proof-of-commitment 1.0.0

package/README.md

@@ -0,0 +1,88 @@
+# proof-of-commitment
+
+> Supply chain risk scorer for npm and PyPI packages. Behavioral signals that can't be faked.
+
+```
+npx proof-of-commitment axios zod chalk
+```
+
+```
+──────────────────────────────────────────────────────────────────────────
+Package               Risk            Score    Maintainers  Downloads     Age
+──────────────────────────────────────────────────────────────────────────
+axios                 🔴 CRITICAL      89       1            102.0M/wk     11.6y
+  └ longevity=25 momentum=25 releases=20 maintainers=4 github=15
+zod                   🔴 CRITICAL      83       1            154.0M/wk     6.1y
+  └ longevity=25 momentum=25 releases=18 maintainers=4 github=11
+chalk                 🔴 CRITICAL      75       1            414.6M/wk     12.7y
+  └ longevity=25 momentum=22 releases=13 maintainers=4 github=11
+──────────────────────────────────────────────────────────────────────────
+
+⚠  3 CRITICAL packages found.
+   CRITICAL = sole maintainer + >10M weekly downloads (high-value attack target)
+   Full breakdown: https://getcommit.dev/audit?packages=axios,zod,chalk
+```
+
+## What this does
+
+`npm audit` finds *known* CVEs — vulnerabilities already catalogued in a database. This scores *structural risk before it becomes a CVE*.
+
+The axios attack on April 1st, 2026: `npm audit` showed zero issues beforehand. Proof of Commitment flagged axios as CRITICAL (1 maintainer, 96M downloads/week) — the exact profile that made it a high-value target.
+
+**Score dimensions:**
+- **Longevity** (25 pts) — years in production
+- **Download Momentum** (25 pts) — weekly download trend
+- **Release Consistency** (20 pts) — days since last release
+- **Maintainer Depth** (15 pts) — team size
+- **GitHub Backing** (15 pts) — organization/team support
+
+**CRITICAL** = sole maintainer + >10M weekly downloads (high-value attack target)
+
+## Usage
+
+```bash
+# Score npm packages
+npx proof-of-commitment axios zod chalk lodash express
+
+# Score PyPI packages
+npx proof-of-commitment --pypi litellm langchain requests numpy
+
+# Auto-detect from package.json or requirements.txt
+npx proof-of-commitment --file package.json
+npx proof-of-commitment --file requirements.txt
+
+# Short alias
+npx poc axios zod chalk
+```
+
+## Zero-install MCP server (for Claude, Cursor, Windsurf)
+
+Add to your AI tool's config:
+```json
+{
+  "mcpServers": {
+    "proof-of-commitment": {
+      "type": "streamable-http",
+      "url": "https://poc-backend.amdal-dev.workers.dev/mcp"
+    }
+  }
+}
+```
+
+Then ask: *"Audit the dependencies in my package.json"* or *"What's the risk profile of vercel/ai?"*
+
+## GitHub Action
+
+Posts audit results directly on your PR:
+```yaml
+- uses: piiiico/proof-of-commitment@main
+  with:
+    fail-on-critical: false
+    comment-on-pr: true
+```
+
+## Links
+
+- **Web demo:** https://getcommit.dev/audit
+- **Live watchlist:** https://getcommit.dev/watchlist (top 25 npm packages by structural risk)
+- **GitHub:** https://github.com/piiiico/proof-of-commitment

package/index.js

@@ -0,0 +1,264 @@
+#!/usr/bin/env node
+/**
+ * proof-of-commitment CLI
+ * Scores npm/PyPI packages on behavioral commitment signals.
+ * Usage: npx proof-of-commitment [packages...] [options]
+ */
+
+const API = 'https://poc-backend.amdal-dev.workers.dev/api/audit';
+const WEB = 'https://getcommit.dev/audit';
+
+// ANSI color helpers
+const c = {
+  reset: '\x1b[0m',
+  bold: '\x1b[1m',
+  dim: '\x1b[2m',
+  red: '\x1b[31m',
+  yellow: '\x1b[33m',
+  green: '\x1b[32m',
+  cyan: '\x1b[36m',
+  white: '\x1b[37m',
+  bgRed: '\x1b[41m',
+  bgYellow: '\x1b[43m',
+};
+
+const NO_COLOR = process.env.NO_COLOR || !process.stdout.isTTY;
+const col = NO_COLOR ? () => '' : (code) => code;
+
+function clr(code, text) {
+  if (NO_COLOR) return text;
+  return `${code}${text}${c.reset}`;
+}
+
+function riskColor(flags, score) {
+  if (flags && flags.includes('CRITICAL')) return c.red + c.bold;
+  if (score < 40) return c.yellow + c.bold;
+  if (score < 60) return c.yellow;
+  return c.green;
+}
+
+function riskLabel(flags, score) {
+  if (flags && flags.includes('CRITICAL')) return '🔴 CRITICAL';
+  if (score < 40) return '🟠 HIGH';
+  if (score < 60) return '🟡 MODERATE';
+  if (score < 75) return '🟡 GOOD';
+  return '🟢 HEALTHY';
+}
+
+function fmtDownloads(n) {
+  if (n >= 1e9) return (n / 1e9).toFixed(1) + 'B/wk';
+  if (n >= 1e6) return (n / 1e6).toFixed(1) + 'M/wk';
+  if (n >= 1e3) return (n / 1e3).toFixed(0) + 'K/wk';
+  return n + '/wk';
+}
+
+function padEnd(str, len) {
+  const visible = str.replace(/\x1b\[[0-9;]*m/g, '');
+  return str + ' '.repeat(Math.max(0, len - visible.length));
+}
+
+function printTable(results) {
+  const COL = {
+    name: 20, risk: 14, score: 7, maintainers: 12, downloads: 12, age: 8,
+  };
+
+  const header = [
+    padEnd(clr(c.bold, 'Package'), COL.name),
+    padEnd(clr(c.bold, 'Risk'), COL.risk),
+    padEnd(clr(c.bold, 'Score'), COL.score),
+    padEnd(clr(c.bold, 'Maintainers'), COL.maintainers),
+    padEnd(clr(c.bold, 'Downloads'), COL.downloads),
+    padEnd(clr(c.bold, 'Age'), COL.age),
+  ].join('  ');
+
+  const divider = '─'.repeat(COL.name + COL.risk + COL.score + COL.maintainers + COL.downloads + COL.age + 10);
+
+  console.log('\n' + divider);
+  console.log(header);
+  console.log(divider);
+
+  let criticalCount = 0;
+
+  for (const pkg of results) {
+    const rc = riskColor(pkg.riskFlags, pkg.score);
+    const label = riskLabel(pkg.riskFlags, pkg.score);
+    if (pkg.riskFlags && pkg.riskFlags.includes('CRITICAL')) criticalCount++;
+
+    const row = [
+      padEnd(pkg.name, COL.name),
+      padEnd(clr(rc, label), COL.risk),
+      padEnd(String(pkg.score), COL.score),
+      padEnd(String(pkg.maintainers || '?'), COL.maintainers),
+      padEnd(fmtDownloads(pkg.weeklyDownloads || 0), COL.downloads),
+      padEnd((pkg.ageYears || '?').toString().replace(/(\.\d).*/, '$1') + 'y', COL.age),
+    ].join('  ');
+
+    console.log(row);
+
+    // Score breakdown if available
+    if (pkg.scoreBreakdown) {
+      const b = pkg.scoreBreakdown;
+      const breakdown = clr(c.dim,
+        `  └ longevity=${b.longevity} momentum=${b.downloadMomentum} ` +
+        `releases=${b.releaseConsistency} maintainers=${b.maintainerDepth} github=${b.githubBacking}`
+      );
+      console.log(breakdown);
+    }
+  }
+
+  console.log(divider);
+
+  if (criticalCount > 0) {
+    console.log('\n' + clr(c.red + c.bold, `⚠  ${criticalCount} CRITICAL package${criticalCount > 1 ? 's' : ''} found.`));
+    console.log(clr(c.dim, '   CRITICAL = sole maintainer + >10M weekly downloads (high-value attack target)'));
+    console.log(clr(c.dim, `   Full breakdown: ${WEB}?packages=${results.map(r => r.name).join(',')}`));
+  } else {
+    console.log('\n' + clr(c.green, '✓  No CRITICAL packages found.'));
+  }
+  console.log();
+}
+
+function printHelp() {
+  console.log(`
+${clr(c.bold, 'proof-of-commitment')} — supply chain risk scorer
+
+${clr(c.bold, 'Usage:')}
+  npx proof-of-commitment [packages...]     Score npm packages
+  npx proof-of-commitment --pypi [pkgs...]  Score PyPI packages
+  npx proof-of-commitment --file <path>     Auto-detect from package.json / requirements.txt
+
+${clr(c.bold, 'Examples:')}
+  npx proof-of-commitment axios zod chalk
+  npx proof-of-commitment --pypi litellm langchain requests
+  npx proof-of-commitment --file package.json
+  npx proof-of-commitment --file requirements.txt
+
+${clr(c.bold, 'Score meaning:')}
+  🔴 CRITICAL  Sole maintainer + >10M downloads/wk (high-value attack target)
+  🟠 HIGH      Score < 40
+  🟡 MODERATE  Score 40–59
+  🟡 GOOD      Score 60–74
+  🟢 HEALTHY   Score 75+
+
+${clr(c.bold, 'Score dimensions:')} longevity · download momentum · release consistency · maintainer depth · GitHub backing
+
+${clr(c.bold, 'Web:')}  ${WEB}
+${clr(c.bold, 'MCP:')}  ${clr(c.dim, 'Add to Claude Desktop / Cursor for AI-assisted auditing')}
+  `);
+}
+
+async function readPackagesFromFile(filePath) {
+  const fs = await import('fs');
+  const path = await import('path');
+  const content = fs.readFileSync(filePath, 'utf-8');
+  const basename = path.basename(filePath).toLowerCase();
+
+  if (basename === 'package.json' || filePath.endsWith('.json')) {
+    const pkg = JSON.parse(content);
+    const deps = {
+      ...pkg.dependencies,
+      ...pkg.devDependencies,
+    };
+    return { packages: Object.keys(deps).slice(0, 20), ecosystem: 'npm' };
+  }
+
+  if (basename === 'requirements.txt' || filePath.endsWith('.txt')) {
+    const pkgs = content
+      .split('\n')
+      .map(l => l.trim())
+      .filter(l => l && !l.startsWith('#'))
+      .map(l => l.replace(/[>=<!\s].*/,'').trim())
+      .filter(Boolean)
+      .slice(0, 20);
+    return { packages: pkgs, ecosystem: 'pypi' };
+  }
+
+  throw new Error(`Unsupported file: ${filePath}. Use package.json or requirements.txt`);
+}
+
+async function main() {
+  const args = process.argv.slice(2);
+
+  if (args.length === 0 || args.includes('--help') || args.includes('-h')) {
+    printHelp();
+    process.exit(0);
+  }
+
+  let ecosystem = 'npm';
+  let packages = [];
+  let filePath = null;
+
+  let i = 0;
+  while (i < args.length) {
+    const a = args[i];
+    if (a === '--pypi') { ecosystem = 'pypi'; i++; }
+    else if (a === '--npm') { ecosystem = 'npm'; i++; }
+    else if (a === '--file' || a === '-f') {
+      filePath = args[++i];
+      i++;
+    }
+    else if (a.startsWith('--')) {
+      console.error(`Unknown flag: ${a}`);
+      process.exit(1);
+    }
+    else { packages.push(a); i++; }
+  }
+
+  if (filePath) {
+    try {
+      const result = await readPackagesFromFile(filePath);
+      packages = result.packages;
+      ecosystem = result.ecosystem;
+      console.log(clr(c.dim, `Detected ${packages.length} packages from ${filePath} (${ecosystem})`));
+    } catch (err) {
+      console.error(`Error reading ${filePath}: ${err.message}`);
+      process.exit(1);
+    }
+  }
+
+  if (packages.length === 0) {
+    console.error('No packages specified. Run with --help for usage.');
+    process.exit(1);
+  }
+
+  if (packages.length > 20) {
+    console.warn(clr(c.yellow, `Warning: truncating to first 20 packages (got ${packages.length})`));
+    packages = packages.slice(0, 20);
+  }
+
+  const pkgList = packages.join(', ');
+  process.stdout.write(clr(c.dim, `Scoring ${packages.length} ${ecosystem} package${packages.length > 1 ? 's' : ''}...`));
+
+  const t0 = Date.now();
+  let data;
+  try {
+    const res = await fetch(API, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ packages, ecosystem }),
+    });
+    if (!res.ok) {
+      const text = await res.text();
+      throw new Error(`API error ${res.status}: ${text}`);
+    }
+    data = await res.json();
+  } catch (err) {
+    console.error(`\nError: ${err.message}`);
+    process.exit(1);
+  }
+
+  const elapsed = ((Date.now() - t0) / 1000).toFixed(1);
+  process.stdout.write(clr(c.dim, ` done in ${elapsed}s\n`));
+
+  if (!data.results || data.results.length === 0) {
+    console.log('No results returned. Check package names and try again.');
+    process.exit(0);
+  }
+
+  printTable(data.results);
+}
+
+main().catch(err => {
+  console.error('Unexpected error:', err.message);
+  process.exit(1);
+});

package/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "proof-of-commitment",
+  "version": "1.0.0",
+  "description": "Supply chain risk scorer for npm and PyPI packages — behavioral signals that can't be faked",
+  "type": "module",
+  "bin": {
+    "proof-of-commitment": "./index.js",
+    "poc": "./index.js"
+  },
+  "main": "./index.js",
+  "files": [
+    "index.js",
+    "README.md"
+  ],
+  "keywords": [
+    "supply-chain",
+    "security",
+    "npm",
+    "pypi",
+    "dependencies",
+    "audit",
+    "risk",
+    "behavioral",
+    "commitment",
+    "maintainer"
+  ],
+  "author": "piiiico",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/piiiico/proof-of-commitment"
+  },
+  "homepage": "https://getcommit.dev/audit",
+  "engines": {
+    "node": ">=18"
+  }
+}