Wire transaction events into devnet

[niran]

Summary

• Adds devnet Vector configuration to tail transaction event JSONL files and ship NDJSON to audit-archiver.
• Enables transaction event journal paths for devnet services and adds a proxyd transaction-events image/config for local verification.
• Adds a smoke script that exercises devnet transactions and checks audit transaction event ingestion.

Verification

• Not rerun after splitting; this branch contains the devnet wiring previously used for local transaction observability verification.

Stack Context

This PR is based on #3628 and contains only devnet/Vector wiring for local verification. It is intentionally reviewed separately from service producer code.

type=routine
risk=low
impact=sev5

[github-actions]

The runtime stage uses the full Go SDK image (golang:v1-24-ub22) rather than a minimal base. The original Dockerfile.proxyd uses alpine:3.20 for the runtime, which is orders of magnitude smaller. Since the runtime only needs the proxyd binary (and curl for healthchecks), consider using a slim base image to reduce image size and attack surface.

Also worth noting: the healthcheck in docker-compose.ingress.yml runs curl, but this Dockerfile doesn't explicitly install it. It may work because the Ubuntu-based Go image likely ships curl, but this is an implicit dependency — if the base image changes, the healthcheck will silently break.

[github-actions]

The TOML config sets enabled = false, but the docker-compose.ingress.yml sets TRANSACTION_EVENTS_ENABLED=true as an environment variable. If proxyd uses env-var overrides for its TOML config, this works as intended (TOML default = off, env override = on). But if proxyd reads the TOML file without env-var override support, transaction events won't be enabled despite the env var.

Could you confirm that proxyd supports environment variable overrides for the [transaction_events] TOML section? If it does, this pattern is fine. If not, this should be enabled = true (or the env var approach is dead code).

[github-actions]

The audit-archiver port is hardcoded to 9100 here. While Vector YAML doesn't support Docker Compose variable interpolation, this creates a silent coupling with AUDIT_RPC_PORT=9100 in devnet-env. If someone changes AUDIT_RPC_PORT, they'd also need to find and update this file — consider adding a comment noting this dependency.

[github-actions]

Review Summary

This PR wires transaction event observability into the devnet infrastructure — adding Vector as a log collector, Postgres for event storage, a smoke test script, and environment/compose configuration for the full pipeline. No Rust source code changes beyond a single CLI flag addition.

Findings

The inline comments from the previous review run cover the main issues:

1. Dockerfile runtime image (Dockerfile.proxyd.transaction-events:14): The runtime stage uses the full Go SDK image instead of a minimal base like the original Dockerfile.proxyd (which uses alpine:3.20). This significantly inflates image size and attack surface for a binary that just needs to run a static Go binary.

2. proxyd TOML vs env var (proxyd.toml): enabled = false in TOML with TRANSACTION_EVENTS_ENABLED=true in compose — needs confirmation that proxyd supports env-var overrides for this section.

3. Hardcoded port in Vector config (transaction-events-vector.yaml:52): Port 9100 is hardcoded in the Vector sink URI, silently coupled to AUDIT_RPC_PORT in devnet-env.

Other observations (no action needed)

• The _ha → _base change in Justfile ingress recipes is a correctness fix — ingress should compose against the base config, not the HA config.
• Bootnode IPs moved from .10/.11 to .41/.40 to avoid conflicts with new infrastructure services at .30-.32. No IP collisions in the /24 subnet.
• The docker-bake.hcl refactor using DEVNET_TARGETS / INGRESS_EXTRA_TARGETS variables with concat() is a clean way to keep the target lists DRY.
• The smoke test script is well-structured with proper error handling (set -euo pipefail), a 60-second retry loop, and clear failure diagnostics.

[github-actions]

✅ base-std fork tests: all 616 passed

base/base is fully in sync with the base-std spec.

Dependency	Ref	Commit
base-std	main	d4b531cd
base-anvil	0092692587d8d064dd2c6923ce26a682c58f3694	00926925