@aztec/pxe 0.0.1-commit.e558bd1c → 0.0.1-commit.e5a3663dd

package/src/events/event_service.ts

@@ -1,7 +1,8 @@
 import type { Fr } from '@aztec/foundation/curves/bn254';
+import { createLogger } from '@aztec/foundation/log';
 import type { EventSelector } from '@aztec/stdlib/abi';
 import type { AztecAddress } from '@aztec/stdlib/aztec-address';
-import { siloNullifier } from '@aztec/stdlib/hash';
+import { computePrivateEventCommitment, siloNullifier } from '@aztec/stdlib/hash';
 import type { AztecNode } from '@aztec/stdlib/interfaces/server';
 import type { BlockHeader, TxHash } from '@aztec/stdlib/tx';
 
@@ -13,6 +14,7 @@ export class EventService {
     private readonly aztecNode: AztecNode,
     private readonly privateEventStore: PrivateEventStore,
     private readonly jobId: string,
+    private readonly log = createLogger('pxe:event_service'),
   ) {}
 
   public async validateAndStoreEvent(
@@ -24,6 +26,18 @@ export class EventService {
     txHash: TxHash,
     scope: AztecAddress,
   ): Promise<void> {
+    // Defense-in-depth: the built-in private-event path derives this commitment from content before enqueueing, but
+    // unconstrained PXE-side code (e.g. a custom message handler) can reach this oracle with arbitrary
+    // (content, commitment) pairs. Without this check it could bind arbitrary content to a legitimate tx nullifier,
+    // causing PXE to surface fabricated event data.
+    const recomputedCommitment = await computePrivateEventCommitment(randomness, selector.toField(), content);
+    if (!recomputedCommitment.equals(eventCommitment)) {
+      this.log.warn(
+        `Skipping event whose content does not hash to the provided commitment. contract=${contractAddress}, selector=${selector}, eventCommitment=${eventCommitment}, txHash=${txHash}, recomputedCommitment=${recomputedCommitment}`,
+      );
+      return;
+    }
+
     // While using 'latest' block number would be fine for private events since they cannot be accessed from Aztec.nr
     // (and thus we're less concerned about being ahead of the synced block), we use the synced block number to
     // maintain consistent behavior in the PXE. Additionally, events should never be ahead of the synced block here
@@ -36,19 +50,30 @@ export class EventService {
     const anchorBlockNumber = this.anchorBlockHeader.getBlockNumber();
 
     if (!txEffect) {
-      throw new Error(`Could not find tx effect for tx hash ${txHash}`);
+      // We error out instead of just logging a warning and skipping the event because this would indicate a bug. This
+      // is because the node has already served info about this tx either when obtaining the log (TxScopedL2Log contain
+      // tx info) or when getting metadata for the offchain message (before the message got passed to `process_log`).
+      throw new Error(`Could not find tx effect for tx hash ${txHash} when processing an event.`);
     }
 
     if (txEffect.l2BlockNumber > anchorBlockNumber) {
-      throw new Error(`Could not find tx effect for tx hash ${txHash} as of block number ${anchorBlockNumber}`);
+      // We should never process a message from a tx past the anchor block. If we got here, a preprocessing step made
+      // a mistake.
+      throw new Error(
+        `Obtained a newer tx effect for ${txHash} for an event validation request than the anchor block ${anchorBlockNumber}. This is a bug as smart contracts should not issue event validation requests for events from blocks newer than the anchor block.`,
+      );
     }
 
     // Find the index of the event commitment in the nullifiers array to determine event ordering within the tx
     const eventIndexInTx = txEffect.data.nullifiers.findIndex(n => n.equals(siloedEventCommitment));
     if (eventIndexInTx === -1) {
-      throw new Error(
-        `Event commitment ${eventCommitment} (siloed as ${siloedEventCommitment}) is not present in tx ${txHash}`,
+      // Unlike in NoteService, this might not be a bug since the commitment hasn't been verified yet in the message
+      // processing pipeline. A malformed or malicious message could trigger this condition. Because of this we don't
+      // error out and we just show a warning.
+      this.log.warn(
+        `Skipping event whose commitment is not present in its tx. siloedEventCommitment=${siloedEventCommitment}, contract=${contractAddress}, selector=${selector}, eventCommitment=${eventCommitment}, txHash=${txHash}`,
       );
+      return;
     }
 
     return this.privateEventStore.storePrivateEventLog(

package/src/events/private_event_filter_validator.ts

@@ -1,11 +1,14 @@
 import type { PrivateEventFilter } from '@aztec/aztec.js/wallet';
 import { INITIAL_L2_BLOCK_NUM } from '@aztec/constants';
 import { BlockNumber } from '@aztec/foundation/branded-types';
+import { createLogger } from '@aztec/foundation/log';
 
 import type { PrivateEventStoreFilter } from '../storage/private_event_store/private_event_store.js';
 
 export class PrivateEventFilterValidator {
-  constructor(private lastBlock: BlockNumber) {}
+  private readonly log = createLogger('pxe:private_event_filter_validator');
+
+  constructor(private readonly lastBlock: BlockNumber) {}
 
   validate(filter: PrivateEventFilter): PrivateEventStoreFilter {
     let { fromBlock, toBlock } = filter;
@@ -35,6 +38,23 @@ export class PrivateEventFilterValidator {
       throw new Error('toBlock must be strictly greater than fromBlock');
     }
 
+    // Cap the requested range to the synced block range. Without this, callers that pass a large
+    // toBlock (e.g. Number.MAX_SAFE_INTEGER as a "give me everything" idiom) would silently receive
+    // only the events that happen to be synced and believe they have complete coverage.
+    // We warn + cap rather than throw so callers don't need to query the last synced block before
+    // every request (which would also be unreliable, as the block can advance between the two calls).
+    const syncedUpperBound = BlockNumber(this.lastBlock + 1);
+    if (fromBlock >= syncedUpperBound) {
+      this.log.warn(
+        `Requested fromBlock ${fromBlock} is past last synced block ${this.lastBlock}; no events will be returned until PXE syncs further.`,
+      );
+    } else if (toBlock > syncedUpperBound) {
+      this.log.warn(
+        `Requested toBlock ${toBlock} exceeds last synced block ${this.lastBlock}; capping to ${syncedUpperBound}. Retry once PXE is further synced for complete coverage.`,
+      );
+      toBlock = syncedUpperBound;
+    }
+
     return {
       contractAddress: filter.contractAddress,
       scopes: filter.scopes,

package/src/logs/log_service.ts

@@ -1,16 +1,14 @@
-import type { Fr } from '@aztec/foundation/curves/bn254';
 import { type Logger, type LoggerBindings, createLogger } from '@aztec/foundation/log';
 import type { KeyStore } from '@aztec/key-store';
 import { AztecAddress } from '@aztec/stdlib/aztec-address';
-import type { CompleteAddress } from '@aztec/stdlib/contract';
+import type { L2TipsProvider } from '@aztec/stdlib/block';
 import type { AztecNode } from '@aztec/stdlib/interfaces/server';
-import { DirectionalAppTaggingSecret, PendingTaggedLog, SiloedTag, Tag, TxScopedL2Log } from '@aztec/stdlib/logs';
+import { ExtendedDirectionalAppTaggingSecret, PendingTaggedLog, SiloedTag, Tag } from '@aztec/stdlib/logs';
 import type { BlockHeader } from '@aztec/stdlib/tx';
 
 import type { LogRetrievalRequest } from '../contract_function_simulator/noir-structs/log_retrieval_request.js';
 import { LogRetrievalResponse } from '../contract_function_simulator/noir-structs/log_retrieval_response.js';
 import { AddressStore } from '../storage/address_store/address_store.js';
-import { CapsuleStore } from '../storage/capsule_store/capsule_store.js';
 import type { RecipientTaggingStore } from '../storage/tagging_store/recipient_tagging_store.js';
 import type { SenderAddressBookStore } from '../storage/tagging_store/sender_address_book_store.js';
 import {
@@ -25,8 +23,8 @@ export class LogService {
   constructor(
     private readonly aztecNode: AztecNode,
     private readonly anchorBlockHeader: BlockHeader,
+    private readonly l2TipsStore: L2TipsProvider,
     private readonly keyStore: KeyStore,
-    private readonly capsuleStore: CapsuleStore,
     private readonly recipientTaggingStore: RecipientTaggingStore,
     private readonly senderAddressBookStore: SenderAddressBookStore,
     private readonly addressStore: AddressStore,
@@ -36,17 +34,26 @@ export class LogService {
     this.log = createLogger('pxe:log_service', bindings);
   }
 
-  public async bulkRetrieveLogs(logRetrievalRequests: LogRetrievalRequest[]): Promise<(LogRetrievalResponse | null)[]> {
+  public async fetchLogsByTag(
+    contractAddress: AztecAddress,
+    logRetrievalRequests: LogRetrievalRequest[],
+  ): Promise<(LogRetrievalResponse | null)[]> {
+    for (const request of logRetrievalRequests) {
+      if (!contractAddress.equals(request.contractAddress)) {
+        throw new Error(`Got a log retrieval request from ${request.contractAddress}, expected ${contractAddress}`);
+      }
+    }
+
     return await Promise.all(
       logRetrievalRequests.map(async request => {
         const [publicLog, privateLog] = await Promise.all([
           this.#getPublicLogByTag(request.tag, request.contractAddress),
-          this.#getPrivateLogByTag(await SiloedTag.compute(request.tag, request.contractAddress)),
+          this.#getPrivateLogByTag(await SiloedTag.computeFromTagAndApp(request.tag, request.contractAddress)),
         ]);
 
         if (publicLog !== null && privateLog !== null) {
-          throw new Error(
-            `Found both a public and private log when searching for tag ${request.tag} from contract ${request.contractAddress}`,
+          this.log.warn(
+            `Found both a public and private log for tag ${request.tag} from contract ${request.contractAddress}. This may indicate a contract bug. Returning the public log.`,
           );
         }
 
@@ -68,9 +75,8 @@ export class LogService {
     if (logsForTag.length === 0) {
       return null;
     } else if (logsForTag.length > 1) {
-      // TODO(#11627): handle this case
-      throw new Error(
-        `Got ${logsForTag.length} logs for tag ${tag} and contract ${contractAddress.toString()}. getPublicLogByTag currently only supports a single log per tag`,
+      this.log.warn(
+        `Expected at most 1 public log for tag ${tag} and contract ${contractAddress.toString()}, got ${logsForTag.length}. This may indicate a contract bug. Returning the first log.`,
       );
     }
 
@@ -92,9 +98,8 @@ export class LogService {
     if (logsForTag.length === 0) {
       return null;
     } else if (logsForTag.length > 1) {
-      // TODO(#11627): handle this case
-      throw new Error(
-        `Got ${logsForTag.length} logs for tag ${siloedTag}. getPrivateLogByTag currently only supports a single log per tag`,
+      this.log.warn(
+        `Expected at most 1 private log for tag ${siloedTag}, got ${logsForTag.length}. This may indicate a contract bug. Returning the first log.`,
       );
     }
 
@@ -108,58 +113,50 @@ export class LogService {
     );
   }
 
-  public async fetchTaggedLogs(
-    contractAddress: AztecAddress,
-    pendingTaggedLogArrayBaseSlot: Fr,
-    scopes?: AztecAddress[],
-  ) {
+  public async fetchTaggedLogs(contractAddress: AztecAddress, recipient: AztecAddress): Promise<PendingTaggedLog[]> {
     this.log.verbose(`Fetching tagged logs for ${contractAddress.toString()}`);
 
     // We only load logs from block up to and including the anchor block number
     const anchorBlockNumber = this.anchorBlockHeader.getBlockNumber();
     const anchorBlockHash = await this.anchorBlockHeader.hash();
 
-    // Determine recipients: use scopes if provided, otherwise get all accounts
-    const recipients = scopes && scopes.length > 0 ? scopes : await this.keyStore.getAccounts();
-
-    // For each recipient, fetch secrets, load logs, and store them.
-    // We run these per-recipient tasks in parallel so that logs are loaded for all recipients concurrently.
-    await Promise.all(
-      recipients.map(async recipient => {
-        // Get all secrets for this recipient (one per sender)
-        const secrets = await this.#getSecretsForSenders(contractAddress, recipient);
-
-        // Load logs for all sender-recipient pairs in parallel
-        const logArrays = await Promise.all(
-          secrets.map(secret =>
-            loadPrivateLogsForSenderRecipientPair(
-              secret,
-              contractAddress,
-              this.aztecNode,
-              this.recipientTaggingStore,
-              anchorBlockNumber,
-              anchorBlockHash,
-              this.jobId,
-            ),
-          ),
-        );
-
-        // Flatten all logs from all secrets
-        const allLogs = logArrays.flat();
-
-        // Store the logs for this recipient
-        if (allLogs.length > 0) {
-          await this.#storePendingTaggedLogs(contractAddress, pendingTaggedLogArrayBaseSlot, recipient, allLogs);
-        }
-      }),
+    const l2Tips = await this.l2TipsStore.getL2Tips();
+    const currentTimestamp = this.anchorBlockHeader.globalVariables.timestamp;
+    // Get all secrets for this recipient (one per sender)
+    const secrets = await this.#getSecretsForSenders(contractAddress, recipient);
+
+    // Load logs for all sender-recipient pairs in parallel
+    const logArrays = await Promise.all(
+      secrets.map(secret =>
+        loadPrivateLogsForSenderRecipientPair(
+          secret,
+          this.aztecNode,
+          this.recipientTaggingStore,
+          anchorBlockNumber,
+          anchorBlockHash,
+          currentTimestamp,
+          l2Tips.finalized.block.number,
+          this.jobId,
+        ),
+      ),
     );
+
+    return logArrays
+      .flat()
+      .map(
+        scopedLog =>
+          new PendingTaggedLog(scopedLog.logData, scopedLog.txHash, scopedLog.noteHashes, scopedLog.firstNullifier),
+      );
   }
 
   async #getSecretsForSenders(
     contractAddress: AztecAddress,
     recipient: AztecAddress,
-  ): Promise<DirectionalAppTaggingSecret[]> {
-    const recipientCompleteAddress = await this.#getCompleteAddress(recipient);
+  ): Promise<ExtendedDirectionalAppTaggingSecret[]> {
+    const recipientCompleteAddress = await this.addressStore.getCompleteAddress(recipient);
+    if (!recipientCompleteAddress) {
+      return [];
+    }
     const recipientIvsk = await this.keyStore.getMasterIncomingViewingSecretKey(recipient);
 
     // We implicitly add all PXE accounts as senders, this helps us decrypt tags on notes that we send to ourselves
@@ -172,49 +169,24 @@ export class LogService {
     );
 
     return Promise.all(
-      deduplicatedSenders.map(sender => {
-        return DirectionalAppTaggingSecret.compute(
+      deduplicatedSenders.map(async sender => {
+        const secret = await ExtendedDirectionalAppTaggingSecret.compute(
           recipientCompleteAddress,
           recipientIvsk,
           sender,
           contractAddress,
           recipient,
         );
-      }),
-    );
-  }
-
-  #storePendingTaggedLogs(
-    contractAddress: AztecAddress,
-    capsuleArrayBaseSlot: Fr,
-    recipient: AztecAddress,
-    privateLogs: TxScopedL2Log[],
-  ) {
-    // Build all pending tagged logs from the scoped logs
-    const pendingTaggedLogs = privateLogs.map(scopedLog => {
-      const pendingTaggedLog = new PendingTaggedLog(
-        scopedLog.logData,
-        scopedLog.txHash,
-        scopedLog.noteHashes,
-        scopedLog.firstNullifier,
-        recipient,
-      );
 
-      return pendingTaggedLog.toFields();
-    });
-
-    // TODO: This looks like it could belong more at the oracle interface level
-    return this.capsuleStore.appendToCapsuleArray(contractAddress, capsuleArrayBaseSlot, pendingTaggedLogs, this.jobId);
-  }
+        if (!secret) {
+          // Note that all senders originate from either the SenderAddressBookStore or the KeyStore.
+          throw new Error(
+            `Failed to compute a tagging secret for sender ${sender} - this implies this is an invalid address, which should not happen as they have been previously registered in PXE.`,
+          );
+        }
 
-  async #getCompleteAddress(account: AztecAddress): Promise<CompleteAddress> {
-    const completeAddress = await this.addressStore.getCompleteAddress(account);
-    if (!completeAddress) {
-      throw new Error(
-        `No public key registered for address ${account}.
-				Register it by calling pxe.addAccount(...).\nSee docs for context: https://docs.aztec.network/developers/resources/debugging/aztecnr-errors#simulation-error-no-public-key-registered-for-address-0x0-register-it-by-calling-pxeregisterrecipient-or-pxeregisteraccount`,
-      );
-    }
-    return completeAddress;
+        return secret;
+      }),
+    );
   }
 }

package/src/messages/message_context_service.ts

@@ -0,0 +1,44 @@
+import { Fr } from '@aztec/foundation/curves/bn254';
+import type { AztecNode } from '@aztec/stdlib/interfaces/server';
+import { MessageContext } from '@aztec/stdlib/logs';
+import { TxHash } from '@aztec/stdlib/tx';
+
+/** Resolves transaction hashes into the context needed to process messages. */
+export class MessageContextService {
+  constructor(private readonly aztecNode: AztecNode) {}
+
+  /**
+   * Resolves a list of tx hashes into their message contexts.
+   *
+   * For each tx hash, looks up the corresponding tx effect and extracts the note hashes and first nullifier needed to
+   * process messages that originated from that transaction. Returns `null` for tx hashes that are zero, not yet
+   * available, or in blocks beyond the anchor block.
+   */
+  getMessageContextsByTxHash(txHashes: Fr[], anchorBlockNumber: number): Promise<(MessageContext | null)[]> {
+    // TODO: optimize, we might be hitting the node to get the same txHash repeatedly
+    return Promise.all(
+      txHashes.map(async txHashField => {
+        // A zero tx hash indicates a tx-less offchain message (e.g. one not tied to any onchain transaction).
+        // These messages don't have a transaction context to resolve, so we return null.
+        if (txHashField.isZero()) {
+          return null;
+        }
+
+        const txHash = TxHash.fromField(txHashField);
+        const txEffect = await this.aztecNode.getTxEffect(txHash);
+        if (!txEffect || txEffect.l2BlockNumber > anchorBlockNumber) {
+          return null;
+        }
+
+        // Every tx has at least one nullifier (the first nullifier derived from the tx hash). Hitting this condition
+        // would mean a buggy node, but since we need to access data.nullifiers[0], the defensive check does no harm.
+        const data = txEffect.data;
+        if (data.nullifiers.length === 0) {
+          throw new Error(`Tx effect for ${txHash} has no nullifiers`);
+        }
+
+        return new MessageContext(data.txHash, data.noteHashes, data.nullifiers[0]);
+      }),
+    );
+  }
+}

package/src/notes/note_service.ts

@@ -31,7 +31,7 @@ export class NoteService {
     owner: AztecAddress | undefined,
     storageSlot: Fr,
     status: NoteStatus,
-    scopes?: AztecAddress[],
+    scopes: AztecAddress[],
   ) {
     const noteDaos = await this.noteStore.getNotes(
       {
@@ -70,10 +70,10 @@ export class NoteService {
    *
    * @param contractAddress - The contract whose notes should be checked and nullified.
    */
-  public async syncNoteNullifiers(contractAddress: AztecAddress): Promise<void> {
+  public async syncNoteNullifiers(contractAddress: AztecAddress, scopes: AztecAddress[]): Promise<void> {
     const anchorBlockHash = await this.anchorBlockHeader.hash();
 
-    const contractNotes = await this.noteStore.getNotes({ contractAddress }, this.jobId);
+    const contractNotes = await this.noteStore.getNotes({ contractAddress, scopes }, this.jobId);
 
     if (contractNotes.length === 0) {
       return;
@@ -120,7 +120,7 @@ export class NoteService {
     noteHash: Fr,
     nullifier: Fr,
     txHash: TxHash,
-    recipient: AztecAddress,
+    scope: AztecAddress,
   ): Promise<void> {
     // We are going to store the new note in the NoteStore, which will let us later return it via `getNotes`.
     // There's two things we need to check before we do this however:
@@ -154,16 +154,28 @@ export class NoteService {
       this.aztecNode.findLeavesIndexes(anchorBlockHash, MerkleTreeId.NULLIFIER_TREE, [siloedNullifier]),
     ]);
     if (!txEffect) {
-      throw new Error(`Could not find tx effect for tx hash ${txHash}`);
+      // We error out instead of just logging a warning and skipping the note because this would indicate a bug. This
+      // is because the node has already served info about this tx either when obtaining the log (TxScopedL2Log contain
+      // tx info) or when getting metadata for the offchain message (before the message got passed to `process_log`).
+      throw new Error(`Could not find tx effect for tx hash ${txHash} when processing a note.`);
     }
 
     if (txEffect.l2BlockNumber > anchorBlockNumber) {
-      throw new Error(`Could not find tx effect for tx hash ${txHash} as of block number ${anchorBlockNumber}`);
+      // If the message was delivered onchain, this would indicate a bug: log sync should never load logs from blocks
+      // newer than the anchor block. If the note came via an offchain message, it would likely also be a bug, since we
+      // sync a new anchor block before calling `process_message`. For this not to be a bug, the message would need to
+      // come from a newer block than the anchor served by the node, implying the node isn't properly synced.
+      //     We therefore error out here rather than assuming the offchain message was constructed by a malicious
+      // sender with the intention of bricking recipient's PXE (if we assumed that we would just ignore the message).
+      throw new Error(
+        `Obtained a newer tx effect for ${txHash} for a note validation request than the anchor block ${anchorBlockNumber}. This is a bug as we should not ever be processing a note from a newer block than the anchor block.`,
+      );
     }
 
     // Find the index of the note hash in the noteHashes array to determine note ordering within the tx
     const noteIndexInTx = txEffect.data.noteHashes.findIndex(nh => nh.equals(uniqueNoteHash));
     if (noteIndexInTx === -1) {
+      // Similar to the comment above - we error out as this would indicate a bug in nonce discovery.
       throw new Error(`Note hash ${noteHash} (uniqued as ${uniqueNoteHash}) is not present in tx ${txHash}`);
     }
 
@@ -183,8 +195,7 @@ export class NoteService {
       noteIndexInTx,
     );
 
-    // The note was found by `recipient`, so we use that as the scope when storing the note.
-    await this.noteStore.addNotes([noteDao], recipient, this.jobId);
+    await this.noteStore.addNotes([noteDao], scope, this.jobId);
 
     if (nullifierIndex !== undefined) {
       // We found nullifier index which implies that the note has already been nullified.

package/src/notes_filter.ts

@@ -0,0 +1,24 @@
+import type { Fr } from '@aztec/foundation/curves/bn254';
+import type { AztecAddress } from '@aztec/stdlib/aztec-address';
+import type { NoteStatus } from '@aztec/stdlib/note';
+
+/**
+ * A filter used to fetch notes.
+ * @remarks This filter is applied as an intersection of all its params.
+ */
+export type NotesFilter = {
+  /**
+   * The contract address the note belongs to.
+   * @remarks Providing a contract address is required as we need that information to trigger private state sync.
+   */
+  contractAddress: AztecAddress;
+  /** The owner of the note. */
+  owner?: AztecAddress;
+  /** The specific storage location of the note on the contract. */
+  storageSlot?: Fr;
+  /** The status of the note. Defaults to 'ACTIVE'. */
+  status?: NoteStatus;
+  /** The siloed nullifier for the note. */
+  siloedNullifier?: Fr;
+  scopes: AztecAddress[];
+};

package/src/oracle_version.ts

@@ -1,12 +1,22 @@
-/// The ORACLE_VERSION constant is used to check that the oracle interface is in sync between PXE and Aztec.nr. We need
-/// to version the oracle interface to ensure that developers get a reasonable error message if they use incompatible
-/// versions of Aztec.nr and PXE. The Noir counterpart is in `noir-projects/aztec-nr/aztec/src/oracle/version.nr`.
+/// The oracle version constants are used to check that the oracle interface is in sync between PXE and Aztec.nr.
+/// We version the oracle interface as `major.minor` where:
+///   - `major` = backward-breaking changes (must match exactly between PXE and Aztec.nr)
+///   - `minor` = oracle additions (non-breaking; PXE minor >= contract minor)
 ///
-/// @dev Whenever a contract function or Noir test is run, the `utilityAssertCompatibleOracleVersion` oracle is called
-/// and if the oracle version is incompatible an error is thrown.
-export const ORACLE_VERSION = 11;
+/// The Noir counterparts are in `noir-projects/aztec-nr/aztec/src/oracle/version.nr`.
+///
+/// @dev Whenever a contract function or Noir test is run, the `aztec_utl_assertCompatibleOracleVersion` oracle is called.
+/// If the major version is incompatible, an error is thrown immediately. The minor version is recorded by the PXE and
+/// used to provide helpful error messages if a contract calls an oracle that doesn't exist. We don't throw immediately
+/// if AZTEC_NR_MINOR > PXE_MINOR because if a contract is updated to use a newer Aztec.nr dependency without actually
+/// using any of the new oracles then there is no reason to throw.
+export const ORACLE_VERSION_MAJOR = 22;
+export const ORACLE_VERSION_MINOR = 2;
 
-/// This hash is computed as by hashing the Oracle interface and it is used to detect when the Oracle interface changes,
-/// which in turn implies that you need to update the ORACLE_VERSION constant in this file and in
-/// `noir-projects/aztec-nr/aztec/src/oracle/version.nr`.
-export const ORACLE_INTERFACE_HASH = '20c4d02d8cd5e448c11001a5f72ea2e0927630aeda75e537550872a9627bf40b';
+/// This hash is computed from the Oracle interface and is used to detect when that interface changes. When it does,
+/// you need to either:
+/// - increment `ORACLE_VERSION_MAJOR` and reset `ORACLE_VERSION_MINOR` to zero if the change is breaking, or
+/// - increment only `ORACLE_VERSION_MINOR` if the change is additive (a new oracle was added).
+///
+/// These constants must be kept in sync between this file and `noir-projects/aztec-nr/aztec/src/oracle/version.nr`.
+export const ORACLE_INTERFACE_HASH = '193fe3f9fee6a84d26803e636c9746dd805a4f389d44a0618de75c2c5eb4912e';

package/src/private_kernel/hints/{compute_tx_include_by_timestamp.ts → compute_tx_expiration_timestamp.ts}

@@ -1,4 +1,4 @@
-import { MAX_INCLUDE_BY_TIMESTAMP_DURATION } from '@aztec/constants';
+import { MAX_TX_LIFETIME } from '@aztec/constants';
 import type { PrivateKernelCircuitPublicInputs } from '@aztec/stdlib/kernel';
 import type { UInt64 } from '@aztec/stdlib/types';
 
@@ -8,12 +8,12 @@ const ROUNDED_DURATIONS = [
   1, // 1 second
 ];
 
-function roundTimestamp(blockTimestamp: bigint, includeByTimestamp: bigint): UInt64 {
+function roundTimestamp(blockTimestamp: bigint, expirationTimestamp: bigint): UInt64 {
   return ROUNDED_DURATIONS.reduce((timestamp, duration) => {
     if (timestamp <= blockTimestamp) {
       // The timestamp must be greater than the block timestamp.
       // If it is too small, round it down again using a smaller duration.
-      const totalDuration = includeByTimestamp - blockTimestamp;
+      const totalDuration = expirationTimestamp - blockTimestamp;
       const roundedDuration = totalDuration - (totalDuration % BigInt(duration));
       return blockTimestamp + roundedDuration;
     }
@@ -21,36 +21,36 @@ function roundTimestamp(blockTimestamp: bigint, includeByTimestamp: bigint): UIn
   }, 0n);
 }
 
-export function computeTxIncludeByTimestamp(
+export function computeTxExpirationTimestamp(
   previousKernel: PrivateKernelCircuitPublicInputs,
-  maxDuration = MAX_INCLUDE_BY_TIMESTAMP_DURATION,
+  txLifetime = MAX_TX_LIFETIME,
 ): UInt64 {
-  if (maxDuration > MAX_INCLUDE_BY_TIMESTAMP_DURATION) {
+  if (txLifetime > MAX_TX_LIFETIME) {
     throw new Error(
-      `Custom max duration cannot be greater than the max allowed. Max allowed: ${MAX_INCLUDE_BY_TIMESTAMP_DURATION}. Custom value: ${maxDuration}.`,
+      `Custom tx lifetime cannot be greater than the max allowed. Max allowed: ${MAX_TX_LIFETIME}. Custom value: ${txLifetime}.`,
     );
   }
 
   const anchorBlockTimestamp = previousKernel.constants.anchorBlockHeader.globalVariables.timestamp;
-  const maxTimestamp = anchorBlockTimestamp + BigInt(maxDuration);
-  const includeByTimestamp = previousKernel.includeByTimestamp;
+  const maxTimestamp = anchorBlockTimestamp + BigInt(txLifetime);
+  const expirationTimestamp = previousKernel.expirationTimestamp;
 
-  // If the includeByTimestamp set during the tx execution is greater than or equal to the max allowed duration,
+  // If the expirationTimestamp set during the tx execution is greater than or equal to the max allowed duration,
   // use the maximum allowed timestamp.
   // Note: It shouldn't be larger than the max allowed duration, but we check for it anyway.
-  if (includeByTimestamp >= maxTimestamp) {
+  if (expirationTimestamp >= maxTimestamp) {
     return maxTimestamp;
   }
 
   // Round it down to the nearest hour/min/second to reduce precision and avoid revealing the exact value.
   // This makes it harder for others to infer what function calls may have been used to produce a specific timestamp.
-  const roundedTimestamp = roundTimestamp(anchorBlockTimestamp, includeByTimestamp);
+  const roundedTimestamp = roundTimestamp(anchorBlockTimestamp, expirationTimestamp);
 
   // The tx can't be published if the timestamp is the same or less than the anchor block's timestamp.
   // Future blocks will have a greater timestamp, so the tx would never be included.
   if (roundedTimestamp <= anchorBlockTimestamp) {
     throw new Error(
-      `Include-by timestamp must be greater than the anchor block timestamp. Anchor block timestamp: ${anchorBlockTimestamp}. Include-by timestamp: ${includeByTimestamp}.`,
+      `Include-by timestamp must be greater than the anchor block timestamp. Anchor block timestamp: ${anchorBlockTimestamp}. Include-by timestamp: ${expirationTimestamp}.`,
     );
   }
 

package/src/private_kernel/hints/index.ts

@@ -1,2 +1,2 @@
 export * from './private_kernel_reset_private_inputs_builder.js';
-export * from './compute_tx_include_by_timestamp.js';
+export * from './compute_tx_expiration_timestamp.js';