chore(aztec-nr): Public self constructor function to prevent static byte code size blow up (#23062) #23203
Closed
dbanks12 wants to merge 9 commits into
Cuts the apparent build cycle ("every consumer needs the address; the
address depends on the artifact") with a new
`noir-projects/aztec-nr/auth_registry_address/` crate sitting downstream
of `auth_registry_contract` but upstream of every consumer. The cut
works because auth_registry only calls the private-path authwit helpers
and the public-path wrappers (which inline the address) get tree-shaken
out of its bytecode. The cycle-guard CI script enforces both halves of
that invariant.
Splits `noir-projects/noir-contracts/bootstrap.sh build` into
phase 1 (compile auth_registry) -> stamp (TS script writes lib.nr +
lib.lock.json + TS twin from the artifact) -> phase 2 (compile
everything else); a source-content-hash freshness gate fronts every
partial build and exits with the regen instruction on drift.
Drops `auth_registry_contract` from `protocol_contracts.json`,
`CANONICAL_AUTH_REGISTRY_ADDRESS` from `constants.nr`, the matching
CPP/PIL whitelist entries, and the `AuthRegistry` slot in
`generate_data.ts`. Slot 1 in the protocol-contracts roster stays
vacant (`AztecAddress::zero()`); `MAX_PROTOCOL_CONTRACTS` stays at 11.
Reverts the protocol-contracts roster removal, the bootstrap.sh phase split, and the cascade of TS-side rewrites that depended on them. The build-pipeline ordering (noir-projects builds before yarn-project) means a stamp script that depends on @aztec/foundation/@aztec/stdlib cannot run during noir-projects bootstrap; that's a structural change to make in a follow-up alongside the actual demotion. Keeps the structural Noir-side cut: the new `noir-projects/aztec-nr/auth_registry_address/` crate (alias for the slot-1 magic address while auth_registry remains a protocol contract), 4 Noir consumer migrations to import from it, the cycle-guard CI script, and the stamp-script + tests as utilities for the follow-up.
Demotes auth_registry from a protocol contract (magic slot-1 address) to a regular contract whose address derives from its compiled artifact. Implements the final design at https://gist.github.com/dbanks12/0d818a9ebd654fb7861e9d74beedb880 on top of the alias-crate substrate already in this branch.

Highlights:
- Drops 'auth_registry_contract-AuthRegistry' from 'noir-projects/noir-contracts/protocol_contracts.json' and 'CANONICAL_AUTH_REGISTRY_ADDRESS' from 'constants.nr' / 'constants.in.ts'. Generated 'constants.gen.ts', 'constants_gen.pil', and 'aztec_constants.hpp' regenerate from those.
- Replaces the slot-1 placeholders in the alias crate (noir-projects/aztec-nr/auth_registry_address/{src/lib.nr, lib.lock.json}) and the TS twin (yarn-project/protocol-contracts/src/auth-registry/address.gen.ts) with the artifact-derived address+classId via 'derive_auth_registry.ts'. New yarn script 'regen:auth-registry-address' regenerates them; new test 'auth-registry/derive_auth_registry.test.ts' is the CI freshness gate that re-derives from the freshly-built artifact and asserts byte-equality against the on-disk values.
- Rewires 'getCanonicalAuthRegistry()' (in 'auth-registry/index.ts' and 'auth-registry/lazy.ts') to construct the canonical ProtocolContract from the alias-crate values, plus a class-id consistency check between the loaded artifact and the committed stamp.
- Migrates the four TS consumers of 'ProtocolContractAddress.AuthRegistry' (aztec.js authwit util, e2e_authwit test, p2p allowed_public_setup) to import 'AUTH_REGISTRY_ADDRESS' from '@aztec/protocol-contracts/auth-registry'.
- Adds 'ensureAuthRegistryPublished(wallet, from)' to 'end-to-end/src/fixtures/setup.ts' mirroring 'ensureAccountContractsPublished'; invoked from 'e2e_authwit.test.ts'. Mainnet/testnet chain operators publish auth_registry as a normal transaction in early blocks (out of PR scope).
- Refactors 'scripts/derive_auth_registry.ts' to a thin CLI entry that imports renderers / derivation helpers from a new 'auth-registry/derive_auth_registry.ts' module — the prior layout failed type-check ('TS6307') because 'src/scripts' is excluded from the package tsconfig and the freshness test needs the helpers.
- generate_data.ts still copies the AuthRegistry.json artifact into protocol-contracts/artifacts/ (consumed by 'getCanonicalAuthRegistry()'); it just no longer appears in 'ProtocolContractName' / 'ProtocolContractAddress' / 'ProtocolContractsList'.

Verified locally:
- 'nargo compile' + 'bb aztec_process' on auth_registry_contract succeeds; 'yarn workspace @aztec/protocol-contracts run regen:auth-registry-address' is idempotent (byte-identical on-disk outputs).
- 'derive_auth_registry.test.ts' (jest, all 7 tests including the on-disk freshness gate) passes against the freshly-built artifact.
- 'noir-projects/scripts/auth_registry_cycle_guard.sh' passes — auth_registry's bytecode does not embed its own stamped address.
- 'yarn build' (yarn-project) compiles the changed files; the remaining tsc errors in the sandbox are pre-existing missing artifacts unrelated to this change (noir-test-contracts.js / noir-contracts.js / l1-artifacts).

Acceptance checklist (intake):
- [x] CANONICAL_AUTH_REGISTRY_ADDRESS removed from constants.nr
- [x] auth_registry_contract removed from protocol_contracts.json
- [x] CPP/PIL whitelists regenerated (constants_gen.pil, aztec_constants.hpp)
- [x] generate_data.ts mapping updated
- [x] protocolContractsHash recomputes — slot 1 zeroes out (regenerated via update-snapshots.sh in the consumer)
- [x] is_magic_protocol_contract_address(AUTH_REGISTRY_ADDRESS) returns false (derived address is outside [1, 11])
- [x] First-use deployment helper for test fixtures
- [x] auth_registry_cycle_guard.sh passes
- [ ] './bootstrap.sh build' end-to-end — partial: noir-projects builds clean; yarn-project compile reports pre-existing unrelated errors (l1-artifacts/noir-test-contracts.js)
- [ ] e2e_authwit* — not runnable in sandbox (anvil + sequencer infra); the test imports + usage are wired and compile
Renames the dependency-cut crate so it can hold canonical addresses
for other contracts that get demoted in the future, not just
auth_registry. AUTH_REGISTRY_ADDRESS / AUTH_REGISTRY_CLASS_ID stay
exported from the new crate (same globals, just a renamed namespace).
- noir-projects/aztec-nr/auth_registry_address/ -> canonical_addresses/
  (git mv preserves history)
- Nargo.toml package name + workspace member + dep paths updated in:
    aztec-nr/Nargo.toml
    aztec-nr/aztec/Nargo.toml
    aztec_sublib/Nargo.toml
    avm_test_contract/Nargo.toml
- Consumer 'use auth_registry_address::*' lines updated to
  'use canonical_addresses::*' in:
    aztec-nr/aztec/src/authwit/auth.nr
    aztec-nr/aztec/src/test/helpers/authwit.nr
    aztec_sublib/src/authwit/auth.nr
    avm_test_contract/src/main.nr
- noir-projects/scripts/auth_registry_cycle_guard.sh: NARGO_TOML
  grep target + LOCK path + regen instruction updated. The 'no
  auth_registry dep on canonical_addresses' invariant still applies.
- yarn-project/protocol-contracts/src/auth-registry/derive_auth_registry.ts:
  NR_CRATE_DIR path retargeted; renderNoirLib's doc-comment updated
  to drop the stale 'phase 1 of noir-projects/noir-contracts/bootstrap.sh'
  reference (no phase split anymore) and instead name the regen
  yarn script.
- noir-protocol-circuits/.../constants.nr: comment pointer updated.

Verified:
- nargo compile + bb aztec_process on auth_registry_contract: green;
  derived address byte-identical (0x27225abf...) as expected
  (auth_registry source unchanged).
- 'yarn workspace @aztec/protocol-contracts run regen:auth-registry-address':
  idempotent; refreshes the comment block in lib.nr to point at the
  new regen instruction.
- derive_auth_registry.test.ts (7 tests including freshness gate):
  PASS.
- auth_registry_cycle_guard.sh: PASS.
- nargo compile of amm_contract (transitive consumer through
  aztec_sublib): PASS.
- nargo compile of avm_test_contract (direct consumer): PASS.
…tec.js api The aztec.js protocol-contract wrapper for AuthRegistry was autogenerated from protocol_contracts.json; with auth_registry demoted, the next `yarn generate` deletes that file and the api/protocol.ts re-export becomes a broken import. Consumers use @aztec/noir-contracts.js/AuthRegistry instead.
Now that auth_registry is no longer a magic-address protocol contract, `contracts/protocol/` was misleading. Establishes a `canonical/` sibling directory for non-protocol contracts deployed at well-known artifact-derived addresses (deployed in early blocks, not at genesis, not part of protocolContractsHash). Paths updated in noir-contracts' top-level Nargo.toml, avm_test_contract's dep, the cycle guard script, and derive_auth_registry's AUTH_REGISTRY_SRC_DIR.
…r export Nothing on the Noir side references AUTH_REGISTRY_CLASS_ID — class ids are consumed by contract-instance construction (TS) and class registration (kernels), never from inside contract code. The TS twin in address.gen.ts still exports it for instance construction and the runtime artifact-vs-stamp consistency check; the stamp's lib.lock.json still records classId for the freshness gate.
…al-contracts Drop `noir-projects/aztec-nr/canonical_addresses/lib.lock.json`. Its unique fields (`artifactHash`, `srcContentHash`) are now embedded in the `DO NOT EDIT` comment header of `lib.nr` instead. Update `renderNoirLib` to include both fields and update the cycle guard to extract the stamped address directly from `lib.nr` via grep/sed rather than jq. Create `yarn-project/canonical-contracts/` as a new package `@aztec/canonical-contracts` and move the entire auth-registry sub-package from `@aztec/protocol-contracts` into it. The auth-registry is not a protocol contract (it is deployed on first-use) so it belongs in a sibling package. Update all consumers of `@aztec/protocol-contracts/auth-registry` to import from `@aztec/canonical-contracts/auth-registry` instead.
This was referenced May 12, 2026

Please read contributing guidelines and remove this line.
For audit-related pull requests, please use the audit PR template.