jaku.sh 1.2.0 → 1.2.1

package/README.md

@@ -11,6 +11,7 @@ JAKU crawls your entire app, generates test cases, probes for security vulnerabi
 ## Table of Contents
 
 - [Quick Start](#quick-start)
+- [Updating](#updating)
 - [Architecture](#architecture)
 - [Module 01 — QA & Functional Testing](#module-01--qa--functional-testing)
 - [Module 02 — Security Vulnerability Scanning](#module-02--security-vulnerability-scanning)
@@ -72,6 +73,62 @@ node src/cli.js security https://your-app.dev --severity high
 
 ---
 
+## Updating
+
+Already running JAKU? Update to the latest release:
+
+```bash
+# Global install (most common)
+npm install -g jaku.sh@latest
+jaku --version            # confirm you're on the latest
+
+# Refresh the browser engine if the post-install step was skipped
+npx playwright install chromium
+```
+
+```bash
+# npx users — pin @latest so a stale cached copy isn't reused
+npx jaku.sh@latest scan https://your-app.dev --prod-safe
+
+# Project dependency
+npm install -D jaku.sh@latest
+
+# GitHub Action — pin to the release tag
+# - uses: theshantanupandey/jaku@v1.2.0
+```
+
+### What's new in v1.2.1
+
+- **Resilient install.** The Chromium download no longer blocks or breaks
+  `npm install` — it is non-fatal, interrupt-safe (a Ctrl+C won't fail the
+  install), and skippable with `JAKU_SKIP_BROWSER_DOWNLOAD=1`.
+- **Auto browser setup on first scan.** If Chromium is missing when you run a
+  scan, JAKU installs it automatically (one-time) instead of erroring out.
+
+> Updating? If a previous Chromium download was interrupted, just run a scan —
+> JAKU will finish setting up the browser — or run `npx playwright install chromium`.
+
+### What's new in v1.2.0
+
+> ⚠ **Behavior change for existing users:** destructive business-logic tests
+> (race conditions, pricing/checkout mutation, etc.) are now **gated behind
+> `--aggressive`** and **skipped by default**. A plain `jaku scan` is now safer
+> than before — if you relied on those tests running by default, add
+> `--aggressive`. Everything else is additive and backward-compatible.
+
+| Area | Change |
+|------|--------|
+| **Safety modes** | New `--passive` / `--safe-active` (default) / `--aggressive` tiers; destructive tests gated to `--aggressive` |
+| **AI testing fix** | AI endpoint detection now works on JSON/API chat endpoints (previously skipped silently) |
+| **LLM augmentation** | Optional, bring-your-own-key AI assistance — remediation, exec summaries, tailored payloads, FP triage. Off by default, no new dependencies — see [LLM Augmentation](#llm-augmentation-optional) |
+| **Deeper scanning** | Real parameter discovery for XSS/SQLi + boolean-based and time-based **blind SQLi** detection |
+| **Better outputs** | Reports reflect the actual modules that ran; SARIF adds `partialFingerprints` + proper web URIs for cross-run tracking |
+| **Config & safety** | Lightweight config validation with warnings; API keys rejected from config files; version centralized |
+
+Full file-level history is on [GitHub](https://github.com/theshantanupandey/jaku/commits/main).
+
+---
+
 ## Architecture
 
 JAKU is a **multi-agent system** — a central Orchestrator coordinates 6 specialized sub-agents that run in parallel, sharing discoveries through an event-driven message bus and a unified findings ledger with attack chain correlation.

package/package.json

@@ -1,11 +1,11 @@
 {
   "name": "jaku.sh",
-  "version": "1.2.0",
+  "version": "1.2.1",
   "description": "JAKU (呪) — Autonomous Security & Quality Intelligence Agent for vibe-coded apps. XSS, SQLi, prompt injection, QA testing, and attack chain correlation in one command.",
   "type": "module",
   "main": "src/cli.js",
   "bin": {
-    "jaku": "./bin/jaku"
+    "jaku": "bin/jaku"
   },
   "engines": {
     "node": ">=20"
@@ -13,12 +13,13 @@
   "files": [
     "src/",
     "bin/",
+    "scripts/",
     "action.yml",
     "README.md"
   ],
   "scripts": {
     "scan": "node src/cli.js scan",
-    "postinstall": "npx playwright install chromium 2>/dev/null || echo '⚠ JAKU: Could not auto-install Chromium. Run: npx playwright install chromium'",
+    "postinstall": "node scripts/postinstall.js",
     "prepublishOnly": "node src/cli.js --help"
   },
   "keywords": [
@@ -46,7 +47,7 @@
   "homepage": "https://jaku.app",
   "repository": {
     "type": "git",
-    "url": "https://github.com/theshantanupandey/jaku.git"
+    "url": "git+https://github.com/theshantanupandey/jaku.git"
   },
   "bugs": {
     "url": "https://github.com/theshantanupandey/jaku/issues"
@@ -59,4 +60,4 @@
     "playwright": "^1.49.1",
     "winston": "^3.17.0"
   }
-}
+}

package/scripts/postinstall.js

@@ -0,0 +1,73 @@
+#!/usr/bin/env node
+/**
+ * JAKU postinstall — installs the Chromium build Playwright needs.
+ *
+ * Design goals (it must NEVER break `npm install`):
+ *   - Skippable via JAKU_SKIP_BROWSER_DOWNLOAD / PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD.
+ *   - Non-fatal: any failure (network, missing npx, etc.) exits 0 with guidance.
+ *   - Interrupt-safe: a Ctrl+C (SIGINT) during the ~170 MB download leaves the
+ *     CLI installed and exits 0 instead of failing the whole install. JAKU will
+ *     auto-install the browser on first scan if it is still missing.
+ */
+import { spawnSync } from 'node:child_process';
+
+function log(msg) {
+    process.stdout.write(`${msg}\n`);
+}
+
+const MANUAL = 'Run `npx playwright install chromium` before your first scan.';
+
+// If interrupted directly, don't fail the install.
+process.on('SIGINT', () => {
+    log(`\n⚠ JAKU: Chromium download interrupted. JAKU is installed — ${MANUAL}`);
+    process.exit(0);
+});
+
+function main() {
+    const skip =
+        process.env.JAKU_SKIP_BROWSER_DOWNLOAD ||
+        process.env.PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD;
+
+    if (skip) {
+        log(`JAKU: Skipping Chromium download (skip flag set). ${MANUAL}`);
+        return 0;
+    }
+
+    log('JAKU: Installing Chromium for Playwright (~170 MB, one-time).');
+    log('      Set JAKU_SKIP_BROWSER_DOWNLOAD=1 to skip; JAKU also auto-installs it on first scan.');
+
+    let res;
+    try {
+        res = spawnSync('npx', ['playwright', 'install', 'chromium'], {
+            stdio: 'inherit',
+            shell: process.platform === 'win32',
+        });
+    } catch (e) {
+        log(`⚠ JAKU: Could not auto-install Chromium (${e.message}). ${MANUAL}`);
+        return 0;
+    }
+
+    if (res.signal) {
+        log(`\n⚠ JAKU: Chromium install was interrupted (${res.signal}). JAKU is installed — ${MANUAL}`);
+        return 0;
+    }
+    if (res.error) {
+        log(`⚠ JAKU: Could not auto-install Chromium (${res.error.message}). ${MANUAL}`);
+        return 0;
+    }
+    if (res.status !== 0) {
+        log(`⚠ JAKU: Could not auto-install Chromium. ${MANUAL}`);
+        return 0;
+    }
+
+    log('JAKU: Chromium ready. ✔');
+    return 0;
+}
+
+// Always exit 0 — installing the CLI must never fail because of the browser.
+try {
+    process.exit(main());
+} catch (e) {
+    log(`⚠ JAKU: postinstall encountered an issue (${e.message}). ${MANUAL}`);
+    process.exit(0);
+}

package/src/cli.js

@@ -16,6 +16,7 @@ import { ComplianceReporter } from './reporting/compliance-reporter.js';
 import { AuthManager } from './core/auth-manager.js';
 import { getVersion } from './utils/version.js';
 import { LLMClient } from './core/llm/llm-client.js';
+import { ensureChromium } from './utils/browser.js';
 
 const VERSION = getVersion();
 
@@ -116,6 +117,16 @@ async function runScan(url, options, modulesToRun) {
     );
     console.log();
 
+    // ═══════════════════════════════════════
+    // Preflight: ensure the browser engine is available
+    // ═══════════════════════════════════════
+    try {
+        ensureChromium(logger);
+    } catch (err) {
+        console.error(chalk.red(`\n  ⛔ ${err.message}\n`));
+        process.exit(1);
+    }
+
     // ═══════════════════════════════════════
     // Phase 0: Authentication (before spinners)
     // ═══════════════════════════════════════

package/src/utils/browser.js

@@ -0,0 +1,62 @@
+import fs from 'fs';
+import { spawnSync } from 'node:child_process';
+import { chromium } from 'playwright';
+
+/**
+ * Returns the path to the Chromium build Playwright expects, or null if it
+ * cannot be resolved.
+ */
+function resolveChromiumPath() {
+    try {
+        const p = chromium.executablePath();
+        return p || null;
+    } catch {
+        return null;
+    }
+}
+
+/** True if the Chromium build is actually present on disk. */
+export function isChromiumInstalled() {
+    const p = resolveChromiumPath();
+    return Boolean(p && fs.existsSync(p));
+}
+
+/**
+ * Ensure Chromium is available before a scan. If it is missing, attempt a
+ * one-time install (unless skipping is requested), then re-check.
+ *
+ * Throws a friendly Error if Chromium is required but unavailable so the CLI
+ * can print actionable guidance instead of a raw Playwright stack trace.
+ */
+export function ensureChromium(logger) {
+    if (isChromiumInstalled()) return true;
+
+    const skip =
+        process.env.JAKU_SKIP_BROWSER_DOWNLOAD ||
+        process.env.PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD;
+    if (skip) {
+        throw new Error(
+            'Chromium is not installed and a skip flag is set. Run: npx playwright install chromium'
+        );
+    }
+
+    const msg = 'Chromium not found — installing it now (one-time, ~170 MB). This may take a minute...';
+    logger?.info?.(msg);
+    console.log(`  ${msg}`);
+
+    try {
+        spawnSync('npx', ['playwright', 'install', 'chromium'], {
+            stdio: 'inherit',
+            shell: process.platform === 'win32',
+        });
+    } catch {
+        // fall through to the re-check below
+    }
+
+    if (!isChromiumInstalled()) {
+        throw new Error(
+            'Chromium is required but could not be installed automatically. Run: npx playwright install chromium'
+        );
+    }
+    return true;
+}