proof-of-commitment 1.12.1 → 1.13.1

package/index.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * proof-of-commitment CLI v1.12.1
+ * proof-of-commitment CLI v1.13.1
  * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
  * Usage: npx proof-of-commitment [packages...] [options]
  */
@@ -198,24 +198,95 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
   }
 
   // Contextual upsell — show when findings make monitoring relevant
+  // In TTY mode, inlineSignup() handles the upsell interactively — skip static text
   if (effectiveCritical > 0) {
-    // Check for API key synchronously via env (fast path)
     const hasKey = !!process.env.COMMIT_API_KEY || _cachedHasKey;
     if (hasKey) {
       console.log(clr(c.dim, `\n  📊 Monitor ${effectiveCritical === 1 ? 'this package' : 'these packages'}: `) +
         clr(c.cyan, `poc watch ${results.find(r => hasCritical(r.riskFlags))?.name || results[0]?.name}`));
-    } else {
+    } else if (!process.stdin.isTTY || !process.stdout.isTTY) {
+      // Non-TTY (CI, piped): show static URL since interactive prompt won't work
       console.log(clr(c.dim, `\n  📊 Monitor ${effectiveCritical === 1 ? 'this' : 'these ' + effectiveCritical} CRITICAL ${effectiveCritical === 1 ? 'package' : 'packages'} — get alerted when scores change.`));
       console.log(clr(c.dim, '     Get a free API key: ') + clr(c.cyan, 'https://getcommit.dev/get-started?utm_source=cli'));
       console.log(clr(c.dim, '     Then run: ') + clr(c.cyan, 'poc login'));
     }
+    // else: TTY mode — inlineSignup() will prompt interactively after printTable
+  }
+  console.log();
+}
+
+/**
+ * Inline signup: after CRITICAL findings, offer one-step email→key flow.
+ * Collapses 6-step funnel (visit site → email → check inbox → copy key → login → watch)
+ * into a single CLI prompt.
+ */
+async function inlineSignup(results) {
+  // Only prompt in interactive TTY when CRITICAL packages found and no key saved
+  if (!process.stdin.isTTY || !process.stdout.isTTY) return;
+  const hasKey = !!process.env.COMMIT_API_KEY || _cachedHasKey;
+  if (hasKey) return;
+  const critPkgs = results.filter(r => hasCritical(r.riskFlags));
+  if (critPkgs.length === 0) return;
+
+  console.log(clr(c.dim, '  ─────────────────────────────────────────────'));
+  console.log(clr(c.bold, '  🔔 Get alerts when these scores change?'));
+  console.log(clr(c.dim, '     Free API key — no credit card, 10 seconds.\n'));
+
+  const { createInterface } = await import('readline');
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+
+  const email = await new Promise(resolve => {
+    rl.question(clr(c.dim, '  Your email (Enter to skip): '), answer => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+
+  if (!email) return;
+
+  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
+    console.log(clr(c.red, '  Invalid email. Skipped.'));
+    return;
   }
+
+  process.stdout.write(clr(c.dim, '  Creating key...'));
+
+  try {
+    const res = await fetch('https://poc-backend.amdal-dev.workers.dev/api/keys/create', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email, source: 'cli' }),
+    });
+
+    const data = await res.json();
+
+    if (data.key) {
+      await writeApiKey(data.key);
+      _cachedHasKey = true;
+      console.log(clr(c.green, ' ✓ Saved to ~/.commit/config'));
+      console.log(clr(c.dim, `     Backup sent to ${email}`));
+      console.log();
+      console.log(clr(c.bold, '  Next steps:'));
+      console.log(clr(c.dim, '    • ') + clr(c.cyan, 'poc status') + clr(c.dim, '       — check your account'));
+      if (critPkgs.length > 0) {
+        console.log(clr(c.dim, '    • ') + clr(c.cyan, `poc watch ${critPkgs[0].name}`) + clr(c.dim, '  — start monitoring (Pro)'));
+      }
+      console.log(clr(c.dim, '    • ') + clr(c.cyan, 'poc init') + clr(c.dim, '          — add CI gate to this project'));
+    } else if (data.message) {
+      console.log(clr(c.green, ` ✓ ${data.message}`));
+    } else {
+      console.log(clr(c.red, ` Failed: ${JSON.stringify(data)}`));
+    }
+  } catch (err) {
+    console.log(clr(c.red, ` Error: ${err.message}`));
+  }
+
   console.log();
 }
 
 function printHelp() {
   console.log(`
-${clr(c.bold, 'proof-of-commitment')} v1.12.1 — supply chain risk scorer
+${clr(c.bold, 'proof-of-commitment')} v1.13.1 — supply chain risk scorer
 
 ${clr(c.bold, 'Usage:')}
   npx proof-of-commitment                            Auto-detect manifest in current dir
@@ -1667,6 +1738,7 @@ async function main() {
     const displayed = allResults.slice(0, MAX_DISPLAY);
     const criticalTotal = allResults.filter(r => hasCritical(r.riskFlags)).length;
     printTable(displayed, { totalScanned: allResults.length, totalCritical: criticalTotal, lockfile: true });
+    await inlineSignup(displayed);
     if (shouldFail(allResults, failOn)) {
       console.error(clr(c.red + c.bold, `\n✗ --fail-on=${failOn} threshold met. Exit 1.`));
       process.exit(1);
@@ -1697,6 +1769,7 @@ async function main() {
   }
 
   printTable(allResults);
+  await inlineSignup(allResults);
   if (shouldFail(allResults, failOn)) {
     console.error(clr(c.red + c.bold, `✗ --fail-on=${failOn} threshold met. Exit 1.`));
     process.exit(1);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "proof-of-commitment",
-  "version": "1.12.1",
+  "version": "1.13.1",
   "description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
   "type": "module",
   "bin": {