polkadot-cli 1.19.0 → 1.21.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/README.md +148 -40
  2. package/dist/cli.mjs +879 -277
  3. package/package.json +7 -7
package/README.md CHANGED
@@ -18,6 +18,7 @@ Ships with Polkadot and all system parachains preconfigured with multiple fallba
18
18
  - ✅ Built with agent use in mind — structured JSON output on every command (`--json`)
19
19
  - ✅ Fuzzy matching with typo suggestions
20
20
  - ✅ Account management — BIP39 mnemonics, derivation paths, env-backed secrets, watch-only, dev accounts
21
+ - ✅ Local workspaces — `dot init` creates a `.polkadot/` in any directory, auto-discovered git-style and fully isolated from your global `~/.polkadot`
21
22
  - ✅ Named address resolution across all commands
22
23
  - ✅ Runtime API calls — `dot polkadot.apis.Core.version`
23
24
  - ✅ Raw JSON-RPC calls — `dot polkadot.rpc.system_health`, with discovery via `rpc_methods` and tab-completion
@@ -280,6 +281,10 @@ dot account create my-staking --path //staking
280
281
  # Add a keyed account from a BIP39 mnemonic
281
282
  dot account add treasury --secret "word1 word2 ... word12"
282
283
 
284
+ # Add from a 32-byte hex seed or a 64-byte raw sr25519 private key
285
+ dot account add seeded --secret 0x1111111111111111111111111111111111111111111111111111111111111111
286
+ dot account add raw-key --secret 0x<128-hex-char expanded secret> # no --path
287
+
283
288
  # Add with a derivation path
284
289
  dot account add hot-wallet --secret "word1 word2 ... word12" --path //hot
285
290
 
@@ -313,6 +318,7 @@ dot account inspect 5GrwvaEF5zXb26Fz9rcQpDWS57CtERHpNehXCPcNoHGKutQY
313
318
  dot account inspect 0xd43593c715fdd31c61141abd04a99fd6822c8558854ccde39a5684e7a56da27d
314
319
  dot account inspect alice --prefix 0 # Polkadot mainnet prefix
315
320
  dot account inspect alice --json # JSON output
321
+ dot account inspect dave --show-secret # reveal mnemonic + sr25519 private key
316
322
  ```
317
323
 
318
324
  #### Watch-only accounts
@@ -484,16 +490,21 @@ dot account inspect --pallet-id py/trsry --json
484
490
 
485
491
  Constraints (will error): cannot combine a positional input with derivation flags; `--pallet-id` and `--parachain` are mutually exclusive; `--parachain` requires `--parachain-type child|sibling`; `--show-secret` doesn't apply (derived sovereigns have no key).
486
492
 
487
- #### Reveal the sr25519 private key
493
+ #### Reveal the mnemonic and sr25519 private key
488
494
 
489
- For provisioning another signer (e.g. a server that expects a raw hex private key in an env var), add `--show-secret` to print the **64-byte sr25519 expanded secret** as `0x`-prefixed hex:
495
+ For provisioning another signer (e.g. a server that expects a raw hex private key in an env var), add `--show-secret` to print the **64-byte sr25519 expanded secret** as `0x`-prefixed hex. It also reveals the **stored mnemonic** (or hex seed) so you can back it up:
490
496
 
491
497
  ```bash
492
- dot account inspect dave --show-secret
493
- # Private Key: 0x<128 hex chars> (sr25519 expanded, 64 bytes never share)
498
+ dot account inspect my-validator --show-secret
499
+ # Mnemonic: word1 word2 ... word12 (only for accounts stored as a phrase)
500
+ # Private Key: 0x<128 hex chars> (sr25519 expanded, 64 bytes — never share)
494
501
  ```
495
502
 
496
- Works for dev accounts (derived on-the-fly from the standard dev mnemonic) and for stored accounts that have a secret (mnemonic or hex seed). Refuses on watch-only accounts, bare SS58 addresses, or hex public keys. The hex is the final secret after any derivation path is applied, so it can be fed directly to signers that don't accept a mnemonic+path (e.g. `@scure/sr25519`'s `sign`, or services like identity-backend that read a `PROXY_PRIVATE_KEY`). Combine with `--json` to include it under the `privateKey` field.
503
+ Works for dev accounts (derived on-the-fly from the standard dev mnemonic) and for stored accounts that have a secret. Refuses on watch-only accounts, bare SS58 addresses, or hex public keys. The revealed line depends on how the account was stored: a phrase shows under `Mnemonic`, a 32-byte hex seed under `Seed`, and a raw private key shows only the `Private Key` (the stored secret already _is_ the expanded key). **Env-backed secrets are never resolved to disk output** — only the `$VAR` reference is shown. The expanded `Private Key` is the final secret after any derivation path is applied, so it can be fed directly to signers that don't accept a mnemonic+path (e.g. `@scure/sr25519`'s `sign`, or services like identity-backend that read a `PROXY_PRIVATE_KEY`). Combine with `--json` to include the values under the `mnemonic`/`seed` and `privateKey` fields.
504
+
505
+ The revealed `Private Key` round-trips: you can re-import it as a usable account (see [Import a raw private key](#import-a-raw-private-key) below).
506
+
507
+ > **Note:** if the account was stored with a derivation path, the revealed `Mnemonic`/`Seed` reproduces the original address **only when re-imported with the same `--path`** (shown on the `Derivation` line). The `Private Key` already bakes in the path, so it round-trips on its own.
497
508
 
498
509
  #### Env-var-backed accounts
499
510
 
@@ -540,12 +551,29 @@ Signers
540
551
 
541
552
  **Supported secret formats for import:**
542
553
 
543
- | Format | Example | Status |
544
- |--------|---------|--------|
545
- | BIP39 mnemonic (12/24 words) | `"abandon abandon ... about"` | Supported |
546
- | Hex seed (`0x` + 64 hex chars) | `0xabcdef0123...` | Not supported via CLI (see below) |
554
+ | Format | Example | `--path`? |
555
+ |--------|---------|-----------|
556
+ | BIP39 mnemonic (12/24 words) | `"abandon abandon ... about"` | Yes |
557
+ | Hex seed (`0x` + 64 hex chars = 32 bytes) | `0x1111...1111` | Yes |
558
+ | Raw private key (`0x` + 128 hex chars = 64-byte sr25519 expanded secret) | `0x20e0...5568` | No (cannot be HD-derived) |
559
+
560
+ All three formats work directly from the command line via `--secret` or via `--env`.
561
+
562
+ #### Import a raw private key
563
+
564
+ The 64-byte expanded secret that `--show-secret` prints can be re-imported as a fully usable, signing-capable account. This is the round-trip companion to `--show-secret` — handy when a key only exists in expanded form (e.g. exported from another tool or read from a `PROXY_PRIVATE_KEY` env var):
547
565
 
548
- **Known limitation:** Hex seed import (`--secret 0x...`) does not work from the command line. The CLI argument parser (`cac`) interprets `0x`-prefixed values as JavaScript numbers, which loses precision for 32-byte seeds. Use a BIP39 mnemonic instead. If you need to import a raw seed programmatically, write it directly to `~/.polkadot/accounts.json`.
566
+ ```bash
567
+ # Round-trip: reveal dave's expanded secret, then import it under a new name
568
+ SECRET=$(dot account inspect dave --show-secret --json | jq -r .privateKey)
569
+ dot account add raw-dave --secret "$SECRET"
570
+ # raw-dave now has the same address as dave and can sign
571
+
572
+ # Or from an environment variable (secret stays off disk)
573
+ dot account add server-signer --env PROXY_PRIVATE_KEY
574
+ ```
575
+
576
+ A raw private key cannot be HD-derived, so `--path` is rejected for this format. Imported expanded-secret accounts sign exactly like mnemonic-backed ones.
549
577
 
550
578
  #### Export/import accounts
551
579
 
@@ -1860,48 +1888,89 @@ dot parachain 1000 --type child --json
1860
1888
  dot account inspect --parachain 1000 --parachain-type child --json
1861
1889
  ```
1862
1890
 
1863
- ### Bandersnatch member keys
1891
+ ### Bandersnatch / verifiable (member keys, ring-VRF proofs, signing)
1892
+
1893
+ `dot verifiable` is a set of composable, unopinionated primitives over the
1894
+ [`verifiablejs`](https://github.com/paritytech/verifiablejs) WASM library: derive
1895
+ member keys, sign, generate and verify ring-VRF proofs, and encode member sets.
1896
+ Every action is bytes-in, bytes-out — it takes hex / `--file` / `--stdin` input
1897
+ and supports `--output json`, so it pipes together and composes with any data
1898
+ (for example values you fetched on-chain with `dot` beforehand). It makes no
1899
+ assumptions and does no fetching or selection of its own.
1900
+
1901
+ #### Two concepts you must not conflate
1902
+
1903
+ ```
1904
+ Mnemonic ─BIP39─▶ entropy ─keyed blake2b─▶ member entropy ─▶ member key / secret
1905
+ (key = --entropy-key) │
1906
+ ring proof: one_shot(…, --context, --message)
1907
+ ```
1908
+
1909
+ - **`--entropy-key <text|0xhex>`** — the key mixed into the keyed-blake2b that
1910
+ turns your mnemonic into the Bandersnatch member entropy. **Omit** it for a
1911
+ **lite** person (unkeyed); use **`candidate`** for a **full** person. It must
1912
+ match the key used when the member was recognised on-chain, or you derive a
1913
+ different (unrecognised) member key. It is **not** an sr25519 derivation path
1914
+ and **not** the ring `--context`. (The value is the raw UTF-8 — or hex — bytes
1915
+ of the blake2b key; this matches the iOS/Android clients, which key the
1916
+ "full person" deriver with `"candidate"`.)
1917
+ - **`--context <text|0xhex>`** — the **32-byte ring/proof namespace** (e.g.
1918
+ `"dotns"`), zero-padded right to 32 bytes like Solidity `bytes32()`. It
1919
+ determines the alias and is named `context` across the runtime
1920
+ (`type Context = [u8;32]`), the iOS client, and verifiablejs. Used by
1921
+ `alias` / `prove` / `verify`.
1922
+
1923
+ > **Migration (breaking):** previously `dot verifiable <account> --context
1924
+ > candidate` used `--context` as the entropy-derivation key. That key is now
1925
+ > `--entropy-key`, and `--context` means the ring context. For one release the
1926
+ > old form still works on the member command (with a deprecation warning); use
1927
+ > `--entropy-key` going forward.
1864
1928
 
1865
- Derive Bandersnatch member keys from account mnemonics for on-chain member set registration (personhood proofs, Ring VRF). Uses the [`verifiablejs`](https://github.com/paritytech/verifiablejs) WASM library.
1929
+ #### Member keys
1866
1930
 
1867
1931
  ```bash
1868
- # Derive unkeyed member key (lite person)
1932
+ # Lite person (unkeyed)
1869
1933
  dot verifiable alice
1870
- # Output:
1871
- # Bandersnatch Member Key
1872
- #
1873
1934
  # Account: alice
1874
- # Member Key: 0x66813b70ba616b374c90ac92edff6e3be95e12adbc93ea7a6c37cbf334ab87e2
1935
+ # Member Key: 0xbb6ee099b568f1844d62fc00e6305c2e83aa8da30ce59e664ef39e089204d43c
1875
1936
 
1876
- # Derive keyed member key (full person — "candidate" context)
1877
- dot verifiable alice --context candidate
1878
- # Output:
1879
- # Bandersnatch Member Key
1880
- #
1881
- # Account: alice
1882
- # Context: candidate
1883
- # Member Key: 0x2fd5b74033d904cf5575b932507939c5d43811e488223229eaf5596565f15ae6
1937
+ # Full person (candidate-keyed)
1938
+ dot verifiable alice --entropy-key candidate
1939
+ # Account: alice
1940
+ # Entropy Key: candidate
1941
+ # Member Key: 0x5f915576987547d3e55bb4129ac8cae1d338f8933073dc74272b4c825f738592
1942
+ ```
1884
1943
 
1885
- # Arbitrary context string
1886
- dot verifiable alice --context pps
1944
+ Derived keys are saved to the account store and shown in `dot account inspect`.
1887
1945
 
1888
- # JSON output (for scripting)
1889
- dot verifiable alice --context candidate --json
1890
- ```
1946
+ #### Alias, sign, prove, verify
1891
1947
 
1892
- The derivation flow:
1948
+ ```bash
1949
+ # Alias for a ring context (deterministic in entropy + context)
1950
+ dot verifiable alias alice --entropy-key candidate --context dotns
1893
1951
 
1894
- ```
1895
- Mnemonic mnemonicToEntropy() blake2b256(entropy, context?) → member_from_entropy() → 32-byte member key
1896
- ```
1952
+ # Standalone Bandersnatch signature (64 bytes)
1953
+ dot verifiable sign alice --message "hello" --entropy-key candidate
1954
+ dot verifiable verify-sig --signature 0x… --member 0x… --message "hello"
1897
1955
 
1898
- - **Unkeyed** (no `--context`): `blake2b256(entropy)` used for lite person registration
1899
- - **With context** (e.g. `--context candidate`): `blake2b256(entropy, key="candidate")` used for full person registration. The `--context` value is passed as the raw UTF-8 bytes of the blake2b key parameter.
1900
- - Both 12-word and 24-word mnemonics are supported
1956
+ # Ring-VRF proof over a members set, then verify it locally
1957
+ dot verifiable members 0x<key> 0x<key> --output json # SCALE-encode the ring
1958
+ dot verifiable prove alice --entropy-key candidate --context dotns \
1959
+ --message 0x… --members 0x… --output json
1960
+ dot verifiable verify --proof 0x… --context dotns --message 0x… --members 0x…
1961
+ # verify exits non-zero if the proof does not validate
1962
+ ```
1901
1963
 
1902
- Derived keys are saved to the account store. For stored accounts, saved keys appear in `dot account inspect` output. When creating a new account with `dot account create`, both unkeyed and `candidate` keys are automatically derived and saved.
1964
+ `dot verifiable` is deliberately scoped to **raw verifiable crypto** bytes in,
1965
+ bytes out, with no knowledge of Polkadot chains, pallets, or collections (the
1966
+ same way `dot sign` is just sr25519). It does no automated fetching or selection
1967
+ and assumes nothing about how the bytes were produced or where they go: supply
1968
+ the members/context/message yourself (e.g. read from chain with `dot` first), and
1969
+ use the resulting signature or proof however you need — as a value in a `dot`
1970
+ extrinsic or signed extension, or anywhere else.
1903
1971
 
1904
- Run `dot verifiable` with no arguments to see usage and the full derivation diagram.
1972
+ Run `dot verifiable` with no arguments for the full action/option list and the
1973
+ derivation diagram. Both 12- and 24-word mnemonics are supported.
1905
1974
 
1906
1975
  ### Getting help
1907
1976
 
@@ -2084,13 +2153,52 @@ Config and metadata caches live in `~/.polkadot/` by default:
2084
2153
 
2085
2154
  > **Warning:** `accounts.json` stores secrets (mnemonics and seeds) in **plain text**. Encrypted-at-rest storage is planned but not yet implemented. Keep appropriate file permissions (`chmod 600 ~/.polkadot/accounts.json`) and do not use this for high-value mainnet accounts.
2086
2155
 
2156
+ ### Local workspaces — `dot init`
2157
+
2158
+ Create a self-contained, per-directory setup for chains and accounts. A workspace is just a `.polkadot/` directory that `dot` discovers automatically:
2159
+
2160
+ ```bash
2161
+ mkdir -p ~/dot/paseo && cd ~/dot/paseo
2162
+ dot init
2163
+ # Initialized empty dot workspace at /Users/you/dot/paseo/.polkadot
2164
+ # Check which workspace is active with: dot which
2165
+ ```
2166
+
2167
+ From this directory (and any subdirectory), every `dot` command reads and writes **all** state — accounts, custom chains, metadata cache — under `./.polkadot/` instead of `~/.polkadot/`:
2168
+
2169
+ ```bash
2170
+ dot account create sudo # stored in ./.polkadot/accounts.json
2171
+ dot chain add mytestnet --rpc ws://localhost:9944
2172
+ dot which
2173
+ # /Users/you/dot/paseo/.polkadot
2174
+ # Source: local workspace (discovered from current directory)
2175
+ ```
2176
+
2177
+ **Discovery** is git-style: `dot` looks for a `.polkadot/` directory in the current directory, then in each parent, stopping at `$HOME` or the filesystem root. The nearest workspace wins. The global `~/.polkadot` is never treated as a workspace — it is only ever the fallback.
2178
+
2179
+ **Precedence:** `DOT_HOME` env var → discovered local workspace → global `~/.polkadot`.
2180
+
2181
+ **Full isolation:** while a workspace is active, the global config is invisible. An account named `sudo` in `~/dot/paseo` and one in `~/dot/mytestnet` are unrelated identities — lookups never fall back to the global config, and resolution errors name the config root that was searched, so running in the wrong directory self-diagnoses. Built-in chains (Polkadot, Paseo, and the system parachains) still work everywhere; they ship with the binary.
2182
+
2183
+ `dot init` is deliberately minimal: it creates an empty `.polkadot/` directory and nothing else. It refuses to run in `$HOME`, errors if the directory already has a workspace, and warns when the new workspace shadows a parent workspace or when a set `DOT_HOME` masks discovery. Nothing is copied from the global config, and no `.gitignore` is written — whether to commit or ignore a workspace (remember: `accounts.json` holds plain-text secrets) is your decision to make.
2184
+
2185
+ **Throwaway sessions** are just disposable workspaces:
2186
+
2187
+ ```bash
2188
+ tmp=$(mktemp -d) && cd "$tmp" && dot init
2189
+ # ... add throwaway accounts and chains, run txs ...
2190
+ cd - && rm -rf "$tmp" # nothing ever touched ~/.polkadot
2191
+ ```
2192
+
2193
+ For secrets that should never hit disk at all, combine workspaces with `--env` secret sources (see [Manage accounts](#manage-accounts)).
2194
+
2087
2195
  ### `DOT_TRUST_CACHED_METADATA` — skip the staleness check
2088
2196
 
2089
2197
  Set `DOT_TRUST_CACHED_METADATA=1` to disable the post-failure stale-metadata check on `dot tx`, `dot tx --dry-run`, and `dot query`. When set, errors propagate exactly as the runtime / RPC reported them, with no extra `state_getRuntimeVersion` / `state_getStorageHash` round-trip. Useful in CI loops where you've just refreshed metadata manually and don't want the overhead.
2090
2198
 
2091
2199
  ### `DOT_HOME` — redirect the config directory
2092
2200
 
2093
- Set the `DOT_HOME` environment variable to point at a different directory. When set, the CLI reads and writes **everything** (config, accounts, metadata, update cache) under that path — no `.polkadot` suffix is appended.
2201
+ Set the `DOT_HOME` environment variable to point at a different directory. When set, the CLI reads and writes **everything** (config, accounts, metadata, update cache) under that path — no `.polkadot` suffix is appended. `DOT_HOME` takes precedence over both [local workspace discovery](#local-workspaces--dot-init) and the global `~/.polkadot`.
2094
2202
 
2095
2203
  ```bash
2096
2204
  # Use a scratch directory for experimentation