merge w/ merge-train/fairies

Author: vezenovm

.claude/skills/update-doc-references/SKILL.md

@@ -1,3 +1,8 @@
+---
+name: update-doc-references
+description: Analyze source-file changes referenced by documentation, update affected docs when needed, and report documentation reference updates for a PR.
+---
+
 # Update Documentation References
 
 When source files referenced by documentation change in a PR, analyze the

.github/workflows/backport.yml

@@ -122,4 +122,6 @@ jobs:
           gh workflow run claudebox.yml \
             -f prompt="Backport PR #$PR ($TITLE) to $BRANCH. The automatic cherry-pick failed due to conflicts. Follow .claude/claudebox/backport.md to resolve conflicts and create a PR." \
             -f link="${LINK:-$URL}" \
-            -f target_ref="origin/backport-to-${BRANCH}-staging"
+            -f target_ref="origin/backport-to-${BRANCH}-staging" \
+            -f slack_channel="$CHANNEL_ID" \
+            -f slack_thread_ts="$TS"

.github/workflows/ci3-dashboard-deploy.yml

@@ -0,0 +1,35 @@
+name: CI3 Dashboard Deploy
+
+on:
+  push:
+    branches:
+      - next
+    paths:
+      - "ci3/dashboard/**"
+      - ".github/workflows/ci3-dashboard-deploy.yml"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
+
+      - name: Deploy ci3 dashboard
+        env:
+          BUILD_INSTANCE_SSH_KEY: ${{ secrets.BUILD_INSTANCE_SSH_KEY }}
+        run: |
+          set -eu
+          mkdir -p ~/.ssh
+          echo "${BUILD_INSTANCE_SSH_KEY}" | base64 --decode > ~/.ssh/build_instance_key
+          chmod 600 ~/.ssh/build_instance_key
+          ssh-keyscan -H ci.aztec-labs.com >> ~/.ssh/known_hosts 2>/dev/null
+
+          ./ci3/dashboard/deploy.sh

.github/workflows/claudebox.yml

@@ -16,10 +16,27 @@ on:
         required: false
         type: string
       target_ref:
-        description: 'Git ref to checkout in the container (e.g., origin/backport-to-v4-next-staging)'
+        description: 'Git ref the session should work against (e.g., origin/merge-train/barretenberg)'
+        required: false
+        type: string
+      slack_channel:
+        description: 'Slack channel ID to thread status into (set by the kickoff script)'
+        required: false
+        type: string
+      slack_thread_ts:
+        description: 'Slack thread timestamp to reply under (set by the kickoff script)'
         required: false
         type: string
 
+# ClaudeBox v2 runs as a public service at https://claudebox.work. CI hands a
+# job off by POSTing to its /run webhook (Bearer-authed with
+# CLAUDEBOX_API_SECRET) and returns immediately — the session reports progress
+# back to the bound Slack thread and to any GitHub comment IDs we pass through.
+# The old v1 server lived on a private build instance reached over an SSH
+# tunnel; that path is retired.
+env:
+  CLAUDEBOX_URL: ${{ vars.CLAUDEBOX_URL || 'https://claudebox.work' }}
+
 jobs:
   claudebox:
     if: >-
@@ -49,41 +66,13 @@ jobs:
             repos/${{ github.repository }}/issues/comments/${{ github.event.comment.id }}/reactions \
             -f content='eyes' || true
 
-      - name: Setup SSH tunnel to ClaudeBox
-        env:
-          BUILD_INSTANCE_SSH_KEY: ${{ secrets.BUILD_INSTANCE_SSH_KEY }}
-        run: |
-          set -eu
-          mkdir -p ~/.ssh
-          echo "${BUILD_INSTANCE_SSH_KEY}" | base64 --decode > ~/.ssh/build_instance_key
-          chmod 600 ~/.ssh/build_instance_key
-
-          # SSH tunnel: CI runner :4001 → bastion :3000 → (reverse tunnel) → claude-box :3001
-          ssh -f -N -L 4001:localhost:3000 \
-            -o StrictHostKeyChecking=no \
-            -o ServerAliveInterval=30 \
-            -o ServerAliveCountMax=3 \
-            -o ConnectTimeout=15 \
-            -i ~/.ssh/build_instance_key \
-            ubuntu@ci.aztec-labs.com
-
-          # Wait for tunnel
-          for i in $(seq 1 15); do
-            if curl -s -o /dev/null --max-time 2 http://localhost:4001/ 2>/dev/null; then
-              echo "SSH tunnel ready"
-              exit 0
-            fi
-            sleep 1
-          done
-          echo "ERROR: SSH tunnel failed to connect"
-          exit 1
-
       - name: Parse command
         id: parse
         env:
           COMMENT_BODY: ${{ github.event.comment.body || '' }}
           INPUT_PROMPT: ${{ inputs.prompt || '' }}
           INPUT_LINK: ${{ inputs.link || '' }}
+          INPUT_TARGET_REF: ${{ inputs.target_ref || '' }}
         run: |
           if [ -n "$INPUT_PROMPT" ]; then
             PROMPT="$INPUT_PROMPT"
@@ -93,6 +82,14 @@ jobs:
             LINK=""
           fi
 
+          # ClaudeBox v2 has no separate target_ref input; fold it into the
+          # prompt so the agent fetches and bases its branch on the right ref.
+          if [ -n "$INPUT_TARGET_REF" ]; then
+            PROMPT="$PROMPT
+
+          Work against git ref: $INPUT_TARGET_REF. Fetch it and base your branch on it."
+          fi
+
           echo "link=$LINK" >> "$GITHUB_OUTPUT"
           {
             echo "prompt<<PROMPT_EOF"
@@ -120,22 +117,28 @@ jobs:
           echo "run_comment_id=$COMMENT_ID" >> "$GITHUB_OUTPUT"
           echo "Posted status comment: $COMMENT_ID"
 
-      - name: Run ClaudeBox
-        timeout-minutes: 120
+      - name: Dispatch ClaudeBox v2
         env:
-          CLAUDEBOX_URL: http://localhost:4001
           CLAUDEBOX_API_SECRET: ${{ secrets.CLAUDEBOX_API_SECRET }}
           CLAUDEBOX_PROMPT: ${{ steps.parse.outputs.prompt }}
           CLAUDEBOX_LINK: ${{ steps.parse.outputs.link }}
-          CLAUDEBOX_TARGET_REF: ${{ inputs.target_ref || '' }}
           COMMENT_ID: ${{ github.event.comment.id || '' }}
           RUN_COMMENT_ID: ${{ steps.status_comment.outputs.run_comment_id || '' }}
           REPO: ${{ github.repository }}
           RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
           AUTHOR: ${{ github.event.comment.user.login || github.actor }}
+          SLACK_CHANNEL: ${{ inputs.slack_channel || '' }}
+          SLACK_THREAD_TS: ${{ inputs.slack_thread_ts || '' }}
+          # Public mode grants the session read-write access to public repos
+          # (aztec-packages). Without it the session only gets the group's
+          # unscoped repos and cannot open PRs against aztec-packages.
+          CLAUDEBOX_MODE: ${{ vars.CLAUDEBOX_MODE || 'public' }}
         run: |
-          AUTH="Authorization: Bearer ${CLAUDEBOX_API_SECRET}"
-          echo "Creating payload..."
+          if [ -z "${CLAUDEBOX_API_SECRET:-}" ]; then
+            echo "ERROR: CLAUDEBOX_API_SECRET is not set; cannot dispatch ClaudeBox v2"
+            exit 1
+          fi
+
           PAYLOAD=$(jq -n \
             --arg prompt "$CLAUDEBOX_PROMPT" \
             --arg user "$AUTHOR" \
@@ -144,41 +147,30 @@ jobs:
             --arg repo "$REPO" \
             --arg run_url "$RUN_URL" \
             --arg link "$CLAUDEBOX_LINK" \
-            --arg target_ref "$CLAUDEBOX_TARGET_REF" \
-            '{prompt: $prompt, user: $user, comment_id: $comment_id, run_comment_id: $run_comment_id, repo: $repo, run_url: $run_url, link: $link, target_ref: $target_ref}')
-
-          echo "Sending payload..."
-          # Start session — returns 202 with log URL
+            --arg slack_channel "$SLACK_CHANNEL" \
+            --arg slack_thread_ts "$SLACK_THREAD_TS" \
+            --arg mode "$CLAUDEBOX_MODE" \
+            '{prompt: $prompt, user: $user, repo: $repo, run_url: $run_url, link: $link, slack_channel: $slack_channel, slack_thread_ts: $slack_thread_ts, mode: $mode}
+             + (if $comment_id != "" then {comment_id: ($comment_id | tonumber)} else {} end)
+             + (if $run_comment_id != "" then {run_comment_id: ($run_comment_id | tonumber)} else {} end)')
+
+          # Fire-and-forget: v2 reports progress to Slack / GitHub comments.
           RESPONSE=$(curl -sS -w "\n%{http_code}" \
-            -H "$AUTH" -H "Content-Type: application/json" \
+            -H "Authorization: Bearer ${CLAUDEBOX_API_SECRET}" \
+            -H "Content-Type: application/json" \
             -d "$PAYLOAD" "${CLAUDEBOX_URL}/run")
 
           HTTP_CODE=$(echo "$RESPONSE" | tail -1)
           BODY=$(echo "$RESPONSE" | head -n -1)
 
           if [ "$HTTP_CODE" -ge 400 ] 2>/dev/null; then
-            echo "ClaudeBox returned HTTP $HTTP_CODE: $BODY"
+            echo "ClaudeBox v2 returned HTTP $HTTP_CODE: $BODY"
             exit 1
           fi
 
-          LOG_URL=$(echo "$BODY" | jq -r '.log_url // empty')
-          SESSION_ID=$(basename "$LOG_URL")
-          echo "Session started: $LOG_URL"
-
-          echo "Session received, polling..."
-          # Poll until completed
-          while true; do
-            sleep 30
-            STATUS_BODY=$(curl -sS -H "$AUTH" "${CLAUDEBOX_URL}/session/${SESSION_ID}" 2>/dev/null || echo '{}')
-            STATUS=$(echo "$STATUS_BODY" | jq -r '.status // "unknown"')
-            echo "$(date -u +%H:%M:%S) status=$STATUS"
-            if [ "$STATUS" != "running" ]; then
-              EXIT_CODE=$(echo "$STATUS_BODY" | jq -r '.exit_code // 1')
-              echo "Session finished: status=$STATUS exit_code=$EXIT_CODE"
-              echo "Log: $LOG_URL"
-              exit "$EXIT_CODE"
-            fi
-          done
+          SESSION_ID=$(echo "$BODY" | jq -r '.session_id // empty')
+          echo "ClaudeBox v2 session: ${CLAUDEBOX_URL}/v2/sessions/${SESSION_ID}"
+          echo "Status: $(echo "$BODY" | jq -r '.status // "unknown"')"
 
   claude-review:
     if: >-
@@ -189,33 +181,6 @@ jobs:
     permissions:
       contents: read
     steps:
-      - name: Setup SSH tunnel to ClaudeBox
-        env:
-          BUILD_INSTANCE_SSH_KEY: ${{ secrets.BUILD_INSTANCE_SSH_KEY }}
-        run: |
-          set -eu
-          mkdir -p ~/.ssh
-          echo "${BUILD_INSTANCE_SSH_KEY}" | base64 --decode > ~/.ssh/build_instance_key
-          chmod 600 ~/.ssh/build_instance_key
-
-          ssh -f -N -L 4001:localhost:3000 \
-            -o StrictHostKeyChecking=no \
-            -o ServerAliveInterval=30 \
-            -o ServerAliveCountMax=3 \
-            -o ConnectTimeout=15 \
-            -i ~/.ssh/build_instance_key \
-            ubuntu@ci.aztec-labs.com
-
-          for i in $(seq 1 15); do
-            if curl -s -o /dev/null --max-time 2 http://localhost:4001/ 2>/dev/null; then
-              echo "SSH tunnel ready"
-              exit 0
-            fi
-            sleep 1
-          done
-          echo "ERROR: SSH tunnel failed to connect"
-          exit 1
-
       - name: Post review status comment
         id: status_comment
         env:
@@ -232,10 +197,8 @@ jobs:
           echo "run_comment_id=$COMMENT_ID" >> "$GITHUB_OUTPUT"
           echo "Posted review status comment: $COMMENT_ID"
 
-      - name: Trigger ClaudeBox review
-        timeout-minutes: 120
+      - name: Dispatch ClaudeBox v2 review
         env:
-          CLAUDEBOX_URL: http://localhost:4001
           CLAUDEBOX_API_SECRET: ${{ secrets.CLAUDEBOX_API_SECRET }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
           PR_TITLE: ${{ github.event.pull_request.title }}
@@ -245,8 +208,12 @@ jobs:
           RUN_COMMENT_ID: ${{ steps.status_comment.outputs.run_comment_id || '' }}
           RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
           REPO: ${{ github.repository }}
+          CLAUDEBOX_MODE: ${{ vars.CLAUDEBOX_MODE || 'public' }}
         run: |
-          AUTH="Authorization: Bearer ${CLAUDEBOX_API_SECRET}"
+          if [ -z "${CLAUDEBOX_API_SECRET:-}" ]; then
+            echo "ERROR: CLAUDEBOX_API_SECRET is not set; cannot dispatch ClaudeBox v2"
+            exit 1
+          fi
 
           PROMPT="Review PR #${PR_NUMBER}: ${PR_TITLE}
           ${PR_URL}
@@ -265,36 +232,23 @@ jobs:
             --arg repo "$REPO" \
             --arg run_url "$RUN_URL" \
             --arg link "$PR_URL" \
-            --arg profile "review" \
-            '{prompt: $prompt, user: $user, run_comment_id: $run_comment_id, repo: $repo, run_url: $run_url, link: $link, profile: $profile}')
+            --arg mode "$CLAUDEBOX_MODE" \
+            '{prompt: $prompt, user: $user, repo: $repo, run_url: $run_url, link: $link, mode: $mode}
+             + (if $run_comment_id != "" then {run_comment_id: ($run_comment_id | tonumber)} else {} end)')
 
           RESPONSE=$(curl -sS -w "\n%{http_code}" \
-            -H "$AUTH" -H "Content-Type: application/json" \
+            -H "Authorization: Bearer ${CLAUDEBOX_API_SECRET}" \
+            -H "Content-Type: application/json" \
             -d "$PAYLOAD" "${CLAUDEBOX_URL}/run")
 
           HTTP_CODE=$(echo "$RESPONSE" | tail -1)
           BODY=$(echo "$RESPONSE" | head -n -1)
 
           if [ "$HTTP_CODE" -ge 400 ] 2>/dev/null; then
-            echo "ClaudeBox returned HTTP $HTTP_CODE: $BODY"
-            exit 1
+            echo "ClaudeBox v2 returned HTTP $HTTP_CODE: $BODY"
+            # Review dispatch failures are informational — don't fail the workflow.
+            exit 0
           fi
 
-          LOG_URL=$(echo "$BODY" | jq -r '.log_url // empty')
-          SESSION_ID=$(basename "$LOG_URL")
-          echo "Review session started: $LOG_URL"
-
-          # Poll until completed
-          while true; do
-            sleep 30
-            STATUS_BODY=$(curl -sS -H "$AUTH" "${CLAUDEBOX_URL}/session/${SESSION_ID}" 2>/dev/null || echo '{}')
-            STATUS=$(echo "$STATUS_BODY" | jq -r '.status // "unknown"')
-            echo "$(date -u +%H:%M:%S) status=$STATUS"
-            if [ "$STATUS" != "running" ]; then
-              EXIT_CODE=$(echo "$STATUS_BODY" | jq -r '.exit_code // 1')
-              echo "Review finished: status=$STATUS exit_code=$EXIT_CODE"
-              echo "Log: $LOG_URL"
-              # Don't fail the workflow on review errors — the review itself is informational
-              exit 0
-            fi
-          done
+          SESSION_ID=$(echo "$BODY" | jq -r '.session_id // empty')
+          echo "ClaudeBox v2 review session: ${CLAUDEBOX_URL}/v2/sessions/${SESSION_ID}"

.github/workflows/deploy-network.yml

@@ -294,7 +294,9 @@ jobs:
           gh workflow run claudebox.yml \
             -f prompt="$PROMPT" \
             -f link="${LINK:-$RUN_URL}" \
-            -f target_ref="${{ steps.checkout-ref.outputs.ref }}" || true
+            -f target_ref="${{ steps.checkout-ref.outputs.ref }}" \
+            -f slack_channel="$CHANNEL_ID" \
+            -f slack_thread_ts="$TS" || true
 
   update-irm:
     needs: deploy-network

barretenberg/cpp/pil/vm2/constants_gen.pil

@@ -15,7 +15,6 @@ namespace constants;
     pol MAX_L2_TO_L1_MSGS_PER_TX = 8;
     pol MAX_PACKED_PUBLIC_BYTECODE_SIZE_IN_FIELDS = 3000;
     pol MAX_PROTOCOL_CONTRACTS = 11;
-    pol CANONICAL_AUTH_REGISTRY_ADDRESS = 1;
     pol CONTRACT_INSTANCE_REGISTRY_CONTRACT_ADDRESS = 2;
     pol CONTRACT_CLASS_REGISTRY_CONTRACT_ADDRESS = 3;
     pol MULTI_CALL_ENTRYPOINT_ADDRESS = 4;

barretenberg/cpp/src/barretenberg/aztec/aztec_constants.hpp

@@ -21,7 +21,6 @@
 #define GENESIS_ARCHIVE_ROOT "0x177a4955b31ecaafad999753938a44e526b54c5ba5d536688227f85f15cfbdf5"
 #define MAX_PACKED_PUBLIC_BYTECODE_SIZE_IN_FIELDS 3000
 #define MAX_PROTOCOL_CONTRACTS 11
-#define CANONICAL_AUTH_REGISTRY_ADDRESS 1
 #define CONTRACT_INSTANCE_REGISTRY_CONTRACT_ADDRESS 2
 #define CONTRACT_CLASS_REGISTRY_CONTRACT_ADDRESS 3
 #define MULTI_CALL_ENTRYPOINT_ADDRESS 4
@@ -247,8 +246,7 @@
 #define AVM_EMITPUBLICLOG_DYN_DA_GAS 32
 #define AVM_SSTORE_DYN_DA_GAS 64
 #define AVM_WRITTEN_PUBLIC_DATA_SLOTS_TREE_HEIGHT 6
-#define AVM_WRITTEN_PUBLIC_DATA_SLOTS_TREE_INITIAL_ROOT                                                                \
-    "0x13954b76f8ab76c38ab687731f802fc90e5d55e0592fa6f56d0a73024b3f8356"
+#define AVM_WRITTEN_PUBLIC_DATA_SLOTS_TREE_INITIAL_ROOT "0x13954b76f8ab76c38ab687731f802fc90e5d55e0592fa6f56d0a73024b3f8356"
 #define AVM_WRITTEN_PUBLIC_DATA_SLOTS_TREE_INITIAL_SIZE 1
 #define AVM_RETRIEVED_BYTECODES_TREE_HEIGHT 5
 #define AVM_RETRIEVED_BYTECODES_TREE_INITIAL_ROOT "0x0ff65ad321f05745d4c80e2e18e94241093d2e49017ff8cc151df4f207a43c12"

boxes/boxes/react/src/contracts/src/main.nr

@@ -21,14 +21,14 @@ contract BoxReact {
         let new_number = FieldNote { value: number };
 
         self.storage.numbers.at(owner).initialize(new_number).deliver(
-            MessageDelivery.ONCHAIN_CONSTRAINED,
+            MessageDelivery::onchain_constrained(),
         );
     }
 
     #[external("private")]
     fn setNumber(number: Field, owner: AztecAddress) {
         self.storage.numbers.at(owner).replace(|_old| FieldNote { value: number }).deliver(
-            MessageDelivery.ONCHAIN_CONSTRAINED,
+            MessageDelivery::onchain_constrained(),
         );
     }