npm - @aikdna/kdna-cli - Versions diffs - 0.16.10 → 0.18.0 - Mend

@aikdna/kdna-cli 0.16.10 → 0.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (34) hide show

package/README.md +158 -75
package/package.json +5 -5
package/skills/kdna-loader/SKILL.md +5 -6
package/src/agent.js +489 -79
package/src/cli.js +112 -62
package/src/cmds/_common.js +32 -16
package/src/cmds/badge.js +7 -7
package/src/cmds/changelog.js +1 -1
package/src/cmds/cluster.js +16 -48
package/src/cmds/doctor.js +10 -27
package/src/cmds/domain.js +213 -443
package/src/cmds/explain.js +122 -0
package/src/cmds/legacy.js +8 -8
package/src/cmds/license.js +483 -26
package/src/cmds/quality.js +14 -2
package/src/cmds/registry.js +15 -67
package/src/cmds/studio.js +4 -5
package/src/cmds/test.js +4 -4
package/src/cmds/trace.js +11 -7
package/src/compare.js +28 -22
package/src/diff.js +11 -13
package/src/init.js +2 -2
package/src/install.js +138 -460
package/src/loader.js +10 -10
package/src/package-store.js +229 -0
package/src/paths.js +44 -0
package/src/publish.js +184 -22
package/src/registry.js +76 -9
package/src/setup.js +19 -20
package/src/verify.js +275 -121
package/templates/standard-domain/kdna.json +2 -1
package/validators/kdna-lint.js +37 -3
package/validators/kdna-validate.js +3 -2
package/src/cmds/encrypt.js +0 -199

package/src/cmds/domain.js CHANGED Viewed

@@ -2,47 +2,31 @@ const fs = require('fs');
 const path = require('path');
 const { execSync } = require('child_process');
 const { error, readJson, writeJson, EXIT } = require('./_common');
-const {
-  encrypt,
-  decrypt,
-  deriveKey,
-  machineFingerprint,
-  isEncryptable,
-  ENCRYPTED_FILES,
-} = require('./encrypt');
-// ─── Validate ────────────────────────────────────────────────────────
-function cmdValidate(dir, schemaOnly, jsonMode = false) {
-  const abs = path.resolve(dir);
-  if (!fs.existsSync(abs) || !fs.statSync(abs).isDirectory()) {
-    error(`Not a directory: ${abs}`, EXIT.INPUT_ERROR);
-  }
-  const { lintDomain, validateDomainSchema, validateCrossFile } = require('@aikdna/kdna-core');
-  // Resolve schemas from @aikdna/kdna-core package
-  const SCHEMA_DIR = path.join(
-    path.dirname(require.resolve('@aikdna/kdna-core/package.json')),
-    'schema',
-  );
-  // Read all KDNA JSON files
-  const files = fs.readdirSync(abs).filter((f) => f.endsWith('.json') && f !== 'kdna.json');
+const KDNA_DOMAIN_FILES = new Set([
+  'KDNA_Core.json',
+  'KDNA_Patterns.json',
+  'KDNA_Scenarios.json',
+  'KDNA_Cases.json',
+  'KDNA_Reasoning.json',
+  'KDNA_Evolution.json',
+]);
+function readKDNAContentFiles(abs) {
   const dataMap = {};
-  const schemaMap = {};
-  for (const f of files) {
+  const parseErrors = [];
+  for (const f of fs.readdirSync(abs).filter((name) => KDNA_DOMAIN_FILES.has(name))) {
     try {
       dataMap[f] = JSON.parse(fs.readFileSync(path.join(abs, f), 'utf8'));
     } catch (e) {
       dataMap[f] = null;
-      console.error(`  JSON parse error in ${f}: ${e.message}`);
+      parseErrors.push(`${f}: ${e.message}`);
     }
   }
+  return { dataMap, parseErrors };
+}
-  // Schema validation — always load all available schemas
-  const FILE_TO_SCHEMA = {
+function loadSchemaMap(schemaDir) {
+  const fileToSchema = {
     'KDNA_Core.json': 'KDNA_Core.schema.json',
     'KDNA_Patterns.json': 'KDNA_Patterns.schema.json',
     'KDNA_Scenarios.json': 'KDNA_Scenarios.schema.json',
@@ -51,10 +35,11 @@ function cmdValidate(dir, schemaOnly, jsonMode = false) {
     'KDNA_Evolution.json': 'KDNA_Evolution.schema.json',
   };
+  const schemaMap = {};
   const loadedSchemas = [];
   const missingSchemas = [];
-  for (const [, schemaFile] of Object.entries(FILE_TO_SCHEMA)) {
-    const schemaPath = path.join(SCHEMA_DIR, schemaFile);
+  for (const schemaFile of Object.values(fileToSchema)) {
+    const schemaPath = path.join(schemaDir, schemaFile);
     if (fs.existsSync(schemaPath)) {
       try {
         schemaMap[schemaFile] = JSON.parse(fs.readFileSync(schemaPath, 'utf8'));
@@ -67,50 +52,132 @@ function cmdValidate(dir, schemaOnly, jsonMode = false) {
     }
   }
-  if (missingSchemas.length) {
-    console.log(
-      `  Note: ${missingSchemas.length} schema file(s) not found (optional file schemas): ${missingSchemas.join(', ')}`,
-    );
-    console.log(`  Schema dir: ${SCHEMA_DIR}`);
-  }
+  return { schemaMap, loadedSchemas, missingSchemas };
+}
-  // Validation layers
-  const errors = [];
+function validateDomainDirectory(abs, schemaMap, schemaOnly) {
+  const { lintDomain, validateDomainSchema, validateCrossFile } = require('@aikdna/kdna-core');
+  const { dataMap, parseErrors } = readKDNAContentFiles(abs);
+  const errors = parseErrors.map((msg) => `JSON parse error in ${msg}`);
   const warnings = [];
-  // Layer 1: Lint (structural + content checks)
   if (!schemaOnly) {
     const lintResult = lintDomain(dataMap);
     errors.push(...lintResult.errors);
     warnings.push(...lintResult.warnings);
   }
-  // Layer 2: JSON Schema validation against loaded schemas
   const schemaResult = validateDomainSchema(dataMap, schemaMap);
   errors.push(...schemaResult.errors);
   warnings.push(...schemaResult.warnings);
-  // Layer 3: Cross-file consistency
   const crossResult = validateCrossFile(dataMap);
   errors.push(...crossResult.errors);
   warnings.push(...crossResult.warnings);
-  const validCount = Object.keys(dataMap).filter((k) => dataMap[k]).length;
+  return {
+    path: abs,
+    valid: errors.length === 0,
+    files: Object.keys(dataMap).filter((k) => dataMap[k]).length,
+    errors,
+    warnings,
+  };
+}
+function isClusterDirectory(abs) {
+  const manifest = readJson(path.join(abs, 'kdna.json'));
+  return !!(
+    manifest?.cluster ||
+    fs.existsSync(path.join(abs, 'KDNA_Cluster.json')) ||
+    fs.existsSync(path.join(abs, 'cluster_manifest.json'))
+  );
+}
+function validateClusterDirectory(abs, schemaMap, schemaOnly) {
+  const manifest = readJson(path.join(abs, 'kdna.json')) || {};
+  const clusterManifest = readJson(path.join(abs, 'KDNA_Cluster.json')) || {};
+  const fallbackManifest = readJson(path.join(abs, 'cluster_manifest.json')) || {};
+  const subDomains = manifest.sub_domains || fallbackManifest.domains || [];
+  const errors = [];
+  const warnings = [];
+  if (!Array.isArray(subDomains) || subDomains.length === 0) {
+    errors.push('Cluster has no sub_domains/domains list to validate');
+  }
+  const domains = [];
+  for (const name of subDomains) {
+    const domainPath = path.join(abs, name);
+    if (!fs.existsSync(domainPath) || !fs.statSync(domainPath).isDirectory()) {
+      errors.push(`Cluster sub-domain not found: ${name}`);
+      continue;
+    }
+    const result = validateDomainDirectory(domainPath, schemaMap, schemaOnly);
+    domains.push({ name, ...result });
+    warnings.push(...result.warnings.map((w) => `${name}: ${w}`));
+    errors.push(...result.errors.map((e) => `${name}: ${e}`));
+  }
+  if (!manifest.cluster && !clusterManifest.name && !fallbackManifest.name) {
+    warnings.push('Cluster metadata is minimal: no cluster marker or cluster name found');
+  }
+  return {
+    path: abs,
+    valid: errors.length === 0,
+    cluster: true,
+    domains,
+    files: domains.reduce((sum, d) => sum + d.files, 0),
+    errors,
+    warnings,
+  };
+}
+// ─── Validate ────────────────────────────────────────────────────────
+function cmdValidate(dir, schemaOnly, jsonMode = false) {
+  const abs = path.resolve(dir);
+  if (!fs.existsSync(abs) || !fs.statSync(abs).isDirectory()) {
+    error(`Not a directory: ${abs}`, EXIT.INPUT_ERROR);
+  }
+  // Resolve schemas from @aikdna/kdna-core package
+  const SCHEMA_DIR = path.join(
+    path.dirname(require.resolve('@aikdna/kdna-core/package.json')),
+    'schema',
+  );
+  const { schemaMap, loadedSchemas, missingSchemas } = loadSchemaMap(SCHEMA_DIR);
+  if (missingSchemas.length) {
+    console.log(
+      `  Note: ${missingSchemas.length} schema file(s) not found (optional file schemas): ${missingSchemas.join(', ')}`,
+    );
+    console.log(`  Schema dir: ${SCHEMA_DIR}`);
+  }
+  const result = isClusterDirectory(abs)
+    ? validateClusterDirectory(abs, schemaMap, schemaOnly)
+    : validateDomainDirectory(abs, schemaMap, schemaOnly);
+  const { errors, warnings } = result;
+  const validCount = result.files;
   const schemaInfo = schemaOnly
     ? ` (schema-only mode, ${loadedSchemas.length} schemas loaded)`
     : '';
   if (jsonMode) {
-    const result = {
+    const payload = {
       path: abs,
       valid: errors.length === 0,
       files: validCount,
+      cluster: !!result.cluster,
+      domains: result.domains,
       schemas_loaded: loadedSchemas.length,
       schema_only: schemaOnly,
       errors,
       warnings,
     };
-    console.log(JSON.stringify(result, null, 2));
+    console.log(JSON.stringify(payload, null, 2));
     process.exit(errors.length ? EXIT.VALIDATION_FAILED : EXIT.OK);
   }
@@ -124,7 +191,13 @@ function cmdValidate(dir, schemaOnly, jsonMode = false) {
     process.exit(EXIT.VALIDATION_FAILED);
   }
-  console.log(`✓ KDNA domain valid: ${abs} (${validCount} files, schema OK${schemaInfo})`);
+  if (result.cluster) {
+    console.log(
+      `✓ KDNA cluster valid: ${abs} (${result.domains.length} domains, ${validCount} KDNA files, schema OK${schemaInfo})`,
+    );
+  } else {
+    console.log(`✓ KDNA domain valid: ${abs} (${validCount} files, schema OK${schemaInfo})`);
+  }
 }
 // ─── Pack / Unpack (.kdna ZIP container) ──────────────────────────────────
@@ -140,6 +213,19 @@ function cmdPack(dir, outputDir) {
   if (!core) error('KDNA_Core.json not found or invalid');
   if (!pat) error('KDNA_Patterns.json not found or invalid');
+  // Human Lock Gate — check judgment-class cards before packing
+  const { checkHumanLock } = require('../publish');
+  const hl = checkHumanLock(abs);
+  if (!hl.passed) {
+    console.error('Human Lock Gate: BLOCKED');
+    for (const issue of hl.issues) {
+      console.error(`  ✗ ${issue}`);
+    }
+    console.error('Judgment-class cards must be locked with valid Human Lock before packing.');
+    console.error('Use kdna publish --check for details.');
+    process.exit(EXIT.HUMAN_LOCK_REQUIRED);
+  }
   const domainName = core.meta?.domain || path.basename(abs);
   // Ensure kdna.json manifest exists (generate if missing)
@@ -374,7 +460,7 @@ zf.close()
   files.forEach((f) => console.log(`    ${f}`));
 }
-// ─── Inspect .kdna file (ZIP container or legacy merged JSON) ────────────
+// ─── Inspect .kdna file (ZIP container) ──────────────────────────────────
 function inspectKdnaFile(filePath, jsonMode = false) {
   const abs = path.resolve(filePath);
@@ -386,106 +472,47 @@ function inspectKdnaFile(filePath, jsonMode = false) {
   fs.readSync(fd, head, 0, 4, 0);
   fs.closeSync(fd);
   const isZip = head[0] === 0x50 && head[1] === 0x4b;
+  if (!isZip) error('Invalid .kdna asset: expected ZIP container');
-  let core, patterns, manifest;
-  const presentFiles = [];
-  if (isZip) {
-    // ZIP container — extract to temp, read files
-    const os = require('os');
-    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'kdna-inspect-'));
-    try {
-      const tmpInspectPy = path.join(
-        fs.existsSync('/tmp') ? '/tmp' : require('os').tmpdir(),
-        `kdna-inspect-${Date.now()}.py`,
-      );
-      try {
-        const script = `import zipfile, os
-zf = zipfile.ZipFile(${JSON.stringify(abs)}, 'r')
-zf.extractall(${JSON.stringify(tmpDir)})
-zf.close()
-`;
-        fs.writeFileSync(tmpInspectPy, script);
-        execSync(`python3 ${tmpInspectPy}`, { stdio: 'pipe' });
-      } finally {
-        try {
-          fs.unlinkSync(tmpInspectPy);
-        } catch {
-          /* cleanup */
-        }
-      }
-    } catch {
-      try {
-        execSync(`unzip -q -o "${abs}" -d "${tmpDir}"`, { stdio: 'pipe' });
-      } catch {
-        fs.rmSync(tmpDir, { recursive: true, force: true });
-        error('Cannot read .kdna container. Install python3 or unzip.');
-      }
-    }
-    core = readJson(path.join(tmpDir, 'KDNA_Core.json'));
-    patterns = readJson(path.join(tmpDir, 'KDNA_Patterns.json'));
-    manifest = readJson(path.join(tmpDir, 'kdna.json'));
-    for (const f of fs.readdirSync(tmpDir)) {
-      if (f.startsWith('KDNA_') && f.endsWith('.json')) {
-        presentFiles.push(f);
-      }
-      if (f === 'README.md' || f === 'LICENSE') presentFiles.push(f);
-    }
-    fs.rmSync(tmpDir, { recursive: true, force: true });
-  } else {
-    // Legacy merged JSON/YAML format (deprecated)
-    const raw = fs.readFileSync(abs, 'utf8');
-    let data;
-    try {
-      data = JSON.parse(raw);
-    } catch {
-      data = parseSimpleYaml(raw);
-    }
-    if (!data || !data.meta) error(`Invalid .kdna file: missing meta section`);
-    const m = data.meta || {};
-    manifest = {
-      name: m.name || m.domain,
-      version: m.version || '?',
-      status: data.status || '?',
-      access: data.access || '?',
-      language: data.language || '?',
-      author: data.author || { name: '?' },
-      license: data.license || { type: '?' },
-      description: data.description || m.purpose || '?',
-      spec_version: m.spec_version || data.kdna_spec || '?',
-    };
-    core = data.core || {};
-    patterns = data.patterns || {};
-    presentFiles.push('.kdna (legacy merged format)');
-    if (data.scenarios) {
-      presentFiles.push('scenarios (inline)');
-    }
-    if (data.cases) {
-      presentFiles.push('cases (inline)');
-    }
-    if (data.reasoning) {
-      presentFiles.push('reasoning (inline)');
-    }
-    if (data.evolution) {
-      presentFiles.push('evolution (inline)');
-    }
+  const { listContainerEntries, readContainerJson } = require('../package-store');
+  const { licenseDecryptOptionsForManifest } = require('./license');
+  const presentFiles = listContainerEntries(abs).filter(
+    (f) => (f.startsWith('KDNA_') && f.endsWith('.json')) || f === 'README.md' || f === 'LICENSE',
+  );
+  const manifest = readContainerJson(abs, 'kdna.json') || {};
+  const encryptedEntries = Array.isArray(manifest.encryption?.encrypted_entries)
+    ? manifest.encryption.encrypted_entries
+    : [];
+  let decryptOptions = {};
+  let decryptError = null;
+  if (encryptedEntries.length) {
+    const licensed = licenseDecryptOptionsForManifest(manifest);
+    if (licensed.ok) decryptOptions = { decryptEntry: licensed.decryptEntry };
+    else decryptError = licensed.error;
+  }
+  let core = null;
+  let patterns = null;
+  try {
+    core = decryptError ? null : readContainerJson(abs, 'KDNA_Core.json', decryptOptions);
+    patterns = decryptError ? null : readContainerJson(abs, 'KDNA_Patterns.json', decryptOptions);
+  } catch (e) {
+    if (!encryptedEntries.length) error(`Cannot inspect .kdna asset: ${e.message}`);
+    decryptError = e.message;
   }
-  if (!core) error('KDNA_Core.json not found in container');
+  if (!core && !encryptedEntries.includes('KDNA_Core.json')) {
+    error('KDNA_Core.json not found in container');
+  }
   const m = manifest || {};
-  const c = core;
+  const c = core || {};
   const p = patterns || {};
   if (jsonMode) {
     const result = {
       name: m.name || c.meta?.domain || path.basename(abs, '.kdna'),
-      format: isZip ? 'kdna-zip' : 'legacy-merged',
+      format: 'kdna-zip',
       spec: m.spec_version || m.kdna_spec || null,
       version: m.version || null,
       status: m.status || 'experimental',
@@ -494,6 +521,9 @@ zf.close()
       license: m.license?.type || null,
       created: m.created || c.meta?.created || null,
       description: m.description || c.meta?.purpose || null,
+      protected: encryptedEntries.length > 0,
+      encrypted_entries: encryptedEntries,
+      license_required: !!decryptError,
       content: {
         axioms: (c.axioms || []).length,
         ontology: (c.ontology || []).length,
@@ -513,7 +543,7 @@ zf.close()
   console.log(`  ${m.name || c.meta?.domain || path.basename(abs, '.kdna')} — KDNA Domain`);
   console.log('═'.repeat(50));
   console.log('');
-  console.log(`  Format:      .kdna ${isZip ? '(ZIP container)' : '(legacy merged)'}`);
+  console.log(`  Format:      .kdna (ZIP container)`);
   console.log(`  Spec:        ${m.spec_version || m.kdna_spec || '0.4'}`);
   console.log(`  Version:     ${m.version || '?'}`);
   console.log(`  Status:      ${m.status || 'experimental'}`);
@@ -522,6 +552,10 @@ zf.close()
   console.log(`  License:     ${m.license?.type || '?'}`);
   console.log(`  Created:     ${m.created || c.meta?.created || '?'}`);
   console.log(`  Description: ${m.description || c.meta?.purpose || '?'}`);
+  if (encryptedEntries.length) {
+    console.log(`  Protected:   ${encryptedEntries.join(', ')}`);
+    if (decryptError) console.log(`  Activation:  required (${decryptError})`);
+  }
   console.log('');
   console.log('  ── Content ──');
   console.log(`  Axioms:             ${(c.axioms || []).length}`);
@@ -538,57 +572,9 @@ zf.close()
   console.log('═'.repeat(50));
 }
-function parseSimpleYaml(raw) {
-  // Parse a simple subset of YAML (no nesting beyond 1 level for sections)
-  const result = {};
-  let currentSection = null;
-  const lines = raw.split('\n');
-  for (const line of lines) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith('#')) continue;
-    // Section header: "core:" or "  core:" etc
-    if (/^[a-z_]+:$/.test(trimmed)) {
-      currentSection = trimmed.slice(0, -1);
-      if (!result[currentSection]) result[currentSection] = {};
-      continue;
-    }
-    // Key: value
-    const kv = trimmed.match(/^([a-z_]+):\s*(.*)/i);
-    if (kv && !kv[1].startsWith('-')) {
-      const key = kv[1];
-      const val = kv[2].trim().replace(/^["']|["']$/g, '');
-      if (currentSection) {
-        if (key === 'version' && typeof result[currentSection] === 'object') {
-          result[currentSection][key] = val;
-        } else if (!result[currentSection][key]) {
-          result[currentSection][key] = val;
-        }
-      } else {
-        result[key] = val;
-      }
-      continue;
-    }
-    // Array item: "- value"
-    if (trimmed.startsWith('- ') && currentSection) {
-      // For counts only, we don't parse full arrays
-      if (currentSection === 'axioms' || currentSection === 'stances') {
-        if (!result.core) result.core = {};
-        if (!result.core[currentSection]) result.core[currentSection] = [];
-        result.core[currentSection].push({ _parsed: true });
-      }
-    }
-  }
-  return result;
-}
 // ─── Inspect ───────────────────────────────────────────────────────────
-function cmdInspect(dir, jsonMode = false, locale = null) {
+function cmdInspect(dir, jsonMode = false, locale = null, options = {}) {
   const abs = path.resolve(dir);
   const stat = fs.existsSync(abs) ? fs.statSync(abs) : null;
   if (!stat) error(`Path not found: ${abs}`, EXIT.INPUT_ERROR);
@@ -599,7 +585,14 @@ function cmdInspect(dir, jsonMode = false, locale = null) {
     return;
   }
-  // Directory — existing logic
+  if (stat.isDirectory() && !options.allowDirectory) {
+    error(
+      'Directory inspection is a dev-only operation. Use: kdna dev inspect <source-dir>',
+      EXIT.INPUT_ERROR,
+    );
+  }
+  // Dev source directory
   if (!stat.isDirectory()) error(`Not a KDNA domain: ${abs}`, EXIT.INPUT_ERROR);
   const core = readJson(path.join(abs, 'KDNA_Core.json'));
@@ -775,265 +768,46 @@ function cmdInspect(dir, jsonMode = false, locale = null) {
   console.log('═'.repeat(50));
 }
-// ─── Encrypted Container (.kdnae) ─────────────────────────────────────
+// ─── KDNA Card (locale-aware) ────────────────────────────────────
-function cmdPackEncrypt(dir, args = []) {
-  const abs = path.resolve(dir);
-  if (!fs.existsSync(abs) || !fs.statSync(abs).isDirectory()) {
-    error(`Not a directory: ${abs}`, EXIT.INPUT_ERROR);
-  }
+function readCardFromDirectory(abs, locale = null) {
+  if (!fs.existsSync(abs) || !fs.statSync(abs).isDirectory()) return null;
+  let card = readJson(path.join(abs, 'KDNA_CARD.json'));
-  const core = readJson(path.join(abs, 'KDNA_Core.json'));
-  const pat = readJson(path.join(abs, 'KDNA_Patterns.json'));
-  if (!core) error('KDNA_Core.json not found or invalid');
-  if (!pat) error('KDNA_Patterns.json not found or invalid');
+  if (locale) {
+    const localeCard = readJson(path.join(abs, 'locales', locale, 'KDNA_CARD.json'));
+    if (localeCard) {
+      card = { ...card, ...localeCard };
+    }
+  }
-  const domainName = core.meta?.domain || path.basename(abs);
+  return card;
+}
-  let manifest = readJson(path.join(abs, 'kdna.json'));
-  if (!manifest) {
-    const jsonCount = fs
-      .readdirSync(abs)
-      .filter((f) => f.endsWith('.json') && f !== 'kdna.json').length;
-    manifest = {
-      kdna_spec: '1.0-rc',
-      name: domainName,
-      version: core.meta?.version || '0.1.0',
-      status: 'experimental',
-      access: 'licensed',
-      language: 'en',
-      author: { name: '', id: '' },
-      license: { type: 'KCL-1.0' },
-      description: core.meta?.purpose || `${domainName} domain cognition`,
-      file_count: jsonCount,
-      created: new Date().toISOString().slice(0, 10),
-      updated: new Date().toISOString().slice(0, 10),
-    };
-    writeJson(path.join(abs, 'kdna.json'), manifest);
-  }
+function cmdCard(dir, jsonMode = false, locale = null, options = {}) {
+  const abs = path.resolve(dir);
+  const stat = fs.existsSync(abs) ? fs.statSync(abs) : null;
+  if (!stat) error(`Path not found: ${abs}`, EXIT.INPUT_ERROR);
-  // Get encryption key
-  const licenseIdx = args.indexOf('--license');
-  const keyIdx = args.indexOf('--key');
-  let encKey;
-  if (licenseIdx >= 0) {
-    const licensePath = args[licenseIdx + 1];
-    if (!licensePath || !fs.existsSync(licensePath))
-      error('License file not found', EXIT.INPUT_ERROR);
-    const license = JSON.parse(fs.readFileSync(licensePath, 'utf8'));
-    const licenseKey = license.license_id;
-    const fp = machineFingerprint();
-    encKey = deriveKey(licenseKey, fp);
-  } else if (keyIdx >= 0) {
-    const rawKey = args[keyIdx + 1];
-    if (!rawKey) error('--key requires a value', EXIT.INPUT_ERROR);
-    encKey = deriveKey(rawKey, machineFingerprint());
-  } else {
+  if (stat.isDirectory() && !options.allowDirectory) {
     error(
-      'Use --license <license.json> or --key <secret> to provide encryption key',
+      'Directory card inspection is a dev-only operation. Use: kdna dev card <source-dir>',
       EXIT.INPUT_ERROR,
     );
   }
-  const outputDir = args.includes('--output') ? args[args.indexOf('--output') + 1] : null;
-  const outName = `${domainName}.kdnae`;
-  const outPath = outputDir ? path.join(outputDir, outName) : path.join(process.cwd(), outName);
-  if (outputDir && !fs.existsSync(outputDir)) fs.mkdirSync(outputDir, { recursive: true });
-  // Build encrypted ZIP
-  const zlib = require('zlib');
-  const files = fs.readdirSync(abs).filter((f) => {
-    if (f.startsWith('.')) return false;
-    const ext = path.extname(f);
-    return ext === '.json' || f === 'README.md' || f === 'LICENSE' || f === 'kdna.json';
-  });
-  const centralDir = [];
-  const fileData = [];
-  let offset = 0;
-  for (const f of files.sort()) {
-    let raw = fs.readFileSync(path.join(abs, f));
-    let storedName = f;
-    if (isEncryptable(f)) {
-      try {
-        const encrypted = encrypt(raw.toString('utf8'), encKey);
-        raw = encrypted;
-        storedName = f; // Keep original name, content is encrypted
-      } catch (err) {
-        error(`Failed to encrypt ${f}: ${err.message}`);
-      }
+  let card = null;
+  if (stat.isFile() && abs.endsWith('.kdna')) {
+    const { readContainerJson } = require('../package-store');
+    card = readContainerJson(abs, 'KDNA_CARD.json') || null;
+    if (locale) {
+      const localeCard = readContainerJson(abs, `locales/${locale}/KDNA_CARD.json`) || null;
+      if (localeCard) card = { ...card, ...localeCard };
     }
-    const crc = crc32(raw);
-    const compressed = zlib.deflateRawSync(raw);
-    const useStore = compressed.length >= raw.length;
-    const stored = useStore ? raw : compressed;
-    const nameBytes = Buffer.from(storedName, 'utf8');
-    const localHeader = Buffer.alloc(30);
-    localHeader.writeUInt32LE(0x04034b50, 0);
-    localHeader.writeUInt16LE(20, 4);
-    localHeader.writeUInt16LE(0x0800, 6);
-    localHeader.writeUInt16LE(useStore ? 0 : 8, 8);
-    localHeader.writeUInt32LE(crc, 14);
-    localHeader.writeUInt32LE(useStore ? raw.length : compressed.length, 18);
-    localHeader.writeUInt32LE(raw.length, 22);
-    localHeader.writeUInt16LE(nameBytes.length, 26);
-    fileData.push(Buffer.concat([localHeader, nameBytes, stored]));
-    offset += localHeader.length + nameBytes.length + stored.length;
-    const cdEntry = Buffer.alloc(46);
-    cdEntry.writeUInt32LE(0x02014b50, 0);
-    cdEntry.writeUInt16LE(20, 4);
-    cdEntry.writeUInt16LE(20, 6);
-    cdEntry.writeUInt16LE(0x0800, 8);
-    cdEntry.writeUInt16LE(useStore ? 0 : 8, 10);
-    cdEntry.writeUInt32LE(crc, 16);
-    cdEntry.writeUInt32LE(useStore ? raw.length : compressed.length, 20);
-    cdEntry.writeUInt32LE(raw.length, 24);
-    cdEntry.writeUInt16LE(nameBytes.length, 28);
-    cdEntry.writeUInt32LE(offset - stored.length - nameBytes.length - localHeader.length, 42);
-    centralDir.push(Buffer.concat([cdEntry, nameBytes]));
-  }
-  const cdOffset = offset;
-  const cdSize = centralDir.reduce((s, e) => s + e.length, 0);
-  const eocd = Buffer.alloc(22);
-  eocd.writeUInt32LE(0x06054b50, 0);
-  eocd.writeUInt16LE(0, 4);
-  eocd.writeUInt16LE(0, 6);
-  eocd.writeUInt16LE(files.length, 8);
-  eocd.writeUInt16LE(files.length, 10);
-  eocd.writeUInt32LE(cdSize, 12);
-  eocd.writeUInt32LE(cdOffset, 16);
-  eocd.writeUInt16LE(0, 20);
-  const all = Buffer.concat([...fileData, ...centralDir, eocd]);
-  fs.writeFileSync(outPath, all);
-  console.log(`✓ Encrypted pack: ${outPath}`);
-  console.log(`  Domain: ${domainName} v${manifest.version}`);
-  console.log(
-    `  Files: ${files.length} (${files.filter(isEncryptable).length} encrypted, ${files.filter((f) => !isEncryptable(f)).length} plaintext)`,
-  );
-  console.log(`  Container: AES-256-GCM .kdnae`);
-}
-function cmdUnpackEncrypt(filePath, args = []) {
-  const abs = path.resolve(filePath);
-  if (!fs.existsSync(abs) || !fs.statSync(abs).isFile()) {
-    error(`Not a file: ${abs}`, EXIT.INPUT_ERROR);
-  }
-  if (!abs.endsWith('.kdnae')) {
-    error(`Not a .kdnae file: ${abs}`, EXIT.INPUT_ERROR);
-  }
-  const licenseIdx = args.indexOf('--license');
-  const keyIdx = args.indexOf('--key');
-  let encKey;
-  if (licenseIdx >= 0) {
-    const licensePath = args[licenseIdx + 1];
-    if (!licensePath || !fs.existsSync(licensePath))
-      error('License file not found', EXIT.INPUT_ERROR);
-    const license = JSON.parse(fs.readFileSync(licensePath, 'utf8'));
-    const licenseKey = license.license_id;
-    const fp = machineFingerprint();
-    encKey = deriveKey(licenseKey, fp);
-  } else if (keyIdx >= 0) {
-    const rawKey = args[keyIdx + 1];
-    if (!rawKey) error('--key requires a value', EXIT.INPUT_ERROR);
-    encKey = deriveKey(rawKey, machineFingerprint());
+  } else if (stat.isDirectory()) {
+    card = readCardFromDirectory(abs, locale);
   } else {
-    error('Use --license <license.json> or --key <secret> to decrypt', EXIT.INPUT_ERROR);
-  }
-  const domainName = path.basename(abs, '.kdnae');
-  const outDir = path.join(path.dirname(abs), domainName);
-  const force = args.includes('--force');
-  if (fs.existsSync(outDir)) {
-    if (!force)
-      error(`Directory already exists: ${outDir}\nUse --force to overwrite.`, EXIT.INPUT_ERROR);
-    fs.rmSync(outDir, { recursive: true, force: true });
-  }
-  fs.mkdirSync(outDir, { recursive: true });
-  // Extract ZIP first, then decrypt KDNA JSON files
-  const os = require('os');
-  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'kdnae-unpack-'));
-  try {
-    const tmpPy = path.join(os.tmpdir(), `kdnae-unpack-${Date.now()}.py`);
-    try {
-      const script = `import zipfile, os
-zf = zipfile.ZipFile(${JSON.stringify(abs)}, 'r')
-zf.extractall(${JSON.stringify(tmpDir)})
-zf.close()
-`;
-      fs.writeFileSync(tmpPy, script);
-      execSync(`python3 ${tmpPy}`, { stdio: 'pipe' });
-    } catch {
-      try {
-        execSync(`unzip -q -o "${abs}" -d "${tmpDir}"`, { stdio: 'pipe' });
-      } catch {
-        error('Cannot unpack .kdnae container');
-      }
-    } finally {
-      try {
-        fs.unlinkSync(tmpPy);
-      } catch {
-        /* cleanup */
-      }
-    }
-    // Copy plaintext files, decrypt KDNA files
-    const extracted = fs.readdirSync(tmpDir);
-    for (const f of extracted) {
-      const src = path.join(tmpDir, f);
-      const dest = path.join(outDir, f);
-      if (ENCRYPTED_FILES.includes(f)) {
-        try {
-          const encrypted = fs.readFileSync(src);
-          const decrypted = decrypt(encrypted, encKey);
-          fs.writeFileSync(dest, decrypted);
-        } catch (err) {
-          error(`Failed to decrypt ${f}: ${err.message}. Wrong license key?`);
-        }
-      } else {
-        fs.copyFileSync(src, dest);
-      }
-    }
-  } finally {
-    try {
-      fs.rmSync(tmpDir, { recursive: true, force: true });
-    } catch {
-      /* cleanup */
-    }
-  }
-  console.log(`✓ Decrypted: ${outDir}`);
-  const files = fs.readdirSync(outDir);
-  console.log(`  Files: ${files.length}`);
-  files.forEach((f) => console.log(`    ${f}`));
-}
-// ─── KDNA Card (locale-aware) ────────────────────────────────────
-function cmdCard(dir, locale = null) {
-  const abs = path.resolve(dir);
-  let card = readJson(path.join(abs, 'KDNA_CARD.json'));
-  if (locale) {
-    const localeCard = readJson(path.join(abs, 'locales', locale, 'KDNA_CARD.json'));
-    if (localeCard) {
-      card = { ...card, ...localeCard };
-    }
+    error(`Not a .kdna asset: ${abs}`, EXIT.INPUT_ERROR);
   }
   if (!card) {
@@ -1043,8 +817,6 @@ function cmdCard(dir, locale = null) {
     );
   }
-  const jsonMode = process.argv.includes('--json');
   if (jsonMode) {
     console.log(JSON.stringify(card, null, 2));
     return;
@@ -1102,9 +874,7 @@ function cmdCard(dir, locale = null) {
 module.exports = {
   cmdValidate,
   cmdPack,
-  cmdPackEncrypt,
   cmdUnpack,
-  cmdUnpackEncrypt,
   cmdInspect,
   cmdCard,
 };