npm - proof-of-commitment - Versions diffs - 1.20.1 → 1.21.1 - Mend

proof-of-commitment 1.20.1 → 1.21.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/index.js +234 -2
package/package.json +1 -1

package/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * proof-of-commitment CLI v1.20.1
+ * proof-of-commitment CLI v1.21.1
  * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
  * Usage: npx proof-of-commitment [packages...] [options]
  */
@@ -348,6 +348,7 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
   console.log(clr(c.cyan, `\n  🔗 Full report: ${WEB}?packages=${encodeURIComponent(topPkgs)}&${utm}`));
   console.log(clr(c.cyan, `  🤖 GitHub Action: github.com/piiiico/commit-action — block CRITICAL packages in CI`));
   console.log(clr(c.dim, `  📋 Add to this project: `) + clr(c.cyan, `poc init`) + clr(c.dim, ` — creates workflow + README badge`));
+  console.log(clr(c.dim, `  🛡️  Protect every install: `) + clr(c.cyan, `poc hook`) + clr(c.dim, ` — Cursor hook, blocks CRITICAL before npm/pip/cargo runs`));
   // Per-package profile URLs — drive traffic to permanent, indexable pages
   const ecoPath = { npm: 'npm', pypi: 'pypi', cargo: 'cargo', golang: 'go' };
@@ -478,7 +479,7 @@ async function inlineSignup(results) {
 function printHelp() {
   console.log(`
-${clr(c.bold, 'proof-of-commitment')} v1.20.1 — supply chain risk scorer
+${clr(c.bold, 'proof-of-commitment')} v1.21.1 — supply chain risk scorer
 ${clr(c.bold, 'Usage:')}
   npx proof-of-commitment                            Auto-detect manifest in current dir
@@ -504,6 +505,11 @@ ${clr(c.bold, 'Reports:')}
   poc report [pkgs]   Same flags as scan — packages, --pypi, --cargo, --file, etc.
                       Saves audit-report.html to cwd + prints Markdown for GitHub issues
+${clr(c.bold, 'IDE Hooks:')}
+  poc hook            Install Cursor beforeShellExecution hook (blocks CRITICAL packages)
+  poc hook --global   Install for all Cursor projects (~/.cursor/hooks.json)
+  poc hook --uninstall Remove the hook
 ${clr(c.bold, 'Account:')}
   poc login [key]     Save and validate your API key (interactive or direct)
   poc status          Show current tier, usage, and limits
@@ -1125,6 +1131,227 @@ async function cmdLogout() {
   console.log();
 }
+/**
+ * poc hook [--cursor] [--global] [--uninstall]
+ * Install a beforeShellExecution hook for Cursor that scores packages before install.
+ * Writes a standalone Node.js hook script to ~/.commit/cursor-hook.js and
+ * configures .cursor/hooks.json (project) or ~/.cursor/hooks.json (--global).
+ */
+async function cmdHook(args) {
+  const os = await import('os');
+  const fs = await import('fs');
+  const path = await import('path');
+  const isGlobal = args.includes('--global') || args.includes('-g');
+  const uninstall = args.includes('--uninstall') || args.includes('--remove');
+  // ── Hook script (plain Node.js, no external deps) ─────────────────────
+  const hookScript = `#!/usr/bin/env node
+/**
+ * Commit supply chain hook for Cursor (auto-generated by \`poc hook\`)
+ * Intercepts npm/pip/cargo/go install commands and scores packages
+ * against getcommit.dev before they run.
+ *
+ * CRITICAL packages are blocked. HIGH packages trigger confirmation.
+ * Docs: https://getcommit.dev/docs/cursor-hook
+ */
+const API = 'https://poc-backend.amdal-dev.workers.dev/api/audit';
+const fs = require('fs');
+const path = require('path');
+function readKey() {
+  try {
+    if (process.env.COMMIT_API_KEY) return process.env.COMMIT_API_KEY.trim();
+    const cfg = fs.readFileSync(path.join(require('os').homedir(), '.commit', 'config'), 'utf-8');
+    const m = cfg.match(/^api_key\\s*=\\s*(.+)$/m);
+    return m ? m[1].trim() : '';
+  } catch { return ''; }
+}
+function parseInstall(cmd) {
+  const t = cmd.trim();
+  let m;
+  // npm / pnpm / yarn
+  m = t.match(/^(?:npm\\s+(?:i|install|add)|pnpm\\s+(?:i|install|add)|yarn\\s+add)\\s+(.+)/);
+  if (m) return { eco: 'npm', pkgs: m[1].split(/\\s+/).filter(a => !a.startsWith('-') && a !== 'install' && a !== 'add') };
+  // pip
+  m = t.match(/^(?:pip3?\\s+install|uv\\s+pip\\s+install|python3?\\s+-m\\s+pip\\s+install)\\s+(.+)/);
+  if (m) return { eco: 'pypi', pkgs: m[1].split(/\\s+/).filter(a => !a.startsWith('-')).map(a => a.split('==')[0].split('>=')[0]) };
+  // cargo
+  m = t.match(/^cargo\\s+(?:add|install)\\s+(.+)/);
+  if (m) return { eco: 'cargo', pkgs: m[1].split(/\\s+/).filter(a => !a.startsWith('-')) };
+  // go
+  m = t.match(/^go\\s+(?:get|install)\\s+(.+)/);
+  if (m) return { eco: 'golang', pkgs: m[1].split(/\\s+/).filter(a => !a.startsWith('-')).map(a => a.split('@')[0]) };
+  return null;
+}
+async function main() {
+  let input;
+  try { input = JSON.parse(fs.readFileSync('/dev/stdin', 'utf-8')); } catch { process.stdout.write(JSON.stringify({ permission: 'allow' })); return; }
+  const parsed = parseInstall(input.command || '');
+  if (!parsed || parsed.pkgs.length === 0) { process.stdout.write(JSON.stringify({ permission: 'allow' })); return; }
+  const headers = { 'Content-Type': 'application/json', 'Accept': 'application/json' };
+  const key = readKey();
+  if (key) headers['Authorization'] = 'Bearer ' + key;
+  try {
+    const ctrl = new AbortController();
+    const timer = setTimeout(() => ctrl.abort(), 4000);
+    const res = await fetch(API, { method: 'POST', headers, body: JSON.stringify({ packages: parsed.pkgs, ecosystem: parsed.eco }), signal: ctrl.signal });
+    clearTimeout(timer);
+    if (!res.ok && res.status !== 429) { process.stdout.write(JSON.stringify({ permission: 'allow' })); return; }
+    const data = await res.json();
+    const results = data.results || data.packages_already_scored || [];
+    const critical = results.filter(r => (r.riskFlags || []).some(f => f.startsWith('CRITICAL')));
+    const high = results.filter(r => (r.riskFlags || []).some(f => f.startsWith('HIGH')));
+    const url = 'https://getcommit.dev/audit?packages=' + parsed.pkgs.join(',') + '&ecosystem=' + parsed.eco;
+    // v1.21.1: detect rate-limit hit and surface signup CTA + unscored-package warning.
+    // Without this, hook silently allowed unscored packages on 429 (false sense of security)
+    // and the conversion driver (signup URL in 429 body) never reached the user.
+    const rateLimited = res.status === 429;
+    // Force cursor-hook attribution — backend default is audit-cli-429 which misattributes.
+    const rlUrl = rateLimited ? 'https://getcommit.dev/get-started?ref=cursor-hook-429&utm_source=cli' : '';
+    const unscored = rateLimited ? Math.max(0, parsed.pkgs.length - results.length) : 0;
+    const rlNote = rateLimited
+      ? '\\n\\n\\u26A0 Commit free limit reached'
+        + (unscored > 0 ? ' \\u2014 ' + unscored + ' of ' + parsed.pkgs.length + ' package(s) NOT audited' : '')
+        + '\\n   Free key (200/day, no card): ' + rlUrl
+      : '';
+    if (critical.length > 0) {
+      const lines = critical.map(r => '  \\u{1F534} ' + r.name + ' (score ' + (r.score||'?') + ') \\u2014 ' + (r.riskFlags||[]).slice(0,1).join(', '));
+      process.stdout.write(JSON.stringify({
+        permission: 'deny',
+        user_message: '\\u{1F534} Commit blocked: ' + critical.map(r=>r.name).join(', ') + ' flagged CRITICAL\\n\\n' + lines.join('\\n') + '\\n\\n\\u2192 ' + url + rlNote,
+        agent_message: 'Package install blocked by Commit. CRITICAL = sole publisher + high downloads (attack surface of axios/node-ipc incidents). ' + critical.map(r=>r.name).join(', ') + '. Report: ' + url,
+      }));
+      return;
+    }
+    if (high.length > 0) {
+      const lines = high.map(r => '  \\u{1F7E1} ' + r.name + ' (score ' + (r.score||'?') + ') \\u2014 ' + (r.riskFlags||[]).slice(0,1).join(', '));
+      process.stdout.write(JSON.stringify({
+        permission: 'ask',
+        user_message: '\\u{1F7E1} Commit: ' + high.map(r=>r.name).join(', ') + ' scored HIGH risk\\n\\n' + lines.join('\\n') + '\\n\\nProceed? \\u2192 ' + url + rlNote,
+      }));
+      return;
+    }
+    // Rate-limited with no critical/high in the scored partial: still alert user.
+    // If unscored packages remain, this is a security signal (could be CRITICAL we missed).
+    // If all packages scored clean, this is a conversion signal (drive them to sign up).
+    if (rateLimited) {
+      const head = unscored > 0
+        ? '\\u26A0 Commit free limit reached \\u2014 ' + unscored + ' of ' + parsed.pkgs.length + ' package(s) NOT audited'
+        : '\\u2713 ' + parsed.pkgs.join(', ') + ' look clean (free-tier audit)';
+      process.stdout.write(JSON.stringify({
+        permission: 'ask',
+        user_message: head + '\\n\\nFree API key (200/day, no card, 30s):\\n  ' + rlUrl + '\\n\\nProceed anyway?',
+      }));
+      return;
+    }
+    process.stdout.write(JSON.stringify({ permission: 'allow' }));
+  } catch { process.stdout.write(JSON.stringify({ permission: 'allow' })); }
+}
+main();
+`;
+  const commitDir = path.join(os.homedir(), '.commit');
+  const hookPath = path.join(commitDir, 'cursor-hook.js');
+  // ── Uninstall ──────────────────────────────────────────────────────────
+  if (uninstall) {
+    let removed = false;
+    if (fs.existsSync(hookPath)) {
+      fs.unlinkSync(hookPath);
+      removed = true;
+    }
+    // Remove from hooks.json
+    for (const hooksDir of [
+      path.join(process.cwd(), '.cursor'),
+      path.join(os.homedir(), '.cursor'),
+    ]) {
+      const hooksFile = path.join(hooksDir, 'hooks.json');
+      if (fs.existsSync(hooksFile)) {
+        try {
+          const cfg = JSON.parse(fs.readFileSync(hooksFile, 'utf-8'));
+          const hooks = cfg.hooks?.beforeShellExecution || [];
+          const filtered = hooks.filter(h => !h.command?.includes('cursor-hook.js'));
+          if (filtered.length !== hooks.length) {
+            cfg.hooks.beforeShellExecution = filtered;
+            fs.writeFileSync(hooksFile, JSON.stringify(cfg, null, 2) + '\n');
+            removed = true;
+            console.log(clr(c.dim, `  Updated: ${hooksFile}`));
+          }
+        } catch {}
+      }
+    }
+    if (removed) {
+      console.log(clr(c.green, '\n  ✓ Cursor hook uninstalled.'));
+    } else {
+      console.log(clr(c.dim, '\n  No hook found to remove.'));
+    }
+    console.log();
+    return;
+  }
+  // ── Install ────────────────────────────────────────────────────────────
+  // 1. Write hook script
+  if (!fs.existsSync(commitDir)) fs.mkdirSync(commitDir, { recursive: true });
+  fs.writeFileSync(hookPath, hookScript, { mode: 0o755 });
+  // 2. Configure hooks.json
+  const hooksDir = isGlobal
+    ? path.join(os.homedir(), '.cursor')
+    : path.join(process.cwd(), '.cursor');
+  if (!fs.existsSync(hooksDir)) fs.mkdirSync(hooksDir, { recursive: true });
+  const hooksFile = path.join(hooksDir, 'hooks.json');
+  let cfg = { version: 1, hooks: {} };
+  if (fs.existsSync(hooksFile)) {
+    try { cfg = JSON.parse(fs.readFileSync(hooksFile, 'utf-8')); } catch {}
+  }
+  if (!cfg.hooks) cfg.hooks = {};
+  if (!cfg.hooks.beforeShellExecution) cfg.hooks.beforeShellExecution = [];
+  // Avoid duplicates
+  const existing = cfg.hooks.beforeShellExecution.some(h => h.command?.includes('cursor-hook.js'));
+  if (!existing) {
+    cfg.hooks.beforeShellExecution.push({
+      command: `node ${hookPath}`,
+    });
+  }
+  fs.writeFileSync(hooksFile, JSON.stringify(cfg, null, 2) + '\n');
+  // 3. Report
+  console.log(clr(c.green, '\n  ✓ Cursor supply chain hook installed'));
+  console.log();
+  console.log(clr(c.bold, '  What happens now:'));
+  console.log(clr(c.dim, '  Every ') + clr(c.cyan, 'npm install') + clr(c.dim, ', ') +
+    clr(c.cyan, 'pip install') + clr(c.dim, ', ') + clr(c.cyan, 'cargo add') + clr(c.dim, ', and ') +
+    clr(c.cyan, 'go get') + clr(c.dim, ' in Cursor'));
+  console.log(clr(c.dim, '  is scored against Commit before it runs.'));
+  console.log(clr(c.dim, '  CRITICAL packages are blocked. HIGH packages ask for confirmation.'));
+  console.log();
+  console.log(clr(c.bold, '  Files:'));
+  console.log(clr(c.dim, `  Hook script: ${hookPath}`));
+  console.log(clr(c.dim, `  Config:      ${hooksFile}`));
+  console.log();
+  const key = await readApiKey();
+  if (!key) {
+    console.log(clr(c.yellow, '  ⚠ No API key found.') + clr(c.dim, ' Anonymous limit: 15 audits/day.'));
+    console.log(clr(c.dim, '  Get a free key (200/day): ') + clr(c.cyan, 'poc login'));
+    console.log(clr(c.dim, '  Or: ') + clr(c.cyan, 'https://getcommit.dev/get-started?ref=cursor-hook&utm_source=cli'));
+    console.log();
+  }
+  console.log(clr(c.dim, '  Uninstall: ') + clr(c.cyan, 'poc hook --uninstall'));
+  console.log();
+}
 function tierLabel(tier) {
   if (tier === 'pro') return clr(c.cyan + c.bold, 'Pro');
   if (tier === 'enterprise') return clr(c.magenta + c.bold, 'Enterprise');
@@ -1723,6 +1950,11 @@ async function main() {
     process.exit(0);
   }
+  if (subcmd === 'hook') {
+    await cmdHook(args.slice(1));
+    process.exit(0);
+  }
   if (subcmd === 'report') {
     // Parse report args (same flags as main scan)
     const reportArgs = args.slice(1);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "proof-of-commitment",
-  "version": "1.20.1",
+  "version": "1.21.1",
   "mcpName": "io.github.piiiico/proof-of-commitment",
   "description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
   "type": "module",