feat: merge-train/fairies (#23804)

BEGIN_COMMIT_OVERRIDE
feat(aztec-nr): Add a delivery mode to handshake notes (#23783)
fix(pxe): enforce full field consumption at oracle boundaries (#23802)
chore(ci): Static oracle version check (#23805)
END_COMMIT_OVERRIDE

Author: AztecBot

noir-projects/aztec-nr/aztec/src/messages/message_delivery.nr

@@ -28,8 +28,10 @@ pub struct MessageDelivery {
 }
 
 global OFFCHAIN: u8 = 1;
-global ONCHAIN_UNCONSTRAINED: u8 = 2;
-global ONCHAIN_CONSTRAINED: u8 = 3;
+/// Delivery variant identifier for on-chain message delivery without constrained encryption/tagging.
+pub global ONCHAIN_UNCONSTRAINED: u8 = 2;
+/// Delivery variant identifier for on-chain message delivery with constrained encryption/tagging.
+pub global ONCHAIN_CONSTRAINED: u8 = 3;
 
 impl MessageDelivery {
     /// Delivers the message fully off-chain, with no guarantees whatsoever.

noir-projects/noir-contracts/contracts/message_discovery/handshake_registry_contract/src/main.nr

@@ -9,7 +9,7 @@ pub(crate) global NON_INTERACTIVE_HANDSHAKE: u8 = 1;
 /// Registry for the constrained-delivery shared-secret handshake protocol.
 ///
 /// The registry establishes a master shared-secret point `S` between a sender and a recipient and stores one current
-/// note for each `(recipient, sender)` pair. The raw `S` never leaves the registry: app contracts call
+/// note for each `(recipient, sender, mode)` tuple. The raw `S` never leaves the registry: app contracts call
 /// [`HandshakeRegistry::non_interactive_handshake`] to receive the secret already siloed to the caller, call
 /// [`HandshakeRegistry::get_app_siloed_secret`] offchain for an existing handshake, and use
 /// [`HandshakeRegistry::validate_handshake`] to check an app-siloed secret against the current stored handshake. The
@@ -25,7 +25,7 @@ pub contract HandshakeRegistry {
         macros::{functions::external, storage::storage},
         messages::{
             encryption::{aes128::AES128, message_encryption::MessageEncryption},
-            message_delivery::MessageDelivery,
+            message_delivery::{MessageDelivery, ONCHAIN_CONSTRAINED, ONCHAIN_UNCONSTRAINED},
         },
         protocol::{
             address::AztecAddress, constants::DOM_SEP__NON_INTERACTIVE_HANDSHAKE_LOG_TAG, hash::compute_log_tag,
@@ -36,18 +36,21 @@ pub contract HandshakeRegistry {
 
     #[storage]
     struct Storage<Context> {
-        /// One current [`HandshakeNote`] per `(recipient, sender)` pair. Re-handshaking for the same pair replaces the
-        /// prior sender-owned note, so only the latest handshake remains valid.
-        handshakes: Map<AztecAddress, Owned<PrivateMutable<HandshakeNote, Context>, Context>, Context>,
+        /// One current [`HandshakeNote`] per `(recipient, sender, mode)` tuple. Re-handshaking for the same tuple
+        /// replaces the prior sender-owned note, so only the latest handshake remains valid for that mode.
+        handshakes: Map<AztecAddress, Map<u8, Owned<PrivateMutable<HandshakeNote, Context>, Context>, Context>, Context>,
     }
 
     /// Performs a non-interactive handshake from `sender` to `recipient` and returns the app-siloed shared secret
     /// for the calling contract.
     ///
+    /// `mode` sets the delivery mode for messages tagged with this handshake ([`ONCHAIN_UNCONSTRAINED`] or
+    /// [`ONCHAIN_CONSTRAINED`]); the handshake note itself is always stored onchain.
+    ///
     /// Generates a fresh ephemeral key pair `(eph_sk, eph_pk)`, computes the raw ECDH shared secret point
     /// `S = eph_sk * recipient_address_point`, and produces three effects:
     ///
-    /// 1. Inserts or replaces a [`HandshakeNote`] owned by `sender`, holding the raw point `S`.
+    /// 1. Inserts or replaces a [`HandshakeNote`] owned by `sender` for `mode`, holding the raw point `S`.
     /// 2. Emits an encrypted private log under a recipient-keyed tag with payload `[eph_pk.x]`. The recipient
     ///    discovers handshakes addressed to them by scanning their tag and recovers `S` from `eph_pk` via their own
     ///    ECDH (`recipient_isk * eph_pk`). `eph_pk.y` is fixed positive by the
@@ -56,11 +59,15 @@ pub contract HandshakeRegistry {
     ///    tag" into one call without a second hop into the registry.
     ///
     /// # Panics
+    /// If `mode` is not a recognized delivery mode.
+    ///
     /// If `recipient` is not a valid curve point. There are no upstream side effects in this call frame to
     /// protect, and a fallback would insert a permanent note recording a handshake with an invalid recipient,
     /// polluting registry state.
     #[external("private")]
-    fn non_interactive_handshake(sender: AztecAddress, recipient: AztecAddress) -> Field {
+    fn non_interactive_handshake(sender: AztecAddress, recipient: AztecAddress, mode: u8) -> Field {
+        assert((mode == ONCHAIN_UNCONSTRAINED) | (mode == ONCHAIN_CONSTRAINED), "unrecognized delivery mode");
+
         let recipient_point = recipient.to_address_point().expect(f"recipient address is not on the curve");
 
         let (eph_sk, eph_pk) = generate_positive_ephemeral_key_pair();
@@ -72,7 +79,7 @@ pub contract HandshakeRegistry {
         // discover the handshake via the encrypted log emitted below, not via the sender's note.
         // We use onchain unconstrained delivery rather than `OFFCHAIN` so the note is
         // discoverable via normal PXE sync.
-        self.storage.handshakes.at(recipient).at(sender).initialize_or_replace(|_| note).deliver(
+        self.storage.handshakes.at(recipient).at(mode).at(sender).initialize_or_replace(|_| note).deliver(
             MessageDelivery::onchain_unconstrained().with_sender(sender),
         );
 
@@ -87,19 +94,23 @@ pub contract HandshakeRegistry {
         note.siloed_for(self.msg_sender())
     }
 
-    /// Asserts that `app_siloed_secret` is the silo of a stored handshake from `sender` to `recipient`, for the
-    /// caller (`msg_sender()`).
+    /// Asserts that `app_siloed_secret` is the silo of a stored handshake from `sender` to `recipient` in `mode`, for
+    /// the caller (`msg_sender()`).
     ///
     /// Apps that receive an `app_siloed_secret` from an untrusted source call this once to validate that secret
     /// against the registry's stored handshake.
     ///
     /// # Panics
-    /// If no stored handshake for `(sender, recipient)` silos to `app_siloed_secret` under the calling contract's
-    /// address.
+    /// If `mode` is not a recognized delivery mode.
+    ///
+    /// If no stored handshake for `(sender, recipient, mode)` silos to `app_siloed_secret` under the calling
+    /// contract's address.
     #[external("private")]
-    fn validate_handshake(sender: AztecAddress, recipient: AztecAddress, app_siloed_secret: Field) {
+    fn validate_handshake(sender: AztecAddress, recipient: AztecAddress, mode: u8, app_siloed_secret: Field) {
+        assert((mode == ONCHAIN_UNCONSTRAINED) | (mode == ONCHAIN_CONSTRAINED), "unrecognized delivery mode");
+
         let caller = self.msg_sender();
-        let replacement_note_message = self.storage.handshakes.at(recipient).at(sender).get_note();
+        let replacement_note_message = self.storage.handshakes.at(recipient).at(mode).at(sender).get_note();
         let note = replacement_note_message.get_note();
 
         assert(note.siloed_for(caller) == app_siloed_secret, "no matching handshake");
@@ -109,23 +120,28 @@ pub contract HandshakeRegistry {
         replacement_note_message.deliver(MessageDelivery::onchain_unconstrained());
     }
 
-    /// Returns the app-siloed shared secret for an existing handshake.
+    /// Returns the app-siloed shared secret for an existing handshake in `mode`.
+    ///
+    /// This is the existing-handshake retrieval surface. It returns `silo(S, caller)`, never raw `S`; a different
+    /// caller receives a different app-siloed value for the same registry note.
+    /// Contracts should still call [HandshakeRegistry::validate_handshake] when they need a constrained proof that a
+    /// supplied app-siloed secret matches the current handshake.
     ///
-    /// This is the existing-handshake retrieval surface for constrained delivery. It returns only `silo(S, caller)`,
-    /// never raw `S`; a different caller receives a different app-siloed value for the same registry note. This is
-    /// a utility function because it is a local read helper. Contracts should still call
-    /// [HandshakeRegistry::validate_handshake] when they need a constrained proof that a supplied app-siloed secret
-    /// matches the current handshake.
+    /// # Panics
+    /// If `mode` is not a recognized delivery mode.
     #[external("utility")]
     unconstrained fn get_app_siloed_secret(
         sender: AztecAddress,
         recipient: AztecAddress,
+        mode: u8,
         // TODO(F-671): replace with `self.msg_sender()` once utility context exposes it. The
-        // explicit param forces hooks to also gate on `params[2]`; otherwise any contract that
+        // explicit param forces hooks to also gate on the caller; otherwise any contract that
         // can authorize (target, selector) can read another caller's siloed secret.
         caller: AztecAddress,
     ) -> Option<Field> {
-        let handshake = self.storage.handshakes.at(recipient).at(sender);
+        assert((mode == ONCHAIN_UNCONSTRAINED) | (mode == ONCHAIN_CONSTRAINED), "unrecognized delivery mode");
+
+        let handshake = self.storage.handshakes.at(recipient).at(mode).at(sender);
 
         if handshake.is_initialized() {
             Option::some(handshake.view_note().siloed_for(caller))