ai-saas-guard 0.32.0 → 0.33.0

package/README.md

@@ -29,7 +29,9 @@
 
 ## Before You Invite Users
 
-AI can make a SaaS look finished: login works, checkout opens, the dashboard loads, and tests are green. The launch risk is usually hidden in trust-boundary code that decides who gets access, who pays, what data they can see, and whether failures are visible.
+AI-built SaaS can look ready before it is ready: login works, checkout opens, the dashboard loads, and tests are green. The launch risk is usually hidden in trust-boundary code that decides who gets access, who pays, what data they can see, and whether failures are visible.
+
+Start with the 30-second copy-paste demo: `npx ai-saas-guard@latest demo --summary`. No signup, no code upload, no LLM call. See [docs/demo-terminal-output.txt](docs/demo-terminal-output.txt) and [compare with alternatives](docs/launch-gate-positioning.md).
 
 These are the failures that hurt after real users arrive:
 
@@ -44,6 +46,16 @@ These are the failures that hurt after real users arrive:
 
 `ai-saas-guard` gives you a short local review queue for those risks. It does not prove the app is secure, certify a release, or replace human review. It tells founders, solo builders, small teams, and reviewers what deserves attention first.
 
+## 30-Second Copy-Paste Demo
+
+No signup, no code upload, no LLM call:
+
+```bash
+npx ai-saas-guard@latest demo --summary
+```
+
+The demo scans two packaged fixtures: one risky AI-built SaaS and one safer version. See the saved terminal sample in [docs/demo-terminal-output.txt](docs/demo-terminal-output.txt), then compare with alternatives in [docs/launch-gate-positioning.md](docs/launch-gate-positioning.md).
+
 ## 60-Second Local Check
 
 See the public demo output without cloning a repo:
@@ -187,13 +199,13 @@ The CLI is published on npm as `ai-saas-guard`, and the GitHub Action is availab
 | Area | Status |
 | --- | --- |
 | Public GitHub repository | Available |
-| npm CLI | `ai-saas-guard@0.32.0` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.32.0` |
+| npm CLI | `ai-saas-guard@0.33.0` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.33.0` |
 | Outputs | Short summary, terminal, JSON, SARIF, and PR-focused markdown |
 | Project config | `.ai-saas-guard.json` rule toggles, severity overrides, suppressions, and fail thresholds |
 | Privacy model | Local-first, read-only scan commands, no LLM calls, no code upload |
-| Versioned Action tags | `v0.32.0`, `v0` |
-| Current release | `0.32.0` adds deployed worker staging evidence: public HTTPS health validation, deployed success/failure cleanup probes, log-boundary checks, and release-gate evaluation for a Node/container read-only checkout worker candidate |
+| Versioned Action tags | `v0.33.0`, `v0` |
+| Current release | `0.33.0` sharpens the README first screen, adds a saved terminal demo output, and adds deployed worker staging evidence automation that validates safe logs before building hosted release-gate input |
 | npm publishing | Trusted Publisher/OIDC, no long-lived publish token |
 | Repository trust hardening | Strict branch protection, Dependabot, CodeQL, fast-check fuzzing, signed release provenance assets, private vulnerability reporting, secret scanning, and push protection |
 | Cloudflare hosted ingress | Deployed at `https://ai-saas-guard-hosted.zr9959.workers.dev`; signed GitHub App webhook delivery and compact Check Run smoke now pass in staging |
@@ -312,7 +324,7 @@ The hosted staging deployment planner is documented in [docs/hosted-staging-depl
 
 The hosted staging harness is documented in [docs/hosted-staging-harness.md](docs/hosted-staging-harness.md). It exports `createFileBackedHostedStagingHarness`, `createHostedStagingHarnessEvidence`, `createHostedStagingReleaseEvidenceBundle`, `evaluateHostedStagingReleaseEvidenceBundle`, and `validateHostedLogBoundary` from `ai-saas-guard/hosted/staging-harness`. It runs signed webhook replay through the provider-independent hosted runtime with local file-backed queue, compact report, and Check Run adapters, verifies worker sandbox cleanup, turns success/failure cleanup probes plus log-boundary samples into release-gate evidence, and evaluates the hosted gate without cloud calls. It is a staging rehearsal tool only; it does not call cloud providers, create a GitHub App, publish live Check Runs, or expose a public hosted service.
 
-Deployed worker staging evidence is documented in [docs/hosted-deployed-worker-staging.md](docs/hosted-deployed-worker-staging.md). It exports `createHostedDeployedWorkerStagingEvidenceBundle` and `evaluateHostedDeployedWorkerStagingReleaseGate` from `ai-saas-guard/hosted/deployed-staging`. It turns public HTTPS health, signed webhook replay, deployed worker cleanup, log-boundary samples, and external CI/scan/rollback evidence into the hosted release gate for a Node/container read-only checkout worker candidate. It does not deploy cloud resources or claim production hosted exposure.
+Deployed worker staging evidence is documented in [docs/hosted-deployed-worker-staging.md](docs/hosted-deployed-worker-staging.md). It exports `createHostedDeployedWorkerStagingEvidenceAutomation`, `createHostedDeployedWorkerStagingEvidenceBundle`, and `evaluateHostedDeployedWorkerStagingReleaseGate` from `ai-saas-guard/hosted/deployed-staging`. It validates safe log samples, then turns public HTTPS health, signed webhook replay, deployed worker cleanup, and external CI/scan/rollback evidence into the hosted release gate for a Node/container read-only checkout worker candidate. It does not deploy cloud resources or claim production hosted exposure.
 
 The first live hosted ingress is deployed on Cloudflare Workers at `https://ai-saas-guard-hosted.zr9959.workers.dev` and documented in [hosted/cloudflare-worker/README.md](hosted/cloudflare-worker/README.md). It exposes `/healthz`, `/github/app/manifest-callback`, and signed `/github/webhook` intake backed by Cloudflare KV. A private staging GitHub App, `ai-saas-guard-hosted`, is installed on `zr9959/ai-saas-guard` with selected-repository access and the first-slice permission contract. The Worker verifies signatures, stores compact pull request identity records, exchanges a scoped installation token, fetches PR file metadata from GitHub, classifies PR-risk hotspots, and publishes a bounded Check Run summary. Current deployed evidence is tracked in [docs/hosted-operations-evidence.md](docs/hosted-operations-evidence.md): health, signed webhook delivery, compact KV records, cleanup, and Check Run publication pass for the staging smoke. The Cloudflare Worker still does not run a full source checkout scan worker or store raw webhook payloads, PR title/body text, raw diffs, source, secrets, checkout paths, or installation tokens.
 
@@ -362,7 +374,7 @@ Use `suppressions` for narrower false-positive handling when one rule is noisy o
 
 ## GitHub Action
 
-The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.32.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
+The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.33.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
 
 ```yaml
 name: ai-saas-guard

package/dist/hosted/deployed-staging.d.ts

@@ -1,5 +1,5 @@
 import { type HostedOperationalReleaseGateDecision, type HostedOperationalReleaseGateEvidence } from "./contracts.js";
-import type { HostedLogBoundaryValidation, HostedStagingHarnessReplayResult, HostedStagingHarnessWorkerTickResult } from "./staging-harness.js";
+import type { HostedLogBoundaryForbiddenInput, HostedLogBoundaryValidation, HostedStagingHarnessReplayResult, HostedStagingHarnessWorkerTickResult } from "./staging-harness.js";
 export interface HostedDeployedWorkerHealthProbe {
     observedAt: string;
     status: number;
@@ -28,6 +28,26 @@ export interface HostedDeployedWorkerStagingEvidenceBundle {
     deployedScenarioSummary: HostedDeployedWorkerStagingScenarioSummary;
     privacy: HostedDeployedWorkerStagingPrivacy;
 }
+export interface HostedDeployedWorkerStagingEvidenceAutomationInput extends Omit<HostedDeployedWorkerStagingEvidenceBundleInput, "logBoundary"> {
+    logSamples: unknown[];
+    forbiddenLogMaterial: HostedLogBoundaryForbiddenInput;
+}
+export interface HostedDeployedWorkerStagingEvidenceAutomation {
+    readyForReleaseGate: boolean;
+    blockedReasons: string[];
+    logBoundary: HostedLogBoundaryValidation;
+    collectionPlan: HostedDeployedWorkerStagingEvidenceCollectionPlan;
+    bundle: HostedDeployedWorkerStagingEvidenceBundle;
+    releaseGateInput: {
+        evidence: HostedOperationalReleaseGateEvidence[];
+    };
+    privacy: HostedDeployedWorkerStagingPrivacy;
+}
+export interface HostedDeployedWorkerStagingEvidenceCollectionPlan {
+    steps: string[];
+    requiredSafeLogFields: string[];
+    requiredFailureReasons: string[];
+}
 export interface HostedDeployedWorkerStagingScenarioSummary {
     publicIngressAccepted: boolean;
     healthAccepted: boolean;
@@ -63,4 +83,5 @@ export interface HostedDeployedWorkerStagingPrivacy {
     claimsProductionHostedService: false;
 }
 export declare function createHostedDeployedWorkerStagingEvidenceBundle(input: HostedDeployedWorkerStagingEvidenceBundleInput): HostedDeployedWorkerStagingEvidenceBundle;
+export declare function createHostedDeployedWorkerStagingEvidenceAutomation(input: HostedDeployedWorkerStagingEvidenceAutomationInput): HostedDeployedWorkerStagingEvidenceAutomation;
 export declare function evaluateHostedDeployedWorkerStagingReleaseGate(input: HostedDeployedWorkerStagingReleaseGateInput): HostedOperationalReleaseGateDecision;

package/dist/hosted/deployed-staging.js

@@ -1,5 +1,6 @@
 import { evaluateHostedOperationalReleaseGate, HOSTED_OPERATIONAL_RELEASE_GATE_REQUIREMENTS } from "./contracts.js";
 import { HOSTED_NODE_CONTAINER_PLATFORM, HOSTED_NODE_CONTAINER_ROLES } from "./app.js";
+import { validateHostedLogBoundary } from "./staging-harness.js";
 export function createHostedDeployedWorkerStagingEvidenceBundle(input) {
     const summary = deployedScenarioSummary(input);
     const blockedReasons = deployedBlockedReasons(input, summary);
@@ -18,6 +19,34 @@ export function createHostedDeployedWorkerStagingEvidenceBundle(input) {
         privacy: deployedPrivacy()
     };
 }
+export function createHostedDeployedWorkerStagingEvidenceAutomation(input) {
+    const logBoundary = validateHostedLogBoundary({
+        samples: input.logSamples,
+        forbidden: input.forbiddenLogMaterial
+    });
+    const bundle = createHostedDeployedWorkerStagingEvidenceBundle({
+        collectedAt: input.collectedAt,
+        evidenceBaseUrl: input.evidenceBaseUrl,
+        owner: input.owner,
+        publicBaseUrl: input.publicBaseUrl,
+        scannerVersion: input.scannerVersion,
+        healthProbe: input.healthProbe,
+        webhookReplays: input.webhookReplays,
+        workerTicks: input.workerTicks,
+        logBoundary,
+        externalEvidence: input.externalEvidence,
+        requiredFailureReasons: input.requiredFailureReasons
+    });
+    return {
+        readyForReleaseGate: bundle.readyForReleaseGate,
+        blockedReasons: bundle.blockedReasons,
+        logBoundary,
+        collectionPlan: deployedEvidenceCollectionPlan(input.requiredFailureReasons ?? []),
+        bundle,
+        releaseGateInput: bundle.releaseGateInput,
+        privacy: deployedPrivacy()
+    };
+}
 export function evaluateHostedDeployedWorkerStagingReleaseGate(input) {
     return evaluateHostedOperationalReleaseGate({
         commitSha: input.commitSha,
@@ -164,6 +193,30 @@ function missingEvidence(id, input) {
         owner: input.owner
     };
 }
+function deployedEvidenceCollectionPlan(requiredFailureReasons) {
+    return {
+        steps: [
+            "Collect public HTTPS health metadata from the deployed Node/container candidate.",
+            "Replay a signed webhook and confirm it queues check-run-only worker work.",
+            "Run deployed worker cleanup probes for one success path and the required failure reasons.",
+            "Validate safe log samples before building release-gate evidence.",
+            "Attach external CI, workflow, dependency, container, monitoring, rollback, and incident-response evidence."
+        ],
+        requiredSafeLogFields: [
+            "scanKey",
+            "installationId",
+            "repositoryId",
+            "pullRequestNumber",
+            "headSha",
+            "scannerVersion",
+            "durationMs",
+            "summaryCounts",
+            "errorClass",
+            "cleanupStatus"
+        ],
+        requiredFailureReasons: [...requiredFailureReasons].sort()
+    };
+}
 function evidenceUrlFor(input, id) {
     const baseUrl = safeEvidenceUrl(input.evidenceBaseUrl);
     return baseUrl === undefined ? undefined : `${baseUrl}/${id}.json`;

package/docs/README.zh-CN.md

@@ -28,7 +28,7 @@
 
 ## 邀请真实用户前先看这里
 
-AI 能很快把一个 SaaS 做到“看起来能用”：能登录、能打开 checkout、dashboard 能加载、测试也是绿的。真正危险的是信任边界代码，它决定谁有权限、谁付了钱、谁能看哪些数据，以及服务失败时会不会被悄悄伪装成成功。
+AI 构建的 SaaS 很容易“看起来已经能上线”：能登录、能打开 checkout、dashboard 能加载、测试也是绿的。真正危险的是信任边界代码，它决定谁有权限、谁付了钱、谁能看哪些数据，以及服务失败时会不会被悄悄伪装成成功。
 
 这些问题通常会在真实用户来了以后才变痛：
 
@@ -43,6 +43,16 @@ AI 能很快把一个 SaaS 做到“看起来能用”：能登录、能打开 c
 
 `ai-saas-guard` 是面向这个时刻的本地优先、review-first 上线预检工具。它不会证明你的应用绝对安全，也不是渗透测试、认证或完整安全审计。它的目标是给 founder、独立开发者、小团队和 reviewer 一份短而有证据的清单，告诉你上线或合并 PR 前最该先看哪里。
 
+## 30 秒复制粘贴 demo
+
+不需要注册、不上传代码、不调用 LLM：
+
+```bash
+npx ai-saas-guard@latest demo --summary
+```
+
+这个 demo 会扫描两个包内 fixture：一个故意有上线风险的 AI-built SaaS，和一个同类场景下更安全的版本。可以先看保存好的终端样例：[docs/demo-terminal-output.txt](demo-terminal-output.txt)，再看它[和替代方案的区别](launch-gate-positioning.md)。
+
 ## 60 秒本地检查
 
 不用 clone 仓库，先看公开 demo 输出：
@@ -169,18 +179,18 @@ node dist/cli.js scan --root /path/to/your-saas
 
 这个仓库是公开 GitHub 仓库。
 
-CLI 已发布到 npm：`ai-saas-guard@0.32.0`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.32.0`。
+CLI 已发布到 npm：`ai-saas-guard@0.33.0`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.33.0`。
 
 | 模块 | 状态 |
 | --- | --- |
 | 公开 GitHub 仓库 | 已可用 |
-| npm CLI | `ai-saas-guard@0.32.0` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.32.0` |
+| npm CLI | `ai-saas-guard@0.33.0` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.33.0` |
 | 输出格式 | 短 summary、Terminal、JSON、SARIF 和 PR markdown |
 | 项目配置 | `.ai-saas-guard.json` 支持规则开关、severity 覆盖、suppressions 和 fail threshold |
 | 隐私模型 | 本地优先、只读扫描、不调用 LLM、不上传代码 |
-| 当前版本 | `0.32.0` 增加 deployed worker staging evidence：public HTTPS health validation、deployed 成功/失败 cleanup probes、log-boundary checks，以及针对 Node/container read-only checkout worker candidate 的 release-gate evaluation |
-| Action 标签 | `v0.32.0`、`v0` |
+| 当前版本 | `0.33.0` 优化 README 首屏、增加保存好的终端 demo 输出，并新增 deployed worker staging evidence automation：先验证 safe log samples，再生成 hosted release-gate input |
+| Action 标签 | `v0.33.0`、`v0` |
 | npm 发布 | GitHub Actions Trusted Publisher/OIDC，无需长期 npm token |
 | 仓库可信度加固 | 严格 branch protection、Dependabot、CodeQL、fast-check fuzzing、signed release provenance assets、private vulnerability reporting、secret scanning 和 push protection |
 | Cloudflare hosted ingress | 已部署到 `https://ai-saas-guard-hosted.zr9959.workers.dev`；签名 GitHub App webhook delivery 和 compact Check Run staging smoke 已通过 |
@@ -367,7 +377,7 @@ GitHub Marketplace wrapper 决策见 [docs/github-marketplace-wrapper-decision.m
 - Hosted Node/container app skeleton：`ai-saas-guard/hosted/app` 导出 `createHostedHttpApp`、`createInMemoryHostedAppPlatform`、`createHostedNodeCheckoutAppPlatform` 和 `planHostedNodeContainerDeployment`，提供安全 `/healthz`、签名 `/github/webhook` ingress、单 job worker tick、测试用 in-memory provider adapters、真实 read-only checkout worker 组合入口、可见 timeout/output 安全预算，以及 secret manager、queue、compact report store、worker sandbox、GitHub Checks publisher 的部署引用校验；它本身仍然不部署或暴露公开 hosted 服务
 - Hosted staging deployment planner：`ai-saas-guard/hosted/staging` 导出 `planHostedProviderBinding`、`planHostedStagingDeployment` 和 `planHostedGitHubAppPromotion`，把真实 provider 引用、Node/container deployment plan、hosted operational release-gate evidence 和 GitHub App deployment planning 组合起来；缺少 queue、store、worker sandbox、Check Run publisher、logs、metrics、rollback 或 incident-response 引用时，会阻止 staging exposure 和 production promotion；它本身仍然不会调用云平台、创建 GitHub App 或暴露公开 hosted 服务
 - Hosted staging harness：`ai-saas-guard/hosted/staging-harness` 导出 `createFileBackedHostedStagingHarness`、`createHostedStagingHarnessEvidence`、`createHostedStagingReleaseEvidenceBundle`、`evaluateHostedStagingReleaseEvidenceBundle` 和 `validateHostedLogBoundary`，可以在本地用 file-backed queue、compact report、Check Run request 和 worker sandbox 跑通签名 webhook replay、worker tick 和 cleanup 校验，把 success/failure cleanup probes 与 log-boundary samples 转成 release-gate evidence，并直接执行 hosted release gate 判断；它只是 staging 演练工具，不会调用云平台、创建 GitHub App、写真实 Check Run 或暴露公开 hosted 服务
-- Deployed worker staging evidence：`ai-saas-guard/hosted/deployed-staging` 导出 `createHostedDeployedWorkerStagingEvidenceBundle` 和 `evaluateHostedDeployedWorkerStagingReleaseGate`，把 public HTTPS health、signed webhook replay、deployed worker cleanup、log-boundary samples 以及外部 CI/scan/rollback evidence 转成 hosted release gate evidence；它不会部署云资源，也不会宣称 production hosted exposure
+- Deployed worker staging evidence：`ai-saas-guard/hosted/deployed-staging` 导出 `createHostedDeployedWorkerStagingEvidenceAutomation`、`createHostedDeployedWorkerStagingEvidenceBundle` 和 `evaluateHostedDeployedWorkerStagingReleaseGate`，先验证 safe log samples，再把 public HTTPS health、signed webhook replay、deployed worker cleanup 以及外部 CI/scan/rollback evidence 转成 hosted release gate evidence；它不会部署云资源，也不会宣称 production hosted exposure
 - Cloudflare hosted ingress：`hosted/cloudflare-worker` 已部署到 `https://ai-saas-guard-hosted.zr9959.workers.dev`，提供 `/healthz`、`/github/app/manifest-callback` 和签名 `/github/webhook` intake；Worker 已具备 compact pull request identity、file/category risk signal 和 Check Run metadata 路径；staging GitHub App ID 为 `3834787`，installation ID 为 `135085075`；真实 GitHub App webhook delivery 和 Check Run smoke 已通过；完整 source checkout worker deployment、monitoring、rollback 和 incident-response evidence 仍需要通过 hosted operational release gate
 - webhook event parser
 - check-run summary renderer

package/docs/demo-terminal-output.txt

@@ -0,0 +1,19 @@
+ai-saas-guard demo --summary
+
+Risky demo: 19 findings
+Launch gate: blocked
+
+Top risks:
+- CRITICAL stripe.webhook.missing-signature at app/api/stripe/webhook/route.ts:1
+- CRITICAL supabase.rls.broad-policy at supabase/migrations/001_accounts.sql:10
+- HIGH silent-success.swallowed-error at app/api/billing/checkout/route.ts:4
+
+Manual proof to run next:
+- Send a request without a valid Stripe signature and confirm the handler rejects it.
+- Run a two-account tenant check and confirm User B cannot access User A data.
+- Force the billing provider call to fail and confirm the API route returns an error, not fake success.
+
+Safe demo: 0 findings
+Launch gate: ready for local review
+
+This is a deterministic local demo fixture. It does not upload code, call an LLM, or certify the app.

package/docs/hosted-deployed-worker-staging.md

@@ -4,6 +4,7 @@ This document describes the deployed worker staging evidence helper implemented
 
 The package exports `ai-saas-guard/hosted/deployed-staging` with:
 
+- `createHostedDeployedWorkerStagingEvidenceAutomation`
 - `createHostedDeployedWorkerStagingEvidenceBundle`
 - `evaluateHostedDeployedWorkerStagingReleaseGate`
 
@@ -13,12 +14,14 @@ It does not deploy cloud resources, create a GitHub App, call GitHub, fetch repo
 
 ## Inputs
 
+`createHostedDeployedWorkerStagingEvidenceAutomation` is the recommended helper for a deployed staging candidate. It validates safe log samples with `validateHostedLogBoundary`, builds the deployed evidence bundle, returns the release-gate input, and includes the collection steps that should have produced the evidence. It never returns the forbidden raw source, raw diff, secret, customer payload, installation token, checkout path, private URL, or untrusted PR text values used for the boundary check.
+
 `createHostedDeployedWorkerStagingEvidenceBundle` expects only bounded evidence:
 
 - public HTTPS health probe metadata from the deployed Node/container app
 - signed webhook replay summaries
 - deployed worker success and failure cleanup summaries
-- log-boundary validation output
+- log-boundary validation output, or safe log samples passed through the automation helper first
 - external evidence for CI, workflow static checks, dependency/container scans, monitoring, rollback, and incident response
 - scanner version, collected timestamp, evidence URL base, and evidence owner
 
@@ -44,6 +47,17 @@ The bundle generates deployed evidence for these hosted gate IDs when the probes
 
 Other gate IDs still come from external evidence because they belong to CI, workflow analysis, dependency/container scan, monitoring, rollback, and incident-response systems.
 
+## Automation Helper
+
+The automation helper keeps this evidence path deterministic while removing a manual wiring step:
+
+1. Validate safe log samples against known forbidden material.
+2. Convert public health, signed webhook replay, deployed worker cleanup, and external evidence into a deployed staging bundle.
+3. Return the exact `releaseGateInput` for `evaluateHostedDeployedWorkerStagingReleaseGate`.
+4. Return a collection plan naming the required public HTTPS health, signed webhook, worker cleanup, safe log samples, and external evidence steps.
+
+It is still static and caller-driven. It does not connect to a provider, read source files, deploy infrastructure, fetch repositories, or publish Check Runs.
+
 ## Blocking Behavior
 
 The helper blocks release-gate readiness when deployed evidence is incomplete. Common blocked reasons include:

package/docs/npm-publishing.md

@@ -5,11 +5,11 @@
 ## Current State
 
 - Package name: `ai-saas-guard`
-- Current published version: `0.32.0`
+- Current published version: `0.33.0`
 - Next source candidate: none
 - npm registry state: published at <https://www.npmjs.com/package/ai-saas-guard>
 - First npm-published version: `0.1.1`
-- GitHub Release: `v0.32.0`
+- GitHub Release: `v0.33.0`
 - Publish workflow: `.github/workflows/npm-publish.yml`
 - Trusted Publisher: GitHub Actions, `zr9959/ai-saas-guard`, workflow `npm-publish.yml`, allowed action `npm publish`
 - Long-lived npm publish token: not required
@@ -18,7 +18,7 @@
 
 Use GitHub Actions with npm Trusted Publisher/OIDC:
 
-1. Create and review a release tag such as `v0.32.0`.
+1. Create and review a release tag such as `v0.33.0`.
 2. Publish from the GitHub Release or run the `Publish npm` workflow manually with `ref` set to that tag.
 3. Keep `permissions.id-token: write` in the workflow so npm can exchange the GitHub Actions OIDC identity for a short-lived publish credential.
 4. Run `npm publish --access public` from the workflow. Trusted publishing automatically generates provenance for this public package from this public repository.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-saas-guard",
-  "version": "0.32.0",
+  "version": "0.33.0",
   "description": "Local-first CLI that catches launch blockers in AI-built Next.js/Supabase/Stripe SaaS apps.",
   "readmeFilename": "README.md",
   "type": "module",