via Yarn’s `patch:` protocol. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 61d257e. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).

This PR updates the change log for 7.65.0. (Hotfix - no test plan generated.) --------- Co-authored-by: metamaskbot <metamaskbot@users.noreply.github.com> Co-authored-by: João Loureiro <175489935+joaoloureirop@users.noreply.github.com>

This PR updates the change log for 7.66.0. (Hotfix - no test plan generated.) Co-authored-by: metamaskbot <metamaskbot@users.noreply.github.com> Co-authored-by: João Loureiro <175489935+joaoloureirop@users.noreply.github.com>

# 🚀 v7.66.0 Testing & Release Quality Process Hi Team, As part of our new **MetaMask Release Quality Process**, here’s a quick overview of the key processes, testing strategies, and milestones to ensure a smooth and high-quality deployment. --- ## 📋 Key Processes ### Testing Strategy - **Developer Teams:** Conduct regression and exploratory testing for your functional areas, including automated and manual tests for critical workflows. - **QA Team:** Focus on exploratory testing across the wallet, prioritize high-impact areas, and triage any Sentry errors found during testing. - **Customer Success Team:** Validate new functionalities and provide feedback to support release monitoring. ### GitHub Signoff - Each team must **sign off on the Release Candidate (RC)** via GitHub by the end of the validation timeline (**Tuesday EOD PT**). - Ensure all tests outlined in the Testing Plan are executed, and any identified issues are addressed. ### Issue Resolution - **Resolve all Release Blockers** (Sev0 and Sev1) by **Tuesday EOD PT**. - For unresolved blockers, PRs may be reverted, or feature flags disabled to maintain release quality and timelines. ### Cherry-Picking Criteria - Only **critical fixes** meeting outlined criteria will be cherry-picked. - Developers must ensure these fixes are thoroughly reviewed, tested, and merged by **Tuesday EOD PT**. --- ## 🗓️ Timeline and Milestones 1. **Today (Friday):** Begin Release Candidate validation. 2. **Tuesday EOD PT:** Finalize RC with all fixes and cherry-picks. 3. **Wednesday:** Buffer day for final checks. 4. **Thursday:** Submit release to app stores and begin rollout to 1% of users. 5. **Monday:** Scale deployment to 10%. 6. **Tuesday:** Full rollout to 100%. --- ## ✅ Signoff Checklist Each team is responsible for signing off via GitHub. Use the checkbox below to track signoff completion: # Team sign-off checklist - [x] Accounts Framework - [x] Assets - [x] Bots Team - [x] Card - [x] Confirmations - [x] Core Platform - [x] Design System - [x] Earn - [x] Engagement - [x] Mobile Platform - [x] Mobile UX - [x] Network Enablement - [x] Networks - [x] Onboarding - [x] Perps - [x] Predict - [x] Ramp - [x] Rewards - [x] Swaps and Bridge - [x] Wallet Integrations This process is a major step forward in ensuring release stability and quality. Let’s stay aligned and make this release a success! 🚀 Feel free to reach out if you have questions or need clarification. Many thanks in advance # Reference - Testing plan sheet - https://docs.google.com/spreadsheets/d/1tsoodlAlyvEUpkkcNcbZ4PM9HuC9cEM80RZeoVv5OCQ/edit?gid=404070372#gid=404070372  --- > [!NOTE] > **Medium Risk** > Touches CI/build workflows and signing setup (AWS Secrets Manager), plus changes account-discovery and settings side effects, so misconfiguration could break builds or alter onboarding behavior; code changes are otherwise localized and mostly additive. > > **Overview** > **Build/CI pipeline changes for release:** moves build configuration to root `builds.yml`, adds `main-beta` plus `signing` metadata per build, and updates workflows to load config/secrets from the new location and run builds via generated yarn scripts with retries, new iOS runner, Android CI Gradle properties, and longer timeouts. > > **Signing & test infrastructure:** introduces a composite GitHub Action `configure-signing` that assumes an AWS role and pulls signing materials from AWS Secrets Manager for Android/iOS, and migrates Detox/E2E paths from `e2e/` to `tests/` (artifacts, reports, lint ignores, workflows, scripts, CODEOWNERS) along with tweaks to smart E2E selection skipping and performance-test output locations. > > **App/test updates:** bumps Android version to `7.66.0`, adds `HeaderCollapsible` (plus hook, stories, and unit tests) to the component library, makes `importNewSecretRecoveryPhrase` always kick off async account discovery with callback reporting (removing state-2 branching), makes `toggleBasicFunctionality` always call `MultichainAccountService.setBasicFunctionality`, and adds a new security setting action/state field `osAuthEnabled`. > > **Developer tooling/docs:** expands unit-testing guidelines (testIDs, matchers, act usage), updates component-view testing docs reference, adds ESLint restriction to import perps controller via `@metamask/perps-controller`, and updates depcheck ignores (including `jest-junit` and perps alias). > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 7927829. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).

This PR syncs the stable branch to main for version 7.68.0. *Synchronization Process:* - Fetches the latest changes from the remote repository - Resets the branch to match the stable branch - Attempts to merge changes from main into the branch - Handles merge conflicts if they occur *File Preservation:* Preserves specific files from the stable branch: - CHANGELOG.md - bitrise.yml - android/app/build.gradle - ios/MetaMask.xcodeproj/project.pbxproj - package.json Indicates the next version candidate of main to 7.68.0  --- > [!NOTE] > **Low Risk** > Documentation-only update to `CHANGELOG.md`; no runtime code paths or configuration are modified. > > **Overview** > Updates `CHANGELOG.md` to add a new `7.66.0` release section with its *Added* and *Fixed* notes, and updates the compare links so `[Unreleased]` now diff from `v7.66.0` and includes a new `[7.66.0]` link. > > Also fixes a minor formatting issue in the `7.64.1` entry (duplicate dash/indent). > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit b37d807. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).

…ail page (#26223) ## **Description** Show the received token symbol and amount in the Activity list, and transaction detail page for post-quote predict withdrawals. Previously these surfaces only showed a generic USD amount; now they resolve the destination token from `metamaskPay` and display it alongside the fiat value. Also relabels "Paid with" → "Receive token", "Bridge fee" → "Provider fee", and "Total" → received total for predict withdraw transactions. Extracted the post-quote display derivation logic in `TransactionElement/utils.js` into a standalone `getPostQuoteDisplay` function. ## **Changelog** CHANGELOG entry: Show withdraw token + amount in activity and on transaction detail page ## **Related issues** Fixes: MetaMask/MetaMask-planning#6968 MetaMask/MetaMask-planning#6969 ## **Manual testing steps** ```gherkin Feature: Predict withdraw any-token UI Scenario: user completes a post-quote predict withdrawal Given the user has a Predict position and initiates a withdraw to an ERC-20 token When the withdrawal transaction confirms The Activity list row shows the received token amount and fiat value And the transaction detail page shows "Receive token" instead of "Paid with" And the transaction detail page shows "Provider fee" instead of "Bridge fee" And the total row reflects the received amount (targetFiat) ``` ## **Screenshots/Recordings** ### **Before** ### **After** Activity list item: <img width="436" height="80" alt="image" src="https://github.com/user-attachments/assets/1f08860d-453f-4029-8138-9644a0dcb122" /> Transaction detail page: <img width="441" height="592" alt="image" src="https://github.com/user-attachments/assets/c4b343e0-46c2-4575-806a-7dd12321a184" /> ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I've included tests if applicable - [ ] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Medium Risk** > Touches transaction/activity rendering and derives display amounts from exchange-rate selectors and global store state, so incorrect/missing rates or edge-case metadata could lead to wrong amounts/labels being shown. > > **Overview** > Post-quote `predictWithdraw` activity items now show the **received token symbol + derived token amount** (computed from `metamaskPay.targetFiat` plus on-chain USD/token rates) instead of only a generic USD value, and the network badge uses the destination `metamaskPay.chainId`. > > Transaction details copy is adjusted for withdraw flows: **"Paid with" → "Receive token"** when `metamaskPay.isPostQuote` is set, **"Bridge fee" → "Provider fee"** for `predictWithdraw`, and the total row prefers `metamaskPay.targetFiat` over `totalFiat` for receive-type transactions. Tests were updated/expanded accordingly and new i18n strings were added. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 3cfe91e. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).  --------- Signed-off-by: dan437 <80175477+dan437@users.noreply.github.com> Co-authored-by: Cursor <cursoragent@cursor.com>

## **Description** We shouldn't be spreading then accessing process.env variables. It doesn't work correctly with the dev watcher Example: ``` console.log({ x: process.env.METAMASK_ENVIRONMENT, y: { ...process.env }?.METAMASK_ENVIRONMENT, z: { ...process.env }?.NODE_ENV, }); Returns { x: 'dev', y: undefined // IT FAILS z: 'development' } ``` ## **Changelog**  CHANGELOG entry: chore: remove process.env spread ## **Related issues** Fixes: ## **Manual testing steps** ```gherkin Feature: my feature name Scenario: user [verb for user action] Given [describe expected initial app state] When user [verb for user action] Then [describe expected outcome] ``` ## **Screenshots/Recordings**  ### **Before**  ### **After**  ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I've included tests if applicable - [ ] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Low Risk** > Small change to a single environment check plus test/build-config updates; low risk aside from any code relying on prior spread behavior. > > **Overview** > Updates `isProduction()` in `app/util/environment.ts` to directly read `process.env.METAMASK_ENVIRONMENT` (removing the `{ ...process.env }` spread that could return `undefined` under the dev watcher). > > Extends `babel.config.tests.js` exclusions to include `app/util/environment.ts` and `app/util/environment.test.ts` so `transform-inline-environment-variables` does not rewrite their runtime env checks during tests. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit ae49b39. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).

## **Description** This PR fixes recipient-selection regressions in Bridge where externally entered recipients could be overridden and invalid external addresses could still appear selectable. ### What changed - Preserved user-selected external recipient addresses in `useRecipientInitialization` by treating non-internal destination addresses as valid for the current destination chain. - Added `keyboardShouldPersistTaps="handled"` to `RecipientSelectorModal` so recipient list taps work reliably while the keyboard is open. - Added chain-aware validation for externally typed recipient addresses in `MultichainAccountSelectorList`: - EVM destination chains validate with EVM address rules. - Solana destination chains validate with Solana address rules. - Unknown non-EVM chains remain permissive to avoid false blocking. - Added inline error UI and disabled styling for invalid external recipient rows. - Added/updated unit tests for: - preserving external destination addresses - external recipient validation behavior (invalid/valid EVM, invalid Solana, permissive unknown non-EVM) - disabled external account cell interaction ## **Changelog** CHANGELOG entry: Fixed Bridge recipient selection to preserve external recipients and show an error state for invalid recipient addresses. ## **Related issues** Fixes: SWAPS-3928 ## **Manual testing steps** ```gherkin Feature: Bridge recipient selector external address handling Scenario: user enters an invalid EVM recipient address Given user opens Bridge recipient selector on an EVM destination chain When user types an invalid external address that matches no internal account Then an inline invalid-address error is shown and the external row appears disabled Scenario: user enters a valid external EVM recipient address Given user opens Bridge recipient selector on an EVM destination chain When user types a valid external address that matches no internal account Then no error is shown and selecting the external row sets the destination recipient Scenario: user reopens recipient selector after selecting external address Given user selected a valid external recipient address in Bridge When recipient selector or quote refresh initialization runs Then the external destination address remains selected and is not replaced by an internal account ``` ## **Screenshots/Recordings** ### **Before** N/A ### **After** N/A ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Medium Risk** > Touches Bridge recipient initialization and address validation logic; incorrect compatibility checks could block valid recipients or allow invalid ones across chains. > > **Overview** > Fixes Bridge recipient selection around external addresses. The recipient search list now validates typed external addresses by destination chain (*EVM/Solana strict; unknown chains permissive*), shows an inline "Invalid address" error state, and disables the external row when invalid. > > Recipient initialization now preserves external destination addresses when compatible with the selected destination chain (and reinitializes only when incompatible/missing), and the recipient selector modal keeps list taps working while the keyboard is open (`keyboardShouldPersistTaps="handled"`). Updates/adds tests covering external validation and recipient initialization behavior. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 9da0bc3. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).

## **Description** Bumps `@metamask/transaction-pay-controller` to include live on-chain balance validation and refresh for MetaMask Pay transactions. ## **Changelog** CHANGELOG entry: null ## **Related issues** Relates to MetaMask/core#7935 ## **Manual testing steps** ## **Screenshots/Recordings** ### **Before** ### **After** ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Medium Risk** > Touches transaction submission dependencies and gas-fee update gating for additional relay-deposit types, which can impact transaction UX/fees. Dependency upgrades (Pay + bridge/network stack) increase integration risk despite limited local code changes. > > **Overview** > MetaMask Pay dependencies are bumped (notably `@metamask/transaction-pay-controller` to `^16.0.0` and `@metamask/transaction-controller` to `^62.18.0`), along with related lockfile resolution changes (including adding `@metamask/core-backend` to resolutions). > > Relay-deposit behavior is broadened: a new `RELAY_DEPOSIT_TYPES` constant now covers `relayDeposit`, `perpsRelayDeposit`, and `predictRelayDeposit`, and these types are excluded from automatic gas fee updates; analytics mapping is extended to emit `perps_relay_deposit` / `predict_relay_deposit`. > > To keep E2E mUSD smoke tests working with the new Pay balance validation, the `createMusdFixture` helper is made async and seeds an Anvil ERC-20 stub (via `setCode`) at the USDC address to provide a deterministic on-chain balance. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 318cd97. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).

## **Description** Use `withKeyring` instead of `getKeyringsByType` for accessing the mnemonic for Snaps. `withKeyring` has more guarantees that should prevent race conditions and `getKeyringsByType` is deprecated for that same reason. Additionally, move `getMnemonic` and `getMnemonicSeed` to utility functions that can be re-used. Mirror extension implementation: MetaMask/metamask-extension#40296 https://consensyssoftware.atlassian.net/browse/WPC-508 ## **Changelog**  CHANGELOG entry: null  --- > [!NOTE] > **Medium Risk** > Touches Snaps entropy/mnemonic retrieval paths and keyring controller messaging, so mistakes could break Snap permissions or produce unexpected errors, though changes are mostly a refactor to a safer API with added unit coverage. > > **Overview** > Switches Snaps entropy access from deprecated `KeyringController:getKeyringsByType` to `KeyringController:withKeyring` to reduce race conditions when retrieving the primary HD keyring mnemonic/seed. > > Introduces reusable permission utilities (`getMnemonic`, `getMnemonicSeed`) and wires them into both `SnapController` initialization (`getMnemonicSeed`) and snap restricted methods, updating the init messenger’s allowed actions accordingly. Adds dedicated unit tests for the new utilities and removes the old controller-init seed test, plus adds `@metamask/keyring-utils` dependency for test typing. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 9db8fe8. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).

## **Description** Adds agentic debugging and validation capabilities for the perps feature, developed during the TAT-2597/2598 investigation. These tools enable remote inspection and automated testing of the perps trade flow on-device via CDP. - **`cdpEvalAsync()`** — evaluate async expressions via CDP `Runtime.evaluate` with `awaitPromise`, plus new `eval-async` command in cdp-bridge - **Engine on `globalThis`** — expose the Engine instance for CDP runtime access to controllers (NavigationService.ts) - **`test-trade-flow.sh`** — end-to-end validation script: opens a position, verifies streams are live, checks balance updates, closes position - **Documentation** — updated `perps-agentic-feedback-loop.md` with debugging workflow and lessons learned from TAT-2597/2598 ## **Changelog** CHANGELOG entry: null ## **Related issues** Fixes: TAT-2597, TAT-2598 (tooling developed during investigation) ## **Manual testing steps** \`\`\`gherkin Feature: Agentic toolkit for perps debugging Scenario: developer runs eval-async via CDP bridge Given the app is running on a connected device/simulator And cdp-bridge.js is connected via Chrome DevTools Protocol When developer sends an eval-async command with an async expression Then the expression is evaluated with awaitPromise and the result is returned Scenario: developer runs end-to-end trade flow validation Given the app is running with a funded perps account And test-trade-flow.sh is executed When the script opens a position and monitors streams Then it verifies live data, checks balance updates, and closes the position Scenario: developer accesses Engine via globalThis Given the app is running on a connected device/simulator When developer evaluates globalThis.__engine in CDP console Then the Engine instance with all controllers is accessible \`\`\` ## **Screenshots/Recordings** ### **Before**  ### **After**  ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Medium Risk** > Mostly dev-only tooling, but it exposes powerful globals (`store`, `Engine`, navigation) in `__DEV__`, which could increase local attack surface/misuse if dev builds are shared or if the guard is bypassed. > > **Overview** > Adds a **dev-only agentic debugging bridge** in `NavigationService` that exposes `__AGENTIC__` navigation helpers plus `globalThis.store` and `globalThis.Engine` for remote inspection/control via Hermes CDP. > > Introduces a new `scripts/perps/agentic/` toolkit (`cdp-bridge.js` + shell wrappers) to discover the correct CDP target, support `eval-async`, navigate nested routes, query Redux state, trigger back navigation, manage Metro (start/stop/reload), take cross-platform screenshots, and run an end-to-end perps `test-trade-flow.sh` harness. Documentation is added in `docs/perps/perps-agentic-feedback-loop.md`, and `.agent/` is added to `.gitignore` for generated logs/screenshots. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit ad609b8. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).

## **Description** `ensureTransportReady()` called `controller.abort()` without a reason, leaving `AbortSignal.reason` as `undefined`. The HyperLiquid SDK propagates this as the rejection value of `transport.ready()`, which then gets re-thrown as raw `undefined` — producing "Unknown error (no details provided)" in Sentry (issues 5E7M, 5EF8, 5GBE, 5G91, affecting versions 7.63.1–7.65.0). Two fixes in `ensureTransportReady()`: 1. Pass a proper `Error` to `controller.abort()` so `AbortSignal.reason` is never `undefined` on timeout. 2. Wrap the non-timeout catch path with `ensureError()` as a safety net against any future non-Error SDK rejections. ## **Changelog** CHANGELOG entry: null ## **Related issues** Fixes: Sentry issues METAMASK-MOBILE-5E7M, METAMASK-MOBILE-5EF8, METAMASK-MOBILE-5GBE, METAMASK-MOBILE-5G91 ## **Manual testing steps** ```gherkin Feature: Perps chart error handling Scenario: user opens and immediately closes the perps chart Given the user is on the main wallet screen When user navigates to the Perps tab and immediately navigates away Then no "Unknown error (no details provided)" error appears in Sentry And the app does not crash ``` ## **Screenshots/Recordings** ### **Before** Sentry issues 5E7M / 5EF8 / 5GBE / 5G91 receive new events on versions 7.63.1–7.65.0. ### **After** No new events on those Sentry issues after this fix ships. ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

…recipients (#26326)  ## **Description** This PR resolves an issue where the "First Time Interaction" warning alert was failing to display correctly during token transactions. Previously, the system checked for interactions with the contract address (txParams.to) rather than the actual recipient of the tokens. By introducing the `useTransferRecipient `hook, we now correctly extract the intended recipient from the transaction data (supporting `transfer`, `transferFrom`, and `safeTransferFrom`), ensuring trust signals and first-time alerts are accurately triggered.  ## **Changelog**  CHANGELOG entry: Fixed first-time interaction alerts trigger for token transfer recipients ## **Related issues** Fixes: #26319 ## **Manual testing steps** 1. Send a Native Token (e.g., ETH) to a new address. Verify the "First Time Interaction" alert appears. 2. Send an ERC20 Token to a new address. 3. Expected Behavior: The alert should appear targeting the token recipient, even though the transaction to field is the contract address. 4. Send tokens to an Internal Account. Verify the alert does not appear. ```gherkin Feature: my feature name Scenario: user [verb for user action] Given [describe expected initial app state] When user [verb for user action] Then [describe expected outcome] ``` ## **Screenshots/Recordings** [first-time.webm](https://github.com/user-attachments/assets/4921c4e2-0063-4126-b0b1-3f5b0eaa514e) [1st time interaction.webm](https://github.com/user-attachments/assets/799ce9c4-38dc-4a35-a609-4e599f6b5ec1)  ### **Before**  ### **After**  ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Low Risk** > Small, localized change to alert recipient selection plus added tests; low risk of regressions outside confirmation alert behavior. > > **Overview** > Ensures the *First Time Interaction* warning uses `useTransferRecipient()` (decoded recipient for token `transfer`/`transferFrom`/`safeTransferFrom`) as the address to evaluate, falling back to `txParams.to` when no transfer recipient is detected. > > Updates `useFirstTimeInteractionAlert` tests to cover recipient prioritization, fallback behavior, and suppression when the derived recipient is an internal account. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 4d0cd28. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).

## **Description**  CI is broken due to a vulnerability with bn.js <img width="538" height="612" alt="image" src="https://github.com/user-attachments/assets/9cdeb857-cfde-4e95-aeb9-154de3722904" /> ## **Changelog**  CHANGELOG entry: null ## **Related issues** Fixes: ## **Manual testing steps** ```gherkin Feature: my feature name Scenario: user [verb for user action] Given [describe expected initial app state] When user [verb for user action] Then [describe expected outcome] ``` ## **Screenshots/Recordings**  ### **Before**  ### **After**  ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I've included tests if applicable - [ ] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Low Risk** > Dependency-only upgrade via Yarn `resolutions`; low behavioral risk, with main concern being potential big-number edge-case differences in packages relying on `bn.js`. > > **Overview** > Updates `bn.js` to patched releases by pinning `bn.js@4.11.6`→`4.12.3` and `bn.js@5.2.1`→`5.2.3` via `package.json` `resolutions`, and bumps the app’s `bnjs4`/`bnjs5` aliases accordingly. > > Aligns TypeScript typings by moving `@types/bnjs5` to `@types/bn.js@^5.2.0`, with corresponding `yarn.lock` updates to remove the older `@types/bn.js`/`bn.js` versions. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 8b51e85. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).

## **Description** Phase 3 analytics migration (Batch 3-2): migrate Security's SecureKeychain, ProtectYourWalletModal, and RevealPrivateCredential from MetaMetrics to the new analytics system. **Reason**: Deprecate MetaMetrics in favour of the shared analytics utility and AnalyticsController. **Changes**: - `SecureKeychain.ts` now uses `analytics.trackEvent()` and `analytics.identify()` from `app/util/analytics` instead of `MetaMetrics.getInstance().trackEvent()` and `MetaMetrics.getInstance().addTraitsToUser()`; uses `AnalyticsEventBuilder` instead of `MetricsEventBuilder`. - `ProtectYourWalletModal` now uses `withAnalyticsAwareness` HOC from `app/components/hooks/useAnalytics` instead of `withMetricsAwareness` from `useMetrics`; prop renamed from `metrics` to `analytics`. - `RevealPrivateCredential` now uses `useAnalytics` hook instead of `useMetrics`. - Test mocks updated to mock the analytics utility and `useAnalytics` instead of MetaMetrics and `useMetrics`. ## **Changelog** CHANGELOG entry: null ## **Related issues** Fixes: https://consensyssoftware.atlassian.net/browse/MCWP-301 (Batch 3-2) ## **Manual testing steps** ```gherkin Feature: Security analytics Scenario: user triggers a security flow event Given app is open and user is in a security flow When user performs an action that triggers analytics (e.g. reveal SRP, protect wallet modal interaction, biometric setup) Then the event is tracked on Mixpanel ``` ## **Screenshots/Recordings** N/A – analytics migration, no UI change. ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > **Medium Risk** > Touches security-adjacent flows (keychain credential storage and SRP/wallet-protection tracking) and changes analytics plumbing, so regressions could silently drop events or mis-set user traits, though app behavior should remain unchanged. > > **Overview** > Migrates security analytics instrumentation away from legacy `MetaMetrics`/`useMetrics` to the shared analytics stack. > > `SecureKeychain` now uses `analytics.trackEvent()`/`analytics.identify()` plus `AnalyticsEventBuilder` (replacing `MetaMetrics.getInstance()` and `MetricsEventBuilder`) for hardware-keystore event tracking and authentication-type user trait updates. `ProtectYourWalletModal` and `RevealPrivateCredential` swap `withMetricsAwareness`/`useMetrics` for `withAnalyticsAwareness`/`useAnalytics`, including the prop rename from `metrics` to `analytics`. > > Unit tests are updated to mock the new analytics utility/hooks and to assert calls against `analytics.identify`/event builder usage instead of MetaMetrics mocks. > > Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit eb1430f. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).

joaoloureirop and others added 30 commits February 12, 2026 22:30

fix changelog

eb0441a

[skip ci] Bump version number to 3725

9206f37

[skip ci] Bump version number to 3737

6eacf8d

[skip ci] Bump version number to 3740

a363bbf

[skip ci] Bump version number to 3743

fe325db

[skip ci] Bump version number to 3744

e0388eb

[skip ci] Bump version number to 3745

a32d815

[skip ci] Bump version number to 3746

ea97bc1

[skip ci] Bump version number to 3750

db5b7d8

chore(runway): cherry-pick fix: Swap migrations 118 and 119 to match …

87745d1

…released version cp-7.66.0 (#26228)

[skip ci] Bump version number to 3754

26ef604

[skip ci] Bump version number to 3755

3b22c78

[skip ci] Bump version number to 3758

a5dc198

[skip ci] Bump version number to 3759

be0327f

[skip ci] Bump version number to 3760

0c99f3e

metamaskbot and others added 27 commits February 20, 2026 19:21

[skip ci] Bump version number to 3771

818cbe0

[skip ci] Bump version number to 3778

65b53ba

Revert "fix: MUL-1331 modify android manifest file for correct BLE lo…

7cc73af

…cation permission. (#23759)" This reverts commit ddd333c.

release: release/7.65.0-Changelog (#25735)

2dc98a9

This PR updates the change log for 7.65.0. (Hotfix - no test plan generated.) --------- Co-authored-by: metamaskbot <metamaskbot@users.noreply.github.com> Co-authored-by: João Loureiro <175489935+joaoloureirop@users.noreply.github.com>

Merge branch 'stable' into stable-merge-7.65.0

2275358

Merge branch 'release/7.66.0' into stable-merge-7.66.0

7b0a12d

Merge branch 'stable' into release/7.66.0

1ffda33

[skip ci] Bump version number to 3780

7927829

release: release/7.66.0-Changelog (#26044)

9c1c088

This PR updates the change log for 7.66.0. (Hotfix - no test plan generated.) Co-authored-by: metamaskbot <metamaskbot@users.noreply.github.com> Co-authored-by: João Loureiro <175489935+joaoloureirop@users.noreply.github.com>

Merge origin/main into stable-main-7.68.0

b37d807

pull Bot locked and limited conversation to collaborators Feb 24, 2026

pull Bot added the ⤵️ pull label Feb 24, 2026

pull Bot merged commit cc1f719 into Reality2byte:main Feb 24, 2026
0 of 8 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[pull] main from MetaMask:main#548

[pull] main from MetaMask:main#548
pull[bot] merged 64 commits into
Reality2byte:mainfrom
MetaMask:main

pull Bot commented Feb 24, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

12 participants

Conversation

pull Bot commented Feb 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

12 participants

pull Bot commented Feb 24, 2026 •

edited

Loading