feat(ramp): surface headless buy errors as data (Phase 7) (#29612)

## **Description**

This PR closes **Phase 7** of the incremental **Unified Buy (v2)
headless buy** plan (`app/components/UI/Ramp/headless/PLAN.md`):
headless consumers now receive structured `HeadlessBuyError` data for
hard failures instead of depending on Ramp UI surfaces like banners,
ErrorViews, or order toasts.

**Reason**

- Phase 6
([#29340](#29340)) fired
`onOrderCreated` and bypassed the order-details redirect on success, but
several failure paths were still UI-coupled. Limit failures could be
wrapped into generic display errors, Checkout/WebView failures rendered
local UI, and one Transak success path could still show a toast before a
headless consumer regained control.

**What changed**

- **`HeadlessBuyErrorCode` + `failSession`** — centralizes error
normalization in `sessionRegistry`, preserving explicit error
codes/details and closing the session with failed terminal semantics
after `onError` fires.
- **`HeadlessHost`** — uses `failSession` for auth errors, malformed
asset ids, and `continueWithQuote` rejections so the consumer receives
one structured `onError` callback and one terminal close.
- **`useTransakRouting`** — preserves `LimitExceededError` as
`LIMIT_EXCEEDED`, forwards checkout-processing failures through
`onError`, and suppresses the manual-bank-transfer toast path when a
live headless session owns the flow.
- **`Checkout`** — routes callback-processing failures and primary
WebView HTTP errors through `onError` for headless sessions, then
unwinds the ramp stack instead of rendering the checkout ErrorView.
- **`BuildQuote`** — keeps legacy headless params from falling back to
banner-only error handling if they are encountered.
- **`PLAN.md`** — marks Phase 7 complete.

**References**

- **Stacked on Phase 6**:
[#29340](#29340)
(`poc/headless-buy-phase-6`). **This PR's base is
`poc/headless-buy-phase-6`** so the diff is Phase 7-only.
- Continues from **Phase 5**:
[#29338](#29338)
(Headless Host + quote-first start).

**Tests**

- `yarn eslint app/components/UI/Ramp/headless/types.ts
app/components/UI/Ramp/headless/sessionRegistry.ts
app/components/UI/Ramp/headless/sessionRegistry.test.ts
app/components/UI/Ramp/Views/HeadlessHost/HeadlessHost.tsx
app/components/UI/Ramp/Views/HeadlessHost/HeadlessHost.test.tsx
app/components/UI/Ramp/hooks/useTransakRouting.ts
app/components/UI/Ramp/hooks/useTransakRouting.test.ts
app/components/UI/Ramp/Views/Checkout/Checkout.tsx
app/components/UI/Ramp/Views/Checkout/Checkout.test.tsx
app/components/UI/Ramp/Views/BuildQuote/BuildQuote.tsx`
- `yarn jest --watchman=false
app/components/UI/Ramp/headless/sessionRegistry.test.ts
app/components/UI/Ramp/Views/HeadlessHost/HeadlessHost.test.tsx
app/components/UI/Ramp/hooks/useTransakRouting.test.ts
app/components/UI/Ramp/Views/Checkout/Checkout.test.tsx
app/components/UI/Ramp/Views/BuildQuote/BuildQuote.test.tsx`
- `yarn lint:tsc` was attempted, but the local run is blocked by
unrelated existing type errors in SocialLeaderboard tests and controller
messenger types.

## **Changelog**

CHANGELOG entry: null

## **Related issues**

Fixes: _No GitHub issue — incremental POC on branch
`saustrie-consensys/headless-buy-phase-7`._

Continuity:
[#29340](#29340) (Phase
6 — headless order success callback + stack unwind).
[#29338](#29338) (Phase
5 — Headless Host + quote-first start).

## **Manual testing steps**

```gherkin
Feature: Headless Buy Phase 7 (structured errors)

  Scenario: Native Transak limit failure surfaces as data
    Given the app is an internal build and I am signed in
    And I open Settings → Fiat on-ramp → Headless Buy playground
    When I start a headless native quote that exceeds the user's Transak limit
    Then the playground event log should show `onError({ code: "LIMIT_EXCEEDED" })`
    And the session should close without showing a Ramp-only toast or order-details redirect

  Scenario: Aggregator Checkout failure surfaces as data
    Given I start a headless aggregator quote from the playground
    When the Checkout callback or primary WebView request fails
    Then the consumer should receive `onError({ code: "UNKNOWN", message })`
    And the app should unwind out of the Ramp stack instead of rendering the Checkout ErrorView

  Scenario: Non-headless Buy flow is unchanged
    Given I open Wallet → Buy through the regular flow
    When a quote, checkout, or limit error occurs
    Then the existing Ramp UI surfaces should render as before
```

## **Screenshots/Recordings**

### **Before**

N/A — Phase 7 changes error/callback plumbing only.

### **After**

N/A — no user-facing UI changes, but here's a video anyways.


https://github.com/user-attachments/assets/2ce3a5a7-7205-4490-9174-8be7672ae464



## **Pre-merge author checklist**

- [x] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile
Coding
Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I've included tests if applicable
- [x] I've documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [ ] I've applied the right labels on the PR

#### Performance checks (if applicable)

- [ ] I've tested on Android
- [ ] I've tested with a power user scenario
- [ ] I've instrumented key operations with Sentry traces for production
performance metrics

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Changes error handling and navigation unwinding for headless Unified
Buy flows across `HeadlessHost`, `Checkout`, and `useTransakRouting`,
which could affect session lifecycle and user recovery paths if
misrouted. Scope is contained to headless-mode branches with added test
coverage, but touches core buy/checkout flow control.
> 
> **Overview**
> **Headless buy errors are now surfaced as structured data instead of
Ramp UI.** A new `failSession` helper in `headless/sessionRegistry`
normalizes thrown/native errors into `HeadlessBuyError` (including
`LIMIT_EXCEEDED` mapping and optional `details`), fires `onError`, and
closes the session with failed terminal semantics.
> 
> Headless flows now consistently use this failure path: `HeadlessHost`
forwards auth/asset/continue failures via `failSession`, `Checkout`
sends callback-processing and primary WebView HTTP errors through
`onError` and pops the ramp stack instead of rendering an ErrorView, and
`useTransakRouting` preserves `LimitExceededError` details, suppresses
toasts when a live headless session is present, and routes post-checkout
processing failures through `failSession` + stack unwind. Tests are
updated/added to cover these headless-specific error paths and
regression guards.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
7bdaa03. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: saustrie-consensys <270766059+saustrie-consensys@users.noreply.github.com>

Author: saustrie-consensys

app/components/UI/Ramp/Views/BuildQuote/BuildQuote.tsx

@@ -69,6 +69,7 @@ import {
 
 import TruncatedError from '../../components/TruncatedError';
 import { PROVIDER_LINKS } from '../../Aggregator/types';
+import { failSession } from '../../headless/sessionRegistry';
 const BAILED_ORDER_STATUSES = new Set<RampsOrderStatus>([
   RampsOrderStatus.Precreated,
   RampsOrderStatus.IdExpired,
@@ -159,10 +160,24 @@ function BuildQuote() {
 
   useEffect(() => {
     if (params?.nativeFlowError) {
+      if (
+        params.headlessSessionId &&
+        failSession(
+          params.headlessSessionId,
+          {
+            code: 'AUTH_FAILED',
+            message: params.nativeFlowError,
+          },
+          'AUTH_FAILED',
+        )
+      ) {
+        navigation.setParams({ nativeFlowError: undefined });
+        return;
+      }
       setRampsError(params.nativeFlowError);
       navigation.setParams({ nativeFlowError: undefined });
     }
-  }, [params?.nativeFlowError, navigation]);
+  }, [params?.headlessSessionId, params?.nativeFlowError, navigation]);
 
   const {
     userRegion,
@@ -627,6 +642,9 @@ function BuildQuote() {
         assetId: selectedToken?.assetId ?? '',
       });
     } catch (err) {
+      if (failSession(params?.headlessSessionId, err)) {
+        return;
+      }
       setRampsError((err as Error).message);
     } finally {
       setIsContinueLoading(false);
@@ -642,6 +660,7 @@ function BuildQuote() {
     selectedPaymentMethod?.id,
     rampRoutingDecision,
     userRegion?.regionCode,
+    params?.headlessSessionId,
     trackEvent,
     createEventBuilder,
     continueWithQuote,

app/components/UI/Ramp/Views/Checkout/Checkout.test.tsx

@@ -58,6 +58,7 @@ jest.mock('../../utils/v2OrderToast', () => ({
 jest.mock('../../headless/sessionRegistry', () => ({
   getSession: jest.fn(),
   closeSession: jest.fn(),
+  failSession: jest.fn(),
 }));
 
 jest.mock('../../../../../util/Logger', () => ({
@@ -618,6 +619,8 @@ describe('Checkout', () => {
       .getSession as jest.Mock;
     const mockCloseSession = jest.requireMock('../../headless/sessionRegistry')
       .closeSession as jest.Mock;
+    const mockFailSession = jest.requireMock('../../headless/sessionRegistry')
+      .failSession as jest.Mock;
     const showV2OrderToastMock = jest.requireMock('../../utils/v2OrderToast')
       .showV2OrderToast as jest.Mock;
 
@@ -641,6 +644,7 @@ describe('Checkout', () => {
     beforeEach(() => {
       mockGetSession.mockReset();
       mockCloseSession.mockReset();
+      mockFailSession.mockReset();
       mockParentPop = jest.fn();
       mockNavigation.getParent.mockReturnValue({ pop: mockParentPop });
       mockGetOrderFromCallback.mockResolvedValue(mockOrder);
@@ -740,6 +744,52 @@ describe('Checkout', () => {
       expect(mockParentPop).toHaveBeenCalled();
     });
 
+    it('surfaces callback processing failures through onError and skips the ErrorView', async () => {
+      mockUseParams.mockReturnValue(callbackFlowParams);
+      mockGetOrderFromCallback.mockRejectedValueOnce(
+        new Error('callback failed'),
+      );
+      mockFailSession.mockReturnValue({
+        code: 'UNKNOWN',
+        message: 'callback failed',
+      });
+
+      const { getByTestId, queryByText } = renderWithProvider(
+        <Checkout />,
+        {},
+        true,
+        false,
+      );
+
+      await act(async () => {
+        fireEvent.press(getByTestId('trigger-callback-navigation'));
+      });
+
+      await waitFor(() => {
+        expect(mockFailSession).toHaveBeenCalledWith('hs-1', expect.any(Error));
+      });
+      expect(mockParentPop).toHaveBeenCalled();
+      expect(showV2OrderToastMock).not.toHaveBeenCalled();
+      expect(queryByText('callback failed')).toBeNull();
+    });
+
+    it('surfaces provider WebView HTTP errors through onError when headless', async () => {
+      mockUseParams.mockReturnValue(callbackFlowParams);
+      mockFailSession.mockReturnValue({
+        code: 'UNKNOWN',
+        message: 'fiat_on_ramp_aggregator.webview_received_error',
+      });
+
+      const { getByTestId } = renderWithProvider(<Checkout />, {}, true, false);
+
+      await act(async () => {
+        fireEvent.press(getByTestId('trigger-http-error-main-uri'));
+      });
+
+      expect(mockFailSession).toHaveBeenCalledWith('hs-1', expect.any(Error));
+      expect(mockParentPop).toHaveBeenCalled();
+    });
+
     it('falls back to the regular reset + toast when session id is present but session is missing from registry', async () => {
       mockGetSession.mockReturnValue(undefined);
       mockUseParams.mockReturnValue(callbackFlowParams);

app/components/UI/Ramp/Views/Checkout/Checkout.tsx

@@ -27,7 +27,11 @@ import {
 import HeaderCompactStandard from '../../../../../component-library/components-temp/HeaderCompactStandard';
 import useRampsUnifiedV2Enabled from '../../hooks/useRampsUnifiedV2Enabled';
 import { showV2OrderToast } from '../../utils/v2OrderToast';
-import { closeSession, getSession } from '../../headless/sessionRegistry';
+import {
+  closeSession,
+  failSession,
+  getSession,
+} from '../../headless/sessionRegistry';
 import { useStyles } from '../../../../hooks/useStyles';
 import styleSheet from './Checkout.styles';
 import Device from '../../../../../util/device';
@@ -120,6 +124,18 @@ const Checkout = () => {
     }
   }, [uri, createEventBuilder, trackEvent, rampRoutingDecision]);
 
+  const failHeadlessCheckout = useCallback(
+    (checkoutError: unknown) => {
+      if (!failSession(headlessSessionId, checkoutError)) {
+        return false;
+      }
+      // @ts-expect-error navigation prop mismatch
+      navigation.getParent()?.pop();
+      return true;
+    },
+    [headlessSessionId, navigation],
+  );
+
   useEffect(() => {
     // For external-browser flows (e.g. PayPal), addPrecreatedOrder is called in
     // BuildQuote; the user never reaches Checkout. For WebView flows,
@@ -234,6 +250,9 @@ const Checkout = () => {
         Logger.error(navError as Error, {
           message: 'UnifiedCheckout: error handling callback',
         });
+        if (failHeadlessCheckout(navError)) {
+          return;
+        }
         setError((navError as Error)?.message);
       }
     },
@@ -248,6 +267,7 @@ const Checkout = () => {
       isV2Enabled,
       params?.cryptocurrency,
       headlessSessionId,
+      failHeadlessCheckout,
     ],
   );
 
@@ -344,6 +364,9 @@ const Checkout = () => {
                 'fiat_on_ramp_aggregator.webview_received_error',
                 { code: nativeEvent.statusCode },
               );
+              if (failHeadlessCheckout(new Error(webviewHttpError))) {
+                return;
+              }
               setError(webviewHttpError);
             } else {
               Logger.log(

app/components/UI/Ramp/Views/HeadlessHost/HeadlessHost.test.tsx

@@ -348,6 +348,25 @@ describe('HeadlessHost', () => {
       expect(screen.getByText('quote expired')).toBeOnTheScreen();
     });
 
+    it('surfaces limit failures as onError(LIMIT_EXCEEDED, ...)', async () => {
+      const limitError = new Error('Daily limit exceeded');
+      limitError.name = 'LimitExceededError';
+      mockContinueWithQuote.mockRejectedValueOnce(limitError);
+      const quote = buildNativeQuote();
+      const session = seedSession(quote);
+      const callbacks = session.callbacks;
+      renderHost({ headlessSessionId: session.id });
+      await waitFor(() => {
+        expect(callbacks.onError).toHaveBeenCalledWith({
+          code: 'LIMIT_EXCEEDED',
+          message: 'Daily limit exceeded',
+        });
+      });
+      expect(callbacks.onClose).toHaveBeenCalledWith({ reason: 'unknown' });
+      expect(getSession(session.id)).toBeUndefined();
+      expect(screen.getByText('Daily limit exceeded')).toBeOnTheScreen();
+    });
+
     it('does not run the continueWithQuote rejection path after unmount', async () => {
       let rejectDeferred: ((error: Error) => void) | undefined;
       mockContinueWithQuote.mockImplementation(

app/components/UI/Ramp/Views/HeadlessHost/HeadlessHost.tsx

@@ -27,7 +27,7 @@ import Logger from '../../../../../util/Logger';
 // Going through the barrel would leave the registry exports `undefined`
 // at evaluation time inside this module.
 import {
-  closeSession,
+  failSession,
   getSession,
   setStatus,
 } from '../../headless/sessionRegistry';
@@ -132,26 +132,17 @@ function HeadlessHost() {
     if (!nativeFlowError) {
       return;
     }
-    const liveSession = getSession(headlessSessionId);
-    if (!liveSession) {
-      return;
-    }
-    setErrorMessage(nativeFlowError);
-    try {
-      liveSession.callbacks.onError({
-        code: 'AUTH_FAILED',
-        message: nativeFlowError,
-      });
-    } catch (e) {
-      Logger.error(e as Error, 'HeadlessHost: onError callback threw');
-    }
-    closeSession(
+    const headlessError = failSession(
       headlessSessionId,
-      { reason: 'unknown' },
       {
-        terminalStatus: 'failed',
+        code: 'AUTH_FAILED',
+        message: nativeFlowError,
       },
+      'AUTH_FAILED',
     );
+    if (headlessError) {
+      setErrorMessage(headlessError.message ?? nativeFlowError);
+    }
   }, [nativeFlowError, headlessSessionId]);
 
   // Process the session. Uses `useEffect` (not `useFocusEffect`) so that
@@ -202,25 +193,11 @@ function HeadlessHost() {
     if (!chainId) {
       const message = `HeadlessHost: invalid assetId "${currentSession.params.assetId}"`;
       Logger.error(new Error(message));
-      try {
-        currentSession.callbacks.onError({
-          code: 'UNKNOWN',
-          message,
-        });
-      } catch (e) {
-        Logger.error(e as Error, 'HeadlessHost: onError callback threw');
-      }
       // closeSession alone does not trigger a re-render; without setState the
       // render-time `session` ref stays truthy and the loader would spin
       // forever. Surface the same message in UI as other error paths.
       setErrorMessage(message);
-      closeSession(
-        headlessSessionId,
-        { reason: 'unknown' },
-        {
-          terminalStatus: 'failed',
-        },
-      );
+      failSession(headlessSessionId, { code: 'UNKNOWN', message });
       return;
     }
     // Defer until walletAddress resolves — avoids calling continueWithQuote
@@ -270,22 +247,8 @@ function HeadlessHost() {
       if (!liveSession) {
         return;
       }
-      setErrorMessage(message);
-      try {
-        liveSession.callbacks.onError({
-          code: 'UNKNOWN',
-          message,
-        });
-      } catch (e) {
-        Logger.error(e as Error, 'HeadlessHost: onError callback threw');
-      }
-      closeSession(
-        headlessSessionId,
-        { reason: 'unknown' },
-        {
-          terminalStatus: 'failed',
-        },
-      );
+      const headlessError = failSession(headlessSessionId, error);
+      setErrorMessage(headlessError?.message ?? message);
     });
     return () => {
       cancelled = true;

app/components/UI/Ramp/headless/PLAN.md

@@ -14,7 +14,7 @@
 - [x] **Phase 5 (revised)** — Quote-first headless start path — `startHeadlessBuy({ quote, redirectUrl? })` creates a session carrying the quote, navigates to Headless Host, Host calls `continueWithQuote(quote, ctx)` and re-orchestrates after auth loops
 - [ ] **Phase 5b (deferred)** — `startHeadlessBuy({ assetId, amount, paymentMethodId, providerId? })` "open BuildQuote / Host fetches quotes" mode — picked up after the quote-first path is stable
 - [x] **Phase 6** — Bypass order-processing redirect in Transak/aggregator routing when headless; fire `onOrderCreated` and end session
-- [ ] **Phase 7** — Extract UI-coupled error/limit surfacing; route errors through `onError` as typed `HeadlessBuyError`
+- [x] **Phase 7** — Extract UI-coupled error/limit surfacing; route errors through `onError` as typed `HeadlessBuyError`
 - [ ] **Phase 8** — Cancellation + `onClose` semantics (including user-dismissed detection)
 - [ ] **Phase 9** — Expose `getOrder` / `refreshOrder` from hook and show in playground
 - [ ] **Phase 10** — Playground polish — event log, input persistence, aggregator/native presets