Gives you supply-chain risk scores for npm, PyPI, Cargo, and Go packages through nine MCP tools that surface behavioral signals such as publisher concentration and release cadence. Built to catch the single-maintainer packages that stars and download counts hide. Query individual packages, audit lockfiles, or scan entire dependency trees from Claude Desktop or Cursor. The same scoring engine powers getcommit.dev and ships as a standalone CLI with CI gates and IDE hooks that block risky installs before they land. Useful when you need to know whether that transitive dependency with 500 million weekly downloads has one person holding the keys.
claude mcp add --transport stdio piiiico-proof-of-commitment uvx proof-of-commitment
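An added, illustrative example of the two behavioral signals named above, publisher concentration and release cadence, computed from the npm registry's packument format. This is example code, not the proof-of-commitment scoring engine (the page does not give its formula). The packument fields it reads (`time`, and `_npmUser` under each entry of `versions`) are what `registry.npmjs.org` returns for `GET /<name>`; the sample package, publisher names, dates, the 0.9 threshold and the function names are constructed for the example.

```python
"""Added example: publisher concentration and release cadence from an npm
packument. Illustrative only; not the proof-of-commitment scoring engine."""
from collections import Counter
from datetime import datetime
from statistics import median
import json
import urllib.request

# Constructed packument fragment in the shape registry.npmjs.org returns for
# GET /<name>: a "time" map (version -> ISO timestamp, plus "created" and
# "modified" bookkeeping keys) and per-version "_npmUser" publisher records.
# The package name, users and dates are made up for this example.
SAMPLE_PACKUMENT = {
    "name": "example-pkg",
    "time": {
        "created": "2023-01-10T00:00:00.000Z",
        "modified": "2024-06-01T00:00:00.000Z",
        "1.0.0": "2023-01-10T00:00:00.000Z",
        "1.0.1": "2023-03-15T00:00:00.000Z",
        "1.1.0": "2023-07-02T00:00:00.000Z",
        "1.2.0": "2024-01-20T00:00:00.000Z",
        "1.2.1": "2024-06-01T00:00:00.000Z",
    },
    "versions": {
        "1.0.0": {"_npmUser": {"name": "alice"}},
        "1.0.1": {"_npmUser": {"name": "alice"}},
        "1.1.0": {"_npmUser": {"name": "alice"}},
        "1.2.0": {"_npmUser": {"name": "bob"}},
        "1.2.1": {"_npmUser": {"name": "alice"}},
    },
}


def fetch_packument(name):
    """Fetch a live packument (same shape as SAMPLE_PACKUMENT). Needs network;
    not called by the offline demo below."""
    with urllib.request.urlopen(f"https://registry.npmjs.org/{name}", timeout=10) as resp:
        return json.load(resp)


def _parse(ts):
    # Registry timestamps end in "Z"; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def publisher_concentration(packument):
    """Return (top_publisher, share): share is the fraction of published
    versions whose _npmUser is the most frequent publisher. A share of 1.0
    means one account has pushed every release, whatever the download count."""
    publishers = Counter(
        v.get("_npmUser", {}).get("name", "<unknown>")
        for v in packument.get("versions", {}).values()
    )
    if not publishers:
        return None, 0.0
    name, count = publishers.most_common(1)[0]
    return name, count / sum(publishers.values())


def release_cadence_days(packument):
    """Median gap in days between consecutive releases, from the 'time' map.
    Returns None when fewer than two releases exist (no cadence to measure)."""
    stamps = sorted(
        _parse(ts) for ver, ts in packument.get("time", {}).items()
        if ver not in ("created", "modified")
    )
    if len(stamps) < 2:
        return None
    gaps = [(b - a).total_seconds() / 86400 for a, b in zip(stamps, stamps[1:])]
    return median(gaps)


def assess(packument, concentration_threshold=0.9):
    """Combine the two signals. The threshold is an assumed cut-off for
    flagging a package as effectively single-publisher."""
    top, share = publisher_concentration(packument)
    return {
        "package": packument.get("name"),
        "top_publisher": top,
        "publisher_share": round(share, 3),
        "single_publisher": share >= concentration_threshold,
        "median_release_gap_days": release_cadence_days(packument),
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_PACKUMENT), indent=2))
```

Swap `SAMPLE_PACKUMENT` for `fetch_packument("some-package")` to run it against the live registry; the `_npmUser` field is what tells you who actually pushed each version, which is the signal that stars and download counts never expose.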