pqcheck 0.7.6 → 0.7.8

package/README.md

@@ -12,9 +12,9 @@ The same scanner that powers [quantapact.com](https://quantapact.com), the brows
 
 ---
 
-## What's new in 0.7.6
+## What's new in 0.7.8
 
-User-Agent now consistently tags the subcommand on every request (`pqcheck-cli/0.7.6 (scan)`, `(lock)`, `(deps)`, `(history)`, `(watch)`). Lets the server aggregate adoption by subcommand. No new data collected — the subcommand token rides inside the User-Agent header that has always been logged anonymously. See [privacy](https://quantapact.com/privacy) and [CHANGELOG.md](./CHANGELOG.md).
+**Supply-chain change detection in CI** — `pqcheck deps <domain> --baseline file.json` compares the current third-party host list to a stored baseline. New hosts since the last accepted state are flagged `*NEW*` in the pretty table and `"isNew": true` in JSON. Add `--fail-on-new` to exit `4` if anything new appeared — the Polyfill.io-style CI gate that fails PRs introducing third-party scripts until you deliberately accept them with `--write-baseline`. Each row also shows an `SRI` column (on/off/n/a) so you can see which scripts allow silent vendor-side content swaps. See [CHANGELOG.md](./CHANGELOG.md).
 
 ---
 
@@ -81,6 +81,9 @@ npx pqcheck --file domains.txt                Bulk scan from a newline-separated
 - `-o <dir>` — Output directory for `--lock` files
 - `--max=<N>` — Max third parties to scan (default 20)
 - `--allowlist <file>` — Exit **3** if any third-party not in allowlist (CI vendor-risk gate)
+- `--baseline <file>` — Compare current hosts to baseline JSON; flag `*NEW*` and surface `isNew` in JSON output
+- `--write-baseline` — Overwrite `--baseline` file with current scan (use once to capture initial state)
+- `--fail-on-new` — Exit **4** if any new hosts appeared since baseline (CI supply-chain change gate)
 
 **`pqcheck lock`:**
 - `-o <dir>` — Output directory
@@ -98,6 +101,7 @@ npx pqcheck --file domains.txt                Bulk scan from a newline-separated
 | `1` | Usage / network / scan error |
 | `2` | Score met or exceeded `--threshold`, or `diff` detected regression |
 | `3` | Allowlist violation (`pqcheck deps --allowlist`) |
+| `4` | Supply-chain change detected — new host(s) since baseline (`pqcheck deps --fail-on-new`) |
 
 ## Examples
 
@@ -120,6 +124,12 @@ npx pqcheck deps mycompany.com --lock
 # Vendor-risk CI gate — fail PR if any third-party not in allowlist
 npx pqcheck deps mycompany.com --allowlist allowed-vendors.txt
 
+# Capture initial supply-chain baseline (run once, commit the JSON file)
+npx pqcheck deps mycompany.com --baseline .pqcheck-baseline.json --write-baseline
+
+# Supply-chain change gate — fail PR if any new third-party script appeared since baseline
+npx pqcheck deps mycompany.com --baseline .pqcheck-baseline.json --fail-on-new
+
 # Score history sparkline
 npx pqcheck history mycompany.com
 
@@ -185,7 +195,7 @@ curl -s "https://www.quantapact.com/api/scan?domain=stripe.com" | jq '.grade, .s
 
 Full API reference at [quantapact.com/api](https://quantapact.com/api).
 
-**Rate limit:** ~60 requests/minute per IP. No API key required. Returns HTTP 429 if exceeded — back off and retry.
+**Rate limits:** 300 scans per hour per IP, 20 `--fresh` (force-refresh) scans per hour per IP. No API key required. Returns HTTP 429 if exceeded — back off and retry, or [let us know via the feedback form](https://quantapact.com/feedback) if you need higher limits (we're prioritizing the API tier based on real demand).
 
 ## Methodology
 

package/bin/pqcheck.js

@@ -7,7 +7,7 @@
 // =============================================================================
 
 const API_BASE = process.env.PQCHECK_API_BASE || "https://quantapact.com";
-const VERSION = "0.7.6";
+const VERSION = "0.7.8";
 
 const ANSI = {
   reset:   "\x1b[0m",
@@ -107,20 +107,31 @@ async function main() {
     return; // runWatch handles its own exit; in practice it runs until killed.
   }
 
+  // --fresh: bypass server cache, force a fresh scan. Useful when verifying
+  // a cert/key change you just deployed. Subject to a 20/hr per-IP cap on
+  // the server side.
+  const fresh = args.includes("--fresh") || args.includes("--force");
+
   // One-shot scan(s)
   let worstExit = 0;
   for (const domain of domains) {
-    const exit = await runOneScan({ domain, format, quiet, threshold, webhookUrl, multi: domains.length > 1 });
+    const exit = await runOneScan({ domain, format, quiet, threshold, webhookUrl, multi: domains.length > 1, fresh });
     if (exit > worstExit) worstExit = exit;
   }
   process.exit(worstExit);
 }
 
-async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi }) {
-  if (!quiet && format === "text") process.stderr.write(color("dim", `Scanning ${domain} ...`));
+async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi, fresh }) {
+  if (!quiet && format === "text") process.stderr.write(color("dim", `Scanning ${domain}${fresh ? " (forcing fresh)" : ""} ...`));
   let report;
   try {
-    const resp = await fetch(`${API_BASE}/api/scan?domain=${encodeURIComponent(domain)}`, {
+    // --fresh appends ?force=1 to bypass the smart-cache. Use when verifying
+    // a cert/key change you just deployed — otherwise scans hit the 1h SWR
+    // cache and return up-to-1h-old data. Subject to a 20/hr per-IP cap on
+    // the server side; if exceeded, the server silently downgrades to a
+    // cached scan and returns that instead of erroring.
+    const qs = fresh ? `?domain=${encodeURIComponent(domain)}&force=1` : `?domain=${encodeURIComponent(domain)}`;
+    const resp = await fetch(`${API_BASE}/api/scan${qs}`, {
       method: "GET",
       headers: { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION} (scan)` },
     });
@@ -129,6 +140,12 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi
       const errBody = await safeJSON(resp);
       console.error(color("red", `error scanning ${domain}: ${resp.status} ${errBody?.error || resp.statusText}`));
       if (errBody?.detail) console.error(color("dim", errBody.detail));
+      // Surface the 429 upsell hint if present — tells users how to ask for
+      // higher limits via the feedback form. Same demand signal we capture
+      // on the homepage.
+      if (resp.status === 429 && errBody?.need_more?.feedback_url) {
+        console.error(color("dim", `${errBody.need_more.message} → ${errBody.need_more.feedback_url}`));
+      }
       return 1;
     }
     report = await resp.json();
@@ -547,6 +564,7 @@ ${color("bold", "Common flags:")}
   -q, --quiet                      Print only the numeric score
   --watch [seconds]                Poll every N seconds (default 300) and report changes
   --webhook <url>                  POST scan results to a URL (one-shot or each watch tick)
+  --fresh                          Bypass server cache, force a fresh scan (subject to 20/hr per-IP cap)
 
 ${color("bold", "Subcommand-specific:")}
   pqcheck deps:
@@ -554,6 +572,9 @@ ${color("bold", "Subcommand-specific:")}
     -o <dir>                                     Output directory for --lock files
     --max=<N>                                    Max third parties to scan (default 20)
     --allowlist <file>                           Exit 3 if any third-party not in allowlist (CI gate)
+    --baseline <file>                            Compare current hosts to baseline JSON; mark new ones
+    --write-baseline                             Overwrite the --baseline file with current scan
+    --fail-on-new                                Exit 4 if any NEW host since baseline (Polyfill.io-style supply-chain CI gate)
   pqcheck lock:
     -o <dir>                                     Output directory
     --stdout                                     Print JSON to stdout instead of writing files
@@ -566,12 +587,15 @@ ${color("bold", "Exit codes:")}
   1   usage / network / scan error
   2   score met or exceeded --threshold (or diff regression)
   3   allowlist violation (deps --allowlist)
+  4   supply-chain change detected — new host(s) since baseline (deps --fail-on-new)
 
 ${color("bold", "Examples:")}
   npx pqcheck chase.com
   npx pqcheck mybank.com --threshold 7      ${color("dim", "# fail CI if score ≥ 7")}
   npx pqcheck deps stripe.com --lock
   npx pqcheck deps acme.com --allowlist allowed-vendors.txt   ${color("dim", "# CI vendor-risk gate")}
+  npx pqcheck deps acme.com --baseline .pqcheck-baseline.json --write-baseline   ${color("dim", "# capture initial state")}
+  npx pqcheck deps acme.com --baseline .pqcheck-baseline.json --fail-on-new      ${color("dim", "# fail PR on new third party")}
   npx pqcheck diff main.lock pr.lock        ${color("dim", "# regression detection in PR")}
   npx pqcheck history quantapact.com
   npx pqcheck cert ./mycert.pem             ${color("dim", "# offline cert analysis")}
@@ -869,6 +893,36 @@ async function runDepsCommand(args) {
     }
   }
 
+  // Baseline support (v0.7.8+): --baseline <path> compares this scan's third
+  // parties to a stored baseline JSON file. New hosts get a NEW flag in
+  // output. With --fail-on-new, the CLI exits with code 4 if any new hosts
+  // appeared — turning the scan into a Polyfill.io-style supply-chain change
+  // detector for CI pipelines. --write-baseline overwrites the baseline file
+  // with the current scan's hosts (use after deliberately adding a vendor).
+  const baselineIdx = args.indexOf("--baseline");
+  const baselinePath = baselineIdx >= 0 ? args[baselineIdx + 1] : null;
+  const writeBaseline = args.includes("--write-baseline");
+  const failOnNew = args.includes("--fail-on-new");
+  let baselineHosts = null;
+  if (baselinePath) {
+    try {
+      const fs2 = await import("node:fs/promises");
+      const raw = await fs2.readFile(baselinePath, "utf8");
+      const parsed = JSON.parse(raw);
+      baselineHosts = new Set((parsed.thirdParties || parsed.hosts || []).map((h) =>
+        typeof h === "string" ? h.toLowerCase() : (h.host || "").toLowerCase()
+      ).filter(Boolean));
+    } catch (err) {
+      // File missing is OK on first run — treat as empty baseline (everything is "new")
+      if (err && err.code === "ENOENT") {
+        baselineHosts = new Set();
+      } else {
+        console.error(color("red", `error reading --baseline: ${err.message}`));
+        process.exit(1);
+      }
+    }
+  }
+
   const positional = args.filter((a) => !a.startsWith("-") && a !== outDir);
   const domain = positional.length > 0 ? normalizeDomain(positional[0]) : null;
   if (!domain || !isValidDomain(domain)) {
@@ -901,8 +955,12 @@ async function runDepsCommand(args) {
   // Group by host, dedupe
   const byHost = new Map();
   for (const r of refs) {
-    if (!byHost.has(r.host)) byHost.set(r.host, { host: r.host, types: new Set(), occurrences: 0 });
+    if (!byHost.has(r.host)) byHost.set(r.host, { host: r.host, types: new Set(), occurrences: 0, anyMissingSri: false, allHttps: true });
     const e = byHost.get(r.host);
+    // SRI status — host is flagged "no SRI" if ANY reference to it lacks integrity.
+    // Only counts for script type (iframes/links/imgs don't support SRI).
+    if (r.type === "script" && !r.sri) e.anyMissingSri = true;
+    if (!r.loadedOverHttps) e.allHttps = false;
     e.types.add(r.type);
     e.occurrences += 1;
   }
@@ -952,19 +1010,46 @@ async function runDepsCommand(args) {
 
   const summary = buildDepsSummary(results);
 
+  // Baseline diff (v0.7.8+): compare current hosts to baseline hosts.
+  // newHosts = hosts in current scan that weren't in the baseline.
+  // missingHosts = hosts in baseline that aren't in the current scan.
+  // Each result gets a `.isNew` flag for downstream rendering.
+  let newHosts = [];
+  let missingHosts = [];
+  if (baselineHosts) {
+    const currentHostSet = new Set(results.map((r) => r.host));
+    newHosts = results.map((r) => r.host).filter((h) => !baselineHosts.has(h));
+    missingHosts = Array.from(baselineHosts).filter((h) => !currentHostSet.has(h));
+    // Don't paint every row as *NEW* on the first run (empty baseline) — there
+    // is no prior state to be new relative to. The summary line still says
+    // "first run; all hosts will be captured" so the user knows.
+    const baselineIsFirstRun = baselineHosts.size === 0;
+    for (const r of results) {
+      r.isNew = baselineIsFirstRun ? false : !baselineHosts.has(r.host);
+    }
+  }
+
   // Build manifest
   const manifest = {
     $schema: "https://quantapact.com/schemas/deps/v1",
-    schemaVersion: "1.0",
+    schemaVersion: "1.1", // bumped for SRI + baseline-diff fields
     domain,
     scannedAt: new Date().toISOString(),
     tool: "pqcheck-cli",
     toolVersion: VERSION,
     summary,
+    baseline: baselineHosts ? {
+      file: baselinePath,
+      newHosts,
+      missingHosts,
+      isFirstRun: baselineHosts.size === 0,
+    } : null,
     thirdParties: results.map((r) => ({
       host: r.host,
       types: r.types,
       occurrences: r.occurrences,
+      sri: { allScriptsHaveSri: !r.anyMissingSri, allHttps: r.allHttps },
+      isNew: r.isNew || false,
       scan: r.scan,
       error: r.error,
     })),
@@ -974,6 +1059,39 @@ async function runDepsCommand(args) {
     },
   };
 
+  // --write-baseline: overwrite the baseline file with current hosts. Used
+  // after deliberately adding a vendor (e.g., 'we added Stripe, update the
+  // baseline so the next scan doesn't flag Stripe as new').
+  if (writeBaseline && baselinePath) {
+    try {
+      const fs2 = await import("node:fs/promises");
+      const baselinePayload = {
+        $schema: "https://quantapact.com/schemas/deps-baseline/v1",
+        domain,
+        capturedAt: new Date().toISOString(),
+        toolVersion: VERSION,
+        thirdParties: results.map((r) => ({ host: r.host, sri: !r.anyMissingSri })),
+      };
+      await fs2.writeFile(baselinePath, JSON.stringify(baselinePayload, null, 2) + "\n", "utf8");
+      if (!json) console.error(color("dim", `✓ wrote baseline to ${baselinePath} (${results.length} hosts)`));
+    } catch (err) {
+      console.error(color("red", `error writing --baseline: ${err.message}`));
+      process.exit(1);
+    }
+  }
+
+  // --fail-on-new: exit code 4 if any new hosts appeared since the baseline.
+  // The CI gate for supply-chain change detection.
+  if (failOnNew && baselineHosts && newHosts.length > 0 && baselineHosts.size > 0) {
+    if (!json) {
+      console.error(color("red", `\nFAIL: ${newHosts.length} new third-party host${newHosts.length > 1 ? "s" : ""} appeared since baseline:`));
+      for (const h of newHosts) console.error(color("red", `  + ${h}`));
+      console.error(color("dim", `\n  Use --write-baseline to accept these additions, or audit them as a potential supply-chain change.`));
+    }
+    if (json) console.log(JSON.stringify(manifest, null, 2));
+    process.exit(4);
+  }
+
   if (json) {
     console.log(JSON.stringify(manifest, null, 2));
     return;
@@ -983,18 +1101,37 @@ async function runDepsCommand(args) {
   console.log("");
   console.log(`  ${color("bold", "Supply-chain HNDL exposure")} for ${color("violet", domain)}`);
   console.log(`  ${color("dim", `${summary.uniqueOrigins} unique third-party origins · ${summary.totalReferences} references · weakest: ${summary.weakestLink?.host ?? "—"} (${summary.weakestLink?.grade ?? "—"})`)}`);
+  if (baselineHosts) {
+    const baselineSize = baselineHosts.size;
+    if (baselineSize === 0) {
+      console.log(`  ${color("dim", `Baseline: ${baselinePath} is empty — first run; all hosts will be captured.`)}`);
+    } else {
+      const newColor = newHosts.length > 0 ? "yellow" : "green";
+      const newLabel = newHosts.length > 0 ? `${newHosts.length} NEW since baseline` : "no new hosts since baseline";
+      const missingPart = missingHosts.length > 0 ? `, ${missingHosts.length} missing` : "";
+      console.log(`  ${color(newColor, newLabel)}${color("dim", `${missingPart} · baseline ${baselinePath}`)}`);
+    }
+  }
   console.log("");
-  console.log(`  ${color("dim", "GRADE  HOST                                          PQC  TYPES")}`);
-  console.log(`  ${color("dim", "─────  ─────────────────────────────────────────  ───  ─────")}`);
+  console.log(`  ${color("dim", "GRADE  HOST                                          PQC  SRI  TYPES")}`);
+  console.log(`  ${color("dim", "─────  ─────────────────────────────────────────  ───  ───  ─────")}`);
   for (const r of results) {
     const gradeStr = r.scan?.grade ?? "?";
     const gradeColored = gradeStr === "A" ? color("green", gradeStr) : gradeStr === "F" || gradeStr === "D" ? color("red", gradeStr) : color("yellow", gradeStr);
-    const host = r.host.length > 41 ? r.host.slice(0, 40) + "…" : r.host.padEnd(41, " ");
+    const isNewMark = r.isNew ? color("yellow", " *NEW*") : "";
+    const hostRaw = r.host + (r.isNew ? " *NEW*" : "");
+    const host = hostRaw.length > 41 ? hostRaw.slice(0, 40) + "…" : (r.host.padEnd(r.isNew ? 35 : 41, " ") + (r.isNew ? color("yellow", " *NEW*") : ""));
     const pqc = r.scan?.hybridPQC ? color("green", "yes") : color("dim", "no ");
+    const hasScript = (r.types || []).includes("script");
+    const sriCell = !hasScript ? color("dim", "n/a") : r.anyMissingSri ? color("yellow", "off") : color("green", "on ");
     const types = r.types.join(",");
-    console.log(`  ${gradeColored.padEnd(8, " ")}  ${host}  ${pqc}  ${color("dim", types)}`);
+    console.log(`  ${gradeColored.padEnd(8, " ")}  ${host}  ${pqc}  ${sriCell}  ${color("dim", types)}`);
   }
   console.log("");
+  if (baselineHosts && baselineHosts.size > 0 && newHosts.length > 0) {
+    console.log(`  ${color("yellow", "⚠")} ${color("dim", `${newHosts.length} new third-party host${newHosts.length > 1 ? "s" : ""} not in baseline. Audit, then run with --write-baseline to accept.`)}`);
+    console.log("");
+  }
   console.log(`  ${color("dim", "Each row scanned via")} ${color("violet", "/api/scan")}${color("dim", " · /methodology/browser-extension explains scoring")}`);
   console.log("");
 
@@ -1052,23 +1189,46 @@ async function fetchPageHTML(domain) {
 
 function extractThirdPartyRefs(html, targetDomain) {
   const out = [];
-  // Patterns: <tag ... attr="..."> — non-greedy, single or double quoted
-  const patterns = [
-    { type: "script", re: /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi },
+  const targetRoot = registeredDomain(targetDomain);
+
+  // For <script> tags specifically, capture the FULL tag so we can extract
+  // the integrity attribute (SRI). Other tag types use simple src/href match.
+  const scriptTagRe = /<script\b([^>]*)>/gi;
+  let m;
+  while ((m = scriptTagRe.exec(html)) !== null) {
+    const attrs = m[1] || "";
+    const srcMatch = attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i);
+    if (!srcMatch) continue;
+    const integrityMatch = attrs.match(/\bintegrity\s*=\s*["']([^"']+)["']/i);
+    try {
+      const u = new URL(srcMatch[1], `https://${targetDomain}`);
+      if (u.protocol !== "http:" && u.protocol !== "https:") continue;
+      const host = u.hostname.toLowerCase();
+      if (!host || host === targetDomain || registeredDomain(host) === targetRoot) continue;
+      out.push({
+        host,
+        type: "script",
+        sri: !!(integrityMatch && integrityMatch[1].trim()),
+        loadedOverHttps: u.protocol === "https:",
+      });
+    } catch { /* relative URL or malformed */ }
+  }
+
+  // Non-script types: iframe / link / img — no SRI applies
+  const otherPatterns = [
     { type: "iframe", re: /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi },
     { type: "link",   re: /<link\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi },
     { type: "img",    re: /<img\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi },
   ];
-  const targetRoot = registeredDomain(targetDomain);
-  for (const { type, re } of patterns) {
-    let m;
-    while ((m = re.exec(html)) !== null) {
+  for (const { type, re } of otherPatterns) {
+    let mm;
+    while ((mm = re.exec(html)) !== null) {
       try {
-        const u = new URL(m[1], `https://${targetDomain}`);
+        const u = new URL(mm[1], `https://${targetDomain}`);
         if (u.protocol !== "http:" && u.protocol !== "https:") continue;
         const host = u.hostname.toLowerCase();
         if (!host || host === targetDomain || registeredDomain(host) === targetRoot) continue;
-        out.push({ host, type });
+        out.push({ host, type, sri: false, loadedOverHttps: u.protocol === "https:" });
       } catch { /* relative URL or malformed */ }
     }
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.7.6",
+  "version": "0.7.8",
   "description": "Decryption Blast Radius scanner — find out how much of your data unlocks when quantum decryption arrives.",
   "keywords": [
     "post-quantum",