ai-saas-guard 0.26.2 → 0.27.0

package/README.md

@@ -45,6 +45,7 @@ AI can make a SaaS look finished while the real launch blockers sit in trust-bou
 
 One command returns a launch-readiness report with:
 
+- a plain launch-gate verdict at the top of terminal and Markdown output
 - risky files sorted before cosmetic files
 - rule ID, severity, and file evidence
 - why the finding matters for an AI-built SaaS launch
@@ -72,13 +73,13 @@ The CLI is published on npm as `ai-saas-guard`, and the GitHub Action is availab
 | Area | Status |
 | --- | --- |
 | Public GitHub repository | Available |
-| npm CLI | `ai-saas-guard@0.26.2` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.26.2` |
+| npm CLI | `ai-saas-guard@0.27.0` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.27.0` |
 | Outputs | Terminal, JSON, SARIF, and PR-focused markdown |
 | Project config | `.ai-saas-guard.json` rule toggles, severity overrides, suppressions, and fail thresholds |
 | Privacy model | Local-first, read-only scan commands, no LLM calls, no code upload |
-| Versioned Action tags | `v0.26.2`, `v0` |
-| Current release | `0.26.2` README positioning, TypeScript 6, and dependency policy cleanup |
+| Versioned Action tags | `v0.27.0`, `v0` |
+| Current release | `0.27.0` launch-gate report summary for CLI and hosted Check Runs |
 | npm publishing | Trusted Publisher/OIDC, no long-lived publish token |
 | Repository trust hardening | Strict branch protection, Dependabot, CodeQL, fast-check fuzzing, signed release provenance assets, private vulnerability reporting, secret scanning, and push protection |
 | Cloudflare hosted ingress | Deployed at `https://ai-saas-guard-hosted.zr9959.workers.dev`; Worker health and Check Run publisher configuration are live, but end-to-end GitHub App webhook delivery is still blocked pending private App settings verification |
@@ -293,7 +294,7 @@ Use `suppressions` for narrower false-positive handling when one rule is noisy o
 
 ## GitHub Action
 
-The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.26.2` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
+The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.27.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
 
 ```yaml
 name: ai-saas-guard

package/README.zh-CN.md

@@ -44,6 +44,7 @@ AI 能很快把一个 SaaS 做到“看起来能用”。真正危险的是上
 
 一个命令会返回一份上线前 review 队列：
 
+- terminal 和 Markdown 输出开头会先给出直观上线判断
 - 先看高风险文件，再看 UI 或普通重构
 - 每个 finding 都有 rule ID、severity 和文件证据
 - 说明它为什么会影响 AI 构建的 SaaS 上线
@@ -66,18 +67,18 @@ AI 能很快把一个 SaaS 做到“看起来能用”。真正危险的是上
 
 这个仓库是公开 GitHub 仓库。
 
-CLI 已发布到 npm：`ai-saas-guard@0.26.2`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.26.2`。
+CLI 已发布到 npm：`ai-saas-guard@0.27.0`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.27.0`。
 
 | 模块 | 状态 |
 | --- | --- |
 | 公开 GitHub 仓库 | 已可用 |
-| npm CLI | `ai-saas-guard@0.26.2` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.26.2` |
+| npm CLI | `ai-saas-guard@0.27.0` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.27.0` |
 | 输出格式 | Terminal、JSON、SARIF 和 PR markdown |
 | 项目配置 | `.ai-saas-guard.json` 支持规则开关、severity 覆盖、suppressions 和 fail threshold |
 | 隐私模型 | 本地优先、只读扫描、不调用 LLM、不上传代码 |
-| 当前版本 | `0.26.2` README 定位、TypeScript 6 和依赖策略清理 |
-| Action 标签 | `v0.26.2`、`v0` |
+| 当前版本 | `0.27.0` CLI 和 hosted Check Run 的 launch-gate report summary |
+| Action 标签 | `v0.27.0`、`v0` |
 | npm 发布 | GitHub Actions Trusted Publisher/OIDC，无需长期 npm token |
 | 仓库可信度加固 | 严格 branch protection、Dependabot、CodeQL、fast-check fuzzing、signed release provenance assets、private vulnerability reporting、secret scanning 和 push protection |
 | Cloudflare hosted ingress | 已部署到 `https://ai-saas-guard-hosted.zr9959.workers.dev`；Worker health 和 Check Run publisher 配置已在线，但端到端 GitHub App webhook delivery 仍需要验证私有 App 设置 |

package/dist/hosted/contracts.js

@@ -479,13 +479,14 @@ export function createHostedCheckRunSummary(input) {
     const totalFindings = getHostedReportFindingTotal(report);
     const localCliCommand = `npx ai-saas-guard@${report.scannerVersion} pr-risk --root .`;
     const conclusion = resolveCheckRunConclusion(report, input.failOnSeverity);
+    const launchGate = hostedLaunchGateVerdict(report);
     return {
         name: CHECK_RUN_NAME,
         conclusion,
         output: {
             title: formatCheckRunTitle(totalFindings, conclusion, input.failOnSeverity),
-            summary: "Review first: verify this launch-readiness signal before release; it is not a full security audit, pentest, or certification.",
-            text: truncateMarkdown(formatCheckRunMarkdown(report, conclusion, localCliCommand), input.maxMarkdownChars)
+            summary: `Launch gate: ${launchGate}. Review first: verify this signal before release; it is not a full security audit, pentest, or certification.`,
+            text: truncateMarkdown(formatCheckRunMarkdown(report, conclusion, localCliCommand, launchGate), input.maxMarkdownChars)
         },
         annotations: report.evidence.slice(0, MAX_CHECK_RUN_ANNOTATIONS).map((finding) => {
             const line = finding.line ?? 1;
@@ -1056,6 +1057,22 @@ function getHostedReportFindingTotal(report) {
     const explicitTotal = typeof report.summaryCounts.total === "number" ? report.summaryCounts.total : 0;
     return Math.max(countedBySeverity, explicitTotal, report.evidence.length);
 }
+function hostedLaunchGateVerdict(report) {
+    const summary = report.summaryCounts;
+    if ((summary.critical ?? 0) > 0) {
+        return "blocked";
+    }
+    if ((summary.high ?? 0) > 0) {
+        return "review required";
+    }
+    if ((summary.medium ?? 0) > 0) {
+        return "check before launch";
+    }
+    if ((summary.low ?? 0) > 0 || (summary.info ?? 0) > 0) {
+        return "low-noise review";
+    }
+    return "clear from current heuristics";
+}
 function formatCheckRunTitle(totalFindings, conclusion, failOnSeverity) {
     if (totalFindings === 0) {
         return "AI SaaS Guard found no launch-readiness findings";
@@ -1065,7 +1082,7 @@ function formatCheckRunTitle(totalFindings, conclusion, failOnSeverity) {
     }
     return `AI SaaS Guard found ${totalFindings} finding${totalFindings === 1 ? "" : "s"} to review`;
 }
-function formatCheckRunMarkdown(report, conclusion, localCliCommand) {
+function formatCheckRunMarkdown(report, conclusion, localCliCommand, launchGate) {
     const categories = getHostedCheckRunCategories(report);
     const filesToReview = getHostedCheckRunFiles(report);
     const findingLines = report.evidence.length === 0
@@ -1080,6 +1097,7 @@ function formatCheckRunMarkdown(report, conclusion, localCliCommand) {
         "",
         "Review first: verify findings locally before launch. This hosted check is not a full security audit, pentest, or certification.",
         "",
+        `Launch gate: ${launchGate}`,
         `Conclusion: ${conclusion}`,
         `Local CLI: \`${localCliCommand}\``,
         `Retention: compact report ${report.retentionDays} days; raw source, raw diffs, secrets, and customer payloads are not retained.`,

package/dist/report/launchGate.d.ts

@@ -0,0 +1,4 @@
+import type { BaseReport, Finding } from "../types.js";
+export declare function launchGateVerdict(report: BaseReport): string;
+export declare function reviewFirst(findings: Finding[], limit?: number): string[];
+export declare function manualProofSteps(findings: Finding[], limit?: number): string[];

package/dist/report/launchGate.js

@@ -0,0 +1,36 @@
+export function launchGateVerdict(report) {
+    if (report.summary.critical > 0) {
+        return "blocked: critical launch-readiness findings need review before inviting users";
+    }
+    if (report.summary.high > 0) {
+        return "review required: high-risk launch paths need manual verification before launch";
+    }
+    if (report.summary.medium > 0) {
+        return "check before launch: medium-risk findings should be verified by an owner";
+    }
+    if (report.summary.low > 0 || report.summary.info > 0) {
+        return "low-noise review: confirm these hints against the launch checklist";
+    }
+    return "clear from current heuristics: no findings from this command, not a certification";
+}
+export function reviewFirst(findings, limit = 3) {
+    return findings.slice(0, limit).map((finding) => {
+        const firstEvidence = finding.evidence[0];
+        const location = firstEvidence?.line ? `${firstEvidence.file}:${firstEvidence.line}` : firstEvidence?.file;
+        return `${finding.severity.toUpperCase()} ${finding.ruleId}${location ? ` at ${location}` : ""} - ${finding.title}`;
+    });
+}
+export function manualProofSteps(findings, limit = 3) {
+    const steps = [];
+    const seen = new Set();
+    for (const finding of findings) {
+        const step = finding.suggestedVerification.trim();
+        if (!step || seen.has(step))
+            continue;
+        seen.add(step);
+        steps.push(step);
+        if (steps.length >= limit)
+            break;
+    }
+    return steps;
+}

package/dist/report/markdown.js

@@ -1,3 +1,4 @@
+import { launchGateVerdict, manualProofSteps, reviewFirst } from "./launchGate.js";
 export function formatMarkdownReport(report) {
     if (report.command === "pr-risk")
         return `${formatPrRiskMarkdown(report)}\n`;
@@ -8,6 +9,7 @@ function formatPrRiskMarkdown(report) {
     lines.push("## ai-saas-guard PR risk summary");
     lines.push("");
     lines.push(summaryLine(report));
+    lines.push(`**Launch gate:** ${escapeMarkdownInline(launchGateVerdict(report))}`);
     if (report.categories.length > 0) {
         lines.push("");
         lines.push(`**Risk categories:** ${report.categories.map((category) => `\`${category}\``).join(", ")}`);
@@ -42,6 +44,8 @@ function formatGenericMarkdown(report) {
     lines.push(`## ai-saas-guard ${report.command}`);
     lines.push("");
     lines.push(summaryLine(report));
+    lines.push(`**Launch gate:** ${escapeMarkdownInline(launchGateVerdict(report))}`);
+    appendLaunchQueue(lines, report.findings);
     lines.push("");
     lines.push("### Findings");
     appendFindings(lines, report.findings);
@@ -56,6 +60,16 @@ function appendList(lines, items) {
         lines.push(`- ${item}`);
     }
 }
+function appendLaunchQueue(lines, findings) {
+    if (findings.length === 0)
+        return;
+    lines.push("");
+    lines.push("### Review First");
+    appendList(lines, reviewFirst(findings).map(escapeMarkdownInline));
+    lines.push("");
+    lines.push("### Manual Proof To Run Next");
+    appendList(lines, manualProofSteps(findings).map(escapeMarkdownInline));
+}
 function appendFindings(lines, findings) {
     if (findings.length === 0) {
         lines.push("");

package/dist/report/terminal.js

@@ -1,14 +1,26 @@
+import { launchGateVerdict, manualProofSteps, reviewFirst } from "./launchGate.js";
 export function formatTerminalReport(report) {
     const lines = [];
     lines.push(`ai-saas-guard ${report.command}`);
     lines.push(`Root: ${report.rootDir}`);
     lines.push(`Findings: ${report.summary.total} total | critical ${report.summary.critical} | high ${report.summary.high} | medium ${report.summary.medium} | low ${report.summary.low} | info ${report.summary.info}`);
+    lines.push(`Launch gate: ${launchGateVerdict(report)}`);
     if (report.findings.length === 0) {
         lines.push("");
         lines.push("No heuristic launch-readiness risks found by this command.");
         appendCommandExtras(lines, report);
         return lines.join("\n");
     }
+    lines.push("");
+    lines.push("Review first:");
+    for (const item of reviewFirst(report.findings)) {
+        lines.push(`- ${item}`);
+    }
+    lines.push("");
+    lines.push("Manual proof to run next:");
+    for (const step of manualProofSteps(report.findings)) {
+        lines.push(`- ${step}`);
+    }
     for (const [index, item] of report.findings.entries()) {
         lines.push("");
         lines.push(`${index + 1}. [${item.severity.toUpperCase()}] ${item.title}`);

package/docs/github-action.md

@@ -2,7 +2,7 @@
 
 `ai-saas-guard` ships as a composite GitHub Action for pull request and code scanning workflows.
 
-Use `zr9959/ai-saas-guard@v0` for the latest compatible pre-1.0 Action. Use a specific tag such as `v0.26.2` or a reviewed commit SHA when reproducibility is more important than automatic minor updates.
+Use `zr9959/ai-saas-guard@v0` for the latest compatible pre-1.0 Action. Use a specific tag such as `v0.27.0` or a reviewed commit SHA when reproducibility is more important than automatic minor updates.
 
 ## PR Summary
 

package/docs/npm-publishing.md

@@ -5,11 +5,11 @@
 ## Current State
 
 - Package name: `ai-saas-guard`
-- Current published version: `0.26.2`
+- Current published version: `0.27.0`
 - Next source candidate: none
 - npm registry state: published at <https://www.npmjs.com/package/ai-saas-guard>
 - First npm-published version: `0.1.1`
-- GitHub Release: `v0.26.2`
+- GitHub Release: `v0.27.0`
 - Publish workflow: `.github/workflows/npm-publish.yml`
 - Trusted Publisher: GitHub Actions, `zr9959/ai-saas-guard`, workflow `npm-publish.yml`, allowed action `npm publish`
 - Long-lived npm publish token: not required
@@ -18,7 +18,7 @@
 
 Use GitHub Actions with npm Trusted Publisher/OIDC:
 
-1. Create and review a release tag such as `v0.26.2`.
+1. Create and review a release tag such as `v0.27.0`.
 2. Publish from the GitHub Release or run the `Publish npm` workflow manually with `ref` set to that tag.
 3. Keep `permissions.id-token: write` in the workflow so npm can exchange the GitHub Actions OIDC identity for a short-lived publish credential.
 4. Run `npm publish --access public` from the workflow. Trusted publishing automatically generates provenance for this public package from this public repository.

package/docs/project-handoff.md

@@ -160,7 +160,7 @@ OpenSSF Best Practices:
 Publishing:
 
 - npm package: `ai-saas-guard`
-- Current published release line: `v0.26.2`
+- Current published release line: `v0.27.0`
 - Next source candidate: none
 - Publish workflow: `.github/workflows/npm-publish.yml`
 - Trusted Publisher: GitHub Actions for `zr9959/ai-saas-guard`, workflow `npm-publish.yml`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-saas-guard",
-  "version": "0.26.2",
+  "version": "0.27.0",
   "description": "Repo-local launch-readiness scanner for AI-built SaaS apps.",
   "type": "module",
   "homepage": "https://github.com/zr9959/ai-saas-guard#readme",