feat: gasless hw batch tracking

[montelaidev]

Description

This PR uuseHwBatchSignTracker which orchestrates hardware-wallet signing for multi-transaction bridge/swap batches by detecting pending approvals from the ApprovalController, queuing them, and driving sequential device confirmation. It anchors a batchId from the first approved transaction, tracks signing progress through transactionStatusUpdated events, and exposes a cancelCurrentBatch function that aborts all in-flight txs, rejects pending approvals, wipes failed tx nonces to prevent gaps, and resets internal state for retry. A generation counter and stale-batch-ID set ensure that late events from cancelled or retried batches are ignored, while special handling covers smart-transaction (STX) submission failures that arrive after signing succeeds.

Changelog

CHANGELOG entry: null

Related issues

Refs: https://consensyssoftware.atlassian.net/browse/MUL-1718

Manual testing steps

N/A — Cannot be tested. its not wired up.

Screenshots/Recordings

Cannot be tested. its not wired up.

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Performance checks (if applicable)

• I've tested on Android
  • Ideally on a mid-range device; emulator is acceptable
• I've tested with a power user scenario
  • Use these power-user SRPs to import wallets with many accounts and tokens
• I've instrumented key operations with Sentry traces for production performance metrics
  • See trace() for usage and addToken for an example

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Medium Risk
New transaction/approval orchestration with cancel, wipe, and STX edge cases is complex and security-adjacent, but the hook is not wired to production flows yet and behavior is heavily unit-tested.

Overview
Adds useHwBatchSignTracker, a new hook that wires hardware-wallet signing to multi-step bridge/swap transaction batches (not yet integrated into the swaps UI per the PR).

When enabled for a fromAddress, it listens to TransactionController and ApprovalController events, maps bridge/swap batch txs to updateHardwareWalletsSwaps events (Signing / Signed / Rejected / TransactionFailed), tracks confirmationTxId, and exposes cancelCurrentBatch to abort in-flight signing, reject scoped pending approvals, drop only pre-broadcast txs, wait for terminal statuses, and wipeTransactions on related chains so failed nonces do not block retries. Stale-batch and retryGenerationRef guards ignore late events from cancelled or retried flows; the approval queue runs through executeHardwareWalletOperation with special handling for device-not-ready retries, Keystone cancel, and STX `STX_NO_HASH_ERROR** after sign.

executeHardwareWalletOperation gains optional showConfirmation (skip awaiting-confirmation UI while still running readiness + execute) and exports HardwareWalletOperationType. Coverage is a large new useHwBatchSignTracker.test.ts suite plus small executeHardwareWalletOperation tests for showConfirmation: false.

^{Reviewed by Cursor Bugbot for commit ebee541. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[mm-token-exchange-service]

PR template — items to address before "Ready for review"

This check is blocking. Address every item below, then push to re-run.

• Pre-merge author checklist has unchecked items (e.g. "I've tested on Android"). Every box must be consciously checked — see docs/readme/ready-for-review.md.

See docs/readme/ready-for-review.md for the full Definition of Ready for Review.

[ccharly]

We should re-use the constants here, otherwise if we change the constant we would have to change this test too!

[ccharly]

Nit: But I think we have a constant for that one now?

[ccharly]

Nit: We should also add a constant for this one!

[ccharly]

What "tracked" means here? I saw you were checking for "approved" tx, or is this tx for the current batch?

We could change the name to something else a bit more descriptive otherwise?

[ccharly]

Not all tx are really cancellable though? Should we also change the name for this one?

[montelaidev]

Yea, these are only the ones that can still be cancelled locally

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit af3f3ea. Configure here.}

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: SmokeAccounts, SmokeConfirmations, SmokeSwap
• Selected Performance tags: None (no tests recommended)
• Risk Level: medium
• AI Confidence: 78%

click to see 🤖 AI reasoning details

E2E Test Selection:
The PR introduces:

1. executeHardwareWalletOperation.ts: Adds an optional showConfirmation parameter (defaults to true) that allows skipping the Ledger awaiting-confirmation bottom sheet. This is a backward-compatible change but modifies core hardware wallet signing behavior. This function is used by useLedgerConfirm (confirmations flow) and useHwBatchSignTracker (swap/bridge batch signing).

2. index.ts: Re-exports the new HardwareWalletOperationType type — purely additive.

3. useHwBatchSignTracker.ts: A new 1261-line hook for managing batch hardware wallet signing during swap/bridge flows. It handles approval queuing, cancellation, retry logic, and analytics. Currently only imported by its test file (not yet integrated into any component), so direct E2E impact is limited.

4. Test files: Unit tests for the new functionality.

Tag selection rationale:

• SmokeAccounts: Hardware wallet (QR-based) account management tests are in this tag. The executeHardwareWalletOperation change could affect QR hardware wallet account operations.
• SmokeConfirmations: useLedgerConfirm uses executeHardwareWalletOperation for Ledger transaction/message signing confirmations. The new showConfirmation parameter must not break existing confirmation flows.
• SmokeSwap: The new useHwBatchSignTracker is explicitly designed for hardware wallet swap/bridge batch signing. Even though it's not yet wired into a component, the swap flow is the intended target and should be validated.

Per tag descriptions: SmokeSwap requires SmokeConfirmations (already included). The changes are backward-compatible but touch critical hardware wallet signing paths.

Performance Test Selection:
The changes are focused on hardware wallet signing logic (a new optional parameter and a new batch signing hook). These are not UI rendering, list rendering, or data loading changes that would impact measurable performance metrics. The new useHwBatchSignTracker hook manages async signing state but is not yet integrated into any component, so it has no performance impact on existing flows.

View GitHub Actions results