Merge branch 'main' into MUSD-660-money-account-activity

Author: shane-t

.github/CODEOWNERS

@@ -206,7 +206,7 @@ app/components/Views/Homepage/Sections/Perpetuals/ @MetaMask/perps
 # Social & AI Team
 app/components/Views/SocialLeaderboard/                              @MetaMask/social-ai
 app/components/UI/MarketInsights/                                    @MetaMask/social-ai
-app/components/Views/Homepage/Sections/WhatsHappening/               @MetaMask/social-ai
+app/components/UI/WhatsHappening/                                    @MetaMask/social-ai
 app/components/Views/Homepage/Sections/TopTraders/                   @MetaMask/social-ai
 app/core/Engine/controllers/social-controller-init*                  @MetaMask/social-ai
 app/core/Engine/controllers/social-service-init*                     @MetaMask/social-ai

.github/workflows/ci.yml

@@ -96,10 +96,14 @@ jobs:
     outputs:
       fingerprint: ${{ steps.publish.outputs.fingerprint }}
     steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha || github.sha }}
-      - uses: actions/setup-node@v4
+      # Use the default ref (refs/pull/N/merge on pull_request, github.sha otherwise) so the
+      # fingerprint is computed against the SAME working tree that `build-android-e2e.yml`,
+      # `build-ios-e2e.yml`, and `run-e2e-workflow.yml` check out and build/test against.
+      # Posting on `pull_request.head.sha` while fingerprinting the PR head tree would let
+      # two PRs with identical heads but different merges collide on the cache key — and the
+      # native build then runs against a different (merge) tree than the one we fingerprinted.
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
           node-version-file: '.nvmrc'
           cache: yarn
@@ -115,8 +119,11 @@ jobs:
         uses: ./.github/actions/post-build-source-hash
         with:
           github-token: ${{ github.token }}
-          # .head.sha = PR head (pull_request events); github.sha fallback = pushed/scheduled commit
-          # (push to main, merge_group, schedule) where no PR payload exists.
+          # Commit statuses must be posted on a real commit SHA (not the merge ref).
+          # `find-reusable-build` looks up the status via `run.head_sha` from
+          # `listWorkflowRuns`, which GitHub reports as the PR head SHA for pull_request
+          # events and as the pushed/scheduled commit SHA otherwise — so this is the same
+          # SHA the lookup queries against.
           target-sha: ${{ github.event.pull_request.head.sha || github.sha }}
 
   dedupe:

.github/workflows/nightly-build.yml

@@ -43,7 +43,7 @@ jobs:
       source_branch: main
       environment: rc
       testflight_group: 'MetaMask BETA & Release Candidates'
-      distribute_external: true
+      distribute_external: false
     secrets: inherit
 
   # ── Android exp: ephemeral branch + build ──────────────────────────────

.github/workflows/release-branch-sync.yml

@@ -23,11 +23,11 @@ jobs:
         env:
           BRANCH: ${{ github.event.pull_request.head.ref }}
         run: |
-          if [[ "$BRANCH" =~ ^release/[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            echo "Branch '$BRANCH' matches release/X.Y.Z format"
+          if [[ "$BRANCH" =~ ^release/[0-9]+\.[0-9]+\.[0-9]+ ]]; then
+            echo "Branch '$BRANCH' starts with release/X.Y.Z"
             echo "is-valid=true" >> "$GITHUB_OUTPUT"
           else
-            echo "Branch '$BRANCH' does not match release/X.Y.Z format. Skipping."
+            echo "Branch '$BRANCH' does not start with release/X.Y.Z. Skipping."
             echo "is-valid=false" >> "$GITHUB_OUTPUT"
           fi
 
@@ -38,7 +38,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Sync release branches with stable
-        uses: metamask/github-tools/.github/actions/release-branch-sync@v1.2.0
+        uses: metamask/github-tools/.github/actions/release-branch-sync@v1
         with:
           merged-release-branch: ${{ github.event.pull_request.head.ref }}
           github-token: ${{ secrets.STABLE_SYNC_TOKEN }}

CHANGELOG.md

@@ -7,9 +7,69 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [7.76.3]
+
+### Added
+
+- Added Predict transaction publishing hooks to support the Polymarket Deposit Wallet flow. (#29914)
+- Added support for depositing to a Polymarket Deposit Wallet in Predict, while preserving legacy Safe behavior for users with existing Polymarket activity. (#29917)
+- Added Polymarket Deposit Wallet order placement support in Predict. (#29933)
+- Added support for claiming Predict positions through the Polymarket Deposit Wallet. (#29936)
+
+### Fixed
+
+- Disabled Predict withdrawals for Polymarket Deposit Wallet users with a temporary "withdrawals unavailable" bottom sheet, while legacy Safe users keep the existing flow. (#29941)
+
+## [7.76.0]
+
+### Added
+
+- Added the Tempo chain to the additional networks list. (#29515)
+- Added security trust badges in the token list. (#29509)
+- Added a new "Add money" bottom sheet to the Money Account homepage with Convert crypto, Deposit funds, Move mUSD, and Receive from external wallet options. (#29336)
+- Added a developer options button to clear dismissed mUSD conversion asset details CTAs. (#29510)
+- Added a quickbuy smart default. (#29472)
+- Added SOL as a "Pay with" option on Quickbuy. (#29424)
+- Added a transaction fees expandable section to Quickbuy. (#29321)
+- Added a General Settings toggle for haptic feedback and centralized in-app haptics behind a single module, with an optional remote kill switch. (#28975)
+- Added haptic feedback across Top Traders surfaces (Follow, Buy, notification preferences, per-trader notifications). (#29467)
+- Added support for additional sports market types (spreads, totals, halftime result, exact score, player props) on prediction market event detail screens. (#29216)
+- Added inline error banners in the Predict buy bottom sheet for price-changed and order-failed scenarios, replacing the secondary retry sheet and failure toast when the predictBottomSheet flag is enabled. (#29184)
+- Added a Quickbuy half sheet. (#28863)
+- Added a warning flow in bridge quotes when token price data is unavailable. (#29250)
+
 ### Changed
 
-- Aligned previously base-enabled custom network logos (Stable, Flow, XDC, Fraxtal, Hemi, Plasma, Lukso, Rootstock, MSU, Lens, Plume) to a square format consistent with Popular networks (#29943)
+- Enabled Suspicious and Malicious security badges on tokens in the Swaps/Bridge asset picker. (#29570)
+- Updated the description under the "Smart account requests from dapps" setting to clarify that MetaMask will only upgrade to our audited smart account. (#29211)
+- Updated Predict confirmations to display pUSD as the Predict token. (#29450)
+- Updated the token details security trust designs. (#29230)
+- Polished the social leaderboard with podium decorations on the top 3 traders, a tighter loading skeleton, and a chain icon overlay on token avatars in the trader position and quick buy views. (#29408)
+- QR wallet now shares the signing flow with Ledger. (#29087)
+- In-app browser sessions opened from MetaMask Card (manage card and travel) now return to Card Home on close instead of the Explore tab. (#29218)
+- Updated the Bridge/Swaps token warning modal to match the new design and fixed swapped warning/malicious icons in the token selector. (#29197)
+- Updated the account selector to use the full-page list for all users and removed the dropdown arrow from the wallet account picker. (#28701)
+- Refined section and header styles for Perps. (#29009)
+- Refined explore page design patterns. (#29396)
+- Adjusted spacing for money activity filters. (#29463)
+
+### Fixed
+
+- Fixed a bug where the -1%/-2% limit price preset buttons only applied on the first press. (#29373)
+- Fixed Card Home flickering during refresh and kept Add funds available for frozen cards. (#29513)
+- Fixed a bug that caused the MetaMask Card spending limit screen to default to full access when a custom limit was already set. (#29517)
+- Fixed cashback redemption to require an approved Linea funding source. (#29489)
+- Fixed UB2 Transak order details to hide interim provider messages during processing states. (#29131)
+- Fixed a bug where a stale secondary minimum purchase message could briefly appear after entering a valid buy amount. (#29365)
+- Fixed a bug that caused live Predict sports scores to appear in reverse order for some leagues. (#29453)
+- Fixed Ledger BLE transport that prevented reconnecting to a Ledger device after a timeout or completed signing flow. (#29367)
+- Fixed chart re-rendering and flickering. (#29344)
+- Fixed excessive red flashing while entering buy amounts near minimum and maximum provider limits. (#29360)
+- Fixed stale unauthenticated MetaMask Card data after login by refetching when card feature flags change. (#29350)
+- Prevented invalid bridge transaction hashes from being persisted in transaction history. (#29136)
+- Fixed WalletConnect sign requests occasionally displaying a garbled string in the "Request from" field instead of the dapp's domain. (#29102)
+- Fixed Perps Withdraw Max so users actually withdraw their full HyperLiquid balance; replaced 90% with a Max button and aligned Perps home and Withdraw to show the same balance. (#29257)
+- Hid the sponsored label on cross-chain bridge with insufficient balance. (#29490)
 
 ## [7.75.1]
 
@@ -11375,7 +11435,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - [#957](https://github.com/MetaMask/metamask-mobile/pull/957): fix timeouts (#957)
 - [#954](https://github.com/MetaMask/metamask-mobile/pull/954): Bugfix: onboarding navigation (#954)
 
-[Unreleased]: https://github.com/MetaMask/metamask-mobile/compare/v7.75.1...HEAD
+[Unreleased]: https://github.com/MetaMask/metamask-mobile/compare/v7.76.3...HEAD
+[7.76.3]: https://github.com/MetaMask/metamask-mobile/compare/v7.76.0...v7.76.3
+[7.76.0]: https://github.com/MetaMask/metamask-mobile/compare/v7.75.1...v7.76.0
 [7.75.1]: https://github.com/MetaMask/metamask-mobile/compare/v7.75.0...v7.75.1
 [7.75.0]: https://github.com/MetaMask/metamask-mobile/compare/v7.74.3...v7.75.0
 [7.74.3]: https://github.com/MetaMask/metamask-mobile/compare/v7.74.2...v7.74.3

android/gradle.properties.release

@@ -1,7 +1,8 @@
 # Gradle settings for GitHub Actions release/production builds (LG runner, 48GB RAM)
 
 # JVM: 8GB heap to leave room for Metro workers + Kotlin daemon
-org.gradle.jvmargs=-Xmx8g -XX:MaxMetaspaceSize=512m -XX:+UseG1GC -XX:G1HeapRegionSize=8m -XX:+UseStringDeduplication -XX:+OptimizeStringConcat -XX:+ExitOnOutOfMemoryError -XX:+HeapDumpOnOutOfMemoryError -Dfile.encoding=UTF-8
+# MaxMetaspaceSize 2g to match gradle.properties.github (512m causes daemon OOM)
+org.gradle.jvmargs=-Xmx8g -XX:MaxMetaspaceSize=2g -XX:+UseG1GC -XX:G1HeapRegionSize=8m -XX:+UseStringDeduplication -XX:+OptimizeStringConcat -XX:+ExitOnOutOfMemoryError -XX:+HeapDumpOnOutOfMemoryError -Dfile.encoding=UTF-8
 
 org.gradle.parallel=true
 org.gradle.configureondemand=true
@@ -16,8 +17,8 @@ org.gradle.vfs.watch=false
 kotlin.incremental=true
 kotlin.incremental.android=true
 kotlin.caching.enabled=true
-# Kotlin daemon: 2GB cap to prevent memory contention
-kotlin.daemon.jvmargs=-Xmx2g -XX:+UseG1GC -XX:+ExitOnOutOfMemoryError
+# Kotlin daemon: 2GB heap, 1GB metaspace to match gradle.properties.github
+kotlin.daemon.jvmargs=-Xmx2g -XX:MaxMetaspaceSize=1g -XX:+UseG1GC -XX:+ExitOnOutOfMemoryError
 
 # File system optimizations
 org.gradle.vfs.verbose=false

app/__mocks__/react-native-vision-camera.ts

@@ -1,4 +1,5 @@
 import React from 'react';
+import { CAMERA_PERMISSION_STATUS } from '../constants/permissions';
 
 const mockDevice = {
   id: 'back',
@@ -21,7 +22,9 @@ const mockDevice = {
 
 const mockPermission = {
   hasPermission: true,
-  requestPermission: jest.fn().mockResolvedValue('granted'),
+  requestPermission: jest
+    .fn()
+    .mockResolvedValue(CAMERA_PERMISSION_STATUS.granted),
 };
 
 let capturedOnCodeScanned:
@@ -76,8 +79,10 @@ const useCodeScanner = jest.fn((config) => {
 // Static methods on Camera - using Object.assign to avoid TypeScript issues
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 (Object as any).assign(Camera, {
-  getCameraPermissionStatus: jest.fn(() => 'granted'),
-  requestCameraPermission: jest.fn().mockResolvedValue('granted'),
+  getCameraPermissionStatus: jest.fn(() => CAMERA_PERMISSION_STATUS.granted),
+  requestCameraPermission: jest
+    .fn()
+    .mockResolvedValue(CAMERA_PERMISSION_STATUS.granted),
 });
 
 export { Camera, useCameraDevice, useCameraPermission, useCodeScanner };

app/components/UI/AssetOverview/Balance/Balance.tsx

@@ -23,8 +23,6 @@ import BadgeWrapper, {
 } from '../../../../component-library/components/Badges/BadgeWrapper';
 import { BadgeVariant } from '../../../../component-library/components/Badges/Badge/Badge.types';
 import Badge from '../../../../component-library/components/Badges/Badge/Badge';
-import AvatarToken from '../../../../component-library/components/Avatars/Avatar/variants/AvatarToken';
-import { AvatarSize } from '../../../../component-library/components/Avatars/Avatar';
 import NetworkAssetLogo from '../../NetworkAssetLogo';
 import Text, {
   TextColor,
@@ -53,6 +51,7 @@ import { ACCOUNT_TYPE_LABELS } from '../../../../constants/account-type-labels';
 import { useRWAToken } from '../../Bridge/hooks/useRWAToken';
 import { BridgeToken } from '../../Bridge/types';
 import StockBadge from '../../shared/StockBadge';
+import AssetLogo from '../../Assets/components/AssetLogo/AssetLogo';
 
 export const ACCOUNT_TYPE_LABEL_TEST_ID = 'account-type-label';
 
@@ -186,13 +185,7 @@ const Balance = ({
       );
     }
 
-    return (
-      <AvatarToken
-        name={asset.symbol}
-        imageSource={{ uri: asset.image }}
-        size={AvatarSize.Lg}
-      />
-    );
+    return <AssetLogo asset={asset} />;
   }, [asset, styles.ethLogo]);
 
   const isDisabled = useMemo(

app/components/UI/Assets/components/Balance/AccountGroupBalance.tsx

@@ -37,6 +37,7 @@ import AccountGroupBalanceChange from '../../components/BalanceChange/AccountGro
 import BalanceEmptyState from '../../../BalanceEmptyState';
 import WalletHomeOnboardingSteps from '../../../WalletHomeOnboardingSteps';
 import { useRampNavigation } from '../../../Ramp/hooks/useRampNavigation';
+import { useWalletHomeOnboardingChecklistFundPress } from '../../../WalletHomeOnboardingSteps/useWalletHomeOnboardingChecklistFundPress';
 
 /**
  * Timeout for account group balance fetch
@@ -82,6 +83,8 @@ const AccountGroupBalance = ({
     selectWalletHomeOnboardingSkipInitialBalanceWait,
   );
   const { goToBuy } = useRampNavigation();
+  const onFundPrimaryPressWithChecklistAnalytics =
+    useWalletHomeOnboardingChecklistFundPress(goToBuy);
   const { popularNetworks } = useNetworkEnablement();
 
   // Stabilize chain IDs by content so selector identity doesn't change every render (avoids max depth / infinite loop).
@@ -266,7 +269,7 @@ const AccountGroupBalance = ({
           isAwaitingBalance={awaitBalanceForPostOnboardingSteps}
           onCoordinatedFlowExit={onCoordinatedFlowExit}
           suspendRiveForCurtain={suspendRiveForCurtain}
-          onFundPrimaryPress={goToBuy}
+          onFundPrimaryPress={onFundPrimaryPressWithChecklistAnalytics}
           canAdvanceFundStepAfterBalance={canAdvanceFundStepAfterBalance}
           onTradePrimaryPress={onTradePrimaryPress}
           onNotificationsPrimaryPress={onNotificationsPrimaryPress}

app/components/UI/Bridge/hooks/useBridgeQuoteData/index.ts

@@ -280,7 +280,12 @@ export const useBridgeQuoteData = ({
   );
 
   const validateQuote = useCallback(async () => {
-    if (!activeQuote || (!isSolanaSwap && !isSolanaToNonSolana)) {
+    if (
+      !activeQuote ||
+      (!isSolanaSwap && !isSolanaToNonSolana) ||
+      // Skip validation for gas-included quotes on Solana
+      activeQuote?.quote?.gasIncluded === true
+    ) {
       lastValidatedQuoteRef.current = null;
       setBlockaidError(null);
       return;