CRE Don2Don accept OCR attestation of a response#21607
Merged
Conversation
Contributor
CORA - Pending ReviewersAll codeowners have approved! ✅ Legend: ✅ Approved | ❌ Changes Requested | 💬 Commented | 🚫 Dismissed | ⏳ Pending | ❓ Unknown For more details, see the full review summary. |
Contributor
|
I see you updated files related to
|
Contributor
|
✅ No conflicts with other open PRs targeting |
dhaidashenko
force-pushed
the
feature/PLEX-2611-cre-don2don-accept-ocr-attestatin
branch
from
4a361c5 to
8c09813
Compare
dhaidashenko
force-pushed
the
feature/PLEX-2611-cre-don2don-accept-ocr-attestatin
branch
2 times, most recently
from
2bbab2b to
ec482f1
Compare
patrickhuie19
previously approved these changes
Mar 19, 2026
dhaidashenko
force-pushed
the
feature/PLEX-2611-cre-don2don-accept-ocr-attestatin
branch
2 times, most recently
from
ffd661b to
0d17383
Compare
patrickhuie19
previously approved these changes
Mar 24, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Risk Rating: HIGH (changes remote executable request aggregation/validation logic and adds a new OCR-attestation fast-path)
This PR updates the remote executable capability client to accept and verify OCR-attested responses (rather than requiring a quorum of identical responses), and bumps chainlink-common / keystore dependencies across multiple modules to pick up the needed functionality.
Changes:
- Add OCR attestation verification for capability responses in the remote executable client request path.
- Plumb OCR3 configs through launcher → executable client → request validation.
- Update tests to cover OCR-attested responses and bump
chainlink-common/keystoreversions across modules.
Reviewed changes
Copilot reviewed 14 out of 21 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
core/capabilities/remote/executable/request/client_request.go |
Adds OCR-attestation verification path, metering extraction helper, and new error-handling behavior. |
core/capabilities/remote/executable/request/client_request_test.go |
Extends request tests to cover OCR-attested responses and new constructor signature. |
core/capabilities/remote/executable/request/client_request_internal_test.go |
Adds focused unit tests for attestation verification logic. |
core/capabilities/remote/executable/client.go |
Extends dynamic config + SetConfig to carry OCR3 configs into requests. |
core/capabilities/launcher.go |
Passes OCR3 configs into v2 remote executable client config. |
core/capabilities/remote/executable/client_test.go |
Updates tests for SetConfig signature change. |
core/capabilities/remote/executable/endtoend_test.go |
Updates workflow-node config call signature. |
go.mod |
Bumps github.com/smartcontractkit/chainlink-common and .../keystore versions. |
go.sum |
Checksum updates for bumped dependencies. |
core/scripts/go.mod |
Bumps chainlink-common / keystore versions in scripts module. |
core/scripts/go.sum |
Checksum updates for scripts module. |
deployment/go.mod |
Bumps chainlink-common / keystore versions in deployment module. |
deployment/go.sum |
Checksum updates for deployment module. |
integration-tests/go.mod |
Bumps chainlink-common / keystore versions for integration tests. |
integration-tests/go.sum |
Checksum updates for integration tests. |
integration-tests/load/go.mod |
Bumps chainlink-common / keystore versions for load tests. |
integration-tests/load/go.sum |
Checksum updates for load tests. |
system-tests/lib/go.mod |
Bumps chainlink-common / keystore versions for system-test lib. |
system-tests/lib/go.sum |
Checksum updates for system-test lib. |
system-tests/tests/go.mod |
Bumps chainlink-common / keystore versions for system tests. |
system-tests/tests/go.sum |
Checksum updates for system tests. |
Scrupulous human review focus:
ClientRequest.verifyAttestation(signature bounds checks, config-digest checks, and overall correctness of the “1 response with F+1 sigs” acceptance criteria).ClientRequest.OnMessageerror-handling path forErrResponsePayloadNotAvailableand the interaction with response quorum/timeout behavior.- Operational/logging impact of adding
ocr3ConfigstoSetConfiglogs.
Suggested reviewers (per CODEOWNERS):
- For
/core/capabilities/**:@smartcontractkit/keystone,@smartcontractkit/capabilities-team - For root
go.mod/go.sum:@smartcontractkit/core,@smartcontractkit/foundations - For
/integration-tests/**:@smartcontractkit/devex-tooling,@smartcontractkit/core - For
/deployment/**:@smartcontractkit/ccip-tooling,@smartcontractkit/operations-platform,@smartcontractkit/keystone,@smartcontractkit/core
Comments suppressed due to low confidence (1)
core/capabilities/remote/executable/request/client_request.go:350
OnMessageunmarshals the capability response (pb.UnmarshalCapabilityResponse) to check for OCR attestation, and then for the non-attestation path callsgetMessageHashAndMetadata, which unmarshals the same payload again. Consider refactoring to unmarshal once and reuse the parsed response/metadata when computing the response hash to avoid redundant work on the hot path.
resp, err := pb.UnmarshalCapabilityResponse(msg.Payload)
if err != nil {
return fmt.Errorf("failed to unmarshal capability response: %w", err)
}
if resp.Metadata.OCRAttestation != nil {
rpt, err := extractMeteringFromMetadata(sender, resp.Metadata)
if err != nil {
return fmt.Errorf("failed to extract metering detail from metadata: %w", err)
}
// Since signatures are provided switch to OCR based validation. It's enough to get 1 response with F+1 signatures
// to be confident that the response is honest.
err = c.verifyAttestation(resp, rpt)
if err != nil {
c.lggr.Errorw("failed to verify capability response OCR attestation", "peer", sender, "err", err, "requestID", c.id, "msgPayload", hex.EncodeToString(msg.Payload))
return fmt.Errorf("failed to verify capability response OCR attestation: %w", err)
}
var payload []byte
payload, err = c.encodePayloadWithMetadata(msg, commoncap.ResponseMetadata{Metering: []commoncap.MeteringNodeDetail{rpt}})
if err != nil {
return fmt.Errorf("failed to encode payload with metadata: %w", err)
}
c.sendResponse(clientResponse{Result: payload})
return nil
}
// metering reports per node are aggregated into a single array of values. for any single node message, the
// metering values are extracted from the CapabilityResponse, added to an array, and the CapabilityResponse
// is marshalled without the metering value to get the hash. each node could have a different metering value
// which would result in different hashes. removing the metering detail allows for direct comparison of results.
responseID, metadata, err := c.getMessageHashAndMetadata(msg)
if err != nil {
return fmt.Errorf("failed to get message hash: %w", err)
}
b62fc5a to
9f8971a
Compare
bolekk
previously approved these changes
Apr 22, 2026
patrickhuie19
previously approved these changes
Apr 22, 2026
…attestatin # Conflicts: # deployment/go.mod # integration-tests/go.mod # integration-tests/load/go.mod # system-tests/lib/go.mod
bolekk
previously approved these changes
Apr 23, 2026
ilija42
approved these changes
Apr 23, 2026
github-merge-queue
Bot
removed this pull request from the merge queue due to a conflict with the base branch
…attestatin # Conflicts: # core/scripts/go.sum # deployment/go.sum # go.mod # go.sum # integration-tests/go.sum # integration-tests/load/go.mod # integration-tests/load/go.sum # system-tests/lib/go.sum # system-tests/tests/go.sum
ilija42
previously approved these changes
Apr 23, 2026
|
bolekk
approved these changes
Apr 23, 2026
fernandezlautaro
approved these changes
Apr 23, 2026
ilija42
approved these changes
Apr 23, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Allow Capabilities Nodes to provide OCR attestation of the response.
Motivation
To reduce the bandwidth used by chain capabilities OCR, for some request types, nodes will exchange hashes of observed RPC responses instead of actual responses. While this greatly reduces the required bandwidth, there is now a high probability that only F+1 chain cap nodes will have the RPC response. Thus, to ensure reliability, we should allow capability nodes to provide OCR attestation so that receiving a response from a single node is sufficient.
All chain capability nodes will still attempt to send the response. If the node has only a report and no RPC payload, it will return a special error indicating that the node must wait for a response from another node.
Changes to Don2Don to ensure that only one capability node returns the report with the payload are out of scope for this PR. And the benefits of that approach are debatable.
Ticket: https://smartcontract-it.atlassian.net/browse/PLEX-2611
Depends on: