@aztec/aztec 0.0.1-commit.f2ce05ee → 0.0.1-commit.f81dbcf

package/dest/testing/epoch_test_settler.js

@@ -1,7 +1,7 @@
 import { RollupCheatCodes } from '@aztec/ethereum/test';
 import { SlotNumber } from '@aztec/foundation/branded-types';
 import { EpochMonitor } from '@aztec/prover-node';
-import { computeL2ToL1MembershipWitnessFromMessagesInEpoch } from '@aztec/stdlib/messaging';
+import { computeEpochOutHash } from '@aztec/stdlib/messaging';
 export class EpochTestSettler {
     l2BlockSource;
     log;
@@ -44,9 +44,8 @@ export class EpochTestSettler {
             }
             messagesInEpoch[checkpointIndex].push(block.body.txEffects.map((txEffect)=>txEffect.l2ToL1Msgs));
         }
-        const [firstMessage] = messagesInEpoch.flat(3);
-        if (firstMessage) {
-            const { root: outHash } = computeL2ToL1MembershipWitnessFromMessagesInEpoch(messagesInEpoch, firstMessage);
+        const outHash = computeEpochOutHash(messagesInEpoch);
+        if (!outHash.isZero()) {
             await this.rollupCheatCodes.insertOutbox(epoch, outHash.toBigInt());
         } else {
             this.log.info(`No L2 to L1 messages in epoch ${epoch}`);

package/dest/testing/index.d.ts

@@ -2,4 +2,5 @@ export { AnvilTestWatcher } from './anvil_test_watcher.js';
 export { EthCheatCodes, RollupCheatCodes } from '@aztec/ethereum/test';
 export { CheatCodes } from './cheat_codes.js';
 export { EpochTestSettler } from './epoch_test_settler.js';
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguZC50cyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy90ZXN0aW5nL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sRUFBRSxnQkFBZ0IsRUFBRSxNQUFNLHlCQUF5QixDQUFDO0FBQzNELE9BQU8sRUFBRSxhQUFhLEVBQUUsZ0JBQWdCLEVBQUUsTUFBTSxzQkFBc0IsQ0FBQztBQUN2RSxPQUFPLEVBQUUsVUFBVSxFQUFFLE1BQU0sa0JBQWtCLENBQUM7QUFDOUMsT0FBTyxFQUFFLGdCQUFnQixFQUFFLE1BQU0seUJBQXlCLENBQUMifQ==
+export { getTokenAllowedSetupFunctions } from './token_allowed_setup.js';
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguZC50cyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy90ZXN0aW5nL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sRUFBRSxnQkFBZ0IsRUFBRSxNQUFNLHlCQUF5QixDQUFDO0FBQzNELE9BQU8sRUFBRSxhQUFhLEVBQUUsZ0JBQWdCLEVBQUUsTUFBTSxzQkFBc0IsQ0FBQztBQUN2RSxPQUFPLEVBQUUsVUFBVSxFQUFFLE1BQU0sa0JBQWtCLENBQUM7QUFDOUMsT0FBTyxFQUFFLGdCQUFnQixFQUFFLE1BQU0seUJBQXlCLENBQUM7QUFDM0QsT0FBTyxFQUFFLDZCQUE2QixFQUFFLE1BQU0sMEJBQTBCLENBQUMifQ==

package/dest/testing/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/testing/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACvE,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/testing/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACvE,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,6BAA6B,EAAE,MAAM,0BAA0B,CAAC"}

package/dest/testing/index.js

@@ -2,3 +2,4 @@ export { AnvilTestWatcher } from './anvil_test_watcher.js';
 export { EthCheatCodes, RollupCheatCodes } from '@aztec/ethereum/test';
 export { CheatCodes } from './cheat_codes.js';
 export { EpochTestSettler } from './epoch_test_settler.js';
+export { getTokenAllowedSetupFunctions } from './token_allowed_setup.js';

package/dest/testing/token_allowed_setup.d.ts

@@ -0,0 +1,7 @@
+import type { AllowedElement } from '@aztec/stdlib/interfaces/server';
+/**
+ * Returns Token-specific allowlist entries needed for FPC-based fee payments.
+ * These are test-only: FPC-based fee payment with custom tokens won't work on mainnet alpha.
+ */
+export declare function getTokenAllowedSetupFunctions(): Promise<AllowedElement[]>;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidG9rZW5fYWxsb3dlZF9zZXR1cC5kLnRzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL3Rlc3RpbmcvdG9rZW5fYWxsb3dlZF9zZXR1cC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFHQSxPQUFPLEtBQUssRUFBRSxjQUFjLEVBQUUsTUFBTSxpQ0FBaUMsQ0FBQztBQUV0RTs7O0dBR0c7QUFDSCx3QkFBc0IsNkJBQTZCLElBQUksT0FBTyxDQUFDLGNBQWMsRUFBRSxDQUFDLENBUy9FIn0=

package/dest/testing/token_allowed_setup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token_allowed_setup.d.ts","sourceRoot":"","sources":["../../src/testing/token_allowed_setup.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,iCAAiC,CAAC;AAEtE;;;GAGG;AACH,wBAAsB,6BAA6B,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC,CAS/E"}

package/dest/testing/token_allowed_setup.js

@@ -0,0 +1,20 @@
+import { TokenContractArtifact } from '@aztec/noir-contracts.js/Token';
+import { buildAllowedElement } from '@aztec/p2p/msg_validators';
+import { getContractClassFromArtifact } from '@aztec/stdlib/contract';
+/**
+ * Returns Token-specific allowlist entries needed for FPC-based fee payments.
+ * These are test-only: FPC-based fee payment with custom tokens won't work on mainnet alpha.
+ */ export async function getTokenAllowedSetupFunctions() {
+    const tokenClassId = (await getContractClassFromArtifact(TokenContractArtifact)).id;
+    const target = {
+        classId: tokenClassId
+    };
+    return Promise.all([
+        // Token: needed for private transfers via FPC (transfer_to_public enqueues this)
+        buildAllowedElement(TokenContractArtifact, target, '_increase_public_balance', {
+            onlySelf: true
+        }),
+        // Token: needed for public transfers via FPC (fee_entrypoint_public enqueues this)
+        buildAllowedElement(TokenContractArtifact, target, 'transfer_in_public')
+    ]);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aztec/aztec",
-  "version": "0.0.1-commit.f2ce05ee",
+  "version": "0.0.1-commit.f81dbcf",
   "type": "module",
   "exports": {
     ".": "./dest/index.js",
@@ -28,39 +28,39 @@
     "../package.common.json"
   ],
   "dependencies": {
-    "@aztec/accounts": "0.0.1-commit.f2ce05ee",
-    "@aztec/archiver": "0.0.1-commit.f2ce05ee",
-    "@aztec/aztec-faucet": "0.0.1-commit.f2ce05ee",
-    "@aztec/aztec-node": "0.0.1-commit.f2ce05ee",
-    "@aztec/aztec.js": "0.0.1-commit.f2ce05ee",
-    "@aztec/bb-prover": "0.0.1-commit.f2ce05ee",
-    "@aztec/bb.js": "0.0.1-commit.f2ce05ee",
-    "@aztec/blob-client": "0.0.1-commit.f2ce05ee",
-    "@aztec/bot": "0.0.1-commit.f2ce05ee",
-    "@aztec/builder": "0.0.1-commit.f2ce05ee",
-    "@aztec/cli": "0.0.1-commit.f2ce05ee",
-    "@aztec/constants": "0.0.1-commit.f2ce05ee",
-    "@aztec/entrypoints": "0.0.1-commit.f2ce05ee",
-    "@aztec/ethereum": "0.0.1-commit.f2ce05ee",
-    "@aztec/foundation": "0.0.1-commit.f2ce05ee",
-    "@aztec/kv-store": "0.0.1-commit.f2ce05ee",
-    "@aztec/l1-artifacts": "0.0.1-commit.f2ce05ee",
-    "@aztec/node-lib": "0.0.1-commit.f2ce05ee",
-    "@aztec/noir-contracts.js": "0.0.1-commit.f2ce05ee",
-    "@aztec/noir-protocol-circuits-types": "0.0.1-commit.f2ce05ee",
-    "@aztec/p2p": "0.0.1-commit.f2ce05ee",
-    "@aztec/p2p-bootstrap": "0.0.1-commit.f2ce05ee",
-    "@aztec/protocol-contracts": "0.0.1-commit.f2ce05ee",
-    "@aztec/prover-client": "0.0.1-commit.f2ce05ee",
-    "@aztec/prover-node": "0.0.1-commit.f2ce05ee",
-    "@aztec/pxe": "0.0.1-commit.f2ce05ee",
-    "@aztec/sequencer-client": "0.0.1-commit.f2ce05ee",
-    "@aztec/stdlib": "0.0.1-commit.f2ce05ee",
-    "@aztec/telemetry-client": "0.0.1-commit.f2ce05ee",
-    "@aztec/test-wallet": "0.0.1-commit.f2ce05ee",
-    "@aztec/txe": "0.0.1-commit.f2ce05ee",
-    "@aztec/validator-ha-signer": "0.0.1-commit.f2ce05ee",
-    "@aztec/world-state": "0.0.1-commit.f2ce05ee",
+    "@aztec/accounts": "0.0.1-commit.f81dbcf",
+    "@aztec/archiver": "0.0.1-commit.f81dbcf",
+    "@aztec/aztec-faucet": "0.0.1-commit.f81dbcf",
+    "@aztec/aztec-node": "0.0.1-commit.f81dbcf",
+    "@aztec/aztec.js": "0.0.1-commit.f81dbcf",
+    "@aztec/bb-prover": "0.0.1-commit.f81dbcf",
+    "@aztec/bb.js": "0.0.1-commit.f81dbcf",
+    "@aztec/blob-client": "0.0.1-commit.f81dbcf",
+    "@aztec/bot": "0.0.1-commit.f81dbcf",
+    "@aztec/builder": "0.0.1-commit.f81dbcf",
+    "@aztec/cli": "0.0.1-commit.f81dbcf",
+    "@aztec/constants": "0.0.1-commit.f81dbcf",
+    "@aztec/entrypoints": "0.0.1-commit.f81dbcf",
+    "@aztec/ethereum": "0.0.1-commit.f81dbcf",
+    "@aztec/foundation": "0.0.1-commit.f81dbcf",
+    "@aztec/kv-store": "0.0.1-commit.f81dbcf",
+    "@aztec/l1-artifacts": "0.0.1-commit.f81dbcf",
+    "@aztec/node-lib": "0.0.1-commit.f81dbcf",
+    "@aztec/noir-contracts.js": "0.0.1-commit.f81dbcf",
+    "@aztec/noir-protocol-circuits-types": "0.0.1-commit.f81dbcf",
+    "@aztec/p2p": "0.0.1-commit.f81dbcf",
+    "@aztec/p2p-bootstrap": "0.0.1-commit.f81dbcf",
+    "@aztec/protocol-contracts": "0.0.1-commit.f81dbcf",
+    "@aztec/prover-client": "0.0.1-commit.f81dbcf",
+    "@aztec/prover-node": "0.0.1-commit.f81dbcf",
+    "@aztec/pxe": "0.0.1-commit.f81dbcf",
+    "@aztec/sequencer-client": "0.0.1-commit.f81dbcf",
+    "@aztec/stdlib": "0.0.1-commit.f81dbcf",
+    "@aztec/telemetry-client": "0.0.1-commit.f81dbcf",
+    "@aztec/txe": "0.0.1-commit.f81dbcf",
+    "@aztec/validator-ha-signer": "0.0.1-commit.f81dbcf",
+    "@aztec/wallets": "0.0.1-commit.f81dbcf",
+    "@aztec/world-state": "0.0.1-commit.f81dbcf",
     "@types/chalk": "^2.2.0",
     "abitype": "^0.8.11",
     "chalk": "^5.3.0",

package/scripts/aztec.sh

@@ -21,13 +21,13 @@ function aztec {
 
 case $cmd in
   test)
-    export LOG_LEVEL="${LOG_LEVEL:-error}"
+    export LOG_LEVEL="${LOG_LEVEL:-"error;trace:contract_log"}"
     aztec start --txe --port 8081 &
     server_pid=$!
     trap 'kill $server_pid &>/dev/null || true' EXIT
     while ! nc -z 127.0.0.1 8081 &>/dev/null; do sleep 0.2; done
     export NARGO_FOREIGN_CALL_TIMEOUT=300000
-    nargo test --silence-warnings  --oracle-resolver http://127.0.0.1:8081 "$@"
+    nargo test --silence-warnings --oracle-resolver http://127.0.0.1:8081 --test-threads 16 "$@"
     ;;
   start)
     if [ "${1:-}" == "--local-network" ]; then
@@ -54,9 +54,13 @@ case $cmd in
 
     aztec start "$@"
     ;;
-  compile|new|init|flamegraph)
+  new|init)
     $script_dir/${cmd}.sh "$@"
     ;;
+  flamegraph)
+    echo "Warning: 'aztec flamegraph' is deprecated. Use 'aztec profile flamegraph' instead." >&2
+    aztec profile flamegraph "$@"
+    ;;
   *)
     aztec $cmd "$@"
     ;;

package/src/bin/index.ts

@@ -11,12 +11,14 @@ import { injectCommands as injectMiscCommands } from '@aztec/cli/misc';
 import { injectCommands as injectValidatorKeysCommands } from '@aztec/cli/validator_keys';
 import { getActiveNetworkName } from '@aztec/foundation/config';
 import { createConsoleLogger, createLogger } from '@aztec/foundation/log';
+import { getPackageVersion } from '@aztec/stdlib/update-checker';
 
 import { Command } from 'commander';
 
+import { injectCompileCommand } from '../cli/cmds/compile.js';
 import { injectMigrateCommand } from '../cli/cmds/migrate_ha_db.js';
+import { injectProfileCommand } from '../cli/cmds/profile.js';
 import { injectAztecCommands } from '../cli/index.js';
-import { getCliVersion } from '../cli/release_version.js';
 
 const NETWORK_FLAG = 'network';
 
@@ -45,9 +47,9 @@ async function main() {
   await enrichEnvironmentWithNetworkConfig(networkName);
   enrichEnvironmentWithChainName(networkName);
 
-  const cliVersion = getCliVersion();
+  const cliVersion = getPackageVersion() ?? 'unknown';
   let program = new Command('aztec');
-  program.description('Aztec command line interface').version(cliVersion);
+  program.description('Aztec command line interface').version(cliVersion).enablePositionalOptions();
   program = injectAztecCommands(program, userLog, debugLogger);
   program = injectBuilderCommands(program);
   program = injectContractCommands(program, userLog, debugLogger);
@@ -56,6 +58,8 @@ async function main() {
   program = injectAztecNodeCommands(program, userLog, debugLogger);
   program = injectMiscCommands(program, userLog);
   program = injectValidatorKeysCommands(program, userLog);
+  program = injectCompileCommand(program, userLog);
+  program = injectProfileCommand(program, userLog);
   program = injectMigrateCommand(program, userLog);
 
   await program.parseAsync(process.argv);

package/src/cli/admin_api_key_store.ts

@@ -0,0 +1,128 @@
+import { randomBytes } from '@aztec/foundation/crypto/random';
+import { sha256Hash } from '@aztec/foundation/json-rpc/server';
+import type { Logger } from '@aztec/foundation/log';
+
+import { promises as fs } from 'fs';
+import { join } from 'path';
+
+/** Subdirectory under dataDirectory for admin API key storage. */
+const ADMIN_STORE_DIR = 'admin';
+const HASH_FILE_NAME = 'api_key_hash';
+
+/**
+ * Result of resolving the admin API key.
+ * Contains the SHA-256 hex hash of the API key to be used by the auth middleware,
+ * and optionally the raw key when newly generated (so the caller can display it).
+ */
+export interface AdminApiKeyResolution {
+  /** The SHA-256 hash of the API key. */
+  apiKeyHash: Buffer;
+  /**
+   * The raw API key, only present when a new key was generated during this call.
+   * The caller MUST display this to the operator — it will not be stored or returned again.
+   */
+  rawKey?: string;
+}
+
+export interface ResolveAdminApiKeyOptions {
+  /** SHA-256 hex hash of a pre-generated API key. When set, the node uses this hash directly. */
+  adminApiKeyHash?: string;
+  /** If true, disable admin API key auth entirely. */
+  disableAdminApiKey?: boolean;
+  /** If true, force-generate a new key even if one is already persisted. */
+  resetAdminApiKey?: boolean;
+  /** Root data directory for persistent storage. */
+  dataDirectory?: string;
+}
+
+/**
+ * Resolves the admin API key for the admin RPC endpoint.
+ *
+ * Strategy:
+ * 1. If opt-out flag is set (`disableAdminApiKey`), return undefined (no auth).
+ * 2. If a pre-generated hash is provided (`adminApiKeyHash`), use it directly.
+ * 3. If a data directory exists, look for a persisted hash file
+ *    at `<dataDirectory>/admin/api_key_hash`:
+ *    - If `resetAdminApiKey` is set, skip loading and force-generate a new key.
+ *    - Found: use the stored hash (operator already saved the key from first run).
+ *    - Not found: auto-generate a random key, display it once, persist the hash.
+ * 3. If no data directory: generate a random key
+ *    each run and display it (cannot persist).
+ *
+ * @param options - The options for resolving the admin API key.
+ * @param log - Logger for outputting the key and status messages.
+ * @returns The resolved API key hash, or undefined if auth is disabled.
+ */
+export async function resolveAdminApiKey(
+  options: ResolveAdminApiKeyOptions,
+  log: Logger,
+): Promise<AdminApiKeyResolution | undefined> {
+  // Operator explicitly opted out of admin auth
+  if (options.disableAdminApiKey) {
+    log.warn('Admin API key authentication is DISABLED (--disable-admin-api-key / AZTEC_DISABLE_ADMIN_API_KEY)');
+    return undefined;
+  }
+
+  // Operator provided a pre-generated hash (e.g. via AZTEC_ADMIN_API_KEY_HASH env var)
+  if (options.adminApiKeyHash) {
+    const hex = options.adminApiKeyHash.trim();
+    if (hex.length !== 64 || !/^[0-9a-f]{64}$/.test(hex)) {
+      throw new Error(`Invalid admin API key hash: expected 64-char hex string, got "${hex}"`);
+    }
+    log.info('Admin API key authentication enabled (using pre-configured key hash)');
+    return { apiKeyHash: Buffer.from(hex, 'hex') };
+  }
+
+  // Persistent storage available, load or generate key
+  if (options.dataDirectory) {
+    const adminDir = join(options.dataDirectory, ADMIN_STORE_DIR);
+    const hashFilePath = join(adminDir, HASH_FILE_NAME);
+
+    // Unless a reset is forced, try to load the existing hash from disk
+    if (!options.resetAdminApiKey) {
+      try {
+        const storedHash = (await fs.readFile(hashFilePath, 'utf-8')).trim();
+        if (storedHash.length === 64) {
+          log.info('Admin API key authentication enabled (loaded stored key hash from disk)');
+          return { apiKeyHash: Buffer.from(storedHash, 'hex') };
+        }
+        log.warn(`Invalid stored admin API key hash at ${hashFilePath}, regenerating...`);
+      } catch (err: any) {
+        if (err.code !== 'ENOENT') {
+          log.warn(`Failed to read admin API key hash from ${hashFilePath}: ${err.message}`);
+        }
+        // File doesn't exist — fall through to generate
+      }
+    } else {
+      log.warn('Admin API key reset requested — generating a new key');
+    }
+
+    // Generate a new key, persist the hash, and return the raw key for the caller to display
+    const { rawKey, hash } = generateApiKey();
+    await fs.mkdir(adminDir, { recursive: true });
+    await fs.writeFile(hashFilePath, hash.toString('hex'), 'utf-8');
+    // Set restrictive permissions (owner read/write only)
+    await fs.chmod(hashFilePath, 0o600);
+
+    log.info('Admin API key authentication enabled (new key generated and hash persisted to disk)');
+    return { apiKeyHash: hash, rawKey };
+  }
+
+  // No data directory, generate a temporary key per session
+  const { rawKey, hash } = generateApiKey();
+
+  log.warn('No data directory configured — admin API key cannot be persisted.');
+  log.warn('A temporary key has been generated for this session only.');
+
+  return { apiKeyHash: hash, rawKey };
+}
+
+/**
+ * Generates a cryptographically random API key and its SHA-256 hash.
+ * @returns The raw key (hex string) and its SHA-256 hash as a Buffer.
+ */
+function generateApiKey(): { rawKey: string; hash: Buffer } {
+  const rawKey = randomBytes(32).toString('hex');
+  const hash = sha256Hash(rawKey);
+  return { rawKey, hash };
+}

package/src/cli/aztec_start_action.ts

@@ -1,17 +1,20 @@
+import { getActiveNetworkName } from '@aztec/foundation/config';
 import {
   type NamespacedApiHandlers,
   createNamespacedSafeJsonRpcServer,
+  getApiKeyAuthMiddleware,
   startHttpRpcServer,
 } from '@aztec/foundation/json-rpc/server';
 import type { LogFn, Logger } from '@aztec/foundation/log';
 import type { ChainConfig } from '@aztec/stdlib/config';
 import { AztecNodeApiSchema } from '@aztec/stdlib/interfaces/client';
+import { getPackageVersion } from '@aztec/stdlib/update-checker';
 import { getVersioningMiddleware } from '@aztec/stdlib/versioning';
 import { getOtelJsonRpcPropagationMiddleware } from '@aztec/telemetry-client';
 
 import { createLocalNetwork } from '../local-network/index.js';
 import { github, splash } from '../splash.js';
-import { getCliVersion } from './release_version.js';
+import { resolveAdminApiKey } from './admin_api_key_store.js';
 import { extractNamespacedOptions, installSignalHandlers } from './util.js';
 import { getVersions } from './versioning.js';
 
@@ -20,14 +23,14 @@ export async function aztecStart(options: any, userLog: LogFn, debugLogger: Logg
   const signalHandlers: Array<() => Promise<void>> = [];
   const services: NamespacedApiHandlers = {};
   const adminServices: NamespacedApiHandlers = {};
+  const packageVersion = getPackageVersion();
   let config: ChainConfig | undefined = undefined;
 
   if (options.localNetwork) {
-    const cliVersion = getCliVersion();
     const localNetwork = extractNamespacedOptions(options, 'local-network');
     localNetwork.testAccounts = true;
     userLog(`${splash}\n${github}\n\n`);
-    userLog(`Setting up Aztec local network ${cliVersion}, please stand by...`);
+    userLog(`Setting up Aztec local network ${packageVersion ?? 'unknown'}, please stand by...`);
 
     const { node, stop } = await createLocalNetwork(
       {
@@ -35,11 +38,11 @@ export async function aztecStart(options: any, userLog: LogFn, debugLogger: Logg
         l1RpcUrls: options.l1RpcUrls,
         testAccounts: localNetwork.testAccounts,
         realProofs: false,
-        // Setting the epoch duration to 4 by default for local network. This allows the epoch to be "proven" faster, so
+        // Setting the epoch duration to 2 by default for local network. This allows the epoch to be "proven" faster, so
         // the users can consume out hash without having to wait for a long time.
         // Note: We are not proving anything in the local network (realProofs == false). But in `createLocalNetwork`,
         // the EpochTestSettler will set the out hash to the outbox when an epoch is complete.
-        aztecEpochDuration: 4,
+        aztecEpochDuration: 2,
       },
       userLog,
     );
@@ -48,15 +51,18 @@ export async function aztecStart(options: any, userLog: LogFn, debugLogger: Logg
     signalHandlers.push(stop);
     services.node = [node, AztecNodeApiSchema];
   } else {
+    // Route --prover-node through startNode
+    if (options.proverNode && !options.node) {
+      options.node = true;
+    }
+
     if (options.node) {
       const { startNode } = await import('./cmds/start_node.js');
-      ({ config } = await startNode(options, signalHandlers, services, adminServices, userLog));
+      const networkName = getActiveNetworkName(options.network);
+      ({ config } = await startNode(options, signalHandlers, services, adminServices, userLog, networkName));
     } else if (options.bot) {
       const { startBot } = await import('./cmds/start_bot.js');
       await startBot(options, signalHandlers, services, userLog);
-    } else if (options.proverNode) {
-      const { startProverNode } = await import('./cmds/start_prover_node.js');
-      ({ config } = await startProverNode(options, signalHandlers, services, userLog));
     } else if (options.archiver) {
       const { startArchiver } = await import('./cmds/start_archiver.js');
       ({ config } = await startArchiver(options, signalHandlers, services));
@@ -83,13 +89,14 @@ export async function aztecStart(options: any, userLog: LogFn, debugLogger: Logg
 
   installSignalHandlers(debugLogger.info, signalHandlers);
   const versions = getVersions(config);
+  const versioningOpts = { packageVersion };
 
   // Start the main JSON-RPC server
   if (Object.entries(services).length > 0) {
     const rpcServer = createNamespacedSafeJsonRpcServer(services, {
       http200OnError: false,
       log: debugLogger,
-      middlewares: [getOtelJsonRpcPropagationMiddleware(), getVersioningMiddleware(versions)],
+      middlewares: [getOtelJsonRpcPropagationMiddleware(), getVersioningMiddleware(versions, versioningOpts)],
       maxBatchSize: options.rpcMaxBatchSize,
       maxBodySizeBytes: options.rpcMaxBodySize,
     });
@@ -99,14 +106,54 @@ export async function aztecStart(options: any, userLog: LogFn, debugLogger: Logg
 
   // If there are any admin services, start a separate JSON-RPC server for them
   if (Object.entries(adminServices).length > 0) {
+    const adminMiddlewares = [getOtelJsonRpcPropagationMiddleware(), getVersioningMiddleware(versions, versioningOpts)];
+
+    // Resolve the admin API key (auto-generated and persisted, or opt-out)
+    const apiKeyResolution = await resolveAdminApiKey(
+      {
+        adminApiKeyHash: options.adminApiKeyHash,
+        disableAdminApiKey: options.disableAdminApiKey,
+        resetAdminApiKey: options.resetAdminApiKey,
+        dataDirectory: options.dataDirectory,
+      },
+      debugLogger,
+    );
+    if (apiKeyResolution) {
+      adminMiddlewares.unshift(getApiKeyAuthMiddleware(apiKeyResolution.apiKeyHash));
+    } else {
+      debugLogger.warn('No admin API key set — admin endpoint is unauthenticated');
+    }
+
     const rpcServer = createNamespacedSafeJsonRpcServer(adminServices, {
       http200OnError: false,
       log: debugLogger,
-      middlewares: [getOtelJsonRpcPropagationMiddleware(), getVersioningMiddleware(versions)],
+      middlewares: adminMiddlewares,
       maxBatchSize: options.rpcMaxBatchSize,
       maxBodySizeBytes: options.rpcMaxBodySize,
     });
     const { port } = await startHttpRpcServer(rpcServer, { port: options.adminPort });
     debugLogger.info(`Aztec Server admin API listening on port ${port}`, versions);
+
+    // Display the API key after the server has started
+    // Uses userLog which is never filtered by LOG_LEVEL.
+    if (apiKeyResolution?.rawKey) {
+      const separator = '='.repeat(70);
+      userLog('');
+      userLog(separator);
+      userLog('  ADMIN API KEY (save this — it will NOT be shown again)');
+      userLog('');
+      userLog(`  ${apiKeyResolution.rawKey}`);
+      userLog('');
+      userLog(`  Use via header:  x-api-key: <key>`);
+      userLog(`  Or via header:   Authorization: Bearer <key>`);
+      if (options.dataDirectory) {
+        userLog('');
+        userLog('  The key hash has been persisted — on next restart, the same key will be used.');
+      }
+      userLog('');
+      userLog('  To disable admin auth: --disable-admin-api-key or AZTEC_DISABLE_ADMIN_API_KEY=true');
+      userLog(separator);
+      userLog('');
+    }
   }
 }

package/src/cli/aztec_start_options.ts

@@ -105,8 +105,7 @@ export const aztecStartOptions: { [key: string]: AztecStartOption[] } = {
       env: 'NETWORK',
     },
 
-    configToFlag('--auto-update', sharedNodeConfigMappings.autoUpdate),
-    configToFlag('--auto-update-url', sharedNodeConfigMappings.autoUpdateUrl),
+    configToFlag('--enable-version-check', sharedNodeConfigMappings.enableVersionCheck),
 
     configToFlag('--sync-mode', sharedNodeConfigMappings.syncMode),
     configToFlag('--snapshots-urls', sharedNodeConfigMappings.snapshotsUrls),
@@ -142,6 +141,30 @@ export const aztecStartOptions: { [key: string]: AztecStartOption[] } = {
       env: 'AZTEC_ADMIN_PORT',
       parseVal: val => parseInt(val, 10),
     },
+    {
+      flag: '--admin-api-key-hash <value>',
+      description:
+        'SHA-256 hex hash of a pre-generated admin API key. When set, the node uses this hash for authentication instead of auto-generating a key.',
+      defaultValue: undefined,
+      env: 'AZTEC_ADMIN_API_KEY_HASH',
+    },
+    {
+      flag: '--disable-admin-api-key',
+      description:
+        'Disable API key authentication on the admin RPC endpoint. By default, a key is auto-generated, displayed once, and its hash is persisted.',
+      defaultValue: false,
+      env: 'AZTEC_DISABLE_ADMIN_API_KEY',
+      // undefined means the flag was passed without a value (boolean toggle), treat as true.
+      parseVal: val => val === undefined || val === 'true' || val === '1',
+    },
+    {
+      flag: '--reset-admin-api-key',
+      description:
+        'Force-generate a new admin API key, replacing any previously persisted key hash. The new key is displayed once at startup.',
+      defaultValue: false,
+      env: 'AZTEC_RESET_ADMIN_API_KEY',
+      parseVal: val => val === 'true' || val === '1',
+    },
     {
       flag: '--api-prefix <value>',
       description: 'Prefix for API routes on any service that is started',
@@ -170,7 +193,7 @@ export const aztecStartOptions: { [key: string]: AztecStartOption[] } = {
   'WORLD STATE': [
     configToFlag('--world-state-data-directory', worldStateConfigMappings.worldStateDataDirectory),
     configToFlag('--world-state-db-map-size-kb', worldStateConfigMappings.worldStateDbMapSizeKb),
-    configToFlag('--world-state-block-history', worldStateConfigMappings.worldStateBlockHistory),
+    configToFlag('--world-state-checkpoint-history', worldStateConfigMappings.worldStateCheckpointHistory),
   ],
   // We can't easily auto-generate node options as they're parts of modules defined below
   'AZTEC NODE': [
@@ -222,12 +245,8 @@ export const aztecStartOptions: { [key: string]: AztecStartOption[] } = {
       'proverNode',
       omitConfigMappings(proverNodeConfigMappings, [
         // filter out options passed separately
-        ...getKeys(archiverConfigMappings),
         ...getKeys(proverBrokerConfigMappings),
         ...getKeys(proverAgentConfigMappings),
-        ...getKeys(p2pConfigMappings),
-        ...getKeys(worldStateConfigMappings),
-        ...getKeys(sharedNodeConfigMappings),
       ]),
     ),
   ],

package/src/cli/cli.ts

@@ -39,7 +39,6 @@ Additional commands:
 
   init [folder] [options]  creates a new Aztec Noir project.
   new <path> [options]     creates a new Aztec Noir project in a new directory.
-  compile [options]        compiles Aztec Noir contracts.
   test [options]           starts a TXE and runs "nargo test" using it as the oracle resolver.
     `,
     );

package/src/cli/cmds/compile.ts

@@ -0,0 +1,80 @@
+import type { LogFn } from '@aztec/foundation/log';
+
+import { execFileSync } from 'child_process';
+import type { Command } from 'commander';
+import { readFile, writeFile } from 'fs/promises';
+
+import { readArtifactFiles } from './utils/artifacts.js';
+import { run } from './utils/spawn.js';
+
+/** Returns paths to contract artifacts in the target directory. */
+async function collectContractArtifacts(): Promise<string[]> {
+  let files;
+  try {
+    files = await readArtifactFiles('target');
+  } catch (err: any) {
+    if (err?.message?.includes('does not exist')) {
+      return [];
+    }
+    throw err;
+  }
+  return files.filter(f => Array.isArray(f.content.functions)).map(f => f.filePath);
+}
+
+/** Strips the `__aztec_nr_internals__` prefix from function names in contract artifacts. */
+async function stripInternalPrefixes(artifactPaths: string[]): Promise<void> {
+  for (const path of artifactPaths) {
+    const artifact = JSON.parse(await readFile(path, 'utf-8'));
+    for (const fn of artifact.functions) {
+      if (typeof fn.name === 'string') {
+        fn.name = fn.name.replace(/^__aztec_nr_internals__/, '');
+      }
+    }
+    await writeFile(path, JSON.stringify(artifact, null, 2) + '\n');
+  }
+}
+
+/** Compiles Aztec Noir contracts and postprocesses artifacts. */
+async function compileAztecContract(nargoArgs: string[], log: LogFn): Promise<void> {
+  const nargo = process.env.NARGO ?? 'nargo';
+  const bb = process.env.BB ?? 'bb';
+
+  await run(nargo, ['compile', ...nargoArgs]);
+
+  const artifacts = await collectContractArtifacts();
+
+  if (artifacts.length > 0) {
+    log('Postprocessing contracts...');
+    const bbArgs = artifacts.flatMap(a => ['-i', a]);
+    await run(bb, ['aztec_process', ...bbArgs]);
+
+    // TODO: This should be part of bb aztec_process!
+    await stripInternalPrefixes(artifacts);
+  }
+
+  log('Compilation complete!');
+}
+
+export function injectCompileCommand(program: Command, log: LogFn): Command {
+  program
+    .command('compile')
+    .argument('[nargo-args...]')
+    .passThroughOptions()
+    .allowUnknownOption()
+    .description(
+      'Compile Aztec Noir contracts using nargo and postprocess them to generate transpiled artifacts and verification keys. All options are forwarded to nargo compile.',
+    )
+    .addHelpText('after', () => {
+      // Show nargo's own compile options so users see all available flags in one place.
+      const nargo = process.env.NARGO ?? 'nargo';
+      try {
+        const output = execFileSync(nargo, ['compile', '--help'], { encoding: 'utf-8' });
+        return `\nUnderlying nargo compile options:\n\n${output}`;
+      } catch {
+        return '\n(Run "nargo compile --help" to see available nargo options)';
+      }
+    })
+    .action((nargoArgs: string[]) => compileAztecContract(nargoArgs, log));
+
+  return program;
+}