feat: ledger 9-rc.3 (#1738)#1783
Merged
gilescope merged 2 commits intoJun 29, 2026
Merged
Conversation
* feat: ledger 9-rc.3
Signed-off-by: Giles Cope <gilescope@gmail.com>
* fix: don't touch most envs
Signed-off-by: Giles Cope <gilescope@gmail.com>
* chore: add change files
Signed-off-by: Giles Cope <gilescope@gmail.com>
* fix: use a new tokio rt + spawn_blocking for local prove
We need to do this for 2 reasons:
1. We should not block the executor - awaiting on a new thread for high CPU work is the right choice
2. Ledger 9 no-longer has Send for the tx.prove() method. So our hand is forced here, even for remote proving
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
Assisted-by: Claude:claude-4.8-opus
* build: use schnorr key type to contract operations
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
* fix: sign dust registrations over the assembled intent for ledger 9-rc.3
ledger 9-rc.3 folds dust_actions into Intent::data_to_sign (the new
IntentSigningEnvelope), so a dust registration's night_key, dust_address
and allow_fee_payment are now part of the signed payload. Both toolkit
sign-paths computed data_to_sign before attaching the registrations to the
intent, so the signature no longer matched at validation and genesis
generation failed with InvalidDustRegistrationSignature.
Attach the registrations unsigned first, then compute data_to_sign and fill
in each signature, mirroring the ledger's own Transaction::sign. Affects
genesis_generator::add_dust_actions and the helper apply_dust path (new
DustRegistrationBuilder::build_unsigned).
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
* chore: fix dev cnight config
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
* fix: load v1-circuit verifier keys into ledger-9 dual-stack v2 slot
Under ledger 9-rc.3 ContractOperation is dual-stack: v1 (zk-stdlib v1) circuits
verify their proofs (ProofVersioned::V2) against the v2 slot, holding a 2.x
transient_crypto_old verifier key (verifier-key[v6]); v2 circuits use the v3 slot
(3.x transient_crypto, verifier-key[v7]).
The simple-merkle-tree and counter test contracts are v1 circuits, so their stored
verifier keys are 2.x keys. The toolkit deploy path loaded them via the 3.x
verifier_key()/contract_operation_new(), which could not deserialize the v6 keys
and produced an operation with no verifier key -- contract deploys failed with
VerifierKeyNotSet { operation: check }.
Add verifier_key_v1 (deserializes as 2.x) and a per-generation contract_operation_new_v1:
pre-ledger-9 it is the existing single-stack path; under ledger 9 it places the 2.x
key in ContractOperation::v2. The merkle-tree deploy now uses these. Verified
end-to-end (deploy -> store -> check), the check call's proof verifying against
op.v2_vk().
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
* fix: re-sign unshielded offers after attaching dust for ledger 9-rc.3
rc.3 folds dust_actions into Intent::data_to_sign, so the unshielded offer's
input signatures - not just the dust registration signatures - are signed over
a payload that includes the dust. StandardTrasactionInfo::apply_dust attached
dust_actions to the fallible intent *after* IntentInfo::build had already signed
that intent's unshielded offer, leaving those offer signatures stale. Validation
recomputed data_to_sign with the dust and balancing failed with
IntentSignatureVerificationFailure (e.g. generate-txs batches during genesis
generation).
apply_dust now assembles the full intent (offers + unsigned dust) first, then
computes data_to_sign once and re-signs both the unshielded offers and the dust
registrations over it, mirroring the ledger's own Intent::sign. The offer
signing keys are recovered from the originating IntentInfo via a new
BuildIntent::unshielded_signing_keys accessor.
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
* chore: rebuild genesis files
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
* chore: cargo fmt
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
* test: update outdated doc-test values
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
* feat: toolkit can now load contract verifier keys v2 and v3
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
* chore: set devnet cnight config to empty
Will re-gen properly once I get access to a Cardano preview db-sync
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
* docs: clean-up comments
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
* Generated cnight config for devnet
Signed-off-by: Lech Głowiak <lech.glowiak@shielded.io>
* chore: consolidate ledger 9.1.0-rc.3 change files
Replace the outdated node file and the four scattered rc.3 toolkit change
files with two consolidated change files (node + toolkit) reflecting the
final state of the branch.
- node: runtime metadata is not regenerated, and only undeployed genesis
plus the derived .mn fixtures are rebuilt at v18 (devnet genesis still
needs an AWS-side rebuild). The prior file claimed otherwise.
- toolkit: fold in dual-stack verifier keys, dust-registration and
unshielded-offer signing over the assembled intent, and the !Send-safe
proving fix (previously undocumented).
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
* Regenerate with new node
Signed-off-by: Lech Głowiak <lech.glowiak@shielded.io>
* chore: rebuild devnet genesis
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
* build: bump zkir specifier to ^2.2.0
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
* chore: rebuild devnet chainspec
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
* fix: toolkit - select correct version for maintainace
Signed-off-by: Giles Cope <gilescope@gmail.com>
---------
Signed-off-by: Giles Cope <gilescope@gmail.com>
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
Signed-off-by: Lech Głowiak <lech.glowiak@shielded.io>
Co-authored-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
Co-authored-by: Lech Głowiak <lech.glowiak@shielded.io>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8726121c7a
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Signed-off-by: Oscar Bailey <79094698+ozgb@users.noreply.github.com>
LGLO
approved these changes
Jun 29, 2026
gilescope
approved these changes
Jun 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
Port #1738 to release branch
🗹 TODO before merging
📌 Submission Checklist
git commit -s) for the DCO🧪 Testing Evidence
Please describe any additional testing aside from CI:
🔱 Fork Strategy
Links