npm - proof-of-commitment - Versions diffs - 1.17.1 → 1.18.1 - Mend

proof-of-commitment 1.17.1 → 1.18.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -56,7 +56,7 @@ npx proof-of-commitment --file go.sum    # full transitive set
 # Install once, then use the `poc` alias:
 npm install -g proof-of-commitment
-# Get a free API key at https://getcommit.dev/get-started, then:
+# Get a free API key at https://getcommit.dev/get-started?utm_source=cli, then:
 poc login sk_commit_your_key_here
 # ✓ Authenticated — Tier: Free — Usage: 0/200 requests (daily)

package/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * proof-of-commitment CLI v1.17.1
+ * proof-of-commitment CLI v1.18.1
  * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
  * Usage: npx proof-of-commitment [packages...] [options]
  */
@@ -279,10 +279,10 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
     }
   }
-  // Contextual upsell — show when findings make monitoring relevant
-  // In TTY mode, inlineSignup() handles the upsell interactively — skip static text
+  // Contextual upsell — show when findings make monitoring relevant.
+  // In TTY mode, inlineSignup() handles the CRITICAL/risky upsell interactively — skip static text there.
+  const hasKey = !!process.env.COMMIT_API_KEY || _cachedHasKey;
   if (effectiveCritical > 0) {
-    const hasKey = !!process.env.COMMIT_API_KEY || _cachedHasKey;
     if (hasKey) {
       console.log(clr(c.dim, `\n  📊 Monitor ${effectiveCritical === 1 ? 'this package' : 'these packages'}: `) +
         clr(c.cyan, `poc watch ${results.find(r => hasCritical(r.riskFlags))?.name || results[0]?.name}`));
@@ -293,6 +293,19 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
       console.log(clr(c.dim, '     Then run: ') + clr(c.cyan, 'poc login'));
     }
     // else: TTY mode — inlineSignup() will prompt interactively after printTable
+  } else if (!hasKey) {
+    // HEALTHY case + no saved key: soft watchlist CTA. The all-healthy
+    // footer previously surfaced only CI-shaped CTAs (Action, `poc init`)
+    // which both require active commitment — workflow change + repo edit.
+    // The lowest-friction conversion (email → API key → watchlist) was
+    // hidden behind the CRITICAL gate of inlineSignup(). Buyer-journey
+    // dogfood 2026-05-24 found 1472 weekly downloads → 0 organic signups;
+    // the watchlist value prop ("alert me when these degrade") is real
+    // for healthy packages too — that's exactly when monitoring matters.
+    // ref=audit-baseline distinguishes this funnel from audit-cli-429
+    // (rate-limit rescue) and from the static utm_source=cli help-line.
+    console.log(clr(c.dim, '\n  📊 Save this scan as your baseline. Re-run anytime with a free key:'));
+    console.log(clr(c.dim, '     ') + clr(c.cyan, 'https://getcommit.dev/get-started?ref=audit-baseline&utm_source=cli') + clr(c.dim, '  (200/day free; push alerts on Developer $15/mo)'));
   }
   console.log();
 }
@@ -314,8 +327,8 @@ async function inlineSignup(results) {
   if (!shouldPrompt) return;
   console.log(clr(c.dim, '  ─────────────────────────────────────────────'));
-  console.log(clr(c.bold, '  🔔 Get alerts when these scores change?'));
-  console.log(clr(c.dim, '     Free API key — no credit card, 10 seconds.\n'));
+  console.log(clr(c.bold, '  🔔 Lock in this audit. Get alerts if these packages get worse.'));
+  console.log(clr(c.dim, '     Free, no card, 10 seconds. Saves to ~/.commit/config.\n'));
   const { createInterface } = await import('readline');
   const rl = createInterface({ input: process.stdin, output: process.stdout });
@@ -371,7 +384,7 @@ async function inlineSignup(results) {
 function printHelp() {
   console.log(`
-${clr(c.bold, 'proof-of-commitment')} v1.16.0 — supply chain risk scorer
+${clr(c.bold, 'proof-of-commitment')} v1.18.1 — supply chain risk scorer
 ${clr(c.bold, 'Usage:')}
   npx proof-of-commitment                            Auto-detect manifest in current dir
@@ -408,7 +421,7 @@ ${clr(c.bold, 'Monitoring (Pro):')}
   poc watchlist       List monitored packages with current scores + risk
   poc unwatch <pkg>   Remove a package from monitoring
-  Get a free key: https://getcommit.dev/get-started
+  Get a free key: https://getcommit.dev/get-started?utm_source=cli
   Upgrade to Pro:  https://getcommit.dev/pricing
 ${clr(c.bold, 'Options:')}
@@ -930,7 +943,7 @@ async function cmdLogin(keyArg) {
   if (!key || !key.startsWith('sk_commit_')) {
     console.error(clr(c.red, '\n  Invalid API key format. Keys start with sk_commit_'));
-    console.error(clr(c.dim, '  Get one at https://getcommit.dev/get-started\n'));
+    console.error(clr(c.dim, '  Get one at https://getcommit.dev/get-started?utm_source=cli\n'));
     process.exit(1);
   }
@@ -972,7 +985,7 @@ async function cmdStatus() {
   if (!key) {
     console.log(clr(c.dim, '\n  Not logged in.'));
     console.log(clr(c.dim, '  Run ') + clr(c.cyan, 'poc login') + clr(c.dim, ' to authenticate.'));
-    console.log(clr(c.dim, '  Get a free key at https://getcommit.dev/get-started\n'));
+    console.log(clr(c.dim, '  Get a free key at https://getcommit.dev/get-started?utm_source=cli\n'));
     return;
   }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "proof-of-commitment",
-  "version": "1.17.1",
+  "version": "1.18.1",
   "mcpName": "io.github.piiiico/proof-of-commitment",
   "description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
   "type": "module",