feat(NitroEnclaveVerifier): durable on-chain certificate revocation [non-urgent, post-Multiproving]

[leopoldjoy]

Priority

Not urgent. This change can ship after the Multiproving launch (Base V2 upgrade). Multiproving is the primary mitigation for any single-verifier gap; this PR closes a defense-in-depth hole that would otherwise require either a CA key compromise (Tier B) or an honest-but-racing registrar/admin scenario (Tier A) to exploit. There is no known active exploitation path against the current production configuration.

Summary

• Adds a persistent revokedCerts mapping that survives the _cacheNewCert suffix rewrite, so a previously revoked intermediate cert path cannot be silently re-trusted by submitting a new attestation that re-derives the same accumulated path digest.
• Adds unrevokeCert(bytes32) onlyOwner for governed re-trust (two-step: unrevoke, then re-cache via the next successful verify).
• Reverts in _cacheNewCert (Pass 1) and _verifyJournal (Pass 2) when a sentinel-keyed digest is encountered, plus an early short-circuit in checkTrustedIntermediateCerts.
• Bumps semver 0.3.0 → 0.4.0 (additive — no storage layout changes that move existing slots; only a new mapping appended).

Background — Immunefi #75608 / CHAIN-4194

_cacheNewCert previously rewrote suffix entries unconditionally. If the prefix length is 1 (the production registrar default), revoking an intermediate via revokeCert only zeroed the cached entry — a subsequent attestation re-deriving the same accumulated path digest would re-cache and re-trust it. The new revokedCerts[digest] = true sentinel is checked on every code path that would otherwise mark a cert as trusted, making revocation durable across attestations.

Triage: Low. Tier B requires CA key compromise to forge a new chain that hashes back to the revoked digest; Tier A requires a registrar honest-mistake / admin race. Both are mitigated in production today by operational controls and (post-launch) by Multiproving. This PR is hardening, not an incident response.

Changes

• src/L1/proofs/tee/NitroEnclaveVerifier.sol
  • New storage: mapping(bytes32 => bool) public revokedCerts (appended, layout-safe).
  • revokeCert: sets sentinel + zeroes any existing cached entry, emits CertRevoked.
  • unrevokeCert: clears sentinel only, emits CertUnrevoked (re-trust requires a fresh verify call to re-cache).
  • _cacheNewCert: skips writing trusted suffix entries whose accumulated digest is sentineled.
  • _verifyJournal: rejects with CertificateRevoked(digest) when traversal encounters a sentineled digest.
  • checkTrustedIntermediateCerts: short-circuits to false if any digest in the chain is sentineled.
• interfaces/L1/proofs/tee/INitroEnclaveVerifier.sol: declares revokedCerts, unrevokeCert, CertUnrevoked event, CertificateNotRevoked error.
• test/L1/proofs/NitroEnclaveVerifier.t.sol: 8 new tests covering revoke→re-attest rejection, unrevoke flow, sentinel collision behaviour, owner gating, and event emission. All 81/81 NitroEnclaveVerifier and 366/366 L1 proofs tests pass.
• Snapshots regenerated for NitroEnclaveVerifier only.

Compatibility

• Storage layout: strictly append-only. Existing slots untouched. Safe for in-place upgrade.
• Off-chain registrar: the companion offchain PR is backwards compatible with the current (unpatched) deployed contract — it fail-opens (warns + counter-bumps) when revokedCerts is not present, so the offchain change can be deployed in either order relative to this onchain upgrade.

Out of Scope / Notes

• Snapshot regen also produced unrelated drift in snapshots/abi/AggregateVerifier.json; intentionally not included in this PR.

[cb-heimdall]

🟡 Heimdall Review Status

Requirement	Status	More Info
Reviews	🟡 0/1	Denominator calculation Show calculation 1 if user is bot 0 1 if user is external 0 2 if repo is sensitive 0 From .codeflow.yml 1 Additional review requirements Show calculation Max 0 0 From CODEOWNERS 0 Global minimum 0 Max 1 1 1 if commit is unverified 0 Sum 1