Update to use Guardians

espresso/environment/enclave_helpers.go

@@ -288,7 +288,9 @@ func RegisterEnclaveHash(ctx context.Context, sys *e2esys.System, pcr0Bytes []by
 	if err != nil {
 		return fmt.Errorf("failed to create transactor: %w", err)
 	}
-	registrationTx, err := nitroVerifier.SetEnclaveHash(opts, crypto.Keccak256Hash(pcr0Bytes), true)
+	// ServiceType: 0 = BatchPoster, 1 = CaffNode
+	const serviceTypeBatchPoster uint8 = 0
+	registrationTx, err := nitroVerifier.SetEnclaveHash(opts, crypto.Keccak256Hash(pcr0Bytes), true, serviceTypeBatchPoster)
 	if err != nil {
 		return fmt.Errorf("failed to create registration transaction: %w", err)
 	}

justfile

@@ -69,9 +69,11 @@ forge_artifacts_dir:="packages/contracts-bedrock/forge-artifacts"
 bindings_dir:="op-batcher/bindings"
 gen_bindings_cmd:="./espresso/scripts/gen_bindings.sh"
 gen-bindings:
-  {{gen_bindings_cmd}} {{forge_artifacts_dir}}/BatchInbox.sol/BatchInbox.json > ./{{bindings_dir}}/batch_inbox.go
-  {{gen_bindings_cmd}} {{forge_artifacts_dir}}/BatchAuthenticator.sol/BatchAuthenticator.json > ./{{bindings_dir}}/batch_authenticator.go
-  {{gen_bindings_cmd}} {{forge_artifacts_dir}}/OPSuccinctFaultDisputeGame.sol/OPSuccinctFaultDisputeGame.json > ./{{bindings_dir}}/opsuccinct_fault_dispute_game.go
+  {{ gen_bindings_cmd }} {{ forge_artifacts_dir }}/BatchInbox.sol/BatchInbox.json > ./{{ bindings_dir }}/batch_inbox.go
+  {{ gen_bindings_cmd }} {{ forge_artifacts_dir }}/BatchAuthenticator.sol/BatchAuthenticator.json > ./{{ bindings_dir }}/batch_authenticator.go
+  {{ gen_bindings_cmd }} {{ forge_artifacts_dir }}/EspressoNitroTEEVerifier.sol/EspressoNitroTEEVerifier.json > ./{{ bindings_dir }}/espresso_nitro_tee_verifier.go
+  {{ gen_bindings_cmd }} {{ forge_artifacts_dir }}/EspressoTEEVerifier.sol/EspressoTEEVerifier.json > ./{{ bindings_dir }}/espresso_tee_verifier.go
+  {{ gen_bindings_cmd }} {{ forge_artifacts_dir }}/OPSuccinctFaultDisputeGame.sol/OPSuccinctFaultDisputeGame.json > ./{{ bindings_dir }}/opsuccinct_fault_dispute_game.go
 
 smoke-tests: compile-contracts
  go test -run ^TestEspressoDockerDevNodeSmokeTest$ ./espresso/environment -v

op-batcher/enclave-tools/enclave-tools.go

@@ -95,7 +95,15 @@ func RegisterEnclaveHash(ctx context.Context, authenticatorAddress common.Addres
 	if err != nil {
 		return fmt.Errorf("failed to create transactor: %w", err)
 	}
-	registrationTx, err := nitroVerifier.SetEnclaveHash(opts, crypto.Keccak256Hash(pcr0Bytes), true)
+
+	// Convert hash to [32]byte for the contract call
+	var enclaveHash [32]byte
+	copy(enclaveHash[:], crypto.Keccak256(pcr0Bytes))
+
+	// ServiceType.BatchPoster = 0
+	const serviceTypeBatchPoster uint8 = 0
+
+	registrationTx, err := nitroVerifier.SetEnclaveHash(opts, enclaveHash, true, serviceTypeBatchPoster)
 	if err != nil {
 		return fmt.Errorf("failed to create registration transaction: %w", err)
 	}

packages/contracts-bedrock/foundry.toml

@@ -35,12 +35,13 @@ ast = true
 evm_version = 'cancun'
 
 remappings = [
+  'lib/espresso-tee-contracts/:@openzeppelin/contracts-upgradeable/=lib/espresso-tee-contracts/lib/openzeppelin-contracts-upgradeable/contracts',
+  'lib/espresso-tee-contracts/:@openzeppelin/contracts/=lib/espresso-tee-contracts/lib/openzeppelin-contracts/contracts',
+  'lib/espresso-tee-contracts/:solady/=lib/solady/src',
   '@openzeppelin/contracts-upgradeable/=lib/openzeppelin-contracts-upgradeable/contracts',
   '@espresso-tee-contracts/=lib/espresso-tee-contracts/src',
   '@nitro-validator/=lib/espresso-tee-contracts/lib/nitro-validator/src',
   'aws-nitro-enclave-attestation/=lib/espresso-tee-contracts/lib/aws-nitro-enclave-attestation/contracts/src',
-  'lib/espresso-tee-contracts/:@openzeppelin/contracts/=lib/espresso-tee-contracts/lib/openzeppelin-contracts/contracts',
-  'lib/espresso-tee-contracts/:solady/=lib/solady/src',
   '@openzeppelin/contracts/=lib/openzeppelin-contracts/contracts',
   '@openzeppelin/contracts-v5/=lib/openzeppelin-contracts-v5/contracts',
   '@rari-capital/solmate/=lib/solmate',

packages/contracts-bedrock/interfaces/L1/IBatchAuthenticator.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity ^0.8.0;
+pragma solidity ^0.8.22;
 
 interface IBatchAuthenticator {
     event Initialized(uint8 version);
@@ -42,10 +42,23 @@ interface IBatchAuthenticator {
 
     function switchBatcher() external;
 
-    function __constructor__(
+    function initialize(
         address _espressoTEEVerifier,
         address _teeBatcher,
         address _nonTeeBatcher,
         address _owner
     ) external;
+
+    function validateBatch(address sender, bytes calldata data) external view;
+
+    // Guardian functions
+    function addGuardian(address guardian) external;
+
+    function removeGuardian(address guardian) external;
+
+    function isGuardian(address account) external view returns (bool);
+
+    function getGuardians() external view returns (address[] memory);
+
+    function guardianCount() external view returns (uint256);
 }

packages/contracts-bedrock/interfaces/L1/IBatchInbox.sol

@@ -1,10 +1,13 @@
 // SPDX-License-Identifier: MIT
 pragma solidity ^0.8.0;
 
+/// @title IBatchInbox
+/// @notice Interface for the BatchInbox contract.
+/// @dev Note: This contract intentionally has no public/external view functions to ensure
+///      ALL calls route to the fallback function. This prevents function selector collisions
+///      that could bypass batch authentication.
 interface IBatchInbox {
     fallback() external;
 
-    function version() external view returns (string memory);
-
-    function __constructor__(address _batchAuthenticator, address _owner) external;
+    function __constructor__(address batchAuthenticator_) external;
 }

packages/contracts-bedrock/scripts/deploy/DeployAWSNitroVerifier.s.sol

@@ -8,27 +8,39 @@ import { Script } from "forge-std/Script.sol";
 import { Solarray } from "scripts/libraries/Solarray.sol";
 import { DeployUtils } from "scripts/libraries/DeployUtils.sol";
 import { INitroEnclaveVerifier } from "aws-nitro-enclave-attestation/interfaces/INitroEnclaveVerifier.sol";
+import { ERC1967Proxy } from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
+import { ServiceType } from "@espresso-tee-contracts/types/Types.sol";
 
 contract MockEspressoNitroTEEVerifier is IEspressoNitroTEEVerifier {
     constructor() { }
 
-    function registeredSigners(address signer) external pure override returns (bool) {
+    function isSignerValid(address signer, ServiceType) external pure override returns (bool) {
         // Added this special condition for test TestE2eDevnetWithUnattestedBatcherKey
         if (signer == address(0xe16d5c4080C0faD6D2Ef4eb07C657674a217271C)) {
             return false;
         }
         return true;
     }
 
-    function registeredEnclaveHash(bytes32) external pure override returns (bool) {
+    function registeredEnclaveHash(bytes32, ServiceType) external pure override returns (bool) {
         return true;
     }
 
-    function registerSigner(bytes calldata, bytes calldata) external override { }
+    function registerService(bytes calldata, bytes calldata, ServiceType) external override { }
 
-    function setEnclaveHash(bytes32, bool) external override { }
+    function setEnclaveHash(bytes32, bool, ServiceType) external override { }
 
-    function deleteRegisteredSigners(address[] memory) external override { }
+    function deleteEnclaveHashes(bytes32[] memory, ServiceType) external override { }
+
+    function setNitroEnclaveVerifier(address) external override { }
+
+    function nitroEnclaveVerifier() external pure override returns (INitroEnclaveVerifier) {
+        return INitroEnclaveVerifier(address(0));
+    }
+
+    function teeVerifier() external pure override returns (address) {
+        return address(0);
+    }
 }
 
 contract DeployAWSNitroVerifierInput is BaseDeployIO {
@@ -88,19 +100,36 @@ contract DeployAWSNitroVerifier is Script {
         public
         returns (IEspressoNitroTEEVerifier)
     {
-        vm.broadcast(msg.sender);
-        bytes32 enclaveHash = input.enclaveHash();
         address nitroEnclaveVerifier = input.nitroEnclaveVerifier();
 
-        IEspressoNitroTEEVerifier impl;
+        IEspressoNitroTEEVerifier proxyAddr;
         if (nitroEnclaveVerifier == address(0)) {
-            impl = new MockEspressoNitroTEEVerifier();
+            // Deploy mock without proxy for testing
+            vm.broadcast(msg.sender);
+            proxyAddr = new MockEspressoNitroTEEVerifier();
+            vm.label(address(proxyAddr), "MockNitroTEEVerifier");
         } else {
-            impl = new EspressoNitroTEEVerifier(enclaveHash, INitroEnclaveVerifier(nitroEnclaveVerifier));
+            // Deploy implementation
+            vm.broadcast(msg.sender);
+            EspressoNitroTEEVerifier impl = new EspressoNitroTEEVerifier();
+            vm.label(address(impl), "NitroTEEVerifierImpl");
+
+            // Prepare initialization data
+            bytes memory initData = abi.encodeWithSelector(
+                EspressoNitroTEEVerifier.initialize.selector,
+                INitroEnclaveVerifier(nitroEnclaveVerifier),
+                msg.sender // initial owner
+            );
+
+            // Deploy proxy
+            vm.broadcast(msg.sender);
+            ERC1967Proxy proxy = new ERC1967Proxy(address(impl), initData);
+            vm.label(address(proxy), "NitroTEEVerifierProxy");
+            proxyAddr = IEspressoNitroTEEVerifier(address(proxy));
         }
-        vm.label(address(impl), "NitroTEEVerifierImpl");
-        output.set(output.nitroTEEVerifierAddress.selector, address(impl));
-        return impl;
+
+        output.set(output.nitroTEEVerifierAddress.selector, address(proxyAddr));
+        return proxyAddr;
     }
 
     function checkOutput(DeployAWSNitroVerifierOutput output) public view {

packages/contracts-bedrock/scripts/deploy/DeployEspresso.s.sol

@@ -1,16 +1,18 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.22;
+pragma solidity ^0.8.22;
 
 import { BaseDeployIO } from "scripts/deploy/BaseDeployIO.sol";
 import { IBatchInbox } from "interfaces/L1/IBatchInbox.sol";
 import { Script } from "forge-std/Script.sol";
 import { DeployUtils } from "scripts/libraries/DeployUtils.sol";
 import { Solarray } from "scripts/libraries/Solarray.sol";
 import { IBatchAuthenticator } from "interfaces/L1/IBatchAuthenticator.sol";
+import { BatchAuthenticator } from "src/L1/BatchAuthenticator.sol";
 import { IEspressoNitroTEEVerifier } from "@espresso-tee-contracts/interface/IEspressoNitroTEEVerifier.sol";
 import { IEspressoSGXTEEVerifier } from "@espresso-tee-contracts/interface/IEspressoSGXTEEVerifier.sol";
 import { IEspressoTEEVerifier } from "@espresso-tee-contracts/interface/IEspressoTEEVerifier.sol";
 import { EspressoTEEVerifier } from "@espresso-tee-contracts/EspressoTEEVerifier.sol";
+import { ERC1967Proxy } from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
 import { console2 as console } from "forge-std/console2.sol";
 
 contract DeployEspressoInput is BaseDeployIO {
@@ -84,7 +86,7 @@ contract DeployEspresso is Script {
     function run(DeployEspressoInput input, DeployEspressoOutput output, address deployerAddress) public {
         IEspressoTEEVerifier teeVerifier = deployTEEVerifier(input);
         IBatchAuthenticator batchAuthenticator = deployBatchAuthenticator(input, output, teeVerifier, deployerAddress);
-        deployBatchInbox(input, output, batchAuthenticator, deployerAddress);
+        deployBatchInbox(input, output, batchAuthenticator);
         checkOutput(output);
     }
 
@@ -97,43 +99,53 @@ contract DeployEspresso is Script {
         public
         returns (IBatchAuthenticator)
     {
-        bytes32 salt = input.salt();
+        // Deploy implementation
         vm.broadcast(msg.sender);
-        IBatchAuthenticator impl = IBatchAuthenticator(
-            DeployUtils.create2({
-                _name: "BatchAuthenticator",
-                _salt: salt,
-                _args: DeployUtils.encodeConstructor(
-                    abi.encodeCall(
-                        IBatchAuthenticator.__constructor__,
-                        (address(teeVerifier), input.teeBatcher(), input.nonTeeBatcher(), owner)
-                    )
-                )
-            })
-        );
+        BatchAuthenticator impl = new BatchAuthenticator();
         vm.label(address(impl), "BatchAuthenticatorImpl");
 
-        output.set(output.batchAuthenticatorAddress.selector, address(impl));
-        return impl;
+        // Prepare initialization data
+        bytes memory initData = abi.encodeWithSelector(
+            BatchAuthenticator.initialize.selector, teeVerifier, input.teeBatcher(), input.nonTeeBatcher(), owner
+        );
+
+        // Deploy proxy
+        vm.broadcast(msg.sender);
+        ERC1967Proxy proxy = new ERC1967Proxy(address(impl), initData);
+        vm.label(address(proxy), "BatchAuthenticatorProxy");
+
+        output.set(output.batchAuthenticatorAddress.selector, address(proxy));
+        return IBatchAuthenticator(address(proxy));
     }
 
     function deployTEEVerifier(DeployEspressoInput input) public returns (IEspressoTEEVerifier) {
         IEspressoNitroTEEVerifier nitroTEEVerifier = IEspressoNitroTEEVerifier(input.nitroTEEVerifier());
+
+        // Deploy implementation
         vm.broadcast(msg.sender);
-        IEspressoTEEVerifier impl = new EspressoTEEVerifier(
-            // SGX TEE verifier is not yet implemented
-            IEspressoSGXTEEVerifier(address(0)),
-            nitroTEEVerifier
-        );
+        EspressoTEEVerifier impl = new EspressoTEEVerifier();
         vm.label(address(impl), "EspressoTEEVerifierImpl");
-        return impl;
+
+        // Prepare initialization data
+        bytes memory initData = abi.encodeWithSelector(
+            EspressoTEEVerifier.initialize.selector,
+            IEspressoSGXTEEVerifier(address(0)), // SGX TEE verifier not yet implemented
+            nitroTEEVerifier,
+            msg.sender // initial owner
+        );
+
+        // Deploy proxy
+        vm.broadcast(msg.sender);
+        ERC1967Proxy proxy = new ERC1967Proxy(address(impl), initData);
+        vm.label(address(proxy), "EspressoTEEVerifierProxy");
+
+        return IEspressoTEEVerifier(address(proxy));
     }
 
     function deployBatchInbox(
         DeployEspressoInput input,
         DeployEspressoOutput output,
-        IBatchAuthenticator batchAuthenticator,
-        address owner
+        IBatchAuthenticator batchAuthenticator
     )
         public
     {
@@ -144,7 +156,7 @@ contract DeployEspresso is Script {
                 _name: "BatchInbox",
                 _salt: salt,
                 _args: DeployUtils.encodeConstructor(
-                    abi.encodeCall(IBatchInbox.__constructor__, (address(batchAuthenticator), owner))
+                    abi.encodeCall(IBatchInbox.__constructor__, (address(batchAuthenticator)))
                 )
             })
         );