pqcheck 0.16.16 → 0.16.18

package/README.md

@@ -8,7 +8,7 @@
 [![npm downloads](https://img.shields.io/npm/dm/pqcheck.svg?style=flat-square&color=06b6d4)](https://www.npmjs.com/package/pqcheck)
 [![license](https://img.shields.io/npm/l/pqcheck.svg?style=flat-square&color=06b6d4)](./LICENSE)
 
-> **Latest: v0.16.16** — `pqcheck setup` now defaults to per-project install of the Claude Code statusLine + hooks (`./.claude/settings.json` instead of `~/.claude/settings.json`). The Cipherwake badge will only fire in projects where you ran setup, not across every Claude Code session on the machine. Pass `--scope global` to opt back into machine-wide install. [Full changelog →](./CHANGELOG.md)
+> **Latest: v0.16.18** — `--version` now reads dynamically from `package.json` instead of a hardcoded constant. Prior releases (0.16.16, 0.16.17) shipped with the constant left at `0.16.15`, so AI agents citing "I ran pqcheck X.Y.Z" were citing the wrong version. Single source of truth from here on; locked by a unit test against future drift. [Full changelog →](./CHANGELOG.md)
 
 ## Two ways to use it
 

package/bin/pqcheck.js

@@ -24,7 +24,27 @@
 })();
 
 const API_BASE = process.env.PQCHECK_API_BASE || "https://cipherwake.io";
-const VERSION = "0.16.15";
+
+// v0.16.18 — read VERSION dynamically from package.json so it can never
+// drift from the published npm version again. Prior to this, the constant
+// was hardcoded and required a manual edit on every release — and the
+// 0.16.16/0.16.17 publishes shipped with VERSION="0.16.15" because the
+// hardcode bump was forgotten. AI agents reporting "I ran pqcheck X.Y.Z"
+// were citing the wrong version. Now: single source of truth = package.json.
+// Uses createRequire so the JSON load is synchronous; ~1ms at startup,
+// negligible vs first network call. Falls back to "unknown" on file-read
+// failure (should never happen in production install layout).
+const VERSION = await (async () => {
+  try {
+    const { readFileSync } = await import("node:fs");
+    const { join, dirname } = await import("node:path");
+    const { fileURLToPath } = await import("node:url");
+    const here = dirname(fileURLToPath(import.meta.url));
+    return JSON.parse(readFileSync(join(here, "..", "package.json"), "utf8")).version || "unknown";
+  } catch {
+    return "unknown";
+  }
+})();
 
 // v0.16.15 — attribution suffix. When the CLI runs inside GitHub Actions
 // (GH sets GITHUB_ACTIONS=true automatically in every step) we append
@@ -3051,12 +3071,51 @@ async function runScanBasedDeployCheck(domain, args) {
   try {
     resp = await fetch(`${API_BASE}/api/scan?domain=${encodeURIComponent(domain)}`, { headers });
   } catch (err) {
+    // v0.16.17 — the v0.16.13 fail-loud AI guard fix was applied to the main
+    // trust-diff deploy-check path but missed THIS fallback path (no-baseline
+    // first-deploy), so a network blip on the very first `pqcheck deploy-check
+    // <new-domain> --ai` exited 3 with no CIPHERWAKE_AI_GUARD_RESULT block.
+    // The calling AI agent then had no ship_decision to route on and could
+    // silently continue shipping — exactly the failure mode the protocol
+    // exists to prevent. Same emit-block-and-exit pattern as trust-diff.
     console.error(color("red", `error: network failure calling /api/scan: ${err.message}`));
-    process.exit(3);
+    return emitAiGuardReviewAndExit(args, {
+      code: "deploy_check_fetch_failed",
+      message: `Network failure calling /api/scan: ${err?.message || "fetch failed"}`,
+      exitCode: 3,
+    });
   }
   if (!resp.ok) {
-    console.error(color("red", `error: /api/scan returned ${resp.status}`));
-    process.exit(3);
+    // v0.16.17 — same fix as above for the HTTP-non-OK path. The 429 case
+    // is especially load-bearing: a brand new AI-coder workflow trying its
+    // first deploy-check on a fresh project will commonly hit per-IP rate
+    // limits, get a bare `error: /api/scan returned 429`, and exit 3 with no
+    // guard block. The AI agent then has nothing to parse. Emitting a
+    // ship_decision=review block with a quota-specific error code lets the
+    // agent surface the rate-limit problem to the user instead of silently
+    // continuing. Surface the body message + auth hint when available so
+    // the user knows whether to wait or get an API key.
+    const body = await safeJSON(resp);
+    const statusLabel = resp.status === 429
+      ? "rate-limited"
+      : resp.status === 401 || resp.status === 403
+        ? "auth failed"
+        : `${resp.status}`;
+    console.error(color("red", `error: /api/scan returned ${resp.status} (${statusLabel})`));
+    if (body?.message) console.error(color("dim", body.message));
+    if (body?.hint) console.error(color("dim", body.hint));
+    if (resp.status === 429) {
+      console.error(color("dim", "Higher quota via free API key (no card): https://cipherwake.io/account#api-keys"));
+    }
+    const code = resp.status === 429
+      ? "deploy_check_rate_limited"
+      : resp.status === 401 || resp.status === 403
+        ? "deploy_check_auth_failed"
+        : "deploy_check_scan_failed";
+    const message = resp.status === 429
+      ? (body?.message || "Per-IP rate limit hit on /api/scan. Wait ~1 minute or use an API key for higher quota.")
+      : body?.message || `Cipherwake /api/scan returned ${resp.status}.`;
+    return emitAiGuardReviewAndExit(args, { code, message, exitCode: 3 });
   }
   const report = await resp.json();
   const findings = Array.isArray(report.findings) ? report.findings : [];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.16.16",
+  "version": "0.16.18",
   "description": "Deploy gate for AI-coded web apps. `pqcheck deploy-check --ai` returns ship_decision=pass|review|block for Claude Code / Cursor / Copilot / Aider to gate deploys before they ship. Anonymous, no signup, free for first use.",
   "keywords": [
     "ai-coder",