ai-trust 0.1.0

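--- a/package/README.md
+++ b/package/README.md
@@ -0,0 +1,117 @@
+# oa2a
+
+Command-line tool for querying the [OpenA2A Registry](https://registry.opena2a.org) trust API. Look up trust verdicts, scores, CVE counts, and dependency risk for packages in the registry.
+
+## Install
+
+```bash
+npm install -g oa2a
+```
+
+Or run directly with npx:
+
+```bash
+npx oa2a check @modelcontextprotocol/server-filesystem
+```
+
+## Usage
+
+### Check a single package
+
+```bash
+oa2a check @modelcontextprotocol/server-filesystem
+```
+
+Specify the package type explicitly:
+
+```bash
+oa2a check my-agent --type a2a_agent
+```
+
+### Audit dependencies from a project file
+
+Parse `package.json` or `requirements.txt` and batch-query all dependencies:
+
+```bash
+oa2a audit package.json
+oa2a audit requirements.txt
+```
+
+Set a minimum trust level threshold (default: 3):
+
+```bash
+oa2a audit package.json --min-trust 2
+```
+
+### Batch lookup for multiple packages
+
+```bash
+oa2a batch express lodash chalk commander
+```
+
+Apply the same type to all packages:
+
+```bash
+oa2a batch my-server-a my-server-b --type mcp_server
+```
+
+### Output options
+
+Get raw JSON output for scripting:
+
+```bash
+oa2a check express --json
+oa2a audit package.json --json
+```
+
+Use a custom registry URL:
+
+```bash
+oa2a check express --registry-url http://localhost:8080
+```
+
+Disable colored output:
+
+```bash
+oa2a check express --no-color
+```
+
+## Exit Codes
+
+| Code | Meaning |
+|------|---------|
+| 0 | All queried packages are safe |
+| 1 | One or more packages have warnings, are blocked, or fall below the trust threshold |
+
+## Trust Levels
+
+| Level | Label | Description |
+|-------|-------|-------------|
+| 0 | Blocked | Package is blocked due to security concerns |
+| 1 | Warning | Package has known issues |
+| 2 | Listed | Package is listed but not yet scanned |
+| 3 | Scanned | Package has been scanned by HackMyAgent |
+| 4 | Verified | Package is verified by the publisher |
+
+## Requirements
+
+- Node.js 18 or later
+
+## Development
+
+```bash
+git clone https://github.com/opena2a-org/oa2a.git
+cd oa2a
+npm install
+npm run build
+```
+
+Run locally without installing globally:
+
+```bash
+node dist/index.js check express
+```
+
+## License
+
+Apache-2.0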
@@ -0,0 +1,52 @@
1
+ /**
2
+ * API client for the OpenA2A Registry trust query endpoints.
3
+ */
4
+ export interface TrustAnswer {
5
+ name: string;
6
+ type: string;
7
+ found: boolean;
8
+ verdict: string;
9
+ trustLevel: number;
10
+ trustScore: number;
11
+ cveCount: number;
12
+ recommendation: string;
13
+ profile?: SecurityProfile;
14
+ dependencies?: DependencyInfo;
15
+ }
16
+ export interface SecurityProfile {
17
+ id: string;
18
+ packageId: string;
19
+ version: string;
20
+ trustFactors: Record<string, unknown>;
21
+ riskIndicators: string[];
22
+ createdAt: string;
23
+ }
24
+ export interface DependencyInfo {
25
+ direct: number;
26
+ transitive: number;
27
+ maxDepth: number;
28
+ riskSummary: {
29
+ blocked: number;
30
+ warning: number;
31
+ safe: number;
32
+ };
33
+ }
34
+ export interface BatchResponse {
35
+ results: TrustAnswer[];
36
+ meta: {
37
+ total: number;
38
+ found: number;
39
+ notFound: number;
40
+ };
41
+ }
42
+ export interface PackageQuery {
43
+ name: string;
44
+ type?: string;
45
+ }
46
+ export declare class RegistryClient {
47
+ private baseUrl;
48
+ constructor(registryUrl: string);
49
+ checkTrust(name: string, type?: string): Promise<TrustAnswer>;
50
+ batchQuery(packages: PackageQuery[]): Promise<BatchResponse>;
51
+ }
52
+ //# sourceMappingURL=client.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/api/client.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,eAAe,CAAC;IAC1B,YAAY,CAAC,EAAE,cAAc,CAAC;CAC/B;AAED,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACtC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE;QACX,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,EAAE,MAAM,CAAC;KACd,CAAC;CACH;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,WAAW,EAAE,CAAC;IACvB,IAAI,EAAE;QACJ,KAAK,EAAE,MAAM,CAAC;QACd,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;CACH;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,qBAAa,cAAc;IACzB,OAAO,CAAC,OAAO,CAAS;gBAEZ,WAAW,EAAE,MAAM;IAIzB,UAAU,CACd,IAAI,EAAE,MAAM,EACZ,IAAI,CAAC,EAAE,MAAM,GACZ,OAAO,CAAC,WAAW,CAAC;IA8BjB,UAAU,CAAC,QAAQ,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,aAAa,CAAC;CAqBnE"}
@@ -0,0 +1,50 @@
1
+ /**
2
+ * API client for the OpenA2A Registry trust query endpoints.
3
+ */
4
+ export class RegistryClient {
5
+ baseUrl;
6
+ constructor(registryUrl) {
7
+ this.baseUrl = registryUrl.replace(/\/+$/, "");
8
+ }
9
+ async checkTrust(name, type) {
10
+ const params = new URLSearchParams({
11
+ name,
12
+ includeProfile: "true",
13
+ includeDeps: "true",
14
+ });
15
+ if (type) {
16
+ params.set("type", type);
17
+ }
18
+ const url = `${this.baseUrl}/api/v1/trust/query?${params.toString()}`;
19
+ const response = await fetch(url, {
20
+ method: "GET",
21
+ headers: {
22
+ "Accept": "application/json",
23
+ "User-Agent": "oa2a-cli/0.1.0",
24
+ },
25
+ });
26
+ if (!response.ok) {
27
+ const body = await response.text();
28
+ throw new Error(`Registry API returned ${response.status}: ${body}`);
29
+ }
30
+ return (await response.json());
31
+ }
32
+ async batchQuery(packages) {
33
+ const url = `${this.baseUrl}/api/v1/trust/batch`;
34
+ const response = await fetch(url, {
35
+ method: "POST",
36
+ headers: {
37
+ "Content-Type": "application/json",
38
+ "Accept": "application/json",
39
+ "User-Agent": "oa2a-cli/0.1.0",
40
+ },
41
+ body: JSON.stringify({ packages }),
42
+ });
43
+ if (!response.ok) {
44
+ const body = await response.text();
45
+ throw new Error(`Registry API returned ${response.status}: ${body}`);
46
+ }
47
+ return (await response.json());
48
+ }
49
+ }
50
+ //# sourceMappingURL=client.js.map
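Review bot: `checkTrust` and `batchQuery` both end in `return (await response.json());`, so whatever the server at `--registry-url` sends is handed to the callers as a trust answer with no runtime shape check; the `TrustAnswer` and `BatchResponse` declarations exist only at compile time. Before returning I would verify the fields the commands decide on — `found` is a boolean, `trustLevel` is an integer from 0 to 4, `verdict` is a string, and for the batch call `results` is an array — and throw on anything else. Neither `fetch` call sets a timeout, so a stalled registry hangs the CLI; `signal: AbortSignal.timeout(timeoutMs)` (with `timeoutMs` a new constant) covers that on the Node 18 baseline the README states. The error path also interpolates the full response body into the message, which is worth capping, e.g. `body.slice(0, 500)`.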
@@ -0,0 +1 @@
1
+ {"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/api/client.ts"],"names":[],"mappings":"AAAA;;GAEG;AAiDH,MAAM,OAAO,cAAc;IACjB,OAAO,CAAS;IAExB,YAAY,WAAmB;QAC7B,IAAI,CAAC,OAAO,GAAG,WAAW,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,UAAU,CACd,IAAY,EACZ,IAAa;QAEb,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,IAAI;YACJ,cAAc,EAAE,MAAM;YACtB,WAAW,EAAE,MAAM;SACpB,CAAC,CAAC;QAEH,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QAC3B,CAAC;QAED,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,uBAAuB,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QACtE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,KAAK;YACb,OAAO,EAAE;gBACP,QAAQ,EAAE,kBAAkB;gBAC5B,YAAY,EAAE,gBAAgB;aAC/B;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,IAAI,KAAK,CACb,yBAAyB,QAAQ,CAAC,MAAM,KAAK,IAAI,EAAE,CACpD,CAAC;QACJ,CAAC;QAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAgB,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,QAAwB;QACvC,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,qBAAqB,CAAC;QACjD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,QAAQ,EAAE,kBAAkB;gBAC5B,YAAY,EAAE,gBAAgB;aAC/B;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,CAAC;SACnC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,IAAI,KAAK,CACb,yBAAyB,QAAQ,CAAC,MAAM,KAAK,IAAI,EAAE,CACpD,CAAC;QACJ,CAAC;QAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAkB,CAAC;IAClD,CAAC;CACF"}
@@ -0,0 +1,6 @@
1
+ /**
2
+ * oa2a audit - Parse dependency files and batch query trust.
3
+ */
4
+ import type { Command } from "commander";
5
+ export declare function registerAuditCommand(program: Command): void;
6
+ //# sourceMappingURL=audit.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/commands/audit.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAKzC,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CA8D3D"}
@@ -0,0 +1,52 @@
1
+ /**
2
+ * oa2a audit - Parse dependency files and batch query trust.
3
+ */
4
+ import { RegistryClient } from "../api/client.js";
5
+ import { parseDependencyFile } from "../utils/parser.js";
6
+ import { formatBatchResults, formatJson } from "../output/formatter.js";
7
+ export function registerAuditCommand(program) {
8
+ program
9
+ .command("audit <file>")
10
+ .description("Audit dependencies from package.json or requirements.txt")
11
+ .option("--min-trust <level>", "minimum trust level threshold", "3")
12
+ .action(async (file, opts) => {
13
+ const globalOpts = program.opts();
14
+ const minTrust = parseInt(opts.minTrust, 10);
15
+ if (isNaN(minTrust) || minTrust < 0 || minTrust > 4) {
16
+ console.error("Error: --min-trust must be a number between 0 and 4");
17
+ process.exitCode = 1;
18
+ return;
19
+ }
20
+ try {
21
+ const packages = await parseDependencyFile(file);
22
+ if (packages.length === 0) {
23
+ console.log("No dependencies found in the specified file.");
24
+ return;
25
+ }
26
+ if (packages.length > 100) {
27
+ console.error(`Error: Too many dependencies (${packages.length}). The batch API supports a maximum of 100 packages per request.`);
28
+ process.exitCode = 1;
29
+ return;
30
+ }
31
+ const client = new RegistryClient(globalOpts.registryUrl);
32
+ const response = await client.batchQuery(packages);
33
+ if (globalOpts.json) {
34
+ console.log(formatJson(response));
35
+ }
36
+ else {
37
+ console.log(formatBatchResults(response, minTrust));
38
+ }
39
+ // Exit code 1 if any package is below threshold
40
+ const belowThreshold = response.results.some((r) => r.found && r.trustLevel < minTrust);
41
+ if (belowThreshold) {
42
+ process.exitCode = 1;
43
+ }
44
+ }
45
+ catch (err) {
46
+ const message = err instanceof Error ? err.message : String(err);
47
+ console.error(`Error: ${message}`);
48
+ process.exitCode = 1;
49
+ }
50
+ });
51
+ }
52
+ //# sourceMappingURL=audit.js.map
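Review bot: The exit-code check `response.results.some((r) => r.found && r.trustLevel < minTrust)` fails open: a package the registry does not know (`found` false), a result whose `trustLevel` is missing or non-numeric (the comparison is then false), and a requested package that is absent from `results` altogether all leave the exit code at 0. If the exit code is meant to gate installs in CI, treat those cases as failures, e.g. `const failing = response.results.length !== packages.length || response.results.some((r) => !r.found || !(r.trustLevel >= minTrust));` (assuming the API returns one result per requested package), or at least add an option that makes not-found packages fail. The same expression appears in the `batch` command's action in batch.js. `parseInt(opts.minTrust, 10)` also accepts trailing junk such as `3abc`; `/^[0-4]$/.test(opts.minTrust)` would be a stricter check in both commands.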
@@ -0,0 +1 @@
1
+ {"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/commands/audit.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,kBAAkB,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAExE,MAAM,UAAU,oBAAoB,CAAC,OAAgB;IACnD,OAAO;SACJ,OAAO,CAAC,cAAc,CAAC;SACvB,WAAW,CACV,0DAA0D,CAC3D;SACA,MAAM,CACL,qBAAqB,EACrB,+BAA+B,EAC/B,GAAG,CACJ;SACA,MAAM,CAAC,KAAK,EAAE,IAAY,EAAE,IAA0B,EAAE,EAAE;QACzD,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,EAG9B,CAAC;QAEF,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAC7C,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,QAAQ,GAAG,CAAC,IAAI,QAAQ,GAAG,CAAC,EAAE,CAAC;YACpD,OAAO,CAAC,KAAK,CAAC,qDAAqD,CAAC,CAAC;YACrE,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACrB,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC;YAEjD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1B,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;gBAC5D,OAAO;YACT,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;gBAC1B,OAAO,CAAC,KAAK,CACX,iCAAiC,QAAQ,CAAC,MAAM,kEAAkE,CACnH,CAAC;gBACF,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;gBACrB,OAAO;YACT,CAAC;YAED,MAAM,MAAM,GAAG,IAAI,cAAc,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;YAC1D,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YAEnD,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC;gBACpB,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC;YACpC,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;YACtD,CAAC;YAED,gDAAgD;YAChD,MAAM,cAAc,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,CAC1C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,UAAU,GAAG,QAAQ,CAC1C,CAAC;YACF,IAAI,cAAc,EAAE,CAAC;gBACnB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,UAAU,OAAO,EAAE,CAAC,CAAC;YACnC,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}
@@ -0,0 +1,6 @@
1
+ /**
2
+ * oa2a batch - Batch trust lookup for multiple packages.
3
+ */
4
+ import type { Command } from "commander";
5
+ export declare function registerBatchCommand(program: Command): void;
6
+ //# sourceMappingURL=batch.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"batch.d.ts","sourceRoot":"","sources":["../../src/commands/batch.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAKzC,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAmE3D"}
@@ -0,0 +1,51 @@
1
+ /**
2
+ * oa2a batch - Batch trust lookup for multiple packages.
3
+ */
4
+ import { RegistryClient } from "../api/client.js";
5
+ import { formatBatchResults, formatJson } from "../output/formatter.js";
6
+ export function registerBatchCommand(program) {
7
+ program
8
+ .command("batch <names...>")
9
+ .description("Batch trust lookup for multiple packages")
10
+ .option("-t, --type <type>", "package type to apply to all packages")
11
+ .option("--min-trust <level>", "minimum trust level threshold", "3")
12
+ .action(async (names, opts) => {
13
+ const globalOpts = program.opts();
14
+ const minTrust = parseInt(opts.minTrust, 10);
15
+ if (isNaN(minTrust) || minTrust < 0 || minTrust > 4) {
16
+ console.error("Error: --min-trust must be a number between 0 and 4");
17
+ process.exitCode = 1;
18
+ return;
19
+ }
20
+ if (names.length > 100) {
21
+ console.error(`Error: Too many packages (${names.length}). The batch API supports a maximum of 100 packages per request.`);
22
+ process.exitCode = 1;
23
+ return;
24
+ }
25
+ const packages = names.map((name) => ({
26
+ name,
27
+ ...(opts.type ? { type: opts.type } : {}),
28
+ }));
29
+ const client = new RegistryClient(globalOpts.registryUrl);
30
+ try {
31
+ const response = await client.batchQuery(packages);
32
+ if (globalOpts.json) {
33
+ console.log(formatJson(response));
34
+ }
35
+ else {
36
+ console.log(formatBatchResults(response, minTrust));
37
+ }
38
+ // Exit code 1 if any package is below threshold
39
+ const belowThreshold = response.results.some((r) => r.found && r.trustLevel < minTrust);
40
+ if (belowThreshold) {
41
+ process.exitCode = 1;
42
+ }
43
+ }
44
+ catch (err) {
45
+ const message = err instanceof Error ? err.message : String(err);
46
+ console.error(`Error: ${message}`);
47
+ process.exitCode = 1;
48
+ }
49
+ });
50
+ }
51
+ //# sourceMappingURL=batch.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"batch.js","sourceRoot":"","sources":["../../src/commands/batch.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAElD,OAAO,EAAE,kBAAkB,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAExE,MAAM,UAAU,oBAAoB,CAAC,OAAgB;IACnD,OAAO;SACJ,OAAO,CAAC,kBAAkB,CAAC;SAC3B,WAAW,CAAC,0CAA0C,CAAC;SACvD,MAAM,CAAC,mBAAmB,EAAE,uCAAuC,CAAC;SACpE,MAAM,CACL,qBAAqB,EACrB,+BAA+B,EAC/B,GAAG,CACJ;SACA,MAAM,CACL,KAAK,EACH,KAAe,EACf,IAAyC,EACzC,EAAE;QACF,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,EAG9B,CAAC;QAEF,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAC7C,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,QAAQ,GAAG,CAAC,IAAI,QAAQ,GAAG,CAAC,EAAE,CAAC;YACpD,OAAO,CAAC,KAAK,CACX,qDAAqD,CACtD,CAAC;YACF,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACrB,OAAO;QACT,CAAC;QAED,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YACvB,OAAO,CAAC,KAAK,CACX,6BAA6B,KAAK,CAAC,MAAM,kEAAkE,CAC5G,CAAC;YACF,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACrB,OAAO;QACT,CAAC;QAED,MAAM,QAAQ,GAAmB,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACpD,IAAI;YACJ,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC1C,CAAC,CAAC,CAAC;QAEJ,MAAM,MAAM,GAAG,IAAI,cAAc,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;QAE1D,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YAEnD,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC;gBACpB,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC;YACpC,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;YACtD,CAAC;YAED,gDAAgD;YAChD,MAAM,cAAc,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,CAC1C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,UAAU,GAAG,QAAQ,CAC1C,CAAC;YACF,IAAI,cAAc,EAAE,CAAC;gBACnB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,UAAU,OAAO,EAAE,CAAC,CAAC;YACnC,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC,CACF,CAAC;AACN,CAAC"}
@@ -0,0 +1,6 @@
1
+ /**
2
+ * oa2a check - Single package trust lookup.
3
+ */
4
+ import type { Command } from "commander";
5
+ export declare function registerCheckCommand(program: Command): void;
6
+ //# sourceMappingURL=check.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"check.d.ts","sourceRoot":"","sources":["../../src/commands/check.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIzC,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAgC3D"}
@@ -0,0 +1,34 @@
1
+ /**
2
+ * oa2a check - Single package trust lookup.
3
+ */
4
+ import { RegistryClient } from "../api/client.js";
5
+ import { formatCheckResult, formatJson } from "../output/formatter.js";
6
+ export function registerCheckCommand(program) {
7
+ program
8
+ .command("check <name>")
9
+ .description("Look up trust information for a single package")
10
+ .option("-t, --type <type>", "package type (mcp_server, a2a_agent, ai_tool, etc.)")
11
+ .action(async (name, opts) => {
12
+ const globalOpts = program.opts();
13
+ const client = new RegistryClient(globalOpts.registryUrl);
14
+ try {
15
+ const result = await client.checkTrust(name, opts.type);
16
+ if (globalOpts.json) {
17
+ console.log(formatJson(result));
18
+ }
19
+ else {
20
+ console.log(formatCheckResult(result));
21
+ }
22
+ // Exit code 1 if blocked or warning
23
+ if (result.found && (result.verdict === "blocked" || result.verdict === "warning")) {
24
+ process.exitCode = 1;
25
+ }
26
+ }
27
+ catch (err) {
28
+ const message = err instanceof Error ? err.message : String(err);
29
+ console.error(`Error: ${message}`);
30
+ process.exitCode = 1;
31
+ }
32
+ });
33
+ }
34
+ //# sourceMappingURL=check.js.map
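Review bot: The condition `result.verdict === "blocked" || result.verdict === "warning"` is a deny-list, so any verdict string the client does not recognise — a new value, different casing, or an empty string — exits 0 exactly like `safe`, and so does a package that is not in the registry at all. An allow-list is the safer default for a tool whose exit code may gate installs: `if (!result.found || result.verdict !== "safe") { process.exitCode = 1; }`. If not-found is meant to stay non-fatal, I would still state that next to the check with a comment such as `// not found in registry: reported, but does not fail the command`.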
@@ -0,0 +1 @@
1
+ {"version":3,"file":"check.js","sourceRoot":"","sources":["../../src/commands/check.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAEvE,MAAM,UAAU,oBAAoB,CAAC,OAAgB;IACnD,OAAO;SACJ,OAAO,CAAC,cAAc,CAAC;SACvB,WAAW,CAAC,gDAAgD,CAAC;SAC7D,MAAM,CAAC,mBAAmB,EAAE,qDAAqD,CAAC;SAClF,MAAM,CAAC,KAAK,EAAE,IAAY,EAAE,IAAuB,EAAE,EAAE;QACtD,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,EAG9B,CAAC;QAEF,MAAM,MAAM,GAAG,IAAI,cAAc,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;QAE1D,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;YAExD,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC;gBACpB,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;YAClC,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC;YACzC,CAAC;YAED,oCAAoC;YACpC,IAAI,MAAM,CAAC,KAAK,IAAI,CAAC,MAAM,CAAC,OAAO,KAAK,SAAS,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS,CAAC,EAAE,CAAC;gBACnF,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,UAAU,OAAO,EAAE,CAAC,CAAC;YACnC,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}
@@ -0,0 +1,9 @@
1
+ #!/usr/bin/env node
2
+ /**
3
+ * ai-trust - Trust verification CLI for AI packages.
4
+ *
5
+ * Check MCP servers, A2A agents, and AI tools before you install.
6
+ * Powered by the OpenA2A Registry.
7
+ */
8
+ export {};
9
+ //# sourceMappingURL=index.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA;;;;;GAKG"}
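--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -0,0 +1,24 @@
+#!/usr/bin/env node
+/**
+* ai-trust - Trust verification CLI for AI packages.
+*
+* Check MCP servers, A2A agents, and AI tools before you install.
+* Powered by the OpenA2A Registry.
+*/
+import { Command } from "commander";
+import { registerCheckCommand } from "./commands/check.js";
+import { registerAuditCommand } from "./commands/audit.js";
+import { registerBatchCommand } from "./commands/batch.js";
+const program = new Command();
+program
+.name("ai-trust")
+.description("Trust verification CLI for AI packages")
+.version("0.1.0")
+.option("--registry-url <url>", "registry base URL", "https://registry.opena2a.org")
+.option("--json", "output raw JSON", false)
+.option("--no-color", "disable colored output");
+registerCheckCommand(program);
+registerAuditCommand(program);
+registerBatchCommand(program);
+program.parse();
+//# sourceMappingURL=index.js.map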
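Review bot: `--registry-url` is accepted as a free-form string and handed to `RegistryClient` unchanged, so an `http://` value (the README's own example uses `http://localhost:8080`) makes the tool fetch trust verdicts in cleartext, where the answer can be altered in transit. I would parse the option once here with `new URL(value)` and reject schemes other than `https:` unless the host is loopback, reporting the error before any command runs. Separately, this file sets `.name("ai-trust")` while the README and the client's `User-Agent` use `oa2a`, and the README's install command names `oa2a`; the published name and the documented one should agree so that users install the package they read about.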
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA;;;;;GAKG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAE3D,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,UAAU,CAAC;KAChB,WAAW,CAAC,wCAAwC,CAAC;KACrD,OAAO,CAAC,OAAO,CAAC;KAChB,MAAM,CACL,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,CAC/B;KACA,MAAM,CAAC,QAAQ,EAAE,iBAAiB,EAAE,KAAK,CAAC;KAC1C,MAAM,CAAC,YAAY,EAAE,wBAAwB,CAAC,CAAC;AAElD,oBAAoB,CAAC,OAAO,CAAC,CAAC;AAC9B,oBAAoB,CAAC,OAAO,CAAC,CAAC;AAC9B,oBAAoB,CAAC,OAAO,CAAC,CAAC;AAE9B,OAAO,CAAC,KAAK,EAAE,CAAC"}
@@ -0,0 +1,9 @@
1
+ /**
2
+ * Output formatting for trust query results.
3
+ * Supports colored terminal output and raw JSON.
4
+ */
5
+ import type { TrustAnswer, BatchResponse } from "../api/client.js";
6
+ export declare function formatCheckResult(answer: TrustAnswer): string;
7
+ export declare function formatBatchResults(response: BatchResponse, minTrust: number): string;
8
+ export declare function formatJson(data: unknown): string;
9
+ //# sourceMappingURL=formatter.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"formatter.d.ts","sourceRoot":"","sources":["../../src/output/formatter.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAsCnE,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,WAAW,GAAG,MAAM,CA2C7D;AAED,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,aAAa,EACvB,QAAQ,EAAE,MAAM,GACf,MAAM,CA6FR;AAED,wBAAgB,UAAU,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM,CAEhD"}
@@ -0,0 +1,143 @@
1
+ /**
2
+ * Output formatting for trust query results.
3
+ * Supports colored terminal output and raw JSON.
4
+ */
5
+ import chalk from "chalk";
6
+ function verdictColor(verdict) {
7
+ switch (verdict) {
8
+ case "safe":
9
+ return chalk.green;
10
+ case "warning":
11
+ return chalk.yellow;
12
+ case "blocked":
13
+ return chalk.red;
14
+ default:
15
+ return chalk.gray;
16
+ }
17
+ }
18
+ function trustLevelLabel(level) {
19
+ switch (level) {
20
+ case 0:
21
+ return "Blocked";
22
+ case 1:
23
+ return "Warning";
24
+ case 2:
25
+ return "Listed";
26
+ case 3:
27
+ return "Scanned";
28
+ case 4:
29
+ return "Verified";
30
+ default:
31
+ return `Unknown (${level})`;
32
+ }
33
+ }
34
+ function trustLevelColor(level) {
35
+ if (level >= 3)
36
+ return chalk.green;
37
+ if (level >= 1)
38
+ return chalk.yellow;
39
+ return chalk.red;
40
+ }
41
+ export function formatCheckResult(answer) {
42
+ if (!answer.found) {
43
+ return [
44
+ "",
45
+ chalk.bold(` ${answer.name}`),
46
+ chalk.gray(` Type: ${answer.type || "unknown"}`),
47
+ chalk.gray(" Status: Not found in registry"),
48
+ "",
49
+ ].join("\n");
50
+ }
51
+ const colorVerdict = verdictColor(answer.verdict);
52
+ const colorTrust = trustLevelColor(answer.trustLevel);
53
+ const lines = [
54
+ "",
55
+ chalk.bold(` ${answer.name}`),
56
+ ` Type: ${answer.type}`,
57
+ ` Verdict: ${colorVerdict(answer.verdict.toUpperCase())}`,
58
+ ` Trust Level: ${colorTrust(trustLevelLabel(answer.trustLevel))} (${answer.trustLevel}/4)`,
59
+ ` Trust Score: ${answer.trustScore.toFixed(2)}`,
60
+ ` CVEs: ${answer.cveCount > 0 ? chalk.red(String(answer.cveCount)) : chalk.green("0")}`,
61
+ ` Recommendation: ${answer.recommendation}`,
62
+ ];
63
+ if (answer.dependencies) {
64
+ const deps = answer.dependencies;
65
+ lines.push("");
66
+ lines.push(chalk.bold(" Dependencies"));
67
+ lines.push(` Direct: ${deps.direct}`);
68
+ lines.push(` Transitive: ${deps.transitive}`);
69
+ if (deps.riskSummary) {
70
+ const rs = deps.riskSummary;
71
+ const parts = [];
72
+ if (rs.blocked > 0)
73
+ parts.push(chalk.red(`${rs.blocked} blocked`));
74
+ if (rs.warning > 0)
75
+ parts.push(chalk.yellow(`${rs.warning} warning`));
76
+ if (rs.safe > 0)
77
+ parts.push(chalk.green(`${rs.safe} safe`));
78
+ lines.push(` Risk Summary: ${parts.join(", ")}`);
79
+ }
80
+ }
81
+ lines.push("");
82
+ return lines.join("\n");
83
+ }
84
+ export function formatBatchResults(response, minTrust) {
85
+ const lines = [];
86
+ lines.push("");
87
+ lines.push(chalk.bold(` Trust Audit: ${response.meta.total} packages queried, ${response.meta.found} found, ${response.meta.notFound} not found`));
88
+ lines.push("");
89
+ // Table header
90
+ const nameWidth = 40;
91
+ const typeWidth = 14;
92
+ const verdictWidth = 10;
93
+ const levelWidth = 12;
94
+ const scoreWidth = 8;
95
+ const cveWidth = 6;
96
+ lines.push(" " +
97
+ "PACKAGE".padEnd(nameWidth) +
98
+ "TYPE".padEnd(typeWidth) +
99
+ "VERDICT".padEnd(verdictWidth) +
100
+ "TRUST".padEnd(levelWidth) +
101
+ "SCORE".padEnd(scoreWidth) +
102
+ "CVEs".padEnd(cveWidth));
103
+ lines.push(" " + "-".repeat(nameWidth + typeWidth + verdictWidth + levelWidth + scoreWidth + cveWidth));
104
+ for (const result of response.results) {
105
+ const colorVerdict = verdictColor(result.verdict);
106
+ const colorTrust = trustLevelColor(result.trustLevel);
107
+ const name = result.name.length > nameWidth - 2
108
+ ? result.name.substring(0, nameWidth - 5) + "..."
109
+ : result.name;
110
+ lines.push(" " +
111
+ name.padEnd(nameWidth) +
112
+ (result.type || "-").padEnd(typeWidth) +
113
+ colorVerdict(result.verdict.toUpperCase().padEnd(verdictWidth)) +
114
+ colorTrust(trustLevelLabel(result.trustLevel).padEnd(levelWidth)) +
115
+ (result.found ? result.trustScore.toFixed(2) : "-").toString().padEnd(scoreWidth) +
116
+ (result.found ? String(result.cveCount) : "-").padEnd(cveWidth));
117
+ }
118
+ // Summary
119
+ const belowThreshold = response.results.filter((r) => r.found && r.trustLevel < minTrust);
120
+ const notFound = response.results.filter((r) => !r.found);
121
+ lines.push("");
122
+ if (belowThreshold.length > 0) {
123
+ lines.push(chalk.yellow(` [!] ${belowThreshold.length} package(s) below minimum trust level ${minTrust}:`));
124
+ for (const pkg of belowThreshold) {
125
+ lines.push(chalk.yellow(` - ${pkg.name} (trust level ${pkg.trustLevel}, verdict: ${pkg.verdict})`));
126
+ }
127
+ }
128
+ if (notFound.length > 0) {
129
+ lines.push(chalk.gray(` [?] ${notFound.length} package(s) not found in registry:`));
130
+ for (const pkg of notFound) {
131
+ lines.push(chalk.gray(` - ${pkg.name}`));
132
+ }
133
+ }
134
+ if (belowThreshold.length === 0 && notFound.length === 0) {
135
+ lines.push(chalk.green(` All ${response.meta.found} packages meet minimum trust level ${minTrust}.`));
136
+ }
137
+ lines.push("");
138
+ return lines.join("\n");
139
+ }
140
+ export function formatJson(data) {
141
+ return JSON.stringify(data, null, 2);
142
+ }
143
+ //# sourceMappingURL=formatter.js.map
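Review bot: `formatCheckResult` and `formatBatchResults` interpolate registry-supplied strings (`name`, `type`, `verdict`, `recommendation`) straight into terminal output, so control characters or escape sequences in a response are interpreted by the user's terminal and can change how the verdict lines are displayed. Strip them before formatting, for example `const clean = (s) => String(s).replace(/[\u0000-\u001f\u007f-\u009f]/g, "");`, and apply it to every field that comes from the response. `answer.verdict.toUpperCase()` and `trustScore.toFixed(2)` also throw when the field is missing or of another type, which surfaces as a generic error rather than a clear malformed-response message. In the batch table a not-found row is still labelled and coloured from `result.trustLevel`, so what it shows depends on whatever the server sent for an unknown package; printing `-` there, as the score and CVE columns already do, would be consistent.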
@@ -0,0 +1 @@
1
+ {"version":3,"file":"formatter.js","sourceRoot":"","sources":["../../src/output/formatter.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAG1B,SAAS,YAAY,CAAC,OAAe;IACnC,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,MAAM;YACT,OAAO,KAAK,CAAC,KAAK,CAAC;QACrB,KAAK,SAAS;YACZ,OAAO,KAAK,CAAC,MAAM,CAAC;QACtB,KAAK,SAAS;YACZ,OAAO,KAAK,CAAC,GAAG,CAAC;QACnB;YACE,OAAO,KAAK,CAAC,IAAI,CAAC;IACtB,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,CAAC;YACJ,OAAO,SAAS,CAAC;QACnB,KAAK,CAAC;YACJ,OAAO,SAAS,CAAC;QACnB,KAAK,CAAC;YACJ,OAAO,QAAQ,CAAC;QAClB,KAAK,CAAC;YACJ,OAAO,SAAS,CAAC;QACnB,KAAK,CAAC;YACJ,OAAO,UAAU,CAAC;QACpB;YACE,OAAO,YAAY,KAAK,GAAG,CAAC;IAChC,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC,KAAK,CAAC;IACnC,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC,MAAM,CAAC;IACpC,OAAO,KAAK,CAAC,GAAG,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,MAAmB;IACnD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAClB,OAAO;YACL,EAAE;YACF,KAAK,CAAC,IAAI,CAAC,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC;YAC9B,KAAK,CAAC,IAAI,CAAC,WAAW,MAAM,CAAC,IAAI,IAAI,SAAS,EAAE,CAAC;YACjD,KAAK,CAAC,IAAI,CAAC,iCAAiC,CAAC;YAC7C,EAAE;SACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC;IAED,MAAM,YAAY,GAAG,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAClD,MAAM,UAAU,GAAG,eAAe,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAEtD,MAAM,KAAK,GAAa;QACtB,EAAE;QACF,KAAK,CAAC,IAAI,CAAC,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC;QAC9B,qBAAqB,MAAM,CAAC,IAAI,EAAE;QAClC,qBAAqB,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,EAAE;QACjE,qBAAqB,UAAU,CAAC,eAAe,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,KAAK,MAAM,CAAC,UAAU,KAAK;QAC9F,qBAAqB,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE;QACnD,qBAAqB,MAAM,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE;QAClG,qBAAqB,MAAM,CAAC,cAAc,EAAE;KAC7C,CAAC;IAEF,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC
,CAAC;QACzC,KAAK,CAAC,IAAI,CAAC,qBAAqB,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QAC/C,KAAK,CAAC,IAAI,CAAC,qBAAqB,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;QACnD,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,MAAM,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC;YAC5B,MAAM,KAAK,GAAa,EAAE,CAAC;YAC3B,IAAI,EAAE,CAAC,OAAO,GAAG,CAAC;gBAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,OAAO,UAAU,CAAC,CAAC,CAAC;YACnE,IAAI,EAAE,CAAC,OAAO,GAAG,CAAC;gBAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,OAAO,UAAU,CAAC,CAAC,CAAC;YACtE,IAAI,EAAE,CAAC,IAAI,GAAG,CAAC;gBAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,OAAO,CAAC,CAAC,CAAC;YAC5D,KAAK,CAAC,IAAI,CAAC,qBAAqB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,QAAuB,EACvB,QAAgB;IAEhB,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CACR,KAAK,CAAC,IAAI,CACR,kBAAkB,QAAQ,CAAC,IAAI,CAAC,KAAK,sBAAsB,QAAQ,CAAC,IAAI,CAAC,KAAK,WAAW,QAAQ,CAAC,IAAI,CAAC,QAAQ,YAAY,CAC5H,CACF,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,eAAe;IACf,MAAM,SAAS,GAAG,EAAE,CAAC;IACrB,MAAM,SAAS,GAAG,EAAE,CAAC;IACrB,MAAM,YAAY,GAAG,EAAE,CAAC;IACxB,MAAM,UAAU,GAAG,EAAE,CAAC;IACtB,MAAM,UAAU,GAAG,CAAC,CAAC;IACrB,MAAM,QAAQ,GAAG,CAAC,CAAC;IAEnB,KAAK,CAAC,IAAI,CACR,IAAI;QACF,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC;QAC3B,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC;QACxB,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC;QAC9B,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC;QAC1B,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC;QAC1B,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAC1B,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,SAAS,GAAG,SAAS,GAAG,YAAY,GAAG,UAAU,GAAG,UAAU,GAAG,QAAQ,CAAC,CAAC,CAAC;IAEzG,KAAK,MAAM,MAAM,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;QACtC,MAAM,YAAY,GAAG,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAClD,MAAM,UAAU,GAAG,eAAe,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAEtD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,SAAS,GAAG,CAAC;YAC7C,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,SAAS,GAAG,CAAC,CAAC
,GAAG,KAAK;YACjD,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC;QAEhB,KAAK,CAAC,IAAI,CACR,IAAI;YACF,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;YACtB,CAAC,MAAM,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC;YACtC,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YAC/D,UAAU,CAAC,eAAe,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YACjE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC;YACjF,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAClE,CAAC;IACJ,CAAC;IAED,UAAU;IACV,MAAM,cAAc,GAAG,QAAQ,CAAC,OAAO,CAAC,MAAM,CAC5C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,UAAU,GAAG,QAAQ,CAC1C,CAAC;IACF,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAE1D,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,KAAK,CAAC,IAAI,CACR,KAAK,CAAC,MAAM,CACV,SAAS,cAAc,CAAC,MAAM,yCAAyC,QAAQ,GAAG,CACnF,CACF,CAAC;QACF,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;YACjC,KAAK,CAAC,IAAI,CACR,KAAK,CAAC,MAAM,CACV,WAAW,GAAG,CAAC,IAAI,iBAAiB,GAAG,CAAC,UAAU,cAAc,GAAG,CAAC,OAAO,GAAG,CAC/E,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,KAAK,CAAC,IAAI,CACR,KAAK,CAAC,IAAI,CACR,SAAS,QAAQ,CAAC,MAAM,oCAAoC,CAC7D,CACF,CAAC;QACF,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;YAC3B,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAED,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzD,KAAK,CAAC,IAAI,CACR,KAAK,CAAC,KAAK,CACT,SAAS,QAAQ,CAAC,IAAI,CAAC,KAAK,sCAAsC,QAAQ,GAAG,CAC9E,CACF,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,IAAa;IACtC,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACvC,CAAC"}
@@ -0,0 +1,6 @@
1
+ /**
2
+ * Parsers for dependency files (package.json, requirements.txt).
3
+ */
4
+ import type { PackageQuery } from "../api/client.js";
5
+ export declare function parseDependencyFile(filePath: string): Promise<PackageQuery[]>;
6
+ //# sourceMappingURL=parser.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"parser.d.ts","sourceRoot":"","sources":["../../src/utils/parser.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAErD,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,YAAY,EAAE,CAAC,CAezB"}
@@ -0,0 +1,55 @@
1
+ /**
2
+ * Parsers for dependency files (package.json, requirements.txt).
3
+ */
4
+ import { readFile } from "node:fs/promises";
5
+ import { basename } from "node:path";
6
+ export async function parseDependencyFile(filePath) {
7
+ const fileName = basename(filePath);
8
+ const content = await readFile(filePath, "utf-8");
9
+ if (fileName === "package.json") {
10
+ return parsePackageJson(content);
11
+ }
12
+ if (fileName === "requirements.txt") {
13
+ return parseRequirementsTxt(content);
14
+ }
15
+ throw new Error(`Unsupported dependency file: ${fileName}. Supported: package.json, requirements.txt`);
16
+ }
17
+ function parsePackageJson(content) {
18
+ const pkg = JSON.parse(content);
19
+ const packages = [];
20
+ const seen = new Set();
21
+ for (const deps of [pkg.dependencies, pkg.devDependencies]) {
22
+ if (!deps)
23
+ continue;
24
+ for (const name of Object.keys(deps)) {
25
+ if (!seen.has(name)) {
26
+ seen.add(name);
27
+ packages.push({ name });
28
+ }
29
+ }
30
+ }
31
+ return packages;
32
+ }
33
+ function parseRequirementsTxt(content) {
34
+ const packages = [];
35
+ const seen = new Set();
36
+ for (const rawLine of content.split("\n")) {
37
+ const line = rawLine.trim();
38
+ // Skip empty lines and comments
39
+ if (!line || line.startsWith("#") || line.startsWith("-")) {
40
+ continue;
41
+ }
42
+ // Extract package name (before version specifiers)
43
+ const match = line.match(/^([a-zA-Z0-9_-]+(?:\[[a-zA-Z0-9_,-]+\])?)/);
44
+ if (match) {
45
+ // Strip extras like [security] from requests[security]
46
+ const name = match[1].replace(/\[.*\]/, "");
47
+ if (!seen.has(name)) {
48
+ seen.add(name);
49
+ packages.push({ name });
50
+ }
51
+ }
52
+ }
53
+ return packages;
54
+ }
55
+ //# sourceMappingURL=parser.js.map
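Review bot: In parseRequirementsTxt the name pattern `[a-zA-Z0-9_-]+` has no `.`, so a requirement like `zope.interface==6.0` (constructed example) is cut to `zope` and the trust lookup runs against a different package than the one pip would install. Widen the character class and match the extras separately, e.g. `const match = line.match(/^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?/);`, then use `match[1]` directly instead of the `replace(/\[.*\]/, "")` step. The same function skips every line starting with `-`, which also drops `-r` includes and `-e` editable/VCS installs with no message; these should be listed as unaudited so a clean report is not mistaken for full coverage. parsePackageJson queries only the dependency key and reads just `dependencies` and `devDependencies`, so an entry whose value is an `npm:` alias or a git/URL spec presumably gets a verdict for a name that is not what is installed. This file is compiler output, so the changes belong in the TypeScript source named in its source map (`src/utils/parser.ts`).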
@@ -0,0 +1 @@
1
+ {"version":3,"file":"parser.js","sourceRoot":"","sources":["../../src/utils/parser.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAGrC,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,QAAgB;IAEhB,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAElD,IAAI,QAAQ,KAAK,cAAc,EAAE,CAAC;QAChC,OAAO,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC;IAED,IAAI,QAAQ,KAAK,kBAAkB,EAAE,CAAC;QACpC,OAAO,oBAAoB,CAAC,OAAO,CAAC,CAAC;IACvC,CAAC;IAED,MAAM,IAAI,KAAK,CACb,gCAAgC,QAAQ,6CAA6C,CACtF,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAe;IACvC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAG7B,CAAC;IAEF,MAAM,QAAQ,GAAmB,EAAE,CAAC;IACpC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,KAAK,MAAM,IAAI,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,GAAG,CAAC,eAAe,CAAC,EAAE,CAAC;QAC3D,IAAI,CAAC,IAAI;YAAE,SAAS;QACpB,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACrC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACpB,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACf,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAe;IAC3C,MAAM,QAAQ,GAAmB,EAAE,CAAC;IACpC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,KAAK,MAAM,OAAO,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;QAE5B,gCAAgC;QAChC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1D,SAAS;QACX,CAAC;QAED,mDAAmD;QACnD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;QACtE,IAAI,KAAK,EAAE,CAAC;YACV,uDAAuD;YACvD,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;YAC5C,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACpB,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACf,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
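--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,44 @@
+{
+"name": "ai-trust",
+"version": "0.1.0",
+"description": "Trust verification CLI for AI packages — check MCP servers, A2A agents, and AI tools before you install",
+"type": "module",
+"main": "dist/index.js",
+"bin": {
+"ai-trust": "dist/index.js"
+},
+"files": [
+"dist"
+],
+"scripts": {
+"build": "tsc",
+"dev": "ts-node src/index.ts",
+"lint": "tsc --noEmit",
+"test": "echo \"No tests yet\" && exit 0"
+},
+"keywords": [
+"ai",
+"trust",
+"security",
+"mcp",
+"a2a",
+"supply-chain",
+"cli",
+"model-context-protocol",
+"ai-agent",
+"opena2a"
+],
+"author": "OpenA2A",
+"license": "Apache-2.0",
+"dependencies": {
+"chalk": "^5.3.0",
+"commander": "^12.1.0"
+},
+"devDependencies": {
+"@types/node": "^20.11.0",
+"typescript": "^5.3.0"
+},
+"engines": {
+"node": ">=18.0.0"
+}
+}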
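Review bot: The `test` script is `echo \"No tests yet\" && exit 0`, so any pipeline that runs `npm test` goes green without exercising the code that decides which package names are sent for a trust lookup. For a tool whose report is meant to gate installs, the dependency-file parsers need at least a few fixture tests (scoped npm names, dotted PyPI names, extras, `-r` lines). Node's built-in runner would avoid a new dependency, e.g. `"test": "tsc && node --test"`, though `--test` needs Node 18.1 or later, so the `engines` floor of `>=18.0.0` would have to move with it. Separately, the `dev` script calls `ts-node`, which is not listed under `devDependencies`.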