pqcheck 0.16.2 → 0.16.4

package/README.md

@@ -49,7 +49,7 @@ You get the same scanner that powers [cipherwake.io](https://cipherwake.io), the
 | `npx pqcheck <domain>` | The basic scan. Returns DBR score (0–10), letter grade (A–F), and a list of findings ranked by severity. The fastest way to ask "is my site's HTTPS posture healthy today?" |
 | `npx pqcheck deploy-check <domain> --ai` | The flagship command. Wraps the scan with `ship_decision=pass\|review\|block` for your AI coding agent to gate the deploy announcement. Works anonymously on first use; subsequent runs compare against the previous scan. |
 | `npx pqcheck trust-diff <domain>` | Compare today's HTTPS surface against a saved baseline (last week / last month / a saved CI baseline). For CI gates and release checklists. |
-| `npx pqcheck preview-diff --preview <URL> --production <URL>` | Compare a Vercel/Netlify preview deployment URL to production. Surfaces new third-party scripts, header regressions, and DBR score drops *inside the PR*, before merge. |
+| `npx pqcheck preview-diff --preview <URL> --production <URL>` | Compare a Vercel/Netlify preview deployment URL to production. Surfaces new third-party scripts, header regressions, and DBR score drops *inside the PR*, before merge. **v0.16.3** — now renders per-signal N vs N+1 status on every run (scripts, headers, cert SPKI, TLS, …) so you can see *every* check fired, not just "did something change." Add `--verbose` for the full side-by-side table. |
 | `npx pqcheck vendors export/check/sync <domain>` | Vendor lockfile (`cipherwake.vendors.json`) + CI gate that exits non-zero when a new third-party origin appears. Like `package-lock.json` for vendor scripts. |
 | `npx pqcheck onboard <domain>` | One command: scan → scaffold the GitHub Action → capture a vendor lockfile → set a baseline → commit + push. Zero copy-paste from docs. |
 | **`npx pqcheck guard --domain <D> -- <cmd>`** 🆕 | **Deploy guard wrapper.** Wraps any deploy command. Runs `deploy-check` first; conditionally runs `<cmd>` based on `ship_decision`. Modes: `--gate-mode balanced` (default) / `advisory` / `strict`. ONE command instead of two — the strongest single artifact for AI-coder workflows because the AI never has to remember to chain check + deploy. |

package/bin/cipherwake-statusline.js

@@ -73,7 +73,11 @@ try {
   process.exit(0);
 }
 
-const { domain, score, grade, ship_decision, written_at, max_severity, unreachable } = state;
+const {
+  domain, score, grade, ship_decision, written_at, max_severity, unreachable,
+  // v0.16.4 — preview-diff-specific fields for the 4-line render
+  kind, delta_count, diff_no_change, sector_ranking, verified_signal_categories, last_changed,
+} = state;
 const age = ageHours(written_at);
 
 if (age > STALE_THRESHOLD_HOURS) {
@@ -87,6 +91,70 @@ if (age > STALE_THRESHOLD_HOURS) {
   process.exit(0);
 }
 
+// v0.16.4 — preview-diff 4-line state.
+// User direction: when the last scan was `preview-diff` (two URLs compared),
+// render the high-yield block in the statusline. Other scan kinds keep the
+// 1-line compact format below — the bigger block would be too noisy when
+// it's just a routine domain scan with no diff context.
+if (kind === "preview-diff" && !unreachable) {
+  // Line 1: brand header (hostname only).
+  const head = c(C.bold, "◆ Cipherwake") + c(C.dim, " — ") + c(C.bold, domain || "—");
+  // Line 3: decision pulse, diff-flavored copy.
+  let pulse;
+  if (ship_decision === "pass") {
+    pulse = c(C.green, "✓ PASS") + c(C.dim, " · no risky deploy-surface drift detected");
+  } else if (ship_decision === "review") {
+    pulse = c(C.yellow, "⚠ REVIEW") + c(C.dim, ` · ${delta_count || 0} public-surface change${delta_count === 1 ? "" : "s"}`);
+  } else if (ship_decision === "block") {
+    pulse = c(C.red, "⛔ BLOCK") + c(C.dim, ` · ${delta_count || 0} critical change${delta_count === 1 ? "" : "s"}`);
+  } else {
+    pulse = c(C.dim, "· no decision");
+  }
+  // Line 4: trust posture (DBR + percentile copy + stability).
+  function formatPercentile(percentile, sector) {
+    if (typeof percentile !== "number") return null;
+    const s = sector || "industry";
+    if (percentile <= 10) return `top 10% in ${s}`;
+    if (percentile <= 25) return `top 25% in ${s}`;
+    if (percentile <= 50) return `above median in ${s}`;
+    if (percentile <= 75) return `below median in ${s}`;
+    if (percentile <= 90) return `bottom 25% in ${s}`;
+    return `bottom 10% in ${s}`;
+  }
+  function formatStability(iso) {
+    if (!iso) return null;
+    const days = Math.floor((Date.now() - new Date(iso).getTime()) / 86400000);
+    if (days <= 0) return "drifted today";
+    if (days < 7) return `drifted ${days}d ago`;
+    return `stable ${days}d`;
+  }
+  const trustParts = [];
+  if (typeof score === "number") {
+    trustParts.push(`DBR ${score.toFixed(1)}${grade ? " " + grade : ""}`);
+  }
+  const pct = formatPercentile(sector_ranking?.percentile, sector_ranking?.sectorLabel || sector_ranking?.sectorName || sector_ranking?.sector);
+  if (pct) trustParts.push(pct);
+  const stab = formatStability(last_changed);
+  if (stab) trustParts.push(stab);
+  const trustLine = trustParts.length > 0
+    ? c(C.green, "✓ ") + c(C.bold, "Trust posture: ") + trustParts.join(c(C.dim, " · "))
+    : null;
+  // Line 5: verified signals (or finding line when there IS drift).
+  let verifiedLine = null;
+  if (Array.isArray(verified_signal_categories) && verified_signal_categories.length > 0) {
+    const head = diff_no_change === true
+      ? "Security-relevant surface unchanged"
+      : `Verified ${verified_signal_categories.length} signal${verified_signal_categories.length === 1 ? "" : "s"}`;
+    verifiedLine = c(C.green, "✓ ") + c(C.bold, head) + c(C.dim, " · " + verified_signal_categories.join(", "));
+  }
+  // Compose
+  const lines = [head, "", pulse];
+  if (trustLine) lines.push(trustLine);
+  if (verifiedLine) lines.push(verifiedLine);
+  process.stdout.write(lines.join("\n"));
+  process.exit(0);
+}
+
 // Brand-anchored layout — "Cipherwake" is always the first word after the
 // diamond, so the customer (and their AI agent) can identify the status
 // line's source at a glance. Trailing segments depend on what we have:

package/bin/pqcheck.js

@@ -24,7 +24,7 @@
 })();
 
 const API_BASE = process.env.PQCHECK_API_BASE || "https://cipherwake.io";
-const VERSION = "0.16.2";
+const VERSION = "0.16.4";
 
 // API-key support — paid tiers (Starter $29 / Growth $79 / Scale $199) get
 // per-account monthly quotas instead of the per-IP rate limit. Set via:
@@ -941,6 +941,131 @@ function formatHighYieldVerbose(report) {
   return lines.join("\n");
 }
 
+// v0.16.3 — preview-diff per-signal comparison. Render N vs N+1 signal
+// values for both sides side-by-side so the customer SEES that every
+// signal was checked, even when delta_count=0. Without this, preview-diff
+// was silent on non-changing signals and looked like a binary "did
+// anything change" detector. With this, every preview-diff output proves
+// the 9 signals were exercised on both URLs.
+function formatPreviewDiffPerSignal(prev, prod, options = {}) {
+  if (!prev || !prod) return null;
+  const verbose = options.verbose === true;
+  const rows = [];
+  const push = (name, l, r) => rows.push({ name, prev: l, prod: r, same: l === r });
+
+  if (typeof prev?.score === "number" || typeof prod?.score === "number") {
+    const dbrL = typeof prev?.score === "number" ? `${prev.score.toFixed(1)}${prev.grade ? " " + prev.grade : ""}` : "—";
+    const dbrR = typeof prod?.score === "number" ? `${prod.score.toFixed(1)}${prod.grade ? " " + prod.grade : ""}` : "—";
+    push("DBR", dbrL, dbrR);
+  }
+
+  const prevScripts = prev?.publicDeps?.thirdPartyCount;
+  const prodScripts = prod?.publicDeps?.thirdPartyCount;
+  if (prevScripts !== undefined || prodScripts !== undefined) {
+    push("Scripts", String(prevScripts ?? "—"), String(prodScripts ?? "—"));
+  }
+
+  const hdrSummary = (h) => {
+    if (!h?.reachable) return "—";
+    const flags = [];
+    flags.push(h.csp?.present ? "CSP✓" : "CSP✗");
+    flags.push(h.hsts?.present ? `HSTS${h.hsts.preload ? "+preload" : ""}✓` : "HSTS✗");
+    flags.push(h.xFrameOptions?.present ? "XFO✓" : "XFO✗");
+    return flags.join(" ");
+  };
+  if (prev?.httpHeaders || prod?.httpHeaders) {
+    push("Headers", hdrSummary(prev?.httpHeaders), hdrSummary(prod?.httpHeaders));
+  }
+
+  const ckSummary = (c) => {
+    if (!c) return "—";
+    if (!c.reachable) return "unreachable";
+    const issues = [];
+    if (c.anyMissingSecure) issues.push("Secure");
+    if (c.anyMissingHttpOnly) issues.push("HttpOnly");
+    if (c.anyMissingSameSite) issues.push("SameSite");
+    const tag = issues.length ? `miss:${issues.join(",")}` : "all flags";
+    return `${c.count ?? 0} (${tag})`;
+  };
+  if (prev?.cookies || prod?.cookies) push("Cookies", ckSummary(prev?.cookies), ckSummary(prod?.cookies));
+
+  const smSummary = (s) => {
+    if (!s) return "—";
+    if (!s.reachable) return "unreachable";
+    if (s.exposed) return `${s.exposedCount} EXPOSED`;
+    return "none exposed";
+  };
+  if (prev?.sourceMaps || prod?.sourceMaps) push("Source maps", smSummary(prev?.sourceMaps), smSummary(prod?.sourceMaps));
+
+  const mcSummary = (m) => {
+    if (m === null || m === undefined) return "—";
+    if (typeof m === "number") return String(m);
+    if (typeof m === "object") {
+      if (typeof m.insecureCount === "number") return String(m.insecureCount);
+      if (typeof m.count === "number") return String(m.count);
+    }
+    return "—";
+  };
+  if (prev?.mixedContent !== null || prod?.mixedContent !== null) {
+    push("Mixed content", mcSummary(prev?.mixedContent), mcSummary(prod?.mixedContent));
+  }
+
+  const ppSummary = (p) => {
+    if (!p?.probed) return "—";
+    const protected_ = p.protectedCount ?? 0;
+    const exposed = p.exposedCount ?? 0;
+    const total = protected_ + exposed;
+    return total === 0 ? "0/0" : `${protected_}/${total} protected`;
+  };
+  if (prev?.protectedPaths || prod?.protectedPaths) {
+    push("Protected paths", ppSummary(prev?.protectedPaths), ppSummary(prod?.protectedPaths));
+  }
+
+  const certSummary = (c) => {
+    if (!c) return "—";
+    if (c.spkiSha256) return `${String(c.spkiSha256).slice(0, 10)}…`;
+    return c.issuer || "—";
+  };
+  if (prev?.cert || prod?.cert) push("Cert SPKI", certSummary(prev?.cert), certSummary(prod?.cert));
+
+  if (prev?.tlsVersion || prod?.tlsVersion) push("TLS", prev?.tlsVersion || "—", prod?.tlsVersion || "—");
+
+  const prevSub = prev?.publicSurface?.subdomainCount;
+  const prodSub = prod?.publicSurface?.subdomainCount;
+  if (prevSub !== undefined || prodSub !== undefined) {
+    push("Subdomains", String(prevSub ?? "—"), String(prodSub ?? "—"));
+  }
+
+  if (rows.length === 0) return null;
+
+  if (!verbose) {
+    // Compact 1-line summary: "✓ 9/9 signals match (preview ↔ production)"
+    const sameCount = rows.filter((r) => r.same).length;
+    const allMatch = sameCount === rows.length;
+    const symbol = allMatch ? color("green", "✓ ") : color("yellow", "~ ");
+    return symbol + color("bold", `${sameCount}/${rows.length} signals match`) + color("dim", " (preview ↔ production)");
+  }
+
+  // Verbose: per-row table
+  const lines = [];
+  lines.push("");
+  lines.push(color("bold", "Per-signal verification (preview ↔ production):"));
+  const nameWidth = Math.max(...rows.map((r) => r.name.length));
+  const prevWidth = Math.max(...rows.map((r) => r.prev.length));
+  for (const r of rows) {
+    const arrow = r.same ? color("dim", "↔") : color("yellow", "→");
+    const valueColor = r.same ? "dim" : "yellow";
+    lines.push(
+      "  " +
+      color("bold", r.name.padEnd(nameWidth)) + "  " +
+      color(valueColor, r.prev.padEnd(prevWidth)) + "  " +
+      arrow + "  " +
+      color(valueColor, r.prod)
+    );
+  }
+  return lines.join("\n");
+}
+
 // Helper: pretty-print 1-3 alerts (when ship_decision = review/block) ABOVE
 // the trust-posture line, so the actionable change is the FIRST thing the
 // customer sees. Each alert is one line with an emoji + concise summary.
@@ -3170,11 +3295,40 @@ async function runPreviewDiffCommand(args) {
           `Each "- CSP weakened" or "~ HSTS weakened" reduces production safety.`,
         ];
 
-    // v0.16.2 high-yield rendering for preview-diff.
+    // v0.16.3 high-yield rendering for preview-diff. Uses the per-side
+    // `signals` snapshot returned by /api/preview-diff so the customer
+    // sees N vs N+1 on every signal (not just the binary "no drift").
+    // Falls back to the v0.16.2 shape when the server hasn't deployed
+    // the signals snapshot yet (older API response).
     const verbose = isVerboseMode(args);
     const diffNoChange = !hasUnexpectedDiff;
-    const headerDomain = result?.production?.domain || productionUrl;
-    const fakeReport = {
+    const prevSig = result?.preview?.signals || null;
+    const prodSig = result?.production?.signals || null;
+    // Brand header uses the production hostname (e.g. "quantapact.com")
+    // not the full Vercel preview URL, so the customer doesn't see
+    // "◆ Cipherwake — https://quantapact-k3y...vercel.app".
+    const headerDomain = result?.production?.hostname || result?.production?.domain || productionUrl;
+    // Synthesize a report-shaped object from the production-side signals
+    // snapshot so the existing trust-posture + verified-signals helpers
+    // (which read .score, .grade, .sectorRanking, .cookies, etc.) work
+    // without changes.
+    const reportLike = prodSig ? {
+      domain: headerDomain,
+      score: prodSig.score,
+      grade: prodSig.grade,
+      _meta: { lastChanged: prodSig.lastChanged },
+      sectorRanking: prodSig.sectorRanking,
+      publicDeps: prodSig.publicDeps ? { fetched: true, thirdParties: new Array(prodSig.publicDeps.thirdPartyCount || 0) } : null,
+      httpHeaders: prodSig.httpHeaders,
+      cookies: prodSig.cookies,
+      sourceMaps: prodSig.sourceMaps,
+      mixedContent: prodSig.mixedContent,
+      cert: prodSig.cert,
+      tlsVersion: prodSig.tlsVersion,
+      publicSurface: prodSig.publicSurface,
+      protectedPaths: prodSig.protectedPaths,
+    } : {
+      // Fallback: legacy server, only score/grade available.
       domain: headerDomain,
       score: prevScore,
       grade: result?.preview?.grade,
@@ -3185,7 +3339,7 @@ async function runPreviewDiffCommand(args) {
     const deltaLines = summaryLines.filter((l) => !/no meaningful/i.test(l));
 
     console.log("");
-    console.log(formatBrandHeader(headerDomain));
+    console.log(formatBrandHeader(headerDomain) + color("dim", "  (preview ↔ production)"));
     console.log("");
     console.log(formatDecisionPulse({ shipDecision, alertCount: deltaLines.length, unreachable: false, diffContext: true }));
 
@@ -3196,12 +3350,19 @@ async function runPreviewDiffCommand(args) {
       }
       if (deltaLines.length > 3) console.log(color("dim", `  +${deltaLines.length - 3} more (run with --verbose)`));
     }
-    const tpl = formatTrustPostureLine(fakeReport);
+    const tpl = formatTrustPostureLine(reportLike);
     if (tpl) console.log(tpl);
-    const vsl = formatVerifiedSignalsLine(fakeReport, { diffNoChange });
+    const vsl = formatVerifiedSignalsLine(reportLike, { diffNoChange });
     if (vsl) console.log(vsl);
+    // v0.16.3 — per-signal N vs N+1 comparison. Renders ALWAYS (default and
+    // --verbose), in different shapes:
+    //   - default: 1-line "9/9 signals match (preview ↔ production)" so the
+    //     customer sees the checks fired without scrolling
+    //   - --verbose: per-row table with both sides spelled out
+    const psl = formatPreviewDiffPerSignal(prevSig, prodSig, { verbose });
+    if (psl) console.log(psl);
     if (!verbose) {
-      console.log(color("dim", "  Run with --verbose to see all verified signals."));
+      console.log(color("dim", "  Run with --verbose to see per-signal breakdown."));
     }
 
     // (Old banner + body removed in v0.16.2; new high-yield layout above
@@ -3229,15 +3390,30 @@ async function runPreviewDiffCommand(args) {
     }));
     console.log("");
 
+    // v0.16.4 — write the data the statusline needs to render its
+    // 4-line preview-diff state (brand header + decision pulse + trust
+    // posture + verified signals). For non-preview-diff kinds we keep
+    // the 1-line statusline; only preview-diff gets the bigger format.
+    const verifiedSignalCats = (() => {
+      try { return countVerifiedSignals(reportLike).categories; } catch { return null; }
+    })();
     await writeLastScanFile({
-      domain: result?.production?.domain || productionUrl,
+      domain: result?.production?.hostname || result?.production?.domain || productionUrl,
       kind: "preview-diff",
       preview_url: previewUrl,
       production_url: productionUrl,
-      score: typeof prevScore === "number" ? prevScore : null,
+      // v0.16.4 — score/grade come from the PRODUCTION side so the trust
+      // posture line reflects the live customer site, not the in-flight
+      // preview. (Was prevScore before — wrong reference.)
+      score: typeof prodSig?.score === "number" ? prodSig.score : (typeof prevScore === "number" ? prevScore : null),
+      grade: prodSig?.grade || null,
       max_severity: maxSev,
       ship_decision: shipDecision,
       delta_count: summaryLines.filter((l) => !/no meaningful/i.test(l)).length,
+      diff_no_change: diffNoChange,
+      sector_ranking: prodSig?.sectorRanking || null,
+      verified_signal_categories: verifiedSignalCats,
+      last_changed: prodSig?.lastChanged || null,
     });
 
     process.exit(shipDecisionExitCode(shipDecision));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.16.2",
+  "version": "0.16.4",
   "description": "Deploy gate for AI-coded web apps. `pqcheck deploy-check --ai` returns ship_decision=pass|review|block for Claude Code / Cursor / Copilot / Aider to gate deploys before they ship. Anonymous, no signup, free for first use.",
   "keywords": [
     "ai-coder",