feat: high-availability validator signer

Fixes [A-352](https://linear.app/aztec-labs/issue/A-352/add-postgresql-integration-for-recording-signed-duties) [A-353](https://linear.app/aztec-labs/issue/A-353/implement-core-slash-protection-logic)

Introduces High-Availability validator signer. The signer uses a Postgres DB that will be used by multiple sequencer nodes, running with the same set of validator keys, in order to ensure that only one payload per duty is signed.

Author: spypsy

yarn-project/foundation/src/config/env_var.ts

@@ -313,4 +313,14 @@ export type EnvVar =
   | 'FISHERMAN_MODE'
   | 'MAX_ALLOWED_ETH_CLIENT_DRIFT_SECONDS'
   | 'LEGACY_BLS_CLI'
-  | 'DEBUG_FORCE_TX_PROOF_VERIFICATION';
+  | 'DEBUG_FORCE_TX_PROOF_VERIFICATION'
+  | 'SLASHING_PROTECTION_NODE_ID'
+  | 'SLASHING_PROTECTION_POLLING_INTERVAL_MS'
+  | 'SLASHING_PROTECTION_SIGNING_TIMEOUT_MS'
+  | 'SLASHING_PROTECTION_ENABLED'
+  | 'VALIDATOR_HA_DATABASE_URL'
+  | 'VALIDATOR_HA_RUN_MIGRATIONS'
+  | 'VALIDATOR_HA_POOL_MAX'
+  | 'VALIDATOR_HA_POOL_MIN'
+  | 'VALIDATOR_HA_POOL_IDLE_TIMEOUT_MS'
+  | 'VALIDATOR_HA_POOL_CONNECTION_TIMEOUT_MS';

yarn-project/package.json

@@ -61,6 +61,7 @@
     "txe",
     "test-wallet",
     "validator-client",
+    "validator-ha-signer",
     "wallet-sdk",
     "world-state"
   ],

yarn-project/tsconfig.json

@@ -29,6 +29,7 @@
     { "path": "aztec.js/tsconfig.json" },
     { "path": "aztec-node/tsconfig.json" },
     { "path": "validator-client/tsconfig.json" },
+    { "path": "validator-ha-signer/tsconfig.json" },
     { "path": "bb-prover/tsconfig.json" },
     { "path": "bot/tsconfig.json" },
     { "path": "constants/tsconfig.json" },

yarn-project/validator-ha-signer/MIGRATIONS.md

@@ -0,0 +1,192 @@
+# Database Migrations Guide
+
+This package uses [node-pg-migrate](https://github.com/salsita/node-pg-migrate) for managing database schema changes.
+
+## Quick Reference
+
+```bash
+# Run pending migrations
+yarn migrate:up
+
+# Rollback last migration
+yarn migrate:down
+
+# Check migration status
+DATABASE_URL=postgresql://... npx node-pg-migrate status
+```
+
+## Migration Files
+
+Migrations are located in the `migrations/` directory and are named with timestamps:
+
+```
+migrations/
+  └── 1_initial-schema.ts
+```
+
+## Creating New Migrations
+
+When you need to modify the database schema:
+
+```bash
+# Generate a new migration file
+npx node-pg-migrate create add-new-field
+
+# This creates: migrations/[timestamp]_add-new-field.ts
+```
+
+Edit the generated file:
+
+```typescript
+import type { MigrationBuilder } from 'node-pg-migrate';
+
+export async function up(pgm: MigrationBuilder): Promise<void> {
+  // Add your schema changes here
+  pgm.addColumn('validator_duties', {
+    new_field: { type: 'text', notNull: false },
+  });
+}
+
+export async function down(pgm: MigrationBuilder): Promise<void> {
+  // Reverse the changes
+  pgm.dropColumn('validator_duties', 'new_field');
+}
+```
+
+## Production Deployment
+
+### Option 1: Kubernetes Init Container
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: validator
+spec:
+  template:
+    spec:
+      initContainers:
+        - name: db-migrate
+          image: validator-image:latest
+          command: ['yarn', 'migrate:up']
+          env:
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: db-credentials
+                  key: connection-string
+      containers:
+        - name: validator
+          image: validator-image:latest
+          # ... validator config
+```
+
+### Option 2: Separate Migration Job
+
+```yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: validator-migrate-v1
+spec:
+  template:
+    spec:
+      containers:
+        - name: migrate
+          image: validator-image:latest
+          command: ['yarn', 'migrate:up']
+          env:
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: db-credentials
+                  key: connection-string
+      restartPolicy: Never
+```
+
+### Option 3: CI/CD Pipeline
+
+```yaml
+# GitHub Actions example
+- name: Run Database Migrations
+  run: |
+    export DATABASE_URL=${{ secrets.DATABASE_URL }}
+    cd yarn-project/validator-ha-signer
+    yarn migrate:up
+```
+
+## High Availability Considerations
+
+The migrations use idempotent SQL operations (`IF NOT EXISTS`, `ON CONFLICT`, etc.), making them safe to run concurrently from multiple nodes. However, for cleaner logs and faster deployments, we recommend:
+
+1. **Run migrations once** from an init container or migration job
+2. **Then start** multiple validator nodes
+
+If multiple nodes run migrations simultaneously, they will all succeed, but you'll see redundant log output.
+
+## Development Workflow
+
+```bash
+# 1. Create migration
+npx node-pg-migrate create my-feature
+
+# 2. Edit migrations/[timestamp]_my-feature.ts
+
+# 3. Test migration locally
+export DATABASE_URL=postgresql://localhost:5432/validator_dev
+yarn migrate:up
+
+# 4. Test rollback
+yarn migrate:down
+
+# 5. Re-apply
+yarn migrate:up
+
+# 6. Run tests
+yarn test
+```
+
+## Troubleshooting
+
+### Migration Failed Midway
+
+If a migration fails partway through:
+
+```bash
+# Check the current state
+DATABASE_URL=postgresql://... npx node-pg-migrate status
+
+# The failed migration will be marked as running
+# Fix the issue and re-run
+yarn migrate:up
+```
+
+### Reset Development Database
+
+```bash
+# Drop all migrations
+while yarn migrate:down; do :; done
+
+# Or drop the database entirely
+psql -c "DROP DATABASE validator_dev;"
+psql -c "CREATE DATABASE validator_dev;"
+
+# Re-run migrations
+yarn migrate:up
+```
+
+### Check Applied Migrations
+
+```bash
+# Query the migrations table
+psql $DATABASE_URL -c "SELECT * FROM pgmigrations ORDER BY id;"
+```
+
+## Migration Best Practices
+
+1. **Always provide `down()` migrations** for rollback capability
+2. **Test migrations on a copy of production data** before deploying
+3. **Make migrations backward compatible** when possible
+4. **Avoid data migrations in schema migrations** - use separate data migration scripts
+5. **Keep migrations small and focused** - one logical change per migration
+6. **Never modify committed migrations** - create a new migration instead

yarn-project/validator-ha-signer/README.md

@@ -0,0 +1,155 @@
+# Validator HA Signer
+
+Distributed locking and slashing protection for Aztec validators running in high-availability configurations.
+
+## Features
+
+- **Distributed Locking**: Prevents multiple validator nodes from signing the same duty
+- **Slashing Protection**: Blocks attempts to sign conflicting data for the same slot
+- **Automatic Retry**: Failed signing attempts are cleared, allowing other nodes to retry
+- **PostgreSQL Backend**: Shared database for coordination across nodes
+
+## Quick Start
+
+### Option 1: Automatic Migrations (Simplest)
+
+```typescript
+import { createHASigner } from '@aztec/validator-ha-signer/factory';
+
+// Migrations run automatically on startup
+const { signer, db } = await createHASigner({
+  databaseUrl: process.env.DATABASE_URL,
+  enabled: true,
+  nodeId: 'validator-node-1',
+  pollingIntervalMs: 100,
+  signingTimeoutMs: 3000,
+  runMigrations: true, // Auto-run migrations
+});
+
+// Sign with protection
+const signature = await signer.signWithProtection(
+  validatorAddress,
+  signingRoot,
+  { slot: 100n, blockNumber: 50n, dutyType: 'BLOCK_PROPOSAL' },
+  async root => localSigner.signMessage(root),
+);
+
+// Cleanup on shutdown
+await db.close();
+```
+
+### Option 2: Manual Migrations (Recommended for Production)
+
+```bash
+# 1. Run migrations separately (once per deployment)
+export DATABASE_URL=postgresql://user:pass@host:port/db
+yarn migrate:up
+```
+
+```typescript
+// 2. Create signer (migrations already applied)
+import { createHASigner } from '@aztec/validator-ha-signer/factory';
+
+const { signer, db } = await createHASigner({
+  databaseUrl: process.env.DATABASE_URL,
+  enabled: true,
+  nodeId: 'validator-node-1',
+  pollingIntervalMs: 100,
+  signingTimeoutMs: 3000,
+  // runMigrations defaults to false
+});
+```
+
+### Advanced: Manual Database Setup
+
+If you need more control over the database connection:
+
+```typescript
+import { PostgresSlashingProtectionDatabase, ValidatorHASigner } from '@aztec/validator-ha-signer';
+
+import { Pool } from 'pg';
+
+const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+const db = new PostgresSlashingProtectionDatabase(pool);
+
+const signer = new ValidatorHASigner(db, {
+  enabled: true,
+  nodeId: 'validator-node-1',
+});
+```
+
+## Configuration
+
+Set via environment variables or config object:
+
+- `DATABASE_URL`: PostgreSQL connection string (e.g., `postgresql://user:pass@host:port/db`)
+- `SLASHING_PROTECTION_NODE_ID`: Unique identifier for this validator node
+- `SLASHING_PROTECTION_POLLING_INTERVAL_MS`: How often to check duty status (default: 100)
+- `SLASHING_PROTECTION_SIGNING_TIMEOUT_MS`: Max wait for in-progress signing (default: 3000)
+
+## Database Migrations
+
+This package uses `node-pg-migrate` for database schema management.
+
+### Migration Commands
+
+```bash
+# Run pending migrations
+yarn migrate:up
+
+# Rollback last migration
+yarn migrate:down
+
+# Check migration status
+DATABASE_URL=postgresql://... npx node-pg-migrate status
+```
+
+### Creating New Migrations
+
+```bash
+# Generate a new migration file
+npx node-pg-migrate create my-migration-name
+```
+
+### Production Deployment
+
+Run migrations before starting your application:
+
+```yaml
+# Kubernetes example
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: validator-db-migrate
+spec:
+  template:
+    spec:
+      containers:
+        - name: migrate
+          image: your-validator-image
+          command: ['yarn', 'migrate:up']
+          env:
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: db-secret
+                  key: url
+      restartPolicy: OnFailure
+```
+
+## How It Works
+
+When multiple validator nodes attempt to sign:
+
+1. First node acquires lock and signs
+2. Other nodes receive `DutyAlreadySignedError` (expected)
+3. If different data detected: `SlashingProtectionError` (critical)
+4. Failed attempts are auto-cleaned, allowing retry
+
+## Development
+
+```bash
+yarn build    # Build package
+yarn test     # Run tests
+yarn clean    # Clean build artifacts
+```

yarn-project/validator-ha-signer/eslint.config.js

@@ -0,0 +1,3 @@
+import config from '@aztec/foundation/eslint';
+
+export default config;