polkadot-cli 1.10.0 → 1.12.0

package/README.md

@@ -23,6 +23,8 @@ Ships with Polkadot and all system parachains preconfigured with multiple fallba
 - ✅ Batteries included — all system parachains and testnets already setup to be used
 - ✅ File-based commands — run any command from a YAML/JSON file with variable substitution
 - ✅ Parachain sovereign accounts — derive child and sibling addresses from a parachain ID
+- ✅ Message signing — sign arbitrary bytes with account keypairs for use as `MultiSignature` arguments
+- ✅ Bandersnatch member keys — derive Ring VRF member keys from mnemonics for on-chain member sets
 
 ### Preconfigured chains
 
@@ -296,14 +298,14 @@ dot query System.Account 5GrwvaEF5zXb26Fz9rcQpDWS57CtERHpNehXCPcNoHGKutQY
 # Map without key — shows help/usage (use --dump to fetch all entries)
 dot query System.Account
 
-# Dump all map entries (requires --dump, default limit: 100)
-dot query System.Account --dump --limit 10
+# Dump all map entries (requires --dump)
+dot query System.Account --dump
 
 # Enum variant as map key (case-insensitive)
 dot query people-preview.ChunksManager.Chunks R2e9 1
 
 # Pipe-safe — stdout is clean data, progress messages go to stderr
-dot query System.Account --dump --limit 5 | jq '.[0].value.data.free'
+dot query System.Account --dump | jq '.[0].value.data.free'
 dot query System.Number --output json | jq '.+1'
 
 # Query a specific chain using chain prefix
@@ -324,12 +326,9 @@ dot query Staking.ErasStakers 100 5GrwvaEF5zXb26Fz9rcQpDWS57CtERHpNehXCPcNoHGKut
 dot query Staking.ErasStakers 100
 
 # No keys — requires --dump (safety net for large maps)
-dot query Staking.ErasStakers --dump --limit 10
+dot query Staking.ErasStakers --dump
 ```
 
-The `--limit` option applies to partial key results just like it does for
-`--dump` (default: 100, use `--limit 0` for unlimited).
-
 #### Output formatting
 
 Query results automatically convert on-chain types for readability:
@@ -478,8 +477,10 @@ dot tx Balances.transferKeepAlive 5FHneW46xGXgs5mUiveU4sbTyGBzmstUspZC92UhjJM694
 # Submit a raw SCALE-encoded call (e.g. from a multisig proposal or another tool)
 dot tx 0x0503008eaf04151687736326c9fea17e25fc5287613693c912909cb226aa4794f26a48 --from alice
 
-# Batch multiple transfers with Utility.batchAll
-dot tx Utility.batchAll '[{"type":"Balances","value":{"type":"transfer_keep_alive","value":{"dest":"5FHneW46xGXgs5mUiveU4sbTyGBzmstUspZC92UhjJM694ty","value":1000000000000}}},{"type":"Balances","value":{"type":"transfer_keep_alive","value":{"dest":"5FLSigC9HGRKVhB9FiEo4Y3koPsNmBmLJbpXg2mp1hXcS59Y","value":2000000000000}}}]' --from alice
+# Batch multiple transfers with Utility.batchAll (comma-separated encoded calls)
+A=$(dot tx Balances.transfer_keep_alive 5FHneW46xGXgs5mUiveU4sbTyGBzmstUspZC92UhjJM694ty 1000000000000 --encode)
+B=$(dot tx Balances.transfer_keep_alive 5FLSigC9HGRKVhB9FiEo4Y3koPsNmBmLJbpXg2mp1hXcS59Y 2000000000000 --encode)
+dot tx Utility.batchAll $A,$B --from alice
 ```
 
 #### Enum shorthand
@@ -861,6 +862,31 @@ dot hash blake2b256 0xdeadbeef --output json
 
 Run `dot hash` with no arguments to see all available algorithms.
 
+### Sign messages
+
+Sign arbitrary messages with an account keypair. Output is a `Sr25519(0x...)` value directly usable as a `MultiSignature` enum argument in transaction calls.
+
+```bash
+# Sign a text message
+dot sign "hello world" --from alice
+
+# Sign hex-encoded bytes
+dot sign 0xdeadbeef --from alice
+
+# Sign file contents
+dot sign --file ./payload.bin --from alice
+
+# Read from stdin
+echo -n "hello" | dot sign --stdin --from alice
+
+# JSON output (for scripting)
+dot sign "hello" --from alice --output json
+```
+
+Output shows the crypto type, message bytes in hex, raw signature, and an `Enum` value directly pasteable into tx arguments (e.g. `Sr25519(0x...)`).
+
+Use `--type` to select the signature algorithm (default: `sr25519`). Run `dot sign` with no arguments to see usage and examples.
+
 ### Parachain sovereign accounts
 
 Derive the sovereign account addresses for a parachain. These are deterministic accounts derived from a parachain ID — no chain connection required.
@@ -887,6 +913,38 @@ dot parachain 1000 --output json
 
 Run `dot parachain` with no arguments to see usage and examples.
 
+### Bandersnatch member keys
+
+Derive Bandersnatch member keys from account mnemonics for on-chain member set registration (personhood proofs, Ring VRF). Uses the [`verifiablejs`](https://github.com/paritytech/verifiablejs) WASM library.
+
+```bash
+# Derive unkeyed member key (lite person)
+dot verifiable alice
+
+# Derive keyed member key (full person — "candidate" context)
+dot verifiable alice --context candidate
+
+# Arbitrary context string
+dot verifiable alice --context pps
+
+# JSON output (for scripting)
+dot verifiable alice --context candidate --output json
+```
+
+The derivation flow:
+
+```
+Mnemonic → mnemonicToEntropy() → blake2b256(entropy, context?) → member_from_entropy() → 32-byte member key
+```
+
+- **Unkeyed** (no `--context`): `blake2b256(entropy)` — used for lite person registration
+- **With context** (e.g. `--context candidate`): `blake2b256(entropy, key="candidate")` — used for full person registration. The `--context` value is passed as the raw UTF-8 bytes of the blake2b key parameter.
+- Both 12-word and 24-word mnemonics are supported
+
+Derived keys are saved to the account store. For stored accounts, saved keys appear in `dot account inspect` output. When creating a new account with `dot account create`, both unkeyed and `candidate` keys are automatically derived and saved.
+
+Run `dot verifiable` with no arguments to see usage and the full derivation diagram.
+
 ### Getting help
 
 Every command supports `--help` to show its detailed usage, available actions, and examples:
@@ -927,7 +985,6 @@ dot tx.System.remark 0xdead               # shows call help (no error)
 | `--light-client` | Use Smoldot light client |
 | `--output json` | Raw JSON output (default: pretty) |
 | `--dump` | Dump all entries of a storage map (required for keyless map queries) |
-| `--limit <n>` | Max entries for map queries (0 = unlimited, default: 100) |
 | `-w, --wait <level>` | Tx wait level: `broadcast`, `best-block` / `best`, `finalized` (default) |
 
 ### Pipe-safe output

package/dist/cli.mjs

@@ -362,10 +362,9 @@ function tryDerivePublicKey(envVarName, path = "") {
     return null;
   }
 }
-async function resolveAccountSigner(name) {
+async function resolveAccountKeypair(name) {
   if (isDevAccount(name)) {
-    const keypair2 = getDevKeypair(name);
-    return getPolkadotSigner(keypair2.publicKey, "Sr25519", keypair2.sign);
+    return getDevKeypair(name);
   }
   const accountsFile = await loadAccounts();
   const account = findAccount(accountsFile, name);
@@ -378,7 +377,10 @@ async function resolveAccountSigner(name) {
   }
   const secret = resolveSecret(account.secret);
   const isHexSeed = /^0x[0-9a-fA-F]{64}$/.test(secret);
-  const keypair = isHexSeed ? deriveFromHexSeed(secret, account.derivationPath) : deriveFromMnemonic(secret, account.derivationPath);
+  return isHexSeed ? deriveFromHexSeed(secret, account.derivationPath) : deriveFromMnemonic(secret, account.derivationPath);
+}
+async function resolveAccountSigner(name) {
+  const keypair = await resolveAccountKeypair(name);
   return getPolkadotSigner(keypair.publicKey, "Sr25519", keypair.sign);
 }
 var DEV_NAMES;
@@ -510,6 +512,25 @@ var init_output = __esm(() => {
   SPINNER_FRAMES = ["⠋", "⠙", "⠹", "⠸", "⠼", "⠴", "⠦", "⠧", "⠇", "⠏"];
 });
 
+// src/core/bandersnatch.ts
+var exports_bandersnatch = {};
+__export(exports_bandersnatch, {
+  deriveBandersnatchMember: () => deriveBandersnatchMember
+});
+import { blake2b } from "@noble/hashes/blake2.js";
+import { mnemonicToEntropy as mnemonicToEntropy2 } from "@polkadot-labs/hdkd-helpers";
+import { member_from_entropy } from "verifiablejs/nodejs";
+function deriveBandersnatchMember(mnemonic, context) {
+  const entropy = mnemonicToEntropy2(mnemonic);
+  const opts = { dkLen: 32 };
+  if (context) {
+    opts.key = new TextEncoder().encode(context);
+  }
+  const hashed = blake2b(entropy, opts);
+  return member_from_entropy(hashed);
+}
+var init_bandersnatch = () => {};
+
 // src/utils/errors.ts
 var CliError, ConnectionError, MetadataError;
 var init_errors = __esm(() => {
@@ -1023,8 +1044,12 @@ function typeHint(entry, meta) {
     case "tuple":
       return "a JSON array";
     case "sequence":
-    case "array":
-      return "a JSON array or hex-encoded bytes";
+    case "array": {
+      const inner = resolved.value;
+      if (inner?.type === "primitive" && inner.value === "u8")
+        return "hex-encoded bytes or text";
+      return "a JSON array, comma-separated values, or hex-encoded bytes";
+    }
     default:
       return describeType(meta.lookup, entry.id);
   }
@@ -1233,6 +1258,10 @@ async function parseTypedArg(meta, entry, arg) {
           return normalizeValue(meta.lookup, entry, JSON.parse(arg));
         } catch {}
       }
+      if (arg.includes(",")) {
+        const elements = arg.split(",");
+        return Promise.all(elements.map((el) => parseTypedArg(meta, inner, el.trim())));
+      }
       if (/^0x[0-9a-fA-F]*$/.test(arg))
         return Binary2.fromHex(arg);
       return parseValue(arg);
@@ -1758,7 +1787,6 @@ async function showItemHelp(category, target, opts) {
       console.log();
       console.log(`${BOLD}Options:${RESET}`);
       console.log(`  --dump           Dump all entries of a map (required for keyless map queries)`);
-      console.log(`  --limit <n>      Max entries for map queries (0 = unlimited, default: 100)`);
       console.log();
       return;
     }
@@ -1825,7 +1853,7 @@ var init_focused_inspect = __esm(() => {
 });
 
 // src/core/hash.ts
-import { blake2b } from "@noble/hashes/blake2.js";
+import { blake2b as blake2b2 } from "@noble/hashes/blake2.js";
 import { sha256 } from "@noble/hashes/sha2.js";
 import { keccak_256 } from "@noble/hashes/sha3.js";
 import { bytesToHex, hexToBytes as hexToBytes2 } from "@noble/hashes/utils.js";
@@ -1859,12 +1887,12 @@ var ALGORITHMS;
 var init_hash = __esm(() => {
   ALGORITHMS = {
     blake2b256: {
-      compute: (data) => blake2b(data, { dkLen: 32 }),
+      compute: (data) => blake2b2(data, { dkLen: 32 }),
       outputLen: 32,
       description: "BLAKE2b with 256-bit output"
     },
     blake2b128: {
-      compute: (data) => blake2b(data, { dkLen: 16 }),
+      compute: (data) => blake2b2(data, { dkLen: 16 }),
       outputLen: 16,
       description: "BLAKE2b with 128-bit output"
     },
@@ -2158,7 +2186,7 @@ var init_complete = __esm(() => {
     apis: "apis",
     api: "apis"
   };
-  NAMED_COMMANDS = ["chain", "account", "inspect", "hash", "parachain", "completions"];
+  NAMED_COMMANDS = ["chain", "account", "inspect", "hash", "sign", "parachain", "completions"];
   CHAIN_SUBCOMMANDS = ["add", "remove", "update", "list", "default"];
   ACCOUNT_SUBCOMMANDS = [
     "add",
@@ -2183,13 +2211,13 @@ var init_complete = __esm(() => {
     "--mortality",
     "--at"
   ];
-  QUERY_OPTIONS = ["--limit"];
+  QUERY_OPTIONS = [];
 });
 
 // src/cli.ts
 import cac from "cac";
 // package.json
-var version = "1.10.0";
+var version = "1.12.0";
 
 // src/commands/account.ts
 init_accounts_store();
@@ -2276,19 +2304,26 @@ async function accountCreate(name, opts) {
   const { mnemonic, publicKey } = createNewAccount(path);
   const hexPub = publicKeyToHex(publicKey);
   const address = toSs58(publicKey);
+  const { deriveBandersnatchMember: deriveBandersnatchMember2 } = await Promise.resolve().then(() => (init_bandersnatch(), exports_bandersnatch));
+  const bandersnatch = {};
+  bandersnatch[""] = publicKeyToHex(deriveBandersnatchMember2(mnemonic));
+  bandersnatch.candidate = publicKeyToHex(deriveBandersnatchMember2(mnemonic, "candidate"));
   accountsFile.accounts.push({
     name,
     secret: mnemonic,
     publicKey: hexPub,
-    derivationPath: path
+    derivationPath: path,
+    bandersnatch
   });
   await saveAccounts(accountsFile);
   printHeading("Account Created");
-  console.log(`  ${BOLD}Name:${RESET}     ${name}`);
+  console.log(`  ${BOLD}Name:${RESET}          ${name}`);
   if (path)
-    console.log(`  ${BOLD}Path:${RESET}     ${path}`);
-  console.log(`  ${BOLD}Address:${RESET}  ${address}`);
-  console.log(`  ${BOLD}Mnemonic:${RESET} ${mnemonic}`);
+    console.log(`  ${BOLD}Path:${RESET}          ${path}`);
+  console.log(`  ${BOLD}Address:${RESET}       ${address}`);
+  console.log(`  ${BOLD}Bandersnatch:${RESET}  ${bandersnatch[""]}`);
+  console.log(`    ${BOLD}(candidate)${RESET}  ${bandersnatch.candidate}`);
+  console.log(`  ${BOLD}Mnemonic:${RESET}      ${mnemonic}`);
   console.log();
   console.log(`  ${YELLOW}Save this mnemonic phrase! It is the only way to recover this account.${RESET}`);
   console.log();
@@ -2565,6 +2600,7 @@ async function accountInspect(input, opts) {
   }
   let name;
   let publicKeyHex;
+  let bandersnatch;
   if (isDevAccount(input)) {
     name = input.charAt(0).toUpperCase() + input.slice(1).toLowerCase();
     const devAddr = getDevAddress(input);
@@ -2574,6 +2610,7 @@ async function accountInspect(input, opts) {
     const account = findAccount(accountsFile, input);
     if (account) {
       name = account.name;
+      bandersnatch = account.bandersnatch;
       if (account.publicKey) {
         publicKeyHex = account.publicKey;
       } else if (account.secret !== undefined && isEnvSecret(account.secret)) {
@@ -2604,6 +2641,8 @@ async function accountInspect(input, opts) {
     const result = { publicKey: publicKeyHex, ss58, prefix };
     if (name)
       result.name = name;
+    if (bandersnatch && Object.keys(bandersnatch).length > 0)
+      result.bandersnatch = bandersnatch;
     console.log(formatJson(result));
   } else {
     printHeading("Account Info");
@@ -2611,6 +2650,18 @@ async function accountInspect(input, opts) {
       console.log(`  ${BOLD}Name:${RESET}        ${name}`);
     console.log(`  ${BOLD}Public Key:${RESET}  ${publicKeyHex}`);
     console.log(`  ${BOLD}SS58:${RESET}        ${ss58}`);
+    if (bandersnatch && Object.keys(bandersnatch).length > 0) {
+      const entries = Object.entries(bandersnatch);
+      for (let i = 0;i < entries.length; i++) {
+        const [key, hex] = entries[i];
+        const label = key ? `(${key})` : "";
+        if (i === 0) {
+          console.log(`  ${BOLD}Bandersnatch:${RESET}${label ? ` ${label}` : ""} ${hex}`);
+        } else {
+          console.log(`               ${label ? `${label} ` : ""}${hex}`);
+        }
+      }
+    }
     console.log(`  ${BOLD}Prefix:${RESET}      ${prefix}`);
     console.log();
   }
@@ -3407,7 +3458,6 @@ async function showItemHelp2(category, target, opts) {
       console.log();
       console.log(`${BOLD}Options:${RESET}`);
       console.log(`  --dump           Dump all entries of a map (required for keyless map queries)`);
-      console.log(`  --limit <n>      Max entries for map queries (0 = unlimited, default: 100)`);
       console.log();
       return;
     }
@@ -3967,17 +4017,10 @@ async function handleQuery(target, keys, opts) {
         return;
       }
       const entries = await storageApi.getEntries(...parsedKeys);
-      const limit = Number(opts.limit);
-      const truncated = limit > 0 && entries.length > limit;
-      const display = truncated ? entries.slice(0, limit) : entries;
-      printResult(display.map((e) => ({
+      printResult(entries.map((e) => ({
         keys: e.keyArgs,
         value: e.value
       })), format);
-      if (truncated) {
-        console.error(`
-${DIM}Showing ${limit} of ${entries.length} entries. Use --limit 0 for all.${RESET}`);
-      }
     } else {
       const result = await storageApi.getValue(...parsedKeys);
       printResult(result, format);
@@ -4026,6 +4069,101 @@ async function parseStorageKeys(meta, palletName2, storageItem, args) {
   return Promise.all(args.map((arg) => parseTypedArg(meta, keyEntry, arg)));
 }
 
+// src/commands/sign.ts
+init_accounts();
+init_hash();
+init_output();
+init_errors();
+import { readFile as readFile4 } from "node:fs/promises";
+var SUPPORTED_TYPES = ["sr25519"];
+function isSupportedType(type) {
+  return SUPPORTED_TYPES.includes(type.toLowerCase());
+}
+function variantName(type) {
+  switch (type) {
+    case "sr25519":
+      return "Sr25519";
+  }
+}
+async function resolveInput2(data, opts) {
+  const sources = [data !== undefined, !!opts.file, !!opts.stdin].filter(Boolean).length;
+  if (sources > 1) {
+    throw new CliError("Provide only one of: inline data, --file, or --stdin");
+  }
+  if (sources === 0) {
+    throw new CliError("No input provided. Pass data as argument, or use --file or --stdin");
+  }
+  if (opts.file) {
+    const buf = await readFile4(opts.file);
+    return new Uint8Array(buf);
+  }
+  if (opts.stdin) {
+    const chunks = [];
+    for await (const chunk of process.stdin) {
+      chunks.push(chunk);
+    }
+    return new Uint8Array(Buffer.concat(chunks));
+  }
+  return parseInputData(data);
+}
+function printSignHelp() {
+  console.log(`${BOLD}Usage:${RESET} dot sign <message> --from <account> [options]
+`);
+  console.log(`${BOLD}Arguments:${RESET}`);
+  console.log(`  ${CYAN}message${RESET}          ${DIM}Message to sign (text or 0x-prefixed hex)${RESET}`);
+  console.log(`
+${BOLD}Options:${RESET}`);
+  console.log(`  ${CYAN}--from <name>${RESET}    ${DIM}Account to sign with (required)${RESET}`);
+  console.log(`  ${CYAN}--type <algo>${RESET}    ${DIM}Signature type: sr25519 (default)${RESET}`);
+  console.log(`  ${CYAN}--file <path>${RESET}    ${DIM}Sign file contents${RESET}`);
+  console.log(`  ${CYAN}--stdin${RESET}           ${DIM}Read from stdin${RESET}`);
+  console.log(`  ${CYAN}--output json${RESET}    ${DIM}Output as JSON${RESET}`);
+  console.log(`
+${BOLD}Examples:${RESET}`);
+  console.log(`  ${DIM}$ dot sign "hello world" --from alice${RESET}`);
+  console.log(`  ${DIM}$ dot sign 0xdeadbeef --from alice${RESET}`);
+  console.log(`  ${DIM}$ dot sign --file ./payload.bin --from alice${RESET}`);
+  console.log(`  ${DIM}$ echo -n "hello" | dot sign --stdin --from alice${RESET}`);
+  console.log(`  ${DIM}$ dot sign "hello" --from alice --output json${RESET}`);
+}
+function registerSignCommand(cli) {
+  cli.command("sign [message]", "Sign a message with an account keypair").option("--from <name>", "Account to sign with").option("--type <algo>", "Signature type (default: sr25519)").option("--file <path>", "Sign file contents (raw bytes)").option("--stdin", "Read data from stdin").action(async (message, opts) => {
+    if (!message && !opts.file && !opts.stdin) {
+      printSignHelp();
+      return;
+    }
+    if (!opts.from) {
+      throw new CliError("--from is required. Specify the account to sign with.");
+    }
+    const type = opts.type?.toLowerCase() ?? "sr25519";
+    if (!isSupportedType(type)) {
+      throw new CliError(`Unsupported signature type "${opts.type}". Supported: ${SUPPORTED_TYPES.join(", ")}`);
+    }
+    const input = await resolveInput2(message, opts);
+    const keypair = await resolveAccountKeypair(opts.from);
+    const signature = keypair.sign(input);
+    const hexMessage = toHex2(input);
+    const hexSignature = toHex2(signature);
+    const variant = variantName(type);
+    const enumValue = `${variant}(${hexSignature})`;
+    const result = {
+      type: variant,
+      message: hexMessage,
+      signature: hexSignature,
+      enum: enumValue
+    };
+    const format = opts.output ?? "pretty";
+    if (format === "json") {
+      printResult(result, "json");
+    } else {
+      console.log(`  ${BOLD}Type:${RESET}       ${result.type}`);
+      console.log(`  ${BOLD}Message:${RESET}    ${result.message}`);
+      console.log(`  ${BOLD}Signature:${RESET}  ${result.signature}`);
+      console.log(`  ${BOLD}Enum:${RESET}       ${result.enum}`);
+    }
+  });
+}
+
 // src/commands/tx.ts
 init_store();
 init_types();
@@ -4650,8 +4788,12 @@ function typeHint2(entry, meta) {
     case "tuple":
       return "a JSON array";
     case "sequence":
-    case "array":
-      return "a JSON array or hex-encoded bytes";
+    case "array": {
+      const inner = resolved.value;
+      if (inner?.type === "primitive" && inner.value === "u8")
+        return "hex-encoded bytes or text";
+      return "a JSON array, comma-separated values, or hex-encoded bytes";
+    }
     default:
       return describeType(meta.lookup, entry.id);
   }
@@ -4880,6 +5022,10 @@ async function parseTypedArg2(meta, entry, arg) {
           return normalizeValue2(meta.lookup, entry, JSON.parse(arg));
         } catch {}
       }
+      if (arg.includes(",")) {
+        const elements = arg.split(",");
+        return Promise.all(elements.map((el) => parseTypedArg2(meta, inner, el.trim())));
+      }
       if (/^0x[0-9a-fA-F]*$/.test(arg))
         return Binary3.fromHex(arg);
       return parseValue(arg);
@@ -5052,9 +5198,101 @@ function watchTransaction(observable, level) {
   });
 }
 
+// src/commands/verifiable.ts
+init_accounts_store();
+init_accounts();
+init_bandersnatch();
+init_output();
+var DEV_PHRASE2 = "bottom drive obey lake curtain smoke basket hold race lonely fit walk";
+var VERIFIABLE_HELP = `
+${BOLD}Usage:${RESET}
+  $ dot verifiable <account> [--context <value>]
+
+${BOLD}Arguments:${RESET}
+  account    Account name (stored or dev account)
+
+${BOLD}Options:${RESET}
+  --context <value>    Blake2b context for keyed derivation (e.g. "candidate")
+
+${BOLD}Examples:${RESET}
+  $ dot verifiable alice                            Unkeyed derivation (lite person)
+  $ dot verifiable alice --context candidate         Keyed with "candidate" (full person)
+  $ dot verifiable my-account --context candidate
+
+${BOLD}How it works:${RESET}
+
+  Mnemonic (12/24 words)
+      │  mnemonicToEntropy()  (raw BIP39 entropy, NOT miniSecret)
+      ▼
+  blake2b256(entropy, context?)   keyed or unkeyed
+      ▼
+  member_from_entropy()       verifiablejs WASM (Bandersnatch curve)
+      ▼
+  32-byte member key          for on-chain member set registration
+`.trimStart();
+function registerVerifiableCommands(cli) {
+  cli.command("verifiable [account]", "Derive Bandersnatch member key from account mnemonic").option("--context <value>", "Blake2b context for keyed derivation (e.g. candidate)").action(async (account, opts) => {
+    if (!account) {
+      console.log(VERIFIABLE_HELP);
+      return;
+    }
+    return deriveVerifiable(account, opts);
+  });
+}
+async function deriveVerifiable(account, opts) {
+  const mnemonic = await resolveMnemonic(account);
+  const memberKey = deriveBandersnatchMember(mnemonic, opts.context);
+  const memberKeyHex = publicKeyToHex(memberKey);
+  if (!isDevAccount(account)) {
+    const accountsFile = await loadAccounts();
+    const stored = findAccount(accountsFile, account);
+    if (stored) {
+      if (!stored.bandersnatch)
+        stored.bandersnatch = {};
+      stored.bandersnatch[opts.context ?? ""] = memberKeyHex;
+      await saveAccounts(accountsFile);
+    }
+  }
+  if (opts.output === "json") {
+    const result = {
+      account,
+      memberKey: memberKeyHex
+    };
+    if (opts.context)
+      result.context = opts.context;
+    console.log(formatJson(result));
+  } else {
+    printHeading("Bandersnatch Member Key");
+    console.log(`  ${BOLD}Account:${RESET}    ${account}`);
+    if (opts.context)
+      console.log(`  ${BOLD}Context:${RESET}    ${opts.context}`);
+    console.log(`  ${BOLD}Member Key:${RESET} ${memberKeyHex}`);
+    console.log();
+  }
+}
+async function resolveMnemonic(account) {
+  if (isDevAccount(account)) {
+    return DEV_PHRASE2;
+  }
+  const accountsFile = await loadAccounts();
+  const stored = findAccount(accountsFile, account);
+  if (!stored) {
+    const available = [...DEV_NAMES, ...accountsFile.accounts.map((a) => a.name)];
+    throw new Error(`Unknown account "${account}". Available accounts: ${available.join(", ")}`);
+  }
+  if (isWatchOnly(stored)) {
+    throw new Error(`Account "${account}" is watch-only (no secret). Cannot derive Bandersnatch key.`);
+  }
+  const secret = resolveSecret(stored.secret);
+  if (isHexPublicKey(`0x${secret.replace(/^0x/, "")}`)) {
+    throw new Error(`Account "${account}" uses a hex seed. Bandersnatch derivation requires a BIP39 mnemonic.`);
+  }
+  return secret;
+}
+
 // src/config/store.ts
 init_types();
-import { access as access3, mkdir as mkdir3, readFile as readFile4, rm as rm2, writeFile as writeFile3 } from "node:fs/promises";
+import { access as access3, mkdir as mkdir3, readFile as readFile5, rm as rm2, writeFile as writeFile3 } from "node:fs/promises";
 import { homedir as homedir2 } from "node:os";
 import { join as join3 } from "node:path";
 var DOT_DIR2 = join3(homedir2(), ".polkadot");
@@ -5074,7 +5312,7 @@ async function fileExists3(path) {
 async function loadConfig2() {
   await ensureDir3(DOT_DIR2);
   if (await fileExists3(CONFIG_PATH2)) {
-    const saved = JSON.parse(await readFile4(CONFIG_PATH2, "utf-8"));
+    const saved = JSON.parse(await readFile5(CONFIG_PATH2, "utf-8"));
     return {
       ...saved,
       chains: { ...DEFAULT_CONFIG.chains, ...saved.chains }
@@ -5091,7 +5329,7 @@ async function saveConfig2(config) {
 
 // src/core/file-loader.ts
 init_errors();
-import { access as access4, readFile as readFile5 } from "node:fs/promises";
+import { access as access4, readFile as readFile6 } from "node:fs/promises";
 import { parse as parseYaml } from "yaml";
 var CATEGORIES = ["tx", "query", "const", "apis"];
 var FILE_EXTENSIONS = [".json", ".yaml", ".yml"];
@@ -5156,7 +5394,7 @@ async function loadCommandFile(filePath, cliVars) {
   } catch {
     throw new CliError(`File not found: ${filePath}`);
   }
-  const rawText = await readFile5(filePath, "utf-8");
+  const rawText = await readFile6(filePath, "utf-8");
   if (!rawText.trim()) {
     throw new CliError(`File is empty: ${filePath}`);
   }
@@ -5477,7 +5715,9 @@ if (process.argv[2] === "__complete") {
     console.log("  chain              Manage chain configurations");
     console.log("  account            Manage accounts");
     console.log("  hash               Hash utilities");
+    console.log("  sign               Sign a message with an account keypair");
     console.log("  parachain          Derive parachain sovereign accounts");
+    console.log("  verifiable         Derive Bandersnatch member key from mnemonic");
     console.log("  completions <sh>   Generate shell completions (zsh, bash, fish)");
     console.log();
     console.log("Global options:");
@@ -5500,12 +5740,12 @@ if (process.argv[2] === "__complete") {
   registerInspectCommand(cli);
   registerAccountCommands(cli);
   registerHashCommand(cli);
+  registerSignCommand(cli);
   registerParachainCommand(cli);
   registerCompletionsCommand(cli);
+  registerVerifiableCommands(cli);
   cli.command("[dotpath] [...args]").option("--from <name>", "Account to sign with (for tx)").option("--dry-run", "Estimate fees without submitting (for tx)").option("--encode", "Encode call to hex without signing (for tx)").option("--yaml", "Decode call to YAML file format (for tx)").option("--json", "Decode call to JSON file format (for tx)").option("--ext <json>", "Custom signed extension values as JSON (for tx)").option("-w, --wait <level>", "Resolve at: broadcast, best-block (or best), finalized (for tx)", {
     default: "finalized"
-  }).option("--limit <n>", "Max entries to return for map queries (0 = unlimited)", {
-    default: 100
   }).option("--dump", "Dump all entries of a storage map (without specifying a key)").option("--var <kv>", "Template variable for file input (KEY=VALUE, repeatable)").option("--nonce <n>", "Custom nonce for manual tx sequencing (for tx)").option("--tip <amount>", "Tip to prioritize transaction (for tx)").option("--mortality <spec>", '"immortal" or period number (for tx)').option("--at <block>", 'Block hash, "best", or "finalized" to validate against (for tx)').action(async (dotpath, args, opts) => {
     if (!dotpath) {
       printHelp();
@@ -5538,7 +5778,6 @@ if (process.argv[2] === "__complete") {
         case "query":
           await handleQuery(target2, args, {
             ...handlerOpts2,
-            limit: opts.limit,
             dump: opts.dump,
             parsedArgs: cmd.args
           });
@@ -5581,7 +5820,7 @@ if (process.argv[2] === "__complete") {
     }
     switch (parsed.category) {
       case "query":
-        await handleQuery(target, args, { ...handlerOpts, limit: opts.limit, dump: opts.dump });
+        await handleQuery(target, args, { ...handlerOpts, dump: opts.dump });
         break;
       case "tx": {
         const txOpts = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "polkadot-cli",
-  "version": "1.10.0",
+  "version": "1.12.0",
   "description": "CLI tool for querying Polkadot-ecosystem on-chain state",
   "type": "module",
   "bin": {
@@ -45,6 +45,7 @@
     "@polkadot-labs/hdkd-helpers": "^0.0.27",
     "cac": "^6.7.14",
     "polkadot-api": "^1.23.3",
+    "verifiablejs": "^1.2.0",
     "ws": "^8.19.0",
     "yaml": "^2.8.3"
   },