feat: add decoding rules for erc20-token-allowance and native-token-allowance#8553

Merged
jeffsmale90 merged 10 commits into main from feat/allowance-permissions
May 3, 2026

@jeffsmale90 jeffsmale90 commented Apr 23, 2026

Explanation

Adds Advanced Permission type decoding rules for new permission types:

  • erc20-token-allowance - grants a fixed allowance of a specified ERC20 token
  • native-token-allowance - grants a fixed allowance of the native token

Previous to this change, the decoding logic required a single permission type to match the caveat types included in the delegation. Because these new permissions use the same caveats as the periodic permission types, the decoding logic is updated to filter permission types where the rules match, and require a single matching permission type to successfully validate and decode. erc20-token-periodic and native-token-periodic rules were updated to require periodDuration be less than the maximum allowed by the snap (10 years).

References

Checklist

  • I've updated the test suite for new or updated code as appropriate
  • I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
  • I've communicated my changes to consumers by updating changelogs for packages I've changed
  • I've introduced breaking changes in this PR and have prepared draft pull requests for clients and consumer packages to resolve them

Note

Medium Risk
Updates permission-type identification to handle multiple candidate rules sharing the same enforcer set, which can change how delegations are classified and surfaced to the UI. While well-covered by new unit tests, decoding/validation logic changes can impact permission interpretation across supported chains.

Overview
Adds decoding support for new advanced permission types native-token-allowance and erc20-token-allowance, including strict term validation/decoding (e.g., UINT256_MAX period duration, non-zero amounts, positive start times) and corresponding test coverage.

Refactors permission-type selection during decodePermissionFromPermissionContextForOrigin to first gather all rules matching the caveat enforcer addresses and then disambiguate by validating caveat terms via selectUniqueRuleAndDecodedPermission, with clearer error cases for no match, no valid candidate, or ambiguous validation.

Tightens decoding constraints for existing native-token-periodic/erc20-token-periodic by enforcing periodDuration <= MAX_PERIOD_DURATION (10 years) and bumps @metamask/7715-permission-types to ^0.6.0.

Reviewed by Cursor Bugbot for commit a9868cb. Bugbot is set up for automated code reviews on this repo. Configure here.
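
The two-stage selection described in this pull request (gather every rule whose enforcer set matches, then require exactly one to pass term validation) can be sketched as follows. This is an added example, not code from the PR or from the MetaMask code base: the rule table, the placeholder enforcer address, the three-word term layout, the seconds unit and the names `identifyPermission` and `classify` are all assumptions made for illustration.

```typescript
// Added example: rule table, enforcer address and term layout are hypothetical.
type Caveat = { enforcer: string; terms: string };
type Terms = { amount: bigint; periodDuration: bigint; startTime: bigint };
type Rule = { type: string; enforcers: string[]; validate: (t: Terms) => boolean };

const UINT256_MAX = (1n << 256n) - 1n;
const MAX_PERIOD_DURATION = 10n * 365n * 24n * 60n * 60n; // 10 years, assumed to be in seconds
const PERIOD_ENFORCER = "0x" + "11".repeat(20); // placeholder, not a deployed contract

// Both rules share one enforcer set, so only the terms can tell them apart.
const RULES: Rule[] = [
  { type: "native-token-periodic", enforcers: [PERIOD_ENFORCER],
    validate: (t) => t.periodDuration <= MAX_PERIOD_DURATION },
  { type: "native-token-allowance", enforcers: [PERIOD_ENFORCER],
    validate: (t) => t.periodDuration === UINT256_MAX && t.amount > 0n && t.startTime > 0n },
];

// Assumed layout: three 32-byte big-endian words (amount, periodDuration, startTime).
function encodeTerms(t: Terms): string {
  const word = (v: bigint) => v.toString(16).padStart(64, "0");
  return "0x" + word(t.amount) + word(t.periodDuration) + word(t.startTime);
}

function decodeTerms(terms: string): Terms | null {
  const hex = terms.replace(/^0x/, "");
  if (!/^[0-9a-fA-F]{192}$/.test(hex)) return null; // wrong length or non-hex
  const word = (i: number) => BigInt("0x" + hex.slice(i * 64, (i + 1) * 64));
  return { amount: word(0), periodDuration: word(1), startTime: word(2) };
}

const key = (addrs: string[]) => addrs.map((a) => a.toLowerCase()).sort().join(",");

function identifyPermission(caveats: Caveat[]): { type: string } & Terms {
  // Stage 1: every rule whose enforcer set equals the delegation's enforcer set.
  const candidates = RULES.filter((r) => key(r.enforcers) === key(caveats.map((c) => c.enforcer)));
  if (candidates.length === 0) throw new Error("no rule matches the caveat enforcers");
  // Stage 2: keep only candidates whose term validation passes.
  const terms = decodeTerms(caveats[0].terms);
  const valid = terms ? candidates.filter((r) => r.validate(terms)) : [];
  if (!terms || valid.length === 0) throw new Error("no candidate rule accepts the caveat terms");
  if (valid.length > 1) throw new Error("ambiguous: several rules accept the caveat terms");
  return { type: valid[0].type, ...terms };
}

// Returns the permission type, or the rejection reason for display.
function classify(caveats: Caveat[]): string {
  try { return identifyPermission(caveats).type; }
  catch (e) { return "rejected: " + (e as Error).message; }
}
```

Because the periodic rule caps `periodDuration` at 10 years and the allowance rule demands `UINT256_MAX`, the two validators accept disjoint term ranges, so a delegation in the gap between them is rejected rather than guessed at.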

@jeffsmale90 jeffsmale90 requested a review from a team as a code owner April 23, 2026 04:39
@jeffsmale90 jeffsmale90 requested a review from a team as a code owner April 23, 2026 04:40
@jeffsmale90 jeffsmale90 changed the title Feat/allowance permissions feat: add decoding rules for erc20-token-allowance and native-token-allowance Apr 23, 2026
@jeffsmale90 jeffsmale90 marked this pull request as draft April 23, 2026 04:41
socket-security Bot commented Apr 23, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Updated | @metamask/7715-permission-types@0.5.0 ⏵ 0.6.0 | 100 | 100 | 72 +1 | 91 +1 | 100 |

@jeffsmale90 jeffsmale90 force-pushed the feat/allowance-permissions branch from 82e535e to ad34e77 Compare April 23, 2026 22:54
@jeffsmale90 jeffsmale90 marked this pull request as ready for review April 23, 2026 22:54
@jeffsmale90 jeffsmale90 marked this pull request as draft April 29, 2026 01:37
@jeffsmale90 jeffsmale90 force-pushed the feat/allowance-permissions branch from c633a82 to fe6301c Compare April 30, 2026 21:58
@jeffsmale90 jeffsmale90 marked this pull request as ready for review April 30, 2026 22:01
@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 925b27f. Configure here.

@jeffsmale90 jeffsmale90 force-pushed the feat/allowance-permissions branch from 8d4e794 to a9868cb Compare April 30, 2026 23:14
@jeffsmale90 jeffsmale90 added this pull request to the merge queue May 3, 2026
Merged via the queue into main with commit 2570a55 May 3, 2026
366 checks passed
@jeffsmale90 jeffsmale90 deleted the feat/allowance-permissions branch May 3, 2026 20:00