pqcheck 0.12.0 → 0.13.1

package/README.md

@@ -22,7 +22,7 @@ Wire Cipherwake into your CI so every PR gets a Trust Diff comment when your dom
 npx pqcheck onboard cipherwake.io
 ```
 
-That runs in sequence: scan your domain → write the GitHub Action workflow → capture a vendor lockfile → generate a release checklist → open your browser to the API-key page. You finish by adding the API key as a repo secret + committing.
+That runs in sequence: scan your domain → write the GitHub Action workflow → capture a vendor lockfile → generate a release checklist → commit + push. **No API key, no repo secret.** The scaffolded workflow uses GitHub Actions OIDC (`id-token: write`) to authenticate to Cipherwake — Free includes 30 Trust Diff calls/month per repo, no setup required.
 
 **Or step-by-step if you prefer:**
 
@@ -30,20 +30,15 @@ That runs in sequence: scan your domain → write the GitHub Action workflow →
 # 1. Scaffold a GitHub Actions workflow (interactive prompts)
 npx pqcheck init
 
-# 2. Generate a free API key at https://cipherwake.io/account#api-keys
-#    (Free tier: 30 Trust Diff calls/month)
-
-# 3. Add the key as a repo secret:
-#    GitHub → Settings → Secrets → Actions → New secret
-#    Name: CIPHERWAKE_API_KEY  Value: qpk_...
-
-# 4. Commit + push
+# 2. Commit + push
 git add .github/workflows/cipherwake.yml
 git commit -m "ci: add Cipherwake Trust Diff gate"
 git push
 ```
 
-That's it. Open a PR and Cipherwake comments inline when cert / SPKI / HSTS / CSP / DMARC / vendor scripts drift since your baseline.
+That's it. The scaffolded workflow includes `permissions: id-token: write`, so the runner mints a signed OIDC token on each run and Cipherwake meters per repo — no secret to manage. Open a PR and Cipherwake comments inline when cert / SPKI / HSTS / CSP / DMARC / vendor scripts drift since your baseline.
+
+**Need higher limits?** Paid tiers (Starter $29/mo · Growth $79/mo · Scale $199/mo) lift the per-repo quota to 1,000 / 10,000 / 50,000 calls/month. Generate an API key at [/account#api-keys](https://cipherwake.io/account#api-keys), then add it as the repo secret `CIPHERWAKE_API_KEY`. The Action uses the secret when present and falls back to OIDC when not — no code change needed to upgrade.
 
 **Want more?**
 - Pre-commit hook: `npx pqcheck deploy-check <domain>` before every deploy
@@ -254,7 +249,7 @@ This CLI is one of four ways to consume the [Decryption Blast Radius API](https:
 |---|---|
 | **CLI** (this package) | `npx pqcheck` |
 | **Browser extension** | Chrome Web Store / Firefox AMO / Edge — toolbar badge per tab + dependency analysis |
-| **GitHub Action** | [`cipherwake-io/pqcheck/action@main`](https://github.com/cipherwake-io/pqcheck/tree/main/action) — PR comments, SARIF upload, lockfile generation |
+| **GitHub Action** | [`cipherwakelabs/pqcheck/action@main`](https://github.com/cipherwakelabs/pqcheck/tree/main/action) — PR comments, SARIF upload, lockfile generation |
 | **Slack `/pqcheck`** | [Install on workspace](https://cipherwake.io/install-slack) |
 | **Web** | [cipherwake.io](https://cipherwake.io) — share-friendly URLs at `/r/<domain>` |
 
@@ -298,10 +293,10 @@ The CLI follows the same policy — output formats are stable across minor versi
   run: npx pqcheck@latest mycompany.com --threshold 7
 ```
 
-For richer integration (sticky PR comments, SARIF upload to Code Scanning, lockfile diff on regression), use the [GitHub Action](https://github.com/cipherwake-io/pqcheck/tree/main/action):
+For richer integration (sticky PR comments, SARIF upload to Code Scanning, lockfile diff on regression), use the [GitHub Action](https://github.com/cipherwakelabs/pqcheck/tree/main/action):
 
 ```yaml
-- uses: cipherwake-io/pqcheck/action@main
+- uses: cipherwakelabs/pqcheck/action@main
   with:
     domain: mycompany.com
     threshold: '7'
@@ -322,7 +317,7 @@ MIT. © 2026 Cipherwake.
 
 ---
 
-**Source:** [github.com/cipherwake-io/pqcheck](https://github.com/cipherwake-io/pqcheck)
+**Source:** [github.com/cipherwakelabs/pqcheck](https://github.com/cipherwakelabs/pqcheck)
 
 **Changelog:** [CHANGELOG.md](./CHANGELOG.md) for version-by-version release notes.
 

package/bin/pqcheck.js

@@ -2715,6 +2715,7 @@ on:
 
 permissions:
   contents: read
+  id-token: write          # required for OIDC-based metering (Free=30 calls/repo/mo, no API key needed)
   security-events: write   # required for SARIF upload to Code Scanning
   pull-requests: write     # required for sticky PR comment (Action v3.1+)
 
@@ -2729,8 +2730,11 @@ jobs:
           domain: ${domain}
           baseline: ${baseline}
           fail-on: ${failOn}
-        env:
-          CIPHERWAKE_API_KEY: \${{ secrets.CIPHERWAKE_API_KEY }}
+        # No env/secrets needed for Free tier — the action uses the
+        # workflow's id-token: write permission to fetch a GitHub-signed
+        # OIDC token and meters per repo (30 calls/mo, no setup).
+        # If you want higher limits, link this repo to a paid Cipherwake
+        # account at https://cipherwake.io/account → Linked repos.
 `;
 }
 
@@ -3300,33 +3304,19 @@ async function runOnboardCommand(args) {
   }
 
   // -------------------------------------------------------------------------
-  // Browser open + final next-steps
+  // Final next-steps (v0.13 OIDC path — no API key needed for Free tier)
   // -------------------------------------------------------------------------
-  // Query MUST come before fragment per RFC 3986. The previous order
-  // `#api-keys?utm_source=onboard` made utm_source part of the fragment
-  // (which never reaches the server), so attribution analytics never fired.
-  const apiKeyUrl = `${API_BASE}/account?utm_source=onboard#api-keys`;
-  console.log(color("bold", "  ✓ Setup files written. Three steps remain:"));
-  console.log("");
-  console.log(`  ${color("dim", "1.")} ${color("bold", "Get a free API key")} (30 Trust Diff calls/month)`);
-  console.log(`     ${color("violet", apiKeyUrl)}`);
-  if (!noOpen) {
-    const opened = await tryOpenBrowser(apiKeyUrl);
-    if (opened) {
-      console.log(`     ${color("dim", "(opened in your browser — sign in / sign up there)")}`);
-    } else {
-      console.log(`     ${color("dim", "(copy the URL above; --no-open suppresses this hint)")}`);
-    }
-  }
-  console.log("");
-  console.log(`  ${color("dim", "2.")} ${color("bold", "Add the key as a GitHub repo secret")}`);
-  console.log(`     ${color("dim", "GitHub → Settings → Secrets and variables → Actions → New repository secret")}`);
-  console.log(`     ${color("dim", "Name: CIPHERWAKE_API_KEY   Value: qpk_... (from step 1)")}`);
-  console.log("");
-  console.log(`  ${color("dim", "3.")} ${color("bold", "Commit + push")}`);
-  // R41 Q1.15 (locked 2026-05-16): build the git-add file list as an array
-  // and join, so we don't print trailing-space args when --skip flags are
-  // used. Harmless bash semantics either way; cleaner output.
+  // Pre-v0.13 this step opened a browser to the API-key page + asked the user
+  // to paste the key as a GitHub repo secret. With Action v3.2 + OIDC repo
+  // metering, the scaffolded workflow has `permissions: { id-token: write }`
+  // and the action fetches a GitHub-signed token automatically — no key, no
+  // secret, no browser hop. Free tier is 30 calls/repo/mo, enforced server-
+  // side via the `meter_gh_action_call` RPC against `gh_action_repo_quota`.
+  // For higher limits, the user links this repo to a paid account at /account
+  // (one-time OAuth) — still no API key in CI.
+  console.log(color("bold", "  ✓ Setup files written. Two steps remain:"));
+  console.log("");
+  console.log(`  ${color("dim", "1.")} ${color("bold", "Commit + push")} (no API key, no secrets needed for the Free tier)`);
   const filesToAdd = [".github/workflows/cipherwake.yml"];
   if (!skipVendors) filesToAdd.push("cipherwake.vendors.json");
   if (!skipChecklist) filesToAdd.push("CIPHERWAKE_CHECKLIST.md");
@@ -3334,8 +3324,21 @@ async function runOnboardCommand(args) {
   console.log(`     ${color("dim", "$")} git commit -m "ci: add Cipherwake Trust Diff gate"`);
   console.log(`     ${color("dim", "$")} git push`);
   console.log("");
-  console.log(`  ${color("dim", "Open a PR after pushing and Cipherwake will comment inline within ~60s of the workflow firing.")}`);
-  console.log("");
+  console.log(`  ${color("dim", "2.")} ${color("bold", "Open a PR")}`);
+  console.log(`     ${color("dim", "Cipherwake will comment inline within ~60s of the workflow firing. The action uses GitHub OIDC to meter usage per repo (Free = 30 calls/mo).")}`);
+  console.log("");
+  // R48 (post-R47 review MAJOR #6): the /account → "Linked repos" UI is
+  // not yet shipped (out of R47 scope). Pointing users to a nonexistent
+  // page-hash would create a broken growth path at the moment of intent.
+  // Route through the feedback form until the linking UI lands.
+  console.log(`  ${color("dim", "Want higher limits (1K/10K/50K Trust Diff calls/mo)?")}`);
+  console.log(`     ${color("violet", `${API_BASE}/feedback?topic=linked-repos`)}`);
+  console.log(`     ${color("dim", "Repo-linking UI is rolling out — request early access via the form.")}`);
+  console.log("");
+  // R41 fix #4 carried forward: --strict gates exit code on step failures.
+  // noOpen flag is now a no-op since we don't open a browser, but we keep it
+  // accepted for backward compat with users who already pass --no-open.
+  void noOpen;
   // R41 fix #4: --strict makes onboard exit non-zero if any step failed.
   // Default (best-effort) exit 0 keeps the wizard friendly for first-time
   // human setup — the visible yellow warnings tell them what to retry.

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "pqcheck",
-  "version": "0.12.0",
-  "description": "Decryption Blast Radius scanner — find out how much of your data unlocks when quantum decryption arrives.",
+  "version": "0.13.1",
+  "description": "HTTPS posture scanner with Trust Diff for CI, vendor lockfile + drift alerts, cross-tenant key map, and HNDL/quantum-decryption risk scoring. Free, no signup.",
   "keywords": [
     "post-quantum",
     "cryptography",
@@ -21,7 +21,7 @@
   "bugs": "https://cipherwake.io",
   "repository": {
     "type": "git",
-    "url": "https://github.com/cipherwake-io/pqcheck.git",
+    "url": "https://github.com/cipherwakelabs/pqcheck.git",
     "directory": "cli"
   },
   "license": "MIT",