CLI Reference #

The Mergeproof CLI (@mergeproof/cli) is the primary interface for interacting with the Mergeproof protocol. Create bounties, submit PRs, report bugs, attest code quality, and manage your wallet -- all from the terminal.

Installation #

Bash

# Install globally
npm install -g @mergeproof/cli

# Or use without installing
npx @mergeproof/cli <command>

# Or within the monorepo
pnpm install
pnpm --filter @mergeproof/cli build

After installation, the mergeproof binary is available in your PATH.

Configuration #

Environment Variables #

Variable	Description	Default
`MERGEPROOF_PRIVATE_KEY`	Wallet private key (0x-prefixed hex)	Auto-generated
`MERGEPROOF_NETWORK`	Target network: `production`, `staging`, `local`	`production`
`MERGEPROOF_GENLAYER_RPC`	Override GenLayer RPC endpoint	Per-network default
`MERGEPROOF_BASE_RPC`	Override Base RPC endpoint	Per-network default
`MERGEPROOF_BOUNTY_REGISTRY`	GenLayer BountyRegistry contract address	Per-network default
`MERGEPROOF_ESCROW_ADDRESS`	EVM Escrow contract address	Per-network default
`MERGEPROOF_TOKEN_ADDRESS`	ERC20 token contract address	Per-network default
`GITHUB_TOKEN`	GitHub PAT for posting comments on issues/PRs	(optional)
`MERGEPROOF_POST_TO_GITHUB`	Set `false` to disable GitHub comment posting	`true`
`MERGEPROOF_DEV_MODE`	Enable dev mode (shorter review windows)	`false`
`DEBUG`	Set `1` to print raw GenLayer receipts	(off)

Networks #

Network	GenLayer RPC	Base RPC	Chain
`production`	`https://studio.genlayer.com/api`	`https://mainnet.base.org`	Base
`staging`	`https://studio-stage.genlayer.com/api`	`https://sepolia.base.org`	Base Sepolia
`local`	`http://127.0.0.1:4000/api`	`http://127.0.0.1:8545`	Anvil

Wallet Management #

The CLI resolves wallets in this order:

MERGEPROOF_PRIVATE_KEY environment variable
Stored wallet at ~/.mergeproof/wallet.json
Auto-generates a new wallet (saved to ~/.mergeproof/wallet.json with 0600 permissions)

Global Options #

mergeproof [options] <command>

Option	Description
`--json`	Output all results as JSON (for scripting and AI agents)
`--network <env>`	Network: `production` (default), `staging`, `local`
`--keystore <path>`	Path to Foundry keystore file
`--ledger`	Use Ledger hardware wallet (not yet implemented)
`--trezor`	Use Trezor hardware wallet (not yet implemented)
`--walletconnect`	Use WalletConnect (not yet implemented)
`--version`	Show version number
`--help`	Show help

Command Reference #

`mergeproof bounty` -- Manage bounties #

`bounty create`#

Create a new bounty for a GitHub issue. Deposits funds into the EVM Escrow contract and registers the bounty on GenLayer.

Bash

mergeproof bounty create \
  --repo owner/repo \
  --issue 42 \
  --amount 100

Option	Required	Description
`--repo <owner/repo>`	Yes	GitHub repository (e.g. `myorg/myapp`)
`--issue <number>`	Yes	GitHub issue number
`--amount <value>`	Yes	Bounty amount in tokens (e.g. `100`)
`-t, --token <address>`	No	ERC20 token address (defaults to configured token)
`--stake-ratio <percent>`	No	PR submitter stake ratio, 5-25% (default: `10`)
`--attestation-pool <value>`	No	Attestation pool amount (default: 10% of bounty)
`--window <hours>`	No	Review window duration, 24-168 hours (default: `72`)
`--bounty-id <id>`	No	Custom bounty ID (auto-generated if omitted)
`-y, --yes`	No	Skip confirmation prompt

The command:

Checks your token balance
Verifies the bounty ID is unique
Checks repository permissions
Deposits funds on EVM Escrow (bounty + attestation pool)
Creates the bounty on GenLayer
Posts a comment on the GitHub issue (if GITHUB_TOKEN is set)

`bounty list`#

List bounties with optional filtering and pagination.

Bash

mergeproof bounty list
mergeproof bounty list --status open --limit 10
mergeproof bounty list --offset 50 --limit 25

Option	Description
`--status <status>`	Filter: `open`, `in_review`, `completed`
`--token <address>`	Filter by token address
`--offset <number>`	Skip N results for pagination (default: `0`)
`--limit <number>`	Max results per page (default: `50`)
`--sort <order>`	Sort: `newest` (default) or `oldest`

`bounty info <bounty-id>`#

Get detailed information about a specific bounty.

Bash

mergeproof bounty info bounty_a1b2c3d4e5f6g7h8

Displays: ID, repo, issue, amount, token, stake ratio, stake required, attestation pool, review window, status, owner, creation date, and current submission.

`bounty configure <bounty-id>`#

Update bounty configuration (owner only). Not available in v1 -- bounty parameters are immutable.

`mergeproof pr` -- Manage PR submissions #

`pr submit`#

Submit a PR for a bounty. Stakes the required amount (bounty amount * stake ratio) on the EVM Escrow.

Bash

mergeproof pr submit \
  --bounty bounty_a1b2c3d4e5f6g7h8 \
  --pr 15 \
  --commit abc123def456

Option	Required	Description
`--bounty <id>`	Yes	Bounty ID
`--pr <number>`	Yes	Pull request number
`--commit <hash>`	Yes	Commit hash to lock for review
`-y, --yes`	No	Skip confirmation prompt

The command:

Fetches bounty details and calculates stake
Checks existing stake (incremental staking supported)
Deposits any additional stake needed on EVM
Registers the submission on GenLayer
Posts to the GitHub PR (if GITHUB_TOKEN is set)

`pr retry`#

Retry a submission with a new commit after fixing bugs found during review.

Bash

mergeproof pr retry \
  --bounty bounty_a1b2c3d4e5f6g7h8 \
  --commit newcommithash123

Option	Required	Description
`--bounty <id>`	Yes	Bounty ID
`--commit <hash>`	Yes	New commit hash
`-y, --yes`	No	Skip confirmation prompt

If your stake was partially slashed from validated bugs, the retry command tops up the stake automatically.

`pr claim`#

Claim the bounty after the review window passes without critical issues.

Bash

mergeproof pr claim --bounty bounty_a1b2c3d4e5f6g7h8
mergeproof pr claim --bounty bounty_a1b2c3d4e5f6g7h8 --wait

Option	Required	Description
`--bounty <id>`	Yes	Bounty ID
`--wait`	No	Poll for Base settlement confirmation (up to 5 min)

`pr abandon`#

Abandon a submission. This forfeits your stake.

Bash

mergeproof pr abandon --bounty bounty_a1b2c3d4e5f6g7h8 --confirm

Option	Required	Description
`--bounty <id>`	Yes	Bounty ID
`--confirm`	Yes	Required safety flag (stake is forfeited)

`pr status [submission-id]`#

Check the status of a submission. Accepts a submission ID directly or looks up the current submission for a bounty.

Bash

mergeproof pr status sub_12345
mergeproof pr status --bounty bounty_a1b2c3d4e5f6g7h8

Option	Description
`--bounty <id>`	Look up current submission by bounty ID

Displays: submission ID, bounty ID, PR number, commit hash, attempt number (max 3), status, staked amount, current bounty value, total reduction, window start/end, and time remaining.

`mergeproof bug` -- Manage bug reports #

`bug report`#

Report a bug against an active submission. Requires a stake of 0.25% of the bounty amount.

Bash

mergeproof bug report \
  --bounty bounty_a1b2c3d4e5f6g7h8 \
  --commit abc123def456 \
  --severity major \
  --description "SQL injection in login handler"

Option	Required	Description
`--bounty <id>`	Yes	Bounty ID
`--commit <hash>`	Yes	Commit hash being reviewed
`--severity <level>`	Yes	`minor`, `major`, or `critical`
`--description <text>`	Yes	Bug description
`--evidence <url>`	No	URL to evidence (screenshot, PoC, etc.)
`-y, --yes`	No	Skip confirmation prompt

The bounty must be in in_review status. The command deposits 0.25% of the bounty as stake, then submits the report to GenLayer.

`bug validate <bug-id>`#

Validate a bug report (bounty owner only). Marks the bug as valid (rewards the hunter) or invalid (slashes the hunter's stake).

Bash

# Accept the bug as valid
mergeproof bug validate bug_12345 --valid

# Reject the bug
mergeproof bug validate bug_12345 --invalid

# Accept but rescope severity
mergeproof bug validate bug_12345 --valid --severity minor

Option	Description
`--valid`	Mark bug as valid (rewards hunter)
`--invalid`	Mark bug as invalid (slashes hunter stake)
`--severity <level>`	Rescope severity: `minor`, `major`, or `critical`

Exactly one of --valid or --invalid is required.

`bug list <submission-id>`#

List all bug reports for a submission.

Bash

mergeproof bug list sub_12345

Displays severity (with color-coded icons), bug ID, description, reporter, and validation status.

`bug info <bug-id>`#

Get details for a single bug report. Not yet implemented -- use bug list instead.

`mergeproof attest` -- Manage code attestations #

`attest submit`#

Attest that a submission's code is bug-free. Stakes 1% of the bounty amount.

Bash

mergeproof attest submit --bounty bounty_a1b2c3d4e5f6g7h8

Option	Required	Description
`--bounty <id>`	Yes	Bounty ID
`-y, --yes`	No	Skip confirmation prompt

Risk/reward:

If no valid bugs are found: get your stake back + 0.5% of bounty from the attestation pool
If valid bugs are found: your stake is slashed

The bounty must be in in_review status and have a non-zero attestation pool.

`attest list <bounty-id>`#

List all attestations for a bounty.

Bash

mergeproof attest list bounty_a1b2c3d4e5f6g7h8

Displays attestor GitHub username, wallet address, and attestation timestamp.

`mergeproof identity` -- GitHub identity verification #

`identity start`#

Generate a verification challenge string to link your wallet to your GitHub account.

Bash

mergeproof identity start

Post the returned challenge string to one of:

Your GitHub bio
A profile README (github.com/<username>/<username>)
A public gist

`identity verify`#

Complete verification after posting the challenge to GitHub.

Bash

mergeproof identity verify --github yourname

Option	Required	Description
`--github <username>`	Yes	Your GitHub username

`identity status`#

Check your current identity verification status.

Bash

mergeproof identity status

Displays whether your wallet is linked, the associated GitHub username, and verification timestamp.

`identity dev-register`#

Bash

mergeproof identity dev-register --github testuser

Option	Required	Description
`--github <username>`	Yes	GitHub username to register

`mergeproof wallet` -- Wallet and token management #

`wallet balance`#

Check your ETH and token balances.

Bash

mergeproof wallet balance
mergeproof wallet balance --token 0x1234...abcd

Option	Description
`-t, --token <address>`	Check balance of a specific ERC20 token

`wallet info`#

Show wallet address, contract addresses, and balances.

Bash

mergeproof wallet info

Displays: network, wallet address, ETH balance, token balance, escrow address, token address, and registry address.

`wallet send`#

Send ETH or ERC20 tokens.

Bash

# Send ETH
mergeproof wallet send --to 0xRecipient --amount 0.1

# Send ERC20 tokens
mergeproof wallet send --to 0xRecipient --amount 50 --token 0xTokenAddress

Option	Required	Description
`--to <address>`	Yes	Recipient address
`--amount <amount>`	Yes	Amount to send
`--token <address>`	No	ERC20 token address (omit for ETH)
`-y, --yes`	No	Skip confirmation prompt

`wallet import <private-key>`#

Import an existing private key. Overwrites any existing stored wallet.

Bash

mergeproof wallet import 0xYourPrivateKeyHere

Option	Description
`-y, --yes`	Skip overwrite confirmation

`wallet export`#

Display your private key. Requires interactive confirmation.

Bash

mergeproof wallet export

If the wallet is configured via MERGEPROOF_PRIVATE_KEY, the command reports that instead.

`wallet faucet`#

Request test tokens from the faucet. Only works on local and staging networks.

Bash

mergeproof wallet faucet

`mergeproof config` -- Configuration #

`config show`#

Display the resolved configuration: network, RPC endpoints, contract addresses, wallet info, and wallet source.

Bash

mergeproof config show

JSON Output Mode #

Pass --json to any command for machine-readable output. All commands emit structured JSON to stdout.

Bash

mergeproof --json bounty list --status open

Success response:

JSON

{
  "success": true,
  "message": "Bounty created",
  "data": {
    "bounty_id": "bounty_a1b2c3d4",
    "repo": "myorg/myapp",
    "issue": 42,
    "amount": "100",
    "evm_tx": "0x...",
    "genlayer_tx": "0x..."
  }
}

Error response:

JSON

{
  "success": false,
  "error": "Bounty not found",
  "error_code": "NOT_FOUND",
  "retriable": false
}

Error codes:

Code	Exit Code	Description
`INVALID_INPUT`	2	Bad arguments or insufficient balance
`NOT_FOUND`	3	Bounty, submission, or identity not found
`CONFIG_ERROR`	4	Missing contract address or unknown network
`STATE_ERROR`	5	Invalid state transition (e.g. bounty not open)
`NETWORK_ERROR`	11	RPC connection failure (retriable)
`TX_FAILED`	11	Transaction reverted (may be retriable)

Non-interactive environments (CI, pipes) require -y or --yes for commands that prompt for confirmation.

Example Workflows #

1. Full Bounty Lifecycle #

Bash

# Set up your wallet
export MERGEPROOF_PRIVATE_KEY=0xYourKey
export MERGEPROOF_NETWORK=staging

# Link your GitHub identity
mergeproof identity start
# Post the challenge to your GitHub bio, then:
mergeproof identity verify --github yourname

# Create a bounty on an issue
mergeproof bounty create \
  --repo myorg/myapp \
  --issue 42 \
  --amount 100 \
  --stake-ratio 10 \
  --window 72

# (Developer fixes the issue in a PR)

# Submit your PR
mergeproof pr submit \
  --bounty bounty_a1b2c3d4e5f6g7h8 \
  --pr 15 \
  --commit abc123def456

# Wait for the 72-hour review window...

# Claim the bounty after the window closes
mergeproof pr claim \
  --bounty bounty_a1b2c3d4e5f6g7h8 \
  --wait

2. Bug Hunting Workflow #

Bash

# Find open bounties
mergeproof bounty list --status in_review

# Inspect a bounty
mergeproof bounty info bounty_a1b2c3d4e5f6g7h8

# Report a bug (stakes 0.25% of bounty)
mergeproof bug report \
  --bounty bounty_a1b2c3d4e5f6g7h8 \
  --commit abc123def456 \
  --severity critical \
  --description "Buffer overflow in parser allows arbitrary code execution" \
  --evidence "https://gist.github.com/yourbugpoc"

# Check bug report status
mergeproof pr status --bounty bounty_a1b2c3d4e5f6g7h8

3. Attestation Workflow #

Bash

# Find bounties in review
mergeproof bounty list --status in_review

# Review the code, then attest (stakes 1% of bounty)
mergeproof attest submit --bounty bounty_a1b2c3d4e5f6g7h8

# Check attestations
mergeproof attest list bounty_a1b2c3d4e5f6g7h8

4. AI Agent Integration #

Bash

# All commands support --json for programmatic use
BOUNTY_ID=$(mergeproof --json bounty create \
  --repo myorg/myapp \
  --issue 42 \
  --amount 100 \
  -y | jq -r '.data.bounty_id')

echo "Created bounty: $BOUNTY_ID"

# List bounties as JSON
mergeproof --json bounty list --status open | jq '.bounties[] | .id'

# Check status programmatically
STATUS=$(mergeproof --json pr status --bounty "$BOUNTY_ID" | jq -r '.status')

mergeproof --network staging bounty list

"Escrow contract not configured"#

Set MERGEPROOF_ESCROW_ADDRESS or ensure you're on a network with pre-configured contracts.

"Insufficient balance"#

Check your balance and get test tokens on local/staging:

Bash

mergeproof wallet balance
mergeproof wallet faucet   # local/staging only

"Cannot prompt for confirmation in non-interactive mode"#

Add -y or --yes to skip confirmation prompts in CI/scripts:

Bash

mergeproof bounty create --repo org/repo --issue 1 --amount 100 -y

Transaction failures #

Set DEBUG=1 to see full GenLayer transaction receipts:

Bash

DEBUG=1 mergeproof pr submit --bounty <id> --pr 5 --commit abc123

GitHub comments not posting #

Ensure GITHUB_TOKEN is set with repo scope. Disable posting with:

Bash

export MERGEPROOF_POST_TO_GITHUB=false