refactor(services): unified approveService + TEE commitment-root storage

[drewstone]

Summary

One coherent architectural move that solves three problems left from PR #117:

1. API explosion. approveService, approveServiceWithCommitments, approveServiceWithBls, approveServiceWithCommitmentsAndBls, approveServiceWithTeeCommitments collapse into a single approveService(ApprovalParams). Selectors on TangleServicesFacet go from 10 → 6.
2. Activation gas DoS. TEE commitment storage moves from TeeAttestationCommitment[] (3 slots × N commits per operator, up to 480K gas/operator at cap) to a single keccak256 root + full data emitted as TeeCommitmentsRecorded. Activation cost drops from O(operators × commits × 3 slots) to O(operators).
3. Anti-replay confidence. The TEE commitment array is now committed to as a hash; slashers / provisioning oracles supply the array as a witness and verify keccak256(abi.encode(witness)) == getTeeCommitmentRoot(serviceId, operator) before treating it as authoritative. Same pattern already used by _serviceResourceCommitmentHash for RFQ resource commits.

BLS stays opt-in (zero pubkey = operator skips BLS, no penalty). RFQ paths (createServiceFromQuotes, extendServiceFromQuotes) are unchanged.

Why each change is correct

Unified approveService(ApprovalParams)

The problem. Five entrypoints, each duplicating the auth gates inline, each adding selector overhead. Adding any new optional field (e.g., a future per-job pricing override) doubles the matrix again. Reviewing the matrix is hard because each variant slightly reorders auth/validate/write.

The fix. One entrypoint, ApprovalParams struct with optional fields. Empty/zero = opt-out:

Field	Empty/zero meaning
securityCommitments == []	No per-asset commitment supplied. Acceptable when request has no security requirements OR has only the protocol-default TNT requirement (auto-filled at min).
blsPubkey == [0,0,0,0]	Operator does not register a BLS pubkey for this service. Cannot participate in aggregated job-result signing. No exclusion, no penalty.
teeCommitments == []	Operator does not bind to a TEE attestation profile for this approval.

Order of operations (fail-fast, validate-before-write):

1. _requireApprovingOperator              auth gate, no SSTORE
2. validate security commitments OR       
   auto-fill default TNT                  pure validation
3. validate TEE commitments + compute     pure validation + memory keccak
   keccak root
4. BLS proof-of-possession verify         pure validation
5. SSTORE                                 commits / TEE root / BLS pubkey
6. Mark approved, emit, manager hook,     
   activate-if-threshold                  

Unauthorized callers never reach an SSTORE — they revert at step 1 with Unauthorized. Misshapen TEE / BLS / commitment payloads revert at steps 2–4 before writing.

TEE commitment-root storage

The problem. Audit on PR #117 flagged this as a HIGH operator-economics concern: with MAX_TEE_COMMITMENTS_PER_OPERATOR = 8 and N operators, the activator pays N × 8 × 3 cold SSTOREs (~480K gas/operator). At 10 operators × 8 commits, activation cost approaches 5M gas. At 20+, the activation tx exceeds the block gas limit and the service stalls in pending state forever.

The fix. Store one bytes32 per (requestId, operator) and per (serviceId, operator) instead of a dynamic array. The root is keccak256(abi.encode(commitments)). The full commitment array is emitted in TeeCommitmentsRecorded for indexers; slashers reconstruct from event logs and verify keccak match.

mapping(uint64 => mapping(address => bytes32)) internal _requestTeeCommitmentRoot;
mapping(uint64 => mapping(address => bytes32)) internal _serviceTeeCommitmentRoot;

event TeeCommitmentsRecorded(
    uint64 indexed requestId,
    address indexed operator,
    bytes32 indexed root,
    Types.TeeAttestationCommitment[] commitments
);

Activation gas at 3 operators × 8 commits drops from 2,886,434 gas pre-refactor → expected well under 1M (test asserts <1.5M as a generous ceiling).

This is the same shape _serviceResourceCommitmentHash already uses for RFQ resource commits. It's the standard pattern in modern restaking systems (EigenLayer, Symbiotic) for slashing-safe storage of attestable data.

BLS confirmed opt-in

JobsAggregation.sol reverts with OperatorBlsPubkeyNotRegistered only when an operator who didn't register a BLS pubkey is asked to participate in a BLS aggregate. The protocol accepts any operator at approval time. The PR doesn't change this — it just makes it explicit in the unified entrypoint that blsPubkey == [0,0,0,0] is the documented opt-out.

RFQ unchanged

createServiceFromQuotes / extendServiceFromQuotes keep the signed-quote acceptance flow exactly as it was. The EIP-712 QuoteDetails typehash carries securityCommitments and resourceCommitments but NOT teeCommitments — TEE commitments require a request-derived nonce that doesn't exist until the request is created, so they can't be pre-signed in a quote. If RFQ + TEE is wanted later, extend QuoteDetails at that point.

What this solves

Problem	Pre-refactor	Post-refactor
API surface explosion	5 approval entrypoints, each duplicating auth gates	1 entrypoint, single auth gate, opt-in fields
Selector count on facet	10	6
Activation gas with 3 ops × 8 TEE commits	2.89M	< 1M (test asserts < 1.5M)
Activation gas at 20 operators	~19M, near block-gas limit, services stall	~400K, scales linearly forever
TEE commitment storage	TeeAttestationCommitment[] per (service, op) (variable, expensive)	bytes32 per (service, op) (fixed)
Slashing-safe storage	array reads work but bloat block gas	root + witness verification (standard restaking pattern)
Inconsistency vs resource commits	TEE used array storage; resource commits already used hash	Both use hash storage

Test plan

• forge fmt clean across all changed files
• Old TeeCommitmentApprovalTest.t.sol (16 tests) and TeeCommitmentHardenTest.t.sol (7 tests) deleted
• New test/tangle/ServicesApprovalTest.t.sol (14 tests, every one named after a specific failure mode) covers happy paths + adversarial validation + auth ordering + slasher witness verification + activation-gas regression assertion
• ~50 call sites in test/ and script/ migrated through _approve / _approveWithCommitments / _approveWithBls helpers in BlueprintDefinitionHelper
• Local forge build did not complete on this machine — repeated solc OOM during the 341-file via_ir compile. Same infrastructure issue that's been failing CI on main since PR fix(security): pre-mainnet hardening across deploy, MBSM, beacon, oracles, quotes, BLS #115. Pushed for CI to run the canonical build on dedicated runners.
• CI to run forge build + forge test --match-contract ServicesApprovalTest and the full existing suite for regressions

Audit asks

This PR is intentionally scoped: contract surface refactor + storage shape change. Not bundled with the slashing branch, not bundled with operator-count caps. Looking for the auditor agent to confirm:

1. The keccak root + witness verification is structurally sound for slashing reads.
2. No path remains where the old TeeAttestationCommitment[] storage is read (would silently return zero arrays after refactor).
3. The opt-in semantics on ApprovalParams (empty field = no-op) don't introduce a bypass — e.g., supplying empty securityCommitments when requirements exist must still revert (handled by _isOnlyDefaultTntRequirement check).
4. Activation-time _persistTeeCommitments correctly skips operators with zero root (no-op rather than overwriting an existing service root).
5. No reentrancy or partial-state-on-revert path through the new entrypoint that the old multi-entrypoint structure happened to mask.

Does NOT touch

• fix/slashing-correctness branch (will rebase cleanly after this lands)
• Slashing.sol / SlashingLib.sol
• RFQ flows (QuotesCreate, QuotesExtend, TangleQuotesFacet)
• JobsAggregation.sol (BLS aggregation path)
• Heartbeat, payments, blueprint registry, MBSM, beacon, oracles