@aikdna/kdna-cli 0.26.1 → 0.26.3

package/README.md

@@ -51,19 +51,19 @@ Successful validation returns:
 
 ## Core Commands
 
-| Command | Purpose |
-|---|---|
-| `kdna demo minimal <dir>` | Create a minimal v1 source directory |
-| `kdna inspect <path>` | Inspect a v1 source dir or `.kdna` container |
-| `kdna validate <path>` | Validate format, schema, payload, checksums, and load contract |
-| `kdna plan-load <path> --json` | Return the Core LoadPlan before runtime load |
-| `kdna plan-load <path> --json --has-password` | Diagnose password-authorized load state |
-| `kdna plan-load <path> --json --entitlement-status active` | Diagnose receipt/entitlement load state |
-| `kdna pack <source-dir> <output.kdna>` | Pack a v1 source directory |
-| `kdna unpack <input.kdna> <output-dir>` | Unpack a v1 container |
-| `kdna load <path> --profile=<index|compact|scenario|full> --as=<json|prompt>` | Render judgment context for agents or tools |
-| `kdna setup` | Install the `kdna-loader` skill for supported agents |
-| `kdna doctor --agents` | Check agent loader installation |
+| Command                                                    | Purpose                                                        |
+| ---------------------------------------------------------- | -------------------------------------------------------------- | -------- | ---------------- | -------- | ------------------------------------------- |
+| `kdna demo minimal <dir>`                                  | Create a minimal v1 source directory                           |
+| `kdna inspect <path>`                                      | Inspect a v1 source dir or `.kdna` container                   |
+| `kdna validate <path>`                                     | Validate format, schema, payload, checksums, and load contract |
+| `kdna plan-load <path> --json`                             | Return the Core LoadPlan before runtime load                   |
+| `kdna plan-load <path> --json --has-password`              | Diagnose password-authorized load state                        |
+| `kdna plan-load <path> --json --entitlement-status active` | Diagnose receipt/entitlement load state                        |
+| `kdna pack <source-dir> <output.kdna>`                     | Pack a v1 source directory                                     |
+| `kdna unpack <input.kdna> <output-dir>`                    | Unpack a v1 container                                          |
+| `kdna load <path> --profile=<index                         | compact                                                        | scenario | full> --as=<json | prompt>` | Render judgment context for agents or tools |
+| `kdna setup`                                               | Install the `kdna-loader` skill for supported agents           |
+| `kdna doctor --agents`                                     | Check agent loader installation                                |
 
 ## Producer Path
 

package/fixtures/v1-minimal/checksums.json

@@ -3,4 +3,4 @@
   "manifest_digest": "sha256:fae062dbca0eb8878eaf28eabeed732a6827443056eb66fb27f3961307630af7",
   "payload_digest": "sha256:593109dd2aaf3fcc7ab9f352d5cd4476596ab9db5850175824e0619796088caf",
   "asset_digest": "sha256:placeholder"
-}
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aikdna/kdna-cli",
-  "version": "0.26.1",
+  "version": "0.26.3",
   "description": "KDNA CLI — runtime control plane for verifying, installing, loading, comparing, publishing, and auditing existing .kdna assets.",
   "type": "commonjs",
   "bin": {
@@ -31,7 +31,8 @@
     "test:v1": "node --test tests/v1-global-cli.test.js tests/v1-demo-minimal.test.js",
     "test:smoke": "npm run test:core-smoke",
     "test:legacy": "node --test tests/v07-commands.test.js tests/v012-commands.test.js tests/asset-store.test.js",
-    "test:demo": "node --test tests/v1-demo-minimal.test.js"
+    "test:demo": "node --test tests/v1-demo-minimal.test.js",
+    "prepublishOnly": "npm test"
   },
   "keywords": [
     "kdna",
@@ -55,7 +56,7 @@
     "node": ">=18"
   },
   "dependencies": {
-    "@aikdna/kdna-core": "^0.12.0"
+    "@aikdna/kdna-core": "^0.12.1"
   },
   "optionalDependencies": {
     "ajv": "^8.20.0",

package/skills/kdna-loader/SKILL.md

@@ -29,11 +29,11 @@ incorrectly, assigns wrong priorities, applies wrong risk models, and
 offers wrong recommendations — all with the false confidence of having
 "loaded expert judgment."
 
-*No KDNA*: the agent uses model capability, tools, MCP, project files,
+_No KDNA_: the agent uses model capability, tools, MCP, project files,
 and normal prompts. It may lack domain-specific judgment, but it is
 not polluted by incorrect judgment.
 
-*Wrong KDNA*: the agent applies a mismatched framework — e.g., diagnosing
+_Wrong KDNA_: the agent applies a mismatched framework — e.g., diagnosing
 a website design task through a team management lens, or treating a
 price question as an editing issue. The output is worse than baseline.
 
@@ -152,15 +152,15 @@ what you'd produce if you loaded the domain? If yes, skip it.
 After evaluating against `applies_when`, `does_not_apply_when`, and
 `failure_risks`, classify into one of 7 states:
 
-| State | Condition | Action |
-|-------|-----------|--------|
-| **SKIP_NO_JUDGMENT_NEEDED** | Task is mechanical: format, translate, lookup, execute | Answer normally. Do not mention KDNA. |
-| **SKIP_NO_LOCAL_DOMAIN** | Task may need judgment, but no installed domain covers it | Answer normally. Only mention KDNA if user explicitly asks. |
-| **SKIP_WEAK_FIT** | A domain is weakly related but insufficiently matches | Answer normally. Trace notes "weak match, skipped." |
-| **REJECT_NEGATIVE_MATCH** | A domain's `does_not_apply_when` explicitly excludes this task | Block loading. Respect the author's boundary. |
-| **ASK_AMBIGUOUS_DOMAIN** | 2+ domains could apply but with different judgment frameworks | Ask user to choose. Do **not** silently blend. |
-| **LOAD_STRONG_FIT** | One local domain strongly matches and validates | Load it. |
-| **BLOCK_INTEGRITY_FAILED** | Domain matches but validation, checksum, parsing, or runtime loading fails | Block loading. Notify if appropriate. |
+| State                       | Condition                                                                  | Action                                                      |
+| --------------------------- | -------------------------------------------------------------------------- | ----------------------------------------------------------- |
+| **SKIP_NO_JUDGMENT_NEEDED** | Task is mechanical: format, translate, lookup, execute                     | Answer normally. Do not mention KDNA.                       |
+| **SKIP_NO_LOCAL_DOMAIN**    | Task may need judgment, but no installed domain covers it                  | Answer normally. Only mention KDNA if user explicitly asks. |
+| **SKIP_WEAK_FIT**           | A domain is weakly related but insufficiently matches                      | Answer normally. Trace notes "weak match, skipped."         |
+| **REJECT_NEGATIVE_MATCH**   | A domain's `does_not_apply_when` explicitly excludes this task             | Block loading. Respect the author's boundary.               |
+| **ASK_AMBIGUOUS_DOMAIN**    | 2+ domains could apply but with different judgment frameworks              | Ask user to choose. Do **not** silently blend.              |
+| **LOAD_STRONG_FIT**         | One local domain strongly matches and validates                            | Load it.                                                    |
+| **BLOCK_INTEGRITY_FAILED**  | Domain matches but validation, checksum, parsing, or runtime loading fails | Block loading. Notify if appropriate.                       |
 
 **Rule: Negative Match First.** Check `does_not_apply_when` before
 checking `applies_when`. A domain that says "not for visual design"
@@ -223,8 +223,8 @@ stages.
 You have now internalized the domain's judgment surface. From this
 point on:
 
-1. **Adopt the axioms as your reasoning frame** — reason *from*
-   them, not *around* them.
+1. **Adopt the axioms as your reasoning frame** — reason _from_
+   them, not _around_ them.
 2. **Honour the boundaries** — for each axiom you'd apply, confirm
    the task is in `applies_when` AND not in `does_not_apply_when`.
 3. **Pre-check failure_risk** — before producing output, ask:
@@ -259,14 +259,14 @@ KDNA does not override:
 
 ## Failure handling
 
-| Situation | What to do |
-|---|---|
-| `kdna` CLI not installed | Skip KDNA. Answer normally. Mention installation only if user asks about KDNA itself. |
-| No local v1 assets are found | No domains installed. Skip KDNA. |
-| `kdna plan-load <asset>` returns `can_load_now=false` | Do not load. Follow `required_action` and `issues[].code`. |
-| `kdna load <name>` exits non-zero | That domain is broken (validation, authorization, parse, or runtime loading failure). Try next candidate or skip KDNA. The error message tells you why. |
-| User explicitly asks for a domain that isn't installed | Tell them, suggest `kdna install <name>`. Do not fabricate the domain. |
-| Two domains' stances directly conflict on the task | Surface to user. Do not blend. |
+| Situation                                              | What to do                                                                                                                                              |
+| ------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `kdna` CLI not installed                               | Skip KDNA. Answer normally. Mention installation only if user asks about KDNA itself.                                                                   |
+| No local v1 assets are found                           | No domains installed. Skip KDNA.                                                                                                                        |
+| `kdna plan-load <asset>` returns `can_load_now=false`  | Do not load. Follow `required_action` and `issues[].code`.                                                                                              |
+| `kdna load <name>` exits non-zero                      | That domain is broken (validation, authorization, parse, or runtime loading failure). Try next candidate or skip KDNA. The error message tells you why. |
+| User explicitly asks for a domain that isn't installed | Tell them, suggest `kdna install <name>`. Do not fabricate the domain.                                                                                  |
+| Two domains' stances directly conflict on the task     | Surface to user. Do not blend.                                                                                                                          |
 
 ---
 

package/src/agent.js

@@ -306,9 +306,7 @@ function cmdMatch(taskText, args = []) {
       }
     }
     console.log('');
-    console.log(
-      'To load a domain: kdna load <name|file.kdna>',
-    );
+    console.log('To load a domain: kdna load <name|file.kdna>');
   }
 }
 

package/src/cli.js

@@ -89,6 +89,7 @@ Start here:
 Core v1:
   inspect  <path>                   Inspect v1 source dir or .kdna container
   validate <path>                   Validate v1 source dir or .kdna container
+  validate <path> --runtime         Validate and require LoadPlan readiness
   plan-load <path>                  Return a LoadPlan before runtime load
                                   Add --has-password or --entitlement-status for diagnostics
   pack     <src> <out>              Deterministic pack into .kdna container
@@ -97,6 +98,11 @@ Core v1:
 More:
   kdna help advanced                Agent runtime, setup, loading, comparison
   kdna help legacy                  Pre-v1 compatibility commands
+  Advanced index: doctor, trace, history, license, verify, compare, diff, search
+  verify  <name|file>               Legacy asset verification
+  compare <name|file> --input "..." Legacy comparison report
+  diff    <left> <right>             Legacy asset diff
+  search  <query>                    Search installed/available legacy entries
 
 Flags:
   --json                            Structured JSON output
@@ -111,6 +117,7 @@ function showHelpAdvanced() {
 Core v1:
   inspect  <path>                   Inspect v1 source dir or .kdna container
   validate <path>                   Validate v1 source dir or .kdna container
+  validate <path> --runtime         Validate and require LoadPlan readiness
   plan-load <path> [--has-password] [--entitlement-status <status>]
                                   Return a LoadPlan before runtime load
   pack     <src> <out>              Deterministic pack into .kdna container
@@ -261,12 +268,56 @@ switch (cmd) {
   case 'validate': {
     const v1Target = args.filter((a) => !a.startsWith('--'))[1];
     if (v1Target) {
-      const { isV1SourceDir, detectContainerFormat, validate, pack, unpack, inspect } = require('@aikdna/kdna-core');
+      const {
+        isV1SourceDir,
+        detectContainerFormat,
+        validate,
+        pack,
+        unpack,
+        inspect,
+      } = require('@aikdna/kdna-core');
       const abs = require('node:path').resolve(v1Target);
       if (isV1SourceDir(abs) || detectContainerFormat(abs) === 'v1') {
+        const runtimeMode = args.includes('--runtime');
         const result = validate(v1Target);
+        if (runtimeMode) {
+          const entitlementStatusIndex = args.indexOf('--entitlement-status');
+          const entitlementStatus =
+            entitlementStatusIndex >= 0 ? args[entitlementStatusIndex + 1] : null;
+          const allowedEntitlementStatuses = new Set([
+            'active',
+            'expired',
+            'revoked',
+            'offline_grace',
+          ]);
+          if (entitlementStatusIndex >= 0 && !allowedEntitlementStatuses.has(entitlementStatus)) {
+            error(
+              'Invalid --entitlement-status. Use active, expired, revoked, or offline_grace.',
+              EXIT.INPUT_ERROR,
+            );
+          }
+          const core = require('@aikdna/kdna-core');
+          if (typeof core.planLoad !== 'function') {
+            error(
+              'kdna validate --runtime requires @aikdna/kdna-core with the LoadPlan v1 API. Update @aikdna/kdna-core before enabling runtime authorization diagnostics.',
+              EXIT.PROVIDER_ERROR,
+            );
+          }
+          result.runtime_load_plan = core.planLoad(v1Target, {
+            hasPassword: args.includes('--has-password'),
+            entitlement: entitlementStatus ? { status: entitlementStatus } : undefined,
+          });
+        }
         console.log(JSON.stringify(result, null, 2));
-        process.exit(result.overall_valid ? 0 : 1);
+        if (!result.overall_valid) process.exit(1);
+        if (
+          runtimeMode &&
+          result.runtime_load_plan &&
+          result.runtime_load_plan.can_load_now !== true
+        ) {
+          process.exit(result.runtime_load_plan.state === 'invalid' ? 1 : 3);
+        }
+        process.exit(0);
       }
     }
     error(
@@ -277,7 +328,11 @@ switch (cmd) {
   }
   case 'plan-load': {
     const v1Target = args.filter((a) => !a.startsWith('--'))[1];
-    if (!v1Target) error('Usage: kdna plan-load <path> [--json] [--has-password] [--entitlement-status <status>]', EXIT.INPUT_ERROR);
+    if (!v1Target)
+      error(
+        'Usage: kdna plan-load <path> [--json] [--has-password] [--entitlement-status <status>]',
+        EXIT.INPUT_ERROR,
+      );
     const core = require('@aikdna/kdna-core');
     const abs = require('node:path').resolve(v1Target);
     if (!(core.isV1SourceDir(abs) || core.detectContainerFormat(abs) === 'v1')) {
@@ -293,19 +348,30 @@ switch (cmd) {
     const entitlementStatus = entitlementStatusIndex >= 0 ? args[entitlementStatusIndex + 1] : null;
     const allowedEntitlementStatuses = new Set(['active', 'expired', 'revoked', 'offline_grace']);
     if (entitlementStatusIndex >= 0 && !allowedEntitlementStatuses.has(entitlementStatus)) {
-      error('Invalid --entitlement-status. Use active, expired, revoked, or offline_grace.', EXIT.INPUT_ERROR);
+      error(
+        'Invalid --entitlement-status. Use active, expired, revoked, or offline_grace.',
+        EXIT.INPUT_ERROR,
+      );
     }
     const plan = core.planLoad(v1Target, {
       hasPassword: args.includes('--has-password'),
       entitlement: entitlementStatus ? { status: entitlementStatus } : undefined,
     });
     console.log(JSON.stringify(plan, null, 2));
-    process.exit(plan.state === 'invalid' ? 1 : 0);
+    process.exit(plan.state === 'invalid' ? 1 : plan.can_load_now === true ? 0 : 3);
+    break;
   }
   case 'pack': {
     const v1Target = args.filter((a) => !a.startsWith('--'))[1];
     if (v1Target) {
-      const { isV1SourceDir, detectContainerFormat, validate, pack, unpack, inspect } = require('@aikdna/kdna-core');
+      const {
+        isV1SourceDir,
+        detectContainerFormat,
+        validate,
+        pack,
+        unpack,
+        inspect,
+      } = require('@aikdna/kdna-core');
       const abs = require('node:path').resolve(v1Target);
       if (isV1SourceDir(abs)) {
         const out = args.filter((a) => !a.startsWith('--'))[2];
@@ -329,7 +395,14 @@ switch (cmd) {
   case 'unpack': {
     const v1Target = args.filter((a) => !a.startsWith('--'))[1];
     if (v1Target) {
-      const { isV1SourceDir, detectContainerFormat, validate, pack, unpack, inspect } = require('@aikdna/kdna-core');
+      const {
+        isV1SourceDir,
+        detectContainerFormat,
+        validate,
+        pack,
+        unpack,
+        inspect,
+      } = require('@aikdna/kdna-core');
       const abs = require('node:path').resolve(v1Target);
       if (detectContainerFormat(abs) === 'v1') {
         const out = args.filter((a) => !a.startsWith('--'))[2];
@@ -408,7 +481,14 @@ switch (cmd) {
   case 'inspect': {
     const target = args.filter((a) => !a.startsWith('--'))[1];
     if (!target) error('Usage: kdna inspect <path> [--json] [--locale zh-CN]');
-    const { isV1SourceDir, detectContainerFormat, validate, pack, unpack, inspect } = require('@aikdna/kdna-core');
+    const {
+      isV1SourceDir,
+      detectContainerFormat,
+      validate,
+      pack,
+      unpack,
+      inspect,
+    } = require('@aikdna/kdna-core');
     const abs = require('node:path').resolve(target);
     if (isV1SourceDir(abs) || detectContainerFormat(abs) === 'v1') {
       const out = inspect(target);
@@ -466,7 +546,8 @@ switch (cmd) {
   case 'load': {
     const target = args.filter((a) => !a.startsWith('--'))[1];
     if (target) {
-      const { isV1SourceDir, detectContainerFormat, loadV1 } = require('@aikdna/kdna-core');
+      const core = require('@aikdna/kdna-core');
+      const { isV1SourceDir, detectContainerFormat } = core;
       const abs = require('node:path').resolve(target);
       if (isV1SourceDir(abs) || detectContainerFormat(abs) === 'v1') {
         const getFlag = (name) => {
@@ -478,7 +559,25 @@ switch (cmd) {
         const profile = getFlag('--profile') || 'compact';
         const as = getFlag('--as') || 'json';
         try {
-          const r = loadV1(target, { profile, as });
+          const loadV1Authorized =
+            core.loadAuthorized ||
+            ((input, options) => {
+              if (typeof core.planLoad !== 'function') {
+                throw new Error('LoadPlan API is required before loading KDNA Core v1 assets');
+              }
+              const plan = core.planLoad(input, options);
+              if (plan.can_load_now !== true) {
+                const err = new Error(
+                  `LoadPlan denied loading: state=${plan.state || 'invalid'} required_action=${plan.required_action || 'block'}`,
+                );
+                err.code =
+                  (plan.issues && plan.issues[0] && plan.issues[0].code) ||
+                  'KDNA_LOAD_NOT_AUTHORIZED';
+                throw err;
+              }
+              return core.loadV1(input, options);
+            });
+          const r = loadV1Authorized(target, { profile, as });
           if (as === 'prompt') {
             process.stdout.write(r.text + '\n');
           } else {

package/src/cmds/anti-monolithic.js

@@ -38,7 +38,7 @@
 const fs = require('fs');
 const path = require('path');
 
-const AXIOM_THRESHOLD = 6;     // SPEC §5.2 says "between 2 and 6 axioms"
+const AXIOM_THRESHOLD = 6; // SPEC §5.2 says "between 2 and 6 axioms"
 const FRAMEWORK_THRESHOLD = 3; // RFC-0013 §4 companion rule
 const RATIONALE_MIN_LENGTH = 30;
 
@@ -103,7 +103,11 @@ function runAntiMonolithicCheck(dir, opts = {}) {
     hasRationale = typeof rationale === 'string' && rationale.trim().length >= RATIONALE_MIN_LENGTH;
     result.summary.has_decomposition_rationale = hasRationale;
 
-    if (rationale && rationale.trim().length > 0 && rationale.trim().length < RATIONALE_MIN_LENGTH) {
+    if (
+      rationale &&
+      rationale.trim().length > 0 &&
+      rationale.trim().length < RATIONALE_MIN_LENGTH
+    ) {
       result.warnings.push(
         `module_manifest.json: decomposition_rationale is only ${rationale.trim().length} chars; ` +
           `minimum is ${RATIONALE_MIN_LENGTH} chars to count as a real sign-off.`,

package/src/cmds/demo.js

@@ -26,9 +26,7 @@ function cmdDemo(args) {
   if (fs.existsSync(outDir)) {
     const existing = fs.readdirSync(outDir).filter((f) => f !== '.DS_Store');
     if (existing.length > 0 && !force) {
-      console.error(
-        `Target already exists and is not empty: ${outDir}`,
-      );
+      console.error(`Target already exists and is not empty: ${outDir}`);
       console.error('Use --force to overwrite.');
       process.exit(2);
     }

package/src/cmds/domain.js

@@ -238,9 +238,7 @@ function cmdValidateAntiMonolithic(dir, opts = {}) {
   const amResults = [];
   if (schemaResult.cluster && Array.isArray(schemaResult.domains)) {
     for (const d of schemaResult.domains) {
-      amResults.push(
-        runAntiMonolithicCheckOnCore(d.path || abs, { strict }),
-      );
+      amResults.push(runAntiMonolithicCheckOnCore(d.path || abs, { strict }));
     }
   } else {
     amResults.push(runAntiMonolithicCheckOnCore(abs, { strict }));
@@ -316,21 +314,9 @@ function cmdPack(dir, outputDir) {
   if (!core) error('KDNA_Core.json not found or invalid');
   if (!pat) error('KDNA_Patterns.json not found or invalid');
 
-  console.warn('Warning: kdna dev pack creates a dev-only non-trusted .kdna bundle.');
-  console.warn('Use KDNA Studio compile/export to create a trusted canonical .kdna asset.');
-
-  // Human Lock Gate — check judgment-class cards before packing
-  const { checkHumanLock } = require('../publish');
-  const hl = checkHumanLock(abs);
-  if (!hl.passed) {
-    console.error('Human Lock Gate: BLOCKED');
-    for (const issue of hl.issues) {
-      console.error(`  ✗ ${issue}`);
-    }
-    console.error('Judgment-class cards must be locked with valid Human Lock before packing.');
-    console.error('Use kdna publish --check for details.');
-    process.exit(EXIT.HUMAN_LOCK_REQUIRED);
-  }
+  console.warn('Warning: kdna dev pack creates a dev-only .kdna bundle.');
+  console.warn('Use KDNA Studio compile/export for release-grade authoring evidence.');
+  console.warn('Human Lock is optional provenance and is not required for format validity.');
 
   const domainName = core.meta?.domain || path.basename(abs);
 

package/src/package-store.js

@@ -68,7 +68,7 @@ function readContainerJson(kdnaPath, fileName, options = {}) {
 
 function readContainerDataMap(kdnaPath, options = {}) {
   const asset = assetReader.openSync(kdnaPath);
-  const dataMap = assetReader.readDataMapSync(asset, undefined, options);
+  const dataMap = readDataMapCompatSync(asset, options);
   if (asset.entries.has('kdna.json')) {
     dataMap['kdna.json'] = assetReader.readJsonSync(asset, 'kdna.json', options);
   }
@@ -87,7 +87,7 @@ function listContainerEntries(kdnaPath) {
 
 function readContainer(kdnaPath, options = {}) {
   const asset = assetReader.openSync(kdnaPath);
-  const dataMap = assetReader.readDataMapSync(asset, undefined, options);
+  const dataMap = readDataMapCompatSync(asset, options);
   return {
     manifest: dataMap['kdna.json'] || {},
     core: dataMap['KDNA_Core.json'] || {},
@@ -100,6 +100,31 @@ function readContainer(kdnaPath, options = {}) {
   };
 }
 
+function readDataMapCompatSync(asset, options = {}) {
+  try {
+    return assetReader.readDataMapSync(asset, undefined, options);
+  } catch (e) {
+    if (!String(e?.message || '').includes('missing payload.kdnab')) {
+      throw e;
+    }
+  }
+
+  const dataMap = {};
+  for (const entry of [
+    'KDNA_Core.json',
+    'KDNA_Patterns.json',
+    'KDNA_Scenarios.json',
+    'KDNA_Cases.json',
+    'KDNA_Reasoning.json',
+    'KDNA_Evolution.json',
+  ]) {
+    if (asset.entries.has(entry)) {
+      dataMap[entry] = assetReader.readJsonSync(asset, entry, options);
+    }
+  }
+  return dataMap;
+}
+
 function verifyAsset(kdnaPath, options = {}) {
   const asset = assetReader.openSync(kdnaPath);
   return assetReader.verifySync(asset, options);

package/src/publish.js

@@ -689,7 +689,7 @@ function cmdPublish(assetPath, args = []) {
 
   console.log('');
   console.log('─'.repeat(60));
-  console.log('Legacy registry patch (historical compatibility only):');
+  console.log('Legacy Registry patch (historical compatibility only):');
   console.log('─'.repeat(60));
   console.log(JSON.stringify(patch, null, 2));
   console.log('');
@@ -710,12 +710,6 @@ function validateAuthoringProvenance(manifest) {
   const badge = manifest.quality_badge || 'untested';
   const highTrust = (badgeRank[badge] || 0) >= badgeRank.tested;
   const authoring = manifest.authoring;
-  const studioCompatible = new Set([
-    'kdna-studio',
-    'kdna-studio-cli',
-    'kdna-studio-sdk',
-    'third-party-studio-compatible',
-  ]);
 
   if (!authoring) {
     if (highTrust) issues.push(`quality_badge "${badge}" requires authoring provenance`);
@@ -724,8 +718,18 @@ function validateAuthoringProvenance(manifest) {
   if (authoring.created_by === 'manual-dev-source' && highTrust) {
     issues.push('manual-dev-source assets cannot claim tested or higher quality');
   }
-  if (highTrust && !studioCompatible.has(authoring.created_by)) {
-    issues.push(`quality_badge "${badge}" requires Studio-compatible created_by`);
+  // Conformance-based check: any tool that passes the official validator is compatible.
+  // The authoring.conformance block records validator identity and pass status.
+  if (highTrust) {
+    const conformance = authoring.conformance;
+    if (!conformance || !conformance.passed) {
+      issues.push(
+        `quality_badge "${badge}" requires conformance validation (authoring.conformance.passed = true)`,
+      );
+    }
+    if (!conformance || !conformance.spec_version) {
+      issues.push('trusted assets require authoring.conformance.spec_version');
+    }
   }
   if (highTrust && !authoring.compiler) issues.push('trusted assets require authoring.compiler');
   if (highTrust && !authoring.compiler_version) {

package/src/verify.js

@@ -20,6 +20,7 @@ const path = require('path');
 const { RegistryResolver, parseName, registryTrustIssues, isEntryRevoked } = require('./registry');
 const { EXIT, isYesNoSelfCheck } = require('./cmds/_common');
 const { licenseDecryptOptionsForManifest } = require('./cmds/license');
+const { validateAuthoringProvenance } = require('./publish');
 
 const {
   getInstalled,
@@ -515,71 +516,24 @@ function checkJudgment(input, options = {}) {
   };
   const badge = manifest?.quality_badge || 'untested';
   const highTrust = (badgeRank[badge] || 0) >= badgeRank.tested;
-  const authoring = manifest?.authoring;
-  const studioCompatible = new Set([
-    'kdna-studio',
-    'kdna-studio-cli',
-    'kdna-studio-sdk',
-    'third-party-studio-compatible',
-  ]);
   if (highTrust) {
-    if (!authoring) {
-      score.max += 2;
+    const provenanceIssues = validateAuthoringProvenance(manifest || {});
+    score.max += 1;
+    if (provenanceIssues.length) {
       issues.push({
         severity: 'error',
-        msg: `quality_badge ${badge} requires authoring provenance`,
+        msg: `quality_badge ${badge} authoring provenance gate failed: ${provenanceIssues.join('; ')}`,
       });
     } else {
-      const okSource = studioCompatible.has(authoring.created_by);
-      bump(1, okSource ? 1 : 0, `authoring.created_by: ${authoring.created_by || '?'}`);
-      if (!okSource) {
-        issues.push({
-          severity: 'error',
-          msg: 'trusted quality requires Studio-compatible authoring.created_by',
-        });
-      }
-      const hasCompiler = !!(
-        authoring.compiler &&
-        authoring.compiler_version &&
-        authoring.compiled_at
-      );
-      bump(1, hasCompiler ? 1 : 0, 'authoring compiler metadata present');
-      if (!hasCompiler) {
-        issues.push({
-          severity: 'error',
-          msg: 'trusted quality requires compiler, compiler_version, and compiled_at',
-        });
-      }
-      const hasIdentity = [
-        'asset_uid',
-        'project_uid',
-        'build_id',
-        'domain_id',
-        'content_digest',
-      ].every((field) => !!(authoring[field] || manifest[field]));
-      bump(1, hasIdentity ? 1 : 0, 'authoring asset identity present');
-      if (!hasIdentity) {
-        issues.push({
-          severity: 'error',
-          msg: 'trusted quality requires asset_uid, project_uid, build_id, domain_id, and content_digest',
-        });
-      }
-      const humanConfirmed =
-        authoring.human_confirmed === true && Number(authoring.human_lock_count) > 0;
-      bump(1, humanConfirmed ? 1 : 0, `Human Lock provenance (${authoring.human_lock_count || 0})`);
-      if (!humanConfirmed) {
-        issues.push({
-          severity: 'error',
-          msg: 'trusted quality requires human_confirmed=true and human_lock_count > 0',
-        });
-      }
+      score.total += 1;
+      passed.push('✓ authoring provenance satisfies trusted quality gate');
     }
-  } else if (!authoring) {
+  } else if (!manifest?.authoring) {
     issues.push({
       severity: 'warn',
       msg: 'authoring provenance missing; asset cannot be promoted above untested',
     });
-  } else if (authoring.created_by === 'manual-dev-source') {
+  } else if (manifest.authoring.created_by === 'manual-dev-source') {
     passed.push('authoring provenance: manual-dev-source (untested ceiling)');
   }
 

package/src/cmds/protect.js.bak

@@ -1,245 +0,0 @@
-/**
- * KDNA Protected Asset Commands (RFC-0009)
- *
- * Commands:
- *   kdna protect <file.kdna> --out <file.kdna> [--entries <list>]
- *   kdna unlock <file.kdna> [--profile compact|index|full]
- *   kdna recover <file.kdna> --out <file.kdna> [--code-stdin]
- *
-
-const fs = require('fs');
-const path = require('path');
-const { EXIT, error, promptPassword } = require('./_common');
-const {
-  createKdnaAssetReader,
-  createPasswordDecryptEntry,
-  createRecoveryDecryptEntry,
-  encryptProtectedEntry,
-  generateRecoveryCode,
-} = require('@aikdna/kdna-core');
-
-function parseEntriesFlag(flag) {
-  if (!flag) return ['KDNA_Core.json'];
-  return flag.split(',').map((s) => s.trim());
-}
-
-function cmdProtect(args) {
-  const file = args[0];
-  if (!file) error('Usage: kdna protect <file.kdna> --out <file.kdna> [--entries KDNA_Core.json,KDNA_Patterns.json]', EXIT.INPUT_ERROR);
-
-  const outIdx = args.indexOf('--out');
-  const outPath = outIdx >= 0 ? args[outIdx + 1] : null;
-  if (!outPath) error('Missing --out', EXIT.INPUT_ERROR);
-
-  const entriesIdx = args.indexOf('--entries');
-  const entriesToEncrypt = parseEntriesFlag(entriesIdx >= 0 ? args[entriesIdx + 1] : null);
-
-  if (!fs.existsSync(file)) error(`File not found: ${file}`, EXIT.INPUT_ERROR);
-
-  const password = promptPassword('Password: ');
-  if (!password) error('Password is required.', EXIT.INPUT_ERROR);
-
-  const reader = createKdnaAssetReader();
-  const asset = reader.openSync(file);
-  const manifest = reader.readManifestSync(asset);
-
-  if (manifest.access === 'protected') {
-    error('Asset is already protected. Use recover to change password.', EXIT.INPUT_ERROR);
-  }
-
-  // Update manifest
-  const newManifest = { ...manifest, access: 'protected', encryption: { profile: 'kdna-password-protected-v1', encrypted_entries: entriesToEncrypt } };
-
-  // Build new ZIP with encrypted entries
-  const allEntries = reader.listEntriesSync(asset);
-  const zipEntries = {};
-  const recoveryCode = generateRecoveryCode();
-
-  for (const entryName of allEntries) {
-    if (entryName === 'kdna.json') {
-      zipEntries[entryName] = JSON.stringify(newManifest);
-    } else if (entriesToEncrypt.includes(entryName)) {
-      const plaintext = reader.readEntrySync(asset, entryName);
-      const encrypted = encryptProtectedEntry(plaintext, {
-        entryName,
-        manifest: newManifest,
-        password,
-        recoveryCode,
-      });
-      zipEntries[entryName] = JSON.stringify(encrypted);
-    } else {
-      zipEntries[entryName] = reader.readEntrySync(asset, entryName);
-    }
-  }
-
-  // Add mimetype if missing
-  if (!zipEntries.mimetype) {
-    zipEntries.mimetype = 'application/vnd.aikdna.kdna+zip';
-  }
-
-  // Write new asset using core's internal ZIP builder or a simple approach
-  // For the CLI, we use the asset reader's internal helper if available, otherwise manual ZIP
-  const zipBuffer = buildZip(zipEntries);
-  fs.writeFileSync(outPath, zipBuffer);
-
-  console.log(`Protected asset written to: ${outPath}`);
-  console.log(`Encrypted entries: ${entriesToEncrypt.join(', ')}`);
-  console.log('Recovery code: (displayed once — save it)');
-  console.log(`  ${recoveryCode}`);
-  console.log('  Use `kdna recover` if you forget the password.');
-}
-
-function cmdUnlock(args) {
-  const file = args[0];
-  if (!file) error('Usage: kdna unlock <file.kdna> [--profile compact|index|full]', EXIT.INPUT_ERROR);
-
-  const profileIdx = args.indexOf('--profile');
-  const profile = profileIdx >= 0 ? args[profileIdx + 1] : 'compact';
-
-  if (!fs.existsSync(file)) error(`File not found: ${file}`, EXIT.INPUT_ERROR);
-
-  const password = promptPassword('Password: ');
-  if (!password) error('Password is required.', EXIT.INPUT_ERROR);
-
-  const reader = createKdnaAssetReader();
-  const asset = reader.openSync(file);
-  const manifest = reader.readManifestSync(asset);
-
-  if (manifest.access !== 'protected') {
-    error(`Asset access is "${manifest.access}", expected "protected"`, EXIT.INPUT_ERROR);
-  }
-
-  const decryptEntry = createPasswordDecryptEntry({ password });
-
-  try {
-    const loaded = reader.loadProfileSync(asset, profile, { decryptEntry });
-    console.log(JSON.stringify(loaded, null, 2));
-  } catch (e) {
-    error(`Unlock failed: ${e.message}`, EXIT.TRUST_FAILED);
-  }
-}
-
-function cmdRecover(args) {
-  const file = args[0];
-  if (!file) error('Usage: kdna recover <file.kdna> --out <file.kdna> [--code-stdin]', EXIT.INPUT_ERROR);
-
-  const outIdx = args.indexOf('--out');
-  const outPath = outIdx >= 0 ? args[outIdx + 1] : null;
-  if (!outPath) error('Missing --out', EXIT.INPUT_ERROR);
-
-  if (!fs.existsSync(file)) error(`File not found: ${file}`, EXIT.INPUT_ERROR);
-
-  let recoveryCode;
-  if (args.includes('--code-stdin')) {
-    const stdinData = fs.readFileSync(0, 'utf8').trim();
-    if (!stdinData) error('No recovery code provided on stdin.', EXIT.INPUT_ERROR);
-    recoveryCode = stdinData;
-  } else {
-    recoveryCode = promptPassword('Recovery code: ');
-    if (!recoveryCode) error('Recovery code is required.', EXIT.INPUT_ERROR);
-  }
-
-  const newPassword = promptPassword('New password: ');
-  if (!newPassword) error('New password is required.', EXIT.INPUT_ERROR);
-
-  const reader = createKdnaAssetReader();
-  const asset = reader.openSync(file);
-  const manifest = reader.readManifestSync(asset);
-
-  if (manifest.access !== 'protected') {
-    error(`Asset access is "${manifest.access}", expected "protected"`, EXIT.INPUT_ERROR);
-  }
-
-  const decryptEntry = createRecoveryDecryptEntry({ recoveryCode });
-
-  // Decrypt all encrypted entries with recovery code, then re-encrypt with new password
-  const entriesToEncrypt = manifest.encryption?.encrypted_entries || ['KDNA_Core.json'];
-  const allEntries = reader.listEntriesSync(asset);
-  const zipEntries = {};
-  const newRecoveryCode = generateRecoveryCode();
-
-  for (const entryName of allEntries) {
-    if (entriesToEncrypt.includes(entryName)) {
-      // Decrypt with recovery code
-      const encryptedData = reader.readEntrySync(asset, entryName);
-      const plaintext = decryptEntry({ entryName, ciphertext: encryptedData, manifest });
-
-      // Re-encrypt with new password and new recovery code
-      const encrypted = encryptProtectedEntry(plaintext, {
-        entryName,
-        manifest: { ...manifest, encryption: { ...manifest.encryption, encrypted_entries: entriesToEncrypt } },
-        password: newPassword,
-        recoveryCode: newRecoveryCode,
-      });
-      zipEntries[entryName] = JSON.stringify(encrypted);
-    } else {
-      zipEntries[entryName] = reader.readEntrySync(asset, entryName);
-    }
-  }
-
-  if (!zipEntries.mimetype) {
-    zipEntries.mimetype = 'application/vnd.aikdna.kdna+zip';
-  }
-
-  const zipBuffer = buildZip(zipEntries);
-  fs.writeFileSync(outPath, zipBuffer);
-
-  console.log(`Recovered asset written to: ${outPath}`);
-  console.log('Password has been reset.');
-  console.log('New recovery code: (displayed once — save it)');
-  console.log(`  ${newRecoveryCode}`);
-  console.log('  The old recovery code is no longer valid.');
-}
-
-// Simple ZIP builder for CLI usage
-function u16(n) {
-  const b = Buffer.alloc(2);
-  b.writeUInt16LE(n);
-  return b;
-}
-
-function u32(n) {
-  const b = Buffer.alloc(4);
-  b.writeUInt32LE(n);
-  return b;
-}
-
-function buildZip(entries) {
-  const localParts = [];
-  const centralParts = [];
-  let offset = 0;
-
-  for (const [name, value] of Object.entries(entries)) {
-    const nameBuf = Buffer.from(name);
-    const data = Buffer.from(value);
-    const local = Buffer.concat([
-      u32(0x04034b50), u16(20), u16(0), u16(0), u16(0), u16(0),
-      u32(0), u32(data.length), u32(data.length), u16(nameBuf.length), u16(0),
-      nameBuf, data,
-    ]);
-    localParts.push(local);
-
-    centralParts.push(
-      Buffer.concat([
-        u32(0x02014b50), u16(20), u16(20), u16(0), u16(0), u16(0), u16(0),
-        u32(0), u32(data.length), u32(data.length), u16(nameBuf.length), u16(0),
-        u16(0), u16(0), u16(0), u32(0), u32(offset), nameBuf,
-      ]),
-    );
-    offset += local.length;
-  }
-
-  const central = Buffer.concat(centralParts);
-  const local = Buffer.concat(localParts);
-  const eocd = Buffer.concat([
-    u32(0x06054b50), u16(0), u16(0), u16(centralParts.length), u16(centralParts.length),
-    u32(central.length), u32(local.length), u16(0),
-  ]);
-  return Buffer.concat([local, central, eocd]);
-}
-
-module.exports = {
-  cmdProtect,
-  cmdUnlock,
-  cmdRecover,
-};