pqcheck 0.16.33 → 0.17.0-beta.2

package/bin/pqcheck.js

@@ -81,6 +81,27 @@ function apiHeaders(extra = {}) {
   return h;
 }
 
+// R96 — fetch with a hard timeout for the core API calls (/api/scan,
+// /api/trust-diff, /api/preview-diff). Without it, a hung request stalled
+// CI indefinitely; vendors/debug-network already had AbortController
+// timeouts but the three load-bearing calls did not. 90s covers the
+// worst server-side path (fresh full scan, maxDuration 60s) with margin.
+const API_FETCH_TIMEOUT_MS = 90_000;
+async function fetchWithTimeout(url, opts = {}, timeoutMs = API_FETCH_TIMEOUT_MS) {
+  const ctrl = new AbortController();
+  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
+  try {
+    return await fetch(url, { ...opts, signal: ctrl.signal });
+  } catch (err) {
+    if (err?.name === "AbortError") {
+      throw new Error(`request timed out after ${Math.round(timeoutMs / 1000)}s: ${url}`);
+    }
+    throw err;
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
 // Helpful messaging when the server tells us auth/quota failed.
 async function handleAuthError(resp) {
   if (resp.status === 401) {
@@ -202,6 +223,13 @@ async function main() {
   if (args[0] === "deploy-check") {
     return runDeployCheckCommand(args.slice(1));
   }
+  if (args[0] === "last") {
+    // R96 feedback #3 — `pqcheck last [domain] [--remote]` reuses a recent
+    // verdict (local state file or GitHub Actions CI run) instead of
+    // forcing a duplicate live deploy-check. Advisory-only: exit 3 means
+    // "no reusable signal, run deploy-check".
+    return runLastCommand(args.slice(1));
+  }
   if (args[0] === "vendors") {
     return runVendorsCommand(args.slice(1));
   }
@@ -341,7 +369,7 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi,
     // the server side; if exceeded, the server silently downgrades to a
     // cached scan and returns that instead of erroring.
     const qs = fresh ? `?domain=${encodeURIComponent(domain)}&force=1` : `?domain=${encodeURIComponent(domain)}`;
-    const resp = await fetch(`${API_BASE}/api/scan${qs}`, {
+    const resp = await fetchWithTimeout(`${API_BASE}/api/scan${qs}`, {
       method: "GET",
       headers: apiHeaders({ "user-agent": `pqcheck-cli/${VERSION}${CI_ACTION_SUFFIX} (scan)` }),
     });
@@ -441,13 +469,21 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi,
   // extension / AI banner) display the "UNREACHABLE" label when
   // unreachable=true instead of the generic "BLOCK" — more informative,
   // same protocol routing.
+  // R96 — the state file used to record the pre-posture drift decision
+  // while the AI footer + exit code used effectiveShip (worst-of with
+  // posture under --strict-posture), so statusline / prompt-hook could
+  // disagree with the actual gate. Compute once, record the same value
+  // everywhere.
+  const posture = report.posture || null;
+  const effectiveShip = combineShipDecision(shipDecision, posture?.decision, { strict: strictPosture });
+
   await writeLastScanFile({
     domain,
     kind: "scan",
     score: typeof report.score === "number" ? report.score : null,
     grade: report.grade || null,
     max_severity: maxSev,
-    ship_decision: shipDecision,
+    ship_decision: effectiveShip,
     unreachable: unreachable || false,
     top_issue: topFinding?.id || topFinding?.title || null,
   });
@@ -532,7 +568,6 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi,
     // posture_decision separates the absolute-state routing signal from the
     // drift-based ship_decision so a weak-but-unchanged site gets a review
     // nudge distinct from drift.
-    const posture = report.posture || null;
     const postureFields = posture ? {
       posture_grade: posture.grade,
       posture_score: posture.score,
@@ -542,9 +577,6 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi,
       posture_findings_count: (posture.findings || []).length,
       posture_fixes_count: (posture.fixes || []).length,
     } : {};
-    // R86.2 (2026-06-03) — see combineShipDecision: posture is advisory by
-    // default, gated when --strict-posture is passed.
-    const effectiveShip = combineShipDecision(shipDecision, posture?.decision, { strict: strictPosture });
     // R86.5 — surface posture advisory line so D/F posture is never silently
     // blessed under the drift-only default.
     const postureAdvisory = formatPostureAdvisoryLine(posture, strictPosture);
@@ -600,9 +632,6 @@ async function runOneScan({ domain, format, quiet, threshold, webhookUrl, multi,
       console.log(JSON.stringify(report, null, 2));
     }
   } else if (format === "csv") {
-    if (multi && this && !this.csvHeaderPrinted) {
-      // Header only once, before first row
-    }
     printCsvRow(report);
   } else if (format === "markdown") {
     printMarkdown(report, multi);
@@ -707,12 +736,20 @@ function isFlagValue(args, val) {
   const idx = args.indexOf(val);
   if (idx <= 0) return false;
   const prev = args[idx - 1];
-  return prev === "--threshold" || prev === "--format" || prev === "--watch" || prev === "--webhook" || prev === "--file" || prev === "-o" || prev === "--allowlist";
+  // R96 — added --baseline/--fail-on: without them, `trust-diff acme.com
+  // --baseline last-week` misparsed "last-week" as the domain positional.
+  return prev === "--threshold" || prev === "--format" || prev === "--watch" || prev === "--webhook" || prev === "--file" || prev === "-o" || prev === "--allowlist" || prev === "--baseline" || prev === "--fail-on" || prev === "--max-age";
 }
 
 function parseFormat(args) {
   if (args.includes("--json")) return "json"; // back-compat alias
   if (args.includes("--gh-action")) return "gh-action"; // GitHub Actions annotation format
+  // R96 — these were whitelisted in KNOWN_FLAGS but parsed by nothing,
+  // so `pqcheck acme.com --csv` was a silent no-op (the exact footgun
+  // class R86.7 exists to prevent). Wire them as aliases like --json.
+  if (args.includes("--csv")) return "csv";
+  if (args.includes("--markdown")) return "markdown";
+  if (args.includes("--sarif")) return "sarif";
   const i = args.indexOf("--format");
   if (i === -1) return "text";
   const v = (args[i + 1] || "").toLowerCase();
@@ -793,7 +830,7 @@ const KNOWN_FLAGS = new Set([
   "--file", "--watch",
   // Scan behaviour
   "--fresh", "--force", "--threshold", "--webhook", "--json", "--csv", "--markdown",
-  "--sarif", "--gh-action", "--multi", "--lock", "--explain", "--plan", "--stdout",
+  "--sarif", "--gh-action", "--lock", "--explain", "--plan", "--stdout",
   // Posture gating (the audit catch)
   "--strict", "--strict-posture",
   // Format / output format
@@ -801,6 +838,7 @@ const KNOWN_FLAGS = new Set([
   // Trust-diff / deploy-check / preview-diff
   "--baseline", "--fail-on", "--fail-on-new", "--guards", "--compare-transport",
   "--write-baseline", "--preview", "--production",
+  "--protected-path", "--first-party-host",
   // Setup / onboard / install consent
   "--auto", "--manual", "--yes", "--no-open", "--domain", "--invoked-by",
   "--consent-phrase", "--scope",
@@ -962,6 +1000,10 @@ async function readRouteAssertionsConfig() {
         // at the top level. Both forms are documented in the methodology page.
         const cfg = parsed?.routeAssertions || (Array.isArray(parsed?.assertions) ? { assertions: parsed.assertions, replace_defaults: parsed.replace_defaults } : null);
         if (!cfg) {
+          // R96 — a domain-only config (written by `pqcheck setup`/`init` for
+          // the deploy-check domain default) is a legitimate shape; don't
+          // warn about missing assertions on it.
+          if (typeof parsed?.domain === "string" && parsed.domain.trim()) return null;
           _warnConfigIssue(`${candidate} found but missing required field "routeAssertions.assertions" (or top-level "assertions" array). See https://cipherwake.io/methodology/route-assertions for the schema.`);
           return null;
         }
@@ -1034,6 +1076,67 @@ async function readRouteAssertionsConfig() {
   }
 }
 
+// R96 (dogfood feedback #2) — `pqcheck setup`/`init` persist the monitored
+// domain into .cipherwake.json so `deploy-check` / `guard` can omit the
+// domain argument on subsequent runs. Same 5-level walk-up as
+// readRouteAssertionsConfig. Returns a validated hostname or null. Malformed
+// JSON returns null silently — readRouteAssertionsConfig already warns on it.
+async function readCipherwakeConfigDomain() {
+  try {
+    const { readFileSync, existsSync } = await import("node:fs");
+    const { join, dirname } = await import("node:path");
+    let dir = process.cwd();
+    for (let i = 0; i < 5; i++) {
+      const candidate = join(dir, ".cipherwake.json");
+      if (existsSync(candidate)) {
+        try {
+          const parsed = JSON.parse(readFileSync(candidate, "utf8"));
+          if (typeof parsed?.domain !== "string" || !parsed.domain.trim()) return null;
+          const d = normalizeDomain(parsed.domain.trim());
+          return isValidDomain(d) ? d : null;
+        } catch {
+          return null;
+        }
+      }
+      const parent = dirname(dir);
+      if (parent === dir) break;
+      dir = parent;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+// R96 — merge {"domain": <D>} into ./.cipherwake.json (cwd, where setup/init
+// run). Never clobbers a malformed or unexpected-shape file: the same file
+// carries customer route assertions, and destroying those to save a domain
+// field would be a terrible trade.
+async function writeDomainToCipherwakeConfig(domain) {
+  const fs = await import("node:fs/promises");
+  const path = await import("node:path");
+  const cfgPath = path.join(process.cwd(), ".cipherwake.json");
+  let parsed = {};
+  let existed = false;
+  try {
+    const raw = await fs.readFile(cfgPath, "utf8");
+    existed = true;
+    try {
+      parsed = JSON.parse(raw);
+    } catch {
+      return { status: "skipped-malformed", path: cfgPath };
+    }
+    if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
+      return { status: "skipped-unexpected-shape", path: cfgPath };
+    }
+  } catch { /* file doesn't exist — will create */ }
+  if (parsed.domain === domain) return { status: "already-set", path: cfgPath };
+  const prior = typeof parsed.domain === "string" ? parsed.domain : null;
+  parsed.domain = domain;
+  await fs.writeFile(cfgPath, JSON.stringify(parsed, null, 2) + "\n", "utf8");
+  return { status: existed ? (prior ? "updated" : "merged") : "created", prior, path: cfgPath };
+}
+
 // R87 — fold customer route-assertion failures into ship_decision. Any
 // CRITICAL failure (declared `protected` route that is now `exposed`) blocks
 // the deploy unconditionally — this is the catastrophic "admin became
@@ -1068,7 +1171,13 @@ function shipDecisionFromAssertions(summary) {
   if (!summary) return null;
   // R89/R88 wave 2 + R90 — fold in deploy health + secrets + cookies + headers + TLS.
   // Critical case auto-blocks; any non-critical failure promotes to review.
-  const deployBroken = summary.deployHealth && summary.deployHealth.status !== "healthy" && summary.deployHealth.status !== "unreachable";
+  // R94.3 — waf_blocked is advisory (customer's own WAF blocked the scanner
+  // UA, deploy most likely healthy) so it must not flip the gate to block,
+  // matching the ship_decision_health field's treatment.
+  const deployBroken = summary.deployHealth
+    && summary.deployHealth.status !== "healthy"
+    && summary.deployHealth.status !== "unreachable"
+    && summary.deployHealth.status !== "waf_blocked";
   const secretsLeaked = summary.secrets && summary.secrets.criticalCount > 0;
   const cookieCritical = (summary.cookieCriticalFailures || 0) > 0;
   const tlsCritical = summary.tlsExpiry && !summary.tlsExpiry.passed && summary.tlsExpiry.severity === "critical";
@@ -1299,7 +1408,10 @@ function formatAiFooterBlock(fields) {
     lines.push(`${safeK}=${safeV}`);
   }
   lines.push("END_CIPHERWAKE_AI_GUARD_RESULT");
-  return color("dim", lines.join("\n"));
+  // R96 — never colorize the machine block. On a TTY, color("dim", ...)
+  // wrapped the END marker in ANSI escapes, breaking strict line-match
+  // parsers in pty-based agents. The block is a wire format, not UI.
+  return lines.join("\n");
 }
 
 // v0.16.13 — fail-loud AI guard for fetch/quota/server errors during
@@ -1311,7 +1423,9 @@ function formatAiFooterBlock(fields) {
 // the agent can route on. Behaviour in non-AI text mode is unchanged.
 function emitAiGuardReviewAndExit(args, errorDetail) {
   if (parseAiMode(args)) {
-    const positional = args.filter((a) => !a.startsWith("-"));
+    // R96 — exclude flag VALUES, not just flags: `--baseline last-week
+    // acme.com` used to label domain="last-week" in the error block.
+    const positional = args.filter((a) => !a.startsWith("-") && !isFlagValue(args, a));
     const domain = positional[0] || "";
     const baseline = parseFlag(args, "--baseline") || "last-scan";
     try {
@@ -1362,6 +1476,37 @@ function emitAiGuardReviewAndExit(args, errorDetail) {
   process.exit(errorDetail.exitCode ?? 3);
 }
 
+// Same fail-loud contract for preview-diff --ai (v0.16.13 fixed this for
+// trust-diff only; preview-diff error paths previously exited 3 with no
+// block, so agents parsing for CIPHERWAKE_AI_GUARD_RESULT saw "no signal").
+function emitPreviewDiffAiGuardReviewAndExit(args, previewUrl, productionUrl, errorDetail) {
+  if (parseAiMode(args)) {
+    try {
+      console.log("");
+      console.log(color("yellow", "  ⚠ REVIEW — Cipherwake preview-diff could not complete"));
+      console.log(color("dim",    `  ${errorDetail.message}`));
+      console.log(color("dim",    "  Treating as REVIEW per fail-safe policy. Do NOT announce the deploy until you manually verify or rerun the check successfully."));
+      console.log(formatAiFooterBlock({
+        status: "review",
+        kind: "preview-diff",
+        preview_url: previewUrl || "",
+        production_url: productionUrl || "",
+        verdict: "review",
+        ship_decision: "review",
+        top_issue: errorDetail.code,
+        top_issue_title: errorDetail.message,
+        scanned_at: new Date().toISOString(),
+        advisory_only: "true",
+        error: errorDetail.code,
+      }));
+      console.log("");
+    } catch {
+      // even error path must not throw — fall through to exit
+    }
+  }
+  process.exit(errorDetail.exitCode ?? 3);
+}
+
 // v0.16.13 — opportunistic version check. Reads a small cache file on cold
 // start; if a newer version is in cache AND we haven't already banner'd
 // today, prints a banner to stderr. Separately, if cache is >24h old, fires
@@ -2198,6 +2343,7 @@ ${color("bold", "Commands:")}
   npx pqcheck init                              Interactive scaffold for .github/workflows/cipherwake.yml
   npx pqcheck deploy-check <domain>             Pre-deploy trust gate (Trust Diff vs last scan; deploy-friendly framing) — see also: AI Coder Protocol at https://cipherwake.io/methodology/ai-coder-protocol
   npx pqcheck guard --domain <D> -- <cmd>       NEW: wrap any deploy command. Runs deploy-check first; conditionally runs <cmd> based on ship_decision. The strongest single artifact for AI-coder workflows.
+  npx pqcheck last [domain]                     NEW: reuse a recent deploy-check verdict instead of re-scanning (local state; --remote checks your GitHub Actions CI run; --max-age <min> freshness window, default 60)
   npx pqcheck protocol install                  NEW: install the AI Coder Protocol into your CLAUDE.md / .cursorrules (Rule 17 consent flow)
   npx pqcheck guards <init|list|run>            EXPERIMENTAL (BETA): manage Site Guards (.cipherwake/guards.json) — runtime policies for source-maps / mixed-content / approved-hosts / protected-paths / cookie-flags / link-integrity. See: https://cipherwake.io/methodology/site-guards
   npx pqcheck release-checklist [domain]        Print a pre-release trust checklist (markdown, offline)
@@ -3564,7 +3710,7 @@ async function runScanBasedDeployCheck(domain, args) {
 
   let resp;
   try {
-    resp = await fetch(`${API_BASE}/api/scan?domain=${encodeURIComponent(domain)}`, { headers });
+    resp = await fetchWithTimeout(`${API_BASE}/api/scan?domain=${encodeURIComponent(domain)}`, { headers });
   } catch (err) {
     // v0.16.17 — the v0.16.13 fail-loud AI guard fix was applied to the main
     // trust-diff deploy-check path but missed THIS fallback path (no-baseline
@@ -3716,9 +3862,12 @@ async function runScanBasedDeployCheck(domain, args) {
     max_severity: maxSev,
     ship_decision: shipDecision,
     unreachable: unreachable ? "true" : "false",
+    // R96 — bare ids, matching the main scan path (which emits
+    // `topFinding?.id` without a `findings.` prefix). Parsers shouldn't
+    // need two formats for the same field.
     top_issue: unreachable
-      ? "findings.reachability.unreachable"
-      : (topFinding ? `findings.${topFinding.id || "unknown"}` : "none"),
+      ? "reachability.unreachable"
+      : (topFinding?.id || topFinding?.title || "none"),
     findings_high: findings.filter((f) => severityRank(f.severity) >= severityRank("high")).length,
     findings_critical: findings.filter((f) => severityRank(f.severity) >= severityRank("critical")).length,
     scanned_at: new Date().toISOString(),
@@ -3737,18 +3886,20 @@ async function runScanBasedDeployCheck(domain, args) {
     ship_decision: shipDecision,
     unreachable: unreachable || false,
     top_issue: unreachable
-      ? "findings.reachability.unreachable"
+      ? "reachability.unreachable"
       : (topFinding?.id || topFinding?.title || null),
     note: unreachable
       ? "domain unreachable on port 443; deploy may have failed or DNS not propagated"
       : "first-deploy: no baseline yet, scored on current state",
   });
 
-  // Exit code: 0 on pass, non-zero on review/block (matches deploy-check contract)
-  process.exit(shipDecision === "pass" ? 0 : 1);
+  // Exit code: 0=pass, 1=review, 2=block (matches the deploy-check AI
+  // contract). R96 — this previously exited 1 for block too, so the
+  // pre-push hook (which refuses only on RC=2) would allow a blocked push.
+  process.exit(shipDecision === "block" ? 2 : shipDecision === "pass" ? 0 : 1);
 }
 
-async function runTrustDiffCommand(args) {
+async function runTrustDiffCommand(args, opts = {}) {
   // R86.7 — reject unknown flags before any other parsing. Same rationale
   // as the bare-scan path: typo'd safety-critical flags must fail loud,
   // not silently degrade.
@@ -3802,7 +3953,7 @@ async function runTrustDiffCommand(args) {
   let resp;
   try {
     const _routeCfg = await readRouteAssertionsConfig();
-    resp = await fetch(`${API_BASE}/api/trust-diff`, {
+    resp = await fetchWithTimeout(`${API_BASE}/api/trust-diff`, {
       method: "POST",
       headers,
       body: JSON.stringify({
@@ -3854,7 +4005,10 @@ async function runTrustDiffCommand(args) {
   // through to /api/scan, populate the cache, and emit ship_decision based
   // on the scan's current absolute state. Subsequent deploy-checks will
   // have a baseline and produce a real drift verdict.
-  if (resp.status === 404 && parseAiMode(args)) {
+  // R96 — README documents this fallback for deploy-check unconditionally,
+  // but it used to fire only with --ai; a non-AI first run errored instead.
+  // Now: any deploy-check invocation falls through, plus any --ai caller.
+  if (resp.status === 404 && (opts.deployCheck || parseAiMode(args))) {
     return await runScanBasedDeployCheck(domain, args);
   }
   if (!resp.ok) {
@@ -3879,9 +4033,9 @@ async function runTrustDiffCommand(args) {
   const freshStatus = typeof result.fresh_status === "string" ? result.fresh_status : "not_requested";
   if (fresh && freshStatus !== "applied" && freshStatus !== "not_requested") {
     const why = freshStatus === "rate_limited"
-      ? "fresh-scan per-IP cap reached (20/hr). The posture below is from the last cached scan — re-run after the cap window, or accept the cached read for now."
+      ? "fresh-scan cap reached (20/hr per API key). The posture below is from the last cached scan — re-run after the cap window, or accept the cached read for now."
       : freshStatus === "unauthenticated"
-        ? "fresh-scan requires an API key (free tier inclusive). Set CIPHERWAKE_API_KEY or run via OIDC; without it, --fresh silently downgrades to cached. https://cipherwake.io/account#api-keys"
+        ? "fresh-scan requires an API key (free tier inclusive). Set CIPHERWAKE_API_KEY; without it, --fresh silently downgrades to cached. Get a key at https://cipherwake.io/account#api-keys"
         : freshStatus === "unavailable"
           ? "fresh-scan path failed mid-run. The posture below is from the last cached scan — re-run to retry."
           : `fresh request returned status=${freshStatus}.`;
@@ -4017,7 +4171,12 @@ async function runTrustDiffCommand(args) {
       deploy_status: dh?.status,
       deploy_http_status: dh?.httpStatus,
       deploy_summary: dh?.summary?.slice(0, 200),
-      ship_decision_health: dh && dh.status !== "healthy" && dh.status !== "unreachable" ? "block" : (dh ? "pass" : undefined),
+      // R94.3 — waf_blocked is advisory, not blocking. The deploy is most
+      // likely healthy; the customer's WAF blocked our scanner UA. Same
+      // class as R90.1 (WAF false-positive on route assertions). Treat
+      // unreachable + waf_blocked as "review" rather than "block" so the
+      // customer isn't gated by their own bot-protection.
+      ship_decision_health: dh && dh.status !== "healthy" && dh.status !== "unreachable" && dh.status !== "waf_blocked" ? "block" : (dh ? "pass" : undefined),
       // Secret scanner
       secrets_scanned: sc?.scanned,
       secrets_findings_total: sc?.findings?.length,
@@ -4037,6 +4196,12 @@ async function runTrustDiffCommand(args) {
         : undefined,
     } : {};
 
+    // R96 feedback #4 — flake context: is the failing check a chronic flake /
+    // previously-dismissed state or a first-ever failure? Sourced from local
+    // .cipherwake/stats.json history; {} (silent) when nothing is failing or
+    // there is no history for the failing check.
+    const flakeFields = await buildFlakeContextFields(routeAssertions);
+
     console.log(formatAiFooterBlock({
       status: effectiveShipWithAssertions,
       domain,
@@ -4074,6 +4239,7 @@ async function runTrustDiffCommand(args) {
           })
         : undefined,
       ...assertionFields,
+      ...flakeFields,
       ...postureFields,
       // R92 — every CIPHERWAKE_AI_GUARD_RESULT block now carries fresh_status
       // so MCP servers / Aider / Cursor / Claude Code can route programmatically:
@@ -4502,7 +4668,7 @@ async function runPreviewDiffCommand(args) {
 
   let resp;
   try {
-    resp = await fetch(`${API_BASE}/api/preview-diff`, {
+    resp = await fetchWithTimeout(`${API_BASE}/api/preview-diff`, {
       method: "POST",
       headers,
       body: JSON.stringify({
@@ -4518,18 +4684,30 @@ async function runPreviewDiffCommand(args) {
     });
   } catch (err) {
     console.error(color("red", `error: network failure calling /api/preview-diff: ${err.message}`));
-    process.exit(3);
+    emitPreviewDiffAiGuardReviewAndExit(args, previewUrl, productionUrl, {
+      code: "network_failure",
+      message: `network failure calling /api/preview-diff: ${err.message}`,
+      exitCode: 3,
+    });
   }
 
   if (resp.status === 401 || resp.status === 403) {
     await handleAuthError(resp);
-    process.exit(3);
+    emitPreviewDiffAiGuardReviewAndExit(args, previewUrl, productionUrl, {
+      code: "auth_error",
+      message: `authentication failed (${resp.status}) calling /api/preview-diff`,
+      exitCode: 3,
+    });
   }
   if (resp.status === 429) {
     const body = await safeJSON(resp);
     console.error(color("red", "error: Preview Diff API quota exceeded for this month"));
     if (body?.message) console.error(color("dim", body.message));
-    process.exit(3);
+    emitPreviewDiffAiGuardReviewAndExit(args, previewUrl, productionUrl, {
+      code: "quota_exceeded",
+      message: body?.message || "Preview Diff API quota exceeded for this month",
+      exitCode: 3,
+    });
   }
   if (!resp.ok) {
     const body = await safeJSON(resp);
@@ -4539,7 +4717,11 @@ async function runPreviewDiffCommand(args) {
     // / private-IP URLs surface the tunnel-options hint). Print it so the
     // user knows what to do next instead of just seeing the rejection.
     if (body?.hint) console.error(color("dim", body.hint));
-    process.exit(3);
+    emitPreviewDiffAiGuardReviewAndExit(args, previewUrl, productionUrl, {
+      code: `server_error_${resp.status}`,
+      message: body?.message || `/api/preview-diff returned ${resp.status}`,
+      exitCode: 3,
+    });
   }
 
   const result = await resp.json();
@@ -4838,6 +5020,15 @@ function trustDiffToSarif(result) {
 }
 
 function parseFlag(args, name) {
+  // Supports both `--flag value` and `--flag=value` forms. The README
+  // documents the equals form (e.g. `--trigger=deployment-status`), and
+  // assertKnownFlags already validates it — so the parser must accept it
+  // too or the flag silently no-ops (the R86.7 footgun class).
+  for (const tok of args) {
+    if (typeof tok === "string" && tok.startsWith(`${name}=`)) {
+      return tok.slice(name.length + 1) || null;
+    }
+  }
   const idx = args.indexOf(name);
   if (idx === -1 || idx === args.length - 1) return null;
   return args[idx + 1];
@@ -5198,7 +5389,7 @@ function renderReleaseChecklist(domain, opts = {}) {
     `### How to verify`,
     ``,
     `\`\`\`bash`,
-    `# Trust posture vs last successful deploy (Free: 30 calls/mo)`,
+    `# Trust posture vs last successful deploy (Free: 100 calls/mo)`,
     `npx pqcheck trust-diff ${domain} --baseline last-week --fail-on high`,
     ``,
     `# Third-party origins on the page (vendor scripts)`,
@@ -5231,8 +5422,8 @@ function renderReleaseChecklist(domain, opts = {}) {
 //   --force            Overwrite an existing workflow file without prompting
 //   --stdout           Print the workflow to stdout instead of writing files
 //
-// Free tier: no API call made by init itself. The generated workflow runs
-// against the user's CIPHERWAKE_API_KEY secret (30 free Trust Diff calls/mo).
+// Free tier: no API call made by init itself. The generated workflow meters
+// per repo via GitHub OIDC (100 free Trust Diff calls/mo, no API key needed).
 // =============================================================================
 
 const VALID_FAIL_ON = ["any", "low", "medium", "high", "critical"];
@@ -5343,11 +5534,14 @@ function extractStatsEntries(routeAssertions) {
   // Deploy health
   if (routeAssertions.deployHealth) {
     const dh = routeAssertions.deployHealth;
+    // R94.3 — waf_blocked/unreachable are advisory, not gate failures;
+    // recording them as critical would pollute the per-check flake stats.
+    const advisory = dh.status === "waf_blocked" || dh.status === "unreachable";
     entries.push({
       id: "health:homepage",
       result: dh.status === "healthy" ? "pass" : "fail",
       status: dh.httpStatus,
-      severity: dh.status === "healthy" ? "info" : "critical",
+      severity: dh.status === "healthy" ? "info" : (advisory ? "low" : "critical"),
       source: "health",
     });
   }
@@ -5364,6 +5558,63 @@ function extractStatsEntries(routeAssertions) {
   return entries;
 }
 
+// R96 feedback #4 — flake context for the AI guard block. When a check is
+// failing NOW, its local history (.cipherwake/stats.json) tells the agent
+// whether this is a first-ever failure (likely a real regression) or a
+// chronic / previously-dismissed one (likely flake or intentional state).
+// Called BEFORE recordResults() persists this run, so counts describe PRIOR
+// runs only. Silent (returns {}) when nothing is failing or the failing
+// check has no recorded history.
+async function buildFlakeContextFields(routeAssertions) {
+  try {
+    if (!routeAssertions) return {};
+    const failing = [];
+    for (const r of routeAssertions.results || []) {
+      if (!r.passed) failing.push({ id: `route:${r.path}`, path: r.path });
+    }
+    for (const h of routeAssertions.headerResults || []) {
+      if (!h.passed) failing.push({ id: `header:${h.header}` });
+    }
+    for (const c of routeAssertions.cookieResults || []) {
+      if (!c.passed) failing.push({ id: `cookie:${c.namePattern}` });
+    }
+    for (const f of routeAssertions.secrets?.findings || []) {
+      failing.push({ id: `secret:${f.patternId}` });
+    }
+    if (routeAssertions.deployHealth && routeAssertions.deployHealth.status !== "healthy") {
+      failing.push({ id: "health:homepage" });
+    }
+    if (routeAssertions.tlsExpiry?.checked && !routeAssertions.tlsExpiry.passed) {
+      failing.push({ id: "tls:expiry" });
+    }
+    if (failing.length === 0) return {};
+    // Prefer the check behind the top critical failure so these fields
+    // describe the same issue as assertion_top_failure.
+    const topCriticalPath = routeAssertions.criticalFailures?.[0]?.path;
+    const top = (topCriticalPath && failing.find((f) => f.path === topCriticalPath)) || failing[0];
+    const { loadStats } = await import(new URL("./statsTracker.js", import.meta.url).href);
+    const stats = await loadStats();
+    const s = stats.checks?.[top.id];
+    if (!s || !s.runs) return {};
+    let hint;
+    if (s.dismissedIntentional > 0) hint = "previously_dismissed";
+    else if (s.failed === 0) hint = "first_failure";
+    else if (s.runs >= 3 && s.failed / s.runs >= 0.5) hint = "frequently_failing";
+    else hint = "recurring";
+    const parts = [`failed ${s.failed} of ${s.runs} prior runs`];
+    if (s.dismissedIntentional > 0) parts.push(`dismissed as intentional ${s.dismissedIntentional}x`);
+    if (s.confirmedReal > 0) parts.push(`confirmed real ${s.confirmedReal}x`);
+    return {
+      top_failure_id: top.id,
+      top_failure_history: parts.join("; "),
+      flake_hint: hint,
+    };
+  } catch {
+    // never block the gate on stats issues
+    return {};
+  }
+}
+
 async function runInitCommand(args) {
   const fs = await import("node:fs/promises");
   const path = await import("node:path");
@@ -5374,6 +5625,20 @@ async function runInitCommand(args) {
   const flagDomain = readFlagValue(args, "--domain");
   const flagFailOn = readFlagValue(args, "--fail-on");
   const flagBaseline = readFlagValue(args, "--baseline");
+  // R94.3 (2026-06-08) — stable-track default flipped to opt-in.
+  // `push:main` is back-compat-safe for every platform (including
+  // custom CD scripts + manual rollouts). `deployment-status` is the
+  // smart Vercel/Netlify trigger (recommended, R93) but only fires
+  // when a real `deployment_status` event arrives, which means
+  // someone on a non-deployment-event platform gets ZERO runs.
+  // Default is now `push` so initial install never silently does
+  // nothing; explicit `--trigger=deployment-status` for Vercel/Netlify.
+  const flagTrigger = readFlagValue(args, "--trigger") || "push";
+  if (!["push", "deployment-status", "deployment_status"].includes(flagTrigger)) {
+    console.error(color("red", `error: --trigger must be 'push' (default) or 'deployment-status'`));
+    process.exit(1);
+  }
+  const triggerMode = flagTrigger === "deployment_status" ? "deployment-status" : flagTrigger;
 
   console.log("");
   console.log(`  ${color("bold", "pqcheck init")} ${color("dim", "— scaffold a Cipherwake GitHub Action workflow")}`);
@@ -5413,7 +5678,7 @@ async function runInitCommand(args) {
     process.exit(1);
   }
 
-  const workflow = renderTrustDiffWorkflow({ domain, failOn, baseline });
+  const workflow = renderTrustDiffWorkflow({ domain, failOn, baseline, triggerMode });
 
   if (stdout) {
     console.log(workflow);
@@ -5461,27 +5726,47 @@ async function runInitCommand(args) {
   const relPath = path.relative(cwd, workflowPath);
   console.log("");
   console.log(color("green", `  ✓ Wrote ${relPath}`));
+
+  // R96 (dogfood feedback #2) — persist the domain so deploy-check/guard
+  // can default to it on subsequent runs without a domain argument.
+  try {
+    const cfgResult = await writeDomainToCipherwakeConfig(domain);
+    if (cfgResult.status === "created") {
+      console.log(color("green", `  ✓ Wrote .cipherwake.json (domain: ${domain} — deploy-check/guard can now omit the domain argument)`));
+    } else if (cfgResult.status === "merged") {
+      console.log(color("green", `  ✓ Added "domain": "${domain}" to .cipherwake.json`));
+    } else if (cfgResult.status === "updated") {
+      console.log(color("green", `  ✓ Updated .cipherwake.json domain: ${cfgResult.prior} → ${domain}`));
+    } else if (cfgResult.status === "skipped-malformed" || cfgResult.status === "skipped-unexpected-shape") {
+      console.log(color("yellow", `  ⚠ .cipherwake.json could not be updated (${cfgResult.status === "skipped-malformed" ? "malformed JSON" : "not a JSON object"}) — add "domain": "${domain}" by hand`));
+    }
+  } catch (err) {
+    console.log(color("yellow", `  ⚠ .cipherwake.json domain write failed: ${err.message} (non-fatal)`));
+  }
   console.log("");
   console.log(`  ${color("bold", "Next steps:")}`);
   console.log("");
-  console.log(`  ${color("dim", "1.")} Generate a Cipherwake API key at ${color("violet", "https://cipherwake.io/account#api-keys")}`);
-  console.log(`     ${color("dim", "Free tier: 100 Trust Diff calls/month per repo")}`);
-  console.log("");
-  console.log(`  ${color("dim", "2.")} Add it as a repo secret:`);
-  console.log(`     ${color("dim", "Settings → Secrets and variables → Actions → New repository secret")}`);
-  console.log(`     ${color("dim", "Name: CIPHERWAKE_API_KEY")}`);
-  console.log("");
-  console.log(`  ${color("dim", "3.")} Commit + push:`);
+  console.log(`  ${color("dim", "1.")} Commit + push — no API key or repo secret needed:`);
+  console.log(`     ${color("dim", "The workflow meters per repo via GitHub OIDC (Free: 100 Trust Diff calls/month).")}`);
   console.log(`     ${color("dim", "$")} git add ${relPath}`);
   console.log(`     ${color("dim", "$")} git commit -m "ci: add Cipherwake Trust Diff gate"`);
   console.log(`     ${color("dim", "$")} git push`);
   console.log("");
+  console.log(`  ${color("dim", "2.")} ${color("dim", "Optional — higher limits:")} add a key from ${color("violet", "https://cipherwake.io/account#api-keys")} as the CIPHERWAKE_API_KEY repo secret.`);
+  console.log("");
   console.log(`  Open a PR to see the gate run.`);
   console.log("");
   process.exit(0);
 }
 
 function readFlagValue(args, name) {
+  // `--flag=value` form first (documented syntax for `init --trigger=...`),
+  // then the space-separated `--flag value` form.
+  for (const tok of args) {
+    if (typeof tok === "string" && tok.startsWith(`${name}=`)) {
+      return tok.slice(name.length + 1) || null;
+    }
+  }
   const idx = args.indexOf(name);
   if (idx === -1) return null;
   const v = args[idx + 1];
@@ -5494,23 +5779,59 @@ function isValidBaseline(value) {
   return /^\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}(:\d{2})?(\.\d+)?Z?)?$/.test(value);
 }
 
-function renderTrustDiffWorkflow({ domain, failOn, baseline }) {
+function renderTrustDiffWorkflow({ domain, failOn, baseline, triggerMode = "push" }) {
+  const isDeploymentStatus = triggerMode === "deployment-status";
+
+  // The trigger YAML block + job-level `if:` guard differ between modes.
+  // push (default, back-compat): fires on every push to main. Safe for any
+  //   platform but can race git-integrated deploys (Vercel/Netlify).
+  // deployment-status (--trigger=deployment-status): fires AFTER a successful
+  //   Production deploy. Race-safe for Vercel/Netlify/Render/Railway. Does
+  //   nothing on platforms that don't emit the event (custom CD scripts).
+  const triggerBlock = isDeploymentStatus
+    ? `on:
+  pull_request:
+    branches: [main]
+  deployment_status:`
+    : `on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]`;
+
+  const jobGuard = isDeploymentStatus
+    ? `    # Run on PRs OR on successful Production deployments.
+    if: |
+      github.event_name == 'pull_request' ||
+      (github.event_name == 'deployment_status' &&
+       github.event.deployment_status.state == 'success' &&
+       (github.event.deployment.environment == 'production' ||
+        github.event.deployment.environment == 'Production'))`
+    : `    # Runs on PRs (advisory) and pushes to main (gate).`;
+
+  const triggerNote = isDeploymentStatus
+    ? `# Trigger: deployment_status (--trigger=deployment-status). The job fires
+# AFTER a successful Production deployment, so trust-diff sees the surface
+# that actually shipped — not the stale prior production. Recommended for
+# Vercel / Netlify / Render / Railway and other git-integrated platforms.
+# Switch to 'push' if your platform does NOT emit deployment_status events
+# (custom CD scripts, S3-sync deploys, manual rollouts).`
+    : `# Trigger: push to main (default). Back-compat-safe on every platform.
+# If you're on Vercel / Netlify / Render / Railway, switch to
+# \`--trigger=deployment-status\` — the post-deploy gate is more accurate
+# because the push:main trigger can race git-integrated deploys, diffing
+# the previous production surface before the new one is live.`;
+
   return `# Cipherwake — Trust Diff gate
 # Generated by \`pqcheck init\` (v${VERSION}).
 # Runs:
 #   - on every PR (advisory diff against the production baseline)
-#   - on every successful Production deployment (post-deploy gate)
+#   - on every push to main / successful Production deployment (gate)
 # Fails the build if your public trust posture regresses vs the baseline
 # (cert / SPKI / vendor scripts / HSTS / CSP / DMARC / HNDL / declared
 # route assertions).
 #
-# R93 (2026-06-08): defaults to deployment_status (success + Production) for
-# the post-deploy job, NOT push:main. Reason: on platforms with git-integrated
-# deploys (Vercel, Netlify, Render, Railway, etc.) the deploy fires from the
-# same push event — running on push:main would RACE the deploy and diff the
-# STALE production surface before the new deploy is live. deployment_status
-# fires AFTER the deploy lands, so trust-diff sees the surface that actually
-# shipped.
+${triggerNote}
 #
 # Free tier: 100 Trust Diff calls/month per repo (OIDC-metered).
 # Methodology: https://cipherwake.io/methodology/
@@ -5518,10 +5839,7 @@ function renderTrustDiffWorkflow({ domain, failOn, baseline }) {
 
 name: Cipherwake Trust Diff
 
-on:
-  pull_request:
-    branches: [main]
-  deployment_status:
+${triggerBlock}
 
 permissions:
   contents: read
@@ -5532,18 +5850,7 @@ permissions:
 jobs:
   trust-diff:
     runs-on: ubuntu-latest
-    # Run on PRs OR on successful Production deployments.
-    # PRs: github.event_name == "pull_request" — advisory diff for the change
-    # Deployment: deployment_status.state == "success" — only after a deploy
-    #   actually succeeded; skips failed/error/pending events. Environment
-    #   filter on "production" / "Production" so preview deploys don't
-    #   trigger trust-diff against the prod domain (different surfaces).
-    if: |
-      github.event_name == 'pull_request' ||
-      (github.event_name == 'deployment_status' &&
-       github.event.deployment_status.state == 'success' &&
-       (github.event.deployment.environment == 'production' ||
-        github.event.deployment.environment == 'Production'))
+${jobGuard}
     steps:
       - name: Run Cipherwake Trust Diff
         uses: cipherwakelabs/pqcheck@v4
@@ -5557,16 +5864,6 @@ jobs:
         # OIDC token and meters per repo (100 calls/mo, no setup).
         # If you want higher limits, link this repo to a paid Cipherwake
         # account at https://cipherwake.io/account → Linked repos.
-        #
-        # If your platform does NOT emit deployment_status events (custom
-        # CD scripts, S3-sync deploys, manual rollouts), replace the
-        # deployment_status trigger above with:
-        #
-        #   push:
-        #     branches: [main]
-        #
-        # AND add a delay/health-check step before this one so trust-diff
-        # runs AFTER your deploy is live, not racing it.
 `;
 }
 
@@ -5599,14 +5896,25 @@ async function prompt(question) {
 
 async function runDeployCheckCommand(args) {
   const positional = args.filter((a) => !a.startsWith("-"));
+  let forwarded = [...args];
   if (positional.length === 0) {
-    console.error(color("red", "error: pqcheck deploy-check requires a domain"));
-    console.error(color("dim", "Usage: npx pqcheck deploy-check <domain> [--baseline last-scan|last-week|<ISO>] [--fail-on high|medium|low|any]"));
-    process.exit(1);
+    // R96 (dogfood feedback #2) — no domain argument: fall back to the
+    // `domain` field in .cipherwake.json (written by `pqcheck setup`/`init`)
+    // so AI coders can run `npx pqcheck deploy-check --ai` without guessing
+    // which domain this repo deploys to.
+    const cfgDomain = await readCipherwakeConfigDomain();
+    if (cfgDomain) {
+      console.error(color("dim", `  ℹ no domain argument — using "${cfgDomain}" from .cipherwake.json`));
+      forwarded = [cfgDomain, ...forwarded];
+    } else {
+      console.error(color("red", "error: pqcheck deploy-check requires a domain"));
+      console.error(color("dim", "Usage: npx pqcheck deploy-check <domain> [--baseline last-scan|last-week|<ISO>] [--fail-on high|medium|low|any]"));
+      console.error(color("dim", `Tip: run \`npx pqcheck setup --auto --domain <domain>\` once and the domain is saved to .cipherwake.json — after that, plain \`npx pqcheck deploy-check --ai\` works.`));
+      process.exit(1);
+    }
   }
 
   // Forward to trust-diff with deploy-tuned defaults if the user didn't specify.
-  const forwarded = [...args];
   if (!args.includes("--baseline")) forwarded.push("--baseline", "last-scan");
   if (!args.includes("--fail-on")) forwarded.push("--fail-on", "high");
 
@@ -5620,7 +5928,296 @@ async function runDeployCheckCommand(args) {
     console.log("");
   }
 
-  return runTrustDiffCommand(forwarded);
+  return runTrustDiffCommand(forwarded, { deployCheck: true });
+}
+
+// =============================================================================
+// `pqcheck last` — reuse the most recent gate result instead of re-scanning
+// =============================================================================
+// R96 (dogfood feedback #3). After CI already ran the deploy gate, an AI
+// coder following the protocol shouldn't burn a duplicate Trust Diff quota
+// call just to learn "the gate already passed." Two sources:
+//
+//   pqcheck last [domain]   — local state files written by every scan /
+//                             deploy-check: .cipherwake/last-status.json
+//                             (repo-local) else ~/.config/cipherwake/last-scan.json
+//   pqcheck last --remote   — the latest GitHub Actions run of the
+//                             cipherwake.yml workflow for this repo (the CI
+//                             gate installed by `pqcheck init`/`setup`).
+//                             Public GitHub API; GITHUB_TOKEN/GH_TOKEN used
+//                             when set. ZERO Trust Diff quota consumed.
+//
+// Honesty guards — a cached result can only bless an announce when it is
+// genuinely equivalent to running the check now:
+//   • older than --max-age (default 60 min) → NOT reusable
+//   • CI run for a different commit than local HEAD → NOT reusable
+//   • CI still running / cancelled → NOT reusable
+// A failed CI run IS surfaced as review (conservative direction is safe).
+//
+// Exit codes (agent routing contract):
+//   0 = reusable result, gate passed — safe to skip the duplicate deploy-check
+//   1 = last result was review · 2 = block (fresh enough to trust as signal)
+//   3 = no reusable signal — run `npx pqcheck deploy-check --ai` instead
+// =============================================================================
+
+async function runLastCommand(args) {
+  const aiMode = parseAiMode(args);
+  const remote = args.includes("--remote");
+  const maxAgeRaw = parseFlag(args, "--max-age");
+  const maxAgeMin = maxAgeRaw === null || maxAgeRaw === undefined ? 60 : Number(maxAgeRaw);
+  if (!Number.isFinite(maxAgeMin) || maxAgeMin <= 0) {
+    console.error(color("red", "error: --max-age requires a positive number of minutes"));
+    process.exit(3);
+  }
+  const positional = args.filter((a) => !a.startsWith("-") && !isFlagValue(args, a));
+  const domainFilter = positional[0] ? normalizeDomain(positional[0]) : await readCipherwakeConfigDomain();
+
+  // Shared emitter: human lines + optional AI block + routing exit code.
+  // exitCode 3 = "no reusable signal" — the block still says ship_decision=
+  // review (fail-safe: agent must run the real check, never assume pass).
+  const finish = ({ shipDecision, exitCode, fields, humanLines }) => {
+    console.log("");
+    for (const l of humanLines) console.log(l);
+    if (aiMode) {
+      console.log(formatAiFooterBlock({
+        status: shipDecision,
+        kind: "last",
+        ...fields,
+        ship_decision: shipDecision,
+        reusable: exitCode === 3 ? "false" : "true",
+        max_age_minutes: maxAgeMin,
+        advisory_only: "true",
+        note: exitCode === 3
+          ? "No reusable result. Run: npx pqcheck deploy-check --ai"
+          : "Cached gate result. Exit 0 = CI/last check passed and covers the current state; re-run deploy-check after any new deploy.",
+        checked_at: new Date().toISOString(),
+      }));
+    }
+    console.log("");
+    process.exit(exitCode);
+  };
+
+  // ---------------------------------------------------------------------------
+  // --remote: latest cipherwake.yml GitHub Actions run for this repo
+  // ---------------------------------------------------------------------------
+  if (remote) {
+    const { execFile } = await import("node:child_process");
+    const git = (gitArgs) => new Promise((resolve) => {
+      execFile("git", gitArgs, { timeout: 5000 }, (err, stdout) => resolve(err ? null : String(stdout).trim()));
+    });
+    const originUrl = await git(["remote", "get-url", "origin"]);
+    if (!originUrl) {
+      return finish({
+        shipDecision: "review", exitCode: 3,
+        fields: { source: "github_actions", top_issue: "no_git_origin" },
+        humanLines: [color("red", "  ✗ pqcheck last --remote needs a git repo with an `origin` remote"), color("dim", "    Run inside the repo whose CI gate you want to read.")],
+      });
+    }
+    const m = originUrl.match(/github\.com[:/]([^/\s]+)\/([^/\s]+?)(?:\.git)?$/);
+    if (!m) {
+      return finish({
+        shipDecision: "review", exitCode: 3,
+        fields: { source: "github_actions", top_issue: "origin_not_github" },
+        humanLines: [color("red", `  ✗ --remote currently reads GitHub Actions only (origin: ${originUrl})`)],
+      });
+    }
+    const owner = m[1];
+    const repo = m[2];
+    const branch = await git(["rev-parse", "--abbrev-ref", "HEAD"]);
+    const localSha = await git(["rev-parse", "HEAD"]);
+
+    const branchParam = branch && branch !== "HEAD" ? `&branch=${encodeURIComponent(branch)}` : "";
+    const apiUrl = `https://api.github.com/repos/${owner}/${repo}/actions/workflows/cipherwake.yml/runs?per_page=1${branchParam}`;
+    const token = process.env.GITHUB_TOKEN || process.env.GH_TOKEN || "";
+    let resp;
+    try {
+      const ctrl = new AbortController();
+      const tmr = setTimeout(() => ctrl.abort(), 10000);
+      resp = await fetch(apiUrl, {
+        headers: {
+          accept: "application/vnd.github+json",
+          "user-agent": `pqcheck/${VERSION}`,
+          ...(token ? { authorization: `Bearer ${token}` } : {}),
+        },
+        signal: ctrl.signal,
+      });
+      clearTimeout(tmr);
+    } catch (err) {
+      return finish({
+        shipDecision: "review", exitCode: 3,
+        fields: { source: "github_actions", top_issue: "github_api_unreachable" },
+        humanLines: [color("red", `  ✗ GitHub API unreachable: ${err?.message || err}`)],
+      });
+    }
+    if (resp.status === 404) {
+      return finish({
+        shipDecision: "review", exitCode: 3,
+        fields: { source: "github_actions", top_issue: "no_cipherwake_workflow", repo: `${owner}/${repo}` },
+        humanLines: [
+          color("yellow", `  ⊝ ${owner}/${repo} has no cipherwake.yml workflow on GitHub`),
+          color("dim", "    Install the CI gate: npx pqcheck init --domain <domain>  (then commit + push)"),
+        ],
+      });
+    }
+    if (!resp.ok) {
+      return finish({
+        shipDecision: "review", exitCode: 3,
+        fields: { source: "github_actions", top_issue: `github_api_http_${resp.status}` },
+        humanLines: [
+          color("red", `  ✗ GitHub API returned HTTP ${resp.status}`),
+          ...(resp.status === 403 && !token ? [color("dim", "    Likely the anonymous rate limit (60/hr per IP) or a private repo — set GITHUB_TOKEN and retry.")] : []),
+        ],
+      });
+    }
+    const data = await resp.json().catch(() => null);
+    const run = data?.workflow_runs?.[0];
+    if (!run) {
+      return finish({
+        shipDecision: "review", exitCode: 3,
+        fields: { source: "github_actions", top_issue: "no_workflow_runs", repo: `${owner}/${repo}` },
+        humanLines: [color("yellow", `  ⊝ cipherwake.yml exists but has no runs${branchParam ? ` on branch ${branch}` : ""} yet — push to trigger one`)],
+      });
+    }
+
+    const ranAt = Date.parse(run.updated_at || run.run_started_at || "");
+    const ageMin = Number.isFinite(ranAt) ? Math.round((Date.now() - ranAt) / 60000) : null;
+    const stale = ageMin === null || ageMin > maxAgeMin;
+    const shaMatch = !!(localSha && run.head_sha && run.head_sha === localSha);
+    const shortSha = String(run.head_sha || "").slice(0, 7);
+    const baseFields = {
+      source: "github_actions",
+      ...(domainFilter ? { domain: domainFilter } : {}),
+      repo: `${owner}/${repo}`,
+      ci_status: run.status,
+      ci_conclusion: run.conclusion || "",
+      head_sha: run.head_sha || "",
+      head_sha_match: shaMatch ? "true" : "false",
+      age_minutes: ageMin ?? "unknown",
+      stale: stale ? "true" : "false",
+      run_url: run.html_url || "",
+    };
+    const headerLines = [
+      `  ${color("bold", "◆ Cipherwake — last CI gate result")} ${color("dim", `(${owner}/${repo} · cipherwake.yml)`)}`,
+      `  ${color("dim", `Run: ${run.status}${run.conclusion ? ` / ${run.conclusion}` : ""} · commit ${shortSha}${shaMatch ? " (matches local HEAD)" : localSha ? ` (local HEAD is ${localSha.slice(0, 7)} — DIFFERENT)` : ""} · ${ageMin ?? "?"}m ago`)}`,
+      `  ${color("dim", `URL: ${run.html_url || "?"}`)}`,
+    ];
+
+    if (run.status !== "completed") {
+      return finish({
+        shipDecision: "review", exitCode: 3,
+        fields: { ...baseFields, top_issue: "ci_run_in_progress" },
+        humanLines: [...headerLines, color("yellow", "  ⚠ CI run still in progress — wait for it, or run deploy-check directly")],
+      });
+    }
+    if (run.conclusion === "failure") {
+      // Conservative direction: a failed gate is a trustworthy "do not
+      // announce" signal even when stale or for a different commit.
+      return finish({
+        shipDecision: "review", exitCode: 1,
+        fields: { ...baseFields, top_issue: "ci_gate_failed" },
+        humanLines: [...headerLines, color("yellow", "  ⚠ REVIEW — the CI deploy gate FAILED on its last run. Inspect the run before announcing anything.")],
+      });
+    }
+    if (run.conclusion !== "success") {
+      return finish({
+        shipDecision: "review", exitCode: 3,
+        fields: { ...baseFields, top_issue: `ci_run_${run.conclusion || "unknown"}` },
+        humanLines: [...headerLines, color("yellow", `  ⊝ CI run ended "${run.conclusion}" — no reusable verdict`)],
+      });
+    }
+    if (stale) {
+      return finish({
+        shipDecision: "review", exitCode: 3,
+        fields: { ...baseFields, top_issue: "ci_result_stale" },
+        humanLines: [...headerLines, color("yellow", `  ⊝ CI gate passed but ${ageMin ?? "?"}m ago exceeds --max-age ${maxAgeMin}m — run a fresh deploy-check`)],
+      });
+    }
+    if (!shaMatch) {
+      return finish({
+        shipDecision: "review", exitCode: 3,
+        fields: { ...baseFields, top_issue: "ci_result_for_different_commit" },
+        humanLines: [...headerLines, color("yellow", "  ⊝ CI gate passed, but for a different commit than your local HEAD — its verdict doesn't cover your changes")],
+      });
+    }
+    return finish({
+      shipDecision: "pass", exitCode: 0,
+      fields: { ...baseFields, top_issue: "none" },
+      humanLines: [...headerLines, color("green", "  ✓ PASS — CI deploy gate passed on this exact commit within the freshness window. Safe to reuse; no duplicate deploy-check needed.")],
+    });
+  }
+
+  // ---------------------------------------------------------------------------
+  // Local: state files written by every scan / deploy-check
+  // ---------------------------------------------------------------------------
+  const fs = await import("node:fs/promises");
+  const path = await import("node:path");
+  const os = await import("node:os");
+  const candidates = [
+    { source: "repo_state", file: path.join(process.cwd(), ".cipherwake", "last-status.json") },
+    { source: "user_state", file: path.join(os.homedir(), ".config", "cipherwake", "last-scan.json") },
+  ];
+  let state = null;
+  let source = null;
+  let stateFile = null;
+  for (const c of candidates) {
+    try {
+      const parsed = JSON.parse(await fs.readFile(c.file, "utf8"));
+      if (domainFilter && normalizeDomain(String(parsed?.domain || "")) !== domainFilter) continue;
+      state = parsed;
+      source = c.source;
+      stateFile = c.file;
+      break;
+    } catch { /* missing or malformed — try next source */ }
+  }
+
+  if (!state) {
+    return finish({
+      shipDecision: "review", exitCode: 3,
+      fields: { source: "local_state", ...(domainFilter ? { domain: domainFilter } : {}), top_issue: "no_recent_result" },
+      humanLines: [
+        `  ${color("bold", "◆ Cipherwake — last result")}`,
+        color("yellow", `  ⊝ no local result found${domainFilter ? ` for ${domainFilter}` : ""}`),
+        color("dim", "    Run: npx pqcheck deploy-check --ai   (or `pqcheck last --remote` to read the CI gate)"),
+      ],
+    });
+  }
+
+  const writtenAt = Date.parse(state.written_at || "");
+  const ageMin = Number.isFinite(writtenAt) ? Math.round((Date.now() - writtenAt) / 60000) : null;
+  const stale = ageMin === null || ageMin > maxAgeMin;
+  const storedShip = ["pass", "review", "block"].includes(state.ship_decision) ? state.ship_decision : "review";
+  const fields = {
+    source,
+    domain: state.domain || domainFilter || "",
+    last_kind: state.kind || "",
+    last_ship_decision: storedShip,
+    ...(typeof state.score === "number" ? { dbr: state.score.toFixed(1) } : {}),
+    ...(state.grade ? { grade: state.grade } : {}),
+    ...(state.top_issue ? { last_top_issue: state.top_issue } : {}),
+    age_minutes: ageMin ?? "unknown",
+    stale: stale ? "true" : "false",
+    state_file: stateFile,
+  };
+  const headerLines = [
+    `  ${color("bold", "◆ Cipherwake — last result")} ${color("dim", `(${source === "repo_state" ? ".cipherwake/last-status.json" : "~/.config/cipherwake/last-scan.json"})`)}`,
+    `  ${color("dim", `Domain: ${state.domain || "?"} · kind: ${state.kind || "?"} · ship_decision: ${storedShip} · ${ageMin ?? "?"}m ago`)}`,
+  ];
+  if (stale) {
+    return finish({
+      shipDecision: "review", exitCode: 3,
+      fields: { ...fields, top_issue: "stale_result" },
+      humanLines: [...headerLines, color("yellow", `  ⊝ result is ${ageMin ?? "?"}m old — exceeds --max-age ${maxAgeMin}m. Run a fresh deploy-check.`)],
+    });
+  }
+  const marker = storedShip === "pass" ? color("green", "  ✓ PASS — last check passed within the freshness window.")
+    : storedShip === "review" ? color("yellow", "  ⚠ REVIEW — last check flagged a change. Surface it to the user before announcing.")
+    : color("red", "  ✗ BLOCK — last check returned block. Do not announce.");
+  return finish({
+    shipDecision: storedShip,
+    exitCode: shipDecisionExitCode(storedShip),
+    fields: { ...fields, top_issue: state.top_issue || "none" },
+    humanLines: [...headerLines, marker],
+  });
 }
 
 // =============================================================================
@@ -6158,7 +6755,7 @@ async function runOnboardCommand(args) {
   console.log(`     ${color("dim", "$")} git push`);
   console.log("");
   console.log(`  ${color("dim", "2.")} ${color("bold", "Open a PR")}`);
-  console.log(`     ${color("dim", "Cipherwake will comment inline within ~60s of the workflow firing. The action uses GitHub OIDC to meter usage per repo (Free = 30 calls/mo).")}`);
+  console.log(`     ${color("dim", "Cipherwake will comment inline within ~60s of the workflow firing. The action uses GitHub OIDC to meter usage per repo (Free = 100 calls/mo).")}`);
   console.log("");
   // R48 (post-R47 review MAJOR #6): the /account → "Linked repos" UI is
   // not yet shipped (out of R47 scope). Pointing users to a nonexistent
@@ -6190,48 +6787,6 @@ function buildReleaseChecklistMarkdown(domain) {
   return renderReleaseChecklist(domain, { generator: "onboard" });
 }
 
-// Cross-platform browser launcher. Returns true if a launcher binary
-// dispatched successfully; false if no launcher is available (e.g. headless
-// server, sandboxed CI, broken xdg-open config).
-//
-// R41 fix #2 (locked 2026-05-16): use exit-event detection + longer timeout
-// so we don't falsely claim "(opened in your browser)" when xdg-open is
-// installed but the launcher exits non-zero (no graphical session, no
-// MIME handler). Previously a flat 200ms timeout resolved true even when
-// the launcher exited 3 because no display was available.
-async function tryOpenBrowser(url) {
-  if (process.env.CI || process.env.CIPHERWAKE_NO_BROWSER) return false;
-  const { spawn } = await import("node:child_process");
-  const platform = process.platform;
-  let cmd, cmdArgs;
-  if (platform === "darwin") {
-    cmd = "open"; cmdArgs = [url];
-  } else if (platform === "win32") {
-    cmd = "cmd"; cmdArgs = ["/c", "start", "", url];
-  } else {
-    cmd = "xdg-open"; cmdArgs = [url];
-  }
-  return await new Promise((resolve) => {
-    let settled = false;
-    let p;
-    try {
-      p = spawn(cmd, cmdArgs, { stdio: "ignore", detached: true });
-    } catch {
-      resolve(false);
-      return;
-    }
-    p.on("error", () => { if (!settled) { settled = true; resolve(false); } });
-    p.on("exit", (code) => { if (!settled) { settled = true; resolve(code === 0); } });
-    p.unref();
-    // Belt-and-suspenders: if the launcher takes >1s to exit AND no error
-    // event has fired, assume it dispatched and went detached (open on
-    // macOS does this — returns after AppleScript-asking Finder/Safari).
-    setTimeout(() => {
-      if (!settled) { settled = true; resolve(true); }
-    }, 1000);
-  });
-}
-
 // =============================================================================
 // `pqcheck guard --domain X -- <deploy command>` — wrapper command
 // =============================================================================
@@ -6257,15 +6812,24 @@ async function runGuardCommand(args) {
   const ourArgs = sepIdx >= 0 ? args.slice(0, sepIdx) : args;
   const deployCmd = sepIdx >= 0 ? args.slice(sepIdx + 1) : [];
 
-  const domain = parseFlag(ourArgs, "--domain");
+  let domain = parseFlag(ourArgs, "--domain");
   const gateMode = parseFlag(ourArgs, "--gate-mode") || "balanced";
   const bypassReason = parseFlag(ourArgs, "--bypass");
   const noPostCheck = ourArgs.includes("--no-post-check");
 
+  if (!domain) {
+    // R96 (dogfood feedback #2) — fall back to the `domain` field in
+    // .cipherwake.json (written by `pqcheck setup`/`init`).
+    domain = await readCipherwakeConfigDomain();
+    if (domain) {
+      console.error(color("dim", `  ℹ no --domain flag — using "${domain}" from .cipherwake.json`));
+    }
+  }
   if (!domain) {
     console.error(color("red", "error: pqcheck guard requires --domain"));
     console.error(color("dim", "Usage: npx pqcheck guard --domain example.com -- <deploy command>"));
     console.error(color("dim", "Example: npx pqcheck guard --domain example.com -- vercel deploy --prod"));
+    console.error(color("dim", "Tip: run `npx pqcheck setup --auto --domain <domain>` once and the domain is saved to .cipherwake.json — after that, `npx pqcheck guard -- <deploy-cmd>` works without the flag."));
     process.exit(3);
   }
   if (deployCmd.length === 0) {
@@ -6342,7 +6906,15 @@ async function runGuardCommand(args) {
   console.log(color("bold", `  Pre-deploy check returned: ship_decision=${shipDecision}`));
 
   // Decide what to do.
-  if (shipDecision === "pass") {
+  if (gateMode === "advisory" && shipDecision !== "pass") {
+    // R96 — advisory mode promises "deploy never blocked", but --fail-on
+    // none only downgrades FINDINGS-driven decisions; an assertion-driven
+    // block (deploy unreachable, WAF) still arrived here as block/review
+    // and hit process.exit below. Advisory means advisory: warn + proceed.
+    console.log(color("yellow", `  ⚠ Advisory mode: ship_decision=${shipDecision} noted — proceeding with deploy anyway.`));
+    console.log(color("dim", "  Review the findings above. Advisory mode never blocks the deploy."));
+    console.log("");
+  } else if (shipDecision === "pass") {
     console.log(color("green", "  ✓ Posture stable — running deploy command."));
     console.log("");
   } else if (shipDecision === "review") {
@@ -6465,6 +7037,15 @@ Cipherwake deploy check and route on the result.
 Reference: https://cipherwake.io/methodology/ai-coder-protocol
 `;
 
+// R96 (dogfood feedback #2) — fill the <your-domain> placeholders with the
+// real monitored domain when known. A protocol block reading `deploy-check
+// cipherwake.io --ai` is directly executable by the AI coder; the literal
+// `<your-domain>` placeholder forced every AI session to guess or ask.
+function renderProtocolText(domain) {
+  if (!domain) return AI_CODER_PROTOCOL_TEXT;
+  return AI_CODER_PROTOCOL_TEXT.replaceAll("<your-domain>", domain);
+}
+
 async function runProtocolCommand(args) {
   const sub = args[0];
   if (sub !== "install") {
@@ -6511,6 +7092,21 @@ async function runProtocolCommand(args) {
     process.exit(3);
   }
 
+  // R96 — resolve the monitored domain (--domain flag, else .cipherwake.json)
+  // so the installed protocol text carries the real domain instead of the
+  // <your-domain> placeholder.
+  let protocolDomain = null;
+  const domainFlag = parseFlag(args, "--domain");
+  if (domainFlag) {
+    const d = normalizeDomain(domainFlag);
+    if (isValidDomain(d)) {
+      protocolDomain = d;
+    } else {
+      console.error(color("yellow", `⚠ --domain "${domainFlag}" is not a valid hostname — protocol will keep the <your-domain> placeholder`));
+    }
+  }
+  if (!protocolDomain) protocolDomain = await readCipherwakeConfigDomain();
+
   // Detect candidate files across major AI coders that:
   //   (a) read an instructions file at session start, AND
   //   (b) can run shell commands (so they can actually invoke pqcheck).
@@ -6548,6 +7144,10 @@ async function runProtocolCommand(args) {
     if (consentPhrase) console.log(color("dim", `Consent phrase: "${consentPhrase}"`));
     console.log("");
   }
+  if (protocolDomain) {
+    console.log(color("dim", `Domain: ${protocolDomain} — the protocol's <your-domain> placeholders will be filled in.`));
+    console.log("");
+  }
   console.log("Here's what would be added:");
   console.log("");
   if (detected.length === 0) {
@@ -6569,7 +7169,17 @@ async function runProtocolCommand(args) {
     }
     detected.push({ label: useGlobal ? "Claude Code (will create global)" : "Claude Code (will create project)", path: fallbackPath });
   }
+  // R96 — Claude Code reads BOTH ~/.claude/CLAUDE.md and ./CLAUDE.md, so
+  // installing to both duplicates ~40 lines in every session's context.
+  // When the global file is a target, the project CLAUDE.md is skipped.
+  const globalClaudeMdPath = path.join(os.homedir(), ".claude", "CLAUDE.md");
+  const projectClaudeMdPath = path.join(process.cwd(), "CLAUDE.md");
+  const globalClaudeMdDetected = detected.some((d) => d.path === globalClaudeMdPath);
   for (const d of detected) {
+    if (globalClaudeMdDetected && d.path === projectClaudeMdPath) {
+      console.log(`  • ${color("dim", `Skip ${d.path} — covered by the global Claude Code install (Claude Code reads both files; one copy is enough)`)}`);
+      continue;
+    }
     console.log(`  • Append a ~30-line "## Pre-deploy verification with Cipherwake" section to ${color("bold", d.path)}`);
     console.log(`    ${color("dim", `(${d.label} — existing content preserved)`)}`);
   }
@@ -6578,7 +7188,7 @@ async function runProtocolCommand(args) {
   // --manual → print only, no install
   if (manualFlag) {
     console.log(color("bold", "── Cipherwake AI Coder Protocol — paste this into your AI coder's instructions ──"));
-    console.log(AI_CODER_PROTOCOL_TEXT);
+    console.log(renderProtocolText(protocolDomain));
     console.log(color("bold", "── End of protocol ──"));
     console.log("");
     console.log(color("dim", `For target files, see: ${detected.map(d => d.path).join(", ")}`));
@@ -6593,6 +7203,7 @@ async function runProtocolCommand(args) {
       mode: "auto-flag",
       consent_phrase: consentPhrase,
       invoked_by: invokedBy,
+      domain: protocolDomain,
       fs, path, os,
     });
   }
@@ -6631,7 +7242,7 @@ async function runProtocolCommand(args) {
   if (choice === "m" || choice === "manual") {
     console.log("");
     console.log(color("bold", "── Cipherwake AI Coder Protocol — paste this into your AI coder's instructions ──"));
-    console.log(AI_CODER_PROTOCOL_TEXT);
+    console.log(renderProtocolText(protocolDomain));
     console.log(color("bold", "── End of protocol ──"));
     console.log("");
     console.log(color("dim", `For target files, see: ${detected.map(d => d.path).join(", ")}`));
@@ -6643,6 +7254,7 @@ async function runProtocolCommand(args) {
       mode: "interactive",
       consent_phrase: "user typed [a] at the install prompt",
       invoked_by: "human-at-terminal",
+      domain: protocolDomain,
       fs, path, os,
     });
   }
@@ -6655,8 +7267,22 @@ async function runProtocolCommand(args) {
 // Writes the protocol to each detected file and records the audit trail.
 async function performAutoInstall(detected, opts) {
   const { fs, path, os } = opts;
+  const protocolText = renderProtocolText(opts.domain || null);
   const results = [];
+  // R96 — cross-file dedupe: Claude Code reads BOTH ~/.claude/CLAUDE.md and
+  // ./CLAUDE.md. Once the global file carries the protocol (pre-existing or
+  // installed earlier in this loop — global is first in the candidates
+  // order), the project CLAUDE.md is skipped instead of duplicating ~40
+  // lines into every session's context.
+  const globalClaudeMdPath = path.join(os.homedir(), ".claude", "CLAUDE.md");
+  const projectClaudeMdPath = path.join(process.cwd(), "CLAUDE.md");
+  let globalClaudeMdCovered = false;
   for (const d of detected) {
+    if (d.path === projectClaudeMdPath && globalClaudeMdCovered) {
+      console.log(color("dim", `  ⊝ ${d.path} — covered by the global Claude Code install (~/.claude/CLAUDE.md), skipping.`));
+      results.push({ path: d.path, label: d.label, status: "skipped-covered-by-global" });
+      continue;
+    }
     try {
       await fs.mkdir(path.dirname(d.path), { recursive: true });
       let existing = "";
@@ -6664,12 +7290,14 @@ async function performAutoInstall(detected, opts) {
       if (existing.includes("## Pre-deploy verification with Cipherwake")) {
         console.log(color("dim", `  ⊝ ${d.path} — already contains the protocol, skipping.`));
         results.push({ path: d.path, label: d.label, status: "skipped-already-present" });
+        if (d.path === globalClaudeMdPath) globalClaudeMdCovered = true;
         continue;
       }
-      const newContent = existing + "\n" + AI_CODER_PROTOCOL_TEXT + "\n";
+      const newContent = existing + "\n" + protocolText + "\n";
       await fs.writeFile(d.path, newContent, "utf8");
-      console.log(color("green", `  ✓ ${d.path} — protocol appended (${AI_CODER_PROTOCOL_TEXT.split("\n").length} lines)`));
+      console.log(color("green", `  ✓ ${d.path} — protocol appended (${protocolText.split("\n").length} lines)`));
       results.push({ path: d.path, label: d.label, status: "installed" });
+      if (d.path === globalClaudeMdPath) globalClaudeMdCovered = true;
     } catch (err) {
       console.log(color("red", `  ✗ ${d.path} — failed: ${err.message}`));
       results.push({ path: d.path, label: d.label, status: "failed", error: String(err?.message || err) });
@@ -6921,6 +7549,12 @@ async function runSetupCommand(args) {
     console.log("");
     console.log(color("bold", "Files this install would touch:"));
     const planEntries = [];
+    {
+      const cfgPath = path.join(process.cwd(), ".cipherwake.json");
+      let cfgExists = false;
+      try { await fs.access(cfgPath); cfgExists = true; } catch { /* */ }
+      planEntries.push({ what: `.cipherwake.json domain default (${domain})`, to: cfgPath, op: cfgExists ? "merge domain field" : "create" });
+    }
     if (!skipWorkflow) planEntries.push({ what: "GitHub Action workflow", to: path.join(process.cwd(), ".github", "workflows", "cipherwake.yml"), op: "create" });
     if (!skipProtocol) {
       const candidates = [
@@ -6931,10 +7565,15 @@ async function runSetupCommand(args) {
         { label: "Aider", path: path.join(process.cwd(), ".aider.conf.yml") },
         { label: "AGENTS.md", path: path.join(process.cwd(), "AGENTS.md") },
       ];
+      let globalClaudeMdExists = false;
+      try { await fs.access(path.join(os.homedir(), ".claude", "CLAUDE.md")); globalClaudeMdExists = true; } catch { /* */ }
       for (const c of candidates) {
         let exists = false;
         try { await fs.access(c.path); exists = true; } catch { /* */ }
-        planEntries.push({ what: `AI Coder Protocol — ${c.label}`, to: c.path, op: exists ? "append-markered" : "skip (file not present)" });
+        let op = exists ? "append-markered" : "skip (file not present)";
+        // R96 — Claude Code reads both global + project CLAUDE.md; one copy is enough.
+        if (c.label === "Claude Code (project)" && globalClaudeMdExists) op = "skip (covered by global CLAUDE.md)";
+        planEntries.push({ what: `AI Coder Protocol — ${c.label}`, to: c.path, op });
       }
     }
     if (!skipHook) planEntries.push({ what: "git pre-push hook", to: path.join(process.cwd(), ".git", "hooks", "pre-push"), op: "create (if git repo)" });
@@ -7024,6 +7663,40 @@ async function runSetupCommand(args) {
 
   const installSummary = [];
 
+  // -------------------------------------------------------------------------
+  // Component 0: persist the domain to ./.cipherwake.json (R96, feedback #2)
+  // -------------------------------------------------------------------------
+  // Once the domain lives in the config, `pqcheck deploy-check --ai` and
+  // `pqcheck guard -- <cmd>` work without a domain argument — the AI coder
+  // never has to guess which domain this repo deploys to.
+  try {
+    const cfgResult = await writeDomainToCipherwakeConfig(domain);
+    switch (cfgResult.status) {
+      case "created":
+        console.log(color("green", `  ✓ wrote .cipherwake.json (domain: ${domain} — deploy-check/guard can now omit the domain argument)`));
+        break;
+      case "merged":
+        console.log(color("green", `  ✓ added "domain": "${domain}" to .cipherwake.json`));
+        break;
+      case "updated":
+        console.log(color("green", `  ✓ updated .cipherwake.json domain: ${cfgResult.prior} → ${domain}`));
+        break;
+      case "already-set":
+        console.log(color("dim", `  ⊝ .cipherwake.json already sets domain ${domain} — skipping`));
+        break;
+      case "skipped-malformed":
+        console.log(color("yellow", `  ⚠ .cipherwake.json has malformed JSON — not writing domain (fix the file, then re-run, or add "domain": "${domain}" by hand)`));
+        break;
+      case "skipped-unexpected-shape":
+        console.log(color("yellow", `  ⚠ .cipherwake.json is not a JSON object — not writing domain`));
+        break;
+    }
+    installSummary.push({ component: ".cipherwake.json domain", path: cfgResult.path, status: cfgResult.status });
+  } catch (err) {
+    console.log(color("red", `  ✗ .cipherwake.json domain write failed: ${err.message}`));
+    installSummary.push({ component: ".cipherwake.json domain", status: "failed", error: String(err?.message || err) });
+  }
+
   // -------------------------------------------------------------------------
   // Component 1: GitHub Action workflow (.github/workflows/cipherwake.yml)
   // -------------------------------------------------------------------------
@@ -7035,7 +7708,10 @@ async function runSetupCommand(args) {
         console.log(color("dim", `  ⊝ workflow at .github/workflows/cipherwake.yml already exists — skipping`));
         installSummary.push({ component: "GitHub Action workflow", path: workflowPath, status: "skipped-already-present" });
       } catch {
-        const workflowYaml = renderTrustDiffWorkflow({ domain, failOn, baseline });
+        // R94.3 — setup-time workflow inherits the same opt-in default
+        // (push). Customers on Vercel/Netlify can re-run `pqcheck init
+        // --trigger=deployment-status` to swap in the post-deploy variant.
+        const workflowYaml = renderTrustDiffWorkflow({ domain, failOn, baseline, triggerMode: "push" });
         await fs.mkdir(path.dirname(workflowPath), { recursive: true });
         await fs.writeFile(workflowPath, workflowYaml, "utf8");
         console.log(color("green", `  ✓ wrote .github/workflows/cipherwake.yml (CI hard-gate layer)`));
@@ -7083,7 +7759,22 @@ async function runSetupCommand(args) {
     // user has written outside the markers.
     const START_MARKER = "<!-- CIPHERWAKE_AI_CODER_PROTOCOL_START — managed by pqcheck setup; safe to delete this section between markers but do not edit by hand -->";
     const END_MARKER = "<!-- CIPHERWAKE_AI_CODER_PROTOCOL_END -->";
+    // R96 — setup always has --domain; render it into the protocol so the
+    // installed text is directly executable (no <your-domain> placeholder).
+    const protocolText = renderProtocolText(domain);
+    // R96 — cross-file dedupe: Claude Code reads BOTH ~/.claude/CLAUDE.md and
+    // ./CLAUDE.md. Global is first in the candidates order; once it carries
+    // the protocol, skip the project CLAUDE.md instead of duplicating ~40
+    // lines into every session's context.
+    const globalClaudeMdPath = path.join(os.homedir(), ".claude", "CLAUDE.md");
+    const projectClaudeMdPath = path.join(process.cwd(), "CLAUDE.md");
+    let globalClaudeMdCovered = false;
     for (const t of protocolTargets) {
+      if (t.path === projectClaudeMdPath && globalClaudeMdCovered) {
+        console.log(color("dim", `  ⊝ ${path.basename(t.path)} (${t.label}) — covered by the global Claude Code install (~/.claude/CLAUDE.md)`));
+        installSummary.push({ component: "AI Coder Protocol", path: t.path, label: t.label, status: "skipped-covered-by-global" });
+        continue;
+      }
       try {
         await fs.mkdir(path.dirname(t.path), { recursive: true });
         let existing = "";
@@ -7098,10 +7789,11 @@ async function runSetupCommand(args) {
           const endIdx = existing.indexOf(END_MARKER) + END_MARKER.length;
           const before = existing.slice(0, startIdx);
           const after = existing.slice(endIdx);
-          const next = `${before.replace(/\n+$/, "")}\n\n${START_MARKER}\n${AI_CODER_PROTOCOL_TEXT}\n${END_MARKER}\n${after.replace(/^\n+/, "")}`;
+          const next = `${before.replace(/\n+$/, "")}\n\n${START_MARKER}\n${protocolText}\n${END_MARKER}\n${after.replace(/^\n+/, "")}`;
           if (next === existing) {
             console.log(color("dim", `  ⊝ ${path.basename(t.path)} (${t.label}) — protocol already current`));
             installSummary.push({ component: "AI Coder Protocol", path: t.path, label: t.label, status: "skipped-already-present" });
+            if (t.path === globalClaudeMdPath) globalClaudeMdCovered = true;
             continue;
           }
           await fs.writeFile(t.path, next, "utf8");
@@ -7115,10 +7807,11 @@ async function runSetupCommand(args) {
         } else {
           // Fresh install — append with fenced markers.
           const sep = existing.length > 0 ? "\n\n" : "";
-          await fs.writeFile(t.path, `${existing}${sep}${START_MARKER}\n${AI_CODER_PROTOCOL_TEXT}\n${END_MARKER}\n`, "utf8");
+          await fs.writeFile(t.path, `${existing}${sep}${START_MARKER}\n${protocolText}\n${END_MARKER}\n`, "utf8");
           console.log(color("green", `  ✓ appended protocol (markered) → ${path.basename(t.path)} (${t.label})`));
           installSummary.push({ component: "AI Coder Protocol", path: t.path, label: t.label, status: "installed" });
         }
+        if (t.path === globalClaudeMdPath) globalClaudeMdCovered = true;
       } catch (err) {
         console.log(color("red", `  ✗ ${t.path} — failed: ${err.message}`));
         installSummary.push({ component: "AI Coder Protocol", path: t.path, status: "failed", error: String(err?.message || err) });
@@ -7501,14 +8194,15 @@ async function runSetupCommand(args) {
   console.log(color("bold", "◆ Setup complete — summary:"));
   console.log("");
   for (const s of installSummary) {
-    const icon = s.status === "installed" || s.status === "installed-created" || s.status === "installed-updated"
+    const okStatuses = ["installed", "installed-created", "installed-updated", "created", "merged", "updated"];
+    const icon = okStatuses.includes(s.status)
       ? color("green", "✓")
-      : s.status?.startsWith("skipped")
+      : s.status?.startsWith("skipped") || s.status === "already-set"
         ? color("dim", "⊝")
         : color("red", "✗");
     const label = s.component;
-    const detail = s.status === "installed" || s.status === "installed-created" || s.status === "installed-updated"
-      ? color("dim", `installed${s.path ? " → " + s.path.replace(os.homedir(), "~") : ""}`)
+    const detail = okStatuses.includes(s.status)
+      ? color("dim", `${s.status.startsWith("installed") ? "installed" : s.status}${s.path ? " → " + s.path.replace(os.homedir(), "~") : ""}`)
       : color("dim", s.status?.replace(/-/g, " "));
     console.log(`  ${icon} ${label.padEnd(34, " ")} ${detail}`);
   }
@@ -7521,5 +8215,27 @@ async function runSetupCommand(args) {
 
 main().catch((err) => {
   console.error(color("red", `fatal: ${err.message}`));
-  process.exit(2);
+  // R96 — exit 3 (error), NOT 2. Exit 2 means "block" in the AI contract,
+  // so an internal CLI crash used to masquerade as a security block (and
+  // the pre-push hook refused the push). In AI mode, also emit a guard
+  // block so the agent gets ship_decision=review instead of "no signal".
+  try {
+    const argv = process.argv.slice(2);
+    if (parseAiMode(argv)) {
+      console.log(formatAiFooterBlock({
+        status: "review",
+        kind: "error",
+        verdict: "review",
+        ship_decision: "review",
+        top_issue: "cli_internal_error",
+        top_issue_title: "pqcheck crashed before producing a result",
+        scanned_at: new Date().toISOString(),
+        advisory_only: "true",
+        error: String(err?.message || err).slice(0, 200),
+      }));
+    }
+  } catch {
+    // never let the crash handler crash
+  }
+  process.exit(3);
 });