npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

a2m-submit

v1.1.8

Published

Zero-friction CLI to list your AI project on the A2M marketplace. One command. No forms.

Readme

A2M — AI App Marketplace

Zero-friction CLI to list your AI project on a2m.one in one command.

What is A2M?

A2M (Agent-to-Marketplace) is a hosted registry and discovery platform for AI applications, MCP servers, and agents. It consists of:

  • a2m-submit — a CLI tool published on npm that submits any project to the registry
  • a2m.one — the public marketplace frontend
  • api.a2m.one — the REST API backing the registry
  • repo.spot — reserved for a future discovery/aggregator spinoff

Quick Start (end users)

# 1. Log in with GitHub or Google (one-time, saves key to ~/.a2m/config.json)
npx a2m-submit login

# 2. Submit your project from its directory
cd /path/to/your/project
npx a2m-submit --workspace . --submit

That's it. Your listing appears at https://a2m.one/listings/your-project-name.

CLI Reference

npx a2m-submit                    # show quick start
npx a2m-submit --help             # full usage reference
npx a2m-submit login              # authenticate via GitHub or Google
npx a2m-submit whoami             # show stored credentials
npx a2m-submit logout             # remove stored credentials
npx a2m-submit --workspace . --submit              # submit & publish
npx a2m-submit --workspace . --submit --draft      # submit as draft
npx a2m-submit --workspace . --publish             # promote draft to published
npx a2m-submit --workspace . --remove              # remove listing

All flags

| Flag | Description | |------|-------------| | --workspace <path> | Project directory to scan (default: .) | | --submit | Build manifest and submit to registry | | --draft | Submit as draft (not publicly listed) | | --publish | Promote an existing draft to published | | --remove | Remove listing from registry | | --api-key <key> | API key (or set A2M_API_KEY env var) | | --out <path> | Write manifest JSON to file | | --pretty | Pretty-print manifest JSON | | --private | Hide repository URL from listing | | --license <id> | Override license identifier | | --changelog <file> | Load changelog from file | | --author-name <name> | Override author name | | --author-email <email> | Override author email | | --website <url> | Override website URL | | --twitter / --linkedin / --discord / --github <url> | Social links | | --audit | Run local pre-flight security scan (secrets + dependency vulnerabilities) | | --audit-model <id> | Specify model instance for local pre-flight review | | --audit-endpoint <url> | Override local API endpoint (default: localhost:11434 for Ollama) |

Local Security Audit Scan

The CLI includes a built-in pre-flight DevSecOps security scan powered by local AI tooling (Ollama, Gemini, Anthropic, OpenAI, or local developer agents). It performs:

  1. Secrets Scan (repo-security-scan style): Recursively checks files in the workspace for exposed keys, tokens, and passwords.
  2. Dependency Audit (auditscan style): Scans the project's packages for known vulnerabilities.
  3. AI DevSecOps Review: Queries a local/cloud LLM or local developer agent with the scan findings to assess risk, map the attack surface, and calculate a Security Trust Score before submission.

By default, when running --submit interactively, the CLI will search for local AI clients and offer to run this pre-flight scan automatically. If multiple local clients are discovered (such as codex, opencode, hermes, claude, gemini, or ollama), it displays an interactive selection list.

Scoring Calibration & Registry Sync

  • Score Calibration: The DevSecOps review prompt is calibrated to distinguish between active production secret exposures (which fail the scan under 40/100) and minor structural warnings. For instance, git-tracked environment configuration files (like pm2.config.cjs or .env templates) containing only default development or placeholder values result in warning-level ratings in the 65–75 / 100 range rather than critical failures.
  • Registry Sync: When a local pre-flight scan is completed, the full AI audit report (including risk assessments, attack surface maps, remediation steps, and score) is embedded in the manifest's security_signals. Upon submission, the API server saves these findings as a local_audit scan in the database.
  • Frontend Sync: The composite trust score and detailed scans breakdown popup on a2m.one are prioritized using this deep local pre-flight report, ensuring that the score displayed on the web dashboard matches the CLI review. If the verification status resolves as warning-level, it displays a distinct ⚠️ Warning badge.

API key precedence

--api-key flag → A2M_API_KEY env var → ~/.a2m/config.json → (none)

Project Structure

ai-marketplace/
├── src/           # CLI tool source (TypeScript)
├── shared/        # Shared types & Zod validator
├── server/        # Hono API server + Drizzle ORM + Postgres
├── web/           # Next.js 14 marketplace frontend
├── docker/        # Docker Compose (Postgres)
├── nginx/         # Nginx vhost configs for a2m.one + api.a2m.one
├── scripts/       # Seed scripts (seed-500-agents.mjs)
├── docs/          # Architecture, ops, smoke test docs
├── tests/         # CLI Vitest test suites
└── server/tests/  # Server Vitest test suites

Tech Stack

| Layer | Tech | |-------|------| | CLI | TypeScript, Node 22, zod | | API | Hono, Drizzle ORM, Postgres 15 | | Frontend | Next.js 14 (App Router), Tailwind CSS | | Auth | GitHub OAuth, Google OAuth (loopback CLI flow) | | Infra | PM2, Docker Compose, Nginx, Let's Encrypt | | Package | npm (a2m-submit) |

Live URLs

| URL | Description | |-----|-------------| | https://a2m.one | Public marketplace | | https://api.a2m.one | REST API | | https://a2m.one/submit | Submit guide | | https://a2m.one/listings | Browse catalog | | https://a2m.one/feedback | Feedback form |

Production Operations

See docs/production-ops.md for:

  • Starting/stopping with PM2 (./start_prod.sh / ./stop_prod.sh)
  • PM2 startup for reboot survival
  • Environment variable reference
  • Nginx config overview
  • Log locations

Local Development

See USAGE.md for full local dev setup.

Quick summary:

./start.sh      # starts Postgres (Docker), API (tsx), frontend (next dev)
./stop.sh       # stops everything

Phase Map

| Phase | Description | Status | |-------|-------------|--------| | Phase 1 | CLI manifest generator, validation | ✅ Complete | | Phase 2 | Hosted registry, API, frontend, auth | ✅ Complete | | Phase 3 | A2A runtime registry, repo.spot spinoff | 🔜 Planned |

Test Status

npm test                              # 58 tests (CLI + server)
pnpm --filter @a2m/server test        # server tests only
cd web && npx next build              # frontend build check

All 58 tests passing. Next.js build clean.