Merge branch 'main' into audit/may-use-token

.github/actions/live-tests-shared/action.yml

@@ -29,7 +29,7 @@ runs:
         cat profiling.md >> $GITHUB_STEP_SUMMARY
       shell: bash
     - name: Upload Mina logs
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       continue-on-error: true
       if: always()
       with:

.github/workflows/benchmarks.yml

@@ -3,7 +3,6 @@ on:
   push:
     branches:
       - main
-      - berkeley
       - develop
   pull_request:
   workflow_dispatch: {}

.github/workflows/build-action.yml

@@ -3,7 +3,6 @@ on:
   push:
     branches:
       - main
-      - berkeley
       - develop
   pull_request:
   workflow_dispatch: {}
@@ -68,7 +67,7 @@ jobs:
       - name: Execute E2E tests
         run: npm run test:e2e
       - name: Upload E2E test artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         continue-on-error: true
         if: always()
         with:
@@ -95,9 +94,10 @@ jobs:
           npm ci
           npm run build
       - name: Publish to NPM if version has changed
-        uses: JS-DevTools/npm-publish@v1
+        uses: JS-DevTools/npm-publish@v3
         with:
           token: ${{ secrets.NPM_TOKEN }}
+          strategy: upgrade
         env:
           INPUT_TOKEN: ${{ secrets.NPM_TOKEN }}
 
@@ -121,9 +121,10 @@ jobs:
           npm ci
           npm run prepublishOnly
       - name: Publish to NPM if version has changed
-        uses: JS-DevTools/npm-publish@v1
+        uses: JS-DevTools/npm-publish@v3
         with:
           token: ${{ secrets.NPM_TOKEN }}
           package: './src/mina-signer/package.json'
+          strategy: upgrade
         env:
           INPUT_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/doc.yml

@@ -9,19 +9,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
-
+        uses: actions/checkout@v4
       - name: Setup Node
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v4
         with:
-          node-version: '16'
-
+          node-version: '18'
       - name: Run typedoc
         run: |
           git submodule update --init --recursive
           npm ci
           npx typedoc --tsconfig tsconfig.node.json src/index.ts
-
       - name: Deploy
         uses: peaceiris/actions-gh-pages@v3
         with:

.github/workflows/live-tests.yml

@@ -3,22 +3,18 @@ on:
   push:
     branches:
       - main
-      - berkeley
-      - develop
   pull_request:
     branches:
       - main
-      - berkeley
-      - develop
   workflow_dispatch: {}
 
 jobs:
-  berkeley:
+  master:
     timeout-minutes: 45
     runs-on: ubuntu-latest
     services:
       mina-local-network:
-        image: o1labs/mina-local-network:berkeley-latest-lightnet
+        image: o1labs/mina-local-network:master-latest-lightnet
         env:
           NETWORK_TYPE: 'single-node'
           PROOF_LEVEL: 'none'
@@ -36,4 +32,28 @@ jobs:
       - name: Use shared steps for live testing jobs
         uses: ./.github/actions/live-tests-shared
         with:
-          mina-branch-name: berkeley
+          mina-branch-name: master
+  compatible:
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    services:
+      mina-local-network:
+        image: o1labs/mina-local-network:compatible-latest-lightnet
+        env:
+          NETWORK_TYPE: 'single-node'
+          PROOF_LEVEL: 'none'
+        ports:
+          - 3085:3085
+          - 5432:5432
+          - 8080:8080
+          - 8181:8181
+          - 8282:8282
+        volumes:
+          - /tmp:/root/logs
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Use shared steps for live testing jobs
+        uses: ./.github/actions/live-tests-shared
+        with:
+          mina-branch-name: compatible

CHANGELOG.md

@@ -17,8 +17,45 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 
 ## [Unreleased](https://github.com/o1-labs/o1js/compare/ed198f305...HEAD)
 
+### Breaking changes
+
+- Fixed a vulnerability in `OffchainState` where it didn't store the `IndexedMerkleTree` length onchain and left it unconstrained https://github.com/o1-labs/o1js/pull/1676
+
+### Added
+
+- A warning about the current reducer API limitations, as well as a mention of active work to mitigate them was added to doc comments and examples https://github.com/o1-labs/o1js/pull/1728
+
+- `ForeignField`-based representation of scalars via `ScalarField` https://github.com/o1-labs/o1js/pull/1705
+- Introduced new V2 methods for nullifier operations: `isUnusedV2()`, `assertUnusedV2()`, and `setUsedV2()` https://github.com/o1-labs/o1js/pull/1715
+- `Experimental.BatchReducer` to reduce actions in batches https://github.com/o1-labs/o1js/pull/1676
+  - Avoids the account update limit
+  - Handles arbitrary numbers of pending actions thanks to recursive validation of the next batch
+- Add conditional versions of all preconditions: `.requireEqualsIf()` https://github.com/o1-labs/o1js/pull/1676
+- `AccountUpdate.createIf()` to conditionally add an account update to the current transaction https://github.com/o1-labs/o1js/pull/1676
+- `IndexedMerkleMap.setIf()` to set a key-value pair conditionally https://github.com/o1-labs/o1js/pull/1676
+- `Provable.assertEqualIf()` to conditionally assert that two values are equal https://github.com/o1-labs/o1js/pull/1676
+- Add `offchainState.setContractClass()` which enables us to declare the connected contract at the top level, without creating a contract instance https://github.com/o1-labs/o1js/pull/1676
+  - This is enough to call `offchainState.compile()`
+- More low-level methods to interact with `MerkleList` https://github.com/o1-labs/o1js/pull/1676
+  - `popIfUnsafe()`, `toArrayUnconstrained()` and `lengthUnconstrained()`
+
+### Changed
+
+- Improve error message when o1js global state is accessed in an invalid way https://github.com/o1-labs/o1js/pull/1676
+- Start developing an internal framework for local zkapp testing https://github.com/o1-labs/o1js/pull/1676
+- Internally upgrade o1js to TypeScript 5.4 https://github.com/o1-labs/o1js/pull/1676
+
+### Deprecated
+
+- Deprecated `Nullifier.isUnused()`, `Nullifier.assertUnused()`, and `Nullifier.setUsed()` methods https://github.com/o1-labs/o1js/pull/1715
+- `createEcdsa`, `createForeignCurve`, `ForeignCurve` and `EcdsaSignature` deprecated in favor of `V2` versions due to a security vulnerability found in the current implementation https://github.com/o1-labs/o1js/pull/1703
+- Deprecate `AccountUpdate.defaultAccountUpdate()` in favor of `AccountUpdate.default()` https://github.com/o1-labs/o1js/pull/1676
+
 ### Fixed
 
+- Fix reversed order of account updates when using `TokenContract.approveAccountUpdates()` https://github.com/o1-labs/o1js/pull/1722
+- Fixed the static `check()` method in Struct classes to properly handle inheritance, preventing issues with under-constrained circuits. Added error handling to avoid using Struct directly as a field type. https://github.com/o1-labs/o1js/pull/1707
+- Fixed that `Option` could not be used as `@state` or event https://github.com/o1-labs/o1js/pull/1736
 - Address potential incorrect token inheritance handling with `MayUseToken` in AccountUpdates https://github.com/o1-labs/o1js/pull/1716
   - Modified isParentsOwnToken() to return false when inheritFromParent is true, preventing potential misuse of token inheritance.
   - Added check() method to ensure parentsOwnToken and inheritFromParent flags are not both set to true simultaneously.
@@ -35,7 +72,6 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 ### Deprecated
 
 - `MerkleMap.computeRootAndKey()` deprecated in favor of `MerkleMap.computeRootAndKeyV2()` due to a potential issue of computing hash collisions in key indicies https://github.com/o1-labs/o1js/pull/1694
-- `createEcdsa`, `createForeignCurve`, `ForeignCurve` and `EcdsaSignature` deprecated in favor of `V2` versions due to a security vulnerability found in the current implementation https://github.com/o1-labs/o1js/pull/1703
 
 ## [1.3.1](https://github.com/o1-labs/o1js/compare/1ad7333e9e...40c597775) - 2024-06-11
 

README-dev.md

@@ -82,29 +82,33 @@ o1js uses these types to ensure that the constants used in the protocol are cons
 
 ## Development
 
-### Branch Compatibility
+### Branching Policy
 
-If you work on o1js, create a feature branch off of one of these base branches. It's encouraged to submit your work-in-progress as a draft PR to raise visibility! When working with submodules and various interconnected parts of the stack, ensure you are on the correct branches that are compatible with each other.
+| o1js base branches | Is default? |
+| ------------------ | ----------- |
+| main               | **Yes**     |
+| develop            | No          |
 
-#### How to Use the Branches
+When you start your work on o1js, please create the feature branch off of one of the above base branches.  
+It's encouraged to submit your work-in-progress as a draft PR to raise visibility!  
+When working with submodules and various interconnected parts of the stack, ensure you are on the correct branches that are compatible with each other.
 
 **Default to `main` as the base branch**.
 
-The other base branches (`berkeley` and `develop`) are used only in specific scenarios where you want to adapt o1js to changes in the sibling repos on those other branches. Even then, consider whether it is feasible to land your changes to `main` and merge to `berkeley` and `develop` afterwards. Only changes in `main` will ever be released, so anything in the other branches has to be backported and reconciled with `main` eventually.
+Other base branches (currently `develop` only) are used in specific scenarios where you want to adapt o1js to changes in the sibling repos on those other branches. Even then, consider whether it is feasible to land your changes to `main` and merge to `develop` afterwards. Only changes in `main` will ever be released, so anything in other branches has to be backported and reconciled with the `main` branch eventually.
 
-| Repository | mina -> o1js -> o1js-bindings    |
-| ---------- | -------------------------------- |
-| Branches   | o1js-main -> main -> main        |
-|            | berkeley -> berkeley -> berkeley |
-|            | develop -> develop -> develop    |
+#### Relationship Between Repositories and Branches
 
-- `o1js-main`: The `o1js-main` branch in the Mina repository corresponds to the `main` branch in both o1js and o1js-bindings repositories. This branch is where stable releases and ramp-up features are maintained. The `o1js-main` branch runs in parallel to the Mina `berkeley` branch and does not have a subset or superset relationship with it. The branching structure is as follows (<- means direction to merge):
+| Repository | o1js &rarr; | o1js-bindings &rarr; | mina       |
+| ---------- | ----------- | -------------------- | ---------- |
+| Branches   | main        | main                 | compatible |
+|            | develop     | develop              | develop    |
 
-  - `develop` <- `o1js-main` <- `current testnet` - Typically, the current Testnet often corresponds to the rampup branch.
+Where:
 
-- `berkeley`: The `berkeley` branch is maintained across all three repositories. This branch is used for features and updates specific to the Berkeley release of the project.
+- `compatible`: This is the [Mina repository](https://github.com/MinaProtocol/mina) branch. It corresponds to the `main` branch in both o1js and o1js-bindings repositories. This branch is where stable releases and soft-fork features are maintained.
 
-- `develop`: The `develop` branch is also maintained across all three repositories. It is used for ongoing development, testing new features, and integration work.
+- `develop`: This branch is maintained across all three repositories. It is used for ongoing (next hard-fork) development, testing new features and integration work.
 
 ### Running Tests
 
@@ -193,7 +197,7 @@ docker run --rm --pull=missing -it \
   -p 8080:8080 \
   -p 8181:8181 \
   -p 8282:8282 \
-  o1labs/mina-local-network:o1js-main-latest-lightnet
+  o1labs/mina-local-network:compatible-latest-lightnet
 ```
 
 See the [Docker Hub repository](https://hub.docker.com/r/o1labs/mina-local-network) for more information.

package.json

@@ -96,7 +96,7 @@
     "typedoc": "^0.25.8",
     "typedoc-plugin-markdown": "^4.0.0-next.53",
     "typedoc-plugin-merge-modules": "^5.1.0",
-    "typescript": "5.1"
+    "typescript": "^5.4.5"
   },
   "dependencies": {
     "blakejs": "1.2.1",

src/examples/nullifier.ts

@@ -28,10 +28,10 @@ class PayoutOnlyOnce extends SmartContract {
     );
 
     // we compute the current root and make sure the entry is set to 0 (= unused)
-    nullifier.assertUnused(nullifierWitness, nullifierRoot);
+    nullifier.assertUnusedV2(nullifierWitness, nullifierRoot);
 
     // we set the nullifier to 1 (= used) and calculate the new root
-    let newRoot = nullifier.setUsed(nullifierWitness);
+    let newRoot = nullifier.setUsedV2(nullifierWitness);
 
     // we update the on-chain root
     this.nullifierRoot.set(newRoot);

src/examples/zkapps/dex/dex-with-actions.ts

@@ -2,7 +2,11 @@
  * This DEX implementation differs from ./dex.ts in two ways:
  * - More minimal & realistic; stuff designed only for testing protocol features was removed
  * - Uses an async pattern with actions that lets users claim funds later and reduces account updates
- */
+ * 
+ * Warning: The reducer API in o1js is currently not safe to use in production applications. The `reduce()` 
+ * method breaks if more than the hard-coded number (default: 32) of actions are pending. Work is actively 
+ * in progress to mitigate this limitation.
+ */ 
 import {
   Account,
   AccountUpdate,

src/examples/zkapps/reducer/actions-as-merkle-list-iterator.ts

@@ -4,7 +4,11 @@
  *
  * This is mainly intended as an example for using `Iterator` and `MerkleList`, but it might also be useful as
  * a blueprint for processing actions in a custom and more explicit way.
- */
+ * 
+ * Warning: The reducer API in o1js is currently not safe to use in production applications. The `reduce()` 
+ * method breaks if more than the hard-coded number (default: 32) of actions are pending. Work is actively 
+ * in progress to mitigate this limitation.
+ */ 
 import {
   Field,
   Mina,

src/examples/zkapps/reducer/actions-as-merkle-list.ts

@@ -4,7 +4,11 @@
  *
  * This is mainly intended as an example for using `MerkleList`, but it might also be useful as
  * a blueprint for processing actions in a custom and more explicit way.
- */
+ * 
+ * Warning: The reducer API in o1js is currently not safe to use in production applications. The `reduce()` 
+ * method breaks if more than the hard-coded number (default: 32) of actions are pending. Work is actively 
+ * in progress to mitigate this limitation.
+ */ 
 import {
   Bool,
   Mina,

src/examples/zkapps/reducer/map.ts

@@ -22,6 +22,10 @@ In this example, the keys are public keys, and the values are arbitrary field el
 
 This utilizes the `Reducer` as an append online list of actions, which are then looked at to find the value corresponding to a specific key.
 
+Warning: The reducer API in o1js is currently not safe to use in production applications. The reduce() 
+method breaks if more than the hard-coded number (default: 32) of actions are pending. Work is actively 
+in progress to mitigate this limitation.
+  
 
 ```ts 
 // js

src/examples/zkapps/reducer/reducer-composite.ts

@@ -1,3 +1,11 @@
+/**
+ * This example demonstrates a pattern to use actions for concurrent state updates. 
+ * 
+ * Warning: The reducer API in o1js is currently not safe to use in production applications. The `reduce()` 
+ * method breaks if more than the hard-coded number (default: 32) of actions are pending. Work is actively 
+ * in progress to mitigate this limitation.
+ */ 
+
 import {
   Field,
   state,

src/examples/zkapps/voting/demo.ts

@@ -1,5 +1,12 @@
-// used to do a dry run, without tests
-// ./run ./src/examples/zkapps/voting/demo.ts
+
+/*
+ * used to do a dry run, without tests
+ * ./run ./src/examples/zkapps/voting/demo.ts
+ * 
+ * Warning: The reducer API in o1js is currently not safe to use in production applications. The `reduce()` 
+ * method breaks if more than the hard-coded number (default: 32) of actions are pending. Work is actively 
+ * in progress to mitigate this limitation.
+ */ 
 
 import { Mina, AccountUpdate, PrivateKey, UInt64, Reducer, Bool } from 'o1js';
 import { VotingApp, VotingAppParams } from './factory.js';

src/examples/zkapps/voting/membership.ts

@@ -1,3 +1,8 @@
+/*
+ * Warning: The reducer API in o1js is currently not safe to use in production applications. The `reduce()` 
+ * method breaks if more than the hard-coded number (default: 32) of actions are pending. Work is actively 
+ * in progress to mitigate this limitation.
+ */ 
 import {
   Field,
   SmartContract,

src/examples/zkapps/voting/voting.ts

@@ -1,3 +1,8 @@
+/*
+ * Warning: The reducer API in o1js is currently not safe to use in production applications. The `reduce()` 
+ * method breaks if more than the hard-coded number (default: 32) of actions are pending. Work is actively 
+ * in progress to mitigate this limitation.
+ */ 
 import {
   Field,
   SmartContract,

src/examples/zkprogram/program-with-input.ts

@@ -35,7 +35,7 @@ MyProgram.publicOutputType satisfies Provable<void>;
 
 let MyProof = ZkProgram.Proof(MyProgram);
 
-console.log('program digest', MyProgram.digest());
+console.log('program digest', await MyProgram.digest());
 
 console.log('compiling MyProgram...');
 let { verificationKey } = await MyProgram.compile();