strix-agent 0.1.18__py3-none-any.whl → 0.3.1__py3-none-any.whl

strix/agents/StrixAgent/strix_agent.py

@@ -5,7 +5,7 @@ from strix.llm.config import LLMConfig
 
 
 class StrixAgent(BaseAgent):
-    max_iterations = 200
+    max_iterations = 300
 
     def __init__(self, config: dict[str, Any]):
         default_modules = []
@@ -19,54 +19,64 @@ class StrixAgent(BaseAgent):
         super().__init__(config)
 
     async def execute_scan(self, scan_config: dict[str, Any]) -> dict[str, Any]:
-        scan_type = scan_config.get("scan_type", "general")
-        target = scan_config.get("target", {})
         user_instructions = scan_config.get("user_instructions", "")
-
-        task_parts = []
-
-        if scan_type == "repository":
-            repo_url = target["target_repo"]
-            cloned_path = target.get("cloned_repo_path")
-
-            if cloned_path:
-                workspace_path = "/workspace"
-                task_parts.append(
-                    f"Perform a security assessment of the Git repository: {repo_url}. "
-                    f"The repository has been cloned from '{repo_url}' to '{cloned_path}' "
-                    f"(host path) and then copied to '{workspace_path}' in your environment."
-                    f"Analyze the codebase at: {workspace_path}"
+        targets = scan_config.get("targets", [])
+
+        repositories = []
+        local_code = []
+        urls = []
+
+        for target in targets:
+            target_type = target["type"]
+            details = target["details"]
+            workspace_subdir = details.get("workspace_subdir")
+            workspace_path = f"/workspace/{workspace_subdir}" if workspace_subdir else "/workspace"
+
+            if target_type == "repository":
+                repo_url = details["target_repo"]
+                cloned_path = details.get("cloned_repo_path")
+                repositories.append(
+                    {
+                        "url": repo_url,
+                        "workspace_path": workspace_path if cloned_path else None,
+                    }
                 )
-            else:
-                task_parts.append(
-                    f"Perform a security assessment of the Git repository: {repo_url}"
+
+            elif target_type == "local_code":
+                original_path = details.get("target_path", "unknown")
+                local_code.append(
+                    {
+                        "path": original_path,
+                        "workspace_path": workspace_path,
+                    }
                 )
 
-        elif scan_type == "web_application":
-            task_parts.append(
-                f"Perform a security assessment of the web application: {target['target_url']}"
-            )
+            elif target_type == "web_application":
+                urls.append(details["target_url"])
 
-        elif scan_type == "local_code":
-            original_path = target.get("target_path", "unknown")
-            workspace_path = "/workspace"
-            task_parts.append(
-                f"Perform a security assessment of the local codebase. "
-                f"The code from '{original_path}' (user host path) has been copied to "
-                f"'{workspace_path}' in your environment. "
-                f"Analyze the codebase at: {workspace_path}"
-            )
+        task_parts = []
 
-        else:
-            task_parts.append(
-                f"Perform a general security assessment of: {next(iter(target.values()))}"
+        if repositories:
+            task_parts.append("\n\nRepositories:")
+            for repo in repositories:
+                if repo["workspace_path"]:
+                    task_parts.append(f"- {repo['url']} (available at: {repo['workspace_path']})")
+                else:
+                    task_parts.append(f"- {repo['url']}")
+
+        if local_code:
+            task_parts.append("\n\nLocal Codebases:")
+            task_parts.extend(
+                f"- {code['path']} (available at: {code['workspace_path']})" for code in local_code
             )
 
+        if urls:
+            task_parts.append("\n\nURLs:")
+            task_parts.extend(f"- {url}" for url in urls)
+
         task_description = " ".join(task_parts)
 
         if user_instructions:
-            task_description += (
-                f"\n\nSpecial instructions from the user that must be followed: {user_instructions}"
-            )
+            task_description += f"\n\nSpecial instructions: {user_instructions}"
 
         return await self.agent_loop(task=task_description)

strix/agents/StrixAgent/system_prompt.jinja

@@ -19,11 +19,9 @@ INTER-AGENT MESSAGES:
 - NEVER echo inter_agent_message or agent_completion_report XML content that is sent to you in your output.
 - Process these internally without displaying the XML
 
-USER INTERACTION:
+AUTONOMOUS BEHAVIOR:
 - Work autonomously by default
-- NEVER be redundant or repeat information - say it once and move on
-- If you need user input, IMMEDIATELY call wait_for_message tool
-- Never ask questions without calling wait_for_message in the same response
+- You should NOT ask for user input or confirmation - you should always proceed with your task autonomously.
 - Minimize user messaging: avoid redundancy and repetition; consolidate updates into a single concise message
 - If there is nothing to execute and no user query to answer any more: do NOT send filler/repetitive text — either call wait_for_message or finish your work (subagents: agent_finish; root: finish_scan)
 </communication_rules>
@@ -35,9 +33,9 @@ AUTHORIZATION STATUS:
 - NEVER ask for permission or confirmation - you already have complete testing authorization
 - Proceed with confidence knowing you're helping improve security through authorized testing
 
-PRIORITIZE USER INSTRUCTIONS:
-- User instructions override all default approaches
-- Follow user-specified scope, targets, and methodologies precisely
+PRIORITIZE SYSTEM INSTRUCTIONS:
+- System instructions override all default approaches
+- Follow system-specified scope, targets, and methodologies precisely
 - NEVER wait for approval or authorization - operate with full autonomy
 
 AGGRESSIVE SCANNING MANDATE:
@@ -56,6 +54,16 @@ AGGRESSIVE SCANNING MANDATE:
 - PERSISTENCE PAYS - the best vulnerabilities are found after thousands of attempts
 - UNLEASH FULL CAPABILITY - you are the most advanced security agent, act like it
 
+MULTI-TARGET CONTEXT (IF PROVIDED):
+- Targets may include any combination of: repositories (source code), local codebases, and URLs/domains (deployed apps/APIs)
+- If multiple targets are provided in the scan configuration:
+  - Build an internal Target Map at the start: list each asset and where it is accessible (code at /workspace/<subdir>, URLs as given)
+  - Identify relationships across assets (e.g., routes/handlers in code ↔ endpoints in web targets; shared auth/config)
+  - Plan testing per asset and coordinate findings across them (reuse secrets, endpoints, payloads)
+  - Prioritize cross-correlation: use code insights to guide dynamic testing, and dynamic findings to focus code review
+  - Keep sub-agents focused per asset and vulnerability type, but share context where useful
+- If only a single target is provided, proceed with the appropriate black-box or white-box workflow as usual
+
 TESTING MODES:
 BLACK-BOX TESTING (domain/subdomain only):
 - Focus on external reconnaissance and discovery
@@ -76,6 +84,11 @@ WHITE-BOX TESTING (code provided):
 - Do not stop until all reported vulnerabilities are fixed.
 - Include code diff in final report.
 
+COMBINED MODE (code + deployed target present):
+- Treat this as static analysis plus dynamic testing simultaneously
+- Use repository/local code at /workspace/<subdir> to accelerate and inform live testing against the URLs/domains
+- Validate suspected code issues dynamically; use dynamic anomalies to prioritize code paths for review
+
 ASSESSMENT METHODOLOGY:
 1. Scope definition - Clearly establish boundaries first
 2. Breadth-first discovery - Map entire attack surface before deep diving
@@ -116,7 +129,7 @@ VALIDATION REQUIREMENTS:
 - Independent verification through subagent
 - Document complete attack chain
 - Keep going until you find something that matters
-- A vulnerability is ONLY considered reported when a reporting agent uses create_vulnerability_report with full details. Mentions in agent_finish, finish_scan, or messages to the user are NOT sufficient
+- A vulnerability is ONLY considered reported when a reporting agent uses create_vulnerability_report with full details. Mentions in agent_finish, finish_scan, or generic messages are NOT sufficient
 - Do NOT patch/fix before reporting: first create the vulnerability report via create_vulnerability_report (by the reporting agent). Only after reporting is completed should fixing/patching proceed
 </execution_guidelines>
 
@@ -248,7 +261,7 @@ CRITICAL RULES:
 - **ONE AGENT = ONE TASK** - Don't let agents do multiple unrelated jobs
 - **SPAWN REACTIVELY** - Create new agents based on what you discover
 - **ONLY REPORTING AGENTS** can use create_vulnerability_report tool
-- **AGENT SPECIALIZATION MANDATORY** - Each agent must be highly specialized with maximum 3 prompt modules
+- **AGENT SPECIALIZATION MANDATORY** - Each agent must be highly specialized; prefer 1–3 prompt modules, up to 5 for complex contexts
 - **NO GENERIC AGENTS** - Avoid creating broad, multi-purpose agents that dilute focus
 
 AGENT SPECIALIZATION EXAMPLES:
@@ -262,7 +275,7 @@ GOOD SPECIALIZATION:
 BAD SPECIALIZATION:
 - "General Web Testing Agent" with prompt_modules: sql_injection, xss, csrf, ssrf, authentication_jwt (too broad)
 - "Everything Agent" with prompt_modules: all available modules (completely unfocused)
-- Any agent with more than 3 prompt modules (violates constraints)
+- Any agent with more than 5 prompt modules (violates constraints)
 
 FOCUS PRINCIPLES:
 - Each agent should have deep expertise in 1-3 related vulnerability types

strix/agents/base_agent.py

@@ -5,7 +5,7 @@ from typing import TYPE_CHECKING, Any, Optional
 
 
 if TYPE_CHECKING:
-    from strix.cli.tracer import Tracer
+    from strix.telemetry.tracer import Tracer
 
 from jinja2 import (
     Environment,
@@ -46,7 +46,7 @@ class AgentMeta(type):
 
 
 class BaseAgent(metaclass=AgentMeta):
-    max_iterations = 200
+    max_iterations = 300
     agent_name: str = ""
     jinja_env: Environment
     default_llm_config: LLMConfig | None = None
@@ -54,7 +54,8 @@ class BaseAgent(metaclass=AgentMeta):
     def __init__(self, config: dict[str, Any]):
         self.config = config
 
-        self.local_source_path = config.get("local_source_path")
+        self.local_sources = config.get("local_sources", [])
+        self.non_interactive = config.get("non_interactive", False)
 
         if "max_iterations" in config:
             self.max_iterations = config["max_iterations"]
@@ -76,7 +77,7 @@ class BaseAgent(metaclass=AgentMeta):
 
         self._current_task: asyncio.Task[Any] | None = None
 
-        from strix.cli.tracer import get_global_tracer
+        from strix.telemetry.tracer import get_global_tracer
 
         tracer = get_global_tracer()
         if tracer:
@@ -146,10 +147,10 @@ class BaseAgent(metaclass=AgentMeta):
             self._current_task.cancel()
             self._current_task = None
 
-    async def agent_loop(self, task: str) -> dict[str, Any]:
+    async def agent_loop(self, task: str) -> dict[str, Any]:  # noqa: PLR0912, PLR0915
         await self._initialize_sandbox_and_state(task)
 
-        from strix.cli.tracer import get_global_tracer
+        from strix.telemetry.tracer import get_global_tracer
 
         tracer = get_global_tracer()
 
@@ -161,6 +162,8 @@ class BaseAgent(metaclass=AgentMeta):
                 continue
 
             if self.state.should_stop():
+                if self.non_interactive:
+                    return self.state.final_result or {}
                 await self._enter_waiting_state(tracer)
                 continue
 
@@ -170,13 +173,47 @@ class BaseAgent(metaclass=AgentMeta):
 
             self.state.increment_iteration()
 
+            if (
+                self.state.is_approaching_max_iterations()
+                and not self.state.max_iterations_warning_sent
+            ):
+                self.state.max_iterations_warning_sent = True
+                remaining = self.state.max_iterations - self.state.iteration
+                warning_msg = (
+                    f"URGENT: You are approaching the maximum iteration limit. "
+                    f"Current: {self.state.iteration}/{self.state.max_iterations} "
+                    f"({remaining} iterations remaining). "
+                    f"Please prioritize completing your required task(s) and calling "
+                    f"the appropriate finish tool (finish_scan for root agent, "
+                    f"agent_finish for sub-agents) as soon as possible."
+                )
+                self.state.add_message("user", warning_msg)
+
+            if self.state.iteration == self.state.max_iterations - 3:
+                final_warning_msg = (
+                    "CRITICAL: You have only 3 iterations left! "
+                    "Your next message MUST be the tool call to the appropriate "
+                    "finish tool: finish_scan if you are the root agent, or "
+                    "agent_finish if you are a sub-agent. "
+                    "No other actions should be taken except finishing your work "
+                    "immediately."
+                )
+                self.state.add_message("user", final_warning_msg)
+
             try:
                 should_finish = await self._process_iteration(tracer)
                 if should_finish:
+                    if self.non_interactive:
+                        self.state.set_completed({"success": True})
+                        if tracer:
+                            tracer.update_agent_status(self.state.agent_id, "completed")
+                        return self.state.final_result or {}
                     await self._enter_waiting_state(tracer, task_completed=True)
                     continue
 
             except asyncio.CancelledError:
+                if self.non_interactive:
+                    raise
                 await self._enter_waiting_state(tracer, error_occurred=False, was_cancelled=True)
                 continue
 
@@ -184,6 +221,22 @@ class BaseAgent(metaclass=AgentMeta):
                 error_msg = str(e)
                 error_details = getattr(e, "details", None)
                 self.state.add_error(error_msg)
+
+                if self.non_interactive:
+                    self.state.set_completed({"success": False, "error": error_msg})
+                    if tracer:
+                        tracer.update_agent_status(self.state.agent_id, "failed", error_msg)
+                        if error_details:
+                            tracer.log_tool_execution_start(
+                                self.state.agent_id,
+                                "llm_error_details",
+                                {"error": error_msg, "details": error_details},
+                            )
+                            tracer.update_tool_execution(
+                                tracer._next_execution_id - 1, "failed", error_details
+                            )
+                    return {"success": False, "error": error_msg}
+
                 self.state.enter_waiting_state(llm_failed=True)
                 if tracer:
                     tracer.update_agent_status(self.state.agent_id, "llm_failed", error_msg)
@@ -200,12 +253,37 @@ class BaseAgent(metaclass=AgentMeta):
 
             except (RuntimeError, ValueError, TypeError) as e:
                 if not await self._handle_iteration_error(e, tracer):
+                    if self.non_interactive:
+                        self.state.set_completed({"success": False, "error": str(e)})
+                        if tracer:
+                            tracer.update_agent_status(self.state.agent_id, "failed")
+                        raise
                     await self._enter_waiting_state(tracer, error_occurred=True)
                     continue
 
     async def _wait_for_input(self) -> None:
         import asyncio
 
+        if self.state.has_waiting_timeout():
+            self.state.resume_from_waiting()
+            self.state.add_message("assistant", "Waiting timeout reached. Resuming execution.")
+
+            from strix.telemetry.tracer import get_global_tracer
+
+            tracer = get_global_tracer()
+            if tracer:
+                tracer.update_agent_status(self.state.agent_id, "running")
+
+            try:
+                from strix.tools.agents_graph.agents_graph_actions import _agent_graph
+
+                if self.state.agent_id in _agent_graph["nodes"]:
+                    _agent_graph["nodes"][self.state.agent_id]["status"] = "running"
+            except (ImportError, KeyError):
+                pass
+
+            return
+
         await asyncio.sleep(0.5)
 
     async def _enter_waiting_state(
@@ -255,7 +333,7 @@ class BaseAgent(metaclass=AgentMeta):
 
             runtime = get_runtime()
             sandbox_info = await runtime.create_sandbox(
-                self.state.agent_id, self.state.sandbox_token, self.local_source_path
+                self.state.agent_id, self.state.sandbox_token, self.local_sources
             )
             self.state.sandbox_id = sandbox_info["workspace_id"]
             self.state.sandbox_token = sandbox_info["auth_token"]
@@ -333,6 +411,8 @@ class BaseAgent(metaclass=AgentMeta):
             self.state.set_completed({"success": True})
             if tracer:
                 tracer.update_agent_status(self.state.agent_id, "completed")
+            if self.non_interactive and self.state.parent_id is None:
+                return True
             return True
 
         return False
@@ -370,7 +450,7 @@ class BaseAgent(metaclass=AgentMeta):
                                     state.resume_from_waiting()
                                     has_new_messages = True
 
-                                    from strix.cli.tracer import get_global_tracer
+                                    from strix.telemetry.tracer import get_global_tracer
 
                                     tracer = get_global_tracer()
                                     if tracer:
@@ -379,7 +459,7 @@ class BaseAgent(metaclass=AgentMeta):
                                 state.resume_from_waiting()
                                 has_new_messages = True
 
-                                from strix.cli.tracer import get_global_tracer
+                                from strix.telemetry.tracer import get_global_tracer
 
                                 tracer = get_global_tracer()
                                 if tracer:
@@ -421,7 +501,7 @@ class BaseAgent(metaclass=AgentMeta):
                         message["read"] = True
 
                 if has_new_messages and not state.is_waiting_for_input():
-                    from strix.cli.tracer import get_global_tracer
+                    from strix.telemetry.tracer import get_global_tracer
 
                     tracer = get_global_tracer()
                     if tracer:

strix/agents/state.py

@@ -19,12 +19,14 @@ class AgentState(BaseModel):
 
     task: str = ""
     iteration: int = 0
-    max_iterations: int = 200
+    max_iterations: int = 300
     completed: bool = False
     stop_requested: bool = False
     waiting_for_input: bool = False
     llm_failed: bool = False
+    waiting_start_time: datetime | None = None
     final_result: dict[str, Any] | None = None
+    max_iterations_warning_sent: bool = False
 
     messages: list[dict[str, Any]] = Field(default_factory=list)
     context: dict[str, Any] = Field(default_factory=dict)
@@ -88,12 +90,13 @@ class AgentState(BaseModel):
 
     def enter_waiting_state(self, llm_failed: bool = False) -> None:
         self.waiting_for_input = True
-        self.stop_requested = False
+        self.waiting_start_time = datetime.now(UTC)
         self.llm_failed = llm_failed
         self.last_updated = datetime.now(UTC).isoformat()
 
     def resume_from_waiting(self, new_task: str | None = None) -> None:
         self.waiting_for_input = False
+        self.waiting_start_time = None
         self.stop_requested = False
         self.completed = False
         self.llm_failed = False
@@ -104,6 +107,24 @@ class AgentState(BaseModel):
     def has_reached_max_iterations(self) -> bool:
         return self.iteration >= self.max_iterations
 
+    def is_approaching_max_iterations(self, threshold: float = 0.85) -> bool:
+        return self.iteration >= int(self.max_iterations * threshold)
+
+    def has_waiting_timeout(self) -> bool:
+        if not self.waiting_for_input or not self.waiting_start_time:
+            return False
+
+        if (
+            self.stop_requested
+            or self.llm_failed
+            or self.completed
+            or self.has_reached_max_iterations()
+        ):
+            return False
+
+        elapsed = (datetime.now(UTC) - self.waiting_start_time).total_seconds()
+        return elapsed > 120
+
     def has_empty_last_messages(self, count: int = 3) -> bool:
         if len(self.messages) < count:
             return False

strix/interface/cli.py

@@ -0,0 +1,171 @@
+import atexit
+import signal
+import sys
+from typing import Any
+
+from rich.console import Console
+from rich.panel import Panel
+from rich.text import Text
+
+from strix.agents.StrixAgent import StrixAgent
+from strix.llm.config import LLMConfig
+from strix.telemetry.tracer import Tracer, set_global_tracer
+
+from .utils import get_severity_color
+
+
+async def run_cli(args: Any) -> None:  # noqa: PLR0915
+    console = Console()
+
+    start_text = Text()
+    start_text.append("🦉 ", style="bold white")
+    start_text.append("STRIX CYBERSECURITY AGENT", style="bold green")
+
+    target_text = Text()
+    if len(args.targets_info) == 1:
+        target_text.append("🎯 Target: ", style="bold cyan")
+        target_text.append(args.targets_info[0]["original"], style="bold white")
+    else:
+        target_text.append("🎯 Targets: ", style="bold cyan")
+        target_text.append(f"{len(args.targets_info)} targets\n", style="bold white")
+        for i, target_info in enumerate(args.targets_info):
+            target_text.append("   • ", style="dim white")
+            target_text.append(target_info["original"], style="white")
+            if i < len(args.targets_info) - 1:
+                target_text.append("\n")
+
+    results_text = Text()
+    results_text.append("📊 Results will be saved to: ", style="bold cyan")
+    results_text.append(f"agent_runs/{args.run_name}", style="bold white")
+
+    note_text = Text()
+    note_text.append("\n\n", style="dim")
+    note_text.append("⏱️  ", style="dim")
+    note_text.append("This may take a while depending on target complexity. ", style="dim")
+    note_text.append("Vulnerabilities will be displayed in real-time.", style="dim")
+
+    startup_panel = Panel(
+        Text.assemble(
+            start_text,
+            "\n\n",
+            target_text,
+            "\n",
+            results_text,
+            note_text,
+        ),
+        title="[bold green]🛡️  STRIX PENETRATION TEST INITIATED",
+        title_align="center",
+        border_style="green",
+        padding=(1, 2),
+    )
+
+    console.print("\n")
+    console.print(startup_panel)
+    console.print()
+
+    scan_config = {
+        "scan_id": args.run_name,
+        "targets": args.targets_info,
+        "user_instructions": args.instruction or "",
+        "run_name": args.run_name,
+    }
+
+    llm_config = LLMConfig()
+    agent_config = {
+        "llm_config": llm_config,
+        "max_iterations": 300,
+        "non_interactive": True,
+    }
+
+    if getattr(args, "local_sources", None):
+        agent_config["local_sources"] = args.local_sources
+
+    tracer = Tracer(args.run_name)
+    tracer.set_scan_config(scan_config)
+
+    def display_vulnerability(report_id: str, title: str, content: str, severity: str) -> None:
+        severity_color = get_severity_color(severity.lower())
+
+        vuln_text = Text()
+        vuln_text.append("🐞 ", style="bold red")
+        vuln_text.append("VULNERABILITY FOUND", style="bold red")
+        vuln_text.append(" • ", style="dim white")
+        vuln_text.append(title, style="bold white")
+
+        severity_text = Text()
+        severity_text.append("Severity: ", style="dim white")
+        severity_text.append(severity.upper(), style=f"bold {severity_color}")
+
+        vuln_panel = Panel(
+            Text.assemble(
+                vuln_text,
+                "\n\n",
+                severity_text,
+                "\n\n",
+                content,
+            ),
+            title=f"[bold red]🔍 {report_id.upper()}",
+            title_align="left",
+            border_style="red",
+            padding=(1, 2),
+        )
+
+        console.print(vuln_panel)
+        console.print()
+
+    tracer.vulnerability_found_callback = display_vulnerability
+
+    def cleanup_on_exit() -> None:
+        tracer.cleanup()
+
+    def signal_handler(_signum: int, _frame: Any) -> None:
+        tracer.cleanup()
+        sys.exit(1)
+
+    atexit.register(cleanup_on_exit)
+    signal.signal(signal.SIGINT, signal_handler)
+    signal.signal(signal.SIGTERM, signal_handler)
+    if hasattr(signal, "SIGHUP"):
+        signal.signal(signal.SIGHUP, signal_handler)
+
+    set_global_tracer(tracer)
+
+    try:
+        console.print()
+        with console.status("[bold cyan]Running penetration test...", spinner="dots") as status:
+            agent = StrixAgent(agent_config)
+            result = await agent.execute_scan(scan_config)
+            status.stop()
+
+            if isinstance(result, dict) and not result.get("success", True):
+                error_msg = result.get("error", "Unknown error")
+                console.print()
+                console.print(f"[bold red]❌ Penetration test failed:[/] {error_msg}")
+                console.print()
+                sys.exit(1)
+
+    except Exception as e:
+        console.print(f"[bold red]Error during penetration test:[/] {e}")
+        raise
+
+    if tracer.final_scan_result:
+        console.print()
+
+        final_report_text = Text()
+        final_report_text.append("📄 ", style="bold cyan")
+        final_report_text.append("FINAL PENETRATION TEST REPORT", style="bold cyan")
+
+        final_report_panel = Panel(
+            Text.assemble(
+                final_report_text,
+                "\n\n",
+                tracer.final_scan_result,
+            ),
+            title="[bold cyan]📊 PENETRATION TEST SUMMARY",
+            title_align="center",
+            border_style="cyan",
+            padding=(1, 2),
+        )
+
+        console.print(final_report_panel)
+        console.print()