pqcheck 0.7.9 → 0.12.0

package/bin/pqcheck.js

@@ -2,12 +2,48 @@
 // =============================================================================
 // pqcheck CLI — npx pqcheck <domain>
 // =============================================================================
-// Tiny wrapper around the public scan API at quantapact.com.
+// Tiny wrapper around the public scan API at cipherwake.io.
 // Zero deps (uses node:fetch). Works under `npx pqcheck` without installation.
 // =============================================================================
 
-const API_BASE = process.env.PQCHECK_API_BASE || "https://quantapact.com";
-const VERSION = "0.7.9";
+const API_BASE = process.env.PQCHECK_API_BASE || "https://cipherwake.io";
+const VERSION = "0.12.0";
+
+// API-key support — paid tiers (Starter $29 / Growth $79 / Scale $199) get
+// per-account monthly quotas instead of the per-IP rate limit. Set via:
+//   export CIPHERWAKE_API_KEY=qpk_<32-hex>
+// Anonymous CLI use still works (no env var → falls back to IP rate limit).
+//
+// QUANTAPACT_API_KEY is honored as a deprecated fallback for existing users
+// (rebrand 2026-05-15). Will be removed in v1.0; in the meantime no break.
+const QP_API_KEY = (process.env.CIPHERWAKE_API_KEY || process.env.QUANTAPACT_API_KEY || "").trim();
+
+// Builds headers with optional Authorization. Use for every CLI → API call
+// so a single env-var toggle authenticates every endpoint at once.
+function apiHeaders(extra = {}) {
+  const h = { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION}`, ...extra };
+  if (QP_API_KEY) h.authorization = `Bearer ${QP_API_KEY}`;
+  return h;
+}
+
+// Helpful messaging when the server tells us auth/quota failed.
+async function handleAuthError(resp) {
+  if (resp.status === 401) {
+    const body = await safeJSON(resp);
+    if (body?.error === "invalid_api_key") {
+      console.error(color("red", "CIPHERWAKE_API_KEY is invalid or revoked. Check https://cipherwake.io/account to rotate."));
+      return true;
+    }
+  }
+  if (resp.status === 429) {
+    const body = await safeJSON(resp);
+    if (body?.error === "monthly_quota_exceeded") {
+      console.error(color("red", `Monthly quota exceeded${body.detail ? ` — ${body.detail}` : ""}. Upgrade tier at https://cipherwake.io/pricing or wait until the 1st.`));
+      return true;
+    }
+  }
+  return false;
+}
 
 const ANSI = {
   reset:   "\x1b[0m",
@@ -25,9 +61,17 @@ const color = (c, s) => (supportsColor ? `${ANSI[c]}${s}${ANSI.reset}` : s);
 async function main() {
   const args = process.argv.slice(2);
 
-  if (args.length === 0 || args.includes("--help") || args.includes("-h")) {
+  // No-args entry: show a layman's quick-start before the full usage block.
+  // Behavior: argv.length === 0 prints the friendly intro then usage and exits 1.
+  // --help / -h prints only usage (no intro) and exits 0.
+  if (args.length === 0) {
+    printQuickStart();
+    printUsage();
+    process.exit(1);
+  }
+  if (args.includes("--help") || args.includes("-h")) {
     printUsage();
-    process.exit(args.length === 0 ? 1 : 0);
+    process.exit(0);
   }
   if (args.includes("--version") || args.includes("-v")) {
     console.log(`pqcheck ${VERSION}`);
@@ -44,12 +88,39 @@ async function main() {
   if (args[0] === "diff") {
     return runDiffCommand(args.slice(1));
   }
+  if (args[0] === "trust-diff") {
+    // CLI v0.11.0 (locked 2026-05-16): new subcommand that calls /api/trust-diff
+    // and outputs verdict in selected format. Designed for CI use via the
+    // cipherwakelabs/pqcheck Action mode: trust-diff.
+    return runTrustDiffCommand(args.slice(1));
+  }
   if (args[0] === "history") {
     return runHistoryCommand(args.slice(1));
   }
+  if (args[0] === "changes") {
+    return runChangesCommand(args.slice(1));
+  }
   if (args[0] === "cert") {
     return runCertCommand(args.slice(1));
   }
+  if (args[0] === "watch") {
+    return runWatchCommand(args.slice(1));
+  }
+  if (args[0] === "release-checklist") {
+    return runReleaseChecklistCommand(args.slice(1));
+  }
+  if (args[0] === "init") {
+    return runInitCommand(args.slice(1));
+  }
+  if (args[0] === "deploy-check") {
+    return runDeployCheckCommand(args.slice(1));
+  }
+  if (args[0] === "vendors") {
+    return runVendorsCommand(args.slice(1));
+  }
+  if (args[0] === "onboard") {
+    return runOnboardCommand(args.slice(1));
+  }
 
   // Multi-domain support: positional args are domains.
   // --file reads additional domains from a newline-delimited file.
@@ -133,7 +204,7 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi,
     const qs = fresh ? `?domain=${encodeURIComponent(domain)}&force=1` : `?domain=${encodeURIComponent(domain)}`;
     const resp = await fetch(`${API_BASE}/api/scan${qs}`, {
       method: "GET",
-      headers: { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION} (scan)` },
+      headers: apiHeaders({ "user-agent": `pqcheck-cli/${VERSION} (scan)` }),
     });
     if (!quiet && format === "text") process.stderr.write("\r\x1b[K");
     if (!resp.ok) {
@@ -232,7 +303,7 @@ async function runWatch({ domains, format, quiet, threshold, webhookUrl, interva
       try {
         const resp = await fetch(`${API_BASE}/api/scan?domain=${encodeURIComponent(domain)}`, {
           method: "GET",
-          headers: { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION} (watch)` },
+          headers: apiHeaders({ "user-agent": `pqcheck-cli/${VERSION} (watch)` }),
         });
         if (!resp.ok) continue;
         const report = await resp.json();
@@ -357,7 +428,14 @@ function printCsvRow(r) {
   console.log(cells.join(","));
 }
 function csvEscape(s) {
-  const v = String(s ?? "");
+  // Spreadsheet-formula-injection defense (R2 finding): cells starting
+  // with =, +, -, @, TAB, or CR get treated as formulas by Excel/Sheets.
+  // Prefix with a literal-string ' to neutralize. Defense-in-depth even
+  // though domains are shape-validated upstream.
+  let v = String(s ?? "");
+  if (/^[=+\-@\t\r\n]/.test(v)) {
+    v = "'" + v;
+  }
   if (v.includes(",") || v.includes('"') || v.includes("\n")) {
     return '"' + v.replace(/"/g, '""') + '"';
   }
@@ -393,6 +471,13 @@ function printMarkdown(r, multi) {
   lines.push(`> ⚠ Public surface only. Internal Blast Radius is typically 12–40× this score.`);
   lines.push("");
   lines.push(`Full report: ${API_BASE}/?check=${encodeURIComponent(r.domain)} · Share: ${API_BASE}/r/${encodeURIComponent(r.domain)}`);
+  // Conversion CTA (generalbusiness.md principle #15): one-line activation
+  // path on every value-delivery moment. Pointed at /watch/<domain>.
+  // Audit-required 2026-05-14: copy matches current locked plan ($29 Starter
+  // not the old "watch free / weekly digest"). PR-comment context plants
+  // team-invitation idea for the eventual Growth tier upgrade.
+  lines.push(`📌 **Monitor ${r.domain} continuously?** ${API_BASE}/watch/${encodeURIComponent(r.domain)}`);
+  lines.push(`Cipherwake Starter $29/mo · 5 domains · daily scans + email alerts on cert/script/posture changes. Invite your team on Growth ($79/mo) when ready.`);
   if (multi) lines.push("\n---\n");
   console.log(lines.join("\n"));
 }
@@ -506,7 +591,25 @@ function printReport(r) {
     console.log("");
   }
 
-  console.log(color("violet", `  → Full report: ${API_BASE}/?check=${encodeURIComponent(r.domain)}`));
+  // Provenance pill — "Tracked by Cipherwake since X · N observations". Trust
+  // signal that this isn't a one-shot probe but a historical record. Only
+  // renders if we actually have prior observations for the domain.
+  if (r.trackedSince) {
+    const trackedDate = String(r.trackedSince).slice(0, 10);
+    const obs = typeof r.observations === "number" && r.observations > 0 ? r.observations : null;
+    const obsLine = obs ? ` · ${obs} observation${obs === 1 ? "" : "s"}` : "";
+    console.log(color("dim", `  Tracked by Cipherwake since ${trackedDate}${obsLine}`));
+    console.log("");
+  }
+
+  // Conversion CTA (generalbusiness.md principle #15): every value-delivery
+  // moment surfaces the same /watch/<domain> activation path. Audit-required
+  // 2026-05-14: copy must match current locked revenue plan ($29 Starter,
+  // not the old "free 1-domain weekly digest").
+  console.log(color("violet", `  📌 Monitor ${r.domain} daily: ${API_BASE}/watch/${encodeURIComponent(r.domain)}`));
+  console.log(color("dim",    `     Cipherwake Starter $29/mo · 5 watched domains · email alerts · cancel anytime`));
+  console.log("");
+  console.log(color("dim",    `  → Full report: ${API_BASE}/?check=${encodeURIComponent(r.domain)}`));
   console.log(color("dim",    `  → Share this:  ${API_BASE}/r/${encodeURIComponent(r.domain)}`));
   console.log(color("dim",    `  → Compare two: ${API_BASE}/compare?a=${encodeURIComponent(r.domain)}&b=`));
   console.log("");
@@ -531,6 +634,31 @@ async function safeJSON(resp) {
   try { return await resp.json(); } catch { return null; }
 }
 
+// Friendly first-time intro shown when the CLI is invoked with no args.
+// Goal: tell a brand-new user what this tool does + give them ONE
+// command to copy-paste, before the full usage block. Modeled on
+// `curl`/`gh`/`vercel` first-run output (concise, action-oriented).
+function printQuickStart() {
+  console.log(`
+${color("bold", "👋 Welcome to pqcheck")} ${color("dim", `(v${VERSION})`)}
+
+Cipherwake's CLI grades any website's quantum-decryption risk —
+the chance that a harvest-now-decrypt-later attack could read its
+TLS traffic once quantum decryption arrives.
+
+${color("bold", "Try it:")}
+  ${color("dim", "$")} npx pqcheck chase.com
+
+${color("bold", "What you'll see:")} a single letter grade (A–F), the score components
+(cipher class, cert lifetime, key rotation history, subdomain exposure),
+top findings, and a link to the full interactive report.
+
+${color("bold", "Free + open methodology.")} No account needed for single-domain scans.
+Add ${color("dim", "QUANTAPACT_API_KEY")} env var for higher rate limits + private results
+(create one at ${color("dim", "https://cipherwake.io/signin")}).
+`);
+}
+
 function printUsage() {
   console.log(`
 ${color("bold", "pqcheck")} ${color("dim", `v${VERSION}`)}
@@ -539,11 +667,20 @@ Public Surface Blast Radius — quantum-decryption risk for any domain.
 
 ${color("bold", "Commands:")}
   npx pqcheck <domain>                          Scan + print human-readable report
-  npx pqcheck lock <domain>                     Generate quantapact.lock (QXM) committable manifest
+  npx pqcheck lock <domain>                     Generate cipherwake.lock (QXM) committable manifest
   npx pqcheck deps <domain>                     Scan all third-party origins on the page (supply-chain HNDL)
   npx pqcheck diff <old.lock> <new.lock>        Compare two QXM lockfiles; exit 2 on regression
   npx pqcheck history <domain>                  Show 90-day score history (sparkline + samples)
+  npx pqcheck changes <domain>                  Summarize public attack-surface changes in last 14 days
   npx pqcheck cert <file.pem>                   Analyze a local PEM/CRT cert file (offline, no network)
+  npx pqcheck watch <domain>                    Add a domain to your watched-domain list (requires CIPHERWAKE_API_KEY)
+  npx pqcheck onboard <domain>                  One-command setup wizard (scan + init + vendors + checklist + open browser)
+  npx pqcheck init                              Interactive scaffold for .github/workflows/cipherwake.yml
+  npx pqcheck deploy-check <domain>             Pre-deploy trust gate (Trust Diff vs last scan; deploy-friendly framing)
+  npx pqcheck release-checklist [domain]        Print a pre-release trust checklist (markdown, offline)
+  npx pqcheck vendors export <domain>           Write cipherwake.vendors.json from observed third-party scripts
+  npx pqcheck vendors check <domain>            Compare current scan to lockfile; exit 4 on new origins (Free CI gate)
+  npx pqcheck vendors sync <domain>             Pull approved-vendor list from your account (Starter+)
 
 ${color("bold", "Multi-domain:")}
   npx pqcheck a.com b.com c.com                 Multi-domain scan (positional)
@@ -568,7 +705,7 @@ ${color("bold", "Common flags:")}
 
 ${color("bold", "Subcommand-specific:")}
   pqcheck deps:
-    --lock                                       Also write quantapact-deps.lock + .md
+    --lock                                       Also write cipherwake-deps.lock + .md
     -o <dir>                                     Output directory for --lock files
     --max=<N>                                    Max third parties to scan (default 20)
     --allowlist <file>                           Exit 3 if any third-party not in allowlist (CI gate)
@@ -592,19 +729,20 @@ ${color("bold", "Exit codes:")}
 ${color("bold", "Examples:")}
   npx pqcheck chase.com
   npx pqcheck mybank.com --threshold 7      ${color("dim", "# fail CI if score ≥ 7")}
+  npx pqcheck mybank.com --watch 600        ${color("dim", "# poll locally every 10 min, log on change (no API key required)")}
   npx pqcheck deps stripe.com --lock
   npx pqcheck deps acme.com --allowlist allowed-vendors.txt   ${color("dim", "# CI vendor-risk gate")}
   npx pqcheck deps acme.com --baseline .pqcheck-baseline.json --write-baseline   ${color("dim", "# capture initial state")}
   npx pqcheck deps acme.com --baseline .pqcheck-baseline.json --fail-on-new      ${color("dim", "# fail PR on new third party")}
   npx pqcheck diff main.lock pr.lock        ${color("dim", "# regression detection in PR")}
-  npx pqcheck history quantapact.com
+  npx pqcheck history cipherwake.io
   npx pqcheck cert ./mycert.pem             ${color("dim", "# offline cert analysis")}
   npx pqcheck --file domains.txt --format json > scans.ndjson
   npx pqcheck mybank.com --format sarif > pqcheck.sarif   ${color("dim", "# upload to Code Scanning")}
   npx pqcheck mybank.com --gh-action        ${color("dim", "# inline PR annotations")}
 
 Backed by the patented Decryption Blast Radius methodology.
-${color("violet", "https://quantapact.com")}
+${color("violet", "https://cipherwake.io")}
 `);
 }
 
@@ -612,20 +750,46 @@ ${color("violet", "https://quantapact.com")}
 // `pqcheck lock` — QXM (Quantum Exposure Manifest) generator
 // =============================================================================
 // Generates two files committable to a git repo:
-//   quantapact.lock          — stable JSON manifest (machine-readable)
-//   quantapact-report.md     — human-readable summary (renders on GitHub)
+//   cipherwake.lock          — stable JSON manifest (machine-readable)
+//   cipherwake-report.md     — human-readable summary (renders on GitHub)
 //
 // Like SBOM / package-lock.json / cargo audit / snyk test outputs — devs commit
 // these to track quantum exposure as a first-class technical concern.
 //
+// Filename history: this tool was previously named Quantapact, and earlier
+// versions wrote `quantapact.lock` / `quantapact-report.md`. We permanently
+// support reading EITHER filename; existing repos with the old name keep
+// working forever. When re-locking in a directory that has the legacy file,
+// we overwrite it in place rather than silently creating a new file alongside.
+// New repos (no existing lockfile) get the new default `cipherwake.lock`.
+//
 // Usage:
-//   npx pqcheck lock <domain>           Write to ./quantapact.lock + .md
+//   npx pqcheck lock <domain>           Write to ./cipherwake.lock + .md
+//                                       (or preserves ./quantapact.lock if present)
 //   npx pqcheck lock <domain> -o dir/   Write into a specific directory
 //   npx pqcheck lock <domain> --stdout  Print JSON to stdout (no files)
 //   npx pqcheck lock                    Read domain from existing
-//                                       quantapact.lock if present, else error
+//                                       cipherwake.lock OR quantapact.lock, else error
 // =============================================================================
 
+// Discover an existing lockfile in `dir`, preferring the new name but
+// accepting the legacy name. Returns { lockPath, mdPath, isLegacy } if found,
+// or null if neither exists. Read-anywhere, write-back-to-same-name policy.
+async function discoverExistingLockfile(fs, path, dir) {
+  const candidates = [
+    { lockName: "cipherwake.lock", mdName: "cipherwake-report.md", isLegacy: false },
+    { lockName: "quantapact.lock", mdName: "quantapact-report.md", isLegacy: true },
+  ];
+  for (const c of candidates) {
+    const lockPath = path.join(dir, c.lockName);
+    try {
+      await fs.access(lockPath);
+      return { lockPath, mdPath: path.join(dir, c.mdName), isLegacy: c.isLegacy };
+    } catch { /* try next */ }
+  }
+  return null;
+}
+
 async function runLockCommand(args) {
   const fs = await import("node:fs/promises");
   const path = await import("node:path");
@@ -639,16 +803,26 @@ async function runLockCommand(args) {
   const positional = args.filter((a) => !a.startsWith("-") && a !== outDir);
   let domain = positional.length > 0 ? normalizeDomain(positional[0]) : null;
 
+  // Discover any existing lockfile (new or legacy). Used both for re-lock
+  // domain auto-detection AND to preserve the filename on write.
+  const existing = await discoverExistingLockfile(fs, path, outDir);
+
   if (!domain) {
-    try {
-      const existing = await fs.readFile(path.join(outDir, "quantapact.lock"), "utf8");
-      const parsed = JSON.parse(existing);
-      domain = parsed.domain;
-      if (!stdout) {
-        console.error(color("dim", `Re-locking from existing quantapact.lock (domain: ${domain})`));
+    if (existing) {
+      try {
+        const content = await fs.readFile(existing.lockPath, "utf8");
+        const parsed = JSON.parse(content);
+        domain = parsed.domain;
+        if (!stdout) {
+          const baseName = path.basename(existing.lockPath);
+          console.error(color("dim", `Re-locking from existing ${baseName} (domain: ${domain})`));
+        }
+      } catch {
+        console.error(color("red", `error: could not parse existing ${path.basename(existing.lockPath)}`));
+        process.exit(1);
       }
-    } catch {
-      console.error(color("red", "error: no domain provided and no existing quantapact.lock found"));
+    } else {
+      console.error(color("red", "error: no domain provided and no existing cipherwake.lock found"));
       console.error(color("dim", "Usage: npx pqcheck lock <domain>"));
       process.exit(1);
     }
@@ -665,7 +839,7 @@ async function runLockCommand(args) {
   try {
     const resp = await fetch(`${API_BASE}/api/scan?domain=${encodeURIComponent(domain)}`, {
       method: "GET",
-      headers: { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION} (lock)` },
+      headers: apiHeaders({ "user-agent": `pqcheck-cli/${VERSION} (lock)` }),
     });
     if (!stdout) process.stderr.write("\r\x1b[K");
     if (!resp.ok) {
@@ -688,9 +862,16 @@ async function runLockCommand(args) {
     return;
   }
 
-  // Write both files
-  const lockPath = path.join(outDir, "quantapact.lock");
-  const mdPath = path.join(outDir, "quantapact-report.md");
+  // Write both files. Filename policy: if a legacy quantapact.lock already
+  // exists in this directory, overwrite it in place (preserve user's
+  // committed filename — no surprise renames in their repo). Otherwise
+  // default to the new cipherwake.lock.
+  const lockPath = existing
+    ? existing.lockPath
+    : path.join(outDir, "cipherwake.lock");
+  const mdPath = existing
+    ? existing.mdPath
+    : path.join(outDir, "cipherwake-report.md");
   const md = renderQxmMarkdown(manifest);
 
   try {
@@ -736,7 +917,7 @@ function buildQxmManifest(report, crypto) {
   );
 
   return {
-    schema: "https://quantapact.com/schemas/qxm/v1",
+    schema: "https://cipherwake.io/schemas/qxm/v1",
     schemaVersion: 1,
     generator: `pqcheck-cli/${VERSION}`,
     generatedAt: report.generatedAt || new Date().toISOString(),
@@ -756,13 +937,13 @@ function buildQxmManifest(report, crypto) {
     components: report.components || null,
     evidence: {
       evidenceHash,
-      methodology: "https://quantapact.com/methodology",
-      shareableReport: `https://quantapact.com/r/${encodeURIComponent(report.domain)}`,
-      badge: `https://quantapact.com/badge/${encodeURIComponent(report.domain)}.svg`,
+      methodology: "https://cipherwake.io/methodology",
+      shareableReport: `https://cipherwake.io/r/${encodeURIComponent(report.domain)}`,
+      badge: `https://cipherwake.io/badge/${encodeURIComponent(report.domain)}.svg`,
     },
     remediation: {
       tessera: tesseraNeeded ? "join-waitlist" : "not-needed",
-      tesseraWaitlist: "https://quantapact.com/feedback?source=qxm-tessera-interest",
+      tesseraWaitlist: "https://cipherwake.io/feedback?source=qxm-tessera-interest",
       notes: tesseraNeeded
         ? "Findings include cryptographic exposure that Tessera SDK is being designed to remediate. Tessera is in development; join the waitlist to be notified when ready."
         : "No quantum-decryption-relevant findings requiring Tessera remediation at this time.",
@@ -775,7 +956,7 @@ function renderQxmMarkdown(m) {
   lines.push(`# Quantum Exposure Manifest — \`${m.domain}\``);
   lines.push("");
   lines.push(`> **Decryption Blast Radius:** ${m.score} / 10 (Grade ${m.grade}, ${m.scoreLabel})`);
-  lines.push(`> Generated by [pqcheck](https://quantapact.com) at ${m.generatedAt}`);
+  lines.push(`> Generated by [pqcheck](https://cipherwake.io) at ${m.generatedAt}`);
   lines.push("");
   if (!m.reachable) {
     lines.push(`*${m.domain} was not reachable at scan time.*`);
@@ -852,7 +1033,8 @@ function renderQxmMarkdown(m) {
 // Fetches the public HTML of the target domain, extracts third-party origins
 // referenced via <script src>, <iframe src>, <link href>, <img src>, then runs
 // /api/scan against each unique third party. Outputs a sorted summary + an
-// optional committable lockfile (quantapact-deps.lock).
+// optional committable lockfile (cipherwake-deps.lock; legacy quantapact-deps.lock
+// is overwritten in place if present, see write-path comments below).
 //
 // Parallel to the browser extension's Dependencies tab, exposed as a CLI for
 // CI integration: gate PR builds on third-party crypto posture.
@@ -860,7 +1042,7 @@ function renderQxmMarkdown(m) {
 // Usage:
 //   npx pqcheck deps <domain>           Scan + print summary table
 //   npx pqcheck deps <domain> --json    JSON output (pipe to jq, etc.)
-//   npx pqcheck deps <domain> --lock    Also write quantapact-deps.lock + .md
+//   npx pqcheck deps <domain> --lock    Also write cipherwake-deps.lock + .md
 //   npx pqcheck deps <domain> -o dir/   Output directory for --lock files
 //   npx pqcheck deps <domain> --max=20  Cap on third parties scanned (default 20)
 // =============================================================================
@@ -980,7 +1162,7 @@ async function runDepsCommand(args) {
       batch.map(async (h) => {
         try {
           const r = await fetch(`${API_BASE}/api/scan?domain=${encodeURIComponent(h.host)}&source=cli-deps`, {
-            headers: { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION} (deps)` },
+            headers: apiHeaders({ "user-agent": `pqcheck-cli/${VERSION} (deps)` }),
           });
           if (!r.ok) return { ...h, types: Array.from(h.types), scan: null, error: `${r.status}` };
           const body = await r.json();
@@ -1034,7 +1216,7 @@ async function runDepsCommand(args) {
 
   // Build manifest
   const manifest = {
-    $schema: "https://quantapact.com/schemas/deps/v1",
+    $schema: "https://cipherwake.io/schemas/deps/v1",
     schemaVersion: "1.2", // bumped for CSP + vendor classification fields
     domain,
     scannedAt: new Date().toISOString(),
@@ -1074,7 +1256,7 @@ async function runDepsCommand(args) {
     try {
       const fs2 = await import("node:fs/promises");
       const baselinePayload = {
-        $schema: "https://quantapact.com/schemas/deps-baseline/v1",
+        $schema: "https://cipherwake.io/schemas/deps-baseline/v1",
         domain,
         capturedAt: new Date().toISOString(),
         toolVersion: VERSION,
@@ -1143,10 +1325,19 @@ async function runDepsCommand(args) {
     const types = r.types.join(",");
     // Vendor classification — "(New Relic · errors)" beats "bam.nr-data.net"
     // for comprehension. Padded to 22 chars so the table columns stay aligned.
+    // Heuristic matches return `name: null` and just a category — render as
+    // "(cdn — inferred)" to signal we're guessing without claiming certainty.
     const vendor = classifyVendor(r.host);
-    const vendorStrRaw = vendor ? `${vendor.name} (${vendor.category})` : "—";
+    let vendorStrRaw;
+    if (vendor?.name) {
+      vendorStrRaw = `${vendor.name} (${vendor.category})`;
+    } else if (vendor?.category) {
+      vendorStrRaw = `(${vendor.category} — inferred)`;
+    } else {
+      vendorStrRaw = "—";
+    }
     const vendorTruncated = vendorStrRaw.length > 22 ? vendorStrRaw.slice(0, 21) + "…" : vendorStrRaw.padEnd(22, " ");
-    const vendorColored = vendor ? color("dim", vendorTruncated) : color("dim", vendorTruncated);
+    const vendorColored = color("dim", vendorTruncated);
     console.log(`  ${gradeColored.padEnd(8, " ")}  ${host}  ${vendorColored}  ${pqc}  ${sriCell}  ${color("dim", types)}`);
   }
   console.log("");
@@ -1158,8 +1349,19 @@ async function runDepsCommand(args) {
   console.log("");
 
   if (lock) {
-    const lockPath = path.join(outDir, "quantapact-deps.lock");
-    const mdPath = path.join(outDir, "quantapact-deps-report.md");
+    // Filename policy mirrors `pqcheck lock`: prefer the new cipherwake-deps.lock,
+    // but if a legacy quantapact-deps.lock exists in this dir, overwrite that one
+    // in place so the user's repo doesn't suddenly grow a second lockfile.
+    const fsSync = await import("node:fs");
+    const legacyDepsLock = path.join(outDir, "quantapact-deps.lock");
+    const legacyDepsMd = path.join(outDir, "quantapact-deps-report.md");
+    const hasLegacy = fsSync.existsSync(legacyDepsLock);
+    const lockPath = hasLegacy
+      ? legacyDepsLock
+      : path.join(outDir, "cipherwake-deps.lock");
+    const mdPath = hasLegacy
+      ? legacyDepsMd
+      : path.join(outDir, "cipherwake-deps-report.md");
     try {
       await fs.mkdir(outDir, { recursive: true });
       await fs.writeFile(lockPath, JSON.stringify(manifest, null, 2));
@@ -1199,7 +1401,7 @@ async function fetchPageHTML(domain) {
       method: "GET",
       redirect: "follow",
       signal: ctrl.signal,
-      headers: { "User-Agent": `pqcheck-cli/${VERSION} (deps; +https://quantapact.com)` },
+      headers: { "User-Agent": `pqcheck-cli/${VERSION} (deps; +https://cipherwake.io)` },
     });
     clearTimeout(t);
     if (!resp.ok) return null;
@@ -1303,6 +1505,39 @@ const SERVICE_CATALOG = {
   "tiktok.com": { name: "TikTok", category: "social" },
 };
 
+// Conservative heuristic patterns — same as lib/serviceCatalog.ts + popup.js.
+// Used when a host isn't in the explicit catalog. Doesn't name the vendor
+// (we don't know), but assigns a high-confidence category like "cdn" or
+// "ads" so unknown hosts aren't blank.
+const HEURISTIC_PATTERNS = [
+  // CDN
+  { re: /^cdn[.-]/, category: "cdn" },
+  { re: /^static\./, category: "cdn" },
+  { re: /^assets\./, category: "cdn" },
+  { re: /\.cloudfront\.net$/, category: "cdn" },
+  { re: /\.akamai(?:edge|hd|ized)?\.net$/, category: "cdn" },
+  { re: /\.fastly\.net$/, category: "cdn" },
+  { re: /\.azureedge\.net$/, category: "cdn" },
+  // Analytics / RUM
+  { re: /^analytics?\./, category: "analytics" },
+  { re: /^metrics?\./, category: "analytics" },
+  { re: /^telemetry\./, category: "analytics" },
+  { re: /^rum\./, category: "analytics" },
+  // Ads
+  { re: /^ads?[.-]/, category: "ads" },
+  { re: /^adserver\./, category: "ads" },
+  { re: /^pubads\./, category: "ads" },
+  { re: /\.advertising\./, category: "ads" },
+  // Consent / cookies
+  { re: /^consent\./, category: "consent" },
+  { re: /^cookies?\./, category: "consent" },
+  { re: /^gdpr\./, category: "consent" },
+  // Fonts
+  { re: /^fonts?\./, category: "fonts" },
+  // Errors / monitoring
+  { re: /^sentry[.-]/, category: "errors" },
+];
+
 function classifyVendor(host) {
   if (!host) return null;
   const lower = host.toLowerCase();
@@ -1312,6 +1547,14 @@ function classifyVendor(host) {
       return SERVICE_CATALOG[pattern];
     }
   }
+  for (const { re, category } of HEURISTIC_PATTERNS) {
+    if (re.test(lower)) {
+      // Inferred — no vendor name, just the category. CLI consumers (the
+      // pretty table + JSON output) check `name === null` to distinguish
+      // from explicit catalog matches.
+      return { name: null, category };
+    }
+  }
   return null;
 }
 
@@ -1451,6 +1694,67 @@ function depsManifestToMarkdown(m) {
 // SARIF + GitHub Action output formats
 // =============================================================================
 
+// Derive a SARIF-stable rule ID from a finding. Prefer the registry's stable
+// `id` (e.g., "tls.rsa_kex_fallback") so the same finding gets the same
+// ruleId every run — without it, GitHub Code Scanning treats a reordered
+// finding list as a fresh batch of new findings, blowing up the triage UX.
+// Short non-crypto hash for SARIF rule-ID disambiguation. djb2-style.
+// Pure JS so it works in both Node and the CLI bundle. 8-char hex output
+// is enough entropy to disambiguate distinct legacy findings without
+// becoming churn-prone — same input string always produces the same hash.
+function shortHash(input) {
+  let h = 5381;
+  for (let i = 0; i < input.length; i++) {
+    h = ((h << 5) + h + input.charCodeAt(i)) >>> 0;
+  }
+  return h.toString(16).padStart(8, "0");
+}
+
+function stableRuleId(f) {
+  if (f && typeof f.id === "string" && f.id.length > 0) {
+    // Normalize: if a registry ID already carries the `pqcheck.` prefix
+    // (which happened before this helper existed), don't double-prefix
+    // it into `pqcheck.pqcheck.tls...`. Strip and reattach.
+    const id = f.id.replace(/^pqcheck\./i, "");
+    return `pqcheck.${id}`;
+  }
+  // Fallback for legacy findings emitted without the registry — slug the
+  // title. Still stable across runs (same input → same output).
+  const title = f?.title || "finding";
+  const detail = f?.detail || "";
+  const slug = title
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, "_")
+    .replace(/^_+|_+$/g, "")
+    .slice(0, 48);
+  // GPT adversarial review 2026-05-12: legacy findings with similar
+  // titles ("No HSTS header" vs "No HSTS Header!") both slug to
+  // "no_hsts_header" and would collide in SARIF, causing GitHub Code
+  // Scanning to merge unrelated findings. Append a short hash of the
+  // full (title + detail) so semantically-different findings get
+  // distinct rule IDs even when their slugged titles match.
+  const disambiguator = shortHash(`${title}|${detail}`);
+  if (slug.length === 0) {
+    return `pqcheck.legacy.unnamed.${disambiguator}`;
+  }
+  return `pqcheck.legacy.${slug}.${disambiguator}`;
+}
+
+// Deduplicate the `rules` array — multiple findings can share the same
+// underlying rule (e.g., two cert findings both pinned to `cert.expired`).
+// SARIF's rule list must contain each rule once.
+function dedupeRules(findings) {
+  const seen = new Set();
+  const out = [];
+  for (const f of findings) {
+    const id = stableRuleId(f);
+    if (seen.has(id)) continue;
+    seen.add(id);
+    out.push(f);
+  }
+  return out;
+}
+
 function reportToSarif(report) {
   // SARIF 2.1.0 minimal schema for security findings.
   // Spec: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
@@ -1464,9 +1768,15 @@ function reportToSarif(report) {
         driver: {
           name: "pqcheck",
           version: VERSION,
-          informationUri: "https://quantapact.com",
-          rules: findings.map((f, i) => ({
-            id: `pqcheck-${i + 1}`,
+          informationUri: "https://cipherwake.io",
+          // Stable rule IDs — anchored to the finding's registry id (e.g.
+          // "tls.rsa_kex_fallback") when present, otherwise a slug derived
+          // from the title. Previously used positional pqcheck-${i+1} which
+          // made GitHub Code Scanning see every reorder as a "new" finding,
+          // poisoning the dedup/triage UX. Stable IDs let Code Scanning
+          // recognize the same rule across runs.
+          rules: dedupeRules(findings).map((f) => ({
+            id: stableRuleId(f),
             name: (f.title || "finding").replace(/[^A-Za-z0-9]/g, "_"),
             shortDescription: { text: f.title || "finding" },
             fullDescription: { text: f.detail || f.title || "finding" },
@@ -1474,8 +1784,8 @@ function reportToSarif(report) {
           })),
         },
       },
-      results: findings.map((f, i) => ({
-        ruleId: `pqcheck-${i + 1}`,
+      results: findings.map((f) => ({
+        ruleId: stableRuleId(f),
         level: sevMap[f.severity] || "note",
         message: { text: `${f.title || "finding"}${f.detail ? ` — ${f.detail}` : ""}` },
         // GitHub Code Scanning requires file: scheme (or relative path) for
@@ -1483,7 +1793,7 @@ function reportToSarif(report) {
         // relative path so findings show up cleanly in the Security tab.
         locations: [{
           physicalLocation: {
-            artifactLocation: { uri: `quantapact-scan/${report.domain || "unknown"}.txt` },
+            artifactLocation: { uri: `cipherwake-scan/${report.domain || "unknown"}.txt` },
             region: { startLine: 1, startColumn: 1 },
           },
         }],
@@ -1492,7 +1802,7 @@ function reportToSarif(report) {
           score: report.score,
           grade: report.grade,
           severity: f.severity,
-          reportUrl: `https://www.quantapact.com/r/${report.domain || ""}`,
+          reportUrl: `https://www.cipherwake.io/r/${report.domain || ""}`,
         },
       })),
       properties: {
@@ -1513,10 +1823,10 @@ function printGitHubActionAnnotations(report) {
   if (report._meta?.degraded) {
     const reason = String(report._meta.degradedReason || "live probe failed").replace(/[\r\n]/g, " ").replace(/::/g, ":");
     const since = String(report._meta.lastUpdated || "unknown");
-    console.log(`::warning title=Quantapact: cached score (live probe failed)::Showing last known-good score from ${since}. Reason: ${reason}. Re-run shortly for a fresh probe.`);
+    console.log(`::warning title=Cipherwake: cached score (live probe failed)::Showing last known-good score from ${since}. Reason: ${reason}. Re-run shortly for a fresh probe.`);
   }
   // Top-line score/grade as a notice
-  console.log(`::notice title=Quantapact: ${report.domain}::Grade ${report.grade || "?"} · score ${report.score ?? "?"} / 10`);
+  console.log(`::notice title=Cipherwake: ${report.domain}::Grade ${report.grade || "?"} · score ${report.score ?? "?"} / 10`);
   for (const f of findings) {
     const cmd = sevMap[f.severity] || "notice";
     const title = (f.title || "finding").replace(/[\r\n]/g, " ");
@@ -1548,7 +1858,7 @@ async function runHistoryCommand(args) {
   let h;
   try {
     const r = await fetch(`${API_BASE}/api/history?domain=${encodeURIComponent(domain)}&days=${days}`, {
-      headers: { accept: "application/json", "user-agent": `pqcheck-cli/${VERSION} (history)` },
+      headers: apiHeaders({ "user-agent": `pqcheck-cli/${VERSION} (history)` }),
     });
     if (!r.ok) {
       console.error(color("red", `error: ${r.status} ${r.statusText}`));
@@ -1608,10 +1918,257 @@ async function runHistoryCommand(args) {
   console.log("");
 }
 
+// =============================================================================
+// `pqcheck changes <domain>` — surface observation-table deltas for a domain
+// =============================================================================
+// Hits /api/changes-summary which aggregates the new observation tables
+// shipped 2026-05-13 (subdomain_observations, script_observations,
+// posture_snapshots, cert_observations). Returns "N attack-surface changes
+// in last 14d" + breakdown. Devs use this in CI ("did anything change since
+// yesterday?") and in PR descriptions ("attached: 3 changes detected since
+// last week").
+
+async function runChangesCommand(args) {
+  const json = args.includes("--json");
+  const positional = args.filter((a) => !a.startsWith("-"));
+  const domain = positional.length > 0 ? normalizeDomain(positional[0]) : null;
+  if (!domain || !isValidDomain(domain)) {
+    console.error(color("red", "error: pqcheck changes requires a valid domain"));
+    console.error(color("dim", "Usage: npx pqcheck changes <domain> [--json]"));
+    process.exit(1);
+  }
+
+  let summary;
+  try {
+    const r = await fetch(`${API_BASE}/api/changes-summary?domain=${encodeURIComponent(domain)}`, {
+      headers: apiHeaders({ "user-agent": `pqcheck-cli/${VERSION} (changes)` }),
+    });
+    if (!r.ok) {
+      console.error(color("red", `error: ${r.status} ${r.statusText}`));
+      process.exit(1);
+    }
+    summary = await r.json();
+  } catch (err) {
+    console.error(color("red", `error: ${err.message}`));
+    process.exit(1);
+  }
+
+  if (json) {
+    console.log(JSON.stringify(summary, null, 2));
+    return;
+  }
+
+  const tracked = summary.trackedSince;
+  const total = summary.changes?.last14d ?? 0;
+  const b = summary.breakdown ?? {};
+  console.log("");
+  console.log(`  ${color("bold", domain)} ${color("dim", "·")} attack-surface change summary`);
+
+  if (!tracked) {
+    console.log(color("dim", "  No observation history yet. Run `npx pqcheck " + domain + "` to start accumulating."));
+    console.log("");
+    return;
+  }
+
+  const trackedDate = String(tracked).slice(0, 10);
+  console.log(color("dim", `  Tracking since ${trackedDate}`));
+  console.log("");
+
+  if (total === 0) {
+    console.log(`  ${color("green", "✓")} No public attack-surface changes detected in the last 14 days.`);
+    console.log("");
+    return;
+  }
+
+  console.log(`  ${color("yellow", "⚠")} ${color("bold", total)} change${total === 1 ? "" : "s"} detected in the last 14 days:`);
+  console.log("");
+  if (b.newSubdomains14d) {
+    console.log(`    ${color("violet", "•")} ${color("bold", b.newSubdomains14d)} new subdomain${b.newSubdomains14d === 1 ? "" : "s"} observed in CT logs or live scans`);
+  }
+  if (b.newScripts14d) {
+    console.log(`    ${color("violet", "•")} ${color("bold", b.newScripts14d)} new third-party script host${b.newScripts14d === 1 ? "" : "s"} loaded`);
+  }
+  if (b.newCertKeys14d) {
+    console.log(`    ${color("violet", "•")} ${color("bold", b.newCertKeys14d)} new SPKI fingerprint${b.newCertKeys14d === 1 ? "" : "s"} (cert rotation with new key)`);
+  }
+  console.log("");
+  console.log(color("dim", `  Full changelog: ${API_BASE}/domain/${domain}/security-changelog`));
+  console.log("");
+}
+
 // =============================================================================
 // `pqcheck diff` — diff two QXM lockfiles
 // =============================================================================
 
+/**
+ * `pqcheck trust-diff <domain>` — compare current public trust posture vs a
+ * baseline via /api/trust-diff. Phase 2 launch feature (CLI v0.11.0).
+ *
+ * Inputs:
+ *   --baseline    last-week | last-month | last-scan | <ISO date>  (default: last-week)
+ *   --fail-on     any | low | medium | high | critical              (default: high)
+ *   --format      pretty | json | sarif | github                    (default: pretty)
+ *
+ * Exit codes:
+ *   0 = pass     — no deltas at or above fail-on severity
+ *   1 = warn     — deltas observed but below fail-on threshold
+ *   2 = fail     — deltas observed at or above fail-on threshold
+ *   3 = error    — auth/quota/network failure
+ *
+ * Requires CIPHERWAKE_API_KEY env var (Free tier: 30 calls/mo at /account#api-keys).
+ */
+async function runTrustDiffCommand(args) {
+  const positional = args.filter((a) => !a.startsWith("-") && !isFlagValue(args, a));
+  if (positional.length === 0) {
+    console.error(color("red", "error: pqcheck trust-diff requires a domain"));
+    console.error(color("dim", "Usage: npx pqcheck trust-diff <domain> [--baseline last-week] [--fail-on high] [--format pretty|json|sarif|github]"));
+    process.exit(3);
+  }
+  const domain = normalizeDomain(positional[0]);
+  if (!domain) {
+    console.error(color("red", `error: invalid domain "${positional[0]}"`));
+    process.exit(3);
+  }
+  if (!QP_API_KEY) {
+    console.error(color("red", "error: pqcheck trust-diff requires CIPHERWAKE_API_KEY"));
+    console.error(color("dim", "Generate a free key (30 calls/mo) at https://cipherwake.io/account#api-keys"));
+    console.error(color("dim", "Then: export CIPHERWAKE_API_KEY=qpk_<32-hex>"));
+    process.exit(3);
+  }
+
+  const baseline = parseFlag(args, "--baseline") || "last-week";
+  const failOn = parseFlag(args, "--fail-on") || "high";
+  const format = parseFlag(args, "--format") || "pretty";
+
+  let resp;
+  try {
+    resp = await fetch(`${API_BASE}/api/trust-diff`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${QP_API_KEY}`,
+        "User-Agent": `pqcheck-cli/${VERSION}`,
+      },
+      body: JSON.stringify({ domain, baseline, fail_on: failOn }),
+    });
+  } catch (err) {
+    console.error(color("red", `error: network failure calling /api/trust-diff: ${err.message}`));
+    process.exit(3);
+  }
+
+  if (resp.status === 401 || resp.status === 403) {
+    await handleAuthError(resp);
+    process.exit(3);
+  }
+  if (resp.status === 429) {
+    const body = await safeJSON(resp);
+    console.error(color("red", "error: Trust Diff API quota exceeded for this month"));
+    if (body?.message) console.error(color("dim", body.message));
+    process.exit(3);
+  }
+  if (!resp.ok) {
+    const body = await safeJSON(resp);
+    console.error(color("red", `error: /api/trust-diff returned ${resp.status}`));
+    if (body?.message) console.error(color("dim", body.message));
+    process.exit(3);
+  }
+
+  const result = await resp.json();
+  const verdict = result.verdict || "pass";
+  const deltas = Array.isArray(result.deltas) ? result.deltas : [];
+
+  // Format output
+  if (format === "json") {
+    console.log(JSON.stringify(result, null, 2));
+  } else if (format === "sarif") {
+    console.log(JSON.stringify(trustDiffToSarif(result), null, 2));
+  } else if (format === "github") {
+    // GitHub Actions workflow command output
+    for (const d of deltas) {
+      const sev = d.severity === "critical" || d.severity === "high" ? "error" : d.severity === "medium" ? "warning" : "notice";
+      const msg = `${d.title || d.type}: ${d.what_changed || ""}`.replace(/\n/g, "%0A").replace(/\r/g, "");
+      console.log(`::${sev}::${msg}`);
+    }
+    console.log(`\nTrust Diff verdict: ${verdict.toUpperCase()} — ${deltas.length} delta${deltas.length === 1 ? "" : "s"} observed.`);
+    console.log(`Quota: ${result.quota?.used_this_month || 0}/${result.quota?.monthly_limit || 0} used.`);
+  } else {
+    // pretty (default)
+    console.log("");
+    console.log(`  ${color("bold", "Cipherwake Trust Diff")}`);
+    console.log(`  ${color("dim", `${domain} · baseline=${baseline} · fail-on=${failOn}`)}`);
+    console.log("");
+    if (deltas.length === 0) {
+      console.log(`  ${color("green", "✓ No deltas observed")}`);
+    } else {
+      const colorByLevel = (sev) => sev === "critical" ? "red" : sev === "high" ? "red" : sev === "medium" ? "yellow" : "dim";
+      for (const d of deltas) {
+        const sevTag = d.severity ? `[${d.severity.toUpperCase()}]` : "";
+        console.log(`  ${color(colorByLevel(d.severity), sevTag)} ${d.title || d.type}`);
+        if (d.what_changed) console.log(`    ${color("dim", d.what_changed)}`);
+      }
+    }
+    console.log("");
+    const verdictColor = verdict === "fail" ? "red" : verdict === "warn" ? "yellow" : "green";
+    console.log(`  Verdict: ${color(verdictColor, verdict.toUpperCase())}`);
+    console.log(`  Quota: ${result.quota?.used_this_month || 0}/${result.quota?.monthly_limit || 0} used this month`);
+    if (result.upgrade_hint) {
+      console.log("");
+      console.log(`  ${color("dim", "💡 " + result.upgrade_hint)}`);
+    }
+  }
+
+  // Exit code based on verdict
+  if (verdict === "fail") process.exit(2);
+  if (verdict === "warn") process.exit(1);
+  process.exit(0);
+}
+
+/**
+ * Convert /api/trust-diff response to SARIF 2.1.0 for upload via
+ * github/codeql-action/upload-sarif@v3. Each delta becomes a result with
+ * level = error|warning|note based on severity.
+ */
+function trustDiffToSarif(result) {
+  const deltas = Array.isArray(result.deltas) ? result.deltas : [];
+  const rules = [...new Set(deltas.map((d) => d.type))].map((type) => ({
+    id: type,
+    name: type,
+    shortDescription: { text: type.replace(/_/g, " ").toLowerCase() },
+    helpUri: `https://cipherwake.io/methodology/change-briefs#${type.toLowerCase()}`,
+  }));
+  const results = deltas.map((d) => ({
+    ruleId: d.type,
+    level: d.severity === "critical" || d.severity === "high" ? "error" : d.severity === "medium" ? "warning" : "note",
+    message: { text: `${d.title || d.type}: ${d.what_changed || ""}` },
+    locations: [{
+      physicalLocation: {
+        artifactLocation: { uri: `cipherwake://${result.domain || "domain"}` },
+      },
+    }],
+  }));
+  return {
+    $schema: "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json",
+    version: "2.1.0",
+    runs: [{
+      tool: {
+        driver: {
+          name: "Cipherwake Trust Diff",
+          version: VERSION,
+          informationUri: "https://cipherwake.io",
+          rules,
+        },
+      },
+      results,
+    }],
+  };
+}
+
+function parseFlag(args, name) {
+  const idx = args.indexOf(name);
+  if (idx === -1 || idx === args.length - 1) return null;
+  return args[idx + 1];
+}
+
 async function runDiffCommand(args) {
   const fs = await import("node:fs/promises");
   const json = args.includes("--json");
@@ -1637,7 +2194,7 @@ async function runDiffCommand(args) {
   }
 
   console.log("");
-  console.log(`  ${color("bold", "Quantapact lockfile diff")}`);
+  console.log(`  ${color("bold", "Cipherwake lockfile diff")}`);
   console.log(`  ${color("dim", `${positional[0]} → ${positional[1]}`)}`);
   console.log("");
   if (diff.scoreChange !== null) {
@@ -1708,6 +2265,118 @@ function computeLockDiff(oldLock, newLock) {
 // `pqcheck cert <pem-file>` — analyze a local cert file (offline)
 // =============================================================================
 
+// `pqcheck watch <domain>` — adds the given domain to the user's watched-
+// domain list via the authenticated /api/watched-domains POST. Requires
+// QUANTAPACT_API_KEY env var. Closes the CLI ↔ account loop: developers
+// who use the CLI can now opt into persistent monitoring from the same
+// surface without leaving the terminal.
+async function runWatchCommand(args) {
+  const positional = args.filter((a) => !a.startsWith("-"));
+  if (positional.length === 0) {
+    console.error(color("red", "error: pqcheck watch requires a domain"));
+    console.error(color("dim", "Usage: npx pqcheck watch <domain>"));
+    console.error("");
+    console.error(color("dim", "Example: npx pqcheck watch chase.com"));
+    process.exit(1);
+  }
+  if (!QP_API_KEY) {
+    const rawDomain = positional[0] ? String(positional[0]).trim().toLowerCase() : "";
+    const looksLikeDomain = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/.test(rawDomain);
+    console.error(color("red", "error: pqcheck watch requires CIPHERWAKE_API_KEY (paid tier)"));
+    console.error("");
+    console.error(color("dim", "Two ways to add this domain:"));
+    if (looksLikeDomain) {
+      console.error(color("dim", `  1. Sign up + click "Watch" in your browser:`));
+      console.error(color("dim", `       ${API_BASE}/watch/${rawDomain}`));
+    } else {
+      console.error(color("dim", `  1. Sign up + click "Watch" in your browser:`));
+      console.error(color("dim", `       ${API_BASE}/watch/<your-domain>`));
+    }
+    console.error(color("dim", `  2. Stay on the CLI — sign up + rotate an API key:`));
+    console.error(color("dim", `       ${API_BASE}/signin`));
+    console.error(color("dim", `       ${API_BASE}/account  (rotate key)`));
+    console.error(color("dim", `       export CIPHERWAKE_API_KEY=qpk_...`));
+    console.error("");
+    console.error(color("dim", `Just want to poll locally without an account? Use --watch instead:`));
+    console.error(color("dim", `  npx pqcheck ${looksLikeDomain ? rawDomain : "<your-domain>"} --watch 600`));
+    console.error(color("dim", `  (No API key required. Polls every N seconds, logs on score change.)`));
+    process.exit(1);
+  }
+
+  const raw = positional[0];
+  const domain = normalizeDomain(raw);
+  if (!isValidDomain(domain)) {
+    console.error(color("red", `error: '${raw}' is not a valid domain`));
+    process.exit(1);
+  }
+
+  console.log("");
+  console.log(color("violet", `  📌 Adding ${domain} to your watched-domain list…`));
+
+  let resp;
+  try {
+    resp = await fetch(`${API_BASE}/api/watched-domains`, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        "authorization": "Bearer " + QP_API_KEY,
+      },
+      body: JSON.stringify({ domain }),
+    });
+  } catch (err) {
+    console.error(color("red", `  network error: ${err.message ?? err}`));
+    process.exit(1);
+  }
+
+  if (resp.status === 401 || resp.status === 403) {
+    console.error(color("red", `  authentication failed (HTTP ${resp.status})`));
+    console.error(color("dim", `  Your API key may be invalid or revoked. Regenerate at ${API_BASE}/account`));
+    process.exit(1);
+  }
+
+  let out = {};
+  try { out = await resp.json(); } catch { /* ignore */ }
+
+  if (!resp.ok) {
+    if (out.error === "domain_already_watched") {
+      console.log(color("dim", `  ${domain} is already on your watched-domain list.`));
+      console.log(color("dim", `  Manage at: ${API_BASE}/account`));
+      process.exit(0);
+    }
+    if (out.error === "tier_cap_exceeded") {
+      console.error(color("red", `  ${out.message || "Tier cap reached."}`));
+      console.error(color("dim", `  See pricing: ${API_BASE}/pricing`));
+      process.exit(1);
+    }
+    if (out.error === "invalid_domain") {
+      console.error(color("red", `  ${domain} is not a valid hostname.`));
+      process.exit(1);
+    }
+    console.error(color("red", `  add failed: ${out.message || out.error || `HTTP ${resp.status}`}`));
+    process.exit(1);
+  }
+
+  console.log("");
+  console.log(color("green", `  ✓ Now watching ${domain}.`));
+  console.log("");
+  if (out.verificationInstructions) {
+    const v = out.verificationInstructions;
+    console.log(color("bold", "  Next: verify ownership"));
+    console.log(color("dim", `  Pick ONE method:`));
+    console.log("");
+    console.log(color("dim", `    DNS TXT     — name:  ${v.dnsTxt?.recordName}`));
+    console.log(color("dim", `                  value: ${v.dnsTxt?.recordValue}`));
+    console.log("");
+    console.log(color("dim", `    HTTP file   — url:   ${v.wellKnown?.url}`));
+    console.log(color("dim", `                  body:  ${v.wellKnown?.body}`));
+    console.log("");
+    console.log(color("dim", `  After adding the record, click 'Verify now' at ${API_BASE}/account`));
+    console.log(color("dim", `  or run: npx pqcheck watch ${domain} --verify  (coming soon)`));
+  }
+  console.log("");
+  process.exit(0);
+}
+
 async function runCertCommand(args) {
   const fs = await import("node:fs/promises");
   const crypto = await import("node:crypto");
@@ -1793,6 +2462,940 @@ async function runCertCommand(args) {
   console.log("");
 }
 
+// =============================================================================
+// `pqcheck release-checklist [domain]` — pre-release trust checklist generator
+// =============================================================================
+// Outputs a markdown checklist for teams to paste into release notes or run
+// as a pre-deploy gate. Pure offline (no API call). Domain is optional —
+// when present, the checklist is interpolated; when absent, a `<your-domain>`
+// placeholder is left for the user to fill.
+//
+// Habit-loop feature locked 2026-05-16: turns Cipherwake into part of the
+// release ritual without heavy integrations. See [[cipherwake-launch-plan-2026-05]].
+// Free tier — no API quota consumed.
+// =============================================================================
+
+async function runReleaseChecklistCommand(args) {
+  const positional = args.filter((a) => !a.startsWith("-"));
+  const raw = positional[0];
+  let target = "<your-domain>";
+  if (raw) {
+    const normalized = normalizeDomain(raw);
+    if (!isValidDomain(normalized)) {
+      console.error(color("red", `error: '${raw}' is not a valid domain`));
+      process.exit(1);
+    }
+    target = normalized;
+  }
+  const out = renderReleaseChecklist(target, { generator: "release-checklist" });
+  console.log(out);
+  process.exit(0);
+}
+
+// R41 fix #3 (locked 2026-05-16): shared release-checklist helper used by
+// both `pqcheck release-checklist` (prints to stdout) and `pqcheck onboard`
+// (writes to CIPHERWAKE_CHECKLIST.md). Single source of truth for the 9
+// checklist items + verification commands + "where to look" links.
+//
+// generator: "release-checklist" or "onboard" — controls the intro paragraph
+// so the file written by `onboard` says "Generated by `pqcheck onboard`"
+// while the standalone `release-checklist` command emits the user-facing
+// "Run these in CI or paste..." intro. All other content is identical.
+function renderReleaseChecklist(domain, opts = {}) {
+  const generator = opts.generator === "onboard" ? "onboard" : "release-checklist";
+  const intro = generator === "onboard"
+    ? `Generated by \`pqcheck onboard\` — re-run \`pqcheck release-checklist ${domain}\` anytime.`
+    : `Run these in CI or paste into your release-notes template. Each item maps to a Cipherwake check; recommended commands are below. Free tier covers all of these on 1 monitored domain.`;
+  return [
+    `## Pre-release trust checklist for ${domain}`,
+    ``,
+    intro,
+    ``,
+    `- [ ] Trust Diff passes vs last successful deploy`,
+    `- [ ] No new unapproved vendor scripts observed since last release`,
+    `- [ ] HSTS still present and unchanged`,
+    `- [ ] CSP still present and unchanged`,
+    `- [ ] DMARC policy unchanged`,
+    `- [ ] Certificate issuer expected (no surprise CA rotation)`,
+    `- [ ] SPKI / key rotation matches your deploy pipeline`,
+    `- [ ] HNDL Decryption Blast Radius score within target range`,
+    `- [ ] Cipherwake monitoring still active (last scan within 24h)`,
+    ``,
+    `### How to verify`,
+    ``,
+    `\`\`\`bash`,
+    `# Trust posture vs last successful deploy (Free: 30 calls/mo)`,
+    `npx pqcheck trust-diff ${domain} --baseline last-week --fail-on high`,
+    ``,
+    `# Third-party origins on the page (vendor scripts)`,
+    `npx pqcheck vendors check ${domain}`,
+    ``,
+    `# Live grade + score components`,
+    `npx pqcheck ${domain}`,
+    `\`\`\``,
+    ``,
+    `### Where to look`,
+    ``,
+    `- Full dashboard: https://cipherwake.io/r/${encodeURIComponent(domain)}`,
+    `- Methodology + what each check means: https://cipherwake.io/methodology/`,
+    `- 30-day Trust Timeline + Change Briefs: https://cipherwake.io/account`,
+    ``,
+  ].join("\n");
+}
+
+// =============================================================================
+// `pqcheck init` — interactive workflow scaffold (habit-loop #4, locked 2026-05-16)
+// =============================================================================
+// Writes a ready-to-commit .github/workflows/cipherwake.yml that calls
+// cipherwakelabs/pqcheck@v3 in trust-diff mode. Zero copy-paste docs friction.
+//
+// Flags:
+//   --domain <d>       Skip the domain prompt
+//   --fail-on <level>  Skip the severity prompt (any|low|medium|high|critical)
+//   --baseline <ref>   Skip the baseline prompt (last-week|last-month|last-scan|<ISO>)
+//   --yes / -y         Use defaults for everything not explicitly passed
+//   --force            Overwrite an existing workflow file without prompting
+//   --stdout           Print the workflow to stdout instead of writing files
+//
+// Free tier: no API call made by init itself. The generated workflow runs
+// against the user's CIPHERWAKE_API_KEY secret (30 free Trust Diff calls/mo).
+// =============================================================================
+
+const VALID_FAIL_ON = ["any", "low", "medium", "high", "critical"];
+const VALID_BASELINES = ["last-week", "last-month", "last-scan"];
+
+async function runInitCommand(args) {
+  const fs = await import("node:fs/promises");
+  const path = await import("node:path");
+  const useDefaults = args.includes("--yes") || args.includes("-y");
+  const stdout = args.includes("--stdout");
+  const force = args.includes("--force");
+
+  const flagDomain = readFlagValue(args, "--domain");
+  const flagFailOn = readFlagValue(args, "--fail-on");
+  const flagBaseline = readFlagValue(args, "--baseline");
+
+  console.log("");
+  console.log(`  ${color("bold", "pqcheck init")} ${color("dim", "— scaffold a Cipherwake GitHub Action workflow")}`);
+  console.log("");
+
+  let domain = flagDomain ? normalizeDomain(flagDomain) : null;
+  if (!domain) {
+    if (useDefaults) {
+      console.error(color("red", "error: --yes requires --domain (no interactive prompt to fill from)"));
+      process.exit(1);
+    }
+    const answer = await prompt(`  Domain to monitor (e.g. cipherwake.io): `);
+    domain = normalizeDomain((answer || "").trim());
+  }
+  if (!isValidDomain(domain)) {
+    console.error(color("red", `  error: '${domain}' is not a valid hostname`));
+    process.exit(1);
+  }
+
+  let failOn = flagFailOn || "high";
+  if (!flagFailOn && !useDefaults) {
+    const answer = await prompt(`  Fail CI on severity ${color("dim", "[any|low|medium|high(default)|critical]")}: `);
+    if (answer && answer.trim()) failOn = answer.trim().toLowerCase();
+  }
+  if (!VALID_FAIL_ON.includes(failOn)) {
+    console.error(color("red", `  error: --fail-on must be one of ${VALID_FAIL_ON.join("|")}`));
+    process.exit(1);
+  }
+
+  let baseline = flagBaseline || "last-week";
+  if (!flagBaseline && !useDefaults) {
+    const answer = await prompt(`  Baseline ${color("dim", "[last-week(default)|last-month|last-scan|<ISO date>]")}: `);
+    if (answer && answer.trim()) baseline = answer.trim();
+  }
+  if (!isValidBaseline(baseline)) {
+    console.error(color("red", `  error: --baseline must be last-week|last-month|last-scan or an ISO date (YYYY-MM-DD)`));
+    process.exit(1);
+  }
+
+  const workflow = renderTrustDiffWorkflow({ domain, failOn, baseline });
+
+  if (stdout) {
+    console.log(workflow);
+    process.exit(0);
+  }
+
+  // Resolve target path: ./.github/workflows/cipherwake.yml in cwd
+  const cwd = process.cwd();
+  const workflowDir = path.join(cwd, ".github", "workflows");
+  const workflowPath = path.join(workflowDir, "cipherwake.yml");
+
+  try {
+    await fs.mkdir(workflowDir, { recursive: true });
+  } catch (err) {
+    console.error(color("red", `  error creating ${workflowDir}: ${err.message}`));
+    process.exit(1);
+  }
+
+  // Check existing file
+  let exists = false;
+  try {
+    await fs.access(workflowPath);
+    exists = true;
+  } catch { /* doesn't exist */ }
+
+  if (exists && !force) {
+    if (useDefaults) {
+      console.error(color("red", `  error: ${workflowPath} already exists (re-run with --force to overwrite)`));
+      process.exit(1);
+    }
+    const answer = await prompt(`  ${color("yellow", workflowPath + " already exists — overwrite?")} ${color("dim", "[y/N]")}: `);
+    if (!/^y(es)?$/i.test((answer || "").trim())) {
+      console.error(color("dim", "  cancelled — workflow not written"));
+      process.exit(1);
+    }
+  }
+
+  try {
+    await fs.writeFile(workflowPath, workflow, "utf8");
+  } catch (err) {
+    console.error(color("red", `  error writing ${workflowPath}: ${err.message}`));
+    process.exit(1);
+  }
+
+  const relPath = path.relative(cwd, workflowPath);
+  console.log("");
+  console.log(color("green", `  ✓ Wrote ${relPath}`));
+  console.log("");
+  console.log(`  ${color("bold", "Next steps:")}`);
+  console.log("");
+  console.log(`  ${color("dim", "1.")} Generate a Cipherwake API key at ${color("violet", "https://cipherwake.io/account#api-keys")}`);
+  console.log(`     ${color("dim", "Free tier: 30 Trust Diff calls/month")}`);
+  console.log("");
+  console.log(`  ${color("dim", "2.")} Add it as a repo secret:`);
+  console.log(`     ${color("dim", "Settings → Secrets and variables → Actions → New repository secret")}`);
+  console.log(`     ${color("dim", "Name: CIPHERWAKE_API_KEY")}`);
+  console.log("");
+  console.log(`  ${color("dim", "3.")} Commit + push:`);
+  console.log(`     ${color("dim", "$")} git add ${relPath}`);
+  console.log(`     ${color("dim", "$")} git commit -m "ci: add Cipherwake Trust Diff gate"`);
+  console.log(`     ${color("dim", "$")} git push`);
+  console.log("");
+  console.log(`  Open a PR to see the gate run.`);
+  console.log("");
+  process.exit(0);
+}
+
+function readFlagValue(args, name) {
+  const idx = args.indexOf(name);
+  if (idx === -1) return null;
+  const v = args[idx + 1];
+  return v && !v.startsWith("-") ? v : null;
+}
+
+function isValidBaseline(value) {
+  if (VALID_BASELINES.includes(value)) return true;
+  // ISO date YYYY-MM-DD or YYYY-MM-DDTHH:MM:SSZ
+  return /^\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}(:\d{2})?(\.\d+)?Z?)?$/.test(value);
+}
+
+function renderTrustDiffWorkflow({ domain, failOn, baseline }) {
+  return `# Cipherwake — Trust Diff gate
+# Generated by \`pqcheck init\` (v${VERSION}).
+# Runs on every PR and pushes to main: fails the build if your public trust
+# posture regresses vs the baseline (cert / SPKI / vendor scripts / HSTS / CSP /
+# DMARC / HNDL).
+#
+# Free tier: 30 Trust Diff calls/month per CIPHERWAKE_API_KEY.
+# Methodology: https://cipherwake.io/methodology/
+# Action source: https://github.com/cipherwakelabs/pqcheck
+
+name: Cipherwake Trust Diff
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+  security-events: write   # required for SARIF upload to Code Scanning
+  pull-requests: write     # required for sticky PR comment (Action v3.1+)
+
+jobs:
+  trust-diff:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run Cipherwake Trust Diff
+        uses: cipherwakelabs/pqcheck@v3
+        with:
+          mode: trust-diff
+          domain: ${domain}
+          baseline: ${baseline}
+          fail-on: ${failOn}
+        env:
+          CIPHERWAKE_API_KEY: \${{ secrets.CIPHERWAKE_API_KEY }}
+`;
+}
+
+// Tiny readline wrapper. We avoid pulling a CLI prompt library — this is the
+// only interactive path in pqcheck and Node's built-in readline is enough.
+async function prompt(question) {
+  const readline = await import("node:readline/promises");
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    const answer = await rl.question(question);
+    return answer;
+  } finally {
+    rl.close();
+  }
+}
+
+// =============================================================================
+// `pqcheck deploy-check <domain>` — pre-deploy trust gate (habit-loop #5)
+// =============================================================================
+// Thin alias for `pqcheck trust-diff` with deploy-friendly framing:
+//   - Default baseline: last-scan (compares vs your most recent scan, which
+//     usually correlates with the previous deploy)
+//   - Default fail-on: high
+//   - Cleaner output for shell-script use in deploy pipelines (Vercel
+//     pre-build, Netlify build commands, custom CD scripts)
+//
+// Exit codes match trust-diff: 0 pass · 1 warn · 2 fail · 3 error.
+// Consumes the same Free 30 Trust Diff calls/month quota.
+// =============================================================================
+
+async function runDeployCheckCommand(args) {
+  const positional = args.filter((a) => !a.startsWith("-"));
+  if (positional.length === 0) {
+    console.error(color("red", "error: pqcheck deploy-check requires a domain"));
+    console.error(color("dim", "Usage: npx pqcheck deploy-check <domain> [--baseline last-scan|last-week|<ISO>] [--fail-on high|medium|low|any]"));
+    process.exit(1);
+  }
+
+  // Forward to trust-diff with deploy-tuned defaults if the user didn't specify.
+  const forwarded = [...args];
+  if (!args.includes("--baseline")) forwarded.push("--baseline", "last-scan");
+  if (!args.includes("--fail-on")) forwarded.push("--fail-on", "high");
+
+  // Pre-print a deploy-context header (only in text mode — JSON/SARIF users
+  // are scripting and don't want our preamble polluting their pipe).
+  const format = parseFormat(forwarded);
+  if (format === "text") {
+    console.log("");
+    console.log(`  ${color("bold", "🚀 Deploy gate")} ${color("dim", "— checking public trust posture vs last scan")}`);
+    console.log("");
+  }
+
+  return runTrustDiffCommand(forwarded);
+}
+
+// =============================================================================
+// `pqcheck vendors <subcommand>` — vendor lockfile management (habit-loop #10)
+// =============================================================================
+// Free tier (Option A, locked 2026-05-16):
+//   pqcheck vendors export <domain>   — write cipherwake.vendors.json from
+//                                       the current observed vendor scripts
+//                                       (read-only snapshot, no CI enforce)
+//   pqcheck vendors check <domain>    — compare current scan to the lockfile,
+//                                       exit 4 if new origins appeared
+//                                       (free CI gate via the deps endpoint)
+//
+// Starter+ tier:
+//   pqcheck vendors sync <domain>     — pull approved-vendor list from
+//                                       /api/vendor-allowlist and merge into
+//                                       the lockfile (bidirectional)
+//
+// The lockfile is a developer artifact: commit it to the repo to track
+// vendor-surface drift in PR diffs. Like package-lock.json for third-party
+// scripts.
+//
+// Per [[quantapact-pricing-discipline]]: Free generates the lockfile and uses
+// it in CI; Starter+ adds the dashboard-sync layer + approved-vendor
+// enforcement. The dashboard CRUD UI is the Starter wall, not the lockfile.
+// =============================================================================
+
+const VENDOR_LOCKFILE_NAME = "cipherwake.vendors.json";
+
+async function runVendorsCommand(args) {
+  const sub = args[0];
+  if (!sub || sub === "--help" || sub === "-h") {
+    console.log(`
+${color("bold", "pqcheck vendors")} ${color("dim", `v${VERSION}`)}
+
+Vendor lockfile management — track third-party scripts on your domain.
+
+${color("bold", "Subcommands:")}
+  pqcheck vendors export <domain>   Write ${VENDOR_LOCKFILE_NAME} from current observed vendors (Free)
+  pqcheck vendors check <domain>    Compare current scan to the lockfile; exit 4 on new origins (Free CI gate)
+  pqcheck vendors sync <domain>     Pull approved-vendor list from your account (Starter+, requires CIPHERWAKE_API_KEY)
+
+${color("bold", "Flags:")}
+  -o <path>                  Output / input path (default: ./${VENDOR_LOCKFILE_NAME})
+
+${color("bold", "Examples:")}
+  npx pqcheck vendors export cipherwake.io                       ${color("dim", "# capture initial state")}
+  npx pqcheck vendors check cipherwake.io                        ${color("dim", "# CI gate — fails on new origins")}
+  CIPHERWAKE_API_KEY=qpk_... npx pqcheck vendors sync cipherwake.io   ${color("dim", "# Starter+ dashboard sync")}
+
+Methodology: ${color("violet", "https://cipherwake.io/methodology/vendor-lockfile")}
+`);
+    process.exit(0);
+  }
+
+  const rest = args.slice(1);
+  const positional = rest.filter((a) => !a.startsWith("-"));
+  const raw = positional[0];
+  if (!raw) {
+    console.error(color("red", `error: pqcheck vendors ${sub} requires a domain`));
+    process.exit(1);
+  }
+  const domain = normalizeDomain(raw);
+  if (!isValidDomain(domain)) {
+    console.error(color("red", `error: '${raw}' is not a valid domain`));
+    process.exit(1);
+  }
+
+  const outIdx = rest.indexOf("-o");
+  const outPath = (outIdx >= 0 && rest[outIdx + 1] && !rest[outIdx + 1].startsWith("-"))
+    ? rest[outIdx + 1]
+    : VENDOR_LOCKFILE_NAME;
+
+  if (sub === "export") {
+    return runVendorsExport(domain, outPath);
+  }
+  if (sub === "check") {
+    return runVendorsCheck(domain, outPath);
+  }
+  if (sub === "sync") {
+    return runVendorsSync(domain, outPath);
+  }
+  console.error(color("red", `error: unknown subcommand 'vendors ${sub}'. Try: export | check | sync`));
+  process.exit(1);
+}
+
+async function fetchVendorOrigins(domain) {
+  // Calls /api/deps which returns the observed third-party origin list for
+  // a domain. Same endpoint that powers `pqcheck deps <domain>`.
+  //
+  // R40 fix (Q2.6): add a 15-second timeout via AbortController. Previously
+  // a hung /api/deps would block the CLI indefinitely — CI runs would
+  // consume their full 6-hour budget waiting for a response that never
+  // comes. 15s is generous enough for the slow tail but bounds the worst
+  // case.
+  const ac = new AbortController();
+  const timer = setTimeout(() => ac.abort(), 15_000);
+  let resp;
+  try {
+    resp = await fetch(`${API_BASE}/api/deps?domain=${encodeURIComponent(domain)}`, {
+      method: "GET",
+      headers: apiHeaders({ "user-agent": `pqcheck-cli/${VERSION} (vendors)` }),
+      signal: ac.signal,
+    });
+  } catch (err) {
+    if (err?.name === "AbortError") throw new Error("/api/deps timed out after 15s");
+    throw err;
+  } finally {
+    clearTimeout(timer);
+  }
+  if (!resp.ok) {
+    const body = await safeJSON(resp);
+    throw new Error(`/api/deps returned ${resp.status} ${body?.error || resp.statusText}`);
+  }
+  const data = await resp.json();
+  const thirds = Array.isArray(data.thirdParties) ? data.thirdParties : [];
+  // R40 fix (Q2.7): preserve the observed protocol. Previously we
+  // force-converted http://vendor.com into https://vendor.com which
+  // mis-represented what we actually observed. Now: keep http:// when
+  // the API gives an explicit http:// origin; default to https:// only
+  // when the host comes without a protocol prefix.
+  const origins = new Set();
+  for (const t of thirds) {
+    const host = typeof t === "string" ? t : (t.host ?? t.origin ?? "");
+    if (!host) continue;
+    const o = normalizeObservedOrigin(host);
+    if (o) origins.add(o);
+  }
+  return Array.from(origins).sort();
+}
+
+// R40 fix (Q2.7): preserve observed protocol. URL parser handles host
+// validation + canonicalization (lowercase, default-port stripping).
+function normalizeObservedOrigin(value) {
+  const s = String(value).trim().toLowerCase();
+  if (!s) return null;
+  try {
+    const u = s.startsWith("http://") || s.startsWith("https://")
+      ? new URL(s)
+      : new URL("https://" + s);
+    return u.origin;
+  } catch {
+    return null;
+  }
+}
+
+function buildVendorLockfile(domain, origins) {
+  return {
+    schema_version: 1,
+    generator: `pqcheck-cli/${VERSION}`,
+    domain,
+    generated_at: new Date().toISOString(),
+    approved_script_origins: origins,
+    // Soft tier marker — read by sync to know if the lockfile carries
+    // dashboard-managed entries. Free-only lockfiles set this to null.
+    synced_from_account: null,
+  };
+}
+
+async function runVendorsExport(domain, outPath) {
+  const fs = await import("node:fs/promises");
+  console.log("");
+  console.log(`  ${color("bold", "Exporting vendor lockfile")} ${color("dim", `— ${domain}`)}`);
+  console.log("");
+  let origins;
+  try {
+    origins = await fetchVendorOrigins(domain);
+  } catch (err) {
+    console.error(color("red", `  error fetching vendor origins: ${err.message}`));
+    process.exit(1);
+  }
+  const lockfile = buildVendorLockfile(domain, origins);
+  try {
+    await fs.writeFile(outPath, JSON.stringify(lockfile, null, 2) + "\n", "utf8");
+  } catch (err) {
+    console.error(color("red", `  error writing ${outPath}: ${err.message}`));
+    process.exit(1);
+  }
+  console.log(color("green", `  ✓ Wrote ${outPath} with ${origins.length} approved script origin${origins.length === 1 ? "" : "s"}.`));
+  console.log("");
+  console.log(`  ${color("dim", "Commit this file to your repo to track vendor-surface drift in PR diffs.")}`);
+  // R40 fix (Q2.12): nested template literal — the outer backticks are the
+  // template literal; the inner string passed to color() must ALSO be a
+  // template literal so ${domain} interpolates. Previously this printed
+  // the literal text "${domain}" because color()'s arg was a plain string.
+  console.log(`  ${color("dim", `Run \`pqcheck vendors check ${domain}\` in CI to fail PRs that introduce new origins.`)}`);
+  console.log("");
+  process.exit(0);
+}
+
+async function runVendorsCheck(domain, lockPath) {
+  const fs = await import("node:fs/promises");
+  let lockfile;
+  try {
+    const raw = await fs.readFile(lockPath, "utf8");
+    lockfile = JSON.parse(raw);
+  } catch (err) {
+    console.error(color("red", `  error reading ${lockPath}: ${err.message}`));
+    console.error(color("dim", `  Run: npx pqcheck vendors export ${domain}   to generate one.`));
+    process.exit(1);
+  }
+  if (lockfile.schema_version !== 1) {
+    console.error(color("red", `  error: ${lockPath} schema_version=${lockfile.schema_version}, expected 1`));
+    process.exit(1);
+  }
+  if (lockfile.domain && lockfile.domain !== domain) {
+    console.error(color("yellow", `  warning: lockfile is for ${lockfile.domain} but checking against ${domain}`));
+  }
+  const baseline = new Set(Array.isArray(lockfile.approved_script_origins) ? lockfile.approved_script_origins : []);
+  let observed;
+  try {
+    observed = new Set(await fetchVendorOrigins(domain));
+  } catch (err) {
+    console.error(color("red", `  error fetching current vendors: ${err.message}`));
+    process.exit(1);
+  }
+  const newOrigins = [...observed].filter((o) => !baseline.has(o));
+  const removed = [...baseline].filter((o) => !observed.has(o));
+
+  console.log("");
+  console.log(`  ${color("bold", "Vendor lockfile check")} ${color("dim", `— ${domain}`)}`);
+  console.log("");
+  if (newOrigins.length === 0 && removed.length === 0) {
+    console.log(color("green", `  ✓ Vendor surface matches lockfile (${baseline.size} origins).`));
+    console.log("");
+    process.exit(0);
+  }
+  if (newOrigins.length > 0) {
+    console.log(color("red", `  ⚠ ${newOrigins.length} new origin${newOrigins.length === 1 ? "" : "s"} observed (not in lockfile):`));
+    for (const o of newOrigins) console.log(`    + ${o}`);
+    console.log("");
+  }
+  if (removed.length > 0) {
+    console.log(color("dim", `  - ${removed.length} origin${removed.length === 1 ? "" : "s"} no longer observed:`));
+    for (const o of removed) console.log(`    - ${o}`);
+    console.log("");
+  }
+  if (newOrigins.length > 0) {
+    console.log(color("dim", `  To accept the additions, re-run: npx pqcheck vendors export ${domain}`));
+    console.log(color("dim", `  Then commit the updated ${lockPath} to your repo.`));
+    console.log("");
+    process.exit(4); // New origin(s) detected — same exit code as `deps --fail-on-new`
+  }
+  // Only removals (cleanup), no failure
+  process.exit(0);
+}
+
+async function runVendorsSync(domain, outPath) {
+  const fs = await import("node:fs/promises");
+  if (!QP_API_KEY) {
+    console.error(color("red", "  error: `vendors sync` requires CIPHERWAKE_API_KEY (Starter+ feature)"));
+    console.error("");
+    console.error(color("dim", "  Free tier: use `vendors export` to generate a read-only lockfile."));
+    console.error(color("dim", "  Sign up + manage approved vendors at: " + API_BASE + "/account"));
+    console.error(color("dim", "  Pricing: " + API_BASE + "/pricing"));
+    process.exit(1);
+  }
+  console.log("");
+  console.log(`  ${color("bold", "Syncing vendor lockfile with your account")} ${color("dim", `— ${domain}`)}`);
+  console.log("");
+  let resp;
+  try {
+    resp = await fetch(`${API_BASE}/api/vendor-allowlist?domain=${encodeURIComponent(domain)}`, {
+      method: "GET",
+      headers: {
+        "user-agent": `pqcheck-cli/${VERSION} (vendors-sync)`,
+        "authorization": "Bearer " + QP_API_KEY,
+      },
+    });
+  } catch (err) {
+    console.error(color("red", `  network error: ${err.message ?? err}`));
+    process.exit(1);
+  }
+  if (resp.status === 401 || resp.status === 403) {
+    const body = await safeJSON(resp);
+    console.error(color("red", `  authentication failed (HTTP ${resp.status})`));
+    if (body?.error === "starter_required") {
+      console.error(color("dim", `  Approved-vendor allowlist starts at Starter ($29/mo). ${body.message ?? ""}`));
+      console.error(color("dim", `  ${API_BASE}/pricing?utm_source=cli_vendors_sync`));
+    }
+    process.exit(1);
+  }
+  if (!resp.ok) {
+    console.error(color("red", `  /api/vendor-allowlist returned ${resp.status}`));
+    process.exit(1);
+  }
+  const data = await resp.json();
+  const allowlist = Array.isArray(data.allowlist) ? data.allowlist : [];
+  // Filter to entries for this domain + extract vendor_origin
+  const dashboardOrigins = new Set();
+  for (const item of allowlist) {
+    if (item && item.domain === domain && typeof item.vendor_origin === "string") {
+      dashboardOrigins.add(item.vendor_origin);
+    }
+  }
+
+  // Merge with currently observed (so the lockfile covers everything we see + everything the user approved)
+  let observed = new Set();
+  try {
+    observed = new Set(await fetchVendorOrigins(domain));
+  } catch (err) {
+    console.error(color("yellow", `  warning: could not fetch currently observed origins (${err.message}); using dashboard-only list`));
+  }
+
+  const merged = new Set([...observed, ...dashboardOrigins]);
+  const origins = Array.from(merged).sort();
+  const lockfile = buildVendorLockfile(domain, origins);
+  lockfile.synced_from_account = new Date().toISOString();
+
+  try {
+    await fs.writeFile(outPath, JSON.stringify(lockfile, null, 2) + "\n", "utf8");
+  } catch (err) {
+    console.error(color("red", `  error writing ${outPath}: ${err.message}`));
+    process.exit(1);
+  }
+  console.log(color("green", `  ✓ Synced ${outPath} — ${dashboardOrigins.size} dashboard-approved, ${observed.size} currently observed, ${origins.length} total.`));
+  console.log("");
+  console.log(`  ${color("dim", "Commit the updated lockfile to your repo. `pqcheck vendors check` in CI will fail PRs that")}`);
+  console.log(`  ${color("dim", "introduce origins outside the merged set.")}`);
+  console.log("");
+  process.exit(0);
+}
+
+// =============================================================================
+// `pqcheck onboard <domain>` — one-command setup wizard (locked 2026-05-16)
+// =============================================================================
+// Composes existing CLI subcommands into one happy-path flow:
+//   1. Quick public scan → show current grade so the user sees value first
+//   2. Scaffold the GitHub Action workflow (via runInitCommand)
+//   3. Generate a vendor lockfile snapshot (via runVendorsExport)
+//   4. Generate a release-checklist markdown
+//   5. Open the user's browser to /account#api-keys for API-key generation
+//   6. Print next-steps (secret name + commit commands + PR open)
+//
+// Design notes:
+//   - Pure composition of already-reviewed subcommands; no new server endpoints.
+//   - Browser-open uses platform default (`open`/`xdg-open`/`start`). When
+//     headless or sandboxed, the URL is still printed so the user can copy.
+//   - Each step is best-effort: a failed step prints a warning and continues
+//     so a partial setup is still useful. Hard errors only stop early steps
+//     where the rest can't proceed (invalid domain).
+//   - --skip-scan / --skip-vendors / --skip-checklist let power users opt out.
+//   - --no-open suppresses the browser launch (CI / SSH / headless friendly).
+// =============================================================================
+
+async function runOnboardCommand(args) {
+  const positional = args.filter((a) => !a.startsWith("-"));
+  const raw = positional[0];
+  if (!raw) {
+    console.error(color("red", "error: pqcheck onboard requires a domain"));
+    console.error(color("dim", "Usage: npx pqcheck onboard <domain> [--skip-scan] [--skip-vendors] [--skip-checklist] [--no-open] [--force] [--strict]"));
+    process.exit(1);
+  }
+  const domain = normalizeDomain(raw);
+  if (!isValidDomain(domain)) {
+    console.error(color("red", `error: '${raw}' is not a valid domain`));
+    process.exit(1);
+  }
+  const skipScan = args.includes("--skip-scan");
+  const skipVendors = args.includes("--skip-vendors");
+  const skipChecklist = args.includes("--skip-checklist");
+  const noOpen = args.includes("--no-open");
+  // R41 fix #1: --force lets users intentionally overwrite an existing
+  // setup (idempotent re-runs). Without it, we abort if any of the
+  // 3 output files already exists, so a user re-running onboard by
+  // mistake doesn't lose hand-edited CIPHERWAKE_CHECKLIST.md / vendors
+  // lockfile / workflow YAML.
+  const force = args.includes("--force");
+  // R41 fix #4: --strict makes onboard exit non-zero if any step fails.
+  // For human-driven first-time setup, exit 0 (best-effort) is the right
+  // default — printed warnings tell the user what to retry. For CI
+  // automation around the wizard itself, --strict lets a build fail on
+  // step errors. (Recommended usage in CI is still the individual
+  // subcommands, not onboard.)
+  const strict = args.includes("--strict");
+
+  // R41 fix #1: pre-flight overwrite check. We probe the 3 output paths
+  // BEFORE running any step so an aborted run doesn't half-modify the
+  // user's project. We use sync stat checks because we're not in a hot
+  // path and the readability win is worth the tiny perf cost.
+  if (!force) {
+    const fsSync = await import("node:fs");
+    const existing = [];
+    try { fsSync.statSync(".github/workflows/cipherwake.yml"); existing.push(".github/workflows/cipherwake.yml"); } catch {}
+    if (!skipVendors) {
+      try { fsSync.statSync("cipherwake.vendors.json"); existing.push("cipherwake.vendors.json"); } catch {}
+    }
+    if (!skipChecklist) {
+      try { fsSync.statSync("CIPHERWAKE_CHECKLIST.md"); existing.push("CIPHERWAKE_CHECKLIST.md"); } catch {}
+    }
+    if (existing.length > 0) {
+      console.error("");
+      console.error(color("red", `  error: refusing to overwrite existing files:`));
+      for (const f of existing) console.error(color("dim", `    ${f}`));
+      console.error("");
+      console.error(color("dim", `  Re-run with --force to overwrite, or delete the files manually.`));
+      console.error(color("dim", `  (--skip-vendors / --skip-checklist also bypass individual file checks.)`));
+      process.exit(1);
+    }
+  }
+
+  // R41 fix #4: track step failures for --strict mode
+  let anyStepFailed = false;
+
+  console.log("");
+  console.log(`  ${color("bold", "🚀 Cipherwake onboarding")} ${color("dim", `— ${domain}`)}`);
+  console.log("");
+  console.log(`  ${color("dim", "This will write ~3 files to your project and open your browser to grab an API key.")}`);
+  console.log(`  ${color("dim", "All steps are best-effort; you can re-run any individual subcommand later.")}`);
+  console.log("");
+
+  // -------------------------------------------------------------------------
+  // STEP 1 — quick scan (value-first; user sees their grade before any setup)
+  // -------------------------------------------------------------------------
+  if (!skipScan) {
+    console.log(color("violet", `  ▸ Step 1 / 4 — scanning ${domain}…`));
+    try {
+      const resp = await fetch(`${API_BASE}/api/scan?domain=${encodeURIComponent(domain)}&source=onboard`, {
+        method: "GET",
+        headers: apiHeaders({ "user-agent": `pqcheck-cli/${VERSION} (onboard)` }),
+      });
+      if (resp.ok) {
+        const report = await resp.json();
+        const score = typeof report.score === "number" ? report.score.toFixed(1) : "?";
+        const grade = report.grade || "?";
+        const label = report.scoreLabel || "—";
+        console.log(`    ${color("bold", "Current grade:")} ${color("violet", grade)} (${score}/10 · ${label})`);
+        console.log(`    ${color("dim", `Full report: ${API_BASE}/r/${encodeURIComponent(domain)}`)}`);
+      } else {
+        console.log(color("yellow", `    skipped (scan returned HTTP ${resp.status})`));
+        anyStepFailed = true;
+      }
+    } catch (err) {
+      console.log(color("yellow", `    skipped (${err?.message ?? "scan failed"})`));
+      anyStepFailed = true;
+    }
+    console.log("");
+  }
+
+  // -------------------------------------------------------------------------
+  // STEP 2 — workflow scaffold
+  // -------------------------------------------------------------------------
+  console.log(color("violet", `  ▸ Step 2 / 4 — scaffolding GitHub Action workflow…`));
+  try {
+    // Call runInitCommand non-interactively. The function process.exit()'s on
+    // its own; to compose it here we'd have to refactor. Pragmatic approach:
+    // spawn a child node invoking ourselves with `init --yes --domain ...`.
+    // That keeps each step idempotent and isolated.
+    const { spawn } = await import("node:child_process");
+    const result = await new Promise((resolve) => {
+      const p = spawn(process.execPath, [
+        process.argv[1],
+        "init",
+        "--yes",
+        "--domain", domain,
+        "--force",
+      ], { stdio: "inherit" });
+      p.on("exit", (code) => resolve(code ?? 0));
+      p.on("error", () => resolve(1));
+    });
+    if (result !== 0) {
+      console.log(color("yellow", `    init exited ${result} — you can re-run \`pqcheck init\` later`));
+      anyStepFailed = true;
+    }
+  } catch (err) {
+    console.log(color("yellow", `    skipped init (${err?.message ?? "subprocess failed"})`));
+    anyStepFailed = true;
+  }
+  console.log("");
+
+  // -------------------------------------------------------------------------
+  // STEP 3 — vendor lockfile (skipped if --skip-vendors)
+  // -------------------------------------------------------------------------
+  if (!skipVendors) {
+    console.log(color("violet", `  ▸ Step 3 / 4 — capturing vendor lockfile…`));
+    try {
+      const { spawn } = await import("node:child_process");
+      const result = await new Promise((resolve) => {
+        const p = spawn(process.execPath, [
+          process.argv[1],
+          "vendors",
+          "export",
+          domain,
+        ], { stdio: "inherit" });
+        p.on("exit", (code) => resolve(code ?? 0));
+        p.on("error", () => resolve(1));
+      });
+      if (result !== 0) {
+        console.log(color("yellow", `    vendors export exited ${result} — you can re-run \`pqcheck vendors export ${domain}\` later`));
+        anyStepFailed = true;
+      }
+    } catch (err) {
+      console.log(color("yellow", `    skipped vendors export (${err?.message ?? "subprocess failed"})`));
+      anyStepFailed = true;
+    }
+    console.log("");
+  }
+
+  // -------------------------------------------------------------------------
+  // STEP 4 — release checklist (skipped if --skip-checklist)
+  // -------------------------------------------------------------------------
+  if (!skipChecklist) {
+    console.log(color("violet", `  ▸ Step 4 / 4 — writing release checklist…`));
+    try {
+      const fs = await import("node:fs/promises");
+      const checklist = buildReleaseChecklistMarkdown(domain);
+      await fs.writeFile("CIPHERWAKE_CHECKLIST.md", checklist, "utf8");
+      console.log(`    ${color("green", "✓ Wrote CIPHERWAKE_CHECKLIST.md")}`);
+    } catch (err) {
+      console.log(color("yellow", `    skipped checklist (${err?.message ?? "write failed"})`));
+      anyStepFailed = true;
+    }
+    console.log("");
+  }
+
+  // -------------------------------------------------------------------------
+  // Browser open + final next-steps
+  // -------------------------------------------------------------------------
+  // Query MUST come before fragment per RFC 3986. The previous order
+  // `#api-keys?utm_source=onboard` made utm_source part of the fragment
+  // (which never reaches the server), so attribution analytics never fired.
+  const apiKeyUrl = `${API_BASE}/account?utm_source=onboard#api-keys`;
+  console.log(color("bold", "  ✓ Setup files written. Three steps remain:"));
+  console.log("");
+  console.log(`  ${color("dim", "1.")} ${color("bold", "Get a free API key")} (30 Trust Diff calls/month)`);
+  console.log(`     ${color("violet", apiKeyUrl)}`);
+  if (!noOpen) {
+    const opened = await tryOpenBrowser(apiKeyUrl);
+    if (opened) {
+      console.log(`     ${color("dim", "(opened in your browser — sign in / sign up there)")}`);
+    } else {
+      console.log(`     ${color("dim", "(copy the URL above; --no-open suppresses this hint)")}`);
+    }
+  }
+  console.log("");
+  console.log(`  ${color("dim", "2.")} ${color("bold", "Add the key as a GitHub repo secret")}`);
+  console.log(`     ${color("dim", "GitHub → Settings → Secrets and variables → Actions → New repository secret")}`);
+  console.log(`     ${color("dim", "Name: CIPHERWAKE_API_KEY   Value: qpk_... (from step 1)")}`);
+  console.log("");
+  console.log(`  ${color("dim", "3.")} ${color("bold", "Commit + push")}`);
+  // R41 Q1.15 (locked 2026-05-16): build the git-add file list as an array
+  // and join, so we don't print trailing-space args when --skip flags are
+  // used. Harmless bash semantics either way; cleaner output.
+  const filesToAdd = [".github/workflows/cipherwake.yml"];
+  if (!skipVendors) filesToAdd.push("cipherwake.vendors.json");
+  if (!skipChecklist) filesToAdd.push("CIPHERWAKE_CHECKLIST.md");
+  console.log(`     ${color("dim", "$")} git add ${filesToAdd.join(" ")}`);
+  console.log(`     ${color("dim", "$")} git commit -m "ci: add Cipherwake Trust Diff gate"`);
+  console.log(`     ${color("dim", "$")} git push`);
+  console.log("");
+  console.log(`  ${color("dim", "Open a PR after pushing and Cipherwake will comment inline within ~60s of the workflow firing.")}`);
+  console.log("");
+  // R41 fix #4: --strict makes onboard exit non-zero if any step failed.
+  // Default (best-effort) exit 0 keeps the wizard friendly for first-time
+  // human setup — the visible yellow warnings tell them what to retry.
+  if (strict && anyStepFailed) {
+    console.log(color("dim", "  (--strict: one or more steps failed; exiting non-zero)"));
+    process.exit(1);
+  }
+  process.exit(0);
+}
+
+// R41 fix #3: buildReleaseChecklistMarkdown is now a thin alias to the shared
+// renderReleaseChecklist() helper defined alongside runReleaseChecklistCommand.
+// Single source of truth — when either subcommand's content changes, both
+// callers update automatically.
+function buildReleaseChecklistMarkdown(domain) {
+  return renderReleaseChecklist(domain, { generator: "onboard" });
+}
+
+// Cross-platform browser launcher. Returns true if a launcher binary
+// dispatched successfully; false if no launcher is available (e.g. headless
+// server, sandboxed CI, broken xdg-open config).
+//
+// R41 fix #2 (locked 2026-05-16): use exit-event detection + longer timeout
+// so we don't falsely claim "(opened in your browser)" when xdg-open is
+// installed but the launcher exits non-zero (no graphical session, no
+// MIME handler). Previously a flat 200ms timeout resolved true even when
+// the launcher exited 3 because no display was available.
+async function tryOpenBrowser(url) {
+  if (process.env.CI || process.env.CIPHERWAKE_NO_BROWSER) return false;
+  const { spawn } = await import("node:child_process");
+  const platform = process.platform;
+  let cmd, cmdArgs;
+  if (platform === "darwin") {
+    cmd = "open"; cmdArgs = [url];
+  } else if (platform === "win32") {
+    cmd = "cmd"; cmdArgs = ["/c", "start", "", url];
+  } else {
+    cmd = "xdg-open"; cmdArgs = [url];
+  }
+  return await new Promise((resolve) => {
+    let settled = false;
+    let p;
+    try {
+      p = spawn(cmd, cmdArgs, { stdio: "ignore", detached: true });
+    } catch {
+      resolve(false);
+      return;
+    }
+    p.on("error", () => { if (!settled) { settled = true; resolve(false); } });
+    p.on("exit", (code) => { if (!settled) { settled = true; resolve(code === 0); } });
+    p.unref();
+    // Belt-and-suspenders: if the launcher takes >1s to exit AND no error
+    // event has fired, assume it dispatched and went detached (open on
+    // macOS does this — returns after AppleScript-asking Finder/Safari).
+    setTimeout(() => {
+      if (!settled) { settled = true; resolve(true); }
+    }, 1000);
+  });
+}
+
 main().catch((err) => {
   console.error(color("red", `fatal: ${err.message}`));
   process.exit(2);