ai-saas-guard 0.31.0 → 0.32.0

package/README.md

@@ -187,13 +187,13 @@ The CLI is published on npm as `ai-saas-guard`, and the GitHub Action is availab
 | Area | Status |
 | --- | --- |
 | Public GitHub repository | Available |
-| npm CLI | `ai-saas-guard@0.31.0` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.31.0` |
+| npm CLI | `ai-saas-guard@0.32.0` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.32.0` |
 | Outputs | Short summary, terminal, JSON, SARIF, and PR-focused markdown |
 | Project config | `.ai-saas-guard.json` rule toggles, severity overrides, suppressions, and fail thresholds |
 | Privacy model | Local-first, read-only scan commands, no LLM calls, no code upload |
-| Versioned Action tags | `v0.31.0`, `v0` |
-| Current release | `0.31.0` adds executable hosted staging evidence: success/failure cleanup probes, log-boundary validation, stricter read-only checkout worker boundaries, and release-gate evaluation from evidence bundles |
+| Versioned Action tags | `v0.32.0`, `v0` |
+| Current release | `0.32.0` adds deployed worker staging evidence: public HTTPS health validation, deployed success/failure cleanup probes, log-boundary checks, and release-gate evaluation for a Node/container read-only checkout worker candidate |
 | npm publishing | Trusted Publisher/OIDC, no long-lived publish token |
 | Repository trust hardening | Strict branch protection, Dependabot, CodeQL, fast-check fuzzing, signed release provenance assets, private vulnerability reporting, secret scanning, and push protection |
 | Cloudflare hosted ingress | Deployed at `https://ai-saas-guard-hosted.zr9959.workers.dev`; signed GitHub App webhook delivery and compact Check Run smoke now pass in staging |
@@ -312,6 +312,8 @@ The hosted staging deployment planner is documented in [docs/hosted-staging-depl
 
 The hosted staging harness is documented in [docs/hosted-staging-harness.md](docs/hosted-staging-harness.md). It exports `createFileBackedHostedStagingHarness`, `createHostedStagingHarnessEvidence`, `createHostedStagingReleaseEvidenceBundle`, `evaluateHostedStagingReleaseEvidenceBundle`, and `validateHostedLogBoundary` from `ai-saas-guard/hosted/staging-harness`. It runs signed webhook replay through the provider-independent hosted runtime with local file-backed queue, compact report, and Check Run adapters, verifies worker sandbox cleanup, turns success/failure cleanup probes plus log-boundary samples into release-gate evidence, and evaluates the hosted gate without cloud calls. It is a staging rehearsal tool only; it does not call cloud providers, create a GitHub App, publish live Check Runs, or expose a public hosted service.
 
+Deployed worker staging evidence is documented in [docs/hosted-deployed-worker-staging.md](docs/hosted-deployed-worker-staging.md). It exports `createHostedDeployedWorkerStagingEvidenceBundle` and `evaluateHostedDeployedWorkerStagingReleaseGate` from `ai-saas-guard/hosted/deployed-staging`. It turns public HTTPS health, signed webhook replay, deployed worker cleanup, log-boundary samples, and external CI/scan/rollback evidence into the hosted release gate for a Node/container read-only checkout worker candidate. It does not deploy cloud resources or claim production hosted exposure.
+
 The first live hosted ingress is deployed on Cloudflare Workers at `https://ai-saas-guard-hosted.zr9959.workers.dev` and documented in [hosted/cloudflare-worker/README.md](hosted/cloudflare-worker/README.md). It exposes `/healthz`, `/github/app/manifest-callback`, and signed `/github/webhook` intake backed by Cloudflare KV. A private staging GitHub App, `ai-saas-guard-hosted`, is installed on `zr9959/ai-saas-guard` with selected-repository access and the first-slice permission contract. The Worker verifies signatures, stores compact pull request identity records, exchanges a scoped installation token, fetches PR file metadata from GitHub, classifies PR-risk hotspots, and publishes a bounded Check Run summary. Current deployed evidence is tracked in [docs/hosted-operations-evidence.md](docs/hosted-operations-evidence.md): health, signed webhook delivery, compact KV records, cleanup, and Check Run publication pass for the staging smoke. The Cloudflare Worker still does not run a full source checkout scan worker or store raw webhook payloads, PR title/body text, raw diffs, source, secrets, checkout paths, or installation tokens.
 
 The hosted operational release gate is documented in [docs/hosted-operational-release-gate.md](docs/hosted-operational-release-gate.md). It defines the hosted-specific CI, replay, queue, worker cleanup, privacy, monitoring, rollback, and incident-response evidence required before any hosted environment is exposed to users. The pure gate evaluator exported from `ai-saas-guard/hosted/contracts` blocks hosted exposure unless every P0 evidence item is fresh, a container digest is recorded, and release notes avoid pentest, certification, and full-audit claims.
@@ -320,7 +322,7 @@ Hosted uninstall and data deletion behavior is documented in [docs/hosted-uninst
 
 Hosted pricing and packaging boundaries are documented in [docs/hosted-pricing-packaging.md](docs/hosted-pricing-packaging.md). Core local scanning stays useful without an account; hosted plans may add workflow convenience, saved reports, team policy, and optional human review, but they do not gate local CLI scanning.
 
-Hosted pre-implementation pure contracts are documented in [docs/hosted-preimplementation-contracts.md](docs/hosted-preimplementation-contracts.md). They now include a pull request webhook intake planner that verifies signatures before parsing or queueing, a durable scan queue planner that reuses queued, running, and completed jobs for the same trusted scan key, a worker read-only scan planner that fixes the CLI command and requires repository `contents: read`, a concrete Node read-only checkout scan runner, and a Check Run publication planner that requires repository `checks: write` and builds bounded check-only payloads from compact reports. They also cover queue-safe webhook event parsing, bounded check-run summary rendering, idempotent queue cleanup planning, worker checkout cleanup planning, a retention/deletion cleanup planner, an operational release gate evaluator, the production adapter plans needed for GitHub App auth and bounded worker execution, the Node/container app skeleton needed for real provider wiring, the staging deployment planner needed before production GitHub App promotion, and the local staging harness needed to rehearse webhook replay, persistence, publication, and cleanup without cloud calls. The service runtime composes these contracts behind replaceable adapters. PR comments remain a later workflow or paid hosted feature, not part of the hosted MVP contract.
+Hosted pre-implementation pure contracts are documented in [docs/hosted-preimplementation-contracts.md](docs/hosted-preimplementation-contracts.md). They now include a pull request webhook intake planner that verifies signatures before parsing or queueing, a durable scan queue planner that reuses queued, running, and completed jobs for the same trusted scan key, a worker read-only scan planner that fixes the CLI command and requires repository `contents: read`, a concrete Node read-only checkout scan runner, and a Check Run publication planner that requires repository `checks: write` and builds bounded check-only payloads from compact reports. They also cover queue-safe webhook event parsing, bounded check-run summary rendering, idempotent queue cleanup planning, worker checkout cleanup planning, a retention/deletion cleanup planner, an operational release gate evaluator, the production adapter plans needed for GitHub App auth and bounded worker execution, the Node/container app skeleton needed for real provider wiring, the staging deployment planner needed before production GitHub App promotion, the local staging harness needed to rehearse webhook replay, persistence, publication, and cleanup without cloud calls, and the deployed worker staging evidence helper needed to evaluate public HTTPS health, deployed cleanup, and log-boundary evidence without storing raw hosted data. The service runtime composes these contracts behind replaceable adapters. PR comments remain a later workflow or paid hosted feature, not part of the hosted MVP contract.
 
 A public hosted compact report schema fixture is available at [examples/hosted-compact-report.json](examples/hosted-compact-report.json). It is synthetic and public-safe: compact evidence only, no raw source, raw diffs, secrets, webhook payload bodies, customer payloads, private URLs, or worker checkout paths.
 
@@ -360,7 +362,7 @@ Use `suppressions` for narrower false-positive handling when one rule is noisy o
 
 ## GitHub Action
 
-The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.31.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
+The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.32.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
 
 ```yaml
 name: ai-saas-guard

package/dist/hosted/deployed-staging.d.ts

@@ -0,0 +1,66 @@
+import { type HostedOperationalReleaseGateDecision, type HostedOperationalReleaseGateEvidence } from "./contracts.js";
+import type { HostedLogBoundaryValidation, HostedStagingHarnessReplayResult, HostedStagingHarnessWorkerTickResult } from "./staging-harness.js";
+export interface HostedDeployedWorkerHealthProbe {
+    observedAt: string;
+    status: number;
+    body: unknown;
+}
+export interface HostedDeployedWorkerStagingEvidenceBundleInput {
+    collectedAt: string;
+    evidenceBaseUrl: string;
+    owner: string;
+    publicBaseUrl: string;
+    scannerVersion: string;
+    healthProbe: HostedDeployedWorkerHealthProbe;
+    webhookReplays: HostedStagingHarnessReplayResult[];
+    workerTicks: HostedStagingHarnessWorkerTickResult[];
+    logBoundary: HostedLogBoundaryValidation;
+    externalEvidence: HostedOperationalReleaseGateEvidence[];
+    requiredFailureReasons?: string[];
+}
+export interface HostedDeployedWorkerStagingEvidenceBundle {
+    readyForReleaseGate: boolean;
+    blockedReasons: string[];
+    evidence: HostedOperationalReleaseGateEvidence[];
+    releaseGateInput: {
+        evidence: HostedOperationalReleaseGateEvidence[];
+    };
+    deployedScenarioSummary: HostedDeployedWorkerStagingScenarioSummary;
+    privacy: HostedDeployedWorkerStagingPrivacy;
+}
+export interface HostedDeployedWorkerStagingScenarioSummary {
+    publicIngressAccepted: boolean;
+    healthAccepted: boolean;
+    webhookReplayAccepted: boolean;
+    completedWorkerProbe: boolean;
+    failureCleanupProbe: boolean;
+    observedFailureReasons: string[];
+    allWorkerCheckoutsDeleted: boolean;
+    checkRunPublished: boolean;
+    logBoundaryAccepted: boolean;
+}
+export interface HostedDeployedWorkerStagingReleaseGateInput {
+    bundle: HostedDeployedWorkerStagingEvidenceBundle;
+    commitSha: string;
+    scannerVersion: string;
+    deploymentTarget: string;
+    evaluatedAt: string;
+    releaseNotes: string;
+    containerImageDigest: string;
+    maxEvidenceAgeDays?: number;
+}
+export interface HostedDeployedWorkerStagingPrivacy {
+    includesRawHealthResponse: false;
+    includesPublicBaseUrl: false;
+    includesRawWebhookPayload: false;
+    includesUntrustedPrText: false;
+    includesRawSource: false;
+    includesRawDiffs: false;
+    includesSecrets: false;
+    includesCustomerPayloads: false;
+    includesPrivateCheckoutPath: false;
+    includesInstallationToken: false;
+    claimsProductionHostedService: false;
+}
+export declare function createHostedDeployedWorkerStagingEvidenceBundle(input: HostedDeployedWorkerStagingEvidenceBundleInput): HostedDeployedWorkerStagingEvidenceBundle;
+export declare function evaluateHostedDeployedWorkerStagingReleaseGate(input: HostedDeployedWorkerStagingReleaseGateInput): HostedOperationalReleaseGateDecision;

package/dist/hosted/deployed-staging.js

@@ -0,0 +1,267 @@
+import { evaluateHostedOperationalReleaseGate, HOSTED_OPERATIONAL_RELEASE_GATE_REQUIREMENTS } from "./contracts.js";
+import { HOSTED_NODE_CONTAINER_PLATFORM, HOSTED_NODE_CONTAINER_ROLES } from "./app.js";
+export function createHostedDeployedWorkerStagingEvidenceBundle(input) {
+    const summary = deployedScenarioSummary(input);
+    const blockedReasons = deployedBlockedReasons(input, summary);
+    const externalEvidence = new Map(input.externalEvidence.map((evidence) => [evidence.id, sanitizeEvidence(evidence, input)]));
+    const evidence = HOSTED_OPERATIONAL_RELEASE_GATE_REQUIREMENTS.map((requirement) => {
+        const generated = generatedEvidenceFor(requirement.id, input, summary, blockedReasons);
+        return generated ?? externalEvidence.get(requirement.id) ?? missingEvidence(requirement.id, input);
+    });
+    const readyForReleaseGate = blockedReasons.length === 0 && evidence.every((item) => item.status === "passed");
+    return {
+        readyForReleaseGate,
+        blockedReasons,
+        evidence,
+        releaseGateInput: { evidence },
+        deployedScenarioSummary: summary,
+        privacy: deployedPrivacy()
+    };
+}
+export function evaluateHostedDeployedWorkerStagingReleaseGate(input) {
+    return evaluateHostedOperationalReleaseGate({
+        commitSha: input.commitSha,
+        scannerVersion: input.scannerVersion,
+        deploymentTarget: input.deploymentTarget,
+        evaluatedAt: input.evaluatedAt,
+        evidence: input.bundle.evidence,
+        releaseNotes: input.releaseNotes,
+        containerImageDigest: input.containerImageDigest,
+        maxEvidenceAgeDays: input.maxEvidenceAgeDays
+    });
+}
+function deployedScenarioSummary(input) {
+    const processedWorkers = input.workerTicks.filter((tick) => tick.processed);
+    const completedWorkers = processedWorkers.filter((tick) => tick.status === "completed");
+    const observedFailureReasons = [
+        ...new Set(processedWorkers.flatMap((tick) => tick.status === "failed" && tick.cleanupVerified && tick.safeFailureReason
+            ? [tick.safeFailureReason]
+            : []))
+    ].sort();
+    const requiredFailureReasons = input.requiredFailureReasons ?? [];
+    const failureCleanupProbe = requiredFailureReasons.length
+        ? requiredFailureReasons.every((reason) => observedFailureReasons.includes(reason))
+        : processedWorkers.some((tick) => tick.status === "failed" && tick.cleanupVerified);
+    const allWorkerCheckoutsDeleted = processedWorkers.length > 0 &&
+        processedWorkers.every((tick) => tick.workerSandboxDeleted &&
+            tick.activeWorkerSandboxCount === 0 &&
+            tick.cleanupVerified);
+    return {
+        publicIngressAccepted: isSafePublicHttpsUrl(input.publicBaseUrl),
+        healthAccepted: healthProbeAccepted(input),
+        webhookReplayAccepted: input.webhookReplays.some((replay) => replay.accepted && replay.queuedWorker && replay.shouldCreateCheckRun),
+        completedWorkerProbe: completedWorkers.some((tick) => tick.checkRunPublished && tick.compactReportStored),
+        failureCleanupProbe,
+        observedFailureReasons,
+        allWorkerCheckoutsDeleted,
+        checkRunPublished: completedWorkers.some((tick) => tick.checkRunPublished),
+        logBoundaryAccepted: input.logBoundary.sampleCount > 0 && input.logBoundary.accepted
+    };
+}
+function deployedBlockedReasons(input, summary) {
+    const reasons = [];
+    const health = healthBody(input.healthProbe.body);
+    if (!summary.publicIngressAccepted)
+        reasons.push("invalid_public_base_url");
+    if (!isSafePublicHttpsUrl(input.evidenceBaseUrl))
+        reasons.push("unsafe_evidence_base_url");
+    if (input.healthProbe.status !== 200)
+        reasons.push("health_status_unhealthy");
+    if (health.ok !== true)
+        reasons.push("health_not_ok");
+    if (health.platform !== HOSTED_NODE_CONTAINER_PLATFORM)
+        reasons.push("health_platform_mismatch");
+    if (health.scannerVersion !== input.scannerVersion) {
+        reasons.push("health_scanner_version_mismatch");
+    }
+    if (!health.roles.includes("webhook-ingress"))
+        reasons.push("health_missing_webhook_role");
+    if (!health.roles.includes("scan-worker"))
+        reasons.push("health_missing_scan_worker_role");
+    if (!privacyFlagsAreSafe(health.privacy))
+        reasons.push("health_privacy_flags_unsafe");
+    if (!summary.webhookReplayAccepted)
+        reasons.push("webhook_replay_missing");
+    if (!summary.completedWorkerProbe)
+        reasons.push("worker_success_probe_missing");
+    if (!summary.failureCleanupProbe)
+        reasons.push("worker_failure_cleanup_probe_missing");
+    if (!summary.allWorkerCheckoutsDeleted)
+        reasons.push("worker_cleanup_not_verified");
+    if (!summary.checkRunPublished)
+        reasons.push("check_run_not_published");
+    if (!summary.logBoundaryAccepted)
+        reasons.push("log_boundary_rejected");
+    return reasons;
+}
+function generatedEvidenceFor(id, input, summary, blockedReasons) {
+    if (blockedReasons.length > 0) {
+        return undefined;
+    }
+    if (id === "webhook_replay") {
+        return summary.publicIngressAccepted && summary.healthAccepted && summary.webhookReplayAccepted
+            ? passedEvidence(id, "Deployed staging ingress accepted a signed webhook and queued check-run-only work.", input)
+            : missingEvidence(id, input);
+    }
+    if (id === "queue_worker_cleanup") {
+        return summary.completedWorkerProbe &&
+            summary.failureCleanupProbe &&
+            summary.allWorkerCheckoutsDeleted
+            ? passedEvidence(id, "Deployed staging worker success and failure probes published compact checks and deleted worker checkouts.", input)
+            : missingEvidence(id, input);
+    }
+    if (id === "privacy_retention") {
+        return summary.logBoundaryAccepted && privacyFlagsAreSafe(input.logBoundary.privacy)
+            ? passedEvidence(id, "Deployed staging log samples stayed within the safe metadata boundary and avoided raw payloads.", input)
+            : missingEvidence(id, input);
+    }
+    if (id === "release_cleanup") {
+        return summary.allWorkerCheckoutsDeleted
+            ? passedEvidence(id, "Deployed staging release cleanup left no active worker checkout entries.", input)
+            : missingEvidence(id, input);
+    }
+    return undefined;
+}
+function healthProbeAccepted(input) {
+    const health = healthBody(input.healthProbe.body);
+    return (input.healthProbe.status === 200 &&
+        health.ok === true &&
+        health.platform === HOSTED_NODE_CONTAINER_PLATFORM &&
+        HOSTED_NODE_CONTAINER_ROLES.every((role) => health.roles.includes(role)) &&
+        health.scannerVersion === input.scannerVersion &&
+        privacyFlagsAreSafe(health.privacy));
+}
+function sanitizeEvidence(evidence, input) {
+    return {
+        id: evidence.id,
+        status: evidence.status,
+        ...(evidence.collectedAt === undefined
+            ? { collectedAt: input.collectedAt }
+            : { collectedAt: evidence.collectedAt }),
+        ...(safeEvidenceUrl(evidence.evidenceUrl) === undefined
+            ? {}
+            : { evidenceUrl: safeEvidenceUrl(evidence.evidenceUrl) }),
+        note: `External deployed-staging release-gate evidence recorded for ${evidence.id}.`,
+        ...(evidence.owner === undefined ? { owner: input.owner } : { owner: evidence.owner })
+    };
+}
+function passedEvidence(id, note, input) {
+    return {
+        id,
+        status: "passed",
+        collectedAt: input.collectedAt,
+        ...(evidenceUrlFor(input, id) === undefined ? {} : { evidenceUrl: evidenceUrlFor(input, id) }),
+        note,
+        owner: input.owner
+    };
+}
+function missingEvidence(id, input) {
+    return {
+        id,
+        status: "missing",
+        collectedAt: input.collectedAt,
+        note: `Missing deployed staging worker evidence for ${id}.`,
+        owner: input.owner
+    };
+}
+function evidenceUrlFor(input, id) {
+    const baseUrl = safeEvidenceUrl(input.evidenceBaseUrl);
+    return baseUrl === undefined ? undefined : `${baseUrl}/${id}.json`;
+}
+function safeEvidenceUrl(value) {
+    if (!value || !isSafePublicHttpsUrl(value)) {
+        return undefined;
+    }
+    return trimTrailingSlashes(value.trim());
+}
+function healthBody(value) {
+    if (!isRecord(value)) {
+        return {
+            ok: undefined,
+            platform: undefined,
+            roles: [],
+            scannerVersion: undefined,
+            privacy: undefined
+        };
+    }
+    const roles = Array.isArray(value.roles)
+        ? value.roles.filter((role) => typeof role === "string")
+        : [];
+    return {
+        ok: typeof value.ok === "boolean" ? value.ok : undefined,
+        platform: typeof value.platform === "string" ? value.platform : undefined,
+        roles,
+        scannerVersion: typeof value.scannerVersion === "string" ? value.scannerVersion : undefined,
+        privacy: isRecord(value.privacy) ? value.privacy : undefined
+    };
+}
+function privacyFlagsAreSafe(value) {
+    return isRecord(value) && Object.values(value).every((flag) => flag === false);
+}
+function isSafePublicHttpsUrl(value) {
+    try {
+        const url = new URL(value.trim());
+        return (url.protocol === "https:" &&
+            !url.username &&
+            !url.password &&
+            !url.search &&
+            !url.hash &&
+            !isUnsafeHostedHostname(url.hostname));
+    }
+    catch {
+        return false;
+    }
+}
+function isUnsafeHostedHostname(hostname) {
+    const normalized = hostname.toLowerCase().replace(/\.$/, "");
+    return (normalized === "localhost" ||
+        normalized.endsWith(".localhost") ||
+        isUnsafeIpv4Hostname(normalized) ||
+        normalized === "::1" ||
+        normalized.startsWith("fc") ||
+        normalized.startsWith("fd") ||
+        normalized.startsWith("fe80:"));
+}
+function isUnsafeIpv4Hostname(hostname) {
+    const parts = hostname.split(".");
+    if (parts.length !== 4 || !parts.every((part) => /^\d+$/.test(part)))
+        return false;
+    const octets = parts.map((part) => Number(part));
+    if (octets.some((octet) => !Number.isInteger(octet) || octet < 0 || octet > 255)) {
+        return false;
+    }
+    const [first, second] = octets;
+    return (first === 0 ||
+        first === 10 ||
+        first === 127 ||
+        (first === 169 && second === 254) ||
+        (first === 172 && second >= 16 && second <= 31) ||
+        (first === 192 && second === 168) ||
+        (first === 100 && second >= 64 && second <= 127) ||
+        first >= 224);
+}
+function trimTrailingSlashes(value) {
+    let end = value.length;
+    while (end > 0 && value[end - 1] === "/") {
+        end -= 1;
+    }
+    return value.slice(0, end);
+}
+function isRecord(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function deployedPrivacy() {
+    return {
+        includesRawHealthResponse: false,
+        includesPublicBaseUrl: false,
+        includesRawWebhookPayload: false,
+        includesUntrustedPrText: false,
+        includesRawSource: false,
+        includesRawDiffs: false,
+        includesSecrets: false,
+        includesCustomerPayloads: false,
+        includesPrivateCheckoutPath: false,
+        includesInstallationToken: false,
+        claimsProductionHostedService: false
+    };
+}

package/docs/README.zh-CN.md

@@ -169,18 +169,18 @@ node dist/cli.js scan --root /path/to/your-saas
 
 这个仓库是公开 GitHub 仓库。
 
-CLI 已发布到 npm：`ai-saas-guard@0.31.0`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.31.0`。
+CLI 已发布到 npm：`ai-saas-guard@0.32.0`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.32.0`。
 
 | 模块 | 状态 |
 | --- | --- |
 | 公开 GitHub 仓库 | 已可用 |
-| npm CLI | `ai-saas-guard@0.31.0` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.31.0` |
+| npm CLI | `ai-saas-guard@0.32.0` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.32.0` |
 | 输出格式 | 短 summary、Terminal、JSON、SARIF 和 PR markdown |
 | 项目配置 | `.ai-saas-guard.json` 支持规则开关、severity 覆盖、suppressions 和 fail threshold |
 | 隐私模型 | 本地优先、只读扫描、不调用 LLM、不上传代码 |
-| 当前版本 | `0.31.0` 增加可执行 hosted staging evidence：成功/失败 cleanup probes、log-boundary validation、更严格的 read-only checkout worker 边界，以及从 evidence bundle 直接评估 release gate |
-| Action 标签 | `v0.31.0`、`v0` |
+| 当前版本 | `0.32.0` 增加 deployed worker staging evidence：public HTTPS health validation、deployed 成功/失败 cleanup probes、log-boundary checks，以及针对 Node/container read-only checkout worker candidate 的 release-gate evaluation |
+| Action 标签 | `v0.32.0`、`v0` |
 | npm 发布 | GitHub Actions Trusted Publisher/OIDC，无需长期 npm token |
 | 仓库可信度加固 | 严格 branch protection、Dependabot、CodeQL、fast-check fuzzing、signed release provenance assets、private vulnerability reporting、secret scanning 和 push protection |
 | Cloudflare hosted ingress | 已部署到 `https://ai-saas-guard-hosted.zr9959.workers.dev`；签名 GitHub App webhook delivery 和 compact Check Run staging smoke 已通过 |
@@ -349,6 +349,7 @@ GitHub Marketplace wrapper 决策见 [docs/github-marketplace-wrapper-decision.m
 - [docs/hosted-node-container-app.md](hosted-node-container-app.md)
 - [docs/hosted-staging-deployment.md](hosted-staging-deployment.md)
 - [docs/hosted-staging-harness.md](hosted-staging-harness.md)
+- [docs/hosted-deployed-worker-staging.md](hosted-deployed-worker-staging.md)
 - [docs/hosted-operational-release-gate.md](hosted-operational-release-gate.md)
 - [docs/hosted-uninstall-data-deletion.md](hosted-uninstall-data-deletion.md)
 - [docs/hosted-pricing-packaging.md](hosted-pricing-packaging.md)
@@ -366,6 +367,7 @@ GitHub Marketplace wrapper 决策见 [docs/github-marketplace-wrapper-decision.m
 - Hosted Node/container app skeleton：`ai-saas-guard/hosted/app` 导出 `createHostedHttpApp`、`createInMemoryHostedAppPlatform`、`createHostedNodeCheckoutAppPlatform` 和 `planHostedNodeContainerDeployment`，提供安全 `/healthz`、签名 `/github/webhook` ingress、单 job worker tick、测试用 in-memory provider adapters、真实 read-only checkout worker 组合入口、可见 timeout/output 安全预算，以及 secret manager、queue、compact report store、worker sandbox、GitHub Checks publisher 的部署引用校验；它本身仍然不部署或暴露公开 hosted 服务
 - Hosted staging deployment planner：`ai-saas-guard/hosted/staging` 导出 `planHostedProviderBinding`、`planHostedStagingDeployment` 和 `planHostedGitHubAppPromotion`，把真实 provider 引用、Node/container deployment plan、hosted operational release-gate evidence 和 GitHub App deployment planning 组合起来；缺少 queue、store、worker sandbox、Check Run publisher、logs、metrics、rollback 或 incident-response 引用时，会阻止 staging exposure 和 production promotion；它本身仍然不会调用云平台、创建 GitHub App 或暴露公开 hosted 服务
 - Hosted staging harness：`ai-saas-guard/hosted/staging-harness` 导出 `createFileBackedHostedStagingHarness`、`createHostedStagingHarnessEvidence`、`createHostedStagingReleaseEvidenceBundle`、`evaluateHostedStagingReleaseEvidenceBundle` 和 `validateHostedLogBoundary`，可以在本地用 file-backed queue、compact report、Check Run request 和 worker sandbox 跑通签名 webhook replay、worker tick 和 cleanup 校验，把 success/failure cleanup probes 与 log-boundary samples 转成 release-gate evidence，并直接执行 hosted release gate 判断；它只是 staging 演练工具，不会调用云平台、创建 GitHub App、写真实 Check Run 或暴露公开 hosted 服务
+- Deployed worker staging evidence：`ai-saas-guard/hosted/deployed-staging` 导出 `createHostedDeployedWorkerStagingEvidenceBundle` 和 `evaluateHostedDeployedWorkerStagingReleaseGate`，把 public HTTPS health、signed webhook replay、deployed worker cleanup、log-boundary samples 以及外部 CI/scan/rollback evidence 转成 hosted release gate evidence；它不会部署云资源，也不会宣称 production hosted exposure
 - Cloudflare hosted ingress：`hosted/cloudflare-worker` 已部署到 `https://ai-saas-guard-hosted.zr9959.workers.dev`，提供 `/healthz`、`/github/app/manifest-callback` 和签名 `/github/webhook` intake；Worker 已具备 compact pull request identity、file/category risk signal 和 Check Run metadata 路径；staging GitHub App ID 为 `3834787`，installation ID 为 `135085075`；真实 GitHub App webhook delivery 和 Check Run smoke 已通过；完整 source checkout worker deployment、monitoring、rollback 和 incident-response evidence 仍需要通过 hosted operational release gate
 - webhook event parser
 - check-run summary renderer

package/docs/hosted-deployed-worker-staging.md

@@ -0,0 +1,72 @@
+# Hosted Deployed Worker Staging Evidence
+
+This document describes the deployed worker staging evidence helper implemented in `src/hosted/deployed-staging.ts`.
+
+The package exports `ai-saas-guard/hosted/deployed-staging` with:
+
+- `createHostedDeployedWorkerStagingEvidenceBundle`
+- `evaluateHostedDeployedWorkerStagingReleaseGate`
+
+The helper is for a deployed Node/container read-only checkout worker release candidate. It turns safe deployment observations into the same hosted operational release-gate evidence used by the rest of the hosted planning layer.
+
+It does not deploy cloud resources, create a GitHub App, call GitHub, fetch repositories, upload source code, or publish Check Runs by itself. It is not production hosted exposure. It records whether a deployed staging candidate has enough public-safe evidence to pass the hosted release gate.
+
+## Inputs
+
+`createHostedDeployedWorkerStagingEvidenceBundle` expects only bounded evidence:
+
+- public HTTPS health probe metadata from the deployed Node/container app
+- signed webhook replay summaries
+- deployed worker success and failure cleanup summaries
+- log-boundary validation output
+- external evidence for CI, workflow static checks, dependency/container scans, monitoring, rollback, and incident response
+- scanner version, collected timestamp, evidence URL base, and evidence owner
+
+The public HTTPS health probe must show:
+
+- HTTP `200`
+- `ok: true`
+- `platform: "node_container"`
+- both `webhook-ingress` and `scan-worker` roles
+- a scanner version matching the release candidate
+- privacy flags set to false for raw webhook payloads, PR text, source, diffs, secrets, customer payloads, checkout paths, and installation tokens
+
+The helper requires a public HTTPS URL for both the deployed ingress and the evidence base. Localhost, private IPs, link-local addresses, non-HTTPS URLs, file URLs, URL credentials, query strings, and fragments are rejected for deployed staging evidence.
+
+## Generated Evidence
+
+The bundle generates deployed evidence for these hosted gate IDs when the probes are complete:
+
+- `webhook_replay`: deployed staging ingress accepted a signed webhook and queued check-run-only work
+- `queue_worker_cleanup`: deployed worker success and failure probes completed and deleted worker checkouts
+- `privacy_retention`: deployed log samples stayed within the safe metadata boundary
+- `release_cleanup`: no deployed worker checkout entries remained active after release probes
+
+Other gate IDs still come from external evidence because they belong to CI, workflow analysis, dependency/container scan, monitoring, rollback, and incident-response systems.
+
+## Blocking Behavior
+
+The helper blocks release-gate readiness when deployed evidence is incomplete. Common blocked reasons include:
+
+- `invalid_public_base_url`
+- `unsafe_evidence_base_url`
+- `health_scanner_version_mismatch`
+- `health_missing_scan_worker_role`
+- `health_privacy_flags_unsafe`
+- `worker_failure_cleanup_probe_missing`
+- `worker_cleanup_not_verified`
+- `log_boundary_rejected`
+
+Blocked output remains public-safe. It does not return the raw health body, public base URL, raw webhook payload, untrusted PR text, raw source, raw diffs, secrets, customer payloads, private checkout paths, or installation tokens.
+
+## Release Gate
+
+`evaluateHostedDeployedWorkerStagingReleaseGate` passes the generated bundle to the hosted operational release gate with the release commit, scanner version, deployment target, container digest, and release notes.
+
+The evaluator still blocks hosted exposure unless every P0 evidence row is fresh, the deployed artifact has a `sha256:<digest>` container image digest, and release notes avoid positive pentest, certification, and full-audit claims. Wording such as "not a pentest, certification, or full security audit" remains allowed.
+
+## Boundary
+
+This helper narrows the gap between local source-candidate rehearsals and deployed staging evidence. It is still deterministic and local-first: callers collect evidence outside the package and pass only safe summaries into the helper.
+
+It is not a pentest, full audit, or certification. It is not production hosted exposure. It does not prove customer SaaS apps are secure. It only helps decide whether the hosted worker release candidate has enough operational evidence to be exposed for the next staged rollout step.

package/docs/hosted-operational-release-gate.md

@@ -40,7 +40,11 @@ Every hosted release must record:
 
 The current public package release is still a local CLI and pure hosted-contract release. No hosted production environment is exposed by this release.
 
-The pure evaluator `evaluateHostedOperationalReleaseGate` and the exported `HOSTED_OPERATIONAL_RELEASE_GATE_REQUIREMENTS` list make the gate machine-checkable for the next hosted service stage. The staging harness also exports `createHostedStagingReleaseEvidenceBundle`, `evaluateHostedStagingReleaseEvidenceBundle`, and `validateHostedLogBoundary` so source-candidate rehearsals can turn webhook replay, success/failure cleanup probes, required safe failure reasons, and log samples into an executable gate decision. The evaluator blocks hosted exposure unless every P0 item has fresh evidence, a `sha256:<digest>` container image digest is recorded, and release notes avoid positive pentest, certification, and full-audit claims. Explicit wording such as "not a pentest, certification, or full security audit" remains allowed.
+The pure evaluator `evaluateHostedOperationalReleaseGate` and the exported `HOSTED_OPERATIONAL_RELEASE_GATE_REQUIREMENTS` list make the gate machine-checkable for the next hosted service stage. The staging harness also exports `createHostedStagingReleaseEvidenceBundle`, `evaluateHostedStagingReleaseEvidenceBundle`, and `validateHostedLogBoundary` so source-candidate rehearsals can turn webhook replay, success/failure cleanup probes, required safe failure reasons, and log samples into an executable gate decision.
+
+Deployed worker staging evidence is documented in [hosted-deployed-worker-staging.md](hosted-deployed-worker-staging.md). The `ai-saas-guard/hosted/deployed-staging` export adds `createHostedDeployedWorkerStagingEvidenceBundle` and `evaluateHostedDeployedWorkerStagingReleaseGate` so a deployed Node/container read-only checkout worker candidate can turn public HTTPS health, signed webhook replay, deployed success/failure cleanup probes, log-boundary samples, and external CI/scan/rollback evidence into this same gate. It does not deploy cloud resources and is not production hosted exposure.
+
+The evaluator blocks hosted exposure unless every P0 item has fresh evidence, a `sha256:<digest>` container image digest is recorded, and release notes avoid positive pentest, certification, and full-audit claims. Explicit wording such as "not a pentest, certification, or full security audit" remains allowed.
 
 Source-level evidence notes for this release candidate:
 
@@ -48,12 +52,12 @@ Source-level evidence notes for this release candidate:
 | --- | --- | --- | --- |
 | `clean_ci` | Clean install, tests, build, CLI help, JSON/SARIF scan, PR-risk, npm audit, pack dry-run | Local release gate plus GitHub Actions CI run from the release commit | Passed for source package |
 | `hosted_contract_tests` | Hosted contract tests for webhook, scope, queue, worker, check summaries, cleanup, retention, and release gate evaluation | `tests/hosted-contracts.test.mjs` | Passed for pure contracts |
-| `webhook_replay` | Valid events queue work; invalid, missing, malformed, replayed, removed, and non-installed events queue nothing | Pure replay coverage in hosted webhook intake tests | Passed for pure contracts; must replay against deployed ingress before exposure |
+| `webhook_replay` | Valid events queue work; invalid, missing, malformed, replayed, removed, and non-installed events queue nothing | Pure replay coverage in hosted webhook intake tests plus deployed worker staging evidence helper | Passed for pure contracts; deployed helper can record public HTTPS staging replay before exposure |
 | `workflow_static_checks` | GitHub Actions static analysis | `actionlint` and `uvx zizmor --offline .github/workflows` | Passed for repository workflows |
 | `dependency_scan` | Dependency scan has no unresolved high or critical production findings | `npm audit --audit-level=high --registry=https://registry.npmjs.org` | Passed for source package |
 | `container_scan` | Container image scan has no unresolved high or critical runtime-layer findings | No hosted container image exists in the public package release | Not applicable to current non-hosted release; required before hosted exposure |
-| `queue_worker_cleanup` | Queue dedupe, running cancellation, terminal cleanup, worker checkout deletion, and no long-running processes | Pure queue, worker, checkout, retention cleanup planner tests, and staging harness success/failure cleanup probes | Passed for source candidate; must verify against deployed queue and worker before exposure |
-| `privacy_retention` | No raw source, raw diffs, secrets, customer payloads, private URLs, or full file contents; retention and uninstall cleanup are proven | Compact report, Check Run publication, retention/deletion cleanup, docs tests, and `validateHostedLogBoundary` source-candidate log checks | Passed for source candidate; deployed log sampling still required before exposure |
+| `queue_worker_cleanup` | Queue dedupe, running cancellation, terminal cleanup, worker checkout deletion, and no long-running processes | Pure queue, worker, checkout, retention cleanup planner tests, staging harness success/failure cleanup probes, and deployed worker staging cleanup evidence helper | Passed for source candidate; deployed helper can record success/failure cleanup before exposure |
+| `privacy_retention` | No raw source, raw diffs, secrets, customer payloads, private URLs, or full file contents; retention and uninstall cleanup are proven | Compact report, Check Run publication, retention/deletion cleanup, docs tests, `validateHostedLogBoundary` source-candidate log checks, and deployed log-boundary staging evidence | Passed for source candidate; deployed log sampling still required before exposure |
 | `monitoring_alerting` | Ingress, queue depth, worker failures, Check Run failures, cleanup failures, retention failures, and credential rotation alerts | Required alert list remains in this document | Documented; must attach provider evidence before exposure |
 | `manual_rollback` | Worker pause, previous artifact redeploy, queue resume, controlled ingress failure, and affected Check Run identification | Manual rollback procedure remains in this document | Documented; must execute against deployed artifact before exposure |
 | `incident_response` | Owner, backup, credential rotation, queue pause, customer communication, status path, and privacy-safe evidence collection | Incident response checklist remains in this document | Documented; must name live owners before exposure |

package/docs/hosted-operations-evidence.md

@@ -31,6 +31,8 @@ The hosted release gate still requires fresh deployed evidence for:
 
 Source-candidate executable evidence now exists in `ai-saas-guard/hosted/staging-harness`: `createHostedStagingReleaseEvidenceBundle` combines signed webhook replay, success and failure cleanup probes, safe worker failure reasons, and `validateHostedLogBoundary` samples into hosted release-gate evidence, then `evaluateHostedStagingReleaseEvidenceBundle` runs the same gate evaluator used by deployment planning. This improves local release readiness, but it is still not production hosted exposure and does not replace deployed worker, logging, metrics, rollback, incident-response, dependency, or container evidence.
 
+Deployed worker staging evidence now has its own helper in `ai-saas-guard/hosted/deployed-staging`: `createHostedDeployedWorkerStagingEvidenceBundle` accepts public HTTPS health, deployed webhook replay, worker cleanup, log-boundary, and external CI/scan/rollback evidence summaries, then `evaluateHostedDeployedWorkerStagingReleaseGate` evaluates the same hosted release gate. Use [hosted-deployed-worker-staging.md](hosted-deployed-worker-staging.md) before exposing a Node/container read-only checkout worker beyond staging.
+
 ## Read-Only Checkout Worker Evidence Checklist
 
 Before any hosted source checkout worker is exposed beyond staging, attach fresh evidence for each row below. The current Cloudflare ingress evidence above does not satisfy these rows because it publishes compact PR-risk signals without running a full source checkout scan worker.

package/docs/hosted-preimplementation-contracts.md

@@ -2,7 +2,7 @@
 
 This document collects pure hosted contracts that can be tested before any hosted GitHub App service is deployed. These contracts keep the hosted design inspectable, local-first, and implementation-ready without adding network calls, credentials, queues, workers, or GitHub API writes. They are no network calls contracts by design.
 
-The helpers live in `src/hosted/contracts.ts` and are exported from `ai-saas-guard/hosted/contracts`. The production adapter plans live in `src/hosted/production-adapters.ts` and are exported from `ai-saas-guard/hosted/production-adapters`. The Node/container app skeleton lives in `src/hosted/app.ts` and is exported from `ai-saas-guard/hosted/app`. The concrete read-only checkout worker runner lives in `src/hosted/worker.ts` and is exported from `ai-saas-guard/hosted/worker`. The staging deployment planner lives in `src/hosted/staging.ts` and is exported from `ai-saas-guard/hosted/staging`. The local staging harness lives in `src/hosted/staging-harness.ts` and is exported from `ai-saas-guard/hosted/staging-harness`.
+The helpers live in `src/hosted/contracts.ts` and are exported from `ai-saas-guard/hosted/contracts`. The production adapter plans live in `src/hosted/production-adapters.ts` and are exported from `ai-saas-guard/hosted/production-adapters`. The Node/container app skeleton lives in `src/hosted/app.ts` and is exported from `ai-saas-guard/hosted/app`. The concrete read-only checkout worker runner lives in `src/hosted/worker.ts` and is exported from `ai-saas-guard/hosted/worker`. The staging deployment planner lives in `src/hosted/staging.ts` and is exported from `ai-saas-guard/hosted/staging`. The local staging harness lives in `src/hosted/staging-harness.ts` and is exported from `ai-saas-guard/hosted/staging-harness`. The deployed worker staging evidence helper lives in `src/hosted/deployed-staging.ts` and is exported from `ai-saas-guard/hosted/deployed-staging`.
 
 ## Pull Request Webhook Intake Planner
 

package/docs/npm-publishing.md

@@ -5,11 +5,11 @@
 ## Current State
 
 - Package name: `ai-saas-guard`
-- Current published version: `0.31.0`
+- Current published version: `0.32.0`
 - Next source candidate: none
 - npm registry state: published at <https://www.npmjs.com/package/ai-saas-guard>
 - First npm-published version: `0.1.1`
-- GitHub Release: `v0.31.0`
+- GitHub Release: `v0.32.0`
 - Publish workflow: `.github/workflows/npm-publish.yml`
 - Trusted Publisher: GitHub Actions, `zr9959/ai-saas-guard`, workflow `npm-publish.yml`, allowed action `npm publish`
 - Long-lived npm publish token: not required
@@ -18,7 +18,7 @@
 
 Use GitHub Actions with npm Trusted Publisher/OIDC:
 
-1. Create and review a release tag such as `v0.31.0`.
+1. Create and review a release tag such as `v0.32.0`.
 2. Publish from the GitHub Release or run the `Publish npm` workflow manually with `ref` set to that tag.
 3. Keep `permissions.id-token: write` in the workflow so npm can exchange the GitHub Actions OIDC identity for a short-lived publish credential.
 4. Run `npm publish --access public` from the workflow. Trusted publishing automatically generates provenance for this public package from this public repository.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-saas-guard",
-  "version": "0.31.0",
+  "version": "0.32.0",
   "description": "Local-first CLI that catches launch blockers in AI-built Next.js/Supabase/Stripe SaaS apps.",
   "readmeFilename": "README.md",
   "type": "module",
@@ -70,6 +70,10 @@
       "types": "./dist/hosted/staging-harness.d.ts",
       "default": "./dist/hosted/staging-harness.js"
     },
+    "./hosted/deployed-staging": {
+      "types": "./dist/hosted/deployed-staging.d.ts",
+      "default": "./dist/hosted/deployed-staging.js"
+    },
     "./hosted/worker": {
       "types": "./dist/hosted/worker.d.ts",
       "default": "./dist/hosted/worker.js"