@aztec/node-keystore 0.0.1-commit.24de95ac

package/dest/schemas.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schemas.d.ts","sourceRoot":"","sources":["../src/schemas.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAE3D,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAG/D,eAAO,MAAM,mBAAmB,kDAGK,CAAC;AACtC,eAAO,MAAM,mBAAmB,kDAGK,CAAC;AAgFtC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAYvB,CAAC"}

package/dest/schemas.js

@@ -0,0 +1,103 @@
+/**
+ * Zod schemas for keystore validation using Aztec's validation functions
+ */ import { optional, schemas } from '@aztec/foundation/schemas';
+import { AztecAddress } from '@aztec/stdlib/aztec-address';
+import { z } from 'zod';
+// Use Aztec's validation functions but return string types to match our TypeScript interfaces
+export const ethPrivateKeySchema = z.string().regex(/^0x[0-9a-fA-F]{64}$/, 'Invalid private key (must be 32 bytes with 0x prefix)').transform((s)=>s);
+export const blsPrivateKeySchema = z.string().regex(/^0x[0-9a-fA-F]{64}$/, 'Invalid BLS private key (must be 32 bytes with 0x prefix)').transform((s)=>s);
+const urlSchema = z.string().url('Invalid URL');
+// Remote signer config schema
+const remoteSignerConfigSchema = z.union([
+    urlSchema,
+    z.object({
+        remoteSignerUrl: urlSchema,
+        certPath: optional(z.string()),
+        certPass: optional(z.string())
+    })
+]);
+// Remote signer account schema
+const remoteSignerAccountSchema = z.union([
+    schemas.EthAddress,
+    z.object({
+        address: schemas.EthAddress,
+        remoteSignerUrl: urlSchema,
+        certPath: optional(z.string()),
+        certPass: optional(z.string())
+    })
+]);
+// Encrypted keystore file schema (used for both JSON V3 ETH keys and EIP-2335 BLS keys)
+const encryptedKeyFileSchema = z.object({
+    path: z.string(),
+    password: optional(z.string())
+});
+// Mnemonic config schema
+const mnemonicConfigSchema = z.object({
+    mnemonic: z.string().min(1, 'Mnemonic cannot be empty'),
+    addressIndex: z.number().int().min(0).default(0),
+    accountIndex: z.number().int().min(0).default(0),
+    addressCount: z.number().int().min(1).default(1),
+    accountCount: z.number().int().min(1).default(1)
+});
+// EthAccount schema
+const ethAccountSchema = z.union([
+    ethPrivateKeySchema,
+    remoteSignerAccountSchema,
+    encryptedKeyFileSchema
+]);
+// EthAccounts schema
+const ethAccountsSchema = z.union([
+    ethAccountSchema,
+    z.array(ethAccountSchema),
+    mnemonicConfigSchema
+]);
+// BLSAccount schema
+const blsAccountSchema = z.union([
+    blsPrivateKeySchema,
+    encryptedKeyFileSchema
+]);
+// AttesterAccount schema: either EthAccount or { eth: EthAccount, bls?: BLSAccount }
+const attesterAccountSchema = z.union([
+    ethAccountSchema,
+    z.object({
+        eth: ethAccountSchema,
+        bls: optional(blsAccountSchema)
+    })
+]);
+// AttesterAccounts schema: AttesterAccount | AttesterAccount[] | MnemonicConfig
+const attesterAccountsSchema = z.union([
+    attesterAccountSchema,
+    z.array(attesterAccountSchema),
+    mnemonicConfigSchema
+]);
+// Prover keystore schema
+const proverKeyStoreSchema = z.union([
+    ethAccountSchema,
+    z.object({
+        id: schemas.EthAddress,
+        publisher: ethAccountsSchema
+    })
+]);
+// Validator keystore schema
+const validatorKeyStoreSchema = z.object({
+    attester: attesterAccountsSchema,
+    coinbase: optional(schemas.EthAddress),
+    publisher: optional(ethAccountsSchema),
+    feeRecipient: AztecAddress.schema,
+    remoteSigner: optional(remoteSignerConfigSchema),
+    fundingAccount: optional(ethAccountSchema)
+});
+// Main keystore schema
+export const keystoreSchema = z.object({
+    schemaVersion: z.literal(1),
+    validators: optional(z.array(validatorKeyStoreSchema)),
+    slasher: optional(ethAccountsSchema),
+    remoteSigner: optional(remoteSignerConfigSchema),
+    prover: optional(proverKeyStoreSchema),
+    fundingAccount: optional(ethAccountSchema)
+}).refine((data)=>data.validators || data.prover, {
+    message: 'Keystore must have at least validators or prover configuration',
+    path: [
+        'root'
+    ]
+});

package/dest/signer.d.ts

@@ -0,0 +1,87 @@
+/**
+ * Signer Interface and Implementations
+ *
+ * Common interface for different signing backends (local, remote, encrypted)
+ */
+import type { EthSigner } from '@aztec/ethereum';
+import { Buffer32 } from '@aztec/foundation/buffer';
+import type { EthAddress } from '@aztec/foundation/eth-address';
+import { Signature } from '@aztec/foundation/eth-signature';
+import { type TransactionSerializable, type TypedDataDefinition } from 'viem';
+import type { EthRemoteSignerConfig } from './types.js';
+/**
+ * Error thrown for remote signer HTTP or JSON-RPC failures
+ */
+export declare class SignerError extends Error {
+    method: string;
+    url: string;
+    statusCode?: number | undefined;
+    errorCode?: number | undefined;
+    constructor(message: string, method: string, url: string, statusCode?: number | undefined, errorCode?: number | undefined);
+}
+/**
+ * Local signer that holds an in-memory Secp256k1 private key.
+ */
+export declare class LocalSigner implements EthSigner {
+    private privateKey;
+    private readonly signer;
+    constructor(privateKey: Buffer32);
+    get address(): EthAddress;
+    signMessage(message: Buffer32): Promise<Signature>;
+    signTypedData(typedData: TypedDataDefinition): Promise<Signature>;
+    signTransaction(transaction: TransactionSerializable): Promise<Signature>;
+}
+/**
+ * Remote signer that proxies signing operations to a Web3Signer-compatible HTTP endpoint.
+ */
+export declare class RemoteSigner implements EthSigner {
+    readonly address: EthAddress;
+    private readonly config;
+    private fetch;
+    constructor(address: EthAddress, config: EthRemoteSignerConfig, fetch?: typeof globalThis.fetch);
+    /**
+     * Validates that a web3signer is accessible and that the given addresses are available.
+     * @param remoteSignerUrl - The URL of the web3signer (can be string or EthRemoteSignerConfig)
+     * @param addresses - The addresses to check for availability
+     * @param fetch - Optional fetch implementation for testing
+     * @throws Error if the web3signer is not accessible or if any address is not available
+     */
+    static validateAccess(remoteSignerUrl: EthRemoteSignerConfig, addresses: string[], fetch?: typeof globalThis.fetch): Promise<void>;
+    /**
+     * Sign a message using eth_sign via remote JSON-RPC.
+     */
+    signMessage(message: Buffer32): Promise<Signature>;
+    /**
+     * Sign typed data using eth_signTypedData_v4 via remote JSON-RPC.
+     */
+    signTypedData(typedData: TypedDataDefinition): Promise<Signature>;
+    signTransaction(transaction: TransactionSerializable): Promise<Signature>;
+    /**
+     * Make a JSON-RPC sign request using eth_sign
+     */
+    /**
+     * Make a JSON-RPC eth_sign request.
+     */
+    private makeJsonRpcSignRequest;
+    /**
+     * Make a JSON-RPC eth_signTypedData_v4 request.
+     */
+    private makeJsonRpcSignTypedDataRequest;
+    /**
+     * Make a JSON-RPC eth_signTransaction request.
+     */
+    private makeJsonRpcSignTransactionRequest;
+    /**
+     * Sends a JSON-RPC request and returns its result
+     */
+    private makeJsonRpcRequest;
+    /**
+     * Resolve the effective remote signer URL from config.
+     */
+    private getSignerUrl;
+    /**
+     * Generate an id to use for a JSON-RPC call
+     */
+    private generateId;
+}
+//# sourceMappingURL=signer.d.ts.map

package/dest/signer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.d.ts","sourceRoot":"","sources":["../src/signer.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AAEpD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAChE,OAAO,EAAE,SAAS,EAAiC,MAAM,iCAAiC,CAAC;AAI3F,OAAO,EACL,KAAK,uBAAuB,EAC5B,KAAK,mBAAmB,EAKzB,MAAM,MAAM,CAAC;AAEd,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAExD;;GAEG;AACH,qBAAa,WAAY,SAAQ,KAAK;IAG3B,MAAM,EAAE,MAAM;IACd,GAAG,EAAE,MAAM;IACX,UAAU,CAAC,EAAE,MAAM;IACnB,SAAS,CAAC,EAAE,MAAM;gBAJzB,OAAO,EAAE,MAAM,EACR,MAAM,EAAE,MAAM,EACd,GAAG,EAAE,MAAM,EACX,UAAU,CAAC,EAAE,MAAM,YAAA,EACnB,SAAS,CAAC,EAAE,MAAM,YAAA;CAK5B;AAED;;GAEG;AACH,qBAAa,WAAY,YAAW,SAAS;IAG/B,OAAO,CAAC,UAAU;IAF9B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAkB;gBAErB,UAAU,EAAE,QAAQ;IAIxC,IAAI,OAAO,IAAI,UAAU,CAExB;IAED,WAAW,CAAC,OAAO,EAAE,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC;IAIlD,aAAa,CAAC,SAAS,EAAE,mBAAmB,GAAG,OAAO,CAAC,SAAS,CAAC;IAKjE,eAAe,CAAC,WAAW,EAAE,uBAAuB,GAAG,OAAO,CAAC,SAAS,CAAC;CAc1E;AAmBD;;GAEG;AACH,qBAAa,YAAa,YAAW,SAAS;aAE1B,OAAO,EAAE,UAAU;IACnC,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,KAAK;gBAFG,OAAO,EAAE,UAAU,EAClB,MAAM,EAAE,qBAAqB,EACtC,KAAK,GAAE,OAAO,UAAU,CAAC,KAAwB;IAG3D;;;;;;OAMG;WACU,cAAc,CACzB,eAAe,EAAE,qBAAqB,EACtC,SAAS,EAAE,MAAM,EAAE,EACnB,KAAK,GAAE,OAAO,UAAU,CAAC,KAAwB,GAChD,OAAO,CAAC,IAAI,CAAC;IAiEhB;;OAEG;IACG,WAAW,CAAC,OAAO,EAAE,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC;IAIxD;;OAEG;IACG,aAAa,CAAC,SAAS,EAAE,mBAAmB,GAAG,OAAO,CAAC,SAAS,CAAC;IAIvE,eAAe,CAAC,WAAW,EAAE,uBAAuB,GAAG,OAAO,CAAC,SAAS,CAAC;IAIzE;;OAEG;IACH;;OAEG;YACW,sBAAsB;IAcpC;;OAEG;YACW,+BAA+B;IAkB7C;;OAEG;YACW,iCAAiC;IA+C/C;;OAEG;YACW,kBAAkB;IAyChC;;OAEG;IACH,OAAO,CAAC,YAAY;IAOpB;;OAEG;IACH,OAAO,CAAC,UAAU;CAGnB"}

package/dest/signer.js

@@ -0,0 +1,228 @@
+/**
+ * Signer Interface and Implementations
+ *
+ * Common interface for different signing backends (local, remote, encrypted)
+ */ import { Buffer32 } from '@aztec/foundation/buffer';
+import { Secp256k1Signer, randomBytes, toRecoveryBit } from '@aztec/foundation/crypto';
+import { Signature } from '@aztec/foundation/eth-signature';
+import { jsonStringify } from '@aztec/foundation/json-rpc';
+import { withHexPrefix } from '@aztec/foundation/string';
+import { hashTypedData, keccak256, parseTransaction, serializeTransaction } from 'viem';
+/**
+ * Error thrown for remote signer HTTP or JSON-RPC failures
+ */ export class SignerError extends Error {
+    method;
+    url;
+    statusCode;
+    errorCode;
+    constructor(message, method, url, statusCode, errorCode){
+        super(message), this.method = method, this.url = url, this.statusCode = statusCode, this.errorCode = errorCode;
+        this.name = 'SignerError';
+    }
+}
+/**
+ * Local signer that holds an in-memory Secp256k1 private key.
+ */ export class LocalSigner {
+    privateKey;
+    signer;
+    constructor(privateKey){
+        this.privateKey = privateKey;
+        this.signer = new Secp256k1Signer(privateKey);
+    }
+    get address() {
+        return this.signer.address;
+    }
+    signMessage(message) {
+        return Promise.resolve(this.signer.signMessage(message));
+    }
+    signTypedData(typedData) {
+        const digest = hashTypedData(typedData);
+        return Promise.resolve(this.signer.sign(Buffer32.fromString(digest)));
+    }
+    signTransaction(transaction) {
+        // Taken from viem's `signTransaction` implementation
+        const tx = transaction.type === 'eip4844' ? {
+            ...transaction,
+            sidecars: false
+        } : transaction;
+        const serializedTx = serializeTransaction(tx);
+        const txHash = keccak256(serializedTx);
+        const sig = this.signer.sign(Buffer32.fromString(txHash.slice(2)));
+        return Promise.resolve(new Signature(sig.r, sig.s, toRecoveryBit(sig.v)));
+    }
+}
+/**
+ * Remote signer that proxies signing operations to a Web3Signer-compatible HTTP endpoint.
+ */ export class RemoteSigner {
+    address;
+    config;
+    fetch;
+    constructor(address, config, fetch = globalThis.fetch){
+        this.address = address;
+        this.config = config;
+        this.fetch = fetch;
+    }
+    /**
+   * Validates that a web3signer is accessible and that the given addresses are available.
+   * @param remoteSignerUrl - The URL of the web3signer (can be string or EthRemoteSignerConfig)
+   * @param addresses - The addresses to check for availability
+   * @param fetch - Optional fetch implementation for testing
+   * @throws Error if the web3signer is not accessible or if any address is not available
+   */ static async validateAccess(remoteSignerUrl, addresses, fetch = globalThis.fetch) {
+        const url = typeof remoteSignerUrl === 'string' ? remoteSignerUrl : remoteSignerUrl.remoteSignerUrl;
+        try {
+            // Check if the web3signer is reachable by calling eth_accounts
+            const response = await fetch(url, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json'
+                },
+                body: JSON.stringify({
+                    jsonrpc: '2.0',
+                    method: 'eth_accounts',
+                    params: [],
+                    id: 1
+                })
+            });
+            if (!response.ok) {
+                const errorText = await response.text();
+                throw new SignerError(`Web3Signer validation failed: ${response.status} ${response.statusText} - ${errorText}`, 'eth_accounts', url, response.status);
+            }
+            const result = await response.json();
+            if (result.error) {
+                throw new SignerError(`Web3Signer JSON-RPC error during validation: ${result.error.code} - ${result.error.message}`, 'eth_accounts', url, 200, result.error.code);
+            }
+            if (!result.result || !Array.isArray(result.result)) {
+                throw new Error('Invalid response from Web3Signer: expected array of accounts');
+            }
+            // Normalize addresses to lowercase for comparison
+            const availableAccounts = result.result.map((addr)=>addr.toLowerCase());
+            const requestedAddresses = addresses.map((addr)=>addr.toLowerCase());
+            // Check if all requested addresses are available
+            const missingAddresses = requestedAddresses.filter((addr)=>!availableAccounts.includes(addr));
+            if (missingAddresses.length > 0) {
+                throw new Error(`The following addresses are not available in the web3signer: ${missingAddresses.join(', ')}`);
+            }
+        } catch (error) {
+            if (error instanceof SignerError) {
+                throw error;
+            }
+            if (error.code === 'ECONNREFUSED' || error.cause?.code === 'ECONNREFUSED') {
+                throw new Error(`Unable to connect to web3signer at ${url}. Please ensure it is running and accessible.`);
+            }
+            throw error;
+        }
+    }
+    /**
+   * Sign a message using eth_sign via remote JSON-RPC.
+   */ async signMessage(message) {
+        return await this.makeJsonRpcSignRequest(message);
+    }
+    /**
+   * Sign typed data using eth_signTypedData_v4 via remote JSON-RPC.
+   */ async signTypedData(typedData) {
+        return await this.makeJsonRpcSignTypedDataRequest(typedData);
+    }
+    signTransaction(transaction) {
+        return this.makeJsonRpcSignTransactionRequest(transaction);
+    }
+    /**
+   * Make a JSON-RPC sign request using eth_sign
+   */ /**
+   * Make a JSON-RPC eth_sign request.
+   */ async makeJsonRpcSignRequest(data) {
+        let signatureHex = await this.makeJsonRpcRequest('eth_sign', this.address.toString(), data.toString());
+        if (typeof signatureHex !== 'string') {
+            throw new Error('Invalid signature');
+        }
+        if (!signatureHex.startsWith('0x')) {
+            signatureHex = '0x' + signatureHex;
+        }
+        return Signature.fromString(signatureHex);
+    }
+    /**
+   * Make a JSON-RPC eth_signTypedData_v4 request.
+   */ async makeJsonRpcSignTypedDataRequest(typedData) {
+        let signatureHex = await this.makeJsonRpcRequest('eth_signTypedData', this.address.toString(), jsonStringify(typedData));
+        if (typeof signatureHex !== 'string') {
+            throw new Error('Invalid signature');
+        }
+        if (!signatureHex.startsWith('0x')) {
+            signatureHex = '0x' + signatureHex;
+        }
+        return Signature.fromString(signatureHex);
+    }
+    /**
+   * Make a JSON-RPC eth_signTransaction request.
+   */ async makeJsonRpcSignTransactionRequest(tx) {
+        if (tx.type !== 'eip1559') {
+            throw new Error('This signer does not support tx type: ' + tx.type);
+        }
+        const txObject = {
+            from: this.address.toString(),
+            to: tx.to ?? null,
+            data: tx.data,
+            value: typeof tx.value !== 'undefined' ? withHexPrefix(tx.value.toString(16)) : undefined,
+            nonce: typeof tx.nonce !== 'undefined' ? withHexPrefix(tx.nonce.toString(16)) : undefined,
+            gas: typeof tx.gas !== 'undefined' ? withHexPrefix(tx.gas.toString(16)) : undefined,
+            maxFeePerGas: typeof tx.maxFeePerGas !== 'undefined' ? withHexPrefix(tx.maxFeePerGas.toString(16)) : undefined,
+            maxPriorityFeePerGas: typeof tx.maxPriorityFeePerGas !== 'undefined' ? withHexPrefix(tx.maxPriorityFeePerGas.toString(16)) : undefined
+        };
+        let rawTxHex = await this.makeJsonRpcRequest('eth_signTransaction', txObject);
+        if (typeof rawTxHex !== 'string') {
+            throw new Error('Invalid signed tx');
+        }
+        if (!rawTxHex.startsWith('0x')) {
+            rawTxHex = '0x' + rawTxHex;
+        }
+        // we get back to whole signed tx. Deserialize it in order to read the signature
+        const parsedTxWithSignature = parseTransaction(rawTxHex);
+        if (parsedTxWithSignature.r === undefined || parsedTxWithSignature.s === undefined || parsedTxWithSignature.v === undefined) {
+            throw new Error('Tx not signed by Web3Signer');
+        }
+        return Signature.fromViemTransactionSignature(parsedTxWithSignature);
+    }
+    /**
+   * Sends a JSON-RPC request and returns its result
+   */ async makeJsonRpcRequest(method, ...params) {
+        const url = this.getSignerUrl();
+        const id = this.generateId();
+        const response = await this.fetch(url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json'
+            },
+            body: jsonStringify({
+                jsonrpc: '2.0',
+                method,
+                params,
+                id
+            })
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            throw new SignerError(`Web3Signer request failed for ${method} at ${url}: ${response.status} ${response.statusText} - ${errorText}`, method, url, response.status);
+        }
+        const result = await response.json();
+        if (result.error) {
+            throw new SignerError(`Web3Signer JSON-RPC error for ${method} at ${url}: ${result.error.code} - ${result.error.message}`, method, url, response.status, result.error.code);
+        }
+        if (!result.result) {
+            throw new Error('Invalid response from Web3Signer: no result found');
+        }
+        return result.result;
+    }
+    /**
+   * Resolve the effective remote signer URL from config.
+   */ getSignerUrl() {
+        if (typeof this.config === 'string') {
+            return this.config;
+        }
+        return this.config.remoteSignerUrl;
+    }
+    /**
+   * Generate an id to use for a JSON-RPC call
+   */ generateId() {
+        return randomBytes(4).toString('hex');
+    }
+}

package/dest/types.d.ts

@@ -0,0 +1,116 @@
+/**
+ * Keys and Addresses Configuration Types
+ *
+ * TypeScript definitions based on the specification for validator keystore files.
+ * These types define the JSON structure for configuring validators, provers, and
+ * their associated keys and addresses.
+ */
+import type { EthAddress } from '@aztec/foundation/eth-address';
+import type { Hex } from '@aztec/foundation/string';
+import type { AztecAddress } from '@aztec/stdlib/aztec-address';
+/**
+ * An encrypted keystore file config points to a local file with an encrypted private key.
+ * The file may be in different formats:
+ * - JSON V3 format for ETH keys (Ethereum wallet standard)
+ * - EIP-2335 format for BLS keys (Ethereum 2.0 validator standard)
+ */
+export type EncryptedKeyFileConfig = {
+    path: string;
+    password?: string;
+};
+/** A private key is a 32-byte 0x-prefixed hex */
+export type EthPrivateKey = Hex<32>;
+/** A BLS private key is a 32-byte 0x-prefixed hex */
+export type BLSPrivateKey = Hex<32>;
+/** URL type for remote signers */
+export type Url = string;
+/**
+ * A remote signer is configured as an URL to connect to, and optionally a client certificate to use for auth
+ */
+export type EthRemoteSignerConfig = Url | {
+    remoteSignerUrl: Url;
+    certPath?: string;
+    certPass?: string;
+};
+/**
+ * A remote signer account config is equal to the remote signer config, but requires an address to be specified.
+ * If only the address is set, then the default remote signer config from the parent config is used.
+ */
+export type EthRemoteSignerAccount = EthAddress | {
+    address: EthAddress;
+    remoteSignerUrl: Url;
+    certPath?: string;
+    certPass?: string;
+};
+/** An L1 account is a private key, a remote signer configuration, or an encrypted keystore file (JSON V3 format) */
+export type EthAccount = EthPrivateKey | EthRemoteSignerAccount | EncryptedKeyFileConfig;
+/** A mnemonic can be used to define a set of accounts */
+export type MnemonicConfig = {
+    mnemonic: string;
+    addressIndex?: number;
+    accountIndex?: number;
+    addressCount?: number;
+    accountCount?: number;
+};
+/** One or more L1 accounts */
+export type EthAccounts = EthAccount | EthAccount[] | MnemonicConfig;
+export type ProverKeyStoreWithId = {
+    /** Address that identifies the prover. This address will receive the rewards. */
+    id: EthAddress;
+    /** One or more EOAs used for sending proof L1 txs. */
+    publisher: EthAccounts;
+};
+export type ProverKeyStore = ProverKeyStoreWithId | EthAccount;
+/** A BLS account is either a private key, or an EIP-2335 encrypted keystore file */
+export type BLSAccount = BLSPrivateKey | EncryptedKeyFileConfig;
+/** An AttesterAccount is a combined EthAccount and optional BLSAccount */
+export type AttesterAccount = {
+    eth: EthAccount;
+    bls?: BLSAccount;
+} | EthAccount;
+/** One or more attester accounts combining ETH and BLS keys */
+export type AttesterAccounts = AttesterAccount | AttesterAccount[] | MnemonicConfig;
+export type ValidatorKeyStore = {
+    /**
+     * One or more validator attester keys to handle in this configuration block.
+     * An attester address may only appear once across all configuration blocks across all keystore files.
+     */
+    attester: AttesterAccounts;
+    /**
+     * Coinbase address to use when proposing an L2 block as any of the validators in this configuration block.
+     * Falls back to the attester address if not set.
+     */
+    coinbase?: EthAddress;
+    /**
+     * One or more EOAs used for sending block proposal L1 txs for all validators in this configuration block.
+     * Falls back to the attester account if not set.
+     */
+    publisher?: EthAccounts;
+    /**
+     * Fee recipient address to use when proposing an L2 block as any of the validators in this configuration block.
+     */
+    feeRecipient: AztecAddress;
+    /**
+     * Default remote signer for all accounts in this block.
+     */
+    remoteSigner?: EthRemoteSignerConfig;
+    /**
+     * Used for automatically funding publisher accounts in this block.
+     */
+    fundingAccount?: EthAccount;
+};
+export type KeyStore = {
+    /** Schema version of this keystore file (initially 1). */
+    schemaVersion: number;
+    /** Validator configurations. */
+    validators?: ValidatorKeyStore[];
+    /** One or more accounts used for creating slash payloads on L1. Does not create slash payloads if not set. */
+    slasher?: EthAccounts;
+    /** Default config for the remote signer for all accounts in this file. */
+    remoteSigner?: EthRemoteSignerConfig;
+    /** Prover configuration. Only one prover configuration is allowed. */
+    prover?: ProverKeyStore;
+    /** Used for automatically funding publisher accounts if there is none defined in the corresponding  ValidatorKeyStore*/
+    fundingAccount?: EthAccount;
+};
+//# sourceMappingURL=types.d.ts.map

package/dest/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAChE,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,0BAA0B,CAAC;AACpD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAEhE;;;;;GAKG;AACH,MAAM,MAAM,sBAAsB,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEzE,iDAAiD;AACjD,MAAM,MAAM,aAAa,GAAG,GAAG,CAAC,EAAE,CAAC,CAAC;AAEpC,qDAAqD;AACrD,MAAM,MAAM,aAAa,GAAG,GAAG,CAAC,EAAE,CAAC,CAAC;AAEpC,kCAAkC;AAClC,MAAM,MAAM,GAAG,GAAG,MAAM,CAAC;AAEzB;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAC7B,GAAG,GACH;IACE,eAAe,EAAE,GAAG,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEN;;;GAGG;AACH,MAAM,MAAM,sBAAsB,GAC9B,UAAU,GACV;IACE,OAAO,EAAE,UAAU,CAAC;IACpB,eAAe,EAAE,GAAG,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEN,oHAAoH;AACpH,MAAM,MAAM,UAAU,GAAG,aAAa,GAAG,sBAAsB,GAAG,sBAAsB,CAAC;AAEzF,yDAAyD;AACzD,MAAM,MAAM,cAAc,GAAG;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,8BAA8B;AAC9B,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,UAAU,EAAE,GAAG,cAAc,CAAC;AAErE,MAAM,MAAM,oBAAoB,GAAG;IACjC,iFAAiF;IACjF,EAAE,EAAE,UAAU,CAAC;IACf,sDAAsD;IACtD,SAAS,EAAE,WAAW,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG,oBAAoB,GAAG,UAAU,CAAC;AAE/D,oFAAoF;AACpF,MAAM,MAAM,UAAU,GAAG,aAAa,GAAG,sBAAsB,CAAC;AAEhE,0EAA0E;AAC1E,MAAM,MAAM,eAAe,GAAG;IAAE,GAAG,EAAE,UAAU,CAAC;IAAC,GAAG,CAAC,EAAE,UAAU,CAAA;CAAE,GAAG,UAAU,CAAC;AAEjF,+DAA+D;AAC/D,MAAM,MAAM,gBAAgB,GAAG,eAAe,GAAG,eAAe,EAAE,GAAG,cAAc,CAAC;AAEpF,MAAM,MAAM,iBAAiB,GAAG;IAC9B;;;OAGG;IACH,QAAQ,EAAE,gBAAgB,CAAC;IAC3B;;;OAGG;IACH,QAAQ,CAAC,EAAE,UAAU,CAAC;IACtB;;;OAGG;IACH,SAAS,CAAC,EAAE,WAAW,CAAC;IACxB;;OAEG;IACH,YAAY,EAAE,YAAY,CAAC;IAC3B;;OAEG;IACH,YAAY,CAAC,EAAE,qBAAqB,CAAC;IACrC;;OAEG;IACH,cAAc,CAAC,EAAE,UAAU,CAAC;CAC7B,CAAC;AAEF,MAAM,MAAM,QAAQ,GAAG;IACrB,0DAA0D;IAC1D,aAAa,EAAE,MAAM,CAAC;IACtB,gCAAgC;IAChC,UAAU,CAAC,EAAE,iBAAiB,EAAE,CAAC;IACjC,8GAA8G;IAC9G,OAAO,CAAC,EAAE,WAAW,CAAC;IACtB,0EAA0E;IAC1E,YAAY,CAAC,EAAE,qBAAqB,CAAC;IACrC,sEAAsE;IACtE,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,wHAAwH;IACxH,cAAc,CAAC,EAAE,UAAU,CAAC;CAC7B,CAAC"}

package/dest/types.js

@@ -0,0 +1,7 @@
+/**
+ * Keys and Addresses Configuration Types
+ *
+ * TypeScript definitions based on the specification for validator keystore files.
+ * These types define the JSON structure for configuring validators, provers, and
+ * their associated keys and addresses.
+ */ export { };

package/package.json

@@ -0,0 +1,90 @@
+{
+  "name": "@aztec/node-keystore",
+  "version": "0.0.1-commit.24de95ac",
+  "type": "module",
+  "exports": {
+    ".": "./dest/index.js",
+    "./types": "./dest/types.js",
+    "./validation": "./dest/validation.js",
+    "./loader": "./dest/loader.js"
+  },
+  "typedocOptions": {
+    "entryPoints": [
+      "./src/index.ts"
+    ],
+    "name": "Node Keystore",
+    "tsconfig": "./tsconfig.json"
+  },
+  "scripts": {
+    "build": "yarn clean && tsc -b",
+    "build:dev": "tsc -b --watch",
+    "clean": "rm -rf ./dest .tsbuildinfo",
+    "test": "NODE_NO_WARNINGS=1 node --experimental-vm-modules ../node_modules/.bin/jest --passWithNoTests --maxWorkers=${JEST_MAX_WORKERS:-8}"
+  },
+  "inherits": [
+    "../package.common.json"
+  ],
+  "jest": {
+    "moduleNameMapper": {
+      "^(\\.{1,2}/.*)\\.[cm]?js$": "$1"
+    },
+    "testRegex": "./src/.*\\.test\\.(js|mjs|ts)$",
+    "rootDir": "./src",
+    "transform": {
+      "^.+\\.tsx?$": [
+        "@swc/jest",
+        {
+          "jsc": {
+            "parser": {
+              "syntax": "typescript",
+              "decorators": true
+            },
+            "transform": {
+              "decoratorVersion": "2022-03"
+            }
+          }
+        }
+      ]
+    },
+    "extensionsToTreatAsEsm": [
+      ".ts"
+    ],
+    "reporters": [
+      "default"
+    ],
+    "testTimeout": 120000,
+    "setupFiles": [
+      "../../foundation/src/jest/setup.mjs"
+    ],
+    "testEnvironment": "../../foundation/src/jest/env.mjs",
+    "setupFilesAfterEnv": [
+      "../../foundation/src/jest/setupAfterEnv.mjs"
+    ]
+  },
+  "dependencies": {
+    "@aztec/ethereum": "0.0.1-commit.24de95ac",
+    "@aztec/foundation": "0.0.1-commit.24de95ac",
+    "@aztec/stdlib": "0.0.1-commit.24de95ac",
+    "@ethersproject/wallet": "^5.7.0",
+    "tslib": "^2.4.0",
+    "viem": "npm:@spalladino/viem@2.38.2-eip7594.0",
+    "zod": "^3.23.8"
+  },
+  "devDependencies": {
+    "@jest/globals": "^30.0.0",
+    "@types/jest": "^30.0.0",
+    "@types/node": "^22.15.17",
+    "jest": "^30.0.0",
+    "ts-node": "^10.9.1",
+    "typescript": "^5.3.3"
+  },
+  "files": [
+    "dest",
+    "src",
+    "!*.test.*"
+  ],
+  "types": "./dest/index.d.ts",
+  "engines": {
+    "node": ">=20.10"
+  }
+}

package/src/config.ts

@@ -0,0 +1,16 @@
+import { type ConfigMappingsType, getConfigFromMappings } from '@aztec/foundation/config';
+
+export type KeyStoreConfig = {
+  keyStoreDirectory: string | undefined;
+};
+
+export const keyStoreConfigMappings: ConfigMappingsType<KeyStoreConfig> = {
+  keyStoreDirectory: {
+    env: 'KEY_STORE_DIRECTORY',
+    description: 'Location of key store directory',
+  },
+};
+
+export function getKeyStoreConfigFromEnv(): KeyStoreConfig {
+  return getConfigFromMappings<KeyStoreConfig>(keyStoreConfigMappings);
+}

package/src/index.ts

@@ -0,0 +1,6 @@
+export * from './types.js';
+export * from './loader.js';
+export * from './schemas.js';
+export * from './signer.js';
+export * from './keystore_manager.js';
+export * from './config.js';