ai-saas-guard 0.30.1 → 0.30.2

package/README.md

@@ -124,6 +124,8 @@ One command returns a launch-readiness report with:
 | Are tools and CI overpowered? | MCP side-effect classes, local policy/receipt templates, GitHub Actions permissions, concurrency, checkout depth, action pinning |
 | Can reviewers trust the PR? | `pr-risk` ranking for auth, billing, RLS, deploy, API, storage, tests, silent-success paths, missing spec context, and large AI diffs |
 
+For a concise comparison with Semgrep, zizmor, OpenSSF Scorecard, Snyk, and GitHub code scanning, see [docs/launch-gate-positioning.md](docs/launch-gate-positioning.md).
+
 ## Quick Start
 
 Run the published CLI without installing it globally:
@@ -185,13 +187,13 @@ The CLI is published on npm as `ai-saas-guard`, and the GitHub Action is availab
 | Area | Status |
 | --- | --- |
 | Public GitHub repository | Available |
-| npm CLI | `ai-saas-guard@0.30.1` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.30.1` |
+| npm CLI | `ai-saas-guard@0.30.2` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.30.2` |
 | Outputs | Short summary, terminal, JSON, SARIF, and PR-focused markdown |
 | Project config | `.ai-saas-guard.json` rule toggles, severity overrides, suppressions, and fail thresholds |
 | Privacy model | Local-first, read-only scan commands, no LLM calls, no code upload |
-| Versioned Action tags | `v0.30.1`, `v0` |
-| Current release | `0.30.1` adds `--summary` for first-run launch triage and sharper fix directions for Stripe, Supabase, silent-success, and Next/Vercel findings |
+| Versioned Action tags | `v0.30.2`, `v0` |
+| Current release | `0.30.2` adds post-release quality tuning: lower-noise Vercel/Actions checks, focused launch-gate positioning docs, and hosted worker evidence boundaries |
 | npm publishing | Trusted Publisher/OIDC, no long-lived publish token |
 | Repository trust hardening | Strict branch protection, Dependabot, CodeQL, fast-check fuzzing, signed release provenance assets, private vulnerability reporting, secret scanning, and push protection |
 | Cloudflare hosted ingress | Deployed at `https://ai-saas-guard-hosted.zr9959.workers.dev`; signed GitHub App webhook delivery and compact Check Run smoke now pass in staging |
@@ -358,7 +360,7 @@ Use `suppressions` for narrower false-positive handling when one rule is noisy o
 
 ## GitHub Action
 
-The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.30.1` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
+The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.30.2` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
 
 ```yaml
 name: ai-saas-guard

package/dist/scanners/actions.js

@@ -101,7 +101,17 @@ function runsOnPullRequestOrPush(content) {
     return /^\s*(pull_request(?:_target)?|push):/im.test(content);
 }
 function hasCancelInProgressConcurrency(content) {
-    return /^\s*concurrency:/im.test(content) && /^\s*cancel-in-progress:\s*true\b/im.test(content);
+    if (!/^\s*concurrency:/im.test(content))
+        return false;
+    const match = /^\s*cancel-in-progress:\s*(.+?)\s*$/im.exec(content);
+    if (!match)
+        return false;
+    const value = match[1]?.trim() ?? "";
+    if (/^true\b/i.test(value))
+        return true;
+    if (/^\$\{\{[\s\S]*\}\}$/.test(value) && !/\bfalse\b/i.test(value))
+        return true;
+    return false;
 }
 function hasPathFilters(content) {
     return /^\s*(paths|paths-ignore):\s*$/im.test(content) || /^\s*(paths|paths-ignore):\s*\[/im.test(content);

package/dist/scanners/deploy.js

@@ -180,11 +180,18 @@ function isImportantServerEnv(name) {
     return /(STRIPE|SUPABASE|DATABASE|NEXTAUTH|AUTH|WEBHOOK|SECRET|TOKEN|OPENAI|ANTHROPIC|PAYMENT)/.test(name);
 }
 function hasSecurityHeaders(files) {
-    const combined = files
+    const nextOrMiddleware = files
         .filter((file) => /(^|\/)(next\.config\.[cm]?[jt]s|middleware\.[cm]?[jt]s)$/i.test(file.path))
         .map((file) => file.content)
         .join("\n");
-    return /\bheaders\s*\(/i.test(combined) && /(X-Frame-Options|Content-Security-Policy|X-Content-Type-Options|Referrer-Policy)/i.test(combined);
+    if (/\bheaders\s*\(/i.test(nextOrMiddleware) && hasBrowserSecurityHeaderNames(nextOrMiddleware))
+        return true;
+    return files.some((file) => {
+        return /(^|\/)vercel\.json$/i.test(file.path) && /"headers"\s*:/i.test(file.content) && hasBrowserSecurityHeaderNames(file.content);
+    });
+}
+function hasBrowserSecurityHeaderNames(content) {
+    return /(X-Frame-Options|Content-Security-Policy|X-Content-Type-Options|Referrer-Policy)/i.test(content);
 }
 function usesUnboundedNextImage(path, content, nextConfigContent) {
     if (/next\.config\.(ts|js|mjs|cjs)$/.test(path) && /remotePatterns[\s\S]{0,240}hostname\s*:\s*["'](?:\*\*|\*)["']/i.test(content))

package/docs/README.zh-CN.md

@@ -123,6 +123,8 @@ Next steps
 | 工具和 CI 权限是不是过大？ | MCP side-effect 分类、本地 policy/receipt 模板、GitHub Actions 权限、concurrency、checkout depth、Action pinning |
 | reviewer 能不能看懂 AI PR？ | `pr-risk` 对 auth、billing、RLS、deploy、API、storage、测试、silent-success、缺 spec context 和大型 diff 排序 |
 
+如果想看它和 Semgrep、zizmor、OpenSSF Scorecard、Snyk、GitHub code scanning 的边界区别，见 [launch-gate-positioning.md](launch-gate-positioning.md)。
+
 ## 快速开始
 
 无需全局安装，直接运行：
@@ -167,18 +169,18 @@ node dist/cli.js scan --root /path/to/your-saas
 
 这个仓库是公开 GitHub 仓库。
 
-CLI 已发布到 npm：`ai-saas-guard@0.30.1`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.30.1`。
+CLI 已发布到 npm：`ai-saas-guard@0.30.2`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.30.2`。
 
 | 模块 | 状态 |
 | --- | --- |
 | 公开 GitHub 仓库 | 已可用 |
-| npm CLI | `ai-saas-guard@0.30.1` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.30.1` |
+| npm CLI | `ai-saas-guard@0.30.2` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.30.2` |
 | 输出格式 | 短 summary、Terminal、JSON、SARIF 和 PR markdown |
 | 项目配置 | `.ai-saas-guard.json` 支持规则开关、severity 覆盖、suppressions 和 fail threshold |
 | 隐私模型 | 本地优先、只读扫描、不调用 LLM、不上传代码 |
-| 当前版本 | `0.30.1` 增加首次使用的 `--summary` 输出，并强化 Stripe、Supabase、silent-success、Next/Vercel finding 的具体修复方向 |
-| Action 标签 | `v0.30.1`、`v0` |
+| 当前版本 | `0.30.2` 做发布后质量优化：降低 Vercel/Actions 误报、增加 launch-gate 定位文档，并补 hosted worker 证据边界 |
+| Action 标签 | `v0.30.2`、`v0` |
 | npm 发布 | GitHub Actions Trusted Publisher/OIDC，无需长期 npm token |
 | 仓库可信度加固 | 严格 branch protection、Dependabot、CodeQL、fast-check fuzzing、signed release provenance assets、private vulnerability reporting、secret scanning 和 push protection |
 | Cloudflare hosted ingress | 已部署到 `https://ai-saas-guard-hosted.zr9959.workers.dev`；签名 GitHub App webhook delivery 和 compact Check Run staging smoke 已通过 |

package/docs/hosted-operational-release-gate.md

@@ -137,6 +137,27 @@ Required evidence:
 
 The worker must not persist repository files across jobs.
 
+### Read-Only Checkout Worker Evidence
+
+For the first source checkout worker, the release blocks unless the deployed artifact records fresh evidence for both success and failure cleanup.
+
+Required proof:
+
+- checkout identity comes only from signed GitHub event fields and selected-repository installation scope.
+- repository token permissions are limited to `contents: read` for checkout.
+- runtime credentials reach git through temporary askpass material only.
+- the CLI phase runs after credential material is removed from the environment.
+- the worker command is fixed to the deterministic read-only `pr-risk --json` shape.
+- success deletes the worker checkout, askpass material, generated JSON/SARIF scratch files, and local package tarballs.
+- failure cleanup covers clone failure, timeout, CLI failure, malformed JSON output, Check Run write failure, cancellation, and process interruption.
+- cleanup failures create an operator-review event without returning raw source, raw diffs, installation tokens, checkout paths, private URLs, or low-level filesystem errors to users.
+
+### Log Boundary Evidence
+
+Before exposure, sample ingress, queue, worker, report, and Check Run logs for the release candidate. The sample may contain scan key, installation ID, repository ID, PR number, head SHA, scanner version, duration, summary counts, error class, and cleanup status.
+
+The sample must show no raw source, no raw diffs, no secrets, no installation tokens, no customer payloads, no private URLs, no checkout paths, and no untrusted PR prose.
+
 ## Dependency And Container Scanning
 
 Hosted releases must include dependency and container scanning for the deployed artifact.

package/docs/hosted-operations-evidence.md

@@ -29,6 +29,22 @@ The hosted release gate still requires fresh deployed evidence for:
 - dependency and container artifact scanning for the deployed worker image
 - retention and uninstall cleanup against the deployed provider stores
 
+## Read-Only Checkout Worker Evidence Checklist
+
+Before any hosted source checkout worker is exposed beyond staging, attach fresh evidence for each row below. The current Cloudflare ingress evidence above does not satisfy these rows because it publishes compact PR-risk signals without running a full source checkout scan worker.
+
+| Evidence area | Required proof | Status before hosted exposure |
+| --- | --- | --- |
+| Trusted checkout identity | Worker input is derived from signed GitHub event identity, selected-repository installation scope, and repository `contents: read`; PR title, body, branch names, README, and code cannot choose the repository, token scope, checkout path, or command | Required |
+| Runtime credential boundary | Installation credentials are passed to git only through temporary askpass material, are removed before the CLI scan phase, and are never returned in worker output, compact reports, Check Runs, or logs | Required |
+| Fixed scanner command | Worker runs the fixed read-only command shape `ai-saas-guard pr-risk --root <worker-checkout> --base <trusted-base-sha> --json` without shell parsing or PR-authored arguments | Required |
+| Success cleanup | A successful worker run deletes the checkout directory, askpass material, generated JSON/SARIF scratch files, and any local package tarballs | Required |
+| Failure cleanup | A failed clone, timeout, CLI non-zero exit, malformed JSON output, Check Run write failure, cancellation, or process interruption still attempts checkout deletion and records only a safe cleanup status | Required |
+| Log boundary | Logs may include scan key, installation ID, repository ID, PR number, head SHA, scanner version, duration, summary counts, error class, and cleanup status; logs must include no raw source, no raw diffs, no secrets, no installation tokens, no customer payloads, no private URLs, and no checkout paths | Required |
+| Retention boundary | Compact report retention and uninstall cleanup delete repository-scoped records and worker checkout references without exposing low-level cleanup errors | Required |
+
+Use the checklist above together with [hosted-operational-release-gate.md](hosted-operational-release-gate.md). The release remains blocked until deployed worker evidence covers success, failure cleanup, log boundary sampling, monitoring, rollback, and incident response.
+
 ## Smoke Procedure
 
 Use this sequence after each hosted Worker deployment:

package/docs/launch-gate-positioning.md

@@ -0,0 +1,33 @@
+# Launch Gate Positioning
+
+`ai-saas-guard` is a local-first launch gate for AI-built SaaS apps. It is focused on the code paths that decide whether a product is ready to invite users: auth, billing, tenant data, provider failure handling, deploy config, MCP tool power, GitHub Actions hygiene, and AI-heavy PR review.
+
+The narrow bet is simple: a founder or reviewer should know which launch-risk files to inspect first, what manual proof to run, and what fix direction to try before traffic reaches real users.
+
+## Where It Fits
+
+| Tool category | Typical strength | How ai-saas-guard fits beside it |
+| --- | --- | --- |
+| Semgrep | Broad customizable static rules across many languages and frameworks | Adds SaaS launch-specific heuristics and review wording for Stripe, Supabase, silent-success, Next/Vercel, MCP, Actions, and AI PR trust boundaries |
+| zizmor | Deep GitHub Actions security analysis | Adds a smaller launch-readiness hygiene check for workflow permissions, PR concurrency, docs-only CI cost, shallow checkout risk, and first-run guidance |
+| OpenSSF Scorecard | Repository supply-chain posture signals | Adds app-level launch triage inside the repo, while Scorecard remains useful for public project maintenance controls |
+| Snyk and dependency scanners | Dependency, container, license, and known-vulnerability workflows | Adds local source review for SaaS trust-boundary mistakes that may not be dependency vulnerabilities |
+| GitHub code scanning | SARIF ingestion and code-security workflow inside GitHub | Emits SARIF, but keeps the primary workflow local-first and focused on launch review queues |
+
+## What It Optimizes For
+
+- local-first: source stays on the machine or in the caller's CI job
+- deterministic: no LLM calls and no code upload
+- founder-readable output: severity, rule ID, file evidence, why, manual proof, and fix direction
+- AI-built SaaS launch risk: not every static-analysis finding, only the paths likely to break auth, billing, data access, deploy, or review trust
+- PR triage: ranking trust-boundary files before cosmetic or unrelated AI-generated changes
+
+## What It Does Not Try To Be
+
+- not a general vulnerability management platform
+- not a dependency advisory database
+- not a cloud posture dashboard
+- not a runtime WAF or MCP proxy
+- not a guarantee that an app is safe to launch
+
+Use it as a short, evidence-first launch review queue alongside dependency scanning, repository hardening, code scanning, manual two-account authorization tests, Stripe webhook replay, deploy-preview checks, and human review.

package/docs/npm-publishing.md

@@ -5,11 +5,11 @@
 ## Current State
 
 - Package name: `ai-saas-guard`
-- Current published version: `0.30.1`
+- Current published version: `0.30.2`
 - Next source candidate: none
 - npm registry state: published at <https://www.npmjs.com/package/ai-saas-guard>
 - First npm-published version: `0.1.1`
-- GitHub Release: `v0.30.1`
+- GitHub Release: `v0.30.2`
 - Publish workflow: `.github/workflows/npm-publish.yml`
 - Trusted Publisher: GitHub Actions, `zr9959/ai-saas-guard`, workflow `npm-publish.yml`, allowed action `npm publish`
 - Long-lived npm publish token: not required
@@ -18,7 +18,7 @@
 
 Use GitHub Actions with npm Trusted Publisher/OIDC:
 
-1. Create and review a release tag such as `v0.30.1`.
+1. Create and review a release tag such as `v0.30.2`.
 2. Publish from the GitHub Release or run the `Publish npm` workflow manually with `ref` set to that tag.
 3. Keep `permissions.id-token: write` in the workflow so npm can exchange the GitHub Actions OIDC identity for a short-lived publish credential.
 4. Run `npm publish --access public` from the workflow. Trusted publishing automatically generates provenance for this public package from this public repository.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-saas-guard",
-  "version": "0.30.1",
+  "version": "0.30.2",
   "description": "Local-first CLI that catches launch blockers in AI-built Next.js/Supabase/Stripe SaaS apps.",
   "readmeFilename": "README.md",
   "type": "module",