npm - pqcheck - Versions diffs - 0.16.30 → 0.16.31 - Mend

pqcheck 0.16.30 → 0.16.31

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -8,7 +8,7 @@
 [![npm downloads](https://img.shields.io/npm/dm/pqcheck.svg?style=flat-square&color=06b6d4)](https://www.npmjs.com/package/pqcheck)
 [![license](https://img.shields.io/npm/l/pqcheck.svg?style=flat-square&color=06b6d4)](./LICENSE)
-> **Latest: v0.16.30** — Three asks from external dogfood feedback after a draft-route resolver bug shipped 9 new `/preview/*` routes to prod undetected. **(1)** Broader surface-diff: sitemap.xml + homepage-anchor discovery feed into the snapshot so "+9 new public routes since baseline" surfaces at info severity (default-quiet, never gates). **(2)** Glob support: `.cipherwake.json` now accepts `/preview/*` and `/admin/**` patterns — escalation is opt-in via declared assertion. **(3)** Scope honesty: `scope_note` now explicit that `pass` doesn't claim every-route inventory is current. The customer's "low-noise discipline is the asset" preserved: route-surface drift is info-only; gating requires explicit declared assertions. [Full changelog →](./CHANGELOG.md)
+> **Latest: v0.16.31** — `--fresh` now actually refreshes posture. External dogfood bug: a customer deployed CSP/HSTS/X-Frame-Options/X-Content-Type-Options/Referrer-Policy/Permissions-Policy via Next.js, verified all six on the wire with curl, and `pqcheck deploy-check --fresh` continued to report `posture_grade=D` + `posture_leaks=x-powered-by: Next.js` — directly contradicting reality. Root cause: the CLI silently dropped `--fresh` from the trust-diff request body. Now plumbed through end-to-end. Every response carries `fresh_status` (`applied | rate_limited | unauthenticated | unavailable | not_requested`) so callers route on whether the posture is current — no more silent stale reads. `--verbose` emits a `CIPHERWAKE_SCANNER_OBSERVED` block with the actual headers, final URL, and status the grade was computed from, so customers can diff "what Cipherwake saw" vs `curl -I` instantly. [Full changelog →](./CHANGELOG.md)
 ## Two ways to use it

package/bin/pqcheck.js CHANGED Viewed

@@ -3770,6 +3770,12 @@ async function runTrustDiffCommand(args) {
   const baseline = parseFlag(args, "--baseline") || "last-week";
   const failOn = parseFlag(args, "--fail-on") || "high";
   const format = parseFlag(args, "--format") || "pretty";
+  // R92 (2026-06-06) — --fresh + --verbose were silently dropped by the
+  // CLI before R92. The result: `pqcheck deploy-check <D> --fresh` ran but
+  // returned stale posture from scan_cache. After R92 they're plumbed
+  // through to /api/trust-diff body so the server can act on them.
+  const fresh = args.includes("--fresh") || args.includes("--force");
+  const verbose = args.includes("--verbose");
   // R86.4 (2026-06-03) — see runOneScan for rationale. Default ship_decision
   // is drift-only (per-deploy regression gate); --strict-posture opts into
   // worst-of(drift, posture). Recommended only after a site reaches A/B
@@ -3799,7 +3805,17 @@ async function runTrustDiffCommand(args) {
     resp = await fetch(`${API_BASE}/api/trust-diff`, {
       method: "POST",
       headers,
-      body: JSON.stringify({ domain, baseline, fail_on: failOn, routeAssertionsConfig: _routeCfg }),
+      body: JSON.stringify({
+        domain,
+        baseline,
+        fail_on: failOn,
+        routeAssertionsConfig: _routeCfg,
+        // R92 (2026-06-06) — pass --fresh + --verbose through to server.
+        // Server returns `fresh_status` so caller can route on
+        // applied | rate_limited | unauthenticated | unavailable | not_requested.
+        fresh,
+        verbose,
+      }),
     });
   } catch (err) {
     console.error(color("red", `error: network failure calling /api/trust-diff: ${err.message}`));
@@ -3856,6 +3872,45 @@ async function runTrustDiffCommand(args) {
   const result = await resp.json();
   const verdict = result.verdict || "pass";
   const deltas = Array.isArray(result.deltas) ? result.deltas : [];
+  // R92 (2026-06-06) — surface non-applied fresh status BEFORE any verdict
+  // rendering so the customer sees the staleness warning at the top, not
+  // after the (potentially stale) grade. Three failure modes get their own
+  // explanation since they imply different next actions.
+  const freshStatus = typeof result.fresh_status === "string" ? result.fresh_status : "not_requested";
+  if (fresh && freshStatus !== "applied" && freshStatus !== "not_requested") {
+    const why = freshStatus === "rate_limited"
+      ? "fresh-scan per-IP cap reached (20/hr). The posture below is from the last cached scan — re-run after the cap window, or accept the cached read for now."
+      : freshStatus === "unauthenticated"
+        ? "fresh-scan requires an API key (free tier inclusive). Set CIPHERWAKE_API_KEY or run via OIDC; without it, --fresh silently downgrades to cached. https://cipherwake.io/account#api-keys"
+        : freshStatus === "unavailable"
+          ? "fresh-scan path failed mid-run. The posture below is from the last cached scan — re-run to retry."
+          : `fresh request returned status=${freshStatus}.`;
+    console.error("");
+    console.error(color("yellow", `⚠ --fresh requested but NOT applied: ${why}`));
+    console.error("");
+  }
+  // R92 — scanner_observed (verbose mode). Surfaces the actual headers /
+  // final URL / status that Cipherwake's posture grade was computed from,
+  // so a customer can diff against `curl -I` and catch a stale or
+  // wrong-target read instantly.
+  if (verbose && result.scanner_observed) {
+    const obs = result.scanner_observed;
+    console.log("");
+    console.log(color("dim", "CIPHERWAKE_SCANNER_OBSERVED"));
+    console.log(color("dim", `final_url=${obs.final_url ?? "<unknown>"}`));
+    console.log(color("dim", `final_status=${obs.final_status ?? "<unknown>"}`));
+    console.log(color("dim", `fetched_at=${obs.fetched_at}`));
+    if (obs.headers && typeof obs.headers === "object") {
+      const headerKeys = Object.keys(obs.headers).sort();
+      for (const k of headerKeys) {
+        const v = obs.headers[k];
+        const val = Array.isArray(v) ? v.join(", ") : (v == null ? "" : String(v));
+        console.log(color("dim", `header.${k}=${val}`));
+      }
+    }
+    console.log(color("dim", "END_CIPHERWAKE_SCANNER_OBSERVED"));
+    console.log("");
+  }
   // AI Coder Mode — three-layer output (banner / body / structured block).
   if (parseAiMode(args)) {
@@ -4020,6 +4075,13 @@ async function runTrustDiffCommand(args) {
         : undefined,
       ...assertionFields,
       ...postureFields,
+      // R92 — every CIPHERWAKE_AI_GUARD_RESULT block now carries fresh_status
+      // so MCP servers / Aider / Cursor / Claude Code can route programmatically:
+      //   applied → safe to interpret the posture as current
+      //   rate_limited / unauthenticated / unavailable → posture below is from cache,
+      //     do not interpret as a fresh measurement (the customer asked but didn't get it)
+      //   not_requested → caller didn't ask for fresh; cached is by design
+      fresh_status: freshStatus,
     }));
     if (routeAssertions) {
       console.log(formatRouteAssertionsBlock(routeAssertions));

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.16.30",
+  "version": "0.16.31",
   "description": "Deploy gate for AI-coded web apps. `pqcheck deploy-check --ai` returns ship_decision=pass|review|block for Claude Code / Cursor / Copilot / Aider to gate deploys before they ship. Anonymous, no signup, free for first use.",
   "keywords": [
     "ai-coder",