rofl-appd-localnet: Add appd for Localnet

.github/workflows/ci-lint.yml

@@ -38,6 +38,7 @@ jobs:
         uses: ./.github/actions/lint-rust
         with:
           features: debug-logging,test,unsafe-allow-debug
+          exclude: rofl-appd-localnet
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Lint Rust code (mock TEE)
@@ -51,6 +52,7 @@ jobs:
         uses: ./.github/actions/lint-rust
         with:
           features: tdx
+          exclude: rofl-appd-localnet
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Lint Hello contract code

.github/workflows/ci-test.yaml

@@ -29,7 +29,6 @@ permissions:
 
 jobs:
   test-rust:
-    # NOTE: This name appears in GitHub's Checks API.
     name: test-rust
     runs-on: ubuntu-latest
     steps:
@@ -56,18 +55,56 @@ jobs:
       - name: Test Rust code
         uses: ./.github/actions/test-rust
 
+  test-rust-rofl-appd-localnet:
+    name: test-rust-rofl-appd-localnet
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Rust
+        run: rustup show
+
+      - name: Test rofl-appd-localnet code
+        uses: ./.github/actions/test-rust
+        with:
+          manifest_path: rofl-appd-localnet/Cargo.toml
+
+  test-rust-hello-contract:
+    name: test-rust-hello-contract
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Rust
+        run: rustup show
+
+      - name: Build test contracts
+        working-directory: tests/contracts/hello
+        run: cargo build --target wasm32-unknown-unknown --release
+
       - name: Test Hello contract code
         uses: ./.github/actions/test-rust
         with:
           manifest_path: tests/contracts/hello/Cargo.toml
 
+  test-rust-oas20-contract:
+    name: test-rust-oas20-contract
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Rust
+        run: rustup show
+
       - name: Test OAS-20 contract
         uses: ./.github/actions/test-rust
         with:
           manifest_path: contract-sdk/specs/token/oas20/Cargo.toml
 
   test-rust-sgx:
-    # NOTE: This name appears in GitHub's Checks API.
     name: test-rust-sgx
     runs-on: ubuntu-latest
     steps:
@@ -94,7 +131,6 @@ jobs:
           CC_x86_64_fortanix_unknown_sgx: clang-18
 
   check-core-versions:
-    # NOTE: This name appears in GitHub's Checks API.
     name: check-core-versions
     runs-on: ubuntu-latest
     steps:
@@ -105,7 +141,6 @@ jobs:
         run: ./tests/check-core-versions.sh
 
   test-go:
-    # NOTE: This name appears in GitHub's Checks API.
     name: test-go
     runs-on: ubuntu-latest
     steps:
@@ -128,7 +163,6 @@ jobs:
           use_oidc: true  # Upload authentication to avoid rate-limiting
 
   test-go-tools:
-    # NOTE: This name appears in GitHub's Checks API.
     name: test-tools
     runs-on: ubuntu-latest
     steps:
@@ -149,7 +183,6 @@ jobs:
         run: go build
 
   typecheck:
-    # NOTE: This name appears in GitHub's Checks API.
     name: typecheck
     runs-on: ubuntu-latest
     steps:
@@ -204,7 +237,6 @@ jobs:
         run: npx typedoc
 
   e2e-ts-web-core:
-    # NOTE: This name appears in GitHub's Checks API.
     name: e2e-ts-web-core
     runs-on: ubuntu-latest
     steps:
@@ -279,7 +311,6 @@ jobs:
             /tmp/oasis-net-runner-sdk-core/**/*.log
 
   e2e-ts-web-ext-utils:
-    # NOTE: This name appears in GitHub's Checks API.
     name: e2e-ts-web-ext-utils
     runs-on: ubuntu-latest
     steps:
@@ -317,7 +348,6 @@ jobs:
           path: client-sdk/ts-web/ext-utils/cypress/screenshots
 
   e2e-ts-web-rt:
-    # NOTE: This name appears in GitHub's Checks API.
     name: e2e-ts-web-rt
     runs-on: ubuntu-latest
     env:
@@ -407,7 +437,6 @@ jobs:
             /tmp/fixture.json
 
   e2e-rt:
-    # NOTE: This name appears in GitHub's Checks API.
     name: e2e-rt
     runs-on: ubuntu-latest
     steps:
@@ -521,7 +550,6 @@ jobs:
         run: npx typedoc
 
   ts-web-core-reflect:
-    # NOTE: This name appears in GitHub's Checks API.
     name: ts-web-core-reflect
     runs-on: ubuntu-latest
     steps:
@@ -548,7 +576,6 @@ jobs:
           diff -u --color=always /tmp/current.ts /tmp/reflect-out.ts || true
 
   ts-web-rt-reflect:
-    # NOTE: This name appears in GitHub's Checks API.
     name: ts-web-rt-reflect
     runs-on: ubuntu-latest
     steps:
@@ -562,7 +589,6 @@ jobs:
           npm run-script check-missing-methods
 
   benchmark-rt:
-    # NOTE: This name appears in GitHub's Checks API.
     name: benchmark-rt
     runs-on: ubuntu-latest
     timeout-minutes: 30

.github/workflows/release-rofl-appd-localnet.yml

@@ -0,0 +1,32 @@
+name: release-rofl-appd-localnet
+
+on:
+  push:
+    tags:
+      - "rofl-appd-localnet/v[0-9]+.[0-9]+*"
+
+permissions:
+  contents: write
+
+jobs:
+  release-rofl-appd-localnet:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Oasis CLI
+        uses: oasisprotocol/setup-cli-action@0.0.2
+        with:
+          version: '0.18.5'
+
+      - name: Build rofl-appd-localnet for Localnet
+        working-directory: rofl-appd-localnet
+        run: oasis rofl build --deployment localnet --offline
+
+      - name: Publish the release
+        uses: ncipollo/release-action@v1
+        with:
+          artifacts: rofl-appd-localnet/rofl-appd-localnet.localnet.orc
+          token: ${{ secrets.GITHUB_TOKEN }}
+          artifactErrorsFailBuild: true

.github/workflows/release-rofl-scheduler.yml

@@ -22,11 +22,11 @@ jobs:
 
       - name: Build rofl-scheduler for Testnet
         working-directory: rofl-scheduler
-        run: ../oasis rofl build --deployment testnet --offline --verify
+        run: oasis rofl build --deployment testnet --offline --verify
 
       - name: Build rofl-scheduler for Mainnet
         working-directory: rofl-scheduler
-        run: ../oasis rofl build --deployment mainnet --offline --verify
+        run: oasis rofl build --deployment mainnet --offline --verify
 
       - name: Publish the release
         uses: ncipollo/release-action@v1

Cargo.toml

@@ -35,6 +35,8 @@ members = [
     "tests/runtimes/components-rofl",
 ]
 exclude = [
+    # Localnet-only ROFL. Conflicts with production TDX flags.
+    "rofl-appd-localnet",
     # Test contracts.
     "tests/contracts",
     # Example contracts and runtimes.

rofl-appd-localnet/.cargo/config.toml

@@ -0,0 +1,7 @@
+[build]
+rustflags = ["-C", "target-feature=+aes,+ssse3"]
+rustdocflags = ["-C", "target-feature=+aes,+ssse3"]
+
+[test]
+rustflags = ["-C", "target-feature=+aes,+ssse3"]
+rustdocflags = ["-C", "target-feature=+aes,+ssse3"]

rofl-appd-localnet/.gitignore

@@ -0,0 +1 @@
+*.orc

rofl-appd-localnet/Cargo.toml

@@ -0,0 +1,18 @@
+[package]
+name = "rofl-appd-localnet"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+# Oasis SDK.
+oasis-runtime-sdk = { path = "../runtime-sdk", features = ["debug-mock-sgx"] }
+rofl-app-core = { path = "../rofl-app-core" }
+rofl-appd = { path = "../rofl-appd" }
+
+# Third-party dependencies.
+async-trait = "0.1.77"
+tokio = { version = "1.38", features = ["rt", "rt-multi-thread"] }
+
+[features]
+# Mock SGX in non-SGX builds.
+debug-mock-sgx = []

rofl-appd-localnet/rofl.yaml

@@ -0,0 +1,32 @@
+name: rofl-appd-localnet
+version: 0.1.0
+tee: sgx
+kind: raw
+resources:
+  memory: 512
+  cpus: 1
+artifacts:
+  builder: ghcr.io/oasisprotocol/rofl-dev:v0.1.0@sha256:1d2b77c25811f70219f366153265702417e0e4a08067a68cce4d132e253d7607
+deployments:
+  localnet:
+    app_id: rofl1qqn9xndja7e2pnxhttktmecvwzz0yqwxsquqyxdf
+    network: testnet
+    paratime: sapphire
+    admin: test:bob
+    debug: true
+    policy:
+      quotes:
+        pcs:
+          tcb_validity_period: 30
+          min_tcb_evaluation_data_number: 18
+      enclaves:
+        - id: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
+        - id: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
+        - id: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
+        - id: 0+tTmlVjUvP0eIHXH7Dld3svPppCUdKDwYxnzplndLdOPdSOjtlloBWDuG9YL6TzIL975QTZJ8zMhMUdWMkR8A==
+      endorsements:
+        - any: {}
+      fees: endorsing_node
+      max_expiration: 3
+tooling:
+  version: 0.18.5

rofl-appd-localnet/rust-toolchain.toml

@@ -0,0 +1,5 @@
+[toolchain]
+channel = "nightly-2025-05-09"
+components = ["rustfmt", "clippy"]
+targets = ["x86_64-fortanix-unknown-sgx", "x86_64-unknown-linux-musl"]
+profile = "minimal"

rofl-appd-localnet/src/main.rs

@@ -0,0 +1,54 @@
+use std::sync::Arc;
+
+use oasis_runtime_sdk::core::common::{logger::get_logger, process};
+use rofl_app_core::prelude::*;
+use rofl_appd::services;
+
+/// UNIX socket address where the REST API server will listen on.
+const ROFL_APPD_ADDRESS: &str = "unix:/rofls/rofl-appd.sock";
+
+struct AppdLocalnetApp;
+
+#[async_trait]
+impl App for AppdLocalnetApp {
+    /// Application version.
+    const VERSION: Version = sdk::version_from_cargo!();
+
+    async fn post_registration_init(self: Arc<Self>, env: Environment<Self>) {
+        let logger = get_logger("post_registration_init");
+
+        // Start the key management service and wait for it to initialize.
+        let kms: Arc<dyn services::kms::KmsService> =
+            Arc::new(services::kms::OasisKmsService::new(env.clone()));
+        let kms_task = kms.clone();
+        tokio::spawn(async move { kms_task.start().await });
+        let _ = kms.wait_ready().await;
+
+        // Initialize the metadata service.
+        let metadata = match services::metadata::OasisMetadataService::new(env.clone()).await {
+            Ok(service) => Arc::new(service) as Arc<dyn services::metadata::MetadataService>,
+            Err(err) => {
+                slog::error!(logger, "failed to create metadata service"; "err" => ?err);
+                process::abort();
+            }
+        };
+
+        // Start the REST API server.
+        slog::info!(logger, "starting the API server");
+        let cfg = rofl_appd::Config {
+            address: ROFL_APPD_ADDRESS,
+            kms,
+            metadata,
+        };
+        tokio::spawn(async move {
+            if let Err(err) = rofl_appd::start(cfg, env).await {
+                slog::error!(logger, "failed to start API server"; "err" => ?err);
+                process::abort();
+            }
+        });
+    }
+}
+
+fn main() {
+    AppdLocalnetApp.start();
+}

rofl-appd/Cargo.toml

@@ -6,9 +6,9 @@ edition = "2021"
 [dependencies]
 # Oasis SDK.
 cbor = { version = "0.5.1", package = "oasis-cbor" }
-oasis-runtime-sdk = { path = "../runtime-sdk", features = ["tdx"] }
+oasis-runtime-sdk = { path = "../runtime-sdk" }
 oasis-runtime-sdk-evm = { path = "../runtime-sdk/modules/evm" }
-rofl-app-core = { path = "../rofl-app-core", features = ["tdx"] }
+rofl-app-core = { path = "../rofl-app-core" }
 
 # Third party.
 anyhow = "1.0.86"
@@ -37,5 +37,7 @@ serde_json = "1.0"
 
 [features]
 default = ["tx"]
+# TDX build.
+tdx = ["oasis-runtime-sdk/tdx", "rofl-app-core/tdx"]
 # Add routes for transaction submission.
 tx = []

rofl-containers/Cargo.toml

@@ -8,7 +8,7 @@ edition = "2021"
 cbor = { version = "0.5.1", package = "oasis-cbor" }
 oasis-runtime-sdk = { path = "../runtime-sdk", features = ["tdx"] }
 rofl-app-core = { path = "../rofl-app-core", features = ["tdx"] }
-rofl-appd = { path = "../rofl-appd" }
+rofl-appd = { path = "../rofl-appd", features = ["tdx"] }
 rofl-proxy = { path = "../rofl-proxy" }
 
 # Third party.