- Rename PrivacyPreservingCircuitInputAccount to InputAccountIdentity (drop the PrivacyPreservingCircuit prefix; add Identity suffix)
- Rename PrivacyPreservingCircuitInput.accounts to account_identities
- Rename AccountManager.accounts() to account_identities() and loop variables to account_identity
- Drop legacy mask-1/2/3 references from variant doc comments and guest comments
- Remove the explanatory comments about deleted parallel-vec tests; moved to the PR description
- Rebake privacy_preserving_circuit and test program artifacts
- Add SealingPublicKey/SealingSecretKey type aliases for seal_for/unseal
- Generalize PrivateGroupPda to PrivatePda with pre-resolved keys
- Rename group_pda_spender to private_pda_spender
- Rename group_pda_accounts to pda_accounts with serde alias
- Remove unused storage_mut()
- Remove stale group_pda_router.bin artifact
Addresses the following review comments from @Arjentix:
- "I think there are too many internal implementation information
exposed here. This structure is used by our users, program devs. And
they should not care about distinction between private or public pda
or different masks"
(on ChainedCall.pda_seeds, same feedback repeated on Claim::Pda)
I rewrote both docstrings to drop internal details (visibility masks,
per-form derivation names, npk handling). Program devs see only that
they emit a seed and the `AccountId` is derived from
`(program_id, seed)` regardless of whether the account is public or
private.
- "Let's reflect the new nuance in the name"
(on compute_authorized_pdas returning public-form derivations only)
I renamed the function to `compute_public_authorized_pdas`. After
the PR #446 rework the function only returns public-form
derivations, the private-form authorization lives in the circuit
guest. Updated the call site in nssa/src/validated_state_diff.rs
and the two unit tests.
Addresses the following review comment:
- "I think this should be a constructor `AccountId::for_private_pda`.
Consider also removing the existing `impl From<(ProgramId, Seed)> for
AccountId` for public pdas in favor of a `AccountId::for_public_pda`
to have a unified way of constructing pdas"
I replaced `impl From<(&ProgramId, &PdaSeed)> for AccountId` with
`AccountId::for_public_pda(program_id: &ProgramId, seed: &PdaSeed) ->
Self` and replaced the free function `private_pda_account_id(...)`
with `AccountId::for_private_pda(program_id: &ProgramId, seed:
&PdaSeed, npk: &NullifierPublicKey) -> Self`. Both live in an inherent
`impl AccountId` block in nssa/core/src/program.rs next to the PDA
derivation logic. Migrated all call sites across nssa/core,
nssa/src/state.rs, nssa/src/validated_state_diff.rs,
program_methods/guest/src/bin/privacy_preserving_circuit.rs,
programs/amm/core, programs/associated_token_account/core, the example
tail-call binary, and the ATA tutorial doc. Test function names that
referenced the old free function were also renamed
(private_pda_account_id_* to for_private_pda_*).
Addresses the following review comments:
- "Shouldn't we use a program that checks authorization in this test as
callee? If not, I'm not sure if we are fully testing what the test
docs describe (namely, that the callee got the input account with
is_authorized=true). Maybe add a variant of the noop that checks the
input account is authorized."
I added test_program_methods/guest/src/bin/auth_asserting_noop.rs:
same shape as noop.rs except it asserts pre.is_authorized == true for
every pre_state before echoing the post_states. Any unauthorized
pre_state panics the guest, failing the whole circuit proof. I added
Program::auth_asserting_noop() as the matching helper. In
caller_pda_seeds_authorize_private_pda_for_callee and
caller_pda_seeds_with_wrong_seed_rejects_private_pda_for_callee, I
swapped Program::noop() for Program::auth_asserting_noop() as the
callee. The positive test now proves the callee actually sees
is_authorized=true, not just that the circuit's consistency check did
not reject. The negative test doubles its evidence, both the
circuit's authorization reconciliation and the callee guest would now
reject a wrong-seed delegation.
- "This branching logic is only correct because we are not supporting
non-authorized private accounts with non-default values. Likely to be
changed in the future. I'm sure there's use cases for this. For
example the multisig program if ran completely private it would need
a private non-default and non-authorized input account."
Agreed. Supporting this needs wallet-supplied `(seed, owner)` side
input so the npk-to-account_id binding can be re-verified for an
existing private PDA without a fresh Claim::Pda or a caller
pda_seeds match. I handled this in the second PR. I added a
TODO(private-pdas-pr-2/3) marker on the `else` branch in
privacy_preserving_circuit.rs:3 => { ... } so the constraint is
visible to future maintainers, along with a comment noting the
multisig use case.
