@aztec/cli 0.0.1-commit.24de95ac → 0.0.1-commit.2e2504e2

package/src/cmds/l1/update_l1_validators.ts

@@ -1,25 +1,18 @@
-import {
-  GSEContract,
-  RollupContract,
-  createEthereumChain,
-  createExtendedL1Client,
-  createL1TxUtilsFromViemWallet,
-  getL1ContractsConfigEnvVars,
-  getPublicClient,
-  isAnvilTestChain,
-} from '@aztec/ethereum';
+import { createEthereumChain, isAnvilTestChain } from '@aztec/ethereum/chain';
+import { createExtendedL1Client, getPublicClient } from '@aztec/ethereum/client';
+import { getL1ContractsConfigEnvVars } from '@aztec/ethereum/config';
+import { GSEContract, RollupContract } from '@aztec/ethereum/contracts';
+import { createL1TxUtilsFromViemWallet } from '@aztec/ethereum/l1-tx-utils';
 import { EthCheatCodes } from '@aztec/ethereum/test';
 import type { EthAddress } from '@aztec/foundation/eth-address';
 import type { LogFn, Logger } from '@aztec/foundation/log';
 import { DateProvider } from '@aztec/foundation/timer';
-import { RollupAbi, StakingAssetHandlerAbi } from '@aztec/l1-artifacts';
+import { RollupAbi, StakingAssetHandlerAbi, TestERC20Abi } from '@aztec/l1-artifacts';
 import { ZkPassportProofParams } from '@aztec/stdlib/zkpassport';
 
-import { encodeFunctionData, formatEther, getContract } from 'viem';
+import { encodeFunctionData, formatEther, getContract, maxUint256 } from 'viem';
 import { generatePrivateKey, mnemonicToAccount, privateKeyToAccount } from 'viem/accounts';
 
-import { addLeadingHex } from '../../utils/aztec.js';
-
 export interface RollupCommandArgs {
   rpcUrls: string[];
   chainId: number;
@@ -58,8 +51,8 @@ export async function addL1Validator({
   privateKey,
   mnemonic,
   attesterAddress,
+  withdrawerAddress,
   stakingAssetHandlerAddress,
-  merkleProof,
   proofParams,
   blsSecretKey,
   log,
@@ -68,8 +61,8 @@ export async function addL1Validator({
   LoggerArgs & {
     blsSecretKey: bigint; // scalar field element of BN254
     attesterAddress: EthAddress;
+    withdrawerAddress: EthAddress;
     proofParams: Buffer;
-    merkleProof: string[];
   }) {
   const dualLog = makeDualLog(log, debugLogger);
   const account = getAccount(privateKey, mnemonic);
@@ -92,33 +85,61 @@ export async function addL1Validator({
   });
 
   const gseAddress = await rollup.read.getGSE();
-
   const gse = new GSEContract(l1Client, gseAddress);
-
   const registrationTuple = await gse.makeRegistrationTuple(blsSecretKey);
 
   const l1TxUtils = createL1TxUtilsFromViemWallet(l1Client, { logger: debugLogger });
   const proofParamsObj = ZkPassportProofParams.fromBuffer(proofParams);
-  const merkleProofArray = merkleProof.map(proof => addLeadingHex(proof));
 
-  const { receipt } = await l1TxUtils.sendAndMonitorTransaction({
+  // Step 1: Claim STK tokens from the faucet
+  dualLog(`Claiming STK tokens from faucet`);
+  const { receipt: claimReceipt } = await l1TxUtils.sendAndMonitorTransaction({
     to: stakingAssetHandlerAddress.toString(),
     data: encodeFunctionData({
       abi: StakingAssetHandlerAbi,
-      functionName: 'addValidator',
+      functionName: 'claim',
+      args: [proofParamsObj.toViem()],
+    }),
+    abi: StakingAssetHandlerAbi,
+  });
+  dualLog(`Claim transaction hash: ${claimReceipt.transactionHash}`);
+  await l1Client.waitForTransactionReceipt({ hash: claimReceipt.transactionHash });
+
+  // Step 2: Approve the rollup to spend STK tokens
+  const stakingAssetAddress = await stakingAssetHandler.read.STAKING_ASSET();
+  dualLog(`Approving rollup to spend STK tokens`);
+  const { receipt: approveReceipt } = await l1TxUtils.sendAndMonitorTransaction({
+    to: stakingAssetAddress,
+    data: encodeFunctionData({
+      abi: TestERC20Abi,
+      functionName: 'approve',
+      args: [rollupAddress, maxUint256],
+    }),
+    abi: TestERC20Abi,
+  });
+  await l1Client.waitForTransactionReceipt({ hash: approveReceipt.transactionHash });
+
+  // Step 3: Deposit into the rollup to register as a validator
+  dualLog(`Depositing into rollup to register validator`);
+  const { receipt } = await l1TxUtils.sendAndMonitorTransaction({
+    to: rollupAddress,
+    data: encodeFunctionData({
+      abi: RollupAbi,
+      functionName: 'deposit',
       args: [
         attesterAddress.toString(),
-        merkleProofArray,
-        proofParamsObj.toViem(),
+        withdrawerAddress.toString(),
         registrationTuple.publicKeyInG1,
         registrationTuple.publicKeyInG2,
         registrationTuple.proofOfPossession,
+        false, // moveWithLatestRollup
       ],
     }),
-    abi: StakingAssetHandlerAbi,
+    abi: RollupAbi,
   });
-  dualLog(`Transaction hash: ${receipt.transactionHash}`);
+  dualLog(`Deposit transaction hash: ${receipt.transactionHash}`);
   await l1Client.waitForTransactionReceipt({ hash: receipt.transactionHash });
+
   if (isAnvilTestChain(chainId)) {
     dualLog(`Funding validator on L1`);
     const cheatCodes = new EthCheatCodes(rpcUrls, new DateProvider(), debugLogger);
@@ -299,9 +320,9 @@ export async function debugRollup({ rpcUrls, chainId, rollupAddress, log }: Roll
   const publicClient = getPublicClient({ l1RpcUrls: rpcUrls, l1ChainId: chainId });
   const rollup = new RollupContract(publicClient, rollupAddress);
 
-  const pendingNum = await rollup.getBlockNumber();
+  const pendingNum = await rollup.getCheckpointNumber();
   log(`Pending block num: ${pendingNum}`);
-  const provenNum = await rollup.getProvenBlockNumber();
+  const provenNum = await rollup.getProvenCheckpointNumber();
   log(`Proven block num: ${provenNum}`);
   const validators = await rollup.getAttesters();
   log(`Validators: ${validators.map(v => v.toString()).join(', ')}`);

package/src/cmds/misc/generate_secret_and_hash.ts

@@ -1,5 +1,5 @@
 import { computeSecretHash } from '@aztec/aztec.js/crypto';
-import { Fr } from '@aztec/foundation/fields';
+import { Fr } from '@aztec/foundation/curves/bn254';
 import type { LogFn } from '@aztec/foundation/log';
 
 export async function generateSecretAndHash(log: LogFn) {

package/src/cmds/misc/index.ts

@@ -1,5 +1,4 @@
 import type { LogFn } from '@aztec/foundation/log';
-import { printENR } from '@aztec/p2p/enr';
 
 import type { Command } from 'commander';
 
@@ -49,6 +48,7 @@ export function injectCommands(program: Command, log: LogFn) {
     .description('Decodes and ENR record')
     .argument('<enr>', 'The encoded ENR string')
     .action(async (enr: string) => {
+      const { printENR } = await import('@aztec/p2p/enr');
       await printENR(enr, log);
     });
 

package/src/cmds/misc/update/npm.ts

@@ -9,7 +9,7 @@ import { type SemVer, parse } from 'semver';
 import type { DependencyChanges } from './common.js';
 import { atomicUpdateFile } from './utils.js';
 
-const deprecatedNpmPackages = new Set<string>(['@aztec/cli', '@aztec/aztec-sandbox']);
+const deprecatedNpmPackages = new Set<string>(['@aztec/cli', '@aztec/aztec-local-network']);
 const npmDeprecationMessage = `
 The following packages have been deprecated and will no longer be updated on the npm registry:
 ${Array.from(deprecatedNpmPackages)

package/src/cmds/validator_keys/add.ts

@@ -16,28 +16,35 @@ import {
   writeEthJsonV3ToFile,
   writeKeystoreFile,
 } from './shared.js';
+import { validateBlsPathOptions, validatePublisherOptions, validateRemoteSignerOptions } from './utils.js';
 
 export type AddValidatorKeysOptions = NewValidatorKeystoreOptions;
 
 export async function addValidatorKeys(existing: string, options: AddValidatorKeysOptions, log: LogFn) {
+  // validate bls-path inputs before proceeding with key generation
+  validateBlsPathOptions(options);
+  // validate publisher options
+  validatePublisherOptions(options);
+  // validate remote signer options
+  validateRemoteSignerOptions(options);
+
   const {
     dataDir,
     file,
     count,
     publisherCount = 0,
+    publishers,
     mnemonic,
     accountIndex = 0,
     addressIndex,
     ikm,
     blsPath,
-    blsOnly,
     json,
     feeRecipient: feeRecipientOpt,
     coinbase: coinbaseOpt,
-    fundingAccount: fundingAccountOpt,
     remoteSigner: remoteSignerOpt,
     password,
-    outDir,
+    encryptedKeystoreDir,
   } = options;
 
   const validatorCount = typeof count === 'number' && Number.isFinite(count) && count > 0 ? Math.floor(count) : 1;
@@ -55,8 +62,6 @@ export async function addValidatorKeys(existing: string, options: AddValidatorKe
     throw new Error('feeRecipient is required (either present in existing file or via --fee-recipient)');
   }
   const coinbase = (coinbaseOpt as EthAddress | undefined) ?? (first.coinbase as EthAddress | undefined);
-  const fundingAccount =
-    (fundingAccountOpt as EthAddress | undefined) ?? (first.fundingAccount as EthAddress | undefined);
   const derivedRemoteSigner = (first.attester as any)?.remoteSignerUrl || (first.attester as any)?.eth?.remoteSignerUrl;
   const remoteSigner = remoteSignerOpt ?? derivedRemoteSigner;
 
@@ -70,26 +75,31 @@ export async function addValidatorKeys(existing: string, options: AddValidatorKe
   const { validators, summaries } = await buildValidatorEntries({
     validatorCount,
     publisherCount,
+    publishers,
     accountIndex,
     baseAddressIndex: effectiveBaseAddressIndex,
     mnemonic: mnemonicToUse,
     ikm,
     blsPath,
-    blsOnly,
     feeRecipient,
     coinbase,
     remoteSigner,
-    fundingAccount,
   });
 
   keystore.validators.push(...validators);
 
   // If password provided, write ETH JSON V3 and BLS BN254 keystores and replace plaintext
   if (password !== undefined) {
-    const targetDir =
-      outDir && outDir.length > 0 ? outDir : dataDir && dataDir.length > 0 ? dataDir : dirname(existing);
+    let targetDir: string;
+    if (encryptedKeystoreDir && encryptedKeystoreDir.length > 0) {
+      targetDir = encryptedKeystoreDir;
+    } else if (dataDir && dataDir.length > 0) {
+      targetDir = dataDir;
+    } else {
+      targetDir = dirname(existing);
+    }
     await writeEthJsonV3ToFile(keystore.validators, { outDir: targetDir, password });
-    await writeBlsBn254ToFile(keystore.validators, { outDir: targetDir, password });
+    await writeBlsBn254ToFile(keystore.validators, { outDir: targetDir, password, blsPath });
   }
 
   let outputPath = existing;

package/src/cmds/validator_keys/generate_bls_keypair.ts

@@ -1,9 +1,10 @@
-import { deriveBlsPrivateKey } from '@aztec/foundation/crypto';
+import { deriveBlsPrivateKey } from '@aztec/foundation/crypto/bls';
 import type { LogFn } from '@aztec/foundation/log';
 
 import { writeFile } from 'fs/promises';
 
 import { computeBlsPublicKeyCompressed, withValidatorIndex } from './shared.js';
+import { defaultBlsPath } from './utils.js';
 
 export type GenerateBlsKeypairOptions = {
   mnemonic?: string;
@@ -17,7 +18,7 @@ export type GenerateBlsKeypairOptions = {
 
 export async function generateBlsKeypair(options: GenerateBlsKeypairOptions, log: LogFn) {
   const { mnemonic, ikm, blsPath, compressed = true, json, out } = options;
-  const path = withValidatorIndex(blsPath ?? 'm/12381/3600/0/0/0', 0);
+  const path = withValidatorIndex(blsPath ?? defaultBlsPath, 0);
   const priv = deriveBlsPrivateKey(mnemonic, ikm, path);
   const pub = await computeBlsPublicKeyCompressed(priv);
   const result = { path, privateKey: priv, publicKey: pub, format: compressed ? 'compressed' : 'uncompressed' };

package/src/cmds/validator_keys/index.ts

@@ -3,11 +3,12 @@ import type { LogFn } from '@aztec/foundation/log';
 import { Command } from 'commander';
 
 import { parseAztecAddress, parseEthereumAddress, parseHex, parseOptionalInteger } from '../../utils/commands.js';
+import { defaultBlsPath } from './utils.js';
 
 export function injectCommands(program: Command, log: LogFn) {
   const group = program
     .command('validator-keys')
-    .aliases(['valKeys'])
+    .aliases(['valKeys', 'valkeys'])
     .description('Manage validator keystores for node operators');
 
   group
@@ -17,28 +18,47 @@ export function injectCommands(program: Command, log: LogFn) {
     .option('--data-dir <path>', 'Directory to store keystore(s). Defaults to ~/.aztec/keystore')
     .option('--file <name>', 'Keystore file name. Defaults to key1.json (or keyN.json if key1.json exists)')
     .option('--count <N>', 'Number of validators to generate', parseOptionalInteger)
-    .option('--publisher-count <N>', 'Number of publisher accounts per validator (default 1)', value =>
+    .option('--publisher-count <N>', 'Number of publisher accounts per validator (default 0)', value =>
       parseOptionalInteger(value, 0),
     )
+    .option('--publishers <privateKeys>', 'Comma-separated list of publisher private keys for all validators.', value =>
+      value.split(',').map((key: string) => key.trim()),
+    )
     .option('--mnemonic <mnemonic>', 'Mnemonic for ETH/BLS derivation')
     .option('--passphrase <str>', 'Optional passphrase for mnemonic')
-    .option('--account-index <N>', 'Base account index for ETH derivation', parseOptionalInteger)
-    .option('--address-index <N>', 'Base address index for ETH derivation', parseOptionalInteger)
-    .option('--coinbase <address>', 'Coinbase ETH address to use when proposing', parseEthereumAddress)
-    .option('--funding-account <address>', 'ETH account to fund publishers', parseEthereumAddress)
+    .option('--account-index <N>', 'Base account index for ETH/BLS derivation', parseOptionalInteger)
+    .option('--address-index <N>', 'Base address index for ETH/BLS derivation', parseOptionalInteger)
+    .option(
+      '--coinbase <address>',
+      'Coinbase ETH address to use when proposing. Defaults to attester address.',
+      parseEthereumAddress,
+    )
+    // TODO: add funding account back in when implemented
+    // .option('--funding-account <privateKey|address>', 'ETH private key (or address for remote signer setup) to fund publishers')
     .option('--remote-signer <url>', 'Default remote signer URL for accounts in this file')
     .option('--ikm <hex>', 'Initial keying material for BLS (alternative to mnemonic)', value => parseHex(value, 32))
-    .option('--bls-path <path>', 'EIP-2334 path (default m/12381/3600/0/0/0)')
-    .option('--bls-only', 'Generate only BLS keys')
+    .option('--bls-path <path>', `EIP-2334 path (default ${defaultBlsPath})`)
     .option(
       '--password <str>',
       'Password for writing keystore files (ETH JSON V3 and BLS EIP-2335). Empty string allowed',
     )
-    .option('--out-dir <dir>', 'Output directory for generated keystore file(s)')
+    .option('--encrypted-keystore-dir <dir>', 'Output directory for encrypted keystore file(s)')
     .option('--json', 'Echo resulting JSON to stdout')
+    .option('--staker-output', 'Generate a single staker output JSON file with an array of validator entries')
+    .option('--gse-address <address>', 'GSE contract address (required with --staker-output)', parseEthereumAddress)
+    .option('--l1-rpc-urls <urls>', 'L1 RPC URLs (comma-separated, required with --staker-output)', value =>
+      value.split(','),
+    )
+    .option(
+      '-c, --l1-chain-id <number>',
+      'L1 chain ID (required with --staker-output)',
+      value => parseInt(value),
+      31337,
+    )
     .requiredOption('--fee-recipient <address>', 'Aztec address that will receive fees', parseAztecAddress)
     .action(async options => {
       const { newValidatorKeystore } = await import('./new.js');
+
       await newValidatorKeystore(options, log);
     });
 
@@ -47,28 +67,35 @@ export function injectCommands(program: Command, log: LogFn) {
     .summary('Augment an existing validator keystore JSON')
     .description('Adds attester/publisher/BLS entries to an existing keystore using the same flags as new')
     .argument('<existing>', 'Path to existing keystore JSON')
-    .option('--data-dir <path>', 'Directory where keystore(s) live')
-    .option('--file <name>', 'Override output file name')
-    .option('--count <N>', 'Number of validators to add', parseOptionalInteger)
-    .option('--publisher-count <N>', 'Number of publisher accounts per validator (default 1)', value =>
+    .option('--data-dir <path>', 'Directory where keystore(s) live. (default: ~/.aztec/keystore)')
+    .option('--file <name>', 'Override output file name. (default: key<N>.json)')
+    .option('--count <N>', 'Number of validators to add. (default: 1)', parseOptionalInteger)
+    .option('--publisher-count <N>', 'Number of publisher accounts per validator (default 0)', value =>
       parseOptionalInteger(value, 0),
     )
+    .option('--publishers <privateKeys>', 'Comma-separated list of publisher private keys for all validators.', value =>
+      value.split(',').map((key: string) => key.trim()),
+    )
     .option('--mnemonic <mnemonic>', 'Mnemonic for ETH/BLS derivation')
     .option('--passphrase <str>', 'Optional passphrase for mnemonic')
-    .option('--account-index <N>', 'Base account index for ETH derivation', parseOptionalInteger)
-    .option('--address-index <N>', 'Base address index for ETH derivation', parseOptionalInteger)
-    .option('--coinbase <address>', 'Coinbase ETH address to use when proposing', parseEthereumAddress)
-    .option('--funding-account <address>', 'ETH account to fund publishers', parseEthereumAddress)
+    .option('--account-index <N>', 'Base account index for ETH/BLS derivation', parseOptionalInteger)
+    .option('--address-index <N>', 'Base address index for ETH/BLS derivation', parseOptionalInteger)
+    .option(
+      '--coinbase <address>',
+      'Coinbase ETH address to use when proposing. Defaults to attester address.',
+      parseEthereumAddress,
+    )
+    // TODO: add funding account back in when implemented
+    // .option('--funding-account <privateKey|address>', 'ETH private key (or address for remote signer setup) to fund publishers')
     .option('--remote-signer <url>', 'Default remote signer URL for accounts in this file')
     .option('--ikm <hex>', 'Initial keying material for BLS (alternative to mnemonic)', value => parseHex(value, 32))
-    .option('--bls-path <path>', 'EIP-2334 path (default m/12381/3600/0/0/0)')
-    .option('--bls-only', 'Generate only BLS keys')
+    .option('--bls-path <path>', `EIP-2334 path (default ${defaultBlsPath})`)
     .option('--empty', 'Generate an empty skeleton without keys')
     .option(
       '--password <str>',
       'Password for writing keystore files (ETH JSON V3 and BLS EIP-2335). Empty string allowed',
     )
-    .option('--out-dir <dir>', 'Output directory for generated keystore file(s)')
+    .option('--encrypted-keystore-dir <dir>', 'Output directory for encrypted keystore file(s)')
     .option('--json', 'Echo resulting JSON to stdout')
     .requiredOption('--fee-recipient <address>', 'Aztec address that will receive fees', parseAztecAddress)
     .action(async (existing: string, options) => {
@@ -76,13 +103,32 @@ export function injectCommands(program: Command, log: LogFn) {
       await addValidatorKeys(existing, options, log);
     });
 
+  group
+    .command('staker')
+    .summary('Generate staking JSON from keystore')
+    .description(
+      'Reads a validator keystore and outputs staking data with BLS public keys for each attester (skips mnemonics)',
+    )
+    .requiredOption('--from <keystore>', 'Path to keystore JSON file')
+    .option('--password <password>', 'Password for decrypting encrypted keystores (if not specified in keystore file)')
+    .requiredOption('--gse-address <address>', 'GSE contract address', parseEthereumAddress)
+    .option('--l1-rpc-urls <urls>', 'L1 RPC URLs (comma-separated)', value => value.split(','), [
+      'http://localhost:8545',
+    ])
+    .option('-c, --l1-chain-id <number>', 'L1 chain ID', value => parseInt(value), 31337)
+    .option('--output <file>', 'Output file path (if not specified, JSON is written to stdout)')
+    .action(async options => {
+      const { generateStakerJson } = await import('./staker.js');
+      await generateStakerJson(options, log);
+    });
+
   // top-level convenience: aztec generate-bls-keypair
   program
     .command('generate-bls-keypair')
     .description('Generate a BLS keypair with convenience flags')
     .option('--mnemonic <mnemonic>', 'Mnemonic for BLS derivation')
     .option('--ikm <hex>', 'Initial keying material for BLS (alternative to mnemonic)', value => parseHex(value, 32))
-    .option('--bls-path <path>', 'EIP-2334 path (default m/12381/3600/0/0/0)')
+    .option('--bls-path <path>', `EIP-2334 path (default ${defaultBlsPath})`)
     .option('--g2', 'Derive on G2 subgroup')
     .option('--compressed', 'Output compressed public key')
     .option('--json', 'Print JSON output to stdout')

package/src/cmds/validator_keys/new.ts

@@ -1,9 +1,14 @@
+import { prettyPrintJSON } from '@aztec/cli/utils';
+import { createEthereumChain } from '@aztec/ethereum/chain';
+import { GSEContract } from '@aztec/ethereum/contracts';
 import type { EthAddress } from '@aztec/foundation/eth-address';
 import type { LogFn } from '@aztec/foundation/log';
 import type { AztecAddress } from '@aztec/stdlib/aztec-address';
 
 import { wordlist } from '@scure/bip39/wordlists/english.js';
-import { dirname } from 'path';
+import { writeFile } from 'fs/promises';
+import { basename, dirname, join } from 'path';
+import { createPublicClient, fallback, http } from 'viem';
 import { generateMnemonic, mnemonicToAccount } from 'viem/accounts';
 
 import {
@@ -15,12 +20,20 @@ import {
   writeEthJsonV3ToFile,
   writeKeystoreFile,
 } from './shared.js';
+import { processAttesterAccounts } from './staker.js';
+import {
+  validateBlsPathOptions,
+  validatePublisherOptions,
+  validateRemoteSignerOptions,
+  validateStakerOutputOptions,
+} from './utils.js';
 
 export type NewValidatorKeystoreOptions = {
   dataDir?: string;
   file?: string;
   count?: number;
   publisherCount?: number;
+  publishers?: string[];
   mnemonic?: string;
   passphrase?: string;
   accountIndex?: number;
@@ -28,68 +41,85 @@ export type NewValidatorKeystoreOptions = {
   separatePublisher?: boolean;
   ikm?: string;
   blsPath?: string;
-  blsOnly?: boolean;
   password?: string;
-  outDir?: string;
+  encryptedKeystoreDir?: string;
   json?: boolean;
   feeRecipient: AztecAddress;
   coinbase?: EthAddress;
   remoteSigner?: string;
-  fundingAccount?: EthAddress;
+  stakerOutput?: boolean;
+  gseAddress?: EthAddress;
+  l1RpcUrls?: string[];
+  l1ChainId?: number;
 };
 
 export async function newValidatorKeystore(options: NewValidatorKeystoreOptions, log: LogFn) {
+  // validate bls-path inputs before proceeding with key generation
+  validateBlsPathOptions(options);
+  // validate staker output options before proceeding with key generation
+  validateStakerOutputOptions(options);
+  // validate publisher options
+  validatePublisherOptions(options);
+  // validate remote signer options
+  validateRemoteSignerOptions(options);
+
   const {
     dataDir,
     file,
     count,
     publisherCount = 0,
+    publishers,
     json,
     coinbase,
     accountIndex = 0,
     addressIndex = 0,
     feeRecipient,
     remoteSigner,
-    fundingAccount,
-    blsOnly,
     blsPath,
     ikm,
     mnemonic: _mnemonic,
     password,
-    outDir,
+    encryptedKeystoreDir,
+    stakerOutput,
+    gseAddress,
+    l1RpcUrls,
+    l1ChainId,
   } = options;
 
-  if (remoteSigner && !_mnemonic) {
-    throw new Error(
-      'Using --remote-signer requires a deterministic key source. Provide --mnemonic to derive keys, or omit --remote-signer to write new private keys to keystore.',
-    );
-  }
-
   const mnemonic = _mnemonic ?? generateMnemonic(wordlist);
 
+  if (!_mnemonic && !json) {
+    log('No mnemonic provided, generating new one...');
+    log(`Using new mnemonic:`);
+    log('');
+    log(mnemonic);
+    log('');
+  }
+
   const validatorCount = typeof count === 'number' && Number.isFinite(count) && count > 0 ? Math.floor(count) : 1;
   const { outputPath } = await resolveKeystoreOutputPath(dataDir, file);
+  const keystoreOutDir = dirname(outputPath);
 
   const { validators, summaries } = await buildValidatorEntries({
     validatorCount,
     publisherCount,
+    publishers,
     accountIndex,
     baseAddressIndex: addressIndex,
     mnemonic,
     ikm,
     blsPath,
-    blsOnly,
     feeRecipient,
     coinbase,
     remoteSigner,
-    fundingAccount,
   });
 
   // If password provided, write ETH JSON V3 and BLS BN254 keystores and replace plaintext
   if (password !== undefined) {
-    const keystoreOutDir = outDir && outDir.length > 0 ? outDir : dirname(outputPath);
-    await writeEthJsonV3ToFile(validators, { outDir: keystoreOutDir, password });
-    await writeBlsBn254ToFile(validators, { outDir: keystoreOutDir, password });
+    const encryptedKeystoreOutDir =
+      encryptedKeystoreDir && encryptedKeystoreDir.length > 0 ? encryptedKeystoreDir : keystoreOutDir;
+    await writeEthJsonV3ToFile(validators, { outDir: encryptedKeystoreOutDir, password });
+    await writeBlsBn254ToFile(validators, { outDir: encryptedKeystoreOutDir, password });
   }
 
   const keystore = {
@@ -99,15 +129,66 @@ export async function newValidatorKeystore(options: NewValidatorKeystoreOptions,
 
   await writeKeystoreFile(outputPath, keystore);
 
-  maybePrintJson(log, json, keystore as unknown as Record<string, any>);
-  if (!json) {
+  // Generate staker outputs if requested
+  const allStakerOutputs: any[] = [];
+  if (stakerOutput && gseAddress && l1RpcUrls && l1ChainId !== undefined) {
+    const chain = createEthereumChain(l1RpcUrls, l1ChainId);
+    const publicClient = createPublicClient({
+      chain: chain.chainInfo,
+      transport: fallback(l1RpcUrls.map(url => http(url, { batch: false }))),
+    });
+    const gse = new GSEContract(publicClient, gseAddress);
+
+    // Extract keystore base name without extension for unique staker output filenames
+    const keystoreBaseName = basename(outputPath, '.json');
+
+    // Process each validator
+    for (let i = 0; i < validators.length; i++) {
+      const validator = validators[i];
+      const outputs = await processAttesterAccounts(validator.attester, gse, password);
+
+      // Collect all staker outputs
+      for (let j = 0; j < outputs.length; j++) {
+        allStakerOutputs.push(outputs[j]);
+      }
+    }
+
+    // Write a single JSON file with all staker outputs
+    if (allStakerOutputs.length > 0) {
+      const stakerOutputPath = join(keystoreOutDir, `${keystoreBaseName}_staker_output.json`);
+      await writeFile(stakerOutputPath, prettyPrintJSON(allStakerOutputs), 'utf-8');
+    }
+  }
+
+  const outputData = !_mnemonic ? { ...keystore, generatedMnemonic: mnemonic } : keystore;
+
+  // Handle JSON output
+  if (json) {
+    if (stakerOutput && allStakerOutputs.length > 0) {
+      const combinedOutput = {
+        keystore: outputData,
+        staker: allStakerOutputs,
+      };
+      maybePrintJson(log, json, combinedOutput as unknown as Record<string, any>);
+    } else {
+      maybePrintJson(log, json, outputData as unknown as Record<string, any>);
+    }
+  } else {
     log(`Wrote validator keystore to ${outputPath}`);
+    if (stakerOutput && allStakerOutputs.length > 0) {
+      const keystoreBaseName = basename(outputPath, '.json');
+      const stakerOutputPath = join(keystoreOutDir, `${keystoreBaseName}_staker_output.json`);
+      log(`Wrote staker output for ${allStakerOutputs.length} validator(s) to ${stakerOutputPath}`);
+      log('');
+    }
   }
 
-  // Always print a concise summary of public keys (addresses and BLS pubkeys)
-  logValidatorSummaries(log, summaries);
+  // print a concise summary of public keys (addresses and BLS pubkeys) if no --json options was selected
+  if (!json) {
+    logValidatorSummaries(log, summaries);
+  }
 
-  if (!blsOnly && mnemonic && remoteSigner) {
+  if (mnemonic && remoteSigner && !json) {
     for (let i = 0; i < validatorCount; i++) {
       const addrIdx = addressIndex + i;
       const acct = mnemonicToAccount(mnemonic, {
@@ -117,4 +198,10 @@ export async function newValidatorKeystore(options: NewValidatorKeystoreOptions,
       log(`attester address: ${acct.address} remoteSignerUrl: ${remoteSigner}`);
     }
   }
+
+  // Log staker outputs if not in JSON mode
+  if (!json && stakerOutput && allStakerOutputs.length > 0) {
+    log('\nStaker outputs:');
+    log(prettyPrintJSON(allStakerOutputs));
+  }
 }