feat(contracts): add Groth16SettlementVerifier #92

Merged: iap merged 2 commits into dev from feat/groth16-settlement-verifier on May 11, 2026

@iap iap commented May 11, 2026

Adds Groth16SettlementVerifier implementing IUTXOSettlementVerifier via a swappable IGroth16Verifier contract (generated by snarkjs from the UTXO circuit).

Proof layout (384 bytes): Groth16 proof (256 bytes) + public signals (128 bytes: nullifierHash, commitmentHash, amount, isMint). Amount and isMint are verified on-chain against settlement call parameters before delegating to the circuit verifier.

AttestedSettlementVerifier remains the active production verifier. Groth16SettlementVerifier is ready to activate once the circuit is compiled and a verifier contract is deployed.

Scope: contracts

Verification: 12 new unit tests passing. Full suite 86 tests passing (1 expected failure: bridge integration requires supersim).

Risk: Low. New contract only — no changes to existing contracts or interfaces.

Summary by CodeRabbit

  • New Features

    • Added Groth16 proof-based settlement verification with configurable verifier contract deployment
    • Input validation for settlement transactions (intent, module, account, amount parameters)
    • Admin-controlled verifier contract configuration
  • Tests

    • Comprehensive test coverage for valid proofs, verification failures, input validation, and configuration scenarios

…nterface

Implements IUTXOSettlementVerifier using a swappable Groth16 circuit verifier.
The verifier contract (IGroth16Verifier) is generated by snarkjs exportSolidityVerifier
from the compiled UTXO circuit and injected via setVerifierContract.

Proof layout (384 bytes):
  [0:256]  Groth16 proof: abi.encode(uint256[2] a, uint256[2][2] b, uint256[2] c)
  [256:384] Public signals: abi.encode(uint256[4])
    [0] nullifierHash  - prevents double-spend of input UTXO note
    [1] commitmentHash - binds output note (recipient + amount + blinding)
    [2] amount         - verified against settlement call parameter
    [3] isMint         - verified against settlement call parameter

AttestedSettlementVerifier remains the active production verifier.
Groth16SettlementVerifier is ready to activate once the circuit is compiled.

12 unit tests, all passing.
@iap iap requested a review from a team as a code owner May 11, 2026 02:39
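
The 384-byte proof layout described in the PR description and commit message above, modelled off-chain in Python as an added example (not code from this PR or the project). The function names are hypothetical, the sample values are constructed, and rejecting by returning False rather than reverting is an assumption.

```python
# Added example: off-chain model of the 384-byte settlement proof layout.
# Function names and the return-False-on-reject behaviour are assumptions.
from typing import Callable, Sequence

WORD = 32
PROOF_LEN = 8 * WORD                 # a (2 words) + b (4 words) + c (2 words) = 256
SIGNALS_LEN = 4 * WORD               # nullifierHash, commitmentHash, amount, isMint = 128
TOTAL_LEN = PROOF_LEN + SIGNALS_LEN  # 384

def _words(values: Sequence[int]) -> bytes:
    # abi.encode of static uint256 arrays is just their big-endian 32-byte words
    return b"".join(v.to_bytes(WORD, "big") for v in values)

def build_proof(a, b, c, nullifier_hash, commitment_hash, amount, is_mint) -> bytes:
    flat_b = [x for row in b for x in row]  # uint256[2][2] flattens row by row
    signals = [nullifier_hash, commitment_hash, amount, int(is_mint)]
    return _words([*a, *flat_b, *c]) + _words(signals)

def split_proof(blob: bytes):
    """Return (groth16_proof_bytes, signals); raise ValueError on a wrong length."""
    if len(blob) != TOTAL_LEN:
        raise ValueError(f"expected {TOTAL_LEN} bytes, got {len(blob)}")
    proof, sig = blob[:PROOF_LEN], blob[PROOF_LEN:]
    signals = [int.from_bytes(sig[i:i + WORD], "big")
               for i in range(0, SIGNALS_LEN, WORD)]
    return proof, signals

def verify_settlement(blob: bytes, amount: int, is_mint: bool,
                      circuit_verifier: Callable[[bytes, bytes], bool]) -> bool:
    if amount == 0:
        return False
    try:
        proof, signals = split_proof(blob)
    except ValueError:
        return False
    # Bind the public signals to the call parameters before delegating; without
    # this, a valid proof for one amount could settle a different amount.
    # Comparing against int(is_mint) also rejects any isMint word other than 0/1.
    if signals[2] != amount or signals[3] != int(is_mint):
        return False
    return bool(circuit_verifier(proof, blob[PROOF_LEN:]))

# Constructed sample values (not real curve points or hashes)
SAMPLE = build_proof([1, 2], [[3, 4], [5, 6]], [7, 8], 0xAAAA, 0xBBBB, 1000, True)
```
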

github-actions Bot commented May 11, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

coderabbitai Bot commented May 11, 2026

Walkthrough

This PR introduces a Groth16-based proof verifier for settlement transactions. It defines an interface for circuit-generated verifiers, implements a settlement verifier that parses proof payloads and delegates verification, validates inputs for non-zero fields and matching amounts, and includes comprehensive unit tests covering success cases, verification failures, input validation, and admin configuration.

Changes

Groth16 Settlement Verifier

| Layer / File(s) | Summary |
|---|---|
| Interface Definition: contracts/src/settlement/interfaces/IGroth16Verifier.sol | IGroth16Verifier interface defines verifyProof(bytes calldata proof, bytes calldata pubSignals) external view returns (bool) with documentation of Groth16 proof structure and expected public signal encoding from snarkjs. |
| Core Verifier Implementation: contracts/src/settlement/verifier/Groth16SettlementVerifier.sol | Groth16SettlementVerifier implements IUTXOSettlementVerifier, stores an admin-configured verifierContract, validates inputs (non-zero intent/module/account, non-zero amount, exact proof length), parses proof bytes and public signals, decodes and matches amount/isMint, and delegates to circuit verifier. |
| Unit Tests & Validation: contracts/test/unit/settlement/Groth16SettlementVerifier.t.sol | Test suite with MockGroth16Verifier, setup with deterministic addresses, _buildProof helper, and 12 test cases: success case, verifier failures (no verifier set, failing verifier), proof/parameter mismatches (amount, isMint, malformed), input validation failures (zero intent/module/account/amount), and admin configuration edge cases (zero address, EOA rejection). |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A verifier hops in with Groth16's might,
Proof bytes parsed and signals checked right,
Admin gates the circuit contract's call,
Zero-checks and validation enthrall,
Tests bloom to guard against all the flaws!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The PR title clearly and specifically summarizes the main change: addition of Groth16SettlementVerifier contract. |
| Description check | ✅ Passed | The description comprehensively covers the change, includes scope, verification results with specific test counts, and risk assessment, but lacks explicit checklist completion. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ed6fcb8275

Comment thread contracts/src/settlement/verifier/Groth16SettlementVerifier.sol

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@contracts/src/settlement/interfaces/IGroth16Verifier.sol`:
- Around line 20-25: The interface comment incorrectly claims compatibility with
snarkjs output while IGroth16Verifier.verifyProof uses bytes calldata proof,
bytes calldata pubSignals; either update the interface docs to remove or clarify
the "Matches the output of snarkjs exportSolidityVerifier" claim, or change the
interface to the snarkjs signature (verifyProof(uint[2] calldata _pA, uint[2][2]
calldata _pB, uint[2] calldata _pC, uint[2] calldata _pubSignals)) and adjust
callers accordingly; if you intentionally use a bytes-encoded adapter, document
that the deployed verifier is a custom adapter and ensure
Groth16SettlementVerifier.sol calls the correct adapter contract that accepts
the bytes encoding.

In `@contracts/src/settlement/verifier/Groth16SettlementVerifier.sol`:
- Line 96: The direct call to verifier_.verifyProof(groth16Proof,
pubSignalsBytes) can revert and should be guarded so reverts return false
instead of bubbling; wrap the external call to verifier_.verifyProof in a
try/catch (using try verifier_.verifyProof(...) returns (bool ok) { return ok; }
catch { return false; } and include catch Error(...) and catch Panic(...) if
desired) so any downstream ABI/runtime/require reverts are caught and the
function returns false; locate this in Groth16SettlementVerifier.sol where
verifier_.verifyProof, groth16Proof and pubSignalsBytes are used.

In `@contracts/test/unit/settlement/Groth16SettlementVerifier.t.sol`:
- Around line 8-19: Add a new mock verifier that reverts from verifyProof (e.g.,
RevertingGroth16Verifier implementing IGroth16Verifier with verifyProof that
revert("mock revert")), deploy it alongside the existing MockGroth16Verifier in
the Groth16SettlementVerifier.t.sol tests, call the contract's
verifySettlement(...) using the reverting mock, and assert the caller-facing
verifySettlement() returns false (after the contract fix) to cover the
downstream revert path; reference MockGroth16Verifier and verifyProof to locate
the existing mock and verifySettlement to locate the call site to extend with
the new test case.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: b9e52db1-a534-4008-a43f-aac4f6e41174

📥 Commits

Reviewing files that changed from the base of the PR and between 9ce6d97 and ed6fcb8.

📒 Files selected for processing (3)
  • contracts/src/settlement/interfaces/IGroth16Verifier.sol
  • contracts/src/settlement/verifier/Groth16SettlementVerifier.sol
  • contracts/test/unit/settlement/Groth16SettlementVerifier.t.sol

Comment thread contracts/src/settlement/interfaces/IGroth16Verifier.sol
Comment thread contracts/src/settlement/verifier/Groth16SettlementVerifier.sol
Comment thread contracts/test/unit/settlement/Groth16SettlementVerifier.t.sol
@iap iap merged commit 6c02586 into dev May 11, 2026
19 checks passed
@iap iap deleted the feat/groth16-settlement-verifier branch May 11, 2026 03:19