pqcheck 0.16.31 → 0.16.32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +1 -1
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -8,7 +8,7 @@
8
8
  [![npm downloads](https://img.shields.io/npm/dm/pqcheck.svg?style=flat-square&color=06b6d4)](https://www.npmjs.com/package/pqcheck)
9
9
  [![license](https://img.shields.io/npm/l/pqcheck.svg?style=flat-square&color=06b6d4)](./LICENSE)
10
10
 
11
- > **Latest: v0.16.31** — `--fresh` now actually refreshes posture. External dogfood bug: a customer deployed CSP/HSTS/X-Frame-Options/X-Content-Type-Options/Referrer-Policy/Permissions-Policy via Next.js, verified all six on the wire with curl, and `pqcheck deploy-check --fresh` continued to report `posture_grade=D` + `posture_leaks=x-powered-by: Next.js` — directly contradicting reality. Root cause: the CLI silently dropped `--fresh` from the trust-diff request body. Now plumbed through end-to-end. Every response carries `fresh_status` (`applied | rate_limited | unauthenticated | unavailable | not_requested`) so callers route on whether the posture is current — no more silent stale reads. `--verbose` emits a `CIPHERWAKE_SCANNER_OBSERVED` block with the actual headers, final URL, and status the grade was computed from, so customers can diff "what Cipherwake saw" vs `curl -I` instantly. [Full changelog →](./CHANGELOG.md)
11
+ > **Latest: v0.16.32** — `--fresh` now actually refreshes posture (R92, originally shipped in 0.16.31). External dogfood bug: a customer deployed CSP/HSTS/X-Frame-Options/X-Content-Type-Options/Referrer-Policy/Permissions-Policy via Next.js, verified all six on the wire with curl, and `pqcheck deploy-check --fresh` continued to report `posture_grade=D` + `posture_leaks=x-powered-by: Next.js` — directly contradicting reality. Root cause: the CLI silently dropped `--fresh` from the trust-diff request body. Now plumbed through end-to-end. Every response carries `fresh_status` (`applied | rate_limited | unauthenticated | unavailable | not_requested`) so callers route on whether the posture is current — no more silent stale reads. `--verbose` emits a `CIPHERWAKE_SCANNER_OBSERVED` block with the actual headers, final URL, and status the grade was computed from, so customers can diff "what Cipherwake saw" vs `curl -I` instantly. 0.16.32 is a clean re-publish: same CLI surface as 0.16.31, post-fix lib refactor + test coverage added. [Full changelog →](./CHANGELOG.md)
12
12
 
13
13
  ## Two ways to use it
14
14
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "pqcheck",
3
- "version": "0.16.31",
3
+ "version": "0.16.32",
4
4
  "description": "Deploy gate for AI-coded web apps. `pqcheck deploy-check --ai` returns ship_decision=pass|review|block for Claude Code / Cursor / Copilot / Aider to gate deploys before they ship. Anonymous, no signup, free for first use.",
5
5
  "keywords": [
6
6
  "ai-coder",