Open
Conversation
This pull request updates the default value of the `TimeOffset` parameter throughout the codebase from 30,000 (milliseconds) to 30,000,000,000 (nanoseconds). This change ensures that time values are handled with nanosecond precision, aligning with expected time representations. The update is reflected in the parameter definition, as well as in all related tests and migration logic. Parameter precision update: * Changed the default `TimeOffset` in `DefaultParams` from 30,000 to 30,000,000,000 (nanoseconds), updating the comment to clarify the unit. (`x/jwk/types/params.go`) Test consistency: * Updated all test assertions to expect `TimeOffset` as 30,000,000,000 instead of 30,000, ensuring tests match the new default value. (`x/jwk/types/params_test.go`, `x/jwk/types/types_test.go`, `x/jwk/keeper/migrations_test.go`, `x/jwk/migrations/v1/migration_test.go`) [[1]](diffhunk://#diff-cb0b809ac4d8e2ee6df82c9cd7a2159e5d173d851abccbe914e610f160261f84L219-R219) [[2]](diffhunk://#diff-64fe9b0ec5e0940dc92128d5c035680d1774ef5a0540390532b510f864e575abL51-R51) [[3]](diffhunk://#diff-f084a59b36872240de7925b9bda565c5cea4de07539a534fd96d1b3c896c007fL27-R27) [[4]](diffhunk://#diff-15846506ea9459a8005bc9309b99eabf73583308edeab86279bb711596ffc2e8L44-R44) [[5]](diffhunk://#diff-15846506ea9459a8005bc9309b99eabf73583308edeab86279bb711596ffc2e8L67-R67) --------- Co-authored-by: Kostas Demiris <kostasdemiris@gmail.com>
Standardize @burnt-labs/burnt-devops to @burnt-labs/burnt-engineering/burnt-devops to match the nested team structure used in other repos.
This pull request updates the application and documentation to reflect the new upgrade version v29, and prepares the codebase for future module additions by generalizing upgrade logic. The most important changes are grouped below by theme. Upgrade version update: * Changed the upgrade version constant in `app/upgrades.go` from `v28` to `v29` to reflect the new upgrade. * Updated the API documentation version in `client/docs/config.yaml`, `client/docs/static/openapi.json`, and `client/docs/static/swagger.json` from `v28.1.0` to `v29.0.0`. [[1]](diffhunk://#diff-f8c6defcc262f9da2d31c779a3bf423772af16800e312eb9f0ef4fb861688252L5-R5) [[2]](diffhunk://#diff-386a246a0b4d1f3bb64a258ce2cb6f1f41a779c5d6d0b76d21a77dfc95d67fcaL6-R6) [[3]](diffhunk://#diff-29ed015c57a76af9d207430ce4bdb8a1a999afde18d1e069e7a03be7953dfcdaL6-R6) Generalization of upgrade logic for modules: * Removed direct references to `zk` and `dkim` modules in `app/upgrades.go`, replacing them with generalized placeholders for future module initialization and store upgrades. This makes the upgrade handler more flexible for adding new modules. [[1]](diffhunk://#diff-aeec7ddb4cf8b7e9e6e57625770d369cce5f377cc350b42c3aca0427bba8dfbcL13-R15) [[2]](diffhunk://#diff-aeec7ddb4cf8b7e9e6e57625770d369cce5f377cc350b42c3aca0427bba8dfbcL40-R42) [[3]](diffhunk://#diff-aeec7ddb4cf8b7e9e6e57625770d369cce5f377cc350b42c3aca0427bba8dfbcL99-R98) Linter configuration: * Added a specific rule for the `unused` linter in `.golangci.yml` to target `app/upgrades.go`, improving code quality checks for this file.
## 🤖 Installing Claude Code GitHub App This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository. ### What is Claude Code? [Claude Code](https://claude.com/claude-code) is an AI coding agent that can help with: - Bug fixes and improvements - Documentation updates - Implementing new features - Code reviews and suggestions - Writing tests - And more! ### How it works Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment. Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action. ### Important Notes - **This workflow won't take effect until this PR is merged** - **@claude mentions won't work until after the merge is complete** - The workflow runs automatically whenever Claude is mentioned in PR or issue comments - Claude gets access to the entire PR or issue context including files, diffs, and previous comments ### Security - Our Anthropic API key is securely stored as a GitHub Actions secret - Only users with write access to the repository can trigger the workflow - All Claude runs are stored in the GitHub Actions run history - Claude's default tools are limited to reading/writing files and interacting with our repo by creating comments, branches, and commits. - We can add more allowed tools by adding them to the workflow file like: ``` allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test) ``` There's more information in the [Claude Code action repo](https://github.com/anthropics/claude-code-action). After merging this PR, let's try mentioning @claude in a comment on any PR to get started! --------- Signed-off-by: Kostas Demiris <kostasdemiris@gmail.com> Co-authored-by: TwiceBurnt <169301814+2xburnt@users.noreply.github.com>
…#490) This pull request introduces two new query endpoints for JWS and JWT handling, improves security and usability, and deprecates the older `ValidateJWT` endpoint in favor of a more comprehensive `DecodeJWT`. The changes include updates to the protobuf definitions, CLI commands, keeper logic, and thorough test coverage for the new functionality. **New query endpoints and deprecation:** * Added `VerifyJWS` and `DecodeJWT` RPC endpoints to the `proto/xion/jwk/v1/query.proto`, including their request and response message types. `ValidateJWT` is now deprecated in favor of `DecodeJWT`, which returns all claims. [[1]](diffhunk://#diff-52bf6c4f29d0bb9b709ea5be5244fc833a3c2f6cd1342c4322246cebf59ec1ffL36-R53) [[2]](diffhunk://#diff-52bf6c4f29d0bb9b709ea5be5244fc833a3c2f6cd1342c4322246cebf59ec1ffR170-R207) * Marked the keeper's `ValidateJWT` method as deprecated and provided guidance to use `DecodeJWT` instead. **CLI enhancements:** * Added new CLI commands `CmdDecodeJWT` and `CmdVerifyJWS` for the respective new endpoints, and deprecated the `CmdValidateJWT` command. [[1]](diffhunk://#diff-ddecc4de8ab1741e8178d7c095a7b23abce78d70761c9976f3e8e57a55631b7cR29-R30) [[2]](diffhunk://#diff-5a3366d18d67a117e514fda8cbb65c2888365d3a00334ac712cd2150b9a7ac54R16-R21) [[3]](diffhunk://#diff-5a3366d18d67a117e514fda8cbb65c2888365d3a00334ac712cd2150b9a7ac54R54-R90) [[4]](diffhunk://#diff-35c2adabcfce4de31b1e639c1ae6cdd8ebef89bf772643a45a2c6069b1d0d244R1-R49) **Keeper implementation and security:** * Implemented `DecodeJWT` and `VerifyJWS` methods in the keeper, enforcing strict compact serialization checks for JWT/JWS and returning all claims or payloads as appropriate. [[1]](diffhunk://#diff-65ab6497f62b1e97ce8efd958871789d0fa3970bd967de9b9552705dc3afc8d2R1-R149) [[2]](diffhunk://#diff-bffe632bd0c002b9258cfd94ef380e0b43a1a44108b32da02fcaa6749d76a144R1-R81) **Test coverage:** * Added comprehensive tests for `DecodeJWT` and `VerifyJWS` covering edge cases, security checks, and successful scenarios in `x/jwk/keeper/query_decode_jwt_test.go` and `x/jwk/keeper/query_verify_jws_test.go`. [[1]](diffhunk://#diff-2237a48b9a864c0a0a0bd39bd39afa051d0b5bcb040aa57e714d910ab210b5ceR1-R140) [[2]](diffhunk://#diff-b3c3600a63c4c83cad436b9049239b3b39c2fc594da42838a23a587a524c6422R1-R168) --------- Signed-off-by: TwiceBurnt <169301814+2xburnt@users.noreply.github.com> Co-authored-by: TwiceBurnt <169301814+2xburnt@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: OpenClaw <openclaw@burnt.com> Co-authored-by: Crucible <crucible-burnt@users.noreply.github.com> Co-authored-by: crucible-burnt <179aborting+crucible-burnt@users.noreply.github.com>
This pull request updates the workflow configuration for triggering downstream releases, focusing on improving how release tags are passed and simplifying the workflow structure. The main changes are grouped below: Workflow structure changes: * The `trigger-types` job in `.github/workflows/release-downstream.yaml` now uses a local workflow file (`trigger-types.yaml`) instead of referencing the remote workflow in `xion-types`. Release tag input handling: * The `trigger-types.yaml` workflow now requires the `release_tag` input for both `workflow_call` and `workflow_dispatch` triggers, removing the previous default/fallback behavior. * The `release-types` job in `trigger-types.yaml` now passes the `release_tag` input directly, instead of using a fallback to `github.event.release.tag_name`.
## feat(x/zk): Barretenberg UltraHonk backend + ProofSystem enum
### Summary
Adds native UltraHonk ZK proof verification to the `x/zk` module via a
CGo binding to
Aztec's Barretenberg library (v4.0.4), and replaces the freeform
`proof_system` string
field with a typed protobuf enum. Validators can now verify both Groth16
(circom/gnark)
and UltraHonk (Noir/Aztec) proofs on-chain.
### What's changing
**Protocol**
- New `ProofSystem` enum in `params.proto` — `GROTH16=1`,
`ULTRA_HONK_ZK=4` (2–3 reserved)
- `proof_system` field in `MsgAddVKey`, `MsgUpdateVKey`, and `VKey`
promoted from `string → ProofSystem`
- Zero-value defaults to Groth16; no migration required for fresh
deployments
**x/zk module**
- Keeper, query server, CLI, and type validators updated end-to-end for
the typed enum
- `ValidateVKeyForProofSystem` routes to Barretenberg or gnark based on
enum value
**Barretenberg CGo binding** (`x/zk/barretenberg/`)
- Per-platform link files (`link_linux_amd64.go`,
`link_darwin_arm64.go`, `link_darwin_amd64.go`) following the wasmvm
pattern; `barretenberg_stub` build tag for stub-only dev builds
- `wrapper/barretenberg_wrapper.cpp` — thin C++ shim over
`bb::UltraZKVerifier` exposing a plain C API (`bb_verify_proof`,
`bb_vkey_from_bytes`, etc.)
- `wrapper/build-wrapper.sh` — downloads pinned `libbb-external.a` from
the Aztec v4.0.4 release, sparse-checks out barretenberg headers,
creates stubs for external deps (Tracy profiler, msgpack-c), compiles
wrapper, merges into `lib/{platform}/libbarretenberg.a`
- `verifier.go` — pre-call `num_public_inputs` cross-check for clear
version-mismatch errors
**Build & CI**
- `.github/workflows/build-barretenberg.yml` — 3 jobs: `ubuntu-latest`
(linux/amd64), `macos-latest` (darwin/arm64), `macos-13` (darwin/amd64 —
native Intel)
- `make barretenberg-build-wrapper` builds for the current platform;
hooked into `build` and `build-local`
### Key files
| Area | Path |
|------|------|
| Protobuf enum | `proto/xion/zk/v1/params.proto` |
| Keeper routing | `x/zk/keeper/query_server.go`,
`x/zk/keeper/keeper.go` |
| C++ shim | `x/zk/barretenberg/wrapper/barretenberg_wrapper.cpp` |
| Build script | `x/zk/barretenberg/wrapper/build-wrapper.sh` |
| CGo bindings | `x/zk/barretenberg/bindings.go`, `link_*.go` |
| CI workflow | `.github/workflows/build-barretenberg.yml` |
### Operator notes
- `libbarretenberg.a` is a build artifact (git-ignored); CI builds it
before the binary build step
- UltraHonk verification requires KZG CRS files — validators must
pre-populate `~/.bb-crs` or set `BB_CRS_PATH`
- Test vectors in `testdata/statics/` must be regenerated with
`bb@4.0.4` (`./testdata/generate.sh`)
---------
Signed-off-by: Kehinde Faleye <Kenny.fale.kf@gmail.com>
Co-authored-by: 2xburnt <169301814+2xburnt@users.noreply.github.com>
Co-authored-by: Ash <96692350+ash-burnt@users.noreply.github.com>
Co-authored-by: Ash <ash@burnt.com>
Co-authored-by: Eduardo Diaz <eduardo.j.diaz.rodriguez@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Kushal7788 <kushshah777888@gmail.com>
Co-authored-by: Kushal <41788348+Kushal7788@users.noreply.github.com>
Co-authored-by: Eduardo Díaz <edjroz@users.noreply.github.com>
Co-authored-by: jburnt <j@burnt.com>
Co-authored-by: Kostas Demiris <kostasdemiris@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Satyam bansal <satyamb@burnt.com>
…rifyProof (#503) - Add zk module params for max byte sizes: Groth16 proof / public inputs (UTF-8 string length) and UltraHonk proof / public inputs (raw bytes). - Enforce those limits in VerifyProof so oversized payloads are rejected before verification. - Add v3 zk migration to set defaults for the new fields. - Extend keeper/query tests and adjust related types, errors, and genesis handling. --------- Signed-off-by: TwiceBurnt <169301814+2xburnt@users.noreply.github.com> Co-authored-by: TwiceBurnt <169301814+2xburnt@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Replace nested @burnt-labs/burnt-engineering/* team references with correct flat slug format per org CODEOWNERS policy. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Use @burnt-labs/burnt-devops and @burnt-labs/burnt-protocol directly — nested team references are ignored by GitHub and cause unexpected ownership assignment.
… update docs (#510) ## Summary - **`x/dkim/types/poseidon.go`**: `ToLittleEndianWithLeadingZerosTrimming` now returns `[]byte{0x00}` for the zero field element instead of an empty slice, preventing a hash collision. - **`x/jwk/types/messages_audience.go`**: Added `validateJWKKeyTypeAlgConsistency` and called it from `ValidateBasic` in both `MsgCreateAudience` and `MsgUpdateAudience` to reject mismatched `kty`/`alg` combinations (e.g. `kty=oct, alg=RS256`). - **`app/app.go`**: Replaced stale "TODO missing a key?" comment with an audit note. - **`x/xion/types/feegrant.go`**: Expanded TODO comment to reference the gas accounting work in `x/zk` and `x/dkim`. - **`SECURITY.md`**: Documented two frequently-raised non-issues (DKIM public keys on-chain, Bank MsgSend fee exemption as governance parameter). ## Details ### Poseidon zero-field collision `ToLittleEndianWithLeadingZerosTrimming` skips all-zero leading bytes from a big-endian BN254 field element before reversing to little-endian. For the zero element (all 32 bytes are `0x00`), this produced an empty `[]byte{}`. Two distinct inputs whose field representation happens to be all-zero would produce identical Poseidon hashes, breaking the collision-resistance property relied upon by the DKIM circuit. Fix: detect when all bytes were skipped and return `[]byte{0x00}` to preserve distinctness. ### JWK kty/alg consistency The existing `ValidateBasic` blocklist only covered HMAC algorithms (`HS256`/`HS384`/`HS512`) and `NoSignature`. A JWK with `kty=oct` (symmetric) and `alg=RS256` passed validation, was stored in state, and would cause JWT verification to fail permanently for that audience because the verifier would attempt to use symmetric key material with an RSA algorithm. Fix: `validateJWKKeyTypeAlgConsistency` enforces: - RSA algorithms (`RS256`, `RS384`, `RS512`, `PS256`, `PS384`, `PS512`) → `kty=RSA` - ECDSA algorithms (`ES256`, `ES384`, `ES512`) → `kty=EC` - `EdDSA` → `kty=OKP` ## Test plan - [ ] Existing `x/dkim` Poseidon hash tests pass - [ ] New test: `ToLittleEndianWithLeadingZerosTrimming(make([]byte, 32))` returns `[]byte{0x00}`, not `[]byte{}` - [ ] Existing `x/jwk` ValidateBasic tests pass - [ ] New test: `kty=oct, alg=RS256` is rejected by `ValidateBasic` on both Create and Update - [ ] New test: `kty=RSA, alg=ES256` is rejected - [ ] `kty=RSA, alg=RS256` still passes 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: 2xburnt <169301814+2xburnt@users.noreply.github.com>
## Summary - `x/jwk/keeper/msg_server_audience.go`: `UpdateAudience` now transfers the `AudienceClaim` KV entry to the new admin when `msg.NewAdmin != msg.Admin`. ## Background `UpdateAudience` wrote the new admin address into the `Audience` record but left the `AudienceClaim` pointing at the old admin. This created two problems: 1. The new admin held no audience claim, so they could not call `CreateAudienceClaim` to re-assert ownership or `DeleteAudienceClaim` to remove it. 2. The old admin still held the claim and could call `CreateAudience` again for the same `aud` value (after deleting the existing audience), effectively reclaiming a resource they had transferred away. ## Fix After updating the `Audience` record, if the admin is changing, remove the old admin's `AudienceClaim` for the audience's SHA-256 hash and write a new `AudienceClaim` for the new admin. ## Test plan - [ ] Existing `x/jwk` unit tests pass - [ ] New scenario: create audience → update admin → verify old admin claim is gone → verify new admin claim exists - [ ] New scenario: create audience → update admin → old admin attempts CreateAudienceClaim → should fail with "audience already claimed" 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
## Summary - `x/zk/keeper/query_server.go`: `ProofVerify` (Groth16/BN254) and `ProofVerifyUltraHonk` now consume gas proportional to proof + public input sizes before running the cryptographic verification. - `x/dkim/keeper/query_server.go`: `Authenticate` now consumes gas proportional to the number of public inputs before running Groth16 verification. - Gas constants added to `x/zk/types/params.go` and `x/dkim/types/params.go`. Both endpoints are Stargate-whitelisted and CosmWasm-callable. Without gas accounting, a contract can loop these endpoints and saturate validator CPU at zero cost. Gas is charged as a flat base cost plus a per-byte (or per-element) rate, applied after the size-limit checks and immediately before the expensive cryptographic work begins. ## Test plan - [ ] Existing unit tests pass - [ ] Manual: submit a `ProofVerify` query and confirm gas usage is non-zero in the response - [ ] Manual: submit an `Authenticate` query and confirm gas usage is non-zero in the response - [ ] Confirm that simulate mode still works (simulate skips the fee check but still tracks gas) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
## Summary - Adds four new `Params` fields (`MaxGroth16ProofSizeBytes`, `MaxGroth16PublicInputSizeBytes`, `MaxUltraHonkProofSizeBytes`, `MaxUltraHonkPublicInputSizeBytes`) that bound proof and public-input payload sizes in `ProofVerify` and `ProofVerifyUltraHonk`. - Introduces `MinProofOrInputSizeBytes` (1 KiB) floor constant. `Validate()` now rejects any size-limit param below this floor with `ErrInvalidParams`, preventing governance from accidentally setting limits so low that all ZK verification fails. - Documents the rationale for default values with inline comments (Groth16 proof ~200 bytes → 4 KiB default; public inputs 30 KiB; UltraHonk proof 20 KiB; UltraHonk public inputs 10 KiB). - Clarifies `WithMaxLimitDefaults()` upgrade-compatibility semantics in both the helper and `MsgUpdateParams.ValidateBasic()` comments. - Refactors `TestQueryProofVerify`: replaces name-based switch for error-type assertions with an `expectedErr` field on the test-case struct. - Adds migration v3 to seed existing chains with the new param defaults. ## Test plan - [ ] `go test ./x/zk/...` passes - [ ] `go test ./x/zk/types/...` — `TestParamsValidate` covers zero-value, positive, and below-floor cases - [ ] `TestQueryProofVerify` uses struct-level `expectedErr` field; no name-based switch - [ ] `TestQueryProofVerify_ParamMaxSizeEnforced` validates tightened limits reject real payloads - [ ] Migration test confirms existing zero-value chains get defaults applied 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
## Summary - Update `go.mod` replace directive for `burnt-labs/wasmd` from `v0.61.8-xion.2` to `v0.61.9-xion.1` - The new wasmd tag includes Go 1.25 compatibility fixes: Dockerfile base image, `bytedance/sonic` upgrade, and ConsensusVersion migration test fix ## Test plan - [ ] CI lint passes - [ ] Unit tests pass - [ ] E2E tests pass - [ ] `go mod tidy` produces no diff 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
4 tasks
2xburnt
commented
Mar 30, 2026
2xburnt
commented
Mar 30, 2026
Peartes
reviewed
Mar 31, 2026
This pull request introduces several improvements and enhancements to the DKIM and ZK modules, as well as a minor update to the Dockerfile for architecture compatibility. The main changes are the addition of a minimum RSA key size parameter to DKIM params, improved documentation for proto fields, and a correction to the enumeration values for ZK proof systems. **DKIM module enhancements:** * Added a new `min_rsa_key_bits` parameter to the `Params` struct in `xion.dkim.v1`, allowing governance to set a minimum acceptable RSA key size for DKIM keys. This includes full protobuf and reflection support, defaulting to 1024 bits for legacy compatibility. [[1]](diffhunk://#diff-709c7524e74dd3abb5e27120acd265b953104abca8d707aeb435def3b921706aR1987) [[2]](diffhunk://#diff-709c7524e74dd3abb5e27120acd265b953104abca8d707aeb435def3b921706aR1996) [[3]](diffhunk://#diff-709c7524e74dd3abb5e27120acd265b953104abca8d707aeb435def3b921706aR2082-R2087) [[4]](diffhunk://#diff-709c7524e74dd3abb5e27120acd265b953104abca8d707aeb435def3b921706aR2109-R2110) [[5]](diffhunk://#diff-709c7524e74dd3abb5e27120acd265b953104abca8d707aeb435def3b921706aR2133-R2134) [[6]](diffhunk://#diff-709c7524e74dd3abb5e27120acd265b953104abca8d707aeb435def3b921706aR2160-R2162) [[7]](diffhunk://#diff-709c7524e74dd3abb5e27120acd265b953104abca8d707aeb435def3b921706aR2189-R2190) [[8]](diffhunk://#diff-709c7524e74dd3abb5e27120acd265b953104abca8d707aeb435def3b921706aR2220-R2221) [[9]](diffhunk://#diff-709c7524e74dd3abb5e27120acd265b953104abca8d707aeb435def3b921706aR2242-R2243) [[10]](diffhunk://#diff-709c7524e74dd3abb5e27120acd265b953104abca8d707aeb435def3b921706aR2323-R2325) [[11]](diffhunk://#diff-709c7524e74dd3abb5e27120acd265b953104abca8d707aeb435def3b921706aR2355-R2359) [[12]](diffhunk://#diff-709c7524e74dd3abb5e27120acd265b953104abca8d707aeb435def3b921706aR2507-R2525) [[13]](diffhunk://#diff-709c7524e74dd3abb5e27120acd265b953104abca8d707aeb435def3b921706aL2720-R2787) [[14]](diffhunk://#diff-709c7524e74dd3abb5e27120acd265b953104abca8d707aeb435def3b921706aR2831-R2837) [[15]](diffhunk://#diff-709c7524e74dd3abb5e27120acd265b953104abca8d707aeb435def3b921706aL2817-R2890) [[16]](diffhunk://#diff-709c7524e74dd3abb5e27120acd265b953104abca8d707aeb435def3b921706aL2829-R2917) * Improved and expanded proto documentation for `IndexRange`, `PublicInputIndices`, and related fields for clarity and maintainability. [[1]](diffhunk://#diff-709c7524e74dd3abb5e27120acd265b953104abca8d707aeb435def3b921706aL2581-R2638) [[2]](diffhunk://#diff-709c7524e74dd3abb5e27120acd265b953104abca8d707aeb435def3b921706aL2625-R2697) **ZK module improvements:** * Corrected the `ProofSystem` enum values: `PROOF_SYSTEM_ULTRA_HONK_ZK` now uses value 2 instead of 4, and added/clarified documentation for enum values. [[1]](diffhunk://#diff-70ad98ae588ab81abc698f3873a7fd9a85660cd7d752f73f8c35fa52aa5f0f3eL723-R745) [[2]](diffhunk://#diff-70ad98ae588ab81abc698f3873a7fd9a85660cd7d752f73f8c35fa52aa5f0f3eL909-R913) * Improved comments for proof size and public input size configuration fields for both Groth16 and UltraHonk proof systems. **Build and architecture support:** * Updated the `Dockerfile` to use the `TARGETARCH` build argument for downloading the correct Cosmovisor binary for the target architecture, improving multi-arch compatibility. --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: crucible-burnt <260729324+crucible-burnt@users.noreply.github.com> Co-authored-by: Claude <claude@anthropic.com>
## Summary - remove the post-v28 DKIM MinRsa backfill/migration changes from the v29 release track - keep the MinRSA wiring that already exists in the v28 baseline - collapse the rollback into a single commit on top of `release/v29` ## What stays - existing v28-era `MinRsaKeyBits` schema and validation wiring - existing DKIM type/proto support already present in `release/v29` ## What is removed - the later v29 backfill logic added after the v28 baseline - the extra DKIM v2->v3 migration path and related test expectations - the E2E/test adjustments that were only needed for that later backfill path ## Validation - `go test ./x/dkim/...`
…age gates (#542) ## Summary - Mark files generated by `make proto-all` as generated in GitHub diffs via `.gitattributes` - Keep source proto files (`proto/**/*.proto`) reviewable - Add explicit `CODEOWNERS` rules so coverage-requirement and coverage-gating files require DevOps sign-off ## Why - Reduce PR noise from generated artifacts - Ensure policy changes to test coverage requirements are reviewed by DevOps ## Included coverage-governance paths - `.coveragerc` - `.codecov.yml` - `make/coverage.mk` - `make/test.mk` - `scripts/coverage-analyze.sh` - `.github/workflows/tests.yaml` - `.github/workflows/build-test.yaml`
This pull request updates the generated protobuf files for the DKIM genesis types, reflecting a reduction in the number of fields and a simplification of the schema. The primary changes are in the serialized descriptors and the removal of a field from the `Params` message, which results in a smaller and simpler binary descriptor. **Protobuf Descriptor and Schema Updates:** * The gzipped `FileDescriptorProto` in `x/dkim/types/genesis.pb.go` was reduced from 618 bytes to 593 bytes, indicating a simplification of the protobuf schema. * In `api/xion/dkim/v1/genesis.pulsar.go`, the serialized protobuf descriptor was updated to match the new schema, including a reduction in the size of the `Params` message and the removal of the `min_rsa_key_bits` field. [[1]](diffhunk://#diff-709c7524e74dd3abb5e27120acd265b953104abca8d707aeb435def3b921706aL2831-R2831) [[2]](diffhunk://#diff-709c7524e74dd3abb5e27120acd265b953104abca8d707aeb435def3b921706aL2843-R2855) These changes are generated and do not impact application logic, but they do reflect a streamlined and less complex protobuf contract for DKIM genesis state.
Contributor
There was a problem hiding this comment.
Pull request overview
Release/v29 updates the chain to support Barretenberg UltraHonk verification alongside existing Groth16 flows, adds multiple DoS-hardening validations/limits across zk/jwk/dkim, and refreshes build/CI/release plumbing for the new native dependency.
Changes:
- Add UltraHonk proof system support to
x/zk(vkey storage w/proof_system, new query endpoint, params/migrations, CLI + E2E coverage). - Harden validation/limits across modules (BN254 vkey coordinate bounds, zk params caps/overflow checks, DKIM proof-size cap + safer parsing, JWK key-size/type checks + new decode/verify queries).
- Update release infrastructure (deps, Docker/GoReleaser/CI workflows, proto/gateway outputs) for v29.
Reviewed changes
Copilot reviewed 132 out of 143 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| x/zk/types/vkey.go | Adds proof-system-aware vkey validation + BN254 field coordinate checks. |
| x/zk/types/vkey_test.go | Tests BN254 coordinate boundary enforcement. |
| x/zk/types/query.pb.gw.go | Generated grpc-gateway route for UltraHonk verify. |
| x/zk/types/params.go | Adds Groth16/UltraHonk proof & input size params + hard ceilings + gas overflow check. |
| x/zk/types/params_test.go | Covers new params validation and default backfilling. |
| x/zk/types/msgs.go | Adds vkey name/desc length limits + proof_system enum aliases. |
| x/zk/types/msgs_test.go | Updates MsgAddVKey ValidateBasic expectations. |
| x/zk/types/genesis.go | Validates vkeys by proof system; backfills new params on genesis load. |
| x/zk/types/errors.go | Adds new ErrProofTooLarge / ErrPublicInputsTooLarge. |
| x/zk/module.go | Bumps consensus version and wires v2→v3 migration. |
| x/zk/module_test.go | Updates consensus version test. |
| x/zk/migrations/v3/migrate.go | Backfills newly-added zk param limits for existing chains. |
| x/zk/migrations/v3/migrate_test.go | Tests zk v2→v3 param backfill + idempotency. |
| x/zk/keeper/testdata/barretenberg/vk | Adds UltraHonk verification key test vector (binary). |
| x/zk/keeper/testdata/barretenberg/public_inputs | Adds UltraHonk public inputs test vector (binary). |
| x/zk/keeper/testdata/barretenberg/proof | Adds UltraHonk proof test vector (binary). |
| x/zk/keeper/msg_server.go | Passes proof_system through to keeper for vkey persistence/validation. |
| x/zk/keeper/msg_server_test.go | Adjusts tests to expect keeper-side vkey validation behavior. |
| x/zk/keeper/migrator.go | Adds migrator entry for zk v2→v3. |
| x/zk/keeper/migrator_test.go | Tests zk migrator v2→v3 param backfill. |
| x/zk/keeper/keeper.go | Enforces canonical BN254 scalar public inputs; stores proof_system on vkeys; backfills params on Get/Set/InitGenesis. |
| x/zk/client/cli/tx.go | Adds proof-system CLI arg for add/update vkey; removes local vkey parsing validation. |
| x/zk/client/cli/query.go | Adds verify-ultrahonk query command. |
| x/zk/client/cli/query_test.go | Adds tests for new UltraHonk query command + updates command count. |
| x/xion/types/feegrant.go | Adds recursion depth cap for nested MultiAnyAllowance validation. |
| x/xion/keeper/msg_server.go | Hardens MultiSend address parsing; changes minimum-denom enforcement semantics; adds platform % cap; uses ceiling division in fee calc. |
| x/xion/keeper/msg_server_test.go | Updates platform fee rounding tests for ceiling division. |
| x/xion/keeper/genesis.go | Uses keeper getter for platform percentage export. |
| x/jwk/types/types.go | Introduces gas constants for VerifyJWS query. |
| x/jwk/types/messages_audience.go | Adds JWK size/alg/kty consistency validation + rejects private keys; enforces aud/key size caps. |
| x/jwk/types/key_size_test.go | Tests RSA key bit-length limits and boundary behavior. |
| x/jwk/types/genesis.go | Adds genesis-time JWK parsing/alg checks with pre-parse size guard. |
| x/jwk/types/genesis_test.go | Expands genesis tests for JWK acceptance/rejection cases. |
| x/jwk/types/codec.go | Registers additional message types for audience claims. |
| x/jwk/module.go | Adds v2→v3 migration + bumps consensus version. |
| x/jwk/module_test.go | Updates consensus version assertions. |
| x/jwk/migrations/v3/migrate.go | Corrects TimeOffset param written incorrectly by prior migration. |
| x/jwk/migrations/v3/migrate_test.go | Tests TimeOffset correction migration. |
| x/jwk/keeper/query_verify_jws.go | Adds VerifyJWS query w/ compact-only enforcement + gas charging + key-size checks. |
| x/jwk/keeper/query_verify_jws_test.go | Tests VerifyJWS behavior incl. JSON-serialization rejection. |
| x/jwk/keeper/query_validate_jwt.go | Marks ValidateJWT deprecated; adds key-size validation + clarifies gas rationale. |
| x/jwk/keeper/query_decode_jwt.go | Adds DecodeJWT query returning standard+private claims deterministically. |
| x/jwk/keeper/query_decode_jwt_test.go | Tests DecodeJWT claim extraction + JSON-serialization rejection. |
| x/jwk/keeper/msg_server_audience.go | Ensures audience-claim cleanup/transfer on Update/Delete operations. |
| x/jwk/keeper/migrations.go | Wires jwk v2→v3 migrator. |
| x/jwk/keeper/migrations_test.go | Tests jwk v2→v3 correction via migrator. |
| x/jwk/genesis_test.go | Updates genesis validation tests to use valid JWK; adds invalid-key case. |
| x/jwk/client/cli/query.go | Adds decode-jwt + verify-jws CLI commands. |
| x/jwk/client/cli/query_verify_jws.go | Implements verify-jws CLI query. |
| x/jwk/client/cli/query_validate_jwt.go | Deprecates validate-jwt CLI and adds decode-jwt command. |
| x/jwk/client/cli/cli_test.go | Adds CLI metadata/arg/run-path tests for new queries. |
| x/globalfee/ante/fee.go | Fixes default return path for MaxTotalBypassMinFeeMsgGasUsage. |
| x/dkim/types/pubkey.go | Clarifies key-size enforcement location; refactors parsing error handling. |
| x/dkim/types/pubkey_test.go | Adds test ensuring legacy small RSA keys are accepted by parser. |
| x/dkim/types/poseidon.go | Fixes little-endian conversion trimming to preserve zero sentinel; avoids unsafe RSA type assertion. |
| x/dkim/types/poseidon_test.go | Updates tests for zero-sentinel behavior. |
| x/dkim/types/params.go | Adds DKIM proof size cap constant and requires positive vkey_identifier. |
| x/dkim/types/params_test.go | Tests vkey_identifier validation. |
| x/dkim/types/msgs.go | Strengthens message ValidateBasic; splits DKIM key validation modes (genesis vs msg path); adds decode-with-limit. |
| x/dkim/types/genesis.pb.go | Generated comment improvements for public-input indices structs. |
| x/dkim/types/genesis.go | Accepts 32-byte sha256 hashes in revoked list; improves error context. |
| x/dkim/types/genesis_test.go | Adds test for revoked sha256-hash acceptance. |
| x/dkim/types/errors.go | Adds ErrProofTooLarge. |
| x/dkim/module_test.go | Updates invalid-genesis fixture for new required params. |
| x/dkim/keeper/query_server.go | Adds Authenticate proof-size cap; improves email-host validation; increases pagination key buffer size. |
| x/dkim/keeper/query_server_test.go | Updates assertions for revised email-host errors. |
| x/dkim/keeper/msg_server.go | Enforces min RSA size in msg path; scopes revocation iteration by domain; adds size-limited pubkey decode. |
| x/dkim/keeper/msg_server_test.go | Removes obsolete ValidateRSAPubKey tests (function removed). |
| x/dkim/keeper/keeper.go | Panics on revoked key iteration decode failure during genesis export. |
| wasmbindings/stargate_whitelist.go | Whitelists zk ProofVerifyUltraHonk query for CosmWasm Stargate. |
| SECURITY.md | Adds “Frequently Raised Non-Issues” clarifications. |
| proto/xion/zk/v1/tx.proto | Adds proof_system to vkey tx messages; updates field docs. |
| proto/xion/zk/v1/query.proto | Adds ProofVerifyUltraHonk RPC + vkey proof_system field. |
| proto/xion/zk/v1/params.proto | Introduces ProofSystem enum + new zk size-limit params. |
| proto/xion/jwk/v1/query.proto | Deprecates ValidateJWT and adds VerifyJWS + DecodeJWT RPCs + message types. |
| proto/xion/dkim/v1/genesis.proto | Improves comments/formatting for public input indices. |
| make/test.mk | Adds UltraHonk E2E test target + includes it in sim deterministic set. |
| make/proto.mk | Splits proto-all into staged generation steps (gogo/pulsar/openapi). |
| make/coverage.mk | Centralizes build tags variable for coverage run. |
| make/build.mk | Adds barretenberg-build-wrapper and wires it into make build. |
| go.mod | Bumps wasmd fork + abstract-account; adds barretenberg-go dependency; bumps sonic. |
| go.sum | Updates sums for bumped/added deps. |
| e2e_tests/zk/params_vkey_test.go | Updates zk add-vkey CLI call to include groth16 proof-system arg. |
| e2e_tests/zk/ultrahonk_verify_test.go | Adds E2E: upload UltraHonk vkey + verify proof by name/id. |
| e2e_tests/testdata/keys/zk-transaction-icloud.json | Adds new Groth16 proof test vector. |
| e2e_tests/testdata/keys/zk-auth-icloud.json | Adds new Groth16 proof test vector. |
| e2e_tests/testdata/keys/barretenberg/vk | Adds UltraHonk vk test vector (binary). |
| e2e_tests/testdata/keys/barretenberg/public_inputs | Adds UltraHonk inputs test vector (binary). |
| e2e_tests/testdata/keys/barretenberg/proof | Adds UltraHonk proof test vector (binary). |
| e2e_tests/jwk/jwt_aa_test.go | Makes E2E assertions explicit by verifying committed tx result before balance checks. |
| e2e_tests/go.mod | Bumps abstract-account; includes barretenberg-go indirect; bumps sonic. |
| e2e_tests/go.sum | Updates sums for bumped/added deps. |
| Dockerfile | Installs libc++ for linking barretenberg; fixes cosmovisor arch download. |
| client/docs/config.yaml | Bumps swagger docs version to v29.0.0. |
| CLAUDE.md | Adds repo workflow/commands documentation for Claude agents. |
| app/upgrades.go | Sets upgrade name to v29 and removes module-specific init logic (commented template). |
| app/app.go | Adds AA transient store key; removes BeginBlocker panic recovery. |
| app/ante_test.go | Adds test ensuring AA signer address does not persist across block boundary. |
| api/xion/zk/v1/query_grpc.pb.go | Generated gRPC client/server stubs for ProofVerifyUltraHonk. |
| api/xion/jwk/v1/query_grpc.pb.go | Generated gRPC stubs for VerifyJWS + DecodeJWT; marks ValidateJWT deprecated. |
| api/xion/dkim/v1/genesis.pulsar.go | Generated pulsar types with improved field comments. |
| .goreleaser/build.yaml | Downloads libbarretenberg during builds; installs libc++ for arm64; adds BB_LIB env. |
| .golangci.yml | Adds lint rule override for app/upgrades.go unused. |
| .gitignore | Ignores local barretenberg lib directory. |
| .github/workflows/tests.yaml | Splits into coverage + race jobs; installs clang/libc++; downloads barretenberg wrapper; switches to depot runners. |
| .github/workflows/e2e-tests.yaml | Switches to depot runners; runs zk tests as separate regex types; downloads barretenberg wrapper. |
| .github/workflows/verify-installers.yaml | Switches runner labels to depot images. |
| .github/workflows/update-swagger.yaml | Switches runner to depot. |
| .github/workflows/trigger-types.yaml | Makes release_tag required for workflow_call and dispatch; simplifies passing. |
| .github/workflows/release-downstream.yaml | Uses local trigger-types reusable workflow. |
| .github/workflows/publish-release.yaml | Switches runner to depot. |
| .github/workflows/heighliner.yaml | Migrates docker build to Depot actions and depot runners. |
| .github/workflows/golangci-lint.yaml | Switches runner to depot and disables setup-go cache. |
| .github/workflows/exec-goreleaser.yaml | Switches runner to depot and disables setup-go cache. |
| .github/workflows/docker-scout.yaml | Switches runner to depot. |
| .github/workflows/docker-push.yaml | Switches runner to depot. |
| .github/workflows/docker-build.yaml | Migrates docker build to Depot actions and depot runners. |
| .github/workflows/claude.yml | Adds Claude Code workflow. |
| .github/workflows/claude-code-review.yml | Adds Claude Code Review workflow. |
| .github/workflows/binaries-linux.yaml | Switches runner to depot and disables setup-go cache. |
| .github/workflows/binaries-darwin.yaml | Switches runner to depot and disables setup-go cache. |
| .github/CODEOWNERS | Updates ownership mappings and adds DevOps ownership for build/coverage infra. |
| .gitattributes | Marks generated proto outputs as linguist-generated; keeps proto sources reviewable. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…lready zero (#551) ## Summary The bypass path in `FeeDecorator.AnteHandle` clears the validator-local min-gas-prices from the context when a bypass-eligible transaction submits zero fees. This is required when the validator has a non-zero local minimum configured, because without the clear, downstream ante decorators would see the validator's local minimum and reject a legitimately fee-free bypass message (e.g. an IBC relayer packet). However, the clear was unconditional: it fired even when `ctx.MinGasPrices()` was already empty. On nodes running with no local minimum — including the standard test environment and some validators — this unnecessary context replacement was disrupting mint inflation accounting that reads the fee context downstream. ## Before ```go if feeCoins.IsZero() { return next(ctx.WithMinGasPrices(sdk.DecCoins{}), tx, simulate) } return next(ctx, tx, simulate) ``` With zero `min-gas-prices`, the bypass path still replaced the context object with a fresh empty `DecCoins{}`, triggering downstream side effects in nodes that rely on the fee context being undisturbed. ## After ```go if feeCoins.IsZero() && !ctx.MinGasPrices().IsZero() { return next(ctx.WithMinGasPrices(sdk.DecCoins{}), tx, simulate) } return next(ctx, tx, simulate) ``` The clear only fires when there is actually a non-zero local minimum to clear. When `ctx.MinGasPrices()` is already empty the code falls through to `return next(ctx, tx, simulate)` and the context is left untouched. ## What this does and does not change - **Validators with a non-zero local `min-gas-prices`:** behaviour is unchanged. Zero-fee bypass transactions still have the local minimum cleared from context before being passed downstream. - **Validators with no local `min-gas-prices` (empty):** the context is no longer replaced unnecessarily. The guard is a no-op from an observable fee-validation standpoint. - **Non-bypass transactions:** not affected — they go through `GetTxFeeRequired` and the `WithMinGasPrices(feeRequired)` path as before. - **Simulations:** not affected — the early `simulate` return precedes this block.
…y calls (#548) ## Summary The JWK module wraps `lestrrat-go/jwx` calls with `defer/recover` after experiencing panics in production. The same risk exists unguarded in the ZK and DKIM modules — this PR adds the same defensive pattern to all affected call sites. **Affected libraries:** - `vocdoni/circom2gnark` / `gnark` (BN254 Groth16) — can panic on malformed proofs or VKeys that pass JSON parsing but have invalid curve points - `burnt-labs/barretenberg-go` (UltraHonk, CGo) — Go-level panics from the CGo wrapper would crash the validator - `iden3/go-iden3-crypto/poseidon` — can panic on zero-denominator inputs in the permutation **Changes:** - `x/zk/keeper/keeper.go` (`Verify`): wrap `ConvertCircomToGnark` + `VerifyProof` - `x/zk/keeper/query_server.go` (`ProofVerifyUltraHonk`): wrap all Barretenberg CGo calls - `x/dkim/keeper/query_server.go` (`Authenticate`): wrap `UnmarshalCircomProofJSON` + `ZkKeeper.Verify` - `x/dkim/types/poseidon.go` (`ComputePoseidonHash`): wrap `poseidon.Hash` — called from msg server and genesis paths **Note on Barretenberg:** A true C++ SIGSEGV cannot be caught by Go's `defer/recover`. The guard here catches Go-level panics from the CGo wrapper (nil dereference, bounds check, etc.). The existing size limits (20KB proof, 10KB inputs) remain the primary DoS governor for the C++ layer. ## Test plan - [x] Existing ZK and DKIM unit tests pass - [x] Verify that invalid proof inputs return errors (not panics) in each guarded path - [x] Confirm `ProofVerifyUltraHonk` returns `codes.Internal` on panic rather than crashing the node All 53 CI checks passing (Go unit tests, lint, build linux/amd64 + arm64, 47 E2E tests including ZK and DKIM suites). --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
…enesisState.Validate (#552) ## Summary - `GenesisState.Validate` now calls `ValidateJWKKeySize(parsedKey)` to reject RSA keys > 4096 bits and any private key material stored on-chain - Also calls `validateJWKKeyTypeAlgConsistency(parsedKey, sigAlg)` to reject kty/alg mismatches (e.g. `kty=RSA` with `alg=ES256`) - Adds two new test cases to `genesis_test.go` covering both rejection paths Fixes Copilot review comment on `release/v29`: `MsgCreateAudience`/`MsgUpdateAudience` both enforce these checks but `GenesisState.Validate` did not, allowing a genesis file that passes validation to result in unusable audiences post-startup. ## Test plan - [ ] `TestGenesisState_Validate` — existing cases pass, new "RSA private key rejected" and "kty/alg mismatch rejected" cases pass - [ ] No regression in `x/jwk/` tests 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: 2xburnt <169301814+2xburnt@users.noreply.github.com>
Co-authored-by: crucible-burnt <260729324+crucible-burnt@users.noreply.github.com> Co-authored-by: 2xburnt <169301814+2xburnt@users.noreply.github.com>
Upgrades barretenberg-go from v0.1.3 to v0.2.0 for release/v29. ## Changes - barretenberg-go v0.2.0 now includes prebuilt lib/ directory for all platforms - Removed unnecessary artifact download hook from goreleaser - Updated go.mod and e2e_tests/go.mod to use v0.2.0 - Simplified build process - no runtime artifact downloads needed ## Benefits - Faster, more reproducible builds - No external network dependency during build - Library files included in Go module cache
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 133 out of 148 changed files in this pull request and generated no new comments.
Comments suppressed due to low confidence (6)
x/globalfee/ante/fee.go:1
- The default return constant
types.DefaultmaxTotalBypassMinFeeMsgGasUsagelooks like a casing typo and is likely undefined (compile break) given the surrounding naming conventions. Rename it to the actual exported default constant inx/globalfee/types(e.g.,DefaultMaxTotalBypassMinFeeMsgGasUsage) and ensure it matches the param key semantics.
x/jwk/keeper/query_decode_jwt.go:1 jwt.Settings(...)updates global package-level settings. Calling it inside a query handler can create cross-request interference and data races under concurrent query load. Prefer enforcing compact-only via per-call parse/verify options (or a local pre-check like the leading-byte guard + a compact-only parse mode passed intojwt.Parse), and avoid mutating global JWT settings at request time.
x/jwk/keeper/query_verify_jws.go:1- The gas calculation multiplies
JWSVerifyPerByteGas * len(audience.Key)without overflow or a hard upper bound on the stored serialized key size. If a legacy/invalid state contains a very large (but parseable) JWK string,types.JWSVerifyPerByteGas*len(...)can overflowuint64, undercharging gas and weakening the intended DoS protection. Consider (mandatory) enforcinglen(audience.Key) <= types.MaxJWKKeySizein this query path (return FailedPrecondition if exceeded) and/or explicitly checking for multiplication/accumulation overflow before consuming gas.
app/app.go:1 - This removes the previous BeginBlocker panic recovery. Without a top-level guard, any panic from a module BeginBlock can crash the process and halt the node until restart. If panic recovery is still required in v29, reintroduce a bounded recovery mechanism (ideally logging and converting into an error path consistent with app execution), or ensure an equivalent centralized panic-recovery layer exists elsewhere.
x/dkim/keeper/keeper.go:1 - Panicking during genesis export can bring down the process (e.g.,
xiond export) due to a single iterator/key decode issue, which is a sharp operational failure mode. Since this function can’t return an error, prefer logging the error and continuing (previous behavior), or refactor the API so export can surface an error to the caller instead of panicking.
x/zk/types/vkey_test.go:1 - The test ignores the
json.Marshalerror (data, _ := ...). Even though marshaling this map is expected to succeed, the test should assertrequire.NoError(t, err)(or equivalent) to avoid silently passing with unexpected zero-value data if the marshal ever changes/fails.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
satyambnsal
previously approved these changes
Apr 1, 2026
satyambnsal
left a comment
satyambnsal
left a comment
There was a problem hiding this comment.
went through ZK specific changes. LGTM!
This pull request updates several dependencies in both the main `go.mod` and the `e2e_tests/go.mod` files, primarily focusing on upgrading the `wasmd` and `abstract-account` packages. These changes ensure the project uses the latest features and fixes from these dependencies. **Dependency upgrades:** * Upgraded `github.com/CosmWasm/wasmd` to version `v0.61.10` in both `go.mod` and `e2e_tests/go.mod`, and updated the forked replacement to `v0.61.10-xion.1` for compatibility and latest improvements. [[1]](diffhunk://#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6L11-R11) [[2]](diffhunk://#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6L49-R52) [[3]](diffhunk://#diff-5f2f2c5726f23bafa9934ed5573c2f1a2824b15209699a00986d8cc8f462a3c0L13-R13) [[4]](diffhunk://#diff-5f2f2c5726f23bafa9934ed5573c2f1a2824b15209699a00986d8cc8f462a3c0L44-R46) * Upgraded `github.com/burnt-labs/abstract-account` to version `v0.1.5` in both `go.mod` and `e2e_tests/go.mod` for bug fixes and enhancements. [[1]](diffhunk://#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6L49-R52) [[2]](diffhunk://#diff-5f2f2c5726f23bafa9934ed5573c2f1a2824b15209699a00986d8cc8f462a3c0L44-R46)
…governance param (#554) This pull request strengthens DKIM RSA public key validation by enforcing a minimum key size of 1024 bits for message validation, while allowing legacy keys for genesis or state-loading scenarios. It also adds comprehensive tests to ensure the correct enforcement of these rules. **Key changes:** Validation logic improvements: * Enforced a minimum RSA key size of 1024 bits in the `ValidateDkimPubKeysWithRevocation` function for message validation paths, rejecting weaker keys as cryptographically unsafe. (`x/dkim/types/msgs.go`, [[1]](diffhunk://#diff-1eb2d8495a411eb7d105ba57af78127e2164ad0e3fc76c9dd53fcaff2a945c9fL177-R177) [[2]](diffhunk://#diff-1eb2d8495a411eb7d105ba57af78127e2164ad0e3fc76c9dd53fcaff2a945c9fR202-R205) * Introduced the `MinRSAKeyBits` constant to define the minimum allowed RSA key size, with documentation clarifying its purpose and exceptions for legacy keys. (`x/dkim/types/params.go`, [x/dkim/types/params.goR12-R16](diffhunk://#diff-60f3a3045e0559b57448ebadb0739c3b98d934d0b0bd3cd28386cd3d5b4f89e9R12-R16)) Testing enhancements: * Added tests to verify that sub-1024-bit RSA keys are rejected when minimum key size enforcement is enabled, and accepted when it is disabled (e.g., during genesis). These tests construct weak keys directly to bypass Go's stricter key generation. (`x/dkim/types/msgs_test.go`, [[1]](diffhunk://#diff-61d9bc4ff9a7b4f86a69ff25c0a94ee7c54704b150851529b08c5238b8d8f466R11) [[2]](diffhunk://#diff-61d9bc4ff9a7b4f86a69ff25c0a94ee7c54704b150851529b08c5238b8d8f466R453-R492) --------- Co-authored-by: 2xburnt <169301814+2xburnt@users.noreply.github.com>
## Summary
- **C1 (Critical)**: `VerifyGnark` (gnark native Groth16 BN254) lacked
panic recovery, unlike `Verify` (circom Groth16) and
`ProofVerifyUltraHonk`. Since `ProofVerifyGnark` is
Stargate-whitelisted, any CosmWasm contract can reach this code path — a
panic in gnark deserialization or pairing would halt the chain.
- **M3 (Resolved)**: Confirmed gnark's `witness.UnmarshalBinary()`
already rejects non-canonical BN254 field elements via
`smallerThanModulus()` in gnark-crypto's `BigEndian.Element()`. No
additional scalar field validation needed (unlike the circom path which
required explicit checks due to circom2gnark's silent modular
reduction).
## Changes
- Wrap all gnark deserialization and verification calls in
`VerifyGnark()` with `defer func() { recover() }()`, matching the
existing pattern in `Verify()` at keeper.go:246-260
## Test plan
- [x] `go build ./x/zk/...` passes
- [x] `go vet ./x/zk/...` passes
- [x] `go test ./x/zk/... -count=1` — all 6 packages pass
- [ ] E2E: `make test-zk-all`
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
## Summary - **Testnet cleanup**: Remove `poc-leaked-private-key` audience in v29 upgrade handler — this audience contains leaked RSA private key material and would fail the stricter `ValidateGenesis` checks added in v29, blocking any future genesis export/import on testnet-2 - **Stale comment fix**: Update comment in `ValidateJWT` that incorrectly claimed it was the only `jwt.Parse()` call site (`DecodeJWT` also calls it) - **Deduplicate BN254 prime**: Remove duplicate `bn254ScalarFieldPrime` constant in `query_server.go`, reuse `bn254ScalarPrime` from `keeper.go` - **Remove dead constant**: Delete unused `ProofVerifyGas` constant from `params.go` ## Test plan - [ ] `go build ./...` passes - [ ] `go vet ./...` passes - [ ] Existing unit tests pass (`make test`) - [ ] Verify upgrade handler runs cleanly on testnet-2 (audience removal is conditional — no-op on mainnet) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
## Summary - Remove `.cache/barretenberg-go/v0.1.9/darwin_arm64/libbarretenberg.a` (48MB binary) accidentally committed in #553 - Add `.cache/` to `.gitignore` ## Test plan - [x] `git ls-files .cache/` returns empty after commit 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 133 out of 147 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
## Summary - Add missing `ProofSystemGnark` typed alias for `ProofSystem_PROOF_SYSTEM_GROTH16_GNARK`, matching the existing `ProofSystemGroth16` and `ProofSystemUltraHonk` aliases ## Test plan - [x] `go build ./x/zk/...` passes 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
## Summary - Replaces cross-compiled Linux binary builds with extraction from natively-built Docker images - Fixes the arm64 linker failure caused by barretenberg-go's libc++ static lib vs goreleaser-cross's libstdc++ - Adds `extract-binaries-linux.yaml` reusable workflow that loads Docker tarballs and copies `/usr/bin/xiond` out - Reorders `create-release.yaml`: Docker images build first (no pre-built binary dependency), then linux binaries are extracted from them - Darwin builds are completely unchanged - `binaries-linux.yaml` left in place but no longer called from the release pipeline ## Pipeline flow (before → after) **Before:** ``` build-linux + build-darwin → build-docker → push/e2e/scout → goreleaser ``` **After:** ``` build-docker → extract-linux-binaries ─┐ build-darwin ──────────────────────────→├→ goreleaser push/e2e/scout ────────────────────────┘ ``` ## Test plan - [ ] Trigger `create-release.yaml` via `workflow_dispatch` on this branch - [ ] Verify Docker images build without pre-built binaries (goreleaser fallback path) - [ ] Verify `extract-binaries-linux.yaml` extracts binaries with correct directory structure - [ ] Verify `exec-goreleaser` finds linux + darwin binaries at expected paths - [ ] Verify Docker push, scout, and e2e jobs still pass 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
## Summary - Fixes the `exec-goreleaser.yaml` "Move artifacts" step which failed with `no such file or directory` after the extract-from-docker change (#561) - The old `mv ${{ runner.temp }}/*/xiond* dist` glob relied on a specific directory hierarchy from upload-artifact that isn't guaranteed with `merge-multiple: true` - New logic uses `find` to locate all `xiond-*` binaries, parses os/arch from filenames, and creates the exact directory structure goreleaser's `prebuilt` builder expects: `dist/xiond_<os>_<arch>_<variant>/bin/xiond-<os>-<arch>` - Adds diagnostic output to help debug artifact issues ## Test plan - [ ] Trigger `create-release.yaml` via `workflow_dispatch` on this branch - [ ] Verify "Move artifacts" step shows correct file placement - [ ] Verify goreleaser successfully imports all prebuilt binaries 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.