pqcheck 0.16.19 → 0.16.20

package/README.md

@@ -8,7 +8,7 @@
 [![npm downloads](https://img.shields.io/npm/dm/pqcheck.svg?style=flat-square&color=06b6d4)](https://www.npmjs.com/package/pqcheck)
 [![license](https://img.shields.io/npm/l/pqcheck.svg?style=flat-square&color=06b6d4)](./LICENSE)
 
-> **Latest: v0.16.19** — `pqcheck setup` now COMPOSES with an existing Claude Code `statusLine.command` (e.g., PinnedAI's) via a new `--prepend=<cmd>` flag on `cipherwake-statusline`. Both tools' badges render in the single statusLine slot. Previously, Cipherwake politely skipped if any prior statusLine existed — which meant you'd only ever see one tool's badge. Now: composed wrap with 5s timeout + graceful degradation on prepend failure + idempotent re-runs. [Full changelog →](./CHANGELOG.md)
+> **Latest: v0.16.20** — `pqcheck deploy-check --ai` now adds an absolute posture grade (A+ → F, strict SSL-Labs rubric over CSP / HSTS / X-Frame-Options / X-Content-Type-Options / Referrer-Policy / Permissions-Policy + `x-powered-by` leak) alongside the existing drift-only `ship_decision`. Grade D/F sets `posture_decision=block` so AI coders gate posture failures even on a clean drift. Adds `scope_note` (drift pass ≠ functional verification) and surfaces ready-to-paste fix snippets (Next.js / vercel.json / Express). Watched-domain monitoring also gains `posture_regression` + `cert_expiring` alerts. [Full changelog →](./CHANGELOG.md)
 
 ## Two ways to use it
 

package/bin/pqcheck.js

@@ -495,6 +495,22 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi,
       }
     }
 
+    // R86 — surface absolute posture grade + remediation alongside drift verdict.
+    // The grade= field carries DBR grade; posture_grade= is the new absolute
+    // posture (A+/A/B/C/D/F based on header presence/strength).
+    // posture_decision separates the absolute-state routing signal from the
+    // drift-based ship_decision so a weak-but-unchanged site gets a review
+    // nudge distinct from drift.
+    const posture = report.posture || null;
+    const postureFields = posture ? {
+      posture_grade: posture.grade,
+      posture_score: posture.score,
+      posture_decision: posture.decision,
+      posture_missing: (posture.missing || []).join(",") || "none",
+      posture_leaks: (posture.info_leaks || []).join("; ") || "none",
+      posture_findings_count: (posture.findings || []).length,
+      posture_fixes_count: (posture.fixes || []).length,
+    } : {};
     console.log(formatAiFooterBlock({
       status: shipDecision,
       domain,
@@ -509,6 +525,13 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi,
       findings_critical: findings.filter((f) => severityRank(f.severity) === 4).length,
       scanned_at: new Date().toISOString(),
       advisory_only: "true",
+      // R85 (2026-06-03) — scope honesty disclaimer. pass = trust surface
+      // stable, NOT app functionality. Agents that follow the protocol must
+      // see this so they don't announce a deploy whose signup is broken
+      // (the exact bug the user reported on socialideagen 2026-06-02).
+      scope: "trust_surface_drift",
+      scope_note: "ship_decision=pass means public trust surface stable. Does NOT verify app functionality. Pair with functional checks (e.g. Playwright e2e) for full deploy safety.",
+      ...postureFields,
     }));
     console.log("");
 
@@ -3400,6 +3423,20 @@ async function runTrustDiffCommand(args) {
       console.log(color("dim", "  Run with --verbose to see all verified signals."));
     }
 
+    // R86 — posture grade + remediation alongside drift. trust-diff API returns
+    // result.current_report which contains the full scan; if so, read posture
+    // from it. Otherwise gracefully omit (older API responses without posture).
+    const currentReport = result.current_report || result.report || null;
+    const posture = currentReport?.posture || null;
+    const postureFields = posture ? {
+      posture_grade: posture.grade,
+      posture_score: posture.score,
+      posture_decision: posture.decision,
+      posture_missing: (posture.missing || []).join(",") || "none",
+      posture_leaks: (posture.info_leaks || []).join("; ") || "none",
+      posture_findings_count: (posture.findings || []).length,
+      posture_fixes_count: (posture.fixes || []).length,
+    } : {};
     console.log(formatAiFooterBlock({
       status: shipDecision,
       domain,
@@ -3417,6 +3454,13 @@ async function runTrustDiffCommand(args) {
       quota_limit: result.quota?.monthly_limit ?? "",
       scanned_at: new Date().toISOString(),
       advisory_only: "true",
+      // R85 — scope honesty disclaimer (per build brief 2026-06-03).
+      // ship_decision=pass means trust surface stable, NOT app functions.
+      // Agents must see this so they don't announce a deploy whose signup
+      // is broken (the exact bug socialideagen had on 2026-06-02).
+      scope: "trust_surface_drift",
+      scope_note: "ship_decision=pass means public trust surface stable. Does NOT verify app functionality. Pair with functional checks for full deploy safety.",
+      ...postureFields,
     }));
     console.log("");
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.16.19",
+  "version": "0.16.20",
   "description": "Deploy gate for AI-coded web apps. `pqcheck deploy-check --ai` returns ship_decision=pass|review|block for Claude Code / Cursor / Copilot / Aider to gate deploys before they ship. Anonymous, no signup, free for first use.",
   "keywords": [
     "ai-coder",