Methodology · Vendor lockfile

A committable lockfile for your domain's third-party scripts (cipherwake.vendors.json).

Vendor lockfile is the JSON artifact produced by npx pqcheck vendors export. It snapshots the list of third-party script origins your domain loads so you can commit it to your repo and fail PRs that introduce new origins. Like package-lock.json for vendor scripts.

What we measure

The set of distinct third-party origins (https://<host>) observed loading scripts on your domain at the time of the export. The lockfile is a domain-level snapshot — one file per monitored domain.

Free tier generates and uses lockfiles freely (1 monitored domain). Founder Pro adds a second mode: vendors sync merges your dashboard-managed approved-vendor allowlist into the lockfile, so the file represents both what was observed AND what you intentionally approved.

How we measure it

vendors export calls the public /api/deps endpoint — the same data that powers pqcheck deps <domain> and the Vendor Surface view on /r/<domain>. Origins are normalized to https://<hostname> form (path / query / fragment stripped, case lowercased, port stripped if default).

vendors check re-fetches current origins from the same endpoint and computes set difference vs the committed lockfile:

How it scores / contributes

The lockfile does not contribute to your Decryption Blast Radius score. It is a developer artifact: a policy file that says "these are the third-party origins we approved as of this commit." The scoring is unchanged.

What the lockfile does contribute: a stable PR-review event when vendor surface drifts. Like package-lock.json, the value comes from making changes visible in diffs.

Schema (v1)

{
  "schema_version": 1,
  "generator": "pqcheck-cli/0.12.0",
  "domain": "example.com",
  "generated_at": "2026-05-16T22:30:00.000Z",
  "approved_script_origins": [
    "https://js.stripe.com",
    "https://www.googletagmanager.com"
  ],
  "synced_from_account": null
}

The synced_from_account field is null for Free-generated lockfiles. Founder Pro vendors sync sets it to the sync timestamp, indicating the file contains dashboard-managed approvals (not just whatever was observed).
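As an added example (not pqcheck's own code), the following JavaScript implements the two steps described under "How we measure it": normalizing observed script URLs to https://<hostname> origins, then computing the set difference against a committed v1 lockfile. The lockfile contents and the observed script URLs are constructed sample data; the only non-default-port and analytics hosts are placeholders.

```javascript
// Added example, not pqcheck's own implementation. Uses Node's global URL.

// Collapse a script URL to its origin as the methodology describes:
// lowercase, path/query/fragment dropped, default port dropped.
// The WHATWG URL parser lowercases scheme + host and empties u.port
// when the port is the scheme default, so a non-default port survives.
function normalizeOrigin(rawUrl) {
  const u = new URL(rawUrl);
  const port = u.port ? `:${u.port}` : "";
  return `${u.protocol}//${u.hostname}${port}`;
}

// Constructed lockfile in the schema (v1) shown above.
const LOCKFILE = {
  schema_version: 1,
  generator: "pqcheck-cli/0.12.0",
  domain: "example.com",
  generated_at: "2026-05-16T22:30:00.000Z",
  approved_script_origins: [
    "https://js.stripe.com",
    "https://www.googletagmanager.com",
  ],
  synced_from_account: null,
};

// Constructed sample of script URLs observed on the domain right now.
const OBSERVED_SCRIPTS = [
  "HTTPS://JS.Stripe.com:443/v3/",                 // normalizes to approved origin
  "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER",
  "https://cdn.example-analytics.test/tag.js#v2",  // placeholder: not in lockfile
];

// Set difference in both directions. `added` is the drift that should
// fail a PR; `removed` is informational (an approved vendor no longer loads).
function checkLockfile(lockfile, observedUrls) {
  if (lockfile.schema_version !== 1) {
    throw new Error(`unsupported schema_version ${lockfile.schema_version}`);
  }
  const approved = new Set(lockfile.approved_script_origins.map(normalizeOrigin));
  const observed = new Set(observedUrls.map(normalizeOrigin));
  const added = [...observed].filter((o) => !approved.has(o)).sort();
  const removed = [...approved].filter((o) => !observed.has(o)).sort();
  return { added, removed, ok: added.length === 0 };
}

// Stand-alone run: a CI wrapper would exit non-zero when ok is false.
console.log(JSON.stringify(checkLockfile(LOCKFILE, OBSERVED_SCRIPTS), null, 2));
```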

Free vs Founder Pro — what each tier gets

The dashboard UI is the Founder Pro wall. The lockfile itself is free.

What this tool does NOT claim

Limitations + edge cases

Try it