ai-saas-guard 0.43.2 → 0.43.3

package/README.md

@@ -248,13 +248,13 @@ The CLI is published on npm as `ai-saas-guard`, and the GitHub Action is availab
 | Area | Status |
 | --- | --- |
 | Public GitHub repository | Available |
-| npm CLI | `ai-saas-guard@0.43.2` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.43.2` |
+| npm CLI | `ai-saas-guard@0.43.3` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` or fixed tag `v0.43.3` |
 | Outputs | Launch decision queue, short summary, terminal, JSON, SARIF, and PR-focused markdown |
 | Project config | `.ai-saas-guard.json` rule toggles, severity overrides, suppressions, and fail thresholds |
 | Privacy model | Local-first, read-only scan commands, no LLM calls, no code upload |
-| Versioned Action tags | `v0.43.2`, `v0` |
-| Current release | `0.43.2` fixes hosted cleanup observability, scoped smoke KV cleanup, shallow-history PR diff fallback, Check Run Markdown escaping, and local scan coverage diagnostics while keeping billing disabled |
+| Versioned Action tags | `v0.43.3`, `v0` |
+| Current release | `0.43.3` reduces silent-success false positives for Cloudflare Durable Object stubs, benign null-return parsing/cache reads, configuration fallback parameters, and assertion-rich tests while keeping billing disabled |
 | npm publishing | Trusted Publisher/OIDC, no long-lived publish token |
 | Repository trust hardening | Strict branch protection, Dependabot, CodeQL, fast-check fuzzing, signed release provenance assets, private vulnerability reporting, secret scanning, and push protection |
 | Cloudflare hosted ingress | Deployed at `https://ai-saas-guard-hosted.zr9959.workers.dev`; public install/privacy notes are in [docs/hosted-install-privacy.md](docs/hosted-install-privacy.md); signed GitHub App webhook delivery and compact Check Run smoke now pass in staging |
@@ -450,7 +450,7 @@ Use `suppressions` for narrower false-positive handling when one rule is noisy o
 
 ## GitHub Action
 
-The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.43.2` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
+The repo includes a composite Action. Use `v0` for the latest compatible pre-1.0 Action, a specific release tag such as `v0.43.3` for controlled upgrades, or pin a reviewed commit SHA for stricter supply-chain control:
 
 ```yaml
 name: ai-saas-guard

package/dist/scanners/silentSuccess.js

@@ -10,6 +10,7 @@ const mockDataPattern = /\b(mock|fixture|fixtures|demo|sample|stub|fake)\b/i;
 const bypassPattern = /\b(TODO\s*:?\s*(auth|verify|validation|rate|owner|webhook)|temporary\s+bypass|temp\s+bypass|skip\s+(auth|verification|validation|ownership|webhook)|disable\s+(auth|verification|validation)|SKIP_(AUTH|WEBHOOK|VERIFICATION|VALIDATION)|ALLOW_UNVERIFIED)\b/i;
 const assertionPattern = /\b(expect\s*\(|assert\.|assert\s*\(|t\.is\s*\(|t\.true\s*\(|should\.|toEqual\s*\(|toBe\s*\(|toMatch\s*\()/i;
 const truthyOnlyPattern = /\b(expect\s*\([^)]*\)\.(toBeTruthy|toBeDefined|toBeOk)\s*\(\s*\)|assert\.ok\s*\([^)]*\)|t\.truthy\s*\([^)]*\))/i;
+const strongAssertionPattern = /\b(expect\s*\([^)]*\)\.(?:toEqual|toStrictEqual|toBe|toMatch|toHave|toContain|toThrow|rejects|resolves)\b|assert\.(?:equal|strictEqual|deepEqual|deepStrictEqual|notEqual|notStrictEqual|notDeepEqual|notDeepStrictEqual|match|doesNotMatch|rejects|doesNotReject|throws|doesNotThrow|fail)\s*\(|t\.(?:is|deepEqual|regex|throws|throwsAsync|not)\s*\()/i;
 export async function scanSilentSuccess(input) {
     const context = await resolveScanContext(input);
     const findings = [];
@@ -32,6 +33,8 @@ export async function scanSilentSuccess(input) {
 function scanSwallowedErrors(filePath, content) {
     const findings = [];
     for (const block of findCatchBlocks(content)) {
+        if (isBenignNullCatch(content, block))
+            continue;
         if (fakeSuccessPattern.test(block.text) && !safeFailurePattern.test(block.text)) {
             findings.push(finding({
                 ruleId: "silent-success.swallowed-error",
@@ -88,12 +91,16 @@ function scanProductionMockData(filePath, content) {
 }
 function scanHardcodedFallbacks(filePath, content) {
     const findings = [];
-    const fallbackPattern = /(fallback|mock|demo|sample|stub|fake)[\s\S]{0,180}(Response\.json|NextResponse\.json|success\s*:\s*true|ok\s*:\s*true|active|subscription|entitlement)/gi;
+    const fallbackPattern = /(fallback|mock|demo|sample|stub|fake)[\s\S]{0,220}(Response\.json|NextResponse\.json|success\s*:\s*true|ok\s*:\s*true|status\s*:\s*["']active["']|active\s*:\s*true|subscription\s*:\s*(?:mock|demo|sample|fallback|fake|\{|\[)|entitlement\s*:\s*(?:true|active|\{|\[))/gi;
     for (const match of content.matchAll(fallbackPattern)) {
         const index = match.index ?? 0;
         const window = content.slice(Math.max(0, index - 180), index + match[0].length + 180);
         if (/degraded\s*:\s*true|status\s*:\s*(4|5)\d\d|error\s*:/i.test(window))
             continue;
+        if (isCloudflareDurableObjectStubWindow(window))
+            continue;
+        if (isConfigurationFallbackWindow(window))
+            continue;
         const line = lineNumberForIndex(content, index);
         findings.push(finding({
             ruleId: "silent-success.hardcoded-fallback",
@@ -134,7 +141,7 @@ function scanTestIntegrity(filePath, content) {
         if (body.length === 0 ||
             /^\/\/\s*TODO\b/i.test(body) ||
             !assertionPattern.test(body) ||
-            (truthyOnlyPattern.test(body) && !/\b(toEqual|toStrictEqual|toBe\(|toMatch|toHave|rejects|resolves)\b/i.test(body))) {
+            hasOnlyWeakTruthyAssertions(body)) {
             findings.push(testFinding(filePath, content, testCase.line, "Weak or placeholder test may create fake confidence"));
         }
     }
@@ -167,11 +174,50 @@ function findCatchBlocks(content) {
             continue;
         blocks.push({
             text: content.slice(start, end + 1),
-            line: lineNumberForIndex(content, match.index ?? 0)
+            line: lineNumberForIndex(content, match.index ?? 0),
+            start: match.index ?? 0,
+            end
         });
     }
     return blocks;
 }
+function isBenignNullCatch(content, block) {
+    if (!/\breturn\s+null\s*;?\s*\}/i.test(block.text))
+        return false;
+    if (/(?:Response|NextResponse)\.json|success\s*:\s*true|ok\s*:\s*true|return\s+true\b|subscription\s*:|entitlement\s*:|active\s*:/i.test(block.text)) {
+        return false;
+    }
+    const before = content.slice(Math.max(0, block.start - 520), block.start);
+    const after = content.slice(block.end + 1, block.end + 720);
+    const surrounding = `${before}\n${block.text}\n${after}`;
+    if (/(?:atob|btoa|base64|base64url|decodeURIComponent|TextDecoder|JSON\.parse|\bparse[A-Z]|\bdecode[A-Z]|early\s+data)/i.test(surrounding)) {
+        return true;
+    }
+    if (/(?:STATESTORE|DurableObject|Durable Object|idFromName|stub\.fetch|env\.[A-Z0-9_]+\.get\s*\(|KV\.get|env\.KV|get\s*\([^)]*["']json["']|cache|cached|storage|state)/i.test(surrounding) &&
+        /(?:KV\.get|env\.KV|stub\.fetch|fetch\s*\(|get\s*\()/i.test(after)) {
+        return true;
+    }
+    return false;
+}
+function isCloudflareDurableObjectStubWindow(window) {
+    return (/\bidFromName\s*\(/i.test(window) &&
+        /\benv\.[A-Z0-9_]+\.get\s*\(/i.test(window) &&
+        /\bstub\b/i.test(window));
+}
+function isConfigurationFallbackWindow(window) {
+    return (/\bfunction\b[^{;=]*\([^)]*\bfallback\s*=\s*(?:\{\}|\[\]|null|undefined|[0-9]+|["'][^"']*["'])/i.test(window) &&
+        !/(?:Response|NextResponse)\.json|success\s*:\s*true|ok\s*:\s*true|active\s*:\s*true|status\s*:\s*["']active["']|subscription\s*:\s*(?:mock|demo|sample|fallback|fake|\{|\[)|entitlement\s*:\s*(?:true|active|\{|\[)/i.test(window));
+}
+function hasOnlyWeakTruthyAssertions(body) {
+    if (!truthyOnlyPattern.test(body))
+        return false;
+    if (strongAssertionPattern.test(body))
+        return false;
+    if (/\bassert\.ok\s*\([^)]*(?:[=!]==?|[<>]=?|\.(?:length|size)\b|\.includes\s*\(|\.some\s*\(|\.every\s*\()/i.test(body)) {
+        return false;
+    }
+    return true;
+}
 function findTestBlocks(content) {
     const blocks = [];
     const testPattern = /\b(?:test|it)\s*\(\s*["'`][^"'`]+["'`]\s*,\s*(?:async\s*)?\([^)]*\)\s*=>\s*\{/gi;

package/docs/CODEX_HANDOFF.md

@@ -23,12 +23,12 @@ Current branch: `main`.
 
 Latest release state:
 
-- latest release commit: `1659cb5 Fix hosted hardening and action summary support (#107)`
-- current `main` HEAD at the 2026-05-27 handoff-drift recheck: `48587b0 docs: add codex agent working rules`
-- package version: `0.43.1`
-- npm latest: `ai-saas-guard@0.43.1`
-- GitHub Release: `v0.43.1`
-- floating Action tag: `v0` points to `1659cb513e7b8ad8948263d440893630be49fc05`
+- latest release commit: `9eff887 Fix hosted smoke cleanup and scan diagnostics (#119)`
+- current `main` HEAD at the 2026-05-27 post-release recheck: `9eff887 Fix hosted smoke cleanup and scan diagnostics (#119)`
+- package version: `0.43.2`
+- npm latest: `ai-saas-guard@0.43.2`
+- GitHub Release: `v0.43.2`
+- floating Action tag: `v0` points to `9eff887f83d7287c44c066c3484b871105fc5b4a`
 - Cloudflare Worker health reports `scannerVersion: "0.43.0"`
 - the live hosted endpoint is still the Cloudflare `webhook-ingress`, not a deployed full source-checkout worker
 - real hosted smoke passed on PR `#91`, Check Run `77724168740`, with KV cleanup returning `[]`
@@ -47,6 +47,7 @@ Post-release docs and evidence work after `v0.43.0`:
 - released `v0.43.1` from PR `#107`
 - merged documentation/discovery follow-up PRs `#113`, `#114`, and `#115`
 - 2026-05-27 recheck confirmed npm latest `0.43.1`, GitHub release `v0.43.1`, latest CI/CodeQL/Metrics/Cross-Project Discovery success, hosted health safe but still reporting hosted scanner `0.43.0`, issue `#93` missing real DP feedback, and issue `#94` still blocked on source-checkout/provider deletion/monitoring evidence
+- released `v0.43.2` from PR `#119`; npm `latest` and floating Action tag `v0` now point at `0.43.2` / `9eff887`
 
 Current working tree note: `.local/project-handoff.md` is local-only and ignored by git. Do not force-add it.
 
@@ -103,7 +104,7 @@ Hosted path:
 
 Public docs:
 
-- English README and Chinese README updated through `0.43.1`
+- English README and Chinese README updated through `0.43.2`
 - Codex/agent working rules in `docs/CODEX_AGENT_WORKING_RULES.md`
 - rules docs
 - hosted deployment/runtime/gate docs

package/docs/CODEX_STATE.md

@@ -6,10 +6,10 @@ Last updated: 2026-05-27, Asia/Shanghai.
 
 - Project path: `/Volumes/MyPSSD/app/ai-saas-guard`
 - Shell: `zsh`
-- Branch: `main` for the public source of truth; current 1-7 fix work is in the local main worktree until committed
-- Latest release commit: `1659cb513e7b8ad8948263d440893630be49fc05`
-- Current `main` HEAD at the 2026-05-27 handoff-drift recheck: `48587b068f7985ca851770a96386083221bd3ffb`
-- Package version: `0.43.1`
+- Branch: `main` for the public source of truth; v0.43.2 release work is merged and published
+- Latest release commit: `9eff887f83d7287c44c066c3484b871105fc5b4a`
+- Current `main` HEAD at the 2026-05-27 post-release recheck: `9eff887f83d7287c44c066c3484b871105fc5b4a`
+- Package version: `0.43.2`
 - Observed Node: `v25.8.0`
 - Package engine: Node `>=20`
 - Network: available in the last session
@@ -110,7 +110,7 @@ GitHub:
 npm:
 
 - Package: `ai-saas-guard`
-- Latest published version: `0.43.1`
+- Latest published version: `0.43.2`
 - Publish uses GitHub Actions Trusted Publisher/OIDC.
 - Do not add long-lived npm publish tokens.
 
@@ -193,8 +193,8 @@ Use a notes file for release notes; do not inline shell text with backticks.
 
 For the latest published line:
 
-- `v0.43.1` release exists on GitHub and npm `latest` is `ai-saas-guard@0.43.1`
-- `v0` points to `1659cb513e7b8ad8948263d440893630be49fc05`
+- `v0.43.2` release exists on GitHub and npm `latest` is `ai-saas-guard@0.43.2`
+- `v0` points to `9eff887f83d7287c44c066c3484b871105fc5b4a`
 - latest observed `main` CI, CodeQL, Metrics Snapshot, and Cross-Project Discovery runs completed successfully on 2026-05-27
 - hosted public health returned `ok: true`, `mode: webhook-ingress`, `processingPaused: false`, safe privacy flags, and `scannerVersion: "0.43.0"`
 - issue `#93` still has no real DP-1, DP-2, or DP-3 feedback

package/docs/README.zh-CN.md

@@ -226,18 +226,18 @@ node dist/cli.js scan --root /path/to/your-saas
 
 这个仓库是公开 GitHub 仓库。
 
-CLI 已发布到 npm：`ai-saas-guard@0.43.2`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.43.2`。
+CLI 已发布到 npm：`ai-saas-guard@0.43.3`。GitHub Action 支持 `v0` 浮动标签，也支持固定版本标签，例如 `v0.43.3`。
 
 | 模块 | 状态 |
 | --- | --- |
 | 公开 GitHub 仓库 | 已可用 |
-| npm CLI | `ai-saas-guard@0.43.2` |
-| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.43.2` |
+| npm CLI | `ai-saas-guard@0.43.3` |
+| GitHub Action | `zr9959/ai-saas-guard@v0` 或固定标签 `v0.43.3` |
 | 输出格式 | 上线决策队列、短 summary、Terminal、JSON、SARIF 和 PR markdown |
 | 项目配置 | `.ai-saas-guard.json` 支持规则开关、severity 覆盖、suppressions 和 fail threshold |
 | 隐私模型 | 本地优先、只读扫描、不调用 LLM、不上传代码 |
-| 当前版本 | `0.43.2` 修复 hosted cleanup 可观测性、smoke KV 精准清理、浅历史 PR diff fallback、Check Run Markdown 转义和本地扫描覆盖诊断，同时继续保持 billing disabled |
-| Action 标签 | `v0.43.2`、`v0` |
+| 当前版本 | `0.43.3` 降低 silent-success 对 Cloudflare Durable Object stub、良性 `return null` 解析/缓存读取、配置 fallback 参数和真实断言测试的误报，同时继续保持 billing disabled |
+| Action 标签 | `v0.43.3`、`v0` |
 | npm 发布 | GitHub Actions Trusted Publisher/OIDC，无需长期 npm token |
 | 仓库可信度加固 | 严格 branch protection、Dependabot、CodeQL、fast-check fuzzing、signed release provenance assets、private vulnerability reporting、secret scanning 和 push protection |
 | Cloudflare hosted ingress | 已部署到 `https://ai-saas-guard-hosted.zr9959.workers.dev`；安装和隐私说明见 [hosted-install-privacy.md](hosted-install-privacy.md)；提供 `/github/app/install-info`，签名 GitHub App webhook delivery、compact Check Run 和 installation cleanup staging smoke 已通过 |

package/docs/npm-publishing.md

@@ -5,11 +5,11 @@
 ## Current State
 
 - Package name: `ai-saas-guard`
-- Current published version: `0.43.1`
+- Current published version: `0.43.3`
 - Next source candidate: none
 - npm registry state: published at <https://www.npmjs.com/package/ai-saas-guard>
 - First npm-published version: `0.1.1`
-- GitHub Release: `v0.43.1`
+- GitHub Release: `v0.43.3`
 - Publish workflow: `.github/workflows/npm-publish.yml`
 - Trusted Publisher: GitHub Actions, `zr9959/ai-saas-guard`, workflow `npm-publish.yml`, allowed action `npm publish`
 - Long-lived npm publish token: not required
@@ -18,7 +18,7 @@
 
 Use GitHub Actions with npm Trusted Publisher/OIDC:
 
-1. Create and review a release tag such as `v0.43.1`.
+1. Create and review a release tag such as `v0.43.3`.
 2. Publish from the GitHub Release or run the `Publish npm` workflow manually with `ref` set to that tag.
 3. Keep `permissions.id-token: write` in the workflow so npm can exchange the GitHub Actions OIDC identity for a short-lived publish credential.
 4. Run `npm publish --access public` from the workflow. Trusted publishing automatically generates provenance for this public package from this public repository.

package/docs/project-handoff.md

@@ -166,7 +166,7 @@ OpenSSF Best Practices:
 Publishing:
 
 - npm package: `ai-saas-guard`
-- Current published release line: `v0.43.1` published to GitHub Release, npm, and the `v0` Action tag
+- Current published release line: `v0.43.2` published to GitHub Release, npm, and the `v0` Action tag
 - Next source candidate: none
 - Publish workflow: `.github/workflows/npm-publish.yml`
 - Trusted Publisher: GitHub Actions for `zr9959/ai-saas-guard`, workflow `npm-publish.yml`
@@ -193,17 +193,17 @@ Next work should therefore be feedback and evidence work, not more speculative f
 - collect provider monitoring, rollback, incident-response, uninstall/deletion, and support evidence before public beta
 - keep CLI/Action/docs current
 - only start commercialization after actual usage evidence exists
-- 2026-05-27 update: npm/GitHub latest is `0.43.1`; the hosted ingress remains healthy and still reports `scannerVersion: "0.43.0"`; real design-partner feedback, deployed source-checkout proof, full GitHub App deletion proof, and source-checkout provider monitoring evidence remain missing
+- 2026-05-27 update: npm/GitHub latest is `0.43.2`; the hosted ingress remains healthy and still reports `scannerVersion: "0.43.0"`; real design-partner feedback, deployed source-checkout proof, full GitHub App deletion proof, and source-checkout provider monitoring evidence remain missing
 
 ## Latest Deployment And Test Evidence
 
 Latest release:
 
-- Version: `0.43.1`
-- Commit/tag target: `1659cb513e7b8ad8948263d440893630be49fc05`
-- GitHub Release: `v0.43.1`
-- npm: `ai-saas-guard@0.43.1`, `latest`
-- GitHub Action floating tag: `v0` points to `1659cb513e7b8ad8948263d440893630be49fc05`
+- Version: `0.43.2`
+- Commit/tag target: `9eff887f83d7287c44c066c3484b871105fc5b4a`
+- GitHub Release: `v0.43.2`
+- npm: `ai-saas-guard@0.43.2`, `latest`
+- GitHub Action floating tag: `v0` points to `9eff887f83d7287c44c066c3484b871105fc5b4a`
 - Cloudflare Worker deployed version: `8744d3db-0114-4653-85e2-f1554ff1b26b`
 - Worker health: `https://ai-saas-guard-hosted.zr9959.workers.dev/healthz` returns `scannerVersion: "0.43.0"`
 - Real hosted PR smoke: PR `#91`, Check Run `77724168740`, conclusion `success`, temporary branch deleted, KV smoke records cleaned to `[]`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-saas-guard",
-  "version": "0.43.2",
+  "version": "0.43.3",
   "description": "Local-first TIYBAI CLI that catches launch blockers in AI-built Next.js/Supabase/Stripe SaaS apps.",
   "readmeFilename": "README.md",
   "type": "module",