# m2pack-secure

CLI-first archive builder for a modern Metin2 client pack pipeline.

It is designed as a replacement for legacy EterPack tooling when you control the
client source and want a format that is easier to automate and harder to tamper
with.

## Goals

- CLI workflow first, no GUI dependency
- deterministic manifest layout for automation
- `zstd` compression
- `XChaCha20-Poly1305` authenticated encryption per file
- `Ed25519` signed manifest for tamper detection
- JSON output for AI agents and automation

## Current commands

- `m2pack keygen`
- `m2pack build`
- `m2pack list`
- `m2pack verify`
- `m2pack extract`
- `m2pack export-client-config`

## MCP Server

The repository also ships a Linux-friendly MCP server that wraps the `m2pack`
CLI for AI agents and automation.

Files:

- `mcp_server.mjs`
- `package.json`

Install:

```bash
npm install
```

Run:

```bash
node mcp_server.mjs
```

If the `m2pack` binary is not at `build/m2pack`, set:

```bash
export M2PACK_BINARY=/absolute/path/to/m2pack
```

Exposed tools:

- `pack_keygen`
- `pack_build`
- `pack_list`
- `pack_verify`
- `pack_extract`
- `pack_export_client_config`
- `pack_binary_info`

## Build

```bash
cmake -S . -B build
cmake --build build -j
```

## Quick start

Generate a master content key and signing keypair:

```bash
./build/m2pack keygen --out-dir keys --json
```

Build an archive from a client asset directory:

```bash
./build/m2pack build \
  --input /path/to/client/root \
  --output out/client.m2p \
  --key keys/master.key \
  --sign-secret-key keys/signing.key \
  --json
```

Verify the archive:

```bash
./build/m2pack verify \
  --archive out/client.m2p \
  --public-key keys/signing.pub \
  --key keys/master.key \
  --json
```

Extract:

```bash
./build/m2pack extract \
  --archive out/client.m2p \
  --output out/unpacked \
  --key keys/master.key
```

Export a client config header for `m2dev-client-src/src/PackLib/M2PackKeys.h`:

```bash
./build/m2pack export-client-config \
  --key keys/master.key \
  --public-key keys/signing.pub \
  --output /path/to/m2dev-client-src/src/PackLib/M2PackKeys.h
```

## Format summary

- Single archive file with a fixed header
- Binary manifest near the end of the file
- Signed manifest hash in the header
- Per-file random nonce
- Per-file AEAD ciphertext, authenticated with the relative file path

See [docs/format.md](docs/format.md) and
[docs/client-integration.md](docs/client-integration.md).