@aztec/aztec 0.0.1-commit.c7c42ec → 0.0.1-commit.cf93bcc56

package/src/cli/admin_api_key_store.ts

@@ -0,0 +1,128 @@
+import { randomBytes } from '@aztec/foundation/crypto/random';
+import { sha256Hash } from '@aztec/foundation/json-rpc/server';
+import type { Logger } from '@aztec/foundation/log';
+
+import { promises as fs } from 'fs';
+import { join } from 'path';
+
+/** Subdirectory under dataDirectory for admin API key storage. */
+const ADMIN_STORE_DIR = 'admin';
+const HASH_FILE_NAME = 'api_key_hash';
+
+/**
+ * Result of resolving the admin API key.
+ * Contains the SHA-256 hex hash of the API key to be used by the auth middleware,
+ * and optionally the raw key when newly generated (so the caller can display it).
+ */
+export interface AdminApiKeyResolution {
+  /** The SHA-256 hash of the API key. */
+  apiKeyHash: Buffer;
+  /**
+   * The raw API key, only present when a new key was generated during this call.
+   * The caller MUST display this to the operator — it will not be stored or returned again.
+   */
+  rawKey?: string;
+}
+
+export interface ResolveAdminApiKeyOptions {
+  /** SHA-256 hex hash of a pre-generated API key. When set, the node uses this hash directly. */
+  adminApiKeyHash?: string;
+  /** If true, disable admin API key auth entirely. */
+  noAdminApiKey?: boolean;
+  /** If true, force-generate a new key even if one is already persisted. */
+  resetAdminApiKey?: boolean;
+  /** Root data directory for persistent storage. */
+  dataDirectory?: string;
+}
+
+/**
+ * Resolves the admin API key for the admin RPC endpoint.
+ *
+ * Strategy:
+ * 1. If opt-out flag is set (`noAdminApiKey`), return undefined (no auth).
+ * 2. If a pre-generated hash is provided (`adminApiKeyHash`), use it directly.
+ * 3. If a data directory exists, look for a persisted hash file
+ *    at `<dataDirectory>/admin/api_key_hash`:
+ *    - If `resetAdminApiKey` is set, skip loading and force-generate a new key.
+ *    - Found: use the stored hash (operator already saved the key from first run).
+ *    - Not found: auto-generate a random key, display it once, persist the hash.
+ * 3. If no data directory: generate a random key
+ *    each run and display it (cannot persist).
+ *
+ * @param options - The options for resolving the admin API key.
+ * @param log - Logger for outputting the key and status messages.
+ * @returns The resolved API key hash, or undefined if auth is disabled.
+ */
+export async function resolveAdminApiKey(
+  options: ResolveAdminApiKeyOptions,
+  log: Logger,
+): Promise<AdminApiKeyResolution | undefined> {
+  // Operator explicitly opted out of admin auth
+  if (options.noAdminApiKey) {
+    log.warn('Admin API key authentication is DISABLED (--no-admin-api-key / AZTEC_NO_ADMIN_API_KEY)');
+    return undefined;
+  }
+
+  // Operator provided a pre-generated hash (e.g. via AZTEC_ADMIN_API_KEY_HASH env var)
+  if (options.adminApiKeyHash) {
+    const hex = options.adminApiKeyHash.trim();
+    if (hex.length !== 64 || !/^[0-9a-f]{64}$/.test(hex)) {
+      throw new Error(`Invalid admin API key hash: expected 64-char hex string, got "${hex}"`);
+    }
+    log.info('Admin API key authentication enabled (using pre-configured key hash)');
+    return { apiKeyHash: Buffer.from(hex, 'hex') };
+  }
+
+  // Persistent storage available, load or generate key
+  if (options.dataDirectory) {
+    const adminDir = join(options.dataDirectory, ADMIN_STORE_DIR);
+    const hashFilePath = join(adminDir, HASH_FILE_NAME);
+
+    // Unless a reset is forced, try to load the existing hash from disk
+    if (!options.resetAdminApiKey) {
+      try {
+        const storedHash = (await fs.readFile(hashFilePath, 'utf-8')).trim();
+        if (storedHash.length === 64) {
+          log.info('Admin API key authentication enabled (loaded stored key hash from disk)');
+          return { apiKeyHash: Buffer.from(storedHash, 'hex') };
+        }
+        log.warn(`Invalid stored admin API key hash at ${hashFilePath}, regenerating...`);
+      } catch (err: any) {
+        if (err.code !== 'ENOENT') {
+          log.warn(`Failed to read admin API key hash from ${hashFilePath}: ${err.message}`);
+        }
+        // File doesn't exist — fall through to generate
+      }
+    } else {
+      log.warn('Admin API key reset requested — generating a new key');
+    }
+
+    // Generate a new key, persist the hash, and return the raw key for the caller to display
+    const { rawKey, hash } = generateApiKey();
+    await fs.mkdir(adminDir, { recursive: true });
+    await fs.writeFile(hashFilePath, hash.toString('hex'), 'utf-8');
+    // Set restrictive permissions (owner read/write only)
+    await fs.chmod(hashFilePath, 0o600);
+
+    log.info('Admin API key authentication enabled (new key generated and hash persisted to disk)');
+    return { apiKeyHash: hash, rawKey };
+  }
+
+  // No data directory, generate a temporary key per session
+  const { rawKey, hash } = generateApiKey();
+
+  log.warn('No data directory configured — admin API key cannot be persisted.');
+  log.warn('A temporary key has been generated for this session only.');
+
+  return { apiKeyHash: hash, rawKey };
+}
+
+/**
+ * Generates a cryptographically random API key and its SHA-256 hash.
+ * @returns The raw key (hex string) and its SHA-256 hash as a Buffer.
+ */
+function generateApiKey(): { rawKey: string; hash: Buffer } {
+  const rawKey = randomBytes(32).toString('hex');
+  const hash = sha256Hash(rawKey);
+  return { rawKey, hash };
+}

package/src/cli/aztec_start_action.ts

@@ -1,6 +1,7 @@
 import {
   type NamespacedApiHandlers,
   createNamespacedSafeJsonRpcServer,
+  getApiKeyAuthMiddleware,
   startHttpRpcServer,
 } from '@aztec/foundation/json-rpc/server';
 import type { LogFn, Logger } from '@aztec/foundation/log';
@@ -11,6 +12,7 @@ import { getOtelJsonRpcPropagationMiddleware } from '@aztec/telemetry-client';
 
 import { createLocalNetwork } from '../local-network/index.js';
 import { github, splash } from '../splash.js';
+import { resolveAdminApiKey } from './admin_api_key_store.js';
 import { getCliVersion } from './release_version.js';
 import { extractNamespacedOptions, installSignalHandlers } from './util.js';
 import { getVersions } from './versioning.js';
@@ -35,6 +37,11 @@ export async function aztecStart(options: any, userLog: LogFn, debugLogger: Logg
         l1RpcUrls: options.l1RpcUrls,
         testAccounts: localNetwork.testAccounts,
         realProofs: false,
+        // Setting the epoch duration to 4 by default for local network. This allows the epoch to be "proven" faster, so
+        // the users can consume out hash without having to wait for a long time.
+        // Note: We are not proving anything in the local network (realProofs == false). But in `createLocalNetwork`,
+        // the EpochTestSettler will set the out hash to the outbox when an epoch is complete.
+        aztecEpochDuration: 4,
       },
       userLog,
     );
@@ -43,15 +50,17 @@ export async function aztecStart(options: any, userLog: LogFn, debugLogger: Logg
     signalHandlers.push(stop);
     services.node = [node, AztecNodeApiSchema];
   } else {
+    // Route --prover-node through startNode
+    if (options.proverNode && !options.node) {
+      options.node = true;
+    }
+
     if (options.node) {
       const { startNode } = await import('./cmds/start_node.js');
       ({ config } = await startNode(options, signalHandlers, services, adminServices, userLog));
     } else if (options.bot) {
       const { startBot } = await import('./cmds/start_bot.js');
       await startBot(options, signalHandlers, services, userLog);
-    } else if (options.proverNode) {
-      const { startProverNode } = await import('./cmds/start_prover_node.js');
-      ({ config } = await startProverNode(options, signalHandlers, services, userLog));
     } else if (options.archiver) {
       const { startArchiver } = await import('./cmds/start_archiver.js');
       ({ config } = await startArchiver(options, signalHandlers, services));
@@ -94,14 +103,54 @@ export async function aztecStart(options: any, userLog: LogFn, debugLogger: Logg
 
   // If there are any admin services, start a separate JSON-RPC server for them
   if (Object.entries(adminServices).length > 0) {
+    const adminMiddlewares = [getOtelJsonRpcPropagationMiddleware(), getVersioningMiddleware(versions)];
+
+    // Resolve the admin API key (auto-generated and persisted, or opt-out)
+    const apiKeyResolution = await resolveAdminApiKey(
+      {
+        adminApiKeyHash: options.adminApiKeyHash,
+        noAdminApiKey: options.noAdminApiKey,
+        resetAdminApiKey: options.resetAdminApiKey,
+        dataDirectory: options.dataDirectory,
+      },
+      debugLogger,
+    );
+    if (apiKeyResolution) {
+      adminMiddlewares.unshift(getApiKeyAuthMiddleware(apiKeyResolution.apiKeyHash));
+    } else {
+      debugLogger.warn('No admin API key set — admin endpoint is unauthenticated');
+    }
+
     const rpcServer = createNamespacedSafeJsonRpcServer(adminServices, {
       http200OnError: false,
       log: debugLogger,
-      middlewares: [getOtelJsonRpcPropagationMiddleware(), getVersioningMiddleware(versions)],
+      middlewares: adminMiddlewares,
       maxBatchSize: options.rpcMaxBatchSize,
       maxBodySizeBytes: options.rpcMaxBodySize,
     });
     const { port } = await startHttpRpcServer(rpcServer, { port: options.adminPort });
     debugLogger.info(`Aztec Server admin API listening on port ${port}`, versions);
+
+    // Display the API key after the server has started
+    // Uses userLog which is never filtered by LOG_LEVEL.
+    if (apiKeyResolution?.rawKey) {
+      const separator = '='.repeat(70);
+      userLog('');
+      userLog(separator);
+      userLog('  ADMIN API KEY (save this — it will NOT be shown again)');
+      userLog('');
+      userLog(`  ${apiKeyResolution.rawKey}`);
+      userLog('');
+      userLog(`  Use via header:  x-api-key: <key>`);
+      userLog(`  Or via header:   Authorization: Bearer <key>`);
+      if (options.dataDirectory) {
+        userLog('');
+        userLog('  The key hash has been persisted — on next restart, the same key will be used.');
+      }
+      userLog('');
+      userLog('  To disable admin auth: --no-admin-api-key or AZTEC_NO_ADMIN_API_KEY=true');
+      userLog(separator);
+      userLog('');
+    }
   }
 }

package/src/cli/aztec_start_options.ts

@@ -19,7 +19,7 @@ import { proverAgentConfigMappings, proverBrokerConfigMappings } from '@aztec/pr
 import { proverNodeConfigMappings } from '@aztec/prover-node/config';
 import { allPxeConfigMappings } from '@aztec/pxe/config';
 import { sequencerClientConfigMappings } from '@aztec/sequencer-client/config';
-import { chainConfigMappings } from '@aztec/stdlib/config';
+import { chainConfigMappings, nodeRpcConfigMappings } from '@aztec/stdlib/config';
 import { telemetryClientConfigMappings } from '@aztec/telemetry-client/config';
 import { worldStateConfigMappings } from '@aztec/world-state/config';
 
@@ -142,12 +142,37 @@ export const aztecStartOptions: { [key: string]: AztecStartOption[] } = {
       env: 'AZTEC_ADMIN_PORT',
       parseVal: val => parseInt(val, 10),
     },
+    {
+      flag: '--admin-api-key-hash <value>',
+      description:
+        'SHA-256 hex hash of a pre-generated admin API key. When set, the node uses this hash for authentication instead of auto-generating a key.',
+      defaultValue: undefined,
+      env: 'AZTEC_ADMIN_API_KEY_HASH',
+    },
+    {
+      flag: '--no-admin-api-key',
+      description:
+        'Disable API key authentication on the admin RPC endpoint. By default, a key is auto-generated, displayed once, and its hash is persisted.',
+      defaultValue: false,
+      env: 'AZTEC_NO_ADMIN_API_KEY',
+      parseVal: val => val === 'true' || val === '1',
+    },
+    {
+      flag: '--reset-admin-api-key',
+      description:
+        'Force-generate a new admin API key, replacing any previously persisted key hash. The new key is displayed once at startup.',
+      defaultValue: false,
+      env: 'AZTEC_RESET_ADMIN_API_KEY',
+      parseVal: val => val === 'true' || val === '1',
+    },
     {
       flag: '--api-prefix <value>',
       description: 'Prefix for API routes on any service that is started',
       defaultValue: '',
       env: 'API_PREFIX',
     },
+    configToFlag('--rpcMaxBatchSize', nodeRpcConfigMappings.rpcMaxBatchSize),
+    configToFlag('--rpcMaxBodySize', nodeRpcConfigMappings.rpcMaxBodySize),
   ],
   ETHEREUM: [
     configToFlag('--l1-chain-id', l1ReaderConfigMappings.l1ChainId),
@@ -168,7 +193,7 @@ export const aztecStartOptions: { [key: string]: AztecStartOption[] } = {
   'WORLD STATE': [
     configToFlag('--world-state-data-directory', worldStateConfigMappings.worldStateDataDirectory),
     configToFlag('--world-state-db-map-size-kb', worldStateConfigMappings.worldStateDbMapSizeKb),
-    configToFlag('--world-state-block-history', worldStateConfigMappings.worldStateBlockHistory),
+    configToFlag('--world-state-checkpoint-history', worldStateConfigMappings.worldStateCheckpointHistory),
   ],
   // We can't easily auto-generate node options as they're parts of modules defined below
   'AZTEC NODE': [
@@ -220,12 +245,8 @@ export const aztecStartOptions: { [key: string]: AztecStartOption[] } = {
       'proverNode',
       omitConfigMappings(proverNodeConfigMappings, [
         // filter out options passed separately
-        ...getKeys(archiverConfigMappings),
         ...getKeys(proverBrokerConfigMappings),
         ...getKeys(proverAgentConfigMappings),
-        ...getKeys(p2pConfigMappings),
-        ...getKeys(worldStateConfigMappings),
-        ...getKeys(sharedNodeConfigMappings),
       ]),
     ),
   ],

package/src/cli/cli.ts

@@ -31,63 +31,19 @@ export function injectAztecCommands(program: Command, userLog: LogFn, debugLogge
 
   program.configureHelp({ sortSubcommands: true });
 
-  program.addHelpText(
-    'after',
-    `
-
-  Additional commands:
-
-    init [folder] [options]: creates a new Noir project
-      Options:
-        --name <name>       Name of the package
-        --contract          Use a contract template (default)
-        --lib               Use a library template
-        --bin               Use a binary template
-      Examples:
-        $ aztec init                    # creates a contract project in current directory
-        $ aztec init --lib              # creates a library project
-
-    new <path> [options]: creates a new Noir project in a new directory
-      Options:
-        --name <name>       Name of the package
-        --contract          Use a contract template (default)
-        --lib               Use a library template
-        --bin               Use a binary template
-      Examples:
-        $ aztec new my-project          # creates a contract project in ./my-project
-        $ aztec new my-lib --lib        # creates a library project in ./my-lib
-
-    compile [options]: compiles Aztec Noir contracts
-      Compiles contracts with nargo compile and then postprocesses them to generate Aztec-specific artifacts including:
-        - Transpiled contract artifacts
-        - Verification keys
-      The compiled contracts will be placed in the target/ directory by default.
-      Supports standard nargo compile options.
-
-    fmt [options]: formats Noir code using nargo fmt
-      Example:
-        $ aztec fmt                     # formats all Noir files in the project
-
-    check [options]: type-checks Noir code without compiling using nargo check
-      Example:
-        $ aztec check                   # checks all Noir files in the project
-
-    test [options]: starts a dockerized TXE node via
-      $ aztec start --txe
-    then runs
-      $ aztec test --silence-warnings --oracle-resolver=<TXE_ADDRESS> [options]
-
-    lsp: starts the Nargo Language Server Protocol server
-      Runs nargo lsp in a Docker container for IDE integration with Noir.
-      This command is typically used by IDE extensions and not called directly by users.
-      Example:
-        $ aztec lsp                     # starts the LSP server
-
-    preload-crs: Downloads and caches the Common Reference String (CRS) data required for zero-knowledge proofs.
-      Example:
-        $ aztec preload-crs             # preloads CRS data
+  if (process.env.AZTEC_SHELL_WRAPPER) {
+    program.addHelpText(
+      'after',
+      `
+Additional commands:
+
+  init [folder] [options]  creates a new Aztec Noir project.
+  new <path> [options]     creates a new Aztec Noir project in a new directory.
+  compile [options]        compiles Aztec Noir contracts.
+  test [options]           starts a TXE and runs "nargo test" using it as the oracle resolver.
     `,
-  );
+    );
+  }
 
   program
     .command('preload-crs')

package/src/cli/cmds/migrate_ha_db.ts

@@ -0,0 +1,43 @@
+import { runMigrations } from '@aztec/validator-ha-signer/migrations';
+
+import type { Command } from 'commander';
+
+export function injectMigrateCommand(program: Command, log: (msg: string) => void): Command {
+  const migrateCommand = program.command('migrate-ha-db').description('Run validator-ha-signer database migrations');
+
+  migrateCommand
+    .command('up')
+    .description('Apply pending migrations')
+    .requiredOption('--database-url <string>', 'PostgreSQL connection string', process.env.DATABASE_URL)
+    .option('--verbose', 'Enable verbose output', false)
+    .action(async options => {
+      const migrations = await runMigrations(options.databaseUrl, {
+        direction: 'up',
+        verbose: options.verbose,
+      });
+      if (migrations.length > 0) {
+        log(`Applied migrations: ${migrations.join(', ')}`);
+      } else {
+        log('No migrations to apply - schema is up to date');
+      }
+    });
+
+  migrateCommand
+    .command('down')
+    .description('Rollback the last migration')
+    .requiredOption('--database-url <string>', 'PostgreSQL connection string', process.env.DATABASE_URL)
+    .option('--verbose', 'Enable verbose output', false)
+    .action(async options => {
+      const migrations = await runMigrations(options.databaseUrl, {
+        direction: 'down',
+        verbose: options.verbose,
+      });
+      if (migrations.length > 0) {
+        log(`Rolled back migrations: ${migrations.join(', ')}`);
+      } else {
+        log('No migrations to rollback');
+      }
+    });
+
+  return program;
+}

package/src/cli/cmds/start_archiver.ts

@@ -1,16 +1,9 @@
-import {
-  Archiver,
-  type ArchiverConfig,
-  KVArchiverDataStore,
-  archiverConfigMappings,
-  getArchiverConfigFromEnv,
-} from '@aztec/archiver';
+import { type ArchiverConfig, archiverConfigMappings, createArchiver, getArchiverConfigFromEnv } from '@aztec/archiver';
 import { createLogger } from '@aztec/aztec.js/log';
 import { type BlobClientConfig, blobClientConfigMapping, createBlobClient } from '@aztec/blob-client/client';
 import { getL1Config } from '@aztec/cli/config';
 import type { NamespacedApiHandlers } from '@aztec/foundation/json-rpc/server';
 import { type DataStoreConfig, dataConfigMappings } from '@aztec/kv-store/config';
-import { createStore } from '@aztec/kv-store/lmdb-v2';
 import { ArchiverApiSchema } from '@aztec/stdlib/interfaces/server';
 import { getConfigEnvVars as getTelemetryClientConfig, initTelemetryClient } from '@aztec/telemetry-client';
 
@@ -47,13 +40,9 @@ export async function startArchiver(
   archiverConfig.l1Contracts = addresses;
   archiverConfig = { ...archiverConfig, ...l1Config };
 
-  const storeLog = createLogger('archiver:lmdb');
-  const store = await createStore('archiver', KVArchiverDataStore.SCHEMA_VERSION, archiverConfig, storeLog);
-  const archiverStore = new KVArchiverDataStore(store, archiverConfig.maxLogs);
-
   const telemetry = await initTelemetryClient(getTelemetryClientConfig());
   const blobClient = createBlobClient(archiverConfig, { logger: createLogger('archiver:blob-client:client') });
-  const archiver = await Archiver.createAndSync(archiverConfig, archiverStore, { telemetry, blobClient }, true);
+  const archiver = await createArchiver(archiverConfig, { telemetry, blobClient }, { blockUntilSync: true });
   services.archiver = [archiver, ArchiverApiSchema];
   signalHandlers.push(archiver.stop);
 

package/src/cli/cmds/start_bot.ts

@@ -10,9 +10,9 @@ import {
   initTelemetryClient,
   makeTracedFetch,
 } from '@aztec/telemetry-client';
-import { TestWallet } from '@aztec/test-wallet/server';
+import { EmbeddedWallet } from '@aztec/wallets/embedded';
 
-import { extractRelevantOptions } from '../util.js';
+import { extractRelevantOptions, stringifyConfig } from '../util.js';
 import { getVersions } from '../versioning.js';
 
 export async function startBot(
@@ -38,22 +38,25 @@ export async function startBot(
   const aztecNode = createAztecNodeClient(config.nodeUrl, getVersions(), fetch);
 
   const pxeConfig = extractRelevantOptions<PXEConfig & CliPXEOptions>(options, allPxeConfigMappings, 'pxe');
-  const wallet = await TestWallet.create(aztecNode, pxeConfig);
+  userLog(`Creating bot wallet with config ${stringifyConfig(pxeConfig)}`);
+  const wallet = await EmbeddedWallet.create(aztecNode, { pxeConfig });
 
   const telemetry = await initTelemetryClient(getTelemetryClientConfig());
-  await addBot(options, signalHandlers, services, wallet, aztecNode, telemetry, undefined);
+  await addBot(options, signalHandlers, services, wallet, aztecNode, telemetry, undefined, userLog);
 }
 
 export async function addBot(
   options: any,
   signalHandlers: (() => Promise<void>)[],
   services: NamespacedApiHandlers,
-  wallet: TestWallet,
+  wallet: EmbeddedWallet,
   aztecNode: AztecNode,
   telemetry: TelemetryClient,
   aztecNodeAdmin?: AztecNodeAdmin,
+  userLog?: LogFn,
 ) {
   const config = extractRelevantOptions<BotConfig>(options, botConfigMappings, 'bot');
+  userLog?.(`Starting bot with config ${stringifyConfig(config)}`);
 
   const db = await (config.dataDirectory
     ? createStore('bot', BotStore.SCHEMA_VERSION, config)

package/src/cli/cmds/start_node.ts

@@ -6,16 +6,19 @@ import { getL1Config } from '@aztec/cli/config';
 import { getPublicClient } from '@aztec/ethereum/client';
 import { SecretValue } from '@aztec/foundation/config';
 import type { NamespacedApiHandlers } from '@aztec/foundation/json-rpc/server';
+import { Agent, makeUndiciFetch } from '@aztec/foundation/json-rpc/undici';
 import type { LogFn } from '@aztec/foundation/log';
+import { ProvingJobConsumerSchema, createProvingJobBrokerClient } from '@aztec/prover-client/broker';
 import { type CliPXEOptions, type PXEConfig, allPxeConfigMappings } from '@aztec/pxe/config';
 import { AztecNodeAdminApiSchema, AztecNodeApiSchema } from '@aztec/stdlib/interfaces/client';
-import { P2PApiSchema } from '@aztec/stdlib/interfaces/server';
+import { P2PApiSchema, ProverNodeApiSchema, type ProvingJobBroker } from '@aztec/stdlib/interfaces/server';
 import {
   type TelemetryClientConfig,
   initTelemetryClient,
+  makeTracedFetch,
   telemetryClientConfigMappings,
 } from '@aztec/telemetry-client';
-import { TestWallet } from '@aztec/test-wallet/server';
+import { EmbeddedWallet } from '@aztec/wallets/embedded';
 import { getGenesisValues } from '@aztec/world-state/testing';
 
 import { createAztecNode } from '../../local-network/index.js';
@@ -25,6 +28,8 @@ import {
   preloadCrsDataForVerifying,
   setupUpdateMonitor,
 } from '../util.js';
+import { getVersions } from '../versioning.js';
+import { startProverBroker } from './start_prover_broker.js';
 
 export async function startNode(
   options: any,
@@ -45,9 +50,32 @@ export async function startNode(
     ...relevantOptions,
   };
 
+  // Prover node configuration and broker setup
+  // REFACTOR: Move the broker setup out of here and into the prover-node factory
+  let broker: ProvingJobBroker | undefined = undefined;
   if (options.proverNode) {
-    userLog(`Running a Prover Node within a Node is not yet supported`);
-    process.exit(1);
+    nodeConfig.enableProverNode = true;
+    if (nodeConfig.proverAgentCount === 0) {
+      userLog(
+        `Running prover node without local prover agent. Connect prover agents or pass --proverAgent.proverAgentCount`,
+      );
+    }
+    if (nodeConfig.proverBrokerUrl) {
+      // at 1TPS we'd enqueue ~1k chonk verifier proofs and ~1k AVM proofs immediately
+      // set a lower connection limit such that we don't overload the server
+      // Keep retrying up to 30s
+      const fetch = makeTracedFetch(
+        [1, 2, 3, 3, 3, 3, 3, 3, 3, 3, 3],
+        false,
+        makeUndiciFetch(new Agent({ connections: 100 })),
+      );
+      broker = createProvingJobBrokerClient(nodeConfig.proverBrokerUrl, getVersions(nodeConfig), fetch);
+    } else if (options.proverBroker) {
+      ({ broker } = await startProverBroker(options, signalHandlers, services, userLog));
+    } else {
+      userLog(`--prover-broker-url or --prover-broker is required to start a Prover Node`);
+      process.exit(1);
+    }
   }
 
   await preloadCrsDataForVerifying(nodeConfig, userLog);
@@ -101,12 +129,17 @@ export async function startNode(
       ...extractNamespacedOptions(options, 'sequencer'),
     };
     // If no publisher private keys have been given, use the first validator key
-    if (sequencerConfig.publisherPrivateKeys === undefined || !sequencerConfig.publisherPrivateKeys.length) {
+    if (
+      sequencerConfig.sequencerPublisherPrivateKeys === undefined ||
+      !sequencerConfig.sequencerPublisherPrivateKeys.length
+    ) {
       if (sequencerConfig.validatorPrivateKeys?.getValue().length) {
-        sequencerConfig.publisherPrivateKeys = [new SecretValue(sequencerConfig.validatorPrivateKeys.getValue()[0])];
+        sequencerConfig.sequencerPublisherPrivateKeys = [
+          new SecretValue(sequencerConfig.validatorPrivateKeys.getValue()[0]),
+        ];
       }
     }
-    nodeConfig.publisherPrivateKeys = sequencerConfig.publisherPrivateKeys;
+    nodeConfig.sequencerPublisherPrivateKeys = sequencerConfig.sequencerPublisherPrivateKeys;
   }
 
   if (nodeConfig.p2pEnabled) {
@@ -120,13 +153,22 @@ export async function startNode(
   const telemetry = await initTelemetryClient(telemetryConfig);
 
   // Create and start Aztec Node
-  const node = await createAztecNode(nodeConfig, { telemetry }, { prefilledPublicData });
+  const node = await createAztecNode(nodeConfig, { telemetry, proverBroker: broker }, { prefilledPublicData });
 
   // Add node and p2p to services list
   services.node = [node, AztecNodeApiSchema];
   services.p2p = [node.getP2P(), P2PApiSchema];
   adminServices.nodeAdmin = [node, AztecNodeAdminApiSchema];
 
+  // Register prover-node services if the prover node subsystem is running
+  const proverNode = node.getProverNode();
+  if (proverNode) {
+    services.prover = [proverNode, ProverNodeApiSchema];
+    if (!nodeConfig.proverBrokerUrl) {
+      services.provingJobSource = [proverNode.getProver().getProvingJobSource(), ProvingJobConsumerSchema];
+    }
+  }
+
   // Add node stop function to signal handlers
   signalHandlers.push(node.stop.bind(node));
 
@@ -135,7 +177,7 @@ export async function startNode(
     const { addBot } = await import('./start_bot.js');
 
     const pxeConfig = extractRelevantOptions<PXEConfig & CliPXEOptions>(options, allPxeConfigMappings, 'pxe');
-    const wallet = await TestWallet.create(node, pxeConfig);
+    const wallet = await EmbeddedWallet.create(node, { pxeConfig });
 
     await addBot(options, signalHandlers, services, wallet, node, telemetry, undefined);
   }

package/src/cli/cmds/start_p2p_bootstrap.ts

@@ -1,6 +1,6 @@
 import { jsonStringify } from '@aztec/foundation/json-rpc';
 import type { NamespacedApiHandlers } from '@aztec/foundation/json-rpc/server';
-import { type LogFn, createLogger } from '@aztec/foundation/log';
+import type { LogFn } from '@aztec/foundation/log';
 import { createStore } from '@aztec/kv-store/lmdb-v2';
 import { type BootnodeConfig, BootstrapNode, bootnodeConfigMappings } from '@aztec/p2p';
 import { emptyChainConfig } from '@aztec/stdlib/config';
@@ -27,7 +27,7 @@ export async function startP2PBootstrap(
   const telemetryConfig = extractRelevantOptions<TelemetryClientConfig>(options, telemetryClientConfigMappings, 'tel');
   const telemetryClient = await initTelemetryClient(telemetryConfig);
 
-  const store = await createStore('p2p-bootstrap', 1, config, createLogger('p2p:bootstrap:store'));
+  const store = await createStore('p2p-bootstrap', 1, config);
   const node = new BootstrapNode(store, telemetryClient);
   await node.start(config);
   signalHandlers.push(() => node.stop());

package/src/cli/cmds/start_prover_agent.ts

@@ -4,9 +4,9 @@ import { Agent, makeUndiciFetch } from '@aztec/foundation/json-rpc/undici';
 import type { LogFn } from '@aztec/foundation/log';
 import { buildServerCircuitProver } from '@aztec/prover-client';
 import {
-  InlineProofStore,
   type ProverAgentConfig,
   ProvingAgent,
+  createProofStore,
   createProvingJobBrokerClient,
   proverAgentConfigMappings,
 } from '@aztec/prover-client/broker';
@@ -55,18 +55,10 @@ export async function startProverAgent(
 
   const telemetry = await initTelemetryClient(extractRelevantOptions(options, telemetryClientConfigMappings, 'tel'));
   const prover = await buildServerCircuitProver(config, telemetry);
-  const proofStore = new InlineProofStore();
+  const proofStore = await createProofStore(config.proofStore);
   const agents = times(
     config.proverAgentCount,
-    () =>
-      new ProvingAgent(
-        broker,
-        proofStore,
-        prover,
-        config.proverAgentProofTypes,
-        config.proverAgentPollIntervalMs,
-        telemetry,
-      ),
+    () => new ProvingAgent(broker, proofStore, prover, config.proverAgentProofTypes, config.proverAgentPollIntervalMs),
   );
 
   // expose all agents as individual services