Adds support for executing workflow WASM binaries inside TEE enclaves instead of locally on the node. The workflow engine detects confidential workflows via on-chain attributes and delegates execution to an enclave via a new LOOP capability.
Corresponding confidential-compute PR: https://github.com/smartcontractkit/confidential-compute/pull/279
Corresponding chainlink-common PR: smartcontractkit/chainlink-common#1899
Corresponding chainlink-common follow-up PR: smartcontractkit/chainlink-common#1948
Split from #21603 into reviewable pieces.
PR chain
PRs 1, 2, 4 are independent and can merge in any order. PR 5 depends on 1, 2, 4.
Components
- Gateway handler: Fans out enclave requests to relay DON nodes, F+1 quorum aggregation
- Relay DON handler: Validates Nitro attestation, proxies to VaultDON and capabilities
- ConfidentialModule: Strategy pattern replacing local WASM execution with enclave dispatch
- Syncer routing: Detects confidential workflows via attributes, routes to ConfidentialModule
- Config/DB: New TOML config for relay, DB column for workflow attributes
PR chain, [3/5] Launcher fix: [CRE] [3/5] Allow capability DONs to discover remote capabilities #21640. Closed. Relay DON configured as workflow DON instead (CC E2E config change).