feat(ramp): headless buy fixes

[saustrie-consensys]

Description

Fixes from Goktug's May 12 headless-buy testing thread, plus a small utility MetaMask Pay needs for mid-typing validation.

Independent of Phase 9.5 (#30104) in runtime — #30104 is currently git-stacked on this branch, so GitHub will auto-retarget its base to main when this PR merges. Either can land first.

Fixes from Goktug's May 12 testing

Three issues he filed; the fourth (empty white screen) is scoped to PR #30104.

• Fix Change inpage/inpage.js -> entry/entry.js #2 — getQuotes no longer silently eats provider rejections. A 5 EUR amount under the provider's minimum used to return an empty success list and no error, so the consumer was stuck waiting. Now getQuotes throws a typed HeadlessBuyError AND fires onError + onClose on the active session. The error code is LIMIT_EXCEEDED for limit messages and QUOTE_FAILED for everything else (rate-limit messages are NOT mis-classified as limit-exceeded).
• Fix Implement loading spinner during page loads #3.1 — onOrderCreated now hands the consumer the full order. Was (orderId) => void, now (orderId, order: RampsOrder) => void. Consumers can read order.walletAddress / order.provider.id straight from the callback without a separate lookup.
• Fix Implement loading spinner during page loads #3.2 — JSDoc clarifying the asymmetric callback contract. onError does NOT fire when an order is created and then later fails (e.g. 3-D Secure rejection on a card). Consumers need to branch on the order's .status, or poll for settlement themselves — useFiatOrderStatus in feat: Add fiat payment confirmation flow with headless ramp integration placeholder #28152 is the canonical pattern (polls RampsController.getOrder directly).

Pre-quote static bounds (Suggestions #1 + #2 — MetaMask Pay)

Originally deferred; MMPay confirmed they want both pieces.

• Inject inpage js #1 — Expose getProviderBuyLimit from the public headless barrel. Lets a consumer check whether a typed-in amount is in-bounds for (provider, currency, paymentMethod) without a network call — handy for disabling a "Get quote" button while the user types.
• Change inpage/inpage.js -> entry/entry.js #2 — getQuotes runs that same check before paying the network round-trip. If every requested provider × payment-method has known bounds that reject the amount, it rejects synchronously with LIMIT_EXCEEDED. A single "passes" or "unknown bounds" candidate keeps the network call alive — same conservative posture UB2 takes.

Out of scope / deferred:

• Fix Inject inpage js #1 (empty white screen) → Phase 9.5 PR feat(ramp): make HeadlessHost invisible (Phase 9.5) #30104.
• getUserLimits swallow at useTransakRouting.ts:241 — not in Goktug's filed complaints; tracked separately.
• The Deposit feature's identically-named navigateToOrderProcessingCallback is unrelated (different session machinery) — intentionally skipped.
• Consumer-side updates in MetaMask Pay (useFiatConfirm / useFiatOrderStatus consuming the new onOrderCreated arg + getProviderBuyLimit) — lives in their own PRs.

Changelog

CHANGELOG entry: null

(internal API addition — no end-user-facing change in this PR; MMPay's user-visible loading UI lands in their downstream PRs.)

Related issues

Fixes: https://consensyssoftware.atlassian.net/jira/software/c/projects/TRAM/boards/1568?assignee=712020%3Afd12f7ea-d9e1-4a0a-8a26-36804c9e11c9&selectedIssue=TRAM-3530

Replaces the relevant Phase 9 scope of the combined PR #29930 (close after this + #30104 are open).

Parallel Phase 9.5 PR: #30104 (HeadlessHost goes invisible). No runtime merge-order dependency; #30104 is git-stacked on this branch.

Slack — Goktug's May 12 testing thread: https://consensys.slack.com/archives/C0AK3NXRM7W/p1778577403631269

Manual testing steps

Feature: Headless buy fixes from Goktug's May 12 testing thread

  Scenario: 5 EUR provider rejection surfaces to consumer (Fix #2 — Goktug complaint #2)
    Given an active headless session via `startHeadlessBuy`
    When the consumer calls `getQuotes` with a fiat amount below the provider's minimum
    Then `onError` fires with `{ code: 'LIMIT_EXCEEDED', details: { providerErrors: [...], source: 'network-reject' } }`
    And `onClose` fires with `{ reason: 'unknown' }`
    And the session is removed from the registry
    And the consumer's `await getQuotes(...)` catch also receives the same structured error

  Scenario: onOrderCreated fires with the order snapshot (Fix #3.1)
    Given a card order created with the Transak test card 4242 4242 4242 4242
    When `onOrderCreated(orderId, order)` fires
    Then the second arg is a valid `RampsOrder` with `walletAddress` and `provider.id`
    And the consumer can branch on `order.status` or poll `RampsController.getOrder` for settlement

  Scenario: Pre-quote static bounds short-circuit (Suggestion #2)
    Given a Provider catalog where `transak-native`'s minAmount for EUR + card is 10
    When the consumer calls `getQuotes({ amount: 5, currency: 'EUR', providerIds: ['transak-native'], paymentMethodIds: ['debit-credit-card'] })`
    Then `getQuotes` rejects synchronously with `{ code: 'LIMIT_EXCEEDED', details: { source: 'static-bounds', rejections: [...] } }`
    And no network call to `RampsController.getQuotes` was made

  Scenario: Pre-quote skip when at least one candidate accepts (Suggestion #2)
    Given two providers — transak (min 10 EUR) and moonpay (min 1 EUR), both card-supporting
    When the consumer calls `getQuotes({ amount: 5, providerIds: ['transak', 'moonpay'], paymentMethodIds: ['debit-credit-card'] })`
    Then the pre-flight does NOT short-circuit (moonpay would accept)
    And the network call proceeds normally

Screenshots/Recordings

N/A — internal API addition. No user-facing UI change in this PR.

Before

N/A

After

N/A

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable (525 jest tests across app/components/UI/Ramp/{headless,hooks,Views/Checkout,Views/HeadlessPlayground}; covers Fix Change inpage/inpage.js -> entry/entry.js #2 response-inspection + classification, Fix Implement loading spinner during page loads #3.1 fire-site 2nd-arg passthrough at Checkout and useTransakRouting, and Suggestion Change inpage/inpage.js -> entry/entry.js #2 static bounds short-circuit with mixed-candidate edge cases)
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (team-money-movement)

Performance checks (if applicable)

• I've tested on Android
• I've tested with a power user scenario
• I've instrumented key operations with Sentry traces for production performance metrics

(N/A for this phase — internal API addition. The next consumer-facing change lands in MMPay's downstream PR.)

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Medium Risk
Expands the headless public callback API and changes useHeadlessBuy.getQuotes behavior to throw and auto-fail active sessions, which could break existing consumers and alter control flow around quote fetching and session lifecycle.

Overview
Headless buy now surfaces quote failures instead of silently returning empty results: useHeadlessBuy.getQuotes throws typed errors (LIMIT_EXCEEDED vs QUOTE_FAILED), and when a headless session is active it routes these through failSession to trigger onError + onClose and end the session.

Adds a pre-network static bounds check using provider catalog limits; if all requested provider×payment-method candidates have known bounds that reject the amount, getQuotes short-circuits with LIMIT_EXCEEDED. getProviderBuyLimit is also re-exported from the public headless barrel for consumer-side validation.

Widens the headless session callback signature to onOrderCreated(orderId, order) and plumbs the order snapshot through the headless success paths (Checkout callback flow and useTransakRouting), updating the playground and tests accordingly, plus clarifying JSDoc about post-creation order status behavior.

^{Reviewed by Cursor Bugbot for commit e0a95a4. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 85.93750% with 18 lines in your changes missing coverage. Please review.
✅ Project coverage is 81.75%. Comparing base (3751d9a) to head (4257d6a).
⚠️ Report is 119 commits behind head on main.

Files with missing lines	Patch %	Lines
...mp/Views/HeadlessPlayground/HeadlessPlayground.tsx	76.00%	8 Missing and 4 partials ⚠️
.../components/UI/Ramp/headless/orderTerminalState.ts	93.05%	2 Missing and 3 partials ⚠️
app/components/UI/Ramp/headless/useHeadlessBuy.ts	83.33%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #30103      +/-   ##
==========================================
+ Coverage   81.54%   81.75%   +0.20%     
==========================================
  Files        5343     5388      +45     
  Lines      142128   143619    +1491     
  Branches    32411    32803     +392     
==========================================
+ Hits       115899   117410    +1511     
+ Misses      18299    18185     -114     
- Partials     7930     8024      +94     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 5a02bbd. Configure here.}

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: SmokeMoney
• Selected Performance tags: None (no tests recommended)
• Risk Level: medium
• AI Confidence: 88%

click to see 🤖 AI reasoning details

E2E Test Selection:
All 12 changed files are within the Ramp/fiat on-ramp subsystem (app/components/UI/Ramp/). The changes include:

1. API signature change: onOrderCreated callback widened from (orderId: string) to (orderId: string, order: RampsOrder) — a breaking change for headless buy consumers.
2. New static bounds pre-check in useHeadlessBuy.getQuotes: validates amount against provider limits before making network calls, with LIMIT_EXCEEDED error classification.
3. Provider error classification in getQuotes: distinguishes LIMIT_EXCEEDED vs QUOTE_FAILED from network responses.
4. useTransakRouting: Updated to pass full order object to onOrderCreated in both the bank transfer and WebView paths.
5. Checkout.tsx: Updated headless session callback to pass rampsOrder as second argument.
6. index.ts: Exports getProviderBuyLimit utility.

These changes directly affect the on-ramp/buy flow (unified buy, Transak routing, checkout WebView), which is covered by SmokeMoney tests (specifically onramp-unified-buy.spec.ts, deeplink-to-buy-flow.spec.ts, deeplink-to-sell-flow.spec.ts). No other subsystems (confirmations, accounts, network, swaps, etc.) are affected. The headless playground is a dev/test tool and not covered by E2E tests directly.

Performance Test Selection:
The changes are confined to the Ramp/fiat on-ramp subsystem and involve API signature changes, error classification logic, and callback updates. These are not performance-sensitive changes — they don't affect UI rendering, list components, app startup, login flows, or any of the performance-critical paths measured by the available performance test tags.

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
94.3% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud