ai-saas-guard 0.28.0 → 0.29.0

package/README.md

@@ -5,7 +5,7 @@
 </p>
 
 <p align="center">
-  ai-saas-guard is a local-first launch gate for AI-built SaaS apps. It focuses on auth, billing, data access, secrets, MCP, and deploy decisions, plus CI and fake-success paths, so you know what to review before launch or merge. It runs locally, reads your repo only, and does not upload code.
+  ai-saas-guard is a local-first launch gate for AI-built Next.js, Supabase, Stripe, Vercel, and MCP SaaS apps. It focuses on auth, billing, data access, secrets, MCP, and deploy decisions, plus CI and fake-success paths, so you know what to review before launch or merge. It runs locally, reads your repo only, and does not upload code.
 </p>
 
 <p align="center">
@@ -33,6 +33,7 @@ AI can make a SaaS look finished while the real launch blockers sit in trust-bou
 
 - one customer can see or change another customer's data
 - Stripe grants access from an unsigned, duplicated, missing, or failed webhook path
+- Clerk or Prisma code trusts user-writable metadata or an unscoped tenant query
 - provider errors get swallowed and the app returns fake success or demo data
 - a secret leaks through env config or `NEXT_PUBLIC_*`
 - an MCP tool, GitHub workflow, or deploy job has more power than the launch needs
@@ -41,6 +42,25 @@ AI can make a SaaS look finished while the real launch blockers sit in trust-bou
 
 `ai-saas-guard` gives you a short local review queue for those risks. It does not prove the app is secure, certify a release, or replace human review. It tells founders, solo builders, small teams, and reviewers what deserves attention first.
 
+## See The Output
+
+The report is designed to be read before launch or before merging an AI-heavy PR. A longer copy-paste example is in [docs/sample-launch-report.md](docs/sample-launch-report.md).
+
+```text
+Launch Gate: review before launch
+4 findings: 1 high, 3 medium
+
+HIGH stripe.webhook.missing-signature
+File: app/api/stripe/webhook/route.ts
+Why: billing access can be granted from a webhook path that does not verify Stripe signatures.
+Verify: replay a webhook with an invalid signature and confirm the route rejects it.
+Fix: read the raw body, call stripe.webhooks.constructEvent, and make event handling idempotent.
+
+MEDIUM supabase.rls.tenant-predicate-missing
+File: supabase/migrations/20260524_accounts.sql
+Verify: sign in as user A and user B; confirm neither can SELECT or UPDATE the other's rows.
+```
+
 ## What You Get
 
 One command returns a launch-readiness report with:
@@ -58,9 +78,10 @@ One command returns a launch-readiness report with:
 | Launch question | What ai-saas-guard checks |
 | --- | --- |
 | Can users only access their own data? | Supabase RLS, tenant/owner predicates, storage policies, API ownership hints, two-account verification guidance |
+| Can auth metadata be trusted? | Clerk unsafe metadata used for roles, plans, tenant membership, or entitlements |
 | Will billing change access correctly? | Stripe webhook signature, raw body, idempotency, entitlement paths, failure/cancel/update/refund coverage |
 | Will broken integrations fail visibly? | Silent-success fallbacks, swallowed errors, hardcoded success responses, production mock/demo data, skipped or placeholder tests |
-| Will production behave like local? | Next/Vercel headers, env docs, public env inventory, image/request amplification hints, request ID logging |
+| Will production behave like local? | Next/Vercel headers, env docs, public env inventory, image/request amplification hints, request ID logging, Vercel cron guard hints |
 | Are tools and CI overpowered? | MCP side-effect classes, local policy/receipt templates, GitHub Actions permissions, concurrency, checkout depth, action pinning |
 | Can reviewers trust the PR? | `pr-risk` ranking for auth, billing, RLS, deploy, API, storage, tests, silent-success paths, missing spec context, and large AI diffs |
 
@@ -73,13 +94,13 @@ The CLI is published on npm as `ai-saas-guard`, and the GitHub Action is availab
 | Area | Status |
 | --- | --- |
 | Public GitHub repository | Available |
-| npm CLI | `ai-saas-guard@0.28.0` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.28.0` |
+| npm CLI | `ai-saas-guard@0.29.0` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.29.0` |
 | Outputs | Terminal, JSON, SARIF, and PR-focused markdown |
 | Project config | `.ai-saas-guard.json` rule toggles, severity overrides, suppressions, and fail thresholds |
 | Privacy model | Local-first, read-only scan commands, no LLM calls, no code upload |
-| Versioned Action tags | `v0.28.0`, `v0` |
-| Current release | `0.28.0` hosted read-only checkout worker export, hosted Check Run smoke evidence, and README sync |
+| Versioned Action tags | `v0.29.0`, `v0` |
+| Current release | `0.29.0` hosted Node checkout platform composition, Clerk unsafe metadata rule, Prisma tenant-scope rule, Vercel cron guard rule, sample launch report, and Marketplace wrapper decision |
 | npm publishing | Trusted Publisher/OIDC, no long-lived publish token |
 | Repository trust hardening | Strict branch protection, Dependabot, CodeQL, fast-check fuzzing, signed release provenance assets, private vulnerability reporting, secret scanning, and push protection |
 | Cloudflare hosted ingress | Deployed at `https://ai-saas-guard-hosted.zr9959.workers.dev`; signed GitHub App webhook delivery and compact Check Run smoke now pass in staging |
@@ -158,9 +179,9 @@ Evidence:
 | Stripe | Missing webhook route, unsigned webhook handling, parsed-body signature risk, missing idempotency, missing failure/cancel/update/refund paths |
 | Supabase | RLS disabled on sensitive tables, broad `USING`/`WITH CHECK`, tenant membership patterns, weak write checks, storage object policy scope |
 | Silent success | Swallowed provider errors, hardcoded fallback success, production mock/demo data in sensitive paths, temporary trust-boundary bypasses, skipped or placeholder tests |
-| API routes | Auth checks without obvious ownership guards, missing rate-limit hints on sensitive mutation routes |
+| API routes | Auth checks without obvious ownership guards, Clerk unsafe metadata, Prisma tenant-scope gaps, missing rate-limit hints on sensitive mutation routes |
 | MCP | Plaintext secrets, non-localhost binds, broad filesystem/write access, shell tools, raw SQL tools, side-effect classification, local policy and receipt template |
-| Next/Vercel deploy | Static export/runtime mismatches, Edge runtime with Node-only APIs, missing security headers, undocumented server env, public env inventory, image/request amplification hints, missing request ID logging |
+| Next/Vercel deploy | Static export/runtime mismatches, Edge runtime with Node-only APIs, missing security headers, undocumented server env, public env inventory, image/request amplification hints, missing request ID logging, unguarded Vercel cron routes |
 | GitHub Actions | Broad workflow permissions, stale PR runs, docs-only full CI, missing fail-fast secret checks, shallow `pr-risk` checkout, unpinned Action refs |
 | PR risk | Auth, billing, RLS, env, deploy, API, storage, silent-success, test-removal, missing spec context, and large mixed-diff classification |
 
@@ -242,7 +263,7 @@ The hosted production adapter layer is documented in [docs/hosted-production-ada
 
 The hosted read-only checkout worker is exported from `ai-saas-guard/hosted/worker`. It creates a temporary checkout from trusted GitHub App identity, uses a runtime installation token only through git askpass, runs the fixed `ai-saas-guard pr-risk --json` command with bounded timeout/output, converts CLI JSON into compact findings, and deletes the checkout after success or failure. It does not return source, diffs, secrets, checkout paths, PR-authored commands, or installation tokens.
 
-The hosted Node/container app skeleton is documented in [docs/hosted-node-container-app.md](docs/hosted-node-container-app.md). It exports `createHostedHttpApp`, `createInMemoryHostedAppPlatform`, and `planHostedNodeContainerDeployment` from `ai-saas-guard/hosted/app`. It adds a safe `/healthz` route, signed `/github/webhook` ingress, one-job worker tick, in-memory provider adapters for tests, and deployment-plan validation for secret manager, queue, compact report store, worker sandbox, and GitHub Checks publisher references. It still does not deploy or expose a public hosted service by itself.
+The hosted Node/container app skeleton is documented in [docs/hosted-node-container-app.md](docs/hosted-node-container-app.md). It exports `createHostedHttpApp`, `createInMemoryHostedAppPlatform`, `createHostedNodeCheckoutAppPlatform`, and `planHostedNodeContainerDeployment` from `ai-saas-guard/hosted/app`. It adds a safe `/healthz` route, signed `/github/webhook` ingress, one-job worker tick, in-memory provider adapters for tests, a concrete read-only checkout worker composition with visible timeout/output safety budgets, and deployment-plan validation for secret manager, queue, compact report store, worker sandbox, and GitHub Checks publisher references. It still does not deploy or expose a public hosted service by itself.
 
 The hosted staging deployment planner is documented in [docs/hosted-staging-deployment.md](docs/hosted-staging-deployment.md). It exports `planHostedProviderBinding`, `planHostedStagingDeployment`, and `planHostedGitHubAppPromotion` from `ai-saas-guard/hosted/staging`. It composes real provider references, the Node/container deployment plan, hosted operational release-gate evidence, and GitHub App deployment planning so staging and production promotion stay blocked until the required queue, store, worker sandbox, Check Run publisher, logs, metrics, rollback, and incident-response references are present. It still does not call a cloud provider, create a GitHub App, or expose a public hosted service by itself.
 
@@ -296,7 +317,7 @@ Use `suppressions` for narrower false-positive handling when one rule is noisy o
 
 ## GitHub Action
 
-The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.28.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
+The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.29.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
 
 ```yaml
 name: ai-saas-guard
@@ -353,6 +374,8 @@ Use markdown for reviewer-facing PR triage and SARIF for GitHub code scanning al
 
 For maximum reproducibility, replace `v0` with the full commit SHA from the release notes.
 
+The GitHub Marketplace wrapper decision is documented in [docs/github-marketplace-wrapper-decision.md](docs/github-marketplace-wrapper-decision.md). The current decision is to keep this as one product repo and not create a separate listing wrapper yet.
+
 ## Ignore File
 
 Add `.ai-saas-guardignore` at the repository root to suppress generated fixtures, snapshots, vendored output, or known noisy paths:

package/dist/hosted/app.d.ts

@@ -1,4 +1,5 @@
 import { type HostedCheckRunPublisher, type HostedCheckRunRequest, type HostedCompactReportStore, type HostedCompactReportStoreRecord, type HostedServiceQueueAdapter, type HostedServiceRuntime, type HostedServiceRuntimeOptions, type HostedServiceScanRunner } from "./service.js";
+import { type HostedInstallationTokenProvider, type HostedReadOnlyCheckoutCommandRunner } from "./worker.js";
 export declare const HOSTED_NODE_CONTAINER_PLATFORM = "node_container";
 export declare const HOSTED_NODE_CONTAINER_ROLES: readonly ["webhook-ingress", "scan-worker"];
 type RepositoryIdSource = HostedServiceRuntimeOptions["selectedRepositoryIdsByInstallation"];
@@ -64,6 +65,22 @@ export interface InMemoryHostedAppPlatformOptions {
     scanRunner: HostedServiceScanRunner;
     now?: () => string;
 }
+export interface HostedNodeCheckoutAppPlatformOptions {
+    signingKey: string | Buffer;
+    scannerVersion: string;
+    selectedRepositoryIdsByInstallation: RepositoryIdSource;
+    removedRepositoryIdsByInstallation?: RepositoryIdSource;
+    checkoutRoot?: string;
+    githubCloneBaseUrl?: string;
+    gitCommand?: string;
+    cliCommand?: string;
+    fetchDepth?: number;
+    timeoutMs?: number;
+    maxOutputBytes?: number;
+    installationTokenProvider: HostedInstallationTokenProvider;
+    commandRunner?: HostedReadOnlyCheckoutCommandRunner;
+    now?: () => string;
+}
 export interface InMemoryHostedAppPlatform {
     app: HostedHttpApp;
     adapters: {
@@ -78,6 +95,25 @@ export interface InMemoryHostedAppPlatform {
     platform: typeof HOSTED_NODE_CONTAINER_PLATFORM;
     roles: typeof HOSTED_NODE_CONTAINER_ROLES;
 }
+export interface HostedNodeCheckoutAppPlatform extends InMemoryHostedAppPlatform {
+    checkoutWorker: "read_only_checkout";
+    workerSafety: HostedNodeCheckoutWorkerSafety;
+}
+export interface HostedNodeCheckoutWorkerSafety {
+    commandSource: "trusted_runtime_plan";
+    timeoutMs: number;
+    maxOutputBytes: number;
+    shell: "disabled";
+    cliNetworkAccess: "disabled";
+    writeMode: "read_only";
+    compactJsonOnly: true;
+    cleanupRequired: true;
+    returnsCheckoutPath: false;
+    persistsRawSource: false;
+    persistsRawDiffs: false;
+    persistsSecrets: false;
+    persistsCustomerPayloads: false;
+}
 export interface HostedNodeContainerDeploymentSecretRefs {
     githubAppId: string;
     githubAppPrivateKey: string;
@@ -140,5 +176,6 @@ export interface HostedNodeContainerDeploymentPlan {
 }
 export declare function createHostedHttpApp(options: HostedHttpAppOptions): HostedHttpApp;
 export declare function createInMemoryHostedAppPlatform(options: InMemoryHostedAppPlatformOptions): InMemoryHostedAppPlatform;
+export declare function createHostedNodeCheckoutAppPlatform(options: HostedNodeCheckoutAppPlatformOptions): HostedNodeCheckoutAppPlatform;
 export declare function planHostedNodeContainerDeployment(input: HostedNodeContainerDeploymentInput): HostedNodeContainerDeploymentPlan;
 export {};

package/dist/hosted/app.js

@@ -1,4 +1,6 @@
 import { createHostedServiceRuntime, createInMemoryHostedServiceAdapters } from "./service.js";
+import { createHostedReadOnlyCheckoutScanRunner } from "./worker.js";
+import { HOSTED_WORKER_DEFAULT_TIMEOUT_MS, HOSTED_WORKER_MAX_OUTPUT_BYTES, HOSTED_WORKER_MAX_TIMEOUT_MS } from "./production-adapters.js";
 export const HOSTED_NODE_CONTAINER_PLATFORM = "node_container";
 export const HOSTED_NODE_CONTAINER_ROLES = ["webhook-ingress", "scan-worker"];
 export function createHostedHttpApp(options) {
@@ -60,6 +62,39 @@ export function createInMemoryHostedAppPlatform(options) {
         roles: HOSTED_NODE_CONTAINER_ROLES
     };
 }
+export function createHostedNodeCheckoutAppPlatform(options) {
+    const adapters = createInMemoryHostedServiceAdapters();
+    const scanRunner = createHostedReadOnlyCheckoutScanRunner({
+        checkoutRoot: options.checkoutRoot,
+        githubCloneBaseUrl: options.githubCloneBaseUrl,
+        gitCommand: options.gitCommand,
+        cliCommand: options.cliCommand,
+        fetchDepth: options.fetchDepth,
+        timeoutMs: options.timeoutMs,
+        maxOutputBytes: options.maxOutputBytes,
+        installationTokenProvider: options.installationTokenProvider,
+        commandRunner: options.commandRunner
+    });
+    const runtime = createHostedServiceRuntime({
+        signingKey: options.signingKey,
+        scannerVersion: options.scannerVersion,
+        selectedRepositoryIdsByInstallation: options.selectedRepositoryIdsByInstallation,
+        removedRepositoryIdsByInstallation: options.removedRepositoryIdsByInstallation,
+        queue: adapters.queue,
+        compactReportStore: adapters.compactReportStore,
+        checkRunPublisher: adapters.checkRunPublisher,
+        scanRunner,
+        now: options.now
+    });
+    return {
+        app: createHostedHttpApp({ runtime }),
+        adapters,
+        platform: HOSTED_NODE_CONTAINER_PLATFORM,
+        roles: HOSTED_NODE_CONTAINER_ROLES,
+        checkoutWorker: "read_only_checkout",
+        workerSafety: hostedNodeCheckoutWorkerSafety(options)
+    };
+}
 export function planHostedNodeContainerDeployment(input) {
     const blockedReasons = [
         ...publicBaseUrlBlockedReasons(input.publicBaseUrl),
@@ -183,6 +218,29 @@ function appResponsePrivacy() {
         includesInstallationToken: false
     };
 }
+function hostedNodeCheckoutWorkerSafety(options) {
+    return {
+        commandSource: "trusted_runtime_plan",
+        timeoutMs: clampPositiveInteger(options.timeoutMs, HOSTED_WORKER_DEFAULT_TIMEOUT_MS, HOSTED_WORKER_MAX_TIMEOUT_MS),
+        maxOutputBytes: clampPositiveInteger(options.maxOutputBytes, HOSTED_WORKER_MAX_OUTPUT_BYTES, HOSTED_WORKER_MAX_OUTPUT_BYTES),
+        shell: "disabled",
+        cliNetworkAccess: "disabled",
+        writeMode: "read_only",
+        compactJsonOnly: true,
+        cleanupRequired: true,
+        returnsCheckoutPath: false,
+        persistsRawSource: false,
+        persistsRawDiffs: false,
+        persistsSecrets: false,
+        persistsCustomerPayloads: false
+    };
+}
+function clampPositiveInteger(value, fallback, maximum) {
+    if (value === undefined || !Number.isFinite(value)) {
+        return fallback;
+    }
+    return Math.min(maximum, Math.max(1, Math.floor(value)));
+}
 function headerValue(headers, name) {
     const lowerName = name.toLowerCase();
     for (const [key, value] of Object.entries(headers)) {

package/dist/rules/catalog.js

@@ -195,6 +195,20 @@ export const RULE_CATALOG = {
         why: "Login checks do not prove resource ownership checks.",
         stability: "experimental"
     },
+    "auth.clerk.unsafe-metadata": {
+        ruleId: "auth.clerk.unsafe-metadata",
+        severity: "high",
+        title: "Clerk unsafe metadata is used for privileged state",
+        why: "Clerk unsafe metadata is user-writable and should not drive roles, plans, tenant membership, or entitlements.",
+        stability: "default"
+    },
+    "data.prisma.tenant-scope-missing": {
+        ruleId: "data.prisma.tenant-scope-missing",
+        severity: "high",
+        title: "Prisma resource access lacks tenant or owner scope",
+        why: "Authenticated Prisma reads or mutations on tenant-like resources need tenant, owner, organization, or workspace predicates.",
+        stability: "experimental"
+    },
     "silent-success.swallowed-error": {
         ruleId: "silent-success.swallowed-error",
         severity: "high",
@@ -279,6 +293,13 @@ export const RULE_CATALOG = {
         why: "Billing, webhook, and tenant incidents are hard to debug without traceable request IDs.",
         stability: "experimental"
     },
+    "deploy.vercel.cron-missing-guard": {
+        ruleId: "deploy.vercel.cron-missing-guard",
+        severity: "medium",
+        title: "Vercel cron route lacks launch guards",
+        why: "Scheduled billing, tenant, or cleanup jobs need a secret guard, idempotency, and request tracing before launch.",
+        stability: "experimental"
+    },
     "deploy.edge-runtime-node-api": {
         ruleId: "deploy.edge-runtime-node-api",
         severity: "medium",

package/dist/scanners/apiRoutes.js

@@ -11,6 +11,8 @@ export async function scanApiRoutes(input) {
     for (const file of files) {
         const hasPostOrMutation = /\b(POST|PUT|PATCH|DELETE)\b|export\s+async\s+function\s+(POST|PUT|PATCH|DELETE)/.test(file.content);
         const isSensitive = sensitiveRoutePattern.test(file.path) || sensitiveRoutePattern.test(file.content);
+        findings.push(...scanClerkUnsafeMetadata(file.path, file.content));
+        findings.push(...scanPrismaTenantScope(file.path, file.content));
         if (isSensitive && hasPostOrMutation && !rateLimitPattern.test(file.content)) {
             findings.push(finding({
                 ruleId: "api.route.missing-rate-limit",
@@ -36,11 +38,95 @@ export async function scanApiRoutes(input) {
     }
     return uniqueFindings(findings);
 }
+function scanClerkUnsafeMetadata(filePath, content) {
+    if (!/\b(@clerk\/|clerkClient|currentUser|auth\s*\()/i.test(content))
+        return [];
+    const findings = [];
+    const privilegedUnsafeMetadataPattern = /unsafeMetadata\s*:\s*\{[\s\S]{0,700}\b(role|roles|admin|isAdmin|plan|tier|subscription|entitlement|credits|tenant|tenantId|organization|organizationId|orgId|workspace|permissions?)\b/gi;
+    for (const match of content.matchAll(privilegedUnsafeMetadataPattern)) {
+        const line = lineNumberForIndex(content, match.index ?? 0);
+        findings.push(finding({
+            ruleId: "auth.clerk.unsafe-metadata",
+            title: `Clerk unsafe metadata appears to store privileged launch state: ${filePath}`,
+            severity: "high",
+            evidence: [{ file: filePath, line, snippet: lineAt(content, line) }],
+            why: "Clerk unsafe metadata can be modified from the client side, so roles, paid plans, tenant membership, or entitlement state stored there can become authorization input by accident.",
+            suggestedVerification: "Try changing the same metadata as a normal signed-in user and confirm it cannot grant admin, paid plan, tenant, workspace, or entitlement access.",
+            suggestedFix: "Store authorization and billing state in server-controlled Clerk private/public metadata or your database, and use unsafe metadata only for non-privileged user preferences."
+        }));
+    }
+    return findings;
+}
+function scanPrismaTenantScope(filePath, content) {
+    if (!/\bprisma\.[A-Za-z0-9_]+\./.test(content) || !authPattern.test(content))
+        return [];
+    const findings = [];
+    const operationPattern = /\bprisma\.([A-Za-z0-9_]+)\.(findUnique|findFirst|update|delete|upsert|updateMany|deleteMany)\s*\(/gi;
+    for (const match of content.matchAll(operationPattern)) {
+        const model = match[1];
+        if (!isTenantLikePrismaSurface(filePath, content, model))
+            continue;
+        const start = content.indexOf("(", match.index ?? 0);
+        const end = findMatchingParen(content, start);
+        const operationText = content.slice(match.index ?? 0, end > start ? end + 1 : (match.index ?? 0) + 900);
+        if (hasTenantOrOwnerScope(operationText))
+            continue;
+        const line = lineNumberForIndex(content, match.index ?? 0);
+        findings.push(finding({
+            ruleId: "data.prisma.tenant-scope-missing",
+            title: `Prisma ${model} access lacks an obvious tenant or owner predicate: ${filePath}`,
+            severity: "high",
+            evidence: [{ file: filePath, line, snippet: lineAt(content, line) }],
+            why: "A route can authenticate the caller but still read or mutate another tenant's resource when Prisma queries only scope by a guessed resource ID.",
+            suggestedVerification: "Run a two-account or cross-tenant test: create this resource as Tenant/User A, then attempt the same read/update/delete with Tenant/User B.",
+            suggestedFix: "Add tenant, organization, workspace, owner, user, or membership predicates to the Prisma `where` clause and cover the cross-tenant denial in tests."
+        }));
+    }
+    return findings;
+}
 function isApiRoute(path) {
     return (/(^|\/)app\/api\/.+\/route\.(ts|js|tsx|jsx)$/i.test(path) ||
         /(^|\/)pages\/api\/.+\.(ts|js)$/i.test(path) ||
         /(^|\/)(routes|controllers)\/.+\.(ts|js)$/i.test(path));
 }
+function isTenantLikePrismaSurface(filePath, content, model) {
+    return /\[(?:tenant|org|organization|workspace|project|client|customer|team|account|invoice|subscription|id)[^\]]*\]/i.test(filePath) ||
+        /\b(tenant|organization|orgId|workspace|project|client|customer|team|account|invoice|subscription|membership)\b/i.test(`${model}\n${filePath}\n${content}`);
+}
+function hasTenantOrOwnerScope(operationText) {
+    return /\b(tenantId|tenant_id|orgId|organizationId|organization_id|workspaceId|workspace_id|ownerId|owner_id|userId|user_id|memberId|member_id|membershipId|membership_id)\s*:/i.test(operationText) ||
+        /\b(memberships?|organization|workspace|tenant)\s*:\s*\{/i.test(operationText);
+}
+function findMatchingParen(content, openParen) {
+    if (openParen < 0)
+        return -1;
+    let depth = 0;
+    let inSingle = false;
+    let inDouble = false;
+    let inTemplate = false;
+    for (let index = openParen; index < content.length; index += 1) {
+        const char = content[index];
+        const prev = content[index - 1];
+        if (prev === "\\")
+            continue;
+        if (char === "'" && !inDouble && !inTemplate)
+            inSingle = !inSingle;
+        if (char === "\"" && !inSingle && !inTemplate)
+            inDouble = !inDouble;
+        if (char === "`" && !inSingle && !inDouble)
+            inTemplate = !inTemplate;
+        if (inSingle || inDouble || inTemplate)
+            continue;
+        if (char === "(")
+            depth += 1;
+        if (char === ")") {
+            depth -= 1;
+            if (depth === 0)
+                return index;
+        }
+    }
+    return -1;
+}
 function firstLine(content, pattern) {
     const match = pattern.exec(content);
     pattern.lastIndex = 0;

package/dist/scanners/deploy.js

@@ -11,6 +11,7 @@ export async function scanDeployConfig(input) {
     const envReferences = [];
     const sensitiveRoutes = files.filter((file) => isSensitiveServerRoute(file.path, file.content));
     const nextConfig = files.find((file) => /(^|\/)next\.config\.(ts|js|mjs|cjs)$/.test(file.path));
+    const vercelCronPaths = collectVercelCronPaths(files);
     for (const file of files) {
         for (const match of file.content.matchAll(/process\.env\.([A-Z0-9_]+)/g)) {
             referencedEnv.add(match[1]);
@@ -96,6 +97,18 @@ export async function scanDeployConfig(input) {
                 suggestedFix: "Add structured logging with request ID or trace ID near the route entry point and around billing/tenant state changes."
             }));
         }
+        if (isVercelCronRoute(file.path, vercelCronPaths) && !hasVercelCronLaunchGuard(file.content)) {
+            const line = firstLine(file.content, /export\s+async\s+function\s+(GET|POST)|\b(GET|POST)\b/i) ?? 1;
+            findings.push(finding({
+                ruleId: "deploy.vercel.cron-missing-guard",
+                title: `Vercel cron route lacks secret, idempotency, or tracing guard: ${file.path}`,
+                severity: "medium",
+                evidence: [{ file: file.path, line, snippet: lineAt(file.content, line) }],
+                why: "Scheduled launch jobs often mutate billing, tenant, or cleanup state; without a secret guard, idempotency key, and request trace, retries or accidental calls can create hidden production drift.",
+                suggestedVerification: "Call the cron route without the expected cron secret and with a repeated request ID; confirm unauthorized calls fail and repeated runs do not duplicate state changes.",
+                suggestedFix: "Check a server-only cron secret, record an idempotency key or run lock, and log a request/trace ID before stateful cron work starts."
+            }));
+        }
     }
     if (sensitiveRoutes.length > 0 && !hasSecurityHeaders(files)) {
         const evidenceFile = nextConfig ?? sensitiveRoutes[0];
@@ -194,6 +207,48 @@ function isObservabilitySensitiveRoute(path, content) {
 function hasRequestLogging(content) {
     return /\b(requestId|request_id|traceId|trace_id|x-request-id|console\.(info|log|warn|error)|logger\.(info|warn|error))\b/i.test(content);
 }
+function collectVercelCronPaths(files) {
+    const paths = new Set();
+    for (const file of files) {
+        if (!/(^|\/)vercel\.json$/i.test(file.path))
+            continue;
+        for (const match of file.content.matchAll(/"path"\s*:\s*"([^"]+)"/g)) {
+            if (/\/api\/.+/i.test(match[1])) {
+                paths.add(normalizeRoutePath(match[1]));
+            }
+        }
+    }
+    return paths;
+}
+function isVercelCronRoute(path, cronPaths) {
+    const routePath = routePathForServerRoute(path);
+    return (Boolean(routePath && cronPaths.has(routePath)) ||
+        /(^|\/)(app\/api|pages\/api|api)\/cron(\/|\.|-)/i.test(path));
+}
+function routePathForServerRoute(path) {
+    const appRoute = path.match(/(?:^|\/)app\/api\/(.+)\/route\.[cm]?[jt]sx?$/i);
+    if (appRoute)
+        return normalizeRoutePath(`/api/${appRoute[1]}`);
+    const pagesRoute = path.match(/(?:^|\/)pages\/api\/(.+)\.[cm]?[jt]sx?$/i);
+    if (pagesRoute)
+        return normalizeRoutePath(`/api/${pagesRoute[1]}`);
+    const plainRoute = path.match(/(?:^|\/)api\/(.+)\.[cm]?[jt]sx?$/i);
+    if (plainRoute)
+        return normalizeRoutePath(`/api/${plainRoute[1]}`);
+    return undefined;
+}
+function normalizeRoutePath(path) {
+    return path
+        .replace(/\\/g, "/")
+        .replace(/\/+/g, "/")
+        .replace(/\/$/, "");
+}
+function hasVercelCronLaunchGuard(content) {
+    const hasSecretGuard = /\b(CRON_SECRET|AUTHORIZATION|authorization|Bearer|x-vercel-cron|x-vercel-signature)\b/i.test(content);
+    const hasIdempotency = /\b(idempotency|idempotent|cronRun|jobRun|runId|x-vercel-id|upsert|dedupe|lock)\b/i.test(content);
+    const hasRequestTrace = /\b(requestId|request_id|traceId|trace_id|x-vercel-id|logger\.(info|warn|error)|console\.(info|warn|error))\b/i.test(content);
+    return hasSecretGuard && hasIdempotency && hasRequestTrace;
+}
 function firstLine(content, pattern) {
     const match = pattern.exec(content);
     pattern.lastIndex = 0;

package/docs/README.zh-CN.md

@@ -5,7 +5,7 @@
 </p>
 
 <p align="center">
-  ai-saas-guard 是面向 AI 构建的 SaaS 的本地优先上线 gate。它会优先指出 auth、billing、data access、secrets、MCP、deploy、CI 和“假成功”路径里最值得人工 review 的改动，让你在上线前知道该先看哪里。它本地运行、只读仓库、不上传代码。
+  ai-saas-guard 是面向 AI 构建的 Next.js、Supabase、Stripe、Vercel 和 MCP SaaS 的本地优先上线 gate。它会优先指出 auth、billing、data access、secrets、MCP、deploy、CI 和“假成功”路径里最值得人工 review 的改动，让你在上线前知道该先看哪里。它本地运行、只读仓库、不上传代码。
 </p>
 
 <p align="center">
@@ -32,6 +32,7 @@ AI 能很快把一个 SaaS 做到“看起来能用”。真正危险的是上
 
 - 一个用户能看到或修改另一个客户的数据
 - Stripe webhook 因为未签名、重复、漏处理失败事件而错误开通权限
+- Clerk 或 Prisma 代码把用户可改 metadata、未按租户约束的查询当成可信权限依据
 - 真实服务失败后，AI 生成的代码仍然返回“成功”或 demo 数据
 - secret 被 env 配置或 `NEXT_PUBLIC_*` 暴露出去
 - MCP 工具、GitHub workflow 或 deploy job 拿到了过大的权限
@@ -40,6 +41,25 @@ AI 能很快把一个 SaaS 做到“看起来能用”。真正危险的是上
 
 `ai-saas-guard` 是面向这个时刻的本地优先、review-first 上线预检工具。它不会证明你的应用绝对安全，也不是渗透测试、认证或完整安全审计。它的目标是给 founder、独立开发者、小团队和 reviewer 一份短而有证据的清单，告诉你上线或合并 PR 前最该先看哪里。
 
+## 输出长什么样
+
+报告是给上线前或合并 AI 大 PR 前快速阅读的。更完整的可复制样例见 [docs/sample-launch-report.md](sample-launch-report.md)。
+
+```text
+Launch Gate: review before launch
+4 findings: 1 high, 3 medium
+
+HIGH stripe.webhook.missing-signature
+File: app/api/stripe/webhook/route.ts
+Why: billing access can be granted from a webhook path that does not verify Stripe signatures.
+Verify: replay a webhook with an invalid signature and confirm the route rejects it.
+Fix: read the raw body, call stripe.webhooks.constructEvent, and make event handling idempotent.
+
+MEDIUM supabase.rls.tenant-predicate-missing
+File: supabase/migrations/20260524_accounts.sql
+Verify: sign in as user A and user B; confirm neither can SELECT or UPDATE the other's rows.
+```
+
 ## 你会得到什么
 
 一个命令会返回一份上线前 review 队列：
@@ -57,9 +77,10 @@ AI 能很快把一个 SaaS 做到“看起来能用”。真正危险的是上
 | 上线问题 | ai-saas-guard 会检查什么 |
 | --- | --- |
 | 用户是否只能访问自己的数据？ | Supabase RLS、tenant/owner predicate、storage policy、API ownership 提示、双账号验证建议 |
+| auth metadata 是否可信？ | Clerk unsafe metadata 是否被用于 role、plan、tenant membership 或 entitlement |
 | 付费权限是否会正确开通和撤销？ | Stripe webhook 签名、raw body、幂等、entitlement 路径、失败/取消/更新/退款覆盖 |
 | 集成失败时会不会明显失败？ | silent-success fallback、吞错、hardcoded success、production mock/demo data、跳过或占位测试 |
-| 生产环境是否真的等于本地成功？ | Next/Vercel headers、env 文档、public env 盘点、image/request 放大风险、request ID logging |
+| 生产环境是否真的等于本地成功？ | Next/Vercel headers、env 文档、public env 盘点、image/request 放大风险、request ID logging、Vercel cron guard 提示 |
 | 工具和 CI 权限是不是过大？ | MCP side-effect 分类、本地 policy/receipt 模板、GitHub Actions 权限、concurrency、checkout depth、Action pinning |
 | reviewer 能不能看懂 AI PR？ | `pr-risk` 对 auth、billing、RLS、deploy、API、storage、测试、silent-success、缺 spec context 和大型 diff 排序 |
 
@@ -67,18 +88,18 @@ AI 能很快把一个 SaaS 做到“看起来能用”。真正危险的是上
 
 这个仓库是公开 GitHub 仓库。
 
-CLI 已发布到 npm：`ai-saas-guard@0.28.0`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.28.0`。
+CLI 已发布到 npm：`ai-saas-guard@0.29.0`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.29.0`。
 
 | 模块 | 状态 |
 | --- | --- |
 | 公开 GitHub 仓库 | 已可用 |
-| npm CLI | `ai-saas-guard@0.28.0` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.28.0` |
+| npm CLI | `ai-saas-guard@0.29.0` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.29.0` |
 | 输出格式 | Terminal、JSON、SARIF 和 PR markdown |
 | 项目配置 | `.ai-saas-guard.json` 支持规则开关、severity 覆盖、suppressions 和 fail threshold |
 | 隐私模型 | 本地优先、只读扫描、不调用 LLM、不上传代码 |
-| 当前版本 | `0.28.0` hosted read-only checkout worker export、hosted Check Run smoke evidence 和 README 同步 |
-| Action 标签 | `v0.28.0`、`v0` |
+| 当前版本 | `0.29.0` hosted Node checkout platform 组合入口、Clerk unsafe metadata 规则、Prisma tenant-scope 规则、Vercel cron guard 规则、sample launch report 和 Marketplace wrapper 决策 |
+| Action 标签 | `v0.29.0`、`v0` |
 | npm 发布 | GitHub Actions Trusted Publisher/OIDC，无需长期 npm token |
 | 仓库可信度加固 | 严格 branch protection、Dependabot、CodeQL、fast-check fuzzing、signed release provenance assets、private vulnerability reporting、secret scanning 和 push protection |
 | Cloudflare hosted ingress | 已部署到 `https://ai-saas-guard-hosted.zr9959.workers.dev`；签名 GitHub App webhook delivery 和 compact Check Run staging smoke 已通过 |
@@ -142,9 +163,9 @@ node dist/cli.js scan --root /path/to/your-saas
 | Stripe | webhook 缺失、未验证签名、raw body 签名风险、缺幂等、缺失败/取消/退款/更新处理 |
 | Supabase | 敏感表没启用 RLS、policy 过宽、缺少 ownership filter、`WITH CHECK` 过弱、storage object policy 过宽 |
 | Silent success | 捕获错误后返回假成功、敏感路径里的 hardcoded fallback、production 路径引入 mock/demo data、临时绕过 auth/webhook/ownership、跳过或占位测试 |
-| API routes | 有 auth 但缺少明显 ownership guard，敏感 mutation route 缺少 rate-limit 提示 |
+| API routes | 有 auth 但缺少明显 ownership guard、Clerk unsafe metadata、Prisma tenant-scope gap，敏感 mutation route 缺少 rate-limit 提示 |
 | MCP | 明文 secret、非 localhost 绑定、过宽文件系统权限、shell 工具、raw SQL 工具、side-effect 分类、本地 policy/receipt 模板 |
-| Next/Vercel deploy | Next static export 和 API route 冲突、Edge runtime 使用 Node-only API、security headers 缺失、server env 文档缺失、public env 盘点、image/request 放大风险、request ID logging 缺失 |
+| Next/Vercel deploy | Next static export 和 API route 冲突、Edge runtime 使用 Node-only API、security headers 缺失、server env 文档缺失、public env 盘点、image/request 放大风险、request ID logging 缺失、Vercel cron route guard 缺失 |
 | GitHub Actions | workflow 权限过宽、PR workflow 缺 concurrency cancel、docs-only 改动跑全量 CI、secret/tool version 缺 fail-fast、`pr-risk` checkout 太浅、Action 未 pin SHA |
 | PR risk | auth、billing、RLS、env、deploy、API、storage、silent-success、测试删除、缺 spec/context、大型混合 diff |
 
@@ -231,6 +252,8 @@ jobs:
 
 更多 GitHub Action 示例请看 [docs/github-action.md](github-action.md)。
 
+GitHub Marketplace wrapper 决策见 [docs/github-marketplace-wrapper-decision.md](github-marketplace-wrapper-decision.md)。当前决策是继续保持单一产品仓库，暂不创建单独 listing wrapper。
+
 ## 项目配置
 
 在仓库根目录添加 `.ai-saas-guard.json` 可以调整规则：
@@ -297,7 +320,7 @@ jobs:
 - hosted service runtime：`ai-saas-guard/hosted/service` 导出 `createHostedServiceRuntime`，把签名 webhook intake、幂等 queue upsert、read-only worker 编排、compact report 存储、Check Run 发布 adapter 和 worker cleanup 串成可测试的服务核心；它本身不部署公开 hosted 环境
 - GitHub App deployment planner：`ai-saas-guard/hosted/github-app` 导出 `planHostedGitHubAppDeployment`，生成 first slice 最小权限 manifest，并在 release gate、公开 HTTPS URL、container digest、secret 引用、原始 secret 输入、permission 或 event 不安全时阻止创建
 - Hosted production adapter layer：`ai-saas-guard/hosted/production-adapters` 导出 `createHostedGitHubAppJwt`、`planHostedGitHubInstallationTokenRequest` 和 `planHostedProductionWorkerExecution`，用于 GitHub App RS256 JWT、selected-repository installation token 请求规划、worker/check-run 分离 token scope、固定只读 worker 命令、timeout/output 预算、compact JSON-only 输出，以及 success/failure/timeout/cancellation 的 cleanup 规划；它本身仍然不部署公开 hosted 服务
-- Hosted Node/container app skeleton：`ai-saas-guard/hosted/app` 导出 `createHostedHttpApp`、`createInMemoryHostedAppPlatform` 和 `planHostedNodeContainerDeployment`，提供安全 `/healthz`、签名 `/github/webhook` ingress、单 job worker tick、测试用 in-memory provider adapters，以及 secret manager、queue、compact report store、worker sandbox、GitHub Checks publisher 的部署引用校验；它本身仍然不部署或暴露公开 hosted 服务
+- Hosted Node/container app skeleton：`ai-saas-guard/hosted/app` 导出 `createHostedHttpApp`、`createInMemoryHostedAppPlatform`、`createHostedNodeCheckoutAppPlatform` 和 `planHostedNodeContainerDeployment`，提供安全 `/healthz`、签名 `/github/webhook` ingress、单 job worker tick、测试用 in-memory provider adapters、真实 read-only checkout worker 组合入口、可见 timeout/output 安全预算，以及 secret manager、queue、compact report store、worker sandbox、GitHub Checks publisher 的部署引用校验；它本身仍然不部署或暴露公开 hosted 服务
 - Hosted staging deployment planner：`ai-saas-guard/hosted/staging` 导出 `planHostedProviderBinding`、`planHostedStagingDeployment` 和 `planHostedGitHubAppPromotion`，把真实 provider 引用、Node/container deployment plan、hosted operational release-gate evidence 和 GitHub App deployment planning 组合起来；缺少 queue、store、worker sandbox、Check Run publisher、logs、metrics、rollback 或 incident-response 引用时，会阻止 staging exposure 和 production promotion；它本身仍然不会调用云平台、创建 GitHub App 或暴露公开 hosted 服务
 - Hosted staging harness：`ai-saas-guard/hosted/staging-harness` 导出 `createFileBackedHostedStagingHarness` 和 `createHostedStagingHarnessEvidence`，可以在本地用 file-backed queue、compact report、Check Run request 和 worker sandbox 跑通签名 webhook replay、worker tick 和 cleanup 校验；它只是 staging 演练工具，不会调用云平台、创建 GitHub App、写真实 Check Run 或暴露公开 hosted 服务
 - Cloudflare hosted ingress：`hosted/cloudflare-worker` 已部署到 `https://ai-saas-guard-hosted.zr9959.workers.dev`，提供 `/healthz`、`/github/app/manifest-callback` 和签名 `/github/webhook` intake；Worker 已具备 compact pull request identity、file/category risk signal 和 Check Run metadata 路径；staging GitHub App ID 为 `3834787`，installation ID 为 `135085075`；真实 GitHub App webhook delivery 和 Check Run smoke 已通过；完整 source checkout worker deployment、monitoring、rollback 和 incident-response evidence 仍需要通过 hosted operational release gate

package/docs/github-action.md

@@ -2,7 +2,7 @@
 
 `ai-saas-guard` ships as a composite GitHub Action for pull request and code scanning workflows.
 
-Use `zr9959/ai-saas-guard@v0` for the latest compatible pre-1.0 Action. Use a specific tag such as `v0.28.0` or a reviewed commit SHA when reproducibility is more important than automatic minor updates.
+Use `zr9959/ai-saas-guard@v0` for the latest compatible pre-1.0 Action. Use a specific tag such as `v0.28.1` or a reviewed commit SHA when reproducibility is more important than automatic minor updates.
 
 ## PR Summary
 

package/docs/github-marketplace-wrapper-decision.md

@@ -0,0 +1,42 @@
+# GitHub Marketplace Wrapper Decision
+
+Last checked: 2026-05-24
+
+Decision: do not create a separate Marketplace wrapper repository now.
+
+`ai-saas-guard` stays a single product: a local-first CLI, GitHub Action wrapper, docs, examples, and hosted-design contracts in this repository. The Action remains usable through `zr9959/ai-saas-guard@v0` and fixed release tags.
+
+## Why
+
+GitHub's current Action Marketplace docs say Marketplace actions are published from a public repository that has a single action metadata file at the root and must not contain workflow files. This repository intentionally contains the CLI source, tests, docs, release workflows, hosted contracts, and project governance files. Reshaping it only to satisfy Marketplace listing constraints would weaken the repository boundary and make normal release quality checks harder to keep visible.
+
+The current `action.yml` remains useful without a Marketplace listing:
+
+- users can copy the README workflow and use `zr9959/ai-saas-guard@v0`
+- npm remains the main install path for local use
+- release tags and signed provenance assets already support controlled upgrades
+- all rules, docs, and tests stay in the same product repo
+
+## Wrapper Repo Option
+
+A thin Marketplace wrapper can be revisited later if Marketplace search becomes a clear distribution channel. If that happens, the wrapper should stay minimal:
+
+- only the action metadata, wrapper code, and Marketplace README needed for the listing
+- no scanner logic fork
+- no separate product positioning
+- every release points back to this repository and the npm package
+- no hidden workflow that changes the local-first privacy promise
+
+## Revisit Criteria
+
+Revisit only after at least one of these is true:
+
+- multiple external users ask specifically for a GitHub Marketplace listing
+- the Action API has stayed stable across several releases
+- README, npm, and GitHub discovery are no longer enough for the intended launch-readiness audience
+- the wrapper can be maintained without duplicating scanner rules, docs, release gates, or security boundaries
+
+## References
+
+- GitHub Docs: https://docs.github.com/en/actions/how-tos/create-and-publish-actions/publish-in-github-marketplace
+- GitHub Action metadata syntax: https://docs.github.com/en/enterprise-cloud@latest/actions/reference/workflows-and-actions/metadata-syntax

package/docs/hosted-node-container-app.md

@@ -21,6 +21,7 @@ The package exports `ai-saas-guard/hosted/app` with:
 
 - `createHostedHttpApp`
 - `createInMemoryHostedAppPlatform`
+- `createHostedNodeCheckoutAppPlatform`
 - `planHostedNodeContainerDeployment`
 
 The staging deployment planner in [hosted-staging-deployment.md](hosted-staging-deployment.md) composes this Node/container deployment plan with real provider references, hosted operational release-gate evidence, and GitHub App promotion gates.
@@ -78,6 +79,18 @@ These adapters are not production storage. Real providers must wire the same bou
 - read-only worker sandbox
 - GitHub Checks API publisher
 
+`createHostedNodeCheckoutAppPlatform` composes the same HTTP app and service runtime with the concrete read-only checkout worker from `ai-saas-guard/hosted/worker`. It is still adapter-driven: deployments must provide a runtime installation-token provider, durable queue/store, worker sandbox, and Check Run publisher. The helper exposes a safe `workerSafety` summary so deployers can verify the runtime boundary without logging private paths or tokens:
+
+- command source: trusted runtime plan
+- timeout capped at 600 seconds
+- output capped at 1 MiB
+- shell disabled
+- CLI network access disabled
+- read-only write mode
+- compact JSON-only output
+- checkout cleanup required
+- no checkout path, source, diff, secret, or customer payload persistence
+
 ## Deployment Plan
 
 `planHostedNodeContainerDeployment` validates the provider-facing deployment shape.
@@ -121,6 +134,6 @@ It does not return:
 
 ## Current Status
 
-The repository can now instantiate a Node/container hosted app skeleton, route signed webhooks into the hosted service runtime, process one worker tick through adapters, and validate provider adapter references before deployment.
+The repository can now instantiate a Node/container hosted app skeleton, route signed webhooks into the hosted service runtime, process one worker tick through adapters, compose the real read-only checkout scan runner behind a token-provider boundary, expose clamped worker safety budgets, and validate provider adapter references before deployment.
 
 A public hosted environment still requires actual platform infrastructure, a public HTTPS webhook URL, platform secrets, durable queue/storage, worker sandboxing, GitHub Checks API credentials at runtime, monitoring, rollback, incident-response evidence, and the hosted operational release gate. Use [hosted-staging-deployment.md](hosted-staging-deployment.md) to plan and block staging exposure until those provider references and evidence exist.

package/docs/npm-publishing.md

@@ -5,11 +5,11 @@
 ## Current State
 
 - Package name: `ai-saas-guard`
-- Current published version: `0.28.0`
+- Current published version: `0.29.0`
 - Next source candidate: none
 - npm registry state: published at <https://www.npmjs.com/package/ai-saas-guard>
 - First npm-published version: `0.1.1`
-- GitHub Release: `v0.28.0`
+- GitHub Release: `v0.29.0`
 - Publish workflow: `.github/workflows/npm-publish.yml`
 - Trusted Publisher: GitHub Actions, `zr9959/ai-saas-guard`, workflow `npm-publish.yml`, allowed action `npm publish`
 - Long-lived npm publish token: not required
@@ -18,7 +18,7 @@
 
 Use GitHub Actions with npm Trusted Publisher/OIDC:
 
-1. Create and review a release tag such as `v0.28.0`.
+1. Create and review a release tag such as `v0.29.0`.
 2. Publish from the GitHub Release or run the `Publish npm` workflow manually with `ref` set to that tag.
 3. Keep `permissions.id-token: write` in the workflow so npm can exchange the GitHub Actions OIDC identity for a short-lived publish credential.
 4. Run `npm publish --access public` from the workflow. Trusted publishing automatically generates provenance for this public package from this public repository.

package/docs/project-handoff.md

@@ -161,7 +161,7 @@ OpenSSF Best Practices:
 Publishing:
 
 - npm package: `ai-saas-guard`
-- Current published release line: `v0.28.0` pending this branch release
+- Current published release line: `v0.28.1` pending this branch release
 - Next source candidate: none
 - Publish workflow: `.github/workflows/npm-publish.yml`
 - Trusted Publisher: GitHub Actions for `zr9959/ai-saas-guard`, workflow `npm-publish.yml`

package/docs/rules.md

@@ -87,6 +87,8 @@ Prefer fixing risky code over suppressing findings. When a finding is a reviewed
 | --- | --- | --- |
 | `api.route.missing-rate-limit` | medium | Login, checkout, upload, AI, and webhook routes are common abuse targets. |
 | `api.route.auth-without-ownership` | high | Login checks do not prove resource ownership checks. |
+| `auth.clerk.unsafe-metadata` | high | Clerk unsafe metadata is user-writable and should not hold roles, plans, tenant membership, or entitlements. |
+| `data.prisma.tenant-scope-missing` | high | Authenticated Prisma reads or mutations on tenant-like resources need tenant, owner, organization, or workspace predicates. |
 | `deploy.next.static-export-api-risk` | medium | Static export can conflict with runtime API assumptions. |
 | `deploy.edge-runtime-node-api` | medium | Edge runtime can break Node-only dependencies. |
 | `deploy.env.example-missing` | low | Missing env docs cause local-success, production-failure deploys. |
@@ -96,6 +98,7 @@ Prefer fixing risky code over suppressing findings. When a finding is a reviewed
 | `deploy.next.image-cost-risk` | medium | Broad remote image patterns or user-controlled image sources can amplify deploy cost and trust risk. |
 | `deploy.next.request-amplification` | low | High-cardinality dynamic route prefetching can create unexpected production request volume. |
 | `deploy.observability.missing-request-id` | low | Billing, webhook, and tenant incidents are hard to debug without traceable request IDs. |
+| `deploy.vercel.cron-missing-guard` | medium | Scheduled billing, tenant, or cleanup jobs need a secret guard, idempotency, and request tracing before launch. |
 
 ## MCP
 

package/docs/sample-launch-report.md

@@ -0,0 +1,60 @@
+# Sample Launch Report
+
+This is a synthetic, public-safe example of the kind of review queue `ai-saas-guard` produces. Paths, snippets, and checks are intentionally small so a founder or reviewer can understand the output before running the tool.
+
+```text
+Launch Gate: review before launch
+6 findings: 3 high, 3 medium
+
+HIGH stripe.webhook.missing-signature
+Rule: stripe.webhook.missing-signature
+File: app/api/stripe/webhook/route.ts:12
+Why: Billing access can be granted from a webhook path that does not verify Stripe signatures.
+Verify: Replay a webhook with an invalid signature and confirm the route rejects it.
+Fix direction: Read the raw body, call stripe.webhooks.constructEvent, and keep entitlement changes idempotent.
+
+HIGH auth.clerk.unsafe-metadata
+Rule: auth.clerk.unsafe-metadata
+File: app/api/auth/profile/route.ts:8
+Why: Clerk unsafe metadata can be changed from the client side, so roles, paid plans, tenant membership, or entitlements stored there can become authorization input by accident.
+Verify: Try changing the same metadata as a normal signed-in user and confirm it cannot grant admin, paid plan, tenant, workspace, or entitlement access.
+Fix direction: Store authorization and billing state in server-controlled Clerk private/public metadata or your database.
+
+HIGH data.prisma.tenant-scope-missing
+Rule: data.prisma.tenant-scope-missing
+File: app/api/projects/[projectId]/route.ts:9
+Why: A route can authenticate the caller but still read or mutate another tenant's resource when Prisma queries only scope by a guessed resource ID.
+Verify: Create this resource as Tenant/User A, then attempt the same update with Tenant/User B.
+Fix direction: Add tenant, organization, workspace, owner, user, or membership predicates to the Prisma where clause.
+
+MEDIUM supabase.rls.tenant-predicate-missing
+Rule: supabase.rls.tenant-predicate-missing
+File: supabase/migrations/20260524_projects.sql:22
+Why: Multi-tenant tables need tenant, workspace, organization, owner, or membership predicates.
+Verify: Sign in as user A and user B; confirm neither can SELECT, INSERT, UPDATE, or DELETE the other's rows.
+Fix direction: Add tenant or membership predicates and rerun a two-account staging check.
+
+MEDIUM deploy.vercel.cron-missing-guard
+Rule: deploy.vercel.cron-missing-guard
+File: app/api/cron/reconcile-billing/route.ts:3
+Why: Scheduled billing, tenant, or cleanup jobs need a secret guard, idempotency, and request tracing before launch.
+Verify: Call the cron route without the expected cron secret and with a repeated request ID; confirm unauthorized calls fail and repeated runs do not duplicate state changes.
+Fix direction: Check a server-only cron secret, record an idempotency key or run lock, and log a request/trace ID before stateful cron work starts.
+
+MEDIUM silent-success.swallowed-error
+Rule: silent-success.swallowed-error
+File: app/api/billing/checkout/route.ts:31
+Why: Swallowed provider, auth, billing, or data errors can make a launch path look successful when it failed.
+Verify: Force the upstream provider call to fail and confirm the route returns an error or disclosed degraded mode.
+Fix direction: Log the failure, return an explicit error status, and avoid granting access after the failed dependency.
+```
+
+## How To Read It
+
+Start with the highest severity findings that touch trust-boundary code: auth, billing, tenant data, webhooks, and scheduled jobs. Each finding should give you enough to answer three launch questions:
+
+- What file should I inspect first?
+- Why could this fail for real users?
+- What manual proof shows the path fails closed?
+
+The report is a focused review queue. It does not replace your two-account authorization tests, Stripe webhook replay, deploy-preview checks, or human review.

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "ai-saas-guard",
-  "version": "0.28.0",
-  "description": "Repo-local launch-readiness scanner for AI-built SaaS apps.",
+  "version": "0.29.0",
+  "description": "Local-first CLI that catches launch blockers in AI-built Next.js/Supabase/Stripe SaaS apps.",
   "readmeFilename": "README.md",
   "type": "module",
   "homepage": "https://github.com/zr9959/ai-saas-guard#readme",
@@ -14,14 +14,25 @@
   },
   "keywords": [
     "ai",
+    "ai-code-review",
     "saas",
     "security",
     "launch",
     "preflight",
+    "launch-readiness",
+    "nextjs",
+    "vercel",
     "supabase",
+    "supabase-rls",
     "stripe",
+    "stripe-webhooks",
     "mcp",
+    "mcp-security",
     "github-action",
+    "github-actions",
+    "static-analysis",
+    "devsecops",
+    "local-first",
     "cli"
   ],
   "main": "./dist/index.js",