@aikdna/kdna-cli 0.17.0 → 0.19.0

package/src/loader.js

@@ -15,8 +15,8 @@ const FILE_MAP = core.FILE_MAP;
  * Read and parse a KDNA JSON file.
  * Returns null if the file does not exist.
  */
-function readFile(domainDir, filename) {
-  const filePath = path.join(domainDir, filename);
+function readFile(sourceDir, filename) {
+  const filePath = path.join(sourceDir, filename);
   if (!fs.existsSync(filePath)) return null;
   try {
     return JSON.parse(fs.readFileSync(filePath, 'utf8'));
@@ -29,32 +29,32 @@ function readFile(domainDir, filename) {
  * Load the minimum required KDNA files (Core + Patterns).
  * Always load these. They form the cognition baseline.
  */
-function loadCorePatterns(domainDir) {
-  const coreData = readFile(domainDir, FILE_MAP.core);
-  const patternsData = readFile(domainDir, FILE_MAP.patterns);
+function loadCorePatterns(sourceDir) {
+  const coreData = readFile(sourceDir, FILE_MAP.core);
+  const patternsData = readFile(sourceDir, FILE_MAP.patterns);
   return core.loadCorePatternsFromData(coreData, patternsData);
 }
 
 /**
  * Load a complete KDNA domain.
  *
- * @param {string} domainDir — path to the domain folder
+ * @param {string} sourceDir — path to a dev source directory
  * @param {object} [options]
  * @param {string} [options.input] — user input text for conditional loading
  * @param {'all'|'minimum'|'auto'} [options.mode='auto'] — loading mode
  * @returns {object|null} loaded KDNA files keyed by type, or null if minimum files are missing
  */
-function loadDomain(domainDir, options = {}) {
+function loadDomain(sourceDir, options = {}) {
   const dataMap = { core: null, patterns: null };
 
-  dataMap.core = readFile(domainDir, FILE_MAP.core);
-  dataMap.patterns = readFile(domainDir, FILE_MAP.patterns);
+  dataMap.core = readFile(sourceDir, FILE_MAP.core);
+  dataMap.patterns = readFile(sourceDir, FILE_MAP.patterns);
 
   if (!dataMap.core || !dataMap.patterns) return null;
 
   // Also read optional files that might be present
   for (const key of ['scenarios', 'cases', 'reasoning', 'evolution']) {
-    const data = readFile(domainDir, FILE_MAP[key]);
+    const data = readFile(sourceDir, FILE_MAP[key]);
     if (data) dataMap[key] = data;
   }
 

package/src/package-store.js

@@ -0,0 +1,232 @@
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+const PATHS = require('./paths');
+const { parseName } = require('./registry');
+const core = require('@aikdna/kdna-core');
+
+if (typeof core.createKdnaAssetReader !== 'function') {
+  throw new Error('@aikdna/kdna-core >=0.5.0 is required for direct .kdna asset loading');
+}
+
+const assetReader = core.createKdnaAssetReader();
+
+const INDEX_VERSION = 2;
+
+function ensureDir(dir) {
+  fs.mkdirSync(dir, { recursive: true });
+}
+
+function readJsonFile(file) {
+  try {
+    return JSON.parse(fs.readFileSync(file, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function writeJsonFile(file, data) {
+  ensureDir(path.dirname(file));
+  fs.writeFileSync(file, JSON.stringify(data, null, 2) + '\n');
+}
+
+function readIndex() {
+  const data = readJsonFile(PATHS.packageIndex);
+  if (data?.packages && typeof data.packages === 'object') return data;
+  return { version: INDEX_VERSION, packages: {} };
+}
+
+function writeIndex(index) {
+  index.version = INDEX_VERSION;
+  writeJsonFile(PATHS.packageIndex, index);
+}
+
+function sha256File(filePath) {
+  return crypto.createHash('sha256').update(fs.readFileSync(filePath)).digest('hex');
+}
+
+function assetDigest(filePath) {
+  return `sha256:${sha256File(filePath)}`;
+}
+
+function contentDigest(kdnaPath) {
+  return assetReader.contentDigestSync(assetReader.openSync(kdnaPath));
+}
+
+function assetDir(scope, ident, version) {
+  return path.join(PATHS.packages, scope, ident, version || 'unknown');
+}
+
+function assetFileName(ident, version) {
+  return `${ident}-${version || 'unknown'}.kdna`;
+}
+
+function readContainerJson(kdnaPath, fileName, options = {}) {
+  const asset = assetReader.openSync(kdnaPath);
+  return assetReader.readJsonSync(asset, fileName, options);
+}
+
+function readContainerEntry(kdnaPath, fileName) {
+  const asset = assetReader.openSync(kdnaPath);
+  return assetReader.readEntrySync(asset, fileName);
+}
+
+function listContainerEntries(kdnaPath) {
+  const asset = assetReader.openSync(kdnaPath);
+  return assetReader.listEntriesSync(asset);
+}
+
+function readContainer(kdnaPath, options = {}) {
+  const asset = assetReader.openSync(kdnaPath);
+  return {
+    manifest: assetReader.readJsonSync(asset, 'kdna.json'),
+    core: assetReader.readJsonSync(asset, 'KDNA_Core.json', options),
+    patterns: assetReader.readJsonSync(asset, 'KDNA_Patterns.json', options),
+    scenarios: assetReader.readJsonSync(asset, 'KDNA_Scenarios.json', options),
+    cases: assetReader.readJsonSync(asset, 'KDNA_Cases.json', options),
+    reasoning: assetReader.readJsonSync(asset, 'KDNA_Reasoning.json', options),
+    evolution: assetReader.readJsonSync(asset, 'KDNA_Evolution.json', options),
+    files: assetReader.listEntriesSync(asset),
+  };
+}
+
+function verifyAsset(kdnaPath, options = {}) {
+  const asset = assetReader.openSync(kdnaPath);
+  return assetReader.verifySync(asset, options);
+}
+
+function getInstalled(input) {
+  const parsed = parseName(input);
+  if (!parsed) return null;
+  const index = readIndex();
+  const entry = index.packages[parsed.full];
+  if (!entry?.asset_path || !fs.existsSync(entry.asset_path)) return null;
+  return { ...entry, parsed };
+}
+
+function listInstalled() {
+  const index = readIndex();
+  return Object.entries(index.packages)
+    .map(([full, entry]) => ({ full, ...entry }))
+    .filter((entry) => entry.asset_path && fs.existsSync(entry.asset_path))
+    .sort((a, b) => a.full.localeCompare(b.full));
+}
+
+function readAssetManifest(assetPath) {
+  return readContainerJson(assetPath, 'kdna.json') || {};
+}
+
+function receiptPathForAsset(assetPath) {
+  return path.join(path.dirname(assetPath), 'receipt.json');
+}
+
+function installAsset({ sourcePath, name, version, source = {} }) {
+  const parsed = parseName(name);
+  if (!parsed) throw new Error(`Invalid scoped domain name: ${name}`);
+  const finalVersion = version || 'unknown';
+  const destDir = assetDir(parsed.scope, parsed.ident, finalVersion);
+  const dest = path.join(destDir, assetFileName(parsed.ident, finalVersion));
+  ensureDir(destDir);
+  fs.copyFileSync(sourcePath, dest);
+
+  const manifest = readAssetManifest(dest);
+  const installedAt = new Date().toISOString();
+  const computedAssetDigest = assetDigest(dest);
+  const computedContentDigest = contentDigest(dest);
+  const receiptPath = receiptPathForAsset(dest);
+  const receipt = {
+    version: 1,
+    name: parsed.full,
+    asset_path: dest,
+    asset_digest: computedAssetDigest,
+    content_digest: computedContentDigest,
+    package_version: finalVersion,
+    judgment_version: manifest.judgment_version || null,
+    access: manifest.access || 'open',
+    signature: manifest.signature || null,
+    installed_at: installedAt,
+    source,
+  };
+  writeJsonFile(receiptPath, receipt);
+
+  const index = readIndex();
+  index.packages[parsed.full] = {
+    name: parsed.full,
+    version: finalVersion,
+    asset_path: dest,
+    receipt_path: receiptPath,
+    asset_digest: computedAssetDigest,
+    content_digest: computedContentDigest,
+    judgment_version: manifest.judgment_version || null,
+    access: manifest.access || 'open',
+    signature: manifest.signature || null,
+    installed_at: installedAt,
+    source,
+  };
+  writeIndex(index);
+  return index.packages[parsed.full];
+}
+
+function resolveAsset(input) {
+  const expanded = input.replace(/^~/, process.env.HOME || '');
+  const looksLikeFile =
+    input.endsWith('.kdna') &&
+    (input.startsWith('./') ||
+      input.startsWith('/') ||
+      input.startsWith('~/') ||
+      fs.existsSync(expanded));
+  if (looksLikeFile) {
+    const abs = path.resolve(expanded);
+    if (!fs.existsSync(abs) || !fs.statSync(abs).isFile()) return null;
+    const manifest = readAssetManifest(abs);
+    const full = manifest.name;
+    const parsed = full ? parseName(full) : null;
+    return {
+      name: full || path.basename(abs, '.kdna'),
+      parsed,
+      asset_path: abs,
+      receipt_path: null,
+      version: manifest.version || null,
+      judgment_version: manifest.judgment_version || null,
+      access: manifest.access || 'open',
+      asset_digest: assetDigest(abs),
+      content_digest: contentDigest(abs),
+      source: { type: 'local-file', path: abs },
+      local_file: true,
+    };
+  }
+  return getInstalled(input);
+}
+
+function removeInstalled(input) {
+  const parsed = parseName(input);
+  if (!parsed) return false;
+  const index = readIndex();
+  const entry = index.packages[parsed.full];
+  if (!entry) return false;
+  delete index.packages[parsed.full];
+  writeIndex(index);
+  if (entry.asset_path) {
+    const versionDir = path.dirname(entry.asset_path);
+    fs.rmSync(versionDir, { recursive: true, force: true });
+  }
+  return true;
+}
+
+module.exports = {
+  readIndex,
+  writeIndex,
+  sha256File,
+  assetDigest,
+  contentDigest,
+  readContainer,
+  readContainerEntry,
+  readContainerJson,
+  listContainerEntries,
+  verifyAsset,
+  getInstalled,
+  listInstalled,
+  installAsset,
+  resolveAsset,
+  removeInstalled,
+};

package/src/paths.js

@@ -0,0 +1,44 @@
+// KDNA shared path configuration — canonical source for ~/.kdna structure
+// Spec: docs/local-kdna-home-spec.md
+
+const path = require('path');
+
+const KDNA_HOME =
+  process.env.KDNA_HOME || path.join(process.env.HOME || process.env.USERPROFILE || '.', '.kdna');
+
+const PATHS = {
+  root: KDNA_HOME,
+  config: path.join(KDNA_HOME, 'config.json'),
+  identity: path.join(KDNA_HOME, 'identity'),
+  domains: {
+    root: path.join(KDNA_HOME, 'domains'),
+    official: path.join(KDNA_HOME, 'domains', 'official'),
+    local: path.join(KDNA_HOME, 'domains', 'local'),
+    private: path.join(KDNA_HOME, 'domains', 'private'),
+    // Legacy flat path — used for migration only
+    legacy: path.join(KDNA_HOME, 'domains'),
+    // All three directories for scanning
+    all: [
+      path.join(KDNA_HOME, 'domains', 'official'),
+      path.join(KDNA_HOME, 'domains', 'local'),
+      path.join(KDNA_HOME, 'domains', 'private'),
+    ],
+  },
+  clusters: path.join(KDNA_HOME, 'clusters'),
+  packages: path.join(KDNA_HOME, 'packages'),
+  packageIndex: path.join(KDNA_HOME, 'index.json'),
+  registry: path.join(KDNA_HOME, 'registry'),
+  registryCache: path.join(KDNA_HOME, 'registry', 'cache.json'),
+  traces: path.join(KDNA_HOME, 'traces'),
+  feedback: path.join(KDNA_HOME, 'feedback'),
+  evals: path.join(KDNA_HOME, 'evals'),
+  cache: path.join(KDNA_HOME, 'cache'),
+  licenses: path.join(KDNA_HOME, 'licenses'),
+};
+
+// Runtime asset store aliases
+PATHS.USER_KDNA_DIR = KDNA_HOME;
+PATHS.INSTALL_DIR = PATHS.packages;
+
+module.exports = PATHS;
+module.exports.KDNA_HOME = KDNA_HOME;

package/src/publish.js

@@ -7,7 +7,7 @@
 
 const fs = require('fs');
 const path = require('path');
-const { EXIT } = require('./cmds/_common');
+const { EXIT, selfCheckText, isYesNoSelfCheck } = require('./cmds/_common');
 
 function error(msg, code = EXIT.VALIDATION_FAILED) {
   console.error(`Error: ${msg}`);
@@ -53,17 +53,17 @@ const SLOGAN_PATTERNS = [
 // PRIORITIZE or AVOID, not steps to follow.
 
 const SOP_PATTERNS = [
-  /^Step\s+\d/i,                     // "Step 1: identify the topic"
+  /^Step\s+\d/i, // "Step 1: identify the topic"
   /^First,?\s|^Next,?\s|^Then,?\s|^Finally,?\s/i, // "First, do X. Then do Y."
-  /^Check\s(for|if|whether)\s/i,    // "Check for spelling errors"
+  /^Check\s(for|if|whether)\s/i, // "Check for spelling errors"
   /^Always\s+(use|do|make|include)/i, // "Always use active voice"
-  /^Never\s+(use|do|make)/i,        // "Never use passive voice"
-  /^Generate\s/i,                    // "Generate three options"
-  /^Create\s+(a|the)\s/i,           // "Create a list of..."
-  /^Make\s+sure\s/i,                // "Make sure to check..."
-  /^Remember\s+to\s/i,              // "Remember to validate..."
+  /^Never\s+(use|do|make)/i, // "Never use passive voice"
+  /^Generate\s/i, // "Generate three options"
+  /^Create\s+(a|the)\s/i, // "Create a list of..."
+  /^Make\s+sure\s/i, // "Make sure to check..."
+  /^Remember\s+to\s/i, // "Remember to validate..."
   /^(You|The agent)\s+should\s+(use|do|make|include)/i, // "You should use X"
-  /^Avoid\s+(using|doing)/i,         // "Avoid using X" (too procedural)
+  /^Avoid\s+(using|doing)/i, // "Avoid using X" (too procedural)
 ];
 
 function isSOP(text) {
@@ -143,8 +143,6 @@ function isGenericSelfCheck(question) {
 
 // ─── Human Lock Gate ──────────────────────────────────────────────────
 
-const JUDGMENT_CARD_TYPES = ['axiom', 'boundary', 'risk', 'aesthetic'];
-
 /**
  * Check whether the domain satisfies Human Lock requirements.
  * Returns { passed, issues[] } — publish should be blocked if !passed.
@@ -190,13 +188,19 @@ function checkHumanLock(domainPath) {
     // Rule 3: Lock must confirm judgment fields were reviewed
     const checked = card.human_lock.checked || {};
     if (!checked.applies_when) {
-      issues.push(`${card.type} "${card.id}" Human Lock does not confirm applies_when was reviewed.`);
+      issues.push(
+        `${card.type} "${card.id}" Human Lock does not confirm applies_when was reviewed.`,
+      );
     }
     if (!checked.does_not_apply_when) {
-      issues.push(`${card.type} "${card.id}" Human Lock does not confirm does_not_apply_when was reviewed.`);
+      issues.push(
+        `${card.type} "${card.id}" Human Lock does not confirm does_not_apply_when was reviewed.`,
+      );
     }
     if (!checked.failure_risk) {
-      issues.push(`${card.type} "${card.id}" Human Lock does not confirm failure_risk was reviewed.`);
+      issues.push(
+        `${card.type} "${card.id}" Human Lock does not confirm failure_risk was reviewed.`,
+      );
     }
   }
 
@@ -384,21 +388,22 @@ function cmdPublishCheck(domainPath, args = []) {
     }
     for (let i = 0; i < core.stances.length; i++) {
       const s = core.stances[i];
-      if (typeof s !== 'string') {
+      const stanceText = typeof s === 'string' ? s : s && typeof s === 'object' ? s.stance : null;
+      if (!stanceText || typeof stanceText !== 'string') {
         fail(
           'KDNA_Core.json',
           `stances[${i}]`,
           JSON.stringify(s),
-          'Must be a string, not an object.',
+          'Must be a string or an object with a stance string.',
         );
-      } else if (isSlogan(s)) {
+      } else if (isSlogan(stanceText)) {
         fail(
           'KDNA_Core.json',
           `stances[${i}]`,
-          s,
+          stanceText,
           'Reads like a slogan. Stances must be prescriptive positions that bias agent behavior.',
         );
-      } else if (isVague(s)) {
+      } else if (isVague(stanceText)) {
         warn('KDNA_Core.json', `stances[${i}]`, 'Contains vague language.');
       } else {
         pass('KDNA_Core.json', `stances[${i}]`);
@@ -442,22 +447,23 @@ function cmdPublishCheck(domainPath, args = []) {
   if (patterns.self_check && Array.isArray(patterns.self_check)) {
     for (let i = 0; i < patterns.self_check.length; i++) {
       const sc = patterns.self_check[i];
-      if (typeof sc !== 'string') {
+      const text = selfCheckText(sc);
+      if (!text) {
         fail(
           'KDNA_Patterns.json',
           `self_check[${i}]`,
           JSON.stringify(sc),
-          'Must be a string, not an object.',
+          'Must be a string or an object with a question string.',
         );
-      } else if (isGenericSelfCheck(sc)) {
+      } else if (isGenericSelfCheck(text)) {
         fail(
           'KDNA_Patterns.json',
           `self_check[${i}]`,
-          sc,
+          text,
           'Generic question. Self-checks must be domain-specific, not "is this helpful?".',
         );
-      } else if (!sc.endsWith('?')) {
-        warn('KDNA_Patterns.json', `self_check[${i}]`, 'Should end with a question mark.');
+      } else if (!isYesNoSelfCheck(sc)) {
+        warn('KDNA_Patterns.json', `self_check[${i}]`, 'Should be answerable with yes/no.');
         passes++;
       } else {
         pass('KDNA_Patterns.json', `self_check[${i}]`);
@@ -527,25 +533,24 @@ function identityPaths() {
 }
 
 /**
- * Canonical signing payload: sorted (filename, sha256) pairs of all .json files
- * inside the .kdna ZIP, joined as `name:hex\n`. This is what the signature covers.
+ * Canonical signing payload: sorted (filename, sha256) pairs of all published
+ * content entries inside the .kdna ZIP, joined as `name:hex\n`.
  *
  * Excludes the `signature` field from kdna.json itself (computed by removing it
- * before hashing). All other files included as-is.
+ * before hashing). Digest self-reference fields are also excluded. All other files included as-is.
  */
-function canonicalPayload(srcDir) {
-  const files = fs
-    .readdirSync(srcDir)
-    .filter((f) => f.endsWith('.json'))
-    .sort();
+function canonicalPayload(srcDir, opts = {}) {
+  const files = listPublishEntries(srcDir);
   const parts = [];
   for (const f of files) {
-    const full = path.join(srcDir, f);
+    const full = f === 'mimetype' ? null : path.join(srcDir, f);
     let buf;
-    if (f === 'kdna.json') {
+    if (f === 'mimetype') {
+      buf = Buffer.from('application/vnd.aikdna.kdna+zip');
+    } else if (f.endsWith('.json')) {
       const obj = JSON.parse(fs.readFileSync(full, 'utf8'));
-      delete obj.signature;
-      buf = Buffer.from(JSON.stringify(obj));
+      const value = f === 'kdna.json' ? manifestForSigning(obj, opts) : obj;
+      buf = Buffer.from(stableStringify(value));
     } else {
       buf = fs.readFileSync(full);
     }
@@ -555,6 +560,89 @@ function canonicalPayload(srcDir) {
   return parts.join('\n');
 }
 
+function manifestForSigning(manifest, opts = {}) {
+  const copy = { ...(manifest || {}) };
+  delete copy.signature;
+  delete copy.asset_digest;
+  delete copy.container_sha256;
+  if (!opts.includeContentDigest) delete copy.content_digest;
+  delete copy._source;
+  return copy;
+}
+
+function stableStringify(value) {
+  if (Array.isArray(value)) return `[${value.map(stableStringify).join(',')}]`;
+  if (value && typeof value === 'object') {
+    return `{${Object.keys(value)
+      .sort()
+      .map((key) => `${JSON.stringify(key)}:${stableStringify(value[key])}`)
+      .join(',')}}`;
+  }
+  return JSON.stringify(value);
+}
+
+function manifestForContentDigest(manifest) {
+  const copy = { ...(manifest || {}) };
+  delete copy.signature;
+  delete copy.asset_digest;
+  delete copy.container_sha256;
+  delete copy.content_digest;
+  delete copy._source;
+  return copy;
+}
+
+function sourceContentDigest(srcDir) {
+  const files = listPublishEntries(srcDir);
+  const parts = [];
+  for (const f of files) {
+    let buf;
+    if (f === 'mimetype') {
+      buf = Buffer.from('application/vnd.aikdna.kdna+zip');
+    } else if (f.endsWith('.json')) {
+      const obj = JSON.parse(fs.readFileSync(path.join(srcDir, f), 'utf8'));
+      const value = f === 'kdna.json' ? manifestForContentDigest(obj) : obj;
+      buf = Buffer.from(stableStringify(value));
+    } else {
+      buf = fs.readFileSync(path.join(srcDir, f));
+    }
+    parts.push(`${f}:${crypto.createHash('sha256').update(buf).digest('hex')}`);
+  }
+  return `sha256:${crypto
+    .createHash('sha256')
+    .update(Buffer.from(parts.join('\n')))
+    .digest('hex')}`;
+}
+
+function listPublishEntries(domainDir) {
+  const entries = ['mimetype'];
+  const skipDirs = new Set(['.git', 'node_modules', 'dist']);
+  function walk(dir, prefix = '') {
+    for (const name of fs.readdirSync(dir).sort()) {
+      if (name === 'mimetype') continue;
+      if (name === '.DS_Store' || name === 'signature.json') continue;
+      const abs = path.join(dir, name);
+      const rel = prefix ? `${prefix}/${name}` : name;
+      const stat = fs.statSync(abs);
+      if (stat.isDirectory()) {
+        if (!skipDirs.has(name)) walk(abs, rel);
+        continue;
+      }
+      if (
+        rel.endsWith('.json') ||
+        rel === 'README.md' ||
+        rel === 'LICENSE' ||
+        rel.startsWith('evals/') ||
+        rel.startsWith('examples/') ||
+        rel.startsWith('reports/')
+      ) {
+        entries.push(rel);
+      }
+    }
+  }
+  walk(domainDir);
+  return entries;
+}
+
 function signPayload(payload, privateKeyPem) {
   const privateKey = crypto.createPrivateKey(privateKeyPem);
   const sig = crypto.sign(null, Buffer.from(payload), privateKey);
@@ -579,17 +667,17 @@ function publicKeyToScopeFormat(publicKeyPem) {
 }
 
 function packToFile(domainDir, outPath) {
-  const files = fs
-    .readdirSync(domainDir)
-    .filter((f) => f.endsWith('.json') || f === 'README.md' || f === 'LICENSE');
-  if (!files.includes('kdna.json')) error('kdna.json required in domain folder for publish.');
+  const files = listPublishEntries(domainDir).filter((f) => f !== 'mimetype');
+  if (!files.includes('kdna.json'))
+    error('kdna.json required in dev source directory for publish.');
 
   const script = `import zipfile, os
 src = ${JSON.stringify(domainDir)}
 out = ${JSON.stringify(outPath)}
 files = ${JSON.stringify(files)}
 with zipfile.ZipFile(out, 'w', zipfile.ZIP_DEFLATED) as zf:
-    for f in sorted(files):
+    zf.writestr(zipfile.ZipInfo('mimetype'), 'application/vnd.aikdna.kdna+zip', compress_type=zipfile.ZIP_STORED)
+    for f in files:
         zf.write(os.path.join(src, f), f)
 `;
   const tmpPy = `/tmp/kdna-publish-pack-${Date.now()}.py`;
@@ -679,14 +767,17 @@ function cmdPublish(domainPath, args = []) {
 
   // 2. Write signature
   delete manifest.signature;
+  delete manifest.asset_digest;
+  delete manifest.container_sha256;
+  delete manifest.content_digest;
   fs.writeFileSync(manifestPath, JSON.stringify(manifest, null, 2) + '\n');
-  const payload = canonicalPayload(abs);
-  const sig = signPayload(payload, privateKey);
+  manifest.content_digest = sourceContentDigest(abs);
+  fs.writeFileSync(manifestPath, JSON.stringify(manifest, null, 2) + '\n');
+  const signedPayload = canonicalPayload(abs);
+  const sig = signPayload(signedPayload, privateKey);
   manifest.signature = 'ed25519:' + sig;
   fs.writeFileSync(manifestPath, JSON.stringify(manifest, null, 2) + '\n');
-  console.log(
-    `  ✓ Signed (payload covers ${fs.readdirSync(abs).filter((f) => f.endsWith('.json')).length} json files)`,
-  );
+  console.log(`  ✓ Signed (payload covers ${listPublishEntries(abs).length} content entries)`);
 
   // 3. Pack
   const fileName = `${m[2]}-${manifest.version}.kdna`;
@@ -697,9 +788,10 @@ function cmdPublish(domainPath, args = []) {
   const outPath = path.join(outDir, fileName);
   packToFile(abs, outPath);
   const sha256 = sha256File(outPath);
+  const assetDigest = `sha256:${sha256}`;
   const size = fs.statSync(outPath).size;
   console.log(`  ✓ Packed: ${outPath} (${size} bytes)`);
-  console.log(`  ✓ sha256: ${sha256}`);
+  console.log(`  ✓ asset_digest: ${assetDigest}`);
 
   // 4. Optional upload via gh CLI
   const tagIdx = args.indexOf('--release-tag');
@@ -726,8 +818,9 @@ function cmdPublish(domainPath, args = []) {
     name,
     type: manifest.cluster ? 'cluster' : 'domain',
     version: manifest.version,
-    kdna_url: kdnaUrl,
-    sha256,
+    asset_url: kdnaUrl,
+    asset_digest: assetDigest,
+    content_digest: manifest.content_digest || null,
     signature: manifest.signature,
     release_status: kdnaUrl ? 'published_signed' : 'published_signed_local',
     author: { ...manifest.author },
@@ -744,4 +837,10 @@ function cmdPublish(domainPath, args = []) {
   );
 }
 
-module.exports = { cmdPublishCheck, cmdPublish, checkHumanLock, canonicalPayload, publicKeyToScopeFormat };
+module.exports = {
+  cmdPublishCheck,
+  cmdPublish,
+  checkHumanLock,
+  canonicalPayload,
+  publicKeyToScopeFormat,
+};