ai-saas-guard 0.40.0 → 0.42.0

package/README.md

@@ -235,13 +235,13 @@ The CLI is published on npm as `ai-saas-guard`, and the GitHub Action is availab
 | Area | Status |
 | --- | --- |
 | Public GitHub repository | Available |
-| npm CLI | `ai-saas-guard@0.40.0` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.40.0` |
+| npm CLI | `ai-saas-guard@0.42.0` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.42.0` |
 | Outputs | Launch decision queue, short summary, terminal, JSON, SARIF, and PR-focused markdown |
 | Project config | `.ai-saas-guard.json` rule toggles, severity overrides, suppressions, and fail thresholds |
 | Privacy model | Local-first, read-only scan commands, no LLM calls, no code upload |
-| Versioned Action tags | `v0.40.0`, `v0` |
-| Current release | `0.40.0` groups hosted Check Run output by launch-risk area, adds machine-readable hosted smoke evidence, clarifies CLI/Action/Hosted path selection, and documents the next source-checkout boundary |
+| Versioned Action tags | `v0.42.0`, `v0` |
+| Current release | `0.42.0` adds a single Phase 3 source-checkout trial gate that combines plan, stage evidence, scan proof, live smoke, rollback, monitoring, and incident-owner checks before hosted beta |
 | npm publishing | Trusted Publisher/OIDC, no long-lived publish token |
 | Repository trust hardening | Strict branch protection, Dependabot, CodeQL, fast-check fuzzing, signed release provenance assets, private vulnerability reporting, secret scanning, and push protection |
 | Cloudflare hosted ingress | Deployed at `https://ai-saas-guard-hosted.zr9959.workers.dev`; public install/privacy notes are in [docs/hosted-install-privacy.md](docs/hosted-install-privacy.md); signed GitHub App webhook delivery and compact Check Run smoke now pass in staging |
@@ -367,7 +367,7 @@ Deployed worker staging evidence is documented in [docs/hosted-deployed-worker-s
 
 The first live hosted ingress is deployed on Cloudflare Workers at `https://ai-saas-guard-hosted.zr9959.workers.dev` and documented in [hosted/cloudflare-worker/README.md](hosted/cloudflare-worker/README.md). It exposes `/healthz`, `/github/app/install-info`, `/github/app/manifest-callback`, and signed `/github/webhook` intake backed by Cloudflare KV. A private staging GitHub App, `ai-saas-guard-hosted`, is installed on `zr9959/ai-saas-guard` with selected-repository access and the first-slice permission contract. The Worker verifies signatures, stores compact pull request identity records, exchanges a scoped installation token, fetches PR file metadata from GitHub, classifies PR-risk hotspots, and publishes a bounded selected-repository hosted check with a review queue and manual proof prompt. Signed installation deletion and repository removal events delete matching compact records. Current deployed evidence is tracked in [docs/hosted-operations-evidence.md](docs/hosted-operations-evidence.md): health, signed webhook delivery, compact KV records, cleanup, and Check Run publication pass in staging. The Cloudflare Worker still does not run a full source checkout scan worker or store raw webhook payloads, PR title/body text, raw diffs, source, secrets, checkout paths, or installation tokens.
 
-The next hosted source-checkout step is intentionally narrow: deploy the existing read-only checkout worker behind the same selected-repository identity, keep the fixed `pr-risk --json` command, write only compact findings to the Check Run, and require deployed cleanup/log-boundary/rollback evidence before broader trial use.
+The next hosted source-checkout step is intentionally narrow: deploy the existing read-only checkout worker behind the same selected-repository identity, keep the fixed `pr-risk --json` command, write only compact findings to the Check Run, and require deployed cleanup/log-boundary/rollback evidence before broader trial use. The hosted worker export includes `createHostedSourceCheckoutTrialPlan`, `createHostedSourceCheckoutEvidence`, and `evaluateHostedSourceCheckoutTrialGate` so Phase 3 has one machine-checkable gate for checkout start/end, token removal, CLI start/end, compact report write, Check Run write, cleanup status, live smoke, rollback, monitoring, and incident-owner proof before Phase 4 beta.
 
 Hosted install and privacy details are summarized in [docs/hosted-install-privacy.md](docs/hosted-install-privacy.md): selected-repository permissions, supported events, Check Run data boundaries, uninstall cleanup, and why the local CLI remains the private/offline path.
 
@@ -423,7 +423,7 @@ Use `suppressions` for narrower false-positive handling when one rule is noisy o
 
 ## GitHub Action
 
-The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.40.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
+The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.42.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
 
 ```yaml
 name: ai-saas-guard

package/dist/hosted/contracts.js

@@ -487,7 +487,7 @@ export function createHostedCheckRunSummary(input) {
             title: formatCheckRunTitle(totalFindings, conclusion, input.failOnSeverity),
             summary: [
                 `Launch-risk gate: ${launchGate}. Launch gate: ${launchGate}.`,
-                "Review task: inspect the files below before merge.",
+                "Review task: inspect risk areas and files before merge.",
                 "Manual proof: prove changed auth, billing, data, deploy, or tests fail closed.",
                 "Boundary: selected repository only; not an AI reviewer, pentest, full audit, or certification."
             ].join(" "),
@@ -1154,7 +1154,7 @@ function formatCheckRunMarkdown(report, conclusion, localCliCommand, launchGate)
     return [
         "### AI SaaS Guard Launch-risk gate",
         "",
-        "Review task: inspect the files below before merge.",
+        "Review task: inspect risk areas and files before merge.",
         "Manual proof: prove changed auth, billing, data, deploy, or tests fail closed.",
         "Boundary: selected repository only; not an AI reviewer, pentest, full audit, or certification.",
         "",

package/dist/hosted/worker.d.ts

@@ -27,6 +27,73 @@ export interface HostedReadOnlyCheckoutScanRunnerOptions {
     installationTokenProvider: HostedInstallationTokenProvider;
     commandRunner?: HostedReadOnlyCheckoutCommandRunner;
 }
+export interface HostedSourceCheckoutTrialPlanInput {
+    requestedAt: string;
+    repositoryFullName: string;
+    selectedRepositoryOnly: boolean;
+    permissions: {
+        contents: "read" | "write" | "none";
+        checks: "write" | "read" | "none";
+    };
+    command: string[];
+    storesRawSource: boolean;
+    storesRawDiffs: boolean;
+    storesInstallationToken: boolean;
+    exposesPublicScanner: boolean;
+}
+export interface HostedSourceCheckoutTrialPlan {
+    readyForTrial: boolean;
+    blockedReasons: Array<"repository_not_selected" | "contents_read_required" | "checks_write_required" | "fixed_pr_risk_json_command_required" | "raw_source_storage_blocked" | "raw_diff_storage_blocked" | "installation_token_storage_blocked" | "public_scanner_claim_blocked">;
+    requestedAt: string;
+    repositoryFullName: string;
+    permissions: {
+        contents: "read";
+        checks: "write";
+    };
+    fixedCommand: ["ai-saas-guard", "pr-risk", "--root", "<worker-checkout>", "--base", "<trusted-base-sha>", "--json"];
+    stages: Array<{
+        id: "checkout_start" | "token_remove" | "cli_start" | "cli_end" | "compact_report_write" | "check_run_write" | "cleanup_end";
+        evidence: string;
+    }>;
+    privacy: {
+        storesRawSource: false;
+        storesRawDiffs: false;
+        storesInstallationToken: false;
+        exposesPublicScanner: false;
+    };
+}
+export interface HostedSourceCheckoutEvidenceInput {
+    requestedAt: string;
+    jobKey: string;
+    stages: Array<{
+        id: HostedSourceCheckoutTrialPlan["stages"][number]["id"];
+        ok: boolean;
+        at: string;
+    }>;
+    summaryCounts: Record<string, number>;
+    compactFindingCount: number;
+    cleanupStatus: "deleted" | "failed" | "unknown";
+    rawSource?: string;
+    rawDiff?: string;
+    checkoutPath?: string;
+    installationToken?: string;
+}
+export interface HostedSourceCheckoutEvidence {
+    readyForReleaseGate: boolean;
+    blockedReasons: Array<"missing_checkout_start" | "missing_token_remove" | "missing_cli_start" | "missing_cli_end" | "missing_compact_report_write" | "missing_check_run_write" | "missing_cleanup_end" | "cleanup_not_deleted">;
+    requestedAt: string;
+    jobKey: string;
+    stageResults: HostedSourceCheckoutEvidenceInput["stages"];
+    summaryCounts: Record<string, number>;
+    compactFindingCount: number;
+    cleanupStatus: "deleted" | "failed" | "unknown";
+    privacy: {
+        includesRawSource: false;
+        includesRawDiffs: false;
+        includesPrivateCheckoutPath: false;
+        includesInstallationToken: false;
+    };
+}
 export interface HostedReadOnlyCheckoutScanGateInput {
     requestedAt: string;
     jobKey: string;
@@ -60,6 +127,41 @@ export interface HostedReadOnlyCheckoutScanGate {
         claimsCompleteHostedSaas: false;
     };
 }
+export interface HostedSourceCheckoutTrialGateInput extends HostedSourceCheckoutTrialPlanInput, Omit<HostedSourceCheckoutEvidenceInput, "requestedAt" | "rawSource" | "rawDiff" | "checkoutPath" | "installationToken">, Omit<HostedReadOnlyCheckoutScanGateInput, "requestedAt" | "jobKey" | "summaryCounts" | "compactFindingCount" | "rawSource" | "rawDiff" | "checkoutPath" | "installationToken"> {
+    liveSmokePassed: boolean;
+    rollbackTested: boolean;
+    monitoringEvidence: boolean;
+    incidentOwnerRecorded: boolean;
+    rawSource?: string;
+    rawDiff?: string;
+    checkoutPath?: string;
+    installationToken?: string;
+}
+export interface HostedSourceCheckoutTrialGate {
+    phase: "phase_3_hosted_source_checkout_trial";
+    readyForPhase4Beta: boolean;
+    blockedReasons: string[];
+    requestedAt: string;
+    repositoryFullName: string;
+    jobKey: string;
+    plan: HostedSourceCheckoutTrialPlan;
+    evidence: HostedSourceCheckoutEvidence;
+    scanGate: HostedReadOnlyCheckoutScanGate;
+    operatorProof: {
+        liveSmokePassed: boolean;
+        rollbackTested: boolean;
+        monitoringEvidence: boolean;
+        incidentOwnerRecorded: boolean;
+    };
+    nextAction: string;
+    privacy: {
+        includesRawSource: false;
+        includesRawDiffs: false;
+        includesPrivateCheckoutPath: false;
+        includesInstallationToken: false;
+        claimsPublicHostedScanner: false;
+    };
+}
 export type HostedReadOnlyCheckoutScanSafeReason = "invalid_worker_plan" | "invalid_repository_full_name" | "invalid_clone_base_url" | "missing_installation_token" | "git_init_failed" | "git_remote_add_failed" | "git_fetch_head_failed" | "git_fetch_base_failed" | "git_checkout_failed" | "cli_scan_failed" | "invalid_cli_output" | "cleanup_failed";
 export declare class HostedReadOnlyCheckoutScanError extends Error {
     readonly safeReason: HostedReadOnlyCheckoutScanSafeReason;
@@ -74,5 +176,8 @@ export declare class HostedReadOnlyCheckoutScanError extends Error {
     constructor(safeReason: HostedReadOnlyCheckoutScanSafeReason);
 }
 export declare function createHostedReadOnlyCheckoutScanRunner(options: HostedReadOnlyCheckoutScanRunnerOptions): HostedServiceScanRunner;
+export declare function createHostedSourceCheckoutTrialPlan(input: HostedSourceCheckoutTrialPlanInput): HostedSourceCheckoutTrialPlan;
+export declare function createHostedSourceCheckoutEvidence(input: HostedSourceCheckoutEvidenceInput): HostedSourceCheckoutEvidence;
 export declare function evaluateHostedReadOnlyCheckoutScanGate(input: HostedReadOnlyCheckoutScanGateInput): HostedReadOnlyCheckoutScanGate;
+export declare function evaluateHostedSourceCheckoutTrialGate(input: HostedSourceCheckoutTrialGateInput): HostedSourceCheckoutTrialGate;
 export declare function runHostedReadOnlyCheckoutScan(input: HostedServiceScanRunnerInput, options: HostedReadOnlyCheckoutScanRunnerOptions): Promise<HostedServiceScanRunnerResult>;

package/dist/hosted/worker.js

@@ -28,6 +28,105 @@ export class HostedReadOnlyCheckoutScanError extends Error {
 export function createHostedReadOnlyCheckoutScanRunner(options) {
     return (input) => runHostedReadOnlyCheckoutScan(input, options);
 }
+export function createHostedSourceCheckoutTrialPlan(input) {
+    const blockedReasons = [];
+    const expectedCommand = [
+        "ai-saas-guard",
+        "pr-risk",
+        "--root",
+        "<worker-checkout>",
+        "--base",
+        "<trusted-base-sha>",
+        "--json"
+    ];
+    if (!input.selectedRepositoryOnly)
+        blockedReasons.push("repository_not_selected");
+    if (input.permissions.contents !== "read")
+        blockedReasons.push("contents_read_required");
+    if (input.permissions.checks !== "write")
+        blockedReasons.push("checks_write_required");
+    if (!arraysEqual(input.command, expectedCommand)) {
+        blockedReasons.push("fixed_pr_risk_json_command_required");
+    }
+    if (input.storesRawSource)
+        blockedReasons.push("raw_source_storage_blocked");
+    if (input.storesRawDiffs)
+        blockedReasons.push("raw_diff_storage_blocked");
+    if (input.storesInstallationToken)
+        blockedReasons.push("installation_token_storage_blocked");
+    if (input.exposesPublicScanner)
+        blockedReasons.push("public_scanner_claim_blocked");
+    return {
+        readyForTrial: blockedReasons.length === 0,
+        blockedReasons,
+        requestedAt: input.requestedAt,
+        repositoryFullName: input.repositoryFullName,
+        permissions: {
+            contents: "read",
+            checks: "write"
+        },
+        fixedCommand: [
+            "ai-saas-guard",
+            "pr-risk",
+            "--root",
+            "<worker-checkout>",
+            "--base",
+            "<trusted-base-sha>",
+            "--json"
+        ],
+        stages: [
+            { id: "checkout_start", evidence: "trusted selected-repository identity and contents:read token requested" },
+            { id: "token_remove", evidence: "temporary askpass and token material removed before CLI starts" },
+            { id: "cli_start", evidence: "fixed pr-risk --json command starts in temporary worker checkout" },
+            { id: "cli_end", evidence: "CLI exits with bounded output and compact JSON only" },
+            { id: "compact_report_write", evidence: "compact findings stored without source, diff, secrets, or checkout paths" },
+            { id: "check_run_write", evidence: "bounded Check Run written from compact findings only" },
+            { id: "cleanup_end", evidence: "worker checkout, generated artifacts, and credential material deleted" }
+        ],
+        privacy: {
+            storesRawSource: false,
+            storesRawDiffs: false,
+            storesInstallationToken: false,
+            exposesPublicScanner: false
+        }
+    };
+}
+export function createHostedSourceCheckoutEvidence(input) {
+    const requiredStages = [
+        "checkout_start",
+        "token_remove",
+        "cli_start",
+        "cli_end",
+        "compact_report_write",
+        "check_run_write",
+        "cleanup_end"
+    ];
+    const observed = new Map(input.stages.map((stage) => [stage.id, stage]));
+    const blockedReasons = [];
+    for (const stage of requiredStages) {
+        if (observed.get(stage)?.ok !== true) {
+            blockedReasons.push(`missing_${stage}`);
+        }
+    }
+    if (input.cleanupStatus !== "deleted")
+        blockedReasons.push("cleanup_not_deleted");
+    return {
+        readyForReleaseGate: blockedReasons.length === 0,
+        blockedReasons,
+        requestedAt: input.requestedAt,
+        jobKey: input.jobKey,
+        stageResults: input.stages.map((stage) => ({ ...stage })),
+        summaryCounts: { ...input.summaryCounts },
+        compactFindingCount: input.compactFindingCount,
+        cleanupStatus: input.cleanupStatus,
+        privacy: {
+            includesRawSource: false,
+            includesRawDiffs: false,
+            includesPrivateCheckoutPath: false,
+            includesInstallationToken: false
+        }
+    };
+}
 export function evaluateHostedReadOnlyCheckoutScanGate(input) {
     const requiredStages = [
         "git_init",
@@ -74,6 +173,72 @@ export function evaluateHostedReadOnlyCheckoutScanGate(input) {
         }
     };
 }
+export function evaluateHostedSourceCheckoutTrialGate(input) {
+    const plan = createHostedSourceCheckoutTrialPlan(input);
+    const evidence = createHostedSourceCheckoutEvidence({
+        requestedAt: input.requestedAt,
+        jobKey: input.jobKey,
+        stages: input.stages,
+        summaryCounts: input.summaryCounts,
+        compactFindingCount: input.compactFindingCount,
+        cleanupStatus: input.cleanupStatus,
+        rawSource: input.rawSource,
+        rawDiff: input.rawDiff,
+        checkoutPath: input.checkoutPath,
+        installationToken: input.installationToken
+    });
+    const scanGate = evaluateHostedReadOnlyCheckoutScanGate({
+        requestedAt: input.requestedAt,
+        jobKey: input.jobKey,
+        commandStages: input.commandStages,
+        summaryCounts: input.summaryCounts,
+        compactFindingCount: input.compactFindingCount,
+        compactReportStored: input.compactReportStored,
+        checkRunPublished: input.checkRunPublished,
+        checkoutDeleted: input.checkoutDeleted,
+        tokenRemovedBeforeCli: input.tokenRemovedBeforeCli,
+        maxOutputBytes: input.maxOutputBytes,
+        timeoutMs: input.timeoutMs,
+        rawSource: input.rawSource,
+        rawDiff: input.rawDiff,
+        checkoutPath: input.checkoutPath,
+        installationToken: input.installationToken
+    });
+    const operatorBlockedReasons = operatorProofBlockedReasons(input);
+    const blockedReasons = [
+        ...plan.blockedReasons,
+        ...evidence.blockedReasons,
+        ...scanGate.blockedReasons,
+        ...operatorBlockedReasons
+    ];
+    return {
+        phase: "phase_3_hosted_source_checkout_trial",
+        readyForPhase4Beta: blockedReasons.length === 0,
+        blockedReasons,
+        requestedAt: input.requestedAt,
+        repositoryFullName: input.repositoryFullName,
+        jobKey: input.jobKey,
+        plan,
+        evidence,
+        scanGate,
+        operatorProof: {
+            liveSmokePassed: input.liveSmokePassed,
+            rollbackTested: input.rollbackTested,
+            monitoringEvidence: input.monitoringEvidence,
+            incidentOwnerRecorded: input.incidentOwnerRecorded
+        },
+        nextAction: blockedReasons.length === 0
+            ? "Phase 3 is closed for the selected-repository trial. Continue to Phase 4 beta only with the same privacy boundary."
+            : "Do not open hosted beta. Resolve the blocked reasons and rerun the selected-repository source-checkout trial gate.",
+        privacy: {
+            includesRawSource: false,
+            includesRawDiffs: false,
+            includesPrivateCheckoutPath: false,
+            includesInstallationToken: false,
+            claimsPublicHostedScanner: false
+        }
+    };
+}
 export async function runHostedReadOnlyCheckoutScan(input, options) {
     const { plan } = input;
     const { checkout, cli } = plan;
@@ -240,6 +405,18 @@ function isTrustedFixedReadOnlyPlan(input) {
 function arraysEqual(left, right) {
     return left.length === right.length && left.every((value, index) => value === right[index]);
 }
+function operatorProofBlockedReasons(input) {
+    const reasons = [];
+    if (!input.liveSmokePassed)
+        reasons.push("live_smoke_missing");
+    if (!input.rollbackTested)
+        reasons.push("rollback_test_missing");
+    if (!input.monitoringEvidence)
+        reasons.push("monitoring_evidence_missing");
+    if (!input.incidentOwnerRecorded)
+        reasons.push("incident_owner_missing");
+    return reasons;
+}
 function compactFinding(value) {
     if (!isRecord(value))
         return [];

package/docs/README.zh-CN.md

@@ -213,18 +213,18 @@ node dist/cli.js scan --root /path/to/your-saas
 
 这个仓库是公开 GitHub 仓库。
 
-CLI 已发布到 npm：`ai-saas-guard@0.40.0`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.40.0`。
+CLI 已发布到 npm：`ai-saas-guard@0.42.0`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.42.0`。
 
 | 模块 | 状态 |
 | --- | --- |
 | 公开 GitHub 仓库 | 已可用 |
-| npm CLI | `ai-saas-guard@0.40.0` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.40.0` |
+| npm CLI | `ai-saas-guard@0.42.0` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.42.0` |
 | 输出格式 | 上线决策队列、短 summary、Terminal、JSON、SARIF 和 PR markdown |
 | 项目配置 | `.ai-saas-guard.json` 支持规则开关、severity 覆盖、suppressions 和 fail threshold |
 | 隐私模型 | 本地优先、只读扫描、不调用 LLM、不上传代码 |
-| 当前版本 | `0.40.0` 按上线风险区域分组 hosted Check Run 输出，增加机器可读 hosted smoke evidence，讲清 CLI/Action/Hosted 三条路径选择，并记录下一步 source-checkout 边界 |
-| Action 标签 | `v0.40.0`、`v0` |
+| 当前版本 | `0.42.0` 增加统一的 Phase 3 source-checkout trial gate，把 plan、stage evidence、scan proof、live smoke、rollback、monitoring 和 incident owner proof 合并成进入 hosted beta 前的机器可判定门槛 |
+| Action 标签 | `v0.42.0`、`v0` |
 | npm 发布 | GitHub Actions Trusted Publisher/OIDC，无需长期 npm token |
 | 仓库可信度加固 | 严格 branch protection、Dependabot、CodeQL、fast-check fuzzing、signed release provenance assets、private vulnerability reporting、secret scanning 和 push protection |
 | Cloudflare hosted ingress | 已部署到 `https://ai-saas-guard-hosted.zr9959.workers.dev`；安装和隐私说明见 [hosted-install-privacy.md](hosted-install-privacy.md)；提供 `/github/app/install-info`，签名 GitHub App webhook delivery、compact Check Run 和 installation cleanup staging smoke 已通过 |
@@ -383,7 +383,7 @@ GitHub Marketplace wrapper 决策见 [docs/github-marketplace-wrapper-decision.m
 
 当前仓库已经包含未来 Hosted GitHub App 的设计文档、纯契约测试、第一个真实 Cloudflare hosted ingress，以及 Node/container read-only checkout scan runner。私有 staging GitHub App `ai-saas-guard-hosted` 已安装到 `zr9959/ai-saas-guard`，Cloudflare 已配置所需的云端凭据绑定。Worker 代码已经能接收签名 webhook、写入 KV 队列、换取 scoped installation token、读取 GitHub PR file metadata、做 compact PR-risk classification，并发布有长度上限的 selected-repository Check Run summary；`/github/app/install-info` 会返回公开安全的安装说明、权限、事件、隐私边界和卸载说明。签名 installation deletion 和 repository removal 事件会删除匹配的 compact records。当前端到端 GitHub App webhook delivery smoke 已通过，证据记录在 [docs/hosted-operations-evidence.md](hosted-operations-evidence.md)。Cloudflare ingress 本身仍不是完整 source checkout scan worker。
 
-下一步 hosted source checkout 仍然要保持窄边界：把现有 read-only checkout worker 放到同一个 selected-repository identity 后面，继续固定 `pr-risk --json` 命令，只把 compact findings 写入 Check Run，并在扩大 trial 前要求 deployed cleanup、log-boundary 和 rollback evidence。
+下一步 hosted source checkout 仍然要保持窄边界：把现有 read-only checkout worker 放到同一个 selected-repository identity 后面，继续固定 `pr-risk --json` 命令，只把 compact findings 写入 Check Run，并在扩大 trial 前要求 deployed cleanup、log-boundary 和 rollback evidence。hosted worker export 现在包含 `createHostedSourceCheckoutTrialPlan`、`createHostedSourceCheckoutEvidence` 和 `evaluateHostedSourceCheckoutTrialGate`，用于在进入 Phase 4 beta 前统一检查 checkout start/end、token removal、CLI start/end、compact report write、Check Run write、cleanup status、live smoke、rollback、monitoring 和 incident owner proof。
 
 Hosted 安装、权限和隐私边界见 [hosted-install-privacy.md](hosted-install-privacy.md)：selected-repository 权限、支持的 GitHub 事件、Check Run 数据边界、卸载清理，以及为什么本地 CLI 仍然是私有/离线路径。
 

package/docs/hosted-node-container-app.md

@@ -134,6 +134,6 @@ It does not return:
 
 ## Current Status
 
-The repository can now instantiate a Node/container hosted app skeleton, route signed webhooks into the hosted service runtime, process one worker tick through adapters, compose the real read-only checkout scan runner behind a token-provider boundary, expose clamped worker safety budgets, and validate provider adapter references before deployment.
+The repository can now instantiate a Node/container hosted app skeleton, route signed webhooks into the hosted service runtime, process one worker tick through adapters, compose the real read-only checkout scan runner behind a token-provider boundary, expose clamped worker safety budgets, validate provider adapter references before deployment, and evaluate one Phase 3 source-checkout trial gate through `evaluateHostedSourceCheckoutTrialGate`.
 
-A public hosted environment still requires actual platform infrastructure, a public HTTPS webhook URL, platform secrets, durable queue/storage, worker sandboxing, GitHub Checks API credentials at runtime, monitoring, rollback, incident-response evidence, and the hosted operational release gate. Use [hosted-staging-deployment.md](hosted-staging-deployment.md) to plan and block staging exposure until those provider references and evidence exist.
+A public hosted environment still requires actual platform infrastructure, a public HTTPS webhook URL, platform secrets, durable queue/storage, worker sandboxing, GitHub Checks API credentials at runtime, monitoring, rollback, incident-response evidence, and a passing Phase 3 gate. Use [hosted-staging-deployment.md](hosted-staging-deployment.md) to plan and block staging exposure until those provider references and evidence exist.

package/docs/hosted-operational-release-gate.md

@@ -170,6 +170,28 @@ Required proof:
 - failure cleanup covers clone failure, timeout, CLI failure, malformed JSON output, Check Run write failure, cancellation, and process interruption.
 - cleanup failures create an operator-review event without returning raw source, raw diffs, installation tokens, checkout paths, private URLs, or low-level filesystem errors to users.
 
+### Source Checkout Trial Evidence Contract
+
+The v0.41 source-checkout trial boundary is executable as a pure contract before public exposure. The `ai-saas-guard/hosted/worker` export now includes:
+
+- `createHostedSourceCheckoutTrialPlan`: accepts the proposed selected-repository trial shape and blocks anything wider than `contents: read`, `checks: write`, fixed `ai-saas-guard pr-risk --root <worker-checkout> --base <trusted-base-sha> --json`, no raw source storage, no raw diff storage, no installation-token storage, and no public scanner claim.
+- `createHostedSourceCheckoutEvidence`: records stage-level evidence for `checkout_start`, `token_remove`, `cli_start`, `cli_end`, `compact_report_write`, `check_run_write`, and `cleanup_end`, then blocks release-gate readiness unless every stage passed and cleanup status is `deleted`.
+
+The evidence object must stay compact and privacy-safe. It may contain job key, stage IDs, timestamps, summary counts, compact finding count, cleanup status, and safe blocked reasons. It must not include source, diffs, checkout paths, installation tokens, PR-authored commands, private URLs, or low-level filesystem errors.
+
+### Phase 3 Source Checkout Trial Gate
+
+The v0.42 hosted worker export adds `evaluateHostedSourceCheckoutTrialGate`. This is the single gate for closing Phase 3 and deciding whether the project may move toward Phase 4 hosted beta.
+
+The gate combines:
+
+- source-checkout trial plan checks from `createHostedSourceCheckoutTrialPlan`
+- stage evidence checks from `createHostedSourceCheckoutEvidence`
+- read-only checkout scan checks from `evaluateHostedReadOnlyCheckoutScanGate`
+- operator proof for live smoke, rollback, monitoring evidence, and incident owner recording
+
+It returns `readyForPhase4Beta: true` only when all four layers pass. Otherwise it returns safe blocked reasons and the next action: do not open hosted beta until the missing proof is rerun. The response must remain compact and privacy-safe: no raw source, raw diffs, checkout paths, installation tokens, public hosted scanner claim, private URLs, or PR-authored commands.
+
 ### Log Boundary Evidence
 
 Before exposure, sample ingress, queue, worker, report, and Check Run logs for the release candidate. The sample may contain scan key, installation ID, repository ID, PR number, head SHA, scanner version, duration, summary counts, error class, and cleanup status.

package/docs/hosted-operations-evidence.md

@@ -6,10 +6,18 @@ Passing these checks does not make the project a pentest, certification, or full
 
 ## Current Evidence
 
-Recorded on 2026-05-25 from the deployed Cloudflare Worker plus the earlier temporary no-file-change GitHub PR smoke.
+Recorded on 2026-05-25 from the deployed Cloudflare Worker plus temporary GitHub PR smokes.
 
 | Check | Evidence | Result |
 | --- | --- | --- |
+| Cloudflare Worker health, v0.42.0 | `GET https://ai-saas-guard-hosted.zr9959.workers.dev/healthz` returned `ok: true`, routes including `/github/app/install-info`, `checkRunPublisher: "configured"`, `scannerVersion: "0.42.0"`, and all privacy flags set to false for raw payloads, PR text, source, diffs, secrets, customer payloads, checkout paths, and installation tokens | Passed |
+| Public install guidance, v0.42.0 | `GET https://ai-saas-guard-hosted.zr9959.workers.dev/github/app/install-info` returned the `ai-saas-guard-hosted` install URL, selected-repository boundary wording, first-slice permissions `checks: write`, `contents: read`, `metadata: read`, `pull_requests: read`, subscribed events `pull_request`, `installation`, and `installation_repositories`, uninstall cleanup wording, `scannerVersion: "0.42.0"`, and no private keys, webhook secrets, installation tokens, source, diffs, or customer payloads | Passed |
+| Deployed Worker version, v0.42.0 | `wrangler deploy` uploaded 38.57 KiB / gzip 9.86 KiB and deployed version `6de0811e-11bf-46a6-9b7b-cbecda409695` at `2026-05-25T13:40:11Z` verification time | Passed |
+| Real hosted PR smoke, v0.42.0 | `node scripts/hosted-pr-smoke.mjs --evidence-file /tmp/ai-saas-guard-hosted-smoke-v0.42.json` opened temporary PR `#89`, waited for Check Run `77721238202` on head SHA `66dfffde2ffa1a563ebc45fe7b22468d2f060e22`, received conclusion `success`, closed the PR, restored the original branch, deleted the local branch, and deleted 9 staging KV records with `remainingSmokeKeys: 0`; `gh pr view 89` returned `state: "CLOSED"`, `git ls-remote --heads origin codex/hosted-smoke-20260525134106` returned no remote branch, and `wrangler kv key list --namespace-id fa5344fbd7944de6a776bf8731d58460 --remote` returned `[]` after cleanup | Passed |
+| Cloudflare Worker health, v0.41.0 | `GET https://ai-saas-guard-hosted.zr9959.workers.dev/healthz` returned `ok: true`, routes including `/github/app/install-info`, `checkRunPublisher: "configured"`, `scannerVersion: "0.41.0"`, and all privacy flags set to false for raw payloads, PR text, source, diffs, secrets, customer payloads, checkout paths, and installation tokens | Passed |
+| Public install guidance, v0.41.0 | `GET https://ai-saas-guard-hosted.zr9959.workers.dev/github/app/install-info` returned the `ai-saas-guard-hosted` install URL, selected-repository boundary wording, first-slice permissions `checks: write`, `contents: read`, `metadata: read`, `pull_requests: read`, subscribed events `pull_request`, `installation`, and `installation_repositories`, uninstall cleanup wording, `scannerVersion: "0.41.0"`, and no private keys, webhook secrets, installation tokens, source, diffs, or customer payloads | Passed |
+| Deployed Worker version, v0.41.0 | `wrangler deploy` uploaded 38.57 KiB / gzip 9.86 KiB and deployed version `fb0b4726-ac75-4577-942b-fdeed7752979` at `2026-05-25T13:22:28Z` verification time | Passed |
+| Real hosted PR smoke, v0.41.0 | `node scripts/hosted-pr-smoke.mjs --evidence-file /tmp/ai-saas-guard-hosted-smoke-v0.41.json` opened temporary PR `#87`, waited for Check Run `77718782535` on head SHA `83a341dcba63ad9a30aabdfec1de4f874a3c0b11`, received conclusion `success`, closed the PR, restored the original branch, deleted the local branch, and deleted 9 staging KV records with `remainingSmokeKeys: 0`; `gh pr view 87` returned `state: "CLOSED"`, `git ls-remote --heads origin codex/hosted-smoke-20260525132327` returned no remote branch, and `wrangler kv key list --namespace-id fa5344fbd7944de6a776bf8731d58460 --remote` returned `[]` after cleanup | Passed |
 | Cloudflare Worker health, v0.40.0 | `GET https://ai-saas-guard-hosted.zr9959.workers.dev/healthz` returned `ok: true`, routes including `/github/app/install-info`, `checkRunPublisher: "configured"`, `scannerVersion: "0.40.0"`, and all privacy flags set to false for raw payloads, PR text, source, diffs, secrets, customer payloads, checkout paths, and installation tokens | Passed |
 | Public install guidance, v0.40.0 | `GET https://ai-saas-guard-hosted.zr9959.workers.dev/github/app/install-info` returned the `ai-saas-guard-hosted` install URL, selected-repository boundary wording, first-slice permissions `checks: write`, `contents: read`, `metadata: read`, `pull_requests: read`, subscribed events `pull_request`, `installation`, and `installation_repositories`, uninstall cleanup wording, `scannerVersion: "0.40.0"`, and no private keys, webhook secrets, installation tokens, source, diffs, or customer payloads | Passed |
 | Deployed Worker version, v0.40.0 | `wrangler deploy` uploaded 38.99 KiB / gzip 10.01 KiB and deployed version `47e90d1c-0d7b-455f-b1a4-1ec7ee10d58b` at `2026-05-25T12:47:28Z` verification time | Passed |

package/docs/npm-publishing.md

@@ -5,11 +5,11 @@
 ## Current State
 
 - Package name: `ai-saas-guard`
-- Current published version: `0.40.0`
+- Current published version: `0.42.0`
 - Next source candidate: none
 - npm registry state: published at <https://www.npmjs.com/package/ai-saas-guard>
 - First npm-published version: `0.1.1`
-- GitHub Release: `v0.40.0`
+- GitHub Release: `v0.42.0`
 - Publish workflow: `.github/workflows/npm-publish.yml`
 - Trusted Publisher: GitHub Actions, `zr9959/ai-saas-guard`, workflow `npm-publish.yml`, allowed action `npm publish`
 - Long-lived npm publish token: not required
@@ -18,7 +18,7 @@
 
 Use GitHub Actions with npm Trusted Publisher/OIDC:
 
-1. Create and review a release tag such as `v0.40.0`.
+1. Create and review a release tag such as `v0.42.0`.
 2. Publish from the GitHub Release or run the `Publish npm` workflow manually with `ref` set to that tag.
 3. Keep `permissions.id-token: write` in the workflow so npm can exchange the GitHub Actions OIDC identity for a short-lived publish credential.
 4. Run `npm publish --access public` from the workflow. Trusted publishing automatically generates provenance for this public package from this public repository.

package/hosted/cloudflare-worker/README.md

@@ -23,7 +23,7 @@ This Worker is a real hosted ingress with first-slice Check Run publishing code,
 - `HOSTED_EVENTS`: Cloudflare KV namespace for compact delivery and queued scan records.
 - `WEBHOOK_SECRET`: Worker secret matching the GitHub App webhook secret.
 - `GITHUB_APP_PRIVATE_KEY`: Worker secret for the staging GitHub App private key, used only in memory to sign short-lived GitHub App JWTs.
-- `SCANNER_VERSION`: public version string, currently `0.40.0`.
+- `SCANNER_VERSION`: public version string, currently `0.42.0`.
 - `GITHUB_APP_ID`, `GITHUB_APP_SLUG`, `GITHUB_APP_INSTALLATION_ID`: public staging identifiers for the private GitHub App installation.
 
 ## Deployment

package/hosted/cloudflare-worker/src/index.js

@@ -822,29 +822,19 @@ function summarizeFindings(findings) {
 function renderCheckRunSummary({ identity, report, scannerVersion }) {
   const riskAreas = summarizeHostedRiskAreas(report.topRiskyFiles);
   const lines = [
-    `Launch-risk gate: ai-saas-guard found ${report.summary.total} PR risk signal(s) for ${identity.repositoryFullName}#${identity.pullRequestNumber}.`,
-    `Scanner version: ${scannerVersion}.`,
-    "",
-    "Review task: inspect the files below before merge.",
+    `Launch-risk gate: ${report.summary.total} PR risk signal(s) for ${identity.repositoryFullName}#${identity.pullRequestNumber}.`,
+    "Review task: inspect risk areas and files before merge.",
     "Manual proof: prove changed auth, billing, data, deploy, or tests fail closed.",
-    "Boundary: selected repository only; not an AI reviewer, pentest, full audit, or certification.",
-    "",
-    "Selected-repository hosted check: this App uses checks:write, contents:read, pull_requests:read, and metadata:read for the installed repository only.",
     "",
-    "Launch decision queue:",
-    "- Can a real user get access they should not have?",
-    "- Can the app claim success when something failed?",
-    "- Can launch infrastructure do too much damage?",
+    "Risk areas:",
+    ...(riskAreas.length === 0
+      ? ["- None"]
+      : riskAreas.slice(0, 5).map((area) => `- ${area.name}: ${area.count} file(s). Proof: ${area.proof}`)),
     "",
-    "Privacy: this Check Run stores compact file/category signals only. It does not store webhook payload bodies, PR title/body text, diff contents, source, secrets, checkout paths, or installation tokens."
+    "Review queue:"
   ];
 
   if (report.topRiskyFiles.length > 0) {
-    lines.push("", "Risk areas:");
-    for (const area of riskAreas.slice(0, 5)) {
-      lines.push(`- ${area.name}: ${area.count} file(s). Proof: ${area.proof}`);
-    }
-    lines.push("", "Review queue:");
     for (const file of report.topRiskyFiles.slice(0, 5)) {
       lines.push(`- ${file.path}: ${file.categories.join(", ")} (${file.added}+/${file.removed}-)`);
     }
@@ -855,8 +845,16 @@ function renderCheckRunSummary({ identity, report, scannerVersion }) {
       "- Why is this auth, billing, data, deploy, or test decision safe?",
       "- What manual proof shows it fails closed?"
     );
+  } else {
+    lines.push("- None");
   }
 
+  lines.push(
+    "",
+    `Boundary: selected repository only; scanner ${scannerVersion}; not an AI reviewer, pentest, full audit, or certification.`,
+    "Privacy: compact file/category signals only; no webhook bodies, PR text, source, diffs, secrets, checkout paths, or installation tokens."
+  );
+
   if (report.truncated) {
     lines.push("", "Note: PR file pagination was capped; run the local CLI for a complete review.");
   }

package/hosted/cloudflare-worker/wrangler.jsonc

@@ -7,7 +7,7 @@
     "enabled": true
   },
   "vars": {
-    "SCANNER_VERSION": "0.40.0",
+    "SCANNER_VERSION": "0.42.0",
     "GITHUB_APP_ID": "3834787",
     "GITHUB_APP_SLUG": "ai-saas-guard-hosted",
     "GITHUB_APP_INSTALLATION_ID": "135085075"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-saas-guard",
-  "version": "0.40.0",
+  "version": "0.42.0",
   "description": "Local-first CLI that catches launch blockers in AI-built Next.js/Supabase/Stripe SaaS apps.",
   "readmeFilename": "README.md",
   "type": "module",