@aikdna/kdna-cli 0.16.10 → 0.18.0

package/src/loader.js

@@ -15,8 +15,8 @@ const FILE_MAP = core.FILE_MAP;
  * Read and parse a KDNA JSON file.
  * Returns null if the file does not exist.
  */
-function readFile(domainDir, filename) {
-  const filePath = path.join(domainDir, filename);
+function readFile(sourceDir, filename) {
+  const filePath = path.join(sourceDir, filename);
   if (!fs.existsSync(filePath)) return null;
   try {
     return JSON.parse(fs.readFileSync(filePath, 'utf8'));
@@ -29,32 +29,32 @@ function readFile(domainDir, filename) {
  * Load the minimum required KDNA files (Core + Patterns).
  * Always load these. They form the cognition baseline.
  */
-function loadCorePatterns(domainDir) {
-  const coreData = readFile(domainDir, FILE_MAP.core);
-  const patternsData = readFile(domainDir, FILE_MAP.patterns);
+function loadCorePatterns(sourceDir) {
+  const coreData = readFile(sourceDir, FILE_MAP.core);
+  const patternsData = readFile(sourceDir, FILE_MAP.patterns);
   return core.loadCorePatternsFromData(coreData, patternsData);
 }
 
 /**
  * Load a complete KDNA domain.
  *
- * @param {string} domainDir — path to the domain folder
+ * @param {string} sourceDir — path to a dev source directory
  * @param {object} [options]
  * @param {string} [options.input] — user input text for conditional loading
  * @param {'all'|'minimum'|'auto'} [options.mode='auto'] — loading mode
  * @returns {object|null} loaded KDNA files keyed by type, or null if minimum files are missing
  */
-function loadDomain(domainDir, options = {}) {
+function loadDomain(sourceDir, options = {}) {
   const dataMap = { core: null, patterns: null };
 
-  dataMap.core = readFile(domainDir, FILE_MAP.core);
-  dataMap.patterns = readFile(domainDir, FILE_MAP.patterns);
+  dataMap.core = readFile(sourceDir, FILE_MAP.core);
+  dataMap.patterns = readFile(sourceDir, FILE_MAP.patterns);
 
   if (!dataMap.core || !dataMap.patterns) return null;
 
   // Also read optional files that might be present
   for (const key of ['scenarios', 'cases', 'reasoning', 'evolution']) {
-    const data = readFile(domainDir, FILE_MAP[key]);
+    const data = readFile(sourceDir, FILE_MAP[key]);
     if (data) dataMap[key] = data;
   }
 

package/src/package-store.js

@@ -0,0 +1,229 @@
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+const PATHS = require('./paths');
+const { parseName } = require('./registry');
+const core = require('@aikdna/kdna-core');
+
+if (typeof core.createKdnaAssetReader !== 'function') {
+  throw new Error('@aikdna/kdna-core >=0.5.0 is required for direct .kdna asset loading');
+}
+
+const assetReader = core.createKdnaAssetReader();
+
+const INDEX_VERSION = 2;
+
+function ensureDir(dir) {
+  fs.mkdirSync(dir, { recursive: true });
+}
+
+function readJsonFile(file) {
+  try {
+    return JSON.parse(fs.readFileSync(file, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function writeJsonFile(file, data) {
+  ensureDir(path.dirname(file));
+  fs.writeFileSync(file, JSON.stringify(data, null, 2) + '\n');
+}
+
+function readIndex() {
+  const data = readJsonFile(PATHS.packageIndex);
+  if (data?.packages && typeof data.packages === 'object') return data;
+  return { version: INDEX_VERSION, packages: {} };
+}
+
+function writeIndex(index) {
+  index.version = INDEX_VERSION;
+  writeJsonFile(PATHS.packageIndex, index);
+}
+
+function sha256File(filePath) {
+  return crypto.createHash('sha256').update(fs.readFileSync(filePath)).digest('hex');
+}
+
+function assetDigest(filePath) {
+  return `sha256:${sha256File(filePath)}`;
+}
+
+function contentDigest(kdnaPath) {
+  return assetReader.contentDigestSync(assetReader.openSync(kdnaPath));
+}
+
+function assetDir(scope, ident, version) {
+  return path.join(PATHS.packages, scope, ident, version || 'unknown');
+}
+
+function assetFileName(ident, version) {
+  return `${ident}-${version || 'unknown'}.kdna`;
+}
+
+function readContainerJson(kdnaPath, fileName, options = {}) {
+  const asset = assetReader.openSync(kdnaPath);
+  return assetReader.readJsonSync(asset, fileName, options);
+}
+
+function readContainerEntry(kdnaPath, fileName) {
+  const asset = assetReader.openSync(kdnaPath);
+  return assetReader.readEntrySync(asset, fileName);
+}
+
+function listContainerEntries(kdnaPath) {
+  const asset = assetReader.openSync(kdnaPath);
+  return assetReader.listEntriesSync(asset);
+}
+
+function readContainer(kdnaPath, options = {}) {
+  const asset = assetReader.openSync(kdnaPath);
+  return {
+    manifest: assetReader.readJsonSync(asset, 'kdna.json'),
+    core: assetReader.readJsonSync(asset, 'KDNA_Core.json', options),
+    patterns: assetReader.readJsonSync(asset, 'KDNA_Patterns.json', options),
+    scenarios: assetReader.readJsonSync(asset, 'KDNA_Scenarios.json', options),
+    cases: assetReader.readJsonSync(asset, 'KDNA_Cases.json', options),
+    reasoning: assetReader.readJsonSync(asset, 'KDNA_Reasoning.json', options),
+    evolution: assetReader.readJsonSync(asset, 'KDNA_Evolution.json', options),
+    files: assetReader.listEntriesSync(asset),
+  };
+}
+
+function verifyAsset(kdnaPath, options = {}) {
+  const asset = assetReader.openSync(kdnaPath);
+  return assetReader.verifySync(asset, options);
+}
+
+function getInstalled(input) {
+  const parsed = parseName(input);
+  if (!parsed) return null;
+  const index = readIndex();
+  const entry = index.packages[parsed.full];
+  if (!entry?.asset_path || !fs.existsSync(entry.asset_path)) return null;
+  return { ...entry, parsed };
+}
+
+function listInstalled() {
+  const index = readIndex();
+  return Object.entries(index.packages)
+    .map(([full, entry]) => ({ full, ...entry }))
+    .filter((entry) => entry.asset_path && fs.existsSync(entry.asset_path))
+    .sort((a, b) => a.full.localeCompare(b.full));
+}
+
+function readAssetManifest(assetPath) {
+  return readContainerJson(assetPath, 'kdna.json') || {};
+}
+
+function receiptPathForAsset(assetPath) {
+  return path.join(path.dirname(assetPath), 'receipt.json');
+}
+
+function installAsset({ sourcePath, name, version, source = {} }) {
+  const parsed = parseName(name);
+  if (!parsed) throw new Error(`Invalid scoped domain name: ${name}`);
+  const finalVersion = version || 'unknown';
+  const destDir = assetDir(parsed.scope, parsed.ident, finalVersion);
+  const dest = path.join(destDir, assetFileName(parsed.ident, finalVersion));
+  ensureDir(destDir);
+  fs.copyFileSync(sourcePath, dest);
+
+  const manifest = readAssetManifest(dest);
+  const installedAt = new Date().toISOString();
+  const computedAssetDigest = assetDigest(dest);
+  const computedContentDigest = contentDigest(dest);
+  const receiptPath = receiptPathForAsset(dest);
+  const receipt = {
+    version: 1,
+    name: parsed.full,
+    asset_path: dest,
+    asset_digest: computedAssetDigest,
+    content_digest: computedContentDigest,
+    package_version: finalVersion,
+    judgment_version: manifest.judgment_version || null,
+    access: manifest.access || 'open',
+    signature: manifest.signature || null,
+    installed_at: installedAt,
+    source,
+  };
+  writeJsonFile(receiptPath, receipt);
+
+  const index = readIndex();
+  index.packages[parsed.full] = {
+    name: parsed.full,
+    version: finalVersion,
+    asset_path: dest,
+    receipt_path: receiptPath,
+    asset_digest: computedAssetDigest,
+    content_digest: computedContentDigest,
+    judgment_version: manifest.judgment_version || null,
+    access: manifest.access || 'open',
+    signature: manifest.signature || null,
+    installed_at: installedAt,
+    source,
+  };
+  writeIndex(index);
+  return index.packages[parsed.full];
+}
+
+function resolveAsset(input) {
+  const expanded = input.replace(/^~/, process.env.HOME || '');
+  const looksLikeFile =
+    input.endsWith('.kdna') &&
+    (input.startsWith('./') || input.startsWith('/') || input.startsWith('~/') || fs.existsSync(expanded));
+  if (looksLikeFile) {
+    const abs = path.resolve(expanded);
+    if (!fs.existsSync(abs) || !fs.statSync(abs).isFile()) return null;
+    const manifest = readAssetManifest(abs);
+    const full = manifest.name;
+    const parsed = full ? parseName(full) : null;
+    return {
+      name: full || path.basename(abs, '.kdna'),
+      parsed,
+      asset_path: abs,
+      receipt_path: null,
+      version: manifest.version || null,
+      judgment_version: manifest.judgment_version || null,
+      access: manifest.access || 'open',
+      asset_digest: assetDigest(abs),
+      content_digest: contentDigest(abs),
+      source: { type: 'local-file', path: abs },
+      local_file: true,
+    };
+  }
+  return getInstalled(input);
+}
+
+function removeInstalled(input) {
+  const parsed = parseName(input);
+  if (!parsed) return false;
+  const index = readIndex();
+  const entry = index.packages[parsed.full];
+  if (!entry) return false;
+  delete index.packages[parsed.full];
+  writeIndex(index);
+  if (entry.asset_path) {
+    const versionDir = path.dirname(entry.asset_path);
+    fs.rmSync(versionDir, { recursive: true, force: true });
+  }
+  return true;
+}
+
+module.exports = {
+  readIndex,
+  writeIndex,
+  sha256File,
+  assetDigest,
+  contentDigest,
+  readContainer,
+  readContainerEntry,
+  readContainerJson,
+  listContainerEntries,
+  verifyAsset,
+  getInstalled,
+  listInstalled,
+  installAsset,
+  resolveAsset,
+  removeInstalled,
+};

package/src/paths.js

@@ -0,0 +1,44 @@
+// KDNA shared path configuration — canonical source for ~/.kdna structure
+// Spec: docs/local-kdna-home-spec.md
+
+const path = require('path');
+
+const KDNA_HOME = process.env.KDNA_HOME
+  || path.join(process.env.HOME || process.env.USERPROFILE || '.', '.kdna');
+
+const PATHS = {
+  root: KDNA_HOME,
+  config: path.join(KDNA_HOME, 'config.json'),
+  identity: path.join(KDNA_HOME, 'identity'),
+  domains: {
+    root: path.join(KDNA_HOME, 'domains'),
+    official: path.join(KDNA_HOME, 'domains', 'official'),
+    local: path.join(KDNA_HOME, 'domains', 'local'),
+    private: path.join(KDNA_HOME, 'domains', 'private'),
+    // Legacy flat path — used for migration only
+    legacy: path.join(KDNA_HOME, 'domains'),
+    // All three directories for scanning
+    all: [
+      path.join(KDNA_HOME, 'domains', 'official'),
+      path.join(KDNA_HOME, 'domains', 'local'),
+      path.join(KDNA_HOME, 'domains', 'private'),
+    ],
+  },
+  clusters: path.join(KDNA_HOME, 'clusters'),
+  packages: path.join(KDNA_HOME, 'packages'),
+  packageIndex: path.join(KDNA_HOME, 'index.json'),
+  registry: path.join(KDNA_HOME, 'registry'),
+  registryCache: path.join(KDNA_HOME, 'registry', 'cache.json'),
+  traces: path.join(KDNA_HOME, 'traces'),
+  feedback: path.join(KDNA_HOME, 'feedback'),
+  evals: path.join(KDNA_HOME, 'evals'),
+  cache: path.join(KDNA_HOME, 'cache'),
+  licenses: path.join(KDNA_HOME, 'licenses'),
+};
+
+// Runtime asset store aliases
+PATHS.USER_KDNA_DIR = KDNA_HOME;
+PATHS.INSTALL_DIR = PATHS.packages;
+
+module.exports = PATHS;
+module.exports.KDNA_HOME = KDNA_HOME;

package/src/publish.js

@@ -7,7 +7,7 @@
 
 const fs = require('fs');
 const path = require('path');
-const { EXIT } = require('./cmds/_common');
+const { EXIT, selfCheckText, isYesNoSelfCheck } = require('./cmds/_common');
 
 function error(msg, code = EXIT.VALIDATION_FAILED) {
   console.error(`Error: ${msg}`);
@@ -141,9 +141,69 @@ function isGenericSelfCheck(question) {
   return false;
 }
 
+// ─── Human Lock Gate ──────────────────────────────────────────────────
+
+/**
+ * Check whether the domain satisfies Human Lock requirements.
+ * Returns { passed, issues[] } — publish should be blocked if !passed.
+ */
+function checkHumanLock(domainPath) {
+  const core = readJson(path.join(domainPath, 'KDNA_Core.json'));
+  if (!core) return { passed: false, issues: ['KDNA_Core.json not found'] };
+
+  const issues = [];
+  const cards = [];
+
+  // Collect judgment-class cards from axioms, boundaries, risks
+  if (core.axioms) {
+    for (const a of core.axioms) {
+      cards.push({ type: 'axiom', id: a.id || '?', status: a.status, human_lock: a.human_lock });
+    }
+  }
+  if (core.boundaries) {
+    for (const b of core.boundaries) {
+      cards.push({ type: 'boundary', id: b.id || '?', status: b.status, human_lock: b.human_lock });
+    }
+  }
+  if (core.risks || core.risk_model) {
+    const risks = core.risks || core.risk_model || [];
+    for (const r of risks) {
+      cards.push({ type: 'risk', id: r.id || '?', status: r.status, human_lock: r.human_lock });
+    }
+  }
+
+  if (cards.length === 0) return { passed: true, issues: [] };
+
+  for (const card of cards) {
+    // Rule 1: Must be locked
+    if (!card.status || !['locked', 'tested', 'published'].includes(card.status)) {
+      issues.push(`${card.type} "${card.id}" is not locked. Human Lock required before publish.`);
+      continue;
+    }
+    // Rule 2: Must have human_lock record
+    if (!card.human_lock || !card.human_lock.by || !card.human_lock.statement) {
+      issues.push(`${card.type} "${card.id}" is locked but has no valid Human Lock record.`);
+      continue;
+    }
+    // Rule 3: Lock must confirm judgment fields were reviewed
+    const checked = card.human_lock.checked || {};
+    if (!checked.applies_when) {
+      issues.push(`${card.type} "${card.id}" Human Lock does not confirm applies_when was reviewed.`);
+    }
+    if (!checked.does_not_apply_when) {
+      issues.push(`${card.type} "${card.id}" Human Lock does not confirm does_not_apply_when was reviewed.`);
+    }
+    if (!checked.failure_risk) {
+      issues.push(`${card.type} "${card.id}" Human Lock does not confirm failure_risk was reviewed.`);
+    }
+  }
+
+  return { passed: issues.length === 0, issues };
+}
+
 // ─── Main check function ──────────────────────────────────────────────
 
-function cmdPublishCheck(domainPath) {
+function cmdPublishCheck(domainPath, args = []) {
   const abs = path.resolve(domainPath);
   if (!fs.existsSync(abs)) error(`Domain not found: ${abs}`);
 
@@ -152,6 +212,35 @@ function cmdPublishCheck(domainPath) {
   console.log('═'.repeat(60));
   console.log('');
 
+  // ─── Human Lock Gate (must pass before any other checks) ──────────
+  const hl = checkHumanLock(abs);
+  if (!hl.passed) {
+    if (args.includes('--force')) {
+      console.warn('  ⚠  Human Lock Gate: OVERRIDDEN (--force). Proceeding with checks.');
+      console.warn(`     ${hl.issues.length} unresolved Human Lock issue(s):`);
+      for (const issue of hl.issues) {
+        console.warn(`       ${issue}`);
+      }
+      console.warn('');
+    } else {
+      console.error('  Human Lock Gate: BLOCKED');
+      console.error(`  ${hl.issues.length} issue(s) found:`);
+      for (const issue of hl.issues) {
+        console.error(`    ✗ ${issue}`);
+      }
+      console.error('');
+      console.error('  Judgment-class cards (axiom, boundary, risk, aesthetic)');
+      console.error('  must be locked with a valid Human Lock record before publishing.');
+      console.error('  Use kdna-studio or manually add human_lock to each card.');
+      console.error('  Use --force for emergency override (audited).');
+      console.error('');
+      process.exit(EXIT.HUMAN_LOCK_REQUIRED);
+    }
+  } else {
+    console.log('  ✓ Human Lock Gate: passed');
+    console.log('');
+  }
+
   let errors = 0;
   let warnings = 0;
   let passes = 0;
@@ -293,21 +382,22 @@ function cmdPublishCheck(domainPath) {
     }
     for (let i = 0; i < core.stances.length; i++) {
       const s = core.stances[i];
-      if (typeof s !== 'string') {
+      const stanceText = typeof s === 'string' ? s : s && typeof s === 'object' ? s.stance : null;
+      if (!stanceText || typeof stanceText !== 'string') {
         fail(
           'KDNA_Core.json',
           `stances[${i}]`,
           JSON.stringify(s),
-          'Must be a string, not an object.',
+          'Must be a string or an object with a stance string.',
         );
-      } else if (isSlogan(s)) {
+      } else if (isSlogan(stanceText)) {
         fail(
           'KDNA_Core.json',
           `stances[${i}]`,
-          s,
+          stanceText,
           'Reads like a slogan. Stances must be prescriptive positions that bias agent behavior.',
         );
-      } else if (isVague(s)) {
+      } else if (isVague(stanceText)) {
         warn('KDNA_Core.json', `stances[${i}]`, 'Contains vague language.');
       } else {
         pass('KDNA_Core.json', `stances[${i}]`);
@@ -351,22 +441,23 @@ function cmdPublishCheck(domainPath) {
   if (patterns.self_check && Array.isArray(patterns.self_check)) {
     for (let i = 0; i < patterns.self_check.length; i++) {
       const sc = patterns.self_check[i];
-      if (typeof sc !== 'string') {
+      const text = selfCheckText(sc);
+      if (!text) {
         fail(
           'KDNA_Patterns.json',
           `self_check[${i}]`,
           JSON.stringify(sc),
-          'Must be a string, not an object.',
+          'Must be a string or an object with a question string.',
         );
-      } else if (isGenericSelfCheck(sc)) {
+      } else if (isGenericSelfCheck(text)) {
         fail(
           'KDNA_Patterns.json',
           `self_check[${i}]`,
-          sc,
+          text,
           'Generic question. Self-checks must be domain-specific, not "is this helpful?".',
         );
-      } else if (!sc.endsWith('?')) {
-        warn('KDNA_Patterns.json', `self_check[${i}]`, 'Should end with a question mark.');
+      } else if (!isYesNoSelfCheck(sc)) {
+        warn('KDNA_Patterns.json', `self_check[${i}]`, 'Should be answerable with yes/no.');
         passes++;
       } else {
         pass('KDNA_Patterns.json', `self_check[${i}]`);
@@ -440,9 +531,9 @@ function identityPaths() {
  * inside the .kdna ZIP, joined as `name:hex\n`. This is what the signature covers.
  *
  * Excludes the `signature` field from kdna.json itself (computed by removing it
- * before hashing). All other files included as-is.
+ * before hashing). Digest self-reference fields are also excluded. All other files included as-is.
  */
-function canonicalPayload(srcDir) {
+function canonicalPayload(srcDir, opts = {}) {
   const files = fs
     .readdirSync(srcDir)
     .filter((f) => f.endsWith('.json'))
@@ -454,6 +545,10 @@ function canonicalPayload(srcDir) {
     if (f === 'kdna.json') {
       const obj = JSON.parse(fs.readFileSync(full, 'utf8'));
       delete obj.signature;
+      delete obj.asset_digest;
+      delete obj.container_sha256;
+      if (!opts.includeContentDigest) delete obj.content_digest;
+      delete obj._source;
       buf = Buffer.from(JSON.stringify(obj));
     } else {
       buf = fs.readFileSync(full);
@@ -464,6 +559,46 @@ function canonicalPayload(srcDir) {
   return parts.join('\n');
 }
 
+function stableStringify(value) {
+  if (Array.isArray(value)) return `[${value.map(stableStringify).join(',')}]`;
+  if (value && typeof value === 'object') {
+    return `{${Object.keys(value)
+      .sort()
+      .map((key) => `${JSON.stringify(key)}:${stableStringify(value[key])}`)
+      .join(',')}}`;
+  }
+  return JSON.stringify(value);
+}
+
+function manifestForContentDigest(manifest) {
+  const copy = { ...(manifest || {}) };
+  delete copy.signature;
+  delete copy.asset_digest;
+  delete copy.container_sha256;
+  delete copy.content_digest;
+  delete copy._source;
+  return copy;
+}
+
+function sourceContentDigest(srcDir) {
+  const files = fs
+    .readdirSync(srcDir)
+    .filter((f) => f.endsWith('.json') || f === 'README.md' || f === 'LICENSE')
+    .sort();
+  const parts = [];
+  for (const f of files) {
+    let buf;
+    if (f === 'kdna.json') {
+      const obj = JSON.parse(fs.readFileSync(path.join(srcDir, f), 'utf8'));
+      buf = Buffer.from(stableStringify(manifestForContentDigest(obj)));
+    } else {
+      buf = fs.readFileSync(path.join(srcDir, f));
+    }
+    parts.push(`${f}:${crypto.createHash('sha256').update(buf).digest('hex')}`);
+  }
+  return `sha256:${crypto.createHash('sha256').update(Buffer.from(parts.join('\n'))).digest('hex')}`;
+}
+
 function signPayload(payload, privateKeyPem) {
   const privateKey = crypto.createPrivateKey(privateKeyPem);
   const sig = crypto.sign(null, Buffer.from(payload), privateKey);
@@ -491,7 +626,7 @@ function packToFile(domainDir, outPath) {
   const files = fs
     .readdirSync(domainDir)
     .filter((f) => f.endsWith('.json') || f === 'README.md' || f === 'LICENSE');
-  if (!files.includes('kdna.json')) error('kdna.json required in domain folder for publish.');
+  if (!files.includes('kdna.json')) error('kdna.json required in dev source directory for publish.');
 
   const script = `import zipfile, os
 src = ${JSON.stringify(domainDir)}
@@ -551,6 +686,26 @@ function cmdPublish(domainPath, args = []) {
   console.log('═'.repeat(60));
   console.log(`  Publishing ${name}@${manifest.version}`);
   console.log('═'.repeat(60));
+
+  // ─── Human Lock Gate ──────────────────────────────────────────────
+  const hl = checkHumanLock(abs);
+  if (!hl.passed) {
+    console.error('');
+    console.error('  Human Lock Gate: BLOCKED');
+    for (const issue of hl.issues) {
+      console.error(`    ✗ ${issue}`);
+    }
+    console.error('');
+    console.error('  Use kdna publish --check for details, or --force to override.');
+    if (!args.includes('--force')) {
+      process.exit(EXIT.HUMAN_LOCK_REQUIRED);
+    }
+    console.warn('  ⚠  --force override: publishing without Human Lock (emergency only)');
+  } else {
+    console.log(`  ✓ Human Lock Gate: passed`);
+  }
+  console.log('');
+
   console.log(`  Identity fingerprint: ${fingerprint(publicKey)}`);
   console.log(`  Scope trust key:      ${scopeKey.slice(0, 28)}…`);
   console.log('');
@@ -568,9 +723,14 @@ function cmdPublish(domainPath, args = []) {
 
   // 2. Write signature
   delete manifest.signature;
+  delete manifest.asset_digest;
+  delete manifest.container_sha256;
+  delete manifest.content_digest;
+  fs.writeFileSync(manifestPath, JSON.stringify(manifest, null, 2) + '\n');
+  manifest.content_digest = sourceContentDigest(abs);
   fs.writeFileSync(manifestPath, JSON.stringify(manifest, null, 2) + '\n');
-  const payload = canonicalPayload(abs);
-  const sig = signPayload(payload, privateKey);
+  const signedPayload = canonicalPayload(abs, { includeContentDigest: true });
+  const sig = signPayload(signedPayload, privateKey);
   manifest.signature = 'ed25519:' + sig;
   fs.writeFileSync(manifestPath, JSON.stringify(manifest, null, 2) + '\n');
   console.log(
@@ -586,9 +746,10 @@ function cmdPublish(domainPath, args = []) {
   const outPath = path.join(outDir, fileName);
   packToFile(abs, outPath);
   const sha256 = sha256File(outPath);
+  const assetDigest = `sha256:${sha256}`;
   const size = fs.statSync(outPath).size;
   console.log(`  ✓ Packed: ${outPath} (${size} bytes)`);
-  console.log(`  ✓ sha256: ${sha256}`);
+  console.log(`  ✓ asset_digest: ${assetDigest}`);
 
   // 4. Optional upload via gh CLI
   const tagIdx = args.indexOf('--release-tag');
@@ -615,8 +776,9 @@ function cmdPublish(domainPath, args = []) {
     name,
     type: manifest.cluster ? 'cluster' : 'domain',
     version: manifest.version,
-    kdna_url: kdnaUrl,
-    sha256,
+    asset_url: kdnaUrl,
+    asset_digest: assetDigest,
+    content_digest: manifest.content_digest || null,
     signature: manifest.signature,
     release_status: kdnaUrl ? 'published_signed' : 'published_signed_local',
     author: { ...manifest.author },
@@ -633,4 +795,4 @@ function cmdPublish(domainPath, args = []) {
   );
 }
 
-module.exports = { cmdPublishCheck, cmdPublish, canonicalPayload, publicKeyToScopeFormat };
+module.exports = { cmdPublishCheck, cmdPublish, checkHumanLock, canonicalPayload, publicKeyToScopeFormat };