feat: config registry dynamic networks mobile

[wantedsystem]

Description

Context :

We want the "Additional networks" list to come from a dynamic config API instead of a static list, so we can update featured networks without a client release.

Problem :

Featured networks are hardcoded in the App. Adding or changing featured networks (e.g. Linea, Avalanche) requires a new release.

Solution

We integrated the Config Registry Controller (behind the configRegistryApiEnabled remote feature flag). When the flag is on, the “Additional networks” list is built from the registry API (filtered to featured, active, non-testnet EVM networks and excluding chains already in the wallet). When the flag is off or the API isn’t ready, we keep using the existing static list. The registry is only used to decide which networks to offer to add; it never updates or overwrites networks the user has already added or customized (e.g. custom Linea RPC).

Changelog

CHANGELOG entry: - Integrated the dynamic network registry into MetaMask Extension

• Networks persist across extension restarts
• UI displays dynamic additional networks when available
• Polling starts/stops automatically based on feature flag
• Polling stops when the app is closed

Related issues

Fixes:

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Medium Risk
Medium risk: introduces a new engine controller and polling/fetch flow gated by a remote feature flag, plus new selector-driven UI data that could affect network list rendering and background state persistence.

Overview
Adds dynamic “Additional networks” sourcing via Config Registry. A new ConfigRegistryController is wired into Engine (types, background state change events, initial background state/log snapshots), with a dedicated messenger that also registers/retains ConfigRegistryApiService.

Feature-flag gated fetch + polling. configRegistryControllerInit starts/stops polling based on the configRegistryApiEnabled remote flag (including runtime toggles) and performs an initial async fetch when enabled and no configs are persisted; failures fall back to a stub controller.

UI now consumes a selector-derived list. NetworkMultiSelector switches from the static PopularList to getAdditionalNetworksList, which returns either the static list (flag off/loading/no featured API data) or a mapped list of featured EVM networks not already added.

Stability + visuals tweaks. ExtendedMessenger.unsubscribe becomes tolerant of missing subscriptions, ErrorHandler treats Premature close as non-fatal, and AvatarNetwork can render SVG images via SvgUri (with a new test).

^{Written by Cursor Bugbot for commit 235552b. This will update automatically on new commits. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​metamask/​config-registry-controller@​0.1.0

View full report

[socket-security]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring alerts on:

• npm/@metamask/config-registry-controller@0.1.0

View full report

[wantedsystem]

@SocketSecurity ignore npm/@metamask/config-registry-controller@0.1.0

[wantedsystem]

@SocketSecurity ignore npm/@metamask/config-registry-controller@0.1.0

Network access is expected: package fetches dynamic network config from MetaMask’s config registry API only. First-party package, no user-controlled or third-party URLs. Reviewed as legitimate use

[wantedsystem]

@metamaskbot update-mobile-fixture

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

[cursor]

SVG URI detection fails with query parameters

Medium Severity

The SVG detection logic uses imageSource.uri?.endsWith('.svg') which fails for SVG URLs containing query parameters or fragments (e.g. https://cdn.example.com/icon.svg?v=2). Since these network icon URLs come from a dynamic registry API, URLs with cache-busting or auth query strings are common, and affected icons would silently fall through to the Image component which cannot render SVGs.

 

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: SmokeAccounts, SmokeConfirmations, SmokeIdentity, SmokeNetworkAbstractions, SmokeNetworkExpansion, SmokeTrade, SmokeWalletPlatform, SmokeCard, SmokePerps, SmokeRamps, SmokeMultiChainAPI, SmokePredictions, FlaskBuildTests
• Selected Performance tags: @PerformanceAccountList, @PerformanceOnboarding, @PerformanceLogin, @PerformanceSwaps, @PerformanceLaunch, @PerformanceAssetLoading, @PerformancePredict, @PerformancePreps
• Risk Level: high
• AI Confidence: 100%

click to see 🤖 AI reasoning details

E2E Test Selection:
Hard rule (controller-version-update): @MetaMask controller package version updated in package.json: @metamask/config-registry-controller. Running all tests.

Performance Test Selection:
Hard rule (controller-version-update): @MetaMask controller package version updated in package.json: @metamask/config-registry-controller. Running all tests.

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
4 New issues
0 Accepted issues

Measures
0 Security Hotspots
91.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

✅ E2E Fixture Validation — Schema is up to date
17 value mismatches detected (expected — fixture represents an existing user).
View details