@aztec/p2p 0.0.1-commit.7b97ef96e → 0.0.1-commit.7cbc774

package/src/msg_validators/proposal_validator/proposal_validator.ts

@@ -1,34 +1,80 @@
 import type { EpochCacheInterface } from '@aztec/epoch-cache';
 import { NoCommitteeError } from '@aztec/ethereum/contracts';
 import { type Logger, createLogger } from '@aztec/foundation/log';
-import { BlockProposal, CheckpointProposal, PeerErrorSeverity, type ValidationResult } from '@aztec/stdlib/p2p';
+import {
+  type BlockProposal,
+  type CheckpointProposalCore,
+  type CoordinationSignatureContext,
+  PeerErrorSeverity,
+  type ValidationResult,
+  hasValidSignatureContext,
+} from '@aztec/stdlib/p2p';
 
-import { isWithinClockTolerance } from '../clock_tolerance.js';
+import { PipeliningWindow, isWithinClockTolerance } from '../clock_tolerance.js';
 
-export abstract class ProposalValidator<TProposal extends BlockProposal | CheckpointProposal> {
-  protected epochCache: EpochCacheInterface;
-  protected logger: Logger;
-  protected txsPermitted: boolean;
+/** Validates header-level and tx-level fields of block and checkpoint proposals. */
+export class ProposalValidator {
+  private epochCache: EpochCacheInterface;
+  private logger: Logger;
+  private txsPermitted: boolean;
+  private maxTxsPerBlock?: number;
+  private maxBlocksPerCheckpoint?: number;
+  private pipeliningWindow: PipeliningWindow;
+  private skipSlotValidation: boolean;
+  private signatureContext: CoordinationSignatureContext;
 
-  constructor(epochCache: EpochCacheInterface, opts: { txsPermitted: boolean }, loggerName: string) {
+  constructor(
+    epochCache: EpochCacheInterface,
+    opts: {
+      txsPermitted: boolean;
+      maxTxsPerBlock?: number;
+      maxBlocksPerCheckpoint?: number;
+      p2pPropagationTime?: number;
+      skipSlotValidation?: boolean;
+      signatureContext: CoordinationSignatureContext;
+    },
+    loggerName: string,
+  ) {
     this.epochCache = epochCache;
     this.txsPermitted = opts.txsPermitted;
+    this.maxTxsPerBlock = opts.maxTxsPerBlock;
+    this.maxBlocksPerCheckpoint = opts.maxBlocksPerCheckpoint;
+    this.pipeliningWindow = new PipeliningWindow(epochCache, { p2pPropagationTime: opts.p2pPropagationTime });
+    this.skipSlotValidation = opts.skipSlotValidation ?? false;
+    this.signatureContext = opts.signatureContext;
     this.logger = createLogger(loggerName);
   }
 
-  public async validate(proposal: TProposal): Promise<ValidationResult> {
+  /** Validates header-level fields: slot, signature, and proposer. */
+  public async validate(proposal: BlockProposal | CheckpointProposalCore): Promise<ValidationResult> {
     try {
-      // Slot check
-      const { currentSlot, nextSlot } = this.epochCache.getCurrentAndNextSlot();
+      // Cross-chain replay check: reject proposals that carry a foreign signing domain.
+      if (!hasValidSignatureContext(proposal, this.signatureContext)) {
+        this.logger.warn(`Penalizing peer for proposal with foreign signature context`, {
+          chainId: proposal.signatureContext.chainId,
+          rollupAddress: proposal.signatureContext.rollupAddress.toString(),
+          expectedChainId: this.signatureContext.chainId,
+          expectedRollupAddress: this.signatureContext.rollupAddress.toString(),
+        });
+        return { result: 'reject', severity: PeerErrorSeverity.LowToleranceError };
+      }
+
+      // Slot check: use target slots since proposals target pipeline slots (slot + 1 when pipelining).
+      const { targetSlot, nextSlot } = this.epochCache.getTargetAndNextSlot();
+
       const slotNumber = proposal.slotNumber;
-      if (slotNumber !== currentSlot && slotNumber !== nextSlot) {
-        // Check if message is for previous slot and within clock tolerance
-        if (!isWithinClockTolerance(slotNumber, currentSlot, this.epochCache)) {
-          this.logger.warn(`Penalizing peer for invalid slot number ${slotNumber}`, { currentSlot, nextSlot });
+      if (!this.skipSlotValidation && slotNumber !== targetSlot && slotNumber !== nextSlot) {
+        // When pipelining, accept proposals for the current slot (built in the previous slot)
+        // if they're still within the shared proposal acceptance window.
+        if (this.pipeliningWindow.acceptsProposal(slotNumber)) {
+          // Fall through to remaining validation (signature, proposer, etc.)
+        } else if (!isWithinClockTolerance(slotNumber, targetSlot, this.epochCache)) {
+          this.logger.warn(`Penalizing peer for invalid slot number ${slotNumber}`, { targetSlot, nextSlot });
           return { result: 'reject', severity: PeerErrorSeverity.HighToleranceError };
+        } else {
+          this.logger.verbose(`Ignoring proposal for previous slot ${slotNumber} within clock tolerance`);
+          return { result: 'ignore' };
         }
-        this.logger.verbose(`Ignoring proposal for previous slot ${slotNumber} within clock tolerance`);
-        return { result: 'ignore' };
       }
 
       // Signature validity
@@ -38,30 +84,6 @@ export abstract class ProposalValidator<TProposal extends BlockProposal | Checkp
         return { result: 'reject', severity: PeerErrorSeverity.MidToleranceError };
       }
 
-      // Transactions permitted check
-      const embeddedTxCount = proposal.txs?.length ?? 0;
-      if (!this.txsPermitted && (proposal.txHashes.length > 0 || embeddedTxCount > 0)) {
-        this.logger.warn(
-          `Penalizing peer for proposal with ${proposal.txHashes.length} transaction(s) when transactions are not permitted`,
-        );
-        return { result: 'reject', severity: PeerErrorSeverity.MidToleranceError };
-      }
-
-      // Embedded txs must be listed in txHashes
-      const hashSet = new Set(proposal.txHashes.map(h => h.toString()));
-      const missingTxHashes =
-        embeddedTxCount > 0
-          ? proposal.txs!.filter(tx => !hashSet.has(tx.getTxHash().toString())).map(tx => tx.getTxHash().toString())
-          : [];
-      if (embeddedTxCount > 0 && missingTxHashes.length > 0) {
-        this.logger.warn('Penalizing peer for embedded transaction(s) not included in txHashes', {
-          embeddedTxCount,
-          txHashesLength: proposal.txHashes.length,
-          missingTxHashes,
-        });
-        return { result: 'reject', severity: PeerErrorSeverity.MidToleranceError };
-      }
-
       // Proposer check
       const expectedProposer = await this.epochCache.getProposerAttesterAddressInSlot(slotNumber);
       if (expectedProposer !== undefined && !proposer.equals(expectedProposer)) {
@@ -72,13 +94,15 @@ export abstract class ProposalValidator<TProposal extends BlockProposal | Checkp
         return { result: 'reject', severity: PeerErrorSeverity.MidToleranceError };
       }
 
-      // Validate tx hashes for all txs embedded in the proposal
-      if (!(await Promise.all(proposal.txs?.map(tx => tx.validateTxHash()) ?? [])).every(v => v)) {
-        this.logger.warn(`Penalizing peer for invalid tx hashes in proposal`, {
-          proposer,
-          slotNumber,
-        });
-        return { result: 'reject', severity: PeerErrorSeverity.LowToleranceError };
+      if (
+        this.maxBlocksPerCheckpoint !== undefined &&
+        'indexWithinCheckpoint' in proposal &&
+        proposal.indexWithinCheckpoint >= this.maxBlocksPerCheckpoint
+      ) {
+        this.logger.warn(
+          `Penalizing peer for proposal with indexWithinCheckpoint ${proposal.indexWithinCheckpoint} >= max ${this.maxBlocksPerCheckpoint}`,
+        );
+        return { result: 'reject', severity: PeerErrorSeverity.MidToleranceError };
       }
 
       return { result: 'accept' };
@@ -89,4 +113,47 @@ export abstract class ProposalValidator<TProposal extends BlockProposal | Checkp
       throw e;
     }
   }
+
+  /** Validates transaction-related fields of a block proposal. */
+  public async validateTxs(proposal: BlockProposal): Promise<ValidationResult> {
+    // Transactions permitted check
+    const embeddedTxCount = proposal.txs?.length ?? 0;
+    if (!this.txsPermitted && (proposal.txHashes.length > 0 || embeddedTxCount > 0)) {
+      this.logger.warn(
+        `Penalizing peer for proposal with ${proposal.txHashes.length} transaction(s) when transactions are not permitted`,
+      );
+      return { result: 'reject', severity: PeerErrorSeverity.MidToleranceError };
+    }
+
+    // Max txs per block check
+    if (this.maxTxsPerBlock !== undefined && proposal.txHashes.length > this.maxTxsPerBlock) {
+      this.logger.warn(
+        `Penalizing peer for proposal with ${proposal.txHashes.length} transaction(s) when max is ${this.maxTxsPerBlock}`,
+      );
+      return { result: 'reject', severity: PeerErrorSeverity.MidToleranceError };
+    }
+
+    // Embedded txs must be listed in txHashes
+    const hashSet = new Set(proposal.txHashes.map(h => h.toString()));
+    const missingTxHashes =
+      embeddedTxCount > 0
+        ? proposal.txs!.filter(tx => !hashSet.has(tx.getTxHash().toString())).map(tx => tx.getTxHash().toString())
+        : [];
+    if (embeddedTxCount > 0 && missingTxHashes.length > 0) {
+      this.logger.warn('Penalizing peer for embedded transaction(s) not included in txHashes', {
+        embeddedTxCount,
+        txHashesLength: proposal.txHashes.length,
+        missingTxHashes,
+      });
+      return { result: 'reject', severity: PeerErrorSeverity.MidToleranceError };
+    }
+
+    // Validate tx hashes for all txs embedded in the proposal
+    if (!(await Promise.all(proposal.txs?.map(tx => tx.validateTxHash()) ?? [])).every(v => v)) {
+      this.logger.warn(`Penalizing peer for invalid tx hashes in proposal`);
+      return { result: 'reject', severity: PeerErrorSeverity.LowToleranceError };
+    }
+
+    return { result: 'accept' };
+  }
 }

package/src/msg_validators/tx_validator/README.md

@@ -0,0 +1,127 @@
+# Transaction Validation
+
+This module defines the transaction validators and the factory functions that assemble them for each entry point into the system.
+
+## Validation Strategy
+
+Transactions enter the system through different paths. **Unsolicited** transactions (gossip and RPC) are fully validated before acceptance. **Solicited** transactions (req/resp and block proposals) are only checked for well-formedness because we must store them for block re-execution — they may ultimately be invalid, which is caught during block building and reported as part of block validation/attestation.
+
+When solicited transactions fail to be mined, they may be migrated to the pending pool. At that point, the pool runs the state-dependent checks that were skipped on initial receipt.
+
+## Entry Points
+
+### 1. Gossip (libp2p pubsub)
+
+**Factory**: `createFirstStageTxValidationsForGossipedTransactions` + `createSecondStageTxValidationsForGossipedTransactions`
+**Called from**: `LibP2PService.handleGossipedTx()` in `libp2p_service.ts`
+
+Unsolicited transactions from any peer. Fully validated in two stages with a pool pre-check in between to avoid wasting CPU on proof verification for transactions the pool would reject:
+
+| Step | What runs | On failure |
+|------|-----------|------------|
+| **Stage 1** (fast) | TxPermitted, Data, Metadata, Timestamp, DoubleSpend, Gas, Phases, BlockHeader | Penalize peer, reject tx |
+| **Pool pre-check** | `canAddPendingTx` — checks for duplicates, pool capacity | Ignore tx (no penalty) |
+| **Stage 2** (slow) | Proof verification | Penalize peer, reject tx |
+| **Pool add** | `addPendingTxs` | Accept, ignore, or reject |
+
+Each stage-1 and stage-2 validator is paired with a `PeerErrorSeverity`. If a validator fails, the sending peer is penalized with that severity. The `doubleSpendValidator` has special handling: its severity is determined by how recently the nullifier appeared (recent = high tolerance, old = low tolerance).
+
+### 2. JSON-RPC
+
+**Factory**: `createTxValidatorForAcceptingTxsOverRPC`
+**Called from**: `AztecNodeService.isValidTx()` in `aztec-node/server.ts`
+
+Unsolicited transactions from a local wallet/PXE. Runs the full set of checks as a single aggregate validator:
+
+- TxPermitted, Size, Data, Metadata, Timestamp, DoubleSpend, Phases, BlockHeader
+- Gas (optional — skipped when `skipFeeEnforcement` is set)
+- Proof verification (optional — skipped for simulations when no verifier is provided)
+
+### 3. Req/resp and block proposals
+
+**Factories**: `createTxValidatorForReqResponseReceivedTxs`, `createTxValidatorForBlockProposalReceivedTxs`
+**Called from**: `LibP2PService.validateRequestedTx()`, `LibP2PService.validateTxsReceivedInBlockProposal()`, and `BatchRequestTxValidator` in `batch-tx-requester/tx_validator.ts`
+
+Solicited transactions — we requested these from peers or received them as part of a block proposal we need to validate. We must accept them for re-execution even if they are invalid against the current state. Only well-formedness is checked:
+
+- Metadata, Size, Data, Proof
+
+State-dependent checks are deferred to either the block building validator (for txs included in blocks) or the pending pool migration validator (for unmined txs migrating to pending).
+
+### 4. Block building
+
+**Factory**: `createTxValidatorForBlockBuilding`
+**Called from**: `CheckpointBuilder.makeBlockBuilderDeps()` in `validator-client/checkpoint_builder.ts`
+
+Transactions already in the pool, about to be sequenced into a block. Re-validates against the current state of the block being built. **This is where invalid txs that entered via req/resp or block proposals are caught** — their invalidity is reported as part of block validation/attestation.
+
+Runs:
+- Timestamp, DoubleSpend, Phases, Gas, BlockHeader
+
+Does **not** run:
+- Proof, Data — already verified on entry (by gossip, RPC, or req/resp validators)
+
+### 5. Pending pool migration
+
+**Factory**: `createTxValidatorForTransactionsEnteringPendingTxPool`
+**Called from**: `TxPoolV2Impl` (injected as the `createTxValidator` factory via `TxPoolV2Dependencies`)
+
+When transactions that arrived via req/resp or block proposals fail to be mined, they may need to be included in our pending pool. These txs only had well-formedness checks on receipt, so the pool runs the state-dependent checks they missed before accepting them.
+
+This validator is invoked on **every** transaction potentially entering the pending pool:
+- `addPendingTxs` — validating each tx before adding
+- `prepareForSlot` — unprotecting txs back to pending after a slot ends
+- `handlePrunedBlocks` — unmining txs from pruned blocks back to pending
+- Startup hydration — revalidating persisted non-mined txs on node restart
+
+Runs:
+- DoubleSpend, BlockHeader, GasLimits, MaxFeePerGas, Timestamp, AllowedSetupCalls
+
+Operates on `TxMetaData` (pre-built by the pool) rather than full `Tx` objects.
+
+The `AllowedSetupCallsMetaValidator` checks a precomputed boolean flag (`TxMetaData.allowedSetupCalls`) rather than re-running the full `PhasesTxValidator`. This flag is computed by `createCheckAllowedSetupCalls` when the tx first enters the pool (via `addProtectedTxs` or startup hydration), so the pool migration validator can reject txs with disallowed setup calls without needing the full `Tx` object or its dependencies.
+
+## Individual Validators
+
+| Validator | What it checks | Benchmarked verification duration |
+|-----------|---------------|---------------|
+| `TxPermittedValidator` | Whether the system is accepting transactions (controlled by config flag) | 1.56 us |
+| `DataTxValidator` | Transaction data integrity — correct structure, non-empty fields | 4.10–18.18 ms |
+| `SizeTxValidator` | Transaction does not exceed maximum size limits | 2.28 us |
+| `MetadataTxValidator` | Chain ID, rollup version, protocol contracts hash, VK tree root | 4.18 us |
+| `TimestampTxValidator` | Transaction has not expired (expiration timestamp vs next slot) | 1.56 us |
+| `DoubleSpendTxValidator` | Nullifiers do not already exist in the nullifier tree | 106.08 us |
+| `GasTxValidator` | Gas limits are within bounds (delegates to `GasLimitsValidator`), max fee per gas meets current block fees (delegates to `MaxFeePerGasValidator`), and fee payer has sufficient FeeJuice balance | 1.02 ms |
+| `GasLimitsValidator` | Gas limits are >= fixed minimums and <= AVM max processable L2 gas. Used standalone in pool migration; also called internally by `GasTxValidator` | 3–10 us |
+| `MaxFeePerGasValidator` | Max fee per gas >= current block gas fees on both dimensions (DA and L2). Used standalone in pool migration; also called internally by `GasTxValidator` | 3–10 us |
+| `PhasesTxValidator` | Public function calls in setup phase are on the allow list | 10.12–13.12 us |
+| `AllowedSetupCallsMetaValidator` | Checks the precomputed `allowedSetupCalls` flag on `TxMetaData`. Used in pool migration instead of the full `PhasesTxValidator` | — |
+| `BlockHeaderTxValidator` | Transaction's anchor block hash exists in the archive tree | 98.88 us |
+| `TxProofValidator` | Client proof verifies correctly | ~250ms |
+
+## Validator Coverage by Entry Point
+
+| Validator | Gossip | RPC | Req/resp | Block building | Pool migration |
+|-----------|--------|-----|----------|----------------|----------------|
+| TxPermitted | Stage 1 | Yes | — | — | — |
+| Data | Stage 1 | Yes | Yes | — | — |
+| Size | — | Yes | Yes | — | — |
+| Metadata | Stage 1 | Yes | Yes | — | — |
+| Timestamp | Stage 1 | Yes | — | Yes | Yes |
+| DoubleSpend | Stage 1 | Yes | — | Yes | Yes |
+| Gas (balance + limits) | Stage 1 | Optional* | — | Yes | — |
+| GasLimits (standalone) | — | — | — | — | Yes |
+| MaxFeePerGas (standalone) | — | — | — | — | Yes |
+| Phases | Stage 1 | Yes | — | Yes | — |
+| AllowedSetupCalls | — | — | — | — | Yes |
+| BlockHeader | Stage 1 | Yes | — | Yes | Yes |
+| Proof | Stage 2 | Optional** | Yes | — | — |
+
+\* Gas balance check is skipped when `skipFeeEnforcement` is set (testing/dev). `GasTxValidator` internally delegates to `GasLimitsValidator` and `MaxFeePerGasValidator` as its first steps, so gas limits and fee-per-gas are checked wherever `GasTxValidator` runs. Pool migration uses `GasLimitsValidator` and `MaxFeePerGasValidator` standalone because it doesn't need the balance check.
+\** Proof verification is skipped for simulations (no verifier provided).
+
+## Fee-Per-Gas Rejection Strategy
+
+The `MaxFeePerGasValidator` and `InsufficientFeePerGasEvictionRule` reject and evict transactions whose `maxFeesPerGas` falls below the current block's gas fees. This is a simple strategy: if a tx can't pay the current fees, it gets rejected on entry and evicted after each new block.
+
+**Caveat**: This may evict transactions that would become valid again if block fees drop. A more nuanced approach would be to define a threshold (e.g., 50%) and only reject/evict when the tx's max fee falls below that fraction of the current fees. The current approach is simpler and ensures the pool doesn't accumulate transactions with low max fees that are unlikely to be mined soon.

package/src/msg_validators/tx_validator/aggregate_tx_validator.ts

@@ -1,32 +1,23 @@
 import type { TxValidationResult, TxValidator } from '@aztec/stdlib/tx';
 
 export class AggregateTxValidator<T> implements TxValidator<T> {
-  #validators: TxValidator<T>[];
+  readonly validators: TxValidator<T>[];
   constructor(...validators: TxValidator<T>[]) {
     if (validators.length === 0) {
       throw new Error('At least one validator must be provided');
     }
 
-    this.#validators = validators;
+    this.validators = validators;
   }
 
   async validateTx(tx: T): Promise<TxValidationResult> {
-    const aggregate: { result: string; reason?: string[] } = { result: 'valid', reason: [] };
-    for (const validator of this.#validators) {
+    const reasons: string[] = [];
+    for (const validator of this.validators) {
       const result = await validator.validateTx(tx);
       if (result.result === 'invalid') {
-        aggregate.result = 'invalid';
-        aggregate.reason!.push(...result.reason);
-      } else if (result.result === 'skipped') {
-        if (aggregate.result === 'valid') {
-          aggregate.result = 'skipped';
-        }
-        aggregate.reason!.push(...result.reason);
+        reasons.push(...result.reason);
       }
     }
-    if (aggregate.result === 'valid') {
-      delete aggregate.reason;
-    }
-    return aggregate as TxValidationResult;
+    return reasons.length > 0 ? { result: 'invalid', reason: reasons } : { result: 'valid' };
   }
 }

package/src/msg_validators/tx_validator/allowed_public_setup.ts

@@ -1,35 +1,30 @@
-import { FPCContract } from '@aztec/noir-contracts.js/FPC';
-import { TokenContractArtifact } from '@aztec/noir-contracts.js/Token';
 import { ProtocolContractAddress } from '@aztec/protocol-contracts';
-import { getContractClassFromArtifact } from '@aztec/stdlib/contract';
+import { FeeJuiceArtifact } from '@aztec/protocol-contracts/fee-juice';
+import { AuthRegistryArtifact, STANDARD_AUTH_REGISTRY_ADDRESS } from '@aztec/standard-contracts/auth-registry';
 import type { AllowedElement } from '@aztec/stdlib/interfaces/server';
 
-let defaultAllowedSetupFunctions: AllowedElement[] | undefined = undefined;
+import { buildAllowedElement } from './allowed_setup_helpers.js';
+
+let defaultAllowedSetupFunctions: AllowedElement[] | undefined;
+
+/** Returns the default list of functions allowed to run in the setup phase of a transaction. */
 export async function getDefaultAllowedSetupFunctions(): Promise<AllowedElement[]> {
   if (defaultAllowedSetupFunctions === undefined) {
-    defaultAllowedSetupFunctions = [
-      // needed for authwit support
-      {
-        address: ProtocolContractAddress.AuthRegistry,
-      },
-      // needed for claiming on the same tx as a spend
-      {
-        address: ProtocolContractAddress.FeeJuice,
-        // We can't restrict the selector because public functions get routed via dispatch.
-        // selector: FunctionSelector.fromSignature('_increase_public_balance((Field),u128)'),
-      },
-      // needed for private transfers via FPC
-      {
-        classId: (await getContractClassFromArtifact(TokenContractArtifact)).id,
-        // We can't restrict the selector because public functions get routed via dispatch.
-        // selector: FunctionSelector.fromSignature('_increase_public_balance((Field),u128)'),
-      },
-      {
-        classId: (await getContractClassFromArtifact(FPCContract.artifact)).id,
-        // We can't restrict the selector because public functions get routed via dispatch.
-        // selector: FunctionSelector.fromSignature('prepare_fee((Field),Field,(Field),Field)'),
-      },
-    ];
+    defaultAllowedSetupFunctions = await Promise.all([
+      // AuthRegistry: needed for authwit support via private path (set_authorized_private enqueues _set_authorized)
+      buildAllowedElement(AuthRegistryArtifact, { address: STANDARD_AUTH_REGISTRY_ADDRESS }, '_set_authorized', {
+        onlySelf: true,
+        rejectNullMsgSender: true,
+      }),
+      // AuthRegistry: needed for authwit support via public path (PublicFeePaymentMethod calls set_authorized directly)
+      buildAllowedElement(AuthRegistryArtifact, { address: STANDARD_AUTH_REGISTRY_ADDRESS }, 'set_authorized', {
+        rejectNullMsgSender: true,
+      }),
+      // FeeJuice: needed for claiming on the same tx as a spend (claim_and_end_setup enqueues this)
+      buildAllowedElement(FeeJuiceArtifact, { address: ProtocolContractAddress.FeeJuice }, '_increase_public_balance', {
+        onlySelf: true,
+      }),
+    ]);
   }
   return defaultAllowedSetupFunctions;
 }

package/src/msg_validators/tx_validator/allowed_setup_helpers.ts

@@ -0,0 +1,31 @@
+import type { Fr } from '@aztec/foundation/curves/bn254';
+import { FunctionSelector, countArgumentsSize, getAllFunctionAbis } from '@aztec/stdlib/abi';
+import type { ContractArtifact } from '@aztec/stdlib/abi';
+import type { AztecAddress } from '@aztec/stdlib/aztec-address';
+import type { AllowedElement } from '@aztec/stdlib/interfaces/server';
+
+/**
+ * Builds an AllowedElement from a contract artifact, deriving both the function selector
+ * and calldata length from the artifact instead of hardcoding signature strings.
+ */
+export async function buildAllowedElement(
+  artifact: ContractArtifact,
+  target: { address: AztecAddress } | { classId: Fr },
+  functionName: string,
+  opts?: { onlySelf?: boolean; rejectNullMsgSender?: boolean },
+): Promise<AllowedElement> {
+  const allFunctions = getAllFunctionAbis(artifact);
+  const fn = allFunctions.find(f => f.name === functionName);
+  if (!fn) {
+    throw new Error(`Unknown function ${functionName} in artifact ${artifact.name}`);
+  }
+  const selector = await FunctionSelector.fromNameAndParameters(fn.name, fn.parameters);
+  const calldataLength = 1 + countArgumentsSize(fn);
+  return {
+    ...target,
+    selector,
+    calldataLength,
+    ...(opts?.onlySelf ? { onlySelf: true } : {}),
+    ...(opts?.rejectNullMsgSender ? { rejectNullMsgSender: true } : {}),
+  } as AllowedElement;
+}

package/src/msg_validators/tx_validator/archive_cache.ts

@@ -15,7 +15,7 @@ export class ArchiveCache implements ArchiveSource {
   }
 
   public async getArchiveIndices(archives: BlockHash[]): Promise<(bigint | undefined)[]> {
-    const toCheckDb = archives.filter(n => !this.archives.has(n.toString())).map(n => n.toFr());
+    const toCheckDb = archives.filter(n => !this.archives.has(n.toString()));
     const dbHits = await this.db.findLeafIndices(MerkleTreeId.ARCHIVE, toCheckDb);
     dbHits.forEach((x, index) => {
       if (x !== undefined) {

package/src/msg_validators/tx_validator/cached_tx_validator.ts

@@ -0,0 +1,31 @@
+import type { Tx, TxValidationResult, TxValidator } from '@aztec/stdlib/tx';
+
+import type { ITxValidationCache } from './tx_validation_cache.js';
+
+/** Wraps a {@link TxValidator} to cache its results in a shared {@link ITxValidationCache}. */
+export class CachedTxValidator<T extends Tx> implements TxValidator<T> {
+  constructor(
+    private readonly inner: TxValidator<T>,
+    private readonly validatorSymbol: symbol,
+    private readonly cache: ITxValidationCache,
+  ) {}
+
+  public static new<T extends Tx>(
+    inner: TxValidator<T> & { identifier: symbol },
+    cache?: ITxValidationCache,
+  ): TxValidator<T> {
+    return CachedTxValidator.newWithIdentifier(inner, inner.identifier, cache);
+  }
+
+  public static newWithIdentifier<T extends Tx>(
+    inner: TxValidator<T>,
+    identifier: symbol,
+    cache?: ITxValidationCache,
+  ): TxValidator<T> {
+    return cache ? new CachedTxValidator(inner, identifier, cache) : inner;
+  }
+
+  public validateTx(tx: T): Promise<TxValidationResult> {
+    return this.cache.getOrValidate(this.validatorSymbol, tx, () => this.inner.validateTx(tx));
+  }
+}

package/src/msg_validators/tx_validator/contract_instance_validator.ts

@@ -0,0 +1,56 @@
+import { type Logger, type LoggerBindings, createLogger } from '@aztec/foundation/log';
+import { ContractInstancePublishedEvent } from '@aztec/protocol-contracts/instance-registry';
+import { computeContractAddressFromInstance } from '@aztec/stdlib/contract';
+import {
+  TX_ERROR_INCORRECT_CONTRACT_ADDRESS,
+  TX_ERROR_MALFORMED_CONTRACT_INSTANCE_LOG,
+  type Tx,
+  type TxValidationResult,
+  type TxValidator,
+} from '@aztec/stdlib/tx';
+
+/** Validates that contract instance deployment logs contain correct addresses. */
+export class ContractInstanceTxValidator implements TxValidator<Tx> {
+  #log: Logger;
+
+  constructor(bindings?: LoggerBindings) {
+    this.#log = createLogger('p2p:tx_validator:contract_instance', bindings);
+  }
+
+  async validateTx(tx: Tx): Promise<TxValidationResult> {
+    const reason = await this.#hasCorrectContractInstanceAddresses(tx);
+    return reason ? { result: 'invalid', reason: [reason] } : { result: 'valid' };
+  }
+
+  async #hasCorrectContractInstanceAddresses(tx: Tx): Promise<string | undefined> {
+    const privateLogs = tx.data.getNonEmptyPrivateLogs();
+    for (const log of privateLogs) {
+      if (!ContractInstancePublishedEvent.isContractInstancePublishedEvent(log)) {
+        continue;
+      }
+
+      let event;
+      try {
+        event = ContractInstancePublishedEvent.fromLog(log);
+      } catch (e) {
+        this.#log.warn(`Rejecting tx ${tx.getTxHash()}: failed to parse contract instance event: ${e}`);
+        return TX_ERROR_MALFORMED_CONTRACT_INSTANCE_LOG;
+      }
+
+      try {
+        const instance = event.toContractInstance();
+        const computedAddress = await computeContractAddressFromInstance(instance);
+        if (!computedAddress.equals(instance.address)) {
+          this.#log.warn(
+            `Rejecting tx ${tx.getTxHash()}: contract instance address mismatch. Claimed ${instance.address}, computed ${computedAddress}`,
+          );
+          return TX_ERROR_INCORRECT_CONTRACT_ADDRESS;
+        }
+      } catch (e) {
+        this.#log.warn(`Rejecting tx ${tx.getTxHash()}: failed to compute contract instance address: ${e}`);
+        return TX_ERROR_MALFORMED_CONTRACT_INSTANCE_LOG;
+      }
+    }
+    return undefined;
+  }
+}

package/src/msg_validators/tx_validator/data_validator.ts

@@ -1,5 +1,7 @@
 import { MAX_FR_CALLDATA_TO_ALL_ENQUEUED_CALLS } from '@aztec/constants';
 import { type Logger, type LoggerBindings, createLogger } from '@aztec/foundation/log';
+import { ContractClassPublishedEvent } from '@aztec/protocol-contracts/class-registry';
+import { computeContractClassId } from '@aztec/stdlib/contract';
 import { computeCalldataHash } from '@aztec/stdlib/hash';
 import {
   TX_ERROR_CALLDATA_COUNT_MISMATCH,
@@ -9,13 +11,17 @@ import {
   TX_ERROR_CONTRACT_CLASS_LOG_LENGTH,
   TX_ERROR_CONTRACT_CLASS_LOG_SORTING,
   TX_ERROR_INCORRECT_CALLDATA,
+  TX_ERROR_INCORRECT_CONTRACT_CLASS_ID,
   TX_ERROR_INCORRECT_HASH,
+  TX_ERROR_MALFORMED_CONTRACT_CLASS_LOG,
   Tx,
   type TxValidationResult,
   type TxValidator,
 } from '@aztec/stdlib/tx';
 
 export class DataTxValidator implements TxValidator<Tx> {
+  public readonly identifier: symbol = Symbol('DataTxValidator');
+
   #log: Logger;
 
   constructor(bindings?: LoggerBindings) {
@@ -26,7 +32,8 @@ export class DataTxValidator implements TxValidator<Tx> {
     const reason =
       (await this.#hasCorrectHash(tx)) ??
       (await this.#hasCorrectCalldata(tx)) ??
-      (await this.#hasCorrectContractClassLogs(tx));
+      (await this.#hasCorrectContractClassLogs(tx)) ??
+      (await this.#hasCorrectContractClassIds(tx));
     return reason ? { result: 'invalid', reason: [reason] } : { result: 'valid' };
   }
 
@@ -127,4 +134,40 @@ export class DataTxValidator implements TxValidator<Tx> {
 
     return undefined;
   }
+
+  async #hasCorrectContractClassIds(tx: Tx): Promise<string | undefined> {
+    const contractClassLogs = tx.getContractClassLogs();
+    for (const log of contractClassLogs) {
+      if (!ContractClassPublishedEvent.isContractClassPublishedEvent(log)) {
+        continue;
+      }
+
+      let event;
+      try {
+        event = ContractClassPublishedEvent.fromLog(log);
+      } catch (e) {
+        this.#log.warn(`Rejecting tx ${tx.getTxHash()}: failed to parse contract class event: ${e}`);
+        return TX_ERROR_MALFORMED_CONTRACT_CLASS_LOG;
+      }
+
+      try {
+        const { publicBytecodeCommitment } = await event.toContractClassPublicWithBytecodeCommitment();
+        const computedClassId = await computeContractClassId({
+          artifactHash: event.artifactHash,
+          privateFunctionsRoot: event.privateFunctionsRoot,
+          publicBytecodeCommitment,
+        });
+        if (!computedClassId.equals(event.contractClassId)) {
+          this.#log.warn(
+            `Rejecting tx ${tx.getTxHash()}: contract class id mismatch. Claimed ${event.contractClassId}, computed ${computedClassId}`,
+          );
+          return TX_ERROR_INCORRECT_CONTRACT_CLASS_ID;
+        }
+      } catch (e) {
+        this.#log.warn(`Rejecting tx ${tx.getTxHash()}: failed to compute contract class id: ${e}`);
+        return TX_ERROR_MALFORMED_CONTRACT_CLASS_LOG;
+      }
+    }
+    return undefined;
+  }
 }