diff --git a/CHANGELOG.md b/CHANGELOG.md index 4db8281..ad66862 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,9 @@ contract. ### Added +- `metin-release m2pack ` subcommands that wrap the m2pack-secure binary. +- `m2pack_build`, `m2pack_verify`, `m2pack_diff`, `m2pack_export_runtime_key` MCP tools mirroring the CLI surface. +- `src/metin_release/m2pack_binary.py` binary-discovery helper using `M2PACK_BINARY` env var or `PATH`. - `metin_release_mcp` package and `metin-release-mcp` console script — a thin Model Context Protocol stdio server that wraps the Phase 1 `release …` subcommands as eight MCP tools (`release_inspect`, diff --git a/README.md b/README.md index e40c6c9..0499273 100644 --- a/README.md +++ b/README.md @@ -32,6 +32,20 @@ Add `--json` to get a machine-parseable envelope on stdout. Exit codes: See `docs/cli.md` for the full command reference. +## m2pack commands + +Phase 4 adds a `metin-release m2pack …` command group that wraps the +[`m2pack-secure`](https://gitea.jakubkadlec.dev/metin-server/m2pack-secure) +binary for building, verifying, diffing, and runtime-key-exporting +signed `.m2p` archives. The binary is not bundled — build it from the +m2pack-secure repo and either put it on `PATH` or set `M2PACK_BINARY` +to an absolute path. + +``` +metin-release m2pack build --input ... --output a.m2p --key ck --sign-secret-key sk +metin-release m2pack verify --archive a.m2p --public-key pk +``` + ## MCP server The `metin-release-mcp` console script (Phase 3) exposes each Phase 1 diff --git a/docs/cli.md b/docs/cli.md index 42f2f00..e3a5ebb 100644 --- a/docs/cli.md +++ b/docs/cli.md @@ -1,6 +1,7 @@ # metin-release — CLI reference -Phase 1 commands. All subcommands share the top-level flags. +Phase 1 `release …` commands and Phase 4 `m2pack …` commands. All +subcommands share the top-level flags. ## Top-level flags @@ -145,3 +146,75 @@ metin-release release publish \ [--created-at ...] [--sample-blobs N] \ [--yes] [--force] [--dry-run-upload] ``` + +## m2pack commands + +Phase 4 subcommands wrap the `m2pack-secure` binary and translate its +JSON envelopes into the standard metin-release result envelope. The +binary is **not** shipped with this CLI — build it from +[`metin-server/m2pack-secure`](https://gitea.jakubkadlec.dev/metin-server/m2pack-secure) +and either put it on `PATH` or point at it via the `M2PACK_BINARY` +environment variable. + +All m2pack commands pass through `--json` to the real tool, so the +raw m2pack envelope is always available under `data.m2pack`. When +m2pack exits non-zero or emits non-JSON output the wrapper raises a +subprocess error with `m2pack_failed` / `m2pack_invalid_json` / +`m2pack_empty_output` error codes. + +### `m2pack build` + +Build a signed `.m2p` archive from a client asset directory. + +``` +metin-release m2pack build \ + --input /path/to/client-assets \ + --output /path/to/out.m2p \ + --key /path/to/content.key \ + --sign-secret-key /path/to/signing.sk \ + [--key-id N] +``` + +### `m2pack verify` + +Verify an `.m2p` archive's signature (and optionally full-decrypt it). + +``` +metin-release m2pack verify \ + --archive /path/to/a.m2p \ + [--public-key /path/to/signing.pub] \ + [--key /path/to/content.key] +``` + +Passing `--key` enables full-decrypt verification; omitting it only +checks manifest structure and signature. + +### `m2pack diff` + +Diff two directories and/or `.m2p` archives. Either side can be a +directory or an archive; m2pack figures it out. + +``` +metin-release m2pack diff --left /old --right /new.m2p +``` + +The wrapper promotes m2pack's added/removed/changed/unchanged counts +into `data.stats` when available. + +### `m2pack export-runtime-key` + +Export a launcher runtime-key payload (json or raw blob) from a master +content key + signing public key. Used to seed the launcher's bundled +runtime-key file during release workflows. + +``` +metin-release m2pack export-runtime-key \ + --key /path/to/content.key \ + --public-key /path/to/signing.pub \ + --output /path/to/runtime-key.json \ + [--key-id N] [--format json|blob] +``` + +See `docs/key-rotation.md` in `m2pack-secure` for when to re-export +runtime keys. +