@aztec/cli 3.0.0-nightly.20251111 → 3.0.0-nightly.20251112

package/README.md

@@ -4,7 +4,7 @@ The Aztec CLI `aztec-cli` is a command-line interface (CLI) tool for interacting
 
 ## Installation
 
-1. In your terminal, download the sandbox by running
+1. In your terminal, download the local network by running
 
 ```
 bash -i <(curl -s https://install.aztec.network)

package/dest/cmds/misc/update/npm.js

@@ -6,7 +6,7 @@ import { parse } from 'semver';
 import { atomicUpdateFile } from './utils.js';
 const deprecatedNpmPackages = new Set([
     '@aztec/cli',
-    '@aztec/aztec-sandbox'
+    '@aztec/aztec-local-network'
 ]);
 const npmDeprecationMessage = `
 The following packages have been deprecated and will no longer be updated on the npm registry:

package/dest/cmds/validator_keys/add.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"add.d.ts","sourceRoot":"","sources":["../../../src/cmds/validator_keys/add.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAQnD,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,UAAU,CAAC;AAU5D,MAAM,MAAM,uBAAuB,GAAG,2BAA2B,CAAC;AAElE,wBAAsB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,uBAAuB,EAAE,GAAG,EAAE,KAAK,iBA2FpG"}
+{"version":3,"file":"add.d.ts","sourceRoot":"","sources":["../../../src/cmds/validator_keys/add.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAQnD,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,UAAU,CAAC;AAU5D,MAAM,MAAM,uBAAuB,GAAG,2BAA2B,CAAC;AAElE,wBAAsB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,uBAAuB,EAAE,GAAG,EAAE,KAAK,iBAyFpG"}

package/dest/cmds/validator_keys/add.js

@@ -4,7 +4,7 @@ import { dirname, isAbsolute, join } from 'path';
 import { generateMnemonic } from 'viem/accounts';
 import { buildValidatorEntries, logValidatorSummaries, maybePrintJson, writeBlsBn254ToFile, writeEthJsonV3ToFile, writeKeystoreFile } from './shared.js';
 export async function addValidatorKeys(existing, options, log) {
-    const { dataDir, file, count, publisherCount = 0, mnemonic, accountIndex = 0, addressIndex, ikm, blsPath, blsOnly, json, feeRecipient: feeRecipientOpt, coinbase: coinbaseOpt, fundingAccount: fundingAccountOpt, remoteSigner: remoteSignerOpt, password, outDir } = options;
+    const { dataDir, file, count, publisherCount = 0, mnemonic, accountIndex = 0, addressIndex, ikm, blsPath, json, feeRecipient: feeRecipientOpt, coinbase: coinbaseOpt, fundingAccount: fundingAccountOpt, remoteSigner: remoteSignerOpt, password, outDir } = options;
     const validatorCount = typeof count === 'number' && Number.isFinite(count) && count > 0 ? Math.floor(count) : 1;
     const baseAddressIndex = addressIndex ?? 0;
     const keystore = loadKeystoreFile(existing);
@@ -32,7 +32,6 @@ export async function addValidatorKeys(existing, options, log) {
         mnemonic: mnemonicToUse,
         ikm,
         blsPath,
-        blsOnly,
         feeRecipient,
         coinbase,
         remoteSigner,

package/dest/cmds/validator_keys/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cmds/validator_keys/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAEnD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIpC,wBAAgB,cAAc,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,WAyF1D"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cmds/validator_keys/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAEnD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIpC,wBAAgB,cAAc,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,WAqH1D"}

package/dest/cmds/validator_keys/index.js

@@ -1,16 +1,23 @@
 import { parseAztecAddress, parseEthereumAddress, parseHex, parseOptionalInteger } from '../../utils/commands.js';
 export function injectCommands(program, log) {
     const group = program.command('validator-keys').aliases([
-        'valKeys'
+        'valKeys',
+        'valkeys'
     ]).description('Manage validator keystores for node operators');
-    group.command('new').summary('Generate a new validator keystore JSON').description('Generates a new validator keystore with ETH secp256k1 accounts and optional BLS accounts').option('--data-dir <path>', 'Directory to store keystore(s). Defaults to ~/.aztec/keystore').option('--file <name>', 'Keystore file name. Defaults to key1.json (or keyN.json if key1.json exists)').option('--count <N>', 'Number of validators to generate', parseOptionalInteger).option('--publisher-count <N>', 'Number of publisher accounts per validator (default 1)', (value)=>parseOptionalInteger(value, 0)).option('--mnemonic <mnemonic>', 'Mnemonic for ETH/BLS derivation').option('--passphrase <str>', 'Optional passphrase for mnemonic').option('--account-index <N>', 'Base account index for ETH derivation', parseOptionalInteger).option('--address-index <N>', 'Base address index for ETH derivation', parseOptionalInteger).option('--coinbase <address>', 'Coinbase ETH address to use when proposing', parseEthereumAddress).option('--funding-account <address>', 'ETH account to fund publishers', parseEthereumAddress).option('--remote-signer <url>', 'Default remote signer URL for accounts in this file').option('--ikm <hex>', 'Initial keying material for BLS (alternative to mnemonic)', (value)=>parseHex(value, 32)).option('--bls-path <path>', 'EIP-2334 path (default m/12381/3600/0/0/0)').option('--bls-only', 'Generate only BLS keys').option('--password <str>', 'Password for writing keystore files (ETH JSON V3 and BLS EIP-2335). Empty string allowed').option('--out-dir <dir>', 'Output directory for generated keystore file(s)').option('--json', 'Echo resulting JSON to stdout').requiredOption('--fee-recipient <address>', 'Aztec address that will receive fees', parseAztecAddress).action(async (options)=>{
+    group.command('new').summary('Generate a new validator keystore JSON').description('Generates a new validator keystore with ETH secp256k1 accounts and optional BLS accounts').option('--data-dir <path>', 'Directory to store keystore(s). Defaults to ~/.aztec/keystore').option('--file <name>', 'Keystore file name. Defaults to key1.json (or keyN.json if key1.json exists)').option('--count <N>', 'Number of validators to generate', parseOptionalInteger).option('--publisher-count <N>', 'Number of publisher accounts per validator (default 1)', (value)=>parseOptionalInteger(value, 0)).option('--mnemonic <mnemonic>', 'Mnemonic for ETH/BLS derivation').option('--passphrase <str>', 'Optional passphrase for mnemonic').option('--account-index <N>', 'Base account index for ETH derivation', parseOptionalInteger).option('--address-index <N>', 'Base address index for ETH derivation', parseOptionalInteger).option('--coinbase <address>', 'Coinbase ETH address to use when proposing', parseEthereumAddress).option('--funding-account <address>', 'ETH account to fund publishers', parseEthereumAddress).option('--remote-signer <url>', 'Default remote signer URL for accounts in this file').option('--ikm <hex>', 'Initial keying material for BLS (alternative to mnemonic)', (value)=>parseHex(value, 32)).option('--bls-path <path>', 'EIP-2334 path (default m/12381/3600/0/0/0)').option('--password <str>', 'Password for writing keystore files (ETH JSON V3 and BLS EIP-2335). Empty string allowed').option('--out-dir <dir>', 'Output directory for generated keystore file(s)').option('--json', 'Echo resulting JSON to stdout').option('--staker-output', 'Generate staker output JSON files for each attester').option('--gse-address <address>', 'GSE contract address (required with --staker-output)', parseEthereumAddress).option('--l1-rpc-urls <urls>', 'L1 RPC URLs (comma-separated, required with --staker-output)', (value)=>value.split(',')).option('-c, --l1-chain-id <number>', 'L1 chain ID (required with --staker-output)', (value)=>parseInt(value), 31337).requiredOption('--fee-recipient <address>', 'Aztec address that will receive fees', parseAztecAddress).action(async (options)=>{
         const { newValidatorKeystore } = await import('./new.js');
         await newValidatorKeystore(options, log);
     });
-    group.command('add').summary('Augment an existing validator keystore JSON').description('Adds attester/publisher/BLS entries to an existing keystore using the same flags as new').argument('<existing>', 'Path to existing keystore JSON').option('--data-dir <path>', 'Directory where keystore(s) live').option('--file <name>', 'Override output file name').option('--count <N>', 'Number of validators to add', parseOptionalInteger).option('--publisher-count <N>', 'Number of publisher accounts per validator (default 1)', (value)=>parseOptionalInteger(value, 0)).option('--mnemonic <mnemonic>', 'Mnemonic for ETH/BLS derivation').option('--passphrase <str>', 'Optional passphrase for mnemonic').option('--account-index <N>', 'Base account index for ETH derivation', parseOptionalInteger).option('--address-index <N>', 'Base address index for ETH derivation', parseOptionalInteger).option('--coinbase <address>', 'Coinbase ETH address to use when proposing', parseEthereumAddress).option('--funding-account <address>', 'ETH account to fund publishers', parseEthereumAddress).option('--remote-signer <url>', 'Default remote signer URL for accounts in this file').option('--ikm <hex>', 'Initial keying material for BLS (alternative to mnemonic)', (value)=>parseHex(value, 32)).option('--bls-path <path>', 'EIP-2334 path (default m/12381/3600/0/0/0)').option('--bls-only', 'Generate only BLS keys').option('--empty', 'Generate an empty skeleton without keys').option('--password <str>', 'Password for writing keystore files (ETH JSON V3 and BLS EIP-2335). Empty string allowed').option('--out-dir <dir>', 'Output directory for generated keystore file(s)').option('--json', 'Echo resulting JSON to stdout').requiredOption('--fee-recipient <address>', 'Aztec address that will receive fees', parseAztecAddress).action(async (existing, options)=>{
+    group.command('add').summary('Augment an existing validator keystore JSON').description('Adds attester/publisher/BLS entries to an existing keystore using the same flags as new').argument('<existing>', 'Path to existing keystore JSON').option('--data-dir <path>', 'Directory where keystore(s) live').option('--file <name>', 'Override output file name').option('--count <N>', 'Number of validators to add', parseOptionalInteger).option('--publisher-count <N>', 'Number of publisher accounts per validator (default 1)', (value)=>parseOptionalInteger(value, 0)).option('--mnemonic <mnemonic>', 'Mnemonic for ETH/BLS derivation').option('--passphrase <str>', 'Optional passphrase for mnemonic').option('--account-index <N>', 'Base account index for ETH derivation', parseOptionalInteger).option('--address-index <N>', 'Base address index for ETH derivation', parseOptionalInteger).option('--coinbase <address>', 'Coinbase ETH address to use when proposing', parseEthereumAddress).option('--funding-account <address>', 'ETH account to fund publishers', parseEthereumAddress).option('--remote-signer <url>', 'Default remote signer URL for accounts in this file').option('--ikm <hex>', 'Initial keying material for BLS (alternative to mnemonic)', (value)=>parseHex(value, 32)).option('--bls-path <path>', 'EIP-2334 path (default m/12381/3600/0/0/0)').option('--empty', 'Generate an empty skeleton without keys').option('--password <str>', 'Password for writing keystore files (ETH JSON V3 and BLS EIP-2335). Empty string allowed').option('--out-dir <dir>', 'Output directory for generated keystore file(s)').option('--json', 'Echo resulting JSON to stdout').requiredOption('--fee-recipient <address>', 'Aztec address that will receive fees', parseAztecAddress).action(async (existing, options)=>{
         const { addValidatorKeys } = await import('./add.js');
         await addValidatorKeys(existing, options, log);
     });
+    group.command('staker').summary('Generate staking JSON from keystore').description('Reads a validator keystore and outputs staking data with BLS public keys for each attester (skips mnemonics)').requiredOption('--from <keystore>', 'Path to keystore JSON file').option('--password <password>', 'Password for decrypting encrypted keystores (if not specified in keystore file)').requiredOption('--gse-address <address>', 'GSE contract address', parseEthereumAddress).option('--l1-rpc-urls <urls>', 'L1 RPC URLs (comma-separated)', (value)=>value.split(','), [
+        'http://localhost:8545'
+    ]).option('-c, --l1-chain-id <number>', 'L1 chain ID', (value)=>parseInt(value), 31337).option('--output <file>', 'Output file path (if not specified, JSON is written to stdout)').action(async (options)=>{
+        const { generateStakerJson } = await import('./staker.js');
+        await generateStakerJson(options, log);
+    });
     // top-level convenience: aztec generate-bls-keypair
     program.command('generate-bls-keypair').description('Generate a BLS keypair with convenience flags').option('--mnemonic <mnemonic>', 'Mnemonic for BLS derivation').option('--ikm <hex>', 'Initial keying material for BLS (alternative to mnemonic)', (value)=>parseHex(value, 32)).option('--bls-path <path>', 'EIP-2334 path (default m/12381/3600/0/0/0)').option('--g2', 'Derive on G2 subgroup').option('--compressed', 'Output compressed public key').option('--json', 'Print JSON output to stdout').option('--out <file>', 'Write output to file').action(async (options)=>{
         const { generateBlsKeypair } = await import('./generate_bls_keypair.js');

package/dest/cmds/validator_keys/new.d.ts

@@ -13,7 +13,6 @@ export type NewValidatorKeystoreOptions = {
     separatePublisher?: boolean;
     ikm?: string;
     blsPath?: string;
-    blsOnly?: boolean;
     password?: string;
     outDir?: string;
     json?: boolean;
@@ -21,6 +20,10 @@ export type NewValidatorKeystoreOptions = {
     coinbase?: EthAddress;
     remoteSigner?: string;
     fundingAccount?: EthAddress;
+    stakerOutput?: boolean;
+    gseAddress?: EthAddress;
+    l1RpcUrls?: string[];
+    l1ChainId?: number;
 };
 export declare function newValidatorKeystore(options: NewValidatorKeystoreOptions, log: LogFn): Promise<void>;
 //# sourceMappingURL=new.d.ts.map

package/dest/cmds/validator_keys/new.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"new.d.ts","sourceRoot":"","sources":["../../../src/cmds/validator_keys/new.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAChE,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAgBhE,MAAM,MAAM,2BAA2B,GAAG;IACxC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,YAAY,EAAE,YAAY,CAAC;IAC3B,QAAQ,CAAC,EAAE,UAAU,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,cAAc,CAAC,EAAE,UAAU,CAAC;CAC7B,CAAC;AAEF,wBAAsB,oBAAoB,CAAC,OAAO,EAAE,2BAA2B,EAAE,GAAG,EAAE,KAAK,iBA+E1F"}
+{"version":3,"file":"new.d.ts","sourceRoot":"","sources":["../../../src/cmds/validator_keys/new.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAChE,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAmBhE,MAAM,MAAM,2BAA2B,GAAG;IACxC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,YAAY,EAAE,YAAY,CAAC;IAC3B,QAAQ,CAAC,EAAE,UAAU,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,cAAc,CAAC,EAAE,UAAU,CAAC;IAC5B,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,wBAAsB,oBAAoB,CAAC,OAAO,EAAE,2BAA2B,EAAE,GAAG,EAAE,KAAK,iBA+J1F"}

package/dest/cmds/validator_keys/new.js

@@ -1,13 +1,37 @@
+import { prettyPrintJSON } from '@aztec/cli/utils';
+import { GSEContract, createEthereumChain } from '@aztec/ethereum';
 import { wordlist } from '@scure/bip39/wordlists/english.js';
-import { dirname } from 'path';
+import { writeFile } from 'fs/promises';
+import { basename, dirname, join } from 'path';
+import { createPublicClient, fallback, http } from 'viem';
 import { generateMnemonic, mnemonicToAccount } from 'viem/accounts';
 import { buildValidatorEntries, logValidatorSummaries, maybePrintJson, resolveKeystoreOutputPath, writeBlsBn254ToFile, writeEthJsonV3ToFile, writeKeystoreFile } from './shared.js';
+import { processAttesterAccounts } from './staker.js';
 export async function newValidatorKeystore(options, log) {
-    const { dataDir, file, count, publisherCount = 0, json, coinbase, accountIndex = 0, addressIndex = 0, feeRecipient, remoteSigner, fundingAccount, blsOnly, blsPath, ikm, mnemonic: _mnemonic, password, outDir } = options;
+    const { dataDir, file, count, publisherCount = 0, json, coinbase, accountIndex = 0, addressIndex = 0, feeRecipient, remoteSigner, fundingAccount, blsPath, ikm, mnemonic: _mnemonic, password, outDir, stakerOutput, gseAddress, l1RpcUrls, l1ChainId } = options;
+    // Validate staker output requirements
+    if (stakerOutput) {
+        if (!gseAddress) {
+            throw new Error('--gse-address is required when using --staker-output');
+        }
+        if (!l1RpcUrls || l1RpcUrls.length === 0) {
+            throw new Error('--l1-rpc-urls is required when using --staker-output');
+        }
+        if (l1ChainId === undefined) {
+            throw new Error('--l1-chain-id is required when using --staker-output');
+        }
+    }
     if (remoteSigner && !_mnemonic) {
         throw new Error('Using --remote-signer requires a deterministic key source. Provide --mnemonic to derive keys, or omit --remote-signer to write new private keys to keystore.');
     }
     const mnemonic = _mnemonic ?? generateMnemonic(wordlist);
+    if (!_mnemonic && !json) {
+        log('No mnemonic provided, generating new one...');
+        log(`Using new mnemonic:`);
+        log('');
+        log(mnemonic);
+        log('');
+    }
     const validatorCount = typeof count === 'number' && Number.isFinite(count) && count > 0 ? Math.floor(count) : 1;
     const { outputPath } = await resolveKeystoreOutputPath(dataDir, file);
     const { validators, summaries } = await buildValidatorEntries({
@@ -18,7 +42,6 @@ export async function newValidatorKeystore(options, log) {
         mnemonic,
         ikm,
         blsPath,
-        blsOnly,
         feeRecipient,
         coinbase,
         remoteSigner,
@@ -41,13 +64,59 @@ export async function newValidatorKeystore(options, log) {
         validators
     };
     await writeKeystoreFile(outputPath, keystore);
-    maybePrintJson(log, json, keystore);
-    if (!json) {
+    // Generate staker outputs if requested
+    const allStakerOutputs = [];
+    if (stakerOutput && gseAddress && l1RpcUrls && l1ChainId !== undefined) {
+        const chain = createEthereumChain(l1RpcUrls, l1ChainId);
+        const publicClient = createPublicClient({
+            chain: chain.chainInfo,
+            transport: fallback(l1RpcUrls.map((url)=>http(url)))
+        });
+        const gse = new GSEContract(publicClient, gseAddress);
+        const keystoreOutDir = outDir && outDir.length > 0 ? outDir : dirname(outputPath);
+        // Extract keystore base name without extension for unique staker output filenames
+        const keystoreBaseName = basename(outputPath, '.json');
+        // Process each validator
+        for(let i = 0; i < validators.length; i++){
+            const validator = validators[i];
+            const outputs = await processAttesterAccounts(validator.attester, gse, password);
+            // Save each attester's staker output
+            for(let j = 0; j < outputs.length; j++){
+                const attesterIndex = i + 1;
+                const stakerOutputPath = join(keystoreOutDir, `${keystoreBaseName}_attester${attesterIndex}_staker_output.json`);
+                await writeFile(stakerOutputPath, prettyPrintJSON(outputs[j]), 'utf-8');
+                allStakerOutputs.push(outputs[j]);
+            }
+        }
+    }
+    const outputData = !_mnemonic ? {
+        ...keystore,
+        generatedMnemonic: mnemonic
+    } : keystore;
+    // Handle JSON output
+    if (json) {
+        if (stakerOutput && allStakerOutputs.length > 0) {
+            const combinedOutput = {
+                keystore: outputData,
+                staker: allStakerOutputs
+            };
+            maybePrintJson(log, json, combinedOutput);
+        } else {
+            maybePrintJson(log, json, outputData);
+        }
+    } else {
         log(`Wrote validator keystore to ${outputPath}`);
+        if (stakerOutput && allStakerOutputs.length > 0) {
+            const keystoreOutDir = outDir && outDir.length > 0 ? outDir : dirname(outputPath);
+            log(`Wrote ${allStakerOutputs.length} staker output file(s) to ${keystoreOutDir}`);
+            log('');
+        }
     }
-    // Always print a concise summary of public keys (addresses and BLS pubkeys)
-    logValidatorSummaries(log, summaries);
-    if (!blsOnly && mnemonic && remoteSigner) {
+    // print a concise summary of public keys (addresses and BLS pubkeys) if no --json options was selected
+    if (!json) {
+        logValidatorSummaries(log, summaries);
+    }
+    if (mnemonic && remoteSigner && !json) {
         for(let i = 0; i < validatorCount; i++){
             const addrIdx = addressIndex + i;
             const acct = mnemonicToAccount(mnemonic, {
@@ -57,4 +126,9 @@ export async function newValidatorKeystore(options, log) {
             log(`attester address: ${acct.address} remoteSignerUrl: ${remoteSigner}`);
         }
     }
+    // Log staker outputs if not in JSON mode
+    if (!json && stakerOutput && allStakerOutputs.length > 0) {
+        log('\nStaker outputs:');
+        log(prettyPrintJSON(allStakerOutputs));
+    }
 }

package/dest/cmds/validator_keys/shared.d.ts

@@ -15,7 +15,6 @@ export type BuildValidatorsInput = {
     mnemonic: string;
     ikm?: string;
     blsPath?: string;
-    blsOnly?: boolean;
     feeRecipient: AztecAddress;
     coinbase?: EthAddress;
     remoteSigner?: string;

package/dest/cmds/validator_keys/shared.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"shared.d.ts","sourceRoot":"","sources":["../../../src/cmds/validator_keys/shared.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAChE,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,KAAK,EAAE,UAAU,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC/F,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAShE,MAAM,MAAM,gBAAgB,GAAG;IAAE,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC;AAEvG,MAAM,MAAM,oBAAoB,GAAG;IACjC,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,YAAY,EAAE,YAAY,CAAC;IAC3B,QAAQ,CAAC,EAAE,UAAU,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,cAAc,CAAC,EAAE,UAAU,CAAC;CAC7B,CAAC;AAEF,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,UAO7D;AAED;;;;GAIG;AACH,wBAAsB,6BAA6B,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAE1F;AAED,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,gBAAgB,EAAE,MAAM,EACxB,YAAY,EAAE,MAAM,EACpB,YAAY,CAAC,EAAE,MAAM,GACpB,UAAU,GAAG,aAAa,CAK5B;AAED,wBAAsB,qBAAqB,CAAC,KAAK,EAAE,oBAAoB;;;GA6EtE;AAED,wBAAsB,yBAAyB,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM;;;GAoB9E;AAED,wBAAsB,iBAAiB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,iBAGtE;AAED,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,gBAAgB,EAAE,QAsB9E;AAED,wBAAgB,cAAc,CAAC,GAAG,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,GAAG,SAAS,EAAE,GAAG,EAAE,OAAO,QAIrF;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,qBAAqB,CACzC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,MAAM,EACrB,SAAS,EAAE,MAAM,EACjB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,MAAM,CAAC,CASjB;AAED,yGAAyG;AACzG,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,iBAAiB,EAAE,EAC/B,OAAO,EAAE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC5C,OAAO,CAAC,IAAI,CAAC,CAuBf;AAED,8EAA8E;AAC9E,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,MAAM,CAAC,CAQjB;AAED,kGAAkG;AAClG,wBAAsB,oBAAoB,CACxC,UAAU,EAAE,iBAAiB,EAAE,EAC/B,OAAO,EAAE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC5C,OAAO,CAAC,IAAI,CAAC,CA2Cf"}
+{"version":3,"file":"shared.d.ts","sourceRoot":"","sources":["../../../src/cmds/validator_keys/shared.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAChE,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,KAAK,EAAE,UAAU,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC/F,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAShE,MAAM,MAAM,gBAAgB,GAAG;IAAE,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC;AAEvG,MAAM,MAAM,oBAAoB,GAAG;IACjC,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,YAAY,CAAC;IAC3B,QAAQ,CAAC,EAAE,UAAU,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,cAAc,CAAC,EAAE,UAAU,CAAC;CAC7B,CAAC;AAEF,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,UAO7D;AAED;;;;GAIG;AACH,wBAAsB,6BAA6B,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAE1F;AAED,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,gBAAgB,EAAE,MAAM,EACxB,YAAY,EAAE,MAAM,EACpB,YAAY,CAAC,EAAE,MAAM,GACpB,UAAU,GAAG,aAAa,CAK5B;AAED,wBAAsB,qBAAqB,CAAC,KAAK,EAAE,oBAAoB;;;GAsEtE;AAED,wBAAsB,yBAAyB,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM;;;GAoB9E;AAED,wBAAsB,iBAAiB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,iBAGtE;AAED,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,gBAAgB,EAAE,QAsB9E;AAED,wBAAgB,cAAc,CAAC,GAAG,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,GAAG,SAAS,EAAE,GAAG,EAAE,OAAO,QAIrF;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,qBAAqB,CACzC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,MAAM,EACrB,SAAS,EAAE,MAAM,EACjB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,MAAM,CAAC,CASjB;AAED,yGAAyG;AACzG,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,iBAAiB,EAAE,EAC/B,OAAO,EAAE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC5C,OAAO,CAAC,IAAI,CAAC,CAuBf;AAED,8EAA8E;AAC9E,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,MAAM,CAAC,CAQjB;AAED,kGAAkG;AAClG,wBAAsB,oBAAoB,CACxC,UAAU,EAAE,iBAAiB,EAAE,EAC/B,OAAO,EAAE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC5C,OAAO,CAAC,IAAI,CAAC,CA2Cf"}

package/dest/cmds/validator_keys/shared.js

@@ -33,7 +33,7 @@ export function deriveEthAttester(mnemonic, baseAccountIndex, addressIndex, remo
     } : '0x' + Buffer.from(acct.getHdKey().privateKey).toString('hex');
 }
 export async function buildValidatorEntries(input) {
-    const { validatorCount, publisherCount = 0, accountIndex, baseAddressIndex, mnemonic, ikm, blsPath, blsOnly, feeRecipient, coinbase, remoteSigner, fundingAccount } = input;
+    const { validatorCount, publisherCount = 0, accountIndex, baseAddressIndex, mnemonic, ikm, blsPath, feeRecipient, coinbase, remoteSigner, fundingAccount } = input;
     const defaultBlsPath = 'm/12381/3600/0/0/0';
     const summaries = [];
     const validators = await Promise.all(Array.from({
@@ -42,20 +42,8 @@ export async function buildValidatorEntries(input) {
         const addressIndex = baseAddressIndex + i;
         const basePath = blsPath ?? defaultBlsPath;
         const perValidatorPath = withValidatorIndex(basePath, addressIndex);
-        const blsPrivKey = blsOnly || ikm || mnemonic ? deriveBlsPrivateKey(mnemonic, ikm, perValidatorPath) : undefined;
+        const blsPrivKey = ikm || mnemonic ? deriveBlsPrivateKey(mnemonic, ikm, perValidatorPath) : undefined;
         const blsPubCompressed = blsPrivKey ? await computeBlsPublicKeyCompressed(blsPrivKey) : undefined;
-        if (blsOnly) {
-            const attester = {
-                bls: blsPrivKey
-            };
-            summaries.push({
-                attesterBls: blsPubCompressed
-            });
-            return {
-                attester,
-                feeRecipient
-            };
-        }
         const ethAttester = deriveEthAttester(mnemonic, accountIndex, addressIndex, remoteSigner);
         const attester = blsPrivKey ? {
             eth: ethAttester,

package/dest/cmds/validator_keys/staker.d.ts

@@ -0,0 +1,38 @@
+import { GSEContract } from '@aztec/ethereum';
+import type { EthAddress } from '@aztec/foundation/eth-address';
+import type { LogFn } from '@aztec/foundation/log';
+import type { AttesterAccounts } from '@aztec/node-keystore/types';
+export type StakerOptions = {
+    from: string;
+    password?: string;
+    output?: string;
+    gseAddress: EthAddress;
+    l1RpcUrls: string[];
+    l1ChainId: number;
+};
+export type StakerOutput = {
+    attester: string;
+    publicKeyG1: {
+        x: string;
+        y: string;
+    };
+    publicKeyG2: {
+        x0: string;
+        x1: string;
+        y0: string;
+        y1: string;
+    };
+    proofOfPossession: {
+        x: string;
+        y: string;
+    };
+};
+/**
+ * Process AttesterAccounts (which can be a single attester, array, or mnemonic)
+ */
+export declare function processAttesterAccounts(attesterAccounts: AttesterAccounts, gse: GSEContract, password?: string): Promise<StakerOutput[]>;
+/**
+ * Main staker command function
+ */
+export declare function generateStakerJson(options: StakerOptions, log: LogFn): Promise<void>;
+//# sourceMappingURL=staker.d.ts.map

package/dest/cmds/validator_keys/staker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"staker.d.ts","sourceRoot":"","sources":["../../../src/cmds/validator_keys/staker.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAuB,MAAM,iBAAiB,CAAC;AAGnE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAEhE,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAEnD,OAAO,KAAK,EAEV,gBAAgB,EAKjB,MAAM,4BAA4B,CAAC;AAOpC,MAAM,MAAM,aAAa,GAAG;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,UAAU,CAAC;IACvB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE;QACX,CAAC,EAAE,MAAM,CAAC;QACV,CAAC,EAAE,MAAM,CAAC;KACX,CAAC;IACF,WAAW,EAAE;QACX,EAAE,EAAE,MAAM,CAAC;QACX,EAAE,EAAE,MAAM,CAAC;QACX,EAAE,EAAE,MAAM,CAAC;QACX,EAAE,EAAE,MAAM,CAAC;KACZ,CAAC;IACF,iBAAiB,EAAE;QACjB,CAAC,EAAE,MAAM,CAAC;QACV,CAAC,EAAE,MAAM,CAAC;KACX,CAAC;CACH,CAAC;AA2KF;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,gBAAgB,EAAE,gBAAgB,EAClC,GAAG,EAAE,WAAW,EAChB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,YAAY,EAAE,CAAC,CAqBzB;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,aAAa,EAAE,GAAG,EAAE,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,CA8C1F"}

package/dest/cmds/validator_keys/staker.js

@@ -0,0 +1,206 @@
+import { prettyPrintJSON } from '@aztec/cli/utils';
+import { GSEContract, createEthereumChain } from '@aztec/ethereum';
+import { computeBn254G1PublicKey, computeBn254G2PublicKey } from '@aztec/foundation/crypto';
+import { decryptBn254Keystore } from '@aztec/foundation/crypto/bls/bn254_keystore';
+import { Fr } from '@aztec/foundation/fields';
+import { loadKeystoreFile } from '@aztec/node-keystore/loader';
+import { Wallet } from '@ethersproject/wallet';
+import { readFileSync, writeFileSync } from 'fs';
+import { createPublicClient, fallback, http } from 'viem';
+import { privateKeyToAddress } from 'viem/accounts';
+/**
+ * Check if an object is a MnemonicConfig
+ */ function isMnemonicConfig(obj) {
+    return typeof obj === 'object' && obj !== null && 'mnemonic' in obj;
+}
+/**
+ * Check if a value is an encrypted keystore file config
+ */ function isEncryptedKeyFileConfig(value) {
+    return typeof value === 'object' && value !== null && 'path' in value;
+}
+/**
+ * Check if a BLSAccount is a private key string (not an encrypted keystore file)
+ */ function isBlsPrivateKey(bls) {
+    return typeof bls === 'string' && bls.startsWith('0x');
+}
+/**
+ * Check if an EthAccount is a private key string (66 chars: 0x + 64 hex)
+ */ function isEthPrivateKey(eth) {
+    return typeof eth === 'string' && eth.startsWith('0x') && eth.length === 66;
+}
+/**
+ * Check if a string is an Ethereum address (42 chars: 0x + 40 hex)
+ */ function isEthAddress(value) {
+    return typeof value === 'string' && /^0x[0-9a-fA-F]{40}$/.test(value);
+}
+/**
+ * Decrypt a BLS private key from an encrypted keystore file
+ */ function decryptBlsKey(bls, password) {
+    if (isBlsPrivateKey(bls)) {
+        return bls;
+    }
+    if (isEncryptedKeyFileConfig(bls)) {
+        if (!password && !bls.password) {
+            return undefined; // Can't decrypt without password
+        }
+        const pwd = password ?? bls.password;
+        return decryptBn254Keystore(bls.path, pwd);
+    }
+    return undefined;
+}
+/**
+ * Decrypt an Ethereum private key from an encrypted keystore file
+ */ async function decryptEthKey(eth, password) {
+    if (isEthPrivateKey(eth)) {
+        return eth;
+    }
+    if (isEncryptedKeyFileConfig(eth)) {
+        if (!password && !eth.password) {
+            return undefined; // Can't decrypt without password
+        }
+        const pwd = password ?? eth.password;
+        const json = readFileSync(eth.path, 'utf-8');
+        const wallet = await Wallet.fromEncryptedJson(json, pwd);
+        return wallet.privateKey;
+    }
+    return undefined;
+}
+/**
+ * Extract Ethereum address from an EthAccount (or private key)
+ */ async function getEthAddress(eth, password) {
+    // Case 1: It's a private key string - derive the address
+    if (isEthPrivateKey(eth)) {
+        return privateKeyToAddress(eth);
+    }
+    // Case 2: It's just an address string directly (EthRemoteSignerAccount can be just EthAddress)
+    if (isEthAddress(eth)) {
+        return eth;
+    }
+    // Case 3: It's an object with an address property (remote signer config)
+    if (typeof eth === 'object' && eth !== null && 'address' in eth) {
+        return eth.address;
+    }
+    // Case 4: It's an encrypted keystore file - decrypt and derive address
+    if (isEncryptedKeyFileConfig(eth)) {
+        const privateKey = await decryptEthKey(eth, password);
+        if (privateKey) {
+            return privateKeyToAddress(privateKey);
+        }
+        return undefined;
+    }
+    return undefined;
+}
+/**
+ * Extract BLS private key and Ethereum address from an AttesterAccount
+ */ async function extractAttesterInfo(attester, password) {
+    // Case 1: attester is { eth: EthAccount, bls?: BLSAccount }
+    if (typeof attester === 'object' && attester !== null && 'eth' in attester) {
+        const ethAddress = await getEthAddress(attester.eth, password);
+        const blsPrivateKey = attester.bls ? decryptBlsKey(attester.bls, password) : undefined;
+        return {
+            blsPrivateKey,
+            ethAddress
+        };
+    }
+    // Case 2: attester is just an EthAccount directly (no BLS key)
+    return {
+        blsPrivateKey: undefined,
+        ethAddress: await getEthAddress(attester, password)
+    };
+}
+/**
+ * Process a single attester entry and output staking JSON
+ */ async function processAttester(attester, gse, password) {
+    const { blsPrivateKey, ethAddress } = await extractAttesterInfo(attester, password);
+    // Skip if no BLS private key or no Ethereum address
+    if (!blsPrivateKey || !ethAddress) {
+        return undefined;
+    }
+    // Derive G1 and G2 public keys
+    const g1PublicKey = await computeBn254G1PublicKey(blsPrivateKey);
+    const g2PublicKey = await computeBn254G2PublicKey(blsPrivateKey);
+    // Generate proof of possession
+    const bn254SecretKeyFieldElement = Fr.fromString(blsPrivateKey);
+    const registrationTuple = await gse.makeRegistrationTuple(bn254SecretKeyFieldElement.toBigInt());
+    return {
+        attester: String(ethAddress),
+        publicKeyG1: {
+            x: '0x' + g1PublicKey.x.toString(16).padStart(64, '0'),
+            y: '0x' + g1PublicKey.y.toString(16).padStart(64, '0')
+        },
+        publicKeyG2: {
+            x0: '0x' + g2PublicKey.x.c0.toString(16).padStart(64, '0'),
+            x1: '0x' + g2PublicKey.x.c1.toString(16).padStart(64, '0'),
+            y0: '0x' + g2PublicKey.y.c0.toString(16).padStart(64, '0'),
+            y1: '0x' + g2PublicKey.y.c1.toString(16).padStart(64, '0')
+        },
+        proofOfPossession: {
+            x: '0x' + registrationTuple.proofOfPossession.x.toString(16),
+            y: '0x' + registrationTuple.proofOfPossession.y.toString(16)
+        }
+    };
+}
+/**
+ * Process AttesterAccounts (which can be a single attester, array, or mnemonic)
+ */ export async function processAttesterAccounts(attesterAccounts, gse, password) {
+    // Skip mnemonic configs
+    if (isMnemonicConfig(attesterAccounts)) {
+        return [];
+    }
+    // Handle array of attesters
+    if (Array.isArray(attesterAccounts)) {
+        const results = [];
+        for (const attester of attesterAccounts){
+            const result = await processAttester(attester, gse, password);
+            if (result) {
+                results.push(result);
+            }
+        }
+        return results;
+    }
+    // Handle single attester
+    const result = await processAttester(attesterAccounts, gse, password);
+    return result ? [
+        result
+    ] : [];
+}
+/**
+ * Main staker command function
+ */ export async function generateStakerJson(options, log) {
+    const { from, password, gseAddress, l1RpcUrls, l1ChainId, output } = options;
+    // Load the keystore file
+    const keystore = loadKeystoreFile(from);
+    if (!gseAddress) {
+        throw new Error('GSE contract address is required');
+    }
+    log(`Calling GSE contract ${gseAddress} on chain ${l1ChainId}, using ${l1RpcUrls.join(', ')} to get staker outputs`);
+    if (!keystore.validators || keystore.validators.length === 0) {
+        log('No validators found in keystore');
+        return;
+    }
+    const allOutputs = [];
+    // L1 client for proof of possession
+    const chain = createEthereumChain(l1RpcUrls, l1ChainId);
+    const publicClient = createPublicClient({
+        chain: chain.chainInfo,
+        transport: fallback(l1RpcUrls.map((url)=>http(url)))
+    });
+    const gse = new GSEContract(publicClient, gseAddress);
+    // Process each validator
+    for (const validator of keystore.validators){
+        const outputs = await processAttesterAccounts(validator.attester, gse, password);
+        allOutputs.push(...outputs);
+    }
+    if (allOutputs.length === 0) {
+        log('No attesters with BLS keys found (skipping mnemonics and encrypted keystores without password)');
+        return;
+    }
+    const jsonOutput = prettyPrintJSON(allOutputs);
+    // Write to file if output is specified, otherwise log to stdout
+    if (output) {
+        writeFileSync(output, jsonOutput, 'utf-8');
+        log(`Wrote staking data to ${output}`);
+    } else {
+        log(jsonOutput);
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aztec/cli",
-  "version": "3.0.0-nightly.20251111",
+  "version": "3.0.0-nightly.20251112",
   "type": "module",
   "exports": {
     "./contracts": "./dest/cmds/contracts/index.js",
@@ -71,21 +71,21 @@
     ]
   },
   "dependencies": {
-    "@aztec/accounts": "3.0.0-nightly.20251111",
-    "@aztec/archiver": "3.0.0-nightly.20251111",
-    "@aztec/aztec.js": "3.0.0-nightly.20251111",
-    "@aztec/constants": "3.0.0-nightly.20251111",
-    "@aztec/entrypoints": "3.0.0-nightly.20251111",
-    "@aztec/ethereum": "3.0.0-nightly.20251111",
-    "@aztec/foundation": "3.0.0-nightly.20251111",
-    "@aztec/l1-artifacts": "3.0.0-nightly.20251111",
-    "@aztec/node-keystore": "3.0.0-nightly.20251111",
-    "@aztec/node-lib": "3.0.0-nightly.20251111",
-    "@aztec/p2p": "3.0.0-nightly.20251111",
-    "@aztec/protocol-contracts": "3.0.0-nightly.20251111",
-    "@aztec/stdlib": "3.0.0-nightly.20251111",
-    "@aztec/test-wallet": "3.0.0-nightly.20251111",
-    "@aztec/world-state": "3.0.0-nightly.20251111",
+    "@aztec/accounts": "3.0.0-nightly.20251112",
+    "@aztec/archiver": "3.0.0-nightly.20251112",
+    "@aztec/aztec.js": "3.0.0-nightly.20251112",
+    "@aztec/constants": "3.0.0-nightly.20251112",
+    "@aztec/entrypoints": "3.0.0-nightly.20251112",
+    "@aztec/ethereum": "3.0.0-nightly.20251112",
+    "@aztec/foundation": "3.0.0-nightly.20251112",
+    "@aztec/l1-artifacts": "3.0.0-nightly.20251112",
+    "@aztec/node-keystore": "3.0.0-nightly.20251112",
+    "@aztec/node-lib": "3.0.0-nightly.20251112",
+    "@aztec/p2p": "3.0.0-nightly.20251112",
+    "@aztec/protocol-contracts": "3.0.0-nightly.20251112",
+    "@aztec/stdlib": "3.0.0-nightly.20251112",
+    "@aztec/test-wallet": "3.0.0-nightly.20251112",
+    "@aztec/world-state": "3.0.0-nightly.20251112",
     "@ethersproject/wallet": "^5.8.0",
     "@iarna/toml": "^2.2.5",
     "@libp2p/peer-id-factory": "^3.0.4",
@@ -114,15 +114,15 @@
     "typescript": "^5.3.3"
   },
   "peerDependencies": {
-    "@aztec/accounts": "3.0.0-nightly.20251111",
-    "@aztec/bb-prover": "3.0.0-nightly.20251111",
-    "@aztec/ethereum": "3.0.0-nightly.20251111",
-    "@aztec/l1-artifacts": "3.0.0-nightly.20251111",
-    "@aztec/noir-contracts.js": "3.0.0-nightly.20251111",
-    "@aztec/noir-protocol-circuits-types": "3.0.0-nightly.20251111",
-    "@aztec/noir-test-contracts.js": "3.0.0-nightly.20251111",
-    "@aztec/protocol-contracts": "3.0.0-nightly.20251111",
-    "@aztec/stdlib": "3.0.0-nightly.20251111"
+    "@aztec/accounts": "3.0.0-nightly.20251112",
+    "@aztec/bb-prover": "3.0.0-nightly.20251112",
+    "@aztec/ethereum": "3.0.0-nightly.20251112",
+    "@aztec/l1-artifacts": "3.0.0-nightly.20251112",
+    "@aztec/noir-contracts.js": "3.0.0-nightly.20251112",
+    "@aztec/noir-protocol-circuits-types": "3.0.0-nightly.20251112",
+    "@aztec/noir-test-contracts.js": "3.0.0-nightly.20251112",
+    "@aztec/protocol-contracts": "3.0.0-nightly.20251112",
+    "@aztec/stdlib": "3.0.0-nightly.20251112"
   },
   "files": [
     "dest",

package/src/cmds/misc/update/npm.ts

@@ -9,7 +9,7 @@ import { type SemVer, parse } from 'semver';
 import type { DependencyChanges } from './common.js';
 import { atomicUpdateFile } from './utils.js';
 
-const deprecatedNpmPackages = new Set<string>(['@aztec/cli', '@aztec/aztec-sandbox']);
+const deprecatedNpmPackages = new Set<string>(['@aztec/cli', '@aztec/aztec-local-network']);
 const npmDeprecationMessage = `
 The following packages have been deprecated and will no longer be updated on the npm registry:
 ${Array.from(deprecatedNpmPackages)

package/src/cmds/validator_keys/add.ts

@@ -30,7 +30,6 @@ export async function addValidatorKeys(existing: string, options: AddValidatorKe
     addressIndex,
     ikm,
     blsPath,
-    blsOnly,
     json,
     feeRecipient: feeRecipientOpt,
     coinbase: coinbaseOpt,
@@ -75,7 +74,6 @@ export async function addValidatorKeys(existing: string, options: AddValidatorKe
     mnemonic: mnemonicToUse,
     ikm,
     blsPath,
-    blsOnly,
     feeRecipient,
     coinbase,
     remoteSigner,

package/src/cmds/validator_keys/index.ts

@@ -7,7 +7,7 @@ import { parseAztecAddress, parseEthereumAddress, parseHex, parseOptionalInteger
 export function injectCommands(program: Command, log: LogFn) {
   const group = program
     .command('validator-keys')
-    .aliases(['valKeys'])
+    .aliases(['valKeys', 'valkeys'])
     .description('Manage validator keystores for node operators');
 
   group
@@ -29,13 +29,23 @@ export function injectCommands(program: Command, log: LogFn) {
     .option('--remote-signer <url>', 'Default remote signer URL for accounts in this file')
     .option('--ikm <hex>', 'Initial keying material for BLS (alternative to mnemonic)', value => parseHex(value, 32))
     .option('--bls-path <path>', 'EIP-2334 path (default m/12381/3600/0/0/0)')
-    .option('--bls-only', 'Generate only BLS keys')
     .option(
       '--password <str>',
       'Password for writing keystore files (ETH JSON V3 and BLS EIP-2335). Empty string allowed',
     )
     .option('--out-dir <dir>', 'Output directory for generated keystore file(s)')
     .option('--json', 'Echo resulting JSON to stdout')
+    .option('--staker-output', 'Generate staker output JSON files for each attester')
+    .option('--gse-address <address>', 'GSE contract address (required with --staker-output)', parseEthereumAddress)
+    .option('--l1-rpc-urls <urls>', 'L1 RPC URLs (comma-separated, required with --staker-output)', value =>
+      value.split(','),
+    )
+    .option(
+      '-c, --l1-chain-id <number>',
+      'L1 chain ID (required with --staker-output)',
+      value => parseInt(value),
+      31337,
+    )
     .requiredOption('--fee-recipient <address>', 'Aztec address that will receive fees', parseAztecAddress)
     .action(async options => {
       const { newValidatorKeystore } = await import('./new.js');
@@ -62,7 +72,6 @@ export function injectCommands(program: Command, log: LogFn) {
     .option('--remote-signer <url>', 'Default remote signer URL for accounts in this file')
     .option('--ikm <hex>', 'Initial keying material for BLS (alternative to mnemonic)', value => parseHex(value, 32))
     .option('--bls-path <path>', 'EIP-2334 path (default m/12381/3600/0/0/0)')
-    .option('--bls-only', 'Generate only BLS keys')
     .option('--empty', 'Generate an empty skeleton without keys')
     .option(
       '--password <str>',
@@ -76,6 +85,25 @@ export function injectCommands(program: Command, log: LogFn) {
       await addValidatorKeys(existing, options, log);
     });
 
+  group
+    .command('staker')
+    .summary('Generate staking JSON from keystore')
+    .description(
+      'Reads a validator keystore and outputs staking data with BLS public keys for each attester (skips mnemonics)',
+    )
+    .requiredOption('--from <keystore>', 'Path to keystore JSON file')
+    .option('--password <password>', 'Password for decrypting encrypted keystores (if not specified in keystore file)')
+    .requiredOption('--gse-address <address>', 'GSE contract address', parseEthereumAddress)
+    .option('--l1-rpc-urls <urls>', 'L1 RPC URLs (comma-separated)', value => value.split(','), [
+      'http://localhost:8545',
+    ])
+    .option('-c, --l1-chain-id <number>', 'L1 chain ID', value => parseInt(value), 31337)
+    .option('--output <file>', 'Output file path (if not specified, JSON is written to stdout)')
+    .action(async options => {
+      const { generateStakerJson } = await import('./staker.js');
+      await generateStakerJson(options, log);
+    });
+
   // top-level convenience: aztec generate-bls-keypair
   program
     .command('generate-bls-keypair')

package/src/cmds/validator_keys/new.ts

@@ -1,9 +1,13 @@
+import { prettyPrintJSON } from '@aztec/cli/utils';
+import { GSEContract, createEthereumChain } from '@aztec/ethereum';
 import type { EthAddress } from '@aztec/foundation/eth-address';
 import type { LogFn } from '@aztec/foundation/log';
 import type { AztecAddress } from '@aztec/stdlib/aztec-address';
 
 import { wordlist } from '@scure/bip39/wordlists/english.js';
-import { dirname } from 'path';
+import { writeFile } from 'fs/promises';
+import { basename, dirname, join } from 'path';
+import { createPublicClient, fallback, http } from 'viem';
 import { generateMnemonic, mnemonicToAccount } from 'viem/accounts';
 
 import {
@@ -15,6 +19,7 @@ import {
   writeEthJsonV3ToFile,
   writeKeystoreFile,
 } from './shared.js';
+import { processAttesterAccounts } from './staker.js';
 
 export type NewValidatorKeystoreOptions = {
   dataDir?: string;
@@ -28,7 +33,6 @@ export type NewValidatorKeystoreOptions = {
   separatePublisher?: boolean;
   ikm?: string;
   blsPath?: string;
-  blsOnly?: boolean;
   password?: string;
   outDir?: string;
   json?: boolean;
@@ -36,6 +40,10 @@ export type NewValidatorKeystoreOptions = {
   coinbase?: EthAddress;
   remoteSigner?: string;
   fundingAccount?: EthAddress;
+  stakerOutput?: boolean;
+  gseAddress?: EthAddress;
+  l1RpcUrls?: string[];
+  l1ChainId?: number;
 };
 
 export async function newValidatorKeystore(options: NewValidatorKeystoreOptions, log: LogFn) {
@@ -51,14 +59,30 @@ export async function newValidatorKeystore(options: NewValidatorKeystoreOptions,
     feeRecipient,
     remoteSigner,
     fundingAccount,
-    blsOnly,
     blsPath,
     ikm,
     mnemonic: _mnemonic,
     password,
     outDir,
+    stakerOutput,
+    gseAddress,
+    l1RpcUrls,
+    l1ChainId,
   } = options;
 
+  // Validate staker output requirements
+  if (stakerOutput) {
+    if (!gseAddress) {
+      throw new Error('--gse-address is required when using --staker-output');
+    }
+    if (!l1RpcUrls || l1RpcUrls.length === 0) {
+      throw new Error('--l1-rpc-urls is required when using --staker-output');
+    }
+    if (l1ChainId === undefined) {
+      throw new Error('--l1-chain-id is required when using --staker-output');
+    }
+  }
+
   if (remoteSigner && !_mnemonic) {
     throw new Error(
       'Using --remote-signer requires a deterministic key source. Provide --mnemonic to derive keys, or omit --remote-signer to write new private keys to keystore.',
@@ -67,6 +91,14 @@ export async function newValidatorKeystore(options: NewValidatorKeystoreOptions,
 
   const mnemonic = _mnemonic ?? generateMnemonic(wordlist);
 
+  if (!_mnemonic && !json) {
+    log('No mnemonic provided, generating new one...');
+    log(`Using new mnemonic:`);
+    log('');
+    log(mnemonic);
+    log('');
+  }
+
   const validatorCount = typeof count === 'number' && Number.isFinite(count) && count > 0 ? Math.floor(count) : 1;
   const { outputPath } = await resolveKeystoreOutputPath(dataDir, file);
 
@@ -78,7 +110,6 @@ export async function newValidatorKeystore(options: NewValidatorKeystoreOptions,
     mnemonic,
     ikm,
     blsPath,
-    blsOnly,
     feeRecipient,
     coinbase,
     remoteSigner,
@@ -99,15 +130,66 @@ export async function newValidatorKeystore(options: NewValidatorKeystoreOptions,
 
   await writeKeystoreFile(outputPath, keystore);
 
-  maybePrintJson(log, json, keystore as unknown as Record<string, any>);
-  if (!json) {
+  // Generate staker outputs if requested
+  const allStakerOutputs: any[] = [];
+  if (stakerOutput && gseAddress && l1RpcUrls && l1ChainId !== undefined) {
+    const chain = createEthereumChain(l1RpcUrls, l1ChainId);
+    const publicClient = createPublicClient({
+      chain: chain.chainInfo,
+      transport: fallback(l1RpcUrls.map(url => http(url))),
+    });
+    const gse = new GSEContract(publicClient, gseAddress);
+
+    const keystoreOutDir = outDir && outDir.length > 0 ? outDir : dirname(outputPath);
+    // Extract keystore base name without extension for unique staker output filenames
+    const keystoreBaseName = basename(outputPath, '.json');
+
+    // Process each validator
+    for (let i = 0; i < validators.length; i++) {
+      const validator = validators[i];
+      const outputs = await processAttesterAccounts(validator.attester, gse, password);
+
+      // Save each attester's staker output
+      for (let j = 0; j < outputs.length; j++) {
+        const attesterIndex = i + 1;
+        const stakerOutputPath = join(
+          keystoreOutDir,
+          `${keystoreBaseName}_attester${attesterIndex}_staker_output.json`,
+        );
+        await writeFile(stakerOutputPath, prettyPrintJSON(outputs[j]), 'utf-8');
+        allStakerOutputs.push(outputs[j]);
+      }
+    }
+  }
+
+  const outputData = !_mnemonic ? { ...keystore, generatedMnemonic: mnemonic } : keystore;
+
+  // Handle JSON output
+  if (json) {
+    if (stakerOutput && allStakerOutputs.length > 0) {
+      const combinedOutput = {
+        keystore: outputData,
+        staker: allStakerOutputs,
+      };
+      maybePrintJson(log, json, combinedOutput as unknown as Record<string, any>);
+    } else {
+      maybePrintJson(log, json, outputData as unknown as Record<string, any>);
+    }
+  } else {
     log(`Wrote validator keystore to ${outputPath}`);
+    if (stakerOutput && allStakerOutputs.length > 0) {
+      const keystoreOutDir = outDir && outDir.length > 0 ? outDir : dirname(outputPath);
+      log(`Wrote ${allStakerOutputs.length} staker output file(s) to ${keystoreOutDir}`);
+      log('');
+    }
   }
 
-  // Always print a concise summary of public keys (addresses and BLS pubkeys)
-  logValidatorSummaries(log, summaries);
+  // print a concise summary of public keys (addresses and BLS pubkeys) if no --json options was selected
+  if (!json) {
+    logValidatorSummaries(log, summaries);
+  }
 
-  if (!blsOnly && mnemonic && remoteSigner) {
+  if (mnemonic && remoteSigner && !json) {
     for (let i = 0; i < validatorCount; i++) {
       const addrIdx = addressIndex + i;
       const acct = mnemonicToAccount(mnemonic, {
@@ -117,4 +199,10 @@ export async function newValidatorKeystore(options: NewValidatorKeystoreOptions,
       log(`attester address: ${acct.address} remoteSignerUrl: ${remoteSigner}`);
     }
   }
+
+  // Log staker outputs if not in JSON mode
+  if (!json && stakerOutput && allStakerOutputs.length > 0) {
+    log('\nStaker outputs:');
+    log(prettyPrintJSON(allStakerOutputs));
+  }
 }

package/src/cmds/validator_keys/shared.ts

@@ -23,7 +23,6 @@ export type BuildValidatorsInput = {
   mnemonic: string;
   ikm?: string;
   blsPath?: string;
-  blsOnly?: boolean;
   feeRecipient: AztecAddress;
   coinbase?: EthAddress;
   remoteSigner?: string;
@@ -69,7 +68,6 @@ export async function buildValidatorEntries(input: BuildValidatorsInput) {
     mnemonic,
     ikm,
     blsPath,
-    blsOnly,
     feeRecipient,
     coinbase,
     remoteSigner,
@@ -85,15 +83,9 @@ export async function buildValidatorEntries(input: BuildValidatorsInput) {
       const basePath = blsPath ?? defaultBlsPath;
       const perValidatorPath = withValidatorIndex(basePath, addressIndex);
 
-      const blsPrivKey = blsOnly || ikm || mnemonic ? deriveBlsPrivateKey(mnemonic, ikm, perValidatorPath) : undefined;
+      const blsPrivKey = ikm || mnemonic ? deriveBlsPrivateKey(mnemonic, ikm, perValidatorPath) : undefined;
       const blsPubCompressed = blsPrivKey ? await computeBlsPublicKeyCompressed(blsPrivKey) : undefined;
 
-      if (blsOnly) {
-        const attester = { bls: blsPrivKey! };
-        summaries.push({ attesterBls: blsPubCompressed });
-        return { attester, feeRecipient } as ValidatorKeyStore;
-      }
-
       const ethAttester = deriveEthAttester(mnemonic, accountIndex, addressIndex, remoteSigner);
       const attester = blsPrivKey ? { eth: ethAttester, bls: blsPrivKey } : ethAttester;
 

package/src/cmds/validator_keys/staker.ts

@@ -0,0 +1,298 @@
+import { prettyPrintJSON } from '@aztec/cli/utils';
+import { GSEContract, createEthereumChain } from '@aztec/ethereum';
+import { computeBn254G1PublicKey, computeBn254G2PublicKey } from '@aztec/foundation/crypto';
+import { decryptBn254Keystore } from '@aztec/foundation/crypto/bls/bn254_keystore';
+import type { EthAddress } from '@aztec/foundation/eth-address';
+import { Fr } from '@aztec/foundation/fields';
+import type { LogFn } from '@aztec/foundation/log';
+import { loadKeystoreFile } from '@aztec/node-keystore/loader';
+import type {
+  AttesterAccount,
+  AttesterAccounts,
+  BLSAccount,
+  EncryptedKeyFileConfig,
+  EthAccount,
+  MnemonicConfig,
+} from '@aztec/node-keystore/types';
+
+import { Wallet } from '@ethersproject/wallet';
+import { readFileSync, writeFileSync } from 'fs';
+import { createPublicClient, fallback, http } from 'viem';
+import { privateKeyToAddress } from 'viem/accounts';
+
+export type StakerOptions = {
+  from: string;
+  password?: string;
+  output?: string;
+  gseAddress: EthAddress;
+  l1RpcUrls: string[];
+  l1ChainId: number;
+};
+
+export type StakerOutput = {
+  attester: string;
+  publicKeyG1: {
+    x: string;
+    y: string;
+  };
+  publicKeyG2: {
+    x0: string;
+    x1: string;
+    y0: string;
+    y1: string;
+  };
+  proofOfPossession: {
+    x: string;
+    y: string;
+  };
+};
+
+/**
+ * Check if an object is a MnemonicConfig
+ */
+function isMnemonicConfig(obj: unknown): obj is MnemonicConfig {
+  return typeof obj === 'object' && obj !== null && 'mnemonic' in obj;
+}
+
+/**
+ * Check if a value is an encrypted keystore file config
+ */
+function isEncryptedKeyFileConfig(value: unknown): value is EncryptedKeyFileConfig {
+  return typeof value === 'object' && value !== null && 'path' in value;
+}
+
+/**
+ * Check if a BLSAccount is a private key string (not an encrypted keystore file)
+ */
+function isBlsPrivateKey(bls: unknown): bls is string {
+  return typeof bls === 'string' && bls.startsWith('0x');
+}
+
+/**
+ * Check if an EthAccount is a private key string (66 chars: 0x + 64 hex)
+ */
+function isEthPrivateKey(eth: unknown): eth is string {
+  return typeof eth === 'string' && eth.startsWith('0x') && eth.length === 66;
+}
+
+/**
+ * Check if a string is an Ethereum address (42 chars: 0x + 40 hex)
+ */
+function isEthAddress(value: unknown): value is string {
+  return typeof value === 'string' && /^0x[0-9a-fA-F]{40}$/.test(value);
+}
+
+/**
+ * Decrypt a BLS private key from an encrypted keystore file
+ */
+function decryptBlsKey(bls: BLSAccount, password?: string): string | undefined {
+  if (isBlsPrivateKey(bls)) {
+    return bls;
+  }
+
+  if (isEncryptedKeyFileConfig(bls)) {
+    if (!password && !bls.password) {
+      return undefined; // Can't decrypt without password
+    }
+    const pwd = password ?? bls.password!;
+    return decryptBn254Keystore(bls.path, pwd);
+  }
+
+  return undefined;
+}
+
+/**
+ * Decrypt an Ethereum private key from an encrypted keystore file
+ */
+async function decryptEthKey(eth: EthAccount, password?: string): Promise<string | undefined> {
+  if (isEthPrivateKey(eth)) {
+    return eth;
+  }
+
+  if (isEncryptedKeyFileConfig(eth)) {
+    if (!password && !eth.password) {
+      return undefined; // Can't decrypt without password
+    }
+    const pwd = password ?? eth.password!;
+    const json = readFileSync(eth.path, 'utf-8');
+    const wallet = await Wallet.fromEncryptedJson(json, pwd);
+    return wallet.privateKey as string;
+  }
+
+  return undefined;
+}
+
+/**
+ * Extract Ethereum address from an EthAccount (or private key)
+ */
+async function getEthAddress(eth: EthAccount | string, password?: string): Promise<EthAddress | undefined> {
+  // Case 1: It's a private key string - derive the address
+  if (isEthPrivateKey(eth)) {
+    return privateKeyToAddress(eth as `0x${string}`) as unknown as EthAddress;
+  }
+
+  // Case 2: It's just an address string directly (EthRemoteSignerAccount can be just EthAddress)
+  if (isEthAddress(eth)) {
+    return eth as unknown as EthAddress;
+  }
+
+  // Case 3: It's an object with an address property (remote signer config)
+  if (typeof eth === 'object' && eth !== null && 'address' in eth) {
+    return (eth as any).address as EthAddress;
+  }
+
+  // Case 4: It's an encrypted keystore file - decrypt and derive address
+  if (isEncryptedKeyFileConfig(eth)) {
+    const privateKey = await decryptEthKey(eth, password);
+    if (privateKey) {
+      return privateKeyToAddress(privateKey as `0x${string}`) as unknown as EthAddress;
+    }
+    return undefined;
+  }
+
+  return undefined;
+}
+
+/**
+ * Extract BLS private key and Ethereum address from an AttesterAccount
+ */
+async function extractAttesterInfo(
+  attester: AttesterAccount,
+  password?: string,
+): Promise<{ blsPrivateKey?: string; ethAddress?: EthAddress }> {
+  // Case 1: attester is { eth: EthAccount, bls?: BLSAccount }
+  if (typeof attester === 'object' && attester !== null && 'eth' in attester) {
+    const ethAddress = await getEthAddress(attester.eth, password);
+    const blsPrivateKey = attester.bls ? decryptBlsKey(attester.bls, password) : undefined;
+    return { blsPrivateKey, ethAddress };
+  }
+
+  // Case 2: attester is just an EthAccount directly (no BLS key)
+  return {
+    blsPrivateKey: undefined,
+    ethAddress: await getEthAddress(attester as EthAccount, password),
+  };
+}
+
+/**
+ * Process a single attester entry and output staking JSON
+ */
+async function processAttester(
+  attester: AttesterAccount,
+  gse: GSEContract,
+  password?: string,
+): Promise<StakerOutput | undefined> {
+  const { blsPrivateKey, ethAddress } = await extractAttesterInfo(attester, password);
+
+  // Skip if no BLS private key or no Ethereum address
+  if (!blsPrivateKey || !ethAddress) {
+    return undefined;
+  }
+
+  // Derive G1 and G2 public keys
+  const g1PublicKey = await computeBn254G1PublicKey(blsPrivateKey);
+  const g2PublicKey = await computeBn254G2PublicKey(blsPrivateKey);
+
+  // Generate proof of possession
+  const bn254SecretKeyFieldElement = Fr.fromString(blsPrivateKey);
+  const registrationTuple = await gse.makeRegistrationTuple(bn254SecretKeyFieldElement.toBigInt());
+
+  return {
+    attester: String(ethAddress),
+    publicKeyG1: {
+      x: '0x' + g1PublicKey.x.toString(16).padStart(64, '0'),
+      y: '0x' + g1PublicKey.y.toString(16).padStart(64, '0'),
+    },
+    publicKeyG2: {
+      x0: '0x' + g2PublicKey.x.c0.toString(16).padStart(64, '0'),
+      x1: '0x' + g2PublicKey.x.c1.toString(16).padStart(64, '0'),
+      y0: '0x' + g2PublicKey.y.c0.toString(16).padStart(64, '0'),
+      y1: '0x' + g2PublicKey.y.c1.toString(16).padStart(64, '0'),
+    },
+    proofOfPossession: {
+      x: '0x' + registrationTuple.proofOfPossession.x.toString(16),
+      y: '0x' + registrationTuple.proofOfPossession.y.toString(16),
+    },
+  };
+}
+
+/**
+ * Process AttesterAccounts (which can be a single attester, array, or mnemonic)
+ */
+export async function processAttesterAccounts(
+  attesterAccounts: AttesterAccounts,
+  gse: GSEContract,
+  password?: string,
+): Promise<StakerOutput[]> {
+  // Skip mnemonic configs
+  if (isMnemonicConfig(attesterAccounts)) {
+    return [];
+  }
+
+  // Handle array of attesters
+  if (Array.isArray(attesterAccounts)) {
+    const results: StakerOutput[] = [];
+    for (const attester of attesterAccounts) {
+      const result = await processAttester(attester, gse, password);
+      if (result) {
+        results.push(result);
+      }
+    }
+    return results;
+  }
+
+  // Handle single attester
+  const result = await processAttester(attesterAccounts, gse, password);
+  return result ? [result] : [];
+}
+
+/**
+ * Main staker command function
+ */
+export async function generateStakerJson(options: StakerOptions, log: LogFn): Promise<void> {
+  const { from, password, gseAddress, l1RpcUrls, l1ChainId, output } = options;
+
+  // Load the keystore file
+  const keystore = loadKeystoreFile(from);
+
+  if (!gseAddress) {
+    throw new Error('GSE contract address is required');
+  }
+  log(`Calling GSE contract ${gseAddress} on chain ${l1ChainId}, using ${l1RpcUrls.join(', ')} to get staker outputs`);
+
+  if (!keystore.validators || keystore.validators.length === 0) {
+    log('No validators found in keystore');
+    return;
+  }
+
+  const allOutputs: StakerOutput[] = [];
+
+  // L1 client for proof of possession
+  const chain = createEthereumChain(l1RpcUrls, l1ChainId);
+  const publicClient = createPublicClient({
+    chain: chain.chainInfo,
+    transport: fallback(l1RpcUrls.map(url => http(url))),
+  });
+  const gse = new GSEContract(publicClient, gseAddress);
+
+  // Process each validator
+  for (const validator of keystore.validators) {
+    const outputs = await processAttesterAccounts(validator.attester, gse, password);
+    allOutputs.push(...outputs);
+  }
+
+  if (allOutputs.length === 0) {
+    log('No attesters with BLS keys found (skipping mnemonics and encrypted keystores without password)');
+    return;
+  }
+
+  const jsonOutput = prettyPrintJSON(allOutputs);
+
+  // Write to file if output is specified, otherwise log to stdout
+  if (output) {
+    writeFileSync(output, jsonOutput, 'utf-8');
+    log(`Wrote staking data to ${output}`);
+  } else {
+    log(jsonOutput);
+  }
+}