proof-of-commitment 1.14.0 → 1.18.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Håkon Åmdal
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -56,7 +56,7 @@ npx proof-of-commitment --file go.sum    # full transitive set
 # Install once, then use the `poc` alias:
 npm install -g proof-of-commitment
 
-# Get a free API key at https://getcommit.dev/get-started, then:
+# Get a free API key at https://getcommit.dev/get-started?utm_source=cli, then:
 poc login sk_commit_your_key_here
 # ✓ Authenticated — Tier: Free — Usage: 0/200 requests (daily)
 

package/index.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * proof-of-commitment CLI v1.14.0
+ * proof-of-commitment CLI v1.18.0
  * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
  * Usage: npx proof-of-commitment [packages...] [options]
  */
@@ -10,6 +10,18 @@ const KEYS_API = 'https://poc-backend.amdal-dev.workers.dev/api/keys';
 const WATCHLIST_API = 'https://poc-backend.amdal-dev.workers.dev/api/watchlist';
 const WEB = 'https://getcommit.dev/audit';
 
+// Backend uses Accept header to decide JSON vs plain-text body on 429
+// (added 2026-05-22 so v1.14.0 CLI, which sends the fetch default `*/*`,
+// gets a readable text body inside its Error wrapper instead of a JSON
+// dump). v1.17.0+ explicitly opts into JSON so handle429() can parse
+// shared_ip_hint, retry_after_seconds, etc. Default fetch in Node 20+
+// sends `Accept: */*` — without this header the backend would assume
+// the legacy raw-dump path.
+const JSON_API_HEADERS = {
+  'Content-Type': 'application/json',
+  'Accept': 'application/json',
+};
+
 // ANSI color helpers
 const c = {
   reset: '\x1b[0m',
@@ -42,6 +54,76 @@ function clr(code, text) {
   return `${code}${text}${c.reset}`;
 }
 
+/**
+ * Renders a human-readable rate-limit message to stderr and exits with code 1.
+ * Parses JSON body from a 429 response.
+ *
+ * v1.17.0: reads structured `shared_ip_hint` / `instant_key_url` /
+ * `packages_already_scored` / `retry_after_seconds` fields (see /api/audit
+ * 429 response). Older backends just return `message` + `upgrade_url`;
+ * the helper degrades gracefully. Single CTA only — paid upgrade is removed
+ * here because dogfood (2026-05-21) found that splitting attention between
+ * "free key" and "paid upgrade" lowers free-key conversion on the rescue
+ * step. The user is hitting the *free* wall — surface the free fix.
+ */
+async function handle429(res) {
+  let data = {};
+  try {
+    data = await res.json();
+  } catch {
+    // Non-JSON fallback — leave data as {}
+  }
+
+  const message = data.message || 'Daily free audit limit reached on this network IP.';
+  const instantKeyUrl =
+    data.instant_key_url ||
+    data.upgrade_url ||
+    'https://getcommit.dev/get-started?ref=audit-cli-429';
+  const partial = Array.isArray(data.packages_already_scored)
+    ? data.packages_already_scored
+    : [];
+  const retryAfter = Number.isFinite(data.retry_after_seconds)
+    ? data.retry_after_seconds
+    : null;
+
+  // Forward-compat: if backend ever returns partial scoring on 429,
+  // print what we have BEFORE the rescue message. Falls back to JSON
+  // dump if the row shape isn't a complete table row.
+  if (partial.length > 0) {
+    try {
+      console.log();
+      console.log(clr(c.dim, `  Partial results scored before the limit hit (${partial.length}):`));
+      printTable(partial, { totalScanned: partial.length });
+    } catch {
+      console.log(JSON.stringify(partial, null, 2));
+    }
+  }
+
+  console.error('');
+  console.error(clr(c.yellow + c.bold, `⚠  ${message}`));
+  if (data.shared_ip_hint) {
+    console.error(
+      clr(
+        c.dim,
+        '   Heads up: corporate NAT, CI runners, and dev containers all share egress IPs,'
+      )
+    );
+    console.error(
+      clr(c.dim, '   so the free-tier counter ticks faster than your personal usage suggests.')
+    );
+  }
+  console.error('');
+  console.error(clr(c.cyan + c.bold, `   → Free API key in 30 seconds (no card): ${instantKeyUrl}`));
+  if (retryAfter && retryAfter > 0) {
+    const hours = Math.floor(retryAfter / 3600);
+    const mins = Math.floor((retryAfter % 3600) / 60);
+    const resetIn = hours > 0 ? `${hours}h ${mins}m` : `${mins}m`;
+    console.error(clr(c.dim, `     or wait — free-tier resets in ${resetIn} (00:00 UTC).`));
+  }
+  console.error('');
+  process.exit(1);
+}
+
 /** Check if riskFlags array contains a CRITICAL-level flag (handles both "CRITICAL" and "CRITICAL: ..." formats) */
 function hasCritical(flags) {
   return flags && flags.some(f => typeof f === 'string' && f.startsWith('CRITICAL'));
@@ -197,10 +279,10 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
     }
   }
 
-  // Contextual upsell — show when findings make monitoring relevant
-  // In TTY mode, inlineSignup() handles the upsell interactively — skip static text
+  // Contextual upsell — show when findings make monitoring relevant.
+  // In TTY mode, inlineSignup() handles the CRITICAL/risky upsell interactively — skip static text there.
+  const hasKey = !!process.env.COMMIT_API_KEY || _cachedHasKey;
   if (effectiveCritical > 0) {
-    const hasKey = !!process.env.COMMIT_API_KEY || _cachedHasKey;
     if (hasKey) {
       console.log(clr(c.dim, `\n  📊 Monitor ${effectiveCritical === 1 ? 'this package' : 'these packages'}: `) +
         clr(c.cyan, `poc watch ${results.find(r => hasCritical(r.riskFlags))?.name || results[0]?.name}`));
@@ -211,6 +293,19 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
       console.log(clr(c.dim, '     Then run: ') + clr(c.cyan, 'poc login'));
     }
     // else: TTY mode — inlineSignup() will prompt interactively after printTable
+  } else if (!hasKey) {
+    // HEALTHY case + no saved key: soft watchlist CTA. The all-healthy
+    // footer previously surfaced only CI-shaped CTAs (Action, `poc init`)
+    // which both require active commitment — workflow change + repo edit.
+    // The lowest-friction conversion (email → API key → watchlist) was
+    // hidden behind the CRITICAL gate of inlineSignup(). Buyer-journey
+    // dogfood 2026-05-24 found 1472 weekly downloads → 0 organic signups;
+    // the watchlist value prop ("alert me when these degrade") is real
+    // for healthy packages too — that's exactly when monitoring matters.
+    // ref=audit-baseline distinguishes this funnel from audit-cli-429
+    // (rate-limit rescue) and from the static utm_source=cli help-line.
+    console.log(clr(c.dim, '\n  📊 Lock in this baseline — get alerted if any package degrades:'));
+    console.log(clr(c.dim, '     ') + clr(c.cyan, 'https://getcommit.dev/get-started?ref=audit-baseline&utm_source=cli') + clr(c.dim, '  (free, no card, 10s)'));
   }
   console.log();
 }
@@ -221,16 +316,19 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
  * into a single CLI prompt.
  */
 async function inlineSignup(results) {
-  // Only prompt in interactive TTY when CRITICAL packages found and no key saved
+  // Only prompt in interactive TTY when findings make monitoring relevant and no key saved
   if (!process.stdin.isTTY || !process.stdout.isTTY) return;
   const hasKey = !!process.env.COMMIT_API_KEY || _cachedHasKey;
   if (hasKey) return;
   const critPkgs = results.filter(r => hasCritical(r.riskFlags));
-  if (critPkgs.length === 0) return;
+  const lowScorePkgs = results.filter(r => typeof r.score === 'number' && r.score < 60);
+  // Gate: ≥1 CRITICAL, OR ≥2 packages with score<60, OR large scan (≥50 packages)
+  const shouldPrompt = critPkgs.length >= 1 || lowScorePkgs.length >= 2 || results.length >= 50;
+  if (!shouldPrompt) return;
 
   console.log(clr(c.dim, '  ─────────────────────────────────────────────'));
-  console.log(clr(c.bold, '  🔔 Get alerts when these scores change?'));
-  console.log(clr(c.dim, '     Free API key — no credit card, 10 seconds.\n'));
+  console.log(clr(c.bold, '  🔔 Lock in this audit. Get alerts if these packages get worse.'));
+  console.log(clr(c.dim, '     Free, no card, 10 seconds. Saves to ~/.commit/config.\n'));
 
   const { createInterface } = await import('readline');
   const rl = createInterface({ input: process.stdin, output: process.stdout });
@@ -286,7 +384,7 @@ async function inlineSignup(results) {
 
 function printHelp() {
   console.log(`
-${clr(c.bold, 'proof-of-commitment')} v1.14.0 — supply chain risk scorer
+${clr(c.bold, 'proof-of-commitment')} v1.18.0 — supply chain risk scorer
 
 ${clr(c.bold, 'Usage:')}
   npx proof-of-commitment                            Auto-detect manifest in current dir
@@ -323,7 +421,7 @@ ${clr(c.bold, 'Monitoring (Pro):')}
   poc watchlist       List monitored packages with current scores + risk
   poc unwatch <pkg>   Remove a package from monitoring
 
-  Get a free key: https://getcommit.dev/get-started
+  Get a free key: https://getcommit.dev/get-started?utm_source=cli
   Upgrade to Pro:  https://getcommit.dev/pricing
 
 ${clr(c.bold, 'Options:')}
@@ -699,18 +797,21 @@ async function auditBatched(packages, ecosystem, { onProgress } = {}) {
   }
 
   let completed = 0;
+  let batchedCta = null;
   const results = await Promise.all(
     batches.map(async (batch) => {
       const res = await fetch(API, {
         method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
+        headers: JSON_API_HEADERS,
         body: JSON.stringify({ packages: batch, ecosystem }),
       });
       if (!res.ok) {
+        if (res.status === 429) await handle429(res);
         const text = await res.text();
         throw new Error(`API error ${res.status}: ${text}`);
       }
       const data = await res.json();
+      if (data._cta) batchedCta = data._cta;
       completed += batch.length;
       if (onProgress) onProgress(completed, packages.length);
       return data.results || [];
@@ -727,7 +828,7 @@ async function auditBatched(packages, ecosystem, { onProgress } = {}) {
     return (a.score || 100) - (b.score || 100);
   });
 
-  return all;
+  return { results: all, _cta: batchedCta };
 }
 
 /** Parse --fail-on=<level>. Returns one of 'critical' | 'risky' | 'none'. */
@@ -842,7 +943,7 @@ async function cmdLogin(keyArg) {
 
   if (!key || !key.startsWith('sk_commit_')) {
     console.error(clr(c.red, '\n  Invalid API key format. Keys start with sk_commit_'));
-    console.error(clr(c.dim, '  Get one at https://getcommit.dev/get-started\n'));
+    console.error(clr(c.dim, '  Get one at https://getcommit.dev/get-started?utm_source=cli\n'));
     process.exit(1);
   }
 
@@ -884,7 +985,7 @@ async function cmdStatus() {
   if (!key) {
     console.log(clr(c.dim, '\n  Not logged in.'));
     console.log(clr(c.dim, '  Run ') + clr(c.cyan, 'poc login') + clr(c.dim, ' to authenticate.'));
-    console.log(clr(c.dim, '  Get a free key at https://getcommit.dev/get-started\n'));
+    console.log(clr(c.dim, '  Get a free key at https://getcommit.dev/get-started?utm_source=cli\n'));
     return;
   }
 
@@ -1285,14 +1386,17 @@ async function cmdReport(packages, ecosystem, { filePath, isLockfile, totalScann
     if (packages.length <= 20) {
       const res = await fetch(API, {
         method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
+        headers: JSON_API_HEADERS,
         body: JSON.stringify({ packages, ecosystem }),
       });
-      if (!res.ok) throw new Error(`API error ${res.status}: ${await res.text()}`);
+      if (!res.ok) {
+        if (res.status === 429) await handle429(res);
+        throw new Error(`API error ${res.status}: ${await res.text()}`);
+      }
       const data = await res.json();
       allResults = data.results || [];
     } else {
-      allResults = await auditBatched(packages, ecosystem);
+      allResults = (await auditBatched(packages, ecosystem)).results;
     }
   } catch (err) {
     console.error(`\nError: ${err.message}`);
@@ -1674,6 +1778,7 @@ async function main() {
   const t0 = Date.now();
 
   let allResults;
+  let apiCta = null;
 
   if (packages.length <= 20) {
     if (!jsonOutput) process.stdout.write(clr(c.dim, `Scoring ${packages.length} ${ecosystem} package${packages.length > 1 ? 's' : ''}...`));
@@ -1681,15 +1786,17 @@ async function main() {
     try {
       const res = await fetch(API, {
         method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
+        headers: JSON_API_HEADERS,
         body: JSON.stringify({ packages, ecosystem }),
       });
       if (!res.ok) {
+        if (res.status === 429) await handle429(res);
         const text = await res.text();
         throw new Error(`API error ${res.status}: ${text}`);
       }
       const data = await res.json();
       allResults = data.results || [];
+      apiCta = data._cta || null;
     } catch (err) {
       console.error(`\nError: ${err.message}`);
       process.exit(1);
@@ -1704,7 +1811,7 @@ async function main() {
 
     let lastPct = 0;
     try {
-      allResults = await auditBatched(packages, ecosystem, {
+      const batchResult = await auditBatched(packages, ecosystem, {
         onProgress: (done, total) => {
           const pct = Math.round((done / total) * 100);
           if (pct >= lastPct + 20) {
@@ -1713,6 +1820,8 @@ async function main() {
           }
         }
       });
+      allResults = batchResult.results;
+      apiCta = batchResult._cta;
     } catch (err) {
       console.error(`\nError: ${err.message}`);
       process.exit(1);
@@ -1739,6 +1848,7 @@ async function main() {
     const displayed = allResults.slice(0, MAX_DISPLAY);
     const criticalTotal = allResults.filter(r => hasCritical(r.riskFlags)).length;
     printTable(displayed, { totalScanned: allResults.length, totalCritical: criticalTotal, lockfile: true });
+    if (apiCta) console.log(clr(c.dim + c.cyan, `\n  ${apiCta}`));
     await inlineSignup(displayed);
     if (shouldFail(allResults, failOn)) {
       console.error(clr(c.red + c.bold, `\n✗ --fail-on=${failOn} threshold met. Exit 1.`));
@@ -1770,6 +1880,7 @@ async function main() {
   }
 
   printTable(allResults);
+  if (apiCta) console.log(clr(c.dim + c.cyan, `\n  ${apiCta}`));
   await inlineSignup(allResults);
   if (shouldFail(allResults, failOn)) {
     console.error(clr(c.red + c.bold, `✗ --fail-on=${failOn} threshold met. Exit 1.`));

package/package.json

@@ -1,6 +1,7 @@
 {
   "name": "proof-of-commitment",
-  "version": "1.14.0",
+  "version": "1.18.0",
+  "mcpName": "io.github.piiiico/proof-of-commitment",
   "description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
   "type": "module",
   "bin": {
@@ -10,7 +11,8 @@
   "main": "./index.js",
   "files": [
     "index.js",
-    "README.md"
+    "README.md",
+    "LICENSE"
   ],
   "keywords": [
     "supply-chain",