create-aztec-privacy-template 0.1.1 → 0.2.0

package/dist/constants.js

@@ -4,6 +4,7 @@ export const OVERLAY_EXAMPLES_DIR = 'overlays/examples';
 export const EXAMPLE_OVERLAY_ORDER = ['aave', 'lido', 'uniswap'];
 export const SUPPORTED_EXAMPLE_SELECTIONS = ['none', ...EXAMPLE_OVERLAY_ORDER, 'all'];
 export const TEMPLATE_COPY_ENTRIES = [
+    '.env.deploy.example',
     '.solhint.json',
     'gitignore',
     'Makefile',

package/dist/helpers/post-init.js

@@ -2,7 +2,7 @@ import { access, chmod } from 'node:fs/promises';
 import { join } from 'node:path';
 const POST_INIT_HOOKS = [
     verifyRequiredLayoutHook,
-    ensureCompileScriptExecutableHook,
+    ensureScriptExecutablesHook,
 ];
 export async function runPostInitHooks(context) {
     for (const hook of POST_INIT_HOOKS) {
@@ -16,6 +16,9 @@ async function verifyRequiredLayoutHook(context) {
         join('contracts', 'l1'),
         join('contracts', 'aztec'),
         join('scripts', 'compile-aztec-contract.sh'),
+        join('scripts', 'deploy.sh'),
+        join('scripts', 'integration-test-deployment.sh'),
+        join('scripts', 'verify-deployment.sh'),
     ];
     if (context.exampleSelection === 'all') {
         requiredPaths.push(join('examples', 'aave'), join('examples', 'lido'), join('examples', 'uniswap'));
@@ -27,7 +30,13 @@ async function verifyRequiredLayoutHook(context) {
         await access(join(context.absoluteTargetPath, relativePath));
     }
 }
-async function ensureCompileScriptExecutableHook(context) {
+async function ensureScriptExecutablesHook(context) {
     const compileScript = join(context.absoluteTargetPath, 'scripts', 'compile-aztec-contract.sh');
+    const deployScript = join(context.absoluteTargetPath, 'scripts', 'deploy.sh');
+    const integrationDeploymentScript = join(context.absoluteTargetPath, 'scripts', 'integration-test-deployment.sh');
+    const verifyDeploymentScript = join(context.absoluteTargetPath, 'scripts', 'verify-deployment.sh');
     await chmod(compileScript, 0o755);
+    await chmod(deployScript, 0o755);
+    await chmod(integrationDeploymentScript, 0o755);
+    await chmod(verifyDeploymentScript, 0o755);
 }

package/dist/templates/index.js

@@ -1,5 +1,5 @@
 import { cp, mkdir } from 'node:fs/promises';
-import { join } from 'node:path';
+import { join, relative, sep } from 'node:path';
 import { EXAMPLE_OVERLAY_ORDER, OVERLAY_EXAMPLES_DIR, SCAFFOLD_DIR, TEMPLATE_COPY_ENTRIES, } from '../constants.js';
 export function resolveTemplateInstallPlan(generatorRoot, exampleSelection) {
     return {
@@ -18,6 +18,7 @@ export async function installTemplatePlan(absoluteTargetPath, plan) {
             errorOnExist: true,
             force: false,
             preserveTimestamps: true,
+            filter: createTemplateCopyFilter(plan.base.sourceDir),
         });
     }
     for (const overlay of plan.overlays) {
@@ -26,9 +27,25 @@ export async function installTemplatePlan(absoluteTargetPath, plan) {
             errorOnExist: false,
             force: true,
             preserveTimestamps: true,
+            filter: createTemplateCopyFilter(overlay.sourceDir),
         });
     }
 }
+const GENERATED_ARTIFACT_PREFIXES = [
+    'contracts/l1/cache',
+    'contracts/l1/out',
+    'contracts/aztec/target',
+];
+function createTemplateCopyFilter(sourceRoot) {
+    return (sourcePath) => {
+        const relPath = relative(sourceRoot, sourcePath);
+        if (relPath === '') {
+            return true;
+        }
+        const normalizedRelPath = relPath.split(sep).join('/');
+        return !GENERATED_ARTIFACT_PREFIXES.some((prefix) => normalizedRelPath === prefix || normalizedRelPath.startsWith(`${prefix}/`));
+    };
+}
 function getBaseTemplate(generatorRoot) {
     return {
         mode: 'base',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-aztec-privacy-template",
-  "version": "0.1.1",
+  "version": "0.2.0",
   "description": "CLI to scaffold protocol-agnostic Aztec privacy starter projects",
   "license": "MIT",
   "repository": {

package/scaffold/.env.deploy.example

@@ -0,0 +1,28 @@
+# Copy this file to .env.deploy and edit values for your environment.
+# Usage example:
+#   set -a && source .env.deploy && set +a && bash scripts/deploy.sh
+
+# Common
+PROTOCOL_ID=0xe9b9beae393069af7271ea16e89d289254d64491636d5137dcc231679d9eb042
+RELAYER_ADDRESS=
+AZTEC_ACCOUNT_ALIAS=
+AZTEC_CONTRACT_ALIAS=generic-privacy-adapter
+WALLET_DATA_DIR=.aztec-wallet
+# Integration test helpers (used by make test-deployment)
+RELAYER_PRIVATE_KEY=
+OPERATOR_PRIVATE_KEY=
+INTEGRATION_AMOUNT_WEI=1000000000000000
+FAILURE_TIMEOUT_BLOCKS=1
+# FAILURE_TARGET=0x000000000000000000000000000000000000dEaD
+
+# Local devnet defaults (aztec start --local-network)
+L1_RPC_URL=http://127.0.0.1:8545
+AZTEC_NODE_URL=http://127.0.0.1:8080
+DEPLOYER_PRIVATE_KEY=0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80
+SKIP_BUILD=0
+
+# Sepolia / Aztec testnet example values
+# L1_RPC_URL=https://ethereum-sepolia-rpc.publicnode.com
+# AZTEC_NODE_URL=https://devnet-6.aztec-labs.com
+# DEPLOYER_PRIVATE_KEY=0x...
+# SPONSORED_FPC_ADDRESS=0x1586f476995be97f07ebd415340a14be48dc28c6c661cc6bdddb80ae790caa4e

package/scaffold/Makefile

@@ -10,7 +10,7 @@ SOLIDITY_FMT_FILES := $(shell find contracts/l1 -type f -name '*.sol' -not -path
 
 AZTEC_CONTRACT_DIRS := contracts/aztec
 
-.PHONY: help install verify-toolchain fmt fmt-check lint test _test-core _test-flow build build-aztec check clean
+.PHONY: help install verify-toolchain fmt fmt-check lint test _test-core _test-flow build build-aztec deploy test-deployment verify-deployment integration-deployment check clean
 
 help:
 	@printf "Aztec Privacy Starter Make Targets\n\n"
@@ -28,6 +28,11 @@ help:
 	@printf "Build\n"
 	@printf "  make build            Build Solidity + Aztec artifacts\n"
 	@printf "  make build-aztec      Compile Aztec Noir contract\n\n"
+	@printf "Deploy\n"
+	@printf "  make deploy           Deploy scaffold contracts (local or sepolia/testnet)\n"
+	@printf "  make test-deployment  Run live post-deploy integration checks\n"
+	@printf "  make verify-deployment Run deployment invariant checks only\n"
+	@printf "  make integration-deployment Run state-changing integration flow only\n\n"
 	@printf "Cleanup\n"
 	@printf "  make clean            Remove build artifacts\n"
 
@@ -147,6 +152,32 @@ build:
 	@mkdir -p target
 	@echo "Build complete."
 
+deploy:
+	@bash scripts/deploy.sh
+
+test-deployment:
+	@if [ -n "$(DEPLOYMENT_FILE)" ]; then \
+		bash scripts/verify-deployment.sh "$(DEPLOYMENT_FILE)"; \
+		bash scripts/integration-test-deployment.sh "$(DEPLOYMENT_FILE)"; \
+	else \
+		bash scripts/verify-deployment.sh; \
+		bash scripts/integration-test-deployment.sh; \
+	fi
+
+verify-deployment:
+	@if [ -n "$(DEPLOYMENT_FILE)" ]; then \
+		bash scripts/verify-deployment.sh "$(DEPLOYMENT_FILE)"; \
+	else \
+		bash scripts/verify-deployment.sh; \
+	fi
+
+integration-deployment:
+	@if [ -n "$(DEPLOYMENT_FILE)" ]; then \
+		bash scripts/integration-test-deployment.sh "$(DEPLOYMENT_FILE)"; \
+	else \
+		bash scripts/integration-test-deployment.sh; \
+	fi
+
 check:
 	@$(MAKE) fmt-check
 	@$(MAKE) lint
@@ -157,4 +188,5 @@ clean:
 	@rm -rf target
 	@rm -rf cache out
 	@rm -rf contracts/l1/cache contracts/l1/out
+	@rm -rf contracts/aztec/target
 	@rm -rf coverage .turbo .nyc_output

package/scaffold/README.md

@@ -42,13 +42,16 @@ Important integration boundary:
 ```text
 .
 |-- contracts/
-|   |-- l1/                            # BasePortal, EscapeHatch, GenericPortal + tests
+|   |-- l1/                            # BasePortal, EscapeHatch, GenericPortal, GenericActionExecutor + tests
 |   `-- aztec/                         # Generic Noir adapter skeleton
 |-- docs/
-|   |-- DEPLOYMENT.md                  # deployment/configuration runbook (manual until script is added)
+|   |-- DEPLOYMENT.md                  # deployment/configuration runbook + script usage
 |   `-- RELAYER_SPEC.md                # minimal relayer operational spec
 |-- scripts/
-|   `-- compile-aztec-contract.sh
+|   |-- compile-aztec-contract.sh
+|   |-- deploy.sh
+|   |-- integration-test-deployment.sh
+|   `-- verify-deployment.sh
 |-- Makefile
 `-- package.json
 ```
@@ -85,10 +88,16 @@ Compile Solidity and Aztec contract artifacts.
 2. `make test`  
 Run all starter Solidity tests (`BasePortal`, `EscapeHatch`, `GenericPortal` flow).
 
+3. `bash scripts/deploy.sh`  
+Deploy scaffold contracts to local Aztec/Anvil or Aztec testnet + Sepolia.
+
+4. `make test-deployment`  
+Run live post-deploy checks (invariants + state-changing integration flow).
+
 ## Adaptation workflow
 
 1. Start from `contracts/l1/GenericPortal.sol`.
-2. Replace `IGenericActionExecutor` wiring with your protocol integration call(s).
+2. Adapt `contracts/l1/GenericActionExecutor.sol` target allowlist + forwarding payload to your protocol integration.
 3. Extend `contracts/aztec/src/main.nr` intent fields to match your private flow.
 4. Define a single completion payload schema and keep it identical in `GenericPortal` success emission, relayer transport,
    and Noir `finalize_action` hashing.
@@ -119,7 +128,7 @@ Use `docs/DEPLOYMENT.md` as the source of truth for:
 3. address dependency planning between L1 and L2 contracts
 4. deployment validation checks
 
-This template will include a deployment script in a future iteration. Until then, use the runbook for manual or custom automation.
+Use `bash scripts/deploy.sh` for scaffold deployment automation, and keep `docs/DEPLOYMENT.md` as the source of truth for environment values.
 
 ## Relayer Operational Spec
 

package/scaffold/contracts/l1/BasePortal.sol

@@ -20,10 +20,12 @@ abstract contract BasePortal {
 
     /// @notice protocol identifier used in message derivation.
     bytes32 public immutable PROTOCOL_ID;
-    /// @notice bound L2 portal contract address.
-    address public immutable L2_CONTRACT;
+    /// @notice bound L2 portal contract identifier (Aztec contract address bytes32).
+    bytes32 public L2_CONTRACT;
     /// @notice authorized relayer address.
     address public immutable RELAYER;
+    /// @notice one-time configuration admin for deferred L2 binding.
+    address public immutable CONFIG_ADMIN;
     /// @notice monotonic message nonce.
     uint64 public messageNonce;
 
@@ -33,35 +35,40 @@ abstract contract BasePortal {
     error EmptyRecipient();
     error InvalidL2Contract();
     error InvalidRelayer();
+    error L2ContractAlreadyConfigured();
+    error L2ContractNotConfigured();
     error MessageAlreadyIssued();
     error MessageAlreadyConsumed();
     error MessageNotIssued();
+    error UnauthorizedConfigAdmin();
     error UnauthorizedCaller();
 
+    event L2ContractConfigured(bytes32 indexed l2Contract);
+
     /// @notice Initializes the portal with immutable protocol metadata.
     /// @param protocolId_ protocol identifier used for hashing messages.
-    /// @param l2Contract_ bound L2 contract address (Aztec adapter for this flow).
+    /// @param l2Contract_ bound L2 contract identifier (`bytes32` Aztec address for this flow).
+    /// `bytes32(0)` is allowed for deferred one-time initialization via `setL2Contract`.
     /// @param relayer_ authorized relayer/service address.
     /// @dev Value source guidance is documented in scaffold docs/DEPLOYMENT.md.
-    constructor(bytes32 protocolId_, address l2Contract_, address relayer_) {
-        if (l2Contract_ == address(0)) {
-            revert InvalidL2Contract();
-        }
-
+    constructor(bytes32 protocolId_, bytes32 l2Contract_, address relayer_) {
         if (relayer_ == address(0)) {
             revert InvalidRelayer();
         }
 
         PROTOCOL_ID = protocolId_;
-        L2_CONTRACT = l2Contract_;
         RELAYER = relayer_;
+        CONFIG_ADMIN = msg.sender;
         messageNonce = 0;
+
+        if (l2Contract_ != bytes32(0)) {
+            L2_CONTRACT = l2Contract_;
+            emit L2ContractConfigured(l2Contract_);
+        }
     }
 
     modifier onlyRelayer() {
-        if (msg.sender != RELAYER) {
-            revert UnauthorizedCaller();
-        }
+        _onlyRelayer();
         _;
     }
 
@@ -70,6 +77,8 @@ abstract contract BasePortal {
     /// @param sender Message sender address.
     /// @return messageHash Derived message hash.
     function _sendL1ToL2Message(bytes32 content, address sender) internal returns (bytes32 messageHash) {
+        _assertL2ContractConfigured();
+
         if (sender == address(0)) {
             revert EmptyRecipient();
         }
@@ -85,6 +94,7 @@ abstract contract BasePortal {
     }
 
     function _consumeL2ToL1Message(bytes32 content, address sender, uint64 nonce) internal onlyRelayer {
+        _assertL2ContractConfigured();
         bytes32 messageHash = _buildMessageHash(content, sender, nonce);
 
         if (!issuedMessages[messageHash]) {
@@ -105,9 +115,43 @@ abstract contract BasePortal {
     /// @param nonce Monotonic nonce.
     /// @return Hashed message payload.
     function _buildMessageHash(bytes32 content, address sender, uint64 nonce) internal view returns (bytes32) {
+        _assertL2ContractConfigured();
+        // forge-lint: disable-next-line(asm-keccak256)
         return keccak256(abi.encodePacked(PROTOCOL_ID, L2_CONTRACT, content, sender, nonce));
     }
 
+    function _onlyRelayer() private view {
+        if (msg.sender != RELAYER) {
+            revert UnauthorizedCaller();
+        }
+    }
+
+    function _assertL2ContractConfigured() private view {
+        if (L2_CONTRACT == bytes32(0)) {
+            revert L2ContractNotConfigured();
+        }
+    }
+
+    /// @notice Configures the L2 contract binding exactly once.
+    /// @param l2Contract_ Aztec contract address (`bytes32`) bound to this portal.
+    function setL2Contract(bytes32 l2Contract_) external {
+        if (msg.sender != CONFIG_ADMIN) {
+            revert UnauthorizedConfigAdmin();
+        }
+        if (l2Contract_ == bytes32(0)) {
+            revert InvalidL2Contract();
+        }
+        if (L2_CONTRACT != bytes32(0)) {
+            revert L2ContractAlreadyConfigured();
+        }
+        if (messageNonce != 0) {
+            revert MessageAlreadyIssued();
+        }
+
+        L2_CONTRACT = l2Contract_;
+        emit L2ContractConfigured(l2Contract_);
+    }
+
     /// @notice Checks if a message hash was already issued.
     /// @param messageHash Message hash.
     /// @return Whether the message has been issued.

package/scaffold/contracts/l1/GenericActionExecutor.sol

@@ -0,0 +1,97 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.33;
+
+import {IGenericActionExecutor} from "./GenericPortal.sol";
+
+/// @title GenericActionExecutor
+/// @author aztec-privacy-template
+/// @notice Generic L1 executor that forwards validated actions to allowlisted targets.
+/// @dev `actionData` schema: `abi.encode(address target, uint256 value, bytes callData)`.
+contract GenericActionExecutor is IGenericActionExecutor {
+    /// @notice Current operator allowed to configure this executor.
+    address public operator;
+    /// @notice Generic portal authorized to invoke `executeAction`.
+    address public portal;
+    /// @notice Allowlist of protocol targets callable by this executor.
+    mapping(address target => bool allowed) public allowedTargets;
+
+    error InvalidAddress();
+    error UnauthorizedCaller();
+    error PortalAlreadyConfigured();
+    error TargetNotAllowed(address target);
+
+    event OperatorUpdated(address indexed previousOperator, address indexed newOperator);
+    event PortalConfigured(address indexed portal);
+    event TargetPermissionSet(address indexed target, bool allowed);
+    event ActionForwarded(address indexed actor, uint256 amount, address indexed target, uint256 value, bool success);
+
+    constructor(address operator_) {
+        if (operator_ == address(0)) {
+            revert InvalidAddress();
+        }
+        operator = operator_;
+    }
+
+    modifier onlyOperator() {
+        if (msg.sender != operator) {
+            revert UnauthorizedCaller();
+        }
+        _;
+    }
+
+    modifier onlyPortal() {
+        if (msg.sender != portal) {
+            revert UnauthorizedCaller();
+        }
+        _;
+    }
+
+    /// @notice Sets the portal once after deployment.
+    function setPortal(address portal_) external onlyOperator {
+        if (portal_ == address(0)) {
+            revert InvalidAddress();
+        }
+        if (portal != address(0)) {
+            revert PortalAlreadyConfigured();
+        }
+        portal = portal_;
+        emit PortalConfigured(portal_);
+    }
+
+    /// @notice Transfers executor configuration rights.
+    function setOperator(address nextOperator) external onlyOperator {
+        if (nextOperator == address(0)) {
+            revert InvalidAddress();
+        }
+        address previous = operator;
+        operator = nextOperator;
+        emit OperatorUpdated(previous, nextOperator);
+    }
+
+    /// @notice Sets target allowlist status for forwarded calls.
+    function setTargetPermission(address target, bool allowed) external onlyOperator {
+        if (target == address(0)) {
+            revert InvalidAddress();
+        }
+        allowedTargets[target] = allowed;
+        emit TargetPermissionSet(target, allowed);
+    }
+
+    /// @inheritdoc IGenericActionExecutor
+    function executeAction(address actor, uint256 amount, bytes calldata actionData)
+        external
+        onlyPortal
+        returns (bool)
+    {
+        (address target, uint256 value, bytes memory callData) = abi.decode(actionData, (address, uint256, bytes));
+        if (!allowedTargets[target]) {
+            revert TargetNotAllowed(target);
+        }
+
+        (bool success,) = target.call{value: value}(callData);
+        emit ActionForwarded(actor, amount, target, value, success);
+        return success;
+    }
+
+    receive() external payable {}
+}

package/scaffold/contracts/l1/GenericPortal.sol

@@ -73,11 +73,12 @@ contract GenericPortal is BasePortal, EscapeHatch {
 
     /// @notice Creates a new generic portal.
     /// @param protocolId_ Protocol identifier used in deterministic message hashing.
-    /// @param l2Contract_ L2 adapter contract address for this flow.
+    /// @param l2Contract_ L2 adapter contract identifier (`bytes32` Aztec contract address) for this flow.
+    /// `bytes32(0)` enables deferred one-time binding via `setL2Contract`.
     /// @param relayer_ Relayer/service address authorized to execute inbound messages.
     /// @param executor_ Protocol execution hook for concrete integration.
     /// @dev See scaffold docs/DEPLOYMENT.md for value sources and address planning guidance.
-    constructor(bytes32 protocolId_, address l2Contract_, address relayer_, address executor_)
+    constructor(bytes32 protocolId_, bytes32 l2Contract_, address relayer_, address executor_)
         BasePortal(protocolId_, l2Contract_, relayer_)
     {
         if (executor_ == address(0)) {
@@ -140,6 +141,7 @@ contract GenericPortal is BasePortal, EscapeHatch {
         }
 
         bytes32 messageHash = _buildMessageHash(content, sender, nonce);
+        // forge-lint: disable-next-line(asm-keccak256)
         bytes32 actionHash = keccak256(actionData);
 
         _assertFlowRequest(messageHash, sender, amount, actionHash);

package/scaffold/contracts/l1/README.md

@@ -5,6 +5,7 @@ This folder contains all Solidity contracts for the starter:
 1. `BasePortal.sol`
 2. `EscapeHatch.sol`
 3. `GenericPortal.sol`
+4. `GenericActionExecutor.sol`
 
 It also includes tests under `test/`.
 
@@ -20,6 +21,8 @@ It also includes tests under `test/`.
 These contracts define deterministic message content and local request state. For real cross-chain delivery, integrate
 your relayer with Aztec canonical Inbox/Outbox contracts (or their current equivalent on your target network).
 
+`BasePortal` supports deferred one-time L2 binding via `setL2Contract(bytes32)` for deployment sequencing.
+
 ## Deployment parameters
 
 See `../../docs/DEPLOYMENT.md` for constructor input requirements and value sources for:
@@ -37,10 +40,18 @@ See `../../docs/RELAYER_SPEC.md` for minimum relayer responsibilities, nonce/ide
 
 1. Keep hash construction consistent between Aztec and L1.
 2. Keep `onlyRelayer` on execution/finalization entrypoints.
-3. Wire your real protocol integration in `IGenericActionExecutor`.
+3. Adapt `GenericActionExecutor` target allowlist + payload schema to your protocol integration.
 4. Preserve escape registration behavior on execution failure.
 5. Extend tests in `test/GenericPortal.t.sol` for protocol-specific invariants.
 
+## Default executor payload
+
+`GenericActionExecutor` expects:
+
+1. `actionData = abi.encode(address target, uint256 value, bytes callData)`
+2. `target` must be allowlisted via `setTargetPermission(target, true)`
+3. `executeAction` forwards `callData` to `target` and returns call success
+
 ## Personalization examples
 
 Example A: lend/repay style flow

package/scaffold/contracts/l1/test/BasePortal.t.sol

@@ -1,10 +1,10 @@
 // SPDX-License-Identifier: MIT
 pragma solidity ^0.8.33;
 
-import "../BasePortal.sol";
+import {BasePortal} from "../BasePortal.sol";
 
 contract BasePortalHarness is BasePortal {
-    constructor(bytes32 protocolId, address l2Contract, address relayer) BasePortal(protocolId, l2Contract, relayer) {}
+    constructor(bytes32 protocolId, bytes32 l2Contract, address relayer) BasePortal(protocolId, l2Contract, relayer) {}
 
     function sendMessage(bytes32 content, address sender) external returns (bytes32) {
         return _sendL1ToL2Message(content, sender);
@@ -20,23 +20,22 @@ contract BasePortalHarness is BasePortal {
 }
 
 contract UnauthorizedPortalCaller {
+    function configure(BasePortalHarness portal, bytes32 l2Contract) external {
+        portal.setL2Contract(l2Contract);
+    }
+
     function consume(BasePortalHarness portal, bytes32 content, address sender, uint64 nonce) external {
         portal.consumeMessage(content, sender, nonce);
     }
 }
 
 contract BasePortalTest {
-    function testBasePortalConstructorRejectsInvalidAddresses() external {
-        bool invalidL2 = false;
-        try new BasePortalHarness(bytes32("BASE_PORTAL"), address(0), address(this)) {
-            invalidL2 = false;
-        } catch {
-            invalidL2 = true;
-        }
-        assert(invalidL2);
+    bytes32 private constant PROTOCOL_ID = keccak256("BASE_PORTAL");
+    bytes32 private constant L2_CONTRACT_ID = keccak256("L2_CONTRACT");
 
+    function testBasePortalConstructorRejectsInvalidRelayer() external {
         bool invalidRelayer = false;
-        try new BasePortalHarness(bytes32("BASE_PORTAL"), address(0xA11CE), address(0)) {
+        try new BasePortalHarness(PROTOCOL_ID, L2_CONTRACT_ID, address(0)) {
             invalidRelayer = false;
         } catch {
             invalidRelayer = true;
@@ -44,8 +43,34 @@ contract BasePortalTest {
         assert(invalidRelayer);
     }
 
+    function testBasePortalDeferredL2Configuration() external {
+        BasePortalHarness portal = new BasePortalHarness(PROTOCOL_ID, bytes32(0), address(this));
+        UnauthorizedPortalCaller unauthorized = new UnauthorizedPortalCaller();
+
+        assert(portal.L2_CONTRACT() == bytes32(0));
+
+        bool unauthorizedReverted = false;
+        try unauthorized.configure(portal, L2_CONTRACT_ID) {
+            unauthorizedReverted = false;
+        } catch {
+            unauthorizedReverted = true;
+        }
+        assert(unauthorizedReverted);
+
+        portal.setL2Contract(L2_CONTRACT_ID);
+        assert(portal.L2_CONTRACT() == L2_CONTRACT_ID);
+
+        bool cannotReconfigure = false;
+        try portal.setL2Contract(keccak256("other")) {
+            cannotReconfigure = false;
+        } catch {
+            cannotReconfigure = true;
+        }
+        assert(cannotReconfigure);
+    }
+
     function testBasePortalSendGeneratesDeterministicHashesAndMonotonicNonce() external {
-        BasePortalHarness portal = new BasePortalHarness(bytes32("BASE_PORTAL"), address(0xA11CE), address(this));
+        BasePortalHarness portal = new BasePortalHarness(PROTOCOL_ID, L2_CONTRACT_ID, address(this));
 
         bytes32 content = keccak256("content-key");
         address sender = address(0xB0B);
@@ -66,7 +91,7 @@ contract BasePortalTest {
     }
 
     function testBasePortalRejectsEmptyRecipientMessageSend() external {
-        BasePortalHarness portal = new BasePortalHarness(bytes32("BASE_PORTAL"), address(0xA11CE), address(this));
+        BasePortalHarness portal = new BasePortalHarness(PROTOCOL_ID, L2_CONTRACT_ID, address(this));
 
         bool reverted = false;
 
@@ -80,7 +105,7 @@ contract BasePortalTest {
     }
 
     function testBasePortalConsumptionFlow() external {
-        BasePortalHarness portal = new BasePortalHarness(bytes32("BASE_PORTAL"), address(0xA11CE), address(this));
+        BasePortalHarness portal = new BasePortalHarness(PROTOCOL_ID, L2_CONTRACT_ID, address(this));
         UnauthorizedPortalCaller unauthorized = new UnauthorizedPortalCaller();
 
         bytes32 content = keccak256("consume-key");

package/scaffold/contracts/l1/test/EscapeHatch.t.sol

@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: MIT
 pragma solidity ^0.8.33;
 
-import "../EscapeHatch.sol";
+import {EscapeHatch} from "../EscapeHatch.sol";
 
 interface IHevm {
     function roll(uint256) external;