merge queue: embarking main (8f6b016) and [#2083 + #2077 + #2052] together

.github/CODEOWNERS

@@ -18,3 +18,7 @@ test-suite/gateway-stress/Dockerfile @zama-ai/fhevm-devs
 
 # Coprocessor Team ownership
 /coprocessor/ @zama-ai/fhevm-coprocessor
+
+# Enforces changes in Sandboxed AI CI/CD
+.github/squid/sandbox-*.conf @zama-ai/infosec 
+.github/workflows/claude-*.yml @zama-ai/infosec 

.github/squid/sandbox-proxy-rules.conf

@@ -0,0 +1,18 @@
+# Strict domain allowlist for CI sandbox
+# Only these domains are reachable through the Squid proxy.
+# Based on: https://github.com/zama-ai/security-hub/tree/main/docs/how-tos/sandboxed-claude-code
+#
+# To add a new domain: append ".example.com" to the acl below.
+# Leading dot means "this domain and all subdomains".
+
+acl allowed_domains dstdomain \
+  .api.anthropic.com \
+  .platform.claude.com \
+  .github.com
+
+# Allow only explicitly allowed domains
+http_access deny !allowed_domains
+http_access allow allowed_domains
+
+# Deny everything else
+http_access deny all

.github/workflows/test-suite-e2e-operators-tests.yml

@@ -94,6 +94,9 @@ jobs:
       - name: Setup Docker
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
+      - name: Install Foundry
+        uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
@@ -125,7 +128,7 @@ jobs:
           SNS_WORKER_VERSION: ${{ inputs.sns_worker_version }}
           ZKPROOF_WORKER_VERSION: ${{ inputs.zkproof_worker_version }}
         run: |
-          ./fhevm-cli deploy
+          ./fhevm-cli deploy --coprocessors 2 --coprocessor-threshold 2
 
       - name: All operators tests
         working-directory: test-suite/fhevm
@@ -150,6 +153,15 @@ jobs:
           echo "::group::Transaction Sender Logs (filtered)"
           ./fhevm-cli logs transaction-sender | grep -v "Selected 0 rows to process"
           echo "::endgroup::"
+          echo "::group::Coprocessor 2 - SNS Worker"
+          ./fhevm-cli logs coprocessor-2-sns-worker 2>/dev/null | grep -v "Selected 0 rows to process" || true
+          echo "::endgroup::"
+          echo "::group::Coprocessor 2 - Transaction Sender (filtered)"
+          ./fhevm-cli logs coprocessor-2-transaction-sender 2>/dev/null | grep -v "Selected 0 rows to process" || true
+          echo "::endgroup::"
+          echo "::group::Coprocessor 2 - TFHE Worker"
+          ./fhevm-cli logs coprocessor-2-tfhe-worker 2>/dev/null || true
+          echo "::endgroup::"
 
       - name: Cleanup
         working-directory: test-suite/fhevm

.github/workflows/test-suite-e2e-tests.yml

@@ -121,6 +121,9 @@ jobs:
       - name: Setup Docker
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
+      - name: Install Foundry
+        uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
@@ -147,9 +150,9 @@ jobs:
           DEPLOY_BUILD: ${{ inputs.deploy-build }}
         run: |
           if [[ "$DEPLOY_BUILD" == 'true' ]]; then
-            ./fhevm-cli deploy --build
+            ./fhevm-cli deploy --build --coprocessors 2 --coprocessor-threshold 2
           else
-            ./fhevm-cli deploy
+            ./fhevm-cli deploy --coprocessors 2 --coprocessor-threshold 2
           fi
 
       # E2E tests on pausing the Host contracts
@@ -262,6 +265,15 @@ jobs:
           echo "::group::TFHE Worker"
           ./fhevm-cli logs coprocessor-tfhe-worker
           echo "::endgroup::"
+          echo "::group::Coprocessor 2 - SNS Worker"
+          ./fhevm-cli logs coprocessor-2-sns-worker 2>/dev/null | grep -v "Selected 0 rows to process" || true
+          echo "::endgroup::"
+          echo "::group::Coprocessor 2 - Transaction Sender (filtered)"
+          ./fhevm-cli logs coprocessor-2-transaction-sender 2>/dev/null | grep -v "Selected 0 rows to process" || true
+          echo "::endgroup::"
+          echo "::group::Coprocessor 2 - TFHE Worker"
+          ./fhevm-cli logs coprocessor-2-tfhe-worker 2>/dev/null || true
+          echo "::endgroup::"
 
       - name: Cleanup
         working-directory: test-suite/fhevm

coprocessor/fhevm-engine/gw-listener/src/gw_listener.rs

@@ -201,19 +201,16 @@ impl<P: Provider<Ethereum> + Clone + 'static, A: AwsS3Interface + Clone + 'stati
                                 continue;
                             }
                             if let Ok(event) = InputVerification::InputVerificationEvents::decode_log(&log.inner) {
-                                match event.data {
-                                    InputVerification::InputVerificationEvents::VerifyProofRequest(request) => {
-                                        self.verify_proof_request(db_pool, request, log.clone()).await.
-                                            inspect(|_| {
-                                                verify_proof_success += 1;
-                                            }).inspect_err(|e| {
-                                                error!(error = %e, "VerifyProofRequest processing failed");
-                                                VERIFY_PROOF_FAIL_COUNTER.inc();
-                                        })?;
-                                    },
-                                    _ => {
-                                        error!(log = ?log, "Unknown InputVerification event");
-                                    }
+                                // This listener only reacts to proof requests. Other known InputVerification
+                                // events are expected when multiple coprocessors interact with the gateway.
+                                if let InputVerification::InputVerificationEvents::VerifyProofRequest(request) = event.data {
+                                    self.verify_proof_request(db_pool, request, log.clone()).await.
+                                        inspect(|_| {
+                                            verify_proof_success += 1;
+                                        }).inspect_err(|e| {
+                                            error!(error = %e, "VerifyProofRequest processing failed");
+                                            VERIFY_PROOF_FAIL_COUNTER.inc();
+                                    })?;
                                 }
                             } else {
                                 error!(log = ?log, "Failed to decode InputVerification event log");

test-suite/e2e/hardhat.config.ts

@@ -165,6 +165,7 @@ const config: HardhatUserConfig = {
   defaultNetwork: DEFAULT_NETWORK,
   mocha: {
     timeout: 300000,
+    rootHooks: require('./test/consensusWatchdog').mochaHooks,
   },
   gasReporter: {
     currency: 'USD',