@chainsafe/lodestar 1.35.0-dev.c88a6ed255 → 1.35.0-dev.c9deb9b59f

package/src/cmds/beacon/initBeaconState.ts

@@ -0,0 +1,275 @@
+import {
+  IBeaconDb,
+  IBeaconNodeOptions,
+  checkAndPersistAnchorState,
+  getStateTypeFromBytes,
+  initStateFromEth1,
+} from "@lodestar/beacon-node";
+import {BeaconConfig, ChainForkConfig, createBeaconConfig} from "@lodestar/config";
+import {
+  BeaconStateAllForks,
+  ensureWithinWeakSubjectivityPeriod,
+  isWithinWeakSubjectivityPeriod,
+  loadState,
+  loadStateAndValidators,
+} from "@lodestar/state-transition";
+import {ssz} from "@lodestar/types";
+import {Checkpoint} from "@lodestar/types/phase0";
+import {Logger, formatBytes, toRootHex} from "@lodestar/utils";
+import {
+  fetchWeakSubjectivityState,
+  getCheckpointFromArg,
+  getCheckpointFromState,
+  getGenesisFileUrl,
+  getGenesisStateRoot,
+} from "../../networks/index.js";
+import {GlobalArgs, defaultNetwork} from "../../options/globalOptions.js";
+import {downloadOrLoadFile, wrapFnError} from "../../util/index.js";
+import {BeaconArgs} from "./options.js";
+
+type StateWithBytes = {state: BeaconStateAllForks; stateBytes: Uint8Array};
+
+async function initAndVerifyWeakSubjectivityState(
+  config: BeaconConfig,
+  db: IBeaconDb,
+  logger: Logger,
+  dbStateBytes: StateWithBytes,
+  wsStateBytes: StateWithBytes,
+  wsCheckpoint: Checkpoint,
+  opts: {ignoreWeakSubjectivityCheck?: boolean} = {}
+): Promise<{anchorState: BeaconStateAllForks; wsCheckpoint: Checkpoint}> {
+  const dbState = dbStateBytes.state;
+  const wsState = wsStateBytes.state;
+  // Check if the store's state and wsState are compatible
+  if (
+    dbState.genesisTime !== wsState.genesisTime ||
+    !ssz.Root.equals(dbState.genesisValidatorsRoot, wsState.genesisValidatorsRoot)
+  ) {
+    throw new Error(
+      "Db state and checkpoint state are not compatible, either clear the db or verify your checkpoint source"
+    );
+  }
+
+  // Pick the state which is ahead as an anchor to initialize the beacon chain
+  let anchorState = wsStateBytes;
+  let anchorCheckpoint = wsCheckpoint;
+  let isCheckpointState = true;
+  if (dbState.slot > wsState.slot) {
+    anchorState = dbStateBytes;
+    anchorCheckpoint = getCheckpointFromState(dbState);
+    isCheckpointState = false;
+    logger.verbose(
+      "Db state is ahead of the provided checkpoint state, using the db state to initialize the beacon chain"
+    );
+  }
+
+  // Throw error unless user explicitly asked not to, in testnets can happen that wss period is too small
+  // that even some epochs of non finalization can cause finalized checkpoint to be out of valid range
+  const wssCheck = wrapFnError(() => ensureWithinWeakSubjectivityPeriod(config, anchorState.state, anchorCheckpoint));
+  const isWithinWeakSubjectivityPeriod = wssCheck.err === null;
+  if (!isWithinWeakSubjectivityPeriod && !opts.ignoreWeakSubjectivityCheck) {
+    throw wssCheck.err;
+  }
+
+  await checkAndPersistAnchorState(config, db, logger, anchorState.state, anchorState.stateBytes, {
+    isWithinWeakSubjectivityPeriod,
+    isCheckpointState,
+  });
+
+  // Return the latest anchorState but still return original wsCheckpoint to validate in backfill
+  return {anchorState: anchorState.state, wsCheckpoint};
+}
+
+/**
+ * Initialize a beacon state, picking the strategy based on the `IBeaconArgs`
+ *
+ * State is initialized in one of three ways:
+ * 1. restore from weak subjectivity state (possibly downloaded from a remote beacon node)
+ * 2. restore from db
+ * 3. restore from genesis state (possibly downloaded via URL)
+ * 4. create genesis state from eth1
+ */
+export async function initBeaconState(
+  options: IBeaconNodeOptions,
+  args: BeaconArgs & GlobalArgs,
+  chainForkConfig: ChainForkConfig,
+  db: IBeaconDb,
+  logger: Logger,
+  signal: AbortSignal
+): Promise<{anchorState: BeaconStateAllForks; wsCheckpoint?: Checkpoint}> {
+  if (args.forceCheckpointSync && !(args.checkpointState || args.checkpointSyncUrl)) {
+    throw new Error("Forced checkpoint sync without specifying a checkpointState or checkpointSyncUrl");
+  }
+  // fetch the latest state stored in the db which will be used in all cases, if it exists, either
+  //   i)  used directly as the anchor state
+  //   ii) used to load and verify a weak subjectivity state,
+  const lastDbSlot = await db.stateArchive.lastKey();
+  let stateBytes = lastDbSlot !== null ? await db.stateArchive.getBinary(lastDbSlot) : null;
+  // Convert to `Uint8Array` to avoid unexpected behavior such as `Buffer.prototype.slice` not copying memory
+  stateBytes = stateBytes ? new Uint8Array(stateBytes.buffer, stateBytes.byteOffset, stateBytes.byteLength) : null;
+  let lastDbState: BeaconStateAllForks | null = null;
+  let lastDbValidatorsBytes: Uint8Array | null = null;
+  let lastDbStateWithBytes: StateWithBytes | null = null;
+  if (stateBytes) {
+    logger.verbose("Found the last archived state", {slot: lastDbSlot, size: formatBytes(stateBytes.length)});
+    const {state, validatorsBytes} = loadStateAndValidators(chainForkConfig, stateBytes);
+    lastDbState = state;
+    lastDbValidatorsBytes = validatorsBytes;
+    lastDbStateWithBytes = {state, stateBytes: stateBytes};
+  }
+
+  if (lastDbState) {
+    const config = createBeaconConfig(chainForkConfig, lastDbState.genesisValidatorsRoot);
+    const wssCheck = isWithinWeakSubjectivityPeriod(config, lastDbState, getCheckpointFromState(lastDbState));
+
+    // Explicitly force syncing from checkpoint state
+    if (args.forceCheckpointSync) {
+      // Forcing to sync from checkpoint is only recommended if node is taking too long to sync from last db state.
+      // It is important to remind the user to remove this flag again unless it is absolutely necessary.
+      if (wssCheck) {
+        logger.warn(
+          `Forced syncing from checkpoint even though db state at slot ${lastDbState.slot} is within weak subjectivity period`
+        );
+        logger.warn("Please consider removing --forceCheckpointSync flag unless absolutely necessary");
+      }
+    } else {
+      // All cases when we want to directly use lastDbState as the anchor state:
+      //  - if no checkpoint sync args provided, or
+      //  - the lastDbState is within weak subjectivity period:
+      if ((!args.checkpointState && !args.checkpointSyncUrl) || wssCheck) {
+        if (stateBytes === null) {
+          // this never happens
+          throw Error(`There is no stateBytes for the lastDbState at slot ${lastDbState.slot}`);
+        }
+        await checkAndPersistAnchorState(config, db, logger, lastDbState, stateBytes, {
+          isWithinWeakSubjectivityPeriod: wssCheck,
+          isCheckpointState: false,
+        });
+        return {anchorState: lastDbState};
+      }
+    }
+  }
+
+  // See if we can sync state using checkpoint sync args or else start from genesis
+  if (args.checkpointState) {
+    return readWSState(
+      lastDbStateWithBytes,
+      lastDbValidatorsBytes,
+      {
+        checkpointState: args.checkpointState,
+        wssCheckpoint: args.wssCheckpoint,
+        ignoreWeakSubjectivityCheck: args.ignoreWeakSubjectivityCheck,
+      },
+      chainForkConfig,
+      db,
+      logger
+    );
+  }
+
+  if (args.checkpointSyncUrl) {
+    return fetchWSStateFromBeaconApi(
+      lastDbStateWithBytes,
+      lastDbValidatorsBytes,
+      {
+        checkpointSyncUrl: args.checkpointSyncUrl,
+        wssCheckpoint: args.wssCheckpoint,
+        ignoreWeakSubjectivityCheck: args.ignoreWeakSubjectivityCheck,
+      },
+      chainForkConfig,
+      db,
+      logger
+    );
+  }
+
+  const genesisStateFile = args.genesisStateFile || getGenesisFileUrl(args.network || defaultNetwork);
+  if (genesisStateFile && !args.forceGenesis) {
+    let stateBytes = await downloadOrLoadFile(genesisStateFile);
+    // Convert to `Uint8Array` to avoid unexpected behavior such as `Buffer.prototype.slice` not copying memory
+    stateBytes = new Uint8Array(stateBytes.buffer, stateBytes.byteOffset, stateBytes.byteLength);
+    const anchorState = getStateTypeFromBytes(chainForkConfig, stateBytes).deserializeToViewDU(stateBytes);
+    // Validate genesis state root
+    const stateRoot = toRootHex(anchorState.hashTreeRoot());
+    const expectedRoot = getGenesisStateRoot(args.network);
+    if (expectedRoot !== null && stateRoot !== expectedRoot) {
+      throw Error(`Genesis state root mismatch expected=${expectedRoot} received=${stateRoot}`);
+    }
+    const config = createBeaconConfig(chainForkConfig, anchorState.genesisValidatorsRoot);
+    const wssCheck = isWithinWeakSubjectivityPeriod(config, anchorState, getCheckpointFromState(anchorState));
+    await checkAndPersistAnchorState(config, db, logger, anchorState, stateBytes, {
+      isWithinWeakSubjectivityPeriod: wssCheck,
+      isCheckpointState: true,
+    });
+    return {anchorState};
+  }
+
+  // Only place we will not bother checking isWithinWeakSubjectivityPeriod as forceGenesis passed by user
+  const anchorState = await initStateFromEth1({config: chainForkConfig, db, logger, opts: options.eth1, signal});
+  return {anchorState};
+}
+
+async function readWSState(
+  lastDbStateBytes: StateWithBytes | null,
+  lastDbValidatorsBytes: Uint8Array | null,
+  wssOpts: {checkpointState: string; wssCheckpoint?: string; ignoreWeakSubjectivityCheck?: boolean},
+  chainForkConfig: ChainForkConfig,
+  db: IBeaconDb,
+  logger: Logger
+): Promise<{anchorState: BeaconStateAllForks; wsCheckpoint?: Checkpoint}> {
+  // weak subjectivity sync from a provided state file:
+  // if a weak subjectivity checkpoint has been provided, it is used for additional verification
+  // otherwise, the state itself is used for verification (not bad, because the trusted state has been explicitly provided)
+  const {checkpointState, wssCheckpoint, ignoreWeakSubjectivityCheck} = wssOpts;
+  const lastDbState = lastDbStateBytes?.state ?? null;
+
+  const stateBytes = await downloadOrLoadFile(checkpointState);
+  let wsState: BeaconStateAllForks;
+  if (lastDbState && lastDbValidatorsBytes) {
+    // use lastDbState to load wsState if possible to share the same state tree
+    wsState = loadState(chainForkConfig, lastDbState, stateBytes, lastDbValidatorsBytes).state;
+  } else {
+    wsState = getStateTypeFromBytes(chainForkConfig, stateBytes).deserializeToViewDU(stateBytes);
+  }
+  const config = createBeaconConfig(chainForkConfig, wsState.genesisValidatorsRoot);
+  const wsStateBytes = {state: wsState, stateBytes};
+  const store = lastDbStateBytes ?? wsStateBytes;
+  const checkpoint = wssCheckpoint ? getCheckpointFromArg(wssCheckpoint) : getCheckpointFromState(wsState);
+  return initAndVerifyWeakSubjectivityState(config, db, logger, store, wsStateBytes, checkpoint, {
+    ignoreWeakSubjectivityCheck,
+  });
+}
+
+async function fetchWSStateFromBeaconApi(
+  lastDbStateBytes: StateWithBytes | null,
+  lastDbValidatorsBytes: Uint8Array | null,
+  wssOpts: {checkpointSyncUrl: string; wssCheckpoint?: string; ignoreWeakSubjectivityCheck?: boolean},
+  chainForkConfig: ChainForkConfig,
+  db: IBeaconDb,
+  logger: Logger
+): Promise<{anchorState: BeaconStateAllForks; wsCheckpoint?: Checkpoint}> {
+  // weak subjectivity sync from a state that needs to be fetched:
+  // if a weak subjectivity checkpoint has been provided, it is used to inform which state to download and used for additional verification
+  // otherwise, the 'finalized' state is downloaded and the state itself is used for verification (all trust delegated to the remote beacon node)
+  try {
+    // Validate the weakSubjectivityServerUrl and only log the origin to mask the
+    // username password credentials
+    const checkpointSyncUrl = new URL(wssOpts.checkpointSyncUrl);
+    logger.info("Fetching checkpoint state", {
+      checkpointSyncUrl: checkpointSyncUrl.origin,
+    });
+  } catch (e) {
+    logger.error("Invalid", {checkpointSyncUrl: wssOpts.checkpointSyncUrl}, e as Error);
+    throw e;
+  }
+
+  const {wsState, wsStateBytes, wsCheckpoint} = await fetchWeakSubjectivityState(chainForkConfig, logger, wssOpts, {
+    lastDbState: lastDbStateBytes?.state ?? null,
+    lastDbValidatorsBytes,
+  });
+
+  const config = createBeaconConfig(chainForkConfig, wsState.genesisValidatorsRoot);
+  const wsStateWithBytes = {state: wsState, stateBytes: wsStateBytes};
+  const store = lastDbStateBytes ?? wsStateWithBytes;
+  return initAndVerifyWeakSubjectivityState(config, db, logger, store, wsStateWithBytes, wsCheckpoint, {
+    ignoreWeakSubjectivityCheck: wssOpts.ignoreWeakSubjectivityCheck,
+  });
+}

package/src/cmds/beacon/initPeerIdAndEnr.ts

@@ -0,0 +1,199 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import {generateKeyPair} from "@libp2p/crypto/keys";
+import type {PrivateKey} from "@libp2p/interface";
+import {peerIdFromPrivateKey} from "@libp2p/peer-id";
+import {Multiaddr} from "@multiformats/multiaddr";
+import {SignableENR} from "@chainsafe/enr";
+import {Logger} from "@lodestar/utils";
+import {exportToJSON, readPrivateKey} from "../../config/index.js";
+import {parseListenArgs} from "../../options/beaconNodeOptions/network.js";
+import {writeFile600Perm} from "../../util/file.js";
+import {BeaconArgs} from "./options.js";
+
+/**
+ * Check if multiaddr belongs to the local network interfaces.
+ */
+export function isLocalMultiAddr(multiaddr: Multiaddr | undefined): boolean {
+  if (!multiaddr) return false;
+
+  const protoNames = multiaddr.protoNames();
+  if (protoNames.length !== 2 && protoNames[1] !== "udp") {
+    throw new Error("Invalid udp multiaddr");
+  }
+
+  const interfaces = os.networkInterfaces();
+  const tuples = multiaddr.tuples();
+  const family = tuples[0][0];
+  const isIPv4: boolean = family === 4;
+  const ip = tuples[0][1];
+
+  if (!ip) {
+    return false;
+  }
+
+  const ipStr = isIPv4
+    ? Array.from(ip).join(".")
+    : Array.from(Uint16Array.from(ip))
+        .map((n) => n.toString(16))
+        .join(":");
+
+  for (const networkInterfaces of Object.values(interfaces)) {
+    for (const networkInterface of networkInterfaces || []) {
+      // since node version 18, the netowrkinterface family returns 4 | 6 instead of ipv4 | ipv6,
+      // even though the documentation says otherwise.
+      // This might be a bug that would be corrected in future version, in the meantime
+      // the check using endsWith ensures things work in node version 18 and earlier
+      if (String(networkInterface.family).endsWith(String(family)) && networkInterface.address === ipStr) {
+        return true;
+      }
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Only update the enr if the value has changed
+ */
+function maybeUpdateEnr<T extends "ip" | "tcp" | "udp" | "ip6" | "tcp6" | "udp6">(
+  enr: SignableENR,
+  key: T,
+  value: SignableENR[T] | undefined
+): void {
+  if (enr[key] !== value) {
+    enr[key] = value;
+  }
+}
+
+export function overwriteEnrWithCliArgs(
+  enr: SignableENR,
+  args: BeaconArgs,
+  logger: Logger,
+  opts?: {newEnr?: boolean; bootnode?: boolean}
+): void {
+  const preSeq = enr.seq;
+  const {port, discoveryPort, port6, discoveryPort6} = parseListenArgs(args);
+  maybeUpdateEnr(enr, "ip", args["enr.ip"] ?? enr.ip);
+  maybeUpdateEnr(enr, "ip6", args["enr.ip6"] ?? enr.ip6);
+  maybeUpdateEnr(enr, "udp", args["enr.udp"] ?? discoveryPort ?? enr.udp);
+  maybeUpdateEnr(enr, "udp6", args["enr.udp6"] ?? discoveryPort6 ?? enr.udp6);
+  if (!opts?.bootnode) {
+    maybeUpdateEnr(enr, "tcp", args["enr.tcp"] ?? port ?? enr.tcp);
+    maybeUpdateEnr(enr, "tcp6", args["enr.tcp6"] ?? port6 ?? enr.tcp6);
+  }
+
+  function testMultiaddrForLocal(mu: Multiaddr, ip4: boolean): void {
+    const isLocal = isLocalMultiAddr(mu);
+    if (args.nat) {
+      if (isLocal) {
+        logger.warn("--nat flag is set with no purpose");
+      }
+    } else {
+      if (!isLocal) {
+        logger.warn(
+          `Configured ENR ${ip4 ? "IPv4" : "IPv6"} address is not local, clearing ENR ${ip4 ? "ip" : "ip6"} and ${
+            ip4 ? "udp" : "udp6"
+          }. Set the --nat flag to prevent this`
+        );
+        if (ip4) {
+          enr.delete("ip");
+          enr.delete("udp");
+        } else {
+          enr.delete("ip6");
+          enr.delete("udp6");
+        }
+      }
+    }
+  }
+  const udpMultiaddr4 = enr.getLocationMultiaddr("udp4");
+  if (udpMultiaddr4) {
+    testMultiaddrForLocal(udpMultiaddr4, true);
+  }
+  const udpMultiaddr6 = enr.getLocationMultiaddr("udp6");
+  if (udpMultiaddr6) {
+    testMultiaddrForLocal(udpMultiaddr6, false);
+  }
+
+  if (enr.seq !== preSeq) {
+    // If the enr is newly created, its sequence number can be set to 1
+    // It's especially clean for fully configured bootnodes whose enrs never change
+    // Otherwise, we can increment the sequence number as little as possible
+    if (opts?.newEnr) {
+      enr.seq = BigInt(1);
+    } else {
+      enr.seq = preSeq + BigInt(1);
+    }
+    // invalidate cached signature
+    // biome-ignore lint/complexity/useLiteralKeys: `_signature` is a private attribute
+    delete enr["_signature"];
+  }
+}
+
+/**
+ * Create new PeerId and ENR by default, unless persistNetworkIdentity is provided
+ */
+export async function initPrivateKeyAndEnr(
+  args: BeaconArgs,
+  beaconDir: string,
+  logger: Logger,
+  bootnode?: boolean
+): Promise<{privateKey: PrivateKey; enr: SignableENR}> {
+  const {persistNetworkIdentity} = args;
+
+  const newPrivateKeyAndENR = async (): Promise<{privateKey: PrivateKey; enr: SignableENR}> => {
+    const privateKey = await generateKeyPair("secp256k1");
+    const enr = SignableENR.createFromPrivateKey(privateKey);
+    return {privateKey, enr};
+  };
+
+  const readPersistedPrivateKeyAndENR = async (
+    peerIdFile: string,
+    enrFile: string
+  ): Promise<{privateKey: PrivateKey; enr: SignableENR; newEnr: boolean}> => {
+    let privateKey: PrivateKey;
+    let enr: SignableENR;
+
+    // attempt to read stored private key
+    try {
+      privateKey = readPrivateKey(peerIdFile);
+    } catch (e) {
+      if ((e as {code: string}).code === "ENOENT") {
+        logger.debug("peerIdFile not found, creating a new peer id", {peerIdFile});
+      } else {
+        logger.warn("Unable to read peerIdFile, creating a new peer id", {peerIdFile}, e as Error);
+      }
+      return {...(await newPrivateKeyAndENR()), newEnr: true};
+    }
+    // attempt to read stored enr
+    try {
+      enr = SignableENR.decodeTxt(fs.readFileSync(enrFile, "utf-8"), privateKey.raw);
+    } catch (_e) {
+      logger.warn("Unable to decode stored local ENR, creating a new ENR");
+      enr = SignableENR.createFromPrivateKey(privateKey);
+      return {privateKey, enr, newEnr: true};
+    }
+    // check stored peer id against stored enr
+    if (!peerIdFromPrivateKey(privateKey).equals(enr.peerId)) {
+      logger.warn("Stored local ENR doesn't match peerIdFile, creating a new ENR");
+      enr = SignableENR.createFromPrivateKey(privateKey);
+      return {privateKey, enr, newEnr: true};
+    }
+    return {privateKey, enr, newEnr: false};
+  };
+
+  if (persistNetworkIdentity) {
+    const enrFile = path.join(beaconDir, "enr");
+    const peerIdFile = path.join(beaconDir, "peer-id.json");
+    const {privateKey, enr, newEnr} = await readPersistedPrivateKeyAndENR(peerIdFile, enrFile);
+    overwriteEnrWithCliArgs(enr, args, logger, {newEnr, bootnode});
+    // Re-persist peer-id and enr
+    writeFile600Perm(peerIdFile, exportToJSON(privateKey));
+    writeFile600Perm(enrFile, enr.encodeTxt());
+    return {privateKey, enr};
+  }
+  const {privateKey, enr} = await newPrivateKeyAndENR();
+  overwriteEnrWithCliArgs(enr, args, logger, {newEnr: true, bootnode});
+  return {privateKey, enr};
+}

package/src/cmds/beacon/options.ts

@@ -0,0 +1,214 @@
+import {CliCommandOptions, CliOptionDefinition} from "@lodestar/utils";
+import {BeaconNodeArgs, beaconNodeOptions, paramsOptions} from "../../options/index.js";
+import {LogArgs, logOptions} from "../../options/logOptions.js";
+import {BeaconPaths, defaultBeaconPaths} from "./paths.js";
+
+type BeaconExtraArgs = {
+  forceGenesis?: boolean;
+  genesisStateFile?: string;
+  configFile?: string;
+  bootnodesFile?: string;
+  checkpointSyncUrl?: string;
+  checkpointState?: string;
+  wssCheckpoint?: string;
+  forceCheckpointSync?: boolean;
+  ignoreWeakSubjectivityCheck?: boolean;
+  beaconDir?: string;
+  dbDir?: string;
+  persistInvalidSszObjectsDir?: string;
+  persistInvalidSszObjectsRetentionHours?: number;
+  persistOrphanedBlocksDir?: string;
+  peerStoreDir?: string;
+  persistNetworkIdentity?: boolean;
+  private?: boolean;
+  validatorMonitorLogs?: boolean;
+  attachToGlobalThis?: boolean;
+  disableLightClientServer?: boolean;
+};
+
+export const beaconExtraOptions: CliCommandOptions<BeaconExtraArgs> = {
+  forceGenesis: {
+    description: "Force beacon to create genesis without file",
+    type: "boolean",
+    hidden: true,
+  },
+
+  genesisStateFile: {
+    description: "Path or URL to download a genesis state file in ssz-encoded format",
+    type: "string",
+  },
+
+  configFile: {
+    hidden: true,
+    description: "[DEPRECATED] Beacon node configuration file path",
+    type: "string",
+  },
+
+  bootnodesFile: {
+    hidden: true,
+    description: "Bootnodes file path",
+    type: "string",
+  },
+
+  checkpointSyncUrl: {
+    description:
+      "Server url hosting Beacon Node APIs to fetch weak subjectivity state. Fetch latest finalized by default, else set --wssCheckpoint",
+    type: "string",
+    group: "weak subjectivity",
+  },
+
+  checkpointState: {
+    description: "Set a checkpoint state to start syncing from",
+    type: "string",
+    group: "weak subjectivity",
+  },
+
+  wssCheckpoint: {
+    description:
+      "Start beacon node off a state at the provided weak subjectivity checkpoint, to be supplied in <blockRoot>:<epoch> format. For example, 0x1234:100 will sync and start off from the weak subjectivity state at checkpoint of epoch 100 with block root 0x1234.",
+    type: "string",
+    group: "weak subjectivity",
+  },
+
+  forceCheckpointSync: {
+    description:
+      "Force syncing from checkpoint state even if db state is within weak subjectivity period. This helps to avoid long sync times after node has been offline for a while.",
+    type: "boolean",
+    group: "weak subjectivity",
+  },
+
+  ignoreWeakSubjectivityCheck: {
+    description:
+      "Ignore the checkpoint sync state failing the weak subjectivity check. This is relevant in testnets where the weak subjectivity period is too small for even few epochs of non finalization causing last finalized to be out of range. This flag is not recommended for mainnet use.",
+    type: "boolean",
+    group: "weak subjectivity",
+  },
+
+  beaconDir: {
+    description: "Beacon root directory",
+    defaultDescription: defaultBeaconPaths.beaconDir,
+    hidden: true,
+    type: "string",
+  },
+
+  dbDir: {
+    description: "Beacon DB directory",
+    defaultDescription: defaultBeaconPaths.dbDir,
+    hidden: true,
+    type: "string",
+  },
+
+  persistInvalidSszObjectsDir: {
+    description: "Enable and specify a directory to persist invalid ssz objects",
+    defaultDescription: defaultBeaconPaths.persistInvalidSszObjectsDir,
+    hidden: true,
+    type: "string",
+  },
+
+  persistInvalidSszObjectsRetentionHours: {
+    description: "Number of hours to keep invalid SSZ objects on local disk",
+    hidden: true,
+    type: "number",
+  },
+
+  persistOrphanedBlocksDir: {
+    description: "Enable and specify a directory to persist orphaned blocks",
+    defaultDescription: defaultBeaconPaths.persistOrphanedBlocksDir,
+    hidden: true,
+    type: "string",
+  },
+
+  peerStoreDir: {
+    hidden: true,
+    description: "Peer store directory",
+    defaultDescription: defaultBeaconPaths.peerStoreDir,
+    type: "string",
+  },
+
+  persistNetworkIdentity: {
+    description:
+      "Whether to reuse the same peer-id across restarts. Validator custody requires custody group count to persist relative to a given ENR. Setting to false will reset ENR and validator custody requirements on restarts.",
+    default: true,
+    type: "boolean",
+  },
+
+  private: {
+    description:
+      "Do not send implementation details over p2p identify protocol and in builder, execution engine and eth1 requests",
+    type: "boolean",
+  },
+
+  validatorMonitorLogs: {
+    description: "Log validator monitor events as info.",
+    type: "boolean",
+  },
+
+  attachToGlobalThis: {
+    hidden: true,
+    description: "Attach the beacon node to `globalThis`. Useful to inspect a running beacon node.",
+    type: "boolean",
+  },
+
+  disableLightClientServer: {
+    description: "Disable light client server.",
+    type: "boolean",
+  },
+};
+
+type ENRArgs = {
+  "enr.ip"?: string;
+  "enr.tcp"?: number;
+  "enr.ip6"?: string;
+  "enr.udp"?: number;
+  "enr.tcp6"?: number;
+  "enr.udp6"?: number;
+  nat?: boolean;
+};
+
+const enrOptions: CliCommandOptions<ENRArgs> = {
+  "enr.ip": {
+    description: "Override ENR IP entry",
+    type: "string",
+    group: "enr",
+  },
+  "enr.tcp": {
+    description: "Override ENR TCP entry",
+    type: "number",
+    group: "enr",
+  },
+  "enr.udp": {
+    description: "Override ENR UDP entry",
+    type: "number",
+    group: "enr",
+  },
+  "enr.ip6": {
+    description: "Override ENR IPv6 entry",
+    type: "string",
+    group: "enr",
+  },
+  "enr.tcp6": {
+    description: "Override ENR (IPv6-specific) TCP entry",
+    type: "number",
+    group: "enr",
+  },
+  "enr.udp6": {
+    description: "Override ENR (IPv6-specific) UDP entry",
+    type: "number",
+    group: "enr",
+  },
+  nat: {
+    type: "boolean",
+    description: "Allow configuration of non-local addresses",
+    group: "enr",
+  },
+};
+
+export type BeaconArgs = BeaconExtraArgs & LogArgs & BeaconPaths & BeaconNodeArgs & ENRArgs;
+
+export const beaconOptions: {[k: string]: CliOptionDefinition} = {
+  ...beaconExtraOptions,
+  ...logOptions,
+  ...beaconNodeOptions,
+  ...paramsOptions,
+  ...enrOptions,
+};