fix: set WorkflowOwner and OrgId on vault GetSecretsRequest in relay handler#21991

Open

nadahalli wants to merge 3 commits into develop from tejaswi/fix-relay-vault-owner

Conversation

@nadahalli
Contributor

Summary

The confidential relay handler forwards secret-fetch requests from the enclave to the vault DON. It constructs a GetSecretsRequest but only sets the owner on each SecretIdentifier inside Requests, not on the top-level WorkflowOwner and OrgId fields.

The vault plugin's observeGetSecretsRequest reads WorkflowOwner and OrgId from the top-level request fields to validate the TDH2 ciphertext label via EnsureRightLabelOnSecret. When both are empty, expectedLabels is empty and every secret fetch fails with:

secret label [...] does not match any of the provided owner labels; expectedLabels=[]

This was introduced by #21639 which added label validation to GetSecrets (previously only on CreateSecrets).

Also bumps chainlink-common to pick up the OrgID field on SecretsRequestParams (smartcontractkit/chainlink-common#1975).

The confidential relay handler constructs a vault GetSecretsRequest when
forwarding secret fetches from the enclave, but only sets owner on each
SecretIdentifier, not on the top-level request fields. The vault plugin
validates the TDH2 label against WorkflowOwner/OrgId from the request
payload, so both must be populated for label verification to pass.

Also bumps chainlink-common to pick up the OrgID field on
SecretsRequestParams.
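As an added example (not code from the PR or the chainlink repository), a Go model of the sender/validator mismatch the description explains: the relay populates Owner on each SecretIdentifier while the vault side derives expectedLabels only from the top-level fields, so the pre-fix request fails closed with an empty allow-list. Struct shapes, the label format (owner and org id used verbatim as labels) and the function names are assumptions.

```go
package main

import "fmt"

// Added illustration, not project code: the relay sets Owner on each SecretIdentifier,
// but the plugin builds its allow-list from top-level WorkflowOwner/OrgId (shapes assumed).
type SecretIdentifier struct{ Key, Owner string }
type GetSecretsRequest struct {
	Requests      []SecretIdentifier
	WorkflowOwner string // top-level fields the vault plugin validates against
	OrgId         string
}
// BuildRelayRequest mirrors the relay handler: populateTopLevel=false is the
// pre-fix behaviour (owner only on each SecretIdentifier), true is the fix.
func BuildRelayRequest(owner, orgID string, secrets []string, populateTopLevel bool) GetSecretsRequest {
	req := GetSecretsRequest{Requests: make([]SecretIdentifier, 0, len(secrets))}
	for _, k := range secrets {
		req.Requests = append(req.Requests, SecretIdentifier{Key: k, Owner: owner})
	}
	if populateTopLevel {
		req.WorkflowOwner, req.OrgId = owner, orgID
	}
	return req
}
// ExpectedLabels models the plugin side: per-secret Owner is ignored, so
// empty top-level fields yield an empty allow-list.
func ExpectedLabels(req GetSecretsRequest) (labels []string) {
	for _, v := range []string{req.WorkflowOwner, req.OrgId} {
		if v != "" {
			labels = append(labels, v)
		}
	}
	return labels
}
// EnsureRightLabel fails closed: an empty allow-list matches no label.
func EnsureRightLabel(secretLabel string, expected []string) error {
	for _, l := range expected {
		if l == secretLabel {
			return nil
		}
	}
	return fmt.Errorf("secret label [%s] does not match any of the provided owner labels; expectedLabels=%v", secretLabel, expected)
}

func main() {
	for _, fixed := range []bool{false, true} {
		req := BuildRelayRequest("0xabc", "org-1", []string{"API_KEY"}, fixed)
		fmt.Println("fixed:", fixed, "->", EnsureRightLabel("0xabc", ExpectedLabels(req)))
	}
}
```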
@nadahalli nadahalli requested review from a team as code owners April 13, 2026 12:01
Copilot AI review requested due to automatic review settings April 13, 2026 12:01
@nadahalli nadahalli requested a review from a team as a code owner April 13, 2026 12:01
@github-actions
Contributor

👋 nadahalli, thanks for creating this pull request!

To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team.

Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks!

@github-actions
Contributor

I see you updated files related to core. Please run make gocs in the root directory to add a changeset, and include at least one of the following tags in the text:

  • #added For any new functionality added.
  • #breaking_change For any functionality that requires manual action for the node to boot.
  • #bugfix For bug fixes.
  • #changed For any change to the existing functionality.
  • #db_update For any feature that introduces updates to database schema.
  • #deprecation_notice For any upcoming deprecation functionality.
  • #internal For changesets that need to be excluded from the final changelog.
  • #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
  • #removed For any functionality/config that is removed.
  • #updated For any functionality that is updated.
  • #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

@github-actions
Contributor

github-actions bot commented Apr 13, 2026

✅ No conflicts with other open PRs targeting develop

Contributor

Copilot AI left a comment


Pull request overview

Risk Rating: MEDIUM

Fixes confidential relay secret fetches by ensuring the relay handler populates the top-level WorkflowOwner and OrgId fields on the Vault GetSecretsRequest, aligning with Vault plugin label validation introduced in #21639.

Changes:

  • Set WorkflowOwner and OrgId on the top-level vault.GetSecretsRequest in the confidential relay handler.
  • Bump chainlink-common (and update go.sum) to pick up OrgID support on SecretsRequestParams.
  • Bump chainlink-protos/cre/go to the referenced newer version.

Human review focus:

  • core/capabilities/confidentialrelay/handler.go:226-244 — confirm WorkflowOwner/OrgId values match what Vault expects for TDH2 label validation (including normalization expectations).
  • Dependency bumps (go.mod / go.sum) — ensure no unintended transitive changes affect other capabilities.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

File | Description
core/capabilities/confidentialrelay/handler.go | Populate top-level Vault request identity fields needed for ciphertext label validation.
go.mod | Bump chainlink-common and chainlink-protos/cre/go versions.
go.sum | Update checksums to match the module version bumps.

Covers the MethodSecretsGet code path in the relay handler, verifying
that WorkflowOwner is EIP-55 normalized on the vault request and OrgId
is passed through from the incoming params.
@trunk-io

trunk-io bot commented Apr 13, 2026


Failed Test | Failure Summary | Logs
Test_CCIPTokenTransfer_EVM2Sui_ManagedTokenPool_NoRateLimit | | Logs ↗︎


@nadahalli nadahalli requested a review from a team as a code owner April 13, 2026 12:26
@github-actions
Contributor

github-actions bot commented Apr 13, 2026

CORA - Pending Reviewers

Codeowners Entry | Overall | Num Files | Owners
/core/capabilities/ | | 2 | @smartcontractkit/keystone, @smartcontractkit/capabilities-team
go.mod | | 6 | @smartcontractkit/core, @smartcontractkit/foundations
go.sum | | 6 | @smartcontractkit/core, @smartcontractkit/foundations
integration-tests/go.mod | | 1 | @smartcontractkit/core, @smartcontractkit/devex-tooling, @smartcontractkit/foundations
integration-tests/go.sum | | 1 | @smartcontractkit/core, @smartcontractkit/devex-tooling, @smartcontractkit/foundations

Legend: ✅ Approved | ❌ Changes Requested | 💬 Commented | 🚫 Dismissed | ⏳ Pending | ❓ Unknown

For more details, see the full review summary.


vaultReq := &vault.GetSecretsRequest{
Requests: make([]*vault.SecretRequest, 0, len(params.Secrets)),
Requests: make([]*vault.SecretRequest, 0, len(params.Secrets)),
WorkflowOwner: normalizedOwner,
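Review bot: this excerpt sets WorkflowOwner: normalizedOwner but OrgId is not visible in it; since the description states that observeGetSecretsRequest derives expectedLabels from both top-level fields and rejects every secret when they are empty, confirm OrgId is populated from the incoming params in the same struct literal, and that normalizedOwner is the EIP-55 form the plugin compares against (the commit message says the added test covers exactly that path).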
Contributor


When is this relay going to be productionized or enabled on staging?
If sometime soon, then let's keep this as a gated behavior like other places.

As examples, see these:

if orgIDGateEnabled {
metadata.OrgID = s.orgID
}

https://github.com/smartcontractkit/confidential-compute/blob/d15b1f458d2b7e85d314577bdf56dbd2dfd855a3/capabilities/framework/executor.go#L892-L899

Method: vault.MethodGetSecrets,
CapabilityId: vault.CapabilityID,
Config: values.EmptyMap(),
Metadata: capabilities.RequestMetadata{
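Review bot: the RequestMetadata literal here carries no OrgID, so the capability-layer metadata will disagree with the OrgId now set on the vault request body; populate metadata OrgID from the same value used for the request body so the two scopes cannot drift, and keep it behind the same orgIDGateEnabled check used elsewhere.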
Contributor


You need to set OrgID here too, and behind the same gate as this:

if orgIDGateEnabled {
metadata.OrgID = s.orgID
}


3 participants