@enactprotocol/cli 2.0.4 → 2.0.5

package/src/commands/search/index.ts

@@ -32,6 +32,7 @@ interface SearchOptions extends GlobalOptions {
   tags?: string;
   limit?: string;
   offset?: string;
+  threshold?: string;
   local?: boolean;
   global?: boolean;
 }
@@ -229,7 +230,15 @@ async function searchHandler(
     process.env.ENACT_REGISTRY_URL ??
     config.registry?.url ??
     "https://siikwkfgsmouioodghho.supabase.co/functions/v1";
-  const authToken = config.registry?.authToken;
+
+  // Get auth token - use user token if available, otherwise use anon key for public access
+  let authToken = config.registry?.authToken ?? process.env.ENACT_AUTH_TOKEN;
+  if (!authToken && registryUrl.includes("siikwkfgsmouioodghho.supabase.co")) {
+    // Use the official Supabase anon key for unauthenticated access
+    authToken =
+      "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InNpaWt3a2Znc21vdWlvb2RnaGhvIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NjQ2MTkzMzksImV4cCI6MjA4MDE5NTMzOX0.kxnx6-IPFhmGx6rzNx36vbyhFMFZKP_jFqaDbKnJ_E0";
+  }
+
   const client = createApiClient({
     baseUrl: registryUrl,
     authToken: authToken,
@@ -237,12 +246,16 @@ async function searchHandler(
 
   const limit = options.limit ? Number.parseInt(options.limit, 10) : 20;
   const offset = options.offset ? Number.parseInt(options.offset, 10) : 0;
+  const threshold = options.threshold ? Number.parseFloat(options.threshold) : undefined;
 
   if (ctx.options.verbose) {
     info(`Searching for: "${query}"`);
     if (options.tags) {
       info(`Tags: ${options.tags}`);
     }
+    if (threshold !== undefined) {
+      info(`Similarity threshold: ${threshold}`);
+    }
   }
 
   try {
@@ -251,8 +264,16 @@ async function searchHandler(
       tags: options.tags,
       limit,
       offset,
+      threshold,
     });
 
+    // Show search type in verbose mode
+    if (ctx.options.verbose && response.searchType) {
+      const searchTypeLabel =
+        response.searchType === "hybrid" ? "semantic + text (hybrid)" : "text only (no OpenAI key)";
+      info(`Search mode: ${searchTypeLabel}`);
+    }
+
     // JSON output
     if (options.json) {
       json({
@@ -262,6 +283,7 @@ async function searchHandler(
         limit: response.limit,
         offset: response.offset,
         hasMore: response.hasMore,
+        searchType: response.searchType,
       });
       return;
     }
@@ -269,6 +291,9 @@ async function searchHandler(
     // No results
     if (response.results.length === 0) {
       info(`No tools found matching "${query}"`);
+      if (response.searchType === "text") {
+        dim("Note: Semantic search unavailable (OpenAI key not configured on server)");
+      }
       dim("Try a different search term or remove tag filters");
       return;
     }
@@ -348,6 +373,10 @@ export function configureSearchCommand(program: Command): void {
     .option("-t, --tags <tags>", "Filter by tags (comma-separated, registry only)")
     .option("-l, --limit <number>", "Maximum results to return (default: 20, registry only)")
     .option("-o, --offset <number>", "Pagination offset (default: 0, registry only)")
+    .option(
+      "--threshold <number>",
+      "Similarity threshold for semantic search (0.0-1.0, default: 0.1)"
+    )
     .option("-v, --verbose", "Show detailed output")
     .option("--json", "Output as JSON")
     .action(async (query: string, options: SearchOptions) => {

package/src/commands/sign/index.ts

@@ -12,11 +12,7 @@
 
 import { readFileSync, writeFileSync } from "node:fs";
 import { dirname, join, resolve } from "node:path";
-import {
-  createApiClient,
-  getToolVersion,
-  submitAttestation as submitAttestationToRegistry,
-} from "@enactprotocol/api";
+import { createApiClient, getToolVersion, submitAttestationToRegistry } from "@enactprotocol/api";
 import { getSecret } from "@enactprotocol/secrets";
 import {
   addTrustedAuditor,
@@ -31,6 +27,7 @@ import {
   type EnactToolAttestationOptions,
   type SigstoreBundle,
   createEnactToolStatement,
+  extractCertificateFromBundle,
   signAttestation,
 } from "@enactprotocol/trust";
 import type { Command } from "commander";
@@ -160,7 +157,8 @@ function displayDryRun(
  */
 async function promptAddToTrustList(
   auditorEmail: string,
-  isInteractive: boolean
+  isInteractive: boolean,
+  issuer?: string
 ): Promise<boolean> {
   if (!isInteractive) {
     return false;
@@ -168,7 +166,8 @@ async function promptAddToTrustList(
 
   try {
     // Convert email to provider:identity format (e.g., github:alice)
-    const providerIdentity = emailToProviderIdentity(auditorEmail);
+    // Pass the issuer so we can correctly determine the provider
+    const providerIdentity = emailToProviderIdentity(auditorEmail, issuer);
 
     // Check if already in local trust list
     const trustedAuditors = getTrustedAuditors();
@@ -387,11 +386,12 @@ async function signRemoteTool(
     const attestationResult = await withSpinner(
       "Submitting attestation to registry...",
       async () => {
-        return await submitAttestationToRegistry(client, {
-          name: toolInfo.name,
-          version: toolInfo.version,
-          sigstoreBundle: result.bundle as unknown as Record<string, unknown>,
-        });
+        return await submitAttestationToRegistry(
+          client,
+          toolInfo.name,
+          toolInfo.version,
+          result.bundle as unknown as Record<string, unknown>
+        );
       }
     );
 
@@ -402,9 +402,11 @@ async function signRemoteTool(
       keyValue("Rekor log index", String(attestationResult.rekorLogIndex));
     }
 
-    // Prompt to add to trust list
+    // Prompt to add to trust list - extract issuer from bundle for correct identity format
     if (_ctx.isInteractive && !options.json) {
-      await promptAddToTrustList(attestationResult.auditor, _ctx.isInteractive);
+      const certificate = extractCertificateFromBundle(result.bundle);
+      const issuer = certificate?.identity?.issuer;
+      await promptAddToTrustList(attestationResult.auditor, _ctx.isInteractive, issuer);
     }
 
     if (options.json) {
@@ -446,6 +448,28 @@ async function signLocalTool(
 
   const manifest = loaded.manifest;
 
+  // Warn about local signing workflow - attestation hash won't match published bundle
+  if (_ctx.isInteractive && !options.dryRun) {
+    newline();
+    warning("Local signing creates an attestation for the manifest content hash.");
+    dim("If you plan to publish this tool, the published bundle will have a different hash.");
+    dim("The attestation won't match and verification will fail.");
+    newline();
+    info("Recommended workflow:");
+    dim(`  1. ${colors.command(`enact publish ${pathArg}`)}     # Publish first`);
+    dim(
+      `  2. ${colors.command(`enact sign ${manifest.name}@${manifest.version ?? "1.0.0"}`)}  # Then sign the published version`
+    );
+    newline();
+
+    const shouldContinue = await confirm("Continue with local signing anyway?", false);
+    if (!shouldContinue) {
+      info("Signing cancelled. Use the recommended workflow above.");
+      return;
+    }
+    newline();
+  }
+
   // Validate manifest
   const validation = validateManifest(manifest);
   if (!validation.valid && validation.errors) {
@@ -562,11 +586,12 @@ async function signLocalTool(
           "Submitting attestation to registry...",
           async () => {
             // Submit the Sigstore bundle directly (v2 API)
-            return await submitAttestationToRegistry(client, {
-              name: manifest.name,
-              version: manifest.version ?? "1.0.0",
-              sigstoreBundle: result.bundle as unknown as Record<string, unknown>,
-            });
+            return await submitAttestationToRegistry(
+              client,
+              manifest.name,
+              manifest.version ?? "1.0.0",
+              result.bundle as unknown as Record<string, unknown>
+            );
           }
         );
 
@@ -576,8 +601,11 @@ async function signLocalTool(
         };
 
         // Prompt to add auditor to trust list (if interactive and not in JSON mode)
+        // Extract issuer from bundle for correct identity format
         if (!options.json && _ctx.isInteractive) {
-          await promptAddToTrustList(attestationResult.auditor, _ctx.isInteractive);
+          const certificate = extractCertificateFromBundle(result.bundle);
+          const issuer = certificate?.identity?.issuer;
+          await promptAddToTrustList(attestationResult.auditor, _ctx.isInteractive, issuer);
         }
       } catch (err) {
         warning("Failed to submit attestation to registry");

package/src/index.ts

@@ -32,7 +32,7 @@ import {
 } from "./commands";
 import { error, formatError } from "./utils";
 
-export const version = "2.0.4";
+export const version = "2.0.5";
 
 // Export types for external use
 export type { GlobalOptions, CommandContext } from "./types";
@@ -47,9 +47,7 @@ async function main() {
   program
     .name("enact")
     .description("Enact - Verified, portable protocol for AI-executable tools")
-    .version(version)
-    .option("--json", "Output as JSON")
-    .option("-v, --verbose", "Enable verbose output");
+    .version(version);
 
   // Configure all commands
   configureSetupCommand(program);

package/tests/commands/get.test.ts

@@ -42,24 +42,26 @@ describe("get command", () => {
       expect(args[0]?.name()).toBe("tool");
     });
 
-    test("has --version option", () => {
+    test("has --ver option for specifying version", () => {
       const program = new Command();
       configureGetCommand(program);
 
       const getCmd = program.commands.find((cmd) => cmd.name() === "get");
       const opts = getCmd?.options ?? [];
-      const versionOpt = opts.find((o) => o.long === "--version");
-      expect(versionOpt).toBeDefined();
+      const verOpt = opts.find((o) => o.long === "--ver");
+      expect(verOpt).toBeDefined();
     });
 
-    test("has -v short option for version", () => {
+    test("has -v short option for verbose (not version)", () => {
       const program = new Command();
       configureGetCommand(program);
 
       const getCmd = program.commands.find((cmd) => cmd.name() === "get");
       const opts = getCmd?.options ?? [];
-      const versionOpt = opts.find((o) => o.short === "-v");
-      expect(versionOpt).toBeDefined();
+      // -v is for verbose, not version (--ver is for version)
+      const verboseOpt = opts.find((o) => o.short === "-v");
+      expect(verboseOpt).toBeDefined();
+      expect(verboseOpt?.long).toBe("--verbose");
     });
 
     test("has --json option", () => {

package/tests/commands/sign.test.ts

@@ -161,4 +161,63 @@ command: "echo hello"
       expect(predicateType).toContain("tool");
     });
   });
+
+  describe("remote tool reference parsing", () => {
+    test("parses simple remote tool reference with version", () => {
+      const ref = "alice/greeter@1.2.0";
+      const atIndex = ref.lastIndexOf("@");
+      const name = ref.slice(0, atIndex);
+      const version = ref.slice(atIndex + 1);
+
+      expect(name).toBe("alice/greeter");
+      expect(version).toBe("1.2.0");
+    });
+
+    test("parses namespaced tool reference with version", () => {
+      const ref = "org/utils/greeter@2.0.0";
+      const atIndex = ref.lastIndexOf("@");
+      const name = ref.slice(0, atIndex);
+      const version = ref.slice(atIndex + 1);
+
+      expect(name).toBe("org/utils/greeter");
+      expect(version).toBe("2.0.0");
+    });
+
+    test("detects remote vs local tool reference", () => {
+      const isRemoteToolRef = (path: string): boolean => {
+        // Remote refs contain @ for version and don't start with . or /
+        return (
+          !path.startsWith(".") && !path.startsWith("/") && path.includes("@") && path.includes("/")
+        );
+      };
+
+      expect(isRemoteToolRef("alice/greeter@1.0.0")).toBe(true);
+      expect(isRemoteToolRef("./local-tool")).toBe(false);
+      expect(isRemoteToolRef("/absolute/path/tool")).toBe(false);
+      expect(isRemoteToolRef("examples/hello-python")).toBe(false);
+    });
+
+    test("requires version in remote tool reference", () => {
+      const hasVersion = (ref: string): boolean => {
+        return ref.includes("@") && ref.lastIndexOf("@") > 0;
+      };
+
+      expect(hasVersion("alice/greeter@1.0.0")).toBe(true);
+      expect(hasVersion("alice/greeter")).toBe(false);
+    });
+
+    test("validates semver version format", () => {
+      const isValidSemver = (version: string): boolean => {
+        const semverRegex = /^\d+\.\d+\.\d+(-[\w.]+)?(\+[\w.]+)?$/;
+        return semverRegex.test(version);
+      };
+
+      expect(isValidSemver("1.0.0")).toBe(true);
+      expect(isValidSemver("2.1.3")).toBe(true);
+      expect(isValidSemver("1.0.0-alpha")).toBe(true);
+      expect(isValidSemver("1.0.0-beta.1")).toBe(true);
+      expect(isValidSemver("invalid")).toBe(false);
+      expect(isValidSemver("1.0")).toBe(false);
+    });
+  });
 });