ai-saas-guard 0.29.2 → 0.30.0

package/README.md

@@ -46,6 +46,12 @@ These are the failures that hurt after real users arrive:
 
 ## 60-Second Local Check
 
+See the public demo output without cloning a repo:
+
+```bash
+npx ai-saas-guard@latest demo
+```
+
 Run it against your app without installing anything globally:
 
 ```bash
@@ -65,13 +71,10 @@ You get rule IDs, severity, file evidence, why it matters, how to verify it manu
 Want to see the report before scanning your own repo?
 
 ```bash
-git clone https://github.com/zr9959/ai-saas-guard.git
-cd ai-saas-guard
-npx ai-saas-guard@latest scan --root examples/demo-risky-saas
-npx ai-saas-guard@latest scan --root examples/demo-safe-saas
+npx ai-saas-guard@latest demo
 ```
 
-The risky demo currently returns 19 intentional findings across Stripe, Supabase, silent-success paths, Next/Vercel deploy hints, and GitHub Actions. The safe demo returns 0 findings for the same broad surfaces with safer static patterns. See [docs/demo-quickstart.md](docs/demo-quickstart.md).
+The demo command uses packaged public fixtures: `examples/demo-risky-saas` currently returns 19 intentional findings across Stripe, Supabase, silent-success paths, Next/Vercel deploy hints, and GitHub Actions; `examples/demo-safe-saas` returns 0 findings for the same broad surfaces with safer static patterns. See [docs/demo-quickstart.md](docs/demo-quickstart.md) if you want to inspect the fixture files locally.
 
 ## See The Output
 
@@ -94,6 +97,10 @@ Verify: force the upstream billing call to fail and confirm the route returns an
 MEDIUM deploy.next.missing-security-headers
 File: app/api/billing/checkout/route.ts
 Verify: inspect production response headers for auth, billing, and API pages.
+
+Next steps
+- Fix critical and high trust-boundary findings first.
+- Run the manual proof steps in staging and confirm each risky path fails closed.
 ```
 
 ## What You Get
@@ -125,6 +132,7 @@ One command returns a launch-readiness report with:
 Run the published CLI without installing it globally:
 
 ```bash
+npx ai-saas-guard@latest demo
 npx ai-saas-guard@latest scan --root /path/to/your-saas
 ```
 
@@ -179,13 +187,13 @@ The CLI is published on npm as `ai-saas-guard`, and the GitHub Action is availab
 | Area | Status |
 | --- | --- |
 | Public GitHub repository | Available |
-| npm CLI | `ai-saas-guard@0.29.2` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.29.2` |
+| npm CLI | `ai-saas-guard@0.30.0` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.30.0` |
 | Outputs | Terminal, JSON, SARIF, and PR-focused markdown |
 | Project config | `.ai-saas-guard.json` rule toggles, severity overrides, suppressions, and fail thresholds |
 | Privacy model | Local-first, read-only scan commands, no LLM calls, no code upload |
-| Versioned Action tags | `v0.29.2`, `v0` |
-| Current release | `0.29.2` publishes public risky/safe demo fixtures, a demo quickstart, quickstart feedback template, and refreshed first-run README guidance |
+| Versioned Action tags | `v0.30.0`, `v0` |
+| Current release | `0.30.0` adds `ai-saas-guard demo`, Next steps in human-readable reports, a more targeted quickstart feedback template, and refreshed first-run docs |
 | npm publishing | Trusted Publisher/OIDC, no long-lived publish token |
 | Repository trust hardening | Strict branch protection, Dependabot, CodeQL, fast-check fuzzing, signed release provenance assets, private vulnerability reporting, secret scanning, and push protection |
 | Cloudflare hosted ingress | Deployed at `https://ai-saas-guard-hosted.zr9959.workers.dev`; signed GitHub App webhook delivery and compact Check Run smoke now pass in staging |
@@ -352,7 +360,7 @@ Use `suppressions` for narrower false-positive handling when one rule is noisy o
 
 ## GitHub Action
 
-The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.29.2` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
+The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.30.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
 
 ```yaml
 name: ai-saas-guard

package/dist/cli.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import { resolve } from "node:path";
 import { applyGuardConfig, loadGuardConfig } from "./config.js";
-import { checkActions, checkMcp, checkStripe, checkSupabase, classifyPrRisk, scanRepository } from "./index.js";
+import { checkActions, checkMcp, checkStripe, checkSupabase, classifyPrRisk, runShowcase, scanRepository } from "./index.js";
 import { formatJsonReport } from "./report/json.js";
 import { formatMarkdownReport } from "./report/markdown.js";
 import { formatSarifReport } from "./report/sarif.js";
@@ -12,6 +12,11 @@ async function main(argv) {
         process.stdout.write(helpText());
         return 0;
     }
+    if (args.command === "demo") {
+        const report = await runShowcase();
+        process.stdout.write(formatReport(report, args.format));
+        return 0;
+    }
     const config = await loadGuardConfig(args.rootDir, args.configPath);
     let report;
     switch (args.command) {
@@ -165,6 +170,7 @@ Repo-local launch-readiness scanner for AI-built SaaS apps.
 
 Usage:
   ai-saas-guard scan [--root <repo>] [--config <file>] [--json|--sarif] [--fail-on <severity>]
+  ai-saas-guard demo [--json|--markdown]
   ai-saas-guard check-supabase [--root <repo>] [--config <file>] [--doctor] [--json|--sarif] [--fail-on <severity>]
   ai-saas-guard check-stripe [--root <repo>] [--config <file>] [--json|--sarif] [--fail-on <severity>]
   ai-saas-guard check-mcp [--root <repo>] [--config <file>] [--policy-template] [--json|--sarif] [--fail-on <severity>]
@@ -175,6 +181,7 @@ Defaults:
   - read-only
   - no network calls
   - no account or login required
+  - demo uses packaged public fixtures and ignores project config/fail thresholds
   - terminal output by default, JSON with --json
   - SARIF output for GitHub code scanning with --sarif
   - PR-focused markdown summary with --markdown

package/dist/commands/demo.d.ts

@@ -0,0 +1,2 @@
+import type { ShowcaseReport } from "../types.js";
+export declare function runShowcase(): Promise<ShowcaseReport>;

package/dist/commands/demo.js

@@ -0,0 +1,21 @@
+import { dirname, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+import { scanRepository } from "./scan.js";
+import { createReport } from "../report/findings.js";
+import { nextSteps } from "../report/launchGate.js";
+export async function runShowcase() {
+    const packageRoot = resolve(dirname(fileURLToPath(import.meta.url)), "..", "..");
+    const risky = await scanRepository({
+        rootDir: resolve(packageRoot, "examples", "demo-risky-saas")
+    });
+    const safe = await scanRepository({
+        rootDir: resolve(packageRoot, "examples", "demo-safe-saas")
+    });
+    return createReport("demo", packageRoot, risky.findings, {
+        demos: {
+            risky,
+            safe
+        },
+        nextSteps: nextSteps(risky.findings)
+    });
+}

package/dist/index.d.ts

@@ -1,4 +1,5 @@
 export { scanRepository } from "./commands/scan.js";
+export { runShowcase } from "./commands/demo.js";
 export { checkStripe } from "./commands/checkStripe.js";
 export { checkSupabase } from "./commands/checkSupabase.js";
 export { checkMcp } from "./commands/checkMcp.js";
@@ -7,7 +8,7 @@ export { classifyPrRisk } from "./commands/prRisk.js";
 export { applyGuardConfig, defaultConfigFileName, loadGuardConfig } from "./config.js";
 export { createScanContext } from "./context.js";
 export { getRuleMetadata, RULE_CATALOG } from "./rules/catalog.js";
-export type { BaseReport, CommandName, Evidence, Finding, ActionsReport, McpOptions, McpPolicyTemplate, McpReport, McpServerInventory, McpSideEffect, PrRiskFile, PrRiskReport, ScanOptions, StripeReport, SupabaseOptions, SupabaseDoctorReport, SupabaseReport } from "./types.js";
+export type { BaseReport, CommandName, Evidence, Finding, ActionsReport, McpOptions, McpPolicyTemplate, McpReport, McpServerInventory, McpSideEffect, PrRiskFile, PrRiskReport, ScanOptions, ShowcaseReport, StripeReport, SupabaseOptions, SupabaseDoctorReport, SupabaseReport } from "./types.js";
 export type { ScanContext, ScanInput } from "./context.js";
 export type { FindingSuppression, GuardConfig, RuleConfigValue } from "./config.js";
 export type { RuleMetadata, RuleStability } from "./rules/catalog.js";

package/dist/index.js

@@ -1,4 +1,5 @@
 export { scanRepository } from "./commands/scan.js";
+export { runShowcase } from "./commands/demo.js";
 export { checkStripe } from "./commands/checkStripe.js";
 export { checkSupabase } from "./commands/checkSupabase.js";
 export { checkMcp } from "./commands/checkMcp.js";

package/dist/report/launchGate.d.ts

@@ -2,3 +2,4 @@ import type { BaseReport, Finding } from "../types.js";
 export declare function launchGateVerdict(report: BaseReport): string;
 export declare function reviewFirst(findings: Finding[], limit?: number): string[];
 export declare function manualProofSteps(findings: Finding[], limit?: number): string[];
+export declare function nextSteps(findings: Finding[]): string[];

package/dist/report/launchGate.js

@@ -34,3 +34,25 @@ export function manualProofSteps(findings, limit = 3) {
     }
     return steps;
 }
+export function nextSteps(findings) {
+    if (findings.length === 0) {
+        return [
+            "Keep this report with the launch checklist, then run a two-account auth/data-access check and a deploy-preview smoke before inviting real users."
+        ];
+    }
+    const steps = [];
+    const hasCriticalOrHigh = findings.some((finding) => finding.severity === "critical" || finding.severity === "high");
+    const hasMedium = findings.some((finding) => finding.severity === "medium");
+    const hasLowNoise = findings.some((finding) => finding.severity === "low" || finding.severity === "info");
+    if (hasCriticalOrHigh) {
+        steps.push("Fix critical and high trust-boundary findings first: auth/session, billing/webhook, tenant data, and silent-success paths.");
+    }
+    else if (hasMedium) {
+        steps.push("Verify medium-risk launch findings with the owning developer before production traffic.");
+    }
+    steps.push("Run the manual proof steps above in staging and confirm each risky path fails closed.");
+    if (hasLowNoise) {
+        steps.push("Treat low and info deploy/CI hygiene hints as cleanup after critical, high, and medium launch paths are understood.");
+    }
+    return steps;
+}

package/dist/report/markdown.js

@@ -1,9 +1,36 @@
-import { launchGateVerdict, manualProofSteps, reviewFirst } from "./launchGate.js";
+import { launchGateVerdict, manualProofSteps, nextSteps, reviewFirst } from "./launchGate.js";
 export function formatMarkdownReport(report) {
+    if (report.command === "demo")
+        return `${formatDemoMarkdown(report)}\n`;
     if (report.command === "pr-risk")
         return `${formatPrRiskMarkdown(report)}\n`;
     return `${formatGenericMarkdown(report)}\n`;
 }
+function formatDemoMarkdown(report) {
+    const lines = [];
+    lines.push("## ai-saas-guard demo");
+    lines.push("");
+    lines.push("Synthetic public demo for the local-first launch gate. This is not a pentest, full audit, or certification.");
+    lines.push("");
+    lines.push(`- Risky demo: ${escapeMarkdownInline(summaryText(report.demos.risky))}`);
+    lines.push(`- Safe demo: ${escapeMarkdownInline(summaryText(report.demos.safe))}`);
+    lines.push("");
+    lines.push("### Review First");
+    appendList(lines, reviewFirst(report.demos.risky.findings).map(escapeMarkdownInline));
+    lines.push("");
+    lines.push("### Manual Proof To Run Next");
+    appendList(lines, manualProofSteps(report.demos.risky.findings).map(escapeMarkdownInline));
+    lines.push("");
+    lines.push("### Next Steps");
+    appendList(lines, report.nextSteps.map(escapeMarkdownInline));
+    lines.push("");
+    lines.push("Run against your app:");
+    lines.push("");
+    lines.push("```bash");
+    lines.push("npx ai-saas-guard@latest scan --root /path/to/your-saas");
+    lines.push("```");
+    return lines.join("\n");
+}
 function formatPrRiskMarkdown(report) {
     const lines = [];
     lines.push("## ai-saas-guard PR risk summary");
@@ -69,6 +96,9 @@ function appendLaunchQueue(lines, findings) {
     lines.push("");
     lines.push("### Manual Proof To Run Next");
     appendList(lines, manualProofSteps(findings).map(escapeMarkdownInline));
+    lines.push("");
+    lines.push("### Next Steps");
+    appendList(lines, nextSteps(findings).map(escapeMarkdownInline));
 }
 function appendFindings(lines, findings) {
     if (findings.length === 0) {
@@ -135,3 +165,8 @@ function escapeMarkdownTableCell(value) {
 function escapeMarkdownInline(value) {
     return value.replace(/\r?\n/g, " ").replaceAll("|", "\\|").trim();
 }
+function summaryText(report) {
+    if (report.summary.total === 0)
+        return "0 findings";
+    return `${report.summary.total} findings: ${report.summary.critical} critical, ${report.summary.high} high, ${report.summary.medium} medium, ${report.summary.low} low, ${report.summary.info} info`;
+}

package/dist/report/terminal.js

@@ -1,5 +1,7 @@
-import { launchGateVerdict, manualProofSteps, reviewFirst } from "./launchGate.js";
+import { launchGateVerdict, manualProofSteps, nextSteps, reviewFirst } from "./launchGate.js";
 export function formatTerminalReport(report) {
+    if (report.command === "demo")
+        return formatDemoTerminalReport(report);
     const lines = [];
     lines.push(`ai-saas-guard ${report.command}`);
     lines.push(`Root: ${report.rootDir}`);
@@ -21,6 +23,11 @@ export function formatTerminalReport(report) {
     for (const step of manualProofSteps(report.findings)) {
         lines.push(`- ${step}`);
     }
+    lines.push("");
+    lines.push("Next steps:");
+    for (const step of nextSteps(report.findings)) {
+        lines.push(`- ${step}`);
+    }
     for (const [index, item] of report.findings.entries()) {
         lines.push("");
         lines.push(`${index + 1}. [${item.severity.toUpperCase()}] ${item.title}`);
@@ -38,6 +45,41 @@ export function formatTerminalReport(report) {
     appendCommandExtras(lines, report);
     return lines.join("\n");
 }
+function formatDemoTerminalReport(report) {
+    const lines = [];
+    lines.push("ai-saas-guard demo");
+    lines.push("Synthetic public demo for the local-first launch gate.");
+    lines.push("This is not a pentest, full audit, or certification.");
+    lines.push("");
+    lines.push(`Risky demo: ${summaryText(report.demos.risky)}`);
+    lines.push(`Safe demo: ${summaryText(report.demos.safe)}`);
+    lines.push("");
+    lines.push("Review first:");
+    for (const item of reviewFirst(report.demos.risky.findings)) {
+        lines.push(`- ${item}`);
+    }
+    lines.push("");
+    lines.push("Manual proof to run next:");
+    for (const step of manualProofSteps(report.demos.risky.findings)) {
+        lines.push(`- ${step}`);
+    }
+    lines.push("");
+    lines.push("Next steps:");
+    for (const step of report.nextSteps) {
+        lines.push(`- ${step}`);
+    }
+    lines.push("");
+    lines.push("Run against your app:");
+    lines.push("  npx ai-saas-guard@latest scan --root /path/to/your-saas");
+    lines.push("");
+    lines.push("Read more: https://github.com/zr9959/ai-saas-guard/blob/main/docs/demo-quickstart.md");
+    return lines.join("\n");
+}
+function summaryText(report) {
+    if (report.summary.total === 0)
+        return "0 findings";
+    return `${report.summary.total} findings: ${report.summary.critical} critical, ${report.summary.high} high, ${report.summary.medium} medium, ${report.summary.low} low, ${report.summary.info} info`;
+}
 function appendCommandExtras(lines, report) {
     if (report.command === "check-supabase") {
         const supabase = report;

package/dist/types.d.ts

@@ -1,5 +1,5 @@
 export type Severity = "critical" | "high" | "medium" | "low" | "info";
-export type CommandName = "scan" | "check-supabase" | "check-stripe" | "check-mcp" | "check-actions" | "pr-risk";
+export type CommandName = "scan" | "demo" | "check-supabase" | "check-stripe" | "check-mcp" | "check-actions" | "pr-risk";
 export interface Evidence {
     file: string;
     line?: number;
@@ -40,6 +40,14 @@ export interface BaseReport {
     findings: Finding[];
     summary: Summary;
 }
+export interface ShowcaseReport extends BaseReport {
+    command: "demo";
+    demos: {
+        risky: BaseReport;
+        safe: BaseReport;
+    };
+    nextSteps: string[];
+}
 export interface StripeReport extends BaseReport {
     command: "check-stripe";
     webhookFiles: string[];

package/docs/README.zh-CN.md

@@ -45,6 +45,12 @@ AI 能很快把一个 SaaS 做到“看起来能用”：能登录、能打开 c
 
 ## 60 秒本地检查
 
+不用 clone 仓库，先看公开 demo 输出：
+
+```bash
+npx ai-saas-guard@latest demo
+```
+
 无需全局安装，直接扫你的应用：
 
 ```bash
@@ -64,13 +70,10 @@ npx ai-saas-guard@latest pr-risk --root /path/to/your-saas --base origin/main --
 如果你还不想先扫自己的私有仓库，可以先跑公开 fixture：
 
 ```bash
-git clone https://github.com/zr9959/ai-saas-guard.git
-cd ai-saas-guard
-npx ai-saas-guard@latest scan --root examples/demo-risky-saas
-npx ai-saas-guard@latest scan --root examples/demo-safe-saas
+npx ai-saas-guard@latest demo
 ```
 
-risky demo 当前会故意触发 19 个 finding，覆盖 Stripe、Supabase、silent-success、Next/Vercel deploy 提示和 GitHub Actions。safe demo 在同类风险面上使用更安全的静态写法，当前返回 0 个 finding。说明见 [demo-quickstart.md](demo-quickstart.md)。
+demo 命令使用包内公开 fixture：`examples/demo-risky-saas` 当前会故意触发 19 个 finding，覆盖 Stripe、Supabase、silent-success、Next/Vercel deploy 提示和 GitHub Actions；`examples/demo-safe-saas` 在同类风险面上使用更安全的静态写法，当前返回 0 个 finding。想本地查看 fixture 文件时再看 [demo-quickstart.md](demo-quickstart.md)。
 
 ## 输出长什么样
 
@@ -93,6 +96,10 @@ Verify: force the upstream billing call to fail and confirm the route returns an
 MEDIUM deploy.next.missing-security-headers
 File: app/api/billing/checkout/route.ts
 Verify: inspect production response headers for auth, billing, and API pages.
+
+Next steps
+- 先修 critical/high 的信任边界 finding。
+- 在 staging 跑 manual proof，确认每个风险路径都会 fail closed。
 ```
 
 ## 你会得到什么
@@ -124,6 +131,7 @@ Verify: inspect production response headers for auth, billing, and API pages.
 无需全局安装，直接运行：
 
 ```bash
+npx ai-saas-guard@latest demo
 npx ai-saas-guard@latest scan --root /path/to/your-saas
 ```
 
@@ -161,18 +169,18 @@ node dist/cli.js scan --root /path/to/your-saas
 
 这个仓库是公开 GitHub 仓库。
 
-CLI 已发布到 npm：`ai-saas-guard@0.29.2`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.29.2`。
+CLI 已发布到 npm：`ai-saas-guard@0.30.0`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.30.0`。
 
 | 模块 | 状态 |
 | --- | --- |
 | 公开 GitHub 仓库 | 已可用 |
-| npm CLI | `ai-saas-guard@0.29.2` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.29.2` |
+| npm CLI | `ai-saas-guard@0.30.0` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.30.0` |
 | 输出格式 | Terminal、JSON、SARIF 和 PR markdown |
 | 项目配置 | `.ai-saas-guard.json` 支持规则开关、severity 覆盖、suppressions 和 fail threshold |
 | 隐私模型 | 本地优先、只读扫描、不调用 LLM、不上传代码 |
-| 当前版本 | `0.29.2` 发布公开 risky/safe demo fixtures、demo quickstart、quickstart 反馈模板，并刷新首次试用 README 指引 |
-| Action 标签 | `v0.29.2`、`v0` |
+| 当前版本 | `0.30.0` 增加 `ai-saas-guard demo`、human-readable 报告里的 Next steps、更有针对性的 quickstart 反馈模板，并刷新首次试用文档 |
+| Action 标签 | `v0.30.0`、`v0` |
 | npm 发布 | GitHub Actions Trusted Publisher/OIDC，无需长期 npm token |
 | 仓库可信度加固 | 严格 branch protection、Dependabot、CodeQL、fast-check fuzzing、signed release provenance assets、private vulnerability reporting、secret scanning 和 push protection |
 | Cloudflare hosted ingress | 已部署到 `https://ai-saas-guard-hosted.zr9959.workers.dev`；签名 GitHub App webhook delivery 和 compact Check Run staging smoke 已通过 |

package/docs/demo-quickstart.md

@@ -2,9 +2,23 @@
 
 Use these public fixtures when you want to understand `ai-saas-guard` before pointing it at a private repository.
 
+## Fastest Path
+
+Run the packaged demo without cloning this repository:
+
+```bash
+npx ai-saas-guard@latest demo
+```
+
+This prints the risky and safe demo summaries, the first risky files to review, manual verification steps, and launch-focused next steps. It uses only public fixture code shipped in the npm package.
+
 ## Risky Demo
 
+Clone the repository only if you want to inspect or edit the fixture files:
+
 ```bash
+git clone https://github.com/zr9959/ai-saas-guard.git
+cd ai-saas-guard
 npx ai-saas-guard@latest scan --root examples/demo-risky-saas
 ```
 

package/docs/npm-publishing.md

@@ -5,11 +5,11 @@
 ## Current State
 
 - Package name: `ai-saas-guard`
-- Current published version: `0.29.2`
+- Current published version: `0.30.0`
 - Next source candidate: none
 - npm registry state: published at <https://www.npmjs.com/package/ai-saas-guard>
 - First npm-published version: `0.1.1`
-- GitHub Release: `v0.29.2`
+- GitHub Release: `v0.30.0`
 - Publish workflow: `.github/workflows/npm-publish.yml`
 - Trusted Publisher: GitHub Actions, `zr9959/ai-saas-guard`, workflow `npm-publish.yml`, allowed action `npm publish`
 - Long-lived npm publish token: not required
@@ -18,7 +18,7 @@
 
 Use GitHub Actions with npm Trusted Publisher/OIDC:
 
-1. Create and review a release tag such as `v0.29.2`.
+1. Create and review a release tag such as `v0.30.0`.
 2. Publish from the GitHub Release or run the `Publish npm` workflow manually with `ref` set to that tag.
 3. Keep `permissions.id-token: write` in the workflow so npm can exchange the GitHub Actions OIDC identity for a short-lived publish credential.
 4. Run `npm publish --access public` from the workflow. Trusted publishing automatically generates provenance for this public package from this public repository.

package/docs/sample-launch-report.md

@@ -47,6 +47,11 @@ File: app/api/billing/checkout/route.ts:31
 Why: Swallowed provider, auth, billing, or data errors can make a launch path look successful when it failed.
 Verify: Force the upstream provider call to fail and confirm the route returns an error or disclosed degraded mode.
 Fix direction: Log the failure, return an explicit error status, and avoid granting access after the failed dependency.
+
+Next steps
+- Fix critical and high trust-boundary findings first: auth/session, billing/webhook, tenant data, and silent-success paths.
+- Run the manual proof steps above in staging and confirm each risky path fails closed.
+- Treat low and info deploy/CI hygiene hints as cleanup after critical, high, and medium launch paths are understood.
 ```
 
 ## How To Read It

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-saas-guard",
-  "version": "0.29.2",
+  "version": "0.30.0",
   "description": "Local-first CLI that catches launch blockers in AI-built Next.js/Supabase/Stripe SaaS apps.",
   "readmeFilename": "README.md",
   "type": "module",