feat: merge-train/barretenberg

.claude/agents/network-logs.md

@@ -62,10 +62,31 @@ You can read this output directly — no parsing needed.
 --format='table[no-heading](timestamp, resource.labels.pod_name, jsonPayload.message.slice(0,150))'
 ```
 
+## Cluster Mapping
+
+Aztec runs two GKE clusters:
+
+| Cluster | Aztec namespaces |
+|---------|-----------------|
+| `aztec-gke-private` | `mainnet` (ignition — active), `next-net`, `staging-ignition`, `staging-public`, and various test/scenario namespaces |
+| `aztec-gke-public` | `mainnet` (public — currently in standby), `testnet`, and other public-facing infrastructure |
+
+**Important: `mainnet` exists in BOTH clusters.**
+- The **private** cluster's `mainnet` runs the **ignition** network (active, fisherman mode).
+- The **public** cluster's `mainnet` is the next rollup upgrade (currently in standby, waiting for L1 contract alignment). It also runs in fisherman mode.
+
+When querying `mainnet`, you MUST include a `resource.labels.cluster_name` filter to disambiguate:
+- If the user says "mainnet" without qualification, query the **private** cluster (ignition) by default — it's the active one.
+- If the user says "mainnet public", "public cluster mainnet", or "mainnet on public", query the **public** cluster.
+- If uncertain, query **both** clusters in parallel and report results separately.
+
+For all other namespaces, the cluster filter is optional but recommended for clarity.
+
 ## GCP Log Structure
 
 Aztec network logs use:
 - `resource.type="k8s_container"`
+- `resource.labels.cluster_name` — the GKE cluster (`aztec-gke-private` or `aztec-gke-public`)
 - `resource.labels.namespace_name` — the deployment namespace
 - `resource.labels.pod_name` — the specific pod
 - `resource.labels.container_name` — usually `aztec`
@@ -92,7 +113,7 @@ Pods follow the pattern `{namespace}-{component}-{index}`:
 ## Deployment-Specific Notes
 
 - **next-net** redeploys every morning at ~4am UTC. Always use timestamp range filters (not `--freshness`) when querying next-net for a specific date, and expect logs to only cover a single instance of the network. Because next-net resets daily, its block height should start near 0 after ~4am UTC. If you are running a morning healthcheck and the block height is unexpectedly large (e.g., hundreds or thousands), flag this as an error — it likely means the nightly redeploy failed and the network is running a stale instance.
-- **mainnet** does not run sequencer validators. Instead, it runs infrastructure in **fisherman mode**: nodes simulate building a block for every slot but never actually submit the L1 transaction. This means you will see "built block" or similar messages but no "Published checkpoint" or L1 submission logs. Errors with hash `0xf3e591ac` are a known artifact of fisherman mode and are safe to ignore.
+- **mainnet** (both private/ignition and public) does not run sequencer validators. Both deployments run in **fisherman mode**: nodes simulate building a block for every slot but never actually submit the L1 transaction. This means you will see "built block" or similar messages but no "Published checkpoint" or L1 submission logs. Errors with hash `0xf3e591ac` are a known artifact of fisherman mode and are safe to ignore. See the Cluster Mapping section above for how to disambiguate between the two mainnet deployments.
 
 ## Filter Building
 

.github/workflows/ci3-external.yml

@@ -22,6 +22,9 @@ jobs:
     runs-on: ubuntu-latest
     # exclusive with ci3.yml, only run on forks.
     if: github.event.pull_request.head.repo.fork
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

.github/workflows/deploy-staging-public.yml

@@ -26,40 +26,39 @@ jobs:
           token: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
           fetch-depth: 0
 
-      - name: Read version from manifest
-        id: manifest
-        run: |
-          VERSION=$(jq -r '."."' .release-please-manifest.json)
-          echo "version=$VERSION"
-          echo "version=$VERSION" >> $GITHUB_OUTPUT
-
-      - name: Poll for tag at HEAD
+      - name: Poll for semver tag at HEAD
         id: poll-tag
         run: |
-          # wait for tag to be pushed (either RC or stable release)
-          VERSION="${{ steps.manifest.outputs.version }}"
           HEAD_SHA=$(git rev-parse HEAD)
           MAX_ATTEMPTS=60
-          echo "Looking for tag matching v${VERSION} or v${VERSION}-rc.* at HEAD ($HEAD_SHA)"
+          echo "Looking for any semver tag at HEAD ($HEAD_SHA)"
 
           for i in $(seq 1 $MAX_ATTEMPTS); do
             git fetch --tags --force
 
-            TAG=$(git tag --points-at HEAD | grep -E "^v${VERSION}(-rc\.[0-9]+)?$" | sort -V | tail -n 1 || true)
+            # Collect all valid semver tags pointing at HEAD
+            SEMVER_TAGS=()
+            for t in $(git tag --points-at HEAD); do
+              if ci3/semver check "$t"; then
+                SEMVER_TAGS+=("$t")
+              fi
+            done
 
-            if [ -n "$TAG" ]; then
+            # If we found valid semver tags, pick the highest
+            if [ ${#SEMVER_TAGS[@]} -gt 0 ]; then
+              TAG=$(ci3/semver sort "${SEMVER_TAGS[@]}" | tail -n 1)
               echo "Found tag: $TAG"
               SEMVER="${TAG#v}"
               echo "tag=$TAG" >> $GITHUB_OUTPUT
               echo "semver=$SEMVER" >> $GITHUB_OUTPUT
               exit 0
             fi
 
-            echo "Attempt $i/$MAX_ATTEMPTS: No matching tag yet, waiting 10s..."
+            echo "Attempt $i/$MAX_ATTEMPTS: No semver tag yet, waiting 10s..."
             sleep 10
           done
 
-          echo "Error: No tag found for v${VERSION} at HEAD after 10 minutes"
+          echo "Error: No semver tag found at HEAD after 10 minutes"
           exit 1
 
   wait-for-ci3:

.gitignore

@@ -33,3 +33,4 @@ docs/docs/protocol-specs/public-vm/gen/
 __pycache__
 
 *.local.md
+.claude/settings.local.json

.test_patterns.yml

@@ -339,6 +339,12 @@ tests:
     owners:
       - *palla
 
+  # http://ci.aztec-labs.com/153f5dcbb0f3799c
+  - regex: "src/e2e_offchain_payment.test.ts"
+    error_regex: "✕ reprocesses an offchain-delivered payment after an L1 reorg"
+    owners:
+      - *martin
+
   - regex: "yarn-project/scripts/run_test.sh bb-prover/src/avm_proving_tests/avm_"
     error_regex: "timeout: sending signal"
     owners:

Makefile

@@ -235,7 +235,7 @@ bb-sol: bb-cpp-native bb-crs
 # Barretenberg Tests
 #==============================================================================
 
-bb-cpp-native-tests: bb-cpp-native
+bb-cpp-native-tests: bb-cpp-native bb-crs
 	$(call test,$@,barretenberg/cpp,native)
 
 bb-cpp-wasm-threads-tests: bb-cpp-wasm-threads

aztec-up/bin/0.0.1/aztec-install

@@ -3,6 +3,9 @@
 # This script installs aztec-up and then delegates to it for version installation.
 # Usage: bash -i <(curl -s https://install.aztec.network)
 #    or: VERSION=0.85.0 bash -i <(curl -s https://install.aztec.network)
+
+# Guard against truncated curl downloads: bash must parse the entire {} block before executing any of it.
+{
 set -euo pipefail
 
 # Colors (truecolor with 256-color fallback)
@@ -30,12 +33,20 @@ VERSION=${VERSION:-0.0.1}
 # Install URI (root, not version-specific)
 INSTALL_URI="${INSTALL_URI:-https://install.aztec-labs.com}"
 
+# Check if version string is valid semver
+function is_semver {
+  local version="$1"
+  local semver_regex='^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.]+)?$'
+  [[ "$version" =~ $semver_regex ]]
+}
+
 # Resolve alias (like "nightly") to actual version number.
 function resolve_version {
   local version="$1"
-  local semver_regex='^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.]+)?$'
-  if [[ "$version" =~ $semver_regex ]]; then
-    echo "$version"
+  # Strip leading v from semver-like inputs (v0.85.0 -> 0.85.0), but not aliases (v4-nightly)
+  local stripped="${version#v}"
+  if is_semver "$stripped"; then
+    echo "$stripped"
   else
     local resolved
     if ! resolved=$(curl -fsSL "$INSTALL_URI/aliases/$version" 2>/dev/null); then
@@ -194,7 +205,7 @@ function update_path_env_var {
   if grep -q '\.aztec' "$shell_profile" 2>/dev/null; then
     # Remove old aztec PATH entries.
     local tmp_file=$(mktemp)
-    grep -Ev 'export PATH=.*/\.aztec/' "$shell_profile" > "$tmp_file" || true
+    grep -Ev 'export PATH="\$(HOME/\.aztec/|PATH:.*\.aztec/)' "$shell_profile" > "$tmp_file" || true
     mv "$tmp_file" "$shell_profile"
   fi
 
@@ -242,3 +253,7 @@ function main {
 }
 
 main "$@"
+
+# Explicit exit prevents bash from reading past the closing brace.
+exit
+}

aztec-up/bin/0.0.1/aztec-up

@@ -103,8 +103,10 @@ function is_semver {
 # Resolve alias (like "nightly") to actual version number
 function resolve_version {
   local version="$1"
-  if is_semver "$version"; then
-    echo "$version"
+  # Strip leading v from semver-like inputs (v0.85.0 -> 0.85.0), but not aliases (v4-nightly)
+  local stripped="${version#v}"
+  if is_semver "$stripped"; then
+    echo "$stripped"
   else
     # Fetch alias file to get actual version
     local resolved
@@ -314,6 +316,11 @@ function cmd_uninstall {
     exit 1
   fi
 
+  if ! is_semver "$version"; then
+    echo "Error: Invalid version '$version'. Expected a semver string (e.g. 0.85.0)."
+    exit 1
+  fi
+
   local current_version
   current_version=$(get_current_version)
 

aztec-up/bin/0.0.1/install

@@ -2,6 +2,9 @@
 # Per-version installer script
 # This script is called by aztec-up to install a specific version of the Aztec toolchain.
 # It expects VERSION and INSTALL_URI to be set.
+
+# Guard against truncated curl downloads: bash must parse the entire {} block before executing any of it.
+{
 set -euo pipefail
 
 # Colors
@@ -232,3 +235,7 @@ function main {
 }
 
 main "$@"
+
+# Explicit exit prevents bash from reading past the closing brace.
+exit
+}

barretenberg/acir_tests/browser-test-app/src/index.ts

@@ -97,7 +97,7 @@ function installChonkGlobal() {
     logger.debug("starting test...");
     const bb = await Barretenberg.new({ threads, logger: bbLogger });
     const backend = new AztecClientBackend(acirBufs, bb, circuitNames);
-    const [_, proof, verificationKey] = await backend.prove(
+    const { proof, vk: verificationKey } = await backend.prove(
       witnessBufs,
       vkBufs
     );

barretenberg/cpp/bootstrap.sh

@@ -380,6 +380,8 @@ case "$cmd" in
     build
     ;;
   "ci")
+    # Ensure CRS is downloaded before running tests
+    ../crs/bootstrap.sh
     build
     test
     ;;

barretenberg/cpp/pil/vm2/bytecode/bc_retrieval.pil

@@ -140,16 +140,18 @@ pol commit instance_exists; // @boolean (by lookup into contract_instance_retrie
 #[CONTRACT_INSTANCE_RETRIEVAL]
 sel {
     address,
-    current_class_id,
-    instance_exists,
+    nullifier_tree_root,
     public_data_tree_root,
-    nullifier_tree_root
+    instance_exists,
+    current_class_id
 } in contract_instance_retrieval.sel {
     contract_instance_retrieval.address,
-    contract_instance_retrieval.current_class_id,
-    contract_instance_retrieval.exists,
+    contract_instance_retrieval.nullifier_tree_root,
     contract_instance_retrieval.public_data_tree_root,
-    contract_instance_retrieval.nullifier_tree_root
+    contract_instance_retrieval.exists,
+    // Note: don't need deployer_addr for bc retrieval
+    contract_instance_retrieval.current_class_id
+    // Note: don't need init_hash for bc retrieval
 };
 
 ////////////////////////////////////////////////