pqcheck 0.5.0 → 0.6.0

package/bin/pqcheck.js

@@ -7,7 +7,7 @@
 // =============================================================================
 
 const API_BASE = process.env.PQCHECK_API_BASE || "https://quantapact.com";
-const VERSION = "0.5.0";
+const VERSION = "0.6.0";
 
 const ANSI = {
   reset:   "\x1b[0m",
@@ -34,11 +34,13 @@ async function main() {
     process.exit(0);
   }
 
-  // Subcommand dispatch — currently only "lock" (QXM artifact generator).
-  // Anything else is treated as the default scan command.
+  // Subcommand dispatch.
   if (args[0] === "lock") {
     return runLockCommand(args.slice(1));
   }
+  if (args[0] === "deps") {
+    return runDepsCommand(args.slice(1));
+  }
 
   // Multi-domain support: any non-flag positional arg is a domain
   const positional = args.filter((a) => !a.startsWith("-") && !isFlagValue(args, a));
@@ -464,6 +466,7 @@ Public Surface Blast Radius — quantum-decryption risk for any domain.
 ${color("bold", "Usage:")}
   npx pqcheck <domain>                          Scan + print human-readable report
   npx pqcheck lock <domain>                     Generate quantapact.lock (QXM) for repo commit
+  npx pqcheck deps <domain>                     Scan third-party origins (supply-chain HNDL); --lock for committable manifest
   npx pqcheck a.com b.com c.com                 Multi-domain scan
   npx pqcheck <domain> --format json            Raw JSON
   npx pqcheck <domain> --format markdown        GitHub-issue / Slack-ready Markdown
@@ -739,6 +742,309 @@ function renderQxmMarkdown(m) {
   return lines.join("\n");
 }
 
+// =============================================================================
+// `pqcheck deps` — supply-chain HNDL scan for a target domain
+// =============================================================================
+// Fetches the public HTML of the target domain, extracts third-party origins
+// referenced via <script src>, <iframe src>, <link href>, <img src>, then runs
+// /api/scan against each unique third party. Outputs a sorted summary + an
+// optional committable lockfile (quantapact-deps.lock).
+//
+// Parallel to the browser extension's Dependencies tab, exposed as a CLI for
+// CI integration: gate PR builds on third-party crypto posture.
+//
+// Usage:
+//   npx pqcheck deps <domain>           Scan + print summary table
+//   npx pqcheck deps <domain> --json    JSON output (pipe to jq, etc.)
+//   npx pqcheck deps <domain> --lock    Also write quantapact-deps.lock + .md
+//   npx pqcheck deps <domain> -o dir/   Output directory for --lock files
+//   npx pqcheck deps <domain> --max=20  Cap on third parties scanned (default 20)
+// =============================================================================
+
+async function runDepsCommand(args) {
+  const fs = await import("node:fs/promises");
+  const path = await import("node:path");
+
+  const json = args.includes("--json");
+  const lock = args.includes("--lock");
+  const outIdx = args.indexOf("-o");
+  const outDir = outIdx >= 0 ? args[outIdx + 1] : ".";
+  const maxArg = args.find((a) => a.startsWith("--max="));
+  const maxThirdParties = maxArg ? Math.max(1, parseInt(maxArg.slice(6), 10) || 20) : 20;
+
+  const positional = args.filter((a) => !a.startsWith("-") && a !== outDir);
+  const domain = positional.length > 0 ? normalizeDomain(positional[0]) : null;
+  if (!domain || !isValidDomain(domain)) {
+    console.error(color("red", "error: pqcheck deps requires a valid domain"));
+    console.error(color("dim", "Usage: npx pqcheck deps <domain> [--json|--lock] [-o dir/] [--max=N]"));
+    process.exit(1);
+  }
+
+  if (!json) process.stderr.write(color("dim", `Fetching ${domain} HTML...`));
+  const html = await fetchPageHTML(domain);
+  if (!json) process.stderr.write("\r\x1b[K");
+  if (!html) {
+    console.error(color("red", `error: could not fetch https://${domain}/`));
+    process.exit(1);
+  }
+
+  const refs = extractThirdPartyRefs(html, domain);
+  if (refs.length === 0) {
+    if (json) {
+      console.log(JSON.stringify({ domain, scannedAt: new Date().toISOString(), thirdParties: [], summary: { uniqueOrigins: 0, totalReferences: 0 } }, null, 2));
+    } else {
+      console.log("");
+      console.log(`  ${color("violet", domain)} ${color("dim", "·")} ${color("bold", "no third-party origins detected")}`);
+      console.log(color("dim", "  (page is fully first-party, or HTML didn't load script/iframe/link refs)"));
+      console.log("");
+    }
+    return;
+  }
+
+  // Group by host, dedupe
+  const byHost = new Map();
+  for (const r of refs) {
+    if (!byHost.has(r.host)) byHost.set(r.host, { host: r.host, types: new Set(), occurrences: 0 });
+    const e = byHost.get(r.host);
+    e.types.add(r.type);
+    e.occurrences += 1;
+  }
+  const uniqueHosts = Array.from(byHost.values()).slice(0, maxThirdParties);
+
+  if (!json) process.stderr.write(color("dim", `Scanning ${uniqueHosts.length} third-party origins...`));
+
+  // Scan each host (parallel batches of 4 to avoid hammering the API)
+  const BATCH = 4;
+  const results = [];
+  for (let i = 0; i < uniqueHosts.length; i += BATCH) {
+    const batch = uniqueHosts.slice(i, i + BATCH);
+    const batchResults = await Promise.all(
+      batch.map(async (h) => {
+        try {
+          const r = await fetch(`${API_BASE}/api/scan?domain=${encodeURIComponent(h.host)}&source=cli-deps`, {
+            headers: { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION} (deps)` },
+          });
+          if (!r.ok) return { ...h, types: Array.from(h.types), scan: null, error: `${r.status}` };
+          const body = await r.json();
+          return {
+            ...h,
+            types: Array.from(h.types),
+            scan: {
+              grade: body.grade,
+              score: body.score,
+              reachable: body.reachable,
+              hybridPQC: body.publicSurface?.hybridPQC ?? false,
+            },
+          };
+        } catch (e) {
+          return { ...h, types: Array.from(h.types), scan: null, error: e.message };
+        }
+      })
+    );
+    results.push(...batchResults);
+  }
+  if (!json) process.stderr.write("\r\x1b[K");
+
+  // Sort: F first (worst), then D, C, B, A; unreachable/error to bottom
+  const gradeRank = { F: 5, D: 4, C: 3, B: 2, A: 1 };
+  results.sort((a, b) => {
+    const ar = a.scan?.grade ? gradeRank[a.scan.grade] || 0 : -1;
+    const br = b.scan?.grade ? gradeRank[b.scan.grade] || 0 : -1;
+    return br - ar;
+  });
+
+  const summary = buildDepsSummary(results);
+
+  // Build manifest
+  const manifest = {
+    $schema: "https://quantapact.com/schemas/deps/v1",
+    schemaVersion: "1.0",
+    domain,
+    scannedAt: new Date().toISOString(),
+    tool: "pqcheck-cli",
+    toolVersion: VERSION,
+    summary,
+    thirdParties: results.map((r) => ({
+      host: r.host,
+      types: r.types,
+      occurrences: r.occurrences,
+      scan: r.scan,
+      error: r.error,
+    })),
+    evidence: {
+      methodology: `${API_BASE}/methodology/browser-extension`,
+      reportLink: `${API_BASE}/r/${domain}`,
+    },
+  };
+
+  if (json) {
+    console.log(JSON.stringify(manifest, null, 2));
+    return;
+  }
+
+  // Pretty terminal table
+  console.log("");
+  console.log(`  ${color("bold", "Supply-chain HNDL exposure")} for ${color("violet", domain)}`);
+  console.log(`  ${color("dim", `${summary.uniqueOrigins} unique third-party origins · ${summary.totalReferences} references · weakest: ${summary.weakestLink?.host ?? "—"} (${summary.weakestLink?.grade ?? "—"})`)}`);
+  console.log("");
+  console.log(`  ${color("dim", "GRADE  HOST                                          PQC  TYPES")}`);
+  console.log(`  ${color("dim", "─────  ─────────────────────────────────────────  ───  ─────")}`);
+  for (const r of results) {
+    const gradeStr = r.scan?.grade ?? "?";
+    const gradeColored = gradeStr === "A" ? color("green", gradeStr) : gradeStr === "F" || gradeStr === "D" ? color("red", gradeStr) : color("yellow", gradeStr);
+    const host = r.host.length > 41 ? r.host.slice(0, 40) + "…" : r.host.padEnd(41, " ");
+    const pqc = r.scan?.hybridPQC ? color("green", "yes") : color("dim", "no ");
+    const types = r.types.join(",");
+    console.log(`  ${gradeColored.padEnd(8, " ")}  ${host}  ${pqc}  ${color("dim", types)}`);
+  }
+  console.log("");
+  console.log(`  ${color("dim", "Each row scanned via")} ${color("violet", "/api/scan")}${color("dim", " · /methodology/browser-extension explains scoring")}`);
+  console.log("");
+
+  if (lock) {
+    const lockPath = path.join(outDir, "quantapact-deps.lock");
+    const mdPath = path.join(outDir, "quantapact-deps-report.md");
+    try {
+      await fs.mkdir(outDir, { recursive: true });
+      await fs.writeFile(lockPath, JSON.stringify(manifest, null, 2));
+      await fs.writeFile(mdPath, depsManifestToMarkdown(manifest));
+      console.log(`  ${color("bold", "Wrote")} ${color("violet", lockPath)} ${color("dim", "and")} ${color("violet", mdPath)}`);
+      console.log(`  ${color("dim", "Commit these to track third-party crypto posture changes in PR diffs.")}`);
+      console.log("");
+    } catch (err) {
+      console.error(color("red", `error writing lockfile: ${err.message}`));
+      process.exit(1);
+    }
+  }
+}
+
+async function fetchPageHTML(domain) {
+  try {
+    const ctrl = new AbortController();
+    const t = setTimeout(() => ctrl.abort(), 8000);
+    const resp = await fetch(`https://${domain}/`, {
+      method: "GET",
+      redirect: "follow",
+      signal: ctrl.signal,
+      headers: { "User-Agent": `pqcheck-cli/${VERSION} (deps; +https://quantapact.com)` },
+    });
+    clearTimeout(t);
+    if (!resp.ok) return null;
+    return await resp.text();
+  } catch {
+    return null;
+  }
+}
+
+function extractThirdPartyRefs(html, targetDomain) {
+  const out = [];
+  // Patterns: <tag ... attr="..."> — non-greedy, single or double quoted
+  const patterns = [
+    { type: "script", re: /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi },
+    { type: "iframe", re: /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi },
+    { type: "link",   re: /<link\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi },
+    { type: "img",    re: /<img\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi },
+  ];
+  const targetRoot = registeredDomain(targetDomain);
+  for (const { type, re } of patterns) {
+    let m;
+    while ((m = re.exec(html)) !== null) {
+      try {
+        const u = new URL(m[1], `https://${targetDomain}`);
+        if (u.protocol !== "http:" && u.protocol !== "https:") continue;
+        const host = u.hostname.toLowerCase();
+        if (!host || host === targetDomain || registeredDomain(host) === targetRoot) continue;
+        out.push({ host, type });
+      } catch { /* relative URL or malformed */ }
+    }
+  }
+  return out;
+}
+
+// Cheap registered-domain helper — covers common 2-label TLDs (co.uk, com.au, etc.)
+function registeredDomain(host) {
+  const parts = host.split(".");
+  if (parts.length <= 2) return host;
+  const last2 = parts.slice(-2).join(".");
+  const doubleTLDs = new Set([
+    "co.uk", "co.jp", "co.nz", "co.za", "com.au", "com.br", "com.cn", "com.mx",
+    "com.tr", "ne.jp", "ac.uk", "gov.uk", "org.uk", "edu.au", "gov.au",
+  ]);
+  if (doubleTLDs.has(last2)) return parts.slice(-3).join(".");
+  return last2;
+}
+
+function buildDepsSummary(results) {
+  const byGrade = { A: 0, B: 0, C: 0, D: 0, F: 0, "?": 0 };
+  let totalRefs = 0;
+  let scoreSum = 0;
+  let scoreN = 0;
+  let pqcCount = 0;
+  let weakest = null;
+  for (const r of results) {
+    totalRefs += r.occurrences;
+    const g = r.scan?.grade ?? "?";
+    byGrade[g] = (byGrade[g] || 0) + 1;
+    if (typeof r.scan?.score === "number") {
+      scoreSum += r.scan.score;
+      scoreN += 1;
+      if (!weakest || r.scan.score > weakest.score) {
+        weakest = { host: r.host, grade: r.scan.grade, score: r.scan.score };
+      }
+    }
+    if (r.scan?.hybridPQC) pqcCount += 1;
+  }
+  return {
+    uniqueOrigins: results.length,
+    totalReferences: totalRefs,
+    byGrade,
+    averageScore: scoreN > 0 ? Math.round((scoreSum / scoreN) * 10) / 10 : null,
+    hybridPQCCount: pqcCount,
+    weakestLink: weakest,
+  };
+}
+
+function depsManifestToMarkdown(m) {
+  const lines = [];
+  lines.push(`# Supply-chain HNDL exposure: ${m.domain}`);
+  lines.push("");
+  lines.push(`Scanned at \`${m.scannedAt}\` by \`${m.tool}@${m.toolVersion}\`.`);
+  lines.push("");
+  lines.push("## Summary");
+  lines.push("");
+  lines.push(`- **Unique third-party origins:** ${m.summary.uniqueOrigins}`);
+  lines.push(`- **Total references:** ${m.summary.totalReferences}`);
+  lines.push(`- **Average HNDL score:** ${m.summary.averageScore ?? "—"} / 10`);
+  lines.push(`- **Hybrid-PQC origins:** ${m.summary.hybridPQCCount} / ${m.summary.uniqueOrigins}`);
+  if (m.summary.weakestLink) {
+    lines.push(`- **Weakest link:** \`${m.summary.weakestLink.host}\` — grade ${m.summary.weakestLink.grade}, score ${m.summary.weakestLink.score}`);
+  }
+  lines.push("");
+  lines.push("## Grade distribution");
+  lines.push("");
+  lines.push("| Grade | Count |");
+  lines.push("|---|---|");
+  for (const g of ["A", "B", "C", "D", "F", "?"]) {
+    if ((m.summary.byGrade[g] || 0) > 0) lines.push(`| ${g} | ${m.summary.byGrade[g]} |`);
+  }
+  lines.push("");
+  lines.push("## Third parties");
+  lines.push("");
+  lines.push("| Grade | Host | PQC | Types | Occurrences |");
+  lines.push("|---|---|---|---|---|");
+  for (const tp of m.thirdParties) {
+    const grade = tp.scan?.grade ?? "?";
+    const pqc = tp.scan?.hybridPQC ? "yes" : "no";
+    lines.push(`| ${grade} | \`${tp.host}\` | ${pqc} | ${tp.types.join(", ")} | ${tp.occurrences} |`);
+  }
+  lines.push("");
+  lines.push("---");
+  lines.push("");
+  lines.push("*Methodology: [/methodology/browser-extension](" + m.evidence.methodology + "). Re-run `npx pqcheck deps " + m.domain + " --lock` to refresh; commit the lockfile to track changes in pull requests.*");
+  lines.push("");
+  return lines.join("\n");
+}
+
 main().catch((err) => {
   console.error(color("red", `fatal: ${err.message}`));
   process.exit(2);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "description": "Decryption Blast Radius scanner — find out how much of your data unlocks when quantum decryption arrives.",
   "keywords": [
     "post-quantum",