pqcheck 0.16.10 → 0.16.13

package/README.md

@@ -1,24 +1,50 @@
 # pqcheck
 
-> **A deploy gate for AI coding agents.** Tell Claude Code / Cursor / Copilot whether the site you just deployed is safe to announce — or whether your AI coworker should pause and ask you first.
+> **Type `npx pqcheck stripe.com`** (or any HTTPS domain) to scan its public posture in seconds — Decryption Blast Radius grade (0–10), letter (A–F), and findings ranked by severity. No signup, no API key, per-IP rate limited.
+>
+> **Or, for your own deploys:** wire `npx pqcheck deploy-check yourdomain.com --ai` into Claude Code / Cursor / Copilot. Your AI coder parses `ship_decision=pass|review|block` and decides whether to announce the deploy, ask you, or stop.
 
 [![npm version](https://img.shields.io/npm/v/pqcheck.svg?style=flat-square&color=06b6d4)](https://www.npmjs.com/package/pqcheck)
 [![npm downloads](https://img.shields.io/npm/dm/pqcheck.svg?style=flat-square&color=06b6d4)](https://www.npmjs.com/package/pqcheck)
 [![license](https://img.shields.io/npm/l/pqcheck.svg?style=flat-square&color=06b6d4)](./LICENSE)
 
+> **Latest: v0.16.12** — ⚠️ **Existing GitHub Action users:** one-line fix required in `.github/workflows/cipherwake.yml` (`uses: cipherwakelabs/pqcheck@v3` → `cipherwakelabs/pqcheck/action@v3`). The old ref was broken since v0.15 and silently failed every CI run; today's end-to-end test caught it. Re-running `pqcheck onboard` also regenerates the workflow correctly. Plus: README rewritten to advertise both `pqcheck <domain>` and `pqcheck deploy-check --ai` equally, rate limits corrected. [Full changelog →](./CHANGELOG.md)
+
+## Two ways to use it
+
+### 1. Scan any domain — no signup, no API key, no per-account quota
+
 ```bash
-npx pqcheck deploy-check yourdomain.com --ai
+npx pqcheck stripe.com
 ```
 
 ```
-◆ Cipherwake · yourdomain.com ⚠ REVIEW · DBR 4.1 C · HIGH
+◆ Cipherwake · stripe.com  DBR 2.3 B · 1 finding
 
 Top finding:
-  [HIGH] ECDHE-only — quantum-vulnerable key exchange
+  [MEDIUM] Intermediate cert uses RSA — quantum-vulnerable chain link
+
+Full report: https://cipherwake.io/r/stripe.com
+```
+
+Anonymous. Per-IP rate limited (120 scans/hour) for cost protection — that's it. Use it to spot-check a vendor before signing, audit a competitor's HTTPS posture, or just satisfy "I wonder how `<domain>` grades."
+
+### 2. Gate your own deploys with your AI coder
+
+```bash
+npx pqcheck deploy-check yourdomain.com --ai
+```
+
+```
+◆ Cipherwake · yourdomain.com ⚠ REVIEW · 2 changes since last scan · HIGH
+
+Surface changes:
+  + New third-party script: widget.intercom.io
+  ~ Strict-Transport-Security weakened: max-age=31536000 → max-age=3600
 
 CIPHERWAKE_AI_GUARD_RESULT
 ship_decision=review
-top_issue=tls.ecdhe_only_quantum_vulnerable
+top_issue=vendor.new_third_party_script
 END_CIPHERWAKE_AI_GUARD_RESULT
 ```
 
@@ -28,70 +54,108 @@ The last block — `CIPHERWAKE_AI_GUARD_RESULT` — is what your AI coding agent
 - **review** — stop and ask you what to do (your HTTPS posture drifted vs. last scan)
 - **block** — refuse to announce until you investigate (something critical changed)
 
-Zero install. Works in any terminal with Node 18+. Free, no signup, no API key required for first deploys.
+Zero install. Works in any terminal with Node 18+. Both modes are free — no signup, no API key required for first use of either.
 
 ## What pqcheck actually checks
 
-Each `pqcheck <domain>` scans your site's public HTTPS surface and produces:
+### Bare scan (`pqcheck <domain>`) — current-state posture grade
 
-- a **DBR score** (Decryption Blast Radius, 0–10) — how much of today's traffic would be readable to an attacker who's storing it now and waiting for quantum computers to break today's encryption (the "harvest-now, decrypt-later" risk, typically 5–10 years out per NIST timelines)
-- a **letter grade** (A–F)
-- a **findings list** ranked by severity — TLS cipher suites, certificate quality, security headers (CSP / HSTS / etc.), third-party scripts loaded by the page, key reuse across subdomains, and more
+Scans any public HTTPS surface and produces a **DBR score** (0–10), a **letter grade** (A–F), and a **findings list** ranked by severity. Same scanner that powers [cipherwake.io](https://cipherwake.io), the browser extension, and the GitHub Action — what it checks:
 
-You get the same scanner that powers [cipherwake.io](https://cipherwake.io), the browser extension, and the GitHub Action.
+- **TLS posture** — ciphersuite class, hybrid PQC key agreement (`X25519MLKEM768`), forward secrecy
+- **Certificate chain** — issuer, intermediate quality, key reuse across rotations (★ unique to pqcheck), wildcard / subdomain blast radius
+- **Security headers** — HSTS (preload + max-age), CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP, CORP
+- **Email security** — SPF, DMARC, DKIM (~30 selectors probed including Resend/Mailgun/SES), BIMI
+- **Supply chain** — every third-party script loaded by the page, graded for quantum risk
+- **Subdomain takeover** — fingerprint scan against AWS S3, GitHub Pages, Heroku, Shopify, Fastly, etc.
+
+### Deploy gate (`pqcheck deploy-check --ai`) — drift since your last scan
+
+Compares your site's public HTTPS surface *now* against your last scan and surfaces what changed:
+
+- **New third-party scripts** loading on the page that weren't there before (the Polyfill.io-class supply-chain risk)
+- **Header regressions** — CSP weakened, HSTS shortened or removed, X-Frame-Options dropped, permissive tokens (`'unsafe-inline'`, `*`) introduced
+- **Certificate / SPKI changes** — unexpected rotations, key reuse across renewals, intermediate-chain changes
+- **TLS posture changes** — ciphersuite shifts, hybrid PQC key-agreement added or removed
+- **Vendor surface changes** — new email senders (SPF/DMARC), new CDN origins, new analytics endpoints
+- **Subdomain takeover exposure** — new dangling CNAMEs
+
+The gate routes each change through the same DBR severity model above to decide `pass` / `review` / `block`. Cosmetic drift passes; high-severity drift (new script from an unknown origin, header regression that breaks defense-in-depth, cert SPKI change without a rotation event) triggers `review`; critical drift (expired cert served, takeover-vulnerable subdomain, malicious vendor injected) triggers `block`. DBR's full severity rubric: [/methodology/decryption-blast-radius](https://cipherwake.io/methodology/decryption-blast-radius).
+
+On **first use** with no prior scan to diff against, `deploy-check` falls back to the bare scan's absolute-posture grading to give you a baseline. Every subsequent run is drift-relative to the previous scan.
 
 ---
 
 ## Commands at a glance
 
+Grouped by intent: **deploy gate** (the flagship wedge) → **drift comparison** (the engine the gate runs on) → **AI setup / install** → **workflow scaffolds** → **committable artifacts** → **posture grade + tracking** → **diagnostic**. Every CLI command is listed here exactly once; flags / output formats / exit codes are in [Flags, formats & exit codes](#flags-formats--exit-codes) further down.
+
 | Command | What it gives you |
 |---|---|
-| `npx pqcheck <domain>` | The basic scan. Returns DBR score (0–10), letter grade (A–F), and a list of findings ranked by severity. The fastest way to ask "is my site's HTTPS posture healthy today?" |
-| `npx pqcheck deploy-check <domain> --ai` | The flagship command. Wraps the scan with `ship_decision=pass\|review\|block` for your AI coding agent to gate the deploy announcement. Works anonymously on first use; subsequent runs compare against the previous scan. |
+| **Deploy gate — the flagship wedge** | |
+| `npx pqcheck deploy-check <domain> --ai` | **The flagship.** Scans the domain, compares against the previous scan (first run sets the baseline), and emits a `ship_decision=pass\|review\|block` field your AI coding agent parses to decide whether to announce the deploy, ask you, or stop. Works anonymously — no signup needed. |
+| **`npx pqcheck guard --domain <D> -- <cmd>`** | **Deploy guard wrapper.** Wraps any deploy command. Runs `deploy-check` first; conditionally runs `<cmd>` based on `ship_decision`. Modes: `--gate-mode balanced` (default) / `advisory` / `strict`. ONE command instead of two — the strongest single artifact for AI-coder workflows because the AI never has to remember to chain check + deploy. |
+| **`--ai` flag** (any of the above) | **AI Coder Mode.** Three-layer output (banner / body / structured `CIPHERWAKE_AI_GUARD_RESULT` block) tuned for Claude Code / Cursor / Aider / Zed. Includes a `ship_decision=pass\|review\|block` field your AI coworker parses to decide whether to announce the deploy, ask you, or revert. See [/methodology/ai-coder-mode](https://cipherwake.io/methodology/ai-coder-mode). |
+| **Drift comparison — what the gate runs on** | |
 | `npx pqcheck trust-diff <domain>` | Compare today's HTTPS surface against a saved baseline (last week / last month / a saved CI baseline). For CI gates and release checklists. |
-| `npx pqcheck preview-diff --preview <URL> --production <URL>` | Compare a Vercel/Netlify preview deployment URL to production. Surfaces new third-party scripts, header regressions, and DBR score drops *inside the PR*, before merge. **v0.16.3** — now renders per-signal N vs N+1 status on every run (scripts, headers, cert SPKI, TLS, …) so you can see *every* check fired, not just "did something change." Add `--verbose` for the full side-by-side table. |
-| `npx pqcheck vendors export/check/sync <domain>` | Vendor lockfile (`cipherwake.vendors.json`) + CI gate that exits non-zero when a new third-party origin appears. Like `package-lock.json` for vendor scripts. |
+| `npx pqcheck preview-diff --preview <URL> --production <URL>` | Compare a Vercel/Netlify preview deployment URL to production. Surfaces new third-party scripts, header regressions, and DBR score drops *inside the PR*, before merge. Renders per-signal N vs N+1 status on every run (scripts, headers, cert SPKI, TLS, …) so you can see *every* check fired, not just "did something change." Add `--verbose` for the full side-by-side table. |
+| **AI setup / install** | |
+| **`npx pqcheck setup --auto --domain <D>`** | **One-command full setup for every AI coder.** Installs (idempotently): GitHub Action workflow, AI Coder Protocol across all detected rules files (Claude / Cursor / Copilot / Aider / Windsurf / Continue / Cline / AGENTS.md) using fenced markers (`<!-- CIPHERWAKE_AI_CODER_PROTOCOL_START/END -->`), git pre-push hook, Claude Code statusLine + 2 hooks (PostToolUse Bash + **UserPromptSubmit**), per-repo `.cipherwake/last-status.json` for Cursor / Copilot / Continue to read as context. Skip flags available. Backups taken before any `~/.claude/settings.json` write. Audit trail at `~/.config/cipherwake/install-prefs.json`; install manifest at `~/.config/cipherwake/install-manifest.json`. |
+| **`npx pqcheck setup --plan --domain <D>`** | **Dry-run mode.** Prints every file change `--auto` would make (target paths + operation type: create / append-markered / deep-merge / backup-first) without writing anything. Run this first when you're not sure what `--auto` will touch. |
+| **`npx pqcheck protocol install`** | **Opt-in installer** for the AI Coder Protocol — appends the pre-deploy verification rule to your `CLAUDE.md` / `.cursorrules` / `.aider.conf.yml` with explicit consent (Rule 17). One upfront question (auto / manual / no). Never silent writes. |
+| **`UserPromptSubmit` hook** | **Claude sees `ship_decision` before responding to every prompt.** When `pqcheck setup --auto` runs, it wires `cipherwake-prompt-hook` as a Claude Code UserPromptSubmit hook. On every user prompt, the hook injects `additionalContext` with the current scan's `ship_decision` IF it's `review`/`block` and the state is <24h old. Silent when state is missing, stale, or `pass`. Different timing from the PostToolUse chat-hook: this fires *before* Claude thinks (proactive), the chat-hook fires *after* a Bash command (reactive). |
+| **Per-repo state file** `.cipherwake/last-status.json` | **Cursor / Copilot / Continue read this for workspace context.** Every `pqcheck` scan writes the same payload as the per-user file. Created by `setup --auto`; auto-added to `.gitignore` (per-developer state, not committable). Gives AI agents inside VS Code-family editors a repo-local artifact they pick up automatically when reading workspace files. |
+| **Workflow scaffolds** | |
 | `npx pqcheck onboard <domain>` | One command: scan → scaffold the GitHub Action → capture a vendor lockfile → set a baseline → commit + push. Zero copy-paste from docs. |
-| **`npx pqcheck guard --domain <D> -- <cmd>`** 🆕 | **Deploy guard wrapper.** Wraps any deploy command. Runs `deploy-check` first; conditionally runs `<cmd>` based on `ship_decision`. Modes: `--gate-mode balanced` (default) / `advisory` / `strict`. ONE command instead of two — the strongest single artifact for AI-coder workflows because the AI never has to remember to chain check + deploy. |
-| **`npx pqcheck protocol install`** 🆕 | **Opt-in installer** for the AI Coder Protocol — appends the pre-deploy verification rule to your `CLAUDE.md` / `.cursorrules` / `.aider.conf.yml` with explicit consent (Rule 17). One upfront question (auto / manual / no). Never silent writes. |
-| **`npx pqcheck setup --auto --domain <D>`** 🆕 | **One-command full setup for every AI coder.** Installs (idempotently): GitHub Action workflow, AI Coder Protocol across all detected rules files (Claude / Cursor / Copilot / Aider / Windsurf / Continue / Cline / AGENTS.md) using fenced markers (`<!-- CIPHERWAKE_AI_CODER_PROTOCOL_START/END -->`), git pre-push hook, Claude Code statusLine + 2 hooks (PostToolUse Bash + **UserPromptSubmit** ⓝ), per-repo `.cipherwake/last-status.json` for Cursor / Copilot / Continue to read as context. Skip flags available. Backups taken before any `~/.claude/settings.json` write. Audit trail at `~/.config/cipherwake/install-prefs.json`; install manifest at `~/.config/cipherwake/install-manifest.json`. |
-| **`UserPromptSubmit` hook** (v0.15.1 ⓝ) | **Claude sees `ship_decision` before responding to every prompt.** When `pqcheck setup --auto` runs, it wires `cipherwake-prompt-hook` as a Claude Code UserPromptSubmit hook. On every user prompt, the hook injects `additionalContext` with the current scan's `ship_decision` IF it's `review`/`block` and the state is <24h old. Silent when state is missing, stale, or `pass`. Different timing from the PostToolUse chat-hook: this fires *before* Claude thinks (proactive), the chat-hook fires *after* a Bash command (reactive). |
-| **Per-repo state file** `.cipherwake/last-status.json` (v0.15.1 ⓝ) | **Cursor / Copilot / Continue read this for workspace context.** Every `pqcheck` scan writes the same payload as the per-user file. Created by `setup --auto`; auto-added to `.gitignore` (per-developer state, not committable). Gives AI agents inside VS Code-family editors a repo-local artifact they pick up automatically when reading workspace files. |
-| **`npx pqcheck setup --plan --domain <D>`** 🆕 | **Dry-run mode.** Prints every file change `--auto` would make (target paths + operation type: create / append-markered / deep-merge / backup-first) without writing anything. Run this first when you're not sure what `--auto` will touch. |
-| **`npx pqcheck debug-network`** 🆕 | **Connectivity diagnostic.** Probes cipherwake.io API, homepage, crt.sh upstream, and the direct Vercel URL (bypassing Cloudflare). Reports HTTP status + timing per hop. Use when "scan hung" / "command not found" / corporate proxy issues come up — surfaces the actual broken hop with an actionable cause list. |
-| **`--ai` flag** (any of the above) | **AI Coder Mode** (0.15.0). Three-layer output (banner / body / structured `CIPHERWAKE_AI_GUARD_RESULT` block) tuned for Claude Code / Cursor / Aider / Zed. Includes a `ship_decision=pass\|review\|block` field your AI coworker parses to decide whether to announce the deploy, ask you, or revert. See [/methodology/ai-coder-mode](https://cipherwake.io/methodology/ai-coder-mode). |
+| `npx pqcheck init` | Interactive scaffold for `.github/workflows/cipherwake.yml`. Use when you want manual control instead of `onboard`'s all-in-one flow. |
+| `npx pqcheck release-checklist [domain]` | Pre-release trust checklist (markdown, offline). Paste into release notes. |
+| `npx pqcheck vendors export/check/sync <domain>` | Vendor lockfile (`cipherwake.vendors.json`) + CI gate that exits non-zero when a new third-party origin appears. Like `package-lock.json` for vendor scripts. |
+| **Committable artifacts (SBOM-style)** | |
+| `npx pqcheck lock <domain>` | Generate `cipherwake.lock` (QXM committable manifest) + human-readable `cipherwake-report.md`. SBOM-style artifact for quantum exposure — commit both, diff in PRs. |
+| `npx pqcheck diff <old.lock> <new.lock>` | Compare two QXM lockfiles; exit 2 on regression. For CI PR-comment diffs. |
+| `npx pqcheck deps <domain>` | Scan all third-party origins on the page (supply-chain HNDL grading). `--lock` writes `cipherwake-deps.lock` + `.md`; `--allowlist`, `--baseline`, `--fail-on-new` for CI vendor gates. |
+| `npx pqcheck cert <file.pem>` | Analyze a local PEM/CRT cert file offline (no network). |
+| **Posture grade + tracking** | |
+| `npx pqcheck <domain>` | **Posture grade (no diff baseline).** Returns DBR score (0–10), letter grade (A–F), and a list of findings ranked by severity. Use when you want a one-shot health check without setting up a baseline — for first-time audits, ad-hoc spot checks, or grading a domain you don't own. For ongoing deploys, use `deploy-check` instead. |
+| `npx pqcheck history <domain>` | 90-day score history (sparkline + samples). `--days <N>` to change window. |
+| `npx pqcheck changes <domain>` | Summarize public attack-surface changes in last 14 days. |
+| `npx pqcheck watch <domain>` | Add domain to your watched list on the server (needs `CIPHERWAKE_API_KEY`). Distinct from the `--watch <secs>` flag, which is local polling. |
+| **Diagnostic** | |
+| **`npx pqcheck debug-network`** | **Connectivity diagnostic.** Probes cipherwake.io API, homepage, crt.sh upstream, and the direct Vercel URL (bypassing Cloudflare). Reports HTTP status + timing per hop. Use when "scan hung" / "command not found" / corporate proxy issues come up — surfaces the actual broken hop with an actionable cause list. |
 
 Free tier covers all of the above within 100 Trust Diff calls/month per repo via OIDC. **Founder Pro** ($19.99/mo, locked while subscription active) raises that to 5,000 calls/month + unlocks custom thresholds, vendor lockfile, CI fail rules, and 5 watched domains. Single-domain scans (`npx pqcheck <domain>`) are anonymous + rate-limited per IP — no account or key needed. `npx pqcheck deploy-check <domain> --ai` also works fully anonymously for first-deploy gating.
 
 ### AI Coder Mode in 30 seconds
 
 ```bash
-npx pqcheck cipherwake.io --ai
+npx pqcheck deploy-check cipherwake.io --ai
 ```
 
 Output:
 
 ```
-◆ Cipherwake · cipherwake.io ⚠ REVIEW · DBR 4.1 C · HIGH
+◆ Cipherwake · cipherwake.io ⚠ REVIEW · 1 change since last scan · HIGH
 
-Top finding:
-  [HIGH] ECDHE-only — quantum-vulnerable key exchange
+Surface changes:
+  + New third-party script: widget.intercom.io
+    Loaded from an origin not present in your last scan.
 
 Why it matters:
-  Forward-secret against classical attackers. Shor's algorithm decrypts
-  recorded handshakes once a CRQC exists.
+  New third-party scripts execute in full page context. A script that
+  appeared without an intentional code change = supply-chain risk vector
+  (Polyfill.io-class). Confirm it was added on purpose.
 
 Recommended next action:
-  Review finding above and decide if it was intentional.
+  Review the change above and decide if it was intentional.
   View full report: https://cipherwake.io/r/cipherwake.io
-  Re-scan with --fresh after fix: npx pqcheck cipherwake.io --fresh --ai
+  Re-scan after fix: npx pqcheck deploy-check cipherwake.io --ai
 
 CIPHERWAKE_AI_GUARD_RESULT
 status=review
 domain=cipherwake.io
 ship_decision=review
 max_severity=high
-top_issue=tls.ecdhe_only_quantum_vulnerable
+top_issue=vendor.new_third_party_script
 advisory_only=true
 END_CIPHERWAKE_AI_GUARD_RESULT
 ```
@@ -215,15 +279,7 @@ npx pqcheck vendors sync mycompany.com      # Founder Pro — pull dashboard all
 
 `pqcheck deps` also surfaces a one-line site-wide **CSP verdict** above the supply-chain table (`✗ No CSP enforcement` / `⚠ CSP is permissive` / `✓ Strict CSP enforced`) and friendly vendor labels (`New Relic · errors` / `Cloudflare · cdn` / `Adobe Fonts · fonts`) instead of raw hostnames. Same data shape ships on `/r/<domain>` and in the browser extension.
 
-### Developer habit-loop subcommands
-
-```bash
-npx pqcheck init                # interactive scaffold for .github/workflows/cipherwake.yml
-npx pqcheck deploy-check        # pre-deploy gate (Trust Diff alias, last-scan baseline)
-npx pqcheck release-checklist   # markdown trust checklist for release notes (offline)
-```
-
-The GitHub Action posts a **sticky PR comment** with results when `comment-on-pr: true` is set on `pull_request` events. Comment auto-edits on subsequent pushes — no spam.
+> **GitHub Action note:** when scaffolded via `pqcheck onboard` or `pqcheck init`, the Action posts a **sticky PR comment** with results when `comment-on-pr: true` is set on `pull_request` events. The comment auto-edits on subsequent pushes — no spam.
 
 ---
 
@@ -243,33 +299,9 @@ Plus a full ASM check suite for credibility:
 - **HTTP header security** — HSTS (with preload + max-age), CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP, CORP
 - **Subdomain takeover detection** — fingerprint-based scan against AWS S3, GitHub Pages, Heroku, Shopify, Fastly, etc.
 
-## Commands
+## Flags, formats & exit codes
 
-```
-npx pqcheck <domain>                          Scan + print human-readable report
-npx pqcheck lock <domain>                     Generate cipherwake.lock (QXM) committable manifest
-npx pqcheck deps <domain>                     Scan all third-party origins on the page (supply-chain HNDL)
-npx pqcheck diff <old.lock> <new.lock>        Compare two QXM lockfiles; exit 2 on regression
-npx pqcheck history <domain>                  Show 90-day score history (sparkline + samples)
-npx pqcheck changes <domain>                  Summarize public attack-surface changes in last 14 days
-npx pqcheck cert <file.pem>                   Analyze a local PEM/CRT cert file (offline, no network)
-npx pqcheck trust-diff <domain>               Trust Diff vs configured baseline; CI gate (Free: 100/repo/mo)
-npx pqcheck preview-diff --preview U --production U  Preview-URL vs production-URL diff; new scripts + header regressions + score drops (NEW in 0.14.0)
-npx pqcheck deploy-check <domain>             Pre-deploy gate (Trust Diff alias with last-scan baseline)
-npx pqcheck onboard <domain>                  One-command setup wizard (scan + init + vendors + checklist)
-npx pqcheck init                              Interactive scaffold for .github/workflows/cipherwake.yml
-npx pqcheck release-checklist [domain]        Pre-release trust checklist (markdown, offline)
-npx pqcheck vendors export <domain>           Write cipherwake.vendors.json from observed third-party scripts
-npx pqcheck vendors check <domain>            CI gate; exit 4 on new origins not in lockfile
-npx pqcheck vendors sync <domain>             Pull dashboard allowlist into lockfile (Founder Pro, needs API key)
-npx pqcheck watch <domain>                    Add domain to your watched list (needs CIPHERWAKE_API_KEY)
-npx pqcheck guard --domain <D> -- <cmd>       AI Coder Mode (0.15.0) — wrap any deploy command with a Trust Diff gate
-npx pqcheck deploy-check <D> --ai             AI Coder Mode (0.15.0) — frictionless first-deploy, anonymous, emits CIPHERWAKE_AI_GUARD_RESULT block
-npx pqcheck setup --auto --domain <D>         AI Coder Mode (0.15.0) — one-command install across CLAUDE.md/.cursorrules/.github + git pre-push hook + statusline
-npx pqcheck setup --plan --domain <D>         AI Coder Mode (0.15.0) — dry-run: print every file change before --auto writes anything
-npx pqcheck protocol install --auto           AI Coder Mode (0.15.0) — append AI Coder Protocol to detected rules files (idempotent, fenced markers)
-npx pqcheck debug-network                     Probe upstream connectivity (cipherwake.io / crt.sh / Vercel) — for "scan hung" diagnosis
-```
+Every CLI command is documented in [Commands at a glance](#commands-at-a-glance) above. What follows is reference material for usage patterns, flags, output formats, and exit codes shared across commands.
 
 ### Multi-domain
 
@@ -422,7 +454,7 @@ curl -s "https://www.cipherwake.io/api/scan?domain=stripe.com" | jq '.grade, .sc
 
 Full API reference at [cipherwake.io/api](https://cipherwake.io/api).
 
-**Rate limits:** 300 scans per hour per IP, 20 `--fresh` (force-refresh) scans per hour per IP. No API key required. Returns HTTP 429 if exceeded — back off and retry, or [let us know via the feedback form](https://cipherwake.io/feedback) if you need higher limits (we're prioritizing the API tier based on real demand).
+**Rate limits:** 120 scans per hour per IP for anonymous CLI use, 20 `--fresh` (force-refresh) scans per hour per IP. **Authenticated paths bypass this:** GitHub Actions OIDC (Free = 100 calls/month per repo) and API key (Founder Pro = 5,000/month per account) each have their own per-account / per-repo quota with no per-IP cap. No API key required for the anonymous path. Returns HTTP 429 if exceeded — back off and retry, or [let us know via the feedback form](https://cipherwake.io/feedback) if you need higher limits.
 
 ## Methodology
 

package/bin/cipherwake-statusline.js

@@ -109,6 +109,10 @@ const {
   domain, score, grade, ship_decision, written_at, max_severity, unreachable,
   // v0.16.4 — preview-diff-specific fields for the 4-line render
   kind, delta_count, diff_no_change, sector_ranking, verified_signal_categories, last_changed,
+  // v0.16.11 — top finding ID so REVIEW/BLOCK lines say WHAT'S WRONG
+  // inline. Without this, the customer sees "⚠ REVIEW" with no cause and
+  // has to run a separate `pqcheck deploy-check --ai` to find out why.
+  top_issue,
 } = state;
 const age = ageHours(written_at);
 
@@ -179,6 +183,41 @@ if (!isUnreachable && stabilitySource) {
   else stabilitySegment = ` · stable ${days}d`;
 }
 
+// v0.16.11 — terse human label for the top_issue finding ID. Only rendered
+// when ship_decision is review or block (the cases where the customer needs
+// to know WHY without running another command). Mapping covers the
+// finding IDs from lib/findingRegistry.ts that drive verdicts; for unknown
+// IDs, derive a fallback by taking the last dotted segment and replacing
+// underscores with spaces. "as few words as possible" — typical render is
+// 2-4 words; never more than ~30 chars.
+const TOP_ISSUE_LABELS = {
+  "chain.weakest_link.intermediate": "weak intermediate cert",
+  "chain.weakest_link.root":         "weak root cert",
+  "tls.ecdhe_only_quantum_vulnerable": "quantum-vulnerable kex",
+  "tls.pqc_test_inconclusive_scanner_limit": "PQC test inconclusive",
+  "tls.rsa_kex_only":                "RSA kex only",
+  "tls.rsa_kex_fallback":            "RSA fallback",
+  "tls.rsa_kex_accepted_legacy":     "RSA kex accepted",
+  "tls.version_obsolete":            "obsolete TLS",
+  "tls.domain_unreachable":          "unreachable",
+  "email.spf.missing":               "no SPF",
+  "email.dmarc.missing":             "no DMARC",
+  "email.dkim.missing":              "no DKIM",
+};
+function topIssueLabel(id) {
+  if (!id || id === "none") return null;
+  if (TOP_ISSUE_LABELS[id]) return TOP_ISSUE_LABELS[id];
+  // Fallback: last dotted segment, underscores → spaces, cap 30 chars.
+  const tail = String(id).split(".").pop() || id;
+  return tail.replace(/_/g, " ").slice(0, 30);
+}
+const issueSegment = (!isUnreachable && (ship_decision === "review" || ship_decision === "block"))
+  ? (() => {
+      const label = topIssueLabel(top_issue);
+      return label ? ` · ${label}` : "";
+    })()
+  : "";
+
 process.stdout.write(
   c(cdec, "◆") +
     " " +
@@ -188,6 +227,6 @@ process.stdout.write(
     " " +
     c(C.bold, displayDomain) +
     " " +
-    c(cdec, `${symbol} ${labelWord}`) +
+    c(cdec, `${symbol} ${labelWord}${issueSegment}`) +
     c(C.dim, `${dbrSegment}${stabilitySegment} · ${formatAge(written_at)}`)
 );

package/bin/pqcheck.js

@@ -24,9 +24,9 @@
 })();
 
 const API_BASE = process.env.PQCHECK_API_BASE || "https://cipherwake.io";
-const VERSION = "0.16.10";
+const VERSION = "0.16.13";
 
-// API-key support — paid tiers (Starter $29 / Growth $79 / Scale $199) get
+// API-key support — paid tier (Founder Pro $19.99/mo launch pricing, locked while sub active) gets
 // per-account monthly quotas instead of the per-IP rate limit. Set via:
 //   export CIPHERWAKE_API_KEY=qpk_<32-hex>
 // Anonymous CLI use still works (no env var → falls back to IP rate limit).
@@ -95,6 +95,16 @@ async function main() {
     process.exit(0);
   }
 
+  // v0.16.13: opportunistic update-check banner. Reads cached registry
+  // result from disk and prints a one-line stderr banner if a newer
+  // version is published; refreshes the cache in the background for next
+  // time. Never blocks the command. See maybeShowVersionBanner() for the
+  // full rationale (TL;DR: prevents the npx-cached-stale-version trap
+  // that caused 0.7.0 to silently run for months on existing users).
+  // Awaited so the banner appears BEFORE the command output for visibility,
+  // but it only reads a tiny file (no network on hot path).
+  await maybeShowVersionBanner(args);
+
   // Subcommand dispatch.
   if (args[0] === "lock") {
     return runLockCommand(args.slice(1));
@@ -759,6 +769,169 @@ function formatAiFooterBlock(fields) {
   return color("dim", lines.join("\n"));
 }
 
+// v0.16.13 — fail-loud AI guard for fetch/quota/server errors during
+// deploy-check. Without this, a network blip during `pqcheck deploy-check
+// --ai` would print a red error to stderr and exit 3 — but the AI Coder
+// Protocol relies on the CIPHERWAKE_AI_GUARD_RESULT block. Missing block =
+// AI agent assumes "no signal" and may continue shipping. The fix: in AI
+// mode, always emit a block with ship_decision=review and a top_issue code
+// the agent can route on. Behaviour in non-AI text mode is unchanged.
+function emitAiGuardReviewAndExit(args, errorDetail) {
+  if (parseAiMode(args)) {
+    const positional = args.filter((a) => !a.startsWith("-"));
+    const domain = positional[0] || "";
+    const baseline = parseFlag(args, "--baseline") || "last-scan";
+    try {
+      console.log("");
+      console.log(formatBrandHeader(domain));
+      console.log("");
+      console.log(color("yellow", "  ⚠ REVIEW — Cipherwake deploy-check could not complete"));
+      console.log(color("dim",    `  ${errorDetail.message}`));
+      console.log(color("dim",    "  Treating as REVIEW per fail-safe policy. Do NOT announce the deploy until you manually verify or rerun the check successfully."));
+      console.log(formatAiFooterBlock({
+        status: "review",
+        domain,
+        kind: "trust-diff",
+        baseline,
+        verdict: "review",
+        delta_count: 0,
+        max_severity: "unknown",
+        ship_decision: "review",
+        top_issue: errorDetail.code,
+        top_issue_title: errorDetail.message,
+        dbr: "",
+        grade: "",
+        quota_used: "",
+        quota_limit: "",
+        scanned_at: new Date().toISOString(),
+        advisory_only: "true",
+        error: errorDetail.code,
+      }));
+      console.log("");
+      // Persist the review state so the IDE statusbar reflects the failure
+      // (otherwise the bar stays on the previous successful scan).
+      writeLastScanFile({
+        domain,
+        kind: "trust-diff",
+        score: null,
+        grade: null,
+        max_severity: "unknown",
+        ship_decision: "review",
+        baseline,
+        delta_count: 0,
+        top_issue: errorDetail.code,
+        error: errorDetail.code,
+      }).catch(() => { /* best-effort */ });
+    } catch {
+      // even error path must not throw — fall through to exit
+    }
+  }
+  process.exit(errorDetail.exitCode ?? 3);
+}
+
+// v0.16.13 — opportunistic version check. Reads a small cache file on cold
+// start; if a newer version is in cache AND we haven't already banner'd
+// today, prints a banner to stderr. Separately, if cache is >24h old, fires
+// off a background fetch (non-blocking) whose result lands for the NEXT
+// invocation. Zero network on hot path. Skipped in machine-readable formats
+// (JSON/SARIF/github) so it never pollutes scripted output. The banner
+// helps users who installed via `npx pqcheck` months ago and have a stale
+// version cached in ~/.npm/_npx/ that they don't know is stale.
+const VERSION_CHECK_TTL_MS = 24 * 60 * 60 * 1000;
+const VERSION_REGISTRY_URL = "https://registry.npmjs.org/pqcheck";
+
+async function maybeShowVersionBanner(args) {
+  // Skip in machine-parsed output formats.
+  const format = parseFlag(args, "--format");
+  if (format === "json" || format === "sarif" || format === "github") return;
+  // Skip if explicitly disabled (env opt-out).
+  if (process.env.PQCHECK_NO_UPDATE_CHECK === "1") return;
+
+  try {
+    const os = await import("node:os");
+    const path = await import("node:path");
+    const fs = await import("node:fs/promises");
+
+    const cacheDir = path.join(os.homedir(), ".config", "cipherwake");
+    const cachePath = path.join(cacheDir, "version-check.json");
+
+    let cached = null;
+    try {
+      cached = JSON.parse(await fs.readFile(cachePath, "utf8"));
+    } catch {
+      // first run or unreadable — fall through
+    }
+
+    const now = Date.now();
+    const stale = !cached || !cached.checked_at || (now - cached.checked_at) > VERSION_CHECK_TTL_MS;
+
+    // 1. If cache has a known-newer version, print banner now (synchronous,
+    //    cheap, no network).
+    if (cached && cached.latest && isNewerVersion(cached.latest, VERSION)) {
+      const lastShownAt = cached.last_shown_at || 0;
+      const showThrottleMs = 6 * 60 * 60 * 1000; // at most once per 6h
+      if (now - lastShownAt > showThrottleMs) {
+        process.stderr.write(
+          color("yellow", `\n  ⬆ pqcheck ${cached.latest} is available `) +
+          color("dim",    `(you have ${VERSION}) — run: `) +
+          color("bold",   "npm i -g pqcheck@latest") +
+          color("dim",    "  (or: rm -rf ~/.npm/_npx && npx pqcheck@latest ...)\n\n")
+        );
+        // Persist that we just shown the banner so we don't spam.
+        await fs.mkdir(cacheDir, { recursive: true });
+        await fs.writeFile(cachePath, JSON.stringify({ ...cached, last_shown_at: now }, null, 2));
+      }
+    }
+
+    // 2. If cache is stale, fire-and-forget a registry fetch so the NEXT
+    //    cold start has fresh data. Detached from the await chain so it
+    //    never delays exit.
+    if (stale) {
+      void refreshVersionCacheInBackground(cachePath);
+    }
+  } catch {
+    // best-effort — never break the CLI for an update check
+  }
+}
+
+async function refreshVersionCacheInBackground(cachePath) {
+  try {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 2500);
+    const resp = await fetch(VERSION_REGISTRY_URL, {
+      headers: { "Accept": "application/json", "User-Agent": `pqcheck-cli/${VERSION}` },
+      signal: controller.signal,
+    });
+    clearTimeout(timeout);
+    if (!resp.ok) return;
+    const body = await resp.json();
+    const latest = body?.["dist-tags"]?.latest;
+    if (!latest) return;
+    const fs = await import("node:fs/promises");
+    const path = await import("node:path");
+    await fs.mkdir(path.dirname(cachePath), { recursive: true });
+    // Preserve last_shown_at so we don't reset the throttle on every refresh.
+    let prior = {};
+    try { prior = JSON.parse(await fs.readFile(cachePath, "utf8")); } catch { /* none */ }
+    await fs.writeFile(cachePath, JSON.stringify({
+      ...prior,
+      latest,
+      checked_at: Date.now(),
+    }, null, 2));
+  } catch {
+    // best-effort
+  }
+}
+
+function isNewerVersion(remote, local) {
+  const parse = (v) => String(v).split(".").map((n) => parseInt(n, 10) || 0);
+  const [a, b, c] = parse(remote);
+  const [x, y, z] = parse(local);
+  if (a !== x) return a > x;
+  if (b !== y) return b > y;
+  return c > z;
+}
+
 // v0.16.0 — high-yield output formatters.
 //
 // Design (per user direction 2026-05-22): every scan should deliver
@@ -1291,7 +1464,7 @@ function printMarkdown(r, multi) {
   // not the old "watch free / weekly digest"). PR-comment context plants
   // team-invitation idea for the eventual Growth tier upgrade.
   lines.push(`📌 **Monitor ${r.domain} continuously?** ${API_BASE}/watch/${encodeURIComponent(r.domain)}`);
-  lines.push(`Cipherwake Starter $29/mo · 5 domains · daily scans + email alerts on cert/script/posture changes. Invite your team on Growth ($79/mo) when ready.`);
+  lines.push(`Cipherwake Founder Pro $19.99/mo (launch pricing, locked while subscription active) · 5 watched domains · daily scans · full CI Trust Gate · approved-vendor allowlist · webhook delivery (Slack incoming-webhook URLs work).`);
   if (multi) lines.push("\n---\n");
   console.log(lines.join("\n"));
 }
@@ -1421,7 +1594,7 @@ function printReport(r) {
   // 2026-05-14: copy must match current locked revenue plan ($29 Starter,
   // not the old "free 1-domain weekly digest").
   console.log(color("violet", `  📌 Monitor ${r.domain} daily: ${API_BASE}/watch/${encodeURIComponent(r.domain)}`));
-  console.log(color("dim",    `     Cipherwake Starter $29/mo · 5 watched domains · email alerts · cancel anytime`));
+  console.log(color("dim",    `     Cipherwake Founder Pro $19.99/mo · 5 watched domains · email alerts · launch pricing locked while subscription active · cancel anytime`));
   console.log("");
   console.log(color("dim",    `  → Full report: ${API_BASE}/?check=${encodeURIComponent(r.domain)}`));
   console.log(color("dim",    `  → Share this:  ${API_BASE}/r/${encodeURIComponent(r.domain)}`));
@@ -3040,19 +3213,33 @@ async function runTrustDiffCommand(args) {
     });
   } catch (err) {
     console.error(color("red", `error: network failure calling /api/trust-diff: ${err.message}`));
-    process.exit(3);
+    // v0.16.13: in AI mode, emit a ship_decision=review block so the
+    // calling agent doesn't silently treat a fetch failure as "no signal".
+    return emitAiGuardReviewAndExit(args, {
+      code: "deploy_check_fetch_failed",
+      message: `Network failure: ${err?.message || "fetch failed"}`,
+      exitCode: 3,
+    });
   }
 
   if (resp.status === 401 || resp.status === 403) {
     await handleAuthError(resp);
-    process.exit(3);
+    return emitAiGuardReviewAndExit(args, {
+      code: "deploy_check_auth_failed",
+      message: `Authorization failed (${resp.status}). Check CIPHERWAKE_API_KEY or hit /account#api-keys.`,
+      exitCode: 3,
+    });
   }
   if (resp.status === 429) {
     const body = await safeJSON(resp);
     console.error(color("red", "error: Trust Diff API quota exceeded"));
     if (body?.message) console.error(color("dim", body.message));
     console.error(color("dim", "Higher quota via free API key (no card): https://cipherwake.io/account#api-keys"));
-    process.exit(3);
+    return emitAiGuardReviewAndExit(args, {
+      code: "deploy_check_quota_exceeded",
+      message: body?.message || "Trust Diff monthly quota exceeded — upgrade or wait for monthly reset.",
+      exitCode: 3,
+    });
   }
   // R74-confirm friction fix #2 (GPT 2026-05-22): 404 on first-deploy is
   // expected — the domain has never been scanned, so there's no baseline to
@@ -3069,7 +3256,11 @@ async function runTrustDiffCommand(args) {
     console.error(color("red", `error: /api/trust-diff returned ${resp.status}`));
     if (body?.message) console.error(color("dim", body.message));
     if (body?.hint) console.error(color("dim", body.hint));
-    process.exit(3);
+    return emitAiGuardReviewAndExit(args, {
+      code: "deploy_check_server_error",
+      message: body?.message || `Cipherwake server returned ${resp.status}.`,
+      exitCode: 3,
+    });
   }
 
   const result = await resp.json();
@@ -4232,7 +4423,7 @@ function renderReleaseChecklist(domain, opts = {}) {
 // `pqcheck init` — interactive workflow scaffold (habit-loop #4, locked 2026-05-16)
 // =============================================================================
 // Writes a ready-to-commit .github/workflows/cipherwake.yml that calls
-// cipherwakelabs/pqcheck@v3 in trust-diff mode. Zero copy-paste docs friction.
+// cipherwakelabs/pqcheck/action@v3 in trust-diff mode. Zero copy-paste docs friction.
 //
 // Flags:
 //   --domain <d>       Skip the domain prompt
@@ -4409,7 +4600,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Run Cipherwake Trust Diff
-        uses: cipherwakelabs/pqcheck@v3
+        uses: cipherwakelabs/pqcheck/action@v3
         with:
           mode: trust-diff
           domain: ${domain}
@@ -4417,7 +4608,7 @@ jobs:
           fail-on: ${failOn}
         # No env/secrets needed for Free tier — the action uses the
         # workflow's id-token: write permission to fetch a GitHub-signed
-        # OIDC token and meters per repo (30 calls/mo, no setup).
+        # OIDC token and meters per repo (100 calls/mo, no setup).
         # If you want higher limits, link this repo to a paid Cipherwake
         # account at https://cipherwake.io/account → Linked repos.
 `;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.16.10",
+  "version": "0.16.13",
   "description": "Deploy gate for AI-coded web apps. `pqcheck deploy-check --ai` returns ship_decision=pass|review|block for Claude Code / Cursor / Copilot / Aider to gate deploys before they ship. Anonymous, no signup, free for first use.",
   "keywords": [
     "ai-coder",