polkadot-cli 1.20.0 → 1.21.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +110 -29
- package/dist/cli.mjs +785 -243
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -18,6 +18,7 @@ Ships with Polkadot and all system parachains preconfigured with multiple fallba
|
|
|
18
18
|
- ✅ Built with agent use in mind — structured JSON output on every command (`--json`)
|
|
19
19
|
- ✅ Fuzzy matching with typo suggestions
|
|
20
20
|
- ✅ Account management — BIP39 mnemonics, derivation paths, env-backed secrets, watch-only, dev accounts
|
|
21
|
+
- ✅ Local workspaces — `dot init` creates a `.polkadot/` in any directory, auto-discovered git-style and fully isolated from your global `~/.polkadot`
|
|
21
22
|
- ✅ Named address resolution across all commands
|
|
22
23
|
- ✅ Runtime API calls — `dot polkadot.apis.Core.version`
|
|
23
24
|
- ✅ Raw JSON-RPC calls — `dot polkadot.rpc.system_health`, with discovery via `rpc_methods` and tab-completion
|
|
@@ -1887,48 +1888,89 @@ dot parachain 1000 --type child --json
|
|
|
1887
1888
|
dot account inspect --parachain 1000 --parachain-type child --json
|
|
1888
1889
|
```
|
|
1889
1890
|
|
|
1890
|
-
### Bandersnatch member keys
|
|
1891
|
+
### Bandersnatch / verifiable (member keys, ring-VRF proofs, signing)
|
|
1891
1892
|
|
|
1892
|
-
|
|
1893
|
+
`dot verifiable` is a set of composable, unopinionated primitives over the
|
|
1894
|
+
[`verifiablejs`](https://github.com/paritytech/verifiablejs) WASM library: derive
|
|
1895
|
+
member keys, sign, generate and verify ring-VRF proofs, and encode member sets.
|
|
1896
|
+
Every action is bytes-in, bytes-out — it takes hex / `--file` / `--stdin` input
|
|
1897
|
+
and supports `--output json`, so it pipes together and composes with any data
|
|
1898
|
+
(for example values you fetched on-chain with `dot` beforehand). It makes no
|
|
1899
|
+
assumptions and does no fetching or selection of its own.
|
|
1900
|
+
|
|
1901
|
+
#### Two concepts you must not conflate
|
|
1902
|
+
|
|
1903
|
+
```
|
|
1904
|
+
Mnemonic ─BIP39─▶ entropy ─keyed blake2b─▶ member entropy ─▶ member key / secret
|
|
1905
|
+
(key = --entropy-key) │
|
|
1906
|
+
ring proof: one_shot(…, --context, --message)
|
|
1907
|
+
```
|
|
1908
|
+
|
|
1909
|
+
- **`--entropy-key <text|0xhex>`** — the key mixed into the keyed-blake2b that
|
|
1910
|
+
turns your mnemonic into the Bandersnatch member entropy. **Omit** it for a
|
|
1911
|
+
**lite** person (unkeyed); use **`candidate`** for a **full** person. It must
|
|
1912
|
+
match the key used when the member was recognised on-chain, or you derive a
|
|
1913
|
+
different (unrecognised) member key. It is **not** an sr25519 derivation path
|
|
1914
|
+
and **not** the ring `--context`. (The value is the raw UTF-8 — or hex — bytes
|
|
1915
|
+
of the blake2b key; this matches the iOS/Android clients, which key the
|
|
1916
|
+
"full person" deriver with `"candidate"`.)
|
|
1917
|
+
- **`--context <text|0xhex>`** — the **32-byte ring/proof namespace** (e.g.
|
|
1918
|
+
`"dotns"`), zero-padded right to 32 bytes like Solidity `bytes32()`. It
|
|
1919
|
+
determines the alias and is named `context` across the runtime
|
|
1920
|
+
(`type Context = [u8;32]`), the iOS client, and verifiablejs. Used by
|
|
1921
|
+
`alias` / `prove` / `verify`.
|
|
1922
|
+
|
|
1923
|
+
> **Migration (breaking):** previously `dot verifiable <account> --context
|
|
1924
|
+
> candidate` used `--context` as the entropy-derivation key. That key is now
|
|
1925
|
+
> `--entropy-key`, and `--context` means the ring context. For one release the
|
|
1926
|
+
> old form still works on the member command (with a deprecation warning); use
|
|
1927
|
+
> `--entropy-key` going forward.
|
|
1928
|
+
|
|
1929
|
+
#### Member keys
|
|
1893
1930
|
|
|
1894
1931
|
```bash
|
|
1895
|
-
#
|
|
1932
|
+
# Lite person (unkeyed)
|
|
1896
1933
|
dot verifiable alice
|
|
1897
|
-
# Output:
|
|
1898
|
-
# Bandersnatch Member Key
|
|
1899
|
-
#
|
|
1900
1934
|
# Account: alice
|
|
1901
1935
|
# Member Key: 0xbb6ee099b568f1844d62fc00e6305c2e83aa8da30ce59e664ef39e089204d43c
|
|
1902
1936
|
|
|
1903
|
-
#
|
|
1904
|
-
dot verifiable alice --
|
|
1905
|
-
#
|
|
1906
|
-
#
|
|
1907
|
-
#
|
|
1908
|
-
|
|
1909
|
-
# Context: candidate
|
|
1910
|
-
# Member Key: 0x5f915576987547d3e55bb4129ac8cae1d338f8933073dc74272b4c825f738592
|
|
1937
|
+
# Full person (candidate-keyed)
|
|
1938
|
+
dot verifiable alice --entropy-key candidate
|
|
1939
|
+
# Account: alice
|
|
1940
|
+
# Entropy Key: candidate
|
|
1941
|
+
# Member Key: 0x5f915576987547d3e55bb4129ac8cae1d338f8933073dc74272b4c825f738592
|
|
1942
|
+
```
|
|
1911
1943
|
|
|
1912
|
-
|
|
1913
|
-
dot verifiable alice --context pps
|
|
1944
|
+
Derived keys are saved to the account store and shown in `dot account inspect`.
|
|
1914
1945
|
|
|
1915
|
-
|
|
1916
|
-
dot verifiable alice --context candidate --json
|
|
1917
|
-
```
|
|
1946
|
+
#### Alias, sign, prove, verify
|
|
1918
1947
|
|
|
1919
|
-
|
|
1948
|
+
```bash
|
|
1949
|
+
# Alias for a ring context (deterministic in entropy + context)
|
|
1950
|
+
dot verifiable alias alice --entropy-key candidate --context dotns
|
|
1920
1951
|
|
|
1921
|
-
|
|
1922
|
-
|
|
1923
|
-
|
|
1952
|
+
# Standalone Bandersnatch signature (64 bytes)
|
|
1953
|
+
dot verifiable sign alice --message "hello" --entropy-key candidate
|
|
1954
|
+
dot verifiable verify-sig --signature 0x… --member 0x… --message "hello"
|
|
1924
1955
|
|
|
1925
|
-
-
|
|
1926
|
-
|
|
1927
|
-
|
|
1956
|
+
# Ring-VRF proof over a members set, then verify it locally
|
|
1957
|
+
dot verifiable members 0x<key> 0x<key> --output json # SCALE-encode the ring
|
|
1958
|
+
dot verifiable prove alice --entropy-key candidate --context dotns \
|
|
1959
|
+
--message 0x… --members 0x… --output json
|
|
1960
|
+
dot verifiable verify --proof 0x… --context dotns --message 0x… --members 0x…
|
|
1961
|
+
# verify exits non-zero if the proof does not validate
|
|
1962
|
+
```
|
|
1928
1963
|
|
|
1929
|
-
|
|
1964
|
+
`dot verifiable` is deliberately scoped to **raw verifiable crypto** — bytes in,
|
|
1965
|
+
bytes out, with no knowledge of Polkadot chains, pallets, or collections (the
|
|
1966
|
+
same way `dot sign` is just sr25519). It does no automated fetching or selection
|
|
1967
|
+
and assumes nothing about how the bytes were produced or where they go: supply
|
|
1968
|
+
the members/context/message yourself (e.g. read from chain with `dot` first), and
|
|
1969
|
+
use the resulting signature or proof however you need — as a value in a `dot`
|
|
1970
|
+
extrinsic or signed extension, or anywhere else.
|
|
1930
1971
|
|
|
1931
|
-
Run `dot verifiable` with no arguments
|
|
1972
|
+
Run `dot verifiable` with no arguments for the full action/option list and the
|
|
1973
|
+
derivation diagram. Both 12- and 24-word mnemonics are supported.
|
|
1932
1974
|
|
|
1933
1975
|
### Getting help
|
|
1934
1976
|
|
|
@@ -2111,13 +2153,52 @@ Config and metadata caches live in `~/.polkadot/` by default:
|
|
|
2111
2153
|
|
|
2112
2154
|
> **Warning:** `accounts.json` stores secrets (mnemonics and seeds) in **plain text**. Encrypted-at-rest storage is planned but not yet implemented. Keep appropriate file permissions (`chmod 600 ~/.polkadot/accounts.json`) and do not use this for high-value mainnet accounts.
|
|
2113
2155
|
|
|
2156
|
+
### Local workspaces — `dot init`
|
|
2157
|
+
|
|
2158
|
+
Create a self-contained, per-directory setup for chains and accounts. A workspace is just a `.polkadot/` directory that `dot` discovers automatically:
|
|
2159
|
+
|
|
2160
|
+
```bash
|
|
2161
|
+
mkdir -p ~/dot/paseo && cd ~/dot/paseo
|
|
2162
|
+
dot init
|
|
2163
|
+
# Initialized empty dot workspace at /Users/you/dot/paseo/.polkadot
|
|
2164
|
+
# Check which workspace is active with: dot which
|
|
2165
|
+
```
|
|
2166
|
+
|
|
2167
|
+
From this directory (and any subdirectory), every `dot` command reads and writes **all** state — accounts, custom chains, metadata cache — under `./.polkadot/` instead of `~/.polkadot/`:
|
|
2168
|
+
|
|
2169
|
+
```bash
|
|
2170
|
+
dot account create sudo # stored in ./.polkadot/accounts.json
|
|
2171
|
+
dot chain add mytestnet --rpc ws://localhost:9944
|
|
2172
|
+
dot which
|
|
2173
|
+
# /Users/you/dot/paseo/.polkadot
|
|
2174
|
+
# Source: local workspace (discovered from current directory)
|
|
2175
|
+
```
|
|
2176
|
+
|
|
2177
|
+
**Discovery** is git-style: `dot` looks for a `.polkadot/` directory in the current directory, then in each parent, stopping at `$HOME` or the filesystem root. The nearest workspace wins. The global `~/.polkadot` is never treated as a workspace — it is only ever the fallback.
|
|
2178
|
+
|
|
2179
|
+
**Precedence:** `DOT_HOME` env var → discovered local workspace → global `~/.polkadot`.
|
|
2180
|
+
|
|
2181
|
+
**Full isolation:** while a workspace is active, the global config is invisible. An account named `sudo` in `~/dot/paseo` and one in `~/dot/mytestnet` are unrelated identities — lookups never fall back to the global config, and resolution errors name the config root that was searched, so running in the wrong directory self-diagnoses. Built-in chains (Polkadot, Paseo, and the system parachains) still work everywhere; they ship with the binary.
|
|
2182
|
+
|
|
2183
|
+
`dot init` is deliberately minimal: it creates an empty `.polkadot/` directory and nothing else. It refuses to run in `$HOME`, errors if the directory already has a workspace, and warns when the new workspace shadows a parent workspace or when a set `DOT_HOME` masks discovery. Nothing is copied from the global config, and no `.gitignore` is written — whether to commit or ignore a workspace (remember: `accounts.json` holds plain-text secrets) is your decision to make.
|
|
2184
|
+
|
|
2185
|
+
**Throwaway sessions** are just disposable workspaces:
|
|
2186
|
+
|
|
2187
|
+
```bash
|
|
2188
|
+
tmp=$(mktemp -d) && cd "$tmp" && dot init
|
|
2189
|
+
# ... add throwaway accounts and chains, run txs ...
|
|
2190
|
+
cd - && rm -rf "$tmp" # nothing ever touched ~/.polkadot
|
|
2191
|
+
```
|
|
2192
|
+
|
|
2193
|
+
For secrets that should never hit disk at all, combine workspaces with `--env` secret sources (see [Manage accounts](#manage-accounts)).
|
|
2194
|
+
|
|
2114
2195
|
### `DOT_TRUST_CACHED_METADATA` — skip the staleness check
|
|
2115
2196
|
|
|
2116
2197
|
Set `DOT_TRUST_CACHED_METADATA=1` to disable the post-failure stale-metadata check on `dot tx`, `dot tx --dry-run`, and `dot query`. When set, errors propagate exactly as the runtime / RPC reported them, with no extra `state_getRuntimeVersion` / `state_getStorageHash` round-trip. Useful in CI loops where you've just refreshed metadata manually and don't want the overhead.
|
|
2117
2198
|
|
|
2118
2199
|
### `DOT_HOME` — redirect the config directory
|
|
2119
2200
|
|
|
2120
|
-
Set the `DOT_HOME` environment variable to point at a different directory. When set, the CLI reads and writes **everything** (config, accounts, metadata, update cache) under that path — no `.polkadot` suffix is appended.
|
|
2201
|
+
Set the `DOT_HOME` environment variable to point at a different directory. When set, the CLI reads and writes **everything** (config, accounts, metadata, update cache) under that path — no `.polkadot` suffix is appended. `DOT_HOME` takes precedence over both [local workspace discovery](#local-workspaces--dot-init) and the global `~/.polkadot`.
|
|
2121
2202
|
|
|
2122
2203
|
```bash
|
|
2123
2204
|
# Use a scratch directory for experimentation
|