mirror of
https://github.com/KeygraphHQ/shannon.git
synced 2026-05-25 18:07:54 +02:00
ezl-keygraph
1af42339b9
* feat(preflight): add credential validation activity * refactor(preflight): tighten error retryability and dedup failure-point enum * refactor(preflight): extract resolvePromptDir helper and cap failure_detail at 250 chars * refactor(preflight): inline validator rules into intro paragraph * refactor(preflight): restyle validator prompt with XML tags and tool list * chore(preflight): bump auth validation timeout to 10 minutes * feat: provision playwright stealth config for browser auto-discovery * feat(stealth): strengthen browser fingerprint with chrome.runtime and realistic plugins * feat(prompts): add pipeline-testing stub for validate-authentication * refactor(stealth): swap zx for node:fs in playwright-config-writer * feat(auth): add email_login credentials with login-flow substitution * fix(auth): propagate email_login through credentials sanitizer * fix(config): drop dangerous-pattern check on credentials.password * feat(auth-validation): instruct agent to mask sensitive values in failure_detail * docs(auth): document email_login credentials for magic-link and email-OTP flows * docs(auth): add login_flow authoring guide with placeholder reference * feat(auth): make credentials.password optional for passwordless flows * docs(auth): drop redundant placeholder hint from login_flow examples
109 lines
3.7 KiB
YAML
109 lines
3.7 KiB
YAML
# Example configuration file for pentest-agent
|
|
# Copy this file and modify it for your specific testing needs
|
|
|
|
# Description of the target environment (optional, max 500 chars)
|
|
description: "Next.js e-commerce app on PostgreSQL. Local dev environment — .env files contain local-only credentials, not deployed to production."
|
|
|
|
# Limit which vulnerability classes run end-to-end (optional, default: all five)
|
|
# vuln_classes: [injection, xss, auth, authz, ssrf]
|
|
|
|
# Skip the exploitation phase (optional, default: "true")
|
|
# exploit: "false"
|
|
|
|
# Free-form engagement rules applied to analysis and exploitation agents (optional).
|
|
# Example below is illustrative; edit, remove, or add sections as needed.
|
|
# rules_of_engagement: |
|
|
# Forbidden techniques:
|
|
# - No password brute-force or credential stuffing. Cap login attempts at 5 per account.
|
|
# - ...
|
|
#
|
|
# Operational:
|
|
# - Throttle to under 5 requests per second per endpoint. Back off 60 seconds on any 429 response.
|
|
# - ...
|
|
#
|
|
# Data handling:
|
|
# - Do not include actual values in deliverables — use placeholders like [order_id] or [user_email].
|
|
# - ...
|
|
|
|
authentication:
|
|
login_type: form # Options: 'form' or 'sso'
|
|
login_url: "https://example.com/login"
|
|
credentials:
|
|
username: "testuser"
|
|
password: "testpassword"
|
|
totp_secret: "JBSWY3DPEHPK3PXP" # Optional TOTP secret for 2FA
|
|
|
|
# Optional mailbox credentials for magic-link / email-OTP flows.
|
|
# email_login:
|
|
# address: "inbox@example.com"
|
|
# password: "mailbox-password"
|
|
# totp_secret: "JBSWY3DPEHPK3PXP"
|
|
|
|
# Natural language instructions for login flow
|
|
login_flow:
|
|
- "Type $username into the email field"
|
|
- "Type $password into the password field"
|
|
- "Click the 'Sign In' button"
|
|
- "Enter $totp in the verification code field"
|
|
- "Click 'Verify'"
|
|
|
|
success_condition:
|
|
type: url_contains # Options: 'url_contains' or 'element_present'
|
|
value: "/dashboard"
|
|
|
|
rules:
|
|
# Supported types: url_path, subdomain, domain, method, header, parameter, code_path
|
|
avoid:
|
|
- description: "Do not test the marketing site subdomain"
|
|
type: subdomain
|
|
value: "www"
|
|
|
|
- description: "Skip logout functionality"
|
|
type: url_path
|
|
value: "/logout"
|
|
|
|
- description: "No DELETE operations on user API"
|
|
type: url_path
|
|
value: "/api/v1/users/*"
|
|
|
|
# code_path values are repo-relative file paths or globs (e.g. "src/auth.ts", "test/**").
|
|
# - description: "Test fixtures and specs (not production code)"
|
|
# type: code_path
|
|
# value: "test/**"
|
|
#
|
|
# - description: "Generated migrations"
|
|
# type: code_path
|
|
# value: "db/migrations/**"
|
|
|
|
focus:
|
|
- description: "Prioritize beta admin panel subdomain"
|
|
type: subdomain
|
|
value: "beta-admin"
|
|
|
|
- description: "Focus on user profile updates"
|
|
type: url_path
|
|
value: "/api/v2/user-profile"
|
|
|
|
# code_path values are repo-relative file paths or globs (e.g. "src/auth.ts", "routes/*.ts").
|
|
# - description: "Express route handlers"
|
|
# type: code_path
|
|
# value: "routes/*.ts"
|
|
#
|
|
# - description: "Sequelize ORM model definitions"
|
|
# type: code_path
|
|
# value: "models/*.ts"
|
|
|
|
# Report filters applied by the report agent when assembling the final report (optional).
|
|
# Example below is illustrative; edit, remove, or add sections as needed.
|
|
# report:
|
|
# min_severity: low
|
|
# min_confidence: low
|
|
# guidance: |
|
|
# Drop findings about missing security headers and rate-limit gaps.
|
|
# ...
|
|
|
|
# Pipeline execution settings (optional)
|
|
# pipeline:
|
|
# retry_preset: subscription # 'default' or 'subscription' (6h max retry for rate limit recovery)
|
|
# max_concurrent_pipelines: 2 # 1-5, default: 5 (reduce to lower API usage spikes)
|