ai-saas-guard 0.33.0 → 0.35.0

package/README.md

@@ -31,7 +31,7 @@
 
 AI-built SaaS can look ready before it is ready: login works, checkout opens, the dashboard loads, and tests are green. The launch risk is usually hidden in trust-boundary code that decides who gets access, who pays, what data they can see, and whether failures are visible.
 
-Start with the 30-second copy-paste demo: `npx ai-saas-guard@latest demo --summary`. No signup, no code upload, no LLM call. See [docs/demo-terminal-output.txt](docs/demo-terminal-output.txt) and [compare with alternatives](docs/launch-gate-positioning.md).
+Start with the 30-second copy-paste demo: `npx ai-saas-guard@latest demo --summary`. No signup, no code upload, no LLM call. See the [terminal screenshot](docs/demo-terminal-screenshot.svg), [saved output](docs/demo-terminal-output.txt), [compare with alternatives](docs/launch-gate-positioning.md), and the [30-second cold-start review](docs/cold-start-review.md).
 
 These are the failures that hurt after real users arrive:
 
@@ -54,7 +54,7 @@ No signup, no code upload, no LLM call:
 npx ai-saas-guard@latest demo --summary
 ```
 
-The demo scans two packaged fixtures: one risky AI-built SaaS and one safer version. See the saved terminal sample in [docs/demo-terminal-output.txt](docs/demo-terminal-output.txt), then compare with alternatives in [docs/launch-gate-positioning.md](docs/launch-gate-positioning.md).
+The demo scans two packaged fixtures: one risky AI-built SaaS and one safer version. See the [terminal screenshot](docs/demo-terminal-screenshot.svg) or saved terminal sample in [docs/demo-terminal-output.txt](docs/demo-terminal-output.txt), then compare with alternatives in [docs/launch-gate-positioning.md](docs/launch-gate-positioning.md).
 
 ## 60-Second Local Check
 
@@ -138,6 +138,14 @@ One command returns a launch-readiness report with:
 
 For a concise comparison with Semgrep, zizmor, OpenSSF Scorecard, Snyk, and GitHub code scanning, see [docs/launch-gate-positioning.md](docs/launch-gate-positioning.md).
 
+## Three Ways To Use It
+
+| Path | Best for | Status |
+| --- | --- | --- |
+| Local CLI | Private code, first local launch review, founder or reviewer workflow | Published on npm; local-first, read-only, no code upload, no LLM calls |
+| GitHub Action | CI review queue, SARIF upload, PR summary artifacts, controlled fail thresholds | Available through `zr9959/ai-saas-guard@v0` and fixed version tags |
+| Hosted GitHub App | Future hosted Check Run experience for selected repositories | Limited trial gate only; not the complete hosted SaaS, not a public hosted scanner |
+
 ## Quick Start
 
 Run the published CLI without installing it globally:
@@ -199,13 +207,13 @@ The CLI is published on npm as `ai-saas-guard`, and the GitHub Action is availab
 | Area | Status |
 | --- | --- |
 | Public GitHub repository | Available |
-| npm CLI | `ai-saas-guard@0.33.0` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.33.0` |
+| npm CLI | `ai-saas-guard@0.35.0` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.35.0` |
 | Outputs | Short summary, terminal, JSON, SARIF, and PR-focused markdown |
 | Project config | `.ai-saas-guard.json` rule toggles, severity overrides, suppressions, and fail thresholds |
 | Privacy model | Local-first, read-only scan commands, no LLM calls, no code upload |
-| Versioned Action tags | `v0.33.0`, `v0` |
-| Current release | `0.33.0` sharpens the README first screen, adds a saved terminal demo output, and adds deployed worker staging evidence automation that validates safe logs before building hosted release-gate input |
+| Versioned Action tags | `v0.35.0`, `v0` |
+| Current release | `0.35.0` adds a hosted GitHub App limited-trial gate, read-only checkout scan gate, three usage paths, a realistic AI SaaS case-study fixture, and a local scan resource budget helper |
 | npm publishing | Trusted Publisher/OIDC, no long-lived publish token |
 | Repository trust hardening | Strict branch protection, Dependabot, CodeQL, fast-check fuzzing, signed release provenance assets, private vulnerability reporting, secret scanning, and push protection |
 | Cloudflare hosted ingress | Deployed at `https://ai-saas-guard-hosted.zr9959.workers.dev`; signed GitHub App webhook delivery and compact Check Run smoke now pass in staging |
@@ -318,6 +326,8 @@ The hosted production adapter layer is documented in [docs/hosted-production-ada
 
 The hosted read-only checkout worker is exported from `ai-saas-guard/hosted/worker`. It creates a temporary checkout from trusted GitHub App identity, uses a runtime installation token only through git askpass, removes askpass material before the CLI phase, rejects mutated command/checkout/token-scope plans, runs the fixed `ai-saas-guard pr-risk --json` command with bounded timeout/output, converts CLI JSON into compact findings, and deletes the checkout after success or failure. It does not return source, diffs, secrets, checkout paths, PR-authored commands, or installation tokens.
 
+The read-only checkout scan gate is exported as `evaluateHostedReadOnlyCheckoutScanGate` from `ai-saas-guard/hosted/worker`. It records whether the real worker path observed trusted git stages, CLI scan, compact report storage, Check Run publication, checkout cleanup, token removal before CLI, and bounded timeout/output settings before a hosted trial can proceed.
+
 The hosted Node/container app skeleton is documented in [docs/hosted-node-container-app.md](docs/hosted-node-container-app.md). It exports `createHostedHttpApp`, `createInMemoryHostedAppPlatform`, `createHostedNodeCheckoutAppPlatform`, and `planHostedNodeContainerDeployment` from `ai-saas-guard/hosted/app`. It adds a safe `/healthz` route, signed `/github/webhook` ingress, one-job worker tick, in-memory provider adapters for tests, a concrete read-only checkout worker composition with visible timeout/output safety budgets, and deployment-plan validation for secret manager, queue, compact report store, worker sandbox, and GitHub Checks publisher references. It still does not deploy or expose a public hosted service by itself.
 
 The hosted staging deployment planner is documented in [docs/hosted-staging-deployment.md](docs/hosted-staging-deployment.md). It exports `planHostedProviderBinding`, `planHostedStagingDeployment`, and `planHostedGitHubAppPromotion` from `ai-saas-guard/hosted/staging`. It composes real provider references, the Node/container deployment plan, hosted operational release-gate evidence, and GitHub App deployment planning so staging and production promotion stay blocked until the required queue, store, worker sandbox, Check Run publisher, logs, metrics, rollback, and incident-response references are present. It still does not call a cloud provider, create a GitHub App, or expose a public hosted service by itself.
@@ -336,8 +346,14 @@ Hosted pricing and packaging boundaries are documented in [docs/hosted-pricing-p
 
 Hosted pre-implementation pure contracts are documented in [docs/hosted-preimplementation-contracts.md](docs/hosted-preimplementation-contracts.md). They now include a pull request webhook intake planner that verifies signatures before parsing or queueing, a durable scan queue planner that reuses queued, running, and completed jobs for the same trusted scan key, a worker read-only scan planner that fixes the CLI command and requires repository `contents: read`, a concrete Node read-only checkout scan runner, and a Check Run publication planner that requires repository `checks: write` and builds bounded check-only payloads from compact reports. They also cover queue-safe webhook event parsing, bounded check-run summary rendering, idempotent queue cleanup planning, worker checkout cleanup planning, a retention/deletion cleanup planner, an operational release gate evaluator, the production adapter plans needed for GitHub App auth and bounded worker execution, the Node/container app skeleton needed for real provider wiring, the staging deployment planner needed before production GitHub App promotion, the local staging harness needed to rehearse webhook replay, persistence, publication, and cleanup without cloud calls, and the deployed worker staging evidence helper needed to evaluate public HTTPS health, deployed cleanup, and log-boundary evidence without storing raw hosted data. The service runtime composes these contracts behind replaceable adapters. PR comments remain a later workflow or paid hosted feature, not part of the hosted MVP contract.
 
+The limited hosted GitHub App trial gate is exported as `createHostedGitHubAppTrialGate` from `ai-saas-guard/hosted/contracts`. It keeps trial use scoped to selected repositories and requires Check Run publication, compact report storage, worker cleanup, and safe log-boundary evidence before treating a small trial as ready. It does not claim the complete hosted SaaS is available.
+
 A public hosted compact report schema fixture is available at [examples/hosted-compact-report.json](examples/hosted-compact-report.json). It is synthetic and public-safe: compact evidence only, no raw source, raw diffs, secrets, webhook payload bodies, customer payloads, private URLs, or worker checkout paths.
 
+The case-study fixture in [examples/case-study-ai-saas](examples/case-study-ai-saas) and [docs/case-study-ai-saas.md](docs/case-study-ai-saas.md) shows a more realistic AI-built SaaS shape across auth-adjacent routes, billing, Stripe, Supabase, Next/Vercel, and GitHub Actions.
+
+For large repositories, `createLocalScanResourceBudget` exposes the conservative local scan budget: bounded text files, per-file bytes, total bytes, ignored build/dependency directories, no code upload, and no LLM calls.
+
 The proposed hosted app permission boundary is intentionally narrow: repository contents read, pull requests read, checks write, and metadata read for the first version. Optional PR comments require repository policy opt-in, and broad permissions such as administration, deployments, Actions write, and repository secrets are out of scope.
 
 The repository also includes hosted contract helpers and runtime tests for webhook intake order, webhook verification, installation token scoping, durable queue idempotency, compact reports, retention limits, uninstall cleanup, repeated cleanup idempotency, scoped deletion planning, operational release gate blocking, provider-independent hosted service orchestration, and GitHub App deployment planning. These helpers do not deploy a public hosted service.
@@ -374,7 +390,7 @@ Use `suppressions` for narrower false-positive handling when one rule is noisy o
 
 ## GitHub Action
 
-The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.33.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
+The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.35.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
 
 ```yaml
 name: ai-saas-guard

package/dist/hosted/contracts.d.ts

@@ -453,6 +453,54 @@ export interface HostedCheckRunPublicationPlan {
         modelTraining: "disabled";
     };
 }
+export type HostedGitHubAppTrialGateBlockedReason = "trial_repository_limit_exceeded" | "trial_repository_not_selected" | "check_run_publication_missing" | "compact_report_missing" | "worker_cleanup_missing" | "safe_log_boundary_rejected";
+export interface HostedGitHubAppTrialGateInput {
+    requestedAt: string;
+    appName: string;
+    installationId: number;
+    selectedRepositoryIds: number[];
+    trialRepositoryIds: number[];
+    completedCheckRuns: Array<{
+        repositoryId: number;
+        pullRequestNumber: number;
+        headSha: string;
+        conclusion: HostedCheckRunConclusion;
+        compactReportStored: boolean;
+        checkRunPublished: boolean;
+        workerCleanupVerified: boolean;
+    }>;
+    safeLogBoundary: {
+        accepted: boolean;
+        sampleCount: number;
+        blockedReasons: string[];
+    };
+    maxTrialRepositories?: number;
+    rawSource?: string;
+    rawDiff?: string;
+    secretValues?: string[];
+    customerPayload?: unknown;
+}
+export interface HostedGitHubAppTrialGate {
+    readyForTrial: boolean;
+    blockedReasons: HostedGitHubAppTrialGateBlockedReason[];
+    requestedAt: string;
+    scope: {
+        appName: string;
+        installationId: number;
+        trialRepositoryIds: number[];
+        maxTrialRepositories: number;
+    };
+    checkRunsReady: boolean;
+    safeLogBoundaryReady: boolean;
+    requiredNextProof: string[];
+    privacy: {
+        includesRawSource: false;
+        includesRawDiffs: false;
+        includesSecrets: false;
+        includesCustomerPayloads: false;
+        claimsCompleteHostedSaas: false;
+    };
+}
 export type HostedDeletionTrigger = "repository_removed" | "installation_deleted" | "repeated_cleanup";
 export interface HostedDeletionPlanInput {
     trigger: HostedDeletionTrigger;
@@ -690,6 +738,7 @@ export declare function resolveHostedRetentionDays(input?: {
 export declare function createCompactHostedReport(input: CompactHostedReportInput): CompactHostedReport;
 export declare function createHostedCheckRunSummary(input: HostedCheckRunSummaryInput): HostedCheckRunSummary;
 export declare function planHostedCheckRunPublication(input: HostedCheckRunPublicationInput): HostedCheckRunPublicationPlan;
+export declare function createHostedGitHubAppTrialGate(input: HostedGitHubAppTrialGateInput): HostedGitHubAppTrialGate;
 export declare function getHostedDeletionIdempotencyKey(input: {
     trigger: HostedDeletionTrigger;
     installationId: number;

package/dist/hosted/contracts.js

@@ -485,7 +485,7 @@ export function createHostedCheckRunSummary(input) {
         conclusion,
         output: {
             title: formatCheckRunTitle(totalFindings, conclusion, input.failOnSeverity),
-            summary: `Launch gate: ${launchGate}. Review first: verify this signal before release; it is not a full security audit, pentest, or certification.`,
+            summary: `Launch gate: ${launchGate}. Review first: What changed at the launch boundary? Manual proof required before release; it is not a full security audit, pentest, or certification.`,
             text: truncateMarkdown(formatCheckRunMarkdown(report, conclusion, localCliCommand, launchGate), input.maxMarkdownChars)
         },
         annotations: report.evidence.slice(0, MAX_CHECK_RUN_ANNOTATIONS).map((finding) => {
@@ -559,6 +559,59 @@ export function planHostedCheckRunPublication(input) {
         privacy: hostedCheckRunPublicationPrivacy()
     };
 }
+export function createHostedGitHubAppTrialGate(input) {
+    const maxTrialRepositories = input.maxTrialRepositories ?? 3;
+    const selectedRepositoryIds = new Set(input.selectedRepositoryIds);
+    const blockedReasons = [];
+    const trialRepositoryLimitExceeded = input.trialRepositoryIds.length > maxTrialRepositories;
+    const trialRepositoryNotSelected = input.trialRepositoryIds.some((repositoryId) => !selectedRepositoryIds.has(repositoryId));
+    const matchingRuns = input.completedCheckRuns.filter((run) => input.trialRepositoryIds.includes(run.repositoryId));
+    const checkRunPublicationMissing = matchingRuns.length === 0 || matchingRuns.some((run) => !run.checkRunPublished);
+    const compactReportMissing = matchingRuns.length === 0 || matchingRuns.some((run) => !run.compactReportStored);
+    const workerCleanupMissing = matchingRuns.length === 0 || matchingRuns.some((run) => !run.workerCleanupVerified);
+    const safeLogBoundaryRejected = !input.safeLogBoundary.accepted || input.safeLogBoundary.sampleCount <= 0;
+    if (trialRepositoryLimitExceeded)
+        blockedReasons.push("trial_repository_limit_exceeded");
+    if (trialRepositoryNotSelected)
+        blockedReasons.push("trial_repository_not_selected");
+    if (checkRunPublicationMissing)
+        blockedReasons.push("check_run_publication_missing");
+    if (compactReportMissing)
+        blockedReasons.push("compact_report_missing");
+    if (workerCleanupMissing)
+        blockedReasons.push("worker_cleanup_missing");
+    if (safeLogBoundaryRejected)
+        blockedReasons.push("safe_log_boundary_rejected");
+    return {
+        readyForTrial: blockedReasons.length === 0,
+        blockedReasons,
+        requestedAt: input.requestedAt,
+        scope: {
+            appName: input.appName,
+            installationId: input.installationId,
+            trialRepositoryIds: [...input.trialRepositoryIds].sort((a, b) => a - b),
+            maxTrialRepositories
+        },
+        checkRunsReady: matchingRuns.length > 0 &&
+            !checkRunPublicationMissing &&
+            !compactReportMissing &&
+            !workerCleanupMissing,
+        safeLogBoundaryReady: !safeLogBoundaryRejected,
+        requiredNextProof: [
+            "Install only on selected trial repositories.",
+            "Publish one bounded Check Run from compact report data only.",
+            "Verify worker checkout cleanup after success and failure.",
+            "Sample logs and confirm raw source, raw diffs, secrets, customer payloads, and tokens are absent."
+        ],
+        privacy: {
+            includesRawSource: false,
+            includesRawDiffs: false,
+            includesSecrets: false,
+            includesCustomerPayloads: false,
+            claimsCompleteHostedSaas: false
+        }
+    };
+}
 export function getHostedDeletionIdempotencyKey(input) {
     return [input.trigger, input.installationId, input.repositoryId ?? "all"].join(":");
 }
@@ -1111,6 +1164,11 @@ function formatCheckRunMarkdown(report, conclusion, localCliCommand, launchGate)
         "Files to review first:",
         ...(filesToReview.length === 0 ? ["- None"] : filesToReview.map((file) => `- ${file}`)),
         "",
+        "Launch-boundary reviewer checklist:",
+        "- What changed at the launch boundary?",
+        "- Why this auth billing data or deploy decision is safe?",
+        "- What manual test proves it fails closed?",
+        "",
         "Verification steps:",
         "- Review each listed file before release or merge.",
         "- Reproduce locally with the CLI command above.",

package/dist/hosted/worker.d.ts

@@ -1,5 +1,6 @@
 import type { HostedServiceScanRunner, HostedServiceScanRunnerInput, HostedServiceScanRunnerResult } from "./service.js";
 export type HostedReadOnlyCheckoutCommandStage = "git_init" | "git_remote_add" | "git_fetch_head" | "git_fetch_base" | "git_checkout" | "cli_scan";
+export type HostedReadOnlyCheckoutScanGateBlockedReason = `missing_command_stage_${HostedReadOnlyCheckoutCommandStage}` | "compact_report_missing" | "check_run_missing" | "checkout_cleanup_missing" | "token_boundary_missing" | "output_budget_exceeded" | "timeout_budget_exceeded";
 export interface HostedReadOnlyCheckoutCommand {
     stage: HostedReadOnlyCheckoutCommandStage;
     command: string;
@@ -26,6 +27,39 @@ export interface HostedReadOnlyCheckoutScanRunnerOptions {
     installationTokenProvider: HostedInstallationTokenProvider;
     commandRunner?: HostedReadOnlyCheckoutCommandRunner;
 }
+export interface HostedReadOnlyCheckoutScanGateInput {
+    requestedAt: string;
+    jobKey: string;
+    commandStages: HostedReadOnlyCheckoutCommandStage[];
+    summaryCounts: Record<string, number>;
+    compactFindingCount: number;
+    compactReportStored: boolean;
+    checkRunPublished: boolean;
+    checkoutDeleted: boolean;
+    tokenRemovedBeforeCli: boolean;
+    maxOutputBytes: number;
+    timeoutMs: number;
+    rawSource?: string;
+    rawDiff?: string;
+    checkoutPath?: string;
+    installationToken?: string;
+}
+export interface HostedReadOnlyCheckoutScanGate {
+    readyForHostedTrial: boolean;
+    blockedReasons: HostedReadOnlyCheckoutScanGateBlockedReason[];
+    requestedAt: string;
+    jobKey: string;
+    summaryCounts: Record<string, number>;
+    compactFindingCount: number;
+    commandStagesObserved: HostedReadOnlyCheckoutCommandStage[];
+    privacy: {
+        includesRawSource: false;
+        includesRawDiffs: false;
+        includesPrivateCheckoutPath: false;
+        includesInstallationToken: false;
+        claimsCompleteHostedSaas: false;
+    };
+}
 export type HostedReadOnlyCheckoutScanSafeReason = "invalid_worker_plan" | "invalid_repository_full_name" | "invalid_clone_base_url" | "missing_installation_token" | "git_init_failed" | "git_remote_add_failed" | "git_fetch_head_failed" | "git_fetch_base_failed" | "git_checkout_failed" | "cli_scan_failed" | "invalid_cli_output" | "cleanup_failed";
 export declare class HostedReadOnlyCheckoutScanError extends Error {
     readonly safeReason: HostedReadOnlyCheckoutScanSafeReason;
@@ -40,4 +74,5 @@ export declare class HostedReadOnlyCheckoutScanError extends Error {
     constructor(safeReason: HostedReadOnlyCheckoutScanSafeReason);
 }
 export declare function createHostedReadOnlyCheckoutScanRunner(options: HostedReadOnlyCheckoutScanRunnerOptions): HostedServiceScanRunner;
+export declare function evaluateHostedReadOnlyCheckoutScanGate(input: HostedReadOnlyCheckoutScanGateInput): HostedReadOnlyCheckoutScanGate;
 export declare function runHostedReadOnlyCheckoutScan(input: HostedServiceScanRunnerInput, options: HostedReadOnlyCheckoutScanRunnerOptions): Promise<HostedServiceScanRunnerResult>;

package/dist/hosted/worker.js

@@ -28,6 +28,52 @@ export class HostedReadOnlyCheckoutScanError extends Error {
 export function createHostedReadOnlyCheckoutScanRunner(options) {
     return (input) => runHostedReadOnlyCheckoutScan(input, options);
 }
+export function evaluateHostedReadOnlyCheckoutScanGate(input) {
+    const requiredStages = [
+        "git_init",
+        "git_remote_add",
+        "git_fetch_head",
+        "git_fetch_base",
+        "git_checkout",
+        "cli_scan"
+    ];
+    const observedStages = new Set(input.commandStages);
+    const blockedReasons = [];
+    for (const stage of requiredStages) {
+        if (!observedStages.has(stage))
+            blockedReasons.push(`missing_command_stage_${stage}`);
+    }
+    if (!input.compactReportStored)
+        blockedReasons.push("compact_report_missing");
+    if (!input.checkRunPublished)
+        blockedReasons.push("check_run_missing");
+    if (!input.checkoutDeleted)
+        blockedReasons.push("checkout_cleanup_missing");
+    if (!input.tokenRemovedBeforeCli)
+        blockedReasons.push("token_boundary_missing");
+    if (input.maxOutputBytes > HOSTED_WORKER_MAX_OUTPUT_BYTES) {
+        blockedReasons.push("output_budget_exceeded");
+    }
+    if (input.timeoutMs > HOSTED_WORKER_MAX_TIMEOUT_MS) {
+        blockedReasons.push("timeout_budget_exceeded");
+    }
+    return {
+        readyForHostedTrial: blockedReasons.length === 0,
+        blockedReasons,
+        requestedAt: input.requestedAt,
+        jobKey: input.jobKey,
+        summaryCounts: { ...input.summaryCounts },
+        compactFindingCount: input.compactFindingCount,
+        commandStagesObserved: input.commandStages.filter((stage, index, stages) => stages.indexOf(stage) === index),
+        privacy: {
+            includesRawSource: false,
+            includesRawDiffs: false,
+            includesPrivateCheckoutPath: false,
+            includesInstallationToken: false,
+            claimsCompleteHostedSaas: false
+        }
+    };
+}
 export async function runHostedReadOnlyCheckoutScan(input, options) {
     const { plan } = input;
     const { checkout, cli } = plan;

package/dist/index.d.ts

@@ -9,7 +9,9 @@ export { applyGuardConfig, defaultConfigFileName, loadGuardConfig } from "./conf
 export { createScanContext } from "./context.js";
 export { getRuleMetadata, RULE_CATALOG } from "./rules/catalog.js";
 export { formatSummaryReport } from "./report/summary.js";
+export { createLocalScanResourceBudget } from "./performance.js";
 export type { BaseReport, CommandName, Evidence, Finding, ActionsReport, McpOptions, McpPolicyTemplate, McpReport, McpServerInventory, McpSideEffect, PrRiskFile, PrRiskReport, ScanOptions, ShowcaseReport, StripeReport, SupabaseOptions, SupabaseDoctorReport, SupabaseReport } from "./types.js";
 export type { ScanContext, ScanInput } from "./context.js";
 export type { FindingSuppression, GuardConfig, RuleConfigValue } from "./config.js";
 export type { RuleMetadata, RuleStability } from "./rules/catalog.js";
+export type { LocalScanResourceBudget, LocalScanResourceBudgetInput } from "./performance.js";

package/dist/index.js

@@ -9,3 +9,4 @@ export { applyGuardConfig, defaultConfigFileName, loadGuardConfig } from "./conf
 export { createScanContext } from "./context.js";
 export { getRuleMetadata, RULE_CATALOG } from "./rules/catalog.js";
 export { formatSummaryReport } from "./report/summary.js";
+export { createLocalScanResourceBudget } from "./performance.js";

package/dist/performance.d.ts

@@ -0,0 +1,21 @@
+export interface LocalScanResourceBudgetInput {
+    repositoryKind?: string;
+    maxFiles?: number;
+    maxTotalBytes?: number;
+    maxFileBytes?: number;
+}
+export interface LocalScanResourceBudget {
+    repositoryKind: string;
+    localFirst: true;
+    deterministic: true;
+    uploadsCode: false;
+    callsLlm: false;
+    limits: {
+        maxFiles: number;
+        maxTotalBytes: number;
+        maxFileBytes: number;
+    };
+    ignoredDirectories: string[];
+    operatorNote: string;
+}
+export declare function createLocalScanResourceBudget(input?: LocalScanResourceBudgetInput): LocalScanResourceBudget;

package/dist/performance.js

@@ -0,0 +1,23 @@
+import { DEFAULT_MAX_TEXT_FILE_BYTES, DEFAULT_MAX_TEXT_FILES, DEFAULT_MAX_TOTAL_TEXT_BYTES } from "./utils/files.js";
+export function createLocalScanResourceBudget(input = {}) {
+    return {
+        repositoryKind: input.repositoryKind ?? "ai-built-saas",
+        localFirst: true,
+        deterministic: true,
+        uploadsCode: false,
+        callsLlm: false,
+        limits: {
+            maxFiles: positiveIntegerOrDefault(input.maxFiles, DEFAULT_MAX_TEXT_FILES),
+            maxTotalBytes: positiveIntegerOrDefault(input.maxTotalBytes, DEFAULT_MAX_TOTAL_TEXT_BYTES),
+            maxFileBytes: positiveIntegerOrDefault(input.maxFileBytes, DEFAULT_MAX_TEXT_FILE_BYTES)
+        },
+        ignoredDirectories: [".git", ".next", ".turbo", "coverage", "dist", "build", "node_modules", "out"],
+        operatorNote: "This keeps local scans bounded for large AI SaaS repositories without uploading code or calling an LLM."
+    };
+}
+function positiveIntegerOrDefault(value, fallback) {
+    if (value === undefined)
+        return fallback;
+    const normalized = Math.floor(value);
+    return Number.isFinite(normalized) && normalized > 0 ? normalized : fallback;
+}

package/dist/report/markdown.js

@@ -10,11 +10,17 @@ function formatDemoMarkdown(report) {
     const lines = [];
     lines.push("## ai-saas-guard demo");
     lines.push("");
-    lines.push("Synthetic public demo for the local-first launch gate. This is not a pentest, full audit, or certification.");
+    lines.push("AI-built SaaS can look ready while launch risks stay hidden. This is not a pentest, full audit, or certification.");
     lines.push("");
     lines.push(`- Risky demo: ${escapeMarkdownInline(summaryText(report.demos.risky))}`);
     lines.push(`- Safe demo: ${escapeMarkdownInline(summaryText(report.demos.safe))}`);
     lines.push("");
+    lines.push("### What This Proves");
+    appendList(lines, [
+        "The same SaaS surfaces can look finished while auth, billing, data, deploy, and CI risks still need review.",
+        "The safe demo keeps the same SaaS surfaces but removes the intentional launch-risk patterns."
+    ].map(escapeMarkdownInline));
+    lines.push("");
     lines.push("### Review First");
     appendList(lines, reviewFirst(report.demos.risky.findings).map(escapeMarkdownInline));
     lines.push("");

package/dist/report/summary.js

@@ -35,13 +35,17 @@ export function formatSummaryReport(report) {
 function formatShowcaseSummary(report) {
     const lines = [];
     lines.push("ai-saas-guard demo summary");
-    lines.push("Synthetic public demo for the local-first launch gate.");
+    lines.push("AI-built SaaS can look ready while launch risks stay hidden.");
     lines.push("This is not a pentest, full audit, or certification.");
     lines.push("");
     lines.push(`Risky demo: ${summaryText(report.demos.risky)}`);
     lines.push(`Safe demo: ${summaryText(report.demos.safe)}`);
     lines.push(`Launch gate: ${launchGateVerdict(report.demos.risky)}`);
     lines.push("");
+    lines.push("What this proves:");
+    lines.push("- The same SaaS surfaces can look finished while auth, billing, data, deploy, and CI risks still need review.");
+    lines.push("- The safe demo keeps the same SaaS surfaces but removes the intentional launch-risk patterns.");
+    lines.push("");
     lines.push("Top risks:");
     appendList(lines, reviewFirst(report.demos.risky.findings, 3));
     lines.push("");

package/dist/report/terminal.js

@@ -48,12 +48,16 @@ export function formatTerminalReport(report) {
 function formatDemoTerminalReport(report) {
     const lines = [];
     lines.push("ai-saas-guard demo");
-    lines.push("Synthetic public demo for the local-first launch gate.");
+    lines.push("AI-built SaaS can look ready while launch risks stay hidden.");
     lines.push("This is not a pentest, full audit, or certification.");
     lines.push("");
     lines.push(`Risky demo: ${summaryText(report.demos.risky)}`);
     lines.push(`Safe demo: ${summaryText(report.demos.safe)}`);
     lines.push("");
+    lines.push("What this proves:");
+    lines.push("- The same SaaS surfaces can look finished while auth, billing, data, deploy, and CI risks still need review.");
+    lines.push("- The safe demo keeps the same SaaS surfaces but removes the intentional launch-risk patterns.");
+    lines.push("");
     lines.push("Review first:");
     for (const item of reviewFirst(report.demos.risky.findings)) {
         lines.push(`- ${item}`);

package/docs/README.zh-CN.md

@@ -51,7 +51,7 @@ AI 构建的 SaaS 很容易“看起来已经能上线”：能登录、能打
 npx ai-saas-guard@latest demo --summary
 ```
 
-这个 demo 会扫描两个包内 fixture：一个故意有上线风险的 AI-built SaaS，和一个同类场景下更安全的版本。可以先看保存好的终端样例：[docs/demo-terminal-output.txt](demo-terminal-output.txt)，再看它[和替代方案的区别](launch-gate-positioning.md)。
+这个 demo 会扫描两个包内 fixture：一个故意有上线风险的 AI-built SaaS，和一个同类场景下更安全的版本。可以先看[终端截图](docs/demo-terminal-screenshot.svg)和保存好的终端样例：[docs/demo-terminal-output.txt](demo-terminal-output.txt)，再看它[和替代方案的区别](launch-gate-positioning.md)。
 
 ## 60 秒本地检查
 
@@ -135,6 +135,14 @@ Next steps
 
 如果想看它和 Semgrep、zizmor、OpenSSF Scorecard、Snyk、GitHub code scanning 的边界区别，见 [launch-gate-positioning.md](launch-gate-positioning.md)。
 
+## 三种使用路径
+
+| 路径 | 适合什么场景 | 当前状态 |
+| --- | --- | --- |
+| 本地 CLI | 私有代码、本机首次上线 review、founder 或 reviewer 自查 | 已发布到 npm；本地优先、只读、不上传代码、不调用 LLM |
+| GitHub Action | CI 里的 review queue、SARIF、PR summary artifact、可控 fail threshold | 可通过 `zr9959/ai-saas-guard@v0` 或固定版本标签使用 |
+| Hosted GitHub App | 未来面向 selected repositories 的 hosted Check Run 体验 | 目前只是 limited trial gate，不是完整 hosted SaaS，也不是公开 hosted scanner |
+
 ## 快速开始
 
 无需全局安装，直接运行：
@@ -179,18 +187,18 @@ node dist/cli.js scan --root /path/to/your-saas
 
 这个仓库是公开 GitHub 仓库。
 
-CLI 已发布到 npm：`ai-saas-guard@0.33.0`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.33.0`。
+CLI 已发布到 npm：`ai-saas-guard@0.35.0`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.35.0`。
 
 | 模块 | 状态 |
 | --- | --- |
 | 公开 GitHub 仓库 | 已可用 |
-| npm CLI | `ai-saas-guard@0.33.0` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.33.0` |
+| npm CLI | `ai-saas-guard@0.35.0` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.35.0` |
 | 输出格式 | 短 summary、Terminal、JSON、SARIF 和 PR markdown |
 | 项目配置 | `.ai-saas-guard.json` 支持规则开关、severity 覆盖、suppressions 和 fail threshold |
 | 隐私模型 | 本地优先、只读扫描、不调用 LLM、不上传代码 |
-| 当前版本 | `0.33.0` 优化 README 首屏、增加保存好的终端 demo 输出，并新增 deployed worker staging evidence automation：先验证 safe log samples，再生成 hosted release-gate input |
-| Action 标签 | `v0.33.0`、`v0` |
+| 当前版本 | `0.35.0` 新增 hosted GitHub App limited-trial gate、read-only checkout scan gate、三种使用路径、真实 AI SaaS case-study fixture 和本地扫描资源预算 helper |
+| Action 标签 | `v0.35.0`、`v0` |
 | npm 发布 | GitHub Actions Trusted Publisher/OIDC，无需长期 npm token |
 | 仓库可信度加固 | 严格 branch protection、Dependabot、CodeQL、fast-check fuzzing、signed release provenance assets、private vulnerability reporting、secret scanning 和 push protection |
 | Cloudflare hosted ingress | 已部署到 `https://ai-saas-guard-hosted.zr9959.workers.dev`；签名 GitHub App webhook delivery 和 compact Check Run staging smoke 已通过 |
@@ -375,10 +383,14 @@ GitHub Marketplace wrapper 决策见 [docs/github-marketplace-wrapper-decision.m
 - GitHub App deployment planner：`ai-saas-guard/hosted/github-app` 导出 `planHostedGitHubAppDeployment`，生成 first slice 最小权限 manifest，并在 release gate、公开 HTTPS URL、container digest、secret 引用、原始 secret 输入、permission 或 event 不安全时阻止创建
 - Hosted production adapter layer：`ai-saas-guard/hosted/production-adapters` 导出 `createHostedGitHubAppJwt`、`planHostedGitHubInstallationTokenRequest` 和 `planHostedProductionWorkerExecution`，用于 GitHub App RS256 JWT、selected-repository installation token 请求规划、worker/check-run 分离 token scope、固定只读 worker 命令、timeout/output 预算、compact JSON-only 输出，以及 success/failure/timeout/cancellation 的 cleanup 规划；它本身仍然不部署公开 hosted 服务
 - Hosted Node/container app skeleton：`ai-saas-guard/hosted/app` 导出 `createHostedHttpApp`、`createInMemoryHostedAppPlatform`、`createHostedNodeCheckoutAppPlatform` 和 `planHostedNodeContainerDeployment`，提供安全 `/healthz`、签名 `/github/webhook` ingress、单 job worker tick、测试用 in-memory provider adapters、真实 read-only checkout worker 组合入口、可见 timeout/output 安全预算，以及 secret manager、queue、compact report store、worker sandbox、GitHub Checks publisher 的部署引用校验；它本身仍然不部署或暴露公开 hosted 服务
+- Read-only checkout scan gate：`ai-saas-guard/hosted/worker` 导出 `evaluateHostedReadOnlyCheckoutScanGate`，要求真实 worker 路径证明 trusted git stages、CLI scan、compact report storage、Check Run publication、checkout cleanup、CLI 前 token removal 以及 timeout/output budgets 都满足后，才能进入 hosted trial
 - Hosted staging deployment planner：`ai-saas-guard/hosted/staging` 导出 `planHostedProviderBinding`、`planHostedStagingDeployment` 和 `planHostedGitHubAppPromotion`，把真实 provider 引用、Node/container deployment plan、hosted operational release-gate evidence 和 GitHub App deployment planning 组合起来；缺少 queue、store、worker sandbox、Check Run publisher、logs、metrics、rollback 或 incident-response 引用时，会阻止 staging exposure 和 production promotion；它本身仍然不会调用云平台、创建 GitHub App 或暴露公开 hosted 服务
 - Hosted staging harness：`ai-saas-guard/hosted/staging-harness` 导出 `createFileBackedHostedStagingHarness`、`createHostedStagingHarnessEvidence`、`createHostedStagingReleaseEvidenceBundle`、`evaluateHostedStagingReleaseEvidenceBundle` 和 `validateHostedLogBoundary`，可以在本地用 file-backed queue、compact report、Check Run request 和 worker sandbox 跑通签名 webhook replay、worker tick 和 cleanup 校验，把 success/failure cleanup probes 与 log-boundary samples 转成 release-gate evidence，并直接执行 hosted release gate 判断；它只是 staging 演练工具，不会调用云平台、创建 GitHub App、写真实 Check Run 或暴露公开 hosted 服务
 - Deployed worker staging evidence：`ai-saas-guard/hosted/deployed-staging` 导出 `createHostedDeployedWorkerStagingEvidenceAutomation`、`createHostedDeployedWorkerStagingEvidenceBundle` 和 `evaluateHostedDeployedWorkerStagingReleaseGate`，先验证 safe log samples，再把 public HTTPS health、signed webhook replay、deployed worker cleanup 以及外部 CI/scan/rollback evidence 转成 hosted release gate evidence；它不会部署云资源，也不会宣称 production hosted exposure
 - Cloudflare hosted ingress：`hosted/cloudflare-worker` 已部署到 `https://ai-saas-guard-hosted.zr9959.workers.dev`，提供 `/healthz`、`/github/app/manifest-callback` 和签名 `/github/webhook` intake；Worker 已具备 compact pull request identity、file/category risk signal 和 Check Run metadata 路径；staging GitHub App ID 为 `3834787`，installation ID 为 `135085075`；真实 GitHub App webhook delivery 和 Check Run smoke 已通过；完整 source checkout worker deployment、monitoring、rollback 和 incident-response evidence 仍需要通过 hosted operational release gate
+- Hosted GitHub App limited trial gate：`ai-saas-guard/hosted/contracts` 导出 `createHostedGitHubAppTrialGate`，确保 trial 只作用于 selected repositories，并要求 Check Run publication、compact report、worker cleanup 和 safe log-boundary evidence；它不宣称完整 hosted SaaS 已可用
+- Case-study fixture：`examples/case-study-ai-saas` 和 [case-study-ai-saas.md](case-study-ai-saas.md) 展示一个更接近真实 AI SaaS 的 auth、billing、Supabase、Next/Vercel 和 GitHub Actions 风险组合
+- Resource budget：`createLocalScanResourceBudget` 暴露大仓库本地扫描的保守预算：文件数、单文件字节、总字节、忽略 build/dependency 目录、不上传代码、不调用 LLM
 - webhook event parser
 - check-run summary renderer
 - Check Run publication planner：要求 repository `checks: write`，只从 compact report 生成有长度上限的 Check Run payload，包含 review categories、优先 review 文件、verification steps 和本地 CLI 复现命令；MVP 不发 PR comment

package/docs/case-study-ai-saas.md

@@ -0,0 +1,21 @@
+# AI SaaS Case Study Fixture
+
+`examples/case-study-ai-saas` is a synthetic case study for a realistic AI-built SaaS shape: auth-adjacent API routes, billing checkout, Stripe webhook, Supabase RLS, Next/Vercel config, and GitHub Actions.
+
+The fixture is intentionally not safe to launch. It helps readers see why a local-first launch gate is useful even when an app appears to have the expected product surfaces.
+
+Expected findings include:
+
+- missing Stripe webhook signature verification
+- silent-success billing fallback
+- broad Supabase RLS policy
+- missing Next/Vercel security headers
+- broad GitHub Actions permissions
+
+Use it locally:
+
+```bash
+npx ai-saas-guard@latest scan --root examples/case-study-ai-saas --summary
+```
+
+This fixture is public-safe and synthetic. It is not a SaaS starter template, pentest target, certification artifact, or full audit.

package/docs/cold-start-review.md

@@ -0,0 +1,22 @@
+# 30-Second GitHub Cold-Start Review
+
+Use this checklist when reading the repository as a first-time visitor.
+
+## First Screen
+
+- Does the first screen explain the painful problem before listing features?
+- Does it say AI-built SaaS can look ready while auth, billing, data, deploy, and CI risks stay hidden?
+- Is the no-signup demo command visible without scrolling far?
+- Are the local-first boundaries visible: no code upload and no LLM call?
+
+## First Command
+
+- Can the visitor run `npx ai-saas-guard@latest demo --summary` without cloning a repository?
+- Does the output show risky versus safe SaaS surfaces in under a minute?
+- Does it point to manual proof instead of implying certification?
+
+## First Decision
+
+- Can the visitor tell when to use this beside Semgrep, CodeQL, zizmor, Scorecard, Snyk, and GitHub code scanning?
+- Can the visitor tell this is a launch review queue, not a pentest, full audit, or certification?
+- Can the visitor tell whether they should run `scan`, `pr-risk`, or the GitHub Action next?

package/docs/demo-terminal-output.txt

@@ -1,8 +1,14 @@
 ai-saas-guard demo --summary
 
+AI-built SaaS can look ready while launch risks stay hidden.
+
 Risky demo: 19 findings
 Launch gate: blocked
 
+What this proves:
+- The same SaaS surfaces can look finished while auth, billing, data, deploy, and CI risks still need review.
+- The safe demo keeps the same SaaS surfaces but removes the intentional launch-risk patterns.
+
 Top risks:
 - CRITICAL stripe.webhook.missing-signature at app/api/stripe/webhook/route.ts:1
 - CRITICAL supabase.rls.broad-policy at supabase/migrations/001_accounts.sql:10

package/docs/demo-terminal-screenshot.svg

@@ -0,0 +1,20 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="960" height="560" viewBox="0 0 960 560" role="img" aria-labelledby="title desc">
+  <title id="title">ai-saas-guard demo terminal screenshot</title>
+  <desc id="desc">Terminal-style screenshot showing risky and safe demo summaries.</desc>
+  <rect width="960" height="560" fill="#0b1020"/>
+  <rect x="32" y="32" width="896" height="496" rx="8" fill="#111827" stroke="#334155"/>
+  <circle cx="62" cy="58" r="7" fill="#ef4444"/>
+  <circle cx="86" cy="58" r="7" fill="#f59e0b"/>
+  <circle cx="110" cy="58" r="7" fill="#22c55e"/>
+  <text x="48" y="104" fill="#e5e7eb" font-family="Menlo, Consolas, monospace" font-size="22">npx ai-saas-guard@latest demo --summary</text>
+  <text x="48" y="152" fill="#93c5fd" font-family="Menlo, Consolas, monospace" font-size="20">ai-saas-guard demo summary</text>
+  <text x="48" y="190" fill="#e5e7eb" font-family="Menlo, Consolas, monospace" font-size="18">AI-built SaaS can look ready while launch risks stay hidden.</text>
+  <text x="48" y="232" fill="#fca5a5" font-family="Menlo, Consolas, monospace" font-size="20">Risky demo: 19 findings: 2 critical, 6 high, 7 medium, 3 low, 1 info</text>
+  <text x="48" y="270" fill="#86efac" font-family="Menlo, Consolas, monospace" font-size="20">Safe demo: 0 findings</text>
+  <text x="48" y="320" fill="#fde68a" font-family="Menlo, Consolas, monospace" font-size="18">What this proves:</text>
+  <text x="72" y="356" fill="#e5e7eb" font-family="Menlo, Consolas, monospace" font-size="17">- same SaaS surfaces, different launch-risk patterns</text>
+  <text x="72" y="388" fill="#e5e7eb" font-family="Menlo, Consolas, monospace" font-size="17">- review auth, billing, data, deploy, CI before real users</text>
+  <text x="48" y="438" fill="#fde68a" font-family="Menlo, Consolas, monospace" font-size="18">Top risks:</text>
+  <text x="72" y="474" fill="#e5e7eb" font-family="Menlo, Consolas, monospace" font-size="16">- CRITICAL stripe.webhook.missing-signature</text>
+  <text x="72" y="504" fill="#e5e7eb" font-family="Menlo, Consolas, monospace" font-size="16">- CRITICAL supabase.rls.broad-policy</text>
+</svg>

package/docs/hosted-preimplementation-contracts.md

@@ -91,6 +91,19 @@ Privacy boundaries:
 
 - do not return temporary checkout paths, raw source, raw diffs, evidence snippets, secrets, customer payloads, PR-authored commands, PR-authored repository names, or installation tokens
 - do not persist source checkout contents beyond the worker run
+
+The read-only checkout scan gate turns a real worker observation into a small release/trial decision. The exported helper is `evaluateHostedReadOnlyCheckoutScanGate`.
+
+It requires:
+
+- trusted git setup, fetch, checkout, and CLI scan stages
+- compact report storage
+- bounded Check Run publication
+- checkout cleanup
+- installation token removal before the CLI phase
+- timeout and output budgets within the hosted worker limits
+
+It returns only compact counts, observed stages, blocked reasons, and privacy flags. It does not return raw source, raw diffs, checkout paths, or installation tokens.
 - rely on the deployment sandbox for network egress restrictions around the CLI phase; the runner itself removes GitHub credentials before invoking the CLI
 
 The exported helper is `createHostedReadOnlyCheckoutScanRunner`.
@@ -266,6 +279,21 @@ Privacy boundaries:
 
 The exported helper is `planHostedCheckRunPublication`. It is intended to be the GitHub-API-independent contract for the first real Check Run writer. PR comments remain an explicit later workflow or paid hosted feature, not part of this MVP contract.
 
+## Hosted GitHub App Limited Trial Gate
+
+The limited trial gate decides whether the hosted GitHub App can be tried on a small selected-repository set. The exported helper is `createHostedGitHubAppTrialGate`.
+
+It requires:
+
+- trial repositories are a subset of selected GitHub App repositories
+- the trial repository count stays under the configured cap
+- compact Check Runs were published
+- compact reports were stored
+- worker cleanup was verified
+- safe log-boundary samples were accepted
+
+It does not install a GitHub App, call GitHub, run workers, or claim the complete hosted SaaS is ready. It is a deterministic gate for small controlled trials.
+
 ## Queue Cleanup Planner
 
 The queue cleanup planner turns repository removal, installation deletion, and repeated cleanup events into a safe cancellation plan for hosted scan jobs. It is a pure planner only: it does not connect to a queue provider, mutate jobs, delete worker files, call GitHub, or retry work.

package/docs/launch-gate-positioning.md

@@ -4,6 +4,10 @@
 
 The narrow bet is simple: a founder or reviewer should know which launch-risk files to inspect first, what manual proof to run, and what fix direction to try before traffic reaches real users.
 
+## What This Adds In One Line
+
+`ai-saas-guard` turns AI-built SaaS launch risks into a short local review queue; it is not intended to substitute for broad SAST, dependency scanning, workflow security analysis, or repository scorecards.
+
 ## Where It Fits
 
 | Tool category | Typical strength | How ai-saas-guard fits beside it |

package/docs/npm-publishing.md

@@ -5,11 +5,11 @@
 ## Current State
 
 - Package name: `ai-saas-guard`
-- Current published version: `0.33.0`
+- Current published version: `0.35.0`
 - Next source candidate: none
 - npm registry state: published at <https://www.npmjs.com/package/ai-saas-guard>
 - First npm-published version: `0.1.1`
-- GitHub Release: `v0.33.0`
+- GitHub Release: `v0.35.0`
 - Publish workflow: `.github/workflows/npm-publish.yml`
 - Trusted Publisher: GitHub Actions, `zr9959/ai-saas-guard`, workflow `npm-publish.yml`, allowed action `npm publish`
 - Long-lived npm publish token: not required
@@ -18,7 +18,7 @@
 
 Use GitHub Actions with npm Trusted Publisher/OIDC:
 
-1. Create and review a release tag such as `v0.33.0`.
+1. Create and review a release tag such as `v0.35.0`.
 2. Publish from the GitHub Release or run the `Publish npm` workflow manually with `ref` set to that tag.
 3. Keep `permissions.id-token: write` in the workflow so npm can exchange the GitHub Actions OIDC identity for a short-lived publish credential.
 4. Run `npm publish --access public` from the workflow. Trusted publishing automatically generates provenance for this public package from this public repository.

package/examples/case-study-ai-saas/.github/workflows/ci.yml

@@ -0,0 +1,19 @@
+name: ci
+
+on:
+  pull_request:
+  push:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 24
+      - run: npm test

package/examples/case-study-ai-saas/README.md

@@ -0,0 +1,13 @@
+# Case Study AI SaaS Fixture
+
+This synthetic fixture looks like a small AI-built SaaS with auth, billing, Supabase, Vercel/Next.js deploy config, and GitHub Actions.
+
+It is intentionally risky:
+
+- billing checkout swallows provider failure and returns fake success
+- Stripe webhook does not verify signatures
+- Supabase RLS policy is broad
+- Next.js config lacks production security headers
+- GitHub Actions grants broad permissions
+
+It is not a complete SaaS template and does not contain real secrets.

package/examples/case-study-ai-saas/app/api/billing/checkout/route.ts

@@ -0,0 +1,11 @@
+export async function POST() {
+  try {
+    return Response.json({ checkoutUrl: await createCheckoutSession() });
+  } catch {
+    return Response.json({ success: true, checkoutUrl: "/billing/demo-success" });
+  }
+}
+
+async function createCheckoutSession() {
+  throw new Error("provider unavailable");
+}

package/examples/case-study-ai-saas/app/api/projects/[projectId]/route.ts

@@ -0,0 +1,8 @@
+export async function GET(_request: Request, context: { params: { projectId: string } }) {
+  return Response.json({
+    project: {
+      id: context.params.projectId,
+      tenantId: "demo-tenant"
+    }
+  });
+}

package/examples/case-study-ai-saas/app/api/stripe/webhook/route.ts

@@ -0,0 +1,13 @@
+export async function POST(request: Request) {
+  const event = await request.json();
+
+  if (event.type === "checkout.session.completed") {
+    await grantEntitlement(event.data.object.customer);
+  }
+
+  return Response.json({ received: true });
+}
+
+async function grantEntitlement(customerId: string) {
+  console.log("grant", customerId);
+}

package/examples/case-study-ai-saas/next.config.js

@@ -0,0 +1,10 @@
+module.exports = {
+  images: {
+    remotePatterns: [
+      {
+        protocol: "https",
+        hostname: "**"
+      }
+    ]
+  }
+};

package/examples/case-study-ai-saas/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "case-study-ai-saas",
+  "private": true,
+  "scripts": {
+    "build": "next build",
+    "test": "node --test"
+  },
+  "dependencies": {
+    "next": "15.0.0",
+    "stripe": "17.0.0"
+  }
+}

package/examples/case-study-ai-saas/supabase/migrations/001_projects.sql

@@ -0,0 +1,12 @@
+create table public.projects (
+  id uuid primary key,
+  tenant_id uuid not null,
+  name text not null
+);
+
+alter table public.projects enable row level security;
+
+create policy "ai generated broad select"
+on public.projects
+for select
+using (true);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-saas-guard",
-  "version": "0.33.0",
+  "version": "0.35.0",
   "description": "Local-first CLI that catches launch blockers in AI-built Next.js/Supabase/Stripe SaaS apps.",
   "readmeFilename": "README.md",
   "type": "module",