proof-of-commitment 1.23.0 → 1.25.0

package/README.md

@@ -6,7 +6,7 @@
 
 An MCP server and web tool that scores npm packages, PyPI packages, Rust crates, Go modules, and GitHub repos on **behavioral commitment** — signals that are harder to fake than stars, READMEs, or download counts.
 
-## The supply chain problem
+## The supply chain security problem
 
 26 of the 91 npm packages with >10M weekly downloads have a **single npm publisher**. Together they account for over 3 billion downloads per week. `npm audit` doesn't surface this. Stars don't either.
 
@@ -93,7 +93,7 @@ Add to Claude Desktop, Cursor, Windsurf, or any MCP-compatible AI tool. Then ask
 
 ## GitHub Action
 
-Add supply chain auditing to any CI pipeline in 30 seconds — auto-detects packages from `package.json` or `requirements.txt`, **posts results as a PR comment**, writes to GitHub Step Summary, and optionally fails on CRITICAL packages.
+Add supply chain security auditing to any CI pipeline in 30 seconds — auto-detects packages from `package.json` or `requirements.txt`, **posts results as a PR comment**, writes to GitHub Step Summary, and optionally fails on CRITICAL packages.
 
 Use the dedicated action at [piiiico/commit-action](https://github.com/piiiico/commit-action):
 

package/index.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * proof-of-commitment CLI v1.23.0
+ * proof-of-commitment CLI v1.24.0
  * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
  * Usage: npx proof-of-commitment [packages...] [options]
  */
@@ -101,6 +101,14 @@ async function handle429(res) {
   const retryAfter = Number.isFinite(data.retry_after_seconds)
     ? data.retry_after_seconds
     : null;
+  // Backend signals "you've blown past the free wall, Developer $15/mo is the
+  // right fix" via overshoot=true / tier_suggestion="developer" (added
+  // backend-side 2026-06-04). When set, backend routes instantKeyUrl to
+  // /pricing — so the CLI must NOT promise "Free API key in 30 seconds" or
+  // prompt for email (a 200/day key won't help someone scanning 260+/day).
+  // Mismatched CTA text + destination kills trust and conversion. This branch
+  // aligns label + URL + skips the inline email prompt. (Dogfood, 2026-06-06.)
+  const overshoot = data.overshoot === true || data.tier_suggestion === 'developer';
 
   // Forward-compat: if backend ever returns partial scoring on 429,
   // print what we have BEFORE the rescue message. Falls back to JSON
@@ -130,6 +138,28 @@ async function handle429(res) {
   }
   console.error('');
 
+  // Overshoot path: free key is the wrong tool. Surface a URL aligned with
+  // the backend's Developer recommendation, skip the email prompt, exit.
+  // Without this branch, the CLI would say "Free API key in 30 seconds (no
+  // card)" while the URL goes to /pricing — bait-and-switch that erodes
+  // trust at the highest-intent moment we get with a user.
+  if (overshoot) {
+    console.error(
+      clr(
+        c.cyan + c.bold,
+        `   → Compare plans (Developer $15/mo · 1,000/day · batch API): ${instantKeyUrl}`
+      )
+    );
+    if (retryAfter && retryAfter > 0) {
+      const hours = Math.floor(retryAfter / 3600);
+      const mins = Math.floor((retryAfter % 3600) / 60);
+      const resetIn = hours > 0 ? `${hours}h ${mins}m` : `${mins}m`;
+      console.error(clr(c.dim, `     or wait — free-tier resets in ${resetIn} (00:00 UTC).`));
+    }
+    console.error('');
+    process.exit(1);
+  }
+
   // TTY: inline signup collapses the 6-step browser flow (visit URL → enter
   // email → copy key → switch back to terminal → export key → re-run) to a
   // single terminal prompt. Non-TTY (CI/piped) falls through to the URL.
@@ -383,10 +413,11 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
       console.log(clr(c.dim, `\n  📊 Monitor ${effectiveCritical === 1 ? 'this package' : 'these packages'}: `) +
         clr(c.cyan, `poc watch ${results.find(r => hasCritical(r.riskFlags))?.name || results[0]?.name}`));
     } else if (!process.stdin.isTTY || !process.stdout.isTTY) {
-      // Non-TTY (CI, piped): show static URL since interactive prompt won't work
+      // Non-TTY (CI, piped): show one-step watch command since interactive prompt won't work
+      const watchPkg = results.find(r => hasCritical(r.riskFlags))?.name || results[0]?.name;
       console.log(clr(c.dim, `\n  📊 Monitor ${effectiveCritical === 1 ? 'this' : 'these ' + effectiveCritical} CRITICAL ${effectiveCritical === 1 ? 'package' : 'packages'} — get alerted when scores change.`));
-      console.log(clr(c.dim, '     Get a free API key: ') + clr(c.cyan, 'https://getcommit.dev/get-started?utm_source=cli'));
-      console.log(clr(c.dim, '     Then run: ') + clr(c.cyan, 'poc login'));
+      console.log(clr(c.dim, '     One step: ') + clr(c.cyan, `poc watch ${watchPkg} --email you@company.com`));
+      console.log(clr(c.dim, '     Free: 3 packages, weekly digest. Developer $15/mo: 15 packages, daily scans.'));
     }
     // else: TTY mode — inlineSignup() will prompt interactively after printTable
   } else if (!hasKey && (!process.stdin.isTTY || !process.stdout.isTTY)) {
@@ -396,8 +427,8 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
     // text only in CI/piped output where interactive prompts can't fire.
     // ref=audit-baseline distinguishes this funnel from audit-cli-429
     // (rate-limit rescue) and from the static utm_source=cli help-line.
-    console.log(clr(c.dim, '\n  📊 Save this scan as your baseline. Re-run anytime with a free key:'));
-    console.log(clr(c.dim, '     ') + clr(c.cyan, 'https://getcommit.dev/get-started?ref=audit-baseline&utm_source=cli') + clr(c.dim, '  (200/day free; push alerts on Developer $15/mo)'));
+    console.log(clr(c.dim, '\n  📊 Get alerted if any package degrades:'));
+    console.log(clr(c.dim, '     ') + clr(c.cyan, `poc watch ${results[0]?.name || '<package>'} --email you@company.com`) + clr(c.dim, '  (free: 3 packages, weekly digest)'));
   }
   console.log();
 }
@@ -475,15 +506,15 @@ async function inlineSignup(results) {
       console.log(clr(c.dim, `     Backup sent to ${email}`));
       console.log();
       console.log(clr(c.bold, '  Next steps:'));
-      console.log(clr(c.dim, '    • ') + clr(c.cyan, 'poc status') + clr(c.dim, '       — check your account'));
       // Surface a concrete watch target. CRITICAL first (highest urgency);
       // otherwise pick the lowest-score package as the most-likely-to-degrade.
       const watchTarget = critPkgs[0]?.name
         || results.slice().sort((a, b) => (a.score || 100) - (b.score || 100))[0]?.name;
       if (watchTarget) {
-        console.log(clr(c.dim, '    • ') + clr(c.cyan, `poc watch ${watchTarget}`) + clr(c.dim, '  — start monitoring (Developer $15/mo)'));
+        console.log(clr(c.dim, '    • ') + clr(c.cyan, `poc watch ${watchTarget}`) + clr(c.dim, '  — monitor this package (free: 3 packages, weekly)'));
       }
       console.log(clr(c.dim, '    • ') + clr(c.cyan, 'poc init') + clr(c.dim, '          — add CI gate to this project'));
+      console.log(clr(c.dim, '    • ') + clr(c.cyan, 'poc status') + clr(c.dim, '       — check your account'));
     } else if (data.message) {
       console.log(clr(c.green, ` ✓ ${data.message}`));
     } else {
@@ -498,7 +529,7 @@ async function inlineSignup(results) {
 
 function printHelp() {
   console.log(`
-${clr(c.bold, 'proof-of-commitment')} v1.23.0 — supply chain risk scorer
+${clr(c.bold, 'proof-of-commitment')} v1.24.0 — supply chain risk scorer
 
 ${clr(c.bold, 'Usage:')}
   npx proof-of-commitment                            Auto-detect manifest in current dir
@@ -536,9 +567,9 @@ ${clr(c.bold, 'Account:')}
   poc status          Show current tier, usage, and limits
   poc logout          Remove saved API key
 
-${clr(c.bold, 'Monitoring (Developer $15/mo+):')}
-  poc watch <package> [--ecosystem npm|pypi|cargo|golang]
-                      Add a package to daily monitoring
+${clr(c.bold, 'Monitoring (free: 3 packages weekly · Developer $15/mo: 15 daily):')}
+  poc watch <package> [--email you@co.com] [--ecosystem npm|pypi|cargo|golang]
+                      Add a package to monitoring. --email creates a free key in one step.
   poc watchlist       List monitored packages with current scores + risk
   poc unwatch <pkg>   Remove a package from monitoring
 
@@ -1525,15 +1556,53 @@ async function printUpgradeRequired(res, campaign = 'watchlist-402') {
 /**
  * poc watch <package> [--ecosystem npm|pypi|cargo|golang]
  */
-async function cmdWatch(pkg, ecosystem) {
-  const key = await readApiKey();
+async function cmdWatch(pkg, ecosystem, emailArg) {
+  let key = await readApiKey();
+
+  // --email flag: create a free key inline if none exists, collapsing the
+  // visit-site → enter-email → copy-key → poc-login → poc-watch flow to one step.
+  if (!key && emailArg) {
+    if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(emailArg)) {
+      console.error(clr(c.red, 'Invalid email. Usage: poc watch <pkg> --email you@co.com'));
+      process.exit(1);
+    }
+    process.stdout.write(clr(c.dim, '  Creating free API key...'));
+    try {
+      const createRes = await fetch('https://poc-backend.amdal-dev.workers.dev/api/keys/create', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ email: emailArg, source: 'cli-watch' }),
+      });
+      const keyData = await createRes.json();
+      if (keyData.key) {
+        await writeApiKey(keyData.key);
+        key = keyData.key;
+        console.log(clr(c.green, ' ✓'));
+        console.log(clr(c.dim, `     Key saved to ~/.commit/config. Backup sent to ${emailArg}.`));
+      } else {
+        const errMsg = keyData.error === 'rate_limit_exceeded'
+          ? 'Too many keys from this IP today.'
+          : (keyData.message || 'Could not create key.');
+        console.error(clr(c.red, ` ${errMsg}`));
+        process.exit(1);
+      }
+    } catch (err) {
+      console.error(clr(c.red, ` Error: ${err.message}`));
+      process.exit(1);
+    }
+  }
+
   if (!key) {
-    console.error(clr(c.red, 'No API key found. Set COMMIT_API_KEY or add api_key=<key> to ~/.commit/config'));
-    console.error(clr(c.dim, 'Get a key at https://getcommit.dev/pricing?utm_source=cli'));
+    console.error(clr(c.red, 'No API key found.'));
+    console.error('');
+    console.error(clr(c.bold, '  One-step setup — creates key + starts monitoring:'));
+    console.error(clr(c.cyan, `    poc watch ${pkg} --email you@company.com`));
+    console.error('');
+    console.error(clr(c.dim, '  Or set COMMIT_API_KEY / add api_key=<key> to ~/.commit/config'));
     process.exit(1);
   }
 
-  process.stdout.write(clr(c.dim, `Adding ${pkg} (${ecosystem}) to watchlist...`));
+  process.stdout.write(clr(c.dim, `  Adding ${pkg} (${ecosystem}) to watchlist...`));
   const res = await fetch(WATCHLIST_API, {
     method: 'POST',
     headers: { 'Content-Type': 'application/json', 'Authorization': `Bearer ${key}` },
@@ -1541,6 +1610,16 @@ async function cmdWatch(pkg, ecosystem) {
   });
 
   if (res.status === 402) { process.stdout.write('\n'); await printUpgradeRequired(res, 'watch-cmd'); process.exit(1); }
+  if (res.status === 422) {
+    const errData = await res.json().catch(() => ({}));
+    process.stdout.write('\n');
+    console.log(clr(c.yellow, `  ⚠ ${errData.message || 'Package limit reached.'}`));
+    if (errData.upgrade) {
+      console.log(clr(c.dim, `     ${errData.upgrade.message || `Upgrade to ${errData.upgrade.plan} for more:`}`));
+      console.log(clr(c.cyan, `     ${errData.upgrade.url}`));
+    }
+    process.exit(1);
+  }
 
   const data = await res.json();
   if (!res.ok) {
@@ -1552,7 +1631,7 @@ async function cmdWatch(pkg, ecosystem) {
   process.stdout.write('\n');
   if (isNew) {
     console.log(clr(c.green, `  ✓ Now watching ${pkg}`));
-    console.log(clr(c.dim, '    Daily scan runs at 06:00 UTC. Alerts on score drop ≥10 or CRITICAL threshold.'));
+    console.log(clr(c.dim, '    Weekly digest (Mondays). Upgrade to Developer ($15/mo) for daily scans + Slack alerts.'));
   } else {
     console.log(clr(c.dim, `  ↩ ${pkg} is already in your watchlist`));
   }
@@ -2147,15 +2226,17 @@ async function main() {
 
   if (subcmd === 'watch') {
     const pkg = args[1];
-    if (!pkg) { console.error('Usage: poc watch <package> [--ecosystem npm|pypi|cargo|golang]'); process.exit(1); }
+    if (!pkg) { console.error('Usage: poc watch <package> [--email you@co.com] [--ecosystem npm|pypi|cargo|golang]'); process.exit(1); }
     let ecosystem = 'npm';
+    let email = null;
     for (let i = 2; i < args.length; i++) {
       if (args[i] === '--ecosystem' || args[i] === '-e') ecosystem = args[++i] || 'npm';
+      else if (args[i] === '--email') email = args[++i] || null;
       else if (args[i] === '--pypi') ecosystem = 'pypi';
       else if (args[i] === '--cargo') ecosystem = 'cargo';
       else if (args[i] === '--golang' || args[i] === '--go') ecosystem = 'golang';
     }
-    await cmdWatch(pkg, ecosystem);
+    await cmdWatch(pkg, ecosystem, email);
     process.exit(0);
   }
 

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "proof-of-commitment",
-  "version": "1.23.0",
+  "version": "1.25.0",
   "mcpName": "io.github.piiiico/proof-of-commitment",
-  "description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
+  "description": "Supply chain security risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
   "type": "module",
   "bin": {
     "proof-of-commitment": "./index.js",
@@ -16,7 +16,9 @@
   ],
   "keywords": [
     "supply-chain",
+    "supply-chain-security",
     "security",
+    "scanner",
     "npm",
     "pypi",
     "cargo",