feat: canonical expiration transaction script in miden-standards#3051
Merged
partylikeits1983 merged 6 commits intoJun 12, 2026
Merged
Conversation
partylikeits1983
pushed a commit
that referenced
this pull request
Jun 5, 2026
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
partylikeits1983
pushed a commit
that referenced
this pull request
Jun 6, 2026
Resolves the merge of origin/next into the canonical expiration tx script branch. The 7 textual conflicts (Cargo.lock, Cargo.toml, batch/mod.rs, kernel_tests batch mod + proposed_batch, test_active_note, agglayer bridge_out) were stale copies the PR never touched and take next's version. CHANGELOG.md auto-merged into a broken state (duplicated v0.16.0 entries and a stale v0.15.2 heading), so it was rebuilt from next's copy with the three PR entries (#3028 allowlist, #3028 TransactionScriptRoot, #3051 expiration script) folded into the v0.16.0 Changes list.
partylikeits1983
force-pushed
the
partylikeits1983-claude/canonical-expiration-tx-script
branch
from
3a5817b to
0e1ff1b
Compare
partylikeits1983
force-pushed
the
partylikeits1983-claude/canonical-expiration-tx-script
branch
from
0e1ff1b to
2e98caf
Compare
PhilippGackstatter
approved these changes
Jun 10, 2026
PhilippGackstatter
left a comment
PhilippGackstatter
left a comment
Contributor
There was a problem hiding this comment.
Looks good. I'd just move the script to a different location.
mmagician
approved these changes
Jun 10, 2026
mmagician
left a comment
mmagician
left a comment
Collaborator
There was a problem hiding this comment.
approved with verbosity nits
Adds a canonical expiration transaction script to miden-standards via transaction::ExpirationTransactionScript. The script reads the expiration delta from TX_SCRIPT_ARGS, so a single allowlistable root (ExpirationTransactionScript::script_root) covers any delta - enabling network accounts to set their expiration under the root allowlist introduced in #3028.
Co-authored-by: Philipp Gackstatter <PhilippGackstatter@users.noreply.github.com>
Address review feedback on PR #3051: - Move the type from src/transaction.rs to src/tx_script/expiration_script.rs, alongside SendNotesTransactionScript (the tx_script module added in #3055). - Trim the repeated delta-independence wording, keeping it once on the type doc. - Shorten the CHANGELOG entry and move it under v0.16.0.
partylikeits1983
force-pushed
the
partylikeits1983-claude/canonical-expiration-tx-script
branch
from
ae70892 to
e979bcf
Compare
bobbinth
approved these changes
Jun 10, 2026
bobbinth
left a comment
bobbinth
left a comment
Contributor
There was a problem hiding this comment.
Looks good! Thank you! I left a couple of minor comments inline.
Also, this should be retargeted into main, right?
Contributor
Author
|
@bobbinth, actually I think I was wrong to assume that this would be easy to rebase back to Maybe we need to bring |
Address Bobbin's review on PR #3051 plus pre-push security review: - Document that the kernel's update_expiration_block_delta only accepts a delta in 1..=0xFFFF (failing with ERR_TX_INVALID_EXPIRATION_DELTA otherwise), and that the NonZeroU16 constructor guarantees that range. - Reword "submitted network transaction" to "submitted transaction" since the script works with any transaction. - Correct the allowlist-safety rationale: a standalone single call lets an arbitrary submitter pick any delta up to 0xFFFF (not just tighten an existing window), so safety rests on the delta only bounding the submitter's own transaction validity window - it cannot touch account nonce, state, or assets - and being hard-capped at 0xFFFF blocks. Mirrored fix in the network_account test.
Contributor
Yeah, the assumption was that merging this into |
2 tasks
Address review feedback: clarify that ExpirationTransactionScript cannot trigger a host panic. The NonZeroU16 delta always yields an in-range TX_SCRIPT_ARGS; a hand-crafted out-of-range argument makes the kernel reject the transaction with ERR_TX_INVALID_EXPIRATION_DELTA. Adds a 'Panics if' section to the script doc comment and a note on tx_script_args.
partylikeits1983
deleted the
partylikeits1983-claude/canonical-expiration-tx-script
branch
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #3050. Follow-up to #3028, which added the network-account tx-script allowlist mechanism and explicitly left "defining a frozen canonical expiration script" to a follow-up.
This PR targets
next.What
Adds
miden_standards::transaction::ExpirationTransactionScript:ExpirationTransactionScript::new(delta: NonZeroU16)- the typed script for a given expiration delta.ExpirationTransactionScript::into_parts() -> (TransactionScript, Word)- the compiled script paired with the matchingTX_SCRIPT_ARGSso the two cannot be decoupled.ExpirationTransactionScript::script_root() -> TransactionScriptRoot- the single allowlistable root, shared by every delta.The script is the args-driven form:
At tx-script entry the operand stack holds
[TX_SCRIPT_ARGS, ..], so the top element is the delta;update_expiration_block_deltaconsumes it and the remaining three argument elements are dropped.into_parts()returnsTX_SCRIPT_ARGS = [delta, 0, 0, 0]alongside the script.Why args-driven (one root for all deltas)
Reading the delta from
TX_SCRIPT_ARGSinstead of baking it in means a single MAST root accepts any delta, so every network-account creator can pin the same shared root. This is safe to allowlist on an open network account even though the submitter controls the argument: the kernel only ever lets the expiration delta be tightened, never extended, so the worst a caller can do is make their own transaction expire sooner (see the type docs added in #3028).Validation
scripts/expiration.rs): attaches the script viainto_parts()and asserts the tx-args-supplied delta is applied.miden-testingtest_auth_network_account_accepts_allowlisted_tx_script_with_caller_argsrstest cases (deltas 10 / 30 / u16::MAX) now allowlist and execute this standard script viascript_root(), replacing their local copy - exercising the canonical root end to end.Branch / release
Targets
next. Depends onTransactionScriptRootand the tx-script allowlist from #3028 / #3049, which are present onnext.Follow-ups (not in this PR)
ExpirationTransactionScript::script_root().TX_SCRIPT_ARGS) and the counter-account deploy allowlists the root - see node#2205.