proof-of-commitment 1.8.1 → 1.10.0

package/README.md

@@ -51,6 +51,28 @@ npx proof-of-commitment --file go.sum    # full transitive set
 
 **Web demo (no install):** [getcommit.dev/audit](https://getcommit.dev/audit) — paste your packages, see risk scores in seconds.
 
+**Commit Pro — daily monitoring + alerts (v1.9.0):**
+```bash
+# Install once, then use the `poc` alias:
+npm install -g proof-of-commitment
+
+# Add packages to daily monitoring (requires Pro API key):
+poc watch chalk
+poc watch requests --ecosystem pypi
+poc watch serde --ecosystem cargo
+
+# View your watchlist with current scores:
+poc watchlist
+
+# Remove a package:
+poc unwatch chalk
+
+# API key: set COMMIT_API_KEY env or add api_key=<key> to ~/.commit/config
+# Get a key at https://getcommit.dev/pricing
+```
+
+Alerts fire on: score drop ≥10 points · package crosses CRITICAL threshold · recovery to HEALTHY.
+
 **MCP server (zero install):**
 
 ```json

package/index.js

@@ -1,11 +1,13 @@
 #!/usr/bin/env node
 /**
- * proof-of-commitment CLI v1.8.1
+ * proof-of-commitment CLI v1.10.0
  * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
  * Usage: npx proof-of-commitment [packages...] [options]
  */
 
 const API = 'https://poc-backend.amdal-dev.workers.dev/api/audit';
+const KEYS_API = 'https://poc-backend.amdal-dev.workers.dev/api/keys';
+const WATCHLIST_API = 'https://poc-backend.amdal-dev.workers.dev/api/watchlist';
 const WEB = 'https://getcommit.dev/audit';
 
 // ANSI color helpers
@@ -25,6 +27,16 @@ const c = {
 
 const NO_COLOR = process.env.NO_COLOR || !process.stdout.isTTY;
 
+// Synchronous API key check for upsell messaging (avoids async in printTable)
+let _cachedHasKey = false;
+try {
+  const _os = await import('os');
+  const _fs = await import('fs');
+  const _path = await import('path');
+  const _cfg = _fs.readFileSync(_path.join(_os.homedir(), '.commit', 'config'), 'utf-8');
+  _cachedHasKey = /^api_key\s*=\s*.+$/m.test(_cfg);
+} catch {}
+
 function clr(code, text) {
   if (NO_COLOR) return text;
   return `${code}${text}${c.reset}`;
@@ -173,15 +185,23 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
 
   // Contextual upsell — show when findings make monitoring relevant
   if (effectiveCritical > 0) {
-    console.log(clr(c.dim, `\n  📊 Track ${effectiveCritical === 1 ? 'this package' : 'these packages'} daily. Get alerted on score changes.`));
-    console.log(clr(c.dim, `     Commit Pro — batch API, monitoring, alerts → https://getcommit.dev/pricing`));
+    // Check for API key synchronously via env (fast path)
+    const hasKey = !!process.env.COMMIT_API_KEY || _cachedHasKey;
+    if (hasKey) {
+      console.log(clr(c.dim, `\n  📊 Monitor ${effectiveCritical === 1 ? 'this package' : 'these packages'}: `) +
+        clr(c.cyan, `poc watch ${results.find(r => hasCritical(r.riskFlags))?.name || results[0]?.name}`));
+    } else {
+      console.log(clr(c.dim, `\n  📊 Monitor ${effectiveCritical === 1 ? 'this' : 'these ' + effectiveCritical} CRITICAL ${effectiveCritical === 1 ? 'package' : 'packages'} — get alerted when scores change.`));
+      console.log(clr(c.dim, '     Get a free API key: ') + clr(c.cyan, 'https://getcommit.dev/get-started'));
+      console.log(clr(c.dim, '     Then run: ') + clr(c.cyan, 'poc login'));
+    }
   }
   console.log();
 }
 
 function printHelp() {
   console.log(`
-${clr(c.bold, 'proof-of-commitment')} v1.8.1 — supply chain risk scorer
+${clr(c.bold, 'proof-of-commitment')} v1.10.0 — supply chain risk scorer
 
 ${clr(c.bold, 'Usage:')}
   npx proof-of-commitment                            Auto-detect manifest in current dir
@@ -198,6 +218,20 @@ ${clr(c.bold, 'Usage:')}
   npx proof-of-commitment --file go.mod              Audit Go direct + indirect deps
   npx proof-of-commitment --file go.sum              Audit Go full transitive set
 
+${clr(c.bold, 'Account:')}
+  poc login [key]     Save and validate your API key (interactive or direct)
+  poc status          Show current tier, usage, and limits
+  poc logout          Remove saved API key
+
+${clr(c.bold, 'Monitoring (Pro):')}
+  poc watch <package> [--ecosystem npm|pypi|cargo|golang]
+                      Add a package to daily monitoring
+  poc watchlist       List monitored packages with current scores + risk
+  poc unwatch <pkg>   Remove a package from monitoring
+
+  Get a free key: https://getcommit.dev/get-started
+  Upgrade to Pro:  https://getcommit.dev/pricing
+
 ${clr(c.bold, 'Options:')}
   --json              Output results as JSON
   --fail-on=<level>   Exit 1 when findings meet the threshold. Levels:
@@ -616,6 +650,351 @@ function shouldFail(results, failOn) {
   return false;
 }
 
+/**
+ * Read API key from env or ~/.commit/config file.
+ * Returns the key string, or null if not found.
+ */
+async function readApiKey() {
+  if (process.env.COMMIT_API_KEY) return process.env.COMMIT_API_KEY.trim();
+  try {
+    const os = await import('os');
+    const fs = await import('fs');
+    const path = await import('path');
+    const configPath = path.join(os.homedir(), '.commit', 'config');
+    const content = fs.readFileSync(configPath, 'utf-8');
+    for (const line of content.split('\n')) {
+      const m = line.match(/^api_key\s*=\s*(.+)$/);
+      if (m) return m[1].trim();
+    }
+  } catch {}
+  return null;
+}
+
+/**
+ * Write API key to ~/.commit/config, creating dir if needed.
+ */
+async function writeApiKey(key) {
+  const os = await import('os');
+  const fs = await import('fs');
+  const path = await import('path');
+  const dir = path.join(os.homedir(), '.commit');
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+
+  const configPath = path.join(dir, 'config');
+  let lines = [];
+  try {
+    lines = fs.readFileSync(configPath, 'utf-8').split('\n');
+  } catch {}
+
+  // Replace existing api_key line or append
+  let found = false;
+  lines = lines.map(l => {
+    if (/^api_key\s*=/.test(l)) { found = true; return `api_key = ${key}`; }
+    return l;
+  });
+  if (!found) lines.push(`api_key = ${key}`);
+
+  fs.writeFileSync(configPath, lines.filter(l => l !== '').join('\n') + '\n');
+  return configPath;
+}
+
+/**
+ * Remove API key from ~/.commit/config.
+ */
+async function removeApiKey() {
+  const os = await import('os');
+  const fs = await import('fs');
+  const path = await import('path');
+  const configPath = path.join(os.homedir(), '.commit', 'config');
+  try {
+    const content = fs.readFileSync(configPath, 'utf-8');
+    const filtered = content.split('\n').filter(l => !/^api_key\s*=/.test(l)).join('\n');
+    fs.writeFileSync(configPath, filtered.trim() ? filtered.trim() + '\n' : '');
+    return true;
+  } catch { return false; }
+}
+
+/**
+ * Validate an API key against the usage endpoint. Returns tier info or null.
+ */
+async function validateApiKey(key) {
+  try {
+    const res = await fetch(`${KEYS_API}/usage`, {
+      headers: { 'Authorization': `Bearer ${key}` },
+    });
+    if (!res.ok) return null;
+    return await res.json();
+  } catch { return null; }
+}
+
+/**
+ * poc login [key] — save and validate API key
+ */
+async function cmdLogin(keyArg) {
+  let key = keyArg;
+
+  if (!key) {
+    // Check if stdin has data (piped input)
+    const { createInterface } = await import('readline');
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    key = await new Promise(resolve => {
+      rl.question(clr(c.dim, '  Enter your API key: '), answer => {
+        rl.close();
+        resolve(answer.trim());
+      });
+    });
+  }
+
+  if (!key || !key.startsWith('sk_commit_')) {
+    console.error(clr(c.red, '\n  Invalid API key format. Keys start with sk_commit_'));
+    console.error(clr(c.dim, '  Get one at https://getcommit.dev/get-started\n'));
+    process.exit(1);
+  }
+
+  process.stdout.write(clr(c.dim, '  Validating...'));
+  const info = await validateApiKey(key);
+
+  if (!info || info.error) {
+    console.error(clr(c.red, ' ✗ Invalid or expired API key.'));
+    console.error(clr(c.dim, `  ${info?.message || 'Key not recognized.'}`));
+    process.exit(1);
+  }
+
+  const configPath = await writeApiKey(key);
+  console.log(clr(c.green, ' ✓ Authenticated'));
+  console.log();
+  console.log(clr(c.bold, `  Tier:     `) + tierLabel(info.tier));
+  console.log(clr(c.bold, `  Usage:    `) + `${info.requests_used ?? 0}/${info.requests_limit ?? '?'} requests (${info.period || 'daily'})`);
+  console.log(clr(c.bold, `  Resets:   `) + (info.period_reset_at || '—'));
+  console.log(clr(c.dim, `  Saved to: ${configPath}`));
+  console.log();
+
+  if (info.tier === 'pro' || info.tier === 'enterprise') {
+    console.log(clr(c.cyan, '  Pro features unlocked:'));
+    console.log(clr(c.dim, '    poc watch <package>    Add a package to daily monitoring'));
+    console.log(clr(c.dim, '    poc watchlist          View monitored packages'));
+    console.log(clr(c.dim, '    poc unwatch <package>  Remove from monitoring'));
+  } else {
+    console.log(clr(c.dim, '  Upgrade to Pro for monitoring + alerts: https://getcommit.dev/pricing'));
+  }
+  console.log();
+}
+
+/**
+ * poc status — show current auth + usage
+ */
+async function cmdStatus() {
+  const key = await readApiKey();
+
+  if (!key) {
+    console.log(clr(c.dim, '\n  Not logged in.'));
+    console.log(clr(c.dim, '  Run ') + clr(c.cyan, 'poc login') + clr(c.dim, ' to authenticate.'));
+    console.log(clr(c.dim, '  Get a free key at https://getcommit.dev/get-started\n'));
+    return;
+  }
+
+  process.stdout.write(clr(c.dim, '  Checking...'));
+  const info = await validateApiKey(key);
+
+  if (!info || info.error) {
+    console.error(clr(c.red, ' ✗ Key invalid or expired.'));
+    console.error(clr(c.dim, '  Run ') + clr(c.cyan, 'poc login') + clr(c.dim, ' to re-authenticate.\n'));
+    process.exit(1);
+  }
+
+  console.log(clr(c.green, ' ✓ Connected'));
+  console.log();
+  console.log(clr(c.bold, `  Tier:     `) + tierLabel(info.tier));
+  console.log(clr(c.bold, `  Usage:    `) + `${info.requests_used ?? 0}/${info.requests_limit ?? '?'} requests (${info.period || 'daily'})`);
+  console.log(clr(c.bold, `  Resets:   `) + (info.period_reset_at || '—'));
+  console.log(clr(c.bold, `  Prefix:   `) + (info.key_prefix || key.slice(0, 19) + '...'));
+  console.log();
+
+  if (info.tier === 'free') {
+    const pct = info.requests_limit > 0 ? Math.round((info.requests_used / info.requests_limit) * 100) : 0;
+    if (pct >= 80) {
+      console.log(clr(c.yellow, `  ⚠ ${pct}% of daily limit used. Upgrade for 10K/month: https://getcommit.dev/pricing`));
+    }
+  }
+}
+
+/**
+ * poc logout — remove saved API key
+ */
+async function cmdLogout() {
+  const removed = await removeApiKey();
+  if (removed) {
+    console.log(clr(c.green, '\n  ✓ Logged out. API key removed from ~/.commit/config.'));
+  } else {
+    console.log(clr(c.dim, '\n  No saved API key found.'));
+  }
+  console.log();
+}
+
+function tierLabel(tier) {
+  if (tier === 'pro') return clr(c.cyan + c.bold, 'Pro');
+  if (tier === 'enterprise') return clr(c.magenta + c.bold, 'Enterprise');
+  if (tier === 'developer') return clr(c.green + c.bold, 'Developer');
+  return clr(c.dim, 'Free');
+}
+
+/**
+ * Handle 402 upgrade response from watchlist endpoints.
+ */
+function printUpgradeRequired() {
+  console.error(clr(c.yellow + c.bold, '\n  ✦ Commit Pro required'));
+  console.error(clr(c.dim, '    Monitoring, daily scans, and alerts are Pro features.'));
+  console.error(clr(c.cyan, '    Upgrade at https://getcommit.dev/pricing\n'));
+}
+
+/**
+ * poc watch <package> [--ecosystem npm|pypi|cargo|golang]
+ */
+async function cmdWatch(pkg, ecosystem) {
+  const key = await readApiKey();
+  if (!key) {
+    console.error(clr(c.red, 'No API key found. Set COMMIT_API_KEY or add api_key=<key> to ~/.commit/config'));
+    console.error(clr(c.dim, 'Get a key at https://getcommit.dev/pricing'));
+    process.exit(1);
+  }
+
+  process.stdout.write(clr(c.dim, `Adding ${pkg} (${ecosystem}) to watchlist...`));
+  const res = await fetch(WATCHLIST_API, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'Authorization': `Bearer ${key}` },
+    body: JSON.stringify({ package: pkg, ecosystem }),
+  });
+
+  if (res.status === 402) { printUpgradeRequired(); process.exit(1); }
+
+  const data = await res.json();
+  if (!res.ok) {
+    console.error(`\n${clr(c.red, 'Error:')} ${data.message || JSON.stringify(data)}`);
+    process.exit(1);
+  }
+
+  const isNew = data.new_packages > 0;
+  process.stdout.write('\n');
+  if (isNew) {
+    console.log(clr(c.green, `  ✓ Now watching ${pkg}`));
+    console.log(clr(c.dim, '    Daily scan runs at 06:00 UTC. Alerts on score drop ≥10 or CRITICAL threshold.'));
+  } else {
+    console.log(clr(c.dim, `  ↩ ${pkg} is already in your watchlist`));
+  }
+}
+
+/**
+ * poc watchlist — show monitored packages table
+ */
+async function cmdWatchlist() {
+  const key = await readApiKey();
+  if (!key) {
+    console.error(clr(c.red, 'No API key found. Set COMMIT_API_KEY or add api_key=<key> to ~/.commit/config'));
+    process.exit(1);
+  }
+
+  const res = await fetch(WATCHLIST_API, {
+    headers: { 'Authorization': `Bearer ${key}` },
+  });
+
+  if (res.status === 402) { printUpgradeRequired(); process.exit(1); }
+
+  const data = await res.json();
+  if (!res.ok) {
+    console.error(clr(c.red, `Error: ${data.message || JSON.stringify(data)}`));
+    process.exit(1);
+  }
+
+  const pkgs = data.packages || [];
+  if (pkgs.length === 0) {
+    console.log(clr(c.dim, '\n  No packages monitored yet.'));
+    console.log(clr(c.dim, '  Add one: poc watch <package>\n'));
+    return;
+  }
+
+  const COL = { name: 24, eco: 8, score: 7, prev: 7, risk: 14, scanned: 22 };
+
+  function riskLabelFromLevel(level) {
+    if (!level) return clr(c.dim, '—');
+    if (level === 'CRITICAL') return clr(c.red + c.bold, '🔴 CRITICAL');
+    if (level === 'HIGH') return clr(c.yellow + c.bold, '🟠 HIGH');
+    if (level === 'MODERATE') return clr(c.yellow, '🟡 MODERATE');
+    if (level === 'GOOD') return clr(c.yellow, '🟡 GOOD');
+    return clr(c.green, '🟢 HEALTHY');
+  }
+
+  const header = [
+    padEnd(clr(c.bold, 'Package'), COL.name),
+    padEnd(clr(c.bold, 'Eco'), COL.eco),
+    padEnd(clr(c.bold, 'Score'), COL.score),
+    padEnd(clr(c.bold, 'Prev'), COL.prev),
+    padEnd(clr(c.bold, 'Risk'), COL.risk),
+    padEnd(clr(c.bold, 'Last scanned'), COL.scanned),
+  ].join('  ');
+
+  const divWidth = COL.name + COL.eco + COL.score + COL.prev + COL.risk + COL.scanned + 10;
+  const divider = '─'.repeat(divWidth);
+
+  console.log('\n' + divider);
+  console.log(clr(c.dim, `  Commit Pro watchlist · ${pkgs.length}/${data.limit} packages · tier: ${data.tier}`));
+  console.log(divider);
+  console.log(header);
+  console.log(divider);
+
+  for (const pkg of pkgs) {
+    const scoreStr = pkg.current_score !== null ? String(pkg.current_score) : clr(c.dim, '—');
+    const prevStr = pkg.previous_score !== null ? String(pkg.previous_score) : clr(c.dim, '—');
+    const scanned = pkg.last_scanned_at ? pkg.last_scanned_at.replace('T', ' ').slice(0, 19) + ' UTC' : clr(c.dim, 'not yet');
+
+    const row = [
+      padEnd(pkg.name, COL.name),
+      padEnd(pkg.ecosystem, COL.eco),
+      padEnd(scoreStr, COL.score),
+      padEnd(prevStr, COL.prev),
+      padEnd(riskLabelFromLevel(pkg.risk_level), COL.risk),
+      padEnd(scanned, COL.scanned),
+    ].join('  ');
+    console.log(row);
+  }
+
+  console.log(divider);
+  console.log(clr(c.dim, '\n  Alerts sent on: score drop ≥10 · CRITICAL threshold · recovery to HEALTHY'));
+  console.log(clr(c.cyan, '  Remove a package: poc unwatch <package>\n'));
+}
+
+/**
+ * poc unwatch <package> [--ecosystem npm|pypi|cargo|golang]
+ */
+async function cmdUnwatch(pkg, ecosystem) {
+  const key = await readApiKey();
+  if (!key) {
+    console.error(clr(c.red, 'No API key found. Set COMMIT_API_KEY or add api_key=<key> to ~/.commit/config'));
+    process.exit(1);
+  }
+
+  process.stdout.write(clr(c.dim, `Removing ${pkg} (${ecosystem}) from watchlist...`));
+  const res = await fetch(WATCHLIST_API, {
+    method: 'DELETE',
+    headers: { 'Content-Type': 'application/json', 'Authorization': `Bearer ${key}` },
+    body: JSON.stringify({ package: pkg, ecosystem }),
+  });
+
+  if (res.status === 402) { printUpgradeRequired(); process.exit(1); }
+
+  const data = await res.json();
+  if (!res.ok) {
+    console.error(`\n${clr(c.red, 'Error:')} ${data.message || JSON.stringify(data)}`);
+    process.exit(1);
+  }
+
+  process.stdout.write('\n');
+  if ((data.removed ?? 0) > 0) {
+    console.log(clr(c.green, `  ✓ Removed ${pkg} from watchlist`));
+  } else {
+    console.log(clr(c.dim, `  ${pkg} was not in your watchlist`));
+  }
+}
+
 async function main() {
   const args = process.argv.slice(2);
 
@@ -624,6 +1003,58 @@ async function main() {
     process.exit(0);
   }
 
+  // Subcommands
+  const subcmd = args[0];
+
+  if (subcmd === 'login') {
+    const keyArg = args[1] || null;
+    await cmdLogin(keyArg);
+    process.exit(0);
+  }
+
+  if (subcmd === 'status') {
+    await cmdStatus();
+    process.exit(0);
+  }
+
+  if (subcmd === 'logout') {
+    await cmdLogout();
+    process.exit(0);
+  }
+
+  if (subcmd === 'watch') {
+    const pkg = args[1];
+    if (!pkg) { console.error('Usage: poc watch <package> [--ecosystem npm|pypi|cargo|golang]'); process.exit(1); }
+    let ecosystem = 'npm';
+    for (let i = 2; i < args.length; i++) {
+      if (args[i] === '--ecosystem' || args[i] === '-e') ecosystem = args[++i] || 'npm';
+      else if (args[i] === '--pypi') ecosystem = 'pypi';
+      else if (args[i] === '--cargo') ecosystem = 'cargo';
+      else if (args[i] === '--golang' || args[i] === '--go') ecosystem = 'golang';
+    }
+    await cmdWatch(pkg, ecosystem);
+    process.exit(0);
+  }
+
+  if (subcmd === 'watchlist') {
+    await cmdWatchlist();
+    process.exit(0);
+  }
+
+  if (subcmd === 'unwatch') {
+    const pkg = args[1];
+    if (!pkg) { console.error('Usage: poc unwatch <package> [--ecosystem npm|pypi|cargo|golang]'); process.exit(1); }
+    let ecosystem = 'npm';
+    for (let i = 2; i < args.length; i++) {
+      if (args[i] === '--ecosystem' || args[i] === '-e') ecosystem = args[++i] || 'npm';
+      else if (args[i] === '--pypi') ecosystem = 'pypi';
+      else if (args[i] === '--cargo') ecosystem = 'cargo';
+      else if (args[i] === '--golang' || args[i] === '--go') ecosystem = 'golang';
+    }
+    await cmdUnwatch(pkg, ecosystem);
+    process.exit(0);
+  }
+
   let ecosystem = 'npm';
   let packages = [];
   let filePath = null;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "proof-of-commitment",
-  "version": "1.8.1",
+  "version": "1.10.0",
   "description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
   "type": "module",
   "bin": {