farhoodlabs/trebuchet
8
0
Fork 0
Code Issues Pull Requests 5 Actions Packages Projects Releases Wiki Activity
Files
47a6e4933a2417511eb69166a29969fd46da6fa6
trebuchet/apps/worker/configs/example-config.yaml
T
Chris Farhood 47a6e4933a
CI / Type-check & lint (pull_request) Successful in 16s
Details
CI / Build & push worker image (pull_request) Has been skipped
Details
CI / Build & push API image (pull_request) Has been skipped
Details
feat: backport auth-validation preflight + email_login credentials 
Backport upstream Shannon PR #335:
- Add credential validation activity that drives a real browser login
  before the full pipeline, catching bad credentials early
- New email_login credentials type for magic-link and email-OTP flows
- Make credentials.password optional for passwordless flows
- Playwright stealth config (chrome.runtime, plugin simulation, UA)
- Centralize prompt directory resolution into resolvePromptDir helper
- New AUTH_LOGIN_FAILED error code with non-retryable classification
- Remove dangerous-pattern validation on credentials.password
- Pipeline-testing stub for auth validation (returns success)
- Auth validation timeout of 10 minutes for browser-based login
- .playwright directory workspace overlay for CLI/Docker

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-20 00:59:27 +00:00

73 lines
2.4 KiB
YAML
Raw Blame History

# Example configuration file for pentest-agent
# Copy this file and modify it for your specific testing needs
# Description of the target environment (optional, max 500 chars)
description: "Next.js e-commerce app on PostgreSQL. Local dev environment — .env files contain local-only credentials, not deployed to production."
authentication:
login_type: form # Options: 'form' or 'sso'
login_url: "https://example.com/login"
credentials:
username: "testuser"
password: "testpassword"
totp_secret: "JBSWY3DPEHPK3PXP" # Optional TOTP secret for 2FA
# Natural language instructions for login flow
login_flow:
- "Type $username into the email field"
- "Type $password into the password field"
- "Click the 'Sign In' button"
- "Enter $totp in the verification code field"
- "Click 'Verify'"
success_condition:
type: url_contains # Options: 'url_contains' or 'element_present'
value: "/dashboard"
rules:
avoid:
- description: "Do not test the marketing site subdomain"
type: subdomain
url_path: "www"
- description: "Skip logout functionality"
type: path
url_path: "/logout"
- description: "No DELETE operations on user API"
type: path
url_path: "/api/v1/users/*"
focus:
- description: "Prioritize beta admin panel subdomain"
type: subdomain
url_path: "beta-admin"
- description: "Focus on user profile updates"
type: path
url_path: "/api/v2/user-profile"
# Email-based login (for magic-link / email-OTP flows)
# authentication:
# login_type: form
# login_url: "https://example.com/login"
# credentials:
# username: "testuser"
# email_login:
# address: "testuser@example.com"
# password: "email-password"
# totp_secret: "JBSWY3DPEHPK3PXP" # Optional TOTP for email 2FA
# login_flow:
# - "Type $username into the username field"
# - "Type $email_address into the email field"
# - "Type $email_password into the email password field"
# - "Enter $email_totp in the verification code field"
# success_condition:
# type: url_contains
# value: "/dashboard"
# Pipeline execution settings (optional)
# pipeline:
# retry_preset: subscription # 'default' or 'subscription' (6h max retry for rate limit recovery)
# max_concurrent_pipelines: 2 # 1-5, default: 5 (reduce to lower API usage spikes)
Reference in New Issue View Git Blame Copy Permalink