AztecProtocol · alexghr · Feb 19, 2026 · Feb 18, 2026
diff --git a/docs/docs-operate/operators/reference/changelog/v4.md b/docs/docs-operate/operators/reference/changelog/v4.md
@@ -119,13 +119,13 @@ The admin JSON-RPC endpoint now supports auto-generated API key authentication.
 
 ```bash
 --admin-api-key-hash <hex>                 ($AZTEC_ADMIN_API_KEY_HASH)    # Use a pre-generated SHA-256 key hash
---no-admin-api-key                         ($AZTEC_NO_ADMIN_API_KEY)      # Disable auth entirely
+--disable-admin-api-key                    ($AZTEC_DISABLE_ADMIN_API_KEY) # Disable auth entirely
 --reset-admin-api-key                      ($AZTEC_RESET_ADMIN_API_KEY)   # Force key regeneration
 ```
 
-**Helm charts**: Admin API key auth is disabled by default (`noAdminApiKey: true`). Set to `false` in production values to enable.
+**Helm charts**: Admin API key auth is disabled by default (`disableAdminApiKey: true`). Set to `false` in production values to enable.
 
-**Migration**: No action required — auth is opt-out. To enable, ensure `--no-admin-api-key` is not set and note the key printed at startup.
+**Migration**: No action required — auth is opt-out. To enable, ensure `--disable-admin-api-key` is not set and note the key printed at startup.
 
 ### Transaction pool error codes for RPC callers
 

@@ -160,8 +160,12 @@ function push_pr {
   echo $DOCKERHUB_PASSWORD | docker login -u ${DOCKERHUB_USERNAME:-aztecprotocolci} --password-stdin
   docker tag aztecprotocol/aztec:$COMMIT_HASH aztecprotocol/aztecdev:$COMMIT_HASH
   do_or_dryrun docker push aztecprotocol/aztecdev:$COMMIT_HASH
-  docker tag aztecprotocol/aztec-prover-agent:$COMMIT_HASH aztecprotocol/aztec-prover-agent-dev:$COMMIT_HASH
-  do_or_dryrun docker push aztecprotocol/aztec-prover-agent-dev:$COMMIT_HASH
+  # Best-effort: push prover-agent image if available.
+  if docker tag aztecprotocol/aztec-prover-agent:$COMMIT_HASH aztecprotocol/aztec-prover-agent-dev:$COMMIT_HASH 2>/dev/null; then
+    do_or_dryrun docker push aztecprotocol/aztec-prover-agent-dev:$COMMIT_HASH || echo "Warning: failed to push prover-agent-dev image, continuing."
+  else
+    echo "Warning: prover-agent image not found locally, skipping push."
+  fi
 }
 
 case "$cmd" in

diff --git a/spartan/aztec-node/templates/_pod-template.yaml b/spartan/aztec-node/templates/_pod-template.yaml
@@ -193,8 +193,8 @@ spec:
         {{- if .Values.node.adminApiKeyHash }}
         - name: AZTEC_ADMIN_API_KEY_HASH
           value: {{ .Values.node.adminApiKeyHash | quote }}
-        {{- else if .Values.node.noAdminApiKey }}
-        - name: AZTEC_NO_ADMIN_API_KEY
+        {{- else if .Values.node.disableAdminApiKey }}
+        - name: AZTEC_DISABLE_ADMIN_API_KEY
           value: "true"
         {{- end }}
         - name: LOG_LEVEL

diff --git a/spartan/aztec-node/values.yaml b/spartan/aztec-node/values.yaml
@@ -106,7 +106,7 @@ node:
 
   # -- Disable admin API key authentication.
   # Set to false in production to enable API key auth.
-  noAdminApiKey: true
+  disableAdminApiKey: true
 
   # the address that will receive block or proof rewards
   coinbase:

diff --git a/spartan/aztec-validator/values.yaml b/spartan/aztec-validator/values.yaml
@@ -26,7 +26,7 @@ validator:
 
   node:
     # Set to false in production to enable API key auth.
-    noAdminApiKey: true
+    disableAdminApiKey: true
     configMap:
       envEnabled: true
     secret:

diff --git a/yarn-project/aztec/src/cli/admin_api_key_store.test.ts b/yarn-project/aztec/src/cli/admin_api_key_store.test.ts
@@ -22,9 +22,9 @@ describe('resolveAdminApiKey', () => {
     }
   });
 
-  describe('opt-out (noAdminApiKey = true)', () => {
+  describe('opt-out (disableAdminApiKey = true)', () => {
     it('returns undefined when auth is disabled', async () => {
-      const result = await resolveAdminApiKey({ noAdminApiKey: true }, log);
+      const result = await resolveAdminApiKey({ disableAdminApiKey: true }, log);
       expect(result).toBeUndefined();
     });
   });

diff --git a/yarn-project/aztec/src/cli/admin_api_key_store.ts b/yarn-project/aztec/src/cli/admin_api_key_store.ts
@@ -28,7 +28,7 @@ export interface ResolveAdminApiKeyOptions {
   /** SHA-256 hex hash of a pre-generated API key. When set, the node uses this hash directly. */
   adminApiKeyHash?: string;
   /** If true, disable admin API key auth entirely. */
-  noAdminApiKey?: boolean;
+  disableAdminApiKey?: boolean;
   /** If true, force-generate a new key even if one is already persisted. */
   resetAdminApiKey?: boolean;
   /** Root data directory for persistent storage. */
@@ -39,7 +39,7 @@ export interface ResolveAdminApiKeyOptions {
  * Resolves the admin API key for the admin RPC endpoint.
  *
  * Strategy:
- * 1. If opt-out flag is set (`noAdminApiKey`), return undefined (no auth).
+ * 1. If opt-out flag is set (`disableAdminApiKey`), return undefined (no auth).
  * 2. If a pre-generated hash is provided (`adminApiKeyHash`), use it directly.
  * 3. If a data directory exists, look for a persisted hash file
  *    at `<dataDirectory>/admin/api_key_hash`:
@@ -58,8 +58,8 @@ export async function resolveAdminApiKey(
   log: Logger,
 ): Promise<AdminApiKeyResolution | undefined> {
   // Operator explicitly opted out of admin auth
-  if (options.noAdminApiKey) {
-    log.warn('Admin API key authentication is DISABLED (--no-admin-api-key / AZTEC_NO_ADMIN_API_KEY)');
+  if (options.disableAdminApiKey) {
+    log.warn('Admin API key authentication is DISABLED (--disable-admin-api-key / AZTEC_DISABLE_ADMIN_API_KEY)');
     return undefined;
   }
 

diff --git a/yarn-project/aztec/src/cli/aztec_start_action.ts b/yarn-project/aztec/src/cli/aztec_start_action.ts
@@ -109,7 +109,7 @@ export async function aztecStart(options: any, userLog: LogFn, debugLogger: Logg
     const apiKeyResolution = await resolveAdminApiKey(
       {
         adminApiKeyHash: options.adminApiKeyHash,
-        noAdminApiKey: options.noAdminApiKey,
+        disableAdminApiKey: options.disableAdminApiKey,
         resetAdminApiKey: options.resetAdminApiKey,
         dataDirectory: options.dataDirectory,
       },
@@ -148,7 +148,7 @@ export async function aztecStart(options: any, userLog: LogFn, debugLogger: Logg
         userLog('  The key hash has been persisted — on next restart, the same key will be used.');
       }
       userLog('');
-      userLog('  To disable admin auth: --no-admin-api-key or AZTEC_NO_ADMIN_API_KEY=true');
+      userLog('  To disable admin auth: --disable-admin-api-key or AZTEC_DISABLE_ADMIN_API_KEY=true');
       userLog(separator);
       userLog('');
     }

diff --git a/yarn-project/aztec/src/cli/aztec_start_options.ts b/yarn-project/aztec/src/cli/aztec_start_options.ts
@@ -150,12 +150,13 @@ export const aztecStartOptions: { [key: string]: AztecStartOption[] } = {
       env: 'AZTEC_ADMIN_API_KEY_HASH',
     },
     {
-      flag: '--no-admin-api-key',
+      flag: '--disable-admin-api-key',
       description:
         'Disable API key authentication on the admin RPC endpoint. By default, a key is auto-generated, displayed once, and its hash is persisted.',
       defaultValue: false,
-      env: 'AZTEC_NO_ADMIN_API_KEY',
-      parseVal: val => val === 'true' || val === '1',
+      env: 'AZTEC_DISABLE_ADMIN_API_KEY',
+      // undefined means the flag was passed without a value (boolean toggle), treat as true.
+      parseVal: val => val === undefined || val === 'true' || val === '1',
     },
     {
       flag: '--reset-admin-api-key',

diff --git a/yarn-project/foundation/src/config/env_var.ts b/yarn-project/foundation/src/config/env_var.ts
@@ -13,7 +13,7 @@ export type EnvVar =
   | 'ARCHIVER_BATCH_SIZE'
   | 'AZTEC_ADMIN_PORT'
   | 'AZTEC_ADMIN_API_KEY_HASH'
-  | 'AZTEC_NO_ADMIN_API_KEY'
+  | 'AZTEC_DISABLE_ADMIN_API_KEY'
   | 'AZTEC_RESET_ADMIN_API_KEY'
   | 'AZTEC_NODE_ADMIN_URL'
   | 'AZTEC_NODE_URL'