ai-saas-guard 0.28.0 → 0.28.1

package/README.md

@@ -5,7 +5,7 @@
 </p>
 
 <p align="center">
-  ai-saas-guard is a local-first launch gate for AI-built SaaS apps. It focuses on auth, billing, data access, secrets, MCP, and deploy decisions, plus CI and fake-success paths, so you know what to review before launch or merge. It runs locally, reads your repo only, and does not upload code.
+  ai-saas-guard is a local-first launch gate for AI-built Next.js, Supabase, Stripe, Vercel, and MCP SaaS apps. It focuses on auth, billing, data access, secrets, MCP, and deploy decisions, plus CI and fake-success paths, so you know what to review before launch or merge. It runs locally, reads your repo only, and does not upload code.
 </p>
 
 <p align="center">
@@ -41,6 +41,25 @@ AI can make a SaaS look finished while the real launch blockers sit in trust-bou
 
 `ai-saas-guard` gives you a short local review queue for those risks. It does not prove the app is secure, certify a release, or replace human review. It tells founders, solo builders, small teams, and reviewers what deserves attention first.
 
+## See The Output
+
+The report is designed to be read before launch or before merging an AI-heavy PR:
+
+```text
+Launch Gate: review before launch
+4 findings: 1 high, 3 medium
+
+HIGH stripe.webhook.missing-signature
+File: app/api/stripe/webhook/route.ts
+Why: billing access can be granted from a webhook path that does not verify Stripe signatures.
+Verify: replay a webhook with an invalid signature and confirm the route rejects it.
+Fix: read the raw body, call stripe.webhooks.constructEvent, and make event handling idempotent.
+
+MEDIUM supabase.rls.tenant-predicate-missing
+File: supabase/migrations/20260524_accounts.sql
+Verify: sign in as user A and user B; confirm neither can SELECT or UPDATE the other's rows.
+```
+
 ## What You Get
 
 One command returns a launch-readiness report with:
@@ -73,13 +92,13 @@ The CLI is published on npm as `ai-saas-guard`, and the GitHub Action is availab
 | Area | Status |
 | --- | --- |
 | Public GitHub repository | Available |
-| npm CLI | `ai-saas-guard@0.28.0` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.28.0` |
+| npm CLI | `ai-saas-guard@0.28.1` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.28.1` |
 | Outputs | Terminal, JSON, SARIF, and PR-focused markdown |
 | Project config | `.ai-saas-guard.json` rule toggles, severity overrides, suppressions, and fail thresholds |
 | Privacy model | Local-first, read-only scan commands, no LLM calls, no code upload |
-| Versioned Action tags | `v0.28.0`, `v0` |
-| Current release | `0.28.0` hosted read-only checkout worker export, hosted Check Run smoke evidence, and README sync |
+| Versioned Action tags | `v0.28.1`, `v0` |
+| Current release | `0.28.1` discoverability polish, clearer first-screen output example, npm metadata sync, and hosted worker release line preservation |
 | npm publishing | Trusted Publisher/OIDC, no long-lived publish token |
 | Repository trust hardening | Strict branch protection, Dependabot, CodeQL, fast-check fuzzing, signed release provenance assets, private vulnerability reporting, secret scanning, and push protection |
 | Cloudflare hosted ingress | Deployed at `https://ai-saas-guard-hosted.zr9959.workers.dev`; signed GitHub App webhook delivery and compact Check Run smoke now pass in staging |
@@ -296,7 +315,7 @@ Use `suppressions` for narrower false-positive handling when one rule is noisy o
 
 ## GitHub Action
 
-The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.28.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
+The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.28.1` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
 
 ```yaml
 name: ai-saas-guard

package/docs/README.zh-CN.md

@@ -5,7 +5,7 @@
 </p>
 
 <p align="center">
-  ai-saas-guard 是面向 AI 构建的 SaaS 的本地优先上线 gate。它会优先指出 auth、billing、data access、secrets、MCP、deploy、CI 和“假成功”路径里最值得人工 review 的改动，让你在上线前知道该先看哪里。它本地运行、只读仓库、不上传代码。
+  ai-saas-guard 是面向 AI 构建的 Next.js、Supabase、Stripe、Vercel 和 MCP SaaS 的本地优先上线 gate。它会优先指出 auth、billing、data access、secrets、MCP、deploy、CI 和“假成功”路径里最值得人工 review 的改动，让你在上线前知道该先看哪里。它本地运行、只读仓库、不上传代码。
 </p>
 
 <p align="center">
@@ -40,6 +40,25 @@ AI 能很快把一个 SaaS 做到“看起来能用”。真正危险的是上
 
 `ai-saas-guard` 是面向这个时刻的本地优先、review-first 上线预检工具。它不会证明你的应用绝对安全，也不是渗透测试、认证或完整安全审计。它的目标是给 founder、独立开发者、小团队和 reviewer 一份短而有证据的清单，告诉你上线或合并 PR 前最该先看哪里。
 
+## 输出长什么样
+
+报告是给上线前或合并 AI 大 PR 前快速阅读的：
+
+```text
+Launch Gate: review before launch
+4 findings: 1 high, 3 medium
+
+HIGH stripe.webhook.missing-signature
+File: app/api/stripe/webhook/route.ts
+Why: billing access can be granted from a webhook path that does not verify Stripe signatures.
+Verify: replay a webhook with an invalid signature and confirm the route rejects it.
+Fix: read the raw body, call stripe.webhooks.constructEvent, and make event handling idempotent.
+
+MEDIUM supabase.rls.tenant-predicate-missing
+File: supabase/migrations/20260524_accounts.sql
+Verify: sign in as user A and user B; confirm neither can SELECT or UPDATE the other's rows.
+```
+
 ## 你会得到什么
 
 一个命令会返回一份上线前 review 队列：
@@ -67,18 +86,18 @@ AI 能很快把一个 SaaS 做到“看起来能用”。真正危险的是上
 
 这个仓库是公开 GitHub 仓库。
 
-CLI 已发布到 npm：`ai-saas-guard@0.28.0`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.28.0`。
+CLI 已发布到 npm：`ai-saas-guard@0.28.1`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.28.1`。
 
 | 模块 | 状态 |
 | --- | --- |
 | 公开 GitHub 仓库 | 已可用 |
-| npm CLI | `ai-saas-guard@0.28.0` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.28.0` |
+| npm CLI | `ai-saas-guard@0.28.1` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.28.1` |
 | 输出格式 | Terminal、JSON、SARIF 和 PR markdown |
 | 项目配置 | `.ai-saas-guard.json` 支持规则开关、severity 覆盖、suppressions 和 fail threshold |
 | 隐私模型 | 本地优先、只读扫描、不调用 LLM、不上传代码 |
-| 当前版本 | `0.28.0` hosted read-only checkout worker export、hosted Check Run smoke evidence 和 README 同步 |
-| Action 标签 | `v0.28.0`、`v0` |
+| 当前版本 | `0.28.1` discoverability polish、首页输出示例、npm metadata 同步，并保留 hosted worker release line |
+| Action 标签 | `v0.28.1`、`v0` |
 | npm 发布 | GitHub Actions Trusted Publisher/OIDC，无需长期 npm token |
 | 仓库可信度加固 | 严格 branch protection、Dependabot、CodeQL、fast-check fuzzing、signed release provenance assets、private vulnerability reporting、secret scanning 和 push protection |
 | Cloudflare hosted ingress | 已部署到 `https://ai-saas-guard-hosted.zr9959.workers.dev`；签名 GitHub App webhook delivery 和 compact Check Run staging smoke 已通过 |

package/docs/github-action.md

@@ -2,7 +2,7 @@
 
 `ai-saas-guard` ships as a composite GitHub Action for pull request and code scanning workflows.
 
-Use `zr9959/ai-saas-guard@v0` for the latest compatible pre-1.0 Action. Use a specific tag such as `v0.28.0` or a reviewed commit SHA when reproducibility is more important than automatic minor updates.
+Use `zr9959/ai-saas-guard@v0` for the latest compatible pre-1.0 Action. Use a specific tag such as `v0.28.1` or a reviewed commit SHA when reproducibility is more important than automatic minor updates.
 
 ## PR Summary
 

package/docs/npm-publishing.md

@@ -5,11 +5,11 @@
 ## Current State
 
 - Package name: `ai-saas-guard`
-- Current published version: `0.28.0`
+- Current published version: `0.28.1`
 - Next source candidate: none
 - npm registry state: published at <https://www.npmjs.com/package/ai-saas-guard>
 - First npm-published version: `0.1.1`
-- GitHub Release: `v0.28.0`
+- GitHub Release: `v0.28.1`
 - Publish workflow: `.github/workflows/npm-publish.yml`
 - Trusted Publisher: GitHub Actions, `zr9959/ai-saas-guard`, workflow `npm-publish.yml`, allowed action `npm publish`
 - Long-lived npm publish token: not required
@@ -18,7 +18,7 @@
 
 Use GitHub Actions with npm Trusted Publisher/OIDC:
 
-1. Create and review a release tag such as `v0.28.0`.
+1. Create and review a release tag such as `v0.28.1`.
 2. Publish from the GitHub Release or run the `Publish npm` workflow manually with `ref` set to that tag.
 3. Keep `permissions.id-token: write` in the workflow so npm can exchange the GitHub Actions OIDC identity for a short-lived publish credential.
 4. Run `npm publish --access public` from the workflow. Trusted publishing automatically generates provenance for this public package from this public repository.

package/docs/project-handoff.md

@@ -161,7 +161,7 @@ OpenSSF Best Practices:
 Publishing:
 
 - npm package: `ai-saas-guard`
-- Current published release line: `v0.28.0` pending this branch release
+- Current published release line: `v0.28.1` pending this branch release
 - Next source candidate: none
 - Publish workflow: `.github/workflows/npm-publish.yml`
 - Trusted Publisher: GitHub Actions for `zr9959/ai-saas-guard`, workflow `npm-publish.yml`

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "ai-saas-guard",
-  "version": "0.28.0",
-  "description": "Repo-local launch-readiness scanner for AI-built SaaS apps.",
+  "version": "0.28.1",
+  "description": "Local-first CLI that catches launch blockers in AI-built Next.js/Supabase/Stripe SaaS apps.",
   "readmeFilename": "README.md",
   "type": "module",
   "homepage": "https://github.com/zr9959/ai-saas-guard#readme",
@@ -14,14 +14,25 @@
   },
   "keywords": [
     "ai",
+    "ai-code-review",
     "saas",
     "security",
     "launch",
     "preflight",
+    "launch-readiness",
+    "nextjs",
+    "vercel",
     "supabase",
+    "supabase-rls",
     "stripe",
+    "stripe-webhooks",
     "mcp",
+    "mcp-security",
     "github-action",
+    "github-actions",
+    "static-analysis",
+    "devsecops",
+    "local-first",
     "cli"
   ],
   "main": "./dist/index.js",