npm - pqcheck - Versions diffs - 0.3.0 → 0.5.0 - Mend

pqcheck 0.3.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -61,13 +61,41 @@ $ npx pqcheck chase.com
 ```
 npx pqcheck <domain>                      Scan and print human-readable report
+npx pqcheck lock <domain>                 Generate quantapact.lock (QXM artifact for repos)
 npx pqcheck <domain> --format json        Output raw JSON for piping / scripting
+npx pqcheck <domain> --format markdown    Output GitHub-issue / Slack-ready Markdown
 npx pqcheck <domain> --threshold 7        Exit 2 if score ≥ 7 (CI gate)
 npx pqcheck <domain> --quiet              Print only the numeric score
+npx pqcheck <domain> --watch [seconds]    Continuously poll and report changes
+npx pqcheck <domain> --webhook <url>      POST results to a URL on each scan
 npx pqcheck --help                        Show all options
 npx pqcheck --version                     Show version
 ```
+### QXM — Quantum Exposure Manifest (commit-able to your repo)
+Like SBOM, `package-lock.json`, or `cargo audit` outputs — track quantum exposure as a versioned artifact in your repo. Diffs surface real changes in pull requests.
+```bash
+npx pqcheck lock yourcompany.com
+# Writes:
+#   quantapact.lock          — stable JSON manifest
+#   quantapact-report.md     — human-readable summary (renders on GitHub)
+```
+Commit both files. Re-run `npx pqcheck lock` whenever you want to refresh; the diff in the next PR shows what changed (score, findings, key-reuse window).
+**In CI:**
+```yaml
+- name: Refresh QXM lockfile
+  run: npx pqcheck@latest lock yourcompany.com
+- name: Fail if score regressed
+  run: npx pqcheck@latest yourcompany.com --threshold 7
+```
+The lockfile schema is documented at [quantapact.com/schemas/qxm/v1](https://quantapact.com/methodology) and is intended to be stable across CLI versions.
 ### Exit codes
 | Code | Meaning |

package/bin/pqcheck.js CHANGED Viewed

@@ -7,7 +7,7 @@
 // =============================================================================
 const API_BASE = process.env.PQCHECK_API_BASE || "https://quantapact.com";
-const VERSION = "0.3.0";
+const VERSION = "0.5.0";
 const ANSI = {
   reset:   "\x1b[0m",
@@ -34,8 +34,19 @@ async function main() {
     process.exit(0);
   }
-  const domain = normalizeDomain(args.find((a) => !a.startsWith("-")) || "");
-  if (!domain) {
+  // Subcommand dispatch — currently only "lock" (QXM artifact generator).
+  // Anything else is treated as the default scan command.
+  if (args[0] === "lock") {
+    return runLockCommand(args.slice(1));
+  }
+  // Multi-domain support: any non-flag positional arg is a domain
+  const positional = args.filter((a) => !a.startsWith("-") && !isFlagValue(args, a));
+  const domains = positional
+    .map((a) => normalizeDomain(a))
+    .filter((d) => !!d);
+  if (domains.length === 0) {
     console.error(color("red", "error: no domain provided"));
     printUsage();
     process.exit(1);
@@ -44,49 +55,178 @@ async function main() {
   const quiet = args.includes("--quiet") || args.includes("-q");
   const format = parseFormat(args);
   const threshold = parseThreshold(args);
+  const watchInterval = parseWatch(args);
+  const webhookUrl = parseWebhook(args);
   if (threshold === "invalid") {
     console.error(color("red", "error: --threshold requires a number 0-10"));
     process.exit(1);
   }
+  if (watchInterval === "invalid") {
+    console.error(color("red", "error: --watch requires a positive number of seconds (default 300 if no value given)"));
+    process.exit(1);
+  }
+  if (webhookUrl === "invalid") {
+    console.error(color("red", "error: --webhook requires a URL starting with http:// or https://"));
+    process.exit(1);
+  }
-  if (!quiet) process.stderr.write(color("dim", `Scanning ${domain} ...`));
+  // Watch mode loop: scan, diff, optionally webhook, repeat.
+  if (watchInterval !== null) {
+    await runWatch({ domains, format, quiet, threshold, webhookUrl, intervalSec: watchInterval });
+    return; // runWatch handles its own exit; in practice it runs until killed.
+  }
+  // One-shot scan(s)
+  let worstExit = 0;
+  for (const domain of domains) {
+    const exit = await runOneScan({ domain, format, quiet, threshold, webhookUrl, multi: domains.length > 1 });
+    if (exit > worstExit) worstExit = exit;
+  }
+  process.exit(worstExit);
+}
+async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi }) {
+  if (!quiet && format === "text") process.stderr.write(color("dim", `Scanning ${domain} ...`));
   let report;
   try {
     const resp = await fetch(`${API_BASE}/api/scan?domain=${encodeURIComponent(domain)}`, {
       method: "GET",
       headers: { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION}` },
     });
-    if (!quiet) process.stderr.write("\r\x1b[K"); // clear "Scanning ..." line
+    if (!quiet && format === "text") process.stderr.write("\r\x1b[K");
     if (!resp.ok) {
       const errBody = await safeJSON(resp);
-      console.error(color("red", `error: ${resp.status} ${errBody?.error || resp.statusText}`));
+      console.error(color("red", `error scanning ${domain}: ${resp.status} ${errBody?.error || resp.statusText}`));
       if (errBody?.detail) console.error(color("dim", errBody.detail));
-      process.exit(1);
+      return 1;
     }
     report = await resp.json();
   } catch (err) {
-    if (!quiet) process.stderr.write("\r\x1b[K");
-    console.error(color("red", `error: ${err.message}`));
-    process.exit(1);
+    if (!quiet && format === "text") process.stderr.write("\r\x1b[K");
+    console.error(color("red", `error scanning ${domain}: ${err.message}`));
+    return 1;
+  }
+  // Webhook delivery — fire-and-forget POST with JSON body
+  if (webhookUrl) {
+    fetch(webhookUrl, {
+      method: "POST",
+      headers: { "content-type": "application/json", "user-agent": `pqcheck-cli/${VERSION}` },
+      body: JSON.stringify({ domain, report, source: "pqcheck-cli", at: new Date().toISOString() }),
+    }).catch(() => { /* best-effort — never fail the scan on webhook delivery */ });
   }
+  // Output dispatch
   if (quiet) {
-    // Numeric score on stdout, nothing else. Suitable for piping.
-    console.log(typeof report.score === "number" ? report.score : "");
+    if (multi) {
+      console.log(`${domain}\t${typeof report.score === "number" ? report.score : ""}`);
+    } else {
+      console.log(typeof report.score === "number" ? report.score : "");
+    }
   } else if (format === "json") {
-    console.log(JSON.stringify(report, null, 2));
+    if (multi) {
+      // Per-line NDJSON when scanning multiple domains so output is pipe-friendly
+      console.log(JSON.stringify(report));
+    } else {
+      console.log(JSON.stringify(report, null, 2));
+    }
+  } else if (format === "csv") {
+    if (multi && this && !this.csvHeaderPrinted) {
+      // Header only once, before first row
+    }
+    printCsvRow(report);
+  } else if (format === "markdown") {
+    printMarkdown(report, multi);
   } else {
+    if (multi) console.log(color("dim", `\n──── ${domain} ────`));
     printReport(report);
   }
-  // Threshold gating: exit 2 if score >= threshold (distinct from exit 1 = error)
   if (threshold !== null && typeof report.score === "number" && report.score >= threshold) {
-    if (!quiet) {
-      console.error(color("red", `threshold breach: score ${report.score} >= ${threshold}`));
+    if (!quiet && format === "text") {
+      console.error(color("red", `threshold breach: ${domain} score ${report.score} >= ${threshold}`));
     }
-    process.exit(2);
+    return 2;
   }
-  process.exit(0);
+  return 0;
+}
+async function runWatch({ domains, format, quiet, threshold, webhookUrl, intervalSec }) {
+  const previous = new Map(); // domain → previous score
+  if (!quiet && format === "text") {
+    console.error(color("dim", `Watching ${domains.length} domain(s), polling every ${intervalSec}s. Ctrl-C to stop.`));
+  }
+  // Print CSV header once if csv mode
+  if (format === "csv") printCsvHeader();
+  // Trap SIGINT so we exit cleanly
+  let stopped = false;
+  process.on("SIGINT", () => {
+    stopped = true;
+    if (!quiet && format === "text") console.error(color("dim", "\nStopped."));
+    process.exit(0);
+  });
+  while (!stopped) {
+    for (const domain of domains) {
+      try {
+        const resp = await fetch(`${API_BASE}/api/scan?domain=${encodeURIComponent(domain)}`, {
+          method: "GET",
+          headers: { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION}` },
+        });
+        if (!resp.ok) continue;
+        const report = await resp.json();
+        const prev = previous.get(domain);
+        const changed = prev !== undefined && typeof report.score === "number" && report.score !== prev;
+        previous.set(domain, report.score);
+        if (changed && webhookUrl) {
+          fetch(webhookUrl, {
+            method: "POST",
+            headers: { "content-type": "application/json", "user-agent": `pqcheck-cli/${VERSION}` },
+            body: JSON.stringify({
+              type: "score_changed",
+              domain,
+              previousScore: prev,
+              newScore: report.score,
+              report,
+              at: new Date().toISOString(),
+            }),
+          }).catch(() => {});
+        }
+        if (format === "csv") {
+          printCsvRow(report);
+        } else if (format === "json") {
+          console.log(JSON.stringify({ ...report, _watchPreviousScore: prev ?? null, _watchChanged: changed }));
+        } else if (format === "markdown") {
+          printMarkdown(report, true);
+        } else {
+          const stamp = new Date().toISOString().slice(11, 19);
+          if (changed) {
+            console.log(color("yellow", `[${stamp}] ${domain}: ${prev} → ${report.score}  (${report.scoreLabel}) ${color("yellow", "★ changed")}`));
+          } else if (!quiet) {
+            console.log(color("dim", `[${stamp}] ${domain}: ${report.score}  (${report.scoreLabel})`));
+          }
+        }
+      } catch (err) {
+        if (!quiet && format === "text") console.error(color("red", `[watch] ${domain}: ${err.message}`));
+      }
+    }
+    await sleep(intervalSec * 1000);
+  }
+}
+function sleep(ms) { return new Promise((r) => setTimeout(r, ms)); }
+function isFlagValue(args, val) {
+  // True when this arg is the value following a flag like --threshold 7 or --format json
+  const idx = args.indexOf(val);
+  if (idx <= 0) return false;
+  const prev = args[idx - 1];
+  return prev === "--threshold" || prev === "--format" || prev === "--watch" || prev === "--webhook";
 }
 function parseFormat(args) {
@@ -94,7 +234,8 @@ function parseFormat(args) {
   const i = args.indexOf("--format");
   if (i === -1) return "text";
   const v = (args[i + 1] || "").toLowerCase();
-  return v === "json" ? "json" : "text";
+  if (v === "json" || v === "csv" || v === "markdown" || v === "md") return v === "md" ? "markdown" : v;
+  return "text";
 }
 function parseThreshold(args) {
@@ -106,6 +247,94 @@ function parseThreshold(args) {
   return n;
 }
+function parseWatch(args) {
+  const i = args.indexOf("--watch");
+  if (i === -1) return null;
+  const raw = args[i + 1];
+  // --watch with no value defaults to 300s (5 min)
+  if (raw === undefined || raw.startsWith("-")) return 300;
+  const n = parseInt(raw, 10);
+  if (!Number.isFinite(n) || n < 10) return "invalid";
+  return n;
+}
+function parseWebhook(args) {
+  const i = args.indexOf("--webhook");
+  if (i === -1) return null;
+  const raw = args[i + 1];
+  if (!raw || !/^https?:\/\//.test(raw)) return "invalid";
+  return raw;
+}
+// ---------- format renderers (CSV + markdown) ----------
+let _csvHeaderPrinted = false;
+function printCsvHeader() {
+  console.log("domain,score,grade,score_label,reachable,tls_version,hybrid_pqc,days_until_cert_expiry,subdomains,wildcard_cert,findings_high,findings_medium,findings_low");
+  _csvHeaderPrinted = true;
+}
+function printCsvRow(r) {
+  if (!_csvHeaderPrinted) printCsvHeader();
+  const ps = r.publicSurface || {};
+  const sevCount = (sev) => (r.findings || []).filter((f) => f.severity === sev).length;
+  const cells = [
+    csvEscape(r.domain),
+    r.score ?? "",
+    r.grade ?? "",
+    r.scoreLabel ?? "",
+    r.reachable ? "true" : "false",
+    csvEscape(ps.tlsVersion ?? ""),
+    ps.hybridPQC ? "true" : "false",
+    ps.daysUntilCertExpiry ?? "",
+    ps.subdomainCount ?? 0,
+    ps.wildcardCert ? "true" : "false",
+    sevCount("high") + sevCount("critical"),
+    sevCount("medium"),
+    sevCount("low"),
+  ];
+  console.log(cells.join(","));
+}
+function csvEscape(s) {
+  const v = String(s ?? "");
+  if (v.includes(",") || v.includes('"') || v.includes("\n")) {
+    return '"' + v.replace(/"/g, '""') + '"';
+  }
+  return v;
+}
+function printMarkdown(r, multi) {
+  if (!r.reachable) {
+    console.log(`### ${r.domain} — unreachable\n${r.errorMessage ? `> ${r.errorMessage}` : ""}\n`);
+    return;
+  }
+  const ps = r.publicSurface || {};
+  const lines = [];
+  lines.push(`### ${r.domain} — Decryption Blast Radius **${r.score} / 10** (${r.scoreLabel}, grade ${r.grade ?? "—"})`);
+  lines.push("");
+  lines.push("| Signal | Value |");
+  lines.push("|---|---|");
+  lines.push(`| TLS | ${ps.tlsVersion ?? "?"}${ps.cipher ? ` (${ps.cipher})` : ""} |`);
+  lines.push(`| Hybrid PQC | ${ps.hybridPQC ? "yes" : "no"} |`);
+  lines.push(`| Cert expires | ${ps.daysUntilCertExpiry !== null && ps.daysUntilCertExpiry !== undefined ? `in ${ps.daysUntilCertExpiry} days` : "?"} |`);
+  lines.push(`| HSTS | ${ps.hsts ? "enabled" : "not detected"} |`);
+  lines.push(`| Subdomains | ${ps.subdomainCount ?? 0}${ps.wildcardCert ? " (wildcard cert)" : ""} |`);
+  lines.push("");
+  if (r.findings && r.findings.length) {
+    lines.push("**Findings:**");
+    lines.push("");
+    for (const f of r.findings) {
+      lines.push(`- **[${f.severity.toUpperCase()}]** ${f.title}`);
+      lines.push(`  ${f.detail}`);
+    }
+    lines.push("");
+  }
+  lines.push(`> ⚠ Public surface only. Internal Blast Radius is typically 12–40× this score.`);
+  lines.push("");
+  lines.push(`Full report: ${API_BASE}/?check=${encodeURIComponent(r.domain)} · Share: ${API_BASE}/r/${encodeURIComponent(r.domain)}`);
+  if (multi) lines.push("\n---\n");
+  console.log(lines.join("\n"));
+}
 function printReport(r) {
   if (!r.reachable) {
     console.log(color("red", `\n  ${r.domain} — unreachable`));
@@ -217,6 +446,11 @@ function normalizeDomain(raw) {
     .split(":")[0];
 }
+function isValidDomain(d) {
+  if (!d || d.length < 4 || d.length > 253) return false;
+  return /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/.test(d);
+}
 async function safeJSON(resp) {
   try { return await resp.json(); } catch { return null; }
 }
@@ -228,18 +462,26 @@ ${color("bold", "pqcheck")} ${color("dim", `v${VERSION}`)}
 Public Surface Blast Radius — quantum-decryption risk for any domain.
 ${color("bold", "Usage:")}
-  npx pqcheck <domain>                       Scan and print human-readable report
-  npx pqcheck <domain> --format json         Output raw JSON
-  npx pqcheck <domain> --threshold 7         Exit 2 if score ≥ 7 (CI-friendly)
-  npx pqcheck <domain> --quiet               Print just the score, nothing else
+  npx pqcheck <domain>                          Scan + print human-readable report
+  npx pqcheck lock <domain>                     Generate quantapact.lock (QXM) for repo commit
+  npx pqcheck a.com b.com c.com                 Multi-domain scan
+  npx pqcheck <domain> --format json            Raw JSON
+  npx pqcheck <domain> --format markdown        GitHub-issue / Slack-ready Markdown
+  npx pqcheck <domain> --format csv             Spreadsheet-friendly CSV row
+  npx pqcheck <domain> --threshold 7            Exit 2 if score ≥ 7 (CI gate)
+  npx pqcheck <domain> --quiet                  Print just the score number
+  npx pqcheck <domain> --watch [seconds]        Continuously poll and report changes
+  npx pqcheck <domain> --webhook <url>          POST report JSON to URL on each scan
 ${color("bold", "Options:")}
-  -h, --help                Show this help
-  -v, --version             Show version
-  --format <text|json>      Output format (default: text)
-  --json                    Alias for --format json
-  --threshold <0-10>        Exit code 2 if score meets/exceeds this value
-  -q, --quiet               Print only the numeric score (pipe-friendly)
+  -h, --help                       Show this help
+  -v, --version                    Show version
+  --format <text|json|markdown|csv>  Output format (default: text)
+  --json                           Alias for --format json
+  --threshold <0-10>               Exit 2 if score meets or exceeds this
+  -q, --quiet                      Print only the numeric score
+  --watch [seconds]                Poll every N seconds (default 300) and report changes
+  --webhook <url>                  POST scan results to a URL (one-shot or each watch tick)
 ${color("bold", "Exit codes:")}
   0   success
@@ -248,8 +490,10 @@ ${color("bold", "Exit codes:")}
 ${color("bold", "Examples:")}
   npx pqcheck chase.com
-  npx pqcheck quantapact.com --format json
-  npx pqcheck mybank.com --threshold 7      ${color("dim", "# fail CI if exposed")}
+  npx pqcheck mycompany.com mythirdparty.com --format csv > posture.csv
+  npx pqcheck mybank.com --threshold 7      ${color("dim", "# fail CI if score ≥ 7")}
+  npx pqcheck mybank.com --format markdown >> issue.md
+  npx pqcheck mybank.com --watch 600 --webhook https://hooks.slack.com/services/...
   echo "score: $(npx pqcheck mybank.com -q)"
 Backed by the patented Decryption Blast Radius methodology.
@@ -257,6 +501,244 @@ ${color("violet", "https://quantapact.com")}
 `);
 }
+// =============================================================================
+// `pqcheck lock` — QXM (Quantum Exposure Manifest) generator
+// =============================================================================
+// Generates two files committable to a git repo:
+//   quantapact.lock          — stable JSON manifest (machine-readable)
+//   quantapact-report.md     — human-readable summary (renders on GitHub)
+//
+// Like SBOM / package-lock.json / cargo audit / snyk test outputs — devs commit
+// these to track quantum exposure as a first-class technical concern.
+//
+// Usage:
+//   npx pqcheck lock <domain>           Write to ./quantapact.lock + .md
+//   npx pqcheck lock <domain> -o dir/   Write into a specific directory
+//   npx pqcheck lock <domain> --stdout  Print JSON to stdout (no files)
+//   npx pqcheck lock                    Read domain from existing
+//                                       quantapact.lock if present, else error
+// =============================================================================
+async function runLockCommand(args) {
+  const fs = await import("node:fs/promises");
+  const path = await import("node:path");
+  const crypto = await import("node:crypto");
+  const stdout = args.includes("--stdout");
+  const outIdx = args.indexOf("-o");
+  const outDir = outIdx >= 0 ? args[outIdx + 1] : ".";
+  // Find the domain — either positional arg, or read from existing lockfile
+  const positional = args.filter((a) => !a.startsWith("-") && a !== outDir);
+  let domain = positional.length > 0 ? normalizeDomain(positional[0]) : null;
+  if (!domain) {
+    try {
+      const existing = await fs.readFile(path.join(outDir, "quantapact.lock"), "utf8");
+      const parsed = JSON.parse(existing);
+      domain = parsed.domain;
+      if (!stdout) {
+        console.error(color("dim", `Re-locking from existing quantapact.lock (domain: ${domain})`));
+      }
+    } catch {
+      console.error(color("red", "error: no domain provided and no existing quantapact.lock found"));
+      console.error(color("dim", "Usage: npx pqcheck lock <domain>"));
+      process.exit(1);
+    }
+  }
+  if (!isValidDomain(domain)) {
+    console.error(color("red", `error: invalid domain '${domain}'`));
+    process.exit(1);
+  }
+  if (!stdout) process.stderr.write(color("dim", `Scanning ${domain} for QXM lockfile...`));
+  let report;
+  try {
+    const resp = await fetch(`${API_BASE}/api/scan?domain=${encodeURIComponent(domain)}`, {
+      method: "GET",
+      headers: { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION} (lock)` },
+    });
+    if (!stdout) process.stderr.write("\r\x1b[K");
+    if (!resp.ok) {
+      const errBody = await safeJSON(resp);
+      console.error(color("red", `error: ${resp.status} ${errBody?.error || resp.statusText}`));
+      process.exit(1);
+    }
+    report = await resp.json();
+  } catch (err) {
+    if (!stdout) process.stderr.write("\r\x1b[K");
+    console.error(color("red", `error: ${err.message}`));
+    process.exit(1);
+  }
+  const manifest = buildQxmManifest(report, crypto);
+  const json = JSON.stringify(manifest, null, 2) + "\n";
+  if (stdout) {
+    console.log(json);
+    return;
+  }
+  // Write both files
+  const lockPath = path.join(outDir, "quantapact.lock");
+  const mdPath = path.join(outDir, "quantapact-report.md");
+  const md = renderQxmMarkdown(manifest);
+  try {
+    await fs.mkdir(outDir, { recursive: true });
+    await fs.writeFile(lockPath, json);
+    await fs.writeFile(mdPath, md);
+  } catch (err) {
+    console.error(color("red", `error writing files: ${err.message}`));
+    process.exit(1);
+  }
+  console.log("");
+  console.log(`  ${color("bold", "QXM lockfile written")} for ${color("violet", domain)}:`);
+  console.log("");
+  console.log(`  ${color("green", "✓")} ${lockPath}`);
+  console.log(`  ${color("green", "✓")} ${mdPath}`);
+  console.log("");
+  console.log(`  ${color("dim", "Decryption Blast Radius:")} ${color("bold", manifest.score + " / 10")} (Grade ${manifest.grade}, ${manifest.scoreLabel})`);
+  console.log(`  ${color("dim", "Findings:")} ${manifest.findings.length} (${manifest.findings.filter((f) => f.severity === "high" || f.severity === "critical").length} high/critical)`);
+  console.log("");
+  console.log(color("dim", "  Commit these to your repo to track quantum exposure as a versioned artifact."));
+  console.log(color("dim", "  Re-run `npx pqcheck lock` to refresh; diffs surface real changes in PRs."));
+  console.log("");
+  console.log(color("violet", `  → Verify online: ${API_BASE}/r/${encodeURIComponent(domain)}`));
+  console.log("");
+  process.exit(0);
+}
+function buildQxmManifest(report, crypto) {
+  // Stable hash of the underlying scan, useful for dedup + change detection in CI
+  const hashInput = JSON.stringify({
+    domain: report.domain,
+    score: report.score,
+    grade: report.grade,
+    findings: (report.findings || []).map((f) => ({ s: f.severity, t: f.title })),
+    publicSurface: report.publicSurface,
+  });
+  const evidenceHash = crypto.createHash("sha256").update(hashInput).digest("hex").slice(0, 32);
+  // Tessera recommendation classification (waitlist-shape; SDK not yet shipped)
+  const tesseraNeeded = (report.findings || []).some((f) =>
+    /key reused?|reused for|key persist|rsa fallback|chain weakest|hybrid pqc/i.test(f.title || ""),
+  );
+  return {
+    schema: "https://quantapact.com/schemas/qxm/v1",
+    schemaVersion: 1,
+    generator: `pqcheck-cli/${VERSION}`,
+    generatedAt: report.generatedAt || new Date().toISOString(),
+    domain: report.domain,
+    reachable: !!report.reachable,
+    score: report.score,
+    grade: report.grade,
+    scoreLabel: report.scoreLabel,
+    publicSurface: report.publicSurface || null,
+    findings: (report.findings || []).map((f) => ({
+      severity: f.severity,
+      title: f.title,
+      detail: f.detail,
+    })),
+    impact: report.impact || null,
+    sectorRanking: report.sectorRanking || null,
+    components: report.components || null,
+    evidence: {
+      evidenceHash,
+      methodology: "https://quantapact.com/methodology",
+      shareableReport: `https://quantapact.com/r/${encodeURIComponent(report.domain)}`,
+      badge: `https://quantapact.com/badge/${encodeURIComponent(report.domain)}.svg`,
+    },
+    remediation: {
+      tessera: tesseraNeeded ? "join-waitlist" : "not-needed",
+      tesseraWaitlist: "https://quantapact.com/feedback?source=qxm-tessera-interest",
+      notes: tesseraNeeded
+        ? "Findings include cryptographic exposure that Tessera SDK is being designed to remediate. Tessera is in development; join the waitlist to be notified when ready."
+        : "No quantum-decryption-relevant findings requiring Tessera remediation at this time.",
+    },
+  };
+}
+function renderQxmMarkdown(m) {
+  const lines = [];
+  lines.push(`# Quantum Exposure Manifest — \`${m.domain}\``);
+  lines.push("");
+  lines.push(`> **Decryption Blast Radius:** ${m.score} / 10 (Grade ${m.grade}, ${m.scoreLabel})`);
+  lines.push(`> Generated by [pqcheck](https://quantapact.com) at ${m.generatedAt}`);
+  lines.push("");
+  if (!m.reachable) {
+    lines.push(`*${m.domain} was not reachable at scan time.*`);
+    lines.push("");
+    return lines.join("\n");
+  }
+  lines.push("## Public-surface signals");
+  lines.push("");
+  lines.push("| Signal | Value |");
+  lines.push("|---|---|");
+  const ps = m.publicSurface || {};
+  lines.push(`| TLS version | ${ps.tlsVersion ?? "?"}${ps.cipher ? ` (${ps.cipher})` : ""} |`);
+  lines.push(`| Hybrid PQC | ${ps.hybridPQC ? "yes" : "no"} |`);
+  lines.push(`| Cert expires in | ${ps.daysUntilCertExpiry ?? "?"} days |`);
+  lines.push(`| HSTS | ${ps.hsts ? "enabled" : "not detected"} |`);
+  lines.push(`| Subdomains | ${ps.subdomainCount ?? 0}${ps.wildcardCert ? " (wildcard cert)" : ""} |`);
+  if (ps.keyReuseLongestYears) {
+    lines.push(`| **Key reuse window** | **${ps.keyReuseLongestYears} years** across ${ps.keyReuseCertsObserved ?? "?"} cert rotations |`);
+  }
+  lines.push("");
+  if (m.findings && m.findings.length) {
+    lines.push("## Findings");
+    lines.push("");
+    for (const f of m.findings) {
+      lines.push(`### \`[${f.severity.toUpperCase()}]\` ${f.title}`);
+      lines.push("");
+      lines.push(f.detail);
+      lines.push("");
+    }
+  }
+  if (m.impact && m.impact.headline) {
+    lines.push("## Plain-English impact");
+    lines.push("");
+    lines.push(`> ${m.impact.headline}`);
+    lines.push("");
+  }
+  if (m.sectorRanking && m.sectorRanking.available) {
+    lines.push("## Sector ranking");
+    lines.push("");
+    lines.push(`Among ${m.sectorRanking.sectorLabel}: **${m.sectorRanking.rank} of ${m.sectorRanking.total}** (worse than ${m.sectorRanking.betterThanCount} peers measured).`);
+    lines.push("");
+  }
+  lines.push("## Remediation");
+  lines.push("");
+  lines.push(`- **Tessera SDK status for this domain:** \`${m.remediation.tessera}\``);
+  lines.push(`- ${m.remediation.notes}`);
+  lines.push(`- [Join Tessera remediation waitlist](${m.remediation.tesseraWaitlist})`);
+  lines.push("");
+  lines.push("## Evidence");
+  lines.push("");
+  lines.push("| | |");
+  lines.push("|---|---|");
+  lines.push(`| Methodology | ${m.evidence.methodology} |`);
+  lines.push(`| Shareable report | ${m.evidence.shareableReport} |`);
+  lines.push(`| Embeddable badge | \`${m.evidence.badge}\` |`);
+  lines.push(`| Evidence hash | \`${m.evidence.evidenceHash}\` |`);
+  lines.push("");
+  lines.push("---");
+  lines.push("");
+  lines.push("*Public-surface measurements only. Internal Blast Radius (east-west traffic, internal databases, VPN tunnels, backup pipelines) is typically 12–40× this score. Re-run `npx pqcheck lock` to refresh; commit the result to your repo to surface changes in pull requests.*");
+  lines.push("");
+  return lines.join("\n");
+}
 main().catch((err) => {
   console.error(color("red", `fatal: ${err.message}`));
   process.exit(2);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.3.0",
+  "version": "0.5.0",
   "description": "Decryption Blast Radius scanner — find out how much of your data unlocks when quantum decryption arrives.",
   "keywords": [
     "post-quantum",