proof-of-commitment 1.13.1 → 1.17.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Håkon Åmdal
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/index.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * proof-of-commitment CLI v1.13.1
+ * proof-of-commitment CLI v1.17.1
  * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
  * Usage: npx proof-of-commitment [packages...] [options]
  */
@@ -10,6 +10,18 @@ const KEYS_API = 'https://poc-backend.amdal-dev.workers.dev/api/keys';
 const WATCHLIST_API = 'https://poc-backend.amdal-dev.workers.dev/api/watchlist';
 const WEB = 'https://getcommit.dev/audit';
 
+// Backend uses Accept header to decide JSON vs plain-text body on 429
+// (added 2026-05-22 so v1.14.0 CLI, which sends the fetch default `*/*`,
+// gets a readable text body inside its Error wrapper instead of a JSON
+// dump). v1.17.0+ explicitly opts into JSON so handle429() can parse
+// shared_ip_hint, retry_after_seconds, etc. Default fetch in Node 20+
+// sends `Accept: */*` — without this header the backend would assume
+// the legacy raw-dump path.
+const JSON_API_HEADERS = {
+  'Content-Type': 'application/json',
+  'Accept': 'application/json',
+};
+
 // ANSI color helpers
 const c = {
   reset: '\x1b[0m',
@@ -42,6 +54,76 @@ function clr(code, text) {
   return `${code}${text}${c.reset}`;
 }
 
+/**
+ * Renders a human-readable rate-limit message to stderr and exits with code 1.
+ * Parses JSON body from a 429 response.
+ *
+ * v1.17.0: reads structured `shared_ip_hint` / `instant_key_url` /
+ * `packages_already_scored` / `retry_after_seconds` fields (see /api/audit
+ * 429 response). Older backends just return `message` + `upgrade_url`;
+ * the helper degrades gracefully. Single CTA only — paid upgrade is removed
+ * here because dogfood (2026-05-21) found that splitting attention between
+ * "free key" and "paid upgrade" lowers free-key conversion on the rescue
+ * step. The user is hitting the *free* wall — surface the free fix.
+ */
+async function handle429(res) {
+  let data = {};
+  try {
+    data = await res.json();
+  } catch {
+    // Non-JSON fallback — leave data as {}
+  }
+
+  const message = data.message || 'Daily free audit limit reached on this network IP.';
+  const instantKeyUrl =
+    data.instant_key_url ||
+    data.upgrade_url ||
+    'https://getcommit.dev/get-started?ref=audit-cli-429';
+  const partial = Array.isArray(data.packages_already_scored)
+    ? data.packages_already_scored
+    : [];
+  const retryAfter = Number.isFinite(data.retry_after_seconds)
+    ? data.retry_after_seconds
+    : null;
+
+  // Forward-compat: if backend ever returns partial scoring on 429,
+  // print what we have BEFORE the rescue message. Falls back to JSON
+  // dump if the row shape isn't a complete table row.
+  if (partial.length > 0) {
+    try {
+      console.log();
+      console.log(clr(c.dim, `  Partial results scored before the limit hit (${partial.length}):`));
+      printTable(partial, { totalScanned: partial.length });
+    } catch {
+      console.log(JSON.stringify(partial, null, 2));
+    }
+  }
+
+  console.error('');
+  console.error(clr(c.yellow + c.bold, `⚠  ${message}`));
+  if (data.shared_ip_hint) {
+    console.error(
+      clr(
+        c.dim,
+        '   Heads up: corporate NAT, CI runners, and dev containers all share egress IPs,'
+      )
+    );
+    console.error(
+      clr(c.dim, '   so the free-tier counter ticks faster than your personal usage suggests.')
+    );
+  }
+  console.error('');
+  console.error(clr(c.cyan + c.bold, `   → Free API key in 30 seconds (no card): ${instantKeyUrl}`));
+  if (retryAfter && retryAfter > 0) {
+    const hours = Math.floor(retryAfter / 3600);
+    const mins = Math.floor((retryAfter % 3600) / 60);
+    const resetIn = hours > 0 ? `${hours}h ${mins}m` : `${mins}m`;
+    console.error(clr(c.dim, `     or wait — free-tier resets in ${resetIn} (00:00 UTC).`));
+  }
+  console.error('');
+  process.exit(1);
+}
+
 /** Check if riskFlags array contains a CRITICAL-level flag (handles both "CRITICAL" and "CRITICAL: ..." formats) */
 function hasCritical(flags) {
   return flags && flags.some(f => typeof f === 'string' && f.startsWith('CRITICAL'));
@@ -221,12 +303,15 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
  * into a single CLI prompt.
  */
 async function inlineSignup(results) {
-  // Only prompt in interactive TTY when CRITICAL packages found and no key saved
+  // Only prompt in interactive TTY when findings make monitoring relevant and no key saved
   if (!process.stdin.isTTY || !process.stdout.isTTY) return;
   const hasKey = !!process.env.COMMIT_API_KEY || _cachedHasKey;
   if (hasKey) return;
   const critPkgs = results.filter(r => hasCritical(r.riskFlags));
-  if (critPkgs.length === 0) return;
+  const lowScorePkgs = results.filter(r => typeof r.score === 'number' && r.score < 60);
+  // Gate: ≥1 CRITICAL, OR ≥2 packages with score<60, OR large scan (≥50 packages)
+  const shouldPrompt = critPkgs.length >= 1 || lowScorePkgs.length >= 2 || results.length >= 50;
+  if (!shouldPrompt) return;
 
   console.log(clr(c.dim, '  ─────────────────────────────────────────────'));
   console.log(clr(c.bold, '  🔔 Get alerts when these scores change?'));
@@ -286,7 +371,7 @@ async function inlineSignup(results) {
 
 function printHelp() {
   console.log(`
-${clr(c.bold, 'proof-of-commitment')} v1.13.1 — supply chain risk scorer
+${clr(c.bold, 'proof-of-commitment')} v1.16.0 — supply chain risk scorer
 
 ${clr(c.bold, 'Usage:')}
   npx proof-of-commitment                            Auto-detect manifest in current dir
@@ -388,7 +473,8 @@ ${clr(c.bold, 'Provenance (npm):')}
 ${clr(c.bold, 'Score dimensions (npm/PyPI/Cargo):')} longevity · download momentum · release consistency · publisher depth · GitHub backing · provenance
 ${clr(c.bold, 'Score dimensions (Go):')} longevity · release consistency · maintainer depth · GitHub backing · stars
 
-${clr(c.bold, 'MCP:')} Add to Claude Desktop / Cursor for AI-assisted auditing — see homepage.
+${clr(c.bold, 'MCP:')} https://poc-backend.amdal-dev.workers.dev/mcp — connect from Claude Desktop / Cursor / Cline.
+       Free tier: 100 queries/IP/UTC day. Power users: API key for 200/day. ${clr(c.dim, '(Authorization: Bearer sk_commit_…)')}
 
 ${clr(c.bold, 'Web:')}  ${WEB}
   `);
@@ -698,18 +784,21 @@ async function auditBatched(packages, ecosystem, { onProgress } = {}) {
   }
 
   let completed = 0;
+  let batchedCta = null;
   const results = await Promise.all(
     batches.map(async (batch) => {
       const res = await fetch(API, {
         method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
+        headers: JSON_API_HEADERS,
         body: JSON.stringify({ packages: batch, ecosystem }),
       });
       if (!res.ok) {
+        if (res.status === 429) await handle429(res);
         const text = await res.text();
         throw new Error(`API error ${res.status}: ${text}`);
       }
       const data = await res.json();
+      if (data._cta) batchedCta = data._cta;
       completed += batch.length;
       if (onProgress) onProgress(completed, packages.length);
       return data.results || [];
@@ -726,7 +815,7 @@ async function auditBatched(packages, ecosystem, { onProgress } = {}) {
     return (a.score || 100) - (b.score || 100);
   });
 
-  return all;
+  return { results: all, _cta: batchedCta };
 }
 
 /** Parse --fail-on=<level>. Returns one of 'critical' | 'risky' | 'none'. */
@@ -1284,14 +1373,17 @@ async function cmdReport(packages, ecosystem, { filePath, isLockfile, totalScann
     if (packages.length <= 20) {
       const res = await fetch(API, {
         method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
+        headers: JSON_API_HEADERS,
         body: JSON.stringify({ packages, ecosystem }),
       });
-      if (!res.ok) throw new Error(`API error ${res.status}: ${await res.text()}`);
+      if (!res.ok) {
+        if (res.status === 429) await handle429(res);
+        throw new Error(`API error ${res.status}: ${await res.text()}`);
+      }
       const data = await res.json();
       allResults = data.results || [];
     } else {
-      allResults = await auditBatched(packages, ecosystem);
+      allResults = (await auditBatched(packages, ecosystem)).results;
     }
   } catch (err) {
     console.error(`\nError: ${err.message}`);
@@ -1673,6 +1765,7 @@ async function main() {
   const t0 = Date.now();
 
   let allResults;
+  let apiCta = null;
 
   if (packages.length <= 20) {
     if (!jsonOutput) process.stdout.write(clr(c.dim, `Scoring ${packages.length} ${ecosystem} package${packages.length > 1 ? 's' : ''}...`));
@@ -1680,15 +1773,17 @@ async function main() {
     try {
       const res = await fetch(API, {
         method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
+        headers: JSON_API_HEADERS,
         body: JSON.stringify({ packages, ecosystem }),
       });
       if (!res.ok) {
+        if (res.status === 429) await handle429(res);
         const text = await res.text();
         throw new Error(`API error ${res.status}: ${text}`);
       }
       const data = await res.json();
       allResults = data.results || [];
+      apiCta = data._cta || null;
     } catch (err) {
       console.error(`\nError: ${err.message}`);
       process.exit(1);
@@ -1703,7 +1798,7 @@ async function main() {
 
     let lastPct = 0;
     try {
-      allResults = await auditBatched(packages, ecosystem, {
+      const batchResult = await auditBatched(packages, ecosystem, {
         onProgress: (done, total) => {
           const pct = Math.round((done / total) * 100);
           if (pct >= lastPct + 20) {
@@ -1712,6 +1807,8 @@ async function main() {
           }
         }
       });
+      allResults = batchResult.results;
+      apiCta = batchResult._cta;
     } catch (err) {
       console.error(`\nError: ${err.message}`);
       process.exit(1);
@@ -1738,6 +1835,7 @@ async function main() {
     const displayed = allResults.slice(0, MAX_DISPLAY);
     const criticalTotal = allResults.filter(r => hasCritical(r.riskFlags)).length;
     printTable(displayed, { totalScanned: allResults.length, totalCritical: criticalTotal, lockfile: true });
+    if (apiCta) console.log(clr(c.dim + c.cyan, `\n  ${apiCta}`));
     await inlineSignup(displayed);
     if (shouldFail(allResults, failOn)) {
       console.error(clr(c.red + c.bold, `\n✗ --fail-on=${failOn} threshold met. Exit 1.`));
@@ -1769,6 +1867,7 @@ async function main() {
   }
 
   printTable(allResults);
+  if (apiCta) console.log(clr(c.dim + c.cyan, `\n  ${apiCta}`));
   await inlineSignup(allResults);
   if (shouldFail(allResults, failOn)) {
     console.error(clr(c.red + c.bold, `✗ --fail-on=${failOn} threshold met. Exit 1.`));

package/package.json

@@ -1,6 +1,7 @@
 {
   "name": "proof-of-commitment",
-  "version": "1.13.1",
+  "version": "1.17.1",
+  "mcpName": "io.github.piiiico/proof-of-commitment",
   "description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
   "type": "module",
   "bin": {
@@ -10,7 +11,8 @@
   "main": "./index.js",
   "files": [
     "index.js",
-    "README.md"
+    "README.md",
+    "LICENSE"
   ],
   "keywords": [
     "supply-chain",