strix-agent 0.1.18__tar.gz → 0.3.1__tar.gz

{strix_agent-0.1.18 → strix_agent-0.3.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: strix-agent
-Version: 0.1.18
+Version: 0.3.1
 Summary: Open-source AI Hackers for your apps
 License: Apache-2.0
 Keywords: cybersecurity,security,vulnerability,scanner,pentest,agent,ai,cli
@@ -44,10 +44,11 @@ Description-Content-Type: text/markdown
 
 ### Open-source AI hackers for your apps
 
+[![Strix](https://img.shields.io/badge/Strix-usestrix.com-1a1a1a.svg)](https://usestrix.com)
 [![Apache 2.0](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE)
-[![Vercel AI Accelerator 2025](https://img.shields.io/badge/Vercel%20AI-Accelerator%202025-000000?style=flat&logo=vercel)](https://vercel.com/ai-accelerator)
-[![Status: Alpha](https://img.shields.io/badge/status-alpha-orange.svg)](https://github.com/usestrix/strix)
-
+[![Discord](https://img.shields.io/badge/Discord-join-5865F2?logo=discord&logoColor=white)](https://discord.gg/J48Fzuh7)
+[![PyPI Downloads](https://static.pepy.tech/personalized-badge/strix-agent?period=total&units=INTERNATIONAL_SYSTEM&left_color=GRAY&right_color=BLACK&left_text=Downloads)](https://pepy.tech/projects/strix-agent)
+[![GitHub stars](https://img.shields.io/github/stars/usestrix/strix.svg?style=social&label=Star)](https://github.com/usestrix/strix)
 </div>
 
 <div align="center">
@@ -60,8 +61,30 @@ Description-Content-Type: text/markdown
 
 Strix are autonomous AI agents that act just like real hackers - they run your code dynamically, find vulnerabilities, and validate them through actual exploitation. Built for developers and security teams who need fast, accurate security testing without the overhead of manual pentesting or the false positives of static analysis tools.
 
+- **Full hacker toolkit** out of the box
+- **Teams of agents** that collaborate and scale
+- **Real validation** via exploitation and PoC, not false positives
+- **Developer‑first** CLI with actionable reports
+- **Auto‑fix & reporting** to accelerate remediation
+
+---
+
+### 🎯 Use Cases
+
+- Detect and validate critical vulnerabilities in your applications.
+- Get penetration tests done in hours, not weeks, with compliance reports.
+- Automate bug bounty research and generate PoCs for faster reporting.
+- Run tests in CI/CD to block vulnerabilities before reaching production.
+
+---
+
 ### 🚀 Quick Start
 
+Prerequisites:
+- Docker (running)
+- Python 3.12+
+- An LLM provider key (or a local LLM)
+
 ```bash
 # Install
 pipx install strix-agent
@@ -74,12 +97,11 @@ export LLM_API_KEY="your-api-key"
 strix --target ./app-directory
 ```
 
-## Why Use Strix
+First run pulls the sandbox Docker image. Results are saved under `agent_runs/<run-name>`.
+
+### ☁️ Cloud Hosted
 
-- **Full Hacker Arsenal** - All the tools a professional hacker needs, built into the agents
-- **Real Validation** - Dynamic testing and actual exploitation, thus much fewer false positives
-- **Developer-First** - Seamlessly integrates into existing development workflows
-- **Auto-Fix & Reporting** - Automated patching with detailed remediation and security reports
+Want to skip the setup? Try our cloud-hosted version: **[usestrix.com](https://usestrix.com)**
 
 ## ✨ Features
 
@@ -122,8 +144,17 @@ strix --target https://github.com/org/repo
 # Web application assessment
 strix --target https://your-app.com
 
-# Focused testing
+# Multi-target white-box testing (source code + deployed app)
+strix -t https://github.com/org/app -t https://your-app.com
+
+# Test multiple environments simultaneously
+strix -t https://dev.your-app.com -t https://staging.your-app.com -t https://prod.your-app.com
+
+# Focused testing with instructions
 strix --target api.your-app.com --instruction "Prioritize authentication and authorization testing"
+
+# Testing with credentials
+strix --target https://your-app.com --instruction "Test with credentials: testuser/testpass. Focus on privilege escalation and access control bypasses."
 ```
 
 ### ⚙️ Configuration
@@ -139,6 +170,41 @@ export PERPLEXITY_API_KEY="your-api-key"  # for search capabilities
 
 [📚 View supported AI models](https://docs.litellm.ai/docs/providers)
 
+### 🤖 Headless Mode
+
+Run Strix programmatically without interactive UI using the `-n/--non-interactive` flag—perfect for servers and automated jobs. The CLI prints real-time vulnerability findings, and the final report before exiting. Exits with non-zero code when vulnerabilities are found.
+
+```bash
+strix -n --target https://your-app.com --instruction "Focus on authentication and authorization vulnerabilities"
+```
+
+### 🔄 CI/CD (GitHub Actions)
+
+Strix can be added to your pipeline to run a security test on pull requests with a lightweight GitHub Actions workflow:
+
+```yaml
+name: strix-penetration-test
+
+on:
+  pull_request:
+
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Strix
+        run: pipx install strix-agent
+
+      - name: Run Strix
+        env:
+          STRIX_LLM: ${{ secrets.STRIX_LLM }}
+          LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
+
+        run: strix -n -t ./
+```
+
 ## 🏆 Enterprise Platform
 
 Our managed platform provides:
@@ -150,26 +216,40 @@ Our managed platform provides:
 - **🔌 Third-Party Integrations**
 - **🎯 Enterprise Support**
 
-[**Get Enterprise Demo →**](https://form.typeform.com/to/ljtvl6X0)
+[**Get Enterprise Demo →**](https://usestrix.com)
 
 ## 🔒 Security Architecture
 
 - **Container Isolation** - All testing in sandboxed Docker environments
 - **Local Processing** - Testing runs locally, no data sent to external services
 
-> [!NOTE]
-> Strix is currently in Alpha. Expect rapid updates and improvements.
-
 > [!WARNING]
 > Only test systems you own or have permission to test. You are responsible for using Strix ethically and legally.
 
+## 🤝 Contributing
+
+We welcome contributions from the community! There are several ways to contribute:
+
+### Code Contributions
+See our [Contributing Guide](CONTRIBUTING.md) for details on:
+- Setting up your development environment
+- Running tests and quality checks
+- Submitting pull requests
+- Code style guidelines
+
+### Prompt Modules Collection
+Help expand our collection of specialized prompt modules for AI agents:
+- Advanced testing techniques for vulnerabilities, frameworks, and technologies
+- See [Prompt Modules Documentation](strix/prompts/README.md) for guidelines
+- Submit via [pull requests](https://github.com/usestrix/strix/pulls) or [issues](https://github.com/usestrix/strix/issues)
+
 ## 🌟 Support the Project
 
 **Love Strix?** Give us a ⭐ on GitHub!
 
 ## 👥 Join Our Community
 
-Have questions? Found a bug? Want to contribute? **[Join our Discord!](https://discord.gg/yduEyduBsp)**
+Have questions? Found a bug? Want to contribute? **[Join our Discord!](https://discord.gg/J48Fzuh7)**
 
 </div>
 

{strix_agent-0.1.18 → strix_agent-0.3.1}/README.md

@@ -4,10 +4,11 @@
 
 ### Open-source AI hackers for your apps
 
+[![Strix](https://img.shields.io/badge/Strix-usestrix.com-1a1a1a.svg)](https://usestrix.com)
 [![Apache 2.0](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE)
-[![Vercel AI Accelerator 2025](https://img.shields.io/badge/Vercel%20AI-Accelerator%202025-000000?style=flat&logo=vercel)](https://vercel.com/ai-accelerator)
-[![Status: Alpha](https://img.shields.io/badge/status-alpha-orange.svg)](https://github.com/usestrix/strix)
-
+[![Discord](https://img.shields.io/badge/Discord-join-5865F2?logo=discord&logoColor=white)](https://discord.gg/J48Fzuh7)
+[![PyPI Downloads](https://static.pepy.tech/personalized-badge/strix-agent?period=total&units=INTERNATIONAL_SYSTEM&left_color=GRAY&right_color=BLACK&left_text=Downloads)](https://pepy.tech/projects/strix-agent)
+[![GitHub stars](https://img.shields.io/github/stars/usestrix/strix.svg?style=social&label=Star)](https://github.com/usestrix/strix)
 </div>
 
 <div align="center">
@@ -20,8 +21,30 @@
 
 Strix are autonomous AI agents that act just like real hackers - they run your code dynamically, find vulnerabilities, and validate them through actual exploitation. Built for developers and security teams who need fast, accurate security testing without the overhead of manual pentesting or the false positives of static analysis tools.
 
+- **Full hacker toolkit** out of the box
+- **Teams of agents** that collaborate and scale
+- **Real validation** via exploitation and PoC, not false positives
+- **Developer‑first** CLI with actionable reports
+- **Auto‑fix & reporting** to accelerate remediation
+
+---
+
+### 🎯 Use Cases
+
+- Detect and validate critical vulnerabilities in your applications.
+- Get penetration tests done in hours, not weeks, with compliance reports.
+- Automate bug bounty research and generate PoCs for faster reporting.
+- Run tests in CI/CD to block vulnerabilities before reaching production.
+
+---
+
 ### 🚀 Quick Start
 
+Prerequisites:
+- Docker (running)
+- Python 3.12+
+- An LLM provider key (or a local LLM)
+
 ```bash
 # Install
 pipx install strix-agent
@@ -34,12 +57,11 @@ export LLM_API_KEY="your-api-key"
 strix --target ./app-directory
 ```
 
-## Why Use Strix
+First run pulls the sandbox Docker image. Results are saved under `agent_runs/<run-name>`.
+
+### ☁️ Cloud Hosted
 
-- **Full Hacker Arsenal** - All the tools a professional hacker needs, built into the agents
-- **Real Validation** - Dynamic testing and actual exploitation, thus much fewer false positives
-- **Developer-First** - Seamlessly integrates into existing development workflows
-- **Auto-Fix & Reporting** - Automated patching with detailed remediation and security reports
+Want to skip the setup? Try our cloud-hosted version: **[usestrix.com](https://usestrix.com)**
 
 ## ✨ Features
 
@@ -82,8 +104,17 @@ strix --target https://github.com/org/repo
 # Web application assessment
 strix --target https://your-app.com
 
-# Focused testing
+# Multi-target white-box testing (source code + deployed app)
+strix -t https://github.com/org/app -t https://your-app.com
+
+# Test multiple environments simultaneously
+strix -t https://dev.your-app.com -t https://staging.your-app.com -t https://prod.your-app.com
+
+# Focused testing with instructions
 strix --target api.your-app.com --instruction "Prioritize authentication and authorization testing"
+
+# Testing with credentials
+strix --target https://your-app.com --instruction "Test with credentials: testuser/testpass. Focus on privilege escalation and access control bypasses."
 ```
 
 ### ⚙️ Configuration
@@ -99,6 +130,41 @@ export PERPLEXITY_API_KEY="your-api-key"  # for search capabilities
 
 [📚 View supported AI models](https://docs.litellm.ai/docs/providers)
 
+### 🤖 Headless Mode
+
+Run Strix programmatically without interactive UI using the `-n/--non-interactive` flag—perfect for servers and automated jobs. The CLI prints real-time vulnerability findings, and the final report before exiting. Exits with non-zero code when vulnerabilities are found.
+
+```bash
+strix -n --target https://your-app.com --instruction "Focus on authentication and authorization vulnerabilities"
+```
+
+### 🔄 CI/CD (GitHub Actions)
+
+Strix can be added to your pipeline to run a security test on pull requests with a lightweight GitHub Actions workflow:
+
+```yaml
+name: strix-penetration-test
+
+on:
+  pull_request:
+
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Strix
+        run: pipx install strix-agent
+
+      - name: Run Strix
+        env:
+          STRIX_LLM: ${{ secrets.STRIX_LLM }}
+          LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
+
+        run: strix -n -t ./
+```
+
 ## 🏆 Enterprise Platform
 
 Our managed platform provides:
@@ -110,25 +176,39 @@ Our managed platform provides:
 - **🔌 Third-Party Integrations**
 - **🎯 Enterprise Support**
 
-[**Get Enterprise Demo →**](https://form.typeform.com/to/ljtvl6X0)
+[**Get Enterprise Demo →**](https://usestrix.com)
 
 ## 🔒 Security Architecture
 
 - **Container Isolation** - All testing in sandboxed Docker environments
 - **Local Processing** - Testing runs locally, no data sent to external services
 
-> [!NOTE]
-> Strix is currently in Alpha. Expect rapid updates and improvements.
-
 > [!WARNING]
 > Only test systems you own or have permission to test. You are responsible for using Strix ethically and legally.
 
+## 🤝 Contributing
+
+We welcome contributions from the community! There are several ways to contribute:
+
+### Code Contributions
+See our [Contributing Guide](CONTRIBUTING.md) for details on:
+- Setting up your development environment
+- Running tests and quality checks
+- Submitting pull requests
+- Code style guidelines
+
+### Prompt Modules Collection
+Help expand our collection of specialized prompt modules for AI agents:
+- Advanced testing techniques for vulnerabilities, frameworks, and technologies
+- See [Prompt Modules Documentation](strix/prompts/README.md) for guidelines
+- Submit via [pull requests](https://github.com/usestrix/strix/pulls) or [issues](https://github.com/usestrix/strix/issues)
+
 ## 🌟 Support the Project
 
 **Love Strix?** Give us a ⭐ on GitHub!
 
 ## 👥 Join Our Community
 
-Have questions? Found a bug? Want to contribute? **[Join our Discord!](https://discord.gg/yduEyduBsp)**
+Have questions? Found a bug? Want to contribute? **[Join our Discord!](https://discord.gg/J48Fzuh7)**
 
 </div>

{strix_agent-0.1.18 → strix_agent-0.3.1}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "strix-agent"
-version = "0.1.18"
+version = "0.3.1"
 description = "Open-source AI Hackers for your apps"
 authors = ["Strix <hi@usestrix.com>"]
 readme = "README.md"
@@ -39,7 +39,7 @@ include = [
 ]
 
 [tool.poetry.scripts]
-strix = "strix.cli.main:main"
+strix = "strix.interface.main:main"
 
 [tool.poetry.dependencies]
 python = "^3.12"

strix_agent-0.3.1/strix/agents/StrixAgent/strix_agent.py

@@ -0,0 +1,82 @@
+from typing import Any
+
+from strix.agents.base_agent import BaseAgent
+from strix.llm.config import LLMConfig
+
+
+class StrixAgent(BaseAgent):
+    max_iterations = 300
+
+    def __init__(self, config: dict[str, Any]):
+        default_modules = []
+
+        state = config.get("state")
+        if state is None or (hasattr(state, "parent_id") and state.parent_id is None):
+            default_modules = ["root_agent"]
+
+        self.default_llm_config = LLMConfig(prompt_modules=default_modules)
+
+        super().__init__(config)
+
+    async def execute_scan(self, scan_config: dict[str, Any]) -> dict[str, Any]:
+        user_instructions = scan_config.get("user_instructions", "")
+        targets = scan_config.get("targets", [])
+
+        repositories = []
+        local_code = []
+        urls = []
+
+        for target in targets:
+            target_type = target["type"]
+            details = target["details"]
+            workspace_subdir = details.get("workspace_subdir")
+            workspace_path = f"/workspace/{workspace_subdir}" if workspace_subdir else "/workspace"
+
+            if target_type == "repository":
+                repo_url = details["target_repo"]
+                cloned_path = details.get("cloned_repo_path")
+                repositories.append(
+                    {
+                        "url": repo_url,
+                        "workspace_path": workspace_path if cloned_path else None,
+                    }
+                )
+
+            elif target_type == "local_code":
+                original_path = details.get("target_path", "unknown")
+                local_code.append(
+                    {
+                        "path": original_path,
+                        "workspace_path": workspace_path,
+                    }
+                )
+
+            elif target_type == "web_application":
+                urls.append(details["target_url"])
+
+        task_parts = []
+
+        if repositories:
+            task_parts.append("\n\nRepositories:")
+            for repo in repositories:
+                if repo["workspace_path"]:
+                    task_parts.append(f"- {repo['url']} (available at: {repo['workspace_path']})")
+                else:
+                    task_parts.append(f"- {repo['url']}")
+
+        if local_code:
+            task_parts.append("\n\nLocal Codebases:")
+            task_parts.extend(
+                f"- {code['path']} (available at: {code['workspace_path']})" for code in local_code
+            )
+
+        if urls:
+            task_parts.append("\n\nURLs:")
+            task_parts.extend(f"- {url}" for url in urls)
+
+        task_description = " ".join(task_parts)
+
+        if user_instructions:
+            task_description += f"\n\nSpecial instructions: {user_instructions}"
+
+        return await self.agent_loop(task=task_description)

{strix_agent-0.1.18 → strix_agent-0.3.1}/strix/agents/StrixAgent/system_prompt.jinja

@@ -19,11 +19,9 @@ INTER-AGENT MESSAGES:
 - NEVER echo inter_agent_message or agent_completion_report XML content that is sent to you in your output.
 - Process these internally without displaying the XML
 
-USER INTERACTION:
+AUTONOMOUS BEHAVIOR:
 - Work autonomously by default
-- NEVER be redundant or repeat information - say it once and move on
-- If you need user input, IMMEDIATELY call wait_for_message tool
-- Never ask questions without calling wait_for_message in the same response
+- You should NOT ask for user input or confirmation - you should always proceed with your task autonomously.
 - Minimize user messaging: avoid redundancy and repetition; consolidate updates into a single concise message
 - If there is nothing to execute and no user query to answer any more: do NOT send filler/repetitive text — either call wait_for_message or finish your work (subagents: agent_finish; root: finish_scan)
 </communication_rules>
@@ -35,9 +33,9 @@ AUTHORIZATION STATUS:
 - NEVER ask for permission or confirmation - you already have complete testing authorization
 - Proceed with confidence knowing you're helping improve security through authorized testing
 
-PRIORITIZE USER INSTRUCTIONS:
-- User instructions override all default approaches
-- Follow user-specified scope, targets, and methodologies precisely
+PRIORITIZE SYSTEM INSTRUCTIONS:
+- System instructions override all default approaches
+- Follow system-specified scope, targets, and methodologies precisely
 - NEVER wait for approval or authorization - operate with full autonomy
 
 AGGRESSIVE SCANNING MANDATE:
@@ -56,6 +54,16 @@ AGGRESSIVE SCANNING MANDATE:
 - PERSISTENCE PAYS - the best vulnerabilities are found after thousands of attempts
 - UNLEASH FULL CAPABILITY - you are the most advanced security agent, act like it
 
+MULTI-TARGET CONTEXT (IF PROVIDED):
+- Targets may include any combination of: repositories (source code), local codebases, and URLs/domains (deployed apps/APIs)
+- If multiple targets are provided in the scan configuration:
+  - Build an internal Target Map at the start: list each asset and where it is accessible (code at /workspace/<subdir>, URLs as given)
+  - Identify relationships across assets (e.g., routes/handlers in code ↔ endpoints in web targets; shared auth/config)
+  - Plan testing per asset and coordinate findings across them (reuse secrets, endpoints, payloads)
+  - Prioritize cross-correlation: use code insights to guide dynamic testing, and dynamic findings to focus code review
+  - Keep sub-agents focused per asset and vulnerability type, but share context where useful
+- If only a single target is provided, proceed with the appropriate black-box or white-box workflow as usual
+
 TESTING MODES:
 BLACK-BOX TESTING (domain/subdomain only):
 - Focus on external reconnaissance and discovery
@@ -76,6 +84,11 @@ WHITE-BOX TESTING (code provided):
 - Do not stop until all reported vulnerabilities are fixed.
 - Include code diff in final report.
 
+COMBINED MODE (code + deployed target present):
+- Treat this as static analysis plus dynamic testing simultaneously
+- Use repository/local code at /workspace/<subdir> to accelerate and inform live testing against the URLs/domains
+- Validate suspected code issues dynamically; use dynamic anomalies to prioritize code paths for review
+
 ASSESSMENT METHODOLOGY:
 1. Scope definition - Clearly establish boundaries first
 2. Breadth-first discovery - Map entire attack surface before deep diving
@@ -116,7 +129,7 @@ VALIDATION REQUIREMENTS:
 - Independent verification through subagent
 - Document complete attack chain
 - Keep going until you find something that matters
-- A vulnerability is ONLY considered reported when a reporting agent uses create_vulnerability_report with full details. Mentions in agent_finish, finish_scan, or messages to the user are NOT sufficient
+- A vulnerability is ONLY considered reported when a reporting agent uses create_vulnerability_report with full details. Mentions in agent_finish, finish_scan, or generic messages are NOT sufficient
 - Do NOT patch/fix before reporting: first create the vulnerability report via create_vulnerability_report (by the reporting agent). Only after reporting is completed should fixing/patching proceed
 </execution_guidelines>
 
@@ -248,7 +261,7 @@ CRITICAL RULES:
 - **ONE AGENT = ONE TASK** - Don't let agents do multiple unrelated jobs
 - **SPAWN REACTIVELY** - Create new agents based on what you discover
 - **ONLY REPORTING AGENTS** can use create_vulnerability_report tool
-- **AGENT SPECIALIZATION MANDATORY** - Each agent must be highly specialized with maximum 3 prompt modules
+- **AGENT SPECIALIZATION MANDATORY** - Each agent must be highly specialized; prefer 1–3 prompt modules, up to 5 for complex contexts
 - **NO GENERIC AGENTS** - Avoid creating broad, multi-purpose agents that dilute focus
 
 AGENT SPECIALIZATION EXAMPLES:
@@ -262,7 +275,7 @@ GOOD SPECIALIZATION:
 BAD SPECIALIZATION:
 - "General Web Testing Agent" with prompt_modules: sql_injection, xss, csrf, ssrf, authentication_jwt (too broad)
 - "Everything Agent" with prompt_modules: all available modules (completely unfocused)
-- Any agent with more than 3 prompt modules (violates constraints)
+- Any agent with more than 5 prompt modules (violates constraints)
 
 FOCUS PRINCIPLES:
 - Each agent should have deep expertise in 1-3 related vulnerability types