2 tools are needed
There needs to be an issuer tool which issuers can use to check the TokenScript sanity and sign it, like:
- On a basic level, the TokenScript satisfies the schema;
- Whether or not the contracts in it exists;
- Whether or not the attributes used in actions are defined somewhere;
Signing (read the docs on the keys)
- generate an express-of-trust address for a signing key
- checking the reputation key matches the certificate
- checking the certificate is not a CDN certificate
- signing with both keys (or only one, if only one is provided)
- signing manifest (linked resources)
- make sure all linked resources integrity is checked
- make sure all cards are individually signed (so that the deployment can only deploy some cards related to the operations needed)
website builders tool
There needs to be a website builder's tool to:
- Make sure the tokenscript is properly signed and integral
- Obtain signing information (like whether or not all transactions are trusted)
- Trim a tokenscript for the functions needed for the web builder
- Generate customised per-deployment version of the bootstrap JS library
- Check a specific webpage with TS deployed to find out if the TS is properly deployed
- Check if there are newer versions of TS for redeployment
What language to use
However, I'm not so sure of the issuer tool.
It makes it possible to merge these two tools (issuer tool + web builder tool) into one command-line utility or library. Otherwise, some functionalities will duplicate in 2 languages. e.g. integrity check and deriving express-of-trust address.
Reasons to prefer Java for issuer tool
Traditionally much cryptographic stuff is done in Java and @jot2re can develop this. Otherwise, we will have to delegate the tool development to some JS developers that I'm not entirely sure of.
Implications of the decision if we go with Java
- If we go with Java, the reusable part of the code† can go to a library in Maven repository to be sourced in Android
- The reusable part for Android is mostly TokenScript checking and validation, but the Signing is reusable as IntelliJ plugin too, and replace part of the existing tool.