@aztec/cli 3.0.0-canary.a9708bd → 3.0.0-devnet.20251212

package/src/cmds/l1/update_l1_validators.ts

@@ -1,16 +1,12 @@
-import {
-  GSEContract,
-  RollupContract,
-  createEthereumChain,
-  createExtendedL1Client,
-  createL1TxUtilsFromViemWallet,
-  getL1ContractsConfigEnvVars,
-  getPublicClient,
-  isAnvilTestChain,
-} from '@aztec/ethereum';
+import { createEthereumChain, isAnvilTestChain } from '@aztec/ethereum/chain';
+import { createExtendedL1Client, getPublicClient } from '@aztec/ethereum/client';
+import { getL1ContractsConfigEnvVars } from '@aztec/ethereum/config';
+import { GSEContract, RollupContract } from '@aztec/ethereum/contracts';
+import { createL1TxUtilsFromViemWallet } from '@aztec/ethereum/l1-tx-utils';
 import { EthCheatCodes } from '@aztec/ethereum/test';
 import type { EthAddress } from '@aztec/foundation/eth-address';
 import type { LogFn, Logger } from '@aztec/foundation/log';
+import { DateProvider } from '@aztec/foundation/timer';
 import { RollupAbi, StakingAssetHandlerAbi } from '@aztec/l1-artifacts';
 import { ZkPassportProofParams } from '@aztec/stdlib/zkpassport';
 
@@ -96,7 +92,7 @@ export async function addL1Validator({
 
   const registrationTuple = await gse.makeRegistrationTuple(blsSecretKey);
 
-  const l1TxUtils = createL1TxUtilsFromViemWallet(l1Client, debugLogger);
+  const l1TxUtils = createL1TxUtilsFromViemWallet(l1Client, { logger: debugLogger });
   const proofParamsObj = ZkPassportProofParams.fromBuffer(proofParams);
   const merkleProofArray = merkleProof.map(proof => addLeadingHex(proof));
 
@@ -120,7 +116,81 @@ export async function addL1Validator({
   await l1Client.waitForTransactionReceipt({ hash: receipt.transactionHash });
   if (isAnvilTestChain(chainId)) {
     dualLog(`Funding validator on L1`);
-    const cheatCodes = new EthCheatCodes(rpcUrls, debugLogger);
+    const cheatCodes = new EthCheatCodes(rpcUrls, new DateProvider(), debugLogger);
+    await cheatCodes.setBalance(attesterAddress, 10n ** 20n);
+  } else {
+    const balance = await l1Client.getBalance({ address: attesterAddress.toString() });
+    dualLog(`Validator balance: ${formatEther(balance)} ETH`);
+    if (balance === 0n) {
+      dualLog(`WARNING: Proposer has no balance. Remember to fund it!`);
+    }
+  }
+}
+
+export async function addL1ValidatorViaRollup({
+  rpcUrls,
+  chainId,
+  privateKey,
+  mnemonic,
+  attesterAddress,
+  withdrawerAddress,
+  blsSecretKey,
+  moveWithLatestRollup,
+  rollupAddress,
+  log,
+  debugLogger,
+}: RollupCommandArgs &
+  LoggerArgs & {
+    blsSecretKey: bigint; // scalar field element of BN254
+    attesterAddress: EthAddress;
+    moveWithLatestRollup: boolean;
+  }) {
+  const dualLog = makeDualLog(log, debugLogger);
+  const account = getAccount(privateKey, mnemonic);
+  const chain = createEthereumChain(rpcUrls, chainId);
+  const l1Client = createExtendedL1Client(rpcUrls, account, chain.chainInfo);
+
+  dualLog(`Adding validator ${attesterAddress} to rollup ${rollupAddress.toString()} via direct deposit`);
+
+  if (!withdrawerAddress) {
+    throw new Error(`Withdrawer address required`);
+  }
+
+  const rollup = getContract({
+    address: rollupAddress.toString(),
+    abi: RollupAbi,
+    client: l1Client,
+  });
+
+  const gseAddress = await rollup.read.getGSE();
+
+  const gse = new GSEContract(l1Client, gseAddress);
+
+  const registrationTuple = await gse.makeRegistrationTuple(blsSecretKey);
+
+  const l1TxUtils = createL1TxUtilsFromViemWallet(l1Client, { logger: debugLogger });
+
+  const { receipt } = await l1TxUtils.sendAndMonitorTransaction({
+    to: rollupAddress.toString(),
+    data: encodeFunctionData({
+      abi: RollupAbi,
+      functionName: 'deposit',
+      args: [
+        attesterAddress.toString(),
+        withdrawerAddress.toString(),
+        registrationTuple.publicKeyInG1,
+        registrationTuple.publicKeyInG2,
+        registrationTuple.proofOfPossession,
+        moveWithLatestRollup,
+      ],
+    }),
+    abi: StakingAssetHandlerAbi,
+  });
+  dualLog(`Transaction hash: ${receipt.transactionHash}`);
+  await l1Client.waitForTransactionReceipt({ hash: receipt.transactionHash });
+  if (isAnvilTestChain(chainId)) {
+    dualLog(`Funding validator on L1`);
+    const cheatCodes = new EthCheatCodes(rpcUrls, new DateProvider(), debugLogger);
     await cheatCodes.setBalance(attesterAddress, 10n ** 20n);
   } else {
     const balance = await l1Client.getBalance({ address: attesterAddress.toString() });
@@ -145,7 +215,7 @@ export async function removeL1Validator({
   const account = getAccount(privateKey, mnemonic);
   const chain = createEthereumChain(rpcUrls, chainId);
   const l1Client = createExtendedL1Client(rpcUrls, account, chain.chainInfo);
-  const l1TxUtils = createL1TxUtilsFromViemWallet(l1Client, debugLogger);
+  const l1TxUtils = createL1TxUtilsFromViemWallet(l1Client, { logger: debugLogger });
 
   dualLog(`Removing validator ${validatorAddress.toString()} from rollup ${rollupAddress.toString()}`);
   const { receipt } = await l1TxUtils.sendAndMonitorTransaction({
@@ -172,7 +242,7 @@ export async function pruneRollup({
   const account = getAccount(privateKey, mnemonic);
   const chain = createEthereumChain(rpcUrls, chainId);
   const l1Client = createExtendedL1Client(rpcUrls, account, chain.chainInfo);
-  const l1TxUtils = createL1TxUtilsFromViemWallet(l1Client, debugLogger);
+  const l1TxUtils = createL1TxUtilsFromViemWallet(l1Client, { logger: debugLogger });
 
   dualLog(`Trying prune`);
   const { receipt } = await l1TxUtils.sendAndMonitorTransaction({
@@ -201,7 +271,7 @@ export async function fastForwardEpochs({
     client: publicClient,
   });
 
-  const cheatCodes = new EthCheatCodes(rpcUrls, debugLogger);
+  const cheatCodes = new EthCheatCodes(rpcUrls, new DateProvider(), debugLogger);
   const currentSlot = await rollup.read.getCurrentSlot();
   const l2SlotsInEpoch = await rollup.read.getEpochDuration();
   const timestamp = await rollup.read.getTimestampForSlot([currentSlot + l2SlotsInEpoch * numEpochs]);
@@ -224,9 +294,9 @@ export async function debugRollup({ rpcUrls, chainId, rollupAddress, log }: Roll
   const publicClient = getPublicClient({ l1RpcUrls: rpcUrls, l1ChainId: chainId });
   const rollup = new RollupContract(publicClient, rollupAddress);
 
-  const pendingNum = await rollup.getBlockNumber();
+  const pendingNum = await rollup.getCheckpointNumber();
   log(`Pending block num: ${pendingNum}`);
-  const provenNum = await rollup.getProvenBlockNumber();
+  const provenNum = await rollup.getProvenCheckpointNumber();
   log(`Proven block num: ${provenNum}`);
   const validators = await rollup.getAttesters();
   log(`Validators: ${validators.map(v => v.toString()).join(', ')}`);
@@ -234,7 +304,7 @@ export async function debugRollup({ rpcUrls, chainId, rollupAddress, log }: Roll
   log(`Committee: ${committee?.map(v => v.toString()).join(', ')}`);
   const archive = await rollup.archive();
   log(`Archive: ${archive}`);
-  const epochNum = await rollup.getEpochNumber();
+  const epochNum = await rollup.getCurrentEpochNumber();
   log(`Current epoch: ${epochNum}`);
   const slot = await rollup.getSlotNumber();
   log(`Current slot: ${slot}`);

package/src/cmds/misc/generate_secret_and_hash.ts

@@ -1,5 +1,5 @@
-import { computeSecretHash } from '@aztec/aztec.js';
-import { Fr } from '@aztec/foundation/fields';
+import { computeSecretHash } from '@aztec/aztec.js/crypto';
+import { Fr } from '@aztec/foundation/curves/bn254';
 import type { LogFn } from '@aztec/foundation/log';
 
 export async function generateSecretAndHash(log: LogFn) {

package/src/cmds/misc/generate_secret_key.ts

@@ -1,4 +1,4 @@
-import { Fr } from '@aztec/aztec.js';
+import { Fr } from '@aztec/aztec.js/fields';
 
 export function generateSecretKey() {
   return { secretKey: Fr.random() };

package/src/cmds/misc/update/npm.ts

@@ -9,7 +9,7 @@ import { type SemVer, parse } from 'semver';
 import type { DependencyChanges } from './common.js';
 import { atomicUpdateFile } from './utils.js';
 
-const deprecatedNpmPackages = new Set<string>(['@aztec/cli', '@aztec/aztec-sandbox']);
+const deprecatedNpmPackages = new Set<string>(['@aztec/cli', '@aztec/aztec-local-network']);
 const npmDeprecationMessage = `
 The following packages have been deprecated and will no longer be updated on the npm registry:
 ${Array.from(deprecatedNpmPackages)

package/src/cmds/validator_keys/add.ts

@@ -0,0 +1,123 @@
+import type { EthAddress } from '@aztec/foundation/eth-address';
+import type { LogFn } from '@aztec/foundation/log';
+import { loadKeystoreFile } from '@aztec/node-keystore/loader';
+import type { KeyStore } from '@aztec/node-keystore/types';
+
+import { wordlist } from '@scure/bip39/wordlists/english.js';
+import { dirname, isAbsolute, join } from 'path';
+import { generateMnemonic } from 'viem/accounts';
+
+import type { NewValidatorKeystoreOptions } from './new.js';
+import {
+  buildValidatorEntries,
+  logValidatorSummaries,
+  maybePrintJson,
+  writeBlsBn254ToFile,
+  writeEthJsonV3ToFile,
+  writeKeystoreFile,
+} from './shared.js';
+import { validateBlsPathOptions, validatePublisherOptions, validateRemoteSignerOptions } from './utils.js';
+
+export type AddValidatorKeysOptions = NewValidatorKeystoreOptions;
+
+export async function addValidatorKeys(existing: string, options: AddValidatorKeysOptions, log: LogFn) {
+  // validate bls-path inputs before proceeding with key generation
+  validateBlsPathOptions(options);
+  // validate publisher options
+  validatePublisherOptions(options);
+  // validate remote signer options
+  validateRemoteSignerOptions(options);
+
+  const {
+    dataDir,
+    file,
+    count,
+    publisherCount = 0,
+    publishers,
+    mnemonic,
+    accountIndex = 0,
+    addressIndex,
+    ikm,
+    blsPath,
+    json,
+    feeRecipient: feeRecipientOpt,
+    coinbase: coinbaseOpt,
+    remoteSigner: remoteSignerOpt,
+    password,
+    encryptedKeystoreDir,
+  } = options;
+
+  const validatorCount = typeof count === 'number' && Number.isFinite(count) && count > 0 ? Math.floor(count) : 1;
+  const baseAddressIndex = addressIndex ?? 0;
+
+  const keystore: KeyStore = loadKeystoreFile(existing);
+
+  if (!keystore.validators || !Array.isArray(keystore.validators)) {
+    throw new Error('Invalid keystore: missing validators array');
+  }
+
+  const first = keystore.validators[0] ?? {};
+  const feeRecipient = feeRecipientOpt ?? first.feeRecipient;
+  if (!feeRecipient) {
+    throw new Error('feeRecipient is required (either present in existing file or via --fee-recipient)');
+  }
+  const coinbase = (coinbaseOpt as EthAddress | undefined) ?? (first.coinbase as EthAddress | undefined);
+  const derivedRemoteSigner = (first.attester as any)?.remoteSignerUrl || (first.attester as any)?.eth?.remoteSignerUrl;
+  const remoteSigner = remoteSignerOpt ?? derivedRemoteSigner;
+
+  // Ensure we always have a mnemonic for key derivation if none was provided
+  const mnemonicToUse = mnemonic ?? generateMnemonic(wordlist);
+
+  // If user explicitly provided --address-index, use it as-is. Otherwise, append after existing validators.
+  const effectiveBaseAddressIndex =
+    addressIndex === undefined ? baseAddressIndex + keystore.validators.length : baseAddressIndex;
+
+  const { validators, summaries } = await buildValidatorEntries({
+    validatorCount,
+    publisherCount,
+    publishers,
+    accountIndex,
+    baseAddressIndex: effectiveBaseAddressIndex,
+    mnemonic: mnemonicToUse,
+    ikm,
+    blsPath,
+    feeRecipient,
+    coinbase,
+    remoteSigner,
+  });
+
+  keystore.validators.push(...validators);
+
+  // If password provided, write ETH JSON V3 and BLS BN254 keystores and replace plaintext
+  if (password !== undefined) {
+    let targetDir: string;
+    if (encryptedKeystoreDir && encryptedKeystoreDir.length > 0) {
+      targetDir = encryptedKeystoreDir;
+    } else if (dataDir && dataDir.length > 0) {
+      targetDir = dataDir;
+    } else {
+      targetDir = dirname(existing);
+    }
+    await writeEthJsonV3ToFile(keystore.validators, { outDir: targetDir, password });
+    await writeBlsBn254ToFile(keystore.validators, { outDir: targetDir, password, blsPath });
+  }
+
+  let outputPath = existing;
+  if (file && file.length > 0) {
+    if (isAbsolute(file)) {
+      outputPath = file;
+    } else if (dataDir && dataDir.length > 0) {
+      outputPath = join(dataDir, file);
+    } else {
+      outputPath = join(dirname(existing), file);
+    }
+  }
+
+  await writeKeystoreFile(outputPath, keystore);
+
+  if (!json) {
+    log(`Updated keystore ${outputPath} with ${validators.length} new validator(s)`);
+    logValidatorSummaries(log, summaries);
+  }
+  maybePrintJson(log, !!json, keystore as unknown as Record<string, any>);
+}

package/src/cmds/validator_keys/generate_bls_keypair.ts

@@ -0,0 +1,34 @@
+import { deriveBlsPrivateKey } from '@aztec/foundation/crypto/bls';
+import type { LogFn } from '@aztec/foundation/log';
+
+import { writeFile } from 'fs/promises';
+
+import { computeBlsPublicKeyCompressed, withValidatorIndex } from './shared.js';
+import { defaultBlsPath } from './utils.js';
+
+export type GenerateBlsKeypairOptions = {
+  mnemonic?: string;
+  ikm?: string;
+  blsPath?: string;
+  g2?: boolean;
+  compressed?: boolean;
+  json?: boolean;
+  out?: string;
+};
+
+export async function generateBlsKeypair(options: GenerateBlsKeypairOptions, log: LogFn) {
+  const { mnemonic, ikm, blsPath, compressed = true, json, out } = options;
+  const path = withValidatorIndex(blsPath ?? defaultBlsPath, 0);
+  const priv = deriveBlsPrivateKey(mnemonic, ikm, path);
+  const pub = await computeBlsPublicKeyCompressed(priv);
+  const result = { path, privateKey: priv, publicKey: pub, format: compressed ? 'compressed' : 'uncompressed' };
+  if (out) {
+    await writeFile(out, JSON.stringify(result, null, 2), { encoding: 'utf-8' });
+    if (!json) {
+      log(`Wrote BLS keypair to ${out}`);
+    }
+  }
+  if (json || !out) {
+    log(JSON.stringify(result, null, 2));
+  }
+}

package/src/cmds/validator_keys/index.ts

@@ -0,0 +1,142 @@
+import type { LogFn } from '@aztec/foundation/log';
+
+import { Command } from 'commander';
+
+import { parseAztecAddress, parseEthereumAddress, parseHex, parseOptionalInteger } from '../../utils/commands.js';
+import { defaultBlsPath } from './utils.js';
+
+export function injectCommands(program: Command, log: LogFn) {
+  const group = program
+    .command('validator-keys')
+    .aliases(['valKeys', 'valkeys'])
+    .description('Manage validator keystores for node operators');
+
+  group
+    .command('new')
+    .summary('Generate a new validator keystore JSON')
+    .description('Generates a new validator keystore with ETH secp256k1 accounts and optional BLS accounts')
+    .option('--data-dir <path>', 'Directory to store keystore(s). Defaults to ~/.aztec/keystore')
+    .option('--file <name>', 'Keystore file name. Defaults to key1.json (or keyN.json if key1.json exists)')
+    .option('--count <N>', 'Number of validators to generate', parseOptionalInteger)
+    .option('--publisher-count <N>', 'Number of publisher accounts per validator (default 0)', value =>
+      parseOptionalInteger(value, 0),
+    )
+    .option('--publishers <privateKeys>', 'Comma-separated list of publisher private keys for all validators.', value =>
+      value.split(',').map((key: string) => key.trim()),
+    )
+    .option('--mnemonic <mnemonic>', 'Mnemonic for ETH/BLS derivation')
+    .option('--passphrase <str>', 'Optional passphrase for mnemonic')
+    .option('--account-index <N>', 'Base account index for ETH/BLS derivation', parseOptionalInteger)
+    .option('--address-index <N>', 'Base address index for ETH/BLS derivation', parseOptionalInteger)
+    .option(
+      '--coinbase <address>',
+      'Coinbase ETH address to use when proposing. Defaults to attester address.',
+      parseEthereumAddress,
+    )
+    // TODO: add funding account back in when implemented
+    // .option('--funding-account <privateKey|address>', 'ETH private key (or address for remote signer setup) to fund publishers')
+    .option('--remote-signer <url>', 'Default remote signer URL for accounts in this file')
+    .option('--ikm <hex>', 'Initial keying material for BLS (alternative to mnemonic)', value => parseHex(value, 32))
+    .option('--bls-path <path>', `EIP-2334 path (default ${defaultBlsPath})`)
+    .option(
+      '--password <str>',
+      'Password for writing keystore files (ETH JSON V3 and BLS EIP-2335). Empty string allowed',
+    )
+    .option('--encrypted-keystore-dir <dir>', 'Output directory for encrypted keystore file(s)')
+    .option('--json', 'Echo resulting JSON to stdout')
+    .option('--staker-output', 'Generate a single staker output JSON file with an array of validator entries')
+    .option('--gse-address <address>', 'GSE contract address (required with --staker-output)', parseEthereumAddress)
+    .option('--l1-rpc-urls <urls>', 'L1 RPC URLs (comma-separated, required with --staker-output)', value =>
+      value.split(','),
+    )
+    .option(
+      '-c, --l1-chain-id <number>',
+      'L1 chain ID (required with --staker-output)',
+      value => parseInt(value),
+      31337,
+    )
+    .requiredOption('--fee-recipient <address>', 'Aztec address that will receive fees', parseAztecAddress)
+    .action(async options => {
+      const { newValidatorKeystore } = await import('./new.js');
+
+      await newValidatorKeystore(options, log);
+    });
+
+  group
+    .command('add')
+    .summary('Augment an existing validator keystore JSON')
+    .description('Adds attester/publisher/BLS entries to an existing keystore using the same flags as new')
+    .argument('<existing>', 'Path to existing keystore JSON')
+    .option('--data-dir <path>', 'Directory where keystore(s) live. (default: ~/.aztec/keystore)')
+    .option('--file <name>', 'Override output file name. (default: key<N>.json)')
+    .option('--count <N>', 'Number of validators to add. (default: 1)', parseOptionalInteger)
+    .option('--publisher-count <N>', 'Number of publisher accounts per validator (default 0)', value =>
+      parseOptionalInteger(value, 0),
+    )
+    .option('--publishers <privateKeys>', 'Comma-separated list of publisher private keys for all validators.', value =>
+      value.split(',').map((key: string) => key.trim()),
+    )
+    .option('--mnemonic <mnemonic>', 'Mnemonic for ETH/BLS derivation')
+    .option('--passphrase <str>', 'Optional passphrase for mnemonic')
+    .option('--account-index <N>', 'Base account index for ETH/BLS derivation', parseOptionalInteger)
+    .option('--address-index <N>', 'Base address index for ETH/BLS derivation', parseOptionalInteger)
+    .option(
+      '--coinbase <address>',
+      'Coinbase ETH address to use when proposing. Defaults to attester address.',
+      parseEthereumAddress,
+    )
+    // TODO: add funding account back in when implemented
+    // .option('--funding-account <privateKey|address>', 'ETH private key (or address for remote signer setup) to fund publishers')
+    .option('--remote-signer <url>', 'Default remote signer URL for accounts in this file')
+    .option('--ikm <hex>', 'Initial keying material for BLS (alternative to mnemonic)', value => parseHex(value, 32))
+    .option('--bls-path <path>', `EIP-2334 path (default ${defaultBlsPath})`)
+    .option('--empty', 'Generate an empty skeleton without keys')
+    .option(
+      '--password <str>',
+      'Password for writing keystore files (ETH JSON V3 and BLS EIP-2335). Empty string allowed',
+    )
+    .option('--encrypted-keystore-dir <dir>', 'Output directory for encrypted keystore file(s)')
+    .option('--json', 'Echo resulting JSON to stdout')
+    .requiredOption('--fee-recipient <address>', 'Aztec address that will receive fees', parseAztecAddress)
+    .action(async (existing: string, options) => {
+      const { addValidatorKeys } = await import('./add.js');
+      await addValidatorKeys(existing, options, log);
+    });
+
+  group
+    .command('staker')
+    .summary('Generate staking JSON from keystore')
+    .description(
+      'Reads a validator keystore and outputs staking data with BLS public keys for each attester (skips mnemonics)',
+    )
+    .requiredOption('--from <keystore>', 'Path to keystore JSON file')
+    .option('--password <password>', 'Password for decrypting encrypted keystores (if not specified in keystore file)')
+    .requiredOption('--gse-address <address>', 'GSE contract address', parseEthereumAddress)
+    .option('--l1-rpc-urls <urls>', 'L1 RPC URLs (comma-separated)', value => value.split(','), [
+      'http://localhost:8545',
+    ])
+    .option('-c, --l1-chain-id <number>', 'L1 chain ID', value => parseInt(value), 31337)
+    .option('--output <file>', 'Output file path (if not specified, JSON is written to stdout)')
+    .action(async options => {
+      const { generateStakerJson } = await import('./staker.js');
+      await generateStakerJson(options, log);
+    });
+
+  // top-level convenience: aztec generate-bls-keypair
+  program
+    .command('generate-bls-keypair')
+    .description('Generate a BLS keypair with convenience flags')
+    .option('--mnemonic <mnemonic>', 'Mnemonic for BLS derivation')
+    .option('--ikm <hex>', 'Initial keying material for BLS (alternative to mnemonic)', value => parseHex(value, 32))
+    .option('--bls-path <path>', `EIP-2334 path (default ${defaultBlsPath})`)
+    .option('--g2', 'Derive on G2 subgroup')
+    .option('--compressed', 'Output compressed public key')
+    .option('--json', 'Print JSON output to stdout')
+    .option('--out <file>', 'Write output to file')
+    .action(async options => {
+      const { generateBlsKeypair } = await import('./generate_bls_keypair.js');
+      await generateBlsKeypair(options, log);
+    });
+
+  return program;
+}