Apply Copilot PR feedback

nolag · nolag · commit ba2d7f224c3d · 2026-06-22T12:57:21.000-04:00
diff --git a/go.mod b/go.mod
@@ -45,7 +45,7 @@ require (
 	github.com/smartcontractkit/chain-selectors v1.0.100
 	github.com/smartcontractkit/chainlink-common/pkg/chipingress v0.0.11-0.20260528204832-58c7145c53f8
 	github.com/smartcontractkit/chainlink-protos/billing/go v0.0.0-20251024234028-0988426d98f4
-	github.com/smartcontractkit/chainlink-protos/cre/go v0.0.0-20260622134419-a97fce3dedf3
+	github.com/smartcontractkit/chainlink-protos/cre/go v0.0.0-20260622152157-c8e129347b8b
 	github.com/smartcontractkit/chainlink-protos/linking-service/go v0.0.0-20251002192024-d2ad9222409b
 	github.com/smartcontractkit/chainlink-protos/node-platform v0.0.0-20260205130626-db2a2aab956b
 	github.com/smartcontractkit/chainlink-protos/storage-service v0.3.0
diff --git a/go.sum b/go.sum
diff --git a/pkg/workflows/host/execution_restrictions.go b/pkg/workflows/host/execution_restrictions.go
@@ -93,7 +93,7 @@ func (e *executionRestrictionsWithRawSecrets) GetRawSecrets(ctx context.Context,
 var _ ExecutionHelperWithRawSecrets = (*executionRestrictionsWithRawSecrets)(nil)
 
 // NewRestrictedExecutionHelper wraps ExecutionHelper with restriction enforcement derived from r.
-// If r implements ExecutionHelperWithRawSecrets, the returned value will as well.
+// If inner implements ExecutionHelperWithRawSecrets, the returned value will as well.
 // If r is nil, ExecutionHelper is returned unchanged.
 func NewRestrictedExecutionHelper(inner ExecutionHelper, r *sdk.Restrictions) ExecutionHelper {
 	if r == nil {
@@ -158,21 +158,23 @@ func (e *executionRestrictions) reserveCapabilityCall(request *sdk.CapabilityReq
 		return false
 	}
 
-	switch request.Payload.MessageName() {
-	case confHttpRequest:
-		conf := &confidentialhttp.ConfidentialHTTPRequest{}
-		if err := request.Payload.UnmarshalTo(conf); err != nil {
-			return false
-		}
-
-		secrets := conf.GetVaultDonSecrets()
-		for _, secret := range secrets {
-			if !e.reserveSecret(&sdk.SecretRequest{
-				Id:        secret.Key,
-				Namespace: secret.Namespace,
-			}) {
+	if request.Payload != nil {
+		switch request.Payload.MessageName() {
+		case confHttpRequest:
+			conf := &confidentialhttp.ConfidentialHTTPRequest{}
+			if err := request.Payload.UnmarshalTo(conf); err != nil {
 				return false
 			}
+
+			secrets := conf.GetVaultDonSecrets()
+			for _, secret := range secrets {
+				if !e.reserveSecret(&sdk.SecretRequest{
+					Id:        secret.Key,
+					Namespace: secret.Namespace,
+				}) {
+					return false
+				}
+			}
 		}
 	}
 
diff --git a/pkg/workflows/host/execution_restrictions_test.go b/pkg/workflows/host/execution_restrictions_test.go
@@ -419,6 +419,20 @@ func TestRequirementSelectingModule_ConfidentialHTTPWithRestrictions(t *testing.
 		assert.Same(t, want, got)
 	})
 
+	t.Run("nil payload is not treated as confidential http and reaches inner", func(t *testing.T) {
+		// A capability call sharing the confidential-http method id but carrying no
+		// payload must skip the vault-secret reservation branch entirely (guarded by
+		// request.Payload != nil) and fall through to the normal method check.
+		inner := mocks.NewMockExecutionHelper(t)
+		want := &sdk.CapabilityResponse{}
+		inner.EXPECT().CallCapability(matches.AnyContext, mock.Anything).Return(want, nil)
+		h := host.NewRestrictedExecutionHelper(inner, restrictions())
+
+		got, err := h.CallCapability(t.Context(), &sdk.CapabilityRequest{Id: "confhttp@1.0.0", Method: "Call"})
+		require.NoError(t, err)
+		assert.Same(t, want, got)
+	})
+
 	t.Run("disallowed confidential http call is denied without calling inner", func(t *testing.T) {
 		inner := mocks.NewMockExecutionHelper(t) // no expectations: inner must not be called
 		h := host.NewRestrictedExecutionHelper(inner, restrictions())
diff --git a/pkg/workflows/host/module.go b/pkg/workflows/host/module.go
@@ -56,7 +56,7 @@ type ExecutionHelperWithRawSecrets interface {
 
 // RestrictionAwareModule allows the module to know of the user-enforced restrictions.
 // Enforcement by this module is NOT to be trusted by the host,
-// however a violation is considered an indicator of a serious issues, such as compromise
+// however a violation is considered an indicator of a serious issue, such as compromise.
 type RestrictionAwareModule interface {
 	Module
 
diff --git a/pkg/workflows/host/requirement_selecting_module.go b/pkg/workflows/host/requirement_selecting_module.go
@@ -128,6 +128,12 @@ func (r *requirementSelectingModule) trigger(ctx context.Context, request *sdk.E
 			if err != nil {
 				return nil, fmt.Errorf("pre-hook execution failed: %w", err)
 			}
+
+			switch preHookResult.Result.(type) {
+			case *sdk.ExecutionResult_Error:
+				return preHookResult, nil
+			}
+
 			restrictions := preHookResult.GetRestrictions()
 
 			handler = NewRestrictedExecutionHelper(handler, restrictions)
diff --git a/pkg/workflows/host/requirement_selecting_module_test.go b/pkg/workflows/host/requirement_selecting_module_test.go
@@ -598,6 +598,43 @@ func TestRequirementSelectingModule_PreHook(t *testing.T) {
 		assert.True(t, isRestricted, "additional module should receive a restricted helper")
 	})
 
+	t.Run("pre-hook error result is returned directly without running the trigger", func(t *testing.T) {
+		errResult := &sdk.ExecutionResult{
+			Result: &sdk.ExecutionResult_Error{Error: "denied by pre-hook"},
+		}
+
+		var helperSeenByAdditional ExecutionHelper
+		main := ModuleAndHandler{Module: &stubModule{
+			executeFn: func(_ context.Context, req *sdk.ExecuteRequest, _ ExecutionHelper) (*sdk.ExecutionResult, error) {
+				if _, ok := req.Request.(*sdk.ExecuteRequest_PreHook); ok {
+					return errResult, nil
+				}
+				return subscribeResult(subWithReqsAndPreHook(teeReqs)), nil
+			},
+		}}
+		add := ModuleAndHandler{
+			Module: &stubModule{
+				executeFn: func(_ context.Context, _ *sdk.ExecuteRequest, h ExecutionHelper) (*sdk.ExecutionResult, error) {
+					helperSeenByAdditional = h
+					t.Fatal("additional module should not be called when pre-hook returns an error result")
+					return nil, nil
+				},
+			},
+			RequirementsHandler: RequirementsHandler{Tee: func(context.Context, *sdk.Tee) bool { return true }},
+		}
+
+		m := NewRequirementSelectingModule(main, []ModuleAndHandler{add})
+		m.Start()
+
+		_, err := m.Execute(t.Context(), subscribeRequest(), nil)
+		require.NoError(t, err)
+
+		got, err := m.Execute(t.Context(), triggerRequest(0), &stubExecutionHelper{})
+		require.NoError(t, err)
+		assert.Same(t, errResult, got, "pre-hook error result should be returned unchanged")
+		assert.Nil(t, helperSeenByAdditional, "additional module must not be invoked")
+	})
+
 	t.Run("pre-hook error propagates", func(t *testing.T) {
 		main := ModuleAndHandler{Module: &stubModule{
 			executeFn: func(_ context.Context, req *sdk.ExecuteRequest, _ ExecutionHelper) (*sdk.ExecutionResult, error) {
diff --git a/pkg/workflows/host/tee_provider_test.go b/pkg/workflows/host/tee_provider_test.go
@@ -137,12 +137,12 @@ func TestNewTeeProvider(t *testing.T) {
 		assert.False(t, provides(tee))
 	})
 
-	t.Run("returns true when tee item is nil", func(t *testing.T) {
+	t.Run("returns true when tee is nil", func(t *testing.T) {
 		provides := NewTeeProvider(sdkpb.TeeType_TEE_TYPE_AWS_NITRO, []string{"us-west-2"})
 		assert.True(t, provides(nil))
 	})
 
-	t.Run("returns false when tee item is nil", func(t *testing.T) {
+	t.Run("returns false when tee.Item item is nil", func(t *testing.T) {
 		provides := NewTeeProvider(sdkpb.TeeType_TEE_TYPE_AWS_NITRO, []string{"us-west-2"})
 		tee := &sdkpb.Tee{}
 		assert.False(t, provides(tee))
diff --git a/pkg/workflows/wasm/host/module.go b/pkg/workflows/wasm/host/module.go
@@ -682,7 +682,7 @@ func runWasm[I, O proto.Message](
 		1,  // memories
 	)
 
-	deadline := *m.cfg.Timeout / m.cfg.TickInterval
+	deadline := maxTimeout / m.cfg.TickInterval
 	store.SetEpochDeadline(uint64(deadline))
 
 	h := fnv.New64a()
@@ -744,7 +744,7 @@ func runWasm[I, O proto.Message](
 	// Note - there is no other reliable signal on the error that can be used to infer it is due to epoch deadline
 	// being reached, so if an error is returned after the deadline it is assumed it is due to that and return
 	// context.DeadlineExceeded.
-	if err != nil && ((executionDuration >= *m.cfg.Timeout-m.cfg.TickInterval) || ctx.Err() != nil) { // As start could be called just before epoch update 1 tick interval is deducted to account for this
+	if err != nil && ((executionDuration >= maxTimeout-m.cfg.TickInterval) || ctx.Err() != nil) { // As start could be called just before epoch update 1 tick interval is deducted to account for this
 		m.cfg.Logger.Errorw("start function returned error after deadline reached, returning deadline exceeded error", "errFromStartFunction", err)
 		return o, context.DeadlineExceeded
 	}
diff --git a/pkg/workflows/wasm/host/standard_test.go b/pkg/workflows/wasm/host/standard_test.go
@@ -706,7 +706,6 @@ func makeTestModuleByName(t *testing.T, testPath, testName string, cfg *ModuleCo
 
 	cmd := exec.Command("make", wasmName) // #nosec
 	cmd.Dir = absPath
-	fmt.Printf("Compiling test module from %s with command %s\n:", cmd.Dir, cmd.String())
 
 	output, err := cmd.CombinedOutput()
 	require.NoError(t, err, string(output))
