@aztec/cli 0.0.1-commit.b655e406 → 0.0.1-commit.d3ec352c

package/src/cmds/validator_keys/new.ts

@@ -1,9 +1,13 @@
+import { prettyPrintJSON } from '@aztec/cli/utils';
+import { GSEContract, createEthereumChain } from '@aztec/ethereum';
 import type { EthAddress } from '@aztec/foundation/eth-address';
 import type { LogFn } from '@aztec/foundation/log';
 import type { AztecAddress } from '@aztec/stdlib/aztec-address';
 
 import { wordlist } from '@scure/bip39/wordlists/english.js';
-import { dirname } from 'path';
+import { writeFile } from 'fs/promises';
+import { basename, dirname, join } from 'path';
+import { createPublicClient, fallback, http } from 'viem';
 import { generateMnemonic, mnemonicToAccount } from 'viem/accounts';
 
 import {
@@ -15,12 +19,20 @@ import {
   writeEthJsonV3ToFile,
   writeKeystoreFile,
 } from './shared.js';
+import { processAttesterAccounts } from './staker.js';
+import {
+  validateBlsPathOptions,
+  validatePublisherOptions,
+  validateRemoteSignerOptions,
+  validateStakerOutputOptions,
+} from './utils.js';
 
 export type NewValidatorKeystoreOptions = {
   dataDir?: string;
   file?: string;
   count?: number;
   publisherCount?: number;
+  publishers?: string[];
   mnemonic?: string;
   passphrase?: string;
   accountIndex?: number;
@@ -28,68 +40,85 @@ export type NewValidatorKeystoreOptions = {
   separatePublisher?: boolean;
   ikm?: string;
   blsPath?: string;
-  blsOnly?: boolean;
   password?: string;
-  outDir?: string;
+  encryptedKeystoreDir?: string;
   json?: boolean;
   feeRecipient: AztecAddress;
   coinbase?: EthAddress;
   remoteSigner?: string;
-  fundingAccount?: EthAddress;
+  stakerOutput?: boolean;
+  gseAddress?: EthAddress;
+  l1RpcUrls?: string[];
+  l1ChainId?: number;
 };
 
 export async function newValidatorKeystore(options: NewValidatorKeystoreOptions, log: LogFn) {
+  // validate bls-path inputs before proceeding with key generation
+  validateBlsPathOptions(options);
+  // validate staker output options before proceeding with key generation
+  validateStakerOutputOptions(options);
+  // validate publisher options
+  validatePublisherOptions(options);
+  // validate remote signer options
+  validateRemoteSignerOptions(options);
+
   const {
     dataDir,
     file,
     count,
     publisherCount = 0,
+    publishers,
     json,
     coinbase,
     accountIndex = 0,
     addressIndex = 0,
     feeRecipient,
     remoteSigner,
-    fundingAccount,
-    blsOnly,
     blsPath,
     ikm,
     mnemonic: _mnemonic,
     password,
-    outDir,
+    encryptedKeystoreDir,
+    stakerOutput,
+    gseAddress,
+    l1RpcUrls,
+    l1ChainId,
   } = options;
 
-  if (remoteSigner && !_mnemonic) {
-    throw new Error(
-      'Using --remote-signer requires a deterministic key source. Provide --mnemonic to derive keys, or omit --remote-signer to write new private keys to keystore.',
-    );
-  }
-
   const mnemonic = _mnemonic ?? generateMnemonic(wordlist);
 
+  if (!_mnemonic && !json) {
+    log('No mnemonic provided, generating new one...');
+    log(`Using new mnemonic:`);
+    log('');
+    log(mnemonic);
+    log('');
+  }
+
   const validatorCount = typeof count === 'number' && Number.isFinite(count) && count > 0 ? Math.floor(count) : 1;
   const { outputPath } = await resolveKeystoreOutputPath(dataDir, file);
+  const keystoreOutDir = dirname(outputPath);
 
   const { validators, summaries } = await buildValidatorEntries({
     validatorCount,
     publisherCount,
+    publishers,
     accountIndex,
     baseAddressIndex: addressIndex,
     mnemonic,
     ikm,
     blsPath,
-    blsOnly,
     feeRecipient,
     coinbase,
     remoteSigner,
-    fundingAccount,
   });
 
   // If password provided, write ETH JSON V3 and BLS BN254 keystores and replace plaintext
   if (password !== undefined) {
-    const keystoreOutDir = outDir && outDir.length > 0 ? outDir : dirname(outputPath);
-    await writeEthJsonV3ToFile(validators, { outDir: keystoreOutDir, password });
-    await writeBlsBn254ToFile(validators, { outDir: keystoreOutDir, password });
+    const encryptedKeystoreOutDir =
+      encryptedKeystoreDir && encryptedKeystoreDir.length > 0 ? encryptedKeystoreDir : keystoreOutDir;
+    await writeEthJsonV3ToFile(validators, { outDir: encryptedKeystoreOutDir, password });
+    await writeBlsBn254ToFile(validators, { outDir: encryptedKeystoreOutDir, password });
   }
 
   const keystore = {
@@ -99,15 +128,66 @@ export async function newValidatorKeystore(options: NewValidatorKeystoreOptions,
 
   await writeKeystoreFile(outputPath, keystore);
 
-  maybePrintJson(log, json, keystore as unknown as Record<string, any>);
-  if (!json) {
+  // Generate staker outputs if requested
+  const allStakerOutputs: any[] = [];
+  if (stakerOutput && gseAddress && l1RpcUrls && l1ChainId !== undefined) {
+    const chain = createEthereumChain(l1RpcUrls, l1ChainId);
+    const publicClient = createPublicClient({
+      chain: chain.chainInfo,
+      transport: fallback(l1RpcUrls.map(url => http(url))),
+    });
+    const gse = new GSEContract(publicClient, gseAddress);
+
+    // Extract keystore base name without extension for unique staker output filenames
+    const keystoreBaseName = basename(outputPath, '.json');
+
+    // Process each validator
+    for (let i = 0; i < validators.length; i++) {
+      const validator = validators[i];
+      const outputs = await processAttesterAccounts(validator.attester, gse, password);
+
+      // Collect all staker outputs
+      for (let j = 0; j < outputs.length; j++) {
+        allStakerOutputs.push(outputs[j]);
+      }
+    }
+
+    // Write a single JSON file with all staker outputs
+    if (allStakerOutputs.length > 0) {
+      const stakerOutputPath = join(keystoreOutDir, `${keystoreBaseName}_staker_output.json`);
+      await writeFile(stakerOutputPath, prettyPrintJSON(allStakerOutputs), 'utf-8');
+    }
+  }
+
+  const outputData = !_mnemonic ? { ...keystore, generatedMnemonic: mnemonic } : keystore;
+
+  // Handle JSON output
+  if (json) {
+    if (stakerOutput && allStakerOutputs.length > 0) {
+      const combinedOutput = {
+        keystore: outputData,
+        staker: allStakerOutputs,
+      };
+      maybePrintJson(log, json, combinedOutput as unknown as Record<string, any>);
+    } else {
+      maybePrintJson(log, json, outputData as unknown as Record<string, any>);
+    }
+  } else {
     log(`Wrote validator keystore to ${outputPath}`);
+    if (stakerOutput && allStakerOutputs.length > 0) {
+      const keystoreBaseName = basename(outputPath, '.json');
+      const stakerOutputPath = join(keystoreOutDir, `${keystoreBaseName}_staker_output.json`);
+      log(`Wrote staker output for ${allStakerOutputs.length} validator(s) to ${stakerOutputPath}`);
+      log('');
+    }
   }
 
-  // Always print a concise summary of public keys (addresses and BLS pubkeys)
-  logValidatorSummaries(log, summaries);
+  // print a concise summary of public keys (addresses and BLS pubkeys) if no --json options was selected
+  if (!json) {
+    logValidatorSummaries(log, summaries);
+  }
 
-  if (!blsOnly && mnemonic && remoteSigner) {
+  if (mnemonic && remoteSigner && !json) {
     for (let i = 0; i < validatorCount; i++) {
       const addrIdx = addressIndex + i;
       const acct = mnemonicToAccount(mnemonic, {
@@ -117,4 +197,10 @@ export async function newValidatorKeystore(options: NewValidatorKeystoreOptions,
       log(`attester address: ${acct.address} remoteSignerUrl: ${remoteSigner}`);
     }
   }
+
+  // Log staker outputs if not in JSON mode
+  if (!json && stakerOutput && allStakerOutputs.length > 0) {
+    log('\nStaker outputs:');
+    log(prettyPrintJSON(allStakerOutputs));
+  }
 }

package/src/cmds/validator_keys/shared.ts

@@ -13,27 +13,42 @@ import { homedir } from 'os';
 import { dirname, isAbsolute, join } from 'path';
 import { mnemonicToAccount } from 'viem/accounts';
 
+import { defaultBlsPath } from './utils.js';
+
 export type ValidatorSummary = { attesterEth?: string; attesterBls?: string; publisherEth?: string[] };
 
 export type BuildValidatorsInput = {
   validatorCount: number;
   publisherCount?: number;
+  publishers?: string[];
   accountIndex: number;
   baseAddressIndex: number;
   mnemonic: string;
   ikm?: string;
   blsPath?: string;
-  blsOnly?: boolean;
   feeRecipient: AztecAddress;
   coinbase?: EthAddress;
   remoteSigner?: string;
-  fundingAccount?: EthAddress;
 };
 
-export function withValidatorIndex(path: string, index: number) {
+export function withValidatorIndex(path: string, accountIndex: number = 0, addressIndex: number = 0) {
+  // NOTE: The legacy BLS CLI is to allow users who generated keys in 2.1.4 to be able to use the same command
+  // to re-generate their keys. In 2.1.5 we switched how we append addresses to the path so this is to maintain backwards compatibility.
+  const useLegacyBlsCli = ['true', '1', 'yes', 'y'].includes(process.env.LEGACY_BLS_CLI ?? '');
+
+  const defaultBlsPathParts = defaultBlsPath.split('/');
+
   const parts = path.split('/');
-  if (parts.length >= 4 && parts[0] === 'm' && parts[1] === '12381' && parts[2] === '3600') {
-    parts[3] = String(index);
+  if (parts.length == defaultBlsPathParts.length && parts.every((part, index) => part === defaultBlsPathParts[index])) {
+    if (useLegacyBlsCli) {
+      // In 2.1.4, we were using address-index in parts[3] and did NOT use account-index, check lines 32 & 84
+      // https://github.com/AztecProtocol/aztec-packages/blob/v2.1.4/yarn-project/cli/src/cmds/validator_keys/shared.ts
+
+      parts[3] = String(addressIndex);
+    } else {
+      parts[3] = String(accountIndex);
+      parts[5] = String(addressIndex);
+    }
     return parts.join('/');
   }
   return path;
@@ -64,42 +79,37 @@ export async function buildValidatorEntries(input: BuildValidatorsInput) {
   const {
     validatorCount,
     publisherCount = 0,
+    publishers,
     accountIndex,
     baseAddressIndex,
     mnemonic,
     ikm,
     blsPath,
-    blsOnly,
     feeRecipient,
     coinbase,
     remoteSigner,
-    fundingAccount,
   } = input;
 
-  const defaultBlsPath = 'm/12381/3600/0/0/0';
   const summaries: ValidatorSummary[] = [];
 
   const validators = await Promise.all(
     Array.from({ length: validatorCount }, async (_unused, i) => {
       const addressIndex = baseAddressIndex + i;
       const basePath = blsPath ?? defaultBlsPath;
-      const perValidatorPath = withValidatorIndex(basePath, addressIndex);
+      const perValidatorPath = withValidatorIndex(basePath, accountIndex, addressIndex);
 
-      const blsPrivKey = blsOnly || ikm || mnemonic ? deriveBlsPrivateKey(mnemonic, ikm, perValidatorPath) : undefined;
+      const blsPrivKey = ikm || mnemonic ? deriveBlsPrivateKey(mnemonic, ikm, perValidatorPath) : undefined;
       const blsPubCompressed = blsPrivKey ? await computeBlsPublicKeyCompressed(blsPrivKey) : undefined;
 
-      if (blsOnly) {
-        const attester = { bls: blsPrivKey! };
-        summaries.push({ attesterBls: blsPubCompressed });
-        return { attester, feeRecipient } as ValidatorKeyStore;
-      }
-
       const ethAttester = deriveEthAttester(mnemonic, accountIndex, addressIndex, remoteSigner);
       const attester = blsPrivKey ? { eth: ethAttester, bls: blsPrivKey } : ethAttester;
 
       let publisherField: EthAccount | EthPrivateKey | (EthAccount | EthPrivateKey)[] | undefined;
       const publisherAddresses: string[] = [];
-      if (publisherCount > 0) {
+      if (publishers && publishers.length > 0) {
+        publisherAddresses.push(...publishers);
+        publisherField = publishers.length === 1 ? (publishers[0] as EthPrivateKey) : (publishers as EthPrivateKey[]);
+      } else if (publisherCount > 0) {
         const publishersBaseIndex = baseAddressIndex + validatorCount + i * publisherCount;
         const publisherAccounts = Array.from({ length: publisherCount }, (_unused2, j) => {
           const publisherAddressIndex = publishersBaseIndex + j;
@@ -130,8 +140,7 @@ export async function buildValidatorEntries(input: BuildValidatorsInput) {
         attester,
         ...(publisherField !== undefined ? { publisher: publisherField } : {}),
         feeRecipient,
-        coinbase,
-        fundingAccount,
+        coinbase: coinbase ?? attesterEthAddress,
       } as ValidatorKeyStore;
     }),
   );
@@ -229,7 +238,7 @@ export async function writeBn254BlsKeystore(
 /** Replace plaintext BLS keys in validators with { path, password } pointing to BN254 keystore files. */
 export async function writeBlsBn254ToFile(
   validators: ValidatorKeyStore[],
-  options: { outDir: string; password: string },
+  options: { outDir: string; password: string; blsPath?: string },
 ): Promise<void> {
   for (let i = 0; i < validators.length; i++) {
     const v = validators[i];
@@ -245,7 +254,7 @@ export async function writeBlsBn254ToFile(
     }
 
     const pub = await computeBlsPublicKeyCompressed(blsKey);
-    const path = 'm/12381/3600/0/0/0';
+    const path = options.blsPath ?? defaultBlsPath;
     const fileBase = `${String(i + 1)}_${pub.slice(2, 18)}`;
     const keystorePath = await writeBn254BlsKeystore(options.outDir, fileBase, options.password, blsKey, pub, path);
 
@@ -312,10 +321,5 @@ export async function writeEthJsonV3ToFile(
         (v as any).publisher = await maybeEncryptEth(pub, `publisher_${i + 1}`);
       }
     }
-
-    // Optional fundingAccount within validator
-    if ('fundingAccount' in v) {
-      (v as any).fundingAccount = await maybeEncryptEth((v as any).fundingAccount, `funding_${i + 1}`);
-    }
   }
 }

package/src/cmds/validator_keys/staker.ts

@@ -0,0 +1,300 @@
+import { prettyPrintJSON } from '@aztec/cli/utils';
+import { GSEContract, createEthereumChain } from '@aztec/ethereum';
+import { computeBn254G1PublicKey, computeBn254G2PublicKey } from '@aztec/foundation/crypto';
+import { decryptBn254Keystore } from '@aztec/foundation/crypto/bls/bn254_keystore';
+import type { EthAddress } from '@aztec/foundation/eth-address';
+import { Fr } from '@aztec/foundation/fields';
+import type { LogFn } from '@aztec/foundation/log';
+import { loadKeystoreFile } from '@aztec/node-keystore/loader';
+import type {
+  AttesterAccount,
+  AttesterAccounts,
+  BLSAccount,
+  EncryptedKeyFileConfig,
+  EthAccount,
+  MnemonicConfig,
+} from '@aztec/node-keystore/types';
+
+import { Wallet } from '@ethersproject/wallet';
+import { readFileSync, writeFileSync } from 'fs';
+import { basename, dirname, join } from 'path';
+import { createPublicClient, fallback, http } from 'viem';
+import { privateKeyToAddress } from 'viem/accounts';
+
+export type StakerOptions = {
+  from: string;
+  password?: string;
+  output?: string;
+  gseAddress: EthAddress;
+  l1RpcUrls: string[];
+  l1ChainId: number;
+};
+
+export type StakerOutput = {
+  attester: string;
+  publicKeyG1: {
+    x: string;
+    y: string;
+  };
+  publicKeyG2: {
+    x0: string;
+    x1: string;
+    y0: string;
+    y1: string;
+  };
+  proofOfPossession: {
+    x: string;
+    y: string;
+  };
+};
+
+/**
+ * Check if an object is a MnemonicConfig
+ */
+function isMnemonicConfig(obj: unknown): obj is MnemonicConfig {
+  return typeof obj === 'object' && obj !== null && 'mnemonic' in obj;
+}
+
+/**
+ * Check if a value is an encrypted keystore file config
+ */
+function isEncryptedKeyFileConfig(value: unknown): value is EncryptedKeyFileConfig {
+  return typeof value === 'object' && value !== null && 'path' in value;
+}
+
+/**
+ * Check if a BLSAccount is a private key string (not an encrypted keystore file)
+ */
+function isBlsPrivateKey(bls: unknown): bls is string {
+  return typeof bls === 'string' && bls.startsWith('0x');
+}
+
+/**
+ * Check if an EthAccount is a private key string (66 chars: 0x + 64 hex)
+ */
+function isEthPrivateKey(eth: unknown): eth is string {
+  return typeof eth === 'string' && eth.startsWith('0x') && eth.length === 66;
+}
+
+/**
+ * Check if a string is an Ethereum address (42 chars: 0x + 40 hex)
+ */
+function isEthAddress(value: unknown): value is string {
+  return typeof value === 'string' && /^0x[0-9a-fA-F]{40}$/.test(value);
+}
+
+/**
+ * Decrypt a BLS private key from an encrypted keystore file
+ */
+function decryptBlsKey(bls: BLSAccount, password?: string): string | undefined {
+  if (isBlsPrivateKey(bls)) {
+    return bls;
+  }
+
+  if (isEncryptedKeyFileConfig(bls)) {
+    if (!password && !bls.password) {
+      return undefined; // Can't decrypt without password
+    }
+    const pwd = password ?? bls.password!;
+    return decryptBn254Keystore(bls.path, pwd);
+  }
+
+  return undefined;
+}
+
+/**
+ * Decrypt an Ethereum private key from an encrypted keystore file
+ */
+async function decryptEthKey(eth: EthAccount, password?: string): Promise<string | undefined> {
+  if (isEthPrivateKey(eth)) {
+    return eth;
+  }
+
+  if (isEncryptedKeyFileConfig(eth)) {
+    if (!password && !eth.password) {
+      return undefined; // Can't decrypt without password
+    }
+    const pwd = password ?? eth.password!;
+    const json = readFileSync(eth.path, 'utf-8');
+    const wallet = await Wallet.fromEncryptedJson(json, pwd);
+    return wallet.privateKey as string;
+  }
+
+  return undefined;
+}
+
+/**
+ * Extract Ethereum address from an EthAccount (or private key)
+ */
+async function getEthAddress(eth: EthAccount | string, password?: string): Promise<EthAddress | undefined> {
+  // Case 1: It's a private key string - derive the address
+  if (isEthPrivateKey(eth)) {
+    return privateKeyToAddress(eth as `0x${string}`) as unknown as EthAddress;
+  }
+
+  // Case 2: It's just an address string directly (EthRemoteSignerAccount can be just EthAddress)
+  if (isEthAddress(eth)) {
+    return eth as unknown as EthAddress;
+  }
+
+  // Case 3: It's an object with an address property (remote signer config)
+  if (typeof eth === 'object' && eth !== null && 'address' in eth) {
+    return (eth as any).address as EthAddress;
+  }
+
+  // Case 4: It's an encrypted keystore file - decrypt and derive address
+  if (isEncryptedKeyFileConfig(eth)) {
+    const privateKey = await decryptEthKey(eth, password);
+    if (privateKey) {
+      return privateKeyToAddress(privateKey as `0x${string}`) as unknown as EthAddress;
+    }
+    return undefined;
+  }
+
+  return undefined;
+}
+
+/**
+ * Extract BLS private key and Ethereum address from an AttesterAccount
+ */
+async function extractAttesterInfo(
+  attester: AttesterAccount,
+  password?: string,
+): Promise<{ blsPrivateKey?: string; ethAddress?: EthAddress }> {
+  // Case 1: attester is { eth: EthAccount, bls?: BLSAccount }
+  if (typeof attester === 'object' && attester !== null && 'eth' in attester) {
+    const ethAddress = await getEthAddress(attester.eth, password);
+    const blsPrivateKey = attester.bls ? decryptBlsKey(attester.bls, password) : undefined;
+    return { blsPrivateKey, ethAddress };
+  }
+
+  // Case 2: attester is just an EthAccount directly (no BLS key)
+  return {
+    blsPrivateKey: undefined,
+    ethAddress: await getEthAddress(attester as EthAccount, password),
+  };
+}
+
+/**
+ * Process a single attester entry and output staking JSON
+ */
+async function processAttester(
+  attester: AttesterAccount,
+  gse: GSEContract,
+  password?: string,
+): Promise<StakerOutput | undefined> {
+  const { blsPrivateKey, ethAddress } = await extractAttesterInfo(attester, password);
+
+  // Skip if no BLS private key or no Ethereum address
+  if (!blsPrivateKey || !ethAddress) {
+    return undefined;
+  }
+
+  // Derive G1 and G2 public keys
+  const g1PublicKey = await computeBn254G1PublicKey(blsPrivateKey);
+  const g2PublicKey = await computeBn254G2PublicKey(blsPrivateKey);
+
+  // Generate proof of possession
+  const bn254SecretKeyFieldElement = Fr.fromString(blsPrivateKey);
+  const registrationTuple = await gse.makeRegistrationTuple(bn254SecretKeyFieldElement.toBigInt());
+
+  return {
+    attester: String(ethAddress),
+    publicKeyG1: {
+      x: '0x' + g1PublicKey.x.toString(16).padStart(64, '0'),
+      y: '0x' + g1PublicKey.y.toString(16).padStart(64, '0'),
+    },
+    publicKeyG2: {
+      x0: '0x' + g2PublicKey.x.c0.toString(16).padStart(64, '0'),
+      x1: '0x' + g2PublicKey.x.c1.toString(16).padStart(64, '0'),
+      y0: '0x' + g2PublicKey.y.c0.toString(16).padStart(64, '0'),
+      y1: '0x' + g2PublicKey.y.c1.toString(16).padStart(64, '0'),
+    },
+    proofOfPossession: {
+      x: '0x' + registrationTuple.proofOfPossession.x.toString(16),
+      y: '0x' + registrationTuple.proofOfPossession.y.toString(16),
+    },
+  };
+}
+
+/**
+ * Process AttesterAccounts (which can be a single attester, array, or mnemonic)
+ */
+export async function processAttesterAccounts(
+  attesterAccounts: AttesterAccounts,
+  gse: GSEContract,
+  password?: string,
+): Promise<StakerOutput[]> {
+  // Skip mnemonic configs
+  if (isMnemonicConfig(attesterAccounts)) {
+    return [];
+  }
+
+  // Handle array of attesters
+  if (Array.isArray(attesterAccounts)) {
+    const results: StakerOutput[] = [];
+    for (const attester of attesterAccounts) {
+      const result = await processAttester(attester, gse, password);
+      if (result) {
+        results.push(result);
+      }
+    }
+    return results;
+  }
+
+  // Handle single attester
+  const result = await processAttester(attesterAccounts, gse, password);
+  return result ? [result] : [];
+}
+
+/**
+ * Main staker command function
+ */
+export async function generateStakerJson(options: StakerOptions, log: LogFn): Promise<void> {
+  const { from, password, gseAddress, l1RpcUrls, l1ChainId, output } = options;
+
+  // Load the keystore file
+  const keystore = loadKeystoreFile(from);
+
+  if (!gseAddress) {
+    throw new Error('GSE contract address is required');
+  }
+  log(`Calling GSE contract ${gseAddress} on chain ${l1ChainId}, using ${l1RpcUrls.join(', ')} to get staker outputs`);
+
+  if (!keystore.validators || keystore.validators.length === 0) {
+    log('No validators found in keystore');
+    return;
+  }
+
+  const allOutputs: StakerOutput[] = [];
+
+  // L1 client for proof of possession
+  const chain = createEthereumChain(l1RpcUrls, l1ChainId);
+  const publicClient = createPublicClient({
+    chain: chain.chainInfo,
+    transport: fallback(l1RpcUrls.map(url => http(url))),
+  });
+  const gse = new GSEContract(publicClient, gseAddress);
+
+  const keystoreBaseName = basename(from, '.json');
+  const outputDir = output ? output : dirname(from);
+
+  for (let i = 0; i < keystore.validators.length; i++) {
+    const validator = keystore.validators[i];
+    const outputs = await processAttesterAccounts(validator.attester, gse, password);
+
+    for (let j = 0; j < outputs.length; j++) {
+      allOutputs.push(outputs[j]);
+    }
+  }
+
+  if (allOutputs.length === 0) {
+    log('No attesters with BLS keys found (skipping mnemonics and encrypted keystores without password)');
+    return;
+  }
+
+  // Write a single JSON file with all staker outputs
+  const stakerOutputPath = join(outputDir, `${keystoreBaseName}_staker_output.json`);
+  writeFileSync(stakerOutputPath, prettyPrintJSON(allOutputs), 'utf-8');
+  log(`Wrote staker output for ${allOutputs.length} validator(s) to ${stakerOutputPath}`);
+}