npm - proof-of-commitment - Versions diffs - 1.5.0 → 1.7.0 - Mend

proof-of-commitment 1.5.0 → 1.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -4,7 +4,7 @@
 > **Stars lie. Behavioral signals don't.**
-An MCP server and web tool that scores npm packages, PyPI packages, Rust crates, and GitHub repos on **behavioral commitment** — signals that are harder to fake than stars, READMEs, or download counts.
+An MCP server and web tool that scores npm packages, PyPI packages, Rust crates, Go modules, and GitHub repos on **behavioral commitment** — signals that are harder to fake than stars, READMEs, or download counts.
 ## The supply chain problem
@@ -40,10 +40,13 @@ npx proof-of-commitment --file pnpm-workspace.yaml  # pnpm workspaces
 npx proof-of-commitment --file package-lock.json --json | jq '.criticalCount'
 # PyPI too:
 npx proof-of-commitment --pypi litellm langchain requests
-# Cargo (Rust) via API:
-curl -s https://poc-backend.amdal-dev.workers.dev/api/audit \
-  -X POST -H "Content-Type: application/json" \
-  -d '{"packages":["serde","tokio","reqwest"],"ecosystem":"cargo"}'
+# Cargo (Rust) via CLI:
+npx proof-of-commitment --cargo serde tokio reqwest
+# Go modules via CLI (full module path required):
+npx proof-of-commitment --golang github.com/gin-gonic/gin golang.org/x/net
+# Or scan a go.mod / go.sum file directly:
+npx proof-of-commitment --file go.mod
+npx proof-of-commitment --file go.sum    # full transitive set
 ```
 **Web demo (no install):** [getcommit.dev/audit](https://getcommit.dev/audit) — paste your packages, see risk scores in seconds.
@@ -143,12 +146,13 @@ Grades: 🟢 OK (75+) · 🟠 WARNING (40–74) · 🔴 CRITICAL (<40 or sole np
 Badges are cached 1 hour. No API key needed.
-Also supports PyPI, Cargo, and the full ecosystem-specific format:
+Also supports PyPI, Cargo, Go modules, and the full ecosystem-specific format:
 ```markdown
 ![commit score](https://poc-backend.amdal-dev.workers.dev/api/badge/npm/YOUR-PACKAGE)
 ![commit score](https://poc-backend.amdal-dev.workers.dev/api/badge/pypi/YOUR-PACKAGE)
 ![commit score](https://poc-backend.amdal-dev.workers.dev/api/badge/cargo/YOUR-CRATE)
+![commit score](https://poc-backend.amdal-dev.workers.dev/api/badge/golang/github.com/owner/repo)
 ```
 ## REST API
@@ -183,14 +187,15 @@ curl https://poc-backend.amdal-dev.workers.dev/api/audit \
 }
 ```
-## 8 MCP tools
+## 9 MCP tools
 | Tool | Description |
 |------|-------------|
-| `audit_dependencies` | Batch risk audit for up to 20 npm/PyPI/Cargo packages |
+| `audit_dependencies` | Batch risk audit for up to 20 npm/PyPI/Cargo/Go packages |
 | `lookup_npm_package` | Single npm package behavioral profile |
 | `lookup_pypi_package` | Single PyPI package behavioral profile |
 | `lookup_cargo_crate` | Single Rust crate behavioral profile (crates.io) |
+| `lookup_go_module` | Single Go module behavioral profile (proxy.golang.org + GitHub) |
 | `lookup_github_repo` | GitHub repo commitment score (longevity, commit frequency, contributor depth) |
 | `lookup_business` | Norwegian business register — operating years, employees, financials |
 | `lookup_business_by_org` | Same, by org number |
@@ -249,7 +254,7 @@ Declarative signals (stars, README quality, CI badges) don't capture this risk.
 |-------|-----------|
 | Backend | Cloudflare Workers + D1 |
 | MCP | Model Context Protocol SDK |
-| Data | npm registry, PyPI, crates.io, GitHub API, Brønnøysund (NO) |
+| Data | npm registry, PyPI, crates.io, proxy.golang.org, deps.dev, GitHub API, Brønnøysund (NO) |
 | Landing | Astro + Cloudflare Pages |
 ## Roadmap
@@ -259,7 +264,7 @@ Planned, not promised. The project is early-stage — contributions welcome on a
 | Feature | Status | Notes |
 |---------|--------|-------|
 | **Cargo (Rust) registry support** | ✅ Live | MCP tool, REST API, badge endpoint — `ecosystem: "cargo"` |
-| **Go modules support** | Planned | pkg.go.dev API + GitHub backing score |
+| **Go modules support** | ✅ Live | proxy.golang.org + deps.dev + GitHub-primary scoring — `ecosystem: "golang"` |
 | **Score breakdown visualization** | Planned | Chart component for the 5 dimensions on getcommit.dev/audit |
 | **`--json` flag for CLI** | ✅ Live | `npx proof-of-commitment --file package-lock.json --json \| jq '.criticalCount'` |
 | **pnpm workspace monorepo support** | ✅ Live | `--file pnpm-workspace.yaml` or auto-detected from `pnpm-lock.yaml` |

package/index.js CHANGED Viewed

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 /**
- * proof-of-commitment CLI
- * Scores npm/PyPI packages on behavioral commitment signals.
+ * proof-of-commitment CLI v1.7.0
+ * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
  * Usage: npx proof-of-commitment [packages...] [options]
  */
@@ -20,6 +20,7 @@ const c = {
   white: '\x1b[37m',
   bgRed: '\x1b[41m',
   bgYellow: '\x1b[43m',
+  magenta: '\x1b[35m',
 };
 const NO_COLOR = process.env.NO_COLOR || !process.stdout.isTTY;
@@ -29,15 +30,20 @@ function clr(code, text) {
   return `${code}${text}${c.reset}`;
 }
+/** Check if riskFlags array contains a CRITICAL-level flag (handles both "CRITICAL" and "CRITICAL: ..." formats) */
+function hasCritical(flags) {
+  return flags && flags.some(f => typeof f === 'string' && f.startsWith('CRITICAL'));
+}
 function riskColor(flags, score) {
-  if (flags && flags.includes('CRITICAL')) return c.red + c.bold;
+  if (hasCritical(flags)) return c.red + c.bold;
   if (score < 40) return c.yellow + c.bold;
   if (score < 60) return c.yellow;
   return c.green;
 }
 function riskLabel(flags, score) {
-  if (flags && flags.includes('CRITICAL')) return '🔴 CRITICAL';
+  if (hasCritical(flags)) return '🔴 CRITICAL';
   if (score < 40) return '🟠 HIGH';
   if (score < 60) return '🟡 MODERATE';
   if (score < 75) return '🟡 GOOD';
@@ -57,20 +63,28 @@ function padEnd(str, len) {
 }
 function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
+  const isNpm = !results[0] || results[0].ecosystem !== 'golang';
   const COL = {
-    name: 20, risk: 14, score: 7, maintainers: 12, downloads: 12, age: 8,
+    name: 20, risk: 14, score: 7, maintainers: 12, downloads: 12, age: 8, provenance: 10,
   };
-  const header = [
+  const headerParts = [
     padEnd(clr(c.bold, 'Package'), COL.name),
     padEnd(clr(c.bold, 'Risk'), COL.risk),
     padEnd(clr(c.bold, 'Score'), COL.score),
     padEnd(clr(c.bold, 'Publishers'), COL.maintainers),
     padEnd(clr(c.bold, 'Downloads'), COL.downloads),
     padEnd(clr(c.bold, 'Age'), COL.age),
-  ].join('  ');
+  ];
-  const divider = '─'.repeat(COL.name + COL.risk + COL.score + COL.maintainers + COL.downloads + COL.age + 10);
+  // Show Provenance column for npm packages
+  if (isNpm) {
+    headerParts.push(padEnd(clr(c.bold, 'Provenance'), COL.provenance));
+  }
+  const header = headerParts.join('  ');
+  const divWidth = COL.name + COL.risk + COL.score + COL.maintainers + COL.downloads + COL.age + (isNpm ? COL.provenance + 2 : 0) + 10;
+  const divider = '─'.repeat(divWidth);
   console.log('\n' + divider);
   if (lockfile && totalScanned && results.length < totalScanned) {
@@ -81,25 +95,41 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
   console.log(divider);
   let criticalInDisplay = 0;
+  let provenanceCount = 0;
   for (const pkg of results) {
     const rc = riskColor(pkg.riskFlags, pkg.score);
     const label = riskLabel(pkg.riskFlags, pkg.score);
-    if (pkg.riskFlags && pkg.riskFlags.includes('CRITICAL')) criticalInDisplay++;
+    if (hasCritical(pkg.riskFlags)) criticalInDisplay++;
+    if (pkg.hasProvenance) provenanceCount++;
+    // Go modules have no download data
+    const isGo = pkg.ecosystem === 'golang';
+    const dlDisplay = isGo ? '—' : fmtDownloads(pkg.weeklyDownloads || 0);
+    const maintDisplay = pkg.maintainers === 35 ? '30+' : String(pkg.maintainers || '?');
-    const row = [
+    // Provenance indicator
+    const provDisplay = pkg.hasProvenance
+      ? clr(c.green, '🔐 verified')
+      : clr(c.dim, '—');
+    const rowParts = [
       padEnd(pkg.name, COL.name),
       padEnd(clr(rc, label), COL.risk),
       padEnd(String(pkg.score), COL.score),
-      padEnd(String(pkg.maintainers || '?'), COL.maintainers),
-      padEnd(fmtDownloads(pkg.weeklyDownloads || 0), COL.downloads),
+      padEnd(maintDisplay, COL.maintainers),
+      padEnd(dlDisplay, COL.downloads),
       padEnd((pkg.ageYears || '?').toString().replace(/(\.\d).*/, '$1') + 'y', COL.age),
-    ].join('  ');
+    ];
+    if (isNpm) {
+      rowParts.push(padEnd(provDisplay, COL.provenance));
+    }
-    console.log(row);
+    console.log(rowParts.join('  '));
     // Show GitHub contributor context for CRITICAL packages with active communities
-    if (pkg.riskFlags && pkg.riskFlags.includes('CRITICAL') && pkg.githubContributors && pkg.githubContributors > 1) {
+    if (hasCritical(pkg.riskFlags) && pkg.githubContributors && pkg.githubContributors > 1) {
       const ghCount = pkg.githubContributors === 35 ? '30+' : pkg.githubContributors;
       console.log(clr(c.dim, `  ↳ ${ghCount} GitHub contributors — publish-access concentration risk despite active community`));
     }
@@ -107,10 +137,16 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
     // Score breakdown if available
     if (pkg.scoreBreakdown) {
       const b = pkg.scoreBreakdown;
-      const breakdown = clr(c.dim,
-        `  └ longevity=${b.longevity} momentum=${b.downloadMomentum} ` +
-        `releases=${b.releaseConsistency} publishers=${b.maintainerDepth} github=${b.githubBacking}`
-      );
+      const breakdown = isGo
+        ? clr(c.dim,
+            `  └ longevity=${b.longevity} releases=${b.releaseConsistency} ` +
+            `contributors=${b.maintainerDepth} github=${b.githubBacking} stars=${b.popularityProxy}`
+          )
+        : clr(c.dim,
+            `  └ longevity=${b.longevity} momentum=${b.downloadMomentum} ` +
+            `releases=${b.releaseConsistency} publishers=${b.maintainerDepth} github=${b.githubBacking}` +
+            (b.trustedPublishing ? ` provenance=${b.trustedPublishing}` : '')
+          );
       console.log(breakdown);
     }
   }
@@ -122,76 +158,92 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
     const suffix = totalScanned ? ` (in ${totalScanned} packages scanned)` : '';
     console.log('\n' + clr(c.red + c.bold, `⚠  ${effectiveCritical} CRITICAL package${effectiveCritical > 1 ? 's' : ''} found${suffix}.`));
     console.log(clr(c.dim, '   CRITICAL = sole npm publisher + >10M weekly downloads (publish-access concentration risk)'));
+    if (provenanceCount > 0 && provenanceCount < results.length) {
+      console.log(clr(c.cyan, `   🔐 ${provenanceCount}/${results.length} use Trusted Publishing (OIDC provenance) — partial mitigation`));
+    }
   } else {
     const suffix = totalScanned ? ` (${totalScanned} packages scanned)` : '';
     console.log('\n' + clr(c.green, `✓  No CRITICAL packages found${suffix}.`));
   }
-  // Always show the web URL with top critical packages first
+  // Footer with web link + CI integration CTA
   const topPkgs = results.slice(0, 10).map(r => r.name).join(',');
-  console.log(clr(c.dim, `\n🔗 Web view: ${WEB}?packages=${encodeURIComponent(topPkgs)}`));
+  console.log(clr(c.cyan, `\n  🔗 Full report: ${WEB}?packages=${encodeURIComponent(topPkgs)}`));
+  console.log(clr(c.cyan, `  🤖 GitHub Action: github.com/piiiico/commit-action — block CRITICAL packages in CI`));
   console.log();
 }
 function printHelp() {
   console.log(`
-${clr(c.bold, 'proof-of-commitment')} — supply chain risk scorer
+${clr(c.bold, 'proof-of-commitment')} v1.7.0 — supply chain risk scorer
 ${clr(c.bold, 'Usage:')}
-  npx proof-of-commitment [packages...]         Score npm packages
-  npx proof-of-commitment --pypi [pkgs...]      Score PyPI packages
-  npx proof-of-commitment --file package.json   Audit direct dependencies
-  npx proof-of-commitment --file package-lock.json  Audit ALL dependencies (lock file)
-  npx proof-of-commitment --file yarn.lock      Audit from yarn lock file
-  npx proof-of-commitment --file pnpm-lock.yaml Audit from pnpm lock file
-  npx proof-of-commitment --file pnpm-workspace.yaml  Audit entire pnpm monorepo
-  npx proof-of-commitment --file requirements.txt  Audit Python packages
+  npx proof-of-commitment [packages...]              Score npm packages
+  npx proof-of-commitment --pypi [pkgs...]           Score PyPI packages
+  npx proof-of-commitment --cargo [crates...]        Score Rust crates
+  npx proof-of-commitment --golang [modules...]      Score Go modules (full path required)
+  npx proof-of-commitment --file package.json        Audit direct dependencies
+  npx proof-of-commitment --file package-lock.json   Audit ALL dependencies (lock file)
+  npx proof-of-commitment --file yarn.lock           Audit from yarn lock file
+  npx proof-of-commitment --file pnpm-lock.yaml      Audit from pnpm lock file
+  npx proof-of-commitment --file requirements.txt    Audit Python packages
+  npx proof-of-commitment --file Cargo.toml          Audit Rust direct dependencies
+  npx proof-of-commitment --file go.mod              Audit Go direct + indirect deps
+  npx proof-of-commitment --file go.sum              Audit Go full transitive set
 ${clr(c.bold, 'Options:')}
   --json        Output results as JSON (exits 1 if any CRITICAL found — useful in CI)
   --pypi        Score PyPI packages instead of npm
-  --file, -f    Read packages from package.json, lock file, pnpm-workspace.yaml, or requirements.txt
+  --cargo       Score Rust crates from crates.io
+  --golang      Score Go modules from proxy.golang.org (use full path: github.com/owner/repo)
+  --file, -f    Read packages from package.json, lock file, requirements.txt, Cargo.toml, or go.mod/go.sum
 ${clr(c.bold, 'Examples:')}
   npx proof-of-commitment axios zod chalk
   npx proof-of-commitment --pypi litellm langchain requests
-  npx proof-of-commitment --file package.json
+  npx proof-of-commitment --cargo serde tokio reqwest
+  npx proof-of-commitment --golang github.com/gin-gonic/gin golang.org/x/net
   npx proof-of-commitment --file package-lock.json   # scans ALL transitive deps
+  npx proof-of-commitment --file go.sum              # scans full Go module graph
   npx proof-of-commitment axios chalk --json | jq '.criticalCount'
 ${clr(c.bold, 'Score meaning:')}
-  🔴 CRITICAL  Sole npm publisher + >10M downloads/wk (publish-access concentration risk)
+  🔴 CRITICAL  Sole publisher + >10M downloads/wk (publish-access concentration risk)
   🟠 HIGH      Score < 40
   🟡 MODERATE  Score 40–59
   🟡 GOOD      Score 60–74
   🟢 HEALTHY   Score 75+
-${clr(c.bold, 'Score dimensions:')} longevity · download momentum · release consistency · publisher depth · GitHub backing
+${clr(c.bold, 'Provenance (npm):')}
+  🔐 verified  Package uses Trusted Publishing (OIDC provenance from CI — not a human credential)
+  —            No provenance attestation detected
+${clr(c.bold, 'Score dimensions (npm/PyPI/Cargo):')} longevity · download momentum · release consistency · publisher depth · GitHub backing · provenance
+${clr(c.bold, 'Score dimensions (Go):')} longevity · release consistency · maintainer depth · GitHub backing · stars
+${clr(c.bold, 'CI integration:')}
+  GitHub Action: ${clr(c.cyan, 'github.com/piiiico/commit-action')} — fails PRs on CRITICAL packages
+  MCP server:   Add to Claude Desktop / Cursor for AI-assisted auditing
 ${clr(c.bold, 'Web:')}  ${WEB}
-${clr(c.bold, 'MCP:')}  ${clr(c.dim, 'Add to Claude Desktop / Cursor for AI-assisted auditing')}
   `);
 }
 /**
  * Parse package-lock.json (npm lockfileVersion 2 or 3)
- * Returns all package names found in the lock file.
  */
 function parseLockNpm(content) {
   const lock = JSON.parse(content);
   const pkgs = new Set();
   if (lock.packages) {
-    // lockfileVersion 2+: keys are "node_modules/pkg" or "node_modules/@scope/pkg"
     for (const key of Object.keys(lock.packages)) {
-      if (!key || key === '') continue; // root package
-      // Strip "node_modules/" prefix, handle nested paths like "node_modules/foo/node_modules/bar"
+      if (!key || key === '') continue;
       const parts = key.split('node_modules/');
       const pkgPath = parts[parts.length - 1];
       if (pkgPath) pkgs.add(pkgPath);
     }
   } else if (lock.dependencies) {
-    // lockfileVersion 1: flat dependencies object
     for (const name of Object.keys(lock.dependencies)) {
       pkgs.add(name);
     }
@@ -202,11 +254,9 @@ function parseLockNpm(content) {
 /**
  * Parse yarn.lock (v1 format)
- * Returns all unique package names.
  */
 function parseLockYarn(content) {
   const pkgs = new Set();
-  // Each block starts with "name@version:" or "name@range1, name@range2:"
   const headerRe = /^"?(@?[^@\s"]+)@/gm;
   let match;
   while ((match = headerRe.exec(content)) !== null) {
@@ -217,11 +267,9 @@ function parseLockYarn(content) {
 /**
  * Parse pnpm-lock.yaml (v6+)
- * Returns all unique package names.
  */
 function parseLockPnpm(content) {
   const pkgs = new Set();
-  // packages section has entries like "  /chalk@5.3.0:" or "  chalk@5.3.0:"
   const pkgRe = /^\s+\/?(@?[^@\s/]+(?:\/[^@\s]+)?)@/gm;
   let match;
   while ((match = pkgRe.exec(content)) !== null) {
@@ -231,123 +279,73 @@ function parseLockPnpm(content) {
 }
 /**
- * Parse pnpm-workspace.yaml and resolve all workspace package dependencies.
- * Reads package.json from each workspace, merges deps, deduplicates.
- * Internal workspace packages are excluded from the audit list.
+ * Parse pnpm-workspace.yaml — find all workspace packages and aggregate their deps.
+ * Expects format:
+ *   packages:
+ *     - "packages/*"
+ *     - "apps/*"
  */
-async function parsePnpmWorkspace(filePath) {
+async function parsePnpmWorkspace(content, filePath) {
   const fs = await import('fs');
   const path = await import('path');
-  const content = fs.readFileSync(filePath, 'utf-8');
-  const dir = path.dirname(path.resolve(filePath));
+  const dir = path.dirname(filePath);
+  const pkgs = new Set();
-  // Parse packages list from YAML
-  // Format: "packages:\n  - 'apps/*'\n  - 'packages/*'"
+  // Extract glob patterns from YAML
   const patterns = [];
   const lines = content.split('\n');
   let inPackages = false;
-  for (const line of lines) {
-    if (/^packages\s*:/.test(line)) { inPackages = true; continue; }
-    if (inPackages) {
-      if (/^\s+-/.test(line)) {
-        const pattern = line.replace(/^\s+-\s*/, '').replace(/['"]/g, '').trim();
-        if (pattern) patterns.push(pattern);
-      } else if (/^\S/.test(line) && line.trim()) {
-        inPackages = false;
-      }
-    }
-  }
-  if (patterns.length === 0) {
-    throw new Error('No workspace packages found in pnpm-workspace.yaml');
-  }
-  // Split into includes and excludes
-  const excludes = patterns.filter(p => p.startsWith('!')).map(p => p.slice(1));
-  const includes = patterns.filter(p => !p.startsWith('!'));
-  // Resolve patterns to directories containing package.json
-  const workspaceDirs = [];
-  for (const pattern of includes) {
-    if (pattern.endsWith('/*') || pattern.endsWith('/**')) {
-      // Glob: 'apps/*' -> list all subdirectories of apps/
-      const parentDir = path.join(dir, pattern.replace(/\/\*\*?$/, ''));
-      try {
-        const entries = fs.readdirSync(parentDir, { withFileTypes: true });
-        for (const entry of entries) {
-          if (entry.isDirectory()) {
-            const fullPath = path.join(parentDir, entry.name);
-            const isExcluded = excludes.some(ex => fullPath.includes(ex) || entry.name === ex);
-            if (!isExcluded) workspaceDirs.push(fullPath);
-          }
-        }
-      } catch { /* directory doesn't exist — skip */ }
-    } else {
-      // Direct path: 'packages/shared'
-      const fullPath = path.join(dir, pattern);
-      try {
-        fs.statSync(fullPath);
-        workspaceDirs.push(fullPath);
-      } catch { /* doesn't exist — skip */ }
+  for (const raw of lines) {
+    const line = raw.trim();
+    if (line === 'packages:') { inPackages = true; continue; }
+    if (inPackages && line.startsWith('-')) {
+      const pattern = line.replace(/^-\s*["']?/, '').replace(/["']?\s*$/, '');
+      patterns.push(pattern);
+    } else if (inPackages && !line.startsWith('#') && line !== '') {
+      break;
     }
   }
-  // Collect workspace package names (to exclude from audit — they're internal)
-  const workspacePackageNames = new Set();
-  for (const wsDir of workspaceDirs) {
+  // For each pattern, look for package.json files
+  for (const pattern of patterns) {
+    const globDir = path.join(dir, pattern.replace('/*', '').replace('/**', ''));
     try {
-      const pkg = JSON.parse(fs.readFileSync(path.join(wsDir, 'package.json'), 'utf-8'));
-      if (pkg.name) workspacePackageNames.add(pkg.name);
-    } catch { /* no package.json — skip */ }
+      const entries = fs.readdirSync(globDir, { withFileTypes: true });
+      for (const entry of entries) {
+        if (!entry.isDirectory()) continue;
+        const pkgJsonPath = path.join(globDir, entry.name, 'package.json');
+        try {
+          const pkgContent = fs.readFileSync(pkgJsonPath, 'utf-8');
+          const pkg = JSON.parse(pkgContent);
+          const deps = { ...pkg.dependencies, ...pkg.devDependencies };
+          for (const name of Object.keys(deps)) pkgs.add(name);
+        } catch {}
+      }
+    } catch {}
   }
-  // Read root package.json + all workspace package.json files, merge deps
-  const allDeps = new Set();
-  let workspaceCount = 0;
-  // Root
+  // Also check root package.json
   try {
     const rootPkg = JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf-8'));
-    if (rootPkg.dependencies) Object.keys(rootPkg.dependencies).forEach(d => allDeps.add(d));
-    if (rootPkg.devDependencies) Object.keys(rootPkg.devDependencies).forEach(d => allDeps.add(d));
-  } catch { /* no root package.json */ }
-  // Workspaces
-  for (const wsDir of workspaceDirs) {
-    try {
-      const pkg = JSON.parse(fs.readFileSync(path.join(wsDir, 'package.json'), 'utf-8'));
-      if (pkg.dependencies) Object.keys(pkg.dependencies).forEach(d => allDeps.add(d));
-      if (pkg.devDependencies) Object.keys(pkg.devDependencies).forEach(d => allDeps.add(d));
-      workspaceCount++;
-    } catch { /* no package.json in workspace dir */ }
-  }
-  // Remove internal workspace packages from audit list
-  for (const name of workspacePackageNames) {
-    allDeps.delete(name);
-  }
+    const deps = { ...rootPkg.dependencies, ...rootPkg.devDependencies };
+    for (const name of Object.keys(deps)) pkgs.add(name);
+  } catch {}
-  return {
-    packages: [...allDeps],
-    ecosystem: 'npm',
-    lockfile: false,
-    totalInFile: allDeps.size,
-    workspaceCount,
-  };
+  return [...pkgs];
 }
 async function readPackagesFromFile(filePath) {
   const fs = await import('fs');
   const path = await import('path');
+  const content = fs.readFileSync(filePath, 'utf-8');
   const basename = path.basename(filePath).toLowerCase();
-  // pnpm-workspace.yaml — monorepo workspace scanner
+  // pnpm-workspace.yaml
   if (basename === 'pnpm-workspace.yaml' || basename === 'pnpm-workspace.yml') {
-    return parsePnpmWorkspace(filePath);
+    const pkgs = await parsePnpmWorkspace(content, filePath);
+    return { packages: pkgs, ecosystem: 'npm', lockfile: false, totalInFile: pkgs.length };
   }
-  const content = fs.readFileSync(filePath, 'utf-8');
   // package-lock.json
   if (basename === 'package-lock.json') {
     const pkgs = parseLockNpm(content);
@@ -360,20 +358,8 @@ async function readPackagesFromFile(filePath) {
     return { packages: pkgs, ecosystem: 'npm', lockfile: true, totalInFile: pkgs.length };
   }
-  // pnpm-lock.yaml — also check for workspace file to give better detection
+  // pnpm-lock.yaml
   if (basename === 'pnpm-lock.yaml' || basename === 'pnpm-lock.yml') {
-    const dir = path.dirname(path.resolve(filePath));
-    const workspaceFile = path.join(dir, 'pnpm-workspace.yaml');
-    let hasWorkspace = false;
-    try { fs.statSync(workspaceFile); hasWorkspace = true; } catch {}
-    if (hasWorkspace) {
-      // Monorepo detected — use workspace-aware parsing
-      const result = await parsePnpmWorkspace(workspaceFile);
-      result.monorepoDetected = true;
-      return result;
-    }
     const pkgs = parseLockPnpm(content);
     return { packages: pkgs, ecosystem: 'npm', lockfile: true, totalInFile: pkgs.length };
   }
@@ -399,12 +385,97 @@ async function readPackagesFromFile(filePath) {
     return { packages: pkgs, ecosystem: 'pypi', lockfile: false };
   }
-  throw new Error(`Unsupported file: ${basename}. Supported: package.json, package-lock.json, yarn.lock, pnpm-lock.yaml, pnpm-workspace.yaml, requirements.txt`);
+  // Cargo.toml
+  if (basename === 'cargo.toml') {
+    const pkgs = parseCargoToml(content);
+    return { packages: pkgs, ecosystem: 'cargo', lockfile: false };
+  }
+  // go.mod
+  if (basename === 'go.mod') {
+    const pkgs = parseGoMod(content);
+    return { packages: pkgs, ecosystem: 'golang', lockfile: false, totalInFile: pkgs.length };
+  }
+  // go.sum
+  if (basename === 'go.sum') {
+    const pkgs = parseGoSum(content);
+    return { packages: pkgs, ecosystem: 'golang', lockfile: true, totalInFile: pkgs.length };
+  }
+  throw new Error(`Unsupported file: ${basename}. Supported: package.json, package-lock.json, yarn.lock, pnpm-lock.yaml, pnpm-workspace.yaml, requirements.txt, Cargo.toml, go.mod, go.sum`);
+}
+/**
+ * Parse Cargo.toml
+ */
+function parseCargoToml(content) {
+  const pkgs = new Set();
+  const lines = content.split('\n');
+  let inDeps = false;
+  for (const raw of lines) {
+    const line = raw.trim();
+    if (line.startsWith('[')) {
+      inDeps = /^\[(dev-)?dependencies\]/.test(line);
+      continue;
+    }
+    if (!inDeps || !line || line.startsWith('#')) continue;
+    const match = line.match(/^([a-zA-Z0-9_-]+)\s*=/);
+    if (match) pkgs.add(match[1]);
+  }
+  return [...pkgs];
+}
+/**
+ * Parse go.mod
+ */
+function parseGoMod(content) {
+  const pkgs = new Set();
+  const lines = content.split('\n');
+  let inRequireBlock = false;
+  for (const raw of lines) {
+    const line = raw.trim();
+    if (!line || line.startsWith('//')) continue;
+    if (/^require\s*\(\s*$/.test(line)) {
+      inRequireBlock = true;
+      continue;
+    }
+    if (inRequireBlock && line === ')') {
+      inRequireBlock = false;
+      continue;
+    }
+    if (inRequireBlock) {
+      const match = line.match(/^([^\s]+)\s+v[^\s]+/);
+      if (match) pkgs.add(match[1]);
+      continue;
+    }
+    const single = line.match(/^require\s+([^\s]+)\s+v[^\s]+/);
+    if (single) pkgs.add(single[1]);
+  }
+  return [...pkgs];
+}
+/**
+ * Parse go.sum
+ */
+function parseGoSum(content) {
+  const pkgs = new Set();
+  for (const raw of content.split('\n')) {
+    const line = raw.trim();
+    if (!line) continue;
+    const match = line.match(/^([^\s]+)\s+v[^\s/]+/);
+    if (match) pkgs.add(match[1]);
+  }
+  return [...pkgs];
 }
 /**
  * Audit packages in batches of 20, in parallel.
- * Returns all results sorted by risk score (highest risk first).
  */
 async function auditBatched(packages, ecosystem, { onProgress } = {}) {
   const BATCH_SIZE = 20;
@@ -434,10 +505,10 @@ async function auditBatched(packages, ecosystem, { onProgress } = {}) {
   const all = results.flat();
-  // Sort: CRITICAL first, then by score ascending (lower score = higher risk)
+  // Sort: CRITICAL first, then by score ascending
   all.sort((a, b) => {
-    const aCrit = a.riskFlags?.includes('CRITICAL') ? 1 : 0;
-    const bCrit = b.riskFlags?.includes('CRITICAL') ? 1 : 0;
+    const aCrit = hasCritical(a.riskFlags) ? 1 : 0;
+    const bCrit = hasCritical(b.riskFlags) ? 1 : 0;
     if (aCrit !== bCrit) return bCrit - aCrit;
     return (a.score || 100) - (b.score || 100);
   });
@@ -465,6 +536,8 @@ async function main() {
     const a = args[i];
     if (a === '--pypi') { ecosystem = 'pypi'; i++; }
     else if (a === '--npm') { ecosystem = 'npm'; i++; }
+    else if (a === '--cargo') { ecosystem = 'cargo'; i++; }
+    else if (a === '--golang' || a === '--go') { ecosystem = 'golang'; i++; }
     else if (a === '--json') { jsonOutput = true; i++; }
     else if (a === '--file' || a === '-f') {
       filePath = args[++i];
@@ -484,14 +557,7 @@ async function main() {
       ecosystem = result.ecosystem;
       isLockfile = result.lockfile || false;
       totalInFile = result.totalInFile || packages.length;
-      if (result.workspaceCount) {
-        if (!jsonOutput) console.log(clr(c.dim, `Monorepo: ${result.workspaceCount} workspace${result.workspaceCount > 1 ? 's' : ''} → ${totalInFile} unique external dependencies (${ecosystem})`));
-        if (result.monorepoDetected && !jsonOutput) {
-          console.log(clr(c.dim, `  (auto-detected pnpm-workspace.yaml next to ${filePath})`));
-        }
-      } else {
-        if (!jsonOutput) console.log(clr(c.dim, `Detected ${totalInFile} packages from ${filePath} (${ecosystem})`));
-      }
+      if (!jsonOutput) console.log(clr(c.dim, `Detected ${totalInFile} packages from ${filePath} (${ecosystem})`));
     } catch (err) {
       console.error(`Error reading ${filePath}: ${err.message}`);
       process.exit(1);
@@ -508,7 +574,6 @@ async function main() {
   let allResults;
   if (packages.length <= 20) {
-    // Single batch — existing behavior
     if (!jsonOutput) process.stdout.write(clr(c.dim, `Scoring ${packages.length} ${ecosystem} package${packages.length > 1 ? 's' : ''}...`));
     try {
@@ -532,7 +597,6 @@ async function main() {
     if (!jsonOutput) process.stdout.write(clr(c.dim, ` done in ${elapsed}s\n`));
   } else {
-    // Multi-batch for lock files
     const batches = Math.ceil(packages.length / 20);
     if (!jsonOutput) process.stdout.write(clr(c.dim, `Scanning ${packages.length} packages (${batches} batches in parallel)...`));
@@ -555,28 +619,29 @@ async function main() {
     const elapsed = ((Date.now() - t0) / 1000).toFixed(1);
     if (!jsonOutput) process.stdout.write(clr(c.dim, ` done in ${elapsed}s\n`));
-    // JSON output: emit all results with summary
     if (jsonOutput) {
-      const criticalCount = allResults.filter(r => r.riskFlags?.includes('CRITICAL')).length;
+      const criticalCount = allResults.filter(r => hasCritical(r.riskFlags)).length;
+      const provenanceCount = allResults.filter(r => r.hasProvenance).length;
       console.log(JSON.stringify({
         totalScanned: allResults.length,
         criticalCount,
+        provenanceCount,
         results: allResults,
       }, null, 2));
       process.exit(criticalCount > 0 ? 1 : 0);
     }
-    // For lock files: show top 25 highest-risk packages
+    // Lock files: show top 25 highest-risk
     const MAX_DISPLAY = 25;
     const displayed = allResults.slice(0, MAX_DISPLAY);
-    const criticalTotal = allResults.filter(r => r.riskFlags?.includes('CRITICAL')).length;
+    const criticalTotal = allResults.filter(r => hasCritical(r.riskFlags)).length;
     printTable(displayed, { totalScanned: allResults.length, totalCritical: criticalTotal, lockfile: true });
     return;
   }
   if (!allResults || allResults.length === 0) {
     if (jsonOutput) {
-      console.log(JSON.stringify({ totalScanned: 0, criticalCount: 0, results: [] }, null, 2));
+      console.log(JSON.stringify({ totalScanned: 0, criticalCount: 0, provenanceCount: 0, results: [] }, null, 2));
     } else {
       console.log('No results returned. Check package names and try again.');
     }
@@ -584,10 +649,12 @@ async function main() {
   }
   if (jsonOutput) {
-    const criticalCount = allResults.filter(r => r.riskFlags?.includes('CRITICAL')).length;
+    const criticalCount = allResults.filter(r => hasCritical(r.riskFlags)).length;
+    const provenanceCount = allResults.filter(r => r.hasProvenance).length;
     console.log(JSON.stringify({
       totalScanned: allResults.length,
       criticalCount,
+      provenanceCount,
       results: allResults,
     }, null, 2));
     process.exit(criticalCount > 0 ? 1 : 0);

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "proof-of-commitment",
-  "version": "1.5.0",
-  "description": "Supply chain risk scorer for npm, PyPI, and Cargo packages — behavioral signals that can't be faked",
+  "version": "1.7.0",
+  "description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
   "type": "module",
   "bin": {
     "proof-of-commitment": "./index.js",
@@ -19,16 +19,18 @@
     "pypi",
     "cargo",
     "rust",
-    "pnpm",
-    "monorepo",
-    "workspace",
+    "golang",
+    "go",
+    "go-modules",
     "dependencies",
     "audit",
     "risk",
     "behavioral",
     "commitment",
     "maintainer",
-    "publisher"
+    "publisher",
+    "provenance",
+    "trusted-publishing"
   ],
   "author": "piiiico",
   "license": "MIT",