ai-saas-guard 0.18.0 → 0.19.0

package/README.md

@@ -73,9 +73,10 @@ The CLI is published on npm as `ai-saas-guard`, and the GitHub Action is availab
 | JSON and SARIF output | Available |
 | Composite GitHub Action | Available |
 | Project config | `.ai-saas-guard.json` rule toggles, severity overrides, and fail thresholds |
-| Versioned Action tags | `v0.18.0`, `v0` |
-| npm package | `ai-saas-guard@0.18.0` |
+| Versioned Action tags | `v0.19.0`, `v0` |
+| npm package | `ai-saas-guard@0.19.0` |
 | npm publishing | Trusted Publisher/OIDC, no long-lived publish token |
+| Runtime hardening | Per-file and total text scan caps, escaped markdown evidence, stricter hosted deployment blockers |
 
 ## Quick Start
 
@@ -210,7 +211,7 @@ The hosted deployment model is documented in [docs/hosted-deployment-model.md](d
 
 The hosted service runtime is documented in [docs/hosted-service-runtime.md](docs/hosted-service-runtime.md). It exports `createHostedServiceRuntime` from `ai-saas-guard/hosted/service` and implements the provider-independent service core for signed webhook intake, idempotent queue upsert, read-only worker orchestration, compact report storage, Check Run publication adapters, and worker cleanup planning. It does not deploy a public hosted environment by itself.
 
-The hosted GitHub App deployment planner is documented in [docs/github-app-deployment.md](docs/github-app-deployment.md). It exports `planHostedGitHubAppDeployment` from `ai-saas-guard/hosted/github-app`, generates the least-privilege manifest for the first hosted slice, and blocks creation when the release gate, HTTPS URLs, container digest, secret references, permissions, or events are incomplete or unsafe.
+The hosted GitHub App deployment planner is documented in [docs/github-app-deployment.md](docs/github-app-deployment.md). It exports `planHostedGitHubAppDeployment` from `ai-saas-guard/hosted/github-app`, generates the least-privilege manifest for the first hosted slice, and blocks creation when the release gate, public HTTPS URLs, container digest, secret references, raw secret inputs, permissions, or events are incomplete or unsafe.
 
 The hosted operational release gate is documented in [docs/hosted-operational-release-gate.md](docs/hosted-operational-release-gate.md). It defines the hosted-specific CI, replay, queue, worker cleanup, privacy, monitoring, rollback, and incident-response evidence required before any hosted environment is exposed to users. The pure gate evaluator exported from `ai-saas-guard/hosted/contracts` blocks hosted exposure unless every P0 evidence item is fresh, a container digest is recorded, and release notes avoid pentest, certification, and full-audit claims.
 
@@ -258,7 +259,7 @@ Use `suppressions` for narrower false-positive handling when one rule is noisy o
 
 ## GitHub Action
 
-The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.18.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
+The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.19.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
 
 ```yaml
 name: ai-saas-guard
@@ -337,6 +338,7 @@ Use this sparingly. The goal is not to hide launch blockers; it is to keep repor
 - Does not upload code.
 - Requires no account or login.
 - Does not modify scanned repositories.
+- Limits scanned text by per-file and total scan budgets to reduce worst-case memory use.
 - Redacts matched secret-like evidence.
 
 ## What This Is Not

package/README.zh-CN.md

@@ -55,7 +55,7 @@ AI 能很快把一个 SaaS 从想法做成可运行的产品。真正难的是
 
 这个仓库是公开 GitHub 仓库。
 
-CLI 已发布到 npm：`ai-saas-guard@0.18.0`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.18.0`。
+CLI 已发布到 npm：`ai-saas-guard@0.19.0`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.19.0`。
 
 | 模块 | 状态 |
 | --- | --- |
@@ -66,9 +66,10 @@ CLI 已发布到 npm：`ai-saas-guard@0.18.0`。GitHub Action 支持 `v0` 浮动
 | Markdown PR summary | 已可用 |
 | GitHub Action | 已可用 |
 | 项目配置 | `.ai-saas-guard.json` 支持规则开关、severity 覆盖和 fail threshold |
-| 当前版本 | `0.18.0` |
-| Action 标签 | `v0.18.0`、`v0` |
+| 当前版本 | `0.19.0` |
+| Action 标签 | `v0.19.0`、`v0` |
 | npm 发布 | GitHub Actions Trusted Publisher/OIDC，无需长期 npm token |
+| 运行时加固 | 单文件和总扫描文本预算、markdown evidence 转义、更严格的 hosted deployment 阻断 |
 
 ## 快速开始
 
@@ -234,6 +235,7 @@ jobs:
 - 不上传代码
 - 不需要账号或登录
 - 不修改被扫描仓库
+- 对单文件和总扫描文本设置预算，降低极端仓库带来的内存占用风险
 - 对类似 secret 的 evidence 做 redaction
 
 ## Hosted GitHub App 设计
@@ -258,7 +260,7 @@ jobs:
 - durable scan queue planner：同一个 trusted scan key 的 queued/running/completed job 会复用，不重复排 worker，也不会把源码、diff、secret 或 PR 正文放进队列 payload
 - worker read-only scan planner：只用 trusted identity 规划临时 worker checkout，要求 repository `contents: read`，固定运行 `ai-saas-guard pr-risk --json`，并忽略 PR 正文里的 repo 名、token scope 或命令
 - hosted service runtime：`ai-saas-guard/hosted/service` 导出 `createHostedServiceRuntime`，把签名 webhook intake、幂等 queue upsert、read-only worker 编排、compact report 存储、Check Run 发布 adapter 和 worker cleanup 串成可测试的服务核心；它本身不部署公开 hosted 环境
-- GitHub App deployment planner：`ai-saas-guard/hosted/github-app` 导出 `planHostedGitHubAppDeployment`，生成 first slice 最小权限 manifest，并在 release gate、HTTPS URL、container digest、secret 引用、permission 或 event 不安全时阻止创建
+- GitHub App deployment planner：`ai-saas-guard/hosted/github-app` 导出 `planHostedGitHubAppDeployment`，生成 first slice 最小权限 manifest，并在 release gate、公开 HTTPS URL、container digest、secret 引用、原始 secret 输入、permission 或 event 不安全时阻止创建
 - webhook event parser
 - check-run summary renderer
 - Check Run publication planner：要求 repository `checks: write`，只从 compact report 生成有长度上限的 Check Run payload，包含 review categories、优先 review 文件、verification steps 和本地 CLI 复现命令；MVP 不发 PR comment

package/dist/hosted/github-app.js

@@ -18,6 +18,7 @@ export function planHostedGitHubAppDeployment(input) {
         ...optionalUrlBlockedReasons("setup_url", input.setupUrl),
         ...optionalUrlBlockedReasons("callback_url", input.callbackUrl),
         ...secretRefBlockedReasons(input.secretRefs),
+        ...rawSecretInputBlockedReasons(input),
         ...permissionBlockedReasons(input.requestedPermissions),
         ...eventBlockedReasons(input.requestedEvents)
     ];
@@ -80,12 +81,52 @@ function optionalUrlBlockedReasons(name, value) {
 function isSafeHttpsUrl(value) {
     try {
         const url = new URL(value);
-        return url.protocol === "https:" && url.hostname !== "localhost" && url.hostname !== "127.0.0.1";
+        return url.protocol === "https:" && !isUnsafeHostedHostname(url.hostname);
     }
     catch {
         return false;
     }
 }
+function isUnsafeHostedHostname(hostname) {
+    const normalized = normalizeHostname(hostname);
+    return (normalized === "localhost" ||
+        normalized.endsWith(".localhost") ||
+        isUnsafeIpv4Hostname(normalized) ||
+        isUnsafeIpv6Hostname(normalized));
+}
+function normalizeHostname(hostname) {
+    const lower = hostname.toLowerCase().replace(/\.$/, "");
+    return lower.startsWith("[") && lower.endsWith("]") ? lower.slice(1, -1) : lower;
+}
+function isUnsafeIpv4Hostname(hostname) {
+    const parts = hostname.split(".");
+    if (parts.length !== 4) {
+        return false;
+    }
+    if (!parts.every((part) => /^\d+$/.test(part))) {
+        return false;
+    }
+    const octets = parts.map((part) => Number(part));
+    if (octets.some((octet) => !Number.isInteger(octet) || octet < 0 || octet > 255)) {
+        return false;
+    }
+    const [first, second] = octets;
+    return (first === 0 ||
+        first === 10 ||
+        first === 127 ||
+        (first === 169 && second === 254) ||
+        (first === 172 && second >= 16 && second <= 31) ||
+        (first === 192 && second === 168) ||
+        (first === 100 && second >= 64 && second <= 127) ||
+        first >= 224);
+}
+function isUnsafeIpv6Hostname(hostname) {
+    return (hostname === "::" ||
+        hostname === "::1" ||
+        hostname.startsWith("fc") ||
+        hostname.startsWith("fd") ||
+        hostname.startsWith("fe80:"));
+}
 function secretRefBlockedReasons(secretRefs) {
     const reasons = [];
     for (const key of ["appId", "privateKey", "webhookSecret"]) {
@@ -100,6 +141,16 @@ function secretRefBlockedReasons(secretRefs) {
     }
     return reasons;
 }
+function rawSecretInputBlockedReasons(input) {
+    const reasons = [];
+    for (const key of ["rawPrivateKey", "rawWebhookSecret"]) {
+        const value = input[key];
+        if (typeof value === "string" && value.trim()) {
+            reasons.push(`raw_secret_material:${key}`);
+        }
+    }
+    return reasons;
+}
 function looksLikeRawSecretMaterial(value) {
     return /-----BEGIN [A-Z ]*PRIVATE KEY-----|whsec_|gh[opurs]_|github_pat_/i.test(value);
 }

package/dist/report/markdown.js

@@ -63,12 +63,12 @@ function appendFindings(lines, findings) {
     }
     for (const [index, finding] of findings.entries()) {
         lines.push("");
-        lines.push(`${index + 1}. **[${finding.severity.toUpperCase()}] ${finding.title}**`);
+        lines.push(`${index + 1}. **[${finding.severity.toUpperCase()}] ${escapeMarkdownInline(finding.title)}**`);
         lines.push(`   - Rule: \`${finding.ruleId}\``);
         lines.push(`   - Evidence: ${formatEvidence(finding.evidence[0])}`);
-        lines.push(`   - Why: ${finding.why}`);
-        lines.push(`   - Verify: ${finding.suggestedVerification}`);
-        lines.push(`   - Fix direction: ${finding.suggestedFix}`);
+        lines.push(`   - Why: ${escapeMarkdownInline(finding.why)}`);
+        lines.push(`   - Verify: ${escapeMarkdownInline(finding.suggestedVerification)}`);
+        lines.push(`   - Fix direction: ${escapeMarkdownInline(finding.suggestedFix)}`);
     }
 }
 function formatEvidence(evidence) {
@@ -76,8 +76,14 @@ function formatEvidence(evidence) {
         return "`none`";
     const location = evidence.line ? `${evidence.file}:${evidence.line}` : evidence.file;
     const detail = evidence.snippet ?? evidence.match;
-    return detail ? `\`${location}\` - ${detail}` : `\`${location}\``;
+    const safeLocation = escapeMarkdownInline(location).replaceAll("`", "'");
+    return detail
+        ? `\`${safeLocation}\` - ${escapeMarkdownInline(detail)}`
+        : `\`${safeLocation}\``;
 }
 function escapeMarkdownTableCell(value) {
     return value.replaceAll("|", "\\|").replaceAll("\n", " ");
 }
+function escapeMarkdownInline(value) {
+    return value.replace(/\r?\n/g, " ").replaceAll("|", "\\|").trim();
+}

package/dist/utils/files.d.ts

@@ -3,7 +3,15 @@ export interface TextFile {
     absolutePath: string;
     content: string;
 }
-export declare function collectTextFiles(rootDir: string): Promise<TextFile[]>;
+export interface CollectTextFilesOptions {
+    maxFileBytes?: number;
+    maxFiles?: number;
+    maxTotalBytes?: number;
+}
+export declare const DEFAULT_MAX_TEXT_FILE_BYTES: number;
+export declare const DEFAULT_MAX_TEXT_FILES = 10000;
+export declare const DEFAULT_MAX_TOTAL_TEXT_BYTES: number;
+export declare function collectTextFiles(rootDir: string, options?: CollectTextFilesOptions): Promise<TextFile[]>;
 export declare function lineNumberForIndex(content: string, index: number): number;
 export declare function lineAt(content: string, lineNumber: number): string;
 export declare function toPosix(path: string): string;

package/dist/utils/files.js

@@ -1,5 +1,8 @@
 import { readdir, readFile, stat } from "node:fs/promises";
 import { join, relative } from "node:path";
+export const DEFAULT_MAX_TEXT_FILE_BYTES = 1024 * 1024;
+export const DEFAULT_MAX_TEXT_FILES = 10_000;
+export const DEFAULT_MAX_TOTAL_TEXT_BYTES = 50 * 1024 * 1024;
 const ignoredDirectories = new Set([
     ".git",
     ".next",
@@ -11,13 +14,21 @@ const ignoredDirectories = new Set([
     "out"
 ]);
 const textFilePattern = /(^|\/)(\.env[^/]*|\.mcp\.json|mcp\.json|claude_desktop_config\.json)$|\.(cjs|cts|js|jsx|json|mjs|mts|prisma|sql|toml|ts|tsx|yaml|yml|env|md|txt)$/i;
-export async function collectTextFiles(rootDir) {
+export async function collectTextFiles(rootDir, options = {}) {
     const files = [];
     const ignores = await loadIgnoreRules(rootDir);
-    await walk(rootDir, rootDir, files, ignores);
+    const budget = {
+        maxFileBytes: positiveIntegerOrDefault(options.maxFileBytes, DEFAULT_MAX_TEXT_FILE_BYTES),
+        maxFiles: positiveIntegerOrDefault(options.maxFiles, DEFAULT_MAX_TEXT_FILES),
+        maxTotalBytes: positiveIntegerOrDefault(options.maxTotalBytes, DEFAULT_MAX_TOTAL_TEXT_BYTES),
+        collectedBytes: 0
+    };
+    await walk(rootDir, rootDir, files, ignores, budget);
     return files;
 }
-async function walk(rootDir, currentDir, files, ignores) {
+async function walk(rootDir, currentDir, files, ignores, budget) {
+    if (files.length >= budget.maxFiles || budget.collectedBytes >= budget.maxTotalBytes)
+        return;
     let entries;
     try {
         entries = await readdir(currentDir, { withFileTypes: true });
@@ -26,6 +37,8 @@ async function walk(rootDir, currentDir, files, ignores) {
         return;
     }
     for (const entry of entries) {
+        if (files.length >= budget.maxFiles || budget.collectedBytes >= budget.maxTotalBytes)
+            break;
         if (entry.name === ".DS_Store" || entry.name.startsWith("._"))
             continue;
         const absolutePath = join(currentDir, entry.name);
@@ -35,13 +48,15 @@ async function walk(rootDir, currentDir, files, ignores) {
         if (entry.isDirectory()) {
             if (ignoredDirectories.has(entry.name))
                 continue;
-            await walk(rootDir, absolutePath, files, ignores);
+            await walk(rootDir, absolutePath, files, ignores, budget);
             continue;
         }
         if (!entry.isFile() || !textFilePattern.test(relativePath))
             continue;
         const fileStat = await stat(absolutePath);
-        if (fileStat.size > 1024 * 1024)
+        if (fileStat.size > budget.maxFileBytes)
+            continue;
+        if (budget.collectedBytes + fileStat.size > budget.maxTotalBytes)
             continue;
         try {
             files.push({
@@ -49,6 +64,7 @@ async function walk(rootDir, currentDir, files, ignores) {
                 absolutePath,
                 content: await readFile(absolutePath, "utf8")
             });
+            budget.collectedBytes += fileStat.size;
         }
         catch {
             continue;
@@ -114,3 +130,10 @@ function ignorePatternToRegex(pattern) {
 function escapeRegex(value) {
     return value.replace(/[|\\{}()[\]^$+?.]/g, "\\$&");
 }
+function positiveIntegerOrDefault(value, fallback) {
+    if (value === undefined) {
+        return fallback;
+    }
+    const normalized = Math.floor(value);
+    return Number.isFinite(normalized) && normalized > 0 ? normalized : fallback;
+}

package/docs/github-action.md

@@ -2,7 +2,7 @@
 
 `ai-saas-guard` ships as a composite GitHub Action for pull request and code scanning workflows.
 
-Use `zr9959/ai-saas-guard@v0` for the latest compatible pre-1.0 Action. Use a specific tag such as `v0.18.0` or a reviewed commit SHA when reproducibility is more important than automatic minor updates.
+Use `zr9959/ai-saas-guard@v0` for the latest compatible pre-1.0 Action. Use a specific tag such as `v0.19.0` or a reviewed commit SHA when reproducibility is more important than automatic minor updates.
 
 ## PR Summary
 

package/docs/github-app-deployment.md

@@ -46,9 +46,9 @@ The planner blocks GitHub App creation when:
 - the hosted release gate is blocked
 - the container image digest is missing or malformed
 - URLs are not HTTPS
-- localhost URLs are used
+- localhost, loopback, private, link-local, or multicast URLs are used
 - required secret references are missing
-- raw private keys or webhook secrets are passed instead of secret references
+- raw private keys or webhook secrets are passed instead of secret references, including explicit raw secret input fields
 - requested permissions exceed the first-slice permission contract
 - requested events exceed the first-slice event contract
 

package/docs/npm-publishing.md

@@ -5,10 +5,10 @@
 ## Current State
 
 - Package name: `ai-saas-guard`
-- Current version: `0.18.0`
+- Current version: `0.19.0`
 - npm registry state: published at <https://www.npmjs.com/package/ai-saas-guard>
 - First npm-published version: `0.1.1`
-- GitHub Release: `v0.18.0`
+- GitHub Release: `v0.19.0`
 - Publish workflow: `.github/workflows/npm-publish.yml`
 - Trusted Publisher: GitHub Actions, `zr9959/ai-saas-guard`, workflow `npm-publish.yml`, allowed action `npm publish`
 - Long-lived npm publish token: not required
@@ -17,7 +17,7 @@
 
 Use GitHub Actions with npm Trusted Publisher/OIDC:
 
-1. Create and review a release tag such as `v0.18.0`.
+1. Create and review a release tag such as `v0.19.0`.
 2. Publish from the GitHub Release or run the `Publish npm` workflow manually with `ref` set to that tag.
 3. Keep `permissions.id-token: write` in the workflow so npm can exchange the GitHub Actions OIDC identity for a short-lived publish credential.
 4. Run `npm publish --access public` from the workflow. Trusted publishing automatically generates provenance for this public package from this public repository.

package/docs/project-handoff.md

@@ -48,7 +48,7 @@ Implemented surfaces:
 - Next/Vercel deploy and runtime footguns
 - PR diff risk triage for auth, billing, RLS, env, tests removed, and large mixed diffs
 - PR diff diagnostics when a base ref or shallow checkout prevents comparison
-- PR-focused markdown summary output for GitHub step summaries or PR comments
+- PR-focused markdown summary output for GitHub step summaries or PR comments, with escaped single-line evidence in generic markdown reports
 - project-local `.ai-saas-guard.json` config for rule toggles, severity overrides, path-specific suppressions, and default fail thresholds
 - rule stability labels in catalog metadata, public rule docs, and SARIF rule properties
 - hosted GitHub App design note covering least-privilege permissions, webhook verification, privacy, data retention, prompt-injection handling, and implementation gates
@@ -58,7 +58,8 @@ Implemented surfaces:
 - hosted uninstall and data deletion document defining repository removal, full app uninstall, compact report deletion, queue cancellation, audit record retention, repeated cleanup idempotency, and user-facing deletion wording
 - hosted pricing and packaging document defining open-source CLI boundaries, free/public repo hosted behavior, private repo hosted behavior, PR comments, saved reports, team policy, optional Launch Review, and no pentest/certification/full-audit claims
 - hosted service runtime document and provider-independent runtime core for signed webhook intake, idempotent queue upsert, read-only worker orchestration, compact report storage, Check Run publication adapters, and worker cleanup planning
-- hosted GitHub App deployment planner document and least-privilege manifest planner for required permissions, events, HTTPS URLs, container digest, secret references, and release-gate checks
+- hosted GitHub App deployment planner document and least-privilege manifest planner for required permissions, events, public HTTPS URLs, container digest, secret references, raw secret input blockers, and release-gate checks
+- resource caps for repository text collection, including per-file, total-file, and total-byte scan budgets to reduce worst-case memory use
 - hosted pre-implementation contracts document, hosted compact report fixture, and pure helpers for pull request webhook intake planning, durable scan queue upsert planning, worker read-only scan planning, Check Run publication planning, queue-safe pull request event parsing from trusted GitHub event fields, bounded check-run summary rendering, idempotent queue cleanup planning, worker checkout cleanup planning, retention/deletion cleanup planning, and operational release gate evaluation
 - implementation-ready hosted GitHub App permission contract for required permissions, optional PR comment permissions, selected repository installation, and out-of-scope broad permissions
 - hosted GitHub App contract helpers and tests for webhook intake order, webhook verification, installation token scoping, durable scan queue idempotency, compact reports, retention limits, uninstall cleanup, repeated cleanup idempotency, scoped deletion planning, operational release gate blocking, provider-independent service runtime orchestration, and GitHub App deployment planning
@@ -132,7 +133,7 @@ CI:
 Publishing:
 
 - npm package: `ai-saas-guard`
-- Current release line: `v0.18.0`
+- Current release line: `v0.19.0`
 - Publish workflow: `.github/workflows/npm-publish.yml`
 - Trusted Publisher: GitHub Actions for `zr9959/ai-saas-guard`, workflow `npm-publish.yml`
 - Long-lived npm publish tokens should not be required.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-saas-guard",
-  "version": "0.18.0",
+  "version": "0.19.0",
   "description": "Repo-local launch-readiness scanner for AI-built SaaS apps.",
   "type": "module",
   "homepage": "https://github.com/zr9959/ai-saas-guard#readme",