proof-of-commitment 1.18.1 → 1.19.0

package/README.md

@@ -51,26 +51,23 @@ npx proof-of-commitment --file go.sum    # full transitive set
 
 **Web demo (no install):** [getcommit.dev/audit](https://getcommit.dev/audit) — paste your packages, see risk scores in seconds.
 
-**Account + monitoring (v1.10.0):**
+## Get notified before the next attack
+
+The CLI tells you what's risky today. A free API key unlocks **monitoring** — daily score recomputation across the packages you depend on, with alerts when one degrades (publisher drops, release stalls, score falls ≥10 points).
+
+[**Get a free API key →**](https://getcommit.dev/get-started?ref=npm-readme-monitoring&utm_source=cli) — no card, 30 seconds · 200 audits/day free · Developer $15/mo unlocks alerts + watchlist.
+
 ```bash
 # Install once, then use the `poc` alias:
 npm install -g proof-of-commitment
 
-# Get a free API key at https://getcommit.dev/get-started?utm_source=cli, then:
-poc login sk_commit_your_key_here
-# ✓ Authenticated — Tier: Free — Usage: 0/200 requests (daily)
-
-poc status                          # check tier + usage anytime
-poc logout                          # remove saved key
-
-# Monitoring (Pro tier — daily scans + alerts):
-poc watch chalk
+# After getting your free key:
+poc login sk_commit_your_key_here   # save and validate
+poc status                          # check tier + usage
+poc watch chalk                     # start monitoring (Developer $15/mo)
 poc watch requests --ecosystem pypi
-poc watch serde --ecosystem cargo
-poc watchlist                       # view scores + risk levels
-poc unwatch chalk
-
-# Upgrade to Pro: https://getcommit.dev/pricing
+poc watchlist                       # view all watched packages
+poc init                            # add CI gate to this project
 ```
 
 Alerts fire on: score drop ≥10 points · package crosses CRITICAL threshold · recovery to HEALTHY.
@@ -132,12 +129,12 @@ When `comment-on-pr: true` (default), the action automatically posts the audit t
 | `max-packages` | `20` | Max packages to audit when auto-detecting |
 | `include-dev-dependencies` | `false` | Include `devDependencies` from `package.json` |
 | `comment-on-pr` | `true` | Post audit results as a PR comment (requires `pull-requests: write` permission) |
-| `api-key` | _(none)_ | [Commit Pro](https://getcommit.dev/pricing) API key — enables batch requests and 10K requests/month |
+| `api-key` | _(none)_ | [Commit](https://getcommit.dev/pricing) API key — enables batch requests; Developer ($15/mo) gets 10K requests/month |
 | `api-url` | _(prod)_ | Override API endpoint (useful for self-hosting) |
 
 **Outputs:** `has-critical`, `critical-count`, `audit-summary` (markdown table, also written to Step Summary).
 
-**Free vs Pro:** Without an API key, packages are audited one at a time (with delays to respect rate limits). With a Pro API key, all packages are audited in a single batch request — faster and with higher monthly limits.
+**Free vs paid:** Without an API key, packages are audited one at a time (with delays to respect rate limits). With any API key (free or paid), all packages are audited in a single batch request — faster. Paid tiers (Developer $15/mo+) raise the monthly request limit and unlock daily monitoring.
 
 Example PR comment / Step Summary output:
 

package/index.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * proof-of-commitment CLI v1.18.1
+ * proof-of-commitment CLI v1.19.0
  * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
  * Usage: npx proof-of-commitment [packages...] [options]
  */
@@ -293,15 +293,11 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
       console.log(clr(c.dim, '     Then run: ') + clr(c.cyan, 'poc login'));
     }
     // else: TTY mode — inlineSignup() will prompt interactively after printTable
-  } else if (!hasKey) {
-    // HEALTHY case + no saved key: soft watchlist CTA. The all-healthy
-    // footer previously surfaced only CI-shaped CTAs (Action, `poc init`)
-    // which both require active commitment — workflow change + repo edit.
-    // The lowest-friction conversion (email → API key → watchlist) was
-    // hidden behind the CRITICAL gate of inlineSignup(). Buyer-journey
-    // dogfood 2026-05-24 found 1472 weekly downloads → 0 organic signups;
-    // the watchlist value prop ("alert me when these degrade") is real
-    // for healthy packages too — that's exactly when monitoring matters.
+  } else if (!hasKey && (!process.stdin.isTTY || !process.stdout.isTTY)) {
+    // HEALTHY case + no saved key + non-TTY (CI/piped): static baseline CTA.
+    // In TTY mode, inlineSignup() now prompts interactively for healthy results
+    // too — the dim text below converted 0/621 weekly downloads. Keep static
+    // text only in CI/piped output where interactive prompts can't fire.
     // ref=audit-baseline distinguishes this funnel from audit-cli-429
     // (rate-limit rescue) and from the static utm_source=cli help-line.
     console.log(clr(c.dim, '\n  📊 Save this scan as your baseline. Re-run anytime with a free key:'));
@@ -311,23 +307,35 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
 }
 
 /**
- * Inline signup: after CRITICAL findings, offer one-step email→key flow.
+ * Inline signup: after any real audit, offer one-step email→key flow.
  * Collapses 6-step funnel (visit site → email → check inbox → copy key → login → watch)
  * into a single CLI prompt.
+ *
+ * v1.19: Triggers on healthy results too (≥3 packages). The dim "Save this scan
+ * as your baseline" footer line converted 0/621 weekly downloads — replacing it
+ * with an interactive prompt at the moment of audit success captures more
+ * intent. Copy adapts to context: degradation alerts (CRITICAL) vs baseline
+ * lock-in (healthy). Quick lookups (<3 packages) still skip the prompt.
  */
 async function inlineSignup(results) {
-  // Only prompt in interactive TTY when findings make monitoring relevant and no key saved
+  // Only prompt in interactive TTY when no key saved
   if (!process.stdin.isTTY || !process.stdout.isTTY) return;
   const hasKey = !!process.env.COMMIT_API_KEY || _cachedHasKey;
   if (hasKey) return;
   const critPkgs = results.filter(r => hasCritical(r.riskFlags));
   const lowScorePkgs = results.filter(r => typeof r.score === 'number' && r.score < 60);
-  // Gate: ≥1 CRITICAL, OR ≥2 packages with score<60, OR large scan (≥50 packages)
-  const shouldPrompt = critPkgs.length >= 1 || lowScorePkgs.length >= 2 || results.length >= 50;
-  if (!shouldPrompt) return;
+  // Gate: ≥3 packages scanned (real audit, not a one-off `npx poc somepkg` check)
+  if (results.length < 3) return;
+
+  const hasFindings = critPkgs.length >= 1 || lowScorePkgs.length >= 2;
+  // Copy adapts to context. Findings → degradation framing.
+  // Healthy → baseline-lock framing (still real value: alert me if any score drops).
+  const heading = hasFindings
+    ? '  🔔 Lock in this audit. Get alerted if these packages get worse.'
+    : '  🔔 Lock in this baseline. Get alerted if any of these packages degrade.';
 
   console.log(clr(c.dim, '  ─────────────────────────────────────────────'));
-  console.log(clr(c.bold, '  🔔 Lock in this audit. Get alerts if these packages get worse.'));
+  console.log(clr(c.bold, heading));
   console.log(clr(c.dim, '     Free, no card, 10 seconds. Saves to ~/.commit/config.\n'));
 
   const { createInterface } = await import('readline');
@@ -366,8 +374,12 @@ async function inlineSignup(results) {
       console.log();
       console.log(clr(c.bold, '  Next steps:'));
       console.log(clr(c.dim, '    • ') + clr(c.cyan, 'poc status') + clr(c.dim, '       — check your account'));
-      if (critPkgs.length > 0) {
-        console.log(clr(c.dim, '    • ') + clr(c.cyan, `poc watch ${critPkgs[0].name}`) + clr(c.dim, '  — start monitoring (Pro)'));
+      // Surface a concrete watch target. CRITICAL first (highest urgency);
+      // otherwise pick the lowest-score package as the most-likely-to-degrade.
+      const watchTarget = critPkgs[0]?.name
+        || results.slice().sort((a, b) => (a.score || 100) - (b.score || 100))[0]?.name;
+      if (watchTarget) {
+        console.log(clr(c.dim, '    • ') + clr(c.cyan, `poc watch ${watchTarget}`) + clr(c.dim, '  — start monitoring (Developer $15/mo)'));
       }
       console.log(clr(c.dim, '    • ') + clr(c.cyan, 'poc init') + clr(c.dim, '          — add CI gate to this project'));
     } else if (data.message) {
@@ -384,7 +396,7 @@ async function inlineSignup(results) {
 
 function printHelp() {
   console.log(`
-${clr(c.bold, 'proof-of-commitment')} v1.18.1 — supply chain risk scorer
+${clr(c.bold, 'proof-of-commitment')} v1.19.0 — supply chain risk scorer
 
 ${clr(c.bold, 'Usage:')}
   npx proof-of-commitment                            Auto-detect manifest in current dir
@@ -415,14 +427,14 @@ ${clr(c.bold, 'Account:')}
   poc status          Show current tier, usage, and limits
   poc logout          Remove saved API key
 
-${clr(c.bold, 'Monitoring (Pro):')}
+${clr(c.bold, 'Monitoring (Developer $15/mo+):')}
   poc watch <package> [--ecosystem npm|pypi|cargo|golang]
                       Add a package to daily monitoring
   poc watchlist       List monitored packages with current scores + risk
   poc unwatch <pkg>   Remove a package from monitoring
 
-  Get a free key: https://getcommit.dev/get-started?utm_source=cli
-  Upgrade to Pro:  https://getcommit.dev/pricing
+  Get a free key:        https://getcommit.dev/get-started?utm_source=cli
+  Enable monitoring:     https://getcommit.dev/pricing?utm_source=cli&utm_campaign=help
 
 ${clr(c.bold, 'Options:')}
   --json              Output results as JSON
@@ -965,13 +977,14 @@ async function cmdLogin(keyArg) {
   console.log(clr(c.dim, `  Saved to: ${configPath}`));
   console.log();
 
-  if (info.tier === 'pro' || info.tier === 'enterprise') {
-    console.log(clr(c.cyan, '  Pro features unlocked:'));
+  if (info.tier === 'developer' || info.tier === 'pro' || info.tier === 'enterprise') {
+    console.log(clr(c.cyan, '  Monitoring unlocked:'));
     console.log(clr(c.dim, '    poc watch <package>    Add a package to daily monitoring'));
     console.log(clr(c.dim, '    poc watchlist          View monitored packages'));
     console.log(clr(c.dim, '    poc unwatch <package>  Remove from monitoring'));
   } else {
-    console.log(clr(c.dim, '  Upgrade to Pro for monitoring + alerts: https://getcommit.dev/pricing?utm_source=cli'));
+    console.log(clr(c.dim, '  Enable monitoring + alerts on Developer ($15/mo):'));
+    console.log(clr(c.cyan, '    https://getcommit.dev/pricing?utm_source=cli&utm_campaign=post-login'));
   }
   console.log();
 }
@@ -1009,7 +1022,8 @@ async function cmdStatus() {
   if (info.tier === 'free') {
     const pct = info.requests_limit > 0 ? Math.round((info.requests_used / info.requests_limit) * 100) : 0;
     if (pct >= 80) {
-      console.log(clr(c.yellow, `  ⚠ ${pct}% of daily limit used. Upgrade for 10K/month: https://getcommit.dev/pricing`));
+      console.log(clr(c.yellow, `  ⚠ ${pct}% of daily limit used. Developer ($15/mo) gets 10K/month + monitoring:`));
+      console.log(clr(c.cyan, `    https://getcommit.dev/pricing?utm_source=cli&utm_campaign=status-limit`));
     }
   }
 }
@@ -1036,11 +1050,24 @@ function tierLabel(tier) {
 
 /**
  * Handle 402 upgrade response from watchlist endpoints.
+ * Reads server response so the tier name, price, and URL stay authoritative
+ * (server is canonical — CLI was historically out of date saying "Pro" when
+ * "Developer" was the actual gate). Appends CLI UTM for attribution.
  */
-function printUpgradeRequired() {
-  console.error(clr(c.yellow + c.bold, '\n  ✦ Commit Pro required'));
-  console.error(clr(c.dim, '    Monitoring, daily scans, and alerts are Pro features.'));
-  console.error(clr(c.cyan, '    Upgrade at https://getcommit.dev/pricing\n'));
+async function printUpgradeRequired(res, campaign = 'watchlist-402') {
+  let body = null;
+  try { body = await res.json(); } catch {}
+  const plan = (body && body.upgrade && body.upgrade.plan) || 'developer';
+  const planLabel = plan.charAt(0).toUpperCase() + plan.slice(1);
+  const price = (body && body.upgrade && body.upgrade.price) || '$15/month';
+  const baseUrl = (body && body.upgrade && body.upgrade.url) || 'https://getcommit.dev/pricing';
+  const url = baseUrl + (baseUrl.includes('?') ? '&' : '?') + `utm_source=cli&utm_campaign=${campaign}`;
+  const currentTier = body && body.current_tier ? body.current_tier : 'free';
+
+  console.error(clr(c.yellow + c.bold, `\n  ✦ ${planLabel} (${price}) required`));
+  console.error(clr(c.dim, `    Monitoring, daily scans, and alerts start on ${planLabel}.`));
+  console.error(clr(c.dim, `    Current tier: ${currentTier}`));
+  console.error(clr(c.cyan, `    Upgrade at ${url}\n`));
 }
 
 /**
@@ -1061,7 +1088,7 @@ async function cmdWatch(pkg, ecosystem) {
     body: JSON.stringify({ package: pkg, ecosystem }),
   });
 
-  if (res.status === 402) { printUpgradeRequired(); process.exit(1); }
+  if (res.status === 402) { process.stdout.write('\n'); await printUpgradeRequired(res, 'watch-cmd'); process.exit(1); }
 
   const data = await res.json();
   if (!res.ok) {
@@ -1093,7 +1120,7 @@ async function cmdWatchlist() {
     headers: { 'Authorization': `Bearer ${key}` },
   });
 
-  if (res.status === 402) { printUpgradeRequired(); process.exit(1); }
+  if (res.status === 402) { await printUpgradeRequired(res, 'watchlist-cmd'); process.exit(1); }
 
   const data = await res.json();
   if (!res.ok) {
@@ -1132,7 +1159,7 @@ async function cmdWatchlist() {
   const divider = '─'.repeat(divWidth);
 
   console.log('\n' + divider);
-  console.log(clr(c.dim, `  Commit Pro watchlist · ${pkgs.length}/${data.limit} packages · tier: ${data.tier}`));
+  console.log(clr(c.dim, `  Commit watchlist · ${pkgs.length}/${data.limit} packages · tier: ${data.tier}`));
   console.log(divider);
   console.log(header);
   console.log(divider);
@@ -1175,7 +1202,7 @@ async function cmdUnwatch(pkg, ecosystem) {
     body: JSON.stringify({ package: pkg, ecosystem }),
   });
 
-  if (res.status === 402) { printUpgradeRequired(); process.exit(1); }
+  if (res.status === 402) { process.stdout.write('\n'); await printUpgradeRequired(res, 'unwatch-cmd'); process.exit(1); }
 
   const data = await res.json();
   if (!res.ok) {
@@ -1315,7 +1342,7 @@ ${rows}
 <div class="footer">
   <span>Generated by <a href="${WEB}" target="_blank">proof-of-commitment</a></span>
   <span><a href="https://github.com/piiiico/commit-action" target="_blank">GitHub Action</a></span>
-  <span><a href="https://getcommit.dev/pricing?utm_source=cli&amp;utm_medium=report" target="_blank">Commit Pro</a></span>
+  <span><a href="https://getcommit.dev/pricing?utm_source=cli&amp;utm_medium=report" target="_blank">Enable monitoring</a></span>
 </div>
 <script>
 function copyMd() {
@@ -1573,9 +1600,11 @@ jobs:
     console.log(clr(c.white, '  1. The badge updates daily with your project\'s score'));
     console.log(clr(c.white, '  2. Push to trigger the existing workflow'));
   }
-  console.log(clr(c.dim, `\n  Want daily monitoring + alerts? Get a free key:`));
-  console.log(clr(c.cyan, '  https://getcommit.dev/get-started?utm_source=cli'));
-  console.log(clr(c.dim, '  Then run: ') + clr(c.cyan, 'poc login') + clr(c.dim, ' + ') + clr(c.cyan, 'poc watch <package>\n'));
+  console.log(clr(c.dim, `\n  Want daily monitoring + alerts on your dependencies?`));
+  console.log(clr(c.dim, '    1. Free key (200 scans/day):  ') + clr(c.cyan, 'https://getcommit.dev/get-started?utm_source=cli'));
+  console.log(clr(c.dim, '    2. Authenticate:              ') + clr(c.cyan, 'poc login'));
+  console.log(clr(c.dim, '    3. Enable monitoring ($15/mo): ') + clr(c.cyan, 'https://getcommit.dev/pricing?utm_source=cli&utm_campaign=init'));
+  console.log(clr(c.dim, '    4. Watch a package:           ') + clr(c.cyan, 'poc watch <package>\n'));
 }
 
 async function main() {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "proof-of-commitment",
-  "version": "1.18.1",
+  "version": "1.19.0",
   "mcpName": "io.github.piiiico/proof-of-commitment",
   "description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
   "type": "module",