polkadot-cli 1.14.2 → 1.15.0

package/README.md

@@ -14,7 +14,7 @@ Ships with Polkadot and all system parachains preconfigured with multiple fallba
 - ✅ zsh, bash, and fish autocompletion
 - ✅ Exposes all on-chain metadata documentation
 - ✅ Encode, dry-run, and submit extrinsics
-- ✅ Support for custom signed extensions
+- ✅ Support for custom signed extensions — and a `dot <chain>.extensions` inspector to discover them
 - ✅ Built with agent use in mind — structured JSON output on every command (`--json`)
 - ✅ Fuzzy matching with typo suggestions
 - ✅ Account management — BIP39 mnemonics, derivation paths, env-backed secrets, watch-only, dev accounts
@@ -29,6 +29,7 @@ Ships with Polkadot and all system parachains preconfigured with multiple fallba
 - ✅ Non-native fee payment — pay tx fees in any asset the chain accepts via `--asset` (asset-hub-style chains)
 - ✅ Bandersnatch member keys — derive Ring VRF member keys from mnemonics for on-chain member sets
 - ✅ Export/import — portable chain and account configuration for backup, sharing, and CI bootstrapping
+- ✅ Claude Code skill — `dot-cli` skill installable as a plugin marketplace, teaches agents how to drive the CLI
 
 ### Preconfigured chains
 
@@ -57,6 +58,25 @@ npm install -g polkadot-cli@latest
 
 This installs the `dot` command globally.
 
+## Claude Code skill
+
+This repo ships a [Claude Code](https://claude.com/claude-code) skill that teaches Claude how to drive the `dot` CLI — query patterns, tx encoding, runtime API calls, and bash scripting gotchas.
+
+Register the marketplace and install the skill:
+
+```
+/plugin marketplace add peetzweg/polkadot-cli
+/plugin install dot-cli@polkadot-cli
+```
+
+The skill auto-triggers when you ask Claude about `dot`, Substrate storage queries, extrinsic submission, runtime APIs, or XCM. You can also invoke it directly with `/dot-cli`.
+
+To pull the latest skill updates:
+
+```
+/plugin marketplace update polkadot-cli
+```
+
 ## Usage
 
 ### Manage chains
@@ -133,7 +153,7 @@ Chain names are case-insensitive (`Polkadot.query.System.Number` works the same)
 
 #### Export/import chain configuration
 
-Export and import chain configurations for backup, sharing across machines, or team collaboration. Metadata is not included — re-fetch with `dot chain update --all` after importing.
+Export and import chain configurations for backup, sharing across machines, or team collaboration.
 
 ```bash
 # Export custom chains to stdout (pipe-friendly JSON)
@@ -157,12 +177,36 @@ dot chain import my-chains.json --dry-run
 # Overwrite existing chains
 dot chain import my-chains.json --overwrite
 
+# Skip automatic metadata fetch (faster for offline/CI bootstrap)
+dot chain import my-chains.json --no-metadata
+
 # Pipe between machines
 ssh remote-dev "dot chain export" | dot chain import -
 ```
 
 By default, `export` only includes user-added chains and built-ins with modified RPCs. Use `--all` to include everything. Import skips existing chains unless `--overwrite` is passed, and validates relay references with warnings for missing relays.
 
+After a non-dry-run import, metadata is fetched automatically for each newly added or overwritten chain so tab completion and metadata-dependent commands work immediately. Pass `--no-metadata` to skip the fetch — you can always backfill later with `dot chain update --all`.
+
+Output shows one line per chain with a status glyph and a terse summary:
+
+```
+  ✓ preview
+  ✓ preview-people
+  ⟳ polkadot (overwritten)
+  - paseo (skipped)
+
+2 added, 1 overwritten, 1 skipped
+
+Updating metadata for 3 chain(s)...
+
+  ✓ preview
+  ✓ preview-people
+  ✓ polkadot
+```
+
+Running `dot chain import` with no file path prints the subcommand help instead of blocking on stdin.
+
 ### Manage accounts
 
 Dev accounts (Alice, Bob, Charlie, Dave, Eve, Ferdie) are always available for testnets. Create or import your own accounts for any chain.
@@ -187,14 +231,14 @@ dot account create my-validator
 # Create with a derivation path
 dot account create my-staking --path //staking
 
-# Import from a BIP39 mnemonic
-dot account import treasury --secret "word1 word2 ... word12"
+# Add a keyed account from a BIP39 mnemonic
+dot account add treasury --secret "word1 word2 ... word12"
 
-# Import with a derivation path
-dot account import hot-wallet --secret "word1 word2 ... word12" --path //hot
+# Add with a derivation path
+dot account add hot-wallet --secret "word1 word2 ... word12" --path //hot
 
-# Import an env-var-backed account (secret stays off disk)
-dot account import ci-signer --env MY_SECRET
+# Add an env-var-backed account (secret stays off disk)
+dot account add ci-signer --env MY_SECRET
 
 # Derive a child account from an existing one
 dot account derive treasury treasury-staking --path //staking
@@ -212,9 +256,9 @@ dot account export --include-secrets --file backup.json
 dot account export --watch-only
 
 # Batch-import accounts from a file
-dot account import --file team-accounts.json
-dot account import --file accounts.json --dry-run
-dot account import --file accounts.json --overwrite
+dot account import team-accounts.json
+dot account import accounts.json --dry-run
+dot account import accounts.json --overwrite
 
 # Inspect an account — show public key and SS58 address
 dot account inspect alice
@@ -236,7 +280,7 @@ dot account add council 0xd43593c715fdd31c61141abd04a99fd6822c8558854ccde39a5684
 
 Watch-only accounts appear in `dot account list` with a `(watch-only)` badge and can be inspected and removed like any other account. They cannot be used with `--from` (signing) or as a source for `derive`.
 
-The `add` subcommand is context-sensitive: bare `add <name> <address>` creates a watch-only entry, while `add --secret` or `add --env` imports a keyed account (same as `import`).
+The `add` subcommand is context-sensitive: bare `add <name> <address>` creates a watch-only entry, while `add --secret` or `add --env` imports a keyed account. `dot account import` is reserved for file-based batch import.
 
 #### Named address resolution
 
@@ -297,21 +341,32 @@ dot account inspect alice --json
 # {"publicKey":"0xd435...a27d","ss58":"5Grw...utQY","prefix":42,"name":"Alice"}
 ```
 
+#### Reveal the sr25519 private key
+
+For provisioning another signer (e.g. a server that expects a raw hex private key in an env var), add `--show-secret` to print the **64-byte sr25519 expanded secret** as `0x`-prefixed hex:
+
+```bash
+dot account inspect dave --show-secret
+# Private Key: 0x<128 hex chars>   (sr25519 expanded, 64 bytes — never share)
+```
+
+Works for dev accounts (derived on-the-fly from the standard dev mnemonic) and for stored accounts that have a secret (mnemonic or hex seed). Refuses on watch-only accounts, bare SS58 addresses, or hex public keys. The hex is the final secret after any derivation path is applied, so it can be fed directly to signers that don't accept a mnemonic+path (e.g. `@scure/sr25519`'s `sign`, or services like identity-backend that read a `PROXY_PRIVATE_KEY`). Combine with `--json` to include it under the `privateKey` field.
+
 #### Env-var-backed accounts
 
 For CI/CD and security-conscious workflows, store a reference to an environment variable instead of the secret itself:
 
 ```bash
-dot account import ci-signer --env MY_SECRET
+dot account add ci-signer --env MY_SECRET
 ```
 
-`--secret` and `--env` are mutually exclusive. `add` is an alias for `import`.
+`--secret` and `--env` are mutually exclusive. Use `dot account add` for single-account imports; `dot account import` is reserved for file-based batch import.
 
 The secret is never written to disk. At signing time, the CLI reads `$MY_SECRET` and derives the keypair. If the variable is not set, the CLI errors with a clear message. `account list` shows an `(env: MY_SECRET)` badge and resolves the address live when the variable is available.
 
 #### Derivation paths
 
-Use `--path` with `create`, `import`, or the `derive` action to derive child keys from the same secret. Different paths produce different keypairs, enabling key separation (e.g. staking vs. governance) without managing multiple mnemonics.
+Use `--path` with `create`, `add`, or the `derive` action to derive child keys from the same secret. Different paths produce different keypairs, enabling key separation (e.g. staking vs. governance) without managing multiple mnemonics.
 
 ```bash
 # Create with a derivation path
@@ -320,8 +375,8 @@ dot account create my-staking --path //staking
 # Multi-segment path (hard + soft junctions)
 dot account create multi --path //polkadot//0/wallet
 
-# Import with a path
-dot account import hot --secret "word1 word2 ..." --path //hot
+# Add with a path
+dot account add hot --secret "word1 word2 ..." --path //hot
 
 # Derive a child from an existing account
 dot account derive treasury treasury-staking --path //staking
@@ -362,20 +417,24 @@ dot account export --include-secrets --file backup.json
 # Export only watch-only accounts (always safe)
 dot account export --watch-only
 
-# Batch-import accounts from a file
-dot account import --file team-accounts.json
+# Batch-import accounts from a file (positional path, like `dot chain import`)
+dot account import team-accounts.json
 
 # Preview without applying
-dot account import --file accounts.json --dry-run
+dot account import accounts.json --dry-run
 
 # Overwrite existing accounts
-dot account import --file accounts.json --overwrite
+dot account import accounts.json --overwrite
 
 # Pipe from another machine
-ssh remote-dev "dot account export --watch-only" | dot account import --file /dev/stdin
+ssh remote-dev "dot account export --watch-only" | dot account import -
 ```
 
-Security: default export replaces mnemonic/seed with `"<redacted>"`. `--include-secrets` is required for actual secrets. Env-backed accounts export the variable *name* (e.g. `{"env": "MY_SECRET"}`), never the value. Redacted accounts import as watch-only (public key preserved, no signing capability). The existing single-account `import` (`--secret`/`--env`) is unchanged — batch import uses `--file` to distinguish.
+Output mirrors `dot chain import` — one line per account with a status glyph (`✓` added, `⟳` overwritten, `-` skipped) and a terse count summary at the end. Running `dot account import` with no file path prints the subcommand help instead of blocking on stdin.
+
+`dot account import` is file-only. For a single-account import from a mnemonic or env variable, use `dot account add <name> --secret "..."` or `dot account add <name> --env VAR`.
+
+Security: default export replaces mnemonic/seed with `"<redacted>"`. `--include-secrets` is required for actual secrets. Env-backed accounts export the variable *name* (e.g. `{"env": "MY_SECRET"}`), never the value. Redacted accounts import as watch-only (public key preserved, no signing capability).
 
 ### Chain prefix
 
@@ -409,7 +468,7 @@ dot polkadot.apis.Core
 dot apis Core --chain polkadot
 ```
 
-This works for all categories (`query`, `tx`, `const`, `events`, `errors`, `apis`). When passing positional method arguments, keep `Pallet` and `Item` either fully dot-joined (`query.System.Account 5Grw...`) or fully space-separated (`query System Account 5Grw...`) — mixing the two (`query System.Account 5Grw...`) does not work because the second arg gets parsed as a pallet name.
+This works for all categories (`query`, `tx`, `const`, `events`, `errors`, `apis`, `extensions`). When passing positional method arguments, keep `Pallet` and `Item` either fully dot-joined (`query.System.Account 5Grw...`) or fully space-separated (`query System Account 5Grw...`) — mixing the two (`query System.Account 5Grw...`) does not work because the second arg gets parsed as a pallet name.
 
 ### Query storage
 
@@ -637,10 +696,44 @@ dot polkadot.const.Balances.ExistentialDeposit  # look up value (connects to cha
 # Runtime APIs
 dot polkadot.apis                               # all runtime APIs
 dot polkadot.apis.Core                          # methods in Core
+
+# Transaction extensions (flat — no pallet sub-level)
+dot polkadot.extensions                         # all transaction extensions
+dot polkadot.extensions.CheckMortality          # extension detail
 ```
 
 `--chain <name>` works as an alternative to the prefix in every form (e.g. `dot tx.Balances --chain polkadot`). To browse pallets across all categories at once, use `dot inspect` (see [Inspect metadata](#inspect-metadata)).
 
+### Transaction extensions
+
+List the transaction extensions (also known as signed extensions) a chain declares in its runtime, with types and a marker indicating whether `polkadot-api` handles the extension automatically or whether you need to provide a value via `--ext` when building a transaction (see [Submit extrinsics](#submit-extrinsics)).
+
+```bash
+# List all transaction extensions on a chain
+dot polkadot.extensions
+
+# Detail view for a single extension
+dot polkadot.extensions.CheckMortality
+
+# --chain flag form is equivalent
+dot extensions.ChargeTransactionPayment --chain polkadot
+
+# Space-separated syntax also works
+dot extensions CheckMortality --chain polkadot
+
+# Structured output for scripts
+dot polkadot.extensions --json
+```
+
+`extension` and `ext` are aliases for `extensions`. Shell completion suggests identifiers after `dot polkadot.extensions.<Tab>`.
+
+The list view tags each entry:
+
+- `[builtin]` — `polkadot-api` fills this in for you (e.g. `CheckMortality`, `CheckNonce`, `ChargeTransactionPayment`, `CheckMetadataHash`)
+- `[custom]` — you must provide a value with `--ext` when signing, for example `--ext '{"<Identifier>":{"value":<v>}}'`
+
+The detail view shows the extension's value type, its `additionalSigned` type, and a ready-to-adapt `--ext` snippet for custom extensions. Use this to discover what `--ext` payload a chain expects before submitting a `dot tx` command.
+
 ### Submit extrinsics
 
 Build, sign, and submit transactions. Pass a `Pallet.Call` with arguments, or a raw SCALE-encoded call hex (e.g. from a multisig proposal or governance). Both forms display a decoded human-readable representation of the call.
@@ -806,6 +899,8 @@ For manual override, use `--ext` with a JSON object:
 dot tx.System.remark 0xdeadbeef --from alice --chain polkadot --ext '{"MyExtension":{"value":"..."}}'
 ```
 
+Not sure which extensions a chain exposes? Run `dot <chain>.extensions` (see [Transaction extensions](#transaction-extensions)) to list them all with value types and a `[builtin]` / `[custom]` marker.
+
 #### Transaction options
 
 Override low-level transaction parameters. Useful for rapid-fire submission (custom nonce), priority fees (tip), or controlling transaction lifetime (mortality).
@@ -1346,7 +1441,7 @@ The notification is automatically suppressed when:
 
 ## Configuration
 
-Config and metadata caches live in `~/.polkadot/`:
+Config and metadata caches live in `~/.polkadot/` by default:
 
 ```
 ~/.polkadot/
@@ -1360,6 +1455,29 @@ Config and metadata caches live in `~/.polkadot/`:
 
 > **Warning:** `accounts.json` stores secrets (mnemonics and seeds) in **plain text**. Encrypted-at-rest storage is planned but not yet implemented. Keep appropriate file permissions (`chmod 600 ~/.polkadot/accounts.json`) and do not use this for high-value mainnet accounts.
 
+### `DOT_HOME` — redirect the config directory
+
+Set the `DOT_HOME` environment variable to point at a different directory. When set, the CLI reads and writes **everything** (config, accounts, metadata, update cache) under that path — no `.polkadot` suffix is appended.
+
+```bash
+# Use a scratch directory for experimentation
+DOT_HOME=/tmp/dot-scratch dot account create throwaway
+
+# Isolated per-project state (e.g. in a repo-local shell)
+export DOT_HOME="$PWD/.dot"
+dot chain add local --rpc ws://localhost:9944
+
+# Unset or empty DOT_HOME falls back to $HOME/.polkadot
+```
+
+Typical uses:
+
+- **Run throwaway commands without touching your real accounts.** Point `DOT_HOME` at a tmpdir so `dot account create`, `dot chain add`, and similar never modify `~/.polkadot/`.
+- **CI and test harnesses.** Give each job its own `DOT_HOME` so parallel runs don't share state. The project's own test fixture (`runCli`) uses this mechanism.
+- **Multiple profiles on one machine.** Switch between environments (e.g. a mainnet profile and a local-dev profile) by changing `DOT_HOME`.
+
+Empty-string `DOT_HOME=""` is treated as unset and falls back to `$HOME/.polkadot` — so a shell-quoting slip can't accidentally send writes to `/`.
+
 ## Environment compatibility
 
 The CLI works in Node.js (v22+), Bun, and sandboxed runtimes (e.g. LLM tool-use / MCP environments). WebSocket connections use the native `WebSocket` implementation provided by the runtime — no external WebSocket package is required.

package/dist/cli.mjs

@@ -181,13 +181,20 @@ import { access, mkdir, readFile, rm, writeFile } from "node:fs/promises";
 import { homedir } from "node:os";
 import { join } from "node:path";
 function getConfigDir() {
-  return DOT_DIR;
+  const override = process.env.DOT_HOME;
+  return override && override.length > 0 ? override : join(homedir(), ".polkadot");
+}
+function getChainsDir() {
+  return join(getConfigDir(), "chains");
 }
 function getChainDir(chainName) {
-  return join(CHAINS_DIR, chainName);
+  return join(getChainsDir(), chainName);
 }
 function getMetadataPath(chainName) {
-  return join(CHAINS_DIR, chainName, "metadata.bin");
+  return join(getChainDir(chainName), "metadata.bin");
+}
+function getConfigPath() {
+  return join(getConfigDir(), "config.json");
 }
 async function ensureDir(dir) {
   await mkdir(dir, { recursive: true });
@@ -201,9 +208,10 @@ async function fileExists(path) {
   }
 }
 async function loadConfig() {
-  await ensureDir(DOT_DIR);
-  if (await fileExists(CONFIG_PATH)) {
-    const saved = JSON.parse(await readFile(CONFIG_PATH, "utf-8"));
+  await ensureDir(getConfigDir());
+  const configPath = getConfigPath();
+  if (await fileExists(configPath)) {
+    const saved = JSON.parse(await readFile(configPath, "utf-8"));
     const chains = {};
     for (const [name, defaultConfig] of Object.entries(DEFAULT_CONFIG.chains)) {
       chains[name] = saved.chains[name] ? { ...defaultConfig, ...saved.chains[name] } : defaultConfig;
@@ -219,8 +227,8 @@ async function loadConfig() {
   return DEFAULT_CONFIG;
 }
 async function saveConfig(config) {
-  await ensureDir(DOT_DIR);
-  await writeFile(CONFIG_PATH, `${JSON.stringify(config, null, 2)}
+  await ensureDir(getConfigDir());
+  await writeFile(getConfigPath(), `${JSON.stringify(config, null, 2)}
 `);
 }
 async function loadMetadata(chainName) {
@@ -255,18 +263,17 @@ function resolveChain(config, chainFlag) {
   }
   return { name, chain: config.chains[name] };
 }
-var DOT_DIR, CONFIG_PATH, CHAINS_DIR;
 var init_store = __esm(() => {
   init_errors();
   init_types();
-  DOT_DIR = join(homedir(), ".polkadot");
-  CONFIG_PATH = join(DOT_DIR, "config.json");
-  CHAINS_DIR = join(DOT_DIR, "chains");
 });
 
 // src/config/accounts-store.ts
 import { access as access2, mkdir as mkdir2, readFile as readFile2, writeFile as writeFile2 } from "node:fs/promises";
 import { join as join2 } from "node:path";
+function getAccountsPath() {
+  return join2(getConfigDir(), "accounts.json");
+}
 async function ensureDir2(dir) {
   await mkdir2(dir, { recursive: true });
 }
@@ -280,24 +287,23 @@ async function fileExists2(path) {
 }
 async function loadAccounts() {
   await ensureDir2(getConfigDir());
-  if (await fileExists2(ACCOUNTS_PATH)) {
-    const data = await readFile2(ACCOUNTS_PATH, "utf-8");
+  const path = getAccountsPath();
+  if (await fileExists2(path)) {
+    const data = await readFile2(path, "utf-8");
     return JSON.parse(data);
   }
   return { accounts: [] };
 }
 async function saveAccounts(file) {
   await ensureDir2(getConfigDir());
-  await writeFile2(ACCOUNTS_PATH, `${JSON.stringify(file, null, 2)}
+  await writeFile2(getAccountsPath(), `${JSON.stringify(file, null, 2)}
 `);
 }
 function findAccount(file, name) {
   return file.accounts.find((a) => a.name.toLowerCase() === name.toLowerCase());
 }
-var ACCOUNTS_PATH;
 var init_accounts_store = __esm(() => {
   init_store();
-  ACCOUNTS_PATH = join2(getConfigDir(), "accounts.json");
 });
 
 // src/config/accounts-types.ts
@@ -355,6 +361,7 @@ import {
   ss58Decode,
   validateMnemonic
 } from "@polkadot-labs/hdkd-helpers";
+import { HDKD, secretFromSeed } from "@scure/sr25519";
 import { getPolkadotSigner } from "polkadot-api/signer";
 function isDevAccount(name) {
   return DEV_NAMES.includes(name.toLowerCase());
@@ -381,6 +388,50 @@ function getDevKeypair(name) {
   const path = devDerivationPath(name);
   return deriveFromMnemonic(DEV_PHRASE, path);
 }
+function parseDerivations(path) {
+  const out = [];
+  for (const [, type, code] of path.matchAll(DERIVATION_RE)) {
+    out.push([type === "//" ? "hard" : "soft", code]);
+  }
+  return out;
+}
+function createChainCode(code) {
+  const chainCode = new Uint8Array(32);
+  const asNumber = +code;
+  if (Number.isNaN(asNumber)) {
+    const bytes = new TextEncoder().encode(code);
+    if (bytes.length >= 32) {
+      throw new Error(`Derivation component "${code}" is too long (max 31 bytes)`);
+    }
+    chainCode[0] = bytes.length << 2;
+    chainCode.set(bytes, 1);
+  } else {
+    const n = asNumber >>> 0;
+    chainCode[0] = n & 255;
+    chainCode[1] = n >>> 8 & 255;
+    chainCode[2] = n >>> 16 & 255;
+    chainCode[3] = n >>> 24 & 255;
+  }
+  return chainCode;
+}
+function deriveExpandedSecret(miniSecret, path) {
+  return parseDerivations(path).reduce((sk, [type, code]) => type === "hard" ? HDKD.secretHard(sk, createChainCode(code)) : HDKD.secretSoft(sk, createChainCode(code)), secretFromSeed(miniSecret));
+}
+function miniSecretFromSecret(secret) {
+  const isHexSeed = /^0x[0-9a-fA-F]{64}$/.test(secret);
+  if (isHexSeed) {
+    const clean = secret.slice(2);
+    const bytes = new Uint8Array(32);
+    for (let i = 0;i < clean.length; i += 2) {
+      bytes[i / 2] = parseInt(clean.substring(i, i + 2), 16);
+    }
+    return bytes;
+  }
+  if (!validateMnemonic(secret)) {
+    throw new Error("Invalid secret. Expected a 0x-prefixed 32-byte hex seed or a valid BIP39 mnemonic.");
+  }
+  return entropyToMiniSecret(mnemonicToEntropy(secret));
+}
 function getDevAddress(name, prefix = 42) {
   const keypair = getDevKeypair(name);
   return ss58Address(keypair.publicKey, prefix);
@@ -474,10 +525,37 @@ async function resolveAccountSigner(name) {
   const keypair = await resolveAccountKeypair(name);
   return getPolkadotSigner(keypair.publicKey, "Sr25519", keypair.sign);
 }
-var DEV_NAMES;
+async function resolveAccountExpandedSecret(name) {
+  if (isDevAccount(name)) {
+    const miniSecret2 = entropyToMiniSecret(mnemonicToEntropy(DEV_PHRASE));
+    return deriveExpandedSecret(miniSecret2, devDerivationPath(name));
+  }
+  const accountsFile = await loadAccounts();
+  const account = findAccount(accountsFile, name);
+  if (!account) {
+    const available = [...DEV_NAMES, ...accountsFile.accounts.map((a) => a.name)].sort((a, b) => a.localeCompare(b));
+    const suggestions = findClosest(name, available);
+    const hint = suggestions.length > 0 ? `
+  Did you mean: ${suggestions.join(", ")}?` : "";
+    const list = available.map((a) => `
+    - ${a}`).join("");
+    throw new Error(`Unknown account "${name}".${hint}
+  Available accounts:${list}`);
+  }
+  if (account.secret === undefined) {
+    throw new Error(`Account "${name}" is watch-only (no secret). Cannot derive private key. Import with --secret or --env.`);
+  }
+  const miniSecret = miniSecretFromSecret(resolveSecret(account.secret));
+  return deriveExpandedSecret(miniSecret, account.derivationPath);
+}
+function bytesToHex(bytes) {
+  return "0x" + Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+var DEV_NAMES, DERIVATION_RE;
 var init_accounts = __esm(() => {
   init_accounts_store();
   DEV_NAMES = ["alice", "bob", "charlie", "dave", "eve", "ferdie"];
+  DERIVATION_RE = /(\/{1,2})([^/]+)/g;
 });
 
 // src/utils/binary-display.ts
@@ -556,6 +634,33 @@ function printDocs(docs) {
     console.log(`  ${DIM}${text}${RESET}`);
   }
 }
+function printImportResults(params) {
+  const { added, overwritten, skipped, dryRun, noun } = params;
+  for (const name of added) {
+    console.log(`  ${GREEN}${CHECK_MARK}${RESET} ${name}`);
+  }
+  for (const name of overwritten) {
+    console.log(`  ${YELLOW}⟳${RESET} ${name}${DIM} (overwritten)${RESET}`);
+  }
+  for (const name of skipped) {
+    console.log(`  ${DIM}- ${name} (skipped)${RESET}`);
+  }
+  if (added.length === 0 && overwritten.length === 0 && skipped.length === 0) {
+    const prefix = dryRun ? "(dry run) " : "";
+    console.log(`${prefix}No ${noun}s imported.`);
+    return;
+  }
+  const parts = [];
+  if (added.length > 0)
+    parts.push(`${added.length} added`);
+  if (overwritten.length > 0)
+    parts.push(`${overwritten.length} overwritten`);
+  if (skipped.length > 0)
+    parts.push(`${skipped.length} skipped`);
+  const suffix = dryRun ? " (dry run)" : "";
+  console.log();
+  console.log(`${parts.join(", ")}${suffix}`);
+}
 
 class Spinner {
   timer = null;
@@ -802,6 +907,22 @@ function getSignedExtensions(meta) {
     return [];
   return byVersion[Number(versionKeys[0])] ?? [];
 }
+function getSignedExtensionNames(meta) {
+  return getSignedExtensions(meta).map((e) => e.identifier).sort((a, b) => a.localeCompare(b));
+}
+function findSignedExtension(meta, identifier) {
+  return getSignedExtensions(meta).find((e) => e.identifier.toLowerCase() === identifier.toLowerCase());
+}
+function describeSignedExtension(meta, info) {
+  return {
+    identifier: info.identifier,
+    valueType: describeType(meta.lookup, info.type),
+    additionalSignedType: describeType(meta.lookup, info.additionalSigned),
+    valueTypeId: info.type,
+    additionalSignedTypeId: info.additionalSigned,
+    isBuiltin: PAPI_BUILTIN_EXTENSIONS.has(info.identifier)
+  };
+}
 function getPalletNames(meta) {
   return meta.unified.pallets.map((p) => p.name).sort((a, b) => a.localeCompare(b));
 }
@@ -950,12 +1071,26 @@ function hexToBytes(hex) {
   }
   return bytes;
 }
-var METADATA_TIMEOUT_MS = 15000, optionalOpaqueBytes, v15Arg;
+var METADATA_TIMEOUT_MS = 15000, optionalOpaqueBytes, v15Arg, PAPI_BUILTIN_EXTENSIONS;
 var init_metadata = __esm(() => {
   init_store();
   init_errors();
   optionalOpaqueBytes = Option(Bytes());
   v15Arg = toHex(u32.enc(15));
+  PAPI_BUILTIN_EXTENSIONS = new Set([
+    "CheckNonZeroSender",
+    "CheckSpecVersion",
+    "CheckTxVersion",
+    "CheckGenesis",
+    "CheckMortality",
+    "CheckNonce",
+    "CheckWeight",
+    "ChargeTransactionPayment",
+    "ChargeAssetTxPayment",
+    "CheckMetadataHash",
+    "StorageWeightReclaim",
+    "PrevalidateAttests"
+  ]);
 });
 
 // src/core/explorers.ts
@@ -1325,7 +1460,7 @@ function parsePrimitive(prim, arg) {
       return parseValue(arg);
   }
 }
-var PAPI_BUILTIN_EXTENSIONS, NO_DEFAULT;
+var NO_DEFAULT;
 var init_tx = __esm(() => {
   init_store();
   init_types();
@@ -1337,20 +1472,6 @@ var init_tx = __esm(() => {
   init_binary_display();
   init_errors();
   init_focused_inspect();
-  PAPI_BUILTIN_EXTENSIONS = new Set([
-    "CheckNonZeroSender",
-    "CheckSpecVersion",
-    "CheckTxVersion",
-    "CheckGenesis",
-    "CheckMortality",
-    "CheckNonce",
-    "CheckWeight",
-    "ChargeTransactionPayment",
-    "ChargeAssetTxPayment",
-    "CheckMetadataHash",
-    "StorageWeightReclaim",
-    "PrevalidateAttests"
-  ]);
   NO_DEFAULT = Symbol("no-default");
 });
 
@@ -2046,7 +2167,7 @@ var init_focused_inspect = __esm(() => {
 import { blake2b as blake2b2 } from "@noble/hashes/blake2.js";
 import { sha256 } from "@noble/hashes/sha2.js";
 import { keccak_256 } from "@noble/hashes/sha3.js";
-import { bytesToHex, hexToBytes as hexToBytes2 } from "@noble/hashes/utils.js";
+import { bytesToHex as bytesToHex2, hexToBytes as hexToBytes2 } from "@noble/hashes/utils.js";
 function computeHash(algorithm, data) {
   const algo = ALGORITHMS[algorithm];
   if (!algo) {
@@ -2065,7 +2186,7 @@ function parseInputData(input) {
   return new TextEncoder().encode(input);
 }
 function toHex2(bytes) {
-  return `0x${bytesToHex(bytes)}`;
+  return `0x${bytesToHex2(bytes)}`;
 }
 function isValidAlgorithm(name) {
   return name in ALGORITHMS;
@@ -2124,6 +2245,12 @@ async function loadRuntimeApiNames(_config, chainName) {
     methodNames: a.methods.map((m) => m.name)
   }));
 }
+async function loadExtensionIdentifiers(_config, chainName) {
+  const raw = await loadMetadata(chainName);
+  if (!raw)
+    return null;
+  return getSignedExtensionNames(parseMetadata(raw));
+}
 function filterPallets(pallets, category) {
   switch (category) {
     case "query":
@@ -2263,6 +2390,9 @@ async function completeDotpath(currentWord, config, knownChains, precedingWords)
     if (category === "apis") {
       return completeApisCategory(first, numComplete, endsWithDot, completeSegments, currentWord, config, chainFromFlag);
     }
+    if (category === "extensions") {
+      return completeExtensionsCategory(first, numComplete, endsWithDot, currentWord, config, chainFromFlag);
+    }
     if (numComplete === 1 && endsWithDot) {
       const chainName = chainFromFlag;
       if (!chainName)
@@ -2319,6 +2449,9 @@ async function completeDotpath(currentWord, config, knownChains, precedingWords)
       if (category === "apis") {
         return completeApisCategory(`${first}.${completeSegments[1]}`, numComplete - 1, endsWithDot, completeSegments.slice(1), currentWord, config, chainName);
       }
+      if (category === "extensions") {
+        return completeExtensionsCategory(`${first}.${completeSegments[1]}`, numComplete - 1, endsWithDot, currentWord, config, chainName);
+      }
       const pallets = await loadPallets(config, chainName);
       if (!pallets)
         return [];
@@ -2375,6 +2508,23 @@ async function completeApisCategory(prefix, numComplete, endsWithDot, segments,
   }
   return [];
 }
+async function completeExtensionsCategory(prefix, numComplete, endsWithDot, currentWord, config, chainNameOverride) {
+  const chainName = chainNameOverride;
+  if (!chainName)
+    return [];
+  const names = await loadExtensionIdentifiers(config, chainName);
+  if (!names)
+    return [];
+  if (numComplete === 1 && endsWithDot) {
+    const candidates = names.map((n) => `${prefix}.${n}`);
+    return filterPrefix(candidates, currentWord.slice(0, -1));
+  }
+  if (numComplete === 1 && !endsWithDot) {
+    const candidates = names.map((n) => `${prefix}.${n}`);
+    return filterPrefix(candidates, currentWord);
+  }
+  return [];
+}
 var CATEGORIES2, CATEGORY_ALIASES2, NAMED_COMMANDS, CHAIN_SUBCOMMANDS, ACCOUNT_SUBCOMMANDS, GLOBAL_OPTIONS, TX_OPTIONS, QUERY_OPTIONS;
 var init_complete = __esm(() => {
   init_accounts_store();
@@ -2382,7 +2532,7 @@ var init_complete = __esm(() => {
   init_accounts();
   init_hash();
   init_metadata();
-  CATEGORIES2 = ["query", "tx", "const", "events", "errors", "apis"];
+  CATEGORIES2 = ["query", "tx", "const", "events", "errors", "apis", "extensions"];
   CATEGORY_ALIASES2 = {
     query: "query",
     tx: "tx",
@@ -2394,7 +2544,10 @@ var init_complete = __esm(() => {
     errors: "errors",
     error: "errors",
     apis: "apis",
-    api: "apis"
+    api: "apis",
+    extensions: "extensions",
+    extension: "extensions",
+    ext: "extensions"
   };
   NAMED_COMMANDS = ["chain", "account", "inspect", "hash", "sign", "parachain", "completions"];
   CHAIN_SUBCOMMANDS = ["add", "remove", "update", "list"];
@@ -2428,7 +2581,7 @@ var init_complete = __esm(() => {
 // src/cli.ts
 import cac from "cac";
 // package.json
-var version = "1.14.2";
+var version = "1.15.0";
 
 // src/commands/account.ts
 init_accounts_store();
@@ -2441,31 +2594,30 @@ ${BOLD}Usage:${RESET}
   $ dot account add <name> --secret <s> [--path <derivation>]        Import from BIP39 mnemonic
   $ dot account add <name> --env <VAR> [--path <derivation>]         Import account backed by env variable
   $ dot account create|new <name> [--path <derivation>]              Create a new account
-  $ dot account import <name> --secret <s> [--path <derivation>]     Import from BIP39 mnemonic
-  $ dot account import <name> --env <VAR> [--path <derivation>]      Import account backed by env variable
-  $ dot account import --file <path>                                 Batch-import accounts from a file
+  $ dot account import <file>                                        Batch-import accounts from a file
   $ dot account export [names...]                                    Export accounts to stdout
   $ dot account derive <source> <new-name> --path <derivation>       Derive a child account
-  $ dot account inspect <input> [--prefix <N>]                       Inspect an account/address/key
+  $ dot account inspect <input> [--prefix <N>] [--show-secret]       Inspect an account/address/key
   $ dot account list                                                 List all accounts
   $ dot account remove|delete <name> [name2] ...                     Remove stored account(s)
 
 ${BOLD}Examples:${RESET}
   $ dot account add treasury 5GrwvaEF5zXb26Fz9rcQpDWS57CtERHpNehXCPcNoHGKutQY
+  $ dot account add treasury --secret "word1 word2 ... word12"
+  $ dot account add ci-signer --env MY_SECRET --path //ci
   $ dot account create my-validator
   $ dot account create my-staking --path //staking
   $ dot account create multi --path //polkadot//0/wallet
-  $ dot account import treasury --secret "word1 word2 ... word12"
-  $ dot account import ci-signer --env MY_SECRET --path //ci
-  $ dot account import --file team-accounts.json
-  $ dot account import --file accounts.json --dry-run
-  $ dot account import --file accounts.json --overwrite
+  $ dot account import team-accounts.json
+  $ dot account import accounts.json --dry-run
+  $ dot account import accounts.json --overwrite
   $ dot account export
   $ dot account export treasury my-validator
   $ dot account export --include-secrets --file backup.json
   $ dot account export --watch-only
   $ dot account derive treasury treasury-staking --path //staking
   $ dot account inspect alice
+  $ dot account inspect dave --show-secret
   $ dot account inspect 5GrwvaEF5zXb26Fz9rcQpDWS57CtERHpNehXCPcNoHGKutQY
   $ dot account inspect 0xd435...a27d --prefix 0
   $ dot account list
@@ -2476,7 +2628,7 @@ ${YELLOW}Note: Secrets are stored unencrypted in ~/.polkadot/accounts.json.
       Hex seed import (0x...) is not supported via CLI.${RESET}
 `.trimStart();
 function registerAccountCommands(cli) {
-  cli.command("account [action] [...names]", "Manage local accounts (create, import, list, remove, export)").alias("accounts").option("--secret <value>", "Secret key (mnemonic or hex seed) for import").option("--env <varName>", "Environment variable name holding the secret").option("--path <derivation>", "Derivation path (e.g. //staking, //polkadot//0/wallet)").option("--prefix <number>", "SS58 prefix for address encoding (default: 42)").option("--file <path>", "Input/output file for batch import/export").option("--overwrite", "Overwrite existing accounts on batch import").option("--dry-run", "Preview batch import without applying changes").option("--include-secrets", "Include secrets in export (redacted by default)").option("--watch-only", "Export only watch-only accounts").action(async (action, names, opts) => {
+  cli.command("account [action] [...names]", "Manage local accounts (create, import, list, remove, export)").alias("accounts").option("--secret <value>", "Secret key (mnemonic or hex seed) for import").option("--env <varName>", "Environment variable name holding the secret").option("--path <derivation>", "Derivation path (e.g. //staking, //polkadot//0/wallet)").option("--prefix <number>", "SS58 prefix for address encoding (default: 42)").option("--file <path>", "Input/output file for batch import/export").option("--overwrite", "Overwrite existing accounts on batch import").option("--dry-run", "Preview batch import without applying changes").option("--include-secrets", "Include secrets in export (redacted by default)").option("--watch-only", "Export only watch-only accounts").option("--show-secret", "Reveal the 64-byte sr25519 expanded private key (inspect only)").action(async (action, names, opts) => {
     if (!action) {
       if (process.argv[2] === "accounts")
         return accountList(opts);
@@ -2492,9 +2644,7 @@ function registerAccountCommands(cli) {
           return accountImport(names[0], opts);
         return accountAddWatchOnly(names[0], names[1], opts);
       case "import":
-        if (opts.file)
-          return accountBatchImport(opts);
-        return accountImport(names[0], opts);
+        return accountBatchImport(names[0], opts);
       case "export":
         return accountExport(names, opts);
       case "derive":
@@ -2893,16 +3043,19 @@ async function accountInspect(input, opts) {
   let name;
   let publicKeyHex;
   let bandersnatch;
+  let hasSecret = false;
   if (isDevAccount(input)) {
     name = input.charAt(0).toUpperCase() + input.slice(1).toLowerCase();
     const devAddr = getDevAddress(input);
     publicKeyHex = publicKeyToHex(fromSs58(devAddr));
+    hasSecret = true;
   } else {
     const accountsFile = await loadAccounts();
     const account = findAccount(accountsFile, input);
     if (account) {
       name = account.name;
       bandersnatch = account.bandersnatch;
+      hasSecret = account.secret !== undefined;
       if (account.publicKey) {
         publicKeyHex = account.publicKey;
       } else if (account.secret !== undefined && isEnvSecret(account.secret)) {
@@ -2929,12 +3082,31 @@ async function accountInspect(input, opts) {
     }
   }
   const ss58 = toSs58(publicKeyHex, prefix);
+  let privateKeyHex;
+  if (opts.showSecret) {
+    if (!name) {
+      console.error("--show-secret requires an account name; raw addresses and hex keys have no secret to reveal.");
+      process.exit(1);
+    }
+    if (!hasSecret) {
+      console.error(`Account "${name}" is watch-only (no secret). Cannot reveal private key.`);
+      process.exit(1);
+    }
+    try {
+      privateKeyHex = bytesToHex(await resolveAccountExpandedSecret(input));
+    } catch (err) {
+      console.error(err.message);
+      process.exit(1);
+    }
+  }
   if (isJsonOutput(opts)) {
     const result = { publicKey: publicKeyHex, ss58, prefix };
     if (name)
       result.name = name;
     if (bandersnatch && Object.keys(bandersnatch).length > 0)
       result.bandersnatch = bandersnatch;
+    if (privateKeyHex)
+      result.privateKey = privateKeyHex;
     console.log(formatJson(result));
   } else {
     printHeading("Account Info");
@@ -2955,6 +3127,10 @@ async function accountInspect(input, opts) {
       }
     }
     console.log(`  ${BOLD}Prefix:${RESET}      ${prefix}`);
+    if (privateKeyHex) {
+      console.log(`  ${BOLD}Private Key:${RESET} ${privateKeyHex}`);
+      console.log(`               ${YELLOW}(sr25519 expanded, 64 bytes — never share)${RESET}`);
+    }
     console.log();
   }
 }
@@ -3019,12 +3195,17 @@ async function accountExport(names, opts) {
     process.stdout.write(json);
   }
 }
-async function accountBatchImport(opts) {
+async function accountBatchImport(filePath, opts) {
+  const inputPath = filePath ?? opts.file;
   let raw;
-  if (!opts.file || opts.file === "-") {
+  if (!inputPath || inputPath === "-") {
+    if (process.stdin.isTTY) {
+      console.log(ACCOUNT_HELP);
+      return;
+    }
     raw = await readStdin();
   } else {
-    raw = await readFile3(opts.file, "utf-8");
+    raw = await readFile3(inputPath, "utf-8");
   }
   let importData;
   try {
@@ -3103,16 +3284,13 @@ async function accountBatchImport(opts) {
     }));
     return;
   }
-  const prefix = opts.dryRun ? "(dry run) " : "";
-  if (added.length > 0)
-    console.log(`${prefix}Added: ${added.join(", ")}`);
-  if (overwritten.length > 0)
-    console.log(`${prefix}Overwritten: ${overwritten.join(", ")}`);
-  if (skipped.length > 0)
-    console.log(`${prefix}Skipped: ${skipped.join(", ")}`);
-  if (added.length === 0 && overwritten.length === 0) {
-    console.log(`${prefix}No accounts imported.`);
-  }
+  printImportResults({
+    added,
+    overwritten,
+    skipped,
+    dryRun: opts.dryRun ?? false,
+    noun: "account"
+  });
 }
 
 // src/commands/apis.ts
@@ -3264,9 +3442,10 @@ ${BOLD}Examples:${RESET}
   $ dot chain import my-chains.json
   $ dot chain import my-chains.json --dry-run
   $ dot chain import my-chains.json --overwrite
+  $ dot chain import my-chains.json --no-metadata
 `.trimStart();
 function registerChainCommands(cli) {
-  cli.command("chain [action] [...names]", "Manage chains (add, remove, update, list, export, import)").alias("chains").option("--all", "Update/export all configured chains").option("--relay <name>", "Parent relay chain for this parachain").option("--parachain-id <id>", "Parachain ID (auto-detected if omitted with --relay)").option("--file <path>", "Output/input file for export/import").option("--overwrite", "Overwrite existing chains on import").option("--dry-run", "Preview import without applying changes").action(async (action, names, opts) => {
+  cli.command("chain [action] [...names]", "Manage chains (add, remove, update, list, export, import)").alias("chains").option("--all", "Update/export all configured chains").option("--relay <name>", "Parent relay chain for this parachain").option("--parachain-id <id>", "Parachain ID (auto-detected if omitted with --relay)").option("--file <path>", "Output/input file for export/import").option("--overwrite", "Overwrite existing chains on import").option("--dry-run", "Preview import without applying changes").option("--no-metadata", "Skip automatic metadata fetch after import").action(async (action, names, opts) => {
     if (!action) {
       if (process.argv[2] === "chains")
         return chainList(opts);
@@ -3476,7 +3655,17 @@ async function chainUpdate(name, opts) {
 }
 async function chainUpdateAll(config) {
   const chainNames = Object.keys(config.chains).sort();
-  process.stderr.write(`Updating metadata for ${chainNames.length} chains...
+  const failed = await updateChainsMetadata(config, chainNames);
+  if (failed > 0) {
+    console.error(`
+${failed} of ${chainNames.length} chains failed to update.`);
+    process.exit(1);
+  }
+}
+async function updateChainsMetadata(config, chainNames) {
+  if (chainNames.length === 0)
+    return 0;
+  process.stderr.write(`Updating metadata for ${chainNames.length} chain(s)...
 
 `);
   const results = await Promise.allSettled(chainNames.map(async (chainName) => {
@@ -3497,12 +3686,7 @@ async function chainUpdateAll(config) {
       console.log(`  ${RED}✗${RESET} ${name}${DIM} — ${result.reason?.message ?? "unknown error"}${RESET}`);
     }
   }
-  const failed = results.filter((r) => r.status === "rejected").length;
-  if (failed > 0) {
-    console.error(`
-${failed} of ${chainNames.length} chains failed to update.`);
-    process.exit(1);
-  }
+  return results.filter((r) => r.status === "rejected").length;
 }
 function isBuiltinModified(name, config) {
   const defaultRpc = DEFAULT_CONFIG.chains[name]?.rpc;
@@ -3561,10 +3745,14 @@ async function chainExport(names, opts) {
 async function chainImport(filePath, opts) {
   const inputPath = filePath ?? opts.file;
   let raw;
-  if (inputPath && inputPath !== "-") {
-    raw = await readFile4(inputPath, "utf-8");
-  } else {
+  if (!inputPath || inputPath === "-") {
+    if (process.stdin.isTTY) {
+      console.log(CHAIN_HELP);
+      return;
+    }
     raw = await readStdin2();
+  } else {
+    raw = await readFile4(inputPath, "utf-8");
   }
   let importData;
   try {
@@ -3618,18 +3806,16 @@ async function chainImport(filePath, opts) {
     }));
     return;
   }
-  const prefix = opts.dryRun ? "(dry run) " : "";
-  if (added.length > 0)
-    console.log(`${prefix}Added: ${added.join(", ")}`);
-  if (overwritten.length > 0)
-    console.log(`${prefix}Overwritten: ${overwritten.join(", ")}`);
-  if (skipped.length > 0)
-    console.log(`${prefix}Skipped: ${skipped.join(", ")}`);
-  if (added.length === 0 && overwritten.length === 0) {
-    console.log(`${prefix}No chains imported.`);
-  } else if (!opts.dryRun) {
-    console.error(`
-Run "dot chain update --all" to fetch metadata for imported chains.`);
+  printImportResults({
+    added,
+    overwritten,
+    skipped,
+    dryRun: opts.dryRun ?? false,
+    noun: "chain"
+  });
+  if (!opts.dryRun && opts.metadata !== false && (added.length > 0 || overwritten.length > 0)) {
+    console.log();
+    await updateChainsMetadata(config, [...added, ...overwritten]);
   }
 }
 
@@ -4373,6 +4559,61 @@ async function showItemHelp2(category, target, opts) {
     }
   }
 }
+async function handleExtensions(target, opts) {
+  const config = await loadConfig();
+  const { name: chainName, chain: chainConfig } = resolveChain(config, opts.chain);
+  const meta = await loadMeta2(chainName, chainConfig, opts.rpc);
+  if (!target) {
+    const extensions = getSignedExtensions(meta).map((e) => describeSignedExtension(meta, e)).sort((a, b) => a.identifier.localeCompare(b.identifier));
+    if (isJsonOutput(opts)) {
+      console.log(formatJson({
+        chain: chainName,
+        extensions: extensions.map((e) => ({
+          identifier: e.identifier,
+          valueType: e.valueType,
+          additionalSignedType: e.additionalSignedType,
+          isBuiltin: e.isBuiltin
+        }))
+      }));
+      return;
+    }
+    printHeading(`Transaction extensions on ${chainName} (${extensions.length})`);
+    for (const e of extensions) {
+      const tag = e.isBuiltin ? `${DIM}[builtin]${RESET}` : `${CYAN}[custom]${RESET}`;
+      printItem(e.identifier, `${e.valueType}  ${tag}`);
+    }
+    console.log();
+    return;
+  }
+  const info = findSignedExtension(meta, target);
+  if (!info) {
+    const names = getSignedExtensionNames(meta);
+    throw new Error(suggestMessage("transaction extension", target, names));
+  }
+  const described = describeSignedExtension(meta, info);
+  if (isJsonOutput(opts)) {
+    console.log(formatJson({
+      chain: chainName,
+      identifier: described.identifier,
+      valueType: described.valueType,
+      additionalSignedType: described.additionalSignedType,
+      valueTypeId: described.valueTypeId,
+      additionalSignedTypeId: described.additionalSignedTypeId,
+      isBuiltin: described.isBuiltin
+    }));
+    return;
+  }
+  printHeading(`${described.identifier} (Transaction Extension)`);
+  console.log(`  ${BOLD}Value type:${RESET}       ${described.valueType}`);
+  console.log(`  ${BOLD}AdditionalSigned:${RESET} ${described.additionalSignedType}`);
+  console.log(`  ${BOLD}Handled by:${RESET}       ${described.isBuiltin ? "polkadot-api (builtin)" : "user (custom — provide via --ext)"}`);
+  if (!described.isBuiltin) {
+    console.log();
+    console.log(`${BOLD}Usage:${RESET}`);
+    console.log(`  dot ${chainName}.tx.<Pallet>.<Call> --from <acc> --ext '{"${described.identifier}":{"value":<v>}}'`);
+  }
+  console.log();
+}
 
 // src/commands/hash.ts
 init_hash();
@@ -5399,7 +5640,7 @@ async function handleTx(target, args, opts) {
     const at = parseAtOption(opts.at);
     if (!decodeOnly || opts.unsigned) {
       const userExtOverrides = parseExtOption(opts.ext);
-      const skipBuiltins = asset !== undefined ? new Set([...PAPI_BUILTIN_EXTENSIONS2].filter((e) => e !== "ChargeAssetTxPayment")) : PAPI_BUILTIN_EXTENSIONS2;
+      const skipBuiltins = asset !== undefined ? new Set([...PAPI_BUILTIN_EXTENSIONS].filter((e) => e !== "ChargeAssetTxPayment")) : PAPI_BUILTIN_EXTENSIONS;
       if (asset !== undefined) {
         userExtOverrides.ChargeAssetTxPayment ??= {
           value: { tip: tip ?? 0n, asset_id: asset }
@@ -6330,20 +6571,6 @@ function parsePrimitive2(prim, arg) {
       return parseValue(arg);
   }
 }
-var PAPI_BUILTIN_EXTENSIONS2 = new Set([
-  "CheckNonZeroSender",
-  "CheckSpecVersion",
-  "CheckTxVersion",
-  "CheckGenesis",
-  "CheckMortality",
-  "CheckNonce",
-  "CheckWeight",
-  "ChargeTransactionPayment",
-  "ChargeAssetTxPayment",
-  "CheckMetadataHash",
-  "StorageWeightReclaim",
-  "PrevalidateAttests"
-]);
 function parseExtOption(ext) {
   if (!ext)
     return {};
@@ -6361,7 +6588,7 @@ function parseExtOption(ext) {
   }
 }
 var NO_DEFAULT2 = Symbol("no-default");
-function buildCustomSignedExtensions(meta, userOverrides, builtins = PAPI_BUILTIN_EXTENSIONS2) {
+function buildCustomSignedExtensions(meta, userOverrides, builtins = PAPI_BUILTIN_EXTENSIONS) {
   const result = {};
   const extensions = getSignedExtensions(meta);
   for (const ext of extensions) {
@@ -6698,9 +6925,13 @@ init_types();
 import { access as access3, mkdir as mkdir3, readFile as readFile7, rm as rm2, writeFile as writeFile5 } from "node:fs/promises";
 import { homedir as homedir2 } from "node:os";
 import { join as join3 } from "node:path";
-var DOT_DIR2 = join3(homedir2(), ".polkadot");
-var CONFIG_PATH2 = join3(DOT_DIR2, "config.json");
-var CHAINS_DIR2 = join3(DOT_DIR2, "chains");
+function getConfigDir2() {
+  const override = process.env.DOT_HOME;
+  return override && override.length > 0 ? override : join3(homedir2(), ".polkadot");
+}
+function getConfigPath2() {
+  return join3(getConfigDir2(), "config.json");
+}
 async function ensureDir3(dir) {
   await mkdir3(dir, { recursive: true });
 }
@@ -6713,9 +6944,10 @@ async function fileExists3(path) {
   }
 }
 async function loadConfig2() {
-  await ensureDir3(DOT_DIR2);
-  if (await fileExists3(CONFIG_PATH2)) {
-    const saved = JSON.parse(await readFile7(CONFIG_PATH2, "utf-8"));
+  await ensureDir3(getConfigDir2());
+  const configPath = getConfigPath2();
+  if (await fileExists3(configPath)) {
+    const saved = JSON.parse(await readFile7(configPath, "utf-8"));
     const chains = {};
     for (const [name, defaultConfig] of Object.entries(DEFAULT_CONFIG.chains)) {
       chains[name] = saved.chains[name] ? { ...defaultConfig, ...saved.chains[name] } : defaultConfig;
@@ -6731,8 +6963,8 @@ async function loadConfig2() {
   return DEFAULT_CONFIG;
 }
 async function saveConfig2(config) {
-  await ensureDir3(DOT_DIR2);
-  await writeFile5(CONFIG_PATH2, `${JSON.stringify(config, null, 2)}
+  await ensureDir3(getConfigDir2());
+  await writeFile5(getConfigPath2(), `${JSON.stringify(config, null, 2)}
 `);
 }
 
@@ -7012,7 +7244,10 @@ var CATEGORY_ALIASES = {
   errors: "errors",
   error: "errors",
   apis: "apis",
-  api: "apis"
+  api: "apis",
+  extensions: "extensions",
+  extension: "extensions",
+  ext: "extensions"
 };
 function matchCategory(segment) {
   return CATEGORY_ALIASES[segment.toLowerCase()];
@@ -7027,7 +7262,7 @@ function parseDotPath(input, knownChains = []) {
       const cat = matchCategory(parts[0]);
       if (cat)
         return { category: cat };
-      throw new Error(`Unknown command "${parts[0]}". Expected a category (query, tx, const, events, errors, apis) or a named command.`);
+      throw new Error(`Unknown command "${parts[0]}". Expected a category (query, tx, const, events, errors, apis, extensions) or a named command.`);
     }
     case 2: {
       const cat = matchCategory(parts[0]);
@@ -7108,6 +7343,7 @@ if (process.argv[2] === "__complete") {
     console.log("  events    List or inspect pallet events");
     console.log("  errors    List or inspect pallet errors");
     console.log("  apis      Browse and call runtime APIs");
+    console.log("  extensions  List transaction extensions on a chain");
     console.log();
     console.log("Examples:");
     console.log("  dot polkadot.query.System.Account <addr>            Query a storage item");
@@ -7117,6 +7353,8 @@ if (process.argv[2] === "__complete") {
     console.log("  dot polkadot.const.Balances.ExistentialDeposit");
     console.log("  dot polkadot.events.Balances                        List events in Balances");
     console.log("  dot polkadot.apis.Core.version                      Call a runtime API");
+    console.log("  dot polkadot.extensions                             List transaction extensions");
+    console.log("  dot polkadot.extensions.CheckMortality              Inspect one extension");
     console.log("  dot query.System.Number --chain polkadot            --chain flag form");
     console.log("  dot ./transfer.yaml --from alice                    Run from file (chain in YAML)");
     console.log("  dot tx.0x1f0003... --to-yaml --chain polkadot       Decode hex call to YAML");
@@ -7283,6 +7521,14 @@ if (process.argv[2] === "__complete") {
       case "apis":
         await handleApis2(target, args, handlerOpts);
         break;
+      case "extensions": {
+        if (parsed.item) {
+          const suggestion = parsed.chain ? `dot ${parsed.chain}.extensions.${parsed.pallet}` : opts.chain ? `dot extensions.${parsed.pallet} --chain ${opts.chain}` : `dot extensions.${parsed.pallet} --chain <chain>`;
+          throw new CliError2(`Transaction extensions have no sub-items. Try "${suggestion}".`);
+        }
+        await handleExtensions(parsed.pallet, handlerOpts);
+        break;
+      }
     }
   });
   cli.option("--help, -h", "Display this message");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "polkadot-cli",
-  "version": "1.14.2",
+  "version": "1.15.0",
   "description": "CLI tool for querying Polkadot-ecosystem on-chain state",
   "type": "module",
   "bin": {
@@ -43,6 +43,7 @@
     "@polkadot-api/view-builder": "^0.5.1",
     "@polkadot-labs/hdkd": "^0.0.28",
     "@polkadot-labs/hdkd-helpers": "^0.0.29",
+    "@scure/sr25519": "^1.0.0",
     "cac": "^6.7.14",
     "polkadot-api": "^2.0.1",
     "verifiablejs": "^1.2.0",