v0.43.3

Summary

• Reduces silent-success.hardcoded-fallback false positives for Cloudflare Durable Object stubs and configuration fallback parameters.
• Reduces silent-success.swallowed-error false positives for benign null-return parsing/cache read paths.
• Treats assertion-rich Node/assert tests as real tests while preserving placeholder and truthy-only test detection.
• Keeps billing, pricing, paid packaging, marketplace conversion, and hosted beta scope unchanged.

Verification

• npm ci
• npm test passed: 213 tests
• npm run build
• Local scan JSON: 0 findings
• SARIF output: SARIF 2.1.0 with 0 results
• Focused silent-success fixture scan: safe fixture has 0 silent-success.* findings; risky fixture still reports the expected silent-success.* rules
• npm audit --audit-level=high --registry=https://registry.npmjs.org: 0 vulnerabilities
• npm pack --dry-run --json: ai-saas-guard-0.43.3.tgz, 172 files
• Unpacked release-candidate tarball and ran packaged dist/cli.js --help plus dist/cli.js demo --summary

v0.43.2

v0.43.2

Patch release for hosted smoke cleanup safety and local scan observability.

Changed

• Scope hosted real-PR smoke KV cleanup to records matching the temporary smoke PR.
• Surface hosted checkout cleanup failures even when an earlier scan command failed.
• Fall back from base...HEAD to base..HEAD for pr-risk --base when history has no merge base.
• Escape Cloudflare Check Run summary repo/file text before writing Markdown.
• Report local scan collection coverage for unreadable, oversized, budget-skipped, and malformed package inventory inputs.
• Keep hosted public beta gated on provider rate-limit, rollback, monitoring, and incident evidence.

Verification

• npm test: 213 pass
• node --test tests/guard.test.mjs: 119 pass
• git diff --check: pass
• node dist/cli.js scan --root . --summary: 0 findings
• npm audit --audit-level=moderate: 0 vulnerabilities
• npm pack --dry-run --json: ai-saas-guard@0.43.2

No Cloudflare deploy, GitHub App installation mutation, billing, pricing, paid packaging, marketplace conversion, or sales funnel work is included.

v0.43.1

v0.43.1

Patch release focused on hosted hardening and release consistency.

Changed

• Fail closed when Cloudflare hosted repository rate-limit KV state is corrupt.
• Ignore unsafe GitHub API base URL overrides and keep GitHub API calls on safe public HTTPS roots.
• Use the documented x-github-api-version header in the Cloudflare Worker.
• Stop the local hosted staging harness from persisting rawSource into worker sandbox files.
• Fix the MCP policy template YAML indentation for the shell deny rule.
• Let the composite GitHub Action accept and pass through format: summary.
• Include --base <baseSha> --json in hosted Check Run local reproduction commands.

Release Gate

• GitHub PR #107 CI passed: test, fuzz, actionlint, zizmor, CodeQL.
• Local npm ci passed.
• Local npm test passed: 201/201 tests.
• Local node dist/cli.js scan --root . --json returned 0 findings.
• Local SARIF generation returned 0 results.
• Local npm audit --audit-level=high --registry=https://registry.npmjs.org returned 0 vulnerabilities.
• Local npm pack --dry-run --json produced candidate ai-saas-guard@0.43.1.
• Release tarball candidate was unpacked and the packaged CLI help plus packaged scan smoke passed.

This release does not add billing, pricing, paid packaging, marketplace conversion, or sales-funnel behavior. It is not a pentest, certification, or full security audit.

v0.43.0

Summary

• Adds pre-commercial hosted beta readiness and team launch readiness gates under ai-saas-guard/hosted/beta.
• Blocks public beta until selected-repository install limits, abuse controls, safe telemetry, uninstall deletion proof, rollback, support ownership, beta smoke, and no-audit-claim wording are ready.
• Blocks team workflow rollout until org policy config, required status-check docs, suppression audit, reviewer checklist, release evidence export, retention docs, and billing-disabled proof are in place.
• Updates README, Chinese README, hosted docs, Worker version, and hosted operations evidence for v0.43.0.

Verification

• npm test
• npm audit --audit-level=high --registry=https://registry.npmjs.org
• npm pack --dry-run --json
• uvx zizmor --offline .github/workflows
• go run github.com/rhysd/actionlint/cmd/actionlint@latest
• node dist/cli.js scan --root . --json
• node dist/cli.js pr-risk --root . --json
• node dist/cli.js scan --root . --sarif
• npx wrangler deploy --dry-run && npx wrangler deploy
• Hosted health/install-info verified scannerVersion 0.43.0
• Real hosted PR smoke passed on PR #91 with Check Run 77724168740 and remainingSmokeKeys 0

v0.42.0

Summary

• Adds a unified Phase 3 source-checkout trial gate for the hosted GitHub App path.
• Combines trial plan checks, stage evidence, read-only checkout scan proof, live smoke, rollback, monitoring, and incident-owner proof before Phase 4 beta.
• Updates README, Chinese README, hosted docs, Worker version, and hosted operations evidence for v0.42.0.

Verification

• npm test
• npm audit --audit-level=high --registry=https://registry.npmjs.org
• npm pack --dry-run --json
• uvx zizmor --offline .github/workflows
• go run github.com/rhysd/actionlint/cmd/actionlint@latest
• node dist/cli.js scan --root . --json
• node dist/cli.js pr-risk --root . --json
• node dist/cli.js scan --root . --sarif
• npx wrangler deploy --dry-run && npx wrangler deploy
• Hosted health/install-info verified scannerVersion 0.42.0
• Real hosted PR smoke passed on PR #89 with Check Run 77721238202 and remainingSmokeKeys 0

v0.41.0

Summary

• Adds hosted source-checkout trial planning and evidence contracts for the next narrow hosted layer.
• Compresses hosted Check Run reviewer output around risk areas, manual proof, boundary, and privacy.
• Updates README, Chinese README, npm docs, Worker version, and hosted operations evidence for v0.41.0.

Verification

• npm test
• npm audit --audit-level=high --registry=https://registry.npmjs.org
• npm pack --dry-run --json
• uvx zizmor --offline .github/workflows
• go run github.com/rhysd/actionlint/cmd/actionlint@latest
• node dist/cli.js scan --root . --json
• node dist/cli.js pr-risk --root . --json
• node dist/cli.js scan --root . --sarif
• npx wrangler deploy --dry-run && npx wrangler deploy
• Hosted health/install-info verified scannerVersion 0.41.0
• Real hosted PR smoke passed on PR #87 with Check Run 77718782535 and remainingSmokeKeys 0

v0.40.0

Highlights

• Groups hosted Check Run output by launch-risk area: auth/session, billing/entitlement, tenant data, deploy/permissions, API contract, and tests/silent success.
• Adds machine-readable hosted PR smoke evidence with cleanup status through scripts/hosted-pr-smoke.mjs --evidence-file.
• Clarifies when to use Local CLI, GitHub Action, or Hosted GitHub App in both English and Chinese README files.
• Documents the next hosted source-checkout worker boundary without claiming a full hosted scanner.

Verification

• npm test
• npm audit --audit-level=high --registry=https://registry.npmjs.org
• npm pack --dry-run --json
• uvx zizmor --offline .github/workflows
• go run github.com/rhysd/actionlint/cmd/actionlint@latest
• CLI JSON, SARIF, and pr-risk smoke
• npx wrangler deploy --dry-run and npx wrangler deploy
• live /healthz and /github/app/install-info verification
• real hosted PR smoke: PR #85, Check Run 77714061842, cleanup remainingSmokeKeys: 0

v0.39.0

Highlights

• Adds scripts/hosted-pr-smoke.mjs, a real hosted GitHub App smoke runner that opens a temporary PR, waits for the hosted Check Run, then closes the PR, deletes the branch, and clears staging KV records.
• Tightens hosted Check Run wording around review task, manual proof, and selected-repository boundaries.
• Adds hosted install/privacy documentation and links it from the English and Chinese README.
• Strengthens the hosted operational release gate with real PR smoke and cleanup evidence requirements.

Verification

• npm test
• npm audit --audit-level=high --registry=https://registry.npmjs.org
• npm pack --dry-run --json
• uvx zizmor --offline .github/workflows
• go run github.com/rhysd/actionlint/cmd/actionlint@latest
• node dist/cli.js scan/pr-risk/SARIF smoke
• npx wrangler deploy --dry-run and deploy
• live /healthz and /github/app/install-info verification
• real hosted PR smoke: PR #82, Check Run 77711358510, KV cleanup returned []

v0.38.0

Summary

• Adds a public-safe hosted install-info endpoint for the staging GitHub App with install URL, selected-repository boundary, first-slice permissions, subscribed events, privacy wording, and uninstall cleanup wording.
• Improves hosted Check Run output with selected-repository context, Review queue, and Manual proof prompts.
• Handles signed GitHub installation deletion and repository removal events by deleting matching compact KV scan records.
• Deploys the Cloudflare staging Worker with SCANNER_VERSION 0.38.0 and records health, install-info, version, and KV cleanup evidence.
• Updates English README, Chinese README, handoff, hosted docs, release docs, and tests.

Verification

• npm audit --audit-level=high --registry=https://registry.npmjs.org
• npm test
• GOPROXY=https://goproxy.cn,direct go run github.com/rhysd/actionlint/cmd/actionlint@latest
• uvx zizmor .github/workflows
• npm pack --dry-run
• node dist/cli.js scan --root . --summary
• node dist/cli.js pr-risk --root . --markdown
• npx wrangler deploy --dry-run
• npx wrangler deploy
• curl -fsSL https://ai-saas-guard-hosted.zr9959.workers.dev/healthz
• curl -fsSL https://ai-saas-guard-hosted.zr9959.workers.dev/github/app/install-info
• npx wrangler kv key list --namespace-id fa5344fbd7944de6a776bf8731d58460 --remote

v0.37.0

Summary

• Adds a copy-paste GitHub Actions PR launch gate workflow that writes markdown to GITHUB_STEP_SUMMARY and uploads SARIF.
• Updates README and Chinese README so the first screen points AI-heavy PRs toward the reviewer queue path.
• Improves hosted Check Run wording around the launch-risk middle layer while keeping the boundary clear: not an AI reviewer, pentest, full audit, or certification.

Verification

• npm audit --audit-level=high --registry=https://registry.npmjs.org
• npm test
• GOPROXY=https://goproxy.cn,direct go run github.com/rhysd/actionlint/cmd/actionlint@latest
• uvx zizmor .github/workflows
• npm pack --dry-run
• node dist/cli.js scan --root . --summary
• node dist/cli.js pr-risk --root . --markdown