ai-saas-guard 0.33.0 → 0.34.0

package/README.md

@@ -31,7 +31,7 @@
 
 AI-built SaaS can look ready before it is ready: login works, checkout opens, the dashboard loads, and tests are green. The launch risk is usually hidden in trust-boundary code that decides who gets access, who pays, what data they can see, and whether failures are visible.
 
-Start with the 30-second copy-paste demo: `npx ai-saas-guard@latest demo --summary`. No signup, no code upload, no LLM call. See [docs/demo-terminal-output.txt](docs/demo-terminal-output.txt) and [compare with alternatives](docs/launch-gate-positioning.md).
+Start with the 30-second copy-paste demo: `npx ai-saas-guard@latest demo --summary`. No signup, no code upload, no LLM call. See the [terminal screenshot](docs/demo-terminal-screenshot.svg), [saved output](docs/demo-terminal-output.txt), [compare with alternatives](docs/launch-gate-positioning.md), and the [30-second cold-start review](docs/cold-start-review.md).
 
 These are the failures that hurt after real users arrive:
 
@@ -54,7 +54,7 @@ No signup, no code upload, no LLM call:
 npx ai-saas-guard@latest demo --summary
 ```
 
-The demo scans two packaged fixtures: one risky AI-built SaaS and one safer version. See the saved terminal sample in [docs/demo-terminal-output.txt](docs/demo-terminal-output.txt), then compare with alternatives in [docs/launch-gate-positioning.md](docs/launch-gate-positioning.md).
+The demo scans two packaged fixtures: one risky AI-built SaaS and one safer version. See the [terminal screenshot](docs/demo-terminal-screenshot.svg) or saved terminal sample in [docs/demo-terminal-output.txt](docs/demo-terminal-output.txt), then compare with alternatives in [docs/launch-gate-positioning.md](docs/launch-gate-positioning.md).
 
 ## 60-Second Local Check
 
@@ -199,13 +199,13 @@ The CLI is published on npm as `ai-saas-guard`, and the GitHub Action is availab
 | Area | Status |
 | --- | --- |
 | Public GitHub repository | Available |
-| npm CLI | `ai-saas-guard@0.33.0` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.33.0` |
+| npm CLI | `ai-saas-guard@0.34.0` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.34.0` |
 | Outputs | Short summary, terminal, JSON, SARIF, and PR-focused markdown |
 | Project config | `.ai-saas-guard.json` rule toggles, severity overrides, suppressions, and fail thresholds |
 | Privacy model | Local-first, read-only scan commands, no LLM calls, no code upload |
-| Versioned Action tags | `v0.33.0`, `v0` |
-| Current release | `0.33.0` sharpens the README first screen, adds a saved terminal demo output, and adds deployed worker staging evidence automation that validates safe logs before building hosted release-gate input |
+| Versioned Action tags | `v0.34.0`, `v0` |
+| Current release | `0.34.0` adds a visual demo screenshot, tightens first-run demo output, adds a concise competitor-positioning line, and improves hosted Check Run reviewer checklist wording |
 | npm publishing | Trusted Publisher/OIDC, no long-lived publish token |
 | Repository trust hardening | Strict branch protection, Dependabot, CodeQL, fast-check fuzzing, signed release provenance assets, private vulnerability reporting, secret scanning, and push protection |
 | Cloudflare hosted ingress | Deployed at `https://ai-saas-guard-hosted.zr9959.workers.dev`; signed GitHub App webhook delivery and compact Check Run smoke now pass in staging |
@@ -374,7 +374,7 @@ Use `suppressions` for narrower false-positive handling when one rule is noisy o
 
 ## GitHub Action
 
-The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.33.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
+The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.34.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
 
 ```yaml
 name: ai-saas-guard

package/dist/hosted/contracts.js

@@ -485,7 +485,7 @@ export function createHostedCheckRunSummary(input) {
         conclusion,
         output: {
             title: formatCheckRunTitle(totalFindings, conclusion, input.failOnSeverity),
-            summary: `Launch gate: ${launchGate}. Review first: verify this signal before release; it is not a full security audit, pentest, or certification.`,
+            summary: `Launch gate: ${launchGate}. Review first: What changed at the launch boundary? Manual proof required before release; it is not a full security audit, pentest, or certification.`,
             text: truncateMarkdown(formatCheckRunMarkdown(report, conclusion, localCliCommand, launchGate), input.maxMarkdownChars)
         },
         annotations: report.evidence.slice(0, MAX_CHECK_RUN_ANNOTATIONS).map((finding) => {
@@ -1111,6 +1111,11 @@ function formatCheckRunMarkdown(report, conclusion, localCliCommand, launchGate)
         "Files to review first:",
         ...(filesToReview.length === 0 ? ["- None"] : filesToReview.map((file) => `- ${file}`)),
         "",
+        "Launch-boundary reviewer checklist:",
+        "- What changed at the launch boundary?",
+        "- Why this auth billing data or deploy decision is safe?",
+        "- What manual test proves it fails closed?",
+        "",
         "Verification steps:",
         "- Review each listed file before release or merge.",
         "- Reproduce locally with the CLI command above.",

package/dist/report/markdown.js

@@ -10,11 +10,17 @@ function formatDemoMarkdown(report) {
     const lines = [];
     lines.push("## ai-saas-guard demo");
     lines.push("");
-    lines.push("Synthetic public demo for the local-first launch gate. This is not a pentest, full audit, or certification.");
+    lines.push("AI-built SaaS can look ready while launch risks stay hidden. This is not a pentest, full audit, or certification.");
     lines.push("");
     lines.push(`- Risky demo: ${escapeMarkdownInline(summaryText(report.demos.risky))}`);
     lines.push(`- Safe demo: ${escapeMarkdownInline(summaryText(report.demos.safe))}`);
     lines.push("");
+    lines.push("### What This Proves");
+    appendList(lines, [
+        "The same SaaS surfaces can look finished while auth, billing, data, deploy, and CI risks still need review.",
+        "The safe demo keeps the same SaaS surfaces but removes the intentional launch-risk patterns."
+    ].map(escapeMarkdownInline));
+    lines.push("");
     lines.push("### Review First");
     appendList(lines, reviewFirst(report.demos.risky.findings).map(escapeMarkdownInline));
     lines.push("");

package/dist/report/summary.js

@@ -35,13 +35,17 @@ export function formatSummaryReport(report) {
 function formatShowcaseSummary(report) {
     const lines = [];
     lines.push("ai-saas-guard demo summary");
-    lines.push("Synthetic public demo for the local-first launch gate.");
+    lines.push("AI-built SaaS can look ready while launch risks stay hidden.");
     lines.push("This is not a pentest, full audit, or certification.");
     lines.push("");
     lines.push(`Risky demo: ${summaryText(report.demos.risky)}`);
     lines.push(`Safe demo: ${summaryText(report.demos.safe)}`);
     lines.push(`Launch gate: ${launchGateVerdict(report.demos.risky)}`);
     lines.push("");
+    lines.push("What this proves:");
+    lines.push("- The same SaaS surfaces can look finished while auth, billing, data, deploy, and CI risks still need review.");
+    lines.push("- The safe demo keeps the same SaaS surfaces but removes the intentional launch-risk patterns.");
+    lines.push("");
     lines.push("Top risks:");
     appendList(lines, reviewFirst(report.demos.risky.findings, 3));
     lines.push("");

package/dist/report/terminal.js

@@ -48,12 +48,16 @@ export function formatTerminalReport(report) {
 function formatDemoTerminalReport(report) {
     const lines = [];
     lines.push("ai-saas-guard demo");
-    lines.push("Synthetic public demo for the local-first launch gate.");
+    lines.push("AI-built SaaS can look ready while launch risks stay hidden.");
     lines.push("This is not a pentest, full audit, or certification.");
     lines.push("");
     lines.push(`Risky demo: ${summaryText(report.demos.risky)}`);
     lines.push(`Safe demo: ${summaryText(report.demos.safe)}`);
     lines.push("");
+    lines.push("What this proves:");
+    lines.push("- The same SaaS surfaces can look finished while auth, billing, data, deploy, and CI risks still need review.");
+    lines.push("- The safe demo keeps the same SaaS surfaces but removes the intentional launch-risk patterns.");
+    lines.push("");
     lines.push("Review first:");
     for (const item of reviewFirst(report.demos.risky.findings)) {
         lines.push(`- ${item}`);

package/docs/README.zh-CN.md

@@ -51,7 +51,7 @@ AI 构建的 SaaS 很容易“看起来已经能上线”：能登录、能打
 npx ai-saas-guard@latest demo --summary
 ```
 
-这个 demo 会扫描两个包内 fixture：一个故意有上线风险的 AI-built SaaS，和一个同类场景下更安全的版本。可以先看保存好的终端样例：[docs/demo-terminal-output.txt](demo-terminal-output.txt)，再看它[和替代方案的区别](launch-gate-positioning.md)。
+这个 demo 会扫描两个包内 fixture：一个故意有上线风险的 AI-built SaaS，和一个同类场景下更安全的版本。可以先看[终端截图](docs/demo-terminal-screenshot.svg)和保存好的终端样例：[docs/demo-terminal-output.txt](demo-terminal-output.txt)，再看它[和替代方案的区别](launch-gate-positioning.md)。
 
 ## 60 秒本地检查
 
@@ -179,18 +179,18 @@ node dist/cli.js scan --root /path/to/your-saas
 
 这个仓库是公开 GitHub 仓库。
 
-CLI 已发布到 npm：`ai-saas-guard@0.33.0`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.33.0`。
+CLI 已发布到 npm：`ai-saas-guard@0.34.0`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.34.0`。
 
 | 模块 | 状态 |
 | --- | --- |
 | 公开 GitHub 仓库 | 已可用 |
-| npm CLI | `ai-saas-guard@0.33.0` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.33.0` |
+| npm CLI | `ai-saas-guard@0.34.0` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.34.0` |
 | 输出格式 | 短 summary、Terminal、JSON、SARIF 和 PR markdown |
 | 项目配置 | `.ai-saas-guard.json` 支持规则开关、severity 覆盖、suppressions 和 fail threshold |
 | 隐私模型 | 本地优先、只读扫描、不调用 LLM、不上传代码 |
-| 当前版本 | `0.33.0` 优化 README 首屏、增加保存好的终端 demo 输出，并新增 deployed worker staging evidence automation：先验证 safe log samples，再生成 hosted release-gate input |
-| Action 标签 | `v0.33.0`、`v0` |
+| 当前版本 | `0.34.0` 增加可视化 demo 截图、优化首次 demo 输出、补充更精简的竞品定位说明，并强化 hosted Check Run reviewer checklist |
+| Action 标签 | `v0.34.0`、`v0` |
 | npm 发布 | GitHub Actions Trusted Publisher/OIDC，无需长期 npm token |
 | 仓库可信度加固 | 严格 branch protection、Dependabot、CodeQL、fast-check fuzzing、signed release provenance assets、private vulnerability reporting、secret scanning 和 push protection |
 | Cloudflare hosted ingress | 已部署到 `https://ai-saas-guard-hosted.zr9959.workers.dev`；签名 GitHub App webhook delivery 和 compact Check Run staging smoke 已通过 |

package/docs/cold-start-review.md

@@ -0,0 +1,22 @@
+# 30-Second GitHub Cold-Start Review
+
+Use this checklist when reading the repository as a first-time visitor.
+
+## First Screen
+
+- Does the first screen explain the painful problem before listing features?
+- Does it say AI-built SaaS can look ready while auth, billing, data, deploy, and CI risks stay hidden?
+- Is the no-signup demo command visible without scrolling far?
+- Are the local-first boundaries visible: no code upload and no LLM call?
+
+## First Command
+
+- Can the visitor run `npx ai-saas-guard@latest demo --summary` without cloning a repository?
+- Does the output show risky versus safe SaaS surfaces in under a minute?
+- Does it point to manual proof instead of implying certification?
+
+## First Decision
+
+- Can the visitor tell when to use this beside Semgrep, CodeQL, zizmor, Scorecard, Snyk, and GitHub code scanning?
+- Can the visitor tell this is a launch review queue, not a pentest, full audit, or certification?
+- Can the visitor tell whether they should run `scan`, `pr-risk`, or the GitHub Action next?

package/docs/demo-terminal-output.txt

@@ -1,8 +1,14 @@
 ai-saas-guard demo --summary
 
+AI-built SaaS can look ready while launch risks stay hidden.
+
 Risky demo: 19 findings
 Launch gate: blocked
 
+What this proves:
+- The same SaaS surfaces can look finished while auth, billing, data, deploy, and CI risks still need review.
+- The safe demo keeps the same SaaS surfaces but removes the intentional launch-risk patterns.
+
 Top risks:
 - CRITICAL stripe.webhook.missing-signature at app/api/stripe/webhook/route.ts:1
 - CRITICAL supabase.rls.broad-policy at supabase/migrations/001_accounts.sql:10

package/docs/demo-terminal-screenshot.svg

@@ -0,0 +1,20 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="960" height="560" viewBox="0 0 960 560" role="img" aria-labelledby="title desc">
+  <title id="title">ai-saas-guard demo terminal screenshot</title>
+  <desc id="desc">Terminal-style screenshot showing risky and safe demo summaries.</desc>
+  <rect width="960" height="560" fill="#0b1020"/>
+  <rect x="32" y="32" width="896" height="496" rx="8" fill="#111827" stroke="#334155"/>
+  <circle cx="62" cy="58" r="7" fill="#ef4444"/>
+  <circle cx="86" cy="58" r="7" fill="#f59e0b"/>
+  <circle cx="110" cy="58" r="7" fill="#22c55e"/>
+  <text x="48" y="104" fill="#e5e7eb" font-family="Menlo, Consolas, monospace" font-size="22">npx ai-saas-guard@latest demo --summary</text>
+  <text x="48" y="152" fill="#93c5fd" font-family="Menlo, Consolas, monospace" font-size="20">ai-saas-guard demo summary</text>
+  <text x="48" y="190" fill="#e5e7eb" font-family="Menlo, Consolas, monospace" font-size="18">AI-built SaaS can look ready while launch risks stay hidden.</text>
+  <text x="48" y="232" fill="#fca5a5" font-family="Menlo, Consolas, monospace" font-size="20">Risky demo: 19 findings: 2 critical, 6 high, 7 medium, 3 low, 1 info</text>
+  <text x="48" y="270" fill="#86efac" font-family="Menlo, Consolas, monospace" font-size="20">Safe demo: 0 findings</text>
+  <text x="48" y="320" fill="#fde68a" font-family="Menlo, Consolas, monospace" font-size="18">What this proves:</text>
+  <text x="72" y="356" fill="#e5e7eb" font-family="Menlo, Consolas, monospace" font-size="17">- same SaaS surfaces, different launch-risk patterns</text>
+  <text x="72" y="388" fill="#e5e7eb" font-family="Menlo, Consolas, monospace" font-size="17">- review auth, billing, data, deploy, CI before real users</text>
+  <text x="48" y="438" fill="#fde68a" font-family="Menlo, Consolas, monospace" font-size="18">Top risks:</text>
+  <text x="72" y="474" fill="#e5e7eb" font-family="Menlo, Consolas, monospace" font-size="16">- CRITICAL stripe.webhook.missing-signature</text>
+  <text x="72" y="504" fill="#e5e7eb" font-family="Menlo, Consolas, monospace" font-size="16">- CRITICAL supabase.rls.broad-policy</text>
+</svg>

package/docs/launch-gate-positioning.md

@@ -4,6 +4,10 @@
 
 The narrow bet is simple: a founder or reviewer should know which launch-risk files to inspect first, what manual proof to run, and what fix direction to try before traffic reaches real users.
 
+## What This Adds In One Line
+
+`ai-saas-guard` turns AI-built SaaS launch risks into a short local review queue; it is not intended to substitute for broad SAST, dependency scanning, workflow security analysis, or repository scorecards.
+
 ## Where It Fits
 
 | Tool category | Typical strength | How ai-saas-guard fits beside it |

package/docs/npm-publishing.md

@@ -5,11 +5,11 @@
 ## Current State
 
 - Package name: `ai-saas-guard`
-- Current published version: `0.33.0`
+- Current published version: `0.34.0`
 - Next source candidate: none
 - npm registry state: published at <https://www.npmjs.com/package/ai-saas-guard>
 - First npm-published version: `0.1.1`
-- GitHub Release: `v0.33.0`
+- GitHub Release: `v0.34.0`
 - Publish workflow: `.github/workflows/npm-publish.yml`
 - Trusted Publisher: GitHub Actions, `zr9959/ai-saas-guard`, workflow `npm-publish.yml`, allowed action `npm publish`
 - Long-lived npm publish token: not required
@@ -18,7 +18,7 @@
 
 Use GitHub Actions with npm Trusted Publisher/OIDC:
 
-1. Create and review a release tag such as `v0.33.0`.
+1. Create and review a release tag such as `v0.34.0`.
 2. Publish from the GitHub Release or run the `Publish npm` workflow manually with `ref` set to that tag.
 3. Keep `permissions.id-token: write` in the workflow so npm can exchange the GitHub Actions OIDC identity for a short-lived publish credential.
 4. Run `npm publish --access public` from the workflow. Trusted publishing automatically generates provenance for this public package from this public repository.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-saas-guard",
-  "version": "0.33.0",
+  "version": "0.34.0",
   "description": "Local-first CLI that catches launch blockers in AI-built Next.js/Supabase/Stripe SaaS apps.",
   "readmeFilename": "README.md",
   "type": "module",