# PromptZero full configuration template.
# Copy to ~/.promptzero/config.yaml or pass via --config. Every non-trivial
# field is commented; omit sections you don't need.
# --- API + model ----------------------------------------------------------
# Anthropic API key (or set ANTHROPIC_API_KEY env var — env wins).
# A key written here is stored in plaintext. Prefer the env var; if you do
# fill this in, keep the file out of version control and readable only by
# your own user (e.g. mode 0600 on ~/.promptzero/config.yaml).
api_key: ""
# Optional OpenAI key for Whisper voice transcription.
# Same plaintext-on-disk caveat as api_key.
openai_api_key: ""
# Claude model. Defaults to claude-opus-4-7 if omitted.
# Options: claude-opus-4-7   (most capable, $15/$75 per M tok),
#          claude-sonnet-4-6 (fast + cheap, $3/$15),
#          claude-haiku-4-5  (cheapest, $0.80/$4).
model: "claude-opus-4-7"
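# --- Flipper Zero connection ---------------------------------------------
# port, baud_rate and transport_url are children of `serial`; the hybrid-mode
# notes in this template refer to the last one as serial.transport_url.
serial:
  port: "/dev/ttyACM0"  # USB CDC-ACM path
  baud_rate: 230400     # nominal; the line rate does not matter over USB CDC-ACM
  # transport_url overrides port + baud. Schemes:
  #   serial:///dev/ttyACM0?baud=230400
  #   mock:///dev/pts/5          (test harness pty slave)
  #   ble://<addr>               (live; Linux/macOS — not WSL2). The
  #                              <addr> is shape-detected:
  #     80:E1:26:69:6E:55        hardware MAC (Linux/Windows native)
  #     e127efc1-05ec-...        CoreBluetooth UUID (macOS; per-Mac)
  #     Unholy                   advertising LocalName (any OS)
  # On macOS, run `promptzero --ble-discover` to find the UUID — the
  # OS hides hardware MACs and gives apps a per-Mac UUID instead.
  # A LocalName is whatever a device chooses to advertise, so it is the
  # weakest of the three selectors; prefer the MAC/UUID form when other BLE
  # devices may be in range.
  transport_url: ""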
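# --- ESP32 Marauder (WiFi + BLE devboard) --------------------------------
# Every key in this section is a child of `marauder`. Left at column 0,
# enabled / port / baud_rate would collide with the same-named keys of other
# sections.
marauder:
  enabled: false        # flip to true when the devboard is plugged in
  port: "/dev/ttyUSB0"  # used when bridge=false and transport!="ble" (separate USB cable)
  baud_rate: 115200
  # transport: "ble"    # uncomment to drive a standalone ESP32-Marauder
  #                     # devboard directly over BLE. When set, `port`
  #                     # is reinterpreted as the BLE address — a
  #                     # hardware MAC on Linux/Windows, a CoreBluetooth
  #                     # UUID on macOS (run `--ble-discover`), or a
  #                     # device LocalName like "Marauder". This path
  #                     # bypasses the Flipper UART bridge entirely;
  #                     # mutually exclusive with bridge: true. Override
  #                     # per-launch with --marauder-ble <addr>.

  # Marauder stacked on Flipper GPIO header (single USB cable to Flipper).
  # When bridge=true, PromptZero launches the Flipper's USB-UART Bridge app
  # and pipes the host serial port through to the Marauder. While bridge
  # mode is active, all flipper_* tools are disabled (the CLI is gone by
  # firmware design).
  bridge: false
  # Override per firmware: Momentum / Unleashed / RogueMaster all ship the
  # app as "USB-UART Bridge" today; older OFW builds may expect a different
  # name. Quotes are part of the CLI verb — keep them.
  # bridge_command: 'loader open "USB-UART Bridge"'
  # bridge_settle: 750ms
  # bridge_port_reopen_timeout: 5s

  # Hybrid mode — Flipper over BLE, Marauder via the USB bridge:
  #   Set serial.transport_url: "ble://AA:BB:CC:DD:EE:FF" AND
  #   marauder.bridge: true AND marauder.port: "/dev/ttyACM0".
  #   This keeps the Flipper CLI alive (over BLE) while the USB cable
  #   carries Marauder traffic. Requires native Linux or macOS — WSL2
  #   does not expose Bluetooth to the Linux guest.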
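# --- Web UI --------------------------------------------------------------
# All keys below are children of `web`.
web:
  host: "127.0.0.1"  # loopback default; pair with a non-empty
                     # token below before binding publicly
  port: 8080
  # Bearer token. When set, every /api request must carry
  # `Authorization: Bearer <token>` and /ws negotiates the token via
  # `Sec-WebSocket-Protocol: bearer, <token>`. Empty = auth disabled
  # (dev mode only — the server prints a loud warning if the bind is
  # non-loopback and the token is empty).
  # PROMPTZERO_WEB_TOKEN env var overrides this field.
  # Use a long random value, and prefer the env var so the token is not
  # stored in this file.
  token: ""
  # WebSocket Origin allow-list. Empty = same-origin only (safe default
  # behind a reverse proxy). Use only to allow a separate cockpit host.
  # A literal "*" entry is refused at startup — see allow_any_origin.
  cors_origins: []
  # Example (replace the empty list above):
  #   cors_origins:
  #     - "https://cockpit.lan"
  # TLS: terminate at your reverse proxy (Caddy/Traefik/nginx);
  # promptzero speaks plain HTTP so it doesn't need cert management.
  # Consequence: on any non-loopback bind without TLS in front, the bearer
  # token above crosses the network in cleartext.
  # Opt-in wildcard Origin matching. Pair with cors_origins: [] (no "*").
  # Use only for local dev — disables CSWSH protection (cross-site
  # WebSocket hijacking).
  allow_any_origin: false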
# --- Default persona -----------------------------------------------------
# One of: default, rf-recon, badge-cloner, hw-recon, physical-pentest,
# defender — or any YAML file under ~/.promptzero/personas/ (see examples/personas).
# NOTE(review): persona files are loaded from a user-writable directory;
# presumably they shape the agent's prompt, so review any file you did not
# write yourself — confirm against the persona loader.
persona: "default"
# --- Read-only safety rail -----------------------------------------------
# When true, dispatch refuses any tool whose Spec.Risk is above Low — no
# writes, no transmits, no execution, no payload generation. The single
# safety rail in v0.19.0; replaces the old --mode flag (which is
# deprecated and will be removed in v0.20.0). Override with --read-only
# on the command line.
# The template ships with the rail off: with false, tools above Low risk
# are not refused by this setting.
read_only: false
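# --- Filesystem-trigger mode (--watch) -----------------------------------
# enabled, paths and rules are children of `watch`; each rule is one list
# item holding pattern, prompt and an optional persona. (The top-level
# `rules` key elsewhere in this file is the separate reactive-rules list.)
#
# A matching file starts a prompt with no operator typing it, and the file's
# path is substituted into that prompt. Treat watched directories as an input
# channel to the agent: keep them writable only by the operator, and consider
# read_only: true for unattended runs.
# NOTE(review): how {{path}} is escaped before substitution is not visible
# in this template — confirm before watching a directory others can write to.
watch:
  enabled: false  # gate via --watch CLI flag in most cases
  paths: []       # ["/home/you/flipper-inbox"]
  rules:
    - pattern: "*.sub"  # any new .sub file in a watched path
      prompt: "Decode and summarise this Sub-GHz capture: {{path}}"
      persona: "rf-recon"
    - pattern: "*.png"  # photos of gear — auto-triage
      prompt: "Analyse this photo. Identify the device and likely attack surface: {{path}}"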
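# --- Webhooks (outbound HTTP events) -------------------------------------
#
# events: allowlist filter. Empty = receive all events. Valid values:
#   tool_finished       a tool call completed (success or failure)
#   risk_prompted       agent asked the operator to confirm a risky tool
#   risk_denied         operator denied a risky tool confirmation
#   workflow_completed  a workflow tool (multi-step) finished
#   audit_critical      an audit entry at level=Critical was recorded
#   session_started     REPL session bootstrap finished
#   session_ended       REPL exiting
#   rule_fired          rule engine targeted this subscription via
#                       `webhook: <name>` in its then-block
#
# Subscriptions referenced by a rule's `webhook:` action receive the
# rule_fired event regardless of their Events filter — the rule's
# match clause IS the filter for those deliveries.
#
# Each subscription is one list item; name, url, events, secret and headers
# belong to that item. An incoming-webhook URL is itself a credential and
# `secret` is a signing key, so keep this file out of version control once
# real values are filled in. Both placeholders below must be replaced.
webhooks:
  - name: "slack-alerts"  # referenced by rules' webhook action
    url: "https://hooks.slack.com/services/T0/B0/REPLACE"
    events: ["audit_critical", "tool_finished"]  # empty = all events
    # Enables X-PromptZero-Signature. It only helps if the receiver checks
    # the header on every delivery.
    secret: "REPLACE_WITH_RANDOM_HMAC_SECRET"
    headers:
      X-Source: "promptzero"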
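# --- Observability -------------------------------------------------------
# All keys below are children of `observability`.
observability:
  log_level: "info"   # debug | info | warn | error
  log_format: "text"  # "text" (human) or "json" (shipping)
  # log_file: "/var/log/promptzero.log"  # tees alongside stderr
  # Exposes Prometheus /metrics on the web port.
  # NOTE(review): the web.token comment in this template names /api and /ws
  # only — confirm whether /metrics is also behind the bearer token before
  # binding web.host to a non-loopback address.
  metrics_enabled: true
  metrics_path: "/metrics"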
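# --- BadUSB sandbox validator --------------------------------------------
# Settings live under validator.badusb.
validator:
  badusb:
    # enabled: true         # leave unset to default to on
    allow_critical: false   # refuse payloads with Critical findings
    # "warn" still runs the payload after logging; "block" is the stricter
    # choice when nobody is reading the log.
    warn_action: "warn"     # "warn" (log + run) or "block" (refuse)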
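# --- Cost overrides (USD per million tokens) ------------------------------
# Missing entries fall back to the built-in rate table in internal/cost.
# `rates` is a child of `cost`; with every entry commented out it parses as
# null, i.e. no overrides. Uncomment a model block (keeping its indentation)
# to override that model's rates.
cost:
  rates:
    # claude-sonnet-4-6:
    #   input: 3.00
    #   output: 15.00
    # claude-opus-4-7:
    #   input: 15.00
    #   output: 75.00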
# --- Reactive rules ------------------------------------------------------
# Inline rules can go here, or keep them in examples/rules.yaml and merge
# with `yq`/`sops` at deploy time. See examples/rules.yaml for the schema.
# The empty list means no inline rules are defined in this file.
rules: []
# --- Outbound MCP federation (v0.6) --------------------------------------
# Each entry brings one external MCP server's tools into the agent's
# catalogue under a shared prefix. See docs/integrations/mcp-federation.md
# for the full reference; commented-out examples below.
#
# To enable an example, replace the `[]` below with the uncommented entry,
# keeping the nesting shown.
#
# Review points before enabling any entry:
#   - Each entry starts or contacts third-party code whose tools the agent
#     can then call. Vet the project first.
#   - The docker examples pull mutable `:latest` tags. Pinning the image by
#     digest (image@sha256:<digest>) keeps a later push from changing what
#     runs.
#   - `--network=host` in the first example gives the container the host's
#     network stack. Drop it unless the tools need it.
#   - NOTE(review): the exact effect of `sandbox:` (docker / firejail / none)
#     and `risk_default:` is defined in the federation docs, not here.
#     Confirm how `sandbox: none` and the risk levels interact with
#     read_only.
#   - NOTE(review): $SHODAN_API_KEY and $BLOODHOUND_TOKEN are presumably
#     expanded from the environment — confirm, and do not paste literal
#     secrets in their place.
#
mcp_clients: []
#   # FuzzingLabs/mcp-security-hub (530★) — nmap/nuclei/sqlmap/ghidra/hashcat
#   - prefix: secsec
#     transport: stdio
#     command: docker
#     args: [run, --rm, -i, --network=host, ghcr.io/fuzzinglabs/security-hub:latest]
#     sandbox: docker
#     risk_default: high
#     env:
#       SHODAN_API_KEY: $SHODAN_API_KEY
#
#   # mplogas/pm3-mcp — Proxmark3 iceman federation (Picopass, iCLASS, HID Prox)
#   - prefix: pm3
#     transport: stdio
#     command: pm3-mcp
#     sandbox: none
#     risk_default: high
#
#   # MorDavid/Hashcat-MCP — closes WiFi → cracker chain
#   - prefix: hcat
#     transport: stdio
#     command: docker
#     args: [run, --rm, -i, --gpus, all, mordavid/hashcat-mcp:latest]
#     sandbox: docker
#     risk_default: critical
#
#   # MorDavid/BloodHound-MCP-AI (335★) — AD attack-path queries
#   - prefix: bh
#     transport: http
#     url: http://localhost:7474/mcp
#     headers:
#       Authorization: Bearer $BLOODHOUND_TOKEN
#     risk_default: medium
#
#   # PortSwigger/mcp-server — official Burp MCP
#   - prefix: burp
#     transport: stdio
#     command: burp-mcp-server
#     sandbox: firejail
#     risk_default: medium
#
#   # LaurieWired/GhidraMCP — reverse-engineer dumped firmware
#   - prefix: ghidra
#     transport: stdio
#     command: docker
#     args: [run, --rm, -i, lauriewired/ghidra-mcp:latest]
#     sandbox: docker
#     risk_default: low