proof-of-commitment 1.22.0 → 1.23.0

package/index.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * proof-of-commitment CLI v1.21.1
+ * proof-of-commitment CLI v1.23.0
  * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
  * Usage: npx proof-of-commitment [packages...] [options]
  */
@@ -272,9 +272,11 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
 
   let criticalInDisplay = 0;
   let provenanceCount = 0;
+  let compromisedCount = 0;
 
   for (const pkg of results) {
     const rc = riskColor(pkg.riskFlags, pkg.score);
+    if (pkg.compromised) compromisedCount++;
     const label = riskLabel(pkg.riskFlags, pkg.score);
     if (hasCritical(pkg.riskFlags)) criticalInDisplay++;
     if (pkg.hasProvenance) provenanceCount++;
@@ -310,6 +312,12 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
       console.log(clr(c.dim, `  ↳ ${ghCount} GitHub contributors — publish-access concentration risk despite active community`));
     }
 
+    // Recently compromised warning
+    if (pkg.compromised) {
+      const atk = pkg.compromised;
+      console.log(clr(c.red, `  ⚠ COMPROMISED — ${atk.attack} (${atk.date}) — ${atk.url}`));
+    }
+
     // Score breakdown if available
     if (pkg.scoreBreakdown) {
       const b = pkg.scoreBreakdown;
@@ -342,6 +350,11 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
     console.log('\n' + clr(c.green, `✓  No CRITICAL packages found${suffix}.`));
   }
 
+  if (compromisedCount > 0) {
+    console.log(clr(c.red + c.bold, `\n⚠  ${compromisedCount} package${compromisedCount > 1 ? 's' : ''} recently compromised in supply chain attacks.`));
+    console.log(clr(c.dim, '   Verify you are on clean versions. See URLs above for incident details.'));
+  }
+
   // Footer with web link + CI integration CTA
   const topPkgs = results.slice(0, 10).map(r => r.name).join(',');
   const utm = 'utm_source=cli&utm_medium=audit';
@@ -407,14 +420,20 @@ async function inlineSignup(results) {
   if (hasKey) return;
   const critPkgs = results.filter(r => hasCritical(r.riskFlags));
   const lowScorePkgs = results.filter(r => typeof r.score === 'number' && r.score < 60);
-  // Gate: ≥3 packages scanned (real audit, not a one-off `npx poc somepkg` check)
-  if (results.length < 3) return;
-
   const hasFindings = critPkgs.length >= 1 || lowScorePkgs.length >= 2;
+  // Gate: show prompt when there's something worth monitoring.
+  // Old gate (results.length < 3) blocked the most common entry point:
+  // `npx proof-of-commitment axios` after reading about an attack.
+  // A single CRITICAL result IS the high-intent moment — don't skip it.
+  // For healthy single-package checks with no findings, still skip.
+  if (results.length < 3 && !hasFindings) return;
+
   // Copy adapts to context. Findings → degradation framing.
   // Healthy → baseline-lock framing (still real value: alert me if any score drops).
   const heading = hasFindings
-    ? '  🔔 Lock in this audit. Get alerted if these packages get worse.'
+    ? (results.length === 1
+      ? '  🔔 Monitor this package. Get alerted if it gets worse.'
+      : '  🔔 Lock in this audit. Get alerted if these packages get worse.')
     : '  🔔 Lock in this baseline. Get alerted if any of these packages degrade.';
 
   console.log(clr(c.dim, '  ─────────────────────────────────────────────'));
@@ -479,7 +498,7 @@ async function inlineSignup(results) {
 
 function printHelp() {
   console.log(`
-${clr(c.bold, 'proof-of-commitment')} v1.21.1 — supply chain risk scorer
+${clr(c.bold, 'proof-of-commitment')} v1.23.0 — supply chain risk scorer
 
 ${clr(c.bold, 'Usage:')}
   npx proof-of-commitment                            Auto-detect manifest in current dir

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "proof-of-commitment",
-  "version": "1.22.0",
+  "version": "1.23.0",
   "mcpName": "io.github.piiiico/proof-of-commitment",
   "description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
   "type": "module",