@aztec/node-keystore 0.0.1-fake-ceab37513c → 0.0.2-commit.217f559981

package/src/loader.ts

@@ -3,10 +3,13 @@
  *
  * Handles loading and parsing keystore configuration files.
  */
+import { EthAddress } from '@aztec/foundation/eth-address';
 import { createLogger } from '@aztec/foundation/log';
+import type { Hex } from '@aztec/foundation/string';
 
 import { readFileSync, readdirSync, statSync } from 'fs';
 import { extname, join } from 'path';
+import { privateKeyToAddress } from 'viem/accounts';
 
 import { keystoreSchema } from './schemas.js';
 import type { EthAccounts, KeyStore } from './types.js';
@@ -205,12 +208,18 @@ export function mergeKeystores(keystores: KeyStore[]): KeyStore {
   // Track attester addresses to prevent duplicates
   const attesterAddresses = new Set<string>();
 
+  // Determine schema version: use v2 if any input is v2
+  const schemaVersion = keystores.some(ks => ks.schemaVersion === 2) ? 2 : 1;
+
   const merged: KeyStore = {
-    schemaVersion: 1,
+    schemaVersion,
     validators: [],
     slasher: undefined,
     remoteSigner: undefined,
     prover: undefined,
+    publisher: undefined,
+    coinbase: undefined,
+    feeRecipient: undefined,
   };
 
   for (let i = 0; i < keystores.length; i++) {
@@ -220,8 +229,9 @@ export function mergeKeystores(keystores: KeyStore[]): KeyStore {
     if (keystore.validators) {
       for (const validator of keystore.validators) {
         // Check for duplicate attester addresses
-        const attesterKeys = extractAttesterKeys(validator.attester);
-        for (const key of attesterKeys) {
+        const attesterKeys = extractAttesterAddresses(validator.attester);
+        for (let key of attesterKeys) {
+          key = key.toLowerCase();
           if (attesterAddresses.has(key)) {
             throw new KeyStoreLoadError(
               `Duplicate attester address ${key} found across keystore files`,
@@ -230,8 +240,18 @@ export function mergeKeystores(keystores: KeyStore[]): KeyStore {
           }
           attesterAddresses.add(key);
         }
+
+        // When merging v1 validators into a v2+ result, preserve original fallback behavior
+        // by explicitly setting publisher/coinbase/feeRecipient if they're missing
+        if (keystore.schemaVersion !== schemaVersion) {
+          throw new KeyStoreLoadError(
+            `Cannot merge keystores with different schema versions: ${keystore.schemaVersion} and ${schemaVersion}`,
+            `keystores[${i}].schemaVersion`,
+          );
+        } else {
+          merged.validators!.push(validator);
+        }
       }
-      merged.validators!.push(...keystore.validators);
     }
 
     // Merge slasher (accumulate all)
@@ -264,6 +284,45 @@ export function mergeKeystores(keystores: KeyStore[]): KeyStore {
       }
       merged.prover = keystore.prover;
     }
+
+    // Merge top-level publisher (accumulate all, unless conflicting MnemonicConfigs)
+    if (keystore.publisher) {
+      if (!merged.publisher) {
+        merged.publisher = keystore.publisher;
+      } else {
+        const isMnemonic = (accounts: EthAccounts): boolean =>
+          typeof accounts === 'object' && accounts !== null && 'mnemonic' in accounts;
+
+        // If either is a mnemonic, warn and use last one (can't merge mnemonics)
+        if (isMnemonic(merged.publisher) || isMnemonic(keystore.publisher)) {
+          logger.warn(
+            'Multiple default publisher configurations found with mnemonic, using the last one (cannot merge mnemonics)',
+          );
+          merged.publisher = keystore.publisher;
+        } else {
+          // Both are non-mnemonic, accumulate them
+          const toArray = (accounts: EthAccounts): unknown[] => (Array.isArray(accounts) ? accounts : [accounts]);
+          const combined = [...toArray(merged.publisher), ...toArray(keystore.publisher)];
+          merged.publisher = combined as unknown as EthAccounts;
+        }
+      }
+    }
+
+    // Merge top-level coinbase (last one wins, but warn about conflicts)
+    if (keystore.coinbase) {
+      if (merged.coinbase) {
+        logger.warn('Multiple default coinbase addresses found, using the last one');
+      }
+      merged.coinbase = keystore.coinbase;
+    }
+
+    // Merge top-level feeRecipient (last one wins, but warn about conflicts)
+    if (keystore.feeRecipient) {
+      if (merged.feeRecipient) {
+        logger.warn('Multiple default feeRecipient addresses found, using the last one');
+      }
+      merged.feeRecipient = keystore.feeRecipient;
+    }
   }
 
   // Clean up empty arrays
@@ -284,38 +343,43 @@ export function mergeKeystores(keystores: KeyStore[]): KeyStore {
  * @param attester The attester configuration in any supported shape.
  * @returns Array of string keys used to detect duplicates.
  */
-function extractAttesterKeys(attester: unknown): string[] {
+function extractAttesterAddresses(attester: unknown): string[] {
   // String forms (private key or other) - return as-is for coarse uniqueness
   if (typeof attester === 'string') {
-    return [attester];
+    if (attester.length === 66) {
+      return [privateKeyToAddress(attester as Hex<32>)];
+    } else {
+      return [attester];
+    }
   }
 
   // Arrays of attester items
   if (Array.isArray(attester)) {
     const keys: string[] = [];
     for (const item of attester) {
-      keys.push(...extractAttesterKeys(item));
+      keys.push(...extractAttesterAddresses(item));
     }
     return keys;
   }
 
   if (attester && typeof attester === 'object') {
+    if (attester instanceof EthAddress) {
+      return [attester.toString()];
+    }
+
     const obj = attester as Record<string, unknown>;
 
     // New shape: { eth: EthAccount, bls?: BLSAccount }
     if ('eth' in obj) {
-      return extractAttesterKeys(obj.eth);
+      return extractAttesterAddresses(obj.eth);
     }
 
     // Remote signer account object shape: { address, remoteSignerUrl?, ... }
     if ('address' in obj) {
       return [String((obj as any).address)];
     }
-
-    // Mnemonic or other object shapes: stringify
-    return [JSON.stringify(attester)];
   }
 
-  // Fallback stringify for anything else (null/undefined)
-  return [JSON.stringify(attester)];
+  // mnemonic, encrypted file just disable early duplicates checking
+  return [];
 }

package/src/schemas.ts

@@ -22,55 +22,65 @@ const urlSchema = z.string().url('Invalid URL');
 // Remote signer config schema
 const remoteSignerConfigSchema = z.union([
   urlSchema,
-  z.object({
-    remoteSignerUrl: urlSchema,
-    certPath: optional(z.string()),
-    certPass: optional(z.string()),
-  }),
+  z
+    .object({
+      remoteSignerUrl: urlSchema,
+      certPath: optional(z.string()),
+      certPass: optional(z.string()),
+    })
+    .strict(),
 ]);
 
 // Remote signer account schema
 const remoteSignerAccountSchema = z.union([
   schemas.EthAddress,
-  z.object({
-    address: schemas.EthAddress,
-    remoteSignerUrl: urlSchema,
-    certPath: optional(z.string()),
-    certPass: optional(z.string()),
-  }),
+  z
+    .object({
+      address: schemas.EthAddress,
+      remoteSignerUrl: urlSchema,
+      certPath: optional(z.string()),
+      certPass: optional(z.string()),
+    })
+    .strict(),
 ]);
 
-// JSON V3 keystore schema
-const jsonKeyFileV3Schema = z.object({
-  path: z.string(),
-  password: optional(z.string()),
-});
+// Encrypted keystore file schema (used for both JSON V3 ETH keys and EIP-2335 BLS keys)
+const encryptedKeyFileSchema = z
+  .object({
+    path: z.string(),
+    password: optional(z.string()),
+  })
+  .strict();
 
 // Mnemonic config schema
-const mnemonicConfigSchema = z.object({
-  mnemonic: z.string().min(1, 'Mnemonic cannot be empty'),
-  addressIndex: z.number().int().min(0).default(0),
-  accountIndex: z.number().int().min(0).default(0),
-  addressCount: z.number().int().min(1).default(1),
-  accountCount: z.number().int().min(1).default(1),
-});
+const mnemonicConfigSchema = z
+  .object({
+    mnemonic: z.string().min(1, 'Mnemonic cannot be empty'),
+    addressIndex: z.number().int().min(0).default(0),
+    accountIndex: z.number().int().min(0).default(0),
+    addressCount: z.number().int().min(1).default(1),
+    accountCount: z.number().int().min(1).default(1),
+  })
+  .strict();
 
 // EthAccount schema
-const ethAccountSchema = z.union([ethPrivateKeySchema, remoteSignerAccountSchema, jsonKeyFileV3Schema]);
+const ethAccountSchema = z.union([ethPrivateKeySchema, remoteSignerAccountSchema, encryptedKeyFileSchema]);
 
 // EthAccounts schema
 const ethAccountsSchema = z.union([ethAccountSchema, z.array(ethAccountSchema), mnemonicConfigSchema]);
 
 // BLSAccount schema
-const blsAccountSchema = z.union([blsPrivateKeySchema, jsonKeyFileV3Schema]);
+const blsAccountSchema = z.union([blsPrivateKeySchema, encryptedKeyFileSchema]);
 
 // AttesterAccount schema: either EthAccount or { eth: EthAccount, bls?: BLSAccount }
 const attesterAccountSchema = z.union([
   ethAccountSchema,
-  z.object({
-    eth: ethAccountSchema,
-    bls: optional(blsAccountSchema),
-  }),
+  z
+    .object({
+      eth: ethAccountSchema,
+      bls: optional(blsAccountSchema),
+    })
+    .strict(),
 ]);
 
 // AttesterAccounts schema: AttesterAccount | AttesterAccount[] | MnemonicConfig
@@ -79,33 +89,87 @@ const attesterAccountsSchema = z.union([attesterAccountSchema, z.array(attesterA
 // Prover keystore schema
 const proverKeyStoreSchema = z.union([
   ethAccountSchema,
-  z.object({
-    id: schemas.EthAddress,
-    publisher: ethAccountsSchema,
-  }),
+  z
+    .object({
+      id: schemas.EthAddress,
+      publisher: ethAccountsSchema,
+    })
+    .strict(),
 ]);
 
-// Validator keystore schema
-const validatorKeyStoreSchema = z.object({
-  attester: attesterAccountsSchema,
-  coinbase: optional(schemas.EthAddress),
-  publisher: optional(ethAccountsSchema),
-  feeRecipient: AztecAddress.schema,
-  remoteSigner: optional(remoteSignerConfigSchema),
-  fundingAccount: optional(ethAccountSchema),
-});
-
-// Main keystore schema
-export const keystoreSchema = z
+// Validator keystore schema for v1 (feeRecipient required)
+const validatorKeyStoreSchemaV1 = z
+  .object({
+    attester: attesterAccountsSchema,
+    coinbase: optional(schemas.EthAddress),
+    publisher: optional(ethAccountsSchema),
+    feeRecipient: AztecAddress.schema,
+    remoteSigner: optional(remoteSignerConfigSchema),
+    fundingAccount: optional(ethAccountSchema),
+  })
+  .strict();
+
+// Validator keystore schema for v2 (feeRecipient optional, can fall back to top-level)
+const validatorKeyStoreSchemaV2 = z
+  .object({
+    attester: attesterAccountsSchema,
+    coinbase: optional(schemas.EthAddress),
+    publisher: optional(ethAccountsSchema),
+    feeRecipient: optional(AztecAddress.schema),
+    remoteSigner: optional(remoteSignerConfigSchema),
+    fundingAccount: optional(ethAccountSchema),
+  })
+  .strict();
+
+// Schema v1 - original format
+const keystoreSchemaV1 = z
   .object({
     schemaVersion: z.literal(1),
-    validators: optional(z.array(validatorKeyStoreSchema)),
+    validators: optional(z.array(validatorKeyStoreSchemaV1)),
     slasher: optional(ethAccountsSchema),
     remoteSigner: optional(remoteSignerConfigSchema),
     prover: optional(proverKeyStoreSchema),
     fundingAccount: optional(ethAccountSchema),
   })
+  .strict()
   .refine(data => data.validators || data.prover, {
     message: 'Keystore must have at least validators or prover configuration',
     path: ['root'],
   });
+
+// Schema v2 - adds top-level publisher, coinbase, feeRecipient
+const keystoreSchemaV2 = z
+  .object({
+    schemaVersion: z.literal(2),
+    validators: optional(z.array(validatorKeyStoreSchemaV2)),
+    slasher: optional(ethAccountsSchema),
+    remoteSigner: optional(remoteSignerConfigSchema),
+    prover: optional(proverKeyStoreSchema),
+    fundingAccount: optional(ethAccountSchema),
+    publisher: optional(ethAccountsSchema),
+    coinbase: optional(schemas.EthAddress),
+    feeRecipient: optional(AztecAddress.schema),
+  })
+  .strict()
+  .refine(data => data.validators || data.prover, {
+    message: 'Keystore must have at least validators or prover configuration',
+    path: ['root'],
+  })
+  .refine(
+    data => {
+      // If validators are present, ensure each validator has a feeRecipient or there's a top-level feeRecipient
+      if (data.validators) {
+        const hasTopLevelFeeRecipient = !!data.feeRecipient;
+        const allValidatorsHaveFeeRecipient = data.validators.every(v => v.feeRecipient);
+        return hasTopLevelFeeRecipient || allValidatorsHaveFeeRecipient;
+      }
+      return true;
+    },
+    {
+      message: 'Each validator must have a feeRecipient, or a top-level feeRecipient must be set for all validators',
+      path: ['feeRecipient'],
+    },
+  );
+
+// Main keystore schema - accepts both v1 and v2
+export const keystoreSchema = z.union([keystoreSchemaV1, keystoreSchemaV2]);

package/src/signer.ts

@@ -3,13 +3,14 @@
  *
  * Common interface for different signing backends (local, remote, encrypted)
  */
-import type { EthSigner } from '@aztec/ethereum';
+import type { EthSigner } from '@aztec/ethereum/eth-signer';
 import { Buffer32 } from '@aztec/foundation/buffer';
-import { Secp256k1Signer, randomBytes, toRecoveryBit } from '@aztec/foundation/crypto';
+import { randomBytes } from '@aztec/foundation/crypto/random';
+import { Secp256k1Signer, toRecoveryBit } from '@aztec/foundation/crypto/secp256k1-signer';
 import type { EthAddress } from '@aztec/foundation/eth-address';
 import { Signature, type ViemTransactionSignature } from '@aztec/foundation/eth-signature';
 import { jsonStringify } from '@aztec/foundation/json-rpc';
-import { withHexPrefix } from '@aztec/foundation/string';
+import { bufferToHex, withHexPrefix } from '@aztec/foundation/string';
 
 import {
   type TransactionSerializable,
@@ -243,10 +244,6 @@ export class RemoteSigner implements EthSigner {
    * Make a JSON-RPC eth_signTransaction request.
    */
   private async makeJsonRpcSignTransactionRequest(tx: TransactionSerializable): Promise<Signature> {
-    if (tx.type !== 'eip1559') {
-      throw new Error('This signer does not support tx type: ' + tx.type);
-    }
-
     const txObject: RemoteSignerTxObject = {
       from: this.address.toString(),
       to: tx.to ?? null,
@@ -260,10 +257,10 @@ export class RemoteSigner implements EthSigner {
           ? withHexPrefix(tx.maxPriorityFeePerGas.toString(16))
           : undefined,
 
-      // maxFeePerBlobGas:
-      //   typeof tx.maxFeePerBlobGas !== 'undefined' ? withHexPrefix(tx.maxFeePerBlobGas.toString(16)) : undefined,
-      // blobVersionedHashes: tx.blobVersionedHashes,
-      // blobs: tx.blobs?.map(blob => (typeof blob === 'string' ? blob : bufferToHex(Buffer.from(blob)))),
+      maxFeePerBlobGas:
+        typeof tx.maxFeePerBlobGas !== 'undefined' ? withHexPrefix(tx.maxFeePerBlobGas.toString(16)) : undefined,
+      blobVersionedHashes: tx.blobVersionedHashes,
+      blobs: tx.blobs?.map(blob => (typeof blob === 'string' ? blob : bufferToHex(Buffer.from(blob)))),
     };
 
     let rawTxHex = await this.makeJsonRpcRequest('eth_signTransaction', txObject);

package/src/types.ts

@@ -6,13 +6,16 @@
  * their associated keys and addresses.
  */
 import type { EthAddress } from '@aztec/foundation/eth-address';
+import type { Hex } from '@aztec/foundation/string';
 import type { AztecAddress } from '@aztec/stdlib/aztec-address';
 
-/** Parameterized hex string type for specific byte lengths */
-export type Hex<TByteLength extends number> = `0x${string}` & { readonly _length: TByteLength };
-
-/** A json keystore config points to a local file with the encrypted private key, and may require a password for decrypting it */
-export type JsonKeyFileV3Config = { path: string; password?: string };
+/**
+ * An encrypted keystore file config points to a local file with an encrypted private key.
+ * The file may be in different formats:
+ * - JSON V3 format for ETH keys (Ethereum wallet standard)
+ * - EIP-2335 format for BLS keys (Ethereum 2.0 validator standard)
+ */
+export type EncryptedKeyFileConfig = { path: string; password?: string };
 
 /** A private key is a 32-byte 0x-prefixed hex */
 export type EthPrivateKey = Hex<32>;
@@ -47,8 +50,8 @@ export type EthRemoteSignerAccount =
       certPass?: string;
     };
 
-/** An L1 account is a private key, a remote signer configuration, or a standard json key store file */
-export type EthAccount = EthPrivateKey | EthRemoteSignerAccount | JsonKeyFileV3Config;
+/** An L1 account is a private key, a remote signer configuration, or an encrypted keystore file (JSON V3 format) */
+export type EthAccount = EthPrivateKey | EthRemoteSignerAccount | EncryptedKeyFileConfig;
 
 /** A mnemonic can be used to define a set of accounts */
 export type MnemonicConfig = {
@@ -71,8 +74,8 @@ export type ProverKeyStoreWithId = {
 
 export type ProverKeyStore = ProverKeyStoreWithId | EthAccount;
 
-/** A BLS account is either a private key, or a standard json key store file */
-export type BLSAccount = BLSPrivateKey | JsonKeyFileV3Config;
+/** A BLS account is either a private key, or an EIP-2335 encrypted keystore file */
+export type BLSAccount = BLSPrivateKey | EncryptedKeyFileConfig;
 
 /** An AttesterAccount is a combined EthAccount and optional BLSAccount */
 export type AttesterAccount = { eth: EthAccount; bls?: BLSAccount } | EthAccount;
@@ -88,18 +91,19 @@ export type ValidatorKeyStore = {
   attester: AttesterAccounts;
   /**
    * Coinbase address to use when proposing an L2 block as any of the validators in this configuration block.
-   * Falls back to the attester address if not set.
+   * Falls back to the keystore-level coinbase, then to the attester address if not set.
    */
   coinbase?: EthAddress;
   /**
    * One or more EOAs used for sending block proposal L1 txs for all validators in this configuration block.
-   * Falls back to the attester account if not set.
+   * Falls back to the keystore-level publisher, then to the attester account if not set.
    */
   publisher?: EthAccounts;
   /**
    * Fee recipient address to use when proposing an L2 block as any of the validators in this configuration block.
+   * Falls back to the keystore-level feeRecipient if not set.
    */
-  feeRecipient: AztecAddress;
+  feeRecipient?: AztecAddress;
   /**
    * Default remote signer for all accounts in this block.
    */
@@ -111,8 +115,8 @@ export type ValidatorKeyStore = {
 };
 
 export type KeyStore = {
-  /** Schema version of this keystore file (initially 1). */
-  schemaVersion: number;
+  /** Schema version of this keystore file (1 or 2). */
+  schemaVersion: 1 | 2;
   /** Validator configurations. */
   validators?: ValidatorKeyStore[];
   /** One or more accounts used for creating slash payloads on L1. Does not create slash payloads if not set. */
@@ -123,4 +127,10 @@ export type KeyStore = {
   prover?: ProverKeyStore;
   /** Used for automatically funding publisher accounts if there is none defined in the corresponding  ValidatorKeyStore*/
   fundingAccount?: EthAccount;
+  /** Default publisher accounts for all validators in this keystore. Can be overridden by individual validator configs. */
+  publisher?: EthAccounts;
+  /** Default coinbase address for all validators in this keystore. Can be overridden by individual validator configs. */
+  coinbase?: EthAddress;
+  /** Default fee recipient address for all validators in this keystore. Can be overridden by individual validator configs. */
+  feeRecipient?: AztecAddress;
 };