ai-saas-guard 0.1.1 → 0.1.2

package/README.md CHANGED
@@ -10,6 +10,7 @@
10
10
 
11
11
  <p align="center">
12
12
  <a href="https://github.com/zr9959/ai-saas-guard/actions/workflows/ci.yml"><img alt="CI" src="https://github.com/zr9959/ai-saas-guard/actions/workflows/ci.yml/badge.svg"></a>
13
+ <a href="https://www.npmjs.com/package/ai-saas-guard"><img alt="npm" src="https://img.shields.io/npm/v/ai-saas-guard.svg"></a>
13
14
  <a href="LICENSE"><img alt="License: MIT" src="https://img.shields.io/badge/license-MIT-blue.svg"></a>
14
15
  <a href="package.json"><img alt="Node.js >=20" src="https://img.shields.io/badge/node-%3E%3D20-339933.svg"></a>
15
16
  <a href="docs/release-quality-knowledge-base.md"><img alt="Release gate documented" src="https://img.shields.io/badge/release%20gate-documented-0f766e.svg"></a>
@@ -40,18 +41,44 @@ It is intentionally evidence-first. Findings include a rule ID, severity, file e
40
41
 
41
42
  This repository is public on GitHub.
42
43
 
43
- The first GitHub release and Action tag are `v0.1.0`; the npm-ready patch release is `v0.1.1`. The npm package is not published yet, so run the CLI from source for now. If you need stricter supply-chain pinning in CI, pin the GitHub Action to a reviewed commit SHA instead of a mutable tag.
44
+ The CLI is published on npm as `ai-saas-guard`, and the GitHub Action is available through versioned release tags. If you need stricter supply-chain pinning in CI, pin the GitHub Action to a reviewed commit SHA instead of a mutable tag.
44
45
 
45
46
  | Area | Status |
46
47
  | --- | --- |
47
48
  | Public GitHub repository | Available |
48
- | Local CLI from source | Available |
49
+ | npm CLI | Published as `ai-saas-guard` |
50
+ | Local CLI from source | Available for development |
49
51
  | JSON and SARIF output | Available |
50
52
  | Composite GitHub Action | Available |
51
- | Versioned Action tags | `v0.1.1` |
52
- | npm package | Not published yet |
53
+ | Versioned Action tags | `v0.1.2` |
54
+ | npm package | `ai-saas-guard@0.1.2` |
53
55
 
54
- ## Quick Start From Source
56
+ ## Quick Start
57
+
58
+ Run the published CLI without installing it globally:
59
+
60
+ ```bash
61
+ npx ai-saas-guard@latest scan --root /path/to/your-saas
62
+ ```
63
+
64
+ Run focused checks:
65
+
66
+ ```bash
67
+ npx ai-saas-guard@latest pr-risk --root /path/to/your-saas --base origin/main
68
+ npx ai-saas-guard@latest check-supabase --root /path/to/your-saas
69
+ npx ai-saas-guard@latest check-stripe --root /path/to/your-saas
70
+ npx ai-saas-guard@latest check-mcp --root /path/to/your-saas
71
+ ```
72
+
73
+ Machine-readable output:
74
+
75
+ ```bash
76
+ npx ai-saas-guard@latest scan --root /path/to/your-saas --json
77
+ npx ai-saas-guard@latest scan --root /path/to/your-saas --sarif > ai-saas-guard.sarif
78
+ npx ai-saas-guard@latest scan --root /path/to/your-saas --fail-on high
79
+ ```
80
+
81
+ For local development:
55
82
 
56
83
  ```bash
57
84
  git clone https://github.com/zr9959/ai-saas-guard.git
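Review bot: every Quick Start command in this hunk (lines 61, 67-70, 76-78) runs `npx ai-saas-guard@latest`, which resolves a mutable dist-tag at execution time, while the paragraph at line 44 tells CI users to pin the Action to a reviewed commit SHA; the same reasoning applies to the npm path, especially for the "Machine-readable output" block that is the one most likely to be copied into CI. Suggest pinning the exact version in those examples, e.g. `npx ai-saas-guard@0.1.2 scan --root /path/to/your-saas --fail-on high`, and either keeping `@latest` only for the first interactive run or saying explicitly that `@latest` is meant for local exploration, not pipelines.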
@@ -70,14 +97,6 @@ node dist/cli.js check-stripe --root /path/to/your-saas
70
97
  node dist/cli.js check-mcp --root /path/to/your-saas
71
98
  ```
72
99
 
73
- Machine-readable output:
74
-
75
- ```bash
76
- node dist/cli.js scan --root /path/to/your-saas --json
77
- node dist/cli.js scan --root /path/to/your-saas --sarif > ai-saas-guard.sarif
78
- node dist/cli.js scan --root /path/to/your-saas --fail-on high
79
- ```
80
-
81
100
  ## Example Finding
82
101
 
83
102
  Terminal output is designed to be useful to a reviewer, not just a scanner dashboard.
@@ -162,7 +181,7 @@ jobs:
162
181
  - uses: actions/checkout@v6.0.2
163
182
  with:
164
183
  fetch-depth: 0
165
- - uses: zr9959/ai-saas-guard@v0.1.1
184
+ - uses: zr9959/ai-saas-guard@v0.1.2
166
185
  with:
167
186
  command: pr-risk
168
187
  root: ${{ github.workspace }}
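Review bot: the workflow example at line 184 still pins `zr9959/ai-saas-guard` to the mutable tag `v0.1.2`, even though line 44 and the sentence after the SARIF example in this same README recommend a commit SHA; since this is the snippet most users will paste, suggest showing the SHA form as the primary line with the tag in a trailing comment, e.g. `- uses: zr9959/ai-saas-guard@<commit-sha> # v0.1.2` (placeholder, to be filled from the release), which also matches how `actions/checkout@v6.0.2` at line 181 would be hardened.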
@@ -173,7 +192,7 @@ jobs:
173
192
  For SARIF upload:
174
193
 
175
194
  ```yaml
176
- - uses: zr9959/ai-saas-guard@v0.1.1
195
+ - uses: zr9959/ai-saas-guard@v0.1.2
177
196
  with:
178
197
  command: scan
179
198
  format: sarif
@@ -183,7 +202,7 @@ For SARIF upload:
183
202
  sarif_file: ai-saas-guard.sarif
184
203
  ```
185
204
 
186
- For maximum reproducibility, replace `v0.1.1` with the full commit SHA from the release notes.
205
+ For maximum reproducibility, replace `v0.1.2` with the full commit SHA from the release notes.
187
206
 
188
207
  ## Ignore File
189
208
 
@@ -282,4 +301,4 @@ Please read [SECURITY.md](SECURITY.md) before reporting vulnerabilities. Do not
282
301
 
283
302
  ## npm Publishing
284
303
 
285
- The package name is prepared but not published yet. See [docs/npm-publishing.md](docs/npm-publishing.md) for the GitHub Actions provenance workflow and the required `NPM_TOKEN` or trusted-publisher setup.
304
+ The package is published as [`ai-saas-guard`](https://www.npmjs.com/package/ai-saas-guard). See [docs/npm-publishing.md](docs/npm-publishing.md) for the GitHub Actions provenance workflow, the first-publish token history, and the trusted-publisher follow-up.
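Review bot: the new sentence at line 304 mentions "the first-publish token history, and the trusted-publisher follow-up" without saying which mechanism releases currently use, so a reader may assume OIDC-based trusted publishing is already active; the `docs/npm-publishing.md` hunk in this same diff still lists trusted-publisher configuration as a pending step. Suggest one clause here stating the current publishing mechanism (token-based with provenance, trusted publishing pending) so the README does not overstate the supply-chain posture.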
@@ -1,31 +1,31 @@
1
1
  # npm Publishing
2
2
 
3
- `ai-saas-guard` is prepared for npm publication, but the package is not published yet.
3
+ `ai-saas-guard` is published on npm and should be released only from reviewed GitHub tags.
4
4
 
5
5
  ## Current State
6
6
 
7
7
  - Package name: `ai-saas-guard`
8
- - Current version: `0.1.1`
9
- - npm registry state: not published at the time of this document update
10
- - GitHub Release: `v0.1.0`
8
+ - Current version: `0.1.2`
9
+ - npm registry state: published at <https://www.npmjs.com/package/ai-saas-guard>
10
+ - First npm-published version: `0.1.1`
11
+ - GitHub Release: `v0.1.2`
11
12
  - Publish workflow: `.github/workflows/npm-publish.yml`
12
13
 
13
14
  ## Preferred Path
14
15
 
15
16
  Use GitHub Actions with npm provenance:
16
17
 
17
- 1. Create an npm automation token with publish rights for this package.
18
- 2. Add it to this GitHub repository as `NPM_TOKEN`.
19
- 3. Run the `Publish npm` workflow manually with `ref` set to `v0.1.1`.
20
- 4. After the first publish succeeds, configure npm Trusted Publisher for future releases:
18
+ 1. Create and review a release tag such as `v0.1.2`.
19
+ 2. Run the `Publish npm` workflow manually with `ref` set to that tag.
20
+ 3. Configure npm Trusted Publisher for future releases:
21
21
  - Provider: GitHub Actions
22
22
  - Organization or user: `zr9959`
23
23
  - Repository: `ai-saas-guard`
24
24
  - Workflow filename: `npm-publish.yml`
25
25
  - Allowed action: `npm publish`
26
- 5. Once trusted publishing is verified, remove or rotate any long-lived npm publish token.
26
+ 4. Once trusted publishing is verified, remove or rotate any long-lived npm publish token.
27
27
 
28
- The workflow sets `id-token: write` and runs `npm publish --provenance --access public`, so token-based first publish can include provenance and future trusted-publisher publishes can use OIDC.
28
+ The first npm publish used a temporary granular access token because npm requires a 2FA-bypass token until trusted publishing is configured. The workflow sets `id-token: write`, uses Node 24, and runs `npm publish --provenance --access public`, so it is ready for npm Trusted Publisher OIDC publishing.
29
29
 
30
30
  ## Release Gate
31
31
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "ai-saas-guard",
3
- "version": "0.1.1",
3
+ "version": "0.1.2",
4
4
  "description": "Repo-local launch-readiness scanner for AI-built SaaS apps.",
5
5
  "type": "module",
6
6
  "homepage": "https://github.com/zr9959/ai-saas-guard#readme",