AztecProtocol
diff --git a/‎barretenberg/cpp/pil/vm2/constants_gen.pil‎
Lines changed: 0 additions & 1 deletion b/‎barretenberg/cpp/pil/vm2/constants_gen.pil‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎barretenberg/cpp/src/barretenberg/aztec/aztec_constants.hpp‎
Lines changed: 0 additions & 1 deletion b/‎barretenberg/cpp/src/barretenberg/aztec/aztec_constants.hpp‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎docs/docs-developers/docs/foundational-topics/transactions.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/docs-developers/docs/foundational-topics/transactions.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/docs-developers/docs/resources/migration_notes.md‎
Lines changed: 23 additions & 0 deletions b/‎docs/docs-developers/docs/resources/migration_notes.md‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎noir-projects/aztec-nr/aztec/src/authwit/auth.nr‎
Lines changed: 5 additions & 6 deletions b/‎noir-projects/aztec-nr/aztec/src/authwit/auth.nr‎
Lines changed: 5 additions & 6 deletions
diff --git a/‎noir-projects/aztec-nr/aztec/src/lib.nr‎
Lines changed: 1 addition & 0 deletions b/‎noir-projects/aztec-nr/aztec/src/lib.nr‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎noir-projects/aztec-nr/aztec/src/standard_addresses.nr‎
Lines changed: 6 additions & 0 deletions b/‎noir-projects/aztec-nr/aztec/src/standard_addresses.nr‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎noir-projects/aztec-nr/aztec/src/test/helpers/authwit.nr‎
Lines changed: 3 additions & 5 deletions b/‎noir-projects/aztec-nr/aztec/src/test/helpers/authwit.nr‎
Lines changed: 3 additions & 5 deletions
diff --git a/‎noir-projects/noir-contracts/Nargo.toml‎
Lines changed: 1 addition & 1 deletion b/‎noir-projects/noir-contracts/Nargo.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎noir-projects/noir-contracts/contracts/protocol/aztec_sublib/src/authwit/auth.nr‎
Lines changed: 5 additions & 7 deletions b/‎noir-projects/noir-contracts/contracts/protocol/aztec_sublib/src/authwit/auth.nr‎
Lines changed: 5 additions & 7 deletions
@@ -15,7 +15,6 @@ namespace constants;
     pol MAX_L2_TO_L1_MSGS_PER_TX = 8;
     pol MAX_PACKED_PUBLIC_BYTECODE_SIZE_IN_FIELDS = 3000;
     pol MAX_PROTOCOL_CONTRACTS = 11;
-    pol CANONICAL_AUTH_REGISTRY_ADDRESS = 1;
     pol CONTRACT_INSTANCE_REGISTRY_CONTRACT_ADDRESS = 2;
     pol CONTRACT_CLASS_REGISTRY_CONTRACT_ADDRESS = 3;
     pol MULTI_CALL_ENTRYPOINT_ADDRESS = 4;
 
@@ -21,7 +21,6 @@
 #define GENESIS_ARCHIVE_ROOT "0x177a4955b31ecaafad999753938a44e526b54c5ba5d536688227f85f15cfbdf5"
 #define MAX_PACKED_PUBLIC_BYTECODE_SIZE_IN_FIELDS 3000
 #define MAX_PROTOCOL_CONTRACTS 11
-#define CANONICAL_AUTH_REGISTRY_ADDRESS 1
 #define CONTRACT_INSTANCE_REGISTRY_CONTRACT_ADDRESS 2
 #define CONTRACT_CLASS_REGISTRY_CONTRACT_ADDRESS 3
 #define MULTI_CALL_ENTRYPOINT_ADDRESS 4
 
@@ -120,7 +120,7 @@ The setup phase runs before the user's application logic. Fee-related bookkeepin
 - The fee payer is nominated via a call to the protocol's `set_as_fee_payer()` function. An FPC typically calls this in its entrypoint; a user paying directly with Fee Juice does it implicitly via the default entrypoint.
 - `end_setup()` is called to mark the boundary between the non-revertible and revertible phases. Everything committed before `end_setup()` stands regardless of whether later phases revert.
 
-Because the setup phase is non-revertible, the protocol restricts which public function calls are allowed during it. The default allowlist permits only protocol-contract setup functions (for example those on `AuthRegistry` and `FeeJuice`); in v4.2.0, public token functions such as `transfer_in_public` and `_increase_public_balance` were removed from it. See the [migration note](../resources/migration_notes.md#custom-token-fpcs-removed-from-default-public-setup-allowlist) for details.
+Because the setup phase is non-revertible, the protocol restricts which public function calls are allowed during it. The default allowlist permits a small set of trusted setup functions (for example those on `AuthRegistry` and `FeeJuice`); in v4.2.0, public token functions such as `transfer_in_public` and `_increase_public_balance` were removed from it. See the [migration note](../resources/migration_notes.md#custom-token-fpcs-removed-from-default-public-setup-allowlist) for details.
 
 Practical consequences:
 
 
@@ -39,6 +39,29 @@ Aztec is in active development. Each version may introduce breaking changes that
 ```
 
 **Impact**: Code importing or referencing `ExtendedDirectionalAppTaggingSecret` should update to `AppTaggingSecret`.
+
+### [Aztec.nr] `auth_registry` demoted from protocol contract
+
+`auth_registry` is no longer a protocol contract. Its address is now derived from its artifact rather than hardcoded at `1`. The aztec-nr constant has moved and been renamed:
+
+```diff
+- use protocol_types::constants::CANONICAL_AUTH_REGISTRY_ADDRESS;
++ use crate::standard_addresses::STANDARD_AUTH_REGISTRY_ADDRESS;
+```
+
+PXE no longer auto-registers `AuthRegistry` on startup. If your wallet needs it, register it explicitly (as the `EmbeddedWallet` entrypoints do):
+
+```ts
+import { getStandardAuthRegistry } from '@aztec/standard-contracts/auth-registry';
+
+const { instance, artifact } = await getStandardAuthRegistry();
+await pxe.registerContract({ instance, artifact });
+```
+
+For browser bundles, import from `@aztec/standard-contracts/auth-registry/lazy` instead.
+
+Deploy `AuthRegistry` once per fresh rollup: `aztec-wallet deploy auth_registry_contract@AuthRegistry --salt 1 --universal -f <fee-paying-account>`.
+
 ### [Aztec.nr] `public_checks` helpers moved to `aztec-nr`
 
 The `privately_check_timestamp`, `privately_check_block_number`, and related caller helpers previously in `noir-contracts/contracts/protocol/public_checks_contract/src/utils.nr` are now in `aztec-nr/aztec/src/public_checks.nr`. Consumer contracts should update their imports:
 
@@ -8,12 +8,11 @@ use crate::{
 use crate::protocol::{
     abis::function_selector::FunctionSelector,
     address::AztecAddress,
-    constants::{
-        CANONICAL_AUTH_REGISTRY_ADDRESS, DOM_SEP__AUTHWIT_INNER, DOM_SEP__AUTHWIT_NULLIFIER, DOM_SEP__AUTHWIT_OUTER,
-    },
+    constants::{DOM_SEP__AUTHWIT_INNER, DOM_SEP__AUTHWIT_NULLIFIER, DOM_SEP__AUTHWIT_OUTER},
     hash::poseidon2_hash_with_separator,
     traits::{Serialize, ToField},
 };
+use crate::standard_addresses::STANDARD_AUTH_REGISTRY_ADDRESS;
 
 /// Authentication witness helper library
 ///
@@ -318,7 +317,7 @@ pub unconstrained fn assert_inner_hash_valid_authwit_public(
     inner_hash: Field,
 ) {
     let results: [Field] = context.call_public_function(
-        CANONICAL_AUTH_REGISTRY_ADDRESS,
+        STANDARD_AUTH_REGISTRY_ADDRESS,
         comptime { FunctionSelector::from_signature("consume((Field),Field)") },
         [on_behalf_of.to_field(), inner_hash],
         GasOpts::default(),
@@ -399,7 +398,7 @@ pub fn compute_authwit_message_hash(
 /// false if it should be revoked
 pub unconstrained fn set_authorized(context: PublicContext, message_hash: Field, authorize: bool) {
     let res = context.call_public_function(
-        CANONICAL_AUTH_REGISTRY_ADDRESS,
+        STANDARD_AUTH_REGISTRY_ADDRESS,
         comptime { FunctionSelector::from_signature("set_authorized(Field,bool)") },
         [message_hash, authorize as Field],
         GasOpts::default(),
@@ -414,7 +413,7 @@ pub unconstrained fn set_authorized(context: PublicContext, message_hash: Field,
 /// @param reject True if all authwits should be rejected, false otherwise
 pub unconstrained fn set_reject_all(context: PublicContext, reject: bool) {
     let res = context.call_public_function(
-        CANONICAL_AUTH_REGISTRY_ADDRESS,
+        STANDARD_AUTH_REGISTRY_ADDRESS,
         comptime { FunctionSelector::from_signature("set_reject_all(bool)") },
         [reject as Field],
         GasOpts::default(),
 
@@ -48,5 +48,6 @@ pub mod utils;
 pub mod authwit;
 pub mod public_checks;
 pub mod macros;
+pub mod standard_addresses;
 
 pub mod test;
@@ -0,0 +1,6 @@
+// GENERATED FILE - DO NOT EDIT. RUN `yarn workspace @aztec/standard-contracts run generate`.
+use protocol_types::{address::AztecAddress, traits::FromField};
+
+pub global STANDARD_AUTH_REGISTRY_ADDRESS: AztecAddress = AztecAddress::from_field(
+    0x10ee94aaade35b40c82ec78d87269e55c39aa874ce585866ae43207da8c09c0e,
+);
@@ -5,10 +5,8 @@ use crate::{
     test::helpers::{test_environment::TestEnvironment, txe_oracles},
 };
 
-use crate::protocol::{
-    abis::function_selector::FunctionSelector, address::AztecAddress, constants::CANONICAL_AUTH_REGISTRY_ADDRESS,
-    traits::ToField,
-};
+use crate::protocol::{abis::function_selector::FunctionSelector, address::AztecAddress, traits::ToField};
+use crate::standard_addresses::STANDARD_AUTH_REGISTRY_ADDRESS;
 
 pub unconstrained fn add_private_authwit_from_call<let M: u32, let N: u32, T>(
     env: TestEnvironment,
@@ -48,7 +46,7 @@ pub unconstrained fn add_public_authwit_from_call<let M: u32, let N: u32, T>(
     env.call_public(
         on_behalf_of,
         PublicCall::<_, _, ()>::new(
-            CANONICAL_AUTH_REGISTRY_ADDRESS,
+            STANDARD_AUTH_REGISTRY_ADDRESS,
             comptime { FunctionSelector::from_signature("set_authorized(Field,bool)") },
             "set_authorized",
             [message_hash, true as Field],
 
@@ -27,7 +27,7 @@ members = [
     "contracts/fees/fpc_contract",
     "contracts/fees/sponsored_fpc_contract",
     "contracts/message_discovery/handshake_registry_contract",
-    "contracts/protocol/auth_registry_contract",
+    "contracts/standard/auth_registry_contract",
     "contracts/protocol/contract_class_registry_contract",
     "contracts/protocol/contract_instance_registry_contract",
     "contracts/protocol/fee_juice_contract",
 
@@ -2,13 +2,11 @@ use crate::context::{gas::GasOpts, PrivateContext, PublicContext};
 use crate::protocol::{
     abis::function_selector::FunctionSelector,
     address::AztecAddress,
-    constants::{
-        CANONICAL_AUTH_REGISTRY_ADDRESS, DOM_SEP__AUTHWIT_INNER, DOM_SEP__AUTHWIT_NULLIFIER,
-        DOM_SEP__AUTHWIT_OUTER,
-    },
+    constants::{DOM_SEP__AUTHWIT_INNER, DOM_SEP__AUTHWIT_NULLIFIER, DOM_SEP__AUTHWIT_OUTER},
     hash::poseidon2_hash_with_separator,
     traits::ToField,
 };
+use crate::standard_addresses::STANDARD_AUTH_REGISTRY_ADDRESS;
 
 /// Success indicator for authwit - 4 last bytes of poseidon2_hash_bytes("IS_VALID()")
 pub global IS_VALID_SELECTOR: Field = 0x47dacd73;
@@ -78,7 +76,7 @@ pub unconstrained fn assert_inner_hash_valid_authwit_public(
     inner_hash: Field,
 ) {
     let results: [Field] = context.call_public_function(
-        CANONICAL_AUTH_REGISTRY_ADDRESS,
+        STANDARD_AUTH_REGISTRY_ADDRESS,
         comptime { FunctionSelector::from_signature("consume((Field),Field)") },
         [on_behalf_of.to_field(), inner_hash],
         GasOpts::default(),
@@ -129,7 +127,7 @@ pub fn compute_authwit_message_hash(
 /// @param authorize True if the message should be authorized, false if it should be revoked
 pub unconstrained fn set_authorized(context: PublicContext, message_hash: Field, authorize: bool) {
     let res = context.call_public_function(
-        CANONICAL_AUTH_REGISTRY_ADDRESS,
+        STANDARD_AUTH_REGISTRY_ADDRESS,
         comptime { FunctionSelector::from_signature("set_authorized(Field,bool)") },
         [message_hash, authorize as Field],
         GasOpts::default(),
@@ -142,7 +140,7 @@ pub unconstrained fn set_authorized(context: PublicContext, message_hash: Field,
 /// @param reject True if all authwits should be rejected, false otherwise
 pub unconstrained fn set_reject_all(context: PublicContext, reject: bool) {
     let res = context.call_public_function(
-        CANONICAL_AUTH_REGISTRY_ADDRESS,
+        STANDARD_AUTH_REGISTRY_ADDRESS,
         comptime { FunctionSelector::from_signature("set_reject_all(bool)") },
         [reject as Field],
         GasOpts::default(),