Merge branch 'merge-train/barretenberg' into claudebox/fix-nightly-bb-debug-build

Author: federicobarbacovi

.claude/skills/merge-trains/SKILL.md

@@ -18,7 +18,7 @@ A merge train is an automated batching system (inspired by [Rust rollups](https:
 | `merge-train/ci` | CI infrastructure / ci3 | `#help-ci` |
 | `merge-train/docs` | Documentation | `#dev-rels` |
 | `merge-train/fairies` | aztec-nr | `#team-fairies` |
-| `merge-train/spartan` | Spartan / infra / yarn-project sequencer and prover orchestration | `#e-team-alpha` |
+| `merge-train/spartan` | Spartan / infra / yarn-project sequencer and prover orchestration | `#team-alpha` |
 
 ## How to Use a Merge Train
 

.github/workflows/aztec-cli-acceptance-test.yml

@@ -24,7 +24,6 @@ jobs:
       (github.event_name == 'workflow_run'
        && github.event.workflow_run.conclusion == 'success'
        && !contains(github.event.workflow_run.head_branch, '-commit.'))
-    timeout-minutes: 30
     env:
       VERSION: ${{ github.event.inputs.version || github.event.workflow_run.head_branch }}
     steps:
@@ -41,6 +40,7 @@ jobs:
           node-version: 22
 
       - name: Run Aztec CLI acceptance test
+        timeout-minutes: 30
         run: ./aztec-up/test/aztec-cli-acceptance-test/run-test.sh
 
       - name: Notify Slack on success
@@ -49,8 +49,9 @@ jobs:
           SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
         run: |
           export CI=1
-          ./ci3/slack_notify "#team-fairies" \
-            "Aztec CLI Acceptance Test passed for version ${VERSION} :white_check_mark:"
+          ./ci3/slack_notify \
+            "Aztec CLI Acceptance Test passed for version ${VERSION} :white_check_mark:" \
+            "#team-fairies"
 
       - name: Notify Slack and dispatch ClaudeBox on failure
         if: failure() && github.event_name != 'workflow_dispatch'

.github/workflows/ci3.yml

@@ -499,6 +499,9 @@ jobs:
   ci-release-publish:
     runs-on: ubuntu-latest
     environment: master
+    permissions:
+      id-token: write
+      contents: read
     needs: [ci, ci-compat-e2e]
     if: |
       startsWith(github.ref, 'refs/tags/v')
@@ -514,10 +517,16 @@ jobs:
         with:
           ref: ${{ github.sha }}
 
+      - name: Configure AWS credentials (OIDC)
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+          aws-region: us-east-2
+          role-session-name: ci3-release-publish-${{ github.run_id }}
+          role-duration-seconds: 21600
+
       - name: Run Release Publish
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           GITHUB_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
           BUILD_INSTANCE_SSH_KEY: ${{ secrets.BUILD_INSTANCE_SSH_KEY }}
           GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}

.github/workflows/deploy-irm.yml

@@ -69,7 +69,7 @@ jobs:
       CLUSTER_NAME: ${{ inputs.cluster }}
       GKE_CLUSTER_CONTEXT: "gke_testnet-440309_us-west1-a_${{ inputs.cluster }}"
       REGION: us-west1-a
-      INFURA_SECRET_NAME: infura-${{ inputs.l1_network }}-url
+      ETHEREUM_HOSTS_SECRET_NAME: irm-ethereum-hosts-${{ inputs.l1_network }}
 
     runs-on: ubuntu-latest
     steps:
@@ -150,4 +150,4 @@ jobs:
           echo "L1 network: ${{ inputs.l1_network }}"
           echo "Image tag: ${IMAGE_TAG}"
 
-          ./spartan/metrics/irm-monitor/scripts/update-monitoring.sh $NAMESPACE $MONITORING_NAMESPACE ${{ inputs.network }} $INFURA_SECRET_NAME
+          ./spartan/metrics/irm-monitor/scripts/update-monitoring.sh $NAMESPACE $MONITORING_NAMESPACE ${{ inputs.network }} $ETHEREUM_HOSTS_SECRET_NAME

.github/workflows/deploy-network.yml

@@ -10,11 +10,11 @@ on:
         required: true
         type: string
       semver:
-        description: "Semver version (e.g., 2.3.4)"
-        required: true
+        description: "Semver version (e.g., 2.3.4). Used to construct docker image if aztec_docker_image is not set."
+        required: false
         type: string
-      docker_image_tag:
-        description: "Full docker image tag (optional, defaults to semver)"
+      aztec_docker_image:
+        description: "Full Aztec docker image (e.g., aztecprotocol/aztec:2.3.4). If not set, constructed from semver."
         required: false
         type: string
       ref:
@@ -50,11 +50,11 @@ on:
           - testnet
           - mainnet
       semver:
-        description: "Semver version (e.g., 2.3.4)"
-        required: true
+        description: "Semver version (e.g., 2.3.4). Used to construct docker image if aztec_docker_image is not set."
+        required: false
         type: string
-      docker_image_tag:
-        description: "Full docker image tag (optional, defaults to semver)"
+      aztec_docker_image:
+        description: "Full Aztec docker image (e.g., aztecprotocol/aztec:2.3.4). If not set, constructed from semver."
         required: false
         type: string
       namespace:
@@ -76,7 +76,7 @@ on:
         type: string
 
 concurrency:
-  group: deploy-network-${{ inputs.network }}-${{ inputs.namespace || inputs.network }}-${{ inputs.semver }}-${{ github.ref || github.ref_name }}
+  group: deploy-network-${{ inputs.network }}-${{ inputs.namespace || inputs.network }}-${{ inputs.aztec_docker_image || inputs.semver }}-${{ github.ref || github.ref_name }}
   cancel-in-progress: true
 
 jobs:
@@ -120,16 +120,33 @@ jobs:
             exit 1
           fi
 
-          # Validate semver format
-          if ! echo "${{ inputs.semver }}" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-.*)?$'; then
-            echo "Error: Invalid semver format '${{ inputs.semver }}'. Expected format: X.Y.Z or X.Y.Z-suffix"
+          # Require at least one of aztec_docker_image or semver
+          if [[ -z "${{ inputs.aztec_docker_image }}" && -z "${{ inputs.semver }}" ]]; then
+            echo "Error: Either 'aztec_docker_image' or 'semver' must be provided"
             exit 1
           fi
 
-          # Extract major version for v2 check
-          major_version="${{ inputs.semver }}"
-          major_version="${major_version%%.*}"
-          echo "MAJOR_VERSION=$major_version" >> $GITHUB_ENV
+          # Validate semver format if provided
+          if [[ -n "${{ inputs.semver }}" ]]; then
+            if ! echo "${{ inputs.semver }}" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-.*)?$'; then
+              echo "Error: Invalid semver format '${{ inputs.semver }}'. Expected format: X.Y.Z or X.Y.Z-suffix"
+              exit 1
+            fi
+          fi
+
+          # Resolve the docker image
+          if [[ -n "${{ inputs.aztec_docker_image }}" ]]; then
+            AZTEC_DOCKER_IMAGE="${{ inputs.aztec_docker_image }}"
+          else
+            AZTEC_DOCKER_IMAGE="aztecprotocol/aztec:${{ inputs.semver }}"
+          fi
+          echo "AZTEC_DOCKER_IMAGE=$AZTEC_DOCKER_IMAGE" >> $GITHUB_ENV
+
+          # Only use the separate prover-agent image for official semver builds;
+          # for custom images, let the deploy script fall back to AZTEC_DOCKER_IMAGE
+          if [[ -n "${{ inputs.semver }}" ]]; then
+            echo "PROVER_AGENT_DOCKER_IMAGE=aztecprotocol/aztec-prover-agent:${{ inputs.semver }}" >> $GITHUB_ENV
+          fi
 
       - name: Store the GCP key in a file
         env:
@@ -174,12 +191,12 @@ jobs:
           RUN_ID: ${{ github.run_id }}
           SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
           GOOGLE_APPLICATION_CREDENTIALS: ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}
-          REF_NAME: "v${{ inputs.semver }}"
+          REF_NAME: ${{ inputs.semver && format('v{0}', inputs.semver) || '' }}
           GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
           NAMESPACE: ${{ inputs.namespace }}
-          AZTEC_DOCKER_IMAGE: "aztecprotocol/aztec:${{ inputs.docker_image_tag || inputs.semver }}"
+          AZTEC_DOCKER_IMAGE: ${{ env.AZTEC_DOCKER_IMAGE }}
           CREATE_ROLLUP_CONTRACTS: ${{ inputs.deploy_contracts == true && 'true' || '' }}
-          PROVER_AGENT_DOCKER_IMAGE: "aztecprotocol/aztec-prover-agent:${{ inputs.docker_image_tag || inputs.semver }}"
+          PROVER_AGENT_DOCKER_IMAGE: ${{ env.PROVER_AGENT_DOCKER_IMAGE || env.AZTEC_DOCKER_IMAGE }}
           VALIDATOR_HA_DOCKER_IMAGE: ${{ inputs.ha_docker_image || '' }}
         run: |
           echo "Deploying network: ${{ inputs.network }}"
@@ -209,7 +226,7 @@ jobs:
             echo "| Item | Value |"
             echo "|------|-------|"
             echo "| Network | \`${{ inputs.network }}\` |"
-            echo "| Semver | \`${{ inputs.semver }}\` |"
+            echo "| Docker Image | \`${{ env.AZTEC_DOCKER_IMAGE }}\` |"
             echo "| Ref | \`${{ steps.checkout-ref.outputs.ref }}\` |"
             if [[ -n "${{ inputs.source_tag }}" ]]; then
               echo "| Source Tag | [\`${{ inputs.source_tag }}\`](https://github.com/${{ github.repository }}/releases/tag/${{ inputs.source_tag }}) |"
@@ -229,7 +246,7 @@ jobs:
 
           CHANNEL="#alerts-${{ inputs.network }}"
           RUN_URL="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-          TEXT="Deploy Network workflow FAILED for *${{ inputs.network }}* (version ${{ inputs.semver }}): <${RUN_URL}|View Run> (🤖)"
+          TEXT="Deploy Network workflow FAILED for *${{ inputs.network }}* (image ${{ env.AZTEC_DOCKER_IMAGE }}): <${RUN_URL}|View Run> (🤖)"
 
           # Post to Slack and capture timestamp for permalink
           RESP=$(curl -sS -X POST https://slack.com/api/chat.postMessage \
@@ -247,11 +264,11 @@ jobs:
           fi
 
           # Dispatch ClaudeBox to investigate the failure
-          PROMPT="Deployment of ${{ inputs.network }} (version ${{ inputs.semver }}) failed. \
+          PROMPT="Deployment of ${{ inputs.network }} (image ${{ env.AZTEC_DOCKER_IMAGE }}) failed. \
           Follow .claude/claudebox/deploy-investigation.md to investigate. \
           GitHub Actions run: ${RUN_URL}. \
-          Network: ${{ inputs.network }}. Version: ${{ inputs.semver }}. \
-          Docker image: ${{ inputs.docker_image_tag || inputs.semver }}. \
+          Network: ${{ inputs.network }}. \
+          Docker image: ${{ env.AZTEC_DOCKER_IMAGE }}. \
           Git ref: ${{ steps.checkout-ref.outputs.ref }}. \
           Namespace: ${{ inputs.namespace || inputs.network }}. \
           Deploy contracts: ${{ inputs.deploy_contracts }}."

.github/workflows/deploy-next-net.yml

@@ -10,7 +10,7 @@ on:
   workflow_dispatch:
     inputs:
       image_tag:
-        description: 'Docker image tag (e.g., 2.3.4, 3.0.0-nightly.20251004-amd64, or leave empty for latest nightly)'
+        description: "Docker image tag (e.g., 2.3.4, 3.0.0-nightly.20251004-amd64, or leave empty for latest nightly)"
         required: false
         type: string
 
@@ -67,6 +67,6 @@ jobs:
     with:
       network: next-net
       semver: ${{ needs.get-image-tag.outputs.semver }}
-      docker_image_tag: ${{ needs.get-image-tag.outputs.tag }}
+      aztec_docker_image: "aztecprotocol/aztec:${{ needs.get-image-tag.outputs.tag }}"
       ref: ${{ github.ref }}
     secrets: inherit

.github/workflows/merge-train-stale-check.yml

@@ -0,0 +1,22 @@
+name: Merge-Train Stale Check
+
+on:
+  schedule:
+    # Daily at 09:15 UTC — once per day, off the round-minute mark.
+    - cron: "15 9 * * *"
+  workflow_dispatch:
+
+jobs:
+  spartan:
+    name: Check merge-train/spartan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - name: Run stale check
+        env:
+          GH_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+        run: ./ci3/merge_train_stale_check merge-train/spartan '#team-alpha'

.test_patterns.yml

@@ -294,6 +294,14 @@ tests:
     owners:
       - *palla
 
+  # tx_stats_bench's 10 TPS sub-test occasionally returns valid:false from a single IVC
+  # verification under heavy concurrency (8 parallel verifiers, each spawning a fresh bb subprocess
+  # via the bb.js NativeUnixSocket backend introduced in #21564). The serial sub-tests pass.
+  - regex: "tx_stats_bench"
+    error_regex: "tx_stats_bench\\.test\\.ts:[0-9]+:[0-9]+"
+    owners:
+      - *charlie
+
   - regex: "src/e2e_token_bridge_tutorial.test.ts"
     error_regex: "Error: Unable to find low leaf for block"
     owners:

SECURITY.md

@@ -33,3 +33,12 @@ If you believe a vulnerability is actively being exploited or has severe impact
 **Use GitHub Issues** to report bugs or issues that are **not** security-sensitive (performance problems, feature requests, etc.):
 
 Keeping normal bugs and feature requests public helps the community track progress and collaborate on fixes, while keeping security issues private helps protect users until a fix is available.
+
+## Vulnerabilities discovered in Aztec Network v4
+
+The following table contains a list of high and critical vulnerabilities discovered internally and through external audits by 11.05.2026
+
+|Severity | Count |
+|----|----|
+| Critical | 8 |
+| High | 7 |

aztec-up/bin/0.0.1/install

@@ -123,13 +123,13 @@ function install_node {
   # Need to install - check if nvm is available
   if [ ! -f "$HOME/.nvm/nvm.sh" ]; then
     echo "Minimum Node.js version $node_min_version not found (got $node_installed_version)."
-    echo "Installation: nvm install --lts && nvm alias default lts/*"
+    echo "Installation: nvm install $node_min_version && nvm alias default $node_min_version"
     exit 1
   fi
 
   . "$HOME/.nvm/nvm.sh"
-  nvm install --lts
-  nvm alias default lts/*
+  nvm install "$node_min_version"
+  nvm alias default "$node_min_version"
 }
 
 function install_versions_file {