Releases: CellScript-Labs/CellScript
CellScript 0.20.0-rc.1
Installation
One-line install (Global)
curl -fsSL https://raw.githubusercontent.com/CellScript-Labs/CellScript/main/scripts/install.sh | sh
One-line install (China mainland)
If raw.githubusercontent.com is unreachable, use a GitHub proxy:
curl -fsSL https://ghgo.xyz/https://raw.githubusercontent.com/CellScript-Labs/CellScript/main/scripts/install.sh | sh
Or force a specific mirror for binary downloads:
# The variable is set on sh, which runs the installer; a prefix on curl would not reach it.
curl -fsSL https://ghgo.xyz/https://raw.githubusercontent.com/CellScript-Labs/CellScript/main/scripts/install.sh | CELLSCRIPT_MIRROR=ghgo sh
Available mirrors: ghgo (ghgo.xyz), ghproxy (gh-proxy.com), ghfast (ghfast.top)
Install specific version
# The variable is set on sh, which runs the installer; a prefix on curl would not reach it.
curl -fsSL https://raw.githubusercontent.com/CellScript-Labs/CellScript/main/scripts/install.sh | CELLSCRIPT_VERSION=0.20.0-rc.1 sh
Alternative: cargo install
cargo install cellscript
Manual download
| Platform | Archive |
|---|---|
| macOS (Apple Silicon) | cellscript-0.20.0-rc.1-aarch64-apple-darwin.tar.gz |
| macOS (Intel) | cellscript-0.20.0-rc.1-x86_64-apple-darwin.tar.gz |
| Linux (x86_64) | cellscript-0.20.0-rc.1-x86_64-unknown-linux-musl.tar.gz |
| Linux (ARM64) | cellscript-0.20.0-rc.1-aarch64-unknown-linux-musl.tar.gz |
Unpack and add to PATH:
tar xzf cellscript-*.tar.gz
mkdir -p ~/.cellscript/bin && mv cellc ~/.cellscript/bin/
export PATH="$HOME/.cellscript/bin:$PATH"
Verify: cellc --version
Environment variables
| Variable | Default | Description |
|---|---|---|
| CELLSCRIPT_HOME | ~/.cellscript | Installation directory |
| CELLSCRIPT_VERSION | latest | Install a specific version |
| CELLSCRIPT_MIRROR | auto | Mirror: auto, direct, ghgo, ghproxy, ghfast |
| CELLSCRIPT_DRY_RUN | 0 | Set to 1 to preview without installing |
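An added example, not taken from the CellScript repository: instead of piping the download straight into sh, stage the installer on disk, compare two independently fetched copies, and preview it with CELLSCRIPT_DRY_RUN=1 before running it. The function names are hypothetical; only the URLs and the variable come from this page.

```shell
#!/bin/sh
# Added example: staged install with a cross-source comparison and a dry run.
# Assumption: install.sh honours CELLSCRIPT_DRY_RUN=1 as the table above says.

DIRECT_URL="https://raw.githubusercontent.com/CellScript-Labs/CellScript/main/scripts/install.sh"
MIRROR_URL="https://ghgo.xyz/$DIRECT_URL"

# sha256_of FILE: print the hex SHA-256 digest (Linux or macOS tooling).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# same_installer A B: 0 if both files are non-empty and byte-identical by
# digest, 1 if they differ, 2 if either is missing or empty.
same_installer() {
  [ -s "$1" ] && [ -s "$2" ] || return 2
  [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# fetch URL DEST: HTTPS only, fail on HTTP errors, write to a file.
fetch() {
  curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# staged_install [URL_A] [URL_B]: download twice, compare, dry-run.
# Prints the path of the staged script on success; nothing is installed here.
staged_install() {
  url_a=${1:-$DIRECT_URL}
  url_b=${2:-$MIRROR_URL}
  stage=$(mktemp -d) || return 1
  if ! fetch "$url_a" "$stage/install.sh" ||
     ! fetch "$url_b" "$stage/install.second.sh"; then
    echo "download failed; nothing was executed" >&2
    rm -rf "$stage"
    return 1
  fi
  if ! same_installer "$stage/install.sh" "$stage/install.second.sh"; then
    echo "installer copies differ; refusing to run either" >&2
    rm -rf "$stage"
    return 3
  fi
  echo "sha256 $(sha256_of "$stage/install.sh")  install.sh" >&2
  # Preview what the installer would do; the variable is set on sh itself.
  if ! CELLSCRIPT_DRY_RUN=1 sh "$stage/install.sh" >&2; then
    rm -rf "$stage"
    return 4
  fi
  # Review the dry-run output, then run: sh <printed path>
  echo "$stage/install.sh"
}
```

Where raw.githubusercontent.com is unreachable, pass two different proxy URLs as arguments. Matching digests show only that both paths served the same bytes, not that the script is authentic.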
Full Changelog: v0.16.2...v0.20.0-rc.1
CellScript 0.16.2
CellScript 0.16.2 is a builder-ergonomics patch for CKB resource identity
handoff. It keeps the 0.16 compiler/runtime scope, while making external
transaction builders less dependent on copied harness conventions.
Highlights
- cellc resource-identity emits a compiler-owned passive resource identity
artifact and JSON plan for resource output type scripts.
- cellc validate-tx --resource-identities checks created resource outputs
against the generated passive identity plan.
- cellc validate-tx --production rejects known fixture-only resource
identities, including devnet always_success and all-zero placeholders, when
they appear as real resource output type scripts.
- cellc explain-assumptions and cellc solve-tx can be scoped with
--entry-action or --entry-lock, so external builders can consume the
selected entrypoint contract instead of whole-module noise.
- Builder-facing contract commands now emit JSON by default; --json remains
accepted for compatibility, and --human prints a short terminal summary.
- cellc builder manifest and cellc builder check are canonical namespace
forms; builder-manifest and builder-check remain aliases.
- cellc entry-witness now exposes raw script-group witness placement in its
default JSON output.
- cellc solve-tx now exposes submit_ready: false, missing builder
steps, structural builder-evidence requirements, a fillable evidence
template, and a fixture identity policy.
- cellc builder manifest and cellc builder check provide a two-step
builder-facing workflow over the lower-level ABI, constraints, witness,
assumption, resource identity, and validation commands.
- Builder docs clarify that scoped action artifacts are active verifiers and
must not be used as passive MintAuthority, Token, Pool, or LPReceipt
resource identities.
Validation
The release patch was validated with the v0.16 CLI/backend suite:
cargo test --test v0_16 -- --nocapture
The suite covers resource identity plan generation and validation, scoped
assumption/solver output, wildcard structural evidence requirements, entry
witness placement, builder manifest/check flow, active artifact misuse
rejection, and production fixture-identity rejection.
The wiki and builder-facing examples were audited so contract commands use the
default JSON output and the canonical cellc builder manifest /
cellc builder check namespace. The old dashed forms and --json flag remain
accepted for compatibility.
The builder UX was also smoke-tested against
WuodOdhis/cellscript-swap-builder main at
479feb004338524d367b6656c6fb356ca7918f28: the external Rust builder accepted
compiler-generated entry witness bytes and passive Token:token_out resource
identity, cellc builder check --production --primitive-strict 0.16 passed the
positive transaction shape, and negative checks rejected both scoped action
artifact and always_success fixture identities for the created token output.
CellScript 0.16.1
CellScript 0.16.1 is a patch release for bundled example lifecycle clarity and
builder handoff. It keeps the 0.16 assurance/tooling scope, while making the
token, launch, AMM, and NFT examples easier to build against from an external
transaction builder.
Highlights
- The token authority mint action is now mint_with_authority, making the
required MintAuthority input explicit.
- The launch bootstrap action is now bootstrap_token.
- bootstrap_token and launch_token expose the first-token-cell path
directly.
- launch_token materialises the Pool and LP receipt topology directly; it
does not rely on an implicit amm_pool.seed_pool call.
- nft.cell now exposes create_collection for the first CollectionCell.
- The token/AMM bootstrap guide documents the CLI-first builder path through
scoped entry selection, ABI inspection, entry-witness generation,
builder-assumption inspection, and transaction JSON validation.
Validation
The release gate was run in production mode against local CKB/devnet
transactions:
./scripts/ckb_cellscript_acceptance.sh --production --stateful-scenarios
python3 scripts/validate_ckb_cellscript_production_evidence.py <report.json>
The validated evidence covers all bundled strict original scoped actions, lock
spend checks, measured cycles, transaction sizes, occupied capacity, and
stateful lifecycle scenarios including launch-to-mint, AMM seed/add/swap/remove,
and NFT collection bootstrap.
CellScript 0.16.0
CellScript 0.16 is an assurance and tooling release. For users, the main change
is that the compiler is no longer just producing an artefact and a metadata
sidecar. It now gives you a clearer view of what a contract expects from a CKB
transaction builder, what is checked by generated verifier code, what still
needs external evidence, and which proof or deployment facts changed between
builds.
This release is deliberately conservative. It improves the day-to-day workflow
for building, reviewing, and packaging CKB-facing CellScript contracts, but it
does not claim full transaction solving, formal verification, or executable CKB
equivalence for every standard compatibility fixture.
NovaSeal now ships with the 0.16 branch as bundled proposal packages and local
acceptance tooling. Its detailed project progress will be tracked separately in
the Nervos Talk thread:
NovaSeal: a Bitcoin-authorised Cell framework for CKB.
What Users Will Notice
Clearer Pre-Production Feedback
--primitive-strict=0.16 is now the strict pre-production mode. It catches
ProofPlan gaps that earlier workflows could leave as audit notes.
In practical terms, this means:
- contracts with metadata-only invariant claims fail earlier;
- runtime-required obligations are surfaced as blockers instead of being easy
to miss in metadata;
- strict builds make it clearer whether a source file is ready for production
evidence or still needs protocol-specific review;
- fail-closed examples now fail for explicit PP0150 reasons rather than hiding
behind older 0.15-era tooling paths.
Some bundled examples intentionally remain strict-fail-closed in 0.16.
token.cell, amm_pool.cell, and launch.cell still contain selected
aggregate or Pool ProofPlan gaps. They remain useful examples, but the release
notes and wiki no longer describe them as strict-clean production artefacts.
Better Builder Handoff
The compiler now gives transaction builders a much more concrete handoff.
Users can inspect:
- required inputs and outputs;
- required cell deps and witness fields;
- capacity, fee, change, and signature policy expectations;
- which assumptions need evidence before signing;
- which assumptions are only structural and which require external material.
The user-facing command is:
cellc explain-assumptions examples/nft.cell --target-profile ckb --json
This is meant for wallet, relayer, SDK, and builder integration work. It does
not replace CKB dry-run or final transaction validation, but it makes the
builder contract visible and reviewable.
Transaction Shape Checks Before Signing
0.16 adds:
cellc validate-tx --against metadata.json tx.json --json
This checks whether a transaction JSON shape lines up with the compiler's
builder assumptions. Use metadata and transaction JSON generated by your build
or builder pipeline. It is useful before signing or handing a transaction to a
separate builder pipeline.
It can catch missing or malformed evidence for assumptions such as TYPE_ID
plans, global uniqueness, lock-group transaction scope, capacity evidence, and
manifest-bound spawn targets.
This is still not a full semantic CKB verifier. Production claims still require
dry-run, capacity checks, cycle evidence, commit evidence, and any external
attestations required by the protocol.
More Useful Transaction Templates
cellc solve-tx now emits a deterministic transaction template rather than
leaving builders to reconstruct all requirements from scattered metadata.
Users should expect a template that names:
- input and output slots;
- dep requirements;
- fee and change expectations;
- signing manifest structure;
- per-lock signature request requirements.
It is not a final solver. It does not pick live cells, resolve headers, compute
final fees, place every witness, or submit the transaction. It gives builders a
stable starting point.
More Practical Audit And Deployment Reports
The metadata tooling surface has expanded around common release-review tasks:
cellc deploy-plan, cellc verify-deploy, cellc diff-deploy,
cellc lock-deps, cellc proof-diff, cellc profile, cellc trace-tx, and
cellc audit-bundle.
The user-visible benefit is that release reviewers can now answer questions
without manually comparing raw metadata files:
- what changed between two ProofPlan records;
- which deployment dependency changed;
- which lock deps are expected;
- which source entries contribute to an audit bundle;
- whether a deployment plan still matches its metadata;
- what a profile exposes to downstream tooling.
These reports are JSON-first so they can be used in CI, wallets, release
scripts, and external audit tooling.
Better Editor Experience
The VS Code extension is aligned with CellScript 0.16.0.
For users, this means the local editor integration now follows the current
cellc --lsp and 0.16 authoring surface. The extension exposes active-file
commands for the report flows that do not require separate input files:
- builder assumptions;
- transaction template;
- deployment plan;
- profile report;
- audit bundle.
Commands that compare or validate separate artefacts remain CLI-first:
validate-tx, trace-tx, proof-diff, verify-deploy, diff-deploy, and
lock-deps.
CKB And Compatibility
Descriptive CKB Compatibility Fixtures
The CKB compatibility suite now documents expected shapes for common Nervos
contracts and patterns:
- sUDT;
- xUDT;
- ACP;
- Cheque;
- Omnilock-compatible locks;
- NervosDAO since/epoch behaviour;
- Type ID.
The manifest is:
tests/compat/ckb_standard/manifest.json
These fixtures are useful for review, planning, and compatibility discussion.
They are not yet executable accepted/rejected CKB VM tests. CKB dry-run remains
the acceptance mechanism for production claims.
CKB Standard Library Protocol Stubs
0.16 adds schema-level stdlib protocol descriptors for:
- std::sudt;
- std::xudt;
- std::type_id;
- std::htlc;
- std::cheque;
- std::acp.
For users, this is a roadmap signal and a tooling anchor. The descriptors make
the intended protocol surface visible, but they are not production modules yet:
there is no CellScript source implementation, assembly generation, or
production CKB evidence for these stdlib protocols in 0.16.
NovaSeal Packaging
NovaSeal is included with the 0.16 branch as bundled proposal packages plus
local devnet/profile acceptance tooling. This means CellScript users can inspect
NovaSeal examples, profiles, schemas, fixtures, and local evidence generation
from the same checkout.
The local acceptance boundary remains explicit. A local run can report:
status=local_devnet_passed_external_endpoint_required
live_devnet_rpc_executed=true
local_blockers=0
external_endpoint_status=external_required
Full external-completeness is stricter and must reach:
status=passed
live_devnet_rpc_executed=true
local_blockers=0
acceptance_blockers=0
blockers=0
external_endpoint_status=passed
NovaSeal is therefore shipping with CellScript as a bundled proposal package,
not as a blanket mainnet-production claim for every CellScript or NovaSeal
profile. External BIP340 TCB review, public BTC SPV evidence, shared CellDep
attestation, and profile-specific external review remain part of the production
acceptance boundary.
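An added example, not part of the CellScript or NovaSeal tooling: a fail-closed CI gate that tells the local-only result apart from full external completeness, using the two report shapes above. It assumes the report has been saved as plain key=value lines exactly as shown; novaseal_gate, report_value and sample_report are hypothetical names.

```shell
#!/bin/sh
# Added example: classify a NovaSeal acceptance report and fail closed.
# Assumption: one key=value pair per line, as in the two listings above.

# report_value FILE KEY: print the value of the last KEY=... line, if any.
report_value() {
  awk -F= -v k="$2" '
    $1 == k { v = substr($0, length(k) + 2); sub(/\r$/, "", v); found = 1 }
    END { if (found) print v }
  ' "$1"
}

# novaseal_gate FILE
#   prints external-complete and returns 0 when every full-completeness field matches
#   prints local-only        and returns 1 for the local devnet result
#   prints failed            and returns 2 for anything else, including missing keys
novaseal_gate() {
  ns_file=$1
  [ -r "$ns_file" ] || { echo failed; return 2; }
  ns_status=$(report_value "$ns_file" status)
  ns_rpc=$(report_value "$ns_file" live_devnet_rpc_executed)
  ns_local=$(report_value "$ns_file" local_blockers)
  ns_ext=$(report_value "$ns_file" external_endpoint_status)

  # Both report shapes require a live devnet run with no local blockers.
  if [ "$ns_rpc" != "true" ] || [ "$ns_local" != "0" ]; then
    echo failed; return 2
  fi
  # Full external completeness: every listed field must be present and exact.
  if [ "$ns_status" = "passed" ] && [ "$ns_ext" = "passed" ] &&
     [ "$(report_value "$ns_file" acceptance_blockers)" = "0" ] &&
     [ "$(report_value "$ns_file" blockers)" = "0" ]; then
    echo external-complete; return 0
  fi
  # Local acceptance only: usable for development, not a production claim.
  if [ "$ns_status" = "local_devnet_passed_external_endpoint_required" ] &&
     [ "$ns_ext" = "external_required" ]; then
    echo local-only; return 1
  fi
  echo failed; return 2
}

# sample_report local|full: the two report shapes listed on this page.
sample_report() {
  case "$1" in
    local) cat <<'EOF'
status=local_devnet_passed_external_endpoint_required
live_devnet_rpc_executed=true
local_blockers=0
external_endpoint_status=external_required
EOF
    ;;
    full) cat <<'EOF'
status=passed
live_devnet_rpc_executed=true
local_blockers=0
acceptance_blockers=0
blockers=0
external_endpoint_status=passed
EOF
    ;;
  esac
}
```

A release job would call novaseal_gate on the saved report and block on any non-zero return, so a local-only pass cannot be promoted by accident.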
Ongoing NovaSeal progress, discussion, and project-facing updates will be
tracked in the Nervos Talk thread:
NovaSeal: a Bitcoin-authorised Cell framework for CKB.
Compatibility
Existing v0.15-style sources can still use default compatibility mode while
migration is in progress.
Use --primitive-strict=0.16 when you want the stricter pre-production
assurance gate. Expect it to reject metadata-only or runtime-required ProofPlan
gaps that were previously visible but not fatal.
The practical migration advice is:
- Compile without strict mode to inspect current metadata.
- Run cellc explain-assumptions <source.cell> --json and review builder obligations.
- Try --primitive-strict=0.16.
- Treat PP0150 as a real readiness signal, not as a compiler nuisance.
- Use CKB dry-run and acceptance evidence before making production claims.
Verification
Focused v0.16 gate:
cargo test --locked -p cellscript --test v0_16 -- --test-threads=1
cargo test --locked -p cellscript proof_plan --lib -- --test-threads=1
cargo check --locked -p cellscript --all-targets
git diff --check
Full scoped 0.16 gate:
cargo fmt --all
cargo check --locked -p cellscript --all-targets
cargo test --locked -p cellscript
cargo clippy --locked -p cellscript --all-targets -- -D warnings
git diff --check
NovaSeal local acceptance entry point:
./scripts/novaseal_devnet_stateful_acceptance.sh --pretty
target/debug/cellc certify --plugin novaseal-profile-v0 --repo-root . --json
Deferred To 0.17
The following items remain outside the scoped 0.16 release:
- executable CKB VM accepted/rejected fixture runner;
- full CKB transaction semantic validation;
- final transaction solver with live cell selection, dep/header resolution,
fee/change calculation, witness placement, signing, and dry-run;
- on-chain deployment verification;
- full CellScript-to-RISC-V/assembly source maps;
- production-ready CKB stdlib protocol implementations;
- executable aggregate invariant lowering;
- iCKB differential tests;
- production formal-verification guarantees;
- deeper compiler cleanups from the comparative audit.
Intentional Boundarie...
CellScript 0.15.0
Release date: 2026-05-26.
CellScript 0.15 is the scoped-invariant, Covenant ProofPlan, and verifier
soundness hardening release. It closes the known fail-open and
semantic-boundary bugs found during the hardening audit, makes verifier
triggers, scope, coverage, builder assumptions, and enforcement gaps explicit
in source and metadata, and promotes cell identity into a first-class primitive
while resetting the capability vocabulary from protocol verbs to kernel
effects.
The short version: 0.15 adds scoped invariant declarations, aggregate
assertion primitives, Covenant ProofPlan metadata and cellc explain-proof,
first-class cell identity policies, explicit destruction policies, a
kernel/protocol primitive split, expression-local unsigned widening, a
compat/strict migration path, semantic-boundary hardening, and renames internal
type_hash metadata fields.
0.15 is intentionally a hardening release, not the final boundary architecture.
It blocks the known dangerous cases and introduces the scaffolding required for
0.16, where the same boundaries can become fully type-enforced, CFG-aware, and
coverage-linked.
Highlights
Verifier Soundness Hardening
0.15 closes the known high-risk boundary leaks where verifier semantics could
be lowered too early into ordinary low-level values, raw byte spans, raw paths,
or syntax occurrences. The hardening work includes:
- fail-closed paths no longer lowering as ordinary Return(U64(error)) values;
- runtime/helper and syscall status paths checked before exposing DSL values;
- lock predicate success requiring canonical bool == 1;
- Molecule semantic field access gated by containing-layout canonicality;
- branch-local and duplicate lifecycle effects conservatively rejected until
CFG-aware resource summaries are complete;
- package/dependency paths contained inside their declared capability roots;
- const initializers restricted to compile-time-safe expressions;
- initial SyscallSpec, IR status-boundary, validated schema planning,
ResourceEffectSummary, and ProofPlan executable-evidence scaffolding.
This is a hardening release. It does not claim full first-class status typing,
full SyscallSpec migration, CFG lifecycle merging, or complete source-to-runtime
ProofPlan evidence linking.
Scoped Invariant Syntax
0.15 adds first-class invariant declarations with explicit trigger, scope,
and reads:
invariant udt_amount_non_increase {
    trigger: type_group
    scope: group
    reads: group_inputs<Token>.amount, group_outputs<Token>.amount
    assert_sum(group_outputs<Token>.amount) <= assert_sum(group_inputs<Token>.amount)
}
Supported triggers: explicit_entry, lock_group, type_group.
Supported scopes: selected_cells, group, transaction.
Invariants are preserved through AST, type checking, IR, module metadata,
formatting, LSP symbols, hover/completions, docs, and scoped CKB entry
compilation.
Aggregate Invariant Primitives
0.15 adds scoped aggregate assertion primitives for common covenant-style
relations:
assert_sum(group_outputs<Token>.amount) <= assert_sum(group_inputs<Token>.amount)
assert_conserved(Token.amount, scope = group)
assert_delta(Token.amount, witness.delta, scope = selected_cells)
assert_distinct(outputs<NFT>.token_id, scope = transaction)
assert_singleton(Config.config_id, scope = group)
Aggregate fields must resolve to fixed-width integer or fixed-byte schema
fields. Dynamic tables, generic collections, and bool fields are rejected.
Non-literal assert_delta arguments must be bound through reads to
witness.* or lock_args.*, so the runtime delta has an auditable source.
Boundary: Aggregate primitives are currently metadata-only for automatic
aggregate verifier-loop lowering. They emit codegen_coverage_status: "gap:metadata-only" and status: "runtime-required" until a later lowering
pass proves them on chain. 0.15 now also cross-references declared aggregate
invariants against checked action obligations; matched obligations are reported
as bounded action coverage, while unmatched declarations remain visible and
gateable.
Covenant ProofPlan Metadata
0.15 adds a ProofPlan stage and cellc explain-proof audit surface.
Runtime, action, function, and lock metadata expose ProofPlan records with:
- invariant name and source span
- trigger, scope, reads, coverage
- input/output relation checks
- group cardinality
- identity/lifecycle policy
- builder assumptions
- diagnostics and codegen coverage status
- matched/unmatched invariant action coverage
cellc explain-proof prints trigger/scope/reads/coverage/on-chain status in
human-readable and JSON output.
ScriptArgs and lock_args provenance is reported under reads.lock_args,
not reads.witness; witness remains reserved for transaction witness data.
cellc check --deny-runtime-obligations rejects runtime-required ProofPlan
gaps, including declared invariants whose coverage is still metadata-only or
whose action coverage is unmatched.
Production and strict gates also reject records that claim checked runtime
coverage without executable evidence. Static or metadata-only details such as
checked-static do not populate executable runtime/codegen evidence.
Lock-group transaction risk diagnostics warn when a lock_group verifier
scans transaction-wide views, because only inputs sharing that lock trigger
the verifier.
Expression-local Unsigned Widening
0.15 defines a deliberately bounded coercion rule for primitive unsigned
integers. CellScript may widen u8 -> u16 -> u32 -> u64 -> u128 only inside
arithmetic and numeric comparison expressions.
This is not a general implicit numeric coercion feature. Assignment, return,
ABI, witness, create layout, struct field initialization, Molecule layout,
and serialization boundaries remain exact-type boundaries. Integer literals may
be context-typed by an expected primitive integer type, but non-literal values
must use an explicit cast at boundaries:
let total: u64 = amount_u64 + fee_u16 // accepted expression-local widening
let stored: u64 = fee_u16 // rejected boundary widening
let stored: u64 = fee_u16 as u64 // accepted explicit boundary cast
Compound assignment is a write boundary: target += rhs is valid only when
rhs is the same width as, or narrower than, target. Generic u128
arithmetic and ordering remain unsupported except for explicitly implemented
u128 delta and equality paths.
Cell Identity and TYPE_ID Lifecycle
0.15 promotes cell identity from a metadata annotation into a first-class
primitive policy:
resource Token has store {
    identity(ckb_type_id)
    amount: u64
}
Supported identity policies:
| Policy | Meaning | 0.15 executable boundary |
|---|---|---|
| identity none | No identity tracking (default, backward compatible) | No identity verifier is emitted |
| identity ckb_type_id | CKB TYPE_ID: derived from first input + output index | create_unique requires a TYPE_ID output plan and reports global creation uniqueness as runtime-required; replace_unique preserves TypeHash |
| identity field(path) | Fixed-width field identity within the data payload | create_unique anchors the output field bytes and reports global uniqueness as runtime-required; replace_unique compares input/output field bytes |
| identity script_args | Identity derived from the executing script args | create_unique anchors the output LockHash and reports global uniqueness as runtime-required; replace_unique preserves LockHash |
| identity singleton_type | Singleton type identity | create_unique anchors the output TypeHash and reports singleton creation exclusivity as runtime-required; replace_unique preserves TypeHash |
Identity-aware lifecycle forms:
// Identity-aware creation
let minted = create_unique<Token>(identity = ckb_type_id) {
    amount: 100
} with_lock(recipient)

// Identity-aware replacement (consumes input, preserves identity)
let updated = replace_unique<Token>(identity = ckb_type_id) old {
    amount: old.amount - 50
}
IrInstruction::CreateUnique and IrInstruction::ReplaceUnique carry
identity metadata through the full compile pipeline. TypeMetadata.identity_policy
exposes the policy in compiled JSON metadata (hidden when none).
replace_unique has the syntax
replace_unique<T>(identity = policy) input_cell { ... }; the input operand is
required because the verifier compares the consumed Cell with the replacement
output. It does not take a with_lock(...) clause.
For create_unique policies, 0.15 emits local runtime anchors for the created
output and records the full global uniqueness proof as runtime-required.
For ckb_type_id, the remaining boundary is the TYPE_ID builder plan. For
field-, script-args-, and singleton-type creation, global uniqueness remains a
builder/indexer responsibility outside the CKB-VM execution scope.
Explicit Destruction Policies
0.15 adds policy-specific destruction forms so the compiler and verifier know
what is being proved:
| Form | What it proves |
|---|---|
| destroy_singleton_type(cell) | No output with the same TypeHash exists |
| destroy_unique(cell, identity = type_id) | TYPE_ID continuation absence, lowered through the same output TypeHash scan |
| destroy_instance(cell, identity_field = id) | A field-identified instance destruction intent; full same-field output scan is runtime-required |
| burn_amount(cell, field = amount) | Quantity-delta burn intent; executable delta proof is runtime-required |
Bare destroy cell still compiles as DestructionPolicy::Default. In strict
mode it must be authori...
CellScript 0.14.0
CellScript 0.14 is focused on CKB semantic completeness rather than another syntax cleanup pass. The release exposes more of the concrete CKB transaction surface directly in source, metadata, and validation: bounded Spawn/IPC verifier reuse, structured WitnessArgs access, explicit Source views, ScriptGroup and outputs_data metadata validation, TYPE_ID create-plan metadata, strict script-reference records, CKB-profile since/time/epoch helpers, capacity-floor metadata, and fixed-Hash dynamic Blake2b support. The action model remains the explicit verifier model from 0.13; 0.14 only completes the intentional state-edge spelling cleanup from legacy move to transition.
The validation story is also stricter. The current release has passed the full CKB release gate with builder-backed production actions, local CKB stateful scenarios, valid and invalid lock-spend coverage, measured cycles, transaction size, occupied capacity, syntax-combination fuzzing, VS Code extension dry-run packaging, and the new 0.14 scope audit. The boundary is deliberately conservative: Spawn/IPC is bounded verifier reuse, not full protocol composability; ScriptGroup, outputs_data, and TYPE_ID are metadata/tamper validated in 0.14, while full accepted/rejected CKB transaction fixture matrices remain a later compatibility-suite track.
CellScript 0.13.2
Key Updates
- Stack-backed Vec<T> helpers with fixed-width elements and local runtime support.
- Canonical action/update syntax:
  - action f(input: T) -> output: T
  - where proof block
  - Explicit move for state transitions
- Lock-boundary data sources: protected, witness, lock_args
- Stdlib & metadata patterns enforce explicit verifier obligations.
- Full stateful scenario coverage: 7 end-to-end scenarios + 43 production actions.
Not Included (Future Work)
- Hidden signer authority or default sighash
- Full generic maps
- Cell-backed collection ownership
- Declarative capacity/since policies
Compatibility
- Canonical actions follow signature-direction outputs.
- State transitions use move before.state: A -> after.state: B.
- Persistent outputs named explicitly: create output = T { ... }.
- Tooling: VS Code extension 0.13.2, metadata schema 30.
Collections & Vec<T>
- Stack-backed helpers: Vec<u64>, Vec<Address>, Vec<Hash>.
- Full runtime lowering: push, pop, insert, remove, first, last, reverse, etc.
- Does not support full generic HashMap<K,V> or cell-backed Vec<Cell<T>>.
- Option<T> reserved for future use.
Surface Syntax & Examples
- Module/import style: module cellscript::token
- Persistent declarations use capability lists.
- Action outputs are deterministic and named.
- move + where for state transitions and proofs.
- require condition for verifier guards.
- Flow declarations explicitly describe state graphs.
- Clean examples separated from profiled acceptance tests.
Verification & Release Gate
- ./scripts/cellscript_ckb_release_gate.sh full runs:
  - Rust formatting, checks, tests, clippy
  - VS Code extension dry-run
  - Syntax-combination audits + stateful business-flow coverage
Stateful CKB Evidence
- 7 end-to-end scenarios: token, NFT sale, timelock, launch, AMM, vesting, multisig.
- 46 committed steps + 20 action-branch scenarios.
- Covers all 43 production actions with dry-run, committed tx, cycles, size, capacity checks.
Stdlib & CLI
- Lifecycle helpers: transfer, claim, settle.
- CLI (cellc) commands: build, new, explain, explain-generics.
- Typed Vec<T> helpers report element width, capacity, and helper usage.
Backend & ELF
- Internal ELF assembler restricted to allowed mnemonics.
- Stack-frame load/store, large immediates, and u128 ops materialized explicitly.
- State storage remains explicit cell data; create uses declared state names.
- Preserved-field verification strictly fail-closed.
Important Boundaries
- Address is not a signer proof.
- witness Address is not sighash authorization.
- Full GNU/RISC-V instruction support is not included.
- No implicit signer defaults or Cell-backed ownership in 0.13.
CellScript 0.12.0
CellScript 0.12 moves the project from a prototype DSL toward a production-gated compiler and local tooling release for the current CKB bundled suite.
Highlights:
- CKB bundled suite closed for current scope: all seven examples strict-admitted, deployed, and action-covered in production acceptance.
- Full bundled coverage: 43/43 source actions, 15/15 locks, builder-backed local CKB transactions, measured cycles, tx size, and occupied-capacity evidence.
- Production-facing metadata and constraints now expose runtime errors, ABI shape, CKB hash/DepGroup policy, capacity requirements, and artifact verification.
- Local package workflow covers init/build/check/fmt/doc, path dependencies, lockfile checks, and artifact validation.
- VS Code extension is included with the CellScript LSP, not just syntax highlighting.
- Wiki and docs were refreshed for 0.12.
Boundary: this production claim applies to the bundled 0.12 suite and its recorded evidence. External contracts still require metadata review, builder evidence, CKB acceptance reports, and security review.