vault: integrate linking service identity resolution

[prashantkumar1982]

Summary

This integrates the Vault capability with the linking service so requests can resolve and verify org identity before they are forwarded to the vault OCR plugin.

The behavior remains gated by VaultOrgIdAsSecretOwnerEnabled.
When that limiter is disabled, the linker is a no-op and request identity fields pass through unchanged.

What Changed

• add a dedicated Vault linker layer that takes org_id and workflow_owner, returns trusted values, or fails
• resolve org_id from workflow_owner through the linking service when needed
• verify workflow_owner -> org_id mappings when both fields are present, and reject mismatches
• wire the linker into Vault CRUD requests and GetSecrets so forwarded plugin requests carry the resolved identity fields
• use the shared OrgResolver path for linking-service calls, including its existing node-JWT-authenticated request flow
• add targeted logging around identity resolution and failure paths

[github-actions]

👋 prashantkumar1982, thanks for creating this pull request!

To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team.

Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks!

[github-actions]

I see you updated files related to core. Please run make gocs in the root directory to add a changeset as well as in the text include at least one of the following tags:

• #added For any new functionality added.
• #breaking_change For any functionality that requires manual action for the node to boot.
• #bugfix For bug fixes.
• #changed For any change to the existing functionality.
• #db_update For any feature that introduces updates to database schema.
• #deprecation_notice For any upcoming deprecation functionality.
• #internal For changesets that need to be excluded from the final changelog.
• #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
• #removed For any functionality/config that is removed.
• #updated For any functionality that is updated.
• #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

[github-actions]

✅ No conflicts with other open PRs targeting develop

[trunk-io]

     

View Full Report ↗︎ ⋅ Docs

[github-actions]

CORA - Pending Reviewers

Codeowners Entry	Overall	Num Files	Owners
*	⏳	1	@smartcontractkit/foundations, @smartcontractkit/core
/core/capabilities/	⏳	4	@smartcontractkit/keystone, @smartcontractkit/capabilities-team
/core/services/ocr*	⏳	1	@smartcontractkit/foundations, @smartcontractkit/core
go.mod	⏳	6	@smartcontractkit/core, @smartcontractkit/foundations
go.sum	⏳	6	@smartcontractkit/core, @smartcontractkit/foundations
integration-tests/go.mod	⏳	1	@smartcontractkit/core, @smartcontractkit/devex-tooling, @smartcontractkit/foundations
integration-tests/go.sum	⏳	1	@smartcontractkit/core, @smartcontractkit/devex-tooling, @smartcontractkit/foundations

Legend: ✅ Approved | ❌ Changes Requested | 💬 Commented | 🚫 Dismissed | ⏳ Pending | ❓ Unknown

For more details, see the full review summary.

[cl-sonarqube-production]

Quality Gate passed

Issues
1 New issue
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[ibrajer]

Should this case go first? All other ones depend on it

[ibrajer]

I'm trying to understand the difference between case normalizedWorkflowOwner != "" and case resolvedIdentity.OrgID != "". Is there any case when both the normalizedWorkflowOwner and resolvedIdentity.OrgID are non-empty?

[ibrajer]

This can probably be extracted as an independent condition about this if statement, because it will be checked again on L95.