merge queue: embarking main (6e65afc) and [#2154 + #2166] together

.github/workflows/gateway-contracts-integrity-checks.yml

@@ -32,6 +32,8 @@ jobs:
             gw-contracts:
               - .github/workflows/gateway-contracts-integrity-checks.yml
               - gateway-contracts/**
+              - ci/check_spdx_licenses.sh
+              - ci/contracts_bindings_update.py
   contract-integrity-checks:
     name: gateway-contracts-integrity-checks/contract-integrity-checks (bpr)
     needs: check-changes
@@ -72,6 +74,10 @@ jobs:
         working-directory: gateway-contracts
         run: make check-mocks
 
+      - name: Check SPDX license headers
+        working-directory: gateway-contracts
+        run: make check-spdx-headers
+
       - name: Check licenses compliance
         working-directory: gateway-contracts
         run: make check-licenses

.github/workflows/host-contracts-integrity-checks.yml

@@ -32,6 +32,8 @@ jobs:
             host-contracts:
               - .github/workflows/host-contracts-integrity-checks.yml
               - host-contracts/**
+              - ci/check_spdx_licenses.sh
+              - ci/contracts_bindings_update.py
 
   contract-integrity-checks:
     name: host-contracts-integrity-checks/contract-integrity-checks (bpr)
@@ -68,3 +70,7 @@ jobs:
       - name: Check contract selectors are up-to-date
         working-directory: host-contracts
         run: make check-selectors
+
+      - name: Check SPDX license headers
+        working-directory: host-contracts
+        run: make check-spdx-headers

.github/workflows/library-solidity-integrity-checks.yml

@@ -0,0 +1,50 @@
+# This workflow verifies that:
+# - Dependency licenses compliance
+name: library-solidity-integrity-checks
+
+on:
+  pull_request:
+
+permissions: {}
+
+concurrency:
+  group: library-solidity-integrity-checks-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+jobs:
+  check-changes:
+    name: library-solidity-integrity-checks/check-changes
+    permissions:
+      contents: 'read' # Required to checkout repository code
+    runs-on: ubuntu-latest
+    outputs:
+      changes-library-solidity: ${{ steps.filter.outputs.library-solidity }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36  # v3.0.2
+        id: filter
+        with:
+          filters: |
+            library-solidity:
+              - .github/workflows/library-solidity-integrity-checks.yml
+              - library-solidity/**
+              - ci/check_spdx_licenses.sh
+
+  contract-integrity-checks:
+    name: library-solidity-integrity-checks/contract-integrity-checks (bpr)
+    needs: check-changes
+    if: ${{ needs.check-changes.outputs.changes-library-solidity == 'true' }}
+    permissions:
+      contents: 'read' # Required to checkout repository code
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout project
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
+
+      - name: Check SPDX license headers
+        working-directory: library-solidity
+        run: make check-spdx-headers

ci/check_spdx_licenses.sh

@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+# Check that all Solidity contracts use the expected SPDX license identifier.
+
+set -euo pipefail
+
+EXPECTED_LICENSE="BSD-3-Clause-Clear"
+EXIT_CODE=0
+DIRS=()
+EXCLUDES=()
+
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --exclude)
+            EXCLUDES+=("$2")
+            shift 2
+            ;;
+        *)
+            DIRS+=("$1")
+            shift
+            ;;
+    esac
+done
+
+# Default to contracts/ if no directories specified
+if [[ ${#DIRS[@]} -eq 0 ]]; then
+    DIRS=("contracts")
+fi
+
+for dir in "${DIRS[@]}"; do
+    while IFS= read -r -d '' file; do
+        # Check if file matches any exclude pattern
+        skip=false
+        for exclude in ${EXCLUDES[@]+"${EXCLUDES[@]}"}; do
+            if [[ "$file" == *"$exclude"* ]]; then
+                skip=true
+                break
+            fi
+        done
+        if "$skip"; then
+            continue
+        fi
+
+        first_line=$(head -n 1 "$file")
+        if [[ "$first_line" != "// SPDX-License-Identifier: ${EXPECTED_LICENSE}" ]]; then
+            echo "ERROR: Wrong or missing license in $file"
+            echo "  Found:    $first_line"
+            echo "  Expected: // SPDX-License-Identifier: ${EXPECTED_LICENSE}"
+            EXIT_CODE=1
+        fi
+    done < <(find "$dir" -name '*.sol' -print0 | sort -z)
+done
+
+if [ "$EXIT_CODE" -eq 0 ]; then
+    echo "All Solidity files use SPDX-License-Identifier: ${EXPECTED_LICENSE}"
+fi
+
+exit "$EXIT_CODE"

docs/metrics/metrics.md

@@ -228,11 +228,11 @@ Metrics for zkproof-worker are to be added in future releases, if/when needed. C
  - **Alarm**: If the counter is a flat line over a period of time, only for `event_type` `public_decryption_request` and `user_decryption_request`.
    - **Recommendation**: 0 for more than 1 minute, i.e. `increase(counter{event_type="..."}[1m]) == 0`.
 
-#### Metric Name: `kms_connector_gw_listener_event_received_errors`
+#### Metric Name: `kms_connector_gw_listener_event_listening_errors`
  - **Type**: Counter
  - **Labels**:
-   - `event_type`: see [description](#metric-name-kms_connector_gw_listener_event_received_counter)
- - **Description**: Counts the number of errors encountered by the GW listener while receiving events.
+   - `contract`: can be used to filter by contract (decryption, kmsgeneration).
+ - **Description**: Counts the number of errors encountered by the GW listener while listening for events.
  - **Alarm**: If the counter increases over a period of time.
    - **Recommendation**: more than 60 failures in 1 minute, i.e. `sum(increase(counter[1m])) > 60`.
 

gateway-contracts/Makefile

@@ -106,6 +106,10 @@ deploy-setup-contracts:
 ensure-addresses:
 	ENV_PATH=$(ENV_PATH) npx ts-node scripts/ensure_proxy_addresses.ts
 
+# Make sure all Solidity contracts use the expected SPDX license identifier (BSD-3-Clause-Clear)
+check-spdx-headers:
+	bash ../ci/check_spdx_licenses.sh contracts
+
 # Make sure we only use allowed licenses for dependencies
 # Full list of SPDX identifiers can be found here: https://spdx.org/licenses/
 # The following packages are exceptionally excluded from the check:

host-contracts/Makefile

@@ -60,5 +60,10 @@ lint-bindings:
 # Update auto-generated files for conformance checks
 update-conformance: update-bindings update-selectors
 
+# Make sure all Solidity contracts use the expected SPDX license identifier (BSD-3-Clause-Clear)
+# We also check lib/ but exclude external dependencies (forge-std, OpenZeppelin-derived FhevmECDSA).
+check-spdx-headers:
+	bash ../ci/check_spdx_licenses.sh contracts lib --exclude forge-std --exclude cryptography/FhevmECDSA.sol
+
 # Conform to pre-commit checks
 conformance: prettier update-conformance

kms-connector/config/gw-listener.toml

@@ -42,14 +42,22 @@ database_url = "postgres://postgres:postgres@localhost/kms-connector"
 # ENV: KMS_CONNECTOR_TASK_LIMIT
 # task_limit = 1000
 
-# The polling interval for decryption requests (optional, defaults to 1s)
+# The polling interval for decryption requests (optional, defaults to 500ms)
 # ENV: KMS_CONNECTOR_DECRYPTION_POLLING (format: https://docs.rs/humantime/latest/humantime/)
-# decryption_polling = "1s"
+# decryption_polling = "500ms"
 
 # The polling interval for key management requests (optional, defaults to 30s)
 # ENV: KMS_CONNECTOR_KMS_GENERATION_POLLING (format: https://docs.rs/humantime/latest/humantime/)
 # key_management_polling = "30s"
 
+# Maximum number of blocks per eth_getLogs RPC call (optional, defaults to 100)
+# ENV: KMS_CONNECTOR_GET_LOGS_BATCH_SIZE
+# get_logs_batch_size = 100
+
+# Maximum consecutive polling errors before the listener stops (optional, defaults to 20)
+# ENV: KMS_CONNECTOR_MAX_CONSECUTIVE_POLLING_ERRORS
+# max_consecutive_polling_errors = 20
+
 # Block number to start processing decryption events from (optional, defaults to latest block if not set)
 # ENV: KMS_CONNECTOR_DECRYPTION_FROM_BLOCK_NUMBER
 # decryption_from_block_number = 1234

kms-connector/crates/gw-listener/src/core/config.rs

@@ -62,6 +62,14 @@ pub struct Config {
     #[serde(with = "humantime_serde", default = "default_key_management_polling")]
     pub key_management_polling: Duration,
 
+    /// The maximum number of blocks to fetch per `eth_getLogs` request.
+    #[serde(default = "default_get_logs_batch_size")]
+    pub get_logs_batch_size: u64,
+
+    /// Maximum number of consecutive polling errors before stopping the loop.
+    #[serde(default = "default_max_consecutive_polling_errors")]
+    pub max_consecutive_polling_errors: usize,
+
     /// Optional block number to start processing decryption events from.
     pub decryption_from_block_number: Option<u64>,
     /// Optional block number to start processing KMS operation events from.
@@ -75,13 +83,21 @@ fn default_service_name() -> String {
 }
 
 fn default_decryption_polling() -> Duration {
-    Duration::from_secs(1)
+    Duration::from_millis(500)
 }
 
 fn default_key_management_polling() -> Duration {
     Duration::from_secs(30)
 }
 
+fn default_get_logs_batch_size() -> u64 {
+    100
+}
+
+fn default_max_consecutive_polling_errors() -> usize {
+    20
+}
+
 // Default implementation for testing purpose
 impl Default for Config {
     fn default() -> Self {
@@ -101,6 +117,8 @@ impl Default for Config {
             healthcheck_timeout: default_healthcheck_timeout(),
             decryption_polling: default_decryption_polling(),
             key_management_polling: default_key_management_polling(),
+            get_logs_batch_size: default_get_logs_batch_size(),
+            max_consecutive_polling_errors: default_max_consecutive_polling_errors(),
             decryption_from_block_number: None,
             kms_operation_from_block_number: None,
         }
@@ -125,6 +143,8 @@ mod tests {
             env::remove_var("KMS_CONNECTOR_DECRYPTION_CONTRACT__ADDRESS");
             env::remove_var("KMS_CONNECTOR_KMS_GENERATION_CONTRACT__ADDRESS");
             env::remove_var("KMS_CONNECTOR_SERVICE_NAME");
+            env::remove_var("KMS_CONNECTOR_GET_LOGS_BATCH_SIZE");
+            env::remove_var("KMS_CONNECTOR_MAX_CONSECUTIVE_POLLING_ERRORS");
         }
     }
 
@@ -207,15 +227,27 @@ mod tests {
         // Set an environment variable to override the file
         let gateway_chain_id = 77737;
         let service_name = "kms-connector-override";
+        let get_logs_batch_size: u64 = 500;
+        let max_consecutive_polling_errors = 5;
         let mut expected_config = example_config.clone();
         expected_config.gateway_chain_id = gateway_chain_id;
         expected_config.service_name = service_name.to_string();
+        expected_config.get_logs_batch_size = get_logs_batch_size;
+        expected_config.max_consecutive_polling_errors = max_consecutive_polling_errors;
         unsafe {
             env::set_var(
                 "KMS_CONNECTOR_GATEWAY_CHAIN_ID",
                 gateway_chain_id.to_string(),
             );
             env::set_var("KMS_CONNECTOR_SERVICE_NAME", service_name);
+            env::set_var(
+                "KMS_CONNECTOR_GET_LOGS_BATCH_SIZE",
+                get_logs_batch_size.to_string(),
+            );
+            env::set_var(
+                "KMS_CONNECTOR_MAX_CONSECUTIVE_POLLING_ERRORS",
+                max_consecutive_polling_errors.to_string(),
+            );
         }
 
         // Load config from both sources