@enactprotocol/cli 2.3.1 → 2.3.5

package/src/commands/learn/index.ts

@@ -225,27 +225,31 @@ async function learnHandler(
     const attestations = attestationsResponse.attestations;
 
     if (attestations.length === 0) {
-      // No attestations found
-      info(`${symbols.warning} Tool ${toolName}@${version} has no attestations.`);
+      // No attestations found — but if minimum_attestations is 0, that's fine
+      if (minimumAttestations === 0) {
+        // User explicitly configured zero required attestations — allow access
+      } else {
+        info(`${symbols.warning} Tool ${toolName}@${version} has no attestations.`);
 
-      if (trustPolicy === "require_attestation") {
-        throw new TrustError(
-          "Trust policy requires attestations. Cannot display documentation from unverified tools."
-        );
-      }
-      if (ctx.isInteractive && trustPolicy === "prompt") {
-        dim("Documentation from unverified tools may contain malicious content.");
-        const proceed = await confirm("View documentation from unverified tool?");
-        if (!proceed) {
-          info("Cancelled.");
-          process.exit(0);
+        if (trustPolicy === "require_attestation") {
+          throw new TrustError(
+            "Trust policy requires attestations. Cannot display documentation from unverified tools."
+          );
+        }
+        if (ctx.isInteractive && trustPolicy === "prompt") {
+          dim("Documentation from unverified tools may contain malicious content.");
+          const proceed = await confirm("View documentation from unverified tool?");
+          if (!proceed) {
+            info("Cancelled.");
+            process.exit(0);
+          }
+        } else if (!ctx.isInteractive && trustPolicy === "prompt") {
+          throw new TrustError(
+            "Cannot display documentation from unverified tools in non-interactive mode."
+          );
         }
-      } else if (!ctx.isInteractive && trustPolicy === "prompt") {
-        throw new TrustError(
-          "Cannot display documentation from unverified tools in non-interactive mode."
-        );
       }
-      // trustPolicy === "allow" - continue without prompting
+      // trustPolicy === "allow" or minimumAttestations === 0 - continue without prompting
     } else {
       // Verify attestations locally (never trust registry's verification status)
       const verifiedAuditors = await verifyAllAttestations(

package/src/commands/run/index.ts

@@ -318,22 +318,22 @@ function atomicReplace(targetDir: string, sourceDir: string): void {
 async function extractToCache(
   bundleData: ArrayBuffer,
   toolName: string,
-  version: string
+  _version: string
 ): Promise<string> {
   const cacheDir = getCacheDir();
   const toolPath = toolNameToPath(toolName);
-  const versionDir = join(cacheDir, toolPath, `v${version.replace(/^v/, "")}`);
+  const destDir = join(cacheDir, toolPath);
 
   // Create a temporary file for the bundle
   const tempFile = join(cacheDir, `bundle-${Date.now()}.tar.gz`);
   mkdirSync(dirname(tempFile), { recursive: true });
   writeFileSync(tempFile, Buffer.from(bundleData));
 
-  // Create destination directory
-  mkdirSync(versionDir, { recursive: true });
+  // Create destination directory (flat, no version subdirectory — matches resolver)
+  mkdirSync(destDir, { recursive: true });
 
   // Extract using tar command
-  const proc = Bun.spawn(["tar", "-xzf", tempFile, "-C", versionDir], {
+  const proc = Bun.spawn(["tar", "-xzf", tempFile, "-C", destDir], {
     stdout: "pipe",
     stderr: "pipe",
   });
@@ -352,7 +352,7 @@ async function extractToCache(
     throw new Error(`Failed to extract bundle: ${stderr}`);
   }
 
-  return versionDir;
+  return destDir;
 }
 
 /**
@@ -450,22 +450,26 @@ async function fetchAndCacheTool(
   const attestations = attestationsResponse.attestations;
 
   if (attestations.length === 0) {
-    // No attestations found
-    info(`${symbols.warning} Tool ${toolName}@${targetVersion} has no attestations.`);
+    // No attestations found — but if minimum_attestations is 0, that's fine
+    if (minimumAttestations === 0) {
+      // User explicitly configured zero required attestations — allow execution
+    } else {
+      info(`${symbols.warning} Tool ${toolName}@${targetVersion} has no attestations.`);
 
-    if (trustPolicy === "require_attestation") {
-      throw new TrustError("Trust policy requires attestations. Execution blocked.");
-    }
-    if (ctx.isInteractive && trustPolicy === "prompt") {
-      const proceed = await confirm("Run unverified tool?");
-      if (!proceed) {
-        info("Execution cancelled.");
-        process.exit(0);
+      if (trustPolicy === "require_attestation") {
+        throw new TrustError("Trust policy requires attestations. Execution blocked.");
+      }
+      if (ctx.isInteractive && trustPolicy === "prompt") {
+        const proceed = await confirm("Run unverified tool?");
+        if (!proceed) {
+          info("Execution cancelled.");
+          process.exit(0);
+        }
+      } else if (!ctx.isInteractive && trustPolicy === "prompt") {
+        throw new TrustError("Cannot run unverified tools in non-interactive mode.");
       }
-    } else if (!ctx.isInteractive && trustPolicy === "prompt") {
-      throw new TrustError("Cannot run unverified tools in non-interactive mode.");
     }
-    // trustPolicy === "allow" - continue without prompting
+    // trustPolicy === "allow" or minimumAttestations === 0 - continue without prompting
   } else {
     // Verify attestations locally (never trust registry's verification status)
     const verifiedAuditors = await verifyAllAttestations(

package/src/index.ts

@@ -37,7 +37,7 @@ import {
 } from "./commands";
 import { error, formatError } from "./utils";
 
-export const version = "2.3.1";
+export const version = "2.3.5";
 
 // Export types for external use
 export type { GlobalOptions, CommandContext } from "./types";