Update localnet scripts to generate TOML config

.github/workflows/ci.yml

@@ -64,7 +64,7 @@ jobs:
 
   docker-launcher-build-and-verify:
     name: "Build MPC Launcher Docker image and verify"
-    runs-on: warp-ubuntu-2404-x64-2x
+    runs-on: warp-ubuntu-2404-x64-8x
     timeout-minutes: 60
     permissions:
       contents: read
@@ -75,10 +75,16 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Install skopeo
+      - name: Install build dependencies
         run: |
           sudo apt-get update
-          sudo apt-get install -y skopeo
+          sudo apt-get install -y skopeo liblzma-dev
+
+      - name: Cache Rust dependencies
+        uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+        with:
+          save-if: ${{ github.ref == 'refs/heads/main' }}
+          cache-provider: "warpbuild"
 
       - name: Build launcher docker image and verify its hash
         shell: bash

.github/workflows/docker_build_launcher.yml

@@ -13,7 +13,7 @@ on:
 jobs:
   build-and-push-images:
     name: "Build and push Docker launcher image with commit hash"
-    runs-on: warp-ubuntu-2404-x64-2x
+    runs-on: warp-ubuntu-2404-x64-8x
     permissions:
       contents: read
 
@@ -23,17 +23,23 @@ jobs:
         with:
           persist-credentials: false
 
+      - name: Install build dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y skopeo liblzma-dev
+
+      - name: Cache Rust dependencies
+        uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+        with:
+          save-if: ${{ github.ref == 'refs/heads/main' }}
+          cache-provider: "warpbuild"
+
       - name: Login to Docker Hub
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Install skopeo
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y skopeo
-
       - name: Build and push launcher image
         run: |
           export LAUNCHER_IMAGE_NAME=mpc-launcher

Cargo.toml

@@ -13,6 +13,7 @@ members = [
     "crates/foreign-chain-inspector",
     "crates/foreign-chain-rpc-interfaces",
     "crates/include-measurements",
+    "crates/launcher-interface",
     "crates/mpc-attestation",
     "crates/near-mpc-bounded-collections",
     "crates/near-mpc-contract-interface",
@@ -23,6 +24,7 @@ members = [
     "crates/node-types",
     "crates/primitives",
     "crates/tee-authority",
+    "crates/tee-launcher",
     "crates/test-migration-contract",
     "crates/test-parallel-contract",
     "crates/test-utils",
@@ -44,6 +46,7 @@ contract-history = { path = "crates/contract-history" }
 foreign-chain-inspector = { path = "crates/foreign-chain-inspector" }
 foreign-chain-rpc-interfaces = { path = "crates/foreign-chain-rpc-interfaces" }
 include-measurements = { path = "crates/include-measurements" }
+launcher-interface = { path = "crates/launcher-interface" }
 mpc-attestation = { path = "crates/mpc-attestation" }
 mpc-contract = { path = "crates/contract", features = ["dev-utils"] }
 mpc-node = { path = "crates/node" }

crates/launcher-interface/Cargo.toml

@@ -0,0 +1,20 @@
+[package]
+name = "launcher-interface"
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+
+[dependencies]
+derive_more = { workspace = true }
+mpc-primitives = { workspace = true }
+near-mpc-bounded-collections = { workspace = true }
+serde = { workspace = true }
+thiserror = { workspace = true }
+
+[dev-dependencies]
+assert_matches = { workspace = true }
+insta = { workspace = true }
+serde_json = { workspace = true }
+
+[lints]
+workspace = true

crates/launcher-interface/src/lib.rs

@@ -0,0 +1,176 @@
+pub const MPC_IMAGE_HASH_EVENT: &str = "mpc-image-digest";
+
+pub mod types {
+    use std::fmt;
+    use std::str::FromStr;
+
+    use mpc_primitives::hash::MpcDockerImageHash;
+    use serde::{Deserialize, Serialize};
+
+    /// JSON structure for the approved hashes file written by the MPC node, and read by the launcher.
+    #[derive(Debug, Serialize, Deserialize)]
+    pub struct ApprovedHashes {
+        pub approved_hashes: near_mpc_bounded_collections::NonEmptyVec<DockerSha256Digest>,
+    }
+
+    impl ApprovedHashes {
+        pub fn newest_approved_hash(&self) -> &DockerSha256Digest {
+            self.approved_hashes.first()
+        }
+    }
+
+    const SHA256_PREFIX: &str = "sha256:";
+
+    #[derive(Debug, Clone, PartialEq, Eq, derive_more::From)]
+    pub struct DockerSha256Digest(MpcDockerImageHash);
+
+    impl fmt::Display for DockerSha256Digest {
+        fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+            write!(f, "{SHA256_PREFIX}{}", self.0.as_hex())
+        }
+    }
+
+    #[derive(Debug, thiserror::Error)]
+    pub enum DockerDigestParseError {
+        #[error("missing {SHA256_PREFIX} prefix")]
+        MissingPrefix,
+        #[error(transparent)]
+        InvalidHash(#[from] mpc_primitives::hash::Hash32ParseError),
+    }
+
+    impl DockerSha256Digest {
+        pub fn as_raw_hex(&self) -> String {
+            self.0.as_hex()
+        }
+    }
+
+    impl FromStr for DockerSha256Digest {
+        type Err = DockerDigestParseError;
+
+        fn from_str(s: &str) -> Result<Self, Self::Err> {
+            let hex_str = s
+                .strip_prefix(SHA256_PREFIX)
+                .ok_or(DockerDigestParseError::MissingPrefix)?;
+            Ok(DockerSha256Digest(hex_str.parse()?))
+        }
+    }
+
+    impl Serialize for DockerSha256Digest {
+        fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
+        where
+            S: serde::Serializer,
+        {
+            self.to_string().serialize(serializer)
+        }
+    }
+
+    impl<'de> Deserialize<'de> for DockerSha256Digest {
+        fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
+        where
+            D: serde::Deserializer<'de>,
+        {
+            let s = String::deserialize(deserializer)?;
+            s.parse().map_err(serde::de::Error::custom)
+        }
+    }
+}
+
+mod paths {}
+
+#[cfg(test)]
+mod tests {
+    use assert_matches::assert_matches;
+
+    use super::types::{ApprovedHashes, DockerDigestParseError, DockerSha256Digest};
+    use mpc_primitives::hash::MpcDockerImageHash;
+
+    fn sample_digest() -> DockerSha256Digest {
+        let hash: MpcDockerImageHash = [0xab; 32].into();
+        DockerSha256Digest::from(hash)
+    }
+
+    #[test]
+    fn serialize_docker_digest() {
+        let digest = sample_digest();
+        let json = serde_json::to_value(&digest).unwrap();
+        insta::assert_json_snapshot!("docker_digest", json);
+    }
+
+    #[test]
+    fn roundtrip_docker_digest() {
+        let digest = sample_digest();
+        let serialized = serde_json::to_string(&digest).unwrap();
+        let deserialized: DockerSha256Digest = serde_json::from_str(&serialized).unwrap();
+        insta::assert_json_snapshot!(
+            "docker_digest_roundtrip",
+            serde_json::to_value(&deserialized).unwrap()
+        );
+    }
+
+    #[test]
+    fn deserialize_rejects_missing_prefix() {
+        let json = serde_json::json!(
+            "abababababababababababababababababababababababababababababababababab"
+        );
+        assert_matches!(
+            serde_json::from_value::<DockerSha256Digest>(json),
+            Err(ref e) if e.to_string().contains("missing sha256: prefix")
+        );
+    }
+
+    #[test]
+    fn deserialize_rejects_invalid_hex() {
+        let json = serde_json::json!("sha256:not_valid_hex!");
+        assert_matches!(serde_json::from_value::<DockerSha256Digest>(json), Err(_));
+    }
+
+    #[test]
+    fn deserialize_rejects_wrong_length() {
+        let json = serde_json::json!("sha256:abab");
+        assert_matches!(serde_json::from_value::<DockerSha256Digest>(json), Err(_));
+    }
+
+    #[test]
+    fn display_docker_digest() {
+        let digest = sample_digest();
+        insta::assert_snapshot!("docker_digest_display", digest.to_string());
+    }
+
+    #[test]
+    fn parse_docker_digest() {
+        let input = "sha256:abababababababababababababababababababababababababababababababab";
+        let parsed: DockerSha256Digest = input.parse().unwrap();
+        assert_eq!(parsed.to_string(), input);
+    }
+
+    #[test]
+    fn parse_rejects_missing_prefix() {
+        let result = "abababababababababababababababababababababababababababababababababab"
+            .parse::<DockerSha256Digest>();
+        assert_matches!(result, Err(DockerDigestParseError::MissingPrefix));
+    }
+
+    #[test]
+    fn parse_rejects_invalid_hex() {
+        let result = "sha256:not_valid_hex!".parse::<DockerSha256Digest>();
+        assert_matches!(result, Err(DockerDigestParseError::InvalidHash(_)));
+    }
+
+    #[test]
+    fn parse_rejects_wrong_length() {
+        let result = "sha256:abab".parse::<DockerSha256Digest>();
+        assert_matches!(result, Err(DockerDigestParseError::InvalidHash(_)));
+    }
+
+    #[test]
+    fn serialize_approved_hashes_file() {
+        let file = ApprovedHashes {
+            approved_hashes: near_mpc_bounded_collections::NonEmptyVec::from_vec(vec![
+                sample_digest(),
+            ])
+            .unwrap(),
+        };
+        let json = serde_json::to_value(&file).unwrap();
+        insta::assert_json_snapshot!("approved_hashes_file", json);
+    }
+}

crates/launcher-interface/src/snapshots/launcher_interface__tests__approved_hashes_file.snap

@@ -0,0 +1,9 @@
+---
+source: crates/launcher-interface/src/lib.rs
+expression: json
+---
+{
+  "approved_hashes": [
+    "sha256:abababababababababababababababababababababababababababababababab"
+  ]
+}

crates/launcher-interface/src/snapshots/launcher_interface__tests__docker_digest.snap

@@ -0,0 +1,5 @@
+---
+source: crates/launcher-interface/src/lib.rs
+expression: json
+---
+"sha256:abababababababababababababababababababababababababababababababab"

crates/launcher-interface/src/snapshots/launcher_interface__tests__docker_digest_display.snap

@@ -0,0 +1,5 @@
+---
+source: crates/launcher-interface/src/lib.rs
+expression: digest.to_string()
+---
+sha256:abababababababababababababababababababababababababababababababab

crates/launcher-interface/src/snapshots/launcher_interface__tests__docker_digest_roundtrip.snap

@@ -0,0 +1,5 @@
+---
+source: crates/launcher-interface/src/lib.rs
+expression: "serde_json::to_value(&deserialized).unwrap()"
+---
+"sha256:abababababababababababababababababababababababababababababababab"

crates/mpc-attestation/Cargo.toml

@@ -13,6 +13,7 @@ borsh = { workspace = true }
 derive_more = { workspace = true }
 hex = { workspace = true }
 include-measurements = { workspace = true }
+launcher-interface = { workspace = true }
 mpc-primitives = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }

crates/mpc-attestation/src/attestation.rs

@@ -13,14 +13,13 @@ pub use attestation::measurements::ExpectedMeasurements;
 use mpc_primitives::hash::{LauncherDockerComposeHash, MpcDockerImageHash};
 
 use borsh::{BorshDeserialize, BorshSerialize};
+use launcher_interface::MPC_IMAGE_HASH_EVENT;
 use serde::{Deserialize, Serialize};
 use sha2::{Digest as _, Sha256};
 
 use crate::alloc::format;
 use crate::alloc::string::ToString;
 
-const MPC_IMAGE_HASH_EVENT: &str = "mpc-image-digest";
-
 // TODO(#1639): extract timestamp from certificate itself
 pub const DEFAULT_EXPIRATION_DURATION_SECONDS: u64 = 60 * 60 * 24 * 7; // 7 days