npm - proof-of-commitment - Versions diffs - 1.9.0 → 1.11.0 - Mend

proof-of-commitment 1.9.0 → 1.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -51,24 +51,26 @@ npx proof-of-commitment --file go.sum    # full transitive set
 **Web demo (no install):** [getcommit.dev/audit](https://getcommit.dev/audit) — paste your packages, see risk scores in seconds.
-**Commit Pro — daily monitoring + alerts (v1.9.0):**
+**Account + monitoring (v1.10.0):**
 ```bash
 # Install once, then use the `poc` alias:
 npm install -g proof-of-commitment
-# Add packages to daily monitoring (requires Pro API key):
+# Get a free API key at https://getcommit.dev/get-started, then:
+poc login sk_commit_your_key_here
+# ✓ Authenticated — Tier: Free — Usage: 0/200 requests (daily)
+poc status                          # check tier + usage anytime
+poc logout                          # remove saved key
+# Monitoring (Pro tier — daily scans + alerts):
 poc watch chalk
 poc watch requests --ecosystem pypi
 poc watch serde --ecosystem cargo
-# View your watchlist with current scores:
-poc watchlist
-# Remove a package:
+poc watchlist                       # view scores + risk levels
 poc unwatch chalk
-# API key: set COMMIT_API_KEY env or add api_key=<key> to ~/.commit/config
-# Get a key at https://getcommit.dev/pricing
+# Upgrade to Pro: https://getcommit.dev/pricing
 ```
 Alerts fire on: score drop ≥10 points · package crosses CRITICAL threshold · recovery to HEALTHY.

package/index.js CHANGED Viewed

@@ -1,11 +1,12 @@
 #!/usr/bin/env node
 /**
- * proof-of-commitment CLI v1.9.0
+ * proof-of-commitment CLI v1.11.0
  * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
  * Usage: npx proof-of-commitment [packages...] [options]
  */
 const API = 'https://poc-backend.amdal-dev.workers.dev/api/audit';
+const KEYS_API = 'https://poc-backend.amdal-dev.workers.dev/api/keys';
 const WATCHLIST_API = 'https://poc-backend.amdal-dev.workers.dev/api/watchlist';
 const WEB = 'https://getcommit.dev/audit';
@@ -26,6 +27,16 @@ const c = {
 const NO_COLOR = process.env.NO_COLOR || !process.stdout.isTTY;
+// Synchronous API key check for upsell messaging (avoids async in printTable)
+let _cachedHasKey = false;
+try {
+  const _os = await import('os');
+  const _fs = await import('fs');
+  const _path = await import('path');
+  const _cfg = _fs.readFileSync(_path.join(_os.homedir(), '.commit', 'config'), 'utf-8');
+  _cachedHasKey = /^api_key\s*=\s*.+$/m.test(_cfg);
+} catch {}
 function clr(code, text) {
   if (NO_COLOR) return text;
   return `${code}${text}${c.reset}`;
@@ -174,15 +185,23 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
   // Contextual upsell — show when findings make monitoring relevant
   if (effectiveCritical > 0) {
-    console.log(clr(c.dim, `\n  📊 Track ${effectiveCritical === 1 ? 'this package' : 'these packages'} daily. Get alerted on score changes.`));
-    console.log(clr(c.dim, `     Commit Pro — batch API, monitoring, alerts → https://getcommit.dev/pricing`));
+    // Check for API key synchronously via env (fast path)
+    const hasKey = !!process.env.COMMIT_API_KEY || _cachedHasKey;
+    if (hasKey) {
+      console.log(clr(c.dim, `\n  📊 Monitor ${effectiveCritical === 1 ? 'this package' : 'these packages'}: `) +
+        clr(c.cyan, `poc watch ${results.find(r => hasCritical(r.riskFlags))?.name || results[0]?.name}`));
+    } else {
+      console.log(clr(c.dim, `\n  📊 Monitor ${effectiveCritical === 1 ? 'this' : 'these ' + effectiveCritical} CRITICAL ${effectiveCritical === 1 ? 'package' : 'packages'} — get alerted when scores change.`));
+      console.log(clr(c.dim, '     Get a free API key: ') + clr(c.cyan, 'https://getcommit.dev/get-started'));
+      console.log(clr(c.dim, '     Then run: ') + clr(c.cyan, 'poc login'));
+    }
   }
   console.log();
 }
 function printHelp() {
   console.log(`
-${clr(c.bold, 'proof-of-commitment')} v1.9.0 — supply chain risk scorer
+${clr(c.bold, 'proof-of-commitment')} v1.11.0 — supply chain risk scorer
 ${clr(c.bold, 'Usage:')}
   npx proof-of-commitment                            Auto-detect manifest in current dir
@@ -199,14 +218,24 @@ ${clr(c.bold, 'Usage:')}
   npx proof-of-commitment --file go.mod              Audit Go direct + indirect deps
   npx proof-of-commitment --file go.sum              Audit Go full transitive set
-${clr(c.bold, 'Commit Pro monitoring (poc watch):')}
+${clr(c.bold, 'Reports:')}
+  poc report          Scan and generate a shareable HTML report + Markdown snippet
+  poc report [pkgs]   Same flags as scan — packages, --pypi, --cargo, --file, etc.
+                      Saves audit-report.html to cwd + prints Markdown for GitHub issues
+${clr(c.bold, 'Account:')}
+  poc login [key]     Save and validate your API key (interactive or direct)
+  poc status          Show current tier, usage, and limits
+  poc logout          Remove saved API key
+${clr(c.bold, 'Monitoring (Pro):')}
   poc watch <package> [--ecosystem npm|pypi|cargo|golang]
-                      Add a package to daily monitoring (Pro tier)
+                      Add a package to daily monitoring
   poc watchlist       List monitored packages with current scores + risk
   poc unwatch <pkg>   Remove a package from monitoring
-  API key: set COMMIT_API_KEY env or add api_key=<key> to ~/.commit/config
-  Get a key: https://getcommit.dev/pricing
+  Get a free key: https://getcommit.dev/get-started
+  Upgrade to Pro:  https://getcommit.dev/pricing
 ${clr(c.bold, 'Options:')}
   --json              Output results as JSON
@@ -646,6 +675,174 @@ async function readApiKey() {
   return null;
 }
+/**
+ * Write API key to ~/.commit/config, creating dir if needed.
+ */
+async function writeApiKey(key) {
+  const os = await import('os');
+  const fs = await import('fs');
+  const path = await import('path');
+  const dir = path.join(os.homedir(), '.commit');
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+  const configPath = path.join(dir, 'config');
+  let lines = [];
+  try {
+    lines = fs.readFileSync(configPath, 'utf-8').split('\n');
+  } catch {}
+  // Replace existing api_key line or append
+  let found = false;
+  lines = lines.map(l => {
+    if (/^api_key\s*=/.test(l)) { found = true; return `api_key = ${key}`; }
+    return l;
+  });
+  if (!found) lines.push(`api_key = ${key}`);
+  fs.writeFileSync(configPath, lines.filter(l => l !== '').join('\n') + '\n');
+  return configPath;
+}
+/**
+ * Remove API key from ~/.commit/config.
+ */
+async function removeApiKey() {
+  const os = await import('os');
+  const fs = await import('fs');
+  const path = await import('path');
+  const configPath = path.join(os.homedir(), '.commit', 'config');
+  try {
+    const content = fs.readFileSync(configPath, 'utf-8');
+    const filtered = content.split('\n').filter(l => !/^api_key\s*=/.test(l)).join('\n');
+    fs.writeFileSync(configPath, filtered.trim() ? filtered.trim() + '\n' : '');
+    return true;
+  } catch { return false; }
+}
+/**
+ * Validate an API key against the usage endpoint. Returns tier info or null.
+ */
+async function validateApiKey(key) {
+  try {
+    const res = await fetch(`${KEYS_API}/usage`, {
+      headers: { 'Authorization': `Bearer ${key}` },
+    });
+    if (!res.ok) return null;
+    return await res.json();
+  } catch { return null; }
+}
+/**
+ * poc login [key] — save and validate API key
+ */
+async function cmdLogin(keyArg) {
+  let key = keyArg;
+  if (!key) {
+    // Check if stdin has data (piped input)
+    const { createInterface } = await import('readline');
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    key = await new Promise(resolve => {
+      rl.question(clr(c.dim, '  Enter your API key: '), answer => {
+        rl.close();
+        resolve(answer.trim());
+      });
+    });
+  }
+  if (!key || !key.startsWith('sk_commit_')) {
+    console.error(clr(c.red, '\n  Invalid API key format. Keys start with sk_commit_'));
+    console.error(clr(c.dim, '  Get one at https://getcommit.dev/get-started\n'));
+    process.exit(1);
+  }
+  process.stdout.write(clr(c.dim, '  Validating...'));
+  const info = await validateApiKey(key);
+  if (!info || info.error) {
+    console.error(clr(c.red, ' ✗ Invalid or expired API key.'));
+    console.error(clr(c.dim, `  ${info?.message || 'Key not recognized.'}`));
+    process.exit(1);
+  }
+  const configPath = await writeApiKey(key);
+  console.log(clr(c.green, ' ✓ Authenticated'));
+  console.log();
+  console.log(clr(c.bold, `  Tier:     `) + tierLabel(info.tier));
+  console.log(clr(c.bold, `  Usage:    `) + `${info.requests_used ?? 0}/${info.requests_limit ?? '?'} requests (${info.period || 'daily'})`);
+  console.log(clr(c.bold, `  Resets:   `) + (info.period_reset_at || '—'));
+  console.log(clr(c.dim, `  Saved to: ${configPath}`));
+  console.log();
+  if (info.tier === 'pro' || info.tier === 'enterprise') {
+    console.log(clr(c.cyan, '  Pro features unlocked:'));
+    console.log(clr(c.dim, '    poc watch <package>    Add a package to daily monitoring'));
+    console.log(clr(c.dim, '    poc watchlist          View monitored packages'));
+    console.log(clr(c.dim, '    poc unwatch <package>  Remove from monitoring'));
+  } else {
+    console.log(clr(c.dim, '  Upgrade to Pro for monitoring + alerts: https://getcommit.dev/pricing'));
+  }
+  console.log();
+}
+/**
+ * poc status — show current auth + usage
+ */
+async function cmdStatus() {
+  const key = await readApiKey();
+  if (!key) {
+    console.log(clr(c.dim, '\n  Not logged in.'));
+    console.log(clr(c.dim, '  Run ') + clr(c.cyan, 'poc login') + clr(c.dim, ' to authenticate.'));
+    console.log(clr(c.dim, '  Get a free key at https://getcommit.dev/get-started\n'));
+    return;
+  }
+  process.stdout.write(clr(c.dim, '  Checking...'));
+  const info = await validateApiKey(key);
+  if (!info || info.error) {
+    console.error(clr(c.red, ' ✗ Key invalid or expired.'));
+    console.error(clr(c.dim, '  Run ') + clr(c.cyan, 'poc login') + clr(c.dim, ' to re-authenticate.\n'));
+    process.exit(1);
+  }
+  console.log(clr(c.green, ' ✓ Connected'));
+  console.log();
+  console.log(clr(c.bold, `  Tier:     `) + tierLabel(info.tier));
+  console.log(clr(c.bold, `  Usage:    `) + `${info.requests_used ?? 0}/${info.requests_limit ?? '?'} requests (${info.period || 'daily'})`);
+  console.log(clr(c.bold, `  Resets:   `) + (info.period_reset_at || '—'));
+  console.log(clr(c.bold, `  Prefix:   `) + (info.key_prefix || key.slice(0, 19) + '...'));
+  console.log();
+  if (info.tier === 'free') {
+    const pct = info.requests_limit > 0 ? Math.round((info.requests_used / info.requests_limit) * 100) : 0;
+    if (pct >= 80) {
+      console.log(clr(c.yellow, `  ⚠ ${pct}% of daily limit used. Upgrade for 10K/month: https://getcommit.dev/pricing`));
+    }
+  }
+}
+/**
+ * poc logout — remove saved API key
+ */
+async function cmdLogout() {
+  const removed = await removeApiKey();
+  if (removed) {
+    console.log(clr(c.green, '\n  ✓ Logged out. API key removed from ~/.commit/config.'));
+  } else {
+    console.log(clr(c.dim, '\n  No saved API key found.'));
+  }
+  console.log();
+}
+function tierLabel(tier) {
+  if (tier === 'pro') return clr(c.cyan + c.bold, 'Pro');
+  if (tier === 'enterprise') return clr(c.magenta + c.bold, 'Enterprise');
+  if (tier === 'developer') return clr(c.green + c.bold, 'Developer');
+  return clr(c.dim, 'Free');
+}
 /**
  * Handle 402 upgrade response from watchlist endpoints.
  */
@@ -803,6 +1000,257 @@ async function cmdUnwatch(pkg, ecosystem) {
   }
 }
+/**
+ * Generate a self-contained HTML report from audit results.
+ * Returns the full HTML string.
+ */
+function buildHtmlReport(results, { ecosystem, scannedFrom, totalScanned } = {}) {
+  const ts = new Date().toISOString().replace('T', ' ').slice(0, 19) + ' UTC';
+  const topPkgs = results.slice(0, 20).map(r => r.name).join(',');
+  const webUrl = `${WEB}?packages=${encodeURIComponent(topPkgs)}`;
+  const criticalCount = results.filter(r => hasCritical(r.riskFlags)).length;
+  const healthyCount = results.filter(r => !hasCritical(r.riskFlags) && (r.score || 0) >= 75).length;
+  function riskBadge(pkg) {
+    if (hasCritical(pkg.riskFlags)) return '<span class="badge critical">CRITICAL</span>';
+    if ((pkg.score || 100) < 40) return '<span class="badge high">HIGH</span>';
+    if ((pkg.score || 100) < 60) return '<span class="badge moderate">MODERATE</span>';
+    if ((pkg.score || 100) < 75) return '<span class="badge good">GOOD</span>';
+    return '<span class="badge healthy">HEALTHY</span>';
+  }
+  function provBadge(pkg) {
+    if (pkg.ecosystem === 'golang') return '';
+    return pkg.hasProvenance ? '<span class="prov">🔐</span>' : '';
+  }
+  function fmtDl(n) {
+    if (!n) return '—';
+    if (n >= 1e9) return (n / 1e9).toFixed(1) + 'B/wk';
+    if (n >= 1e6) return (n / 1e6).toFixed(1) + 'M/wk';
+    if (n >= 1e3) return (n / 1e3).toFixed(0) + 'K/wk';
+    return n + '/wk';
+  }
+  const rows = results.map(pkg => {
+    const isGo = pkg.ecosystem === 'golang';
+    return `<tr class="${hasCritical(pkg.riskFlags) ? 'row-critical' : ''}">
+      <td class="pkg-name">${escHtml(pkg.name)}${provBadge(pkg)}</td>
+      <td>${riskBadge(pkg)}</td>
+      <td class="score">${pkg.score ?? '?'}</td>
+      <td>${pkg.maintainers === 35 ? '30+' : (pkg.maintainers ?? '?')}</td>
+      <td>${isGo ? '—' : fmtDl(pkg.weeklyDownloads)}</td>
+      <td>${pkg.ageYears ? pkg.ageYears.toString().replace(/(\.\d).*/, '$1') + 'y' : '?'}</td>
+    </tr>`;
+  }).join('\n');
+  const summaryLabel = criticalCount > 0
+    ? `⚠ ${criticalCount} CRITICAL package${criticalCount > 1 ? 's' : ''} found`
+    : `✓ No CRITICAL packages`;
+  const summaryClass = criticalCount > 0 ? 'summary-critical' : 'summary-ok';
+  const scannedLine = scannedFrom
+    ? `<span>Scanned from <code>${escHtml(scannedFrom)}</code></span> · `
+    : '';
+  const totalLine = totalScanned && totalScanned > results.length
+    ? `showing top ${results.length} of ${totalScanned} packages · `
+    : `${results.length} package${results.length !== 1 ? 's' : ''} · `;
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>Supply chain audit — proof-of-commitment</title>
+<style>
+  :root { --red:#ef4444;--orange:#f97316;--yellow:#eab308;--green:#22c55e;--cyan:#06b6d4;--bg:#0f172a;--surface:#1e293b;--border:#334155;--text:#f1f5f9;--muted:#94a3b8; }
+  * { box-sizing: border-box; margin: 0; padding: 0; }
+  body { font-family: 'SF Mono', 'Fira Code', 'Cascadia Code', monospace; background: var(--bg); color: var(--text); padding: 2rem; line-height: 1.5; font-size: 14px; }
+  .header { display: flex; align-items: center; gap: 1rem; margin-bottom: 1.5rem; flex-wrap: wrap; }
+  .logo { font-size: 1.1rem; font-weight: bold; color: var(--cyan); }
+  .logo a { color: inherit; text-decoration: none; }
+  .web-link { margin-left: auto; }
+  .web-link a { color: var(--cyan); text-decoration: none; font-size: 0.85rem; border: 1px solid var(--border); padding: 0.3rem 0.75rem; border-radius: 4px; }
+  .web-link a:hover { background: var(--surface); }
+  .summary { padding: 0.75rem 1rem; border-radius: 6px; margin-bottom: 1.5rem; font-weight: bold; }
+  .summary-critical { background: rgba(239,68,68,0.15); border: 1px solid var(--red); color: var(--red); }
+  .summary-ok { background: rgba(34,197,94,0.1); border: 1px solid var(--green); color: var(--green); }
+  .meta { color: var(--muted); font-size: 0.8rem; margin-bottom: 1.5rem; }
+  .meta code { background: var(--surface); padding: 0.1rem 0.3rem; border-radius: 3px; }
+  table { width: 100%; border-collapse: collapse; }
+  thead { border-bottom: 1px solid var(--border); }
+  th { text-align: left; padding: 0.5rem 0.75rem; color: var(--muted); font-weight: normal; font-size: 0.8rem; text-transform: uppercase; letter-spacing: 0.05em; }
+  td { padding: 0.5rem 0.75rem; border-bottom: 1px solid rgba(51,65,85,0.5); }
+  tr.row-critical { background: rgba(239,68,68,0.07); }
+  .pkg-name { font-weight: bold; }
+  .prov { margin-left: 0.4rem; font-size: 0.9em; }
+  .badge { display: inline-block; padding: 0.1rem 0.5rem; border-radius: 3px; font-size: 0.75rem; font-weight: bold; }
+  .badge.critical { background: rgba(239,68,68,0.2); color: var(--red); border: 1px solid var(--red); }
+  .badge.high { background: rgba(249,115,22,0.15); color: var(--orange); border: 1px solid var(--orange); }
+  .badge.moderate { background: rgba(234,179,8,0.15); color: var(--yellow); border: 1px solid var(--yellow); }
+  .badge.good { background: rgba(234,179,8,0.1); color: var(--yellow); border: 1px solid rgba(234,179,8,0.5); }
+  .badge.healthy { background: rgba(34,197,94,0.1); color: var(--green); border: 1px solid var(--green); }
+  .score { color: var(--muted); }
+  .footer { margin-top: 2rem; padding-top: 1rem; border-top: 1px solid var(--border); color: var(--muted); font-size: 0.8rem; display: flex; gap: 1.5rem; flex-wrap: wrap; }
+  .footer a { color: var(--cyan); text-decoration: none; }
+  .md-section { margin-top: 2rem; background: var(--surface); border: 1px solid var(--border); border-radius: 6px; padding: 1rem; }
+  .md-label { color: var(--muted); font-size: 0.75rem; margin-bottom: 0.5rem; text-transform: uppercase; letter-spacing: 0.05em; }
+  .md-copy { background: var(--bg); border: 1px solid var(--border); border-radius: 4px; padding: 0.75rem; font-size: 0.8rem; white-space: pre; overflow-x: auto; color: var(--text); }
+  .copy-btn { float: right; cursor: pointer; background: var(--border); border: none; color: var(--text); padding: 0.2rem 0.6rem; border-radius: 3px; font-size: 0.75rem; font-family: inherit; }
+  .copy-btn:hover { background: var(--cyan); color: var(--bg); }
+</style>
+</head>
+<body>
+<div class="header">
+  <div class="logo"><a href="${WEB}" target="_blank">proof-of-commitment</a></div>
+  <div class="web-link"><a href="${webUrl}" target="_blank">🔗 Open in browser →</a></div>
+</div>
+<div class="summary ${summaryClass}">${summaryLabel}</div>
+<div class="meta">${scannedLine}${totalLine}${ecosystem || 'npm'} · generated ${ts}</div>
+<table>
+  <thead><tr>
+    <th>Package</th><th>Risk</th><th>Score</th><th>Publishers</th><th>Downloads</th><th>Age</th>
+  </tr></thead>
+  <tbody>
+${rows}
+  </tbody>
+</table>
+<div class="md-section">
+  <div class="md-label">Copy for GitHub issues / Slack <button class="copy-btn" onclick="copyMd()">Copy</button></div>
+  <div class="md-copy" id="md-content">${escHtml(buildMarkdown(results, { ecosystem, scannedFrom, totalScanned, webUrl }))}</div>
+</div>
+<div class="footer">
+  <span>Generated by <a href="${WEB}" target="_blank">proof-of-commitment</a></span>
+  <span><a href="https://github.com/piiiico/commit-action" target="_blank">GitHub Action</a></span>
+  <span><a href="https://getcommit.dev/pricing" target="_blank">Commit Pro</a></span>
+</div>
+<script>
+function copyMd() {
+  const text = document.getElementById('md-content').textContent;
+  navigator.clipboard.writeText(text).then(() => {
+    const btn = document.querySelector('.copy-btn');
+    btn.textContent = '✓ Copied';
+    setTimeout(() => btn.textContent = 'Copy', 2000);
+  });
+}
+</script>
+</body>
+</html>`;
+}
+function escHtml(str) {
+  return String(str).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+}
+function buildMarkdown(results, { ecosystem, scannedFrom, totalScanned, webUrl } = {}) {
+  const criticalCount = results.filter(r => hasCritical(r.riskFlags)).length;
+  const summaryLine = criticalCount > 0
+    ? `⚠ **${criticalCount} CRITICAL package${criticalCount > 1 ? 's' : ''} found**`
+    : `✅ No CRITICAL packages`;
+  function riskEmoji(pkg) {
+    if (hasCritical(pkg.riskFlags)) return '🔴 CRITICAL';
+    if ((pkg.score || 100) < 40) return '🟠 HIGH';
+    if ((pkg.score || 100) < 60) return '🟡 MODERATE';
+    if ((pkg.score || 100) < 75) return '🟡 GOOD';
+    return '🟢 HEALTHY';
+  }
+  const header = `| Package | Risk | Score | Publishers | Downloads |
+|---------|------|-------|------------|-----------|`;
+  function fmtDl(n) {
+    if (!n) return '—';
+    if (n >= 1e6) return (n / 1e6).toFixed(1) + 'M/wk';
+    if (n >= 1e3) return (n / 1e3).toFixed(0) + 'K/wk';
+    return n + '/wk';
+  }
+  const rows = results.map(pkg => {
+    const maintDisplay = pkg.maintainers === 35 ? '30+' : (pkg.maintainers ?? '?');
+    const dlDisplay = pkg.ecosystem === 'golang' ? '—' : fmtDl(pkg.weeklyDownloads);
+    return `| ${pkg.name}${pkg.hasProvenance ? ' 🔐' : ''} | ${riskEmoji(pkg)} | ${pkg.score ?? '?'} | ${maintDisplay} | ${dlDisplay} |`;
+  }).join('\n');
+  const scannedNote = scannedFrom ? ` (from \`${scannedFrom}\`)` : '';
+  const totalNote = totalScanned && totalScanned > results.length ? `, top ${results.length} of ${totalScanned}` : '';
+  const footer = `\n*Scanned ${results.length} ${ecosystem || 'npm'} package${results.length !== 1 ? 's' : ''}${scannedNote}${totalNote} with [proof-of-commitment](https://getcommit.dev) · [Full report](${webUrl || WEB})*`;
+  return `## Supply chain audit\n\n${summaryLine}\n\n${header}\n${rows}${footer}`;
+}
+/**
+ * poc report — generate shareable HTML report + Markdown snippet
+ */
+async function cmdReport(packages, ecosystem, { filePath, isLockfile, totalScanned } = {}) {
+  const fs = await import('fs');
+  process.stdout.write(clr(c.dim, `Scoring ${packages.length} ${ecosystem} package${packages.length > 1 ? 's' : ''}...`));
+  const t0 = Date.now();
+  let allResults;
+  try {
+    if (packages.length <= 20) {
+      const res = await fetch(API, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ packages, ecosystem }),
+      });
+      if (!res.ok) throw new Error(`API error ${res.status}: ${await res.text()}`);
+      const data = await res.json();
+      allResults = data.results || [];
+    } else {
+      allResults = await auditBatched(packages, ecosystem);
+    }
+  } catch (err) {
+    console.error(`\nError: ${err.message}`);
+    process.exit(1);
+  }
+  const elapsed = ((Date.now() - t0) / 1000).toFixed(1);
+  process.stdout.write(clr(c.dim, ` done in ${elapsed}s\n\n`));
+  // Sort: CRITICAL first, then by score ascending
+  allResults.sort((a, b) => {
+    const aCrit = hasCritical(a.riskFlags) ? 1 : 0;
+    const bCrit = hasCritical(b.riskFlags) ? 1 : 0;
+    if (aCrit !== bCrit) return bCrit - aCrit;
+    return (a.score || 100) - (b.score || 100);
+  });
+  const displayResults = allResults.slice(0, 50);
+  const topPkgs = displayResults.slice(0, 20).map(r => r.name).join(',');
+  const webUrl = `${WEB}?packages=${encodeURIComponent(topPkgs)}`;
+  // Save HTML report
+  const outFile = 'audit-report.html';
+  const html = buildHtmlReport(displayResults, {
+    ecosystem,
+    scannedFrom: filePath ? filePath.split('/').pop() : null,
+    totalScanned: totalScanned || allResults.length,
+  });
+  fs.writeFileSync(outFile, html);
+  // Print Markdown snippet
+  const md = buildMarkdown(displayResults, {
+    ecosystem,
+    scannedFrom: filePath ? filePath.split('/').pop() : null,
+    totalScanned: totalScanned || allResults.length,
+    webUrl,
+  });
+  console.log(clr(c.bold, 'Markdown snippet') + clr(c.dim, ' (paste into GitHub issues, PRs, Slack):'));
+  console.log(clr(c.dim, '─'.repeat(60)));
+  console.log(md);
+  console.log(clr(c.dim, '─'.repeat(60)));
+  console.log();
+  console.log(clr(c.green, `  ✓ HTML report saved → ${outFile}`));
+  console.log(clr(c.cyan, `  🔗 Web report: ${webUrl}`));
+  console.log();
+}
 async function main() {
   const args = process.argv.slice(2);
@@ -811,9 +1259,74 @@ async function main() {
     process.exit(0);
   }
-  // Watchlist subcommands
+  // Subcommands
   const subcmd = args[0];
+  if (subcmd === 'login') {
+    const keyArg = args[1] || null;
+    await cmdLogin(keyArg);
+    process.exit(0);
+  }
+  if (subcmd === 'status') {
+    await cmdStatus();
+    process.exit(0);
+  }
+  if (subcmd === 'logout') {
+    await cmdLogout();
+    process.exit(0);
+  }
+  if (subcmd === 'report') {
+    // Parse report args (same flags as main scan)
+    const reportArgs = args.slice(1);
+    let ecosystem = 'npm';
+    let packages = [];
+    let filePath = null;
+    let totalInFile = 0;
+    let ri = 0;
+    while (ri < reportArgs.length) {
+      const a = reportArgs[ri];
+      if (a === '--pypi') { ecosystem = 'pypi'; ri++; }
+      else if (a === '--npm') { ecosystem = 'npm'; ri++; }
+      else if (a === '--cargo') { ecosystem = 'cargo'; ri++; }
+      else if (a === '--golang' || a === '--go') { ecosystem = 'golang'; ri++; }
+      else if (a === '--file' || a === '-f') { filePath = reportArgs[++ri]; ri++; }
+      else if (a.startsWith('--')) { console.error(`Unknown flag: ${a}`); process.exit(1); }
+      else { packages.push(a); ri++; }
+    }
+    if (!filePath && packages.length === 0) {
+      const detected = await autodetectManifest(process.cwd());
+      if (detected) {
+        filePath = detected;
+        console.log(clr(c.dim, `Auto-detected manifest: ${detected}`));
+      } else {
+        console.error('No packages specified and no manifest found. Run: poc report [packages...] or --file <manifest>');
+        process.exit(1);
+      }
+    }
+    if (filePath) {
+      try {
+        const result = await readPackagesFromFile(filePath);
+        packages = result.packages;
+        ecosystem = result.ecosystem;
+        totalInFile = result.totalInFile || packages.length;
+        console.log(clr(c.dim, `Detected ${totalInFile} packages from ${filePath} (${ecosystem})`));
+      } catch (err) {
+        console.error(`Error reading ${filePath}: ${err.message}`);
+        process.exit(1);
+      }
+    }
+    if (packages.length === 0) { console.error('No packages found.'); process.exit(1); }
+    await cmdReport(packages, ecosystem, { filePath, totalScanned: totalInFile || packages.length });
+    process.exit(0);
+  }
   if (subcmd === 'watch') {
     const pkg = args[1];
     if (!pkg) { console.error('Usage: poc watch <package> [--ecosystem npm|pypi|cargo|golang]'); process.exit(1); }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "proof-of-commitment",
-  "version": "1.9.0",
+  "version": "1.11.0",
   "description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
   "type": "module",
   "bin": {