npm - proof-of-commitment - Versions diffs - 1.10.0 → 1.12.0 - Mend

proof-of-commitment 1.10.0 → 1.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -51,24 +51,26 @@ npx proof-of-commitment --file go.sum    # full transitive set
 **Web demo (no install):** [getcommit.dev/audit](https://getcommit.dev/audit) — paste your packages, see risk scores in seconds.
-**Commit Pro — daily monitoring + alerts (v1.9.0):**
+**Account + monitoring (v1.10.0):**
 ```bash
 # Install once, then use the `poc` alias:
 npm install -g proof-of-commitment
-# Add packages to daily monitoring (requires Pro API key):
+# Get a free API key at https://getcommit.dev/get-started, then:
+poc login sk_commit_your_key_here
+# ✓ Authenticated — Tier: Free — Usage: 0/200 requests (daily)
+poc status                          # check tier + usage anytime
+poc logout                          # remove saved key
+# Monitoring (Pro tier — daily scans + alerts):
 poc watch chalk
 poc watch requests --ecosystem pypi
 poc watch serde --ecosystem cargo
-# View your watchlist with current scores:
-poc watchlist
-# Remove a package:
+poc watchlist                       # view scores + risk levels
 poc unwatch chalk
-# API key: set COMMIT_API_KEY env or add api_key=<key> to ~/.commit/config
-# Get a key at https://getcommit.dev/pricing
+# Upgrade to Pro: https://getcommit.dev/pricing
 ```
 Alerts fire on: score drop ≥10 points · package crosses CRITICAL threshold · recovery to HEALTHY.

package/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * proof-of-commitment CLI v1.10.0
+ * proof-of-commitment CLI v1.12.0
  * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
  * Usage: npx proof-of-commitment [packages...] [options]
  */
@@ -182,6 +182,7 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
   const topPkgs = results.slice(0, 10).map(r => r.name).join(',');
   console.log(clr(c.cyan, `\n  🔗 Full report: ${WEB}?packages=${encodeURIComponent(topPkgs)}`));
   console.log(clr(c.cyan, `  🤖 GitHub Action: github.com/piiiico/commit-action — block CRITICAL packages in CI`));
+  console.log(clr(c.dim, `  📋 Add to this project: `) + clr(c.cyan, `poc init`) + clr(c.dim, ` — creates workflow + README badge`));
   // Contextual upsell — show when findings make monitoring relevant
   if (effectiveCritical > 0) {
@@ -201,7 +202,7 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
 function printHelp() {
   console.log(`
-${clr(c.bold, 'proof-of-commitment')} v1.10.0 — supply chain risk scorer
+${clr(c.bold, 'proof-of-commitment')} v1.12.0 — supply chain risk scorer
 ${clr(c.bold, 'Usage:')}
   npx proof-of-commitment                            Auto-detect manifest in current dir
@@ -218,6 +219,15 @@ ${clr(c.bold, 'Usage:')}
   npx proof-of-commitment --file go.mod              Audit Go direct + indirect deps
   npx proof-of-commitment --file go.sum              Audit Go full transitive set
+${clr(c.bold, 'Setup:')}
+  poc init            Add a GitHub Action + README badge to the current project
+                      Auto-detects ecosystem. Blocks CRITICAL packages on every PR.
+${clr(c.bold, 'Reports:')}
+  poc report          Scan and generate a shareable HTML report + Markdown snippet
+  poc report [pkgs]   Same flags as scan — packages, --pypi, --cargo, --file, etc.
+                      Saves audit-report.html to cwd + prints Markdown for GitHub issues
 ${clr(c.bold, 'Account:')}
   poc login [key]     Save and validate your API key (interactive or direct)
   poc status          Show current tier, usage, and limits
@@ -995,6 +1005,390 @@ async function cmdUnwatch(pkg, ecosystem) {
   }
 }
+/**
+ * Generate a self-contained HTML report from audit results.
+ * Returns the full HTML string.
+ */
+function buildHtmlReport(results, { ecosystem, scannedFrom, totalScanned } = {}) {
+  const ts = new Date().toISOString().replace('T', ' ').slice(0, 19) + ' UTC';
+  const topPkgs = results.slice(0, 20).map(r => r.name).join(',');
+  const webUrl = `${WEB}?packages=${encodeURIComponent(topPkgs)}`;
+  const criticalCount = results.filter(r => hasCritical(r.riskFlags)).length;
+  const healthyCount = results.filter(r => !hasCritical(r.riskFlags) && (r.score || 0) >= 75).length;
+  function riskBadge(pkg) {
+    if (hasCritical(pkg.riskFlags)) return '<span class="badge critical">CRITICAL</span>';
+    if ((pkg.score || 100) < 40) return '<span class="badge high">HIGH</span>';
+    if ((pkg.score || 100) < 60) return '<span class="badge moderate">MODERATE</span>';
+    if ((pkg.score || 100) < 75) return '<span class="badge good">GOOD</span>';
+    return '<span class="badge healthy">HEALTHY</span>';
+  }
+  function provBadge(pkg) {
+    if (pkg.ecosystem === 'golang') return '';
+    return pkg.hasProvenance ? '<span class="prov">🔐</span>' : '';
+  }
+  function fmtDl(n) {
+    if (!n) return '—';
+    if (n >= 1e9) return (n / 1e9).toFixed(1) + 'B/wk';
+    if (n >= 1e6) return (n / 1e6).toFixed(1) + 'M/wk';
+    if (n >= 1e3) return (n / 1e3).toFixed(0) + 'K/wk';
+    return n + '/wk';
+  }
+  const rows = results.map(pkg => {
+    const isGo = pkg.ecosystem === 'golang';
+    return `<tr class="${hasCritical(pkg.riskFlags) ? 'row-critical' : ''}">
+      <td class="pkg-name">${escHtml(pkg.name)}${provBadge(pkg)}</td>
+      <td>${riskBadge(pkg)}</td>
+      <td class="score">${pkg.score ?? '?'}</td>
+      <td>${pkg.maintainers === 35 ? '30+' : (pkg.maintainers ?? '?')}</td>
+      <td>${isGo ? '—' : fmtDl(pkg.weeklyDownloads)}</td>
+      <td>${pkg.ageYears ? pkg.ageYears.toString().replace(/(\.\d).*/, '$1') + 'y' : '?'}</td>
+    </tr>`;
+  }).join('\n');
+  const summaryLabel = criticalCount > 0
+    ? `⚠ ${criticalCount} CRITICAL package${criticalCount > 1 ? 's' : ''} found`
+    : `✓ No CRITICAL packages`;
+  const summaryClass = criticalCount > 0 ? 'summary-critical' : 'summary-ok';
+  const scannedLine = scannedFrom
+    ? `<span>Scanned from <code>${escHtml(scannedFrom)}</code></span> · `
+    : '';
+  const totalLine = totalScanned && totalScanned > results.length
+    ? `showing top ${results.length} of ${totalScanned} packages · `
+    : `${results.length} package${results.length !== 1 ? 's' : ''} · `;
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>Supply chain audit — proof-of-commitment</title>
+<style>
+  :root { --red:#ef4444;--orange:#f97316;--yellow:#eab308;--green:#22c55e;--cyan:#06b6d4;--bg:#0f172a;--surface:#1e293b;--border:#334155;--text:#f1f5f9;--muted:#94a3b8; }
+  * { box-sizing: border-box; margin: 0; padding: 0; }
+  body { font-family: 'SF Mono', 'Fira Code', 'Cascadia Code', monospace; background: var(--bg); color: var(--text); padding: 2rem; line-height: 1.5; font-size: 14px; }
+  .header { display: flex; align-items: center; gap: 1rem; margin-bottom: 1.5rem; flex-wrap: wrap; }
+  .logo { font-size: 1.1rem; font-weight: bold; color: var(--cyan); }
+  .logo a { color: inherit; text-decoration: none; }
+  .web-link { margin-left: auto; }
+  .web-link a { color: var(--cyan); text-decoration: none; font-size: 0.85rem; border: 1px solid var(--border); padding: 0.3rem 0.75rem; border-radius: 4px; }
+  .web-link a:hover { background: var(--surface); }
+  .summary { padding: 0.75rem 1rem; border-radius: 6px; margin-bottom: 1.5rem; font-weight: bold; }
+  .summary-critical { background: rgba(239,68,68,0.15); border: 1px solid var(--red); color: var(--red); }
+  .summary-ok { background: rgba(34,197,94,0.1); border: 1px solid var(--green); color: var(--green); }
+  .meta { color: var(--muted); font-size: 0.8rem; margin-bottom: 1.5rem; }
+  .meta code { background: var(--surface); padding: 0.1rem 0.3rem; border-radius: 3px; }
+  table { width: 100%; border-collapse: collapse; }
+  thead { border-bottom: 1px solid var(--border); }
+  th { text-align: left; padding: 0.5rem 0.75rem; color: var(--muted); font-weight: normal; font-size: 0.8rem; text-transform: uppercase; letter-spacing: 0.05em; }
+  td { padding: 0.5rem 0.75rem; border-bottom: 1px solid rgba(51,65,85,0.5); }
+  tr.row-critical { background: rgba(239,68,68,0.07); }
+  .pkg-name { font-weight: bold; }
+  .prov { margin-left: 0.4rem; font-size: 0.9em; }
+  .badge { display: inline-block; padding: 0.1rem 0.5rem; border-radius: 3px; font-size: 0.75rem; font-weight: bold; }
+  .badge.critical { background: rgba(239,68,68,0.2); color: var(--red); border: 1px solid var(--red); }
+  .badge.high { background: rgba(249,115,22,0.15); color: var(--orange); border: 1px solid var(--orange); }
+  .badge.moderate { background: rgba(234,179,8,0.15); color: var(--yellow); border: 1px solid var(--yellow); }
+  .badge.good { background: rgba(234,179,8,0.1); color: var(--yellow); border: 1px solid rgba(234,179,8,0.5); }
+  .badge.healthy { background: rgba(34,197,94,0.1); color: var(--green); border: 1px solid var(--green); }
+  .score { color: var(--muted); }
+  .footer { margin-top: 2rem; padding-top: 1rem; border-top: 1px solid var(--border); color: var(--muted); font-size: 0.8rem; display: flex; gap: 1.5rem; flex-wrap: wrap; }
+  .footer a { color: var(--cyan); text-decoration: none; }
+  .md-section { margin-top: 2rem; background: var(--surface); border: 1px solid var(--border); border-radius: 6px; padding: 1rem; }
+  .md-label { color: var(--muted); font-size: 0.75rem; margin-bottom: 0.5rem; text-transform: uppercase; letter-spacing: 0.05em; }
+  .md-copy { background: var(--bg); border: 1px solid var(--border); border-radius: 4px; padding: 0.75rem; font-size: 0.8rem; white-space: pre; overflow-x: auto; color: var(--text); }
+  .copy-btn { float: right; cursor: pointer; background: var(--border); border: none; color: var(--text); padding: 0.2rem 0.6rem; border-radius: 3px; font-size: 0.75rem; font-family: inherit; }
+  .copy-btn:hover { background: var(--cyan); color: var(--bg); }
+</style>
+</head>
+<body>
+<div class="header">
+  <div class="logo"><a href="${WEB}" target="_blank">proof-of-commitment</a></div>
+  <div class="web-link"><a href="${webUrl}" target="_blank">🔗 Open in browser →</a></div>
+</div>
+<div class="summary ${summaryClass}">${summaryLabel}</div>
+<div class="meta">${scannedLine}${totalLine}${ecosystem || 'npm'} · generated ${ts}</div>
+<table>
+  <thead><tr>
+    <th>Package</th><th>Risk</th><th>Score</th><th>Publishers</th><th>Downloads</th><th>Age</th>
+  </tr></thead>
+  <tbody>
+${rows}
+  </tbody>
+</table>
+<div class="md-section">
+  <div class="md-label">Copy for GitHub issues / Slack <button class="copy-btn" onclick="copyMd()">Copy</button></div>
+  <div class="md-copy" id="md-content">${escHtml(buildMarkdown(results, { ecosystem, scannedFrom, totalScanned, webUrl }))}</div>
+</div>
+<div class="footer">
+  <span>Generated by <a href="${WEB}" target="_blank">proof-of-commitment</a></span>
+  <span><a href="https://github.com/piiiico/commit-action" target="_blank">GitHub Action</a></span>
+  <span><a href="https://getcommit.dev/pricing" target="_blank">Commit Pro</a></span>
+</div>
+<script>
+function copyMd() {
+  const text = document.getElementById('md-content').textContent;
+  navigator.clipboard.writeText(text).then(() => {
+    const btn = document.querySelector('.copy-btn');
+    btn.textContent = '✓ Copied';
+    setTimeout(() => btn.textContent = 'Copy', 2000);
+  });
+}
+</script>
+</body>
+</html>`;
+}
+function escHtml(str) {
+  return String(str).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+}
+function buildMarkdown(results, { ecosystem, scannedFrom, totalScanned, webUrl } = {}) {
+  const criticalCount = results.filter(r => hasCritical(r.riskFlags)).length;
+  const summaryLine = criticalCount > 0
+    ? `⚠ **${criticalCount} CRITICAL package${criticalCount > 1 ? 's' : ''} found**`
+    : `✅ No CRITICAL packages`;
+  function riskEmoji(pkg) {
+    if (hasCritical(pkg.riskFlags)) return '🔴 CRITICAL';
+    if ((pkg.score || 100) < 40) return '🟠 HIGH';
+    if ((pkg.score || 100) < 60) return '🟡 MODERATE';
+    if ((pkg.score || 100) < 75) return '🟡 GOOD';
+    return '🟢 HEALTHY';
+  }
+  const header = `| Package | Risk | Score | Publishers | Downloads |
+|---------|------|-------|------------|-----------|`;
+  function fmtDl(n) {
+    if (!n) return '—';
+    if (n >= 1e6) return (n / 1e6).toFixed(1) + 'M/wk';
+    if (n >= 1e3) return (n / 1e3).toFixed(0) + 'K/wk';
+    return n + '/wk';
+  }
+  const rows = results.map(pkg => {
+    const maintDisplay = pkg.maintainers === 35 ? '30+' : (pkg.maintainers ?? '?');
+    const dlDisplay = pkg.ecosystem === 'golang' ? '—' : fmtDl(pkg.weeklyDownloads);
+    return `| ${pkg.name}${pkg.hasProvenance ? ' 🔐' : ''} | ${riskEmoji(pkg)} | ${pkg.score ?? '?'} | ${maintDisplay} | ${dlDisplay} |`;
+  }).join('\n');
+  const scannedNote = scannedFrom ? ` (from \`${scannedFrom}\`)` : '';
+  const totalNote = totalScanned && totalScanned > results.length ? `, top ${results.length} of ${totalScanned}` : '';
+  const footer = `\n*Scanned ${results.length} ${ecosystem || 'npm'} package${results.length !== 1 ? 's' : ''}${scannedNote}${totalNote} with [proof-of-commitment](https://getcommit.dev) · [Full report](${webUrl || WEB})*`;
+  return `## Supply chain audit\n\n${summaryLine}\n\n${header}\n${rows}${footer}`;
+}
+/**
+ * poc report — generate shareable HTML report + Markdown snippet
+ */
+async function cmdReport(packages, ecosystem, { filePath, isLockfile, totalScanned } = {}) {
+  const fs = await import('fs');
+  process.stdout.write(clr(c.dim, `Scoring ${packages.length} ${ecosystem} package${packages.length > 1 ? 's' : ''}...`));
+  const t0 = Date.now();
+  let allResults;
+  try {
+    if (packages.length <= 20) {
+      const res = await fetch(API, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ packages, ecosystem }),
+      });
+      if (!res.ok) throw new Error(`API error ${res.status}: ${await res.text()}`);
+      const data = await res.json();
+      allResults = data.results || [];
+    } else {
+      allResults = await auditBatched(packages, ecosystem);
+    }
+  } catch (err) {
+    console.error(`\nError: ${err.message}`);
+    process.exit(1);
+  }
+  const elapsed = ((Date.now() - t0) / 1000).toFixed(1);
+  process.stdout.write(clr(c.dim, ` done in ${elapsed}s\n\n`));
+  // Sort: CRITICAL first, then by score ascending
+  allResults.sort((a, b) => {
+    const aCrit = hasCritical(a.riskFlags) ? 1 : 0;
+    const bCrit = hasCritical(b.riskFlags) ? 1 : 0;
+    if (aCrit !== bCrit) return bCrit - aCrit;
+    return (a.score || 100) - (b.score || 100);
+  });
+  const displayResults = allResults.slice(0, 50);
+  const topPkgs = displayResults.slice(0, 20).map(r => r.name).join(',');
+  const webUrl = `${WEB}?packages=${encodeURIComponent(topPkgs)}`;
+  // Save HTML report
+  const outFile = 'audit-report.html';
+  const html = buildHtmlReport(displayResults, {
+    ecosystem,
+    scannedFrom: filePath ? filePath.split('/').pop() : null,
+    totalScanned: totalScanned || allResults.length,
+  });
+  fs.writeFileSync(outFile, html);
+  // Print Markdown snippet
+  const md = buildMarkdown(displayResults, {
+    ecosystem,
+    scannedFrom: filePath ? filePath.split('/').pop() : null,
+    totalScanned: totalScanned || allResults.length,
+    webUrl,
+  });
+  console.log(clr(c.bold, 'Markdown snippet') + clr(c.dim, ' (paste into GitHub issues, PRs, Slack):'));
+  console.log(clr(c.dim, '─'.repeat(60)));
+  console.log(md);
+  console.log(clr(c.dim, '─'.repeat(60)));
+  console.log();
+  console.log(clr(c.green, `  ✓ HTML report saved → ${outFile}`));
+  console.log(clr(c.cyan, `  🔗 Web report: ${webUrl}`));
+  console.log();
+}
+/**
+ * poc init — scaffold a GitHub Action workflow + README badge for the current project.
+ * Turns every CLI user into a permanent distribution node.
+ */
+async function cmdInit() {
+  const fs = await import('fs');
+  const path = await import('path');
+  const cwd = process.cwd();
+  // Detect ecosystem from project files
+  let ecosystem = 'npm';
+  let manifestName = 'package.json';
+  const checks = [
+    ['package.json', 'npm'],
+    ['package-lock.json', 'npm'],
+    ['yarn.lock', 'npm'],
+    ['pnpm-lock.yaml', 'npm'],
+    ['requirements.txt', 'pypi'],
+    ['Cargo.toml', 'cargo'],
+    ['go.mod', 'golang'],
+  ];
+  for (const [file, eco] of checks) {
+    if (fs.existsSync(path.join(cwd, file))) {
+      ecosystem = eco;
+      manifestName = file;
+      break;
+    }
+  }
+  console.log(clr(c.bold, '\n  Commit — supply chain audit for CI\n'));
+  console.log(clr(c.dim, `  Detected: ${manifestName} (${ecosystem})`));
+  // ── 1. GitHub Action workflow ──
+  const workflowDir = path.join(cwd, '.github', 'workflows');
+  const workflowPath = path.join(workflowDir, 'commit-audit.yml');
+  const ecoFlag = ecosystem === 'npm' ? '' : ` --${ecosystem === 'golang' ? 'go' : ecosystem}`;
+  const workflowContent = `# Supply chain audit — powered by Commit (getcommit.dev)
+# Scores dependencies on behavioral signals: publisher concentration,
+# download anomalies, release patterns, trusted publishing adoption.
+# Blocks PRs when CRITICAL packages are found (configurable).
+name: Supply Chain Audit
+on:
+  pull_request:
+  push:
+    branches: [main, master]
+  schedule:
+    - cron: '0 9 * * 1'  # Weekly Monday 09:00 UTC
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+      - run: npx -y proof-of-commitment${ecoFlag} --fail-on=critical
+`;
+  let workflowCreated = false;
+  if (fs.existsSync(workflowPath)) {
+    console.log(clr(c.yellow, `  ⚠ .github/workflows/commit-audit.yml already exists — skipped`));
+  } else {
+    fs.mkdirSync(workflowDir, { recursive: true });
+    fs.writeFileSync(workflowPath, workflowContent);
+    workflowCreated = true;
+    console.log(clr(c.green, `  ✓ Created .github/workflows/commit-audit.yml`));
+  }
+  // ── 2. README badge ──
+  // Try to read project name from package.json or directory name
+  let projectName = path.basename(cwd);
+  try {
+    const pkg = JSON.parse(fs.readFileSync(path.join(cwd, 'package.json'), 'utf-8'));
+    if (pkg.name) projectName = pkg.name;
+  } catch {}
+  const badgeUrl = `https://poc-backend.amdal-dev.workers.dev/badge/npm/${encodeURIComponent(projectName)}`;
+  const auditUrl = `https://getcommit.dev/audit?packages=${encodeURIComponent(projectName)}`;
+  const badgeMd = `[![Commit Score](${badgeUrl})](${auditUrl})`;
+  console.log(clr(c.green, `  ✓ README badge (paste into your README.md):\n`));
+  console.log(`    ${badgeMd}\n`);
+  // ── 3. Try to auto-insert badge into README ──
+  let badgeInserted = false;
+  const readmeCandidates = ['README.md', 'readme.md', 'Readme.md'];
+  for (const name of readmeCandidates) {
+    const readmePath = path.join(cwd, name);
+    if (fs.existsSync(readmePath)) {
+      const content = fs.readFileSync(readmePath, 'utf-8');
+      if (content.includes('Commit Score') || content.includes('poc-backend.amdal-dev.workers.dev/badge')) {
+        console.log(clr(c.dim, `  Badge already in ${name} — skipped`));
+        badgeInserted = true;
+        break;
+      }
+      // Insert after the first H1 heading, or at the top
+      const h1Match = content.match(/^#\s+.+$/m);
+      let newContent;
+      if (h1Match) {
+        const insertPos = h1Match.index + h1Match[0].length;
+        newContent = content.slice(0, insertPos) + '\n\n' + badgeMd + content.slice(insertPos);
+      } else {
+        newContent = badgeMd + '\n\n' + content;
+      }
+      fs.writeFileSync(readmePath, newContent);
+      badgeInserted = true;
+      console.log(clr(c.green, `  ✓ Badge added to ${name}`));
+      break;
+    }
+  }
+  if (!badgeInserted) {
+    console.log(clr(c.dim, `  No README found — paste the badge manually`));
+  }
+  // ── 4. Next steps ──
+  console.log(clr(c.bold, '\n  What happens next:\n'));
+  if (workflowCreated) {
+    console.log(clr(c.white, '  1. Commit and push — the Action runs on your next PR'));
+    console.log(clr(c.white, '  2. PRs with CRITICAL dependencies are blocked automatically'));
+    console.log(clr(c.white, '  3. The badge updates daily with your project\'s score'));
+  } else {
+    console.log(clr(c.white, '  1. The badge updates daily with your project\'s score'));
+    console.log(clr(c.white, '  2. Push to trigger the existing workflow'));
+  }
+  console.log(clr(c.dim, `\n  Want daily monitoring + alerts? Get a free key:`));
+  console.log(clr(c.cyan, '  https://getcommit.dev/get-started'));
+  console.log(clr(c.dim, '  Then run: ') + clr(c.cyan, 'poc login') + clr(c.dim, ' + ') + clr(c.cyan, 'poc watch <package>\n'));
+}
 async function main() {
   const args = process.argv.slice(2);
@@ -1006,6 +1400,11 @@ async function main() {
   // Subcommands
   const subcmd = args[0];
+  if (subcmd === 'init') {
+    await cmdInit();
+    process.exit(0);
+  }
   if (subcmd === 'login') {
     const keyArg = args[1] || null;
     await cmdLogin(keyArg);
@@ -1022,6 +1421,55 @@ async function main() {
     process.exit(0);
   }
+  if (subcmd === 'report') {
+    // Parse report args (same flags as main scan)
+    const reportArgs = args.slice(1);
+    let ecosystem = 'npm';
+    let packages = [];
+    let filePath = null;
+    let totalInFile = 0;
+    let ri = 0;
+    while (ri < reportArgs.length) {
+      const a = reportArgs[ri];
+      if (a === '--pypi') { ecosystem = 'pypi'; ri++; }
+      else if (a === '--npm') { ecosystem = 'npm'; ri++; }
+      else if (a === '--cargo') { ecosystem = 'cargo'; ri++; }
+      else if (a === '--golang' || a === '--go') { ecosystem = 'golang'; ri++; }
+      else if (a === '--file' || a === '-f') { filePath = reportArgs[++ri]; ri++; }
+      else if (a.startsWith('--')) { console.error(`Unknown flag: ${a}`); process.exit(1); }
+      else { packages.push(a); ri++; }
+    }
+    if (!filePath && packages.length === 0) {
+      const detected = await autodetectManifest(process.cwd());
+      if (detected) {
+        filePath = detected;
+        console.log(clr(c.dim, `Auto-detected manifest: ${detected}`));
+      } else {
+        console.error('No packages specified and no manifest found. Run: poc report [packages...] or --file <manifest>');
+        process.exit(1);
+      }
+    }
+    if (filePath) {
+      try {
+        const result = await readPackagesFromFile(filePath);
+        packages = result.packages;
+        ecosystem = result.ecosystem;
+        totalInFile = result.totalInFile || packages.length;
+        console.log(clr(c.dim, `Detected ${totalInFile} packages from ${filePath} (${ecosystem})`));
+      } catch (err) {
+        console.error(`Error reading ${filePath}: ${err.message}`);
+        process.exit(1);
+      }
+    }
+    if (packages.length === 0) { console.error('No packages found.'); process.exit(1); }
+    await cmdReport(packages, ecosystem, { filePath, totalScanned: totalInFile || packages.length });
+    process.exit(0);
+  }
   if (subcmd === 'watch') {
     const pkg = args[1];
     if (!pkg) { console.error('Usage: poc watch <package> [--ecosystem npm|pypi|cargo|golang]'); process.exit(1); }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "proof-of-commitment",
-  "version": "1.10.0",
+  "version": "1.12.0",
   "description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
   "type": "module",
   "bin": {