Merge branch 'main' into rtinianov_teeWorkflows

Author: nolag

go.mod

@@ -49,7 +49,7 @@ require (
 	github.com/smartcontractkit/chainlink-protos/linking-service/go v0.0.0-20251002192024-d2ad9222409b
 	github.com/smartcontractkit/chainlink-protos/node-platform v0.0.0-20260205130626-db2a2aab956b
 	github.com/smartcontractkit/chainlink-protos/storage-service v0.3.0
-	github.com/smartcontractkit/chainlink-protos/workflows/go v0.0.0-20260323124644-faea187e6997
+	github.com/smartcontractkit/chainlink-protos/workflows/go v0.0.0-20260528173149-f5b8336b19d9
 	github.com/smartcontractkit/freeport v0.1.3-0.20250716200817-cb5dfd0e369e
 	github.com/smartcontractkit/grpc-proxy v0.0.0-20240830132753-a7e17fec5ab7
 	github.com/smartcontractkit/libocr v0.0.0-20250912173940-f3ab0246e23d

go.sum

@@ -50,6 +50,7 @@ flowchart
         GatewayHTTPPerNodeRate[\GatewayHTTPPerNodeRate/]:::rate
         GatewayConfidentialRelayGlobalRate[\GatewayConfidentialRelayGlobalRate/]:::rate
         GatewayConfidentialRelayPerNodeRate[\GatewayConfidentialRelayPerNodeRate/]:::rate
+        GatewayHTTPActionMtlsRequestRate[\GatewayHTTPActionMtlsRequestRate/]:::rate
     end
 %%    TODO unused
 %%    PerOrg.ZeroBalancePruningTimeout
@@ -216,6 +217,9 @@ flowchart
         subgraph PerWorkflow.Secrets
             PerWorkflow.Secrets.CallLimit{{CallLimit}}:::bound
         end
+        subgraph PerOrg.HTTPAction
+            PerOrg.HTTPAction.MtlsRateLimit{{PerOrg.HTTPAction.MtlsRateLimit}}:::bound
+        end
     end
     subgraph vault
         VaultCiphertextSizeLimit{{VaultCiphertextSizeLimit}}:::bound

pkg/settings/cresettings/README.md

@@ -13,6 +13,7 @@
 	"GatewayHTTPPerNodeRate": "100rps:100",
 	"GatewayConfidentialRelayGlobalRate": "50rps:10",
 	"GatewayConfidentialRelayPerNodeRate": "10rps:10",
+	"GatewayHTTPActionMtlsRequestRate": "every30s:0",
 	"TriggerRegistrationStatusUpdateTimeout": "0s",
 	"BaseTriggerRetryInterval": "30s",
 	"BaseTriggerMaxRetries": "20",
@@ -38,7 +39,10 @@
 	"PerOrg": {
 		"BaseTriggerRetransmitEnabled": "false",
 		"WorkflowExecutionConcurrencyLimit": "100",
-		"ZeroBalancePruningTimeout": "24h0m0s"
+		"ZeroBalancePruningTimeout": "24h0m0s",
+		"HTTPAction": {
+			"MtlsRateLimit": "every30s:3"
+		}
 	},
 	"PerOwner": {
 		"WorkflowLimit": "1000",

pkg/settings/cresettings/defaults.json

@@ -12,6 +12,7 @@ GatewayHTTPGlobalRate = '500rps:500'
 GatewayHTTPPerNodeRate = '100rps:100'
 GatewayConfidentialRelayGlobalRate = '50rps:10'
 GatewayConfidentialRelayPerNodeRate = '10rps:10'
+GatewayHTTPActionMtlsRequestRate = 'every30s:0'
 TriggerRegistrationStatusUpdateTimeout = '0s'
 BaseTriggerRetryInterval = '30s'
 BaseTriggerMaxRetries = '20'
@@ -40,6 +41,9 @@ BaseTriggerRetransmitEnabled = 'false'
 WorkflowExecutionConcurrencyLimit = '100'
 ZeroBalancePruningTimeout = '24h0m0s'
 
+[PerOrg.HTTPAction]
+MtlsRateLimit = 'every30s:3'
+
 [PerOwner]
 WorkflowLimit = '1000'
 WorkflowExecutionConcurrencyLimit = '5'

pkg/settings/cresettings/defaults.toml

@@ -67,6 +67,7 @@ var Default = Schema{
 	GatewayHTTPPerNodeRate:                 Rate(rate.Limit(100), 100),
 	GatewayConfidentialRelayGlobalRate:     Rate(rate.Limit(50), 10),
 	GatewayConfidentialRelayPerNodeRate:    Rate(rate.Limit(10), 10),
+	GatewayHTTPActionMtlsRequestRate:       Rate(rate.Every(30*time.Second), 0),
 	TriggerRegistrationStatusUpdateTimeout: Duration(0 * time.Second),
 	BaseTriggerRetryInterval:               Duration(30 * time.Second),
 	BaseTriggerMaxRetries:                  Int(20),
@@ -129,6 +130,9 @@ var Default = Schema{
 		BaseTriggerRetransmitEnabled:      Bool(false),
 		WorkflowExecutionConcurrencyLimit: Int(100),
 		ZeroBalancePruningTimeout:         Duration(24 * time.Hour),
+		HTTPAction: perOrgHTTPAction{
+			MtlsRateLimit: Rate(rate.Every(30*time.Second), 3),
+		},
 	},
 	PerOwner: Owners{
 		WorkflowLimit:                     Int(1000),
@@ -263,6 +267,7 @@ type Schema struct {
 	GatewayHTTPPerNodeRate                 Setting[config.Rate]
 	GatewayConfidentialRelayGlobalRate     Setting[config.Rate]
 	GatewayConfidentialRelayPerNodeRate    Setting[config.Rate]
+	GatewayHTTPActionMtlsRequestRate       Setting[config.Rate]
 	TriggerRegistrationStatusUpdateTimeout Setting[time.Duration]
 
 	BaseTriggerRetryInterval   Setting[time.Duration]
@@ -297,6 +302,7 @@ type Orgs struct {
 	BaseTriggerRetransmitEnabled      Setting[bool]
 	WorkflowExecutionConcurrencyLimit Setting[int] `unit:"{workflow}"`
 	ZeroBalancePruningTimeout         Setting[time.Duration]
+	HTTPAction                        perOrgHTTPAction
 }
 
 type Owners struct {
@@ -401,6 +407,9 @@ type httpAction struct {
 	RequestSizeLimit  Setting[config.Size]
 	ResponseSizeLimit Setting[config.Size]
 }
+type perOrgHTTPAction struct {
+	MtlsRateLimit Setting[config.Rate]
+}
 type confidentialHTTP struct {
 	CallLimit         Setting[int] `unit:"{call}"`
 	ConnectionTimeout Setting[time.Duration]

pkg/settings/cresettings/settings.go

@@ -70,7 +70,7 @@ func TestSchema_Unmarshal(t *testing.T) {
 	"GatewayUnauthenticatedRequestRateLimit": "200rps:50",
 	"GatewayUnauthenticatedRequestRateLimitPerIP": "1rps:100",
 	"GatewayIncomingPayloadSizeLimit": "14kb",
-    "GatewayVaultManagementEnabled": "true",
+	"GatewayVaultManagementEnabled": "true",
 	"GatewayConfidentialRelayGlobalRate": "20rps:7",
 	"GatewayConfidentialRelayPerNodeRate": "4rps:2",
 	"PerOrg": {

pkg/settings/cresettings/settings_test.go

@@ -23,6 +23,15 @@ type CacheSettings struct {
 	ReadFromCache bool `json:"readFromCache,omitempty"` // If true, attempt to read a cached response for the request
 }
 
+type Secret []byte
+
+func (s Secret) String() string { return "[REDACTED]" }
+
+type MtlsAuth struct {
+	PrivateKey  Secret `json:"privateKey"`
+	Certificate []byte `json:"certificate"`
+}
+
 // OutboundHTTPRequest represents an HTTP request to be sent from workflow node to the gateway.
 type OutboundHTTPRequest struct {
 	URL    string `json:"url"`              // URL to query, only http and https protocols are supported.
@@ -35,6 +44,7 @@ type OutboundHTTPRequest struct {
 	Body          []byte              `json:"body,omitempty"`         // HTTP request body
 	TimeoutMs     uint32              `json:"timeoutMs,omitempty"`    // Timeout in milliseconds
 	CacheSettings CacheSettings       `json:"cacheSettings"`          // Best-effort cache control for the request
+	Mtls          *MtlsAuth           `json:"mtlsAuth,omitempty"`     // Client certificate for mTLS requests
 
 	// Maximum number of bytes to read from the response body.  If the gateway max response size is smaller than this value, the gateway max response size will be used.
 	MaxResponseBytes uint32 `json:"maxBytes,omitempty"`
@@ -62,6 +72,12 @@ func (req OutboundHTTPRequest) Hash() string {
 
 	s.Write([]byte(strconv.FormatUint(uint64(req.MaxResponseBytes), 10)))
 
+	if req.Mtls != nil {
+		s.Write(req.Mtls.PrivateKey)
+		s.Write(sep)
+		s.Write(req.Mtls.Certificate)
+	}
+
 	return hex.EncodeToString(s.Sum(nil))
 }
 

pkg/types/gateway/action.go

@@ -19,6 +19,15 @@ func TestOutboundHTTPRequest_Hash(t *testing.T) {
 		WorkflowOwner: "owner",
 		MultiHeaders:  map[string][]string{"A": {"1", "2"}},
 	}
+	baseWithMtls := OutboundHTTPRequest{
+		Method:        "GET",
+		URL:           "https://example.com/",
+		WorkflowOwner: "owner",
+		Mtls: &MtlsAuth{
+			PrivateKey:  Secret("priv-key"),
+			Certificate: []byte("cert"),
+		},
+	}
 
 	tests := []struct {
 		name     string
@@ -111,6 +120,80 @@ func TestOutboundHTTPRequest_Hash(t *testing.T) {
 			},
 			sameHash: false,
 		},
+		{
+			name: "Same Mtls values yields same hash",
+			reqA: baseWithMtls,
+			reqB: OutboundHTTPRequest{
+				Method:        "GET",
+				URL:           "https://example.com/",
+				WorkflowOwner: "owner",
+				Mtls: &MtlsAuth{
+					PrivateKey:  Secret("priv-key"),
+					Certificate: []byte("cert"),
+				},
+			},
+			sameHash: true,
+		},
+		{
+			name: "Nil Mtls vs non-nil Mtls yields different hash",
+			reqA: OutboundHTTPRequest{
+				Method:        "GET",
+				URL:           "https://example.com/",
+				WorkflowOwner: "owner",
+			},
+			reqB:     baseWithMtls,
+			sameHash: false,
+		},
+		{
+			name: "Different Mtls PrivateKey yields different hash",
+			reqA: baseWithMtls,
+			reqB: OutboundHTTPRequest{
+				Method:        "GET",
+				URL:           "https://example.com/",
+				WorkflowOwner: "owner",
+				Mtls: &MtlsAuth{
+					PrivateKey:  Secret("other-key"),
+					Certificate: []byte("cert"),
+				},
+			},
+			sameHash: false,
+		},
+		{
+			name: "Different Mtls Certificate yields different hash",
+			reqA: baseWithMtls,
+			reqB: OutboundHTTPRequest{
+				Method:        "GET",
+				URL:           "https://example.com/",
+				WorkflowOwner: "owner",
+				Mtls: &MtlsAuth{
+					PrivateKey:  Secret("priv-key"),
+					Certificate: []byte("other-cert"),
+				},
+			},
+			sameHash: false,
+		},
+		{
+			name: "Shifting bytes between Mtls PrivateKey and Certificate yields different hash",
+			reqA: OutboundHTTPRequest{
+				Method:        "GET",
+				URL:           "https://example.com/",
+				WorkflowOwner: "owner",
+				Mtls: &MtlsAuth{
+					PrivateKey:  Secret("ab"),
+					Certificate: []byte("cd"),
+				},
+			},
+			reqB: OutboundHTTPRequest{
+				Method:        "GET",
+				URL:           "https://example.com/",
+				WorkflowOwner: "owner",
+				Mtls: &MtlsAuth{
+					PrivateKey:  Secret("abc"),
+					Certificate: []byte("d"),
+				},
+			},
+			sameHash: false,
+		},
 	}
 
 	for _, tt := range tests {