pqcheck 0.16.29 → 0.16.30

package/README.md CHANGED
@@ -8,7 +8,7 @@
  [![npm downloads](https://img.shields.io/npm/dm/pqcheck.svg?style=flat-square&color=06b6d4)](https://www.npmjs.com/package/pqcheck)
  [![license](https://img.shields.io/npm/l/pqcheck.svg?style=flat-square&color=06b6d4)](./LICENSE)
 
- > **Latest: v0.16.29** — Fixed a high-volume false positive caught by external testing: WAF-mitigated 403s on `/wp-admin` (and any `expect: missing` default) were firing as "WordPress leak" on every Vercel/Cloudflare-hosted non-WP app. The probe now detects `x-vercel-mitigated` / `cf-mitigated` headers and classifies them as `blocked` (not `protected`). And `expect: missing` now semantically means "not reachable to anonymous users" 404/401/403/3xx/WAF-block all satisfy; only 200-serving-content fails. Every catastrophic catch (`.env` leak at 200, real WP at 200, public `/api/admin`) preserved. Verified with 23 new tests covering all classification × expectation combinations. [Full changelog →](./CHANGELOG.md)
+ > **Latest: v0.16.30** — Three asks from external dogfood feedback after a draft-route resolver bug shipped 9 new `/preview/*` routes to prod undetected. **(1)** Broader surface-diff: sitemap.xml + homepage-anchor discovery feed into the snapshot so "+9 new public routes since baseline" surfaces at info severity (default-quiet, never gates). **(2)** Glob support: `.cipherwake.json` now accepts `/preview/*` and `/admin/**` patterns escalation is opt-in via declared assertion. **(3)** Scope honesty: `scope_note` now explicit that `pass` doesn't claim every-route inventory is current. The customer's "low-noise discipline is the asset" preserved: route-surface drift is info-only; gating requires explicit declared assertions. [Full changelog →](./CHANGELOG.md)
 
  ## Two ways to use it
 
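Review bot: the new banner line reads "`.cipherwake.json` now accepts `/preview/*` and `/admin/**` patterns escalation is opt-in via declared assertion"; a separator is missing between "patterns" and "escalation" (a semicolon or a full stop), and the sentence should state what `*` and `**` match (one path segment vs. any depth), since that decides whether `/preview/*` covers `/preview/a/b`. The banner also points readers to `./CHANGELOG.md` for the 0.16.30 entry, but no CHANGELOG.md change appears in this diff (only README.md, bin/pqcheck.js and package.json changed); confirm the changelog was updated, or that the file is deliberately excluded from the published package.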
package/bin/pqcheck.js CHANGED
@@ -4004,7 +4004,7 @@ async function runTrustDiffCommand(args) {
  scanned_at: new Date().toISOString(),
  advisory_only: "true",
  scope: strictPosture ? "trust_surface_drift_plus_absolute_posture_plus_route_assertions_plus_health" : "trust_surface_drift_plus_route_assertions_plus_health",
- scope_note: "ship_decision = worst-of(drift, route_assertions, deploy_health, secret_scan, cookie_invariants" + (strictPosture ? ", absolute_posture)" : ")") + ". Cipherwake checked the public trust surface independently of what your AI coder claims; this is the gate that should fire before the AI announces a deploy. Cipherwake does NOT verify app functionality.",
+ scope_note: "ship_decision = worst-of(drift, route_assertions, deploy_health, secret_scan, cookie_invariants" + (strictPosture ? ", absolute_posture)" : ")") + ". `pass` means: trust/crypto posture stable + declared assertions hold + homepage healthy + no leaked secrets found + declared sensitive paths still gated. `pass` does NOT mean: every public-route inventory is current, nor that no content/authorization leak exists outside the assertion set. Surface-diff additions (new routes / scripts) emit at info severity for human review — they never gate. To make a route class gate, declare a glob assertion (e.g. `/preview/* expect:missing`). Cipherwake does NOT verify app functionality.",
  narrative: routeAssertions
  ? buildTrustDiffNarrative({
  deltaCount: deltas.length,
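Review bot: `scope_note` is now a several-hundred-character string built by concatenation on a single line, and its wording (the definition of `pass`, the `/preview/* expect:missing` glob example) duplicates the README banner; consider assembling it from an array of sentences with `.join(" ")`, and taking the assertion-syntax example from the same place the glob matcher is defined, so the two cannot drift apart when the semantics change. While here: the adjacent context line `advisory_only: "true"` emits a string, not a boolean, so any consumer checking `advisory_only === true` will never match; if a string is intentional for a string-typed schema, a short comment saying so would stop the next reader from "fixing" it.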
@@ -4029,9 +4029,17 @@ async function runTrustDiffCommand(args) {
  const { recordResults, recordSurfaceSnapshot } = await import(new URL("./statsTracker.js", import.meta.url).href);
  await recordResults(extractStatsEntries(routeAssertions));
  // Extract publicRoutes + thirdPartyHosts from the report for snapshot
- const publicRoutes = Array.isArray(currentReport?.publicRoutes?.paths)
+ // R91 (2026-06-06) — broader discovery: merge common-public probe
+ // results with sitemap + homepage-anchor discovered routes so the
+ // surface-diff catches NEW marketing/preview routes (the seatcheck
+ // case from external dogfood feedback).
+ const probedPublic = Array.isArray(currentReport?.publicRoutes?.paths)
  ? currentReport.publicRoutes.paths.filter((p) => p.classification === "public").map((p) => p.path)
  : [];
+ const discovered = Array.isArray(routeAssertions?.discoveredRoutes)
+ ? routeAssertions.discoveredRoutes
+ : [];
+ const publicRoutes = [...new Set([...probedPublic, ...discovered])].sort();
  const thirdPartyHosts = Array.isArray(currentReport?.publicDeps?.thirdParties)
  ? [...new Set(currentReport.publicDeps.thirdParties.map((t) => t.host).filter(Boolean))]
  : [];
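Review bot: `discovered` is spread into the Set with no normalisation or origin filtering, so sitemap entries and homepage anchors that are absolute URLs, carry a query string, or differ from a probed path only by a trailing slash will not dedupe against `probedPublic` and will each surface as a "new public route"; off-origin anchors on the homepage would be counted as well, and a large sitemap could inflate the snapshot considerably. Suggest passing each discovered entry through the same path normaliser the probe uses (drop origin and query, keep same-origin only, strip the trailing slash) before `new Set([...probedPublic, ...discovered])`, and guarding that each entry is a string, e.g. `.filter((r) => typeof r === "string")`. Also worth flagging for the changelog: `publicRoutes` now records routes that older snapshots never contained, so the first run of this command after upgrading will report all of them as additions against an existing baseline; the README says surface-diff additions are info-only and never gate, so that is acceptable, but users should be told to expect it.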
package/package.json CHANGED
@@ -1,6 +1,6 @@
  {
  "name": "pqcheck",
- "version": "0.16.29",
+ "version": "0.16.30",
  "description": "Deploy gate for AI-coded web apps. `pqcheck deploy-check --ai` returns ship_decision=pass|review|block for Claude Code / Cursor / Copilot / Aider to gate deploys before they ship. Anonymous, no signup, free for first use.",
  "keywords": [
  "ai-coder",