@aztec/aztec 0.0.1-commit.fce3e4f → 0.0.1-commit.ffe5b04ea

package/scripts/init.sh

@@ -1,35 +1,39 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-NARGO=${NARGO:-nargo}
 script_path=$(realpath $(dirname "$0"))
 
-for arg in "$@"; do
-  if [ "$arg" == "--help" ] || [ "$arg" == "-h" ]; then
-    cat << 'EOF'
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    --help|-h)
+      cat << 'EOF'
 Aztec Init - Create a new Aztec Noir project in the current directory
 
-Usage: aztec init [OPTIONS]
+Usage: aztec init
 
 Options:
-  --name <NAME>  Name of the package [default: current directory name]
-  --lib          Use a library template
   -h, --help     Print help
 
-This command creates a new Aztec Noir project in the current directory using nargo
-and automatically adds the Aztec.nr dependency to your Nargo.toml file.
+This command creates a new Aztec Noir project in the current directory with
+a workspace containing a contract crate and a test crate, and automatically
+adds the Aztec.nr dependency to both.
 
+If a workspace already exists in the current directory, use
+'aztec new <name>' instead to add another contract.
 EOF
-    exit 0
-  fi
-  if [ "$arg" == "--lib" ]; then
-    is_contract=0
-  fi
+      exit 0
+      ;;
+    *)
+      echo "Error: unexpected argument '$1'"
+      echo "Usage: aztec init"
+      echo "Run 'aztec init --help' for more information"
+      exit 1
+      ;;
+  esac
 done
 
-echo "Initializing Noir project..."
-$NARGO init "$@"
+package_name="$(basename $(pwd))"
 
-if [ "${is_contract:-1}" -eq 1 ]; then
-  $script_path/setup_project.sh
-fi
+echo "Initializing Aztec contract project..."
+$script_path/setup_workspace.sh "$package_name"

package/scripts/new.sh

@@ -1,59 +1,83 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-NARGO=${NARGO:-nargo}
 script_path=$(realpath $(dirname "$0"))
 
-type_arg="--contract"
+project_path=""
 
 while [[ $# -gt 0 ]]; do
   case $1 in
     --help|-h)
       cat << 'EOF'
-Aztec New - Create a new Aztec Noir project in a new directory
+Aztec New - Create a new Aztec Noir project or add a contract to an existing workspace
 
-Usage: aztec new [OPTIONS] <PATH>
+Usage: aztec new <NAME>
 
 Arguments:
-  <PATH>  The path to save the new project
+  <NAME>  The name for the new contract (also used as the directory name when
+          creating a new workspace)
 
 Options:
-  --name <NAME>  Name of the package [default: package directory name]
-  --lib          Create a library template instead of a contract
   -h, --help     Print help
 
-This command creates a new Aztec Noir project using nargo and automatically
-adds the Aztec.nr dependency to your Nargo.toml file.
+When run outside an existing workspace:
+  Creates a new directory with a workspace containing a contract crate and a
+  test crate, and automatically adds the Aztec.nr dependency to both.
+
+When run inside an existing workspace (Nargo.toml with [workspace] exists):
+  Adds a new contract crate and test crate to the existing workspace.
 EOF
       exit 0
       ;;
-    --lib)
-      type_arg="--lib"
-      shift
-      ;;
-    --name)
-      name_arg="--name $2"
-      shift 2
+    -*)
+      echo "Error: unknown option '$1'"
+      echo "Usage: aztec new <NAME>"
+      echo "Run 'aztec new --help' for more information"
+      exit 1
       ;;
     *)
+      if [ -n "$project_path" ]; then
+        echo "Error: unexpected argument '$1'"
+        echo "Usage: aztec new <NAME>"
+        echo "Run 'aztec new --help' for more information"
+        exit 1
+      fi
       project_path=$1
       shift
-      break
       ;;
   esac
 done
 
 if [ -z "$project_path" ]; then
-  echo "Error: PATH argument is required"
-  echo "Usage: aztec new [OPTIONS] <PATH>"
+  echo "Error: NAME argument is required"
+  echo "Usage: aztec new <NAME>"
   echo "Run 'aztec new --help' for more information"
   exit 1
 fi
 
-echo "Creating new Noir project at $project_path..."
-$NARGO new $type_arg ${name_arg:-} $project_path
+package_name="$(basename $project_path)"
+
+# Validate that the name contains only valid Noir identifier characters
+if ! [[ "$package_name" =~ ^[a-zA-Z][a-zA-Z0-9_]*$ ]]; then
+  echo "Error: '$package_name' is not a valid contract name"
+  echo "Name must start with a letter and contain only letters, digits, and underscores"
+  exit 1
+fi
+
+# Check if we're inside an existing workspace
+if [ -f "Nargo.toml" ] && grep -q '\[workspace\]' Nargo.toml; then
+  # Add crate pair to existing workspace
+  echo "Adding contract '$package_name' to existing workspace..."
+  $script_path/add_crate.sh "$package_name"
+else
+  # Create new workspace
+  if [ -d "$project_path" ] && [ "$(ls -A $project_path 2>/dev/null)" ]; then
+    echo "Error: $project_path already exists and is not empty"
+    exit 1
+  fi
 
-if [ "$type_arg" == "--contract" ]; then
-  cd $project_path
-  $script_path/setup_project.sh
+  echo "Creating new Aztec contract project at $project_path..."
+  mkdir -p "$project_path"
+  cd "$project_path"
+  $script_path/setup_workspace.sh "$package_name"
 fi

package/scripts/setup_workspace.sh

@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Creates an Aztec contract workspace with a contract crate and a test crate.
+# Usage: setup_workspace.sh <package_name>
+# Must be called from the workspace root directory.
+
+package_name=$1
+script_path=$(realpath $(dirname "$0"))
+
+if [ -z "$package_name" ]; then
+  echo "Error: package name is required"
+  exit 1
+fi
+
+if [ -f "Nargo.toml" ]; then
+  echo "Error: Nargo.toml already exists in the current directory."
+  echo "To add another contract crate to this workspace, use 'aztec new <name>' instead."
+  exit 1
+fi
+
+# Create workspace root Nargo.toml with empty members (add_crate.sh will populate)
+cat > Nargo.toml << 'EOF'
+[workspace]
+members = []
+EOF
+
+# Create the first crate pair
+$script_path/add_crate.sh "$package_name"
+
+# Create README
+cat > README.md << REOF
+# ${package_name}
+
+An Aztec Noir contract project.
+
+## Compile
+
+\`\`\`bash
+aztec compile
+\`\`\`
+
+This compiles all contract crates and outputs artifacts to \`target/\`.
+
+## Test
+
+\`\`\`bash
+aztec test
+\`\`\`
+
+This runs all tests in the workspace.
+
+## Generate TypeScript bindings
+
+\`\`\`bash
+aztec codegen target -o src/artifacts
+\`\`\`
+
+This generates TypeScript contract artifacts from the compiled output in \`target/\` into \`src/artifacts/\`.
+REOF
+
+# Create .gitignore
+cat > .gitignore << 'GEOF'
+target/
+codegenCache.json
+GEOF
+
+echo "Created Aztec contract workspace with crates '${package_name}_contract' and '${package_name}_test'"

package/src/bin/index.ts

@@ -2,7 +2,8 @@
 //
 import { injectCommands as injectBuilderCommands } from '@aztec/builder';
 import { injectCommands as injectAztecNodeCommands } from '@aztec/cli/aztec_node';
-import { enrichEnvironmentWithChainName, enrichEnvironmentWithNetworkConfig } from '@aztec/cli/config';
+import { enrichEnvironmentWithChainName } from '@aztec/cli/config/chain';
+import { enrichEnvironmentWithNetworkConfig } from '@aztec/cli/config/network';
 import { injectCommands as injectContractCommands } from '@aztec/cli/contracts';
 import { injectCommands as injectInfrastructureCommands } from '@aztec/cli/infrastructure';
 import { injectCommands as injectL1Commands } from '@aztec/cli/l1';
@@ -10,12 +11,16 @@ import { injectCommands as injectMiscCommands } from '@aztec/cli/misc';
 import { injectCommands as injectValidatorKeysCommands } from '@aztec/cli/validator_keys';
 import { getActiveNetworkName } from '@aztec/foundation/config';
 import { createConsoleLogger, createLogger } from '@aztec/foundation/log';
+import { getPackageVersion } from '@aztec/stdlib/update-checker';
 
 import { Command } from 'commander';
 
-import { NETWORK_FLAG } from '../cli/aztec_start_options.js';
+import { injectCompileCommand } from '../cli/cmds/compile.js';
+import { injectMigrateCommand } from '../cli/cmds/migrate_ha_db.js';
+import { injectProfileCommand } from '../cli/cmds/profile.js';
 import { injectAztecCommands } from '../cli/index.js';
-import { getCliVersion } from '../cli/release_version.js';
+
+const NETWORK_FLAG = 'network';
 
 const userLog = createConsoleLogger();
 const debugLogger = createLogger('cli');
@@ -42,9 +47,9 @@ async function main() {
   await enrichEnvironmentWithNetworkConfig(networkName);
   enrichEnvironmentWithChainName(networkName);
 
-  const cliVersion = getCliVersion();
+  const cliVersion = getPackageVersion() ?? 'unknown';
   let program = new Command('aztec');
-  program.description('Aztec command line interface').version(cliVersion);
+  program.description('Aztec command line interface').version(cliVersion).enablePositionalOptions();
   program = injectAztecCommands(program, userLog, debugLogger);
   program = injectBuilderCommands(program);
   program = injectContractCommands(program, userLog, debugLogger);
@@ -53,6 +58,9 @@ async function main() {
   program = injectAztecNodeCommands(program, userLog, debugLogger);
   program = injectMiscCommands(program, userLog);
   program = injectValidatorKeysCommands(program, userLog);
+  program = injectCompileCommand(program, userLog);
+  program = injectProfileCommand(program, userLog);
+  program = injectMigrateCommand(program, userLog);
 
   await program.parseAsync(process.argv);
 }

package/src/cli/admin_api_key_store.ts

@@ -0,0 +1,128 @@
+import { randomBytes } from '@aztec/foundation/crypto/random';
+import { sha256Hash } from '@aztec/foundation/json-rpc/server';
+import type { Logger } from '@aztec/foundation/log';
+
+import { promises as fs } from 'fs';
+import { join } from 'path';
+
+/** Subdirectory under dataDirectory for admin API key storage. */
+const ADMIN_STORE_DIR = 'admin';
+const HASH_FILE_NAME = 'api_key_hash';
+
+/**
+ * Result of resolving the admin API key.
+ * Contains the SHA-256 hex hash of the API key to be used by the auth middleware,
+ * and optionally the raw key when newly generated (so the caller can display it).
+ */
+export interface AdminApiKeyResolution {
+  /** The SHA-256 hash of the API key. */
+  apiKeyHash: Buffer;
+  /**
+   * The raw API key, only present when a new key was generated during this call.
+   * The caller MUST display this to the operator — it will not be stored or returned again.
+   */
+  rawKey?: string;
+}
+
+export interface ResolveAdminApiKeyOptions {
+  /** SHA-256 hex hash of a pre-generated API key. When set, the node uses this hash directly. */
+  adminApiKeyHash?: string;
+  /** If true, disable admin API key auth entirely. */
+  disableAdminApiKey?: boolean;
+  /** If true, force-generate a new key even if one is already persisted. */
+  resetAdminApiKey?: boolean;
+  /** Root data directory for persistent storage. */
+  dataDirectory?: string;
+}
+
+/**
+ * Resolves the admin API key for the admin RPC endpoint.
+ *
+ * Strategy:
+ * 1. If opt-out flag is set (`disableAdminApiKey`), return undefined (no auth).
+ * 2. If a pre-generated hash is provided (`adminApiKeyHash`), use it directly.
+ * 3. If a data directory exists, look for a persisted hash file
+ *    at `<dataDirectory>/admin/api_key_hash`:
+ *    - If `resetAdminApiKey` is set, skip loading and force-generate a new key.
+ *    - Found: use the stored hash (operator already saved the key from first run).
+ *    - Not found: auto-generate a random key, display it once, persist the hash.
+ * 3. If no data directory: generate a random key
+ *    each run and display it (cannot persist).
+ *
+ * @param options - The options for resolving the admin API key.
+ * @param log - Logger for outputting the key and status messages.
+ * @returns The resolved API key hash, or undefined if auth is disabled.
+ */
+export async function resolveAdminApiKey(
+  options: ResolveAdminApiKeyOptions,
+  log: Logger,
+): Promise<AdminApiKeyResolution | undefined> {
+  // Operator explicitly opted out of admin auth
+  if (options.disableAdminApiKey) {
+    log.warn('Admin API key authentication is DISABLED (--disable-admin-api-key / AZTEC_DISABLE_ADMIN_API_KEY)');
+    return undefined;
+  }
+
+  // Operator provided a pre-generated hash (e.g. via AZTEC_ADMIN_API_KEY_HASH env var)
+  if (options.adminApiKeyHash) {
+    const hex = options.adminApiKeyHash.trim();
+    if (hex.length !== 64 || !/^[0-9a-f]{64}$/.test(hex)) {
+      throw new Error(`Invalid admin API key hash: expected 64-char hex string, got "${hex}"`);
+    }
+    log.info('Admin API key authentication enabled (using pre-configured key hash)');
+    return { apiKeyHash: Buffer.from(hex, 'hex') };
+  }
+
+  // Persistent storage available, load or generate key
+  if (options.dataDirectory) {
+    const adminDir = join(options.dataDirectory, ADMIN_STORE_DIR);
+    const hashFilePath = join(adminDir, HASH_FILE_NAME);
+
+    // Unless a reset is forced, try to load the existing hash from disk
+    if (!options.resetAdminApiKey) {
+      try {
+        const storedHash = (await fs.readFile(hashFilePath, 'utf-8')).trim();
+        if (storedHash.length === 64) {
+          log.info('Admin API key authentication enabled (loaded stored key hash from disk)');
+          return { apiKeyHash: Buffer.from(storedHash, 'hex') };
+        }
+        log.warn(`Invalid stored admin API key hash at ${hashFilePath}, regenerating...`);
+      } catch (err: any) {
+        if (err.code !== 'ENOENT') {
+          log.warn(`Failed to read admin API key hash from ${hashFilePath}: ${err.message}`);
+        }
+        // File doesn't exist — fall through to generate
+      }
+    } else {
+      log.warn('Admin API key reset requested — generating a new key');
+    }
+
+    // Generate a new key, persist the hash, and return the raw key for the caller to display
+    const { rawKey, hash } = generateApiKey();
+    await fs.mkdir(adminDir, { recursive: true });
+    await fs.writeFile(hashFilePath, hash.toString('hex'), 'utf-8');
+    // Set restrictive permissions (owner read/write only)
+    await fs.chmod(hashFilePath, 0o600);
+
+    log.info('Admin API key authentication enabled (new key generated and hash persisted to disk)');
+    return { apiKeyHash: hash, rawKey };
+  }
+
+  // No data directory, generate a temporary key per session
+  const { rawKey, hash } = generateApiKey();
+
+  log.warn('No data directory configured — admin API key cannot be persisted.');
+  log.warn('A temporary key has been generated for this session only.');
+
+  return { apiKeyHash: hash, rawKey };
+}
+
+/**
+ * Generates a cryptographically random API key and its SHA-256 hash.
+ * @returns The raw key (hex string) and its SHA-256 hash as a Buffer.
+ */
+function generateApiKey(): { rawKey: string; hash: Buffer } {
+  const rawKey = randomBytes(32).toString('hex');
+  const hash = sha256Hash(rawKey);
+  return { rawKey, hash };
+}

package/src/cli/aztec_start_action.ts

@@ -1,17 +1,20 @@
+import { getActiveNetworkName } from '@aztec/foundation/config';
 import {
   type NamespacedApiHandlers,
   createNamespacedSafeJsonRpcServer,
+  getApiKeyAuthMiddleware,
   startHttpRpcServer,
 } from '@aztec/foundation/json-rpc/server';
 import type { LogFn, Logger } from '@aztec/foundation/log';
 import type { ChainConfig } from '@aztec/stdlib/config';
 import { AztecNodeApiSchema } from '@aztec/stdlib/interfaces/client';
+import { getPackageVersion } from '@aztec/stdlib/update-checker';
 import { getVersioningMiddleware } from '@aztec/stdlib/versioning';
 import { getOtelJsonRpcPropagationMiddleware } from '@aztec/telemetry-client';
 
 import { createLocalNetwork } from '../local-network/index.js';
 import { github, splash } from '../splash.js';
-import { getCliVersion } from './release_version.js';
+import { resolveAdminApiKey } from './admin_api_key_store.js';
 import { extractNamespacedOptions, installSignalHandlers } from './util.js';
 import { getVersions } from './versioning.js';
 
@@ -23,7 +26,7 @@ export async function aztecStart(options: any, userLog: LogFn, debugLogger: Logg
   let config: ChainConfig | undefined = undefined;
 
   if (options.localNetwork) {
-    const cliVersion = getCliVersion();
+    const cliVersion = getPackageVersion() ?? 'unknown';
     const localNetwork = extractNamespacedOptions(options, 'local-network');
     localNetwork.testAccounts = true;
     userLog(`${splash}\n${github}\n\n`);
@@ -33,9 +36,13 @@ export async function aztecStart(options: any, userLog: LogFn, debugLogger: Logg
       {
         l1Mnemonic: localNetwork.l1Mnemonic,
         l1RpcUrls: options.l1RpcUrls,
-        deployAztecContractsSalt: localNetwork.deployAztecContractsSalt,
         testAccounts: localNetwork.testAccounts,
         realProofs: false,
+        // Setting the epoch duration to 2 by default for local network. This allows the epoch to be "proven" faster, so
+        // the users can consume out hash without having to wait for a long time.
+        // Note: We are not proving anything in the local network (realProofs == false). But in `createLocalNetwork`,
+        // the EpochTestSettler will set the out hash to the outbox when an epoch is complete.
+        aztecEpochDuration: 2,
       },
       userLog,
     );
@@ -44,18 +51,18 @@ export async function aztecStart(options: any, userLog: LogFn, debugLogger: Logg
     signalHandlers.push(stop);
     services.node = [node, AztecNodeApiSchema];
   } else {
+    // Route --prover-node through startNode
+    if (options.proverNode && !options.node) {
+      options.node = true;
+    }
+
     if (options.node) {
       const { startNode } = await import('./cmds/start_node.js');
-      ({ config } = await startNode(options, signalHandlers, services, adminServices, userLog));
+      const networkName = getActiveNetworkName(options.network);
+      ({ config } = await startNode(options, signalHandlers, services, adminServices, userLog, networkName));
     } else if (options.bot) {
       const { startBot } = await import('./cmds/start_bot.js');
       await startBot(options, signalHandlers, services, userLog);
-    } else if (options.proverNode) {
-      const { startProverNode } = await import('./cmds/start_prover_node.js');
-      ({ config } = await startProverNode(options, signalHandlers, services, userLog));
-    } else if (options.blobSink) {
-      const { startBlobSink } = await import('./cmds/start_blob_sink.js');
-      await startBlobSink(options, signalHandlers, userLog);
     } else if (options.archiver) {
       const { startArchiver } = await import('./cmds/start_archiver.js');
       ({ config } = await startArchiver(options, signalHandlers, services));
@@ -98,14 +105,54 @@ export async function aztecStart(options: any, userLog: LogFn, debugLogger: Logg
 
   // If there are any admin services, start a separate JSON-RPC server for them
   if (Object.entries(adminServices).length > 0) {
+    const adminMiddlewares = [getOtelJsonRpcPropagationMiddleware(), getVersioningMiddleware(versions)];
+
+    // Resolve the admin API key (auto-generated and persisted, or opt-out)
+    const apiKeyResolution = await resolveAdminApiKey(
+      {
+        adminApiKeyHash: options.adminApiKeyHash,
+        disableAdminApiKey: options.disableAdminApiKey,
+        resetAdminApiKey: options.resetAdminApiKey,
+        dataDirectory: options.dataDirectory,
+      },
+      debugLogger,
+    );
+    if (apiKeyResolution) {
+      adminMiddlewares.unshift(getApiKeyAuthMiddleware(apiKeyResolution.apiKeyHash));
+    } else {
+      debugLogger.warn('No admin API key set — admin endpoint is unauthenticated');
+    }
+
     const rpcServer = createNamespacedSafeJsonRpcServer(adminServices, {
       http200OnError: false,
       log: debugLogger,
-      middlewares: [getOtelJsonRpcPropagationMiddleware(), getVersioningMiddleware(versions)],
+      middlewares: adminMiddlewares,
       maxBatchSize: options.rpcMaxBatchSize,
       maxBodySizeBytes: options.rpcMaxBodySize,
     });
     const { port } = await startHttpRpcServer(rpcServer, { port: options.adminPort });
     debugLogger.info(`Aztec Server admin API listening on port ${port}`, versions);
+
+    // Display the API key after the server has started
+    // Uses userLog which is never filtered by LOG_LEVEL.
+    if (apiKeyResolution?.rawKey) {
+      const separator = '='.repeat(70);
+      userLog('');
+      userLog(separator);
+      userLog('  ADMIN API KEY (save this — it will NOT be shown again)');
+      userLog('');
+      userLog(`  ${apiKeyResolution.rawKey}`);
+      userLog('');
+      userLog(`  Use via header:  x-api-key: <key>`);
+      userLog(`  Or via header:   Authorization: Bearer <key>`);
+      if (options.dataDirectory) {
+        userLog('');
+        userLog('  The key hash has been persisted — on next restart, the same key will be used.');
+      }
+      userLog('');
+      userLog('  To disable admin auth: --disable-admin-api-key or AZTEC_DISABLE_ADMIN_API_KEY=true');
+      userLog(separator);
+      userLog('');
+    }
   }
 }