pqcheck 0.6.0 → 0.7.0

package/bin/pqcheck.js

@@ -7,7 +7,7 @@
 // =============================================================================
 
 const API_BASE = process.env.PQCHECK_API_BASE || "https://quantapact.com";
-const VERSION = "0.6.0";
+const VERSION = "0.7.0";
 
 const ANSI = {
   reset:   "\x1b[0m",
@@ -41,10 +41,38 @@ async function main() {
   if (args[0] === "deps") {
     return runDepsCommand(args.slice(1));
   }
+  if (args[0] === "diff") {
+    return runDiffCommand(args.slice(1));
+  }
+  if (args[0] === "history") {
+    return runHistoryCommand(args.slice(1));
+  }
+  if (args[0] === "cert") {
+    return runCertCommand(args.slice(1));
+  }
+
+  // Multi-domain support: positional args are domains.
+  // --file reads additional domains from a newline-delimited file.
+  const fileFlagIdx = args.indexOf("--file");
+  let fileDomains = [];
+  if (fileFlagIdx >= 0) {
+    const filePath = args[fileFlagIdx + 1];
+    if (!filePath) {
+      console.error(color("red", "error: --file requires a path argument"));
+      process.exit(1);
+    }
+    try {
+      const fs = await import("node:fs/promises");
+      const raw = await fs.readFile(filePath, "utf8");
+      fileDomains = raw.split(/\r?\n/).map((l) => l.trim()).filter((l) => l && !l.startsWith("#"));
+    } catch (err) {
+      console.error(color("red", `error reading --file ${filePath}: ${err.message}`));
+      process.exit(1);
+    }
+  }
 
-  // Multi-domain support: any non-flag positional arg is a domain
   const positional = args.filter((a) => !a.startsWith("-") && !isFlagValue(args, a));
-  const domains = positional
+  const domains = [...positional, ...fileDomains]
     .map((a) => normalizeDomain(a))
     .filter((d) => !!d);
 
@@ -140,6 +168,10 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi
     printCsvRow(report);
   } else if (format === "markdown") {
     printMarkdown(report, multi);
+  } else if (format === "sarif") {
+    console.log(JSON.stringify(reportToSarif(report), null, 2));
+  } else if (format === "gh-action") {
+    printGitHubActionAnnotations(report);
   } else {
     if (multi) console.log(color("dim", `\n──── ${domain} ────`));
     printReport(report);
@@ -228,15 +260,18 @@ function isFlagValue(args, val) {
   const idx = args.indexOf(val);
   if (idx <= 0) return false;
   const prev = args[idx - 1];
-  return prev === "--threshold" || prev === "--format" || prev === "--watch" || prev === "--webhook";
+  return prev === "--threshold" || prev === "--format" || prev === "--watch" || prev === "--webhook" || prev === "--file" || prev === "-o" || prev === "--allowlist";
 }
 
 function parseFormat(args) {
   if (args.includes("--json")) return "json"; // back-compat alias
+  if (args.includes("--gh-action")) return "gh-action"; // GitHub Actions annotation format
   const i = args.indexOf("--format");
   if (i === -1) return "text";
   const v = (args[i + 1] || "").toLowerCase();
-  if (v === "json" || v === "csv" || v === "markdown" || v === "md") return v === "md" ? "markdown" : v;
+  if (v === "json" || v === "csv" || v === "markdown" || v === "md" || v === "sarif" || v === "gh-action") {
+    return v === "md" ? "markdown" : v;
+  }
   return "text";
 }
 
@@ -772,6 +807,23 @@ async function runDepsCommand(args) {
   const maxArg = args.find((a) => a.startsWith("--max="));
   const maxThirdParties = maxArg ? Math.max(1, parseInt(maxArg.slice(6), 10) || 20) : 20;
 
+  // Allowlist support: --allowlist <path> reads newline-separated host patterns.
+  // If a third-party host is NOT in the allowlist, the scan exits non-zero with code 3.
+  // Useful as a CI gate for vendor-risk teams: "fail PR if any unapproved third-party appears."
+  const allowlistIdx = args.indexOf("--allowlist");
+  let allowlist = null;
+  if (allowlistIdx >= 0) {
+    const allowlistPath = args[allowlistIdx + 1];
+    try {
+      const fs2 = await import("node:fs/promises");
+      const raw = await fs2.readFile(allowlistPath, "utf8");
+      allowlist = new Set(raw.split(/\r?\n/).map(l => l.trim().toLowerCase()).filter(l => l && !l.startsWith("#")));
+    } catch (err) {
+      console.error(color("red", `error reading --allowlist: ${err.message}`));
+      process.exit(1);
+    }
+  }
+
   const positional = args.filter((a) => !a.startsWith("-") && a !== outDir);
   const domain = positional.length > 0 ? normalizeDomain(positional[0]) : null;
   if (!domain || !isValidDomain(domain)) {
@@ -916,6 +968,23 @@ async function runDepsCommand(args) {
       process.exit(1);
     }
   }
+
+  // Allowlist gate: exit non-zero if any third-party host isn't in the allowlist.
+  if (allowlist) {
+    const violations = results.filter(r => !allowlist.has(r.host));
+    if (violations.length > 0) {
+      if (!json) {
+        console.error("");
+        console.error(color("red", `  ✗ Allowlist violation: ${violations.length} third-party origin(s) not in allowlist:`));
+        for (const v of violations) console.error(`    - ${v.host}`);
+        console.error("");
+      }
+      process.exit(3);
+    } else if (!json) {
+      console.log(`  ${color("green", "✓")} ${color("dim", "All third-party origins on allowlist.")}`);
+      console.log("");
+    }
+  }
 }
 
 async function fetchPageHTML(domain) {
@@ -1045,6 +1114,334 @@ function depsManifestToMarkdown(m) {
   return lines.join("\n");
 }
 
+// =============================================================================
+// SARIF + GitHub Action output formats
+// =============================================================================
+
+function reportToSarif(report) {
+  // SARIF 2.1.0 minimal schema for security findings.
+  // Spec: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
+  const findings = Array.isArray(report.findings) ? report.findings : [];
+  const sevMap = { critical: "error", high: "error", medium: "warning", low: "note" };
+  return {
+    $schema: "https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/schemas/sarif-schema-2.1.0.json",
+    version: "2.1.0",
+    runs: [{
+      tool: {
+        driver: {
+          name: "pqcheck",
+          version: VERSION,
+          informationUri: "https://quantapact.com",
+          rules: findings.map((f, i) => ({
+            id: `pqcheck-${i + 1}`,
+            name: (f.title || "finding").replace(/[^A-Za-z0-9]/g, "_"),
+            shortDescription: { text: f.title || "finding" },
+            fullDescription: { text: f.detail || f.title || "finding" },
+            defaultConfiguration: { level: sevMap[f.severity] || "note" },
+          })),
+        },
+      },
+      results: findings.map((f, i) => ({
+        ruleId: `pqcheck-${i + 1}`,
+        level: sevMap[f.severity] || "note",
+        message: { text: `${f.title || "finding"}${f.detail ? ` — ${f.detail}` : ""}` },
+        locations: [{
+          physicalLocation: {
+            artifactLocation: { uri: `https://${report.domain || ""}` },
+          },
+        }],
+        properties: {
+          domain: report.domain,
+          score: report.score,
+          grade: report.grade,
+          severity: f.severity,
+        },
+      })),
+      properties: {
+        score: report.score,
+        grade: report.grade,
+        domain: report.domain,
+      },
+    }],
+  };
+}
+
+function printGitHubActionAnnotations(report) {
+  // GitHub Actions workflow command syntax: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions
+  const findings = Array.isArray(report.findings) ? report.findings : [];
+  const sevMap = { critical: "error", high: "error", medium: "warning", low: "notice" };
+  // Top-line score/grade as a notice
+  console.log(`::notice title=Quantapact: ${report.domain}::Grade ${report.grade || "?"} · score ${report.score ?? "?"} / 10`);
+  for (const f of findings) {
+    const cmd = sevMap[f.severity] || "notice";
+    const title = (f.title || "finding").replace(/[\r\n]/g, " ");
+    const msg = (f.detail || f.title || "").replace(/[\r\n]/g, " ").replace(/::/g, ":");
+    console.log(`::${cmd} title=${title}::${msg}`);
+  }
+}
+
+// =============================================================================
+// `pqcheck history` — show recent score history for a domain
+// =============================================================================
+
+async function runHistoryCommand(args) {
+  const json = args.includes("--json");
+  const positional = args.filter((a) => !a.startsWith("-"));
+  const domain = positional.length > 0 ? normalizeDomain(positional[0]) : null;
+  if (!domain || !isValidDomain(domain)) {
+    console.error(color("red", "error: pqcheck history requires a valid domain"));
+    console.error(color("dim", "Usage: npx pqcheck history <domain> [--json]"));
+    process.exit(1);
+  }
+  const days = (() => {
+    const i = args.indexOf("--days");
+    if (i === -1) return 90;
+    const n = parseInt(args[i + 1] || "90", 10);
+    return Number.isFinite(n) && n > 0 && n <= 365 ? n : 90;
+  })();
+
+  let h;
+  try {
+    const r = await fetch(`${API_BASE}/api/history?domain=${encodeURIComponent(domain)}&days=${days}`, {
+      headers: { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION} (history)` },
+    });
+    if (!r.ok) {
+      console.error(color("red", `error: ${r.status} ${r.statusText}`));
+      process.exit(1);
+    }
+    h = await r.json();
+  } catch (err) {
+    console.error(color("red", `error: ${err.message}`));
+    process.exit(1);
+  }
+
+  if (json) {
+    console.log(JSON.stringify(h, null, 2));
+    return;
+  }
+
+  const points = Array.isArray(h?.points) ? h.points : [];
+  if (points.length === 0) {
+    console.log(`  ${color("violet", domain)} ${color("dim", "·")} no history found`);
+    console.log(color("dim", "  (need at least one previous scan; try `npx pqcheck " + domain + "` first)"));
+    return;
+  }
+  const sorted = points.slice().reverse(); // oldest → newest
+  const first = sorted[0].score;
+  const last = sorted[sorted.length - 1].score;
+  const delta = last - first;
+  const min = Math.min(...sorted.map(p => p.score));
+  const max = Math.max(...sorted.map(p => p.score));
+  const trend = Math.abs(delta) < 0.1 ? "→ flat" : delta > 0 ? `↑ +${delta.toFixed(1)} (worsened)` : `↓ ${delta.toFixed(1)} (improved)`;
+
+  console.log("");
+  console.log(`  ${color("bold", domain)} ${color("dim", "·")} score history (${days}d, ${sorted.length} samples)`);
+  console.log(`  ${color("dim", `range ${min.toFixed(1)} – ${max.toFixed(1)} · trend ${trend}`)}`);
+  console.log("");
+  // Compact ASCII sparkline
+  const range = Math.max(0.1, max - min);
+  const ramp = "▁▂▃▄▅▆▇█";
+  let bar = "";
+  for (const p of sorted) {
+    const idx = Math.min(ramp.length - 1, Math.floor(((p.score - min) / range) * (ramp.length - 1)));
+    bar += ramp[idx];
+  }
+  console.log(`  ${color("violet", bar)}`);
+  console.log("");
+  // Tail of recent samples
+  console.log(`  ${color("dim", "Recent samples (most-recent first):")}`);
+  for (const p of points.slice(0, 8)) {
+    const date = (p.scannedAt || p.date || "").slice(0, 10);
+    console.log(`    ${color("dim", date)}  score ${color("bold", p.score?.toFixed(1) ?? "?")}  grade ${p.grade ?? "?"}`);
+  }
+  console.log("");
+}
+
+// =============================================================================
+// `pqcheck diff` — diff two QXM lockfiles
+// =============================================================================
+
+async function runDiffCommand(args) {
+  const fs = await import("node:fs/promises");
+  const json = args.includes("--json");
+  const positional = args.filter((a) => !a.startsWith("-"));
+  if (positional.length !== 2) {
+    console.error(color("red", "error: pqcheck diff requires two lockfile paths"));
+    console.error(color("dim", "Usage: npx pqcheck diff old.lock new.lock [--json]"));
+    process.exit(1);
+  }
+  let oldLock, newLock;
+  try {
+    oldLock = JSON.parse(await fs.readFile(positional[0], "utf8"));
+    newLock = JSON.parse(await fs.readFile(positional[1], "utf8"));
+  } catch (err) {
+    console.error(color("red", `error reading lockfile: ${err.message}`));
+    process.exit(1);
+  }
+
+  const diff = computeLockDiff(oldLock, newLock);
+  if (json) {
+    console.log(JSON.stringify(diff, null, 2));
+    process.exit(diff.regressed ? 2 : 0);
+  }
+
+  console.log("");
+  console.log(`  ${color("bold", "Quantapact lockfile diff")}`);
+  console.log(`  ${color("dim", `${positional[0]} → ${positional[1]}`)}`);
+  console.log("");
+  if (diff.scoreChange !== null) {
+    const arrow = diff.scoreChange > 0 ? color("red", "↑") : diff.scoreChange < 0 ? color("green", "↓") : color("dim", "→");
+    const direction = diff.scoreChange > 0 ? "worsened" : diff.scoreChange < 0 ? "improved" : "unchanged";
+    console.log(`  Score: ${color("bold", diff.oldScore?.toFixed(1) ?? "?")} → ${color("bold", diff.newScore?.toFixed(1) ?? "?")} ${arrow} ${diff.scoreChange.toFixed(1)} (${direction})`);
+  }
+  if (diff.gradeChange) {
+    const colored = diff.regressed ? color("red", diff.newGrade) : color("green", diff.newGrade);
+    console.log(`  Grade: ${diff.oldGrade ?? "?"} → ${colored}`);
+  }
+  if (diff.componentChanges?.length > 0) {
+    console.log("");
+    console.log(`  ${color("dim", "Component changes:")}`);
+    for (const c of diff.componentChanges) {
+      const arrow = c.change > 0 ? color("red", "↑") : color("green", "↓");
+      console.log(`    ${c.name.padEnd(20, " ")} ${c.before?.toFixed(2) ?? "?"} → ${c.after?.toFixed(2) ?? "?"}  ${arrow} ${Math.abs(c.change).toFixed(2)}`);
+    }
+  }
+  if (diff.findingsAdded?.length > 0) {
+    console.log("");
+    console.log(`  ${color("red", "+ New findings:")}`);
+    for (const f of diff.findingsAdded) console.log(`    [${f.severity}] ${f.title}`);
+  }
+  if (diff.findingsResolved?.length > 0) {
+    console.log("");
+    console.log(`  ${color("green", "- Resolved findings:")}`);
+    for (const f of diff.findingsResolved) console.log(`    [${f.severity}] ${f.title}`);
+  }
+  console.log("");
+  process.exit(diff.regressed ? 2 : 0);
+}
+
+function computeLockDiff(oldLock, newLock) {
+  const oldScore = typeof oldLock?.score === "number" ? oldLock.score : oldLock?.summary?.score;
+  const newScore = typeof newLock?.score === "number" ? newLock.score : newLock?.summary?.score;
+  const oldGrade = oldLock?.grade || oldLock?.summary?.grade;
+  const newGrade = newLock?.grade || newLock?.summary?.grade;
+  const scoreChange = (typeof oldScore === "number" && typeof newScore === "number") ? Math.round((newScore - oldScore) * 100) / 100 : null;
+  const componentChanges = [];
+  const oldComp = oldLock?.components || {};
+  const newComp = newLock?.components || {};
+  for (const k of Object.keys({ ...oldComp, ...newComp })) {
+    const before = typeof oldComp[k]?.contribution === "number" ? oldComp[k].contribution : null;
+    const after = typeof newComp[k]?.contribution === "number" ? newComp[k].contribution : null;
+    if (before !== null && after !== null && Math.abs(after - before) >= 0.05) {
+      componentChanges.push({ name: k, before, after, change: Math.round((after - before) * 100) / 100 });
+    }
+  }
+  // Findings comparison by title
+  const oldFindings = Array.isArray(oldLock?.findings) ? oldLock.findings : [];
+  const newFindings = Array.isArray(newLock?.findings) ? newLock.findings : [];
+  const oldTitles = new Set(oldFindings.map(f => f.title));
+  const newTitles = new Set(newFindings.map(f => f.title));
+  const findingsAdded = newFindings.filter(f => !oldTitles.has(f.title));
+  const findingsResolved = oldFindings.filter(f => !newTitles.has(f.title));
+  const regressed = (typeof scoreChange === "number" && scoreChange > 0.1) || findingsAdded.some(f => f.severity === "high" || f.severity === "critical");
+  return {
+    oldScore, newScore, oldGrade, newGrade, scoreChange,
+    gradeChange: oldGrade !== newGrade,
+    componentChanges,
+    findingsAdded, findingsResolved,
+    regressed,
+  };
+}
+
+// =============================================================================
+// `pqcheck cert <pem-file>` — analyze a local cert file (offline)
+// =============================================================================
+
+async function runCertCommand(args) {
+  const fs = await import("node:fs/promises");
+  const crypto = await import("node:crypto");
+  const json = args.includes("--json");
+  const positional = args.filter((a) => !a.startsWith("-"));
+  if (positional.length === 0) {
+    console.error(color("red", "error: pqcheck cert requires a cert file path"));
+    console.error(color("dim", "Usage: npx pqcheck cert <path-to-pem-or-crt> [--json]"));
+    process.exit(1);
+  }
+
+  let pemData;
+  try {
+    pemData = await fs.readFile(positional[0], "utf8");
+  } catch (err) {
+    console.error(color("red", `error reading cert file: ${err.message}`));
+    process.exit(1);
+  }
+
+  let cert;
+  try {
+    cert = new crypto.X509Certificate(pemData);
+  } catch (err) {
+    console.error(color("red", `error parsing cert: ${err.message}`));
+    console.error(color("dim", "Expected a PEM-encoded X.509 cert (.pem, .crt, .cer)."));
+    process.exit(1);
+  }
+
+  const validFrom = new Date(cert.validFrom);
+  const validTo = new Date(cert.validTo);
+  const daysLeft = Math.round((validTo.getTime() - Date.now()) / (1000 * 60 * 60 * 24));
+  const sigAlg = (cert.publicKey?.asymmetricKeyType || "unknown").toUpperCase();
+  const keyBits = cert.publicKey?.asymmetricKeyDetails?.modulusLength || cert.publicKey?.asymmetricKeyDetails?.namedCurve || "?";
+  const sans = (cert.subjectAltName || "").split(",").map(s => s.trim()).filter(Boolean);
+  const isWildcard = sans.some(s => s.includes("*."));
+
+  // Quantum exposure assessment
+  let quantumNote;
+  if (sigAlg === "RSA" && Number(keyBits) >= 2048) {
+    quantumNote = "RSA-" + keyBits + " — broken by Shor's algorithm once a CRQC exists";
+  } else if (sigAlg === "EC" || sigAlg === "ECDSA") {
+    quantumNote = "ECDSA (" + keyBits + ") — broken by Shor's algorithm once a CRQC exists";
+  } else if (sigAlg === "ED25519") {
+    quantumNote = "Ed25519 — broken by Shor's algorithm once a CRQC exists";
+  } else {
+    quantumNote = sigAlg + " — quantum exposure unknown";
+  }
+
+  const result = {
+    file: positional[0],
+    subject: cert.subject,
+    issuer: cert.issuer,
+    serialNumber: cert.serialNumber,
+    validFrom: validFrom.toISOString(),
+    validTo: validTo.toISOString(),
+    daysUntilExpiry: daysLeft,
+    keyAlgorithm: sigAlg,
+    keyBits,
+    sans,
+    isWildcard,
+    isCA: cert.ca,
+    quantumExposure: quantumNote,
+  };
+
+  if (json) {
+    console.log(JSON.stringify(result, null, 2));
+    return;
+  }
+
+  console.log("");
+  console.log(`  ${color("bold", "Cert analysis")}: ${color("violet", positional[0])}`);
+  console.log("");
+  console.log(`  Subject:    ${cert.subject}`);
+  console.log(`  Issuer:     ${cert.issuer}`);
+  console.log(`  Valid:      ${validFrom.toISOString().slice(0, 10)} → ${validTo.toISOString().slice(0, 10)} (${daysLeft} days remaining)`);
+  console.log(`  Serial:     ${cert.serialNumber}`);
+  console.log(`  Key:        ${sigAlg}-${keyBits}`);
+  console.log(`  SANs (${sans.length}): ${sans.slice(0, 4).join(", ")}${sans.length > 4 ? ", ..." : ""}`);
+  console.log(`  Wildcard:   ${isWildcard ? "yes" : "no"}`);
+  console.log(`  CA cert:    ${cert.ca ? "yes" : "no"}`);
+  console.log("");
+  console.log(`  ${color("yellow", "Quantum exposure:")} ${quantumNote}`);
+  console.log("");
+}
+
 main().catch((err) => {
   console.error(color("red", `fatal: ${err.message}`));
   process.exit(2);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.6.0",
+  "version": "0.7.0",
   "description": "Decryption Blast Radius scanner — find out how much of your data unlocks when quantum decryption arrives.",
   "keywords": [
     "post-quantum",