proof-of-commitment 1.32.0 → 1.33.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/index.js +52 -5
  2. package/package.json +1 -1
package/index.js CHANGED
@@ -1,6 +1,6 @@
1
1
  #!/usr/bin/env node
2
2
  /**
3
- * proof-of-commitment CLI v1.32.0
3
+ * proof-of-commitment CLI v1.33.0
4
4
  * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
5
5
  * Usage: npx proof-of-commitment [packages...] [options]
6
6
  */
@@ -313,6 +313,40 @@ function hasCritical(flags) {
313
313
  return flags && flags.some(f => typeof f === 'string' && f.startsWith('CRITICAL'));
314
314
  }
315
315
 
316
+ /**
317
+ * Footer-calibration helper — diagnoses when the CRITICAL count is so dense
318
+ * that the label has lost actionable meaning, and produces a reframe.
319
+ *
320
+ * Why this exists. Lockfile audits on real Node projects routinely report
321
+ * 40–60% of scanned packages as CRITICAL — the threshold (sole publisher +
322
+ * >10M weekly downloads) is structurally widespread in npm. When the footer
323
+ * says "157 CRITICAL packages found" without context, a new user reads it as
324
+ * either alarmist noise (close the tab) or as an unbounded ask (157 things
325
+ * to investigate — uninstall the tool). Both kill activation.
326
+ *
327
+ * The dogfood signal: 2026-06-16 commit-landing-v2 lockfile, authenticated,
328
+ * 326 scanned, 157 CRITICAL (48%). Reflection: "label loses meaning when
329
+ * half the tree is red." Calibration reframes 157-of-326 as "typical npm
330
+ * baseline; act on the top 3-5 by impact" — preserves the data and gives
331
+ * the user a concrete next step. Threshold 20% chosen because that's the
332
+ * point at which per-package action stops being feasible.
333
+ *
334
+ * Returns null when calibration shouldn't fire (low ratio, no scan total,
335
+ * trivially small scan). Returns a `{ ratio, percent, baseline }` object
336
+ * otherwise — caller decides how to render it.
337
+ */
338
+ function summarizeCriticalConcentration(criticalCount, totalScanned) {
339
+ if (!totalScanned || totalScanned < 10) return null;
340
+ if (!criticalCount || criticalCount <= 0) return null;
341
+ const ratio = criticalCount / totalScanned;
342
+ if (ratio < 0.20) return null;
343
+ return {
344
+ ratio,
345
+ percent: Math.round(ratio * 100),
346
+ baseline: true,
347
+ };
348
+ }
349
+
316
350
  function riskColor(flags, score) {
317
351
  if (hasCritical(flags)) return c.red + c.bold;
318
352
  if (score < 40) return c.yellow + c.bold;
@@ -592,9 +626,22 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
592
626
 
593
627
  const effectiveCritical = totalCritical !== undefined ? totalCritical : criticalInDisplay;
594
628
  if (effectiveCritical > 0) {
595
- const suffix = totalScanned ? ` (in ${totalScanned} packages scanned)` : '';
596
- console.log('\n' + clr(c.red + c.bold, `⚠ ${effectiveCritical} CRITICAL package${effectiveCritical > 1 ? 's' : ''} found${suffix}.`));
597
- console.log(clr(c.dim, ' CRITICAL = sole npm publisher + >10M weekly downloads (publish-access concentration risk)'));
629
+ const conc = summarizeCriticalConcentration(effectiveCritical, totalScanned);
630
+ if (conc) {
631
+ // High-density reframe: at ≥20% CRITICAL the per-package alarm framing
632
+ // loses meaning (the user can't audit a third of their tree). Recast as
633
+ // ecosystem baseline + actionable shortlist. Pinned by
634
+ // test/cli-critical-concentration.test.ts.
635
+ console.log('\n' + clr(c.red + c.bold, `⚠ ${effectiveCritical} CRITICAL packages (${conc.percent}% of ${totalScanned} scanned).`));
636
+ console.log(clr(c.dim, ' CRITICAL = sole npm publisher + >10M weekly downloads.'));
637
+ console.log(clr(c.dim, ' At this density you\'re seeing npm\'s baseline — most popular packages have'));
638
+ console.log(clr(c.dim, ' one publisher. Watch the top 3-5 above (highest impact); pin your lockfile'));
639
+ console.log(clr(c.dim, ' and audit deltas for the rest — concentration you can\'t avoid per-dep.'));
640
+ } else {
641
+ const suffix = totalScanned ? ` (in ${totalScanned} packages scanned)` : '';
642
+ console.log('\n' + clr(c.red + c.bold, `⚠ ${effectiveCritical} CRITICAL package${effectiveCritical > 1 ? 's' : ''} found${suffix}.`));
643
+ console.log(clr(c.dim, ' CRITICAL = sole npm publisher + >10M weekly downloads (publish-access concentration risk)'));
644
+ }
598
645
  if (provenanceCount > 0 && provenanceCount < results.length) {
599
646
  console.log(clr(c.cyan, ` 🔐 ${provenanceCount}/${results.length} use Trusted Publishing (OIDC provenance) — partial mitigation`));
600
647
  }
@@ -942,7 +989,7 @@ async function inlineSignup(results, opts = {}) {
942
989
 
943
990
  function printHelp() {
944
991
  console.log(`
945
- ${clr(c.bold, 'proof-of-commitment')} v1.32.0 — supply chain risk scorer
992
+ ${clr(c.bold, 'proof-of-commitment')} v1.33.0 — supply chain risk scorer
946
993
 
947
994
  ${clr(c.bold, 'Usage:')}
948
995
  npx proof-of-commitment Auto-detect manifest in current dir
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "proof-of-commitment",
3
- "version": "1.32.0",
3
+ "version": "1.33.0",
4
4
  "mcpName": "io.github.piiiico/proof-of-commitment",
5
5
  "description": "Supply chain security risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
6
6
  "type": "module",