a2m-submit
v1.1.8
Published
Zero-friction CLI to list your AI project on the A2M marketplace. One command. No forms.
Maintainers
Readme
A2M — AI App Marketplace
Zero-friction CLI to list your AI project on a2m.one in one command.
What is A2M?
A2M (Agent-to-Marketplace) is a hosted registry and discovery platform for AI applications, MCP servers, and agents. It consists of:
a2m-submit— a CLI tool published on npm that submits any project to the registrya2m.one— the public marketplace frontendapi.a2m.one— the REST API backing the registryrepo.spot— reserved for a future discovery/aggregator spinoff
Quick Start (end users)
# 1. Log in with GitHub or Google (one-time, saves key to ~/.a2m/config.json)
npx a2m-submit login
# 2. Submit your project from its directory
cd /path/to/your/project
npx a2m-submit --workspace . --submitThat's it. Your listing appears at https://a2m.one/listings/your-project-name.
CLI Reference
npx a2m-submit # show quick start
npx a2m-submit --help # full usage reference
npx a2m-submit login # authenticate via GitHub or Google
npx a2m-submit whoami # show stored credentials
npx a2m-submit logout # remove stored credentials
npx a2m-submit --workspace . --submit # submit & publish
npx a2m-submit --workspace . --submit --draft # submit as draft
npx a2m-submit --workspace . --publish # promote draft to published
npx a2m-submit --workspace . --remove # remove listingAll flags
| Flag | Description |
|------|-------------|
| --workspace <path> | Project directory to scan (default: .) |
| --submit | Build manifest and submit to registry |
| --draft | Submit as draft (not publicly listed) |
| --publish | Promote an existing draft to published |
| --remove | Remove listing from registry |
| --api-key <key> | API key (or set A2M_API_KEY env var) |
| --out <path> | Write manifest JSON to file |
| --pretty | Pretty-print manifest JSON |
| --private | Hide repository URL from listing |
| --license <id> | Override license identifier |
| --changelog <file> | Load changelog from file |
| --author-name <name> | Override author name |
| --author-email <email> | Override author email |
| --website <url> | Override website URL |
| --twitter / --linkedin / --discord / --github <url> | Social links |
| --audit | Run local pre-flight security scan (secrets + dependency vulnerabilities) |
| --audit-model <id> | Specify model instance for local pre-flight review |
| --audit-endpoint <url> | Override local API endpoint (default: localhost:11434 for Ollama) |
Local Security Audit Scan
The CLI includes a built-in pre-flight DevSecOps security scan powered by local AI tooling (Ollama, Gemini, Anthropic, OpenAI, or local developer agents). It performs:
- Secrets Scan (
repo-security-scanstyle): Recursively checks files in the workspace for exposed keys, tokens, and passwords. - Dependency Audit (
auditscanstyle): Scans the project's packages for known vulnerabilities. - AI DevSecOps Review: Queries a local/cloud LLM or local developer agent with the scan findings to assess risk, map the attack surface, and calculate a Security Trust Score before submission.
By default, when running --submit interactively, the CLI will search for local AI clients and offer to run this pre-flight scan automatically. If multiple local clients are discovered (such as codex, opencode, hermes, claude, gemini, or ollama), it displays an interactive selection list.
Scoring Calibration & Registry Sync
- Score Calibration: The DevSecOps review prompt is calibrated to distinguish between active production secret exposures (which fail the scan under 40/100) and minor structural warnings. For instance, git-tracked environment configuration files (like
pm2.config.cjsor.envtemplates) containing only default development or placeholder values result in warning-level ratings in the65–75 / 100range rather than critical failures. - Registry Sync: When a local pre-flight scan is completed, the full AI audit report (including risk assessments, attack surface maps, remediation steps, and score) is embedded in the manifest's
security_signals. Upon submission, the API server saves these findings as alocal_auditscan in the database. - Frontend Sync: The composite trust score and detailed scans breakdown popup on
a2m.oneare prioritized using this deep local pre-flight report, ensuring that the score displayed on the web dashboard matches the CLI review. If the verification status resolves as warning-level, it displays a distinct⚠️ Warningbadge.
API key precedence
--api-key flag → A2M_API_KEY env var → ~/.a2m/config.json → (none)Project Structure
ai-marketplace/
├── src/ # CLI tool source (TypeScript)
├── shared/ # Shared types & Zod validator
├── server/ # Hono API server + Drizzle ORM + Postgres
├── web/ # Next.js 14 marketplace frontend
├── docker/ # Docker Compose (Postgres)
├── nginx/ # Nginx vhost configs for a2m.one + api.a2m.one
├── scripts/ # Seed scripts (seed-500-agents.mjs)
├── docs/ # Architecture, ops, smoke test docs
├── tests/ # CLI Vitest test suites
└── server/tests/ # Server Vitest test suitesTech Stack
| Layer | Tech |
|-------|------|
| CLI | TypeScript, Node 22, zod |
| API | Hono, Drizzle ORM, Postgres 15 |
| Frontend | Next.js 14 (App Router), Tailwind CSS |
| Auth | GitHub OAuth, Google OAuth (loopback CLI flow) |
| Infra | PM2, Docker Compose, Nginx, Let's Encrypt |
| Package | npm (a2m-submit) |
Live URLs
| URL | Description |
|-----|-------------|
| https://a2m.one | Public marketplace |
| https://api.a2m.one | REST API |
| https://a2m.one/submit | Submit guide |
| https://a2m.one/listings | Browse catalog |
| https://a2m.one/feedback | Feedback form |
Production Operations
See docs/production-ops.md for:
- Starting/stopping with PM2 (
./start_prod.sh/./stop_prod.sh) - PM2 startup for reboot survival
- Environment variable reference
- Nginx config overview
- Log locations
Local Development
See USAGE.md for full local dev setup.
Quick summary:
./start.sh # starts Postgres (Docker), API (tsx), frontend (next dev)
./stop.sh # stops everythingPhase Map
| Phase | Description | Status | |-------|-------------|--------| | Phase 1 | CLI manifest generator, validation | ✅ Complete | | Phase 2 | Hosted registry, API, frontend, auth | ✅ Complete | | Phase 3 | A2A runtime registry, repo.spot spinoff | 🔜 Planned |
Test Status
npm test # 58 tests (CLI + server)
pnpm --filter @a2m/server test # server tests only
cd web && npx next build # frontend build checkAll 58 tests passing. Next.js build clean.
