proof-of-commitment 1.22.1 → 1.24.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/index.js +42 -6
- package/package.json +4 -2
package/README.md
CHANGED
|
@@ -6,7 +6,7 @@
|
|
|
6
6
|
|
|
7
7
|
An MCP server and web tool that scores npm packages, PyPI packages, Rust crates, Go modules, and GitHub repos on **behavioral commitment** — signals that are harder to fake than stars, READMEs, or download counts.
|
|
8
8
|
|
|
9
|
-
## The supply chain problem
|
|
9
|
+
## The supply chain security problem
|
|
10
10
|
|
|
11
11
|
26 of the 91 npm packages with >10M weekly downloads have a **single npm publisher**. Together they account for over 3 billion downloads per week. `npm audit` doesn't surface this. Stars don't either.
|
|
12
12
|
|
|
@@ -93,7 +93,7 @@ Add to Claude Desktop, Cursor, Windsurf, or any MCP-compatible AI tool. Then ask
|
|
|
93
93
|
|
|
94
94
|
## GitHub Action
|
|
95
95
|
|
|
96
|
-
Add supply chain auditing to any CI pipeline in 30 seconds — auto-detects packages from `package.json` or `requirements.txt`, **posts results as a PR comment**, writes to GitHub Step Summary, and optionally fails on CRITICAL packages.
|
|
96
|
+
Add supply chain security auditing to any CI pipeline in 30 seconds — auto-detects packages from `package.json` or `requirements.txt`, **posts results as a PR comment**, writes to GitHub Step Summary, and optionally fails on CRITICAL packages.
|
|
97
97
|
|
|
98
98
|
Use the dedicated action at [piiiico/commit-action](https://github.com/piiiico/commit-action):
|
|
99
99
|
|
package/index.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
#!/usr/bin/env node
|
|
2
2
|
/**
|
|
3
|
-
* proof-of-commitment CLI v1.
|
|
3
|
+
* proof-of-commitment CLI v1.24.0
|
|
4
4
|
* Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
|
|
5
5
|
* Usage: npx proof-of-commitment [packages...] [options]
|
|
6
6
|
*/
|
|
@@ -101,6 +101,14 @@ async function handle429(res) {
|
|
|
101
101
|
const retryAfter = Number.isFinite(data.retry_after_seconds)
|
|
102
102
|
? data.retry_after_seconds
|
|
103
103
|
: null;
|
|
104
|
+
// Backend signals "you've blown past the free wall, Developer $15/mo is the
|
|
105
|
+
// right fix" via overshoot=true / tier_suggestion="developer" (added
|
|
106
|
+
// backend-side 2026-06-04). When set, backend routes instantKeyUrl to
|
|
107
|
+
// /pricing — so the CLI must NOT promise "Free API key in 30 seconds" or
|
|
108
|
+
// prompt for email (a 200/day key won't help someone scanning 260+/day).
|
|
109
|
+
// Mismatched CTA text + destination kills trust and conversion. This branch
|
|
110
|
+
// aligns label + URL + skips the inline email prompt. (Dogfood, 2026-06-06.)
|
|
111
|
+
const overshoot = data.overshoot === true || data.tier_suggestion === 'developer';
|
|
104
112
|
|
|
105
113
|
// Forward-compat: if backend ever returns partial scoring on 429,
|
|
106
114
|
// print what we have BEFORE the rescue message. Falls back to JSON
|
|
@@ -130,6 +138,28 @@ async function handle429(res) {
|
|
|
130
138
|
}
|
|
131
139
|
console.error('');
|
|
132
140
|
|
|
141
|
+
// Overshoot path: free key is the wrong tool. Surface a URL aligned with
|
|
142
|
+
// the backend's Developer recommendation, skip the email prompt, exit.
|
|
143
|
+
// Without this branch, the CLI would say "Free API key in 30 seconds (no
|
|
144
|
+
// card)" while the URL goes to /pricing — bait-and-switch that erodes
|
|
145
|
+
// trust at the highest-intent moment we get with a user.
|
|
146
|
+
if (overshoot) {
|
|
147
|
+
console.error(
|
|
148
|
+
clr(
|
|
149
|
+
c.cyan + c.bold,
|
|
150
|
+
` → Compare plans (Developer $15/mo · 1,000/day · batch API): ${instantKeyUrl}`
|
|
151
|
+
)
|
|
152
|
+
);
|
|
153
|
+
if (retryAfter && retryAfter > 0) {
|
|
154
|
+
const hours = Math.floor(retryAfter / 3600);
|
|
155
|
+
const mins = Math.floor((retryAfter % 3600) / 60);
|
|
156
|
+
const resetIn = hours > 0 ? `${hours}h ${mins}m` : `${mins}m`;
|
|
157
|
+
console.error(clr(c.dim, ` or wait — free-tier resets in ${resetIn} (00:00 UTC).`));
|
|
158
|
+
}
|
|
159
|
+
console.error('');
|
|
160
|
+
process.exit(1);
|
|
161
|
+
}
|
|
162
|
+
|
|
133
163
|
// TTY: inline signup collapses the 6-step browser flow (visit URL → enter
|
|
134
164
|
// email → copy key → switch back to terminal → export key → re-run) to a
|
|
135
165
|
// single terminal prompt. Non-TTY (CI/piped) falls through to the URL.
|
|
@@ -420,14 +450,20 @@ async function inlineSignup(results) {
|
|
|
420
450
|
if (hasKey) return;
|
|
421
451
|
const critPkgs = results.filter(r => hasCritical(r.riskFlags));
|
|
422
452
|
const lowScorePkgs = results.filter(r => typeof r.score === 'number' && r.score < 60);
|
|
423
|
-
// Gate: ≥3 packages scanned (real audit, not a one-off `npx poc somepkg` check)
|
|
424
|
-
if (results.length < 3) return;
|
|
425
|
-
|
|
426
453
|
const hasFindings = critPkgs.length >= 1 || lowScorePkgs.length >= 2;
|
|
454
|
+
// Gate: show prompt when there's something worth monitoring.
|
|
455
|
+
// Old gate (results.length < 3) blocked the most common entry point:
|
|
456
|
+
// `npx proof-of-commitment axios` after reading about an attack.
|
|
457
|
+
// A single CRITICAL result IS the high-intent moment — don't skip it.
|
|
458
|
+
// For healthy single-package checks with no findings, still skip.
|
|
459
|
+
if (results.length < 3 && !hasFindings) return;
|
|
460
|
+
|
|
427
461
|
// Copy adapts to context. Findings → degradation framing.
|
|
428
462
|
// Healthy → baseline-lock framing (still real value: alert me if any score drops).
|
|
429
463
|
const heading = hasFindings
|
|
430
|
-
?
|
|
464
|
+
? (results.length === 1
|
|
465
|
+
? ' 🔔 Monitor this package. Get alerted if it gets worse.'
|
|
466
|
+
: ' 🔔 Lock in this audit. Get alerted if these packages get worse.')
|
|
431
467
|
: ' 🔔 Lock in this baseline. Get alerted if any of these packages degrade.';
|
|
432
468
|
|
|
433
469
|
console.log(clr(c.dim, ' ─────────────────────────────────────────────'));
|
|
@@ -492,7 +528,7 @@ async function inlineSignup(results) {
|
|
|
492
528
|
|
|
493
529
|
function printHelp() {
|
|
494
530
|
console.log(`
|
|
495
|
-
${clr(c.bold, 'proof-of-commitment')} v1.
|
|
531
|
+
${clr(c.bold, 'proof-of-commitment')} v1.24.0 — supply chain risk scorer
|
|
496
532
|
|
|
497
533
|
${clr(c.bold, 'Usage:')}
|
|
498
534
|
npx proof-of-commitment Auto-detect manifest in current dir
|
package/package.json
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "proof-of-commitment",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.24.0",
|
|
4
4
|
"mcpName": "io.github.piiiico/proof-of-commitment",
|
|
5
|
-
"description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
|
|
5
|
+
"description": "Supply chain security risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
|
|
6
6
|
"type": "module",
|
|
7
7
|
"bin": {
|
|
8
8
|
"proof-of-commitment": "./index.js",
|
|
@@ -16,7 +16,9 @@
|
|
|
16
16
|
],
|
|
17
17
|
"keywords": [
|
|
18
18
|
"supply-chain",
|
|
19
|
+
"supply-chain-security",
|
|
19
20
|
"security",
|
|
21
|
+
"scanner",
|
|
20
22
|
"npm",
|
|
21
23
|
"pypi",
|
|
22
24
|
"cargo",
|