[CRE] [1/5] Gateway handler for confidential relay (#21638)

* [CRE] [1/5] Gateway handler for confidential relay

Add a new gateway handler type "confidential-compute-relay" that fans out
enclave JSON-RPC requests to relay DON nodes and aggregates responses
using F+1 quorum. Supports secrets_get and capability_exec methods.

Part of #21635

* Fix exhaustive switch lint and tidy integration-tests modules

Add missing api.ConflictError and api.LimitExceededError cases to both
switch statements in handler.go. Run go mod tidy on integration-tests
and integration-tests/load.

* Fix goimports formatting in gateway_job.go

* Use ServiceName constants and add RequestTimeoutSec to relay handler

- Replace string literals with ServiceNameVault, ServiceNameWorkflows,
  ServiceNameConfidential constants in all handler constructors.
- Add RequestTimeoutSec to confidentialRelayHandlerConfig, set to
  gateway timeout minus 1s (matching vault handler pattern). Ensures
  the handler times out before the gateway, returning a clean error
  instead of the gateway killing the connection.

* Add comment explaining requestTimeoutSec - 1 in relay handler

* Use fmt.Errorf instead of errors.New with string concatenation

Replace errors.New(x.Error() + ...) and fmt.Sprintf + errors.New
patterns with fmt.Errorf throughout the relay handler and aggregator.
Use %w for error wrapping where appropriate.
Add comment clarifying sendResponse deletes expired requests.

* Improve F+1 quorum comment in relay aggregator

Explain why F+1 is correct: relay nodes proxy already-aggregated DON
responses through deterministic translation, so honest nodes produce
byte-identical outputs.

* Move requestTimeoutSec - 1 to call site for relay handler

Make the buffer visible where handlers are wired up instead of hiding
it inside the constructor. The vault handler does the same subtraction
internally; a follow-up should unify both to use this pattern.

* Extract deleteActiveRequest from sendResponse

sendResponse no longer has the side effect of deleting from
activeRequests. Callers explicitly call deleteActiveRequest after
sendResponse, making the cleanup visible at every call site.

* Rename sendResponse to sendResponseAndCleanup, fix cleanup-on-error bug

The old sendResponse skipped the delete if SendResponse failed, leaving
the request in activeRequests forever. Now the delete always runs
regardless of send outcome. The method name makes the cleanup explicit.

* Handle errQuorumUnobtainable explicitly in aggregation switch

* Merge errorResponse into sendErrorResponseAndCleanup

* Move error sanitization into sendResponseAndCleanup

* Inline send+cleanup into sendResponseAndCleanup and sendSuccessResponseAndCleanup

* Unify sendResponseAndCleanup to handle both success and error paths

* Simplify `sendResponseAndCleanup`.

* Fix exhaustive lint: restore missing switch cases in recordMetrics and constructErrorResponse

* Suppress exhaustive switch warning.

* fan out relay requests to don nodes concurrently

* Clean up confidential relay concurrency test helper

* Remove redundant loop variable copy in relay fanout

* Use atomic counter for relay node send errors

* use cre settings for relay gateway rate limits

* Fail fast when relay quorum becomes impossible

* Run gomodtidy to fix CI module drift

---------

Co-authored-by: pavel-raykov <pavel.raykov@smartcontract.com>
Co-authored-by: vreff <104409744+vreff@users.noreply.github.com>

Author: 3 people

core/services/gateway/handler_factory.go

@@ -17,18 +17,20 @@ import (
 	"github.com/smartcontractkit/chainlink/v2/core/services/gateway/handlers"
 	"github.com/smartcontractkit/chainlink/v2/core/services/gateway/handlers/capabilities"
 	v2 "github.com/smartcontractkit/chainlink/v2/core/services/gateway/handlers/capabilities/v2"
+	"github.com/smartcontractkit/chainlink/v2/core/services/gateway/handlers/confidentialrelay"
 	"github.com/smartcontractkit/chainlink/v2/core/services/gateway/handlers/functions"
 	"github.com/smartcontractkit/chainlink/v2/core/services/gateway/handlers/vault"
 	"github.com/smartcontractkit/chainlink/v2/core/services/gateway/network"
 	workflowsyncerv2 "github.com/smartcontractkit/chainlink/v2/core/services/workflows/syncer/v2"
 )
 
 const (
-	FunctionsHandlerType   HandlerType = "functions"
-	DummyHandlerType       HandlerType = "dummy"
-	WebAPICapabilitiesType HandlerType = "web-api-capabilities" //  Handler for v0.1 HTTP capabilities for DAG workflows
-	HTTPCapabilityType     HandlerType = "http-capabilities"    // Handler for v1.0 HTTP capabilities for NoDAG workflows
-	VaultHandlerType       HandlerType = "vault"
+	FunctionsHandlerType         HandlerType = "functions"
+	DummyHandlerType             HandlerType = "dummy"
+	WebAPICapabilitiesType       HandlerType = "web-api-capabilities" //  Handler for v0.1 HTTP capabilities for DAG workflows
+	HTTPCapabilityType           HandlerType = "http-capabilities"    // Handler for v1.0 HTTP capabilities for NoDAG workflows
+	VaultHandlerType             HandlerType = "vault"
+	ConfidentialRelayHandlerType HandlerType = "confidential-compute-relay"
 )
 
 type handlerFactory struct {
@@ -85,6 +87,8 @@ func (hf *handlerFactory) NewHandler(
 		return v2.NewGatewayHandler(handlerConfig, donConfig, don, hf.httpClient, hf.lggr, hf.lf)
 	case VaultHandlerType:
 		return vault.NewHandler(handlerConfig, donConfig, don, hf.capabilitiesRegistry, hf.workflowRegistrySyncer, hf.lggr, clockwork.NewRealClock(), hf.lf)
+	case ConfidentialRelayHandlerType:
+		return confidentialrelay.NewHandler(handlerConfig, donConfig, don, hf.lggr, clockwork.NewRealClock(), hf.lf)
 	default:
 		return nil, fmt.Errorf("unsupported handler type %s", handlerType)
 	}

core/services/gateway/handlers/confidentialrelay/aggregator.go

@@ -0,0 +1,56 @@
+package confidentialrelay
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+
+	jsonrpc "github.com/smartcontractkit/chainlink-common/pkg/jsonrpc2"
+	"github.com/smartcontractkit/chainlink-common/pkg/logger"
+)
+
+var (
+	errInsufficientResponsesForQuorum = errors.New("insufficient valid responses to reach quorum")
+	errQuorumUnobtainable             = errors.New("quorum unobtainable")
+)
+
+type aggregator struct{}
+
+func (a *aggregator) Aggregate(resps map[string]jsonrpc.Response[json.RawMessage], donF int, donMembersCount int, l logger.Logger) (*jsonrpc.Response[json.RawMessage], error) {
+	// F+1 (QuorumFPlusOne) is sufficient because each relay node calls the
+	// target DON (Vault or capability) through CRE's standard capability
+	// dispatch, which includes DON-level consensus. Every honest relay node
+	// receives the same consensus-aggregated response and performs deterministic
+	// translation, producing byte-identical outputs. F+1 matching responses
+	// therefore guarantees at least one honest node vouched for the result.
+	requiredQuorum := donF + 1
+
+	if len(resps) < requiredQuorum {
+		return nil, errInsufficientResponsesForQuorum
+	}
+
+	shaToCount := map[string]int{}
+	maxShaToCount := 0
+	for _, r := range resps {
+		sha, err := r.Digest()
+		if err != nil {
+			l.Errorw("failed to compute digest of response during quorum validation, skipping...", "error", err)
+			continue
+		}
+		shaToCount[sha]++
+		if shaToCount[sha] > maxShaToCount {
+			maxShaToCount = shaToCount[sha]
+		}
+		if shaToCount[sha] >= requiredQuorum {
+			return &r, nil
+		}
+	}
+
+	remainingResponses := donMembersCount - len(resps)
+	if maxShaToCount+remainingResponses < requiredQuorum {
+		l.Warnw("quorum unattainable for request", "requiredQuorum", requiredQuorum, "remainingResponses", remainingResponses, "maxShaToCount", maxShaToCount)
+		return nil, fmt.Errorf("%w: requiredQuorum=%d, maxShaToCount=%d, remainingResponses=%d", errQuorumUnobtainable, requiredQuorum, maxShaToCount, remainingResponses)
+	}
+
+	return nil, errInsufficientResponsesForQuorum
+}