@aikdna/kdna-cli 0.17.0 → 0.19.0

package/src/version.js

@@ -147,12 +147,18 @@ function cmdVersionSuggest(domainPath = '.', args = []) {
   const changes = detectChanges(abs);
 
   if (jsonMode) {
-    console.log(JSON.stringify({
-      current_version: currentVersion,
-      suggested_bump: changes.suggestion,
-      reasons: changes.reasons,
-      change_summary: changes.summary,
-    }, null, 2));
+    console.log(
+      JSON.stringify(
+        {
+          current_version: currentVersion,
+          suggested_bump: changes.suggestion,
+          reasons: changes.reasons,
+          change_summary: changes.summary,
+        },
+        null,
+        2,
+      ),
+    );
     return;
   }
 
@@ -194,7 +200,9 @@ function detectChanges(domainPath) {
   // Count axioms with applies_when (v2.1 governance) vs without
   if (core?.axioms) {
     const total = core.axioms.length;
-    const governed = core.axioms.filter((a) => a.applies_when?.length && a.does_not_apply_when?.length).length;
+    const governed = core.axioms.filter(
+      (a) => a.applies_when?.length && a.does_not_apply_when?.length,
+    ).length;
     if (governed < total) {
       axiomChanges = total - governed;
       reasons.push(`${axiomChanges} axioms missing v2.1 governance fields`);

package/templates/minimal-domain/kdna.json

@@ -1,9 +1,12 @@
 {
-  "kdna_spec": "1.0-rc",
+  "format": "kdna",
+  "format_version": "1.0",
+  "spec_version": "1.0-rc",
   "name": "@aikdna/example_domain",
   "version": "0.1.0",
-  "language": "en",
+  "judgment_version": "0.1.0",
   "languages": ["en"],
+  "default_language": "en",
   "created": "YYYY-MM-DD",
   "updated": "YYYY-MM-DD",
   "description": "[TODO: describe what judgment this domain improves in one sentence]",
@@ -11,6 +14,7 @@
   "keywords": ["[TODO: add relevant keywords]"],
   "access": "open",
   "status": "experimental",
+  "quality_badge": "untested",
   "author": {
     "name": "Your Name",
     "id": "your-id"
@@ -22,10 +26,6 @@
     "allow_redistribution": true,
     "allow_training": true
   },
-  "registry": {
-    "repo": "https://github.com/your-org/your-repo"
-  },
   "file_count": 3,
-  "kdna_file_count": 3,
-  "files": ["KDNA_Core.json", "KDNA_Patterns.json", "tests/before-after.json"]
+  "risk_level": "R0"
 }

package/templates/standard-domain/README.md

@@ -54,20 +54,20 @@ If any of the above is true, the agent should decline to load this domain.
 
 ## Known Failure Risks
 
-| Risk | When it shows up |
-|------|---|
-| [risk 1 from axiom_one.failure_risk] | [trigger] |
-| [risk 2 from axiom_two.failure_risk] | [trigger] |
-| [risk 3 from misread_one.failure_risk] | [trigger] |
+| Risk                                   | When it shows up |
+| -------------------------------------- | ---------------- |
+| [risk 1 from axiom_one.failure_risk]   | [trigger]        |
+| [risk 2 from axiom_two.failure_risk]   | [trigger]        |
+| [risk 3 from misread_one.failure_risk] | [trigger]        |
 
 ## Files
 
-| File | Purpose |
-|------|---------|
-| `KDNA_Core.json` | Axioms (with v2.1 boundaries), ontology, frameworks, causal structure, stances |
+| File                 | Purpose                                                                          |
+| -------------------- | -------------------------------------------------------------------------------- |
+| `KDNA_Core.json`     | Axioms (with v2.1 boundaries), ontology, frameworks, causal structure, stances   |
 | `KDNA_Patterns.json` | Terminology, banned terms, misunderstandings (with v2.1 boundaries), self-checks |
-| `evals/` | Test cases for `kdna compare` and quality scoring |
-| `kdna.json` | Domain manifest (name, version, judgment_version, signature) |
+| `evals/`             | Test cases for `kdna compare` and quality scoring                                |
+| `kdna.json`          | Domain manifest (name, version, judgment_version, signature)                     |
 
 ## License
 

package/templates/standard-domain/kdna.json

@@ -1,16 +1,20 @@
 {
-  "kdna_spec": "1.0",
+  "format": "kdna",
+  "format_version": "1.0",
+  "spec_version": "1.0-rc",
   "name": "@yourscope/your_domain_id",
   "version": "0.1.0",
   "judgment_version": "YYYY.MM",
   "status": "experimental",
   "access": "open",
-  "language": "en",
+  "languages": ["en"],
+  "default_language": "en",
   "created": "YYYY-MM-DD",
   "updated": "YYYY-MM-DD",
   "description": "[one-sentence description; appears on registry and in install output]",
   "core_insight": "[one-sentence core insight that distinguishes this domain]",
   "keywords": ["[add 3-6 keywords for kdna search]"],
+  "quality_badge": "untested",
   "author": {
     "name": "Your Name",
     "id": "your-id",
@@ -24,5 +28,5 @@
     "allow_training": true
   },
   "file_count": 2,
-  "files": ["KDNA_Core.json", "KDNA_Patterns.json"]
+  "risk_level": "R0"
 }

package/validators/kdna-lint.js

@@ -51,23 +51,57 @@ for (const f of files) {
 
 const result = lintDomain(dataMap);
 
+function validateManifest(manifest) {
+  const errors = [];
+  const warnings = [];
+  const required = [
+    'format',
+    'format_version',
+    'spec_version',
+    'name',
+    'version',
+    'judgment_version',
+    'description',
+    'author',
+    'license',
+    'status',
+    'quality_badge',
+    'access',
+    'languages',
+    'default_language',
+  ];
+
+  if (manifest.kdna_spec) errors.push('kdna_spec is not allowed. Use spec_version.');
+  if (manifest.language)
+    errors.push('language is not allowed. Use default_language and languages.');
+  for (const field of required) {
+    if (!(field in manifest) || manifest[field] === undefined || manifest[field] === '') {
+      errors.push(`missing required field "${field}"`);
+    }
+  }
+  if (manifest.format && manifest.format !== 'kdna') {
+    errors.push(`format: invalid value "${manifest.format}". Expected "kdna".`);
+  }
+  if (manifest.format_version && manifest.format_version !== '1.0') {
+    errors.push(`format_version: invalid value "${manifest.format_version}". Expected "1.0".`);
+  }
+  if (manifest.spec_version && manifest.spec_version !== '1.0-rc') {
+    warnings.push(
+      `spec_version: non-standard value "${manifest.spec_version}". Expected "1.0-rc".`,
+    );
+  }
+  return { errors, warnings };
+}
+
 // Also validate kdna.json manifest if present and validateManifest is available
 let manifestPath;
 try {
   manifestPath = path.join(domainDir, 'kdna.json');
   if (fs.existsSync(manifestPath)) {
     const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
-    let validateManifestFn;
-    try {
-      validateManifestFn = require('@aikdna/kdna-core').validateManifest;
-    } catch {
-      // validateManifest not yet available in installed kdna-core — skip manifest check
-    }
-    if (validateManifestFn) {
-      const mResult = validateManifestFn(manifest);
-      for (const e of mResult.errors) result.errors.push(`kdna.json: ${e}`);
-      for (const w of mResult.warnings) result.warnings.push(`kdna.json: ${w}`);
-    }
+    const mResult = validateManifest(manifest);
+    for (const e of mResult.errors) result.errors.push(`kdna.json: ${e}`);
+    for (const w of mResult.warnings) result.warnings.push(`kdna.json: ${w}`);
   }
 } catch (e) {
   if (e.code !== 'ENOENT') {

package/src/cmds/encrypt.js

@@ -1,199 +0,0 @@
-/**
- * KDNA Encryption — Encrypted container format (.kdnae) for licensed domains.
- *
- * .kdnae extends .kdna with AES-256-GCM encryption on KDNA JSON files.
- * The kdna.json manifest and license.json stay in plaintext for discovery.
- *
- * Encryption key is derived via PBKDF2 from:
- *   license_key + machine_fingerprint
- *
- * This module provides pure-crypto functions (no filesystem I/O).
- * File operations are in domain.js (pack/unpack) and install.js.
- */
-
-const crypto = require('crypto');
-
-const ALGORITHM = 'aes-256-gcm';
-const IV_LENGTH = 16; // 96-bit IV for GCM
-const TAG_LENGTH = 16; // 128-bit auth tag
-const SALT_LENGTH = 32;
-const PBKDF2_ITERATIONS = 600000;
-const KEY_LENGTH = 32; // AES-256
-
-// Files in a .kdna container that get encrypted (JSON content only)
-const ENCRYPTED_FILES = [
-  'KDNA_Core.json',
-  'KDNA_Patterns.json',
-  'KDNA_Scenarios.json',
-  'KDNA_Cases.json',
-  'KDNA_Reasoning.json',
-  'KDNA_Evolution.json',
-];
-
-// Files that always stay in plaintext
-const PLAINTEXT_FILES = ['kdna.json', 'license.json', 'README.md', 'LICENSE', 'signature.json'];
-
-function isEncryptable(filename) {
-  return ENCRYPTED_FILES.includes(filename);
-}
-
-// ─── Machine Fingerprint ────────────────────────────────────────────────
-
-function machineFingerprint() {
-  const os = require('os');
-  const parts = [os.hostname(), os.userInfo().uid.toString(), os.platform(), os.arch()];
-  // Try to get hardware UUID on macOS
-  try {
-    const { execSync } = require('child_process');
-    if (os.platform() === 'darwin') {
-      const uuid = execSync('ioreg -d2 -c IOPlatformExpertDevice | grep IOPlatformUUID', {
-        encoding: 'utf8',
-        timeout: 3000,
-      })
-        .match(/"[A-F0-9-]{36}"/)?.[0]
-        ?.replace(/"/g, '');
-      if (uuid) parts.push(uuid);
-    }
-    if (os.platform() === 'linux') {
-      try {
-        const mid = require('fs').readFileSync('/etc/machine-id', 'utf8').trim();
-        if (mid) parts.push(mid);
-      } catch {
-        /* ignore */
-      }
-    }
-  } catch {
-    /* non-critical */
-  }
-  return crypto.createHash('sha256').update(parts.join('|')).digest('hex');
-}
-
-// ─── Key Derivation ─────────────────────────────────────────────────────
-
-function deriveKey(licenseKey, fingerprint) {
-  const salt = crypto
-    .createHash('sha256')
-    .update(fingerprint || machineFingerprint())
-    .digest();
-  return crypto.pbkdf2Sync(licenseKey, salt, PBKDF2_ITERATIONS, KEY_LENGTH, 'sha512');
-}
-
-// ─── Encrypt / Decrypt ──────────────────────────────────────────────────
-
-function encrypt(plaintext, key) {
-  const iv = crypto.randomBytes(IV_LENGTH);
-  const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
-  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
-  const tag = cipher.getAuthTag();
-  // Format: iv (16) + tag (16) + ciphertext
-  return Buffer.concat([iv, tag, encrypted]);
-}
-
-function decrypt(encryptedData, key) {
-  if (encryptedData.length < IV_LENGTH + TAG_LENGTH) {
-    throw new Error('Invalid encrypted data: too short');
-  }
-  const iv = encryptedData.subarray(0, IV_LENGTH);
-  const tag = encryptedData.subarray(IV_LENGTH, IV_LENGTH + TAG_LENGTH);
-  const ciphertext = encryptedData.subarray(IV_LENGTH + TAG_LENGTH);
-  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
-  decipher.setAuthTag(tag);
-  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
-}
-
-// ─── Encrypted Container Detection ──────────────────────────────────────
-
-function isEncryptedContainer(filePath) {
-  return filePath.endsWith('.kdnae');
-}
-
-// ─── License File ──────────────────────────────────────────────────────
-
-function createLicense(domain, options = {}) {
-  const {
-    issuedTo = 'licensee@example.com',
-    expiresAt = null, // ISO date or null for perpetual
-    maxAgents = 1,
-    requireMachineBinding = true,
-    requireOnlineCheck = false,
-    offlineGraceDays = 7,
-  } = options;
-
-  const license = {
-    version: '1.0',
-    license_id: `lic_${crypto.randomBytes(8).toString('hex')}`,
-    domain,
-    issued_to: issuedTo,
-    issued_at: new Date().toISOString(),
-    expires_at: expiresAt,
-    max_agents: maxAgents,
-    require_machine_binding: requireMachineBinding,
-    require_online_check: requireOnlineCheck,
-    offline_grace_days: offlineGraceDays,
-    allowed_agents: options.allowedAgents || ['claude_code', 'codex', 'opencode'],
-  };
-
-  return license;
-}
-
-function verifyLicense(license, scopePubkey, fingerprint) {
-  const issues = [];
-
-  // Check expiration
-  if (license.expires_at) {
-    if (new Date(license.expires_at) < new Date()) {
-      issues.push('License has expired');
-    }
-  }
-
-  // Check machine binding
-  if (license.require_machine_binding) {
-    if (license.machine_fingerprint && license.machine_fingerprint !== fingerprint) {
-      issues.push('Machine fingerprint mismatch');
-    }
-  }
-
-  return {
-    valid: issues.length === 0,
-    issues,
-    domain: license.domain,
-    license_id: license.license_id,
-    issued_to: license.issued_to,
-  };
-}
-
-function signLicense(license, privateKeyPem) {
-  const { signature: _, ...payload } = license;
-  const data = JSON.stringify(payload, Object.keys(payload).sort());
-  // Use crypto.sign() for Ed25519 (supported via PEM keys)
-  const sig = crypto.sign(null, Buffer.from(data), privateKeyPem);
-  license.signature = `ed25519:${sig.toString('hex')}`;
-  return license;
-}
-
-function verifyLicenseSignature(license, publicKeyPem) {
-  const signature = license.signature?.replace('ed25519:', '') || '';
-  if (!signature) return false;
-  const { signature: _, ...payload } = license;
-  const data = JSON.stringify(payload, Object.keys(payload).sort());
-  try {
-    return crypto.verify(null, Buffer.from(data), publicKeyPem, Buffer.from(signature, 'hex'));
-  } catch {
-    return false;
-  }
-}
-
-module.exports = {
-  encrypt,
-  decrypt,
-  deriveKey,
-  machineFingerprint,
-  isEncryptable,
-  isEncryptedContainer,
-  createLicense,
-  verifyLicense,
-  signLicense,
-  verifyLicenseSignature,
-  ENCRYPTED_FILES,
-  PLAINTEXT_FILES,
-};