proof-of-commitment 1.30.0 → 1.31.1

package/README.md

@@ -6,6 +6,24 @@
 
 An MCP server and web tool that scores npm packages, PyPI packages, Rust crates, Go modules, and GitHub repos on **behavioral commitment** — signals that are harder to fake than stars, READMEs, or download counts.
 
+```text
+$ npx proof-of-commitment axios zod chalk lodash minimatch
+Scoring 5 npm packages... done in 3.0s
+
+Package      Risk          Score   Publishers   Downloads      Age    Provenance
+chalk        🔴 CRITICAL   72      1            432.9M/wk      14.6y  —
+minimatch    🔴 CRITICAL   78      1            634.1M/wk      14.9y  —
+lodash       🔴 CRITICAL   80      1            158.9M/wk      14.1y  —
+zod          🔴 CRITICAL   83      1            161.2M/wk      6.3y   🔐 verified
+axios        🔴 CRITICAL   88      1            115.7M/wk      11.8y  🔐 verified
+                ⚠ COMPROMISED — axios token theft (2026-03-30)
+
+⚠  5 CRITICAL packages found.
+   CRITICAL = sole npm publisher + >10M weekly downloads (publish-access concentration risk)
+```
+
+`npm audit` flags none of these. They're not vulnerabilities — they're attack-surface concentration. One stolen npm token, one phished maintainer, and a single push reaches the whole ecosystem (axios, March 30 2026 — happened).
+
 ## The supply chain security problem
 
 26 of the 91 npm packages with >10M weekly downloads have a **single npm publisher**. Together they account for over 3 billion downloads per week. `npm audit` doesn't surface this. Stars don't either.

package/index.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * proof-of-commitment CLI v1.30.0
+ * proof-of-commitment CLI v1.31.0
  * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
  * Usage: npx proof-of-commitment [packages...] [options]
  */
@@ -162,6 +162,24 @@ async function handle429(res) {
   }
   console.error('');
 
+  // GitHub Actions: surface rate-limit as a workflow annotation so the human
+  // reviewer sees it in the PR checks tab, not buried in raw CI logs.
+  // Must fire BEFORE the path-specific branches — keyUpgrade and overshoot
+  // both exit early with process.exit(1) and would skip a late annotation.
+  if (process.env.GITHUB_ACTIONS === 'true') {
+    const fixUrl = keyUpgrade
+      ? (data.upgrade?.url || 'https://getcommit.dev/pricing?ref=ci-annotation')
+      : overshoot
+        ? (instantKeyUrl || 'https://getcommit.dev/pricing?ref=ci-annotation')
+        : (instantKeyUrl || 'https://getcommit.dev/get-started?ref=ci-annotation');
+    const fixLabel = keyUpgrade
+      ? 'Upgrade your API key for higher limits'
+      : overshoot
+        ? 'Get a Developer key ($15/mo, 1000/day)'
+        : 'Get a free API key (200/day, no card)';
+    console.error(`::warning title=Commit supply chain audit rate-limited::${fixLabel}. Add COMMIT_API_KEY to repo secrets. ${fixUrl}`);
+  }
+
   // Authenticated-key quota path: user already has a key, hit their daily
   // allowance. Free-key inline prompt is the wrong tool — surface upgrade.
   // (Diagnosis: 2026-06-10 idle-mode dogfood — see comment block above.)
@@ -585,6 +603,20 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
     console.log('\n' + clr(c.green, `✓  No CRITICAL packages found${suffix}.`));
   }
 
+  // GitHub Actions: emit annotations so CRITICAL findings surface in the PR
+  // checks tab and workflow summary — not buried in raw log output. This is
+  // the same visibility commit-action gives, but for direct CLI users.
+  if (process.env.GITHUB_ACTIONS === 'true') {
+    if (effectiveCritical > 0) {
+      const critNames = results.filter(r => hasCritical(r.riskFlags)).slice(0, 5).map(r => r.name).join(', ');
+      console.error(`::warning title=Commit: ${effectiveCritical} CRITICAL package${effectiveCritical > 1 ? 's' : ''}::Sole npm publisher + >10M downloads/week: ${critNames}. Details: getcommit.dev/audit?packages=${encodeURIComponent(critNames)}&utm_source=cli&utm_medium=ci-annotation`);
+    }
+    if (compromisedCount > 0) {
+      const compNames = results.filter(r => r.compromised).slice(0, 5).map(r => r.name).join(', ');
+      console.error(`::error title=Commit: ${compromisedCount} compromised package${compromisedCount > 1 ? 's' : ''}::Recently attacked in supply chain incidents: ${compNames}. Verify you are on clean versions.`);
+    }
+  }
+
   if (compromisedCount > 0) {
     console.log(clr(c.red + c.bold, `\n⚠  ${compromisedCount} package${compromisedCount > 1 ? 's' : ''} recently compromised in supply chain attacks.`));
     console.log(clr(c.dim, '   Verify you are on clean versions. See URLs above for incident details.'));
@@ -846,7 +878,7 @@ async function inlineSignup(results, opts = {}) {
 
 function printHelp() {
   console.log(`
-${clr(c.bold, 'proof-of-commitment')} v1.30.0 — supply chain risk scorer
+${clr(c.bold, 'proof-of-commitment')} v1.31.0 — supply chain risk scorer
 
 ${clr(c.bold, 'Usage:')}
   npx proof-of-commitment                            Auto-detect manifest in current dir

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "proof-of-commitment",
-  "version": "1.30.0",
+  "version": "1.31.1",
   "mcpName": "io.github.piiiico/proof-of-commitment",
   "description": "Supply chain security risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
   "type": "module",
@@ -53,6 +53,13 @@
     "url": "https://github.com/piiiico/proof-of-commitment"
   },
   "homepage": "https://getcommit.dev/audit",
+  "bugs": {
+    "url": "https://github.com/piiiico/proof-of-commitment/issues"
+  },
+  "funding": {
+    "type": "individual",
+    "url": "https://getcommit.dev/pricing?utm_source=npm-fund&utm_medium=package-meta"
+  },
   "engines": {
     "node": ">=18"
   }