feat: support security alerts API

[vinistevam]

Description

This PR enables the use of the Security Alerts API to validate dApp requests, with a fallback to local PPOM validation if the API request fails.

Environment Variables

Add the following variables to .metamaskrc:

SECURITY_ALERTS_API_URL='http://localhost:3000'
SECURITY_ALERTS_API_ENABLED='true'

Additional Changes

Introduces the security_alert_source property to transaction and signature events, indicating api or local as the source.

Related Repository

Refer to the Security Alerts API repository for more details.

Related issues

Fixes: https://github.com/MetaMask/MetaMask-planning/issues/2514 https://github.com/MetaMask/MetaMask-planning/issues/2515

Manual testing steps

1. Test blockaid regression

2. add the envs

SECURITY_ALERTS_API_URL='https://security-alerts.dev-api.cx.metamask.io'
SECURITY_ALERTS_API_ENABLED='true'

• Go to test dapp and trigger on of the malicious signatures
• To verify in chrome go to dev tools > network. Search for security-alerts and find the call to the API service.

Existing PPOM logic should function as before, even with the above environment variables added, due to the fallback to the controller in the event of an error.

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Extension Coding Standards.
• I've completed the PR template to the best of my ability
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format if applicable
• I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 69.70%. Comparing base (d403213) to head (0fbd0e9).
Report is 9 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #25544      +/-   ##
===========================================
+ Coverage    69.69%   69.70%   +0.02%     
===========================================
  Files         1350     1351       +1     
  Lines        47865    47890      +25     
  Branches     13199    13203       +4     
===========================================
+ Hits         33355    33380      +25     
  Misses       14510    14510              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[metamaskbot]

Builds ready [0fbd0e9]

• builds: chrome, firefox
• builds (beta): chrome
• builds (flask): chrome, firefox
• builds (MMI): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• build viz: Build System
• mv3: Background Module Init Stats
• mv3: UI Init Stats
• mv3: Module Load Stats
• mv3: Bundle Size Stats
• mv2: E2e Actions Stats
• code coverage: Report
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5
  • common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
  • content-script: 0
  • offscreen: 0
  • ui: 0, 1, 10, 11, 2, 3, 4, 5, 6, 7, 8, 9

Page Load Metrics (140 ± 174 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	73	116	93	12	6
		domContentLoaded	9	32	13	5	2
		load	43	1720	140	363	174
		domInteractive	9	32	13	5	2

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: 1.62 KiB (0.05%)
• ui: 0 Bytes (0.00%)
• common: 0 Bytes (0.00%)

[matthewwalsh0]

Should we change the message here for clarity, or add separate try catch blocks in each validate method?

[matthewwalsh0]

Should we match mobile and use:

Temporary mechanism to enable security alerts API prior to release

[matthewwalsh0]

Ideally, we want to avoid referencing background types in the frontend.

Could we instead update the shared type?

[matthewwalsh0]

We're adding this to the response, but do we also have to update getBlockaidMetricsProps in ui/helpers/utils/metrics.js to add it to the event?