Skip to content

Commit 88e0185

Browse files
authored
Merge branch 'main' into 24-5-guide-single-provider-extended-guidiance
2 parents 867adc6 + d044424 commit 88e0185

File tree

7 files changed

+33
-10
lines changed

7 files changed

+33
-10
lines changed

public/changelog.json

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -370,6 +370,13 @@
370370
}
371371
},
372372
"data": [
373+
{
374+
"category": "deprecation",
375+
"date": "2026-02-18",
376+
"description": "We have announced the deprecation of select Data Feeds, scheduled for shutdown on March 4th, 2026. Check [the list of Deprecating Data Feeds to learn more](https://docs.chain.link/data-feeds/deprecating-feeds).",
377+
"title": "Deprecating Data Feeds",
378+
"topic": "Data Feeds"
379+
},
373380
{
374381
"category": "integration",
375382
"date": "2026-02-15",

src/content/ccip/llms-full.txt

Lines changed: 11 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -18539,9 +18539,17 @@ Use this configuration when sending only data messages to SVM:
1853918539
Use this configuration when sending both tokens and data in a single message:
1854018540

1854118541
<Aside type="note" title="Key Requirements">
18542-
- `tokenReceiver` must be a PDA the program has authority over
18543-
- `accounts` must include all accounts required by the receiver program
18544-
- The program must contain logic to handle the received data and tokens
18542+
- **Token Security**: The `tokenReceiver` must be an Associated Token Account (ATA) that the receiver program has authority over. Since the program cannot verify that tokens were sent to a specific address, it should validate it received the expected tokens at its own ATA, then forward them to the final destination.
18543+
18544+
- **Account References**: The `accounts` array must include:
18545+
- The program's own ATA (for validation that tokens were received)
18546+
- The final token destination ATA (to forward tokens to)
18547+
- Any other accounts required by the receiver program's `ccip_receive` instruction
18548+
18549+
- **Validation Pattern**: The receiver program should:
18550+
1. Check that it received the expected tokens at its controlled ATA
18551+
2. Forward the tokens to the final destination
18552+
1854518553
- `allowOutOfOrderExecution` **MUST** be set to `true`
1854618554
</Aside>
1854718555

src/content/ccip/tutorials/svm/destination/build-messages.mdx

Lines changed: 11 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -476,9 +476,17 @@ Use this configuration when sending both tokens and data in a single message:
476476

477477
<Aside type="note" title="Key Requirements">
478478

479-
- `tokenReceiver` must be a PDA the program has authority over
480-
- `accounts` must include all accounts required by the receiver program
481-
- The program must contain logic to handle the received data and tokens
479+
- **Token Security**: The `tokenReceiver` must be an Associated Token Account (ATA) that the receiver program has authority over. Since the program cannot verify that tokens were sent to a specific address, it should validate it received the expected tokens at its own ATA, then forward them to the final destination.
480+
481+
- **Account References**: The `accounts` array must include:
482+
- The program's own ATA (for validation that tokens were received)
483+
- The final token destination ATA (to forward tokens to)
484+
- Any other accounts required by the receiver program's `ccip_receive` instruction
485+
486+
- **Validation Pattern**: The receiver program should:
487+
1. Check that it received the expected tokens at its controlled ATA
488+
2. Forward the tokens to the final destination
489+
482490
- `allowOutOfOrderExecution` **MUST** be set to `true`
483491

484492
</Aside>

src/content/cre/capabilities/confidential-http-go.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@ Confidential HTTP operates differently from the [regular HTTP capability](/cre/c
3535

3636
1. **Request consensus:** Nodes in the Confidential HTTP DON reach quorum on the request parameters (forwarded by each Workflow DON node).
3737
1. **Secret retrieval:** The Confidential HTTP DON fetches encrypted secrets from the [Vault DON](/cre/guides/workflow/secrets/using-secrets-deployed).
38-
1. **Enclave execution:** Secrets are decrypted and injected into the request inside a secure enclave. The HTTP request executes from the enclave—credentials never exist in accessible memory.
38+
1. **Enclave execution:** Secrets are threshold decrypted using Vault DON. Decryption shares are injected to a secure enclave such that only the secure enclave can combine them to extract plaintext secrets to use in the HTTP request execution—credentials never exist in accessible memory.
3939
1. **Response:** The response is returned to your workflow. If `EncryptOutput` is enabled, the response body is encrypted before leaving the enclave.
4040

4141
This approach ensures:

src/content/cre/capabilities/confidential-http-ts.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@ Confidential HTTP operates differently from the [regular HTTP capability](/cre/c
3535

3636
1. **Request consensus:** Nodes in the Confidential HTTP DON reach quorum on the request parameters (forwarded by each Workflow DON node).
3737
1. **Secret retrieval:** The Confidential HTTP DON fetches encrypted secrets from the [Vault DON](/cre/guides/workflow/secrets/using-secrets-deployed).
38-
1. **Enclave execution:** Secrets are decrypted and injected into the request inside a secure enclave. The HTTP request executes from the enclave—credentials never exist in accessible memory.
38+
1. **Enclave execution:** Secrets are threshold decrypted using Vault DON. Decryption shares are injected to a secure enclave such that only the secure enclave can combine them to extract plaintext secrets to use in the HTTP request execution—credentials never exist in accessible memory.
3939
1. **Response:** The response is returned to your workflow. If `EncryptOutput` is enabled, the response body is encrypted before leaving the enclave.
4040

4141
This approach ensures:

src/content/cre/llms-full-go.txt

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8618,7 +8618,7 @@ Confidential HTTP operates differently from the [regular HTTP capability](/cre/c
86188618

86198619
1. **Request consensus:** Nodes in the Confidential HTTP DON reach quorum on the request parameters (forwarded by each Workflow DON node).
86208620
2. **Secret retrieval:** The Confidential HTTP DON fetches encrypted secrets from the [Vault DON](/cre/guides/workflow/secrets/using-secrets-deployed).
8621-
3. **Enclave execution:** Secrets are decrypted and injected into the request inside a secure enclave. The HTTP request executes from the enclave—credentials never exist in accessible memory.
8621+
3. **Enclave execution:** Secrets are threshold decrypted using Vault DON. Decryption shares are injected to a secure enclave such that only the secure enclave can combine them to extract plaintext secrets to use in the HTTP request execution—credentials never exist in accessible memory.
86228622
4. **Response:** The response is returned to your workflow. If `EncryptOutput` is enabled, the response body is encrypted before leaving the enclave.
86238623

86248624
This approach ensures:

src/content/cre/llms-full-ts.txt

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7392,7 +7392,7 @@ Confidential HTTP operates differently from the [regular HTTP capability](/cre/c
73927392

73937393
1. **Request consensus:** Nodes in the Confidential HTTP DON reach quorum on the request parameters (forwarded by each Workflow DON node).
73947394
2. **Secret retrieval:** The Confidential HTTP DON fetches encrypted secrets from the [Vault DON](/cre/guides/workflow/secrets/using-secrets-deployed).
7395-
3. **Enclave execution:** Secrets are decrypted and injected into the request inside a secure enclave. The HTTP request executes from the enclave—credentials never exist in accessible memory.
7395+
3. **Enclave execution:** Secrets are threshold decrypted using Vault DON. Decryption shares are injected to a secure enclave such that only the secure enclave can combine them to extract plaintext secrets to use in the HTTP request execution—credentials never exist in accessible memory.
73967396
4. **Response:** The response is returned to your workflow. If `EncryptOutput` is enabled, the response body is encrypted before leaving the enclave.
73977397

73987398
This approach ensures:

0 commit comments

Comments
 (0)