pqcheck 0.16.29 → 0.16.31

package/README.md

@@ -8,7 +8,7 @@
 [![npm downloads](https://img.shields.io/npm/dm/pqcheck.svg?style=flat-square&color=06b6d4)](https://www.npmjs.com/package/pqcheck)
 [![license](https://img.shields.io/npm/l/pqcheck.svg?style=flat-square&color=06b6d4)](./LICENSE)
 
-> **Latest: v0.16.29** — Fixed a high-volume false positive caught by external testing: WAF-mitigated 403s on `/wp-admin` (and any `expect: missing` default) were firing as "WordPress leak" on every Vercel/Cloudflare-hosted non-WP app. The probe now detects `x-vercel-mitigated` / `cf-mitigated` headers and classifies them as `blocked` (not `protected`). And `expect: missing` now semantically means "not reachable to anonymous users" — 404/401/403/3xx/WAF-block all satisfy; only 200-serving-content fails. Every catastrophic catch (`.env` leak at 200, real WP at 200, public `/api/admin`) preserved. Verified with 23 new tests covering all classification × expectation combinations. [Full changelog →](./CHANGELOG.md)
+> **Latest: v0.16.31** — `--fresh` now actually refreshes posture. External dogfood bug: a customer deployed CSP/HSTS/X-Frame-Options/X-Content-Type-Options/Referrer-Policy/Permissions-Policy via Next.js, verified all six on the wire with curl, and `pqcheck deploy-check --fresh` continued to report `posture_grade=D` + `posture_leaks=x-powered-by: Next.js` — directly contradicting reality. Root cause: the CLI silently dropped `--fresh` from the trust-diff request body. Now plumbed through end-to-end. Every response carries `fresh_status` (`applied | rate_limited | unauthenticated | unavailable | not_requested`) so callers route on whether the posture is current — no more silent stale reads. `--verbose` emits a `CIPHERWAKE_SCANNER_OBSERVED` block with the actual headers, final URL, and status the grade was computed from, so customers can diff "what Cipherwake saw" vs `curl -I` instantly. [Full changelog →](./CHANGELOG.md)
 
 ## Two ways to use it
 

package/bin/pqcheck.js

@@ -3770,6 +3770,12 @@ async function runTrustDiffCommand(args) {
   const baseline = parseFlag(args, "--baseline") || "last-week";
   const failOn = parseFlag(args, "--fail-on") || "high";
   const format = parseFlag(args, "--format") || "pretty";
+  // R92 (2026-06-06) — --fresh + --verbose were silently dropped by the
+  // CLI before R92. The result: `pqcheck deploy-check <D> --fresh` ran but
+  // returned stale posture from scan_cache. After R92 they're plumbed
+  // through to /api/trust-diff body so the server can act on them.
+  const fresh = args.includes("--fresh") || args.includes("--force");
+  const verbose = args.includes("--verbose");
   // R86.4 (2026-06-03) — see runOneScan for rationale. Default ship_decision
   // is drift-only (per-deploy regression gate); --strict-posture opts into
   // worst-of(drift, posture). Recommended only after a site reaches A/B
@@ -3799,7 +3805,17 @@ async function runTrustDiffCommand(args) {
     resp = await fetch(`${API_BASE}/api/trust-diff`, {
       method: "POST",
       headers,
-      body: JSON.stringify({ domain, baseline, fail_on: failOn, routeAssertionsConfig: _routeCfg }),
+      body: JSON.stringify({
+        domain,
+        baseline,
+        fail_on: failOn,
+        routeAssertionsConfig: _routeCfg,
+        // R92 (2026-06-06) — pass --fresh + --verbose through to server.
+        // Server returns `fresh_status` so caller can route on
+        // applied | rate_limited | unauthenticated | unavailable | not_requested.
+        fresh,
+        verbose,
+      }),
     });
   } catch (err) {
     console.error(color("red", `error: network failure calling /api/trust-diff: ${err.message}`));
@@ -3856,6 +3872,45 @@ async function runTrustDiffCommand(args) {
   const result = await resp.json();
   const verdict = result.verdict || "pass";
   const deltas = Array.isArray(result.deltas) ? result.deltas : [];
+  // R92 (2026-06-06) — surface non-applied fresh status BEFORE any verdict
+  // rendering so the customer sees the staleness warning at the top, not
+  // after the (potentially stale) grade. Three failure modes get their own
+  // explanation since they imply different next actions.
+  const freshStatus = typeof result.fresh_status === "string" ? result.fresh_status : "not_requested";
+  if (fresh && freshStatus !== "applied" && freshStatus !== "not_requested") {
+    const why = freshStatus === "rate_limited"
+      ? "fresh-scan per-IP cap reached (20/hr). The posture below is from the last cached scan — re-run after the cap window, or accept the cached read for now."
+      : freshStatus === "unauthenticated"
+        ? "fresh-scan requires an API key (free tier inclusive). Set CIPHERWAKE_API_KEY or run via OIDC; without it, --fresh silently downgrades to cached. https://cipherwake.io/account#api-keys"
+        : freshStatus === "unavailable"
+          ? "fresh-scan path failed mid-run. The posture below is from the last cached scan — re-run to retry."
+          : `fresh request returned status=${freshStatus}.`;
+    console.error("");
+    console.error(color("yellow", `⚠ --fresh requested but NOT applied: ${why}`));
+    console.error("");
+  }
+  // R92 — scanner_observed (verbose mode). Surfaces the actual headers /
+  // final URL / status that Cipherwake's posture grade was computed from,
+  // so a customer can diff against `curl -I` and catch a stale or
+  // wrong-target read instantly.
+  if (verbose && result.scanner_observed) {
+    const obs = result.scanner_observed;
+    console.log("");
+    console.log(color("dim", "CIPHERWAKE_SCANNER_OBSERVED"));
+    console.log(color("dim", `final_url=${obs.final_url ?? "<unknown>"}`));
+    console.log(color("dim", `final_status=${obs.final_status ?? "<unknown>"}`));
+    console.log(color("dim", `fetched_at=${obs.fetched_at}`));
+    if (obs.headers && typeof obs.headers === "object") {
+      const headerKeys = Object.keys(obs.headers).sort();
+      for (const k of headerKeys) {
+        const v = obs.headers[k];
+        const val = Array.isArray(v) ? v.join(", ") : (v == null ? "" : String(v));
+        console.log(color("dim", `header.${k}=${val}`));
+      }
+    }
+    console.log(color("dim", "END_CIPHERWAKE_SCANNER_OBSERVED"));
+    console.log("");
+  }
 
   // AI Coder Mode — three-layer output (banner / body / structured block).
   if (parseAiMode(args)) {
@@ -4004,7 +4059,7 @@ async function runTrustDiffCommand(args) {
       scanned_at: new Date().toISOString(),
       advisory_only: "true",
       scope: strictPosture ? "trust_surface_drift_plus_absolute_posture_plus_route_assertions_plus_health" : "trust_surface_drift_plus_route_assertions_plus_health",
-      scope_note: "ship_decision = worst-of(drift, route_assertions, deploy_health, secret_scan, cookie_invariants" + (strictPosture ? ", absolute_posture)" : ")") + ". Cipherwake checked the public trust surface independently of what your AI coder claims; this is the gate that should fire before the AI announces a deploy. Cipherwake does NOT verify app functionality.",
+      scope_note: "ship_decision = worst-of(drift, route_assertions, deploy_health, secret_scan, cookie_invariants" + (strictPosture ? ", absolute_posture)" : ")") + ". `pass` means: trust/crypto posture stable + declared assertions hold + homepage healthy + no leaked secrets found + declared sensitive paths still gated. `pass` does NOT mean: every public-route inventory is current, nor that no content/authorization leak exists outside the assertion set. Surface-diff additions (new routes / scripts) emit at info severity for human review — they never gate. To make a route class gate, declare a glob assertion (e.g. `/preview/* expect:missing`). Cipherwake does NOT verify app functionality.",
       narrative: routeAssertions
         ? buildTrustDiffNarrative({
             deltaCount: deltas.length,
@@ -4020,6 +4075,13 @@ async function runTrustDiffCommand(args) {
         : undefined,
       ...assertionFields,
       ...postureFields,
+      // R92 — every CIPHERWAKE_AI_GUARD_RESULT block now carries fresh_status
+      // so MCP servers / Aider / Cursor / Claude Code can route programmatically:
+      //   applied → safe to interpret the posture as current
+      //   rate_limited / unauthenticated / unavailable → posture below is from cache,
+      //     do not interpret as a fresh measurement (the customer asked but didn't get it)
+      //   not_requested → caller didn't ask for fresh; cached is by design
+      fresh_status: freshStatus,
     }));
     if (routeAssertions) {
       console.log(formatRouteAssertionsBlock(routeAssertions));
@@ -4029,9 +4091,17 @@ async function runTrustDiffCommand(args) {
         const { recordResults, recordSurfaceSnapshot } = await import(new URL("./statsTracker.js", import.meta.url).href);
         await recordResults(extractStatsEntries(routeAssertions));
         // Extract publicRoutes + thirdPartyHosts from the report for snapshot
-        const publicRoutes = Array.isArray(currentReport?.publicRoutes?.paths)
+        // R91 (2026-06-06) — broader discovery: merge common-public probe
+        // results with sitemap + homepage-anchor discovered routes so the
+        // surface-diff catches NEW marketing/preview routes (the seatcheck
+        // case from external dogfood feedback).
+        const probedPublic = Array.isArray(currentReport?.publicRoutes?.paths)
           ? currentReport.publicRoutes.paths.filter((p) => p.classification === "public").map((p) => p.path)
           : [];
+        const discovered = Array.isArray(routeAssertions?.discoveredRoutes)
+          ? routeAssertions.discoveredRoutes
+          : [];
+        const publicRoutes = [...new Set([...probedPublic, ...discovered])].sort();
         const thirdPartyHosts = Array.isArray(currentReport?.publicDeps?.thirdParties)
           ? [...new Set(currentReport.publicDeps.thirdParties.map((t) => t.host).filter(Boolean))]
           : [];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.16.29",
+  "version": "0.16.31",
   "description": "Deploy gate for AI-coded web apps. `pqcheck deploy-check --ai` returns ship_decision=pass|review|block for Claude Code / Cursor / Copilot / Aider to gate deploys before they ship. Anonymous, no signup, free for first use.",
   "keywords": [
     "ai-coder",