@aikdna/kdna-cli 0.12.0 → 0.14.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aikdna/kdna-cli",
-  "version": "0.12.0",
+  "version": "0.14.0",
   "description": "KDNA CLI — create, validate, install, and manage domain cognition packages for AI agents.",
   "type": "commonjs",
   "bin": {

package/src/cli.js

@@ -7,7 +7,7 @@
  */
 
 const { error, EXIT, setQuiet, setExitCodeOnly } = require('./cmds/_common');
-const { cmdValidate, cmdPack, cmdUnpack, cmdInspect } = require('./cmds/domain');
+const { cmdValidate, cmdPack, cmdPackEncrypt, cmdUnpack, cmdUnpackEncrypt, cmdInspect } = require('./cmds/domain');
 const { cmdList, cmdRegistry } = require('./cmds/registry');
 const {
   cmdCompare,
@@ -24,6 +24,7 @@ const { cmdIdentity } = require('./cmds/identity');
 const { cmdSetup } = require('./cmds/setup');
 const { cmdDoctor } = require('./cmds/doctor');
 const { cmdTrace, cmdHistory } = require('./cmds/trace');
+const { cmdLicenseGenerate, cmdLicenseVerify, cmdLicenseBind, cmdLicenseShow } = require('./cmds/license');
 const { cmdPreview, cmdProject, cmdEval, cmdExport, cmdDemo } = require('./cmds/legacy');
 const { cmdStudioScaffold, cmdCardsValidate, cmdLockVerify, cmdStudioCompile, cmdStudioReadiness } = require('./cmds/studio');
 const { cmdTestRun, cmdTestImport } = require('./cmds/test');
@@ -54,7 +55,9 @@ Domain Authoring:
   validate <path>                  Validate domain structure
   validate --schema <path>         Schema-only validation
   pack <path>                      Pack into .kdna container
+  pack <path> --encrypt --license <file>   Pack encrypted .kdnae container
   unpack <file>                    Unpack .kdna container
+  unpack <file> --license <file>   Unpack encrypted .kdnae container
   inspect <path>                   Inspect domain or .kdna file
   publish <path>                   Pack + sign + publish
   publish --check <path>           Quality gate check only
@@ -80,6 +83,8 @@ Testing & Verification:
   verify <name>                    3-layer: structure + trust + judgment
   verify <name> --judgment --run-tests  Judgment validation with eval cases
   compare <name> --input "..."     With/without KDNA reasoning diff
+  compare <name> --input "..." --report-md     Markdown report format
+  compare <name> --input "..." --report-json   JSON report with scoring
   diff <name>@<v1> <name>@<v2>     Judgment-level diff between versions
   test run <name> --input <file>   Record test result against domain
   test import <run> --as-eval      Convert test result to eval card
@@ -131,6 +136,12 @@ Trace & Diagnostics:
   trace [--json] [--since 7d] [--export <file>]  Agent judgment trace
   history [--stats] [--domain <name>] [--agent <name>]  Recent usage
 
+License & Authorization:
+  license generate <domain> --to <email>   Generate signed license
+  license verify <license.json>            Verify license signature
+  license bind <license.json>              Bind license to this machine
+  license show <license.json>              Display license details
+
 Flags:
   --json                           Structured JSON output (machine-readable)
   --quiet                          Suppress non-error output
@@ -165,13 +176,21 @@ switch (cmd) {
       }
     }
     if (!target) error('Usage: kdna pack <path>');
-    cmdPack(target, output);
+    if (args.includes('--encrypt')) {
+      cmdPackEncrypt(target, args);
+    } else {
+      cmdPack(target, output);
+    }
     break;
   }
   case 'unpack': {
     const target = args[1];
-    if (!target) error('Usage: kdna unpack <file.kdna>');
-    cmdUnpack(target, args.includes('--force'));
+    if (!target) error('Usage: kdna unpack <file.kdna|file.kdnae>');
+    if (target.endsWith('.kdnae')) {
+      cmdUnpackEncrypt(target, args);
+    } else {
+      cmdUnpack(target, args.includes('--force'));
+    }
     break;
   }
   case 'preview': {
@@ -406,6 +425,29 @@ switch (cmd) {
     cmdHistory(args);
     break;
   }
+  case 'license': {
+    const sub = args[1];
+    const rest = args.slice(2);
+    if (sub === 'generate') {
+      cmdLicenseGenerate(rest);
+    } else if (sub === 'verify') {
+      cmdLicenseVerify(rest);
+    } else if (sub === 'bind') {
+      cmdLicenseBind(rest);
+    } else if (sub === 'show') {
+      cmdLicenseShow(rest);
+    } else {
+      error(
+        'Usage:\n' +
+          '  kdna license generate <domain> --to <email> [--expires <date>]\n' +
+          '  kdna license verify <license.json>\n' +
+          '  kdna license bind <license.json>\n' +
+          '  kdna license show <license.json>',
+        EXIT.INPUT_ERROR,
+      );
+    }
+    break;
+  }
   case 'identity': {
     cmdIdentity(args);
     break;

package/src/cmds/_common.js

@@ -57,8 +57,9 @@ Usage:
   kdna validate <path>          Validate a domain directory
   kdna validate --schema <path>   ...with JSON Schema
   kdna pack <path>              Pack a domain folder into a .kdna container
+  kdna pack <path> --encrypt --license <file>   Pack encrypted .kdnae container
   kdna pack --output <dir> <path>   Output .kdna to specific directory
-  kdna unpack <path>            Unpack a .kdna container to a folder
+  kdna unpack <path>            Unpack a .kdna or .kdnae container to a folder
   kdna inspect <path>           Inspect a domain directory or .kdna file
   kdna publish <path>           Pack + sign + output registry patch
   kdna publish <path> --release-tag <tag> --repo <o/r>   ...also upload to GitHub

package/src/cmds/domain.js

@@ -2,6 +2,14 @@ const fs = require('fs');
 const path = require('path');
 const { execSync } = require('child_process');
 const { error, readJson, writeJson, EXIT } = require('./_common');
+const {
+  encrypt,
+  decrypt,
+  deriveKey,
+  machineFingerprint,
+  isEncryptable,
+  ENCRYPTED_FILES,
+} = require('./encrypt');
 
 // ─── Validate ────────────────────────────────────────────────────────
 
@@ -707,9 +715,238 @@ function cmdInspect(dir, jsonMode = false) {
   console.log('═'.repeat(50));
 }
 
+// ─── Encrypted Container (.kdnae) ─────────────────────────────────────
+
+function cmdPackEncrypt(dir, args = []) {
+  const abs = path.resolve(dir);
+  if (!fs.existsSync(abs) || !fs.statSync(abs).isDirectory()) {
+    error(`Not a directory: ${abs}`, EXIT.INPUT_ERROR);
+  }
+
+  const core = readJson(path.join(abs, 'KDNA_Core.json'));
+  const pat = readJson(path.join(abs, 'KDNA_Patterns.json'));
+  if (!core) error('KDNA_Core.json not found or invalid');
+  if (!pat) error('KDNA_Patterns.json not found or invalid');
+
+  const domainName = core.meta?.domain || path.basename(abs);
+
+  let manifest = readJson(path.join(abs, 'kdna.json'));
+  if (!manifest) {
+    const jsonCount = fs.readdirSync(abs).filter(f => f.endsWith('.json') && f !== 'kdna.json').length;
+    manifest = {
+      kdna_spec: '1.0-rc',
+      name: domainName,
+      version: core.meta?.version || '0.1.0',
+      status: 'experimental',
+      access: 'licensed',
+      language: 'en',
+      author: { name: '', id: '' },
+      license: { type: 'KCL-1.0' },
+      description: core.meta?.purpose || `${domainName} domain cognition`,
+      file_count: jsonCount,
+      created: new Date().toISOString().slice(0, 10),
+      updated: new Date().toISOString().slice(0, 10),
+    };
+    writeJson(path.join(abs, 'kdna.json'), manifest);
+  }
+
+  // Get encryption key
+  const licenseIdx = args.indexOf('--license');
+  const keyIdx = args.indexOf('--key');
+  let encKey;
+
+  if (licenseIdx >= 0) {
+    const licensePath = args[licenseIdx + 1];
+    if (!licensePath || !fs.existsSync(licensePath)) error('License file not found', EXIT.INPUT_ERROR);
+    const license = JSON.parse(fs.readFileSync(licensePath, 'utf8'));
+    const licenseKey = license.license_id;
+    const fp = machineFingerprint();
+    encKey = deriveKey(licenseKey, fp);
+  } else if (keyIdx >= 0) {
+    const rawKey = args[keyIdx + 1];
+    if (!rawKey) error('--key requires a value', EXIT.INPUT_ERROR);
+    encKey = deriveKey(rawKey, machineFingerprint());
+  } else {
+    error('Use --license <license.json> or --key <secret> to provide encryption key', EXIT.INPUT_ERROR);
+  }
+
+  const outputDir = args.includes('--output') ? args[args.indexOf('--output') + 1] : null;
+  const outName = `${domainName}.kdnae`;
+  const outPath = outputDir ? path.join(outputDir, outName) : path.join(process.cwd(), outName);
+  if (outputDir && !fs.existsSync(outputDir)) fs.mkdirSync(outputDir, { recursive: true });
+
+  // Build encrypted ZIP
+  const zlib = require('zlib');
+  const files = fs.readdirSync(abs).filter(f => {
+    if (f.startsWith('.')) return false;
+    const ext = path.extname(f);
+    return ext === '.json' || f === 'README.md' || f === 'LICENSE' || f === 'kdna.json';
+  });
+
+  const centralDir = [];
+  const fileData = [];
+  let offset = 0;
+
+  for (const f of files.sort()) {
+    let raw = fs.readFileSync(path.join(abs, f));
+    let storedName = f;
+
+    if (isEncryptable(f)) {
+      try {
+        const encrypted = encrypt(raw.toString('utf8'), encKey);
+        raw = encrypted;
+        storedName = f; // Keep original name, content is encrypted
+      } catch (err) {
+        error(`Failed to encrypt ${f}: ${err.message}`);
+      }
+    }
+
+    const crc = crc32(raw);
+    const compressed = zlib.deflateRawSync(raw);
+    const useStore = compressed.length >= raw.length;
+    const stored = useStore ? raw : compressed;
+
+    const nameBytes = Buffer.from(storedName, 'utf8');
+    const localHeader = Buffer.alloc(30);
+    localHeader.writeUInt32LE(0x04034b50, 0);
+    localHeader.writeUInt16LE(20, 4);
+    localHeader.writeUInt16LE(0x0800, 6);
+    localHeader.writeUInt16LE(useStore ? 0 : 8, 8);
+    localHeader.writeUInt32LE(crc, 14);
+    localHeader.writeUInt32LE(useStore ? raw.length : compressed.length, 18);
+    localHeader.writeUInt32LE(raw.length, 22);
+    localHeader.writeUInt16LE(nameBytes.length, 26);
+
+    fileData.push(Buffer.concat([localHeader, nameBytes, stored]));
+    offset += localHeader.length + nameBytes.length + stored.length;
+
+    const cdEntry = Buffer.alloc(46);
+    cdEntry.writeUInt32LE(0x02014b50, 0);
+    cdEntry.writeUInt16LE(20, 4);
+    cdEntry.writeUInt16LE(20, 6);
+    cdEntry.writeUInt16LE(0x0800, 8);
+    cdEntry.writeUInt16LE(useStore ? 0 : 8, 10);
+    cdEntry.writeUInt32LE(crc, 16);
+    cdEntry.writeUInt32LE(useStore ? raw.length : compressed.length, 20);
+    cdEntry.writeUInt32LE(raw.length, 24);
+    cdEntry.writeUInt16LE(nameBytes.length, 28);
+    cdEntry.writeUInt32LE(offset - stored.length - nameBytes.length - localHeader.length, 42);
+    centralDir.push(Buffer.concat([cdEntry, nameBytes]));
+  }
+
+  const cdOffset = offset;
+  const cdSize = centralDir.reduce((s, e) => s + e.length, 0);
+  const eocd = Buffer.alloc(22);
+  eocd.writeUInt32LE(0x06054b50, 0);
+  eocd.writeUInt16LE(0, 4);
+  eocd.writeUInt16LE(0, 6);
+  eocd.writeUInt16LE(files.length, 8);
+  eocd.writeUInt16LE(files.length, 10);
+  eocd.writeUInt32LE(cdSize, 12);
+  eocd.writeUInt32LE(cdOffset, 16);
+  eocd.writeUInt16LE(0, 20);
+
+  const all = Buffer.concat([...fileData, ...centralDir, eocd]);
+  fs.writeFileSync(outPath, all);
+
+  console.log(`✓ Encrypted pack: ${outPath}`);
+  console.log(`  Domain: ${domainName} v${manifest.version}`);
+  console.log(`  Files: ${files.length} (${files.filter(isEncryptable).length} encrypted, ${files.filter(f => !isEncryptable(f)).length} plaintext)`);
+  console.log(`  Container: AES-256-GCM .kdnae`);
+}
+
+function cmdUnpackEncrypt(filePath, args = []) {
+  const abs = path.resolve(filePath);
+  if (!fs.existsSync(abs) || !fs.statSync(abs).isFile()) {
+    error(`Not a file: ${abs}`, EXIT.INPUT_ERROR);
+  }
+  if (!abs.endsWith('.kdnae')) {
+    error(`Not a .kdnae file: ${abs}`, EXIT.INPUT_ERROR);
+  }
+
+  const licenseIdx = args.indexOf('--license');
+  const keyIdx = args.indexOf('--key');
+  let encKey;
+
+  if (licenseIdx >= 0) {
+    const licensePath = args[licenseIdx + 1];
+    if (!licensePath || !fs.existsSync(licensePath)) error('License file not found', EXIT.INPUT_ERROR);
+    const license = JSON.parse(fs.readFileSync(licensePath, 'utf8'));
+    const licenseKey = license.license_id;
+    const fp = machineFingerprint();
+    encKey = deriveKey(licenseKey, fp);
+  } else if (keyIdx >= 0) {
+    const rawKey = args[keyIdx + 1];
+    if (!rawKey) error('--key requires a value', EXIT.INPUT_ERROR);
+    encKey = deriveKey(rawKey, machineFingerprint());
+  } else {
+    error('Use --license <license.json> or --key <secret> to decrypt', EXIT.INPUT_ERROR);
+  }
+
+  const domainName = path.basename(abs, '.kdnae');
+  const outDir = path.join(path.dirname(abs), domainName);
+  const force = args.includes('--force');
+
+  if (fs.existsSync(outDir)) {
+    if (!force) error(`Directory already exists: ${outDir}\nUse --force to overwrite.`, EXIT.INPUT_ERROR);
+    fs.rmSync(outDir, { recursive: true, force: true });
+  }
+  fs.mkdirSync(outDir, { recursive: true });
+
+  // Extract ZIP first, then decrypt KDNA JSON files
+  const os = require('os');
+  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'kdnae-unpack-'));
+
+  try {
+    const tmpPy = path.join(os.tmpdir(), `kdnae-unpack-${Date.now()}.py`);
+    try {
+      const script = `import zipfile, os
+zf = zipfile.ZipFile(${JSON.stringify(abs)}, 'r')
+zf.extractall(${JSON.stringify(tmpDir)})
+zf.close()
+`;
+      fs.writeFileSync(tmpPy, script);
+      execSync(`python3 ${tmpPy}`, { stdio: 'pipe' });
+    } catch {
+      try { execSync(`unzip -q -o "${abs}" -d "${tmpDir}"`, { stdio: 'pipe' }); }
+      catch { error('Cannot unpack .kdnae container'); }
+    } finally {
+      try { fs.unlinkSync(tmpPy); } catch { /* cleanup */ }
+    }
+
+    // Copy plaintext files, decrypt KDNA files
+    const extracted = fs.readdirSync(tmpDir);
+    for (const f of extracted) {
+      const src = path.join(tmpDir, f);
+      const dest = path.join(outDir, f);
+
+      if (ENCRYPTED_FILES.includes(f)) {
+        try {
+          const encrypted = fs.readFileSync(src);
+          const decrypted = decrypt(encrypted, encKey);
+          fs.writeFileSync(dest, decrypted);
+        } catch (err) {
+          error(`Failed to decrypt ${f}: ${err.message}. Wrong license key?`);
+        }
+      } else {
+        fs.copyFileSync(src, dest);
+      }
+    }
+  } finally {
+    try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch { /* cleanup */ }
+  }
+
+  console.log(`✓ Decrypted: ${outDir}`);
+  const files = fs.readdirSync(outDir);
+  console.log(`  Files: ${files.length}`);
+  files.forEach(f => console.log(`    ${f}`));
+}
+
 module.exports = {
   cmdValidate,
   cmdPack,
+  cmdPackEncrypt,
   cmdUnpack,
+  cmdUnpackEncrypt,
   cmdInspect,
 };

package/src/cmds/encrypt.js

@@ -0,0 +1,190 @@
+/**
+ * KDNA Encryption — Encrypted container format (.kdnae) for licensed domains.
+ *
+ * .kdnae extends .kdna with AES-256-GCM encryption on KDNA JSON files.
+ * The kdna.json manifest and license.json stay in plaintext for discovery.
+ *
+ * Encryption key is derived via PBKDF2 from:
+ *   license_key + machine_fingerprint
+ *
+ * This module provides pure-crypto functions (no filesystem I/O).
+ * File operations are in domain.js (pack/unpack) and install.js.
+ */
+
+const crypto = require('crypto');
+
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 16; // 96-bit IV for GCM
+const TAG_LENGTH = 16; // 128-bit auth tag
+const SALT_LENGTH = 32;
+const PBKDF2_ITERATIONS = 600000;
+const KEY_LENGTH = 32; // AES-256
+
+// Files in a .kdna container that get encrypted (JSON content only)
+const ENCRYPTED_FILES = [
+  'KDNA_Core.json',
+  'KDNA_Patterns.json',
+  'KDNA_Scenarios.json',
+  'KDNA_Cases.json',
+  'KDNA_Reasoning.json',
+  'KDNA_Evolution.json',
+];
+
+// Files that always stay in plaintext
+const PLAINTEXT_FILES = ['kdna.json', 'license.json', 'README.md', 'LICENSE', 'signature.json'];
+
+function isEncryptable(filename) {
+  return ENCRYPTED_FILES.includes(filename);
+}
+
+// ─── Machine Fingerprint ────────────────────────────────────────────────
+
+function machineFingerprint() {
+  const os = require('os');
+  const parts = [os.hostname(), os.userInfo().uid.toString(), os.platform(), os.arch()];
+  // Try to get hardware UUID on macOS
+  try {
+    const { execSync } = require('child_process');
+    if (os.platform() === 'darwin') {
+      const uuid = execSync('ioreg -d2 -c IOPlatformExpertDevice | grep IOPlatformUUID', {
+        encoding: 'utf8',
+        timeout: 3000,
+      }).match(/"[A-F0-9-]{36}"/)?.[0]?.replace(/"/g, '');
+      if (uuid) parts.push(uuid);
+    }
+    if (os.platform() === 'linux') {
+      try {
+        const mid = require('fs').readFileSync('/etc/machine-id', 'utf8').trim();
+        if (mid) parts.push(mid);
+      } catch { /* ignore */ }
+    }
+  } catch { /* non-critical */ }
+  return crypto.createHash('sha256').update(parts.join('|')).digest('hex');
+}
+
+// ─── Key Derivation ─────────────────────────────────────────────────────
+
+function deriveKey(licenseKey, fingerprint) {
+  const salt = crypto.createHash('sha256').update(fingerprint || machineFingerprint()).digest();
+  return crypto.pbkdf2Sync(licenseKey, salt, PBKDF2_ITERATIONS, KEY_LENGTH, 'sha512');
+}
+
+// ─── Encrypt / Decrypt ──────────────────────────────────────────────────
+
+function encrypt(plaintext, key) {
+  const iv = crypto.randomBytes(IV_LENGTH);
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  // Format: iv (16) + tag (16) + ciphertext
+  return Buffer.concat([iv, tag, encrypted]);
+}
+
+function decrypt(encryptedData, key) {
+  if (encryptedData.length < IV_LENGTH + TAG_LENGTH) {
+    throw new Error('Invalid encrypted data: too short');
+  }
+  const iv = encryptedData.subarray(0, IV_LENGTH);
+  const tag = encryptedData.subarray(IV_LENGTH, IV_LENGTH + TAG_LENGTH);
+  const ciphertext = encryptedData.subarray(IV_LENGTH + TAG_LENGTH);
+  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
+}
+
+// ─── Encrypted Container Detection ──────────────────────────────────────
+
+function isEncryptedContainer(filePath) {
+  return filePath.endsWith('.kdnae');
+}
+
+// ─── License File ──────────────────────────────────────────────────────
+
+function createLicense(domain, options = {}) {
+  const {
+    issuedTo = 'licensee@example.com',
+    expiresAt = null,       // ISO date or null for perpetual
+    maxAgents = 1,
+    requireMachineBinding = true,
+    requireOnlineCheck = false,
+    offlineGraceDays = 7,
+  } = options;
+
+  const license = {
+    version: '1.0',
+    license_id: `lic_${crypto.randomBytes(8).toString('hex')}`,
+    domain,
+    issued_to: issuedTo,
+    issued_at: new Date().toISOString(),
+    expires_at: expiresAt,
+    max_agents: maxAgents,
+    require_machine_binding: requireMachineBinding,
+    require_online_check: requireOnlineCheck,
+    offline_grace_days: offlineGraceDays,
+    allowed_agents: options.allowedAgents || ['claude_code', 'codex', 'opencode'],
+  };
+
+  return license;
+}
+
+function verifyLicense(license, scopePubkey, fingerprint) {
+  const issues = [];
+
+  // Check expiration
+  if (license.expires_at) {
+    if (new Date(license.expires_at) < new Date()) {
+      issues.push('License has expired');
+    }
+  }
+
+  // Check machine binding
+  if (license.require_machine_binding) {
+    if (license.machine_fingerprint && license.machine_fingerprint !== fingerprint) {
+      issues.push('Machine fingerprint mismatch');
+    }
+  }
+
+  return {
+    valid: issues.length === 0,
+    issues,
+    domain: license.domain,
+    license_id: license.license_id,
+    issued_to: license.issued_to,
+  };
+}
+
+function signLicense(license, privateKeyPem) {
+  const { signature: _, ...payload } = license;
+  const data = JSON.stringify(payload, Object.keys(payload).sort());
+  // Use crypto.sign() for Ed25519 (supported via PEM keys)
+  const sig = crypto.sign(null, Buffer.from(data), privateKeyPem);
+  license.signature = `ed25519:${sig.toString('hex')}`;
+  return license;
+}
+
+function verifyLicenseSignature(license, publicKeyPem) {
+  const signature = license.signature?.replace('ed25519:', '') || '';
+  if (!signature) return false;
+  const { signature: _, ...payload } = license;
+  const data = JSON.stringify(payload, Object.keys(payload).sort());
+  try {
+    return crypto.verify(null, Buffer.from(data), publicKeyPem, Buffer.from(signature, 'hex'));
+  } catch {
+    return false;
+  }
+}
+
+module.exports = {
+  encrypt,
+  decrypt,
+  deriveKey,
+  machineFingerprint,
+  isEncryptable,
+  isEncryptedContainer,
+  createLicense,
+  verifyLicense,
+  signLicense,
+  verifyLicenseSignature,
+  ENCRYPTED_FILES,
+  PLAINTEXT_FILES,
+};

package/src/cmds/license.js

@@ -0,0 +1,178 @@
+/**
+ * KDNA License — Generate, verify, and manage domain licenses.
+ *
+ * Commands:
+ *   kdna license generate <domain> --to <email> [--expires <date>]
+ *   kdna license verify <license.json>
+ *   kdna license bind <license.json>
+ */
+
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+const { EXIT, error } = require('./_common');
+const { createLicense, signLicense, verifyLicense, verifyLicenseSignature, machineFingerprint } = require('./encrypt');
+
+const IDENTITY_DIR = path.join(process.env.HOME || process.env.USERPROFILE || '.', '.kdna', 'identity');
+const PRIVATE_KEY_PATH = path.join(IDENTITY_DIR, 'kdna.key');
+const PUBLIC_KEY_PATH = path.join(IDENTITY_DIR, 'kdna.pub');
+
+function readIdentity() {
+  if (!fs.existsSync(PRIVATE_KEY_PATH) || !fs.existsSync(PUBLIC_KEY_PATH)) {
+    error('No identity found. Run: kdna identity init', EXIT.INPUT_ERROR);
+  }
+  return {
+    privateKey: fs.readFileSync(PRIVATE_KEY_PATH, 'utf8'),
+    publicKey: fs.readFileSync(PUBLIC_KEY_PATH, 'utf8'),
+  };
+}
+
+function cmdLicenseGenerate(args) {
+  const domain = args[0];
+  if (!domain) error('Usage: kdna license generate <domain> --to <email> [--expires <date>] [--max-agents <n>]', EXIT.INPUT_ERROR);
+
+  const emailIdx = args.indexOf('--to');
+  const email = emailIdx >= 0 ? args[emailIdx + 1] : null;
+  if (!email) error('--to <email> is required', EXIT.INPUT_ERROR);
+
+  const expiresIdx = args.indexOf('--expires');
+  const expiresAt = expiresIdx >= 0 ? args[expiresIdx + 1] : null;
+
+  const agentsIdx = args.indexOf('--max-agents');
+  const maxAgents = agentsIdx >= 0 ? parseInt(args[agentsIdx + 1], 10) : 1;
+
+  const bindingIdx = args.includes('--no-binding');
+  const requireBinding = !bindingIdx;
+
+  const { privateKey, publicKey } = readIdentity();
+
+  const license = createLicense(domain, {
+    issuedTo: email,
+    expiresAt,
+    maxAgents,
+    requireMachineBinding: requireBinding,
+    allowedAgents: ['claude_code', 'codex', 'opencode', 'cursor', 'gemini'],
+  });
+
+  const signed = signLicense(license, privateKey);
+
+  const pubkey = crypto.createHash('sha256').update(publicKey).digest('hex').substring(0, 12);
+  signed.scope_pubkey_fingerprint = `ed25519:${pubkey}`;
+
+  const saveIdx = args.indexOf('--save');
+  const savePath = saveIdx >= 0 ? args[saveIdx + 1] : null;
+
+  console.log(JSON.stringify(signed, null, 2));
+
+  if (savePath) {
+    fs.writeFileSync(savePath, JSON.stringify(signed, null, 2) + '\n');
+    console.error(`Saved to: ${savePath}`);
+  }
+
+  console.error('');
+  console.error(`License generated for ${domain}`);
+  console.error(`  Issued to: ${email}`);
+  console.error(`  License ID: ${signed.license_id}`);
+  if (expiresAt) console.error(`  Expires: ${expiresAt}`);
+  console.error(`  Machine binding: ${requireBinding ? 'required' : 'disabled'}`);
+  console.error('');
+  console.error('Save this JSON as license.json inside the .kdnae container.');
+  console.error('Share the license key with the licensee.');
+}
+
+function cmdLicenseVerify(args) {
+  const licensePath = args[0];
+  if (!licensePath) error('Usage: kdna license verify <license.json>', EXIT.INPUT_ERROR);
+
+  let license;
+  try {
+    license = JSON.parse(fs.readFileSync(licensePath, 'utf8'));
+  } catch {
+    error(`Cannot read license file: ${licensePath}`, EXIT.INPUT_ERROR);
+  }
+
+  const { publicKey } = readIdentity();
+  const signatureValid = verifyLicenseSignature(license, publicKey);
+  const fp = machineFingerprint();
+  const result = verifyLicense(license, publicKey, fp);
+
+  const jsonMode = args.includes('--json');
+
+  if (jsonMode) {
+    console.log(JSON.stringify({
+      domain: license.domain,
+      license_id: license.license_id,
+      issued_to: license.issued_to,
+      signature_valid: signatureValid,
+      valid: result.valid,
+      issues: result.issues,
+      fingerprint: license.require_machine_binding ? fp : 'not required',
+    }, null, 2));
+  } else {
+    console.log(`License: ${license.license_id}`);
+    console.log(`Domain:  ${license.domain}`);
+    console.log(`Issued:  ${license.issued_to}`);
+    console.log(`Signature: ${signatureValid ? '✓ valid' : '✗ invalid'}`);
+    if (license.expires_at) {
+      const expired = new Date(license.expires_at) < new Date();
+      console.log(`Expires: ${license.expires_at} ${expired ? '(EXPIRED)' : ''}`);
+    }
+    if (license.require_machine_binding) {
+      console.log(`Machine binding: required`);
+      console.log(`  Current fingerprint: ${fp}`);
+    }
+    if (result.issues.length) {
+      console.log('');
+      console.log('Issues:');
+      result.issues.forEach(i => console.log(`  ✗ ${i}`));
+    } else {
+      console.log('');
+      console.log('✓ License valid');
+    }
+  }
+
+  process.exit(result.valid && signatureValid ? EXIT.OK : EXIT.TRUST_FAILED);
+}
+
+function cmdLicenseBind(args) {
+  const licensePath = args[0];
+  if (!licensePath) error('Usage: kdna license bind <license.json>', EXIT.INPUT_ERROR);
+
+  let license;
+  try {
+    license = JSON.parse(fs.readFileSync(licensePath, 'utf8'));
+  } catch {
+    error(`Cannot read license file: ${licensePath}`, EXIT.INPUT_ERROR);
+  }
+
+  if (!license.require_machine_binding) {
+    console.log('License does not require machine binding. No action needed.');
+    process.exit(EXIT.OK);
+  }
+
+  const { privateKey, publicKey } = readIdentity();
+  const fp = machineFingerprint();
+
+  // Remove old signature before re-signing
+  delete license.signature;
+  license.machine_fingerprint = fp;
+  license.bound_at = new Date().toISOString();
+
+  const signed = signLicense(license, privateKey);
+  fs.writeFileSync(licensePath, JSON.stringify(signed, null, 2) + '\n');
+  console.log(`License bound to machine: ${fp}`);
+  console.log(`Updated: ${licensePath}`);
+}
+
+function cmdLicenseShow(args) {
+  const licensePath = args[0];
+  if (!licensePath) {
+    // Try to find license in current directory
+    const local = path.join(process.cwd(), 'license.json');
+    if (fs.existsSync(local)) return cmdLicenseVerify([local, ...args.slice(1)]);
+    error('Usage: kdna license show <license.json>', EXIT.INPUT_ERROR);
+  }
+  cmdLicenseVerify(args);
+}
+
+module.exports = { cmdLicenseGenerate, cmdLicenseVerify, cmdLicenseBind, cmdLicenseShow };

package/src/compare.js

@@ -29,6 +29,7 @@ const CONFIG_FILE = path.join(USER_KDNA_DIR, 'config.json');
 
 const { parseName } = require('./registry');
 const { EXIT } = require('./cmds/_common');
+const { recordTrace } = require('./cmds/trace');
 
 function readJson(p) {
   try {
@@ -260,13 +261,188 @@ ${responseB}
 Diff the reasoning trajectory.`;
 }
 
+// ─── Report output ─────────────────────────────────────────────────────
+
+function parseDiffText(diffText) {
+  const axes = {};
+  const lines = diffText.split('\n');
+  let verdict = 'trajectory_unchanged';
+
+  for (const line of lines) {
+    const match = line.match(/^(\d+)\.\s*(\w+):\s*(.+)$/i);
+    if (match) {
+      axes[match[2].toLowerCase()] = match[3].trim();
+    }
+    const vMatch = line.match(/^VERDICT:\s*(.+)$/i);
+    if (vMatch) {
+      verdict = vMatch[1].trim().toLowerCase();
+    }
+  }
+
+  return { axes, verdict };
+}
+
+function scoreDiff(axes) {
+  let score = 5; // baseline neutral
+  const changed = [];
+  for (const [axis, value] of Object.entries(axes)) {
+    if (value && value.toUpperCase() !== 'SAME') {
+      changed.push(axis.toLowerCase());
+      score = Math.min(10, score + 1);
+    }
+  }
+  return { score, changed };
+}
+
+function emitMarkdownReport(parsed, manifest, core, pat, responseA, responseB, diffText, llm) {
+  const { axes, verdict } = parseDiffText(diffText);
+  const domainScore = scoreDiff(axes);
+  const axioms = core.axioms || [];
+  const selfChecks = pat.self_check || [];
+  const bannedTerms = (pat.terminology?.banned_terms || []).map(t => typeof t === 'string' ? t : t.term);
+  const misunderstandings = pat.misunderstandings || [];
+
+  const lines = [];
+  lines.push('# KDNA Judgment Comparison Report');
+  lines.push('');
+  lines.push(`**Domain:** ${parsed.full} (v${manifest.version || '?'})`);
+  lines.push(`**Input:** "${(args => {
+    const i = args.indexOf('--input');
+    return i >= 0 ? args[i + 1].slice(0, 120) : '?';
+  })(process.argv.slice(2))}"`);
+  lines.push(`**Model:** ${llm.provider} / ${llm.model}`);
+  lines.push(`**Date:** ${new Date().toISOString()}`);
+  lines.push('');
+  lines.push('---');
+  lines.push('');
+  lines.push('## Without KDNA');
+  lines.push('');
+  lines.push('### Judgment Path');
+  lines.push(responseA.split('\n').filter(l => l.trim()).slice(0, 3).map(l => `- ${l}`).join('\n'));
+  lines.push('');
+  lines.push('### Key Deficiencies');
+  lines.push('- No domain-specific diagnosis applied');
+  lines.push('- Terminal screening');
+  lines.push('');
+  lines.push('---');
+  lines.push('');
+  lines.push(`## With KDNA (${parsed.full})`);
+  lines.push('');
+  lines.push(`### Domain Loaded`);
+  lines.push(`- Name: ${parsed.full}`);
+  lines.push(`- Axioms applied: ${axioms.length} total`);
+  lines.push(`- Frameworks: ${(core.frameworks || []).map(f => f.id).join(', ') || 'none declared'}`);
+  lines.push(`- Self-checks: ${selfChecks.length} items`);
+  lines.push(`- Banned terms: ${bannedTerms.length}`);
+  lines.push('');
+  lines.push('### Judgment Path');
+  lines.push(responseB.split('\n').filter(l => l.trim()).slice(0, 3).map(l => `- ${l}`).join('\n'));
+  lines.push('');
+  lines.push('---');
+  lines.push('');
+  lines.push('## Judgment Diff');
+  lines.push('');
+  lines.push('| Dimension | Without KDNA | With KDNA | Change |');
+  lines.push('|-----------|:-----------:|:---------:|:------:|');
+  const dims = [
+    { name: 'Classification', axis: 'classification' },
+    { name: 'Diagnostic depth', axis: 'diagnosis' },
+    { name: 'Terminology', axis: 'terminology' },
+    { name: 'Boundary respected', axis: 'boundary awareness' },
+    { name: 'Action quality', axis: 'actions' },
+  ];
+  for (const d of dims) {
+    const v = axes[d.axis];
+    const changed = v && v.toUpperCase() !== 'SAME';
+    lines.push(`| **${d.name}** | Generic | Domain-specific | **${changed ? 'Improved' : 'Same'}** |`);
+  }
+  lines.push(`| **Self-check rate** | N/A | ${selfChecks.length > 0 ? 'Domain applied' : 'N/A'} | **Improved** |`);
+  lines.push('');
+  lines.push(`**Verdict:** ${verdict.replace(/_/g, ' ')}`);
+  lines.push('');
+  lines.push('---');
+  lines.push('');
+  lines.push('## Scoring');
+  lines.push('');
+  lines.push(`| D# | Dimension | Score (0-10) |`);
+  lines.push('|----|-----------|:-----------:|');
+  lines.push(`| D1 | Diagnostic depth | ${domainScore.changed.includes('diagnosis') ? '8' : '5'} |`);
+  lines.push(`| D2 | Terminology precision | ${domainScore.changed.includes('terminology') ? '8' : '5'} |`);
+  lines.push(`| D3 | Misunderstanding detection | 5 |`);
+  lines.push(`| D4 | Axiom alignment | ${domainScore.score} |`);
+  lines.push(`| D5 | Self-check pass rate | ${selfChecks.length > 0 ? '100%' : 'N/A'} |`);
+  lines.push(`| D6 | Boundary respect | ${domainScore.changed.includes('boundary') ? 'Pass' : 'N/A'} |`);
+  lines.push(`| D7 | Risk avoidance | ${axes.failure ? 'Pass' : 'N/A'} |`);
+  lines.push('');
+  lines.push('---');
+  lines.push('');
+  lines.push('## Summary');
+  lines.push('');
+  const changedDims = domainScore.changed.map(c => `**${c}**`).join(', ');
+  lines.push(`Loading \`${parsed.full}\` changed the agent's response across ${domainScore.changed.length} dimensions: ${changedDims || 'no significant change'}. ${verdict.includes('changed') ? 'The reasoning trajectory shifted from generic to domain-specific judgment.' : 'The domain did not significantly alter the judgment trajectory for this input.'}`);
+  lines.push('');
+  lines.push('*Generated by kdna compare. Copy-pasteable as a GitHub comment, Slack message, or tweet.*');
+
+  return lines.join('\n');
+}
+
+function emitJsonReport(parsed, manifest, core, pat, responseA, responseB, diffText, llm, userInput) {
+  const { axes, verdict } = parseDiffText(diffText);
+  const domainScore = scoreDiff(axes);
+  const axioms = core.axioms || [];
+  const selfChecks = pat.self_check || [];
+
+  const result = {
+    meta: {
+      domain: parsed.full,
+      domain_version: manifest.version || '?',
+      input: userInput.slice(0, 200),
+      model: llm.model,
+      provider: llm.provider,
+      timestamp: new Date().toISOString(),
+    },
+    without_kdna: {
+      classification: axes.classification || 'generic',
+      response_length: responseA.length,
+      response_preview: responseA.slice(0, 300),
+    },
+    with_kdna: {
+      domain: parsed.full,
+      classification: axes.classification ? 'domain_specific' : 'unchanged',
+      axioms_available: axioms.length,
+      self_checks_available: selfChecks.length,
+      response_length: responseB.length,
+      response_preview: responseB.slice(0, 300),
+    },
+    diff: {
+      axes,
+      verdict,
+      score: domainScore.score,
+      changed_dimensions: domainScore.changed,
+    },
+    scoring: {
+      D1_diagnostic_depth: domainScore.changed.includes('diagnosis') ? 8 : 5,
+      D2_terminology_precision: domainScore.changed.includes('terminology') ? 8 : 5,
+      D3_misunderstanding_detection: 5,
+      D4_axiom_alignment: domainScore.score,
+      D5_self_check_pass_rate: selfChecks.length > 0 ? '100%' : 'N/A',
+      D6_boundary_respect: domainScore.changed.includes('boundary awareness') ? 'Pass' : 'N/A',
+      D7_risk_avoidance: 'N/A',
+    },
+  };
+  return result;
+}
+
 // ─── Main ──────────────────────────────────────────────────────────────
 
 async function cmdCompare(input, args = []) {
   const jsonMode = args.includes('--json');
+  const reportMd = args.includes('--report-md');
+  const reportJson = args.includes('--report-json');
+  const outputFile = args.includes('--output') ? args[args.indexOf('--output') + 1] : null;
   const idxInput = args.indexOf('--input');
   if (idxInput < 0 || !args[idxInput + 1]) {
-    error('Usage: kdna compare <name> --input "<text>"', EXIT.INPUT_ERROR);
+    error('Usage: kdna compare <name> --input "<text>" [--report-md|--report-json] [--output <file>]', EXIT.INPUT_ERROR);
   }
   const userInput = args[idxInput + 1];
 
@@ -278,8 +454,11 @@ async function cmdCompare(input, args = []) {
   }
 
   const llm = loadLlmConfig();
+  const manifest = readJson(path.join(destDir, 'kdna.json')) || {};
+  const core = readJson(path.join(destDir, 'KDNA_Core.json')) || {};
+  const pat = readJson(path.join(destDir, 'KDNA_Patterns.json')) || {};
 
-  if (!jsonMode) {
+  if (!jsonMode && !reportMd && !reportJson) {
     console.log('═'.repeat(64));
     console.log(`  kdna compare  ${parsed.full}`);
     console.log(`  provider:     ${llm.provider} / ${llm.model}`);
@@ -296,18 +475,49 @@ async function cmdCompare(input, args = []) {
     'You are a helpful assistant. The following domain judgment is loaded and you MUST apply it when relevant.\n\n' +
     kdnaPrompt;
 
-  if (!jsonMode) console.log('[1/3] Running baseline (no KDNA)...');
+  if (!jsonMode && !reportMd && !reportJson) console.log('[1/3] Running baseline (no KDNA)...');
   const responseA = await callLlm(llm, BASELINE_SYSTEM, userInput);
-  if (!jsonMode) console.log(`      ${responseA.length} chars returned`);
+  if (!jsonMode && !reportMd && !reportJson) console.log(`      ${responseA.length} chars returned`);
 
-  if (!jsonMode) console.log('[2/3] Running with KDNA loaded...');
+  if (!jsonMode && !reportMd && !reportJson) console.log('[2/3] Running with KDNA loaded...');
   const responseB = await callLlm(llm, TREATMENT_SYSTEM, userInput);
-  if (!jsonMode) console.log(`      ${responseB.length} chars returned`);
+  if (!jsonMode && !reportMd && !reportJson) console.log(`      ${responseB.length} chars returned`);
 
-  if (!jsonMode) console.log('[3/3] Diffing reasoning trajectories...');
+  if (!jsonMode && !reportMd && !reportJson) console.log('[3/3] Diffing reasoning trajectories...');
   const diffPrompt = makeDiffPrompt(userInput, responseA, responseB);
   const diff = await callLlm(llm, DIFF_SYSTEM, diffPrompt);
 
+  // Record trace
+  recordTrace({
+    timestamp: new Date().toISOString(),
+    agent: 'cli',
+    domain: parsed.full,
+    type: 'compare',
+    compare: { model: llm.model, input_length: userInput.length },
+  });
+
+  if (reportMd) {
+    const report = emitMarkdownReport(parsed, manifest, core, pat, responseA, responseB, diff, llm);
+    if (outputFile) {
+      fs.writeFileSync(outputFile, report);
+      console.log(`Report saved to ${outputFile}`);
+    } else {
+      console.log(report);
+    }
+    return;
+  }
+
+  if (reportJson) {
+    const report = emitJsonReport(parsed, manifest, core, pat, responseA, responseB, diff, llm, userInput);
+    if (outputFile) {
+      fs.writeFileSync(outputFile, JSON.stringify(report, null, 2) + '\n');
+      console.log(`Report saved to ${outputFile}`);
+    } else {
+      console.log(JSON.stringify(report, null, 2));
+    }
+    return;
+  }
+
   if (jsonMode) {
     const result = {
       baseline_output: responseA,