Merged
24 changes: 0 additions & 24 deletions NOTICE
Original file line number Diff line number Diff line change
Expand Up @@ -41,22 +41,6 @@ Copyright (c) 2022 ICON Foundation
Licensed under the Apache License, Version 2.0
https://github.com/icon-project/blst-java

--------------------------------------------------------------------------
rapidsnark — Native Groth16 Prover (incubator/zeroj-prover-rapidsnark)
--------------------------------------------------------------------------
Copyright (c) 2021 0KIMS Association
Licensed under the GNU Lesser General Public License v3.0 (LGPL-3.0)
https://github.com/iden3/rapidsnark

The zeroj-prover-rapidsnark module downloads pre-compiled rapidsnark
shared libraries (librapidsnark.so/.dylib) from GitHub releases and
loads them via Java FFM at runtime. The binaries are NOT distributed
in this repository. As a dynamically-linked library, your own
application code is NOT subject to the LGPL. You may replace the
library with your own modified build. See
incubator/zeroj-prover-rapidsnark/NOTICE for LGPL-specific obligations.

--------------------------------------------------------------------------
halo2 — Zero-Knowledge Proving System (incubator/zeroj-verifier-halo2)
--------------------------------------------------------------------------
Copyright (c) 2020-2024 The Electric Coin Company
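Review bot: The deleted rapidsnark block is the only place in NOTICE that records that the module "downloads pre-compiled rapidsnark shared libraries ... from GitHub releases and loads them via Java FFM at runtime", so removing it is only correct if incubator/zeroj-prover-rapidsnark and its download step are deleted in the same PR. Please confirm nothing left in the tree still fetches or loads librapidsnark; if any of it stays, the LGPL attribution has to stay with it.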
Expand Down Expand Up @@ -104,11 +88,3 @@ Apache License, Version 2.0

A copy of the Apache License, Version 2.0 is available at:
https://www.apache.org/licenses/LICENSE-2.0

==========================================================================
GNU Lesser General Public License v3.0
==========================================================================

A copy of the LGPL-3.0 is included in:
incubator/zeroj-prover-rapidsnark/LICENSES/LGPL-3.0.txt
incubator/zeroj-prover-rapidsnark/LICENSES/GPL-3.0.txt
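Review bot: The removed footer pointed at incubator/zeroj-prover-rapidsnark/LICENSES/LGPL-3.0.txt and GPL-3.0.txt; those two files should be deleted in this PR as well, otherwise the repository keeps license texts that NOTICE no longer explains.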
46 changes: 32 additions & 14 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,9 +29,9 @@ ZeroJ lets Java developers **define ZK circuits**, **generate proofs**, **verify

### Verify On-Chain (Cardano Plutus V3)
- **Groth16 BLS12-381** — reusable Plutus V3 spending validator via Julc
- **PlonK BLS12-381** — full on-chain PlonK verifier with Fiat-Shamir transcript
- **PlonK BLS12-381** — experimental Julc prototype; Fiat-Shamir/inverse checks work, KZG pairing check is still deferred
- VK baked at deploy time, proof passed as redeemer, public inputs as datum
- **Proven end-to-end**: Java DSL circuit → pure Java prove → Yaci DevKit on-chain verify
- **Proven end-to-end for Groth16**: Java DSL circuit → pure Java prove → Yaci DevKit on-chain verify

### Anchor on Cardano L1
- 4 anchor patterns: proof hash, state root + proof hash, full verification ref, nullifier commitment
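Review bot: "KZG pairing check is still deferred" on the PlonK bullet understates the consequence: without the final pairing check the validator does not establish that a proof is valid, so it must not guard a spend. Say that in the bullet itself, and scope the unchanged "VK baked at deploy time, proof passed as redeemer" line to Groth16, since it still reads as applying to both verifiers.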
Expand Down Expand Up @@ -88,7 +88,10 @@ For production setup, use an MPC ceremony `.zkey` instead of `PowersOfTauBLS381.
```java
// Same circuit, but prove via gnark (10-50x faster, requires Go native lib)
try (var prover = new GnarkProver()) {
var result = prover.groth16FullProve(r1csBytes, witnessBytes, "bls12381");
var result = prover.groth16FullProve(r1cs, witness, CurveId.BLS12_381);
String proofJson = result.proveResponse().proofJson();
String vkJson = result.vkJson();
List<BigInteger> publicSignals = result.proveResponse().publicSignals();
}
```

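Review bot: In the new call `prover.groth16FullProve(r1cs, witness, CurveId.BLS12_381)` the arguments were renamed from `r1csBytes`/`witnessBytes` to `r1cs`/`witness`, and nothing in the snippet shows their types or where they come from; add the two declarations or a comment. The example also reads `result.vkJson()` from the same result as the proof, so a sentence telling readers to pin the verification key from setup, rather than accept one delivered alongside a proof, would keep this from being copied as a verification flow.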
Expand Down Expand Up @@ -124,9 +127,12 @@ The **pure Java prover and verifier require no optional dependencies**.
## Building

```bash
# Build everything (no native dependencies needed)
# Build the full repository, including opt-in WASM/native modules
./gradlew build

# Build the core privacy path only
./gradlew :zeroj-bom-core:build :zeroj-verifier-core:build :zeroj-verifier-groth16:build :zeroj-verifier-plonk:build :zeroj-crypto:build :zeroj-onchain-julc:build

# Run all tests (2680+ tests)
./gradlew test

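Review bot: The first comment now says `./gradlew build` includes "opt-in WASM/native modules" where it used to promise no native dependencies, but the block does not say which toolchains that requires or what happens when they are missing; list them here. The core-only command hard-codes six module paths and will drift from what `zeroj-bom-core` covers, so an aggregate Gradle task would be easier to keep in sync.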
Expand Down Expand Up @@ -164,7 +170,7 @@ The **pure Java prover and verifier require no optional dependencies**.

### Module Organization

#### Core Modules
#### Core Modules (`zeroj-bom-core`)

| Module | Description |
|--------|-------------|
Expand All @@ -174,35 +180,47 @@ The **pure Java prover and verifier require no optional dependencies**.
| [`zeroj-verifier-core`](zeroj-verifier-core/) | Verifier orchestration and backend routing |
| [`zeroj-verifier-groth16`](zeroj-verifier-groth16/) | Groth16 verification — BN254 (pure Java) + BLS12-381 (pure Java / blst) |
| [`zeroj-verifier-plonk`](zeroj-verifier-plonk/) | PlonK verification — BN254 + BLS12-381 (pure Java) |
| [`zeroj-bls12381`](zeroj-bls12381/) | Pure Java BLS12-381 field, curve, and pairing primitives |
| [`zeroj-blst`](zeroj-blst/) | BLS12-381 pairing operations via blst native library |
| [`zeroj-crypto`](zeroj-crypto/) | **Pure Java prover** — Montgomery field arithmetic, EC operations, Groth16 + PlonK for BN254 and BLS12-381 |
| [`zeroj-circuit-dsl`](zeroj-circuit-dsl/) | Java Circuit DSL — define circuits with CircuitSpec, compile to R1CS/PlonK/Halo2 |
| [`zeroj-circuit-lib`](zeroj-circuit-lib/) | Circuit standard library — Poseidon, PoseidonN, MiMC, MiMCSponge, Merkle, comparators, AliasCheck |
| [`zeroj-prover-spi`](zeroj-prover-spi/) | Minimal prover request/response SPI shared by prover implementations |
| [`zeroj-prover-gnark`](zeroj-prover-gnark/) | gnark native prover (Groth16 + PlonK) via FFM |
| [`zeroj-patterns`](zeroj-patterns/) | High-level ZK patterns — state transitions, nullifier claims, membership proofs |
| [`zeroj-submission`](zeroj-submission/) | Proof submission wire format, Ed25519 signatures |
| [`zeroj-ingestion`](zeroj-ingestion/) | Submission ingestion pipeline, governance, security checks |
| [`zeroj-cardano`](zeroj-cardano/) | Cardano anchoring — proof anchor model, metadata encoding |
| [`zeroj-ccl`](zeroj-ccl/) | Cardano Client Lib integration — fluent transaction helpers |
| [`zeroj-onchain-julc`](zeroj-onchain-julc/) | Reusable Plutus V3 on-chain verifiers (Groth16 + PlonK) via Julc |
| [`zeroj-onchain-julc`](zeroj-onchain-julc/) | Reusable Plutus V3 on-chain verifiers via Julc; Groth16 is production, PlonK is an experimental prototype |

#### Mainline Opt-In Modules (`zeroj-bom-all` only)

| Module | Description |
|--------|-------------|
| [`zeroj-bbs`](zeroj-bbs/) | BBS/BBS+ selective disclosure credential backend |
| [`zeroj-bbs-wasm`](zeroj-bbs-wasm/) | WASM-backed BBS provider |
| [`zeroj-bls12381-wasm`](zeroj-bls12381-wasm/) | WASM-backed BLS12-381 provider |

#### Support Modules

| Module | Description |
|--------|-------------|
| [`zeroj-test-vectors`](zeroj-test-vectors/) | Shared test fixtures — pre-generated proofs and VKs |
| [`zeroj-examples`](zeroj-examples/) | End-to-end demos: circuit definition to on-chain verification |
| [`zeroj-bom-core`](zeroj-bom-core/) | BOM for the stable v3 core path |
| [`zeroj-bom-all`](zeroj-bom-all/) | BOM for core plus opt-in and incubator modules |

#### Incubator Modules (`incubator/`)

| Module | Description |
|--------|-------------|
| [`zeroj-prover-rapidsnark`](incubator/zeroj-prover-rapidsnark/) | RapidSNARK native prover — BN254 Groth16 via FFM |
| [`zeroj-prover-sidecar`](incubator/zeroj-prover-sidecar/) | HTTP client for external prover services |
| [`zeroj-prover-wasm`](incubator/zeroj-prover-wasm/) | Circom witness calculation via GraalVM WebAssembly |
| [`zeroj-verifier-halo2`](incubator/zeroj-verifier-halo2/) | Halo2 IPA verification via Rust FFM (no trusted setup) |
| [`zeroj-onchain-experimental`](incubator/zeroj-onchain-experimental/) | On-chain helpers — proof preparation, budget estimation |

## Dependency (Gradle)

```gradle
dependencies {
implementation platform('com.bloxbean.cardano:zeroj-bom:0.1.0')
implementation platform('com.bloxbean.cardano:zeroj-bom-core:0.1.0')

// Circuit definition + standard library
implementation 'com.bloxbean.cardano:zeroj-circuit-dsl'
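Review bot: The dependency snippet changes the platform coordinate from `com.bloxbean.cardano:zeroj-bom:0.1.0` to `zeroj-bom-core:0.1.0` at the same version number, so users following older instructions that import `zeroj-bom` get no pointer to the replacement. Add a migration line next to the snippet, and state which BOM is needed for the modules under "Mainline Opt-In Modules", since that heading says `zeroj-bom-all` only.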
Expand Down Expand Up @@ -230,9 +248,9 @@ dependencies {
- **[Getting Started](docs/getting-started.md)** — end-to-end: circuit to on-chain verification
- **[Pure Java Prover Guide](docs/pure-java-prover-guide.md)** — zero-dependency proving pipeline
- **[Circuit DSL User Guide](docs/circuit-dsl-user-guide.md)** — CircuitSpec, Signal API, standard library
- **[Alternate Prover Backends](docs/alternate-prover-backends.md)** — gnark FFM, rapidsnark, snarkjs
- **[Alternate Prover Backends](docs/alternate-prover-backends.md)** — gnark FFM and snarkjs
- **[Architecture Overview](docs/architecture-overview.md)** — module design and layer separation
- **[PlonK Support](docs/plonk-support.md)** — PlonK proving and on-chain verification
- **[PlonK Support](docs/plonk-support.md)** — PlonK proving, off-chain verification, and the experimental Julc prototype

### Use Cases
- **[ZK Use Cases on Cardano](docs/usecases/README.md)** — 8 real-world applications with secret/public input breakdowns
Expand Down
6 changes: 3 additions & 3 deletions build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -33,8 +33,8 @@ subprojects {
version = "${project.version}".replace("-SNAPSHOT", "-${commit_id}-SNAPSHOT")
}

// The BOM module uses java-platform, which is incompatible with java-library
if (project.name == 'zeroj-bom') {
// BOM modules use java-platform, which is incompatible with java-library
if (project.name.startsWith('zeroj-bom')) {
return
}

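Review bot: `project.name.startsWith('zeroj-bom')` exempts every subproject whose name begins with that prefix, not only the two BOMs, so a future library module with such a name would silently skip everything after the `return`. An explicit check such as `['zeroj-bom-core', 'zeroj-bom-all'].contains(project.name)` keeps the exemption as narrow as the comment describes.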
Expand Down Expand Up @@ -80,7 +80,7 @@ subprojects {
}

// Publishing for publishable modules
def nonPublishable = ['zeroj-test-vectors', 'zeroj-examples', 'zeroj-prover-rapidsnark']
def nonPublishable = ['zeroj-test-vectors', 'zeroj-examples']
if (!nonPublishable.contains(project.name)) {
apply plugin: 'maven-publish'
apply plugin: 'signing'
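Review bot: Dropping 'zeroj-prover-rapidsnark' from `nonPublishable` is only safe if the module is also gone from the build; if it is still included as a subproject it now passes `!nonPublishable.contains(project.name)` and gets `maven-publish` and `signing` applied. Please confirm the settings file drops it in this PR.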
Expand Down
Original file line number Diff line number Diff line change
@@ -1,13 +1,18 @@
# ADR-0006: Separation of Cryptographic and Policy Verification

## Status
Accepted
Superseded by [ADR-0020](0020-module-cleanup-and-core-restructure.md)

## Date
2026-03-25

## Context

> Historical note: the crypto-vs-policy separation remains a useful design
> principle, but the generic `zeroj-ingestion` submission pipeline described
> here was removed by ADR-0020. Application-specific policy validation now
> belongs outside the ZeroJ core modules.

A proof can be cryptographically valid but still unacceptable. Consider:
- A valid Groth16 proof for the wrong circuit
- A valid proof with a stale previous state root
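Review bot: Marking the whole ADR "Superseded" while the note says the separation "remains a useful design principle" leaves the cases listed under Context (a valid proof for the wrong circuit, a stale previous state root) without an owner. Since policy validation "now belongs outside the ZeroJ core modules", the note should link to the place where integrators are told that a successful cryptographic verification does not cover these cases and that the checks are theirs to implement.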
Expand Down
8 changes: 7 additions & 1 deletion docs/adr/0007-module-structure-and-boundaries.md
Original file line number Diff line number Diff line change
@@ -1,13 +1,19 @@
# ADR-0007: Multi-Module Structure and Boundaries

## Status
Accepted
Superseded by [ADR-0020](0020-module-cleanup-and-core-restructure.md)

## Date
2026-03-25

## Context

> Historical note: this ADR describes the original broad module structure.
> ADR-0020 removes `zeroj-submission`, `zeroj-ingestion`,
> `zeroj-prover-sidecar`, `zeroj-prover-rapidsnark`,
> `zeroj-onchain-experimental`, and replaces `zeroj-bom` with
> `zeroj-bom-core` / `zeroj-bom-all`.

ZeroJ serves three distinct audiences:
1. **Java developers** who want a standalone ZK verification library (no Cardano dependency)
2. **Network operators** who want proof-verified app-layer consensus
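Review bot: The Date field still reads 2026-03-25 although the Status line changes. ADR-0010 in this PR records its change under a dated "2026-05-17 Update" heading, and the same convention here and in ADR-0006 would show when the supersession happened.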
Expand Down
20 changes: 13 additions & 7 deletions docs/adr/0010-java-circuit-dsl.md
Original file line number Diff line number Diff line change
@@ -1,11 +1,17 @@
# ADR-0010: Java DSL for ZK Circuit Definition

## Status
Proposed
Updated by ADR-0020

## Date
2026-03-28

## 2026-05-17 Update

ADR-0020 removed the RapidSNARK module from ZeroJ. The Java circuit DSL remains
part of the core direction, but active proving paths are gnark FFM and pure Java
proving where implemented.

## Context

ZeroJ provides verification, proving (via FFM), and submission infrastructure for ZK proofs. However, defining circuits still requires external languages:
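Review bot: Status goes from "Proposed" to "Updated by ADR-0020", which no longer says whether this ADR was accepted; the other ADRs touched here use "Accepted" or "Superseded by". Keep a lifecycle status and leave the ADR-0020 reference in the update section this hunk already adds. The Status line is also plain text, whereas ADR-0006 and ADR-0007 link to 0020-module-cleanup-and-core-restructure.md.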
Expand All @@ -23,7 +29,7 @@ This forces Java developers to learn a different language, switch toolchains, an
| Define circuit | circom / gnark Go | circom / Go |
| Compile circuit | circom CLI / go build | Rust / Go |
| Calculate witness | snarkjs (Node.js) OR GraalWasm | JS / WASM |
| Prove | gnark FFM / rapidsnark FFM | Go / C++ |
| Prove | gnark FFM / pure Java where implemented | Go / Java |
| Verify | **Pure Java** (zeroj-verifier-*) | Java |

### Prior art
Expand Down Expand Up @@ -127,12 +133,12 @@ Compiles the constraint graph to R1CS: `(A · w) × (B · w) = (C · w)`.
Each multiplication gate becomes one R1CS constraint. Addition gates are free (linear combinations absorbed into A, B, C vectors).

Output formats:
- **iden3 `.r1cs` binary** — standard format consumed by snarkjs, rapidsnark
- **iden3 `.r1cs` binary** — standard format consumed by snarkjs-compatible tooling and gnark import flows
- **In-memory R1CS** — for pure Java Groth16 prover (future)

```java
var r1cs = circuit.compileR1CS(CurveId.BN254);
byte[] r1csBytes = r1cs.toIden3Binary(); // feed to rapidsnark
byte[] r1csBytes = r1cs.toIden3Binary(); // feed to snarkjs-compatible tooling or gnark import flows
BigInteger[] witness = r1cs.calculateWitness(inputs);
byte[] wtnsBytes = WitnessExporter.toWtns(witness, r1cs.prime(), r1cs.n32());
```
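Review bot: The unchanged bullet "In-memory R1CS ... for pure Java Groth16 prover (future)" now conflicts with the update added at the top of this file, which lists "pure Java proving where implemented" as an active path. Either drop "(future)" or say which curves and proof systems the in-memory path covers today.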
Expand Down Expand Up @@ -220,7 +226,6 @@ The compiled constraint system feeds into existing zeroj provers:

| Backend | Output | Prover | Curve support |
|---------|--------|--------|---------------|
| R1CS | iden3 `.r1cs` + `.wtns` | rapidsnark FFM | BN254 |
| R1CS | iden3 `.r1cs` + `.wtns` | gnark FFM (Groth16) | BN254 + BLS12-381 |
| R1CS | in-memory | Pure Java prover (future) | BN254 + BLS12-381 |
| PlonK | gnark SparseR1CS | gnark FFM (PlonK) | BN254 + BLS12-381 |
Expand Down Expand Up @@ -285,12 +290,13 @@ A future ADR may address **automatic Julc verifier generation** from circuit def
- `CircuitBuilder`, `CircuitAPI`, `Variable`, `ConstraintGraph`, `Gate`
- `R1CSCompiler` + `R1CSSerializer` (iden3 format)
- `WitnessCalculator`
- Test: multiplier circuit → R1CS → rapidsnark prove → pure Java verify
- Test: multiplier circuit → R1CS → gnark or pure Java prove → pure Java verify

### Phase 2: PlonK backend
- `PlonKCompiler` (gate table + permutation σ)
- `PlonKSerializer` (gnark SparseR1CS format)
- Test: same multiplier circuit → PlonK → gnark prove → pure Java verify
- Test: same multiplier circuit → PlonK → pure Java prove/verify, or gnark
prove with gnark native verification until a structured proof adapter is added

### Phase 3: Standard library (zeroj-circuit-lib)
- Poseidon hash (ZK-friendly, low constraint count)
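Review bot: The new Phase 2 test line allows gnark PlonK proofs to be checked "with gnark native verification until a structured proof adapter is added", so on that path the prover and verifier come from the same library and the pure Java verifier is not exercised. Track the adapter as an explicit item in this phase so the gap stays visible.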
Expand Down