Add files via upload

This commit is contained in:
公明
2026-07-08 14:21:10 +08:00
committed by GitHub
parent 28214254b5
commit a59084b8ae
2 changed files with 128 additions and 11 deletions
+63 -5
View File
@@ -2,17 +2,69 @@
[中文](../zh-CN/plugin-development.md)
Plugins can integrate with CyberStrikeAI through HTTP APIs, MCP servers, or resource packs such as tools, roles, Skills, and agents.
Plugins live under `plugins/`. The repo ships two reference implementations: **Burp Suite extension** and **Chromium DevTools extension**. Integrations typically use HTTP APIs, MCP servers, or resource packs (tools, roles, Skills, agents).
## Layout
```text
plugins/
README.md
burp-suite/cyberstrikeai-burp-extension/
browser-extension/cyberstrikeai-browser-extension/
```
## Plugin Layers
| Layer | Example | Benefit | Cost |
| --- | --- | --- | --- |
| API plugin | Burp extension calls `/api/eino-agent` | simple UI integration | depends on API/auth |
| API plugin | Burp / browser extension calling Agent Stream | simple UI integration | depends on API/auth |
| MCP plugin | exposes tools to Agent | Agent can call it | needs schema and safety design |
| Resource pack | ships tools/roles/skills/agents | simple and versionable | less interactive |
Do not start with MCP unless the Agent must actively call your capability.
Do not start with MCP unless the Agent must actively call your capability. For “send this HTTP request to AI”, an API plugin is enough.
## Burp Suite Extension
Java extension under `plugins/burp-suite/cyberstrikeai-burp-extension/`. Typical flow: read HTTP from Burp → format prompt → call CyberStrikeAI SSE → show Progress/Final in a Burp tab.
Build: JDK + Gradle/Maven → `bash build-mvn.sh``dist/cyberstrikeai-burp-extension.jar`.
## Browser Extension (Chromium DevTools)
MV3 DevTools extension under `plugins/browser-extension/cyberstrikeai-browser-extension/`. Aligned with the Burp plugin: capture Network traffic → HTTP/1.1 prompt → SSE output. Full docs: `README.md` / `README.zh-CN.md` in that directory.
Load unpacked at `chrome://extensions/`, or `bash package.sh``dist/cyberstrikeai-browser-extension.zip`.
### Auth best practices (browser)
Server `POST /api/auth/login` returns `{ token, expires_at }`. There is **no refresh token** — do not assume silent renewal. Reference: `lib/auth-session.js`, `lib/api.js`, `panel/panel.js`.
| Practice | Description |
| --- | --- |
| Session storage | Store token + `expires_at` in `chrome.storage.session`; never persist password |
| Remaining time | Show `OK · 11h 30m left`; warn when <30min |
| Local check | Re-check `expires_at` + `GET /api/auth/validate` every 30s |
| Server probe | Immediate probe when DevTools panel becomes visible |
| Unreachable | Show warning; keep token during transient outage |
| 401/403 | Clear token (server restart clears in-memory sessions) |
| Before Send | `ensureAuthReady()` before SSE |
| Permissions | `optional_host_permissions` — request origin on Validate |
After extension reload, close DevTools completely and reopen F12 (stale panel context).
### Data and performance (browser)
- Caps: 200 captures/tab, 20 tabs, 512KB progress/run.
- Default XHR/Fetch only; use pause toggle when not capturing.
- Truncate or summarize large bodies before sending to Agent.
## API Integration
- Login: `POST /api/auth/login`, then `GET /api/auth/validate`.
- Persist `expires_at`; re-login when expired (no silent refresh).
- Prefer `/api/eino-agent/stream` or `/api/multi-agent/stream` (SSE).
- Large files: `/api/chat-uploads`, then reference in message.
- Full spec: `/api-docs` or `/api/openapi/spec`.
## API Plugin Payload
@@ -51,12 +103,18 @@ Specific schemas make HITL and Agent behavior safer.
Plugins should not bypass platform controls:
- no hidden destructive local commands;
- no plaintext long-lived credentials;
- no plaintext long-lived credentials (password only for login; token in session storage);
- no default third-party data exfiltration;
- no dependency on browser state to bypass login.
- no dependency on browser state to bypass login;
- on 401/403, clear session and require re-auth — do not silently retry.
## Source Anchors
- Burp plugin: `plugins/burp-suite/cyberstrikeai-burp-extension/src/main/java/burp/`
- Browser extension: `plugins/browser-extension/cyberstrikeai-browser-extension/`
- Auth: `lib/auth-session.js`, `lib/api.js`, `lib/storage.js`
- UI: `panel/panel.js`
- Capture: `devtools.js`, `background/service-worker.js`
- OpenAPI: `internal/handler/openapi.go`
- External MCP: `internal/handler/external_mcp.go`
- Web auth reference: `web/static/js/auth.js`