@enactprotocol/cli 2.0.3 → 2.0.5

package/dist/utils/auth.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Auth utilities shared across commands
+ */
+/**
+ * Get the current authenticated username
+ * Returns null if not authenticated or username cannot be determined
+ */
+export declare function getCurrentUsername(): Promise<string | null>;
+/**
+ * Extract namespace from a tool name
+ * e.g., "alice/utils/greeter" -> "alice"
+ */
+export declare function extractNamespace(toolName: string): string;
+//# sourceMappingURL=auth.d.ts.map

package/dist/utils/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/utils/auth.ts"],"names":[],"mappings":"AAAA;;GAEG;AAcH;;;GAGG;AACH,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAyDjE;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAGzD"}

package/dist/utils/auth.js

@@ -0,0 +1,64 @@
+/**
+ * Auth utilities shared across commands
+ */
+import { getSecret } from "@enactprotocol/secrets";
+/** Namespace for storing auth tokens in keyring */
+const AUTH_NAMESPACE = "enact:auth";
+const ACCESS_TOKEN_KEY = "access_token";
+/** Supabase configuration */
+const SUPABASE_URL = process.env.SUPABASE_URL || "https://siikwkfgsmouioodghho.supabase.co";
+const SUPABASE_ANON_KEY = process.env.SUPABASE_ANON_KEY ??
+    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InNpaWt3a2Znc21vdWlvb2RnaGhvIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NjQ2MTkzMzksImV4cCI6MjA4MDE5NTMzOX0.kxnx6-IPFhmGx6rzNx36vbyhFMFZKP_jFqaDbKnJ_E0";
+/**
+ * Get the current authenticated username
+ * Returns null if not authenticated or username cannot be determined
+ */
+export async function getCurrentUsername() {
+    const token = await getSecret(AUTH_NAMESPACE, ACCESS_TOKEN_KEY);
+    if (!token) {
+        return null;
+    }
+    try {
+        // Get user info from Supabase
+        const userResponse = await fetch(`${SUPABASE_URL}/auth/v1/user`, {
+            headers: {
+                Authorization: `Bearer ${token}`,
+                apikey: SUPABASE_ANON_KEY,
+            },
+        });
+        if (!userResponse.ok) {
+            return null;
+        }
+        const user = (await userResponse.json());
+        // Get profile from database for definitive username
+        const profileResponse = await fetch(`${SUPABASE_URL}/rest/v1/profiles?id=eq.${user.id}&select=username`, {
+            headers: {
+                Authorization: `Bearer ${token}`,
+                apikey: SUPABASE_ANON_KEY,
+            },
+        });
+        if (profileResponse.ok) {
+            const profiles = (await profileResponse.json());
+            if (profiles[0]?.username) {
+                return profiles[0].username;
+            }
+        }
+        // Fall back to user metadata
+        return (user.user_metadata?.username ||
+            user.user_metadata?.user_name ||
+            user.email?.split("@")[0] ||
+            null);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Extract namespace from a tool name
+ * e.g., "alice/utils/greeter" -> "alice"
+ */
+export function extractNamespace(toolName) {
+    const parts = toolName.split("/");
+    return parts[0] ?? "";
+}
+//# sourceMappingURL=auth.js.map

package/dist/utils/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/utils/auth.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAEnD,mDAAmD;AACnD,MAAM,cAAc,GAAG,YAAY,CAAC;AACpC,MAAM,gBAAgB,GAAG,cAAc,CAAC;AAExC,6BAA6B;AAC7B,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,0CAA0C,CAAC;AAC5F,MAAM,iBAAiB,GACrB,OAAO,CAAC,GAAG,CAAC,iBAAiB;IAC7B,kNAAkN,CAAC;AAErN;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB;IACtC,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,cAAc,EAAE,gBAAgB,CAAC,CAAC;IAChE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,8BAA8B;QAC9B,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,GAAG,YAAY,eAAe,EAAE;YAC/D,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,MAAM,EAAE,iBAAiB;aAC1B;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC;YACrB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,YAAY,CAAC,IAAI,EAAE,CAQtC,CAAC;QAEF,oDAAoD;QACpD,MAAM,eAAe,GAAG,MAAM,KAAK,CACjC,GAAG,YAAY,2BAA2B,IAAI,CAAC,EAAE,kBAAkB,EACnE;YACE,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,MAAM,EAAE,iBAAiB;aAC1B;SACF,CACF,CAAC;QAEF,IAAI,eAAe,CAAC,EAAE,EAAE,CAAC;YACvB,MAAM,QAAQ,GAAG,CAAC,MAAM,eAAe,CAAC,IAAI,EAAE,CAAgC,CAAC;YAC/E,IAAI,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC;gBAC1B,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;YAC9B,CAAC;QACH,CAAC;QAED,6BAA6B;QAC7B,OAAO,CACL,IAAI,CAAC,aAAa,EAAE,QAAQ;YAC5B,IAAI,CAAC,aAAa,EAAE,SAAS;YAC7B,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACzB,IAAI,CACL,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAgB;IAC/C,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,OAAO,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;AACxB,CAAC"}

package/dist/utils/index.d.ts

@@ -5,4 +5,5 @@ export { colors, symbols, success, error, warning, info, dim, newline, header, k
 export { createSpinner, withSpinner, intro, outro, confirm, text, password, select, isCancel, cancel, log, logInfo, logSuccess, logWarning, logError, logStep, type SpinnerInstance, } from "./spinner";
 export { EXIT_SUCCESS, EXIT_FAILURE, EXIT_USAGE, EXIT_DATAERR, EXIT_NOINPUT, EXIT_NOUSER, EXIT_NOHOST, EXIT_UNAVAILABLE, EXIT_SOFTWARE, EXIT_OSERR, EXIT_OSFILE, EXIT_CANTCREAT, EXIT_IOERR, EXIT_TEMPFAIL, EXIT_PROTOCOL, EXIT_NOPERM, EXIT_CONFIG, EXIT_TOOL_NOT_FOUND, EXIT_MANIFEST_ERROR, EXIT_EXECUTION_ERROR, EXIT_TIMEOUT, EXIT_TRUST_ERROR, EXIT_REGISTRY_ERROR, EXIT_AUTH_ERROR, EXIT_VALIDATION_ERROR, EXIT_NETWORK_ERROR, EXIT_CONTAINER_ERROR, getExitCodeDescription, exit, exitSuccess, exitFailure, } from "./exit-codes";
 export { CliError, ToolNotFoundError, ManifestError, ValidationError, AuthError, NetworkError, RegistryError, TrustError, TimeoutError, ExecutionError, ContainerError, FileNotFoundError, PermissionError, ConfigError, UsageError, handleError, withErrorHandling, categorizeError, ErrorMessages, printErrorWithSuggestions, } from "./errors";
+export { getCurrentUsername, extractNamespace } from "./auth";
 //# sourceMappingURL=index.d.ts.map

package/dist/utils/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EACL,MAAM,EACN,OAAO,EACP,OAAO,EACP,KAAK,EACL,OAAO,EACP,IAAI,EACJ,GAAG,EACH,OAAO,EACP,MAAM,EACN,QAAQ,EACR,QAAQ,EACR,KAAK,EACL,IAAI,EACJ,WAAW,EACX,WAAW,EACX,gBAAgB,EAChB,OAAO,EACP,MAAM,EACN,SAAS,EACT,KAAK,WAAW,GACjB,MAAM,UAAU,CAAC;AAGlB,OAAO,EACL,aAAa,EACb,WAAW,EACX,KAAK,EACL,KAAK,EACL,OAAO,EACP,IAAI,EACJ,QAAQ,EACR,MAAM,EACN,QAAQ,EACR,MAAM,EACN,GAAG,EACH,OAAO,EACP,UAAU,EACV,UAAU,EACV,QAAQ,EACR,OAAO,EACP,KAAK,eAAe,GACrB,MAAM,WAAW,CAAC;AAGnB,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,UAAU,EACV,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,WAAW,EACX,gBAAgB,EAChB,aAAa,EACb,UAAU,EACV,WAAW,EACX,cAAc,EACd,UAAU,EACV,aAAa,EACb,aAAa,EACb,WAAW,EACX,WAAW,EACX,mBAAmB,EACnB,mBAAmB,EACnB,oBAAoB,EACpB,YAAY,EACZ,gBAAgB,EAChB,mBAAmB,EACnB,eAAe,EACf,qBAAqB,EACrB,kBAAkB,EAClB,oBAAoB,EACpB,sBAAsB,EACtB,IAAI,EACJ,WAAW,EACX,WAAW,GACZ,MAAM,cAAc,CAAC;AAGtB,OAAO,EACL,QAAQ,EACR,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,SAAS,EACT,YAAY,EACZ,aAAa,EACb,UAAU,EACV,YAAY,EACZ,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,eAAe,EACf,WAAW,EACX,UAAU,EACV,WAAW,EACX,iBAAiB,EACjB,eAAe,EACf,aAAa,EACb,yBAAyB,GAC1B,MAAM,UAAU,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EACL,MAAM,EACN,OAAO,EACP,OAAO,EACP,KAAK,EACL,OAAO,EACP,IAAI,EACJ,GAAG,EACH,OAAO,EACP,MAAM,EACN,QAAQ,EACR,QAAQ,EACR,KAAK,EACL,IAAI,EACJ,WAAW,EACX,WAAW,EACX,gBAAgB,EAChB,OAAO,EACP,MAAM,EACN,SAAS,EACT,KAAK,WAAW,GACjB,MAAM,UAAU,CAAC;AAGlB,OAAO,EACL,aAAa,EACb,WAAW,EACX,KAAK,EACL,KAAK,EACL,OAAO,EACP,IAAI,EACJ,QAAQ,EACR,MAAM,EACN,QAAQ,EACR,MAAM,EACN,GAAG,EACH,OAAO,EACP,UAAU,EACV,UAAU,EACV,QAAQ,EACR,OAAO,EACP,KAAK,eAAe,GACrB,MAAM,WAAW,CAAC;AAGnB,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,UAAU,EACV,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,WAAW,EACX,gBAAgB,EAChB,aAAa,EACb,UAAU,EACV,WAAW,EACX,cAAc,EACd,UAAU,EACV,aAAa,EACb,aAAa,EACb,WAAW,EACX,WAAW,EACX,mBAAmB,EACnB,mBAAmB,EACnB,oBAAoB,EACpB,YAAY,EACZ,gBAAgB,EAChB,mBAAmB,EACnB,eAAe,EACf,qBAAqB,EACrB,kBAAkB,EAClB,oBAAoB,EACpB,sBAAsB,EACtB,IAAI,EACJ,WAAW,EACX,WAAW,GACZ,MAAM,cAAc,CAAC;AAGtB,OAAO,EACL,QAAQ,EACR,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,SAAS,EACT,YAAY,EACZ,aAAa,EACb,UAAU,EACV,YAAY,EACZ,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,eAAe,EACf,WAAW,EACX,UAAU,EACV,WAAW,EACX,iBAAiB,EACjB,eAAe,EACf,aAAa,EACb,yBAAyB,GAC1B,MAAM,UAAU,CAAC;AAGlB,OAAO,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,QAAQ,CAAC"}

package/dist/utils/index.js

@@ -9,4 +9,6 @@ export { createSpinner, withSpinner, intro, outro, confirm, text, password, sele
 export { EXIT_SUCCESS, EXIT_FAILURE, EXIT_USAGE, EXIT_DATAERR, EXIT_NOINPUT, EXIT_NOUSER, EXIT_NOHOST, EXIT_UNAVAILABLE, EXIT_SOFTWARE, EXIT_OSERR, EXIT_OSFILE, EXIT_CANTCREAT, EXIT_IOERR, EXIT_TEMPFAIL, EXIT_PROTOCOL, EXIT_NOPERM, EXIT_CONFIG, EXIT_TOOL_NOT_FOUND, EXIT_MANIFEST_ERROR, EXIT_EXECUTION_ERROR, EXIT_TIMEOUT, EXIT_TRUST_ERROR, EXIT_REGISTRY_ERROR, EXIT_AUTH_ERROR, EXIT_VALIDATION_ERROR, EXIT_NETWORK_ERROR, EXIT_CONTAINER_ERROR, getExitCodeDescription, exit, exitSuccess, exitFailure, } from "./exit-codes";
 // Error handling
 export { CliError, ToolNotFoundError, ManifestError, ValidationError, AuthError, NetworkError, RegistryError, TrustError, TimeoutError, ExecutionError, ContainerError, FileNotFoundError, PermissionError, ConfigError, UsageError, handleError, withErrorHandling, categorizeError, ErrorMessages, printErrorWithSuggestions, } from "./errors";
+// Auth utilities
+export { getCurrentUsername, extractNamespace } from "./auth";
 //# sourceMappingURL=index.js.map

package/dist/utils/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,oBAAoB;AACpB,OAAO,EACL,MAAM,EACN,OAAO,EACP,OAAO,EACP,KAAK,EACL,OAAO,EACP,IAAI,EACJ,GAAG,EACH,OAAO,EACP,MAAM,EACN,QAAQ,EACR,QAAQ,EACR,KAAK,EACL,IAAI,EACJ,WAAW,EACX,WAAW,EACX,gBAAgB,EAChB,OAAO,EACP,MAAM,EACN,SAAS,GAEV,MAAM,UAAU,CAAC;AAElB,sBAAsB;AACtB,OAAO,EACL,aAAa,EACb,WAAW,EACX,KAAK,EACL,KAAK,EACL,OAAO,EACP,IAAI,EACJ,QAAQ,EACR,MAAM,EACN,QAAQ,EACR,MAAM,EACN,GAAG,EACH,OAAO,EACP,UAAU,EACV,UAAU,EACV,QAAQ,EACR,OAAO,GAER,MAAM,WAAW,CAAC;AAEnB,aAAa;AACb,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,UAAU,EACV,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,WAAW,EACX,gBAAgB,EAChB,aAAa,EACb,UAAU,EACV,WAAW,EACX,cAAc,EACd,UAAU,EACV,aAAa,EACb,aAAa,EACb,WAAW,EACX,WAAW,EACX,mBAAmB,EACnB,mBAAmB,EACnB,oBAAoB,EACpB,YAAY,EACZ,gBAAgB,EAChB,mBAAmB,EACnB,eAAe,EACf,qBAAqB,EACrB,kBAAkB,EAClB,oBAAoB,EACpB,sBAAsB,EACtB,IAAI,EACJ,WAAW,EACX,WAAW,GACZ,MAAM,cAAc,CAAC;AAEtB,iBAAiB;AACjB,OAAO,EACL,QAAQ,EACR,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,SAAS,EACT,YAAY,EACZ,aAAa,EACb,UAAU,EACV,YAAY,EACZ,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,eAAe,EACf,WAAW,EACX,UAAU,EACV,WAAW,EACX,iBAAiB,EACjB,eAAe,EACf,aAAa,EACb,yBAAyB,GAC1B,MAAM,UAAU,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,oBAAoB;AACpB,OAAO,EACL,MAAM,EACN,OAAO,EACP,OAAO,EACP,KAAK,EACL,OAAO,EACP,IAAI,EACJ,GAAG,EACH,OAAO,EACP,MAAM,EACN,QAAQ,EACR,QAAQ,EACR,KAAK,EACL,IAAI,EACJ,WAAW,EACX,WAAW,EACX,gBAAgB,EAChB,OAAO,EACP,MAAM,EACN,SAAS,GAEV,MAAM,UAAU,CAAC;AAElB,sBAAsB;AACtB,OAAO,EACL,aAAa,EACb,WAAW,EACX,KAAK,EACL,KAAK,EACL,OAAO,EACP,IAAI,EACJ,QAAQ,EACR,MAAM,EACN,QAAQ,EACR,MAAM,EACN,GAAG,EACH,OAAO,EACP,UAAU,EACV,UAAU,EACV,QAAQ,EACR,OAAO,GAER,MAAM,WAAW,CAAC;AAEnB,aAAa;AACb,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,UAAU,EACV,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,WAAW,EACX,gBAAgB,EAChB,aAAa,EACb,UAAU,EACV,WAAW,EACX,cAAc,EACd,UAAU,EACV,aAAa,EACb,aAAa,EACb,WAAW,EACX,WAAW,EACX,mBAAmB,EACnB,mBAAmB,EACnB,oBAAoB,EACpB,YAAY,EACZ,gBAAgB,EAChB,mBAAmB,EACnB,eAAe,EACf,qBAAqB,EACrB,kBAAkB,EAClB,oBAAoB,EACpB,sBAAsB,EACtB,IAAI,EACJ,WAAW,EACX,WAAW,GACZ,MAAM,cAAc,CAAC;AAEtB,iBAAiB;AACjB,OAAO,EACL,QAAQ,EACR,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,SAAS,EACT,YAAY,EACZ,aAAa,EACb,UAAU,EACV,YAAY,EACZ,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,eAAe,EACf,WAAW,EACX,UAAU,EACV,WAAW,EACX,iBAAiB,EACjB,eAAe,EACf,aAAa,EACb,yBAAyB,GAC1B,MAAM,UAAU,CAAC;AAElB,iBAAiB;AACjB,OAAO,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,QAAQ,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@enactprotocol/cli",
-  "version": "2.0.3",
+  "version": "2.0.5",
   "description": "Command-line interface for Enact - the npm for AI tools",
   "type": "module",
   "main": "./dist/index.js",
@@ -34,10 +34,10 @@
   },
   "dependencies": {
     "@clack/prompts": "^0.11.0",
-    "@enactprotocol/api": "2.0.3",
-    "@enactprotocol/execution": "2.0.3",
-    "@enactprotocol/secrets": "2.0.3",
-    "@enactprotocol/shared": "2.0.3",
+    "@enactprotocol/api": "2.0.5",
+    "@enactprotocol/execution": "2.0.5",
+    "@enactprotocol/secrets": "2.0.5",
+    "@enactprotocol/shared": "2.0.5",
     "commander": "^12.1.0",
     "picocolors": "^1.1.1"
   },

package/src/commands/get/index.ts

@@ -27,7 +27,7 @@ import {
 } from "../../utils";
 
 interface GetOptions extends GlobalOptions {
-  version?: string;
+  ver?: string;
 }
 
 /**
@@ -65,7 +65,7 @@ function displayToolInfo(tool: ToolInfo, options: GetOptions): void {
   }
 
   newline();
-  keyValue("Available Versions", tool.versions.join(", "));
+  keyValue("Available Versions", tool.versions.map((v) => v.version).join(", "));
 
   if (options.verbose) {
     newline();
@@ -129,9 +129,9 @@ async function getHandler(
   }
 
   try {
-    if (options.version) {
+    if (options.ver) {
       // Get specific version info
-      const versionInfo = await getToolVersion(client, toolName, options.version);
+      const versionInfo = await getToolVersion(client, toolName, options.ver);
 
       if (options.json) {
         json(versionInfo);
@@ -177,7 +177,7 @@ export function configureGetCommand(program: Command): void {
     .command("get <tool>")
     .alias("info")
     .description("Show detailed information about a tool")
-    .option("-V, --version <version>", "Show info for a specific version")
+    .option("--ver <version>", "Show info for a specific version")
     .option("-v, --verbose", "Show detailed output")
     .option("--json", "Output as JSON")
     .action(async (toolName: string, options: GetOptions) => {

package/src/commands/publish/index.ts

@@ -21,7 +21,9 @@ import type { CommandContext, GlobalOptions } from "../../types";
 import {
   dim,
   error,
+  extractNamespace,
   formatError,
+  getCurrentUsername,
   header,
   info,
   json,
@@ -208,6 +210,27 @@ async function publishHandler(
   }
   newline();
 
+  // Pre-flight namespace check (skip in local dev mode)
+  if (!options.skipAuth) {
+    const currentUsername = await getCurrentUsername();
+    if (currentUsername) {
+      const toolNamespace = extractNamespace(toolName);
+      if (toolNamespace !== currentUsername) {
+        error(
+          `Namespace mismatch: Tool namespace "${toolNamespace}" does not match your username "${currentUsername}".`
+        );
+        newline();
+        dim("You can only publish tools under your own namespace.");
+        dim("Either:");
+        dim(
+          `  1. Change the tool name to "${currentUsername}/${toolName.split("/").slice(1).join("/")}" in your enact.md`
+        );
+        dim(`  2. Or login as a user with the "${toolNamespace}" username`);
+        process.exit(1);
+      }
+    }
+  }
+
   // Get registry URL from config or environment
   const config = loadConfig();
   const registryUrl =

package/src/commands/run/index.ts

@@ -186,7 +186,16 @@ async function fetchAndCacheTool(
     process.env.ENACT_REGISTRY_URL ??
     config.registry?.url ??
     "https://siikwkfgsmouioodghho.supabase.co/functions/v1";
-  const client = createApiClient({ baseUrl: registryUrl });
+
+  // Get auth token - use user token if available, otherwise use anon key for public access
+  let authToken = config.registry?.authToken ?? process.env.ENACT_AUTH_TOKEN;
+  if (!authToken && registryUrl.includes("siikwkfgsmouioodghho.supabase.co")) {
+    // Use the official Supabase anon key for unauthenticated access
+    authToken =
+      "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InNpaWt3a2Znc21vdWlvb2RnaGhvIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NjQ2MTkzMzksImV4cCI6MjA4MDE5NTMzOX0.kxnx6-IPFhmGx6rzNx36vbyhFMFZKP_jFqaDbKnJ_E0";
+  }
+
+  const client = createApiClient({ baseUrl: registryUrl, authToken });
 
   // Get tool info to find latest version or use requested version
   const toolInfo = await getToolInfo(client, toolName);

package/src/commands/search/index.ts

@@ -32,6 +32,7 @@ interface SearchOptions extends GlobalOptions {
   tags?: string;
   limit?: string;
   offset?: string;
+  threshold?: string;
   local?: boolean;
   global?: boolean;
 }
@@ -229,7 +230,15 @@ async function searchHandler(
     process.env.ENACT_REGISTRY_URL ??
     config.registry?.url ??
     "https://siikwkfgsmouioodghho.supabase.co/functions/v1";
-  const authToken = config.registry?.authToken;
+
+  // Get auth token - use user token if available, otherwise use anon key for public access
+  let authToken = config.registry?.authToken ?? process.env.ENACT_AUTH_TOKEN;
+  if (!authToken && registryUrl.includes("siikwkfgsmouioodghho.supabase.co")) {
+    // Use the official Supabase anon key for unauthenticated access
+    authToken =
+      "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InNpaWt3a2Znc21vdWlvb2RnaGhvIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NjQ2MTkzMzksImV4cCI6MjA4MDE5NTMzOX0.kxnx6-IPFhmGx6rzNx36vbyhFMFZKP_jFqaDbKnJ_E0";
+  }
+
   const client = createApiClient({
     baseUrl: registryUrl,
     authToken: authToken,
@@ -237,12 +246,16 @@ async function searchHandler(
 
   const limit = options.limit ? Number.parseInt(options.limit, 10) : 20;
   const offset = options.offset ? Number.parseInt(options.offset, 10) : 0;
+  const threshold = options.threshold ? Number.parseFloat(options.threshold) : undefined;
 
   if (ctx.options.verbose) {
     info(`Searching for: "${query}"`);
     if (options.tags) {
       info(`Tags: ${options.tags}`);
     }
+    if (threshold !== undefined) {
+      info(`Similarity threshold: ${threshold}`);
+    }
   }
 
   try {
@@ -251,8 +264,16 @@ async function searchHandler(
       tags: options.tags,
       limit,
       offset,
+      threshold,
     });
 
+    // Show search type in verbose mode
+    if (ctx.options.verbose && response.searchType) {
+      const searchTypeLabel =
+        response.searchType === "hybrid" ? "semantic + text (hybrid)" : "text only (no OpenAI key)";
+      info(`Search mode: ${searchTypeLabel}`);
+    }
+
     // JSON output
     if (options.json) {
       json({
@@ -262,6 +283,7 @@ async function searchHandler(
         limit: response.limit,
         offset: response.offset,
         hasMore: response.hasMore,
+        searchType: response.searchType,
       });
       return;
     }
@@ -269,6 +291,9 @@ async function searchHandler(
     // No results
     if (response.results.length === 0) {
       info(`No tools found matching "${query}"`);
+      if (response.searchType === "text") {
+        dim("Note: Semantic search unavailable (OpenAI key not configured on server)");
+      }
       dim("Try a different search term or remove tag filters");
       return;
     }
@@ -348,6 +373,10 @@ export function configureSearchCommand(program: Command): void {
     .option("-t, --tags <tags>", "Filter by tags (comma-separated, registry only)")
     .option("-l, --limit <number>", "Maximum results to return (default: 20, registry only)")
     .option("-o, --offset <number>", "Pagination offset (default: 0, registry only)")
+    .option(
+      "--threshold <number>",
+      "Similarity threshold for semantic search (0.0-1.0, default: 0.1)"
+    )
     .option("-v, --verbose", "Show detailed output")
     .option("--json", "Output as JSON")
     .action(async (query: string, options: SearchOptions) => {

package/src/commands/sign/index.ts

@@ -12,11 +12,7 @@
 
 import { readFileSync, writeFileSync } from "node:fs";
 import { dirname, join, resolve } from "node:path";
-import {
-  createApiClient,
-  getToolVersion,
-  submitAttestation as submitAttestationToRegistry,
-} from "@enactprotocol/api";
+import { createApiClient, getToolVersion, submitAttestationToRegistry } from "@enactprotocol/api";
 import { getSecret } from "@enactprotocol/secrets";
 import {
   addTrustedAuditor,
@@ -31,6 +27,7 @@ import {
   type EnactToolAttestationOptions,
   type SigstoreBundle,
   createEnactToolStatement,
+  extractCertificateFromBundle,
   signAttestation,
 } from "@enactprotocol/trust";
 import type { Command } from "commander";
@@ -160,7 +157,8 @@ function displayDryRun(
  */
 async function promptAddToTrustList(
   auditorEmail: string,
-  isInteractive: boolean
+  isInteractive: boolean,
+  issuer?: string
 ): Promise<boolean> {
   if (!isInteractive) {
     return false;
@@ -168,7 +166,8 @@ async function promptAddToTrustList(
 
   try {
     // Convert email to provider:identity format (e.g., github:alice)
-    const providerIdentity = emailToProviderIdentity(auditorEmail);
+    // Pass the issuer so we can correctly determine the provider
+    const providerIdentity = emailToProviderIdentity(auditorEmail, issuer);
 
     // Check if already in local trust list
     const trustedAuditors = getTrustedAuditors();
@@ -387,11 +386,12 @@ async function signRemoteTool(
     const attestationResult = await withSpinner(
       "Submitting attestation to registry...",
       async () => {
-        return await submitAttestationToRegistry(client, {
-          name: toolInfo.name,
-          version: toolInfo.version,
-          sigstoreBundle: result.bundle as unknown as Record<string, unknown>,
-        });
+        return await submitAttestationToRegistry(
+          client,
+          toolInfo.name,
+          toolInfo.version,
+          result.bundle as unknown as Record<string, unknown>
+        );
       }
     );
 
@@ -402,9 +402,11 @@ async function signRemoteTool(
       keyValue("Rekor log index", String(attestationResult.rekorLogIndex));
     }
 
-    // Prompt to add to trust list
+    // Prompt to add to trust list - extract issuer from bundle for correct identity format
     if (_ctx.isInteractive && !options.json) {
-      await promptAddToTrustList(attestationResult.auditor, _ctx.isInteractive);
+      const certificate = extractCertificateFromBundle(result.bundle);
+      const issuer = certificate?.identity?.issuer;
+      await promptAddToTrustList(attestationResult.auditor, _ctx.isInteractive, issuer);
     }
 
     if (options.json) {
@@ -446,6 +448,28 @@ async function signLocalTool(
 
   const manifest = loaded.manifest;
 
+  // Warn about local signing workflow - attestation hash won't match published bundle
+  if (_ctx.isInteractive && !options.dryRun) {
+    newline();
+    warning("Local signing creates an attestation for the manifest content hash.");
+    dim("If you plan to publish this tool, the published bundle will have a different hash.");
+    dim("The attestation won't match and verification will fail.");
+    newline();
+    info("Recommended workflow:");
+    dim(`  1. ${colors.command(`enact publish ${pathArg}`)}     # Publish first`);
+    dim(
+      `  2. ${colors.command(`enact sign ${manifest.name}@${manifest.version ?? "1.0.0"}`)}  # Then sign the published version`
+    );
+    newline();
+
+    const shouldContinue = await confirm("Continue with local signing anyway?", false);
+    if (!shouldContinue) {
+      info("Signing cancelled. Use the recommended workflow above.");
+      return;
+    }
+    newline();
+  }
+
   // Validate manifest
   const validation = validateManifest(manifest);
   if (!validation.valid && validation.errors) {
@@ -562,11 +586,12 @@ async function signLocalTool(
           "Submitting attestation to registry...",
           async () => {
             // Submit the Sigstore bundle directly (v2 API)
-            return await submitAttestationToRegistry(client, {
-              name: manifest.name,
-              version: manifest.version ?? "1.0.0",
-              sigstoreBundle: result.bundle as unknown as Record<string, unknown>,
-            });
+            return await submitAttestationToRegistry(
+              client,
+              manifest.name,
+              manifest.version ?? "1.0.0",
+              result.bundle as unknown as Record<string, unknown>
+            );
           }
         );
 
@@ -576,8 +601,11 @@ async function signLocalTool(
         };
 
         // Prompt to add auditor to trust list (if interactive and not in JSON mode)
+        // Extract issuer from bundle for correct identity format
         if (!options.json && _ctx.isInteractive) {
-          await promptAddToTrustList(attestationResult.auditor, _ctx.isInteractive);
+          const certificate = extractCertificateFromBundle(result.bundle);
+          const issuer = certificate?.identity?.issuer;
+          await promptAddToTrustList(attestationResult.auditor, _ctx.isInteractive, issuer);
         }
       } catch (err) {
         warning("Failed to submit attestation to registry");

package/src/index.ts

@@ -32,7 +32,7 @@ import {
 } from "./commands";
 import { error, formatError } from "./utils";
 
-export const version = "2.0.3";
+export const version = "2.0.5";
 
 // Export types for external use
 export type { GlobalOptions, CommandContext } from "./types";
@@ -47,9 +47,7 @@ async function main() {
   program
     .name("enact")
     .description("Enact - Verified, portable protocol for AI-executable tools")
-    .version(version)
-    .option("--json", "Output as JSON")
-    .option("-v, --verbose", "Enable verbose output");
+    .version(version);
 
   // Configure all commands
   configureSetupCommand(program);

package/src/utils/auth.ts

@@ -0,0 +1,87 @@
+/**
+ * Auth utilities shared across commands
+ */
+
+import { getSecret } from "@enactprotocol/secrets";
+
+/** Namespace for storing auth tokens in keyring */
+const AUTH_NAMESPACE = "enact:auth";
+const ACCESS_TOKEN_KEY = "access_token";
+
+/** Supabase configuration */
+const SUPABASE_URL = process.env.SUPABASE_URL || "https://siikwkfgsmouioodghho.supabase.co";
+const SUPABASE_ANON_KEY =
+  process.env.SUPABASE_ANON_KEY ??
+  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InNpaWt3a2Znc21vdWlvb2RnaGhvIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NjQ2MTkzMzksImV4cCI6MjA4MDE5NTMzOX0.kxnx6-IPFhmGx6rzNx36vbyhFMFZKP_jFqaDbKnJ_E0";
+
+/**
+ * Get the current authenticated username
+ * Returns null if not authenticated or username cannot be determined
+ */
+export async function getCurrentUsername(): Promise<string | null> {
+  const token = await getSecret(AUTH_NAMESPACE, ACCESS_TOKEN_KEY);
+  if (!token) {
+    return null;
+  }
+
+  try {
+    // Get user info from Supabase
+    const userResponse = await fetch(`${SUPABASE_URL}/auth/v1/user`, {
+      headers: {
+        Authorization: `Bearer ${token}`,
+        apikey: SUPABASE_ANON_KEY,
+      },
+    });
+
+    if (!userResponse.ok) {
+      return null;
+    }
+
+    const user = (await userResponse.json()) as {
+      id: string;
+      email?: string;
+      user_metadata?: {
+        user_name?: string;
+        username?: string;
+        full_name?: string;
+      };
+    };
+
+    // Get profile from database for definitive username
+    const profileResponse = await fetch(
+      `${SUPABASE_URL}/rest/v1/profiles?id=eq.${user.id}&select=username`,
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          apikey: SUPABASE_ANON_KEY,
+        },
+      }
+    );
+
+    if (profileResponse.ok) {
+      const profiles = (await profileResponse.json()) as Array<{ username: string }>;
+      if (profiles[0]?.username) {
+        return profiles[0].username;
+      }
+    }
+
+    // Fall back to user metadata
+    return (
+      user.user_metadata?.username ||
+      user.user_metadata?.user_name ||
+      user.email?.split("@")[0] ||
+      null
+    );
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Extract namespace from a tool name
+ * e.g., "alice/utils/greeter" -> "alice"
+ */
+export function extractNamespace(toolName: string): string {
+  const parts = toolName.split("/");
+  return parts[0] ?? "";
+}

package/src/utils/index.ts

@@ -105,3 +105,6 @@ export {
   ErrorMessages,
   printErrorWithSuggestions,
 } from "./errors";
+
+// Auth utilities
+export { getCurrentUsername, extractNamespace } from "./auth";

package/tests/commands/get.test.ts

@@ -42,24 +42,26 @@ describe("get command", () => {
       expect(args[0]?.name()).toBe("tool");
     });
 
-    test("has --version option", () => {
+    test("has --ver option for specifying version", () => {
       const program = new Command();
       configureGetCommand(program);
 
       const getCmd = program.commands.find((cmd) => cmd.name() === "get");
       const opts = getCmd?.options ?? [];
-      const versionOpt = opts.find((o) => o.long === "--version");
-      expect(versionOpt).toBeDefined();
+      const verOpt = opts.find((o) => o.long === "--ver");
+      expect(verOpt).toBeDefined();
     });
 
-    test("has -v short option for version", () => {
+    test("has -v short option for verbose (not version)", () => {
       const program = new Command();
       configureGetCommand(program);
 
       const getCmd = program.commands.find((cmd) => cmd.name() === "get");
       const opts = getCmd?.options ?? [];
-      const versionOpt = opts.find((o) => o.short === "-v");
-      expect(versionOpt).toBeDefined();
+      // -v is for verbose, not version (--ver is for version)
+      const verboseOpt = opts.find((o) => o.short === "-v");
+      expect(verboseOpt).toBeDefined();
+      expect(verboseOpt?.long).toBe("--verbose");
     });
 
     test("has --json option", () => {