rene/llm-gateway
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
llm-gateway/packages/gateway/prompts/templates/sb_firmware_assess.yaml
Rene Fichtmueller 4c5003f9fc feat: fix OLLAMA_URL to use Cloudflare tunnel + add 35 prompt templates 
- Update OLLAMA_URL from 192.168.178.169 to https://ollama.fichtmueller.org
- Fix port from 3100 to 3103 (3100 was taken by Docker proxy on Erik)
- Fix DATABASE_URL password to llm_secure_2026
- Add GITEA_URL env var for ban list sync
- Add 35 prompt templates: TIP (10), EO Global Pulse (8), SwitchBlade (9),
  PeerCortex (3), internal (3), ShieldX (1), general (1)
2026-04-02 23:00:37 +02:00

166 lines
7.0 KiB
YAML
Raw Blame History

id: sb_firmware_assess
version: "1.0.0"
task_type: sb_firmware_assess
description: Convert vendor firmware/software changelog into a plain-language assessment with upgrade urgency classification
model_preference: qwen2.5:7b
model_minimum: qwen2.5:7b
temperature: 0.2
max_tokens: 1024
output_format: json
system_prompt: |
You are a firmware assessment specialist for SwitchBlade network infrastructure management.
Convert vendor firmware or operating system release notes/changelogs into a structured plain-language assessment.
Return ONLY valid JSON:
{
"version": "string",
"vendor": "string",
"platform": "string",
"release_date": "string or null",
"upgrade_urgency": "immediate|high|medium|low|skip",
"upgrade_reasoning": "string — why this urgency level",
"critical_changes": [
{
"type": "security-fix|bug-fix|feature|performance",
"description": "string",
"cve_id": "string or null",
"affects_operations": true|false
}
],
"security_fixes": [
{
"cve_id": "string",
"cvss_score": number or null,
"description": "string"
}
],
"breaking_changes": [
{
"change": "string",
"migration_action": "string — what must be done before/after upgrade"
}
],
"notable_features": ["string"],
"known_issues": ["string"],
"upgrade_risk": "low|medium|high",
"upgrade_risk_reasoning": "string",
"recommended_test_procedure": "string — brief test plan before production rollout"
}
Urgency classification:
- immediate: Contains fix for actively exploited CVE (CISA KEV) or critical data plane bug causing outages
- high: Contains critical/high CVE fix or major bug fix affecting stability
- medium: Security fixes for non-critical CVEs, useful bug fixes, new required features
- low: Minor bug fixes, cosmetic changes, new features not currently needed
- skip: No relevant fixes, potential regressions noted, better to wait for next release
user_template: |
Vendor: {{vendor}}
Platform: {{platform}}
Current version in production: {{current_version}}
New version: {{new_version}}
Release notes / changelog:
{{changelog}}
Generate firmware assessment:
few_shot_examples:
- user: |
Vendor: Arista Networks
Platform: 7800R3 series
Current version in production: EOS 4.30.2F
New version: EOS 4.31.0F
Release notes / changelog:
## EOS 4.31.0F Release Notes
### Security Fixes
- CVE-2026-1234 (CVSS 8.6): Fix unauthenticated SNMP information disclosure via crafted OID request
- CVE-2026-0891 (CVSS 5.3): Fix potential BGP session exhaustion via malformed OPEN messages
### Bug Fixes
- Fixed: Incorrect ECMP load balancing on 100G interfaces when using 8-way ECMP with asymmetric weights
- Fixed: Memory leak in BGP daemon after 90-day uptime causing gradual performance degradation
- Fixed: DOM threshold alerts not firing for RX power on QSFP-DD modules
### New Features
- Support for EVPN Type-5 routes with IPv6 next-hop (RFC 9252)
- SR-TE policy support on 7800R3-LC linecard
### Breaking Changes
- SNMP v1/v2c community strings are now disabled by default. Must re-enable explicitly if required.
- BGP password authentication now requires minimum 16 characters (was 8).
assistant: |
{
"version": "EOS 4.31.0F",
"vendor": "Arista Networks",
"platform": "7800R3 series",
"release_date": null,
"upgrade_urgency": "high",
"upgrade_reasoning": "Contains CVSS 8.6 security fix for unauthenticated SNMP information disclosure (CVE-2026-1234). Also fixes BGP memory leak that causes performance degradation after 90 days uptime — likely affecting current production systems. The ECMP load balancing fix on 100G is also operationally significant.",
"critical_changes": [
{
"type": "security-fix",
"description": "Unauthenticated SNMP information disclosure via crafted OID requests",
"cve_id": "CVE-2026-1234",
"affects_operations": true
},
{
"type": "bug-fix",
"description": "BGP daemon memory leak causing gradual performance degradation after 90 days uptime",
"cve_id": null,
"affects_operations": true
},
{
"type": "bug-fix",
"description": "Incorrect ECMP load balancing on 100G with 8-way asymmetric weights",
"cve_id": null,
"affects_operations": true
}
],
"security_fixes": [
{
"cve_id": "CVE-2026-1234",
"cvss_score": 8.6,
"description": "Unauthenticated attacker can retrieve sensitive information via crafted SNMP OID requests"
},
{
"cve_id": "CVE-2026-0891",
"cvss_score": 5.3,
"description": "Potential BGP session exhaustion via malformed OPEN messages — requires existing BGP session"
}
],
"breaking_changes": [
{
"change": "SNMP v1/v2c community strings disabled by default",
"migration_action": "Before upgrade: document all SNMP communities in use. After upgrade: re-enable required communities with 'snmp-server community <string> ro/rw' if NMS still requires v1/v2c. Recommend migrating NMS to SNMPv3 instead."
},
{
"change": "BGP password authentication now requires minimum 16 characters",
"migration_action": "Before upgrade: identify all BGP sessions with passwords shorter than 16 characters. Coordinate with peers to update BGP passwords on both sides before the upgrade window. This is a hard requirement — BGP sessions with short passwords will fail to authenticate after upgrade."
}
],
"notable_features": [
"EVPN Type-5 routes with IPv6 next-hop (RFC 9252) — relevant for IPv6-only environments",
"SR-TE policy support on 7800R3-LC linecard"
],
"known_issues": [],
"upgrade_risk": "medium",
"upgrade_risk_reasoning": "Two breaking changes require coordination before upgrade (SNMP community strings, BGP password length). The BGP password change requires peer coordination which adds operational complexity. The changes are manageable with proper pre-upgrade checklist.",
"recommended_test_procedure": "1. Lab test with copy of production BGP configuration. 2. Verify SNMP community strings are re-configured after upgrade. 3. Identify and update BGP sessions with passwords <16 chars (coordinate with peers). 4. Production rollout: stagger across redundant devices, verify BGP sessions re-establish within 5 min after each device upgrade."
}
variables:
- vendor
- platform
- current_version
- new_version
- changelog
- few_shot_examples
validation_rules:
output_must_be_json: true
required_fields: ["upgrade_urgency", "critical_changes", "breaking_changes", "upgrade_risk"]
Reference in New Issue View Git Blame Copy Permalink