chore: bump @metamask/{keyring,seedless-onboarding}-controller (#37454)

<!--
Please submit this PR as a draft initially.
Do not mark it as "Ready for review" until the template has been
completely filled out, and PR status checks have passed at least once.
-->
Depends on MetaMask/core#7128

## **Description**

<!--
Write a short description of the changes included in this pull request,
also include relevant motivation and context. Have in mind the following
questions:
1. What is the reason for the change?
2. What is the improvement/solution?
-->
Bumping `keyring-controller` and `seedless-onboarding-controller` to
pick up the latest changes. `@metamask/browser-passworder` is also being
bumped to `^6.0.0`, and the encryptor factory has been adjusted to
include `keyFromPassword`, `generateSalt` and `exportKey` as they are
required by `KeyringController`.


[![Open in GitHub
Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/MetaMask/metamask-extension/pull/37454?quickstart=1)

## **Changelog**

<!--
If this PR is not End-User-Facing and should not show up in the
CHANGELOG, you can choose to either:
1. Write `CHANGELOG entry: null`
2. Label with `no-changelog`

If this PR is End-User-Facing, please write a short User-Facing
description in the past tense like:
`CHANGELOG entry: Added a new tab for users to see their NFTs`
`CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker`

(This helps the Release Engineer do their job more quickly and
accurately)
-->

CHANGELOG entry: null

## **Related issues**

Fixes:

## **Manual testing steps**

1. Go to this page...
2.
3.

## **Screenshots/Recordings**

<!-- If applicable, add screenshots and/or recordings to visualize the
before and after of your change. -->

### **Before**

<!-- [screenshots/recordings] -->

### **After**

<!-- [screenshots/recordings] -->

## **Pre-merge author checklist**

- [ ] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask
Extension Coding
Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [ ] I've completed the PR template to the best of my ability
- [ ] I’ve included tests if applicable
- [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [ ] I’ve applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Upgrades keyring, seedless onboarding, and passworder deps and updates
controller init, types, tests, and policies to the new encryptor API
(removes `cacheEncryptionKey`).
> 
> - **Dependencies**:
> - Bump `@metamask/keyring-controller` to `^25.0.0`,
`@metamask/seedless-onboarding-controller` to `^7.0.0`, and
`@metamask/browser-passworder` to `^6.0.0`.
> - **Controller Init**:
> - `keyring-controller-init`: remove `cacheEncryptionKey` when
constructing `KeyringController`.
> - `seedless-onboarding-controller-init`: use
`SeedlessOnboardingController<CryptoKey | EncryptionKey>` and pass
`encryptor` directly (drop custom wrapper).
> - **Types**:
> - Change `encryptor` type from optional `ExportableKeyEncryptor` to
required `Encryptor` in `controller-init/types`.
> - **Tests/Mocks**:
> - Update expectations for encryptor methods (`encryptWithKey`,
`isVaultUpdated`, `exportKey`, `generateSalt`, `keyFromPassword`).
> - Adjust mock encryptor to implement `importKey` returning parsed key
and new `exportKey`.
>   - Remove `cacheEncryptionKey` from test expectation.
> - **Security Policy**:
> - Update LavaMoat policies to reflect `browser-passworder` changes
(remove nested package allowances, adjust to `@metamask/utils`).
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
3733c29. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: MetaMask Bot <[email protected]>

Author: mikesposito

app/scripts/controller-init/keyring-controller-init.test.ts

@@ -65,7 +65,6 @@ describe('KeyringControllerInit', () => {
     expect(controllerMock).toHaveBeenCalledWith({
       messenger: expect.any(Object),
       state: undefined,
-      cacheEncryptionKey: true,
       encryptor: expect.any(Object),
       keyringBuilders: expect.any(Array),
     });

app/scripts/controller-init/keyring-controller-init.ts

@@ -109,11 +109,9 @@ export const KeyringControllerInit: ControllerInitFunction<
   additionalKeyrings.push(snapKeyringBuilder);
   ///: END:ONLY_INCLUDE_IF
 
-  // @ts-expect-error: The types for the encryptor are not correct.
   const controller = new KeyringController({
     state: persistedState.KeyringController,
     messenger: controllerMessenger,
-    cacheEncryptionKey: true,
     keyringBuilders: additionalKeyrings,
     encryptor: encryptor || encryptorFactory(600_000),
   });

app/scripts/controller-init/seedless-onboarding/seedless-onboarding-controller-init.test.ts

@@ -71,7 +71,12 @@ describe('SeedlessOnboardingControllerInit', () => {
         decryptWithKey: expect.any(Function),
         encrypt: expect.any(Function),
         encryptWithDetail: expect.any(Function),
+        encryptWithKey: expect.any(Function),
+        isVaultUpdated: expect.any(Function),
         importKey: expect.any(Function),
+        exportKey: expect.any(Function),
+        generateSalt: expect.any(Function),
+        keyFromPassword: expect.any(Function),
       },
       passwordOutdatedCacheTTL: expect.any(Number),
       refreshJWTToken: expect.any(Function),

app/scripts/controller-init/seedless-onboarding/seedless-onboarding-controller-init.ts

@@ -3,7 +3,7 @@ import {
   SeedlessOnboardingControllerMessenger,
   Web3AuthNetwork,
 } from '@metamask/seedless-onboarding-controller';
-import { EncryptionKey, EncryptionResult } from '@metamask/browser-passworder';
+import { EncryptionKey } from '@metamask/browser-passworder';
 import { ControllerInitFunction } from '../types';
 import { encryptorFactory } from '../../lib/encryptor-factory';
 import { isDevOrTestBuild } from '../../services/oauth/config';
@@ -24,7 +24,9 @@ export const SeedlessOnboardingControllerInit: ControllerInitFunction<
 
   const network = loadWeb3AuthNetwork();
 
-  const controller = new SeedlessOnboardingController({
+  const controller = new SeedlessOnboardingController<
+    CryptoKey | EncryptionKey
+  >({
     messenger: controllerMessenger,
     state: persistedState.SeedlessOnboardingController,
     network,
@@ -41,24 +43,7 @@ export const SeedlessOnboardingControllerInit: ControllerInitFunction<
     renewRefreshToken: (...args) =>
       initMessenger.call('OAuthService:renewRefreshToken', ...args),
 
-    encryptor: {
-      decrypt: (key, encryptedData) => encryptor.decrypt(key, encryptedData),
-      decryptWithDetail: (key, encryptedData) =>
-        encryptor.decryptWithDetail(key, encryptedData),
-      decryptWithKey(key, encryptedData) {
-        let payload: EncryptionResult;
-        if (typeof encryptedData === 'string') {
-          payload = JSON.parse(encryptedData);
-        } else {
-          payload = encryptedData;
-        }
-
-        return encryptor.decryptWithKey(key as EncryptionKey, payload);
-      },
-      encrypt: (key, data) => encryptor.encrypt(key, data),
-      encryptWithDetail: (key, data) => encryptor.encryptWithDetail(key, data),
-      importKey: (key) => encryptor.importKey(key),
-    },
+    encryptor,
   });
 
   return {

app/scripts/controller-init/types.ts

@@ -7,7 +7,7 @@ import { Duplex } from 'readable-stream';
 import { SubjectType } from '@metamask/permission-controller';
 import { PreinstalledSnap } from '@metamask/snaps-controllers';
 import { Browser } from 'webextension-polyfill';
-import { ExportableKeyEncryptor } from '@metamask/keyring-controller';
+import { Encryptor } from '@metamask/keyring-controller';
 import { KeyringClass } from '@metamask/keyring-utils';
 import { QrKeyringScannerBridge } from '@metamask/eth-qr-keyring';
 import type { TransactionMetricsRequest } from '../../../shared/types';
@@ -83,7 +83,7 @@ export type ControllerInitRequest<
    * An instance of an encryptor to use for encrypting and decrypting
    * sensitive data.
    */
-  encryptor?: ExportableKeyEncryptor;
+  encryptor: Encryptor;
 
   /**
    * The extension browser API.

lavamoat/browserify/beta/policy.json

@@ -978,7 +978,7 @@
         "crypto.subtle.importKey": true
       },
       "packages": {
-        "@metamask/browser-passworder>@metamask/utils": true,
+        "@metamask/utils": true,
         "browserify>buffer": true
       }
     },
@@ -1496,7 +1496,6 @@
       "packages": {
         "@ethereumjs/tx>@ethereumjs/util": true,
         "@metamask/base-controller": true,
-        "@metamask/browser-passworder": true,
         "@metamask/keyring-controller>@metamask/eth-hd-keyring": true,
         "@metamask/eth-sig-util": true,
         "@metamask/keyring-controller>@metamask/eth-simple-keyring": true,
@@ -2450,21 +2449,6 @@
         "semver": true
       }
     },
-    "@metamask/browser-passworder>@metamask/utils": {
-      "globals": {
-        "TextDecoder": true,
-        "TextEncoder": true
-      },
-      "packages": {
-        "@metamask/superstruct": true,
-        "@noble/hashes": true,
-        "@scure/base": true,
-        "browserify>buffer": true,
-        "nock>debug": true,
-        "@metamask/utils>pony-cause": true,
-        "semver": true
-      }
-    },
     "@ngraveio/bc-ur": {
       "packages": {
         "@ngraveio/bc-ur>@keystonehq/alias-sampling": true,

lavamoat/browserify/experimental/policy.json

@@ -978,7 +978,7 @@
         "crypto.subtle.importKey": true
       },
       "packages": {
-        "@metamask/browser-passworder>@metamask/utils": true,
+        "@metamask/utils": true,
         "browserify>buffer": true
       }
     },
@@ -1496,7 +1496,6 @@
       "packages": {
         "@ethereumjs/tx>@ethereumjs/util": true,
         "@metamask/base-controller": true,
-        "@metamask/browser-passworder": true,
         "@metamask/keyring-controller>@metamask/eth-hd-keyring": true,
         "@metamask/eth-sig-util": true,
         "@metamask/keyring-controller>@metamask/eth-simple-keyring": true,
@@ -2450,21 +2449,6 @@
         "semver": true
       }
     },
-    "@metamask/browser-passworder>@metamask/utils": {
-      "globals": {
-        "TextDecoder": true,
-        "TextEncoder": true
-      },
-      "packages": {
-        "@metamask/superstruct": true,
-        "@noble/hashes": true,
-        "@scure/base": true,
-        "browserify>buffer": true,
-        "nock>debug": true,
-        "@metamask/utils>pony-cause": true,
-        "semver": true
-      }
-    },
     "@ngraveio/bc-ur": {
       "packages": {
         "@ngraveio/bc-ur>@keystonehq/alias-sampling": true,

lavamoat/browserify/flask/policy.json

@@ -978,7 +978,7 @@
         "crypto.subtle.importKey": true
       },
       "packages": {
-        "@metamask/browser-passworder>@metamask/utils": true,
+        "@metamask/utils": true,
         "browserify>buffer": true
       }
     },
@@ -1496,7 +1496,6 @@
       "packages": {
         "@ethereumjs/tx>@ethereumjs/util": true,
         "@metamask/base-controller": true,
-        "@metamask/browser-passworder": true,
         "@metamask/keyring-controller>@metamask/eth-hd-keyring": true,
         "@metamask/eth-sig-util": true,
         "@metamask/keyring-controller>@metamask/eth-simple-keyring": true,
@@ -2450,21 +2449,6 @@
         "semver": true
       }
     },
-    "@metamask/browser-passworder>@metamask/utils": {
-      "globals": {
-        "TextDecoder": true,
-        "TextEncoder": true
-      },
-      "packages": {
-        "@metamask/superstruct": true,
-        "@noble/hashes": true,
-        "@scure/base": true,
-        "browserify>buffer": true,
-        "nock>debug": true,
-        "@metamask/utils>pony-cause": true,
-        "semver": true
-      }
-    },
     "@ngraveio/bc-ur": {
       "packages": {
         "@ngraveio/bc-ur>@keystonehq/alias-sampling": true,

lavamoat/browserify/main/policy.json

@@ -978,7 +978,7 @@
         "crypto.subtle.importKey": true
       },
       "packages": {
-        "@metamask/browser-passworder>@metamask/utils": true,
+        "@metamask/utils": true,
         "browserify>buffer": true
       }
     },
@@ -1496,7 +1496,6 @@
       "packages": {
         "@ethereumjs/tx>@ethereumjs/util": true,
         "@metamask/base-controller": true,
-        "@metamask/browser-passworder": true,
         "@metamask/keyring-controller>@metamask/eth-hd-keyring": true,
         "@metamask/eth-sig-util": true,
         "@metamask/keyring-controller>@metamask/eth-simple-keyring": true,
@@ -2450,21 +2449,6 @@
         "semver": true
       }
     },
-    "@metamask/browser-passworder>@metamask/utils": {
-      "globals": {
-        "TextDecoder": true,
-        "TextEncoder": true
-      },
-      "packages": {
-        "@metamask/superstruct": true,
-        "@noble/hashes": true,
-        "@scure/base": true,
-        "browserify>buffer": true,
-        "nock>debug": true,
-        "@metamask/utils>pony-cause": true,
-        "semver": true
-      }
-    },
     "@ngraveio/bc-ur": {
       "packages": {
         "@ngraveio/bc-ur>@keystonehq/alias-sampling": true,

lavamoat/webpack/mv2/policy.json

@@ -982,7 +982,7 @@
         "crypto.subtle.importKey": true
       },
       "packages": {
-        "@metamask/browser-passworder>@metamask/utils": true,
+        "@metamask/utils": true,
         "buffer": true
       }
     },
@@ -1484,7 +1484,6 @@
       "packages": {
         "@ethereumjs/tx>@ethereumjs/util": true,
         "@metamask/base-controller": true,
-        "@metamask/browser-passworder": true,
         "@metamask/keyring-controller>@metamask/eth-hd-keyring": true,
         "@metamask/eth-sig-util": true,
         "@metamask/keyring-controller>@metamask/eth-simple-keyring": true,
@@ -2307,22 +2306,6 @@
         "semver": true
       }
     },
-    "@metamask/browser-passworder>@metamask/utils": {
-      "globals": {
-        "Buffer": true,
-        "TextDecoder": true,
-        "TextEncoder": true
-      },
-      "packages": {
-        "@metamask/superstruct": true,
-        "@noble/hashes": true,
-        "@scure/base": true,
-        "buffer": true,
-        "nock>debug": true,
-        "@metamask/utils>pony-cause": true,
-        "semver": true
-      }
-    },
     "@ngraveio/bc-ur": {
       "globals": {
         "Buffer.alloc": true,