MetaMask · jeffsmale90 · Apr 23, 2026 · Apr 23, 2026 · Apr 23, 2026 · Apr 23, 2026
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- New decoding rules for `native-token-allowance` and `erc20-token-allowance` ([#8553](https://github.com/MetaMask/core/pull/8553))
+
 ### Changed
 
 - Bump `@metamask/transaction-controller` from `^64.2.0` to `^64.3.0` ([#8482](https://github.com/MetaMask/core/pull/8482))

@@ -53,7 +53,7 @@
     "test:watch": "NODE_OPTIONS=--experimental-vm-modules jest --watch"
   },
   "dependencies": {
-    "@metamask/7715-permission-types": "^0.5.0",
+    "@metamask/7715-permission-types": "^0.6.0",
     "@metamask/abi-utils": "^2.0.3",
     "@metamask/base-controller": "^9.1.0",
     "@metamask/delegation-core": "^0.2.0",

@@ -47,7 +47,9 @@ export type GatorPermissionsControllerInitializeAction = {
  *
  * @returns A decoded permission object suitable for UI consumption and follow-up actions.
  * @throws If the origin is not allowed, the context cannot be decoded into exactly one delegation,
- * or the enforcers/terms do not match a supported permission type.
+ * the enforcers do not match any supported permission type, no candidate type validates
+ * the caveat terms, or more than one permission type successfully validates
+ * (ambiguous delegation).
  */
 export type GatorPermissionsControllerDecodePermissionFromPermissionContextForOriginAction =
   {

@@ -31,8 +31,9 @@ import { DELEGATION_FRAMEWORK_VERSION } from './constants';
 import type { DecodedPermission } from './decodePermission';
 import {
   createPermissionRulesForContracts,
-  findRuleWithMatchingCaveatAddresses,
+  findRulesWithMatchingCaveatAddresses,
   reconstructDecodedPermission,
+  selectUniqueRuleAndDecodedPermission,
 } from './decodePermission';
 import {
   GatorPermissionsFetchError,
@@ -561,7 +562,9 @@ export class GatorPermissionsController extends BaseController<
    *
    * @returns A decoded permission object suitable for UI consumption and follow-up actions.
    * @throws If the origin is not allowed, the context cannot be decoded into exactly one delegation,
-   * or the enforcers/terms do not match a supported permission type.
+   * the enforcers do not match any supported permission type, no candidate type validates
+   * the caveat terms, or more than one permission type successfully validates
+   * (ambiguous delegation).
    */
   public decodePermissionFromPermissionContextForOrigin({
     origin,
@@ -591,24 +594,21 @@ export class GatorPermissionsController extends BaseController<
       const enforcers = caveats.map((caveat) => caveat.enforcer);
       const permissionRules = createPermissionRulesForContracts(contracts);
 
-      // find the single rule where the specified enforcers contain all the required enforcers
-      // and no forbidden enforcers
-      const matchingRule = findRuleWithMatchingCaveatAddresses({
+      // Every rule where enforcer addresses match; multiple types may share the same
+      // caveat pattern and are disambiguated by validateAndDecodePermission.
+      const matchingRules = findRulesWithMatchingCaveatAddresses({
         enforcers,
         permissionRules,
       });
 
-      // validate the terms of each caveat against the matching rule, returning the decoded result
-      // this happens in a single function, as decoding is an inherent part of validation.
-      const decodeResult = matchingRule.validateAndDecodePermission(caveats);
-
-      if (!decodeResult.isValid) {
-        throw new PermissionDecodingError({
-          cause: decodeResult.error,
-        });
-      }
-
-      const { expiry, data } = decodeResult;
+      const {
+        rule: matchingRule,
+        expiry,
+        data,
+      } = selectUniqueRuleAndDecodedPermission({
+        candidateRules: matchingRules,
+        caveats,
+      });
 
       const permission = reconstructDecodedPermission({
         chainId,