npm - pqcheck - Versions diffs - 0.7.4 → 0.7.6 - Mend

pqcheck 0.7.4 → 0.7.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -12,6 +12,12 @@ The same scanner that powers [quantapact.com](https://quantapact.com), the brows
 ---
+## What's new in 0.7.6
+User-Agent now consistently tags the subcommand on every request (`pqcheck-cli/0.7.6 (scan)`, `(lock)`, `(deps)`, `(history)`, `(watch)`). Lets the server aggregate adoption by subcommand. No new data collected — the subcommand token rides inside the User-Agent header that has always been logged anonymously. See [privacy](https://quantapact.com/privacy) and [CHANGELOG.md](./CHANGELOG.md).
+---
 ## What it does
 `pqcheck` scans any HTTPS domain and computes its **Decryption Blast Radius score** — the first continuous metric for harvest-now-decrypt-later (HNDL) risk. Every other TLS scanner answers "is post-quantum cryptography enabled?" with yes/no. `pqcheck` answers the question that actually matters: *if an adversary harvests this traffic today and decrypts it in 2035, how much past + future data unlocks?*
@@ -233,6 +239,8 @@ MIT. © 2026 Quantapact.
 ---
-**Source:** [github.com/quantapact/pqcheck](https://github.com/quantapact/pqcheck) *(public, pending org transfer to `quantapact/pqcheck`)*
+**Source:** [github.com/quantapact/pqcheck](https://github.com/quantapact/pqcheck)
+**Changelog:** [CHANGELOG.md](./CHANGELOG.md) for version-by-version release notes.
 **Issues / feedback:** [quantapact.com/feedback](https://quantapact.com/feedback) or open an issue on the repo.

package/bin/pqcheck.js CHANGED Viewed

@@ -7,7 +7,7 @@
 // =============================================================================
 const API_BASE = process.env.PQCHECK_API_BASE || "https://quantapact.com";
-const VERSION = "0.7.4";
+const VERSION = "0.7.6";
 const ANSI = {
   reset:   "\x1b[0m",
@@ -122,7 +122,7 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi
   try {
     const resp = await fetch(`${API_BASE}/api/scan?domain=${encodeURIComponent(domain)}`, {
       method: "GET",
-      headers: { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION}` },
+      headers: { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION} (scan)` },
     });
     if (!quiet && format === "text") process.stderr.write("\r\x1b[K");
     if (!resp.ok) {
@@ -147,6 +147,13 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi
     }).catch(() => { /* best-effort — never fail the scan on webhook delivery */ });
   }
+  // In --quiet mode the score still goes to stdout (script-pipeable), but a
+  // degraded warning lands on stderr so silent fallback to cached data can't
+  // mislead a CI gate or one-off check.
+  if (quiet && report._meta?.degraded) {
+    console.error(`pqcheck: ⚠ ${domain} — using cached score (live probe failed: ${report._meta.degradedReason || "unknown"}; last verified ${report._meta.lastUpdated || "?"})`);
+  }
   // Output dispatch
   if (quiet) {
     if (multi) {
@@ -208,7 +215,7 @@ async function runWatch({ domains, format, quiet, threshold, webhookUrl, interva
       try {
         const resp = await fetch(`${API_BASE}/api/scan?domain=${encodeURIComponent(domain)}`, {
           method: "GET",
-          headers: { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION}` },
+          headers: { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION} (watch)` },
         });
         if (!resp.ok) continue;
         const report = await resp.json();
@@ -239,10 +246,11 @@ async function runWatch({ domains, format, quiet, threshold, webhookUrl, interva
           printMarkdown(report, true);
         } else {
           const stamp = new Date().toISOString().slice(11, 19);
+          const degradedTag = report._meta?.degraded ? color("yellow", ` ⚠ cached (${report._meta.degradedReason || "probe failed"})`) : "";
           if (changed) {
-            console.log(color("yellow", `[${stamp}] ${domain}: ${prev} → ${report.score}  (${report.scoreLabel}) ${color("yellow", "★ changed")}`));
+            console.log(color("yellow", `[${stamp}] ${domain}: ${prev} → ${report.score}  (${report.scoreLabel}) ${color("yellow", "★ changed")}${degradedTag}`));
           } else if (!quiet) {
-            console.log(color("dim", `[${stamp}] ${domain}: ${report.score}  (${report.scoreLabel})`));
+            console.log(color("dim", `[${stamp}] ${domain}: ${report.score}  (${report.scoreLabel})${degradedTag}`));
           }
         }
       } catch (err) {
@@ -388,7 +396,21 @@ function printReport(r) {
   console.log("");
   console.log(`  ${color("bold", r.domain)}`);
   console.log(color("dim", "  ─────────────────────────────────────"));
-  console.log(`  ${color("bold", "PUBLIC SURFACE BLAST RADIUS:")} ${color(labelColor, `${r.score} / 10`)} ${color(labelColor, `(${r.scoreLabel})`)}`);
+  // Loud warning when the API fell back to a cached value because three live
+  // probe attempts came up degraded. Devs need to know they may be looking at
+  // stale data — silent fallback would erode trust in the tool.
+  const meta = r._meta || {};
+  if (meta.degraded) {
+    const since = meta.lastUpdated ? new Date(meta.lastUpdated).toUTCString() : "unknown";
+    console.log("");
+    console.log(color("yellow", "  ⚠ WARNING: showing last known-good cached score"));
+    console.log(color("yellow", `    Reason: ${meta.degradedReason || "unknown"}`));
+    console.log(color("yellow", `    Last verified: ${since}`));
+    console.log(color("dim", "    The live probe failed after 3 retries. Re-run shortly to refresh."));
+    console.log("");
+  }
+  const degradedMark = meta.degraded ? color("yellow", " *") : "";
+  console.log(`  ${color("bold", "PUBLIC SURFACE BLAST RADIUS:")} ${color(labelColor, `${r.score} / 10`)}${degradedMark} ${color(labelColor, `(${r.scoreLabel})`)}`);
   console.log("");
   console.log(color("dim", "  Public surface signals:"));
   console.log(`  • TLS:           ${r.publicSurface.tlsVersion ?? "?"} ${r.publicSurface.cipher ? color("dim", `(${r.publicSurface.cipher})`) : ""}`);
@@ -1198,6 +1220,13 @@ function printGitHubActionAnnotations(report) {
   // GitHub Actions workflow command syntax: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions
   const findings = Array.isArray(report.findings) ? report.findings : [];
   const sevMap = { critical: "error", high: "error", medium: "warning", low: "notice" };
+  // Surface degraded-cache state as a workflow warning so it lands in the
+  // PR check summary — devs need to know they may be gating on stale data.
+  if (report._meta?.degraded) {
+    const reason = String(report._meta.degradedReason || "live probe failed").replace(/[\r\n]/g, " ").replace(/::/g, ":");
+    const since = String(report._meta.lastUpdated || "unknown");
+    console.log(`::warning title=Quantapact: cached score (live probe failed)::Showing last known-good score from ${since}. Reason: ${reason}. Re-run shortly for a fresh probe.`);
+  }
   // Top-line score/grade as a notice
   console.log(`::notice title=Quantapact: ${report.domain}::Grade ${report.grade || "?"} · score ${report.score ?? "?"} / 10`);
   for (const f of findings) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.7.4",
+  "version": "0.7.6",
   "description": "Decryption Blast Radius scanner — find out how much of your data unlocks when quantum decryption arrives.",
   "keywords": [
     "post-quantum",