DF-21405 Secure mint plugin integration

core/config/env/env.go

@@ -24,15 +24,16 @@ var (
 
 // LOOPP commands and vars
 var (
-	MedianPlugin   = NewPlugin("median")
-	MercuryPlugin  = NewPlugin("mercury")
-	AptosPlugin    = NewPlugin("aptos")
-	EVMPlugin      = NewPlugin("evm")
-	CosmosPlugin   = NewPlugin("cosmos")
-	SolanaPlugin   = NewPlugin("solana")
-	StarknetPlugin = NewPlugin("starknet")
-	TronPlugin     = NewPlugin("tron")
-	TONPlugin      = NewPlugin("ton")
+	MedianPlugin     = NewPlugin("median")
+	MercuryPlugin    = NewPlugin("mercury")
+	AptosPlugin      = NewPlugin("aptos")
+	EVMPlugin        = NewPlugin("evm")
+	CosmosPlugin     = NewPlugin("cosmos")
+	SolanaPlugin     = NewPlugin("solana")
+	StarknetPlugin   = NewPlugin("starknet")
+	TronPlugin       = NewPlugin("tron")
+	TONPlugin        = NewPlugin("ton")
+	SecureMintPlugin = NewPlugin("securemint")
 	// PrometheusDiscoveryHostName is the externally accessible hostname
 	// published by the node in the `/discovery` endpoint. Generally, it is expected to match
 	// the public hostname of node.

core/scripts/go.mod

@@ -47,12 +47,12 @@ require (
 	github.com/shopspring/decimal v1.4.0
 	github.com/smartcontractkit/chainlink-automation v0.8.1
 	github.com/smartcontractkit/chainlink-ccip v0.1.1-solana.0.20250825135846-84f0d5167f8f
-	github.com/smartcontractkit/chainlink-common v0.9.5-0.20250908082700-aa3f5927af8c
+	github.com/smartcontractkit/chainlink-common v0.9.5-0.20250909120425-33154edc7a38
 	github.com/smartcontractkit/chainlink-data-streams v0.1.2
 	github.com/smartcontractkit/chainlink-deployments-framework v0.42.0
 	github.com/smartcontractkit/chainlink-evm v0.3.3-0.20250903140346-aacd485a7dea
 	github.com/smartcontractkit/chainlink-evm/gethwrappers v0.0.0-20250827130336-5922343458be
-	github.com/smartcontractkit/chainlink-protos/cre/go v0.0.0-20250829155125-f4655b0b4605
+	github.com/smartcontractkit/chainlink-protos/cre/go v0.0.0-20250905211734-167560f092c1
 	github.com/smartcontractkit/chainlink-protos/job-distributor v0.13.1
 	github.com/smartcontractkit/chainlink-testing-framework/framework v0.10.17
 	github.com/smartcontractkit/chainlink-testing-framework/framework/components/dockercompose v0.1.13

core/scripts/go.sum

@@ -1538,8 +1538,8 @@ github.com/smartcontractkit/chainlink-ccip/chains/solana v0.0.0-20250805210128-7
 github.com/smartcontractkit/chainlink-ccip/chains/solana v0.0.0-20250805210128-7f8a0f403c3a/go.mod h1:Ve1xD71bl193YIZQEoJMmBqLGQJdNs29bwbuObwvbhQ=
 github.com/smartcontractkit/chainlink-ccip/chains/solana/gobindings v0.0.0-20250805210128-7f8a0f403c3a h1:38dAlTPRUQHZus5dCnBnQyf/V4oYn0p2svWlbPgHDQ4=
 github.com/smartcontractkit/chainlink-ccip/chains/solana/gobindings v0.0.0-20250805210128-7f8a0f403c3a/go.mod h1:xtZNi6pOKdC3sLvokDvXOhgHzT+cyBqH/gWwvxTxqrg=
-github.com/smartcontractkit/chainlink-common v0.9.5-0.20250908082700-aa3f5927af8c h1:2cnAGt0nedGS/M0deXRCIJVsxTWi6CzYPXkTxqVwViY=
-github.com/smartcontractkit/chainlink-common v0.9.5-0.20250908082700-aa3f5927af8c/go.mod h1:b5KI42+P0ZmUXuvOFzSH9uIB8K83wvXq1GNVoY+ePeg=
+github.com/smartcontractkit/chainlink-common v0.9.5-0.20250909120425-33154edc7a38 h1:dCvWsUaZsEkX6iH6CwsmtDORH6rHoAHQ9Vi0H/Zb444=
+github.com/smartcontractkit/chainlink-common v0.9.5-0.20250909120425-33154edc7a38/go.mod h1:1diMLMwfIACeqJFt7ySGaBrJIeUwHTLhVVYlb41EyKk=
 github.com/smartcontractkit/chainlink-common/pkg/chipingress v0.0.1 h1:ca2z5OXgnbBPQRxpwXwBLJsUA1+cAp5ncfW4Ssvd6eY=
 github.com/smartcontractkit/chainlink-common/pkg/chipingress v0.0.1/go.mod h1:NZv/qKYGFRnkjOYBouajnDfFoZ+WDa6H2KNmSf1dnKc=
 github.com/smartcontractkit/chainlink-common/pkg/monitoring v0.0.0-20250415235644-8703639403c7 h1:9wh1G+WbXwPVqf0cfSRSgwIcaXTQgvYezylEAfwmrbw=
@@ -1564,8 +1564,8 @@ github.com/smartcontractkit/chainlink-framework/multinode v0.0.0-20250729142306-
 github.com/smartcontractkit/chainlink-framework/multinode v0.0.0-20250729142306-508e798f6a5d/go.mod h1:2JTBNp3FlRdO/nHc4dsc9bfxxMClMO1Qt8sLJgtreBY=
 github.com/smartcontractkit/chainlink-protos/billing/go v0.0.0-20250722225531-876fd6b94976 h1:mF3FiDUoV0QbJcks9R2y7ydqntNL1Z0VCPBJgx/Ms+0=
 github.com/smartcontractkit/chainlink-protos/billing/go v0.0.0-20250722225531-876fd6b94976/go.mod h1:HHGeDUpAsPa0pmOx7wrByCitjQ0mbUxf0R9v+g67uCA=
-github.com/smartcontractkit/chainlink-protos/cre/go v0.0.0-20250829155125-f4655b0b4605 h1:yVH5tLDzW2ZBUpmkHF5nci1SRSXTcU3A1VZ8iS5qudA=
-github.com/smartcontractkit/chainlink-protos/cre/go v0.0.0-20250829155125-f4655b0b4605/go.mod h1:jUC52kZzEnWF9tddHh85zolKybmLpbQ1oNA4FjOHt1Q=
+github.com/smartcontractkit/chainlink-protos/cre/go v0.0.0-20250905211734-167560f092c1 h1:HZt/80mhcNw6/MlYBIRracxfHWNqFF0iZ5nZEVZBUgo=
+github.com/smartcontractkit/chainlink-protos/cre/go v0.0.0-20250905211734-167560f092c1/go.mod h1:jUC52kZzEnWF9tddHh85zolKybmLpbQ1oNA4FjOHt1Q=
 github.com/smartcontractkit/chainlink-protos/job-distributor v0.13.1 h1:PWwLGimBt37eDzpbfZ9V/ZkW4oCjcwKjKiAwKlSfPc0=
 github.com/smartcontractkit/chainlink-protos/job-distributor v0.13.1/go.mod h1:/dVVLXrsp+V0AbcYGJo3XMzKg3CkELsweA/TTopCsKE=
 github.com/smartcontractkit/chainlink-protos/orchestrator v0.10.0 h1:0eroOyBwmdoGUwUdvMI0/J7m5wuzNnJDMglSOK1sfNY=

core/services/job/orm.go

@@ -167,7 +167,7 @@ func (o *orm) AssertBridgesExist(ctx context.Context, p pipeline.Pipeline) error
 	return nil
 }
 
-// CreateJob creates the job, and it's associated spec record.
+// CreateJob creates the job, and its associated spec record.
 // Expects an unmarshalled job spec as the jb argument i.e. output from ValidatedXX.
 // Scans all persisted records back into jb
 func (o *orm) CreateJob(ctx context.Context, jb *Job) error {
@@ -647,7 +647,7 @@ func (o *orm) insertGatewaySpec(ctx context.Context, spec *GatewaySpec) (specID
 // ValidateKeyStoreMatch confirms that the key has a valid match in the keystore
 func ValidateKeyStoreMatch(ctx context.Context, spec *OCR2OracleSpec, keyStore keystore.Master, key string) (err error) {
 	switch spec.PluginType {
-	case types.Mercury, types.LLO:
+	case types.Mercury, types.LLO, types.SecureMint:
 		_, err = keyStore.CSA().Get(key)
 		if err != nil {
 			err = errors.Errorf("no CSA key matching: %q", key)

core/services/ocr2/delegate.go

@@ -45,6 +45,7 @@ import (
 	"github.com/smartcontractkit/chainlink-common/pkg/types"
 	cciptypes "github.com/smartcontractkit/chainlink-common/pkg/types/ccip"
 	"github.com/smartcontractkit/chainlink-common/pkg/types/core"
+	sm "github.com/smartcontractkit/chainlink-common/pkg/types/core/securemint"
 	llotypes "github.com/smartcontractkit/chainlink-common/pkg/types/llo"
 	"github.com/smartcontractkit/chainlink-common/pkg/utils/mailbox"
 	"github.com/smartcontractkit/chainlink-common/pkg/workflows/dontime"
@@ -79,6 +80,8 @@ import (
 	ocr2keeper21core "github.com/smartcontractkit/chainlink/v2/core/services/ocr2/plugins/ocr2keeper/evmregistry/v21/core"
 	vaultocrplugin "github.com/smartcontractkit/chainlink/v2/core/services/ocr2/plugins/vault"
 	"github.com/smartcontractkit/chainlink/v2/core/services/ocr2/validate"
+	"github.com/smartcontractkit/chainlink/v2/core/services/ocr3/securemint"
+	sm_adapter "github.com/smartcontractkit/chainlink/v2/core/services/ocr3/securemint/keyringadapter"
 	"github.com/smartcontractkit/chainlink/v2/core/services/ocrcommon"
 	"github.com/smartcontractkit/chainlink/v2/core/services/pipeline"
 	"github.com/smartcontractkit/chainlink/v2/core/services/relay"
@@ -579,6 +582,8 @@ func (d *Delegate) ServicesForSpec(ctx context.Context, jb job.Job) ([]job.Servi
 
 	case types.DonTimePlugin:
 		return d.newDonTimePlugin(ctx, lggr, jb, bootstrapPeers, kb, ocrDB, lc)
+	case types.SecureMint:
+		return d.newServicesSecureMint(ctx, lggr, jb, bootstrapPeers, kb, ocrDB, lc)
 
 	default:
 		return nil, errors.Errorf("plugin type %s not supported", spec.PluginType)
@@ -1498,6 +1503,54 @@ func (d *Delegate) newServicesMedian(
 	return medianServices, err2
 }
 
+func (d *Delegate) newServicesSecureMint(
+	ctx context.Context,
+	lggr logger.SugaredLogger,
+	jb job.Job,
+	bootstrapPeers []commontypes.BootstrapperLocator,
+	kb ocr2key.KeyBundle,
+	ocrDB *db,
+	lc ocrtypes.LocalConfig,
+) ([]job.ServiceCtx, error) {
+	spec := jb.OCR2OracleSpec
+	rid, err := spec.RelayID()
+	if err != nil {
+		return nil, ErrJobSpecNoRelayer{Err: err, PluginName: "securemint"}
+	}
+
+	ocrLogger := ocrcommon.NewOCRWrapper(lggr, d.cfg.OCR2().TraceLogging(), func(ctx context.Context, msg string) {
+		lggr.ErrorIf(d.jobORM.RecordError(ctx, jb.ID, msg), "unable to record error")
+	})
+
+	oracleArgsNoPlugin := libocr2.OCR3OracleArgs[sm.ChainSelector]{
+		BinaryNetworkEndpointFactory: d.peerWrapper.Peer2,
+		V2Bootstrappers:              bootstrapPeers,
+		Database:                     ocrDB,
+		LocalConfig:                  lc,
+		Logger:                       ocrLogger,
+		MonitoringEndpoint:           d.monitoringEndpointGen.GenMonitoringEndpoint(rid.Network, rid.ChainID, spec.ContractID, synchronization.OCR2Median),
+		OffchainKeyring:              kb,
+		OnchainKeyring:               sm_adapter.NewSecureMintOCR3OnchainKeyringAdapter(kb),
+		MetricsRegisterer:            prometheus.WrapRegistererWith(map[string]string{"job_name": jb.Name.ValueOrZero()}, prometheus.DefaultRegisterer),
+	}
+
+	smConfig := securemint.NewJobConfig(
+		d.cfg.JobPipeline().MaxSuccessfulRuns(),
+		d.cfg.JobPipeline().ResultWriteQueueDepth(),
+		d.cfg,
+	)
+
+	relayer, err := d.RelayGetter.Get(rid)
+	if err != nil {
+		return nil, ErrRelayNotEnabled{Err: err, PluginName: "securemint", Relay: spec.Relay}
+	}
+
+	secureMintServices, err := securemint.NewSecureMintServices(ctx, jb, d.isNewlyCreatedJob, relayer, d.pipelineRunner, lggr, oracleArgsNoPlugin, smConfig, d.capabilitiesRegistry)
+	secureMintServices = append(secureMintServices, ocrLogger)
+
+	return secureMintServices, err
+}
+
 func (d *Delegate) newServicesOCR2Keepers(
 	ctx context.Context,
 	lggr logger.SugaredLogger,

core/services/ocr2/validate/validate.go

@@ -12,8 +12,6 @@ import (
 	"github.com/pelletier/go-toml"
 	pkgerrors "github.com/pkg/errors"
 
-	libocr2 "github.com/smartcontractkit/libocr/offchainreporting2plus"
-
 	"github.com/smartcontractkit/chainlink-common/pkg/logger"
 	"github.com/smartcontractkit/chainlink-common/pkg/loop/reportingplugins"
 	"github.com/smartcontractkit/chainlink-common/pkg/types"
@@ -25,11 +23,13 @@ import (
 	lloconfig "github.com/smartcontractkit/chainlink/v2/core/services/ocr2/plugins/llo/config"
 	mercuryconfig "github.com/smartcontractkit/chainlink/v2/core/services/ocr2/plugins/mercury/config"
 	"github.com/smartcontractkit/chainlink/v2/core/services/ocr2/plugins/vault"
+	sm_config "github.com/smartcontractkit/chainlink/v2/core/services/ocr3/securemint/config"
 	"github.com/smartcontractkit/chainlink/v2/core/services/ocrcommon"
 	"github.com/smartcontractkit/chainlink/v2/core/services/pipeline"
 	"github.com/smartcontractkit/chainlink/v2/core/services/relay"
 	evmtypes "github.com/smartcontractkit/chainlink/v2/core/services/relay/evm/types"
 	"github.com/smartcontractkit/chainlink/v2/plugins"
+	libocr2 "github.com/smartcontractkit/libocr/offchainreporting2plus"
 )
 
 // ValidatedOracleSpecToml validates an oracle spec that came from TOML
@@ -132,6 +132,8 @@ func validateSpec(ctx context.Context, tree *toml.Tree, spec job.Job, rc plugins
 		return validateVaultPluginSpec(spec.OCR2OracleSpec.PluginConfig)
 	case types.DonTimePlugin:
 		return validateDonTimePluginSpec(spec.OCR2OracleSpec.PluginConfig)
+	case types.SecureMint:
+		return validateSecureMintSpec(spec.OCR2OracleSpec.PluginConfig)
 	case "":
 		return errors.New("no plugin specified")
 	default:
@@ -405,3 +407,20 @@ func validateOCR2LLOSpec(jsonConfig job.JSONConfig) error {
 	}
 	return pkgerrors.Wrap(pluginConfig.Validate(), "LLO PluginConfig is invalid")
 }
+
+func validateSecureMintSpec(jsonConfig job.JSONConfig) error {
+	if jsonConfig == nil {
+		return errors.New("secure mint plugin config is empty")
+	}
+
+	smConfig, err := sm_config.Parse(jsonConfig.Bytes())
+	if err != nil {
+		return pkgerrors.Wrap(err, "error while parsing secure mint plugin config")
+	}
+
+	if err := smConfig.Validate(); err != nil {
+		return fmt.Errorf("invalid secure mint plugin config: %#v, err: %w", smConfig, err)
+	}
+
+	return nil
+}

core/services/ocr3/securemint/README.md

@@ -0,0 +1,117 @@
+# SecureMint Plugin
+
+## Overview
+
+The SecureMint plugin is a plugin that allows for secure minting of tokens.
+It's looppified, its implementation can be found in https://github.com/smartcontractkit/chainlink-secure-mint/. 
+Make sure to install the plugin before running the integration test.
+
+### Secure mint plugin version
+
+The current code works with [v0.1 of the secure mint plugin](https://github.com/smartcontractkit/chainlink-secure-mint/commit/548f7e4753a11b2bcd69f53345ca6a0d696dff9d).
+
+## Validation
+
+Validating whether the SecureMint plugin is working as expected is done by running the integration test.
+
+The test is located in the `core/services/ocr3/securemint` directory.
+
+### Prerequisites:
+```bash
+docker run --name cl-postgres -e POSTGRES_USER=postgres -e POSTGRES_PASSWORD=postgres -e POSTGRES_DB=dbname -p 5432:5432 -d postgres
+make setup-testdb
+```
+
+### Run test:
+```bash
+ time CL_SECUREMINT_CMD=chainlink-secure-mint CL_DATABASE_URL=postgresql://chainlink_dev:insecurepassword@localhost:5432/chainlink_development_test?sslmode=disable go test -timeout 2m -run ^TestIntegration_SecureMint_happy_path$ github.com/smartcontractkit/chainlink/v2/core/services/ocr3/securemint -v 2>&1 | tee all.log | awk '/DEBUG|INFO|WARN|ERROR/ { print > "node_logs.log"; next }; { print > "other.log" }; tail all.log'
+```
+
+### If you change any dependencies:
+```bash
+go mod tidy && go mod vendor && modvendor -copy="**/*.a **/*.h" -v
+```
+
+(the `modvendor` step might not be necessary, but for me it was (see also https://github.com/marcboeker/go-duckdb/issues/174#issuecomment-1979097864))
+
+### Logs
+
+* other.log: Contains all non-node output from the test run, this can be used to quickly see test failures
+* node_logs.log: Contains all logs from the nodes started up in the test run, this can be used to see the full output of the test run
+* all.log: Contains the complete output of the test run, this can be used to see test failures within the context of the node logs
+
+
+### Debug test with VSCode:
+
+Create a launch.json file in the .vscode directory with the following content:
+
+```json
+{
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "Debug Secure Mint Integration Test",
+            "type": "go",
+            "request": "launch",
+            "mode": "test",
+            "program": "${workspaceFolder}/core/services/ocr3/securemint/integrationtest",
+            "args": [
+                "-test.run",
+                "^TestIntegration_SecureMint_happy_path$",
+                "-test.v",
+                "-test.timeout",
+                "2m",
+                "2>&1",
+                "|",
+                "tee",
+                "all.log",
+                "|",
+                "awk '/DEBUG|INFO|WARN|ERROR/ { print > 'node_logs.log'; next }; { print > 'other.log' }'",
+            ],
+            "env": {
+                "ENV": "test",
+                "CL_DATABASE_URL": "postgresql://chainlink_dev:insecurepassword@localhost:5432/chainlink_development_test?sslmode=disable",
+                "CL_SECUREMINT_CMD": "chainlink-secure-mint",
+            }
+        }
+    ]
+}
+```
+
+Then run the test by Cmd+P: "Start Debugging".
+
+## Hacks
+
+
+### XXX_SingletonTransmitter
+
+This is a hack to allow the `TestIntegration_SecureMint_happy_path` integration test to assess whether secure mint reports are being transmitted as a trigger to a Workflow.
+
+It gives the integration test access to the SecureMint transmitter, which is used to assert on the number of transmissions.
+
+
+## Secure Mint Workflow 
+
+The Secure Mint plugin's reports are triggers for a CRE Workflow. 
+
+The secure mint workflow, and specifically the securemint aggregator (see `chainlink-common/pkg/capabilities/consensus/ocr3/datafeeds/securemint_aggregator.go`) are tested in `core/capabilities/integration_tests/keystone/securemint_workflow_test.go`. 
+
+You can run the `Test_runSecureMintWorkflow` test as follows:
+```bash
+time CL_DATABASE_URL=postgresql://chainlink_dev:insecurepassword@localhost:5432/chainlink_development_test?sslmode=disable go test -timeout 2m -run ^Test_runSecureMintWorkflow$ github.com/smartcontractkit/chainlink/v2/core/capabilities/integration_tests/keystone -v 2>&1 | tee all.log | awk '/DEBUG|INFO|WARN|ERROR/ { print > "node_logs.log"; next }; { print > "other.log" }'; tail all.log
+```
+
+### Layers of abstraction in sending a Workflow trigger
+
+When sending a Workflow trigger, the SecureMint report is wrapped in several layers of abstraction.
+
+From top to bottom: 
+
+The secure mint transmitter sends a:
+- `capabilities.TriggerResponse{Event: capabilities.TriggerEvent, Err}`, which contains a:
+- `capabilities.TriggerEvent{TriggerType: 0, ID: "securemint-trigger", Outputs: values.Map, Payload: nil}`, which contains:
+- `values.Map{"sigs": signatures, "configDigest": cfgDigest, "seqNr": seqNr, "report": <ocr3types.ReportWithInfo>}`, which contains a
+- `ocr3types.ReportWithInfo{Report: json-marshaled PorReport, Info: chainSelector}`, which contains a
+- `securemint.Report{ConfigDigest, SeqNr, Block, Mintable}`, which:
+
+is created by the secure mint plugin.

core/services/ocr3/securemint/config/config.go

@@ -0,0 +1,57 @@
+package config
+
+import (
+	"encoding/json"
+
+	"github.com/pkg/errors"
+)
+
+// SecureMintConfig holds secure mint specific configuration
+type SecureMintConfig struct {
+	Token          string   `json:"token"`
+	Reserves       string   `json:"reserves"`
+	ChainSelectors []string `json:"chainSelectors"`
+
+	// Trigger capability configuration
+	TriggerCapabilityName        string `json:"triggerCapabilityName"`
+	TriggerCapabilityVersion     string `json:"triggerCapabilityVersion"`
+	TriggerTickerMinResolutionMs int    `json:"triggerTickerMinResolutionMs"`
+	TriggerSendChannelBufferSize int    `json:"triggerSendChannelBufferSize"`
+}
+
+// SecureMintTriggerConfig holds configuration for secure mint trigger subscribers
+type SecureMintTriggerConfig struct {
+	// The interval in milliseconds after which a new trigger event is generated.
+	MaxFrequencyMs uint64 `json:"maxFrequencyMs" yaml:"maxFrequencyMs" mapstructure:"maxFrequencyMs"`
+}
+
+// Parse parses the secure mint configuration from JSON bytes
+func Parse(configBytes []byte) (*SecureMintConfig, error) {
+	if len(configBytes) == 0 {
+		return nil, errors.New("secure mint config cannot be empty")
+	}
+
+	var config SecureMintConfig
+	if err := json.Unmarshal(configBytes, &config); err != nil {
+		return nil, errors.Wrap(err, "failed to unmarshal SecureMintConfig")
+	}
+
+	return &config, nil
+}
+
+// Validate validates the secure mint plugin-specific config.
+func (cfg *SecureMintConfig) Validate() error {
+	if cfg == nil {
+		return errors.New("secure mint plugin config cannot be nil")
+	}
+
+	if cfg.Token == "" {
+		return errors.New("token cannot be empty")
+	}
+
+	if cfg.Reserves == "" {
+		return errors.New("reserves cannot be empty")
+	}
+
+	return nil
+}