pqcheck 0.7.2 → 0.7.3

package/README.md

@@ -1,78 +1,139 @@
 # pqcheck
 
-> **Public Surface Blast Radius scanner** — find out how much of your data unlocks when quantum decryption arrives.
+> **Decryption Blast Radius scanner** — find out how much of your data unlocks when quantum decryption arrives.
 
 ```bash
-npx pqcheck chase.com
+npx pqcheck stripe.com
 ```
 
-That's it. No install. Works from any terminal with Node 18+.
+Zero install. Works in any terminal with Node 18+. Free, no signup, no API key.
+
+The same scanner that powers [quantapact.com](https://quantapact.com), the browser extension, and the GitHub Action.
 
 ---
 
 ## What it does
 
-`pqcheck` scans any HTTPS domain and computes its **Decryption Blast Radius Score** — the first continuous metric for harvest-now-decrypt-later (HNDL) risk. Every other TLS scanner answers "is post-quantum cryptography enabled?" with a yes/no. `pqcheck` answers the question that actually matters: *if an adversary harvests this traffic today and decrypts it in 2035, how much past + future data unlocks?*
+`pqcheck` scans any HTTPS domain and computes its **Decryption Blast Radius score** — the first continuous metric for harvest-now-decrypt-later (HNDL) risk. Every other TLS scanner answers "is post-quantum cryptography enabled?" with yes/no. `pqcheck` answers the question that actually matters: *if an adversary harvests this traffic today and decrypts it in 2035, how much past + future data unlocks?*
 
 The score combines (Quantum / cert findings — our differentiator):
 - **Public-key reuse across rotations** — detects when the same private key has been live across multiple cert renewals (often 4+ years at large enterprises). **★ Unique to pqcheck — no other ASM/TLS scanner surfaces this.**
 - **Cipher-class probing** — does the server accept RSA fallback even if it prefers ECDHE?
 - **Certificate chain analysis** — including the intermediate cert (the chain's actual quantum failure point)
 - **Subject scale** — wildcard certs and subdomain count multiplying the blast radius
+- **Hybrid PQC TLS detection** — credits servers using `X25519MLKEM768` with a methodology-aware discount
 
-Plus a full ASM check suite for credibility (so the report doesn't feel narrow):
-- **Email security** — SPF, DMARC, DKIM (15 selectors probed), BIMI
-- **HTTP header security** — HSTS (with preload + max-age), CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP
-- **Subdomain takeover detection** — fingerprint-based scan against AWS S3, GitHub Pages, Heroku, Shopify, Fastly, and 5+ other commonly-orphaned services
+Plus a full ASM check suite for credibility:
+- **Email security** — SPF, DMARC, DKIM (~30 selectors probed including Resend/Mailgun/SES/etc.), BIMI
+- **HTTP header security** — HSTS (with preload + max-age), CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP, CORP
+- **Subdomain takeover detection** — fingerprint-based scan against AWS S3, GitHub Pages, Heroku, Shopify, Fastly, etc.
 
-## Example
+## Commands
 
 ```
-$ npx pqcheck chase.com
+npx pqcheck <domain>                          Scan + print human-readable report
+npx pqcheck lock <domain>                     Generate quantapact.lock (QXM) committable manifest
+npx pqcheck deps <domain>                     Scan all third-party origins on the page (supply-chain HNDL)
+npx pqcheck diff <old.lock> <new.lock>        Compare two QXM lockfiles; exit 2 on regression
+npx pqcheck history <domain>                  Show 90-day score history (sparkline + samples)
+npx pqcheck cert <file.pem>                   Analyze a local PEM/CRT cert file (offline, no network)
+```
 
-  chase.com
-  ─────────────────────────────────────
-  PUBLIC SURFACE BLAST RADIUS: 5.6 / 10 (MEDIUM)
+### Multi-domain
 
-  Public surface signals:
-  • TLS:           TLSv1.3 (TLS_AES_128_GCM_SHA256)
-  • Hybrid PQC:    no
-  • Cert expires:  in 127 days
-  • HSTS:          not detected
-  • Subdomains:    47 (wildcard cert)
+```
+npx pqcheck a.com b.com c.com                 Multi-domain scan (positional)
+npx pqcheck --file domains.txt                Bulk scan from a newline-separated file (# comments allowed)
+```
 
-  Findings:
-  [HIGH] Same RSA-2048 key reused for 4.2 years across 3 cert rotations
-  [HIGH] ECDHE-only — quantum-vulnerable key exchange
-  [MED]  Wildcard cert spans 47 subdomains
+### Output formats
 
-  ⚠  This is the PUBLIC surface only.
-  Internal Blast Radius is typically 12–40× the public score.
+| Format | Use case |
+|---|---|
+| `--format text` *(default)* | Human-readable terminal output |
+| `--format json` (or `--json`) | Raw JSON for piping; NDJSON for multi-domain |
+| `--format markdown` | GitHub-issue / Slack-ready Markdown |
+| `--format csv` | Spreadsheet-friendly CSV row |
+| `--format sarif` | SARIF 2.1.0 for upload to GitHub Code Scanning |
+| `--gh-action` | GitHub Actions `::notice/::warning/::error` annotations |
 
-  Plain-English impact:
-  If quantum decryption arrives in 2030–2040, harvested traffic from
-  chase.com (US banks) would unlock 4.2 years of session data, across
-  47 subdomains under one wildcard cert.
+### Common flags
 
-  → Full report: https://quantapact.com/?check=chase.com
-```
+| Flag | Purpose |
+|---|---|
+| `-h`, `--help` | Show help |
+| `-v`, `--version` | Show version |
+| `--threshold <0-10>` | Exit 2 if score meets or exceeds this (CI gate) |
+| `-q`, `--quiet` | Print only the numeric score |
+| `--watch [seconds]` | Poll every N seconds (default 300) and report changes |
+| `--webhook <url>` | POST scan results to a URL (one-shot or each watch tick) |
 
-## Usage
+### Subcommand-specific flags
 
-```
-npx pqcheck <domain>                      Scan and print human-readable report
-npx pqcheck lock <domain>                 Generate quantapact.lock (QXM artifact for repos)
-npx pqcheck <domain> --format json        Output raw JSON for piping / scripting
-npx pqcheck <domain> --format markdown    Output GitHub-issue / Slack-ready Markdown
-npx pqcheck <domain> --threshold 7        Exit 2 if score ≥ 7 (CI gate)
-npx pqcheck <domain> --quiet              Print only the numeric score
-npx pqcheck <domain> --watch [seconds]    Continuously poll and report changes
-npx pqcheck <domain> --webhook <url>      POST results to a URL on each scan
-npx pqcheck --help                        Show all options
-npx pqcheck --version                     Show version
+**`pqcheck deps`:**
+- `--lock` — Also write `quantapact-deps.lock` + `.md`
+- `-o <dir>` — Output directory for `--lock` files
+- `--max=<N>` — Max third parties to scan (default 20)
+- `--allowlist <file>` — Exit **3** if any third-party not in allowlist (CI vendor-risk gate)
+
+**`pqcheck lock`:**
+- `-o <dir>` — Output directory
+- `--stdout` — Print JSON to stdout instead of writing files
+
+**`pqcheck history`:**
+- `--days <N>` — History window (default 90)
+- `--json` — Raw JSON output
+
+### Exit codes
+
+| Code | Meaning |
+|---|---|
+| `0` | Success |
+| `1` | Usage / network / scan error |
+| `2` | Score met or exceeded `--threshold`, or `diff` detected regression |
+| `3` | Allowlist violation (`pqcheck deps --allowlist`) |
+
+## Examples
+
+```bash
+# Quick scan
+npx pqcheck stripe.com
+
+# CI gate — fail if score >= 7
+npx pqcheck mybank.com --threshold 7
+
+# Generate committable QXM lockfile (like SBOM, but for quantum exposure)
+npx pqcheck lock mycompany.com
+
+# Track posture changes in PRs by diffing lockfiles
+npx pqcheck diff main.lock pr.lock
+
+# Supply-chain HNDL — scan all third-party scripts/iframes on a page
+npx pqcheck deps mycompany.com --lock
+
+# Vendor-risk CI gate — fail PR if any third-party not in allowlist
+npx pqcheck deps mycompany.com --allowlist allowed-vendors.txt
+
+# Score history sparkline
+npx pqcheck history mycompany.com
+
+# Offline cert analysis (no network)
+npx pqcheck cert ./mycert.pem
+
+# Bulk scan from list, NDJSON output
+npx pqcheck --file domains.txt --format json > scans.ndjson
+
+# Upload findings to GitHub Code Scanning
+npx pqcheck mybank.com --format sarif > pqcheck.sarif
+
+# GitHub Actions inline PR annotations
+npx pqcheck mybank.com --gh-action
+
+# Watch mode — poll, alert via webhook on change
+npx pqcheck mybank.com --watch 600 --webhook https://hooks.slack.com/...
 ```
 
-### QXM — Quantum Exposure Manifest (commit-able to your repo)
+### QXM — Quantum Exposure Manifest
 
 Like SBOM, `package-lock.json`, or `cargo audit` outputs — track quantum exposure as a versioned artifact in your repo. Diffs surface real changes in pull requests.
 
@@ -83,97 +144,95 @@ npx pqcheck lock yourcompany.com
 #   quantapact-report.md     — human-readable summary (renders on GitHub)
 ```
 
-Commit both files. Re-run `npx pqcheck lock` whenever you want to refresh; the diff in the next PR shows what changed (score, findings, key-reuse window).
+Commit both files. Use `npx pqcheck diff old.lock new.lock` in CI to surface regressions in PR comments.
 
-**In CI:**
+Schema documented at [quantapact.com/schemas/qxm/v1](https://quantapact.com/methodology/qxm).
 
-```yaml
-- name: Refresh QXM lockfile
-  run: npx pqcheck@latest lock yourcompany.com
-- name: Fail if score regressed
-  run: npx pqcheck@latest yourcompany.com --threshold 7
+### Supply-chain dependency scanning
+
+```bash
+npx pqcheck deps stripe.com
+# Output: every third-party origin on stripe.com (analytics, CDN, fonts, etc.) graded for quantum risk
 ```
 
-The lockfile schema is documented at [quantapact.com/schemas/qxm/v1](https://quantapact.com/methodology) and is intended to be stable across CLI versions.
+Add `--lock` to write `quantapact-deps.lock` + `.md` for committing or PR comparison. Add `--allowlist file.txt` to gate CI on vendor approval.
 
-### Exit codes
+## Companion surfaces
 
-| Code | Meaning |
-|------|---------|
-| 0    | Success — score below threshold (or no threshold set) |
-| 1    | Usage / network / scan error |
-| 2    | Score met or exceeded `--threshold` |
+This CLI is one of four ways to consume the [Decryption Blast Radius API](https://quantapact.com/api):
 
-### CI integration
+| Surface | Where |
+|---|---|
+| **CLI** (this package) | `npx pqcheck` |
+| **Browser extension** | Chrome Web Store / Firefox AMO / Edge — toolbar badge per tab + dependency analysis |
+| **GitHub Action** | [`quantapact/pqcheck/action@main`](https://github.com/quantapact/pqcheck/tree/main/action) — PR comments, SARIF upload, lockfile generation |
+| **Slack `/pqcheck`** | [Install on workspace](https://quantapact.com/install-slack) |
+| **Web** | [quantapact.com](https://quantapact.com) — share-friendly URLs at `/r/<domain>` |
 
-The `--threshold` flag turns `pqcheck` into a quantum-risk gate for any pipeline:
+## Public API
 
-```yaml
-# .github/workflows/quantum-risk-gate.yml
-- name: Check public-surface quantum-decryption risk
-  run: npx pqcheck mycompany.com --threshold 7
-```
-
-If the score is 7.0 or higher, the step fails and the PR can't merge.
+`pqcheck` is a wrapper around the public Quantapact API. You can also call the API directly:
 
-For GitHub Actions specifically, there's also a [first-class action](https://github.com/mzon7/quantapact/tree/main/action) with `score` / `grade` / `report-url` outputs:
-
-```yaml
-- uses: mzon7/quantapact/action@main
-  with:
-    domain: mycompany.com
-    threshold: '7'
+```bash
+curl -s "https://www.quantapact.com/api/scan?domain=stripe.com" | jq '.grade, .score'
 ```
 
-For finer control, combine `--quiet` with shell logic:
+Full API reference at [quantapact.com/api](https://quantapact.com/api).
 
-```bash
-SCORE=$(npx pqcheck mybank.com --quiet)
-echo "Public surface blast radius: $SCORE / 10"
-```
+**Rate limit:** ~60 requests/minute per IP. No API key required. Returns HTTP 429 if exceeded — back off and retry.
 
-Or grab the full JSON for richer analysis:
+## Methodology
 
-```bash
-npx pqcheck mybank.com --format json | jq '.findings[] | select(.severity=="high")'
-```
+Decryption Blast Radius scoring methodology is fully open. Component weights, PQC discount math, the "what we DON'T claim" sections, edge cases — all documented:
 
-## Web version
+- [Decryption Blast Radius](https://quantapact.com/methodology/decryption-blast-radius) — core methodology
+- [Score components](https://quantapact.com/methodology/score-components) — the 4-bar weighted breakdown + PQC discount
+- [QXM lockfile schema](https://quantapact.com/methodology/qxm) — committable manifest format
+- [Browser extension methodology](https://quantapact.com/methodology/browser-extension) — supply-chain HNDL detection logic
+- [Methodology library](https://quantapact.com/methodology) — full index
 
-Same scanner, browser-friendly UI: **[quantapact.com](https://quantapact.com)**
+## Versioning + stability
 
-Shareable per-domain reports at `quantapact.com/r/<domain>` — the URL unfurls in Twitter / Slack / LinkedIn with a dynamically-generated card showing the grade.
+We don't break the API contract. New fields are added; old fields are preserved. If we ever need a breaking change, it ships at `/api/v2/scan` with a deprecation timeline.
 
-## Public leaderboard
+The CLI follows the same policy — output formats are stable across minor versions.
 
-Sector rankings updated nightly across:
+## Privacy
 
-- US Banks (20 peers)
-- US Healthcare Systems (20 peers)
-- Major SaaS / Cloud Platforms (30 peers)
-- US Federal Government (25 peers)
-- Major EU & UK Banks (25 peers)
-- US Defense Contractors (15 peers)
-- Global Automakers (15 peers)
-- Global News & Media (15 peers)
-- US Telecom & ISPs (15 peers)
-- US Airlines (10 peers)
-- UK Government & Public Services (15 peers)
+`pqcheck` sends the domain you scan to `quantapact.com/api/scan` (so the TLS handshake can be performed from the public internet). No other data is sent — no email, no client-side identifier. The server logs anonymized analytics: domain, hashed IP (for rate limiting), user-agent. We don't track individual users across scans. See [quantapact.com/privacy](https://quantapact.com/privacy).
 
-→ **[quantapact.com/leaderboard.html](https://quantapact.com/leaderboard.html)**
+## CI integration
 
-## Methodology
+```yaml
+# .github/workflows/quantum-risk-gate.yml
+- name: Quantapact public-surface gate
+  run: npx pqcheck@latest mycompany.com --threshold 7
+```
 
-The Decryption Blast Radius scoring methodology is fully open and documented at **[quantapact.com/methodology](https://quantapact.com/methodology)**. Citable; methodology paper coming soon.
+For richer integration (sticky PR comments, SARIF upload to Code Scanning, lockfile diff on regression), use the [GitHub Action](https://github.com/quantapact/pqcheck/tree/main/action):
 
-## Privacy
+```yaml
+- uses: quantapact/pqcheck/action@main
+  with:
+    domain: mycompany.com
+    threshold: '7'
+    comment-on-pr: 'true'
+    generate-sarif: 'true'
+- uses: github/codeql-action/upload-sarif@v3
+  with:
+    sarif_file: pqcheck-results.sarif
+```
+
+## Disclaimer
 
-`pqcheck` sends the domain you scan to the Quantapact API (so the actual TLS handshake can be performed from the public internet). No other data is sent — no email, no IP-tied identifier, nothing client-side. The server-side `/api/scan` endpoint stores anonymous scan results in a 30-minute cache to avoid duplicate scans of the same domain. See [quantapact.com/privacy](https://quantapact.com/privacy) for full details.
+`pqcheck` measures only the **public** surface of a domain — what's observable from the open internet. Internal Blast Radius (east-west traffic, internal databases, VPN tunnels, backup pipelines) is typically 12–40× the public score depending on sector. A passing public-surface grade does **not** mean low internal exposure.
 
 ## License
 
 MIT. © 2026 Quantapact.
 
-## Disclaimer
+---
 
-`pqcheck` measures only the **public** surface of a domain — what's observable from the open internet. Internal Blast Radius (east-west traffic, internal databases, VPN tunnels, backup pipelines) is typically 12–40× the public score depending on sector. A passing public-surface grade does **not** mean low internal exposure.
+**Source:** [github.com/quantapact/pqcheck](https://github.com/quantapact/pqcheck) *(public, pending org transfer to `quantapact/pqcheck`)*
+
+**Issues / feedback:** [quantapact.com/feedback](https://quantapact.com/feedback) or open an issue on the repo.

package/bin/pqcheck.js

@@ -7,7 +7,7 @@
 // =============================================================================
 
 const API_BASE = process.env.PQCHECK_API_BASE || "https://quantapact.com";
-const VERSION = "0.7.2";
+const VERSION = "0.7.3";
 
 const ANSI = {
   reset:   "\x1b[0m",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.7.2",
+  "version": "0.7.3",
   "description": "Decryption Blast Radius scanner — find out how much of your data unlocks when quantum decryption arrives.",
   "keywords": [
     "post-quantum",
@@ -21,7 +21,7 @@
   "bugs": "https://quantapact.com",
   "repository": {
     "type": "git",
-    "url": "https://github.com/mzon7/quantapact.git",
+    "url": "https://github.com/quantapact/pqcheck.git",
     "directory": "cli"
   },
   "license": "MIT",