fix(setup): reject cli packages without provenance #1871

Closed

leno23 wants to merge 4 commits into voidzero-dev:main from leno23:codex/verify-cli-provenance-1826

Conversation

leno23 (Contributor) commented Jun 18, 2026

Summary

Fixes #1826.

  • reject platform-specific @voidzero-dev/vite-plus-cli-* packages when npm metadata lacks dist.attestations.provenance
  • apply the same check to vp upgrade, the POSIX install script, and the PowerShell install script
  • keep local tarball and pkg.pr.new install paths unchanged

Verification

  • git diff --check
  • bash -n packages/cli/install.sh
  • RUSTUP_TOOLCHAIN=stable rustfmt --edition 2024 --check crates/vite_setup/src/registry.rs
  • checked that current npm metadata for @voidzero-dev/vite-plus-cli-darwin-arm64@0.2.0 exposes dist.attestations.provenance

Blocked locally

  • pwsh is not installed in this environment, so I could not run a PowerShell parse check
  • cargo test -p vite_setup registry::tests::test_dist_info --lib fails before compiling because the pinned nightly-2026-06-10 toolchain has a missing manifest locally; retrying with RUSTUP_TOOLCHAIN=stable reaches workspace dependency resolution and fails on the nightly-only fspy dependency from vite-task

netlify Bot commented Jun 18, 2026

Deploy Preview for viteplus-preview canceled.

Latest commit: f6601a3
Latest deploy log: https://app.netlify.com/projects/viteplus-preview/deploys/6a33c419aec9350008116c25

@leno23 leno23 marked this pull request as ready for review June 18, 2026 04:57

chatgpt-codex-connector Bot left a comment Jun 18, 2026

Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4ddec74341


Review thread on packages/cli/install.sh (outdated)
Review thread on packages/cli/install.ps1
leno23 (Contributor, Author) commented Jun 18, 2026

Addressed the Codex review findings in 60980b2:

  • POSIX installer now checks provenance under dist.attestations.provenance instead of matching arbitrary top-level metadata fields
  • PowerShell installer now parses raw string metadata responses before checking dist.attestations.provenance, and reports metadata errors consistently

Local validation:

  • bash -n packages/cli/install.sh
  • git diff --check
  • metadata grep smoke check verifies valid dist.attestations.provenance passes and top-level-only attestations fail

pwsh is not installed in this macOS checkout, so the PowerShell change was validated by code inspection only and left for CI.

leno23 (Contributor, Author) commented Jun 18, 2026

Pushed a follow-up shell installer fix in f1f2b62: the first grep-based path check was too narrow because real npm metadata can contain nested dist.signatures before dist.attestations, which caused the install.sh matrix to reject valid alpha metadata. The shell path now uses a small awk scanner to verify dist.attestations.provenance without matching top-level-only fake fields.

Local validation:

  • bash -n packages/cli/install.sh
  • git diff --check
  • live alpha metadata for @voidzero-dev/vite-plus-cli-darwin-arm64@alpha passes
  • top-level-only attestations.provenance fixture fails
  • nested dist.attestations.provenance fixture passes
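The nested-path check that the PR summary and this comment describe, written here as an added example rather than the project's own install.sh: a POSIX sh function (the name has_dist_provenance is assumed) whose awk scanner tracks string state and the object path, so it accepts npm version metadata only when a non-null provenance key sits at dist.attestations of the top-level object, and rejects a top-level-only attestations.provenance decoy even when dist.signatures appears first. The two fixtures are constructed, not real registry responses.

```shell
#!/bin/sh
# Added example, not the project's install.sh. Reads npm version metadata JSON on
# stdin; exits 0 only if "provenance" is a non-null key nested exactly at
# dist.attestations inside the top-level object. Decoys such as a root-level
# "attestations":{"provenance":...} or a "provenance" key elsewhere are rejected.
has_dist_provenance() {
  awk '
  { buf = buf $0 }      # JSON strings cannot contain raw newlines, so joining lines is safe
  END {
    n = length(buf); depth = 0; instr = 0; esc = 0; found = 0
    for (i = 1; i <= n; i++) {
      c = substr(buf, i, 1)
      if (instr) {      # inside a string literal: only track escapes and the closing quote
        if (esc) { esc = 0 }
        else if (c == "\\") { esc = 1 }
        else if (c == "\"") { instr = 0; last = str }
        else { str = str c }
        continue
      }
      if (c == "\"") { instr = 1; str = ""; continue }
      if (c == "{" || c == "[") {       # push: remember which key opened this container
        depth++; opened[depth] = (c == "{") ? key[depth - 1] : "[]"; key[depth] = ""; continue
      }
      if (c == "}" || c == "]") { depth--; continue }
      if (c == ":") {                   # the string just before a colon is the current key
        key[depth] = last
        if (depth == 3 && last == "provenance" && opened[3] == "attestations" && opened[2] == "dist") {
          j = i + 1                     # skip whitespace, then require a value other than null
          while (j <= n && index(" \t\r", substr(buf, j, 1))) j++
          if (substr(buf, j, 4) != "null") found = 1
        }
      }
    }
    exit (found ? 0 : 1)
  }'
}

# Constructed fixtures (not real registry responses).
GOOD_META='{"name":"@example/cli-demo","dist":{"integrity":"sha512-AAAA","signatures":[{"keyid":"k","sig":"s"}],"attestations":{"url":"https://example.invalid/att","provenance":{"predicateType":"https://slsa.dev/provenance/v1"}}}}'
FAKE_META='{"name":"@example/cli-demo","attestations":{"provenance":{"predicateType":"x"}},"dist":{"integrity":"sha512-AAAA"}}'

printf '%s' "$GOOD_META" | has_dist_provenance && echo "nested dist.attestations.provenance: accept"
printf '%s' "$FAKE_META" | has_dist_provenance || echo "top-level-only attestations.provenance: reject"
```

In an installer the function would be fed the registry's per-version metadata document (for example via curl piped into has_dist_provenance) before the tarball is downloaded, and a non-zero exit aborts the install.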

leno23 (Contributor, Author) commented Jun 18, 2026

Updated this branch to address the macOS CLI E2E failure where vp check could not resolve @napi-rs/cli from the installed CLI package context. Moved the CLI package's @napi-rs/cli entry into runtime dependencies and refreshed the lockfile.

Local validation:

  • pnpm install --lockfile-only
  • pnpm -F vite-plus exec tsgo --noEmit
  • git diff --check

Review thread on packages/cli/package.json, at the line adding "@napi-rs/cli" to "dependencies":

    "test": "vitest run"
  },
  "dependencies": {
    "@napi-rs/cli": "catalog:",

A Member commented on this line:

Why?

fengmk2 (Member) commented Jun 18, 2026

Please reply with your proposal on #1826, and then submit a PR.

@fengmk2 fengmk2 closed this Jun 18, 2026
Linked issue (successfully merging this pull request may close it):

Reject Vite+ install script if the @voidzero-dev/vite-plus-cli-* package does not have provenance