feat: merge-train/spartan

.claude/bootstrap.sh

@@ -4,7 +4,9 @@
 # `test`. Keeps hook scripts and their tests as a self-contained component.
 source $(git rev-parse --show-toplevel)/ci3/source_bootstrap
 
-hash=$(cache_content_hash ^.claude)
+# Hash everything agents_symlink_test inspects, not just .claude/: the .codex mirrors and the root
+# AGENTS.md/CLAUDE.md symlinks live outside .claude/, so a change there must still rerun the test.
+hash=$(cache_content_hash "^.*.claude" "^.*.codex" "^AGENTS.md" "^CLAUDE.md")
 
 function test_cmds {
   # source_base cd's us into .claude/, so glob relative-to-here, but emit paths

.claude/tests/agents_symlink_test

@@ -82,17 +82,43 @@ while IFS= read -r dir; do
     "$ROOT"/noir/noir-repo/*) continue;;
   esac
   codex="$(dirname "$dir")/.codex"
-  if [[ ! -L "$codex" ]]; then
-    fail "${codex#$ROOT/} is missing or is not a symlink to .claude"
+  rel=${codex#$ROOT/}
+  # A .codex may either be a symlink to its sibling .claude (the repo root keeps this form), or a
+  # real directory whose immediate children symlink into .claude (the per-package form, required
+  # because a sandbox cannot bind-mount a path that is itself a symlink). Either way Codex must see
+  # exactly the same contents as .claude.
+  if [[ -L "$codex" ]]; then
+    resolved=$(cd "$(dirname "$codex")" && cd "$(readlink "$codex")" 2>/dev/null && pwd -P) || resolved=""
+    claude_resolved=$(cd "$dir" && pwd -P)
+    if [[ "$resolved" != "$claude_resolved" ]]; then
+      fail "$rel is a symlink to ${resolved:-?}, expected its sibling .claude ($claude_resolved)"
+    else
+      pass "$rel -> .claude"
+    fi
     continue
   fi
-  resolved=$(cd "$(dirname "$codex")" && cd "$(readlink "$codex")" 2>/dev/null && pwd -P) || resolved=""
-  claude_resolved=$(cd "$dir" && pwd -P)
-  if [[ "$resolved" != "$claude_resolved" ]]; then
-    fail "${codex#$ROOT/} resolves to $resolved, expected $claude_resolved"
+  if [[ ! -d "$codex" ]]; then
+    fail "$rel is missing (expected a directory mirroring .claude via child symlinks)"
     continue
   fi
-  pass "${codex#$ROOT/}"
+  codex_ok=1
+  # Forward: every entry in .claude must have a matching symlink in .codex.
+  while IFS= read -r child; do
+    name=$(basename "$child")
+    if [[ ! -L "$codex/$name" || ! "$codex/$name" -ef "$child" ]]; then
+      fail "$rel/$name should be a symlink to ../.claude/$name"
+      codex_ok=0
+    fi
+  done < <(find "$dir" -mindepth 1 -maxdepth 1)
+  # Reverse: every entry in .codex must correspond to a .claude entry (no stale or dangling links).
+  while IFS= read -r entry; do
+    name=$(basename "$entry")
+    if [[ ! -e "$dir/$name" && ! -L "$dir/$name" ]]; then
+      fail "$rel/$name is stale; no matching .claude/$name"
+      codex_ok=0
+    fi
+  done < <(find "$codex" -mindepth 1 -maxdepth 1)
+  (( codex_ok )) && pass "$rel"
 done < <(find "$ROOT" -type d -name .claude -not -path "$ROOT/noir/*" -not -path "$ROOT/**/node_modules/*")
 
 echo

.github/workflows/deploy-network.yml

@@ -111,7 +111,9 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           ref: ${{ steps.checkout-ref.outputs.ref }}
-          fetch-depth: 1
+          # Full history so recursive submodules can checkout pinned commits (not only branch tips).
+          fetch-depth: 0
+          lfs: true
           persist-credentials: false
           submodules: recursive # Initialize git submodules for l1-contracts dependencies
 

.github/workflows/nightly-bench-10tps.yml

@@ -80,7 +80,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
-          ref: next
+          ref: ${{ github.sha }}
 
       - name: Authenticate to Google Cloud
         uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f
@@ -108,7 +108,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
-          ref: next
+          ref: ${{ github.sha }}
 
       - name: Run 10 TPS benchmark
         timeout-minutes: 240

.github/workflows/weekly-proving-bench.yml

@@ -71,7 +71,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
-          ref: next
+          ref: ${{ github.sha }}
 
       - name: Authenticate to Google Cloud
         uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f

.test_patterns.yml

@@ -379,20 +379,6 @@ tests:
     owners:
       - *spyros
 
-  # Multi-validator web3signer suite is unstable under proposer pipelining:
-  # two distinct failure modes have been seen in the same "should build blocks
-  # & attest with multiple validator keys" case — Promise.all index-0
-  # waitForTx aborting with "Tx dropped by P2P node"
-  # (ci.aztec-labs.com/9a5fa90aa18f62e7), and the proposer missing the slot's
-  # 5-attestation deadline ("AttestationTimeoutError" / "Block .* not found .*
-  # reorg") on PR #23344 run 26370196367 (ci.aztec-labs.com/b91d3218b5e88ae4).
-  # Error-regex flake matches still let ci3 retry-and-fail both attempts. Skip
-  # outright on merge-train/spartan until proposer pipelining stabilises.
-  - regex: "yarn-project/end-to-end/scripts/run_test.sh web3signer src/composed/web3signer/e2e_multi_validator_node_key_store.test.ts"
-    skip: true
-    owners:
-      - *palla
-
   # http://ci.aztec-labs.com/98d59d04f85223f8
   # Build-cache flake: module not found during Jest startup
   - regex: "src/e2e_sequencer/gov_proposal.parallel.test.ts"

barretenberg/.codex/agents

@@ -0,0 +1 @@
+../.claude/agents

barretenberg/.codex/skills

@@ -0,0 +1 @@
+../.claude/skills

barretenberg/cpp/.codex/agents

@@ -0,0 +1 @@
+../.claude/agents

barretenberg/ts/src/bb_backends/node/platform.ts

@@ -83,7 +83,8 @@ export function detectPlatform(): Platform | null {
  *
  * Search order:
  * 1. If customPath is provided and exists, return it
- * 2. Otherwise search in <package-root>/build/<platform>/bb
+ * 2. If BB_BINARY_PATH is set and exists, return it
+ * 3. Otherwise search in <package-root>/build/<platform>/bb
  */
 export function findBbBinary(customPath?: string): string | null {
   // Check custom path first if provided
@@ -95,6 +96,14 @@ export function findBbBinary(customPath?: string): string | null {
     return null;
   }
 
+  const envPath = process.env.BB_BINARY_PATH;
+  if (envPath) {
+    if (fs.existsSync(envPath)) {
+      return path.resolve(envPath);
+    }
+    return null;
+  }
+
   // Automatic detection
   const platform = detectPlatform();
   if (!platform) {

ci3/bootstrap_ec2

@@ -83,6 +83,7 @@ else
 fi
 
 [ -n "${INSTANCE_POSTFIX:-}" ] && instance_name+="_$INSTANCE_POSTFIX"
+docker_hostname=$(echo -n "$instance_name" | tr '_' '-' | cut -c 1-63)
 
 if [ "$use_ssh" -eq 1 ]; then
   echo_header "request build instance (SSH)"
@@ -298,7 +299,7 @@ start_build() {
 
   docker run --privileged --rm \${docker_args:-} \
     --name aztec_build \
-    --hostname $instance_name \
+    --hostname $docker_hostname \
     -v bootstrap_ci_local_docker:/var/lib/docker \
     -v bootstrap_ci_repo:/home/aztec-dev/aztec-packages \
     -v \$HOME/.ssh:/home/aztec-dev/.ssh:ro \

docs/.codex/agents

@@ -0,0 +1 @@
+../.claude/agents

docs/.codex/commands

@@ -0,0 +1 @@
+../.claude/commands

spartan/aztec-postgres/templates/statefulset.yaml

@@ -18,6 +18,10 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name }}
         app.kubernetes.io/component: {{ .Values.component | default .Chart.Name }}
     spec:
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: postgres
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"

spartan/aztec-postgres/values.yaml

@@ -28,3 +28,5 @@ persistence:
 
 service:
   port: 5432
+
+nodeSelector: {}

spartan/environments/mainnet.env

@@ -12,7 +12,8 @@ VERIFY_CONTRACTS=false
 DEPLOY_INTERNAL_BOOTNODE=false
 VALIDATOR_REPLICAS=0
 RPC_REPLICAS=1
-PROVER_REPLICAS=4
+PROVER_REPLICAS=0
+PROVER_ENABLED=false
 
 CREATE_RPC_INGRESS=true
 CREATE_RPC_DNS=true

spartan/environments/next-net.env

@@ -44,13 +44,14 @@ AZTEC_LAG_IN_EPOCHS_FOR_VALIDATOR_SET=2
 AZTEC_LAG_IN_EPOCHS_FOR_RANDAO=2
 AZTEC_INBOX_LAG=2
 
-VALIDATOR_REPLICAS=4
-VALIDATORS_PER_NODE=12
+VALIDATOR_REPLICAS=2
+VALIDATORS_PER_NODE=24
 VALIDATOR_PUBLISHERS_PER_REPLICA=4
 VALIDATOR_PUBLISHER_MNEMONIC_START_INDEX=5000
 
 PUBLISHERS_PER_PROVER=2
 PROVER_PUBLISHER_MNEMONIC_START_INDEX=8000
+PROVER_REPLICAS=4
 
 BOT_TRANSFERS_REPLICAS=1
 BOT_TRANSFERS_TX_INTERVAL_SECONDS=250

spartan/environments/prove-n-tps-fake.env

@@ -22,8 +22,8 @@ FUNDING_PRIVATE_KEY="0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf
 
 OTEL_COLLECTOR_ENDPOINT=REPLACE_WITH_GCP_SECRET
 
-VALIDATOR_REPLICAS=4
-VALIDATORS_PER_NODE=12
+VALIDATOR_REPLICAS=2
+VALIDATORS_PER_NODE=24
 VALIDATOR_PUBLISHERS_PER_REPLICA=4
 VALIDATOR_PUBLISHER_MNEMONIC_START_INDEX=5000
 

spartan/environments/prove-n-tps-real.env

@@ -22,8 +22,8 @@ FUNDING_PRIVATE_KEY="0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf
 
 OTEL_COLLECTOR_ENDPOINT=REPLACE_WITH_GCP_SECRET
 
-VALIDATOR_REPLICAS=4
-VALIDATORS_PER_NODE=12
+VALIDATOR_REPLICAS=2
+VALIDATORS_PER_NODE=24
 VALIDATOR_PUBLISHERS_PER_REPLICA=4
 VALIDATOR_PUBLISHER_MNEMONIC_START_INDEX=5000
 

spartan/environments/staging-public.env

@@ -47,11 +47,11 @@ CREATE_ROLLUP_CONTRACTS=${CREATE_ROLLUP_CONTRACTS:-false}
 P2P_TX_POOL_DELETE_TXS_AFTER_REORG=true
 
 VALIDATOR_REPLICAS=2
-VALIDATORS_PER_NODE=64
+VALIDATORS_PER_NODE=128
 VALIDATOR_PUBLISHERS_PER_REPLICA=4
 VALIDATOR_PUBLISHER_MNEMONIC_START_INDEX=5000
 VALIDATOR_HA_REPLICAS=1
-VALIDATOR_HA_REPLICA_COUNT=4
+VALIDATOR_HA_REPLICA_COUNT=1
 VALIDATOR_RESOURCE_PROFILE="prod"
 
 PROVER_FAILED_PROOF_STORE=gs://aztec-develop/staging-public/failed-proofs

spartan/environments/testnet.env

@@ -76,8 +76,8 @@ RPC_INGRESS_STATIC_IP_NAME=testnet-rpc-ip
 RPC_INGRESS_SSL_CERT_NAMES='["testnet-rpc-cert"]'
 
 
-VALIDATOR_REPLICAS=4
-VALIDATORS_PER_NODE=64
+VALIDATOR_REPLICAS=2
+VALIDATORS_PER_NODE=128
 VALIDATOR_PUBLISHERS_PER_REPLICA=8
 VALIDATOR_PUBLISHER_MNEMONIC_START_INDEX=5000
 VALIDATOR_HA_REPLICAS=1

spartan/scripts/deploy_network.sh

@@ -131,6 +131,7 @@ AZTEC_EPOCHS_LAG=${AZTEC_EPOCHS_LAG:-}
 SEQ_ENFORCE_TIME_TABLE=${SEQ_ENFORCE_TIME_TABLE:-}
 SEQ_SKIP_CHECKPOINT_PUBLISH_PERCENT=${SEQ_SKIP_CHECKPOINT_PUBLISH_PERCENT:-0}
 PROVER_REPLICAS=${PROVER_REPLICAS:-4}
+PROVER_ENABLED=${PROVER_ENABLED:-true}
 PROVER_AGENTS_PER_PROVER=${PROVER_AGENTS_PER_PROVER:-1}
 R2_ACCESS_KEY_ID=${R2_ACCESS_KEY_ID:-}
 R2_SECRET_ACCESS_KEY=${R2_SECRET_ACCESS_KEY:-}
@@ -649,6 +650,7 @@ PROVER_PROOF_STORE = "${PROVER_PROOF_STORE:-}"
 PROVER_BROKER_DEBUG_REPLAY_ENABLED = ${PROVER_BROKER_DEBUG_REPLAY_ENABLED:-false}
 DEPLOY_ARCHIVAL_NODE = ${DEPLOY_ARCHIVAL_NODE}
 PROVER_REPLICAS = ${PROVER_REPLICAS}
+PROVER_ENABLED = ${PROVER_ENABLED}
 
 PROVER_TEST_DELAY_TYPE = "${PROVER_TEST_DELAY_TYPE}"
 PROVER_TEST_VERIFICATION_DELAY_MS = ${PROVER_TEST_VERIFICATION_DELAY_MS}

spartan/scripts/install_deps.sh

@@ -134,6 +134,19 @@ if ! command -v cast &> /dev/null; then
   sudo chmod +x /usr/local/bin/cast
 fi
 
+TERRAFORM_VERSION="1.7.5"
+if ! command -v terraform &> /dev/null; then
+  log "Installing terraform ${TERRAFORM_VERSION}..."
+  tf_os="$(os)"
+  if [ "$tf_os" = "macos" ]; then
+    tf_os="darwin"
+  fi
+  curl -fsSL "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_${tf_os}_$(arch).zip" -o terraform.zip
+  unzip -qo terraform.zip
+  sudo mv terraform /usr/local/bin/terraform
+  rm terraform.zip
+fi
+
 require_cmd git
 require_cmd kubectl
 require_cmd terraform

spartan/scripts/source_network_env.sh

@@ -24,6 +24,15 @@ function source_network_env {
       if grep -q "REPLACE_WITH_GCP_SECRET" "$env_file" && command -v gcloud &> /dev/null; then
         echo "Environment file contains GCP secret placeholders. Processing secrets..."
 
+        # Activate GCP credentials before Secret Manager reads (same order as network_deploy.sh).
+        if declare -f gcp_auth >/dev/null 2>&1; then
+          gcp_auth
+        else
+          # shellcheck source=scripts/gcp_auth.sh
+          source "$spartan/scripts/gcp_auth.sh"
+          gcp_auth
+        fi
+
         # Process GCP secrets
         source $spartan/scripts/setup_gcp_secrets.sh "$env_file"
 

spartan/terraform/deploy-aztec-infra/main.tf

@@ -317,7 +317,7 @@ locals {
       wait                 = true
     } : null
 
-    prover = {
+    prover = var.PROVER_ENABLED ? {
       name  = "${var.RELEASE_PREFIX}-prover"
       chart = "aztec-prover-stack"
       values = [
@@ -410,7 +410,7 @@ locals {
       boot_node_host_path  = "node.node.env.BOOT_NODE_HOST"
       bootstrap_nodes_path = "node.node.env.BOOTSTRAP_NODES"
       wait                 = var.WAIT_FOR_PROVER_DEPLOY
-    }
+    } : null
 
     rpc = {
       name  = "${var.RELEASE_PREFIX}-rpc"

spartan/terraform/deploy-aztec-infra/variables.tf

@@ -264,6 +264,12 @@ variable "PROVER_REPLICAS" {
   default     = 4
 }
 
+variable "PROVER_ENABLED" {
+  description = "Whether to deploy the prover stack"
+  type        = bool
+  default     = true
+}
+
 variable "PROVER_TEST_DELAY_TYPE" {
   description = "The type of test delay to introduce in the prover (fixed, realistic)"
   type        = string