polkadot-cli 1.19.0 → 1.21.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +148 -40
- package/dist/cli.mjs +879 -277
- package/package.json +7 -7
package/README.md
CHANGED
|
@@ -18,6 +18,7 @@ Ships with Polkadot and all system parachains preconfigured with multiple fallba
|
|
|
18
18
|
- ✅ Built with agent use in mind — structured JSON output on every command (`--json`)
|
|
19
19
|
- ✅ Fuzzy matching with typo suggestions
|
|
20
20
|
- ✅ Account management — BIP39 mnemonics, derivation paths, env-backed secrets, watch-only, dev accounts
|
|
21
|
+
- ✅ Local workspaces — `dot init` creates a `.polkadot/` in any directory, auto-discovered git-style and fully isolated from your global `~/.polkadot`
|
|
21
22
|
- ✅ Named address resolution across all commands
|
|
22
23
|
- ✅ Runtime API calls — `dot polkadot.apis.Core.version`
|
|
23
24
|
- ✅ Raw JSON-RPC calls — `dot polkadot.rpc.system_health`, with discovery via `rpc_methods` and tab-completion
|
|
@@ -280,6 +281,10 @@ dot account create my-staking --path //staking
|
|
|
280
281
|
# Add a keyed account from a BIP39 mnemonic
|
|
281
282
|
dot account add treasury --secret "word1 word2 ... word12"
|
|
282
283
|
|
|
284
|
+
# Add from a 32-byte hex seed or a 64-byte raw sr25519 private key
|
|
285
|
+
dot account add seeded --secret 0x1111111111111111111111111111111111111111111111111111111111111111
|
|
286
|
+
dot account add raw-key --secret 0x<128-hex-char expanded secret> # no --path
|
|
287
|
+
|
|
283
288
|
# Add with a derivation path
|
|
284
289
|
dot account add hot-wallet --secret "word1 word2 ... word12" --path //hot
|
|
285
290
|
|
|
@@ -313,6 +318,7 @@ dot account inspect 5GrwvaEF5zXb26Fz9rcQpDWS57CtERHpNehXCPcNoHGKutQY
|
|
|
313
318
|
dot account inspect 0xd43593c715fdd31c61141abd04a99fd6822c8558854ccde39a5684e7a56da27d
|
|
314
319
|
dot account inspect alice --prefix 0 # Polkadot mainnet prefix
|
|
315
320
|
dot account inspect alice --json # JSON output
|
|
321
|
+
dot account inspect dave --show-secret # reveal mnemonic + sr25519 private key
|
|
316
322
|
```
|
|
317
323
|
|
|
318
324
|
#### Watch-only accounts
|
|
@@ -484,16 +490,21 @@ dot account inspect --pallet-id py/trsry --json
|
|
|
484
490
|
|
|
485
491
|
Constraints (will error): cannot combine a positional input with derivation flags; `--pallet-id` and `--parachain` are mutually exclusive; `--parachain` requires `--parachain-type child|sibling`; `--show-secret` doesn't apply (derived sovereigns have no key).
|
|
486
492
|
|
|
487
|
-
#### Reveal the sr25519 private key
|
|
493
|
+
#### Reveal the mnemonic and sr25519 private key
|
|
488
494
|
|
|
489
|
-
For provisioning another signer (e.g. a server that expects a raw hex private key in an env var), add `--show-secret` to print the **64-byte sr25519 expanded secret** as `0x`-prefixed hex:
|
|
495
|
+
For provisioning another signer (e.g. a server that expects a raw hex private key in an env var), add `--show-secret` to print the **64-byte sr25519 expanded secret** as `0x`-prefixed hex. It also reveals the **stored mnemonic** (or hex seed) so you can back it up:
|
|
490
496
|
|
|
491
497
|
```bash
|
|
492
|
-
dot account inspect
|
|
493
|
-
#
|
|
498
|
+
dot account inspect my-validator --show-secret
|
|
499
|
+
# Mnemonic: word1 word2 ... word12 (only for accounts stored as a phrase)
|
|
500
|
+
# Private Key: 0x<128 hex chars> (sr25519 expanded, 64 bytes — never share)
|
|
494
501
|
```
|
|
495
502
|
|
|
496
|
-
Works for dev accounts (derived on-the-fly from the standard dev mnemonic) and for stored accounts that have a secret
|
|
503
|
+
Works for dev accounts (derived on-the-fly from the standard dev mnemonic) and for stored accounts that have a secret. Refuses on watch-only accounts, bare SS58 addresses, or hex public keys. The revealed line depends on how the account was stored: a phrase shows under `Mnemonic`, a 32-byte hex seed under `Seed`, and a raw private key shows only the `Private Key` (the stored secret already _is_ the expanded key). **Env-backed secrets are never resolved to disk output** — only the `$VAR` reference is shown. The expanded `Private Key` is the final secret after any derivation path is applied, so it can be fed directly to signers that don't accept a mnemonic+path (e.g. `@scure/sr25519`'s `sign`, or services like identity-backend that read a `PROXY_PRIVATE_KEY`). Combine with `--json` to include the values under the `mnemonic`/`seed` and `privateKey` fields.
|
|
504
|
+
|
|
505
|
+
The revealed `Private Key` round-trips: you can re-import it as a usable account (see [Import a raw private key](#import-a-raw-private-key) below).
|
|
506
|
+
|
|
507
|
+
> **Note:** if the account was stored with a derivation path, the revealed `Mnemonic`/`Seed` reproduces the original address **only when re-imported with the same `--path`** (shown on the `Derivation` line). The `Private Key` already bakes in the path, so it round-trips on its own.
|
|
497
508
|
|
|
498
509
|
#### Env-var-backed accounts
|
|
499
510
|
|
|
@@ -540,12 +551,29 @@ Signers
|
|
|
540
551
|
|
|
541
552
|
**Supported secret formats for import:**
|
|
542
553
|
|
|
543
|
-
| Format | Example |
|
|
544
|
-
|
|
545
|
-
| BIP39 mnemonic (12/24 words) | `"abandon abandon ... about"` |
|
|
546
|
-
| Hex seed (`0x` + 64 hex chars) | `
|
|
554
|
+
| Format | Example | `--path`? |
|
|
555
|
+
|--------|---------|-----------|
|
|
556
|
+
| BIP39 mnemonic (12/24 words) | `"abandon abandon ... about"` | Yes |
|
|
557
|
+
| Hex seed (`0x` + 64 hex chars = 32 bytes) | `0x1111...1111` | Yes |
|
|
558
|
+
| Raw private key (`0x` + 128 hex chars = 64-byte sr25519 expanded secret) | `0x20e0...5568` | No (cannot be HD-derived) |
|
|
559
|
+
|
|
560
|
+
All three formats work directly from the command line via `--secret` or via `--env`.
|
|
561
|
+
|
|
562
|
+
#### Import a raw private key
|
|
563
|
+
|
|
564
|
+
The 64-byte expanded secret that `--show-secret` prints can be re-imported as a fully usable, signing-capable account. This is the round-trip companion to `--show-secret` — handy when a key only exists in expanded form (e.g. exported from another tool or read from a `PROXY_PRIVATE_KEY` env var):
|
|
547
565
|
|
|
548
|
-
|
|
566
|
+
```bash
|
|
567
|
+
# Round-trip: reveal dave's expanded secret, then import it under a new name
|
|
568
|
+
SECRET=$(dot account inspect dave --show-secret --json | jq -r .privateKey)
|
|
569
|
+
dot account add raw-dave --secret "$SECRET"
|
|
570
|
+
# raw-dave now has the same address as dave and can sign
|
|
571
|
+
|
|
572
|
+
# Or from an environment variable (secret stays off disk)
|
|
573
|
+
dot account add server-signer --env PROXY_PRIVATE_KEY
|
|
574
|
+
```
|
|
575
|
+
|
|
576
|
+
A raw private key cannot be HD-derived, so `--path` is rejected for this format. Imported expanded-secret accounts sign exactly like mnemonic-backed ones.
|
|
549
577
|
|
|
550
578
|
#### Export/import accounts
|
|
551
579
|
|
|
@@ -1860,48 +1888,89 @@ dot parachain 1000 --type child --json
|
|
|
1860
1888
|
dot account inspect --parachain 1000 --parachain-type child --json
|
|
1861
1889
|
```
|
|
1862
1890
|
|
|
1863
|
-
### Bandersnatch member keys
|
|
1891
|
+
### Bandersnatch / verifiable (member keys, ring-VRF proofs, signing)
|
|
1892
|
+
|
|
1893
|
+
`dot verifiable` is a set of composable, unopinionated primitives over the
|
|
1894
|
+
[`verifiablejs`](https://github.com/paritytech/verifiablejs) WASM library: derive
|
|
1895
|
+
member keys, sign, generate and verify ring-VRF proofs, and encode member sets.
|
|
1896
|
+
Every action is bytes-in, bytes-out — it takes hex / `--file` / `--stdin` input
|
|
1897
|
+
and supports `--output json`, so it pipes together and composes with any data
|
|
1898
|
+
(for example values you fetched on-chain with `dot` beforehand). It makes no
|
|
1899
|
+
assumptions and does no fetching or selection of its own.
|
|
1900
|
+
|
|
1901
|
+
#### Two concepts you must not conflate
|
|
1902
|
+
|
|
1903
|
+
```
|
|
1904
|
+
Mnemonic ─BIP39─▶ entropy ─keyed blake2b─▶ member entropy ─▶ member key / secret
|
|
1905
|
+
(key = --entropy-key) │
|
|
1906
|
+
ring proof: one_shot(…, --context, --message)
|
|
1907
|
+
```
|
|
1908
|
+
|
|
1909
|
+
- **`--entropy-key <text|0xhex>`** — the key mixed into the keyed-blake2b that
|
|
1910
|
+
turns your mnemonic into the Bandersnatch member entropy. **Omit** it for a
|
|
1911
|
+
**lite** person (unkeyed); use **`candidate`** for a **full** person. It must
|
|
1912
|
+
match the key used when the member was recognised on-chain, or you derive a
|
|
1913
|
+
different (unrecognised) member key. It is **not** an sr25519 derivation path
|
|
1914
|
+
and **not** the ring `--context`. (The value is the raw UTF-8 — or hex — bytes
|
|
1915
|
+
of the blake2b key; this matches the iOS/Android clients, which key the
|
|
1916
|
+
"full person" deriver with `"candidate"`.)
|
|
1917
|
+
- **`--context <text|0xhex>`** — the **32-byte ring/proof namespace** (e.g.
|
|
1918
|
+
`"dotns"`), zero-padded right to 32 bytes like Solidity `bytes32()`. It
|
|
1919
|
+
determines the alias and is named `context` across the runtime
|
|
1920
|
+
(`type Context = [u8;32]`), the iOS client, and verifiablejs. Used by
|
|
1921
|
+
`alias` / `prove` / `verify`.
|
|
1922
|
+
|
|
1923
|
+
> **Migration (breaking):** previously `dot verifiable <account> --context
|
|
1924
|
+
> candidate` used `--context` as the entropy-derivation key. That key is now
|
|
1925
|
+
> `--entropy-key`, and `--context` means the ring context. For one release the
|
|
1926
|
+
> old form still works on the member command (with a deprecation warning); use
|
|
1927
|
+
> `--entropy-key` going forward.
|
|
1864
1928
|
|
|
1865
|
-
|
|
1929
|
+
#### Member keys
|
|
1866
1930
|
|
|
1867
1931
|
```bash
|
|
1868
|
-
#
|
|
1932
|
+
# Lite person (unkeyed)
|
|
1869
1933
|
dot verifiable alice
|
|
1870
|
-
# Output:
|
|
1871
|
-
# Bandersnatch Member Key
|
|
1872
|
-
#
|
|
1873
1934
|
# Account: alice
|
|
1874
|
-
# Member Key:
|
|
1935
|
+
# Member Key: 0xbb6ee099b568f1844d62fc00e6305c2e83aa8da30ce59e664ef39e089204d43c
|
|
1875
1936
|
|
|
1876
|
-
#
|
|
1877
|
-
dot verifiable alice --
|
|
1878
|
-
#
|
|
1879
|
-
#
|
|
1880
|
-
#
|
|
1881
|
-
|
|
1882
|
-
# Context: candidate
|
|
1883
|
-
# Member Key: 0x2fd5b74033d904cf5575b932507939c5d43811e488223229eaf5596565f15ae6
|
|
1937
|
+
# Full person (candidate-keyed)
|
|
1938
|
+
dot verifiable alice --entropy-key candidate
|
|
1939
|
+
# Account: alice
|
|
1940
|
+
# Entropy Key: candidate
|
|
1941
|
+
# Member Key: 0x5f915576987547d3e55bb4129ac8cae1d338f8933073dc74272b4c825f738592
|
|
1942
|
+
```
|
|
1884
1943
|
|
|
1885
|
-
|
|
1886
|
-
dot verifiable alice --context pps
|
|
1944
|
+
Derived keys are saved to the account store and shown in `dot account inspect`.
|
|
1887
1945
|
|
|
1888
|
-
|
|
1889
|
-
dot verifiable alice --context candidate --json
|
|
1890
|
-
```
|
|
1946
|
+
#### Alias, sign, prove, verify
|
|
1891
1947
|
|
|
1892
|
-
|
|
1948
|
+
```bash
|
|
1949
|
+
# Alias for a ring context (deterministic in entropy + context)
|
|
1950
|
+
dot verifiable alias alice --entropy-key candidate --context dotns
|
|
1893
1951
|
|
|
1894
|
-
|
|
1895
|
-
|
|
1896
|
-
|
|
1952
|
+
# Standalone Bandersnatch signature (64 bytes)
|
|
1953
|
+
dot verifiable sign alice --message "hello" --entropy-key candidate
|
|
1954
|
+
dot verifiable verify-sig --signature 0x… --member 0x… --message "hello"
|
|
1897
1955
|
|
|
1898
|
-
-
|
|
1899
|
-
|
|
1900
|
-
|
|
1956
|
+
# Ring-VRF proof over a members set, then verify it locally
|
|
1957
|
+
dot verifiable members 0x<key> 0x<key> --output json # SCALE-encode the ring
|
|
1958
|
+
dot verifiable prove alice --entropy-key candidate --context dotns \
|
|
1959
|
+
--message 0x… --members 0x… --output json
|
|
1960
|
+
dot verifiable verify --proof 0x… --context dotns --message 0x… --members 0x…
|
|
1961
|
+
# verify exits non-zero if the proof does not validate
|
|
1962
|
+
```
|
|
1901
1963
|
|
|
1902
|
-
|
|
1964
|
+
`dot verifiable` is deliberately scoped to **raw verifiable crypto** — bytes in,
|
|
1965
|
+
bytes out, with no knowledge of Polkadot chains, pallets, or collections (the
|
|
1966
|
+
same way `dot sign` is just sr25519). It does no automated fetching or selection
|
|
1967
|
+
and assumes nothing about how the bytes were produced or where they go: supply
|
|
1968
|
+
the members/context/message yourself (e.g. read from chain with `dot` first), and
|
|
1969
|
+
use the resulting signature or proof however you need — as a value in a `dot`
|
|
1970
|
+
extrinsic or signed extension, or anywhere else.
|
|
1903
1971
|
|
|
1904
|
-
Run `dot verifiable` with no arguments
|
|
1972
|
+
Run `dot verifiable` with no arguments for the full action/option list and the
|
|
1973
|
+
derivation diagram. Both 12- and 24-word mnemonics are supported.
|
|
1905
1974
|
|
|
1906
1975
|
### Getting help
|
|
1907
1976
|
|
|
@@ -2084,13 +2153,52 @@ Config and metadata caches live in `~/.polkadot/` by default:
|
|
|
2084
2153
|
|
|
2085
2154
|
> **Warning:** `accounts.json` stores secrets (mnemonics and seeds) in **plain text**. Encrypted-at-rest storage is planned but not yet implemented. Keep appropriate file permissions (`chmod 600 ~/.polkadot/accounts.json`) and do not use this for high-value mainnet accounts.
|
|
2086
2155
|
|
|
2156
|
+
### Local workspaces — `dot init`
|
|
2157
|
+
|
|
2158
|
+
Create a self-contained, per-directory setup for chains and accounts. A workspace is just a `.polkadot/` directory that `dot` discovers automatically:
|
|
2159
|
+
|
|
2160
|
+
```bash
|
|
2161
|
+
mkdir -p ~/dot/paseo && cd ~/dot/paseo
|
|
2162
|
+
dot init
|
|
2163
|
+
# Initialized empty dot workspace at /Users/you/dot/paseo/.polkadot
|
|
2164
|
+
# Check which workspace is active with: dot which
|
|
2165
|
+
```
|
|
2166
|
+
|
|
2167
|
+
From this directory (and any subdirectory), every `dot` command reads and writes **all** state — accounts, custom chains, metadata cache — under `./.polkadot/` instead of `~/.polkadot/`:
|
|
2168
|
+
|
|
2169
|
+
```bash
|
|
2170
|
+
dot account create sudo # stored in ./.polkadot/accounts.json
|
|
2171
|
+
dot chain add mytestnet --rpc ws://localhost:9944
|
|
2172
|
+
dot which
|
|
2173
|
+
# /Users/you/dot/paseo/.polkadot
|
|
2174
|
+
# Source: local workspace (discovered from current directory)
|
|
2175
|
+
```
|
|
2176
|
+
|
|
2177
|
+
**Discovery** is git-style: `dot` looks for a `.polkadot/` directory in the current directory, then in each parent, stopping at `$HOME` or the filesystem root. The nearest workspace wins. The global `~/.polkadot` is never treated as a workspace — it is only ever the fallback.
|
|
2178
|
+
|
|
2179
|
+
**Precedence:** `DOT_HOME` env var → discovered local workspace → global `~/.polkadot`.
|
|
2180
|
+
|
|
2181
|
+
**Full isolation:** while a workspace is active, the global config is invisible. An account named `sudo` in `~/dot/paseo` and one in `~/dot/mytestnet` are unrelated identities — lookups never fall back to the global config, and resolution errors name the config root that was searched, so running in the wrong directory self-diagnoses. Built-in chains (Polkadot, Paseo, and the system parachains) still work everywhere; they ship with the binary.
|
|
2182
|
+
|
|
2183
|
+
`dot init` is deliberately minimal: it creates an empty `.polkadot/` directory and nothing else. It refuses to run in `$HOME`, errors if the directory already has a workspace, and warns when the new workspace shadows a parent workspace or when a set `DOT_HOME` masks discovery. Nothing is copied from the global config, and no `.gitignore` is written — whether to commit or ignore a workspace (remember: `accounts.json` holds plain-text secrets) is your decision to make.
|
|
2184
|
+
|
|
2185
|
+
**Throwaway sessions** are just disposable workspaces:
|
|
2186
|
+
|
|
2187
|
+
```bash
|
|
2188
|
+
tmp=$(mktemp -d) && cd "$tmp" && dot init
|
|
2189
|
+
# ... add throwaway accounts and chains, run txs ...
|
|
2190
|
+
cd - && rm -rf "$tmp" # nothing ever touched ~/.polkadot
|
|
2191
|
+
```
|
|
2192
|
+
|
|
2193
|
+
For secrets that should never hit disk at all, combine workspaces with `--env` secret sources (see [Manage accounts](#manage-accounts)).
|
|
2194
|
+
|
|
2087
2195
|
### `DOT_TRUST_CACHED_METADATA` — skip the staleness check
|
|
2088
2196
|
|
|
2089
2197
|
Set `DOT_TRUST_CACHED_METADATA=1` to disable the post-failure stale-metadata check on `dot tx`, `dot tx --dry-run`, and `dot query`. When set, errors propagate exactly as the runtime / RPC reported them, with no extra `state_getRuntimeVersion` / `state_getStorageHash` round-trip. Useful in CI loops where you've just refreshed metadata manually and don't want the overhead.
|
|
2090
2198
|
|
|
2091
2199
|
### `DOT_HOME` — redirect the config directory
|
|
2092
2200
|
|
|
2093
|
-
Set the `DOT_HOME` environment variable to point at a different directory. When set, the CLI reads and writes **everything** (config, accounts, metadata, update cache) under that path — no `.polkadot` suffix is appended.
|
|
2201
|
+
Set the `DOT_HOME` environment variable to point at a different directory. When set, the CLI reads and writes **everything** (config, accounts, metadata, update cache) under that path — no `.polkadot` suffix is appended. `DOT_HOME` takes precedence over both [local workspace discovery](#local-workspaces--dot-init) and the global `~/.polkadot`.
|
|
2094
2202
|
|
|
2095
2203
|
```bash
|
|
2096
2204
|
# Use a scratch directory for experimentation
|