ai-saas-guard 0.30.2 → 0.31.0

package/README.md

@@ -187,13 +187,13 @@ The CLI is published on npm as `ai-saas-guard`, and the GitHub Action is availab
 | Area | Status |
 | --- | --- |
 | Public GitHub repository | Available |
-| npm CLI | `ai-saas-guard@0.30.2` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.30.2` |
+| npm CLI | `ai-saas-guard@0.31.0` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.31.0` |
 | Outputs | Short summary, terminal, JSON, SARIF, and PR-focused markdown |
 | Project config | `.ai-saas-guard.json` rule toggles, severity overrides, suppressions, and fail thresholds |
 | Privacy model | Local-first, read-only scan commands, no LLM calls, no code upload |
-| Versioned Action tags | `v0.30.2`, `v0` |
-| Current release | `0.30.2` adds post-release quality tuning: lower-noise Vercel/Actions checks, focused launch-gate positioning docs, and hosted worker evidence boundaries |
+| Versioned Action tags | `v0.31.0`, `v0` |
+| Current release | `0.31.0` adds executable hosted staging evidence: success/failure cleanup probes, log-boundary validation, stricter read-only checkout worker boundaries, and release-gate evaluation from evidence bundles |
 | npm publishing | Trusted Publisher/OIDC, no long-lived publish token |
 | Repository trust hardening | Strict branch protection, Dependabot, CodeQL, fast-check fuzzing, signed release provenance assets, private vulnerability reporting, secret scanning, and push protection |
 | Cloudflare hosted ingress | Deployed at `https://ai-saas-guard-hosted.zr9959.workers.dev`; signed GitHub App webhook delivery and compact Check Run smoke now pass in staging |
@@ -304,13 +304,13 @@ The hosted GitHub App deployment planner is documented in [docs/github-app-deplo
 
 The hosted production adapter layer is documented in [docs/hosted-production-adapters.md](docs/hosted-production-adapters.md). It exports `createHostedGitHubAppJwt`, `planHostedGitHubInstallationTokenRequest`, and `planHostedProductionWorkerExecution` from `ai-saas-guard/hosted/production-adapters`. It adds RS256 GitHub App JWT generation, selected-repository installation-token request plans, separate worker and Check Run token scopes, a fixed read-only worker command, bounded timeout and output budgets, compact JSON-only output, and cleanup plans for success, failure, timeout, and cancellation. It still does not expose a public hosted service by itself.
 
-The hosted read-only checkout worker is exported from `ai-saas-guard/hosted/worker`. It creates a temporary checkout from trusted GitHub App identity, uses a runtime installation token only through git askpass, runs the fixed `ai-saas-guard pr-risk --json` command with bounded timeout/output, converts CLI JSON into compact findings, and deletes the checkout after success or failure. It does not return source, diffs, secrets, checkout paths, PR-authored commands, or installation tokens.
+The hosted read-only checkout worker is exported from `ai-saas-guard/hosted/worker`. It creates a temporary checkout from trusted GitHub App identity, uses a runtime installation token only through git askpass, removes askpass material before the CLI phase, rejects mutated command/checkout/token-scope plans, runs the fixed `ai-saas-guard pr-risk --json` command with bounded timeout/output, converts CLI JSON into compact findings, and deletes the checkout after success or failure. It does not return source, diffs, secrets, checkout paths, PR-authored commands, or installation tokens.
 
 The hosted Node/container app skeleton is documented in [docs/hosted-node-container-app.md](docs/hosted-node-container-app.md). It exports `createHostedHttpApp`, `createInMemoryHostedAppPlatform`, `createHostedNodeCheckoutAppPlatform`, and `planHostedNodeContainerDeployment` from `ai-saas-guard/hosted/app`. It adds a safe `/healthz` route, signed `/github/webhook` ingress, one-job worker tick, in-memory provider adapters for tests, a concrete read-only checkout worker composition with visible timeout/output safety budgets, and deployment-plan validation for secret manager, queue, compact report store, worker sandbox, and GitHub Checks publisher references. It still does not deploy or expose a public hosted service by itself.
 
 The hosted staging deployment planner is documented in [docs/hosted-staging-deployment.md](docs/hosted-staging-deployment.md). It exports `planHostedProviderBinding`, `planHostedStagingDeployment`, and `planHostedGitHubAppPromotion` from `ai-saas-guard/hosted/staging`. It composes real provider references, the Node/container deployment plan, hosted operational release-gate evidence, and GitHub App deployment planning so staging and production promotion stay blocked until the required queue, store, worker sandbox, Check Run publisher, logs, metrics, rollback, and incident-response references are present. It still does not call a cloud provider, create a GitHub App, or expose a public hosted service by itself.
 
-The hosted staging harness is documented in [docs/hosted-staging-harness.md](docs/hosted-staging-harness.md). It exports `createFileBackedHostedStagingHarness` and `createHostedStagingHarnessEvidence` from `ai-saas-guard/hosted/staging-harness`. It runs signed webhook replay through the provider-independent hosted runtime with local file-backed queue, compact report, and Check Run adapters, then verifies worker sandbox cleanup. It is a staging rehearsal tool only; it does not call cloud providers, create a GitHub App, publish live Check Runs, or expose a public hosted service.
+The hosted staging harness is documented in [docs/hosted-staging-harness.md](docs/hosted-staging-harness.md). It exports `createFileBackedHostedStagingHarness`, `createHostedStagingHarnessEvidence`, `createHostedStagingReleaseEvidenceBundle`, `evaluateHostedStagingReleaseEvidenceBundle`, and `validateHostedLogBoundary` from `ai-saas-guard/hosted/staging-harness`. It runs signed webhook replay through the provider-independent hosted runtime with local file-backed queue, compact report, and Check Run adapters, verifies worker sandbox cleanup, turns success/failure cleanup probes plus log-boundary samples into release-gate evidence, and evaluates the hosted gate without cloud calls. It is a staging rehearsal tool only; it does not call cloud providers, create a GitHub App, publish live Check Runs, or expose a public hosted service.
 
 The first live hosted ingress is deployed on Cloudflare Workers at `https://ai-saas-guard-hosted.zr9959.workers.dev` and documented in [hosted/cloudflare-worker/README.md](hosted/cloudflare-worker/README.md). It exposes `/healthz`, `/github/app/manifest-callback`, and signed `/github/webhook` intake backed by Cloudflare KV. A private staging GitHub App, `ai-saas-guard-hosted`, is installed on `zr9959/ai-saas-guard` with selected-repository access and the first-slice permission contract. The Worker verifies signatures, stores compact pull request identity records, exchanges a scoped installation token, fetches PR file metadata from GitHub, classifies PR-risk hotspots, and publishes a bounded Check Run summary. Current deployed evidence is tracked in [docs/hosted-operations-evidence.md](docs/hosted-operations-evidence.md): health, signed webhook delivery, compact KV records, cleanup, and Check Run publication pass for the staging smoke. The Cloudflare Worker still does not run a full source checkout scan worker or store raw webhook payloads, PR title/body text, raw diffs, source, secrets, checkout paths, or installation tokens.
 
@@ -360,7 +360,7 @@ Use `suppressions` for narrower false-positive handling when one rule is noisy o
 
 ## GitHub Action
 
-The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.30.2` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
+The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.31.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
 
 ```yaml
 name: ai-saas-guard

package/dist/hosted/service.js

@@ -173,7 +173,7 @@ export function createHostedServiceRuntime(options) {
                     cleanup
                 };
             }
-            catch {
+            catch (error) {
                 const cleanup = createHostedWorkerCheckoutCleanupPlan({
                     identity: queuedRecord.identity,
                     jobKey: queuedRecord.key,
@@ -186,6 +186,7 @@ export function createHostedServiceRuntime(options) {
                     processed: true,
                     status: "failed",
                     queueRecord: cloneQueueRecord(queuedRecord),
+                    reason: safeScanRunnerFailureReason(error),
                     errorClass: "scan_runner_failed",
                     workerPlan: acceptedWorkerPlan,
                     cleanup
@@ -194,6 +195,16 @@ export function createHostedServiceRuntime(options) {
         }
     };
 }
+function safeScanRunnerFailureReason(error) {
+    if (typeof error === "object" &&
+        error !== null &&
+        "safeReason" in error &&
+        typeof error.safeReason === "string" &&
+        /^[a-z][a-z0-9_]{1,80}$/.test(error.safeReason)) {
+        return error.safeReason;
+    }
+    return "scan_runner_failed";
+}
 function rejectWebhookRequest(stage, reason, deliveryId) {
     return {
         accepted: false,

package/dist/hosted/staging-harness.d.ts

@@ -1,5 +1,5 @@
-import { type HostedOperationalReleaseGateEvidence } from "./contracts.js";
-import { type HostedServiceRuntimeOptions, type HostedServiceScanRunnerResult, type HostedServiceWebhookStage } from "./service.js";
+import { type HostedOperationalReleaseGateDecision, type HostedOperationalReleaseGateEvidence } from "./contracts.js";
+import { type HostedServiceRuntimeOptions, type HostedServiceScanRunnerInput, type HostedServiceScanRunnerResult, type HostedServiceWebhookStage } from "./service.js";
 type RepositoryIdSource = HostedServiceRuntimeOptions["selectedRepositoryIdsByInstallation"];
 export interface FileBackedHostedStagingHarnessOptions {
     rootDir: string;
@@ -7,7 +7,7 @@ export interface FileBackedHostedStagingHarnessOptions {
     scannerVersion: string;
     selectedRepositoryIdsByInstallation: RepositoryIdSource;
     removedRepositoryIdsByInstallation?: RepositoryIdSource;
-    scanResult: HostedServiceScanRunnerResult;
+    scanResult: HostedServiceScanRunnerResult | ((input: HostedServiceScanRunnerInput) => HostedServiceScanRunnerResult | Promise<HostedServiceScanRunnerResult>);
     now?: () => string;
 }
 export interface FileBackedHostedStagingHarness {
@@ -59,6 +59,7 @@ export type HostedStagingHarnessWorkerTickResult = {
     status: "failed";
     errorClass: "worker_plan_rejected" | "check_run_publication_rejected" | "scan_runner_failed";
     reason?: string;
+    safeFailureReason?: string;
     workerSandboxDeleted: boolean;
     activeWorkerSandboxCount: number;
     cleanupVerified: boolean;
@@ -80,6 +81,67 @@ export interface HostedStagingHarnessPrivacy {
     includesInstallationToken: false;
     claimsLiveHostedService: false;
 }
+export type HostedLogBoundaryBlockedReason = "raw_source" | "raw_diff" | "secret_value" | "customer_payload" | "installation_token" | "checkout_path" | "private_url" | "untrusted_pr_text";
+export interface HostedLogBoundaryForbiddenInput {
+    rawSource?: string;
+    rawDiff?: string;
+    secretValues?: string[];
+    customerPayloads?: string[];
+    installationTokens?: string[];
+    checkoutPaths?: string[];
+    privateUrls?: string[];
+    untrustedPrText?: string[];
+}
+export interface HostedLogBoundaryValidationInput {
+    samples: unknown[];
+    forbidden: HostedLogBoundaryForbiddenInput;
+}
+export interface HostedLogBoundaryValidation {
+    accepted: boolean;
+    sampleCount: number;
+    blockedReasons: HostedLogBoundaryBlockedReason[];
+    allowedFields: string[];
+    privacy: HostedStagingHarnessPrivacy;
+}
+export interface HostedStagingReleaseEvidenceBundleInput {
+    collectedAt: string;
+    evidenceBaseUrl: string;
+    owner: string;
+    webhookReplays: HostedStagingHarnessReplayResult[];
+    workerTicks: HostedStagingHarnessWorkerTickResult[];
+    logBoundary: HostedLogBoundaryValidation;
+    externalEvidence: HostedOperationalReleaseGateEvidence[];
+    requiredFailureReasons?: string[];
+}
+export interface HostedStagingReleaseEvidenceBundle {
+    readyForReleaseGate: boolean;
+    evidence: HostedOperationalReleaseGateEvidence[];
+    releaseGateInput: {
+        evidence: HostedOperationalReleaseGateEvidence[];
+    };
+    scenarioSummary: {
+        webhookReplayAccepted: boolean;
+        completedWorkerProbe: boolean;
+        failureCleanupProbe: boolean;
+        observedFailureReasons: string[];
+        allWorkerCheckoutsDeleted: boolean;
+        logBoundaryAccepted: boolean;
+    };
+    privacy: HostedStagingHarnessPrivacy;
+}
+export interface HostedStagingReleaseEvidenceGateInput {
+    bundle: HostedStagingReleaseEvidenceBundle;
+    commitSha: string;
+    scannerVersion: string;
+    deploymentTarget: string;
+    evaluatedAt: string;
+    releaseNotes: string;
+    containerImageDigest: string;
+    maxEvidenceAgeDays?: number;
+}
 export declare function createFileBackedHostedStagingHarness(options: FileBackedHostedStagingHarnessOptions): FileBackedHostedStagingHarness;
 export declare function createHostedStagingHarnessEvidence(input: HostedStagingHarnessEvidenceInput): HostedOperationalReleaseGateEvidence[];
+export declare function validateHostedLogBoundary(input: HostedLogBoundaryValidationInput): HostedLogBoundaryValidation;
+export declare function createHostedStagingReleaseEvidenceBundle(input: HostedStagingReleaseEvidenceBundleInput): HostedStagingReleaseEvidenceBundle;
+export declare function evaluateHostedStagingReleaseEvidenceBundle(input: HostedStagingReleaseEvidenceGateInput): HostedOperationalReleaseGateDecision;
 export {};

package/dist/hosted/staging-harness.js

@@ -1,6 +1,6 @@
 import { mkdir, readdir, rm, writeFile } from "node:fs/promises";
 import { join } from "node:path";
-import { HOSTED_OPERATIONAL_RELEASE_GATE_REQUIREMENTS } from "./contracts.js";
+import { evaluateHostedOperationalReleaseGate, HOSTED_OPERATIONAL_RELEASE_GATE_REQUIREMENTS } from "./contracts.js";
 import { createHostedServiceRuntime } from "./service.js";
 export function createFileBackedHostedStagingHarness(options) {
     const paths = hostedStagingHarnessPaths(options.rootDir);
@@ -16,12 +16,16 @@ export function createFileBackedHostedStagingHarness(options) {
         queue,
         compactReportStore: reportStore,
         checkRunPublisher,
-        scanRunner: async ({ queueRecord }) => {
+        scanRunner: async (input) => {
+            const { queueRecord } = input;
             const sandboxPath = join(paths.workerSandboxRoot, safeFileSegment(queueRecord.key));
             workerSandboxPaths.add(sandboxPath);
             await mkdir(sandboxPath, { recursive: true });
-            await writeFile(join(sandboxPath, "source.ts"), options.scanResult.rawSource ?? "", "utf8");
-            return options.scanResult;
+            const scanResult = typeof options.scanResult === "function"
+                ? await options.scanResult(input)
+                : options.scanResult;
+            await writeFile(join(sandboxPath, "source.ts"), scanResult.rawSource ?? "", "utf8");
+            return scanResult;
         },
         now: options.now
     });
@@ -77,6 +81,7 @@ export function createFileBackedHostedStagingHarness(options) {
                 status: "failed",
                 errorClass: result.errorClass,
                 ...(result.reason === undefined ? {} : { reason: result.reason }),
+                ...(result.reason === undefined ? {} : { safeFailureReason: result.reason }),
                 workerSandboxDeleted: activeWorkerSandboxCount === 0,
                 activeWorkerSandboxCount,
                 cleanupVerified: (result.cleanup?.shouldDeleteWorkerCheckout ?? true) && activeWorkerSandboxCount === 0,
@@ -95,6 +100,171 @@ export function createHostedStagingHarnessEvidence(input) {
         owner: input.owner
     }));
 }
+export function validateHostedLogBoundary(input) {
+    const serializedSamples = input.samples.map((sample) => JSON.stringify(sample)).join("\n");
+    const blockedReasons = new Set();
+    markIfContains(blockedReasons, serializedSamples, input.forbidden.rawSource, "raw_source");
+    markIfContains(blockedReasons, serializedSamples, input.forbidden.rawDiff, "raw_diff");
+    markIfContainsAny(blockedReasons, serializedSamples, input.forbidden.secretValues, "secret_value");
+    markIfContainsAny(blockedReasons, serializedSamples, input.forbidden.customerPayloads, "customer_payload");
+    markIfContainsAny(blockedReasons, serializedSamples, input.forbidden.installationTokens, "installation_token");
+    markIfContainsAny(blockedReasons, serializedSamples, input.forbidden.checkoutPaths, "checkout_path");
+    markIfContainsAny(blockedReasons, serializedSamples, input.forbidden.privateUrls, "private_url");
+    markIfContainsAny(blockedReasons, serializedSamples, input.forbidden.untrustedPrText, "untrusted_pr_text");
+    if (/\bgh[opsu]_[A-Za-z0-9_]{8,}\b/.test(serializedSamples)) {
+        blockedReasons.add("installation_token");
+    }
+    if (/\b(?:sk_(?:live|test)|whsec_)[A-Za-z0-9_]+\b|-----BEGIN [A-Z ]+-----/.test(serializedSamples)) {
+        blockedReasons.add("secret_value");
+    }
+    return {
+        accepted: blockedReasons.size === 0,
+        sampleCount: input.samples.length,
+        blockedReasons: [...blockedReasons].sort(),
+        allowedFields: [
+            "scanKey",
+            "installationId",
+            "repositoryId",
+            "pullRequestNumber",
+            "headSha",
+            "scannerVersion",
+            "durationMs",
+            "summaryCounts",
+            "errorClass",
+            "cleanupStatus"
+        ],
+        privacy: hostedStagingHarnessPrivacy()
+    };
+}
+export function createHostedStagingReleaseEvidenceBundle(input) {
+    const externalEvidence = new Map(input.externalEvidence.map((evidence) => [evidence.id, sanitizeEvidence(evidence, input)]));
+    const scenarioSummary = hostedStagingScenarioSummary(input);
+    const evidence = HOSTED_OPERATIONAL_RELEASE_GATE_REQUIREMENTS.map((requirement) => {
+        const generated = generatedEvidenceFor(requirement.id, input, scenarioSummary);
+        return generated ?? externalEvidence.get(requirement.id) ?? missingEvidence(requirement.id, input);
+    });
+    const readyForReleaseGate = evidence.every((item) => item.status === "passed");
+    return {
+        readyForReleaseGate,
+        evidence,
+        releaseGateInput: { evidence },
+        scenarioSummary,
+        privacy: hostedStagingHarnessPrivacy()
+    };
+}
+export function evaluateHostedStagingReleaseEvidenceBundle(input) {
+    return evaluateHostedOperationalReleaseGate({
+        commitSha: input.commitSha,
+        scannerVersion: input.scannerVersion,
+        deploymentTarget: input.deploymentTarget,
+        evaluatedAt: input.evaluatedAt,
+        evidence: input.bundle.evidence,
+        releaseNotes: input.releaseNotes,
+        containerImageDigest: input.containerImageDigest,
+        maxEvidenceAgeDays: input.maxEvidenceAgeDays
+    });
+}
+function hostedStagingScenarioSummary(input) {
+    const processedWorkers = input.workerTicks.filter((tick) => tick.processed);
+    const webhookReplayAccepted = input.webhookReplays.some((replay) => replay.accepted && replay.queuedWorker && replay.shouldCreateCheckRun);
+    const completedWorkerProbe = processedWorkers.some((tick) => tick.status === "completed" && tick.cleanupVerified);
+    const observedFailureReasons = [
+        ...new Set(processedWorkers.flatMap((tick) => tick.status === "failed" && tick.cleanupVerified && tick.safeFailureReason
+            ? [tick.safeFailureReason]
+            : []))
+    ].sort();
+    const requiredFailureReasons = input.requiredFailureReasons ?? [];
+    const failureCleanupProbe = requiredFailureReasons.length
+        ? requiredFailureReasons.every((reason) => observedFailureReasons.includes(reason))
+        : processedWorkers.some((tick) => tick.status === "failed" && tick.cleanupVerified);
+    const allWorkerCheckoutsDeleted = processedWorkers.length > 0 &&
+        processedWorkers.every((tick) => tick.workerSandboxDeleted &&
+            tick.activeWorkerSandboxCount === 0 &&
+            tick.cleanupVerified);
+    return {
+        webhookReplayAccepted,
+        completedWorkerProbe,
+        failureCleanupProbe,
+        observedFailureReasons,
+        allWorkerCheckoutsDeleted,
+        logBoundaryAccepted: input.logBoundary.accepted
+    };
+}
+function generatedEvidenceFor(id, input, summary) {
+    if (id === "webhook_replay") {
+        return summary.webhookReplayAccepted
+            ? passedEvidence(id, "Signed webhook replay queued a check-run-only worker from trusted fields.", input)
+            : missingEvidence(id, input);
+    }
+    if (id === "queue_worker_cleanup") {
+        return summary.completedWorkerProbe &&
+            summary.failureCleanupProbe &&
+            summary.allWorkerCheckoutsDeleted
+            ? passedEvidence(id, "Success and failure worker probes deleted worker checkouts and recorded cleanup-safe status.", input)
+            : missingEvidence(id, input);
+    }
+    if (id === "privacy_retention") {
+        return input.logBoundary.sampleCount > 0 && summary.logBoundaryAccepted && privacyFlagsAreSafe(input)
+            ? passedEvidence(id, "Log boundary accepted safe metadata only and compact reports avoided raw payloads.", input)
+            : missingEvidence(id, input);
+    }
+    if (id === "release_cleanup") {
+        return summary.allWorkerCheckoutsDeleted
+            ? passedEvidence(id, "Release cleanup probe left no active staging worker sandbox entries.", input)
+            : missingEvidence(id, input);
+    }
+    return undefined;
+}
+function privacyFlagsAreSafe(input) {
+    const replayPrivacySafe = input.webhookReplays.every((replay) => Object.values(replay.privacy).every((value) => value === false));
+    const workerPrivacySafe = input.workerTicks.every((tick) => Object.values(tick.privacy).every((value) => value === false));
+    const logPrivacySafe = Object.values(input.logBoundary.privacy).every((value) => value === false);
+    return replayPrivacySafe && workerPrivacySafe && logPrivacySafe;
+}
+function sanitizeEvidence(evidence, input) {
+    return {
+        id: evidence.id,
+        status: evidence.status,
+        ...(evidence.collectedAt === undefined
+            ? { collectedAt: input.collectedAt }
+            : { collectedAt: evidence.collectedAt }),
+        ...(evidence.evidenceUrl === undefined ? {} : { evidenceUrl: evidence.evidenceUrl }),
+        note: `External release-gate evidence recorded for ${evidence.id}.`,
+        ...(evidence.owner === undefined ? { owner: input.owner } : { owner: evidence.owner })
+    };
+}
+function passedEvidence(id, note, input) {
+    return {
+        id,
+        status: "passed",
+        collectedAt: input.collectedAt,
+        evidenceUrl: evidenceUrlFor(input, id),
+        note,
+        owner: input.owner
+    };
+}
+function missingEvidence(id, input) {
+    return {
+        id,
+        status: "missing",
+        collectedAt: input.collectedAt,
+        note: `Missing executable staging evidence for ${id}.`,
+        owner: input.owner
+    };
+}
+function evidenceUrlFor(input, id) {
+    return `${input.evidenceBaseUrl.replace(/\/+$/, "")}/${id}.json`;
+}
+function markIfContains(blockedReasons, haystack, value, reason) {
+    if (value && haystack.includes(value)) {
+        blockedReasons.add(reason);
+    }
+}
+function markIfContainsAny(blockedReasons, haystack, values, reason) {
+    for (const value of values ?? []) {
+        markIfContains(blockedReasons, haystack, value, reason);
+    }
+}
 function hostedStagingHarnessPaths(rootDir) {
     const queueDir = join(rootDir, "queue");
     const reportDir = join(rootDir, "reports");

package/dist/hosted/worker.js

@@ -34,6 +34,9 @@ export async function runHostedReadOnlyCheckoutScan(input, options) {
     if (!plan.accepted || !plan.readOnly || !checkout || !cli || cli.writeMode !== "read_only") {
         throw new HostedReadOnlyCheckoutScanError("invalid_worker_plan");
     }
+    if (!isTrustedFixedReadOnlyPlan(input)) {
+        throw new HostedReadOnlyCheckoutScanError("invalid_worker_plan");
+    }
     const repository = parseRepositoryFullName(checkout.repositoryFullName);
     if (!repository) {
         throw new HostedReadOnlyCheckoutScanError("invalid_repository_full_name");
@@ -76,6 +79,7 @@ export async function runHostedReadOnlyCheckoutScan(input, options) {
         await runCommand(options, gitSecretEnv, commandSpec("git_fetch_head", gitCommand, ["fetch", "--no-tags", "--depth", String(fetchDepth), "origin", checkout.targetCommitSha], checkoutDir, gitEnv, timeoutMs, maxOutputBytes));
         await runCommand(options, gitSecretEnv, commandSpec("git_fetch_base", gitCommand, ["fetch", "--no-tags", "--depth", String(fetchDepth), "origin", checkout.baseSha], checkoutDir, gitEnv, timeoutMs, maxOutputBytes));
         await runCommand(options, gitSecretEnv, commandSpec("git_checkout", gitCommand, ["checkout", "--detach", checkout.targetCommitSha], checkoutDir, gitEnv, timeoutMs, maxOutputBytes));
+        await rm(askpassPath, { force: true });
         const cliEnv = safeWorkerEnv(checkoutDir);
         const cliArgs = cli.args.map((arg) => arg === "<worker-checkout>" ? checkoutDir : arg);
         const cliResult = await runCommand(options, {}, commandSpec("cli_scan", options.cliCommand ?? cli.command, cliArgs, checkoutDir, cliEnv, timeoutMs, maxOutputBytes));
@@ -143,6 +147,53 @@ function compactScanRunnerResult(stdout) {
         throw new HostedReadOnlyCheckoutScanError("invalid_cli_output");
     }
 }
+function isTrustedFixedReadOnlyPlan(input) {
+    const { plan, queueRecord } = input;
+    const { checkout, cli, installationTokenScope, output } = plan;
+    const identity = queueRecord.identity;
+    if (!checkout || !cli || !installationTokenScope || !output)
+        return false;
+    const expectedCliArgs = [
+        "pr-risk",
+        "--root",
+        "<worker-checkout>",
+        "--base",
+        identity.baseSha,
+        "--json"
+    ];
+    return (plan.jobKey === queueRecord.key &&
+        plan.readOnly === true &&
+        plan.shouldFetchSource === true &&
+        plan.shouldRunCli === true &&
+        plan.shouldPersistRawSource === false &&
+        plan.shouldPersistRawDiffs === false &&
+        plan.shouldCreatePrComment === false &&
+        installationTokenScope.installationId === identity.installationId &&
+        installationTokenScope.repositoryId === identity.repositoryId &&
+        installationTokenScope.permissions.contents === "read" &&
+        installationTokenScope.selectedRepositoryOnly === true &&
+        checkout.repositoryId === identity.repositoryId &&
+        checkout.repositoryFullName === identity.repositoryFullName &&
+        checkout.pullRequestNumber === identity.pullRequestNumber &&
+        checkout.baseSha === identity.baseSha &&
+        checkout.targetCommitSha === identity.headSha &&
+        checkout.directoryScope === "temporary_worker_directory" &&
+        checkout.cleanupRequired === true &&
+        checkout.returnsCheckoutPath === false &&
+        cli.command === "ai-saas-guard" &&
+        cli.workingDirectory === "<worker-checkout>" &&
+        cli.networkAccess === "disabled" &&
+        cli.writeMode === "read_only" &&
+        arraysEqual(cli.args, expectedCliArgs) &&
+        output.compactJsonOnly === true &&
+        output.persistRawSource === false &&
+        output.persistRawDiffs === false &&
+        output.persistSecrets === false &&
+        output.persistCustomerPayloads === false);
+}
+function arraysEqual(left, right) {
+    return left.length === right.length && left.every((value, index) => value === right[index]);
+}
 function compactFinding(value) {
     if (!isRecord(value))
         return [];

package/docs/README.zh-CN.md

@@ -169,18 +169,18 @@ node dist/cli.js scan --root /path/to/your-saas
 
 这个仓库是公开 GitHub 仓库。
 
-CLI 已发布到 npm：`ai-saas-guard@0.30.2`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.30.2`。
+CLI 已发布到 npm：`ai-saas-guard@0.31.0`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.31.0`。
 
 | 模块 | 状态 |
 | --- | --- |
 | 公开 GitHub 仓库 | 已可用 |
-| npm CLI | `ai-saas-guard@0.30.2` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.30.2` |
+| npm CLI | `ai-saas-guard@0.31.0` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.31.0` |
 | 输出格式 | 短 summary、Terminal、JSON、SARIF 和 PR markdown |
 | 项目配置 | `.ai-saas-guard.json` 支持规则开关、severity 覆盖、suppressions 和 fail threshold |
 | 隐私模型 | 本地优先、只读扫描、不调用 LLM、不上传代码 |
-| 当前版本 | `0.30.2` 做发布后质量优化：降低 Vercel/Actions 误报、增加 launch-gate 定位文档，并补 hosted worker 证据边界 |
-| Action 标签 | `v0.30.2`、`v0` |
+| 当前版本 | `0.31.0` 增加可执行 hosted staging evidence：成功/失败 cleanup probes、log-boundary validation、更严格的 read-only checkout worker 边界，以及从 evidence bundle 直接评估 release gate |
+| Action 标签 | `v0.31.0`、`v0` |
 | npm 发布 | GitHub Actions Trusted Publisher/OIDC，无需长期 npm token |
 | 仓库可信度加固 | 严格 branch protection、Dependabot、CodeQL、fast-check fuzzing、signed release provenance assets、private vulnerability reporting、secret scanning 和 push protection |
 | Cloudflare hosted ingress | 已部署到 `https://ai-saas-guard-hosted.zr9959.workers.dev`；签名 GitHub App webhook delivery 和 compact Check Run staging smoke 已通过 |
@@ -359,13 +359,13 @@ GitHub Marketplace wrapper 决策见 [docs/github-marketplace-wrapper-decision.m
 - pull request webhook intake planner：先验签，再解析 payload、生成可信 identity、校验 selected-repository scope，并默认只走 check-run-only 输出
 - durable scan queue planner：同一个 trusted scan key 的 queued/running/completed job 会复用，不重复排 worker，也不会把源码、diff、secret 或 PR 正文放进队列 payload
 - worker read-only scan planner：只用 trusted identity 规划临时 worker checkout，要求 repository `contents: read`，固定运行 `ai-saas-guard pr-risk --json`，并忽略 PR 正文里的 repo 名、token scope 或命令
-- hosted read-only checkout worker：`ai-saas-guard/hosted/worker` 导出 `createHostedReadOnlyCheckoutScanRunner`，从 trusted GitHub App identity 创建临时 checkout，只通过 git askpass 使用 runtime installation token，运行固定 `ai-saas-guard pr-risk --json`，把 CLI JSON 转成 compact findings，并在成功或失败后删除 checkout；不会返回源码、diff、secret、checkout path、PR 里写的命令或 installation token
+- hosted read-only checkout worker：`ai-saas-guard/hosted/worker` 导出 `createHostedReadOnlyCheckoutScanRunner`，从 trusted GitHub App identity 创建临时 checkout，只通过 git askpass 使用 runtime installation token，在 CLI 阶段前移除 askpass material，拒绝被篡改的 command/checkout/token-scope plan，运行固定 `ai-saas-guard pr-risk --json`，把 CLI JSON 转成 compact findings，并在成功或失败后删除 checkout；不会返回源码、diff、secret、checkout path、PR 里写的命令或 installation token
 - hosted service runtime：`ai-saas-guard/hosted/service` 导出 `createHostedServiceRuntime`，把签名 webhook intake、幂等 queue upsert、read-only worker 编排、compact report 存储、Check Run 发布 adapter 和 worker cleanup 串成可测试的服务核心；它本身不部署公开 hosted 环境
 - GitHub App deployment planner：`ai-saas-guard/hosted/github-app` 导出 `planHostedGitHubAppDeployment`，生成 first slice 最小权限 manifest，并在 release gate、公开 HTTPS URL、container digest、secret 引用、原始 secret 输入、permission 或 event 不安全时阻止创建
 - Hosted production adapter layer：`ai-saas-guard/hosted/production-adapters` 导出 `createHostedGitHubAppJwt`、`planHostedGitHubInstallationTokenRequest` 和 `planHostedProductionWorkerExecution`，用于 GitHub App RS256 JWT、selected-repository installation token 请求规划、worker/check-run 分离 token scope、固定只读 worker 命令、timeout/output 预算、compact JSON-only 输出，以及 success/failure/timeout/cancellation 的 cleanup 规划；它本身仍然不部署公开 hosted 服务
 - Hosted Node/container app skeleton：`ai-saas-guard/hosted/app` 导出 `createHostedHttpApp`、`createInMemoryHostedAppPlatform`、`createHostedNodeCheckoutAppPlatform` 和 `planHostedNodeContainerDeployment`，提供安全 `/healthz`、签名 `/github/webhook` ingress、单 job worker tick、测试用 in-memory provider adapters、真实 read-only checkout worker 组合入口、可见 timeout/output 安全预算，以及 secret manager、queue、compact report store、worker sandbox、GitHub Checks publisher 的部署引用校验；它本身仍然不部署或暴露公开 hosted 服务
 - Hosted staging deployment planner：`ai-saas-guard/hosted/staging` 导出 `planHostedProviderBinding`、`planHostedStagingDeployment` 和 `planHostedGitHubAppPromotion`，把真实 provider 引用、Node/container deployment plan、hosted operational release-gate evidence 和 GitHub App deployment planning 组合起来；缺少 queue、store、worker sandbox、Check Run publisher、logs、metrics、rollback 或 incident-response 引用时，会阻止 staging exposure 和 production promotion；它本身仍然不会调用云平台、创建 GitHub App 或暴露公开 hosted 服务
-- Hosted staging harness：`ai-saas-guard/hosted/staging-harness` 导出 `createFileBackedHostedStagingHarness` 和 `createHostedStagingHarnessEvidence`，可以在本地用 file-backed queue、compact report、Check Run request 和 worker sandbox 跑通签名 webhook replay、worker tick 和 cleanup 校验；它只是 staging 演练工具，不会调用云平台、创建 GitHub App、写真实 Check Run 或暴露公开 hosted 服务
+- Hosted staging harness：`ai-saas-guard/hosted/staging-harness` 导出 `createFileBackedHostedStagingHarness`、`createHostedStagingHarnessEvidence`、`createHostedStagingReleaseEvidenceBundle`、`evaluateHostedStagingReleaseEvidenceBundle` 和 `validateHostedLogBoundary`，可以在本地用 file-backed queue、compact report、Check Run request 和 worker sandbox 跑通签名 webhook replay、worker tick 和 cleanup 校验，把 success/failure cleanup probes 与 log-boundary samples 转成 release-gate evidence，并直接执行 hosted release gate 判断；它只是 staging 演练工具，不会调用云平台、创建 GitHub App、写真实 Check Run 或暴露公开 hosted 服务
 - Cloudflare hosted ingress：`hosted/cloudflare-worker` 已部署到 `https://ai-saas-guard-hosted.zr9959.workers.dev`，提供 `/healthz`、`/github/app/manifest-callback` 和签名 `/github/webhook` intake；Worker 已具备 compact pull request identity、file/category risk signal 和 Check Run metadata 路径；staging GitHub App ID 为 `3834787`，installation ID 为 `135085075`；真实 GitHub App webhook delivery 和 Check Run smoke 已通过；完整 source checkout worker deployment、monitoring、rollback 和 incident-response evidence 仍需要通过 hosted operational release gate
 - webhook event parser
 - check-run summary renderer

package/docs/hosted-operational-release-gate.md

@@ -40,7 +40,7 @@ Every hosted release must record:
 
 The current public package release is still a local CLI and pure hosted-contract release. No hosted production environment is exposed by this release.
 
-The pure evaluator `evaluateHostedOperationalReleaseGate` and the exported `HOSTED_OPERATIONAL_RELEASE_GATE_REQUIREMENTS` list make the gate machine-checkable for the next hosted service stage. The evaluator blocks hosted exposure unless every P0 item has fresh evidence, a `sha256:<digest>` container image digest is recorded, and release notes avoid positive pentest, certification, and full-audit claims. Explicit wording such as "not a pentest, certification, or full security audit" remains allowed.
+The pure evaluator `evaluateHostedOperationalReleaseGate` and the exported `HOSTED_OPERATIONAL_RELEASE_GATE_REQUIREMENTS` list make the gate machine-checkable for the next hosted service stage. The staging harness also exports `createHostedStagingReleaseEvidenceBundle`, `evaluateHostedStagingReleaseEvidenceBundle`, and `validateHostedLogBoundary` so source-candidate rehearsals can turn webhook replay, success/failure cleanup probes, required safe failure reasons, and log samples into an executable gate decision. The evaluator blocks hosted exposure unless every P0 item has fresh evidence, a `sha256:<digest>` container image digest is recorded, and release notes avoid positive pentest, certification, and full-audit claims. Explicit wording such as "not a pentest, certification, or full security audit" remains allowed.
 
 Source-level evidence notes for this release candidate:
 
@@ -52,8 +52,8 @@ Source-level evidence notes for this release candidate:
 | `workflow_static_checks` | GitHub Actions static analysis | `actionlint` and `uvx zizmor --offline .github/workflows` | Passed for repository workflows |
 | `dependency_scan` | Dependency scan has no unresolved high or critical production findings | `npm audit --audit-level=high --registry=https://registry.npmjs.org` | Passed for source package |
 | `container_scan` | Container image scan has no unresolved high or critical runtime-layer findings | No hosted container image exists in the public package release | Not applicable to current non-hosted release; required before hosted exposure |
-| `queue_worker_cleanup` | Queue dedupe, running cancellation, terminal cleanup, worker checkout deletion, and no long-running processes | Pure queue, worker, checkout, and retention cleanup planner tests | Passed for pure contracts; must verify against deployed queue and worker before exposure |
-| `privacy_retention` | No raw source, raw diffs, secrets, customer payloads, private URLs, or full file contents; retention and uninstall cleanup are proven | Compact report, Check Run publication, retention/deletion cleanup, and docs tests | Passed for pure contracts; log sampling still required before exposure |
+| `queue_worker_cleanup` | Queue dedupe, running cancellation, terminal cleanup, worker checkout deletion, and no long-running processes | Pure queue, worker, checkout, retention cleanup planner tests, and staging harness success/failure cleanup probes | Passed for source candidate; must verify against deployed queue and worker before exposure |
+| `privacy_retention` | No raw source, raw diffs, secrets, customer payloads, private URLs, or full file contents; retention and uninstall cleanup are proven | Compact report, Check Run publication, retention/deletion cleanup, docs tests, and `validateHostedLogBoundary` source-candidate log checks | Passed for source candidate; deployed log sampling still required before exposure |
 | `monitoring_alerting` | Ingress, queue depth, worker failures, Check Run failures, cleanup failures, retention failures, and credential rotation alerts | Required alert list remains in this document | Documented; must attach provider evidence before exposure |
 | `manual_rollback` | Worker pause, previous artifact redeploy, queue resume, controlled ingress failure, and affected Check Run identification | Manual rollback procedure remains in this document | Documented; must execute against deployed artifact before exposure |
 | `incident_response` | Owner, backup, credential rotation, queue pause, customer communication, status path, and privacy-safe evidence collection | Incident response checklist remains in this document | Documented; must name live owners before exposure |
@@ -148,6 +148,7 @@ Required proof:
 - runtime credentials reach git through temporary askpass material only.
 - the CLI phase runs after credential material is removed from the environment.
 - the worker command is fixed to the deterministic read-only `pr-risk --json` shape.
+- the worker rejects accepted-looking plans if command, checkout identity, or token scope differs from trusted GitHub event identity.
 - success deletes the worker checkout, askpass material, generated JSON/SARIF scratch files, and local package tarballs.
 - failure cleanup covers clone failure, timeout, CLI failure, malformed JSON output, Check Run write failure, cancellation, and process interruption.
 - cleanup failures create an operator-review event without returning raw source, raw diffs, installation tokens, checkout paths, private URLs, or low-level filesystem errors to users.

package/docs/hosted-operations-evidence.md

@@ -29,6 +29,8 @@ The hosted release gate still requires fresh deployed evidence for:
 - dependency and container artifact scanning for the deployed worker image
 - retention and uninstall cleanup against the deployed provider stores
 
+Source-candidate executable evidence now exists in `ai-saas-guard/hosted/staging-harness`: `createHostedStagingReleaseEvidenceBundle` combines signed webhook replay, success and failure cleanup probes, safe worker failure reasons, and `validateHostedLogBoundary` samples into hosted release-gate evidence, then `evaluateHostedStagingReleaseEvidenceBundle` runs the same gate evaluator used by deployment planning. This improves local release readiness, but it is still not production hosted exposure and does not replace deployed worker, logging, metrics, rollback, incident-response, dependency, or container evidence.
+
 ## Read-Only Checkout Worker Evidence Checklist
 
 Before any hosted source checkout worker is exposed beyond staging, attach fresh evidence for each row below. The current Cloudflare ingress evidence above does not satisfy these rows because it publishes compact PR-risk signals without running a full source checkout scan worker.
@@ -37,7 +39,7 @@ Before any hosted source checkout worker is exposed beyond staging, attach fresh
 | --- | --- | --- |
 | Trusted checkout identity | Worker input is derived from signed GitHub event identity, selected-repository installation scope, and repository `contents: read`; PR title, body, branch names, README, and code cannot choose the repository, token scope, checkout path, or command | Required |
 | Runtime credential boundary | Installation credentials are passed to git only through temporary askpass material, are removed before the CLI scan phase, and are never returned in worker output, compact reports, Check Runs, or logs | Required |
-| Fixed scanner command | Worker runs the fixed read-only command shape `ai-saas-guard pr-risk --root <worker-checkout> --base <trusted-base-sha> --json` without shell parsing or PR-authored arguments | Required |
+| Fixed scanner command | Worker runs the fixed read-only command shape `ai-saas-guard pr-risk --root <worker-checkout> --base <trusted-base-sha> --json` without shell parsing or PR-authored arguments, and rejects command, checkout, or token-scope mutations before running git | Required |
 | Success cleanup | A successful worker run deletes the checkout directory, askpass material, generated JSON/SARIF scratch files, and any local package tarballs | Required |
 | Failure cleanup | A failed clone, timeout, CLI non-zero exit, malformed JSON output, Check Run write failure, cancellation, or process interruption still attempts checkout deletion and records only a safe cleanup status | Required |
 | Log boundary | Logs may include scan key, installation ID, repository ID, PR number, head SHA, scanner version, duration, summary counts, error class, and cleanup status; logs must include no raw source, no raw diffs, no secrets, no installation tokens, no customer payloads, no private URLs, and no checkout paths | Required |

package/docs/hosted-preimplementation-contracts.md

@@ -79,6 +79,8 @@ Default behavior:
 - derive the GitHub clone URL only from trusted repository identity
 - require a runtime installation token provider and keep the token out of command arguments, returned results, compact reports, and serialized plans
 - pass the installation token to git only through a temporary askpass helper inside the worker checkout
+- remove askpass material before the CLI phase starts
+- reject accepted-looking plans when command, checkout identity, or token scope differs from the trusted worker plan
 - run `git init`, add the trusted remote, fetch the trusted head and base SHAs with bounded depth, and checkout the trusted head SHA
 - run the fixed `ai-saas-guard pr-risk --root <worker-checkout> --base <baseSha> --json` command without shell parsing
 - cap command timeout and output bytes
@@ -174,6 +176,9 @@ Default behavior:
 - create a temporary worker sandbox during the scan runner phase
 - remove worker sandbox contents before returning the worker result
 - create hosted operational release-gate evidence fixtures with the same shape required by the deployment gate
+- turn success and failure cleanup probes into executable release-gate evidence
+- validate log boundaries without returning sampled log lines or forbidden values
+- evaluate the hosted release gate directly from the generated evidence bundle
 
 Privacy boundaries:
 
@@ -181,7 +186,7 @@ Privacy boundaries:
 - result objects do not include raw webhook payloads, untrusted PR text, raw source, raw diffs, secrets, customer payloads, checkout paths, or installation tokens
 - local evidence is labeled as harness evidence and must not be used to claim live hosted exposure
 
-The exported helpers are `createFileBackedHostedStagingHarness` and `createHostedStagingHarnessEvidence`.
+The exported helpers are `createFileBackedHostedStagingHarness`, `createHostedStagingHarnessEvidence`, `createHostedStagingReleaseEvidenceBundle`, `evaluateHostedStagingReleaseEvidenceBundle`, and `validateHostedLogBoundary`.
 
 ## Webhook Event Parser
 

package/docs/hosted-staging-harness.md

@@ -10,6 +10,9 @@ The package exports `ai-saas-guard/hosted/staging-harness` with:
 
 - `createFileBackedHostedStagingHarness`
 - `createHostedStagingHarnessEvidence`
+- `createHostedStagingReleaseEvidenceBundle`
+- `evaluateHostedStagingReleaseEvidenceBundle`
+- `validateHostedLogBoundary`
 
 The harness composes the hosted service runtime with local adapters:
 
@@ -20,6 +23,8 @@ The harness composes the hosted service runtime with local adapters:
 - a temporary worker sandbox under `worker-sandbox/`
 - cleanup verification after a worker tick
 - local hosted release-gate evidence fixtures
+- executable evidence bundles for success and failure cleanup probes
+- log boundary validation for safe hosted metadata samples
 
 ## Replay Flow
 
@@ -39,6 +44,35 @@ Invalid signatures stop at the signature stage and create no queue, report, or C
 
 The generated notes are explicit that the evidence is local harness evidence, not hosted exposure.
 
+## Executable Evidence Bundle
+
+`createHostedStagingReleaseEvidenceBundle` turns concrete harness results into release-gate evidence:
+
+- signed webhook replay must queue a check-run-only worker from trusted GitHub event fields
+- worker success must delete the worker sandbox
+- worker failure must still delete the worker sandbox and expose only a safe failure reason
+- callers can require explicit failure reasons such as checkout failure, CLI failure, malformed output, Check Run publication failure, timeout, and cancellation before cleanup evidence passes
+- log boundary validation must pass before `privacy_retention` is marked passed
+- external evidence is still required for CI, workflow static checks, dependency scan, container scan, monitoring, rollback, and incident response
+
+`evaluateHostedStagingReleaseEvidenceBundle` passes that bundle into the hosted operational release gate evaluator with the release commit, scanner version, deployment target, container digest, and release notes. This makes the local staging gate executable instead of a hand-maintained checklist.
+
+The bundle is still source-candidate evidence. It does not prove a deployed hosted service is ready, and it does not replace deployed provider evidence.
+
+## Log Boundary Validation
+
+`validateHostedLogBoundary` accepts sampled log metadata and a forbidden-value list for raw source, raw diffs, secret values, customer payloads, installation tokens, checkout paths, private URLs, and untrusted PR prose.
+
+The returned result contains only:
+
+- pass/fail status
+- blocked reason IDs
+- sample count
+- allowed field names
+- privacy flags
+
+It does not return the sampled log lines or the forbidden values. This keeps the evidence useful while avoiding accidental leakage in release notes, compact reports, or Check Runs.
+
 ## Privacy
 
 The harness returns safe status objects and compact artifacts only.
@@ -58,6 +92,6 @@ The worker sandbox may contain temporary scan input during a worker tick. The ha
 
 ## Current Status
 
-The repository can now run a local staging rehearsal across webhook intake, queue persistence, worker execution, compact report storage, Check Run publication, and worker cleanup.
+The repository can now run a local staging rehearsal across webhook intake, queue persistence, worker execution, compact report storage, Check Run publication, worker cleanup, success and failure cleanup probes, log boundary validation, and executable release-gate evaluation from the generated evidence bundle.
 
 This still is not a live hosted service. A real staging environment still requires deployed platform infrastructure, public HTTPS ingress, platform secret references, durable queue/storage resources, worker isolation, GitHub Checks runtime credentials, monitoring, rollback evidence, and incident-response evidence collected from the deployed artifact.

package/docs/npm-publishing.md

@@ -5,11 +5,11 @@
 ## Current State
 
 - Package name: `ai-saas-guard`
-- Current published version: `0.30.2`
+- Current published version: `0.31.0`
 - Next source candidate: none
 - npm registry state: published at <https://www.npmjs.com/package/ai-saas-guard>
 - First npm-published version: `0.1.1`
-- GitHub Release: `v0.30.2`
+- GitHub Release: `v0.31.0`
 - Publish workflow: `.github/workflows/npm-publish.yml`
 - Trusted Publisher: GitHub Actions, `zr9959/ai-saas-guard`, workflow `npm-publish.yml`, allowed action `npm publish`
 - Long-lived npm publish token: not required
@@ -18,7 +18,7 @@
 
 Use GitHub Actions with npm Trusted Publisher/OIDC:
 
-1. Create and review a release tag such as `v0.30.2`.
+1. Create and review a release tag such as `v0.31.0`.
 2. Publish from the GitHub Release or run the `Publish npm` workflow manually with `ref` set to that tag.
 3. Keep `permissions.id-token: write` in the workflow so npm can exchange the GitHub Actions OIDC identity for a short-lived publish credential.
 4. Run `npm publish --access public` from the workflow. Trusted publishing automatically generates provenance for this public package from this public repository.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-saas-guard",
-  "version": "0.30.2",
+  "version": "0.31.0",
   "description": "Local-first CLI that catches launch blockers in AI-built Next.js/Supabase/Stripe SaaS apps.",
   "readmeFilename": "README.md",
   "type": "module",