ai-saas-guard 0.30.2 → 0.32.0

package/README.md

@@ -187,13 +187,13 @@ The CLI is published on npm as `ai-saas-guard`, and the GitHub Action is availab
 | Area | Status |
 | --- | --- |
 | Public GitHub repository | Available |
-| npm CLI | `ai-saas-guard@0.30.2` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.30.2` |
+| npm CLI | `ai-saas-guard@0.32.0` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.32.0` |
 | Outputs | Short summary, terminal, JSON, SARIF, and PR-focused markdown |
 | Project config | `.ai-saas-guard.json` rule toggles, severity overrides, suppressions, and fail thresholds |
 | Privacy model | Local-first, read-only scan commands, no LLM calls, no code upload |
-| Versioned Action tags | `v0.30.2`, `v0` |
-| Current release | `0.30.2` adds post-release quality tuning: lower-noise Vercel/Actions checks, focused launch-gate positioning docs, and hosted worker evidence boundaries |
+| Versioned Action tags | `v0.32.0`, `v0` |
+| Current release | `0.32.0` adds deployed worker staging evidence: public HTTPS health validation, deployed success/failure cleanup probes, log-boundary checks, and release-gate evaluation for a Node/container read-only checkout worker candidate |
 | npm publishing | Trusted Publisher/OIDC, no long-lived publish token |
 | Repository trust hardening | Strict branch protection, Dependabot, CodeQL, fast-check fuzzing, signed release provenance assets, private vulnerability reporting, secret scanning, and push protection |
 | Cloudflare hosted ingress | Deployed at `https://ai-saas-guard-hosted.zr9959.workers.dev`; signed GitHub App webhook delivery and compact Check Run smoke now pass in staging |
@@ -304,13 +304,15 @@ The hosted GitHub App deployment planner is documented in [docs/github-app-deplo
 
 The hosted production adapter layer is documented in [docs/hosted-production-adapters.md](docs/hosted-production-adapters.md). It exports `createHostedGitHubAppJwt`, `planHostedGitHubInstallationTokenRequest`, and `planHostedProductionWorkerExecution` from `ai-saas-guard/hosted/production-adapters`. It adds RS256 GitHub App JWT generation, selected-repository installation-token request plans, separate worker and Check Run token scopes, a fixed read-only worker command, bounded timeout and output budgets, compact JSON-only output, and cleanup plans for success, failure, timeout, and cancellation. It still does not expose a public hosted service by itself.
 
-The hosted read-only checkout worker is exported from `ai-saas-guard/hosted/worker`. It creates a temporary checkout from trusted GitHub App identity, uses a runtime installation token only through git askpass, runs the fixed `ai-saas-guard pr-risk --json` command with bounded timeout/output, converts CLI JSON into compact findings, and deletes the checkout after success or failure. It does not return source, diffs, secrets, checkout paths, PR-authored commands, or installation tokens.
+The hosted read-only checkout worker is exported from `ai-saas-guard/hosted/worker`. It creates a temporary checkout from trusted GitHub App identity, uses a runtime installation token only through git askpass, removes askpass material before the CLI phase, rejects mutated command/checkout/token-scope plans, runs the fixed `ai-saas-guard pr-risk --json` command with bounded timeout/output, converts CLI JSON into compact findings, and deletes the checkout after success or failure. It does not return source, diffs, secrets, checkout paths, PR-authored commands, or installation tokens.
 
 The hosted Node/container app skeleton is documented in [docs/hosted-node-container-app.md](docs/hosted-node-container-app.md). It exports `createHostedHttpApp`, `createInMemoryHostedAppPlatform`, `createHostedNodeCheckoutAppPlatform`, and `planHostedNodeContainerDeployment` from `ai-saas-guard/hosted/app`. It adds a safe `/healthz` route, signed `/github/webhook` ingress, one-job worker tick, in-memory provider adapters for tests, a concrete read-only checkout worker composition with visible timeout/output safety budgets, and deployment-plan validation for secret manager, queue, compact report store, worker sandbox, and GitHub Checks publisher references. It still does not deploy or expose a public hosted service by itself.
 
 The hosted staging deployment planner is documented in [docs/hosted-staging-deployment.md](docs/hosted-staging-deployment.md). It exports `planHostedProviderBinding`, `planHostedStagingDeployment`, and `planHostedGitHubAppPromotion` from `ai-saas-guard/hosted/staging`. It composes real provider references, the Node/container deployment plan, hosted operational release-gate evidence, and GitHub App deployment planning so staging and production promotion stay blocked until the required queue, store, worker sandbox, Check Run publisher, logs, metrics, rollback, and incident-response references are present. It still does not call a cloud provider, create a GitHub App, or expose a public hosted service by itself.
 
-The hosted staging harness is documented in [docs/hosted-staging-harness.md](docs/hosted-staging-harness.md). It exports `createFileBackedHostedStagingHarness` and `createHostedStagingHarnessEvidence` from `ai-saas-guard/hosted/staging-harness`. It runs signed webhook replay through the provider-independent hosted runtime with local file-backed queue, compact report, and Check Run adapters, then verifies worker sandbox cleanup. It is a staging rehearsal tool only; it does not call cloud providers, create a GitHub App, publish live Check Runs, or expose a public hosted service.
+The hosted staging harness is documented in [docs/hosted-staging-harness.md](docs/hosted-staging-harness.md). It exports `createFileBackedHostedStagingHarness`, `createHostedStagingHarnessEvidence`, `createHostedStagingReleaseEvidenceBundle`, `evaluateHostedStagingReleaseEvidenceBundle`, and `validateHostedLogBoundary` from `ai-saas-guard/hosted/staging-harness`. It runs signed webhook replay through the provider-independent hosted runtime with local file-backed queue, compact report, and Check Run adapters, verifies worker sandbox cleanup, turns success/failure cleanup probes plus log-boundary samples into release-gate evidence, and evaluates the hosted gate without cloud calls. It is a staging rehearsal tool only; it does not call cloud providers, create a GitHub App, publish live Check Runs, or expose a public hosted service.
+
+Deployed worker staging evidence is documented in [docs/hosted-deployed-worker-staging.md](docs/hosted-deployed-worker-staging.md). It exports `createHostedDeployedWorkerStagingEvidenceBundle` and `evaluateHostedDeployedWorkerStagingReleaseGate` from `ai-saas-guard/hosted/deployed-staging`. It turns public HTTPS health, signed webhook replay, deployed worker cleanup, log-boundary samples, and external CI/scan/rollback evidence into the hosted release gate for a Node/container read-only checkout worker candidate. It does not deploy cloud resources or claim production hosted exposure.
 
 The first live hosted ingress is deployed on Cloudflare Workers at `https://ai-saas-guard-hosted.zr9959.workers.dev` and documented in [hosted/cloudflare-worker/README.md](hosted/cloudflare-worker/README.md). It exposes `/healthz`, `/github/app/manifest-callback`, and signed `/github/webhook` intake backed by Cloudflare KV. A private staging GitHub App, `ai-saas-guard-hosted`, is installed on `zr9959/ai-saas-guard` with selected-repository access and the first-slice permission contract. The Worker verifies signatures, stores compact pull request identity records, exchanges a scoped installation token, fetches PR file metadata from GitHub, classifies PR-risk hotspots, and publishes a bounded Check Run summary. Current deployed evidence is tracked in [docs/hosted-operations-evidence.md](docs/hosted-operations-evidence.md): health, signed webhook delivery, compact KV records, cleanup, and Check Run publication pass for the staging smoke. The Cloudflare Worker still does not run a full source checkout scan worker or store raw webhook payloads, PR title/body text, raw diffs, source, secrets, checkout paths, or installation tokens.
 
@@ -320,7 +322,7 @@ Hosted uninstall and data deletion behavior is documented in [docs/hosted-uninst
 
 Hosted pricing and packaging boundaries are documented in [docs/hosted-pricing-packaging.md](docs/hosted-pricing-packaging.md). Core local scanning stays useful without an account; hosted plans may add workflow convenience, saved reports, team policy, and optional human review, but they do not gate local CLI scanning.
 
-Hosted pre-implementation pure contracts are documented in [docs/hosted-preimplementation-contracts.md](docs/hosted-preimplementation-contracts.md). They now include a pull request webhook intake planner that verifies signatures before parsing or queueing, a durable scan queue planner that reuses queued, running, and completed jobs for the same trusted scan key, a worker read-only scan planner that fixes the CLI command and requires repository `contents: read`, a concrete Node read-only checkout scan runner, and a Check Run publication planner that requires repository `checks: write` and builds bounded check-only payloads from compact reports. They also cover queue-safe webhook event parsing, bounded check-run summary rendering, idempotent queue cleanup planning, worker checkout cleanup planning, a retention/deletion cleanup planner, an operational release gate evaluator, the production adapter plans needed for GitHub App auth and bounded worker execution, the Node/container app skeleton needed for real provider wiring, the staging deployment planner needed before production GitHub App promotion, and the local staging harness needed to rehearse webhook replay, persistence, publication, and cleanup without cloud calls. The service runtime composes these contracts behind replaceable adapters. PR comments remain a later workflow or paid hosted feature, not part of the hosted MVP contract.
+Hosted pre-implementation pure contracts are documented in [docs/hosted-preimplementation-contracts.md](docs/hosted-preimplementation-contracts.md). They now include a pull request webhook intake planner that verifies signatures before parsing or queueing, a durable scan queue planner that reuses queued, running, and completed jobs for the same trusted scan key, a worker read-only scan planner that fixes the CLI command and requires repository `contents: read`, a concrete Node read-only checkout scan runner, and a Check Run publication planner that requires repository `checks: write` and builds bounded check-only payloads from compact reports. They also cover queue-safe webhook event parsing, bounded check-run summary rendering, idempotent queue cleanup planning, worker checkout cleanup planning, a retention/deletion cleanup planner, an operational release gate evaluator, the production adapter plans needed for GitHub App auth and bounded worker execution, the Node/container app skeleton needed for real provider wiring, the staging deployment planner needed before production GitHub App promotion, the local staging harness needed to rehearse webhook replay, persistence, publication, and cleanup without cloud calls, and the deployed worker staging evidence helper needed to evaluate public HTTPS health, deployed cleanup, and log-boundary evidence without storing raw hosted data. The service runtime composes these contracts behind replaceable adapters. PR comments remain a later workflow or paid hosted feature, not part of the hosted MVP contract.
 
 A public hosted compact report schema fixture is available at [examples/hosted-compact-report.json](examples/hosted-compact-report.json). It is synthetic and public-safe: compact evidence only, no raw source, raw diffs, secrets, webhook payload bodies, customer payloads, private URLs, or worker checkout paths.
 
@@ -360,7 +362,7 @@ Use `suppressions` for narrower false-positive handling when one rule is noisy o
 
 ## GitHub Action
 
-The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.30.2` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
+The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.32.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
 
 ```yaml
 name: ai-saas-guard

package/dist/hosted/deployed-staging.d.ts

@@ -0,0 +1,66 @@
+import { type HostedOperationalReleaseGateDecision, type HostedOperationalReleaseGateEvidence } from "./contracts.js";
+import type { HostedLogBoundaryValidation, HostedStagingHarnessReplayResult, HostedStagingHarnessWorkerTickResult } from "./staging-harness.js";
+export interface HostedDeployedWorkerHealthProbe {
+    observedAt: string;
+    status: number;
+    body: unknown;
+}
+export interface HostedDeployedWorkerStagingEvidenceBundleInput {
+    collectedAt: string;
+    evidenceBaseUrl: string;
+    owner: string;
+    publicBaseUrl: string;
+    scannerVersion: string;
+    healthProbe: HostedDeployedWorkerHealthProbe;
+    webhookReplays: HostedStagingHarnessReplayResult[];
+    workerTicks: HostedStagingHarnessWorkerTickResult[];
+    logBoundary: HostedLogBoundaryValidation;
+    externalEvidence: HostedOperationalReleaseGateEvidence[];
+    requiredFailureReasons?: string[];
+}
+export interface HostedDeployedWorkerStagingEvidenceBundle {
+    readyForReleaseGate: boolean;
+    blockedReasons: string[];
+    evidence: HostedOperationalReleaseGateEvidence[];
+    releaseGateInput: {
+        evidence: HostedOperationalReleaseGateEvidence[];
+    };
+    deployedScenarioSummary: HostedDeployedWorkerStagingScenarioSummary;
+    privacy: HostedDeployedWorkerStagingPrivacy;
+}
+export interface HostedDeployedWorkerStagingScenarioSummary {
+    publicIngressAccepted: boolean;
+    healthAccepted: boolean;
+    webhookReplayAccepted: boolean;
+    completedWorkerProbe: boolean;
+    failureCleanupProbe: boolean;
+    observedFailureReasons: string[];
+    allWorkerCheckoutsDeleted: boolean;
+    checkRunPublished: boolean;
+    logBoundaryAccepted: boolean;
+}
+export interface HostedDeployedWorkerStagingReleaseGateInput {
+    bundle: HostedDeployedWorkerStagingEvidenceBundle;
+    commitSha: string;
+    scannerVersion: string;
+    deploymentTarget: string;
+    evaluatedAt: string;
+    releaseNotes: string;
+    containerImageDigest: string;
+    maxEvidenceAgeDays?: number;
+}
+export interface HostedDeployedWorkerStagingPrivacy {
+    includesRawHealthResponse: false;
+    includesPublicBaseUrl: false;
+    includesRawWebhookPayload: false;
+    includesUntrustedPrText: false;
+    includesRawSource: false;
+    includesRawDiffs: false;
+    includesSecrets: false;
+    includesCustomerPayloads: false;
+    includesPrivateCheckoutPath: false;
+    includesInstallationToken: false;
+    claimsProductionHostedService: false;
+}
+export declare function createHostedDeployedWorkerStagingEvidenceBundle(input: HostedDeployedWorkerStagingEvidenceBundleInput): HostedDeployedWorkerStagingEvidenceBundle;
+export declare function evaluateHostedDeployedWorkerStagingReleaseGate(input: HostedDeployedWorkerStagingReleaseGateInput): HostedOperationalReleaseGateDecision;

package/dist/hosted/deployed-staging.js

@@ -0,0 +1,267 @@
+import { evaluateHostedOperationalReleaseGate, HOSTED_OPERATIONAL_RELEASE_GATE_REQUIREMENTS } from "./contracts.js";
+import { HOSTED_NODE_CONTAINER_PLATFORM, HOSTED_NODE_CONTAINER_ROLES } from "./app.js";
+export function createHostedDeployedWorkerStagingEvidenceBundle(input) {
+    const summary = deployedScenarioSummary(input);
+    const blockedReasons = deployedBlockedReasons(input, summary);
+    const externalEvidence = new Map(input.externalEvidence.map((evidence) => [evidence.id, sanitizeEvidence(evidence, input)]));
+    const evidence = HOSTED_OPERATIONAL_RELEASE_GATE_REQUIREMENTS.map((requirement) => {
+        const generated = generatedEvidenceFor(requirement.id, input, summary, blockedReasons);
+        return generated ?? externalEvidence.get(requirement.id) ?? missingEvidence(requirement.id, input);
+    });
+    const readyForReleaseGate = blockedReasons.length === 0 && evidence.every((item) => item.status === "passed");
+    return {
+        readyForReleaseGate,
+        blockedReasons,
+        evidence,
+        releaseGateInput: { evidence },
+        deployedScenarioSummary: summary,
+        privacy: deployedPrivacy()
+    };
+}
+export function evaluateHostedDeployedWorkerStagingReleaseGate(input) {
+    return evaluateHostedOperationalReleaseGate({
+        commitSha: input.commitSha,
+        scannerVersion: input.scannerVersion,
+        deploymentTarget: input.deploymentTarget,
+        evaluatedAt: input.evaluatedAt,
+        evidence: input.bundle.evidence,
+        releaseNotes: input.releaseNotes,
+        containerImageDigest: input.containerImageDigest,
+        maxEvidenceAgeDays: input.maxEvidenceAgeDays
+    });
+}
+function deployedScenarioSummary(input) {
+    const processedWorkers = input.workerTicks.filter((tick) => tick.processed);
+    const completedWorkers = processedWorkers.filter((tick) => tick.status === "completed");
+    const observedFailureReasons = [
+        ...new Set(processedWorkers.flatMap((tick) => tick.status === "failed" && tick.cleanupVerified && tick.safeFailureReason
+            ? [tick.safeFailureReason]
+            : []))
+    ].sort();
+    const requiredFailureReasons = input.requiredFailureReasons ?? [];
+    const failureCleanupProbe = requiredFailureReasons.length
+        ? requiredFailureReasons.every((reason) => observedFailureReasons.includes(reason))
+        : processedWorkers.some((tick) => tick.status === "failed" && tick.cleanupVerified);
+    const allWorkerCheckoutsDeleted = processedWorkers.length > 0 &&
+        processedWorkers.every((tick) => tick.workerSandboxDeleted &&
+            tick.activeWorkerSandboxCount === 0 &&
+            tick.cleanupVerified);
+    return {
+        publicIngressAccepted: isSafePublicHttpsUrl(input.publicBaseUrl),
+        healthAccepted: healthProbeAccepted(input),
+        webhookReplayAccepted: input.webhookReplays.some((replay) => replay.accepted && replay.queuedWorker && replay.shouldCreateCheckRun),
+        completedWorkerProbe: completedWorkers.some((tick) => tick.checkRunPublished && tick.compactReportStored),
+        failureCleanupProbe,
+        observedFailureReasons,
+        allWorkerCheckoutsDeleted,
+        checkRunPublished: completedWorkers.some((tick) => tick.checkRunPublished),
+        logBoundaryAccepted: input.logBoundary.sampleCount > 0 && input.logBoundary.accepted
+    };
+}
+function deployedBlockedReasons(input, summary) {
+    const reasons = [];
+    const health = healthBody(input.healthProbe.body);
+    if (!summary.publicIngressAccepted)
+        reasons.push("invalid_public_base_url");
+    if (!isSafePublicHttpsUrl(input.evidenceBaseUrl))
+        reasons.push("unsafe_evidence_base_url");
+    if (input.healthProbe.status !== 200)
+        reasons.push("health_status_unhealthy");
+    if (health.ok !== true)
+        reasons.push("health_not_ok");
+    if (health.platform !== HOSTED_NODE_CONTAINER_PLATFORM)
+        reasons.push("health_platform_mismatch");
+    if (health.scannerVersion !== input.scannerVersion) {
+        reasons.push("health_scanner_version_mismatch");
+    }
+    if (!health.roles.includes("webhook-ingress"))
+        reasons.push("health_missing_webhook_role");
+    if (!health.roles.includes("scan-worker"))
+        reasons.push("health_missing_scan_worker_role");
+    if (!privacyFlagsAreSafe(health.privacy))
+        reasons.push("health_privacy_flags_unsafe");
+    if (!summary.webhookReplayAccepted)
+        reasons.push("webhook_replay_missing");
+    if (!summary.completedWorkerProbe)
+        reasons.push("worker_success_probe_missing");
+    if (!summary.failureCleanupProbe)
+        reasons.push("worker_failure_cleanup_probe_missing");
+    if (!summary.allWorkerCheckoutsDeleted)
+        reasons.push("worker_cleanup_not_verified");
+    if (!summary.checkRunPublished)
+        reasons.push("check_run_not_published");
+    if (!summary.logBoundaryAccepted)
+        reasons.push("log_boundary_rejected");
+    return reasons;
+}
+function generatedEvidenceFor(id, input, summary, blockedReasons) {
+    if (blockedReasons.length > 0) {
+        return undefined;
+    }
+    if (id === "webhook_replay") {
+        return summary.publicIngressAccepted && summary.healthAccepted && summary.webhookReplayAccepted
+            ? passedEvidence(id, "Deployed staging ingress accepted a signed webhook and queued check-run-only work.", input)
+            : missingEvidence(id, input);
+    }
+    if (id === "queue_worker_cleanup") {
+        return summary.completedWorkerProbe &&
+            summary.failureCleanupProbe &&
+            summary.allWorkerCheckoutsDeleted
+            ? passedEvidence(id, "Deployed staging worker success and failure probes published compact checks and deleted worker checkouts.", input)
+            : missingEvidence(id, input);
+    }
+    if (id === "privacy_retention") {
+        return summary.logBoundaryAccepted && privacyFlagsAreSafe(input.logBoundary.privacy)
+            ? passedEvidence(id, "Deployed staging log samples stayed within the safe metadata boundary and avoided raw payloads.", input)
+            : missingEvidence(id, input);
+    }
+    if (id === "release_cleanup") {
+        return summary.allWorkerCheckoutsDeleted
+            ? passedEvidence(id, "Deployed staging release cleanup left no active worker checkout entries.", input)
+            : missingEvidence(id, input);
+    }
+    return undefined;
+}
+function healthProbeAccepted(input) {
+    const health = healthBody(input.healthProbe.body);
+    return (input.healthProbe.status === 200 &&
+        health.ok === true &&
+        health.platform === HOSTED_NODE_CONTAINER_PLATFORM &&
+        HOSTED_NODE_CONTAINER_ROLES.every((role) => health.roles.includes(role)) &&
+        health.scannerVersion === input.scannerVersion &&
+        privacyFlagsAreSafe(health.privacy));
+}
+function sanitizeEvidence(evidence, input) {
+    return {
+        id: evidence.id,
+        status: evidence.status,
+        ...(evidence.collectedAt === undefined
+            ? { collectedAt: input.collectedAt }
+            : { collectedAt: evidence.collectedAt }),
+        ...(safeEvidenceUrl(evidence.evidenceUrl) === undefined
+            ? {}
+            : { evidenceUrl: safeEvidenceUrl(evidence.evidenceUrl) }),
+        note: `External deployed-staging release-gate evidence recorded for ${evidence.id}.`,
+        ...(evidence.owner === undefined ? { owner: input.owner } : { owner: evidence.owner })
+    };
+}
+function passedEvidence(id, note, input) {
+    return {
+        id,
+        status: "passed",
+        collectedAt: input.collectedAt,
+        ...(evidenceUrlFor(input, id) === undefined ? {} : { evidenceUrl: evidenceUrlFor(input, id) }),
+        note,
+        owner: input.owner
+    };
+}
+function missingEvidence(id, input) {
+    return {
+        id,
+        status: "missing",
+        collectedAt: input.collectedAt,
+        note: `Missing deployed staging worker evidence for ${id}.`,
+        owner: input.owner
+    };
+}
+function evidenceUrlFor(input, id) {
+    const baseUrl = safeEvidenceUrl(input.evidenceBaseUrl);
+    return baseUrl === undefined ? undefined : `${baseUrl}/${id}.json`;
+}
+function safeEvidenceUrl(value) {
+    if (!value || !isSafePublicHttpsUrl(value)) {
+        return undefined;
+    }
+    return trimTrailingSlashes(value.trim());
+}
+function healthBody(value) {
+    if (!isRecord(value)) {
+        return {
+            ok: undefined,
+            platform: undefined,
+            roles: [],
+            scannerVersion: undefined,
+            privacy: undefined
+        };
+    }
+    const roles = Array.isArray(value.roles)
+        ? value.roles.filter((role) => typeof role === "string")
+        : [];
+    return {
+        ok: typeof value.ok === "boolean" ? value.ok : undefined,
+        platform: typeof value.platform === "string" ? value.platform : undefined,
+        roles,
+        scannerVersion: typeof value.scannerVersion === "string" ? value.scannerVersion : undefined,
+        privacy: isRecord(value.privacy) ? value.privacy : undefined
+    };
+}
+function privacyFlagsAreSafe(value) {
+    return isRecord(value) && Object.values(value).every((flag) => flag === false);
+}
+function isSafePublicHttpsUrl(value) {
+    try {
+        const url = new URL(value.trim());
+        return (url.protocol === "https:" &&
+            !url.username &&
+            !url.password &&
+            !url.search &&
+            !url.hash &&
+            !isUnsafeHostedHostname(url.hostname));
+    }
+    catch {
+        return false;
+    }
+}
+function isUnsafeHostedHostname(hostname) {
+    const normalized = hostname.toLowerCase().replace(/\.$/, "");
+    return (normalized === "localhost" ||
+        normalized.endsWith(".localhost") ||
+        isUnsafeIpv4Hostname(normalized) ||
+        normalized === "::1" ||
+        normalized.startsWith("fc") ||
+        normalized.startsWith("fd") ||
+        normalized.startsWith("fe80:"));
+}
+function isUnsafeIpv4Hostname(hostname) {
+    const parts = hostname.split(".");
+    if (parts.length !== 4 || !parts.every((part) => /^\d+$/.test(part)))
+        return false;
+    const octets = parts.map((part) => Number(part));
+    if (octets.some((octet) => !Number.isInteger(octet) || octet < 0 || octet > 255)) {
+        return false;
+    }
+    const [first, second] = octets;
+    return (first === 0 ||
+        first === 10 ||
+        first === 127 ||
+        (first === 169 && second === 254) ||
+        (first === 172 && second >= 16 && second <= 31) ||
+        (first === 192 && second === 168) ||
+        (first === 100 && second >= 64 && second <= 127) ||
+        first >= 224);
+}
+function trimTrailingSlashes(value) {
+    let end = value.length;
+    while (end > 0 && value[end - 1] === "/") {
+        end -= 1;
+    }
+    return value.slice(0, end);
+}
+function isRecord(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function deployedPrivacy() {
+    return {
+        includesRawHealthResponse: false,
+        includesPublicBaseUrl: false,
+        includesRawWebhookPayload: false,
+        includesUntrustedPrText: false,
+        includesRawSource: false,
+        includesRawDiffs: false,
+        includesSecrets: false,
+        includesCustomerPayloads: false,
+        includesPrivateCheckoutPath: false,
+        includesInstallationToken: false,
+        claimsProductionHostedService: false
+    };
+}

package/dist/hosted/service.js

@@ -173,7 +173,7 @@ export function createHostedServiceRuntime(options) {
                     cleanup
                 };
             }
-            catch {
+            catch (error) {
                 const cleanup = createHostedWorkerCheckoutCleanupPlan({
                     identity: queuedRecord.identity,
                     jobKey: queuedRecord.key,
@@ -186,6 +186,7 @@ export function createHostedServiceRuntime(options) {
                     processed: true,
                     status: "failed",
                     queueRecord: cloneQueueRecord(queuedRecord),
+                    reason: safeScanRunnerFailureReason(error),
                     errorClass: "scan_runner_failed",
                     workerPlan: acceptedWorkerPlan,
                     cleanup
@@ -194,6 +195,16 @@ export function createHostedServiceRuntime(options) {
         }
     };
 }
+function safeScanRunnerFailureReason(error) {
+    if (typeof error === "object" &&
+        error !== null &&
+        "safeReason" in error &&
+        typeof error.safeReason === "string" &&
+        /^[a-z][a-z0-9_]{1,80}$/.test(error.safeReason)) {
+        return error.safeReason;
+    }
+    return "scan_runner_failed";
+}
 function rejectWebhookRequest(stage, reason, deliveryId) {
     return {
         accepted: false,

package/dist/hosted/staging-harness.d.ts

@@ -1,5 +1,5 @@
-import { type HostedOperationalReleaseGateEvidence } from "./contracts.js";
-import { type HostedServiceRuntimeOptions, type HostedServiceScanRunnerResult, type HostedServiceWebhookStage } from "./service.js";
+import { type HostedOperationalReleaseGateDecision, type HostedOperationalReleaseGateEvidence } from "./contracts.js";
+import { type HostedServiceRuntimeOptions, type HostedServiceScanRunnerInput, type HostedServiceScanRunnerResult, type HostedServiceWebhookStage } from "./service.js";
 type RepositoryIdSource = HostedServiceRuntimeOptions["selectedRepositoryIdsByInstallation"];
 export interface FileBackedHostedStagingHarnessOptions {
     rootDir: string;
@@ -7,7 +7,7 @@ export interface FileBackedHostedStagingHarnessOptions {
     scannerVersion: string;
     selectedRepositoryIdsByInstallation: RepositoryIdSource;
     removedRepositoryIdsByInstallation?: RepositoryIdSource;
-    scanResult: HostedServiceScanRunnerResult;
+    scanResult: HostedServiceScanRunnerResult | ((input: HostedServiceScanRunnerInput) => HostedServiceScanRunnerResult | Promise<HostedServiceScanRunnerResult>);
     now?: () => string;
 }
 export interface FileBackedHostedStagingHarness {
@@ -59,6 +59,7 @@ export type HostedStagingHarnessWorkerTickResult = {
     status: "failed";
     errorClass: "worker_plan_rejected" | "check_run_publication_rejected" | "scan_runner_failed";
     reason?: string;
+    safeFailureReason?: string;
     workerSandboxDeleted: boolean;
     activeWorkerSandboxCount: number;
     cleanupVerified: boolean;
@@ -80,6 +81,67 @@ export interface HostedStagingHarnessPrivacy {
     includesInstallationToken: false;
     claimsLiveHostedService: false;
 }
+export type HostedLogBoundaryBlockedReason = "raw_source" | "raw_diff" | "secret_value" | "customer_payload" | "installation_token" | "checkout_path" | "private_url" | "untrusted_pr_text";
+export interface HostedLogBoundaryForbiddenInput {
+    rawSource?: string;
+    rawDiff?: string;
+    secretValues?: string[];
+    customerPayloads?: string[];
+    installationTokens?: string[];
+    checkoutPaths?: string[];
+    privateUrls?: string[];
+    untrustedPrText?: string[];
+}
+export interface HostedLogBoundaryValidationInput {
+    samples: unknown[];
+    forbidden: HostedLogBoundaryForbiddenInput;
+}
+export interface HostedLogBoundaryValidation {
+    accepted: boolean;
+    sampleCount: number;
+    blockedReasons: HostedLogBoundaryBlockedReason[];
+    allowedFields: string[];
+    privacy: HostedStagingHarnessPrivacy;
+}
+export interface HostedStagingReleaseEvidenceBundleInput {
+    collectedAt: string;
+    evidenceBaseUrl: string;
+    owner: string;
+    webhookReplays: HostedStagingHarnessReplayResult[];
+    workerTicks: HostedStagingHarnessWorkerTickResult[];
+    logBoundary: HostedLogBoundaryValidation;
+    externalEvidence: HostedOperationalReleaseGateEvidence[];
+    requiredFailureReasons?: string[];
+}
+export interface HostedStagingReleaseEvidenceBundle {
+    readyForReleaseGate: boolean;
+    evidence: HostedOperationalReleaseGateEvidence[];
+    releaseGateInput: {
+        evidence: HostedOperationalReleaseGateEvidence[];
+    };
+    scenarioSummary: {
+        webhookReplayAccepted: boolean;
+        completedWorkerProbe: boolean;
+        failureCleanupProbe: boolean;
+        observedFailureReasons: string[];
+        allWorkerCheckoutsDeleted: boolean;
+        logBoundaryAccepted: boolean;
+    };
+    privacy: HostedStagingHarnessPrivacy;
+}
+export interface HostedStagingReleaseEvidenceGateInput {
+    bundle: HostedStagingReleaseEvidenceBundle;
+    commitSha: string;
+    scannerVersion: string;
+    deploymentTarget: string;
+    evaluatedAt: string;
+    releaseNotes: string;
+    containerImageDigest: string;
+    maxEvidenceAgeDays?: number;
+}
 export declare function createFileBackedHostedStagingHarness(options: FileBackedHostedStagingHarnessOptions): FileBackedHostedStagingHarness;
 export declare function createHostedStagingHarnessEvidence(input: HostedStagingHarnessEvidenceInput): HostedOperationalReleaseGateEvidence[];
+export declare function validateHostedLogBoundary(input: HostedLogBoundaryValidationInput): HostedLogBoundaryValidation;
+export declare function createHostedStagingReleaseEvidenceBundle(input: HostedStagingReleaseEvidenceBundleInput): HostedStagingReleaseEvidenceBundle;
+export declare function evaluateHostedStagingReleaseEvidenceBundle(input: HostedStagingReleaseEvidenceGateInput): HostedOperationalReleaseGateDecision;
 export {};

package/dist/hosted/staging-harness.js

@@ -1,6 +1,6 @@
 import { mkdir, readdir, rm, writeFile } from "node:fs/promises";
 import { join } from "node:path";
-import { HOSTED_OPERATIONAL_RELEASE_GATE_REQUIREMENTS } from "./contracts.js";
+import { evaluateHostedOperationalReleaseGate, HOSTED_OPERATIONAL_RELEASE_GATE_REQUIREMENTS } from "./contracts.js";
 import { createHostedServiceRuntime } from "./service.js";
 export function createFileBackedHostedStagingHarness(options) {
     const paths = hostedStagingHarnessPaths(options.rootDir);
@@ -16,12 +16,16 @@ export function createFileBackedHostedStagingHarness(options) {
         queue,
         compactReportStore: reportStore,
         checkRunPublisher,
-        scanRunner: async ({ queueRecord }) => {
+        scanRunner: async (input) => {
+            const { queueRecord } = input;
             const sandboxPath = join(paths.workerSandboxRoot, safeFileSegment(queueRecord.key));
             workerSandboxPaths.add(sandboxPath);
             await mkdir(sandboxPath, { recursive: true });
-            await writeFile(join(sandboxPath, "source.ts"), options.scanResult.rawSource ?? "", "utf8");
-            return options.scanResult;
+            const scanResult = typeof options.scanResult === "function"
+                ? await options.scanResult(input)
+                : options.scanResult;
+            await writeFile(join(sandboxPath, "source.ts"), scanResult.rawSource ?? "", "utf8");
+            return scanResult;
         },
         now: options.now
     });
@@ -77,6 +81,7 @@ export function createFileBackedHostedStagingHarness(options) {
                 status: "failed",
                 errorClass: result.errorClass,
                 ...(result.reason === undefined ? {} : { reason: result.reason }),
+                ...(result.reason === undefined ? {} : { safeFailureReason: result.reason }),
                 workerSandboxDeleted: activeWorkerSandboxCount === 0,
                 activeWorkerSandboxCount,
                 cleanupVerified: (result.cleanup?.shouldDeleteWorkerCheckout ?? true) && activeWorkerSandboxCount === 0,
@@ -95,6 +100,171 @@ export function createHostedStagingHarnessEvidence(input) {
         owner: input.owner
     }));
 }
+export function validateHostedLogBoundary(input) {
+    const serializedSamples = input.samples.map((sample) => JSON.stringify(sample)).join("\n");
+    const blockedReasons = new Set();
+    markIfContains(blockedReasons, serializedSamples, input.forbidden.rawSource, "raw_source");
+    markIfContains(blockedReasons, serializedSamples, input.forbidden.rawDiff, "raw_diff");
+    markIfContainsAny(blockedReasons, serializedSamples, input.forbidden.secretValues, "secret_value");
+    markIfContainsAny(blockedReasons, serializedSamples, input.forbidden.customerPayloads, "customer_payload");
+    markIfContainsAny(blockedReasons, serializedSamples, input.forbidden.installationTokens, "installation_token");
+    markIfContainsAny(blockedReasons, serializedSamples, input.forbidden.checkoutPaths, "checkout_path");
+    markIfContainsAny(blockedReasons, serializedSamples, input.forbidden.privateUrls, "private_url");
+    markIfContainsAny(blockedReasons, serializedSamples, input.forbidden.untrustedPrText, "untrusted_pr_text");
+    if (/\bgh[opsu]_[A-Za-z0-9_]{8,}\b/.test(serializedSamples)) {
+        blockedReasons.add("installation_token");
+    }
+    if (/\b(?:sk_(?:live|test)|whsec_)[A-Za-z0-9_]+\b|-----BEGIN [A-Z ]+-----/.test(serializedSamples)) {
+        blockedReasons.add("secret_value");
+    }
+    return {
+        accepted: blockedReasons.size === 0,
+        sampleCount: input.samples.length,
+        blockedReasons: [...blockedReasons].sort(),
+        allowedFields: [
+            "scanKey",
+            "installationId",
+            "repositoryId",
+            "pullRequestNumber",
+            "headSha",
+            "scannerVersion",
+            "durationMs",
+            "summaryCounts",
+            "errorClass",
+            "cleanupStatus"
+        ],
+        privacy: hostedStagingHarnessPrivacy()
+    };
+}
+export function createHostedStagingReleaseEvidenceBundle(input) {
+    const externalEvidence = new Map(input.externalEvidence.map((evidence) => [evidence.id, sanitizeEvidence(evidence, input)]));
+    const scenarioSummary = hostedStagingScenarioSummary(input);
+    const evidence = HOSTED_OPERATIONAL_RELEASE_GATE_REQUIREMENTS.map((requirement) => {
+        const generated = generatedEvidenceFor(requirement.id, input, scenarioSummary);
+        return generated ?? externalEvidence.get(requirement.id) ?? missingEvidence(requirement.id, input);
+    });
+    const readyForReleaseGate = evidence.every((item) => item.status === "passed");
+    return {
+        readyForReleaseGate,
+        evidence,
+        releaseGateInput: { evidence },
+        scenarioSummary,
+        privacy: hostedStagingHarnessPrivacy()
+    };
+}
+export function evaluateHostedStagingReleaseEvidenceBundle(input) {
+    return evaluateHostedOperationalReleaseGate({
+        commitSha: input.commitSha,
+        scannerVersion: input.scannerVersion,
+        deploymentTarget: input.deploymentTarget,
+        evaluatedAt: input.evaluatedAt,
+        evidence: input.bundle.evidence,
+        releaseNotes: input.releaseNotes,
+        containerImageDigest: input.containerImageDigest,
+        maxEvidenceAgeDays: input.maxEvidenceAgeDays
+    });
+}
+function hostedStagingScenarioSummary(input) {
+    const processedWorkers = input.workerTicks.filter((tick) => tick.processed);
+    const webhookReplayAccepted = input.webhookReplays.some((replay) => replay.accepted && replay.queuedWorker && replay.shouldCreateCheckRun);
+    const completedWorkerProbe = processedWorkers.some((tick) => tick.status === "completed" && tick.cleanupVerified);
+    const observedFailureReasons = [
+        ...new Set(processedWorkers.flatMap((tick) => tick.status === "failed" && tick.cleanupVerified && tick.safeFailureReason
+            ? [tick.safeFailureReason]
+            : []))
+    ].sort();
+    const requiredFailureReasons = input.requiredFailureReasons ?? [];
+    const failureCleanupProbe = requiredFailureReasons.length
+        ? requiredFailureReasons.every((reason) => observedFailureReasons.includes(reason))
+        : processedWorkers.some((tick) => tick.status === "failed" && tick.cleanupVerified);
+    const allWorkerCheckoutsDeleted = processedWorkers.length > 0 &&
+        processedWorkers.every((tick) => tick.workerSandboxDeleted &&
+            tick.activeWorkerSandboxCount === 0 &&
+            tick.cleanupVerified);
+    return {
+        webhookReplayAccepted,
+        completedWorkerProbe,
+        failureCleanupProbe,
+        observedFailureReasons,
+        allWorkerCheckoutsDeleted,
+        logBoundaryAccepted: input.logBoundary.accepted
+    };
+}
+function generatedEvidenceFor(id, input, summary) {
+    if (id === "webhook_replay") {
+        return summary.webhookReplayAccepted
+            ? passedEvidence(id, "Signed webhook replay queued a check-run-only worker from trusted fields.", input)
+            : missingEvidence(id, input);
+    }
+    if (id === "queue_worker_cleanup") {
+        return summary.completedWorkerProbe &&
+            summary.failureCleanupProbe &&
+            summary.allWorkerCheckoutsDeleted
+            ? passedEvidence(id, "Success and failure worker probes deleted worker checkouts and recorded cleanup-safe status.", input)
+            : missingEvidence(id, input);
+    }
+    if (id === "privacy_retention") {
+        return input.logBoundary.sampleCount > 0 && summary.logBoundaryAccepted && privacyFlagsAreSafe(input)
+            ? passedEvidence(id, "Log boundary accepted safe metadata only and compact reports avoided raw payloads.", input)
+            : missingEvidence(id, input);
+    }
+    if (id === "release_cleanup") {
+        return summary.allWorkerCheckoutsDeleted
+            ? passedEvidence(id, "Release cleanup probe left no active staging worker sandbox entries.", input)
+            : missingEvidence(id, input);
+    }
+    return undefined;
+}
+function privacyFlagsAreSafe(input) {
+    const replayPrivacySafe = input.webhookReplays.every((replay) => Object.values(replay.privacy).every((value) => value === false));
+    const workerPrivacySafe = input.workerTicks.every((tick) => Object.values(tick.privacy).every((value) => value === false));
+    const logPrivacySafe = Object.values(input.logBoundary.privacy).every((value) => value === false);
+    return replayPrivacySafe && workerPrivacySafe && logPrivacySafe;
+}
+function sanitizeEvidence(evidence, input) {
+    return {
+        id: evidence.id,
+        status: evidence.status,
+        ...(evidence.collectedAt === undefined
+            ? { collectedAt: input.collectedAt }
+            : { collectedAt: evidence.collectedAt }),
+        ...(evidence.evidenceUrl === undefined ? {} : { evidenceUrl: evidence.evidenceUrl }),
+        note: `External release-gate evidence recorded for ${evidence.id}.`,
+        ...(evidence.owner === undefined ? { owner: input.owner } : { owner: evidence.owner })
+    };
+}
+function passedEvidence(id, note, input) {
+    return {
+        id,
+        status: "passed",
+        collectedAt: input.collectedAt,
+        evidenceUrl: evidenceUrlFor(input, id),
+        note,
+        owner: input.owner
+    };
+}
+function missingEvidence(id, input) {
+    return {
+        id,
+        status: "missing",
+        collectedAt: input.collectedAt,
+        note: `Missing executable staging evidence for ${id}.`,
+        owner: input.owner
+    };
+}
+function evidenceUrlFor(input, id) {
+    return `${input.evidenceBaseUrl.replace(/\/+$/, "")}/${id}.json`;
+}
+function markIfContains(blockedReasons, haystack, value, reason) {
+    if (value && haystack.includes(value)) {
+        blockedReasons.add(reason);
+    }
+}
+function markIfContainsAny(blockedReasons, haystack, values, reason) {
+    for (const value of values ?? []) {
+        markIfContains(blockedReasons, haystack, value, reason);
+    }
+}
 function hostedStagingHarnessPaths(rootDir) {
     const queueDir = join(rootDir, "queue");
     const reportDir = join(rootDir, "reports");

package/dist/hosted/worker.js

@@ -34,6 +34,9 @@ export async function runHostedReadOnlyCheckoutScan(input, options) {
     if (!plan.accepted || !plan.readOnly || !checkout || !cli || cli.writeMode !== "read_only") {
         throw new HostedReadOnlyCheckoutScanError("invalid_worker_plan");
     }
+    if (!isTrustedFixedReadOnlyPlan(input)) {
+        throw new HostedReadOnlyCheckoutScanError("invalid_worker_plan");
+    }
     const repository = parseRepositoryFullName(checkout.repositoryFullName);
     if (!repository) {
         throw new HostedReadOnlyCheckoutScanError("invalid_repository_full_name");
@@ -76,6 +79,7 @@ export async function runHostedReadOnlyCheckoutScan(input, options) {
         await runCommand(options, gitSecretEnv, commandSpec("git_fetch_head", gitCommand, ["fetch", "--no-tags", "--depth", String(fetchDepth), "origin", checkout.targetCommitSha], checkoutDir, gitEnv, timeoutMs, maxOutputBytes));
         await runCommand(options, gitSecretEnv, commandSpec("git_fetch_base", gitCommand, ["fetch", "--no-tags", "--depth", String(fetchDepth), "origin", checkout.baseSha], checkoutDir, gitEnv, timeoutMs, maxOutputBytes));
         await runCommand(options, gitSecretEnv, commandSpec("git_checkout", gitCommand, ["checkout", "--detach", checkout.targetCommitSha], checkoutDir, gitEnv, timeoutMs, maxOutputBytes));
+        await rm(askpassPath, { force: true });
         const cliEnv = safeWorkerEnv(checkoutDir);
         const cliArgs = cli.args.map((arg) => arg === "<worker-checkout>" ? checkoutDir : arg);
         const cliResult = await runCommand(options, {}, commandSpec("cli_scan", options.cliCommand ?? cli.command, cliArgs, checkoutDir, cliEnv, timeoutMs, maxOutputBytes));
@@ -143,6 +147,53 @@ function compactScanRunnerResult(stdout) {
         throw new HostedReadOnlyCheckoutScanError("invalid_cli_output");
     }
 }
+function isTrustedFixedReadOnlyPlan(input) {
+    const { plan, queueRecord } = input;
+    const { checkout, cli, installationTokenScope, output } = plan;
+    const identity = queueRecord.identity;
+    if (!checkout || !cli || !installationTokenScope || !output)
+        return false;
+    const expectedCliArgs = [
+        "pr-risk",
+        "--root",
+        "<worker-checkout>",
+        "--base",
+        identity.baseSha,
+        "--json"
+    ];
+    return (plan.jobKey === queueRecord.key &&
+        plan.readOnly === true &&
+        plan.shouldFetchSource === true &&
+        plan.shouldRunCli === true &&
+        plan.shouldPersistRawSource === false &&
+        plan.shouldPersistRawDiffs === false &&
+        plan.shouldCreatePrComment === false &&
+        installationTokenScope.installationId === identity.installationId &&
+        installationTokenScope.repositoryId === identity.repositoryId &&
+        installationTokenScope.permissions.contents === "read" &&
+        installationTokenScope.selectedRepositoryOnly === true &&
+        checkout.repositoryId === identity.repositoryId &&
+        checkout.repositoryFullName === identity.repositoryFullName &&
+        checkout.pullRequestNumber === identity.pullRequestNumber &&
+        checkout.baseSha === identity.baseSha &&
+        checkout.targetCommitSha === identity.headSha &&
+        checkout.directoryScope === "temporary_worker_directory" &&
+        checkout.cleanupRequired === true &&
+        checkout.returnsCheckoutPath === false &&
+        cli.command === "ai-saas-guard" &&
+        cli.workingDirectory === "<worker-checkout>" &&
+        cli.networkAccess === "disabled" &&
+        cli.writeMode === "read_only" &&
+        arraysEqual(cli.args, expectedCliArgs) &&
+        output.compactJsonOnly === true &&
+        output.persistRawSource === false &&
+        output.persistRawDiffs === false &&
+        output.persistSecrets === false &&
+        output.persistCustomerPayloads === false);
+}
+function arraysEqual(left, right) {
+    return left.length === right.length && left.every((value, index) => value === right[index]);
+}
 function compactFinding(value) {
     if (!isRecord(value))
         return [];

package/docs/README.zh-CN.md

@@ -169,18 +169,18 @@ node dist/cli.js scan --root /path/to/your-saas
 
 这个仓库是公开 GitHub 仓库。
 
-CLI 已发布到 npm：`ai-saas-guard@0.30.2`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.30.2`。
+CLI 已发布到 npm：`ai-saas-guard@0.32.0`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.32.0`。
 
 | 模块 | 状态 |
 | --- | --- |
 | 公开 GitHub 仓库 | 已可用 |
-| npm CLI | `ai-saas-guard@0.30.2` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.30.2` |
+| npm CLI | `ai-saas-guard@0.32.0` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.32.0` |
 | 输出格式 | 短 summary、Terminal、JSON、SARIF 和 PR markdown |
 | 项目配置 | `.ai-saas-guard.json` 支持规则开关、severity 覆盖、suppressions 和 fail threshold |
 | 隐私模型 | 本地优先、只读扫描、不调用 LLM、不上传代码 |
-| 当前版本 | `0.30.2` 做发布后质量优化：降低 Vercel/Actions 误报、增加 launch-gate 定位文档，并补 hosted worker 证据边界 |
-| Action 标签 | `v0.30.2`、`v0` |
+| 当前版本 | `0.32.0` 增加 deployed worker staging evidence：public HTTPS health validation、deployed 成功/失败 cleanup probes、log-boundary checks，以及针对 Node/container read-only checkout worker candidate 的 release-gate evaluation |
+| Action 标签 | `v0.32.0`、`v0` |
 | npm 发布 | GitHub Actions Trusted Publisher/OIDC，无需长期 npm token |
 | 仓库可信度加固 | 严格 branch protection、Dependabot、CodeQL、fast-check fuzzing、signed release provenance assets、private vulnerability reporting、secret scanning 和 push protection |
 | Cloudflare hosted ingress | 已部署到 `https://ai-saas-guard-hosted.zr9959.workers.dev`；签名 GitHub App webhook delivery 和 compact Check Run staging smoke 已通过 |
@@ -349,6 +349,7 @@ GitHub Marketplace wrapper 决策见 [docs/github-marketplace-wrapper-decision.m
 - [docs/hosted-node-container-app.md](hosted-node-container-app.md)
 - [docs/hosted-staging-deployment.md](hosted-staging-deployment.md)
 - [docs/hosted-staging-harness.md](hosted-staging-harness.md)
+- [docs/hosted-deployed-worker-staging.md](hosted-deployed-worker-staging.md)
 - [docs/hosted-operational-release-gate.md](hosted-operational-release-gate.md)
 - [docs/hosted-uninstall-data-deletion.md](hosted-uninstall-data-deletion.md)
 - [docs/hosted-pricing-packaging.md](hosted-pricing-packaging.md)
@@ -359,13 +360,14 @@ GitHub Marketplace wrapper 决策见 [docs/github-marketplace-wrapper-decision.m
 - pull request webhook intake planner：先验签，再解析 payload、生成可信 identity、校验 selected-repository scope，并默认只走 check-run-only 输出
 - durable scan queue planner：同一个 trusted scan key 的 queued/running/completed job 会复用，不重复排 worker，也不会把源码、diff、secret 或 PR 正文放进队列 payload
 - worker read-only scan planner：只用 trusted identity 规划临时 worker checkout，要求 repository `contents: read`，固定运行 `ai-saas-guard pr-risk --json`，并忽略 PR 正文里的 repo 名、token scope 或命令
-- hosted read-only checkout worker：`ai-saas-guard/hosted/worker` 导出 `createHostedReadOnlyCheckoutScanRunner`，从 trusted GitHub App identity 创建临时 checkout，只通过 git askpass 使用 runtime installation token，运行固定 `ai-saas-guard pr-risk --json`，把 CLI JSON 转成 compact findings，并在成功或失败后删除 checkout；不会返回源码、diff、secret、checkout path、PR 里写的命令或 installation token
+- hosted read-only checkout worker：`ai-saas-guard/hosted/worker` 导出 `createHostedReadOnlyCheckoutScanRunner`，从 trusted GitHub App identity 创建临时 checkout，只通过 git askpass 使用 runtime installation token，在 CLI 阶段前移除 askpass material，拒绝被篡改的 command/checkout/token-scope plan，运行固定 `ai-saas-guard pr-risk --json`，把 CLI JSON 转成 compact findings，并在成功或失败后删除 checkout；不会返回源码、diff、secret、checkout path、PR 里写的命令或 installation token
 - hosted service runtime：`ai-saas-guard/hosted/service` 导出 `createHostedServiceRuntime`，把签名 webhook intake、幂等 queue upsert、read-only worker 编排、compact report 存储、Check Run 发布 adapter 和 worker cleanup 串成可测试的服务核心；它本身不部署公开 hosted 环境
 - GitHub App deployment planner：`ai-saas-guard/hosted/github-app` 导出 `planHostedGitHubAppDeployment`，生成 first slice 最小权限 manifest，并在 release gate、公开 HTTPS URL、container digest、secret 引用、原始 secret 输入、permission 或 event 不安全时阻止创建
 - Hosted production adapter layer：`ai-saas-guard/hosted/production-adapters` 导出 `createHostedGitHubAppJwt`、`planHostedGitHubInstallationTokenRequest` 和 `planHostedProductionWorkerExecution`，用于 GitHub App RS256 JWT、selected-repository installation token 请求规划、worker/check-run 分离 token scope、固定只读 worker 命令、timeout/output 预算、compact JSON-only 输出，以及 success/failure/timeout/cancellation 的 cleanup 规划；它本身仍然不部署公开 hosted 服务
 - Hosted Node/container app skeleton：`ai-saas-guard/hosted/app` 导出 `createHostedHttpApp`、`createInMemoryHostedAppPlatform`、`createHostedNodeCheckoutAppPlatform` 和 `planHostedNodeContainerDeployment`，提供安全 `/healthz`、签名 `/github/webhook` ingress、单 job worker tick、测试用 in-memory provider adapters、真实 read-only checkout worker 组合入口、可见 timeout/output 安全预算，以及 secret manager、queue、compact report store、worker sandbox、GitHub Checks publisher 的部署引用校验；它本身仍然不部署或暴露公开 hosted 服务
 - Hosted staging deployment planner：`ai-saas-guard/hosted/staging` 导出 `planHostedProviderBinding`、`planHostedStagingDeployment` 和 `planHostedGitHubAppPromotion`，把真实 provider 引用、Node/container deployment plan、hosted operational release-gate evidence 和 GitHub App deployment planning 组合起来；缺少 queue、store、worker sandbox、Check Run publisher、logs、metrics、rollback 或 incident-response 引用时，会阻止 staging exposure 和 production promotion；它本身仍然不会调用云平台、创建 GitHub App 或暴露公开 hosted 服务
-- Hosted staging harness：`ai-saas-guard/hosted/staging-harness` 导出 `createFileBackedHostedStagingHarness` 和 `createHostedStagingHarnessEvidence`，可以在本地用 file-backed queue、compact report、Check Run request 和 worker sandbox 跑通签名 webhook replay、worker tick 和 cleanup 校验；它只是 staging 演练工具，不会调用云平台、创建 GitHub App、写真实 Check Run 或暴露公开 hosted 服务
+- Hosted staging harness：`ai-saas-guard/hosted/staging-harness` 导出 `createFileBackedHostedStagingHarness`、`createHostedStagingHarnessEvidence`、`createHostedStagingReleaseEvidenceBundle`、`evaluateHostedStagingReleaseEvidenceBundle` 和 `validateHostedLogBoundary`，可以在本地用 file-backed queue、compact report、Check Run request 和 worker sandbox 跑通签名 webhook replay、worker tick 和 cleanup 校验，把 success/failure cleanup probes 与 log-boundary samples 转成 release-gate evidence，并直接执行 hosted release gate 判断；它只是 staging 演练工具，不会调用云平台、创建 GitHub App、写真实 Check Run 或暴露公开 hosted 服务
+- Deployed worker staging evidence：`ai-saas-guard/hosted/deployed-staging` 导出 `createHostedDeployedWorkerStagingEvidenceBundle` 和 `evaluateHostedDeployedWorkerStagingReleaseGate`，把 public HTTPS health、signed webhook replay、deployed worker cleanup、log-boundary samples 以及外部 CI/scan/rollback evidence 转成 hosted release gate evidence；它不会部署云资源，也不会宣称 production hosted exposure
 - Cloudflare hosted ingress：`hosted/cloudflare-worker` 已部署到 `https://ai-saas-guard-hosted.zr9959.workers.dev`，提供 `/healthz`、`/github/app/manifest-callback` 和签名 `/github/webhook` intake；Worker 已具备 compact pull request identity、file/category risk signal 和 Check Run metadata 路径；staging GitHub App ID 为 `3834787`，installation ID 为 `135085075`；真实 GitHub App webhook delivery 和 Check Run smoke 已通过；完整 source checkout worker deployment、monitoring、rollback 和 incident-response evidence 仍需要通过 hosted operational release gate
 - webhook event parser
 - check-run summary renderer

package/docs/hosted-deployed-worker-staging.md

@@ -0,0 +1,72 @@
+# Hosted Deployed Worker Staging Evidence
+
+This document describes the deployed worker staging evidence helper implemented in `src/hosted/deployed-staging.ts`.
+
+The package exports `ai-saas-guard/hosted/deployed-staging` with:
+
+- `createHostedDeployedWorkerStagingEvidenceBundle`
+- `evaluateHostedDeployedWorkerStagingReleaseGate`
+
+The helper is for a deployed Node/container read-only checkout worker release candidate. It turns safe deployment observations into the same hosted operational release-gate evidence used by the rest of the hosted planning layer.
+
+It does not deploy cloud resources, create a GitHub App, call GitHub, fetch repositories, upload source code, or publish Check Runs by itself. It is not production hosted exposure. It records whether a deployed staging candidate has enough public-safe evidence to pass the hosted release gate.
+
+## Inputs
+
+`createHostedDeployedWorkerStagingEvidenceBundle` expects only bounded evidence:
+
+- public HTTPS health probe metadata from the deployed Node/container app
+- signed webhook replay summaries
+- deployed worker success and failure cleanup summaries
+- log-boundary validation output
+- external evidence for CI, workflow static checks, dependency/container scans, monitoring, rollback, and incident response
+- scanner version, collected timestamp, evidence URL base, and evidence owner
+
+The public HTTPS health probe must show:
+
+- HTTP `200`
+- `ok: true`
+- `platform: "node_container"`
+- both `webhook-ingress` and `scan-worker` roles
+- a scanner version matching the release candidate
+- privacy flags set to false for raw webhook payloads, PR text, source, diffs, secrets, customer payloads, checkout paths, and installation tokens
+
+The helper requires a public HTTPS URL for both the deployed ingress and the evidence base. Localhost, private IPs, link-local addresses, non-HTTPS URLs, file URLs, URL credentials, query strings, and fragments are rejected for deployed staging evidence.
+
+## Generated Evidence
+
+The bundle generates deployed evidence for these hosted gate IDs when the probes are complete:
+
+- `webhook_replay`: deployed staging ingress accepted a signed webhook and queued check-run-only work
+- `queue_worker_cleanup`: deployed worker success and failure probes completed and deleted worker checkouts
+- `privacy_retention`: deployed log samples stayed within the safe metadata boundary
+- `release_cleanup`: no deployed worker checkout entries remained active after release probes
+
+Other gate IDs still come from external evidence because they belong to CI, workflow analysis, dependency/container scan, monitoring, rollback, and incident-response systems.
+
+## Blocking Behavior
+
+The helper blocks release-gate readiness when deployed evidence is incomplete. Common blocked reasons include:
+
+- `invalid_public_base_url`
+- `unsafe_evidence_base_url`
+- `health_scanner_version_mismatch`
+- `health_missing_scan_worker_role`
+- `health_privacy_flags_unsafe`
+- `worker_failure_cleanup_probe_missing`
+- `worker_cleanup_not_verified`
+- `log_boundary_rejected`
+
+Blocked output remains public-safe. It does not return the raw health body, public base URL, raw webhook payload, untrusted PR text, raw source, raw diffs, secrets, customer payloads, private checkout paths, or installation tokens.
+
+## Release Gate
+
+`evaluateHostedDeployedWorkerStagingReleaseGate` passes the generated bundle to the hosted operational release gate with the release commit, scanner version, deployment target, container digest, and release notes.
+
+The evaluator still blocks hosted exposure unless every P0 evidence row is fresh, the deployed artifact has a `sha256:<digest>` container image digest, and release notes avoid positive pentest, certification, and full-audit claims. Wording such as "not a pentest, certification, or full security audit" remains allowed.
+
+## Boundary
+
+This helper narrows the gap between local source-candidate rehearsals and deployed staging evidence. It is still deterministic and local-first: callers collect evidence outside the package and pass only safe summaries into the helper.
+
+It is not a pentest, full audit, or certification. It is not production hosted exposure. It does not prove customer SaaS apps are secure. It only helps decide whether the hosted worker release candidate has enough operational evidence to be exposed for the next staged rollout step.

package/docs/hosted-operational-release-gate.md

@@ -40,7 +40,11 @@ Every hosted release must record:
 
 The current public package release is still a local CLI and pure hosted-contract release. No hosted production environment is exposed by this release.
 
-The pure evaluator `evaluateHostedOperationalReleaseGate` and the exported `HOSTED_OPERATIONAL_RELEASE_GATE_REQUIREMENTS` list make the gate machine-checkable for the next hosted service stage. The evaluator blocks hosted exposure unless every P0 item has fresh evidence, a `sha256:<digest>` container image digest is recorded, and release notes avoid positive pentest, certification, and full-audit claims. Explicit wording such as "not a pentest, certification, or full security audit" remains allowed.
+The pure evaluator `evaluateHostedOperationalReleaseGate` and the exported `HOSTED_OPERATIONAL_RELEASE_GATE_REQUIREMENTS` list make the gate machine-checkable for the next hosted service stage. The staging harness also exports `createHostedStagingReleaseEvidenceBundle`, `evaluateHostedStagingReleaseEvidenceBundle`, and `validateHostedLogBoundary` so source-candidate rehearsals can turn webhook replay, success/failure cleanup probes, required safe failure reasons, and log samples into an executable gate decision.
+
+Deployed worker staging evidence is documented in [hosted-deployed-worker-staging.md](hosted-deployed-worker-staging.md). The `ai-saas-guard/hosted/deployed-staging` export adds `createHostedDeployedWorkerStagingEvidenceBundle` and `evaluateHostedDeployedWorkerStagingReleaseGate` so a deployed Node/container read-only checkout worker candidate can turn public HTTPS health, signed webhook replay, deployed success/failure cleanup probes, log-boundary samples, and external CI/scan/rollback evidence into this same gate. It does not deploy cloud resources and is not production hosted exposure.
+
+The evaluator blocks hosted exposure unless every P0 item has fresh evidence, a `sha256:<digest>` container image digest is recorded, and release notes avoid positive pentest, certification, and full-audit claims. Explicit wording such as "not a pentest, certification, or full security audit" remains allowed.
 
 Source-level evidence notes for this release candidate:
 
@@ -48,12 +52,12 @@ Source-level evidence notes for this release candidate:
 | --- | --- | --- | --- |
 | `clean_ci` | Clean install, tests, build, CLI help, JSON/SARIF scan, PR-risk, npm audit, pack dry-run | Local release gate plus GitHub Actions CI run from the release commit | Passed for source package |
 | `hosted_contract_tests` | Hosted contract tests for webhook, scope, queue, worker, check summaries, cleanup, retention, and release gate evaluation | `tests/hosted-contracts.test.mjs` | Passed for pure contracts |
-| `webhook_replay` | Valid events queue work; invalid, missing, malformed, replayed, removed, and non-installed events queue nothing | Pure replay coverage in hosted webhook intake tests | Passed for pure contracts; must replay against deployed ingress before exposure |
+| `webhook_replay` | Valid events queue work; invalid, missing, malformed, replayed, removed, and non-installed events queue nothing | Pure replay coverage in hosted webhook intake tests plus deployed worker staging evidence helper | Passed for pure contracts; deployed helper can record public HTTPS staging replay before exposure |
 | `workflow_static_checks` | GitHub Actions static analysis | `actionlint` and `uvx zizmor --offline .github/workflows` | Passed for repository workflows |
 | `dependency_scan` | Dependency scan has no unresolved high or critical production findings | `npm audit --audit-level=high --registry=https://registry.npmjs.org` | Passed for source package |
 | `container_scan` | Container image scan has no unresolved high or critical runtime-layer findings | No hosted container image exists in the public package release | Not applicable to current non-hosted release; required before hosted exposure |
-| `queue_worker_cleanup` | Queue dedupe, running cancellation, terminal cleanup, worker checkout deletion, and no long-running processes | Pure queue, worker, checkout, and retention cleanup planner tests | Passed for pure contracts; must verify against deployed queue and worker before exposure |
-| `privacy_retention` | No raw source, raw diffs, secrets, customer payloads, private URLs, or full file contents; retention and uninstall cleanup are proven | Compact report, Check Run publication, retention/deletion cleanup, and docs tests | Passed for pure contracts; log sampling still required before exposure |
+| `queue_worker_cleanup` | Queue dedupe, running cancellation, terminal cleanup, worker checkout deletion, and no long-running processes | Pure queue, worker, checkout, retention cleanup planner tests, staging harness success/failure cleanup probes, and deployed worker staging cleanup evidence helper | Passed for source candidate; deployed helper can record success/failure cleanup before exposure |
+| `privacy_retention` | No raw source, raw diffs, secrets, customer payloads, private URLs, or full file contents; retention and uninstall cleanup are proven | Compact report, Check Run publication, retention/deletion cleanup, docs tests, `validateHostedLogBoundary` source-candidate log checks, and deployed log-boundary staging evidence | Passed for source candidate; deployed log sampling still required before exposure |
 | `monitoring_alerting` | Ingress, queue depth, worker failures, Check Run failures, cleanup failures, retention failures, and credential rotation alerts | Required alert list remains in this document | Documented; must attach provider evidence before exposure |
 | `manual_rollback` | Worker pause, previous artifact redeploy, queue resume, controlled ingress failure, and affected Check Run identification | Manual rollback procedure remains in this document | Documented; must execute against deployed artifact before exposure |
 | `incident_response` | Owner, backup, credential rotation, queue pause, customer communication, status path, and privacy-safe evidence collection | Incident response checklist remains in this document | Documented; must name live owners before exposure |
@@ -148,6 +152,7 @@ Required proof:
 - runtime credentials reach git through temporary askpass material only.
 - the CLI phase runs after credential material is removed from the environment.
 - the worker command is fixed to the deterministic read-only `pr-risk --json` shape.
+- the worker rejects accepted-looking plans if command, checkout identity, or token scope differs from trusted GitHub event identity.
 - success deletes the worker checkout, askpass material, generated JSON/SARIF scratch files, and local package tarballs.
 - failure cleanup covers clone failure, timeout, CLI failure, malformed JSON output, Check Run write failure, cancellation, and process interruption.
 - cleanup failures create an operator-review event without returning raw source, raw diffs, installation tokens, checkout paths, private URLs, or low-level filesystem errors to users.

package/docs/hosted-operations-evidence.md

@@ -29,6 +29,10 @@ The hosted release gate still requires fresh deployed evidence for:
 - dependency and container artifact scanning for the deployed worker image
 - retention and uninstall cleanup against the deployed provider stores
 
+Source-candidate executable evidence now exists in `ai-saas-guard/hosted/staging-harness`: `createHostedStagingReleaseEvidenceBundle` combines signed webhook replay, success and failure cleanup probes, safe worker failure reasons, and `validateHostedLogBoundary` samples into hosted release-gate evidence, then `evaluateHostedStagingReleaseEvidenceBundle` runs the same gate evaluator used by deployment planning. This improves local release readiness, but it is still not production hosted exposure and does not replace deployed worker, logging, metrics, rollback, incident-response, dependency, or container evidence.
+
+Deployed worker staging evidence now has its own helper in `ai-saas-guard/hosted/deployed-staging`: `createHostedDeployedWorkerStagingEvidenceBundle` accepts public HTTPS health, deployed webhook replay, worker cleanup, log-boundary, and external CI/scan/rollback evidence summaries, then `evaluateHostedDeployedWorkerStagingReleaseGate` evaluates the same hosted release gate. Use [hosted-deployed-worker-staging.md](hosted-deployed-worker-staging.md) before exposing a Node/container read-only checkout worker beyond staging.
+
 ## Read-Only Checkout Worker Evidence Checklist
 
 Before any hosted source checkout worker is exposed beyond staging, attach fresh evidence for each row below. The current Cloudflare ingress evidence above does not satisfy these rows because it publishes compact PR-risk signals without running a full source checkout scan worker.
@@ -37,7 +41,7 @@ Before any hosted source checkout worker is exposed beyond staging, attach fresh
 | --- | --- | --- |
 | Trusted checkout identity | Worker input is derived from signed GitHub event identity, selected-repository installation scope, and repository `contents: read`; PR title, body, branch names, README, and code cannot choose the repository, token scope, checkout path, or command | Required |
 | Runtime credential boundary | Installation credentials are passed to git only through temporary askpass material, are removed before the CLI scan phase, and are never returned in worker output, compact reports, Check Runs, or logs | Required |
-| Fixed scanner command | Worker runs the fixed read-only command shape `ai-saas-guard pr-risk --root <worker-checkout> --base <trusted-base-sha> --json` without shell parsing or PR-authored arguments | Required |
+| Fixed scanner command | Worker runs the fixed read-only command shape `ai-saas-guard pr-risk --root <worker-checkout> --base <trusted-base-sha> --json` without shell parsing or PR-authored arguments, and rejects command, checkout, or token-scope mutations before running git | Required |
 | Success cleanup | A successful worker run deletes the checkout directory, askpass material, generated JSON/SARIF scratch files, and any local package tarballs | Required |
 | Failure cleanup | A failed clone, timeout, CLI non-zero exit, malformed JSON output, Check Run write failure, cancellation, or process interruption still attempts checkout deletion and records only a safe cleanup status | Required |
 | Log boundary | Logs may include scan key, installation ID, repository ID, PR number, head SHA, scanner version, duration, summary counts, error class, and cleanup status; logs must include no raw source, no raw diffs, no secrets, no installation tokens, no customer payloads, no private URLs, and no checkout paths | Required |

package/docs/hosted-preimplementation-contracts.md

@@ -2,7 +2,7 @@
 
 This document collects pure hosted contracts that can be tested before any hosted GitHub App service is deployed. These contracts keep the hosted design inspectable, local-first, and implementation-ready without adding network calls, credentials, queues, workers, or GitHub API writes. They are no network calls contracts by design.
 
-The helpers live in `src/hosted/contracts.ts` and are exported from `ai-saas-guard/hosted/contracts`. The production adapter plans live in `src/hosted/production-adapters.ts` and are exported from `ai-saas-guard/hosted/production-adapters`. The Node/container app skeleton lives in `src/hosted/app.ts` and is exported from `ai-saas-guard/hosted/app`. The concrete read-only checkout worker runner lives in `src/hosted/worker.ts` and is exported from `ai-saas-guard/hosted/worker`. The staging deployment planner lives in `src/hosted/staging.ts` and is exported from `ai-saas-guard/hosted/staging`. The local staging harness lives in `src/hosted/staging-harness.ts` and is exported from `ai-saas-guard/hosted/staging-harness`.
+The helpers live in `src/hosted/contracts.ts` and are exported from `ai-saas-guard/hosted/contracts`. The production adapter plans live in `src/hosted/production-adapters.ts` and are exported from `ai-saas-guard/hosted/production-adapters`. The Node/container app skeleton lives in `src/hosted/app.ts` and is exported from `ai-saas-guard/hosted/app`. The concrete read-only checkout worker runner lives in `src/hosted/worker.ts` and is exported from `ai-saas-guard/hosted/worker`. The staging deployment planner lives in `src/hosted/staging.ts` and is exported from `ai-saas-guard/hosted/staging`. The local staging harness lives in `src/hosted/staging-harness.ts` and is exported from `ai-saas-guard/hosted/staging-harness`. The deployed worker staging evidence helper lives in `src/hosted/deployed-staging.ts` and is exported from `ai-saas-guard/hosted/deployed-staging`.
 
 ## Pull Request Webhook Intake Planner
 
@@ -79,6 +79,8 @@ Default behavior:
 - derive the GitHub clone URL only from trusted repository identity
 - require a runtime installation token provider and keep the token out of command arguments, returned results, compact reports, and serialized plans
 - pass the installation token to git only through a temporary askpass helper inside the worker checkout
+- remove askpass material before the CLI phase starts
+- reject accepted-looking plans when command, checkout identity, or token scope differs from the trusted worker plan
 - run `git init`, add the trusted remote, fetch the trusted head and base SHAs with bounded depth, and checkout the trusted head SHA
 - run the fixed `ai-saas-guard pr-risk --root <worker-checkout> --base <baseSha> --json` command without shell parsing
 - cap command timeout and output bytes
@@ -174,6 +176,9 @@ Default behavior:
 - create a temporary worker sandbox during the scan runner phase
 - remove worker sandbox contents before returning the worker result
 - create hosted operational release-gate evidence fixtures with the same shape required by the deployment gate
+- turn success and failure cleanup probes into executable release-gate evidence
+- validate log boundaries without returning sampled log lines or forbidden values
+- evaluate the hosted release gate directly from the generated evidence bundle
 
 Privacy boundaries:
 
@@ -181,7 +186,7 @@ Privacy boundaries:
 - result objects do not include raw webhook payloads, untrusted PR text, raw source, raw diffs, secrets, customer payloads, checkout paths, or installation tokens
 - local evidence is labeled as harness evidence and must not be used to claim live hosted exposure
 
-The exported helpers are `createFileBackedHostedStagingHarness` and `createHostedStagingHarnessEvidence`.
+The exported helpers are `createFileBackedHostedStagingHarness`, `createHostedStagingHarnessEvidence`, `createHostedStagingReleaseEvidenceBundle`, `evaluateHostedStagingReleaseEvidenceBundle`, and `validateHostedLogBoundary`.
 
 ## Webhook Event Parser
 

package/docs/hosted-staging-harness.md

@@ -10,6 +10,9 @@ The package exports `ai-saas-guard/hosted/staging-harness` with:
 
 - `createFileBackedHostedStagingHarness`
 - `createHostedStagingHarnessEvidence`
+- `createHostedStagingReleaseEvidenceBundle`
+- `evaluateHostedStagingReleaseEvidenceBundle`
+- `validateHostedLogBoundary`
 
 The harness composes the hosted service runtime with local adapters:
 
@@ -20,6 +23,8 @@ The harness composes the hosted service runtime with local adapters:
 - a temporary worker sandbox under `worker-sandbox/`
 - cleanup verification after a worker tick
 - local hosted release-gate evidence fixtures
+- executable evidence bundles for success and failure cleanup probes
+- log boundary validation for safe hosted metadata samples
 
 ## Replay Flow
 
@@ -39,6 +44,35 @@ Invalid signatures stop at the signature stage and create no queue, report, or C
 
 The generated notes are explicit that the evidence is local harness evidence, not hosted exposure.
 
+## Executable Evidence Bundle
+
+`createHostedStagingReleaseEvidenceBundle` turns concrete harness results into release-gate evidence:
+
+- signed webhook replay must queue a check-run-only worker from trusted GitHub event fields
+- worker success must delete the worker sandbox
+- worker failure must still delete the worker sandbox and expose only a safe failure reason
+- callers can require explicit failure reasons such as checkout failure, CLI failure, malformed output, Check Run publication failure, timeout, and cancellation before cleanup evidence passes
+- log boundary validation must pass before `privacy_retention` is marked passed
+- external evidence is still required for CI, workflow static checks, dependency scan, container scan, monitoring, rollback, and incident response
+
+`evaluateHostedStagingReleaseEvidenceBundle` passes that bundle into the hosted operational release gate evaluator with the release commit, scanner version, deployment target, container digest, and release notes. This makes the local staging gate executable instead of a hand-maintained checklist.
+
+The bundle is still source-candidate evidence. It does not prove a deployed hosted service is ready, and it does not replace deployed provider evidence.
+
+## Log Boundary Validation
+
+`validateHostedLogBoundary` accepts sampled log metadata and a forbidden-value list for raw source, raw diffs, secret values, customer payloads, installation tokens, checkout paths, private URLs, and untrusted PR prose.
+
+The returned result contains only:
+
+- pass/fail status
+- blocked reason IDs
+- sample count
+- allowed field names
+- privacy flags
+
+It does not return the sampled log lines or the forbidden values. This keeps the evidence useful while avoiding accidental leakage in release notes, compact reports, or Check Runs.
+
 ## Privacy
 
 The harness returns safe status objects and compact artifacts only.
@@ -58,6 +92,6 @@ The worker sandbox may contain temporary scan input during a worker tick. The ha
 
 ## Current Status
 
-The repository can now run a local staging rehearsal across webhook intake, queue persistence, worker execution, compact report storage, Check Run publication, and worker cleanup.
+The repository can now run a local staging rehearsal across webhook intake, queue persistence, worker execution, compact report storage, Check Run publication, worker cleanup, success and failure cleanup probes, log boundary validation, and executable release-gate evaluation from the generated evidence bundle.
 
 This still is not a live hosted service. A real staging environment still requires deployed platform infrastructure, public HTTPS ingress, platform secret references, durable queue/storage resources, worker isolation, GitHub Checks runtime credentials, monitoring, rollback evidence, and incident-response evidence collected from the deployed artifact.

package/docs/npm-publishing.md

@@ -5,11 +5,11 @@
 ## Current State
 
 - Package name: `ai-saas-guard`
-- Current published version: `0.30.2`
+- Current published version: `0.32.0`
 - Next source candidate: none
 - npm registry state: published at <https://www.npmjs.com/package/ai-saas-guard>
 - First npm-published version: `0.1.1`
-- GitHub Release: `v0.30.2`
+- GitHub Release: `v0.32.0`
 - Publish workflow: `.github/workflows/npm-publish.yml`
 - Trusted Publisher: GitHub Actions, `zr9959/ai-saas-guard`, workflow `npm-publish.yml`, allowed action `npm publish`
 - Long-lived npm publish token: not required
@@ -18,7 +18,7 @@
 
 Use GitHub Actions with npm Trusted Publisher/OIDC:
 
-1. Create and review a release tag such as `v0.30.2`.
+1. Create and review a release tag such as `v0.32.0`.
 2. Publish from the GitHub Release or run the `Publish npm` workflow manually with `ref` set to that tag.
 3. Keep `permissions.id-token: write` in the workflow so npm can exchange the GitHub Actions OIDC identity for a short-lived publish credential.
 4. Run `npm publish --access public` from the workflow. Trusted publishing automatically generates provenance for this public package from this public repository.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-saas-guard",
-  "version": "0.30.2",
+  "version": "0.32.0",
   "description": "Local-first CLI that catches launch blockers in AI-built Next.js/Supabase/Stripe SaaS apps.",
   "readmeFilename": "README.md",
   "type": "module",
@@ -70,6 +70,10 @@
       "types": "./dist/hosted/staging-harness.d.ts",
       "default": "./dist/hosted/staging-harness.js"
     },
+    "./hosted/deployed-staging": {
+      "types": "./dist/hosted/deployed-staging.d.ts",
+      "default": "./dist/hosted/deployed-staging.js"
+    },
     "./hosted/worker": {
       "types": "./dist/hosted/worker.d.ts",
       "default": "./dist/hosted/worker.js"