pqcheck 0.16.0 → 0.16.3

package/README.md

@@ -49,7 +49,7 @@ You get the same scanner that powers [cipherwake.io](https://cipherwake.io), the
 | `npx pqcheck <domain>` | The basic scan. Returns DBR score (0–10), letter grade (A–F), and a list of findings ranked by severity. The fastest way to ask "is my site's HTTPS posture healthy today?" |
 | `npx pqcheck deploy-check <domain> --ai` | The flagship command. Wraps the scan with `ship_decision=pass\|review\|block` for your AI coding agent to gate the deploy announcement. Works anonymously on first use; subsequent runs compare against the previous scan. |
 | `npx pqcheck trust-diff <domain>` | Compare today's HTTPS surface against a saved baseline (last week / last month / a saved CI baseline). For CI gates and release checklists. |
-| `npx pqcheck preview-diff --preview <URL> --production <URL>` | Compare a Vercel/Netlify preview deployment URL to production. Surfaces new third-party scripts, header regressions, and DBR score drops *inside the PR*, before merge. |
+| `npx pqcheck preview-diff --preview <URL> --production <URL>` | Compare a Vercel/Netlify preview deployment URL to production. Surfaces new third-party scripts, header regressions, and DBR score drops *inside the PR*, before merge. **v0.16.3** — now renders per-signal N vs N+1 status on every run (scripts, headers, cert SPKI, TLS, …) so you can see *every* check fired, not just "did something change." Add `--verbose` for the full side-by-side table. |
 | `npx pqcheck vendors export/check/sync <domain>` | Vendor lockfile (`cipherwake.vendors.json`) + CI gate that exits non-zero when a new third-party origin appears. Like `package-lock.json` for vendor scripts. |
 | `npx pqcheck onboard <domain>` | One command: scan → scaffold the GitHub Action → capture a vendor lockfile → set a baseline → commit + push. Zero copy-paste from docs. |
 | **`npx pqcheck guard --domain <D> -- <cmd>`** 🆕 | **Deploy guard wrapper.** Wraps any deploy command. Runs `deploy-check` first; conditionally runs `<cmd>` based on `ship_decision`. Modes: `--gate-mode balanced` (default) / `advisory` / `strict`. ONE command instead of two — the strongest single artifact for AI-coder workflows because the AI never has to remember to chain check + deploy. |

package/bin/cipherwake-statusline.js

@@ -121,6 +121,18 @@ const sevSegment = (!isUnreachable && max_severity && max_severity !== "none")
   ? ` · ${String(max_severity).toUpperCase()}`
   : "";
 
+// v0.16.2 — drift narrative suffix. "stable 14d" / "drifted 2d ago" / "now".
+// Sourced from state.lastChanged (smartCache populates) so the customer
+// sees time-series anchor at a glance, not just a single-point snapshot.
+let stabilitySegment = "";
+if (!isUnreachable && state.lastChanged) {
+  const dms = Date.now() - new Date(state.lastChanged).getTime();
+  const days = Math.floor(dms / 86400000);
+  if (days <= 0) stabilitySegment = " · drifted today";
+  else if (days < 7) stabilitySegment = ` · drifted ${days}d ago`;
+  else stabilitySegment = ` · stable ${days}d`;
+}
+
 process.stdout.write(
   c(cdec, "◆") +
     " " +

package/bin/pqcheck.js

@@ -24,7 +24,7 @@
 })();
 
 const API_BASE = process.env.PQCHECK_API_BASE || "https://cipherwake.io";
-const VERSION = "0.16.0";
+const VERSION = "0.16.3";
 
 // API-key support — paid tiers (Starter $29 / Growth $79 / Scale $199) get
 // per-account monthly quotas instead of the per-IP rate limit. Set via:
@@ -831,11 +831,13 @@ function countVerifiedSignals(report) {
   if (report?.sourceMaps?.reachable) cats.push("source maps");
   // 6. TLS posture
   if (report?.publicSurface?.tlsVersion || report?.tlsVersion) cats.push("TLS");
-  // 7. Mixed content — not yet a separate probe but counted when we have
-  //    publicDeps (which exposes any loadedOverHttps:false items).
-  if (report?.publicDeps?.fetched) cats.push("mixed-content");
+  // 7. Mixed content — v0.16.2 promoted to dedicated probe; falls back to
+  //    publicDeps inference when explicit field missing.
+  if (report?.mixedContent?.probed || report?.publicDeps?.fetched) cats.push("mixed-content");
   // 8. Subdomain scale (from CT log scan)
   if (typeof report?.publicSurface?.subdomainCount === "number") cats.push("subdomain scale");
+  // 9. Protected paths (v0.16.2 — the headline feature)
+  if (report?.protectedPaths?.probed) cats.push("protected paths");
   return { count: cats.length, categories: cats };
 }
 
@@ -939,6 +941,131 @@ function formatHighYieldVerbose(report) {
   return lines.join("\n");
 }
 
+// v0.16.3 — preview-diff per-signal comparison. Render N vs N+1 signal
+// values for both sides side-by-side so the customer SEES that every
+// signal was checked, even when delta_count=0. Without this, preview-diff
+// was silent on non-changing signals and looked like a binary "did
+// anything change" detector. With this, every preview-diff output proves
+// the 9 signals were exercised on both URLs.
+function formatPreviewDiffPerSignal(prev, prod, options = {}) {
+  if (!prev || !prod) return null;
+  const verbose = options.verbose === true;
+  const rows = [];
+  const push = (name, l, r) => rows.push({ name, prev: l, prod: r, same: l === r });
+
+  if (typeof prev?.score === "number" || typeof prod?.score === "number") {
+    const dbrL = typeof prev?.score === "number" ? `${prev.score.toFixed(1)}${prev.grade ? " " + prev.grade : ""}` : "—";
+    const dbrR = typeof prod?.score === "number" ? `${prod.score.toFixed(1)}${prod.grade ? " " + prod.grade : ""}` : "—";
+    push("DBR", dbrL, dbrR);
+  }
+
+  const prevScripts = prev?.publicDeps?.thirdPartyCount;
+  const prodScripts = prod?.publicDeps?.thirdPartyCount;
+  if (prevScripts !== undefined || prodScripts !== undefined) {
+    push("Scripts", String(prevScripts ?? "—"), String(prodScripts ?? "—"));
+  }
+
+  const hdrSummary = (h) => {
+    if (!h?.reachable) return "—";
+    const flags = [];
+    flags.push(h.csp?.present ? "CSP✓" : "CSP✗");
+    flags.push(h.hsts?.present ? `HSTS${h.hsts.preload ? "+preload" : ""}✓` : "HSTS✗");
+    flags.push(h.xFrameOptions?.present ? "XFO✓" : "XFO✗");
+    return flags.join(" ");
+  };
+  if (prev?.httpHeaders || prod?.httpHeaders) {
+    push("Headers", hdrSummary(prev?.httpHeaders), hdrSummary(prod?.httpHeaders));
+  }
+
+  const ckSummary = (c) => {
+    if (!c) return "—";
+    if (!c.reachable) return "unreachable";
+    const issues = [];
+    if (c.anyMissingSecure) issues.push("Secure");
+    if (c.anyMissingHttpOnly) issues.push("HttpOnly");
+    if (c.anyMissingSameSite) issues.push("SameSite");
+    const tag = issues.length ? `miss:${issues.join(",")}` : "all flags";
+    return `${c.count ?? 0} (${tag})`;
+  };
+  if (prev?.cookies || prod?.cookies) push("Cookies", ckSummary(prev?.cookies), ckSummary(prod?.cookies));
+
+  const smSummary = (s) => {
+    if (!s) return "—";
+    if (!s.reachable) return "unreachable";
+    if (s.exposed) return `${s.exposedCount} EXPOSED`;
+    return "none exposed";
+  };
+  if (prev?.sourceMaps || prod?.sourceMaps) push("Source maps", smSummary(prev?.sourceMaps), smSummary(prod?.sourceMaps));
+
+  const mcSummary = (m) => {
+    if (m === null || m === undefined) return "—";
+    if (typeof m === "number") return String(m);
+    if (typeof m === "object") {
+      if (typeof m.insecureCount === "number") return String(m.insecureCount);
+      if (typeof m.count === "number") return String(m.count);
+    }
+    return "—";
+  };
+  if (prev?.mixedContent !== null || prod?.mixedContent !== null) {
+    push("Mixed content", mcSummary(prev?.mixedContent), mcSummary(prod?.mixedContent));
+  }
+
+  const ppSummary = (p) => {
+    if (!p?.probed) return "—";
+    const protected_ = p.protectedCount ?? 0;
+    const exposed = p.exposedCount ?? 0;
+    const total = protected_ + exposed;
+    return total === 0 ? "0/0" : `${protected_}/${total} protected`;
+  };
+  if (prev?.protectedPaths || prod?.protectedPaths) {
+    push("Protected paths", ppSummary(prev?.protectedPaths), ppSummary(prod?.protectedPaths));
+  }
+
+  const certSummary = (c) => {
+    if (!c) return "—";
+    if (c.spkiSha256) return `${String(c.spkiSha256).slice(0, 10)}…`;
+    return c.issuer || "—";
+  };
+  if (prev?.cert || prod?.cert) push("Cert SPKI", certSummary(prev?.cert), certSummary(prod?.cert));
+
+  if (prev?.tlsVersion || prod?.tlsVersion) push("TLS", prev?.tlsVersion || "—", prod?.tlsVersion || "—");
+
+  const prevSub = prev?.publicSurface?.subdomainCount;
+  const prodSub = prod?.publicSurface?.subdomainCount;
+  if (prevSub !== undefined || prodSub !== undefined) {
+    push("Subdomains", String(prevSub ?? "—"), String(prodSub ?? "—"));
+  }
+
+  if (rows.length === 0) return null;
+
+  if (!verbose) {
+    // Compact 1-line summary: "✓ 9/9 signals match (preview ↔ production)"
+    const sameCount = rows.filter((r) => r.same).length;
+    const allMatch = sameCount === rows.length;
+    const symbol = allMatch ? color("green", "✓ ") : color("yellow", "~ ");
+    return symbol + color("bold", `${sameCount}/${rows.length} signals match`) + color("dim", " (preview ↔ production)");
+  }
+
+  // Verbose: per-row table
+  const lines = [];
+  lines.push("");
+  lines.push(color("bold", "Per-signal verification (preview ↔ production):"));
+  const nameWidth = Math.max(...rows.map((r) => r.name.length));
+  const prevWidth = Math.max(...rows.map((r) => r.prev.length));
+  for (const r of rows) {
+    const arrow = r.same ? color("dim", "↔") : color("yellow", "→");
+    const valueColor = r.same ? "dim" : "yellow";
+    lines.push(
+      "  " +
+      color("bold", r.name.padEnd(nameWidth)) + "  " +
+      color(valueColor, r.prev.padEnd(prevWidth)) + "  " +
+      arrow + "  " +
+      color(valueColor, r.prod)
+    );
+  }
+  return lines.join("\n");
+}
+
 // Helper: pretty-print 1-3 alerts (when ship_decision = review/block) ABOVE
 // the trust-posture line, so the actionable change is the FIRST thing the
 // customer sees. Each alert is one line with an emoji + concise summary.
@@ -2762,19 +2889,39 @@ async function runScanBasedDeployCheck(domain, args) {
         ];
   }
 
+  // v0.16.0 high-yield rendering — same shape as runOneScan but with the
+  // "first-deploy" context line above the brand header (since this path
+  // fires only when there's no baseline to diff against).
+  const verbose = isVerboseMode(args);
+  const highSevFindings = findings.filter((f) => severityRank(f.severity) >= 3);
+  const alertCount = highSevFindings.length;
+
   console.log("");
   console.log(color("dim", `  ℹ first deploy-check for ${domain} — using current scan state (no baseline yet to diff against)`));
   console.log("");
-  console.log(formatAiBanner({
-    domain,
-    kind: "scan",
-    dbr: report.score,
-    grade: report.grade,
-    maxSeverity: maxSev,
-    shipDecision,
-    unreachable,
-  }));
-  console.log(formatAiBody({ topIssue, whyMatters, nextActions }));
+  console.log(formatBrandHeader(domain));
+  console.log("");
+  console.log(formatDecisionPulse({ shipDecision, alertCount, unreachable, diffContext: true }));
+
+  if (unreachable) {
+    console.log(formatAiBody({ topIssue, whyMatters, nextActions }));
+  } else {
+    if (alertCount > 0) {
+      const alerts = formatAlertsLine(highSevFindings);
+      if (alerts) console.log(alerts);
+    }
+    const tpl = formatTrustPostureLine(report);
+    if (tpl) console.log(tpl);
+    const vsl = formatVerifiedSignalsLine(report);
+    if (vsl) console.log(vsl);
+    if (verbose) {
+      console.log("");
+      console.log(formatHighYieldVerbose(report));
+    } else {
+      console.log(color("dim", "  Run with --verbose to see all verified signals."));
+    }
+  }
+
   console.log(formatAiFooterBlock({
     status: shipDecision,
     domain,
@@ -2910,16 +3057,41 @@ async function runTrustDiffCommand(args) {
           `If not intentional: revert the deploy or investigate the drift source.`,
         ];
 
-    console.log("");
-    console.log(formatAiBanner({
+    // v0.16.0 high-yield rendering for trust-diff.
+    const verbose = isVerboseMode(args);
+    const diffNoChange = deltas.length === 0;
+    const fakeReport = {
       domain,
-      kind: "trust-diff",
-      dbr: result.current_score,
+      score: result.current_score,
       grade: result.current_grade,
-      maxSeverity: maxSev,
-      shipDecision,
-    }));
-    console.log(formatAiBody({ topIssue, whyMatters, nextActions }));
+      _meta: { lastChanged: result.last_changed },
+      sectorRanking: result.sectorRanking,
+    };
+
+    console.log("");
+    console.log(formatBrandHeader(domain));
+    console.log("");
+    console.log(formatDecisionPulse({ shipDecision, alertCount: deltas.length, unreachable: false, diffContext: true }));
+
+    if (deltas.length > 0) {
+      // Surface top deltas as alerts
+      const alertFindings = deltas.slice(0, 3).map((d) => ({
+        severity: d.severity || "medium",
+        title: d.title || d.what_changed || d.type || "drift",
+        id: d.id,
+      }));
+      const alerts = formatAlertsLine(alertFindings);
+      if (alerts) console.log(alerts);
+      if (deltas.length > 3) console.log(color("dim", `  +${deltas.length - 3} more (run with --verbose)`));
+    }
+    const tpl = formatTrustPostureLine(fakeReport);
+    if (tpl) console.log(tpl);
+    const vsl = formatVerifiedSignalsLine(fakeReport, { diffNoChange });
+    if (vsl) console.log(vsl);
+    if (!verbose) {
+      console.log(color("dim", "  Run with --verbose to see all verified signals."));
+    }
+
     console.log(formatAiFooterBlock({
       status: shipDecision,
       domain,
@@ -3123,16 +3295,82 @@ async function runPreviewDiffCommand(args) {
           `Each "- CSP weakened" or "~ HSTS weakened" reduces production safety.`,
         ];
 
-    console.log("");
-    console.log(formatAiBanner({
-      domain: result?.production?.domain || productionUrl,
-      kind: "preview-diff",
-      dbr: prevScore,
+    // v0.16.3 high-yield rendering for preview-diff. Uses the per-side
+    // `signals` snapshot returned by /api/preview-diff so the customer
+    // sees N vs N+1 on every signal (not just the binary "no drift").
+    // Falls back to the v0.16.2 shape when the server hasn't deployed
+    // the signals snapshot yet (older API response).
+    const verbose = isVerboseMode(args);
+    const diffNoChange = !hasUnexpectedDiff;
+    const prevSig = result?.preview?.signals || null;
+    const prodSig = result?.production?.signals || null;
+    // Brand header uses the production hostname (e.g. "quantapact.com")
+    // not the full Vercel preview URL, so the customer doesn't see
+    // "◆ Cipherwake — https://quantapact-k3y...vercel.app".
+    const headerDomain = result?.production?.hostname || result?.production?.domain || productionUrl;
+    // Synthesize a report-shaped object from the production-side signals
+    // snapshot so the existing trust-posture + verified-signals helpers
+    // (which read .score, .grade, .sectorRanking, .cookies, etc.) work
+    // without changes.
+    const reportLike = prodSig ? {
+      domain: headerDomain,
+      score: prodSig.score,
+      grade: prodSig.grade,
+      _meta: { lastChanged: prodSig.lastChanged },
+      sectorRanking: prodSig.sectorRanking,
+      publicDeps: prodSig.publicDeps ? { fetched: true, thirdParties: new Array(prodSig.publicDeps.thirdPartyCount || 0) } : null,
+      httpHeaders: prodSig.httpHeaders,
+      cookies: prodSig.cookies,
+      sourceMaps: prodSig.sourceMaps,
+      mixedContent: prodSig.mixedContent,
+      cert: prodSig.cert,
+      tlsVersion: prodSig.tlsVersion,
+      publicSurface: prodSig.publicSurface,
+      protectedPaths: prodSig.protectedPaths,
+    } : {
+      // Fallback: legacy server, only score/grade available.
+      domain: headerDomain,
+      score: prevScore,
       grade: result?.preview?.grade,
-      maxSeverity: maxSev,
-      shipDecision,
-    }));
-    console.log(formatAiBody({ topIssue, whyMatters, nextActions }));
+      _meta: { lastChanged: result?.production?.lastChanged },
+      sectorRanking: result?.production?.sectorRanking,
+    };
+    // Render top deltas as alert lines (1 per finding, max 3)
+    const deltaLines = summaryLines.filter((l) => !/no meaningful/i.test(l));
+
+    console.log("");
+    console.log(formatBrandHeader(headerDomain) + color("dim", "  (preview ↔ production)"));
+    console.log("");
+    console.log(formatDecisionPulse({ shipDecision, alertCount: deltaLines.length, unreachable: false, diffContext: true }));
+
+    if (deltaLines.length > 0) {
+      for (const dl of deltaLines.slice(0, 3)) {
+        const sym = dl.startsWith("⛔") || dl.startsWith("-") ? "red" : dl.startsWith("⚠") || dl.startsWith("~") ? "yellow" : "dim";
+        console.log(color(sym, dl));
+      }
+      if (deltaLines.length > 3) console.log(color("dim", `  +${deltaLines.length - 3} more (run with --verbose)`));
+    }
+    const tpl = formatTrustPostureLine(reportLike);
+    if (tpl) console.log(tpl);
+    const vsl = formatVerifiedSignalsLine(reportLike, { diffNoChange });
+    if (vsl) console.log(vsl);
+    // v0.16.3 — per-signal N vs N+1 comparison. Renders ALWAYS (default and
+    // --verbose), in different shapes:
+    //   - default: 1-line "9/9 signals match (preview ↔ production)" so the
+    //     customer sees the checks fired without scrolling
+    //   - --verbose: per-row table with both sides spelled out
+    const psl = formatPreviewDiffPerSignal(prevSig, prodSig, { verbose });
+    if (psl) console.log(psl);
+    if (!verbose) {
+      console.log(color("dim", "  Run with --verbose to see per-signal breakdown."));
+    }
+
+    // (Old banner + body removed in v0.16.2; new high-yield layout above
+    // replaces them. AI footer still lands below for downstream agents.)
+    if (verbose) {
+      console.log("");
+      console.log(formatAiBody({ topIssue, whyMatters, nextActions }));
+    }
     console.log(formatAiFooterBlock({
       status: shipDecision,
       domain: result?.production?.domain || productionUrl,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.16.0",
+  "version": "0.16.3",
   "description": "Deploy gate for AI-coded web apps. `pqcheck deploy-check --ai` returns ship_decision=pass|review|block for Claude Code / Cursor / Copilot / Aider to gate deploys before they ship. Anonymous, no signup, free for first use.",
   "keywords": [
     "ai-coder",