CLI Reference
All shyware server binaries and operator tools accept --help for flag documentation. Flags can be overridden by SHYWARE_* environment variables (see protocol/config).
shyvoting-abci
The voting and governance ABCI application server. Connects to CometBFT via the ABCI socket protocol.
shyvoting-abci \
--addr tcp://0.0.0.0:26658 \
--chain-id shyvoting-1 \
--db-path /opt/shyvoting/data \
--db-name shyvoting \
--app-name "My Deployment" \
--kms-key-id arn:aws:kms:us-east-1:123:key/abc \ # AWS KMS key for KMS attestation
--zk-vk-path /opt/shyvoting/nullifier_vk.bin # optional: ZK tier verifying key
Omit --kms-key-id to run with a local software signer (dev only). Omit --zk-vk-path to disable the ZK tier.
shyvoting-api
HTTP API server for shyvoting. Proxies CometBFT RPC and manages the off-chain receipt store.
shyvoting-api \
--cometbft-rpc http://127.0.0.1:26657 \
--port 8080 \
--service-name shyvoting-api \
--db-url postgresql://root@localhost:26257/shyvoting \
--firebase-creds /opt/shyvoting/firebase.json
--db-url accepts any Postgres-compatible connection string (postgresql://, postgres://). Empty → write-only posture (no off-chain receipt store). --firebase-creds empty → no authentication enforced (dev only).
Lambda variant
# Build for Lambda (ARM64)
GOOS=linux GOARCH=arm64 go build -o bootstrap ./cmd/shyvoting-api-lambda/
zip bootstrap.zip bootstrap
aws lambda update-function-code --function-name shyvoting-api --zip-file fileb://bootstrap.zip
shyvoting-api-lambda wraps the same HTTP handler with algnhsa for AWS Lambda + API Gateway deployments.
shyvoting-relay
Relay server for batch-queue submission dispatch. Queues ballot submissions and flushes them to the canonical API in configurable batches, providing cover traffic timing separation.
shyvoting-relay \
--upstream http://127.0.0.1:8080 \
--port 8081
Routes: POST /relay/ballots, POST /relay/polls/{id}/flush, GET /relay/polls/{id}/count. The relay server does not hold canonical state — it forwards to the upstream shyvoting-api on flush.
shyvoting-verify
Standalone offline tally verifier. Fetches the tally from any shyvoting API, verifies the KMS signature, and prints a human-readable result. Exit 0 on pass, exit 2 on failure.
shyvoting-verify \
--api http://localhost:8080 \
--poll proposal-42 \
--name "My Deployment"
# Output:
# My Deployment Tally Verifier — poll: proposal-42
# Total votes: 1247
# Signature: VALID
# Confirmed: 1201 / 1247
No credentials required. Any party with network access to the API can verify the tally independently.
zk-setup
One-time Groth16 trusted setup for the shyvoting NullifierCircuit. Produces the proving key (for clients) and verifying key (for validators).
go run ./cmd/zk-setup \
-pk nullifier_pk.bin \
-vk nullifier_vk.bin \
-name shyvoting
Warning: Single-party setup is dev-only. For production, run a Groth16 MPC Phase 2 ceremony over a universal SRS (e.g. Hermez Perpetual Powers of Tau).
After setup:
- Copy
nullifier_vk.binto/opt/<deployment>/nullifier_vk.binon each validator - Start
shyvoting-abciwith--zk-vk-path /opt/<deployment>/nullifier_vk.bin - Embed
nullifier_pk.binin iOS/Android/web client builds
zk-prover-wasm
Compiles the Groth16 NullifierCircuit prover to WebAssembly for use in browser and React Native clients.
GOOS=js GOARCH=wasm go build -o nullifier_prover.wasm ./cmd/zk-prover-wasm/
The compiled WASM is loaded by sdk/web/zkpClient.js via initZKProver. This is the browser-side proving path for the ZK tier; the verifying key is held by the ABCI node.
shyvoting-affinities
Ballot affinity analysis service. Indexes anonymized tally data and projects alignment scores across proposals and voter cohorts for the operator's public analytics surface.
This binary is built from the analytics module — a separate Go module within the community server repo:
Go module: github.com/ShywareLLC/community/analytics
Repo path: ShywareLLC/community/analytics/
It is an optional companion to shyvoting-abci and is not required for the core protocol. Community-tier deployments get it hosted. Self-hosted operators include it by pulling the community repo and running:
go build ./ShywareLLC/community/analytics/cmd/shyvoting-affinities/
Or with the Go workspace already configured:
go build github.com/ShywareLLC/community/analytics/cmd/shyvoting-affinities
At runtime:
shyvoting-affinities \
--config config/config.yaml \
--http-addr :9090
Reads from CockroachDB (the off-chain reconcile store event stream). Does not read canonical ledger state directly. The analytics query API at --http-addr exposes aggregate affinity projections — no individual ballot direction is exposed.
house-onboard (shyshares)
Custody consortium onboarding utility. Registers an organization, its members, and initial voting weights in a shyshares deployment.
go run ./embodiments/shyshares/cmd/house-onboard \
--api http://localhost:8080 \
--org-id dao-main \
--org-name "Main DAO" \
--members members.json \
--auth-token $OPERATOR_TOKEN
members.json format:
[
{ "account_commitment": "<H(wallet)>", "voting_weight": 1500, "roles": ["member"] },
{ "account_commitment": "<H(wallet)>", "voting_weight": 500, "roles": ["member", "admin"] }
]