pqcheck 0.7.9 → 0.12.0

package/README.md

@@ -8,10 +8,67 @@ npx pqcheck stripe.com
 
 Zero install. Works in any terminal with Node 18+. Free, no signup, no API key.
 
-The same scanner that powers [quantapact.com](https://quantapact.com), the browser extension, and the GitHub Action.
+The same scanner that powers [cipherwake.io](https://cipherwake.io), the browser extension, and the GitHub Action.
 
 ---
 
+## Get started in 60 seconds
+
+Wire Cipherwake into your CI so every PR gets a Trust Diff comment when your domain's public trust posture changes.
+
+**One command does almost everything:**
+
+```bash
+npx pqcheck onboard cipherwake.io
+```
+
+That runs in sequence: scan your domain → write the GitHub Action workflow → capture a vendor lockfile → generate a release checklist → open your browser to the API-key page. You finish by adding the API key as a repo secret + committing.
+
+**Or step-by-step if you prefer:**
+
+```bash
+# 1. Scaffold a GitHub Actions workflow (interactive prompts)
+npx pqcheck init
+
+# 2. Generate a free API key at https://cipherwake.io/account#api-keys
+#    (Free tier: 30 Trust Diff calls/month)
+
+# 3. Add the key as a repo secret:
+#    GitHub → Settings → Secrets → Actions → New secret
+#    Name: CIPHERWAKE_API_KEY  Value: qpk_...
+
+# 4. Commit + push
+git add .github/workflows/cipherwake.yml
+git commit -m "ci: add Cipherwake Trust Diff gate"
+git push
+```
+
+That's it. Open a PR and Cipherwake comments inline when cert / SPKI / HSTS / CSP / DMARC / vendor scripts drift since your baseline.
+
+**Want more?**
+- Pre-commit hook: `npx pqcheck deploy-check <domain>` before every deploy
+- Release ritual: `npx pqcheck release-checklist <domain>` for your release notes
+- Vendor lockfile: `npx pqcheck vendors export <domain>` to commit `cipherwake.vendors.json` and fail PRs introducing new third-party scripts
+
+---
+
+## What's new in 0.12.0
+
+**Developer habit-loop bundle (locked 2026-05-16).** Five new subcommands that put Cipherwake where developers already work: PRs, CI, release notes, vendor allowlists. Free tier covers all of them within the 30 Trust Diff calls/month quota.
+
+- `pqcheck init` — interactive scaffold for `.github/workflows/cipherwake.yml`. Prompts for domain, fail-on severity, baseline. No copy-paste from docs required.
+- `pqcheck deploy-check <domain>` — pre-deploy Trust Diff gate with deploy-friendly framing. Uses last-scan as default baseline. Same exit semantics as `trust-diff`.
+- `pqcheck release-checklist [domain]` — markdown checklist for release notes. Offline, no API call.
+- `pqcheck vendors export <domain>` — write `cipherwake.vendors.json` from currently observed third-party origins. Like `package-lock.json` for vendor scripts.
+- `pqcheck vendors check <domain>` — CI gate; exits **4** when new origins appear that aren't in the lockfile.
+- `pqcheck vendors sync <domain>` — Starter+ only; pulls your dashboard-managed approved-vendor allowlist into the lockfile.
+
+Plus: the GitHub Action v3.1 now posts a **sticky PR comment** with Trust Diff results when `comment-on-pr: true` is set, and `/r/<domain>` has a "Copy as GitHub issue" button on every finding.
+
+## What's new in 0.11.0
+
+**Trust Diff subcommand** — `npx pqcheck trust-diff <domain>` calls `/api/trust-diff` and gates CI on regression severity vs a configured baseline. SARIF output uploads to GitHub's Code Scanning. Pair with `cipherwakelabs/pqcheck@v3` action `mode: trust-diff` for one-line CI integration.
+
 ## What's new in 0.7.9
 
 **CSP verdict + vendor labels on `pqcheck deps`.** The supply-chain table now shows a friendly vendor label (`New Relic · errors` / `Cloudflare · cdn` / `Adobe Fonts · fonts`) per host instead of raw `bam.nr-data.net`-style hostnames, plus a one-line site-wide CSP verdict above the table (`✗ No CSP enforcement` / `⚠ CSP is permissive` / `✓ Strict CSP enforced`). Same data shape ships on `/r/<domain>` and in the browser extension — cross-surface parity for the supply-chain story. See [CHANGELOG.md](./CHANGELOG.md).
@@ -42,11 +99,21 @@ Plus a full ASM check suite for credibility:
 
 ```
 npx pqcheck <domain>                          Scan + print human-readable report
-npx pqcheck lock <domain>                     Generate quantapact.lock (QXM) committable manifest
+npx pqcheck lock <domain>                     Generate cipherwake.lock (QXM) committable manifest
 npx pqcheck deps <domain>                     Scan all third-party origins on the page (supply-chain HNDL)
 npx pqcheck diff <old.lock> <new.lock>        Compare two QXM lockfiles; exit 2 on regression
 npx pqcheck history <domain>                  Show 90-day score history (sparkline + samples)
+npx pqcheck changes <domain>                  Summarize public attack-surface changes in last 14 days
 npx pqcheck cert <file.pem>                   Analyze a local PEM/CRT cert file (offline, no network)
+npx pqcheck trust-diff <domain>               Trust Diff vs configured baseline; CI gate (Free: 30/mo)
+npx pqcheck deploy-check <domain>             Pre-deploy gate (Trust Diff alias with last-scan baseline)
+npx pqcheck onboard <domain>                  One-command setup wizard (scan + init + vendors + checklist)
+npx pqcheck init                              Interactive scaffold for .github/workflows/cipherwake.yml
+npx pqcheck release-checklist [domain]        Pre-release trust checklist (markdown, offline)
+npx pqcheck vendors export <domain>           Write cipherwake.vendors.json from observed third-party scripts
+npx pqcheck vendors check <domain>            CI gate; exit 4 on new origins not in lockfile
+npx pqcheck vendors sync <domain>             Pull dashboard allowlist into lockfile (Starter+, needs API key)
+npx pqcheck watch <domain>                    Add domain to your watched list (needs CIPHERWAKE_API_KEY)
 ```
 
 ### Multi-domain
@@ -81,7 +148,7 @@ npx pqcheck --file domains.txt                Bulk scan from a newline-separated
 ### Subcommand-specific flags
 
 **`pqcheck deps`:**
-- `--lock` — Also write `quantapact-deps.lock` + `.md`
+- `--lock` — Also write `cipherwake-deps.lock` + `.md`
 - `-o <dir>` — Output directory for `--lock` files
 - `--max=<N>` — Max third parties to scan (default 20)
 - `--allowlist <file>` — Exit **3** if any third-party not in allowlist (CI vendor-risk gate)
@@ -160,13 +227,15 @@ Like SBOM, `package-lock.json`, or `cargo audit` outputs — track quantum expos
 ```bash
 npx pqcheck lock yourcompany.com
 # Writes:
-#   quantapact.lock          — stable JSON manifest
-#   quantapact-report.md     — human-readable summary (renders on GitHub)
+#   cipherwake.lock          — stable JSON manifest
+#   cipherwake-report.md     — human-readable summary (renders on GitHub)
 ```
 
 Commit both files. Use `npx pqcheck diff old.lock new.lock` in CI to surface regressions in PR comments.
 
-Schema documented at [quantapact.com/schemas/qxm/v1](https://quantapact.com/methodology/qxm).
+> **Filename history.** This tool was previously named Quantapact and earlier versions wrote `quantapact.lock` + `quantapact-report.md`. Both names work forever — `pqcheck lock` auto-detects an existing legacy lockfile and overwrites it in place rather than silently creating a second file in your repo. New repos get the new `cipherwake.lock` default. No migration required.
+
+Schema documented at [cipherwake.io/schemas/qxm/v1](https://cipherwake.io/methodology/qxm).
 
 ### Supply-chain dependency scanning
 
@@ -175,41 +244,41 @@ npx pqcheck deps stripe.com
 # Output: every third-party origin on stripe.com (analytics, CDN, fonts, etc.) graded for quantum risk
 ```
 
-Add `--lock` to write `quantapact-deps.lock` + `.md` for committing or PR comparison. Add `--allowlist file.txt` to gate CI on vendor approval.
+Add `--lock` to write `cipherwake-deps.lock` + `.md` for committing or PR comparison. Add `--allowlist file.txt` to gate CI on vendor approval.
 
 ## Companion surfaces
 
-This CLI is one of four ways to consume the [Decryption Blast Radius API](https://quantapact.com/api):
+This CLI is one of four ways to consume the [Decryption Blast Radius API](https://cipherwake.io/api):
 
 | Surface | Where |
 |---|---|
 | **CLI** (this package) | `npx pqcheck` |
 | **Browser extension** | Chrome Web Store / Firefox AMO / Edge — toolbar badge per tab + dependency analysis |
-| **GitHub Action** | [`quantapact/pqcheck/action@main`](https://github.com/quantapact/pqcheck/tree/main/action) — PR comments, SARIF upload, lockfile generation |
-| **Slack `/pqcheck`** | [Install on workspace](https://quantapact.com/install-slack) |
-| **Web** | [quantapact.com](https://quantapact.com) — share-friendly URLs at `/r/<domain>` |
+| **GitHub Action** | [`cipherwake-io/pqcheck/action@main`](https://github.com/cipherwake-io/pqcheck/tree/main/action) — PR comments, SARIF upload, lockfile generation |
+| **Slack `/pqcheck`** | [Install on workspace](https://cipherwake.io/install-slack) |
+| **Web** | [cipherwake.io](https://cipherwake.io) — share-friendly URLs at `/r/<domain>` |
 
 ## Public API
 
-`pqcheck` is a wrapper around the public Quantapact API. You can also call the API directly:
+`pqcheck` is a wrapper around the public Cipherwake API. You can also call the API directly:
 
 ```bash
-curl -s "https://www.quantapact.com/api/scan?domain=stripe.com" | jq '.grade, .score'
+curl -s "https://www.cipherwake.io/api/scan?domain=stripe.com" | jq '.grade, .score'
 ```
 
-Full API reference at [quantapact.com/api](https://quantapact.com/api).
+Full API reference at [cipherwake.io/api](https://cipherwake.io/api).
 
-**Rate limits:** 300 scans per hour per IP, 20 `--fresh` (force-refresh) scans per hour per IP. No API key required. Returns HTTP 429 if exceeded — back off and retry, or [let us know via the feedback form](https://quantapact.com/feedback) if you need higher limits (we're prioritizing the API tier based on real demand).
+**Rate limits:** 300 scans per hour per IP, 20 `--fresh` (force-refresh) scans per hour per IP. No API key required. Returns HTTP 429 if exceeded — back off and retry, or [let us know via the feedback form](https://cipherwake.io/feedback) if you need higher limits (we're prioritizing the API tier based on real demand).
 
 ## Methodology
 
 Decryption Blast Radius scoring methodology is fully open. Component weights, PQC discount math, the "what we DON'T claim" sections, edge cases — all documented:
 
-- [Decryption Blast Radius](https://quantapact.com/methodology/decryption-blast-radius) — core methodology
-- [Score components](https://quantapact.com/methodology/score-components) — the 4-bar weighted breakdown + PQC discount
-- [QXM lockfile schema](https://quantapact.com/methodology/qxm) — committable manifest format
-- [Browser extension methodology](https://quantapact.com/methodology/browser-extension) — supply-chain HNDL detection logic
-- [Methodology library](https://quantapact.com/methodology) — full index
+- [Decryption Blast Radius](https://cipherwake.io/methodology/decryption-blast-radius) — core methodology
+- [Score components](https://cipherwake.io/methodology/score-components) — the 4-bar weighted breakdown + PQC discount
+- [QXM lockfile schema](https://cipherwake.io/methodology/qxm) — committable manifest format
+- [Browser extension methodology](https://cipherwake.io/methodology/browser-extension) — supply-chain HNDL detection logic
+- [Methodology library](https://cipherwake.io/methodology) — full index
 
 ## Versioning + stability
 
@@ -219,20 +288,20 @@ The CLI follows the same policy — output formats are stable across minor versi
 
 ## Privacy
 
-`pqcheck` sends the domain you scan to `quantapact.com/api/scan` (so the TLS handshake can be performed from the public internet). No other data is sent — no email, no client-side identifier. The server logs anonymized analytics: domain, hashed IP (for rate limiting), user-agent. We don't track individual users across scans. See [quantapact.com/privacy](https://quantapact.com/privacy).
+`pqcheck` sends the domain you scan to `cipherwake.io/api/scan` (so the TLS handshake can be performed from the public internet). No other data is sent — no email, no client-side identifier. The server logs anonymized analytics: domain, hashed IP (for rate limiting), user-agent. We don't track individual users across scans. See [cipherwake.io/privacy](https://cipherwake.io/privacy).
 
 ## CI integration
 
 ```yaml
 # .github/workflows/quantum-risk-gate.yml
-- name: Quantapact public-surface gate
+- name: Cipherwake public-surface gate
   run: npx pqcheck@latest mycompany.com --threshold 7
 ```
 
-For richer integration (sticky PR comments, SARIF upload to Code Scanning, lockfile diff on regression), use the [GitHub Action](https://github.com/quantapact/pqcheck/tree/main/action):
+For richer integration (sticky PR comments, SARIF upload to Code Scanning, lockfile diff on regression), use the [GitHub Action](https://github.com/cipherwake-io/pqcheck/tree/main/action):
 
 ```yaml
-- uses: quantapact/pqcheck/action@main
+- uses: cipherwake-io/pqcheck/action@main
   with:
     domain: mycompany.com
     threshold: '7'
@@ -249,12 +318,12 @@ For richer integration (sticky PR comments, SARIF upload to Code Scanning, lockf
 
 ## License
 
-MIT. © 2026 Quantapact.
+MIT. © 2026 Cipherwake.
 
 ---
 
-**Source:** [github.com/quantapact/pqcheck](https://github.com/quantapact/pqcheck)
+**Source:** [github.com/cipherwake-io/pqcheck](https://github.com/cipherwake-io/pqcheck)
 
 **Changelog:** [CHANGELOG.md](./CHANGELOG.md) for version-by-version release notes.
 
-**Issues / feedback:** [quantapact.com/feedback](https://quantapact.com/feedback) or open an issue on the repo.
+**Issues / feedback:** [cipherwake.io/feedback](https://cipherwake.io/feedback) or open an issue on the repo.