proof-of-commitment 1.22.1 → 1.23.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/index.js +12 -6
- package/package.json +1 -1
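--- a/package/index.js
+++ b/package/index.js
@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
-* proof-of-commitment CLI v1.
+* proof-of-commitment CLI v1.23.0
 * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
 * Usage: npx proof-of-commitment [packages...] [options]
 */
@@ -420,14 +420,20 @@ async function inlineSignup(results) {
 if (hasKey) return;
 const critPkgs = results.filter(r => hasCritical(r.riskFlags));
 const lowScorePkgs = results.filter(r => typeof r.score === 'number' && r.score < 60);
-// Gate: ≥3 packages scanned (real audit, not a one-off `npx poc somepkg` check)
-if (results.length < 3) return;
-
 const hasFindings = critPkgs.length >= 1 || lowScorePkgs.length >= 2;
+// Gate: show prompt when there's something worth monitoring.
+// Old gate (results.length < 3) blocked the most common entry point:
+// `npx proof-of-commitment axios` after reading about an attack.
+// A single CRITICAL result IS the high-intent moment — don't skip it.
+// For healthy single-package checks with no findings, still skip.
+if (results.length < 3 && !hasFindings) return;
+
 // Copy adapts to context. Findings → degradation framing.
 // Healthy → baseline-lock framing (still real value: alert me if any score drops).
 const heading = hasFindings
-?
+? (results.length === 1
+? ' 🔔 Monitor this package. Get alerted if it gets worse.'
+: ' 🔔 Lock in this audit. Get alerted if these packages get worse.')
 : ' 🔔 Lock in this baseline. Get alerted if any of these packages degrade.';
 
 console.log(clr(c.dim, ' ─────────────────────────────────────────────'));
@@ -492,7 +498,7 @@ async function inlineSignup(results) {
 
 function printHelp() {
 console.log(`
-${clr(c.bold, 'proof-of-commitment')} v1.
+${clr(c.bold, 'proof-of-commitment')} v1.23.0 — supply chain risk scorer
 
 ${clr(c.bold, 'Usage:')}
 npx proof-of-commitment Auto-detect manifest in current dir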
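Review bot: The `heading` expression in the second hunk now nests a ternary inside a ternary, which is worth flattening while this code is being touched; naming the branch first, `const singleCritical = hasFindings && results.length === 1;`, and then choosing among the three strings with a plain if/else chain or a small lookup reads better than the parenthesised inner ternary. The five-line comment above the new gate mostly narrates the previous gate rather than stating the current rule; one line such as `// Gate: prompt after a ≥3-package audit, or whenever there is a finding worth monitoring.` documents the intent, and the history belongs in the changelog. Note also that with a single package `hasFindings` can only become true through `critPkgs`, since `lowScorePkgs.length >= 2` is unreachable for one result, so the "Monitor this package" copy is always the CRITICAL case and the comment could say so. `inlineSignup` begins before the hunk and continues past its end.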
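--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "proof-of-commitment",
-"version": "1.
+"version": "1.23.0",
 "mcpName": "io.github.piiiico/proof-of-commitment",
 "description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
 "type": "module",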