npm - @aikdna/kdna-cli - Versions diffs - 0.17.0 → 0.19.0 - Mend

@aikdna/kdna-cli 0.17.0 → 0.19.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

package/README.md +120 -101
package/SECURITY.md +1 -1
package/package.json +6 -4
package/skills/kdna-loader/SKILL.md +23 -22
package/src/agent.js +290 -159
package/src/cli.js +117 -67
package/src/cmds/_common.js +40 -18
package/src/cmds/badge.js +14 -9
package/src/cmds/changelog.js +32 -12
package/src/cmds/cluster.js +80 -85
package/src/cmds/doctor.js +10 -27
package/src/cmds/domain.js +114 -427
package/src/cmds/explain.js +119 -0
package/src/cmds/governance.js +111 -42
package/src/cmds/legacy.js +8 -9
package/src/cmds/license.js +491 -26
package/src/cmds/quality.js +10 -3
package/src/cmds/registry.js +15 -67
package/src/cmds/studio.js +99 -47
package/src/cmds/test.js +9 -6
package/src/cmds/trace.js +11 -7
package/src/compare.js +41 -22
package/src/diff.js +38 -24
package/src/identity.js +9 -7
package/src/init.js +2 -2
package/src/install.js +147 -459
package/src/loader.js +10 -10
package/src/package-store.js +232 -0
package/src/paths.js +44 -0
package/src/publish.js +150 -51
package/src/registry.js +81 -9
package/src/setup.js +19 -20
package/src/verify.js +293 -140
package/src/version.js +15 -7
package/templates/minimal-domain/kdna.json +7 -7
package/templates/standard-domain/README.md +10 -10
package/templates/standard-domain/kdna.json +7 -3
package/validators/kdna-lint.js +45 -11
package/src/cmds/encrypt.js +0 -199

package/src/cmds/domain.js CHANGED Viewed

@@ -2,15 +2,6 @@ const fs = require('fs');
 const path = require('path');
 const { execSync } = require('child_process');
 const { error, readJson, writeJson, EXIT } = require('./_common');
-const {
-  encrypt,
-  decrypt,
-  deriveKey,
-  machineFingerprint,
-  isEncryptable,
-  ENCRYPTED_FILES,
-} = require('./encrypt');
 const KDNA_DOMAIN_FILES = new Set([
   'KDNA_Core.json',
   'KDNA_Patterns.json',
@@ -244,12 +235,17 @@ function cmdPack(dir, outputDir) {
       .readdirSync(abs)
       .filter((f) => f.endsWith('.json') && f !== 'kdna.json').length;
     manifest = {
-      kdna_spec: '1.0-rc',
+      format: 'kdna',
+      format_version: '1.0',
+      spec_version: '1.0-rc',
       name: domainName,
       version: core.meta?.version || '0.1.0',
+      judgment_version: core.meta?.version || '0.1.0',
       status: 'experimental',
+      quality_badge: 'untested',
       access: 'open',
-      language: 'en',
+      languages: ['en'],
+      default_language: 'en',
       author: { name: '', id: '' },
       license: { type: 'CC-BY-4.0' },
       description: core.meta?.purpose || `${domainName} domain cognition`,
@@ -277,6 +273,7 @@ function cmdPack(dir, outputDir) {
 src = ${JSON.stringify(abs)}
 out = ${JSON.stringify(outPath)}
 with zipfile.ZipFile(out, 'w', zipfile.ZIP_DEFLATED) as zf:
+    zf.writestr(zipfile.ZipInfo('mimetype'), 'application/vnd.aikdna.kdna+zip', compress_type=zipfile.ZIP_STORED)
     for f in sorted(os.listdir(src)):
         fp = os.path.join(src, f)
         if os.path.isfile(fp) and (f.endswith('.json') or f in ('README.md', 'LICENSE', 'kdna.json')):
@@ -295,7 +292,17 @@ with zipfile.ZipFile(out, 'w', zipfile.ZIP_DEFLATED) as zf:
     }
   }
-  // Strategy 2: system zip command
+  // Strategy 2: Node.js native ZIP, which preserves the required mimetype entry
+  if (!packed) {
+    try {
+      createNodeZip(abs, outPath);
+      packed = true;
+    } catch {
+      /* try external zip last */
+    }
+  }
+  // Strategy 3: system zip command
   if (!packed) {
     const cwd = process.cwd();
     try {
@@ -311,16 +318,6 @@ with zipfile.ZipFile(out, 'w', zipfile.ZIP_DEFLATED) as zf:
     }
   }
-  // #22: Strategy 3 — Node.js native ZIP (no external dependencies)
-  if (!packed) {
-    try {
-      createNodeZip(abs, outPath);
-      packed = true;
-    } catch {
-      /* last attempt failed */
-    }
-  }
   if (!packed) {
     const platform = process.platform;
     const hints = {
@@ -350,11 +347,14 @@ function createNodeZip(srcDir, outPath) {
   const fileData = [];
   let offset = 0;
-  for (const f of files) {
-    const raw = fs.readFileSync(path.join(srcDir, f));
+  for (const f of ['mimetype', ...files]) {
+    const raw =
+      f === 'mimetype'
+        ? Buffer.from('application/vnd.aikdna.kdna+zip')
+        : fs.readFileSync(path.join(srcDir, f));
     const crc = crc32(raw);
     const compressed = zlib.deflateRawSync(raw);
-    const useStore = compressed.length >= raw.length;
+    const useStore = f === 'mimetype' || compressed.length >= raw.length;
     const nameBytes = Buffer.from(f, 'utf8');
     const localHeader = Buffer.alloc(30);
@@ -469,7 +469,7 @@ zf.close()
   files.forEach((f) => console.log(`    ${f}`));
 }
-// ─── Inspect .kdna file (ZIP container or legacy merged JSON) ────────────
+// ─── Inspect .kdna file (ZIP container) ──────────────────────────────────
 function inspectKdnaFile(filePath, jsonMode = false) {
   const abs = path.resolve(filePath);
@@ -481,107 +481,48 @@ function inspectKdnaFile(filePath, jsonMode = false) {
   fs.readSync(fd, head, 0, 4, 0);
   fs.closeSync(fd);
   const isZip = head[0] === 0x50 && head[1] === 0x4b;
+  if (!isZip) error('Invalid .kdna asset: expected ZIP container');
-  let core, patterns, manifest;
-  const presentFiles = [];
-  if (isZip) {
-    // ZIP container — extract to temp, read files
-    const os = require('os');
-    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'kdna-inspect-'));
-    try {
-      const tmpInspectPy = path.join(
-        fs.existsSync('/tmp') ? '/tmp' : require('os').tmpdir(),
-        `kdna-inspect-${Date.now()}.py`,
-      );
-      try {
-        const script = `import zipfile, os
-zf = zipfile.ZipFile(${JSON.stringify(abs)}, 'r')
-zf.extractall(${JSON.stringify(tmpDir)})
-zf.close()
-`;
-        fs.writeFileSync(tmpInspectPy, script);
-        execSync(`python3 ${tmpInspectPy}`, { stdio: 'pipe' });
-      } finally {
-        try {
-          fs.unlinkSync(tmpInspectPy);
-        } catch {
-          /* cleanup */
-        }
-      }
-    } catch {
-      try {
-        execSync(`unzip -q -o "${abs}" -d "${tmpDir}"`, { stdio: 'pipe' });
-      } catch {
-        fs.rmSync(tmpDir, { recursive: true, force: true });
-        error('Cannot read .kdna container. Install python3 or unzip.');
-      }
-    }
-    core = readJson(path.join(tmpDir, 'KDNA_Core.json'));
-    patterns = readJson(path.join(tmpDir, 'KDNA_Patterns.json'));
-    manifest = readJson(path.join(tmpDir, 'kdna.json'));
-    for (const f of fs.readdirSync(tmpDir)) {
-      if (f.startsWith('KDNA_') && f.endsWith('.json')) {
-        presentFiles.push(f);
-      }
-      if (f === 'README.md' || f === 'LICENSE') presentFiles.push(f);
-    }
-    fs.rmSync(tmpDir, { recursive: true, force: true });
-  } else {
-    // Legacy merged JSON/YAML format (deprecated)
-    const raw = fs.readFileSync(abs, 'utf8');
-    let data;
-    try {
-      data = JSON.parse(raw);
-    } catch {
-      data = parseSimpleYaml(raw);
-    }
-    if (!data || !data.meta) error(`Invalid .kdna file: missing meta section`);
-    const m = data.meta || {};
-    manifest = {
-      name: m.name || m.domain,
-      version: m.version || '?',
-      status: data.status || '?',
-      access: data.access || '?',
-      language: data.language || '?',
-      author: data.author || { name: '?' },
-      license: data.license || { type: '?' },
-      description: data.description || m.purpose || '?',
-      spec_version: m.spec_version || data.kdna_spec || '?',
-    };
-    core = data.core || {};
-    patterns = data.patterns || {};
-    presentFiles.push('.kdna (legacy merged format)');
-    if (data.scenarios) {
-      presentFiles.push('scenarios (inline)');
-    }
-    if (data.cases) {
-      presentFiles.push('cases (inline)');
-    }
-    if (data.reasoning) {
-      presentFiles.push('reasoning (inline)');
-    }
-    if (data.evolution) {
-      presentFiles.push('evolution (inline)');
-    }
+  const { listContainerEntries, readContainerJson } = require('../package-store');
+  const { licenseDecryptOptionsForManifest } = require('./license');
+  const presentFiles = listContainerEntries(abs).filter(
+    (f) => (f.startsWith('KDNA_') && f.endsWith('.json')) || f === 'README.md' || f === 'LICENSE',
+  );
+  const manifest = readContainerJson(abs, 'kdna.json') || {};
+  const encryptedEntries = Array.isArray(manifest.encryption?.encrypted_entries)
+    ? manifest.encryption.encrypted_entries
+    : [];
+  let decryptOptions = {};
+  let decryptError = null;
+  if (encryptedEntries.length) {
+    const licensed = licenseDecryptOptionsForManifest(manifest);
+    if (licensed.ok) decryptOptions = { decryptEntry: licensed.decryptEntry };
+    else decryptError = licensed.error;
+  }
+  let core = null;
+  let patterns = null;
+  try {
+    core = decryptError ? null : readContainerJson(abs, 'KDNA_Core.json', decryptOptions);
+    patterns = decryptError ? null : readContainerJson(abs, 'KDNA_Patterns.json', decryptOptions);
+  } catch (e) {
+    if (!encryptedEntries.length) error(`Cannot inspect .kdna asset: ${e.message}`);
+    decryptError = e.message;
   }
-  if (!core) error('KDNA_Core.json not found in container');
+  if (!core && !encryptedEntries.includes('KDNA_Core.json')) {
+    error('KDNA_Core.json not found in container');
+  }
   const m = manifest || {};
-  const c = core;
+  const c = core || {};
   const p = patterns || {};
   if (jsonMode) {
     const result = {
       name: m.name || c.meta?.domain || path.basename(abs, '.kdna'),
-      format: isZip ? 'kdna-zip' : 'legacy-merged',
-      spec: m.spec_version || m.kdna_spec || null,
+      format: 'kdna-zip',
+      spec: m.spec_version || null,
       version: m.version || null,
       status: m.status || 'experimental',
       access: m.access || 'open',
@@ -589,6 +530,9 @@ zf.close()
       license: m.license?.type || null,
       created: m.created || c.meta?.created || null,
       description: m.description || c.meta?.purpose || null,
+      protected: encryptedEntries.length > 0,
+      encrypted_entries: encryptedEntries,
+      license_required: !!decryptError,
       content: {
         axioms: (c.axioms || []).length,
         ontology: (c.ontology || []).length,
@@ -608,8 +552,8 @@ zf.close()
   console.log(`  ${m.name || c.meta?.domain || path.basename(abs, '.kdna')} — KDNA Domain`);
   console.log('═'.repeat(50));
   console.log('');
-  console.log(`  Format:      .kdna ${isZip ? '(ZIP container)' : '(legacy merged)'}`);
-  console.log(`  Spec:        ${m.spec_version || m.kdna_spec || '0.4'}`);
+  console.log(`  Format:      .kdna (ZIP container)`);
+  console.log(`  Spec:        ${m.spec_version || '?'}`);
   console.log(`  Version:     ${m.version || '?'}`);
   console.log(`  Status:      ${m.status || 'experimental'}`);
   console.log(`  Access:      ${m.access || 'open'}`);
@@ -617,6 +561,10 @@ zf.close()
   console.log(`  License:     ${m.license?.type || '?'}`);
   console.log(`  Created:     ${m.created || c.meta?.created || '?'}`);
   console.log(`  Description: ${m.description || c.meta?.purpose || '?'}`);
+  if (encryptedEntries.length) {
+    console.log(`  Protected:   ${encryptedEntries.join(', ')}`);
+    if (decryptError) console.log(`  Activation:  required (${decryptError})`);
+  }
   console.log('');
   console.log('  ── Content ──');
   console.log(`  Axioms:             ${(c.axioms || []).length}`);
@@ -633,57 +581,9 @@ zf.close()
   console.log('═'.repeat(50));
 }
-function parseSimpleYaml(raw) {
-  // Parse a simple subset of YAML (no nesting beyond 1 level for sections)
-  const result = {};
-  let currentSection = null;
-  const lines = raw.split('\n');
-  for (const line of lines) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith('#')) continue;
-    // Section header: "core:" or "  core:" etc
-    if (/^[a-z_]+:$/.test(trimmed)) {
-      currentSection = trimmed.slice(0, -1);
-      if (!result[currentSection]) result[currentSection] = {};
-      continue;
-    }
-    // Key: value
-    const kv = trimmed.match(/^([a-z_]+):\s*(.*)/i);
-    if (kv && !kv[1].startsWith('-')) {
-      const key = kv[1];
-      const val = kv[2].trim().replace(/^["']|["']$/g, '');
-      if (currentSection) {
-        if (key === 'version' && typeof result[currentSection] === 'object') {
-          result[currentSection][key] = val;
-        } else if (!result[currentSection][key]) {
-          result[currentSection][key] = val;
-        }
-      } else {
-        result[key] = val;
-      }
-      continue;
-    }
-    // Array item: "- value"
-    if (trimmed.startsWith('- ') && currentSection) {
-      // For counts only, we don't parse full arrays
-      if (currentSection === 'axioms' || currentSection === 'stances') {
-        if (!result.core) result.core = {};
-        if (!result.core[currentSection]) result.core[currentSection] = [];
-        result.core[currentSection].push({ _parsed: true });
-      }
-    }
-  }
-  return result;
-}
 // ─── Inspect ───────────────────────────────────────────────────────────
-function cmdInspect(dir, jsonMode = false, locale = null) {
+function cmdInspect(dir, jsonMode = false, locale = null, options = {}) {
   const abs = path.resolve(dir);
   const stat = fs.existsSync(abs) ? fs.statSync(abs) : null;
   if (!stat) error(`Path not found: ${abs}`, EXIT.INPUT_ERROR);
@@ -694,7 +594,14 @@ function cmdInspect(dir, jsonMode = false, locale = null) {
     return;
   }
-  // Directory — existing logic
+  if (stat.isDirectory() && !options.allowDirectory) {
+    error(
+      'Directory inspection is a dev-only operation. Use: kdna dev inspect <source-dir>',
+      EXIT.INPUT_ERROR,
+    );
+  }
+  // Dev source directory
   if (!stat.isDirectory()) error(`Not a KDNA domain: ${abs}`, EXIT.INPUT_ERROR);
   const core = readJson(path.join(abs, 'KDNA_Core.json'));
@@ -722,6 +629,16 @@ function cmdInspect(dir, jsonMode = false, locale = null) {
   ];
   const filesPresent = expected.filter((f) => fs.existsSync(path.join(abs, f)));
+  // Governance metadata (with locale support)
+  let kdnaCard = readJson(path.join(abs, 'KDNA_CARD.json'));
+  if (locale && !kdnaCard) {
+    kdnaCard = readJson(path.join(abs, 'locales', locale, 'KDNA_CARD.json'));
+  }
+  if (locale && kdnaCard) {
+    const localeCard = readJson(path.join(abs, 'locales', locale, 'KDNA_CARD.json'));
+    if (localeCard) kdnaCard = localeCard;
+  }
   if (jsonMode) {
     const result = {
       name: m.name || c.meta?.domain || path.basename(abs),
@@ -827,15 +744,6 @@ function cmdInspect(dir, jsonMode = false, locale = null) {
   if (evo) console.log(`  Evolution stages:   ${(evo.stages || []).length}`);
-  // Governance metadata (with locale support)
-  let kdnaCard = readJson(path.join(abs, 'KDNA_CARD.json'));
-  if (locale && !kdnaCard) {
-    kdnaCard = readJson(path.join(abs, 'locales', locale, 'KDNA_CARD.json'));
-  }
-  if (locale && kdnaCard) {
-    const localeCard = readJson(path.join(abs, 'locales', locale, 'KDNA_CARD.json'));
-    if (localeCard) kdnaCard = localeCard;
-  }
   if (kdnaCard) {
     const displayName = kdnaCard.display_name || '';
     const summary = kdnaCard.summary || '';
@@ -870,265 +778,46 @@ function cmdInspect(dir, jsonMode = false, locale = null) {
   console.log('═'.repeat(50));
 }
-// ─── Encrypted Container (.kdnae) ─────────────────────────────────────
+// ─── KDNA Card (locale-aware) ────────────────────────────────────
-function cmdPackEncrypt(dir, args = []) {
-  const abs = path.resolve(dir);
-  if (!fs.existsSync(abs) || !fs.statSync(abs).isDirectory()) {
-    error(`Not a directory: ${abs}`, EXIT.INPUT_ERROR);
-  }
+function readCardFromDirectory(abs, locale = null) {
+  if (!fs.existsSync(abs) || !fs.statSync(abs).isDirectory()) return null;
+  let card = readJson(path.join(abs, 'KDNA_CARD.json'));
-  const core = readJson(path.join(abs, 'KDNA_Core.json'));
-  const pat = readJson(path.join(abs, 'KDNA_Patterns.json'));
-  if (!core) error('KDNA_Core.json not found or invalid');
-  if (!pat) error('KDNA_Patterns.json not found or invalid');
+  if (locale) {
+    const localeCard = readJson(path.join(abs, 'locales', locale, 'KDNA_CARD.json'));
+    if (localeCard) {
+      card = { ...card, ...localeCard };
+    }
+  }
-  const domainName = core.meta?.domain || path.basename(abs);
+  return card;
+}
-  let manifest = readJson(path.join(abs, 'kdna.json'));
-  if (!manifest) {
-    const jsonCount = fs
-      .readdirSync(abs)
-      .filter((f) => f.endsWith('.json') && f !== 'kdna.json').length;
-    manifest = {
-      kdna_spec: '1.0-rc',
-      name: domainName,
-      version: core.meta?.version || '0.1.0',
-      status: 'experimental',
-      access: 'licensed',
-      language: 'en',
-      author: { name: '', id: '' },
-      license: { type: 'KCL-1.0' },
-      description: core.meta?.purpose || `${domainName} domain cognition`,
-      file_count: jsonCount,
-      created: new Date().toISOString().slice(0, 10),
-      updated: new Date().toISOString().slice(0, 10),
-    };
-    writeJson(path.join(abs, 'kdna.json'), manifest);
-  }
+function cmdCard(dir, jsonMode = false, locale = null, options = {}) {
+  const abs = path.resolve(dir);
+  const stat = fs.existsSync(abs) ? fs.statSync(abs) : null;
+  if (!stat) error(`Path not found: ${abs}`, EXIT.INPUT_ERROR);
-  // Get encryption key
-  const licenseIdx = args.indexOf('--license');
-  const keyIdx = args.indexOf('--key');
-  let encKey;
-  if (licenseIdx >= 0) {
-    const licensePath = args[licenseIdx + 1];
-    if (!licensePath || !fs.existsSync(licensePath))
-      error('License file not found', EXIT.INPUT_ERROR);
-    const license = JSON.parse(fs.readFileSync(licensePath, 'utf8'));
-    const licenseKey = license.license_id;
-    const fp = machineFingerprint();
-    encKey = deriveKey(licenseKey, fp);
-  } else if (keyIdx >= 0) {
-    const rawKey = args[keyIdx + 1];
-    if (!rawKey) error('--key requires a value', EXIT.INPUT_ERROR);
-    encKey = deriveKey(rawKey, machineFingerprint());
-  } else {
+  if (stat.isDirectory() && !options.allowDirectory) {
     error(
-      'Use --license <license.json> or --key <secret> to provide encryption key',
+      'Directory card inspection is a dev-only operation. Use: kdna dev card <source-dir>',
       EXIT.INPUT_ERROR,
     );
   }
-  const outputDir = args.includes('--output') ? args[args.indexOf('--output') + 1] : null;
-  const outName = `${domainName}.kdnae`;
-  const outPath = outputDir ? path.join(outputDir, outName) : path.join(process.cwd(), outName);
-  if (outputDir && !fs.existsSync(outputDir)) fs.mkdirSync(outputDir, { recursive: true });
-  // Build encrypted ZIP
-  const zlib = require('zlib');
-  const files = fs.readdirSync(abs).filter((f) => {
-    if (f.startsWith('.')) return false;
-    const ext = path.extname(f);
-    return ext === '.json' || f === 'README.md' || f === 'LICENSE' || f === 'kdna.json';
-  });
-  const centralDir = [];
-  const fileData = [];
-  let offset = 0;
-  for (const f of files.sort()) {
-    let raw = fs.readFileSync(path.join(abs, f));
-    let storedName = f;
-    if (isEncryptable(f)) {
-      try {
-        const encrypted = encrypt(raw.toString('utf8'), encKey);
-        raw = encrypted;
-        storedName = f; // Keep original name, content is encrypted
-      } catch (err) {
-        error(`Failed to encrypt ${f}: ${err.message}`);
-      }
+  let card = null;
+  if (stat.isFile() && abs.endsWith('.kdna')) {
+    const { readContainerJson } = require('../package-store');
+    card = readContainerJson(abs, 'KDNA_CARD.json') || null;
+    if (locale) {
+      const localeCard = readContainerJson(abs, `locales/${locale}/KDNA_CARD.json`) || null;
+      if (localeCard) card = { ...card, ...localeCard };
     }
-    const crc = crc32(raw);
-    const compressed = zlib.deflateRawSync(raw);
-    const useStore = compressed.length >= raw.length;
-    const stored = useStore ? raw : compressed;
-    const nameBytes = Buffer.from(storedName, 'utf8');
-    const localHeader = Buffer.alloc(30);
-    localHeader.writeUInt32LE(0x04034b50, 0);
-    localHeader.writeUInt16LE(20, 4);
-    localHeader.writeUInt16LE(0x0800, 6);
-    localHeader.writeUInt16LE(useStore ? 0 : 8, 8);
-    localHeader.writeUInt32LE(crc, 14);
-    localHeader.writeUInt32LE(useStore ? raw.length : compressed.length, 18);
-    localHeader.writeUInt32LE(raw.length, 22);
-    localHeader.writeUInt16LE(nameBytes.length, 26);
-    fileData.push(Buffer.concat([localHeader, nameBytes, stored]));
-    offset += localHeader.length + nameBytes.length + stored.length;
-    const cdEntry = Buffer.alloc(46);
-    cdEntry.writeUInt32LE(0x02014b50, 0);
-    cdEntry.writeUInt16LE(20, 4);
-    cdEntry.writeUInt16LE(20, 6);
-    cdEntry.writeUInt16LE(0x0800, 8);
-    cdEntry.writeUInt16LE(useStore ? 0 : 8, 10);
-    cdEntry.writeUInt32LE(crc, 16);
-    cdEntry.writeUInt32LE(useStore ? raw.length : compressed.length, 20);
-    cdEntry.writeUInt32LE(raw.length, 24);
-    cdEntry.writeUInt16LE(nameBytes.length, 28);
-    cdEntry.writeUInt32LE(offset - stored.length - nameBytes.length - localHeader.length, 42);
-    centralDir.push(Buffer.concat([cdEntry, nameBytes]));
-  }
-  const cdOffset = offset;
-  const cdSize = centralDir.reduce((s, e) => s + e.length, 0);
-  const eocd = Buffer.alloc(22);
-  eocd.writeUInt32LE(0x06054b50, 0);
-  eocd.writeUInt16LE(0, 4);
-  eocd.writeUInt16LE(0, 6);
-  eocd.writeUInt16LE(files.length, 8);
-  eocd.writeUInt16LE(files.length, 10);
-  eocd.writeUInt32LE(cdSize, 12);
-  eocd.writeUInt32LE(cdOffset, 16);
-  eocd.writeUInt16LE(0, 20);
-  const all = Buffer.concat([...fileData, ...centralDir, eocd]);
-  fs.writeFileSync(outPath, all);
-  console.log(`✓ Encrypted pack: ${outPath}`);
-  console.log(`  Domain: ${domainName} v${manifest.version}`);
-  console.log(
-    `  Files: ${files.length} (${files.filter(isEncryptable).length} encrypted, ${files.filter((f) => !isEncryptable(f)).length} plaintext)`,
-  );
-  console.log(`  Container: AES-256-GCM .kdnae`);
-}
-function cmdUnpackEncrypt(filePath, args = []) {
-  const abs = path.resolve(filePath);
-  if (!fs.existsSync(abs) || !fs.statSync(abs).isFile()) {
-    error(`Not a file: ${abs}`, EXIT.INPUT_ERROR);
-  }
-  if (!abs.endsWith('.kdnae')) {
-    error(`Not a .kdnae file: ${abs}`, EXIT.INPUT_ERROR);
-  }
-  const licenseIdx = args.indexOf('--license');
-  const keyIdx = args.indexOf('--key');
-  let encKey;
-  if (licenseIdx >= 0) {
-    const licensePath = args[licenseIdx + 1];
-    if (!licensePath || !fs.existsSync(licensePath))
-      error('License file not found', EXIT.INPUT_ERROR);
-    const license = JSON.parse(fs.readFileSync(licensePath, 'utf8'));
-    const licenseKey = license.license_id;
-    const fp = machineFingerprint();
-    encKey = deriveKey(licenseKey, fp);
-  } else if (keyIdx >= 0) {
-    const rawKey = args[keyIdx + 1];
-    if (!rawKey) error('--key requires a value', EXIT.INPUT_ERROR);
-    encKey = deriveKey(rawKey, machineFingerprint());
+  } else if (stat.isDirectory()) {
+    card = readCardFromDirectory(abs, locale);
   } else {
-    error('Use --license <license.json> or --key <secret> to decrypt', EXIT.INPUT_ERROR);
-  }
-  const domainName = path.basename(abs, '.kdnae');
-  const outDir = path.join(path.dirname(abs), domainName);
-  const force = args.includes('--force');
-  if (fs.existsSync(outDir)) {
-    if (!force)
-      error(`Directory already exists: ${outDir}\nUse --force to overwrite.`, EXIT.INPUT_ERROR);
-    fs.rmSync(outDir, { recursive: true, force: true });
-  }
-  fs.mkdirSync(outDir, { recursive: true });
-  // Extract ZIP first, then decrypt KDNA JSON files
-  const os = require('os');
-  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'kdnae-unpack-'));
-  try {
-    const tmpPy = path.join(os.tmpdir(), `kdnae-unpack-${Date.now()}.py`);
-    try {
-      const script = `import zipfile, os
-zf = zipfile.ZipFile(${JSON.stringify(abs)}, 'r')
-zf.extractall(${JSON.stringify(tmpDir)})
-zf.close()
-`;
-      fs.writeFileSync(tmpPy, script);
-      execSync(`python3 ${tmpPy}`, { stdio: 'pipe' });
-    } catch {
-      try {
-        execSync(`unzip -q -o "${abs}" -d "${tmpDir}"`, { stdio: 'pipe' });
-      } catch {
-        error('Cannot unpack .kdnae container');
-      }
-    } finally {
-      try {
-        fs.unlinkSync(tmpPy);
-      } catch {
-        /* cleanup */
-      }
-    }
-    // Copy plaintext files, decrypt KDNA files
-    const extracted = fs.readdirSync(tmpDir);
-    for (const f of extracted) {
-      const src = path.join(tmpDir, f);
-      const dest = path.join(outDir, f);
-      if (ENCRYPTED_FILES.includes(f)) {
-        try {
-          const encrypted = fs.readFileSync(src);
-          const decrypted = decrypt(encrypted, encKey);
-          fs.writeFileSync(dest, decrypted);
-        } catch (err) {
-          error(`Failed to decrypt ${f}: ${err.message}. Wrong license key?`);
-        }
-      } else {
-        fs.copyFileSync(src, dest);
-      }
-    }
-  } finally {
-    try {
-      fs.rmSync(tmpDir, { recursive: true, force: true });
-    } catch {
-      /* cleanup */
-    }
-  }
-  console.log(`✓ Decrypted: ${outDir}`);
-  const files = fs.readdirSync(outDir);
-  console.log(`  Files: ${files.length}`);
-  files.forEach((f) => console.log(`    ${f}`));
-}
-// ─── KDNA Card (locale-aware) ────────────────────────────────────
-function cmdCard(dir, jsonMode = false, locale = null) {
-  const abs = path.resolve(dir);
-  let card = readJson(path.join(abs, 'KDNA_CARD.json'));
-  if (locale) {
-    const localeCard = readJson(path.join(abs, 'locales', locale, 'KDNA_CARD.json'));
-    if (localeCard) {
-      card = { ...card, ...localeCard };
-    }
+    error(`Not a .kdna asset: ${abs}`, EXIT.INPUT_ERROR);
   }
   if (!card) {
@@ -1195,9 +884,7 @@ function cmdCard(dir, jsonMode = false, locale = null) {
 module.exports = {
   cmdValidate,
   cmdPack,
-  cmdPackEncrypt,
   cmdUnpack,
-  cmdUnpackEncrypt,
   cmdInspect,
   cmdCard,
 };