@aztec/cli 5.0.0-nightly.20260703 → 5.0.0-nightly.20260705

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXRoX2pzb25fdjNfd29ya2VyLmQudHMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvY21kcy92YWxpZGF0b3Jfa2V5cy9ldGhfanNvbl92M193b3JrZXIudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IiJ9
@@ -0,0 +1 @@
1
+ {"version":3,"file":"eth_json_v3_worker.d.ts","sourceRoot":"","sources":["../../../src/cmds/validator_keys/eth_json_v3_worker.ts"],"names":[],"mappings":""}
@@ -0,0 +1,27 @@
1
+ import { Wallet } from '@ethersproject/wallet';
2
+ import { parentPort, workerData } from 'worker_threads';
3
+ function serializeError(error) {
4
+ if (error instanceof Error) {
5
+ return {
6
+ message: error.message,
7
+ name: error.name,
8
+ stack: error.stack
9
+ };
10
+ }
11
+ return {
12
+ message: String(error)
13
+ };
14
+ }
15
+ void (async ()=>{
16
+ try {
17
+ const { privateKeyHex, password } = workerData;
18
+ const json = await new Wallet(privateKeyHex).encrypt(password);
19
+ parentPort?.postMessage({
20
+ json
21
+ });
22
+ } catch (error) {
23
+ parentPort?.postMessage({
24
+ error: serializeError(error)
25
+ });
26
+ }
27
+ })();
@@ -1,4 +1,4 @@
1
1
  import type { LogFn } from '@aztec/foundation/log';
2
2
  import { Command } from 'commander';
3
3
  export declare function injectCommands(program: Command, log: LogFn): Command;
4
- //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguZC50cyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9jbWRzL3ZhbGlkYXRvcl9rZXlzL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sS0FBSyxFQUFFLEtBQUssRUFBRSxNQUFNLHVCQUF1QixDQUFDO0FBRW5ELE9BQU8sRUFBRSxPQUFPLEVBQUUsTUFBTSxXQUFXLENBQUM7QUFLcEMsd0JBQWdCLGNBQWMsQ0FBQyxPQUFPLEVBQUUsT0FBTyxFQUFFLEdBQUcsRUFBRSxLQUFLLFdBc0kxRCJ9
4
+ //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguZC50cyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9jbWRzL3ZhbGlkYXRvcl9rZXlzL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sS0FBSyxFQUFFLEtBQUssRUFBRSxNQUFNLHVCQUF1QixDQUFDO0FBRW5ELE9BQU8sRUFBRSxPQUFPLEVBQVUsTUFBTSxXQUFXLENBQUM7QUFLNUMsd0JBQWdCLGNBQWMsQ0FBQyxPQUFPLEVBQUUsT0FBTyxFQUFFLEdBQUcsRUFBRSxLQUFLLFdBb0oxRCJ9
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cmds/validator_keys/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAEnD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAKpC,wBAAgB,cAAc,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,WAsI1D"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cmds/validator_keys/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAEnD,OAAO,EAAE,OAAO,EAAU,MAAM,WAAW,CAAC;AAK5C,wBAAgB,cAAc,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,WAoJ1D"}
@@ -1,3 +1,4 @@
1
+ import { Option } from 'commander';
1
2
  import { parseAztecAddress, parseEthereumAddress, parseHex, parseOptionalInteger } from '../../utils/commands.js';
2
3
  import { defaultBlsPath } from './utils.js';
3
4
  export function injectCommands(program, log) {
@@ -7,7 +8,7 @@ export function injectCommands(program, log) {
7
8
  ]).description('Manage validator keystores for node operators');
8
9
  group.command('new').summary('Generate a new validator keystore JSON').description('Generates a new validator keystore with ETH secp256k1 accounts and optional BLS accounts').option('--data-dir <path>', 'Directory to store keystore(s). Defaults to ~/.aztec/keystore').option('--file <name>', 'Keystore file name. Defaults to key1.json (or keyN.json if key1.json exists)').option('--count <N>', 'Number of validators to generate', parseOptionalInteger).option('--publisher-count <N>', 'Number of publisher accounts per validator (default 0)', (value)=>parseOptionalInteger(value, 0)).option('--publishers <privateKeys>', 'Comma-separated list of publisher private keys for all validators.', (value)=>value.split(',').map((key)=>key.trim())).option('--mnemonic <mnemonic>', 'Mnemonic for ETH/BLS derivation').option('--passphrase <str>', 'Optional passphrase for mnemonic').option('--account-index <N>', 'Base account index for ETH/BLS derivation', parseOptionalInteger).option('--address-index <N>', 'Base address index for ETH/BLS derivation', parseOptionalInteger).option('--coinbase <address>', 'Coinbase ETH address to use when proposing. Defaults to attester address.', parseEthereumAddress)// TODO: add funding account back in when implemented
9
10
  // .option('--funding-account <privateKey|address>', 'ETH private key (or address for remote signer setup) to fund publishers')
10
- .option('--remote-signer <url>', 'Default remote signer URL for accounts in this file').option('--ikm <hex>', 'Initial keying material for BLS (alternative to mnemonic)', (value)=>parseHex(value, 32)).option('--bls-path <path>', `EIP-2334 path (default ${defaultBlsPath})`).option('--password <str>', 'Password for writing keystore files (ETH JSON V3 and BLS EIP-2335). Empty string allowed').option('--encrypted-keystore-dir <dir>', 'Output directory for encrypted keystore file(s)').option('--json', 'Echo resulting JSON to stdout').option('--staker-output', 'Generate a single staker output JSON file with an array of validator entries').option('--gse-address <address>', 'GSE contract address (required with --staker-output)', parseEthereumAddress).option('--l1-rpc-urls <urls>', 'L1 RPC URLs (comma-separated, required with --staker-output)', (value)=>value.split(',')).option('-c, --l1-chain-id <number>', 'L1 chain ID (required with --staker-output)', (value)=>parseInt(value), 31337).requiredOption('--fee-recipient <address>', 'Aztec address that will receive fees', parseAztecAddress).action(async (options)=>{
11
+ .option('--remote-signer <url>', 'Default remote signer URL for accounts in this file').option('--ikm <hex>', 'Initial keying material for BLS (alternative to mnemonic)', (value)=>parseHex(value, 32)).option('--bls-path <path>', `EIP-2334 path (default ${defaultBlsPath})`).addOption(new Option('--password <str>', 'Shared password for writing ETH JSON V3 and BLS EIP-2335 keystore files').env('AZTEC_KEYSTORE_PASSWORD')).option('--password-file <path>', 'File containing the shared password for writing keystore files').addOption(new Option('--eth-password <str>', 'Password for writing ETH JSON V3 keystore files').env('AZTEC_ETH_KEYSTORE_PASSWORD')).option('--eth-password-file <path>', 'File containing the password for writing ETH JSON V3 keystore files').addOption(new Option('--bls-password <str>', 'Password for writing BLS EIP-2335 keystore files').env('AZTEC_BLS_KEYSTORE_PASSWORD')).option('--bls-password-file <path>', 'File containing the password for writing BLS EIP-2335 keystore files').option('--encrypted-keystore-dir <dir>', 'Output directory for encrypted keystore file(s)').option('--json', 'Echo resulting JSON to stdout').option('--staker-output', 'Generate a single staker output JSON file with an array of validator entries').option('--gse-address <address>', 'GSE contract address (required with --staker-output)', parseEthereumAddress).option('--l1-rpc-urls <urls>', 'L1 RPC URLs (comma-separated, required with --staker-output)', (value)=>value.split(',')).option('-c, --l1-chain-id <number>', 'L1 chain ID (required with --staker-output)', (value)=>parseInt(value), 31337).requiredOption('--fee-recipient <address>', 'Aztec address that will receive fees', parseAztecAddress).action(async (options)=>{
11
12
  const { newValidatorKeystore } = await import('./new.js');
12
13
  await newValidatorKeystore(options, log);
13
14
  });
@@ -15,6 +15,11 @@ export type NewValidatorKeystoreOptions = {
15
15
  ikm?: string;
16
16
  blsPath?: string;
17
17
  password?: string;
18
+ passwordFile?: string;
19
+ ethPassword?: string;
20
+ ethPasswordFile?: string;
21
+ blsPassword?: string;
22
+ blsPasswordFile?: string;
18
23
  encryptedKeystoreDir?: string;
19
24
  json?: boolean;
20
25
  feeRecipient: AztecAddress;
@@ -26,4 +31,4 @@ export type NewValidatorKeystoreOptions = {
26
31
  l1ChainId?: number;
27
32
  };
28
33
  export declare function newValidatorKeystore(options: NewValidatorKeystoreOptions, log: LogFn): Promise<void>;
29
- //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibmV3LmQudHMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvY21kcy92YWxpZGF0b3Jfa2V5cy9uZXcudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBR0EsT0FBTyxLQUFLLEVBQUUsVUFBVSxFQUFFLE1BQU0sK0JBQStCLENBQUM7QUFDaEUsT0FBTyxLQUFLLEVBQUUsS0FBSyxFQUFFLE1BQU0sdUJBQXVCLENBQUM7QUFDbkQsT0FBTyxLQUFLLEVBQUUsWUFBWSxFQUFFLE1BQU0sNkJBQTZCLENBQUM7QUF5QmhFLE1BQU0sTUFBTSwyQkFBMkIsR0FBRztJQUN4QyxPQUFPLENBQUMsRUFBRSxNQUFNLENBQUM7SUFDakIsSUFBSSxDQUFDLEVBQUUsTUFBTSxDQUFDO0lBQ2QsS0FBSyxDQUFDLEVBQUUsTUFBTSxDQUFDO0lBQ2YsY0FBYyxDQUFDLEVBQUUsTUFBTSxDQUFDO0lBQ3hCLFVBQVUsQ0FBQyxFQUFFLE1BQU0sRUFBRSxDQUFDO0lBQ3RCLFFBQVEsQ0FBQyxFQUFFLE1BQU0sQ0FBQztJQUNsQixVQUFVLENBQUMsRUFBRSxNQUFNLENBQUM7SUFDcEIsWUFBWSxDQUFDLEVBQUUsTUFBTSxDQUFDO0lBQ3RCLFlBQVksQ0FBQyxFQUFFLE1BQU0sQ0FBQztJQUN0QixpQkFBaUIsQ0FBQyxFQUFFLE9BQU8sQ0FBQztJQUM1QixHQUFHLENBQUMsRUFBRSxNQUFNLENBQUM7SUFDYixPQUFPLENBQUMsRUFBRSxNQUFNLENBQUM7SUFDakIsUUFBUSxDQUFDLEVBQUUsTUFBTSxDQUFDO0lBQ2xCLG9CQUFvQixDQUFDLEVBQUUsTUFBTSxDQUFDO0lBQzlCLElBQUksQ0FBQyxFQUFFLE9BQU8sQ0FBQztJQUNmLFlBQVksRUFBRSxZQUFZLENBQUM7SUFDM0IsUUFBUSxDQUFDLEVBQUUsVUFBVSxDQUFDO0lBQ3RCLFlBQVksQ0FBQyxFQUFFLE1BQU0sQ0FBQztJQUN0QixZQUFZLENBQUMsRUFBRSxPQUFPLENBQUM7SUFDdkIsVUFBVSxDQUFDLEVBQUUsVUFBVSxDQUFDO0lBQ3hCLFNBQVMsQ0FBQyxFQUFFLE1BQU0sRUFBRSxDQUFDO0lBQ3JCLFNBQVMsQ0FBQyxFQUFFLE1BQU0sQ0FBQztDQUNwQixDQUFDO0FBRUYsd0JBQXNCLG9CQUFvQixDQUFDLE9BQU8sRUFBRSwyQkFBMkIsRUFBRSxHQUFHLEVBQUUsS0FBSyxpQkF1SjFGIn0=
34
+ //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibmV3LmQudHMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvY21kcy92YWxpZGF0b3Jfa2V5cy9uZXcudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBR0EsT0FBTyxLQUFLLEVBQUUsVUFBVSxFQUFFLE1BQU0sK0JBQStCLENBQUM7QUFDaEUsT0FBTyxLQUFLLEVBQUUsS0FBSyxFQUFFLE1BQU0sdUJBQXVCLENBQUM7QUFDbkQsT0FBTyxLQUFLLEVBQUUsWUFBWSxFQUFFLE1BQU0sNkJBQTZCLENBQUM7QUF5QmhFLE1BQU0sTUFBTSwyQkFBMkIsR0FBRztJQUN4QyxPQUFPLENBQUMsRUFBRSxNQUFNLENBQUM7SUFDakIsSUFBSSxDQUFDLEVBQUUsTUFBTSxDQUFDO0lBQ2QsS0FBSyxDQUFDLEVBQUUsTUFBTSxDQUFDO0lBQ2YsY0FBYyxDQUFDLEVBQUUsTUFBTSxDQUFDO0lBQ3hCLFVBQVUsQ0FBQyxFQUFFLE1BQU0sRUFBRSxDQUFDO0lBQ3RCLFFBQVEsQ0FBQyxFQUFFLE1BQU0sQ0FBQztJQUNsQixVQUFVLENBQUMsRUFBRSxNQUFNLENBQUM7SUFDcEIsWUFBWSxDQUFDLEVBQUUsTUFBTSxDQUFDO0lBQ3RCLFlBQVksQ0FBQyxFQUFFLE1BQU0sQ0FBQztJQUN0QixpQkFBaUIsQ0FBQyxFQUFFLE9BQU8sQ0FBQztJQUM1QixHQUFHLENBQUMsRUFBRSxNQUFNLENBQUM7SUFDYixPQUFPLENBQUMsRUFBRSxNQUFNLENBQUM7SUFDakIsUUFBUSxDQUFDLEVBQUUsTUFBTSxDQUFDO0lBQ2xCLFlBQVksQ0FBQyxFQUFFLE1BQU0sQ0FBQztJQUN0QixXQUFXLENBQUMsRUFBRSxNQUFNLENBQUM7SUFDckIsZUFBZSxDQUFDLEVBQUUsTUFBTSxDQUFDO0lBQ3pCLFdBQVcsQ0FBQyxFQUFFLE1BQU0sQ0FBQztJQUNyQixlQUFlLENBQUMsRUFBRSxNQUFNLENBQUM7SUFDekIsb0JBQW9CLENBQUMsRUFBRSxNQUFNLENBQUM7SUFDOUIsSUFBSSxDQUFDLEVBQUUsT0FBTyxDQUFDO0lBQ2YsWUFBWSxFQUFFLFlBQVksQ0FBQztJQUMzQixRQUFRLENBQUMsRUFBRSxVQUFVLENBQUM7SUFDdEIsWUFBWSxDQUFDLEVBQUUsTUFBTSxDQUFDO0lBQ3RCLFlBQVksQ0FBQyxFQUFFLE9BQU8sQ0FBQztJQUN2QixVQUFVLENBQUMsRUFBRSxVQUFVLENBQUM7SUFDeEIsU0FBUyxDQUFDLEVBQUUsTUFBTSxFQUFFLENBQUM7SUFDckIsU0FBUyxDQUFDLEVBQUUsTUFBTSxDQUFDO0NBQ3BCLENBQUM7QUFrRkYsd0JBQXNCLG9CQUFvQixDQUFDLE9BQU8sRUFBRSwyQkFBMkIsRUFBRSxHQUFHLEVBQUUsS0FBSyxpQkFxSzFGIn0=
@@ -1 +1 @@
1
- {"version":3,"file":"new.d.ts","sourceRoot":"","sources":["../../../src/cmds/validator_keys/new.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAChE,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAyBhE,MAAM,MAAM,2BAA2B,GAAG;IACxC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,YAAY,EAAE,YAAY,CAAC;IAC3B,QAAQ,CAAC,EAAE,UAAU,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,wBAAsB,oBAAoB,CAAC,OAAO,EAAE,2BAA2B,EAAE,GAAG,EAAE,KAAK,iBAuJ1F"}
1
+ {"version":3,"file":"new.d.ts","sourceRoot":"","sources":["../../../src/cmds/validator_keys/new.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAChE,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAyBhE,MAAM,MAAM,2BAA2B,GAAG;IACxC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,YAAY,EAAE,YAAY,CAAC;IAC3B,QAAQ,CAAC,EAAE,UAAU,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAkFF,wBAAsB,oBAAoB,CAAC,OAAO,EAAE,2BAA2B,EAAE,GAAG,EAAE,KAAK,iBAqK1F"}
@@ -2,13 +2,74 @@ import { prettyPrintJSON } from '@aztec/cli/utils';
2
2
  import { createEthereumChain } from '@aztec/ethereum/chain';
3
3
  import { GSEContract } from '@aztec/ethereum/contracts';
4
4
  import { wordlist } from '@scure/bip39/wordlists/english.js';
5
- import { writeFile } from 'fs/promises';
5
+ import { readFile, writeFile } from 'fs/promises';
6
6
  import { basename, dirname, join } from 'path';
7
7
  import { createPublicClient, fallback, http } from 'viem';
8
8
  import { generateMnemonic, mnemonicToAccount } from 'viem/accounts';
9
9
  import { buildValidatorEntries, logValidatorSummaries, maybePrintJson, resolveKeystoreOutputPath, writeBlsBn254ToFile, writeEthJsonV3ToFile, writeKeystoreFile } from './shared.js';
10
10
  import { processAttesterAccounts } from './staker.js';
11
11
  import { validateBlsPathOptions, validatePublisherOptions, validateRemoteSignerOptions, validateStakerOutputOptions } from './utils.js';
12
+ function validatePassword(password, source) {
13
+ if (password.length === 0) {
14
+ throw new Error(`${source} cannot be empty`);
15
+ }
16
+ return password;
17
+ }
18
+ function stripOneTrailingNewline(password) {
19
+ if (password.endsWith('\n')) {
20
+ password = password.slice(0, -1);
21
+ }
22
+ if (password.endsWith('\r')) {
23
+ password = password.slice(0, -1);
24
+ }
25
+ return password;
26
+ }
27
+ async function resolvePasswordSource(source) {
28
+ if (source.password !== undefined && source.passwordFile !== undefined) {
29
+ throw new Error(`${source.passwordOption} and ${source.passwordFileOption} cannot be used together`);
30
+ }
31
+ if (source.password !== undefined) {
32
+ return validatePassword(source.password, source.passwordOption);
33
+ }
34
+ if (source.passwordFile !== undefined) {
35
+ if (source.passwordFile.length === 0) {
36
+ throw new Error(`${source.passwordFileOption} cannot be empty`);
37
+ }
38
+ const password = stripOneTrailingNewline(await readFile(source.passwordFile, 'utf-8'));
39
+ return validatePassword(password, source.passwordFileOption);
40
+ }
41
+ return undefined;
42
+ }
43
+ async function resolvePasswords(options) {
44
+ const sharedPassword = await resolvePasswordSource({
45
+ password: options.password,
46
+ passwordFile: options.passwordFile,
47
+ passwordOption: '--password',
48
+ passwordFileOption: '--password-file'
49
+ });
50
+ const ethPassword = await resolvePasswordSource({
51
+ password: options.ethPassword,
52
+ passwordFile: options.ethPasswordFile,
53
+ passwordOption: '--eth-password',
54
+ passwordFileOption: '--eth-password-file'
55
+ }) ?? sharedPassword;
56
+ const blsPassword = await resolvePasswordSource({
57
+ password: options.blsPassword,
58
+ passwordFile: options.blsPasswordFile,
59
+ passwordOption: '--bls-password',
60
+ passwordFileOption: '--bls-password-file'
61
+ }) ?? sharedPassword;
62
+ if (ethPassword === undefined && blsPassword === undefined) {
63
+ return {};
64
+ }
65
+ if (ethPassword === undefined || blsPassword === undefined) {
66
+ throw new Error('Both ETH and BLS passwords are required when writing encrypted keystores. Provide --password to use one password for both, or provide both --eth-password and --bls-password.');
67
+ }
68
+ return {
69
+ ethPassword,
70
+ blsPassword
71
+ };
72
+ }
12
73
  export async function newValidatorKeystore(options, log) {
13
74
  // validate bls-path inputs before proceeding with key generation
14
75
  validateBlsPathOptions(options);
@@ -18,9 +79,18 @@ export async function newValidatorKeystore(options, log) {
18
79
  validatePublisherOptions(options);
19
80
  // validate remote signer options
20
81
  validateRemoteSignerOptions(options);
21
- const { dataDir, file, count, publisherCount = 0, publishers, json, coinbase, accountIndex = 0, addressIndex = 0, feeRecipient, remoteSigner, blsPath, ikm, mnemonic: _mnemonic, password, encryptedKeystoreDir, stakerOutput, gseAddress, l1RpcUrls, l1ChainId } = options;
82
+ const { dataDir, file, count, publisherCount = 0, publishers, json, coinbase, accountIndex = 0, addressIndex = 0, feeRecipient, remoteSigner, blsPath, ikm, mnemonic: _mnemonic, password: passwordOption, passwordFile, ethPassword: ethPasswordOption, ethPasswordFile, blsPassword: blsPasswordOption, blsPasswordFile, encryptedKeystoreDir, stakerOutput, gseAddress, l1RpcUrls, l1ChainId } = options;
83
+ const { ethPassword, blsPassword } = await resolvePasswords({
84
+ password: passwordOption,
85
+ passwordFile,
86
+ ethPassword: ethPasswordOption,
87
+ ethPasswordFile,
88
+ blsPassword: blsPasswordOption,
89
+ blsPasswordFile
90
+ });
91
+ const shouldEncryptKeystores = ethPassword !== undefined && blsPassword !== undefined;
22
92
  const mnemonic = _mnemonic ?? generateMnemonic(wordlist);
23
- if (!_mnemonic && !json) {
93
+ if (!_mnemonic && !json && !shouldEncryptKeystores) {
24
94
  log('No mnemonic provided, generating new one...');
25
95
  log(`Using new mnemonic:`);
26
96
  log('');
@@ -44,15 +114,15 @@ export async function newValidatorKeystore(options, log) {
44
114
  remoteSigner
45
115
  });
46
116
  // If password provided, write ETH JSON V3 and BLS BN254 keystores and replace plaintext
47
- if (password !== undefined) {
117
+ if (shouldEncryptKeystores) {
48
118
  const encryptedKeystoreOutDir = encryptedKeystoreDir && encryptedKeystoreDir.length > 0 ? encryptedKeystoreDir : keystoreOutDir;
49
119
  await writeEthJsonV3ToFile(validators, {
50
120
  outDir: encryptedKeystoreOutDir,
51
- password
121
+ password: ethPassword
52
122
  });
53
123
  await writeBlsBn254ToFile(validators, {
54
124
  outDir: encryptedKeystoreOutDir,
55
- password
125
+ password: blsPassword
56
126
  });
57
127
  }
58
128
  const keystore = {
@@ -76,7 +146,7 @@ export async function newValidatorKeystore(options, log) {
76
146
  // Process each validator
77
147
  for(let i = 0; i < validators.length; i++){
78
148
  const validator = validators[i];
79
- const outputs = await processAttesterAccounts(validator.attester, gse, password);
149
+ const outputs = await processAttesterAccounts(validator.attester, gse);
80
150
  // Collect all staker outputs
81
151
  for(let j = 0; j < outputs.length; j++){
82
152
  allStakerOutputs.push(outputs[j]);
@@ -88,7 +158,7 @@ export async function newValidatorKeystore(options, log) {
88
158
  await writeFile(stakerOutputPath, prettyPrintJSON(allStakerOutputs), 'utf-8');
89
159
  }
90
160
  }
91
- const outputData = !_mnemonic ? {
161
+ const outputData = !_mnemonic && !shouldEncryptKeystores ? {
92
162
  ...keystore,
93
163
  generatedMnemonic: mnemonic
94
164
  } : keystore;
@@ -65,4 +65,4 @@ export declare function writeEthJsonV3ToFile(validators: ValidatorKeyStore[], op
65
65
  outDir: string;
66
66
  password: string;
67
67
  }): Promise<void>;
68
- //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2hhcmVkLmQudHMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvY21kcy92YWxpZGF0b3Jfa2V5cy9zaGFyZWQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBSUEsT0FBTyxLQUFLLEVBQUUsVUFBVSxFQUFFLE1BQU0sK0JBQStCLENBQUM7QUFDaEUsT0FBTyxLQUFLLEVBQUUsS0FBSyxFQUFFLE1BQU0sdUJBQXVCLENBQUM7QUFDbkQsT0FBTyxLQUFLLEVBQUUsVUFBVSxFQUFFLGFBQWEsRUFBRSxpQkFBaUIsRUFBRSxNQUFNLDRCQUE0QixDQUFDO0FBQy9GLE9BQU8sS0FBSyxFQUFFLFlBQVksRUFBRSxNQUFNLDZCQUE2QixDQUFDO0FBV2hFLE1BQU0sTUFBTSxnQkFBZ0IsR0FBRztJQUFFLFdBQVcsQ0FBQyxFQUFFLE1BQU0sQ0FBQztJQUFDLFdBQVcsQ0FBQyxFQUFFLE1BQU0sQ0FBQztJQUFDLFlBQVksQ0FBQyxFQUFFLE1BQU0sRUFBRSxDQUFBO0NBQUUsQ0FBQztBQUV2RyxNQUFNLE1BQU0sb0JBQW9CLEdBQUc7SUFDakMsY0FBYyxFQUFFLE1BQU0sQ0FBQztJQUN2QixjQUFjLENBQUMsRUFBRSxNQUFNLENBQUM7SUFDeEIsVUFBVSxDQUFDLEVBQUUsTUFBTSxFQUFFLENBQUM7SUFDdEIsWUFBWSxFQUFFLE1BQU0sQ0FBQztJQUNyQixnQkFBZ0IsRUFBRSxNQUFNLENBQUM7SUFDekIsUUFBUSxFQUFFLE1BQU0sQ0FBQztJQUNqQixHQUFHLENBQUMsRUFBRSxNQUFNLENBQUM7SUFDYixPQUFPLENBQUMsRUFBRSxNQUFNLENBQUM7SUFDakIsWUFBWSxFQUFFLFlBQVksQ0FBQztJQUMzQixRQUFRLENBQUMsRUFBRSxVQUFVLENBQUM7SUFDdEIsWUFBWSxDQUFDLEVBQUUsTUFBTSxDQUFDO0NBQ3ZCLENBQUM7QUFFRix3QkFBZ0Isa0JBQWtCLENBQUMsSUFBSSxFQUFFLE1BQU0sRUFBRSxZQUFZLEdBQUUsTUFBVSxFQUFFLFlBQVksR0FBRSxNQUFVLFVBcUJsRztBQUVEOzs7O0dBSUc7QUFDSCx3QkFBc0IsNkJBQTZCLENBQUMsYUFBYSxFQUFFLE1BQU0sR0FBRyxPQUFPLENBQUMsTUFBTSxDQUFDLENBRTFGO0FBRUQsd0JBQWdCLGlCQUFpQixDQUMvQixRQUFRLEVBQUUsTUFBTSxFQUNoQixnQkFBZ0IsRUFBRSxNQUFNLEVBQ3hCLFlBQVksRUFBRSxNQUFNLEVBQ3BCLFlBQVksQ0FBQyxFQUFFLE1BQU0sR0FDcEIsVUFBVSxHQUFHLGFBQWEsQ0FLNUI7QUFFRCx3QkFBc0IscUJBQXFCLENBQUMsS0FBSyxFQUFFLG9CQUFvQjs7O0dBdUV0RTtBQUVELHdCQUFzQix5QkFBeUIsQ0FBQyxPQUFPLENBQUMsRUFBRSxNQUFNLEVBQUUsSUFBSSxDQUFDLEVBQUUsTUFBTTs7O0dBb0I5RTtBQUVELHdCQUFzQixpQkFBaUIsQ0FBQyxJQUFJLEVBQUUsTUFBTSxFQUFFLFFBQVEsRUFBRSxPQUFPLGlCQUd0RTtBQUVELHdCQUFnQixxQkFBcUIsQ0FBQyxHQUFHLEVBQUUsS0FBSyxFQUFFLFNBQVMsRUFBRSxnQkFBZ0IsRUFBRSxRQXNCOUU7QUFFRCx3QkFBZ0IsY0FBYyxDQUFDLEdBQUcsRUFBRSxLQUFLLEVBQUUsUUFBUSxFQUFFLE9BQU8sR0FBRyxTQUFTLEVBQUUsR0FBRyxFQUFFLE9BQU8sUUFJckY7QUFFRDs7Ozs7Ozs7Ozs7R0FXRztBQUNILHdCQUFzQixxQkFBcUIsQ0FDekMsTUFBTSxFQUFFLE1BQU0sRUFDZCxZQUFZLEVBQUUsTUFBTSxFQUNwQixRQUFRLEVBQUUsTUFBTSxFQUNoQixhQUFhLEVBQUUsTUFBTSxFQUNyQixTQUFTLEVBQUUsTUFBTSxFQUNqQixjQUFjLEVBQUUsTUFBTSxHQUNyQixPQUFPLENBQUMsTUFBTSxDQUFDLENBU2pCO0FBRUQseUdBQXlHO0FBQ3pHLHdCQUFzQixtQkFBbUIsQ0FDdkMsVUFBVSxFQUFFLGlCQUFpQixFQUFFLEVBQy9CLE9BQU8sRUFBRTtJQUFFLE1BQU0sRUFBRSxNQUFNLENBQUM7SUFBQyxRQUFRLEVBQUUsTUFBTSxDQUFDO0lBQUMsT0FBTyxDQUFDLEVBQUUsTUFBTSxDQUFBO0NBQUUsR0FDOUQsT0FBTyxDQUFDLElBQUksQ0FBQyxDQXVCZjtBQUVELDhFQUE4RTtBQUM5RSx3QkFBc0Isc0JBQXNCLENBQzFDLE1BQU0sRUFBRSxNQUFNLEVBQ2QsWUFBWSxFQUFFLE1BQU0sRUFDcEIsUUFBUSxFQUFFLE1BQU0sRUFDaEIsYUFBYSxFQUFFLE1BQU0sR0FDcEIsT0FBTyxDQUFDLE1BQU0sQ0FBQyxDQVFqQjtBQUVELGtHQUFrRztBQUNsRyx3QkFBc0Isb0JBQW9CLENBQ3hDLFVBQVUsRUFBRSxpQkFBaUIsRUFBRSxFQUMvQixPQUFPLEVBQUU7SUFBRSxNQUFNLEVBQUUsTUFBTSxDQUFDO0lBQUMsUUFBUSxFQUFFLE1BQU0sQ0FBQTtDQUFFLEdBQzVDLE9BQU8sQ0FBQyxJQUFJLENBQUMsQ0FzQ2YifQ==
68
+ //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2hhcmVkLmQudHMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvY21kcy92YWxpZGF0b3Jfa2V5cy9zaGFyZWQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBS0EsT0FBTyxLQUFLLEVBQUUsVUFBVSxFQUFFLE1BQU0sK0JBQStCLENBQUM7QUFDaEUsT0FBTyxLQUFLLEVBQUUsS0FBSyxFQUFFLE1BQU0sdUJBQXVCLENBQUM7QUFDbkQsT0FBTyxLQUFLLEVBQUUsVUFBVSxFQUFFLGFBQWEsRUFBRSxpQkFBaUIsRUFBRSxNQUFNLDRCQUE0QixDQUFDO0FBQy9GLE9BQU8sS0FBSyxFQUFFLFlBQVksRUFBRSxNQUFNLDZCQUE2QixDQUFDO0FBMkRoRSxNQUFNLE1BQU0sZ0JBQWdCLEdBQUc7SUFBRSxXQUFXLENBQUMsRUFBRSxNQUFNLENBQUM7SUFBQyxXQUFXLENBQUMsRUFBRSxNQUFNLENBQUM7SUFBQyxZQUFZLENBQUMsRUFBRSxNQUFNLEVBQUUsQ0FBQTtDQUFFLENBQUM7QUFFdkcsTUFBTSxNQUFNLG9CQUFvQixHQUFHO0lBQ2pDLGNBQWMsRUFBRSxNQUFNLENBQUM7SUFDdkIsY0FBYyxDQUFDLEVBQUUsTUFBTSxDQUFDO0lBQ3hCLFVBQVUsQ0FBQyxFQUFFLE1BQU0sRUFBRSxDQUFDO0lBQ3RCLFlBQVksRUFBRSxNQUFNLENBQUM7SUFDckIsZ0JBQWdCLEVBQUUsTUFBTSxDQUFDO0lBQ3pCLFFBQVEsRUFBRSxNQUFNLENBQUM7SUFDakIsR0FBRyxDQUFDLEVBQUUsTUFBTSxDQUFDO0lBQ2IsT0FBTyxDQUFDLEVBQUUsTUFBTSxDQUFDO0lBQ2pCLFlBQVksRUFBRSxZQUFZLENBQUM7SUFDM0IsUUFBUSxDQUFDLEVBQUUsVUFBVSxDQUFDO0lBQ3RCLFlBQVksQ0FBQyxFQUFFLE1BQU0sQ0FBQztDQUN2QixDQUFDO0FBRUYsd0JBQWdCLGtCQUFrQixDQUFDLElBQUksRUFBRSxNQUFNLEVBQUUsWUFBWSxHQUFFLE1BQVUsRUFBRSxZQUFZLEdBQUUsTUFBVSxVQXFCbEc7QUFFRDs7OztHQUlHO0FBQ0gsd0JBQXNCLDZCQUE2QixDQUFDLGFBQWEsRUFBRSxNQUFNLEdBQUcsT0FBTyxDQUFDLE1BQU0sQ0FBQyxDQUUxRjtBQUVELHdCQUFnQixpQkFBaUIsQ0FDL0IsUUFBUSxFQUFFLE1BQU0sRUFDaEIsZ0JBQWdCLEVBQUUsTUFBTSxFQUN4QixZQUFZLEVBQUUsTUFBTSxFQUNwQixZQUFZLENBQUMsRUFBRSxNQUFNLEdBQ3BCLFVBQVUsR0FBRyxhQUFhLENBSzVCO0FBRUQsd0JBQXNCLHFCQUFxQixDQUFDLEtBQUssRUFBRSxvQkFBb0I7OztHQXVFdEU7QUFFRCx3QkFBc0IseUJBQXlCLENBQUMsT0FBTyxDQUFDLEVBQUUsTUFBTSxFQUFFLElBQUksQ0FBQyxFQUFFLE1BQU07OztHQW9COUU7QUFFRCx3QkFBc0IsaUJBQWlCLENBQUMsSUFBSSxFQUFFLE1BQU0sRUFBRSxRQUFRLEVBQUUsT0FBTyxpQkFHdEU7QUFFRCx3QkFBZ0IscUJBQXFCLENBQUMsR0FBRyxFQUFFLEtBQUssRUFBRSxTQUFTLEVBQUUsZ0JBQWdCLEVBQUUsUUFzQjlFO0FBRUQsd0JBQWdCLGNBQWMsQ0FBQyxHQUFHLEVBQUUsS0FBSyxFQUFFLFFBQVEsRUFBRSxPQUFPLEdBQUcsU0FBUyxFQUFFLEdBQUcsRUFBRSxPQUFPLFFBSXJGO0FBRUQ7Ozs7Ozs7Ozs7O0dBV0c7QUFDSCx3QkFBc0IscUJBQXFCLENBQ3pDLE1BQU0sRUFBRSxNQUFNLEVBQ2QsWUFBWSxFQUFFLE1BQU0sRUFDcEIsUUFBUSxFQUFFLE1BQU0sRUFDaEIsYUFBYSxFQUFFLE1BQU0sRUFDckIsU0FBUyxFQUFFLE1BQU0sRUFDakIsY0FBYyxFQUFFLE1BQU0sR0FDckIsT0FBTyxDQUFDLE1BQU0sQ0FBQyxDQVNqQjtBQUVELHlHQUF5RztBQUN6Ryx3QkFBc0IsbUJBQW1CLENBQ3ZDLFVBQVUsRUFBRSxpQkFBaUIsRUFBRSxFQUMvQixPQUFPLEVBQUU7SUFBRSxNQUFNLEVBQUUsTUFBTSxDQUFDO0lBQUMsUUFBUSxFQUFFLE1BQU0sQ0FBQztJQUFDLE9BQU8sQ0FBQyxFQUFFLE1BQU0sQ0FBQTtDQUFFLEdBQzlELE9BQU8sQ0FBQyxJQUFJLENBQUMsQ0F3QmY7QUFFRCw4RUFBOEU7QUFDOUUsd0JBQXNCLHNCQUFzQixDQUMxQyxNQUFNLEVBQUUsTUFBTSxFQUNkLFlBQVksRUFBRSxNQUFNLEVBQ3BCLFFBQVEsRUFBRSxNQUFNLEVBQ2hCLGFBQWEsRUFBRSxNQUFNLEdBQ3BCLE9BQU8sQ0FBQyxNQUFNLENBQUMsQ0FPakI7QUFFRCxrR0FBa0c7QUFDbEcsd0JBQXNCLG9CQUFvQixDQUN4QyxVQUFVLEVBQUUsaUJBQWlCLEVBQUUsRUFDL0IsT0FBTyxFQUFFO0lBQUUsTUFBTSxFQUFFLE1BQU0sQ0FBQztJQUFDLFFBQVEsRUFBRSxNQUFNLENBQUE7Q0FBRSxHQUM1QyxPQUFPLENBQUMsSUFBSSxDQUFDLENBeUNmIn0=
@@ -1 +1 @@
1
- {"version":3,"file":"shared.d.ts","sourceRoot":"","sources":["../../../src/cmds/validator_keys/shared.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAChE,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,KAAK,EAAE,UAAU,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC/F,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAWhE,MAAM,MAAM,gBAAgB,GAAG;IAAE,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC;AAEvG,MAAM,MAAM,oBAAoB,GAAG;IACjC,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,YAAY,CAAC;IAC3B,QAAQ,CAAC,EAAE,UAAU,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,GAAE,MAAU,EAAE,YAAY,GAAE,MAAU,UAqBlG;AAED;;;;GAIG;AACH,wBAAsB,6BAA6B,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAE1F;AAED,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,gBAAgB,EAAE,MAAM,EACxB,YAAY,EAAE,MAAM,EACpB,YAAY,CAAC,EAAE,MAAM,GACpB,UAAU,GAAG,aAAa,CAK5B;AAED,wBAAsB,qBAAqB,CAAC,KAAK,EAAE,oBAAoB;;;GAuEtE;AAED,wBAAsB,yBAAyB,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM;;;GAoB9E;AAED,wBAAsB,iBAAiB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,iBAGtE;AAED,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,gBAAgB,EAAE,QAsB9E;AAED,wBAAgB,cAAc,CAAC,GAAG,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,GAAG,SAAS,EAAE,GAAG,EAAE,OAAO,QAIrF;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,qBAAqB,CACzC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,MAAM,EACrB,SAAS,EAAE,MAAM,EACjB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,MAAM,CAAC,CASjB;AAED,yGAAyG;AACzG,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,iBAAiB,EAAE,EAC/B,OAAO,EAAE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,GAC9D,OAAO,CAAC,IAAI,CAAC,CAuBf;AAED,8EAA8E;AAC9E,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,MAAM,CAAC,CAQjB;AAED,kGAAkG;AAClG,wBAAsB,oBAAoB,CACxC,UAAU,EAAE,iBAAiB,EAAE,EAC/B,OAAO,EAAE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC5C,OAAO,CAAC,IAAI,CAAC,CAsCf"}
1
+ {"version":3,"file":"shared.d.ts","sourceRoot":"","sources":["../../../src/cmds/validator_keys/shared.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAChE,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,KAAK,EAAE,UAAU,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC/F,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AA2DhE,MAAM,MAAM,gBAAgB,GAAG;IAAE,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC;AAEvG,MAAM,MAAM,oBAAoB,GAAG;IACjC,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,YAAY,CAAC;IAC3B,QAAQ,CAAC,EAAE,UAAU,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,GAAE,MAAU,EAAE,YAAY,GAAE,MAAU,UAqBlG;AAED;;;;GAIG;AACH,wBAAsB,6BAA6B,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAE1F;AAED,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,gBAAgB,EAAE,MAAM,EACxB,YAAY,EAAE,MAAM,EACpB,YAAY,CAAC,EAAE,MAAM,GACpB,UAAU,GAAG,aAAa,CAK5B;AAED,wBAAsB,qBAAqB,CAAC,KAAK,EAAE,oBAAoB;;;GAuEtE;AAED,wBAAsB,yBAAyB,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM;;;GAoB9E;AAED,wBAAsB,iBAAiB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,iBAGtE;AAED,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,gBAAgB,EAAE,QAsB9E;AAED,wBAAgB,cAAc,CAAC,GAAG,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,GAAG,SAAS,EAAE,GAAG,EAAE,OAAO,QAIrF;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,qBAAqB,CACzC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,MAAM,EACrB,SAAS,EAAE,MAAM,EACjB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,MAAM,CAAC,CASjB;AAED,yGAAyG;AACzG,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,iBAAiB,EAAE,EAC/B,OAAO,EAAE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,GAC9D,OAAO,CAAC,IAAI,CAAC,CAwBf;AAED,8EAA8E;AAC9E,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,MAAM,CAAC,CAOjB;AAED,kGAAkG;AAClG,wBAAsB,oBAAoB,CACxC,UAAU,EAAE,iBAAiB,EAAE,EAC/B,OAAO,EAAE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC5C,OAAO,CAAC,IAAI,CAAC,CAyCf"}
@@ -1,14 +1,58 @@
1
1
  import { prettyPrintJSON } from '@aztec/cli/utils';
2
+ import { asyncPool } from '@aztec/foundation/async-pool';
2
3
  import { deriveBlsPrivateKey } from '@aztec/foundation/crypto/bls';
3
4
  import { createBn254Keystore } from '@aztec/foundation/crypto/bls/bn254_keystore';
4
5
  import { computeBn254G1PublicKeyCompressed } from '@aztec/foundation/crypto/bn254';
5
6
  import { Wallet } from '@ethersproject/wallet';
6
7
  import { constants as fsConstants, mkdirSync } from 'fs';
7
8
  import { access, writeFile } from 'fs/promises';
8
- import { homedir } from 'os';
9
+ import { availableParallelism, homedir } from 'os';
9
10
  import { dirname, isAbsolute, join } from 'path';
10
11
  import { mnemonicToAccount } from 'viem/accounts';
12
+ import { Worker } from 'worker_threads';
11
13
  import { defaultBlsPath } from './utils.js';
14
+ // ethers' default scrypt parameters use substantial memory, so keep worker fan-out bounded.
15
+ const maxEthKeystoreWorkers = Math.max(1, Math.min(4, availableParallelism()));
16
+ function deserializeWorkerError(error) {
17
+ const result = new Error(error.message);
18
+ result.name = error.name ?? result.name;
19
+ result.stack = error.stack;
20
+ return result;
21
+ }
22
+ function encryptEthJsonV3InWorker(privateKeyHex, password) {
23
+ return new Promise((resolve, reject)=>{
24
+ const worker = new Worker(new URL('./eth_json_v3_worker.js', import.meta.url), {
25
+ workerData: {
26
+ privateKeyHex,
27
+ password
28
+ }
29
+ });
30
+ let settled = false;
31
+ worker.once('message', (result)=>{
32
+ settled = true;
33
+ if ('json' in result) {
34
+ resolve(result.json);
35
+ } else {
36
+ reject(deserializeWorkerError(result.error));
37
+ }
38
+ });
39
+ worker.once('error', (error)=>{
40
+ settled = true;
41
+ reject(error);
42
+ });
43
+ worker.once('exit', (code)=>{
44
+ if (!settled) {
45
+ reject(new Error(`ETH JSON V3 worker stopped with exit code ${code}`));
46
+ }
47
+ });
48
+ });
49
+ }
50
+ async function encryptEthJsonV3(privateKeyHex, password) {
51
+ if (process.env.JEST_WORKER_ID !== undefined) {
52
+ return await new Wallet(privateKeyHex).encrypt(password);
53
+ }
54
+ return await encryptEthJsonV3InWorker(privateKeyHex, password);
55
+ }
12
56
  export function withValidatorIndex(path, accountIndex = 0, addressIndex = 0) {
13
57
  // NOTE: The legacy BLS CLI is to allow users who generated keys in 2.1.4 to be able to use the same command
14
58
  // to re-generate their keys. In 2.1.5 we switched how we append addresses to the path so this is to maintain backwards compatibility.
@@ -188,7 +232,7 @@ export function maybePrintJson(log, jsonFlag, obj) {
188
232
  mkdirSync(outDir, {
189
233
  recursive: true
190
234
  });
191
- const keystore = createBn254Keystore(password, privateKeyHex, pubkeyHex, derivationPath);
235
+ const keystore = await createBn254Keystore(password, privateKeyHex, pubkeyHex, derivationPath);
192
236
  const safeBase = fileNameBase.replace(/[^a-zA-Z0-9_-]/g, '_');
193
237
  const outPath = join(outDir, `keystore-${safeBase}.json`);
194
238
  await writeFile(outPath, JSON.stringify(keystore, null, 2), {
@@ -197,16 +241,15 @@ export function maybePrintJson(log, jsonFlag, obj) {
197
241
  return outPath;
198
242
  }
199
243
  /** Replace plaintext BLS keys in validators with { path, password } pointing to BN254 keystore files. */ export async function writeBlsBn254ToFile(validators, options) {
200
- for(let i = 0; i < validators.length; i++){
201
- const v = validators[i];
244
+ await Promise.all(validators.map(async (v, i)=>{
202
245
  if (!v || typeof v !== 'object' || !('attester' in v)) {
203
- continue;
246
+ return;
204
247
  }
205
248
  const att = v.attester;
206
249
  // Shapes: { bls: <hex> } or { eth: <ethAccount>, bls?: <hex> } or plain EthAccount
207
250
  const blsKey = typeof att === 'object' && 'bls' in att ? att.bls : undefined;
208
251
  if (!blsKey || typeof blsKey !== 'string') {
209
- continue;
252
+ return;
210
253
  }
211
254
  const pub = await computeBlsPublicKeyCompressed(blsKey);
212
255
  const path = options.blsPath ?? defaultBlsPath;
@@ -218,15 +261,14 @@ export function maybePrintJson(log, jsonFlag, obj) {
218
261
  password: options.password
219
262
  };
220
263
  }
221
- }
264
+ }));
222
265
  }
223
266
  /** Writes an Ethereum JSON V3 keystore using ethers, returns absolute path */ export async function writeEthJsonV3Keystore(outDir, fileNameBase, password, privateKeyHex) {
224
267
  const safeBase = fileNameBase.replace(/[^a-zA-Z0-9_-]/g, '_');
225
268
  mkdirSync(outDir, {
226
269
  recursive: true
227
270
  });
228
- const wallet = new Wallet(privateKeyHex);
229
- const json = await wallet.encrypt(password);
271
+ const json = await encryptEthJsonV3(privateKeyHex, password);
230
272
  const outPath = join(outDir, `keystore-eth-${safeBase}.json`);
231
273
  await writeFile(outPath, json, {
232
274
  encoding: 'utf-8'
@@ -234,16 +276,18 @@ export function maybePrintJson(log, jsonFlag, obj) {
234
276
  return outPath;
235
277
  }
236
278
  /** Replace plaintext ETH keys in validators with { path, password } pointing to JSON V3 files. */ export async function writeEthJsonV3ToFile(validators, options) {
237
- const maybeEncryptEth = async (account, label)=>{
279
+ const tasks = [];
280
+ const maybeQueueEncryptEth = (account, label, setEncryptedAccount)=>{
238
281
  if (typeof account === 'string' && account.startsWith('0x') && account.length === 66) {
239
- const fileBase = `${label}_${account.slice(2, 10)}`;
240
- const p = await writeEthJsonV3Keystore(options.outDir, fileBase, options.password, account);
241
- return {
242
- path: p,
243
- password: options.password
244
- };
282
+ tasks.push(async ()=>{
283
+ const fileBase = `${label}_${account.slice(2, 10)}`;
284
+ const path = await writeEthJsonV3Keystore(options.outDir, fileBase, options.password, account);
285
+ setEncryptedAccount({
286
+ path,
287
+ password: options.password
288
+ });
289
+ });
245
290
  }
246
- return account;
247
291
  };
248
292
  for(let i = 0; i < validators.length; i++){
249
293
  const v = validators[i];
@@ -253,22 +297,21 @@ export function maybePrintJson(log, jsonFlag, obj) {
253
297
  // attester may be string (eth), object with eth, or remote signer
254
298
  const att = v.attester;
255
299
  if (typeof att === 'string') {
256
- v.attester = await maybeEncryptEth(att, `attester_${i + 1}`);
300
+ maybeQueueEncryptEth(att, `attester_${i + 1}`, (account)=>v.attester = account);
257
301
  } else if (att && typeof att === 'object' && 'eth' in att) {
258
- att.eth = await maybeEncryptEth(att.eth, `attester_${i + 1}`);
302
+ maybeQueueEncryptEth(att.eth, `attester_${i + 1}`, (account)=>att.eth = account);
259
303
  }
260
304
  // publisher can be single or array
261
305
  if ('publisher' in v) {
262
306
  const pub = v.publisher;
263
307
  if (Array.isArray(pub)) {
264
- const out = [];
265
308
  for(let j = 0; j < pub.length; j++){
266
- out.push(await maybeEncryptEth(pub[j], `publisher_${i + 1}_${j + 1}`));
309
+ maybeQueueEncryptEth(pub[j], `publisher_${i + 1}_${j + 1}`, (account)=>pub[j] = account);
267
310
  }
268
- v.publisher = out;
269
311
  } else if (pub !== undefined) {
270
- v.publisher = await maybeEncryptEth(pub, `publisher_${i + 1}`);
312
+ maybeQueueEncryptEth(pub, `publisher_${i + 1}`, (account)=>v.publisher = account);
271
313
  }
272
314
  }
273
315
  }
316
+ await asyncPool(maxEthKeystoreWorkers, tasks, (task)=>task());
274
317
  }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@aztec/cli",
3
- "version": "5.0.0-nightly.20260703",
3
+ "version": "5.0.0-nightly.20260705",
4
4
  "type": "module",
5
5
  "exports": {
6
6
  "./contracts": "./dest/cmds/contracts/index.js",
@@ -77,23 +77,23 @@
77
77
  ]
78
78
  },
79
79
  "dependencies": {
80
- "@aztec/accounts": "5.0.0-nightly.20260703",
81
- "@aztec/archiver": "5.0.0-nightly.20260703",
82
- "@aztec/aztec.js": "5.0.0-nightly.20260703",
83
- "@aztec/constants": "5.0.0-nightly.20260703",
84
- "@aztec/entrypoints": "5.0.0-nightly.20260703",
85
- "@aztec/ethereum": "5.0.0-nightly.20260703",
86
- "@aztec/foundation": "5.0.0-nightly.20260703",
87
- "@aztec/l1-artifacts": "5.0.0-nightly.20260703",
88
- "@aztec/node-keystore": "5.0.0-nightly.20260703",
89
- "@aztec/node-lib": "5.0.0-nightly.20260703",
90
- "@aztec/p2p": "5.0.0-nightly.20260703",
91
- "@aztec/protocol-contracts": "5.0.0-nightly.20260703",
92
- "@aztec/sequencer-client": "5.0.0-nightly.20260703",
93
- "@aztec/slasher": "5.0.0-nightly.20260703",
94
- "@aztec/stdlib": "5.0.0-nightly.20260703",
95
- "@aztec/wallets": "5.0.0-nightly.20260703",
96
- "@aztec/world-state": "5.0.0-nightly.20260703",
80
+ "@aztec/accounts": "5.0.0-nightly.20260705",
81
+ "@aztec/archiver": "5.0.0-nightly.20260705",
82
+ "@aztec/aztec.js": "5.0.0-nightly.20260705",
83
+ "@aztec/constants": "5.0.0-nightly.20260705",
84
+ "@aztec/entrypoints": "5.0.0-nightly.20260705",
85
+ "@aztec/ethereum": "5.0.0-nightly.20260705",
86
+ "@aztec/foundation": "5.0.0-nightly.20260705",
87
+ "@aztec/l1-artifacts": "5.0.0-nightly.20260705",
88
+ "@aztec/node-keystore": "5.0.0-nightly.20260705",
89
+ "@aztec/node-lib": "5.0.0-nightly.20260705",
90
+ "@aztec/p2p": "5.0.0-nightly.20260705",
91
+ "@aztec/protocol-contracts": "5.0.0-nightly.20260705",
92
+ "@aztec/sequencer-client": "5.0.0-nightly.20260705",
93
+ "@aztec/slasher": "5.0.0-nightly.20260705",
94
+ "@aztec/stdlib": "5.0.0-nightly.20260705",
95
+ "@aztec/wallets": "5.0.0-nightly.20260705",
96
+ "@aztec/world-state": "5.0.0-nightly.20260705",
97
97
  "@ethersproject/wallet": "^5.8.0",
98
98
  "@iarna/toml": "^2.2.5",
99
99
  "@libp2p/peer-id-factory": "^3.0.4",
@@ -107,9 +107,9 @@
107
107
  "viem": "npm:@aztec/viem@2.38.2"
108
108
  },
109
109
  "devDependencies": {
110
- "@aztec/aztec-node": "5.0.0-nightly.20260703",
111
- "@aztec/kv-store": "5.0.0-nightly.20260703",
112
- "@aztec/telemetry-client": "5.0.0-nightly.20260703",
110
+ "@aztec/aztec-node": "5.0.0-nightly.20260705",
111
+ "@aztec/kv-store": "5.0.0-nightly.20260705",
112
+ "@aztec/telemetry-client": "5.0.0-nightly.20260705",
113
113
  "@jest/globals": "^30.0.0",
114
114
  "@types/jest": "^30.0.0",
115
115
  "@types/lodash.chunk": "^4.2.9",
@@ -126,15 +126,15 @@
126
126
  "typescript": "^5.3.3"
127
127
  },
128
128
  "peerDependencies": {
129
- "@aztec/accounts": "5.0.0-nightly.20260703",
130
- "@aztec/bb-prover": "5.0.0-nightly.20260703",
131
- "@aztec/ethereum": "5.0.0-nightly.20260703",
132
- "@aztec/l1-artifacts": "5.0.0-nightly.20260703",
133
- "@aztec/noir-contracts.js": "5.0.0-nightly.20260703",
134
- "@aztec/noir-protocol-circuits-types": "5.0.0-nightly.20260703",
135
- "@aztec/noir-test-contracts.js": "5.0.0-nightly.20260703",
136
- "@aztec/protocol-contracts": "5.0.0-nightly.20260703",
137
- "@aztec/stdlib": "5.0.0-nightly.20260703"
129
+ "@aztec/accounts": "5.0.0-nightly.20260705",
130
+ "@aztec/bb-prover": "5.0.0-nightly.20260705",
131
+ "@aztec/ethereum": "5.0.0-nightly.20260705",
132
+ "@aztec/l1-artifacts": "5.0.0-nightly.20260705",
133
+ "@aztec/noir-contracts.js": "5.0.0-nightly.20260705",
134
+ "@aztec/noir-protocol-circuits-types": "5.0.0-nightly.20260705",
135
+ "@aztec/noir-test-contracts.js": "5.0.0-nightly.20260705",
136
+ "@aztec/protocol-contracts": "5.0.0-nightly.20260705",
137
+ "@aztec/stdlib": "5.0.0-nightly.20260705"
138
138
  },
139
139
  "files": [
140
140
  "dest",
@@ -0,0 +1,30 @@
1
+ import { Wallet } from '@ethersproject/wallet';
2
+ import { parentPort, workerData } from 'worker_threads';
3
+
4
+ type EthJsonV3WorkerData = {
5
+ privateKeyHex: string;
6
+ password: string;
7
+ };
8
+
9
+ type SerializedError = {
10
+ message: string;
11
+ name?: string;
12
+ stack?: string;
13
+ };
14
+
15
+ function serializeError(error: unknown): SerializedError {
16
+ if (error instanceof Error) {
17
+ return { message: error.message, name: error.name, stack: error.stack };
18
+ }
19
+ return { message: String(error) };
20
+ }
21
+
22
+ void (async () => {
23
+ try {
24
+ const { privateKeyHex, password } = workerData as EthJsonV3WorkerData;
25
+ const json = await new Wallet(privateKeyHex).encrypt(password);
26
+ parentPort?.postMessage({ json });
27
+ } catch (error) {
28
+ parentPort?.postMessage({ error: serializeError(error) });
29
+ }
30
+ })();
@@ -1,6 +1,6 @@
1
1
  import type { LogFn } from '@aztec/foundation/log';
2
2
 
3
- import { Command } from 'commander';
3
+ import { Command, Option } from 'commander';
4
4
 
5
5
  import { parseAztecAddress, parseEthereumAddress, parseHex, parseOptionalInteger } from '../../utils/commands.js';
6
6
  import { defaultBlsPath } from './utils.js';
@@ -38,10 +38,24 @@ export function injectCommands(program: Command, log: LogFn) {
38
38
  .option('--remote-signer <url>', 'Default remote signer URL for accounts in this file')
39
39
  .option('--ikm <hex>', 'Initial keying material for BLS (alternative to mnemonic)', value => parseHex(value, 32))
40
40
  .option('--bls-path <path>', `EIP-2334 path (default ${defaultBlsPath})`)
41
- .option(
42
- '--password <str>',
43
- 'Password for writing keystore files (ETH JSON V3 and BLS EIP-2335). Empty string allowed',
41
+ .addOption(
42
+ new Option('--password <str>', 'Shared password for writing ETH JSON V3 and BLS EIP-2335 keystore files').env(
43
+ 'AZTEC_KEYSTORE_PASSWORD',
44
+ ),
45
+ )
46
+ .option('--password-file <path>', 'File containing the shared password for writing keystore files')
47
+ .addOption(
48
+ new Option('--eth-password <str>', 'Password for writing ETH JSON V3 keystore files').env(
49
+ 'AZTEC_ETH_KEYSTORE_PASSWORD',
50
+ ),
51
+ )
52
+ .option('--eth-password-file <path>', 'File containing the password for writing ETH JSON V3 keystore files')
53
+ .addOption(
54
+ new Option('--bls-password <str>', 'Password for writing BLS EIP-2335 keystore files').env(
55
+ 'AZTEC_BLS_KEYSTORE_PASSWORD',
56
+ ),
44
57
  )
58
+ .option('--bls-password-file <path>', 'File containing the password for writing BLS EIP-2335 keystore files')
45
59
  .option('--encrypted-keystore-dir <dir>', 'Output directory for encrypted keystore file(s)')
46
60
  .option('--json', 'Echo resulting JSON to stdout')
47
61
  .option('--staker-output', 'Generate a single staker output JSON file with an array of validator entries')
@@ -6,7 +6,7 @@ import type { LogFn } from '@aztec/foundation/log';
6
6
  import type { AztecAddress } from '@aztec/stdlib/aztec-address';
7
7
 
8
8
  import { wordlist } from '@scure/bip39/wordlists/english.js';
9
- import { writeFile } from 'fs/promises';
9
+ import { readFile, writeFile } from 'fs/promises';
10
10
  import { basename, dirname, join } from 'path';
11
11
  import { createPublicClient, fallback, http } from 'viem';
12
12
  import { generateMnemonic, mnemonicToAccount } from 'viem/accounts';
@@ -42,6 +42,11 @@ export type NewValidatorKeystoreOptions = {
42
42
  ikm?: string;
43
43
  blsPath?: string;
44
44
  password?: string;
45
+ passwordFile?: string;
46
+ ethPassword?: string;
47
+ ethPasswordFile?: string;
48
+ blsPassword?: string;
49
+ blsPasswordFile?: string;
45
50
  encryptedKeystoreDir?: string;
46
51
  json?: boolean;
47
52
  feeRecipient: AztecAddress;
@@ -53,6 +58,86 @@ export type NewValidatorKeystoreOptions = {
53
58
  l1ChainId?: number;
54
59
  };
55
60
 
61
+ type PasswordSourceOptions = Pick<
62
+ NewValidatorKeystoreOptions,
63
+ 'password' | 'passwordFile' | 'ethPassword' | 'ethPasswordFile' | 'blsPassword' | 'blsPasswordFile'
64
+ >;
65
+
66
+ type PasswordSource = {
67
+ password?: string;
68
+ passwordFile?: string;
69
+ passwordOption: string;
70
+ passwordFileOption: string;
71
+ };
72
+
73
+ function validatePassword(password: string, source: string): string {
74
+ if (password.length === 0) {
75
+ throw new Error(`${source} cannot be empty`);
76
+ }
77
+ return password;
78
+ }
79
+
80
+ function stripOneTrailingNewline(password: string): string {
81
+ if (password.endsWith('\n')) {
82
+ password = password.slice(0, -1);
83
+ }
84
+ if (password.endsWith('\r')) {
85
+ password = password.slice(0, -1);
86
+ }
87
+ return password;
88
+ }
89
+
90
+ async function resolvePasswordSource(source: PasswordSource): Promise<string | undefined> {
91
+ if (source.password !== undefined && source.passwordFile !== undefined) {
92
+ throw new Error(`${source.passwordOption} and ${source.passwordFileOption} cannot be used together`);
93
+ }
94
+ if (source.password !== undefined) {
95
+ return validatePassword(source.password, source.passwordOption);
96
+ }
97
+ if (source.passwordFile !== undefined) {
98
+ if (source.passwordFile.length === 0) {
99
+ throw new Error(`${source.passwordFileOption} cannot be empty`);
100
+ }
101
+ const password = stripOneTrailingNewline(await readFile(source.passwordFile, 'utf-8'));
102
+ return validatePassword(password, source.passwordFileOption);
103
+ }
104
+
105
+ return undefined;
106
+ }
107
+
108
+ async function resolvePasswords(options: PasswordSourceOptions) {
109
+ const sharedPassword = await resolvePasswordSource({
110
+ password: options.password,
111
+ passwordFile: options.passwordFile,
112
+ passwordOption: '--password',
113
+ passwordFileOption: '--password-file',
114
+ });
115
+ const ethPassword =
116
+ (await resolvePasswordSource({
117
+ password: options.ethPassword,
118
+ passwordFile: options.ethPasswordFile,
119
+ passwordOption: '--eth-password',
120
+ passwordFileOption: '--eth-password-file',
121
+ })) ?? sharedPassword;
122
+ const blsPassword =
123
+ (await resolvePasswordSource({
124
+ password: options.blsPassword,
125
+ passwordFile: options.blsPasswordFile,
126
+ passwordOption: '--bls-password',
127
+ passwordFileOption: '--bls-password-file',
128
+ })) ?? sharedPassword;
129
+
130
+ if (ethPassword === undefined && blsPassword === undefined) {
131
+ return {};
132
+ }
133
+ if (ethPassword === undefined || blsPassword === undefined) {
134
+ throw new Error(
135
+ 'Both ETH and BLS passwords are required when writing encrypted keystores. Provide --password to use one password for both, or provide both --eth-password and --bls-password.',
136
+ );
137
+ }
138
+ return { ethPassword, blsPassword };
139
+ }
140
+
56
141
  export async function newValidatorKeystore(options: NewValidatorKeystoreOptions, log: LogFn) {
57
142
  // validate bls-path inputs before proceeding with key generation
58
143
  validateBlsPathOptions(options);
@@ -78,7 +163,12 @@ export async function newValidatorKeystore(options: NewValidatorKeystoreOptions,
78
163
  blsPath,
79
164
  ikm,
80
165
  mnemonic: _mnemonic,
81
- password,
166
+ password: passwordOption,
167
+ passwordFile,
168
+ ethPassword: ethPasswordOption,
169
+ ethPasswordFile,
170
+ blsPassword: blsPasswordOption,
171
+ blsPasswordFile,
82
172
  encryptedKeystoreDir,
83
173
  stakerOutput,
84
174
  gseAddress,
@@ -86,9 +176,18 @@ export async function newValidatorKeystore(options: NewValidatorKeystoreOptions,
86
176
  l1ChainId,
87
177
  } = options;
88
178
 
179
+ const { ethPassword, blsPassword } = await resolvePasswords({
180
+ password: passwordOption,
181
+ passwordFile,
182
+ ethPassword: ethPasswordOption,
183
+ ethPasswordFile,
184
+ blsPassword: blsPasswordOption,
185
+ blsPasswordFile,
186
+ });
187
+ const shouldEncryptKeystores = ethPassword !== undefined && blsPassword !== undefined;
89
188
  const mnemonic = _mnemonic ?? generateMnemonic(wordlist);
90
189
 
91
- if (!_mnemonic && !json) {
190
+ if (!_mnemonic && !json && !shouldEncryptKeystores) {
92
191
  log('No mnemonic provided, generating new one...');
93
192
  log(`Using new mnemonic:`);
94
193
  log('');
@@ -115,11 +214,11 @@ export async function newValidatorKeystore(options: NewValidatorKeystoreOptions,
115
214
  });
116
215
 
117
216
  // If password provided, write ETH JSON V3 and BLS BN254 keystores and replace plaintext
118
- if (password !== undefined) {
217
+ if (shouldEncryptKeystores) {
119
218
  const encryptedKeystoreOutDir =
120
219
  encryptedKeystoreDir && encryptedKeystoreDir.length > 0 ? encryptedKeystoreDir : keystoreOutDir;
121
- await writeEthJsonV3ToFile(validators, { outDir: encryptedKeystoreOutDir, password });
122
- await writeBlsBn254ToFile(validators, { outDir: encryptedKeystoreOutDir, password });
220
+ await writeEthJsonV3ToFile(validators, { outDir: encryptedKeystoreOutDir, password: ethPassword });
221
+ await writeBlsBn254ToFile(validators, { outDir: encryptedKeystoreOutDir, password: blsPassword });
123
222
  }
124
223
 
125
224
  const keystore = {
@@ -145,7 +244,7 @@ export async function newValidatorKeystore(options: NewValidatorKeystoreOptions,
145
244
  // Process each validator
146
245
  for (let i = 0; i < validators.length; i++) {
147
246
  const validator = validators[i];
148
- const outputs = await processAttesterAccounts(validator.attester, gse, password);
247
+ const outputs = await processAttesterAccounts(validator.attester, gse);
149
248
 
150
249
  // Collect all staker outputs
151
250
  for (let j = 0; j < outputs.length; j++) {
@@ -160,7 +259,7 @@ export async function newValidatorKeystore(options: NewValidatorKeystoreOptions,
160
259
  }
161
260
  }
162
261
 
163
- const outputData = !_mnemonic ? { ...keystore, generatedMnemonic: mnemonic } : keystore;
262
+ const outputData = !_mnemonic && !shouldEncryptKeystores ? { ...keystore, generatedMnemonic: mnemonic } : keystore;
164
263
 
165
264
  // Handle JSON output
166
265
  if (json) {
@@ -1,4 +1,5 @@
1
1
  import { prettyPrintJSON } from '@aztec/cli/utils';
2
+ import { asyncPool } from '@aztec/foundation/async-pool';
2
3
  import { deriveBlsPrivateKey } from '@aztec/foundation/crypto/bls';
3
4
  import { createBn254Keystore } from '@aztec/foundation/crypto/bls/bn254_keystore';
4
5
  import { computeBn254G1PublicKeyCompressed } from '@aztec/foundation/crypto/bn254';
@@ -10,12 +11,60 @@ import type { AztecAddress } from '@aztec/stdlib/aztec-address';
10
11
  import { Wallet } from '@ethersproject/wallet';
11
12
  import { constants as fsConstants, mkdirSync } from 'fs';
12
13
  import { access, writeFile } from 'fs/promises';
13
- import { homedir } from 'os';
14
+ import { availableParallelism, homedir } from 'os';
14
15
  import { dirname, isAbsolute, join } from 'path';
15
16
  import { mnemonicToAccount } from 'viem/accounts';
17
+ import { Worker } from 'worker_threads';
16
18
 
17
19
  import { defaultBlsPath } from './utils.js';
18
20
 
21
+ type EthJsonV3WorkerResult = { json: string } | { error: { message: string; name?: string; stack?: string } };
22
+
23
+ // ethers' default scrypt parameters use substantial memory, so keep worker fan-out bounded.
24
+ const maxEthKeystoreWorkers = Math.max(1, Math.min(4, availableParallelism()));
25
+
26
+ function deserializeWorkerError(error: { message: string; name?: string; stack?: string }) {
27
+ const result = new Error(error.message);
28
+ result.name = error.name ?? result.name;
29
+ result.stack = error.stack;
30
+ return result;
31
+ }
32
+
33
+ function encryptEthJsonV3InWorker(privateKeyHex: string, password: string): Promise<string> {
34
+ return new Promise<string>((resolve, reject) => {
35
+ const worker = new Worker(new URL('./eth_json_v3_worker.js', import.meta.url), {
36
+ workerData: { privateKeyHex, password },
37
+ });
38
+ let settled = false;
39
+
40
+ worker.once('message', (result: EthJsonV3WorkerResult) => {
41
+ settled = true;
42
+
43
+ if ('json' in result) {
44
+ resolve(result.json);
45
+ } else {
46
+ reject(deserializeWorkerError(result.error));
47
+ }
48
+ });
49
+ worker.once('error', error => {
50
+ settled = true;
51
+ reject(error);
52
+ });
53
+ worker.once('exit', code => {
54
+ if (!settled) {
55
+ reject(new Error(`ETH JSON V3 worker stopped with exit code ${code}`));
56
+ }
57
+ });
58
+ });
59
+ }
60
+
61
+ async function encryptEthJsonV3(privateKeyHex: string, password: string): Promise<string> {
62
+ if (process.env.JEST_WORKER_ID !== undefined) {
63
+ return await new Wallet(privateKeyHex).encrypt(password);
64
+ }
65
+ return await encryptEthJsonV3InWorker(privateKeyHex, password);
66
+ }
67
+
19
68
  export type ValidatorSummary = { attesterEth?: string; attesterBls?: string; publisherEth?: string[] };
20
69
 
21
70
  export type BuildValidatorsInput = {
@@ -228,7 +277,7 @@ export async function writeBn254BlsKeystore(
228
277
  ): Promise<string> {
229
278
  mkdirSync(outDir, { recursive: true });
230
279
 
231
- const keystore = createBn254Keystore(password, privateKeyHex, pubkeyHex, derivationPath);
280
+ const keystore = await createBn254Keystore(password, privateKeyHex, pubkeyHex, derivationPath);
232
281
 
233
282
  const safeBase = fileNameBase.replace(/[^a-zA-Z0-9_-]/g, '_');
234
283
  const outPath = join(outDir, `keystore-${safeBase}.json`);
@@ -241,28 +290,29 @@ export async function writeBlsBn254ToFile(
241
290
  validators: ValidatorKeyStore[],
242
291
  options: { outDir: string; password: string; blsPath?: string },
243
292
  ): Promise<void> {
244
- for (let i = 0; i < validators.length; i++) {
245
- const v = validators[i];
246
- if (!v || typeof v !== 'object' || !('attester' in v)) {
247
- continue;
248
- }
249
- const att = (v as any).attester;
293
+ await Promise.all(
294
+ validators.map(async (v, i) => {
295
+ if (!v || typeof v !== 'object' || !('attester' in v)) {
296
+ return;
297
+ }
298
+ const att = (v as any).attester;
250
299
 
251
- // Shapes: { bls: <hex> } or { eth: <ethAccount>, bls?: <hex> } or plain EthAccount
252
- const blsKey: string | undefined = typeof att === 'object' && 'bls' in att ? (att as any).bls : undefined;
253
- if (!blsKey || typeof blsKey !== 'string') {
254
- continue;
255
- }
300
+ // Shapes: { bls: <hex> } or { eth: <ethAccount>, bls?: <hex> } or plain EthAccount
301
+ const blsKey: string | undefined = typeof att === 'object' && 'bls' in att ? (att as any).bls : undefined;
302
+ if (!blsKey || typeof blsKey !== 'string') {
303
+ return;
304
+ }
256
305
 
257
- const pub = await computeBlsPublicKeyCompressed(blsKey);
258
- const path = options.blsPath ?? defaultBlsPath;
259
- const fileBase = `${String(i + 1)}_${pub.slice(2, 18)}`;
260
- const keystorePath = await writeBn254BlsKeystore(options.outDir, fileBase, options.password, blsKey, pub, path);
306
+ const pub = await computeBlsPublicKeyCompressed(blsKey);
307
+ const path = options.blsPath ?? defaultBlsPath;
308
+ const fileBase = `${String(i + 1)}_${pub.slice(2, 18)}`;
309
+ const keystorePath = await writeBn254BlsKeystore(options.outDir, fileBase, options.password, blsKey, pub, path);
261
310
 
262
- if (typeof att === 'object') {
263
- (att as any).bls = { path: keystorePath, password: options.password };
264
- }
265
- }
311
+ if (typeof att === 'object') {
312
+ (att as any).bls = { path: keystorePath, password: options.password };
313
+ }
314
+ }),
315
+ );
266
316
  }
267
317
 
268
318
  /** Writes an Ethereum JSON V3 keystore using ethers, returns absolute path */
@@ -274,8 +324,7 @@ export async function writeEthJsonV3Keystore(
274
324
  ): Promise<string> {
275
325
  const safeBase = fileNameBase.replace(/[^a-zA-Z0-9_-]/g, '_');
276
326
  mkdirSync(outDir, { recursive: true });
277
- const wallet = new Wallet(privateKeyHex);
278
- const json = await wallet.encrypt(password);
327
+ const json = await encryptEthJsonV3(privateKeyHex, password);
279
328
  const outPath = join(outDir, `keystore-eth-${safeBase}.json`);
280
329
  await writeFile(outPath, json, { encoding: 'utf-8' });
281
330
  return outPath;
@@ -286,13 +335,16 @@ export async function writeEthJsonV3ToFile(
286
335
  validators: ValidatorKeyStore[],
287
336
  options: { outDir: string; password: string },
288
337
  ): Promise<void> {
289
- const maybeEncryptEth = async (account: any, label: string) => {
338
+ const tasks: (() => Promise<void>)[] = [];
339
+
340
+ const maybeQueueEncryptEth = (account: any, label: string, setEncryptedAccount: (account: any) => void) => {
290
341
  if (typeof account === 'string' && account.startsWith('0x') && account.length === 66) {
291
- const fileBase = `${label}_${account.slice(2, 10)}`;
292
- const p = await writeEthJsonV3Keystore(options.outDir, fileBase, options.password, account);
293
- return { path: p, password: options.password };
342
+ tasks.push(async () => {
343
+ const fileBase = `${label}_${account.slice(2, 10)}`;
344
+ const path = await writeEthJsonV3Keystore(options.outDir, fileBase, options.password, account);
345
+ setEncryptedAccount({ path, password: options.password });
346
+ });
294
347
  }
295
- return account;
296
348
  };
297
349
 
298
350
  for (let i = 0; i < validators.length; i++) {
@@ -304,23 +356,23 @@ export async function writeEthJsonV3ToFile(
304
356
  // attester may be string (eth), object with eth, or remote signer
305
357
  const att = (v as any).attester;
306
358
  if (typeof att === 'string') {
307
- (v as any).attester = await maybeEncryptEth(att, `attester_${i + 1}`);
359
+ maybeQueueEncryptEth(att, `attester_${i + 1}`, account => ((v as any).attester = account));
308
360
  } else if (att && typeof att === 'object' && 'eth' in att) {
309
- (att as any).eth = await maybeEncryptEth((att as any).eth, `attester_${i + 1}`);
361
+ maybeQueueEncryptEth((att as any).eth, `attester_${i + 1}`, account => ((att as any).eth = account));
310
362
  }
311
363
 
312
364
  // publisher can be single or array
313
365
  if ('publisher' in v) {
314
366
  const pub = (v as any).publisher;
315
367
  if (Array.isArray(pub)) {
316
- const out: any[] = [];
317
368
  for (let j = 0; j < pub.length; j++) {
318
- out.push(await maybeEncryptEth(pub[j], `publisher_${i + 1}_${j + 1}`));
369
+ maybeQueueEncryptEth(pub[j], `publisher_${i + 1}_${j + 1}`, account => (pub[j] = account));
319
370
  }
320
- (v as any).publisher = out;
321
371
  } else if (pub !== undefined) {
322
- (v as any).publisher = await maybeEncryptEth(pub, `publisher_${i + 1}`);
372
+ maybeQueueEncryptEth(pub, `publisher_${i + 1}`, account => ((v as any).publisher = account));
323
373
  }
324
374
  }
325
375
  }
376
+
377
+ await asyncPool(maxEthKeystoreWorkers, tasks, task => task());
326
378
  }