test(e2e): remove Tenderly hosts from E2E allowlist (MMQA-1787) (#29760)

## **Description**

Removes all four Tenderly host entries from `ALLOWLISTED_HOSTS` in
`tests/api-mocking/mock-e2e-allowlist.ts`. Parent epic
[MMQA-1364](https://consensyssoftware.atlassian.net/browse/MMQA-1364).

The parent epic carved Tenderly out of scope on the assumption that
fork-based tests required live Tenderly virtual networks for contract
simulation. Re-investigation showed that assumption no longer holds.

**Disposition per host:**

| Entry | Disposition |
| --- | --- |
| `api.tenderly.co` | Delete — zero references in tests/app code |
| `rpc.tenderly.co` | Delete — zero references in tests/app code |
| `virtual.linea.rpc.tenderly.co` | Delete — already mocked by
`cardholder-mocks.ts:247-268` for the only specs that exercise it
(`card-home-add-funds.spec.ts`, `card-button.spec.ts`) |
| `virtual.mainnet.rpc.tenderly.co` | Default RPC mock added with regex
matcher (URL has UUID path); returns `0x0` to standard JSON-RPC methods,
mirroring the avax / zksync entries from
[MMQA-1785](https://consensyssoftware.atlassian.net/browse/MMQA-1785) |

**Bonus cleanup:** `tests/helpers/tenderly/tenderly.js` is deleted. Its
only function (`Tenderly.addFunds()` calling `tenderly_setBalance`) was
never called from anywhere in the codebase — that helper was the
original reason for the Tenderly carve-out, and it's dead code.

The Detox blacklist entry `.*rpc.tenderly.co/.*` in `blacklistURLs.json`
is also dropped — those URLs are now intercepted by the mock server.

After this lands, `ALLOWLISTED_HOSTS` is down to **7** entries (4 local
+ Polymarket carve-out + `metamask.github.io`).

## **Changelog**

CHANGELOG entry: null

## **Related issues**

[MMQA-1787](https://consensyssoftware.atlassian.net/browse/MMQA-1787)
Parent epic:
[MMQA-1364](https://consensyssoftware.atlassian.net/browse/MMQA-1364)

Fixes:

## **Manual testing steps**

```gherkin
Feature: E2E mock coverage for Tenderly virtual networks

  Scenario: on-ramp specs that load Tenderly Mainnet no longer leak live requests
    Given the on-ramp spec onramp-unified-buy.spec.ts is run
    And it builds a fixture with withNetworkController(CustomNetworks.Tenderly.Mainnet.providerConfig)

    When the wallet boots and the NetworkController initializes
    Then requests to virtual.mainnet.rpc.tenderly.co are answered by the default RPC mock
    And no entry for that host is required in mock-e2e-allowlist.ts

  Scenario: card specs continue to pass with Tenderly Linea host removed from allowlist
    Given the card spec card-home-add-funds.spec.ts is run

    When the wallet wires Tenderly.Linea and the test exercises the card flow
    Then RPC calls to virtual.linea.rpc.tenderly.co are intercepted by cardholder-mocks.ts
    And the spec passes without a live request leak

  Scenario: removed Tenderly helper does not break compilation
    Given tests/helpers/tenderly/tenderly.js has been deleted

    When the test suite is type-checked and built
    Then there are no broken import references
```

## **Screenshots/Recordings**

### **Before**

`tests/api-mocking/mock-e2e-allowlist.ts`:

```ts
export const ALLOWLISTED_HOSTS = [
  '0.0.0.0',
  '127.0.0.1',
  'localhost',
  '10.0.2.2',
  'api.tenderly.co',
  'rpc.tenderly.co',
  'virtual.mainnet.rpc.tenderly.co',
  'virtual.linea.rpc.tenderly.co',
  'gamma-api.polymarket.com',
  '*.polymarket.com',
  'metamask.github.io',
];
```

`tests/resources/blacklistURLs.json` — Detox dropping the host at the
network layer:

```
".*rpc.tenderly.co/.*"
```

`tests/helpers/tenderly/tenderly.js` — dead helper class with
`Tenderly.addFunds()`.

### **After**

`tests/api-mocking/mock-e2e-allowlist.ts` — four hosts removed:

```ts
export const ALLOWLISTED_HOSTS = [
  '0.0.0.0',
  '127.0.0.1',
  'localhost',
  '10.0.2.2',
  'gamma-api.polymarket.com',
  '*.polymarket.com',
  'metamask.github.io',
];
```

`tests/api-mocking/mock-responses/defaults/rpc-endpoints.ts` — new entry
for Tenderly mainnet:

```ts
{
  urlEndpoint: /^https:\/\/virtual\.mainnet\.rpc\.tenderly\.co\/.+$/,
  responseCode: 200,
  response: { jsonrpc: '2.0', id: 1, result: '0x0' },
},
```

`tests/resources/blacklistURLs.json` — Tenderly entry removed.

`tests/helpers/tenderly/tenderly.js` — file deleted.

CI verification will be added once smoke tests complete on this PR.

## **Pre-merge author checklist**

- [x] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile
Coding
Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I've included tests if applicable
- [x] I've documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [x] I've applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

#### Performance checks (if applicable)

- [ ] I've tested on Android
  - Ideally on a mid-range device; emulator is acceptable
- [ ] I've tested with a power user scenario
- Use these [power-user
SRPs](https://consensyssoftware.atlassian.net/wiki/spaces/TL1/pages/edit-v2/401401446401?draftShareId=9d77e1e1-4bdc-4be1-9ebb-ccd916988d93)
to import wallets with many accounts and tokens
- [ ] I've instrumented key operations with Sentry traces for production
performance metrics
- See [`trace()`](/app/util/trace.ts) for usage and
[`addToken`](/app/components/Views/AddAsset/components/AddCustomToken/AddCustomToken.tsx#L274)
for an example

For performance guidelines and tooling, see the [Performance
Guide](https://consensyssoftware.atlassian.net/wiki/spaces/TL1/pages/400085549067/Performance+Guide+for+Engineers).

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.


[MMQA-1364]:
https://consensyssoftware.atlassian.net/browse/MMQA-1364?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
[MMQA-1785]:
https://consensyssoftware.atlassian.net/browse/MMQA-1785?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk test-infrastructure change that tightens E2E network mocking;
main risk is unintended interception/mismatch of Tenderly RPC URLs
causing E2E failures.
> 
> **Overview**
> Removes all Tenderly domains from the E2E `ALLOWLISTED_HOSTS`,
reducing live-network carve-outs.
> 
> Adds a default RPC mock for `virtual.mainnet.rpc.tenderly.co` using a
regex URL matcher, deletes the unused
`tests/helpers/tenderly/tenderly.js` helper, and drops the Detox
`.*rpc.tenderly.co/.*` blacklist entry so these requests are handled by
the mock server instead.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
485d840. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: chrisleewilcox

tests/api-mocking/mock-e2e-allowlist.ts

@@ -6,10 +6,6 @@ export const ALLOWLISTED_HOSTS = [
   '127.0.0.1',
   'localhost',
   '10.0.2.2', // Android emulator host
-  'api.tenderly.co',
-  'rpc.tenderly.co',
-  'virtual.mainnet.rpc.tenderly.co',
-  'virtual.linea.rpc.tenderly.co',
   'gamma-api.polymarket.com',
   '*.polymarket.com',
   'metamask.github.io', // Test-snaps and test-dapp pages loaded in browser

tests/api-mocking/mock-responses/defaults/rpc-endpoints.ts

@@ -42,5 +42,14 @@ export const DEFAULT_RPC_ENDPOINT_MOCKS: MockEventsObject = {
         result: '0x0',
       },
     },
+    {
+      urlEndpoint: /^https:\/\/virtual\.mainnet\.rpc\.tenderly\.co\/.+$/,
+      responseCode: 200,
+      response: {
+        jsonrpc: '2.0',
+        id: 1,
+        result: '0x0',
+      },
+    },
   ],
 };

tests/helpers/tenderly/tenderly.js

@@ -6,7 +6,6 @@
     ".*api.etherscan.io/.*",
     ".*static.metafi.codefi.network/.*",
     ".*static.cx.metamask.io/.*",
-    ".*rpc.tenderly.co/.*",
     ".*api-goerli.etherscan.io/.*",
     ".*gateway.pinata.cloud/.*",
     ".*stale.*",