@aikdna/kdna-cli 0.19.3 → 0.20.0

package/src/dev-pack-v2.js

@@ -0,0 +1,117 @@
+// KDNA dev pack — v2 container support
+// Produces KDNA Container v2 (.kdna files with CBOR payload.kdnab) from dev source directories.
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+
+let _cbor = null;
+function getCbor() {
+  if (!_cbor) {
+    try {
+      _cbor = require('cbor-x');
+    } catch {
+      try {
+        _cbor = require('@aikdna/kdna-core/../cbor-x');
+      } catch {
+        throw new Error('cbor-x is required for dev pack v2. Install: npm install cbor-x');
+      }
+    }
+  }
+  return _cbor;
+}
+
+const KDNA_FILES = [
+  'KDNA_Core.json',
+  'KDNA_Patterns.json',
+  'KDNA_Scenarios.json',
+  'KDNA_Cases.json',
+  'KDNA_Reasoning.json',
+  'KDNA_Evolution.json',
+];
+
+function packV2(sourceDir, manifest, options = {}) {
+  const abs = path.resolve(sourceDir);
+
+  // 1. Read source files
+  const judgment = {};
+  for (const f of KDNA_FILES) {
+    const filePath = path.join(abs, f);
+    if (fs.existsSync(filePath)) {
+      try {
+        judgment[
+          f
+            .replace(/^KDNA_/, '')
+            .replace(/\.json$/, '')
+            .toLowerCase()
+        ] = JSON.parse(fs.readFileSync(filePath, 'utf8'));
+      } catch {
+        /* skip unreadable */
+      }
+    }
+  }
+
+  // 2. Build CBOR payload
+  const payload = {
+    kind: 'kdna.payload',
+    payload_version: '2.0',
+    domain: { name: manifest.name || '', version: manifest.version || '0.1.0' },
+    judgment,
+    profiles: {},
+    integrity: {
+      source_tree_digest: `sha256:${computeDirHash(abs)}`,
+    },
+  };
+  const payloadBuf = getCbor().encode(payload);
+
+  // 3. Build manifest (v2)
+  const v2Manifest = {
+    ...manifest,
+    format_version: '2.0',
+    spec_version: '2.0',
+    container: {
+      type: 'kdna-container-v2',
+      payload: 'payload.kdnab',
+      payload_encoding: 'cbor',
+      payload_schema: 'kdna-payload-v2',
+      payload_digest: `sha256:${crypto.createHash('sha256').update(payloadBuf).digest('hex')}`,
+    },
+    runtime: {
+      min_runtime_version: '0.3.0',
+      load_contract: 'context-capsule-v1',
+    },
+  };
+
+  return {
+    entries: {
+      mimetype: 'application/vnd.aikdna.kdna+zip',
+      'kdna.json': JSON.stringify(v2Manifest, null, 2),
+      'payload.kdnab': payloadBuf,
+    },
+    manifest: v2Manifest,
+    payload,
+  };
+}
+
+function computeDirHash(dir) {
+  const files = fs
+    .readdirSync(dir)
+    .filter((f) => fs.statSync(path.join(dir, f)).isFile())
+    .sort();
+  const hash = crypto.createHash('sha256');
+  for (const f of files) {
+    hash.update(f);
+    hash.update(fs.readFileSync(path.join(dir, f)));
+  }
+  return hash.digest('hex');
+}
+
+function verifySourceIntegrity(sourceDir, expectedDigest) {
+  if (!expectedDigest) return { valid: false, error: 'No expected digest provided' };
+  const actual = `sha256:${computeDirHash(sourceDir)}`;
+  if (actual !== expectedDigest) {
+    return { valid: false, error: `Digest mismatch: expected ${expectedDigest}, got ${actual}` };
+  }
+  return { valid: true, digest: actual };
+}
+
+module.exports = { packV2, verifySourceIntegrity, computeDirHash };

package/src/init.js

@@ -1,5 +1,6 @@
 /**
- * kdna init <name>        — Scaffold a new KDNA domain from template.
+ * kdna init <name>        — Deprecated alias for kdna dev scaffold <name>.
+ * kdna dev scaffold <name> — Scaffold a non-canonical dev source workspace.
  * kdna cluster init <name> — Scaffold a new KDNA cluster from template.
  */
 
@@ -27,9 +28,9 @@ function copyRecursive(src, dest, replacements) {
   }
 }
 
-function cmdInit(name) {
+function cmdInit(name, options = {}) {
   if (!name) {
-    console.error('Error: Domain name required. Usage: kdna init <name>');
+    console.error('Error: Domain name required. Usage: kdna dev scaffold <name>');
     process.exit(1);
   }
 
@@ -56,8 +57,15 @@ function cmdInit(name) {
     'YYYY-MM-DD': today,
   });
 
-  console.log(`✓ Created KDNA domain: ${targetDir}/`);
+  if (options.deprecatedAlias) {
+    console.warn(
+      'Warning: kdna init is deprecated. Use kdna dev scaffold for dev source workspaces.',
+    );
+  }
+  console.log(`✓ Created non-canonical KDNA dev source workspace: ${targetDir}/`);
   console.log(`  Files: KDNA_Core.json, KDNA_Patterns.json, kdna.json, tests/before-after.json`);
+  console.log('  This workspace is not a trusted KDNA asset.');
+  console.log('  To create a trusted .kdna asset, use KDNA Studio compile/export.');
 
   // Run structural validation (lint + schema only). Content quality checks
   // are for publish time, not scaffold time — the template contains placeholders
@@ -92,8 +100,8 @@ function cmdInit(name) {
   );
   console.log(`  3. Edit ${targetDir}/kdna.json — set author, description, repo`);
   console.log(`  4. Run: kdna dev validate ${name}           (structural check)`);
-  console.log(`  5. Run: kdna publish --check ${name}         (content quality gate)`);
-  console.log(`  6. Run: kdna verify ${name}                  (full judgment scoring)`);
+  console.log(`  5. Run: kdna publish --check ${name}         (dev readiness check only)`);
+  console.log(`  6. Use KDNA Studio to Human Lock, compile, and export a trusted .kdna asset`);
 }
 
 /**

package/src/install.js

@@ -27,6 +27,7 @@ const {
   sha256File,
   readContainer,
   readContainerJson,
+  readContainerEntry,
   verifyAsset,
 } = require('./package-store');
 
@@ -153,6 +154,24 @@ function ensureDir(dir) {
   fs.mkdirSync(dir, { recursive: true });
 }
 
+// ─── Audit Log ───────────────────────────────────────────────────────
+
+function auditLog(action, details) {
+  try {
+    const logDir = path.join(USER_KDNA_DIR, 'logs');
+    ensureDir(logDir);
+    const logFile = path.join(logDir, 'audit.log');
+    const entry = JSON.stringify({
+      timestamp: new Date().toISOString(),
+      action,
+      ...details,
+    });
+    fs.appendFileSync(logFile, entry + '\n');
+  } catch {
+    /* audit is best-effort, never block on it */
+  }
+}
+
 // ─── Source parsing ─────────────────────────────────────────────────────
 
 function parseSource(input) {
@@ -306,13 +325,14 @@ function cmdInstallExtended(input, args = []) {
 
   const yes = args.includes('--yes');
   const jsonMode = args.includes('--json');
+  const trusted = args.includes('--trusted');
   const source = parseSource(input);
 
   switch (source.type) {
     case 'registry':
       return installFromRegistry(source.parsed, yes, jsonMode);
     case 'local-file':
-      return installFromLocalFile(source.path, yes, jsonMode);
+      return installFromLocalFile(source.path, yes, jsonMode, trusted);
   }
 }
 
@@ -411,6 +431,7 @@ function installSingleFromUrl({ entry, scope }, jsonMode = false) {
 
   verifySignature({ assetPath: tmpFile, scope, entry, lenient: true });
 
+  auditLog('install', { name: entry.name, version: entry.version, source: 'registry' });
   const installed = installAsset({
     sourcePath: tmpFile,
     name: entry.name,
@@ -483,7 +504,7 @@ function installCluster(clusterEntry, resolver, _yes, jsonMode = false) {
   }
 }
 
-function installFromLocalFile(filePath, _yes, jsonMode = false) {
+function installFromLocalFile(filePath, yes, jsonMode = false, trusted = false) {
   const abs = path.resolve(filePath);
   if (!fs.existsSync(abs) || !fs.statSync(abs).isFile()) error(`Not a file: ${abs}`);
   if (!abs.endsWith('.kdna')) error(`Not a .kdna asset: ${abs}`, EXIT.INPUT_ERROR);
@@ -493,6 +514,98 @@ function installFromLocalFile(filePath, _yes, jsonMode = false) {
   if (!declared || !/^@[a-z][a-z0-9-]*\/[a-z][a-z0-9_]*$/.test(declared)) {
     error(scopedNameError('package kdna.json.name', declared), EXIT.INPUT_ERROR);
   }
+
+  // ── Trust checks for local install ──────────────────────────
+  const trustLevel = { label: 'local_unverified', issues: [] };
+
+  // Check mimetype (plain text, not JSON)
+  try {
+    const mimeEntry = readContainerEntry(abs, 'mimetype');
+    const hasMimetype =
+      mimeEntry && mimeEntry.toString().trim() === 'application/vnd.aikdna.kdna+zip';
+    if (!hasMimetype) trustLevel.issues.push('missing or incorrect mimetype');
+  } catch {
+    trustLevel.issues.push('no mimetype entry');
+  }
+
+  // Check for KDNA_Core.json (may be encrypted — skip if unreadable)
+  try {
+    const hasCore = readContainerJson(abs, 'KDNA_Core.json');
+    if (!hasCore) trustLevel.issues.push('missing KDNA_Core.json');
+  } catch {
+    trustLevel.issues.push('KDNA_Core.json unreadable (may be encrypted)');
+  }
+
+  // Check content_digest
+  if (!manifest.content_digest) trustLevel.issues.push('no content_digest');
+
+  // Check authoring provenance
+  if (!manifest.authoring?.created_by) {
+    trustLevel.issues.push('no authoring provenance (not Studio-compiled)');
+  } else if (manifest.authoring.created_by === 'manual-dev-source') {
+    trustLevel.issues.push('created by manual dev source (not Studio-compiled)');
+  }
+
+  // Try signature verification if present
+  if (manifest.signature) {
+    try {
+      const sigResult = verifyAsset(abs, { requireSignature: true });
+      if (sigResult.signature_valid) {
+        trustLevel.label = 'local_signature_verified';
+        trustLevel.issues = trustLevel.issues.filter((i) => !i.includes('not Studio-compiled'));
+      } else {
+        trustLevel.issues.push('signature present but failed verification');
+      }
+    } catch {
+      trustLevel.issues.push('signature verification failed');
+    }
+  }
+
+  // --trusted mode: signature must be present and verified
+  if (trusted && trustLevel.issues.length > 0) {
+    const reasons = trustLevel.issues.map((i) => `  - ${i}`).join('\n');
+    error(
+      `Trust verification failed for local .kdna asset:\n${reasons}\n\n` +
+        `Use 'kdna install <file.kdna>' without --trusted to install anyway (unverified local asset).`,
+      EXIT.TRUST_FAILED,
+    );
+  }
+  // Signature is required for --trusted mode
+  if (trusted && !manifest.signature) {
+    error(
+      '--trusted requires a signed .kdna asset. This asset has no signature.\n' +
+        'Use Studio compile/export with --sign, or install without --trusted.',
+      EXIT.TRUST_FAILED,
+    );
+  }
+  // For tested+ quality_badge, require Studio-compatible authoring provenance
+  const highTrustBadges = new Set(['tested', 'validated', 'expert_reviewed', 'production_ready']);
+  if (
+    trusted &&
+    highTrustBadges.has(manifest.quality_badge) &&
+    (!manifest.authoring?.compiler || !manifest.authoring?.compiler_version)
+  ) {
+    error(
+      `--trusted requires Studio-compatible authoring provenance for quality_badge "${manifest.quality_badge}".\n` +
+        'This asset lacks compiler provenance. Re-publish through Studio pipeline.',
+      EXIT.TRUST_FAILED,
+    );
+  }
+
+  if (!jsonMode) {
+    if (trustLevel.label === 'local_signature_verified') {
+      console.log(`  Trust: ${trustLevel.label}`);
+    } else {
+      console.warn(`  Trust: ${trustLevel.label} — ${trustLevel.issues.join('; ')}`);
+    }
+  }
+
+  auditLog('install', {
+    name: declared,
+    version: manifest.version,
+    source: 'local-file',
+    path: abs,
+  });
   const installed = installAsset({
     sourcePath: abs,
     name: declared,
@@ -524,6 +637,7 @@ function installFromLocalFile(filePath, _yes, jsonMode = false) {
 function cmdRemove(input) {
   const parsed = parseName(input);
   if (!parsed) error(`Invalid name "${input}". Use @scope/name or bare name.`);
+  auditLog('remove', { name: parsed.full });
   if (!removeInstalled(parsed.full)) {
     console.log(`${parsed.full} is not installed.`);
     return;

package/src/kdf-spec.js

@@ -0,0 +1,42 @@
+// KDNA Key Derivation Parameters — canonical reference
+// Per RFC-0008 and RFC-0009, these parameters MUST be used for all KDF operations.
+
+const KDF_PARAMS = {
+  'kdna-password-protected-v1': {
+    algorithm: 'Argon2id',
+    version: 0x13,
+    memoryCostKiB: 65536, // 64 MiB
+    timeCost: 3, // 3 iterations
+    parallelism: 4, // 4 lanes
+    saltLength: 32, // 256-bit random salt
+    hashLength: 32, // 256-bit derived key
+    tagLength: 16, // AES-256-GCM authentication tag
+  },
+  'kdna-licensed-entry-v1': {
+    algorithm: 'HKDF-SHA256',
+    info: 'kdna-licensed-entry-v1',
+    salt: null, // No salt — deterministic from master key
+    keyLength: 32, // 256-bit AES key
+    wrapAlgorithm: 'AES-256-KW',
+    wireTagSize: 16, // Tag prepended to ciphertext in wire format
+    contentEncryption: 'AES-256-GCM',
+  },
+  'kdna-identity-backup-v1': {
+    algorithm: 'PBKDF2-SHA256',
+    iterations: 100000,
+    keyLength: 32, // 256-bit AES key
+    ivLength: 16, // 128-bit random IV
+    encryption: 'AES-256-CBC',
+  },
+};
+
+function validateParameters(profile) {
+  const params = KDF_PARAMS[profile];
+  if (!params)
+    throw new Error(
+      `Unknown KDF profile: ${profile}. Valid: ${Object.keys(KDF_PARAMS).join(', ')}`,
+    );
+  return params;
+}
+
+module.exports = { KDF_PARAMS, validateParameters };

package/src/package-store.js

@@ -11,6 +11,25 @@ if (typeof core.createKdnaAssetReader !== 'function') {
 
 const assetReader = core.createKdnaAssetReader();
 
+const V1_ENTRIES = [
+  'KDNA_Core.json',
+  'KDNA_Patterns.json',
+  'KDNA_Scenarios.json',
+  'KDNA_Cases.json',
+  'KDNA_Reasoning.json',
+  'KDNA_Evolution.json',
+];
+
+function validateContainerV2(asset, assetPath) {
+  const hasPayload = asset.entries.has('payload.kdnab');
+  if (hasPayload) return; // v2, OK
+  const hasV1 = V1_ENTRIES.some((e) => asset.entries.has(e));
+  if (!hasV1) return; // neither v1 nor v2, probably empty — let caller decide
+  const found = V1_ENTRIES.filter((e) => asset.entries.has(e));
+  const msg = `ERR_LEGACY_PLAINTEXT_CONTAINER: This .kdna uses the removed v1 plaintext ZIP format (found: ${found.join(', ')}). Rebuild from source with KDNA Container v2.`;
+  throw Object.assign(new Error(msg), { code: 'ERR_LEGACY_PLAINTEXT_CONTAINER' });
+}
+
 const INDEX_VERSION = 2;
 
 function ensureDir(dir) {
@@ -78,14 +97,16 @@ function listContainerEntries(kdnaPath) {
 
 function readContainer(kdnaPath, options = {}) {
   const asset = assetReader.openSync(kdnaPath);
+  validateContainerV2(asset, kdnaPath);
+  const dataMap = assetReader.readDataMapSync(asset, undefined, options);
   return {
-    manifest: assetReader.readJsonSync(asset, 'kdna.json'),
-    core: assetReader.readJsonSync(asset, 'KDNA_Core.json', options),
-    patterns: assetReader.readJsonSync(asset, 'KDNA_Patterns.json', options),
-    scenarios: assetReader.readJsonSync(asset, 'KDNA_Scenarios.json', options),
-    cases: assetReader.readJsonSync(asset, 'KDNA_Cases.json', options),
-    reasoning: assetReader.readJsonSync(asset, 'KDNA_Reasoning.json', options),
-    evolution: assetReader.readJsonSync(asset, 'KDNA_Evolution.json', options),
+    manifest: dataMap['kdna.json'] || {},
+    core: dataMap['KDNA_Core.json'] || {},
+    patterns: dataMap['KDNA_Patterns.json'] || {},
+    scenarios: dataMap['KDNA_Scenarios.json'] || null,
+    cases: dataMap['KDNA_Cases.json'] || null,
+    reasoning: dataMap['KDNA_Reasoning.json'] || null,
+    evolution: dataMap['KDNA_Evolution.json'] || null,
     files: assetReader.listEntriesSync(asset),
   };
 }
@@ -222,6 +243,7 @@ module.exports = {
   readContainer,
   readContainerEntry,
   readContainerJson,
+  readAssetManifest,
   listContainerEntries,
   verifyAsset,
   getInstalled,

package/src/paths.js

@@ -1,5 +1,7 @@
 // KDNA shared path configuration — canonical source for ~/.kdna structure
 // Spec: docs/local-kdna-home-spec.md
+// NOTE: domains/ is NOT part of the runtime model (see local-kdna-home-spec.md §Invariants).
+// The domains field below is retained ONLY for legacy migration. New code MUST use packages/.
 
 const path = require('path');
 
@@ -10,14 +12,13 @@ const PATHS = {
   root: KDNA_HOME,
   config: path.join(KDNA_HOME, 'config.json'),
   identity: path.join(KDNA_HOME, 'identity'),
+  // LEGACY — domains/ is not part of the runtime model. Retained for migration only.
   domains: {
     root: path.join(KDNA_HOME, 'domains'),
     official: path.join(KDNA_HOME, 'domains', 'official'),
     local: path.join(KDNA_HOME, 'domains', 'local'),
     private: path.join(KDNA_HOME, 'domains', 'private'),
-    // Legacy flat path — used for migration only
     legacy: path.join(KDNA_HOME, 'domains'),
-    // All three directories for scanning
     all: [
       path.join(KDNA_HOME, 'domains', 'official'),
       path.join(KDNA_HOME, 'domains', 'local'),