smartcontractkit · cll-gg · May 26, 2025 · May 26, 2025 · May 26, 2025 · May 26, 2025
@@ -24,15 +24,16 @@ var (
 
 // LOOPP commands and vars
 var (
-	MedianPlugin   = NewPlugin("median")
-	MercuryPlugin  = NewPlugin("mercury")
-	AptosPlugin    = NewPlugin("aptos")
-	EVMPlugin      = NewPlugin("evm")
-	CosmosPlugin   = NewPlugin("cosmos")
-	SolanaPlugin   = NewPlugin("solana")
-	StarknetPlugin = NewPlugin("starknet")
-	TronPlugin     = NewPlugin("tron")
-	TONPlugin      = NewPlugin("ton")
+	MedianPlugin     = NewPlugin("median")
+	MercuryPlugin    = NewPlugin("mercury")
+	AptosPlugin      = NewPlugin("aptos")
+	EVMPlugin        = NewPlugin("evm")
+	CosmosPlugin     = NewPlugin("cosmos")
+	SecureMintPlugin = NewPlugin("securemint")
+	SolanaPlugin     = NewPlugin("solana")
+	StarknetPlugin   = NewPlugin("starknet")
+	TronPlugin       = NewPlugin("tron")
+	TONPlugin        = NewPlugin("ton")
 	// PrometheusDiscoveryHostName is the externally accessible hostname
 	// published by the node in the `/discovery` endpoint. Generally, it is expected to match
 	// the public hostname of node.

@@ -167,7 +167,7 @@ func (o *orm) AssertBridgesExist(ctx context.Context, p pipeline.Pipeline) error
 	return nil
 }
 
-// CreateJob creates the job, and it's associated spec record.
+// CreateJob creates the job, and its associated spec record.
 // Expects an unmarshalled job spec as the jb argument i.e. output from ValidatedXX.
 // Scans all persisted records back into jb
 func (o *orm) CreateJob(ctx context.Context, jb *Job) error {
@@ -643,7 +643,7 @@ func (o *orm) insertGatewaySpec(ctx context.Context, spec *GatewaySpec) (specID
 // ValidateKeyStoreMatch confirms that the key has a valid match in the keystore
 func ValidateKeyStoreMatch(ctx context.Context, spec *OCR2OracleSpec, keyStore keystore.Master, key string) (err error) {
 	switch spec.PluginType {
-	case types.Mercury, types.LLO:
+	case types.Mercury, types.LLO, types.SecureMint:
 		_, err = keyStore.CSA().Get(key)
 		if err != nil {
 			err = errors.Errorf("no CSA key matching: %q", key)

@@ -42,6 +42,7 @@ import (
 	datastreamsllo "github.com/smartcontractkit/chainlink-data-streams/llo"
 	"github.com/smartcontractkit/chainlink-evm/pkg/chains/legacyevm"
 	"github.com/smartcontractkit/chainlink-evm/pkg/keys"
+	"github.com/smartcontractkit/por_mock_ocr3plugin/por"
 
 	"github.com/smartcontractkit/chainlink/v2/core/bridges"
 	gatewayconnector "github.com/smartcontractkit/chainlink/v2/core/capabilities/gateway_connector"
@@ -67,6 +68,8 @@ import (
 	ocr2keeper21core "github.com/smartcontractkit/chainlink/v2/core/services/ocr2/plugins/ocr2keeper/evmregistry/v21/core"
 	"github.com/smartcontractkit/chainlink/v2/core/services/ocr2/plugins/vault"
 	"github.com/smartcontractkit/chainlink/v2/core/services/ocr2/validate"
+	"github.com/smartcontractkit/chainlink/v2/core/services/ocr3/securemint"
+	sm_adapter "github.com/smartcontractkit/chainlink/v2/core/services/ocr3/securemint/keyringadapter"
 	"github.com/smartcontractkit/chainlink/v2/core/services/ocrcommon"
 	"github.com/smartcontractkit/chainlink/v2/core/services/pipeline"
 	"github.com/smartcontractkit/chainlink/v2/core/services/relay"
@@ -550,6 +553,8 @@ func (d *Delegate) ServicesForSpec(ctx context.Context, jb job.Job) ([]job.Servi
 
 	case types.VaultPlugin:
 		return d.newServicesVaultPlugin(ctx, lggr, jb, d.gatewayConnectorServiceWrapper)
+	case types.SecureMint:
+		return d.newServicesSecureMint(ctx, lggr, jb, bootstrapPeers, kb, ocrDB, lc)
 
 	default:
 		return nil, errors.Errorf("plugin type %s not supported", spec.PluginType)
@@ -1202,6 +1207,54 @@ func (d *Delegate) newServicesMedian(
 	return medianServices, err2
 }
 
+func (d *Delegate) newServicesSecureMint(
+	ctx context.Context,
+	lggr logger.SugaredLogger,
+	jb job.Job,
+	bootstrapPeers []commontypes.BootstrapperLocator,
+	kb ocr2key.KeyBundle,
+	ocrDB *db,
+	lc ocrtypes.LocalConfig,
+) ([]job.ServiceCtx, error) {
+	spec := jb.OCR2OracleSpec
+	rid, err := spec.RelayID()
+	if err != nil {
+		return nil, ErrJobSpecNoRelayer{Err: err, PluginName: "securemint"}
+	}
+
+	ocrLogger := ocrcommon.NewOCRWrapper(lggr, d.cfg.OCR2().TraceLogging(), func(ctx context.Context, msg string) {
+		lggr.ErrorIf(d.jobORM.RecordError(ctx, jb.ID, msg), "unable to record error")
+	})
+
+	oracleArgsNoPlugin := libocr2.OCR3OracleArgs[por.ChainSelector]{
+		BinaryNetworkEndpointFactory: d.peerWrapper.Peer2,
+		V2Bootstrappers:              bootstrapPeers,
+		Database:                     ocrDB,
+		LocalConfig:                  lc,
+		Logger:                       ocrLogger,
+		MonitoringEndpoint:           d.monitoringEndpointGen.GenMonitoringEndpoint(rid.Network, rid.ChainID, spec.ContractID, synchronization.OCR2Median),
+		OffchainKeyring:              kb,
+		OnchainKeyring:               sm_adapter.NewSecureMintOCR3OnchainKeyringAdapter(kb),
+		MetricsRegisterer:            prometheus.WrapRegistererWith(map[string]string{"job_name": jb.Name.ValueOrZero()}, prometheus.DefaultRegisterer),
+	}
+
+	smConfig := securemint.NewJobConfig(
+		d.cfg.JobPipeline().MaxSuccessfulRuns(),
+		d.cfg.JobPipeline().ResultWriteQueueDepth(),
+		d.cfg,
+	)
+
+	relayer, err := d.RelayGetter.Get(rid)
+	if err != nil {
+		return nil, ErrRelayNotEnabled{Err: err, PluginName: "securemint", Relay: spec.Relay}
+	}
+
+	secureMintServices, err := securemint.NewSecureMintServices(ctx, jb, d.isNewlyCreatedJob, relayer, d.pipelineRunner, lggr, oracleArgsNoPlugin, smConfig)
+	secureMintServices = append(secureMintServices, ocrLogger)
+
+	return secureMintServices, err
+}
+
 func (d *Delegate) newServicesOCR2Keepers(
 	ctx context.Context,
 	lggr logger.SugaredLogger,

@@ -12,23 +12,22 @@ import (
 	"github.com/pelletier/go-toml"
 	pkgerrors "github.com/pkg/errors"
 
-	libocr2 "github.com/smartcontractkit/libocr/offchainreporting2plus"
-
 	"github.com/smartcontractkit/chainlink-common/pkg/logger"
 	"github.com/smartcontractkit/chainlink-common/pkg/loop/reportingplugins"
 	"github.com/smartcontractkit/chainlink-common/pkg/types"
-
 	"github.com/smartcontractkit/chainlink/v2/core/config/env"
 	"github.com/smartcontractkit/chainlink/v2/core/services/job"
 	"github.com/smartcontractkit/chainlink/v2/core/services/ocr2/plugins/ccip/config"
 	lloconfig "github.com/smartcontractkit/chainlink/v2/core/services/ocr2/plugins/llo/config"
 	mercuryconfig "github.com/smartcontractkit/chainlink/v2/core/services/ocr2/plugins/mercury/config"
 	"github.com/smartcontractkit/chainlink/v2/core/services/ocr2/plugins/vault"
+	sm_config "github.com/smartcontractkit/chainlink/v2/core/services/ocr3/securemint/config"
 	"github.com/smartcontractkit/chainlink/v2/core/services/ocrcommon"
 	"github.com/smartcontractkit/chainlink/v2/core/services/pipeline"
 	"github.com/smartcontractkit/chainlink/v2/core/services/relay"
 	evmtypes "github.com/smartcontractkit/chainlink/v2/core/services/relay/evm/types"
 	"github.com/smartcontractkit/chainlink/v2/plugins"
+	libocr2 "github.com/smartcontractkit/libocr/offchainreporting2plus"
 )
 
 // ValidatedOracleSpecToml validates an oracle spec that came from TOML
@@ -129,6 +128,9 @@ func validateSpec(ctx context.Context, tree *toml.Tree, spec job.Job, rc plugins
 		return validateGenericPluginSpec(ctx, spec.OCR2OracleSpec, rc)
 	case types.VaultPlugin:
 		return validateVaultPluginSpec(spec.OCR2OracleSpec.PluginConfig)
+	case types.SecureMint:
+		return validateSecureMintSpec(spec.OCR2OracleSpec.PluginConfig)
+
 	case "":
 		return errors.New("no plugin specified")
 	default:
@@ -390,3 +392,20 @@ func validateOCR2LLOSpec(jsonConfig job.JSONConfig) error {
 	}
 	return pkgerrors.Wrap(pluginConfig.Validate(), "LLO PluginConfig is invalid")
 }
+
+func validateSecureMintSpec(jsonConfig job.JSONConfig) error {
+	if jsonConfig == nil {
+		return errors.New("secure mint plugin config is empty")
+	}
+
+	smConfig, err := sm_config.Parse(jsonConfig.Bytes())
+	if err != nil {
+		return pkgerrors.Wrap(err, "error while parsing secure mint plugin config")
+	}
+
+	if err := smConfig.Validate(); err != nil {
+		return fmt.Errorf("invalid secure mint plugin config: %#v, err: %w", smConfig, err)
+	}
+
+	return nil
+}
@@ -0,0 +1,75 @@
+# SecureMint Plugin
+
+## Overview
+
+The SecureMint plugin is a plugin that allows for secure minting of tokens.
+
+## Validation
+
+Validating whether the SecureMint plugin is working as expected is done by running the integration test.
+
+The test is located in the `core/services/ocr3/securemint` directory.
+
+### Prerequisites:
+```bash
+docker run --name cl-postgres -e POSTGRES_USER=postgres -e POSTGRES_PASSWORD=postgres -e POSTGRES_DB=dbname -p 5432:5432 -d postgres
+make setup-testdb
+```
+
+### Run test:
+```bash
+ time CL_DATABASE_URL=postgresql://chainlink_dev:insecurepassword@localhost:5432/chainlink_development_test?sslmode=disable go test -timeout 2m -run ^TestIntegration_SecureMint_happy_path$ github.com/smartcontractkit/chainlink/v2/core/services/ocr3/securemint -v 2>&1 | tee all.log | awk '/DEBUG|INFO|WARN|ERROR/ { print > "node_logs.log"; next }; { print > "other.log" }; tail all.log'
+```
+
+### If you change any dependencies:
+```bash
+go mod tidy && go mod vendor
+modvendor -copy="**/*.a **/*.h" -v
+```
+
+(the `modvendor` step might not be necessary, but for me it was (see also https://github.com/marcboeker/go-duckdb/issues/174#issuecomment-1979097864))
+
+### Logs
+
+* other.log: Contains all non-node output from the test run, this can be used to quickly see test failures
+* node_logs.log: Contains all logs from the nodes started up in the test run, this can be used to see the full output of the test run
+* all.log: Contains the complete output of the test run, this can be used to see test failures within the context of the node logs
+
+
+### Debug test with VSCode:
+
+Create a launch.json file in the .vscode directory with the following content:
+
+```json
+{
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "Debug Secure Mint Integration Test",
+            "type": "go",
+            "request": "launch",
+            "mode": "test",
+            "program": "${workspaceFolder}/core/services/ocr3/securemint/integrationtest",
+            "args": [
+                "-test.run",
+                "^TestIntegration_SecureMint_happy_path$",
+                "-test.v",
+                "-test.timeout",
+                "2m",
+                "2>&1",
+                "|",
+                "tee",
+                "all.log",
+                "|",
+                "awk '/DEBUG|INFO|WARN|ERROR/ { print > 'node_logs.log'; next }; { print > 'other.log' }'",
+            ],
+            "env": {
+                "ENV": "test",
+                "CL_DATABASE_URL": "postgresql://chainlink_dev:insecurepassword@localhost:5432/chainlink_development_test?sslmode=disable",
+            }
+        }
+    ]
+}
+```
+
+Then run the test by Cmd+P: "Start Debugging".
@@ -0,0 +1,44 @@
+package config
+
+import (
+	"encoding/json"
+
+	"github.com/pkg/errors"
+)
+
+// SecureMintConfig holds secure mint specific configuration
+type SecureMintConfig struct {
+	Token    string `json:"token"`
+	Reserves string `json:"reserves"`
+}
+
+// Parse parses the secure mint configuration from JSON bytes
+func Parse(configBytes []byte) (*SecureMintConfig, error) {
+	if len(configBytes) == 0 {
+		return nil, errors.New("secure mint config cannot be empty")
+	}
+
+	var config SecureMintConfig
+	if err := json.Unmarshal(configBytes, &config); err != nil {
+		return nil, errors.Wrap(err, "failed to unmarshal SecureMintConfig")
+	}
+
+	return &config, nil
+}
+
+// Validate validates the secure mint plugin-specific config.
+func (cfg *SecureMintConfig) Validate() error {
+	if cfg == nil {
+		return errors.New("secure mint plugin config cannot be nil")
+	}
+
+	if cfg.Token == "" {
+		return errors.New("token cannot be empty")
+	}
+
+	if cfg.Reserves == "" {
+		return errors.New("reserves cannot be empty")
+	}
+
+	return nil
+}