npm - proof-of-commitment - Versions diffs - 1.19.0 → 1.20.0 - Mend

proof-of-commitment 1.19.0 → 1.20.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -51,23 +51,26 @@ npx proof-of-commitment --file go.sum    # full transitive set
 **Web demo (no install):** [getcommit.dev/audit](https://getcommit.dev/audit) — paste your packages, see risk scores in seconds.
-## Get notified before the next attack
-The CLI tells you what's risky today. A free API key unlocks **monitoring** — daily score recomputation across the packages you depend on, with alerts when one degrades (publisher drops, release stalls, score falls ≥10 points).
-[**Get a free API key →**](https://getcommit.dev/get-started?ref=npm-readme-monitoring&utm_source=cli) — no card, 30 seconds · 200 audits/day free · Developer $15/mo unlocks alerts + watchlist.
+**Account + monitoring (v1.10.0):**
 ```bash
 # Install once, then use the `poc` alias:
 npm install -g proof-of-commitment
-# After getting your free key:
-poc login sk_commit_your_key_here   # save and validate
-poc status                          # check tier + usage
-poc watch chalk                     # start monitoring (Developer $15/mo)
+# Get a free API key at https://getcommit.dev/get-started?utm_source=cli, then:
+poc login sk_commit_your_key_here
+# ✓ Authenticated — Tier: Free — Usage: 0/200 requests (daily)
+poc status                          # check tier + usage anytime
+poc logout                          # remove saved key
+# Monitoring (Developer $15/mo+ — daily scans + alerts):
+poc watch chalk
 poc watch requests --ecosystem pypi
-poc watchlist                       # view all watched packages
-poc init                            # add CI gate to this project
+poc watch serde --ecosystem cargo
+poc watchlist                       # view scores + risk levels
+poc unwatch chalk
+# Enable monitoring: https://getcommit.dev/pricing
 ```
 Alerts fire on: score drop ≥10 points · package crosses CRITICAL threshold · recovery to HEALTHY.

package/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * proof-of-commitment CLI v1.19.0
+ * proof-of-commitment CLI v1.20.0
  * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
  * Usage: npx proof-of-commitment [packages...] [options]
  */
@@ -113,14 +113,80 @@ async function handle429(res) {
     );
   }
   console.error('');
-  console.error(clr(c.cyan + c.bold, `   → Free API key in 30 seconds (no card): ${instantKeyUrl}`));
-  if (retryAfter && retryAfter > 0) {
-    const hours = Math.floor(retryAfter / 3600);
-    const mins = Math.floor((retryAfter % 3600) / 60);
-    const resetIn = hours > 0 ? `${hours}h ${mins}m` : `${mins}m`;
-    console.error(clr(c.dim, `     or wait — free-tier resets in ${resetIn} (00:00 UTC).`));
+  // TTY: inline signup collapses the 6-step browser flow (visit URL → enter
+  // email → copy key → switch back to terminal → export key → re-run) to a
+  // single terminal prompt. Non-TTY (CI/piped) falls through to the URL.
+  if (process.stdin.isTTY && process.stdout.isTTY) {
+    console.error(clr(c.dim, '  ─────────────────────────────────────────────'));
+    console.error(clr(c.bold, '  Get a free key and keep scanning (no card, saves to ~/.commit/config):'));
+    console.error('');
+    const { createInterface } = await import('readline');
+    const rl = createInterface({ input: process.stdin, output: process.stderr });
+    const email = await new Promise(resolve => {
+      rl.question(clr(c.dim, '  Your email (Enter to skip): '), answer => {
+        rl.close();
+        resolve(answer.trim());
+      });
+    });
+    if (email && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
+      process.stderr.write(clr(c.dim, '  Creating key...'));
+      try {
+        const createRes = await fetch('https://poc-backend.amdal-dev.workers.dev/api/keys/create', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ email, source: 'audit-cli-429' }),
+        });
+        const keyData = await createRes.json();
+        if (keyData.key) {
+          await writeApiKey(keyData.key);
+          console.error(clr(c.green, ' ✓ Key saved to ~/.commit/config'));
+          console.error(clr(c.dim, `     Backup sent to ${email}`));
+          console.error('');
+          console.error(clr(c.bold, '  Re-run your command to continue with your new key.'));
+          console.error('');
+        } else {
+          const errMsg = keyData.error === 'rate_limit_exceeded'
+            ? 'Too many keys from this IP today — try again tomorrow.'
+            : (keyData.message || 'Could not create key. Try the web: ' + instantKeyUrl);
+          console.error(clr(c.red, ` Failed: ${errMsg}`));
+          console.error('');
+        }
+      } catch (err) {
+        console.error(clr(c.red, ` Error: ${err.message}`));
+        console.error(clr(c.dim, `  Try the web: ${instantKeyUrl}`));
+        console.error('');
+      }
+    } else if (email) {
+      console.error(clr(c.red, '  Invalid email. Skipped.'));
+      console.error(clr(c.dim, `  Try the web: ${instantKeyUrl}`));
+      console.error('');
+    } else {
+      // User pressed Enter to skip — show URL as fallback
+      console.error(clr(c.cyan + c.bold, `  → Get a free key later: ${instantKeyUrl}`));
+      if (retryAfter && retryAfter > 0) {
+        const hours = Math.floor(retryAfter / 3600);
+        const mins = Math.floor((retryAfter % 3600) / 60);
+        const resetIn = hours > 0 ? `${hours}h ${mins}m` : `${mins}m`;
+        console.error(clr(c.dim, `     or wait — free-tier resets in ${resetIn} (00:00 UTC).`));
+      }
+      console.error('');
+    }
+  } else {
+    // Non-TTY fallback: print URL for CI/piped contexts
+    console.error(clr(c.cyan + c.bold, `   → Free API key in 30 seconds (no card): ${instantKeyUrl}`));
+    if (retryAfter && retryAfter > 0) {
+      const hours = Math.floor(retryAfter / 3600);
+      const mins = Math.floor((retryAfter % 3600) / 60);
+      const resetIn = hours > 0 ? `${hours}h ${mins}m` : `${mins}m`;
+      console.error(clr(c.dim, `     or wait — free-tier resets in ${resetIn} (00:00 UTC).`));
+    }
+    console.error('');
   }
-  console.error('');
   process.exit(1);
 }
@@ -396,7 +462,7 @@ async function inlineSignup(results) {
 function printHelp() {
   console.log(`
-${clr(c.bold, 'proof-of-commitment')} v1.19.0 — supply chain risk scorer
+${clr(c.bold, 'proof-of-commitment')} v1.20.0 — supply chain risk scorer
 ${clr(c.bold, 'Usage:')}
   npx proof-of-commitment                            Auto-detect manifest in current dir

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "proof-of-commitment",
-  "version": "1.19.0",
+  "version": "1.20.0",
   "mcpName": "io.github.piiiico/proof-of-commitment",
   "description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
   "type": "module",