tempo/

tempo_cmd.rs

use std::{
    fs::OpenOptions,
    io::Write as _,
    net::{IpAddr, SocketAddr},
    path::{Path, PathBuf},
    str::FromStr,
    sync::Arc,
};

use alloy::hex::ToHexExt;
use alloy_network::EthereumWallet;
use alloy_primitives::{Address, B256, Bytes};
use alloy_provider::{Provider, ProviderBuilder};
use alloy_rpc_types_eth::TransactionRequest;
use alloy_signer_aws::{AwsSigner, aws_config, aws_sdk_kms};
use alloy_signer_gcp::{GcpKeyRingRef, GcpSigner, KeySpecifier, gcloud_sdk};
use alloy_signer_ledger::{HDPath as LedgerHDPath, LedgerSigner};
use alloy_signer_local::PrivateKeySigner;
use alloy_signer_trezor::{HDPath as TrezorHDPath, TrezorSigner};
use alloy_sol_types::SolCall;
use clap::Subcommand;
use commonware_codec::{DecodeExt as _, Encode as _, ReadExt as _};
use commonware_consensus::types::{Epocher as _, FixedEpocher, Height};
use commonware_cryptography::{
    Signer as _,
    ed25519::{PrivateKey, PublicKey},
};
use commonware_math::algebra::Random as _;
use commonware_utils::{NZU64, ordered};
use eyre::{OptionExt as _, Report, WrapErr as _, bail, eyre};
use reth_chainspec::EthChainSpec;
use reth_cli_runner::CliRunner;
use reth_ethereum_cli::ExtendedCommand;
use serde::Serialize;
use tempo_alloy::TempoNetwork;
use tempo_chainspec::spec::{TempoChainSpec, TempoChainSpecParser};
use tempo_consensus_config::{SigningKey, SigningKeyPassphrase};
use tempo_contracts::precompiles::{
    IValidatorConfigV2::{self, Validator},
    VALIDATOR_CONFIG_V2_ADDRESS,
};
use tempo_dkg_onchain_artifacts::OnchainDkgOutcome;
use tempo_precompiles::validator_config_v2::{VALIDATOR_NS_ADD, VALIDATOR_NS_ROTATE};
use tempo_validator_config::ValidatorConfig;

use crate::{init_state, p2p_proxy::P2pProxyArgs, regenesis};

fn get_env(key: &str) -> eyre::Result<String> {
    std::env::var(key).wrap_err_with(|| format!("failed reading environment variable `{key}`"))
}

/// Passthrough args for extension management commands.
///
/// These commands are defined here so they appear in `tempo --help`, but
/// the actual implementation lives in `tempo_ext::run()`. We capture all
/// trailing arguments and re-dispatch.
#[derive(Debug, clap::Args)]
pub struct ExtArgs {
    #[arg(trailing_var_arg = true, allow_hyphen_values = true, hide = true)]
    args: Vec<String>,
}

/// Tempo-specific subcommands that extend the reth CLI.
#[derive(Debug, Subcommand)]
pub enum TempoSubcommand {
    /// Consensus-related commands.
    #[command(subcommand)]
    Consensus(ConsensusSubcommand),

    /// Run a proxy P2P node that serves cached block data fetched from an RPC endpoint.
    P2pProxy(P2pProxyArgs),

    /// Initialize state from a binary dump file.
    ///
    /// Loads TIP20 storage slots from a binary file generated by `tempo-xtask generate-state-bloat`
    /// and applies them to the genesis state.
    InitFromBinaryDump(Box<init_state::InitFromBinaryDump<TempoChainSpecParser>>),

    /// Patch a virgin block-0 database to use a new genesis header.
    Regenesis(Box<regenesis::Regenesis<TempoChainSpecParser>>),

    /// Install an extension (e.g., `tempo add wallet`).
    #[command(
        override_usage = "tempo add <EXT> [VERSION]",
        after_help = "Examples:\n  tempo add wallet\n  tempo add wallet 0.2.0"
    )]
    Add(ExtArgs),

    /// Update tempo and/or extensions.
    #[command(
        override_usage = "tempo update [EXT]",
        after_help = "Examples:\n  tempo update          # update tempo + all extensions\n  tempo update wallet   # update a single extension"
    )]
    Update(ExtArgs),

    /// Remove an extension.
    #[command(
        override_usage = "tempo remove <EXT>",
        after_help = "Example: tempo remove wallet"
    )]
    Remove(ExtArgs),

    /// List installed extensions.
    #[command(override_usage = "tempo list")]
    List(ExtArgs),
}

impl ExtendedCommand for TempoSubcommand {
    fn execute(self, runner: CliRunner) -> eyre::Result<()> {
        match self {
            Self::Consensus(cmd) => {
                runner.run_blocking_until_ctrl_c(cmd.run())?;
                Ok(())
            }
            Self::P2pProxy(cmd) => runner.run_command_until_exit(|_| cmd.run()),
            Self::InitFromBinaryDump(cmd) => {
                let runtime = runner.runtime();
                runner.run_blocking_until_ctrl_c(
                    cmd.execute::<tempo_node::node::TempoNode>(runtime),
                )?;
                Ok(())
            }
            Self::Regenesis(cmd) => {
                let runtime = runner.runtime();
                runner.run_blocking_until_ctrl_c(
                    cmd.execute::<tempo_node::node::TempoNode>(runtime),
                )?;
                Ok(())
            }
            Self::Add(_) | Self::Update(_) | Self::Remove(_) | Self::List(_) => {
                let code = tempo_ext::run(std::env::args_os()).map_err(|e| eyre!("{e}"))?;
                if code != 0 {
                    std::process::exit(code);
                }
                Ok(())
            }
        }
    }
}

#[derive(Debug, Subcommand)]
pub enum ConsensusSubcommand {
    /// Add a new validator to the validator config contract.
    AddValidator(AddValidator),
    /// Shows the verification key for an ed25519 signing key.
    #[command(alias = "calculate-public-key")]
    ShowVerificationKey(ShowVerificationKey),
    /// Create an ed25519 signature for `addValidator`.
    CreateAddValidatorSignature(CreateAddValidatorSignatureArgs),
    /// Create an ed25519 signature for `rotateValidator`.
    CreateRotateValidatorSignature(CreateRotateValidatorSignatureArgs),
    /// Deactivate a validator
    DeactivateValidator(DeactivateValidator),
    /// Encrypt an existing ed25519 signing key using a passphrase.
    EncryptSigningKey(EncryptSigningKey),
    /// Generates an ed25519 signing key pair to be used in consensus.
    #[command(alias = "generate-private-key")]
    GenerateSigningKey(GenerateSigningKey),
    /// Rotate a validator to a new identity.
    RotateValidator(RotateValidator),
    /// Set the validator Ip Address
    SetValidatorIpAddress(SetValidatorIpAddress),
    /// Set the validator fee recipient
    SetValidatorFeeRecipient(SetValidatorFeeRecipient),
    /// Transfer validator ownership
    TransferValidatorOwnership(TransferValidatorOwnership),
    /// Look up a validator by etheruem address, e25519 public key, or index.
    Validator(ValidatorInfo),
    /// Query current committee information from the previous epoch's DKG outcome and current contract state.
    #[command(alias = "validators-info")]
    Info(Info),
}

impl ConsensusSubcommand {
    async fn run(self) -> eyre::Result<()> {
        match self {
            Self::AddValidator(args) => args.run().await,
            Self::DeactivateValidator(args) => args.run().await,
            Self::TransferValidatorOwnership(args) => args.run().await,
            Self::RotateValidator(args) => args.run().await,
            Self::CreateAddValidatorSignature(args) => args.run().await,
            Self::CreateRotateValidatorSignature(args) => args.run().await,
            Self::SetValidatorIpAddress(args) => args.run().await,
            Self::SetValidatorFeeRecipient(args) => args.run().await,
            Self::EncryptSigningKey(args) => args.run(),
            Self::GenerateSigningKey(args) => args.run(),
            Self::ShowVerificationKey(args) => args.run(),
            Self::Validator(args) => args.run().await,
            Self::Info(args) => args.run().await,
        }
    }
}

#[derive(Clone, Debug)]
enum ValidatorId {
    Address(Address),
    Index(u64),
    PublicKey(B256),
}

impl FromStr for ValidatorId {
    type Err = eyre::Report;

    fn from_str(s: &str) -> Result<Self, Self::Err> {
        if let Ok(idx) = s.parse::<u64>() {
            Ok(Self::Index(idx))
        } else if let Ok(address) = s.parse::<Address>() {
            Ok(Self::Address(address))
        } else if let Ok(pubkey) = s.parse::<B256>() {
            Ok(Self::PublicKey(pubkey))
        } else {
            Err(eyre!(
                "validator identifier must be an index, ethereum address, or ed25519 public key"
            ))
        }
    }
}

async fn read_validator_from_contract(
    provider: &impl Provider<TempoNetwork>,
    lookup: ValidatorId,
) -> eyre::Result<Validator> {
    let calldata: Vec<u8> = match lookup {
        ValidatorId::Address(addr) => IValidatorConfigV2::validatorByAddressCall {
            validatorAddress: addr,
        }
        .abi_encode(),
        ValidatorId::Index(idx) => {
            IValidatorConfigV2::validatorByIndexCall { index: idx }.abi_encode()
        }
        ValidatorId::PublicKey(pubkey) => {
            IValidatorConfigV2::validatorByPublicKeyCall { publicKey: pubkey }.abi_encode()
        }
    };

    let tx = TransactionRequest::default()
        .to(VALIDATOR_CONFIG_V2_ADDRESS)
        .input(calldata.into());

    let resp = provider
        .call(tx.into())
        .await
        .wrap_err("failed to read contract")?;

    let validator = match lookup {
        ValidatorId::Address(_) => {
            IValidatorConfigV2::validatorByAddressCall::abi_decode_returns(&resp)
        }
        ValidatorId::Index(_) => {
            IValidatorConfigV2::validatorByIndexCall::abi_decode_returns(&resp)
        }
        ValidatorId::PublicKey(_) => {
            IValidatorConfigV2::validatorByPublicKeyCall::abi_decode_returns(&resp)
        }
    }
    .wrap_err("failed to decode validator")?;

    Ok(validator)
}

/// Shared validator identity arguments used across add/rotate/sign commands.
#[derive(Debug, clap::Args)]
pub struct ValidatorIdentityArgs {
    /// The validator's Ethereum address
    #[arg(long, value_name = "ETHEREUM_ADDRESS")]
    validator_address: Address,
    /// The validator's signing key address (0x-prefixed hex).
    #[arg(
        long = "consensus.public-key",
        value_name = "IDENTITY_PUBLIC_KEY_ADDRESS"
    )]
    public_key: B256,
    /// The inbound address for the validator.
    #[arg(long, value_name = "IP:PORT")]
    ingress: SocketAddr,
    /// The outbound address for the validator.
    #[arg(long, value_name = "IP")]
    egress: IpAddr,
}

impl ValidatorIdentityArgs {
    fn to_config(&self, chain_id: u64) -> ValidatorConfig {
        ValidatorConfig {
            chain_id,
            validator_address: self.validator_address,
            public_key: self.public_key,
            ingress: self.ingress,
            egress: self.egress,
        }
    }
}

/// Either a pre-computed signature or a signing key to compute it from.
#[derive(Debug, clap::Args)]
#[group(required = true, multiple = false, args = ["signature", "signing_key"])]
pub struct ValidatorSignatureArgs {
    /// A pre-computed ed25519 signature over the validator identity.
    #[arg(long, value_name = "SIGNATURE")]
    signature: Option<Bytes>,

    #[command(flatten)]
    signing_key: Option<SigningKeyArgs>,
}

impl ValidatorSignatureArgs {
    fn resolve(self, namespace: &[u8], message: &B256) -> eyre::Result<Bytes> {
        let Self {
            signature,
            signing_key,
        } = self;

        match (signature, signing_key) {
            (Some(sig), _) => Ok(sig),
            (None, Some(signing_key)) => {
                let key = signing_key.read()?;
                let private_key = key.into_inner();
                let sig = private_key.sign(namespace, message.as_slice());
                Ok(sig.encode().into())
            }
            (None, None) => unreachable!("clap requires either --signature or --signing-key"),
        }
    }
}

#[derive(Debug, clap::Args)]
pub struct SigningKeyArgs {
    /// Passphrase source for decrypting `--signing-key`.
    ///
    /// A FIFO path, including shell process substitution like `<(...)`, is preferred.
    /// If omitted, the signing key is read as plaintext hex.
    #[arg(long, alias = "consensus.secret", value_name = "PATH")]
    secret: Option<PathBuf>,

    /// Path to the ed25519 signing private key file.
    ///
    /// In commands that also accept `--signature`, the signature is computed
    /// automatically so a separate `create-*-signature` step is not needed.
    #[arg(long, alias = "consensus.signing-key", value_name = "FILE")]
    signing_key: PathBuf,
}

impl SigningKeyArgs {
    fn read(self) -> eyre::Result<SigningKey> {
        let Self {
            signing_key,
            secret,
        } = self;
        read_signing_key(signing_key, secret)
    }
}

#[derive(Debug, clap::Args)]
pub struct WalletArgs {
    /// Path to the file holding the validator's Ethereum private key.
    #[arg(long, value_name = "FILE", help_heading = "Wallet options - raw")]
    wallet_key: Option<PathBuf>,

    /// Use a Ledger hardware wallet.
    #[arg(long, help_heading = "Wallet options - hardware wallet")]
    ledger: bool,

    /// Use a Trezor hardware wallet.
    #[arg(long, help_heading = "Wallet options - hardware wallet")]
    trezor: bool,

    /// Use AWS KMS. Requires AWS_KMS_KEY_ID env var
    #[arg(long, help_heading = "Wallet options - remote")]
    aws: bool,

    /// Use GCP KMS. Requires GCP_PROJECT_ID, GCP_LOCATION, GCP_KEY_RING, GCP_KEY_NAME,
    /// GCP_KEY_VERSION env vars
    #[arg(long, help_heading = "Wallet options - remote")]
    gcp: bool,
}

impl WalletArgs {
    async fn build(&self) -> eyre::Result<EthereumWallet> {
        if self.ledger {
            let signer = LedgerSigner::new(LedgerHDPath::LedgerLive(0), None)
                .await
                .wrap_err("failed to connect to Ledger device")?;

            Ok(EthereumWallet::new(signer))
        } else if self.trezor {
            let signer = TrezorSigner::new(TrezorHDPath::TrezorLive(0), None)
                .await
                .wrap_err("failed to connect to Trezor device")?;

            Ok(EthereumWallet::new(signer))
        } else if self.aws {
            let key_id = get_env("AWS_KMS_KEY_ID")?;
            let config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
            let client = aws_sdk_kms::Client::new(&config);
            let signer = AwsSigner::new(client, key_id, None)
                .await
                .wrap_err("failed to create AWS KMS signer")?;

            Ok(EthereumWallet::new(signer))
        } else if self.gcp {
            let project = get_env("GCP_PROJECT_ID")?;
            let location = get_env("GCP_LOCATION")?;
            let keyring = get_env("GCP_KEY_RING")?;
            let key_name = get_env("GCP_KEY_NAME")?;
            let key_version: u64 = get_env("GCP_KEY_VERSION")?
                .parse()
                .wrap_err("GCP_KEY_VERSION must be a valid u64")?;

            let keyring_ref = GcpKeyRingRef::new(&project, &location, &keyring);
            let specifier = KeySpecifier::new(keyring_ref, &key_name, key_version);

            let client = gcloud_sdk::GoogleApi::from_function(
                gcloud_sdk::google::cloud::kms::v1::key_management_service_client::KeyManagementServiceClient::new,
                "https://cloudkms.googleapis.com",
                None,
            )
            .await
            .wrap_err("failed to create GCP KMS client")?;

            let signer = GcpSigner::new(client, specifier, None)
                .await
                .wrap_err("failed to create GCP KMS signer")?;

            Ok(EthereumWallet::new(signer))
        } else if let Some(path) = &self.wallet_key {
            let signer = key_from_file(path).wrap_err_with(|| {
                format!("failed reading private key from file `{}`", path.display())
            })?;

            Ok(EthereumWallet::new(signer))
        } else {
            bail!("no wallet provided")
        }
    }
}

/// Shared arguments for commands that update the validator config contract.
#[derive(Debug, clap::Args)]
pub struct ValidatorTransactionArgs {
    #[command(flatten)]
    wallet: WalletArgs,

    /// The RPC URL to submit the transaction to.
    #[arg(long, default_value = "https://rpc.presto.tempo.xyz")]
    rpc_url: String,

    /// Skip the interactive confirmation prompt.
    #[arg(long, short = 'y')]
    yes: bool,

    /// Prints transaction and exits. Does not send sign or send the transaction.
    #[arg(long)]
    dry_run: bool,
}

impl ValidatorTransactionArgs {
    async fn call<T: SolCall + Serialize>(&self, call: &T) -> eyre::Result<()> {
        let tx = TransactionRequest::default()
            .to(VALIDATOR_CONFIG_V2_ADDRESS)
            .input(call.abi_encode().into());

        let mut output: Box<dyn std::io::Write + Send> = if self.yes {
            Box::new(std::io::stderr())
        } else {
            Box::new(std::io::stdout())
        };

        writeln!(output, "{}", serde_json::json!(tx))?;
        if self.dry_run {
            return Ok(());
        }

        if !self.yes {
            write!(output, "\nSubmit this transaction? [y/N] ")?;
            output.flush()?;

            let mut input = String::new();
            std::io::stdin().read_line(&mut input)?;

            if !matches!(input.trim(), "y" | "Y" | "yes" | "YES") {
                bail!("transaction cancelled by user")
            }
        }

        let wallet = self
            .wallet
            .build()
            .await
            .wrap_err("failed to open wallet to send transaction")?;

        let provider = ProviderBuilder::new_with_network::<TempoNetwork>()
            .with_gas_estimation()
            .wallet(wallet)
            .connect(&self.rpc_url)
            .await
            .wrap_err("failed to connect to RPC")?;

        let pending = provider
            .send_transaction(tx.into())
            .await
            .wrap_err("failed to send transaction")?;

        let tx_hash = pending.tx_hash();
        writeln!(output, "{tx_hash}")?;

        Ok(())
    }

    async fn provider(&self) -> eyre::Result<impl Provider<TempoNetwork>> {
        let provider = ProviderBuilder::new_with_network::<TempoNetwork>()
            .fetch_chain_id()
            .connect(&self.rpc_url)
            .await
            .wrap_err("failed to connect to RPC")?;

        Ok(provider)
    }
}

#[derive(Debug, clap::Args)]
pub struct AddValidator {
    #[command(flatten)]
    identity: ValidatorIdentityArgs,
    #[command(flatten)]
    sig: ValidatorSignatureArgs,

    /// The fee recipient address
    #[arg(long, value_name = "ETHEREUM_ADDRESS")]
    fee_recipient: Address,

    #[command(flatten)]
    submit: ValidatorTransactionArgs,
}

impl AddValidator {
    async fn run(self) -> eyre::Result<()> {
        let provider = self.submit.provider().await?;

        let chain_id = provider
            .get_chain_id()
            .await
            .wrap_err("failed to get chain id")?;

        let config = self.identity.to_config(chain_id);
        let signature = self.sig.resolve(
            VALIDATOR_NS_ADD,
            &config.add_validator_message_hash(self.fee_recipient),
        )?;

        config
            .check_add_validator_signature(self.fee_recipient, signature.as_ref())
            .wrap_err("add-validator signature check failed")?;

        let call = IValidatorConfigV2::addValidatorCall {
            validatorAddress: self.identity.validator_address,
            publicKey: self.identity.public_key,
            ingress: self.identity.ingress.to_string(),
            egress: self.identity.egress.to_string(),
            signature,
            feeRecipient: self.fee_recipient,
        };

        self.submit.call(&call).await?;
        Ok(())
    }
}

#[derive(Debug, clap::Args)]
pub struct TransferValidatorOwnership {
    /// Validator ethereum address, ed25519 public key, or index
    #[arg()]
    id: ValidatorId,
    /// Path to the file holding the private key of the new validator address
    #[arg(long, value_name = "FILE")]
    new_private_key: PathBuf,

    #[command(flatten)]
    submit: ValidatorTransactionArgs,
}

impl TransferValidatorOwnership {
    async fn run(self) -> eyre::Result<()> {
        let provider = self.submit.provider().await?;

        let new_signer = key_from_file(&self.new_private_key).wrap_err_with(|| {
            format!(
                "failed reading private key from file `{}`",
                self.new_private_key.display()
            )
        })?;

        let new_validator_address = new_signer.address();

        let validator = read_validator_from_contract(&provider, self.id).await?;

        let call = IValidatorConfigV2::transferValidatorOwnershipCall {
            idx: validator.index,
            newAddress: new_validator_address,
        };

        self.submit.call(&call).await?;
        Ok(())
    }
}

#[derive(Debug, clap::Args)]
pub struct RotateValidator {
    #[command(flatten)]
    identity: ValidatorIdentityArgs,
    #[command(flatten)]
    sig: ValidatorSignatureArgs,
    #[command(flatten)]
    submit: ValidatorTransactionArgs,
}

impl RotateValidator {
    async fn run(self) -> eyre::Result<()> {
        let provider = self.submit.provider().await?;

        let chain_id = provider
            .get_chain_id()
            .await
            .wrap_err("failed to get chain id")?;

        let config = self.identity.to_config(chain_id);

        let signature = self
            .sig
            .resolve(VALIDATOR_NS_ROTATE, &config.rotate_validator_message_hash())?;

        config
            .check_rotate_validator_signature(signature.as_ref())
            .wrap_err("rotate-validator signature check failed")?;

        let lookup = ValidatorId::Address(self.identity.validator_address);
        let validator = read_validator_from_contract(&provider, lookup).await?;

        let call = IValidatorConfigV2::rotateValidatorCall {
            idx: validator.index,
            publicKey: self.identity.public_key,
            ingress: self.identity.ingress.to_string(),
            egress: self.identity.egress.to_string(),
            signature,
        };

        self.submit.call(&call).await?;
        Ok(())
    }
}

#[derive(Debug, clap::Args)]
#[group(required = true, args = ["signing_key"])]
pub struct CreateAddValidatorSignatureArgs {
    #[command(flatten)]
    identity: ValidatorIdentityArgs,
    /// The fee recipient address
    #[arg(long, value_name = "ETHEREUM_ADDRESS")]
    fee_recipient: Address,
    /// RPC used to fetch the chain id
    #[arg(
        long,
        value_name = "RPC_URL",
        default_value = "https://rpc.presto.tempo.xyz"
    )]
    chain_id_from_rpc_url: String,
    #[command(flatten)]
    signing_key: SigningKeyArgs,
}

impl CreateAddValidatorSignatureArgs {
    async fn run(self) -> eyre::Result<()> {
        let signing_key = self.signing_key.read()?;

        let provider = ProviderBuilder::new_with_network::<TempoNetwork>()
            .connect(&self.chain_id_from_rpc_url)
            .await
            .wrap_err("failed to connect to RPC")?;

        let chain_id = provider
            .get_chain_id()
            .await
            .wrap_err("failed to get chain id")?;

        let config = self.identity.to_config(chain_id);
        let message = config.add_validator_message_hash(self.fee_recipient);

        let private_key = signing_key.into_inner();
        let signature = private_key.sign(VALIDATOR_NS_ADD, message.as_slice());
        let encoded = signature.encode();
        println!("{}", alloy_primitives::hex::encode_prefixed(encoded));
        Ok(())
    }
}

#[derive(Debug, clap::Args)]
#[group(required = true, args = ["signing_key"])]
pub struct CreateRotateValidatorSignatureArgs {
    #[command(flatten)]
    identity: ValidatorIdentityArgs,
    /// RPC used to fetch the chain id
    #[arg(
        long,
        value_name = "RPC_URL",
        default_value = "https://rpc.presto.tempo.xyz"
    )]
    chain_id_from_rpc_url: String,
    #[command(flatten)]
    signing_key: SigningKeyArgs,
}

impl CreateRotateValidatorSignatureArgs {
    async fn run(self) -> eyre::Result<()> {
        let signing_key = self.signing_key.read()?;

        let provider = ProviderBuilder::new_with_network::<TempoNetwork>()
            .connect(&self.chain_id_from_rpc_url)
            .await
            .wrap_err("failed to connect to RPC")?;

        let chain_id = provider
            .get_chain_id()
            .await
            .wrap_err("failed to get chain id")?;

        let config = self.identity.to_config(chain_id);
        let message = config.rotate_validator_message_hash();

        let private_key = signing_key.into_inner();
        let signature = private_key.sign(VALIDATOR_NS_ROTATE, message.as_slice());
        let encoded = signature.encode();
        println!("{}", alloy_primitives::hex::encode_prefixed(encoded));
        Ok(())
    }
}

#[derive(Debug, clap::Args)]
pub struct SetValidatorIpAddress {
    /// Validator ethereum address, ed25519 public key, or index
    #[arg()]
    id: ValidatorId,
    /// The inbound address for the validator.
    #[arg(long, value_name = "IP:PORT")]
    ingress: Option<SocketAddr>,
    /// The outbound address for the validator.
    #[arg(long, value_name = "IP")]
    egress: Option<IpAddr>,

    #[command(flatten)]
    submit: ValidatorTransactionArgs,
}

impl SetValidatorIpAddress {
    async fn run(self) -> eyre::Result<()> {
        let provider = self.submit.provider().await?;

        if self.ingress.is_none() && self.egress.is_none() {
            return Err(eyre!("at least one of --ingress or --egress must be set"));
        }

        let validator = read_validator_from_contract(&provider, self.id).await?;

        let call = IValidatorConfigV2::setIpAddressesCall {
            idx: validator.index,
            ingress: self.ingress.map_or(validator.ingress, |v| v.to_string()),
            egress: self.egress.map_or(validator.egress, |v| v.to_string()),
        };

        self.submit.call(&call).await?;
        Ok(())
    }
}

#[derive(Debug, clap::Args)]
pub struct DeactivateValidator {
    /// Validator ethereum address, ed25519 public key, or index
    #[arg()]
    id: ValidatorId,

    #[command(flatten)]
    submit: ValidatorTransactionArgs,
}

impl DeactivateValidator {
    async fn run(self) -> eyre::Result<()> {
        let provider = self.submit.provider().await?;

        let validator = read_validator_from_contract(&provider, self.id).await?;

        let call = IValidatorConfigV2::deactivateValidatorCall {
            idx: validator.index,
        };

        self.submit.call(&call).await?;
        Ok(())
    }
}

#[derive(Debug, clap::Args)]
pub struct SetValidatorFeeRecipient {
    /// Validator ethereum address, ed25519 public key, or index
    #[arg()]
    id: ValidatorId,
    /// The fee recipient address
    #[arg(long, value_name = "ETHEREUM_ADDRESS")]
    fee_recipient: Address,

    #[command(flatten)]
    submit: ValidatorTransactionArgs,
}

impl SetValidatorFeeRecipient {
    async fn run(self) -> eyre::Result<()> {
        let provider = self.submit.provider().await?;
        let validator = read_validator_from_contract(&provider, self.id).await?;

        let call = IValidatorConfigV2::setFeeRecipientCall {
            idx: validator.index,
            feeRecipient: self.fee_recipient,
        };

        self.submit.call(&call).await?;
        Ok(())
    }
}

#[derive(Debug, clap::Args)]
pub struct GenerateSigningKey {
    /// Destination of the generated signing key.
    #[arg(long, short, value_name = "FILE")]
    output: PathBuf,

    /// Passphrase source for encrypting the generated signing key.
    ///
    /// A FIFO path, including shell process substitution like `<(...)`, is preferred.
    /// If omitted, the signing key is written unencrypted for compatibility.
    #[arg(long, value_name = "PATH")]
    secret: Option<PathBuf>,

    /// Whether to override `output`, if it already exists.
    #[arg(long, short)]
    force: bool,
}

impl GenerateSigningKey {
    fn run(self) -> eyre::Result<()> {
        let Self {
            output,
            secret,
            force,
        } = self;
        let signing_key = PrivateKey::random(&mut rand_08::thread_rng());
        let public_key = signing_key.public_key();
        let signing_key = SigningKey::from(signing_key);
        let passphrase = secret
            .as_ref()
            .map(|secret| {
                read_secret(secret).wrap_err_with(|| {
                    format!(
                        "failed reading signing-key encryption passphrase from `{}`",
                        secret.display()
                    )
                })
            })
            .transpose()?;

        if passphrase.is_none() {
            warn_unencrypted_signing_key_deprecation();
        }

        OpenOptions::new()
            .write(true)
            .create_new(!force)
            .create(force)
            .truncate(force)
            .open(&output)
            .map_err(Report::new)
            .and_then(|f| match passphrase {
                Some(passphrase) => signing_key
                    .write_encrypted(f, passphrase)
                    .map_err(Report::new),
                None => signing_key.to_writer_unencrypted(f).map_err(Report::new),
            })
            .wrap_err_with(|| format!("failed writing signing key to `{}`", output.display()))?;
        eprintln!(
            "wrote signing key to: {}\npublic key: {public_key}",
            output.display()
        );

        Ok(())
    }
}

fn warn_unencrypted_signing_key_deprecation() {
    eprintln!(
        "\
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: generated consensus signing key will be written UNENCRYPTED.
This compatibility mode is deprecated and will be removed in a future release.
Pass `--secret <PATH>` (preferably a FIFO, for example `--secret <(cmd)`) to encrypt the key at rest.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
    );
}

fn read_secret<P: AsRef<Path>>(path: P) -> eyre::Result<SigningKeyPassphrase> {
    let path = path.as_ref();
    let (passphrase, is_fifo) =
        tempo_consensus_config::read_secret(path).wrap_err("failed reading from secret path")?;
    if !is_fifo {
        eprintln!(
            "WARNING: signing-key passphrase was read from a non-FIFO path `{}`; prefer a FIFO to avoid persisting the passphrase on disk.",
            path.display()
        );
    }
    Ok(passphrase)
}

fn read_signing_key<P1: AsRef<Path>, P2: AsRef<Path>>(
    key_path: P1,
    secret_path: Option<P2>,
) -> eyre::Result<SigningKey> {
    let key_path = key_path.as_ref();
    match secret_path.as_ref().map(AsRef::<Path>::as_ref) {
        Some(secret_path) => {
            let passphrase = read_secret(secret_path).wrap_err_with(|| {
                format!(
                    "failed reading signing-key passphrase from `{}`",
                    secret_path.display()
                )
            })?;

            SigningKey::read_from_file_encrypted(key_path, passphrase).wrap_err_with(|| {
                format!(
                    "failed decrypting signing key from `{}`",
                    key_path.display()
                )
            })
        }
        None => SigningKey::read_from_file_unencrypted(key_path)
            .wrap_err_with(|| format!("failed reading signing key from `{}`", key_path.display())),
    }
}

#[derive(Debug, clap::Args)]
pub struct EncryptSigningKey {
    /// Existing plaintext ed25519 signing key file.
    #[arg(long, short, value_name = "FILE")]
    input: PathBuf,

    /// Destination for the passphrase-encrypted signing key.
    #[arg(long, short, value_name = "FILE")]
    output: PathBuf,

    /// Passphrase source. A FIFO path, including shell process substitution like `<(...)`, is preferred.
    #[arg(long, value_name = "PATH")]
    secret: PathBuf,

    /// Whether to override `output`, if it already exists.
    #[arg(long, short)]
    force: bool,
}

impl EncryptSigningKey {
    fn run(self) -> eyre::Result<()> {
        let Self {
            input,
            output,
            secret,
            force,
        } = self;

        let signing_key = SigningKey::read_from_file_unencrypted(&input).wrap_err_with(|| {
            format!(
                "failed reading plaintext signing key from `{}`",
                input.display()
            )
        })?;
        let passphrase = read_secret(&secret).wrap_err_with(|| {
            format!(
                "failed reading signing-key encryption passphrase from `{}`",
                secret.display()
            )
        })?;

        OpenOptions::new()
            .write(true)
            .create_new(!force)
            .create(force)
            .truncate(force)
            .open(&output)
            .map_err(Report::new)
            .and_then(|f| {
                signing_key
                    .write_encrypted(f, passphrase)
                    .map_err(Report::new)
            })
            .wrap_err_with(|| {
                format!(
                    "failed writing encrypted signing key to `{}`",
                    output.display()
                )
            })?;

        eprintln!("wrote encrypted signing key to: {}", output.display());
        Ok(())
    }
}

#[derive(Debug, clap::Args)]
pub struct ShowVerificationKey {
    /// Signing key to show the verification key for.
    #[arg(long, short, value_name = "FILE")]
    private_key: PathBuf,

    /// Passphrase source for decrypting the signing key.
    ///
    /// A FIFO path, including shell process substitution like `<(...)`, is preferred.
    /// If omitted, the signing key is read as plaintext hex.
    #[arg(long, value_name = "PATH")]
    secret: Option<PathBuf>,
}

impl ShowVerificationKey {
    fn run(self) -> eyre::Result<()> {
        let Self {
            private_key,
            secret,
        } = self;
        let private_key = read_signing_key(&private_key, secret.as_deref())?;

        let validating_key = private_key.public_key();
        println!("public key: {validating_key}");
        Ok(())
    }
}

#[derive(Debug, clap::Args)]
pub struct ValidatorInfo {
    /// Validator ethereum address, ed25519 public key, or index
    #[arg()]
    id: ValidatorId,

    /// RPC URL to query.
    #[arg(long, default_value = "https://rpc.presto.tempo.xyz")]
    rpc_url: String,

    /// Chain spec override for local/unknown chains (mainnet, testnet, moderato, or path to
    /// chainspec file). Resolved automatically from the RPC chain id when omitted.
    #[arg(long, short, value_parser = tempo_chainspec::spec::chain_value_parser)]
    chain: Option<Arc<TempoChainSpec>>,

    /// Skip crosschecking the validator with the last DKG round.
    #[arg(long)]
    no_dkg_information: bool,
}

#[derive(Debug, Serialize)]
struct ValidatorOutput {
    #[serde(skip_serializing_if = "Option::is_none")]
    is_dkg_player: Option<bool>,
    #[serde(skip_serializing_if = "Option::is_none")]
    is_dkg_dealer: Option<bool>,
    #[serde(skip_serializing_if = "Option::is_none")]
    in_committee: Option<bool>,

    #[serde(flatten)]
    validator: Validator,
}

/// Output for the single-validator lookup enriched with DKG role and epoch context.
#[derive(Debug, Serialize)]
struct ValidatorInfoOutput {
    current_epoch: u64,
    current_height: u64,
    #[serde(flatten)]
    validator: ValidatorOutput,
}

impl ValidatorInfo {
    async fn run(self) -> eyre::Result<()> {
        let provider = ProviderBuilder::new_with_network::<TempoNetwork>()
            .connect(&self.rpc_url)
            .await
            .wrap_err("failed to connect to RPC")?;

        let chain_id = provider
            .get_chain_id()
            .await
            .wrap_err("failed to get chain id")?;

        let chain = match self.chain {
            Some(chain) => {
                let spec_chain_id = chain.chain().id();
                if spec_chain_id != chain_id {
                    eprintln!(
                        "warning: --chain spec has chain id {spec_chain_id} but RPC returned {chain_id}"
                    );
                }
                chain
            }
            None => tempo_chainspec::spec::chainspec_from_chain_id(chain_id)
                .ok_or_else(|| eyre!("unknown chain id {chain_id}, pass --chain explicitly"))?,
        };

        let epoch_length = chain
            .info
            .epoch_length()
            .ok_or_eyre("epochLength not found in chainspec")?;

        let validator = read_validator_from_contract(&provider, self.id).await?;
        let pubkey_bytes = validator.publicKey.0;

        let latest_block_number = provider
            .get_block_number()
            .await
            .wrap_err("failed to get latest block number")?;

        let epoch_strategy = FixedEpocher::new(NZU64!(epoch_length));
        let current_height = Height::new(latest_block_number);
        let current_epoch_info = epoch_strategy
            .containing(current_height)
            .ok_or_else(|| eyre!("failed to determine epoch for height {latest_block_number}"))?;
        let current_epoch = current_epoch_info.epoch();

        let mut is_dkg_dealer = None;
        let mut is_dkg_player = None;
        let mut in_committee = None;

        if !self.no_dkg_information {
            use alloy_consensus::BlockHeader;

            let boundary_height = current_epoch
                .previous()
                .map(|epoch| epoch_strategy.last(epoch).expect("valid epoch"))
                .unwrap_or_default();

            let boundary_block = provider
                .get_block_by_number(boundary_height.get().into())
                .hashes()
                .await
                .wrap_err_with(|| {
                    format!(
                        "failed to get block header at height {}",
                        boundary_height.get()
                    )
                })?
                .ok_or_eyre("boundary block not found")?;

            let extra_data = boundary_block.header.extra_data();
            if extra_data.is_empty() {
                return Err(eyre!(
                    "boundary block at height {} has no DKG outcome in extra_data",
                    boundary_height.get()
                ));
            }

            let dkg_outcome = OnchainDkgOutcome::read(&mut extra_data.as_ref())
                .wrap_err("failed to decode DKG outcome from extra_data")?;

            let key = PublicKey::decode(&mut &pubkey_bytes[..])
                .wrap_err("failed decoding on-chain ed25519 key")?;

            let committee = dkg_outcome.players().position(&key).is_some();
            is_dkg_dealer = Some(committee);
            is_dkg_player = Some(dkg_outcome.next_players().position(&key).is_some());
            in_committee = Some(committee);
        }

        let output = ValidatorInfoOutput {
            current_epoch: current_epoch.get(),
            current_height: current_height.get(),
            validator: ValidatorOutput {
                validator,
                is_dkg_dealer,
                is_dkg_player,
                in_committee,
            },
        };

        println!("{}", serde_json::to_string_pretty(&output)?);
        Ok(())
    }
}

/// Validator info output structure
#[derive(Debug, Serialize)]
struct InfoOutput {
    /// The current epoch (at the time of query)
    current_epoch: u64,
    /// The current height (at the time of query)
    current_height: u64,
    // The boundary height from which the DKG outcome was read
    last_boundary: u64,
    // The epoch length as set in the chain spec
    epoch_length: u64,
    /// Whether this is a full DKG (new polynomial) or reshare
    is_next_full_dkg: bool,
    /// The epoch at which the next full DKG ceremony will be triggered (from contract)
    next_full_dkg_epoch: u64,
    /// List of validators participating in the DKG
    validators: Vec<ValidatorOutput>,
}

#[derive(Debug, clap::Args)]
pub struct Info {
    /// RPC URL to query. Defaults to <https://rpc.presto.tempo.xyz>
    #[arg(long, default_value = "https://rpc.presto.tempo.xyz")]
    rpc_url: String,

    /// Chain spec override for local/unknown chains (mainnet, testnet, moderato, or path to
    /// chainspec file). Resolved automatically from the RPC chain id when omitted.
    #[arg(long, short, value_parser = tempo_chainspec::spec::chain_value_parser)]
    chain: Option<Arc<TempoChainSpec>>,
}

impl Info {
    async fn run(self) -> eyre::Result<()> {
        use alloy_consensus::BlockHeader;
        use alloy_provider::ProviderBuilder;

        let provider = ProviderBuilder::new_with_network::<TempoNetwork>()
            .connect(&self.rpc_url)
            .await
            .wrap_err("failed to connect to RPC")?;

        let chain_id = provider
            .get_chain_id()
            .await
            .wrap_err("failed to get chain id")?;

        let chain = match self.chain {
            Some(chain) => {
                let spec_chain_id = chain.chain().id();
                if spec_chain_id != chain_id {
                    eprintln!(
                        "warning: --chain spec has chain id {spec_chain_id} but RPC returned {chain_id}"
                    );
                }
                chain
            }
            None => tempo_chainspec::spec::chainspec_from_chain_id(chain_id)
                .ok_or_else(|| eyre!("unknown chain id {chain_id}, pass --chain explicitly"))?,
        };

        let epoch_length = chain
            .info
            .epoch_length()
            .ok_or_eyre("epochLength not found in chainspec")?;

        let latest_block_number = provider
            .get_block_number()
            .await
            .wrap_err("failed to get latest block number")?;

        let epoch_strategy = FixedEpocher::new(NZU64!(epoch_length));
        let current_height = Height::new(latest_block_number);
        let current_epoch_info = epoch_strategy
            .containing(current_height)
            .ok_or_else(|| eyre!("failed to determine epoch for height {latest_block_number}"))?;

        let current_epoch = current_epoch_info.epoch();
        let boundary_height = current_epoch
            .previous()
            .map(|epoch| epoch_strategy.last(epoch).expect("valid epoch"))
            .unwrap_or_default();

        let boundary_block = provider
            .get_block_by_number(boundary_height.get().into())
            .hashes()
            .await
            .wrap_err_with(|| {
                format!(
                    "failed to get block header at height {}",
                    boundary_height.get()
                )
            })?
            .ok_or_eyre("boundary block not found")?;

        let extra_data = boundary_block.header.extra_data();
        if extra_data.is_empty() {
            return Err(eyre!(
                "boundary block at height {} has no DKG outcome in extra_data",
                boundary_height.get()
            ));
        }

        let dkg_outcome = OnchainDkgOutcome::read(&mut extra_data.as_ref())
            .wrap_err("failed to decode DKG outcome from extra_data")?;

        let next_dkg_result = provider
            .call(
                TransactionRequest::default()
                    .to(VALIDATOR_CONFIG_V2_ADDRESS)
                    .input(
                        IValidatorConfigV2::getNextNetworkIdentityRotationEpochCall {}
                            .abi_encode()
                            .into(),
                    )
                    .into(),
            )
            .number(latest_block_number)
            .await
            .wrap_err("failed to call getNextNetworkIdentityRotationEpoch")?;

        let next_full_dkg_epoch =
            IValidatorConfigV2::getNextNetworkIdentityRotationEpochCall::abi_decode_returns(
                &next_dkg_result,
            )
            .wrap_err("failed to decode getNextNetworkIdentityRotationEpoch response")?;

        let active_validators_result = provider
            .call(
                TransactionRequest::default()
                    .to(VALIDATOR_CONFIG_V2_ADDRESS)
                    .input(
                        IValidatorConfigV2::getActiveValidatorsCall {}
                            .abi_encode()
                            .into(),
                    )
                    .into(),
            )
            .number(latest_block_number)
            .await
            .wrap_err("failed to call getActiveValidators")?;

        let active_validators = IValidatorConfigV2::getActiveValidatorsCall::abi_decode_returns(
            &active_validators_result,
        )
        .wrap_err("failed to decode getActiveValidators response")?;

        let active_validators_by_public_key = active_validators
            .into_iter()
            .map(|v| (v.publicKey, v))
            .collect::<std::collections::BTreeMap<_, _>>();

        let players = dkg_outcome.players();
        let next_players = dkg_outcome.next_players();
        let dkg_players = ordered::Set::from_iter_dedup(players.iter().chain(next_players));

        // Add validators that are active onchain
        let mut validators_by_public_key = active_validators_by_public_key.clone();

        // Add validators that are in the dkg outcome but no longer active onchain
        for public_key in dkg_players {
            let key = B256::from_slice(public_key.as_ref());
            if let std::collections::btree_map::Entry::Vacant(e) =
                validators_by_public_key.entry(key)
            {
                let id = ValidatorId::PublicKey(key);
                match read_validator_from_contract(&provider, id).await {
                    Ok(v) => _ = e.insert(v),
                    Err(e) => eprintln!("failed to lookup validator {}: {e}", key.encode_hex()),
                }
            }
        }

        let mut validators: Vec<ValidatorOutput> = Vec::new();
        for (key, validator) in validators_by_public_key {
            let public_key = match PublicKey::decode(key.as_ref()) {
                Ok(key) => key,
                Err(e) => {
                    let index = validator.index;
                    eprintln!("invalid ed25519 public key found on validator index {index}: {e}",);
                    continue;
                }
            };

            validators.push(ValidatorOutput {
                validator,
                is_dkg_dealer: Some(players.position(&public_key).is_some()),
                is_dkg_player: Some(next_players.position(&public_key).is_some()),
                in_committee: Some(players.position(&public_key).is_some()),
            })
        }

        let output = InfoOutput {
            validators,
            current_epoch: current_epoch.get(),
            current_height: current_height.get(),
            last_boundary: boundary_height.get(),
            epoch_length,
            is_next_full_dkg: dkg_outcome.is_next_full_dkg,
            next_full_dkg_epoch,
        };

        println!("{}", serde_json::to_string_pretty(&output)?);
        Ok(())
    }
}

fn key_from_file<P: AsRef<Path>>(p: P) -> eyre::Result<PrivateKeySigner> {
    let raw = std::fs::read(p).wrap_err("failed reading key from file")?;
    let bytes = alloy::hex::decode(&raw).wrap_err("failed decoding file contents from hex")?;
    PrivateKeySigner::from_slice(&bytes)
        .wrap_err("failed converting file decoded hex bytes to private key")
}

#[cfg(test)]
mod tests {
    use super::*;
    use clap::Parser;
    use reth_ethereum_cli::Cli;
    use reth_rpc_server_types::{RethRpcModule, RpcModuleSelection, RpcModuleValidator};
    use tempo_chainspec::spec::TempoChainSpecParser;

    type TempoCli = Cli<
        TempoChainSpecParser,
        crate::TempoArgs,
        crate::TempoRpcModuleValidator,
        TempoSubcommand,
    >;

    const TEST_VALIDATOR_ADDRESS: &str = "0x0000000000000000000000000000000000000001";
    const TEST_FEE_RECIPIENT: &str = "0x0000000000000000000000000000000000000002";
    const TEST_PUBLIC_KEY: &str =
        "0x1111111111111111111111111111111111111111111111111111111111111111";
    const TEST_SIGNATURE: &str = "0x11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111";
    const TEST_INGRESS: &str = "127.0.0.1:8000";
    const TEST_EGRESS: &str = "127.0.0.1";

    #[test]
    fn parse_p2p_proxy_defaults() {
        let cli = TempoCli::try_parse_from([
            "tempo",
            "p2p-proxy",
            "--rpc-url",
            "https://rpc.moderato.tempo.xyz",
        ])
        .unwrap();

        assert!(matches!(
            cli.command,
            reth_ethereum::cli::Commands::Ext(TempoSubcommand::P2pProxy(_))
        ));
    }

    #[test]
    fn parse_p2p_proxy_all_args() {
        let cli = TempoCli::try_parse_from([
            "tempo",
            "p2p-proxy",
            "--rpc-url",
            "ws://localhost:8546",
            "--chain",
            "moderato",
            "--port",
            "9999",
            "--discovery-port",
            "9998",
            "--max-inbound",
            "50",
            "--max-concurrent-inbound",
            "10",
            "--cache-blocks",
            "1000",
            "--p2p-secret-key",
            "/tmp/test-enode.key",
        ])
        .unwrap();

        assert!(matches!(
            cli.command,
            reth_ethereum::cli::Commands::Ext(TempoSubcommand::P2pProxy(_))
        ));
    }

    #[test]
    fn parse_p2p_proxy_missing_rpc_url_fails() {
        let result = TempoCli::try_parse_from(["tempo", "p2p-proxy"]);
        assert!(result.is_err());
    }

    #[test]
    fn parse_encrypt_signing_key() {
        let cli = TempoCli::try_parse_from([
            "tempo",
            "consensus",
            "encrypt-signing-key",
            "--input",
            "/tmp/signing.key",
            "--output",
            "/tmp/signing.key.age",
            "--secret",
            "/dev/fd/11",
        ])
        .unwrap();

        let EncryptSigningKey {
            input,
            output,
            secret,
            force,
        } = match cli.command {
            reth_ethereum::cli::Commands::Ext(TempoSubcommand::Consensus(
                ConsensusSubcommand::EncryptSigningKey(cmd),
            )) => cmd,
            other => panic!("expected variant EncryptSigningKey, got `{other:?}`"),
        };
        assert_eq!(&input, "/tmp/signing.key");
        assert_eq!(&output, "/tmp/signing.key.age");
        assert_eq!(&secret, "/dev/fd/11");
        assert!(!force);
    }

    #[test]
    fn parse_show_verification_key_with_secret() {
        assert_parse_show_verification_key("show-verification-key");
    }

    #[test]
    fn parse_calculate_public_key_alias_with_secret() {
        assert_parse_show_verification_key("calculate-public-key");
    }

    #[track_caller]
    fn assert_parse_show_verification_key(command: &str) {
        let cli = TempoCli::try_parse_from([
            "tempo",
            "consensus",
            command,
            "--private-key",
            "/tmp/signing.key.age",
            "--secret",
            "/dev/fd/11",
        ])
        .unwrap();

        let ShowVerificationKey {
            private_key,
            secret,
        } = match cli.command {
            reth_ethereum::cli::Commands::Ext(TempoSubcommand::Consensus(
                ConsensusSubcommand::ShowVerificationKey(cmd),
            )) => cmd,
            other => panic!("expected ShowVerificationKey, got `{other:?}`"),
        };
        assert_eq!(&private_key, "/tmp/signing.key.age");
        assert_eq!(&secret.unwrap(), "/dev/fd/11");
    }

    #[test]
    fn parse_generate_signing_key_command() {
        assert_parse_generate_signing_key("generate-signing-key");
    }

    #[test]
    fn parse_generate_private_key_alias() {
        assert_parse_generate_signing_key("generate-private-key");
    }

    #[test]
    fn parse_generate_signing_key_with_secret() {
        let cli = TempoCli::try_parse_from([
            "tempo",
            "consensus",
            "generate-signing-key",
            "--output",
            "/tmp/signing.key",
            "--secret",
            "/dev/fd/11",
        ])
        .unwrap();

        let GenerateSigningKey {
            output,
            secret,
            force,
        } = match cli.command {
            reth_ethereum::cli::Commands::Ext(TempoSubcommand::Consensus(
                ConsensusSubcommand::GenerateSigningKey(cmd),
            )) => cmd,
            other => panic!("expected GenerateSigningKey, got `{other:?}`"),
        };
        assert!(!force);
        assert_eq!(&output, "/tmp/signing.key");
        assert_eq!(&secret.unwrap(), "/dev/fd/11");
    }

    #[track_caller]
    fn assert_parse_generate_signing_key(command: &str) {
        let cli = TempoCli::try_parse_from([
            "tempo",
            "consensus",
            command,
            "--output",
            "/tmp/signing.key",
        ])
        .unwrap();

        let GenerateSigningKey { output, .. } = match cli.command {
            reth_ethereum::cli::Commands::Ext(TempoSubcommand::Consensus(
                ConsensusSubcommand::GenerateSigningKey(cmd),
            )) => cmd,
            other => panic!("expected GenerateSigningKey, got `{other:?}`"),
        };
        assert_eq!(&output, "/tmp/signing.key");
    }

    #[test]
    fn parse_create_add_validator_signature_with_secret() {
        let cli = TempoCli::try_parse_from([
            "tempo",
            "consensus",
            "create-add-validator-signature",
            "--validator-address",
            TEST_VALIDATOR_ADDRESS,
            "--consensus.public-key",
            TEST_PUBLIC_KEY,
            "--ingress",
            TEST_INGRESS,
            "--egress",
            TEST_EGRESS,
            "--fee-recipient",
            TEST_FEE_RECIPIENT,
            "--signing-key",
            "/tmp/signing.key.age",
            "--secret",
            "/dev/fd/11",
        ])
        .unwrap();

        let CreateAddValidatorSignatureArgs { signing_key, .. } = match cli.command {
            reth_ethereum::cli::Commands::Ext(TempoSubcommand::Consensus(
                ConsensusSubcommand::CreateAddValidatorSignature(cmd),
            )) => cmd,
            other => panic!("expected CreateAddValidatorSignature, got `{other:?}`"),
        };
        assert_eq!(&signing_key.signing_key, "/tmp/signing.key.age");
        assert_eq!(&signing_key.secret.unwrap(), "/dev/fd/11");
    }

    #[test]
    fn parse_create_rotate_validator_signature_with_secret() {
        let cli = TempoCli::try_parse_from([
            "tempo",
            "consensus",
            "create-rotate-validator-signature",
            "--validator-address",
            TEST_VALIDATOR_ADDRESS,
            "--consensus.public-key",
            TEST_PUBLIC_KEY,
            "--ingress",
            TEST_INGRESS,
            "--egress",
            TEST_EGRESS,
            "--signing-key",
            "/tmp/signing.key.age",
            "--secret",
            "/dev/fd/11",
        ])
        .unwrap();

        let CreateRotateValidatorSignatureArgs { signing_key, .. } = match cli.command {
            reth_ethereum::cli::Commands::Ext(TempoSubcommand::Consensus(
                ConsensusSubcommand::CreateRotateValidatorSignature(cmd),
            )) => cmd,
            other => panic!("expected CreateRotateValidatorSignature, got `{other:?}`"),
        };
        assert_eq!(&signing_key.signing_key, "/tmp/signing.key.age");
        assert_eq!(&signing_key.secret.unwrap(), "/dev/fd/11");
    }

    #[test]
    fn parse_add_validator_with_signature_does_not_require_signing_key() {
        let cli = TempoCli::try_parse_from([
            "tempo",
            "consensus",
            "add-validator",
            "--validator-address",
            TEST_VALIDATOR_ADDRESS,
            "--consensus.public-key",
            TEST_PUBLIC_KEY,
            "--ingress",
            TEST_INGRESS,
            "--egress",
            TEST_EGRESS,
            "--fee-recipient",
            TEST_FEE_RECIPIENT,
            "--signature",
            TEST_SIGNATURE,
        ])
        .unwrap();

        let AddValidator { sig, .. } = match cli.command {
            reth_ethereum::cli::Commands::Ext(TempoSubcommand::Consensus(
                ConsensusSubcommand::AddValidator(cmd),
            )) => cmd,
            other => panic!("expected AddValidator, got `{other:?}`"),
        };
        assert!(sig.signing_key.is_none());
    }

    #[test]
    fn parse_add_validator_rejects_signature_and_signing_key() {
        let err = TempoCli::try_parse_from([
            "tempo",
            "consensus",
            "add-validator",
            "--validator-address",
            TEST_VALIDATOR_ADDRESS,
            "--consensus.public-key",
            TEST_PUBLIC_KEY,
            "--ingress",
            TEST_INGRESS,
            "--egress",
            TEST_EGRESS,
            "--fee-recipient",
            TEST_FEE_RECIPIENT,
            "--signature",
            TEST_SIGNATURE,
            "--signing-key",
            "/tmp/signing.key.age",
        ])
        .unwrap_err();

        assert_eq!(err.kind(), clap::error::ErrorKind::ArgumentConflict);
    }

    #[test]
    fn parse_add_validator_with_consensus_signing_key_secret() {
        let cli = TempoCli::try_parse_from([
            "tempo",
            "consensus",
            "add-validator",
            "--validator-address",
            TEST_VALIDATOR_ADDRESS,
            "--consensus.public-key",
            TEST_PUBLIC_KEY,
            "--ingress",
            TEST_INGRESS,
            "--egress",
            TEST_EGRESS,
            "--fee-recipient",
            TEST_FEE_RECIPIENT,
            "--consensus.signing-key",
            "/tmp/signing.key.age",
            "--consensus.secret",
            "/dev/fd/11",
        ])
        .unwrap();

        let AddValidator { sig, .. } = match cli.command {
            reth_ethereum::cli::Commands::Ext(TempoSubcommand::Consensus(
                ConsensusSubcommand::AddValidator(cmd),
            )) => cmd,
            other => panic!("expected AddValidator, got `{other:?}`"),
        };
        let signing_key = sig.signing_key.unwrap();
        assert_eq!(&signing_key.signing_key, "/tmp/signing.key.age");
        assert_eq!(&signing_key.secret.unwrap(), "/dev/fd/11");
    }

    #[test]
    fn parse_rotate_validator_with_consensus_signing_key_secret() {
        let cli = TempoCli::try_parse_from([
            "tempo",
            "consensus",
            "rotate-validator",
            "--validator-address",
            TEST_VALIDATOR_ADDRESS,
            "--consensus.public-key",
            TEST_PUBLIC_KEY,
            "--ingress",
            TEST_INGRESS,
            "--egress",
            TEST_EGRESS,
            "--consensus.signing-key",
            "/tmp/signing.key.age",
            "--consensus.secret",
            "/dev/fd/11",
        ])
        .unwrap();

        let RotateValidator { sig, .. } = match cli.command {
            reth_ethereum::cli::Commands::Ext(TempoSubcommand::Consensus(
                ConsensusSubcommand::RotateValidator(cmd),
            )) => cmd,
            other => panic!("expected RotateValidator, got `{other:?}`"),
        };
        let signing_key = sig.signing_key.unwrap();
        assert_eq!(&signing_key.signing_key, "/tmp/signing.key.age");
        assert_eq!(&signing_key.secret.unwrap(), "/dev/fd/11");
    }

    #[test]
    fn tempo_rpc_module_validator_allows_tempo_custom_modules() {
        for module in ["consensus", "operator", "tempo", "token"] {
            let selection = crate::TempoRpcModuleValidator::parse_selection(module).unwrap();

            assert_eq!(
                selection,
                RpcModuleSelection::from([RethRpcModule::Other(module.to_string())])
            );
        }
    }

    #[test]
    fn tempo_rpc_module_validator_rejects_unknown_modules() {
        let err = crate::TempoRpcModuleValidator::parse_selection("not-a-real-module").unwrap_err();

        assert!(err.contains("Unknown RPC module: 'not-a-real-module'"));
    }
}