pqcheck 0.16.18 → 0.16.20

package/README.md

@@ -8,7 +8,7 @@
 [![npm downloads](https://img.shields.io/npm/dm/pqcheck.svg?style=flat-square&color=06b6d4)](https://www.npmjs.com/package/pqcheck)
 [![license](https://img.shields.io/npm/l/pqcheck.svg?style=flat-square&color=06b6d4)](./LICENSE)
 
-> **Latest: v0.16.18** — `--version` now reads dynamically from `package.json` instead of a hardcoded constant. Prior releases (0.16.16, 0.16.17) shipped with the constant left at `0.16.15`, so AI agents citing "I ran pqcheck X.Y.Z" were citing the wrong version. Single source of truth from here on; locked by a unit test against future drift. [Full changelog →](./CHANGELOG.md)
+> **Latest: v0.16.20** — `pqcheck deploy-check --ai` now adds an absolute posture grade (A+ → F, strict SSL-Labs rubric over CSP / HSTS / X-Frame-Options / X-Content-Type-Options / Referrer-Policy / Permissions-Policy + `x-powered-by` leak) alongside the existing drift-only `ship_decision`. Grade D/F sets `posture_decision=block` so AI coders gate posture failures even on a clean drift. Adds `scope_note` (drift pass ≠ functional verification) and surfaces ready-to-paste fix snippets (Next.js / vercel.json / Express). Watched-domain monitoring also gains `posture_regression` + `cert_expiring` alerts. [Full changelog →](./CHANGELOG.md)
 
 ## Two ways to use it
 

package/bin/cipherwake-statusline.js

@@ -21,10 +21,56 @@
 import { readFileSync, existsSync } from "node:fs";
 import { join, dirname } from "node:path";
 import { homedir } from "node:os";
+import { execSync } from "node:child_process";
 
 const GLOBAL_STATE_FILE = join(homedir(), ".config", "cipherwake", "last-scan.json");
 const STALE_THRESHOLD_HOURS = 24;
 
+// v0.16.19 — `--prepend=<command>` flag for statusLine composition. Claude
+// Code's `statusLine.command` only supports ONE command, which means two
+// tools (e.g. Cipherwake + PinnedAI) both writing their own statusLine
+// silently clobber each other depending on install order. When a customer
+// runs both, they only see whichever installed last. With --prepend, the
+// Cipherwake binary runs the other tool's command first, joins its output
+// with a separator, and renders Cipherwake's own line after. Result:
+// `[pinned output] · ◆ Cipherwake · domain ✓ PASS · 5m ago` — both
+// surfaces visible in the single statusLine slot.
+//
+// pqcheck setup detects an existing statusLine.command at install time
+// and writes the wrapper form automatically:
+//   "command": "npx --package=pqcheck@latest cipherwake-statusline --prepend='<prior-command>'"
+//
+// If the prior command errors (or the tool was uninstalled), this binary
+// swallows the failure and just renders Cipherwake's part — never causes
+// the whole statusLine to break.
+const PREPEND_SEPARATOR = " · ";
+const prependArg = process.argv.find((a) => a.startsWith("--prepend="));
+if (prependArg) {
+  const prependCmd = prependArg.slice("--prepend=".length);
+  if (prependCmd) {
+    try {
+      // 5s soft timeout — statusLine rendering must stay snappy. If the
+      // other tool hangs, we cut it off and continue with Cipherwake's part.
+      // stdio: ignore on stderr so a noisy prior tool doesn't pollute the
+      // bar; we want only its rendered stdout output.
+      const out = execSync(prependCmd, {
+        encoding: "utf8",
+        timeout: 5_000,
+        stdio: ["ignore", "pipe", "ignore"],
+        env: process.env,
+      }).trim();
+      if (out) {
+        process.stdout.write(out);
+        process.stdout.write(PREPEND_SEPARATOR);
+      }
+    } catch {
+      // Prepend command failed (uninstalled, timeout, errored). Skip
+      // silently — never break the whole statusLine because of a
+      // composition partner.
+    }
+  }
+}
+
 // v0.16.6 — project-aware state lookup. Walk up from CWD looking for a
 // repo-local `.cipherwake/last-scan.json`. This way each project shows
 // its own last scan, and switching projects doesn't bleed the previous

package/bin/pqcheck.js

@@ -495,6 +495,22 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi,
       }
     }
 
+    // R86 — surface absolute posture grade + remediation alongside drift verdict.
+    // The grade= field carries DBR grade; posture_grade= is the new absolute
+    // posture (A+/A/B/C/D/F based on header presence/strength).
+    // posture_decision separates the absolute-state routing signal from the
+    // drift-based ship_decision so a weak-but-unchanged site gets a review
+    // nudge distinct from drift.
+    const posture = report.posture || null;
+    const postureFields = posture ? {
+      posture_grade: posture.grade,
+      posture_score: posture.score,
+      posture_decision: posture.decision,
+      posture_missing: (posture.missing || []).join(",") || "none",
+      posture_leaks: (posture.info_leaks || []).join("; ") || "none",
+      posture_findings_count: (posture.findings || []).length,
+      posture_fixes_count: (posture.fixes || []).length,
+    } : {};
     console.log(formatAiFooterBlock({
       status: shipDecision,
       domain,
@@ -509,6 +525,13 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi,
       findings_critical: findings.filter((f) => severityRank(f.severity) === 4).length,
       scanned_at: new Date().toISOString(),
       advisory_only: "true",
+      // R85 (2026-06-03) — scope honesty disclaimer. pass = trust surface
+      // stable, NOT app functionality. Agents that follow the protocol must
+      // see this so they don't announce a deploy whose signup is broken
+      // (the exact bug the user reported on socialideagen 2026-06-02).
+      scope: "trust_surface_drift",
+      scope_note: "ship_decision=pass means public trust surface stable. Does NOT verify app functionality. Pair with functional checks (e.g. Playwright e2e) for full deploy safety.",
+      ...postureFields,
     }));
     console.log("");
 
@@ -3400,6 +3423,20 @@ async function runTrustDiffCommand(args) {
       console.log(color("dim", "  Run with --verbose to see all verified signals."));
     }
 
+    // R86 — posture grade + remediation alongside drift. trust-diff API returns
+    // result.current_report which contains the full scan; if so, read posture
+    // from it. Otherwise gracefully omit (older API responses without posture).
+    const currentReport = result.current_report || result.report || null;
+    const posture = currentReport?.posture || null;
+    const postureFields = posture ? {
+      posture_grade: posture.grade,
+      posture_score: posture.score,
+      posture_decision: posture.decision,
+      posture_missing: (posture.missing || []).join(",") || "none",
+      posture_leaks: (posture.info_leaks || []).join("; ") || "none",
+      posture_findings_count: (posture.findings || []).length,
+      posture_fixes_count: (posture.fixes || []).length,
+    } : {};
     console.log(formatAiFooterBlock({
       status: shipDecision,
       domain,
@@ -3417,6 +3454,13 @@ async function runTrustDiffCommand(args) {
       quota_limit: result.quota?.monthly_limit ?? "",
       scanned_at: new Date().toISOString(),
       advisory_only: "true",
+      // R85 — scope honesty disclaimer (per build brief 2026-06-03).
+      // ship_decision=pass means trust surface stable, NOT app functions.
+      // Agents must see this so they don't announce a deploy whose signup
+      // is broken (the exact bug socialideagen had on 2026-06-02).
+      scope: "trust_surface_drift",
+      scope_note: "ship_decision=pass means public trust surface stable. Does NOT verify app functionality. Pair with functional checks for full deploy safety.",
+      ...postureFields,
     }));
     console.log("");
 
@@ -6317,19 +6361,54 @@ async function runSetupCommand(args) {
         settings = JSON.parse(raw);
         existed = true;
       } catch { /* will create */ }
-      if (existed && settings.statusLine && typeof settings.statusLine === "object") {
-        // Already has a statusLine config — don't overwrite.
-        console.log(color("dim", `  ⊝ ${displayPath} already has a statusLine entry — leaving alone`));
-        console.log(color("dim", `    To use the Cipherwake statusline instead, set: "command": "npx --package=pqcheck@latest cipherwake-statusline"`));
-        installSummary.push({ component: "Claude Code statusLine", path: settingsPath, status: "skipped-existing-config" });
+      // v0.16.19 — statusLine composition. Previous behavior was: if any
+      // statusLine.command already existed, SKIP. That was safe (never
+      // clobbered other tools) but invisible — a user with PinnedAI's
+      // statusline installed would never see Cipherwake's after running
+      // `pqcheck setup`. Now: detect the prior command and wrap it via
+      // `cipherwake-statusline --prepend=<prior>` so both render in the
+      // single statusLine slot. The prepend logic in cipherwake-statusline.js
+      // swallows prepend-command failures silently, so this composition
+      // survives the user later uninstalling the partner tool.
+      //
+      // Skip the wrap when the existing command IS already our wrapper
+      // (idempotent re-install — don't recursively nest).
+      const CIPHERWAKE_CMD_PREFIX = "npx --package=pqcheck@latest cipherwake-statusline";
+      const priorCmd = (existed && settings.statusLine && typeof settings.statusLine === "object")
+        ? String(settings.statusLine.command || "").trim()
+        : "";
+      const priorIsOurs = priorCmd.startsWith("npx --package=pqcheck") && priorCmd.includes("cipherwake-statusline");
+
+      if (priorIsOurs) {
+        console.log(color("dim", `  ⊝ ${displayPath} statusLine already points at cipherwake-statusline — leaving alone`));
+        installSummary.push({ component: "Claude Code statusLine", path: settingsPath, status: "skipped-already-ours" });
       } else {
         const backupPath = existed ? await backupSettingsJson(settingsPath) : null;
         if (backupPath) console.log(color("dim", `    backup: ${backupPath}`));
-        settings.statusLine = { type: "command", command: "npx --package=pqcheck@latest cipherwake-statusline" };
+        let command;
+        if (priorCmd) {
+          // Compose: wrap the existing command via --prepend.
+          // Single-quote the prior command + escape any single quotes
+          // (rare in practice but defensive).
+          const safe = priorCmd.replace(/'/g, `'\\''`);
+          command = `${CIPHERWAKE_CMD_PREFIX} --prepend='${safe}'`;
+          console.log(color("green", `  ✓ composed statusLine: existing command wrapped via --prepend → ${displayPath}`));
+          console.log(color("dim", `    prior command: ${priorCmd.slice(0, 80)}${priorCmd.length > 80 ? "..." : ""}`));
+          console.log(color("dim", `    both surfaces now render in the single statusLine slot`));
+        } else {
+          // Fresh install — no prior command to compose with.
+          command = CIPHERWAKE_CMD_PREFIX;
+          console.log(color("green", `  ✓ added statusLine config → ${displayPath}`));
+        }
+        settings.statusLine = { type: "command", command };
         await fs.mkdir(path.dirname(settingsPath), { recursive: true });
         await fs.writeFile(settingsPath, JSON.stringify(settings, null, 2) + "\n", "utf8");
-        console.log(color("green", `  ✓ added statusLine config → ${displayPath}`));
-        installSummary.push({ component: "Claude Code statusLine", path: settingsPath, status: existed ? "installed-updated" : "installed-created", backup: backupPath });
+        installSummary.push({
+          component: "Claude Code statusLine",
+          path: settingsPath,
+          status: existed && priorCmd ? "installed-composed" : (existed ? "installed-updated" : "installed-created"),
+          backup: backupPath,
+        });
       }
     } catch (err) {
       console.log(color("red", `  ✗ statusLine config install failed: ${err.message}`));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.16.18",
+  "version": "0.16.20",
   "description": "Deploy gate for AI-coded web apps. `pqcheck deploy-check --ai` returns ship_decision=pass|review|block for Claude Code / Cursor / Copilot / Aider to gate deploys before they ship. Anonymous, no signup, free for first use.",
   "keywords": [
     "ai-coder",