ai-saas-guard 0.43.0 → 0.43.1

package/README.md

@@ -235,13 +235,13 @@ The CLI is published on npm as `ai-saas-guard`, and the GitHub Action is availab
 | Area | Status |
 | --- | --- |
 | Public GitHub repository | Available |
-| npm CLI | `ai-saas-guard@0.43.0` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.43.0` |
+| npm CLI | `ai-saas-guard@0.43.1` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.43.1` |
 | Outputs | Launch decision queue, short summary, terminal, JSON, SARIF, and PR-focused markdown |
 | Project config | `.ai-saas-guard.json` rule toggles, severity overrides, suppressions, and fail thresholds |
 | Privacy model | Local-first, read-only scan commands, no LLM calls, no code upload |
-| Versioned Action tags | `v0.43.0`, `v0` |
-| Current release | `0.43.0` adds pre-commercial hosted gates for Phase 4 beta readiness and Phase 5 team launch readiness while keeping billing disabled |
+| Versioned Action tags | `v0.43.1`, `v0` |
+| Current release | `0.43.1` hardens hosted rate-limit failure handling, GitHub API URL validation, Check Run reproduction commands, MCP policy templates, and Action summary output while keeping billing disabled |
 | npm publishing | Trusted Publisher/OIDC, no long-lived publish token |
 | Repository trust hardening | Strict branch protection, Dependabot, CodeQL, fast-check fuzzing, signed release provenance assets, private vulnerability reporting, secret scanning, and push protection |
 | Cloudflare hosted ingress | Deployed at `https://ai-saas-guard-hosted.zr9959.workers.dev`; public install/privacy notes are in [docs/hosted-install-privacy.md](docs/hosted-install-privacy.md); signed GitHub App webhook delivery and compact Check Run smoke now pass in staging |
@@ -425,7 +425,7 @@ Use `suppressions` for narrower false-positive handling when one rule is noisy o
 
 ## GitHub Action
 
-The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.43.0` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
+The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.43.1` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
 
 ```yaml
 name: ai-saas-guard

package/action.yml

@@ -12,7 +12,7 @@ inputs:
     required: false
     default: ${{ github.workspace }}
   format:
-    description: "Output format: terminal, json, sarif, or markdown. Use markdown for PR summaries and sarif for code scanning."
+    description: "Output format: terminal, json, sarif, markdown, or summary. Use summary for first-run CLI output, markdown for PR summaries, and sarif for code scanning."
     required: false
     default: terminal
   fail-on:
@@ -67,7 +67,7 @@ runs:
         esac
 
         case "${INPUT_FORMAT}" in
-          terminal|json|sarif|markdown) ;;
+          terminal|json|sarif|markdown|summary) ;;
           *)
             echo "Invalid format input: ${INPUT_FORMAT}" >&2
             exit 2
@@ -100,6 +100,8 @@ runs:
           args+=("--sarif")
         elif [ "${INPUT_FORMAT}" = "markdown" ]; then
           args+=("--markdown")
+        elif [ "${INPUT_FORMAT}" = "summary" ]; then
+          args+=("--summary")
         fi
 
         if [ "${INPUT_FAIL_ON}" != "none" ]; then

package/dist/commands/scan.js

@@ -8,13 +8,15 @@ import { scanNextPublicEnv, scanSecrets } from "../scanners/secrets.js";
 import { scanSilentSuccess } from "../scanners/silentSuccess.js";
 import { checkStripe } from "../scanners/stripe.js";
 import { checkSupabase } from "../scanners/supabase.js";
+import { detectStackInventory } from "../stackInventory.js";
 export async function scanRepository(options) {
     const context = await createScanContext(options.rootDir);
+    const stackInventory = await detectStackInventory(context);
     const [secretFindings, nextPublicFindings, stripeReport, supabaseReport, mcpReport, apiFindings, deployFindings, silentSuccessFindings, actionsReport] = await Promise.all([
         scanSecrets(context),
         scanNextPublicEnv(context),
         checkStripe(context),
-        checkSupabase(context),
+        stackInventory.databases.includes("supabase") ? checkSupabase(context) : createSkippedSupabaseReport(context.rootDir),
         checkMcp(context),
         scanApiRoutes(context),
         scanDeployConfig(context),
@@ -31,5 +33,17 @@ export async function scanRepository(options) {
         ...deployFindings,
         ...silentSuccessFindings,
         ...actionsReport.findings
-    ]), {});
+    ]), { stackInventory });
+}
+function createSkippedSupabaseReport(rootDir) {
+    return createReport("check-supabase", rootDir, [], {
+        riskyTables: [],
+        riskyPolicies: [],
+        manualAuthorizationTest: [],
+        doctor: {
+            staticChecks: [],
+            twoAccountVerificationSteps: [],
+            sqlCookbook: []
+        }
+    });
 }

package/dist/hosted/contracts.js

@@ -477,7 +477,7 @@ export function createCompactHostedReport(input) {
 export function createHostedCheckRunSummary(input) {
     const { report } = input;
     const totalFindings = getHostedReportFindingTotal(report);
-    const localCliCommand = `npx ai-saas-guard@${report.scannerVersion} pr-risk --root .`;
+    const localCliCommand = `npx ai-saas-guard@${report.scannerVersion} pr-risk --root . --base ${report.baseSha} --json`;
     const conclusion = resolveCheckRunConclusion(report, input.failOnSeverity);
     const launchGate = hostedLaunchGateVerdict(report);
     return {

package/dist/hosted/production-adapters.js

@@ -6,6 +6,7 @@ export const HOSTED_GITHUB_APP_JWT_CLOCK_SKEW_SECONDS = 60;
 export const HOSTED_WORKER_MAX_TIMEOUT_MS = 600_000;
 export const HOSTED_WORKER_DEFAULT_TIMEOUT_MS = 300_000;
 export const HOSTED_WORKER_MAX_OUTPUT_BYTES = 1_048_576;
+const HOSTED_GITHUB_API_BASE_URL = "https://api.github.com";
 export function createHostedGitHubAppJwt(input) {
     const nowSeconds = normalizeUnixSeconds(input.nowSeconds, Math.floor(Date.now() / 1000));
     const ttlSeconds = clampPositiveInteger(input.ttlSeconds, HOSTED_GITHUB_APP_JWT_MAX_TTL_SECONDS, HOSTED_GITHUB_APP_JWT_MAX_TTL_SECONDS);
@@ -180,17 +181,71 @@ function safeApiUrlBlockedReasons(apiBaseUrl) {
     if (!apiBaseUrl) {
         return [];
     }
+    return safeGitHubApiBaseUrl(apiBaseUrl) ? [] : ["invalid_github_api_url"];
+}
+function normalizeApiBaseUrl(apiBaseUrl) {
+    return safeGitHubApiBaseUrl(apiBaseUrl) ?? HOSTED_GITHUB_API_BASE_URL;
+}
+function safeGitHubApiBaseUrl(apiBaseUrl) {
+    if (!apiBaseUrl) {
+        return undefined;
+    }
+    const trimmed = trimTrailingSlashes(apiBaseUrl.trim());
     try {
-        const url = new URL(apiBaseUrl);
-        return url.protocol === "https:" ? [] : ["invalid_github_api_url"];
+        const url = new URL(trimmed);
+        if (url.protocol !== "https:" ||
+            url.username ||
+            url.password ||
+            url.search ||
+            url.hash ||
+            !isRootPath(url.pathname) ||
+            isUnsafeHostedHostname(url.hostname)) {
+            return undefined;
+        }
+        return trimmed;
     }
     catch {
-        return ["invalid_github_api_url"];
+        return undefined;
     }
 }
-function normalizeApiBaseUrl(apiBaseUrl) {
-    const value = apiBaseUrl?.trim() || "https://api.github.com";
-    return trimTrailingSlashes(value);
+function isRootPath(pathname) {
+    return pathname === "" || pathname === "/";
+}
+function isUnsafeHostedHostname(hostname) {
+    const normalized = normalizeHostname(hostname);
+    return (normalized === "localhost" ||
+        normalized.endsWith(".localhost") ||
+        isUnsafeIpv4Hostname(normalized) ||
+        isUnsafeIpv6Hostname(normalized));
+}
+function normalizeHostname(hostname) {
+    const lower = hostname.toLowerCase().replace(/\.$/, "");
+    return lower.startsWith("[") && lower.endsWith("]") ? lower.slice(1, -1) : lower;
+}
+function isUnsafeIpv4Hostname(hostname) {
+    const parts = hostname.split(".");
+    if (parts.length !== 4 || !parts.every((part) => /^\d+$/.test(part)))
+        return false;
+    const octets = parts.map((part) => Number(part));
+    if (octets.some((octet) => !Number.isInteger(octet) || octet < 0 || octet > 255)) {
+        return false;
+    }
+    const [first, second] = octets;
+    return (first === 0 ||
+        first === 10 ||
+        first === 127 ||
+        (first === 169 && second === 254) ||
+        (first === 172 && second >= 16 && second <= 31) ||
+        (first === 192 && second === 168) ||
+        (first === 100 && second >= 64 && second <= 127) ||
+        first >= 224);
+}
+function isUnsafeIpv6Hostname(hostname) {
+    return (hostname === "::" ||
+        hostname === "::1" ||
+        hostname.startsWith("fc") ||
+        hostname.startsWith("fd") ||
+        hostname.startsWith("fe80:"));
 }
 function trimTrailingSlashes(value) {
     let end = value.length;

package/dist/hosted/staging-harness.js

@@ -24,7 +24,6 @@ export function createFileBackedHostedStagingHarness(options) {
             const scanResult = typeof options.scanResult === "function"
                 ? await options.scanResult(input)
                 : options.scanResult;
-            await writeFile(join(sandboxPath, "source.ts"), scanResult.rawSource ?? "", "utf8");
             return scanResult;
         },
         now: options.now

package/dist/index.d.ts

@@ -7,11 +7,13 @@ export { checkActions } from "./commands/checkActions.js";
 export { classifyPrRisk } from "./commands/prRisk.js";
 export { applyGuardConfig, defaultConfigFileName, loadGuardConfig } from "./config.js";
 export { createScanContext } from "./context.js";
+export { detectStackInventory } from "./stackInventory.js";
 export { getRuleMetadata, RULE_CATALOG } from "./rules/catalog.js";
 export { formatSummaryReport } from "./report/summary.js";
 export { createLocalScanResourceBudget } from "./performance.js";
 export type { BaseReport, CommandName, Evidence, Finding, ActionsReport, McpOptions, McpPolicyTemplate, McpReport, McpServerInventory, McpSideEffect, PrRiskFile, PrRiskReport, ScanOptions, ShowcaseReport, StripeReport, SupabaseOptions, SupabaseDoctorReport, SupabaseReport } from "./types.js";
 export type { ScanContext, ScanInput } from "./context.js";
+export type { StackCategory, StackEvidence, StackInventory, StackInventoryInput } from "./stackInventory.js";
 export type { FindingSuppression, GuardConfig, RuleConfigValue } from "./config.js";
 export type { RuleMetadata, RuleStability } from "./rules/catalog.js";
 export type { LocalScanResourceBudget, LocalScanResourceBudgetInput } from "./performance.js";

package/dist/index.js

@@ -7,6 +7,7 @@ export { checkActions } from "./commands/checkActions.js";
 export { classifyPrRisk } from "./commands/prRisk.js";
 export { applyGuardConfig, defaultConfigFileName, loadGuardConfig } from "./config.js";
 export { createScanContext } from "./context.js";
+export { detectStackInventory } from "./stackInventory.js";
 export { getRuleMetadata, RULE_CATALOG } from "./rules/catalog.js";
 export { formatSummaryReport } from "./report/summary.js";
 export { createLocalScanResourceBudget } from "./performance.js";

package/dist/rules/catalog.js

@@ -188,6 +188,13 @@ export const RULE_CATALOG = {
         why: "Login, checkout, upload, AI, and webhook routes are common abuse targets.",
         stability: "experimental"
     },
+    "api.route.provider-debug-exposed": {
+        ruleId: "api.route.provider-debug-exposed",
+        severity: "high",
+        title: "Provider debug endpoint exposes server-side credential probe",
+        why: "Public provider probe endpoints can spend quota, reveal integration state, or exercise server credentials without returning the token.",
+        stability: "default"
+    },
     "api.route.auth-without-ownership": {
         ruleId: "api.route.auth-without-ownership",
         severity: "high",

package/dist/scanners/apiRoutes.js

@@ -4,7 +4,9 @@ import { lineAt, lineNumberForIndex } from "../utils/files.js";
 const sensitiveRoutePattern = /(login|register|auth|checkout|stripe|webhook|upload|ai|generate|admin|password|reset|token)/i;
 const rateLimitPattern = /(rateLimit|ratelimit|rate-limit|throttle|limiter|upstash|slowDown)/i;
 const authPattern = /(auth|session|currentUser|getUser|jwt|cookies|authorization)/i;
-const ownershipPattern = /(user_id|owner_id|tenant_id|organization_id|workspace_id|resource\.user|resource\.owner|where\s*:\s*{[\s\S]{0,100}(user|owner|tenant))/i;
+const ownershipPattern = /(user_id|userId|owner_id|ownerId|tenant_id|tenantId|organization_id|organizationId|workspace_id|workspaceId|resource\.user|resource\.owner|req\.user(?:Id|\.id)|where\s*:\s*{[\s\S]{0,140}(user|owner|tenant|organization|workspace))/i;
+const providerDebugPathPattern = /(paypal|stripe|github|oauth|openai|anthropic|resend|sendgrid).*(token|config|status|test|probe|debug)|(token|config|status|test|probe|debug).*(paypal|stripe|github|oauth|openai|anthropic|resend|sendgrid)/i;
+const providerCredentialProbePattern = /(client_credentials|oauth2\/token|access_token|PAYPAL_SECRET|PAYPAL_CLIENT_SECRET|STRIPE_SECRET|GITHUB_APP_PRIVATE_KEY|OPENAI_API_KEY|ANTHROPIC_API_KEY|SENDGRID_API_KEY|RESEND_API_KEY)/i;
 export async function scanApiRoutes(input) {
     const files = (await resolveScanContext(input)).getFiles((file) => isApiRoute(file.path));
     const findings = [];
@@ -13,6 +15,7 @@ export async function scanApiRoutes(input) {
         const isSensitive = sensitiveRoutePattern.test(file.path) || sensitiveRoutePattern.test(file.content);
         findings.push(...scanClerkUnsafeMetadata(file.path, file.content));
         findings.push(...scanPrismaTenantScope(file.path, file.content));
+        findings.push(...scanProviderDebugEndpoint(file.path, file.content));
         if (isSensitive && hasPostOrMutation && !rateLimitPattern.test(file.content)) {
             findings.push(finding({
                 ruleId: "api.route.missing-rate-limit",
@@ -24,7 +27,11 @@ export async function scanApiRoutes(input) {
                 suggestedFix: "Add IP/user keyed rate limiting close to the route entry point, with stricter limits for auth, checkout, upload, AI, and webhook paths."
             }));
         }
-        if (authPattern.test(file.content) && /params\.|searchParams|get\(|findUnique|findFirst|update|delete/i.test(file.content) && !ownershipPattern.test(file.content)) {
+        if (authPattern.test(file.content) &&
+            /params\.|searchParams|get\(|findUnique|findFirst|update|delete/i.test(file.content) &&
+            !ownershipPattern.test(file.content) &&
+            !hasExplicitAdminGuard(file.content) &&
+            !hasBenignRouteClassification(file.path, file.content)) {
             findings.push(finding({
                 ruleId: "api.route.auth-without-ownership",
                 title: `API route checks auth but lacks an obvious ownership guard: ${file.path}`,
@@ -38,6 +45,48 @@ export async function scanApiRoutes(input) {
     }
     return uniqueFindings(findings);
 }
+function scanProviderDebugEndpoint(filePath, content) {
+    if (!/\bGET\b|export\s+async\s+function\s+GET/i.test(content))
+        return [];
+    if (!providerDebugPathPattern.test(filePath) && !providerDebugPathPattern.test(content))
+        return [];
+    if (!providerCredentialProbePattern.test(content))
+        return [];
+    if (hasExplicitAdminGuard(content))
+        return [];
+    return [
+        finding({
+            ruleId: "api.route.provider-debug-exposed",
+            title: `Public provider token or configuration probe endpoint: ${filePath}`,
+            severity: "high",
+            evidence: [{ file: filePath, line: firstLine(content, providerCredentialProbePattern), snippet: firstSnippet(content, providerCredentialProbePattern) }],
+            why: "A public debug endpoint can spend provider quota, reveal integration mode or configuration state, and exercise server-side credentials even when it does not return the token.",
+            suggestedVerification: "Call the route without a session in staging and confirm it cannot trigger provider authentication or reveal provider configuration state.",
+            suggestedFix: "Remove the endpoint before launch, or require admin authentication, add a dedicated rate limit, emit an audit log, and disable it in production."
+        })
+    ];
+}
+function hasExplicitAdminGuard(content) {
+    return /\b(requireAdmin|adminMiddleware|isAdmin|requireRole\s*\(\s*["']admin|role\s*[:=]\s*["']admin|router\.use\s*\([\s\S]{0,160}requireAdmin)/i.test(content);
+}
+function hasBenignRouteClassification(filePath, content) {
+    return isPublicReadOnlyContentRoute(filePath, content) || isInternalProxyRoute(filePath, content) || isScopedTokenRoute(content);
+}
+function isPublicReadOnlyContentRoute(filePath, content) {
+    if (/\b(POST|PUT|PATCH|DELETE)\b|export\s+async\s+function\s+(POST|PUT|PATCH|DELETE)/.test(content))
+        return false;
+    const publicContentSurface = /(\/|^)(content|seo|blog|article|articles|sitemap|robots|public)(\/|\.|-|$)/i.test(filePath);
+    const publicPredicate = /\b(published|public|isPublished|visibility)\s*:\s*(true|["']public["'])/i.test(content);
+    return publicContentSurface && publicPredicate;
+}
+function isInternalProxyRoute(filePath, content) {
+    const internalPath = /(\/|^)(internal|proxy|bff)(\/|\.|-|$)/i.test(filePath);
+    const hasServiceTokenGuard = /\b(INTERNAL_[A-Z0-9_]*TOKEN|SERVICE_[A-Z0-9_]*TOKEN|PROXY_[A-Z0-9_]*TOKEN|authorization\s*!==\s*`?Bearer)/i.test(content);
+    return internalPath && hasServiceTokenGuard;
+}
+function isScopedTokenRoute(content) {
+    return /\b(scopeToken|scopedToken|verifyAgentScopeToken|agentScope|scopes\s*:\s*\[|content-agent:[a-z-]+)/i.test(content);
+}
 function scanClerkUnsafeMetadata(filePath, content) {
     if (!/\b(@clerk\/|clerkClient|currentUser|auth\s*\()/i.test(content))
         return [];

package/dist/scanners/mcp.js

@@ -248,7 +248,7 @@ function buildPolicyTemplate(servers) {
             "    decision: allow",
             "    reason: repo-local read scope",
             "  - match: { sideEffectClass: shell }",
-            "decision: deny",
+            "    decision: deny",
             "    reason: shell tools require explicit human approval before launch work"
         ],
         receiptFormat: [

package/dist/scanners/secrets.js

@@ -65,6 +65,8 @@ export async function scanSecrets(input) {
             secretPattern.pattern.lastIndex = 0;
             for (const match of file.content.matchAll(secretPattern.pattern)) {
                 const matchedText = match[0] ?? "";
+                if (isObviousPlaceholderSecret(file.path, matchedText))
+                    continue;
                 const line = lineNumberForIndex(file.content, match.index ?? 0);
                 findings.push(finding({
                     ruleId: "secrets.detected",
@@ -87,6 +89,15 @@ export async function scanSecrets(input) {
     }
     return findings;
 }
+function isObviousPlaceholderSecret(filePath, matchedText) {
+    const lowerPath = filePath.toLowerCase();
+    const lower = matchedText.toLowerCase();
+    const isExampleFile = /(^|\/)(\.env\.example|\.env\.sample|example\.env|sample\.env)$/.test(lowerPath) || lowerPath.includes("/examples/");
+    const hasPlaceholderValue = /\b(your|replace[-_]?me|placeholder|example|sample|dummy|fake|test[-_]?token|do[-_]?not[-_]?use|changeme)\b/i.test(lower) ||
+        /<[^>\n]*(key|secret|token|password|client)[^>\n]*>/i.test(matchedText) ||
+        /\b(?:1x|2x)0{10,}[A-Za-z0-9_-]*\b/.test(matchedText);
+    return hasPlaceholderValue && (isExampleFile || !/sk_(?:live|test)_|gh[pousr]_|-----BEGIN|SUPABASE_SERVICE_ROLE_KEY\s*=\s*eyJ/i.test(matchedText));
+}
 export async function scanNextPublicEnv(input) {
     const files = (await resolveScanContext(input)).files;
     const findings = [];

package/dist/scanners/supabase.js

@@ -5,6 +5,15 @@ const sensitiveTablePattern = /\b(user|account|profile|team|tenant|project|order
 const ownershipColumnPattern = /\b(user_id|owner_id|tenant_id|account_id|organization_id|workspace_id|created_by)\b/i;
 export async function checkSupabase(input, options = {}) {
     const context = await resolveScanContext(input);
+    const doctor = buildDoctorReport(options.doctor ?? true);
+    if (!hasSupabaseContext(context.files)) {
+        return createReport("check-supabase", context.rootDir, [], {
+            riskyTables: [],
+            riskyPolicies: [],
+            manualAuthorizationTest: [],
+            doctor
+        });
+    }
     const files = context.getFiles((file) => {
         const path = file.path.toLowerCase();
         return path.includes("supabase") || path.includes("migration") || path.endsWith(".sql") || path.endsWith(".prisma");
@@ -129,7 +138,6 @@ export async function checkSupabase(input, options = {}) {
         }
     }
     findings.push(...buildDoctorFindings(files, tables, rlsEnabledTables, policies));
-    const doctor = buildDoctorReport(options.doctor ?? true);
     return createReport("check-supabase", context.rootDir, uniqueFindings(findings), {
         riskyTables: [...new Set(tables.filter((table) => table.sensitive && !rlsEnabledTables.has(table.name)).map((table) => table.name))],
         riskyPolicies,
@@ -143,6 +151,16 @@ export async function checkSupabase(input, options = {}) {
         doctor
     });
 }
+function hasSupabaseContext(files) {
+    return files.some((file) => {
+        const path = file.path.toLowerCase();
+        if (path.includes("supabase"))
+            return true;
+        if (path === "package.json" && /@supabase\/supabase-js|supabase/i.test(file.content))
+            return true;
+        return /\bfrom\s+["']@supabase\/|create\s+policy\b|enable\s+row\s+level\s+security|auth\.uid\s*\(|storage\.objects/i.test(file.content);
+    });
+}
 function buildDoctorFindings(files, tables, rlsEnabledTables, policies) {
     const findings = [];
     const policiesByTable = new Map();

package/dist/stackInventory.d.ts

@@ -0,0 +1,22 @@
+import type { ScanInput } from "./context.js";
+export type StackCategory = "frameworks" | "databases" | "orms" | "auth" | "payments" | "storage" | "deploy";
+export interface StackEvidence {
+    category: StackCategory;
+    tool: string;
+    file: string;
+    reason: string;
+}
+export interface StackInventory {
+    frameworks: string[];
+    databases: string[];
+    orms: string[];
+    auth: string[];
+    payments: string[];
+    storage: string[];
+    deploy: string[];
+    evidence: StackEvidence[];
+}
+export type StackInventoryInput = ScanInput | {
+    rootDir: string;
+};
+export declare function detectStackInventory(input: StackInventoryInput): Promise<StackInventory>;