npm - proof-of-commitment - Versions diffs - 1.11.0 → 1.12.1 - Mend

proof-of-commitment 1.11.0 → 1.12.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/index.js +163 -7
package/package.json +1 -1

package/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * proof-of-commitment CLI v1.11.0
+ * proof-of-commitment CLI v1.12.1
  * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
  * Usage: npx proof-of-commitment [packages...] [options]
  */
@@ -180,8 +180,22 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
   // Footer with web link + CI integration CTA
   const topPkgs = results.slice(0, 10).map(r => r.name).join(',');
-  console.log(clr(c.cyan, `\n  🔗 Full report: ${WEB}?packages=${encodeURIComponent(topPkgs)}`));
+  const utm = 'utm_source=cli&utm_medium=audit';
+  console.log(clr(c.cyan, `\n  🔗 Full report: ${WEB}?packages=${encodeURIComponent(topPkgs)}&${utm}`));
   console.log(clr(c.cyan, `  🤖 GitHub Action: github.com/piiiico/commit-action — block CRITICAL packages in CI`));
+  console.log(clr(c.dim, `  📋 Add to this project: `) + clr(c.cyan, `poc init`) + clr(c.dim, ` — creates workflow + README badge`));
+  // Per-package profile URLs — drive traffic to permanent, indexable pages
+  const ecoPath = { npm: 'npm', pypi: 'pypi', cargo: 'cargo', golang: 'go' };
+  const profilePkgs = results.slice(0, 5).filter(r => r.name && ecoPath[r.ecosystem || 'npm']);
+  if (profilePkgs.length > 0) {
+    console.log(clr(c.dim, `\n  📄 Package profiles:`));
+    for (const r of profilePkgs) {
+      const eco = ecoPath[r.ecosystem || 'npm'];
+      const name = encodeURIComponent(r.name).replace(/%40/g, '@').replace(/%2F/g, '/');
+      console.log(clr(c.dim, `     getcommit.dev/${eco}/${name}`));
+    }
+  }
   // Contextual upsell — show when findings make monitoring relevant
   if (effectiveCritical > 0) {
@@ -192,7 +206,7 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
         clr(c.cyan, `poc watch ${results.find(r => hasCritical(r.riskFlags))?.name || results[0]?.name}`));
     } else {
       console.log(clr(c.dim, `\n  📊 Monitor ${effectiveCritical === 1 ? 'this' : 'these ' + effectiveCritical} CRITICAL ${effectiveCritical === 1 ? 'package' : 'packages'} — get alerted when scores change.`));
-      console.log(clr(c.dim, '     Get a free API key: ') + clr(c.cyan, 'https://getcommit.dev/get-started'));
+      console.log(clr(c.dim, '     Get a free API key: ') + clr(c.cyan, 'https://getcommit.dev/get-started?utm_source=cli'));
       console.log(clr(c.dim, '     Then run: ') + clr(c.cyan, 'poc login'));
     }
   }
@@ -201,7 +215,7 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
 function printHelp() {
   console.log(`
-${clr(c.bold, 'proof-of-commitment')} v1.11.0 — supply chain risk scorer
+${clr(c.bold, 'proof-of-commitment')} v1.12.1 — supply chain risk scorer
 ${clr(c.bold, 'Usage:')}
   npx proof-of-commitment                            Auto-detect manifest in current dir
@@ -218,6 +232,10 @@ ${clr(c.bold, 'Usage:')}
   npx proof-of-commitment --file go.mod              Audit Go direct + indirect deps
   npx proof-of-commitment --file go.sum              Audit Go full transitive set
+${clr(c.bold, 'Setup:')}
+  poc init            Add a GitHub Action + README badge to the current project
+                      Auto-detects ecosystem. Blocks CRITICAL packages on every PR.
 ${clr(c.bold, 'Reports:')}
   poc report          Scan and generate a shareable HTML report + Markdown snippet
   poc report [pkgs]   Same flags as scan — packages, --pypi, --cargo, --file, etc.
@@ -780,7 +798,7 @@ async function cmdLogin(keyArg) {
     console.log(clr(c.dim, '    poc watchlist          View monitored packages'));
     console.log(clr(c.dim, '    poc unwatch <package>  Remove from monitoring'));
   } else {
-    console.log(clr(c.dim, '  Upgrade to Pro for monitoring + alerts: https://getcommit.dev/pricing'));
+    console.log(clr(c.dim, '  Upgrade to Pro for monitoring + alerts: https://getcommit.dev/pricing?utm_source=cli'));
   }
   console.log();
 }
@@ -859,7 +877,7 @@ async function cmdWatch(pkg, ecosystem) {
   const key = await readApiKey();
   if (!key) {
     console.error(clr(c.red, 'No API key found. Set COMMIT_API_KEY or add api_key=<key> to ~/.commit/config'));
-    console.error(clr(c.dim, 'Get a key at https://getcommit.dev/pricing'));
+    console.error(clr(c.dim, 'Get a key at https://getcommit.dev/pricing?utm_source=cli'));
     process.exit(1);
   }
@@ -1124,7 +1142,7 @@ ${rows}
 <div class="footer">
   <span>Generated by <a href="${WEB}" target="_blank">proof-of-commitment</a></span>
   <span><a href="https://github.com/piiiico/commit-action" target="_blank">GitHub Action</a></span>
-  <span><a href="https://getcommit.dev/pricing" target="_blank">Commit Pro</a></span>
+  <span><a href="https://getcommit.dev/pricing?utm_source=cli&amp;utm_medium=report" target="_blank">Commit Pro</a></span>
 </div>
 <script>
 function copyMd() {
@@ -1251,6 +1269,139 @@ async function cmdReport(packages, ecosystem, { filePath, isLockfile, totalScann
   console.log();
 }
+/**
+ * poc init — scaffold a GitHub Action workflow + README badge for the current project.
+ * Turns every CLI user into a permanent distribution node.
+ */
+async function cmdInit() {
+  const fs = await import('fs');
+  const path = await import('path');
+  const cwd = process.cwd();
+  // Detect ecosystem from project files
+  let ecosystem = 'npm';
+  let manifestName = 'package.json';
+  const checks = [
+    ['package.json', 'npm'],
+    ['package-lock.json', 'npm'],
+    ['yarn.lock', 'npm'],
+    ['pnpm-lock.yaml', 'npm'],
+    ['requirements.txt', 'pypi'],
+    ['Cargo.toml', 'cargo'],
+    ['go.mod', 'golang'],
+  ];
+  for (const [file, eco] of checks) {
+    if (fs.existsSync(path.join(cwd, file))) {
+      ecosystem = eco;
+      manifestName = file;
+      break;
+    }
+  }
+  console.log(clr(c.bold, '\n  Commit — supply chain audit for CI\n'));
+  console.log(clr(c.dim, `  Detected: ${manifestName} (${ecosystem})`));
+  // ── 1. GitHub Action workflow ──
+  const workflowDir = path.join(cwd, '.github', 'workflows');
+  const workflowPath = path.join(workflowDir, 'commit-audit.yml');
+  const ecoFlag = ecosystem === 'npm' ? '' : ` --${ecosystem === 'golang' ? 'go' : ecosystem}`;
+  const workflowContent = `# Supply chain audit — powered by Commit (getcommit.dev)
+# Scores dependencies on behavioral signals: publisher concentration,
+# download anomalies, release patterns, trusted publishing adoption.
+# Blocks PRs when CRITICAL packages are found (configurable).
+name: Supply Chain Audit
+on:
+  pull_request:
+  push:
+    branches: [main, master]
+  schedule:
+    - cron: '0 9 * * 1'  # Weekly Monday 09:00 UTC
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+      - run: npx -y proof-of-commitment${ecoFlag} --fail-on=critical
+`;
+  let workflowCreated = false;
+  if (fs.existsSync(workflowPath)) {
+    console.log(clr(c.yellow, `  ⚠ .github/workflows/commit-audit.yml already exists — skipped`));
+  } else {
+    fs.mkdirSync(workflowDir, { recursive: true });
+    fs.writeFileSync(workflowPath, workflowContent);
+    workflowCreated = true;
+    console.log(clr(c.green, `  ✓ Created .github/workflows/commit-audit.yml`));
+  }
+  // ── 2. README badge ──
+  // Try to read project name from package.json or directory name
+  let projectName = path.basename(cwd);
+  try {
+    const pkg = JSON.parse(fs.readFileSync(path.join(cwd, 'package.json'), 'utf-8'));
+    if (pkg.name) projectName = pkg.name;
+  } catch {}
+  const badgeUrl = `https://poc-backend.amdal-dev.workers.dev/badge/npm/${encodeURIComponent(projectName)}`;
+  const auditUrl = `https://getcommit.dev/audit?packages=${encodeURIComponent(projectName)}`;
+  const badgeMd = `[![Commit Score](${badgeUrl})](${auditUrl})`;
+  console.log(clr(c.green, `  ✓ README badge (paste into your README.md):\n`));
+  console.log(`    ${badgeMd}\n`);
+  // ── 3. Try to auto-insert badge into README ──
+  let badgeInserted = false;
+  const readmeCandidates = ['README.md', 'readme.md', 'Readme.md'];
+  for (const name of readmeCandidates) {
+    const readmePath = path.join(cwd, name);
+    if (fs.existsSync(readmePath)) {
+      const content = fs.readFileSync(readmePath, 'utf-8');
+      if (content.includes('Commit Score') || content.includes('poc-backend.amdal-dev.workers.dev/badge')) {
+        console.log(clr(c.dim, `  Badge already in ${name} — skipped`));
+        badgeInserted = true;
+        break;
+      }
+      // Insert after the first H1 heading, or at the top
+      const h1Match = content.match(/^#\s+.+$/m);
+      let newContent;
+      if (h1Match) {
+        const insertPos = h1Match.index + h1Match[0].length;
+        newContent = content.slice(0, insertPos) + '\n\n' + badgeMd + content.slice(insertPos);
+      } else {
+        newContent = badgeMd + '\n\n' + content;
+      }
+      fs.writeFileSync(readmePath, newContent);
+      badgeInserted = true;
+      console.log(clr(c.green, `  ✓ Badge added to ${name}`));
+      break;
+    }
+  }
+  if (!badgeInserted) {
+    console.log(clr(c.dim, `  No README found — paste the badge manually`));
+  }
+  // ── 4. Next steps ──
+  console.log(clr(c.bold, '\n  What happens next:\n'));
+  if (workflowCreated) {
+    console.log(clr(c.white, '  1. Commit and push — the Action runs on your next PR'));
+    console.log(clr(c.white, '  2. PRs with CRITICAL dependencies are blocked automatically'));
+    console.log(clr(c.white, '  3. The badge updates daily with your project\'s score'));
+  } else {
+    console.log(clr(c.white, '  1. The badge updates daily with your project\'s score'));
+    console.log(clr(c.white, '  2. Push to trigger the existing workflow'));
+  }
+  console.log(clr(c.dim, `\n  Want daily monitoring + alerts? Get a free key:`));
+  console.log(clr(c.cyan, '  https://getcommit.dev/get-started?utm_source=cli'));
+  console.log(clr(c.dim, '  Then run: ') + clr(c.cyan, 'poc login') + clr(c.dim, ' + ') + clr(c.cyan, 'poc watch <package>\n'));
+}
 async function main() {
   const args = process.argv.slice(2);
@@ -1262,6 +1413,11 @@ async function main() {
   // Subcommands
   const subcmd = args[0];
+  if (subcmd === 'init') {
+    await cmdInit();
+    process.exit(0);
+  }
   if (subcmd === 'login') {
     const keyArg = args[1] || null;
     await cmdLogin(keyArg);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "proof-of-commitment",
-  "version": "1.11.0",
+  "version": "1.12.1",
   "description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
   "type": "module",
   "bin": {