[CRE] Confidential workflow execution #21635
Open
Description
Adds support for executing workflow WASM binaries inside TEE enclaves instead of locally on the node. The workflow engine detects confidential workflows via on-chain attributes and delegates execution to an enclave via a new LOOP capability.
Corresponding confidential-compute PR: https://github.com/smartcontractkit/confidential-compute/pull/279
Corresponding chainlink-common PR: smartcontractkit/chainlink-common#1899
Corresponding chainlink-common follow-up PR: smartcontractkit/chainlink-common#1948
Split from #21603 into reviewable pieces.
PR chain
PRs 1, 2, 4 are independent and can merge in any order. PR 5 depends on 1, 2, 4.
- [CRE] [1/5] Gateway handler for confidential relay #21638 [1/4] Gateway handler for confidential relay
- [CRE] [2/5] Relay DON node handler for confidential relay #21639 [2/4] Relay DON node handler
- [CRE] [3/5] Allow capability DONs to discover remote capabilities #21640 [3/5] Launcher fix. Closed. Relay DON configured as workflow DON instead (CC E2E config change).
- [CRE] [4/5] ConfidentialModule, config, DB migration, syncer routing #21641 [3/4] ConfidentialModule, config, DB migration, syncer routing
- [CRE] [5/5] Wire confidential workflow execution into CRE #21642 [4/4] Wire into CRE, system test support
Components
- Gateway handler: Fans out enclave requests to relay DON nodes, F+1 quorum aggregation
- Relay DON handler: Validates Nitro attestation, proxies to VaultDON and capabilities
- ConfidentialModule: Strategy pattern replacing local WASM execution with enclave dispatch
- Syncer routing: Detects confidential workflows via attributes, routes to ConfidentialModule
- Config/DB: New TOML config for relay, DB column for workflow attributes
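
The F+1 quorum aggregation named for the Gateway handler, as an added Go sketch that is not code from this PR or from the chainlink repository. `NodeResponse`, `AggregateFPlusOne` and `ErrNoQuorum` are hypothetical names, and matching replies by SHA-256 of the raw payload with one vote per node ID is an assumption.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
)

// NodeResponse is a hypothetical shape for one relay DON node's reply.
type NodeResponse struct {
	NodeID  string
	Payload []byte
}

// ErrNoQuorum means no payload was reported by F+1 distinct nodes.
var ErrNoQuorum = errors.New("no payload reached F+1 matching responses")

// AggregateFPlusOne returns the payload reported identically by at least
// f+1 distinct nodes. With at most f faulty nodes, f+1 matching replies
// guarantee that at least one of them came from an honest node.
func AggregateFPlusOne(responses []NodeResponse, f int) ([]byte, error) {
	if f < 0 {
		return nil, errors.New("f must be non-negative")
	}
	seen := make(map[string]bool)   // one vote per node ID
	votes := make(map[[32]byte]int) // payload digest -> distinct voters
	for _, r := range responses {
		if seen[r.NodeID] {
			continue // a node repeating itself must not inflate the count
		}
		seen[r.NodeID] = true
		digest := sha256.Sum256(r.Payload)
		votes[digest]++
		if votes[digest] >= f+1 {
			return r.Payload, nil
		}
	}
	return nil, ErrNoQuorum
}

func main() {
	// Constructed sample: F=1, node n2 disagrees and votes twice.
	responses := []NodeResponse{
		{NodeID: "n1", Payload: []byte("result-A")},
		{NodeID: "n2", Payload: []byte("result-B")},
		{NodeID: "n2", Payload: []byte("result-B")},
		{NodeID: "n3", Payload: []byte("result-A")},
	}
	payload, err := AggregateFPlusOne(responses, 1)
	fmt.Println(string(payload), err)
}
```
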