# prowlr-cli example config.
# Copy to prowlr.yaml (or ~/.openharness/prowlr.yaml) and edit.
# See FORK_NOTICE.md for how prowlr-cli overlays on top of OpenHarness.
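# ----------------------------------------------------------------------
# Plugins
# ----------------------------------------------------------------------
# Default plugin: the bug-bounty plugin symlinked into plugins/.
# Launch with: prowlr --plugin-dir ./plugins ...
# (or symlink plugins/prowlr-bug-bounty into ~/.openharness/plugins/ for
# auto-discovery without the flag).
#
# NOTE(review): the relative roots below presumably resolve against the
# directory prowlr is started from -- confirm. If so, the project-scope
# root lets a checked-out repository supply its own plugins, so review
# .openharness/plugins before launching inside a third-party checkout.
plugins:
  default: prowlr-bug-bounty
  roots:
    - ./plugins                 # fork-local: holds symlink + hook stubs
    # Quoted so the leading '~' is unambiguously a string.
    - '~/.openharness/plugins'  # user scope
    - .openharness/plugins      # project scope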
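# ----------------------------------------------------------------------
# Model
# ----------------------------------------------------------------------
# NOTE(review): presumably `fallback` is used when `default` cannot be
# reached -- confirm. The two entries appear to name different backends,
# so check that engagement data is permitted to reach each of them.
model:
  default: claude-opus-4-7
  # Quoted because the value contains a colon.
  fallback: 'ollama/qwen3:14b'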
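# ----------------------------------------------------------------------
# MCP servers bundled via the prowlr-bug-bounty plugin.
# Paths are resolved relative to the plugin root (claude-bug-bounty/mcp).
# hexstrike is intentionally disabled; the plugin's rule requires
# an explicit opt-in per target.
#
# Every other bundled server is enabled in this example. Each enabled
# server adds tools the agent can call, so set `enabled: false` for any
# server the current engagement does not need.
# ----------------------------------------------------------------------
mcp:
  servers:
    cyberbox: { enabled: true }
    caido: { enabled: true }
    searxng: { enabled: true }
    hackerone-mcp: { enabled: true }
    obsidian: { enabled: true }
    pentest: { enabled: true }
    prowlr-rag: { enabled: true }
    burp-mcp-client: { enabled: true }
    hexstrike: { enabled: false }  # opt-in per target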
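# ----------------------------------------------------------------------
# Hooks. Each entry is a `type: command` hook shelling to the stub
# module under plugins/prowlr-hooks/. Bodies are stubbed — see v0.2.
#
# Because the bodies are stubs, scope_gate does not yet check anything:
# confirm every target is in scope yourself until it is implemented.
#
# The command paths below are absolute paths from the original checkout;
# edit them to match your own. `python` is looked up on PATH, so run
# prowlr from an environment whose interpreter you trust, and keep the
# hook scripts writable only by your own user.
# ----------------------------------------------------------------------
hooks:
  pre_tool_use:
    # block_on_failure: true -- presumably a failing gate stops the tool
    # call (fail closed); confirm against the harness documentation.
    - name: scope_gate
      type: command
      command: python /home/anon/prowlr-cli/plugins/prowlr-hooks/scope_gate.py
      block_on_failure: true
    # block_on_failure: false -- presumably a failing loss_guard does not
    # stop the tool call (fail open).
    - name: loss_guard
      type: command
      command: python /home/anon/prowlr-cli/plugins/prowlr-hooks/loss_guard.py
      block_on_failure: false
  post_tool_use:
    - name: humanizer
      type: command
      command: python /home/anon/prowlr-cli/plugins/prowlr-hooks/humanizer.py
      matcher: "Write|Edit"
      block_on_failure: false
  # status line surface is not one of the four hook events; the
  # cost_meter is listed for discoverability only.
  # NOTE(review): nesting under `hooks` is reconstructed -- confirm.
  status_line:
    - name: cost_meter
      command: python /home/anon/prowlr-cli/plugins/prowlr-hooks/cost_meter.py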
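# ----------------------------------------------------------------------
# Cost cap (enforced by cost_meter + the agent system prompt).
#
# NOTE(review): the hooks section describes the hook bodies as stubbed
# and lists cost_meter for discoverability only, so treat this cap as
# advisory until cost_meter is implemented. Set a hard spending limit
# with the model provider as well.
# ----------------------------------------------------------------------
cost:
  daily_budget_usd: 20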