docs: document m2pack subcommands

Add a Phase 4 'm2pack commands' section to docs/cli.md with each
subcommand's flags and a pointer at the m2pack-secure repo for
installation. Update README.md with a short m2pack paragraph and
append the Phase 4 entry to the Unreleased CHANGELOG section.

CHANGELOG.md

@@ -11,6 +11,9 @@ contract.
 
 ### Added
 
+- `metin-release m2pack <build|verify|diff|export-runtime-key>` subcommands that wrap the m2pack-secure binary.
+- `m2pack_build`, `m2pack_verify`, `m2pack_diff`, `m2pack_export_runtime_key` MCP tools mirroring the CLI surface.
+- `src/metin_release/m2pack_binary.py` binary-discovery helper using `M2PACK_BINARY` env var or `PATH`.
 - `metin_release_mcp` package and `metin-release-mcp` console script — a
   thin Model Context Protocol stdio server that wraps the Phase 1
   `release …` subcommands as eight MCP tools (`release_inspect`,

README.md

@@ -32,6 +32,20 @@ Add `--json` to get a machine-parseable envelope on stdout. Exit codes:
 
 See `docs/cli.md` for the full command reference.
 
+## m2pack commands
+
+Phase 4 adds a `metin-release m2pack …` command group that wraps the
+[`m2pack-secure`](https://gitea.jakubkadlec.dev/metin-server/m2pack-secure)
+binary for building, verifying, diffing, and runtime-key-exporting
+signed `.m2p` archives. The binary is not bundled — build it from the
+m2pack-secure repo and either put it on `PATH` or set `M2PACK_BINARY`
+to an absolute path.
+
+```
+metin-release m2pack build --input ... --output a.m2p --key ck --sign-secret-key sk
+metin-release m2pack verify --archive a.m2p --public-key pk
+```
+
 ## MCP server
 
 The `metin-release-mcp` console script (Phase 3) exposes each Phase 1

docs/cli.md

@@ -1,6 +1,7 @@
 # metin-release — CLI reference
 
-Phase 1 commands. All subcommands share the top-level flags.
+Phase 1 `release …` commands and Phase 4 `m2pack …` commands. All
+subcommands share the top-level flags.
 
 ## Top-level flags
 
@@ -145,3 +146,75 @@ metin-release release publish \
     [--created-at ...] [--sample-blobs N] \
     [--yes] [--force] [--dry-run-upload]
 ```
+
+## m2pack commands
+
+Phase 4 subcommands wrap the `m2pack-secure` binary and translate its
+JSON envelopes into the standard metin-release result envelope. The
+binary is **not** shipped with this CLI — build it from
+[`metin-server/m2pack-secure`](https://gitea.jakubkadlec.dev/metin-server/m2pack-secure)
+and either put it on `PATH` or point at it via the `M2PACK_BINARY`
+environment variable.
+
+All m2pack commands pass through `--json` to the real tool, so the
+raw m2pack envelope is always available under `data.m2pack`. When
+m2pack exits non-zero or emits non-JSON output the wrapper raises a
+subprocess error with `m2pack_failed` / `m2pack_invalid_json` /
+`m2pack_empty_output` error codes.
+
+### `m2pack build`
+
+Build a signed `.m2p` archive from a client asset directory.
+
+```
+metin-release m2pack build \
+    --input /path/to/client-assets \
+    --output /path/to/out.m2p \
+    --key /path/to/content.key \
+    --sign-secret-key /path/to/signing.sk \
+    [--key-id N]
+```
+
+### `m2pack verify`
+
+Verify an `.m2p` archive's signature (and optionally full-decrypt it).
+
+```
+metin-release m2pack verify \
+    --archive /path/to/a.m2p \
+    [--public-key /path/to/signing.pub] \
+    [--key /path/to/content.key]
+```
+
+Passing `--key` enables full-decrypt verification; omitting it only
+checks manifest structure and signature.
+
+### `m2pack diff`
+
+Diff two directories and/or `.m2p` archives. Either side can be a
+directory or an archive; m2pack figures it out.
+
+```
+metin-release m2pack diff --left /old --right /new.m2p
+```
+
+The wrapper promotes m2pack's added/removed/changed/unchanged counts
+into `data.stats` when available.
+
+### `m2pack export-runtime-key`
+
+Export a launcher runtime-key payload (json or raw blob) from a master
+content key + signing public key. Used to seed the launcher's bundled
+runtime-key file during release workflows.
+
+```
+metin-release m2pack export-runtime-key \
+    --key /path/to/content.key \
+    --public-key /path/to/signing.pub \
+    --output /path/to/runtime-key.json \
+    [--key-id N] [--format json|blob]
+```
+
+See `docs/key-rotation.md` in `m2pack-secure` for when to re-export
+runtime keys.
+