@aztec/node-keystore 2.0.3 → 2.1.0-rc.10

package/dest/keystore_manager.d.ts

@@ -8,7 +8,7 @@ import { Buffer32 } from '@aztec/foundation/buffer';
 import { EthAddress } from '@aztec/foundation/eth-address';
 import type { Signature } from '@aztec/foundation/eth-signature';
 import type { AztecAddress } from '@aztec/stdlib/aztec-address';
-import type { TypedDataDefinition } from 'viem';
+import type { TypedDataDefinition } from '@spalladino/viem';
 import type { EthAccounts, EthRemoteSignerConfig, KeyStore, ProverKeyStore, ValidatorKeyStore as ValidatorKeystoreConfig } from './types.js';
 /**
  * Error thrown when keystore operations fail
@@ -28,6 +28,11 @@ export declare class KeystoreManager {
      * @param keystore Parsed keystore configuration
      */
     constructor(keystore: KeyStore);
+    /**
+     * Validates all remote signers in the keystore are accessible and have the required addresses.
+     * Should be called after construction if validation is needed.
+     */
+    validateSigners(): Promise<void>;
     /**
      * Validates that attester addresses are unique across all validators
      * Only checks simple private key attesters, not JSON-V3 or mnemonic attesters,
@@ -40,6 +45,10 @@ export declare class KeystoreManager {
      * This is used at construction time to check for obvious duplicates without throwing for invalid inputs.
      */
     private extractAddressesWithoutSensitiveOperations;
+    /**
+     * Extract addresses from EthAccounts without sensitive operations (no decryption/derivation).
+     */
+    private extractAddressesFromEthAccountsNonSensitive;
     /**
      * Create signers for validator attester accounts
      */
@@ -69,9 +78,9 @@ export declare class KeystoreManager {
      */
     getValidatorCount(): number;
     /**
-     * Get coinbase address for validator (falls back to first attester address)
+     * Get coinbase address for validator (falls back to the specific attester address)
      */
-    getCoinbaseAddress(validatorIndex: number): EthAddress;
+    getCoinbaseAddress(validatorIndex: number, attesterAddress: EthAddress): EthAddress;
     /**
      * Get fee recipient for validator
      */
@@ -124,5 +133,7 @@ export declare class KeystoreManager {
      * Precedence: account-level override > validator-level config > file-level default
      */
     getEffectiveRemoteSignerConfig(validatorIndex: number, attesterAddress: EthAddress): EthRemoteSignerConfig | undefined;
+    /** Extract ETH accounts from AttesterAccounts */
+    private extractEthAccountsFromAttester;
 }
 //# sourceMappingURL=keystore_manager.d.ts.map

package/dest/keystore_manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"keystore_manager.d.ts","sourceRoot":"","sources":["../src/keystore_manager.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAC3D,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iCAAiC,CAAC;AACjE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAKhE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,MAAM,CAAC;AAKhD,OAAO,KAAK,EAEV,WAAW,EAIX,qBAAqB,EACrB,QAAQ,EACR,cAAc,EACd,iBAAiB,IAAI,uBAAuB,EAC7C,MAAM,YAAY,CAAC;AAEpB;;GAEG;AACH,qBAAa,aAAc,SAAQ,KAAK;IAGpB,KAAK,CAAC,EAAE,KAAK;gBAD7B,OAAO,EAAE,MAAM,EACC,KAAK,CAAC,EAAE,KAAK,YAAA;CAKhC;AAED;;GAEG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAW;IAEpC;;;;OAIG;gBACS,QAAQ,EAAE,QAAQ;IAK9B;;;;;OAKG;IACH,OAAO,CAAC,+BAA+B;IAkBvC;;;OAGG;IACH,OAAO,CAAC,0CAA0C;IAoDlD;;OAEG;IACH,qBAAqB,CAAC,cAAc,EAAE,MAAM,GAAG,SAAS,EAAE;IAK1D;;OAEG;IACH,sBAAsB,CAAC,cAAc,EAAE,MAAM,GAAG,SAAS,EAAE;IAc3D,kCAAkC,IAAI,SAAS,EAAE;IAWjD;;OAEG;IACH,oBAAoB,IAAI,SAAS,EAAE;IAQnC;;OAEG;IACH,mBAAmB,IAAI;QAAE,EAAE,EAAE,UAAU,GAAG,SAAS,CAAC;QAAC,OAAO,EAAE,SAAS,EAAE,CAAA;KAAE,GAAG,SAAS;IAkCvF;;OAEG;IACH,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,uBAAuB;IAOpD;;OAEG;IACH,iBAAiB,IAAI,MAAM;IAI3B;;OAEG;IACH,kBAAkB,CAAC,cAAc,EAAE,MAAM,GAAG,UAAU;IAgBtD;;OAEG;IACH,eAAe,CAAC,cAAc,EAAE,MAAM,GAAG,YAAY;IAKrD;;;OAGG;IACH,kBAAkB,IAAI,WAAW,GAAG,SAAS;IAI7C;;;OAGG;IACH,eAAe,IAAI,cAAc,GAAG,SAAS;IAI7C;;;OAGG;IACH,uCAAuC,IAAI,IAAI;IAqB/C;;OAEG;IACH,OAAO,CAAC,4BAA4B;IA+BpC;;OAEG;IACH,OAAO,CAAC,0BAA0B;IA2ClC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAkD9B;;OAEG;IACH,OAAO,CAAC,gCAAgC;IAwBxC;;OAEG;IACH,OAAO,CAAC,yBAAyB;IA8BjC;;OAEG;IACG,WAAW,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC;IAI3E;;OAEG;IACG,aAAa,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,mBAAmB,GAAG,OAAO,CAAC,SAAS,CAAC;IAI1F;;;OAGG;IACH,8BAA8B,CAC5B,cAAc,EAAE,MAAM,EACtB,eAAe,EAAE,UAAU,GAC1B,qBAAqB,GAAG,SAAS;CAkHrC"}
+{"version":3,"file":"keystore_manager.d.ts","sourceRoot":"","sources":["../src/keystore_manager.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAC3D,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iCAAiC,CAAC;AACjE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAGhE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAO5D,OAAO,KAAK,EAGV,WAAW,EAEX,qBAAqB,EAErB,QAAQ,EAER,cAAc,EACd,iBAAiB,IAAI,uBAAuB,EAC7C,MAAM,YAAY,CAAC;AAEpB;;GAEG;AACH,qBAAa,aAAc,SAAQ,KAAK;IAGpB,KAAK,CAAC,EAAE,KAAK;gBAD7B,OAAO,EAAE,MAAM,EACC,KAAK,CAAC,EAAE,KAAK,YAAA;CAKhC;AAED;;GAEG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAW;IAEpC;;;;OAIG;gBACS,QAAQ,EAAE,QAAQ;IAK9B;;;OAGG;IACG,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC;IAwEtC;;;;;OAKG;IACH,OAAO,CAAC,+BAA+B;IAkBvC;;;OAGG;IACH,OAAO,CAAC,0CAA0C;IAKlD;;OAEG;IACH,OAAO,CAAC,2CAA2C;IA+CnD;;OAEG;IACH,qBAAqB,CAAC,cAAc,EAAE,MAAM,GAAG,SAAS,EAAE;IAM1D;;OAEG;IACH,sBAAsB,CAAC,cAAc,EAAE,MAAM,GAAG,SAAS,EAAE;IAc3D,kCAAkC,IAAI,SAAS,EAAE;IAWjD;;OAEG;IACH,oBAAoB,IAAI,SAAS,EAAE;IAQnC;;OAEG;IACH,mBAAmB,IAAI;QAAE,EAAE,EAAE,UAAU,GAAG,SAAS,CAAC;QAAC,OAAO,EAAE,SAAS,EAAE,CAAA;KAAE,GAAG,SAAS;IAiCvF;;OAEG;IACH,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,uBAAuB;IAOpD;;OAEG;IACH,iBAAiB,IAAI,MAAM;IAI3B;;OAEG;IACH,kBAAkB,CAAC,cAAc,EAAE,MAAM,EAAE,eAAe,EAAE,UAAU,GAAG,UAAU;IAWnF;;OAEG;IACH,eAAe,CAAC,cAAc,EAAE,MAAM,GAAG,YAAY;IAKrD;;;OAGG;IACH,kBAAkB,IAAI,WAAW,GAAG,SAAS;IAI7C;;;OAGG;IACH,eAAe,IAAI,cAAc,GAAG,SAAS;IAI7C;;;OAGG;IACH,uCAAuC,IAAI,IAAI;IAqB/C;;OAEG;IACH,OAAO,CAAC,4BAA4B;IA+BpC;;OAEG;IACH,OAAO,CAAC,0BAA0B;IA2ClC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAkD9B;;OAEG;IACH,OAAO,CAAC,gCAAgC;IAwBxC;;OAEG;IACH,OAAO,CAAC,yBAAyB;IA8BjC;;OAEG;IACG,WAAW,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC;IAI3E;;OAEG;IACG,aAAa,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,mBAAmB,GAAG,OAAO,CAAC,SAAS,CAAC;IAI1F;;;OAGG;IACH,8BAA8B,CAC5B,cAAc,EAAE,MAAM,EACtB,eAAe,EAAE,UAAU,GAC1B,qBAAqB,GAAG,SAAS;IA0GpC,iDAAiD;IACjD,OAAO,CAAC,8BAA8B;CAyBvC"}

package/dest/keystore_manager.js

@@ -4,9 +4,9 @@
  * Manages keystore configuration and delegates signing operations to appropriate signers.
  */ import { Buffer32 } from '@aztec/foundation/buffer';
 import { Wallet } from '@ethersproject/wallet';
+import { mnemonicToAccount } from '@spalladino/viem/accounts';
 import { readFileSync, readdirSync, statSync } from 'fs';
 import { extname, join } from 'path';
-import { mnemonicToAccount } from 'viem/accounts';
 import { ethPrivateKeySchema } from './schemas.js';
 import { LocalSigner, RemoteSigner } from './signer.js';
 /**
@@ -31,6 +31,70 @@ import { LocalSigner, RemoteSigner } from './signer.js';
         this.validateUniqueAttesterAddresses();
     }
     /**
+   * Validates all remote signers in the keystore are accessible and have the required addresses.
+   * Should be called after construction if validation is needed.
+   */ async validateSigners() {
+        // Collect all remote signers with their addresses grouped by URL
+        const remoteSignersByUrl = new Map();
+        // Helper to extract remote signer URL from config
+        const getUrl = (config)=>{
+            return typeof config === 'string' ? config : config.remoteSignerUrl;
+        };
+        // Helper to collect remote signers from accounts
+        const collectRemoteSigners = (accounts, defaultRemoteSigner)=>{
+            const processAccount = (account)=>{
+                if (typeof account === 'object' && !('path' in account) && !('mnemonic' in account)) {
+                    // This is a remote signer account
+                    const remoteSigner = account;
+                    const address = 'address' in remoteSigner ? remoteSigner.address : remoteSigner;
+                    let url;
+                    if ('remoteSignerUrl' in remoteSigner && remoteSigner.remoteSignerUrl) {
+                        url = remoteSigner.remoteSignerUrl;
+                    } else if (defaultRemoteSigner) {
+                        url = getUrl(defaultRemoteSigner);
+                    } else {
+                        return; // No remote signer URL available
+                    }
+                    if (!remoteSignersByUrl.has(url)) {
+                        remoteSignersByUrl.set(url, new Set());
+                    }
+                    remoteSignersByUrl.get(url).add(address.toString());
+                }
+            };
+            if (Array.isArray(accounts)) {
+                accounts.forEach((account)=>collectRemoteSigners(account, defaultRemoteSigner));
+            } else if (typeof accounts === 'object' && 'mnemonic' in accounts) {
+            // Skip mnemonic configs
+            } else {
+                processAccount(accounts);
+            }
+        };
+        // Collect from validators
+        const validatorCount = this.getValidatorCount();
+        for(let i = 0; i < validatorCount; i++){
+            const validator = this.getValidator(i);
+            const remoteSigner = validator.remoteSigner || this.keystore.remoteSigner;
+            collectRemoteSigners(this.extractEthAccountsFromAttester(validator.attester), remoteSigner);
+            if (validator.publisher) {
+                collectRemoteSigners(validator.publisher, remoteSigner);
+            }
+        }
+        // Collect from slasher
+        if (this.keystore.slasher) {
+            collectRemoteSigners(this.keystore.slasher, this.keystore.remoteSigner);
+        }
+        // Collect from prover
+        if (this.keystore.prover && typeof this.keystore.prover === 'object' && 'publisher' in this.keystore.prover) {
+            collectRemoteSigners(this.keystore.prover.publisher, this.keystore.remoteSigner);
+        }
+        // Validate each remote signer URL with all its addresses
+        for (const [url, addresses] of remoteSignersByUrl.entries()){
+            if (addresses.size > 0) {
+                await RemoteSigner.validateAccess(url, Array.from(addresses));
+            }
+        }
+    }
+    /**
    * Validates that attester addresses are unique across all validators
    * Only checks simple private key attesters, not JSON-V3 or mnemonic attesters,
    * these are validated when decrypting the JSON-V3 keystore files
@@ -54,32 +118,31 @@ import { LocalSigner, RemoteSigner } from './signer.js';
    * Best-effort address extraction that avoids decryption/derivation (no JSON-V3 or mnemonic processing).
    * This is used at construction time to check for obvious duplicates without throwing for invalid inputs.
    */ extractAddressesWithoutSensitiveOperations(accounts) {
+        const ethAccounts = this.extractEthAccountsFromAttester(accounts);
+        return this.extractAddressesFromEthAccountsNonSensitive(ethAccounts);
+    }
+    /**
+   * Extract addresses from EthAccounts without sensitive operations (no decryption/derivation).
+   */ extractAddressesFromEthAccountsNonSensitive(accounts) {
         const results = [];
         const handleAccount = (account)=>{
-            // String cases: private key or address or remote signer address
             if (typeof account === 'string') {
                 if (account.startsWith('0x') && account.length === 66) {
-                    // Private key -> derive address locally without external deps
                     try {
                         const signer = new LocalSigner(Buffer32.fromString(ethPrivateKeySchema.parse(account)));
                         results.push(signer.address);
                     } catch  {
-                    // Ignore invalid private key at construction time
+                    // ignore invalid private key at construction time
                     }
-                    return;
                 }
-                // Any other string cannot be confidently resolved here
                 return;
             }
-            // JSON V3 keystore: skip (requires decryption)
             if ('path' in account) {
                 return;
             }
-            // Mnemonic: skip (requires derivation and may throw on invalid mnemonics)
             if ('mnemonic' in account) {
                 return;
             }
-            // Remote signer account. If it contains 'address' then extract, otherwise it IS the address
             const remoteSigner = account;
             if ('address' in remoteSigner) {
                 results.push(remoteSigner.address);
@@ -89,11 +152,13 @@ import { LocalSigner, RemoteSigner } from './signer.js';
         };
         if (Array.isArray(accounts)) {
             for (const account of accounts){
-                const subResults = this.extractAddressesWithoutSensitiveOperations(account);
-                results.push(...subResults);
+                handleAccount(account);
             }
             return results;
         }
+        if (typeof accounts === 'object' && accounts !== null && 'mnemonic' in accounts) {
+            return results;
+        }
         handleAccount(accounts);
         return results;
     }
@@ -101,7 +166,8 @@ import { LocalSigner, RemoteSigner } from './signer.js';
    * Create signers for validator attester accounts
    */ createAttesterSigners(validatorIndex) {
         const validator = this.getValidator(validatorIndex);
-        return this.createSignersFromEthAccounts(validator.attester, validator.remoteSigner || this.keystore.remoteSigner);
+        const ethAccounts = this.extractEthAccountsFromAttester(validator.attester);
+        return this.createSignersFromEthAccounts(ethAccounts, validator.remoteSigner || this.keystore.remoteSigner);
     }
     /**
    * Create signers for validator publisher accounts (falls back to attester if not specified)
@@ -173,18 +239,14 @@ import { LocalSigner, RemoteSigner } from './signer.js';
         return this.keystore.validators?.length || 0;
     }
     /**
-   * Get coinbase address for validator (falls back to first attester address)
-   */ getCoinbaseAddress(validatorIndex) {
+   * Get coinbase address for validator (falls back to the specific attester address)
+   */ getCoinbaseAddress(validatorIndex, attesterAddress) {
         const validator = this.getValidator(validatorIndex);
         if (validator.coinbase) {
             return validator.coinbase;
         }
-        // Fall back to first attester address
-        const attesterSigners = this.createAttesterSigners(validatorIndex);
-        if (attesterSigners.length === 0) {
-            throw new KeystoreError(`No attester signers found for validator ${validatorIndex}`);
-        }
-        return attesterSigners[0].address;
+        // Fall back to the specific attester address
+        return attesterAddress;
     }
     /**
    * Get fee recipient for validator
@@ -212,7 +274,7 @@ import { LocalSigner, RemoteSigner } from './signer.js';
         const validatorCount = this.getValidatorCount();
         for(let validatorIndex = 0; validatorIndex < validatorCount; validatorIndex++){
             const validator = this.getValidator(validatorIndex);
-            const signers = this.createSignersFromEthAccounts(validator.attester, validator.remoteSigner || this.keystore.remoteSigner);
+            const signers = this.createSignersFromEthAccounts(this.extractEthAccountsFromAttester(validator.attester), validator.remoteSigner || this.keystore.remoteSigner);
             for (const signer of signers){
                 const address = signer.address.toString().toLowerCase();
                 if (seenAddresses.has(address)) {
@@ -466,34 +528,52 @@ import { LocalSigner, RemoteSigner } from './signer.js';
             // Just an address, use defaults
             return validator.remoteSigner || this.keystore.remoteSigner;
         };
-        // Check the attester configuration
-        const { attester } = validator;
+        // Normalize attester to EthAccounts and search
+        const normalized = this.extractEthAccountsFromAttester(validator.attester);
+        const findInEthAccounts = (accs)=>{
+            if (typeof accs === 'string') {
+                return checkAccount(accs);
+            }
+            if (Array.isArray(accs)) {
+                for (const a of accs){
+                    const res = checkAccount(a);
+                    if (res !== undefined) {
+                        return res;
+                    }
+                }
+                return undefined;
+            }
+            if (typeof accs === 'object' && accs !== null && 'mnemonic' in accs) {
+                // mnemonic-derived keys are local signers; no remote signer config
+                return undefined;
+            }
+            return checkAccount(accs);
+        };
+        return findInEthAccounts(normalized);
+    }
+    /** Extract ETH accounts from AttesterAccounts */ extractEthAccountsFromAttester(attester) {
         if (typeof attester === 'string') {
-            const result = checkAccount(attester);
-            return result === undefined ? undefined : result;
+            return attester;
         }
         if (Array.isArray(attester)) {
-            for (const account of attester){
-                const result = checkAccount(account);
-                if (result !== undefined) {
-                    return result;
+            const out = [];
+            for (const item of attester){
+                if (typeof item === 'string') {
+                    out.push(item);
+                } else if ('eth' in item) {
+                    out.push(item.eth);
+                } else if (!('mnemonic' in item)) {
+                    out.push(item);
                 }
             }
-            return undefined;
+            return out;
         }
-        // Mnemonic configuration
         if ('mnemonic' in attester) {
-            try {
-                const signers = this.createSignersFromMnemonic(attester);
-                const matches = signers.some((s)=>s.address.equals(attesterAddress));
-                // Mnemonic-derived keys are local signers
-                return matches ? undefined : undefined;
-            } catch  {
-                return undefined;
-            }
+            return attester;
+        }
+        if ('eth' in attester) {
+            return attester.eth;
         }
-        // Single account object
-        const result = checkAccount(attester);
-        return result === undefined ? undefined : result;
+        return attester;
     }
 }

package/dest/loader.js

@@ -236,19 +236,38 @@ const logger = createLogger('node-keystore:loader');
  * @param attester The attester configuration in any supported shape.
  * @returns Array of string keys used to detect duplicates.
  */ function extractAttesterKeys(attester) {
+    // String forms (private key or other) - return as-is for coarse uniqueness
     if (typeof attester === 'string') {
         return [
             attester
         ];
     }
+    // Arrays of attester items
     if (Array.isArray(attester)) {
-        return attester.map((a)=>typeof a === 'string' ? a : JSON.stringify(a));
+        const keys = [];
+        for (const item of attester){
+            keys.push(...extractAttesterKeys(item));
+        }
+        return keys;
     }
-    if (attester && typeof attester === 'object' && 'address' in attester) {
+    if (attester && typeof attester === 'object') {
+        const obj = attester;
+        // New shape: { eth: EthAccount, bls?: BLSAccount }
+        if ('eth' in obj) {
+            return extractAttesterKeys(obj.eth);
+        }
+        // Remote signer account object shape: { address, remoteSignerUrl?, ... }
+        if ('address' in obj) {
+            return [
+                String(obj.address)
+            ];
+        }
+        // Mnemonic or other object shapes: stringify
         return [
-            attester.address
+            JSON.stringify(attester)
         ];
     }
+    // Fallback stringify for anything else (null/undefined)
     return [
         JSON.stringify(attester)
     ];