Skip to content

feat: ledger 9-rc.3 (#1738)#1783

Merged
gilescope merged 2 commits into
release/node-2.0.0from
ozgb-ledger-9.1.0-rc.3-release-branch-rebase
Jun 29, 2026
Merged

feat: ledger 9-rc.3 (#1738)#1783
gilescope merged 2 commits into
release/node-2.0.0from
ozgb-ledger-9.1.0-rc.3-release-branch-rebase

Conversation

@ozgb

@ozgb ozgb commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Overview

Port #1738 to release branch

🗹 TODO before merging

  • Ready

📌 Submission Checklist

  • All commits are signed off (git commit -s) for the DCO
  • Changes are backward-compatible (or flagged if breaking)
  • Pull request description explains why the change is needed
  • Self-reviewed the diff
  • I have included a change file, or skipped for this reason:
  • If the changes introduce a new feature, I have bumped the node minor version
  • Update documentation (if relevant)
  • Updated AGENTS.md if build commands, architecture, or workflows changed
  • No new todos introduced

🧪 Testing Evidence

Please describe any additional testing aside from CI:

  • Additional tests are provided (if possible)

🔱 Fork Strategy

  • Node Runtime Update
  • Node Client Update
  • Other:
  • N/A

Links

* feat: ledger 9-rc.3

Signed-off-by: Giles Cope <gilescope@gmail.com>

* fix: don't touch most envs

Signed-off-by: Giles Cope <gilescope@gmail.com>

* chore: add change files

Signed-off-by: Giles Cope <gilescope@gmail.com>

* fix: use a new tokio rt + spawn_blocking for local prove

We need to do this for 2 reasons:
1. We should not block the executor - awaiting on a new thread for high CPU work is the right choice
2. Ledger 9 no-longer has Send for the tx.prove() method. So our hand is forced here, even for remote proving

Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
Assisted-by: Claude:claude-4.8-opus

* build: use schnorr key type to contract operations

Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>

* fix: sign dust registrations over the assembled intent for ledger 9-rc.3

ledger 9-rc.3 folds dust_actions into Intent::data_to_sign (the new
IntentSigningEnvelope), so a dust registration's night_key, dust_address
and allow_fee_payment are now part of the signed payload. Both toolkit
sign-paths computed data_to_sign before attaching the registrations to the
intent, so the signature no longer matched at validation and genesis
generation failed with InvalidDustRegistrationSignature.

Attach the registrations unsigned first, then compute data_to_sign and fill
in each signature, mirroring the ledger's own Transaction::sign. Affects
genesis_generator::add_dust_actions and the helper apply_dust path (new
DustRegistrationBuilder::build_unsigned).

Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>

* chore: fix dev cnight config

Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>

* fix: load v1-circuit verifier keys into ledger-9 dual-stack v2 slot

Under ledger 9-rc.3 ContractOperation is dual-stack: v1 (zk-stdlib v1) circuits
verify their proofs (ProofVersioned::V2) against the v2 slot, holding a 2.x
transient_crypto_old verifier key (verifier-key[v6]); v2 circuits use the v3 slot
(3.x transient_crypto, verifier-key[v7]).

The simple-merkle-tree and counter test contracts are v1 circuits, so their stored
verifier keys are 2.x keys. The toolkit deploy path loaded them via the 3.x
verifier_key()/contract_operation_new(), which could not deserialize the v6 keys
and produced an operation with no verifier key -- contract deploys failed with
VerifierKeyNotSet { operation: check }.

Add verifier_key_v1 (deserializes as 2.x) and a per-generation contract_operation_new_v1:
pre-ledger-9 it is the existing single-stack path; under ledger 9 it places the 2.x
key in ContractOperation::v2. The merkle-tree deploy now uses these. Verified
end-to-end (deploy -> store -> check), the check call's proof verifying against
op.v2_vk().

Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>

* fix: re-sign unshielded offers after attaching dust for ledger 9-rc.3

rc.3 folds dust_actions into Intent::data_to_sign, so the unshielded offer's
input signatures - not just the dust registration signatures - are signed over
a payload that includes the dust. StandardTrasactionInfo::apply_dust attached
dust_actions to the fallible intent *after* IntentInfo::build had already signed
that intent's unshielded offer, leaving those offer signatures stale. Validation
recomputed data_to_sign with the dust and balancing failed with
IntentSignatureVerificationFailure (e.g. generate-txs batches during genesis
generation).

apply_dust now assembles the full intent (offers + unsigned dust) first, then
computes data_to_sign once and re-signs both the unshielded offers and the dust
registrations over it, mirroring the ledger's own Intent::sign. The offer
signing keys are recovered from the originating IntentInfo via a new
BuildIntent::unshielded_signing_keys accessor.

Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>

* chore: rebuild genesis files

Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>

* chore: cargo fmt

Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>

* test: update outdated doc-test values

Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>

* feat: toolkit can now load contract verifier keys v2 and v3

Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>

* chore: set devnet cnight config to empty

Will re-gen properly once I get access to a Cardano preview db-sync

Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>

* docs: clean-up comments

Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>

* Generated cnight config for devnet

Signed-off-by: Lech Głowiak <lech.glowiak@shielded.io>

* chore: consolidate ledger 9.1.0-rc.3 change files

Replace the outdated node file and the four scattered rc.3 toolkit change
files with two consolidated change files (node + toolkit) reflecting the
final state of the branch.

- node: runtime metadata is not regenerated, and only undeployed genesis
  plus the derived .mn fixtures are rebuilt at v18 (devnet genesis still
  needs an AWS-side rebuild). The prior file claimed otherwise.
- toolkit: fold in dual-stack verifier keys, dust-registration and
  unshielded-offer signing over the assembled intent, and the !Send-safe
  proving fix (previously undocumented).

Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>

* Regenerate with new node

Signed-off-by: Lech Głowiak <lech.glowiak@shielded.io>

* chore: rebuild devnet genesis

Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>

* build: bump zkir specifier to ^2.2.0

Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>

* chore: rebuild devnet chainspec

Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>

* fix: toolkit - select correct version for maintainace

Signed-off-by: Giles Cope <gilescope@gmail.com>

---------

Signed-off-by: Giles Cope <gilescope@gmail.com>
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
Signed-off-by: Lech Głowiak <lech.glowiak@shielded.io>
Co-authored-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
Co-authored-by: Lech Głowiak <lech.glowiak@shielded.io>
@ozgb ozgb requested a review from a team as a code owner June 29, 2026 13:22
@datadog-official

datadog-official Bot commented Jun 29, 2026

Copy link
Copy Markdown

Pipelines

⚠️ Warnings

🚦 2 Pipeline jobs failed

+check (format + lint) | Feature Unification Check   View in Datadog   GitHub Actions

Changes Check | check-changes   View in Datadog   GitHub Actions

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: a67723f | Docs | Give us feedback!

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8726121c7a

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread ledger/helpers/src/versions/common/contract/maintenance.rs
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
@gilescope gilescope enabled auto-merge June 29, 2026 13:57
@gilescope gilescope merged commit 30f081e into release/node-2.0.0 Jun 29, 2026
33 of 36 checks passed
@gilescope gilescope deleted the ozgb-ledger-9.1.0-rc.3-release-branch-rebase branch June 29, 2026 14:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants