@aztec/pxe 0.0.1-commit.35158ae7e → 0.0.1-commit.3750d92a7

package/src/logs/log_service.ts

@@ -1,22 +1,13 @@
-import type { Fr } from '@aztec/foundation/curves/bn254';
 import { type Logger, type LoggerBindings, createLogger } from '@aztec/foundation/log';
 import type { KeyStore } from '@aztec/key-store';
 import { AztecAddress } from '@aztec/stdlib/aztec-address';
 import type { AztecNode } from '@aztec/stdlib/interfaces/server';
-import {
-  ExtendedDirectionalAppTaggingSecret,
-  PendingTaggedLog,
-  SiloedTag,
-  Tag,
-  TxScopedL2Log,
-} from '@aztec/stdlib/logs';
+import { ExtendedDirectionalAppTaggingSecret, PendingTaggedLog, SiloedTag, Tag } from '@aztec/stdlib/logs';
 import type { BlockHeader } from '@aztec/stdlib/tx';
 
-import type { AccessScopes } from '../access_scopes.js';
 import type { LogRetrievalRequest } from '../contract_function_simulator/noir-structs/log_retrieval_request.js';
 import { LogRetrievalResponse } from '../contract_function_simulator/noir-structs/log_retrieval_response.js';
 import { AddressStore } from '../storage/address_store/address_store.js';
-import { CapsuleStore } from '../storage/capsule_store/capsule_store.js';
 import type { RecipientTaggingStore } from '../storage/tagging_store/recipient_tagging_store.js';
 import type { SenderAddressBookStore } from '../storage/tagging_store/sender_address_book_store.js';
 import {
@@ -32,7 +23,6 @@ export class LogService {
     private readonly aztecNode: AztecNode,
     private readonly anchorBlockHeader: BlockHeader,
     private readonly keyStore: KeyStore,
-    private readonly capsuleStore: CapsuleStore,
     private readonly recipientTaggingStore: RecipientTaggingStore,
     private readonly senderAddressBookStore: SenderAddressBookStore,
     private readonly addressStore: AddressStore,
@@ -42,7 +32,16 @@ export class LogService {
     this.log = createLogger('pxe:log_service', bindings);
   }
 
-  public async bulkRetrieveLogs(logRetrievalRequests: LogRetrievalRequest[]): Promise<(LogRetrievalResponse | null)[]> {
+  public async fetchLogsByTag(
+    contractAddress: AztecAddress,
+    logRetrievalRequests: LogRetrievalRequest[],
+  ): Promise<(LogRetrievalResponse | null)[]> {
+    for (const request of logRetrievalRequests) {
+      if (!contractAddress.equals(request.contractAddress)) {
+        throw new Error(`Got a log retrieval request from ${request.contractAddress}, expected ${contractAddress}`);
+      }
+    }
+
     return await Promise.all(
       logRetrievalRequests.map(async request => {
         const [publicLog, privateLog] = await Promise.all([
@@ -51,8 +50,8 @@ export class LogService {
         ]);
 
         if (publicLog !== null && privateLog !== null) {
-          throw new Error(
-            `Found both a public and private log when searching for tag ${request.tag} from contract ${request.contractAddress}`,
+          this.log.warn(
+            `Found both a public and private log for tag ${request.tag} from contract ${request.contractAddress}. This may indicate a contract bug. Returning the public log.`,
           );
         }
 
@@ -74,9 +73,8 @@ export class LogService {
     if (logsForTag.length === 0) {
       return null;
     } else if (logsForTag.length > 1) {
-      // TODO(#11627): handle this case
-      throw new Error(
-        `Got ${logsForTag.length} logs for tag ${tag} and contract ${contractAddress.toString()}. getPublicLogByTag currently only supports a single log per tag`,
+      this.log.warn(
+        `Expected at most 1 public log for tag ${tag} and contract ${contractAddress.toString()}, got ${logsForTag.length}. This may indicate a contract bug. Returning the first log.`,
       );
     }
 
@@ -98,9 +96,8 @@ export class LogService {
     if (logsForTag.length === 0) {
       return null;
     } else if (logsForTag.length > 1) {
-      // TODO(#11627): handle this case
-      throw new Error(
-        `Got ${logsForTag.length} logs for tag ${siloedTag}. getPrivateLogByTag currently only supports a single log per tag`,
+      this.log.warn(
+        `Expected at most 1 private log for tag ${siloedTag}, got ${logsForTag.length}. This may indicate a contract bug. Returning the first log.`,
       );
     }
 
@@ -114,46 +111,36 @@ export class LogService {
     );
   }
 
-  public async fetchTaggedLogs(contractAddress: AztecAddress, pendingTaggedLogArrayBaseSlot: Fr, scopes: AccessScopes) {
+  public async fetchTaggedLogs(contractAddress: AztecAddress, recipient: AztecAddress): Promise<PendingTaggedLog[]> {
     this.log.verbose(`Fetching tagged logs for ${contractAddress.toString()}`);
 
     // We only load logs from block up to and including the anchor block number
     const anchorBlockNumber = this.anchorBlockHeader.getBlockNumber();
     const anchorBlockHash = await this.anchorBlockHeader.hash();
 
-    // Determine recipients: use scopes if provided, otherwise get all accounts
-    const recipients = scopes !== 'ALL_SCOPES' && scopes.length > 0 ? scopes : await this.keyStore.getAccounts();
-
-    // For each recipient, fetch secrets, load logs, and store them.
-    // We run these per-recipient tasks in parallel so that logs are loaded for all recipients concurrently.
-    await Promise.all(
-      recipients.map(async recipient => {
-        // Get all secrets for this recipient (one per sender)
-        const secrets = await this.#getSecretsForSenders(contractAddress, recipient);
-
-        // Load logs for all sender-recipient pairs in parallel
-        const logArrays = await Promise.all(
-          secrets.map(secret =>
-            loadPrivateLogsForSenderRecipientPair(
-              secret,
-              this.aztecNode,
-              this.recipientTaggingStore,
-              anchorBlockNumber,
-              anchorBlockHash,
-              this.jobId,
-            ),
-          ),
-        );
-
-        // Flatten all logs from all secrets
-        const allLogs = logArrays.flat();
-
-        // Store the logs for this recipient
-        if (allLogs.length > 0) {
-          await this.#storePendingTaggedLogs(contractAddress, pendingTaggedLogArrayBaseSlot, recipient, allLogs);
-        }
-      }),
+    // Get all secrets for this recipient (one per sender)
+    const secrets = await this.#getSecretsForSenders(contractAddress, recipient);
+
+    // Load logs for all sender-recipient pairs in parallel
+    const logArrays = await Promise.all(
+      secrets.map(secret =>
+        loadPrivateLogsForSenderRecipientPair(
+          secret,
+          this.aztecNode,
+          this.recipientTaggingStore,
+          anchorBlockNumber,
+          anchorBlockHash,
+          this.jobId,
+        ),
+      ),
     );
+
+    return logArrays
+      .flat()
+      .map(
+        scopedLog =>
+          new PendingTaggedLog(scopedLog.logData, scopedLog.txHash, scopedLog.noteHashes, scopedLog.firstNullifier),
+      );
   }
 
   async #getSecretsForSenders(
@@ -176,38 +163,24 @@ export class LogService {
     );
 
     return Promise.all(
-      deduplicatedSenders.map(sender => {
-        return ExtendedDirectionalAppTaggingSecret.compute(
+      deduplicatedSenders.map(async sender => {
+        const secret = await ExtendedDirectionalAppTaggingSecret.compute(
           recipientCompleteAddress,
           recipientIvsk,
           sender,
           contractAddress,
           recipient,
         );
-      }),
-    );
-  }
-
-  #storePendingTaggedLogs(
-    contractAddress: AztecAddress,
-    capsuleArrayBaseSlot: Fr,
-    recipient: AztecAddress,
-    privateLogs: TxScopedL2Log[],
-  ) {
-    // Build all pending tagged logs from the scoped logs
-    const pendingTaggedLogs = privateLogs.map(scopedLog => {
-      const pendingTaggedLog = new PendingTaggedLog(
-        scopedLog.logData,
-        scopedLog.txHash,
-        scopedLog.noteHashes,
-        scopedLog.firstNullifier,
-        recipient,
-      );
 
-      return pendingTaggedLog.toFields();
-    });
+        if (!secret) {
+          // Note that all senders originate from either the SenderAddressBookStore or the KeyStore.
+          throw new Error(
+            `Failed to compute a tagging secret for sender ${sender} - this implies this is an invalid address, which should not happen as they have been previously registered in PXE.`,
+          );
+        }
 
-    // TODO: This looks like it could belong more at the oracle interface level
-    return this.capsuleStore.appendToCapsuleArray(contractAddress, capsuleArrayBaseSlot, pendingTaggedLogs, this.jobId);
+        return secret;
+      }),
+    );
   }
 }

package/src/messages/message_context_service.ts

@@ -1,9 +1,8 @@
 import { Fr } from '@aztec/foundation/curves/bn254';
 import type { AztecNode } from '@aztec/stdlib/interfaces/server';
+import { MessageContext } from '@aztec/stdlib/logs';
 import { TxHash } from '@aztec/stdlib/tx';
 
-import { MessageTxContext } from '../contract_function_simulator/noir-structs/message_tx_context.js';
-
 /** Resolves transaction hashes into the context needed to process messages. */
 export class MessageContextService {
   constructor(private readonly aztecNode: AztecNode) {}
@@ -15,7 +14,7 @@ export class MessageContextService {
    * process messages that originated from that transaction. Returns `null` for tx hashes that are zero, not yet
    * available, or in blocks beyond the anchor block.
    */
-  resolveMessageContexts(txHashes: Fr[], anchorBlockNumber: number): Promise<(MessageTxContext | null)[]> {
+  getMessageContextsByTxHash(txHashes: Fr[], anchorBlockNumber: number): Promise<(MessageContext | null)[]> {
     // TODO: optimize, we might be hitting the node to get the same txHash repeatedly
     return Promise.all(
       txHashes.map(async txHashField => {
@@ -38,7 +37,7 @@ export class MessageContextService {
           throw new Error(`Tx effect for ${txHash} has no nullifiers`);
         }
 
-        return new MessageTxContext(data.txHash, data.noteHashes, data.nullifiers[0]);
+        return new MessageContext(data.txHash, data.noteHashes, data.nullifiers[0]);
       }),
     );
   }

package/src/notes/note_service.ts

@@ -7,7 +7,6 @@ import { Note, NoteDao, NoteStatus } from '@aztec/stdlib/note';
 import { MerkleTreeId } from '@aztec/stdlib/trees';
 import type { BlockHeader, TxHash } from '@aztec/stdlib/tx';
 
-import type { AccessScopes } from '../access_scopes.js';
 import type { NoteStore } from '../storage/note_store/note_store.js';
 
 export class NoteService {
@@ -32,7 +31,7 @@ export class NoteService {
     owner: AztecAddress | undefined,
     storageSlot: Fr,
     status: NoteStatus,
-    scopes: AccessScopes,
+    scopes: AztecAddress[],
   ) {
     const noteDaos = await this.noteStore.getNotes(
       {
@@ -71,7 +70,7 @@ export class NoteService {
    *
    * @param contractAddress - The contract whose notes should be checked and nullified.
    */
-  public async syncNoteNullifiers(contractAddress: AztecAddress, scopes: AccessScopes): Promise<void> {
+  public async syncNoteNullifiers(contractAddress: AztecAddress, scopes: AztecAddress[]): Promise<void> {
     const anchorBlockHash = await this.anchorBlockHeader.hash();
 
     const contractNotes = await this.noteStore.getNotes({ contractAddress, scopes }, this.jobId);
@@ -121,7 +120,7 @@ export class NoteService {
     noteHash: Fr,
     nullifier: Fr,
     txHash: TxHash,
-    recipient: AztecAddress,
+    scope: AztecAddress,
   ): Promise<void> {
     // We are going to store the new note in the NoteStore, which will let us later return it via `getNotes`.
     // There's two things we need to check before we do this however:
@@ -155,16 +154,28 @@ export class NoteService {
       this.aztecNode.findLeavesIndexes(anchorBlockHash, MerkleTreeId.NULLIFIER_TREE, [siloedNullifier]),
     ]);
     if (!txEffect) {
-      throw new Error(`Could not find tx effect for tx hash ${txHash}`);
+      // We error out instead of just logging a warning and skipping the note because this would indicate a bug. This
+      // is because the node has already served info about this tx either when obtaining the log (TxScopedL2Log contain
+      // tx info) or when getting metadata for the offchain message (before the message got passed to `process_log`).
+      throw new Error(`Could not find tx effect for tx hash ${txHash} when processing a note.`);
     }
 
     if (txEffect.l2BlockNumber > anchorBlockNumber) {
-      throw new Error(`Could not find tx effect for tx hash ${txHash} as of block number ${anchorBlockNumber}`);
+      // If the message was delivered onchain, this would indicate a bug: log sync should never load logs from blocks
+      // newer than the anchor block. If the note came via an offchain message, it would likely also be a bug, since we
+      // sync a new anchor block before calling `process_message`. For this not to be a bug, the message would need to
+      // come from a newer block than the anchor served by the node, implying the node isn't properly synced.
+      //     We therefore error out here rather than assuming the offchain message was constructed by a malicious
+      // sender with the intention of bricking recipient's PXE (if we assumed that we would just ignore the message).
+      throw new Error(
+        `Obtained a newer tx effect for ${txHash} for a note validation request than the anchor block ${anchorBlockNumber}. This is a bug as we should not ever be processing a note from a newer block than the anchor block.`,
+      );
     }
 
     // Find the index of the note hash in the noteHashes array to determine note ordering within the tx
     const noteIndexInTx = txEffect.data.noteHashes.findIndex(nh => nh.equals(uniqueNoteHash));
     if (noteIndexInTx === -1) {
+      // Similar to the comment above - we error out as this would indicate a bug in nonce discovery.
       throw new Error(`Note hash ${noteHash} (uniqued as ${uniqueNoteHash}) is not present in tx ${txHash}`);
     }
 
@@ -184,8 +195,7 @@ export class NoteService {
       noteIndexInTx,
     );
 
-    // The note was found by `recipient`, so we use that as the scope when storing the note.
-    await this.noteStore.addNotes([noteDao], recipient, this.jobId);
+    await this.noteStore.addNotes([noteDao], scope, this.jobId);
 
     if (nullifierIndex !== undefined) {
       // We found nullifier index which implies that the note has already been nullified.

package/src/notes_filter.ts

@@ -2,8 +2,6 @@ import type { Fr } from '@aztec/foundation/curves/bn254';
 import type { AztecAddress } from '@aztec/stdlib/aztec-address';
 import type { NoteStatus } from '@aztec/stdlib/note';
 
-import type { AccessScopes } from './access_scopes.js';
-
 /**
  * A filter used to fetch notes.
  * @remarks This filter is applied as an intersection of all its params.
@@ -22,5 +20,5 @@ export type NotesFilter = {
   status?: NoteStatus;
   /** The siloed nullifier for the note. */
   siloedNullifier?: Fr;
-  scopes: AccessScopes;
+  scopes: AztecAddress[];
 };

package/src/oracle_version.ts

@@ -1,12 +1,22 @@
-/// The ORACLE_VERSION constant is used to check that the oracle interface is in sync between PXE and Aztec.nr. We need
-/// to version the oracle interface to ensure that developers get a reasonable error message if they use incompatible
-/// versions of Aztec.nr and PXE. The Noir counterpart is in `noir-projects/aztec-nr/aztec/src/oracle/version.nr`.
+/// The oracle version constants are used to check that the oracle interface is in sync between PXE and Aztec.nr.
+/// We version the oracle interface as `major.minor` where:
+///   - `major` = backward-breaking changes (must match exactly between PXE and Aztec.nr)
+///   - `minor` = oracle additions (non-breaking; PXE minor >= contract minor)
 ///
-/// @dev Whenever a contract function or Noir test is run, the `aztec_utl_assertCompatibleOracleVersion` oracle is called
-/// and if the oracle version is incompatible an error is thrown.
-export const ORACLE_VERSION = 18;
+/// The Noir counterparts are in `noir-projects/aztec-nr/aztec/src/oracle/version.nr`.
+///
+/// @dev Whenever a contract function or Noir test is run, the `aztec_utl_assertCompatibleOracleVersion` oracle is called.
+/// If the major version is incompatible, an error is thrown immediately. The minor version is recorded by the PXE and
+/// used to provide helpful error messages if a contract calls an oracle that doesn't exist. We don't throw immediately
+/// if AZTEC_NR_MINOR > PXE_MINOR because if a contract is updated to use a newer Aztec.nr dependency without actually
+/// using any of the new oracles then there is no reason to throw.
+export const ORACLE_VERSION_MAJOR = 22;
+export const ORACLE_VERSION_MINOR = 1;
 
-/// This hash is computed as by hashing the Oracle interface and it is used to detect when the Oracle interface changes,
-/// which in turn implies that you need to update the ORACLE_VERSION constant in this file and in
-/// `noir-projects/aztec-nr/aztec/src/oracle/version.nr`.
-export const ORACLE_INTERFACE_HASH = '57e5b07c6d55fb167ef90f8d0f410f9bdb5b154a31159c624a061be40b02a2c2';
+/// This hash is computed from the Oracle interface and is used to detect when that interface changes. When it does,
+/// you need to either:
+/// - increment `ORACLE_VERSION_MAJOR` and reset `ORACLE_VERSION_MINOR` to zero if the change is breaking, or
+/// - increment only `ORACLE_VERSION_MINOR` if the change is additive (a new oracle was added).
+///
+/// These constants must be kept in sync between this file and `noir-projects/aztec-nr/aztec/src/oracle/version.nr`.
+export const ORACLE_INTERFACE_HASH = 'efafa0db2cc1f94e26d794d0079c8f71115261df0c3d0fa8cb5b64f17a12db92';

package/src/pxe.ts

@@ -52,7 +52,6 @@ import {
 
 import { inspect } from 'util';
 
-import type { AccessScopes } from './access_scopes.js';
 import { BlockSynchronizer } from './block_synchronizer/index.js';
 import type { PXEConfig } from './config/index.js';
 import { BenchmarkedNodeFactory } from './contract_function_simulator/benchmarked_node.js';
@@ -96,7 +95,7 @@ export type ProfileTxOpts = {
   /** If true, proof generation is skipped during profiling. Defaults to true. */
   skipProofGeneration?: boolean;
   /** Addresses whose private state and keys are accessible during private execution. */
-  scopes: AccessScopes;
+  scopes: AztecAddress[];
 };
 
 /** Options for PXE.simulateTx. */
@@ -112,7 +111,7 @@ export type SimulateTxOpts = {
   /** State overrides for the simulation, such as contract instances and artifacts. Requires skipKernels: true */
   overrides?: SimulationOverrides;
   /** Addresses whose private state and keys are accessible during private execution */
-  scopes: AccessScopes;
+  scopes: AztecAddress[];
 };
 
 /** Options for PXE.executeUtility. */
@@ -120,7 +119,7 @@ export type ExecuteUtilityOpts = {
   /** The authentication witnesses required for the function call. */
   authwits?: AuthWitness[];
   /** The accounts whose notes we can access in this call */
-  scopes: AccessScopes;
+  scopes: AztecAddress[];
 };
 
 /** Args for PXE.create. */
@@ -368,7 +367,7 @@ export class PXE {
   async #executePrivate(
     contractFunctionSimulator: ContractFunctionSimulator,
     txRequest: TxExecutionRequest,
-    scopes: AccessScopes,
+    scopes: AztecAddress[],
     jobId: string,
   ): Promise<PrivateExecutionResult> {
     const { origin: contractAddress, functionSelector } = txRequest;
@@ -417,7 +416,7 @@ export class PXE {
     contractFunctionSimulator: ContractFunctionSimulator,
     call: FunctionCall,
     authWitnesses: AuthWitness[] | undefined,
-    scopes: AccessScopes,
+    scopes: AztecAddress[],
     jobId: string,
   ) {
     try {
@@ -502,7 +501,9 @@ export class PXE {
    * @returns The synced block header
    */
   public getSyncedBlockHeader(): Promise<BlockHeader> {
-    return this.anchorBlockStore.getBlockHeader();
+    return this.#putInJobQueue(() => {
+      return this.anchorBlockStore.getBlockHeader();
+    });
   }
 
   /**
@@ -559,6 +560,12 @@ export class PXE {
    * TODO: It's strange that we return the address here and I (benesjan) think we should drop the return value.
    */
   public async registerSender(sender: AztecAddress): Promise<AztecAddress> {
+    if (!(await sender.isValid())) {
+      throw new Error(
+        `Address ${sender} is not valid: it does not correspond to a point on the Grumpkin curve. Cannot register it as a sender.`,
+      );
+    }
+
     const accounts = await this.keyStore.getAccounts();
     if (accounts.includes(sender)) {
       this.log.info(`Sender:\n "${sender.toString()}"\n already registered.`);
@@ -1040,7 +1047,7 @@ export class PXE {
           inspect(txRequest),
           `simulatePublic=${simulatePublic}`,
           `skipTxValidation=${skipTxValidation}`,
-          `scopes=${scopes === 'ALL_SCOPES' ? scopes : scopes.map(s => s.toString()).join(', ')}`,
+          `scopes=${scopes.map(s => s.toString()).join(', ')}`,
         );
       }
     });
@@ -1052,7 +1059,7 @@ export class PXE {
    */
   public executeUtility(
     call: FunctionCall,
-    { authwits, scopes }: ExecuteUtilityOpts = { scopes: 'ALL_SCOPES' },
+    { authwits, scopes }: ExecuteUtilityOpts = { scopes: [] },
   ): Promise<UtilityExecutionResult> {
     // We disable concurrent executions since those might execute oracles which read and write to the PXE stores (e.g.
     // to the capsules), and we need to prevent concurrent runs from interfering with one another (e.g. attempting to
@@ -1110,7 +1117,7 @@ export class PXE {
         throw this.#contextualizeError(
           err,
           `executeUtility ${to}:${name}(${stringifiedArgs})`,
-          `scopes=${scopes === 'ALL_SCOPES' ? scopes : scopes.map(s => s.toString()).join(', ')}`,
+          `scopes=${scopes.map(s => s.toString()).join(', ')}`,
         );
       }
     });

package/src/storage/capsule_store/capsule_service.ts

@@ -0,0 +1,90 @@
+import type { Fr } from '@aztec/foundation/curves/bn254';
+import { AztecAddress } from '@aztec/stdlib/aztec-address';
+import type { Capsule } from '@aztec/stdlib/tx';
+
+import type { CapsuleStore } from './capsule_store.js';
+
+/**
+ * Wraps a CapsuleStore with scope-based access control. Each operation asserts that the requested scope is in the
+ * allowed scopes list before delegating to the underlying store.
+ */
+export class CapsuleService {
+  constructor(
+    private readonly capsuleStore: CapsuleStore,
+    private readonly allowedScopes: AztecAddress[],
+  ) {}
+
+  setCapsule(contractAddress: AztecAddress, slot: Fr, capsule: Fr[], jobId: string, scope: AztecAddress) {
+    assertAllowedScope(scope, this.allowedScopes);
+    this.capsuleStore.setCapsule(contractAddress, slot, capsule, jobId, scope);
+  }
+
+  async getCapsule(
+    contractAddress: AztecAddress,
+    slot: Fr,
+    jobId: string,
+    scope: AztecAddress,
+    transientCapsules?: Capsule[],
+  ): Promise<Fr[] | null> {
+    assertAllowedScope(scope, this.allowedScopes);
+
+    // TODO(#12425): On the following line, the pertinent capsule gets overshadowed by the transient one. Tackle this.
+    const maybeTransientCapsule = transientCapsules?.find(
+      c =>
+        c.contractAddress.equals(contractAddress) &&
+        c.storageSlot.equals(slot) &&
+        (c.scope ?? AztecAddress.ZERO).equals(scope),
+    )?.data;
+
+    return maybeTransientCapsule ?? (await this.capsuleStore.getCapsule(contractAddress, slot, jobId, scope));
+  }
+
+  deleteCapsule(contractAddress: AztecAddress, slot: Fr, jobId: string, scope: AztecAddress) {
+    assertAllowedScope(scope, this.allowedScopes);
+    this.capsuleStore.deleteCapsule(contractAddress, slot, jobId, scope);
+  }
+
+  copyCapsule(
+    contractAddress: AztecAddress,
+    srcSlot: Fr,
+    dstSlot: Fr,
+    numEntries: number,
+    jobId: string,
+    scope: AztecAddress,
+  ): Promise<void> {
+    assertAllowedScope(scope, this.allowedScopes);
+    return this.capsuleStore.copyCapsule(contractAddress, srcSlot, dstSlot, numEntries, jobId, scope);
+  }
+
+  appendToCapsuleArray(
+    contractAddress: AztecAddress,
+    baseSlot: Fr,
+    content: Fr[][],
+    jobId: string,
+    scope: AztecAddress,
+  ): Promise<void> {
+    assertAllowedScope(scope, this.allowedScopes);
+    return this.capsuleStore.appendToCapsuleArray(contractAddress, baseSlot, content, jobId, scope);
+  }
+
+  readCapsuleArray(contractAddress: AztecAddress, baseSlot: Fr, jobId: string, scope: AztecAddress): Promise<Fr[][]> {
+    assertAllowedScope(scope, this.allowedScopes);
+    return this.capsuleStore.readCapsuleArray(contractAddress, baseSlot, jobId, scope);
+  }
+
+  setCapsuleArray(contractAddress: AztecAddress, baseSlot: Fr, content: Fr[][], jobId: string, scope: AztecAddress) {
+    assertAllowedScope(scope, this.allowedScopes);
+    return this.capsuleStore.setCapsuleArray(contractAddress, baseSlot, content, jobId, scope);
+  }
+}
+
+function assertAllowedScope(scope: AztecAddress, allowedScopes: AztecAddress[]) {
+  if (scope.equals(AztecAddress.ZERO)) {
+    return;
+  }
+  if (!allowedScopes.some((allowed: AztecAddress) => allowed.equals(scope))) {
+    throw new Error(
+      `Scope ${scope.toString()} is not in the allowed scopes list: [${allowedScopes.map((s: AztecAddress) => s.toString()).join(', ')}]. See https://docs.aztec.network/errors/10`,
+    );
+  }
+}