pqcheck 0.15.3 → 0.16.0

package/bin/pqcheck.js

@@ -24,7 +24,7 @@
 })();
 
 const API_BASE = process.env.PQCHECK_API_BASE || "https://cipherwake.io";
-const VERSION = "0.15.3";
+const VERSION = "0.16.0";
 
 // API-key support — paid tiers (Starter $29 / Growth $79 / Scale $199) get
 // per-account monthly quotas instead of the per-IP rate limit. Set via:
@@ -236,17 +236,18 @@ async function main() {
   // the server side.
   const fresh = args.includes("--fresh") || args.includes("--force");
   const aiMode = parseAiMode(args);
+  const verbose = isVerboseMode(args);  // v0.16.0 — opt-in detailed panel
 
   // One-shot scan(s)
   let worstExit = 0;
   for (const domain of domains) {
-    const exit = await runOneScan({ domain, format, quiet, threshold, webhookUrl, multi: domains.length > 1, fresh, aiMode });
+    const exit = await runOneScan({ domain, format, quiet, threshold, webhookUrl, multi: domains.length > 1, fresh, aiMode, verbose });
     if (exit > worstExit) worstExit = exit;
   }
   process.exit(worstExit);
 }
 
-async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi, fresh, aiMode }) {
+async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi, fresh, aiMode, verbose }) {
   if (!quiet && format === "text") process.stderr.write(color("dim", `Scanning ${domain}${fresh ? " (forcing fresh)" : ""} ...`));
   let report;
   try {
@@ -405,17 +406,42 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi,
           ];
     }
 
+    // v0.16.0 high-yield rendering. Old layout was: banner + body + footer.
+    // New layout: brand header → decision pulse → alerts (if any) → trust
+    // posture → verified-signals summary → (verbose body if --verbose) →
+    // AI footer block. The structured footer is always last so downstream
+    // agents can parse ship_decision regardless of the verbose flag.
+    const highSevFindings = findings.filter((f) => severityRank(f.severity) >= 3);
+    const alertCount = highSevFindings.length;
+
     console.log("");
-    console.log(formatAiBanner({
-      domain,
-      kind: "scan",
-      dbr: report.score,
-      grade: report.grade,
-      maxSeverity: maxSev,
-      shipDecision,
-      unreachable,
-    }));
-    console.log(formatAiBody({ topIssue, whyMatters, nextActions }));
+    console.log(formatBrandHeader(domain));
+    console.log("");
+    console.log(formatDecisionPulse({ shipDecision, alertCount, unreachable, diffContext: false }));
+
+    if (unreachable) {
+      // Unreachable path: surface the friendly explanation + next actions
+      // immediately (no "verified signals" block — there's nothing to
+      // verify if we couldn't reach the site).
+      console.log(formatAiBody({ topIssue, whyMatters, nextActions }));
+    } else {
+      // Alerts above trust posture so the actionable change is first.
+      if (alertCount > 0) {
+        const alerts = formatAlertsLine(highSevFindings);
+        if (alerts) console.log(alerts);
+      }
+      const tpl = formatTrustPostureLine(report);
+      if (tpl) console.log(tpl);
+      const vsl = formatVerifiedSignalsLine(report);
+      if (vsl) console.log(vsl);
+      if (verbose) {
+        console.log("");
+        console.log(formatHighYieldVerbose(report));
+      } else {
+        console.log(color("dim", "  Run with --verbose to see all verified signals."));
+      }
+    }
+
     console.log(formatAiFooterBlock({
       status: shipDecision,
       domain,
@@ -424,6 +450,7 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi,
       grade: report.grade || "",
       max_severity: maxSev,
       ship_decision: shipDecision,
+      unreachable: unreachable ? "true" : "false",
       top_issue: topFinding?.id || topFinding?.title || "none",
       findings_high: findings.filter((f) => severityRank(f.severity) === 3).length,
       findings_critical: findings.filter((f) => severityRank(f.severity) === 4).length,
@@ -727,6 +754,254 @@ function formatAiFooterBlock(fields) {
   return color("dim", lines.join("\n"));
 }
 
+// v0.16.0 — high-yield output formatters.
+//
+// Design (per user direction 2026-05-22): every scan should deliver
+// substantive insight, but the default must stay tight (3-5 lines max) so
+// running pqcheck 100 times/month doesn't feel like a mini audit every
+// time. The verbose panel is opt-in via `--verbose`.
+//
+// Three rendering tiers:
+//   1. Status line (1 line):        ◆ Cipherwake · X ✓ PASS · DBR 4.7 C · stable 14d
+//   2. Default CLI (3-5 lines):     "✓ PASS · no public-surface drift detected"
+//                                   "✓ Trust posture: DBR 4.7 C · top 23% in fintech · stable 14d"
+//                                   "✓ Verified 8 signals · scripts, headers, cookies, cert/SPKI, ..."
+//   3. Verbose (--verbose, 8+ lines): full per-signal breakdown
+// =============================================================================
+
+// Plain-English percentile copy. report.sectorRanking.percentile uses
+// "100 = worst, 0 = best". Customer copy inverts to "top N%" framing.
+// No cryptic p-quantiles — `p23` reads like jargon; `top 23%` is universal.
+function formatPercentileCopy(percentile, sectorName) {
+  if (typeof percentile !== "number" || !isFinite(percentile)) return null;
+  const sector = sectorName || "industry";
+  if (percentile <= 10) return `top 10% in ${sector}`;
+  if (percentile <= 25) return `top 25% in ${sector}`;
+  if (percentile <= 50) return `above median in ${sector}`;
+  if (percentile <= 75) return `below median in ${sector}`;
+  if (percentile <= 90) return `bottom 25% in ${sector}`;
+  return `bottom 10% in ${sector}`;
+}
+
+// "stable 14d" / "drifted 2d ago" / "first scan" depending on report data.
+// Reads from report._meta.lastChanged (smartCache populates) — if not
+// available, falls back to "tracked since first scan."
+function formatStabilityCopy(report) {
+  const lastChanged = report?._meta?.lastChanged || report?._meta?.lastUpdated;
+  if (lastChanged) {
+    const ms = Date.now() - new Date(lastChanged).getTime();
+    const days = Math.floor(ms / 86400000);
+    if (days <= 0) return "drifted today";
+    if (days < 7) return `drifted ${days}d ago`;
+    return `stable ${days}d`;
+  }
+  return null;
+}
+
+// "✓ Trust posture: DBR 4.7 C · top 23% in fintech · stable 14d"
+//   - Only includes sub-segments we have data for. If we can't compute a
+//     section, we omit it rather than padding with "—" / "n/a".
+function formatTrustPostureLine(report) {
+  const dbr = typeof report?.score === "number" ? report.score.toFixed(1) : null;
+  const grade = report?.grade || "";
+  if (!dbr) return null;
+  const parts = [`DBR ${dbr}${grade ? " " + grade : ""}`];
+  const sr = report?.sectorRanking;
+  const pctCopy = formatPercentileCopy(sr?.percentile, sr?.sectorLabel || sr?.sectorName || sr?.sector);
+  if (pctCopy) parts.push(pctCopy);
+  const stability = formatStabilityCopy(report);
+  if (stability) parts.push(stability);
+  return color("green", "✓ ") + color("bold", "Trust posture: ") + parts.join(color("dim", " · "));
+}
+
+// Count verified signals from the scan report. A "signal" is something
+// Cipherwake actively checked AND would surface in a diff if it changed.
+// Returns: { count, categories }.
+function countVerifiedSignals(report) {
+  const cats = [];
+  // 1. Third-party scripts
+  if (report?.publicDeps?.fetched || Array.isArray(report?.publicDeps?.thirdParties)) cats.push("scripts");
+  // 2. Security headers (CSP/HSTS/XFO at minimum)
+  if (report?.httpHeaders?.reachable) cats.push("headers");
+  // 3. Cookies (v0.16.0 — new)
+  if (report?.cookies?.reachable) cats.push("cookies");
+  // 4. Cert / SPKI
+  if (report?.cert || report?._meta?.certSerial) cats.push("cert/SPKI");
+  // 5. Source maps (v0.16.0 — new)
+  if (report?.sourceMaps?.reachable) cats.push("source maps");
+  // 6. TLS posture
+  if (report?.publicSurface?.tlsVersion || report?.tlsVersion) cats.push("TLS");
+  // 7. Mixed content — not yet a separate probe but counted when we have
+  //    publicDeps (which exposes any loadedOverHttps:false items).
+  if (report?.publicDeps?.fetched) cats.push("mixed-content");
+  // 8. Subdomain scale (from CT log scan)
+  if (typeof report?.publicSurface?.subdomainCount === "number") cats.push("subdomain scale");
+  return { count: cats.length, categories: cats };
+}
+
+// Default ("Verified N signals · scripts, headers, ...") is for first scans
+// where there's no baseline to compare. With a baseline + no drift we
+// switch to "Security-relevant surface unchanged" — it directly answers
+// the customer's question ("did anything that matters change?") instead
+// of just naming what we checked. User direction 2026-05-22.
+function formatVerifiedSignalsLine(report, options = {}) {
+  const { count, categories } = countVerifiedSignals(report);
+  if (count === 0) return null;
+  const head = options.diffNoChange === true
+    ? "Security-relevant surface unchanged"
+    : `Verified ${count} signal${count === 1 ? "" : "s"}`;
+  return color("green", "✓ ") + color("bold", head) + color("dim", " · " + categories.join(", "));
+}
+
+// Default high-yield panel — 3-5 lines max. Used in `pqcheck <domain> --ai`
+// and `pqcheck deploy-check --ai` when no critical findings need to be
+// surfaced prominently (otherwise the alerts go above this block).
+function formatHighYieldDefault(report, { shipDecision, diffContext, diffNoChange } = {}) {
+  const lines = [];
+  // Header pulse: "✓ PASS · no public-surface drift detected"
+  //               "⚠ REVIEW · 2 public-surface changes"
+  //               "⛔ BLOCK · protected path changed"
+  if (diffContext) {
+    lines.push(diffContext);
+  }
+  const tpl = formatTrustPostureLine(report);
+  if (tpl) lines.push(tpl);
+  // diffNoChange flag tells the verified-signals line to switch wording
+  // from "Verified N signals" to "Security-relevant surface unchanged" —
+  // only set this when there IS a baseline to compare against AND the
+  // diff returned zero deltas.
+  const vsl = formatVerifiedSignalsLine(report, { diffNoChange: !!diffNoChange });
+  if (vsl) lines.push(vsl);
+  lines.push(color("dim", "  Run with --verbose to see all verified signals."));
+  return lines.join("\n");
+}
+
+// Verbose panel — opt-in via --verbose. Per-signal bullet breakdown.
+// Used for first-run, troubleshooting, public benchmark/report pages.
+// The caller renders the trust-posture line ABOVE this block, so we
+// don't duplicate it here.
+function formatHighYieldVerbose(report) {
+  const lines = [];
+  lines.push(color("green", "✓ ") + color("bold", "Verified this deploy:"));
+  // Scripts
+  if (Array.isArray(report?.publicDeps?.thirdParties)) {
+    const hosts = report.publicDeps.thirdParties.slice(0, 6).map(d => d.host || d).filter(Boolean);
+    const more = report.publicDeps.thirdParties.length > 6
+      ? `, +${report.publicDeps.thirdParties.length - 6} more` : "";
+    lines.push(color("dim", `  · ${hosts.length} third-party script${hosts.length === 1 ? "" : "s"} intact (${hosts.join(", ")}${more})`));
+  }
+  // Headers (always-on)
+  const hh = report?.httpHeaders;
+  if (hh?.reachable) {
+    const hdrs = [];
+    if (hh.csp?.present) hdrs.push("CSP enforced");
+    if (hh.hsts?.present) hdrs.push(`HSTS${hh.hsts.preload ? " preload" : ""}`);
+    if (hh.xFrameOptions?.present) hdrs.push(`X-Frame-Options ${hh.xFrameOptions.value || ""}`.trim());
+    if (hh.xContentTypeOptions?.present) hdrs.push("X-Content-Type-Options nosniff");
+    if (hh.referrerPolicy?.present) hdrs.push(`Referrer-Policy ${hh.referrerPolicy.value || ""}`.trim());
+    if (hh.permissionsPolicy?.present) hdrs.push("Permissions-Policy set");
+    if (hdrs.length > 0) lines.push(color("dim", `  · ${hdrs.join(" · ")}`));
+  }
+  // Cert
+  if (report?.cert || report?._meta?.certSerial) {
+    const cert = report.cert || {};
+    const days = cert.notAfter
+      ? Math.floor((new Date(cert.notAfter).getTime() - Date.now()) / 86400000)
+      : null;
+    const certLine = days !== null
+      ? `Cert: ${days}d until expiry${cert.issuer ? " · issued by " + cert.issuer : ""}`
+      : `Cert: ${cert.issuer || "issued"}`;
+    lines.push(color("dim", `  · ${certLine}`));
+  }
+  // Cookies (v0.16.0)
+  const ck = report?.cookies;
+  if (ck?.reachable) {
+    if (ck.count === 0) {
+      lines.push(color("dim", `  · Cookies: none set`));
+    } else {
+      const flags = [];
+      if (!ck.anyMissingSecure) flags.push("all Secure");
+      if (!ck.anyMissingHttpOnly) flags.push("all HttpOnly");
+      if (!ck.anyMissingSameSite) flags.push("all SameSite set");
+      lines.push(color("dim", `  · Cookies: ${ck.count} set${flags.length ? " · " + flags.join(" + ") : ""}`));
+    }
+  }
+  // Source maps (v0.16.0)
+  const sm = report?.sourceMaps;
+  if (sm?.reachable) {
+    lines.push(color("dim", `  · ${sm.exposed ? `Source maps EXPOSED on ${sm.exposedCount} script(s)` : "No source maps exposed"}`));
+  }
+  // Mixed content
+  if (Array.isArray(report?.publicDeps?.thirdParties)) {
+    const insecure = report.publicDeps.thirdParties.filter(d => d.loadedOverHttps === false).length;
+    lines.push(color("dim", `  · ${insecure === 0 ? "No mixed-content (all third-parties over HTTPS)" : `Mixed content: ${insecure} resource(s) over HTTP`}`));
+  }
+  return lines.join("\n");
+}
+
+// Helper: pretty-print 1-3 alerts (when ship_decision = review/block) ABOVE
+// the trust-posture line, so the actionable change is the FIRST thing the
+// customer sees. Each alert is one line with an emoji + concise summary.
+function formatAlertsLine(findings, max = 3) {
+  if (!Array.isArray(findings) || findings.length === 0) return null;
+  const sortedAlerts = [...findings].sort(
+    (a, b) => severityRank(b.severity) - severityRank(a.severity),
+  );
+  const lines = [];
+  for (const f of sortedAlerts.slice(0, max)) {
+    const sev = String(f.severity || "").toLowerCase();
+    const sym = sev === "critical" ? "⛔" : sev === "high" ? "⚠" : "ⓘ";
+    const c = sev === "critical" ? "red" : sev === "high" ? "yellow" : "dim";
+    const title = f.title || f.id || "finding";
+    lines.push(color(c, `${sym} ${title}`));
+  }
+  if (sortedAlerts.length > max) {
+    lines.push(color("dim", `  +${sortedAlerts.length - max} more (run with --verbose)`));
+  }
+  return lines.join("\n");
+}
+
+function isVerboseMode(args) {
+  return args.includes("--verbose") || args.includes("--explain");
+}
+
+// One-line "decision pulse" — the prominent first line that tells the customer
+// the answer to "is this deploy safe to announce?" in <80 characters.
+// Wording branches on context:
+//   - Diff context (deploy-check / trust-diff / preview-diff): talks about
+//     CHANGES vs the baseline ("no public-surface drift detected").
+//   - Basic scan (no baseline): talks about FINDINGS from this scan
+//     ("no high-severity findings").
+function formatDecisionPulse({ shipDecision, alertCount, unreachable, diffContext }) {
+  if (unreachable) {
+    return color("red", "⛔ UNREACHABLE") + color("dim", " · scanner couldn't reach the domain");
+  }
+  const n = alertCount || 0;
+  if (shipDecision === "pass") {
+    const tail = diffContext
+      ? "no public-surface drift detected"
+      : "no high-severity findings";
+    return color("green", "✓ PASS") + color("dim", " · " + tail);
+  }
+  if (shipDecision === "review") {
+    const noun = diffContext ? "public-surface change" : "high-severity finding";
+    return color("yellow", "⚠ REVIEW") + color("dim", ` · ${n} ${noun}${n === 1 ? "" : "s"}`);
+  }
+  if (shipDecision === "block") {
+    const noun = diffContext ? "critical change" : "critical finding";
+    return color("red", "⛔ BLOCK") + color("dim", ` · ${n} ${noun}${n === 1 ? "" : "s"}`);
+  }
+  return color("dim", "· no decision");
+}
+
+// "◆ Cipherwake — domain" — the v0.16.0 brand+domain header line. Shorter
+// than the old AI banner so the decision-pulse line below it carries the
+// status. The banner color stays neutral (no decision color) because the
+// decision-pulse line owns that semantic.
+function formatBrandHeader(domain) {
+  return color("bold", "◆ Cipherwake") + color("dim", " — ") + color("bold", domain);
+}
+
 // Persist last-scan state to ~/.config/cipherwake/last-scan.json.
 // Feeds the cipherwake-statusline + cipherwake-prompt-hook + cipherwake-chat-hook
 // scripts so users get persistent ambient state in their AI coder's surfaces.
@@ -4770,7 +5045,7 @@ esac
 const CLAUDE_STATUSLINE_CONFIG_SNIPPET = `
   "statusLine": {
     "type": "command",
-    "command": "npx cipherwake-statusline"
+    "command": "npx --package=pqcheck@latest cipherwake-statusline"
   }`;
 
 // R74-confirm SHIP #14-15 (GPT 2026-05-22): network connectivity diagnostic.
@@ -5107,12 +5382,12 @@ async function runSetupCommand(args) {
       if (existed && settings.statusLine && typeof settings.statusLine === "object") {
         // Already has a statusLine config — don't overwrite.
         console.log(color("dim", `  ⊝ ~/.claude/settings.json already has a statusLine entry — leaving alone`));
-        console.log(color("dim", `    To use the Cipherwake statusline instead, set: "command": "npx cipherwake-statusline"`));
+        console.log(color("dim", `    To use the Cipherwake statusline instead, set: "command": "npx --package=pqcheck@latest cipherwake-statusline"`));
         installSummary.push({ component: "Claude Code statusLine", path: settingsPath, status: "skipped-existing-config" });
       } else {
         const backupPath = existed ? await backupSettingsJson(settingsPath) : null;
         if (backupPath) console.log(color("dim", `    backup: ${backupPath}`));
-        settings.statusLine = { type: "command", command: "npx cipherwake-statusline" };
+        settings.statusLine = { type: "command", command: "npx --package=pqcheck@latest cipherwake-statusline" };
         await fs.mkdir(path.dirname(settingsPath), { recursive: true });
         await fs.writeFile(settingsPath, JSON.stringify(settings, null, 2) + "\n", "utf8");
         console.log(color("green", `  ✓ added statusLine config → ~/.claude/settings.json`));
@@ -5151,7 +5426,7 @@ async function runSetupCommand(args) {
       }
       bashEntry.hooks = bashEntry.hooks || [];
 
-      const cipherwakeHookCmd = "npx cipherwake-chat-hook";
+      const cipherwakeHookCmd = "npx --package=pqcheck@latest cipherwake-chat-hook";
       const alreadyInstalled = bashEntry.hooks.some(
         (h) => h?.type === "command" && typeof h?.command === "string" && h.command.includes("cipherwake-chat-hook"),
       );
@@ -5196,7 +5471,7 @@ async function runSetupCommand(args) {
       settings.hooks = settings.hooks || {};
       settings.hooks.UserPromptSubmit = settings.hooks.UserPromptSubmit || [];
 
-      const cipherwakeHookCmd = "npx cipherwake-prompt-hook";
+      const cipherwakeHookCmd = "npx --package=pqcheck@latest cipherwake-prompt-hook";
       const alreadyInstalled = settings.hooks.UserPromptSubmit.some(
         (entry) => Array.isArray(entry?.hooks) && entry.hooks.some(
           (h) => h?.type === "command" && typeof h?.command === "string" && h.command.includes("cipherwake-prompt-hook"),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.15.3",
+  "version": "0.16.0",
   "description": "Deploy gate for AI-coded web apps. `pqcheck deploy-check --ai` returns ship_decision=pass|review|block for Claude Code / Cursor / Copilot / Aider to gate deploys before they ship. Anonymous, no signup, free for first use.",
   "keywords": [
     "ai-coder",