npm - ai-saas-guard - Versions diffs - 0.23.0 → 0.24.0 - Mend

ai-saas-guard 0.23.0 → 0.24.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md +8 -3
package/README.zh-CN.md +8 -3
package/docs/github-action.md +1 -1
package/docs/npm-publishing.md +3 -3
package/docs/project-handoff.md +6 -2
package/docs/repository-trust-hardening.md +77 -0
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -73,9 +73,10 @@ The CLI is published on npm as `ai-saas-guard`, and the GitHub Action is availab
 | JSON and SARIF output | Available |
 | Composite GitHub Action | Available |
 | Project config | `.ai-saas-guard.json` rule toggles, severity overrides, and fail thresholds |
-| Versioned Action tags | `v0.23.0`, `v0` |
-| npm package | `ai-saas-guard@0.23.0` |
+| Versioned Action tags | `v0.24.0`, `v0` |
+| npm package | `ai-saas-guard@0.24.0` |
 | npm publishing | Trusted Publisher/OIDC, no long-lived publish token |
+| Repository trust hardening | Branch protection, Dependabot, CodeQL, private vulnerability reporting, secret scanning, and push protection |
 | Runtime hardening | Per-file and total text scan caps, escaped markdown evidence, stricter hosted deployment blockers |
 | Hosted production adapters | GitHub App JWT signing, installation-token request planning, bounded worker execution, and terminal-state cleanup planning |
 | Hosted app skeleton | Node/container HTTP ingress, health route, worker tick, in-memory provider adapters, and deployment plan validation |
@@ -201,6 +202,10 @@ If `--base` cannot be resolved, `pr-risk` emits `pr-risk.diff-unavailable` inste
 Use [docs/launch-readiness-checklist.md](docs/launch-readiness-checklist.md) when an app is close to inviting real users. It explains how to combine `ai-saas-guard` output with manual two-account authorization testing, Stripe webhook verification, MCP config review, Supabase policy review, deploy checks, rollback planning, and a clear reminder that this is not a full security audit.
+## Repository Trust Hardening
+See [docs/repository-trust-hardening.md](docs/repository-trust-hardening.md) for the public repository controls behind this release line: branch protection, required CI checks, Dependabot for npm and GitHub Actions, CodeQL SAST, private vulnerability reporting, secret scanning, and push protection.
 ## Stripe Webhook Replay
 Use [docs/stripe-webhook-replay.md](docs/stripe-webhook-replay.md) after `check-stripe` flags missing signature verification, idempotency, lifecycle handlers, or entitlement updates. The cookbook maps findings to concrete `stripe listen` and `stripe trigger` commands for checkout success, failed renewal, subscription update, cancellation, refund, duplicate delivery, and out-of-order event review.
@@ -271,7 +276,7 @@ Use `suppressions` for narrower false-positive handling when one rule is noisy o
 ## GitHub Action
-The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.23.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
+The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.24.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
 ```yaml
 name: ai-saas-guard

package/README.zh-CN.md CHANGED Viewed

@@ -55,7 +55,7 @@ AI 能很快把一个 SaaS 从想法做成可运行的产品。真正难的是
 这个仓库是公开 GitHub 仓库。
-CLI 已发布到 npm：`ai-saas-guard@0.23.0`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.23.0`。
+CLI 已发布到 npm：`ai-saas-guard@0.24.0`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.24.0`。
 | 模块 | 状态 |
 | --- | --- |
@@ -66,9 +66,10 @@ CLI 已发布到 npm：`ai-saas-guard@0.23.0`。GitHub Action 支持 `v0` 浮动
 | Markdown PR summary | 已可用 |
 | GitHub Action | 已可用 |
 | 项目配置 | `.ai-saas-guard.json` 支持规则开关、severity 覆盖和 fail threshold |
-| 当前版本 | `0.23.0` |
-| Action 标签 | `v0.23.0`、`v0` |
+| 当前版本 | `0.24.0` |
+| Action 标签 | `v0.24.0`、`v0` |
 | npm 发布 | GitHub Actions Trusted Publisher/OIDC，无需长期 npm token |
+| 仓库可信度加固 | branch protection、Dependabot、CodeQL、private vulnerability reporting、secret scanning 和 push protection |
 | 运行时加固 | 单文件和总扫描文本预算、markdown evidence 转义、更严格的 hosted deployment 阻断 |
 | Hosted production adapters | GitHub App JWT 签名、installation-token 请求规划、有边界的 worker 执行和终态 cleanup 规划 |
 | Hosted app skeleton | Node/container HTTP ingress、health route、worker tick、in-memory provider adapters 和 deployment plan 校验 |
@@ -134,6 +135,10 @@ node dist/cli.js scan --root /path/to/your-saas
 完整规则请看 [docs/rules.md](docs/rules.md)。
+## 仓库可信度加固
+公开仓库的维护和发布控制见 [docs/repository-trust-hardening.md](docs/repository-trust-hardening.md)。当前已经配置 branch protection、required CI checks、Dependabot npm/GitHub Actions 更新、CodeQL SAST、private vulnerability reporting、secret scanning 和 push protection。
 ## PR 风险分流
 `scan` 可以扫整个仓库，但这个项目更锋利的入口是 PR review。

package/docs/github-action.md CHANGED Viewed

@@ -2,7 +2,7 @@
 `ai-saas-guard` ships as a composite GitHub Action for pull request and code scanning workflows.
-Use `zr9959/ai-saas-guard@v0` for the latest compatible pre-1.0 Action. Use a specific tag such as `v0.23.0` or a reviewed commit SHA when reproducibility is more important than automatic minor updates.
+Use `zr9959/ai-saas-guard@v0` for the latest compatible pre-1.0 Action. Use a specific tag such as `v0.24.0` or a reviewed commit SHA when reproducibility is more important than automatic minor updates.
 ## PR Summary

package/docs/npm-publishing.md CHANGED Viewed

@@ -5,10 +5,10 @@
 ## Current State
 - Package name: `ai-saas-guard`
-- Current version: `0.23.0`
+- Current version: `0.24.0`
 - npm registry state: published at <https://www.npmjs.com/package/ai-saas-guard>
 - First npm-published version: `0.1.1`
-- GitHub Release: `v0.23.0`
+- GitHub Release: `v0.24.0`
 - Publish workflow: `.github/workflows/npm-publish.yml`
 - Trusted Publisher: GitHub Actions, `zr9959/ai-saas-guard`, workflow `npm-publish.yml`, allowed action `npm publish`
 - Long-lived npm publish token: not required
@@ -17,7 +17,7 @@
 Use GitHub Actions with npm Trusted Publisher/OIDC:
-1. Create and review a release tag such as `v0.23.0`.
+1. Create and review a release tag such as `v0.24.0`.
 2. Publish from the GitHub Release or run the `Publish npm` workflow manually with `ref` set to that tag.
 3. Keep `permissions.id-token: write` in the workflow so npm can exchange the GitHub Actions OIDC identity for a short-lived publish credential.
 4. Run `npm publish --access public` from the workflow. Trusted publishing automatically generates provenance for this public package from this public repository.

package/docs/project-handoff.md CHANGED Viewed

@@ -69,6 +69,7 @@ Implemented surfaces:
 - hosted GitHub App contract helpers and tests for webhook intake order, webhook verification, installation token scoping, durable scan queue idempotency, compact reports, retention limits, uninstall cleanup, repeated cleanup idempotency, scoped deletion planning, operational release gate blocking, provider-independent service runtime orchestration, GitHub App deployment planning, hosted production adapter planning, Node/container app skeleton planning, hosted staging deployment planning, and local staging harness replay
 - GitHub issue templates for bug reports, false positives, false negatives, rule requests, and public-safe security reports
 - CODEOWNERS for source, tests, docs, workflows, Action, and package metadata
+- repository trust hardening with `main` branch protection, required CI status checks, Dependabot for npm and GitHub Actions, CodeQL, private vulnerability reporting, secret scanning, and push protection
 - JSON output
 - SARIF output
 - composite GitHub Action wrapper
@@ -132,12 +133,15 @@ CI:
 - Workflow: `.github/workflows/ci.yml`
 - Runs on pull requests and pushes to `main`
 - Uses `permissions: contents: read`
-- Latest verified run for the hosted Check Run publication release succeeded
+- Static workflow checks: `actionlint` and `zizmor`
+- Code scanning workflow: `.github/workflows/codeql.yml`
+- Dependabot config: `.github/dependabot.yml` with weekly schedules, bounded PR volume, and cooldown windows
+- Latest verified run for the repository trust hardening release must succeed before publishing
 Publishing:
 - npm package: `ai-saas-guard`
-- Current release line: `v0.23.0`
+- Current release line: `v0.24.0`
 - Publish workflow: `.github/workflows/npm-publish.yml`
 - Trusted Publisher: GitHub Actions for `zr9959/ai-saas-guard`, workflow `npm-publish.yml`
 - Long-lived npm publish tokens should not be required.

package/docs/repository-trust-hardening.md ADDED Viewed

@@ -0,0 +1,77 @@
+# Repository Trust Hardening
+This document records the public repository controls used to keep `ai-saas-guard` releases reviewable and safer to consume.
+These controls do not prove the project is secure. They reduce supply-chain and maintenance risk around the public CLI, GitHub Action, npm package, and future hosted service work.
+## Branch Protection
+The `main` branch uses branch protection with:
+- required status checks before merge
+- strict status check freshness
+- required pull request review for non-admin merges
+- linear history
+- force pushes disabled
+- branch deletion disabled
+Required status checks:
+- `test`
+- `actionlint`
+- `zizmor`
+Maintainer admin bypass is not enforced so emergency release repair remains possible, but normal contribution flow should use pull requests and CI.
+## Dependency Updates
+Dependabot is configured in `.github/dependabot.yml`.
+It covers:
+- npm dependencies
+- GitHub Actions
+The schedule is weekly with cooldown windows and a small open pull request limit. This keeps update noise low while still surfacing security and maintenance updates.
+Dependabot security updates and vulnerability alerts are enabled in repository settings.
+## CodeQL
+CodeQL is configured in `.github/workflows/codeql.yml`.
+The workflow:
+- runs on pull requests
+- runs on pushes to `main`
+- runs on a weekly schedule
+- analyzes JavaScript and TypeScript
+- uses `build-mode: none`
+- uses least-privilege permissions: repository contents read, Actions metadata read, and security event upload
+- pins the CodeQL Action by commit SHA
+CodeQL is an additional SAST signal. It does not replace `ai-saas-guard`'s release gate, local tests, workflow checks, self-scan, dependency audit, package inspection, or human review.
+## Vulnerability Intake
+The repository has:
+- `SECURITY.md`
+- private vulnerability reporting enabled
+- secret scanning enabled
+- push protection enabled
+Public issues should not include real credentials, customer data, private source code, or production URLs.
+## Release Impact
+Every public release should keep these controls intact. If a release changes workflows, package metadata, Action behavior, or hosted service boundaries, the release notes should include fresh evidence for:
+- local tests
+- GitHub CI
+- `actionlint`
+- `zizmor`
+- self-scan JSON and SARIF
+- dependency audit
+- npm package inspection
+- packaged CLI smoke test

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "ai-saas-guard",
-  "version": "0.23.0",
+  "version": "0.24.0",
   "description": "Repo-local launch-readiness scanner for AI-built SaaS apps.",
   "type": "module",
   "homepage": "https://github.com/zr9959/ai-saas-guard#readme",