feat: (controllers) stream swap quotes

[micaelae]

Explanation

References

Related to https://github.com/consensys-vertical-apps/va-mmcx-bridge-api/pull/517

Checklist

• I've updated the test suite for new or updated code as appropriate
• I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
• I've communicated my changes to consumers by updating changelogs for packages I've changed, highlighting breaking changes as necessary
• I've prepared draft pull requests for clients and consumer packages to resolve any breaking changes

---

Note

Introduces server‑sent events quote streaming and integrates incremental quote updates into the bridge controller polling flow.

• Bridge Controller (packages/bridge-controller/src/bridge-controller.ts):
  • Add streaming path in _executePoll using new #fetchBridgeQuoteStream, with abort handling, metrics, and state updates.
  • Incrementally append quotes to state.quotes; set loading/fetched/error statuses; maintain refresh stats; stop polling per feature flags.
  • Track validation failures and errors from stream callbacks.
• Fetch Utils (packages/bridge-controller/src/utils/fetch.ts):
  • Add fetchBridgeQuoteStream using fetchEventSource (SSE) to stream QuoteResponse items, validate each message, and invoke handlers (onValidQuotesReceived, onValidationFailures, onError).
• Dependencies:
  • Add @microsoft/fetch-event-source for SSE support; wire new imports.

^{Written by Cursor Bugbot for commit 5f4179b. This will update automatically on new commits. Configure here.}

[micaelae]

@metamaskbot publish-preview

[cursor]

Bug: Remove Debugging Logs from Function

The fetchBridgeQuoteStream function contains several debug console.log and console.error statements. These appear to be temporary debugging code and should be removed.

Additional Locations (2)

• packages/bridge-controller/src/bridge-controller.ts#L748-L749
• packages/bridge-controller/src/bridge-controller.ts#L758-L759

 

[socket-security]

Caution

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		@microsoft/fetch-event-source@2.0.1 has Network access. Module: globalThis["fetch"] Location: Package overview From: packages/bridge-controller/package.json → npm/@microsoft/fetch-event-source@2.0.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@microsoft/fetch-event-source@2.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[micaelae]

@metamaskbot publish-preview

[micaelae]

@metamaskbot publish-preview

[github-actions]

Preview builds have been published. See these instructions for more information about preview builds.

Expand for full list of packages and versions.

{
  "@metamask-previews/account-tree-controller": "1.3.0-preview-5eac8e7",
  "@metamask-previews/accounts-controller": "33.1.0-preview-5eac8e7",
  "@metamask-previews/address-book-controller": "6.1.1-preview-5eac8e7",
  "@metamask-previews/announcement-controller": "7.0.3-preview-5eac8e7",
  "@metamask-previews/app-metadata-controller": "1.0.0-preview-5eac8e7",
  "@metamask-previews/approval-controller": "7.1.3-preview-5eac8e7",
  "@metamask-previews/assets-controllers": "77.0.2-preview-5eac8e7",
  "@metamask-previews/base-controller": "8.4.0-preview-5eac8e7",
  "@metamask-previews/bridge-controller": "47.2.0-preview-5eac8e7",
  "@metamask-previews/bridge-status-controller": "47.2.0-preview-5eac8e7",
  "@metamask-previews/build-utils": "3.0.3-preview-5eac8e7",
  "@metamask-previews/chain-agnostic-permission": "1.1.1-preview-5eac8e7",
  "@metamask-previews/composable-controller": "11.0.0-preview-5eac8e7",
  "@metamask-previews/controller-utils": "11.14.0-preview-5eac8e7",
  "@metamask-previews/delegation-controller": "0.7.0-preview-5eac8e7",
  "@metamask-previews/earn-controller": "8.0.0-preview-5eac8e7",
  "@metamask-previews/eip-5792-middleware": "1.2.0-preview-5eac8e7",
  "@metamask-previews/eip1193-permission-middleware": "1.0.0-preview-5eac8e7",
  "@metamask-previews/ens-controller": "17.0.1-preview-5eac8e7",
  "@metamask-previews/error-reporting-service": "2.1.0-preview-5eac8e7",
  "@metamask-previews/eth-json-rpc-provider": "5.0.0-preview-5eac8e7",
  "@metamask-previews/foundryup": "1.0.1-preview-5eac8e7",
  "@metamask-previews/gas-fee-controller": "24.0.0-preview-5eac8e7",
  "@metamask-previews/gator-permissions-controller": "0.2.0-preview-5eac8e7",
  "@metamask-previews/json-rpc-engine": "10.1.0-preview-5eac8e7",
  "@metamask-previews/json-rpc-middleware-stream": "8.0.7-preview-5eac8e7",
  "@metamask-previews/keyring-controller": "23.1.0-preview-5eac8e7",
  "@metamask-previews/logging-controller": "6.0.4-preview-5eac8e7",
  "@metamask-previews/message-manager": "13.0.0-preview-5eac8e7",
  "@metamask-previews/messenger": "0.3.0-preview-5eac8e7",
  "@metamask-previews/multichain-account-service": "1.4.0-preview-5eac8e7",
  "@metamask-previews/multichain-api-middleware": "1.2.0-preview-5eac8e7",
  "@metamask-previews/multichain-network-controller": "1.0.0-preview-5eac8e7",
  "@metamask-previews/multichain-transactions-controller": "5.0.0-preview-5eac8e7",
  "@metamask-previews/name-controller": "8.0.3-preview-5eac8e7",
  "@metamask-previews/network-controller": "24.2.0-preview-5eac8e7",
  "@metamask-previews/network-enablement-controller": "2.1.0-preview-5eac8e7",
  "@metamask-previews/notification-services-controller": "18.1.0-preview-5eac8e7",
  "@metamask-previews/permission-controller": "11.0.6-preview-5eac8e7",
  "@metamask-previews/permission-log-controller": "4.0.0-preview-5eac8e7",
  "@metamask-previews/phishing-controller": "14.0.0-preview-5eac8e7",
  "@metamask-previews/polling-controller": "14.0.0-preview-5eac8e7",
  "@metamask-previews/preferences-controller": "20.0.1-preview-5eac8e7",
  "@metamask-previews/profile-sync-controller": "25.1.0-preview-5eac8e7",
  "@metamask-previews/rate-limit-controller": "6.0.3-preview-5eac8e7",
  "@metamask-previews/remote-feature-flag-controller": "1.7.0-preview-5eac8e7",
  "@metamask-previews/sample-controllers": "2.0.0-preview-5eac8e7",
  "@metamask-previews/seedless-onboarding-controller": "4.0.0-preview-5eac8e7",
  "@metamask-previews/selected-network-controller": "24.0.0-preview-5eac8e7",
  "@metamask-previews/shield-controller": "0.2.0-preview-5eac8e7",
  "@metamask-previews/signature-controller": "34.0.0-preview-5eac8e7",
  "@metamask-previews/subscription-controller": "0.5.0-preview-5eac8e7",
  "@metamask-previews/token-search-discovery-controller": "3.3.0-preview-5eac8e7",
  "@metamask-previews/transaction-controller": "60.5.0-preview-5eac8e7",
  "@metamask-previews/user-operation-controller": "39.0.0-preview-5eac8e7"
}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​microsoft/​fetch-event-source@​2.0.1

View full report

[micaelae]

@SocketSecurity @microsoft/fetch-event-source@2.0.1