feat: merge-train/spartan (#20675)

BEGIN_COMMIT_OVERRIDE
fix: flag stripping error (#20655)
chore: encode LOG_LEVEL (#20678)
chore: HA setup metrics (#20400)
chore: (A-544) reimplement tx dropping for testing (#20651)
chore(e2e): reload keystore with HA setup (#20685)
feat: adding mempool transactions (#20679)
feat: run low priority eviction rule on chain_pruned (#20687)
feat(ci): add ci-network-bench label for spartan benchmarks (#20698)
END_COMMIT_OVERRIDE

Author: AztecBot

.github/workflows/ci3.yml

@@ -238,6 +238,103 @@ jobs:
               --data "$data"
           fi
 
+  # Spartan network benchmarks triggered on-demand from a PR label.
+  # Runs TPS and proving benchmarks in parallel, uploads results to a PR-specific
+  # path on the benchmark dashboard so nightly (bench/next) is never affected.
+  # One-time use: label is removed after the job runs.
+  ci-network-bench:
+    name: ${{ matrix.bench_type }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - bench_type: benchmark
+            ci3_cmd: network-bench
+            scenario: tps-scenario
+            namespace_suffix: bench
+            download_cmd: gh-spartan-bench
+            timeout: 300
+          - bench_type: proving-benchmark
+            ci3_cmd: network-proving-bench
+            scenario: prove-n-tps-fake
+            namespace_suffix: proving-bench
+            download_cmd: gh-spartan-proving-bench
+            timeout: 240
+    needs: ci
+    if: github.event.pull_request.head.repo.fork != true && github.event.pull_request.draft == false && contains(github.event.pull_request.labels.*.name, 'ci-network-bench') && (needs.ci.result == 'success' || needs.ci.result == 'skipped')
+    steps:
+      - name: Remove label (one-time use)
+        env:
+          GH_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+        run: gh pr edit ${{ github.event.pull_request.number }} --remove-label ci-network-bench --repo ${{ github.repository }} || true
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
+
+      - name: Run Network Benchmarks
+        timeout-minutes: ${{ matrix.timeout }}
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          GITHUB_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+          BUILD_INSTANCE_SSH_KEY: ${{ secrets.BUILD_INSTANCE_SSH_KEY }}
+          GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}
+          GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
+          # For pushing docker images built from the PR
+          DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
+          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+          RUN_ID: ${{ github.run_id }}
+          AWS_SHUTDOWN_TIME: ${{ matrix.timeout }}
+          NO_SPOT: 1
+        run: |
+          namespace=pr-${{ github.event.pull_request.number }}-${{ matrix.namespace_suffix }}
+          echo "NAMESPACE=$namespace" >> $GITHUB_ENV
+          set -x
+          ./.github/ci3.sh ${{ matrix.ci3_cmd }} ${{ matrix.scenario }} "$namespace"
+
+      - name: Cleanup network resources
+        if: always()
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          GITHUB_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+          BUILD_INSTANCE_SSH_KEY: ${{ secrets.BUILD_INSTANCE_SSH_KEY }}
+          GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}
+          GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
+          NO_SPOT: 1
+        run: ./.github/ci3.sh network-teardown ${{ matrix.scenario }} "${NAMESPACE}" || true
+
+      - name: Download benchmarks
+        if: always()
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        run: |
+          if ./ci.sh ${{ matrix.download_cmd }}; then
+            echo "ENABLE_DEPLOY_BENCH=1" >> $GITHUB_ENV
+          fi
+
+      - name: Upload benchmarks
+        if: always() && env.ENABLE_DEPLOY_BENCH == '1'
+        uses: benchmark-action/github-action-benchmark@4de1bed97a47495fc4c5404952da0499e31f5c29
+        with:
+          name: Spartan
+          benchmark-data-dir-path: "bench/pr-${{ github.event.pull_request.number }}"
+          tool: "customSmallerIsBetter"
+          output-file-path: ./bench-out/bench.json
+          gh-repository: github.com/AztecProtocol/benchmark-page-data
+          github-token: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+          auto-push: true
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
+          alert-threshold: "120%"
+          comment-on-alert: false
+          fail-on-alert: false
+          max-items-in-chart: 100
+
   # KIND-based e2e tests that run on a local Kubernetes cluster.
   # One-time use: label is removed after the job runs.
   ci-network-kind:

docs/docs-operate/operators/reference/changelog/v4.md

@@ -119,13 +119,13 @@ The admin JSON-RPC endpoint now supports auto-generated API key authentication.
 
 ```bash
 --admin-api-key-hash <hex>                 ($AZTEC_ADMIN_API_KEY_HASH)    # Use a pre-generated SHA-256 key hash
---no-admin-api-key                         ($AZTEC_NO_ADMIN_API_KEY)      # Disable auth entirely
+--disable-admin-api-key                    ($AZTEC_DISABLE_ADMIN_API_KEY) # Disable auth entirely
 --reset-admin-api-key                      ($AZTEC_RESET_ADMIN_API_KEY)   # Force key regeneration
 ```
 
-**Helm charts**: Admin API key auth is disabled by default (`noAdminApiKey: true`). Set to `false` in production values to enable.
+**Helm charts**: Admin API key auth is disabled by default (`disableAdminApiKey: true`). Set to `false` in production values to enable.
 
-**Migration**: No action required — auth is opt-out. To enable, ensure `--no-admin-api-key` is not set and note the key printed at startup.
+**Migration**: No action required — auth is opt-out. To enable, ensure `--disable-admin-api-key` is not set and note the key printed at startup.
 
 ### Transaction pool error codes for RPC callers
 

release-image/bootstrap.sh

@@ -160,8 +160,12 @@ function push_pr {
   echo $DOCKERHUB_PASSWORD | docker login -u ${DOCKERHUB_USERNAME:-aztecprotocolci} --password-stdin
   docker tag aztecprotocol/aztec:$COMMIT_HASH aztecprotocol/aztecdev:$COMMIT_HASH
   do_or_dryrun docker push aztecprotocol/aztecdev:$COMMIT_HASH
-  docker tag aztecprotocol/aztec-prover-agent:$COMMIT_HASH aztecprotocol/aztec-prover-agent-dev:$COMMIT_HASH
-  do_or_dryrun docker push aztecprotocol/aztec-prover-agent-dev:$COMMIT_HASH
+  # Best-effort: push prover-agent image if available.
+  if docker tag aztecprotocol/aztec-prover-agent:$COMMIT_HASH aztecprotocol/aztec-prover-agent-dev:$COMMIT_HASH 2>/dev/null; then
+    do_or_dryrun docker push aztecprotocol/aztec-prover-agent-dev:$COMMIT_HASH || echo "Warning: failed to push prover-agent-dev image, continuing."
+  else
+    echo "Warning: prover-agent image not found locally, skipping push."
+  fi
 }
 
 case "$cmd" in

spartan/aztec-node/templates/_pod-template.yaml

@@ -193,8 +193,8 @@ spec:
         {{- if .Values.node.adminApiKeyHash }}
         - name: AZTEC_ADMIN_API_KEY_HASH
           value: {{ .Values.node.adminApiKeyHash | quote }}
-        {{- else if .Values.node.noAdminApiKey }}
-        - name: AZTEC_NO_ADMIN_API_KEY
+        {{- else if .Values.node.disableAdminApiKey }}
+        - name: AZTEC_DISABLE_ADMIN_API_KEY
           value: "true"
         {{- end }}
         - name: LOG_LEVEL

spartan/aztec-node/values.yaml

@@ -106,7 +106,7 @@ node:
 
   # -- Disable admin API key authentication.
   # Set to false in production to enable API key auth.
-  noAdminApiKey: true
+  disableAdminApiKey: true
 
   # the address that will receive block or proof rewards
   coinbase:

spartan/aztec-validator/values.yaml

@@ -26,7 +26,7 @@ validator:
 
   node:
     # Set to false in production to enable API key auth.
-    noAdminApiKey: true
+    disableAdminApiKey: true
     configMap:
       envEnabled: true
     secret:

spartan/environments/tps-scenario.env

@@ -78,7 +78,6 @@ PROVER_L1_PRIORITY_FEE_RETRY_BUMP_PERCENTAGE=0
 
 # Enable latency mesaruement for p2p messages
 DEBUG_P2P_INSTRUMENT_MESSAGES=true
-P2P_DROP_TX=true
 P2P_DROP_TX_CHANCE=0.2
 
 # Inject artificial delay of proof verification for all nodes