This document is for repository maintenance. It is not required for normal package use.
npm run prepare:wasm
npm run build:wasm:prepared:lite
npm run build:wasm:prepared:full
npm run build:wasm:prepared:verification
npm run build:wasm:prepared
npm run build:js
npm run build:verification:v6
npm run build:bytecode-verifiers
npm run inspect:reference-artifact -- --artifact ./reference.json --fail-on-warning
npm run buildprepare:wasm may download or update the pinned Sui source, create a disposable patched worktree, generate compatibility stubs and vendor patches, install the matching local wasm-bindgen, remove stale patch state at startup, and write .sui-build/patch-state.json after successful preparation.
Prepared build scripts consume existing prepared state:
build:wasm:prepared:litewritesdist/lite.build:wasm:prepared:fullwritesdist/full.build:wasm:prepared:verificationwritesdist/verification.build:verification:v6writes decoded-bytecode-version 6 verifier files underdist/verification/v6/classicanddist/verification/v6/v7source-2024.inspect:reference-artifactdecodes caller-provided reference artifact headers for fixture review. Use--fail-on-warningbefore promoting a fixture.buildruns WASM preparation, JS build, and bundled bytecode verifier builds.
Full builds run a Binaryen wasm-opt strip pass after wasm-bindgen. Set WASM_OPT=/path/to/wasm-opt if it is not on PATH, or set SUI_WASM_SKIP_WASM_OPT=1 to build without that size pass. Set SUI_WASM_STRICT_OFFLINE=1 when you want Cargo to fail instead of reaching the network.
| Path | Role |
|---|---|
.sui-build/source/ |
Pristine Sui checkout at the commit in sui-version.json |
.sui-build/work/ |
Disposable worktree where sui-move-wasm is overlaid and patches are applied |
.sui-build/generated/stubs/ |
Generated WASM compatibility stub crates |
.sui-build/generated/vendor/ |
Vendored dependency sources that need local WASM patching |
.sui-build/generated/local-bin/ |
Local build tools such as pinned wasm-bindgen |
.sui-build/patch-state.json |
Successful prepare marker checked by prepared builds |
dist/full, dist/lite, dist/verification |
Generated package artifacts |
dist/verification/v6/classic |
Generated classic verifier artifact for decoded bytecode version 6 |
dist/verification/v6/v7source-2024 |
Generated v7-source verifier artifact that can emit decoded bytecode version 6 |
Only edit tracked project sources such as src/, sui-move-wasm/, and scripts/compat/. .sui-build/ is ignored build/cache state and can be removed with npm run clean together with dist/. Set SUI_SOURCE_DIR or SUI_WORK_DIR only when intentionally moving those directories.
The active scripts/compat/ directory is the WASM compatibility overlay for the pinned Sui version. Its manifest.json is checked by prepare:wasm. Missing required compat files are prepare failures.
For an intentional build against another Sui source version, override it explicitly:
SUI_VERSION=1.x.y SUI_TAG=mainnet-v1.x.y npm run build:wasm
# or, when calling the low-level script directly:
node scripts/build-wasm.mjs --sui-version 1.x.y --sui-tag mainnet-v1.x.ynpm run typecheck
npm run lint
npm run format:check
npm test
npm run test:parity
npm run test:audit
npm run test:browser
node test/integration/run.mjs semantic
node test/integration/run.mjs doc-freshness
node test/integration/run.mjs cli-pipeline-tableRun npm run build first when a check needs generated dist/ artifacts.
The local Sui CLI must be installed or selected with SUI_CLI for CLI comparison checks. A version difference from sui-version.json is a warning and comparison risk, not a reason to accept mismatched output.
Before publishing or deploying a browser app that uses the verification entry, confirm the package or deploy artifact includes the routed verifier assets:
dist/verification/v6/classic/sui_move_wasm.jsdist/verification/v6/classic/sui_move_wasm_bg.wasmdist/verification/v6/v7source-2024/sui_move_wasm.jsdist/verification/v6/v7source-2024/sui_move_wasm_bg.wasm
When checking npm package contents locally, npm pack --dry-run --json --cache /private/tmp/sui-move-builder-npm-cache avoids relying on a user-global npm cache. Consumer web-app deploy artifacts may rewrite the prefix, but the v6/classic and v6/v7source-2024 route files must remain reachable next to the emitted verification entry chunk.
For browser deploy checks, request the routed verifier JS and adjacent WASM URLs directly and confirm successful responses. The .wasm responses should use Content-Type: application/wasm. The loader retries transient route JS and WASM fetch failures, including provider or cache warmup 503 responses, but 404 remains a deployment error.
Useful environment variables:
SUI_CLI=/path/to/suiselects the local Sui CLI binary.BROWSER_BIN=/path/to/chromeselects the browser binary fortest:browser.SUI_PARITY_LIMIT=10changes the number of auto-discovered examples.SUI_PARITY_MIN_MOVE_FILES=3requires larger multi-file examples.
Checks run serially because .sui-build, dist, and Sui CLI cache state are shared.
Use scripts/verification/prove-bytecode-verifier-fixture.mjs when promoting a decoded-bytecode-version verifier fixture. The proof output includes:
fixture: the mainnet transaction, intent, and pinned source location being checked.verifier: the selected verifier ID, dist path, Sui source version, and public export surface.dependencySource: the Sui source checkout used for framework dependencies.referenceInspection: header inspection output frominspect:reference-artifact.resultandfullResult: summarized and complete verifier outputs.okanderrors: the promotion gate result.
Proof fails when referenceInspection.warnings is non-empty. A promoted knownFixtures entry must record the warning-free inspection summary and expected verified + exact_bytecode_match result.
Use --refresh-fixture to rebuild a known fixture proof from its pinned GitHub source and transaction digest into .sui-build/bytecode-verifier-proof-runs/ instead of reusing an existing proof cache.
CLI comparison checks use the installed Sui CLI, or the binary selected by SUI_CLI. They fail when the CLI is missing. They warn when the CLI version differs from sui-version.json.
The parity checks compare covered packages and scenarios only. They do not patch outputs or maintain expected-result snapshots.
Available groups:
| Command | Role |
|---|---|
npm test |
Runtime, semantic, and configured comparison checks |
npm run test:parity |
Compare Sui CLI output with full and lite WASM outputs |
npm run test:audit |
Compare selected CLI artifacts and verification references |
npm run test:browser |
Optional browser smoke test |
npm run dev:browser-parity |
Interactive browser build and local CLI comparison page |
node test/integration/run.mjs semantic |
Runtime and semantic checks without CLI comparison |
node test/integration/run.mjs output-deps |
One integration case |
Audit groups:
audit buildrunssui move build --path <package> --install-dir <output>, converts generated.mvartifacts to base64, runs the low-level WASM compile binding with publish intent, and compares module bytecode.audit upgradeis a non-verification root-as-zero compile comparison harness forprepareMovePackageUpgrade; it still uses dump output and must not be treated as upgrade transaction.mvproof. Verification audits do not use dump output as an upgrade reference. Real Sui CLI upgrade.mvcomparison requires caller-provided upgrade inputs such asupgradeCapabilityand any required sender or gas fields so the helper can runsui client upgrade --install-dir.audit transactionuses Sui RPC and GitHub access to fetch configured publish or upgrade transactions, extracts the singlePublishorUpgradecommand payload, passes that kind as verificationintent, and rebuilds the configured GitHub source commit through the verification artifact.audit github-binaryuses GitHub API and raw file access to fetch configured committed.mvartifacts, requires each artifact to declarepublishorupgradeintent, rebuilds the same source commit through the verification artifact, and records bytecode diff summaries plus the expected verification status.
For manual browser comparison, run npm run dev:browser-parity and open the printed local URL. The page loads a package from the pinned Sui examples, a local package path, or a GitHub repository; builds it with the selected browser WASM artifact; asks the local server to build the same package with sui move build --dump-bytecode-as-base64 --path <package>; and compares module bytecode, dependency IDs, and digest.
Do not commit generated .sui-build/ state or dist/ artifacts unless a task explicitly requires generated output to be committed.
The repository keeps upstream Sui source pristine. Patches and generated compatibility state belong in the disposable build paths created by prepare:wasm.
When changing README.md, VERIFICATION.md, PACKAGE_BEHAVIOR.md, DEVELOPMENT.md, CLI_PIPELINE.md, or AGENTS.md, run:
node test/integration/run.mjs doc-freshness
node test/integration/run.mjs cli-pipeline-tableKeep documentation limited to current behavior, current limitations, and verified checks. Do not add work logs or retrospective notes.
For Sui version updates, follow AGENTS.md. For decoded bytecode version records used by verification, see BYTECODE_VERSION_HISTORY.md and scripts/verification/bytecode-version-sources.json.
Builder updates track the pinned Sui CLI/source version in sui-version.json. Refresh and test the active compat overlay during prepare:wasm, then reuse the prepared worktree for lite, full, verification, and release checks.
Verification routing is decoded-bytecode-version-first. When a Sui source update keeps decoded bytecode version and serialization behavior unchanged, update the current verifier with the builder. When either changes, preserve the previous verifier as a bytecode verifier and pin the Sui tag/commit that represents that decoded bytecode version in scripts/verification/bytecode-verifiers.json.
If several Sui releases were skipped, regenerate upstream tag inventory with npm run inventory:sui-tags, analyze decoded bytecode version changes with npm run analyze:bytecode-versions, and restore any missing verifier that changes verification evidence.