
Releases: cipherwakelabs/pqcheck

pqcheck v0.16.15

29 May 08:06


[0.16.15] — 2026-05-29

Added — attribution for CI-run invocations

When the CLI detects GITHUB_ACTIONS=true in the environment (auto-set by every GitHub Actions step), it now appends (pqcheck-action) to the User-Agent on every API call. The server-side classifier buckets these into the action channel instead of cli, so dashboards can split CI traffic from human/manual invocations cleanly.

No new data is collected — the User-Agent string was already being sent on every call; this is a labeling change that makes the existing data more analyzable. Opt out with PQCHECK_DISABLE_ACTION_ATTRIBUTION=1 (only respected when GITHUB_ACTIONS=true).

pqcheck v0.16.14

29 May 08:06


[0.16.14] — 2026-05-29

Changed — bug reports route to GitHub Issues

bugs.url in package.json updated from https://cipherwake.io to https://github.com/cipherwakelabs/pqcheck/issues. The npmjs.com listing's "Issues" link now points where developers expect — public, searchable, subscribable. Same change shipped in parallel for the Open VSX + Microsoft Marketplace extension listings (cipherwake-statusbar v0.16.4).

Action v4.0.0 — Marketplace listing (action.yml at root)

29 May 07:13


What changed

GitHub Marketplace requires action.yml at the repo root. v3's sub-path layout (action/action.yml) blocked the Marketplace listing checkbox. v4 puts the canonical manifest at root. Same Action, cleaner ref.

Use it

- uses: cipherwakelabs/pqcheck@v4
  with:
    mode: trust-diff
    domain: your-domain.com
    fail-on: high
    comment-on-pr: true

v3 customers

v3 stays live. Existing workflows on cipherwakelabs/pqcheck/action@v3 keep working — no migration required.

Migration (optional)

-      - uses: cipherwakelabs/pqcheck/action@v3
+      - uses: cipherwakelabs/pqcheck@v4
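Review bot: both refs in this hunk are mutable tags (`@v3`, `@v4`), so whoever can move the tag can change the code that runs with the workflow's `pull-requests: write` token. Pin to the full commit SHA of the v4.0.0 release and keep the version as a trailing comment so Dependabot can still bump it: `- uses: cipherwakelabs/pqcheck@<sha> # v4.0.0`. The same applies to the v3 workflows that "keep working"; staying on `@v3` is a convenience, not a pin.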

All inputs, outputs, and behavior identical.

Action v3.4.0 — Preview Deploy Trust Diff

19 May 04:44


[v3.4.0] — 2026-05-19

Added — mode: preview-diff (Preview Deploy Trust Diff)

The stickiest dev-workflow mode. Compares a preview deployment URL
against a production URL inside the PR. Surfaces new third-party
scripts, security-header regressions (including CSP weakening like
script-src * or 'unsafe-inline' getting added), HSTS removal /
max-age=0, and DBR score drops — before merge.

- uses: cipherwakelabs/pqcheck@v3
  with:
    mode: preview-diff
    preview-url: ${{ steps.vercel.outputs.preview-url }}
    production-url: https://example.com
    comment-on-pr: 'true'

New inputs (only used in mode: preview-diff):

  • preview-url — full URL of the preview deployment
  • production-url — full URL of the production canonical site
  • compare-transport (default false) — opt TLS/cert/SPKI diffs into
    CI verdict. Default false because preview URLs typically use
    edge-host TLS (Vercel/Netlify/Cloudflare) and direct comparison is
    noise.

The existing fail-on input is honored: none / off → report-only,
anything else → CI fail on max severity ≥ threshold. Free tier silently
downgrades to report-only and notes the upgrade hook in the PR comment.
Starter+ honors fail-on for real CI gating.

Security / scan path

Preview-diff uses a dedicated SSRF-pinned scan path
(runPreviewScanForDomain) that only invokes connect-time IP-pinned
probes: TLS handshake + page HTML fetch. It does NOT call the
unpinned probes (cipher class / cert chain / CT logs / email security
/ raw HTTP header fetch). Side benefit: preview-URL hostnames
(feature-abc.vercel.app) never enter Cipherwake's observation
tables — branch names stay private.

Trade-off: preview.score and production.score may be null in the
response (full DBR needs all components). Script / header / transport
comparison still works fully. To get a full DBR score, run
npx pqcheck <domain> separately — that path uses the standard
/api/scan pipeline.

Hardening (R66 + R67 GPT review chain — both cleared 2026-05-19)

  • Validate mode step rejects unknown mode inputs up front (typos no
    longer silently no-op)
  • URL validation via Node's WHATWG parser instead of metachar denylist
    (allows query strings containing &)
  • PR comment construction uses jq --arg for marker / preview-url /
    production-url variables (closes shell-concatenation injection on
    URLs containing single quotes / backslashes)
  • Verdict-based exit code: exit 2 on verdict=fail (CI blocked),
    ::warning:: on warn (CI green to keep PR comment visible)
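The four hardening items above are small enough to show end to end. The Node block below is an added example, not the Action's composite steps: the mode allowlist uses the three modes this changelog names, the URL check is the WHATWG `URL` class standing in for the denylist it replaced, `JSON.stringify` plays the role `jq --arg` plays in the shell version, and the `::error::` emitted on a fail verdict is this example's choice (the notes only specify exit 2 for fail and `::warning::` for warn).

```javascript
'use strict';
// Added example, not the Action's own code: the hardening items reproduced in Node. Mode is
// checked against an allowlist, URLs go through the WHATWG URL class instead of a metacharacter
// denylist, the PR-comment JSON is built by a serialiser (the jq --arg analogue) rather than by
// string concatenation, and the verdict is mapped to an exit code and workflow command.

const MODES = new Set(['scan', 'trust-diff', 'preview-diff']); // the modes these notes mention

// Unknown modes fail loudly instead of silently doing nothing.
function validateMode(mode) {
  if (!MODES.has(mode)) {
    throw new Error(`unknown mode "${mode}" (expected one of: ${[...MODES].join(', ')})`);
  }
  return mode;
}

// Structural validation: absolute http(s) URL, no embedded credentials. Query strings with
// '&', '=' or '%' pass, which is exactly what a metacharacter denylist got wrong.
function validateUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    throw new Error(`not an absolute URL: ${input}`);
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error(`unsupported scheme ${url.protocol}`);
  }
  if (url.username || url.password) throw new Error('credentials in URL are not allowed');
  return url.href; // canonical form, as the parser serialises it
}

// Vulnerable pattern: variables spliced into a quoted template. A backslash in a URL corrupts
// the document; a double quote lets the URL author close the string and add their own fields.
function buildCommentUnsafe(marker, previewUrl, productionUrl) {
  return '{"body": "' + marker + '\\nPreview: ' + previewUrl + '\\nProduction: ' + productionUrl + '"}';
}

// Hardened: the serialiser escapes every value, so a URL can only ever be data.
function buildCommentSafe(marker, previewUrl, productionUrl) {
  return JSON.stringify({ body: `${marker}\nPreview: ${previewUrl}\nProduction: ${productionUrl}` });
}

// fail -> exit 2 (CI blocked); warn -> ::warning:: but exit 0 so the PR comment stays visible.
function verdictToExit(verdict) {
  switch (verdict) {
    case 'fail': return { code: 2, command: '::error::Trust Diff verdict: fail' };
    case 'warn': return { code: 0, command: '::warning::Trust Diff verdict: warn' };
    case 'pass': return { code: 0, command: null };
    default: throw new Error(`unknown verdict "${verdict}"`);
  }
}
```

Run `validateMode` and `validateUrl` before any network call or comment construction; rejecting a typo'd mode up front is what turns a silent no-op into a red step. The unsafe builder is kept only to make the failure visible side by side; it has no place in a workflow.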

CLI v0.13.0 — keyless OIDC onboard

18 May 18:07


[0.13.0] — 2026-05-18

Added — Keyless setup via GitHub Actions OIDC (paired with Action v3.2.0)

npx pqcheck onboard <domain> now scaffolds a GitHub workflow that uses GitHub's OIDC token instead of requiring a CIPHERWAKE_API_KEY repo secret. Free tier: 30 calls/repo/month, zero setup.

Scaffolded cipherwake.yml includes permissions: id-token: write, which lets the Action mint a GitHub-signed JWT containing the repository claim. Server (cipherwake.io) verifies the JWT against GitHub's JWKS and meters per repo via the new gh_action_repo_quota table. Higher-limit paid tiers link the repo to a Cipherwake account via the dashboard (no API key in CI either).

Setup flow before: npx pqcheck onboard <domain> → open browser → sign in → generate API key → copy → GitHub repo settings → New secret → paste → commit + push. Six steps.

Setup flow now: npx pqcheck onboard <domain> → commit + push. Two steps.

Changed — onboard wizard output

  • Drops the "open browser to API-key page" step from the Free path.
  • Drops the "add CIPHERWAKE_API_KEY as a repo secret" instruction.
  • Now prints two next-steps (commit + push, then open a PR) instead of three.
  • Adds a footer link for higher-limit users to request repo-account linking (rolling out separately).
  • The --no-open flag is now a no-op (accepted for backward compat; will be removed in v1.0).

Changed — npm description

Replaces the abstract "find out how much of your data unlocks when quantum decryption arrives" with a concrete feature surface: "HTTPS posture scanner with Trust Diff for CI, vendor lockfile + drift alerts, cross-tenant key map, and HNDL/quantum-decryption risk scoring. Free, no signup."

Compatibility

  • Workflows that explicitly pass api-key: ${{ secrets.CIPHERWAKE_API_KEY }} continue to work — the API-key path is unchanged. The OIDC path only fires when no key is provided AND the workflow has id-token: write.
  • Local CLI use (terminal, non-GitHub CI) is unchanged: per-IP rate limit for anonymous, per-account quota for qpk_* keys.

Fixed

  • Public repo URL in package.json corrected from the old cipherwake-io/pqcheck to the current cipherwakelabs/pqcheck (rebrand follow-up).

[0.12.0] — 2026-05-16

Added — Developer habit-loop bundle (6 new subcommands)

Six new subcommands that put Cipherwake where developers already work: PRs, CI, release notes, vendor allowlists. Free tier covers all of them within the existing 30 Trust Diff calls/month quota.

  • pqcheck onboard <domain> — one-command setup wizard. Runs in sequence: (1) public scan to show your current grade, (2) init to scaffold the workflow, (3) vendors export to capture the lockfile, (4) writes CIPHERWAKE_CHECKLIST.md for release notes, (5) opens your browser to the API-key page, (6) prints next-steps. Flags: --skip-scan, --skip-vendors, --skip-checklist, --no-open. Honors CI=true and CIPHERWAKE_NO_BROWSER=1 env vars to suppress the browser launch.
  • pqcheck init — interactive scaffold for .github/workflows/cipherwake.yml. Prompts for domain, fail-on severity, baseline. Flags: --yes / -y (use defaults; requires --domain), --force (overwrite existing workflow), --stdout (print to stdout instead of writing), --domain, --fail-on, --baseline.
  • pqcheck deploy-check <domain> — pre-deploy Trust Diff gate with deploy-friendly framing. Uses last-scan as default baseline + high as default fail-on. Same exit semantics as trust-diff (0 pass / 1 warn / 2 fail / 3 error).
  • pqcheck release-checklist [domain] — pure-offline markdown checklist for release notes. No API call.
  • pqcheck vendors export <domain> — write cipherwake.vendors.json from currently observed third-party origins (schema v1). Like package-lock.json for vendor scripts.
  • pqcheck vendors check <domain> — CI gate; exits 4 when new origins appear that aren't in the lockfile (matches deps --fail-on-new). Exit 0 when only removals.
  • pqcheck vendors sync <domain> — Starter+ only (requires CIPHERWAKE_API_KEY); merges your /api/vendor-allowlist approvals into the lockfile.
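The vendors export / vendors check pair above is a lockfile for third-party script origins, and the interesting rule is asymmetric: a new origin fails the gate, a removed one does not. The Node block below is an added example of that flow, not pqcheck's code; the HTML page and the lockfile layout are constructed for the example (the notes only say the real cipherwake.vendors.json is "schema v1"), and the exit codes are the ones the notes give.

```javascript
'use strict';
// Added example, not pqcheck's code: third-party script origins pulled out of a page, written to a
// lockfile, and a later observation diffed against it with the exit codes from the notes
// (4 when new origins appear, 0 when only removals). Sample HTML and lockfile layout are constructed.

// Origins of cross-origin <script src=...> elements; same-origin and inline scripts are ignored.
function extractScriptOrigins(html, pageUrl) {
  const base = new URL(pageUrl);
  const origins = new Set();
  const srcRe = /<script\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const m of html.matchAll(srcRe)) {
    const raw = m[1] ?? m[2] ?? m[3];
    let u;
    try { u = new URL(raw, base); } catch { continue; } // relative and protocol-relative src resolve against the page
    if (u.protocol !== 'https:' && u.protocol !== 'http:') continue;
    if (u.origin !== base.origin) origins.add(u.origin);
  }
  return origins;
}

function buildLockfile(domain, origins) {
  return { schema: 1, domain, origins: [...origins].sort() };
}

// Exit 4 on any origin not in the lockfile; removals alone are reported but do not fail the gate.
function checkLockfile(lockfile, observed) {
  const locked = new Set(lockfile.origins);
  const seen = new Set(observed);
  const added = [...seen].filter((o) => !locked.has(o)).sort();
  const removed = [...locked].filter((o) => !seen.has(o)).sort();
  return { added, removed, exitCode: added.length > 0 ? 4 : 0 };
}

// Constructed sample page: two vendor scripts, one same-origin script, one relative, one inline.
const SAMPLE_HTML = `<!doctype html><html><head>
<script src="https://cdn.example-analytics.com/tag.js" async></script>
<script src='//static.cdn-vendor.net/lib.min.js'></script>
<script src=/assets/app.js></script>
<script src="https://www.example.com/first-party.js"></script>
<script>window.inlineBoot = true;</script>
</head><body></body></html>`;
```

A regex over the raw markup is enough for a lockfile of origins because only the `src` attribute matters; anything that needs the DOM (scripts injected at runtime by another script) is what the server-side observation tables are for, and that is why the lockfile is built from observed origins rather than from a single static fetch.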

Docs

  • README — new "Get started in 60 seconds" section (init → secret → push → PR comment).
  • New methodology page /methodology/vendor-lockfile per Rule 1 (Cipherwake project rules).

Quota notes

  • All habit-loop subcommands are Free-tier-eligible. vendors * calls /api/deps which has its own per-IP rate limit (not metered against the Trust Diff 30/mo quota).
  • vendors sync requires a Starter+ API key because the underlying /api/vendor-allowlist endpoint is Starter+ gated server-side.

Paired releases

  • GitHub Action v3.1 (mode: trust-diff + comment-on-pr: true) now posts a sticky PR comment with Trust Diff results. Extra --format json CLI call when commenting is enabled (1 additional Trust Diff quota call per PR run).
  • Browser extension v0.6.1 — popup shows a "🛡 Add CI gate" CTA after every scan; deep-links to /account?install-action=<domain> which auto-opens the Trust Diff config section.

[0.11.0] — 2026-05-16

Added — pqcheck trust-diff <domain> subcommand

  • New subcommand calls /api/trust-diff to compare current public trust posture vs a configured baseline.
  • Inputs: --baseline last-week|last-month|last-scan|<ISO> (default last-week), --fail-on any|low|medium|high|critical (default high), --format pretty|json|sarif|github (default pretty).
  • Exit codes: 0 pass · 1 warn (changes below threshold) · 2 fail (changes at/above threshold) · 3 error (auth/quota/network).
  • Free tier: 30 calls/month with a CIPHERWAKE_API_KEY (generate one at https://cipherwake.io/account#api-keys).
  • SARIF output (--format sarif) is upload-ready for github/codeql-action/upload-sarif@v3 — surfaces deltas in the GitHub Security tab.
  • GitHub Actions output (--format github) writes ::error:: / ::warning:: / ::notice:: workflow commands directly.
  • Pairs with the new cipherwakelabs/pqcheck/action mode: trust-diff for one-line CI integration.

Marketing-funnel copy aligned to the locked free-monitoring policy

  • Help text + tail messages reference Trust Diff + Vendor Change + HNDL + Key Map per the v3-way validated tier architecture (Free=1 monitored, 30 API/mo, fail-mode CI; Starter $29=5 + allowlist; Growth $79=50 + Slack/webhook + team; Scale $199=500 + direct API + CSV).

[0.10.0] — 2026-05-15

Changed — Default lockfile filename is now cipherwake.lock (was quantapact.lock)

  • npx pqcheck lock <domain> in a clean directory now writes cipherwake.lock and
    cipherwake-report.md (matches the project's new name after the
    Quantapact → Cipherwake rebrand).
  • Backwards-compatible permanently. If a quantapact.lock already exists
    in the directory, the CLI overwrites it in place rather than silently
    creating a second file in your repo. No migration required — your existing
    committed lockfile keeps working forever.
  • Same logic applies to pqcheck deps --lock: writes cipherwake-deps.lock
    by default, preserves legacy quantapact-deps.lock if already present.
  • SARIF output's artifact-location URI changed from quantapact-scan/... to
    cipherwake-scan/... (visible in GitHub Code Scanning UI).

Changed — Brand-trace cleanup across surfaces

  • CIPHERWAKE_API_KEY env var name advertised in CLI help (the older
    QUANTAPACT_API_KEY continues to work as a permanent fallback).
  • Help text + READMEs updated.

[0.9.0] — 2026-05-13

Added — Cipherwake account API-key support

  • New env var QUANTAPACT_API_KEY=qpk_<hex> authenticates every CLI → API call.
  • With a key set, your CLI usage bills against your account's monthly quota
    (Starter 1K · Growth 10K · Scale 50K calls/mo) instead of the per-IP rate limit.
  • Anonymous CLI use still works — the env var is optional.
  • Better error messages on 401 (invalid key) and 429 (quota exceeded) — points
    you at /account to rotate or /pricing to upgrade.
  • Affects every authenticated endpoint: scan, history, deps, lock,
    changes-summary, watch. Webhook POSTs to your URL never receive your
    API key — only cipherwake.io calls do.

[0.8.2] — 2026-05-12

Fixed — SARIF rule IDs now stable across runs

  • The --format sarif output previously emitted positional rule IDs (pqcheck-1, pqcheck-2, …). If the same domain produced findings in a different order between scans, GitHub Code Scanning would treat reordered findings as new findings, blowing up the triage queue. Fixed: rule IDs now derive from the finding's stable registry ID (e.g., pqcheck.tls.rsa_kex_fallback), so the same finding gets the same rule ID across runs.
  • The SARIF rules array is also now deduped — multiple findings tied to the same registry rule (e.g., two key-reuse findings) no longer produce duplicate rule entries.

[0.8.1] — 2026-05-12

Added — "Tracked by Cipherwake since X · N observations" provenance pill

  • After every scan, the CLI prints a one-line provenance footer (e.g. Tracked by Cipherwake since 2026-04-12 · 47 observations) showing how long Cipherwake has been observing the domain and how many cert observations we've accumulated. Only renders when prior history exists — first-ever scans of a brand-new domain stay quiet.
  • Mirrors the pill on the extension popup, the GitHub Action PR comment, and the Slack /pqcheck response footer. Closes the cross-surface parity gap (Rule 8) for provenance.
  • Turns one-shot scan output into a trust signal: this isn't a single probe — it's a row in a historical record.

[0.8.0] — 2026-05-12

Added — pqcheck changes <domain> subcommand

  • New subcommand pqcheck changes <domain> — summarises Cipherwake-observed public attack-surface changes for a domain in the last 14 days. Calls /api/changes-summary against cipherwake.io and prints:
    • Tracking-since date (when Cipherwake first observed the domain)
    • Total changes detect...

Action v3.3.0 — First-run baseline UX + shareable badge

18 May 23:19


What's new

  • First-run UX (#10) — When this is the very first Trust Diff run for a repo (no prior baseline to diff against), the PR comment now reads "First baseline captured" with a clear "what happens next" explainer, instead of a misleading "No changes since baseline" success.
  • Shareable badge (#14) — Clean-pass comments now include a markdown block teams can paste into release notes or status pages:
[![Cipherwake Trust Diff](https://cipherwake.io/badge/<domain>.svg)](https://cipherwake.io/r/<domain>)

No behavior change

  • Sticky-comment dedup marker unchanged
  • Fail-on threshold translation unchanged (warn = exit 0, fail = exit 2)
  • Quota footer + posted-by line unchanged
  • Both modes (scan + trust-diff) work the same
  • OIDC keyless auth (Free=100 calls/repo/mo) unchanged

Upgrade

- uses: cipherwakelabs/pqcheck/action@v3   # auto-pulls v3.3.0

Existing workflows pinned to @v3 get the new comment template on next run — no edits needed.

Action v3.2.0 — GitHub OIDC fallback

18 May 17:41



Action v3.2.0 — GitHub OIDC fallback for keyless Free-tier metering

CLI v0.12.0 — Developer habit-loop bundle

17 May 13:10


Changelog body identical to the [0.12.0] entry (2026-05-16) above.

Action v3.1.0 — Trust Diff PR comment

17 May 13:10


[v3.1.0] — 2026-05-16

Added — Sticky PR comment for Trust Diff mode

When mode: trust-diff + comment-on-pr: true on a pull_request event, the Action posts a sticky PR comment with the Trust Diff verdict. Auto-edits on subsequent pushes (no comment spam). Heading Cipherwake Trust Diff for <domain> identifies prior comments for the dedup search.

Comment renders:

  • Verdict emoji (🟢 pass / 🟡 warn / 🔴 fail) + plain-language headline
  • "Changed" section with per-delta severity tags
  • "No changes since baseline" branch for clean PRs
  • Approve-vendor / Configure-Trust-Diff CTAs
  • Quota footer (used / monthly limit)

Quota cost

One extra Trust Diff API call per PR run when comment-on-pr: true — the CLI is invoked twice: once for the user-facing format + workflow log annotations, once with --format json for the comment markdown. Default behavior (comment-on-pr: false) is unchanged.

Required permissions

Add to the workflow permissions: block when enabling commenting. Note that on pull_request runs triggered from a fork the GITHUB_TOKEN is read-only regardless of this block, so the comment step cannot post there:

permissions:
  contents: read
  pull-requests: write   # required for the sticky comment

Mirror to workflow summary

The comment markdown is also written to $GITHUB_STEP_SUMMARY so the run page shows the verdict without opening the PR.

CLI v0.10.0 — cipherwake.lock default + brand rebrand

16 May 03:12


Changelog body identical to the [0.10.0] entry (2026-05-15) above.

Published to npm: npm install -g pqcheck@0.10.0 or npx pqcheck@latest.

Backwards compatibility: existing repos with quantapact.lock keep using that filename forever — the CLI auto-detects and preserves it. New repos get cipherwake.lock by default. No migration required.