refactor(llm-workflow): remove mockttp-based MockServerCapability

[cryptotavares]

Description

Removes the MetaMaskMockServerCapability from the LLM workflow system (test/e2e/playwright/llm-workflow/). Network mocking is now handled by Playwright route interception via the mm mock-network CLI command, which is session-scoped and supports both page and service-worker contexts.

What changed:

• Deleted mock-server.ts and mock-server.test.ts (277 lines removed)
• Removed mockServer options from CreateMetaMaskContextOptions and the factory
• Removed mock port allocation from the daemon (3 → 2 ports: anvil + fixture)
• Removed mock server start/stop/rollback from MetaMaskSessionManager
• Removed proxyServer wiring to the browser launcher
• Removed MockServerCapability import from @metamask/client-mcp-core
• Updated all affected tests to remove mock server references
• Documented known limitation: pre-launch mocking is not yet supported

Changelog

CHANGELOG entry: null

Related issues

Manual testing steps

1. Run yarn test:unit test/e2e/playwright/llm-workflow/ — all tests pass
2. Run mm launch — session starts without mock server port allocation
3. Run mm mock-network add '{"id":"test","method":"GET","url":"https://example.com/**","response":{"json":{"ok":true}}}' — Playwright route mock is active
4. Run mm cleanup — clean shutdown without mock server teardown errors

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Extension Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​metamask/​client-mcp-core@​0.4.0 ⏵ 0.5.0	+1		+1	+1

View full report

[socket-security]

Warning

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Potential code anomaly (AI signal): npm @metamask/client-mcp-core is 64.0% likely to have a medium risk anomaly Notes: This module itself shows no direct indicators of overt malware (no remote exfiltration, no obfuscated payloads, no eval-based code execution). However, it has a significant security trust boundary: it starts an automation daemon by spawning executables resolved from the target project’s configuration (including project-local node_modules/.bin launchers) and then forwards high-privilege automation instructions (clipboard, navigation, CDP, run-steps JSON) to that daemon. If an attacker can influence the chosen worktree/config/daemon state, the risk is elevated to a potential supply-chain/abuse scenario and should be reviewed/mitigated (e.g., restrict project targeting, validate config/daemon paths, and ensure daemon state integrity). Confidence: 0.64 Severity: 0.66 From: package.json → npm/@metamask/client-mcp-core@0.5.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/client-mcp-core@0.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report