pqcheck 0.2.0 → 0.3.0

package/README.md

@@ -14,12 +14,17 @@ That's it. No install. Works from any terminal with Node 18+.
 
 `pqcheck` scans any HTTPS domain and computes its **Decryption Blast Radius Score** — the first continuous metric for harvest-now-decrypt-later (HNDL) risk. Every other TLS scanner answers "is post-quantum cryptography enabled?" with a yes/no. `pqcheck` answers the question that actually matters: *if an adversary harvests this traffic today and decrypts it in 2035, how much past + future data unlocks?*
 
-The score combines:
+The score combines (Quantum / cert findings — our differentiator):
+- **Public-key reuse across rotations** — detects when the same private key has been live across multiple cert renewals (often 4+ years at large enterprises). **★ Unique to pqcheck — no other ASM/TLS scanner surfaces this.**
 - **Cipher-class probing** — does the server accept RSA fallback even if it prefers ECDHE?
 - **Certificate chain analysis** — including the intermediate cert (the chain's actual quantum failure point)
-- **Public-key reuse across rotations** — detects when the same private key has been live across multiple cert renewals (often 4+ years at large enterprises)
 - **Subject scale** — wildcard certs and subdomain count multiplying the blast radius
 
+Plus a full ASM check suite for credibility (so the report doesn't feel narrow):
+- **Email security** — SPF, DMARC, DKIM (15 selectors probed), BIMI
+- **HTTP header security** — HSTS (with preload + max-age), CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP
+- **Subdomain takeover detection** — fingerprint-based scan against AWS S3, GitHub Pages, Heroku, Shopify, Fastly, and 5+ other commonly-orphaned services
+
 ## Example
 
 ```
@@ -83,6 +88,15 @@ The `--threshold` flag turns `pqcheck` into a quantum-risk gate for any pipeline
 
 If the score is 7.0 or higher, the step fails and the PR can't merge.
 
+For GitHub Actions specifically, there's also a [first-class action](https://github.com/mzon7/quantapact/tree/main/action) with `score` / `grade` / `report-url` outputs:
+
+```yaml
+- uses: mzon7/quantapact/action@main
+  with:
+    domain: mycompany.com
+    threshold: '7'
+```
+
 For finer control, combine `--quiet` with shell logic:
 
 ```bash

package/bin/pqcheck.js

@@ -7,7 +7,7 @@
 // =============================================================================
 
 const API_BASE = process.env.PQCHECK_API_BASE || "https://quantapact.com";
-const VERSION = "0.2.0";
+const VERSION = "0.3.0";
 
 const ANSI = {
   reset:   "\x1b[0m",
@@ -131,16 +131,47 @@ function printReport(r) {
   console.log(`  • HSTS:          ${r.publicSurface.hsts ? color("green", "enabled") : color("dim", "not detected")}`);
   console.log(`  • Subdomains:    ${r.publicSurface.subdomainCount}${r.publicSurface.wildcardCert ? color("yellow", " (wildcard cert)") : ""}`);
   console.log("");
+  // Coverage line — communicates breadth of checks
+  const coverage = ["TLS", "Cert chain", "Cipher class", color("violet", "★ Key reuse (CT-log)"), "Subdomains"];
+  if (r.emailSecurity) coverage.push("SPF", "DMARC", "DKIM", "BIMI");
+  if (r.httpHeaders && r.httpHeaders.reachable) coverage.push("HSTS", "CSP", "X-Frame", "Referrer-Policy");
+  if (r.subdomainTakeover) coverage.push("Takeover");
+  console.log(color("dim", "  Checked: ") + coverage.join(color("dim", " · ")));
+  console.log("");
+
   if (r.findings && r.findings.length) {
-    console.log(color("dim", "  Findings:"));
+    // Group findings by category. Quantum/cert findings come first since
+    // they're the differentiator; ASM-completeness findings come after.
+    const groups = { quantum: [], takeover: [], email: [], headers: [], other: [] };
     for (const f of r.findings) {
-      const sev = f.severity.toUpperCase();
-      const sevColor =
-        f.severity === "critical" ? "red" :
-        f.severity === "high"     ? "yellow" :
-        f.severity === "medium"   ? "yellow" : "dim";
-      console.log(`  ${color(sevColor, `[${sev}]`)} ${f.title}`);
-      console.log(color("dim", `    ${f.detail}`));
+      const t = (f.title || "").toLowerCase();
+      if (/spf|dmarc|dkim|bimi/.test(t)) groups.email.push(f);
+      else if (/hsts|csp|x-frame|content-?type|referrer|clickjacking|server version|permissions-policy/.test(t)) groups.headers.push(f);
+      else if (/takeover/.test(t)) groups.takeover.push(f);
+      else if (/key reused?|key persist|reused for|cert rotation|chain weakest|rsa fallback|ecdhe|quantum/.test(t)) groups.quantum.push(f);
+      else groups.other.push(f);
+    }
+    const sections = [
+      ["quantum", "Quantum & cert exposure (our differentiator):", groups.quantum],
+      ["takeover", "Subdomain takeover:", groups.takeover],
+      ["email", "Email security (SPF / DMARC / DKIM / BIMI):", groups.email],
+      ["headers", "HTTP header security:", groups.headers],
+      ["other", "Other:", groups.other],
+    ];
+    for (const [key, label, arr] of sections) {
+      if (!arr || arr.length === 0) continue;
+      console.log(color("violet", `  ${label}`));
+      for (const f of arr) {
+        const sev = f.severity.toUpperCase();
+        const sevColor =
+          f.severity === "critical" ? "red" :
+          f.severity === "high"     ? "yellow" :
+          f.severity === "medium"   ? "yellow" : "dim";
+        const isUnique = key === "quantum" && /key reused?|reused for|key persist/.test((f.title || "").toLowerCase());
+        const star = isUnique ? color("violet", " ★ UNIQUE TO PQCHECK") : "";
+        console.log(`  ${color(sevColor, `[${sev}]`)} ${f.title}${star}`);
+        console.log(color("dim", `    ${f.detail}`));
+      }
     }
     console.log("");
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "Decryption Blast Radius scanner — find out how much of your data unlocks when quantum decryption arrives.",
   "keywords": [
     "post-quantum",