fix: pre-public audit cleanup#2
Merged
Merged
Conversation
- Remove dead src/ directory (obsolete circuit versions with weaker 2-limb RSA hashing, superseded by proof_a/proof_b packages) - Add missing location sign verification asserts in selective_disclosure (disclosed lat/lon signs must match exact coordinate signs) - Add LICENSE and VENDORED_FROM.md for vendored noir-rsa - Remove vendor/noir-jwt/js/ (test RSA private key, npm artifacts not needed for circuit compilation) - Update README: nargo beta.18 -> beta.19, Aztec v3 -> v4 devnet, dependency versions to match current Nargo.toml files - Fix Prover.toml: use location_flags field instead of removed center_lat_is_negative/center_lon_is_negative fields Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughRemoves three Noir circuit files, deletes the noir-jwt vendor JS/TS tooling, consolidates two location sign-bit public inputs into one Changes
Estimated code review effort🎯 4 (Complex) | ⏱️ ~60 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
vendor/noir-rsa/VENDORED_FROM.md (1)
3-6: Add upstream commit SHA for immutable vendoring provenance.Source + tag is good, but audits are more reproducible if this file also records the exact upstream commit hash that was vendored.
Suggested doc update
# Vendored: noir_rsa - **Source**: https://github.com/zkpassport/noir_rsa - **Version**: v0.9.1 (with sha512 bumped to v0.1.1 for beta.19 compatibility) +- **Upstream commit**: <full_commit_sha> - **License**: MIT (https://github.com/zkpassport/noir_rsa/blob/main/LICENSE) - **Authors**: [zkpassport](https://zkpassport.id/)🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@vendor/noir-rsa/VENDORED_FROM.md` around lines 3 - 6, The VENDORED_FROM.md entry for noir-rsa currently lists Source, Version, License, and Authors but lacks the exact upstream commit SHA; update the file by adding an explicit "Commit" (or "Upstream commit") field containing the full commit hash corresponding to the vendored code (alongside the existing Source and Version lines) so audits are reproducible; ensure the new line follows the same markdown bullet style and references the exact commit for the tag/version noted.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@README.md`:
- Around line 134-140: Update the README entry for noir_rsa to explicitly state
that the dependency table lists the active circuit/runtime dependency versions
(e.g., noir_rsa 0.10.0) and that vendored snapshots may be independently pinned
and differ (e.g., the vendored noir_rsa v0.9.1 noted in VENDORED_FROM.md); add a
short parenthetical or footnote near the noir_rsa row clarifying "table = active
dependencies; vendored copies may show older pinned versions (see
VENDORED_FROM.md)".
In `@selective_disclosure/src/main.nr`:
- Around line 223-228: Cast disclosed_location_flags from Field to a small
unsigned integer (e.g., u8) and constrain it to 2 bits before doing bitwise ops:
convert disclosed_location_flags to an integer variable (flags_u8), assert
flags_u8 < 4 to constrain to 2 bits, compute disclosed_lat_neg = flags_u8 & 1
and disclosed_lon_neg = (flags_u8 >> 1) & 1, then compare those with
exact_lat_is_negative and exact_lon_is_negative via the existing assert calls;
use the same variable names (disclosed_location_flags, disclosed_lat_neg,
disclosed_lon_neg, exact_lat_is_negative, exact_lon_is_negative) so the logic is
identical but uses integer bitwise operators.
---
Nitpick comments:
In `@vendor/noir-rsa/VENDORED_FROM.md`:
- Around line 3-6: The VENDORED_FROM.md entry for noir-rsa currently lists
Source, Version, License, and Authors but lacks the exact upstream commit SHA;
update the file by adding an explicit "Commit" (or "Upstream commit") field
containing the full commit hash corresponding to the vendored code (alongside
the existing Source and Version lines) so audits are reproducible; ensure the
new line follows the same markdown bullet style and references the exact commit
for the tag/version noted.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 0a38bc1f-f935-40f8-9a37-8a1668e90706
⛔ Files ignored due to path filters (1)
vendor/noir-jwt/js/package-lock.jsonis excluded by!**/package-lock.json
📒 Files selected for processing (14)
README.mdproof_a/Prover.tomlselective_disclosure/src/main.nrsrc/main.nrsrc/proof_a.nrsrc/proof_b.nrvendor/noir-jwt/js/package.jsonvendor/noir-jwt/js/scripts/noir-test-data.tsvendor/noir-jwt/js/src/generate-inputs.tsvendor/noir-jwt/js/src/index.tsvendor/noir-jwt/js/src/partial-sha.tsvendor/noir-jwt/js/tsconfig.jsonvendor/noir-rsa/LICENSEvendor/noir-rsa/VENDORED_FROM.md
💤 Files with no reviewable changes (9)
- vendor/noir-jwt/js/src/index.ts
- vendor/noir-jwt/js/tsconfig.json
- vendor/noir-jwt/js/package.json
- vendor/noir-jwt/js/src/partial-sha.ts
- vendor/noir-jwt/js/scripts/noir-test-data.ts
- vendor/noir-jwt/js/src/generate-inputs.ts
- src/proof_a.nr
- src/proof_b.nr
- src/main.nr
…rification Noir does not support bitwise operators on Field types. Cast to u8 with a <= 3 constraint before extracting sign bits. Also clarify vendored noir_rsa version discrepancy in README. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
bit0=lat_neg=0, bit1=lon_neg=1 → flags=2 (was 1, which asserted lat_neg=1 incorrectly) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Audit cleanup before making the circuits repo public.
src/directory — obsolete circuit versions with weaker 2-limb RSA hashing, superseded byproof_a/proof_bpackages. Could confuse reviewers and be mistaken for production code.selective_disclosure—disclosed_location_flagssign bits were described in comments but never actually asserted against exact coordinate signs. An attacker could theoretically claim a southern-hemisphere coordinate is in a northern bounding box.noir-rsa— MIT license from upstream zkpassport repo, plusVENDORED_FROM.mdattribution.vendor/noir-jwt/js/— contained test RSA private key and npm build artifacts not needed for circuit compilation.Nargo.tomlfiles.Prover.toml— update to uselocation_flagsfield instead of removedcenter_lat_is_negative/center_lon_is_negativefields.Test plan
🤖 Generated with Claude Code
Summary by CodeRabbit
Documentation
Refactor
Chores