pqcheck 0.16.9 → 0.16.12

package/README.md

@@ -6,19 +6,22 @@
 [![npm downloads](https://img.shields.io/npm/dm/pqcheck.svg?style=flat-square&color=06b6d4)](https://www.npmjs.com/package/pqcheck)
 [![license](https://img.shields.io/npm/l/pqcheck.svg?style=flat-square&color=06b6d4)](./LICENSE)
 
+> **Latest: v0.16.12** — README rewritten to lead with the AI deploy gate (drift between deploys) as the product; DBR repositioned as the severity model the gate uses. No CLI behavior changes. [Full changelog →](./CHANGELOG.md)
+
 ```bash
 npx pqcheck deploy-check yourdomain.com --ai
 ```
 
 ```
-◆ Cipherwake · yourdomain.com ⚠ REVIEW · DBR 4.1 C · HIGH
+◆ Cipherwake · yourdomain.com ⚠ REVIEW · 2 changes since last scan · HIGH
 
-Top finding:
-  [HIGH] ECDHE-only — quantum-vulnerable key exchange
+Surface changes:
+  + New third-party script: widget.intercom.io
+  ~ Strict-Transport-Security weakened: max-age=31536000 → max-age=3600
 
 CIPHERWAKE_AI_GUARD_RESULT
 ship_decision=review
-top_issue=tls.ecdhe_only_quantum_vulnerable
+top_issue=vendor.new_third_party_script
 END_CIPHERWAKE_AI_GUARD_RESULT
 ```
 
@@ -32,11 +35,18 @@ Zero install. Works in any terminal with Node 18+. Free, no signup, no API key r
 
 ## What pqcheck actually checks
 
-Each `pqcheck <domain>` scans your site's public HTTPS surface and produces:
+Each `pqcheck deploy-check <domain>` compares your site's public HTTPS surface *now* against your last scan and surfaces what changed:
+
+- **New third-party scripts** loading on the page that weren't there before (the Polyfill.io-class supply-chain risk)
+- **Header regressions** — CSP weakened, HSTS shortened or removed, X-Frame-Options dropped, permissive tokens (`'unsafe-inline'`, `*`) introduced
+- **Certificate / SPKI changes** — unexpected rotations, key reuse across renewals, intermediate-chain changes
+- **TLS posture changes** — ciphersuite shifts, hybrid PQC key-agreement (`X25519MLKEM768`) added or removed
+- **Vendor surface changes** — new email senders (SPF/DMARC), new CDN origins, new analytics endpoints
+- **Subdomain takeover exposure** — new dangling CNAMEs pointing at AWS S3 / GitHub Pages / Heroku / Fastly / etc.
+
+The gate routes each change through a severity model — the **Decryption Blast Radius** score (DBR, 0–10) — to decide `pass` / `review` / `block`. Cosmetic drift passes; high-severity drift (new script from an unknown origin, header regression that breaks defense-in-depth, cert SPKI change without a rotation event) triggers `review`; critical drift (expired cert served, takeover-vulnerable subdomain, malicious vendor injected) triggers `block`. DBR's full severity rubric is documented at [/methodology/decryption-blast-radius](https://cipherwake.io/methodology/decryption-blast-radius).
 
-- a **DBR score** (Decryption Blast Radius, 0–10) — how much of today's traffic would be readable to an attacker who's storing it now and waiting for quantum computers to break today's encryption (the "harvest-now, decrypt-later" risk, typically 5–10 years out per NIST timelines)
-- a **letter grade** (A–F)
-- a **findings list** ranked by severity — TLS cipher suites, certificate quality, security headers (CSP / HSTS / etc.), third-party scripts loaded by the page, key reuse across subdomains, and more
+On **first use** (no prior scan to diff against), `deploy-check` falls back to absolute-posture grading: it scores the current state and surfaces the highest-severity findings so you start with a baseline. Every subsequent run is drift-relative to the previous scan.
 
 You get the same scanner that powers [cipherwake.io](https://cipherwake.io), the browser extension, and the GitHub Action.
 
@@ -44,54 +54,74 @@ You get the same scanner that powers [cipherwake.io](https://cipherwake.io), the
 
 ## Commands at a glance
 
+Grouped by intent: **deploy gate** (the flagship wedge) → **drift comparison** (the engine the gate runs on) → **AI setup / install** → **workflow scaffolds** → **committable artifacts** → **posture grade + tracking** → **diagnostic**. Every CLI command is listed here exactly once; flags / output formats / exit codes are in [Flags, formats & exit codes](#flags-formats--exit-codes) further down.
+
 | Command | What it gives you |
 |---|---|
-| `npx pqcheck <domain>` | The basic scan. Returns DBR score (0–10), letter grade (A–F), and a list of findings ranked by severity. The fastest way to ask "is my site's HTTPS posture healthy today?" |
-| `npx pqcheck deploy-check <domain> --ai` | The flagship command. Wraps the scan with `ship_decision=pass\|review\|block` for your AI coding agent to gate the deploy announcement. Works anonymously on first use; subsequent runs compare against the previous scan. |
+| **Deploy gate — the flagship wedge** | |
+| `npx pqcheck deploy-check <domain> --ai` | **The flagship.** Scans the domain, compares against the previous scan (first run sets the baseline), and emits a `ship_decision=pass\|review\|block` field your AI coding agent parses to decide whether to announce the deploy, ask you, or stop. Works anonymously — no signup needed. |
+| **`npx pqcheck guard --domain <D> -- <cmd>`** | **Deploy guard wrapper.** Wraps any deploy command. Runs `deploy-check` first; conditionally runs `<cmd>` based on `ship_decision`. Modes: `--gate-mode balanced` (default) / `advisory` / `strict`. ONE command instead of two — the strongest single artifact for AI-coder workflows because the AI never has to remember to chain check + deploy. |
+| **`--ai` flag** (any of the above) | **AI Coder Mode.** Three-layer output (banner / body / structured `CIPHERWAKE_AI_GUARD_RESULT` block) tuned for Claude Code / Cursor / Aider / Zed. Includes a `ship_decision=pass\|review\|block` field your AI coworker parses to decide whether to announce the deploy, ask you, or revert. See [/methodology/ai-coder-mode](https://cipherwake.io/methodology/ai-coder-mode). |
+| **Drift comparison — what the gate runs on** | |
 | `npx pqcheck trust-diff <domain>` | Compare today's HTTPS surface against a saved baseline (last week / last month / a saved CI baseline). For CI gates and release checklists. |
-| `npx pqcheck preview-diff --preview <URL> --production <URL>` | Compare a Vercel/Netlify preview deployment URL to production. Surfaces new third-party scripts, header regressions, and DBR score drops *inside the PR*, before merge. **v0.16.3** — now renders per-signal N vs N+1 status on every run (scripts, headers, cert SPKI, TLS, …) so you can see *every* check fired, not just "did something change." Add `--verbose` for the full side-by-side table. |
-| `npx pqcheck vendors export/check/sync <domain>` | Vendor lockfile (`cipherwake.vendors.json`) + CI gate that exits non-zero when a new third-party origin appears. Like `package-lock.json` for vendor scripts. |
+| `npx pqcheck preview-diff --preview <URL> --production <URL>` | Compare a Vercel/Netlify preview deployment URL to production. Surfaces new third-party scripts, header regressions, and DBR score drops *inside the PR*, before merge. Renders per-signal N vs N+1 status on every run (scripts, headers, cert SPKI, TLS, …) so you can see *every* check fired, not just "did something change." Add `--verbose` for the full side-by-side table. |
+| **AI setup / install** | |
+| **`npx pqcheck setup --auto --domain <D>`** | **One-command full setup for every AI coder.** Installs (idempotently): GitHub Action workflow, AI Coder Protocol across all detected rules files (Claude / Cursor / Copilot / Aider / Windsurf / Continue / Cline / AGENTS.md) using fenced markers (`<!-- CIPHERWAKE_AI_CODER_PROTOCOL_START/END -->`), git pre-push hook, Claude Code statusLine + 2 hooks (PostToolUse Bash + **UserPromptSubmit**), per-repo `.cipherwake/last-status.json` for Cursor / Copilot / Continue to read as context. Skip flags available. Backups taken before any `~/.claude/settings.json` write. Audit trail at `~/.config/cipherwake/install-prefs.json`; install manifest at `~/.config/cipherwake/install-manifest.json`. |
+| **`npx pqcheck setup --plan --domain <D>`** | **Dry-run mode.** Prints every file change `--auto` would make (target paths + operation type: create / append-markered / deep-merge / backup-first) without writing anything. Run this first when you're not sure what `--auto` will touch. |
+| **`npx pqcheck protocol install`** | **Opt-in installer** for the AI Coder Protocol — appends the pre-deploy verification rule to your `CLAUDE.md` / `.cursorrules` / `.aider.conf.yml` with explicit consent (Rule 17). One upfront question (auto / manual / no). Never silent writes. |
+| **`UserPromptSubmit` hook** | **Claude sees `ship_decision` before responding to every prompt.** When `pqcheck setup --auto` runs, it wires `cipherwake-prompt-hook` as a Claude Code UserPromptSubmit hook. On every user prompt, the hook injects `additionalContext` with the current scan's `ship_decision` IF it's `review`/`block` and the state is <24h old. Silent when state is missing, stale, or `pass`. Different timing from the PostToolUse chat-hook: this fires *before* Claude thinks (proactive), the chat-hook fires *after* a Bash command (reactive). |
+| **Per-repo state file** `.cipherwake/last-status.json` | **Cursor / Copilot / Continue read this for workspace context.** Every `pqcheck` scan writes the same payload as the per-user file. Created by `setup --auto`; auto-added to `.gitignore` (per-developer state, not committable). Gives AI agents inside VS Code-family editors a repo-local artifact they pick up automatically when reading workspace files. |
+| **Workflow scaffolds** | |
 | `npx pqcheck onboard <domain>` | One command: scan → scaffold the GitHub Action → capture a vendor lockfile → set a baseline → commit + push. Zero copy-paste from docs. |
-| **`npx pqcheck guard --domain <D> -- <cmd>`** 🆕 | **Deploy guard wrapper.** Wraps any deploy command. Runs `deploy-check` first; conditionally runs `<cmd>` based on `ship_decision`. Modes: `--gate-mode balanced` (default) / `advisory` / `strict`. ONE command instead of two — the strongest single artifact for AI-coder workflows because the AI never has to remember to chain check + deploy. |
-| **`npx pqcheck protocol install`** 🆕 | **Opt-in installer** for the AI Coder Protocol — appends the pre-deploy verification rule to your `CLAUDE.md` / `.cursorrules` / `.aider.conf.yml` with explicit consent (Rule 17). One upfront question (auto / manual / no). Never silent writes. |
-| **`npx pqcheck setup --auto --domain <D>`** 🆕 | **One-command full setup for every AI coder.** Installs (idempotently): GitHub Action workflow, AI Coder Protocol across all detected rules files (Claude / Cursor / Copilot / Aider / Windsurf / Continue / Cline / AGENTS.md) using fenced markers (`<!-- CIPHERWAKE_AI_CODER_PROTOCOL_START/END -->`), git pre-push hook, Claude Code statusLine + 2 hooks (PostToolUse Bash + **UserPromptSubmit** ⓝ), per-repo `.cipherwake/last-status.json` for Cursor / Copilot / Continue to read as context. Skip flags available. Backups taken before any `~/.claude/settings.json` write. Audit trail at `~/.config/cipherwake/install-prefs.json`; install manifest at `~/.config/cipherwake/install-manifest.json`. |
-| **`UserPromptSubmit` hook** (v0.15.1 ⓝ) | **Claude sees `ship_decision` before responding to every prompt.** When `pqcheck setup --auto` runs, it wires `cipherwake-prompt-hook` as a Claude Code UserPromptSubmit hook. On every user prompt, the hook injects `additionalContext` with the current scan's `ship_decision` IF it's `review`/`block` and the state is <24h old. Silent when state is missing, stale, or `pass`. Different timing from the PostToolUse chat-hook: this fires *before* Claude thinks (proactive), the chat-hook fires *after* a Bash command (reactive). |
-| **Per-repo state file** `.cipherwake/last-status.json` (v0.15.1 ⓝ) | **Cursor / Copilot / Continue read this for workspace context.** Every `pqcheck` scan writes the same payload as the per-user file. Created by `setup --auto`; auto-added to `.gitignore` (per-developer state, not committable). Gives AI agents inside VS Code-family editors a repo-local artifact they pick up automatically when reading workspace files. |
-| **`npx pqcheck setup --plan --domain <D>`** 🆕 | **Dry-run mode.** Prints every file change `--auto` would make (target paths + operation type: create / append-markered / deep-merge / backup-first) without writing anything. Run this first when you're not sure what `--auto` will touch. |
-| **`npx pqcheck debug-network`** 🆕 | **Connectivity diagnostic.** Probes cipherwake.io API, homepage, crt.sh upstream, and the direct Vercel URL (bypassing Cloudflare). Reports HTTP status + timing per hop. Use when "scan hung" / "command not found" / corporate proxy issues come up — surfaces the actual broken hop with an actionable cause list. |
-| **`--ai` flag** (any of the above) | **AI Coder Mode** (0.15.0). Three-layer output (banner / body / structured `CIPHERWAKE_AI_GUARD_RESULT` block) tuned for Claude Code / Cursor / Aider / Zed. Includes a `ship_decision=pass\|review\|block` field your AI coworker parses to decide whether to announce the deploy, ask you, or revert. See [/methodology/ai-coder-mode](https://cipherwake.io/methodology/ai-coder-mode). |
+| `npx pqcheck init` | Interactive scaffold for `.github/workflows/cipherwake.yml`. Use when you want manual control instead of `onboard`'s all-in-one flow. |
+| `npx pqcheck release-checklist [domain]` | Pre-release trust checklist (markdown, offline). Paste into release notes. |
+| `npx pqcheck vendors export/check/sync <domain>` | Vendor lockfile (`cipherwake.vendors.json`) + CI gate that exits non-zero when a new third-party origin appears. Like `package-lock.json` for vendor scripts. |
+| **Committable artifacts (SBOM-style)** | |
+| `npx pqcheck lock <domain>` | Generate `cipherwake.lock` (QXM committable manifest) + human-readable `cipherwake-report.md`. SBOM-style artifact for quantum exposure — commit both, diff in PRs. |
+| `npx pqcheck diff <old.lock> <new.lock>` | Compare two QXM lockfiles; exit 2 on regression. For CI PR-comment diffs. |
+| `npx pqcheck deps <domain>` | Scan all third-party origins on the page (supply-chain HNDL grading). `--lock` writes `cipherwake-deps.lock` + `.md`; `--allowlist`, `--baseline`, `--fail-on-new` for CI vendor gates. |
+| `npx pqcheck cert <file.pem>` | Analyze a local PEM/CRT cert file offline (no network). |
+| **Posture grade + tracking** | |
+| `npx pqcheck <domain>` | **Posture grade (no diff baseline).** Returns DBR score (0–10), letter grade (A–F), and a list of findings ranked by severity. Use when you want a one-shot health check without setting up a baseline — for first-time audits, ad-hoc spot checks, or grading a domain you don't own. For ongoing deploys, use `deploy-check` instead. |
+| `npx pqcheck history <domain>` | 90-day score history (sparkline + samples). `--days <N>` to change window. |
+| `npx pqcheck changes <domain>` | Summarize public attack-surface changes in last 14 days. |
+| `npx pqcheck watch <domain>` | Add domain to your watched list on the server (needs `CIPHERWAKE_API_KEY`). Distinct from the `--watch <secs>` flag, which is local polling. |
+| **Diagnostic** | |
+| **`npx pqcheck debug-network`** | **Connectivity diagnostic.** Probes cipherwake.io API, homepage, crt.sh upstream, and the direct Vercel URL (bypassing Cloudflare). Reports HTTP status + timing per hop. Use when "scan hung" / "command not found" / corporate proxy issues come up — surfaces the actual broken hop with an actionable cause list. |
 
 Free tier covers all of the above within 100 Trust Diff calls/month per repo via OIDC. **Founder Pro** ($19.99/mo, locked while subscription active) raises that to 5,000 calls/month + unlocks custom thresholds, vendor lockfile, CI fail rules, and 5 watched domains. Single-domain scans (`npx pqcheck <domain>`) are anonymous + rate-limited per IP — no account or key needed. `npx pqcheck deploy-check <domain> --ai` also works fully anonymously for first-deploy gating.
 
 ### AI Coder Mode in 30 seconds
 
 ```bash
-npx pqcheck cipherwake.io --ai
+npx pqcheck deploy-check cipherwake.io --ai
 ```
 
 Output:
 
 ```
-◆ Cipherwake · cipherwake.io ⚠ REVIEW · DBR 4.1 C · HIGH
+◆ Cipherwake · cipherwake.io ⚠ REVIEW · 1 change since last scan · HIGH
 
-Top finding:
-  [HIGH] ECDHE-only — quantum-vulnerable key exchange
+Surface changes:
+  + New third-party script: widget.intercom.io
+    Loaded from an origin not present in your last scan.
 
 Why it matters:
-  Forward-secret against classical attackers. Shor's algorithm decrypts
-  recorded handshakes once a CRQC exists.
+  New third-party scripts execute in full page context. A script that
+  appeared without an intentional code change = supply-chain risk vector
+  (Polyfill.io-class). Confirm it was added on purpose.
 
 Recommended next action:
-  Review finding above and decide if it was intentional.
+  Review the change above and decide if it was intentional.
   View full report: https://cipherwake.io/r/cipherwake.io
-  Re-scan with --fresh after fix: npx pqcheck cipherwake.io --fresh --ai
+  Re-scan after fix: npx pqcheck deploy-check cipherwake.io --ai
 
 CIPHERWAKE_AI_GUARD_RESULT
 status=review
 domain=cipherwake.io
 ship_decision=review
 max_severity=high
-top_issue=tls.ecdhe_only_quantum_vulnerable
+top_issue=vendor.new_third_party_script
 advisory_only=true
 END_CIPHERWAKE_AI_GUARD_RESULT
 ```
@@ -215,15 +245,7 @@ npx pqcheck vendors sync mycompany.com      # Founder Pro — pull dashboard all
 
 `pqcheck deps` also surfaces a one-line site-wide **CSP verdict** above the supply-chain table (`✗ No CSP enforcement` / `⚠ CSP is permissive` / `✓ Strict CSP enforced`) and friendly vendor labels (`New Relic · errors` / `Cloudflare · cdn` / `Adobe Fonts · fonts`) instead of raw hostnames. Same data shape ships on `/r/<domain>` and in the browser extension.
 
-### Developer habit-loop subcommands
-
-```bash
-npx pqcheck init                # interactive scaffold for .github/workflows/cipherwake.yml
-npx pqcheck deploy-check        # pre-deploy gate (Trust Diff alias, last-scan baseline)
-npx pqcheck release-checklist   # markdown trust checklist for release notes (offline)
-```
-
-The GitHub Action posts a **sticky PR comment** with results when `comment-on-pr: true` is set on `pull_request` events. Comment auto-edits on subsequent pushes — no spam.
+> **GitHub Action note:** when scaffolded via `pqcheck onboard` or `pqcheck init`, the Action posts a **sticky PR comment** with results when `comment-on-pr: true` is set on `pull_request` events. The comment auto-edits on subsequent pushes — no spam.
 
 ---
 
@@ -243,33 +265,9 @@ Plus a full ASM check suite for credibility:
 - **HTTP header security** — HSTS (with preload + max-age), CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP, CORP
 - **Subdomain takeover detection** — fingerprint-based scan against AWS S3, GitHub Pages, Heroku, Shopify, Fastly, etc.
 
-## Commands
+## Flags, formats & exit codes
 
-```
-npx pqcheck <domain>                          Scan + print human-readable report
-npx pqcheck lock <domain>                     Generate cipherwake.lock (QXM) committable manifest
-npx pqcheck deps <domain>                     Scan all third-party origins on the page (supply-chain HNDL)
-npx pqcheck diff <old.lock> <new.lock>        Compare two QXM lockfiles; exit 2 on regression
-npx pqcheck history <domain>                  Show 90-day score history (sparkline + samples)
-npx pqcheck changes <domain>                  Summarize public attack-surface changes in last 14 days
-npx pqcheck cert <file.pem>                   Analyze a local PEM/CRT cert file (offline, no network)
-npx pqcheck trust-diff <domain>               Trust Diff vs configured baseline; CI gate (Free: 100/repo/mo)
-npx pqcheck preview-diff --preview U --production U  Preview-URL vs production-URL diff; new scripts + header regressions + score drops (NEW in 0.14.0)
-npx pqcheck deploy-check <domain>             Pre-deploy gate (Trust Diff alias with last-scan baseline)
-npx pqcheck onboard <domain>                  One-command setup wizard (scan + init + vendors + checklist)
-npx pqcheck init                              Interactive scaffold for .github/workflows/cipherwake.yml
-npx pqcheck release-checklist [domain]        Pre-release trust checklist (markdown, offline)
-npx pqcheck vendors export <domain>           Write cipherwake.vendors.json from observed third-party scripts
-npx pqcheck vendors check <domain>            CI gate; exit 4 on new origins not in lockfile
-npx pqcheck vendors sync <domain>             Pull dashboard allowlist into lockfile (Founder Pro, needs API key)
-npx pqcheck watch <domain>                    Add domain to your watched list (needs CIPHERWAKE_API_KEY)
-npx pqcheck guard --domain <D> -- <cmd>       AI Coder Mode (0.15.0) — wrap any deploy command with a Trust Diff gate
-npx pqcheck deploy-check <D> --ai             AI Coder Mode (0.15.0) — frictionless first-deploy, anonymous, emits CIPHERWAKE_AI_GUARD_RESULT block
-npx pqcheck setup --auto --domain <D>         AI Coder Mode (0.15.0) — one-command install across CLAUDE.md/.cursorrules/.github + git pre-push hook + statusline
-npx pqcheck setup --plan --domain <D>         AI Coder Mode (0.15.0) — dry-run: print every file change before --auto writes anything
-npx pqcheck protocol install --auto           AI Coder Mode (0.15.0) — append AI Coder Protocol to detected rules files (idempotent, fenced markers)
-npx pqcheck debug-network                     Probe upstream connectivity (cipherwake.io / crt.sh / Vercel) — for "scan hung" diagnosis
-```
+Every CLI command is documented in [Commands at a glance](#commands-at-a-glance) above. What follows is reference material for usage patterns, flags, output formats, and exit codes shared across commands.
 
 ### Multi-domain
 

package/bin/cipherwake-statusline.js

@@ -109,6 +109,10 @@ const {
   domain, score, grade, ship_decision, written_at, max_severity, unreachable,
   // v0.16.4 — preview-diff-specific fields for the 4-line render
   kind, delta_count, diff_no_change, sector_ranking, verified_signal_categories, last_changed,
+  // v0.16.11 — top finding ID so REVIEW/BLOCK lines say WHAT'S WRONG
+  // inline. Without this, the customer sees "⚠ REVIEW" with no cause and
+  // has to run a separate `pqcheck deploy-check --ai` to find out why.
+  top_issue,
 } = state;
 const age = ageHours(written_at);
 
@@ -179,6 +183,41 @@ if (!isUnreachable && stabilitySource) {
   else stabilitySegment = ` · stable ${days}d`;
 }
 
+// v0.16.11 — terse human label for the top_issue finding ID. Only rendered
+// when ship_decision is review or block (the cases where the customer needs
+// to know WHY without running another command). Mapping covers the
+// finding IDs from lib/findingRegistry.ts that drive verdicts; for unknown
+// IDs, derive a fallback by taking the last dotted segment and replacing
+// underscores with spaces. "as few words as possible" — typical render is
+// 2-4 words; never more than ~30 chars.
+const TOP_ISSUE_LABELS = {
+  "chain.weakest_link.intermediate": "weak intermediate cert",
+  "chain.weakest_link.root":         "weak root cert",
+  "tls.ecdhe_only_quantum_vulnerable": "quantum-vulnerable kex",
+  "tls.pqc_test_inconclusive_scanner_limit": "PQC test inconclusive",
+  "tls.rsa_kex_only":                "RSA kex only",
+  "tls.rsa_kex_fallback":            "RSA fallback",
+  "tls.rsa_kex_accepted_legacy":     "RSA kex accepted",
+  "tls.version_obsolete":            "obsolete TLS",
+  "tls.domain_unreachable":          "unreachable",
+  "email.spf.missing":               "no SPF",
+  "email.dmarc.missing":             "no DMARC",
+  "email.dkim.missing":              "no DKIM",
+};
+function topIssueLabel(id) {
+  if (!id || id === "none") return null;
+  if (TOP_ISSUE_LABELS[id]) return TOP_ISSUE_LABELS[id];
+  // Fallback: last dotted segment, underscores → spaces, cap 30 chars.
+  const tail = String(id).split(".").pop() || id;
+  return tail.replace(/_/g, " ").slice(0, 30);
+}
+const issueSegment = (!isUnreachable && (ship_decision === "review" || ship_decision === "block"))
+  ? (() => {
+      const label = topIssueLabel(top_issue);
+      return label ? ` · ${label}` : "";
+    })()
+  : "";
+
 process.stdout.write(
   c(cdec, "◆") +
     " " +
@@ -188,6 +227,6 @@ process.stdout.write(
     " " +
     c(C.bold, displayDomain) +
     " " +
-    c(cdec, `${symbol} ${labelWord}`) +
+    c(cdec, `${symbol} ${labelWord}${issueSegment}`) +
     c(C.dim, `${dbrSegment}${stabilitySegment} · ${formatAge(written_at)}`)
 );

package/bin/pqcheck.js

@@ -24,7 +24,7 @@
 })();
 
 const API_BASE = process.env.PQCHECK_API_BASE || "https://cipherwake.io";
-const VERSION = "0.16.9";
+const VERSION = "0.16.11";
 
 // API-key support — paid tiers (Starter $29 / Growth $79 / Scale $199) get
 // per-account monthly quotas instead of the per-IP rate limit. Set via:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.16.9",
+  "version": "0.16.12",
   "description": "Deploy gate for AI-coded web apps. `pqcheck deploy-check --ai` returns ship_decision=pass|review|block for Claude Code / Cursor / Copilot / Aider to gate deploys before they ship. Anonymous, no signup, free for first use.",
   "keywords": [
     "ai-coder",