RMNRemote: curse admin management + legacy rmn removal [CCIP-10871] (#1991)

* Add failing tests

* feat: implement curse admin management and access control

* refactor: fix formatting of applyCurseAdminUpdates and isCurseAdmin functions

* refactor: remove legacy IRMN interface (isBlessed functionality) from RMNRemote contract

* fix: regenerating operations

* refactor: update comment

* refactor: update RMNRemote to use AuthorizedCallers and adjust constructor parameters

* refactor: simplify RMNRemote to remove blessing related and OCR related code

* refactor: replace IRMNRemote with IRMN in contracts and tests

* refactor: remove onlyOwnerOrCurseAdmin modifier and inline validation in curse function

* refactor: rename RMNRemote to RMN

* fix: go bindings after rename

* fix: go bindings after rename - missing generated

* fix: make sure only one contract per test. remove unused tests. rename rmnremot to rmn.

* refactor: update gas snapshot for RMNRemote tests after renaming and restructuring

* refactor: rename RMNRemote test files and update imports to RMNSetup

* review comments

* gas snapshot

* refactor: improve curse function to skip already-cursed subjects and optimize event emission

* feat: add RMN deployment changeset (#2008)

* feat: add RMN deployment changeset

* feat: add test

* chore: clean up

* feat: create new v2_1_0 directory and move rmn related code under it

* fix: old import

* feat: add rmn admin management changeset

* feat: add cursing/uncursing sequences and changesets

* feat: add curse adapter for v2_1_0

* chore: remove unused changeset

* feat: add chain-agnostic AuthorizedCallers adapter with EVM implementation (#2038)

* feat: add chain-agnostic AuthorizedCallers adapter with EVM implementation

Introduce a registry-backed AuthorizedCallers system mirroring the
existing fastcurse pattern:

- deployment/authorizedcallers: chain-agnostic interface, registry
  singleton, and ConfigureAuthorizedCallersChangeset
- chains/evm/deployment/v2_1_0/adapters: EVMAuthorizedCallersAdapter
  backed by injected per-contract generated ops so MCMS metadata
  (ContractType, ABI) is accurate per target contract
- init.go registers (EVM, RMN, v2.1.0); additional contracts follow
  the same NewEVMAuthorizedCallersAdapter pattern

* fix: tests

* chore: remove non-used changeset in favor of the authorized callers adaptor

* fix: bump to latest cl-ccip/deployment

* fix: bump to latest cl-ccip/deployment

Author: asoliman92

chains/evm/.gas-snapshot

@@ -2,7 +2,7 @@
 pragma solidity ^0.8.24;
 
 import {ICrossChainVerifierV1} from "../../interfaces/ICrossChainVerifierV1.sol";
-import {IRMNRemote} from "../../interfaces/IRMNRemote.sol";
+import {IRMN} from "../../interfaces/IRMN.sol";
 import {IRouter} from "../../interfaces/IRouter.sol";
 import {ITypeAndVersion} from "@chainlink/contracts/src/v0.8/shared/interfaces/ITypeAndVersion.sol";
 
@@ -60,7 +60,7 @@ abstract contract BaseVerifier is ICrossChainVerifierV1, ITypeAndVersion {
   }
 
   /// @dev The rmn contract.
-  IRMNRemote internal immutable i_rmn;
+  IRMN internal immutable i_rmn;
   /// @dev The version tag that this instance of the verifier supports. This could be used as a domain separator, but
   /// should never be the primary defense against signature replay attacks across different verifiers. The primary
   /// defense should be using non-overlapping signer sets for different verifiers, and the version tag should only be
@@ -93,7 +93,7 @@ abstract contract BaseVerifier is ICrossChainVerifierV1, ITypeAndVersion {
     if (_versionTag == bytes4(0)) revert VersionTagCannotBeZero();
     i_versionTag = _versionTag;
 
-    i_rmn = IRMNRemote(rmnAddress);
+    i_rmn = IRMN(rmnAddress);
   }
 
   /// @notice Updates the storage locations.

chains/evm/contracts/ccvs/components/BaseVerifier.sol

@@ -3,22 +3,17 @@ pragma solidity ^0.8.0;
 
 /// @notice This interface contains the only RMN-related functions that might be used on-chain by other CCIP contracts.
 interface IRMN {
-  /// @notice A Merkle root tagged with the address of the commit store contract it is destined for.
-  struct TaggedRoot {
-    address commitStore;
-    bytes32 root;
-  }
-
-  /// @notice Callers MUST NOT cache the return value as a blessed tagged root could become unblessed.
-  function isBlessed(
-    TaggedRoot calldata taggedRoot
-  ) external view returns (bool);
+  /// @notice gets the current set of cursed subjects.
+  /// @return subjects the list of cursed subjects.
+  function getCursedSubjects() external view returns (bytes16[] memory subjects);
 
   /// @notice Iff there is an active global or legacy curse, this function returns true.
+  /// @return bool true if there is an active global curse.
   function isCursed() external view returns (bool);
 
   /// @notice Iff there is an active global curse, or an active curse for `subject`, this function returns true.
   /// @param subject To check whether a particular chain is cursed, set to bytes16(uint128(chainSelector)).
+  /// @return bool true if the provided subject is cursed *or* if there is an active global curse.
   function isCursed(
     bytes16 subject
   ) external view returns (bool);

chains/evm/contracts/interfaces/IRMN.sol

@@ -7,7 +7,7 @@ import {ICrossChainVerifierResolver} from "../interfaces/ICrossChainVerifierReso
 import {ICrossChainVerifierV1} from "../interfaces/ICrossChainVerifierV1.sol";
 import {IPoolV1} from "../interfaces/IPool.sol";
 import {IPoolV2} from "../interfaces/IPoolV2.sol";
-import {IRMNRemote} from "../interfaces/IRMNRemote.sol";
+import {IRMN} from "../interfaces/IRMN.sol";
 import {IRouter} from "../interfaces/IRouter.sol";
 import {ITokenAdminRegistry} from "../interfaces/ITokenAdminRegistry.sol";
 import {ITypeAndVersion} from "@chainlink/contracts/src/v0.8/shared/interfaces/ITypeAndVersion.sol";
@@ -69,7 +69,7 @@ contract OffRamp is ITypeAndVersion, Ownable2StepMsgSender {
   struct StaticConfig {
     uint64 localChainSelector; // ──╮ Local chainSelector
     uint16 gasForCallExactCheck; // │ Gas for call exact check
-    IRMNRemote rmnRemote; // ───────╯ RMN Verification Contract
+    IRMN rmnRemote; // ───────╯ RMN Verification Contract
     address tokenAdminRegistry; // ───────╮ Token admin registry address
     uint32 maxGasBufferToUpdateState; // ─╯ Max Gas Buffer to Update State
   }
@@ -102,7 +102,7 @@ contract OffRamp is ITypeAndVersion, Ownable2StepMsgSender {
   /// @dev ChainSelector of this chain.
   uint64 internal immutable i_chainSelector;
   /// @dev The RMN verification contract.
-  IRMNRemote internal immutable i_rmnRemote;
+  IRMN internal immutable i_rmnRemote;
   /// @dev The address of the token admin registry.
   address internal immutable i_tokenAdminRegistry;
   /// @dev The minimum amount of gas to perform the call with exact gas.

chains/evm/contracts/interfaces/IRMNRemote.sol

@@ -8,7 +8,7 @@ import {IExecutor} from "../interfaces/IExecutor.sol";
 import {IFeeQuoter} from "../interfaces/IFeeQuoter.sol";
 import {IPoolV1} from "../interfaces/IPool.sol";
 import {IPoolV2} from "../interfaces/IPoolV2.sol";
-import {IRMNRemote} from "../interfaces/IRMNRemote.sol";
+import {IRMN} from "../interfaces/IRMN.sol";
 import {IRouter} from "../interfaces/IRouter.sol";
 import {ITokenAdminRegistry} from "../interfaces/ITokenAdminRegistry.sol";
 import {ITypeAndVersion} from "@chainlink/contracts/src/v0.8/shared/interfaces/ITypeAndVersion.sol";
@@ -78,7 +78,7 @@ contract OnRamp is IEVM2AnyOnRampClient, ITypeAndVersion, Ownable2StepMsgSender
   // solhint-disable-next-line gas-struct-packing
   struct StaticConfig {
     uint64 chainSelector; // ─────────╮ Local chain selector.
-    IRMNRemote rmnRemote; //          │ RMN remote address.
+    IRMN rmnRemote; //          │ RMN remote address.
     uint32 maxUSDCentsPerMessage; // ─╯ Maximum USD cent value per message.
     address tokenAdminRegistry; // Token admin registry address.
   }
@@ -150,7 +150,7 @@ contract OnRamp is IEVM2AnyOnRampClient, ITypeAndVersion, Ownable2StepMsgSender
   /// @dev The chain ID of the source chain that this contract is deployed to.
   uint64 private immutable i_localChainSelector;
   /// @dev The rmn contract.
-  IRMNRemote private immutable i_rmnRemote;
+  IRMN private immutable i_rmnRemote;
   /// @dev The address of the token admin registry.
   address private immutable i_tokenAdminRegistry;
   /// @dev The maximum USD cent value per message. Used to reduce impact of potential misconfigurations.

chains/evm/contracts/offRamp/OffRamp.sol

@@ -0,0 +1,124 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.24;
+
+import {IRMN} from "../interfaces/IRMN.sol";
+import {ITypeAndVersion} from "@chainlink/contracts/src/v0.8/shared/interfaces/ITypeAndVersion.sol";
+
+import {AuthorizedCallers} from "@chainlink/contracts/src/v0.8/shared/access/AuthorizedCallers.sol";
+import {EnumerableSet} from "@chainlink/contracts/src/v0.8/shared/enumerable/EnumerableSetWithBytes16.sol";
+
+/// @dev An active curse on this subject will cause isCursed() and isCursed(bytes16) to return true. Use this subject
+/// for issues affecting all of CCIP chains, or pertaining to the chain that this contract is deployed on, instead of
+/// using the local chain selector as a subject.
+bytes16 constant GLOBAL_CURSE_SUBJECT = 0x01000000000000000000000000000001;
+
+/// @notice This contract supports cursing and uncursing of chains.
+contract RMN is AuthorizedCallers, ITypeAndVersion, IRMN {
+  using EnumerableSet for EnumerableSet.Bytes16Set;
+
+  error NotCursed(bytes16 subject);
+
+  event Cursed(bytes16[] subjects);
+  event Uncursed(bytes16[] subjects);
+
+  string public constant override typeAndVersion = "RMN 2.1.0";
+
+  EnumerableSet.Bytes16Set private s_cursedSubjects;
+
+  /// @param curseAdmins initial set of addresses authorized to call curse.
+  constructor(
+    address[] memory curseAdmins
+  ) AuthorizedCallers(curseAdmins) {}
+
+  // ================================================================
+  // │                           Cursing                            │
+  // ================================================================
+
+  /// @notice Curse a single subject.
+  /// @param subject The subject to curse.
+  function curse(
+    bytes16 subject
+  ) external {
+    bytes16[] memory subjects = new bytes16[](1);
+    subjects[0] = subject;
+    curse(subjects);
+  }
+
+  /// @notice Curse an array of subjects. Already-cursed subjects (including duplicates within the array) are silently
+  /// skipped so that a single redundant entry does not block the remaining subjects from being cursed.
+  /// @param subjects the subjects to curse.
+  function curse(
+    bytes16[] memory subjects
+  ) public {
+    // Allow both the owner and authorized callers to curse subjects.
+    // Skip validation for the owner; validate authorization for others.
+    if (msg.sender != owner()) {
+      _validateCaller();
+    }
+    // Pre-allocate scratch space equal to the input length; track how many were actually new.
+    bytes16[] memory newSubjects = new bytes16[](subjects.length);
+    uint256 count = 0;
+    for (uint256 i = 0; i < subjects.length; ++i) {
+      if (s_cursedSubjects.add(subjects[i])) {
+        newSubjects[count++] = subjects[i];
+      }
+    }
+    if (count == 0) return;
+    // Truncate the memory array to the number of newly cursed subjects before emitting
+    assembly {
+      mstore(newSubjects, count)
+    }
+    emit Cursed(newSubjects);
+  }
+
+  /// @notice Uncurse a single subject.
+  /// @param subject the subject to uncurse.
+  function uncurse(
+    bytes16 subject
+  ) external {
+    bytes16[] memory subjects = new bytes16[](1);
+    subjects[0] = subject;
+    uncurse(subjects);
+  }
+
+  /// @notice Uncurse an array of subjects.
+  /// @param subjects the subjects to uncurse.
+  /// @dev reverts if any of the subjects are not cursed or if there is a duplicate.
+  function uncurse(
+    bytes16[] memory subjects
+  ) public onlyOwner {
+    for (uint256 i = 0; i < subjects.length; ++i) {
+      if (!s_cursedSubjects.remove(subjects[i])) {
+        revert NotCursed(subjects[i]);
+      }
+    }
+    emit Uncursed(subjects);
+  }
+
+  /// @inheritdoc IRMN
+  function getCursedSubjects() external view returns (bytes16[] memory subjects) {
+    return s_cursedSubjects.values();
+  }
+
+  /// @inheritdoc IRMN
+  function isCursed() external view override returns (bool) {
+    // There are zero curses under normal circumstances, which means it's cheaper to check for the absence of curses.
+    // than to check the subject list for the global curse subject.
+    if (s_cursedSubjects.length() == 0) {
+      return false;
+    }
+    return s_cursedSubjects.contains(GLOBAL_CURSE_SUBJECT);
+  }
+
+  /// @inheritdoc IRMN
+  function isCursed(
+    bytes16 subject
+  ) external view override returns (bool) {
+    // There are zero curses under normal circumstances, which means it's cheaper to check for the absence of curses.
+    // than to check the subject list twice, as we have to check for both the given and global curse subjects.
+    if (s_cursedSubjects.length() == 0) {
+      return false;
+    }
+    return s_cursedSubjects.contains(subject) || s_cursedSubjects.contains(GLOBAL_CURSE_SUBJECT);
+  }
+}