@aztec/validator-client 0.0.1-commit.fcb71a6 → 0.0.1-commit.fffb133c

package/src/key_store/ha_key_store.ts

@@ -0,0 +1,269 @@
+/**
+ * High Availability Key Store
+ *
+ * A ValidatorKeyStore wrapper that adds slashing protection for HA validator setups.
+ * When multiple validator nodes are running, only one node will sign for a given duty.
+ */
+import { Buffer32 } from '@aztec/foundation/buffer';
+import type { EthAddress } from '@aztec/foundation/eth-address';
+import type { Signature } from '@aztec/foundation/eth-signature';
+import { createLogger } from '@aztec/foundation/log';
+import type { EthRemoteSignerConfig } from '@aztec/node-keystore';
+import type { AztecAddress } from '@aztec/stdlib/aztec-address';
+import { DutyAlreadySignedError, SlashingProtectionError } from '@aztec/validator-ha-signer/errors';
+import {
+  type HAProtectedSigningContext,
+  type SigningContext,
+  isHAProtectedContext,
+} from '@aztec/validator-ha-signer/types';
+import type { ValidatorHASigner } from '@aztec/validator-ha-signer/validator-ha-signer';
+
+import { type TypedDataDefinition, hashTypedData } from 'viem';
+
+import type { ExtendedValidatorKeyStore } from './interface.js';
+
+/**
+ * High Availability Key Store
+ *
+ * Wraps a base ExtendedValidatorKeyStore and ValidatorHASigner to provide
+ * HA-protected signing operations (when context is provided).
+ *
+ * The extended interface methods (getAttesterAddresses, getCoinbaseAddress, etc.)
+ * are pure pass-through since they don't require HA coordination.
+ *
+ * Usage:
+ * ```typescript
+ * const baseKeyStore = NodeKeystoreAdapter.fromPrivateKeys(privateKeys);
+ * const haSigner = new ValidatorHASigner(db, config);
+ * const haKeyStore = new HAKeyStore(baseKeyStore, haSigner);
+ *
+ * // Without context - signs directly (no HA protection)
+ * const sig = await haKeyStore.signMessageWithAddress(addr, msg);
+ *
+ * // With context - HA protected, throws DutyAlreadySignedError if already signed
+ * const result = await haKeyStore.signMessageWithAddress(addr, msg, {
+ *   slot: 100n,
+ *   blockNumber: 50n,
+ *   dutyType: DutyType.BLOCK_PROPOSAL,
+ * });
+ * ```
+ */
+export class HAKeyStore implements ExtendedValidatorKeyStore {
+  private readonly log = createLogger('ha-key-store');
+
+  constructor(
+    private readonly baseKeyStore: ExtendedValidatorKeyStore,
+    private readonly haSigner: ValidatorHASigner,
+  ) {
+    this.log.info('HAKeyStore initialized', {
+      nodeId: haSigner.nodeId,
+    });
+  }
+
+  /**
+   * Sign typed data with all addresses.
+   * Coordinates across nodes to prevent double-signing for most duty types.
+   * AUTH_REQUEST and TXS duties bypass HA protection since signing multiple times is safe.
+   * Returns only signatures that were successfully claimed by this node.
+   */
+  async signTypedData(typedData: TypedDataDefinition, context: SigningContext): Promise<Signature[]> {
+    // no need for HA protection on auth request and txs signatures
+    if (!isHAProtectedContext(context)) {
+      return this.baseKeyStore.signTypedData(typedData, context);
+    }
+
+    // Sign each address with HA protection
+    const addresses = this.getAddresses();
+    const results = await Promise.allSettled(
+      addresses.map(addr => this.signTypedDataWithAddress(addr, typedData, context)),
+    );
+
+    // Filter out failures (already signed by other nodes or other errors)
+    return results
+      .filter((result): result is PromiseFulfilledResult<Signature> => {
+        if (result.status === 'fulfilled') {
+          return true;
+        }
+        // Log expected HA errors (already signed) at debug level
+        if (result.reason instanceof DutyAlreadySignedError) {
+          this.log.debug(`Duty already signed by another node`, {
+            dutyType: context.dutyType,
+            slot: context.slot,
+            signedByNode: result.reason.signedByNode,
+          });
+          return false;
+        }
+        // Re-throw unexpected errors
+        throw result.reason;
+      })
+      .map(result => result.value);
+  }
+
+  /**
+   * Sign a message with all addresses.
+   * Coordinates across nodes to prevent double-signing for most duty types.
+   * AUTH_REQUEST and TXS duties bypass HA protection since signing multiple times is safe.
+   * Returns only signatures that were successfully claimed by this node.
+   */
+  async signMessage(message: Buffer32, context: SigningContext): Promise<Signature[]> {
+    // no need for HA protection on auth request and txs signatures
+    if (!isHAProtectedContext(context)) {
+      return this.baseKeyStore.signMessage(message, context);
+    }
+
+    // Sign each address with HA protection
+    const addresses = this.getAddresses();
+    const results = await Promise.allSettled(
+      addresses.map(addr => this.signMessageWithAddress(addr, message, context)),
+    );
+
+    // Filter out failures (already signed by other nodes or other errors)
+    return results
+      .filter((result): result is PromiseFulfilledResult<Signature> => {
+        if (result.status === 'fulfilled') {
+          return true;
+        }
+        // Log expected HA errors (already signed) at debug level
+        if (result.reason instanceof DutyAlreadySignedError) {
+          this.log.debug(`Duty already signed by another node`, {
+            dutyType: context.dutyType,
+            slot: context.slot,
+            signedByNode: result.reason.signedByNode,
+          });
+          return false;
+        }
+        // Re-throw unexpected errors
+        throw result.reason;
+      })
+      .map(result => result.value);
+  }
+
+  /**
+   * Sign typed data with a specific address.
+   * Coordinates across nodes to prevent double-signing for most duty types.
+   * AUTH_REQUEST and TXS duties bypass HA protection since signing multiple times is safe.
+   * @throws DutyAlreadySignedError if the duty was already signed by another node
+   * @throws SlashingProtectionError if attempting to sign different data for the same slot
+   */
+  async signTypedDataWithAddress(
+    address: EthAddress,
+    typedData: TypedDataDefinition,
+    context: SigningContext,
+  ): Promise<Signature> {
+    // AUTH_REQUEST and TXS bypass HA protection - multiple signatures are safe
+    if (!isHAProtectedContext(context)) {
+      return this.baseKeyStore.signTypedDataWithAddress(address, typedData, context);
+    }
+
+    // Compute signing root from typed data for HA tracking
+    const digest = hashTypedData(typedData);
+    const messageHash = Buffer32.fromString(digest);
+
+    try {
+      return await this.haSigner.signWithProtection(address, messageHash, context, () =>
+        this.baseKeyStore.signTypedDataWithAddress(address, typedData, context),
+      );
+    } catch (error) {
+      this.processSigningError(error, context);
+      throw error;
+    }
+  }
+
+  /**
+   * Sign a message with a specific address.
+   * Coordinates across nodes to prevent double-signing for most duty types.
+   * AUTH_REQUEST and TXS duties bypass HA protection since signing multiple times is safe.
+   * @throws DutyAlreadySignedError if the duty was already signed by another node
+   * @throws SlashingProtectionError if attempting to sign different data for the same slot
+   */
+  async signMessageWithAddress(address: EthAddress, message: Buffer32, context: SigningContext): Promise<Signature> {
+    // no need for HA protection on auth request and txs signatures
+    if (!isHAProtectedContext(context)) {
+      return this.baseKeyStore.signMessageWithAddress(address, message, context);
+    }
+
+    try {
+      return await this.haSigner.signWithProtection(address, message, context, messageHash =>
+        this.baseKeyStore.signMessageWithAddress(address, messageHash, context),
+      );
+    } catch (error) {
+      this.processSigningError(error, context);
+      throw error;
+    }
+  }
+
+  // ─────────────────────────────────────────────────────────────────────────────
+  // pass-through methods (no HA logic needed)
+  // ─────────────────────────────────────────────────────────────────────────────
+
+  getAddress(index: number): EthAddress {
+    return this.baseKeyStore.getAddress(index);
+  }
+
+  getAddresses(): EthAddress[] {
+    return this.baseKeyStore.getAddresses();
+  }
+
+  getAttesterAddresses(): EthAddress[] {
+    return this.baseKeyStore.getAttesterAddresses();
+  }
+
+  getCoinbaseAddress(attesterAddress: EthAddress): EthAddress {
+    return this.baseKeyStore.getCoinbaseAddress(attesterAddress);
+  }
+
+  getPublisherAddresses(attesterAddress: EthAddress): EthAddress[] {
+    return this.baseKeyStore.getPublisherAddresses(attesterAddress);
+  }
+
+  getFeeRecipient(attesterAddress: EthAddress): AztecAddress {
+    return this.baseKeyStore.getFeeRecipient(attesterAddress);
+  }
+
+  getRemoteSignerConfig(attesterAddress: EthAddress): EthRemoteSignerConfig | undefined {
+    return this.baseKeyStore.getRemoteSignerConfig(attesterAddress);
+  }
+
+  /**
+   * Process signing errors from the HA signer.
+   * Logs expected HA errors (already signed) at appropriate levels.
+   * Re-throws unexpected errors.
+   */
+  private processSigningError(error: unknown, context: HAProtectedSigningContext) {
+    if (error instanceof DutyAlreadySignedError) {
+      this.log.debug(`Duty already signed by another node with the same payload`, {
+        dutyType: context.dutyType,
+        slot: context.slot,
+        signedByNode: error.signedByNode,
+      });
+      return;
+    }
+
+    if (error instanceof SlashingProtectionError) {
+      this.log.warn(`Duty already signed by another node with different payload`, {
+        dutyType: context.dutyType,
+        slot: context.slot,
+        existingMessageHash: error.existingMessageHash,
+        attemptedMessageHash: error.attemptedMessageHash,
+      });
+      return;
+    }
+
+    // Re-throw errors
+    throw error;
+  }
+
+  /**
+   * Start the high-availability key store
+   */
+  public start(): Promise<void> {
+    return Promise.resolve(this.haSigner.start());
+  }
+
+  /**
+   * Stop the high-availability key store
+   */
+  public async stop() {
+    await this.haSigner.stop();
+  }
+}

package/src/key_store/index.ts

@@ -2,3 +2,4 @@ export * from './interface.js';
 export * from './local_key_store.js';
 export * from './node_keystore_adapter.js';
 export * from './web3signer_key_store.js';
+export * from './ha_key_store.js';

package/src/key_store/interface.ts

@@ -3,6 +3,7 @@ import type { EthAddress } from '@aztec/foundation/eth-address';
 import type { Signature } from '@aztec/foundation/eth-signature';
 import type { EthRemoteSignerConfig } from '@aztec/node-keystore';
 import type { AztecAddress } from '@aztec/stdlib/aztec-address';
+import type { SigningContext } from '@aztec/validator-ha-signer/types';
 
 import type { TypedDataDefinition } from 'viem';
 
@@ -26,17 +27,45 @@ export interface ValidatorKeyStore {
    */
   getAddresses(): EthAddress[];
 
-  signTypedData(typedData: TypedDataDefinition): Promise<Signature[]>;
-  signTypedDataWithAddress(address: EthAddress, typedData: TypedDataDefinition): Promise<Signature>;
+  /**
+   * Sign typed data with all keystore private keys
+   * @param typedData - The complete EIP-712 typed data structure
+   * @param context - Signing context for HA slashing protection
+   * @returns signatures (when context provided with HA, only successfully claimed signatures are returned)
+   */
+  signTypedData(typedData: TypedDataDefinition, context: SigningContext): Promise<Signature[]>;
+
+  /**
+   * Sign typed data with a specific address's private key
+   * @param address - The address of the signer to use
+   * @param typedData - The complete EIP-712 typed data structure
+   * @param context - Signing context for HA slashing protection
+   * @returns signature
+   */
+  signTypedDataWithAddress(
+    address: EthAddress,
+    typedData: TypedDataDefinition,
+    context: SigningContext,
+  ): Promise<Signature>;
+
   /**
    * Flavor of sign message that followed EIP-712 eth signed message prefix
    * Note: this is only required when we are using ecdsa signatures over secp256k1
    *
    * @param message - The message to sign.
-   * @returns The signatures.
+   * @param context - Signing context for HA slashing protection
+   * @returns The signatures (when context provided with HA, only successfully claimed signatures are returned).
    */
-  signMessage(message: Buffer32): Promise<Signature[]>;
-  signMessageWithAddress(address: EthAddress, message: Buffer32): Promise<Signature>;
+  signMessage(message: Buffer32, context: SigningContext): Promise<Signature[]>;
+
+  /**
+   * Sign a message with a specific address's private key
+   * @param address - The address of the signer to use
+   * @param message - The message to sign
+   * @param context - Signing context for HA slashing protection
+   * @returns signature
+   */
+  signMessageWithAddress(address: EthAddress, message: Buffer32, context: SigningContext): Promise<Signature>;
 }
 
 /**
@@ -79,4 +108,14 @@ export interface ExtendedValidatorKeyStore extends ValidatorKeyStore {
    * @returns the remote signer configuration or undefined
    */
   getRemoteSignerConfig(attesterAddress: EthAddress): EthRemoteSignerConfig | undefined;
+
+  /**
+   * Start the key store
+   */
+  start(): Promise<void>;
+
+  /**
+   * Stop the key store
+   */
+  stop(): Promise<void>;
 }

package/src/key_store/local_key_store.ts

@@ -2,6 +2,7 @@ import { Buffer32 } from '@aztec/foundation/buffer';
 import { Secp256k1Signer } from '@aztec/foundation/crypto/secp256k1-signer';
 import type { EthAddress } from '@aztec/foundation/eth-address';
 import type { Signature } from '@aztec/foundation/eth-signature';
+import type { SigningContext } from '@aztec/validator-ha-signer/types';
 
 import { type TypedDataDefinition, hashTypedData } from 'viem';
 
@@ -46,9 +47,10 @@ export class LocalKeyStore implements ValidatorKeyStore {
   /**
    * Sign a message with all keystore private keys
    * @param typedData - The complete EIP-712 typed data structure (domain, types, primaryType, message)
+   * @param _context - Signing context (ignored by LocalKeyStore, used for HA protection)
    * @return signature
    */
-  public signTypedData(typedData: TypedDataDefinition): Promise<Signature[]> {
+  public signTypedData(typedData: TypedDataDefinition, _context: SigningContext): Promise<Signature[]> {
     const digest = hashTypedData(typedData);
     return Promise.all(this.signers.map(signer => signer.sign(Buffer32.fromString(digest))));
   }
@@ -57,10 +59,15 @@ export class LocalKeyStore implements ValidatorKeyStore {
    * Sign a message with a specific address's private key
    * @param address - The address of the signer to use
    * @param typedData - The complete EIP-712 typed data structure (domain, types, primaryType, message)
+   * @param _context - Signing context (ignored by LocalKeyStore, used for HA protection)
    * @returns signature for the specified address
    * @throws Error if the address is not found in the keystore
    */
-  public signTypedDataWithAddress(address: EthAddress, typedData: TypedDataDefinition): Promise<Signature> {
+  public signTypedDataWithAddress(
+    address: EthAddress,
+    typedData: TypedDataDefinition,
+    _context: SigningContext,
+  ): Promise<Signature> {
     const signer = this.signersByAddress.get(address.toString());
     if (!signer) {
       throw new Error(`No signer found for address ${address.toString()}`);
@@ -73,9 +80,10 @@ export class LocalKeyStore implements ValidatorKeyStore {
    * Sign a message using eth_sign with all keystore private keys
    *
    * @param message - The message to sign
+   * @param _context - Signing context (ignored by LocalKeyStore, used for HA protection)
    * @return signatures
    */
-  public signMessage(message: Buffer32): Promise<Signature[]> {
+  public signMessage(message: Buffer32, _context: SigningContext): Promise<Signature[]> {
     return Promise.all(this.signers.map(signer => signer.signMessage(message)));
   }
 
@@ -83,10 +91,11 @@ export class LocalKeyStore implements ValidatorKeyStore {
    * Sign a message using eth_sign with a specific address's private key
    * @param address - The address of the signer to use
    * @param message - The message to sign
+   * @param _context - Signing context (ignored by LocalKeyStore, used for HA protection)
    * @returns signature for the specified address
    * @throws Error if the address is not found in the keystore
    */
-  public signMessageWithAddress(address: EthAddress, message: Buffer32): Promise<Signature> {
+  public signMessageWithAddress(address: EthAddress, message: Buffer32, _context: SigningContext): Promise<Signature> {
     const signer = this.signersByAddress.get(address.toString());
     if (!signer) {
       throw new Error(`No signer found for address ${address.toString()}`);

package/src/key_store/node_keystore_adapter.ts

@@ -6,6 +6,7 @@ import { KeystoreManager, loadKeystoreFile } from '@aztec/node-keystore';
 import type { EthRemoteSignerConfig } from '@aztec/node-keystore';
 import { AztecAddress } from '@aztec/stdlib/aztec-address';
 import { InvalidValidatorPrivateKeyError } from '@aztec/stdlib/validators';
+import type { SigningContext } from '@aztec/validator-ha-signer/types';
 
 import type { TypedDataDefinition } from 'viem';
 import { privateKeyToAccount } from 'viem/accounts';
@@ -230,9 +231,10 @@ export class NodeKeystoreAdapter implements ExtendedValidatorKeyStore {
   /**
    * Sign typed data with all attester signers across validators.
    * @param typedData EIP-712 typed data
+   * @param _context Signing context (ignored by NodeKeystoreAdapter, used for HA protection)
    * @returns Array of signatures in validator order, flattened
    */
-  async signTypedData(typedData: TypedDataDefinition): Promise<Signature[]> {
+  async signTypedData(typedData: TypedDataDefinition, _context: SigningContext): Promise<Signature[]> {
     const jobs: Promise<Signature>[] = [];
     for (const i of this.validatorIndices()) {
       const v = this.ensureValidator(i);
@@ -246,9 +248,10 @@ export class NodeKeystoreAdapter implements ExtendedValidatorKeyStore {
   /**
    * Sign a message with all attester signers across validators.
    * @param message 32-byte message (already hashed/padded as needed)
+   * @param _context Signing context (ignored by NodeKeystoreAdapter, used for HA protection)
    * @returns Array of signatures in validator order, flattened
    */
-  async signMessage(message: Buffer32): Promise<Signature[]> {
+  async signMessage(message: Buffer32, _context: SigningContext): Promise<Signature[]> {
     const jobs: Promise<Signature>[] = [];
     for (const i of this.validatorIndices()) {
       const v = this.ensureValidator(i);
@@ -264,10 +267,15 @@ export class NodeKeystoreAdapter implements ExtendedValidatorKeyStore {
    * Hydrates caches on-demand when the address is first seen.
    * @param address Address to sign with
    * @param typedData EIP-712 typed data
+   * @param _context Signing context (ignored by NodeKeystoreAdapter, used for HA protection)
    * @returns Signature from the signer matching the address
    * @throws Error when no signer exists for the address
    */
-  async signTypedDataWithAddress(address: EthAddress, typedData: TypedDataDefinition): Promise<Signature> {
+  async signTypedDataWithAddress(
+    address: EthAddress,
+    typedData: TypedDataDefinition,
+    _context: SigningContext,
+  ): Promise<Signature> {
     const entry = this.addressIndex.get(NodeKeystoreAdapter.key(address));
     if (entry) {
       return await this.keystoreManager.signTypedData(entry.signer, typedData);
@@ -290,10 +298,11 @@ export class NodeKeystoreAdapter implements ExtendedValidatorKeyStore {
    * Hydrates caches on-demand when the address is first seen.
    * @param address Address to sign with
    * @param message 32-byte message
+   * @param _context Signing context (ignored by NodeKeystoreAdapter, used for HA protection)
    * @returns Signature from the signer matching the address
    * @throws Error when no signer exists for the address
    */
-  async signMessageWithAddress(address: EthAddress, message: Buffer32): Promise<Signature> {
+  async signMessageWithAddress(address: EthAddress, message: Buffer32, _context: SigningContext): Promise<Signature> {
     const entry = this.addressIndex.get(NodeKeystoreAdapter.key(address));
     if (entry) {
       return await this.keystoreManager.signMessage(entry.signer, message);
@@ -372,4 +381,18 @@ export class NodeKeystoreAdapter implements ExtendedValidatorKeyStore {
     const validatorIndex = this.findValidatorIndexForAttester(attesterAddress);
     return this.keystoreManager.getEffectiveRemoteSignerConfig(validatorIndex, attesterAddress);
   }
+
+  /**
+   * Start the key store - no-op
+   */
+  start(): Promise<void> {
+    return Promise.resolve();
+  }
+
+  /**
+   * Stop the key store - no-op
+   */
+  stop(): Promise<void> {
+    return Promise.resolve();
+  }
 }

package/src/key_store/web3signer_key_store.ts

@@ -2,6 +2,7 @@ import type { Buffer32 } from '@aztec/foundation/buffer';
 import { normalizeSignature } from '@aztec/foundation/crypto/secp256k1-signer';
 import { EthAddress } from '@aztec/foundation/eth-address';
 import { Signature } from '@aztec/foundation/eth-signature';
+import type { SigningContext } from '@aztec/validator-ha-signer/types';
 
 import type { TypedDataDefinition } from 'viem';
 
@@ -44,9 +45,10 @@ export class Web3SignerKeyStore implements ValidatorKeyStore {
   /**
    * Sign EIP-712 typed data with all keystore addresses
    * @param typedData - The complete EIP-712 typed data structure (domain, types, primaryType, message)
+   * @param _context - Signing context (ignored by Web3SignerKeyStore, used for HA protection)
    * @return signatures
    */
-  public signTypedData(typedData: TypedDataDefinition): Promise<Signature[]> {
+  public signTypedData(typedData: TypedDataDefinition, _context: SigningContext): Promise<Signature[]> {
     return Promise.all(this.addresses.map(address => this.makeJsonRpcSignTypedDataRequest(address, typedData)));
   }
 
@@ -54,10 +56,15 @@ export class Web3SignerKeyStore implements ValidatorKeyStore {
    * Sign EIP-712 typed data with a specific address
    * @param address - The address of the signer to use
    * @param typedData - The complete EIP-712 typed data structure (domain, types, primaryType, message)
+   * @param _context - Signing context (ignored by Web3SignerKeyStore, used for HA protection)
    * @returns signature for the specified address
    * @throws Error if the address is not found in the keystore or signing fails
    */
-  public async signTypedDataWithAddress(address: EthAddress, typedData: TypedDataDefinition): Promise<Signature> {
+  public async signTypedDataWithAddress(
+    address: EthAddress,
+    typedData: TypedDataDefinition,
+    _context: SigningContext,
+  ): Promise<Signature> {
     if (!this.addresses.some(addr => addr.equals(address))) {
       throw new Error(`Address ${address.toString()} not found in keystore`);
     }
@@ -69,9 +76,10 @@ export class Web3SignerKeyStore implements ValidatorKeyStore {
    * Sign a message with all keystore addresses using EIP-191 prefix
    *
    * @param message - The message to sign
+   * @param _context - Signing context (ignored by Web3SignerKeyStore, used for HA protection)
    * @return signatures
    */
-  public signMessage(message: Buffer32): Promise<Signature[]> {
+  public signMessage(message: Buffer32, _context: SigningContext): Promise<Signature[]> {
     return Promise.all(this.addresses.map(address => this.makeJsonRpcSignRequest(address, message)));
   }
 
@@ -79,10 +87,15 @@ export class Web3SignerKeyStore implements ValidatorKeyStore {
    * Sign a message with a specific address using EIP-191 prefix
    * @param address - The address of the signer to use
    * @param message - The message to sign
+   * @param _context - Signing context (ignored by Web3SignerKeyStore, used for HA protection)
    * @returns signature for the specified address
    * @throws Error if the address is not found in the keystore or signing fails
    */
-  public async signMessageWithAddress(address: EthAddress, message: Buffer32): Promise<Signature> {
+  public async signMessageWithAddress(
+    address: EthAddress,
+    message: Buffer32,
+    _context: SigningContext,
+  ): Promise<Signature> {
     if (!this.addresses.some(addr => addr.equals(address))) {
       throw new Error(`Address ${address.toString()} not found in keystore`);
     }

package/src/metrics.ts

@@ -1,11 +1,11 @@
 import type { BlockProposal } from '@aztec/stdlib/p2p';
 import {
   Attributes,
+  type Gauge,
   type Histogram,
   Metrics,
   type TelemetryClient,
   type UpDownCounter,
-  ValueType,
 } from '@aztec/telemetry-client';
 
 export class ValidatorMetrics {
@@ -16,55 +16,28 @@ export class ValidatorMetrics {
 
   private reexMana: Histogram;
   private reexTx: Histogram;
-  private reexDuration: Histogram;
+  private reexDuration: Gauge;
 
   constructor(telemetryClient: TelemetryClient) {
     const meter = telemetryClient.getMeter('Validator');
 
-    this.failedReexecutionCounter = meter.createUpDownCounter(Metrics.VALIDATOR_FAILED_REEXECUTION_COUNT, {
-      description: 'The number of failed re-executions',
-      unit: 'count',
-      valueType: ValueType.INT,
-    });
+    this.failedReexecutionCounter = meter.createUpDownCounter(Metrics.VALIDATOR_FAILED_REEXECUTION_COUNT);
 
-    this.successfulAttestationsCount = meter.createUpDownCounter(Metrics.VALIDATOR_ATTESTATION_SUCCESS_COUNT, {
-      description: 'The number of successful attestations',
-      valueType: ValueType.INT,
-    });
+    this.successfulAttestationsCount = meter.createUpDownCounter(Metrics.VALIDATOR_ATTESTATION_SUCCESS_COUNT);
 
     this.failedAttestationsBadProposalCount = meter.createUpDownCounter(
       Metrics.VALIDATOR_ATTESTATION_FAILED_BAD_PROPOSAL_COUNT,
-      {
-        description: 'The number of failed attestations due to invalid block proposals',
-        valueType: ValueType.INT,
-      },
     );
 
     this.failedAttestationsNodeIssueCount = meter.createUpDownCounter(
       Metrics.VALIDATOR_ATTESTATION_FAILED_NODE_ISSUE_COUNT,
-      {
-        description: 'The number of failed attestations due to node issues (timeout, missing data, etc.)',
-        valueType: ValueType.INT,
-      },
     );
 
-    this.reexMana = meter.createHistogram(Metrics.VALIDATOR_RE_EXECUTION_MANA, {
-      description: 'The mana consumed by blocks',
-      valueType: ValueType.DOUBLE,
-      unit: 'Mmana',
-    });
+    this.reexMana = meter.createHistogram(Metrics.VALIDATOR_RE_EXECUTION_MANA);
 
-    this.reexTx = meter.createHistogram(Metrics.VALIDATOR_RE_EXECUTION_TX_COUNT, {
-      description: 'The number of txs in a block proposal',
-      valueType: ValueType.INT,
-      unit: 'tx',
-    });
+    this.reexTx = meter.createHistogram(Metrics.VALIDATOR_RE_EXECUTION_TX_COUNT);
 
-    this.reexDuration = meter.createGauge(Metrics.VALIDATOR_RE_EXECUTION_TIME, {
-      description: 'The time taken to re-execute a transaction',
-      unit: 'ms',
-      valueType: ValueType.INT,
-    });
+    this.reexDuration = meter.createGauge(Metrics.VALIDATOR_RE_EXECUTION_TIME);
   }
 
   public recordReex(time: number, txs: number, mManaTotal: number) {

package/src/tx_validator/index.ts

@@ -0,0 +1,2 @@
+export * from './nullifier_cache.js';
+export * from './tx_validator_factory.js';

package/src/tx_validator/nullifier_cache.ts

@@ -0,0 +1,30 @@
+import type { NullifierSource } from '@aztec/p2p';
+import type { MerkleTreeReadOperations } from '@aztec/stdlib/interfaces/server';
+import { MerkleTreeId } from '@aztec/stdlib/trees';
+
+/**
+ * Implements a nullifier source by checking a DB and an in-memory collection.
+ * Intended for validating transactions as they are added to a block.
+ */
+export class NullifierCache implements NullifierSource {
+  nullifiers: Set<string>;
+
+  constructor(private db: MerkleTreeReadOperations) {
+    this.nullifiers = new Set();
+  }
+
+  public async nullifiersExist(nullifiers: Buffer[]): Promise<boolean[]> {
+    const cacheResults = nullifiers.map(n => this.nullifiers.has(n.toString()));
+    const toCheckDb = nullifiers.filter((_n, index) => !cacheResults[index]);
+    const dbHits = await this.db.findLeafIndices(MerkleTreeId.NULLIFIER_TREE, toCheckDb);
+
+    let dbIndex = 0;
+    return nullifiers.map((_n, index) => cacheResults[index] || dbHits[dbIndex++] !== undefined);
+  }
+
+  public addNullifiers(nullifiers: Buffer[]) {
+    for (const nullifier of nullifiers) {
+      this.nullifiers.add(nullifier.toString());
+    }
+  }
+}