Posted 2026-05-21 · ~6 min read

JSO AI preview surface is live: 4 endpoints, 3 browser previews, Prometheus, RSS

The Phase 1 JSO AI preview surface is in production today. Four endpoints, three browser-side previews, a Prometheus exporter, a JSON Schema for the wire format, ten language client snippets, and an RSS feed. None of it spends an LLM token yet — preview mode is rule-based — but the entire wire envelope, observability stack, and customer tooling are stable, locked, and ready for the 2026-Q3 LLM-backed GA to slot in behind.

This is the deliberate shape of Phase 1: ship the contract first, ship the LLM second. The point is that customers who integrate against the preview-mode endpoints today don't change a line of code when GA flips the switch.

The four endpoints

All four use the same APIKey + APIPwd auth as the obfuscation API. POST JSON, HTTP 200 always, branch on ok. Wire format is formally specified at /Docs/ai-wire-format.schema.json (JSON Schema draft 2020-12, 14 $defs).

• preset-suggest — describe your app in one sentence; get a starter jso.config.json. Today: rule-based matchers (React, Vue, Angular detection · LockDomain heuristic · preset = balanced default). GA: LLM asks clarifying questions when the description is ambiguous.
• compat-check — paste JS; get severity-graded findings about patterns that won't survive protection (eval, debugger, document.write, source maps, webpack-runtime conflicts). GA: LLM catches framework-specific patterns the rules don't cover.
• explain-error — paste a protected-output runtime error; get the diagnosed JSO transform and a concrete fix. Ten high-signal rules covering the most common failure modes (name-mangling, member-rename, ES-target mismatch, CSP/eval, webpack-runtime, lock-tripped, debug-trap, moved-resource, source-map leak, flat-transform recursion). GA: LLM reasons about novel error patterns.
• usage — current-month quota counters as JSON. Same numbers the dashboard widget shows, exposed so you can wire AI quota into the same Datadog / Grafana / PagerDuty stack you already alert on everything else with. Polling is free.

Three no-auth browser previews

Each endpoint has a matching browser preview that runs the same rule logic client-side so you can evaluate the shape of the answers without an API key. Useful for: prospect demos, internal evaluations, and CI smoke tests where you don't want to spend a real quota slot.

• PresetAssistantPreview — describe app, get config, with framework / lock-domain / risk chips.
• CompatCheckPreview — paste JS, see findings rendered live with severity grading and quick-fill examples.
• ExplainErrorPreview — paste a runtime error, get the diagnosed transform + fix + docs link, with confidence badge.

Observability: Prometheus textfile exporter

The hardest part of giving customers a "quota" is making the quota visible where they already look. We ship a 100-line zero-dependency Node script at /download/jso-ai-quota-exporter.js:

* * * * * JSO_API_KEY=... JSO_API_PASSWORD=... \
    /usr/bin/node /opt/jso/jso-ai-quota-exporter.js \
    --out /var/lib/node_exporter/textfile_collector/jso_ai.prom

That's it. Eight metrics — jso_ai_scrape_success, jso_ai_actions_used / _cap, jso_ai_tokens_used / _cap, jso_ai_cost_cents / _cap_cents, jso_ai_quota_rejections_total — labeled with tier, preview_mode, billing_month. Atomic write via .tmp + rename so node_exporter never sees a partial file. Scrape failure flips jso_ai_scrape_success to 0 so Alertmanager can fire on prolonged outage rather than the metric silently disappearing. Cookbook recipe 13 has the full cron-line setup.

Locked wire format

Three layers of locking sit between the published wire format and any future drift:

1. JSON Schema at ai-wire-format.schema.json. Customers feed it to ajv / jsonschema / etc. to validate parsed responses in CI and fail loudly when the API changes.
2. Polyglot smoke harness at packages/polyglot-smoke/ai-smoke.js. 8 tests, runs in seconds, asserts the envelope shape against representative inputs. Currently 8/8 PASS.
3. Cross-check — the smoke harness reads the JSON Schema and verifies every smoke fixture exposes every field the schema lists as required. Schema and harness can't drift independently. If you add a field on the server, both need to be updated, and the test fires until they match.

Calling AI from your client

If you already have one of our eight language clients wired up, you don't need a separate AI SDK — the auth is the same, the request is one HTTP POST. Worked examples in curl, Python, Node, Go, .NET, Java, Ruby, PHP, Rust, Kotlin at AIClients.aspx.

Pricing & subscribing

JSO AI is a separate subscription that stacks on top of any obfuscation tier. $19 / mo Basic (50 actions / month), $79 / mo Corporate (500 actions), $299 / mo Enterprise (5,000 actions). FreeTrial gives every account 10 actions per month forever for tire-kicking. Hard quota by default — when you hit either the actions cap or the cost cap, calls return quota_exhausted rather than overage you in surprise. Full tier table at premium-membership.aspx.

AI baked into the obfuscation CLI

The newest piece is the tightest integration yet: the AI compat-check is now folded into the obfuscation CLI itself. Add --ai-precheck to your existing jso-protector command and the CLI scans every input file with /v1/ai/compat-check before the obfuscation API is called. If anything in your source would produce a broken protected build — eval, Function constructor, framework reflection traps, decorator metadata — the build aborts with a non-zero exit. Your obfuscation quota is untouched on failure. One command, one round-trip, one place in CI to wire up.

jso-protector --config jso.config.json --ai-precheck --ai-precheck-fail-on error

The standalone variant — jso ai compat-scan — is still available for projects that want to run the gate separately from obfuscation (pre-commit hooks, IDE integrations, ad-hoc audits). Same endpoint, same envelope, just a different driver.

What's next

Phase 1 GA in 2026-Q3 swaps the rule-based bodies inside LlmProviderClient.SendChat for the real LLM. The wire envelope above does not change. provider in the response shifts from "rule-based" to "claude" (or "openai" for accounts that prefer it); tokensIn and tokensOut start populating real values; novel inputs the rules don't cover get nuanced answers; common inputs get the same answers the rules give today.

Phase 2 (2026-Q4) is the Resistance Score — an adversarial LLM probe that runs against your protected output and reports a verifiable recovery percentage. That's the moat: a number you can audit, not just a claim you can read.

Phase 3 (2027-Q1) is the deobfuscation-resistance benchmark across all major commercial obfuscators — including ours — published quarterly. Honest competitive transparency.

Follow along

The release cadence is now visible at /changelog.aspx (rendered from CHANGELOG.md) and subscribable via RSS. The shipping roadmap is at /roadmap.aspx.

If you want to be on the Phase 1 GA early-access list, drop us a line. Three Corporate-tier customers will get production-shape access before the flag flips on by default, and feedback from that cohort shapes what ships.