proof-of-commitment 1.20.0 → 1.20.1
- package/README.md +12 -15
- package/index.js +23 -5
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -51,26 +51,23 @@ npx proof-of-commitment --file go.sum # full transitive set
|
|
|
51
51
|
|
|
52
52
|
**Web demo (no install):** [getcommit.dev/audit](https://getcommit.dev/audit) — paste your packages, see risk scores in seconds.
|
|
53
53
|
|
|
54
|
-
|
|
54
|
+
## Get notified before the next attack
|
|
55
|
+
|
|
56
|
+
The CLI tells you what's risky today. A free API key unlocks **monitoring** — daily score recomputation across the packages you depend on, with alerts when one degrades (publisher drops, release stalls, score falls ≥10 points).
|
|
57
|
+
|
|
58
|
+
[**Get a free API key →**](https://getcommit.dev/get-started?ref=npm-readme-monitoring&utm_source=cli) — no card, 30 seconds · 200 audits/day free · Developer $15/mo unlocks alerts + watchlist.
|
|
59
|
+
|
|
55
60
|
```bash
|
|
56
61
|
# Install once, then use the `poc` alias:
|
|
57
62
|
npm install -g proof-of-commitment
|
|
58
63
|
|
|
59
|
-
#
|
|
60
|
-
poc login sk_commit_your_key_here
|
|
61
|
-
#
|
|
62
|
-
|
|
63
|
-
poc status # check tier + usage anytime
|
|
64
|
-
poc logout # remove saved key
|
|
65
|
-
|
|
66
|
-
# Monitoring (Developer $15/mo+ — daily scans + alerts):
|
|
67
|
-
poc watch chalk
|
|
64
|
+
# After getting your free key:
|
|
65
|
+
poc login sk_commit_your_key_here # save and validate
|
|
66
|
+
poc status # check tier + usage
|
|
67
|
+
poc watch chalk # start monitoring (Developer $15/mo)
|
|
68
68
|
poc watch requests --ecosystem pypi
|
|
69
|
-
poc
|
|
70
|
-
poc
|
|
71
|
-
poc unwatch chalk
|
|
72
|
-
|
|
73
|
-
# Enable monitoring: https://getcommit.dev/pricing
|
|
69
|
+
poc watchlist # view all watched packages
|
|
70
|
+
poc init # add CI gate to this project
|
|
74
71
|
```
|
|
75
72
|
|
|
76
73
|
Alerts fire on: score drop ≥10 points · package crosses CRITICAL threshold · recovery to HEALTHY.
|
package/index.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
#!/usr/bin/env node
|
|
2
2
|
/**
|
|
3
|
-
* proof-of-commitment CLI v1.20.
|
|
3
|
+
* proof-of-commitment CLI v1.20.1
|
|
4
4
|
* Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
|
|
5
5
|
* Usage: npx proof-of-commitment [packages...] [options]
|
|
6
6
|
*/
|
|
@@ -22,6 +22,22 @@ const JSON_API_HEADERS = {
|
|
|
22
22
|
'Accept': 'application/json',
|
|
23
23
|
};
|
|
24
24
|
|
|
25
|
+
/**
|
|
26
|
+
* Build /api/audit request headers, adding Authorization: Bearer <key>
|
|
27
|
+
* when a key is present in COMMIT_API_KEY or ~/.commit/config.
|
|
28
|
+
*
|
|
29
|
+
* Without this, signed-up users hitting 429 stayed stuck: the inline-signup
|
|
30
|
+
* (v1.20.0) and URL signup flows both save the key locally, but the audit
|
|
31
|
+
* call site never read it — so "Re-run your command" still 429'd. Fixed
|
|
32
|
+
* in v1.20.1 after live dogfood confirmed the dead-end (see commit log).
|
|
33
|
+
*/
|
|
34
|
+
async function auditHeaders() {
|
|
35
|
+
const key = await readApiKey();
|
|
36
|
+
return key
|
|
37
|
+
? { ...JSON_API_HEADERS, Authorization: `Bearer ${key}` }
|
|
38
|
+
: JSON_API_HEADERS;
|
|
39
|
+
}
|
|
40
|
+
|
|
25
41
|
// ANSI color helpers
|
|
26
42
|
const c = {
|
|
27
43
|
reset: '\x1b[0m',
|
|
@@ -462,7 +478,7 @@ async function inlineSignup(results) {
|
|
|
462
478
|
|
|
463
479
|
function printHelp() {
|
|
464
480
|
console.log(`
|
|
465
|
-
${clr(c.bold, 'proof-of-commitment')} v1.20.
|
|
481
|
+
${clr(c.bold, 'proof-of-commitment')} v1.20.1 — supply chain risk scorer
|
|
466
482
|
|
|
467
483
|
${clr(c.bold, 'Usage:')}
|
|
468
484
|
npx proof-of-commitment Auto-detect manifest in current dir
|
|
@@ -876,11 +892,13 @@ async function auditBatched(packages, ecosystem, { onProgress } = {}) {
|
|
|
876
892
|
|
|
877
893
|
let completed = 0;
|
|
878
894
|
let batchedCta = null;
|
|
895
|
+
// Resolve auth once so all parallel batches share the same key lookup.
|
|
896
|
+
const headers = await auditHeaders();
|
|
879
897
|
const results = await Promise.all(
|
|
880
898
|
batches.map(async (batch) => {
|
|
881
899
|
const res = await fetch(API, {
|
|
882
900
|
method: 'POST',
|
|
883
|
-
headers
|
|
901
|
+
headers,
|
|
884
902
|
body: JSON.stringify({ packages: batch, ecosystem }),
|
|
885
903
|
});
|
|
886
904
|
if (!res.ok) {
|
|
@@ -1479,7 +1497,7 @@ async function cmdReport(packages, ecosystem, { filePath, isLockfile, totalScann
|
|
|
1479
1497
|
if (packages.length <= 20) {
|
|
1480
1498
|
const res = await fetch(API, {
|
|
1481
1499
|
method: 'POST',
|
|
1482
|
-
headers:
|
|
1500
|
+
headers: await auditHeaders(),
|
|
1483
1501
|
body: JSON.stringify({ packages, ecosystem }),
|
|
1484
1502
|
});
|
|
1485
1503
|
if (!res.ok) {
|
|
@@ -1881,7 +1899,7 @@ async function main() {
|
|
|
1881
1899
|
try {
|
|
1882
1900
|
const res = await fetch(API, {
|
|
1883
1901
|
method: 'POST',
|
|
1884
|
-
headers:
|
|
1902
|
+
headers: await auditHeaders(),
|
|
1885
1903
|
body: JSON.stringify({ packages, ecosystem }),
|
|
1886
1904
|
});
|
|
1887
1905
|
if (!res.ok) {
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "proof-of-commitment",
|
|
3
|
-
"version": "1.20.
|
|
3
|
+
"version": "1.20.1",
|
|
4
4
|
"mcpName": "io.github.piiiico/proof-of-commitment",
|
|
5
5
|
"description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
|
|
6
6
|
"type": "module",
|