
feat(nitro-verifier): add revoker role for automated cert revocation#241

Merged
leopoldjoy merged 2 commits into main from leopoldjoy/chain-3890-add-revoker-role-to-nitroenclaveverifier-for-automated-cert
Apr 7, 2026

Conversation

@leopoldjoy
Contributor

Summary

  • Adds a dedicated revoker address to NitroEnclaveVerifier that can call revokeCert() without needing the owner multisig key
  • Enables an automated service (the registrar) to revoke compromised intermediate certificates with minimal latency
  • Settable in the constructor and via setRevoker() (owner-only)

Problem

NitroEnclaveVerifier.revokeCert() is currently onlyOwner (a multisig). If AWS revokes an intermediate cert early (key compromise while still valid), the only mechanism is a manual revokeCert() call by the owner multisig, adding human latency to incident response.

Risk Assessment

A compromised revoker key can only delete cached certs (DoS — increased proving costs since the ZK guest must re-verify more of the certificate chain), not forge attestations. Low blast radius.

Changes

NitroEnclaveVerifier.sol

  • State: address public revoker
  • Error: CallerNotOwnerOrRevoker()
  • Event: RevokerUpdated(address indexed newRevoker)
  • Modifier: onlyOwnerOrRevoker — allows either owner() or revoker
  • Constructor: Added initialRevoker parameter (can be address(0) to disable)
  • setRevoker(address): Owner-only setter, emits RevokerUpdated
  • revokeCert(): Changed from onlyOwner to onlyOwnerOrRevoker
  • Semver: 0.2.0 → 0.3.0

INitroEnclaveVerifier.sol

  • Added revoker() external view returns (address)
  • Added setRevoker(address) external
  • Updated revokeCert natspec

DeployRiscZeroStack.s.sol

  • Updated constructor call with address(0) for initialRevoker

Tests (NitroEnclaveVerifier.t.sol)

9 new tests (72 total, all passing):

  • testConstructorSetsRevoker — constructor sets revoker correctly
  • testConstructorAcceptsZeroRevoker — address(0) disables the role
  • testRevokerCanRevokeCert — revoker can call revokeCert
  • testOwnerCanStillRevokeCert — owner retains revokeCert access
  • testSetRevoker — owner can update revoker
  • testSetRevokerToZeroDisablesRole — setting to zero prevents old revoker
  • testSetRevokerEmitsEvent — RevokerUpdated event emitted
  • testSetRevokerRevertsIfNotOwner — non-owner cannot set revoker
  • testSetRevokerRevertsIfCalledByRevoker — revoker cannot set itself
  • testRevokeCertRevertsIfNotOwnerOrRevoker — unauthorized caller gets CallerNotOwnerOrRevoker

Related

  • CHAIN-3890
  • Stacked on #240 (Step 2: expiry-aware caching)
  • Part 3 of the intermediate certificate expiry tracking initiative
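The owner-or-revoker split described in the Changes list above, as an added Solidity sketch that is not the project's NitroEnclaveVerifier code: the cache layout (a bytes32 certificate hash mapped to an expiry timestamp), the revokeCert argument type, the hand-rolled owner in place of whatever Ownable base the real contract uses, the CertRevoked event and the cacheCert helper are all assumptions made for illustration. The Foundry test at the bottom exercises the two properties the PR's risk assessment rests on: a revoker can delete a cache entry but cannot call setRevoker, and a zero revoker disables the role.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Illustrative sketch of the owner-or-revoker pattern in this PR.
/// Not the project's NitroEnclaveVerifier: the cache shape, the revokeCert
/// argument, the owner handling and the CertRevoked event are assumptions.
contract RevokerRoleSketch {
    address public owner;
    address public revoker;

    // Assumed cache shape: keccak256 of an intermediate cert => cached-until timestamp.
    mapping(bytes32 => uint256) public cachedCertExpiry;

    error CallerNotOwner();
    error CallerNotOwnerOrRevoker();

    event RevokerUpdated(address indexed newRevoker);
    event CertRevoked(bytes32 indexed certHash); // assumed event name

    constructor(address initialRevoker) {
        owner = msg.sender;
        // address(0) leaves the role disabled: no external call ever has
        // msg.sender == address(0), so the revoker branch below cannot match.
        revoker = initialRevoker;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert CallerNotOwner();
        _;
    }

    modifier onlyOwnerOrRevoker() {
        if (msg.sender != owner && msg.sender != revoker) revert CallerNotOwnerOrRevoker();
        _;
    }

    /// Owner-only: the revoker cannot rotate itself or hand the role to another key.
    function setRevoker(address newRevoker) external onlyOwner {
        revoker = newRevoker;
        emit RevokerUpdated(newRevoker);
    }

    /// Assumed stand-in for the real cache fill path, which the PR says is fed
    /// by a ZK-verified certificate chain rather than a plain owner call.
    function cacheCert(bytes32 certHash, uint256 expiry) external onlyOwner {
        cachedCertExpiry[certHash] = expiry;
    }

    /// Revocation only deletes a cache entry. It cannot insert or alter one,
    /// which is why the PR rates a compromised revoker key as a DoS risk only.
    function revokeCert(bytes32 certHash) external onlyOwnerOrRevoker {
        delete cachedCertExpiry[certHash];
        emit CertRevoked(certHash);
    }
}

contract RevokerRoleSketchTest is Test {
    RevokerRoleSketch internal verifier;
    address internal constant REVOKER = address(0xBEEF);
    bytes32 internal constant CERT = keccak256("constructed-intermediate-cert");

    function setUp() public {
        verifier = new RevokerRoleSketch(REVOKER);
        verifier.cacheCert(CERT, block.timestamp + 30 days);
    }

    function testRevokerCanRevokeButCannotRotate() public {
        vm.prank(REVOKER);
        verifier.revokeCert(CERT);
        assertEq(verifier.cachedCertExpiry(CERT), 0);

        // The revoker has no path to setRevoker, so it cannot escalate.
        vm.prank(REVOKER);
        vm.expectRevert(RevokerRoleSketch.CallerNotOwner.selector);
        verifier.setRevoker(REVOKER);
    }

    function testZeroRevokerDisablesRole() public {
        verifier.setRevoker(address(0));

        vm.prank(REVOKER);
        vm.expectRevert(RevokerRoleSketch.CallerNotOwnerOrRevoker.selector);
        verifier.revokeCert(CERT);
    }
}
```

Run with `forge test` in a project that has forge-std installed. Note that setRevoker deliberately accepts address(0) and performs no zero check: that is the mechanism by which the owner disables the role, so a reviewer should not flag the missing check as a bug, but should confirm, as the PR's test list does, that the old revoker is rejected immediately after the role is zeroed.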

@linear

linear bot commented Apr 6, 2026

@leopoldjoy leopoldjoy force-pushed the leopoldjoy/chain-3890-add-revoker-role-to-nitroenclaveverifier-for-automated-cert branch 2 times, most recently from 8230502 to 2e5c7cb Compare April 7, 2026 01:07
Base automatically changed from leopoldjoy/chain-3889-add-expiry-aware-intermediate-certificate-caching-to to main April 7, 2026 13:18
An error occurred while trying to automatically change base from leopoldjoy/chain-3889-add-expiry-aware-intermediate-certificate-caching-to to main April 7, 2026 13:18
@cb-heimdall
Collaborator

cb-heimdall commented Apr 7, 2026

✅ Heimdall Review Status

Requirement: Reviews
Status: 1/1

Denominator calculation:
  1 if user is bot: 0
  1 if user is external: 0
  2 if repo is sensitive: 0
  From .codeflow.yml: 1
Additional review requirements:
  Max: 0
    From CODEOWNERS: 0
    Global minimum: 0
  Max: 1
    1 if commit is unverified: 0
  Sum: 1

Add a dedicated revoker address to NitroEnclaveVerifier that can call
revokeCert() without needing the owner multisig key. This enables an
automated service (the registrar) to revoke compromised intermediate
certificates with minimal latency.

A compromised revoker key can only delete cached certs (DoS - increased
proving costs), not forge attestations. Low blast radius.

Changes:
- Add revoker state variable, CallerNotOwnerOrRevoker error,
  RevokerUpdated event, onlyOwnerOrRevoker modifier
- Add initialRevoker parameter to constructor (can be address(0))
- Add setRevoker() owner-only setter
- Change revokeCert from onlyOwner to onlyOwnerOrRevoker
- Update interface with revoker(), setRevoker(), event, error
- 9 new tests for revoker role semantics
- Semver: 0.2.0 -> 0.3.0

CHAIN-3890
@leopoldjoy leopoldjoy force-pushed the leopoldjoy/chain-3890-add-revoker-role-to-nitroenclaveverifier-for-automated-cert branch from 2e5c7cb to 81a2372 Compare April 7, 2026 13:45
@leopoldjoy leopoldjoy merged commit 3d69d36 into main Apr 7, 2026
8 checks passed
@leopoldjoy leopoldjoy deleted the leopoldjoy/chain-3890-add-revoker-role-to-nitroenclaveverifier-for-automated-cert branch April 7, 2026 14:48