npm - proof-of-commitment - Versions diffs - 1.20.0 → 1.21.0 - Mend

proof-of-commitment 1.20.0 → 1.21.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -51,26 +51,23 @@ npx proof-of-commitment --file go.sum    # full transitive set
 **Web demo (no install):** [getcommit.dev/audit](https://getcommit.dev/audit) — paste your packages, see risk scores in seconds.
-**Account + monitoring (v1.10.0):**
+## Get notified before the next attack
+The CLI tells you what's risky today. A free API key unlocks **monitoring** — daily score recomputation across the packages you depend on, with alerts when one degrades (publisher drops, release stalls, score falls ≥10 points).
+[**Get a free API key →**](https://getcommit.dev/get-started?ref=npm-readme-monitoring&utm_source=cli) — no card, 30 seconds · 200 audits/day free · Developer $15/mo unlocks alerts + watchlist.
 ```bash
 # Install once, then use the `poc` alias:
 npm install -g proof-of-commitment
-# Get a free API key at https://getcommit.dev/get-started?utm_source=cli, then:
-poc login sk_commit_your_key_here
-# ✓ Authenticated — Tier: Free — Usage: 0/200 requests (daily)
-poc status                          # check tier + usage anytime
-poc logout                          # remove saved key
-# Monitoring (Developer $15/mo+ — daily scans + alerts):
-poc watch chalk
+# After getting your free key:
+poc login sk_commit_your_key_here   # save and validate
+poc status                          # check tier + usage
+poc watch chalk                     # start monitoring (Developer $15/mo)
 poc watch requests --ecosystem pypi
-poc watch serde --ecosystem cargo
-poc watchlist                       # view scores + risk levels
-poc unwatch chalk
-# Enable monitoring: https://getcommit.dev/pricing
+poc watchlist                       # view all watched packages
+poc init                            # add CI gate to this project
 ```
 Alerts fire on: score drop ≥10 points · package crosses CRITICAL threshold · recovery to HEALTHY.

package/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * proof-of-commitment CLI v1.20.0
+ * proof-of-commitment CLI v1.21.0
  * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
  * Usage: npx proof-of-commitment [packages...] [options]
  */
@@ -22,6 +22,22 @@ const JSON_API_HEADERS = {
   'Accept': 'application/json',
 };
+/**
+ * Build /api/audit request headers, adding Authorization: Bearer <key>
+ * when a key is present in COMMIT_API_KEY or ~/.commit/config.
+ *
+ * Without this, signed-up users hitting 429 stayed stuck: the inline-signup
+ * (v1.20.0) and URL signup flows both save the key locally, but the audit
+ * call site never read it — so "Re-run your command" still 429'd. Fixed
+ * in v1.20.1 after live dogfood confirmed the dead-end (see commit log).
+ */
+async function auditHeaders() {
+  const key = await readApiKey();
+  return key
+    ? { ...JSON_API_HEADERS, Authorization: `Bearer ${key}` }
+    : JSON_API_HEADERS;
+}
 // ANSI color helpers
 const c = {
   reset: '\x1b[0m',
@@ -332,6 +348,7 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
   console.log(clr(c.cyan, `\n  🔗 Full report: ${WEB}?packages=${encodeURIComponent(topPkgs)}&${utm}`));
   console.log(clr(c.cyan, `  🤖 GitHub Action: github.com/piiiico/commit-action — block CRITICAL packages in CI`));
   console.log(clr(c.dim, `  📋 Add to this project: `) + clr(c.cyan, `poc init`) + clr(c.dim, ` — creates workflow + README badge`));
+  console.log(clr(c.dim, `  🛡️  Protect every install: `) + clr(c.cyan, `poc hook`) + clr(c.dim, ` — Cursor hook, blocks CRITICAL before npm/pip/cargo runs`));
   // Per-package profile URLs — drive traffic to permanent, indexable pages
   const ecoPath = { npm: 'npm', pypi: 'pypi', cargo: 'cargo', golang: 'go' };
@@ -462,7 +479,7 @@ async function inlineSignup(results) {
 function printHelp() {
   console.log(`
-${clr(c.bold, 'proof-of-commitment')} v1.20.0 — supply chain risk scorer
+${clr(c.bold, 'proof-of-commitment')} v1.21.0 — supply chain risk scorer
 ${clr(c.bold, 'Usage:')}
   npx proof-of-commitment                            Auto-detect manifest in current dir
@@ -488,6 +505,11 @@ ${clr(c.bold, 'Reports:')}
   poc report [pkgs]   Same flags as scan — packages, --pypi, --cargo, --file, etc.
                       Saves audit-report.html to cwd + prints Markdown for GitHub issues
+${clr(c.bold, 'IDE Hooks:')}
+  poc hook            Install Cursor beforeShellExecution hook (blocks CRITICAL packages)
+  poc hook --global   Install for all Cursor projects (~/.cursor/hooks.json)
+  poc hook --uninstall Remove the hook
 ${clr(c.bold, 'Account:')}
   poc login [key]     Save and validate your API key (interactive or direct)
   poc status          Show current tier, usage, and limits
@@ -876,11 +898,13 @@ async function auditBatched(packages, ecosystem, { onProgress } = {}) {
   let completed = 0;
   let batchedCta = null;
+  // Resolve auth once so all parallel batches share the same key lookup.
+  const headers = await auditHeaders();
   const results = await Promise.all(
     batches.map(async (batch) => {
       const res = await fetch(API, {
         method: 'POST',
-        headers: JSON_API_HEADERS,
+        headers,
         body: JSON.stringify({ packages: batch, ecosystem }),
       });
       if (!res.ok) {
@@ -1107,6 +1131,201 @@ async function cmdLogout() {
   console.log();
 }
+/**
+ * poc hook [--cursor] [--global] [--uninstall]
+ * Install a beforeShellExecution hook for Cursor that scores packages before install.
+ * Writes a standalone Node.js hook script to ~/.commit/cursor-hook.js and
+ * configures .cursor/hooks.json (project) or ~/.cursor/hooks.json (--global).
+ */
+async function cmdHook(args) {
+  const os = await import('os');
+  const fs = await import('fs');
+  const path = await import('path');
+  const isGlobal = args.includes('--global') || args.includes('-g');
+  const uninstall = args.includes('--uninstall') || args.includes('--remove');
+  // ── Hook script (plain Node.js, no external deps) ─────────────────────
+  const hookScript = `#!/usr/bin/env node
+/**
+ * Commit supply chain hook for Cursor (auto-generated by \`poc hook\`)
+ * Intercepts npm/pip/cargo/go install commands and scores packages
+ * against getcommit.dev before they run.
+ *
+ * CRITICAL packages are blocked. HIGH packages trigger confirmation.
+ * Docs: https://getcommit.dev/docs/cursor-hook
+ */
+const API = 'https://poc-backend.amdal-dev.workers.dev/api/audit';
+const fs = require('fs');
+const path = require('path');
+function readKey() {
+  try {
+    if (process.env.COMMIT_API_KEY) return process.env.COMMIT_API_KEY.trim();
+    const cfg = fs.readFileSync(path.join(require('os').homedir(), '.commit', 'config'), 'utf-8');
+    const m = cfg.match(/^api_key\\s*=\\s*(.+)$/m);
+    return m ? m[1].trim() : '';
+  } catch { return ''; }
+}
+function parseInstall(cmd) {
+  const t = cmd.trim();
+  let m;
+  // npm / pnpm / yarn
+  m = t.match(/^(?:npm\\s+(?:i|install|add)|pnpm\\s+(?:i|install|add)|yarn\\s+add)\\s+(.+)/);
+  if (m) return { eco: 'npm', pkgs: m[1].split(/\\s+/).filter(a => !a.startsWith('-') && a !== 'install' && a !== 'add') };
+  // pip
+  m = t.match(/^(?:pip3?\\s+install|uv\\s+pip\\s+install|python3?\\s+-m\\s+pip\\s+install)\\s+(.+)/);
+  if (m) return { eco: 'pypi', pkgs: m[1].split(/\\s+/).filter(a => !a.startsWith('-')).map(a => a.split('==')[0].split('>=')[0]) };
+  // cargo
+  m = t.match(/^cargo\\s+(?:add|install)\\s+(.+)/);
+  if (m) return { eco: 'cargo', pkgs: m[1].split(/\\s+/).filter(a => !a.startsWith('-')) };
+  // go
+  m = t.match(/^go\\s+(?:get|install)\\s+(.+)/);
+  if (m) return { eco: 'golang', pkgs: m[1].split(/\\s+/).filter(a => !a.startsWith('-')).map(a => a.split('@')[0]) };
+  return null;
+}
+async function main() {
+  let input;
+  try { input = JSON.parse(fs.readFileSync('/dev/stdin', 'utf-8')); } catch { process.stdout.write(JSON.stringify({ permission: 'allow' })); return; }
+  const parsed = parseInstall(input.command || '');
+  if (!parsed || parsed.pkgs.length === 0) { process.stdout.write(JSON.stringify({ permission: 'allow' })); return; }
+  const headers = { 'Content-Type': 'application/json', 'Accept': 'application/json' };
+  const key = readKey();
+  if (key) headers['Authorization'] = 'Bearer ' + key;
+  try {
+    const ctrl = new AbortController();
+    const timer = setTimeout(() => ctrl.abort(), 4000);
+    const res = await fetch(API, { method: 'POST', headers, body: JSON.stringify({ packages: parsed.pkgs, ecosystem: parsed.eco }), signal: ctrl.signal });
+    clearTimeout(timer);
+    if (!res.ok && res.status !== 429) { process.stdout.write(JSON.stringify({ permission: 'allow' })); return; }
+    const data = await res.json();
+    const results = data.results || data.packages_already_scored || [];
+    const critical = results.filter(r => (r.riskFlags || []).some(f => f.startsWith('CRITICAL')));
+    const high = results.filter(r => (r.riskFlags || []).some(f => f.startsWith('HIGH')));
+    const url = 'https://getcommit.dev/audit?packages=' + parsed.pkgs.join(',') + '&ecosystem=' + parsed.eco;
+    if (critical.length > 0) {
+      const lines = critical.map(r => '  \\u{1F534} ' + r.name + ' (score ' + (r.score||'?') + ') \\u2014 ' + (r.riskFlags||[]).slice(0,1).join(', '));
+      process.stdout.write(JSON.stringify({
+        permission: 'deny',
+        user_message: '\\u{1F534} Commit blocked: ' + critical.map(r=>r.name).join(', ') + ' flagged CRITICAL\\n\\n' + lines.join('\\n') + '\\n\\n\\u2192 ' + url,
+        agent_message: 'Package install blocked by Commit. CRITICAL = sole publisher + high downloads (attack surface of axios/node-ipc incidents). ' + critical.map(r=>r.name).join(', ') + '. Report: ' + url,
+      }));
+      return;
+    }
+    if (high.length > 0) {
+      const lines = high.map(r => '  \\u{1F7E1} ' + r.name + ' (score ' + (r.score||'?') + ') \\u2014 ' + (r.riskFlags||[]).slice(0,1).join(', '));
+      process.stdout.write(JSON.stringify({
+        permission: 'ask',
+        user_message: '\\u{1F7E1} Commit: ' + high.map(r=>r.name).join(', ') + ' scored HIGH risk\\n\\n' + lines.join('\\n') + '\\n\\nProceed? \\u2192 ' + url,
+      }));
+      return;
+    }
+    process.stdout.write(JSON.stringify({ permission: 'allow' }));
+  } catch { process.stdout.write(JSON.stringify({ permission: 'allow' })); }
+}
+main();
+`;
+  const commitDir = path.join(os.homedir(), '.commit');
+  const hookPath = path.join(commitDir, 'cursor-hook.js');
+  // ── Uninstall ──────────────────────────────────────────────────────────
+  if (uninstall) {
+    let removed = false;
+    if (fs.existsSync(hookPath)) {
+      fs.unlinkSync(hookPath);
+      removed = true;
+    }
+    // Remove from hooks.json
+    for (const hooksDir of [
+      path.join(process.cwd(), '.cursor'),
+      path.join(os.homedir(), '.cursor'),
+    ]) {
+      const hooksFile = path.join(hooksDir, 'hooks.json');
+      if (fs.existsSync(hooksFile)) {
+        try {
+          const cfg = JSON.parse(fs.readFileSync(hooksFile, 'utf-8'));
+          const hooks = cfg.hooks?.beforeShellExecution || [];
+          const filtered = hooks.filter(h => !h.command?.includes('cursor-hook.js'));
+          if (filtered.length !== hooks.length) {
+            cfg.hooks.beforeShellExecution = filtered;
+            fs.writeFileSync(hooksFile, JSON.stringify(cfg, null, 2) + '\n');
+            removed = true;
+            console.log(clr(c.dim, `  Updated: ${hooksFile}`));
+          }
+        } catch {}
+      }
+    }
+    if (removed) {
+      console.log(clr(c.green, '\n  ✓ Cursor hook uninstalled.'));
+    } else {
+      console.log(clr(c.dim, '\n  No hook found to remove.'));
+    }
+    console.log();
+    return;
+  }
+  // ── Install ────────────────────────────────────────────────────────────
+  // 1. Write hook script
+  if (!fs.existsSync(commitDir)) fs.mkdirSync(commitDir, { recursive: true });
+  fs.writeFileSync(hookPath, hookScript, { mode: 0o755 });
+  // 2. Configure hooks.json
+  const hooksDir = isGlobal
+    ? path.join(os.homedir(), '.cursor')
+    : path.join(process.cwd(), '.cursor');
+  if (!fs.existsSync(hooksDir)) fs.mkdirSync(hooksDir, { recursive: true });
+  const hooksFile = path.join(hooksDir, 'hooks.json');
+  let cfg = { version: 1, hooks: {} };
+  if (fs.existsSync(hooksFile)) {
+    try { cfg = JSON.parse(fs.readFileSync(hooksFile, 'utf-8')); } catch {}
+  }
+  if (!cfg.hooks) cfg.hooks = {};
+  if (!cfg.hooks.beforeShellExecution) cfg.hooks.beforeShellExecution = [];
+  // Avoid duplicates
+  const existing = cfg.hooks.beforeShellExecution.some(h => h.command?.includes('cursor-hook.js'));
+  if (!existing) {
+    cfg.hooks.beforeShellExecution.push({
+      command: `node ${hookPath}`,
+    });
+  }
+  fs.writeFileSync(hooksFile, JSON.stringify(cfg, null, 2) + '\n');
+  // 3. Report
+  console.log(clr(c.green, '\n  ✓ Cursor supply chain hook installed'));
+  console.log();
+  console.log(clr(c.bold, '  What happens now:'));
+  console.log(clr(c.dim, '  Every ') + clr(c.cyan, 'npm install') + clr(c.dim, ', ') +
+    clr(c.cyan, 'pip install') + clr(c.dim, ', ') + clr(c.cyan, 'cargo add') + clr(c.dim, ', and ') +
+    clr(c.cyan, 'go get') + clr(c.dim, ' in Cursor'));
+  console.log(clr(c.dim, '  is scored against Commit before it runs.'));
+  console.log(clr(c.dim, '  CRITICAL packages are blocked. HIGH packages ask for confirmation.'));
+  console.log();
+  console.log(clr(c.bold, '  Files:'));
+  console.log(clr(c.dim, `  Hook script: ${hookPath}`));
+  console.log(clr(c.dim, `  Config:      ${hooksFile}`));
+  console.log();
+  const key = await readApiKey();
+  if (!key) {
+    console.log(clr(c.yellow, '  ⚠ No API key found.') + clr(c.dim, ' Anonymous limit: 15 audits/day.'));
+    console.log(clr(c.dim, '  Get a free key (200/day): ') + clr(c.cyan, 'poc login'));
+    console.log(clr(c.dim, '  Or: ') + clr(c.cyan, 'https://getcommit.dev/get-started?ref=cursor-hook&utm_source=cli'));
+    console.log();
+  }
+  console.log(clr(c.dim, '  Uninstall: ') + clr(c.cyan, 'poc hook --uninstall'));
+  console.log();
+}
 function tierLabel(tier) {
   if (tier === 'pro') return clr(c.cyan + c.bold, 'Pro');
   if (tier === 'enterprise') return clr(c.magenta + c.bold, 'Enterprise');
@@ -1479,7 +1698,7 @@ async function cmdReport(packages, ecosystem, { filePath, isLockfile, totalScann
     if (packages.length <= 20) {
       const res = await fetch(API, {
         method: 'POST',
-        headers: JSON_API_HEADERS,
+        headers: await auditHeaders(),
         body: JSON.stringify({ packages, ecosystem }),
       });
       if (!res.ok) {
@@ -1705,6 +1924,11 @@ async function main() {
     process.exit(0);
   }
+  if (subcmd === 'hook') {
+    await cmdHook(args.slice(1));
+    process.exit(0);
+  }
   if (subcmd === 'report') {
     // Parse report args (same flags as main scan)
     const reportArgs = args.slice(1);
@@ -1881,7 +2105,7 @@ async function main() {
     try {
       const res = await fetch(API, {
         method: 'POST',
-        headers: JSON_API_HEADERS,
+        headers: await auditHeaders(),
         body: JSON.stringify({ packages, ecosystem }),
       });
       if (!res.ok) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "proof-of-commitment",
-  "version": "1.20.0",
+  "version": "1.21.0",
   "mcpName": "io.github.piiiico/proof-of-commitment",
   "description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
   "type": "module",