pqcheck 0.16.30 → 0.16.32

package/README.md

@@ -8,7 +8,7 @@
 [![npm downloads](https://img.shields.io/npm/dm/pqcheck.svg?style=flat-square&color=06b6d4)](https://www.npmjs.com/package/pqcheck)
 [![license](https://img.shields.io/npm/l/pqcheck.svg?style=flat-square&color=06b6d4)](./LICENSE)
 
-> **Latest: v0.16.30** — Three asks from external dogfood feedback after a draft-route resolver bug shipped 9 new `/preview/*` routes to prod undetected. **(1)** Broader surface-diff: sitemap.xml + homepage-anchor discovery feed into the snapshot so "+9 new public routes since baseline" surfaces at info severity (default-quiet, never gates). **(2)** Glob support: `.cipherwake.json` now accepts `/preview/*` and `/admin/**` patterns — escalation is opt-in via declared assertion. **(3)** Scope honesty: `scope_note` now explicit that `pass` doesn't claim every-route inventory is current. The customer's "low-noise discipline is the asset" preserved: route-surface drift is info-only; gating requires explicit declared assertions. [Full changelog →](./CHANGELOG.md)
+> **Latest: v0.16.32** — `--fresh` now actually refreshes posture (R92, originally shipped in 0.16.31). External dogfood bug: a customer deployed CSP/HSTS/X-Frame-Options/X-Content-Type-Options/Referrer-Policy/Permissions-Policy via Next.js, verified all six on the wire with curl, and `pqcheck deploy-check --fresh` continued to report `posture_grade=D` + `posture_leaks=x-powered-by: Next.js` — directly contradicting reality. Root cause: the CLI silently dropped `--fresh` from the trust-diff request body. Now plumbed through end-to-end. Every response carries `fresh_status` (`applied | rate_limited | unauthenticated | unavailable | not_requested`) so callers route on whether the posture is current — no more silent stale reads. `--verbose` emits a `CIPHERWAKE_SCANNER_OBSERVED` block with the actual headers, final URL, and status the grade was computed from, so customers can diff "what Cipherwake saw" vs `curl -I` instantly. 0.16.32 is a clean re-publish: same CLI surface as 0.16.31, post-fix lib refactor + test coverage added. [Full changelog →](./CHANGELOG.md)
 
 ## Two ways to use it
 

package/bin/pqcheck.js

@@ -3770,6 +3770,12 @@ async function runTrustDiffCommand(args) {
   const baseline = parseFlag(args, "--baseline") || "last-week";
   const failOn = parseFlag(args, "--fail-on") || "high";
   const format = parseFlag(args, "--format") || "pretty";
+  // R92 (2026-06-06) — --fresh + --verbose were silently dropped by the
+  // CLI before R92. The result: `pqcheck deploy-check <D> --fresh` ran but
+  // returned stale posture from scan_cache. After R92 they're plumbed
+  // through to /api/trust-diff body so the server can act on them.
+  const fresh = args.includes("--fresh") || args.includes("--force");
+  const verbose = args.includes("--verbose");
   // R86.4 (2026-06-03) — see runOneScan for rationale. Default ship_decision
   // is drift-only (per-deploy regression gate); --strict-posture opts into
   // worst-of(drift, posture). Recommended only after a site reaches A/B
@@ -3799,7 +3805,17 @@ async function runTrustDiffCommand(args) {
     resp = await fetch(`${API_BASE}/api/trust-diff`, {
       method: "POST",
       headers,
-      body: JSON.stringify({ domain, baseline, fail_on: failOn, routeAssertionsConfig: _routeCfg }),
+      body: JSON.stringify({
+        domain,
+        baseline,
+        fail_on: failOn,
+        routeAssertionsConfig: _routeCfg,
+        // R92 (2026-06-06) — pass --fresh + --verbose through to server.
+        // Server returns `fresh_status` so caller can route on
+        // applied | rate_limited | unauthenticated | unavailable | not_requested.
+        fresh,
+        verbose,
+      }),
     });
   } catch (err) {
     console.error(color("red", `error: network failure calling /api/trust-diff: ${err.message}`));
@@ -3856,6 +3872,45 @@ async function runTrustDiffCommand(args) {
   const result = await resp.json();
   const verdict = result.verdict || "pass";
   const deltas = Array.isArray(result.deltas) ? result.deltas : [];
+  // R92 (2026-06-06) — surface non-applied fresh status BEFORE any verdict
+  // rendering so the customer sees the staleness warning at the top, not
+  // after the (potentially stale) grade. Three failure modes get their own
+  // explanation since they imply different next actions.
+  const freshStatus = typeof result.fresh_status === "string" ? result.fresh_status : "not_requested";
+  if (fresh && freshStatus !== "applied" && freshStatus !== "not_requested") {
+    const why = freshStatus === "rate_limited"
+      ? "fresh-scan per-IP cap reached (20/hr). The posture below is from the last cached scan — re-run after the cap window, or accept the cached read for now."
+      : freshStatus === "unauthenticated"
+        ? "fresh-scan requires an API key (free tier inclusive). Set CIPHERWAKE_API_KEY or run via OIDC; without it, --fresh silently downgrades to cached. https://cipherwake.io/account#api-keys"
+        : freshStatus === "unavailable"
+          ? "fresh-scan path failed mid-run. The posture below is from the last cached scan — re-run to retry."
+          : `fresh request returned status=${freshStatus}.`;
+    console.error("");
+    console.error(color("yellow", `⚠ --fresh requested but NOT applied: ${why}`));
+    console.error("");
+  }
+  // R92 — scanner_observed (verbose mode). Surfaces the actual headers /
+  // final URL / status that Cipherwake's posture grade was computed from,
+  // so a customer can diff against `curl -I` and catch a stale or
+  // wrong-target read instantly.
+  if (verbose && result.scanner_observed) {
+    const obs = result.scanner_observed;
+    console.log("");
+    console.log(color("dim", "CIPHERWAKE_SCANNER_OBSERVED"));
+    console.log(color("dim", `final_url=${obs.final_url ?? "<unknown>"}`));
+    console.log(color("dim", `final_status=${obs.final_status ?? "<unknown>"}`));
+    console.log(color("dim", `fetched_at=${obs.fetched_at}`));
+    if (obs.headers && typeof obs.headers === "object") {
+      const headerKeys = Object.keys(obs.headers).sort();
+      for (const k of headerKeys) {
+        const v = obs.headers[k];
+        const val = Array.isArray(v) ? v.join(", ") : (v == null ? "" : String(v));
+        console.log(color("dim", `header.${k}=${val}`));
+      }
+    }
+    console.log(color("dim", "END_CIPHERWAKE_SCANNER_OBSERVED"));
+    console.log("");
+  }
 
   // AI Coder Mode — three-layer output (banner / body / structured block).
   if (parseAiMode(args)) {
@@ -4020,6 +4075,13 @@ async function runTrustDiffCommand(args) {
         : undefined,
       ...assertionFields,
       ...postureFields,
+      // R92 — every CIPHERWAKE_AI_GUARD_RESULT block now carries fresh_status
+      // so MCP servers / Aider / Cursor / Claude Code can route programmatically:
+      //   applied → safe to interpret the posture as current
+      //   rate_limited / unauthenticated / unavailable → posture below is from cache,
+      //     do not interpret as a fresh measurement (the customer asked but didn't get it)
+      //   not_requested → caller didn't ask for fresh; cached is by design
+      fresh_status: freshStatus,
     }));
     if (routeAssertions) {
       console.log(formatRouteAssertionsBlock(routeAssertions));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.16.30",
+  "version": "0.16.32",
   "description": "Deploy gate for AI-coded web apps. `pqcheck deploy-check --ai` returns ship_decision=pass|review|block for Claude Code / Cursor / Copilot / Aider to gate deploys before they ship. Anonymous, no signup, free for first use.",
   "keywords": [
     "ai-coder",