chore(ccip): normalize observer lists on template creation

Reject redundant observer parties when CommitteeVerifier,
PerPartyRouter, and RMNRemote instances are created or updated.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: JohnChangUK

contracts/ccip/committee-verifier/daml/CCIP/CommitteeVerifier.daml

@@ -6,7 +6,7 @@ module CCIP.CommitteeVerifier (
 import qualified DA.Action
 import DA.Crypto.Text (BytesHex, PublicKeyHex, byteCount, keccak256, secp256k1WithEcdsaOnly)
 import DA.Foldable (forA_)
-import DA.List (dedup, (\\))
+import DA.List (dedup, unique, (\\))
 import DA.Map qualified as Map
 import DA.Optional (fromOptional, fromSomeNote)
 
@@ -102,7 +102,9 @@ template CommitteeVerifier
         -- proof limit, no duplicate signer keys, and that map keys match the embedded
         -- sourceChainSelector in each config.
         ensure assertValidInstanceId instanceId
-          && versionTag /= "" && all (\(k, config) -> k == config.sourceChainSelector && isValidSignatureConfig config) (Map.toList signerConfigs)
+          && versionTag /= ""
+          && unique messageSentObservers
+          && all (\(k, config) -> k == config.sourceChainSelector && isValidSignatureConfig config) (Map.toList signerConfigs)
 
         interface instance CCIP.Interfaces.CrossChainVerifier.ICrossChainVerifier for CommitteeVerifier where
             view = CCIP.Interfaces.CrossChainVerifier.CrossChainVerifierView with
@@ -157,6 +159,8 @@ template CommitteeVerifier
                 dynamicConfig : DynamicConfig
             controller owner
             do
+                assertMsg "SetDynamicConfig: duplicate message sent observers"
+                    (unique dynamicConfig.messageSentObservers)
                 create this with 
                     allowListAdmin = dynamicConfig.allowListAdmin
                     messageSentObservers = dynamicConfig.messageSentObservers

contracts/ccip/core/daml/CCIP/RMNRemote.daml

@@ -65,6 +65,9 @@ template RMNRemote
         signatory rmnOwner
         observer ccipOwner, customObservers
         ensure assertValidInstanceId instanceId
+            && length customObservers == length (dedup customObservers)
+            && rmnOwner `notElem` customObservers
+            && ccipOwner `notElem` customObservers
 
         nonconsuming choice Get : RMNRemote
             with

contracts/ccip/runtime/daml/CCIP/PerPartyRouter.daml

@@ -292,7 +292,10 @@ template PerPartyRouter
     where
         signatory ccipOwner
         observer partyOwner :: customObservers
-        ensure assertValidInstanceId instanceId && unique customObservers
+        ensure assertValidInstanceId instanceId
+            && unique customObservers
+            && ccipOwner `notElem` customObservers
+            && partyOwner `notElem` customObservers
 
         nonconsuming choice GetFee : CCIP.OnRamp.GetFeeFromRouterResult
             with

contracts/ccip/test/daml/CCIP/RMNTest/RMNRemoteTest.daml

@@ -6,6 +6,37 @@ import DA.Assert ((===))
 
 import CCIP.RMNRemote
 
+-- RMN creation rejects redundant custom observers.
+testRMNRemote_RejectsRedundantCustomObservers : Script ()
+testRMNRemote_RejectsRedundantCustomObservers = script do
+  rmnOwner <- allocateParty "rmn_owner"
+  ccipOwner <- allocateParty "ccip_owner"
+  observer <- allocateParty "observer"
+
+  submitMustFail rmnOwner do
+    createCmd RMNRemote with
+      instanceId = "rmn-dup-observer-test"
+      rmnOwner
+      ccipOwner
+      customObservers = [observer, observer]
+      cursedSubjects = []
+
+  submitMustFail rmnOwner do
+    createCmd RMNRemote with
+      instanceId = "rmn-owner-observer-test"
+      rmnOwner
+      ccipOwner
+      customObservers = [rmnOwner]
+      cursedSubjects = []
+
+  submitMustFail rmnOwner do
+    createCmd RMNRemote with
+      instanceId = "rmn-ccip-observer-test"
+      rmnOwner
+      ccipOwner
+      customObservers = [ccipOwner]
+      cursedSubjects = []
+
 -- ===========================================================================
 -- UNCURSE MULTIPLE VALIDATION TESTS
 -- ===========================================================================

contracts/ccip/test/daml/CommitteeVerifier/Test.daml

@@ -27,6 +27,44 @@ finalityConfig n =
     then FinalityCodec.WaitForFinality
     else FinalityCodec.BlockDepth n
 
+-- Verifier message-sent observer lists stay unique on create/update.
+testCommitteeVerifier_RejectsDuplicateMessageSentObservers : Script ()
+testCommitteeVerifier_RejectsDuplicateMessageSentObservers = script do
+    owner <- allocateParty "ccv-observer-owner"
+    observer <- allocateParty "ccv-message-observer"
+
+    let signerConfig = CommitteeVerifier.SignatureConfig with
+            sourceChainSelector = 123.0
+            threshold = 1
+            signerKeys = [head PayloadBuilder.pubkeys]
+        deps = CommitteeVerifier.CommitteeVerifierDeps with
+            rmnRemote = RawInstanceAddress.make "ccv-observer-rmn" owner
+        createVerifier instanceId messageSentObservers = createCmd CommitteeVerifier.CommitteeVerifier with
+            instanceId
+            owner
+            ccipOwner = owner
+            versionTag = CommitteeVerifier.versionTagV2_0_0
+            allowListAdmin = None
+            messageSentObservers
+            storageLocations = []
+            storageLocationsAdmin = owner
+            pendingStorageLocationsAdmin = owner
+            remoteChainConfigs = Map.empty
+            signerConfigs = Map.fromList [(123.0, signerConfig)]
+            deps
+
+    submitMustFail owner do
+        createVerifier "ccv-duplicate-message-observer" [observer, observer]
+
+    ccv <- submit owner do
+        createVerifier "ccv-valid-message-observer" [observer]
+
+    submitMustFail owner do
+        exerciseCmd ccv CommitteeVerifier.SetDynamicConfig with
+            dynamicConfig = CommitteeVerifier.DynamicConfig with
+                allowListAdmin = None
+                messageSentObservers = [observer, observer]
+
 -- | Helper to create a fresh ExecutingMessageV1 for each test.
 -- AddCCVVerification is a consuming choice, so each successful verify
 -- consumes the contract.

contracts/ccip/test/daml/PerPartyRouter.daml

@@ -94,6 +94,44 @@ mult m = intToNumeric (truncate (m * 100000000.0))
 cents : Decimal -> Numeric 0
 cents c = intToNumeric (truncate c)
 
+-- Direct router creation rejects redundant custom observers.
+testPerPartyRouterRejectsRedundantCustomObservers : Script ()
+testPerPartyRouterRejectsRedundantCustomObservers = script do
+    ccipOwner <- allocateParty "router-observer-ccip-owner"
+    partyOwner <- allocateParty "router-observer-party-owner"
+    observer <- allocateParty "router-observer-custom"
+
+    let deps = CCIP.PerPartyRouter.PerPartyRouterDeps with
+            onRamp = RawInstanceAddress.make "observer-onramp" ccipOwner
+            offRamp = RawInstanceAddress.make "observer-offramp" ccipOwner
+            globalConfig = RawInstanceAddress.make "observer-globalconfig" ccipOwner
+            tokenAdminRegistry = RawInstanceAddress.make "observer-tar" ccipOwner
+            feeQuoter = RawInstanceAddress.make "observer-feequoter" ccipOwner
+            rmnRemote = RawInstanceAddress.make "observer-rmn" ccipOwner
+        createRouter instanceId customObservers = createCmd CCIP.PerPartyRouter.PerPartyRouter with
+            instanceId
+            ccipOwner
+            partyOwner
+            deps
+            outboundSequenceNumbers = Map.empty
+            executedMessages = Set.empty
+            archivedExecutionContractIds = Map.empty
+            customObservers
+
+    submitMustFail ccipOwner do
+        createRouter "router-duplicate-observer" [observer, observer]
+
+    submitMustFail ccipOwner do
+        createRouter "router-ccip-owner-observer" [ccipOwner]
+
+    submitMustFail ccipOwner do
+        createRouter "router-party-owner-observer" [partyOwner]
+
+    _ <- submit ccipOwner do
+        createRouter "router-valid-observer" [observer]
+
+    pure ()
+
 basicExtraArgs : Int -> CCIP.Client.ExtraArgs
 basicExtraArgs gasLimit = CCIP.Client.V3 CCIP.Client.GenericExtraArgsV3 with
     gasLimit = gasLimit