npm - opena2a-cli - Versions diffs - 0.5.6 → 0.5.8 - Mend

opena2a-cli 0.5.6 → 0.5.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (63) hide show

package/README.md +42 -10
package/dist/commands/atp-types.d.ts +70 -0
package/dist/commands/atp-types.d.ts.map +1 -0
package/dist/commands/atp-types.js +8 -0
package/dist/commands/atp-types.js.map +1 -0
package/dist/commands/claim.d.ts +42 -0
package/dist/commands/claim.d.ts.map +1 -0
package/dist/commands/claim.js +437 -0
package/dist/commands/claim.js.map +1 -0
package/dist/commands/detect.js +1 -1
package/dist/commands/detect.js.map +1 -1
package/dist/commands/guard-policy.js +1 -1
package/dist/commands/guard-policy.js.map +1 -1
package/dist/commands/guard.js +1 -1
package/dist/commands/guard.js.map +1 -1
package/dist/commands/identity.js +1 -1
package/dist/commands/identity.js.map +1 -1
package/dist/commands/init.d.ts.map +1 -1
package/dist/commands/init.js +4 -2
package/dist/commands/init.js.map +1 -1
package/dist/commands/mcp-audit.d.ts.map +1 -1
package/dist/commands/mcp-audit.js +1 -0
package/dist/commands/mcp-audit.js.map +1 -1
package/dist/commands/review.js +10 -10
package/dist/commands/review.js.map +1 -1
package/dist/commands/runtime.d.ts +9 -0
package/dist/commands/runtime.d.ts.map +1 -1
package/dist/commands/runtime.js +33 -0
package/dist/commands/runtime.js.map +1 -1
package/dist/commands/shield.js +1 -1
package/dist/commands/shield.js.map +1 -1
package/dist/commands/trust.d.ts +30 -0
package/dist/commands/trust.d.ts.map +1 -0
package/dist/commands/trust.js +295 -0
package/dist/commands/trust.js.map +1 -0
package/dist/index.js +61 -5
package/dist/index.js.map +1 -1
package/dist/natural/intent-map.js +2 -2
package/dist/natural/intent-map.js.map +1 -1
package/dist/router.d.ts.map +1 -1
package/dist/router.js +27 -0
package/dist/router.js.map +1 -1
package/dist/semantic/command-index.json +13 -4
package/dist/shield/detect.d.ts.map +1 -1
package/dist/shield/detect.js +1 -0
package/dist/shield/detect.js.map +1 -1
package/dist/shield/init.d.ts +9 -0
package/dist/shield/init.d.ts.map +1 -1
package/dist/shield/init.js +25 -21
package/dist/shield/init.js.map +1 -1
package/dist/shield/integrity.js +6 -6
package/dist/shield/integrity.js.map +1 -1
package/dist/util/ai-config.d.ts.map +1 -1
package/dist/util/ai-config.js +1 -1
package/dist/util/ai-config.js.map +1 -1
package/dist/util/detect.d.ts.map +1 -1
package/dist/util/detect.js +32 -6
package/dist/util/detect.js.map +1 -1
package/dist/util/report-submission.js +1 -1
package/dist/util/report-submission.js.map +1 -1
package/dist/util/scoring.js +5 -5
package/dist/util/scoring.js.map +1 -1
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -39,10 +39,10 @@ No configuration required. Works with Node.js, Python, Go, and MCP server projec
 ## What It Does
-Run `opena2a init` in any project directory to get an instant security assessment:
+Run `opena2a init` in any project directory to get a read-only security assessment:
 ```
-  OpenA2A Security Report  v0.5.5
+  OpenA2A Security Report  v0.5.7
   Project      myapp v2.1.0
   Type         Node.js + MCP server
@@ -117,7 +117,7 @@ opena2a review --format json       # JSON output for CI
 ### `opena2a init`
-Assess your project's security posture. Detects project type, scans for credentials, checks hygiene (`.gitignore`, `.env` protection, lock file, security config), calculates a trust score (0-100), and provides prioritized next steps.
+Read-only security assessment. Detects project type (Node.js, Python via `pyproject.toml`, Go via `go.mod`), scans for credentials, checks hygiene (`.gitignore`, `.env` protection, lock file, security config, `.mcp/config.json`), calculates a trust score (0-100), and provides prioritized next steps. Does not modify any files -- use `opena2a protect` or `opena2a shield init` to take action.
 ```bash
 opena2a init                    # Assess current directory
@@ -126,6 +126,8 @@ opena2a init --verbose          # Show individual credential details
 opena2a init --format json      # Machine-readable output for CI
 ```
+For a full security orchestration (credential scanning, policy generation, shell hooks, event log), use `opena2a shield init` instead.
 ### `opena2a protect`
 Single command to fix all auto-fixable findings. Migrates credentials, fixes `.gitignore`, excludes AI config files from git, signs config files, and shows before/after security score.
@@ -197,6 +199,31 @@ opena2a config contribute on      # Enable community data sharing
 opena2a config llm on             # Enable LLM-powered command matching
 ```
+### `opena2a trust`
+Look up the trust profile for an AI agent or MCP server from the OpenA2A Trust Registry (Agent Trust Protocol).
+```bash
+opena2a trust express                  # Look up npm package
+opena2a trust langchain --source pypi  # Look up PyPI package
+opena2a trust https://github.com/org/repo  # GitHub URL (auto-parsed)
+opena2a trust                          # Auto-detect from package.json in cwd
+opena2a trust express --json           # Machine-readable output
+opena2a trust express --verbose        # Show full posture details
+```
+Defaults to npm as the source when `--source` is not specified. Supports `npm`, `pypi`, and `github` sources.
+### `opena2a claim`
+Claim ownership of a discovered agent in the Trust Registry. Verifies ownership via npm or GitHub, generates an Ed25519 keypair at `~/.opena2a/keys/`, and links the profile to your verified identity.
+```bash
+opena2a claim my-agent                 # Claim via npm ownership verification
+opena2a claim                          # Auto-detect from package.json in cwd
+opena2a claim my-agent --json          # Machine-readable output
+```
 ## Shield: Unified Security Orchestration
 Shield ties all OpenA2A tools into a single security layer for AI coding assistants. It provides a tamper-evident event log, policy evaluation, runtime monitoring, session identification, integrity verification, and LLM-powered analysis.
@@ -240,7 +267,7 @@ Full environment scan: detects project type, scans for credentials, discovers AI
 ```bash
 opena2a shield init                    # Scan current directory
 opena2a shield init --dir ./my-agent   # Scan specific directory
-opena2a shield init --format json      # Machine-readable output
+opena2a shield init --format json      # Single valid JSON document for CI
 ```
 #### `opena2a shield status`
@@ -268,7 +295,7 @@ opena2a shield log --format json           # JSON output
 #### `opena2a shield selfcheck`
-Runs five integrity checks: policy hash, shell hook content, event chain validity, process binary, and artifact signatures. Returns `healthy`, `degraded`, or `compromised` status.
+Runs five integrity checks: policy hash, shell hook content, event chain validity, process binary, and artifact signatures. Returns `healthy`, `degraded`, or `compromised` status. Event chain gaps (e.g., from log rotation) report as `degraded` rather than `compromised`, since they indicate data loss rather than tampering.
 ```bash
 opena2a shield selfcheck
@@ -403,19 +430,22 @@ Shield maintains a tamper-evident event log. Events are stored in the project-lo
 ### Quick Start
 ```bash
-# 1. Initialize Shield in your project
+# 1. Initialize Shield (full 11-step orchestration)
 opena2a shield init
-# 2. Check what AI assistants are running
+# 2. Look up trust profiles for your dependencies
+opena2a trust express
+# 3. Check what AI assistants are running
 opena2a shield session
-# 3. View security events
+# 4. View security events
 opena2a shield log --severity medium
-# 4. Generate a posture report
+# 5. Generate a posture report
 opena2a shield report
-# 5. Run integrity verification
+# 6. Run integrity verification
 opena2a shield selfcheck
 ```
@@ -451,6 +481,8 @@ The CLI orchestrates these specialized tools through a unified interface:
 | `opena2a identity` | [AIM](https://github.com/opena2a-org/agent-identity-management) | Agent identity management |
 | `opena2a broker` | [Secretless AI](https://github.com/opena2a-org/secretless-ai) | Identity-aware credential broker daemon |
 | `opena2a dlp` | [Secretless AI](https://github.com/opena2a-org/secretless-ai) | Data loss prevention for AI tool transcripts |
+| `opena2a trust` | [OpenA2A Registry](https://registry.opena2a.org) | Agent Trust Protocol lookup (npm, PyPI, GitHub) |
+| `opena2a claim` | [OpenA2A Registry](https://registry.opena2a.org) | Claim ownership of a discovered agent |
 Adapters install tools on first use. Each tool works standalone or through the CLI.

package/dist/commands/atp-types.d.ts ADDED Viewed

@@ -0,0 +1,70 @@
+/**
+ * Agent Trust Protocol (ATP) types.
+ * TypeScript interfaces for the public trust lookup and claim APIs
+ * on the OpenA2A Registry.
+ */
+export interface TrustPosture {
+    hardeningPassRate: number;
+    oasbCompliance: number;
+    soulConformance: string;
+    attackSurfaceRisk: string;
+    supplyChainHealth: number;
+    a2asCertified: boolean;
+}
+export interface TrustFactors {
+    verification: number;
+    uptime: number;
+    actionSuccess: number;
+    securityAlerts: number;
+    compliance: number;
+    age: number;
+    drift: number;
+    feedback: number;
+}
+export type TrustLevel = 'discovered' | 'scanned' | 'claimed' | 'verified' | 'certified';
+export interface SupplyChainInfo {
+    totalDependencies: number;
+    criticalVulnerabilities: number;
+    highVulnerabilities: number;
+    lastPublished: string;
+    maintainerCount: number;
+}
+export interface TrustLookupResponse {
+    agentId: string;
+    name: string;
+    source: string;
+    version: string;
+    publisher: string;
+    publisherVerified: boolean;
+    trustScore: number;
+    trustLevel: TrustLevel;
+    posture?: TrustPosture;
+    factors?: TrustFactors;
+    capabilities?: string[];
+    supplyChain?: SupplyChainInfo;
+    lastScanned: string;
+    profileUrl: string;
+}
+export interface OwnershipProof {
+    method: 'npm' | 'github' | 'pypi';
+    /** npm: username, github: owner/repo, pypi: token prefix */
+    identity: string;
+    /** Opaque proof payload (varies by method) */
+    evidence: string;
+}
+export interface ClaimRequest {
+    agentId: string;
+    proof: OwnershipProof;
+    publicKey: string;
+}
+export interface ClaimResponse {
+    success: boolean;
+    agentId: string;
+    previousTrustLevel: TrustLevel;
+    newTrustLevel: TrustLevel;
+    previousTrustScore: number;
+    newTrustScore: number;
+    profileUrl: string;
+    error?: string;
+}
+//# sourceMappingURL=atp-types.d.ts.map

package/dist/commands/atp-types.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"atp-types.d.ts","sourceRoot":"","sources":["../../src/commands/atp-types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,WAAW,YAAY;IAC3B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,cAAc,EAAE,MAAM,CAAC;IACvB,eAAe,EAAE,MAAM,CAAC;IACxB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,aAAa,EAAE,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,YAAY;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,MAAM,UAAU,GAAG,YAAY,GAAG,SAAS,GAAG,SAAS,GAAG,UAAU,GAAG,WAAW,CAAC;AAEzF,MAAM,WAAW,eAAe;IAC9B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,uBAAuB,EAAE,MAAM,CAAC;IAChC,mBAAmB,EAAE,MAAM,CAAC;IAC5B,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,UAAU,CAAC;IACvB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;CACpB;AAID,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IAClC,4DAA4D;IAC5D,QAAQ,EAAE,MAAM,CAAC;IACjB,8CAA8C;IAC9C,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,cAAc,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,kBAAkB,EAAE,UAAU,CAAC;IAC/B,aAAa,EAAE,UAAU,CAAC;IAC1B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB"}

package/dist/commands/atp-types.js ADDED Viewed

@@ -0,0 +1,8 @@
+"use strict";
+/**
+ * Agent Trust Protocol (ATP) types.
+ * TypeScript interfaces for the public trust lookup and claim APIs
+ * on the OpenA2A Registry.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=atp-types.js.map

package/dist/commands/atp-types.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"atp-types.js","sourceRoot":"","sources":["../../src/commands/atp-types.ts"],"names":[],"mappings":";AAAA;;;;GAIG"}

package/dist/commands/claim.d.ts ADDED Viewed

@@ -0,0 +1,42 @@
+/**
+ * opena2a claim -- Claim ownership of a discovered agent in the trust registry.
+ * Verifies package ownership via npm, GitHub, or PyPI and links the profile
+ * to the developer's verified identity.
+ *
+ * Usage:
+ *   opena2a claim @anthropic/mcp-server-fetch
+ *   opena2a claim langchain --source pypi
+ *   opena2a claim                              # reads package.json in cwd
+ */
+import type { TrustLookupResponse, OwnershipProof, ClaimResponse } from './atp-types.js';
+export interface ClaimOptions {
+    packageName?: string;
+    source?: string;
+    registryUrl?: string;
+    ci?: boolean;
+    format?: 'text' | 'json';
+    json?: boolean;
+    verbose?: boolean;
+}
+export declare const _internals: {
+    readLocalPackageName(): string | null;
+    fetchTrustLookup(registryUrl: string, packageName: string, source?: string): Promise<{
+        ok: boolean;
+        status: number;
+        data?: TrustLookupResponse;
+    }>;
+    verifyNpmOwnership(packageName: string): Promise<OwnershipProof | null>;
+    verifyGithubOwnership(packageName: string): Promise<OwnershipProof | null>;
+    generateKeypair(): Promise<{
+        publicKey: string;
+        privateKey: string;
+    }>;
+    submitClaim(registryUrl: string, agentId: string, proof: OwnershipProof, publicKey: string): Promise<{
+        ok: boolean;
+        status: number;
+        data?: ClaimResponse;
+    }>;
+    storeKeypair(agentId: string, publicKey: string, privateKey: string): Promise<string>;
+};
+export declare function claim(options: ClaimOptions): Promise<number>;
+//# sourceMappingURL=claim.d.ts.map

package/dist/commands/claim.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"claim.d.ts","sourceRoot":"","sources":["../../src/commands/claim.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,KAAK,EACV,mBAAmB,EACnB,cAAc,EACd,aAAa,EACd,MAAM,gBAAgB,CAAC;AAIxB,MAAM,WAAW,YAAY;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,EAAE,CAAC,EAAE,OAAO,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACzB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAQD,eAAO,MAAM,UAAU;4BACG,MAAM,GAAG,IAAI;kCActB,MAAM,eACN,MAAM,WACV,MAAM,GACd,OAAO,CAAC;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,mBAAmB,CAAA;KAAE,CAAC;oCAmBjC,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;uCA6BpC,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;uBAmDvD,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;6BAY5D,MAAM,WACV,MAAM,SACR,cAAc,aACV,MAAM,GAChB,OAAO,CAAC;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,aAAa,CAAA;KAAE,CAAC;0BAoCrC,MAAM,aAAa,MAAM,cAAc,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CAiB5F,CAAC;AAIF,wBAAsB,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CA2PlE"}