@parity/product-deploy 0.10.0-rc.2 → 0.10.0-rc.4

package/DEPLOYMENT.md

@@ -1,124 +1,102 @@
-# Deploying your first app
+# Setting up an environment
 
-This guide walks you from zero to a deployed, viewable web app on the [Polkadot Bulletin Chain](https://github.com/paritytech/polkadot-bulletin-chain) testnet, using `bulletin-deploy`.
+This guide is for the **operator / chain admin** standing up `bulletin-deploy` against a Polkadot environment. It covers what you configure and authorize so that deploys work against *your* chain.
 
-> [!NOTE]
-> This targets a **testnet** (`paseo-next-v2`) by default. It is reference/proof-of-concept tooling — see the security notice in the [README](README.md#security).
-
-## Prerequisites
+For **using** the tool once an environment is set up — building and shipping an app — see the [README](README.md). This document is the setup side.
 
-1. **Node.js ≥ 22.**
-   ```sh
-   node --version   # must print v22 or higher
-   ```
-2. **The CLI**, installed globally:
-   ```sh
-   npm install -g bulletin-deploy
-   ```
-3. **A built static site** — a directory of static files (HTML/CSS/JS), for example `./dist`. Build your app however you normally would (`npm run build`, etc.); `bulletin-deploy` uploads the resulting directory as-is.
-4. **An identity to own the name** — choose one:
-   - **Mobile Polkadot wallet (recommended).** No mnemonic on disk; you sign in once by scanning a QR code. See [Sign in](#1-sign-in-recommended) below.
-   - **A testnet mnemonic.** Pass `--mnemonic "..."` (or set the `MNEMONIC` env var) instead of signing in.
+> [!NOTE]
+> `bulletin-deploy` is reference / proof-of-concept tooling — see the security notice in the [README](README.md#security). The defaults target Polkadot testnets.
 
-That is all you need on testnet. You do **not** need testnet funds for the recommended path: a worker account registers the name and uploads the content, then transfers ownership to your account as the final step.
+**Documentation map — read in order:**
+1. **[DEPLOYMENT.md](DEPLOYMENT.md)** (this doc) — set up `bulletin-deploy` for your environment.
+2. **[docs/bootstrap.md](docs/bootstrap.md)** — the `bulletin-bootstrap` reference (Bulletin storage authorization).
+3. **[docs/e2e-bootstrap.md](docs/e2e-bootstrap.md)** — a fully worked setup, end to end, for the E2E test environment.
 
-### Optional: IPFS / Kubo
+(Using the tool to ship an app — not setting it up — is the [README](README.md).)
 
-By default the CLI uses the [IPFS Kubo](https://docs.ipfs.tech/install/) binary to merkleize your site if it is on your `PATH`, and otherwise falls back to a pure-JavaScript implementation. You can force the pure-JS path (no binary required) with `--js-merkle`. If you see `IPFS CLI not installed`, either install Kubo or add `--js-merkle`.
+## What an "environment" is
 
-## Choosing a name
+A `bulletin-deploy` environment is three things, which it expects to already exist for your network:
 
-Apps are addressed by a DotNS name like `myapp.dot`. A few rules:
+- an **Asset Hub** (PolkaVM / `pallet-revive`) with the **DotNS** contracts deployed — names live here;
+- a **Bulletin Chain** — content (your site, chunked + content-addressed) is stored here;
+- an **IPFS gateway** — serves the stored content over HTTP.
 
-- The base label must be **at least 6 characters** (shorter labels are reserved).
-- Pick something not already registered. The CLI tells you during a deploy whether the name is available or already owned by you.
+Setup is: tell `bulletin-deploy` where those are, authorize the accounts that will write to the Bulletin Chain, and (if your DotNS gates registration) grant the registering account personhood. The steps below.
 
-## Deploy
+## 1. Define the environment
 
-### 1. Sign in (recommended)
+`bulletin-deploy` resolves environments from `environments.json`. The built-in presets ship in `assets/environments.json`:
 
 ```sh
-bulletin-deploy login    # scan the QR code with your Polkadot wallet app
-bulletin-deploy whoami   # confirm the signed-in address
+bulletin-deploy --list-environments      # list the built-in environment IDs
 ```
 
-If you would rather sign with a mnemonic, skip this and pass `--mnemonic` on the deploy command instead.
-
-### 2. Deploy your build directory
+Add your network either by adding an entry to `assets/environments.json`, or by supplying one at runtime:
 
 ```sh
-bulletin-deploy ./dist myapp.dot
-# or, without an IPFS binary installed:
-bulletin-deploy ./dist myapp.dot --js-merkle
+bulletin-deploy ./dist myapp.dot --environment-file ./my-env.json
+bulletin-deploy ./dist myapp.dot --env <id> --contract DOTNS_REGISTRAR=0x...   # override single fields
 ```
 
-The CLI will:
+An environment entry provides:
 
-1. Merkleize your directory into content-addressed chunks.
-2. Upload the chunks to the Bulletin Chain and wait for finality.
-3. Register `myapp.dot` in DotNS and point it at your content.
-4. Transfer ownership of the name to your signed-in account.
+- **Chain endpoints** — the `wss://` RPCs for at least the **bulletin** and **asset-hub** chains.
+- **DotNS contract addresses** — the contract set deployed on your Asset Hub (`DOTNS_REGISTRAR`, `POP_RULES`, the resolvers, `STORE_FACTORY`, …).
+- **`nativeToEthRatio`** — `10^(18 − native_decimals)`; e.g. a 10-decimal native token → `100000000`.
+- **`registerStorageDeposit`** — the DotNS registration deposit on your chain.
+- **`autoAccountMapping`** — whether the chain maps accounts to H160 automatically on first tx.
+- **`ipfs`** — the gateway that serves deployed content.
 
-On success it prints a summary:
+Use the `paseo-next-v2` and `summit` entries in `assets/environments.json` as worked examples to copy.
 
-```
-============================================================
-DEPLOYMENT COMPLETE!
-============================================================
-   - Polkadot Desktop: myapp.dot
-   - Polkadot Browser: https://myapp.dot.li
-```
+## 2. Authorize Bulletin storage
 
-### 3. View it
+Writing content to the Bulletin Chain requires each **storage account** to hold a `TransactionStorage` **authorization** — a quota of transactions and bytes. Storage is gated by this quota, **not by balance** (Bulletin has no fee model), so the storage accounts need no funds. `bulletin-deploy` never grants the authorization itself; the chain's **authorizer** must.
 
-- Open **`https://myapp.dot.li`** in any browser.
-- Or open **`myapp.dot`** directly in a Polkadot-aware browser/extension.
+The storage accounts are an upload **pool**, derived as `//deploy/0…N` from `BULLETIN_POOL_MNEMONIC` (default: the well-known `DEV_PHRASE`). The deploy path derives the **same** pool from that env var — so if you use a custom pool, set `BULLETIN_POOL_MNEMONIC` identically for both bootstrap and deploy, or they won't line up.
 
-## If the transfer step fails
-
-If your content uploads but the final ownership transfer fails, the name is registered by the worker and you can claim it separately:
+`bulletin-bootstrap` reports each pool account's authorization status, and — given an authorizer key — grants authorization to the ones that lack it:
 
 ```sh
-bulletin-deploy transfer myapp.dot              # → your signed-in account
-bulletin-deploy transfer myapp.dot --to 0x...   # → an explicit recipient
+bulletin-bootstrap --env <id>                        # list pool accounts + their authorization status
+bulletin-bootstrap --env <id> --authorizer "<seed>"  # grant authorization with the authorizer key
+bulletin-bootstrap --env <id> --pool-size 20         # inspect/authorize a larger pool
 ```
 
-## Choosing a different network
+On a **testnet** the authorizer defaults to `//Alice` (it holds authorization authority there), so no `--authorizer` is needed. On a **production** chain, pass `--authorizer` with the key that actually holds authorization authority — if it can't grant, the tool reports that rather than pretending. See [`docs/bootstrap.md`](docs/bootstrap.md) for the full reference.
 
-```sh
-bulletin-deploy --list-environments      # show available environment IDs
-bulletin-deploy ./dist myapp.dot --env <id>
-```
+## 3. Personhood (if your DotNS gates registration)
 
-The default is `paseo-next-v2`. Override individual fields with `--environment-file <path>` or `--contract KEY=0x...`.
+If your `POP_RULES` contract requires Proof-of-Personhood to register a base name, the **registering account** needs a PoP status granted by the `POP_RULES` owner. (NoStatus-eligible label shapes skip this — see the rules in your DotNS deployment.)
 
-## Bootstrapping your own storage pool
+- On Parity's testnets, request a grant by opening an issue on [paritytech/dotns](https://github.com/paritytech/dotns/issues).
+- On your own chain, your `POP_RULES` owner grants it out of band — `bulletin-deploy` cannot upgrade a signer.
 
-On `paseo-next-v2` and the other shared Parity testnets the upload pool is **already authorized** — you don't need to bootstrap anything to deploy. You only need this if you run your own setup: a custom pool mnemonic, your own Bulletin chain, or a testnet that was just reset (a wipe clears all authorizations).
+## 4. Fund the signing accounts
 
-Uploading content to the Bulletin Chain requires the storage account to hold a `TransactionStorage` authorization — a quota of transactions and bytes. `bulletin-deploy` never grants this itself; the account must be authorized by the chain's authorizer first. The separate `bulletin-bootstrap` CLI does that for a pool:
+The accounts that register and transfer names need a balance on your Asset Hub for DotNS fees:
 
-```sh
-bulletin-bootstrap --env <id>                 # authorize the default pool on an environment
-bulletin-bootstrap --env <id> --pool-size 20  # authorize a larger pool
-bulletin-bootstrap --mnemonic "<phrase>"      # authorize a custom pool's accounts
-```
+- **Public testnets** — use the faucet (e.g. [faucet.polkadot.io](https://faucet.polkadot.io/)).
+- **Restricted networks** — fund the accounts out of band; there is no public faucet.
+
+(These are the DotNS signing accounts on the Asset Hub — distinct from the Bulletin storage pool in step 2, which needs authorization, not funds.)
+
+## 5. Content gateway
+
+Deployed content is content-addressed (a CID) on the Bulletin Chain and served over HTTP by the IPFS gateway you set as `ipfs` in step 1. The `.dot` name resolves to that CID via DotNS. Parity's public testnets resolve a deployed name at `https://<name>.dot.li`; your environment uses whatever gateway / resolver you point it at.
+
+## 6. Verify the setup
 
-It derives the pool accounts, authorizes each one for storage, and funds them. On a testnet the authorizer is the dev account (`//Alice`); on a production chain the network's own authorizer must grant authorization — `bulletin-bootstrap` cannot self-authorize there. It's a one-time setup step, not part of a routine deploy. See [`docs/bootstrap.md`](docs/bootstrap.md) for the full operator reference.
+A **test deploy** is the real check — run one (see the [README](README.md)) and confirm it completes and resolves. Two failures map straight back to the steps above:
 
-## Signing modes, in short
+- `not authorized to upload` → the storage account lacks authorization (step 2).
+- a personhood / registration gate → the registering account needs PoP (step 3).
 
-- **Signed in (default):** a worker registers and uploads, then hands the name to your account — zero wallet signatures on testnet.
-- **`--no-transfer-to-signedin-user`:** sign every DotNS transaction with your mobile session instead.
-- **`--mnemonic "..."` / `MNEMONIC`:** use a mnemonic instead of a session.
+If you're working from a **clone of the repository** (not just the npm package), `tools/` has read-only diagnostics that take `--env <id>`: `check-bulletin-auth.mjs` (storage quotas), `check-balances.mjs` (balances + quota), `check-pop-status.mjs` (personhood), `probe-env-health.mjs` (RPC reachability). These ship with the repo, not the published package.
 
-## Troubleshooting
+A concrete, fully worked instance of this setup — for the E2E test environment — lives in [`docs/e2e-bootstrap.md`](docs/e2e-bootstrap.md).
 
-| Symptom | Cause / fix |
-|---|---|
-| `IPFS CLI not installed` | Install [Kubo](https://docs.ipfs.tech/install/), or add `--js-merkle`. |
-| Name rejected as reserved / too short | Use a base label of **6+ characters**. |
-| `Login session unavailable or expired` | Re-run `bulletin-deploy login`. |
-| Not authorized to upload | The storage account lacks a Bulletin `TransactionStorage` authorization. On `paseo-next-v2` the shared pool is already authorized; on your own setup, see [Bootstrapping your own storage pool](#bootstrapping-your-own-storage-pool). On a production chain, request authorization from the network's authorizer. |
+---
 
-For the full option reference, run `bulletin-deploy --help`.
+Once the environment is set up, day-to-day use is in the [README](README.md): build your site, `bulletin-deploy ./dist myapp.dot`, done.

package/bin/bulletin-bootstrap

@@ -13,6 +13,7 @@ const flags = {};
 for (let i = 0; i < args.length; i++) {
   if (args[i] === "--pool-size") { flags.poolSize = parseInt(args[++i], 10); }
   else if (args[i] === "--mnemonic") { flags.mnemonic = args[++i]; }
+  else if (args[i] === "--authorizer") { flags.authorizer = args[++i]; }
   else if (args[i] === "--rpc") { flags.rpc = args[++i]; }
   else if (args[i] === "--env") { flags.env = args[++i]; }
   else if (args[i] === "--version" || args[i] === "-V") { flags.version = true; }
@@ -32,17 +33,27 @@ if (flags.help) {
   console.log(`bulletin-bootstrap v${VERSION}
 
 Usage:
-  bulletin-bootstrap
+  bulletin-bootstrap [options]
+
+Reports the authorization status of each pool account and, when an authorizer
+key is available, grants authorization to any account that needs it.
+
+The Bulletin chain has no fee model — storage access is gated by TransactionStorage
+authorization quota, not account balance. This tool manages that quota.
 
 Options:
-  --mnemonic "..."  Pool root mnemonic (or set BULLETIN_POOL_MNEMONIC / MNEMONIC env var)
-  --rpc wss://...   Bulletin RPC (or set BULLETIN_RPC env var)
-  --env <id>        Load environment by id from environments.json (sets default RPC and V2 flag)
-  --pool-size N     Number of pool accounts to initialize (default: 10)
-  --version         Show version
-  --help            Show this help
-
-Initialize pool accounts for Bulletin storage authorization.`);
+  --mnemonic "..."    Pool root mnemonic used to derive pool accounts
+                      (also readable from BULLETIN_POOL_MNEMONIC or MNEMONIC env var).
+                      Default: the well-known dev phrase (same key the deploy path uses).
+  --authorizer "..."  Seed/mnemonic of the key that holds authorization authority
+                      on this chain (e.g. "//Alice", a full mnemonic, or a hex seed).
+                      On testnets, defaults to //Alice if omitted.
+                      On non-testnets, required to grant — omit to get status only.
+  --rpc wss://...     Bulletin RPC endpoint (or set BULLETIN_RPC env var)
+  --env <id>          Load environment by id from environments.json
+  --pool-size N       Number of pool accounts to check/initialize (default: 10)
+  --version           Show version
+  --help              Show this help`);
   process.exit(0);
 }
 
@@ -52,6 +63,10 @@ const mnemonic = flags.mnemonic ?? process.env.BULLETIN_POOL_MNEMONIC ?? process
 
 const bootstrapOpts = {};
 
+if (flags.authorizer) {
+  bootstrapOpts.authorizerMnemonic = flags.authorizer;
+}
+
 if (flags.env) {
   const envJsonPath = fileURLToPath(new URL("../assets/environments.json", import.meta.url));
   let envDoc;

package/dist/auth/index.js

@@ -8,12 +8,13 @@ import {
   requestResourceAllocation,
   resolveSigner,
   summarizeOutcomes
-} from "../chunk-5OKB3TEB.js";
+} from "../chunk-5FLTDWWP.js";
 import {
   renderLoginStatus,
   renderLogoutStatus,
   renderQrCode
 } from "../chunk-RIRDBSBG.js";
+import "../chunk-TSPERKUS.js";
 import "../chunk-ZOC4GITL.js";
 export {
   BULLETIN_RESOURCE,

package/dist/auth/vendor/index.js

@@ -12,7 +12,8 @@ import {
   resolveSigner,
   sessionRootPublicKey,
   summarizeOutcomes
-} from "../../chunk-5OKB3TEB.js";
+} from "../../chunk-5FLTDWWP.js";
+import "../../chunk-TSPERKUS.js";
 import "../../chunk-ZOC4GITL.js";
 export {
   BULLETIN_RESOURCE,

package/dist/auth-config.js

@@ -9,9 +9,10 @@ import {
   getPeopleChainEndpoints,
   hasPersistedSession,
   resolveBulletinEndpoints
-} from "./chunk-SXWFDMFT.js";
-import "./chunk-4D6STP5G.js";
-import "./chunk-WM5R4O33.js";
+} from "./chunk-3CUIQTSD.js";
+import "./chunk-TSPERKUS.js";
+import "./chunk-76CVW4DE.js";
+import "./chunk-CCTQO2Q4.js";
 import "./chunk-QRKI6MMK.js";
 import "./chunk-ZOC4GITL.js";
 export {

package/dist/bug-report.js

@@ -9,10 +9,10 @@ import {
   offerBugReport,
   scrubSecrets,
   setDeployContext
-} from "./chunk-V5VD5CIC.js";
-import "./chunk-EHQPRWGC.js";
-import "./chunk-4D6STP5G.js";
-import "./chunk-WM5R4O33.js";
+} from "./chunk-XOR2CEKA.js";
+import "./chunk-ZHRQDZIK.js";
+import "./chunk-76CVW4DE.js";
+import "./chunk-CCTQO2Q4.js";
 export {
   buildCliFlagsSummary,
   buildLabels,

package/dist/{chunk-SXWFDMFT.js → chunk-3CUIQTSD.js}

@@ -1,6 +1,9 @@
+import {
+  CLI_NAME
+} from "./chunk-TSPERKUS.js";
 import {
   VERSION
-} from "./chunk-4D6STP5G.js";
+} from "./chunk-76CVW4DE.js";
 import {
   loadEnvironments
 } from "./chunk-QRKI6MMK.js";
@@ -13,7 +16,7 @@ var DOT_DAPP_ID = "polkadot-app-deploy";
 var DOT_PRODUCT_ID = DOT_DAPP_ID;
 var DOT_DERIVATION_INDEX = 0;
 var DOT_HOST_NAME = "polkadot-app-deploy";
-var STALE_SESSION_MESSAGE = 'Stored login session could not be read \u2014 it may have been written by an older version. Run "bulletin-deploy logout", then "bulletin-deploy login" to pair again.';
+var STALE_SESSION_MESSAGE = `Stored login session could not be read \u2014 it may have been written by an older version. Run "${CLI_NAME} logout", then "${CLI_NAME} login" to pair again.`;
 function hasPersistedSession() {
   const dir = join(homedir(), ".polkadot-apps");
   if (!existsSync(dir)) return false;

package/dist/{chunk-4PVJ2JBZ.js → chunk-4IUTMHVB.js}

@@ -34,6 +34,9 @@ function isAuthorizationSufficient(auth, currentBlock) {
   if (Number(auth.expiration ?? 0) <= currentBlock) return false;
   return true;
 }
+function accountsNeedingAuthorization(auths, currentBlock) {
+  return auths.filter((a) => !isAuthorizationSufficient(a, currentBlock));
+}
 function selectAccount(authorizations, random = Math.random, pinnedIndex) {
   if (pinnedIndex != null) {
     const pinned = authorizations.find((a) => a.index === pinnedIndex);
@@ -114,8 +117,16 @@ async function ensureAuthorized(api, address, label) {
     `Bulletin storage account ${who} is not authorized to store. On production the storage account must already carry its own authorization/allowance \u2014 bulletin-deploy cannot grant it.`
   );
 }
-async function bootstrapPool(bulletinRpc, poolSize = 10, mnemonic) {
-  console.log(`Bootstrapping ${poolSize} pool accounts on ${bulletinRpc}...
+function printAuthStatus(a, currentBlock) {
+  if (isAuthorizationSufficient(a, currentBlock)) {
+    const mb = (Number(a.bytes) / 1e6).toFixed(1);
+    console.log(`  [${a.index}] ${a.address}  AUTHORIZED \u2014 ${a.transactions} txs / ${mb}MB remaining, expires @${a.expiration}`);
+  } else {
+    console.log(`  [${a.index}] ${a.address}  NOT AUTHORIZED`);
+  }
+}
+async function bootstrapPool(bulletinRpc, poolSize = 10, mnemonic, opts = {}) {
+  console.log(`Checking ${poolSize} pool accounts on ${bulletinRpc}...
 `);
   await cryptoWaitReady();
   const accounts = derivePoolAccounts(poolSize, mnemonic);
@@ -124,57 +135,78 @@ async function bootstrapPool(bulletinRpc, poolSize = 10, mnemonic) {
     { heartbeatTimeout: WS_HEARTBEAT_TIMEOUT_MS }
   ));
   const api = client.getUnsafeApi();
-  const keyring = new Keyring({ type: "sr25519" });
-  const alice = keyring.addFromUri("//Alice");
-  const aliceSigner = getPolkadotSigner(alice.publicKey, "Sr25519", (data) => alice.sign(data));
-  const aliceAccount = await api.query.System.Account.getValue(alice.address);
-  const aliceBalance = BigInt(aliceAccount.data.free);
-  console.log(`Alice balance: ${formatPasBalance(aliceBalance)} PAS
+  try {
+    const currentBlock = await api.query.System.Number.getValue();
+    const auths = await fetchPoolAuthorizations(api, accounts);
+    console.log("Pool authorization status:");
+    for (const a of auths) {
+      printAuthStatus(a, currentBlock);
+    }
+    console.log("");
+    const needsAuth = accountsNeedingAuthorization(auths, currentBlock);
+    if (needsAuth.length === 0) {
+      console.log("All pool accounts are authorized. Nothing to do.");
+      return;
+    }
+    console.log(`${needsAuth.length} account(s) need authorization.
 `);
-  console.log(`Authorizing accounts (${TOPUP_TRANSACTIONS} txs / ${Number(TOPUP_BYTES) / 1e6}MB)
+    let authorizerSigner;
+    const keyring = new Keyring({ type: "sr25519" });
+    if (opts.authorizerMnemonic) {
+      const authKey = keyring.addFromUri(opts.authorizerMnemonic);
+      authorizerSigner = getPolkadotSigner(authKey.publicKey, "Sr25519", (data) => authKey.sign(data));
+      console.log(`Using provided authorizer: ${authKey.address}
 `);
-  for (const account of accounts) {
-    console.log(`Account ${account.index}: ${account.address}`);
-    try {
-      const tx = api.tx.TransactionStorage.authorize_account({
-        who: account.address,
-        transactions: clampU32(BigInt(TOPUP_TRANSACTIONS), "transactions"),
-        bytes: TOPUP_BYTES
-      });
-      const result = await tx.signAndSubmit(aliceSigner);
-      if (!result.ok) throw new Error("dispatch failed");
-      console.log(`  Authorized: ${TOPUP_TRANSACTIONS} txs / ${Number(TOPUP_BYTES) / 1e6}MB`);
-    } catch (e) {
-      console.log(`  Authorization failed: ${e.message?.slice(0, 80)}`);
+    } else {
+      const isTestnet = await detectTestnet(api);
+      if (isTestnet) {
+        const alice = keyring.addFromUri("//Alice");
+        authorizerSigner = getPolkadotSigner(alice.publicKey, "Sr25519", (data) => alice.sign(data));
+        console.log(`Testnet detected \u2014 defaulting to //Alice as authorizer (${alice.address})
+`);
+      } else {
+        console.log(
+          'Authorization is needed but no authorizer key was provided.\nRe-run with --authorizer "<seed>" to grant authorization.'
+        );
+        return;
+      }
     }
-    try {
-      const transfer = api.tx.Balances.transfer_allow_death({
-        dest: Enum("Id", account.address),
-        value: 100000000000n
-        // 0.1 PAS
-      });
-      const result = await transfer.signAndSubmit(aliceSigner);
-      if (!result.ok) throw new Error("dispatch failed");
-      console.log(`  Transferred 0.1 PAS`);
-    } catch (e) {
-      console.log(`  Transfer failed: ${e.message?.slice(0, 80)}`);
+    console.log(`Authorizing ${needsAuth.length} account(s) (${TOPUP_TRANSACTIONS} txs / ${Number(TOPUP_BYTES) / 1e6}MB each):
+`);
+    for (const account of needsAuth) {
+      console.log(`  [${account.index}] ${account.address}`);
+      try {
+        const tx = api.tx.TransactionStorage.authorize_account({
+          who: account.address,
+          transactions: clampU32(BigInt(TOPUP_TRANSACTIONS), "transactions"),
+          bytes: TOPUP_BYTES
+        });
+        const result = await tx.signAndSubmit(authorizerSigner);
+        if (!result.ok) throw new Error("dispatch failed");
+        console.log(`    granted: ${TOPUP_TRANSACTIONS} txs / ${Number(TOPUP_BYTES) / 1e6}MB`);
+      } catch (e) {
+        console.log(`    could not grant \u2014 is this key the chain's authorizer? (${e.message?.slice(0, 80)})`);
+      }
     }
     console.log("");
+    console.log("=".repeat(60));
+    console.log("Final pool authorization status:");
+    console.log("=".repeat(60));
+    const finalBlock = await api.query.System.Number.getValue();
+    const finalAuths = await fetchPoolAuthorizations(api, accounts);
+    for (const a of finalAuths) {
+      printAuthStatus(a, finalBlock);
+    }
+  } finally {
+    client.destroy();
   }
-  console.log("=".repeat(60));
-  console.log("Pool Summary");
-  console.log("=".repeat(60));
-  const auths = await fetchPoolAuthorizations(api, accounts);
-  for (const a of auths) {
-    console.log(`  ${a.index}: ${a.address} | txs: ${a.transactions} | bytes: ${Number(a.bytes) / 1e6}MB`);
-  }
-  client.destroy();
 }
 
 export {
   formatPasBalance,
   derivePoolAccounts,
   isAuthorizationSufficient,
+  accountsNeedingAuthorization,
   selectAccount,
   fetchPoolAuthorizations,
   isTestnetSpecName,

package/dist/{chunk-5OKB3TEB.js → chunk-5FLTDWWP.js}

@@ -1,3 +1,6 @@
+import {
+  CLI_NAME
+} from "./chunk-TSPERKUS.js";
 import {
   NonRetryableError
 } from "./chunk-ZOC4GITL.js";
@@ -66,7 +69,7 @@ function createSessionSigner(session, ref) {
           clearPoll = setInterval(() => {
             if (noAllowanceMsg) {
               reject(new NonRetryableError(
-                "Session signing allowance has expired (~2-3 days after login). Run `bulletin-deploy login` to renew."
+                `Session signing allowance has expired (~2-3 days after login). Run \`${CLI_NAME} login\` to renew.`
               ));
             }
           }, 200);

package/dist/{chunk-UJJQME5K.js → chunk-5V2RCZXO.js}

@@ -3,7 +3,7 @@ import {
 } from "./chunk-GRPLHUYC.js";
 import {
   DOT_DAPP_ID
-} from "./chunk-SXWFDMFT.js";
+} from "./chunk-3CUIQTSD.js";
 
 // src/sss-allowance-cache.ts
 import { mkdir, readFile, writeFile, unlink } from "fs/promises";

package/dist/{chunk-4D6STP5G.js → chunk-76CVW4DE.js}

@@ -1,7 +1,7 @@
 import {
   package_default,
   writeRunState
-} from "./chunk-WM5R4O33.js";
+} from "./chunk-CCTQO2Q4.js";
 
 // src/memory-report.ts
 import * as fs2 from "fs";

package/dist/{chunk-XX6LNB74.js → chunk-BZRRNX7T.js}

@@ -1,15 +1,16 @@
 import {
   pessimisticSizePreflight
-} from "./chunk-RI3ZLNPN.js";
+} from "./chunk-WIMRJK32.js";
 import {
+  BLAKE2B_256_MULTIHASH_CODE,
   encodeContenthash,
   resolveDotnsConnectOptions,
   storeDirectory,
   storeFile
-} from "./chunk-C74YSAWC.js";
+} from "./chunk-CJHVSSSR.js";
 import {
   DotNS
-} from "./chunk-I7UEBFP5.js";
+} from "./chunk-GRWWVYSV.js";
 import {
   getPopSelfServeConfig,
   loadEnvironments,
@@ -43,7 +44,7 @@ async function publishManifest(opts) {
 Manifest publish \u2014 ${config.domain}`);
   console.log(`  Loaded config: ${sourcePath}`);
   console.log(`  Uploading icon (${iconBytes.length} B)\u2026`);
-  const iconCid = await storeFile(iconBytes);
+  const iconCid = await storeFile(iconBytes, { hashCode: BLAKE2B_256_MULTIHASH_CODE });
   console.log(`  Icon CID: ${iconCid}`);
   const executableCids = {};
   for (const exec of config.executables) {

package/dist/{chunk-WM5R4O33.js → chunk-CCTQO2Q4.js}

@@ -6,7 +6,7 @@ import * as path from "path";
 // package.json
 var package_default = {
   name: "@parity/product-deploy",
-  version: "0.10.0-rc.2",
+  version: "0.10.0-rc.4",
   private: false,
   repository: {
     type: "git",