pqcheck 0.16.20 → 0.16.22

package/README.md

@@ -8,7 +8,7 @@
 [![npm downloads](https://img.shields.io/npm/dm/pqcheck.svg?style=flat-square&color=06b6d4)](https://www.npmjs.com/package/pqcheck)
 [![license](https://img.shields.io/npm/l/pqcheck.svg?style=flat-square&color=06b6d4)](./LICENSE)
 
-> **Latest: v0.16.20** — `pqcheck deploy-check --ai` now adds an absolute posture grade (A+ → F, strict SSL-Labs rubric over CSP / HSTS / X-Frame-Options / X-Content-Type-Options / Referrer-Policy / Permissions-Policy + `x-powered-by` leak) alongside the existing drift-only `ship_decision`. Grade D/F sets `posture_decision=block` so AI coders gate posture failures even on a clean drift. Adds `scope_note` (drift pass ≠ functional verification) and surfaces ready-to-paste fix snippets (Next.js / vercel.json / Express). Watched-domain monitoring also gains `posture_regression` + `cert_expiring` alerts. [Full changelog →](./CHANGELOG.md)
+> **Latest: v0.16.22** — Drift gates, posture advises. Default `ship_decision` reverts to drift-only (the right per-deploy regression gate); posture grade is surfaced as a one-line advisory + ready-to-paste fix snippets, NOT as an auto-block. A site that's been D-posture for months hasn't regressed on today's deploy; gating it every time trains people to ignore the gate. Once your site reaches A/B posture, pass `--strict-posture` as the "lock it in, prevent backsliding" gate. New `ship_decision_drift` / `ship_decision_posture` / `ship_decision_mode` fields make both signals visible. [Full changelog →](./CHANGELOG.md)
 
 ## Two ways to use it
 

package/bin/pqcheck.js

@@ -290,17 +290,23 @@ async function main() {
   const fresh = args.includes("--fresh") || args.includes("--force");
   const aiMode = parseAiMode(args);
   const verbose = isVerboseMode(args);  // v0.16.0 — opt-in detailed panel
+  // R86.4 (2026-06-03) — strict-posture opt-in. Default ship_decision is
+  // drift-only (per-deploy regression gate); --strict-posture folds the
+  // absolute posture grade into ship_decision. Recommended ONLY after a
+  // site reaches A/B posture — opting in earlier produces cry-wolf gating
+  // on every deploy since most AI-coded sites grade D/F out of the box.
+  const strictPosture = args.includes("--strict-posture");
 
   // One-shot scan(s)
   let worstExit = 0;
   for (const domain of domains) {
-    const exit = await runOneScan({ domain, format, quiet, threshold, webhookUrl, multi: domains.length > 1, fresh, aiMode, verbose });
+    const exit = await runOneScan({ domain, format, quiet, threshold, webhookUrl, multi: domains.length > 1, fresh, aiMode, verbose, strictPosture });
     if (exit > worstExit) worstExit = exit;
   }
   process.exit(worstExit);
 }
 
-async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi, fresh, aiMode, verbose }) {
+async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi, fresh, aiMode, verbose, strictPosture }) {
   if (!quiet && format === "text") process.stderr.write(color("dim", `Scanning ${domain}${fresh ? " (forcing fresh)" : ""} ...`));
   let report;
   try {
@@ -511,28 +517,39 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi,
       posture_findings_count: (posture.findings || []).length,
       posture_fixes_count: (posture.fixes || []).length,
     } : {};
+    // R86.2 (2026-06-03) — see combineShipDecision: posture is advisory by
+    // default, gated when --strict-posture is passed.
+    const effectiveShip = combineShipDecision(shipDecision, posture?.decision, { strict: strictPosture });
+    // R86.5 — surface posture advisory line so D/F posture is never silently
+    // blessed under the drift-only default.
+    const postureAdvisory = formatPostureAdvisoryLine(posture, strictPosture);
+    if (postureAdvisory) console.log(postureAdvisory);
     console.log(formatAiFooterBlock({
-      status: shipDecision,
+      status: effectiveShip,
       domain,
       kind: "scan",
-      dbr: typeof report.score === "number" ? report.score.toFixed(1) : "",
-      grade: report.grade || "",
+      dbr: typeof report.score === "number" ? report.score.toFixed(1) : undefined,
+      grade: report.grade || undefined,
       max_severity: maxSev,
-      ship_decision: shipDecision,
+      ship_decision: effectiveShip,
+      ship_decision_drift: shipDecision,
+      ship_decision_posture: posture?.decision,
+      ship_decision_mode: strictPosture ? "strict_posture" : "drift_only",
       unreachable: unreachable ? "true" : "false",
       top_issue: topFinding?.id || topFinding?.title || "none",
       findings_high: findings.filter((f) => severityRank(f.severity) === 3).length,
       findings_critical: findings.filter((f) => severityRank(f.severity) === 4).length,
       scanned_at: new Date().toISOString(),
       advisory_only: "true",
-      // R85 (2026-06-03) — scope honesty disclaimer. pass = trust surface
-      // stable, NOT app functionality. Agents that follow the protocol must
-      // see this so they don't announce a deploy whose signup is broken
-      // (the exact bug the user reported on socialideagen 2026-06-02).
-      scope: "trust_surface_drift",
-      scope_note: "ship_decision=pass means public trust surface stable. Does NOT verify app functionality. Pair with functional checks (e.g. Playwright e2e) for full deploy safety.",
+      scope: strictPosture ? "trust_surface_drift_plus_absolute_posture" : "trust_surface_drift",
+      scope_note: strictPosture
+        ? "ship_decision = worst-of(drift, absolute posture) because --strict-posture is set. pass means BOTH no drift AND posture grade A+/A. ship_decision_drift and ship_decision_posture expose the two inputs separately. Cipherwake does NOT verify app functionality — pair with Playwright e2e for full deploy safety."
+        : "ship_decision reflects DRIFT only by default (per-deploy regression gate). Posture grade is surfaced via posture_decision / ship_decision_posture as advisory — D/F posture does NOT auto-block. Once your site reaches A/B posture, pass --strict-posture to lock that in. Cipherwake does NOT verify app functionality.",
       ...postureFields,
     }));
+    if (posture && Array.isArray(posture.fixes) && posture.fixes.length > 0) {
+      console.log(formatPostureFixesBlock(posture.fixes));
+    }
     console.log("");
 
     // Threshold check still applies under --ai (script-pipeable). Otherwise
@@ -540,7 +557,7 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi,
     if (threshold !== null && typeof report.score === "number" && report.score >= threshold) {
       return 2;
     }
-    return shipDecisionExitCode(shipDecision);
+    return shipDecisionExitCode(effectiveShip);
   }
 
   // Output dispatch
@@ -571,6 +588,14 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi,
   } else {
     if (multi) console.log(color("dim", `\n──── ${domain} ────`));
     printReport(report);
+    // R86.5 — posture advisory line so D/F posture is never silently blessed
+    // in human output either. Posture is advisory, not gating.
+    const postureAdvisory = formatPostureAdvisoryLine(report.posture, strictPosture);
+    if (postureAdvisory) {
+      console.log("");
+      console.log(postureAdvisory);
+      console.log(color("dim", "  See /methodology/posture-grading for the rubric + fix snippets."));
+    }
   }
 
   if (threshold !== null && typeof report.score === "number" && report.score >= threshold) {
@@ -736,6 +761,69 @@ function highestSeverity(findings) {
   return best;
 }
 
+// R86.5 (2026-06-03) — posture advisory line. Posture is a STANDING property,
+// not a per-deploy regression signal, so gating every deploy on it is cry-wolf
+// by construction. The drift-only ship_decision is the right default gate
+// (fires on regression). This helper surfaces posture grade + a one-line fix
+// nudge alongside the gate result — customer sees the grade, sees the fix
+// path, is NOT blocked on every deploy. Only customers who have reached A/B
+// posture opt into --strict-posture to lock that in.
+function formatPostureAdvisoryLine(posture, strictPosture) {
+  if (!posture) return "";
+  if (strictPosture) return ""; // strict mode already gates; redundant
+  const decision = posture.decision;
+  if (decision !== "block" && decision !== "review") return ""; // A+/A — no advisory
+  const grade = posture.grade || "?";
+  const score = typeof posture.score === "number" ? posture.score : "?";
+  const fixCount = Array.isArray(posture.fixes) ? posture.fixes.length : 0;
+  const colorName = decision === "block" ? "red" : "yellow";
+  const icon = decision === "block" ? "●" : "○";
+  const nudge = fixCount > 0
+    ? `${fixCount} ready-to-paste fix${fixCount === 1 ? "" : "es"} in CIPHERWAKE_POSTURE_FIXES`
+    : "see /methodology/posture-grading";
+  return color(colorName, `  ${icon} Posture: ${grade} (score ${score}) — advisory, not gating. ${nudge}.`);
+}
+
+// R86.2 / R86.4 (2026-06-03) — combine drift + posture into ship_decision.
+// Default (strict=false): drift only. Posture grade is surfaced via separate
+// fields and the advisory line but does NOT promote drift's decision —
+// because most AI-coded sites grade D/F out of the box, making posture-gating
+// the default would cry-wolf on every deploy of every header-less site,
+// training people to ignore the gate. --strict-posture opts in for teams
+// who've already fixed posture and want to prevent backsliding.
+const SHIP_DECISION_RANK = { pass: 0, review: 1, block: 2 };
+function combineShipDecision(driftDecision, postureDecision, { strict = false } = {}) {
+  if (!postureDecision || !strict) return driftDecision;
+  const a = SHIP_DECISION_RANK[driftDecision] ?? 0;
+  const b = SHIP_DECISION_RANK[postureDecision] ?? 0;
+  return a >= b ? driftDecision : postureDecision;
+}
+
+// R86.3 (2026-06-03) — emit per-finding fix snippets in a separate parseable
+// block after the AI guard block. The guard block stays compact key=value;
+// fixes are multi-line code so they get their own block with explicit
+// start/end markers + per-fix delimiters. Agents parse + apply without
+// round-tripping to JSON.
+function formatPostureFixesBlock(fixes) {
+  if (!Array.isArray(fixes) || fixes.length === 0) return "";
+  const lines = ["", "CIPHERWAKE_POSTURE_FIXES"];
+  for (let i = 0; i < fixes.length; i++) {
+    const f = fixes[i] || {};
+    lines.push(`--- FIX ${i + 1} ---`);
+    lines.push(`finding_id=${String(f.finding_id || "").replace(/[\r\n]+/g, " ")}`);
+    lines.push(`title=${String(f.title || "").replace(/[\r\n]+/g, " ")}`);
+    lines.push(`framework=${String(f.framework || "").replace(/[\r\n]+/g, " ")}`);
+    lines.push(`file_target=${String(f.file_target || "").replace(/[\r\n]+/g, " ")}`);
+    lines.push("snippet:");
+    const snippet = String(f.snippet || "");
+    for (const line of snippet.split(/\r?\n/)) {
+      lines.push(line);
+    }
+  }
+  lines.push("END_CIPHERWAKE_POSTURE_FIXES");
+  return color("dim", lines.join("\n"));
+}
+
 // Compute ship_decision: pass | review | block.
 // Used in three contexts:
 //   - one-shot scan: severity-only, no diff baseline
@@ -3292,6 +3380,11 @@ async function runTrustDiffCommand(args) {
   const baseline = parseFlag(args, "--baseline") || "last-week";
   const failOn = parseFlag(args, "--fail-on") || "high";
   const format = parseFlag(args, "--format") || "pretty";
+  // R86.4 (2026-06-03) — see runOneScan for rationale. Default ship_decision
+  // is drift-only (per-deploy regression gate); --strict-posture opts into
+  // worst-of(drift, posture). Recommended only after a site reaches A/B
+  // posture to lock that in.
+  const strictPosture = args.includes("--strict-posture");
 
   // Build headers conditionally — Authorization is set ONLY if the user has
   // an API key. Without it, the server's applyRepoQuota falls through to the
@@ -3437,31 +3530,41 @@ async function runTrustDiffCommand(args) {
       posture_findings_count: (posture.findings || []).length,
       posture_fixes_count: (posture.fixes || []).length,
     } : {};
+    // R86.2 / R86.4 — see combineShipDecision: posture is advisory by default,
+    // gated only when --strict-posture is passed.
+    const effectiveShip = combineShipDecision(shipDecision, posture?.decision, { strict: strictPosture });
+    // R86.5 — surface posture advisory line in default (non-strict) mode.
+    const postureAdvisory = formatPostureAdvisoryLine(posture, strictPosture);
+    if (postureAdvisory) console.log(postureAdvisory);
     console.log(formatAiFooterBlock({
-      status: shipDecision,
+      status: effectiveShip,
       domain,
       kind: "trust-diff",
       baseline,
       verdict,
       delta_count: deltas.length,
       max_severity: maxSev,
-      ship_decision: shipDecision,
+      ship_decision: effectiveShip,
+      ship_decision_drift: shipDecision,
+      ship_decision_posture: posture?.decision,
+      ship_decision_mode: strictPosture ? "strict_posture" : "drift_only",
       top_issue: topDelta?.id || topDelta?.type || "none",
-      top_issue_title: topDelta?.title || "",
-      dbr: typeof result.current_score === "number" ? result.current_score.toFixed(1) : "",
-      grade: result.current_grade || "",
-      quota_used: result.quota?.used_this_month ?? "",
-      quota_limit: result.quota?.monthly_limit ?? "",
+      top_issue_title: topDelta?.title || undefined,
+      dbr: typeof result.current_score === "number" ? result.current_score.toFixed(1) : undefined,
+      grade: result.current_grade || undefined,
+      quota_used: result.quota?.used_this_month ?? undefined,
+      quota_limit: result.quota?.monthly_limit ?? undefined,
       scanned_at: new Date().toISOString(),
       advisory_only: "true",
-      // R85 — scope honesty disclaimer (per build brief 2026-06-03).
-      // ship_decision=pass means trust surface stable, NOT app functions.
-      // Agents must see this so they don't announce a deploy whose signup
-      // is broken (the exact bug socialideagen had on 2026-06-02).
-      scope: "trust_surface_drift",
-      scope_note: "ship_decision=pass means public trust surface stable. Does NOT verify app functionality. Pair with functional checks for full deploy safety.",
+      scope: strictPosture ? "trust_surface_drift_plus_absolute_posture" : "trust_surface_drift",
+      scope_note: strictPosture
+        ? "ship_decision = worst-of(drift, absolute posture) because --strict-posture is set. pass means BOTH no drift AND posture grade A+/A. ship_decision_drift and ship_decision_posture expose the two inputs separately. Cipherwake does NOT verify app functionality — pair with Playwright e2e for full deploy safety."
+        : "ship_decision reflects DRIFT only by default (per-deploy regression gate). Posture grade is surfaced via posture_decision / ship_decision_posture as advisory — D/F posture does NOT auto-block. Once your site reaches A/B posture, pass --strict-posture to lock that in. Cipherwake does NOT verify app functionality.",
       ...postureFields,
     }));
+    if (posture && Array.isArray(posture.fixes) && posture.fixes.length > 0) {
+      console.log(formatPostureFixesBlock(posture.fixes));
+    }
     console.log("");
 
     await writeLastScanFile({
@@ -3470,13 +3573,13 @@ async function runTrustDiffCommand(args) {
       score: typeof result.current_score === "number" ? result.current_score : null,
       grade: result.current_grade || null,
       max_severity: maxSev,
-      ship_decision: shipDecision,
+      ship_decision: effectiveShip,
       baseline,
       delta_count: deltas.length,
       top_issue: topDelta?.id || topDelta?.title || null,
     });
 
-    process.exit(shipDecisionExitCode(shipDecision));
+    process.exit(shipDecisionExitCode(effectiveShip));
   }
 
   // Format output

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.16.20",
+  "version": "0.16.22",
   "description": "Deploy gate for AI-coded web apps. `pqcheck deploy-check --ai` returns ship_decision=pass|review|block for Claude Code / Cursor / Copilot / Aider to gate deploys before they ship. Anonymous, no signup, free for first use.",
   "keywords": [
     "ai-coder",