Files
CyberStrikeAI/docs/en-US/plugin-development.md
T
2026-07-08 14:21:10 +08:00

4.5 KiB

Plugin Development

中文

Plugins live under plugins/. The repo ships two reference implementations: Burp Suite extension and Chromium DevTools extension. Integrations typically use HTTP APIs, MCP servers, or resource packs (tools, roles, Skills, agents).

Layout

plugins/
  README.md
  burp-suite/cyberstrikeai-burp-extension/
  browser-extension/cyberstrikeai-browser-extension/

Plugin Layers

Layer Example Benefit Cost
API plugin Burp / browser extension calling Agent Stream simple UI integration depends on API/auth
MCP plugin exposes tools to Agent Agent can call it needs schema and safety design
Resource pack ships tools/roles/skills/agents simple and versionable less interactive

Do not start with MCP unless the Agent must actively call your capability. For “send this HTTP request to AI”, an API plugin is enough.

Burp Suite Extension

Java extension under plugins/burp-suite/cyberstrikeai-burp-extension/. Typical flow: read HTTP from Burp → format prompt → call CyberStrikeAI SSE → show Progress/Final in a Burp tab.

Build: JDK + Gradle/Maven → bash build-mvn.shdist/cyberstrikeai-burp-extension.jar.

Browser Extension (Chromium DevTools)

MV3 DevTools extension under plugins/browser-extension/cyberstrikeai-browser-extension/. Aligned with the Burp plugin: capture Network traffic → HTTP/1.1 prompt → SSE output. Full docs: README.md / README.zh-CN.md in that directory.

Load unpacked at chrome://extensions/, or bash package.shdist/cyberstrikeai-browser-extension.zip.

Auth best practices (browser)

Server POST /api/auth/login returns { token, expires_at }. There is no refresh token — do not assume silent renewal. Reference: lib/auth-session.js, lib/api.js, panel/panel.js.

Practice Description
Session storage Store token + expires_at in chrome.storage.session; never persist password
Remaining time Show OK · 11h 30m left; warn when <30min
Local check Re-check expires_at + GET /api/auth/validate every 30s
Server probe Immediate probe when DevTools panel becomes visible
Unreachable Show warning; keep token during transient outage
401/403 Clear token (server restart clears in-memory sessions)
Before Send ensureAuthReady() before SSE
Permissions optional_host_permissions — request origin on Validate

After extension reload, close DevTools completely and reopen F12 (stale panel context).

Data and performance (browser)

  • Caps: 200 captures/tab, 20 tabs, 512KB progress/run.
  • Default XHR/Fetch only; use pause toggle when not capturing.
  • Truncate or summarize large bodies before sending to Agent.

API Integration

  • Login: POST /api/auth/login, then GET /api/auth/validate.
  • Persist expires_at; re-login when expired (no silent refresh).
  • Prefer /api/eino-agent/stream or /api/multi-agent/stream (SSE).
  • Large files: /api/chat-uploads, then reference in message.
  • Full spec: /api-docs or /api/openapi/spec.

API Plugin Payload

Include:

  • source tool and context;
  • target URL, method, key headers;
  • truncation policy for request/response bodies;
  • user intent;
  • authorization boundary.

Large responses should be uploaded or summarized, not pasted whole into the prompt.

MCP Schema Design

Bad:

{"cmd":{"type":"string"}}

Better:

{
  "target_url": {"type":"string","description":"authorized target URL"},
  "scan_profile": {"type":"string","enum":["passive","active-safe"]},
  "max_requests": {"type":"integer","description":"request limit"}
}

Specific schemas make HITL and Agent behavior safer.

Security Boundaries

Plugins should not bypass platform controls:

  • no hidden destructive local commands;
  • no plaintext long-lived credentials (password only for login; token in session storage);
  • no default third-party data exfiltration;
  • no dependency on browser state to bypass login;
  • on 401/403, clear session and require re-auth — do not silently retry.

Source Anchors

  • Burp plugin: plugins/burp-suite/cyberstrikeai-burp-extension/src/main/java/burp/
  • Browser extension: plugins/browser-extension/cyberstrikeai-browser-extension/
    • Auth: lib/auth-session.js, lib/api.js, lib/storage.js
    • UI: panel/panel.js
    • Capture: devtools.js, background/service-worker.js
  • OpenAPI: internal/handler/openapi.go
  • External MCP: internal/handler/external_mcp.go
  • Web auth reference: web/static/js/auth.js