mirror of
https://github.com/CyberSecurityUP/NeuroSploit.git
synced 2026-06-30 07:15:30 +02:00
CyberSecurityUP
55af0d4634
Re-model the pentest agent into an autonomous, markdown-driven engine that turns a URL into a full engagement and delegates execution to a locally installed agentic CLI backend. Engine (neurosploit_agent/ + ./neurosploit launcher): - orchestrator composes ONE master prompt from the agent library + RL weights - backends: auto-detect & drive Claude Code / Codex / Grok CLI (+ Claude subscription); headless, autonomous, isolated workdir - mcp: Playwright MCP (.mcp.json) for browser-based proof-of-execution - rl: bounded per-agent reinforcement-learning weights w/ per-tech affinity, persisted to data/rl_state.json - models: latest registry incl. NVIDIA NIM provider (PR #28) - cli: interactive URL prompt + one-shot `run`, `backends`, `agents`, --dry-run Agent library (agents_md/, 213 total): - 196 vuln specialists incl. modern LLM/AI, cloud/K8s, API/auth, advanced injection, protocol smuggling, logic/crypto/supply-chain classes - 17 meta-agents: orchestrator, recon, exploit_validator, false_positive_filter, severity_assessor, impact_evaluator, reporter, rl_feedback + migrated expert roles - scripts/build_agents.py data-driven builder; REGISTRY.md index Docs: rewritten README.md, v3.3.0 RELEASE.md, .env.example (NVIDIA NIM, xAI, engine vars). Retire legacy Python orchestration (neurosploit.py + agent classes) to legacy/. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
183 lines
6.8 KiB
Bash
Executable File
183 lines
6.8 KiB
Bash
Executable File
# NeuroSploit v3 Environment Variables
|
|
# =====================================
|
|
# Copy this file to .env and configure your API keys
|
|
#
|
|
# IMPORTANT: You MUST set at least one LLM API key for the AI agent to work!
|
|
#
|
|
|
|
# =============================================================================
|
|
# LLM API Keys (REQUIRED - at least one must be set)
|
|
# =============================================================================
|
|
# Get your Claude API key at: https://console.anthropic.com/
|
|
ANTHROPIC_API_KEY=
|
|
|
|
# OpenAI: https://platform.openai.com/api-keys
|
|
OPENAI_API_KEY=
|
|
|
|
# Google Gemini: https://aistudio.google.com/app/apikey
|
|
GEMINI_API_KEY=
|
|
|
|
# OpenRouter (multi-model): https://openrouter.ai/keys
|
|
OPENROUTER_API_KEY=
|
|
|
|
# xAI Grok: https://console.x.ai/ (used by the Grok CLI backend)
|
|
XAI_API_KEY=
|
|
|
|
# NVIDIA NIM (PR #28): https://build.nvidia.com/ — keys look like `nvapi-...`
|
|
# OpenAI-compatible endpoint at https://integrate.api.nvidia.com/v1
|
|
NVIDIA_NIM_API_KEY=
|
|
|
|
# Together AI: https://api.together.xyz/settings/api-keys
|
|
TOGETHER_API_KEY=
|
|
|
|
# Fireworks AI: https://fireworks.ai/account/api-keys
|
|
FIREWORKS_API_KEY=
|
|
|
|
# Azure OpenAI: https://portal.azure.com/
|
|
#AZURE_OPENAI_API_KEY=
|
|
#AZURE_OPENAI_ENDPOINT=https://your-resource.openai.azure.com/
|
|
#AZURE_OPENAI_API_VERSION=2024-02-01
|
|
#AZURE_OPENAI_DEPLOYMENT=gpt-4o
|
|
|
|
# =============================================================================
|
|
# Local LLM (optional - no API key needed)
|
|
# =============================================================================
|
|
# Ollama: https://ollama.ai
|
|
#OLLAMA_BASE_URL=http://localhost:11434
|
|
|
|
# LM Studio: https://lmstudio.ai
|
|
#LMSTUDIO_BASE_URL=http://localhost:1234
|
|
|
|
# =============================================================================
|
|
# LLM Configuration
|
|
# =============================================================================
|
|
# Max output tokens (up to 64000 for Claude). Comment out for profile defaults.
|
|
#MAX_OUTPUT_TOKENS=64000
|
|
|
|
# Select specific model name (e.g., claude-sonnet-4-20250514, gpt-4o, llama3.2, qwen2.5)
|
|
# Leave empty for provider default
|
|
#DEFAULT_LLM_MODEL=
|
|
|
|
# Enable task-type model routing (routes to different LLM profiles per task)
|
|
ENABLE_MODEL_ROUTING=false
|
|
|
|
# =============================================================================
|
|
# Feature Flags
|
|
# =============================================================================
|
|
# Bug bounty dataset cognitive augmentation
|
|
ENABLE_KNOWLEDGE_AUGMENTATION=false
|
|
|
|
# Playwright browser-based validation + screenshot capture
|
|
ENABLE_BROWSER_VALIDATION=false
|
|
|
|
# =============================================================================
|
|
# Agent Autonomy (Phase 1-5 modules)
|
|
# =============================================================================
|
|
# Token budget per scan (limits total LLM tokens). Comment out for unlimited.
|
|
#TOKEN_BUDGET=100000
|
|
|
|
# Enable AI reasoning engine (think/plan/reflect at checkpoints)
|
|
ENABLE_REASONING=true
|
|
|
|
# Enable CVE/exploit search (NVD API + GitHub)
|
|
ENABLE_CVE_HUNT=true
|
|
|
|
# NVD API key for higher rate limits: https://nvd.nist.gov/developers/request-an-api-key
|
|
#NVD_API_KEY=
|
|
|
|
# GitHub token for exploit search (optional, increases rate limit)
|
|
#GITHUB_TOKEN=
|
|
|
|
# Enable multi-agent orchestration (replaces default 3-stream architecture)
|
|
# WARNING: Experimental - uses specialist agents instead of parallel streams
|
|
ENABLE_MULTI_AGENT=false
|
|
|
|
# Enable AI Researcher agent (0-day discovery with Kali sandbox)
|
|
# Requires enable_kali_sandbox=true per scan (frontend checkbox)
|
|
ENABLE_RESEARCHER_AI=true
|
|
|
|
# CLI Agent (AI CLI tools inside Kali sandbox)
|
|
# Runs Claude Code / Gemini CLI / Codex CLI inside Kali container as pentest engine
|
|
#ENABLE_CLI_AGENT=true
|
|
#CLI_AGENT_MAX_RUNTIME=1800
|
|
#CLI_AGENT_DEFAULT_PROVIDER=claude_code
|
|
|
|
# Kali sandbox Docker image name
|
|
#KALI_SANDBOX_IMAGE=neurosploit-kali:latest
|
|
|
|
# =============================================================================
|
|
# Smart Router (OAuth + API provider routing)
|
|
# =============================================================================
|
|
# Enable Smart Router for automatic provider failover and CLI OAuth token reuse
|
|
#ENABLE_SMART_ROUTER=true
|
|
|
|
# =============================================================================
|
|
# RAG System (Retrieval-Augmented Generation)
|
|
# =============================================================================
|
|
# Enable RAG for semantic search over vuln knowledge, bug bounty data, etc.
|
|
ENABLE_RAG=true
|
|
|
|
# RAG backend: auto (best available), chromadb, tfidf, bm25
|
|
RAG_BACKEND=auto
|
|
|
|
# =============================================================================
|
|
# Methodology File (deep injection into agent prompts)
|
|
# =============================================================================
|
|
# Path to .md methodology file (FASE-based pentest methodology)
|
|
#METHODOLOGY_FILE=/opt/Prompts-PenTest/pentestcompleto_en.md
|
|
|
|
# =============================================================================
|
|
# Vuln Type Agents (per-vuln parallel orchestration)
|
|
# =============================================================================
|
|
# Enable parallel per-vuln-type specialist agents
|
|
ENABLE_VULN_AGENTS=false
|
|
|
|
# =============================================================================
|
|
# Notifications (multi-channel scan alerts)
|
|
# =============================================================================
|
|
#ENABLE_NOTIFICATIONS=false
|
|
#NOTIFICATION_SEVERITY_FILTER=critical,high
|
|
|
|
# Discord webhook for scan alerts
|
|
#DISCORD_WEBHOOK_URL=
|
|
|
|
# Telegram bot alerts
|
|
#TELEGRAM_BOT_TOKEN=
|
|
#TELEGRAM_CHAT_ID=
|
|
|
|
# WhatsApp/Twilio alerts
|
|
#TWILIO_ACCOUNT_SID=
|
|
#TWILIO_AUTH_TOKEN=
|
|
#TWILIO_FROM_NUMBER=
|
|
#TWILIO_TO_NUMBER=
|
|
|
|
# =============================================================================
|
|
# Database (default is SQLite - no config needed)
|
|
# =============================================================================
|
|
DATABASE_URL=sqlite+aiosqlite:///./data/neurosploit.db
|
|
|
|
# =============================================================================
|
|
# Server Configuration
|
|
# =============================================================================
|
|
HOST=0.0.0.0
|
|
PORT=8000
|
|
DEBUG=false
|
|
|
|
# =============================================================================
|
|
# NeuroSploit v3.3.0 — Autonomous MD-Agent Engine
|
|
# =============================================================================
|
|
# The engine delegates execution to a locally-installed agentic CLI backend.
|
|
# Default backend (claude | codex | grok). First installed is used if unset.
|
|
NEUROSPLOIT_BACKEND=claude
|
|
# Default provider/model (see neurosploit_agent/models.py)
|
|
NEUROSPLOIT_PROVIDER=anthropic
|
|
NEUROSPLOIT_MODEL=claude-opus-4-8
|
|
# OOB collaborator host for blind/SSRF/XXE proof (optional)
|
|
NEUROSPLOIT_COLLABORATOR=
|
|
# Reinforcement-learning loop (1=on). State persists to data/rl_state.json
|
|
NEUROSPLOIT_RL=1
|
|
# Playwright MCP for browser-based proof of execution (1=on; needs npx)
|
|
NEUROSPLOIT_MCP=1
|
|
# OpenAI-compatible base URL override (set automatically per provider)
|
|
#OPENAI_BASE_URL=
|