Only install for install/download and wheel commands

packages/safe-chain/src/packagemanager/pip/runPipCommand.js

@@ -3,6 +3,26 @@ import { safeSpawn } from "../../utils/safeSpawn.js";
 import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
 import { installSafeChainCA } from "../../registryProxy/certUtils.js";
 
+/**
+ * Returns true if the pip command needs the Safe-chain CA installed.
+ * @param {string[]} args
+ * @returns {boolean}
+ */
+function needsCaInstalled(args) {
+  const known = new Set(["install", "wheel", "download"]);
+  let startIdx = 0;
+  if (args[0] === "-m" && (args[1] === "pip" || args[1] === "pip3")) {
+    startIdx = 2;
+  }
+  for (let i = startIdx; i < args.length; i++) {
+    const token = args[i];
+    if (!token) continue;
+    if (token.startsWith("-")) continue; // skip flags
+    if (known.has(token)) return true;
+  }
+  return false;
+}
+
 /**
  * @param {string} command
  * @param {string[]} args
@@ -11,9 +31,11 @@ import { installSafeChainCA } from "../../registryProxy/certUtils.js";
  */
 export async function runPip(command, args) {
   try {
-    // Install Safe Chain CA in OS trust store before running pip
+    // Only install CA for commands that download or build packages.
-    // Py 3.14 requires that certs are properly installed in the OS trust store
+    // This minimizes privilege prompts for read-only operations like 'list' or 'show'.
-    await installSafeChainCA();
+    if (needsCaInstalled(args)) {
+      await installSafeChainCA();
+    }
     const env = mergeSafeChainProxyEnvironmentVariables(process.env);
     const result = await safeSpawn(command, args, {
       stdio: "inherit",