Agent-readable docs

PentAGI Documentation

Self-hosted autonomous penetration testing platform: Docker deployment, multi-agent flows, BYOK LLM providers, REST and GraphQL APIs, sandbox tools, and optional observability stacks for security engineers and operators.

Pages

  1. OverviewWhat PentAGI exposes: autonomous multi-agent pentests in Docker, BYOK LLM providers, web UI, REST and GraphQL under /api/v1, and the shortest path from deploy to first flow.
  2. InstallationPrerequisites, Docker Compose core stack, .env from .env.example, SSL and data volumes, and compose overlays for observability, Langfuse, and Graphiti.
  3. QuickstartFirst successful run: set at least one LLM key, docker compose up, open https://localhost:8443, change admin@pentagi.com defaults, create a flow, and verify provider and UI health.
  4. Interactive installerTUI installer wizard: system checks, .env generation, LLM and search setup, SSL hardening, compose deploy, and admin password reset maintenance paths.
  5. Flows, tasks, and subtasksExecution hierarchy: Flow lifecycle and StatusType states, Task objectives, Generator and Refiner subtask plans, Assistant mode, and putUserInput, stopFlow, finishFlow boundaries.
  6. Agents and supervisionSpecialist agents (primary, pentester, coder, installer, searcher, memorist, adviser, reflector, reporter), execution monitor, planning step, and tool-call hard limits.
  7. Tools and sandbox executionTool categories, Docker-isolated terminal and file tools, network search tools, barrier tools done and ask, timeouts, and default images for general vs pentest work.
  8. Memory and knowledgepgvector memory tools, embeddings config, chain summarizer budgets, user knowledge documents API, flow files and resources under /work, and optional Graphiti graph search.
  9. Configure LLM providersWire OpenAI, Anthropic, Gemini, Bedrock, DeepSeek, GLM, Kimi, Qwen, and Ollama via env keys and server URLs; UI provider profiles for per-agent models; test providers before flows.
  10. Local and custom providersOpenAI-compatible custom endpoints (LLM_SERVER_*), Ollama local or cloud, config path YAML, legacy and preserve reasoning flags, and aggregator endpoints such as OpenRouter and DeepInfra.
  11. Search enginesEnable and configure DuckDuckGo, Google CSE, Tavily, Traversaal, Perplexity, Sploitus, and Searxng; scraper URLs; proxy and timeout constraints that gate network search tools.
  12. Authentication and API tokensLocal session login, OAuth Google and GitHub, default admin account, password change, Bearer API tokens for REST and GraphQL, and permission-scoped token lifecycle.
  13. Observability and LangfuseOptional OpenTelemetry path to Grafana, VictoriaMetrics, Jaeger, and Loki; Langfuse LLM analytics compose stack; OTEL_HOST and LANGFUSE_* keys; what each stack measures.
  14. Knowledge graphEnable Graphiti with Neo4j via docker-compose-graphiti.yml, GRAPHITI_* settings, graphiti_search tool behavior, and failure modes when the graph backend is down.
  15. Docker sandbox and worker nodesDocker socket and network options, DOCKER_INSIDE and NET_ADMIN, default and pentest images, custom OpenVAS image, and multi-host worker_node deployment constraints.
  16. Environment variablesAuthoritative Config struct and .env.example: core, Docker, server, providers, embeddings, summarizer, search, OAuth, proxy, supervision, Graphiti, Langfuse, and DB pool keys with defaults.
  17. REST APIGin routes under /api/v1: auth, flows, tasks, subtasks, files, resources, containers, toolcalls, assistants, logs, knowledge, providers, settings, users, tokens; Swagger at /api/v1/swagger.
  18. GraphQL APIschema.graphqls surface: Query, Mutation, and Subscription operations for flows, assistants, providers, prompts, API tokens, knowledge, usage stats, and real-time log streams over WebSocket.
  19. Provider configuration schemaPer-agent YAML and AgentsConfig fields: model, temperature, top_p, top_k, max_tokens, json mode, reasoning, price, extra_body; built-in provider config.yml baselines and UI testAgent/testProvider.
  20. Tools referenceNamed tool registry: terminal, file, browser, search engines, memory store/search, agent delegation tools, result tools, barrier tools, and assistant flow-control tools with argument shapes.
  21. Prompts and templatesPromptType enum, embedded .tmpl templates, validation via validatePrompt, user prompt CRUD, and how agent templates bind to execution context variables.
  22. Example provider configsCopy-paste YAML from examples/configs for vLLM, Ollama, OpenRouter, DeepInfra, Azure, and cloud-compatible endpoints mapped to agent config keys.
  23. Sample pentest promptsReady flow inputs from examples/prompts: base web pentest checklist and scope-of-work style engagement prompts with expected report-oriented outcomes.
  24. Deploy with vLLM and QwenAir-gapped style local inference: hardware matrix, vLLM serve flags, LLM_SERVER_* wiring, thinking vs non-thinking provider YAML, and supervision flags recommended for sub-32B models.
  25. Development and testingBackend go build and test, frontend pnpm scripts, gqlgen and graphql:generate, ctester container tests, etester embeddings, ftester tool calling, and local compose for contributors.
  26. ContributingLicense-compatible dependency policy, generate-licenses.sh, PR expectations, and contributor workflow boundaries for backend and frontend changes.

Complete Markdown

The complete agent-readable Markdown files are published separately from this HTML page.