newton-aggregator 0.4.12

newton prover aggregator utils
//! Shared request/response types for operator simulation RPC methods.
//!
//! These types are used by both the operator (server) and gateway (client proxy)
//! for the simulation delegation protocol. The gateway forwards simulation requests
//! to operators, which perform all HPKE decryption and WASM execution locally.

use alloy::primitives::Address;
use serde::{Deserialize, Serialize};

/// Request for `newt_simulatePolicyData` (direct mode with caller-provided secrets).
///
/// The operator reads `wasmCid` and `secretsSchemaCid` from the on-chain PolicyData
/// contract, decrypts the HPKE envelope (if provided), validates against the schema,
/// and executes the WASM.
///
/// This is a plain serde data carrier: beyond what each field type's `Deserialize`
/// impl enforces, nothing is validated here. Decryption, schema validation and
/// argument decoding all happen in the operator after deserialization.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SimulatePolicyDataRpcRequest {
    /// PolicyData contract address.
    pub policy_data_address: Address,
    /// Chain ID the PolicyData contract is deployed on.
    pub chain_id: u64,
    /// HPKE SecureEnvelope JSON containing encrypted secrets (optional).
    /// The operator decrypts this locally using its HPKE private key.
    /// Passed as a raw JSON object — no base64 encoding.
    ///
    /// At this layer the value is still the encrypted envelope, so the derived
    /// `Debug` output of this struct shows ciphertext, not plaintext secrets.
    // NOTE(review): `serde_json::Value` accepts any JSON shape; the envelope
    // structure is not checked by this type. Presumably the handler rejects
    // malformed or oversized envelopes before decrypting — confirm.
    pub secrets: Option<serde_json::Value>,
    /// Hex-encoded WASM arguments bytes (optional).
    // NOTE(review): stored as an unconstrained `String`; hex validity and length
    // are not enforced here. Presumably the handler decodes and bounds it before
    // handing it to the WASM — confirm.
    pub wasm_args: Option<String>,
}

/// Request for `newt_simulatePolicyDataWithClient` (stored secrets mode).
///
/// The operator fetches secrets from the database for the given
/// (policy_client, policy_data_address, chain_id) tuple and executes the WASM.
///
/// All three lookup keys are taken from the request as sent; the type itself
/// carries no proof that the sender may use the secrets stored under them.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SimulatePolicyDataWithClientRpcRequest {
    /// PolicyData contract address.
    pub policy_data_address: Address,
    /// Chain ID the PolicyData contract is deployed on.
    pub chain_id: u64,
    /// Policy client address for secrets lookup.
    // NOTE(review): this address selects whose stored secrets are used, and it is
    // caller-supplied. Authorization for it must be enforced outside this type
    // (presumably by the `Authenticated<T>` wrapper mentioned on
    // `GetPublicKeyRpcRequest`) — confirm before the database lookup runs.
    pub policy_client: Address,
    /// Hex-encoded WASM arguments bytes (optional).
    // NOTE(review): unconstrained `String`; hex validity and length are not
    // enforced by this type — confirm the handler validates it.
    pub wasm_args: Option<String>,
}

/// Response for policy data WASM simulation.
///
/// `success`, `policy_data` and `error` are independent fields: the type does not
/// enforce that exactly one of `policy_data` / `error` is set, so consumers should
/// branch on `success` rather than on which option is present.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SimulatePolicyDataRpcResponse {
    /// Whether the simulation succeeded.
    pub success: bool,
    /// The policy data WASM execution result (present on success).
    // NOTE(review): in both simulation modes the WASM may have run with secrets;
    // whether its output can contain secret-derived values depends on the WASM —
    // treat as potentially sensitive when logging (this struct derives `Debug`).
    pub policy_data: Option<serde_json::Value>,
    /// Error message (present on failure).
    // NOTE(review): free-form text returned to the RPC caller; confirm the
    // operator never interpolates decrypted secret material into it.
    pub error: Option<String>,
}

/// Input for a single PolicyData source in policy simulation.
///
/// Used as the element type of `SimulatePolicyRpcRequest::policy_data`.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct PolicyDataInputRpc {
    /// Deployed PolicyData contract address.
    pub policy_data_address: Address,
    /// Hex-encoded wasm_args for this specific data source (optional).
    // NOTE(review): unconstrained `String`; hex validity and length are not
    // enforced by this type — confirm the handler validates each entry.
    pub wasm_args: Option<String>,
}

/// Request for `newt_simulatePolicy` (full policy evaluation).
///
/// The operator executes each PolicyData WASM with stored secrets, merges outputs,
/// evaluates the Rego policy, and returns the result.
///
/// The policy source, intent, entrypoint and params all come from the request, while
/// the secrets come from the operator's store keyed by `policy_client`.
// NOTE(review): because the evaluated policy is caller-supplied and its inputs are
// produced with stored secrets, the evaluation result should be treated as derived
// from those secrets. Confirm the handler authorizes the caller for `policy_client`
// before running any data source.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SimulatePolicyRpcRequest {
    /// Policy client address for secrets lookup and ownership context.
    pub policy_client: Address,
    /// Chain ID.
    pub chain_id: u64,
    /// Rego policy source code.
    // NOTE(review): unbounded `String`; presumably size and evaluation limits are
    // applied by the handler or the Rego engine — confirm.
    pub policy: String,
    /// Sample intent to evaluate.
    pub intent: serde_json::Value,
    /// Policy entrypoint (default: "policy.allow").
    /// No serde default is declared here, so an omitted value arrives as `None`;
    /// the documented default has to be applied by the consumer.
    pub entrypoint: Option<String>,
    /// Policy data sources with optional wasm_args.
    /// Not optional and without a serde default: the key must be present in the
    /// request, though the list may be empty.
    pub policy_data: Vec<PolicyDataInputRpc>,
    /// Policy params JSON (default: {}).
    /// As with `entrypoint`, the default is not encoded in this type.
    pub policy_params: Option<serde_json::Value>,
    /// Intent signature (optional).
    // NOTE(review): optional at the type level and not verified here; whether an
    // unsigned intent is acceptable for simulation is the handler's decision —
    // confirm.
    pub intent_signature: Option<String>,
}

/// Response for full policy simulation.
///
/// `success`, `evaluation_result` and `error` are independent fields; the type does
/// not enforce that they agree, so consumers should branch on `success`.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SimulatePolicyRpcResponse {
    /// Whether the simulation succeeded.
    pub success: bool,
    /// The policy evaluation result (present on success).
    pub evaluation_result: Option<serde_json::Value>,
    /// Error message (present on failure).
    // NOTE(review): free-form text returned to the RPC caller; confirm it never
    // includes decrypted secret material.
    pub error: Option<String>,
    /// Structured error details (present when secrets are missing).
    /// Omitted from the serialized output entirely when `None`, unlike the other
    /// optional fields of this struct, which carry no `skip_serializing_if`.
    // NOTE(review): the payload shape is an open `serde_json::Value`; confirm it
    // names only which secrets are missing and does not echo stored values.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub error_details: Option<serde_json::Value>,
}

/// Request for `newt_validateSecretsSchema` (pre-store schema validation).
///
/// The operator decrypts the HPKE envelope, fetches the secrets schema from
/// chain+IPFS, and validates the plaintext against it. This is called by the
/// gateway before storing encrypted secrets in the database, so malformed
/// data is rejected at upload time rather than at task execution time.
///
/// The gateway only relays the envelope; per the description above, decryption and
/// plaintext validation happen on the operator.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ValidateSecretsSchemaRpcRequest {
    /// PolicyData contract address (used to read `secretsSchemaCid` from chain).
    pub policy_data_address: Address,
    /// Chain ID the PolicyData contract is deployed on.
    pub chain_id: u64,
    /// Raw SecureEnvelope JSON string. The operator decrypts this locally.
    ///
    /// Note the representation differs from `SimulatePolicyDataRpcRequest::secrets`,
    /// which carries the envelope as a JSON object: here it is a string that still
    /// has to be parsed as JSON by the receiver.
    // NOTE(review): the string is not parsed or size-checked by this type; confirm
    // the handler bounds and parses it before attempting decryption.
    pub envelope: String,
}

/// Response for `newt_validateSecretsSchema`.
///
/// `valid` is the field to act on; `schema` and `error` are informational and are
/// not tied to `valid` by the type.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ValidateSecretsSchemaRpcResponse {
    /// Whether the envelope decrypted successfully and the plaintext matches the schema.
    /// A single flag covers both steps, so `false` alone does not say which one failed.
    pub valid: bool,
    /// The secrets schema JSON (present on success or when schema exists).
    pub schema: Option<serde_json::Value>,
    /// Error message (present on failure).
    // NOTE(review): validation runs on decrypted plaintext; confirm the message
    // describes the failure without quoting the offending secret values.
    pub error: Option<String>,
}

/// Request for `newt_getPublicKey`.
///
/// Carries `chain_id` so the operator can resolve the correct per-chain enclave
/// HPKE key. Without this, `Authenticated<T>` cannot bind `expected_chain_id`
/// in the EIP-712 envelope (commit #3 / NEWT operator-rpc-auth).
///
/// `Authenticated<T>` is not defined in this file; the binding described above is
/// performed wherever that wrapper is implemented.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct GetPublicKeyRpcRequest {
    /// Chain whose HPKE public key the gateway is requesting.
    // NOTE(review): the value is caller-supplied; presumably the operator rejects
    // chain IDs it holds no key for rather than falling back to another chain's
    // key — confirm.
    pub chain_id: u64,
}

/// Response for `newt_getPublicKey`.
///
/// Returns the operator's HPKE public key (X25519) derived from its encryption
/// private key. The gateway uses this to expose via `newt_getPrivacyPublicKey`.
///
/// Failure is signalled in-band: `public_key` is always present as a string and is
/// left empty when `error` is set, so consumers must check `error` first.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct GetPublicKeyRpcResponse {
    /// Hex-encoded X25519 public key. Empty when `error` is set.
    // NOTE(review): a plain `String`, so neither the hex encoding nor the key length
    // is enforced here. Callers should reject an empty or wrong-length value (an
    // X25519 public key is 32 bytes) before encrypting secrets to it.
    pub public_key: String,
    /// Error message when the operator cannot produce a public key
    /// (e.g. encryption private key not configured).
    /// Defaults to `None` when absent on input and is omitted from the output when
    /// `None`.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub error: Option<String>,
}