npm - pqcheck - Versions diffs - 0.13.2 → 0.14.1 - Mend

pqcheck 0.13.2 → 0.14.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -47,6 +47,42 @@ That's it. The scaffolded workflow includes `permissions: id-token: write`, so t
 ---
+## What's new in 0.14.0
+**Preview Deploy Trust Diff (R67-locked 2026-05-19).** Compare a preview deployment URL against production and surface application-surface changes (new third-party scripts, header regressions, DBR score drops) inside the PR review — before merge. The stickiest dev-workflow feature per Cipherwake's design ranking, with a dedicated SSRF-pinned scan path that keeps preview-URL hostnames out of our moat tables (feature-branch names stay private).
+```bash
+npx pqcheck preview-diff \
+  --preview https://feature-x-abc123.vercel.app \
+  --production https://example.com
+```
+Sample output:
+```
+  Cipherwake Preview Trust Diff
+  preview=https://feature-x-abc123.vercel.app
+  production=https://example.com
+  Application surface:
+    + New third-party script: widget.intercom.io
+    - Content-Security-Policy [script-src] added permissive token(s): 'unsafe-inline'
+    ~ Strict-Transport-Security weakened: max-age=31536000 → max-age=3600
+  Transport: preview is edge-hosted (Let's Encrypt) — informational only.
+  Verdict: WARN (max severity: high)
+  Tier: free · policy: report
+```
+Flags: `--preview <URL>` · `--production <URL>` · `--compare-transport` (opt in TLS/cert/SPKI in verdict) · `--fail-on <severity>` (default `high`; pass `none` for report-only) · `--format pretty|json`.
+Exit codes match `trust-diff`: `0` pass · `1` warn · `2` fail · `3` error. Free tier silently downgrades fail → report and notes the upgrade hook in the response; Starter+ honors `fail-on` for real CI gating.
+Auth: `CIPHERWAKE_API_KEY` env (or the GitHub Action which fetches OIDC automatically — no key needed for Free).
+Also: CSP weakening detection now diffs `script-src` / `default-src` / `object-src` / `frame-ancestors` / `base-uri` / `style-src` directives for newly-permissive tokens (`*`, `'unsafe-inline'`, `'unsafe-eval'`, `data:`, `blob:`).
 ## What's new in 0.12.0
 **Developer habit-loop bundle (locked 2026-05-16).** Five new subcommands that put Cipherwake where developers already work: PRs, CI, release notes, vendor allowlists. Free tier covers all of them within the 100 Trust Diff calls/month per repo quota.
@@ -100,7 +136,8 @@ npx pqcheck diff <old.lock> <new.lock>        Compare two QXM lockfiles; exit 2
 npx pqcheck history <domain>                  Show 90-day score history (sparkline + samples)
 npx pqcheck changes <domain>                  Summarize public attack-surface changes in last 14 days
 npx pqcheck cert <file.pem>                   Analyze a local PEM/CRT cert file (offline, no network)
-npx pqcheck trust-diff <domain>               Trust Diff vs configured baseline; CI gate (Free: 30/mo)
+npx pqcheck trust-diff <domain>               Trust Diff vs configured baseline; CI gate (Free: 100/repo/mo)
+npx pqcheck preview-diff --preview U --production U  Preview-URL vs production-URL diff; new scripts + header regressions + score drops (NEW in 0.14.0)
 npx pqcheck deploy-check <domain>             Pre-deploy gate (Trust Diff alias with last-scan baseline)
 npx pqcheck onboard <domain>                  One-command setup wizard (scan + init + vendors + checklist)
 npx pqcheck init                              Interactive scaffold for .github/workflows/cipherwake.yml

package/bin/pqcheck.js CHANGED Viewed

@@ -94,6 +94,12 @@ async function main() {
     // cipherwakelabs/pqcheck Action mode: trust-diff.
     return runTrustDiffCommand(args.slice(1));
   }
+  if (args[0] === "preview-diff") {
+    // CLI v0.14.0 (locked 2026-05-19): preview deployment vs production diff.
+    // Calls /api/preview-diff with two URLs and reports application-surface
+    // changes (new third-party scripts, header regressions, score drops).
+    return runPreviewDiffCommand(args.slice(1));
+  }
   if (args[0] === "history") {
     return runHistoryCommand(args.slice(1));
   }
@@ -2123,6 +2129,142 @@ async function runTrustDiffCommand(args) {
   process.exit(0);
 }
+/**
+ * `pqcheck preview-diff --preview <URL> --production <URL>` — compare a preview
+ * deployment URL against a production canonical URL. Surfaces new third-party
+ * scripts, security-header regressions, and DBR score drops. CLI v0.14.0.
+ *
+ * Inputs:
+ *   --preview <URL>       Preview deployment URL (required)
+ *   --production <URL>    Production canonical URL (required)
+ *   --compare-transport   Include TLS/cert/SPKI in verdict (default off — preview
+ *                         URLs are typically edge-hosted by Vercel/Netlify/Cloudflare
+ *                         and direct transport comparison is noise).
+ *   --fail-on <severity>  any | low | medium | high | critical (default high).
+ *                         Honored on paid tiers; Free is report-only.
+ *   --format              pretty (default) | json
+ *
+ * Exit codes match trust-diff: 0 pass · 1 warn · 2 fail · 3 error.
+ *
+ * Requires CIPHERWAKE_API_KEY env var (Free tier: 100 calls/repo/mo at
+ * /account#api-keys, or use the GitHub Action which fetches OIDC automatically).
+ */
+async function runPreviewDiffCommand(args) {
+  const previewUrl = parseFlag(args, "--preview");
+  const productionUrl = parseFlag(args, "--production");
+  if (!previewUrl || !productionUrl) {
+    console.error(color("red", "error: pqcheck preview-diff requires --preview and --production URLs"));
+    console.error(color("dim", "Usage: npx pqcheck preview-diff --preview https://preview-xyz.vercel.app --production https://example.com [--compare-transport] [--fail-on high] [--format pretty|json]"));
+    process.exit(3);
+  }
+  if (!QP_API_KEY) {
+    console.error(color("red", "error: pqcheck preview-diff requires CIPHERWAKE_API_KEY"));
+    console.error(color("dim", "Generate a free key (100 calls/repo/mo) at https://cipherwake.io/account#api-keys"));
+    console.error(color("dim", "Then: export CIPHERWAKE_API_KEY=qpk_<32-hex>"));
+    console.error(color("dim", "Or use the GitHub Action with 'permissions: id-token: write' — no key needed."));
+    process.exit(3);
+  }
+  const compareTransport = args.includes("--compare-transport");
+  const failOn = parseFlag(args, "--fail-on") || "high";
+  const format = parseFlag(args, "--format") || "pretty";
+  // R66 (B4 / Q4.2 fix): policy_mode mirrors --fail-on intent.
+  // `--fail-on none` (or `off`) → report-only; anything else → fail mode.
+  // Server silently downgrades on Free tier; paid tier honors fail.
+  // This makes the CLI exit-code semantics actually fire for paid users.
+  const policyMode = ["none", "off", ""].includes(String(failOn).toLowerCase())
+    ? "report"
+    : "fail";
+  let resp;
+  try {
+    resp = await fetch(`${API_BASE}/api/preview-diff`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${QP_API_KEY}`,
+        "User-Agent": `pqcheck-cli/${VERSION}`,
+      },
+      body: JSON.stringify({
+        preview_url: previewUrl,
+        production_url: productionUrl,
+        compare_transport: compareTransport,
+        fail_on: failOn,
+        policy_mode: policyMode,
+      }),
+    });
+  } catch (err) {
+    console.error(color("red", `error: network failure calling /api/preview-diff: ${err.message}`));
+    process.exit(3);
+  }
+  if (resp.status === 401 || resp.status === 403) {
+    await handleAuthError(resp);
+    process.exit(3);
+  }
+  if (resp.status === 429) {
+    const body = await safeJSON(resp);
+    console.error(color("red", "error: Preview Diff API quota exceeded for this month"));
+    if (body?.message) console.error(color("dim", body.message));
+    process.exit(3);
+  }
+  if (!resp.ok) {
+    const body = await safeJSON(resp);
+    console.error(color("red", `error: /api/preview-diff returned ${resp.status}`));
+    if (body?.message) console.error(color("dim", body.message));
+    process.exit(3);
+  }
+  const result = await resp.json();
+  const verdict = result?.result?.verdict || "pass";
+  const summaryLines = result?.result?.summary_lines || [];
+  if (format === "json") {
+    console.log(JSON.stringify(result, null, 2));
+  } else {
+    console.log("");
+    console.log(`  ${color("bold", "Cipherwake Preview Trust Diff")}`);
+    console.log(`  ${color("dim", `preview=${previewUrl}`)}`);
+    console.log(`  ${color("dim", `production=${productionUrl}`)}`);
+    const prevScore = result?.preview?.score;
+    const prodScore = result?.production?.score;
+    if (typeof prevScore === "number" || typeof prodScore === "number") {
+      console.log(`  ${color("dim", `DBR: preview=${typeof prevScore === "number" ? prevScore.toFixed(1) : "—"} · production=${typeof prodScore === "number" ? prodScore.toFixed(1) : "—"}`)}`);
+    }
+    console.log("");
+    console.log(`  ${color("bold", "Application surface:")}`);
+    if (summaryLines.length === 0 || (summaryLines.length === 1 && /no meaningful/i.test(summaryLines[0]))) {
+      console.log(`    ${color("green", "✓ No meaningful application-surface changes detected.")}`);
+    } else {
+      for (const line of summaryLines) {
+        const c = line.startsWith("+") ? "yellow" : line.startsWith("-") ? "red" : "dim";
+        console.log(`    ${color(c, line)}`);
+      }
+    }
+    console.log("");
+    const transport = result?.result?.transport || {};
+    if (transport.preview_is_edge_hosted) {
+      console.log(`  ${color("dim", `Transport: preview is edge-hosted (${transport.preview_cert_issuer ?? "unknown"}) — informational only.`)}`);
+    } else if (transport.preview_cert_issuer && transport.preview_cert_issuer !== transport.production_cert_issuer) {
+      console.log(`  ${color("dim", `Transport: cert issuer differs (${transport.production_cert_issuer ?? "—"} → ${transport.preview_cert_issuer ?? "—"}).`)}`);
+    }
+    console.log("");
+    const verdictColor = verdict === "fail" ? "red" : verdict === "warn" ? "yellow" : "green";
+    console.log(`  Verdict: ${color(verdictColor, verdict.toUpperCase())} (max severity: ${result?.result?.max_severity || "info"})`);
+    console.log(`  Tier: ${result?.tier || "free"} · policy: ${result?.policy_mode_effective || "report"}`);
+    if (result.upgrade_hint) {
+      console.log("");
+      console.log(`  ${color("dim", "💡 " + result.upgrade_hint)}`);
+    }
+    console.log("");
+  }
+  if (verdict === "fail") process.exit(2);
+  if (verdict === "warn") process.exit(1);
+  process.exit(0);
+}
 /**
  * Convert /api/trust-diff response to SARIF 2.1.0 for upload via
  * github/codeql-action/upload-sarif@v3. Each delta becomes a result with

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "pqcheck",
-  "version": "0.13.2",
-  "description": "HTTPS posture scanner with Trust Diff for CI, vendor lockfile + drift alerts, cross-tenant key map, and HNDL/quantum-decryption risk scoring. Free, no signup.",
+  "version": "0.14.1",
+  "description": "HTTPS posture scanner with Preview Deploy Trust Diff for PRs, Trust Diff for CI, vendor lockfile + drift alerts, cross-tenant key map, and HNDL/quantum-decryption risk scoring. Free, no signup.",
   "keywords": [
     "post-quantum",
     "cryptography",