Commit d453709

Update README: install methods, remove private tools (#5)
* Update README: add install methods, remove private tools, fix npx refs

  - Add npm global install and Homebrew install options alongside npx
  - Remove HMA Researcher and Hunter from adapter table and architecture
  - Fix npx commands from opena2a to opena2a-cli (matches npm package name)

* Add npm README for opena2a-cli package

  Creates packages/cli/README.md so the npm page shows proper documentation. Mirrors the root README but removes GIF image references that won't resolve on npmjs.com and adds an npm version badge.

* Sync package-lock.json with opena2a-cli package name

  The lock file still referenced the old package name "opena2a" instead of "opena2a-cli", causing npm ci to fail in CI with "Missing: opena2a-cli@0.1.0 from lock file".

* Fix PR review workflow: use file-based JSON, add error handling

  - Use jq --rawfile instead of shell variable expansion to avoid escaping issues with large diffs
  - Write request payload to file and use curl -d @file
  - Capture HTTP status code and handle non-200 responses gracefully
  - Skip review if ANTHROPIC_API_KEY is not configured
  - Also set ANTHROPIC_API_KEY secret in repo (was missing)

* Do not auto-approve PRs when review API is unavailable

  On API failure or missing key, post a comment instead of auto-approving. This prevents a security bypass where causing API errors could skip review.
1 parent de227c9 commit d453709

4 files changed

Lines changed: 323 additions & 20 deletions

.github/workflows/pr-review.yml

Lines changed: 30 additions & 10 deletions
@@ -32,19 +32,37 @@ jobs:
3232
env:
3333
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
3434
run: |
35-
DIFF=$(cat /tmp/pr-diff.txt)
36-
RESPONSE=$(curl -s https://api.anthropic.com/v1/messages \
35+
if [ -z "$ANTHROPIC_API_KEY" ]; then
36+
echo "ANTHROPIC_API_KEY not set"
37+
echo "verdict=SKIP" >> "$GITHUB_OUTPUT"
38+
echo "Review skipped: ANTHROPIC_API_KEY not configured. Set the secret to enable automated reviews." > /tmp/review.txt
39+
exit 0
40+
fi
41+
42+
# Build JSON payload from file to avoid shell escaping issues
43+
jq -n --rawfile diff /tmp/pr-diff.txt '{
44+
model: "claude-sonnet-4-5-20250929",
45+
max_tokens: 4096,
46+
system: "You are a security-focused code reviewer for the OpenA2A platform (TypeScript monorepo, npm workspaces, Turborepo). Review for: 1) Security vulnerabilities (OWASP Top 10, credential exposure, injection) 2) TypeScript best practices 3) Architecture consistency 4) Test coverage. End with VERDICT: APPROVE or REQUEST_CHANGES.",
47+
messages: [{role: "user", content: ("Review this PR diff:\n\n" + $diff)}]
48+
}' > /tmp/request.json
49+
50+
HTTP_CODE=$(curl -s -o /tmp/response.json -w '%{http_code}' \
51+
https://api.anthropic.com/v1/messages \
3752
-H "x-api-key: $ANTHROPIC_API_KEY" \
3853
-H "anthropic-version: 2023-06-01" \
3954
-H "content-type: application/json" \
40-
-d "$(jq -n --arg diff "$DIFF" '{
41-
model: "claude-sonnet-4-5-20250929",
42-
max_tokens: 4096,
43-
system: "You are a security-focused code reviewer for the OpenA2A platform (TypeScript monorepo, npm workspaces, Turborepo). Review for: 1) Security vulnerabilities (OWASP Top 10, credential exposure, injection) 2) TypeScript best practices 3) Architecture consistency 4) Test coverage. End with VERDICT: APPROVE or REQUEST_CHANGES.",
44-
messages: [{role: "user", content: ("Review this PR diff:\n\n" + $diff)}]
45-
}')")
55+
-d @/tmp/request.json)
56+
57+
if [ "$HTTP_CODE" != "200" ]; then
58+
echo "API returned HTTP $HTTP_CODE"
59+
cat /tmp/response.json
60+
echo "verdict=SKIP" >> "$GITHUB_OUTPUT"
61+
echo "Review could not be completed: API error (HTTP $HTTP_CODE). A manual review is required." > /tmp/review.txt
62+
exit 0
63+
fi
4664
47-
REVIEW_TEXT=$(echo "$RESPONSE" | jq -r '.content[0].text // "Review failed"')
65+
REVIEW_TEXT=$(jq -r '.content[0].text // "Review failed"' /tmp/response.json)
4866
echo "$REVIEW_TEXT" > /tmp/review.txt
4967
5068
if echo "$REVIEW_TEXT" | grep -q "VERDICT: APPROVE"; then
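
Review bot: The approval decision on the unchanged grep -q "VERDICT: APPROVE" line is still a substring match over free-form model output, while the prompt built in the new jq block embeds the PR diff, which the PR author controls. The string can therefore show up in the review because the model quoted or followed text from the diff rather than because it reached that verdict. Suggest matching only the last line exactly, for example tail -n 1 /tmp/review.txt | grep -qx "VERDICT: APPROVE", and mapping a 200 response with no .content[0].text (the "Review failed" fallback) to verdict=SKIP like the two new failure paths.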
@@ -60,7 +78,9 @@ jobs:
6078
REVIEW_BODY=$(cat /tmp/review.txt)
6179
VERDICT="${{ steps.review.outputs.verdict }}"
6280
63-
if [ "$VERDICT" = "APPROVE" ]; then
81+
if [ "$VERDICT" = "SKIP" ]; then
82+
gh pr comment ${{ github.event.pull_request.number }} --body "$REVIEW_BODY"
83+
elif [ "$VERDICT" = "APPROVE" ]; then
6484
gh pr review ${{ github.event.pull_request.number }} --approve --body "$REVIEW_BODY" || \
6585
gh pr comment ${{ github.event.pull_request.number }} --body "$REVIEW_BODY"
6686
else
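
Review bot: In the new SKIP branch the step only posts a comment, and both SKIP paths in the review step end with exit 0, so the job finishes green when no review took place. If this workflow is used as a required status check, a skipped review is indistinguishable from a passed one. Suggest exiting non-zero after the gh pr comment call in the SKIP branch, or otherwise marking the check as failed, so the "manual review is required" message is enforced rather than advisory.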

README.md

Lines changed: 11 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,14 @@ Credential detection, scope drift analysis, config integrity, runtime monitoring
1818
## Install
1919

2020
```bash
21-
npx opena2a init
21+
# Try without installing
22+
npx opena2a-cli init
23+
24+
# Install globally
25+
npm install -g opena2a-cli
26+
27+
# Homebrew (macOS/Linux)
28+
brew tap opena2a-org/tap && brew install opena2a
2229
```
2330

2431
No configuration required. Works with Node.js, Python, Go, and MCP server projects.
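
Review bot: The install block now uses three names for one tool: opena2a-cli for npx and npm, opena2a for the Homebrew formula, and opena2a for the commands shown further down in the README. Add one sentence after the code block stating which binary name each install method provides and that the npm package name is opena2a-cli, so readers who remember the old "npx opena2a init" line do not run a package of a different name.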
@@ -201,8 +208,6 @@ The CLI orchestrates these specialized tools through a unified interface:
201208
| `opena2a secrets` | [Secretless AI](https://github.com/opena2a-org/secretless-ai) | Credential management for AI coding tools |
202209
| `opena2a benchmark` | [OASB](https://github.com/opena2a-org/oasb) | 222 attack scenarios, compliance scoring |
203210
| `opena2a registry` | [AI Trust](https://github.com/opena2a-org/ai-trust) | Trust Registry queries, package verification |
204-
| `opena2a research` | [HMA Researcher](https://github.com/opena2a-org/hma-researcher) | Autonomous security research agent |
205-
| `opena2a hunt` | [HMA Hunter](https://github.com/opena2a-org/hma-hunter) | Multi-turn attack decomposition |
206211
| `opena2a train` | [DVAA](https://github.com/opena2a-org/damn-vulnerable-ai-agent) | Vulnerable AI agent for training |
207212
| `opena2a crypto` | [CryptoServe](https://github.com/ecolibria/crypto-serve) | Cryptographic inventory, PQC readiness |
208213
| `opena2a identity` | [AIM](https://github.com/opena2a-org/agent-identity-management) | Agent identity management |
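
Review bot: The two removed rows carried repository URLs for the tools the commit title calls private, and deleting them from README.md leaves those names and links in this file's history. If the repository names themselves are meant to stay undisclosed, that needs handling outside this change; if only the documentation is being trimmed, say so in the commit message. Also confirm that the research and hunt subcommands no longer appear in the CLI's help output, since this hunk only touches the table.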
@@ -218,16 +223,16 @@ All commands support `--format json` and `--ci` flags for pipeline integration:
218223
```yaml
219224
# GitHub Actions example
220225
- name: Security assessment
221-
run: npx opena2a init --ci --format json > security-report.json
226+
run: npx opena2a-cli init --ci --format json > security-report.json
222227

223228
- name: Credential check
224229
run: |
225-
npx opena2a protect --dry-run --ci --format json > cred-report.json
230+
npx opena2a-cli protect --dry-run --ci --format json > cred-report.json
226231
# Fail if credentials found
227232
jq -e '.totalFound == 0' cred-report.json
228233
229234
- name: Config integrity
230-
run: npx opena2a guard verify --ci
235+
run: npx opena2a-cli guard verify --ci
231236
```
232237
233238
## Output Formats
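
Review bot: The three changed run: lines in the CI example call npx opena2a-cli without a version, so every pipeline run downloads and executes whatever release is current at that moment. For a security tool that runs inside CI, the documented example should pin an exact version, for instance npx opena2a-cli@<version> init --ci --format json, and note that the pin is bumped deliberately.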
@@ -256,8 +261,6 @@ opena2a CLI
256261
+-- secrets -> secretless-ai
257262
+-- benchmark -> @opena2a/oasb
258263
+-- registry -> ai-trust
259-
+-- research -> hma-researcher
260-
+-- hunt -> hma-hunter
261264
+-- train -> opena2a/dvaa (Docker)
262265
+-- crypto -> cryptoserve (Python)
263266
+-- identity -> aim

package-lock.json

Lines changed: 2 additions & 2 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
