AztecProtocol
diff --git a/‎yarn-project/.prettierignore‎
Lines changed: 1 addition & 0 deletions b/‎yarn-project/.prettierignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎yarn-project/standard-contracts/src/auth-registry/pinned/AuthRegistry.artifact.json‎
Lines changed: 1 addition & 0 deletions b/‎yarn-project/standard-contracts/src/auth-registry/pinned/AuthRegistry.artifact.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎yarn-project/standard-contracts/src/auth-registry/reproducibility.test.ts‎
Lines changed: 34 additions & 0 deletions b/‎yarn-project/standard-contracts/src/auth-registry/reproducibility.test.ts‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎yarn-project/standard-contracts/src/multi-call-entrypoint/pinned/MultiCallEntrypoint.artifact.json‎
Lines changed: 1 addition & 0 deletions b/‎yarn-project/standard-contracts/src/multi-call-entrypoint/pinned/MultiCallEntrypoint.artifact.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎yarn-project/standard-contracts/src/multi-call-entrypoint/reproducibility.test.ts‎
Lines changed: 34 additions & 0 deletions b/‎yarn-project/standard-contracts/src/multi-call-entrypoint/reproducibility.test.ts‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎yarn-project/standard-contracts/src/public-checks/pinned/PublicChecks.artifact.json‎
Lines changed: 1 addition & 0 deletions b/‎yarn-project/standard-contracts/src/public-checks/pinned/PublicChecks.artifact.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎yarn-project/standard-contracts/src/public-checks/reproducibility.test.ts‎
Lines changed: 34 additions & 0 deletions b/‎yarn-project/standard-contracts/src/public-checks/reproducibility.test.ts‎
Lines changed: 34 additions & 0 deletions
@@ -5,6 +5,7 @@ noir-contracts.js/**/*.json
 noir-contracts.js/src
 noir-test-contracts.js/**/*.json
 noir-test-contracts.js/src
+standard-contracts/src/**/pinned/*.json
 noir-protocol-circuits-types/src/target/*
 *.md
 end-to-end/src/fixtures/dumps/*.json
 
@@ -0,0 +1,34 @@
+// Release-branch reproducibility gate for the auth_registry contract.
+//
+// Symmetric to the freshness gate in `derive_auth_registry.test.ts`: that test asserts the
+// committed `.nr` stamp / TS twin stay aligned with the freshly-built artifact. This test goes
+// one level further and pins the *full artifact JSON* so a release branch can detect any
+// unintended bytecode drift between the pinned release artifact and the current build output.
+//
+// TODO: enable on release branches. Run manually with:
+//   yarn workspace @aztec/standard-contracts test src/auth-registry/reproducibility.test.ts
+// and then drop the `it.skip` once the release branch is cut.
+import { createHash } from 'node:crypto';
+import { promises as fs } from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+import { ARTIFACT_PATH } from './derive_auth_registry.js';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const PINNED_ARTIFACT_PATH = path.join(__dirname, 'pinned/AuthRegistry.artifact.json');
+
+const REGEN_HINT =
+  'auth_registry pinned artifact is stale; if this drift is intentional on a release branch, copy ' +
+  `${ARTIFACT_PATH} over ${PINNED_ARTIFACT_PATH} and commit the result.`;
+
+describe('auth_registry artifact reproducibility', () => {
+  it.skip('committed pinned artifact matches the freshly-built artifact byte-for-byte', async () => {
+    const [pinned, fresh] = await Promise.all([fs.readFile(PINNED_ARTIFACT_PATH), fs.readFile(ARTIFACT_PATH)]);
+    const pinnedHash = createHash('sha256').update(pinned).digest('hex');
+    const freshHash = createHash('sha256').update(fresh).digest('hex');
+    if (pinnedHash !== freshHash) {
+      throw new Error(`${REGEN_HINT}\n  pinned sha256 = ${pinnedHash}\n  fresh  sha256 = ${freshHash}`);
+    }
+  });
+});
@@ -0,0 +1,34 @@
+// Release-branch reproducibility gate for the multi_call_entrypoint contract.
+//
+// Symmetric to the freshness gate in `derive_multi_call_entrypoint.test.ts`: that test asserts
+// the committed TS twin stays aligned with the freshly-built artifact. This test goes one level
+// further and pins the *full artifact JSON* so a release branch can detect any unintended
+// bytecode drift between the pinned release artifact and the current build output.
+//
+// TODO: enable on release branches. Run manually with:
+//   yarn workspace @aztec/standard-contracts test src/multi-call-entrypoint/reproducibility.test.ts
+// and then drop the `it.skip` once the release branch is cut.
+import { createHash } from 'node:crypto';
+import { promises as fs } from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+import { ARTIFACT_PATH } from './derive_multi_call_entrypoint.js';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const PINNED_ARTIFACT_PATH = path.join(__dirname, 'pinned/MultiCallEntrypoint.artifact.json');
+
+const REGEN_HINT =
+  'multi_call_entrypoint pinned artifact is stale; if this drift is intentional on a release branch, copy ' +
+  `${ARTIFACT_PATH} over ${PINNED_ARTIFACT_PATH} and commit the result.`;
+
+describe('multi_call_entrypoint artifact reproducibility', () => {
+  it.skip('committed pinned artifact matches the freshly-built artifact byte-for-byte', async () => {
+    const [pinned, fresh] = await Promise.all([fs.readFile(PINNED_ARTIFACT_PATH), fs.readFile(ARTIFACT_PATH)]);
+    const pinnedHash = createHash('sha256').update(pinned).digest('hex');
+    const freshHash = createHash('sha256').update(fresh).digest('hex');
+    if (pinnedHash !== freshHash) {
+      throw new Error(`${REGEN_HINT}\n  pinned sha256 = ${pinnedHash}\n  fresh  sha256 = ${freshHash}`);
+    }
+  });
+});
@@ -0,0 +1,34 @@
+// Release-branch reproducibility gate for the public_checks contract.
+//
+// Symmetric to the freshness gate in `derive_public_checks.test.ts`: that test asserts the
+// committed `.nr` stamp / TS twin stay aligned with the freshly-built artifact. This test goes
+// one level further and pins the *full artifact JSON* so a release branch can detect any
+// unintended bytecode drift between the pinned release artifact and the current build output.
+//
+// TODO: enable on release branches. Run manually with:
+//   yarn workspace @aztec/standard-contracts test src/public-checks/reproducibility.test.ts
+// and then drop the `it.skip` once the release branch is cut.
+import { createHash } from 'node:crypto';
+import { promises as fs } from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+import { ARTIFACT_PATH } from './derive_public_checks.js';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const PINNED_ARTIFACT_PATH = path.join(__dirname, 'pinned/PublicChecks.artifact.json');
+
+const REGEN_HINT =
+  'public_checks pinned artifact is stale; if this drift is intentional on a release branch, copy ' +
+  `${ARTIFACT_PATH} over ${PINNED_ARTIFACT_PATH} and commit the result.`;
+
+describe('public_checks artifact reproducibility', () => {
+  it.skip('committed pinned artifact matches the freshly-built artifact byte-for-byte', async () => {
+    const [pinned, fresh] = await Promise.all([fs.readFile(PINNED_ARTIFACT_PATH), fs.readFile(ARTIFACT_PATH)]);
+    const pinnedHash = createHash('sha256').update(pinned).digest('hex');
+    const freshHash = createHash('sha256').update(fresh).digest('hex');
+    if (pinnedHash !== freshHash) {
+      throw new Error(`${REGEN_HINT}\n  pinned sha256 = ${pinnedHash}\n  fresh  sha256 = ${freshHash}`);
+    }
+  });
+});