jaku.sh 1.0.0

package/action.yml

@@ -0,0 +1,264 @@
+name: 'JAKU Security Scan'
+description: 'Run JAKU autonomous security & QA scanning on your web application'
+author: 'JAKU'
+branding:
+  icon: 'shield'
+  color: 'green'
+
+inputs:
+  target-url:
+    description: 'Target URL to scan'
+    required: true
+  config-path:
+    description: 'Path to jaku.config.json'
+    required: false
+    default: ''
+  modules:
+    description: 'Comma-separated modules to run (qa,security,ai,logic,api)'
+    required: false
+    default: 'qa,security,ai,logic,api'
+  severity-threshold:
+    description: 'Minimum severity to report (critical|high|medium|low)'
+    required: false
+    default: 'low'
+  fail-on-severity:
+    description: 'Fail the action if findings at this severity or above are found (critical|high|medium|low|none)'
+    required: false
+    default: 'high'
+  sarif-upload:
+    description: 'Upload SARIF results to GitHub Security tab'
+    required: false
+    default: 'true'
+  comment-on-pr:
+    description: 'Post scan summary as PR comment'
+    required: false
+    default: 'true'
+  auth-username:
+    description: 'Username for authenticated scanning'
+    required: false
+    default: ''
+  auth-password:
+    description: 'Password for authenticated scanning'
+    required: false
+    default: ''
+  auth-strategy:
+    description: 'Authentication strategy (auto|form|api|cookie)'
+    required: false
+    default: 'auto'
+  max-pages:
+    description: 'Maximum pages to crawl'
+    required: false
+    default: '50'
+  verbose:
+    description: 'Enable verbose logging'
+    required: false
+    default: 'false'
+
+outputs:
+  report-path:
+    description: 'Path to the generated report directory'
+  sarif-path:
+    description: 'Path to the SARIF report file'
+  findings-count:
+    description: 'Total number of findings'
+  critical-count:
+    description: 'Number of critical findings'
+  high-count:
+    description: 'Number of high findings'
+  exit-code:
+    description: 'Exit code (0 = pass, 1 = findings above threshold)'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Setup Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: '20'
+
+    - name: Install JAKU
+      shell: bash
+      run: |
+        cd ${{ github.action_path }}
+        npm ci --production 2>/dev/null || npm install --production
+
+    - name: Install Playwright browsers
+      shell: bash
+      run: |
+        cd ${{ github.action_path }}
+        npx playwright install chromium --with-deps
+
+    - name: Run JAKU Scan
+      id: scan
+      shell: bash
+      env:
+        JAKU_TARGET_URL: ${{ inputs.target-url }}
+        JAKU_MODULES: ${{ inputs.modules }}
+        JAKU_SEVERITY: ${{ inputs.severity-threshold }}
+        JAKU_FAIL_ON: ${{ inputs.fail-on-severity }}
+        JAKU_CONFIG: ${{ inputs.config-path }}
+        JAKU_AUTH_USER: ${{ inputs.auth-username }}
+        JAKU_AUTH_PASS: ${{ inputs.auth-password }}
+        JAKU_AUTH_STRATEGY: ${{ inputs.auth-strategy }}
+        JAKU_MAX_PAGES: ${{ inputs.max-pages }}
+        JAKU_VERBOSE: ${{ inputs.verbose }}
+      run: |
+        REPORT_DIR="${{ runner.temp }}/jaku-reports"
+        
+        # Build command
+        CMD="node ${{ github.action_path }}/src/cli.js scan \"${JAKU_TARGET_URL}\""
+        CMD="${CMD} -m ${JAKU_MODULES}"
+        CMD="${CMD} -s ${JAKU_SEVERITY}"
+        CMD="${CMD} -o ${REPORT_DIR}"
+        CMD="${CMD} --max-pages ${JAKU_MAX_PAGES}"
+        CMD="${CMD} --prod-safe"
+        
+        if [ -n "${JAKU_CONFIG}" ]; then
+          CMD="${CMD} -c ${JAKU_CONFIG}"
+        fi
+        
+        if [ -n "${JAKU_AUTH_USER}" ] && [ -n "${JAKU_AUTH_PASS}" ]; then
+          CMD="${CMD} --username ${JAKU_AUTH_USER} --password ${JAKU_AUTH_PASS} --auth-strategy ${JAKU_AUTH_STRATEGY}"
+        fi
+        
+        if [ "${JAKU_VERBOSE}" = "true" ]; then
+          CMD="${CMD} --verbose"
+        fi
+        
+        # Run scan
+        eval ${CMD} || true
+        
+        # Parse results
+        if [ -f "${REPORT_DIR}/report.json" ]; then
+          eval $(node --input-type=module -e "
+            import { readFileSync } from 'fs';
+            const r = JSON.parse(readFileSync('${REPORT_DIR}/report.json', 'utf-8'));
+            const s = r.dedupSummary || r.summary;
+            console.log('FINDINGS=' + s.total);
+            console.log('CRITICAL=' + s.critical);
+            console.log('HIGH=' + s.high);
+            console.log('MEDIUM=' + s.medium);
+            console.log('LOW=' + s.low);
+          ")
+        else
+          FINDINGS=0; CRITICAL=0; HIGH=0; MEDIUM=0; LOW=0
+        fi
+        
+        echo "report-path=${REPORT_DIR}" >> $GITHUB_OUTPUT
+        echo "sarif-path=${REPORT_DIR}/report.sarif" >> $GITHUB_OUTPUT
+        echo "findings-count=${FINDINGS}" >> $GITHUB_OUTPUT
+        echo "critical-count=${CRITICAL}" >> $GITHUB_OUTPUT
+        echo "high-count=${HIGH}" >> $GITHUB_OUTPUT
+        
+        # Determine exit code based on fail-on-severity
+        EXIT_CODE=0
+        case "${JAKU_FAIL_ON}" in
+          critical) [ "${CRITICAL}" -gt 0 ] && EXIT_CODE=1 ;;
+          high)     [ "${CRITICAL}" -gt 0 ] || [ "${HIGH}" -gt 0 ] && EXIT_CODE=1 ;;
+          medium)   [ "${CRITICAL}" -gt 0 ] || [ "${HIGH}" -gt 0 ] || [ "${MEDIUM}" -gt 0 ] && EXIT_CODE=1 ;;
+          low)      [ "${FINDINGS}" -gt 0 ] && EXIT_CODE=1 ;;
+          none)     EXIT_CODE=0 ;;
+        esac
+        
+        echo "exit-code=${EXIT_CODE}" >> $GITHUB_OUTPUT
+
+    - name: Upload SARIF to GitHub Security
+      if: inputs.sarif-upload == 'true' && hashFiles(steps.scan.outputs.sarif-path) != ''
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: ${{ steps.scan.outputs.sarif-path }}
+        category: 'jaku-security-scan'
+      continue-on-error: true
+
+    - name: Comment on PR
+      if: inputs.comment-on-pr == 'true' && github.event_name == 'pull_request'
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const fs = require('fs');
+          const reportPath = '${{ steps.scan.outputs.report-path }}/report.json';
+          
+          let body = '## 🛡️ JAKU Security Scan Results\n\n';
+          
+          if (fs.existsSync(reportPath)) {
+            const report = JSON.parse(fs.readFileSync(reportPath, 'utf-8'));
+            const s = report.dedupSummary || report.summary;
+            const ds = report.dedupStats;
+            
+            // Status badge
+            const hasIssues = s.critical > 0 || s.high > 0;
+            body += hasIssues 
+              ? '> ⚠️ **Security issues detected** — review required\n\n'
+              : '> ✅ **No critical or high severity issues found**\n\n';
+            
+            // Summary table
+            body += '| Severity | Count |\n|----------|-------|\n';
+            if (s.critical > 0) body += `| 🔴 Critical | ${s.critical} |\n`;
+            if (s.high > 0) body += `| 🟠 High | ${s.high} |\n`;
+            if (s.medium > 0) body += `| 🟡 Medium | ${s.medium} |\n`;
+            if (s.low > 0) body += `| 🔵 Low | ${s.low} |\n`;
+            body += `| **Total** | **${s.total}** |\n\n`;
+            
+            // Dedup stats
+            if (ds && ds.duplicatesRemoved > 0) {
+              body += `*${ds.rawCount} raw findings deduplicated to ${ds.dedupedCount} unique (${ds.reductionPercent}% reduction)*\n\n`;
+            }
+            
+            // Top findings
+            const findings = report.findings || [];
+            if (findings.length > 0) {
+              body += '### Top Findings\n\n';
+              for (const f of findings.slice(0, 5)) {
+                const icon = { critical: '🔴', high: '🟠', medium: '🟡', low: '🔵', info: '⚪' }[f.severity] || '⚪';
+                body += `- ${icon} **${f.title}** — ${f.affected_surface || f.affected_surfaces?.[0] || 'N/A'}\n`;
+              }
+              if (findings.length > 5) {
+                body += `\n*...and ${findings.length - 5} more. See full report in artifacts.*\n`;
+              }
+            }
+            
+            body += '\n---\n*Scanned by [JAKU](https://github.com/jaku-security/jaku) v1.0.0*';
+          } else {
+            body += '⚠️ Scan completed but no report was generated. Check workflow logs for errors.';
+          }
+          
+          // Find and update existing comment, or create new one
+          const { data: comments } = await github.rest.issues.listComments({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            issue_number: context.issue.number,
+          });
+          
+          const botComment = comments.find(c => c.body.includes('JAKU Security Scan Results'));
+          
+          if (botComment) {
+            await github.rest.issues.updateComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              comment_id: botComment.id,
+              body,
+            });
+          } else {
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body,
+            });
+          }
+
+    - name: Upload Report Artifacts
+      if: always()
+      uses: actions/upload-artifact@v4
+      with:
+        name: jaku-scan-report
+        path: ${{ steps.scan.outputs.report-path }}
+        retention-days: 30
+
+    - name: Check Threshold
+      if: steps.scan.outputs.exit-code == '1'
+      shell: bash
+      run: |
+        echo "::error::JAKU scan found findings at or above the '${{ inputs.fail-on-severity }}' severity threshold."
+        echo "Critical: ${{ steps.scan.outputs.critical-count }}, High: ${{ steps.scan.outputs.high-count }}, Total: ${{ steps.scan.outputs.findings-count }}"
+        exit 1

package/bin/jaku

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+import '../src/cli.js';

package/package.json

@@ -0,0 +1,62 @@
+{
+  "name": "jaku.sh",
+  "version": "1.0.0",
+  "description": "JAKU (呪) — Autonomous Security & Quality Intelligence Agent for vibe-coded apps. XSS, SQLi, prompt injection, QA testing, and attack chain correlation in one command.",
+  "type": "module",
+  "main": "src/cli.js",
+  "bin": {
+    "jaku": "./bin/jaku"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "files": [
+    "src/",
+    "bin/",
+    "action.yml",
+    "README.md"
+  ],
+  "scripts": {
+    "scan": "node src/cli.js scan",
+    "prepublishOnly": "node src/cli.js --help"
+  },
+  "keywords": [
+    "security",
+    "qa",
+    "testing",
+    "automation",
+    "playwright",
+    "scanning",
+    "xss",
+    "sql-injection",
+    "prompt-injection",
+    "ai-security",
+    "vulnerability-scanner",
+    "penetration-testing",
+    "vibe-coding",
+    "autonomous-testing",
+    "attack-chain"
+  ],
+  "author": {
+    "name": "Shantanu Pandey",
+    "url": "https://github.com/theshantanupandey"
+  },
+  "license": "SEE LICENSE IN LICENSE",
+  "homepage": "https://jakusec.dev",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/theshantanupandey/jaku.git"
+  },
+  "bugs": {
+    "url": "https://github.com/theshantanupandey/jaku/issues"
+  },
+  "dependencies": {
+    "chalk": "^5.3.0",
+    "commander": "^12.1.0",
+    "nanoid": "^5.0.9",
+    "ora": "^8.1.1",
+    "p-limit": "^7.3.0",
+    "playwright": "^1.49.1",
+    "winston": "^3.17.0"
+  }
+}

package/src/agents/ai-agent.js

@@ -0,0 +1,175 @@
+import { BaseAgent } from './base-agent.js';
+import { AIEndpointDetector } from '../core/ai/ai-endpoint-detector.js';
+import { PromptInjector } from '../core/ai/prompt-injector.js';
+import { JailbreakTester } from '../core/ai/jailbreak-tester.js';
+import { SystemPromptExtractor } from '../core/ai/system-prompt-extractor.js';
+import { OutputAnalyzer } from '../core/ai/output-analyzer.js';
+import { GuardrailProber } from '../core/ai/guardrail-prober.js';
+import { ModelDoSTester } from '../core/ai/model-dos-tester.js';
+import { IndirectInjector } from '../core/ai/indirect-injector.js';
+import { MultiTurnAttacker } from '../core/ai/multi-turn-attacker.js';
+import { ModelFingerprinter } from '../core/ai/model-fingerprinter.js';
+
+/**
+ * JAKU-AI — Prompt Injection & AI Abuse Detection Agent
+ * 
+ * Pipeline:
+ * 1. Detect AI endpoints (auto-discovery from surface inventory)
+ * 2. Prompt Injection testing (many-shot, encoding, delimiter, context flood, RAG, CoT)
+ * 3. Jailbreak testing (DAN, AIM, model-specific token attacks, persona anchoring)
+ * 4. System Prompt Extraction (17 techniques)
+ * 5. Output Analysis (AI-mediated XSS, markdown rendering attacks)
+ * 6. Guardrail Probing (PII, agency, tool abuse, SSRF, agentic tool injection)
+ * 7. Model DoS Testing (context bombing, token loops)
+ * 8. Indirect Injection Testing (6 embedded payloads)
+ * 9. Multi-Turn Attack Testing (trust escalation, context drift, memory poisoning)
+ * 10. Model Fingerprinting + Model-Specific Exploits
+ * 
+ * Dependencies: JAKU-CRAWL (runs in Wave 2, parallel with QA + SEC)
+ */
+export class AIAgent extends BaseAgent {
+    get name() { return 'JAKU-AI'; }
+    get dependencies() { return ['JAKU-CRAWL']; }
+
+    async _execute(context) {
+        const { config, logger, surfaceInventory } = context;
+
+        if (!surfaceInventory) {
+            throw new Error('No surface inventory available — JAKU-CRAWL must run first');
+        }
+
+        // Phase 1: Detect AI endpoints
+        this.progress('detect', 'Detecting AI-powered endpoints...', 0);
+
+        const detector = new AIEndpointDetector(logger);
+        const aiSurfaces = await detector.detect(surfaceInventory);
+
+        this._log(`Detected ${aiSurfaces.length} AI surfaces (${aiSurfaces.filter(s => s.confidence === 'confirmed').length} confirmed)`);
+        this.progress('detect', `Found ${aiSurfaces.length} AI endpoints`, 10);
+
+        if (aiSurfaces.length === 0) {
+            this._log('No AI endpoints detected — skipping AI abuse tests');
+            this.progress('complete', 'No AI endpoints found — scan skipped', 100);
+            return;
+        }
+
+        // Create shared sendMessage function for sub-modules
+        const injector = new PromptInjector(logger);
+        const sendMessage = injector._sendMessage.bind(injector);
+
+        // Phase 2: Prompt Injection
+        this.progress('injection', 'Testing for prompt injection...', 15);
+        try {
+            const injectionFindings = await injector.inject(aiSurfaces);
+            this.addFindings(injectionFindings);
+            this._log(`Prompt injection: ${injectionFindings.length} vulnerabilities`);
+        } catch (err) {
+            this._log(`Prompt injection testing failed: ${err.message}`, 'error');
+        }
+        this.progress('injection', 'Prompt injection testing complete', 30);
+
+        // Phase 3: Jailbreak Testing
+        this.progress('jailbreak', 'Testing jailbreak techniques...', 30);
+        try {
+            const tester = new JailbreakTester(logger);
+            const jailbreakFindings = await tester.test(aiSurfaces, sendMessage);
+            this.addFindings(jailbreakFindings);
+            this._log(`Jailbreak: ${jailbreakFindings.length} vulnerabilities`);
+        } catch (err) {
+            this._log(`Jailbreak testing failed: ${err.message}`, 'error');
+        }
+        this.progress('jailbreak', 'Jailbreak testing complete', 50);
+
+        // Phase 4: System Prompt Extraction
+        this.progress('extraction', 'Attempting system prompt extraction...', 50);
+        try {
+            const extractor = new SystemPromptExtractor(logger);
+            const extractionFindings = await extractor.extract(aiSurfaces, sendMessage);
+            this.addFindings(extractionFindings);
+            this._log(`System prompt extraction: ${extractionFindings.length} leaks`);
+        } catch (err) {
+            this._log(`System prompt extraction failed: ${err.message}`, 'error');
+        }
+        this.progress('extraction', 'System prompt extraction complete', 70);
+
+        // Phase 5: Output Analysis (AI-mediated XSS)
+        this.progress('output', 'Analyzing AI output sanitization...', 70);
+        try {
+            const analyzer = new OutputAnalyzer(logger);
+            const outputFindings = await analyzer.analyze(aiSurfaces, sendMessage);
+            this.addFindings(outputFindings);
+            this._log(`Output analysis: ${outputFindings.length} issues`);
+        } catch (err) {
+            this._log(`Output analysis failed: ${err.message}`, 'error');
+        }
+        this.progress('output', 'Output analysis complete', 85);
+
+        // Phase 6: Guardrail Probing
+        this.progress('guardrails', 'Probing AI guardrails...', 85);
+        try {
+            const prober = new GuardrailProber(logger);
+            const guardrailFindings = await prober.probe(aiSurfaces, sendMessage);
+            this.addFindings(guardrailFindings);
+            this._log(`Guardrails: ${guardrailFindings.length} bypasses`);
+        } catch (err) {
+            this._log(`Guardrail probing failed: ${err.message}`, 'error');
+        }
+        this.progress('guardrails', 'Guardrail probing complete', 80);
+
+        // Phase 7: Model DoS
+        this.progress('dos', 'Testing model DoS vectors...', 80);
+        try {
+            const dosTester = new ModelDoSTester(logger);
+            const dosFindings = await dosTester.test(aiSurfaces, sendMessage);
+            this.addFindings(dosFindings);
+            this._log(`Model DoS: ${dosFindings.length} issues`);
+        } catch (err) {
+            this._log(`Model DoS testing failed: ${err.message}`, 'error');
+        }
+        this.progress('dos', 'Model DoS testing complete', 90);
+
+        // Phase 8: Indirect Injection
+        this.progress('indirect', 'Testing indirect prompt injection...', 90);
+        try {
+            const indirectInjector = new IndirectInjector(logger);
+            const indirectFindings = await indirectInjector.test(aiSurfaces, sendMessage);
+            this.addFindings(indirectFindings);
+            this._log(`Indirect injection: ${indirectFindings.length} vulnerabilities`);
+        } catch (err) {
+            this._log(`Indirect injection testing failed: ${err.message}`, 'error');
+        }
+        this.progress('indirect', 'Indirect injection testing complete', 95);
+
+        // Phase 9: Multi-Turn Attack Testing
+        this.progress('multiturn', 'Running multi-turn attack scenarios...', 95);
+        try {
+            const injector = new PromptInjector(logger);
+            const sendMsg = injector._sendMessage.bind(injector);
+            const multiTurnAttacker = new MultiTurnAttacker(logger);
+            const multiTurnFindings = await multiTurnAttacker.test(aiSurfaces, sendMsg);
+            this.addFindings(multiTurnFindings);
+            this._log(`Multi-turn attacks: ${multiTurnFindings.length} vulnerabilities`);
+        } catch (err) {
+            this._log(`Multi-turn testing failed: ${err.message}`, 'error');
+        }
+        this.progress('multiturn', 'Multi-turn attack testing complete', 97);
+
+        // Phase 10: Model Fingerprinting + Model-Specific Exploits
+        this.progress('fingerprint', 'Fingerprinting model and running model-specific attacks...', 97);
+        try {
+            const injector2 = new PromptInjector(logger);
+            const sendMsg2 = injector2._sendMessage.bind(injector2);
+            const fingerprinter = new ModelFingerprinter(logger);
+            const fingerprintFindings = await fingerprinter.test(aiSurfaces, sendMsg2);
+            this.addFindings(fingerprintFindings);
+            this._log(`Model fingerprinting: ${fingerprintFindings.length} findings`);
+        } catch (err) {
+            this._log(`Model fingerprinting failed: ${err.message}`, 'error');
+        }
+        this.progress('fingerprint', 'Model fingerprinting complete', 100);
+
+        this.progress('complete', `AI scan complete — ${this._findings.length} total findings`, 100);
+    }
+}
+
+export default AIAgent;

package/src/agents/api-agent.js

@@ -0,0 +1,95 @@
+import { BaseAgent } from './base-agent.js';
+import { AuthFlowTester } from '../core/api/auth-flow-tester.js';
+import { OAuthProber } from '../core/api/oauth-prober.js';
+import { APIKeyAuditor } from '../core/api/api-key-auditor.js';
+import { GraphQLTester } from '../core/api/graphql-tester.js';
+import { CORSWSTester } from '../core/api/cors-ws-tester.js';
+
+/**
+ * JAKU-API — API & Auth Flow Verification Agent
+ *
+ * Pipeline:
+ * 1. Test authentication flows (JWT, sessions, passwords, MFA)
+ * 2. Probe OAuth/SSO security
+ * 3. Audit API key management
+ * 4. Test GraphQL-specific vulnerabilities
+ * 5. Validate CORS and WebSocket security
+ *
+ * Dependencies: JAKU-CRAWL (runs in Wave 2, parallel with QA + SEC + AI + LOGIC)
+ */
+export class APIAgent extends BaseAgent {
+    get name() { return 'JAKU-API'; }
+    get dependencies() { return ['JAKU-CRAWL']; }
+
+    async _execute(context) {
+        const { config, logger, surfaceInventory } = context;
+
+        if (!surfaceInventory) {
+            throw new Error('No surface inventory available — JAKU-CRAWL must run first');
+        }
+
+        // Phase 1: Auth flow testing
+        this.progress('auth', 'Testing authentication flows...', 0);
+        try {
+            const authTester = new AuthFlowTester(logger);
+            const authFindings = await authTester.test(surfaceInventory);
+            this.addFindings(authFindings);
+            this._log(`Auth flows: ${authFindings.length} issues`);
+        } catch (err) {
+            this._log(`Auth flow testing failed: ${err.message}`, 'error');
+        }
+        this.progress('auth', 'Auth flow testing complete', 20);
+
+        // Phase 2: OAuth probing
+        this.progress('oauth', 'Probing OAuth/SSO flows...', 20);
+        try {
+            const oauthProber = new OAuthProber(logger);
+            const oauthFindings = await oauthProber.probe(surfaceInventory);
+            this.addFindings(oauthFindings);
+            this._log(`OAuth: ${oauthFindings.length} issues`);
+        } catch (err) {
+            this._log(`OAuth probing failed: ${err.message}`, 'error');
+        }
+        this.progress('oauth', 'OAuth probing complete', 40);
+
+        // Phase 3: API key audit
+        this.progress('apikeys', 'Auditing API key management...', 40);
+        try {
+            const keyAuditor = new APIKeyAuditor(logger);
+            const keyFindings = await keyAuditor.audit(surfaceInventory);
+            this.addFindings(keyFindings);
+            this._log(`API keys: ${keyFindings.length} issues`);
+        } catch (err) {
+            this._log(`API key audit failed: ${err.message}`, 'error');
+        }
+        this.progress('apikeys', 'API key audit complete', 60);
+
+        // Phase 4: GraphQL testing
+        this.progress('graphql', 'Testing GraphQL endpoints...', 60);
+        try {
+            const gqlTester = new GraphQLTester(logger);
+            const gqlFindings = await gqlTester.test(surfaceInventory);
+            this.addFindings(gqlFindings);
+            this._log(`GraphQL: ${gqlFindings.length} issues`);
+        } catch (err) {
+            this._log(`GraphQL testing failed: ${err.message}`, 'error');
+        }
+        this.progress('graphql', 'GraphQL testing complete', 80);
+
+        // Phase 5: CORS & WebSocket testing
+        this.progress('cors-ws', 'Testing CORS and WebSocket security...', 80);
+        try {
+            const corsTester = new CORSWSTester(logger);
+            const corsFindings = await corsTester.test(surfaceInventory);
+            this.addFindings(corsFindings);
+            this._log(`CORS/WS: ${corsFindings.length} issues`);
+        } catch (err) {
+            this._log(`CORS/WS testing failed: ${err.message}`, 'error');
+        }
+        this.progress('cors-ws', 'CORS/WS testing complete', 100);
+
+        this.progress('complete', `API scan complete — ${this._findings.length} total findings`, 100);
+    }
+}
+
+export default APIAgent;