@aikdna/kdna-core 0.4.0 → 0.5.0

package/README.md

@@ -1,6 +1,6 @@
 # @aikdna/kdna-core
 
-Pure logic library (zero dependencies) for loading, validating, linting, rendering, and composing KDNA domain cognition packages.
+Core library for loading, validating, linting, rendering, composing, and directly reading KDNA `.kdna` cognition assets. It has zero npm runtime dependencies.
 
 ## Installation
 
@@ -11,7 +11,12 @@ npm install @aikdna/kdna-core
 ## Usage
 
 ```js
-const { lintDomain, validateDomainSchema, validateCrossFile, renderDomain } = require('@aikdna/kdna-core');
+const {
+  createKdnaAssetReader,
+  lintDomain,
+  validateDomainSchema,
+  validateCrossFile
+} = require('@aikdna/kdna-core');
 
 // Validate a domain
 const dataMap = {
@@ -26,6 +31,65 @@ const crossResult = validateCrossFile(dataMap);
 
 ## API
 
+### `createKdnaAssetReader()`
+
+Direct `.kdna` container reader. The reader opens ZIP-backed `.kdna` assets without persistent extraction and exposes:
+
+- `open(pathOrBytes)`
+- `listEntries(asset)`
+- `readEntry(asset, entryName)`
+- `readJson(asset, entryName)`
+- `readManifest(asset)`
+- `readDataMap(asset)`
+- `contentDigest(asset)`
+- `verify(asset, { asset_digest?, content_digest?, requireSignature? })`
+- `loadProfile(asset, "index" | "compact" | "scenario" | "full", options?)`
+
+Example:
+
+```js
+const { createKdnaAssetReader } = require('@aikdna/kdna-core');
+
+const reader = createKdnaAssetReader();
+const asset = await reader.open('./writing.kdna');
+const manifest = await reader.readManifest(asset);
+const trust = await reader.verify(asset, { requireSignature: true });
+const loaded = await reader.loadProfile(asset, 'compact');
+```
+
+The asset reader treats extraction caches as implementation details. The `.kdna` file remains the identity, install, verification, and loading object.
+
+Licensed assets can list encrypted JSON entries in `kdna.json`:
+
+```json
+{
+  "access": "licensed",
+  "encryption": {
+    "profile": "kdna-licensed-entry-v1",
+    "encrypted_entries": ["KDNA_Core.json", "KDNA_Patterns.json"]
+  }
+}
+```
+
+The reader never writes decrypted entries to disk. Callers provide an in-memory
+`decryptEntry` hook when they have already validated license activation:
+
+```js
+const { createLicensedDecryptEntry } = require('@aikdna/kdna-core');
+
+const decryptEntry = createLicensedDecryptEntry({
+  licenseKey: activation.license_key,
+  machineFingerprint: activation.machine_fingerprint
+});
+
+const loaded = await reader.loadProfile(asset, 'compact', { decryptEntry });
+```
+
+The profile uses AES-256-GCM over each protected entry and derives the entry key
+from the license key plus machine fingerprint using `scrypt-sha256`. This is a
+runtime primitive, not a license activation system; callers must validate license
+status before passing a decrypt hook to the reader.
+
 ### `lintDomain(dataMap)`
 Structural linting — checks required files, field presence, unique IDs, yes/no answerable self-checks, cross-file references, and flags potentially vague axioms.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aikdna/kdna-core",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "KDNA core library — pure logic for loading, validating, linting, and rendering KDNA domain cognition packages. Zero Node.js dependencies.",
   "type": "commonjs",
   "main": "src/index.js",
@@ -16,7 +16,7 @@
   },
   "types": "src/types.d.ts",
   "scripts": {
-    "test": "node -e \"const m = require('./src/index.js'); console.log('kdna-core exports:', Object.keys(m).join(', '));\""
+    "test": "node --test test/*.test.js && node -e \"const m = require('./src/index.js'); console.log('kdna-core exports:', Object.keys(m).join(', '));\""
   },
   "files": [
     "src/",
@@ -32,7 +32,7 @@
   "license": "Apache-2.0",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/aikdna/KDNA.git",
+    "url": "git+https://github.com/aikdna/kdna.git",
     "directory": "packages/kdna-core"
   },
   "homepage": "https://aikdna.com",

package/src/asset-reader.js

@@ -0,0 +1,585 @@
+/**
+ * KDNA Asset Reader — direct .kdna container access.
+ *
+ * This module intentionally uses only Node.js built-ins. It reads ZIP central
+ * directory records directly so runtimes can inspect, verify, and load .kdna
+ * assets without persistent extraction to a domain directory.
+ */
+
+const fs = require('fs');
+const crypto = require('crypto');
+const zlib = require('zlib');
+const { loadDomainFromFiles, formatContext } = require('./loader');
+
+const STANDARD_ENTRIES = [
+  'kdna.json',
+  'KDNA_Core.json',
+  'KDNA_Patterns.json',
+  'KDNA_Scenarios.json',
+  'KDNA_Cases.json',
+  'KDNA_Reasoning.json',
+  'KDNA_Evolution.json',
+];
+
+const JSON_ENTRY_RE = /\.json$/i;
+
+function sha256Hex(buf) {
+  return crypto.createHash('sha256').update(buf).digest('hex');
+}
+
+function stableStringify(value) {
+  if (Array.isArray(value)) return `[${value.map(stableStringify).join(',')}]`;
+  if (value && typeof value === 'object') {
+    return `{${Object.keys(value)
+      .sort()
+      .map((key) => `${JSON.stringify(key)}:${stableStringify(value[key])}`)
+      .join(',')}}`;
+  }
+  return JSON.stringify(value);
+}
+
+function parseJson(buf, entryName) {
+  try {
+    return JSON.parse(Buffer.isBuffer(buf) ? buf.toString('utf8') : String(buf));
+  } catch (e) {
+    throw new Error(`${entryName}: invalid JSON: ${e.message}`);
+  }
+}
+
+function encryptedEntries(manifest) {
+  const entries = manifest?.encryption?.encrypted_entries;
+  return Array.isArray(entries) ? entries : [];
+}
+
+function isEncryptedEntry(manifest, entryName) {
+  return encryptedEntries(manifest).includes(entryName);
+}
+
+async function maybeDecryptEntry(asset, manifest, entryName, buf, options = {}) {
+  if (!isEncryptedEntry(manifest, entryName)) return buf;
+  if (typeof options.decryptEntry !== 'function') {
+    throw new Error(`${entryName}: encrypted entry requires decryptEntry hook`);
+  }
+  const decrypted = await options.decryptEntry({
+    asset,
+    manifest,
+    entryName,
+    ciphertext: buf,
+  });
+  if (typeof decrypted === 'string') return Buffer.from(decrypted);
+  if (Buffer.isBuffer(decrypted)) return decrypted;
+  if (decrypted instanceof Uint8Array) return Buffer.from(decrypted);
+  throw new Error(`${entryName}: decryptEntry hook must return string, Buffer, or Uint8Array`);
+}
+
+function normalizeDecryptedEntry(decrypted, entryName) {
+  if (typeof decrypted === 'string') return Buffer.from(decrypted);
+  if (Buffer.isBuffer(decrypted)) return decrypted;
+  if (decrypted instanceof Uint8Array) return Buffer.from(decrypted);
+  throw new Error(`${entryName}: decryptEntry hook must return string, Buffer, or Uint8Array`);
+}
+
+function maybeDecryptEntrySync(asset, manifest, entryName, buf, options = {}) {
+  if (!isEncryptedEntry(manifest, entryName)) return buf;
+  if (typeof options.decryptEntry !== 'function') {
+    throw new Error(`${entryName}: encrypted entry requires decryptEntry hook`);
+  }
+  const decrypted = options.decryptEntry({
+    asset,
+    manifest,
+    entryName,
+    ciphertext: buf,
+  });
+  if (decrypted && typeof decrypted.then === 'function') {
+    throw new Error(`${entryName}: decryptEntry hook must be synchronous for sync reads`);
+  }
+  return normalizeDecryptedEntry(decrypted, entryName);
+}
+
+function findEndOfCentralDirectory(buf) {
+  const min = Math.max(0, buf.length - 65557);
+  for (let i = buf.length - 22; i >= min; i--) {
+    if (buf.readUInt32LE(i) === 0x06054b50) return i;
+  }
+  throw new Error('Invalid .kdna asset: ZIP end-of-central-directory not found');
+}
+
+function parseZipEntries(buf) {
+  const eocd = findEndOfCentralDirectory(buf);
+  const totalEntries = buf.readUInt16LE(eocd + 10);
+  const centralDirOffset = buf.readUInt32LE(eocd + 16);
+  const entries = new Map();
+  let offset = centralDirOffset;
+
+  for (let i = 0; i < totalEntries; i++) {
+    if (buf.readUInt32LE(offset) !== 0x02014b50) {
+      throw new Error(`Invalid .kdna asset: ZIP central directory is corrupt at ${offset}`);
+    }
+
+    const method = buf.readUInt16LE(offset + 10);
+    const compressedSize = buf.readUInt32LE(offset + 20);
+    const uncompressedSize = buf.readUInt32LE(offset + 24);
+    const nameLen = buf.readUInt16LE(offset + 28);
+    const extraLen = buf.readUInt16LE(offset + 30);
+    const commentLen = buf.readUInt16LE(offset + 32);
+    const localHeaderOffset = buf.readUInt32LE(offset + 42);
+    const name = buf.slice(offset + 46, offset + 46 + nameLen).toString('utf8');
+
+    offset += 46 + nameLen + extraLen + commentLen;
+    if (!name || name.endsWith('/')) continue;
+
+    entries.set(name, {
+      name,
+      method,
+      compressedSize,
+      uncompressedSize,
+      localHeaderOffset,
+    });
+  }
+
+  return entries;
+}
+
+function readZipEntry(buf, entry) {
+  const offset = entry.localHeaderOffset;
+  if (buf.readUInt32LE(offset) !== 0x04034b50) {
+    throw new Error(`Invalid .kdna asset: local header missing for ${entry.name}`);
+  }
+
+  const nameLen = buf.readUInt16LE(offset + 26);
+  const extraLen = buf.readUInt16LE(offset + 28);
+  const dataStart = offset + 30 + nameLen + extraLen;
+  const compressed = buf.slice(dataStart, dataStart + entry.compressedSize);
+
+  if (entry.method === 0) return compressed;
+  if (entry.method === 8) return zlib.inflateRawSync(compressed);
+  throw new Error(`${entry.name}: unsupported ZIP compression method ${entry.method}`);
+}
+
+function normalizeInput(input) {
+  if (Buffer.isBuffer(input)) return { buffer: input, path: null };
+  if (input instanceof Uint8Array) return { buffer: Buffer.from(input), path: null };
+  if (typeof input !== 'string') {
+    throw new Error('KdnaAssetReader.open expects a file path, Buffer, or Uint8Array');
+  }
+  return { buffer: fs.readFileSync(input), path: input };
+}
+
+function manifestForDigest(manifest) {
+  const copy = { ...(manifest || {}) };
+  delete copy.signature;
+  delete copy.asset_digest;
+  delete copy.container_sha256;
+  delete copy.content_digest;
+  delete copy._source;
+  return copy;
+}
+
+function buildContentDigest(asset) {
+  const parts = [];
+  for (const entryName of [...asset.entries.keys()].sort()) {
+    if (entryName === '.DS_Store' || entryName === 'signature.json') continue;
+    const entryBuf = asset.readEntry(entryName);
+    let digestBuf = entryBuf;
+    if (entryName === 'kdna.json') {
+      digestBuf = Buffer.from(stableStringify(manifestForDigest(parseJson(entryBuf, entryName))));
+    }
+    parts.push(`${entryName}:${sha256Hex(digestBuf)}`);
+  }
+  return `sha256:${sha256Hex(Buffer.from(parts.join('\n')))}`;
+}
+
+function manifestForSignature(manifest, { stripDigestFields = true } = {}) {
+  const copy = { ...(manifest || {}) };
+  delete copy.signature;
+  delete copy._source;
+  if (stripDigestFields) {
+    delete copy.asset_digest;
+    delete copy.container_sha256;
+    delete copy.content_digest;
+  }
+  return copy;
+}
+
+function buildSigningPayload(asset, options = {}) {
+  const parts = [];
+  for (const entryName of [...asset.entries.keys()].filter((name) => JSON_ENTRY_RE.test(name)).sort()) {
+    if (entryName === 'signature.json') continue;
+    const entryBuf = asset.readEntry(entryName);
+    let payloadBuf = entryBuf;
+    if (entryName === 'kdna.json') {
+      payloadBuf = Buffer.from(
+        JSON.stringify(manifestForSignature(parseJson(entryBuf, entryName), options)),
+      );
+    }
+    parts.push(`${entryName}:${sha256Hex(payloadBuf)}`);
+  }
+  return parts.join('\n');
+}
+
+function verifySignature(asset, manifest, errors, warnings) {
+  if (!manifest.signature) {
+    warnings.push('kdna.json.signature missing');
+    return null;
+  }
+  if (!manifest.author?.public_key_pem) {
+    errors.push('kdna.json.author.public_key_pem missing');
+    return false;
+  }
+  if (!manifest.author?.pubkey) {
+    errors.push('kdna.json.author.pubkey missing');
+    return false;
+  }
+
+  const fingerprint = `ed25519:${sha256Hex(Buffer.from(manifest.author.public_key_pem))}`;
+  if (fingerprint !== manifest.author.pubkey) {
+    errors.push('author.public_key_pem fingerprint does not match author.pubkey');
+    return false;
+  }
+
+  try {
+    const signature = Buffer.from(String(manifest.signature).replace(/^ed25519:/, ''), 'hex');
+    const publicKey = crypto.createPublicKey(manifest.author.public_key_pem);
+    let ok = crypto.verify(null, Buffer.from(buildSigningPayload(asset)), publicKey, signature);
+    if (!ok) {
+      ok = crypto.verify(
+        null,
+        Buffer.from(buildSigningPayload(asset, { stripDigestFields: false })),
+        publicKey,
+        signature,
+      );
+    }
+    if (!ok) errors.push('Ed25519 signature invalid');
+    return ok;
+  } catch (e) {
+    errors.push(`signature verification failed: ${e.message}`);
+    return false;
+  }
+}
+
+function openAsset(input) {
+  const { buffer, path } = normalizeInput(input);
+  const entries = parseZipEntries(buffer);
+  return {
+    path,
+    size: buffer.length,
+    asset_digest: `sha256:${sha256Hex(buffer)}`,
+    entries,
+    readEntry(name) {
+      const entry = entries.get(name);
+      if (!entry) throw new Error(`Entry not found in .kdna asset: ${name}`);
+      return readZipEntry(buffer, entry);
+    },
+  };
+}
+
+function listEntries(asset) {
+  return [...asset.entries.keys()].sort();
+}
+
+function readEntry(asset, entryName, encoding) {
+  const buf = asset.readEntry(entryName);
+  return encoding ? buf.toString(encoding) : buf;
+}
+
+function readManifest(asset) {
+  return parseJson(asset.readEntry('kdna.json'), 'kdna.json');
+}
+
+function readDataMapSync(asset, entries = STANDARD_ENTRIES, options = {}) {
+  const dataMap = {};
+  const manifest = readManifest(asset);
+  const encrypted = encryptedEntries(manifest).filter((entryName) => entries.includes(entryName));
+  if (encrypted.length && typeof options.decryptEntry !== 'function') {
+    throw new Error(`encrypted entries require decryptEntry hook: ${encrypted.join(', ')}`);
+  }
+  for (const entryName of entries) {
+    if (!asset.entries.has(entryName)) continue;
+    const buf = maybeDecryptEntrySync(asset, manifest, entryName, asset.readEntry(entryName), options);
+    dataMap[entryName] = parseJson(buf, entryName);
+  }
+  return dataMap;
+}
+
+function verifySync(asset, options = {}) {
+  const errors = [];
+  const warnings = [];
+  const entries = listEntries(asset);
+
+  if (!asset.entries.has('kdna.json')) errors.push('required entry missing: kdna.json');
+  if (!asset.entries.has('KDNA_Core.json')) errors.push('required entry missing: KDNA_Core.json');
+  if (!asset.entries.has('KDNA_Patterns.json')) {
+    errors.push('required entry missing: KDNA_Patterns.json');
+  }
+
+  const content_digest = buildContentDigest(asset);
+  const asset_digest = asset.asset_digest;
+  if (options.asset_digest && options.asset_digest !== asset_digest) {
+    errors.push(`asset digest mismatch: expected ${options.asset_digest}, got ${asset_digest}`);
+  }
+  if (options.content_digest && options.content_digest !== content_digest) {
+    errors.push(`content digest mismatch: expected ${options.content_digest}, got ${content_digest}`);
+  }
+
+  let manifest = null;
+  let signature_valid = null;
+  if (asset.entries.has('kdna.json')) {
+    try {
+      manifest = readManifest(asset);
+      const encrypted = encryptedEntries(manifest);
+      if (encrypted.length) {
+        warnings.push(`encrypted entries present: ${encrypted.join(', ')}`);
+        if (options.requireDecryption && typeof options.decryptEntry !== 'function') {
+          errors.push('decryptEntry hook required for encrypted entries');
+        }
+        if (typeof options.decryptEntry === 'function') {
+          for (const entryName of encrypted) {
+            if (!asset.entries.has(entryName)) {
+              errors.push(`encrypted entry listed but missing: ${entryName}`);
+              continue;
+            }
+            try {
+              const decrypted = maybeDecryptEntrySync(
+                asset,
+                manifest,
+                entryName,
+                asset.readEntry(entryName),
+                options,
+              );
+              parseJson(decrypted, entryName);
+            } catch (e) {
+              errors.push(e.message);
+            }
+          }
+        }
+      }
+      if (options.requireSignature || manifest.signature) {
+        signature_valid = verifySignature(asset, manifest, errors, warnings);
+      }
+    } catch (e) {
+      errors.push(e.message);
+    }
+  }
+
+  return {
+    ok: errors.length === 0,
+    errors,
+    warnings,
+    entries,
+    manifest,
+    asset_digest,
+    content_digest,
+    signature_valid,
+  };
+}
+
+function loadProfileSync(asset, profile = 'compact', options = {}) {
+  const manifest = readManifest(asset);
+  if (profile === 'index') {
+    return {
+      profile,
+      manifest,
+      asset_digest: asset.asset_digest,
+      content_digest: buildContentDigest(asset),
+      entries: listEntries(asset),
+      name: manifest.name || manifest.asset_id || null,
+      version: manifest.version || null,
+      judgment_version: manifest.judgment_version || null,
+      keywords: manifest.keywords || [],
+    };
+  }
+  const dataMap = readDataMapSync(asset, STANDARD_ENTRIES, options);
+  const mode = profile === 'full' ? 'all' : profile === 'scenario' ? 'auto' : 'minimum';
+  const domain = loadDomainFromFiles(dataMap, { mode, input: options.input || '' });
+  return {
+    profile,
+    manifest,
+    domain,
+    context: options.context === false || !domain ? null : formatContext(domain),
+  };
+}
+
+function createKdnaAssetReader() {
+  return {
+    openSync: openAsset,
+
+    async open(input) {
+      return openAsset(input);
+    },
+
+    listEntriesSync: listEntries,
+
+    async listEntries(asset) {
+      return listEntries(asset);
+    },
+
+    readEntrySync: readEntry,
+
+    async readEntry(asset, entryName, encoding) {
+      return readEntry(asset, entryName, encoding);
+    },
+
+    readJsonSync(asset, entryName, options = {}) {
+      if (!asset.entries.has(entryName)) return null;
+      const manifest =
+        entryName === 'kdna.json' ? null : parseJson(asset.readEntry('kdna.json'), 'kdna.json');
+      const buf = maybeDecryptEntrySync(asset, manifest, entryName, asset.readEntry(entryName), options);
+      return parseJson(buf, entryName);
+    },
+
+    async readJson(asset, entryName, options = {}) {
+      if (!asset.entries.has(entryName)) return null;
+      const manifest =
+        entryName === 'kdna.json' ? null : parseJson(asset.readEntry('kdna.json'), 'kdna.json');
+      const buf = await maybeDecryptEntry(
+        asset,
+        manifest,
+        entryName,
+        asset.readEntry(entryName),
+        options,
+      );
+      return parseJson(buf, entryName);
+    },
+
+    readManifestSync: readManifest,
+
+    async readManifest(asset) {
+      return readManifest(asset);
+    },
+
+    readDataMapSync,
+
+    async readDataMap(asset, entries = STANDARD_ENTRIES, options = {}) {
+      const dataMap = {};
+      const manifest = await this.readManifest(asset);
+      for (const entryName of entries) {
+        if (!asset.entries.has(entryName)) continue;
+        const buf = await maybeDecryptEntry(
+          asset,
+          manifest,
+          entryName,
+          asset.readEntry(entryName),
+          options,
+        );
+        dataMap[entryName] = parseJson(buf, entryName);
+      }
+      return dataMap;
+    },
+
+    contentDigestSync: buildContentDigest,
+
+    async contentDigest(asset) {
+      return buildContentDigest(asset);
+    },
+
+    verifySync,
+
+    async verify(asset, options = {}) {
+      const errors = [];
+      const warnings = [];
+      const entries = [...asset.entries.keys()].sort();
+
+      if (!asset.entries.has('kdna.json')) errors.push('required entry missing: kdna.json');
+      if (!asset.entries.has('KDNA_Core.json')) errors.push('required entry missing: KDNA_Core.json');
+      if (!asset.entries.has('KDNA_Patterns.json')) {
+        errors.push('required entry missing: KDNA_Patterns.json');
+      }
+
+      const content_digest = buildContentDigest(asset);
+      const asset_digest = asset.asset_digest;
+      if (options.asset_digest && options.asset_digest !== asset_digest) {
+        errors.push(`asset digest mismatch: expected ${options.asset_digest}, got ${asset_digest}`);
+      }
+      if (options.content_digest && options.content_digest !== content_digest) {
+        errors.push(
+          `content digest mismatch: expected ${options.content_digest}, got ${content_digest}`,
+        );
+      }
+
+      let manifest = null;
+      let signature_valid = null;
+      if (asset.entries.has('kdna.json')) {
+        try {
+          manifest = parseJson(asset.readEntry('kdna.json'), 'kdna.json');
+          const encrypted = encryptedEntries(manifest);
+          if (encrypted.length) {
+            warnings.push(`encrypted entries present: ${encrypted.join(', ')}`);
+            if (options.requireDecryption && typeof options.decryptEntry !== 'function') {
+              errors.push('decryptEntry hook required for encrypted entries');
+            }
+            if (typeof options.decryptEntry === 'function') {
+              for (const entryName of encrypted) {
+                if (!asset.entries.has(entryName)) {
+                  errors.push(`encrypted entry listed but missing: ${entryName}`);
+                  continue;
+                }
+                try {
+                  const decrypted = await maybeDecryptEntry(
+                    asset,
+                    manifest,
+                    entryName,
+                    asset.readEntry(entryName),
+                    options,
+                  );
+                  parseJson(decrypted, entryName);
+                } catch (e) {
+                  errors.push(e.message);
+                }
+              }
+            }
+          }
+          if (options.requireSignature || manifest.signature) {
+            signature_valid = verifySignature(asset, manifest, errors, warnings);
+          }
+        } catch (e) {
+          errors.push(e.message);
+        }
+      }
+
+      return {
+        ok: errors.length === 0,
+        errors,
+        warnings,
+        entries,
+        manifest,
+        asset_digest,
+        content_digest,
+        signature_valid,
+      };
+    },
+
+    loadProfileSync,
+
+    async loadProfile(asset, profile = 'compact', options = {}) {
+      const manifest = await this.readManifest(asset);
+      if (profile === 'index') {
+        return {
+          profile,
+          manifest,
+          asset_digest: asset.asset_digest,
+          content_digest: buildContentDigest(asset),
+          entries: await this.listEntries(asset),
+          name: manifest.name || manifest.asset_id || null,
+          version: manifest.version || null,
+          judgment_version: manifest.judgment_version || null,
+          keywords: manifest.keywords || [],
+        };
+      }
+
+      const dataMap = await this.readDataMap(asset, STANDARD_ENTRIES, options);
+      const mode = profile === 'full' ? 'all' : profile === 'scenario' ? 'auto' : 'minimum';
+      const domain = loadDomainFromFiles(dataMap, { mode, input: options.input || '' });
+      return {
+        profile,
+        manifest,
+        domain,
+        context: options.context === false || !domain ? null : formatContext(domain),
+      };
+    },
+  };
+}
+
+module.exports = {
+  STANDARD_ENTRIES,
+  createKdnaAssetReader,
+};

package/src/crypto-profile.js

@@ -0,0 +1,106 @@
+const crypto = require('crypto');
+
+const LICENSED_ENTRY_PROFILE = 'kdna-licensed-entry-v1';
+const KDF = 'scrypt-sha256';
+const ALG = 'AES-256-GCM';
+
+function toBuffer(value, label) {
+  if (Buffer.isBuffer(value)) return value;
+  if (value instanceof Uint8Array) return Buffer.from(value);
+  if (typeof value === 'string') return Buffer.from(value, 'utf8');
+  throw new Error(`${label} must be a string, Buffer, or Uint8Array`);
+}
+
+function decodeBase64(value, label) {
+  if (typeof value !== 'string' || !value) throw new Error(`${label} must be base64`);
+  return Buffer.from(value, 'base64');
+}
+
+function normalizeEnvelope(value) {
+  if (Buffer.isBuffer(value) || value instanceof Uint8Array) {
+    return JSON.parse(Buffer.from(value).toString('utf8'));
+  }
+  if (typeof value === 'string') return JSON.parse(value);
+  if (value && typeof value === 'object') return value;
+  throw new Error('encrypted entry envelope must be JSON');
+}
+
+function deriveLicensedEntryKey(options = {}) {
+  const { licenseKey, machineFingerprint, salt, keyLength = 32 } = options;
+  if (!licenseKey) throw new Error('licenseKey is required');
+  if (!machineFingerprint) throw new Error('machineFingerprint is required');
+  const saltBuffer = Buffer.isBuffer(salt) || salt instanceof Uint8Array
+    ? Buffer.from(salt)
+    : decodeBase64(salt, 'salt');
+  const secret = `${licenseKey}|${machineFingerprint}`;
+  return crypto.scryptSync(secret, saltBuffer, keyLength);
+}
+
+function encryptedEntryAad(entryName, manifest = {}) {
+  return Buffer.from(
+    [
+      LICENSED_ENTRY_PROFILE,
+      manifest.name || manifest.asset_id || '',
+      manifest.version || '',
+      entryName,
+    ].join('\n'),
+    'utf8',
+  );
+}
+
+function encryptLicensedEntry(plaintext, options = {}) {
+  const { entryName, manifest = {}, licenseKey, machineFingerprint } = options;
+  if (!entryName) throw new Error('entryName is required');
+  const salt = crypto.randomBytes(16);
+  const iv = crypto.randomBytes(12);
+  const key = deriveLicensedEntryKey({ licenseKey, machineFingerprint, salt });
+  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+  cipher.setAAD(encryptedEntryAad(entryName, manifest));
+  const ciphertext = Buffer.concat([cipher.update(toBuffer(plaintext, 'plaintext')), cipher.final()]);
+  return {
+    profile: LICENSED_ENTRY_PROFILE,
+    alg: ALG,
+    kdf: KDF,
+    salt: salt.toString('base64'),
+    iv: iv.toString('base64'),
+    tag: cipher.getAuthTag().toString('base64'),
+    ciphertext: ciphertext.toString('base64'),
+  };
+}
+
+function decryptLicensedEntry(envelopeValue, options = {}) {
+  const { entryName, manifest = {}, licenseKey, machineFingerprint } = options;
+  if (!entryName) throw new Error('entryName is required');
+  const envelope = normalizeEnvelope(envelopeValue);
+  if (envelope.profile !== LICENSED_ENTRY_PROFILE) {
+    throw new Error(`unsupported encrypted entry profile: ${envelope.profile || 'unknown'}`);
+  }
+  if (envelope.alg !== ALG) throw new Error(`unsupported encrypted entry alg: ${envelope.alg}`);
+  if (envelope.kdf !== KDF) throw new Error(`unsupported encrypted entry kdf: ${envelope.kdf}`);
+  const key = deriveLicensedEntryKey({
+    licenseKey,
+    machineFingerprint,
+    salt: envelope.salt,
+  });
+  const decipher = crypto.createDecipheriv('aes-256-gcm', key, decodeBase64(envelope.iv, 'iv'));
+  decipher.setAAD(encryptedEntryAad(entryName, manifest));
+  decipher.setAuthTag(decodeBase64(envelope.tag, 'tag'));
+  return Buffer.concat([
+    decipher.update(decodeBase64(envelope.ciphertext, 'ciphertext')),
+    decipher.final(),
+  ]);
+}
+
+function createLicensedDecryptEntry(options = {}) {
+  const { licenseKey, machineFingerprint } = options;
+  return ({ entryName, ciphertext, manifest }) =>
+    decryptLicensedEntry(ciphertext, { entryName, manifest, licenseKey, machineFingerprint });
+}
+
+module.exports = {
+  LICENSED_ENTRY_PROFILE,
+  deriveLicensedEntryKey,
+  encryptLicensedEntry,
+  decryptLicensedEntry,
+  createLicensedDecryptEntry,
+};

package/src/index.js

@@ -6,6 +6,8 @@ const lint = require('./lint-pure');
 const validate = require('./validate-pure');
 const render = require('./render');
 const compose = require('./compose');
+const assetReader = require('./asset-reader');
+const cryptoProfile = require('./crypto-profile');
 
 module.exports = {
   ...loader,
@@ -13,4 +15,6 @@ module.exports = {
   ...validate,
   ...render,
   ...compose,
+  ...assetReader,
+  ...cryptoProfile,
 };

package/src/index.mjs

@@ -17,3 +17,14 @@ export { validateDomainSchema, validateCrossFile } from './validate-pure.js';
 export { renderPreviewHTML, escHtml, renderCard } from './render.js';
 
 export { composeContext, composeContextWithAttribution, classifySignals, classifySignalsAcrossDomains, composeChecks, loadAndCompose, loadCluster, detectDomainConflicts, generateClusterTrace } from './compose.js';
+
+import assetReader from './asset-reader.js';
+import cryptoProfile from './crypto-profile.js';
+
+export const STANDARD_ENTRIES = assetReader.STANDARD_ENTRIES;
+export const createKdnaAssetReader = assetReader.createKdnaAssetReader;
+export const LICENSED_ENTRY_PROFILE = cryptoProfile.LICENSED_ENTRY_PROFILE;
+export const deriveLicensedEntryKey = cryptoProfile.deriveLicensedEntryKey;
+export const encryptLicensedEntry = cryptoProfile.encryptLicensedEntry;
+export const decryptLicensedEntry = cryptoProfile.decryptLicensedEntry;
+export const createLicensedDecryptEntry = cryptoProfile.createLicensedDecryptEntry;

package/src/types.d.ts

@@ -206,12 +206,23 @@ export interface KDNAManifest {
   kdna_spec: string;
   name: string;
   version: string;
-  status: 'experimental' | 'basic' | 'stable' | 'pro';
+  judgment_version?: string;
+  status: 'draft' | 'experimental' | 'stable' | 'deprecated' | 'basic' | 'pro';
   access: 'open' | 'licensed' | 'runtime';
-  language: string;
-  author: { name: string; id?: string };
+  language?: string;
+  default_language?: string;
+  languages?: string[];
+  author: { name: string; id?: string; pubkey?: string; public_key_pem?: string };
   license: { type: string; url?: string };
   description: string;
+  keywords?: string[];
+  encryption?: {
+    profile?: string;
+    encrypted_entries?: string[];
+    [key: string]: any;
+  };
+  content_digest?: string;
+  signature?: string;
 }
 
 export interface LintResult {
@@ -241,6 +252,167 @@ export function formatContext(domain: LoadedDomain): string;
 
 export const FILE_MAP: Record<string, string>;
 
+// Asset reader — direct .kdna API
+export const STANDARD_ENTRIES: string[];
+
+export interface KdnaAsset {
+  path: string | null;
+  size: number;
+  asset_digest: string;
+  entries: Map<string, unknown>;
+  readEntry(name: string): Uint8Array;
+}
+
+export interface KdnaAssetVerifyResult {
+  ok: boolean;
+  errors: string[];
+  warnings: string[];
+  entries: string[];
+  manifest: KDNAManifest | null;
+  asset_digest: string;
+  content_digest: string;
+  signature_valid: boolean | null;
+}
+
+export interface KdnaAssetIndexProfile {
+  profile: 'index';
+  manifest: KDNAManifest;
+  asset_digest: string;
+  content_digest: string;
+  entries: string[];
+  name: string | null;
+  version: string | null;
+  judgment_version: string | null;
+  keywords: string[];
+}
+
+export interface KdnaAssetLoadProfile {
+  profile: string;
+  manifest: KDNAManifest;
+  domain: LoadedDomain | null;
+  context: string | null;
+}
+
+export interface KdnaAssetReader {
+  openSync(input: string | Uint8Array): KdnaAsset;
+  open(input: string | Uint8Array): Promise<KdnaAsset>;
+  listEntriesSync(asset: KdnaAsset): string[];
+  listEntries(asset: KdnaAsset): Promise<string[]>;
+  readEntrySync(asset: KdnaAsset, entryName: string): Uint8Array;
+  readEntrySync(asset: KdnaAsset, entryName: string, encoding: string): string;
+  readEntry(asset: KdnaAsset, entryName: string): Promise<Uint8Array>;
+  readEntry(asset: KdnaAsset, entryName: string, encoding: string): Promise<string>;
+  readJsonSync(asset: KdnaAsset, entryName: string, options?: KdnaDecryptOptions): any;
+  readJson(asset: KdnaAsset, entryName: string, options?: KdnaDecryptOptions): Promise<any>;
+  readManifestSync(asset: KdnaAsset): KDNAManifest;
+  readManifest(asset: KdnaAsset): Promise<KDNAManifest>;
+  readDataMapSync(
+    asset: KdnaAsset,
+    entries?: string[],
+    options?: KdnaDecryptOptions,
+  ): KDNAFileDataMap;
+  readDataMap(
+    asset: KdnaAsset,
+    entries?: string[],
+    options?: KdnaDecryptOptions,
+  ): Promise<KDNAFileDataMap>;
+  contentDigestSync(asset: KdnaAsset): string;
+  contentDigest(asset: KdnaAsset): Promise<string>;
+  verifySync(
+    asset: KdnaAsset,
+    options?: {
+      asset_digest?: string;
+      content_digest?: string;
+      requireSignature?: boolean;
+      requireDecryption?: boolean;
+    } & KdnaDecryptOptions,
+  ): KdnaAssetVerifyResult;
+  verify(
+    asset: KdnaAsset,
+    options?: {
+      asset_digest?: string;
+      content_digest?: string;
+      requireSignature?: boolean;
+      requireDecryption?: boolean;
+    } & KdnaDecryptOptions,
+  ): Promise<KdnaAssetVerifyResult>;
+  loadProfileSync(
+    asset: KdnaAsset,
+    profile: 'index',
+    options?: { input?: string; context?: boolean } & KdnaDecryptOptions,
+  ): KdnaAssetIndexProfile;
+  loadProfileSync(
+    asset: KdnaAsset,
+    profile?: 'compact' | 'scenario' | 'full' | string,
+    options?: { input?: string; context?: boolean } & KdnaDecryptOptions,
+  ): KdnaAssetLoadProfile;
+  loadProfile(
+    asset: KdnaAsset,
+    profile: 'index',
+    options?: { input?: string; context?: boolean } & KdnaDecryptOptions,
+  ): Promise<KdnaAssetIndexProfile>;
+  loadProfile(
+    asset: KdnaAsset,
+    profile?: 'compact' | 'scenario' | 'full' | string,
+    options?: { input?: string; context?: boolean } & KdnaDecryptOptions,
+  ): Promise<KdnaAssetLoadProfile>;
+}
+
+export interface KdnaDecryptOptions {
+  decryptEntry?: (args: {
+    asset: KdnaAsset;
+    manifest: KDNAManifest;
+    entryName: string;
+    ciphertext: Uint8Array;
+  }) => string | Uint8Array | Promise<string | Uint8Array>;
+}
+
+export function createKdnaAssetReader(): KdnaAssetReader;
+
+export const LICENSED_ENTRY_PROFILE: string;
+
+export interface LicensedEntryEnvelope {
+  profile: string;
+  alg: 'AES-256-GCM';
+  kdf: 'scrypt-sha256';
+  salt: string;
+  iv: string;
+  tag: string;
+  ciphertext: string;
+}
+
+export function deriveLicensedEntryKey(options: {
+  licenseKey: string;
+  machineFingerprint: string;
+  salt: string | Uint8Array;
+  keyLength?: number;
+}): Uint8Array;
+
+export function encryptLicensedEntry(
+  plaintext: string | Uint8Array,
+  options: {
+    entryName: string;
+    manifest?: KDNAManifest;
+    licenseKey: string;
+    machineFingerprint: string;
+  },
+): LicensedEntryEnvelope;
+
+export function decryptLicensedEntry(
+  envelope: string | Uint8Array | LicensedEntryEnvelope,
+  options: {
+    entryName: string;
+    manifest?: KDNAManifest;
+    licenseKey: string;
+    machineFingerprint: string;
+  },
+): Uint8Array;
+
+export function createLicensedDecryptEntry(options: {
+  licenseKey: string;
+  machineFingerprint: string;
+}): NonNullable<KdnaDecryptOptions['decryptEntry']>;
+
 // Lint
 export function lintDomain(dataMap: KDNAFileDataMap): LintResult;
 

package/src/validate-pure.js

@@ -45,9 +45,6 @@ function validateDomainSchema(dataMap, schemaMap) {
     return { valid: true, errors: [], warnings };
   }
 
-  let validCount = 0;
-  let failCount = 0;
-
   for (const [file, schemaFile] of Object.entries(FILE_TO_SCHEMA)) {
     if (!dataMap[file]) continue;
     if (!schemaMap[schemaFile]) {
@@ -69,10 +66,7 @@ function validateDomainSchema(dataMap, schemaMap) {
     const validate = ajvInstance.compile(schema);
     const valid = validate(dataMap[file]);
 
-    if (valid) {
-      validCount++;
-    } else {
-      failCount++;
+    if (!valid) {
       for (const err of validate.errors || []) {
         const instancePath = err.instancePath || '/';
         errors.push(`${file}${instancePath}: ${err.message} (${err.keyword})`);