docs: automated updates for new_feature

[jessiemongeon1]

Summary

Automated documentation updates triggered by recent release notes.

Changes

Triggered by MystenLabs/seal#559: [cli] add option for onchain ops with --unsigned, update docs

• 🔴 docs/content/SealCLI.mdx
• 🔴 docs/content/KeyServerOps.mdx
• 🔴 docs/content/KeyServerCommitteeOps.mdx

Review details

docs/content/SealCLI.mdx

The documentation page needs updating. The current page covers CLI commands for encryption, decryption, key generation (local demo keys), extraction, parsing, and fetching keys, but it does not document any on-chain CLI operations such as:

• genkey with on-chain registration (register)
• process-all and propose
• approve-upgrade, reject-upgrade, authorize-upgrade

Since these on-chain operations are not documented on this page at all, the --unsigned flag that was added to them is also not documented.

What needs to be added:

A new section (e.g., after Section 7 or as a separate section) should document the on-chain CLI operations and mention the --unsigned flag. Specifically:

1. New section: On-chain operations — Document the on-chain CLI commands that exist: genkey (with registration), process-all, propose, approve-upgrade, reject-upgrade, and authorize-upgrade. Even brief descriptions of what these commands do would be valuable.

2. --unsigned flag documentation — For each on-chain command, document the --unsigned flag, explaining that it allows users to output an unsigned transaction instead of signing with the Sui CLI wallet keystore. This enables users to bring their own wallet/signer to sign the transaction externally.

   For example, a paragraph or subsection like:

   Using --unsigned for external signing

   All on-chain CLI operations support the --unsigned flag. When provided, the CLI outputs the unsigned transaction bytes (e.g., base64-encoded) instead of signing and submitting the transaction using the local Sui keystore. This allows users to sign the transaction with their own wallet or signing infrastructure.

   Example:

   cargo run --bin seal-cli genkey --unsigned

This is a meaningful gap — the page currently only covers local/offline operations and the encrypt/fetch-keys commands that interact with key servers, but none of the on-chain administrative operations are documented here.

docs/content/KeyServerOps.mdx

The documentation page needs updating. The PR adds an --unsigned flag to all on-chain CLI operations, which allows users to produce unsigned transactions and sign them with their own wallet instead of relying on the Sui CLI wallet keystore. This page contains several sui client call commands for on-chain operations (registering key servers, updating URLs, transferring objects) but does not mention the --unsigned flag or the possibility of using an external wallet for signing.

Specific sections that need updating:

1. Open mode section — The sui client call command for registering the key server onchain:

   sui client call --function <FUNCTION_NAME> --module key_server --package <SEAL_PACKAGE_ID> --args <YOUR_SERVER_NAME> https://<YOUR_URL> 0 <MASTER_PUBKEY>

   This should mention that users can alternatively use the --unsigned flag (or the equivalent seal-cli command with --unsigned) to produce an unsigned transaction for signing with an external wallet.

2. Register a client section (Permissioned mode) — The sui client call command for registering a client's key server object:

   sui client call --function <FUNCTION_NAME> --module key_server --package <SEAL_PACKAGE_ID> --args <YOUR_SERVER_NAME> https://<YOUR_URL> 0 <PUBKEY_<INDEX>>

   Same update needed here.

3. Export and import keys section — The sui client call --function update command:

   sui client call --function update --module key_server --package <SEAL_PACKAGE_ID> --args <KEY_SERVER_OBJECT_ID_0> https://<NEW_URL>

   And the sui transfer command. These should also mention the --unsigned option.

What is currently missing:
There is no mention anywhere on this page that on-chain operations can be performed without the Sui CLI keystore by using an --unsigned flag, which outputs an unsigned transaction that can be signed by an external wallet.

Suggested update:
After the first sui client call example in the Open mode section (or as a general note near the top of the page, perhaps after the "Network configuration" section), add a note explaining that all on-chain CLI commands support an --unsigned flag. For example:

Using an external wallet: All on-chain operations (key server registration, updates, transfers, upgrades) support an --unsigned flag. When this flag is provided, the CLI outputs an unsigned transaction (as a base64-encoded TransactionKind) instead of signing and submitting it. This allows you to sign the transaction with your own wallet or custody solution rather than relying on the Sui CLI keystore.

Additionally, the page references direct sui client call commands rather than seal-cli subcommands for the on-chain operations. If the PR introduced dedicated seal-cli subcommands (like seal-cli register, seal-cli approve-upgrade, etc.) with the --unsigned flag, the page should be updated to show those commands as the primary approach, with the --unsigned variant shown as an alternative. At minimum, the existing sui client call examples should note that equivalent seal-cli commands exist and support --unsigned.

docs/content/KeyServerCommitteeOps.mdx

The documentation page already covers the --unsigned flag for some commands but NOT for all the commands mentioned in the PR. Let me check carefully:

Commands mentioned in the PR that should have --unsigned documented:

1. genkey-and-register (gen key and register)
2. process-all-and-propose (process all and propose)
3. approve-upgrade
4. reject-upgrade
5. authorize-upgrade
6. propose (if separate from process-all-and-propose)

What the page currently documents:

• genkey-and-register — ✅ Has --unsigned note in Fresh DKG member runbook step 2c AND Key rotation member runbook step 2c
• process-all-and-propose — ✅ Has --unsigned note in Fresh DKG member runbook step 4 AND Key rotation member runbook step 4
• approve-upgrade — ❌ No --unsigned mention (appears in the Upgrade process section, step 3)
• reject-upgrade — ❌ No --unsigned mention (appears in the Upgrade process section, step 3)
• authorize-upgrade — ❌ No --unsigned mention (appears in the Upgrade process section, step 4)

Specific updates needed:

1. Upgrade process — Member step 3 (approve or reject)

In the "Upgrade member runbook" step 3, after the approve-upgrade and reject-upgrade commands, add a note about --unsigned. Currently the section shows:

cargo run --bin seal-committee-cli -- approve-upgrade

and

cargo run --bin seal-committee-cli -- reject-upgrade

Add after each (or as a combined note after both):

Use --unsigned to print the unsigned transaction data. Sign and execute the transaction elsewhere to complete this step.

2. Upgrade process — Coordinator step 4 (authorize upgrade)

In the "Upgrade coordinator runbook" step 4, after the authorize-upgrade command:

cargo run --bin seal-committee-cli -- authorize-upgrade --digest <UPGRADE_DIGEST>

Add:

Use --unsigned to print the unsigned transaction data. Sign and execute the transaction elsewhere to complete this step.

3. init-rotation command (Key rotation coordinator runbook step 2)

The PR mentions "all on-chain CLI operations." The init-rotation command is an on-chain operation. Currently no --unsigned note exists for it. Similarly, publish-and-init in the Fresh DKG coordinator runbook step 2 is an on-chain operation.

Add after the init-rotation command block:

Use --unsigned to print the unsigned transaction data. Sign and execute the transaction elsewhere to complete this step.

Add after the publish-and-init command block (Fresh DKG coordinator runbook step 2):

Use --unsigned to print the unsigned transaction data. Sign and execute the transaction elsewhere to complete this step.

Summary

The page partially covers --unsigned (for genkey-and-register and process-all-and-propose) but is missing it for approve-upgrade, reject-upgrade, authorize-upgrade, init-rotation, and publish-and-init — all of which are on-chain CLI operations that should support the flag per this PR.

---

This PR was automatically generated by the Docs Impact Monitor. Please review the changes carefully before merging.

Each file edit was generated by Claude based on the release notes and a review of the existing documentation content.

[jessiemongeon1]

Style Guide Audit

Audited 3 file(s) against the Sui Documentation Style Guide.

3 violation(s) found. All must be fixed before merge.

docs/content/SealCLI.mdx (3 violation(s))

3 violation(s) (3 regex, 0 claude)

• Line 190 — "on-chain" is one word → "onchain"
  • Current: on-chain
  • Fix: onchain
• Line 196 — "on-chain" is one word → "onchain"
  • Current: on-chain
  • Fix: onchain
• Line 244 — "on-chain" is one word → "onchain"
  • Current: on-chain
  • Fix: onchain

---

Automated audit using the Sui Documentation Style Guide.