jaku.sh 1.0.0 → 1.0.2

package/README.md

@@ -28,27 +28,23 @@ JAKU crawls your entire app, generates test cases, probes for security vulnerabi
 ## Quick Start
 
 ```bash
-# Option A: Clone & install (development)
-git clone https://github.com/theshantanupandey/jaku.git
-cd jaku
-npm install
-npx playwright install chromium
-
-# Option B: Install globally via npm
-npm install -g @theshantanupandey/jaku
+# Install globally via npm
+npm install -g jaku.sh
 npx playwright install chromium
 
 # Run a full scan (QA + Security + AI + Logic + API)
-jaku scan https://your-app.dev --verbose
-# or without global install:
-node src/cli.js scan https://your-app.dev --verbose
+jaku scan https://your-app.dev --prod-safe
 
-# AI abuse testing only
-jaku ai https://your-ai-app.dev --verbose
+# Quick scan (10 pages, fast feedback)
+jaku scan https://your-app.dev --profile quick --prod-safe
 
+# With OWASP Top 10 compliance report
+jaku scan https://your-app.dev --compliance owasp --prod-safe
+
+# AI abuse testing only
+jaku ai https://your-ai-app.dev
 
 # Reports are saved to ./jaku-reports/<timestamp>/
-# latest-report.json is auto-updated at project root after each scan
 ```
 
 ### First Scan Walkthrough
@@ -414,6 +410,8 @@ Correlations appear in the CLI output and reports with severity escalation.
 | `-c, --config <path>` | Path to config file | `./jaku.config.json` |
 | `-o, --output <dir>` | Output directory for reports | `./jaku-reports/<timestamp>` |
 | `-s, --severity <level>` | Minimum severity threshold (`critical`, `high`, `medium`, `low`) | `low` |
+| `--profile <type>` | Scan profile: `quick`, `deep`, `ci` | — |
+| `--compliance <framework>` | Generate compliance report (`owasp`) | — |
 | `--max-pages <n>` | Maximum pages to crawl | `50` |
 | `--max-depth <n>` | Maximum crawl depth | `5` |
 | `--halt-on-critical` | Abort scan immediately on any critical finding | off |
@@ -434,6 +432,7 @@ Every scan generates 5 report files:
 | **HTML** | `report.html` | Self-contained browsable report with severity charts |
 | **SARIF** | `report.sarif` | GitHub/GitLab Security Dashboard integration (SARIF v2.1.0) |
 | **Diff** | `diff-report.md` | Regression detection vs. previous scan run |
+| **OWASP Compliance** | `compliance-owasp.*` | OWASP Top 10 pass/fail report (JSON + MD + HTML) — requires `--compliance owasp` |
 
 ### Examples
 
@@ -468,7 +467,7 @@ node src/cli.js ai https://myapp.dev/api/chat --max-pages 1 -v
 ```
   ╦╔═╗╦╔═╦ ╦
   ║╠═╣╠╩╗║ ║  呪 Autonomous Security & Quality Intelligence
- ╚╝╩ ╩╩ ╩╚═╝  v1.0.0 · Multi-Agent
+ ╚╝╩ ╩╩ ╩╚═╝  v1.0.2 · Multi-Agent
 
   Target:  https://your-app.dev
   Modules: QA + SECURITY + AI
@@ -634,3 +633,9 @@ Every JAKU scan generates a self-contained **HTML report** at `jaku-reports/<tim
 ## License
 
 [Jaku Public License v1.0](./LICENSE) — free to use, modify, and distribute with attribution. See [LICENSE](./LICENSE) for full terms.
+
+---
+
+**Website:** [jaku.app](https://jaku.app)  
+**npm:** [jaku.sh](https://www.npmjs.com/package/jaku.sh)  
+**GitHub:** [theshantanupandey/jaku](https://github.com/theshantanupandey/jaku)

package/action.yml

@@ -217,7 +217,7 @@ runs:
               }
             }
             
-            body += '\n---\n*Scanned by [JAKU](https://github.com/jaku-security/jaku) v1.0.0*';
+            body += '\n---\n*Scanned by [JAKU](https://github.com/jaku-security/jaku) v1.0.2*';
           } else {
             body += '⚠️ Scan completed but no report was generated. Check workflow logs for errors.';
           }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "jaku.sh",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "JAKU (呪) — Autonomous Security & Quality Intelligence Agent for vibe-coded apps. XSS, SQLi, prompt injection, QA testing, and attack chain correlation in one command.",
   "type": "module",
   "main": "src/cli.js",
@@ -42,7 +42,7 @@
     "url": "https://github.com/theshantanupandey"
   },
   "license": "SEE LICENSE IN LICENSE",
-  "homepage": "https://jakusec.dev",
+  "homepage": "https://jaku.app",
   "repository": {
     "type": "git",
     "url": "https://github.com/theshantanupandey/jaku.git"
@@ -55,7 +55,6 @@
     "commander": "^12.1.0",
     "nanoid": "^5.0.9",
     "ora": "^8.1.1",
-    "p-limit": "^7.3.0",
     "playwright": "^1.49.1",
     "winston": "^3.17.0"
   }

package/src/agents/ai-agent.js

@@ -7,23 +7,19 @@ import { OutputAnalyzer } from '../core/ai/output-analyzer.js';
 import { GuardrailProber } from '../core/ai/guardrail-prober.js';
 import { ModelDoSTester } from '../core/ai/model-dos-tester.js';
 import { IndirectInjector } from '../core/ai/indirect-injector.js';
-import { MultiTurnAttacker } from '../core/ai/multi-turn-attacker.js';
-import { ModelFingerprinter } from '../core/ai/model-fingerprinter.js';
 
 /**
  * JAKU-AI — Prompt Injection & AI Abuse Detection Agent
  * 
  * Pipeline:
  * 1. Detect AI endpoints (auto-discovery from surface inventory)
- * 2. Prompt Injection testing (many-shot, encoding, delimiter, context flood, RAG, CoT)
- * 3. Jailbreak testing (DAN, AIM, model-specific token attacks, persona anchoring)
+ * 2. Prompt Injection testing (24 payloads)
+ * 3. Jailbreak testing (16 techniques)
  * 4. System Prompt Extraction (17 techniques)
- * 5. Output Analysis (AI-mediated XSS, markdown rendering attacks)
- * 6. Guardrail Probing (PII, agency, tool abuse, SSRF, agentic tool injection)
+ * 5. Output Analysis (AI-mediated XSS)
+ * 6. Guardrail Probing (PII, agency, tool abuse)
  * 7. Model DoS Testing (context bombing, token loops)
  * 8. Indirect Injection Testing (6 embedded payloads)
- * 9. Multi-Turn Attack Testing (trust escalation, context drift, memory poisoning)
- * 10. Model Fingerprinting + Model-Specific Exploits
  * 
  * Dependencies: JAKU-CRAWL (runs in Wave 2, parallel with QA + SEC)
  */
@@ -138,35 +134,7 @@ export class AIAgent extends BaseAgent {
         } catch (err) {
             this._log(`Indirect injection testing failed: ${err.message}`, 'error');
         }
-        this.progress('indirect', 'Indirect injection testing complete', 95);
-
-        // Phase 9: Multi-Turn Attack Testing
-        this.progress('multiturn', 'Running multi-turn attack scenarios...', 95);
-        try {
-            const injector = new PromptInjector(logger);
-            const sendMsg = injector._sendMessage.bind(injector);
-            const multiTurnAttacker = new MultiTurnAttacker(logger);
-            const multiTurnFindings = await multiTurnAttacker.test(aiSurfaces, sendMsg);
-            this.addFindings(multiTurnFindings);
-            this._log(`Multi-turn attacks: ${multiTurnFindings.length} vulnerabilities`);
-        } catch (err) {
-            this._log(`Multi-turn testing failed: ${err.message}`, 'error');
-        }
-        this.progress('multiturn', 'Multi-turn attack testing complete', 97);
-
-        // Phase 10: Model Fingerprinting + Model-Specific Exploits
-        this.progress('fingerprint', 'Fingerprinting model and running model-specific attacks...', 97);
-        try {
-            const injector2 = new PromptInjector(logger);
-            const sendMsg2 = injector2._sendMessage.bind(injector2);
-            const fingerprinter = new ModelFingerprinter(logger);
-            const fingerprintFindings = await fingerprinter.test(aiSurfaces, sendMsg2);
-            this.addFindings(fingerprintFindings);
-            this._log(`Model fingerprinting: ${fingerprintFindings.length} findings`);
-        } catch (err) {
-            this._log(`Model fingerprinting failed: ${err.message}`, 'error');
-        }
-        this.progress('fingerprint', 'Model fingerprinting complete', 100);
+        this.progress('indirect', 'Indirect injection testing complete', 100);
 
         this.progress('complete', `AI scan complete — ${this._findings.length} total findings`, 100);
     }