AztecProtocol
diff --git a/‎docs/docs-developers/docs/resources/migration_notes.md‎
Lines changed: 36 additions & 1 deletion b/‎docs/docs-developers/docs/resources/migration_notes.md‎
Lines changed: 36 additions & 1 deletion
diff --git a/‎noir-projects/aztec-nr/aztec/src/context/private_context.nr‎
Lines changed: 39 additions & 17 deletions b/‎noir-projects/aztec-nr/aztec/src/context/private_context.nr‎
Lines changed: 39 additions & 17 deletions
diff --git a/‎noir-projects/aztec-nr/aztec/src/context/public_context.nr‎
Lines changed: 17 additions & 3 deletions b/‎noir-projects/aztec-nr/aztec/src/context/public_context.nr‎
Lines changed: 17 additions & 3 deletions
diff --git a/‎noir-projects/aztec-nr/aztec/src/event/event_emission.nr‎
Lines changed: 8 additions & 14 deletions b/‎noir-projects/aztec-nr/aztec/src/event/event_emission.nr‎
Lines changed: 8 additions & 14 deletions
diff --git a/‎noir-projects/aztec-nr/aztec/src/messages/logs/partial_note.nr‎
Lines changed: 1 addition & 30 deletions b/‎noir-projects/aztec-nr/aztec/src/messages/logs/partial_note.nr‎
Lines changed: 1 addition & 30 deletions
diff --git a/‎noir-projects/aztec-nr/aztec/src/messages/logs/utils.nr‎
Lines changed: 14 additions & 33 deletions b/‎noir-projects/aztec-nr/aztec/src/messages/logs/utils.nr‎
Lines changed: 14 additions & 33 deletions
diff --git a/‎noir-projects/aztec-nr/aztec/src/messages/message_delivery.nr‎
Lines changed: 9 additions & 7 deletions b/‎noir-projects/aztec-nr/aztec/src/messages/message_delivery.nr‎
Lines changed: 9 additions & 7 deletions
@@ -9,6 +9,42 @@ Aztec is in active development. Each version may introduce breaking changes that
 
 ## TBD
 
+### [Aztec.nr] Domain-separated tags on log emission
+
+All logs emitted through the Aztec.nr framework now include a domain-separated tag at `fields[0]`. Each log category uses its own domain separator via `compute_log_tag(raw_tag, dom_sep)`:
+
+- **Events** (`DOM_SEP__EVENT_LOG_TAG`): the event type ID is the raw tag.
+- **Message delivery** (`DOM_SEP__UNCONSTRAINED_MSG_LOG_TAG`): the discovery tag is the raw tag.
+- **Partial note completion logs** (`DOM_SEP__NOTE_COMPLETION_LOG_TAG`): the partial note's `commitment` field is the raw tag.
+
+The low-level emit methods now take `tag` as an explicit first parameter and have been renamed with an `_unsafe` suffix. Previously the tag was included as `log[0]` — it has now been extracted into its own parameter, and `log` no longer contains it:
+
+```diff
+- context.emit_private_log(log, length);
++ context.emit_private_log_unsafe(tag, log, length);
+- context.emit_raw_note_log(log, length, note_hash_counter);
++ context.emit_raw_note_log_unsafe(tag, log, length, note_hash_counter);
+- context.emit_public_log(log);
++ context.emit_public_log_unsafe(tag, log);
+```
+
+Prefer the higher-level APIs (`emit` for events, `MessageDelivery` for messages) which handle tagging automatically.
+
+### [Aztec.nr] Public events no longer include the event type selector at the end of the payload
+
+`emit_event_in_public` previously appended the event type selector as the last field. It now prepends a domain-separated tag at `fields[0]` instead. The payload after the tag contains only the serialized event fields.
+
+If you were reading public event directly from node logs (i.e. via `node.getPublicLogs` and not via `wallet.getPublicEvents`), update your parsing:
+
+```diff
+- // Old: fields = [serialized_event..., event_type_selector]
+- const selector = EventSelector.fromField(fields[fields.length - 1]);
+- const event = decodeFromAbi([abiType], fields);
++ // New: fields = [domain_separated_tag, serialized_event...]
++ const eventFields = log.getEmittedFieldsWithoutTag();
++ const event = decodeFromAbi([abiType], eventFields);
+```
+
 ### [Aztec.nr] Capsule operations are now addressed by scope
 
 All capsule operations (`store`, `load`, `delete`, `copy`) and `CapsuleArray` now require a `scope: AztecAddress` parameter. This scopes capsule storage by address, providing isolation between different accounts within the same PXE.
@@ -62,7 +98,6 @@ The `CustomMessageHandler` function type now receives an additional `scope: Azte
 ```
 
 **Impact**: Contracts that implement a custom message handler must update the function signature.
-
 ### [aztec.js] `DeployMethod.send()` always returns `{ contract, receipt, instance }`
 
 The `returnReceipt` option in deploy wait options has been removed. `DeployMethod.send()` now always returns an object with `contract`, `receipt`, and `instance` at the top level, provided the user waits for the transaction to be included.
 
@@ -37,7 +37,7 @@ use crate::protocol::{
         MAX_KEY_VALIDATION_REQUESTS_PER_CALL, MAX_L2_TO_L1_MSGS_PER_CALL, MAX_NOTE_HASH_READ_REQUESTS_PER_CALL,
         MAX_NOTE_HASHES_PER_CALL, MAX_NULLIFIER_READ_REQUESTS_PER_CALL, MAX_NULLIFIERS_PER_CALL,
         MAX_PRIVATE_CALL_STACK_LENGTH_PER_CALL, MAX_PRIVATE_LOGS_PER_CALL, MAX_TX_LIFETIME,
-        NULL_MSG_SENDER_CONTRACT_ADDRESS, PRIVATE_LOG_SIZE_IN_FIELDS,
+        NULL_MSG_SENDER_CONTRACT_ADDRESS, PRIVATE_LOG_CIPHERTEXT_LEN,
     },
     hash::poseidon2_hash,
     messaging::l2_to_l1_message::L2ToL1Message,
@@ -878,22 +878,33 @@ impl PrivateContext {
     /// about _which_ function has been executed. A tx which leaks such information does not contribute to the privacy
     /// set of the network.
     ///
-    /// * Unlike `emit_raw_note_log`, this log is not tied to any specific note
+    /// * Unlike `emit_raw_note_log_unsafe`, this log is not tied to any specific note
     ///
     /// # Arguments
+    /// * `tag` - A tag placed at `fields[0]` of the emitted log. Used by recipients and nodes to identify and
+    /// filter for relevant logs without scanning all of them.
     /// * `log` - The log data that will be publicly broadcast (so make sure it's already been encrypted before you
-    /// call this function). Private logs are bounded in size (PRIVATE_LOG_SIZE_IN_FIELDS), to encourage all logs from
-    /// all smart contracts look identical.
-    /// * `length` - The actual length of the `log` (measured in number of Fields). Although the input log has a max
-    /// size of PRIVATE_LOG_SIZE_IN_FIELDS, the latter values of the array might all be 0's for small logs. This
-    /// `length` should reflect the trimmed length of the array. The protocol's kernel circuits can then append random
-    /// fields as "padding" after the `length`, so that the logs of this smart contract look indistinguishable from
-    /// (the same length as) the logs of all other applications. It's up to wallets how much padding to apply, so
-    /// ideally all wallets should agree on standards for this.
-    pub fn emit_private_log(&mut self, log: [Field; PRIVATE_LOG_SIZE_IN_FIELDS], length: u32) {
+    /// call this function). Private logs are bounded in size (`PRIVATE_LOG_CIPHERTEXT_LEN`), to encourage all logs
+    /// from all smart contracts look identical.
+    /// * `length` - The actual length of `log` (measured in number of Fields). Although the input log has a max
+    /// size of `PRIVATE_LOG_CIPHERTEXT_LEN`, the latter values of the array might all be 0's for small logs. This
+    /// `length` should reflect the trimmed length of the array. The protocol's kernel circuits can then append
+    /// random fields as "padding" after the `length`, so that the logs of this smart contract look
+    /// indistinguishable from (the same length as) the logs of all other applications. It's up to wallets how much
+    /// padding to apply, so ideally all wallets should agree on standards for this.
+    ///
+    /// ## Safety
+    ///
+    /// The `tag` should be domain-separated (e.g. via [`crate::protocol::hash::compute_log_tag`]) to prevent
+    /// collisions between logs from different sources. Without domain separation, two unrelated log types that
+    /// happen to share a raw tag value become indistinguishable. Prefer the higher-level APIs
+    /// ([`crate::messages::message_delivery::MessageDelivery`] for messages, `self.emit(event)` for events) which
+    /// handle tagging automatically.
+    pub fn emit_private_log_unsafe(&mut self, tag: Field, log: [Field; PRIVATE_LOG_CIPHERTEXT_LEN], length: u32) {
         let counter = self.next_counter();
-        let private_log = PrivateLogData { log: PrivateLog::new(log, length), note_hash_counter: 0 }.count(counter);
-        self.private_logs.push(private_log);
+        let full_log = [tag].concat(log);
+        self.private_logs.push(PrivateLogData { log: PrivateLog::new(full_log, length + 1), note_hash_counter: 0 }
+            .count(counter));
     }
 
     // TODO: rename.
@@ -903,20 +914,31 @@ impl PrivateContext {
     /// This linkage is important in case the note gets squashed (due to being read later in this same tx), since we
     /// can then squash the log as well.
     ///
-    /// See `emit_private_log` for more info about private log emission.
+    /// See `emit_private_log_unsafe` for more info about private log emission.
     ///
     /// # Arguments
+    /// * `tag` - A tag placed at `fields[0]`. See `emit_private_log_unsafe`.
     /// * `log` - The log data as an array of Field elements
     /// * `length` - The actual length of the `log` (measured in number of Fields).
     /// * `note_hash_counter` - The side-effect counter that was assigned to the new note_hash when it was pushed to
     /// this `PrivateContext`.
     ///
     /// Important: If your application logic requires the log to always be emitted regardless of note squashing,
-    /// consider using `emit_private_log` instead, or emitting additional events.
+    /// consider using `emit_private_log_unsafe` instead, or emitting additional events.
     ///
-    pub fn emit_raw_note_log(&mut self, log: [Field; PRIVATE_LOG_SIZE_IN_FIELDS], length: u32, note_hash_counter: u32) {
+    /// ## Safety
+    ///
+    /// Same as [`PrivateContext::emit_private_log_unsafe`]: the `tag` should be domain-separated.
+    pub fn emit_raw_note_log_unsafe(
+        &mut self,
+        tag: Field,
+        log: [Field; PRIVATE_LOG_CIPHERTEXT_LEN],
+        length: u32,
+        note_hash_counter: u32,
+    ) {
         let counter = self.next_counter();
-        let private_log = PrivateLogData { log: PrivateLog::new(log, length), note_hash_counter };
+        let full_log = [tag].concat(log);
+        let private_log = PrivateLogData { log: PrivateLog::new(full_log, length + 1), note_hash_counter };
         self.private_logs.push(private_log.count(counter));
     }
 
 
@@ -11,6 +11,7 @@ use crate::protocol::{
     address::{AztecAddress, EthAddress},
     constants::{MAX_U32_VALUE, NULL_MSG_SENDER_CONTRACT_ADDRESS},
     traits::{Empty, FromField, Packable, Serialize, ToField},
+    utils::writer::Writer,
 };
 
 /// # PublicContext
@@ -96,14 +97,27 @@ impl PublicContext {
     /// Emits a _public_ log that will be visible onchain to everyone.
     ///
     /// # Arguments
-    /// * `log` - The data to log, must implement Serialize trait
+    /// * `tag` - A tag placed at `fields[0]` of the emitted log. Nodes index logs by this value, allowing
+    /// clients to efficiently query for matching logs without scanning all of them.
+    /// * `log` - The data to log, must implement Serialize trait.
     ///
-    pub fn emit_public_log<T>(_self: Self, log: T)
+    /// ## Safety
+    ///
+    /// The `tag` should be domain-separated (e.g. via [`crate::protocol::hash::compute_log_tag`]) to prevent
+    /// collisions between logs from different sources. Without domain separation, two unrelated log types that
+    /// happen to share a raw tag value become indistinguishable. Prefer `self.emit(event)` for events, which
+    /// handles tagging automatically.
+    pub fn emit_public_log_unsafe<T>(_self: Self, tag: Field, log: T)
     where
         T: Serialize,
     {
+        // We use a Writer to serialize the log directly after the tag, avoiding an extra O(n) copy that would
+        // result from serializing first and then prepending the tag.
+        let mut writer: Writer<1 + <T as Serialize>::N> = Writer::new();
+        writer.write(tag);
+        Serialize::stream_serialize(log, &mut writer);
         // Safety: AVM opcodes are constrained by the AVM itself
-        unsafe { avm::emit_public_log(Serialize::serialize(log).as_vector()) };
+        unsafe { avm::emit_public_log(writer.finish().as_vector()) };
     }
 
     /// Checks if a given note hash exists in the note hash tree at a particular leaf_index.
 
@@ -3,7 +3,7 @@ use crate::{
     event::{event_interface::{compute_private_event_commitment, EventInterface}, EventMessage},
     oracle::random::random,
 };
-use crate::protocol::traits::{Serialize, ToField};
+use crate::protocol::{constants::DOM_SEP__EVENT_LOG_TAG, hash::compute_log_tag, traits::{Serialize, ToField}};
 
 /// An event that was emitted in the current contract call.
 pub struct NewEvent<Event> {
@@ -39,17 +39,11 @@ pub fn emit_event_in_public<Event>(context: PublicContext, event: Event)
 where
     Event: EventInterface + Serialize,
 {
-    let mut log_content = [0; <Event as Serialize>::N + 1];
-
-    let serialized_event = event.serialize();
-    for i in 0..serialized_event.len() {
-        log_content[i] = serialized_event[i];
-    }
-
-    // We put the selector in the "last" place, to avoid reading or assigning to an expression in an index
-    //
-    // TODO(F-224): change this order.
-    log_content[serialized_event.len()] = Event::get_event_type_id().to_field();
-
-    context.emit_public_log(log_content);
+    // We prepend a domain-separated tag derived from the event type ID so that clients can filter for specific
+    // events without scanning all public logs.
+    let log_tag = compute_log_tag(
+        Event::get_event_type_id().to_field(),
+        DOM_SEP__EVENT_LOG_TAG,
+    );
+    context.emit_public_log_unsafe(log_tag, event);
 }
@@ -1,18 +1,12 @@
 use crate::{
     messages::{
         encoding::{encode_message, MAX_MESSAGE_CONTENT_LEN, MESSAGE_EXPANDED_METADATA_LEN},
-        encryption::{aes128::AES128, message_encryption::MessageEncryption},
-        logs::utils::prefix_with_tag,
         msg_type::PARTIAL_NOTE_PRIVATE_MSG_TYPE_ID,
     },
     note::note_interface::NoteType,
     utils::array,
 };
-use crate::protocol::{
-    address::AztecAddress,
-    constants::PRIVATE_LOG_SIZE_IN_FIELDS,
-    traits::{FromField, Packable, ToField},
-};
+use crate::protocol::{address::AztecAddress, traits::{FromField, Packable, ToField}};
 
 /// The number of fields in a private note message content that are not the note's packed representation.
 pub(crate) global PARTIAL_NOTE_PRIVATE_MSG_PLAINTEXT_RESERVED_FIELDS_LEN: u32 = 3;
@@ -25,29 +19,6 @@ pub(crate) global PARTIAL_NOTE_PRIVATE_MSG_PLAINTEXT_NOTE_COMPLETION_LOG_TAG_IND
 pub global MAX_PARTIAL_NOTE_PRIVATE_PACKED_LEN: u32 =
     MAX_MESSAGE_CONTENT_LEN - PARTIAL_NOTE_PRIVATE_MSG_PLAINTEXT_RESERVED_FIELDS_LEN;
 
-// TODO(#16881): once partial notes support delivery via an offchain message we will most likely want to remove this.
-pub fn compute_partial_note_private_content_log<PartialNotePrivateContent>(
-    partial_note_private_content: PartialNotePrivateContent,
-    owner: AztecAddress,
-    randomness: Field,
-    recipient: AztecAddress,
-    note_completion_log_tag: Field,
-    contract_address: AztecAddress,
-) -> [Field; PRIVATE_LOG_SIZE_IN_FIELDS]
-where
-    PartialNotePrivateContent: NoteType + Packable,
-{
-    let message_plaintext = encode_partial_note_private_message(
-        partial_note_private_content,
-        owner,
-        randomness,
-        note_completion_log_tag,
-    );
-    let message_ciphertext = AES128::encrypt(message_plaintext, recipient, contract_address);
-
-    prefix_with_tag(message_ciphertext, recipient)
-}
-
 /// Creates the plaintext for a partial note private message (i.e. one of type [`PARTIAL_NOTE_PRIVATE_MSG_TYPE_ID`]).
 ///
 /// This plaintext is meant to be decoded via [`decode_partial_note_private_message`].
 
@@ -2,63 +2,44 @@ use crate::oracle::notes::{get_next_app_tag_as_sender, get_sender_for_tags};
 use crate::protocol::address::AztecAddress;
 
 // TODO(#14565): Add constrained tagging
-pub(crate) fn prefix_with_tag<let L: u32>(log_without_tag: [Field; L], recipient: AztecAddress) -> [Field; L + 1] {
+/// Returns the next discovery tag for a private log sent to `recipient`.
+///
+/// Private logs are encrypted, so the recipient cannot tell which logs are meant for it just by looking at them.
+/// To solve this, sender and recipient derive a shared secret from their keys, and from that secret they produce a
+/// sequence of one-time tags (tag_0, tag_1, ...). The recipient scans for these tags because it can compute the same
+/// sequence. This function returns the next raw (not domain-separated) tag in the sequence.
+pub(crate) fn compute_discovery_tag(recipient: AztecAddress) -> Field {
     // Safety: we assume that the sender wants for the recipient to find the tagged note, and therefore that they will
     // cooperate and use the correct tag. Usage of a bad tag will result in the recipient not being able to find the
     // note automatically.
-    let tag = unsafe {
+    unsafe {
         let sender = get_sender_for_tags().expect(
             f"Sender for tags is not set when emitting a private log. Set it by calling `set_sender_for_tags(...)`.",
         );
         get_next_app_tag_as_sender(sender, recipient)
-    };
-
-    let mut log_with_tag = [0; L + 1];
-
-    log_with_tag[0] = tag;
-    for i in 0..log_without_tag.len() {
-        log_with_tag[i + 1] = log_without_tag[i];
     }
-
-    log_with_tag
 }
 
 mod test {
     use crate::protocol::{address::AztecAddress, traits::FromField};
-    use super::prefix_with_tag;
+    use super::compute_discovery_tag;
     use std::test::OracleMock;
 
-    #[test(should_fail)]
+    #[test(should_fail_with = "Sender for tags is not set")]
     unconstrained fn no_tag_sender() {
         let recipient = AztecAddress::from_field(2);
-
-        let expected_tag = 42;
-
-        // Mock the tagging oracles - note aztec_prv_getSenderForTags returns none
         let _ = OracleMock::mock("aztec_prv_getSenderForTags").returns(Option::<AztecAddress>::none());
-        let _ = OracleMock::mock("aztec_prv_getNextAppTagAsSender").returns(expected_tag);
-
-        let log_without_tag = [1, 2, 3];
-        let _ = prefix_with_tag(log_without_tag, recipient);
+        let _ = OracleMock::mock("aztec_prv_getNextAppTagAsSender").returns(42);
+        let _ = compute_discovery_tag(recipient);
     }
 
     #[test]
-    unconstrained fn prefixing_with_tag() {
+    unconstrained fn returns_oracle_tag() {
         let sender = AztecAddress::from_field(1);
         let recipient = AztecAddress::from_field(2);
-
         let expected_tag = 42;
-
-        // Mock the tagging oracles
         let _ = OracleMock::mock("aztec_prv_getSenderForTags").returns(Option::some(sender));
         let _ = OracleMock::mock("aztec_prv_getNextAppTagAsSender").returns(expected_tag);
-
-        let log_without_tag = [1, 2, 3];
-        let log_with_tag = prefix_with_tag(log_without_tag, recipient);
-
-        let expected_result = [expected_tag, 1, 2, 3];
-
-        // Check tag was prefixed correctly
-        assert_eq(log_with_tag, expected_result, "Tag was not prefixed correctly");
+        assert_eq(compute_discovery_tag(recipient), expected_tag);
     }
 }
@@ -2,12 +2,12 @@ use crate::{
     context::PrivateContext,
     messages::{
         encryption::{aes128::AES128, message_encryption::MessageEncryption},
-        logs::utils::prefix_with_tag,
+        logs::utils::compute_discovery_tag,
         offchain_messages::deliver_offchain_message,
     },
     utils::remove_constraints::remove_constraints_if,
 };
-use crate::protocol::address::AztecAddress;
+use crate::protocol::{address::AztecAddress, constants::DOM_SEP__UNCONSTRAINED_MSG_LOG_TAG, hash::compute_log_tag};
 
 /// Placeholder struct until Noir adds `enum` support.
 ///
@@ -219,9 +219,11 @@ pub fn do_private_message_delivery<Env, let MESSAGE_PLAINTEXT_LEN: u32>(
     if deliver_as_offchain_message {
         deliver_offchain_message(ciphertext, recipient);
     } else {
-        // Safety: Currently unsafe. See description of ONCHAIN_CONSTRAINED in MessageDeliveryEnum. TODO(#14565):
-        // Implement proper constrained tag prefixing to make this truly ONCHAIN_CONSTRAINED
-        let log_content = prefix_with_tag(ciphertext, recipient);
+        // TODO(#14565): constrained tagging is not yet implemented. Both modes currently use the unconstrained
+        // domain separator because the discovery tag always comes from an oracle. Once constrained tagging lands,
+        // this should branch on `constrained_tagging` to select the appropriate separator.
+        let discovery_tag = compute_discovery_tag(recipient);
+        let log_tag = compute_log_tag(discovery_tag, DOM_SEP__UNCONSTRAINED_MSG_LOG_TAG);
 
         // We forbid this value not being constant to avoid predicating the context calls below, which might result in
         // the context's arrays having unknown compile time write indices and hence dramatically increasing constraints
@@ -235,9 +237,9 @@ pub fn do_private_message_delivery<Env, let MESSAGE_PLAINTEXT_LEN: u32>(
             //
             // Note that the log always has the same length regardless of `MESSAGE_PLAINTEXT_LEN`, because all message
             // ciphertexts also have the same length. This prevents accidental privacy leakage via the log length.
-            context.emit_raw_note_log(log_content, log_content.len(), maybe_note_hash_counter.unwrap());
+            context.emit_raw_note_log_unsafe(log_tag, ciphertext, ciphertext.len(), maybe_note_hash_counter.unwrap());
         } else {
-            context.emit_private_log(log_content, log_content.len());
+            context.emit_private_log_unsafe(log_tag, ciphertext, ciphertext.len());
         }
     }
 }