chore(cli): qof fixes

.github/ISSUE_TEMPLATE/sdk-bug.yml

@@ -1,12 +1,12 @@
 name: SDK Bug
-description: Bug in SDK 
+description: Bug in SDK
 labels: ["type: bug", "needs-info"]
 body:
   - type: markdown
     attributes:
       value: |
         This tracker is for SDK and CLI bugs only.
-        
+
         Protocol bugs: https://github.com/paritytech/dotns/issues
 
   - type: checkboxes
@@ -86,12 +86,12 @@ body:
       value: |
         OS: 
         Bun: 
-        Package version: 
+        Package version:
     validations:
       required: true
 
   - type: textarea
     id: logs
     attributes:
       label: Logs
-      render: shell
+      render: shell

.github/ISSUE_TEMPLATE/sdk-build.yml

@@ -55,6 +55,6 @@ body:
       value: |
         OS: 
         Bun: 
-        Node: 
+        Node:
     validations:
-      required: true
+      required: true

.github/ISSUE_TEMPLATE/sdk-docs.yml

@@ -46,4 +46,4 @@ body:
   - type: textarea
     id: suggestion
     attributes:
-      label: Suggestion
+      label: Suggestion

.github/actions/bulletin/action.yml

@@ -1,77 +1,95 @@
 name: Upload to Bulletin
-description: Authorize an account and upload a build directory to Bulletin
+description: Authorize the deployer on Bulletin and upload a build directory
 
 inputs:
   mnemonic:
-    description: 'BIP39 mnemonic for Bulletin uploads'
+    description: "BIP39 mnemonic of the deployer account (uploads to Bulletin)"
     required: true
+  authorizer-mnemonic:
+    description: |
+      BIP39 mnemonic (or SURI like //Eve) of the Bulletin Authorizer that
+      grants on-chain upload quota to the deployer before upload.
+      Defaults to //Eve, the account seeded into AllowedAuthorizers on the
+      bulletin testnet and dev runtimes (the same key the Bulletin console
+      faucet uses). //Alice is sudo and a storage account, not an authoriser,
+      so a plain signed authorize from Alice is rejected as BadOrigin.
+    required: false
+    default: "//Eve"
   bulletin-rpc:
-    description: 'Bulletin chain WebSocket RPC endpoint (default: CLI built-in)'
+    description: "Bulletin chain WebSocket RPC endpoint (default: CLI built-in)"
     required: false
   env:
-    description: 'DotNS environment used by cache/store operations'
+    description: "DotNS environment used by cache/store operations"
     required: false
-    default: 'paseo-v2'
+    default: "paseo-v2"
   build-path:
-    description: 'Path to the build directory to upload'
+    description: "Path to the build directory to upload"
     required: false
-    default: './build'
+    default: "./build"
   upload-concurrency:
-    description: 'Adaptive scheduler max window (max: 4)'
+    description: "Adaptive scheduler max window (max: 4)"
     required: false
-    default: '4'
+    default: "4"
   max-retries:
-    description: 'Max retry attempts for transient RPC failures'
+    description: "Max retry attempts for transient RPC failures"
     required: false
-    default: '3'
+    default: "3"
   retry-delay:
-    description: 'Seconds to wait between retries'
+    description: "Seconds to wait between retries"
     required: false
-    default: '15'
+    default: "15"
   cache:
-    description: 'Write uploaded CID to on-chain Store after upload'
+    description: "Write uploaded CID to on-chain Store after upload"
     required: false
-    default: 'false'
+    default: "false"
 outputs:
   cid:
-    description: 'Content Identifier of the uploaded build'
+    description: "Content Identifier of the uploaded build"
     value: ${{ steps.upload.outputs.cid }}
   contenthash:
-    description: 'Contenthash of the uploaded build'
+    description: "Contenthash of the uploaded build"
     value: ${{ steps.upload.outputs.contenthash }}
 
 runs:
   using: composite
   steps:
-    - name: Authorize account for Bulletin
+    - name: Authorize deployer on Bulletin
       shell: bash
       run: |
         set -euo pipefail
         source "$GITHUB_ACTION_PATH/../lib/run-dotns.sh"
         echo "::add-mask::$DOTNS_MNEMONIC"
+        echo "::add-mask::$AUTHORIZER_MNEMONIC"
 
         ADDRESS=$(dotns account address)
         RESULT_FILE=$(mktemp)
-        ARGS=(bulletin authorize "$ADDRESS" --json --reporter stream)
+        # SURI like //Alice goes via --key-uri; everything else is a BIP39 mnemonic.
+        if [[ "$AUTHORIZER_MNEMONIC" == //* ]]; then
+          AUTH_ARGS=(--key-uri "$AUTHORIZER_MNEMONIC")
+        else
+          AUTH_ARGS=(-m "$AUTHORIZER_MNEMONIC")
+        fi
+        ARGS=(bulletin authorize "$ADDRESS" "${AUTH_ARGS[@]}" --json --reporter stream)
         [[ -n "$BULLETIN_RPC" ]] && ARGS+=(--bulletin-rpc "$BULLETIN_RPC")
 
         if run_dotns_with_retry \
-          "Authorize account for Bulletin" \
+          "Authorize deployer on Bulletin" \
           "$RESULT_FILE" \
           "1" \
           "$RETRY_DELAY" \
           dotns \
           "${ARGS[@]}"; then
-          echo "::notice::Account ${ADDRESS} authorized"
+          echo "::notice::Deployer ${ADDRESS} authorized on Bulletin"
         else
           ERROR_MESSAGE=$(jq -r '.error // empty' "$RESULT_FILE" 2>/dev/null || true)
-          echo "::error::${ERROR_MESSAGE:-Authorization failed}"
+          echo "::error::${ERROR_MESSAGE:-Bulletin authorize failed}"
           rm -f "$RESULT_FILE"
           exit 1
         fi
         rm -f "$RESULT_FILE"
       env:
         DOTNS_MNEMONIC: ${{ inputs.mnemonic }}
+        AUTHORIZER_MNEMONIC: ${{ inputs.authorizer-mnemonic }}
         DOTNS_ENV: ${{ inputs.env }}
         BULLETIN_RPC: ${{ inputs.bulletin-rpc }}
         CI: "true"

.github/actions/dotns/action.yml

@@ -3,42 +3,42 @@ description: Look up, register, and set contenthash for a DotNS domain or subnam
 
 inputs:
   mnemonic:
-    description: 'BIP39 mnemonic for DotNS on-chain operations'
+    description: "BIP39 mnemonic for DotNS on-chain operations"
     required: true
   rpc:
-    description: 'WebSocket RPC endpoint (default: CLI built-in)'
+    description: "WebSocket RPC endpoint (default: CLI built-in)"
     required: false
   env:
-    description: 'DotNS environment'
+    description: "DotNS environment"
     required: false
-    default: 'paseo-v2'
+    default: "paseo-v2"
   basename:
-    description: 'Base domain without .dot'
+    description: "Base domain without .dot"
     required: true
   mode:
-    description: 'preview (subname deploy) | production (basename deploy)'
+    description: "preview (subname deploy) | production (basename deploy)"
     required: true
   subname:
-    description: 'Subname to register (required when mode=preview)'
+    description: "Subname to register (required when mode=preview)"
     required: false
   domain:
-    description: 'Resolved domain (e.g. pr42.mysite or mysite)'
+    description: "Resolved domain (e.g. pr42.mysite or mysite)"
     required: true
   register-base:
-    description: 'Attempt base domain registration if not already owned'
+    description: "Attempt base domain registration if not already owned"
     required: false
-    default: 'false'
+    default: "false"
   cid:
-    description: 'Content Identifier to set as contenthash'
+    description: "Content Identifier to set as contenthash"
     required: true
   max-retries:
-    description: 'Max retry attempts for transient RPC failures'
+    description: "Max retry attempts for transient RPC failures"
     required: false
-    default: '3'
+    default: "3"
   retry-delay:
-    description: 'Seconds to wait between retries'
+    description: "Seconds to wait between retries"
     required: false
-    default: '15'
+    default: "15"
 
 runs:
   using: composite
@@ -93,10 +93,20 @@ runs:
       run: |
         echo "::add-mask::$DOTNS_MNEMONIC"
 
+        # Names of 5 characters or fewer classify as Reserved and must be
+        # registered through the governance (registerReserved) path, which is
+        # gated on the caller being whitelisted (the "Whitelist deployer" step
+        # authorises exactly this). Longer names use regular registration.
+        REGISTER_ARGS=(register domain --name "$BASENAME")
+        if [[ "${#BASENAME}" -le 5 ]]; then
+          REGISTER_ARGS+=(--governance)
+          echo "::notice::${BASENAME}.dot is a reserved name; using governance registration."
+        fi
+
         for ATTEMPT in $(seq 1 "$MAX_RETRIES"); do
           echo "Register base attempt $ATTEMPT/$MAX_RETRIES"
 
-          if dotns register domain --name "$BASENAME" 2>&1; then
+          if dotns "${REGISTER_ARGS[@]}" 2>&1; then
             echo "::notice::Base domain ${BASENAME}.dot registered"
             exit 0
           fi
@@ -107,12 +117,13 @@ runs:
 
         echo "::error::Base domain registration failed after $MAX_RETRIES attempts."
         echo ""
-        echo "This usually means the account does not have the required"
-        echo "Proof-of-Personhood status for this name."
+        echo "For reserved names (5 characters or fewer) the deployer must be"
+        echo "whitelisted for governance registration. For longer names the"
+        echo "account must hold the required Proof-of-Personhood status."
         echo ""
         echo "To fix this:"
-        echo "  1. Check your POP status:  dotns pop status"
-        echo "  2. Complete personhood verification outside DotNS if needed."
+        echo "  1. Confirm the deployer is whitelisted:  dotns account is-whitelisted <address>"
+        echo "  2. Check PoP status (longer names):       dotns pop status"
         echo "  3. Then re-run this workflow."
         echo ""
         echo "You can also register manually at https://dotns.paseo.li"

.github/labeler.yml

@@ -50,4 +50,4 @@
   - changed-files:
       - any-glob-to-any-file:
           - "**/package.json"
-          - "**/bun.lockb"
+          - "**/bun.lockb"

.github/labels.yml

@@ -140,4 +140,4 @@
 
 - name: "benchmark-complete"
   color: "059669"
-  description: "Benchmark run completed"
+  description: "Benchmark run completed"

.github/semantic.yml

@@ -1,29 +1,31 @@
 {
   "titleOnly": true,
-  "types": [
-    "feat",
-    "fix",
-    "bug",
-    "docs",
-    "style",
-    "refactor",
-    "test",
-    "chore",
-    "ci",
-    "perf",
-    "revert"
-  ],
-  "scopes": [
-    "cli",
-    "ui",
-    "bulletin",
-    "auth",
-    "register",
-    "content",
-    "pop",
-    "lookup",
-    "deps",
-    "ci",
-    "release"
-  ]
-}
+  "types":
+    [
+      "feat",
+      "fix",
+      "bug",
+      "docs",
+      "style",
+      "refactor",
+      "test",
+      "chore",
+      "ci",
+      "perf",
+      "revert",
+    ],
+  "scopes":
+    [
+      "cli",
+      "ui",
+      "bulletin",
+      "auth",
+      "register",
+      "content",
+      "pop",
+      "lookup",
+      "deps",
+      "ci",
+      "release",
+    ],
+}

.github/workflows/actionlint.yml

@@ -0,0 +1,29 @@
+name: Lint Workflows
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - ".github/workflows/**"
+      - ".github/actions/**"
+  pull_request:
+    paths:
+      - ".github/workflows/**"
+      - ".github/actions/**"
+
+permissions:
+  contents: read
+
+jobs:
+  actionlint:
+    name: actionlint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run actionlint
+        uses: docker://rhysd/actionlint:latest
+        env:
+          SHELLCHECK_OPTS: "-e SC2129 -e SC2086 -e SC2193"
+        with:
+          args: -color

.github/workflows/benchmark-on-demand.yml

@@ -140,6 +140,7 @@ jobs:
     secrets:
       dotns-mnemonic: ${{ secrets.DOTNS_MNEMONIC }}
       bulletin-mnemonic: ${{ secrets.DOTNS_MNEMONIC_BENCHMARK }}
+      registrar-operator-mnemonic: ${{ secrets.DOTNS_REGISTRAR_OPERATOR_MNEMONIC }}
 
   build-ui:
     needs: [parse, authorize]
@@ -191,6 +192,7 @@ jobs:
     secrets:
       dotns-mnemonic: ${{ secrets.DOTNS_MNEMONIC }}
       bulletin-mnemonic: ${{ secrets.DOTNS_MNEMONIC_BENCHMARK }}
+      registrar-operator-mnemonic: ${{ secrets.DOTNS_REGISTRAR_OPERATOR_MNEMONIC }}
 
   report-ui:
     needs: [parse, deploy-ui]