Circuit artifact rotation runbook (without breaking historical verification)
This runbook defines how to rotate Groth16 circuit artifacts while preserving historical attestation verification guarantees.
Invariants
- No silent rotation: every artifact change is versioned and committed.
- Manifest is canonical: `ARTIFACT_MANIFEST.json` pins canonical hashes and zkey path per circuit.
- Historical attestations remain verifiable via embedded verification key/hash + profile checks.
- Pin enforcement is explicit: verifier pin checks are enabled by passing `circuitRegistry`.
Rotation workflow
- Rebuild circuit artifacts (`.wasm`, `.r1cs`, `.zkey`, `.vkey.json`).
- If production path, run MPC ceremony and produce transcript JSON.
- Update manifest pins:
  - `npm run manifest:generate`
  - `npm run manifest:post-mpc -- --transcript <path> --circuit-dir <dir> --refresh-hashes`
- Update `conformance/circuit-registry.example.json` from manifest (or equivalent registry source).
- Run audit suite + terminology checks:
  - `npm run test:audit-suite`
  - `npm run docs:check-terms`
- Commit in provenance order:
  - ceremony artifacts
  - manifest/governance/docs pinning
Backward-compat policy
- Historical attestation validity: determined by embedded proof + embedded verification key + signature + selected verification profile.
- New registry pin mismatch checks only apply when verifier is configured with `circuitRegistry` and attestation includes `circuit` metadata.
- Deprecation is explicit: mark circuit as deprecated in registry; do not remove old artifacts until retention window ends.
Upgrade matrix
| Attestation | Verifier | Expected result (VDI_VERIFY_STANDARD_V1) | Expected result (VDI_VERIFY_STRICT_V1) |
|---|---|---|---|
| old artifact set | new verifier (no circuitRegistry) | PASS if embedded proof/signature/timestamps pass | PASS if strict checks (revocation + authority binding) pass |
| old artifact set | new verifier (circuitRegistry enabled) | PASS if circuit_hash matches pin; else VDI_ERR_CIRCUIT_HASH_MISMATCH | same as STANDARD + strict-only checks |
| new artifact set | old verifier | PASS if schema fields understood and embedded cryptographic checks pass | PASS/FAIL per old strict implementation semantics |
| new artifact set | new verifier (circuitRegistry enabled) | PASS when manifest/registry pins updated in lockstep | same as STANDARD + strict-only checks |
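
The pin-check rules from the backward-compat policy and the upgrade matrix, as an added example (not the project's verifier code). The `checkCircuitPin` function, the `circuit.id` field, the per-circuit list of pins with a `deprecated` flag, and all hash values are assumptions made for illustration.

```javascript
// Added illustration: field names and registry shape are assumptions,
// not the project's schema. Hashes are constructed placeholders.
const OLD_HASH = "11".repeat(32); // constructed: pre-rotation circuit_hash
const NEW_HASH = "22".repeat(32); // constructed: post-rotation circuit_hash

// Hypothetical registry after rotation: the old version is kept and marked
// deprecated rather than removed, so historical attestations still match a pin.
const circuitRegistry = {
  "example-circuit": [
    { circuit_hash: OLD_HASH, deprecated: true },
    { circuit_hash: NEW_HASH, deprecated: false },
  ],
};

// What a silent rotation would look like: the old pin is overwritten.
const overwrittenRegistry = {
  "example-circuit": [{ circuit_hash: NEW_HASH, deprecated: false }],
};

// Pin check only; embedded proof, signature and profile checks run elsewhere.
function checkCircuitPin(attestation, options = {}) {
  const registry = options.circuitRegistry;
  const meta = attestation.circuit;
  // Pin enforcement is opt-in: without a registry or circuit metadata, skip it.
  if (!registry || !meta) return { ok: true, pinChecked: false };
  // Own-property lookup so ids like "__proto__" never resolve to a pin list.
  const known = Object.prototype.hasOwnProperty.call(registry, meta.id);
  const pin = (known ? registry[meta.id] : []).find(
    (p) => p.circuit_hash === meta.circuit_hash
  );
  if (!pin) {
    return { ok: false, pinChecked: true, error: "VDI_ERR_CIRCUIT_HASH_MISMATCH" };
  }
  return { ok: true, pinChecked: true, deprecated: pin.deprecated };
}

// Constructed attestations, reduced to the metadata the pin check reads.
const oldAttestation = { circuit: { id: "example-circuit", circuit_hash: OLD_HASH } };
const newAttestation = { circuit: { id: "example-circuit", circuit_hash: NEW_HASH } };
const legacyAttestation = {}; // no circuit metadata at all

console.log(checkCircuitPin(oldAttestation));                      // no registry
console.log(checkCircuitPin(oldAttestation, { circuitRegistry })); // deprecated pin
console.log(checkCircuitPin(oldAttestation, { circuitRegistry: overwrittenRegistry }));
console.log(checkCircuitPin(newAttestation, { circuitRegistry }));
console.log(checkCircuitPin(legacyAttestation, { circuitRegistry }));
```

The third call shows why the runbook forbids removing old pins before the retention window ends: the same historical attestation that passed against the deprecated pin fails once that pin is overwritten.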
Emergency rollback
- Revert to prior manifest + registry pins commit.
- Keep prior artifacts available.
- Mark bad artifact version deprecated in registry metadata.
- Re-run `npm run artifact:status` and attach output to incident ticket.
