Merge branch 'main' into DEVSVCS-5269/enforce-rate-limit

Author: tarcisiozf

cmd/secrets/common/handler.go

@@ -100,14 +100,13 @@ type Handler struct {
 func NewHandler(execCtx context.Context, ctx *runtime.Context, secretsFilePath, secretsAuth string) (*Handler, error) {
 	var pk *ecdsa.PrivateKey
 	var err error
-	if ctx.Settings.User.EthPrivateKey.IsSet() {
-		pk, err = crypto.HexToECDSA(ctx.Settings.User.EthPrivateKey.Hex())
+	if ethKey := ctx.Settings.User.PrivateKey(settings.EVM); ethKey != "" {
+		pk, err = crypto.HexToECDSA(ethKey)
 		if err != nil {
 			return nil, fmt.Errorf("failed to decode the provided private key: %w", err)
 		}
 	} else {
-		ctx.Logger.Debug().Msg("No EthPrivateKey found in settings; assuming a multisig request.")
-
+		ctx.Logger.Debug().Msg("No EVM private key found in settings; assuming a multisig request.")
 	}
 
 	h := &Handler{

cmd/secrets/common/handler_test.go

@@ -404,7 +404,7 @@ func TestNewHandler_WorkflowRegistryClient(t *testing.T) {
 			Logger:        &logger,
 			ClientFactory: cf,
 			Settings: &settings.Settings{
-				User:     settings.UserSettings{EthPrivateKey: ""},
+				User:     settings.UserSettings{PrivateKeys: map[string]string{settings.EVM.Name: ""}},
 				Workflow: settings.WorkflowSettings{},
 			},
 			EnvironmentSet: &environments.EnvironmentSet{GatewayURL: "http://localhost"},
@@ -446,7 +446,7 @@ func TestNewHandler_GatewayURL(t *testing.T) {
 		Logger:        &logger,
 		ClientFactory: cf,
 		Settings: &settings.Settings{
-			User:     settings.UserSettings{EthPrivateKey: ""},
+			User:     settings.UserSettings{PrivateKeys: map[string]string{settings.EVM.Name: ""}},
 			Workflow: settings.WorkflowSettings{},
 		},
 		EnvironmentSet: &environments.EnvironmentSet{GatewayURL: "https://embedded.example.com/"},

cmd/workflow/activate/activate_test.go

@@ -21,7 +21,7 @@ func TestNonInteractive_WithoutYes_ReturnsError(t *testing.T) {
 	ctx := simulatedEnvironment.NewRuntimeContext()
 	ctx.Settings = &settings.Settings{
 		User: settings.UserSettings{
-			EthPrivateKey: chainsim.TestPrivateKey,
+			PrivateKeys: map[string]string{settings.EVM.Name: chainsim.TestPrivateKey},
 		},
 	}
 	ctx.Settings.Workflow.UserWorkflowSettings.WorkflowOwnerType = constants.WorkflowOwnerTypeEOA
@@ -48,7 +48,7 @@ func TestNonInteractive_WithYes_PassesGuard(t *testing.T) {
 	ctx := simulatedEnvironment.NewRuntimeContext()
 	ctx.Settings = &settings.Settings{
 		User: settings.UserSettings{
-			EthPrivateKey: chainsim.TestPrivateKey,
+			PrivateKeys: map[string]string{settings.EVM.Name: chainsim.TestPrivateKey},
 		},
 	}
 	ctx.Settings.Workflow.UserWorkflowSettings.WorkflowOwnerType = constants.WorkflowOwnerTypeEOA
@@ -163,7 +163,7 @@ func TestWorkflowActivateCommand(t *testing.T) {
 				ctx := simulatedEnvironment.NewRuntimeContext()
 				ctx.Settings = &settings.Settings{
 					User: settings.UserSettings{
-						EthPrivateKey: chainsim.TestPrivateKey,
+						PrivateKeys: map[string]string{settings.EVM.Name: chainsim.TestPrivateKey},
 					},
 				}
 				ctx.Settings.Workflow.UserWorkflowSettings.WorkflowOwnerType = constants.WorkflowOwnerTypeEOA

cmd/workflow/delete/delete_test.go

@@ -21,7 +21,7 @@ func TestNonInteractive_WithoutYes_ReturnsError(t *testing.T) {
 	ctx := simulatedEnvironment.NewRuntimeContext()
 	ctx.Settings = &settings.Settings{
 		User: settings.UserSettings{
-			EthPrivateKey: chainsim.TestPrivateKey,
+			PrivateKeys: map[string]string{settings.EVM.Name: chainsim.TestPrivateKey},
 		},
 	}
 	ctx.Settings.Workflow.UserWorkflowSettings.WorkflowOwnerType = constants.WorkflowOwnerTypeEOA
@@ -47,7 +47,7 @@ func TestNonInteractive_WithYes_Proceeds(t *testing.T) {
 	ctx := simulatedEnvironment.NewRuntimeContext()
 	ctx.Settings = &settings.Settings{
 		User: settings.UserSettings{
-			EthPrivateKey: chainsim.TestPrivateKey,
+			PrivateKeys: map[string]string{settings.EVM.Name: chainsim.TestPrivateKey},
 		},
 	}
 	ctx.Settings.Workflow.UserWorkflowSettings.WorkflowOwnerType = constants.WorkflowOwnerTypeEOA
@@ -134,7 +134,7 @@ func TestWorkflowDeleteCommand(t *testing.T) {
 				ctx := simulatedEnvironment.NewRuntimeContext()
 				ctx.Settings = &settings.Settings{
 					User: settings.UserSettings{
-						EthPrivateKey: chainsim.TestPrivateKey,
+						PrivateKeys: map[string]string{settings.EVM.Name: chainsim.TestPrivateKey},
 					},
 				}
 				ctx.Settings.Workflow.UserWorkflowSettings.WorkflowOwnerType = constants.WorkflowOwnerTypeEOA

cmd/workflow/hash/hash.go

@@ -56,7 +56,7 @@ func New(runtimeContext *runtime.Context) *cobra.Command {
 				WorkflowName:      s.Workflow.UserWorkflowSettings.WorkflowName,
 				WorkflowPath:      s.Workflow.WorkflowArtifactSettings.WorkflowPath,
 				OwnerFromSettings: s.Workflow.UserWorkflowSettings.WorkflowOwnerAddress,
-				PrivateKey:        s.User.EthPrivateKey.Hex(),
+				PrivateKey:        s.User.PrivateKey(settings.EVM),
 				SkipTypeChecks:    v.GetBool(cmdcommon.SkipTypeChecksCLIFlag),
 				RegistryType:      registryType,
 				DerivedOwner:      runtimeContext.DerivedWorkflowOwner,

cmd/workflow/pause/pause_test.go

@@ -21,7 +21,7 @@ func TestNonInteractive_WithoutYes_ReturnsError(t *testing.T) {
 	ctx := simulatedEnvironment.NewRuntimeContext()
 	ctx.Settings = &settings.Settings{
 		User: settings.UserSettings{
-			EthPrivateKey: chainsim.TestPrivateKey,
+			PrivateKeys: map[string]string{settings.EVM.Name: chainsim.TestPrivateKey},
 		},
 	}
 	ctx.Settings.Workflow.UserWorkflowSettings.WorkflowOwnerType = constants.WorkflowOwnerTypeEOA
@@ -47,7 +47,7 @@ func TestNonInteractive_WithYes_PassesGuard(t *testing.T) {
 	ctx := simulatedEnvironment.NewRuntimeContext()
 	ctx.Settings = &settings.Settings{
 		User: settings.UserSettings{
-			EthPrivateKey: chainsim.TestPrivateKey,
+			PrivateKeys: map[string]string{settings.EVM.Name: chainsim.TestPrivateKey},
 		},
 	}
 	ctx.Settings.Workflow.UserWorkflowSettings.WorkflowOwnerType = constants.WorkflowOwnerTypeEOA
@@ -141,7 +141,7 @@ func TestWorkflowPauseCommand(t *testing.T) {
 				ctx := simulatedEnvironment.NewRuntimeContext()
 				ctx.Settings = &settings.Settings{
 					User: settings.UserSettings{
-						EthPrivateKey: chainsim.TestPrivateKey,
+						PrivateKeys: map[string]string{settings.EVM.Name: chainsim.TestPrivateKey},
 					},
 				}
 				ctx.Settings.Workflow.UserWorkflowSettings.WorkflowOwnerType = constants.WorkflowOwnerTypeEOA

cmd/workflow/simulate/chain/evm/capabilities.go

@@ -11,6 +11,8 @@ import (
 	"github.com/smartcontractkit/chainlink-common/pkg/logger"
 	"github.com/smartcontractkit/chainlink/v2/core/capabilities"
 	"github.com/smartcontractkit/chainlink/v2/core/capabilities/fakes"
+
+	"github.com/smartcontractkit/cre-cli/cmd/workflow/simulate/chain"
 )
 
 // EVMChainCapabilities holds the EVM chain capability servers created for simulation.
@@ -29,7 +31,7 @@ func NewEVMChainCapabilities(
 	forwarders map[uint64]string,
 	privateKey *ecdsa.PrivateKey,
 	dryRunChainWrite bool,
-	limits EVMChainLimits,
+	limits chain.Limits,
 ) (*EVMChainCapabilities, error) {
 	evmChains := make(map[uint64]*ManualEVMChain)
 	for sel, client := range clients {
@@ -48,11 +50,7 @@ func NewEVMChainCapabilities(
 			dryRunChainWrite,
 		)
 
-		// Wrap with limits enforcement if limits are provided
-		var evmCap evmserver.ClientCapability = evm
-		if limits != nil {
-			evmCap = NewLimitedEVMChain(evm, limits)
-		}
+		evmCap := NewLimitedEVMChain(evm, limits)
 
 		manualEVM := NewManualEVMChain(evmCap)
 		evmServer := evmserver.NewClientServer(manualEVM)

cmd/workflow/simulate/chain/evm/chaintype.go

@@ -94,6 +94,10 @@ func (ct *EVMChainType) ResolveClients(v *viper.Viper) (chain.ResolvedChains, er
 	}
 
 	for _, ec := range expChains {
+		// Empty chain-type falls back to this chain type
+		if ec.ChainType != "" && !strings.EqualFold(ec.ChainType, ct.Name()) {
+			continue
+		}
 		if ec.ChainSelector == 0 {
 			return chain.ResolvedChains{}, fmt.Errorf("experimental chain missing chain-selector")
 		}
@@ -161,13 +165,9 @@ func (ct *EVMChainType) RegisterCapabilities(ctx context.Context, cfg chain.Capa
 	// cfg.Limits is the generic chain.Limits contract. The EVM chain type
 	// needs the wider EVMChainLimits contract (adds ChainWriteGasLimit). A
 	// nil cfg.Limits disables enforcement entirely.
-	var evmLimits EVMChainLimits
+	var evmLimits chain.Limits
 	if cfg.Limits != nil {
-		el, ok := cfg.Limits.(EVMChainLimits)
-		if !ok {
-			return nil, fmt.Errorf("EVM chain type: limits value does not implement evm.EVMChainLimits (got %T)", cfg.Limits)
-		}
-		evmLimits = el
+		evmLimits = ExtractLimits(cfg.Limits)
 	}
 
 	evmCaps, err := NewEVMChainCapabilities(
@@ -254,12 +254,13 @@ func (ct *EVMChainType) RunHealthCheck(resolved chain.ResolvedChains) error {
 // is true, an invalid or default-sentinel key is a hard error. Otherwise a
 // sentinel key is used with a warning so non-broadcast simulations can run.
 func (ct *EVMChainType) ResolveKey(creSettings *settings.Settings, broadcast bool) (interface{}, error) {
-	pk, err := crypto.HexToECDSA(creSettings.User.EthPrivateKey.Hex())
+	pk, err := crypto.HexToECDSA(creSettings.User.PrivateKey(settings.EVM))
 	if err != nil {
 		// If the user explicitly set a key that looks like a hex string but is
 		// malformed (wrong length, invalid chars), always error with guidance.
 		// Skip placeholder values like DefaultEthPrivateKeyEnvPlaceholder from the default .env template.
-		if creSettings.User.EthPrivateKey.IsSet() && isHexString(creSettings.User.EthPrivateKey.Hex()) {
+		evmKey := creSettings.User.PrivateKey(settings.EVM)
+		if evmKey != "" && isHexString(evmKey) {
 			return nil, fmt.Errorf(
 				"invalid private key: expected 64 hex characters (256 bits), got %d characters.\n\n"+
 					"The CLI reads CRE_ETH_PRIVATE_KEY from your .env file or system environment.\n"+
@@ -268,7 +269,7 @@ func (ct *EVMChainType) ResolveKey(creSettings *settings.Settings, broadcast boo
 					"  • Pasted an Ethereum address (40 chars) instead of a private key (64 chars)\n"+
 					"  • Value has extra quotes — use CRE_ETH_PRIVATE_KEY=abc123... without wrapping quotes\n"+
 					"  • Key was truncated during copy-paste",
-				len(creSettings.User.EthPrivateKey.Hex()))
+				len(creSettings.User.PrivateKey(settings.EVM)))
 		}
 		if broadcast {
 			return nil, fmt.Errorf(

cmd/workflow/simulate/chain/evm/chaintype_test.go

@@ -163,7 +163,7 @@ func TestEVMChainType_ResolveKey(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			ct := newEVMChainType()
-			s := &settings.Settings{User: settings.UserSettings{EthPrivateKey: settings.EthPrivateKeyHex(tt.pk)}}
+			s := &settings.Settings{User: settings.UserSettings{PrivateKeys: map[string]string{settings.EVM.Name: tt.pk}}}
 
 			var got interface{}
 			var err error
@@ -369,3 +369,16 @@ func TestEVMChainType_CollectCLIInputs_DefaultsOnly(t *testing.T) {
 	result := ct.CollectCLIInputs(v)
 	assert.Empty(t, result)
 }
+
+func TestEVMChainType_RegisterCapabilities_WrongPrivateKeyType(t *testing.T) {
+	t.Parallel()
+	ct := newEVMChainType()
+	cfg := chain.CapabilityConfig{
+		Clients:    map[uint64]chain.ChainClient{},
+		Forwarders: map[uint64]string{},
+		PrivateKey: "not-an-ecdsa-key",
+	}
+	_, err := ct.RegisterCapabilities(context.Background(), cfg)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "private key is not *ecdsa.PrivateKey")
+}

cmd/workflow/simulate/chain/evm/limited_capabilities.go

@@ -13,42 +13,30 @@ import (
 	"github.com/smartcontractkit/cre-cli/cmd/workflow/simulate/chain"
 )
 
-// EVMChainLimits is the EVM-scoped limit contract LimitedEVMChain enforces.
-// It extends chain.Limits with EVM-specific accessors (e.g. gas limit) so
-// non-EVM chain types cannot accidentally depend on EVM semantics.
-type EVMChainLimits interface {
-	chain.Limits
-	ChainWriteGasLimit() uint64
-}
-
 // LimitedEVMChain wraps an evmserver.ClientCapability and enforces chain write
 // report size and gas limits.
 type LimitedEVMChain struct {
 	inner  evmserver.ClientCapability
-	limits EVMChainLimits
+	limits chain.Limits
 }
 
 var _ evmserver.ClientCapability = (*LimitedEVMChain)(nil)
 
-func NewLimitedEVMChain(inner evmserver.ClientCapability, limits EVMChainLimits) *LimitedEVMChain {
+func NewLimitedEVMChain(inner evmserver.ClientCapability, limits chain.Limits) *LimitedEVMChain {
 	return &LimitedEVMChain{inner: inner, limits: limits}
 }
 
 func (l *LimitedEVMChain) WriteReport(ctx context.Context, metadata commonCap.RequestMetadata, input *evmcappb.WriteReportRequest) (*commonCap.ResponseAndMetadata[*evmcappb.WriteReportReply], caperrors.Error) {
-	// Check report size
-	reportLimit := l.limits.ChainWriteReportSizeLimit()
-	if reportLimit > 0 && input.Report != nil && len(input.Report.RawReport) > reportLimit {
+	if l.limits.ReportSize > 0 && input.Report != nil && len(input.Report.RawReport) > l.limits.ReportSize {
 		return nil, caperrors.NewPublicUserError(
-			fmt.Errorf("simulation limit exceeded: chain write report size %d bytes exceeds limit of %d bytes", len(input.Report.RawReport), reportLimit),
+			fmt.Errorf("simulation limit exceeded: chain write report size %d bytes exceeds limit of %d bytes", len(input.Report.RawReport), l.limits.ReportSize),
 			caperrors.ResourceExhausted,
 		)
 	}
 
-	// Check gas limit
-	gasLimit := l.limits.ChainWriteGasLimit()
-	if gasLimit > 0 && input.GasConfig != nil && input.GasConfig.GasLimit > gasLimit {
+	if l.limits.GasLimit > 0 && input.GasConfig != nil && input.GasConfig.GasLimit > l.limits.GasLimit {
 		return nil, caperrors.NewPublicUserError(
-			fmt.Errorf("simulation limit exceeded: EVM gas limit %d exceeds maximum of %d", input.GasConfig.GasLimit, gasLimit),
+			fmt.Errorf("simulation limit exceeded: EVM gas limit %d exceeds maximum of %d", input.GasConfig.GasLimit, l.limits.GasLimit),
 			caperrors.ResourceExhausted,
 		)
 	}