pqcheck 0.13.2 → 0.14.0

package/bin/pqcheck.js

@@ -94,6 +94,12 @@ async function main() {
     // cipherwakelabs/pqcheck Action mode: trust-diff.
     return runTrustDiffCommand(args.slice(1));
   }
+  if (args[0] === "preview-diff") {
+    // CLI v0.14.0 (locked 2026-05-19): preview deployment vs production diff.
+    // Calls /api/preview-diff with two URLs and reports application-surface
+    // changes (new third-party scripts, header regressions, score drops).
+    return runPreviewDiffCommand(args.slice(1));
+  }
   if (args[0] === "history") {
     return runHistoryCommand(args.slice(1));
   }
@@ -2123,6 +2129,142 @@ async function runTrustDiffCommand(args) {
   process.exit(0);
 }
 
+/**
+ * `pqcheck preview-diff --preview <URL> --production <URL>` — compare a preview
+ * deployment URL against a production canonical URL. Surfaces new third-party
+ * scripts, security-header regressions, and DBR score drops. CLI v0.14.0.
+ *
+ * Inputs:
+ *   --preview <URL>       Preview deployment URL (required)
+ *   --production <URL>    Production canonical URL (required)
+ *   --compare-transport   Include TLS/cert/SPKI in verdict (default off — preview
+ *                         URLs are typically edge-hosted by Vercel/Netlify/Cloudflare
+ *                         and direct transport comparison is noise).
+ *   --fail-on <severity>  any | low | medium | high | critical (default high).
+ *                         Honored on paid tiers; Free is report-only.
+ *   --format              pretty (default) | json
+ *
+ * Exit codes match trust-diff: 0 pass · 1 warn · 2 fail · 3 error.
+ *
+ * Requires CIPHERWAKE_API_KEY env var (Free tier: 100 calls/repo/mo at
+ * /account#api-keys, or use the GitHub Action which fetches OIDC automatically).
+ */
+async function runPreviewDiffCommand(args) {
+  const previewUrl = parseFlag(args, "--preview");
+  const productionUrl = parseFlag(args, "--production");
+  if (!previewUrl || !productionUrl) {
+    console.error(color("red", "error: pqcheck preview-diff requires --preview and --production URLs"));
+    console.error(color("dim", "Usage: npx pqcheck preview-diff --preview https://preview-xyz.vercel.app --production https://example.com [--compare-transport] [--fail-on high] [--format pretty|json]"));
+    process.exit(3);
+  }
+  if (!QP_API_KEY) {
+    console.error(color("red", "error: pqcheck preview-diff requires CIPHERWAKE_API_KEY"));
+    console.error(color("dim", "Generate a free key (100 calls/repo/mo) at https://cipherwake.io/account#api-keys"));
+    console.error(color("dim", "Then: export CIPHERWAKE_API_KEY=qpk_<32-hex>"));
+    console.error(color("dim", "Or use the GitHub Action with 'permissions: id-token: write' — no key needed."));
+    process.exit(3);
+  }
+
+  const compareTransport = args.includes("--compare-transport");
+  const failOn = parseFlag(args, "--fail-on") || "high";
+  const format = parseFlag(args, "--format") || "pretty";
+
+  // R66 (B4 / Q4.2 fix): policy_mode mirrors --fail-on intent.
+  // `--fail-on none` (or `off`) → report-only; anything else → fail mode.
+  // Server silently downgrades on Free tier; paid tier honors fail.
+  // This makes the CLI exit-code semantics actually fire for paid users.
+  const policyMode = ["none", "off", ""].includes(String(failOn).toLowerCase())
+    ? "report"
+    : "fail";
+
+  let resp;
+  try {
+    resp = await fetch(`${API_BASE}/api/preview-diff`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${QP_API_KEY}`,
+        "User-Agent": `pqcheck-cli/${VERSION}`,
+      },
+      body: JSON.stringify({
+        preview_url: previewUrl,
+        production_url: productionUrl,
+        compare_transport: compareTransport,
+        fail_on: failOn,
+        policy_mode: policyMode,
+      }),
+    });
+  } catch (err) {
+    console.error(color("red", `error: network failure calling /api/preview-diff: ${err.message}`));
+    process.exit(3);
+  }
+
+  if (resp.status === 401 || resp.status === 403) {
+    await handleAuthError(resp);
+    process.exit(3);
+  }
+  if (resp.status === 429) {
+    const body = await safeJSON(resp);
+    console.error(color("red", "error: Preview Diff API quota exceeded for this month"));
+    if (body?.message) console.error(color("dim", body.message));
+    process.exit(3);
+  }
+  if (!resp.ok) {
+    const body = await safeJSON(resp);
+    console.error(color("red", `error: /api/preview-diff returned ${resp.status}`));
+    if (body?.message) console.error(color("dim", body.message));
+    process.exit(3);
+  }
+
+  const result = await resp.json();
+  const verdict = result?.result?.verdict || "pass";
+  const summaryLines = result?.result?.summary_lines || [];
+
+  if (format === "json") {
+    console.log(JSON.stringify(result, null, 2));
+  } else {
+    console.log("");
+    console.log(`  ${color("bold", "Cipherwake Preview Trust Diff")}`);
+    console.log(`  ${color("dim", `preview=${previewUrl}`)}`);
+    console.log(`  ${color("dim", `production=${productionUrl}`)}`);
+    const prevScore = result?.preview?.score;
+    const prodScore = result?.production?.score;
+    if (typeof prevScore === "number" || typeof prodScore === "number") {
+      console.log(`  ${color("dim", `DBR: preview=${typeof prevScore === "number" ? prevScore.toFixed(1) : "—"} · production=${typeof prodScore === "number" ? prodScore.toFixed(1) : "—"}`)}`);
+    }
+    console.log("");
+    console.log(`  ${color("bold", "Application surface:")}`);
+    if (summaryLines.length === 0 || (summaryLines.length === 1 && /no meaningful/i.test(summaryLines[0]))) {
+      console.log(`    ${color("green", "✓ No meaningful application-surface changes detected.")}`);
+    } else {
+      for (const line of summaryLines) {
+        const c = line.startsWith("+") ? "yellow" : line.startsWith("-") ? "red" : "dim";
+        console.log(`    ${color(c, line)}`);
+      }
+    }
+    console.log("");
+    const transport = result?.result?.transport || {};
+    if (transport.preview_is_edge_hosted) {
+      console.log(`  ${color("dim", `Transport: preview is edge-hosted (${transport.preview_cert_issuer ?? "unknown"}) — informational only.`)}`);
+    } else if (transport.preview_cert_issuer && transport.preview_cert_issuer !== transport.production_cert_issuer) {
+      console.log(`  ${color("dim", `Transport: cert issuer differs (${transport.production_cert_issuer ?? "—"} → ${transport.preview_cert_issuer ?? "—"}).`)}`);
+    }
+    console.log("");
+    const verdictColor = verdict === "fail" ? "red" : verdict === "warn" ? "yellow" : "green";
+    console.log(`  Verdict: ${color(verdictColor, verdict.toUpperCase())} (max severity: ${result?.result?.max_severity || "info"})`);
+    console.log(`  Tier: ${result?.tier || "free"} · policy: ${result?.policy_mode_effective || "report"}`);
+    if (result.upgrade_hint) {
+      console.log("");
+      console.log(`  ${color("dim", "💡 " + result.upgrade_hint)}`);
+    }
+    console.log("");
+  }
+
+  if (verdict === "fail") process.exit(2);
+  if (verdict === "warn") process.exit(1);
+  process.exit(0);
+}
+
 /**
  * Convert /api/trust-diff response to SARIF 2.1.0 for upload via
  * github/codeql-action/upload-sarif@v3. Each delta becomes a result with

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "pqcheck",
-  "version": "0.13.2",
-  "description": "HTTPS posture scanner with Trust Diff for CI, vendor lockfile + drift alerts, cross-tenant key map, and HNDL/quantum-decryption risk scoring. Free, no signup.",
+  "version": "0.14.0",
+  "description": "HTTPS posture scanner with Preview Deploy Trust Diff for PRs, Trust Diff for CI, vendor lockfile + drift alerts, cross-tenant key map, and HNDL/quantum-decryption risk scoring. Free, no signup.",
   "keywords": [
     "post-quantum",
     "cryptography",