fix: restrict access to scoped capsules#22113
Merged
mverzilli merged 3 commits intoMar 30, 2026
Merged
Conversation
nventuro
approved these changes
Mar 27, 2026
Contributor
|
It'd be good to begin keeping track of patch notes. This technically is a behavioral change in the oracle, it'd be nice to be able to quickly get to this as the source of a new error a user may run into. |
Contributor
Author
Good call. I added a mention on the migration notes, but also created an error code and URI for it. |
Collaborator
|
❌ Failed to cherry-pick to |
AztecBot
pushed a commit
that referenced
this pull request
Mar 30, 2026
AztecBot
added a commit
that referenced
this pull request
Mar 30, 2026
This was referenced Mar 30, 2026
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Mar 30, 2026
BEGIN_COMMIT_OVERRIDE fix: restrict access to scoped capsules (#22113) END_COMMIT_OVERRIDE
AztecBot
added a commit
that referenced
this pull request
Mar 30, 2026
CapsuleService does not exist on v4-next (introduced by #22113 which hasn't landed yet), so all CapsuleService references are reverted to use capsuleStore directly. Migration notes conflict resolved by accepting the new ALL_SCOPES removal documentation.
AztecBot
pushed a commit
that referenced
this pull request
Mar 30, 2026
mverzilli
added a commit
that referenced
this pull request
Mar 30, 2026
## Summary Backport of #22113 to v4-next. Introduces a `CapsuleService` wrapper that enforces scope-based access control on capsule operations invoked through oracles, ensuring they are within the scopes authorized for the current execution context. ## Cherry-pick conflicts Conflicts were in docs files only: - `docs/docs-developers/docs/resources/migration_notes.md` — positional conflict in TBD section (incoming content for capsule scope enforcement note + `## 4.2.0-aztecnr-rc.2` header) - `docs/netlify.toml` — missing `/errors/9` and `/errors/10` redirect entries Both resolved by accepting the incoming content. All TypeScript changes applied cleanly. ## Test plan - [ ] CI passes on backport branch - [ ] Capsule scope enforcement works as described in migration notes
mverzilli
added a commit
that referenced
this pull request
Mar 30, 2026
## Summary Backport of #22136 to v4-next, stacked on #22157 (backport of #22113 scoped capsules). Removes the `ALL_SCOPES` option and `AccessScopes` type, forcing all callers to explicitly specify which addresses are in scope via `AztecAddress[]`. This is a breaking change in the PXE/wallet interface. ## Stacking This PR is stacked on `claudebox/backport-22113-scoped-capsules` (#22157) which introduces CapsuleService. With that base in place, the cherry-pick applies cleanly with no conflicts.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Introduces checks that capsule operations invoked through oracles are within the scopes in context of execution
Closes F-505