proof-of-commitment 1.21.0 → 1.21.1
- package/index.js +30 -4
- package/package.json +1 -1
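--- a/package/index.js
+++ b/package/index.js
@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
-* proof-of-commitment CLI v1.21.
+* proof-of-commitment CLI v1.21.1
 * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
 * Usage: npx proof-of-commitment [packages...] [options]
 */
@@ -479,7 +479,7 @@ async function inlineSignup(results) {
 
 function printHelp() {
 console.log(`
-${clr(c.bold, 'proof-of-commitment')} v1.21.
+${clr(c.bold, 'proof-of-commitment')} v1.21.1 — supply chain risk scorer
 
 ${clr(c.bold, 'Usage:')}
 npx proof-of-commitment Auto-detect manifest in current dir
@@ -1209,11 +1209,24 @@ async function main() {
 const high = results.filter(r => (r.riskFlags || []).some(f => f.startsWith('HIGH')));
 const url = 'https://getcommit.dev/audit?packages=' + parsed.pkgs.join(',') + '&ecosystem=' + parsed.eco;
 
+// v1.21.1: detect rate-limit hit and surface signup CTA + unscored-package warning.
+// Without this, hook silently allowed unscored packages on 429 (false sense of security)
+// and the conversion driver (signup URL in 429 body) never reached the user.
+const rateLimited = res.status === 429;
+// Force cursor-hook attribution — backend default is audit-cli-429 which misattributes.
+const rlUrl = rateLimited ? 'https://getcommit.dev/get-started?ref=cursor-hook-429&utm_source=cli' : '';
+const unscored = rateLimited ? Math.max(0, parsed.pkgs.length - results.length) : 0;
+const rlNote = rateLimited
+? '\\n\\n\\u26A0 Commit free limit reached'
++ (unscored > 0 ? ' \\u2014 ' + unscored + ' of ' + parsed.pkgs.length + ' package(s) NOT audited' : '')
++ '\\n Free key (200/day, no card): ' + rlUrl
+: '';
+
 if (critical.length > 0) {
 const lines = critical.map(r => ' \\u{1F534} ' + r.name + ' (score ' + (r.score||'?') + ') \\u2014 ' + (r.riskFlags||[]).slice(0,1).join(', '));
 process.stdout.write(JSON.stringify({
 permission: 'deny',
-user_message: '\\u{1F534} Commit blocked: ' + critical.map(r=>r.name).join(', ') + ' flagged CRITICAL\\n\\n' + lines.join('\\n') + '\\n\\n\\u2192 ' + url,
+user_message: '\\u{1F534} Commit blocked: ' + critical.map(r=>r.name).join(', ') + ' flagged CRITICAL\\n\\n' + lines.join('\\n') + '\\n\\n\\u2192 ' + url + rlNote,
 agent_message: 'Package install blocked by Commit. CRITICAL = sole publisher + high downloads (attack surface of axios/node-ipc incidents). ' + critical.map(r=>r.name).join(', ') + '. Report: ' + url,
 }));
 return;
@@ -1222,7 +1235,20 @@ async function main() {
 const lines = high.map(r => ' \\u{1F7E1} ' + r.name + ' (score ' + (r.score||'?') + ') \\u2014 ' + (r.riskFlags||[]).slice(0,1).join(', '));
 process.stdout.write(JSON.stringify({
 permission: 'ask',
-user_message: '\\u{1F7E1} Commit: ' + high.map(r=>r.name).join(', ') + ' scored HIGH risk\\n\\n' + lines.join('\\n') + '\\n\\nProceed? \\u2192 ' + url,
+user_message: '\\u{1F7E1} Commit: ' + high.map(r=>r.name).join(', ') + ' scored HIGH risk\\n\\n' + lines.join('\\n') + '\\n\\nProceed? \\u2192 ' + url + rlNote,
+}));
+return;
+}
+// Rate-limited with no critical/high in the scored partial: still alert user.
+// If unscored packages remain, this is a security signal (could be CRITICAL we missed).
+// If all packages scored clean, this is a conversion signal (drive them to sign up).
+if (rateLimited) {
+const head = unscored > 0
+? '\\u26A0 Commit free limit reached \\u2014 ' + unscored + ' of ' + parsed.pkgs.length + ' package(s) NOT audited'
+: '\\u2713 ' + parsed.pkgs.join(', ') + ' look clean (free-tier audit)';
+process.stdout.write(JSON.stringify({
+permission: 'ask',
+user_message: head + '\\n\\nFree API key (200/day, no card, 30s):\\n ' + rlUrl + '\\n\\nProceed anyway?',
 }));
 return;
 }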
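--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "proof-of-commitment",
-"version": "1.21.
+"version": "1.21.1",
 "mcpName": "io.github.piiiico/proof-of-commitment",
 "description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
 "type": "module",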