@aztec/cli 3.0.0-nightly.20251118 → 3.0.0-nightly.20251120

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aztec/cli",
-  "version": "3.0.0-nightly.20251118",
+  "version": "3.0.0-nightly.20251120",
   "type": "module",
   "exports": {
     "./contracts": "./dest/cmds/contracts/index.js",
@@ -71,21 +71,21 @@
     ]
   },
   "dependencies": {
-    "@aztec/accounts": "3.0.0-nightly.20251118",
-    "@aztec/archiver": "3.0.0-nightly.20251118",
-    "@aztec/aztec.js": "3.0.0-nightly.20251118",
-    "@aztec/constants": "3.0.0-nightly.20251118",
-    "@aztec/entrypoints": "3.0.0-nightly.20251118",
-    "@aztec/ethereum": "3.0.0-nightly.20251118",
-    "@aztec/foundation": "3.0.0-nightly.20251118",
-    "@aztec/l1-artifacts": "3.0.0-nightly.20251118",
-    "@aztec/node-keystore": "3.0.0-nightly.20251118",
-    "@aztec/node-lib": "3.0.0-nightly.20251118",
-    "@aztec/p2p": "3.0.0-nightly.20251118",
-    "@aztec/protocol-contracts": "3.0.0-nightly.20251118",
-    "@aztec/stdlib": "3.0.0-nightly.20251118",
-    "@aztec/test-wallet": "3.0.0-nightly.20251118",
-    "@aztec/world-state": "3.0.0-nightly.20251118",
+    "@aztec/accounts": "3.0.0-nightly.20251120",
+    "@aztec/archiver": "3.0.0-nightly.20251120",
+    "@aztec/aztec.js": "3.0.0-nightly.20251120",
+    "@aztec/constants": "3.0.0-nightly.20251120",
+    "@aztec/entrypoints": "3.0.0-nightly.20251120",
+    "@aztec/ethereum": "3.0.0-nightly.20251120",
+    "@aztec/foundation": "3.0.0-nightly.20251120",
+    "@aztec/l1-artifacts": "3.0.0-nightly.20251120",
+    "@aztec/node-keystore": "3.0.0-nightly.20251120",
+    "@aztec/node-lib": "3.0.0-nightly.20251120",
+    "@aztec/p2p": "3.0.0-nightly.20251120",
+    "@aztec/protocol-contracts": "3.0.0-nightly.20251120",
+    "@aztec/stdlib": "3.0.0-nightly.20251120",
+    "@aztec/test-wallet": "3.0.0-nightly.20251120",
+    "@aztec/world-state": "3.0.0-nightly.20251120",
     "@ethersproject/wallet": "^5.8.0",
     "@iarna/toml": "^2.2.5",
     "@libp2p/peer-id-factory": "^3.0.4",
@@ -99,9 +99,9 @@
     "viem": "npm:@spalladino/viem@2.38.2-eip7594.0"
   },
   "devDependencies": {
-    "@aztec/aztec-node": "3.0.0-nightly.20251118",
-    "@aztec/kv-store": "3.0.0-nightly.20251118",
-    "@aztec/telemetry-client": "3.0.0-nightly.20251118",
+    "@aztec/aztec-node": "3.0.0-nightly.20251120",
+    "@aztec/kv-store": "3.0.0-nightly.20251120",
+    "@aztec/telemetry-client": "3.0.0-nightly.20251120",
     "@jest/globals": "^30.0.0",
     "@types/jest": "^30.0.0",
     "@types/lodash.chunk": "^4.2.9",
@@ -117,20 +117,21 @@
     "typescript": "^5.3.3"
   },
   "peerDependencies": {
-    "@aztec/accounts": "3.0.0-nightly.20251118",
-    "@aztec/bb-prover": "3.0.0-nightly.20251118",
-    "@aztec/ethereum": "3.0.0-nightly.20251118",
-    "@aztec/l1-artifacts": "3.0.0-nightly.20251118",
-    "@aztec/noir-contracts.js": "3.0.0-nightly.20251118",
-    "@aztec/noir-protocol-circuits-types": "3.0.0-nightly.20251118",
-    "@aztec/noir-test-contracts.js": "3.0.0-nightly.20251118",
-    "@aztec/protocol-contracts": "3.0.0-nightly.20251118",
-    "@aztec/stdlib": "3.0.0-nightly.20251118"
+    "@aztec/accounts": "3.0.0-nightly.20251120",
+    "@aztec/bb-prover": "3.0.0-nightly.20251120",
+    "@aztec/ethereum": "3.0.0-nightly.20251120",
+    "@aztec/l1-artifacts": "3.0.0-nightly.20251120",
+    "@aztec/noir-contracts.js": "3.0.0-nightly.20251120",
+    "@aztec/noir-protocol-circuits-types": "3.0.0-nightly.20251120",
+    "@aztec/noir-test-contracts.js": "3.0.0-nightly.20251120",
+    "@aztec/protocol-contracts": "3.0.0-nightly.20251120",
+    "@aztec/stdlib": "3.0.0-nightly.20251120"
   },
   "files": [
     "dest",
     "src",
-    "!*.test.*"
+    "!*.test.*",
+    "public_include_metric_prefixes.json"
   ],
   "types": "./dest/index.d.ts",
   "engines": {

package/public_include_metric_prefixes.json

@@ -0,0 +1 @@
+["aztec.validator", "aztec.tx_collector", "aztec.mempool", "aztec.p2p.gossip.agg_", "aztec.ivc_verifier.agg_"]

package/src/cmds/validator_keys/add.ts

@@ -16,15 +16,24 @@ import {
   writeEthJsonV3ToFile,
   writeKeystoreFile,
 } from './shared.js';
+import { validateBlsPathOptions, validatePublisherOptions, validateRemoteSignerOptions } from './utils.js';
 
 export type AddValidatorKeysOptions = NewValidatorKeystoreOptions;
 
 export async function addValidatorKeys(existing: string, options: AddValidatorKeysOptions, log: LogFn) {
+  // validate bls-path inputs before proceeding with key generation
+  validateBlsPathOptions(options);
+  // validate publisher options
+  validatePublisherOptions(options);
+  // validate remote signer options
+  validateRemoteSignerOptions(options);
+
   const {
     dataDir,
     file,
     count,
     publisherCount = 0,
+    publishers,
     mnemonic,
     accountIndex = 0,
     addressIndex,
@@ -36,7 +45,7 @@ export async function addValidatorKeys(existing: string, options: AddValidatorKe
     fundingAccount: fundingAccountOpt,
     remoteSigner: remoteSignerOpt,
     password,
-    outDir,
+    encryptedKeystoreDir,
   } = options;
 
   const validatorCount = typeof count === 'number' && Number.isFinite(count) && count > 0 ? Math.floor(count) : 1;
@@ -69,6 +78,7 @@ export async function addValidatorKeys(existing: string, options: AddValidatorKe
   const { validators, summaries } = await buildValidatorEntries({
     validatorCount,
     publisherCount,
+    publishers,
     accountIndex,
     baseAddressIndex: effectiveBaseAddressIndex,
     mnemonic: mnemonicToUse,
@@ -84,10 +94,16 @@ export async function addValidatorKeys(existing: string, options: AddValidatorKe
 
   // If password provided, write ETH JSON V3 and BLS BN254 keystores and replace plaintext
   if (password !== undefined) {
-    const targetDir =
-      outDir && outDir.length > 0 ? outDir : dataDir && dataDir.length > 0 ? dataDir : dirname(existing);
+    let targetDir: string;
+    if (encryptedKeystoreDir && encryptedKeystoreDir.length > 0) {
+      targetDir = encryptedKeystoreDir;
+    } else if (dataDir && dataDir.length > 0) {
+      targetDir = dataDir;
+    } else {
+      targetDir = dirname(existing);
+    }
     await writeEthJsonV3ToFile(keystore.validators, { outDir: targetDir, password });
-    await writeBlsBn254ToFile(keystore.validators, { outDir: targetDir, password });
+    await writeBlsBn254ToFile(keystore.validators, { outDir: targetDir, password, blsPath });
   }
 
   let outputPath = existing;

package/src/cmds/validator_keys/generate_bls_keypair.ts

@@ -4,6 +4,7 @@ import type { LogFn } from '@aztec/foundation/log';
 import { writeFile } from 'fs/promises';
 
 import { computeBlsPublicKeyCompressed, withValidatorIndex } from './shared.js';
+import { defaultBlsPath } from './utils.js';
 
 export type GenerateBlsKeypairOptions = {
   mnemonic?: string;
@@ -17,7 +18,7 @@ export type GenerateBlsKeypairOptions = {
 
 export async function generateBlsKeypair(options: GenerateBlsKeypairOptions, log: LogFn) {
   const { mnemonic, ikm, blsPath, compressed = true, json, out } = options;
-  const path = withValidatorIndex(blsPath ?? 'm/12381/3600/0/0/0', 0);
+  const path = withValidatorIndex(blsPath ?? defaultBlsPath, 0);
   const priv = deriveBlsPrivateKey(mnemonic, ikm, path);
   const pub = await computeBlsPublicKeyCompressed(priv);
   const result = { path, privateKey: priv, publicKey: pub, format: compressed ? 'compressed' : 'uncompressed' };

package/src/cmds/validator_keys/index.ts

@@ -3,6 +3,7 @@ import type { LogFn } from '@aztec/foundation/log';
 import { Command } from 'commander';
 
 import { parseAztecAddress, parseEthereumAddress, parseHex, parseOptionalInteger } from '../../utils/commands.js';
+import { defaultBlsPath } from './utils.js';
 
 export function injectCommands(program: Command, log: LogFn) {
   const group = program
@@ -17,25 +18,32 @@ export function injectCommands(program: Command, log: LogFn) {
     .option('--data-dir <path>', 'Directory to store keystore(s). Defaults to ~/.aztec/keystore')
     .option('--file <name>', 'Keystore file name. Defaults to key1.json (or keyN.json if key1.json exists)')
     .option('--count <N>', 'Number of validators to generate', parseOptionalInteger)
-    .option('--publisher-count <N>', 'Number of publisher accounts per validator (default 1)', value =>
+    .option('--publisher-count <N>', 'Number of publisher accounts per validator (default 0)', value =>
       parseOptionalInteger(value, 0),
     )
+    .option('--publishers <privateKeys>', 'Comma-separated list of publisher private keys for all validators.', value =>
+      value.split(',').map((key: string) => key.trim()),
+    )
     .option('--mnemonic <mnemonic>', 'Mnemonic for ETH/BLS derivation')
     .option('--passphrase <str>', 'Optional passphrase for mnemonic')
-    .option('--account-index <N>', 'Base account index for ETH derivation', parseOptionalInteger)
-    .option('--address-index <N>', 'Base address index for ETH derivation', parseOptionalInteger)
-    .option('--coinbase <address>', 'Coinbase ETH address to use when proposing', parseEthereumAddress)
+    .option('--account-index <N>', 'Base account index for ETH/BLS derivation', parseOptionalInteger)
+    .option('--address-index <N>', 'Base address index for ETH/BLS derivation', parseOptionalInteger)
+    .option(
+      '--coinbase <address>',
+      'Coinbase ETH address to use when proposing. Defaults to attester address.',
+      parseEthereumAddress,
+    )
     .option('--funding-account <address>', 'ETH account to fund publishers', parseEthereumAddress)
     .option('--remote-signer <url>', 'Default remote signer URL for accounts in this file')
     .option('--ikm <hex>', 'Initial keying material for BLS (alternative to mnemonic)', value => parseHex(value, 32))
-    .option('--bls-path <path>', 'EIP-2334 path (default m/12381/3600/0/0/0)')
+    .option('--bls-path <path>', `EIP-2334 path (default ${defaultBlsPath})`)
     .option(
       '--password <str>',
       'Password for writing keystore files (ETH JSON V3 and BLS EIP-2335). Empty string allowed',
     )
-    .option('--out-dir <dir>', 'Output directory for generated keystore file(s)')
+    .option('--encrypted-keystore-dir <dir>', 'Output directory for encrypted keystore file(s)')
     .option('--json', 'Echo resulting JSON to stdout')
-    .option('--staker-output', 'Generate staker output JSON files for each attester')
+    .option('--staker-output', 'Generate a single staker output JSON file with an array of validator entries')
     .option('--gse-address <address>', 'GSE contract address (required with --staker-output)', parseEthereumAddress)
     .option('--l1-rpc-urls <urls>', 'L1 RPC URLs (comma-separated, required with --staker-output)', value =>
       value.split(','),
@@ -49,6 +57,7 @@ export function injectCommands(program: Command, log: LogFn) {
     .requiredOption('--fee-recipient <address>', 'Aztec address that will receive fees', parseAztecAddress)
     .action(async options => {
       const { newValidatorKeystore } = await import('./new.js');
+
       await newValidatorKeystore(options, log);
     });
 
@@ -57,27 +66,34 @@ export function injectCommands(program: Command, log: LogFn) {
     .summary('Augment an existing validator keystore JSON')
     .description('Adds attester/publisher/BLS entries to an existing keystore using the same flags as new')
     .argument('<existing>', 'Path to existing keystore JSON')
-    .option('--data-dir <path>', 'Directory where keystore(s) live')
-    .option('--file <name>', 'Override output file name')
-    .option('--count <N>', 'Number of validators to add', parseOptionalInteger)
-    .option('--publisher-count <N>', 'Number of publisher accounts per validator (default 1)', value =>
+    .option('--data-dir <path>', 'Directory where keystore(s) live. (default: ~/.aztec/keystore)')
+    .option('--file <name>', 'Override output file name. (default: key<N>.json)')
+    .option('--count <N>', 'Number of validators to add. (default: 1)', parseOptionalInteger)
+    .option('--publisher-count <N>', 'Number of publisher accounts per validator (default 0)', value =>
       parseOptionalInteger(value, 0),
     )
+    .option('--publishers <privateKeys>', 'Comma-separated list of publisher private keys for all validators.', value =>
+      value.split(',').map((key: string) => key.trim()),
+    )
     .option('--mnemonic <mnemonic>', 'Mnemonic for ETH/BLS derivation')
     .option('--passphrase <str>', 'Optional passphrase for mnemonic')
-    .option('--account-index <N>', 'Base account index for ETH derivation', parseOptionalInteger)
-    .option('--address-index <N>', 'Base address index for ETH derivation', parseOptionalInteger)
-    .option('--coinbase <address>', 'Coinbase ETH address to use when proposing', parseEthereumAddress)
+    .option('--account-index <N>', 'Base account index for ETH/BLS derivation', parseOptionalInteger)
+    .option('--address-index <N>', 'Base address index for ETH/BLS derivation', parseOptionalInteger)
+    .option(
+      '--coinbase <address>',
+      'Coinbase ETH address to use when proposing. Defaults to attester address.',
+      parseEthereumAddress,
+    )
     .option('--funding-account <address>', 'ETH account to fund publishers', parseEthereumAddress)
     .option('--remote-signer <url>', 'Default remote signer URL for accounts in this file')
     .option('--ikm <hex>', 'Initial keying material for BLS (alternative to mnemonic)', value => parseHex(value, 32))
-    .option('--bls-path <path>', 'EIP-2334 path (default m/12381/3600/0/0/0)')
+    .option('--bls-path <path>', `EIP-2334 path (default ${defaultBlsPath})`)
     .option('--empty', 'Generate an empty skeleton without keys')
     .option(
       '--password <str>',
       'Password for writing keystore files (ETH JSON V3 and BLS EIP-2335). Empty string allowed',
     )
-    .option('--out-dir <dir>', 'Output directory for generated keystore file(s)')
+    .option('--encrypted-keystore-dir <dir>', 'Output directory for encrypted keystore file(s)')
     .option('--json', 'Echo resulting JSON to stdout')
     .requiredOption('--fee-recipient <address>', 'Aztec address that will receive fees', parseAztecAddress)
     .action(async (existing: string, options) => {
@@ -110,7 +126,7 @@ export function injectCommands(program: Command, log: LogFn) {
     .description('Generate a BLS keypair with convenience flags')
     .option('--mnemonic <mnemonic>', 'Mnemonic for BLS derivation')
     .option('--ikm <hex>', 'Initial keying material for BLS (alternative to mnemonic)', value => parseHex(value, 32))
-    .option('--bls-path <path>', 'EIP-2334 path (default m/12381/3600/0/0/0)')
+    .option('--bls-path <path>', `EIP-2334 path (default ${defaultBlsPath})`)
     .option('--g2', 'Derive on G2 subgroup')
     .option('--compressed', 'Output compressed public key')
     .option('--json', 'Print JSON output to stdout')

package/src/cmds/validator_keys/new.ts

@@ -20,12 +20,19 @@ import {
   writeKeystoreFile,
 } from './shared.js';
 import { processAttesterAccounts } from './staker.js';
+import {
+  validateBlsPathOptions,
+  validatePublisherOptions,
+  validateRemoteSignerOptions,
+  validateStakerOutputOptions,
+} from './utils.js';
 
 export type NewValidatorKeystoreOptions = {
   dataDir?: string;
   file?: string;
   count?: number;
   publisherCount?: number;
+  publishers?: string[];
   mnemonic?: string;
   passphrase?: string;
   accountIndex?: number;
@@ -34,7 +41,7 @@ export type NewValidatorKeystoreOptions = {
   ikm?: string;
   blsPath?: string;
   password?: string;
-  outDir?: string;
+  encryptedKeystoreDir?: string;
   json?: boolean;
   feeRecipient: AztecAddress;
   coinbase?: EthAddress;
@@ -47,11 +54,21 @@ export type NewValidatorKeystoreOptions = {
 };
 
 export async function newValidatorKeystore(options: NewValidatorKeystoreOptions, log: LogFn) {
+  // validate bls-path inputs before proceeding with key generation
+  validateBlsPathOptions(options);
+  // validate staker output options before proceeding with key generation
+  validateStakerOutputOptions(options);
+  // validate publisher options
+  validatePublisherOptions(options);
+  // validate remote signer options
+  validateRemoteSignerOptions(options);
+
   const {
     dataDir,
     file,
     count,
     publisherCount = 0,
+    publishers,
     json,
     coinbase,
     accountIndex = 0,
@@ -63,32 +80,13 @@ export async function newValidatorKeystore(options: NewValidatorKeystoreOptions,
     ikm,
     mnemonic: _mnemonic,
     password,
-    outDir,
+    encryptedKeystoreDir,
     stakerOutput,
     gseAddress,
     l1RpcUrls,
     l1ChainId,
   } = options;
 
-  // Validate staker output requirements
-  if (stakerOutput) {
-    if (!gseAddress) {
-      throw new Error('--gse-address is required when using --staker-output');
-    }
-    if (!l1RpcUrls || l1RpcUrls.length === 0) {
-      throw new Error('--l1-rpc-urls is required when using --staker-output');
-    }
-    if (l1ChainId === undefined) {
-      throw new Error('--l1-chain-id is required when using --staker-output');
-    }
-  }
-
-  if (remoteSigner && !_mnemonic) {
-    throw new Error(
-      'Using --remote-signer requires a deterministic key source. Provide --mnemonic to derive keys, or omit --remote-signer to write new private keys to keystore.',
-    );
-  }
-
   const mnemonic = _mnemonic ?? generateMnemonic(wordlist);
 
   if (!_mnemonic && !json) {
@@ -101,10 +99,12 @@ export async function newValidatorKeystore(options: NewValidatorKeystoreOptions,
 
   const validatorCount = typeof count === 'number' && Number.isFinite(count) && count > 0 ? Math.floor(count) : 1;
   const { outputPath } = await resolveKeystoreOutputPath(dataDir, file);
+  const keystoreOutDir = dirname(outputPath);
 
   const { validators, summaries } = await buildValidatorEntries({
     validatorCount,
     publisherCount,
+    publishers,
     accountIndex,
     baseAddressIndex: addressIndex,
     mnemonic,
@@ -118,9 +118,10 @@ export async function newValidatorKeystore(options: NewValidatorKeystoreOptions,
 
   // If password provided, write ETH JSON V3 and BLS BN254 keystores and replace plaintext
   if (password !== undefined) {
-    const keystoreOutDir = outDir && outDir.length > 0 ? outDir : dirname(outputPath);
-    await writeEthJsonV3ToFile(validators, { outDir: keystoreOutDir, password });
-    await writeBlsBn254ToFile(validators, { outDir: keystoreOutDir, password });
+    const encryptedKeystoreOutDir =
+      encryptedKeystoreDir && encryptedKeystoreDir.length > 0 ? encryptedKeystoreDir : keystoreOutDir;
+    await writeEthJsonV3ToFile(validators, { outDir: encryptedKeystoreOutDir, password });
+    await writeBlsBn254ToFile(validators, { outDir: encryptedKeystoreOutDir, password });
   }
 
   const keystore = {
@@ -140,7 +141,6 @@ export async function newValidatorKeystore(options: NewValidatorKeystoreOptions,
     });
     const gse = new GSEContract(publicClient, gseAddress);
 
-    const keystoreOutDir = outDir && outDir.length > 0 ? outDir : dirname(outputPath);
     // Extract keystore base name without extension for unique staker output filenames
     const keystoreBaseName = basename(outputPath, '.json');
 
@@ -149,17 +149,17 @@ export async function newValidatorKeystore(options: NewValidatorKeystoreOptions,
       const validator = validators[i];
       const outputs = await processAttesterAccounts(validator.attester, gse, password);
 
-      // Save each attester's staker output
+      // Collect all staker outputs
       for (let j = 0; j < outputs.length; j++) {
-        const attesterIndex = i + 1;
-        const stakerOutputPath = join(
-          keystoreOutDir,
-          `${keystoreBaseName}_attester${attesterIndex}_staker_output.json`,
-        );
-        await writeFile(stakerOutputPath, prettyPrintJSON(outputs[j]), 'utf-8');
         allStakerOutputs.push(outputs[j]);
       }
     }
+
+    // Write a single JSON file with all staker outputs
+    if (allStakerOutputs.length > 0) {
+      const stakerOutputPath = join(keystoreOutDir, `${keystoreBaseName}_staker_output.json`);
+      await writeFile(stakerOutputPath, prettyPrintJSON(allStakerOutputs), 'utf-8');
+    }
   }
 
   const outputData = !_mnemonic ? { ...keystore, generatedMnemonic: mnemonic } : keystore;
@@ -178,8 +178,9 @@ export async function newValidatorKeystore(options: NewValidatorKeystoreOptions,
   } else {
     log(`Wrote validator keystore to ${outputPath}`);
     if (stakerOutput && allStakerOutputs.length > 0) {
-      const keystoreOutDir = outDir && outDir.length > 0 ? outDir : dirname(outputPath);
-      log(`Wrote ${allStakerOutputs.length} staker output file(s) to ${keystoreOutDir}`);
+      const keystoreBaseName = basename(outputPath, '.json');
+      const stakerOutputPath = join(keystoreOutDir, `${keystoreBaseName}_staker_output.json`);
+      log(`Wrote staker output for ${allStakerOutputs.length} validator(s) to ${stakerOutputPath}`);
       log('');
     }
   }

package/src/cmds/validator_keys/shared.ts

@@ -13,11 +13,14 @@ import { homedir } from 'os';
 import { dirname, isAbsolute, join } from 'path';
 import { mnemonicToAccount } from 'viem/accounts';
 
+import { defaultBlsPath } from './utils.js';
+
 export type ValidatorSummary = { attesterEth?: string; attesterBls?: string; publisherEth?: string[] };
 
 export type BuildValidatorsInput = {
   validatorCount: number;
   publisherCount?: number;
+  publishers?: string[];
   accountIndex: number;
   baseAddressIndex: number;
   mnemonic: string;
@@ -30,10 +33,23 @@ export type BuildValidatorsInput = {
 };
 
 export function withValidatorIndex(path: string, accountIndex: number = 0, addressIndex: number = 0) {
+  // NOTE: The legacy BLS CLI is to allow users who generated keys in 2.1.4 to be able to use the same command
+  // to re-generate their keys. In 2.1.5 we switched how we append addresses to the path so this is to maintain backwards compatibility.
+  const useLegacyBlsCli = ['true', '1', 'yes', 'y'].includes(process.env.LEGACY_BLS_CLI ?? '');
+
+  const defaultBlsPathParts = defaultBlsPath.split('/');
+
   const parts = path.split('/');
-  if (parts.length == 6 && parts[0] === 'm' && parts[1] === '12381' && parts[2] === '3600') {
-    parts[3] = String(accountIndex);
-    parts[5] = String(addressIndex);
+  if (parts.length == defaultBlsPathParts.length && parts.every((part, index) => part === defaultBlsPathParts[index])) {
+    if (useLegacyBlsCli) {
+      // In 2.1.4, we were using address-index in parts[3] and did NOT use account-index, check lines 32 & 84
+      // https://github.com/AztecProtocol/aztec-packages/blob/v2.1.4/yarn-project/cli/src/cmds/validator_keys/shared.ts
+
+      parts[3] = String(addressIndex);
+    } else {
+      parts[3] = String(accountIndex);
+      parts[5] = String(addressIndex);
+    }
     return parts.join('/');
   }
   return path;
@@ -64,6 +80,7 @@ export async function buildValidatorEntries(input: BuildValidatorsInput) {
   const {
     validatorCount,
     publisherCount = 0,
+    publishers,
     accountIndex,
     baseAddressIndex,
     mnemonic,
@@ -75,7 +92,6 @@ export async function buildValidatorEntries(input: BuildValidatorsInput) {
     fundingAccount,
   } = input;
 
-  const defaultBlsPath = 'm/12381/3600/0/0/0';
   const summaries: ValidatorSummary[] = [];
 
   const validators = await Promise.all(
@@ -92,7 +108,10 @@ export async function buildValidatorEntries(input: BuildValidatorsInput) {
 
       let publisherField: EthAccount | EthPrivateKey | (EthAccount | EthPrivateKey)[] | undefined;
       const publisherAddresses: string[] = [];
-      if (publisherCount > 0) {
+      if (publishers && publishers.length > 0) {
+        publisherAddresses.push(...publishers);
+        publisherField = publishers.length === 1 ? (publishers[0] as EthPrivateKey) : (publishers as EthPrivateKey[]);
+      } else if (publisherCount > 0) {
         const publishersBaseIndex = baseAddressIndex + validatorCount + i * publisherCount;
         const publisherAccounts = Array.from({ length: publisherCount }, (_unused2, j) => {
           const publisherAddressIndex = publishersBaseIndex + j;
@@ -123,7 +142,7 @@ export async function buildValidatorEntries(input: BuildValidatorsInput) {
         attester,
         ...(publisherField !== undefined ? { publisher: publisherField } : {}),
         feeRecipient,
-        coinbase,
+        coinbase: coinbase ?? attesterEthAddress,
         fundingAccount,
       } as ValidatorKeyStore;
     }),
@@ -222,7 +241,7 @@ export async function writeBn254BlsKeystore(
 /** Replace plaintext BLS keys in validators with { path, password } pointing to BN254 keystore files. */
 export async function writeBlsBn254ToFile(
   validators: ValidatorKeyStore[],
-  options: { outDir: string; password: string },
+  options: { outDir: string; password: string; blsPath?: string },
 ): Promise<void> {
   for (let i = 0; i < validators.length; i++) {
     const v = validators[i];
@@ -238,7 +257,7 @@ export async function writeBlsBn254ToFile(
     }
 
     const pub = await computeBlsPublicKeyCompressed(blsKey);
-    const path = 'm/12381/3600/0/0/0';
+    const path = options.blsPath ?? defaultBlsPath;
     const fileBase = `${String(i + 1)}_${pub.slice(2, 18)}`;
     const keystorePath = await writeBn254BlsKeystore(options.outDir, fileBase, options.password, blsKey, pub, path);
 

package/src/cmds/validator_keys/staker.ts

@@ -17,6 +17,7 @@ import type {
 
 import { Wallet } from '@ethersproject/wallet';
 import { readFileSync, writeFileSync } from 'fs';
+import { basename, dirname, join } from 'path';
 import { createPublicClient, fallback, http } from 'viem';
 import { privateKeyToAddress } from 'viem/accounts';
 
@@ -275,10 +276,16 @@ export async function generateStakerJson(options: StakerOptions, log: LogFn): Pr
   });
   const gse = new GSEContract(publicClient, gseAddress);
 
-  // Process each validator
-  for (const validator of keystore.validators) {
+  const keystoreBaseName = basename(from, '.json');
+  const outputDir = output ? output : dirname(from);
+
+  for (let i = 0; i < keystore.validators.length; i++) {
+    const validator = keystore.validators[i];
     const outputs = await processAttesterAccounts(validator.attester, gse, password);
-    allOutputs.push(...outputs);
+
+    for (let j = 0; j < outputs.length; j++) {
+      allOutputs.push(outputs[j]);
+    }
   }
 
   if (allOutputs.length === 0) {
@@ -286,13 +293,8 @@ export async function generateStakerJson(options: StakerOptions, log: LogFn): Pr
     return;
   }
 
-  const jsonOutput = prettyPrintJSON(allOutputs);
-
-  // Write to file if output is specified, otherwise log to stdout
-  if (output) {
-    writeFileSync(output, jsonOutput, 'utf-8');
-    log(`Wrote staking data to ${output}`);
-  } else {
-    log(jsonOutput);
-  }
+  // Write a single JSON file with all staker outputs
+  const stakerOutputPath = join(outputDir, `${keystoreBaseName}_staker_output.json`);
+  writeFileSync(stakerOutputPath, prettyPrintJSON(allOutputs), 'utf-8');
+  log(`Wrote staker output for ${allOutputs.length} validator(s) to ${stakerOutputPath}`);
 }

package/src/cmds/validator_keys/utils.ts

@@ -0,0 +1,80 @@
+import type { EthAddress } from '@aztec/foundation/eth-address';
+import { type EthPrivateKey, ethPrivateKeySchema } from '@aztec/node-keystore';
+
+export const defaultBlsPath = 'm/12381/3600/0/0/0';
+
+export function validateBlsPathOptions(options: {
+  count?: number;
+  publisherCount?: number;
+  accountIndex?: number;
+  addressIndex?: number;
+  blsPath?: string;
+  ikm?: string;
+}) {
+  if (options.blsPath && options.blsPath !== defaultBlsPath) {
+    if (
+      (options.count && options.count !== 1) ||
+      (options.publisherCount && options.publisherCount > 0) ||
+      (options.accountIndex && options.accountIndex !== 0) ||
+      (options.addressIndex && options.addressIndex !== 0)
+    ) {
+      throw new Error('--bls-path cannot be used with --count, --publisher-count, --account-index, or --address-index');
+    }
+  }
+}
+
+export function validateStakerOutputOptions(options: {
+  stakerOutput?: boolean;
+  gseAddress?: EthAddress;
+  l1RpcUrls?: string[];
+  l1ChainId?: number;
+}) {
+  if (!options.stakerOutput) {
+    return;
+  }
+  // Required options for staker output
+  if (!options.gseAddress) {
+    throw new Error('--gse-address is required when using --staker-output');
+  }
+  if (!options.l1RpcUrls || options.l1RpcUrls.length === 0) {
+    throw new Error('--l1-rpc-urls is required when using --staker-output');
+  }
+
+  if (options.l1ChainId === undefined) {
+    throw new Error('--l1-chain-id is required when using --staker-output');
+  }
+}
+
+export function validateRemoteSignerOptions(options: { remoteSigner?: string; mnemonic?: string }) {
+  if (options.remoteSigner && !options.mnemonic) {
+    throw new Error(
+      'Using --remote-signer requires a deterministic key source. Provide --mnemonic to derive keys, or omit --remote-signer to write new private keys to keystore.',
+    );
+  }
+}
+
+export function validatePublisherOptions(options: { publishers?: string[]; publisherCount?: number }) {
+  if (options.publisherCount && options.publisherCount > 0 && options.publishers && options.publishers.length > 0) {
+    throw new Error('--publishers and --publisher-count cannot be used together');
+  }
+
+  if (options.publishers && options.publishers.length > 0) {
+    // Normalize each private key by adding 0x prefix if missing
+    const normalizedKeys: string[] = [];
+    for (const key of options.publishers) {
+      let privateKey = key.trim();
+      if (!privateKey.startsWith('0x')) {
+        privateKey = '0x' + privateKey;
+      }
+
+      try {
+        ethPrivateKeySchema.parse(privateKey);
+        normalizedKeys.push(privateKey);
+      } catch (error) {
+        throw new Error(`Invalid publisher private key: ${error instanceof Error ? error.message : String(error)}`);
+      }
+    }
+    // Update the options with the normalized keys
+    options.publishers = normalizedKeys as EthPrivateKey[];
+  }
+}