@aikdna/kdna-cli 0.17.0 → 0.19.0

package/src/registry.js

@@ -1,5 +1,5 @@
 /**
- * RegistryResolver — KDNA v0.7 registry client.
+ * RegistryResolver — KDNA asset-first registry client.
  *
  * Responsibilities:
  *   1. Resolve names: bare → @aikdna/bare, validate @scope/name format
@@ -7,7 +7,7 @@
  *   3. Cache registry metadata locally
  *   4. Surface scope trust info to install/publish
  *
- * Schema v2.0 — see kdna-registry/SCHEMA.md
+ * Schema v3.0 — see kdna-registry/SCHEMA.md
  */
 
 const fs = require('fs');
@@ -22,6 +22,7 @@ const DEFAULT_OFFICIAL_SCOPE = '@aikdna';
 const CANONICAL_REGISTRY_URL =
   process.env.KDNA_REGISTRY_URL ||
   'https://raw.githubusercontent.com/aikdna/kdna-registry/main/domains.json';
+const REQUIRED_SCHEMA_VERSION = '3.0';
 
 const NAME_RE = /^@([a-z][a-z0-9-]*)\/([a-z][a-z0-9_]*)$/;
 const BARE_NAME_RE = /^[a-z][a-z0-9_]*$/;
@@ -39,6 +40,63 @@ function writeJson(file, data) {
   fs.writeFileSync(file, JSON.stringify(data, null, 2) + '\n');
 }
 
+function parseDate(value) {
+  const date = value ? new Date(value) : null;
+  return date && !Number.isNaN(date.getTime()) ? date : null;
+}
+
+function registryTrustIssues(registry, { now = new Date() } = {}) {
+  const issues = [];
+  const trust = registry?.trust || {};
+
+  if (!registry || registry.schema_version !== REQUIRED_SCHEMA_VERSION) {
+    issues.push(
+      `Registry schema_version must be ${REQUIRED_SCHEMA_VERSION}, got ${JSON.stringify(registry?.schema_version)}`,
+    );
+  }
+
+  if (!trust.model) issues.push('registry.trust.model is required');
+  if (!trust.snapshot) issues.push('registry.trust.snapshot is required');
+  if (!trust.timestamp) issues.push('registry.trust.timestamp is required');
+
+  const snapshotVersion = trust.snapshot?.registry_version;
+  if (snapshotVersion && snapshotVersion !== registry.registry_version) {
+    issues.push(
+      `registry.trust.snapshot.registry_version ${snapshotVersion} does not match registry_version ${registry.registry_version}`,
+    );
+  }
+
+  const snapshotExpires = parseDate(trust.snapshot?.expires_at);
+  const timestampExpires = parseDate(trust.timestamp?.expires_at);
+  if (!snapshotExpires) issues.push('registry.trust.snapshot.expires_at must be an ISO timestamp');
+  if (!timestampExpires)
+    issues.push('registry.trust.timestamp.expires_at must be an ISO timestamp');
+  if (snapshotExpires && snapshotExpires <= now) {
+    issues.push(`registry snapshot expired at ${trust.snapshot.expires_at}`);
+  }
+  if (timestampExpires && timestampExpires <= now) {
+    issues.push(`registry timestamp expired at ${trust.timestamp.expires_at}`);
+  }
+
+  return issues;
+}
+
+function registryRevocations(registry) {
+  return registry?.trust?.revocations || [];
+}
+
+function isEntryRevoked(registry, entry) {
+  const revocations = registryRevocations(registry);
+  return (
+    revocations.find((rev) => {
+      if (rev.name && rev.name !== entry.name) return false;
+      if (rev.version && rev.version !== entry.version) return false;
+      if (rev.asset_digest && rev.asset_digest !== entry.asset_digest) return false;
+      return rev.name || rev.asset_digest;
+    }) || null
+  );
+}
+
 // ─── Name parsing ───────────────────────────────────────────────────────
 
 /**
@@ -151,7 +209,17 @@ class RegistryResolver {
   _loadRegistryForScope(scopeName) {
     if (this._registries.has(scopeName)) return this._registries.get(scopeName);
     const source = this._sourceForScope(scopeName);
-    const data = source.load({ allowNetwork: this.allowNetwork, refresh: this.refresh });
+    let data = source.load({ allowNetwork: this.allowNetwork, refresh: this.refresh });
+    let trustIssues = data ? registryTrustIssues(data) : [];
+    if (trustIssues.length && this.allowNetwork && !this.refresh) {
+      data = source.load({ allowNetwork: true, refresh: true });
+      trustIssues = data ? registryTrustIssues(data) : [];
+    }
+    if (trustIssues.length) {
+      throw new Error(
+        `Registry trust check failed:\n${trustIssues.map((i) => `- ${i}`).join('\n')}`,
+      );
+    }
     this._registries.set(scopeName, data);
     return data;
   }
@@ -186,12 +254,6 @@ class RegistryResolver {
       );
     }
 
-    if (registry.schema_version && registry.schema_version !== '2.0') {
-      throw new Error(
-        `Registry schema_version ${registry.schema_version} not supported. This CLI requires 2.0.`,
-      );
-    }
-
     const scope = registry.scopes?.[parsed.scope];
     if (!scope) {
       throw new Error(`Scope ${parsed.scope} not registered in registry.`);
@@ -215,6 +277,13 @@ class RegistryResolver {
       throw new Error(`${entry.name}@${entry.version} has been yanked${when}.${reason}${replace}`);
     }
 
+    const revocation = isEntryRevoked(registry, entry);
+    if (revocation) {
+      const reason = revocation.reason ? `\nReason: ${revocation.reason}` : '';
+      const when = revocation.revoked_at ? ` (revoked ${revocation.revoked_at.slice(0, 10)})` : '';
+      throw new Error(`${entry.name}@${entry.version} has been revoked${when}.${reason}`);
+    }
+
     return { parsed, scope, entry, registry };
   }
 
@@ -250,6 +319,9 @@ function fetchRegistry() {
 module.exports = {
   RegistryResolver,
   parseName,
+  REQUIRED_SCHEMA_VERSION,
+  registryTrustIssues,
+  isEntryRevoked,
   loadRegistry,
   fetchRegistry,
   CANONICAL_REGISTRY_URL,

package/src/setup.js

@@ -15,9 +15,11 @@
 const fs = require('fs');
 const path = require('path');
 
-const USER_KDNA_DIR = path.join(process.env.HOME || process.env.USERPROFILE || '.', '.kdna');
-const DOMAINS_DIR = path.join(USER_KDNA_DIR, 'domains');
-const CLUSTERS_DIR = path.join(USER_KDNA_DIR, 'clusters');
+const PATHS = require('./paths');
+
+const USER_KDNA_DIR = PATHS.root;
+const DOMAINS_DIR = PATHS.domains.root;
+const CLUSTERS_DIR = PATHS.clusters;
 const SKILLS_REPO = 'https://raw.githubusercontent.com/aikdna/kdna-skills/main';
 
 const AGENTS = [
@@ -119,15 +121,23 @@ async function cmdSetup() {
   const pkg = require(path.join(__dirname, '..', 'package.json'));
   log(`KDNA CLI v${pkg.version}`);
 
-  // 2. KDNA data root
-  ensureDir(DOMAINS_DIR);
+  // 2. KDNA data root — .kdna asset store
+  ensureDir(PATHS.root);
+  ensureDir(PATHS.packages);
   ensureDir(CLUSTERS_DIR);
+  ensureDir(PATHS.registry);
+  ensureDir(PATHS.traces);
+  ensureDir(PATHS.feedback);
+  ensureDir(PATHS.evals);
+  ensureDir(PATHS.cache);
+  ensureDir(PATHS.identity);
+  ensureDir(PATHS.licenses);
   log(`Data root: ${USER_KDNA_DIR}/`);
 
-  // 2b. Clean legacy (un-scoped) domain directories from pre-v0.7
+  // 2b. Directory installs are not part of the runtime model.
   if (fs.existsSync(DOMAINS_DIR)) {
     const legacy = fs.readdirSync(DOMAINS_DIR).filter((e) => {
-      if (e.startsWith('@') || e.startsWith('.')) return false;
+      if (e.startsWith('.')) return false;
       try {
         return fs.statSync(path.join(DOMAINS_DIR, e)).isDirectory();
       } catch {
@@ -136,19 +146,8 @@ async function cmdSetup() {
     });
     if (legacy.length) {
       console.log('');
-      warn(
-        `Removing ${legacy.length} legacy (un-scoped) domain director${legacy.length > 1 ? 'ies' : 'y'}:`,
-      );
-      for (const d of legacy) {
-        const dPath = path.join(DOMAINS_DIR, d);
-        try {
-          fs.rmSync(dPath, { recursive: true, force: true });
-          log(`  removed ~/.kdna/domains/${d}/`);
-        } catch (e) {
-          warn(`  could not remove ~/.kdna/domains/${d}/ — ${e.message}`);
-          console.log(`    To remove manually:  rm -rf ~/.kdna/domains/${d}/`);
-        }
-      }
+      warn(`Ignoring ${legacy.length} legacy domain director${legacy.length > 1 ? 'ies' : 'y'}.`);
+      console.log('  Runtime assets now live under ~/.kdna/packages/ as .kdna files.');
       console.log('  Re-install with: kdna install @aikdna/<name>');
       console.log('');
     }