Add persistent circuit key storage and verifying key endpoints

- prover/keystore.go: save/load pk, vk, cs to disk; export Solidity verifier
- -key-dir flag enables persistence (keys cached after first compile)
- GET /api/vk/{circuit} — download raw verifying key
- GET /api/vk/{circuit}/solidity — download Solidity verifier contract
- Second startup with -key-dir loads cached keys instantly (skips compilation)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: stackdump

CLAUDE.md

@@ -17,6 +17,7 @@ make test             # Run tests
 -data ./data                Data directory for CID storage
 -no-prover                  Disable ZK prover (faster startup)
 -no-solgen                  Disable Solidity generation endpoints
+-key-dir ./keys             Persist circuit keys for fast restarts
 -compile path/to/file.btw   Compile .btw file to JSON schema on stdout
 ```
 
@@ -54,6 +55,8 @@ make test             # Run tests
 - `POST /api/compile` — compile .btw DSL source to schema JSON
 - `GET /api/circuits` — list available ZK circuits
 - `POST /api/prove` — submit witness for ZK proof generation
+- `GET /api/vk/{circuit}` — download verifying key (binary)
+- `GET /api/vk/{circuit}/solidity` — download Solidity verifier contract
 
 ## Dependencies
 

cmd/bitwrap/main.go

@@ -19,6 +19,7 @@ func main() {
 	dataDir := flag.String("data", "./data", "Data directory for storage")
 	noProver := flag.Bool("no-prover", false, "Disable ZK prover (faster startup)")
 	noSolgen := flag.Bool("no-solgen", false, "Disable Solidity generation endpoints")
+	keyDir := flag.String("key-dir", "", "Directory for persistent circuit keys (enables fast restarts)")
 	compile := flag.String("compile", "", "Compile a .btw file and output JSON schema to stdout")
 	flag.Parse()
 
@@ -53,6 +54,7 @@ func main() {
 	srv := server.New(storage, publicFS, server.Options{
 		EnableProver:   !*noProver,
 		EnableSolidity: !*noSolgen,
+		KeyDir:         *keyDir,
 	})
 
 	addr := fmt.Sprintf(":%d", *port)

internal/server/server.go

@@ -24,6 +24,7 @@ import (
 type Options struct {
 	EnableProver   bool
 	EnableSolidity bool
+	KeyDir         string // directory for persistent circuit keys (empty = no persistence)
 }
 
 // Server is the bitwrap HTTP server.
@@ -32,6 +33,7 @@ type Server struct {
 	publicFS   fs.FS
 	opts       Options
 	proverSvc  *prover.Service
+	keyStore   *prover.KeyStore
 }
 
 // New creates a new server.
@@ -40,11 +42,12 @@ func New(s *store.FSStore, publicFS fs.FS, opts Options) *Server {
 	if opts.EnableProver {
 		log.Printf("Initializing ZK prover (compiling circuits)...")
 		start := time.Now()
-		svc, err := prover.NewArcnetService()
+		svc, ks, err := prover.NewArcnetService(opts.KeyDir)
 		if err != nil {
 			log.Printf("WARNING: ZK prover initialization failed: %v", err)
 		} else {
 			srv.proverSvc = svc
+			srv.keyStore = ks
 			log.Printf("ZK prover ready (%d circuits compiled in %v)", len(svc.Prover().ListCircuits()), time.Since(start))
 		}
 	}
@@ -97,6 +100,8 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		s.handleProve(w, r)
 	case r.URL.Path == "/api/circuits":
 		s.handleCircuits(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/vk/"):
+		s.handleVK(w, r)
 	case r.URL.Path == "/api/compile" && r.Method == http.MethodPost:
 		s.handleCompile(w, r)
 
@@ -598,6 +603,48 @@ func (s *Server) handleCircuits(w http.ResponseWriter, r *http.Request) {
 	json.NewEncoder(w).Encode(map[string]interface{}{"circuits": circuits})
 }
 
+// handleVK serves verifying key data for a circuit.
+// GET /api/vk/{circuit} — raw verifying key bytes
+// GET /api/vk/{circuit}/solidity — Solidity verifier contract
+func (s *Server) handleVK(w http.ResponseWriter, r *http.Request) {
+	if s.keyStore == nil {
+		http.Error(w, "Key store not enabled (start with -key-dir flag)", http.StatusServiceUnavailable)
+		return
+	}
+
+	path := strings.TrimPrefix(r.URL.Path, "/api/vk/")
+	parts := strings.SplitN(path, "/", 2)
+	circuit := parts[0]
+
+	if !s.keyStore.Has(circuit) {
+		http.Error(w, fmt.Sprintf("circuit %q not found", circuit), http.StatusNotFound)
+		return
+	}
+
+	// GET /api/vk/{circuit}/solidity
+	if len(parts) == 2 && parts[1] == "solidity" {
+		sol, err := s.keyStore.ExportSolidityVerifier(circuit)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		w.Header().Set("Content-Type", "text/plain")
+		w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=Verifier_%s.sol", circuit))
+		w.Write(sol)
+		return
+	}
+
+	// GET /api/vk/{circuit} — raw binary key
+	vkBytes, err := s.keyStore.ExportVerifyingKey(circuit)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "application/octet-stream")
+	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s.vk", circuit))
+	w.Write(vkBytes)
+}
+
 // handleCompile compiles a .btw DSL source to metamodel schema JSON.
 func (s *Server) handleCompile(w http.ResponseWriter, r *http.Request) {
 	src, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))

prover/keystore.go

@@ -0,0 +1,223 @@
+package prover
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/consensys/gnark-crypto/ecc"
+	"github.com/consensys/gnark/backend/groth16"
+	"github.com/consensys/gnark/frontend"
+	"github.com/rs/zerolog/log"
+)
+
+// KeyStore manages persistent storage of compiled circuit keys.
+type KeyStore struct {
+	dir string
+}
+
+// NewKeyStore creates a key store at the given directory.
+func NewKeyStore(dir string) (*KeyStore, error) {
+	if err := os.MkdirAll(dir, 0755); err != nil {
+		return nil, fmt.Errorf("create keystore dir: %w", err)
+	}
+	return &KeyStore{dir: dir}, nil
+}
+
+// Has returns true if keys exist for the named circuit.
+func (ks *KeyStore) Has(name string) bool {
+	_, err := os.Stat(ks.pkPath(name))
+	return err == nil
+}
+
+// Save writes a compiled circuit's keys to disk.
+func (ks *KeyStore) Save(name string, cc *CompiledCircuit) error {
+	// Save constraint system
+	{
+		f, err := os.Create(ks.csPath(name))
+		if err != nil {
+			return fmt.Errorf("save cs %s: %w", name, err)
+		}
+		if _, err := cc.CS.WriteTo(f); err != nil {
+			f.Close()
+			return fmt.Errorf("write cs %s: %w", name, err)
+		}
+		f.Close()
+	}
+
+	// Save proving key
+	{
+		f, err := os.Create(ks.pkPath(name))
+		if err != nil {
+			return fmt.Errorf("save pk %s: %w", name, err)
+		}
+		if _, err := cc.ProvingKey.WriteTo(f); err != nil {
+			f.Close()
+			return fmt.Errorf("write pk %s: %w", name, err)
+		}
+		f.Close()
+	}
+
+	// Save verifying key
+	{
+		f, err := os.Create(ks.vkPath(name))
+		if err != nil {
+			return fmt.Errorf("save vk %s: %w", name, err)
+		}
+		if _, err := cc.VerifyingKey.WriteTo(f); err != nil {
+			f.Close()
+			return fmt.Errorf("write vk %s: %w", name, err)
+		}
+		f.Close()
+	}
+
+	log.Debug().Str("circuit", name).Str("dir", ks.dir).Msg("Keys saved")
+	return nil
+}
+
+// Load reads a compiled circuit's keys from disk.
+func (ks *KeyStore) Load(name string) (*CompiledCircuit, error) {
+	cs := groth16.NewCS(ecc.BN254)
+	{
+		f, err := os.Open(ks.csPath(name))
+		if err != nil {
+			return nil, fmt.Errorf("load cs %s: %w", name, err)
+		}
+		if _, err := cs.ReadFrom(f); err != nil {
+			f.Close()
+			return nil, fmt.Errorf("read cs %s: %w", name, err)
+		}
+		f.Close()
+	}
+
+	pk := groth16.NewProvingKey(ecc.BN254)
+	{
+		f, err := os.Open(ks.pkPath(name))
+		if err != nil {
+			return nil, fmt.Errorf("load pk %s: %w", name, err)
+		}
+		if _, err := pk.ReadFrom(f); err != nil {
+			f.Close()
+			return nil, fmt.Errorf("read pk %s: %w", name, err)
+		}
+		f.Close()
+	}
+
+	vk := groth16.NewVerifyingKey(ecc.BN254)
+	{
+		f, err := os.Open(ks.vkPath(name))
+		if err != nil {
+			return nil, fmt.Errorf("load vk %s: %w", name, err)
+		}
+		if _, err := vk.ReadFrom(f); err != nil {
+			f.Close()
+			return nil, fmt.Errorf("read vk %s: %w", name, err)
+		}
+		f.Close()
+	}
+
+	return &CompiledCircuit{
+		Name:         name,
+		CS:           cs,
+		ProvingKey:   pk,
+		VerifyingKey: vk,
+		Constraints:  cs.GetNbConstraints(),
+		PublicVars:   cs.GetNbPublicVariables(),
+		PrivateVars:  cs.GetNbSecretVariables(),
+	}, nil
+}
+
+// CompileAndSave compiles a circuit and persists the keys.
+// If keys already exist on disk, loads them instead (skipping compilation).
+func (ks *KeyStore) CompileAndSave(p *Prover, name string, circuit frontend.Circuit) (*CompiledCircuit, error) {
+	if ks.Has(name) {
+		log.Debug().Str("circuit", name).Msg("Loading cached keys")
+		return ks.Load(name)
+	}
+
+	log.Debug().Str("circuit", name).Msg("Compiling circuit (no cached keys)")
+	cc, err := p.CompileCircuit(name, circuit)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := ks.Save(name, cc); err != nil {
+		log.Warn().Err(err).Str("circuit", name).Msg("Failed to save keys (will recompile next time)")
+	}
+
+	return cc, nil
+}
+
+// ExportVerifyingKey returns the raw bytes of a verifying key.
+func (ks *KeyStore) ExportVerifyingKey(name string) ([]byte, error) {
+	return os.ReadFile(ks.vkPath(name))
+}
+
+// ExportSolidityVerifier generates a Solidity verifier contract for a circuit.
+func (ks *KeyStore) ExportSolidityVerifier(name string) ([]byte, error) {
+	vk := groth16.NewVerifyingKey(ecc.BN254)
+	f, err := os.Open(ks.vkPath(name))
+	if err != nil {
+		return nil, fmt.Errorf("load vk %s: %w", name, err)
+	}
+	if _, err := vk.ReadFrom(f); err != nil {
+		f.Close()
+		return nil, fmt.Errorf("read vk %s: %w", name, err)
+	}
+	f.Close()
+
+	var buf bytes.Buffer
+	if err := vk.ExportSolidity(&buf); err != nil {
+		return nil, fmt.Errorf("export solidity verifier %s: %w", name, err)
+	}
+	return buf.Bytes(), nil
+}
+
+// Purge removes all cached keys for a circuit (forces recompilation).
+func (ks *KeyStore) Purge(name string) error {
+	for _, path := range []string{ks.csPath(name), ks.pkPath(name), ks.vkPath(name)} {
+		os.Remove(path)
+	}
+	log.Debug().Str("circuit", name).Msg("Keys purged")
+	return nil
+}
+
+// PurgeAll removes all cached keys.
+func (ks *KeyStore) PurgeAll() error {
+	entries, err := os.ReadDir(ks.dir)
+	if err != nil {
+		return err
+	}
+	for _, e := range entries {
+		os.Remove(filepath.Join(ks.dir, e.Name()))
+	}
+	log.Debug().Str("dir", ks.dir).Msg("All keys purged")
+	return nil
+}
+
+// RegisterWithKeyStore compiles circuits using the key store for caching.
+func RegisterWithKeyStore(p *Prover, ks *KeyStore, circuits map[string]frontend.Circuit) error {
+	for name, circuit := range circuits {
+		cc, err := ks.CompileAndSave(p, name, circuit)
+		if err != nil {
+			return fmt.Errorf("circuit %s: %w", name, err)
+		}
+		p.StoreCircuit(name, cc)
+	}
+	return nil
+}
+
+// Path helpers
+
+func (ks *KeyStore) csPath(name string) string {
+	return filepath.Join(ks.dir, name+".cs")
+}
+
+func (ks *KeyStore) pkPath(name string) string {
+	return filepath.Join(ks.dir, name+".pk")
+}
+
+func (ks *KeyStore) vkPath(name string) string {
+	return filepath.Join(ks.dir, name+".vk")
+}

prover/service.go

@@ -230,20 +230,48 @@ func (f *ArcnetWitnessFactory) CreateAssignment(circuitName string, witness map[
 }
 
 // NewArcnetService creates a new prover service with arcnet's circuits and witness factory.
-func NewArcnetService() (*Service, error) {
+// If keyDir is non-empty, keys are persisted to disk for fast restarts.
+func NewArcnetService(keyDir string) (*Service, *KeyStore, error) {
 	p := NewProver()
 
 	log.Info().Msg("Registering standard circuits...")
 	start := time.Now()
 
-	if err := RegisterStandardCircuits(p); err != nil {
-		return nil, fmt.Errorf("failed to register circuits: %w", err)
+	var ks *KeyStore
+	if keyDir != "" {
+		var err error
+		ks, err = NewKeyStore(keyDir)
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to create keystore: %w", err)
+		}
+
+		circuits := standardCircuits()
+		if err := RegisterWithKeyStore(p, ks, circuits); err != nil {
+			return nil, nil, fmt.Errorf("failed to register circuits: %w", err)
+		}
+	} else {
+		if err := RegisterStandardCircuits(p); err != nil {
+			return nil, nil, fmt.Errorf("failed to register circuits: %w", err)
+		}
 	}
 
 	log.Info().
 		Dur("elapsed", time.Since(start)).
 		Int("circuits", len(p.ListCircuits())).
+		Bool("cached", ks != nil).
 		Msg("Circuits registered")
 
-	return goprover.NewService(p, &ArcnetWitnessFactory{}), nil
+	return goprover.NewService(p, &ArcnetWitnessFactory{}), ks, nil
+}
+
+// standardCircuits returns the circuit definitions (without compiling them).
+func standardCircuits() map[string]frontend.Circuit {
+	return map[string]frontend.Circuit{
+		"transfer":     &TransferCircuit{},
+		"transferFrom": &TransferFromCircuit{},
+		"mint":         &MintCircuit{},
+		"burn":         &BurnCircuit{},
+		"approve":      &ApproveCircuit{},
+		"vestClaim":    &VestingClaimCircuit{},
+	}
 }