pqcheck 0.14.0 → 0.14.1

package/README.md

@@ -47,6 +47,42 @@ That's it. The scaffolded workflow includes `permissions: id-token: write`, so t
 
 ---
 
+## What's new in 0.14.0
+
+**Preview Deploy Trust Diff (R67-locked 2026-05-19).** Compare a preview deployment URL against production and surface application-surface changes (new third-party scripts, header regressions, DBR score drops) inside the PR review — before merge. The stickiest dev-workflow feature per Cipherwake's design ranking, with a dedicated SSRF-pinned scan path that keeps preview-URL hostnames out of our moat tables (feature-branch names stay private).
+
+```bash
+npx pqcheck preview-diff \
+  --preview https://feature-x-abc123.vercel.app \
+  --production https://example.com
+```
+
+Sample output:
+
+```
+  Cipherwake Preview Trust Diff
+  preview=https://feature-x-abc123.vercel.app
+  production=https://example.com
+
+  Application surface:
+    + New third-party script: widget.intercom.io
+    - Content-Security-Policy [script-src] added permissive token(s): 'unsafe-inline'
+    ~ Strict-Transport-Security weakened: max-age=31536000 → max-age=3600
+
+  Transport: preview is edge-hosted (Let's Encrypt) — informational only.
+
+  Verdict: WARN (max severity: high)
+  Tier: free · policy: report
+```
+
+Flags: `--preview <URL>` · `--production <URL>` · `--compare-transport` (opt in TLS/cert/SPKI in verdict) · `--fail-on <severity>` (default `high`; pass `none` for report-only) · `--format pretty|json`.
+
+Exit codes match `trust-diff`: `0` pass · `1` warn · `2` fail · `3` error. Free tier silently downgrades fail → report and notes the upgrade hook in the response; Starter+ honors `fail-on` for real CI gating.
+
+Auth: `CIPHERWAKE_API_KEY` env (or the GitHub Action which fetches OIDC automatically — no key needed for Free).
+
+Also: CSP weakening detection now diffs `script-src` / `default-src` / `object-src` / `frame-ancestors` / `base-uri` / `style-src` directives for newly-permissive tokens (`*`, `'unsafe-inline'`, `'unsafe-eval'`, `data:`, `blob:`).
+
 ## What's new in 0.12.0
 
 **Developer habit-loop bundle (locked 2026-05-16).** Five new subcommands that put Cipherwake where developers already work: PRs, CI, release notes, vendor allowlists. Free tier covers all of them within the 100 Trust Diff calls/month per repo quota.
@@ -100,7 +136,8 @@ npx pqcheck diff <old.lock> <new.lock>        Compare two QXM lockfiles; exit 2
 npx pqcheck history <domain>                  Show 90-day score history (sparkline + samples)
 npx pqcheck changes <domain>                  Summarize public attack-surface changes in last 14 days
 npx pqcheck cert <file.pem>                   Analyze a local PEM/CRT cert file (offline, no network)
-npx pqcheck trust-diff <domain>               Trust Diff vs configured baseline; CI gate (Free: 30/mo)
+npx pqcheck trust-diff <domain>               Trust Diff vs configured baseline; CI gate (Free: 100/repo/mo)
+npx pqcheck preview-diff --preview U --production U  Preview-URL vs production-URL diff; new scripts + header regressions + score drops (NEW in 0.14.0)
 npx pqcheck deploy-check <domain>             Pre-deploy gate (Trust Diff alias with last-scan baseline)
 npx pqcheck onboard <domain>                  One-command setup wizard (scan + init + vendors + checklist)
 npx pqcheck init                              Interactive scaffold for .github/workflows/cipherwake.yml

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.14.0",
+  "version": "0.14.1",
   "description": "HTTPS posture scanner with Preview Deploy Trust Diff for PRs, Trust Diff for CI, vendor lockfile + drift alerts, cross-tenant key map, and HNDL/quantum-decryption risk scoring. Free, no signup.",
   "keywords": [
     "post-quantum",