proof-of-commitment 1.24.0 → 1.25.1

package/README.md

@@ -11,15 +11,15 @@ An MCP server and web tool that scores npm packages, PyPI packages, Rust crates,
 26 of the 91 npm packages with >10M weekly downloads have a **single npm publisher**. Together they account for over 3 billion downloads per week. `npm audit` doesn't surface this. Stars don't either.
 
 Four packages in a typical Node.js project are CRITICAL right now:
-- **chalk** — 413M downloads/week, **1 npm publisher**
-- **zod** — 163M downloads/week, **1 npm publisher** (30+ GitHub contributors)
-- **lodash** — 145M downloads/week, **1 npm publisher**
-- **axios** — 99M downloads/week, **1 npm publisher** (attacked March 30, 2026)
+- **chalk** — 432M downloads/week, **1 npm publisher**
+- **zod** — 185M downloads/week, **1 npm publisher** (30+ GitHub contributors)
+- **lodash** — 156M downloads/week, **1 npm publisher**
+- **axios** — 113M downloads/week, **1 npm publisher** (attacked March 30, 2026)
 
 They won't appear in your `package.json` either — but these are in almost every project:
-- **minimatch** — 562M downloads/week, **1 npm publisher**
-- **glob** — 333M downloads/week, **1 npm publisher**
-- **cross-spawn** — 190M downloads/week, **1 npm publisher**
+- **minimatch** — 625M downloads/week, **1 npm publisher**
+- **glob** — 366M downloads/week, **1 npm publisher**
+- **cross-spawn** — 215M downloads/week, **1 npm publisher**
 
 Behavioral signals surface this. Stars and READMEs don't.
 

package/index.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * proof-of-commitment CLI v1.24.0
+ * proof-of-commitment CLI v1.25.1
  * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
  * Usage: npx proof-of-commitment [packages...] [options]
  */
@@ -98,9 +98,14 @@ async function handle429(res) {
   const partial = Array.isArray(data.packages_already_scored)
     ? data.packages_already_scored
     : [];
+  // Authenticated keys: retry_after (seconds, used by worker auth-middleware quota path).
+  // Anonymous IPs: retry_after_seconds (legacy / overshoot rescue path).
+  // Read both so both paths surface a reset-time hint.
   const retryAfter = Number.isFinite(data.retry_after_seconds)
     ? data.retry_after_seconds
-    : null;
+    : Number.isFinite(data.retry_after)
+      ? data.retry_after
+      : null;
   // Backend signals "you've blown past the free wall, Developer $15/mo is the
   // right fix" via overshoot=true / tier_suggestion="developer" (added
   // backend-side 2026-06-04). When set, backend routes instantKeyUrl to
@@ -109,6 +114,25 @@ async function handle429(res) {
   // Mismatched CTA text + destination kills trust and conversion. This branch
   // aligns label + URL + skips the inline email prompt. (Dogfood, 2026-06-06.)
   const overshoot = data.overshoot === true || data.tier_suggestion === 'developer';
+  // Authenticated-key quota path (added 2026-06-10): when the user already
+  // owns an API key and burns through their daily allowance, the backend
+  // auth-middleware (worker.ts resolveApiKey) returns a NESTED upgrade object:
+  //   { error, message, tier, upgrade: { url, plan, price, limit, message }, retry_after }
+  // The legacy handle429() shape only knew the FLAT anonymous-IP shape
+  // (instant_key_url, upgrade_url, overshoot, tier_suggestion). On a free-tier
+  // key quota hit, all those flat fields were undefined → handler fell back
+  // to "Get a free key" + inline email prompt → user (who already has a key)
+  // got bait-and-switched at their highest-intent moment: invested in setup,
+  // used the key all day, ready to upgrade — and we offered them to create
+  // ANOTHER free key. Detect via `data.upgrade?.url && data.upgrade?.plan` +
+  // a non-anonymous `data.tier`, route to dedicated upgrade UX. Aligns CLI
+  // CTA + URL + skips email prompt symmetric to the overshoot branch.
+  const keyUpgrade =
+    data.upgrade &&
+    typeof data.upgrade.url === 'string' &&
+    typeof data.upgrade.plan === 'string' &&
+    typeof data.tier === 'string' &&
+    data.tier !== 'anonymous';
 
   // Forward-compat: if backend ever returns partial scoring on 429,
   // print what we have BEFORE the rescue message. Falls back to JSON
@@ -138,6 +162,36 @@ async function handle429(res) {
   }
   console.error('');
 
+  // Authenticated-key quota path: user already has a key, hit their daily
+  // allowance. Free-key inline prompt is the wrong tool — surface upgrade.
+  // (Diagnosis: 2026-06-10 idle-mode dogfood — see comment block above.)
+  if (keyUpgrade) {
+    const planLabel = data.upgrade.plan.charAt(0).toUpperCase() + data.upgrade.plan.slice(1);
+    const price = data.upgrade.price || '';
+    const limit = data.upgrade.limit || '';
+    const pitch = data.upgrade.message || `Upgrade to ${planLabel}.`;
+    // URL already carries utm_campaign=key-upgrade + utm_source=key +
+    // utm_medium=quota from backend buildUpgradeUrl — no rewrite needed,
+    // /pricing key-upgrade banner reads these and pre-selects the tier.
+    console.error(
+      clr(
+        c.cyan + c.bold,
+        `   → ${planLabel} (${price}${limit ? ' · ' + limit : ''}): ${data.upgrade.url}`
+      )
+    );
+    if (pitch) {
+      console.error(clr(c.dim, `     ${pitch}`));
+    }
+    if (retryAfter && retryAfter > 0) {
+      const hours = Math.floor(retryAfter / 3600);
+      const mins = Math.floor((retryAfter % 3600) / 60);
+      const resetIn = hours > 0 ? `${hours}h ${mins}m` : `${mins}m`;
+      console.error(clr(c.dim, `     or wait — your free-tier quota resets in ${resetIn}.`));
+    }
+    console.error('');
+    process.exit(1);
+  }
+
   // Overshoot path: free key is the wrong tool. Surface a URL aligned with
   // the backend's Developer recommendation, skip the email prompt, exit.
   // Without this branch, the CLI would say "Free API key in 30 seconds (no
@@ -413,10 +467,11 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
       console.log(clr(c.dim, `\n  📊 Monitor ${effectiveCritical === 1 ? 'this package' : 'these packages'}: `) +
         clr(c.cyan, `poc watch ${results.find(r => hasCritical(r.riskFlags))?.name || results[0]?.name}`));
     } else if (!process.stdin.isTTY || !process.stdout.isTTY) {
-      // Non-TTY (CI, piped): show static URL since interactive prompt won't work
+      // Non-TTY (CI, piped): show one-step watch command since interactive prompt won't work
+      const watchPkg = results.find(r => hasCritical(r.riskFlags))?.name || results[0]?.name;
       console.log(clr(c.dim, `\n  📊 Monitor ${effectiveCritical === 1 ? 'this' : 'these ' + effectiveCritical} CRITICAL ${effectiveCritical === 1 ? 'package' : 'packages'} — get alerted when scores change.`));
-      console.log(clr(c.dim, '     Get a free API key: ') + clr(c.cyan, 'https://getcommit.dev/get-started?utm_source=cli'));
-      console.log(clr(c.dim, '     Then run: ') + clr(c.cyan, 'poc login'));
+      console.log(clr(c.dim, '     One step: ') + clr(c.cyan, `poc watch ${watchPkg} --email you@company.com`));
+      console.log(clr(c.dim, '     Free: 3 packages, weekly digest. Developer $15/mo: 15 packages, daily scans.'));
     }
     // else: TTY mode — inlineSignup() will prompt interactively after printTable
   } else if (!hasKey && (!process.stdin.isTTY || !process.stdout.isTTY)) {
@@ -426,8 +481,8 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
     // text only in CI/piped output where interactive prompts can't fire.
     // ref=audit-baseline distinguishes this funnel from audit-cli-429
     // (rate-limit rescue) and from the static utm_source=cli help-line.
-    console.log(clr(c.dim, '\n  📊 Save this scan as your baseline. Re-run anytime with a free key:'));
-    console.log(clr(c.dim, '     ') + clr(c.cyan, 'https://getcommit.dev/get-started?ref=audit-baseline&utm_source=cli') + clr(c.dim, '  (200/day free; push alerts on Developer $15/mo)'));
+    console.log(clr(c.dim, '\n  📊 Get alerted if any package degrades:'));
+    console.log(clr(c.dim, '     ') + clr(c.cyan, `poc watch ${results[0]?.name || '<package>'} --email you@company.com`) + clr(c.dim, '  (free: 3 packages, weekly digest)'));
   }
   console.log();
 }
@@ -505,15 +560,15 @@ async function inlineSignup(results) {
       console.log(clr(c.dim, `     Backup sent to ${email}`));
       console.log();
       console.log(clr(c.bold, '  Next steps:'));
-      console.log(clr(c.dim, '    • ') + clr(c.cyan, 'poc status') + clr(c.dim, '       — check your account'));
       // Surface a concrete watch target. CRITICAL first (highest urgency);
       // otherwise pick the lowest-score package as the most-likely-to-degrade.
       const watchTarget = critPkgs[0]?.name
         || results.slice().sort((a, b) => (a.score || 100) - (b.score || 100))[0]?.name;
       if (watchTarget) {
-        console.log(clr(c.dim, '    • ') + clr(c.cyan, `poc watch ${watchTarget}`) + clr(c.dim, '  — start monitoring (Developer $15/mo)'));
+        console.log(clr(c.dim, '    • ') + clr(c.cyan, `poc watch ${watchTarget}`) + clr(c.dim, '  — monitor this package (free: 3 packages, weekly)'));
       }
       console.log(clr(c.dim, '    • ') + clr(c.cyan, 'poc init') + clr(c.dim, '          — add CI gate to this project'));
+      console.log(clr(c.dim, '    • ') + clr(c.cyan, 'poc status') + clr(c.dim, '       — check your account'));
     } else if (data.message) {
       console.log(clr(c.green, ` ✓ ${data.message}`));
     } else {
@@ -566,9 +621,9 @@ ${clr(c.bold, 'Account:')}
   poc status          Show current tier, usage, and limits
   poc logout          Remove saved API key
 
-${clr(c.bold, 'Monitoring (Developer $15/mo+):')}
-  poc watch <package> [--ecosystem npm|pypi|cargo|golang]
-                      Add a package to daily monitoring
+${clr(c.bold, 'Monitoring (free: 3 packages weekly · Developer $15/mo: 15 daily):')}
+  poc watch <package> [--email you@co.com] [--ecosystem npm|pypi|cargo|golang]
+                      Add a package to monitoring. --email creates a free key in one step.
   poc watchlist       List monitored packages with current scores + risk
   poc unwatch <pkg>   Remove a package from monitoring
 
@@ -1555,15 +1610,53 @@ async function printUpgradeRequired(res, campaign = 'watchlist-402') {
 /**
  * poc watch <package> [--ecosystem npm|pypi|cargo|golang]
  */
-async function cmdWatch(pkg, ecosystem) {
-  const key = await readApiKey();
+async function cmdWatch(pkg, ecosystem, emailArg) {
+  let key = await readApiKey();
+
+  // --email flag: create a free key inline if none exists, collapsing the
+  // visit-site → enter-email → copy-key → poc-login → poc-watch flow to one step.
+  if (!key && emailArg) {
+    if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(emailArg)) {
+      console.error(clr(c.red, 'Invalid email. Usage: poc watch <pkg> --email you@co.com'));
+      process.exit(1);
+    }
+    process.stdout.write(clr(c.dim, '  Creating free API key...'));
+    try {
+      const createRes = await fetch('https://poc-backend.amdal-dev.workers.dev/api/keys/create', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ email: emailArg, source: 'cli-watch' }),
+      });
+      const keyData = await createRes.json();
+      if (keyData.key) {
+        await writeApiKey(keyData.key);
+        key = keyData.key;
+        console.log(clr(c.green, ' ✓'));
+        console.log(clr(c.dim, `     Key saved to ~/.commit/config. Backup sent to ${emailArg}.`));
+      } else {
+        const errMsg = keyData.error === 'rate_limit_exceeded'
+          ? 'Too many keys from this IP today.'
+          : (keyData.message || 'Could not create key.');
+        console.error(clr(c.red, ` ${errMsg}`));
+        process.exit(1);
+      }
+    } catch (err) {
+      console.error(clr(c.red, ` Error: ${err.message}`));
+      process.exit(1);
+    }
+  }
+
   if (!key) {
-    console.error(clr(c.red, 'No API key found. Set COMMIT_API_KEY or add api_key=<key> to ~/.commit/config'));
-    console.error(clr(c.dim, 'Get a key at https://getcommit.dev/pricing?utm_source=cli'));
+    console.error(clr(c.red, 'No API key found.'));
+    console.error('');
+    console.error(clr(c.bold, '  One-step setup — creates key + starts monitoring:'));
+    console.error(clr(c.cyan, `    poc watch ${pkg} --email you@company.com`));
+    console.error('');
+    console.error(clr(c.dim, '  Or set COMMIT_API_KEY / add api_key=<key> to ~/.commit/config'));
     process.exit(1);
   }
 
-  process.stdout.write(clr(c.dim, `Adding ${pkg} (${ecosystem}) to watchlist...`));
+  process.stdout.write(clr(c.dim, `  Adding ${pkg} (${ecosystem}) to watchlist...`));
   const res = await fetch(WATCHLIST_API, {
     method: 'POST',
     headers: { 'Content-Type': 'application/json', 'Authorization': `Bearer ${key}` },
@@ -1571,6 +1664,16 @@ async function cmdWatch(pkg, ecosystem) {
   });
 
   if (res.status === 402) { process.stdout.write('\n'); await printUpgradeRequired(res, 'watch-cmd'); process.exit(1); }
+  if (res.status === 422) {
+    const errData = await res.json().catch(() => ({}));
+    process.stdout.write('\n');
+    console.log(clr(c.yellow, `  ⚠ ${errData.message || 'Package limit reached.'}`));
+    if (errData.upgrade) {
+      console.log(clr(c.dim, `     ${errData.upgrade.message || `Upgrade to ${errData.upgrade.plan} for more:`}`));
+      console.log(clr(c.cyan, `     ${errData.upgrade.url}`));
+    }
+    process.exit(1);
+  }
 
   const data = await res.json();
   if (!res.ok) {
@@ -1582,7 +1685,7 @@ async function cmdWatch(pkg, ecosystem) {
   process.stdout.write('\n');
   if (isNew) {
     console.log(clr(c.green, `  ✓ Now watching ${pkg}`));
-    console.log(clr(c.dim, '    Daily scan runs at 06:00 UTC. Alerts on score drop ≥10 or CRITICAL threshold.'));
+    console.log(clr(c.dim, '    Weekly digest (Mondays). Upgrade to Developer ($15/mo) for daily scans + Slack alerts.'));
   } else {
     console.log(clr(c.dim, `  ↩ ${pkg} is already in your watchlist`));
   }
@@ -2177,15 +2280,17 @@ async function main() {
 
   if (subcmd === 'watch') {
     const pkg = args[1];
-    if (!pkg) { console.error('Usage: poc watch <package> [--ecosystem npm|pypi|cargo|golang]'); process.exit(1); }
+    if (!pkg) { console.error('Usage: poc watch <package> [--email you@co.com] [--ecosystem npm|pypi|cargo|golang]'); process.exit(1); }
     let ecosystem = 'npm';
+    let email = null;
     for (let i = 2; i < args.length; i++) {
       if (args[i] === '--ecosystem' || args[i] === '-e') ecosystem = args[++i] || 'npm';
+      else if (args[i] === '--email') email = args[++i] || null;
       else if (args[i] === '--pypi') ecosystem = 'pypi';
       else if (args[i] === '--cargo') ecosystem = 'cargo';
       else if (args[i] === '--golang' || args[i] === '--go') ecosystem = 'golang';
     }
-    await cmdWatch(pkg, ecosystem);
+    await cmdWatch(pkg, ecosystem, email);
     process.exit(0);
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "proof-of-commitment",
-  "version": "1.24.0",
+  "version": "1.25.1",
   "mcpName": "io.github.piiiico/proof-of-commitment",
   "description": "Supply chain security risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
   "type": "module",
@@ -34,7 +34,15 @@
     "maintainer",
     "publisher",
     "provenance",
-    "trusted-publishing"
+    "trusted-publishing",
+    "mcp",
+    "mcp-server",
+    "vulnerability",
+    "sca",
+    "dependency-audit",
+    "lockfile",
+    "devsecops",
+    "ci"
   ],
   "author": "piiiico",
   "license": "MIT",