proof-of-commitment 1.23.0 → 1.24.0
- package/README.md +2 -2
- package/index.js +32 -2
- package/package.json +4 -2
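--- a/package/README.md
+++ b/package/README.md
@@ -6,7 +6,7 @@
 
 An MCP server and web tool that scores npm packages, PyPI packages, Rust crates, Go modules, and GitHub repos on **behavioral commitment** — signals that are harder to fake than stars, READMEs, or download counts.
 
-## The supply chain problem
+## The supply chain security problem
 
 26 of the 91 npm packages with >10M weekly downloads have a **single npm publisher**. Together they account for over 3 billion downloads per week. `npm audit` doesn't surface this. Stars don't either.
 
@@ -93,7 +93,7 @@ Add to Claude Desktop, Cursor, Windsurf, or any MCP-compatible AI tool. Then ask
 
 ## GitHub Action
 
-Add supply chain auditing to any CI pipeline in 30 seconds — auto-detects packages from `package.json` or `requirements.txt`, **posts results as a PR comment**, writes to GitHub Step Summary, and optionally fails on CRITICAL packages.
+Add supply chain security auditing to any CI pipeline in 30 seconds — auto-detects packages from `package.json` or `requirements.txt`, **posts results as a PR comment**, writes to GitHub Step Summary, and optionally fails on CRITICAL packages.
 
 Use the dedicated action at [piiiico/commit-action](https://github.com/piiiico/commit-action):
 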
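--- a/package/index.js
+++ b/package/index.js
@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * proof-of-commitment CLI v1.
+ * proof-of-commitment CLI v1.24.0
  * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
  * Usage: npx proof-of-commitment [packages...] [options]
  */
@@ -101,6 +101,14 @@ async function handle429(res) {
 const retryAfter = Number.isFinite(data.retry_after_seconds)
 ? data.retry_after_seconds
 : null;
+// Backend signals "you've blown past the free wall, Developer $15/mo is the
+// right fix" via overshoot=true / tier_suggestion="developer" (added
+// backend-side 2026-06-04). When set, backend routes instantKeyUrl to
+// /pricing — so the CLI must NOT promise "Free API key in 30 seconds" or
+// prompt for email (a 200/day key won't help someone scanning 260+/day).
+// Mismatched CTA text + destination kills trust and conversion. This branch
+// aligns label + URL + skips the inline email prompt. (Dogfood, 2026-06-06.)
+const overshoot = data.overshoot === true || data.tier_suggestion === 'developer';
 
 // Forward-compat: if backend ever returns partial scoring on 429,
 // print what we have BEFORE the rescue message. Falls back to JSON
@@ -130,6 +138,28 @@ async function handle429(res) {
 }
 console.error('');
 
+// Overshoot path: free key is the wrong tool. Surface a URL aligned with
+// the backend's Developer recommendation, skip the email prompt, exit.
+// Without this branch, the CLI would say "Free API key in 30 seconds (no
+// card)" while the URL goes to /pricing — bait-and-switch that erodes
+// trust at the highest-intent moment we get with a user.
+if (overshoot) {
+console.error(
+clr(
+c.cyan + c.bold,
+` → Compare plans (Developer $15/mo · 1,000/day · batch API): ${instantKeyUrl}`
+)
+);
+if (retryAfter && retryAfter > 0) {
+const hours = Math.floor(retryAfter / 3600);
+const mins = Math.floor((retryAfter % 3600) / 60);
+const resetIn = hours > 0 ? `${hours}h ${mins}m` : `${mins}m`;
+console.error(clr(c.dim, ` or wait — free-tier resets in ${resetIn} (00:00 UTC).`));
+}
+console.error('');
+process.exit(1);
+}
+
 // TTY: inline signup collapses the 6-step browser flow (visit URL → enter
 // email → copy key → switch back to terminal → export key → re-run) to a
 // single terminal prompt. Non-TTY (CI/piped) falls through to the URL.
@@ -498,7 +528,7 @@ async function inlineSignup(results) {
 
 function printHelp() {
 console.log(`
-${clr(c.bold, 'proof-of-commitment')} v1.
+${clr(c.bold, 'proof-of-commitment')} v1.24.0 — supply chain risk scorer
 
 ${clr(c.bold, 'Usage:')}
 npx proof-of-commitment Auto-detect manifest in current dir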
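Review bot: The overshoot branch interpolates `${instantKeyUrl}` straight into terminal output under a trusted-sounding "Compare plans" label, and the comment added in the earlier hunk says that value is chosen by the backend's 429 response, yet nothing in this hunk checks that it is a well-formed https URL free of control characters before it reaches `console.error` — a tampered or misconfigured response could turn the rescue message into a phishing link or an ANSI/OSC escape injection. A guard ahead of the first `console.error`, such as `const safeUrl = /^https:\/\/[^\s\x00-\x1f\x7f]+$/.test(String(instantKeyUrl)) ? instantKeyUrl : '(pricing URL unavailable)';`, with `${safeUrl}` in the template, would close that off; `instantKeyUrl` is defined outside the hunk, so whether it is already validated there cannot be confirmed from the diff. The hard-coded `Developer $15/mo · 1,000/day · batch API` label will drift from the backend's real tier the first time pricing changes, reintroducing exactly the CTA/destination mismatch this commit is fixing — since the backend already sends `tier_suggestion`, consider having it send the label text too and falling back to a generic "Compare plans" when absent. The enclosing `handle429` begins and ends outside this hunk.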
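--- a/package/package.json
+++ b/package/package.json
@@ -1,8 +1,8 @@
 {
 "name": "proof-of-commitment",
-"version": "1.
+"version": "1.24.0",
 "mcpName": "io.github.piiiico/proof-of-commitment",
-"description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
+"description": "Supply chain security risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
 "type": "module",
 "bin": {
 "proof-of-commitment": "./index.js",
@@ -16,7 +16,9 @@
 ],
 "keywords": [
 "supply-chain",
+"supply-chain-security",
 "security",
+"scanner",
 "npm",
 "pypi",
 "cargo",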