@nullis/cli is the operator-facing tool. Before a policy touches the chain, the CLI checks it is well-formed and canonical; after a decision, it renders the Privacy Receipt in a readable form — for successes and blocks alike.
The policy manifest
A policy is a readable JSON manifest, hashed to policy_hash and registered on-chain with an active version.
Field reference
| Field | Type | Meaning |
|---|---|---|
| policy_id | integer | Unique id, referenced by verify_and_execute |
| version | integer | Bumped on every root rotation; stale versions are rejected |
| action_type | transfer \| access_grant | What the contract executes on success |
| asset | string | The asset the policy authorizes |
| max_amount | integer | Upper bound the contract enforces (amount ≤ max_amount) |
| approved_root | field | Merkle root of approved credential commitments |
| app_domain | string | Domain separator for cross-app unlinkable nullifiers |
| expiry | unix ts | After this, all proofs are rejected |
Validate a manifest
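The field reference above, turned into a well-formedness check as an added example (this is not @nullis/cli's own code, and it does not reproduce the CLI's canonicalization or hashing). It assumes integers arrive as non-negative JSON numbers, that approved_root is carried as a 0x-prefixed hex string, and that unknown keys are rejected; `checkManifest`, `RULES` and the sample values are illustrative names.

```javascript
// Rules transcribed from the field reference table.
// Assumptions (not stated on the page): integers are non-negative,
// approved_root is 0x-prefixed hex, unknown keys are an error.
// JSON numbers above 2^53 lose precision, so only safe integers pass.
const isUint = (v) => Number.isSafeInteger(v) && v >= 0;
const isText = (v) => typeof v === "string" && v.length > 0;
const isRoot = (v) => typeof v === "string" && /^0x[0-9a-fA-F]{1,64}$/.test(v);
const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const RULES = {
  policy_id: [isUint, "must be a non-negative integer"],
  version: [isUint, "must be a non-negative integer"],
  action_type: [(v) => v === "transfer" || v === "access_grant", "must be transfer or access_grant"],
  asset: [isText, "must be a non-empty string"],
  max_amount: [isUint, "must be a non-negative safe integer"],
  approved_root: [isRoot, "must be a 0x-prefixed hex field element (assumed encoding)"],
  app_domain: [isText, "must be a non-empty string"],
  expiry: [isUint, "must be a unix timestamp in seconds"],
};

// Returns a list of problems; an empty list means the manifest is well-formed.
function checkManifest(manifest, nowSeconds) {
  if (manifest === null || typeof manifest !== "object" || Array.isArray(manifest)) {
    return ["manifest must be a JSON object"];
  }
  const problems = [];
  for (const [field, [ok, message]] of Object.entries(RULES)) {
    if (!has(manifest, field)) problems.push(`${field}: missing`);
    else if (!ok(manifest[field])) problems.push(`${field}: ${message}`);
  }
  for (const key of Object.keys(manifest)) {
    if (!has(RULES, key)) problems.push(`${key}: unknown field`);
  }
  // After expiry all proofs are rejected, so flag a policy that is already dead.
  if (isUint(manifest.expiry) && manifest.expiry <= nowSeconds) {
    problems.push("expiry: already in the past");
  }
  return problems;
}

// Constructed sample manifest (values are illustrative, not from Nullis).
const sample = {
  policy_id: 1, version: 1, action_type: "transfer", asset: "USDC",
  max_amount: 1000, approved_root: "0x1a2b3c", app_domain: "example.app",
  expiry: 2000000000,
};
console.log(checkManifest(sample, 1700000000));
```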
Render a Privacy Receipt
The receipt renders the same way whether the decision was a success or a block — that duality is the point.
Canonical vocabulary
The CLI — and everything in Nullis — uses one fixed set of terms, no synonyms:
| Term | Meaning |
|---|---|
| policy / policy manifest | Readable JSON config, hashed to policy_hash, registered on-chain |
| approved root | Per-policy, per-version Merkle root of approved credential commitments |
| commitment | Poseidon(credential_secret) |
| nullifier | Domain-separated, cross-app unlinkable one-time marker |
| context_hash | Binds a proof to one exact action |
| action_id / intent_nonce | One application-created authorization intent, consumed on-chain |
| app_domain / app_domain_hash | Domain separator that makes one credential unlinkable across apps |
| Privacy Receipt | The inspectable artifact emitted after every decision |
Publish flow
How policies are registered and versioned on-chain.