pqcheck 0.16.28 → 0.16.30

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -8,7 +8,7 @@
8
8
  [![npm downloads](https://img.shields.io/npm/dm/pqcheck.svg?style=flat-square&color=06b6d4)](https://www.npmjs.com/package/pqcheck)
9
9
  [![license](https://img.shields.io/npm/l/pqcheck.svg?style=flat-square&color=06b6d4)](./LICENSE)
10
10
 
11
- > **Latest: v0.16.28** — Cipherwake is now the independent gate that fires on every deploy. Catches: broken deploys (5xx / framework error / blank / landmark missing), leaked secrets (AWS / GitHub / Stripe / OpenAI / Supabase service-role JWTs with FP-discrimination that ignores `NEXT_PUBLIC_` / `pk_*` / anon JWTs), dropped cookie flags (HttpOnly / Secure / SameSite), missing required HTTP headers, sensitive-file leaks (`.env` / `.git/config` / `/api/debug`), **new public routes since last deploy** (AI accidentally shipped `/api/internal`), **new third-party scripts** (supply-chain alert), and **TLS cert expiring soon**. Blocks the deploy before the AI announces it. Local stats (`pqcheck stats`) your results stay on your machine, no telemetry. All in-lane: public surface, no credentials, provider-neutral. [Full changelog →](./CHANGELOG.md)
11
+ > **Latest: v0.16.30** — Three asks from external dogfood feedback after a draft-route resolver bug shipped 9 new `/preview/*` routes to prod undetected. **(1)** Broader surface-diff: sitemap.xml + homepage-anchor discovery feed into the snapshot so "+9 new public routes since baseline" surfaces at info severity (default-quiet, never gates). **(2)** Glob support: `.cipherwake.json` now accepts `/preview/*` and `/admin/**` patterns escalation is opt-in via declared assertion. **(3)** Scope honesty: `scope_note` now explicit that `pass` doesn't claim every-route inventory is current. The customer's "low-noise discipline is the asset" preserved: route-surface drift is info-only; gating requires explicit declared assertions. [Full changelog →](./CHANGELOG.md)
12
12
 
13
13
  ## Two ways to use it
14
14
 
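Review bot: the new "Latest" blurb in this hunk is missing punctuation in item (2): "accepts `/preview/*` and `/admin/**` patterns escalation is opt-in via declared assertion" needs a break after "patterns" (a colon or semicolon) or it reads as one run-on clause, and the closing sentence "The customer's 'low-noise discipline is the asset' preserved" is missing a verb ("is preserved"). Since this paragraph is the only place the README mentions glob assertions, consider also adding the one-line declaration syntax here (the scope_note in bin/pqcheck.js uses `/preview/* expect:missing`), so a reader can act on "escalation is opt-in via declared assertion" without reading the source.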
package/bin/pqcheck.js CHANGED
@@ -4004,7 +4004,7 @@ async function runTrustDiffCommand(args) {
4004
4004
  scanned_at: new Date().toISOString(),
4005
4005
  advisory_only: "true",
4006
4006
  scope: strictPosture ? "trust_surface_drift_plus_absolute_posture_plus_route_assertions_plus_health" : "trust_surface_drift_plus_route_assertions_plus_health",
4007
- scope_note: "ship_decision = worst-of(drift, route_assertions, deploy_health, secret_scan, cookie_invariants" + (strictPosture ? ", absolute_posture)" : ")") + ". Cipherwake checked the public trust surface independently of what your AI coder claims; this is the gate that should fire before the AI announces a deploy. Cipherwake does NOT verify app functionality.",
4007
+ scope_note: "ship_decision = worst-of(drift, route_assertions, deploy_health, secret_scan, cookie_invariants" + (strictPosture ? ", absolute_posture)" : ")") + ". `pass` means: trust/crypto posture stable + declared assertions hold + homepage healthy + no leaked secrets found + declared sensitive paths still gated. `pass` does NOT mean: every public-route inventory is current, nor that no content/authorization leak exists outside the assertion set. Surface-diff additions (new routes / scripts) emit at info severity for human review — they never gate. To make a route class gate, declare a glob assertion (e.g. `/preview/* expect:missing`). Cipherwake does NOT verify app functionality.",
4008
4008
  narrative: routeAssertions
4009
4009
  ? buildTrustDiffNarrative({
4010
4010
  deltaCount: deltas.length,
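Review bot: the rewritten `scope_note` string now carries three distinct contracts (what `pass` means, what it does not mean, and how to make a route class gate) in one free-text field that the `--ai` consumers described in package.json are expected to parse; splitting it into structured fields (for example a `pass_means` list, a `pass_does_not_mean` list, and a `gate_example`) would keep the machine-facing report stable while the wording evolves. The glob assertion syntax `/preview/* expect:missing` is introduced here for the first time in this diff and is not documented in the README hunk above, so either document it there or reference where the assertion grammar lives. The concatenation with `(strictPosture ? ", absolute_posture)" : ")")` still closes the `worst-of(` parenthesis correctly in both branches.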
@@ -4029,9 +4029,17 @@ async function runTrustDiffCommand(args) {
4029
4029
  const { recordResults, recordSurfaceSnapshot } = await import(new URL("./statsTracker.js", import.meta.url).href);
4030
4030
  await recordResults(extractStatsEntries(routeAssertions));
4031
4031
  // Extract publicRoutes + thirdPartyHosts from the report for snapshot
4032
- const publicRoutes = Array.isArray(currentReport?.publicRoutes?.paths)
4032
+ // R91 (2026-06-06) — broader discovery: merge common-public probe
4033
+ // results with sitemap + homepage-anchor discovered routes so the
4034
+ // surface-diff catches NEW marketing/preview routes (the seatcheck
4035
+ // case from external dogfood feedback).
4036
+ const probedPublic = Array.isArray(currentReport?.publicRoutes?.paths)
4033
4037
  ? currentReport.publicRoutes.paths.filter((p) => p.classification === "public").map((p) => p.path)
4034
4038
  : [];
4039
+ const discovered = Array.isArray(routeAssertions?.discoveredRoutes)
4040
+ ? routeAssertions.discoveredRoutes
4041
+ : [];
4042
+ const publicRoutes = [...new Set([...probedPublic, ...discovered])].sort();
4035
4043
  const thirdPartyHosts = Array.isArray(currentReport?.publicDeps?.thirdParties)
4036
4044
  ? [...new Set(currentReport.publicDeps.thirdParties.map((t) => t.host).filter(Boolean))]
4037
4045
  : [];
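Review bot: `discovered` (sitemap and homepage-anchor routes) is merged into `publicRoutes` without any normalization or same-origin filtering before it enters the snapshot, while `probedPublic` comes from the classified probe results; if discovered entries can carry trailing slashes, query strings, fragments, or absolute URLs to other hosts, the surface-diff will report them as "new public routes" relative to a baseline built from probe paths, which works against the low-noise goal stated in the README hunk. Suggest normalizing each discovered route (strip origin, query and fragment, collapse trailing slash) and dropping off-origin targets before `new Set([...probedPublic, ...discovered])`. Separately, because the snapshot now includes routes the previous version never recorded, the first run after upgrading will surface every sitemap route as new against an older baseline; a one-time re-baseline hint in the info-severity output, or a note in the CHANGELOG, would prevent that from being read as drift.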
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "pqcheck",
3
- "version": "0.16.28",
3
+ "version": "0.16.30",
4
4
  "description": "Deploy gate for AI-coded web apps. `pqcheck deploy-check --ai` returns ship_decision=pass|review|block for Claude Code / Cursor / Copilot / Aider to gate deploys before they ship. Anonymous, no signup, free for first use.",
5
5
  "keywords": [
6
6
  "ai-coder",
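Review bot: the version jumps from 0.16.28 to 0.16.30 with no 0.16.29 in this diff; the README "Latest" line and the `[Full changelog →](./CHANGELOG.md)` link should cover both versions so a reader comparing against 0.16.28 can see what the skipped release contained. The `description` field is unchanged, which is consistent with the README edits (the surface-diff and glob additions are behaviour, not a new entry point).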