NeuroSploit v3.2 - Autonomous AI Penetration Testing Platform

116 modules | 100 vuln types | 18 API routes | 18 frontend pages

Major features:
- VulnEngine: 100 vuln types, 526+ payloads, 12 testers, anti-hallucination prompts
- Autonomous Agent: 3-stream auto pentest, multi-session (5 concurrent), pause/resume/stop
- CLI Agent: Claude Code / Gemini CLI / Codex CLI inside Kali containers
- Validation Pipeline: negative controls, proof of execution, confidence scoring, judge
- AI Reasoning: ReACT engine, token budget, endpoint classifier, CVE hunter, deep recon
- Multi-Agent: 5 specialists + orchestrator + researcher AI + vuln type agents
- RAG System: BM25/TF-IDF/ChromaDB vectorstore, few-shot, reasoning templates
- Smart Router: 20 providers (8 CLI OAuth + 12 API), tier failover, token refresh
- Kali Sandbox: container-per-scan, 56 tools, VPN support, on-demand install
- Full IA Testing: methodology-driven comprehensive pentest sessions
- Notifications: Discord, Telegram, WhatsApp/Twilio multi-channel alerts
- Frontend: React/TypeScript with 18 pages, real-time WebSocket updates

.env.example

@@ -0,0 +1,151 @@
+# NeuroSploit v3 Environment Variables
+# =====================================
+# Copy this file to .env and configure your API keys
+#
+# IMPORTANT: You MUST set at least one LLM API key for the AI agent to work!
+#
+
+# =============================================================================
+# LLM API Keys (REQUIRED - at least one must be set)
+# =============================================================================
+# Get your Claude API key at: https://console.anthropic.com/
+ANTHROPIC_API_KEY=
+
+# OpenAI: https://platform.openai.com/api-keys
+OPENAI_API_KEY=
+
+# Google Gemini: https://aistudio.google.com/app/apikey
+GEMINI_API_KEY=
+
+# OpenRouter (multi-model): https://openrouter.ai/keys
+OPENROUTER_API_KEY=
+
+# Together AI: https://api.together.xyz/settings/api-keys
+TOGETHER_API_KEY=
+
+# Fireworks AI: https://fireworks.ai/account/api-keys
+FIREWORKS_API_KEY=
+
+# =============================================================================
+# Local LLM (optional - no API key needed)
+# =============================================================================
+# Ollama: https://ollama.ai
+#OLLAMA_BASE_URL=http://localhost:11434
+
+# LM Studio: https://lmstudio.ai
+#LMSTUDIO_BASE_URL=http://localhost:1234
+
+# =============================================================================
+# LLM Configuration
+# =============================================================================
+# Max output tokens (up to 64000 for Claude). Comment out for profile defaults.
+#MAX_OUTPUT_TOKENS=64000
+
+# Select specific model name (e.g., claude-sonnet-4-20250514, gpt-4-turbo, llama3.2, qwen2.5)
+# Leave empty for provider default
+#DEFAULT_LLM_MODEL=
+
+# Enable task-type model routing (routes to different LLM profiles per task)
+ENABLE_MODEL_ROUTING=false
+
+# =============================================================================
+# Feature Flags
+# =============================================================================
+# Bug bounty dataset cognitive augmentation
+ENABLE_KNOWLEDGE_AUGMENTATION=false
+
+# Playwright browser-based validation + screenshot capture
+ENABLE_BROWSER_VALIDATION=false
+
+# =============================================================================
+# Agent Autonomy (Phase 1-5 modules)
+# =============================================================================
+# Token budget per scan (limits total LLM tokens). Comment out for unlimited.
+#TOKEN_BUDGET=100000
+
+# Enable AI reasoning engine (think/plan/reflect at checkpoints)
+ENABLE_REASONING=true
+
+# Enable CVE/exploit search (NVD API + GitHub)
+ENABLE_CVE_HUNT=true
+
+# NVD API key for higher rate limits: https://nvd.nist.gov/developers/request-an-api-key
+#NVD_API_KEY=
+
+# GitHub token for exploit search (optional, increases rate limit)
+#GITHUB_TOKEN=
+
+# Enable multi-agent orchestration (replaces default 3-stream architecture)
+# WARNING: Experimental - uses specialist agents instead of parallel streams
+ENABLE_MULTI_AGENT=false
+
+# Enable AI Researcher agent (0-day discovery with Kali sandbox)
+# Requires enable_kali_sandbox=true per scan (frontend checkbox)
+ENABLE_RESEARCHER_AI=true
+
+# CLI Agent (AI CLI tools inside Kali sandbox)
+# Runs Claude Code / Gemini CLI / Codex CLI inside Kali container as pentest engine
+#ENABLE_CLI_AGENT=true
+#CLI_AGENT_MAX_RUNTIME=1800
+#CLI_AGENT_DEFAULT_PROVIDER=claude_code
+
+# Kali sandbox Docker image name
+#KALI_SANDBOX_IMAGE=neurosploit-kali:latest
+
+# =============================================================================
+# Smart Router (OAuth + API provider routing)
+# =============================================================================
+# Enable Smart Router for automatic provider failover and CLI OAuth token reuse
+#ENABLE_SMART_ROUTER=true
+
+# =============================================================================
+# RAG System (Retrieval-Augmented Generation)
+# =============================================================================
+# Enable RAG for semantic search over vuln knowledge, bug bounty data, etc.
+ENABLE_RAG=true
+
+# RAG backend: auto (best available), chromadb, tfidf, bm25
+RAG_BACKEND=auto
+
+# =============================================================================
+# Methodology File (deep injection into agent prompts)
+# =============================================================================
+# Path to .md methodology file (FASE-based pentest methodology)
+#METHODOLOGY_FILE=/opt/Prompts-PenTest/pentestcompleto_en.md
+
+# =============================================================================
+# Vuln Type Agents (per-vuln parallel orchestration)
+# =============================================================================
+# Enable parallel per-vuln-type specialist agents
+ENABLE_VULN_AGENTS=false
+
+# =============================================================================
+# Notifications (multi-channel scan alerts)
+# =============================================================================
+#ENABLE_NOTIFICATIONS=false
+#NOTIFICATION_SEVERITY_FILTER=critical,high
+
+# Discord webhook for scan alerts
+#DISCORD_WEBHOOK_URL=
+
+# Telegram bot alerts
+#TELEGRAM_BOT_TOKEN=
+#TELEGRAM_CHAT_ID=
+
+# WhatsApp/Twilio alerts
+#TWILIO_ACCOUNT_SID=
+#TWILIO_AUTH_TOKEN=
+#TWILIO_FROM_NUMBER=
+#TWILIO_TO_NUMBER=
+
+# =============================================================================
+# Database (default is SQLite - no config needed)
+# =============================================================================
+DATABASE_URL=sqlite+aiosqlite:///./data/neurosploit.db
+
+# =============================================================================
+# Server Configuration
+# =============================================================================
+HOST=0.0.0.0
+PORT=8000
+DEBUG=false