Add circuit commitment to ENS registry and verify against vkey

- EnsSpecEntry gains optional circuits field: SHA-256 hashes of
  verification keys keyed by function name
- Admin page presets include circuit hashes for transfer and approve
- prover.ts: add getVkeyHash() to compute SHA-256 of the vkey JSON
- Proof step: after proof verification, checks if the local vkey hash
  matches the hash committed in the ENS registry record
- Shows green "Circuit commitment matches ENS registry" when hashes
  match, or amber warning when not found

The user needs to re-register USDC via the admin page to include
the circuits field in the ENS text record.

Author: Th0rgal

src/app/clear-signing/admin/page.tsx

@@ -24,6 +24,10 @@ const PRESET_SPECS: Record<string, EnsSpecEntry> = {
     type: "token",
     decimals: 6,
     symbol: "USDC",
+    circuits: {
+      transfer: "7a97aa1eb1a3aa3650a45efe1142ef01f45bf8c3b162c382c33f74bfd21d1435",
+      approve: "dd2bcbb99a4830637a7ec903932d134e83d094cd2e51e6ffb38cd48e8251ef0f",
+    },
   },
   "0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D": {
     specName: "UniswapV2Router",

src/app/clear-signing/engine/ens.ts

@@ -23,6 +23,9 @@ export type EnsSpecEntry = {
   type: "token" | "protocol" | "contract" | "ens";
   decimals?: number;
   symbol?: string;
+  /** SHA-256 hashes of verification keys, keyed by function name.
+   *  Pins the exact circuit that was compiled from this spec. */
+  circuits?: Record<string, string>;
 };
 
 // ─── Internals ──────────────────────────────────────────────────────────────

src/app/clear-signing/engine/prover.ts

@@ -78,6 +78,33 @@ function getCircuitName(
   return CIRCUIT_REGISTRY[`${specName}:${functionName}`] ?? null;
 }
 
+/**
+ * Compute the SHA-256 hash of a circuit's verification key.
+ * Used to verify that the circuit matches the ENS registry commitment.
+ */
+export async function getVkeyHash(
+  specName: string,
+  functionName: string
+): Promise<string | null> {
+  const circuitName = getCircuitName(specName, functionName);
+  if (!circuitName) return null;
+
+  const vkeyPath = `/circuits/${circuitName}/vkey.json`;
+  try {
+    const response = await fetch(vkeyPath);
+    const vkeyText = await response.text();
+    const hashBuffer = await crypto.subtle.digest(
+      "SHA-256",
+      new TextEncoder().encode(vkeyText)
+    );
+    return Array.from(new Uint8Array(hashBuffer))
+      .map((b) => b.toString(16).padStart(2, "0"))
+      .join("");
+  } catch {
+    return null;
+  }
+}
+
 // ─── Uint256 Splitting ──────────────────────────────────────────────────────
 
 /**

src/app/clear-signing/page.tsx

@@ -13,8 +13,10 @@ import {
 import {
   hasCircuit,
   generateAndVerifyProof,
+  getVkeyHash,
   type ProofResult,
 } from "./engine/prover";
+import { readSpecFromEns, type EnsSpecEntry } from "./engine/ens";
 import { DEMO_EXAMPLE } from "./engine/examples";
 import type {
   IntentSpec,
@@ -52,6 +54,12 @@ type Step =
       status: "pending" | "success" | "error" | "unavailable";
       result: ProofResult | null;
       error?: string;
+      /** Circuit commitment verification against ENS */
+      circuitCheck?: {
+        ensHash: string | null;
+        localHash: string | null;
+        match: boolean;
+      };
     };
 
 // ─── Helpers ────────────────────────────────────────────────────────────────
@@ -734,6 +742,42 @@ function ProofStep({
           </p>
         </div>
 
+        {step.circuitCheck && (
+          <div className={`px-4 py-3 rounded-lg border ${
+            step.circuitCheck.match
+              ? "border-emerald-200 bg-emerald-50"
+              : "border-amber-200 bg-amber-50"
+          }`}>
+            <p className={`text-[13px] font-medium ${
+              step.circuitCheck.match ? "text-emerald-800" : "text-amber-800"
+            }`}>
+              {step.circuitCheck.match
+                ? "Circuit commitment matches ENS registry"
+                : "Circuit commitment not found in ENS registry"}
+            </p>
+            <div className="mt-1.5 font-mono text-[11px] space-y-0.5">
+              <div className="flex gap-2">
+                <span className={step.circuitCheck.match ? "text-emerald-600" : "text-amber-600"}>
+                  vkey hash:
+                </span>
+                <span className="break-all text-secondary">
+                  {step.circuitCheck.localHash?.slice(0, 16)}...
+                </span>
+              </div>
+              {step.circuitCheck.ensHash && (
+                <div className="flex gap-2">
+                  <span className={step.circuitCheck.match ? "text-emerald-600" : "text-amber-600"}>
+                    ENS record:
+                  </span>
+                  <span className="break-all text-secondary">
+                    {step.circuitCheck.ensHash.slice(0, 16)}...
+                  </span>
+                </div>
+              )}
+            </div>
+          </div>
+        )}
+
         <details>
           <summary className="text-[13px] text-amber-600 cursor-pointer select-none hover:text-amber-700 transition-colors">
             View trust assumption
@@ -902,11 +946,25 @@ export default function ClearSigningPage() {
             params,
             emitted
           );
+
+          // Verify circuit commitment against ENS registry
+          let circuitCheck: { ensHash: string | null; localHash: string | null; match: boolean } | undefined;
+          const ensEntry = await readSpecFromEns(contractAddress);
+          const localHash = await getVkeyHash(spec.contractName, binding.intentFnName);
+          if (ensEntry?.circuits && localHash) {
+            const ensHash = ensEntry.circuits[binding.intentFnName] ?? null;
+            circuitCheck = {
+              ensHash,
+              localHash,
+              match: ensHash === localHash,
+            };
+          }
+
           setSteps((prev) => {
             const updated = [...prev];
             const idx = updated.findIndex((s) => s.kind === "proof");
             if (idx >= 0) {
-              updated[idx] = { kind: "proof", status: "success", result };
+              updated[idx] = { kind: "proof", status: "success", result, circuitCheck };
             }
             return updated;
           });