test(e2e): remove Tenderly hosts from E2E allowlist (MMQA-1787)

[chrisleewilcox]

Description

Removes all four Tenderly host entries from ALLOWLISTED_HOSTS in tests/api-mocking/mock-e2e-allowlist.ts. Parent epic MMQA-1364.

The parent epic carved Tenderly out of scope on the assumption that fork-based tests required live Tenderly virtual networks for contract simulation. Re-investigation showed that assumption no longer holds.

Disposition per host:

Entry	Disposition
api.tenderly.co	Delete — zero references in tests/app code
rpc.tenderly.co	Delete — zero references in tests/app code
virtual.linea.rpc.tenderly.co	Delete — already mocked by cardholder-mocks.ts:247-268 for the only specs that exercise it (card-home-add-funds.spec.ts, card-button.spec.ts)
virtual.mainnet.rpc.tenderly.co	Default RPC mock added with regex matcher (URL has UUID path); returns 0x0 to standard JSON-RPC methods, mirroring the avax / zksync entries from MMQA-1785

Bonus cleanup: tests/helpers/tenderly/tenderly.js is deleted. Its only function (Tenderly.addFunds() calling tenderly_setBalance) was never called from anywhere in the codebase — that helper was the original reason for the Tenderly carve-out, and it's dead code.

The Detox blacklist entry .*rpc.tenderly.co/.* in blacklistURLs.json is also dropped — those URLs are now intercepted by the mock server.

After this lands, ALLOWLISTED_HOSTS is down to 7 entries (4 local + Polymarket carve-out + metamask.github.io).

Changelog

CHANGELOG entry: null

Related issues

MMQA-1787
Parent epic: MMQA-1364

Fixes:

Manual testing steps

Feature: E2E mock coverage for Tenderly virtual networks

  Scenario: on-ramp specs that load Tenderly Mainnet no longer leak live requests
    Given the on-ramp spec onramp-unified-buy.spec.ts is run
    And it builds a fixture with withNetworkController(CustomNetworks.Tenderly.Mainnet.providerConfig)

    When the wallet boots and the NetworkController initializes
    Then requests to virtual.mainnet.rpc.tenderly.co are answered by the default RPC mock
    And no entry for that host is required in mock-e2e-allowlist.ts

  Scenario: card specs continue to pass with Tenderly Linea host removed from allowlist
    Given the card spec card-home-add-funds.spec.ts is run

    When the wallet wires Tenderly.Linea and the test exercises the card flow
    Then RPC calls to virtual.linea.rpc.tenderly.co are intercepted by cardholder-mocks.ts
    And the spec passes without a live request leak

  Scenario: removed Tenderly helper does not break compilation
    Given tests/helpers/tenderly/tenderly.js has been deleted

    When the test suite is type-checked and built
    Then there are no broken import references

Screenshots/Recordings

Before

tests/api-mocking/mock-e2e-allowlist.ts:

export const ALLOWLISTED_HOSTS = [
  '0.0.0.0',
  '127.0.0.1',
  'localhost',
  '10.0.2.2',
  'api.tenderly.co',
  'rpc.tenderly.co',
  'virtual.mainnet.rpc.tenderly.co',
  'virtual.linea.rpc.tenderly.co',
  'gamma-api.polymarket.com',
  '*.polymarket.com',
  'metamask.github.io',
];

tests/resources/blacklistURLs.json — Detox dropping the host at the network layer:

".*rpc.tenderly.co/.*"

tests/helpers/tenderly/tenderly.js — dead helper class with Tenderly.addFunds().

After

tests/api-mocking/mock-e2e-allowlist.ts — four hosts removed:

export const ALLOWLISTED_HOSTS = [
  '0.0.0.0',
  '127.0.0.1',
  'localhost',
  '10.0.2.2',
  'gamma-api.polymarket.com',
  '*.polymarket.com',
  'metamask.github.io',
];

tests/api-mocking/mock-responses/defaults/rpc-endpoints.ts — new entry for Tenderly mainnet:

{
  urlEndpoint: /^https:\/\/virtual\.mainnet\.rpc\.tenderly\.co\/.+$/,
  responseCode: 200,
  response: { jsonrpc: '2.0', id: 1, result: '0x0' },
},

tests/resources/blacklistURLs.json — Tenderly entry removed.

tests/helpers/tenderly/tenderly.js — file deleted.

CI verification will be added once smoke tests complete on this PR.

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Performance checks (if applicable)

• I've tested on Android
  • Ideally on a mid-range device; emulator is acceptable
• I've tested with a power user scenario
  • Use these power-user SRPs to import wallets with many accounts and tokens
• I've instrumented key operations with Sentry traces for production performance metrics
  • See trace() for usage and addToken for an example

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Low Risk
Low risk test-infrastructure change that tightens E2E network mocking; main risk is unintended interception/mismatch of Tenderly RPC URLs causing E2E failures.

Overview
Removes all Tenderly domains from the E2E ALLOWLISTED_HOSTS, reducing live-network carve-outs.

Adds a default RPC mock for virtual.mainnet.rpc.tenderly.co using a regex URL matcher, deletes the unused tests/helpers/tenderly/tenderly.js helper, and drops the Detox .*rpc.tenderly.co/.* blacklist entry so these requests are handled by the mock server instead.

^{Reviewed by Cursor Bugbot for commit 485d840. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: SmokeMoney, SmokeNetworkAbstractions, SmokeSwap, SmokeConfirmations
• Selected Performance tags: None (no tests recommended)
• Risk Level: medium
• AI Confidence: 78%

click to see 🤖 AI reasoning details

E2E Test Selection:
These changes are test infrastructure modifications related to how Tenderly virtual test networks are mocked in E2E tests:

1. mock-e2e-allowlist.ts: Removed Tenderly hosts from the allowlist — Tenderly requests must now be properly mocked rather than allowed through to the real network.

2. rpc-endpoints.ts: Added a mock for virtual.mainnet.rpc.tenderly.co (regex pattern) to the DEFAULT_RPC_ENDPOINT_MOCKS, compensating for the allowlist removal. This ensures mainnet Tenderly RPC calls return a default 0x0 response.

3. tenderly.js (deleted): The Tenderly helper class was deleted. No importers were found, so this is a safe removal of dead code.

4. blacklistURLs.json: Removed .*rpc.tenderly.co/.* from the Detox URL blacklist. Tenderly URLs are now handled by the mock interceptor rather than being blocked at the Detox network level.

Affected test areas:

• SmokeMoney: Card tests (card-home-add-funds.spec.ts, card-button.spec.ts) use CustomNetworks.Tenderly.Linea — Linea Tenderly RPC is already mocked in cardholder-mocks.ts, but the allowlist/blacklist changes need validation.
• SmokeNetworkAbstractions: network-manager2.spec.ts uses CustomNetworks.Tenderly.Polygon — need to verify Polygon Tenderly RPC is properly handled.
• SmokeSwap/SmokeConfirmations: Ramps tests (onramp-unified-buy.spec.ts) use CustomNetworks.Tenderly.Mainnet — now covered by the new mock in rpc-endpoints.ts.

The key risk is that removing Tenderly from the allowlist while adding mocks could cause test failures if any Tenderly RPC calls aren't fully covered by the new mocks (e.g., Polygon Tenderly has no explicit mock added). Running the affected test suites validates the mocking strategy works end-to-end.

Performance Test Selection:
These changes are purely test infrastructure modifications (mock configuration, allowlist, blacklist, deleted helper). They do not affect any app source code, UI components, state management, or runtime behavior. No performance impact is expected.

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud