@aikdna/kdna-cli 0.18.0 → 0.19.0

package/src/publish.js

@@ -53,17 +53,17 @@ const SLOGAN_PATTERNS = [
 // PRIORITIZE or AVOID, not steps to follow.
 
 const SOP_PATTERNS = [
-  /^Step\s+\d/i,                     // "Step 1: identify the topic"
+  /^Step\s+\d/i, // "Step 1: identify the topic"
   /^First,?\s|^Next,?\s|^Then,?\s|^Finally,?\s/i, // "First, do X. Then do Y."
-  /^Check\s(for|if|whether)\s/i,    // "Check for spelling errors"
+  /^Check\s(for|if|whether)\s/i, // "Check for spelling errors"
   /^Always\s+(use|do|make|include)/i, // "Always use active voice"
-  /^Never\s+(use|do|make)/i,        // "Never use passive voice"
-  /^Generate\s/i,                    // "Generate three options"
-  /^Create\s+(a|the)\s/i,           // "Create a list of..."
-  /^Make\s+sure\s/i,                // "Make sure to check..."
-  /^Remember\s+to\s/i,              // "Remember to validate..."
+  /^Never\s+(use|do|make)/i, // "Never use passive voice"
+  /^Generate\s/i, // "Generate three options"
+  /^Create\s+(a|the)\s/i, // "Create a list of..."
+  /^Make\s+sure\s/i, // "Make sure to check..."
+  /^Remember\s+to\s/i, // "Remember to validate..."
   /^(You|The agent)\s+should\s+(use|do|make|include)/i, // "You should use X"
-  /^Avoid\s+(using|doing)/i,         // "Avoid using X" (too procedural)
+  /^Avoid\s+(using|doing)/i, // "Avoid using X" (too procedural)
 ];
 
 function isSOP(text) {
@@ -188,13 +188,19 @@ function checkHumanLock(domainPath) {
     // Rule 3: Lock must confirm judgment fields were reviewed
     const checked = card.human_lock.checked || {};
     if (!checked.applies_when) {
-      issues.push(`${card.type} "${card.id}" Human Lock does not confirm applies_when was reviewed.`);
+      issues.push(
+        `${card.type} "${card.id}" Human Lock does not confirm applies_when was reviewed.`,
+      );
     }
     if (!checked.does_not_apply_when) {
-      issues.push(`${card.type} "${card.id}" Human Lock does not confirm does_not_apply_when was reviewed.`);
+      issues.push(
+        `${card.type} "${card.id}" Human Lock does not confirm does_not_apply_when was reviewed.`,
+      );
     }
     if (!checked.failure_risk) {
-      issues.push(`${card.type} "${card.id}" Human Lock does not confirm failure_risk was reviewed.`);
+      issues.push(
+        `${card.type} "${card.id}" Human Lock does not confirm failure_risk was reviewed.`,
+      );
     }
   }
 
@@ -527,29 +533,24 @@ function identityPaths() {
 }
 
 /**
- * Canonical signing payload: sorted (filename, sha256) pairs of all .json files
- * inside the .kdna ZIP, joined as `name:hex\n`. This is what the signature covers.
+ * Canonical signing payload: sorted (filename, sha256) pairs of all published
+ * content entries inside the .kdna ZIP, joined as `name:hex\n`.
  *
  * Excludes the `signature` field from kdna.json itself (computed by removing it
  * before hashing). Digest self-reference fields are also excluded. All other files included as-is.
  */
 function canonicalPayload(srcDir, opts = {}) {
-  const files = fs
-    .readdirSync(srcDir)
-    .filter((f) => f.endsWith('.json'))
-    .sort();
+  const files = listPublishEntries(srcDir);
   const parts = [];
   for (const f of files) {
-    const full = path.join(srcDir, f);
+    const full = f === 'mimetype' ? null : path.join(srcDir, f);
     let buf;
-    if (f === 'kdna.json') {
+    if (f === 'mimetype') {
+      buf = Buffer.from('application/vnd.aikdna.kdna+zip');
+    } else if (f.endsWith('.json')) {
       const obj = JSON.parse(fs.readFileSync(full, 'utf8'));
-      delete obj.signature;
-      delete obj.asset_digest;
-      delete obj.container_sha256;
-      if (!opts.includeContentDigest) delete obj.content_digest;
-      delete obj._source;
-      buf = Buffer.from(JSON.stringify(obj));
+      const value = f === 'kdna.json' ? manifestForSigning(obj, opts) : obj;
+      buf = Buffer.from(stableStringify(value));
     } else {
       buf = fs.readFileSync(full);
     }
@@ -559,6 +560,16 @@ function canonicalPayload(srcDir, opts = {}) {
   return parts.join('\n');
 }
 
+function manifestForSigning(manifest, opts = {}) {
+  const copy = { ...(manifest || {}) };
+  delete copy.signature;
+  delete copy.asset_digest;
+  delete copy.container_sha256;
+  if (!opts.includeContentDigest) delete copy.content_digest;
+  delete copy._source;
+  return copy;
+}
+
 function stableStringify(value) {
   if (Array.isArray(value)) return `[${value.map(stableStringify).join(',')}]`;
   if (value && typeof value === 'object') {
@@ -581,22 +592,55 @@ function manifestForContentDigest(manifest) {
 }
 
 function sourceContentDigest(srcDir) {
-  const files = fs
-    .readdirSync(srcDir)
-    .filter((f) => f.endsWith('.json') || f === 'README.md' || f === 'LICENSE')
-    .sort();
+  const files = listPublishEntries(srcDir);
   const parts = [];
   for (const f of files) {
     let buf;
-    if (f === 'kdna.json') {
+    if (f === 'mimetype') {
+      buf = Buffer.from('application/vnd.aikdna.kdna+zip');
+    } else if (f.endsWith('.json')) {
       const obj = JSON.parse(fs.readFileSync(path.join(srcDir, f), 'utf8'));
-      buf = Buffer.from(stableStringify(manifestForContentDigest(obj)));
+      const value = f === 'kdna.json' ? manifestForContentDigest(obj) : obj;
+      buf = Buffer.from(stableStringify(value));
     } else {
       buf = fs.readFileSync(path.join(srcDir, f));
     }
     parts.push(`${f}:${crypto.createHash('sha256').update(buf).digest('hex')}`);
   }
-  return `sha256:${crypto.createHash('sha256').update(Buffer.from(parts.join('\n'))).digest('hex')}`;
+  return `sha256:${crypto
+    .createHash('sha256')
+    .update(Buffer.from(parts.join('\n')))
+    .digest('hex')}`;
+}
+
+function listPublishEntries(domainDir) {
+  const entries = ['mimetype'];
+  const skipDirs = new Set(['.git', 'node_modules', 'dist']);
+  function walk(dir, prefix = '') {
+    for (const name of fs.readdirSync(dir).sort()) {
+      if (name === 'mimetype') continue;
+      if (name === '.DS_Store' || name === 'signature.json') continue;
+      const abs = path.join(dir, name);
+      const rel = prefix ? `${prefix}/${name}` : name;
+      const stat = fs.statSync(abs);
+      if (stat.isDirectory()) {
+        if (!skipDirs.has(name)) walk(abs, rel);
+        continue;
+      }
+      if (
+        rel.endsWith('.json') ||
+        rel === 'README.md' ||
+        rel === 'LICENSE' ||
+        rel.startsWith('evals/') ||
+        rel.startsWith('examples/') ||
+        rel.startsWith('reports/')
+      ) {
+        entries.push(rel);
+      }
+    }
+  }
+  walk(domainDir);
+  return entries;
 }
 
 function signPayload(payload, privateKeyPem) {
@@ -623,17 +667,17 @@ function publicKeyToScopeFormat(publicKeyPem) {
 }
 
 function packToFile(domainDir, outPath) {
-  const files = fs
-    .readdirSync(domainDir)
-    .filter((f) => f.endsWith('.json') || f === 'README.md' || f === 'LICENSE');
-  if (!files.includes('kdna.json')) error('kdna.json required in dev source directory for publish.');
+  const files = listPublishEntries(domainDir).filter((f) => f !== 'mimetype');
+  if (!files.includes('kdna.json'))
+    error('kdna.json required in dev source directory for publish.');
 
   const script = `import zipfile, os
 src = ${JSON.stringify(domainDir)}
 out = ${JSON.stringify(outPath)}
 files = ${JSON.stringify(files)}
 with zipfile.ZipFile(out, 'w', zipfile.ZIP_DEFLATED) as zf:
-    for f in sorted(files):
+    zf.writestr(zipfile.ZipInfo('mimetype'), 'application/vnd.aikdna.kdna+zip', compress_type=zipfile.ZIP_STORED)
+    for f in files:
         zf.write(os.path.join(src, f), f)
 `;
   const tmpPy = `/tmp/kdna-publish-pack-${Date.now()}.py`;
@@ -729,13 +773,11 @@ function cmdPublish(domainPath, args = []) {
   fs.writeFileSync(manifestPath, JSON.stringify(manifest, null, 2) + '\n');
   manifest.content_digest = sourceContentDigest(abs);
   fs.writeFileSync(manifestPath, JSON.stringify(manifest, null, 2) + '\n');
-  const signedPayload = canonicalPayload(abs, { includeContentDigest: true });
+  const signedPayload = canonicalPayload(abs);
   const sig = signPayload(signedPayload, privateKey);
   manifest.signature = 'ed25519:' + sig;
   fs.writeFileSync(manifestPath, JSON.stringify(manifest, null, 2) + '\n');
-  console.log(
-    `  ✓ Signed (payload covers ${fs.readdirSync(abs).filter((f) => f.endsWith('.json')).length} json files)`,
-  );
+  console.log(`  ✓ Signed (payload covers ${listPublishEntries(abs).length} content entries)`);
 
   // 3. Pack
   const fileName = `${m[2]}-${manifest.version}.kdna`;
@@ -795,4 +837,10 @@ function cmdPublish(domainPath, args = []) {
   );
 }
 
-module.exports = { cmdPublishCheck, cmdPublish, checkHumanLock, canonicalPayload, publicKeyToScopeFormat };
+module.exports = {
+  cmdPublishCheck,
+  cmdPublish,
+  checkHumanLock,
+  canonicalPayload,
+  publicKeyToScopeFormat,
+};

package/src/registry.js

@@ -69,7 +69,8 @@ function registryTrustIssues(registry, { now = new Date() } = {}) {
   const snapshotExpires = parseDate(trust.snapshot?.expires_at);
   const timestampExpires = parseDate(trust.timestamp?.expires_at);
   if (!snapshotExpires) issues.push('registry.trust.snapshot.expires_at must be an ISO timestamp');
-  if (!timestampExpires) issues.push('registry.trust.timestamp.expires_at must be an ISO timestamp');
+  if (!timestampExpires)
+    issues.push('registry.trust.timestamp.expires_at must be an ISO timestamp');
   if (snapshotExpires && snapshotExpires <= now) {
     issues.push(`registry snapshot expired at ${trust.snapshot.expires_at}`);
   }
@@ -86,12 +87,14 @@ function registryRevocations(registry) {
 
 function isEntryRevoked(registry, entry) {
   const revocations = registryRevocations(registry);
-  return revocations.find((rev) => {
-    if (rev.name && rev.name !== entry.name) return false;
-    if (rev.version && rev.version !== entry.version) return false;
-    if (rev.asset_digest && rev.asset_digest !== entry.asset_digest) return false;
-    return rev.name || rev.asset_digest;
-  }) || null;
+  return (
+    revocations.find((rev) => {
+      if (rev.name && rev.name !== entry.name) return false;
+      if (rev.version && rev.version !== entry.version) return false;
+      if (rev.asset_digest && rev.asset_digest !== entry.asset_digest) return false;
+      return rev.name || rev.asset_digest;
+    }) || null
+  );
 }
 
 // ─── Name parsing ───────────────────────────────────────────────────────
@@ -213,7 +216,9 @@ class RegistryResolver {
       trustIssues = data ? registryTrustIssues(data) : [];
     }
     if (trustIssues.length) {
-      throw new Error(`Registry trust check failed:\n${trustIssues.map((i) => `- ${i}`).join('\n')}`);
+      throw new Error(
+        `Registry trust check failed:\n${trustIssues.map((i) => `- ${i}`).join('\n')}`,
+      );
     }
     this._registries.set(scopeName, data);
     return data;

package/src/verify.js

@@ -21,13 +21,6 @@ const { RegistryResolver, parseName, registryTrustIssues, isEntryRevoked } = req
 const { EXIT, isYesNoSelfCheck } = require('./cmds/_common');
 const { licenseDecryptOptionsForManifest } = require('./cmds/license');
 
-let validateManifestFn;
-try {
-  validateManifestFn = require('@aikdna/kdna-core').validateManifest;
-} catch {
-  // kdna-core not available — manifest validation skipped
-}
-
 const {
   getInstalled,
   listContainerEntries,
@@ -37,6 +30,50 @@ const {
   verifyAsset,
 } = require('./package-store');
 
+function validateManifestFn(manifest) {
+  const errors = [];
+  const warnings = [];
+  const required = [
+    'format',
+    'format_version',
+    'spec_version',
+    'name',
+    'version',
+    'judgment_version',
+    'description',
+    'author',
+    'license',
+    'status',
+    'quality_badge',
+    'access',
+    'languages',
+    'default_language',
+  ];
+
+  if (manifest.kdna_spec) errors.push('kdna.json: kdna_spec is not allowed. Use spec_version.');
+  if (manifest.language)
+    errors.push('kdna.json: language is not allowed. Use default_language and languages.');
+  for (const field of required) {
+    if (!(field in manifest) || manifest[field] === undefined || manifest[field] === '') {
+      errors.push(`kdna.json: missing required field "${field}"`);
+    }
+  }
+  if (manifest.format && manifest.format !== 'kdna') {
+    errors.push(`kdna.json.format: invalid value "${manifest.format}". Expected "kdna".`);
+  }
+  if (manifest.format_version && manifest.format_version !== '1.0') {
+    errors.push(
+      `kdna.json.format_version: invalid value "${manifest.format_version}". Expected "1.0".`,
+    );
+  }
+  if (manifest.spec_version && manifest.spec_version !== '1.0-rc') {
+    warnings.push(
+      `kdna.json.spec_version: non-standard value "${manifest.spec_version}". Expected "1.0-rc".`,
+    );
+  }
+  return { errors, warnings };
+}
+
 function readJson(p) {
   try {
     return JSON.parse(fs.readFileSync(p, 'utf8'));
@@ -672,15 +709,21 @@ function cmdVerify(input, args = []) {
     }
     const { checkTrust: agentCheckTrust } = require('./agent');
     const trust = agentCheckTrust(parsed.full);
-    console.log(JSON.stringify({
-      domain: parsed.full,
-      passed: trust.passed,
-      failures: trust.failures,
-      warnings: trust.warnings,
-      risk_level: trust.riskLevel,
-      spec_version: trust.specVersion,
-      signature_valid: trust.signatureValid,
-    }, null, 2));
+    console.log(
+      JSON.stringify(
+        {
+          domain: parsed.full,
+          passed: trust.passed,
+          failures: trust.failures,
+          warnings: trust.warnings,
+          risk_level: trust.riskLevel,
+          spec_version: trust.specVersion,
+          signature_valid: trust.signatureValid,
+        },
+        null,
+        2,
+      ),
+    );
     process.exit(trust.passed ? 0 : EXIT.TRUST_FAILED);
   }
 
@@ -743,7 +786,8 @@ function cmdVerify(input, args = []) {
     ? manifest.encryption.encrypted_entries
     : [];
   const requiresProtectedRead =
-    encryptedEntries.length > 0 && (want.structure || want.judgment || want.i18n || want.governance);
+    encryptedEntries.length > 0 &&
+    (want.structure || want.judgment || want.i18n || want.governance);
   if (requiresProtectedRead) {
     const licensed = licenseDecryptOptionsForManifest(manifest);
     if (licensed.ok) {

package/src/version.js

@@ -147,12 +147,18 @@ function cmdVersionSuggest(domainPath = '.', args = []) {
   const changes = detectChanges(abs);
 
   if (jsonMode) {
-    console.log(JSON.stringify({
-      current_version: currentVersion,
-      suggested_bump: changes.suggestion,
-      reasons: changes.reasons,
-      change_summary: changes.summary,
-    }, null, 2));
+    console.log(
+      JSON.stringify(
+        {
+          current_version: currentVersion,
+          suggested_bump: changes.suggestion,
+          reasons: changes.reasons,
+          change_summary: changes.summary,
+        },
+        null,
+        2,
+      ),
+    );
     return;
   }
 
@@ -194,7 +200,9 @@ function detectChanges(domainPath) {
   // Count axioms with applies_when (v2.1 governance) vs without
   if (core?.axioms) {
     const total = core.axioms.length;
-    const governed = core.axioms.filter((a) => a.applies_when?.length && a.does_not_apply_when?.length).length;
+    const governed = core.axioms.filter(
+      (a) => a.applies_when?.length && a.does_not_apply_when?.length,
+    ).length;
     if (governed < total) {
       axiomChanges = total - governed;
       reasons.push(`${axiomChanges} axioms missing v2.1 governance fields`);

package/templates/minimal-domain/kdna.json

@@ -1,9 +1,12 @@
 {
-  "kdna_spec": "1.0-rc",
+  "format": "kdna",
+  "format_version": "1.0",
+  "spec_version": "1.0-rc",
   "name": "@aikdna/example_domain",
   "version": "0.1.0",
-  "language": "en",
+  "judgment_version": "0.1.0",
   "languages": ["en"],
+  "default_language": "en",
   "created": "YYYY-MM-DD",
   "updated": "YYYY-MM-DD",
   "description": "[TODO: describe what judgment this domain improves in one sentence]",
@@ -11,6 +14,7 @@
   "keywords": ["[TODO: add relevant keywords]"],
   "access": "open",
   "status": "experimental",
+  "quality_badge": "untested",
   "author": {
     "name": "Your Name",
     "id": "your-id"
@@ -22,10 +26,6 @@
     "allow_redistribution": true,
     "allow_training": true
   },
-  "registry": {
-    "repo": "https://github.com/your-org/your-repo"
-  },
   "file_count": 3,
-  "kdna_file_count": 3,
-  "files": ["KDNA_Core.json", "KDNA_Patterns.json", "tests/before-after.json"]
+  "risk_level": "R0"
 }

package/templates/standard-domain/README.md

@@ -54,20 +54,20 @@ If any of the above is true, the agent should decline to load this domain.
 
 ## Known Failure Risks
 
-| Risk | When it shows up |
-|------|---|
-| [risk 1 from axiom_one.failure_risk] | [trigger] |
-| [risk 2 from axiom_two.failure_risk] | [trigger] |
-| [risk 3 from misread_one.failure_risk] | [trigger] |
+| Risk                                   | When it shows up |
+| -------------------------------------- | ---------------- |
+| [risk 1 from axiom_one.failure_risk]   | [trigger]        |
+| [risk 2 from axiom_two.failure_risk]   | [trigger]        |
+| [risk 3 from misread_one.failure_risk] | [trigger]        |
 
 ## Files
 
-| File | Purpose |
-|------|---------|
-| `KDNA_Core.json` | Axioms (with v2.1 boundaries), ontology, frameworks, causal structure, stances |
+| File                 | Purpose                                                                          |
+| -------------------- | -------------------------------------------------------------------------------- |
+| `KDNA_Core.json`     | Axioms (with v2.1 boundaries), ontology, frameworks, causal structure, stances   |
 | `KDNA_Patterns.json` | Terminology, banned terms, misunderstandings (with v2.1 boundaries), self-checks |
-| `evals/` | Test cases for `kdna compare` and quality scoring |
-| `kdna.json` | Domain manifest (name, version, judgment_version, signature) |
+| `evals/`             | Test cases for `kdna compare` and quality scoring                                |
+| `kdna.json`          | Domain manifest (name, version, judgment_version, signature)                     |
 
 ## License
 

package/templates/standard-domain/kdna.json

@@ -1,11 +1,14 @@
 {
-  "kdna_spec": "1.0-rc",
+  "format": "kdna",
+  "format_version": "1.0",
+  "spec_version": "1.0-rc",
   "name": "@yourscope/your_domain_id",
   "version": "0.1.0",
   "judgment_version": "YYYY.MM",
   "status": "experimental",
   "access": "open",
-  "language": "en",
+  "languages": ["en"],
+  "default_language": "en",
   "created": "YYYY-MM-DD",
   "updated": "YYYY-MM-DD",
   "description": "[one-sentence description; appears on registry and in install output]",
@@ -25,5 +28,5 @@
     "allow_training": true
   },
   "file_count": 2,
-  "files": ["KDNA_Core.json", "KDNA_Patterns.json"]
+  "risk_level": "R0"
 }

package/validators/kdna-lint.js

@@ -51,23 +51,57 @@ for (const f of files) {
 
 const result = lintDomain(dataMap);
 
+function validateManifest(manifest) {
+  const errors = [];
+  const warnings = [];
+  const required = [
+    'format',
+    'format_version',
+    'spec_version',
+    'name',
+    'version',
+    'judgment_version',
+    'description',
+    'author',
+    'license',
+    'status',
+    'quality_badge',
+    'access',
+    'languages',
+    'default_language',
+  ];
+
+  if (manifest.kdna_spec) errors.push('kdna_spec is not allowed. Use spec_version.');
+  if (manifest.language)
+    errors.push('language is not allowed. Use default_language and languages.');
+  for (const field of required) {
+    if (!(field in manifest) || manifest[field] === undefined || manifest[field] === '') {
+      errors.push(`missing required field "${field}"`);
+    }
+  }
+  if (manifest.format && manifest.format !== 'kdna') {
+    errors.push(`format: invalid value "${manifest.format}". Expected "kdna".`);
+  }
+  if (manifest.format_version && manifest.format_version !== '1.0') {
+    errors.push(`format_version: invalid value "${manifest.format_version}". Expected "1.0".`);
+  }
+  if (manifest.spec_version && manifest.spec_version !== '1.0-rc') {
+    warnings.push(
+      `spec_version: non-standard value "${manifest.spec_version}". Expected "1.0-rc".`,
+    );
+  }
+  return { errors, warnings };
+}
+
 // Also validate kdna.json manifest if present and validateManifest is available
 let manifestPath;
 try {
   manifestPath = path.join(domainDir, 'kdna.json');
   if (fs.existsSync(manifestPath)) {
     const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
-    let validateManifestFn;
-    try {
-      validateManifestFn = require('@aikdna/kdna-core').validateManifest;
-    } catch {
-      // validateManifest not yet available in installed kdna-core — skip manifest check
-    }
-    if (validateManifestFn) {
-      const mResult = validateManifestFn(manifest);
-      for (const e of mResult.errors) result.errors.push(`kdna.json: ${e}`);
-      for (const w of mResult.warnings) result.warnings.push(`kdna.json: ${w}`);
-    }
+    const mResult = validateManifest(manifest);
+    for (const e of mResult.errors) result.errors.push(`kdna.json: ${e}`);
+    for (const w of mResult.warnings) result.warnings.push(`kdna.json: ${w}`);
   }
 } catch (e) {
   if (e.code !== 'ENOENT') {