pqcheck 0.13.0 → 0.13.2

package/README.md

@@ -22,7 +22,7 @@ Wire Cipherwake into your CI so every PR gets a Trust Diff comment when your dom
 npx pqcheck onboard cipherwake.io
 ```
 
-That runs in sequence: scan your domain → write the GitHub Action workflow → capture a vendor lockfile → generate a release checklist → open your browser to the API-key page. You finish by adding the API key as a repo secret + committing.
+That runs in sequence: scan your domain → write the GitHub Action workflow → capture a vendor lockfile → generate a release checklist → commit + push. **No API key, no repo secret.** The scaffolded workflow uses GitHub Actions OIDC (`id-token: write`) to authenticate to Cipherwake — Free includes 100 Trust Diff calls/month per repo, no setup required.
 
 **Or step-by-step if you prefer:**
 
@@ -30,20 +30,15 @@ That runs in sequence: scan your domain → write the GitHub Action workflow →
 # 1. Scaffold a GitHub Actions workflow (interactive prompts)
 npx pqcheck init
 
-# 2. Generate a free API key at https://cipherwake.io/account#api-keys
-#    (Free tier: 30 Trust Diff calls/month)
-
-# 3. Add the key as a repo secret:
-#    GitHub → Settings → Secrets → Actions → New secret
-#    Name: CIPHERWAKE_API_KEY  Value: qpk_...
-
-# 4. Commit + push
+# 2. Commit + push
 git add .github/workflows/cipherwake.yml
 git commit -m "ci: add Cipherwake Trust Diff gate"
 git push
 ```
 
-That's it. Open a PR and Cipherwake comments inline when cert / SPKI / HSTS / CSP / DMARC / vendor scripts drift since your baseline.
+That's it. The scaffolded workflow includes `permissions: id-token: write`, so the runner mints a signed OIDC token on each run and Cipherwake meters per repo — no secret to manage. Open a PR and Cipherwake comments inline when cert / SPKI / HSTS / CSP / DMARC / vendor scripts drift since your baseline.
+
+**Need higher limits?** Paid tiers (Starter $29/mo · Growth $79/mo · Scale $199/mo) lift the per-repo quota to 1,000 / 10,000 / 50,000 calls/month. Generate an API key at [/account#api-keys](https://cipherwake.io/account#api-keys), then add it as the repo secret `CIPHERWAKE_API_KEY`. The Action uses the secret when present and falls back to OIDC when not — no code change needed to upgrade.
 
 **Want more?**
 - Pre-commit hook: `npx pqcheck deploy-check <domain>` before every deploy
@@ -54,7 +49,7 @@ That's it. Open a PR and Cipherwake comments inline when cert / SPKI / HSTS / CS
 
 ## What's new in 0.12.0
 
-**Developer habit-loop bundle (locked 2026-05-16).** Five new subcommands that put Cipherwake where developers already work: PRs, CI, release notes, vendor allowlists. Free tier covers all of them within the 30 Trust Diff calls/month quota.
+**Developer habit-loop bundle (locked 2026-05-16).** Five new subcommands that put Cipherwake where developers already work: PRs, CI, release notes, vendor allowlists. Free tier covers all of them within the 100 Trust Diff calls/month per repo quota.
 
 - `pqcheck init` — interactive scaffold for `.github/workflows/cipherwake.yml`. Prompts for domain, fail-on severity, baseline. No copy-paste from docs required.
 - `pqcheck deploy-check <domain>` — pre-deploy Trust Diff gate with deploy-friendly framing. Uses last-scan as default baseline. Same exit semantics as `trust-diff`.

package/bin/pqcheck.js

@@ -2665,7 +2665,7 @@ async function runInitCommand(args) {
   console.log(`  ${color("bold", "Next steps:")}`);
   console.log("");
   console.log(`  ${color("dim", "1.")} Generate a Cipherwake API key at ${color("violet", "https://cipherwake.io/account#api-keys")}`);
-  console.log(`     ${color("dim", "Free tier: 30 Trust Diff calls/month")}`);
+  console.log(`     ${color("dim", "Free tier: 100 Trust Diff calls/month per repo")}`);
   console.log("");
   console.log(`  ${color("dim", "2.")} Add it as a repo secret:`);
   console.log(`     ${color("dim", "Settings → Secrets and variables → Actions → New repository secret")}`);
@@ -2701,7 +2701,7 @@ function renderTrustDiffWorkflow({ domain, failOn, baseline }) {
 # posture regresses vs the baseline (cert / SPKI / vendor scripts / HSTS / CSP /
 # DMARC / HNDL).
 #
-# Free tier: 30 Trust Diff calls/month per CIPHERWAKE_API_KEY.
+# Free tier: 100 Trust Diff calls/month per repo (OIDC-metered).
 # Methodology: https://cipherwake.io/methodology/
 # Action source: https://github.com/cipherwakelabs/pqcheck
 
@@ -2715,7 +2715,7 @@ on:
 
 permissions:
   contents: read
-  id-token: write          # required for OIDC-based metering (Free=30 calls/repo/mo, no API key needed)
+  id-token: write          # required for OIDC-based metering (Free=100 calls/repo/mo, no API key needed)
   security-events: write   # required for SARIF upload to Code Scanning
   pull-requests: write     # required for sticky PR comment (Action v3.1+)
 
@@ -2762,7 +2762,7 @@ async function prompt(question) {
 //     pre-build, Netlify build commands, custom CD scripts)
 //
 // Exit codes match trust-diff: 0 pass · 1 warn · 2 fail · 3 error.
-// Consumes the same Free 30 Trust Diff calls/month quota.
+// Consumes the same Free 100 Trust Diff calls/month per repo quota.
 // =============================================================================
 
 async function runDeployCheckCommand(args) {
@@ -3310,7 +3310,7 @@ async function runOnboardCommand(args) {
   // to paste the key as a GitHub repo secret. With Action v3.2 + OIDC repo
   // metering, the scaffolded workflow has `permissions: { id-token: write }`
   // and the action fetches a GitHub-signed token automatically — no key, no
-  // secret, no browser hop. Free tier is 30 calls/repo/mo, enforced server-
+  // secret, no browser hop. Free tier is 100 calls/repo/mo, enforced server-
   // side via the `meter_gh_action_call` RPC against `gh_action_repo_quota`.
   // For higher limits, the user links this repo to a paid account at /account
   // (one-time OAuth) — still no API key in CI.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.13.0",
+  "version": "0.13.2",
   "description": "HTTPS posture scanner with Trust Diff for CI, vendor lockfile + drift alerts, cross-tenant key map, and HNDL/quantum-decryption risk scoring. Free, no signup.",
   "keywords": [
     "post-quantum",