npm - pqcheck - Versions diffs - 0.7.0 → 0.7.2 - Mend

pqcheck 0.7.0 → 0.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/bin/pqcheck.js +59 -30
package/package.json +1 -1

package/bin/pqcheck.js CHANGED Viewed

@@ -7,7 +7,7 @@
 // =============================================================================
 const API_BASE = process.env.PQCHECK_API_BASE || "https://quantapact.com";
-const VERSION = "0.7.0";
+const VERSION = "0.7.2";
 const ANSI = {
   reset:   "\x1b[0m",
@@ -498,41 +498,64 @@ ${color("bold", "pqcheck")} ${color("dim", `v${VERSION}`)}
 Public Surface Blast Radius — quantum-decryption risk for any domain.
-${color("bold", "Usage:")}
+${color("bold", "Commands:")}
   npx pqcheck <domain>                          Scan + print human-readable report
-  npx pqcheck lock <domain>                     Generate quantapact.lock (QXM) for repo commit
-  npx pqcheck deps <domain>                     Scan third-party origins (supply-chain HNDL); --lock for committable manifest
-  npx pqcheck a.com b.com c.com                 Multi-domain scan
-  npx pqcheck <domain> --format json            Raw JSON
-  npx pqcheck <domain> --format markdown        GitHub-issue / Slack-ready Markdown
-  npx pqcheck <domain> --format csv             Spreadsheet-friendly CSV row
-  npx pqcheck <domain> --threshold 7            Exit 2 if score ≥ 7 (CI gate)
-  npx pqcheck <domain> --quiet                  Print just the score number
-  npx pqcheck <domain> --watch [seconds]        Continuously poll and report changes
-  npx pqcheck <domain> --webhook <url>          POST report JSON to URL on each scan
-${color("bold", "Options:")}
+  npx pqcheck lock <domain>                     Generate quantapact.lock (QXM) committable manifest
+  npx pqcheck deps <domain>                     Scan all third-party origins on the page (supply-chain HNDL)
+  npx pqcheck diff <old.lock> <new.lock>        Compare two QXM lockfiles; exit 2 on regression
+  npx pqcheck history <domain>                  Show 90-day score history (sparkline + samples)
+  npx pqcheck cert <file.pem>                   Analyze a local PEM/CRT cert file (offline, no network)
+${color("bold", "Multi-domain:")}
+  npx pqcheck a.com b.com c.com                 Multi-domain scan (positional)
+  npx pqcheck --file domains.txt                Bulk scan from a newline-separated file (# comments allowed)
+${color("bold", "Output formats:")}
+  --format text                                 Human-readable (default)
+  --format json (or --json)                     Raw JSON / NDJSON for multi
+  --format markdown                             GitHub-issue / Slack-ready Markdown
+  --format csv                                  Spreadsheet-friendly CSV row
+  --format sarif                                SARIF 2.1.0 for GitHub Code Scanning upload
+  --gh-action                                   GitHub Actions ::notice/::warning/::error annotations
+${color("bold", "Common flags:")}
   -h, --help                       Show this help
   -v, --version                    Show version
-  --format <text|json|markdown|csv>  Output format (default: text)
-  --json                           Alias for --format json
-  --threshold <0-10>               Exit 2 if score meets or exceeds this
+  --threshold <0-10>               Exit 2 if score meets or exceeds this (CI gate)
   -q, --quiet                      Print only the numeric score
   --watch [seconds]                Poll every N seconds (default 300) and report changes
   --webhook <url>                  POST scan results to a URL (one-shot or each watch tick)
+${color("bold", "Subcommand-specific:")}
+  pqcheck deps:
+    --lock                                       Also write quantapact-deps.lock + .md
+    -o <dir>                                     Output directory for --lock files
+    --max=<N>                                    Max third parties to scan (default 20)
+    --allowlist <file>                           Exit 3 if any third-party not in allowlist (CI gate)
+  pqcheck lock:
+    -o <dir>                                     Output directory
+    --stdout                                     Print JSON to stdout instead of writing files
+  pqcheck history:
+    --days <N>                                   History window (default 90)
+    --json                                       Raw JSON
 ${color("bold", "Exit codes:")}
   0   success
   1   usage / network / scan error
-  2   score met or exceeded --threshold
+  2   score met or exceeded --threshold (or diff regression)
+  3   allowlist violation (deps --allowlist)
 ${color("bold", "Examples:")}
   npx pqcheck chase.com
-  npx pqcheck mycompany.com mythirdparty.com --format csv > posture.csv
   npx pqcheck mybank.com --threshold 7      ${color("dim", "# fail CI if score ≥ 7")}
-  npx pqcheck mybank.com --format markdown >> issue.md
-  npx pqcheck mybank.com --watch 600 --webhook https://hooks.slack.com/services/...
-  echo "score: $(npx pqcheck mybank.com -q)"
+  npx pqcheck deps stripe.com --lock
+  npx pqcheck deps acme.com --allowlist allowed-vendors.txt   ${color("dim", "# CI vendor-risk gate")}
+  npx pqcheck diff main.lock pr.lock        ${color("dim", "# regression detection in PR")}
+  npx pqcheck history quantapact.com
+  npx pqcheck cert ./mycert.pem             ${color("dim", "# offline cert analysis")}
+  npx pqcheck --file domains.txt --format json > scans.ndjson
+  npx pqcheck mybank.com --format sarif > pqcheck.sarif   ${color("dim", "# upload to Code Scanning")}
+  npx pqcheck mybank.com --gh-action        ${color("dim", "# inline PR annotations")}
 Backed by the patented Decryption Blast Radius methodology.
 ${color("violet", "https://quantapact.com")}
@@ -1238,20 +1261,26 @@ async function runHistoryCommand(args) {
   console.log(`  ${color("bold", domain)} ${color("dim", "·")} score history (${days}d, ${sorted.length} samples)`);
   console.log(`  ${color("dim", `range ${min.toFixed(1)} – ${max.toFixed(1)} · trend ${trend}`)}`);
   console.log("");
-  // Compact ASCII sparkline
-  const range = Math.max(0.1, max - min);
-  const ramp = "▁▂▃▄▅▆▇█";
+  // Compact ASCII sparkline (flat → centered dots; varying → ramp blocks)
+  const isFlat = Math.abs(max - min) < 0.05;
   let bar = "";
-  for (const p of sorted) {
-    const idx = Math.min(ramp.length - 1, Math.floor(((p.score - min) / range) * (ramp.length - 1)));
-    bar += ramp[idx];
+  if (isFlat) {
+    bar = "·".repeat(sorted.length);
+  } else {
+    const range = max - min;
+    const ramp = "▁▂▃▄▅▆▇█";
+    for (const p of sorted) {
+      const idx = Math.min(ramp.length - 1, Math.floor(((p.score - min) / range) * (ramp.length - 1)));
+      bar += ramp[idx];
+    }
   }
   console.log(`  ${color("violet", bar)}`);
   console.log("");
-  // Tail of recent samples
+  // Tail of recent samples — accept either recordedAt or scannedAt or date
   console.log(`  ${color("dim", "Recent samples (most-recent first):")}`);
   for (const p of points.slice(0, 8)) {
-    const date = (p.scannedAt || p.date || "").slice(0, 10);
+    const dateRaw = p.recordedAt || p.scannedAt || p.date || "";
+    const date = String(dateRaw).slice(0, 10) || "—".padEnd(10, " ");
     console.log(`    ${color("dim", date)}  score ${color("bold", p.score?.toFixed(1) ?? "?")}  grade ${p.grade ?? "?"}`);
   }
   console.log("");

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.7.0",
+  "version": "0.7.2",
   "description": "Decryption Blast Radius scanner — find out how much of your data unlocks when quantum decryption arrives.",
   "keywords": [
     "post-quantum",