JSPM

@opena2a/check-core

0.2.0
  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 107
  • Score
    100M100P100Q82367F
  • License Apache-2.0

Data-shape and orchestration primitives for the `check` command across OpenA2A CLIs. One implementation of input classification, registry → scan-on-miss flow, download-error translation, and canonical CheckOutput schema — consumed by hackmyagent, opena2a-cli, and ai-trust.

Package Exports

  • @opena2a/check-core

Readme

@opena2a/check-core

Data-shape and orchestration primitives for the check command across OpenA2A CLIs (hackmyagent, opena2a, ai-trust).

One implementation of:

  • input classification (npm / pypi / github / local / url)
  • download-error translation
  • registry-status → meter-gate mapping
  • canonical CheckOutput + NotFoundOutput JSON shape
  • registry-first, scan-on-miss orchestrator (pluggable adapters)

Rendering stays in @opena2a/cli-ui. This package is data only.

Why

Three CLIs emit check --json. Before 0.18.3 their outputs disagreed on five load-bearing fields (trustLevel, verdict, packageType, scanStatus, name). M2 closed that by convention; M3 closes it by construction — there is exactly one implementation, and every CLI imports it.

Parent design: briefs/cli-consolidation.md. Milestone: [CA-034] M3.

API

import {
  checkPackage,
  buildCheckOutput,
  buildNotFoundOutput,
  translateDownloadError,
  mapScanStatusForMeter,
  parseCheckInput,
} from "@opena2a/check-core";

Orchestrator (registry-first, scan-on-miss)

const res = await checkPackage({
  target: "@modelcontextprotocol/server-filesystem",
  mode: "scan-on-miss",
  registry: (name, type) => client.checkTrust(name, type),
  scan: (name) => runLocalScan(name),
  skillFallback: (name) => resolveSkill(name),
});

if (res.kind === "found") {
  console.log(JSON.stringify(res.output, null, 2));
} else {
  console.log(JSON.stringify(res.output, null, 2));
  process.exitCode = 2;
}

Pure helpers (for CLIs that keep their own flow)

const output = buildCheckOutput({
  name: "express",
  type: "npm-package",
  scan: { score: 100, maxScore: 100, findings: [] },
  registry: trustAnswer,
});

const hint = translateDownloadError("anthropic/code-review", "code 128");
// { errorHint: "Looks like a git-style name. npm packages use ...", suggestions: [...] }

Contract

The emission order of buildCheckOutput is load-bearing: the opena2a-parity harness compares JSON byte-for-byte across CLIs. Do not reorder fields without bumping to a new minor — consumers rely on stable shape.

License

Apache-2.0