proof-of-commitment 1.4.0 → 1.6.0

package/README.md

@@ -1,6 +1,6 @@
 # proof-of-commitment
 
-> Supply chain risk scorer for npm and PyPI packages. Behavioral signals that can't be faked.
+> Supply chain risk scorer for npm, PyPI, Cargo (Rust), and Go modules. Behavioral signals that can't be faked.
 
 ```
 npx proof-of-commitment axios zod chalk
@@ -50,14 +50,26 @@ npx proof-of-commitment axios zod chalk lodash express
 # Score PyPI packages
 npx proof-of-commitment --pypi litellm langchain requests numpy
 
-# Auto-detect from package.json or requirements.txt
-npx proof-of-commitment --file package.json
-npx proof-of-commitment --file requirements.txt
+# Score Rust crates
+npx proof-of-commitment --cargo serde tokio reqwest
+
+# Score Go modules (full module path required — host/owner/repo)
+npx proof-of-commitment --golang github.com/gin-gonic/gin golang.org/x/net
+
+# Auto-detect from manifest / lock / module file
+npx proof-of-commitment --file package.json       # npm
+npx proof-of-commitment --file package-lock.json  # full transitive
+npx proof-of-commitment --file requirements.txt   # PyPI
+npx proof-of-commitment --file Cargo.toml         # Rust direct deps
+npx proof-of-commitment --file go.mod             # Go direct + indirect
+npx proof-of-commitment --file go.sum             # Go full transitive set
 
 # Short alias
 npx poc axios zod chalk
 ```
 
+**Go modules note:** Go has no centralized download counter and no publisher registry. Scoring is GitHub-primary: longevity, release cadence, GitHub contributor count, OpenSSF Scorecard, and stars (popularity proxy). The "publishers" column in Go output shows GitHub push-access contributors — the closest equivalent to npm publishers.
+
 ## Zero-install MCP server (for Claude, Cursor, Windsurf)
 
 Add to your AI tool's config:

package/index.js

@@ -87,12 +87,23 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
     const label = riskLabel(pkg.riskFlags, pkg.score);
     if (pkg.riskFlags && pkg.riskFlags.includes('CRITICAL')) criticalInDisplay++;
 
+    // Go modules have no download data — show "—" instead. The maintainers
+    // column for Go shows GitHub contributor count (the closest equivalent
+    // to publish access since Go has no centralized publisher concept).
+    const isGo = pkg.ecosystem === 'golang';
+    const dlDisplay = isGo
+      ? '—'
+      : fmtDownloads(pkg.weeklyDownloads || 0);
+    const maintDisplay = pkg.maintainers === 35
+      ? '30+'
+      : String(pkg.maintainers || '?');
+
     const row = [
       padEnd(pkg.name, COL.name),
       padEnd(clr(rc, label), COL.risk),
       padEnd(String(pkg.score), COL.score),
-      padEnd(String(pkg.maintainers || '?'), COL.maintainers),
-      padEnd(fmtDownloads(pkg.weeklyDownloads || 0), COL.downloads),
+      padEnd(maintDisplay, COL.maintainers),
+      padEnd(dlDisplay, COL.downloads),
       padEnd((pkg.ageYears || '?').toString().replace(/(\.\d).*/, '$1') + 'y', COL.age),
     ].join('  ');
 
@@ -104,13 +115,18 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
       console.log(clr(c.dim, `  ↳ ${ghCount} GitHub contributors — publish-access concentration risk despite active community`));
     }
 
-    // Score breakdown if available
+    // Score breakdown if available — keys differ across ecosystems
     if (pkg.scoreBreakdown) {
       const b = pkg.scoreBreakdown;
-      const breakdown = clr(c.dim,
-        `  └ longevity=${b.longevity} momentum=${b.downloadMomentum} ` +
-        `releases=${b.releaseConsistency} publishers=${b.maintainerDepth} github=${b.githubBacking}`
-      );
+      const breakdown = isGo
+        ? clr(c.dim,
+            `  └ longevity=${b.longevity} releases=${b.releaseConsistency} ` +
+            `contributors=${b.maintainerDepth} github=${b.githubBacking} stars=${b.popularityProxy}`
+          )
+        : clr(c.dim,
+            `  └ longevity=${b.longevity} momentum=${b.downloadMomentum} ` +
+            `releases=${b.releaseConsistency} publishers=${b.maintainerDepth} github=${b.githubBacking}`
+          );
       console.log(breakdown);
     }
   }
@@ -138,24 +154,33 @@ function printHelp() {
 ${clr(c.bold, 'proof-of-commitment')} — supply chain risk scorer
 
 ${clr(c.bold, 'Usage:')}
-  npx proof-of-commitment [packages...]         Score npm packages
-  npx proof-of-commitment --pypi [pkgs...]      Score PyPI packages
-  npx proof-of-commitment --file package.json   Audit direct dependencies
-  npx proof-of-commitment --file package-lock.json  Audit ALL dependencies (lock file)
-  npx proof-of-commitment --file yarn.lock      Audit from yarn lock file
-  npx proof-of-commitment --file pnpm-lock.yaml Audit from pnpm lock file
-  npx proof-of-commitment --file requirements.txt  Audit Python packages
+  npx proof-of-commitment [packages...]              Score npm packages
+  npx proof-of-commitment --pypi [pkgs...]           Score PyPI packages
+  npx proof-of-commitment --cargo [crates...]        Score Rust crates
+  npx proof-of-commitment --golang [modules...]      Score Go modules (full path required)
+  npx proof-of-commitment --file package.json        Audit direct dependencies
+  npx proof-of-commitment --file package-lock.json   Audit ALL dependencies (lock file)
+  npx proof-of-commitment --file yarn.lock           Audit from yarn lock file
+  npx proof-of-commitment --file pnpm-lock.yaml      Audit from pnpm lock file
+  npx proof-of-commitment --file requirements.txt    Audit Python packages
+  npx proof-of-commitment --file Cargo.toml          Audit Rust direct dependencies
+  npx proof-of-commitment --file go.mod              Audit Go direct + indirect deps
+  npx proof-of-commitment --file go.sum              Audit Go full transitive set
 
 ${clr(c.bold, 'Options:')}
   --json        Output results as JSON (exits 1 if any CRITICAL found — useful in CI)
   --pypi        Score PyPI packages instead of npm
-  --file, -f    Read packages from package.json, lock file, or requirements.txt
+  --cargo       Score Rust crates from crates.io
+  --golang      Score Go modules from proxy.golang.org (use full path: github.com/owner/repo)
+  --file, -f    Read packages from package.json, lock file, requirements.txt, Cargo.toml, or go.mod/go.sum
 
 ${clr(c.bold, 'Examples:')}
   npx proof-of-commitment axios zod chalk
   npx proof-of-commitment --pypi litellm langchain requests
-  npx proof-of-commitment --file package.json
+  npx proof-of-commitment --cargo serde tokio reqwest
+  npx proof-of-commitment --golang github.com/gin-gonic/gin golang.org/x/net
   npx proof-of-commitment --file package-lock.json   # scans ALL transitive deps
+  npx proof-of-commitment --file go.sum              # scans full Go module graph
   npx proof-of-commitment axios chalk --json | jq '.criticalCount'
 
 ${clr(c.bold, 'Score meaning:')}
@@ -165,7 +190,8 @@ ${clr(c.bold, 'Score meaning:')}
   🟡 GOOD      Score 60–74
   🟢 HEALTHY   Score 75+
 
-${clr(c.bold, 'Score dimensions:')} longevity · download momentum · release consistency · publisher depth · GitHub backing
+${clr(c.bold, 'Score dimensions (npm/PyPI/Cargo):')} longevity · download momentum · release consistency · publisher depth · GitHub backing
+${clr(c.bold, 'Score dimensions (Go):')} longevity · release consistency · maintainer depth · GitHub backing · stars (Go has no centralized download counter)
 
 ${clr(c.bold, 'Web:')}  ${WEB}
 ${clr(c.bold, 'MCP:')}  ${clr(c.dim, 'Add to Claude Desktop / Cursor for AI-assisted auditing')}
@@ -274,7 +300,106 @@ async function readPackagesFromFile(filePath) {
     return { packages: pkgs, ecosystem: 'pypi', lockfile: false };
   }
 
-  throw new Error(`Unsupported file: ${basename}. Supported: package.json, package-lock.json, yarn.lock, pnpm-lock.yaml, requirements.txt`);
+  // Cargo.toml
+  if (basename === 'cargo.toml') {
+    // Crude TOML parse — extract [dependencies] section keys
+    const pkgs = parseCargoToml(content);
+    return { packages: pkgs, ecosystem: 'cargo', lockfile: false };
+  }
+
+  // go.mod — Go module file
+  if (basename === 'go.mod') {
+    const pkgs = parseGoMod(content);
+    return { packages: pkgs, ecosystem: 'golang', lockfile: false, totalInFile: pkgs.length };
+  }
+
+  // go.sum — Go module checksum file (lockfile-equivalent — captures full transitive set)
+  if (basename === 'go.sum') {
+    const pkgs = parseGoSum(content);
+    return { packages: pkgs, ecosystem: 'golang', lockfile: true, totalInFile: pkgs.length };
+  }
+
+  throw new Error(`Unsupported file: ${basename}. Supported: package.json, package-lock.json, yarn.lock, pnpm-lock.yaml, requirements.txt, Cargo.toml, go.mod, go.sum`);
+}
+
+/**
+ * Parse a Cargo.toml — extract direct deps from [dependencies] / [dev-dependencies].
+ * Crude — only handles the common "name = version" / "name = { ... }" lines under
+ * [dependencies] / [dev-dependencies]. Doesn't expand workspace members.
+ */
+function parseCargoToml(content) {
+  const pkgs = new Set();
+  const lines = content.split('\n');
+  let inDeps = false;
+  for (const raw of lines) {
+    const line = raw.trim();
+    if (line.startsWith('[')) {
+      inDeps = /^\[(dev-)?dependencies\]/.test(line);
+      continue;
+    }
+    if (!inDeps || !line || line.startsWith('#')) continue;
+    const match = line.match(/^([a-zA-Z0-9_-]+)\s*=/);
+    if (match) pkgs.add(match[1]);
+  }
+  return [...pkgs];
+}
+
+/**
+ * Parse a go.mod file — extract direct + indirect dependencies from require blocks.
+ * Format:
+ *   require (
+ *       github.com/gin-gonic/gin v1.9.1
+ *       golang.org/x/net v0.20.0 // indirect
+ *   )
+ *   require github.com/foo/bar v1.0.0
+ */
+function parseGoMod(content) {
+  const pkgs = new Set();
+  const lines = content.split('\n');
+  let inRequireBlock = false;
+
+  for (const raw of lines) {
+    const line = raw.trim();
+    if (!line || line.startsWith('//')) continue;
+
+    // Block-form require: "require ("
+    if (/^require\s*\(\s*$/.test(line)) {
+      inRequireBlock = true;
+      continue;
+    }
+    if (inRequireBlock && line === ')') {
+      inRequireBlock = false;
+      continue;
+    }
+
+    // Inside a block: "<modulepath> <version>" optionally followed by comments
+    if (inRequireBlock) {
+      const match = line.match(/^([^\s]+)\s+v[^\s]+/);
+      if (match) pkgs.add(match[1]);
+      continue;
+    }
+
+    // Single-line require: "require <modulepath> <version>"
+    const single = line.match(/^require\s+([^\s]+)\s+v[^\s]+/);
+    if (single) pkgs.add(single[1]);
+  }
+
+  return [...pkgs];
+}
+
+/**
+ * Parse a go.sum file — module path is the first column, version + suffix follow.
+ * Each module appears multiple times (once per artifact); dedupe.
+ */
+function parseGoSum(content) {
+  const pkgs = new Set();
+  for (const raw of content.split('\n')) {
+    const line = raw.trim();
+    if (!line) continue;
+    const match = line.match(/^([^\s]+)\s+v[^\s/]+/);
+    if (match) pkgs.add(match[1]);
+  }
+  return [...pkgs];
 }
 
 /**
@@ -340,6 +465,8 @@ async function main() {
     const a = args[i];
     if (a === '--pypi') { ecosystem = 'pypi'; i++; }
     else if (a === '--npm') { ecosystem = 'npm'; i++; }
+    else if (a === '--cargo') { ecosystem = 'cargo'; i++; }
+    else if (a === '--golang' || a === '--go') { ecosystem = 'golang'; i++; }
     else if (a === '--json') { jsonOutput = true; i++; }
     else if (a === '--file' || a === '-f') {
       filePath = args[++i];

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "proof-of-commitment",
-  "version": "1.4.0",
-  "description": "Supply chain risk scorer for npm and PyPI packages — behavioral signals that can't be faked",
+  "version": "1.6.0",
+  "description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
   "type": "module",
   "bin": {
     "proof-of-commitment": "./index.js",
@@ -17,6 +17,11 @@
     "security",
     "npm",
     "pypi",
+    "cargo",
+    "rust",
+    "golang",
+    "go",
+    "go-modules",
     "dependencies",
     "audit",
     "risk",