pqcheck 0.13.1 → 0.14.0

package/README.md

@@ -22,7 +22,7 @@ Wire Cipherwake into your CI so every PR gets a Trust Diff comment when your dom
 npx pqcheck onboard cipherwake.io
 ```
 
-That runs in sequence: scan your domain → write the GitHub Action workflow → capture a vendor lockfile → generate a release checklist → commit + push. **No API key, no repo secret.** The scaffolded workflow uses GitHub Actions OIDC (`id-token: write`) to authenticate to Cipherwake — Free includes 30 Trust Diff calls/month per repo, no setup required.
+That runs in sequence: scan your domain → write the GitHub Action workflow → capture a vendor lockfile → generate a release checklist → commit + push. **No API key, no repo secret.** The scaffolded workflow uses GitHub Actions OIDC (`id-token: write`) to authenticate to Cipherwake — Free includes 100 Trust Diff calls/month per repo, no setup required.
 
 **Or step-by-step if you prefer:**
 
@@ -49,7 +49,7 @@ That's it. The scaffolded workflow includes `permissions: id-token: write`, so t
 
 ## What's new in 0.12.0
 
-**Developer habit-loop bundle (locked 2026-05-16).** Five new subcommands that put Cipherwake where developers already work: PRs, CI, release notes, vendor allowlists. Free tier covers all of them within the 30 Trust Diff calls/month quota.
+**Developer habit-loop bundle (locked 2026-05-16).** Five new subcommands that put Cipherwake where developers already work: PRs, CI, release notes, vendor allowlists. Free tier covers all of them within the 100 Trust Diff calls/month per repo quota.
 
 - `pqcheck init` — interactive scaffold for `.github/workflows/cipherwake.yml`. Prompts for domain, fail-on severity, baseline. No copy-paste from docs required.
 - `pqcheck deploy-check <domain>` — pre-deploy Trust Diff gate with deploy-friendly framing. Uses last-scan as default baseline. Same exit semantics as `trust-diff`.

package/bin/pqcheck.js

@@ -94,6 +94,12 @@ async function main() {
     // cipherwakelabs/pqcheck Action mode: trust-diff.
     return runTrustDiffCommand(args.slice(1));
   }
+  if (args[0] === "preview-diff") {
+    // CLI v0.14.0 (locked 2026-05-19): preview deployment vs production diff.
+    // Calls /api/preview-diff with two URLs and reports application-surface
+    // changes (new third-party scripts, header regressions, score drops).
+    return runPreviewDiffCommand(args.slice(1));
+  }
   if (args[0] === "history") {
     return runHistoryCommand(args.slice(1));
   }
@@ -2123,6 +2129,142 @@ async function runTrustDiffCommand(args) {
   process.exit(0);
 }
 
+/**
+ * `pqcheck preview-diff --preview <URL> --production <URL>` — compare a preview
+ * deployment URL against a production canonical URL. Surfaces new third-party
+ * scripts, security-header regressions, and DBR score drops. CLI v0.14.0.
+ *
+ * Inputs:
+ *   --preview <URL>       Preview deployment URL (required)
+ *   --production <URL>    Production canonical URL (required)
+ *   --compare-transport   Include TLS/cert/SPKI in verdict (default off — preview
+ *                         URLs are typically edge-hosted by Vercel/Netlify/Cloudflare
+ *                         and direct transport comparison is noise).
+ *   --fail-on <severity>  any | low | medium | high | critical (default high).
+ *                         Honored on paid tiers; Free is report-only.
+ *   --format              pretty (default) | json
+ *
+ * Exit codes match trust-diff: 0 pass · 1 warn · 2 fail · 3 error.
+ *
+ * Requires CIPHERWAKE_API_KEY env var (Free tier: 100 calls/repo/mo at
+ * /account#api-keys, or use the GitHub Action which fetches OIDC automatically).
+ */
+async function runPreviewDiffCommand(args) {
+  const previewUrl = parseFlag(args, "--preview");
+  const productionUrl = parseFlag(args, "--production");
+  if (!previewUrl || !productionUrl) {
+    console.error(color("red", "error: pqcheck preview-diff requires --preview and --production URLs"));
+    console.error(color("dim", "Usage: npx pqcheck preview-diff --preview https://preview-xyz.vercel.app --production https://example.com [--compare-transport] [--fail-on high] [--format pretty|json]"));
+    process.exit(3);
+  }
+  if (!QP_API_KEY) {
+    console.error(color("red", "error: pqcheck preview-diff requires CIPHERWAKE_API_KEY"));
+    console.error(color("dim", "Generate a free key (100 calls/repo/mo) at https://cipherwake.io/account#api-keys"));
+    console.error(color("dim", "Then: export CIPHERWAKE_API_KEY=qpk_<32-hex>"));
+    console.error(color("dim", "Or use the GitHub Action with 'permissions: id-token: write' — no key needed."));
+    process.exit(3);
+  }
+
+  const compareTransport = args.includes("--compare-transport");
+  const failOn = parseFlag(args, "--fail-on") || "high";
+  const format = parseFlag(args, "--format") || "pretty";
+
+  // R66 (B4 / Q4.2 fix): policy_mode mirrors --fail-on intent.
+  // `--fail-on none` (or `off`) → report-only; anything else → fail mode.
+  // Server silently downgrades on Free tier; paid tier honors fail.
+  // This makes the CLI exit-code semantics actually fire for paid users.
+  const policyMode = ["none", "off", ""].includes(String(failOn).toLowerCase())
+    ? "report"
+    : "fail";
+
+  let resp;
+  try {
+    resp = await fetch(`${API_BASE}/api/preview-diff`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${QP_API_KEY}`,
+        "User-Agent": `pqcheck-cli/${VERSION}`,
+      },
+      body: JSON.stringify({
+        preview_url: previewUrl,
+        production_url: productionUrl,
+        compare_transport: compareTransport,
+        fail_on: failOn,
+        policy_mode: policyMode,
+      }),
+    });
+  } catch (err) {
+    console.error(color("red", `error: network failure calling /api/preview-diff: ${err.message}`));
+    process.exit(3);
+  }
+
+  if (resp.status === 401 || resp.status === 403) {
+    await handleAuthError(resp);
+    process.exit(3);
+  }
+  if (resp.status === 429) {
+    const body = await safeJSON(resp);
+    console.error(color("red", "error: Preview Diff API quota exceeded for this month"));
+    if (body?.message) console.error(color("dim", body.message));
+    process.exit(3);
+  }
+  if (!resp.ok) {
+    const body = await safeJSON(resp);
+    console.error(color("red", `error: /api/preview-diff returned ${resp.status}`));
+    if (body?.message) console.error(color("dim", body.message));
+    process.exit(3);
+  }
+
+  const result = await resp.json();
+  const verdict = result?.result?.verdict || "pass";
+  const summaryLines = result?.result?.summary_lines || [];
+
+  if (format === "json") {
+    console.log(JSON.stringify(result, null, 2));
+  } else {
+    console.log("");
+    console.log(`  ${color("bold", "Cipherwake Preview Trust Diff")}`);
+    console.log(`  ${color("dim", `preview=${previewUrl}`)}`);
+    console.log(`  ${color("dim", `production=${productionUrl}`)}`);
+    const prevScore = result?.preview?.score;
+    const prodScore = result?.production?.score;
+    if (typeof prevScore === "number" || typeof prodScore === "number") {
+      console.log(`  ${color("dim", `DBR: preview=${typeof prevScore === "number" ? prevScore.toFixed(1) : "—"} · production=${typeof prodScore === "number" ? prodScore.toFixed(1) : "—"}`)}`);
+    }
+    console.log("");
+    console.log(`  ${color("bold", "Application surface:")}`);
+    if (summaryLines.length === 0 || (summaryLines.length === 1 && /no meaningful/i.test(summaryLines[0]))) {
+      console.log(`    ${color("green", "✓ No meaningful application-surface changes detected.")}`);
+    } else {
+      for (const line of summaryLines) {
+        const c = line.startsWith("+") ? "yellow" : line.startsWith("-") ? "red" : "dim";
+        console.log(`    ${color(c, line)}`);
+      }
+    }
+    console.log("");
+    const transport = result?.result?.transport || {};
+    if (transport.preview_is_edge_hosted) {
+      console.log(`  ${color("dim", `Transport: preview is edge-hosted (${transport.preview_cert_issuer ?? "unknown"}) — informational only.`)}`);
+    } else if (transport.preview_cert_issuer && transport.preview_cert_issuer !== transport.production_cert_issuer) {
+      console.log(`  ${color("dim", `Transport: cert issuer differs (${transport.production_cert_issuer ?? "—"} → ${transport.preview_cert_issuer ?? "—"}).`)}`);
+    }
+    console.log("");
+    const verdictColor = verdict === "fail" ? "red" : verdict === "warn" ? "yellow" : "green";
+    console.log(`  Verdict: ${color(verdictColor, verdict.toUpperCase())} (max severity: ${result?.result?.max_severity || "info"})`);
+    console.log(`  Tier: ${result?.tier || "free"} · policy: ${result?.policy_mode_effective || "report"}`);
+    if (result.upgrade_hint) {
+      console.log("");
+      console.log(`  ${color("dim", "💡 " + result.upgrade_hint)}`);
+    }
+    console.log("");
+  }
+
+  if (verdict === "fail") process.exit(2);
+  if (verdict === "warn") process.exit(1);
+  process.exit(0);
+}
+
 /**
  * Convert /api/trust-diff response to SARIF 2.1.0 for upload via
  * github/codeql-action/upload-sarif@v3. Each delta becomes a result with
@@ -2665,7 +2807,7 @@ async function runInitCommand(args) {
   console.log(`  ${color("bold", "Next steps:")}`);
   console.log("");
   console.log(`  ${color("dim", "1.")} Generate a Cipherwake API key at ${color("violet", "https://cipherwake.io/account#api-keys")}`);
-  console.log(`     ${color("dim", "Free tier: 30 Trust Diff calls/month")}`);
+  console.log(`     ${color("dim", "Free tier: 100 Trust Diff calls/month per repo")}`);
   console.log("");
   console.log(`  ${color("dim", "2.")} Add it as a repo secret:`);
   console.log(`     ${color("dim", "Settings → Secrets and variables → Actions → New repository secret")}`);
@@ -2701,7 +2843,7 @@ function renderTrustDiffWorkflow({ domain, failOn, baseline }) {
 # posture regresses vs the baseline (cert / SPKI / vendor scripts / HSTS / CSP /
 # DMARC / HNDL).
 #
-# Free tier: 30 Trust Diff calls/month per CIPHERWAKE_API_KEY.
+# Free tier: 100 Trust Diff calls/month per repo (OIDC-metered).
 # Methodology: https://cipherwake.io/methodology/
 # Action source: https://github.com/cipherwakelabs/pqcheck
 
@@ -2715,7 +2857,7 @@ on:
 
 permissions:
   contents: read
-  id-token: write          # required for OIDC-based metering (Free=30 calls/repo/mo, no API key needed)
+  id-token: write          # required for OIDC-based metering (Free=100 calls/repo/mo, no API key needed)
   security-events: write   # required for SARIF upload to Code Scanning
   pull-requests: write     # required for sticky PR comment (Action v3.1+)
 
@@ -2762,7 +2904,7 @@ async function prompt(question) {
 //     pre-build, Netlify build commands, custom CD scripts)
 //
 // Exit codes match trust-diff: 0 pass · 1 warn · 2 fail · 3 error.
-// Consumes the same Free 30 Trust Diff calls/month quota.
+// Consumes the same Free 100 Trust Diff calls/month per repo quota.
 // =============================================================================
 
 async function runDeployCheckCommand(args) {
@@ -3310,7 +3452,7 @@ async function runOnboardCommand(args) {
   // to paste the key as a GitHub repo secret. With Action v3.2 + OIDC repo
   // metering, the scaffolded workflow has `permissions: { id-token: write }`
   // and the action fetches a GitHub-signed token automatically — no key, no
-  // secret, no browser hop. Free tier is 30 calls/repo/mo, enforced server-
+  // secret, no browser hop. Free tier is 100 calls/repo/mo, enforced server-
   // side via the `meter_gh_action_call` RPC against `gh_action_repo_quota`.
   // For higher limits, the user links this repo to a paid account at /account
   // (one-time OAuth) — still no API key in CI.

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "pqcheck",
-  "version": "0.13.1",
-  "description": "HTTPS posture scanner with Trust Diff for CI, vendor lockfile + drift alerts, cross-tenant key map, and HNDL/quantum-decryption risk scoring. Free, no signup.",
+  "version": "0.14.0",
+  "description": "HTTPS posture scanner with Preview Deploy Trust Diff for PRs, Trust Diff for CI, vendor lockfile + drift alerts, cross-tenant key map, and HNDL/quantum-decryption risk scoring. Free, no signup.",
   "keywords": [
     "post-quantum",
     "cryptography",