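# Example configuration file for pentest-agent
# Copy this file and modify it for your specific testing needs
#
# Handling: a filled-in copy of this file carries live credentials for the
# target (password, TOTP seed, optionally a mailbox login). Treat it as a
# secret: keep it out of version control, restrict it to the user running the
# agent (e.g. chmod 600), and use a dedicated, non-privileged test account on
# a non-production target -- exploitation runs by default (see `exploit`
# below), so the account configured here will be driven through real attacks.

# Description of the target environment (optional, max 500 chars)
description: "Next.js e-commerce app on PostgreSQL. Local dev environment — .env files contain local-only credentials, not deployed to production."

# Limit which vulnerability classes run end-to-end (optional, default: all five)
# vuln_classes: [injection, xss, auth, authz, ssrf]

# Run the exploitation phase (optional, default: "true"). Set to "false" to
# stop after analysis and skip exploitation. The value is a quoted string,
# not a YAML boolean, matching the tool's own example.
# exploit: "false"

# Free-form engagement rules applied to analysis and exploitation agents (optional).
# Example below is illustrative; edit, remove, or add sections as needed.
# rules_of_engagement: |
#   Forbidden techniques:
#   - No password brute-force or credential stuffing. Cap login attempts at 5 per account.
#   - ...
#
#   Operational:
#   - Throttle to under 5 requests per second per endpoint. Back off 60 seconds on any 429 response.
#   - ...
#
#   Data handling:
#   - Do not include actual values in deliverables — use placeholders like [order_id] or [user_email].
#   - ...

authentication:
  login_type: form  # Options: 'form' or 'sso'
  login_url: "https://example.com/login"
  credentials:
    username: "testuser"
    password: "testpassword"
    # Optional TOTP secret for 2FA. The value below is a widely published
    # example seed -- never enrol it on a real account; generate a seed that
    # is unique to the test account.
    totp_secret: "JBSWY3DPEHPK3PXP"
  # Optional mailbox credentials for magic-link / email-OTP flows. The agent
  # will read this inbox, so point it at a mailbox dedicated to testing.
  # email_login:
  #   address: "inbox@example.com"
  #   password: "mailbox-password"
  #   totp_secret: "JBSWY3DPEHPK3PXP"
  # Natural language instructions for login flow. $username, $password and
  # $totp presumably expand from the credentials above ($totp being the
  # current code derived from totp_secret) -- confirm against the tool docs.
  login_flow:
    - "Type $username into the email field"
    - "Type $password into the password field"
    - "Click the 'Sign In' button"
    - "Enter $totp in the verification code field"
    - "Click 'Verify'"
  success_condition:
    type: url_contains  # Options: 'url_contains' or 'element_present'
    # url_contains is a substring match on the URL; if a failed-login or error
    # page could also carry this fragment, prefer element_present on an element
    # that only exists after a successful login.
    value: "/dashboard"

rules:
  # Supported types: url_path, subdomain, domain, method, header, parameter, code_path
  avoid:
    - description: "Do not test the marketing site subdomain"
      type: subdomain
      value: "www"
    # Hitting logout would end the authenticated session the agent relies on.
    - description: "Skip logout functionality"
      type: url_path
      value: "/logout"
    # NOTE(review): a url_path rule is method-agnostic, so this excludes the
    # whole user API rather than only DELETE. To exclude one verb use
    # type: method (e.g. value: "DELETE"); whether method and path can be
    # combined in a single rule is not shown here -- confirm in the tool docs.
    - description: "Skip the user API (all methods; a url_path rule cannot single out DELETE)"
      type: url_path
      value: "/api/v1/users/*"
    # code_path values are repo-relative file paths or globs (e.g. "src/auth.ts", "test/**").
    # - description: "Test fixtures and specs (not production code)"
    #   type: code_path
    #   value: "test/**"
    #
    # - description: "Generated migrations"
    #   type: code_path
    #   value: "db/migrations/**"
  focus:
    - description: "Prioritize beta admin panel subdomain"
      type: subdomain
      value: "beta-admin"
    - description: "Focus on user profile updates"
      type: url_path
      value: "/api/v2/user-profile"
    # code_path values are repo-relative file paths or globs (e.g. "src/auth.ts", "routes/*.ts").
    # - description: "Express route handlers"
    #   type: code_path
    #   value: "routes/*.ts"
    #
    # - description: "Sequelize ORM model definitions"
    #   type: code_path
    #   value: "models/*.ts"

# Report filters applied by the report agent when assembling the final report (optional).
# Example below is illustrative; edit, remove, or add sections as needed.
# report:
#   min_severity: low
#   min_confidence: low
#   guidance: |
#     Drop findings about missing security headers and rate-limit gaps.
#     ...

# Pipeline execution settings (optional)
# pipeline:
#   retry_preset: subscription  # 'default' or 'subscription' (6h max retry for rate limit recovery)
#   max_concurrent_pipelines: 2  # 1-5, default: 5 (reduce to lower API usage spikes)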