proof-of-commitment 1.27.0 → 1.29.0

package/index.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * proof-of-commitment CLI v1.26.0
+ * proof-of-commitment CLI v1.29.0
  * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
  * Usage: npx proof-of-commitment [packages...] [options]
  */
@@ -649,7 +649,60 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
  * intent. Copy adapts to context: degradation alerts (CRITICAL) vs baseline
  * lock-in (healthy). Quick lookups (<3 packages) still skip the prompt.
  */
-async function inlineSignup(results) {
+/**
+ * Build the top-3-by-risk-priority watch seeds for /api/keys/create body.watch.
+ *
+ * Mirrors the web-side buildWatchSeeds at
+ * commit-landing-v2/src/pages/audit.astro:1299 so the two signup paths
+ * (web audit form vs CLI inline-prompt) feed the backend with the same
+ * shape — backend then writes the user's default project's
+ * monitored_packages BEFORE the welcome email so step 1 names actual
+ * packages instead of hardcoded `poc watch express / lodash` examples.
+ *
+ * Priority: compromised > CRITICAL > HIGH > others (any flags) > clean.
+ * The free-tier cap (3) is enforced both here and again on the backend
+ * (PACKAGE_LIMITS.free) — defense in depth across client-server drift.
+ * Validates ecosystem against the backend ECOSYSTEMS set
+ * (npm/pypi/cargo/golang); unknown ecosystems fall back to npm because
+ * the backend rejects unknowns and we want to surface SOMETHING rather
+ * than nothing. Filters out names that fail npm's 214-char max and
+ * dedupes by (name, ecosystem).
+ *
+ * Closes the second proposition-gap layer (CLI-side mirror of the
+ * 2026-06-11 audit-page watchlist auto-seed at abe53f1/df8a8be).
+ */
+function buildCliWatchSeeds(results) {
+  if (!Array.isArray(results) || results.length === 0) return [];
+  const VALID_ECOS = new Set(['npm', 'pypi', 'cargo', 'golang']);
+  function priority(r) {
+    if (r.compromised) return 0;
+    if (Array.isArray(r.riskFlags) && r.riskFlags.some(f => typeof f === 'string' && f.startsWith('CRITICAL'))) return 1;
+    if (Array.isArray(r.riskFlags) && r.riskFlags.some(f => typeof f === 'string' && f.startsWith('HIGH'))) return 2;
+    if (Array.isArray(r.riskFlags) && r.riskFlags.length > 0) return 3;
+    return 4;
+  }
+  const filtered = results.filter(r => typeof r.name === 'string' && r.name.length > 0 && r.name.length < 215);
+  const sorted = filtered.slice().sort((a, b) => {
+    const pa = priority(a);
+    const pb = priority(b);
+    if (pa !== pb) return pa - pb;
+    return filtered.indexOf(a) - filtered.indexOf(b);
+  });
+  const seeds = [];
+  const seen = new Set();
+  for (const r of sorted) {
+    const rawEco = typeof r.ecosystem === 'string' ? r.ecosystem.toLowerCase() : 'npm';
+    const eco = VALID_ECOS.has(rawEco) ? rawEco : 'npm';
+    const key = `${r.name}|${eco}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    seeds.push({ name: r.name, ecosystem: eco });
+    if (seeds.length >= 3) break; // free-tier cap (backend re-validates)
+  }
+  return seeds;
+}
+
+async function inlineSignup(results, opts = {}) {
   // Only prompt in interactive TTY when no key saved
   if (!process.stdin.isTTY || !process.stdout.isTTY) return;
   const hasKey = !!process.env.COMMIT_API_KEY || _cachedHasKey;
@@ -657,20 +710,36 @@ async function inlineSignup(results) {
   const critPkgs = results.filter(r => hasCritical(r.riskFlags));
   const lowScorePkgs = results.filter(r => typeof r.score === 'number' && r.score < 60);
   const hasFindings = critPkgs.length >= 1 || lowScorePkgs.length >= 2;
-  // Gate: show prompt when there's something worth monitoring.
+  // engagementSignal: true when the backend returned an `_cta` field, which
+  // means this IP has scored ≥ AUDIT_SOFT_CTA_AT (5) packages today.
+  // That's a server-confirmed engagement signal independent of local result
+  // shape — the user is approaching the daily wall (15) and will hit it
+  // soon. Pre-this fix, single-package healthy scans at counts 5–14 saw
+  // only a dim URL: the strongest in-terminal conversion moment dropped to
+  // a copy-paste task. With engagementSignal=true we bypass the findings
+  // gate so the inline email→key prompt fires at the moment of warmest
+  // engagement. Closes the leak found 2026-06-10 dogfooding /api/keys/stats:
+  // 4 IPs hit AUDIT_SOFT_CTA_AT in 7d, 0 organic signups.
+  const engagementSignal = !!opts.engagementSignal;
+  // Gate: show prompt when there's something worth monitoring OR the user
+  // has demonstrated repeat-use engagement today (server _cta signal).
   // Old gate (results.length < 3) blocked the most common entry point:
   // `npx proof-of-commitment axios` after reading about an attack.
   // A single CRITICAL result IS the high-intent moment — don't skip it.
-  // For healthy single-package checks with no findings, still skip.
-  if (results.length < 3 && !hasFindings) return;
+  // For healthy single-package checks with no findings AND no engagement
+  // signal, still skip.
+  if (results.length < 3 && !hasFindings && !engagementSignal) return;
 
   // Copy adapts to context. Findings → degradation framing.
   // Healthy → baseline-lock framing (still real value: alert me if any score drops).
+  // engagementSignal without findings → soft-CTA wall-approach framing.
   const heading = hasFindings
     ? (results.length === 1
       ? '  🔔 Monitor this package. Get alerted if it gets worse.'
       : '  🔔 Lock in this audit. Get alerted if these packages get worse.')
-    : '  🔔 Lock in this baseline. Get alerted if any of these packages degrade.';
+    : engagementSignal
+      ? '  🔔 Past the free anonymous quota on this network — lift it to 200/day.'
+      : '  🔔 Lock in this baseline. Get alerted if any of these packages degrade.';
 
   console.log(clr(c.dim, '  ─────────────────────────────────────────────'));
   console.log(clr(c.bold, heading));
@@ -696,10 +765,29 @@ async function inlineSignup(results) {
   process.stdout.write(clr(c.dim, '  Creating key...'));
 
   try {
+    // Funnel attribution: 'cli-soft-cta' for engagement-signal path,
+    // 'cli' for findings-driven inline prompts. Lets api_keys.source
+    // measure 2026-06-10 engagementSignal gate-bypass lift separately
+    // from baseline inline-CLI signups. Backend VALID_SOURCES gains
+    // 'cli-soft-cta' in this same commit; older worker versions drop
+    // unknown sources to 'web' (safe degradation, no error).
+    const source = engagementSignal && !hasFindings ? 'cli-soft-cta' : 'cli';
+    // Proposition shift (2026-06-11, second layer): same defect the audit-page
+    // welcome email had until df8a8be — pre-fix, every CLI signup got hardcoded
+    // "poc watch express / lodash" in their welcome email regardless of what
+    // they actually scanned. Web side now seeds top-3-by-risk-priority on POST
+    // and the backend writes them to the user's default project before sending
+    // the welcome email. CLI must mirror or signups via `npx proof-of-commitment
+    // <some-package>` still get an email orthogonal to their intent. Backend
+    // accepts body.watch = [{name, ecosystem}], caps at PACKAGE_LIMITS.free=3,
+    // echoes seededPackages back as data.watched_packages. Priority order
+    // (compromised > CRITICAL > HIGH > others) matches the web-side
+    // buildWatchSeeds at commit-landing-v2/src/pages/audit.astro:1299.
+    const watch = buildCliWatchSeeds(results);
     const res = await fetch('https://poc-backend.amdal-dev.workers.dev/api/keys/create', {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({ email, source: 'cli' }),
+      body: JSON.stringify({ email, source, watch }),
     });
 
     const data = await res.json();
@@ -710,16 +798,39 @@ async function inlineSignup(results) {
       console.log(clr(c.green, ' ✓ Saved to ~/.commit/config'));
       console.log(clr(c.dim, `     Backup sent to ${email}`));
       console.log();
-      console.log(clr(c.bold, '  Next steps:'));
-      // Surface a concrete watch target. CRITICAL first (highest urgency);
-      // otherwise pick the lowest-score package as the most-likely-to-degrade.
-      const watchTarget = critPkgs[0]?.name
-        || results.slice().sort((a, b) => (a.score || 100) - (b.score || 100))[0]?.name;
-      if (watchTarget) {
-        console.log(clr(c.dim, '    • ') + clr(c.cyan, `poc watch ${watchTarget}`) + clr(c.dim, '  — monitor this package (free: 3 packages, weekly)'));
+      // Render the backend echo (data.watched_packages) — the user sees
+      // "Now watching: foo, bar, baz" before the first weekly digest fires
+      // (~7d). Mirrors the audit-page renderInlineForm success state at
+      // commit-landing-v2/src/pages/audit.astro:1971 so on-context-switch the
+      // user does not see contradictory "you have nothing watched" messaging
+      // in `poc list`. Trust the server echo, not our pre-submit array (the
+      // server caps + dedups). Older backend versions that predate body.watch
+      // simply omit watched_packages — we fall through to the legacy
+      // single-target hint, no regression.
+      const watched = Array.isArray(data.watched_packages) ? data.watched_packages : [];
+      if (watched.length > 0) {
+        const names = watched.map(w => w.name).join(', ');
+        const noun = watched.length === 1 ? 'package' : 'packages';
+        console.log(clr(c.green, `  ✓ Now watching ${watched.length} ${noun}: ${names}`));
+        console.log(clr(c.dim, '     Mondays we email you if any score drops a tier or a watched package gets attacked.\n'));
+        console.log(clr(c.bold, '  Next steps:'));
+        console.log(clr(c.dim, '    • ') + clr(c.cyan, 'poc list') + clr(c.dim, '          — confirm your watchlist'));
+        console.log(clr(c.dim, '    • ') + clr(c.cyan, 'poc init') + clr(c.dim, '          — add CI gate to this project'));
+        console.log(clr(c.dim, '    • ') + clr(c.cyan, 'poc status') + clr(c.dim, '       — check your account'));
+      } else {
+        console.log(clr(c.bold, '  Next steps:'));
+        // Legacy fallback: backend did not seed (old worker, empty seeds, or
+        // seed failure swallowed). Surface a concrete watch target. CRITICAL
+        // first (highest urgency); otherwise pick the lowest-score package as
+        // the most-likely-to-degrade.
+        const watchTarget = critPkgs[0]?.name
+          || results.slice().sort((a, b) => (a.score || 100) - (b.score || 100))[0]?.name;
+        if (watchTarget) {
+          console.log(clr(c.dim, '    • ') + clr(c.cyan, `poc watch ${watchTarget}`) + clr(c.dim, '  — monitor this package (free: 3 packages, weekly)'));
+        }
+        console.log(clr(c.dim, '    • ') + clr(c.cyan, 'poc init') + clr(c.dim, '          — add CI gate to this project'));
+        console.log(clr(c.dim, '    • ') + clr(c.cyan, 'poc status') + clr(c.dim, '       — check your account'));
       }
-      console.log(clr(c.dim, '    • ') + clr(c.cyan, 'poc init') + clr(c.dim, '          — add CI gate to this project'));
-      console.log(clr(c.dim, '    • ') + clr(c.cyan, 'poc status') + clr(c.dim, '       — check your account'));
     } else if (data.message) {
       console.log(clr(c.green, ` ✓ ${data.message}`));
     } else {
@@ -734,7 +845,7 @@ async function inlineSignup(results) {
 
 function printHelp() {
   console.log(`
-${clr(c.bold, 'proof-of-commitment')} v1.24.0 — supply chain risk scorer
+${clr(c.bold, 'proof-of-commitment')} v1.29.0 — supply chain risk scorer
 
 ${clr(c.bold, 'Usage:')}
   npx proof-of-commitment                            Auto-detect manifest in current dir
@@ -2635,7 +2746,7 @@ async function main() {
     const criticalTotal = allResults.filter(r => hasCritical(r.riskFlags)).length;
     printTable(displayed, { totalScanned: allResults.length, totalCritical: criticalTotal, lockfile: true });
     if (apiCta) console.log(clr(c.dim + c.cyan, `\n  ${apiCta}`));
-    await inlineSignup(displayed);
+    await inlineSignup(displayed, { engagementSignal: !!apiCta });
     if (shouldFail(allResults, failOn)) {
       console.error(clr(c.red + c.bold, `\n✗ --fail-on=${failOn} threshold met. Exit 1.`));
       process.exit(1);
@@ -2676,7 +2787,7 @@ async function main() {
 
   printTable(allResults);
   if (apiCta) console.log(clr(c.dim + c.cyan, `\n  ${apiCta}`));
-  await inlineSignup(allResults);
+  await inlineSignup(allResults, { engagementSignal: !!apiCta });
   if (shouldFail(allResults, failOn)) {
     console.error(clr(c.red + c.bold, `✗ --fail-on=${failOn} threshold met. Exit 1.`));
     process.exit(1);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "proof-of-commitment",
-  "version": "1.27.0",
+  "version": "1.29.0",
   "mcpName": "io.github.piiiico/proof-of-commitment",
   "description": "Supply chain security risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
   "type": "module",