opena2a baselines

Collect behavioral observations from installed packages for crowdsourced behavioral profiles.

Usage

opena2a baselines --package <name> [options]

Description

Collects static metrics from a specified installed package and submits them to the OpenA2A Registry for aggregation into crowdsourced behavioral profiles. This is an opt-in feature that must be enabled before use.

Collected metrics include: file count, total size, dependency count, lockfile presence, test script availability, and suspicious script detection. No source code or file contents are transmitted.

Opt-in required. Enable with opena2a config contribute on before using this command.

Collected Metrics

| Metric | Description |
| --- | --- |
| File count | Total number of files in the package. |
| Size | Total package size on disk. |
| Dependency count | Number of direct dependencies. |
| Lockfile | Whether a lockfile (package-lock.json, yarn.lock) is present. |
| Test scripts | Whether test scripts are defined in package.json. |
| Suspicious scripts | Detection of potentially unsafe lifecycle scripts. |

Flags

| Flag | Description |
| --- | --- |
| --package <name> | Package name to collect observations from (required). |
| --duration <seconds> | Observation duration in seconds (default: 60). |
| --registry-url <url> | Override the default registry endpoint. |
| --format <text\|json> | Output format. |
| --ci | CI mode with deterministic output. |
| --verbose | Show detailed collection progress. |

Examples

# Enable contributions, then collect baselines
opena2a config contribute on
opena2a baselines --package express

# Collect with custom duration and verbose output
opena2a baselines --package langchain --duration 120 --verbose

# Submit to a custom registry
opena2a baselines --package axios --registry-url https://registry.example.com

Behavioral Profiling

Baseline observations contribute to crowdsourced behavioral profiles in the OpenA2A Registry. When many users contribute observations for the same package, the registry builds a statistical profile of "normal" package characteristics. This profile enables anomaly detection -- if a future version of a package suddenly has significantly more files, dependencies, or suspicious scripts, the registry can flag it for review.

The observation duration (default: 60 seconds) controls how long the command collects metrics. Longer durations produce more stable readings but are primarily useful for packages with dynamic behaviors. For most packages, the default duration is sufficient.

Expected Output

$ opena2a baselines --package express --verbose

Baseline Collection
====================
Package:    express@4.18.2
Duration:   60s
Registry:   https://api.oa2a.org

Collected Metrics:
  File count:        187
  Total size:        1.2 MB
  Dependencies:      31 direct, 58 transitive
  Lockfile:          Present (package-lock.json)
  Test scripts:      Present (test, test:ci)
  Suspicious scripts: None detected

Submission: Accepted
Observations for express: 142 total (yours is observation #143)

Opt-In Contribution

The baselines command requires explicit opt-in via opena2a config contribute on before it will submit any data. Without this setting, the command collects and displays metrics locally but does not transmit them to the registry, so you can preview exactly what would be submitted before enabling contributions. No source code, file contents, or personally identifiable information is ever included in the submission -- only aggregate package-level metrics.

Error Handling

If the specified package is not installed, the command reports it as not found and lists the location searched (node_modules). If contributions are not enabled, the command displays the collected metrics and prints the command to enable contributions. When the registry is unreachable, the command completes locally and reports the connectivity error without failing.

Related Commands