docs: add promptfoo plugin documentation

MrFlounder · claude · MrFlounder · commit 9eb612d70734 · 2026-02-02T14:01:37.000-08:00
- Add crab pf section to README
- Add detailed docs/promptfoo-plugin.md

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/README.md b/README.md
@@ -134,6 +134,25 @@ crab config scan         # Auto-detect .env files and ports
 crab config              # Show current configuration
 ```
 
+### Promptfoo Target Discovery (`crab pf`)
+
+AI-powered agent that analyzes any target and generates working promptfoo configurations.
+
+```bash
+crab pf install                              # Install the plugin
+crab pf --file target.txt                    # Analyze from file
+crab pf "curl -X POST http://..."            # Analyze curl command
+crab pf --file api.json --output ./config    # Specify output dir
+crab pf --file spec.yaml --verbose           # Show detailed output
+crab pf uninstall                            # Remove the plugin
+```
+
+**Supported formats:** curl commands, OpenAPI specs, Postman collections, Burp exports, plain text descriptions
+
+**Requirements:** Node.js, `OPENAI_API_KEY` or `ANTHROPIC_API_KEY`
+
+The agent probes the target, figures out the protocol (HTTP, WebSocket, polling, etc.), generates the config, and verifies it works.
+
 ### Other Commands
 
 ```bash
diff --git a/docs/promptfoo-plugin.md b/docs/promptfoo-plugin.md
@@ -0,0 +1,123 @@
+# Promptfoo Target Discovery Plugin
+
+An AI-powered agent that analyzes any target specification and generates working [promptfoo](https://promptfoo.dev) configurations for red-teaming.
+
+## Installation
+
+```bash
+crab pf install
+```
+
+**Requirements:**
+- Node.js 18+
+- API key: `OPENAI_API_KEY` or `ANTHROPIC_API_KEY`
+
+## Usage
+
+```bash
+# From a file (any format)
+crab pf --file target.txt
+
+# From a curl command
+crab pf "curl -X POST http://localhost:8080/chat -d '{\"message\":\"hi\"}'"
+
+# Specify output directory
+crab pf --file api-spec.json --output ./my-config
+
+# Use Anthropic instead of OpenAI
+crab pf --file target.txt --provider anthropic:claude-sonnet-4-20250514
+
+# Verbose output (see agent reasoning)
+crab pf --file target.txt --verbose
+```
+
+## Supported Input Formats
+
+| Format | Example |
+|--------|---------|
+| **Curl** | `curl -X POST http://api.example.com/chat -H "Authorization: Bearer $TOKEN" -d '{"message":"hi"}'` |
+| **OpenAPI/Swagger** | `openapi.json`, `swagger.yaml` |
+| **Postman** | Exported collection JSON |
+| **Burp Suite** | Exported XML |
+| **Plain text** | Any description of the API |
+
+## What It Does
+
+1. **Parses** the input to understand the target
+2. **Probes** the target to verify connectivity and discover request/response format
+3. **Generates** a promptfoo YAML config (and custom provider.js if needed)
+4. **Verifies** the config works with a mini red-team test
+
+## Output
+
+The agent creates:
+
+```
+output-dir/
+├── promptfooconfig.yaml   # Main config file
+├── provider.js            # Custom provider (if needed for WebSocket, polling, etc.)
+└── package.json           # Dependencies (if provider.js uses external packages)
+```
+
+## Target Types
+
+| Type | Provider |
+|------|----------|
+| Simple HTTP | Built-in `http` provider |
+| HTTP with auth | Built-in `http` provider with env vars |
+| Session-based | Built-in `http` provider with `sessionParser` |
+| WebSocket | Custom `provider.js` |
+| Async/Polling | Custom `provider.js` |
+| GraphQL | Built-in `http` provider |
+
+## Example
+
+```bash
+# Start your target
+cd my-api && npm start
+
+# Generate config
+export OPENAI_API_KEY=sk-...
+crab pf --file my-api-docs.txt --output ./redteam-config --verbose
+
+# Run red-team
+cd ./redteam-config
+promptfoo eval
+```
+
+## Options
+
+| Flag | Description |
+|------|-------------|
+| `--file`, `-f` | Input file path |
+| `--output`, `-o` | Output directory (default: current dir) |
+| `--provider` | LLM provider (default: `openai:gpt-4o`) |
+| `--verbose`, `-v` | Show detailed agent output |
+| `--max-turns` | Max agent iterations (default: 30) |
+
+## Environment Variables
+
+| Variable | Description |
+|----------|-------------|
+| `OPENAI_API_KEY` | OpenAI API key |
+| `ANTHROPIC_API_KEY` | Anthropic API key |
+| `DISCOVERY_PROVIDER` | Default provider (e.g., `anthropic:claude-sonnet-4-20250514`) |
+
+## Uninstall
+
+```bash
+crab pf uninstall
+```
+
+## How It Works
+
+The plugin uses an LLM agent loop with tools:
+
+1. **probe** - Send HTTP requests to test connectivity
+2. **probe_ws** - Test WebSocket endpoints
+3. **write_config** - Generate promptfoo YAML
+4. **write_provider** - Generate custom JS/Python providers
+5. **verify** - Run `promptfoo eval` to test
+6. **done** - Signal completion
+
+The agent decides which tools to use based on the target. For simple HTTP APIs, it uses the built-in provider. For complex targets (WebSocket, polling), it generates custom provider code.
