@aztec/aztec 0.0.0-test.0 → 0.0.1-commit.001888fc

package/README.md

@@ -8,7 +8,7 @@ Aztec is a package that allows for a simple development environment on Aztec sta
 
 The easiest way to run is by using `docker compose up`. This will create two containers:
 
-1. The sandbox listening on port `8080`
+1. The local network listening on port `8080`
 2. An anvil instance listening on port `8545`
 
 ### Node Server

package/dest/bin/index.d.ts

@@ -1,3 +1,3 @@
 #!/usr/bin/env node
 export {};
-//# sourceMappingURL=index.d.ts.map
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguZC50cyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9iaW4vaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IiJ9

package/dest/bin/index.js

@@ -1,19 +1,23 @@
 #!/usr/bin/env node
 //
 import { injectCommands as injectBuilderCommands } from '@aztec/builder';
-import { injectCommands as injectWalletCommands } from '@aztec/cli-wallet';
+import { injectCommands as injectAztecNodeCommands } from '@aztec/cli/aztec_node';
+import { enrichEnvironmentWithChainName } from '@aztec/cli/config/chain';
+import { enrichEnvironmentWithNetworkConfig } from '@aztec/cli/config/network';
 import { injectCommands as injectContractCommands } from '@aztec/cli/contracts';
-import { injectCommands as injectDevnetCommands } from '@aztec/cli/devnet';
 import { injectCommands as injectInfrastructureCommands } from '@aztec/cli/infrastructure';
 import { injectCommands as injectL1Commands } from '@aztec/cli/l1';
 import { injectCommands as injectMiscCommands } from '@aztec/cli/misc';
-import { injectCommands as injectPXECommands } from '@aztec/cli/pxe';
+import { injectCommands as injectValidatorKeysCommands } from '@aztec/cli/validator_keys';
+import { getActiveNetworkName } from '@aztec/foundation/config';
 import { createConsoleLogger, createLogger } from '@aztec/foundation/log';
-import { fileURLToPath } from '@aztec/foundation/url';
+import { getPackageVersion } from '@aztec/stdlib/update-checker';
 import { Command } from 'commander';
-import { readFileSync } from 'fs';
-import { dirname, resolve } from 'path';
+import { injectCompileCommand } from '../cli/cmds/compile.js';
+import { injectMigrateCommand } from '../cli/cmds/migrate_ha_db.js';
+import { injectProfileCommand } from '../cli/cmds/profile.js';
 import { injectAztecCommands } from '../cli/index.js';
+const NETWORK_FLAG = 'network';
 const userLog = createConsoleLogger();
 const debugLogger = createLogger('cli');
 /** CLI & full node main entrypoint */ async function main() {
@@ -22,19 +26,30 @@ const debugLogger = createLogger('cli');
     };
     process.once('SIGINT', shutdown);
     process.once('SIGTERM', shutdown);
-    const packageJsonPath = resolve(dirname(fileURLToPath(import.meta.url)), '../../package.json');
-    const cliVersion = JSON.parse(readFileSync(packageJsonPath).toString()).version;
+    // Intercept the setting of a network and enrich the environment with defaults for that network
+    let networkValue;
+    const args = process.argv.slice(2);
+    const networkIndex = args.findIndex((arg)=>arg.startsWith(`--${NETWORK_FLAG}=`) || arg === `--${NETWORK_FLAG}`);
+    if (networkIndex !== -1) {
+        networkValue = args[networkIndex].split('=')[1] || args[networkIndex + 1];
+    }
+    const networkName = getActiveNetworkName(networkValue);
+    await enrichEnvironmentWithNetworkConfig(networkName);
+    enrichEnvironmentWithChainName(networkName);
+    const cliVersion = getPackageVersion() ?? 'unknown';
     let program = new Command('aztec');
-    program.description('Aztec command line interface').version(cliVersion);
+    program.description('Aztec command line interface').version(cliVersion).enablePositionalOptions();
     program = injectAztecCommands(program, userLog, debugLogger);
     program = injectBuilderCommands(program);
     program = injectContractCommands(program, userLog, debugLogger);
-    program = injectInfrastructureCommands(program, userLog, debugLogger);
+    program = injectInfrastructureCommands(program, userLog);
     program = injectL1Commands(program, userLog, debugLogger);
-    program = injectPXECommands(program, userLog, debugLogger);
+    program = injectAztecNodeCommands(program, userLog, debugLogger);
     program = injectMiscCommands(program, userLog);
-    program = injectDevnetCommands(program, userLog, debugLogger);
-    program = injectWalletCommands(program, userLog, debugLogger);
+    program = injectValidatorKeysCommands(program, userLog);
+    program = injectCompileCommand(program, userLog);
+    program = injectProfileCommand(program, userLog);
+    program = injectMigrateCommand(program, userLog);
     await program.parseAsync(process.argv);
 }
 main().catch((err)=>{

package/dest/cli/admin_api_key_store.d.ts

@@ -0,0 +1,45 @@
+import type { Logger } from '@aztec/foundation/log';
+/**
+ * Result of resolving the admin API key.
+ * Contains the SHA-256 hex hash of the API key to be used by the auth middleware,
+ * and optionally the raw key when newly generated (so the caller can display it).
+ */
+export interface AdminApiKeyResolution {
+    /** The SHA-256 hash of the API key. */
+    apiKeyHash: Buffer;
+    /**
+     * The raw API key, only present when a new key was generated during this call.
+     * The caller MUST display this to the operator — it will not be stored or returned again.
+     */
+    rawKey?: string;
+}
+export interface ResolveAdminApiKeyOptions {
+    /** SHA-256 hex hash of a pre-generated API key. When set, the node uses this hash directly. */
+    adminApiKeyHash?: string;
+    /** If true, disable admin API key auth entirely. */
+    disableAdminApiKey?: boolean;
+    /** If true, force-generate a new key even if one is already persisted. */
+    resetAdminApiKey?: boolean;
+    /** Root data directory for persistent storage. */
+    dataDirectory?: string;
+}
+/**
+ * Resolves the admin API key for the admin RPC endpoint.
+ *
+ * Strategy:
+ * 1. If opt-out flag is set (`disableAdminApiKey`), return undefined (no auth).
+ * 2. If a pre-generated hash is provided (`adminApiKeyHash`), use it directly.
+ * 3. If a data directory exists, look for a persisted hash file
+ *    at `<dataDirectory>/admin/api_key_hash`:
+ *    - If `resetAdminApiKey` is set, skip loading and force-generate a new key.
+ *    - Found: use the stored hash (operator already saved the key from first run).
+ *    - Not found: auto-generate a random key, display it once, persist the hash.
+ * 3. If no data directory: generate a random key
+ *    each run and display it (cannot persist).
+ *
+ * @param options - The options for resolving the admin API key.
+ * @param log - Logger for outputting the key and status messages.
+ * @returns The resolved API key hash, or undefined if auth is disabled.
+ */
+export declare function resolveAdminApiKey(options: ResolveAdminApiKeyOptions, log: Logger): Promise<AdminApiKeyResolution | undefined>;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYWRtaW5fYXBpX2tleV9zdG9yZS5kLnRzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL2NsaS9hZG1pbl9hcGlfa2V5X3N0b3JlLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUVBLE9BQU8sS0FBSyxFQUFFLE1BQU0sRUFBRSxNQUFNLHVCQUF1QixDQUFDO0FBU3BEOzs7O0dBSUc7QUFDSCxNQUFNLFdBQVcscUJBQXFCO0lBQ3BDLHVDQUF1QztJQUN2QyxVQUFVLEVBQUUsTUFBTSxDQUFDO0lBQ25COzs7T0FHRztJQUNILE1BQU0sQ0FBQyxFQUFFLE1BQU0sQ0FBQztDQUNqQjtBQUVELE1BQU0sV0FBVyx5QkFBeUI7SUFDeEMsK0ZBQStGO0lBQy9GLGVBQWUsQ0FBQyxFQUFFLE1BQU0sQ0FBQztJQUN6QixvREFBb0Q7SUFDcEQsa0JBQWtCLENBQUMsRUFBRSxPQUFPLENBQUM7SUFDN0IsMEVBQTBFO0lBQzFFLGdCQUFnQixDQUFDLEVBQUUsT0FBTyxDQUFDO0lBQzNCLGtEQUFrRDtJQUNsRCxhQUFhLENBQUMsRUFBRSxNQUFNLENBQUM7Q0FDeEI7QUFFRDs7Ozs7Ozs7Ozs7Ozs7Ozs7R0FpQkc7QUFDSCx3QkFBc0Isa0JBQWtCLENBQ3RDLE9BQU8sRUFBRSx5QkFBeUIsRUFDbEMsR0FBRyxFQUFFLE1BQU0sR0FDVixPQUFPLENBQUMscUJBQXFCLEdBQUcsU0FBUyxDQUFDLENBMkQ1QyJ9

package/dest/cli/admin_api_key_store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin_api_key_store.d.ts","sourceRoot":"","sources":["../../src/cli/admin_api_key_store.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AASpD;;;;GAIG;AACH,MAAM,WAAW,qBAAqB;IACpC,uCAAuC;IACvC,UAAU,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,yBAAyB;IACxC,+FAA+F;IAC/F,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,oDAAoD;IACpD,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,0EAA0E;IAC1E,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,kDAAkD;IAClD,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,yBAAyB,EAClC,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,qBAAqB,GAAG,SAAS,CAAC,CA2D5C"}

package/dest/cli/admin_api_key_store.js

@@ -0,0 +1,98 @@
+import { randomBytes } from '@aztec/foundation/crypto/random';
+import { sha256Hash } from '@aztec/foundation/json-rpc/server';
+import { promises as fs } from 'fs';
+import { join } from 'path';
+/** Subdirectory under dataDirectory for admin API key storage. */ const ADMIN_STORE_DIR = 'admin';
+const HASH_FILE_NAME = 'api_key_hash';
+/**
+ * Resolves the admin API key for the admin RPC endpoint.
+ *
+ * Strategy:
+ * 1. If opt-out flag is set (`disableAdminApiKey`), return undefined (no auth).
+ * 2. If a pre-generated hash is provided (`adminApiKeyHash`), use it directly.
+ * 3. If a data directory exists, look for a persisted hash file
+ *    at `<dataDirectory>/admin/api_key_hash`:
+ *    - If `resetAdminApiKey` is set, skip loading and force-generate a new key.
+ *    - Found: use the stored hash (operator already saved the key from first run).
+ *    - Not found: auto-generate a random key, display it once, persist the hash.
+ * 3. If no data directory: generate a random key
+ *    each run and display it (cannot persist).
+ *
+ * @param options - The options for resolving the admin API key.
+ * @param log - Logger for outputting the key and status messages.
+ * @returns The resolved API key hash, or undefined if auth is disabled.
+ */ export async function resolveAdminApiKey(options, log) {
+    // Operator explicitly opted out of admin auth
+    if (options.disableAdminApiKey) {
+        log.warn('Admin API key authentication is DISABLED (--disable-admin-api-key / AZTEC_DISABLE_ADMIN_API_KEY)');
+        return undefined;
+    }
+    // Operator provided a pre-generated hash (e.g. via AZTEC_ADMIN_API_KEY_HASH env var)
+    if (options.adminApiKeyHash) {
+        const hex = options.adminApiKeyHash.trim();
+        if (hex.length !== 64 || !/^[0-9a-f]{64}$/.test(hex)) {
+            throw new Error(`Invalid admin API key hash: expected 64-char hex string, got "${hex}"`);
+        }
+        log.info('Admin API key authentication enabled (using pre-configured key hash)');
+        return {
+            apiKeyHash: Buffer.from(hex, 'hex')
+        };
+    }
+    // Persistent storage available, load or generate key
+    if (options.dataDirectory) {
+        const adminDir = join(options.dataDirectory, ADMIN_STORE_DIR);
+        const hashFilePath = join(adminDir, HASH_FILE_NAME);
+        // Unless a reset is forced, try to load the existing hash from disk
+        if (!options.resetAdminApiKey) {
+            try {
+                const storedHash = (await fs.readFile(hashFilePath, 'utf-8')).trim();
+                if (storedHash.length === 64) {
+                    log.info('Admin API key authentication enabled (loaded stored key hash from disk)');
+                    return {
+                        apiKeyHash: Buffer.from(storedHash, 'hex')
+                    };
+                }
+                log.warn(`Invalid stored admin API key hash at ${hashFilePath}, regenerating...`);
+            } catch (err) {
+                if (err.code !== 'ENOENT') {
+                    log.warn(`Failed to read admin API key hash from ${hashFilePath}: ${err.message}`);
+                }
+            // File doesn't exist — fall through to generate
+            }
+        } else {
+            log.warn('Admin API key reset requested — generating a new key');
+        }
+        // Generate a new key, persist the hash, and return the raw key for the caller to display
+        const { rawKey, hash } = generateApiKey();
+        await fs.mkdir(adminDir, {
+            recursive: true
+        });
+        await fs.writeFile(hashFilePath, hash.toString('hex'), 'utf-8');
+        // Set restrictive permissions (owner read/write only)
+        await fs.chmod(hashFilePath, 0o600);
+        log.info('Admin API key authentication enabled (new key generated and hash persisted to disk)');
+        return {
+            apiKeyHash: hash,
+            rawKey
+        };
+    }
+    // No data directory, generate a temporary key per session
+    const { rawKey, hash } = generateApiKey();
+    log.warn('No data directory configured — admin API key cannot be persisted.');
+    log.warn('A temporary key has been generated for this session only.');
+    return {
+        apiKeyHash: hash,
+        rawKey
+    };
+}
+/**
+ * Generates a cryptographically random API key and its SHA-256 hash.
+ * @returns The raw key (hex string) and its SHA-256 hash as a Buffer.
+ */ function generateApiKey() {
+    const rawKey = randomBytes(32).toString('hex');
+    const hash = sha256Hash(rawKey);
+    return {
+        rawKey,
+        hash
+    };
+}

package/dest/cli/aztec_start_action.d.ts

@@ -1,3 +1,3 @@
 import type { LogFn, Logger } from '@aztec/foundation/log';
 export declare function aztecStart(options: any, userLog: LogFn, debugLogger: Logger): Promise<void>;
-//# sourceMappingURL=aztec_start_action.d.ts.map
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXp0ZWNfc3RhcnRfYWN0aW9uLmQudHMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvY2xpL2F6dGVjX3N0YXJ0X2FjdGlvbi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFPQSxPQUFPLEtBQUssRUFBRSxLQUFLLEVBQUUsTUFBTSxFQUFFLE1BQU0sdUJBQXVCLENBQUM7QUFhM0Qsd0JBQXNCLFVBQVUsQ0FBQyxPQUFPLEVBQUUsR0FBRyxFQUFFLE9BQU8sRUFBRSxLQUFLLEVBQUUsV0FBVyxFQUFFLE1BQU0saUJBMklqRiJ9

package/dest/cli/aztec_start_action.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"aztec_start_action.d.ts","sourceRoot":"","sources":["../../src/cli/aztec_start_action.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAmB3D,wBAAsB,UAAU,CAAC,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,iBAyFjF"}
+{"version":3,"file":"aztec_start_action.d.ts","sourceRoot":"","sources":["../../src/cli/aztec_start_action.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAa3D,wBAAsB,UAAU,CAAC,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,iBA2IjF"}

package/dest/cli/aztec_start_action.js

@@ -1,33 +1,36 @@
-import { createNamespacedSafeJsonRpcServer, startHttpRpcServer } from '@aztec/foundation/json-rpc/server';
-import { fileURLToPath } from '@aztec/foundation/url';
-import { AztecNodeApiSchema, PXESchema } from '@aztec/stdlib/interfaces/client';
+import { getActiveNetworkName } from '@aztec/foundation/config';
+import { createNamespacedSafeJsonRpcServer, getApiKeyAuthMiddleware, startHttpRpcServer } from '@aztec/foundation/json-rpc/server';
+import { AztecNodeAdminApiSchema, AztecNodeApiSchema } from '@aztec/stdlib/interfaces/client';
+import { getPackageVersion } from '@aztec/stdlib/update-checker';
 import { getVersioningMiddleware } from '@aztec/stdlib/versioning';
 import { getOtelJsonRpcPropagationMiddleware } from '@aztec/telemetry-client';
-import { readFileSync } from 'fs';
-import { dirname, resolve } from 'path';
-import { createSandbox } from '../sandbox/index.js';
+import { createLocalNetwork } from '../local-network/index.js';
 import { github, splash } from '../splash.js';
-import { enrichEnvironmentWithChainConfig } from './chain_l2_config.js';
+import { resolveAdminApiKey } from './admin_api_key_store.js';
 import { extractNamespacedOptions, installSignalHandlers } from './util.js';
 import { getVersions } from './versioning.js';
-const packageJsonPath = resolve(dirname(fileURLToPath(import.meta.url)), '../../package.json');
-const cliVersion = JSON.parse(readFileSync(packageJsonPath).toString()).version;
 export async function aztecStart(options, userLog, debugLogger) {
     // list of 'stop' functions to call when process ends
     const signalHandlers = [];
     const services = {};
+    const adminServices = {};
+    const packageVersion = getPackageVersion();
     let config = undefined;
-    if (options.sandbox) {
-        const sandboxOptions = extractNamespacedOptions(options, 'sandbox');
-        const nodeOptions = extractNamespacedOptions(options, 'node');
+    if (options.localNetwork) {
+        const localNetwork = extractNamespacedOptions(options, 'local-network');
+        localNetwork.testAccounts = true;
         userLog(`${splash}\n${github}\n\n`);
-        userLog(`Setting up Aztec Sandbox ${cliVersion}, please stand by...`);
-        const { node, pxe, stop } = await createSandbox({
-            l1Mnemonic: options.l1Mnemonic,
+        userLog(`Setting up Aztec local network ${packageVersion ?? 'unknown'}, please stand by...`);
+        const { node, stop } = await createLocalNetwork({
+            l1Mnemonic: localNetwork.l1Mnemonic,
             l1RpcUrls: options.l1RpcUrls,
-            l1Salt: nodeOptions.deployAztecContractsSalt,
-            noPXE: sandboxOptions.noPXE,
-            testAccounts: sandboxOptions.testAccounts
+            testAccounts: localNetwork.testAccounts,
+            realProofs: false,
+            // Setting the epoch duration to 2 by default for local network. This allows the epoch to be "proven" faster, so
+            // the users can consume out hash without having to wait for a long time.
+            // Note: We are not proving anything in the local network (realProofs == false). But in `createLocalNetwork`,
+            // the EpochTestSettler will set the out hash to the outbox when an epoch is complete.
+            aztecEpochDuration: 2
         }, userLog);
         // Start Node and PXE JSON-RPC server
         signalHandlers.push(stop);
@@ -35,34 +38,22 @@ export async function aztecStart(options, userLog, debugLogger) {
             node,
             AztecNodeApiSchema
         ];
-        if (!sandboxOptions.noPXE) {
-            services.pxe = [
-                pxe,
-                PXESchema
-            ];
-        } else {
-            userLog(`Not exposing PXE API through JSON-RPC server`);
-        }
+        adminServices.node = [
+            node,
+            AztecNodeAdminApiSchema
+        ];
     } else {
-        // If a network is specified, enrich the environment with the chain config
-        if (options.network) {
-            await enrichEnvironmentWithChainConfig(options.network);
+        // Route --prover-node through startNode
+        if (options.proverNode && !options.node) {
+            options.node = true;
         }
         if (options.node) {
             const { startNode } = await import('./cmds/start_node.js');
-            ({ config } = await startNode(options, signalHandlers, services, userLog));
+            const networkName = getActiveNetworkName(options.network);
+            ({ config } = await startNode(options, signalHandlers, services, adminServices, userLog, networkName));
         } else if (options.bot) {
             const { startBot } = await import('./cmds/start_bot.js');
             await startBot(options, signalHandlers, services, userLog);
-        } else if (options.proverNode) {
-            const { startProverNode } = await import('./cmds/start_prover_node.js');
-            ({ config } = await startProverNode(options, signalHandlers, services, userLog));
-        } else if (options.blobSink) {
-            const { startBlobSink } = await import('./cmds/start_blob_sink.js');
-            await startBlobSink(options, signalHandlers, userLog);
-        } else if (options.pxe) {
-            const { startPXE } = await import('./cmds/start_pxe.js');
-            ({ config } = await startPXE(options, signalHandlers, services, userLog));
         } else if (options.archiver) {
             const { startArchiver } = await import('./cmds/start_archiver.js');
             ({ config } = await startArchiver(options, signalHandlers, services));
@@ -81,9 +72,6 @@ export async function aztecStart(options, userLog, debugLogger) {
         } else if (options.sequencer) {
             userLog(`Cannot run a standalone sequencer without a node`);
             process.exit(1);
-        } else if (options.faucet) {
-            const { startFaucet } = await import('./cmds/start_faucet.js');
-            await startFaucet(options, signalHandlers, services, userLog);
         } else {
             userLog(`No module specified to start`);
             process.exit(1);
@@ -91,18 +79,75 @@ export async function aztecStart(options, userLog, debugLogger) {
     }
     installSignalHandlers(debugLogger.info, signalHandlers);
     const versions = getVersions(config);
+    const versioningOpts = {
+        packageVersion
+    };
+    // Start the main JSON-RPC server
     if (Object.entries(services).length > 0) {
         const rpcServer = createNamespacedSafeJsonRpcServer(services, {
             http200OnError: false,
             log: debugLogger,
             middlewares: [
                 getOtelJsonRpcPropagationMiddleware(),
-                getVersioningMiddleware(versions)
-            ]
+                getVersioningMiddleware(versions, versioningOpts)
+            ],
+            maxBatchSize: options.rpcMaxBatchSize,
+            maxBodySizeBytes: options.rpcMaxBodySize
         });
         const { port } = await startHttpRpcServer(rpcServer, {
             port: options.port
         });
         debugLogger.info(`Aztec Server listening on port ${port}`, versions);
     }
+    // If there are any admin services, start a separate JSON-RPC server for them
+    if (Object.entries(adminServices).length > 0) {
+        const adminMiddlewares = [
+            getOtelJsonRpcPropagationMiddleware(),
+            getVersioningMiddleware(versions, versioningOpts)
+        ];
+        // Resolve the admin API key (auto-generated and persisted, or opt-out)
+        const apiKeyResolution = await resolveAdminApiKey({
+            adminApiKeyHash: options.adminApiKeyHash,
+            disableAdminApiKey: options.disableAdminApiKey,
+            resetAdminApiKey: options.resetAdminApiKey,
+            dataDirectory: options.dataDirectory
+        }, debugLogger);
+        if (apiKeyResolution) {
+            adminMiddlewares.unshift(getApiKeyAuthMiddleware(apiKeyResolution.apiKeyHash));
+        } else {
+            debugLogger.warn('No admin API key set — admin endpoint is unauthenticated');
+        }
+        const rpcServer = createNamespacedSafeJsonRpcServer(adminServices, {
+            http200OnError: false,
+            log: debugLogger,
+            middlewares: adminMiddlewares,
+            maxBatchSize: options.rpcMaxBatchSize,
+            maxBodySizeBytes: options.rpcMaxBodySize
+        });
+        const { port } = await startHttpRpcServer(rpcServer, {
+            port: options.adminPort
+        });
+        debugLogger.info(`Aztec Server admin API listening on port ${port}`, versions);
+        // Display the API key after the server has started
+        // Uses userLog which is never filtered by LOG_LEVEL.
+        if (apiKeyResolution?.rawKey) {
+            const separator = '='.repeat(70);
+            userLog('');
+            userLog(separator);
+            userLog('  ADMIN API KEY (save this — it will NOT be shown again)');
+            userLog('');
+            userLog(`  ${apiKeyResolution.rawKey}`);
+            userLog('');
+            userLog(`  Use via header:  x-api-key: <key>`);
+            userLog(`  Or via header:   Authorization: Bearer <key>`);
+            if (options.dataDirectory) {
+                userLog('');
+                userLog('  The key hash has been persisted — on next restart, the same key will be used.');
+            }
+            userLog('');
+            userLog('  To disable admin auth: --disable-admin-api-key or AZTEC_DISABLE_ADMIN_API_KEY=true');
+            userLog(separator);
+            userLog('');
+        }
+    }
 }

package/dest/cli/aztec_start_options.d.ts

@@ -2,14 +2,16 @@ import { type ConfigMapping, type EnvVar } from '@aztec/foundation/config';
 export interface AztecStartOption {
     flag: string;
     description: string;
-    defaultValue: any | undefined;
+    defaultValue: any;
     printDefault?: (val: any) => string;
-    envVar: EnvVar | undefined;
+    env: EnvVar | undefined;
+    fallback?: EnvVar[];
     parseVal?: (val: string) => any;
 }
 export declare const getOptions: (namespace: string, configMappings: Record<string, ConfigMapping>) => AztecStartOption[];
 export declare const universalOptions: string[];
+export declare const NETWORK_FLAG = "network";
 export declare const aztecStartOptions: {
     [key: string]: AztecStartOption[];
 };
-//# sourceMappingURL=aztec_start_options.d.ts.map
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXp0ZWNfc3RhcnRfb3B0aW9ucy5kLnRzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL2NsaS9henRlY19zdGFydF9vcHRpb25zLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQU9BLE9BQU8sRUFDTCxLQUFLLGFBQWEsRUFDbEIsS0FBSyxNQUFNLEVBSVosTUFBTSwwQkFBMEIsQ0FBQztBQWVsQyxNQUFNLFdBQVcsZ0JBQWdCO0lBQy9CLElBQUksRUFBRSxNQUFNLENBQUM7SUFDYixXQUFXLEVBQUUsTUFBTSxDQUFDO0lBQ3BCLFlBQVksRUFBRSxHQUFHLENBQUM7SUFDbEIsWUFBWSxDQUFDLEVBQUUsQ0FBQyxHQUFHLEVBQUUsR0FBRyxLQUFLLE1BQU0sQ0FBQztJQUNwQyxHQUFHLEVBQUUsTUFBTSxHQUFHLFNBQVMsQ0FBQztJQUN4QixRQUFRLENBQUMsRUFBRSxNQUFNLEVBQUUsQ0FBQztJQUNwQixRQUFRLENBQUMsRUFBRSxDQUFDLEdBQUcsRUFBRSxNQUFNLEtBQUssR0FBRyxDQUFDO0NBQ2pDO0FBRUQsZUFBTyxNQUFNLFVBQVUsMEZBb0J0QixDQUFDO0FBdUJGLGVBQU8sTUFBTSxnQkFBZ0IsVUFZNUIsQ0FBQztBQUVGLGVBQU8sTUFBTSxZQUFZLFlBQVksQ0FBQztBQUd0QyxlQUFPLE1BQU0saUJBQWlCLEVBQUU7SUFBRSxDQUFDLEdBQUcsRUFBRSxNQUFNLEdBQUcsZ0JBQWdCLEVBQUUsQ0FBQTtDQXNPbEUsQ0FBQyJ9

package/dest/cli/aztec_start_options.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"aztec_start_options.d.ts","sourceRoot":"","sources":["../../src/cli/aztec_start_options.ts"],"names":[],"mappings":"AAKA,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,MAAM,EAIZ,MAAM,0BAA0B,CAAC;AAelC,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,GAAG,GAAG,SAAS,CAAC;IAC9B,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,KAAK,MAAM,CAAC;IACpC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3B,QAAQ,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,GAAG,CAAC;CACjC;AAED,eAAO,MAAM,UAAU,cAAe,MAAM,kBAAkB,OAAO,MAAM,EAAE,aAAa,CAAC,uBAiB1F,CAAC;AAGF,eAAO,MAAM,gBAAgB,UAA2E,CAAC;AAGzG,eAAO,MAAM,iBAAiB,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,gBAAgB,EAAE,CAAA;CAwTlE,CAAC"}
+{"version":3,"file":"aztec_start_options.d.ts","sourceRoot":"","sources":["../../src/cli/aztec_start_options.ts"],"names":[],"mappings":"AAOA,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,MAAM,EAIZ,MAAM,0BAA0B,CAAC;AAelC,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,GAAG,CAAC;IAClB,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,KAAK,MAAM,CAAC;IACpC,GAAG,EAAE,MAAM,GAAG,SAAS,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,QAAQ,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,GAAG,CAAC;CACjC;AAED,eAAO,MAAM,UAAU,0FAoBtB,CAAC;AAuBF,eAAO,MAAM,gBAAgB,UAY5B,CAAC;AAEF,eAAO,MAAM,YAAY,YAAY,CAAC;AAGtC,eAAO,MAAM,iBAAiB,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,gBAAgB,EAAE,CAAA;CAsOlE,CAAC"}