AI Configuration
WPHammer uses AI for security triage, vulnerability analysis, abuse detection, and other automated tasks. Each team configures its own AI providers and assigns them to specific task types.
AI providers
The AiProvider model stores API credentials for AI services. Each team can configure one provider per type, with the following supported providers:
| Provider | Type | Example models |
|---|---|---|
| Anthropic | anthropic | claude-opus-4-6, claude-sonnet-4-6, claude-haiku-4-5-20251001 |
| OpenAI | openai | gpt-4.1, gpt-4.1-mini, gpt-4.1-nano, o3, o4-mini |
Each provider stores:
- name — a user-friendly label
- api_key — encrypted API key
- is_active — toggle to enable or disable without removing the key
The AiProviderType enum defines the provider types and includes a fallbackModels() method that returns a hardcoded model list if the provider's API is unreachable.
Task configuration
The AiTaskConfig model maps specific tasks to a provider and model. Each team can have one configuration per task type.
The AiTaskType enum defines six task types:
| Task | Description | Recommended tier |
|---|---|---|
| Security Triage | Initial classification of security findings | Fast |
| Security Analysis | Deep analysis of complex security issues | Reasoning |
| Abuse Analysis | Detection and analysis of abuse patterns | Fast |
| Scan Summary | Summarizing security scan results | Fast |
| Rule Wizard | Generating suppression rules from findings | Reasoning |
| Defacement Detection | Identifying site defacement from visual checks | Reasoning |
Each task type has a recommendedTier() — either "fast" for high-volume, lower-cost tasks or "reasoning" for complex tasks that benefit from more capable models.
Managing AI settings
AI configuration is managed from the AI settings page (teams/settings/ai). Only users with the canManageTeam permission (Owner and Admin) can manage AI settings, as enforced by the TeamPolicy@manageAiConfig method.
From the settings page, you can:
- Add a provider — configure an API key for Anthropic or OpenAI
- Edit a provider — update the name or API key
- Toggle a provider — enable or disable without removing credentials
- Remove a provider — delete the provider and its task assignments
- Refresh models — clear the cached model list and fetch fresh options from the provider API
- Assign tasks — map each task type to a specific provider and model
- Remove task configs — unassign a task type
The hasAiProvider() method on the Team model checks whether at least one active AI provider is configured.
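The rules above (one provider per type, one configuration per task type, a toggle that disables a provider without removing it) can be checked over a team's settings. The following audit is an added example, not WPHammer code: the snake_case task identifiers, the dataclass shapes and the sample data are assumptions, and it assumes a disabled provider can still have tasks mapped to it.

```python
from dataclasses import dataclass

# Task types and recommended tiers from the table above; the snake_case keys
# are assumed identifiers, not WPHammer's actual enum values.
RECOMMENDED_TIER = {
    "security_triage": "fast", "security_analysis": "reasoning",
    "abuse_analysis": "fast", "scan_summary": "fast",
    "rule_wizard": "reasoning", "defacement_detection": "reasoning",
}

@dataclass
class Provider:            # the non-secret fields listed for AiProvider
    type: str              # "anthropic" or "openai"
    name: str
    is_active: bool

@dataclass
class TaskConfig:          # AiTaskConfig: task -> provider + model
    task: str
    provider_type: str
    model: str

def audit(providers, task_configs):
    """Return sorted (subject, problem) findings for one team's AI settings."""
    findings, by_type, seen = [], {}, set()
    for p in providers:
        if p.type in by_type:   # the page allows one provider per type
            findings.append((p.type, "duplicate provider type"))
        by_type[p.type] = p
    for c in task_configs:
        if c.task in seen:      # the page allows one config per task type
            findings.append((c.task, "duplicate task config"))
        seen.add(c.task)
        provider = by_type.get(c.provider_type)
        if provider is None:
            findings.append((c.task, "provider not configured"))
        elif not provider.is_active:
            findings.append((c.task, "provider disabled"))
    for task, tier in RECOMMENDED_TIER.items():
        if task not in seen:
            findings.append((task, f"unassigned ({tier} tier recommended)"))
    return sorted(findings)

# Constructed sample: OpenAI was toggled off but still has a task assigned.
SAMPLE_PROVIDERS = [Provider("anthropic", "Main", True),
                    Provider("openai", "Backup", False)]
SAMPLE_TASKS = [TaskConfig("security_triage", "anthropic", "claude-haiku-4-5-20251001"),
                TaskConfig("rule_wizard", "openai", "o3")]
```

Running audit(SAMPLE_PROVIDERS, SAMPLE_TASKS) reports the Rule Wizard task as mapped to a disabled provider and lists the four task types that have no assignment.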
Related
- Server Security — security scanning that uses AI triage
- Security Findings — finding lifecycle and AI analysis
- Roles & Permissions — who can manage AI settings