MCP.so
Sign In

proof-of-commitment

@piiiico

About proof-of-commitment

Supply chain security risk scorer for npm, PyPI, Cargo, and Go — behavioral signals that can't be faked

Basic information

Category

Other

License

MIT

Runtime

node

Publisher

piiiico

Config

Add this server to your MCP-compatible client using the configuration below.

{
  "mcpServers": {
    "proof-of-commitment": {
      "command": "npx",
      "args": [
        "-y",
        "@smithery/cli",
        "install",
        "proof-of-commitment",
        "--client",
        "claude"
      ]
    }
  }
}

Tools

No tools detected

We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.

Overview

What is proof-of-commitment?

proof-of-commitment is an MCP server and web tool that scores npm packages, PyPI packages, Rust crates, Go modules, and GitHub repos on behavioral commitment — signals like publisher concentration, age, and provenance that are harder to fake than stars or download counts. It helps developers and AI agents identify supply chain risk, especially single-publisher packages with large reach.

How to use proof-of-commitment?

Add the server to any MCP-compatible AI tool using the URL https://poc-backend.amdal-dev.workers.dev/mcp via a streamable-http transport. Use the CLI with npx proof-of-commitment (zero‑arg auto‑detect in a project directory, or explicit package names and --file flags). For CI, use --fail-on=critical or the dedicated GitHub Action piiiico/commit-action@v1. Install IDE hooks with poc hook to block critical packages before install.

Key features of proof-of-commitment

  • Detects publish‑access concentration risk (single NPM publisher >10M weekly downloads)
  • Supports npm, PyPI, Rust crates, Go modules, and GitHub repos
  • CLI with zero‑arg auto‑detect and lock‑file scanning (package‑lock, yarn.lock, go.sum, etc.)
  • CI integration with --fail-on=critical and GitHub Action (PR comments, step summary)
  • SARIF output for GitHub Code Scanning (Security tab)
  • IDE hooks for Cursor, Claude Code, and Windsurf to block critical packages
  • Monitoring plan with weekly/daily alerts and package score degradation detection

Use cases of proof-of-commitment

  • Auditing a project’s package.json or lockfile for supply chain risk before merging
  • Adding a CI gate that blocks pull requests when critical packages are detected
  • Preventing AI coding assistants from installing high‑risk dependencies via IDE hooks
  • Monitoring third‑party packages for publisher changes or score drops over time

FAQ from proof-of-commitment

How does proof-of-commitment differ from npm audit?

npm audit flags known vulnerabilities, but not publish‑access concentration. proof-of-commitment surfaces attack‑surface risk — e.g., a single publisher with >10M weekly downloads — which npm audit does not detect.

Do I need to log in to use proof-of-commitment?

No login is required for the MCP server or CLI. A free API key is available to unlock monitoring (package watch, alerts) and higher rate limits.

What ecosystems does proof-of-commitment support?

It supports npm (Node.js), PyPI (Python), Rust crates, Go modules, and GitHub repositories.

What does a CRITICAL score mean?

A CRITICAL score indicates a package with a sole npm publisher and more than 10 million weekly downloads — a profile matching the axios token theft attack in March 2026.

How is data fetched in the MCP server?

The server uses a streamable‑HTTP backend (https://poc-backend.amdal-dev.workers.dev/mcp) that queries the same API used by the CLI and web demo. No local data storage is required.

Comments

More Other MCP servers