npm - pqcheck - Versions diffs - 0.7.8 → 0.10.0 - Mend

pqcheck 0.7.8 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -8,10 +8,14 @@ npx pqcheck stripe.com
 Zero install. Works in any terminal with Node 18+. Free, no signup, no API key.
-The same scanner that powers [quantapact.com](https://quantapact.com), the browser extension, and the GitHub Action.
+The same scanner that powers [cipherwake.io](https://cipherwake.io), the browser extension, and the GitHub Action.
 ---
+## What's new in 0.7.9
+**CSP verdict + vendor labels on `pqcheck deps`.** The supply-chain table now shows a friendly vendor label (`New Relic · errors` / `Cloudflare · cdn` / `Adobe Fonts · fonts`) per host instead of raw `bam.nr-data.net`-style hostnames, plus a one-line site-wide CSP verdict above the table (`✗ No CSP enforcement` / `⚠ CSP is permissive` / `✓ Strict CSP enforced`). Same data shape ships on `/r/<domain>` and in the browser extension — cross-surface parity for the supply-chain story. See [CHANGELOG.md](./CHANGELOG.md).
 ## What's new in 0.7.8
 **Supply-chain change detection in CI** — `pqcheck deps <domain> --baseline file.json` compares the current third-party host list to a stored baseline. New hosts since the last accepted state are flagged `*NEW*` in the pretty table and `"isNew": true` in JSON. Add `--fail-on-new` to exit `4` if anything new appeared — the Polyfill.io-style CI gate that fails PRs introducing third-party scripts until you deliberately accept them with `--write-baseline`. Each row also shows an `SRI` column (on/off/n/a) so you can see which scripts allow silent vendor-side content swaps. See [CHANGELOG.md](./CHANGELOG.md).
@@ -38,10 +42,11 @@ Plus a full ASM check suite for credibility:
 ```
 npx pqcheck <domain>                          Scan + print human-readable report
-npx pqcheck lock <domain>                     Generate quantapact.lock (QXM) committable manifest
+npx pqcheck lock <domain>                     Generate cipherwake.lock (QXM) committable manifest
 npx pqcheck deps <domain>                     Scan all third-party origins on the page (supply-chain HNDL)
 npx pqcheck diff <old.lock> <new.lock>        Compare two QXM lockfiles; exit 2 on regression
 npx pqcheck history <domain>                  Show 90-day score history (sparkline + samples)
+npx pqcheck changes <domain>                  Summarize public attack-surface changes in last 14 days
 npx pqcheck cert <file.pem>                   Analyze a local PEM/CRT cert file (offline, no network)
 ```
@@ -77,7 +82,7 @@ npx pqcheck --file domains.txt                Bulk scan from a newline-separated
 ### Subcommand-specific flags
 **`pqcheck deps`:**
-- `--lock` — Also write `quantapact-deps.lock` + `.md`
+- `--lock` — Also write `cipherwake-deps.lock` + `.md`
 - `-o <dir>` — Output directory for `--lock` files
 - `--max=<N>` — Max third parties to scan (default 20)
 - `--allowlist <file>` — Exit **3** if any third-party not in allowlist (CI vendor-risk gate)
@@ -156,13 +161,15 @@ Like SBOM, `package-lock.json`, or `cargo audit` outputs — track quantum expos
 ```bash
 npx pqcheck lock yourcompany.com
 # Writes:
-#   quantapact.lock          — stable JSON manifest
-#   quantapact-report.md     — human-readable summary (renders on GitHub)
+#   cipherwake.lock          — stable JSON manifest
+#   cipherwake-report.md     — human-readable summary (renders on GitHub)
 ```
 Commit both files. Use `npx pqcheck diff old.lock new.lock` in CI to surface regressions in PR comments.
-Schema documented at [quantapact.com/schemas/qxm/v1](https://quantapact.com/methodology/qxm).
+> **Filename history.** This tool was previously named Quantapact and earlier versions wrote `quantapact.lock` + `quantapact-report.md`. Both names work forever — `pqcheck lock` auto-detects an existing legacy lockfile and overwrites it in place rather than silently creating a second file in your repo. New repos get the new `cipherwake.lock` default. No migration required.
+Schema documented at [cipherwake.io/schemas/qxm/v1](https://cipherwake.io/methodology/qxm).
 ### Supply-chain dependency scanning
@@ -171,41 +178,41 @@ npx pqcheck deps stripe.com
 # Output: every third-party origin on stripe.com (analytics, CDN, fonts, etc.) graded for quantum risk
 ```
-Add `--lock` to write `quantapact-deps.lock` + `.md` for committing or PR comparison. Add `--allowlist file.txt` to gate CI on vendor approval.
+Add `--lock` to write `cipherwake-deps.lock` + `.md` for committing or PR comparison. Add `--allowlist file.txt` to gate CI on vendor approval.
 ## Companion surfaces
-This CLI is one of four ways to consume the [Decryption Blast Radius API](https://quantapact.com/api):
+This CLI is one of four ways to consume the [Decryption Blast Radius API](https://cipherwake.io/api):
 | Surface | Where |
 |---|---|
 | **CLI** (this package) | `npx pqcheck` |
 | **Browser extension** | Chrome Web Store / Firefox AMO / Edge — toolbar badge per tab + dependency analysis |
-| **GitHub Action** | [`quantapact/pqcheck/action@main`](https://github.com/quantapact/pqcheck/tree/main/action) — PR comments, SARIF upload, lockfile generation |
-| **Slack `/pqcheck`** | [Install on workspace](https://quantapact.com/install-slack) |
-| **Web** | [quantapact.com](https://quantapact.com) — share-friendly URLs at `/r/<domain>` |
+| **GitHub Action** | [`cipherwake-io/pqcheck/action@main`](https://github.com/cipherwake-io/pqcheck/tree/main/action) — PR comments, SARIF upload, lockfile generation |
+| **Slack `/pqcheck`** | [Install on workspace](https://cipherwake.io/install-slack) |
+| **Web** | [cipherwake.io](https://cipherwake.io) — share-friendly URLs at `/r/<domain>` |
 ## Public API
-`pqcheck` is a wrapper around the public Quantapact API. You can also call the API directly:
+`pqcheck` is a wrapper around the public Cipherwake API. You can also call the API directly:
 ```bash
-curl -s "https://www.quantapact.com/api/scan?domain=stripe.com" | jq '.grade, .score'
+curl -s "https://www.cipherwake.io/api/scan?domain=stripe.com" | jq '.grade, .score'
 ```
-Full API reference at [quantapact.com/api](https://quantapact.com/api).
+Full API reference at [cipherwake.io/api](https://cipherwake.io/api).
-**Rate limits:** 300 scans per hour per IP, 20 `--fresh` (force-refresh) scans per hour per IP. No API key required. Returns HTTP 429 if exceeded — back off and retry, or [let us know via the feedback form](https://quantapact.com/feedback) if you need higher limits (we're prioritizing the API tier based on real demand).
+**Rate limits:** 300 scans per hour per IP, 20 `--fresh` (force-refresh) scans per hour per IP. No API key required. Returns HTTP 429 if exceeded — back off and retry, or [let us know via the feedback form](https://cipherwake.io/feedback) if you need higher limits (we're prioritizing the API tier based on real demand).
 ## Methodology
 Decryption Blast Radius scoring methodology is fully open. Component weights, PQC discount math, the "what we DON'T claim" sections, edge cases — all documented:
-- [Decryption Blast Radius](https://quantapact.com/methodology/decryption-blast-radius) — core methodology
-- [Score components](https://quantapact.com/methodology/score-components) — the 4-bar weighted breakdown + PQC discount
-- [QXM lockfile schema](https://quantapact.com/methodology/qxm) — committable manifest format
-- [Browser extension methodology](https://quantapact.com/methodology/browser-extension) — supply-chain HNDL detection logic
-- [Methodology library](https://quantapact.com/methodology) — full index
+- [Decryption Blast Radius](https://cipherwake.io/methodology/decryption-blast-radius) — core methodology
+- [Score components](https://cipherwake.io/methodology/score-components) — the 4-bar weighted breakdown + PQC discount
+- [QXM lockfile schema](https://cipherwake.io/methodology/qxm) — committable manifest format
+- [Browser extension methodology](https://cipherwake.io/methodology/browser-extension) — supply-chain HNDL detection logic
+- [Methodology library](https://cipherwake.io/methodology) — full index
 ## Versioning + stability
@@ -215,20 +222,20 @@ The CLI follows the same policy — output formats are stable across minor versi
 ## Privacy
-`pqcheck` sends the domain you scan to `quantapact.com/api/scan` (so the TLS handshake can be performed from the public internet). No other data is sent — no email, no client-side identifier. The server logs anonymized analytics: domain, hashed IP (for rate limiting), user-agent. We don't track individual users across scans. See [quantapact.com/privacy](https://quantapact.com/privacy).
+`pqcheck` sends the domain you scan to `cipherwake.io/api/scan` (so the TLS handshake can be performed from the public internet). No other data is sent — no email, no client-side identifier. The server logs anonymized analytics: domain, hashed IP (for rate limiting), user-agent. We don't track individual users across scans. See [cipherwake.io/privacy](https://cipherwake.io/privacy).
 ## CI integration
 ```yaml
 # .github/workflows/quantum-risk-gate.yml
-- name: Quantapact public-surface gate
+- name: Cipherwake public-surface gate
   run: npx pqcheck@latest mycompany.com --threshold 7
 ```
-For richer integration (sticky PR comments, SARIF upload to Code Scanning, lockfile diff on regression), use the [GitHub Action](https://github.com/quantapact/pqcheck/tree/main/action):
+For richer integration (sticky PR comments, SARIF upload to Code Scanning, lockfile diff on regression), use the [GitHub Action](https://github.com/cipherwake-io/pqcheck/tree/main/action):
 ```yaml
-- uses: quantapact/pqcheck/action@main
+- uses: cipherwake-io/pqcheck/action@main
   with:
     domain: mycompany.com
     threshold: '7'
@@ -245,12 +252,12 @@ For richer integration (sticky PR comments, SARIF upload to Code Scanning, lockf
 ## License
-MIT. © 2026 Quantapact.
+MIT. © 2026 Cipherwake.
 ---
-**Source:** [github.com/quantapact/pqcheck](https://github.com/quantapact/pqcheck)
+**Source:** [github.com/cipherwake-io/pqcheck](https://github.com/cipherwake-io/pqcheck)
 **Changelog:** [CHANGELOG.md](./CHANGELOG.md) for version-by-version release notes.
-**Issues / feedback:** [quantapact.com/feedback](https://quantapact.com/feedback) or open an issue on the repo.
+**Issues / feedback:** [cipherwake.io/feedback](https://cipherwake.io/feedback) or open an issue on the repo.

package/bin/pqcheck.js CHANGED Viewed

@@ -2,12 +2,48 @@
 // =============================================================================
 // pqcheck CLI — npx pqcheck <domain>
 // =============================================================================
-// Tiny wrapper around the public scan API at quantapact.com.
+// Tiny wrapper around the public scan API at cipherwake.io.
 // Zero deps (uses node:fetch). Works under `npx pqcheck` without installation.
 // =============================================================================
-const API_BASE = process.env.PQCHECK_API_BASE || "https://quantapact.com";
-const VERSION = "0.7.8";
+const API_BASE = process.env.PQCHECK_API_BASE || "https://cipherwake.io";
+const VERSION = "0.10.0";
+// API-key support — paid tiers (Starter $29 / Growth $79 / Scale $199) get
+// per-account monthly quotas instead of the per-IP rate limit. Set via:
+//   export CIPHERWAKE_API_KEY=qpk_<32-hex>
+// Anonymous CLI use still works (no env var → falls back to IP rate limit).
+//
+// QUANTAPACT_API_KEY is honored as a deprecated fallback for existing users
+// (rebrand 2026-05-15). Will be removed in v1.0; in the meantime no break.
+const QP_API_KEY = (process.env.CIPHERWAKE_API_KEY || process.env.QUANTAPACT_API_KEY || "").trim();
+// Builds headers with optional Authorization. Use for every CLI → API call
+// so a single env-var toggle authenticates every endpoint at once.
+function apiHeaders(extra = {}) {
+  const h = { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION}`, ...extra };
+  if (QP_API_KEY) h.authorization = `Bearer ${QP_API_KEY}`;
+  return h;
+}
+// Helpful messaging when the server tells us auth/quota failed.
+async function handleAuthError(resp) {
+  if (resp.status === 401) {
+    const body = await safeJSON(resp);
+    if (body?.error === "invalid_api_key") {
+      console.error(color("red", "CIPHERWAKE_API_KEY is invalid or revoked. Check https://cipherwake.io/account to rotate."));
+      return true;
+    }
+  }
+  if (resp.status === 429) {
+    const body = await safeJSON(resp);
+    if (body?.error === "monthly_quota_exceeded") {
+      console.error(color("red", `Monthly quota exceeded${body.detail ? ` — ${body.detail}` : ""}. Upgrade tier at https://cipherwake.io/pricing or wait until the 1st.`));
+      return true;
+    }
+  }
+  return false;
+}
 const ANSI = {
   reset:   "\x1b[0m",
@@ -25,9 +61,17 @@ const color = (c, s) => (supportsColor ? `${ANSI[c]}${s}${ANSI.reset}` : s);
 async function main() {
   const args = process.argv.slice(2);
-  if (args.length === 0 || args.includes("--help") || args.includes("-h")) {
+  // No-args entry: show a layman's quick-start before the full usage block.
+  // Behavior: argv.length === 0 prints the friendly intro then usage and exits 1.
+  // --help / -h prints only usage (no intro) and exits 0.
+  if (args.length === 0) {
+    printQuickStart();
+    printUsage();
+    process.exit(1);
+  }
+  if (args.includes("--help") || args.includes("-h")) {
     printUsage();
-    process.exit(args.length === 0 ? 1 : 0);
+    process.exit(0);
   }
   if (args.includes("--version") || args.includes("-v")) {
     console.log(`pqcheck ${VERSION}`);
@@ -47,9 +91,15 @@ async function main() {
   if (args[0] === "history") {
     return runHistoryCommand(args.slice(1));
   }
+  if (args[0] === "changes") {
+    return runChangesCommand(args.slice(1));
+  }
   if (args[0] === "cert") {
     return runCertCommand(args.slice(1));
   }
+  if (args[0] === "watch") {
+    return runWatchCommand(args.slice(1));
+  }
   // Multi-domain support: positional args are domains.
   // --file reads additional domains from a newline-delimited file.
@@ -133,7 +183,7 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi,
     const qs = fresh ? `?domain=${encodeURIComponent(domain)}&force=1` : `?domain=${encodeURIComponent(domain)}`;
     const resp = await fetch(`${API_BASE}/api/scan${qs}`, {
       method: "GET",
-      headers: { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION} (scan)` },
+      headers: apiHeaders({ "user-agent": `pqcheck-cli/${VERSION} (scan)` }),
     });
     if (!quiet && format === "text") process.stderr.write("\r\x1b[K");
     if (!resp.ok) {
@@ -232,7 +282,7 @@ async function runWatch({ domains, format, quiet, threshold, webhookUrl, interva
       try {
         const resp = await fetch(`${API_BASE}/api/scan?domain=${encodeURIComponent(domain)}`, {
           method: "GET",
-          headers: { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION} (watch)` },
+          headers: apiHeaders({ "user-agent": `pqcheck-cli/${VERSION} (watch)` }),
         });
         if (!resp.ok) continue;
         const report = await resp.json();
@@ -357,7 +407,14 @@ function printCsvRow(r) {
   console.log(cells.join(","));
 }
 function csvEscape(s) {
-  const v = String(s ?? "");
+  // Spreadsheet-formula-injection defense (R2 finding): cells starting
+  // with =, +, -, @, TAB, or CR get treated as formulas by Excel/Sheets.
+  // Prefix with a literal-string ' to neutralize. Defense-in-depth even
+  // though domains are shape-validated upstream.
+  let v = String(s ?? "");
+  if (/^[=+\-@\t\r\n]/.test(v)) {
+    v = "'" + v;
+  }
   if (v.includes(",") || v.includes('"') || v.includes("\n")) {
     return '"' + v.replace(/"/g, '""') + '"';
   }
@@ -393,6 +450,13 @@ function printMarkdown(r, multi) {
   lines.push(`> ⚠ Public surface only. Internal Blast Radius is typically 12–40× this score.`);
   lines.push("");
   lines.push(`Full report: ${API_BASE}/?check=${encodeURIComponent(r.domain)} · Share: ${API_BASE}/r/${encodeURIComponent(r.domain)}`);
+  // Conversion CTA (generalbusiness.md principle #15): one-line activation
+  // path on every value-delivery moment. Pointed at /watch/<domain>.
+  // Audit-required 2026-05-14: copy matches current locked plan ($29 Starter
+  // not the old "watch free / weekly digest"). PR-comment context plants
+  // team-invitation idea for the eventual Growth tier upgrade.
+  lines.push(`📌 **Monitor ${r.domain} continuously?** ${API_BASE}/watch/${encodeURIComponent(r.domain)}`);
+  lines.push(`Cipherwake Starter $29/mo · 5 domains · daily scans + email alerts on cert/script/posture changes. Invite your team on Growth ($79/mo) when ready.`);
   if (multi) lines.push("\n---\n");
   console.log(lines.join("\n"));
 }
@@ -506,7 +570,25 @@ function printReport(r) {
     console.log("");
   }
-  console.log(color("violet", `  → Full report: ${API_BASE}/?check=${encodeURIComponent(r.domain)}`));
+  // Provenance pill — "Tracked by Cipherwake since X · N observations". Trust
+  // signal that this isn't a one-shot probe but a historical record. Only
+  // renders if we actually have prior observations for the domain.
+  if (r.trackedSince) {
+    const trackedDate = String(r.trackedSince).slice(0, 10);
+    const obs = typeof r.observations === "number" && r.observations > 0 ? r.observations : null;
+    const obsLine = obs ? ` · ${obs} observation${obs === 1 ? "" : "s"}` : "";
+    console.log(color("dim", `  Tracked by Cipherwake since ${trackedDate}${obsLine}`));
+    console.log("");
+  }
+  // Conversion CTA (generalbusiness.md principle #15): every value-delivery
+  // moment surfaces the same /watch/<domain> activation path. Audit-required
+  // 2026-05-14: copy must match current locked revenue plan ($29 Starter,
+  // not the old "free 1-domain weekly digest").
+  console.log(color("violet", `  📌 Monitor ${r.domain} daily: ${API_BASE}/watch/${encodeURIComponent(r.domain)}`));
+  console.log(color("dim",    `     Cipherwake Starter $29/mo · 5 watched domains · email alerts · cancel anytime`));
+  console.log("");
+  console.log(color("dim",    `  → Full report: ${API_BASE}/?check=${encodeURIComponent(r.domain)}`));
   console.log(color("dim",    `  → Share this:  ${API_BASE}/r/${encodeURIComponent(r.domain)}`));
   console.log(color("dim",    `  → Compare two: ${API_BASE}/compare?a=${encodeURIComponent(r.domain)}&b=`));
   console.log("");
@@ -531,6 +613,31 @@ async function safeJSON(resp) {
   try { return await resp.json(); } catch { return null; }
 }
+// Friendly first-time intro shown when the CLI is invoked with no args.
+// Goal: tell a brand-new user what this tool does + give them ONE
+// command to copy-paste, before the full usage block. Modeled on
+// `curl`/`gh`/`vercel` first-run output (concise, action-oriented).
+function printQuickStart() {
+  console.log(`
+${color("bold", "👋 Welcome to pqcheck")} ${color("dim", `(v${VERSION})`)}
+Cipherwake's CLI grades any website's quantum-decryption risk —
+the chance that a harvest-now-decrypt-later attack could read its
+TLS traffic once quantum decryption arrives.
+${color("bold", "Try it:")}
+  ${color("dim", "$")} npx pqcheck chase.com
+${color("bold", "What you'll see:")} a single letter grade (A–F), the score components
+(cipher class, cert lifetime, key rotation history, subdomain exposure),
+top findings, and a link to the full interactive report.
+${color("bold", "Free + open methodology.")} No account needed for single-domain scans.
+Add ${color("dim", "QUANTAPACT_API_KEY")} env var for higher rate limits + private results
+(create one at ${color("dim", "https://cipherwake.io/signin")}).
+`);
+}
 function printUsage() {
   console.log(`
 ${color("bold", "pqcheck")} ${color("dim", `v${VERSION}`)}
@@ -539,11 +646,13 @@ Public Surface Blast Radius — quantum-decryption risk for any domain.
 ${color("bold", "Commands:")}
   npx pqcheck <domain>                          Scan + print human-readable report
-  npx pqcheck lock <domain>                     Generate quantapact.lock (QXM) committable manifest
+  npx pqcheck lock <domain>                     Generate cipherwake.lock (QXM) committable manifest
   npx pqcheck deps <domain>                     Scan all third-party origins on the page (supply-chain HNDL)
   npx pqcheck diff <old.lock> <new.lock>        Compare two QXM lockfiles; exit 2 on regression
   npx pqcheck history <domain>                  Show 90-day score history (sparkline + samples)
+  npx pqcheck changes <domain>                  Summarize public attack-surface changes in last 14 days
   npx pqcheck cert <file.pem>                   Analyze a local PEM/CRT cert file (offline, no network)
+  npx pqcheck watch <domain>                    Add a domain to your watched-domain list (requires CIPHERWAKE_API_KEY)
 ${color("bold", "Multi-domain:")}
   npx pqcheck a.com b.com c.com                 Multi-domain scan (positional)
@@ -568,7 +677,7 @@ ${color("bold", "Common flags:")}
 ${color("bold", "Subcommand-specific:")}
   pqcheck deps:
-    --lock                                       Also write quantapact-deps.lock + .md
+    --lock                                       Also write cipherwake-deps.lock + .md
     -o <dir>                                     Output directory for --lock files
     --max=<N>                                    Max third parties to scan (default 20)
     --allowlist <file>                           Exit 3 if any third-party not in allowlist (CI gate)
@@ -597,14 +706,14 @@ ${color("bold", "Examples:")}
   npx pqcheck deps acme.com --baseline .pqcheck-baseline.json --write-baseline   ${color("dim", "# capture initial state")}
   npx pqcheck deps acme.com --baseline .pqcheck-baseline.json --fail-on-new      ${color("dim", "# fail PR on new third party")}
   npx pqcheck diff main.lock pr.lock        ${color("dim", "# regression detection in PR")}
-  npx pqcheck history quantapact.com
+  npx pqcheck history cipherwake.io
   npx pqcheck cert ./mycert.pem             ${color("dim", "# offline cert analysis")}
   npx pqcheck --file domains.txt --format json > scans.ndjson
   npx pqcheck mybank.com --format sarif > pqcheck.sarif   ${color("dim", "# upload to Code Scanning")}
   npx pqcheck mybank.com --gh-action        ${color("dim", "# inline PR annotations")}
 Backed by the patented Decryption Blast Radius methodology.
-${color("violet", "https://quantapact.com")}
+${color("violet", "https://cipherwake.io")}
 `);
 }
@@ -612,20 +721,46 @@ ${color("violet", "https://quantapact.com")}
 // `pqcheck lock` — QXM (Quantum Exposure Manifest) generator
 // =============================================================================
 // Generates two files committable to a git repo:
-//   quantapact.lock          — stable JSON manifest (machine-readable)
-//   quantapact-report.md     — human-readable summary (renders on GitHub)
+//   cipherwake.lock          — stable JSON manifest (machine-readable)
+//   cipherwake-report.md     — human-readable summary (renders on GitHub)
 //
 // Like SBOM / package-lock.json / cargo audit / snyk test outputs — devs commit
 // these to track quantum exposure as a first-class technical concern.
 //
+// Filename history: this tool was previously named Quantapact, and earlier
+// versions wrote `quantapact.lock` / `quantapact-report.md`. We permanently
+// support reading EITHER filename; existing repos with the old name keep
+// working forever. When re-locking in a directory that has the legacy file,
+// we overwrite it in place rather than silently creating a new file alongside.
+// New repos (no existing lockfile) get the new default `cipherwake.lock`.
+//
 // Usage:
-//   npx pqcheck lock <domain>           Write to ./quantapact.lock + .md
+//   npx pqcheck lock <domain>           Write to ./cipherwake.lock + .md
+//                                       (or preserves ./quantapact.lock if present)
 //   npx pqcheck lock <domain> -o dir/   Write into a specific directory
 //   npx pqcheck lock <domain> --stdout  Print JSON to stdout (no files)
 //   npx pqcheck lock                    Read domain from existing
-//                                       quantapact.lock if present, else error
+//                                       cipherwake.lock OR quantapact.lock, else error
 // =============================================================================
+// Discover an existing lockfile in `dir`, preferring the new name but
+// accepting the legacy name. Returns { lockPath, mdPath, isLegacy } if found,
+// or null if neither exists. Read-anywhere, write-back-to-same-name policy.
+async function discoverExistingLockfile(fs, path, dir) {
+  const candidates = [
+    { lockName: "cipherwake.lock", mdName: "cipherwake-report.md", isLegacy: false },
+    { lockName: "quantapact.lock", mdName: "quantapact-report.md", isLegacy: true },
+  ];
+  for (const c of candidates) {
+    const lockPath = path.join(dir, c.lockName);
+    try {
+      await fs.access(lockPath);
+      return { lockPath, mdPath: path.join(dir, c.mdName), isLegacy: c.isLegacy };
+    } catch { /* try next */ }
+  }
+  return null;
+}
 async function runLockCommand(args) {
   const fs = await import("node:fs/promises");
   const path = await import("node:path");
@@ -639,16 +774,26 @@ async function runLockCommand(args) {
   const positional = args.filter((a) => !a.startsWith("-") && a !== outDir);
   let domain = positional.length > 0 ? normalizeDomain(positional[0]) : null;
+  // Discover any existing lockfile (new or legacy). Used both for re-lock
+  // domain auto-detection AND to preserve the filename on write.
+  const existing = await discoverExistingLockfile(fs, path, outDir);
   if (!domain) {
-    try {
-      const existing = await fs.readFile(path.join(outDir, "quantapact.lock"), "utf8");
-      const parsed = JSON.parse(existing);
-      domain = parsed.domain;
-      if (!stdout) {
-        console.error(color("dim", `Re-locking from existing quantapact.lock (domain: ${domain})`));
+    if (existing) {
+      try {
+        const content = await fs.readFile(existing.lockPath, "utf8");
+        const parsed = JSON.parse(content);
+        domain = parsed.domain;
+        if (!stdout) {
+          const baseName = path.basename(existing.lockPath);
+          console.error(color("dim", `Re-locking from existing ${baseName} (domain: ${domain})`));
+        }
+      } catch {
+        console.error(color("red", `error: could not parse existing ${path.basename(existing.lockPath)}`));
+        process.exit(1);
       }
-    } catch {
-      console.error(color("red", "error: no domain provided and no existing quantapact.lock found"));
+    } else {
+      console.error(color("red", "error: no domain provided and no existing cipherwake.lock found"));
       console.error(color("dim", "Usage: npx pqcheck lock <domain>"));
       process.exit(1);
     }
@@ -665,7 +810,7 @@ async function runLockCommand(args) {
   try {
     const resp = await fetch(`${API_BASE}/api/scan?domain=${encodeURIComponent(domain)}`, {
       method: "GET",
-      headers: { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION} (lock)` },
+      headers: apiHeaders({ "user-agent": `pqcheck-cli/${VERSION} (lock)` }),
     });
     if (!stdout) process.stderr.write("\r\x1b[K");
     if (!resp.ok) {
@@ -688,9 +833,16 @@ async function runLockCommand(args) {
     return;
   }
-  // Write both files
-  const lockPath = path.join(outDir, "quantapact.lock");
-  const mdPath = path.join(outDir, "quantapact-report.md");
+  // Write both files. Filename policy: if a legacy quantapact.lock already
+  // exists in this directory, overwrite it in place (preserve user's
+  // committed filename — no surprise renames in their repo). Otherwise
+  // default to the new cipherwake.lock.
+  const lockPath = existing
+    ? existing.lockPath
+    : path.join(outDir, "cipherwake.lock");
+  const mdPath = existing
+    ? existing.mdPath
+    : path.join(outDir, "cipherwake-report.md");
   const md = renderQxmMarkdown(manifest);
   try {
@@ -736,7 +888,7 @@ function buildQxmManifest(report, crypto) {
   );
   return {
-    schema: "https://quantapact.com/schemas/qxm/v1",
+    schema: "https://cipherwake.io/schemas/qxm/v1",
     schemaVersion: 1,
     generator: `pqcheck-cli/${VERSION}`,
     generatedAt: report.generatedAt || new Date().toISOString(),
@@ -756,13 +908,13 @@ function buildQxmManifest(report, crypto) {
     components: report.components || null,
     evidence: {
       evidenceHash,
-      methodology: "https://quantapact.com/methodology",
-      shareableReport: `https://quantapact.com/r/${encodeURIComponent(report.domain)}`,
-      badge: `https://quantapact.com/badge/${encodeURIComponent(report.domain)}.svg`,
+      methodology: "https://cipherwake.io/methodology",
+      shareableReport: `https://cipherwake.io/r/${encodeURIComponent(report.domain)}`,
+      badge: `https://cipherwake.io/badge/${encodeURIComponent(report.domain)}.svg`,
     },
     remediation: {
       tessera: tesseraNeeded ? "join-waitlist" : "not-needed",
-      tesseraWaitlist: "https://quantapact.com/feedback?source=qxm-tessera-interest",
+      tesseraWaitlist: "https://cipherwake.io/feedback?source=qxm-tessera-interest",
       notes: tesseraNeeded
         ? "Findings include cryptographic exposure that Tessera SDK is being designed to remediate. Tessera is in development; join the waitlist to be notified when ready."
         : "No quantum-decryption-relevant findings requiring Tessera remediation at this time.",
@@ -775,7 +927,7 @@ function renderQxmMarkdown(m) {
   lines.push(`# Quantum Exposure Manifest — \`${m.domain}\``);
   lines.push("");
   lines.push(`> **Decryption Blast Radius:** ${m.score} / 10 (Grade ${m.grade}, ${m.scoreLabel})`);
-  lines.push(`> Generated by [pqcheck](https://quantapact.com) at ${m.generatedAt}`);
+  lines.push(`> Generated by [pqcheck](https://cipherwake.io) at ${m.generatedAt}`);
   lines.push("");
   if (!m.reachable) {
     lines.push(`*${m.domain} was not reachable at scan time.*`);
@@ -852,7 +1004,8 @@ function renderQxmMarkdown(m) {
 // Fetches the public HTML of the target domain, extracts third-party origins
 // referenced via <script src>, <iframe src>, <link href>, <img src>, then runs
 // /api/scan against each unique third party. Outputs a sorted summary + an
-// optional committable lockfile (quantapact-deps.lock).
+// optional committable lockfile (cipherwake-deps.lock; legacy quantapact-deps.lock
+// is overwritten in place if present, see write-path comments below).
 //
 // Parallel to the browser extension's Dependencies tab, exposed as a CLI for
 // CI integration: gate PR builds on third-party crypto posture.
@@ -860,7 +1013,7 @@ function renderQxmMarkdown(m) {
 // Usage:
 //   npx pqcheck deps <domain>           Scan + print summary table
 //   npx pqcheck deps <domain> --json    JSON output (pipe to jq, etc.)
-//   npx pqcheck deps <domain> --lock    Also write quantapact-deps.lock + .md
+//   npx pqcheck deps <domain> --lock    Also write cipherwake-deps.lock + .md
 //   npx pqcheck deps <domain> -o dir/   Output directory for --lock files
 //   npx pqcheck deps <domain> --max=20  Cap on third parties scanned (default 20)
 // =============================================================================
@@ -932,12 +1085,15 @@ async function runDepsCommand(args) {
   }
   if (!json) process.stderr.write(color("dim", `Fetching ${domain} HTML...`));
-  const html = await fetchPageHTML(domain);
+  const fetched = await fetchPageHTML(domain);
   if (!json) process.stderr.write("\r\x1b[K");
-  if (!html) {
+  if (!fetched) {
     console.error(color("red", `error: could not fetch https://${domain}/`));
     process.exit(1);
   }
+  const { html, headerCsp } = fetched;
+  const metaCsp = extractMetaCsp(html);
+  const cspVerdict = classifyCsp(headerCsp, metaCsp);
   const refs = extractThirdPartyRefs(html, domain);
   if (refs.length === 0) {
@@ -977,7 +1133,7 @@ async function runDepsCommand(args) {
       batch.map(async (h) => {
         try {
           const r = await fetch(`${API_BASE}/api/scan?domain=${encodeURIComponent(h.host)}&source=cli-deps`, {
-            headers: { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION} (deps)` },
+            headers: apiHeaders({ "user-agent": `pqcheck-cli/${VERSION} (deps)` }),
           });
           if (!r.ok) return { ...h, types: Array.from(h.types), scan: null, error: `${r.status}` };
           const body = await r.json();
@@ -1031,13 +1187,17 @@ async function runDepsCommand(args) {
   // Build manifest
   const manifest = {
-    $schema: "https://quantapact.com/schemas/deps/v1",
-    schemaVersion: "1.1", // bumped for SRI + baseline-diff fields
+    $schema: "https://cipherwake.io/schemas/deps/v1",
+    schemaVersion: "1.2", // bumped for CSP + vendor classification fields
     domain,
     scannedAt: new Date().toISOString(),
     tool: "pqcheck-cli",
     toolVersion: VERSION,
     summary,
+    csp: {
+      quality: cspVerdict.quality,           // "absent" | "weak" | "strict"
+      source: cspVerdict.source,             // "header" | "meta" | null
+    },
     baseline: baselineHosts ? {
       file: baselinePath,
       newHosts,
@@ -1049,6 +1209,7 @@ async function runDepsCommand(args) {
       types: r.types,
       occurrences: r.occurrences,
       sri: { allScriptsHaveSri: !r.anyMissingSri, allHttps: r.allHttps },
+      vendor: classifyVendor(r.host),        // { name, category } or null
       isNew: r.isNew || false,
       scan: r.scan,
       error: r.error,
@@ -1066,7 +1227,7 @@ async function runDepsCommand(args) {
     try {
       const fs2 = await import("node:fs/promises");
       const baselinePayload = {
-        $schema: "https://quantapact.com/schemas/deps-baseline/v1",
+        $schema: "https://cipherwake.io/schemas/deps-baseline/v1",
         domain,
         capturedAt: new Date().toISOString(),
         toolVersion: VERSION,
@@ -1101,6 +1262,15 @@ async function runDepsCommand(args) {
   console.log("");
   console.log(`  ${color("bold", "Supply-chain HNDL exposure")} for ${color("violet", domain)}`);
   console.log(`  ${color("dim", `${summary.uniqueOrigins} unique third-party origins · ${summary.totalReferences} references · weakest: ${summary.weakestLink?.host ?? "—"} (${summary.weakestLink?.grade ?? "—"})`)}`);
+  // CSP-quality summary line — single line, site-wide. Mirrors the banner the
+  // extension shows on the Supply Chain tab.
+  if (cspVerdict.quality === "absent") {
+    console.log(`  ${color("red", "✗ No CSP enforcement")} ${color("dim", "— vendor swaps go undetected by the browser")}`);
+  } else if (cspVerdict.quality === "weak") {
+    console.log(`  ${color("yellow", "⚠ CSP is permissive")} ${color("dim", `— uses unsafe-inline / wildcards / data: (${cspVerdict.source})`)}`);
+  } else if (cspVerdict.quality === "strict") {
+    console.log(`  ${color("green", "✓ Strict CSP enforced")} ${color("dim", `(${cspVerdict.source})`)}`);
+  }
   if (baselineHosts) {
     const baselineSize = baselineHosts.size;
     if (baselineSize === 0) {
@@ -1113,19 +1283,33 @@ async function runDepsCommand(args) {
     }
   }
   console.log("");
-  console.log(`  ${color("dim", "GRADE  HOST                                          PQC  SRI  TYPES")}`);
-  console.log(`  ${color("dim", "─────  ─────────────────────────────────────────  ───  ───  ─────")}`);
+  console.log(`  ${color("dim", "GRADE  HOST                                          VENDOR (CATEGORY)        PQC  SRI  TYPES")}`);
+  console.log(`  ${color("dim", "─────  ─────────────────────────────────────────  ──────────────────────  ───  ───  ─────")}`);
   for (const r of results) {
     const gradeStr = r.scan?.grade ?? "?";
     const gradeColored = gradeStr === "A" ? color("green", gradeStr) : gradeStr === "F" || gradeStr === "D" ? color("red", gradeStr) : color("yellow", gradeStr);
-    const isNewMark = r.isNew ? color("yellow", " *NEW*") : "";
     const hostRaw = r.host + (r.isNew ? " *NEW*" : "");
     const host = hostRaw.length > 41 ? hostRaw.slice(0, 40) + "…" : (r.host.padEnd(r.isNew ? 35 : 41, " ") + (r.isNew ? color("yellow", " *NEW*") : ""));
     const pqc = r.scan?.hybridPQC ? color("green", "yes") : color("dim", "no ");
     const hasScript = (r.types || []).includes("script");
     const sriCell = !hasScript ? color("dim", "n/a") : r.anyMissingSri ? color("yellow", "off") : color("green", "on ");
     const types = r.types.join(",");
-    console.log(`  ${gradeColored.padEnd(8, " ")}  ${host}  ${pqc}  ${sriCell}  ${color("dim", types)}`);
+    // Vendor classification — "(New Relic · errors)" beats "bam.nr-data.net"
+    // for comprehension. Padded to 22 chars so the table columns stay aligned.
+    // Heuristic matches return `name: null` and just a category — render as
+    // "(cdn — inferred)" to signal we're guessing without claiming certainty.
+    const vendor = classifyVendor(r.host);
+    let vendorStrRaw;
+    if (vendor?.name) {
+      vendorStrRaw = `${vendor.name} (${vendor.category})`;
+    } else if (vendor?.category) {
+      vendorStrRaw = `(${vendor.category} — inferred)`;
+    } else {
+      vendorStrRaw = "—";
+    }
+    const vendorTruncated = vendorStrRaw.length > 22 ? vendorStrRaw.slice(0, 21) + "…" : vendorStrRaw.padEnd(22, " ");
+    const vendorColored = color("dim", vendorTruncated);
+    console.log(`  ${gradeColored.padEnd(8, " ")}  ${host}  ${vendorColored}  ${pqc}  ${sriCell}  ${color("dim", types)}`);
   }
   console.log("");
   if (baselineHosts && baselineHosts.size > 0 && newHosts.length > 0) {
@@ -1136,8 +1320,19 @@ async function runDepsCommand(args) {
   console.log("");
   if (lock) {
-    const lockPath = path.join(outDir, "quantapact-deps.lock");
-    const mdPath = path.join(outDir, "quantapact-deps-report.md");
+    // Filename policy mirrors `pqcheck lock`: prefer the new cipherwake-deps.lock,
+    // but if a legacy quantapact-deps.lock exists in this dir, overwrite that one
+    // in place so the user's repo doesn't suddenly grow a second lockfile.
+    const fsSync = await import("node:fs");
+    const legacyDepsLock = path.join(outDir, "quantapact-deps.lock");
+    const legacyDepsMd = path.join(outDir, "quantapact-deps-report.md");
+    const hasLegacy = fsSync.existsSync(legacyDepsLock);
+    const lockPath = hasLegacy
+      ? legacyDepsLock
+      : path.join(outDir, "cipherwake-deps.lock");
+    const mdPath = hasLegacy
+      ? legacyDepsMd
+      : path.join(outDir, "cipherwake-deps-report.md");
     try {
       await fs.mkdir(outDir, { recursive: true });
       await fs.writeFile(lockPath, JSON.stringify(manifest, null, 2));
@@ -1177,16 +1372,163 @@ async function fetchPageHTML(domain) {
       method: "GET",
       redirect: "follow",
       signal: ctrl.signal,
-      headers: { "User-Agent": `pqcheck-cli/${VERSION} (deps; +https://quantapact.com)` },
+      headers: { "User-Agent": `pqcheck-cli/${VERSION} (deps; +https://cipherwake.io)` },
     });
     clearTimeout(t);
     if (!resp.ok) return null;
-    return await resp.text();
+    const html = await resp.text();
+    // Also capture the CSP header so the deps view can show the site-wide
+    // enforcement level. Report-only header is ignored (not enforced).
+    const headerCsp = resp.headers.get("content-security-policy") || "";
+    return { html, headerCsp };
   } catch {
     return null;
   }
 }
+// Scrape <meta http-equiv="Content-Security-Policy" content="..."> from HTML
+// as a fallback when the response header is absent.
+function extractMetaCsp(html) {
+  const re = /<meta[^>]*\bhttp-equiv\s*=\s*["']?content-security-policy["']?[^>]*\bcontent\s*=\s*["']([^"']+)["']/i;
+  const m = html.match(re);
+  return m ? m[1] : "";
+}
+// Site-level CSP-quality classifier. Mirrors lib/serviceCatalog.ts and the
+// extension's classifyCsp(). Three buckets: absent / weak / strict.
+function classifyCsp(headerCsp, metaCsp) {
+  const policy = ((headerCsp || "").trim() || (metaCsp || "").trim()).toLowerCase();
+  if (!policy) return { quality: "absent", source: null, raw: "" };
+  const weakSignals = ["'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'", " * ", " *;", "data:", "blob:"];
+  const weak = weakSignals.some((sig) => policy.includes(sig));
+  return {
+    quality: weak ? "weak" : "strict",
+    source: (headerCsp || "").trim() ? "header" : "meta",
+    raw: policy,
+  };
+}
+// Compact vendor catalog — covers ~50 most common third-party origins so the
+// pretty table can show "(New Relic · errors)" instead of just "bam.nr-data.net".
+// Mirror of lib/serviceCatalog.ts + extension/popup.js SERVICE_CATALOG; keep
+// the three in sync when adding vendors.
+const SERVICE_CATALOG = {
+  "googletagmanager.com": { name: "Google Tag Manager", category: "analytics" },
+  "google-analytics.com": { name: "Google Analytics", category: "analytics" },
+  "googleadservices.com": { name: "Google Ads", category: "ads" },
+  "doubleclick.net": { name: "Google DoubleClick", category: "ads" },
+  "googleapis.com": { name: "Google APIs", category: "cdn" },
+  "gstatic.com": { name: "Google Static", category: "cdn" },
+  "recaptcha.net": { name: "Google reCAPTCHA", category: "captcha" },
+  "youtube.com": { name: "YouTube", category: "social" },
+  "cloudflare.com": { name: "Cloudflare", category: "cdn" },
+  "cdnjs.cloudflare.com": { name: "Cloudflare cdnjs", category: "cdn" },
+  "cloudflareinsights.com": { name: "Cloudflare Web Analytics", category: "analytics" },
+  "challenges.cloudflare.com": { name: "Cloudflare Turnstile", category: "captcha" },
+  "stripe.com": { name: "Stripe", category: "payments" },
+  "js.stripe.com": { name: "Stripe Checkout", category: "payments" },
+  "amazonaws.com": { name: "AWS S3", category: "cdn" },
+  "cloudfront.net": { name: "AWS CloudFront", category: "cdn" },
+  "clarity.ms": { name: "Microsoft Clarity", category: "analytics" },
+  "azureedge.net": { name: "Azure CDN", category: "cdn" },
+  "facebook.com": { name: "Facebook", category: "social" },
+  "facebook.net": { name: "Facebook Pixel", category: "ads" },
+  "fbcdn.net": { name: "Facebook CDN", category: "cdn" },
+  "connect.facebook.net": { name: "Facebook Pixel", category: "ads" },
+  "twitter.com": { name: "Twitter (X)", category: "social" },
+  "linkedin.com": { name: "LinkedIn", category: "social" },
+  "snap.licdn.com": { name: "LinkedIn Tracking", category: "ads" },
+  "use.typekit.net": { name: "Adobe Fonts", category: "fonts" },
+  "typekit.net": { name: "Adobe Fonts", category: "fonts" },
+  "paypal.com": { name: "PayPal", category: "payments" },
+  "auth0.com": { name: "Auth0", category: "auth" },
+  "okta.com": { name: "Okta", category: "auth" },
+  "intercomcdn.com": { name: "Intercom", category: "support" },
+  "zendesk.com": { name: "Zendesk", category: "support" },
+  "sentry.io": { name: "Sentry", category: "errors" },
+  "browser.sentry-cdn.com": { name: "Sentry", category: "errors" },
+  "js-agent.newrelic.com": { name: "New Relic", category: "errors" },
+  "bam.nr-data.net": { name: "New Relic", category: "errors" },
+  "datadoghq.com": { name: "Datadog", category: "errors" },
+  "browser-intake-datadoghq.com": { name: "Datadog RUM", category: "errors" },
+  "mailchimp.com": { name: "Mailchimp", category: "analytics" },
+  "hubspot.com": { name: "HubSpot", category: "analytics" },
+  "js.hubspot.com": { name: "HubSpot Tracking", category: "analytics" },
+  "segment.com": { name: "Segment", category: "analytics" },
+  "amplitude.com": { name: "Amplitude", category: "analytics" },
+  "mxpnl.com": { name: "Mixpanel", category: "analytics" },
+  "hotjar.com": { name: "Hotjar", category: "analytics" },
+  "plausible.io": { name: "Plausible Analytics", category: "analytics" },
+  "js.hcaptcha.com": { name: "hCaptcha", category: "captcha" },
+  "cdn.jsdelivr.net": { name: "jsDelivr CDN", category: "cdn" },
+  "unpkg.com": { name: "unpkg CDN", category: "cdn" },
+  "code.jquery.com": { name: "jQuery CDN", category: "cdn" },
+  "akamaihd.net": { name: "Akamai CDN", category: "cdn" },
+  "akamaized.net": { name: "Akamai CDN", category: "cdn" },
+  "fastly.net": { name: "Fastly CDN", category: "cdn" },
+  "bootstrapcdn.com": { name: "Bootstrap CDN", category: "cdn" },
+  "maxcdn.bootstrapcdn.com": { name: "Bootstrap CDN", category: "cdn" },
+  "cookielaw.org": { name: "OneTrust Cookie Consent", category: "consent" },
+  "cookiebot.com": { name: "Cookiebot", category: "consent" },
+  "vimeo.com": { name: "Vimeo", category: "social" },
+  "shopify.com": { name: "Shopify", category: "ecommerce" },
+  "cdn.shopify.com": { name: "Shopify CDN", category: "ecommerce" },
+  "tiktok.com": { name: "TikTok", category: "social" },
+};
+// Conservative heuristic patterns — same as lib/serviceCatalog.ts + popup.js.
+// Used when a host isn't in the explicit catalog. Doesn't name the vendor
+// (we don't know), but assigns a high-confidence category like "cdn" or
+// "ads" so unknown hosts aren't blank.
+const HEURISTIC_PATTERNS = [
+  // CDN
+  { re: /^cdn[.-]/, category: "cdn" },
+  { re: /^static\./, category: "cdn" },
+  { re: /^assets\./, category: "cdn" },
+  { re: /\.cloudfront\.net$/, category: "cdn" },
+  { re: /\.akamai(?:edge|hd|ized)?\.net$/, category: "cdn" },
+  { re: /\.fastly\.net$/, category: "cdn" },
+  { re: /\.azureedge\.net$/, category: "cdn" },
+  // Analytics / RUM
+  { re: /^analytics?\./, category: "analytics" },
+  { re: /^metrics?\./, category: "analytics" },
+  { re: /^telemetry\./, category: "analytics" },
+  { re: /^rum\./, category: "analytics" },
+  // Ads
+  { re: /^ads?[.-]/, category: "ads" },
+  { re: /^adserver\./, category: "ads" },
+  { re: /^pubads\./, category: "ads" },
+  { re: /\.advertising\./, category: "ads" },
+  // Consent / cookies
+  { re: /^consent\./, category: "consent" },
+  { re: /^cookies?\./, category: "consent" },
+  { re: /^gdpr\./, category: "consent" },
+  // Fonts
+  { re: /^fonts?\./, category: "fonts" },
+  // Errors / monitoring
+  { re: /^sentry[.-]/, category: "errors" },
+];
+function classifyVendor(host) {
+  if (!host) return null;
+  const lower = host.toLowerCase();
+  if (SERVICE_CATALOG[lower]) return SERVICE_CATALOG[lower];
+  for (const pattern of Object.keys(SERVICE_CATALOG)) {
+    if (lower === pattern || lower.endsWith("." + pattern)) {
+      return SERVICE_CATALOG[pattern];
+    }
+  }
+  for (const { re, category } of HEURISTIC_PATTERNS) {
+    if (re.test(lower)) {
+      // Inferred — no vendor name, just the category. CLI consumers (the
+      // pretty table + JSON output) check `name === null` to distinguish
+      // from explicit catalog matches.
+      return { name: null, category };
+    }
+  }
+  return null;
+}
 function extractThirdPartyRefs(html, targetDomain) {
   const out = [];
   const targetRoot = registeredDomain(targetDomain);
@@ -1323,6 +1665,67 @@ function depsManifestToMarkdown(m) {
 // SARIF + GitHub Action output formats
 // =============================================================================
+// Derive a SARIF-stable rule ID from a finding. Prefer the registry's stable
+// `id` (e.g., "tls.rsa_kex_fallback") so the same finding gets the same
+// ruleId every run — without it, GitHub Code Scanning treats a reordered
+// finding list as a fresh batch of new findings, blowing up the triage UX.
+// Short non-crypto hash for SARIF rule-ID disambiguation. djb2-style.
+// Pure JS so it works in both Node and the CLI bundle. 8-char hex output
+// is enough entropy to disambiguate distinct legacy findings without
+// becoming churn-prone — same input string always produces the same hash.
+function shortHash(input) {
+  let h = 5381;
+  for (let i = 0; i < input.length; i++) {
+    h = ((h << 5) + h + input.charCodeAt(i)) >>> 0;
+  }
+  return h.toString(16).padStart(8, "0");
+}
+function stableRuleId(f) {
+  if (f && typeof f.id === "string" && f.id.length > 0) {
+    // Normalize: if a registry ID already carries the `pqcheck.` prefix
+    // (which happened before this helper existed), don't double-prefix
+    // it into `pqcheck.pqcheck.tls...`. Strip and reattach.
+    const id = f.id.replace(/^pqcheck\./i, "");
+    return `pqcheck.${id}`;
+  }
+  // Fallback for legacy findings emitted without the registry — slug the
+  // title. Still stable across runs (same input → same output).
+  const title = f?.title || "finding";
+  const detail = f?.detail || "";
+  const slug = title
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, "_")
+    .replace(/^_+|_+$/g, "")
+    .slice(0, 48);
+  // GPT adversarial review 2026-05-12: legacy findings with similar
+  // titles ("No HSTS header" vs "No HSTS Header!") both slug to
+  // "no_hsts_header" and would collide in SARIF, causing GitHub Code
+  // Scanning to merge unrelated findings. Append a short hash of the
+  // full (title + detail) so semantically-different findings get
+  // distinct rule IDs even when their slugged titles match.
+  const disambiguator = shortHash(`${title}|${detail}`);
+  if (slug.length === 0) {
+    return `pqcheck.legacy.unnamed.${disambiguator}`;
+  }
+  return `pqcheck.legacy.${slug}.${disambiguator}`;
+}
+// Deduplicate the `rules` array — multiple findings can share the same
+// underlying rule (e.g., two cert findings both pinned to `cert.expired`).
+// SARIF's rule list must contain each rule once.
+function dedupeRules(findings) {
+  const seen = new Set();
+  const out = [];
+  for (const f of findings) {
+    const id = stableRuleId(f);
+    if (seen.has(id)) continue;
+    seen.add(id);
+    out.push(f);
+  }
+  return out;
+}
 function reportToSarif(report) {
   // SARIF 2.1.0 minimal schema for security findings.
   // Spec: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
@@ -1336,9 +1739,15 @@ function reportToSarif(report) {
         driver: {
           name: "pqcheck",
           version: VERSION,
-          informationUri: "https://quantapact.com",
-          rules: findings.map((f, i) => ({
-            id: `pqcheck-${i + 1}`,
+          informationUri: "https://cipherwake.io",
+          // Stable rule IDs — anchored to the finding's registry id (e.g.
+          // "tls.rsa_kex_fallback") when present, otherwise a slug derived
+          // from the title. Previously used positional pqcheck-${i+1} which
+          // made GitHub Code Scanning see every reorder as a "new" finding,
+          // poisoning the dedup/triage UX. Stable IDs let Code Scanning
+          // recognize the same rule across runs.
+          rules: dedupeRules(findings).map((f) => ({
+            id: stableRuleId(f),
             name: (f.title || "finding").replace(/[^A-Za-z0-9]/g, "_"),
             shortDescription: { text: f.title || "finding" },
             fullDescription: { text: f.detail || f.title || "finding" },
@@ -1346,8 +1755,8 @@ function reportToSarif(report) {
           })),
         },
       },
-      results: findings.map((f, i) => ({
-        ruleId: `pqcheck-${i + 1}`,
+      results: findings.map((f) => ({
+        ruleId: stableRuleId(f),
         level: sevMap[f.severity] || "note",
         message: { text: `${f.title || "finding"}${f.detail ? ` — ${f.detail}` : ""}` },
         // GitHub Code Scanning requires file: scheme (or relative path) for
@@ -1355,7 +1764,7 @@ function reportToSarif(report) {
         // relative path so findings show up cleanly in the Security tab.
         locations: [{
           physicalLocation: {
-            artifactLocation: { uri: `quantapact-scan/${report.domain || "unknown"}.txt` },
+            artifactLocation: { uri: `cipherwake-scan/${report.domain || "unknown"}.txt` },
             region: { startLine: 1, startColumn: 1 },
           },
         }],
@@ -1364,7 +1773,7 @@ function reportToSarif(report) {
           score: report.score,
           grade: report.grade,
           severity: f.severity,
-          reportUrl: `https://www.quantapact.com/r/${report.domain || ""}`,
+          reportUrl: `https://www.cipherwake.io/r/${report.domain || ""}`,
         },
       })),
       properties: {
@@ -1385,10 +1794,10 @@ function printGitHubActionAnnotations(report) {
   if (report._meta?.degraded) {
     const reason = String(report._meta.degradedReason || "live probe failed").replace(/[\r\n]/g, " ").replace(/::/g, ":");
     const since = String(report._meta.lastUpdated || "unknown");
-    console.log(`::warning title=Quantapact: cached score (live probe failed)::Showing last known-good score from ${since}. Reason: ${reason}. Re-run shortly for a fresh probe.`);
+    console.log(`::warning title=Cipherwake: cached score (live probe failed)::Showing last known-good score from ${since}. Reason: ${reason}. Re-run shortly for a fresh probe.`);
   }
   // Top-line score/grade as a notice
-  console.log(`::notice title=Quantapact: ${report.domain}::Grade ${report.grade || "?"} · score ${report.score ?? "?"} / 10`);
+  console.log(`::notice title=Cipherwake: ${report.domain}::Grade ${report.grade || "?"} · score ${report.score ?? "?"} / 10`);
   for (const f of findings) {
     const cmd = sevMap[f.severity] || "notice";
     const title = (f.title || "finding").replace(/[\r\n]/g, " ");
@@ -1420,7 +1829,7 @@ async function runHistoryCommand(args) {
   let h;
   try {
     const r = await fetch(`${API_BASE}/api/history?domain=${encodeURIComponent(domain)}&days=${days}`, {
-      headers: { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION} (history)` },
+      headers: apiHeaders({ "user-agent": `pqcheck-cli/${VERSION} (history)` }),
     });
     if (!r.ok) {
       console.error(color("red", `error: ${r.status} ${r.statusText}`));
@@ -1480,6 +1889,84 @@ async function runHistoryCommand(args) {
   console.log("");
 }
+// =============================================================================
+// `pqcheck changes <domain>` — surface observation-table deltas for a domain
+// =============================================================================
+// Hits /api/changes-summary which aggregates the new observation tables
+// shipped 2026-05-13 (subdomain_observations, script_observations,
+// posture_snapshots, cert_observations). Returns "N attack-surface changes
+// in last 14d" + breakdown. Devs use this in CI ("did anything change since
+// yesterday?") and in PR descriptions ("attached: 3 changes detected since
+// last week").
+async function runChangesCommand(args) {
+  const json = args.includes("--json");
+  const positional = args.filter((a) => !a.startsWith("-"));
+  const domain = positional.length > 0 ? normalizeDomain(positional[0]) : null;
+  if (!domain || !isValidDomain(domain)) {
+    console.error(color("red", "error: pqcheck changes requires a valid domain"));
+    console.error(color("dim", "Usage: npx pqcheck changes <domain> [--json]"));
+    process.exit(1);
+  }
+  let summary;
+  try {
+    const r = await fetch(`${API_BASE}/api/changes-summary?domain=${encodeURIComponent(domain)}`, {
+      headers: apiHeaders({ "user-agent": `pqcheck-cli/${VERSION} (changes)` }),
+    });
+    if (!r.ok) {
+      console.error(color("red", `error: ${r.status} ${r.statusText}`));
+      process.exit(1);
+    }
+    summary = await r.json();
+  } catch (err) {
+    console.error(color("red", `error: ${err.message}`));
+    process.exit(1);
+  }
+  if (json) {
+    console.log(JSON.stringify(summary, null, 2));
+    return;
+  }
+  const tracked = summary.trackedSince;
+  const total = summary.changes?.last14d ?? 0;
+  const b = summary.breakdown ?? {};
+  console.log("");
+  console.log(`  ${color("bold", domain)} ${color("dim", "·")} attack-surface change summary`);
+  if (!tracked) {
+    console.log(color("dim", "  No observation history yet. Run `npx pqcheck " + domain + "` to start accumulating."));
+    console.log("");
+    return;
+  }
+  const trackedDate = String(tracked).slice(0, 10);
+  console.log(color("dim", `  Tracking since ${trackedDate}`));
+  console.log("");
+  if (total === 0) {
+    console.log(`  ${color("green", "✓")} No public attack-surface changes detected in the last 14 days.`);
+    console.log("");
+    return;
+  }
+  console.log(`  ${color("yellow", "⚠")} ${color("bold", total)} change${total === 1 ? "" : "s"} detected in the last 14 days:`);
+  console.log("");
+  if (b.newSubdomains14d) {
+    console.log(`    ${color("violet", "•")} ${color("bold", b.newSubdomains14d)} new subdomain${b.newSubdomains14d === 1 ? "" : "s"} observed in CT logs or live scans`);
+  }
+  if (b.newScripts14d) {
+    console.log(`    ${color("violet", "•")} ${color("bold", b.newScripts14d)} new third-party script host${b.newScripts14d === 1 ? "" : "s"} loaded`);
+  }
+  if (b.newCertKeys14d) {
+    console.log(`    ${color("violet", "•")} ${color("bold", b.newCertKeys14d)} new SPKI fingerprint${b.newCertKeys14d === 1 ? "" : "s"} (cert rotation with new key)`);
+  }
+  console.log("");
+  console.log(color("dim", `  Full changelog: ${API_BASE}/domain/${domain}/security-changelog`));
+  console.log("");
+}
 // =============================================================================
 // `pqcheck diff` — diff two QXM lockfiles
 // =============================================================================
@@ -1509,7 +1996,7 @@ async function runDiffCommand(args) {
   }
   console.log("");
-  console.log(`  ${color("bold", "Quantapact lockfile diff")}`);
+  console.log(`  ${color("bold", "Cipherwake lockfile diff")}`);
   console.log(`  ${color("dim", `${positional[0]} → ${positional[1]}`)}`);
   console.log("");
   if (diff.scoreChange !== null) {
@@ -1580,6 +2067,114 @@ function computeLockDiff(oldLock, newLock) {
 // `pqcheck cert <pem-file>` — analyze a local cert file (offline)
 // =============================================================================
+// `pqcheck watch <domain>` — adds the given domain to the user's watched-
+// domain list via the authenticated /api/watched-domains POST. Requires
+// QUANTAPACT_API_KEY env var. Closes the CLI ↔ account loop: developers
+// who use the CLI can now opt into persistent monitoring from the same
+// surface without leaving the terminal.
+async function runWatchCommand(args) {
+  const positional = args.filter((a) => !a.startsWith("-"));
+  if (positional.length === 0) {
+    console.error(color("red", "error: pqcheck watch requires a domain"));
+    console.error(color("dim", "Usage: npx pqcheck watch <domain>"));
+    console.error("");
+    console.error(color("dim", "Example: npx pqcheck watch chase.com"));
+    process.exit(1);
+  }
+  if (!QP_API_KEY) {
+    const rawDomain = positional[0] ? String(positional[0]).trim().toLowerCase() : "";
+    const looksLikeDomain = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/.test(rawDomain);
+    console.error(color("red", "error: pqcheck watch requires CIPHERWAKE_API_KEY (paid tier)"));
+    console.error("");
+    console.error(color("dim", "Two ways to add this domain:"));
+    if (looksLikeDomain) {
+      console.error(color("dim", `  1. Sign up + click "Watch" in your browser:`));
+      console.error(color("dim", `       ${API_BASE}/watch/${rawDomain}`));
+    } else {
+      console.error(color("dim", `  1. Sign up + click "Watch" in your browser:`));
+      console.error(color("dim", `       ${API_BASE}/watch/<your-domain>`));
+    }
+    console.error(color("dim", `  2. Stay on the CLI — sign up + rotate an API key:`));
+    console.error(color("dim", `       ${API_BASE}/signin`));
+    console.error(color("dim", `       ${API_BASE}/account  (rotate key)`));
+    console.error(color("dim", `       export CIPHERWAKE_API_KEY=qpk_...`));
+    process.exit(1);
+  }
+  const raw = positional[0];
+  const domain = normalizeDomain(raw);
+  if (!isValidDomain(domain)) {
+    console.error(color("red", `error: '${raw}' is not a valid domain`));
+    process.exit(1);
+  }
+  console.log("");
+  console.log(color("violet", `  📌 Adding ${domain} to your watched-domain list…`));
+  let resp;
+  try {
+    resp = await fetch(`${API_BASE}/api/watched-domains`, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        "authorization": "Bearer " + QP_API_KEY,
+      },
+      body: JSON.stringify({ domain }),
+    });
+  } catch (err) {
+    console.error(color("red", `  network error: ${err.message ?? err}`));
+    process.exit(1);
+  }
+  if (resp.status === 401 || resp.status === 403) {
+    console.error(color("red", `  authentication failed (HTTP ${resp.status})`));
+    console.error(color("dim", `  Your API key may be invalid or revoked. Regenerate at ${API_BASE}/account`));
+    process.exit(1);
+  }
+  let out = {};
+  try { out = await resp.json(); } catch { /* ignore */ }
+  if (!resp.ok) {
+    if (out.error === "domain_already_watched") {
+      console.log(color("dim", `  ${domain} is already on your watched-domain list.`));
+      console.log(color("dim", `  Manage at: ${API_BASE}/account`));
+      process.exit(0);
+    }
+    if (out.error === "tier_cap_exceeded") {
+      console.error(color("red", `  ${out.message || "Tier cap reached."}`));
+      console.error(color("dim", `  See pricing: ${API_BASE}/pricing`));
+      process.exit(1);
+    }
+    if (out.error === "invalid_domain") {
+      console.error(color("red", `  ${domain} is not a valid hostname.`));
+      process.exit(1);
+    }
+    console.error(color("red", `  add failed: ${out.message || out.error || `HTTP ${resp.status}`}`));
+    process.exit(1);
+  }
+  console.log("");
+  console.log(color("green", `  ✓ Now watching ${domain}.`));
+  console.log("");
+  if (out.verificationInstructions) {
+    const v = out.verificationInstructions;
+    console.log(color("bold", "  Next: verify ownership"));
+    console.log(color("dim", `  Pick ONE method:`));
+    console.log("");
+    console.log(color("dim", `    DNS TXT     — name:  ${v.dnsTxt?.recordName}`));
+    console.log(color("dim", `                  value: ${v.dnsTxt?.recordValue}`));
+    console.log("");
+    console.log(color("dim", `    HTTP file   — url:   ${v.wellKnown?.url}`));
+    console.log(color("dim", `                  body:  ${v.wellKnown?.body}`));
+    console.log("");
+    console.log(color("dim", `  After adding the record, click 'Verify now' at ${API_BASE}/account`));
+    console.log(color("dim", `  or run: npx pqcheck watch ${domain} --verify  (coming soon)`));
+  }
+  console.log("");
+  process.exit(0);
+}
 async function runCertCommand(args) {
   const fs = await import("node:fs/promises");
   const crypto = await import("node:crypto");

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.7.8",
+  "version": "0.10.0",
   "description": "Decryption Blast Radius scanner — find out how much of your data unlocks when quantum decryption arrives.",
   "keywords": [
     "post-quantum",
@@ -17,15 +17,15 @@
     "crypto-audit",
     "crypto-inventory"
   ],
-  "homepage": "https://quantapact.com",
-  "bugs": "https://quantapact.com",
+  "homepage": "https://cipherwake.io",
+  "bugs": "https://cipherwake.io",
   "repository": {
     "type": "git",
-    "url": "https://github.com/quantapact/pqcheck.git",
+    "url": "https://github.com/cipherwake-io/pqcheck.git",
     "directory": "cli"
   },
   "license": "MIT",
-  "author": "Quantapact",
+  "author": "Cipherwake",
   "type": "module",
   "engines": {
     "node": ">=18"