starknet_transaction_prover: add deployment smoke script and guide by avi-starkware · Pull Request #14052 · starkware-libs/sequencer

avi-starkware · 2026-05-17T15:42:08Z

Adds three operational artifacts:

MANUAL_TESTING_GUIDE.md — comprehensive manual testing reference
(endpoints, negative flows, CORS matrix, compression, concurrency,
load) for deep deployment validation.
DEPLOYMENT_SMOKE_TESTING_GUIDE.md — per-deploy 5-10 minute checklist
covering reachability, core JSON-RPC methods, one real proving flow,
invalid-request handling, and concurrency protection.
deployment_smoke.sh — automated smoke script that mirrors the smoke
guide's checks, prints a PASS/FAIL summary, and supports
KEEP_ARTIFACTS / TX_HASH / LOOKBACK_BLOCKS overrides for debugging.

reviewable-StarkWare · 2026-05-17T15:42:16Z

This change is

avi-starkware · 2026-05-17T15:42:26Z

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

This stack of pull requests is managed by Graphite. Learn more about stacking.

cursor · 2026-05-17T15:42:30Z

PR Summary

Low Risk
Documentation and an external smoke-test script only; no changes to prover runtime, RPC, or proving logic.

Overview
Adds post-deploy operational validation for starknet_transaction_prover: a short DEPLOYMENT_SMOKE_TESTING_GUIDE.md (~5–10 min checklist) and an executable deployment_smoke.sh that runs the same checks and exits with a PASS/FAIL summary.

The guide documents prerequisites (PROVER_URL, CHAIN_RPC_URL, fee-field config for real txs), optional env overrides (TX_HASH, LOOKBACK_BLOCKS, KEEP_ARTIFACTS, OHTTP_SMOKE, TLS_MIN_DAYS, MAX_REQUEST_BODY_SIZE), and manual curl/jq steps for health (starknet_specVersion), compression, TLS, OHTTP keys, oversize bodies, malformed params, a chain-sourced starknet_proveTransaction happy path, and concurrency/recovery (including -32005).

The script automates those checks: it reads SPEC_VERSION from rpc_impl.rs, scans recent blocks (or uses TX_HASH) for an INVOKE v3 tx to build a prove request, tolerates unreachable RPCs under set -e via || true, preserves temp artifacts on failure or when KEEP_ARTIFACTS=true, and skips TLS/OHTTP/body-size checks when not applicable or when python3/openssl are missing.

^{Reviewed by Cursor Bugbot for commit 649e3c3. Bugbot is set up for automated code reviews on this repo. Configure here.}

cursor · 2026-05-20T08:39:28Z

+                -d "$(cat "$TMP_DIR/prove_request_valid.json")" > "$TMP_DIR/concurrency_$i.json"
+        ) &
+        pids+=("$!")
+    done


Concurrency curl calls lack timeout, risking indefinite hang

Low Severity

The three concurrent curl calls in check_concurrency_and_recovery are the only network calls in the script without a --max-time limit. Every other call goes through rpc_call_prover or rpc_call_chain, both of which set --max-time 30. If the prover is slow or unresponsive, the wait loop blocks indefinitely, which is problematic for a script targeting a 5–10 minute runtime and likely used in CI/CD pipelines.

^{Reviewed by Cursor Bugbot for commit 8161746. Configure here.}

cursor

Cursor Bugbot has reviewed your changes and found 5 potential issues.

There are 6 total unresolved issues (including 1 from previous review).

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 649e3c3. Configure here.}

cursor · 2026-06-07T11:47:44Z

+    # `|| true` keeps the script alive when the prover is unreachable so the EXIT trap still
+    # prints PASS/FAIL totals; the check-level code surfaces the empty body via a FAIL entry.
+    curl -sS --max-time 30 "$PROVER_URL" -H 'content-type: application/json' -d "$payload" || true
+}


Prove requests use thirty second timeout

High Severity

rpc_call_prover applies a 30-second curl limit to every prover call, including starknet_proveTransaction. Real proving often exceeds that window, so the happy-path and recovery checks can fail with empty responses even when the service is healthy.

Additional Locations (1)

crates/starknet_transaction_prover/deployment_smoke.sh#L188-L194

^{Reviewed by Cursor Bugbot for commit 649e3c3. Configure here.}

cursor · 2026-06-07T11:47:44Z

+        pass_step "TLS cert valid for $days_left days (≥ $min_days)"
+    else
+        fail_step "TLS cert expires in $days_left days (< $min_days); notAfter=$not_after"
+    fi


TLS expiry parsing needs GNU date

Medium Severity

check_tls_certificate parses OpenSSL’s notAfter with date -d, which is GNU-specific. On macOS or BSD, parsing fails, expiry_epoch becomes 0, and valid certificates are reported as expiring immediately.

^{Reviewed by Cursor Bugbot for commit 649e3c3. Configure here.}

cursor · 2026-06-07T11:47:44Z

+
+        tx_hash=$(rpc_call_chain "{\"jsonrpc\":\"2.0\",\"id\":101,\"method\":\"starknet_getBlockWithTxs\",\"params\":[{\"block_number\":$block_number}]}" \
+            | jq -r --arg tx_type "$tx_type" --arg tx_version "$tx_version" \
+                '[.result.transactions[] | select(.type==$tx_type and .version==$tx_version) | .transaction_hash] | .[0] // empty')


Block scan aborts on RPC errors

Medium Severity

With set -o pipefail, a failed jq filter on a bad starknet_getBlockWithTxs response aborts find_tx_hash instead of skipping that block. The whole script can exit before the PASS/FAIL summary when the chain RPC returns errors for some heights.

^{Reviewed by Cursor Bugbot for commit 649e3c3. Configure here.}

cursor · 2026-06-07T11:47:44Z

+    fi
+    if ! command -v openssl >/dev/null 2>&1; then
+        fail_step "TLS cert check skipped — openssl not installed on this host"
+        return 0


OpenSSL missing still marks failure

Low Severity

When PROVER_URL is HTTPS and openssl is missing, the script calls fail_step with a “skipped” message but still returns without treating the check as optional, so FAIL_COUNT rises and the deployment gate fails.

^{Reviewed by Cursor Bugbot for commit 649e3c3. Configure here.}

cursor · 2026-06-07T11:47:44Z

+        fail_step "/ohttp-keys response missing cache-control header"
+        return 0
+    fi
+    pass_step "/ohttp-keys returns non-empty, cacheable key material"


OHTTP omits non-zero max-age

Low Severity

check_ohttp_keys only requires a cache-control header, while the smoke guide requires a non-zero max-age. Responses like Cache-Control: no-cache can pass the script but fail the documented deployment criteria.

^{Reviewed by Cursor Bugbot for commit 649e3c3. Configure here.}

This was referenced May 17, 2026

starknet_transaction_prover: add committer utils unit tests #14046

Open

starknet_transaction_prover: add prover input validation unit tests #14047

Open

avi-starkware marked this pull request as ready for review May 17, 2026 15:42

This was referenced May 17, 2026

starknet_transaction_prover: add CORS validation unit tests #14048

Open

starknet_transaction_prover: add ServiceConfig validation tests #14049

Open

starknet_transaction_prover: add TLS integration tests #14050

Open

avi-starkware mentioned this pull request May 17, 2026

starknet_transaction_prover: make RPC error spec test exhaustive via enum #14051

Open

cursor Bot reviewed May 17, 2026

View reviewed changes

Comment thread crates/starknet_transaction_prover/deployment_smoke.sh

Comment thread crates/starknet_transaction_prover/deployment_smoke.sh Outdated

avi-starkware force-pushed the avi/privacy/exhaustive-error-spec-test-v2 branch from 5ea83ee to 3457808 Compare May 17, 2026 17:39

avi-starkware force-pushed the avi/privacy/deployment-docs-and-smoke-v2 branch from 49aebc4 to 0d65f02 Compare May 17, 2026 17:39

cursor Bot reviewed May 17, 2026

View reviewed changes

Comment thread crates/starknet_transaction_prover/deployment_smoke.sh Outdated

Comment thread crates/starknet_transaction_prover/deployment_smoke.sh Outdated

avi-starkware force-pushed the avi/privacy/exhaustive-error-spec-test-v2 branch from 3457808 to ac2d30f Compare May 17, 2026 19:07

avi-starkware force-pushed the avi/privacy/deployment-docs-and-smoke-v2 branch from 0d65f02 to 5f72fc7 Compare May 17, 2026 19:07

cursor Bot reviewed May 17, 2026

View reviewed changes

Comment thread crates/starknet_transaction_prover/deployment_smoke.sh

avi-starkware force-pushed the avi/privacy/exhaustive-error-spec-test-v2 branch from ac2d30f to cb3ebef Compare May 20, 2026 08:33

avi-starkware force-pushed the avi/privacy/deployment-docs-and-smoke-v2 branch from 5f72fc7 to 8161746 Compare May 20, 2026 08:33

cursor Bot reviewed May 20, 2026

View reviewed changes

avi-starkware force-pushed the avi/privacy/exhaustive-error-spec-test-v2 branch from cb3ebef to 93accf4 Compare May 31, 2026 10:39

avi-starkware force-pushed the avi/privacy/deployment-docs-and-smoke-v2 branch from 8161746 to e2aec91 Compare May 31, 2026 10:39

cursor Bot reviewed May 31, 2026

View reviewed changes

Comment thread crates/starknet_transaction_prover/deployment_smoke.sh Outdated

starknet_transaction_prover: add deployment smoke script and guide

649e3c3

avi-starkware changed the base branch from avi/privacy/exhaustive-error-spec-test-v2 to graphite-base/14052 June 7, 2026 11:46

avi-starkware force-pushed the graphite-base/14052 branch from 93accf4 to 7a48fbc Compare June 7, 2026 11:46

avi-starkware force-pushed the avi/privacy/deployment-docs-and-smoke-v2 branch from e2aec91 to 649e3c3 Compare June 7, 2026 11:46

avi-starkware changed the base branch from graphite-base/14052 to avi/privacy/manual-testing-guide-v2 June 7, 2026 11:46

This was referenced Jun 7, 2026

starknet_transaction_prover: add request body size limit tests #14403

Merged

starknet_transaction_prover: add manual testing guide #14404

Open

avi-starkware changed the title ~~starknet_transaction_prover: add deployment health docs and smoke script~~ starknet_transaction_prover: add deployment smoke script and guide Jun 7, 2026

cursor Bot reviewed Jun 7, 2026

View reviewed changes

Conversation

avi-starkware commented May 17, 2026

Uh oh!

reviewable-StarkWare commented May 17, 2026

Uh oh!

avi-starkware commented May 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

cursor Bot commented May 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

PR Summary

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

cursor Bot May 20, 2026

Choose a reason for hiding this comment

Concurrency curl calls lack timeout, risking indefinite hang

Uh oh!

Uh oh!

cursor Bot left a comment

Choose a reason for hiding this comment

Uh oh!

cursor Bot Jun 7, 2026

Choose a reason for hiding this comment

Prove requests use thirty second timeout

Uh oh!

cursor Bot Jun 7, 2026

Choose a reason for hiding this comment

TLS expiry parsing needs GNU date

Uh oh!

cursor Bot Jun 7, 2026

Choose a reason for hiding this comment

Block scan aborts on RPC errors

Uh oh!

cursor Bot Jun 7, 2026

Choose a reason for hiding this comment

OpenSSL missing still marks failure

Uh oh!

cursor Bot Jun 7, 2026

Choose a reason for hiding this comment

OHTTP omits non-zero max-age

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

avi-starkware commented May 17, 2026 •

edited

Loading

cursor Bot commented May 17, 2026 •

edited

Loading