@aztec/cli 0.0.1-fake-c83136db25 → 0.0.1-private.d0bedffd

package/src/cmds/validator_keys/staker.ts

@@ -0,0 +1,301 @@
+import { prettyPrintJSON } from '@aztec/cli/utils';
+import { createEthereumChain } from '@aztec/ethereum/chain';
+import { GSEContract } from '@aztec/ethereum/contracts';
+import { decryptBn254Keystore } from '@aztec/foundation/crypto/bls/bn254_keystore';
+import { computeBn254G1PublicKey, computeBn254G2PublicKey } from '@aztec/foundation/crypto/bn254';
+import { Fr } from '@aztec/foundation/curves/bn254';
+import type { EthAddress } from '@aztec/foundation/eth-address';
+import type { LogFn } from '@aztec/foundation/log';
+import { loadKeystoreFile } from '@aztec/node-keystore/loader';
+import type {
+  AttesterAccount,
+  AttesterAccounts,
+  BLSAccount,
+  EncryptedKeyFileConfig,
+  EthAccount,
+  MnemonicConfig,
+} from '@aztec/node-keystore/types';
+
+import { Wallet } from '@ethersproject/wallet';
+import { readFileSync, writeFileSync } from 'fs';
+import { basename, dirname, join } from 'path';
+import { createPublicClient, fallback, http } from 'viem';
+import { privateKeyToAddress } from 'viem/accounts';
+
+export type StakerOptions = {
+  from: string;
+  password?: string;
+  output?: string;
+  gseAddress: EthAddress;
+  l1RpcUrls: string[];
+  l1ChainId: number;
+};
+
+export type StakerOutput = {
+  attester: string;
+  publicKeyG1: {
+    x: string;
+    y: string;
+  };
+  publicKeyG2: {
+    x0: string;
+    x1: string;
+    y0: string;
+    y1: string;
+  };
+  proofOfPossession: {
+    x: string;
+    y: string;
+  };
+};
+
+/**
+ * Check if an object is a MnemonicConfig
+ */
+function isMnemonicConfig(obj: unknown): obj is MnemonicConfig {
+  return typeof obj === 'object' && obj !== null && 'mnemonic' in obj;
+}
+
+/**
+ * Check if a value is an encrypted keystore file config
+ */
+function isEncryptedKeyFileConfig(value: unknown): value is EncryptedKeyFileConfig {
+  return typeof value === 'object' && value !== null && 'path' in value;
+}
+
+/**
+ * Check if a BLSAccount is a private key string (not an encrypted keystore file)
+ */
+function isBlsPrivateKey(bls: unknown): bls is string {
+  return typeof bls === 'string' && bls.startsWith('0x');
+}
+
+/**
+ * Check if an EthAccount is a private key string (66 chars: 0x + 64 hex)
+ */
+function isEthPrivateKey(eth: unknown): eth is string {
+  return typeof eth === 'string' && eth.startsWith('0x') && eth.length === 66;
+}
+
+/**
+ * Check if a string is an Ethereum address (42 chars: 0x + 40 hex)
+ */
+function isEthAddress(value: unknown): value is string {
+  return typeof value === 'string' && /^0x[0-9a-fA-F]{40}$/.test(value);
+}
+
+/**
+ * Decrypt a BLS private key from an encrypted keystore file
+ */
+function decryptBlsKey(bls: BLSAccount, password?: string): string | undefined {
+  if (isBlsPrivateKey(bls)) {
+    return bls;
+  }
+
+  if (isEncryptedKeyFileConfig(bls)) {
+    if (!password && !bls.password) {
+      return undefined; // Can't decrypt without password
+    }
+    const pwd = password ?? bls.password!;
+    return decryptBn254Keystore(bls.path, pwd);
+  }
+
+  return undefined;
+}
+
+/**
+ * Decrypt an Ethereum private key from an encrypted keystore file
+ */
+async function decryptEthKey(eth: EthAccount, password?: string): Promise<string | undefined> {
+  if (isEthPrivateKey(eth)) {
+    return eth;
+  }
+
+  if (isEncryptedKeyFileConfig(eth)) {
+    if (!password && !eth.password) {
+      return undefined; // Can't decrypt without password
+    }
+    const pwd = password ?? eth.password!;
+    const json = readFileSync(eth.path, 'utf-8');
+    const wallet = await Wallet.fromEncryptedJson(json, pwd);
+    return wallet.privateKey as string;
+  }
+
+  return undefined;
+}
+
+/**
+ * Extract Ethereum address from an EthAccount (or private key)
+ */
+async function getEthAddress(eth: EthAccount | string, password?: string): Promise<EthAddress | undefined> {
+  // Case 1: It's a private key string - derive the address
+  if (isEthPrivateKey(eth)) {
+    return privateKeyToAddress(eth as `0x${string}`) as unknown as EthAddress;
+  }
+
+  // Case 2: It's just an address string directly (EthRemoteSignerAccount can be just EthAddress)
+  if (isEthAddress(eth)) {
+    return eth as unknown as EthAddress;
+  }
+
+  // Case 3: It's an object with an address property (remote signer config)
+  if (typeof eth === 'object' && eth !== null && 'address' in eth) {
+    return (eth as any).address as EthAddress;
+  }
+
+  // Case 4: It's an encrypted keystore file - decrypt and derive address
+  if (isEncryptedKeyFileConfig(eth)) {
+    const privateKey = await decryptEthKey(eth, password);
+    if (privateKey) {
+      return privateKeyToAddress(privateKey as `0x${string}`) as unknown as EthAddress;
+    }
+    return undefined;
+  }
+
+  return undefined;
+}
+
+/**
+ * Extract BLS private key and Ethereum address from an AttesterAccount
+ */
+async function extractAttesterInfo(
+  attester: AttesterAccount,
+  password?: string,
+): Promise<{ blsPrivateKey?: string; ethAddress?: EthAddress }> {
+  // Case 1: attester is { eth: EthAccount, bls?: BLSAccount }
+  if (typeof attester === 'object' && attester !== null && 'eth' in attester) {
+    const ethAddress = await getEthAddress(attester.eth, password);
+    const blsPrivateKey = attester.bls ? decryptBlsKey(attester.bls, password) : undefined;
+    return { blsPrivateKey, ethAddress };
+  }
+
+  // Case 2: attester is just an EthAccount directly (no BLS key)
+  return {
+    blsPrivateKey: undefined,
+    ethAddress: await getEthAddress(attester as EthAccount, password),
+  };
+}
+
+/**
+ * Process a single attester entry and output staking JSON
+ */
+async function processAttester(
+  attester: AttesterAccount,
+  gse: GSEContract,
+  password?: string,
+): Promise<StakerOutput | undefined> {
+  const { blsPrivateKey, ethAddress } = await extractAttesterInfo(attester, password);
+
+  // Skip if no BLS private key or no Ethereum address
+  if (!blsPrivateKey || !ethAddress) {
+    return undefined;
+  }
+
+  // Derive G1 and G2 public keys
+  const g1PublicKey = await computeBn254G1PublicKey(blsPrivateKey);
+  const g2PublicKey = await computeBn254G2PublicKey(blsPrivateKey);
+
+  // Generate proof of possession
+  const bn254SecretKeyFieldElement = Fr.fromString(blsPrivateKey);
+  const registrationTuple = await gse.makeRegistrationTuple(bn254SecretKeyFieldElement.toBigInt());
+
+  return {
+    attester: String(ethAddress),
+    publicKeyG1: {
+      x: '0x' + g1PublicKey.x.toString(16).padStart(64, '0'),
+      y: '0x' + g1PublicKey.y.toString(16).padStart(64, '0'),
+    },
+    publicKeyG2: {
+      x0: '0x' + g2PublicKey.x.c0.toString(16).padStart(64, '0'),
+      x1: '0x' + g2PublicKey.x.c1.toString(16).padStart(64, '0'),
+      y0: '0x' + g2PublicKey.y.c0.toString(16).padStart(64, '0'),
+      y1: '0x' + g2PublicKey.y.c1.toString(16).padStart(64, '0'),
+    },
+    proofOfPossession: {
+      x: '0x' + registrationTuple.proofOfPossession.x.toString(16),
+      y: '0x' + registrationTuple.proofOfPossession.y.toString(16),
+    },
+  };
+}
+
+/**
+ * Process AttesterAccounts (which can be a single attester, array, or mnemonic)
+ */
+export async function processAttesterAccounts(
+  attesterAccounts: AttesterAccounts,
+  gse: GSEContract,
+  password?: string,
+): Promise<StakerOutput[]> {
+  // Skip mnemonic configs
+  if (isMnemonicConfig(attesterAccounts)) {
+    return [];
+  }
+
+  // Handle array of attesters
+  if (Array.isArray(attesterAccounts)) {
+    const results: StakerOutput[] = [];
+    for (const attester of attesterAccounts) {
+      const result = await processAttester(attester, gse, password);
+      if (result) {
+        results.push(result);
+      }
+    }
+    return results;
+  }
+
+  // Handle single attester
+  const result = await processAttester(attesterAccounts, gse, password);
+  return result ? [result] : [];
+}
+
+/**
+ * Main staker command function
+ */
+export async function generateStakerJson(options: StakerOptions, log: LogFn): Promise<void> {
+  const { from, password, gseAddress, l1RpcUrls, l1ChainId, output } = options;
+
+  // Load the keystore file
+  const keystore = loadKeystoreFile(from);
+
+  if (!gseAddress) {
+    throw new Error('GSE contract address is required');
+  }
+  log(`Calling GSE contract ${gseAddress} on chain ${l1ChainId}, using ${l1RpcUrls.join(', ')} to get staker outputs`);
+
+  if (!keystore.validators || keystore.validators.length === 0) {
+    log('No validators found in keystore');
+    return;
+  }
+
+  const allOutputs: StakerOutput[] = [];
+
+  // L1 client for proof of possession
+  const chain = createEthereumChain(l1RpcUrls, l1ChainId);
+  const publicClient = createPublicClient({
+    chain: chain.chainInfo,
+    transport: fallback(l1RpcUrls.map(url => http(url, { batch: false }))),
+  });
+  const gse = new GSEContract(publicClient, gseAddress);
+
+  const keystoreBaseName = basename(from, '.json');
+  const outputDir = output ? output : dirname(from);
+
+  for (let i = 0; i < keystore.validators.length; i++) {
+    const validator = keystore.validators[i];
+    const outputs = await processAttesterAccounts(validator.attester, gse, password);
+
+    for (let j = 0; j < outputs.length; j++) {
+      allOutputs.push(outputs[j]);
+    }
+  }
+
+  if (allOutputs.length === 0) {
+    log('No attesters with BLS keys found (skipping mnemonics and encrypted keystores without password)');
+    return;
+  }
+
+  // Write a single JSON file with all staker outputs
+  const stakerOutputPath = join(outputDir, `${keystoreBaseName}_staker_output.json`);
+  writeFileSync(stakerOutputPath, prettyPrintJSON(allOutputs), 'utf-8');
+  log(`Wrote staker output for ${allOutputs.length} validator(s) to ${stakerOutputPath}`);
+}

package/src/cmds/validator_keys/utils.ts

@@ -0,0 +1,81 @@
+import type { EthAddress } from '@aztec/foundation/eth-address';
+import { ethPrivateKeySchema } from '@aztec/node-keystore/schemas';
+import type { EthPrivateKey } from '@aztec/node-keystore/types';
+
+export const defaultBlsPath = 'm/12381/3600/0/0/0';
+
+export function validateBlsPathOptions(options: {
+  count?: number;
+  publisherCount?: number;
+  accountIndex?: number;
+  addressIndex?: number;
+  blsPath?: string;
+  ikm?: string;
+}) {
+  if (options.blsPath && options.blsPath !== defaultBlsPath) {
+    if (
+      (options.count && options.count !== 1) ||
+      (options.publisherCount && options.publisherCount > 0) ||
+      (options.accountIndex && options.accountIndex !== 0) ||
+      (options.addressIndex && options.addressIndex !== 0)
+    ) {
+      throw new Error('--bls-path cannot be used with --count, --publisher-count, --account-index, or --address-index');
+    }
+  }
+}
+
+export function validateStakerOutputOptions(options: {
+  stakerOutput?: boolean;
+  gseAddress?: EthAddress;
+  l1RpcUrls?: string[];
+  l1ChainId?: number;
+}) {
+  if (!options.stakerOutput) {
+    return;
+  }
+  // Required options for staker output
+  if (!options.gseAddress) {
+    throw new Error('--gse-address is required when using --staker-output');
+  }
+  if (!options.l1RpcUrls || options.l1RpcUrls.length === 0) {
+    throw new Error('--l1-rpc-urls is required when using --staker-output');
+  }
+
+  if (options.l1ChainId === undefined) {
+    throw new Error('--l1-chain-id is required when using --staker-output');
+  }
+}
+
+export function validateRemoteSignerOptions(options: { remoteSigner?: string; mnemonic?: string }) {
+  if (options.remoteSigner && !options.mnemonic) {
+    throw new Error(
+      'Using --remote-signer requires a deterministic key source. Provide --mnemonic to derive keys, or omit --remote-signer to write new private keys to keystore.',
+    );
+  }
+}
+
+export function validatePublisherOptions(options: { publishers?: string[]; publisherCount?: number }) {
+  if (options.publisherCount && options.publisherCount > 0 && options.publishers && options.publishers.length > 0) {
+    throw new Error('--publishers and --publisher-count cannot be used together');
+  }
+
+  if (options.publishers && options.publishers.length > 0) {
+    // Normalize each private key by adding 0x prefix if missing
+    const normalizedKeys: string[] = [];
+    for (const key of options.publishers) {
+      let privateKey = key.trim();
+      if (!privateKey.startsWith('0x')) {
+        privateKey = '0x' + privateKey;
+      }
+
+      try {
+        ethPrivateKeySchema.parse(privateKey);
+        normalizedKeys.push(privateKey);
+      } catch (error) {
+        throw new Error(`Invalid publisher private key: ${error instanceof Error ? error.message : String(error)}`);
+      }
+    }
+    // Update the options with the normalized keys
+    options.publishers = normalizedKeys as EthPrivateKey[];
+  }
+}

package/src/config/cached_fetch.ts

@@ -1,24 +1,48 @@
 import { createLogger } from '@aztec/aztec.js/log';
 
-import { mkdir, readFile, stat, writeFile } from 'fs/promises';
+import { mkdir, readFile, writeFile } from 'fs/promises';
 import { dirname } from 'path';
 
 export interface CachedFetchOptions {
-  /** Cache duration in milliseconds */
-  cacheDurationMs: number;
-  /** The cache file */
+  /** The cache file path for storing data. If not provided, no caching is performed. */
   cacheFile?: string;
+  /** Fallback max-age in milliseconds when server sends no Cache-Control header. Defaults to 5 minutes. */
+  defaultMaxAgeMs?: number;
+}
+
+/** Cache metadata stored in a sidecar .meta file alongside the data file. */
+interface CacheMeta {
+  etag?: string;
+  expiresAt: number;
+}
+
+const DEFAULT_MAX_AGE_MS = 5 * 60 * 1000; // 5 minutes
+
+/** Extracts max-age value in milliseconds from a Response's Cache-Control header. Returns undefined if not present. */
+export function parseMaxAge(response: { headers: { get(name: string): string | null } }): number | undefined {
+  const cacheControl = response.headers.get('cache-control');
+  if (!cacheControl) {
+    return undefined;
+  }
+  const match = cacheControl.match(/max-age=(\d+)/);
+  if (!match) {
+    return undefined;
+  }
+  return parseInt(match[1], 10) * 1000;
 }
 
 /**
- * Fetches data from a URL with file-based caching support.
- * This utility can be used by both remote config and bootnodes fetching.
+ * Fetches data from a URL with file-based HTTP conditional caching.
+ *
+ * Data is stored as raw JSON in the cache file (same format as the server returns).
+ * Caching metadata (ETag, expiry) is stored in a separate sidecar `.meta` file.
+ * This keeps the data file human-readable and backward-compatible with older code.
  *
  * @param url - The URL to fetch from
- * @param networkName - Network name for cache directory structure
- * @param options - Caching and error handling options
- * @param cacheDir - Optional cache directory (defaults to no caching)
- * @returns The fetched and parsed JSON data, or undefined if fetch fails and throwOnError is false
+ * @param options - Caching options
+ * @param fetch - Fetch implementation (defaults to globalThis.fetch)
+ * @param log - Logger instance
+ * @returns The fetched and parsed JSON data, or undefined if fetch fails
  */
 export async function cachedFetch<T = any>(
   url: string,
@@ -26,42 +50,106 @@ export async function cachedFetch<T = any>(
   fetch = globalThis.fetch,
   log = createLogger('cached_fetch'),
 ): Promise<T | undefined> {
-  const { cacheDurationMs, cacheFile } = options;
+  const { cacheFile, defaultMaxAgeMs = DEFAULT_MAX_AGE_MS } = options;
+
+  // If no cacheFile, just fetch normally without caching
+  if (!cacheFile) {
+    return fetchAndParse<T>(url, fetch, log);
+  }
+
+  const metaFile = cacheFile + '.meta';
 
-  // Try to read from cache first
+  // Try to read metadata
+  let meta: CacheMeta | undefined;
   try {
-    if (cacheFile) {
-      const info = await stat(cacheFile);
-      if (info.mtimeMs + cacheDurationMs > Date.now()) {
-        const cachedData = JSON.parse(await readFile(cacheFile, 'utf-8'));
-        return cachedData;
-      }
-    }
+    meta = JSON.parse(await readFile(metaFile, 'utf-8'));
   } catch {
-    log.trace('Failed to read data from cache');
+    log.trace('No usable cache metadata found');
   }
 
+  // Try to read cached data
+  let cachedData: T | undefined;
   try {
-    const response = await fetch(url);
+    cachedData = JSON.parse(await readFile(cacheFile, 'utf-8'));
+  } catch {
+    log.trace('No usable cached data found');
+  }
+
+  // If metadata and data exist and cache is fresh, return directly
+  if (meta && cachedData !== undefined && meta.expiresAt > Date.now()) {
+    return cachedData;
+  }
+
+  // Cache is stale or missing — make a (possibly conditional) request
+  try {
+    const headers: Record<string, string> = {};
+    if (meta?.etag && cachedData !== undefined) {
+      headers['If-None-Match'] = meta.etag;
+    }
+
+    const response = await fetch(url, { headers });
+
+    if (response.status === 304 && cachedData !== undefined) {
+      // Not modified — recompute expiry from new response headers and return cached data
+      const maxAgeMs = parseMaxAge(response) ?? defaultMaxAgeMs;
+      await writeMetaFile(metaFile, { etag: meta?.etag, expiresAt: Date.now() + maxAgeMs }, log);
+      return cachedData;
+    }
+
     if (!response.ok) {
       log.warn(`Failed to fetch from ${url}: ${response.status} ${response.statusText}`);
-      return undefined;
+      return cachedData;
     }
 
-    const data = await response.json();
+    // 200 — parse new data and cache it
+    const data = (await response.json()) as T;
+    const maxAgeMs = parseMaxAge(response) ?? defaultMaxAgeMs;
+    const etag = response.headers.get('etag') ?? undefined;
 
-    try {
-      if (cacheFile) {
-        await mkdir(dirname(cacheFile), { recursive: true });
-        await writeFile(cacheFile, JSON.stringify(data), 'utf-8');
-      }
-    } catch (err) {
-      log.warn('Failed to cache data on disk: ' + cacheFile, { cacheFile, err });
-    }
+    await ensureDir(cacheFile, log);
+    await Promise.all([
+      writeFile(cacheFile, JSON.stringify(data), 'utf-8'),
+      writeFile(metaFile, JSON.stringify({ etag, expiresAt: Date.now() + maxAgeMs }), 'utf-8'),
+    ]);
 
     return data;
+  } catch (err) {
+    log.warn(`Failed to fetch from ${url}`, { err });
+    return cachedData;
+  }
+}
+
+async function fetchAndParse<T>(
+  url: string,
+  fetch: typeof globalThis.fetch,
+  log: ReturnType<typeof createLogger>,
+): Promise<T | undefined> {
+  try {
+    const response = await fetch(url);
+    if (!response.ok) {
+      log.warn(`Failed to fetch from ${url}: ${response.status} ${response.statusText}`);
+      return undefined;
+    }
+    return (await response.json()) as T;
   } catch (err) {
     log.warn(`Failed to fetch from ${url}`, { err });
     return undefined;
   }
 }
+
+async function ensureDir(filePath: string, log: ReturnType<typeof createLogger>) {
+  try {
+    await mkdir(dirname(filePath), { recursive: true });
+  } catch (err) {
+    log.warn('Failed to create cache directory for: ' + filePath, { err });
+  }
+}
+
+async function writeMetaFile(metaFile: string, meta: CacheMeta, log: ReturnType<typeof createLogger>) {
+  try {
+    await mkdir(dirname(metaFile), { recursive: true });
+    await writeFile(metaFile, JSON.stringify(meta), 'utf-8');
+  } catch (err) {
+    log.warn('Failed to write cache metadata: ' + metaFile, { err });
+  }
+}