feat(authwit): introduce hand-written AuthRegistryInterface for public flow

dbanks12 · dbanks12 · commit dc5e0e60de67 · 2026-05-13T21:14:43.000Z
diff --git a/noir-projects/aztec-nr/aztec/src/authwit/auth_registry_interface.nr b/noir-projects/aztec-nr/aztec/src/authwit/auth_registry_interface.nr
@@ -0,0 +1,86 @@
+use crate::context::calls::{PublicCall, PublicStaticCall};
+use crate::protocol::{abis::function_selector::FunctionSelector, address::AztecAddress, traits::ToField};
+
+/// Hand-written interface stub for the `AuthRegistry` canonical contract.
+///
+/// The `AuthRegistry` contract records public authentication witnesses
+/// (`set_authorized`, `set_reject_all`) and atomically consumes them at
+/// the consumer (`consume`). Consumer code in aztec-nr's `authwit::public`
+/// module calls into the registry via this interface.
+///
+/// The selectors are derived with `comptime { FunctionSelector::from_signature(...) }`,
+/// which matches exactly what the `#[aztec]` macro generates for the real contract.
+pub struct AuthRegistryInterface {
+    pub target_contract: AztecAddress,
+}
+
+impl AuthRegistryInterface {
+    pub fn at(target_contract: AztecAddress) -> Self {
+        Self { target_contract }
+    }
+
+    pub fn _set_authorized(
+        self,
+        approver: AztecAddress,
+        message_hash: Field,
+        authorize: bool,
+    ) -> PublicCall<15, 3, ()> {
+        let selector = comptime { FunctionSelector::from_signature("_set_authorized((Field),Field,bool)") };
+        PublicCall::new(
+            self.target_contract,
+            selector,
+            "_set_authorized",
+            [approver.to_field(), message_hash, authorize as Field],
+        )
+    }
+
+    pub fn consume(self, on_behalf_of: AztecAddress, inner_hash: Field) -> PublicCall<7, 2, Field> {
+        let selector = comptime { FunctionSelector::from_signature("consume((Field),Field)") };
+        PublicCall::new(
+            self.target_contract,
+            selector,
+            "consume",
+            [on_behalf_of.to_field(), inner_hash],
+        )
+    }
+
+    pub fn is_consumable(self, on_behalf_of: AztecAddress, message_hash: Field) -> PublicStaticCall<13, 2, bool> {
+        let selector = comptime { FunctionSelector::from_signature("is_consumable((Field),Field)") };
+        PublicStaticCall::new(
+            self.target_contract,
+            selector,
+            "is_consumable",
+            [on_behalf_of.to_field(), message_hash],
+        )
+    }
+
+    pub fn is_reject_all(self, on_behalf_of: AztecAddress) -> PublicStaticCall<13, 1, bool> {
+        let selector = comptime { FunctionSelector::from_signature("is_reject_all((Field))") };
+        PublicStaticCall::new(
+            self.target_contract,
+            selector,
+            "is_reject_all",
+            [on_behalf_of.to_field()],
+        )
+    }
+
+    pub fn set_authorized(self, message_hash: Field, authorize: bool) -> PublicCall<14, 2, ()> {
+        let selector = comptime { FunctionSelector::from_signature("set_authorized(Field,bool)") };
+        PublicCall::new(
+            self.target_contract,
+            selector,
+            "set_authorized",
+            [message_hash, authorize as Field],
+        )
+    }
+
+    pub fn set_reject_all(self, reject: bool) -> PublicCall<14, 1, ()> {
+        let selector = comptime { FunctionSelector::from_signature("set_reject_all(bool)") };
+        PublicCall::new(
+            self.target_contract,
+            selector,
+            "set_reject_all",
+            [reject as Field],
+        )
+    }
+}
diff --git a/noir-projects/aztec-nr/aztec/src/authwit/mod.nr b/noir-projects/aztec-nr/aztec/src/authwit/mod.nr
@@ -1,6 +1,7 @@
 //! Authorization.
 
 pub mod account;
+pub mod auth_registry_interface;
 pub mod authorization_interface;
 mod authorization_selector;
 pub use authorization_selector::AuthorizationSelector;
diff --git a/noir-projects/aztec-nr/aztec/src/authwit/public.nr b/noir-projects/aztec-nr/aztec/src/authwit/public.nr
@@ -1,5 +1,7 @@
-use crate::{authwit::utils::{compute_inner_authwit_hash, IS_VALID_SELECTOR}, context::{gas::GasOpts, PublicContext}};
-use crate::protocol::{abis::function_selector::FunctionSelector, address::AztecAddress, traits::ToField};
+use crate::authwit::auth_registry_interface::AuthRegistryInterface;
+use crate::authwit::utils::{compute_inner_authwit_hash, IS_VALID_SELECTOR};
+use crate::context::PublicContext;
+use crate::protocol::{address::AztecAddress, traits::ToField};
 use standard_addresses::AUTH_REGISTRY_ADDRESS;
 
 /// Public-flow authwit helpers.
@@ -86,14 +88,8 @@ pub unconstrained fn assert_inner_hash_valid_authwit_public(
     on_behalf_of: AztecAddress,
     inner_hash: Field,
 ) {
-    let results: [Field] = context.call_public_function(
-        AUTH_REGISTRY_ADDRESS,
-        comptime { FunctionSelector::from_signature("consume((Field),Field)") },
-        [on_behalf_of.to_field(), inner_hash],
-        GasOpts::default(),
-    );
-    assert(results.len() == 1, "Invalid response from registry");
-    assert(results[0] == IS_VALID_SELECTOR, "Message not authorized by account");
+    let result = AuthRegistryInterface::at(AUTH_REGISTRY_ADDRESS).consume(on_behalf_of, inner_hash).call(context);
+    assert(result == IS_VALID_SELECTOR, "Message not authorized by account");
 }
 
 /// Helper function to set the authorization status of a message hash
@@ -103,13 +99,7 @@ pub unconstrained fn assert_inner_hash_valid_authwit_public(
 /// @param message_hash The hash of the message to authorize @param authorize True if the message should be authorized,
 /// false if it should be revoked
 pub unconstrained fn set_authorized(context: PublicContext, message_hash: Field, authorize: bool) {
-    let res = context.call_public_function(
-        AUTH_REGISTRY_ADDRESS,
-        comptime { FunctionSelector::from_signature("set_authorized(Field,bool)") },
-        [message_hash, authorize as Field],
-        GasOpts::default(),
-    );
-    assert(res.len() == 0);
+    AuthRegistryInterface::at(AUTH_REGISTRY_ADDRESS).set_authorized(message_hash, authorize).call(context);
 }
 
 /// Helper function to reject all authwits
@@ -118,11 +108,5 @@ pub unconstrained fn set_authorized(context: PublicContext, message_hash: Field,
 ///
 /// @param reject True if all authwits should be rejected, false otherwise
 pub unconstrained fn set_reject_all(context: PublicContext, reject: bool) {
-    let res = context.call_public_function(
-        AUTH_REGISTRY_ADDRESS,
-        comptime { FunctionSelector::from_signature("set_reject_all(bool)") },
-        [reject as Field],
-        GasOpts::default(),
-    );
-    assert(res.len() == 0);
+    AuthRegistryInterface::at(AUTH_REGISTRY_ADDRESS).set_reject_all(reject).call(context);
 }
