pqcheck 0.16.32 → 0.16.33

package/README.md

@@ -8,7 +8,7 @@
 [![npm downloads](https://img.shields.io/npm/dm/pqcheck.svg?style=flat-square&color=06b6d4)](https://www.npmjs.com/package/pqcheck)
 [![license](https://img.shields.io/npm/l/pqcheck.svg?style=flat-square&color=06b6d4)](./LICENSE)
 
-> **Latest: v0.16.32** — `--fresh` now actually refreshes posture (R92, originally shipped in 0.16.31). External dogfood bug: a customer deployed CSP/HSTS/X-Frame-Options/X-Content-Type-Options/Referrer-Policy/Permissions-Policy via Next.js, verified all six on the wire with curl, and `pqcheck deploy-check --fresh` continued to report `posture_grade=D` + `posture_leaks=x-powered-by: Next.js` — directly contradicting reality. Root cause: the CLI silently dropped `--fresh` from the trust-diff request body. Now plumbed through end-to-end. Every response carries `fresh_status` (`applied | rate_limited | unauthenticated | unavailable | not_requested`) so callers route on whether the posture is current — no more silent stale reads. `--verbose` emits a `CIPHERWAKE_SCANNER_OBSERVED` block with the actual headers, final URL, and status the grade was computed from, so customers can diff "what Cipherwake saw" vs `curl -I` instantly. 0.16.32 is a clean re-publish: same CLI surface as 0.16.31, post-fix lib refactor + test coverage added. [Full changelog →](./CHANGELOG.md)
+> **Latest: v0.16.33** — Two real-dogfood fixes from a Next.js 15 Vercel deploy session. **(1) CSP quality grading (R93)** — beyond the existing `unsafe-inline`/`unsafe-eval`/`*` deductions, posture now flags scheme-wildcards (`script-src 'self' https:` is nearly as broad as `*`), missing `object-src 'none'`, missing restrictive `base-uri`, and HSTS without `includeSubDomains`. Presence ≠ strength: a CSP that satisfies "present" but allows scheme wildcards now grades accordingly. **(2) Generated workflow uses `deployment_status` not `push:main`** — `pqcheck init` no longer races the platform's deploy. The generated GitHub Action now fires AFTER a successful Production deploy, so trust-diff sees the surface that actually shipped (Vercel / Netlify / Render / Railway / any platform emitting `deployment_status` events). `pull_request` trigger preserved for advisory PR diffs; `push:main` documented as a fallback for non-deployment-event platforms. [Full changelog →](./CHANGELOG.md)
 
 ## Two ways to use it
 

package/bin/pqcheck.js

@@ -5497,9 +5497,20 @@ function isValidBaseline(value) {
 function renderTrustDiffWorkflow({ domain, failOn, baseline }) {
   return `# Cipherwake — Trust Diff gate
 # Generated by \`pqcheck init\` (v${VERSION}).
-# Runs on every PR and pushes to main: fails the build if your public trust
-# posture regresses vs the baseline (cert / SPKI / vendor scripts / HSTS / CSP /
-# DMARC / HNDL).
+# Runs:
+#   - on every PR (advisory diff against the production baseline)
+#   - on every successful Production deployment (post-deploy gate)
+# Fails the build if your public trust posture regresses vs the baseline
+# (cert / SPKI / vendor scripts / HSTS / CSP / DMARC / HNDL / declared
+# route assertions).
+#
+# R93 (2026-06-08): defaults to deployment_status (success + Production) for
+# the post-deploy job, NOT push:main. Reason: on platforms with git-integrated
+# deploys (Vercel, Netlify, Render, Railway, etc.) the deploy fires from the
+# same push event — running on push:main would RACE the deploy and diff the
+# STALE production surface before the new deploy is live. deployment_status
+# fires AFTER the deploy lands, so trust-diff sees the surface that actually
+# shipped.
 #
 # Free tier: 100 Trust Diff calls/month per repo (OIDC-metered).
 # Methodology: https://cipherwake.io/methodology/
@@ -5510,8 +5521,7 @@ name: Cipherwake Trust Diff
 on:
   pull_request:
     branches: [main]
-  push:
-    branches: [main]
+  deployment_status:
 
 permissions:
   contents: read
@@ -5522,6 +5532,18 @@ permissions:
 jobs:
   trust-diff:
     runs-on: ubuntu-latest
+    # Run on PRs OR on successful Production deployments.
+    # PRs: github.event_name == "pull_request" — advisory diff for the change
+    # Deployment: deployment_status.state == "success" — only after a deploy
+    #   actually succeeded; skips failed/error/pending events. Environment
+    #   filter on "production" / "Production" so preview deploys don't
+    #   trigger trust-diff against the prod domain (different surfaces).
+    if: |
+      github.event_name == 'pull_request' ||
+      (github.event_name == 'deployment_status' &&
+       github.event.deployment_status.state == 'success' &&
+       (github.event.deployment.environment == 'production' ||
+        github.event.deployment.environment == 'Production'))
     steps:
       - name: Run Cipherwake Trust Diff
         uses: cipherwakelabs/pqcheck@v4
@@ -5535,6 +5557,16 @@ jobs:
         # OIDC token and meters per repo (100 calls/mo, no setup).
         # If you want higher limits, link this repo to a paid Cipherwake
         # account at https://cipherwake.io/account → Linked repos.
+        #
+        # If your platform does NOT emit deployment_status events (custom
+        # CD scripts, S3-sync deploys, manual rollouts), replace the
+        # deployment_status trigger above with:
+        #
+        #   push:
+        #     branches: [main]
+        #
+        # AND add a delay/health-check step before this one so trust-diff
+        # runs AFTER your deploy is live, not racing it.
 `;
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.16.32",
+  "version": "0.16.33",
   "description": "Deploy gate for AI-coded web apps. `pqcheck deploy-check --ai` returns ship_decision=pass|review|block for Claude Code / Cursor / Copilot / Aider to gate deploys before they ship. Anonymous, no signup, free for first use.",
   "keywords": [
     "ai-coder",