pqcheck 0.16.19 → 0.16.21

package/README.md

@@ -8,7 +8,7 @@
 [![npm downloads](https://img.shields.io/npm/dm/pqcheck.svg?style=flat-square&color=06b6d4)](https://www.npmjs.com/package/pqcheck)
 [![license](https://img.shields.io/npm/l/pqcheck.svg?style=flat-square&color=06b6d4)](./LICENSE)
 
-> **Latest: v0.16.19** — `pqcheck setup` now COMPOSES with an existing Claude Code `statusLine.command` (e.g., PinnedAI's) via a new `--prepend=<cmd>` flag on `cipherwake-statusline`. Both tools' badges render in the single statusLine slot. Previously, Cipherwake politely skipped if any prior statusLine existed — which meant you'd only ever see one tool's badge. Now: composed wrap with 5s timeout + graceful degradation on prepend failure + idempotent re-runs. [Full changelog →](./CHANGELOG.md)
+> **Latest: v0.16.21** — `ship_decision` now folds posture into the headline routing decision (worst-of drift + posture) — closes a footgun where a clean-drift F-posture deploy would have shipped under the original "`pass` → announce" protocol. Posture rubric recalibrated for partial credit: a site with valid HSTS preload + everything else missing now scores ~29 / grade D, not 0 / F. Fix snippets now emit inline in a `CIPHERWAKE_POSTURE_FIXES` block — no JSON round-trip needed to read them. Empty legacy `grade=` field dropped from the AI block. [Full changelog →](./CHANGELOG.md)
 
 ## Two ways to use it
 

package/bin/pqcheck.js

@@ -495,21 +495,46 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi,
       }
     }
 
+    // R86 — surface absolute posture grade + remediation alongside drift verdict.
+    // The grade= field carries DBR grade; posture_grade= is the new absolute
+    // posture (A+/A/B/C/D/F based on header presence/strength).
+    // posture_decision separates the absolute-state routing signal from the
+    // drift-based ship_decision so a weak-but-unchanged site gets a review
+    // nudge distinct from drift.
+    const posture = report.posture || null;
+    const postureFields = posture ? {
+      posture_grade: posture.grade,
+      posture_score: posture.score,
+      posture_decision: posture.decision,
+      posture_missing: (posture.missing || []).join(",") || "none",
+      posture_leaks: (posture.info_leaks || []).join("; ") || "none",
+      posture_findings_count: (posture.findings || []).length,
+      posture_fixes_count: (posture.fixes || []).length,
+    } : {};
+    const effectiveShip = combineShipDecision(shipDecision, posture?.decision);
     console.log(formatAiFooterBlock({
-      status: shipDecision,
+      status: effectiveShip,
       domain,
       kind: "scan",
-      dbr: typeof report.score === "number" ? report.score.toFixed(1) : "",
-      grade: report.grade || "",
+      dbr: typeof report.score === "number" ? report.score.toFixed(1) : undefined,
+      grade: report.grade || undefined,
       max_severity: maxSev,
-      ship_decision: shipDecision,
+      ship_decision: effectiveShip,
+      ship_decision_drift: shipDecision,
+      ship_decision_posture: posture?.decision,
       unreachable: unreachable ? "true" : "false",
       top_issue: topFinding?.id || topFinding?.title || "none",
       findings_high: findings.filter((f) => severityRank(f.severity) === 3).length,
       findings_critical: findings.filter((f) => severityRank(f.severity) === 4).length,
       scanned_at: new Date().toISOString(),
       advisory_only: "true",
+      scope: "trust_surface_drift_plus_absolute_posture",
+      scope_note: "ship_decision = worst-of(drift, absolute posture). pass means BOTH no drift AND posture grade A+/A. ship_decision_drift and ship_decision_posture expose the two inputs separately. Cipherwake does NOT verify app functionality — pair with Playwright e2e for full deploy safety.",
+      ...postureFields,
     }));
+    if (posture && Array.isArray(posture.fixes) && posture.fixes.length > 0) {
+      console.log(formatPostureFixesBlock(posture.fixes));
+    }
     console.log("");
 
     // Threshold check still applies under --ai (script-pipeable). Otherwise
@@ -517,7 +542,7 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi,
     if (threshold !== null && typeof report.score === "number" && report.score >= threshold) {
       return 2;
     }
-    return shipDecisionExitCode(shipDecision);
+    return shipDecisionExitCode(effectiveShip);
   }
 
   // Output dispatch
@@ -732,6 +757,46 @@ function computeShipDecision({ maxSeverity, hasUnexpectedDiff, scoreDelta }) {
   return "pass";
 }
 
+// R86.2 (2026-06-03) — fold absolute posture grade into ship_decision so an
+// AI agent following the original "ship_decision=pass → safe to announce"
+// protocol does NOT ship a site with F-grade posture just because nothing
+// drifted since last scan. The headline decision must reflect both drift
+// and absolute state.
+//
+// Order: block > review > pass. Worst-of-both wins.
+const SHIP_DECISION_RANK = { pass: 0, review: 1, block: 2 };
+function combineShipDecision(driftDecision, postureDecision) {
+  if (!postureDecision) return driftDecision;
+  const a = SHIP_DECISION_RANK[driftDecision] ?? 0;
+  const b = SHIP_DECISION_RANK[postureDecision] ?? 0;
+  return a >= b ? driftDecision : postureDecision;
+}
+
+// R86.3 (2026-06-03) — emit per-finding fix snippets in a separate parseable
+// block after the AI guard block. The guard block stays compact key=value; the
+// fixes are multi-line code so they get their own block with explicit
+// start/end markers + per-fix delimiters. Agents can parse the fixes
+// independently and apply them without round-tripping to the JSON response.
+function formatPostureFixesBlock(fixes) {
+  if (!Array.isArray(fixes) || fixes.length === 0) return "";
+  const lines = ["", "CIPHERWAKE_POSTURE_FIXES"];
+  for (let i = 0; i < fixes.length; i++) {
+    const f = fixes[i] || {};
+    lines.push(`--- FIX ${i + 1} ---`);
+    lines.push(`finding_id=${String(f.finding_id || "").replace(/[\r\n]+/g, " ")}`);
+    lines.push(`title=${String(f.title || "").replace(/[\r\n]+/g, " ")}`);
+    lines.push(`framework=${String(f.framework || "").replace(/[\r\n]+/g, " ")}`);
+    lines.push(`file_target=${String(f.file_target || "").replace(/[\r\n]+/g, " ")}`);
+    lines.push("snippet:");
+    const snippet = String(f.snippet || "");
+    for (const line of snippet.split(/\r?\n/)) {
+      lines.push(line);
+    }
+  }
+  lines.push("END_CIPHERWAKE_POSTURE_FIXES");
+  return color("dim", lines.join("\n"));
+}
+
 function aiBannerColor(shipDecision) {
   if (shipDecision === "pass") return "green";
   if (shipDecision === "block") return "red";
@@ -3400,24 +3465,47 @@ async function runTrustDiffCommand(args) {
       console.log(color("dim", "  Run with --verbose to see all verified signals."));
     }
 
+    // R86 — posture grade + remediation alongside drift. trust-diff API returns
+    // result.current_report which contains the full scan; if so, read posture
+    // from it. Otherwise gracefully omit (older API responses without posture).
+    const currentReport = result.current_report || result.report || null;
+    const posture = currentReport?.posture || null;
+    const postureFields = posture ? {
+      posture_grade: posture.grade,
+      posture_score: posture.score,
+      posture_decision: posture.decision,
+      posture_missing: (posture.missing || []).join(",") || "none",
+      posture_leaks: (posture.info_leaks || []).join("; ") || "none",
+      posture_findings_count: (posture.findings || []).length,
+      posture_fixes_count: (posture.fixes || []).length,
+    } : {};
+    const effectiveShip = combineShipDecision(shipDecision, posture?.decision);
     console.log(formatAiFooterBlock({
-      status: shipDecision,
+      status: effectiveShip,
       domain,
       kind: "trust-diff",
       baseline,
       verdict,
       delta_count: deltas.length,
       max_severity: maxSev,
-      ship_decision: shipDecision,
+      ship_decision: effectiveShip,
+      ship_decision_drift: shipDecision,
+      ship_decision_posture: posture?.decision,
       top_issue: topDelta?.id || topDelta?.type || "none",
-      top_issue_title: topDelta?.title || "",
-      dbr: typeof result.current_score === "number" ? result.current_score.toFixed(1) : "",
-      grade: result.current_grade || "",
-      quota_used: result.quota?.used_this_month ?? "",
-      quota_limit: result.quota?.monthly_limit ?? "",
+      top_issue_title: topDelta?.title || undefined,
+      dbr: typeof result.current_score === "number" ? result.current_score.toFixed(1) : undefined,
+      grade: result.current_grade || undefined,
+      quota_used: result.quota?.used_this_month ?? undefined,
+      quota_limit: result.quota?.monthly_limit ?? undefined,
       scanned_at: new Date().toISOString(),
       advisory_only: "true",
+      scope: "trust_surface_drift_plus_absolute_posture",
+      scope_note: "ship_decision = worst-of(drift, absolute posture). pass means BOTH no drift AND posture grade A+/A. ship_decision_drift and ship_decision_posture expose the two inputs separately. Cipherwake does NOT verify app functionality — pair with Playwright e2e for full deploy safety.",
+      ...postureFields,
     }));
+    if (posture && Array.isArray(posture.fixes) && posture.fixes.length > 0) {
+      console.log(formatPostureFixesBlock(posture.fixes));
+    }
     console.log("");
 
     await writeLastScanFile({
@@ -3426,13 +3514,13 @@ async function runTrustDiffCommand(args) {
       score: typeof result.current_score === "number" ? result.current_score : null,
       grade: result.current_grade || null,
       max_severity: maxSev,
-      ship_decision: shipDecision,
+      ship_decision: effectiveShip,
       baseline,
       delta_count: deltas.length,
       top_issue: topDelta?.id || topDelta?.title || null,
     });
 
-    process.exit(shipDecisionExitCode(shipDecision));
+    process.exit(shipDecisionExitCode(effectiveShip));
   }
 
   // Format output

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.16.19",
+  "version": "0.16.21",
   "description": "Deploy gate for AI-coded web apps. `pqcheck deploy-check --ai` returns ship_decision=pass|review|block for Claude Code / Cursor / Copilot / Aider to gate deploys before they ship. Anonymous, no signup, free for first use.",
   "keywords": [
     "ai-coder",