jaku.sh 1.0.1 → 1.0.2

package/README.md

@@ -28,27 +28,23 @@ JAKU crawls your entire app, generates test cases, probes for security vulnerabi
 ## Quick Start
 
 ```bash
-# Option A: Clone & install (development)
-git clone https://github.com/theshantanupandey/jaku.git
-cd jaku
-npm install
-npx playwright install chromium
-
-# Option B: Install globally via npm
-npm install -g @theshantanupandey/jaku
+# Install globally via npm
+npm install -g jaku.sh
 npx playwright install chromium
 
 # Run a full scan (QA + Security + AI + Logic + API)
-jaku scan https://your-app.dev --verbose
-# or without global install:
-node src/cli.js scan https://your-app.dev --verbose
+jaku scan https://your-app.dev --prod-safe
 
-# AI abuse testing only
-jaku ai https://your-ai-app.dev --verbose
+# Quick scan (10 pages, fast feedback)
+jaku scan https://your-app.dev --profile quick --prod-safe
 
+# With OWASP Top 10 compliance report
+jaku scan https://your-app.dev --compliance owasp --prod-safe
+
+# AI abuse testing only
+jaku ai https://your-ai-app.dev
 
 # Reports are saved to ./jaku-reports/<timestamp>/
-# latest-report.json is auto-updated at project root after each scan
 ```
 
 ### First Scan Walkthrough
@@ -414,6 +410,8 @@ Correlations appear in the CLI output and reports with severity escalation.
 | `-c, --config <path>` | Path to config file | `./jaku.config.json` |
 | `-o, --output <dir>` | Output directory for reports | `./jaku-reports/<timestamp>` |
 | `-s, --severity <level>` | Minimum severity threshold (`critical`, `high`, `medium`, `low`) | `low` |
+| `--profile <type>` | Scan profile: `quick`, `deep`, `ci` | — |
+| `--compliance <framework>` | Generate compliance report (`owasp`) | — |
 | `--max-pages <n>` | Maximum pages to crawl | `50` |
 | `--max-depth <n>` | Maximum crawl depth | `5` |
 | `--halt-on-critical` | Abort scan immediately on any critical finding | off |
@@ -434,6 +432,7 @@ Every scan generates 5 report files:
 | **HTML** | `report.html` | Self-contained browsable report with severity charts |
 | **SARIF** | `report.sarif` | GitHub/GitLab Security Dashboard integration (SARIF v2.1.0) |
 | **Diff** | `diff-report.md` | Regression detection vs. previous scan run |
+| **OWASP Compliance** | `compliance-owasp.*` | OWASP Top 10 pass/fail report (JSON + MD + HTML) — requires `--compliance owasp` |
 
 ### Examples
 
@@ -468,7 +467,7 @@ node src/cli.js ai https://myapp.dev/api/chat --max-pages 1 -v
 ```
   ╦╔═╗╦╔═╦ ╦
   ║╠═╣╠╩╗║ ║  呪 Autonomous Security & Quality Intelligence
- ╚╝╩ ╩╩ ╩╚═╝  v1.0.1 · Multi-Agent
+ ╚╝╩ ╩╩ ╩╚═╝  v1.0.2 · Multi-Agent
 
   Target:  https://your-app.dev
   Modules: QA + SECURITY + AI
@@ -634,3 +633,9 @@ Every JAKU scan generates a self-contained **HTML report** at `jaku-reports/<tim
 ## License
 
 [Jaku Public License v1.0](./LICENSE) — free to use, modify, and distribute with attribution. See [LICENSE](./LICENSE) for full terms.
+
+---
+
+**Website:** [jaku.app](https://jaku.app)  
+**npm:** [jaku.sh](https://www.npmjs.com/package/jaku.sh)  
+**GitHub:** [theshantanupandey/jaku](https://github.com/theshantanupandey/jaku)

package/action.yml

@@ -217,7 +217,7 @@ runs:
               }
             }
             
-            body += '\n---\n*Scanned by [JAKU](https://github.com/jaku-security/jaku) v1.0.1*';
+            body += '\n---\n*Scanned by [JAKU](https://github.com/jaku-security/jaku) v1.0.2*';
           } else {
             body += '⚠️ Scan completed but no report was generated. Check workflow logs for errors.';
           }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "jaku.sh",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "JAKU (呪) — Autonomous Security & Quality Intelligence Agent for vibe-coded apps. XSS, SQLi, prompt injection, QA testing, and attack chain correlation in one command.",
   "type": "module",
   "main": "src/cli.js",
@@ -42,7 +42,7 @@
     "url": "https://github.com/theshantanupandey"
   },
   "license": "SEE LICENSE IN LICENSE",
-  "homepage": "https://jakusec.dev",
+  "homepage": "https://jaku.app",
   "repository": {
     "type": "git",
     "url": "https://github.com/theshantanupandey/jaku.git"

package/src/agents/orchestrator.js

@@ -255,7 +255,7 @@ export class Orchestrator {
         try {
             const payload = {
                 agent: 'JAKU',
-                version: '1.0.1',
+                version: '1.0.2',
                 target: this.config.target_url,
                 timestamp: new Date().toISOString(),
                 duration: results.duration,

package/src/cli.js

@@ -12,12 +12,13 @@ import { AIAgent } from './agents/ai-agent.js';
 import { LogicAgent } from './agents/logic-agent.js';
 import { APIAgent } from './agents/api-agent.js';
 import { ReportGenerator } from './reporting/report-generator.js';
+import { ComplianceReporter } from './reporting/compliance-reporter.js';
 import { AuthManager } from './core/auth-manager.js';
 
 const BANNER = `
 ${chalk.hex('#00ff88').bold('  ╦╔═╗╦╔═╦ ╦')}
 ${chalk.hex('#00ff88').bold('  ║╠═╣╠╩╗║ ║')}  ${chalk.dim('呪 Autonomous Security & Quality Intelligence')}
-${chalk.hex('#00ff88').bold(' ╚╝╩ ╩╩ ╩╚═╝')}  ${chalk.dim('v1.0.1 · Multi-Agent')}
+${chalk.hex('#00ff88').bold(' ╚╝╩ ╩╩ ╩╚═╝')}  ${chalk.dim('v1.0.2 · Multi-Agent')}
 `;
 
 const program = new Command();
@@ -25,7 +26,7 @@ const program = new Command();
 program
     .name('jaku')
     .description('JAKU (呪) — Autonomous QA & Security scanning agent for vibe-coded apps')
-    .version('1.0.1');
+    .version('1.0.2');
 
 // ═══════════════════════════════════════════════
 // Multi-Agent Scan Runner
@@ -225,6 +226,18 @@ async function runScan(url, options, modulesToRun) {
             outputDir: config.output_dir,
         });
 
+        // Generate compliance report if requested
+        let complianceResult = null;
+        if (options.compliance) {
+            const complianceReporter = new ComplianceReporter(config, logger);
+            complianceResult = complianceReporter.generate(
+                options.compliance,
+                results.findings,
+                reportDir,
+                { target: url, version: '1.0.2', scannedAt: new Date().toISOString() }
+            );
+        }
+
         reportSpinner.succeed(`Reports saved to ${chalk.underline(reportDir)}`);
 
         // ═══════════════════════════════════════
@@ -266,6 +279,23 @@ async function runScan(url, options, modulesToRun) {
             }
         }
 
+        // OWASP Compliance Summary
+        if (complianceResult?.compliance) {
+            const c = complianceResult.compliance;
+            console.log();
+            console.log(chalk.hex('#00ff88').bold('  ═══ OWASP TOP 10 COMPLIANCE ═══'));
+            console.log();
+            const scoreColor = c.percentage >= 80 ? '#00e676' : c.percentage >= 50 ? '#ffd600' : '#ff1744';
+            console.log(`  ${chalk.dim('Score:')}       ${chalk.hex(scoreColor).bold(`${c.score}/${c.total}`)} (${c.percentage}%)`);
+            console.log();
+            for (const cat of c.categories) {
+                const icon = cat.status === 'pass' ? chalk.hex('#00e676')('✔') : cat.status === 'fail' ? chalk.red('✘') : chalk.yellow('⚠');
+                const label = `${cat.id} ${cat.name}`;
+                const count = cat.findingsCount > 0 ? chalk.dim(` (${cat.findingsCount} findings)`) : '';
+                console.log(`  ${icon} ${label}${count}`);
+            }
+        }
+
         console.log();
 
         if (summary.critical > 0) {
@@ -298,6 +328,7 @@ program
     .option('-m, --modules <list>', 'Comma-separated modules to run (qa,security,ai,logic,api)', 'qa,security,ai,logic,api')
     .option('-s, --severity <level>', 'Minimum severity threshold (critical|high|medium|low)', 'low')
     .option('--profile <type>', 'Scan profile: quick|deep|ci (overrides crawl settings)')
+    .option('--compliance <framework>', 'Generate compliance report (owasp)')
     .option('--json', 'Output JSON report')
     .option('--html', 'Output HTML report')
     .option('--max-pages <n>', 'Maximum pages to crawl', '50')

package/src/reporting/compliance-reporter.js

@@ -0,0 +1,317 @@
+import fs from 'fs';
+import path from 'path';
+import { getComplianceStatus } from '../utils/owasp-mapper.js';
+
+/**
+ * ComplianceReporter — Generates OWASP Top 10 compliance reports
+ * in JSON, Markdown, and HTML formats.
+ */
+export class ComplianceReporter {
+    constructor(config, logger) {
+        this.config = config;
+        this.logger = logger;
+    }
+
+    /**
+     * Generate compliance reports for the given framework.
+     *
+     * @param {string} framework - 'owasp' (extensible for future frameworks)
+     * @param {Array} findings - All findings (should have `owasp` field)
+     * @param {string} reportDir - Output directory
+     * @param {object} meta - Report metadata (target, version, scannedAt)
+     */
+    generate(framework, findings, reportDir, meta) {
+        if (framework !== 'owasp') {
+            this.logger?.warn?.(`Unknown compliance framework: ${framework}`);
+            return null;
+        }
+
+        const compliance = getComplianceStatus(findings);
+        compliance.meta = meta;
+
+        // JSON
+        const jsonPath = path.join(reportDir, 'compliance-owasp.json');
+        fs.writeFileSync(jsonPath, JSON.stringify(compliance, null, 2), 'utf-8');
+
+        // Markdown
+        const mdPath = path.join(reportDir, 'compliance-owasp.md');
+        fs.writeFileSync(mdPath, this._generateMarkdown(compliance), 'utf-8');
+
+        // HTML
+        const htmlPath = path.join(reportDir, 'compliance-owasp.html');
+        fs.writeFileSync(htmlPath, this._generateHTML(compliance), 'utf-8');
+
+        this.logger?.info?.(`Compliance reports generated: ${jsonPath}`);
+        return { jsonPath, mdPath, htmlPath, compliance };
+    }
+
+    // ═══════════════════════════════════════════════
+    // Markdown Report
+    // ═══════════════════════════════════════════════
+
+    _generateMarkdown(compliance) {
+        const { meta } = compliance;
+        let md = '';
+
+        md += `# 呪 JAKU — OWASP Top 10 (2021) Compliance Report\n\n`;
+        md += `**Target:** ${meta.target}  \n`;
+        md += `**Scanned:** ${meta.scannedAt}  \n`;
+        md += `**Agent Version:** ${meta.version}  \n\n`;
+
+        md += `---\n\n`;
+        md += `## Compliance Score: ${compliance.score}/${compliance.total} (${compliance.percentage}%)\n\n`;
+
+        // Summary table
+        md += `| Category | Status | Findings | Critical | High | Medium | Low |\n`;
+        md += `|----------|--------|----------|----------|------|--------|-----|\n`;
+
+        for (const cat of compliance.categories) {
+            const statusIcon = cat.status === 'pass' ? '✅ PASS' : cat.status === 'fail' ? '❌ FAIL' : '⚠️ WARN';
+            md += `| ${cat.id} ${cat.name} | ${statusIcon} | ${cat.findingsCount} | ${cat.criticalCount} | ${cat.highCount} | ${cat.mediumCount} | ${cat.lowCount} |\n`;
+        }
+
+        md += `\n---\n\n`;
+
+        // Detailed findings per category
+        for (const cat of compliance.categories) {
+            if (cat.findingsCount === 0) continue;
+
+            md += `## ${cat.id}: ${cat.name}\n\n`;
+            md += `> ${cat.description}\n\n`;
+            md += `**Status:** ${cat.status === 'fail' ? '❌ FAIL' : '⚠️ WARN'} — ${cat.findingsCount} finding(s)\n\n`;
+
+            for (const f of cat.findings) {
+                const sevIcon = { critical: '🔴', high: '🟠', medium: '🟡', low: '🔵', info: '⚪' }[f.severity] || '⚪';
+                md += `### ${sevIcon} ${f.id}: ${f.title}\n\n`;
+                md += `**Severity:** ${f.severity.toUpperCase()}  \n`;
+                md += `**Affected:** ${f.affected_surface}  \n\n`;
+                md += `${f.description}\n\n`;
+                if (f.remediation) {
+                    md += `**Remediation:** ${f.remediation}\n\n`;
+                }
+                md += `---\n\n`;
+            }
+        }
+
+        md += `\n*Compliance report generated by JAKU 呪 v${meta.version}*\n`;
+        return md;
+    }
+
+    // ═══════════════════════════════════════════════
+    // HTML Report
+    // ═══════════════════════════════════════════════
+
+    _generateHTML(compliance) {
+        const { meta } = compliance;
+        const passPercent = compliance.percentage;
+        const scoreColor = passPercent >= 80 ? '#00e676' : passPercent >= 50 ? '#ffd600' : '#ff1744';
+
+        const categoriesHTML = compliance.categories.map(cat => {
+            const statusClass = cat.status === 'pass' ? 'pass' : cat.status === 'fail' ? 'fail' : 'warn';
+            const statusIcon = cat.status === 'pass' ? '✅' : cat.status === 'fail' ? '❌' : '⚠️';
+            const findingsHTML = cat.findings.map(f => `
+        <div class="finding-item">
+          <span class="sev-dot ${f.severity}"></span>
+          <span class="finding-id">${this._escapeHtml(f.id)}</span>
+          <span class="finding-title-text">${this._escapeHtml(f.title)}</span>
+          <span class="sev-badge ${f.severity}">${f.severity}</span>
+        </div>`).join('');
+
+            return `
+      <div class="category-card ${statusClass}">
+        <div class="category-header">
+          <div class="category-id">${cat.id}</div>
+          <div class="category-name">${this._escapeHtml(cat.name)}</div>
+          <div class="category-status ${statusClass}">${statusIcon} ${cat.status.toUpperCase()}</div>
+        </div>
+        <div class="category-desc">${this._escapeHtml(cat.description)}</div>
+        <div class="category-stats">
+          <span class="stat">${cat.findingsCount} findings</span>
+          ${cat.criticalCount > 0 ? `<span class="stat critical">${cat.criticalCount} critical</span>` : ''}
+          ${cat.highCount > 0 ? `<span class="stat high">${cat.highCount} high</span>` : ''}
+          ${cat.mediumCount > 0 ? `<span class="stat medium">${cat.mediumCount} medium</span>` : ''}
+          ${cat.lowCount > 0 ? `<span class="stat low">${cat.lowCount} low</span>` : ''}
+        </div>
+        ${cat.findingsCount > 0 ? `<details class="category-findings"><summary>View Findings</summary>${findingsHTML}</details>` : ''}
+      </div>`;
+        }).join('');
+
+        return `<!DOCTYPE html>
+<html lang="en" data-theme="dark">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>JAKU OWASP Compliance — ${meta.target}</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    :root {
+      --bg: #0a0a0f; --surface: #12121a; --surface-2: #1a1a25;
+      --text: #e0e0e8; --text-dim: #8888a0; --accent: #00ff88;
+      --pass: #00e676; --fail: #ff1744; --warn: #ffd600;
+      --critical: #ff1744; --high: #ff6d00; --medium: #ffd600;
+      --low: #2979ff; --info: #90a4ae; --border: #2a2a3a;
+    }
+    body {
+      font-family: 'SF Mono', 'Fira Code', 'Cascadia Code', monospace;
+      background: var(--bg); color: var(--text); line-height: 1.6;
+      padding: 2rem; max-width: 1200px; margin: 0 auto;
+    }
+    h1 { font-size: 1.8rem; color: var(--accent); margin-bottom: 0.5rem; }
+    .meta { color: var(--text-dim); font-size: 0.85rem; margin-bottom: 2rem; }
+    .meta span { margin-right: 2rem; }
+
+    /* Score Ring */
+    .score-container {
+      display: flex; align-items: center; gap: 2rem;
+      background: var(--surface); border: 1px solid var(--border);
+      border-radius: 12px; padding: 2rem; margin: 2rem 0;
+    }
+    .score-ring {
+      position: relative; width: 140px; height: 140px; flex-shrink: 0;
+    }
+    .score-ring svg { transform: rotate(-90deg); }
+    .score-ring .bg { stroke: var(--surface-2); }
+    .score-ring .fg { stroke: ${scoreColor}; stroke-linecap: round; transition: stroke-dashoffset 1s ease; }
+    .score-value {
+      position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%);
+      font-size: 2rem; font-weight: bold; color: ${scoreColor};
+    }
+    .score-label { font-size: 0.85rem; color: var(--text-dim); }
+    .score-details h2 { font-size: 1.4rem; margin-bottom: 0.5rem; }
+    .score-breakdown { display: flex; gap: 1.5rem; margin-top: 0.75rem; }
+    .score-breakdown .item { text-align: center; }
+    .score-breakdown .item .num { font-size: 1.5rem; font-weight: bold; }
+    .score-breakdown .item .lbl { font-size: 0.7rem; color: var(--text-dim); text-transform: uppercase; }
+    .score-breakdown .item.pass .num { color: var(--pass); }
+    .score-breakdown .item.fail .num { color: var(--fail); }
+    .score-breakdown .item.warn .num { color: var(--warn); }
+
+    /* Category Cards */
+    .category-card {
+      background: var(--surface); border: 1px solid var(--border);
+      border-radius: 8px; padding: 1.25rem; margin: 1rem 0;
+      border-left: 4px solid var(--border);
+    }
+    .category-card.pass { border-left-color: var(--pass); }
+    .category-card.fail { border-left-color: var(--fail); }
+    .category-card.warn { border-left-color: var(--warn); }
+    .category-header {
+      display: flex; align-items: center; gap: 1rem; margin-bottom: 0.5rem;
+    }
+    .category-id {
+      font-size: 0.75rem; color: var(--accent); font-weight: bold;
+      background: var(--surface-2); padding: 2px 8px; border-radius: 4px;
+    }
+    .category-name { font-weight: bold; font-size: 0.95rem; flex: 1; }
+    .category-status { font-size: 0.8rem; font-weight: bold; }
+    .category-status.pass { color: var(--pass); }
+    .category-status.fail { color: var(--fail); }
+    .category-status.warn { color: var(--warn); }
+    .category-desc { font-size: 0.8rem; color: var(--text-dim); margin: 0.5rem 0; }
+    .category-stats { display: flex; gap: 1rem; margin-top: 0.5rem; }
+    .stat {
+      font-size: 0.75rem; padding: 2px 8px; border-radius: 4px;
+      background: var(--surface-2); color: var(--text-dim);
+    }
+    .stat.critical { color: var(--critical); }
+    .stat.high { color: var(--high); }
+    .stat.medium { color: var(--medium); }
+    .stat.low { color: var(--low); }
+
+    /* Finding items inside category */
+    .category-findings { margin-top: 0.75rem; }
+    .category-findings summary {
+      cursor: pointer; font-size: 0.8rem; color: var(--accent);
+    }
+    .finding-item {
+      display: flex; align-items: center; gap: 0.5rem;
+      padding: 0.5rem 0; border-bottom: 1px solid var(--border);
+      font-size: 0.8rem;
+    }
+    .finding-item:last-child { border-bottom: none; }
+    .sev-dot {
+      width: 8px; height: 8px; border-radius: 50%; flex-shrink: 0;
+    }
+    .sev-dot.critical { background: var(--critical); }
+    .sev-dot.high { background: var(--high); }
+    .sev-dot.medium { background: var(--medium); }
+    .sev-dot.low { background: var(--low); }
+    .sev-dot.info { background: var(--info); }
+    .finding-id { color: var(--text-dim); font-size: 0.7rem; min-width: 110px; }
+    .finding-title-text { flex: 1; }
+    .sev-badge {
+      display: inline-block; padding: 1px 6px; border-radius: 3px;
+      font-size: 0.65rem; font-weight: bold; text-transform: uppercase;
+    }
+    .sev-badge.critical { background: var(--critical); color: #fff; }
+    .sev-badge.high { background: var(--high); color: #000; }
+    .sev-badge.medium { background: var(--medium); color: #000; }
+    .sev-badge.low { background: var(--low); color: #fff; }
+    .sev-badge.info { background: var(--info); color: #000; }
+
+    footer {
+      margin-top: 3rem; padding-top: 1rem; border-top: 1px solid var(--border);
+      color: var(--text-dim); font-size: 0.75rem; text-align: center;
+    }
+  </style>
+</head>
+<body>
+  <h1>呪 JAKU — OWASP Top 10 Compliance</h1>
+  <div class="meta">
+    <span>Target: ${meta.target}</span>
+    <span>Scanned: ${new Date(meta.scannedAt).toLocaleString()}</span>
+    <span>Framework: OWASP Top 10 (2021)</span>
+  </div>
+
+  <div class="score-container">
+    <div class="score-ring">
+      <svg viewBox="0 0 140 140" width="140" height="140">
+        <circle class="bg" cx="70" cy="70" r="60" fill="none" stroke-width="10"/>
+        <circle class="fg" cx="70" cy="70" r="60" fill="none" stroke-width="10"
+          stroke-dasharray="${2 * Math.PI * 60}"
+          stroke-dashoffset="${2 * Math.PI * 60 * (1 - passPercent / 100)}"/>
+      </svg>
+      <div class="score-value">${passPercent}%</div>
+    </div>
+    <div class="score-details">
+      <h2>Compliance Score</h2>
+      <div class="score-label">${compliance.score} of ${compliance.total} OWASP categories passing</div>
+      <div class="score-breakdown">
+        <div class="item pass">
+          <div class="num">${compliance.categories.filter(c => c.status === 'pass').length}</div>
+          <div class="lbl">Passing</div>
+        </div>
+        <div class="item warn">
+          <div class="num">${compliance.categories.filter(c => c.status === 'warn').length}</div>
+          <div class="lbl">Warning</div>
+        </div>
+        <div class="item fail">
+          <div class="num">${compliance.categories.filter(c => c.status === 'fail').length}</div>
+          <div class="lbl">Failing</div>
+        </div>
+      </div>
+    </div>
+  </div>
+
+  <h2 style="margin: 2rem 0 1rem; font-size: 1.3rem; border-bottom: 1px solid var(--border); padding-bottom: 0.5rem;">
+    Category Breakdown
+  </h2>
+
+  ${categoriesHTML}
+
+  <footer>JAKU 呪 v${meta.version} — OWASP Top 10 (2021) Compliance Report</footer>
+</body>
+</html>`;
+    }
+
+    _escapeHtml(text) {
+        if (!text) return '';
+        return String(text)
+            .replace(/&/g, '&amp;')
+            .replace(/</g, '&lt;')
+            .replace(/>/g, '&gt;')
+            .replace(/"/g, '&quot;');
+    }
+}
+
+export default ComplianceReporter;

package/src/reporting/report-generator.js

@@ -38,7 +38,7 @@ export class ReportGenerator {
     const reportData = {
       meta: {
         agent: 'JAKU',
-        version: '1.0.1',
+        version: '1.0.2',
         module: 'qa',
         target: this.config.target_url,
         scannedAt: new Date().toISOString(),
@@ -136,6 +136,9 @@ export class ReportGenerator {
 
       for (const f of sevFindings) {
         md += `#### ${f.id}: ${f.title}\n\n`;
+        md += `**Severity:** ${f.severity.toUpperCase()}`;
+        if (f.owasp) md += `  |  **OWASP:** ${f.owasp.id} ${f.owasp.name}`;
+        md += `  \n`;
         md += `**Affected:** ${f.affected_surface}  \n`;
         md += `**Status:** ${f.status}  \n\n`;
         md += `${f.description}\n\n`;
@@ -309,6 +312,7 @@ export class ReportGenerator {
       <div class="finding-desc">${this._escapeHtml(f.description)}</div>
       <div style="font-size:0.8rem;color:var(--text-dim);margin-top:0.5rem">
         <strong>Affected:</strong> ${this._escapeHtml(f.affected_surface)}
+        ${f.owasp ? `<span style="margin-left:1rem;padding:2px 6px;border-radius:3px;background:#1a1a25;color:#00ff88;font-size:0.7rem;font-weight:bold">${f.owasp.id} ${this._escapeHtml(f.owasp.name)}</span>` : ''}
       </div>
       ${f.remediation ? `<div style="font-size:0.85rem;margin-top:0.5rem;color:var(--accent)"><strong>Fix:</strong> ${this._escapeHtml(f.remediation)}</div>` : ''}
       <details class="finding-details">

package/src/reporting/sarif-generator.js

@@ -141,8 +141,8 @@ export function generateSARIF(findings, meta = {}) {
             tool: {
                 driver: {
                     name: 'JAKU',
-                    version: meta.version || '1.0.1',
-                    semanticVersion: meta.version || '1.0.1',
+                    version: meta.version || '1.0.2',
+                    semanticVersion: meta.version || '1.0.2',
                     informationUri: 'https://github.com/jaku-security',
                     rules,
                 },

package/src/utils/finding.js

@@ -1,9 +1,11 @@
 import { nanoid } from 'nanoid';
+import { tagFinding } from './owasp-mapper.js';
 
 const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info'];
 
 /**
  * Creates a JAKU Finding object matching the manifest schema.
+ * Automatically tagged with OWASP Top 10 (2021) classification.
  */
 export function createFinding({
     module = 'qa',
@@ -20,7 +22,7 @@ export function createFinding({
     const prefix = module.toUpperCase();
     const shortId = nanoid(6);
 
-    return {
+    const finding = {
         id: `JAKU-${prefix}-${shortId}`,
         module,
         title,
@@ -34,6 +36,9 @@ export function createFinding({
         status,
         timestamp: new Date().toISOString(),
     };
+
+    // Auto-tag with OWASP Top 10 classification
+    return tagFinding(finding);
 }
 
 /**

package/src/utils/owasp-mapper.js

@@ -0,0 +1,251 @@
+/**
+ * OWASP Top 10 (2021) Mapper
+ *
+ * Maps JAKU findings to OWASP categories automatically based on
+ * finding title, module, and description patterns.
+ */
+
+// ═══════════════════════════════════════════════
+// OWASP Top 10 (2021) Definitions
+// ═══════════════════════════════════════════════
+
+export const OWASP_TOP_10 = [
+    {
+        id: 'A01:2021',
+        name: 'Broken Access Control',
+        description: 'Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data.',
+        cwe: [22, 23, 35, 59, 200, 201, 219, 264, 275, 276, 284, 285, 352, 359, 377, 402, 425, 441, 497, 538, 540, 548, 552, 566, 601, 639, 651, 668, 706, 862, 863, 913, 922, 1275],
+    },
+    {
+        id: 'A02:2021',
+        name: 'Cryptographic Failures',
+        description: 'Failures related to cryptography which often lead to sensitive data exposure. This includes use of weak cryptographic algorithms, improper key management, and transmission of data in clear text.',
+        cwe: [261, 296, 310, 319, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 335, 336, 337, 338, 340, 347, 523, 720, 757, 759, 760, 780, 818, 916],
+    },
+    {
+        id: 'A03:2021',
+        name: 'Injection',
+        description: 'Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. This includes SQL, NoSQL, OS, LDAP injection, as well as XSS and prompt injection.',
+        cwe: [20, 74, 75, 77, 78, 79, 80, 83, 87, 88, 89, 90, 91, 93, 94, 95, 96, 97, 98, 99, 113, 116, 138, 184, 470, 471, 564, 610, 643, 644, 652, 917],
+    },
+    {
+        id: 'A04:2021',
+        name: 'Insecure Design',
+        description: 'A broad category focusing on risks related to design and architectural flaws. Insecure design cannot be fixed by a perfect implementation — the security controls were never created to defend against specific attacks.',
+        cwe: [73, 183, 209, 213, 235, 256, 257, 266, 269, 280, 311, 312, 313, 316, 419, 430, 434, 444, 451, 472, 501, 522, 525, 539, 579, 598, 602, 642, 646, 650, 653, 656, 657, 799, 807, 840, 841, 927, 1021, 1173],
+    },
+    {
+        id: 'A05:2021',
+        name: 'Security Misconfiguration',
+        description: 'Security misconfiguration is the most commonly seen issue. This includes insecure default configurations, incomplete configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages.',
+        cwe: [2, 11, 13, 15, 16, 260, 315, 520, 526, 537, 541, 547, 611, 614, 756, 776, 942, 1004, 1032, 1174],
+    },
+    {
+        id: 'A06:2021',
+        name: 'Vulnerable and Outdated Components',
+        description: 'Components such as libraries, frameworks, and other software modules run with the same privileges as the application. If a vulnerable component is exploited, it can facilitate serious data loss or server takeover.',
+        cwe: [1035, 1104],
+    },
+    {
+        id: 'A07:2021',
+        name: 'Identification and Authentication Failures',
+        description: 'Confirmation of the user\'s identity, authentication, and session management is critical to protect against authentication-related attacks.',
+        cwe: [255, 259, 287, 288, 290, 294, 295, 297, 300, 302, 304, 306, 307, 346, 384, 521, 613, 620, 640, 798, 940, 1216],
+    },
+    {
+        id: 'A08:2021',
+        name: 'Software and Data Integrity Failures',
+        description: 'Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. This includes insecure deserialization and use of software from untrusted sources.',
+        cwe: [345, 353, 426, 494, 502, 565, 784, 829, 830, 913],
+    },
+    {
+        id: 'A09:2021',
+        name: 'Security Logging and Monitoring Failures',
+        description: 'Insufficient logging, detection, monitoring, and active response allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with or extract data.',
+        cwe: [117, 223, 532, 778],
+    },
+    {
+        id: 'A10:2021',
+        name: 'Server-Side Request Forgery (SSRF)',
+        description: 'SSRF flaws occur when a web application fetches a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination.',
+        cwe: [918],
+    },
+];
+
+// ═══════════════════════════════════════════════
+// Pattern → OWASP Category Mapping
+// ═══════════════════════════════════════════════
+
+const MAPPING_RULES = [
+    // A01: Broken Access Control
+    { pattern: /csrf|cross.site.request/i, owasp: 'A01:2021' },
+    { pattern: /idor|insecure.direct.object/i, owasp: 'A01:2021' },
+    { pattern: /access.control|access.boundary|authorization/i, owasp: 'A01:2021' },
+    { pattern: /privilege.escalation|vertical.escalation|horizontal.escalation/i, owasp: 'A01:2021' },
+    { pattern: /forced.browsing|directory.listing/i, owasp: 'A01:2021' },
+    { pattern: /cors.misconfig|cors.origin|cors.credential/i, owasp: 'A01:2021' },
+    { pattern: /clickjacking|x-frame/i, owasp: 'A01:2021' },
+    { pattern: /open.redirect/i, owasp: 'A01:2021' },
+    { pattern: /guest.*access|missing.*auth.*endpoint/i, owasp: 'A01:2021' },
+    { pattern: /account.takeover/i, owasp: 'A01:2021' },
+    { pattern: /feature.flag.bypass/i, owasp: 'A01:2021' },
+
+    // A02: Cryptographic Failures
+    { pattern: /secret|api.key|token.*exposed|credential.*leak|password.*exposed/i, owasp: 'A02:2021' },
+    { pattern: /tls|ssl|certificate|weak.cipher/i, owasp: 'A02:2021' },
+    { pattern: /hsts|http.*not.*redirect|cleartext/i, owasp: 'A02:2021' },
+    { pattern: /cookie.*secure|cookie.*httponly|cookie.*samesite/i, owasp: 'A02:2021' },
+    { pattern: /sensitive.data.*exposure|data.*leak/i, owasp: 'A02:2021' },
+
+    // A03: Injection
+    { pattern: /xss|cross.site.script/i, owasp: 'A03:2021' },
+    { pattern: /sql.injection|sqli/i, owasp: 'A03:2021' },
+    { pattern: /prompt.injection|prompt.*inject/i, owasp: 'A03:2021' },
+    { pattern: /command.injection|os.command/i, owasp: 'A03:2021' },
+    { pattern: /ldap.injection/i, owasp: 'A03:2021' },
+    { pattern: /nosql.injection/i, owasp: 'A03:2021' },
+    { pattern: /header.injection|crlf/i, owasp: 'A03:2021' },
+    { pattern: /template.injection|ssti/i, owasp: 'A03:2021' },
+    { pattern: /jailbreak/i, owasp: 'A03:2021' },
+    { pattern: /guardrail.bypass/i, owasp: 'A03:2021' },
+    { pattern: /ai.mediated.xss|unsanitized.*output/i, owasp: 'A03:2021' },
+
+    // A04: Insecure Design
+    { pattern: /race.condition/i, owasp: 'A04:2021' },
+    { pattern: /business.logic|workflow.violation/i, owasp: 'A04:2021' },
+    { pattern: /pricing.manipulation|price.*tamper/i, owasp: 'A04:2021' },
+    { pattern: /coupon.*abuse|discount.*abuse|promo.*abuse/i, owasp: 'A04:2021' },
+    { pattern: /cart.*manipulation|quantity.*manipulation/i, owasp: 'A04:2021' },
+    { pattern: /email.enumeration/i, owasp: 'A04:2021' },
+    { pattern: /rate.limit|brute.force/i, owasp: 'A04:2021' },
+    { pattern: /missing.*captcha/i, owasp: 'A04:2021' },
+    { pattern: /file.upload.*bypass|unrestricted.*upload/i, owasp: 'A04:2021' },
+    { pattern: /excessive.agency/i, owasp: 'A04:2021' },
+
+    // A05: Security Misconfiguration
+    { pattern: /missing.*header|security.header/i, owasp: 'A05:2021' },
+    { pattern: /content.security.policy|csp/i, owasp: 'A05:2021' },
+    { pattern: /verbose.error|error.*disclosure|stack.trace/i, owasp: 'A05:2021' },
+    { pattern: /directory.listing|exposed.*directory/i, owasp: 'A05:2021' },
+    { pattern: /debug.*endpoint|admin.*exposed|management.*endpoint/i, owasp: 'A05:2021' },
+    { pattern: /default.credential|default.password/i, owasp: 'A05:2021' },
+    { pattern: /information.disclosure/i, owasp: 'A05:2021' },
+    { pattern: /graphql.*introspection/i, owasp: 'A05:2021' },
+    { pattern: /subdomain/i, owasp: 'A05:2021' },
+    { pattern: /misconfigur/i, owasp: 'A05:2021' },
+
+    // A06: Vulnerable and Outdated Components
+    { pattern: /dependency.*vuln|outdated.*package|known.*vuln|cve-/i, owasp: 'A06:2021' },
+    { pattern: /vulnerable.*component|vulnerable.*library/i, owasp: 'A06:2021' },
+    { pattern: /npm.*audit|dependency.*audit/i, owasp: 'A06:2021' },
+
+    // A07: Identification and Authentication Failures
+    { pattern: /auth.*bypass|broken.*auth|authentication.*failure/i, owasp: 'A07:2021' },
+    { pattern: /jwt.*none|jwt.*signature|jwt.*weak/i, owasp: 'A07:2021' },
+    { pattern: /session.*fixation|session.*hijack/i, owasp: 'A07:2021' },
+    { pattern: /weak.*password|password.*policy/i, owasp: 'A07:2021' },
+    { pattern: /oauth.*misconfig|oauth.*vuln/i, owasp: 'A07:2021' },
+    { pattern: /api.key.*no.*rotation|api.key.*weak/i, owasp: 'A07:2021' },
+
+    // A08: Software and Data Integrity Failures
+    { pattern: /deserialization|prototype.pollution/i, owasp: 'A08:2021' },
+    { pattern: /subresource.integrity|sri/i, owasp: 'A08:2021' },
+    { pattern: /untrusted.*source|supply.chain/i, owasp: 'A08:2021' },
+
+    // A09: Security Logging and Monitoring Failures
+    { pattern: /logging.*failure|no.*logging|insufficient.*log/i, owasp: 'A09:2021' },
+    { pattern: /monitoring.*gap|no.*monitoring/i, owasp: 'A09:2021' },
+
+    // A10: Server-Side Request Forgery
+    { pattern: /ssrf|server.side.request/i, owasp: 'A10:2021' },
+    { pattern: /cloud.*metadata|169\.254/i, owasp: 'A10:2021' },
+];
+
+// ═══════════════════════════════════════════════
+// Module-level fallback mapping
+// ═══════════════════════════════════════════════
+
+const MODULE_FALLBACK = {
+    security: 'A05:2021',  // Security misconfiguration as default for security findings
+    ai: 'A03:2021',        // Injection for AI findings
+    logic: 'A04:2021',     // Insecure design for business logic findings
+    api: 'A07:2021',       // Auth failures for API findings
+    qa: null,              // QA findings may not map to OWASP
+};
+
+// ═══════════════════════════════════════════════
+// Public API
+// ═══════════════════════════════════════════════
+
+/**
+ * Look up the OWASP category for a given finding.
+ * Returns { id, name } or null if no mapping found.
+ */
+export function classifyFinding(finding) {
+    const text = `${finding.title} ${finding.description || ''}`;
+
+    // Try pattern matching first (most specific)
+    for (const rule of MAPPING_RULES) {
+        if (rule.pattern.test(text)) {
+            const cat = OWASP_TOP_10.find(c => c.id === rule.owasp);
+            return { id: cat.id, name: cat.name };
+        }
+    }
+
+    // Fall back to module-level mapping
+    const fallbackId = MODULE_FALLBACK[finding.module];
+    if (fallbackId) {
+        const cat = OWASP_TOP_10.find(c => c.id === fallbackId);
+        return { id: cat.id, name: cat.name };
+    }
+
+    return null;
+}
+
+/**
+ * Enrich a finding with its OWASP classification.
+ * Adds `owasp` field: { id: 'A03:2021', name: 'Injection' }
+ */
+export function tagFinding(finding) {
+    finding.owasp = classifyFinding(finding);
+    return finding;
+}
+
+/**
+ * Generate a compliance status for all OWASP Top 10 categories.
+ *
+ * @param {Array} findings - Array of findings (should already have `owasp` field)
+ * @returns {Object} - { score, total, categories: [ { id, name, status, findings, ... } ] }
+ */
+export function getComplianceStatus(findings) {
+    const categories = OWASP_TOP_10.map(cat => {
+        const matched = findings.filter(f => f.owasp?.id === cat.id);
+        const criticalOrHigh = matched.filter(f => f.severity === 'critical' || f.severity === 'high');
+
+        return {
+            id: cat.id,
+            name: cat.name,
+            description: cat.description,
+            status: matched.length === 0 ? 'pass' : criticalOrHigh.length > 0 ? 'fail' : 'warn',
+            findingsCount: matched.length,
+            criticalCount: matched.filter(f => f.severity === 'critical').length,
+            highCount: matched.filter(f => f.severity === 'high').length,
+            mediumCount: matched.filter(f => f.severity === 'medium').length,
+            lowCount: matched.filter(f => f.severity === 'low').length,
+            infoCount: matched.filter(f => f.severity === 'info').length,
+            findings: matched,
+        };
+    });
+
+    const passing = categories.filter(c => c.status === 'pass').length;
+
+    return {
+        framework: 'OWASP Top 10 (2021)',
+        score: passing,
+        total: OWASP_TOP_10.length,
+        percentage: Math.round((passing / OWASP_TOP_10.length) * 100),
+        categories,
+    };
+}
+
+export default { OWASP_TOP_10, classifyFinding, tagFinding, getComplianceStatus };