Add ZK Polls: anonymous voting with Groth16 proofs

Vote template (ERC pattern), VoteCast ZK circuit (14.6k constraints),
poll lifecycle API with server-side proof verification, voting UI at
/poll, and on-chain governance contracts with IVerifier integration.

- erc/vote.go: Vote template with voterRegistry, nullifiers, tallies
- prover/circuits.go: VoteCastCircuit (Merkle inclusion + nullifier binding)
- internal/server/polls.go: CRUD + vote endpoints with ZK verification
- internal/server/auth.go: EIP-191 wallet signature recovery (secp256k1)
- internal/server/ratelimit.go: IP + wallet rate limiting (5/hr)
- solidity/codegen.go: IVerifier interface, proof-gated castVote
- public/poll.html + poll.js: Create/vote/results UI + Foundry bundle download
- Foundry tests: 8/8 pass including double-vote and inactive-poll reverts

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: stackdump

erc/erc000.go

@@ -17,6 +17,7 @@ const (
 	StandardERC04626 Standard = "ERC-04626"
 	StandardERC05725 Standard = "ERC-05725"
 	StandardBridge   Standard = "Bridge"
+	StandardVote     Standard = "Vote"
 )
 
 // TokenMetadata holds common token metadata.

erc/vote.go

@@ -0,0 +1,76 @@
+package erc
+
+import (
+	"github.com/stackdump/bitwrap-io/arc"
+	"github.com/stackdump/bitwrap-io/internal/metamodel"
+)
+
+// Vote represents a ZK Poll voting template.
+type Vote struct {
+	BaseTemplate
+}
+
+// NewVote creates a new ZK Poll voting template.
+func NewVote(name string) *Vote {
+	schema := metamodel.NewSchema(name)
+	schema.Version = "Vote:1.0.0"
+
+	// States
+	schema.AddState(metamodel.State{ID: "voterRegistry", Type: "map[uint256]uint256", Exported: true})
+	schema.AddState(metamodel.State{ID: "nullifiers", Type: "map[uint256]bool", Exported: true})
+	schema.AddState(metamodel.State{ID: "tallies", Type: "map[uint256]uint256", Exported: true})
+	schema.AddState(metamodel.State{ID: "pollConfig", Type: "uint256"})
+
+	// Actions
+	schema.AddAction(metamodel.Action{ID: "createPoll", Guard: "pollConfig == 0", EventID: "PollCreated"})
+	schema.AddAction(metamodel.Action{ID: "castVote", Guard: "pollConfig == 1 && nullifiers[nullifier] == false", EventID: "VoteCast"})
+	schema.AddAction(metamodel.Action{ID: "closePoll", Guard: "pollConfig == 1", EventID: "PollClosed"})
+
+	// Arcs
+	// castVote -> tallies (each vote counts as 1)
+	schema.AddArc(metamodel.Arc{Source: "castVote", Target: "tallies", Keys: []string{"choice"}, Value: "1"})
+	// castVote -> nullifiers (mark nullifier as used to prevent double-voting)
+	schema.AddArc(metamodel.Arc{Source: "castVote", Target: "nullifiers", Keys: []string{"nullifier"}, Value: "true"})
+	// Note: voterRegistry is verified via ZK proof (Merkle inclusion), not via on-chain arc
+
+	// Events
+	schema.AddEvent(metamodel.Event{
+		ID:        "PollCreated",
+		Signature: "PollCreated(uint256,uint256,uint256)",
+		Topic:     "0x1c9c94bf784c3abe5ad5e8f368e489aad039ae0b4efcf53f28d01c8e1f8e0e4a",
+		Parameters: []metamodel.EventParameter{
+			{Name: "epoch", Type: "uint256"},
+			{Name: "seq", Type: "uint256"},
+			{Name: "pollId", Type: "uint256", Indexed: true},
+		},
+	})
+	schema.AddEvent(metamodel.Event{
+		ID:        "VoteCast",
+		Signature: "VoteCast(uint256,uint256,uint256,uint256)",
+		Topic:     "0x3a4d2e8dd6e4076b2f2e9e3b6dbde64e1df44c23e6f5c4e8b19a76c38d4f1b2d",
+		Parameters: []metamodel.EventParameter{
+			{Name: "epoch", Type: "uint256"},
+			{Name: "seq", Type: "uint256"},
+			{Name: "nullifier", Type: "uint256", Indexed: true},
+			{Name: "choice", Type: "uint256"},
+		},
+	})
+	schema.AddEvent(metamodel.Event{
+		ID:        "PollClosed",
+		Signature: "PollClosed(uint256,uint256,uint256)",
+		Topic:     "0x5e2f8a95e5b3c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1",
+		Parameters: []metamodel.EventParameter{
+			{Name: "epoch", Type: "uint256"},
+			{Name: "seq", Type: "uint256"},
+			{Name: "pollId", Type: "uint256", Indexed: true},
+		},
+	})
+
+	model := arc.FromSchema(schema)
+	return &Vote{BaseTemplate: BaseTemplate{
+		schema:   schema,
+		model:    model,
+		metadata: TokenMetadata{Name: name, Symbol: "VOTE", Standard: StandardVote},
+		standard: StandardVote,
+	}}
+}

go.mod

@@ -12,6 +12,7 @@ require (
 	github.com/pflow-xyz/go-pflow v0.9.0
 	github.com/piprate/json-gold v0.7.0
 	github.com/rs/zerolog v1.34.0
+	golang.org/x/crypto v0.44.0
 	golang.org/x/sync v0.18.0
 )
 
@@ -36,7 +37,6 @@ require (
 	github.com/spaolacci/murmur3 v1.1.0 // indirect
 	github.com/stretchr/testify v1.10.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	golang.org/x/crypto v0.44.0 // indirect
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
 	golang.org/x/sys v0.39.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

internal/server/auth.go

@@ -0,0 +1,148 @@
+package server
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"math/big"
+	"strings"
+
+	"golang.org/x/crypto/sha3"
+)
+
+// secp256k1 curve parameters
+var secp256k1 = &elliptic.CurveParams{
+	P:       fromHex("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F"),
+	N:       fromHex("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141"),
+	B:       big.NewInt(7),
+	Gx:      fromHex("79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798"),
+	Gy:      fromHex("483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8"),
+	BitSize: 256,
+	Name:    "secp256k1",
+}
+
+func fromHex(s string) *big.Int {
+	n, _ := new(big.Int).SetString(s, 16)
+	return n
+}
+
+// keccak256 computes the Keccak-256 hash.
+func keccak256(data []byte) []byte {
+	h := sha3.NewLegacyKeccak256()
+	h.Write(data)
+	return h.Sum(nil)
+}
+
+// RecoverAddress recovers an Ethereum address from an EIP-191 personal_sign signature.
+// message: the original message text (without prefix)
+// signature: hex-encoded 65-byte signature (r || s || v)
+func RecoverAddress(message string, signature string) (string, error) {
+	sig, err := hex.DecodeString(strings.TrimPrefix(signature, "0x"))
+	if err != nil {
+		return "", fmt.Errorf("invalid signature hex: %w", err)
+	}
+	if len(sig) != 65 {
+		return "", fmt.Errorf("signature must be 65 bytes, got %d", len(sig))
+	}
+
+	// EIP-191 personal_sign prefix
+	prefix := fmt.Sprintf("\x19Ethereum Signed Message:\n%d", len(message))
+	hash := keccak256(append([]byte(prefix), []byte(message)...))
+
+	// Extract r, s, v from signature
+	r := new(big.Int).SetBytes(sig[:32])
+	s := new(big.Int).SetBytes(sig[32:64])
+	v := sig[64]
+
+	// Normalize v (27/28 -> 0/1)
+	if v >= 27 {
+		v -= 27
+	}
+	if v > 1 {
+		return "", errors.New("invalid signature recovery id")
+	}
+
+	// Recover public key
+	pubKey, err := recoverPubKey(hash, r, s, v)
+	if err != nil {
+		return "", fmt.Errorf("public key recovery failed: %w", err)
+	}
+
+	// Derive Ethereum address from public key
+	pubBytes := elliptic.Marshal(secp256k1, pubKey.X, pubKey.Y)
+	addr := keccak256(pubBytes[1:]) // skip 0x04 prefix
+	return "0x" + hex.EncodeToString(addr[12:]), nil
+}
+
+// recoverPubKey recovers the ECDSA public key from a signature.
+func recoverPubKey(hash []byte, r, s *big.Int, v byte) (*ecdsa.PublicKey, error) {
+	// Calculate R point on the curve
+	rx := new(big.Int).Set(r)
+	if v == 1 {
+		rx.Add(rx, secp256k1.N)
+	}
+
+	// Calculate y from x on secp256k1: y^2 = x^3 + 7
+	ry := decompressPoint(rx, v%2 == 1)
+	if ry == nil {
+		return nil, errors.New("invalid signature: point not on curve")
+	}
+
+	// R = (rx, ry)
+	// e = hash as big.Int
+	e := new(big.Int).SetBytes(hash)
+
+	// Recover public key: Q = r^-1 * (s*R - e*G)
+	rInv := new(big.Int).ModInverse(r, secp256k1.N)
+	if rInv == nil {
+		return nil, errors.New("invalid signature: r has no inverse")
+	}
+
+	// s*R
+	sRx, sRy := secp256k1.ScalarMult(rx, ry, s.Bytes())
+
+	// e*G
+	eGx, eGy := secp256k1.ScalarBaseMult(e.Bytes())
+
+	// s*R - e*G
+	eGy.Neg(eGy)
+	eGy.Mod(eGy, secp256k1.P)
+	sumX, sumY := secp256k1.Add(sRx, sRy, eGx, eGy)
+
+	// Q = r^-1 * (s*R - e*G)
+	qx, qy := secp256k1.ScalarMult(sumX, sumY, rInv.Bytes())
+
+	return &ecdsa.PublicKey{Curve: secp256k1, X: qx, Y: qy}, nil
+}
+
+// decompressPoint finds the y coordinate for a given x on secp256k1.
+func decompressPoint(x *big.Int, odd bool) *big.Int {
+	// y^2 = x^3 + 7 (mod p)
+	x3 := new(big.Int).Mul(x, x)
+	x3.Mul(x3, x)
+	x3.Mod(x3, secp256k1.P)
+
+	y2 := new(big.Int).Add(x3, big.NewInt(7))
+	y2.Mod(y2, secp256k1.P)
+
+	// sqrt via Tonelli-Shanks (p ≡ 3 mod 4 for secp256k1)
+	exp := new(big.Int).Add(secp256k1.P, big.NewInt(1))
+	exp.Rsh(exp, 2)
+	y := new(big.Int).Exp(y2, exp, secp256k1.P)
+
+	// Verify
+	check := new(big.Int).Mul(y, y)
+	check.Mod(check, secp256k1.P)
+	if check.Cmp(y2) != 0 {
+		return nil
+	}
+
+	// Adjust parity
+	if odd != (y.Bit(0) == 1) {
+		y.Sub(secp256k1.P, y)
+	}
+
+	return y
+}