@aikdna/kdna-cli 0.13.0 → 0.14.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aikdna/kdna-cli",
-  "version": "0.13.0",
+  "version": "0.14.0",
   "description": "KDNA CLI — create, validate, install, and manage domain cognition packages for AI agents.",
   "type": "commonjs",
   "bin": {

package/src/cli.js

@@ -7,7 +7,7 @@
  */
 
 const { error, EXIT, setQuiet, setExitCodeOnly } = require('./cmds/_common');
-const { cmdValidate, cmdPack, cmdUnpack, cmdInspect } = require('./cmds/domain');
+const { cmdValidate, cmdPack, cmdPackEncrypt, cmdUnpack, cmdUnpackEncrypt, cmdInspect } = require('./cmds/domain');
 const { cmdList, cmdRegistry } = require('./cmds/registry');
 const {
   cmdCompare,
@@ -24,6 +24,7 @@ const { cmdIdentity } = require('./cmds/identity');
 const { cmdSetup } = require('./cmds/setup');
 const { cmdDoctor } = require('./cmds/doctor');
 const { cmdTrace, cmdHistory } = require('./cmds/trace');
+const { cmdLicenseGenerate, cmdLicenseVerify, cmdLicenseBind, cmdLicenseShow } = require('./cmds/license');
 const { cmdPreview, cmdProject, cmdEval, cmdExport, cmdDemo } = require('./cmds/legacy');
 const { cmdStudioScaffold, cmdCardsValidate, cmdLockVerify, cmdStudioCompile, cmdStudioReadiness } = require('./cmds/studio');
 const { cmdTestRun, cmdTestImport } = require('./cmds/test');
@@ -54,7 +55,9 @@ Domain Authoring:
   validate <path>                  Validate domain structure
   validate --schema <path>         Schema-only validation
   pack <path>                      Pack into .kdna container
+  pack <path> --encrypt --license <file>   Pack encrypted .kdnae container
   unpack <file>                    Unpack .kdna container
+  unpack <file> --license <file>   Unpack encrypted .kdnae container
   inspect <path>                   Inspect domain or .kdna file
   publish <path>                   Pack + sign + publish
   publish --check <path>           Quality gate check only
@@ -133,6 +136,12 @@ Trace & Diagnostics:
   trace [--json] [--since 7d] [--export <file>]  Agent judgment trace
   history [--stats] [--domain <name>] [--agent <name>]  Recent usage
 
+License & Authorization:
+  license generate <domain> --to <email>   Generate signed license
+  license verify <license.json>            Verify license signature
+  license bind <license.json>              Bind license to this machine
+  license show <license.json>              Display license details
+
 Flags:
   --json                           Structured JSON output (machine-readable)
   --quiet                          Suppress non-error output
@@ -167,13 +176,21 @@ switch (cmd) {
       }
     }
     if (!target) error('Usage: kdna pack <path>');
-    cmdPack(target, output);
+    if (args.includes('--encrypt')) {
+      cmdPackEncrypt(target, args);
+    } else {
+      cmdPack(target, output);
+    }
     break;
   }
   case 'unpack': {
     const target = args[1];
-    if (!target) error('Usage: kdna unpack <file.kdna>');
-    cmdUnpack(target, args.includes('--force'));
+    if (!target) error('Usage: kdna unpack <file.kdna|file.kdnae>');
+    if (target.endsWith('.kdnae')) {
+      cmdUnpackEncrypt(target, args);
+    } else {
+      cmdUnpack(target, args.includes('--force'));
+    }
     break;
   }
   case 'preview': {
@@ -408,6 +425,29 @@ switch (cmd) {
     cmdHistory(args);
     break;
   }
+  case 'license': {
+    const sub = args[1];
+    const rest = args.slice(2);
+    if (sub === 'generate') {
+      cmdLicenseGenerate(rest);
+    } else if (sub === 'verify') {
+      cmdLicenseVerify(rest);
+    } else if (sub === 'bind') {
+      cmdLicenseBind(rest);
+    } else if (sub === 'show') {
+      cmdLicenseShow(rest);
+    } else {
+      error(
+        'Usage:\n' +
+          '  kdna license generate <domain> --to <email> [--expires <date>]\n' +
+          '  kdna license verify <license.json>\n' +
+          '  kdna license bind <license.json>\n' +
+          '  kdna license show <license.json>',
+        EXIT.INPUT_ERROR,
+      );
+    }
+    break;
+  }
   case 'identity': {
     cmdIdentity(args);
     break;

package/src/cmds/_common.js

@@ -57,8 +57,9 @@ Usage:
   kdna validate <path>          Validate a domain directory
   kdna validate --schema <path>   ...with JSON Schema
   kdna pack <path>              Pack a domain folder into a .kdna container
+  kdna pack <path> --encrypt --license <file>   Pack encrypted .kdnae container
   kdna pack --output <dir> <path>   Output .kdna to specific directory
-  kdna unpack <path>            Unpack a .kdna container to a folder
+  kdna unpack <path>            Unpack a .kdna or .kdnae container to a folder
   kdna inspect <path>           Inspect a domain directory or .kdna file
   kdna publish <path>           Pack + sign + output registry patch
   kdna publish <path> --release-tag <tag> --repo <o/r>   ...also upload to GitHub

package/src/cmds/domain.js

@@ -2,6 +2,14 @@ const fs = require('fs');
 const path = require('path');
 const { execSync } = require('child_process');
 const { error, readJson, writeJson, EXIT } = require('./_common');
+const {
+  encrypt,
+  decrypt,
+  deriveKey,
+  machineFingerprint,
+  isEncryptable,
+  ENCRYPTED_FILES,
+} = require('./encrypt');
 
 // ─── Validate ────────────────────────────────────────────────────────
 
@@ -707,9 +715,238 @@ function cmdInspect(dir, jsonMode = false) {
   console.log('═'.repeat(50));
 }
 
+// ─── Encrypted Container (.kdnae) ─────────────────────────────────────
+
+function cmdPackEncrypt(dir, args = []) {
+  const abs = path.resolve(dir);
+  if (!fs.existsSync(abs) || !fs.statSync(abs).isDirectory()) {
+    error(`Not a directory: ${abs}`, EXIT.INPUT_ERROR);
+  }
+
+  const core = readJson(path.join(abs, 'KDNA_Core.json'));
+  const pat = readJson(path.join(abs, 'KDNA_Patterns.json'));
+  if (!core) error('KDNA_Core.json not found or invalid');
+  if (!pat) error('KDNA_Patterns.json not found or invalid');
+
+  const domainName = core.meta?.domain || path.basename(abs);
+
+  let manifest = readJson(path.join(abs, 'kdna.json'));
+  if (!manifest) {
+    const jsonCount = fs.readdirSync(abs).filter(f => f.endsWith('.json') && f !== 'kdna.json').length;
+    manifest = {
+      kdna_spec: '1.0-rc',
+      name: domainName,
+      version: core.meta?.version || '0.1.0',
+      status: 'experimental',
+      access: 'licensed',
+      language: 'en',
+      author: { name: '', id: '' },
+      license: { type: 'KCL-1.0' },
+      description: core.meta?.purpose || `${domainName} domain cognition`,
+      file_count: jsonCount,
+      created: new Date().toISOString().slice(0, 10),
+      updated: new Date().toISOString().slice(0, 10),
+    };
+    writeJson(path.join(abs, 'kdna.json'), manifest);
+  }
+
+  // Get encryption key
+  const licenseIdx = args.indexOf('--license');
+  const keyIdx = args.indexOf('--key');
+  let encKey;
+
+  if (licenseIdx >= 0) {
+    const licensePath = args[licenseIdx + 1];
+    if (!licensePath || !fs.existsSync(licensePath)) error('License file not found', EXIT.INPUT_ERROR);
+    const license = JSON.parse(fs.readFileSync(licensePath, 'utf8'));
+    const licenseKey = license.license_id;
+    const fp = machineFingerprint();
+    encKey = deriveKey(licenseKey, fp);
+  } else if (keyIdx >= 0) {
+    const rawKey = args[keyIdx + 1];
+    if (!rawKey) error('--key requires a value', EXIT.INPUT_ERROR);
+    encKey = deriveKey(rawKey, machineFingerprint());
+  } else {
+    error('Use --license <license.json> or --key <secret> to provide encryption key', EXIT.INPUT_ERROR);
+  }
+
+  const outputDir = args.includes('--output') ? args[args.indexOf('--output') + 1] : null;
+  const outName = `${domainName}.kdnae`;
+  const outPath = outputDir ? path.join(outputDir, outName) : path.join(process.cwd(), outName);
+  if (outputDir && !fs.existsSync(outputDir)) fs.mkdirSync(outputDir, { recursive: true });
+
+  // Build encrypted ZIP
+  const zlib = require('zlib');
+  const files = fs.readdirSync(abs).filter(f => {
+    if (f.startsWith('.')) return false;
+    const ext = path.extname(f);
+    return ext === '.json' || f === 'README.md' || f === 'LICENSE' || f === 'kdna.json';
+  });
+
+  const centralDir = [];
+  const fileData = [];
+  let offset = 0;
+
+  for (const f of files.sort()) {
+    let raw = fs.readFileSync(path.join(abs, f));
+    let storedName = f;
+
+    if (isEncryptable(f)) {
+      try {
+        const encrypted = encrypt(raw.toString('utf8'), encKey);
+        raw = encrypted;
+        storedName = f; // Keep original name, content is encrypted
+      } catch (err) {
+        error(`Failed to encrypt ${f}: ${err.message}`);
+      }
+    }
+
+    const crc = crc32(raw);
+    const compressed = zlib.deflateRawSync(raw);
+    const useStore = compressed.length >= raw.length;
+    const stored = useStore ? raw : compressed;
+
+    const nameBytes = Buffer.from(storedName, 'utf8');
+    const localHeader = Buffer.alloc(30);
+    localHeader.writeUInt32LE(0x04034b50, 0);
+    localHeader.writeUInt16LE(20, 4);
+    localHeader.writeUInt16LE(0x0800, 6);
+    localHeader.writeUInt16LE(useStore ? 0 : 8, 8);
+    localHeader.writeUInt32LE(crc, 14);
+    localHeader.writeUInt32LE(useStore ? raw.length : compressed.length, 18);
+    localHeader.writeUInt32LE(raw.length, 22);
+    localHeader.writeUInt16LE(nameBytes.length, 26);
+
+    fileData.push(Buffer.concat([localHeader, nameBytes, stored]));
+    offset += localHeader.length + nameBytes.length + stored.length;
+
+    const cdEntry = Buffer.alloc(46);
+    cdEntry.writeUInt32LE(0x02014b50, 0);
+    cdEntry.writeUInt16LE(20, 4);
+    cdEntry.writeUInt16LE(20, 6);
+    cdEntry.writeUInt16LE(0x0800, 8);
+    cdEntry.writeUInt16LE(useStore ? 0 : 8, 10);
+    cdEntry.writeUInt32LE(crc, 16);
+    cdEntry.writeUInt32LE(useStore ? raw.length : compressed.length, 20);
+    cdEntry.writeUInt32LE(raw.length, 24);
+    cdEntry.writeUInt16LE(nameBytes.length, 28);
+    cdEntry.writeUInt32LE(offset - stored.length - nameBytes.length - localHeader.length, 42);
+    centralDir.push(Buffer.concat([cdEntry, nameBytes]));
+  }
+
+  const cdOffset = offset;
+  const cdSize = centralDir.reduce((s, e) => s + e.length, 0);
+  const eocd = Buffer.alloc(22);
+  eocd.writeUInt32LE(0x06054b50, 0);
+  eocd.writeUInt16LE(0, 4);
+  eocd.writeUInt16LE(0, 6);
+  eocd.writeUInt16LE(files.length, 8);
+  eocd.writeUInt16LE(files.length, 10);
+  eocd.writeUInt32LE(cdSize, 12);
+  eocd.writeUInt32LE(cdOffset, 16);
+  eocd.writeUInt16LE(0, 20);
+
+  const all = Buffer.concat([...fileData, ...centralDir, eocd]);
+  fs.writeFileSync(outPath, all);
+
+  console.log(`✓ Encrypted pack: ${outPath}`);
+  console.log(`  Domain: ${domainName} v${manifest.version}`);
+  console.log(`  Files: ${files.length} (${files.filter(isEncryptable).length} encrypted, ${files.filter(f => !isEncryptable(f)).length} plaintext)`);
+  console.log(`  Container: AES-256-GCM .kdnae`);
+}
+
+function cmdUnpackEncrypt(filePath, args = []) {
+  const abs = path.resolve(filePath);
+  if (!fs.existsSync(abs) || !fs.statSync(abs).isFile()) {
+    error(`Not a file: ${abs}`, EXIT.INPUT_ERROR);
+  }
+  if (!abs.endsWith('.kdnae')) {
+    error(`Not a .kdnae file: ${abs}`, EXIT.INPUT_ERROR);
+  }
+
+  const licenseIdx = args.indexOf('--license');
+  const keyIdx = args.indexOf('--key');
+  let encKey;
+
+  if (licenseIdx >= 0) {
+    const licensePath = args[licenseIdx + 1];
+    if (!licensePath || !fs.existsSync(licensePath)) error('License file not found', EXIT.INPUT_ERROR);
+    const license = JSON.parse(fs.readFileSync(licensePath, 'utf8'));
+    const licenseKey = license.license_id;
+    const fp = machineFingerprint();
+    encKey = deriveKey(licenseKey, fp);
+  } else if (keyIdx >= 0) {
+    const rawKey = args[keyIdx + 1];
+    if (!rawKey) error('--key requires a value', EXIT.INPUT_ERROR);
+    encKey = deriveKey(rawKey, machineFingerprint());
+  } else {
+    error('Use --license <license.json> or --key <secret> to decrypt', EXIT.INPUT_ERROR);
+  }
+
+  const domainName = path.basename(abs, '.kdnae');
+  const outDir = path.join(path.dirname(abs), domainName);
+  const force = args.includes('--force');
+
+  if (fs.existsSync(outDir)) {
+    if (!force) error(`Directory already exists: ${outDir}\nUse --force to overwrite.`, EXIT.INPUT_ERROR);
+    fs.rmSync(outDir, { recursive: true, force: true });
+  }
+  fs.mkdirSync(outDir, { recursive: true });
+
+  // Extract ZIP first, then decrypt KDNA JSON files
+  const os = require('os');
+  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'kdnae-unpack-'));
+
+  try {
+    const tmpPy = path.join(os.tmpdir(), `kdnae-unpack-${Date.now()}.py`);
+    try {
+      const script = `import zipfile, os
+zf = zipfile.ZipFile(${JSON.stringify(abs)}, 'r')
+zf.extractall(${JSON.stringify(tmpDir)})
+zf.close()
+`;
+      fs.writeFileSync(tmpPy, script);
+      execSync(`python3 ${tmpPy}`, { stdio: 'pipe' });
+    } catch {
+      try { execSync(`unzip -q -o "${abs}" -d "${tmpDir}"`, { stdio: 'pipe' }); }
+      catch { error('Cannot unpack .kdnae container'); }
+    } finally {
+      try { fs.unlinkSync(tmpPy); } catch { /* cleanup */ }
+    }
+
+    // Copy plaintext files, decrypt KDNA files
+    const extracted = fs.readdirSync(tmpDir);
+    for (const f of extracted) {
+      const src = path.join(tmpDir, f);
+      const dest = path.join(outDir, f);
+
+      if (ENCRYPTED_FILES.includes(f)) {
+        try {
+          const encrypted = fs.readFileSync(src);
+          const decrypted = decrypt(encrypted, encKey);
+          fs.writeFileSync(dest, decrypted);
+        } catch (err) {
+          error(`Failed to decrypt ${f}: ${err.message}. Wrong license key?`);
+        }
+      } else {
+        fs.copyFileSync(src, dest);
+      }
+    }
+  } finally {
+    try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch { /* cleanup */ }
+  }
+
+  console.log(`✓ Decrypted: ${outDir}`);
+  const files = fs.readdirSync(outDir);
+  console.log(`  Files: ${files.length}`);
+  files.forEach(f => console.log(`    ${f}`));
+}
+
 module.exports = {
   cmdValidate,
   cmdPack,
+  cmdPackEncrypt,
   cmdUnpack,
+  cmdUnpackEncrypt,
   cmdInspect,
 };

package/src/cmds/encrypt.js

@@ -0,0 +1,190 @@
+/**
+ * KDNA Encryption — Encrypted container format (.kdnae) for licensed domains.
+ *
+ * .kdnae extends .kdna with AES-256-GCM encryption on KDNA JSON files.
+ * The kdna.json manifest and license.json stay in plaintext for discovery.
+ *
+ * Encryption key is derived via PBKDF2 from:
+ *   license_key + machine_fingerprint
+ *
+ * This module provides pure-crypto functions (no filesystem I/O).
+ * File operations are in domain.js (pack/unpack) and install.js.
+ */
+
+const crypto = require('crypto');
+
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 16; // 96-bit IV for GCM
+const TAG_LENGTH = 16; // 128-bit auth tag
+const SALT_LENGTH = 32;
+const PBKDF2_ITERATIONS = 600000;
+const KEY_LENGTH = 32; // AES-256
+
+// Files in a .kdna container that get encrypted (JSON content only)
+const ENCRYPTED_FILES = [
+  'KDNA_Core.json',
+  'KDNA_Patterns.json',
+  'KDNA_Scenarios.json',
+  'KDNA_Cases.json',
+  'KDNA_Reasoning.json',
+  'KDNA_Evolution.json',
+];
+
+// Files that always stay in plaintext
+const PLAINTEXT_FILES = ['kdna.json', 'license.json', 'README.md', 'LICENSE', 'signature.json'];
+
+function isEncryptable(filename) {
+  return ENCRYPTED_FILES.includes(filename);
+}
+
+// ─── Machine Fingerprint ────────────────────────────────────────────────
+
+function machineFingerprint() {
+  const os = require('os');
+  const parts = [os.hostname(), os.userInfo().uid.toString(), os.platform(), os.arch()];
+  // Try to get hardware UUID on macOS
+  try {
+    const { execSync } = require('child_process');
+    if (os.platform() === 'darwin') {
+      const uuid = execSync('ioreg -d2 -c IOPlatformExpertDevice | grep IOPlatformUUID', {
+        encoding: 'utf8',
+        timeout: 3000,
+      }).match(/"[A-F0-9-]{36}"/)?.[0]?.replace(/"/g, '');
+      if (uuid) parts.push(uuid);
+    }
+    if (os.platform() === 'linux') {
+      try {
+        const mid = require('fs').readFileSync('/etc/machine-id', 'utf8').trim();
+        if (mid) parts.push(mid);
+      } catch { /* ignore */ }
+    }
+  } catch { /* non-critical */ }
+  return crypto.createHash('sha256').update(parts.join('|')).digest('hex');
+}
+
+// ─── Key Derivation ─────────────────────────────────────────────────────
+
+function deriveKey(licenseKey, fingerprint) {
+  const salt = crypto.createHash('sha256').update(fingerprint || machineFingerprint()).digest();
+  return crypto.pbkdf2Sync(licenseKey, salt, PBKDF2_ITERATIONS, KEY_LENGTH, 'sha512');
+}
+
+// ─── Encrypt / Decrypt ──────────────────────────────────────────────────
+
+function encrypt(plaintext, key) {
+  const iv = crypto.randomBytes(IV_LENGTH);
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  // Format: iv (16) + tag (16) + ciphertext
+  return Buffer.concat([iv, tag, encrypted]);
+}
+
+function decrypt(encryptedData, key) {
+  if (encryptedData.length < IV_LENGTH + TAG_LENGTH) {
+    throw new Error('Invalid encrypted data: too short');
+  }
+  const iv = encryptedData.subarray(0, IV_LENGTH);
+  const tag = encryptedData.subarray(IV_LENGTH, IV_LENGTH + TAG_LENGTH);
+  const ciphertext = encryptedData.subarray(IV_LENGTH + TAG_LENGTH);
+  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
+}
+
+// ─── Encrypted Container Detection ──────────────────────────────────────
+
+function isEncryptedContainer(filePath) {
+  return filePath.endsWith('.kdnae');
+}
+
+// ─── License File ──────────────────────────────────────────────────────
+
+function createLicense(domain, options = {}) {
+  const {
+    issuedTo = 'licensee@example.com',
+    expiresAt = null,       // ISO date or null for perpetual
+    maxAgents = 1,
+    requireMachineBinding = true,
+    requireOnlineCheck = false,
+    offlineGraceDays = 7,
+  } = options;
+
+  const license = {
+    version: '1.0',
+    license_id: `lic_${crypto.randomBytes(8).toString('hex')}`,
+    domain,
+    issued_to: issuedTo,
+    issued_at: new Date().toISOString(),
+    expires_at: expiresAt,
+    max_agents: maxAgents,
+    require_machine_binding: requireMachineBinding,
+    require_online_check: requireOnlineCheck,
+    offline_grace_days: offlineGraceDays,
+    allowed_agents: options.allowedAgents || ['claude_code', 'codex', 'opencode'],
+  };
+
+  return license;
+}
+
+function verifyLicense(license, scopePubkey, fingerprint) {
+  const issues = [];
+
+  // Check expiration
+  if (license.expires_at) {
+    if (new Date(license.expires_at) < new Date()) {
+      issues.push('License has expired');
+    }
+  }
+
+  // Check machine binding
+  if (license.require_machine_binding) {
+    if (license.machine_fingerprint && license.machine_fingerprint !== fingerprint) {
+      issues.push('Machine fingerprint mismatch');
+    }
+  }
+
+  return {
+    valid: issues.length === 0,
+    issues,
+    domain: license.domain,
+    license_id: license.license_id,
+    issued_to: license.issued_to,
+  };
+}
+
+function signLicense(license, privateKeyPem) {
+  const { signature: _, ...payload } = license;
+  const data = JSON.stringify(payload, Object.keys(payload).sort());
+  // Use crypto.sign() for Ed25519 (supported via PEM keys)
+  const sig = crypto.sign(null, Buffer.from(data), privateKeyPem);
+  license.signature = `ed25519:${sig.toString('hex')}`;
+  return license;
+}
+
+function verifyLicenseSignature(license, publicKeyPem) {
+  const signature = license.signature?.replace('ed25519:', '') || '';
+  if (!signature) return false;
+  const { signature: _, ...payload } = license;
+  const data = JSON.stringify(payload, Object.keys(payload).sort());
+  try {
+    return crypto.verify(null, Buffer.from(data), publicKeyPem, Buffer.from(signature, 'hex'));
+  } catch {
+    return false;
+  }
+}
+
+module.exports = {
+  encrypt,
+  decrypt,
+  deriveKey,
+  machineFingerprint,
+  isEncryptable,
+  isEncryptedContainer,
+  createLicense,
+  verifyLicense,
+  signLicense,
+  verifyLicenseSignature,
+  ENCRYPTED_FILES,
+  PLAINTEXT_FILES,
+};

package/src/cmds/license.js

@@ -0,0 +1,178 @@
+/**
+ * KDNA License — Generate, verify, and manage domain licenses.
+ *
+ * Commands:
+ *   kdna license generate <domain> --to <email> [--expires <date>]
+ *   kdna license verify <license.json>
+ *   kdna license bind <license.json>
+ */
+
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+const { EXIT, error } = require('./_common');
+const { createLicense, signLicense, verifyLicense, verifyLicenseSignature, machineFingerprint } = require('./encrypt');
+
+const IDENTITY_DIR = path.join(process.env.HOME || process.env.USERPROFILE || '.', '.kdna', 'identity');
+const PRIVATE_KEY_PATH = path.join(IDENTITY_DIR, 'kdna.key');
+const PUBLIC_KEY_PATH = path.join(IDENTITY_DIR, 'kdna.pub');
+
+function readIdentity() {
+  if (!fs.existsSync(PRIVATE_KEY_PATH) || !fs.existsSync(PUBLIC_KEY_PATH)) {
+    error('No identity found. Run: kdna identity init', EXIT.INPUT_ERROR);
+  }
+  return {
+    privateKey: fs.readFileSync(PRIVATE_KEY_PATH, 'utf8'),
+    publicKey: fs.readFileSync(PUBLIC_KEY_PATH, 'utf8'),
+  };
+}
+
+function cmdLicenseGenerate(args) {
+  const domain = args[0];
+  if (!domain) error('Usage: kdna license generate <domain> --to <email> [--expires <date>] [--max-agents <n>]', EXIT.INPUT_ERROR);
+
+  const emailIdx = args.indexOf('--to');
+  const email = emailIdx >= 0 ? args[emailIdx + 1] : null;
+  if (!email) error('--to <email> is required', EXIT.INPUT_ERROR);
+
+  const expiresIdx = args.indexOf('--expires');
+  const expiresAt = expiresIdx >= 0 ? args[expiresIdx + 1] : null;
+
+  const agentsIdx = args.indexOf('--max-agents');
+  const maxAgents = agentsIdx >= 0 ? parseInt(args[agentsIdx + 1], 10) : 1;
+
+  const bindingIdx = args.includes('--no-binding');
+  const requireBinding = !bindingIdx;
+
+  const { privateKey, publicKey } = readIdentity();
+
+  const license = createLicense(domain, {
+    issuedTo: email,
+    expiresAt,
+    maxAgents,
+    requireMachineBinding: requireBinding,
+    allowedAgents: ['claude_code', 'codex', 'opencode', 'cursor', 'gemini'],
+  });
+
+  const signed = signLicense(license, privateKey);
+
+  const pubkey = crypto.createHash('sha256').update(publicKey).digest('hex').substring(0, 12);
+  signed.scope_pubkey_fingerprint = `ed25519:${pubkey}`;
+
+  const saveIdx = args.indexOf('--save');
+  const savePath = saveIdx >= 0 ? args[saveIdx + 1] : null;
+
+  console.log(JSON.stringify(signed, null, 2));
+
+  if (savePath) {
+    fs.writeFileSync(savePath, JSON.stringify(signed, null, 2) + '\n');
+    console.error(`Saved to: ${savePath}`);
+  }
+
+  console.error('');
+  console.error(`License generated for ${domain}`);
+  console.error(`  Issued to: ${email}`);
+  console.error(`  License ID: ${signed.license_id}`);
+  if (expiresAt) console.error(`  Expires: ${expiresAt}`);
+  console.error(`  Machine binding: ${requireBinding ? 'required' : 'disabled'}`);
+  console.error('');
+  console.error('Save this JSON as license.json inside the .kdnae container.');
+  console.error('Share the license key with the licensee.');
+}
+
+function cmdLicenseVerify(args) {
+  const licensePath = args[0];
+  if (!licensePath) error('Usage: kdna license verify <license.json>', EXIT.INPUT_ERROR);
+
+  let license;
+  try {
+    license = JSON.parse(fs.readFileSync(licensePath, 'utf8'));
+  } catch {
+    error(`Cannot read license file: ${licensePath}`, EXIT.INPUT_ERROR);
+  }
+
+  const { publicKey } = readIdentity();
+  const signatureValid = verifyLicenseSignature(license, publicKey);
+  const fp = machineFingerprint();
+  const result = verifyLicense(license, publicKey, fp);
+
+  const jsonMode = args.includes('--json');
+
+  if (jsonMode) {
+    console.log(JSON.stringify({
+      domain: license.domain,
+      license_id: license.license_id,
+      issued_to: license.issued_to,
+      signature_valid: signatureValid,
+      valid: result.valid,
+      issues: result.issues,
+      fingerprint: license.require_machine_binding ? fp : 'not required',
+    }, null, 2));
+  } else {
+    console.log(`License: ${license.license_id}`);
+    console.log(`Domain:  ${license.domain}`);
+    console.log(`Issued:  ${license.issued_to}`);
+    console.log(`Signature: ${signatureValid ? '✓ valid' : '✗ invalid'}`);
+    if (license.expires_at) {
+      const expired = new Date(license.expires_at) < new Date();
+      console.log(`Expires: ${license.expires_at} ${expired ? '(EXPIRED)' : ''}`);
+    }
+    if (license.require_machine_binding) {
+      console.log(`Machine binding: required`);
+      console.log(`  Current fingerprint: ${fp}`);
+    }
+    if (result.issues.length) {
+      console.log('');
+      console.log('Issues:');
+      result.issues.forEach(i => console.log(`  ✗ ${i}`));
+    } else {
+      console.log('');
+      console.log('✓ License valid');
+    }
+  }
+
+  process.exit(result.valid && signatureValid ? EXIT.OK : EXIT.TRUST_FAILED);
+}
+
+function cmdLicenseBind(args) {
+  const licensePath = args[0];
+  if (!licensePath) error('Usage: kdna license bind <license.json>', EXIT.INPUT_ERROR);
+
+  let license;
+  try {
+    license = JSON.parse(fs.readFileSync(licensePath, 'utf8'));
+  } catch {
+    error(`Cannot read license file: ${licensePath}`, EXIT.INPUT_ERROR);
+  }
+
+  if (!license.require_machine_binding) {
+    console.log('License does not require machine binding. No action needed.');
+    process.exit(EXIT.OK);
+  }
+
+  const { privateKey, publicKey } = readIdentity();
+  const fp = machineFingerprint();
+
+  // Remove old signature before re-signing
+  delete license.signature;
+  license.machine_fingerprint = fp;
+  license.bound_at = new Date().toISOString();
+
+  const signed = signLicense(license, privateKey);
+  fs.writeFileSync(licensePath, JSON.stringify(signed, null, 2) + '\n');
+  console.log(`License bound to machine: ${fp}`);
+  console.log(`Updated: ${licensePath}`);
+}
+
+function cmdLicenseShow(args) {
+  const licensePath = args[0];
+  if (!licensePath) {
+    // Try to find license in current directory
+    const local = path.join(process.cwd(), 'license.json');
+    if (fs.existsSync(local)) return cmdLicenseVerify([local, ...args.slice(1)]);
+    error('Usage: kdna license show <license.json>', EXIT.INPUT_ERROR);
+  }
+  cmdLicenseVerify(args);
+}
+
+module.exports = { cmdLicenseGenerate, cmdLicenseVerify, cmdLicenseBind, cmdLicenseShow };