strix-agent 0.1.9__py3-none-any.whl → 0.1.11__py3-none-any.whl

strix/agents/StrixAgent/strix_agent.py

@@ -26,9 +26,21 @@ class StrixAgent(BaseAgent):
         task_parts = []
 
         if scan_type == "repository":
-            task_parts.append(
-                f"Perform a security assessment of the Git repository: {target['target_repo']}"
-            )
+            repo_url = target["target_repo"]
+            cloned_path = target.get("cloned_repo_path")
+
+            if cloned_path:
+                workspace_path = "/workspace"
+                task_parts.append(
+                    f"Perform a security assessment of the Git repository: {repo_url}. "
+                    f"The repository has been cloned from '{repo_url}' to '{cloned_path}' "
+                    f"(host path) and then copied to '{workspace_path}' in your environment."
+                    f"Analyze the codebase at: {workspace_path}"
+                )
+            else:
+                task_parts.append(
+                    f"Perform a security assessment of the Git repository: {repo_url}"
+                )
 
         elif scan_type == "web_application":
             task_parts.append(
@@ -37,12 +49,12 @@ class StrixAgent(BaseAgent):
 
         elif scan_type == "local_code":
             original_path = target.get("target_path", "unknown")
-            shared_workspace_path = "/shared_workspace"
+            workspace_path = "/workspace"
             task_parts.append(
                 f"Perform a security assessment of the local codebase. "
                 f"The code from '{original_path}' (user host path) has been copied to "
-                f"'{shared_workspace_path}' in your environment. "
-                f"Analyze the codebase at: {shared_workspace_path}"
+                f"'{workspace_path}' in your environment. "
+                f"Analyze the codebase at: {workspace_path}"
             )
 
         else:

strix/agents/StrixAgent/system_prompt.jinja

@@ -145,11 +145,10 @@ Remember: A single high-impact vulnerability is worth more than dozens of low-se
 
 <multi_agent_system>
 AGENT ISOLATION & SANDBOXING:
-- Each subagent runs in a completely isolated sandbox environment
-- Each agent has its own: browser sessions, terminal sessions, proxy (history and scope rules), /workspace directory, environment variables, running processes
-- Agents cannot share network ports or interfere with each other's processes
-- Only shared resource is /shared_workspace for collaboration and file exchange
-- Use /shared_workspace to pass files, reports, and coordination data between agents
+- All agents run in the same shared Docker container for efficiency
+- Each agent has its own: browser sessions, terminal sessions
+- All agents share the same /workspace directory and proxy history
+- Agents can see each other's files and proxy traffic for better collaboration
 
 SIMPLE WORKFLOW RULES:
 
@@ -206,6 +205,27 @@ CRITICAL RULES:
 - **ONE AGENT = ONE TASK** - Don't let agents do multiple unrelated jobs
 - **SPAWN REACTIVELY** - Create new agents based on what you discover
 - **ONLY REPORTING AGENTS** can use create_vulnerability_report tool
+- **AGENT SPECIALIZATION MANDATORY** - Each agent must be highly specialized with maximum 3 prompt modules
+- **NO GENERIC AGENTS** - Avoid creating broad, multi-purpose agents that dilute focus
+
+AGENT SPECIALIZATION EXAMPLES:
+
+GOOD SPECIALIZATION:
+- "SQLi Validation Agent" with prompt_modules: sql_injection
+- "XSS Discovery Agent" with prompt_modules: xss
+- "Auth Testing Agent" with prompt_modules: authentication_jwt, business_logic
+- "SSRF + XXE Agent" with prompt_modules: ssrf, xxe, rce (related attack vectors)
+
+BAD SPECIALIZATION:
+- "General Web Testing Agent" with prompt_modules: sql_injection, xss, csrf, ssrf, authentication_jwt (too broad)
+- "Everything Agent" with prompt_modules: all available modules (completely unfocused)
+- Any agent with more than 3 prompt modules (violates constraints)
+
+FOCUS PRINCIPLES:
+- Each agent should have deep expertise in 1-3 related vulnerability types
+- Agents with single modules have the deepest specialization
+- Related vulnerabilities (like SSRF+XXE or Auth+Business Logic) can be combined
+- Never create "kitchen sink" agents that try to do everything
 
 REALISTIC TESTING OUTCOMES:
 - **No Findings**: Agent completes testing but finds no vulnerabilities
@@ -291,8 +311,7 @@ PROGRAMMING:
 - You can install any additional tools/packages needed based on the task/context using package managers (apt, pip, npm, go install, etc.)
 
 Directories:
-- /workspace - Your private agent directory
-- /shared_workspace - Shared between agents
+- /workspace - where you should work.
 - /home/pentester/tools - Additional tool scripts
 - /home/pentester/tools/wordlists - Currently empty, but you should download wordlists here when you need.
 

strix/agents/base_agent.py

@@ -239,6 +239,9 @@ class BaseAgent(metaclass=AgentMeta):
             self.state.sandbox_token = sandbox_info["auth_token"]
             self.state.sandbox_info = sandbox_info
 
+            if "agent_id" in sandbox_info:
+                self.state.sandbox_info["agent_id"] = sandbox_info["agent_id"]
+
         if not self.state.task:
             self.state.task = task
 

strix/cli/app.py

@@ -248,6 +248,8 @@ class StrixCLIApp(App):  # type: ignore[misc]
 
         if args.target_type == "local_code" and "target_path" in args.target_dict:
             config["local_source_path"] = args.target_dict["target_path"]
+        elif args.target_type == "repository" and "cloned_repo_path" in args.target_dict:
+            config["local_source_path"] = args.target_dict["cloned_repo_path"]
 
         return config
 
@@ -876,7 +878,7 @@ class StrixCLIApp(App):  # type: ignore[misc]
         result = tool_data.get("result")
 
         tool_colors = {
-            "terminal_action": "#22c55e",
+            "terminal_execute": "#22c55e",
             "browser_action": "#06b6d4",
             "python_action": "#3b82f6",
             "agents_graph_action": "#fbbf24",

strix/cli/main.py

@@ -9,7 +9,9 @@ import logging
 import os
 import secrets
 import shutil
+import subprocess
 import sys
+import tempfile
 from pathlib import Path
 from typing import Any
 from urllib.parse import urlparse
@@ -204,6 +206,81 @@ def generate_run_name() -> str:
     return f"{adj}-{noun}-{number}"
 
 
+def clone_repository(repo_url: str, run_name: str) -> str:
+    console = Console()
+
+    git_executable = shutil.which("git")
+    if git_executable is None:
+        raise FileNotFoundError("Git executable not found in PATH")
+
+    temp_dir = Path(tempfile.gettempdir()) / "strix_repos" / run_name
+    temp_dir.mkdir(parents=True, exist_ok=True)
+
+    repo_name = Path(repo_url).stem if repo_url.endswith(".git") else Path(repo_url).name
+
+    clone_path = temp_dir / repo_name
+
+    if clone_path.exists():
+        shutil.rmtree(clone_path)
+
+    try:
+        with console.status(f"[bold cyan]Cloning repository {repo_name}...", spinner="dots"):
+            subprocess.run(  # noqa: S603
+                [
+                    git_executable,
+                    "clone",
+                    repo_url,
+                    str(clone_path),
+                ],
+                capture_output=True,
+                text=True,
+                check=True,
+            )
+
+        return str(clone_path.absolute())
+
+    except subprocess.CalledProcessError as e:
+        error_text = Text()
+        error_text.append("❌ ", style="bold red")
+        error_text.append("REPOSITORY CLONE FAILED", style="bold red")
+        error_text.append("\n\n", style="white")
+        error_text.append(f"Could not clone repository: {repo_url}\n", style="white")
+        error_text.append(
+            f"Error: {e.stderr if hasattr(e, 'stderr') and e.stderr else str(e)}", style="dim red"
+        )
+
+        panel = Panel(
+            error_text,
+            title="[bold red]🛡️  STRIX CLONE ERROR",
+            title_align="center",
+            border_style="red",
+            padding=(1, 2),
+        )
+        console.print("\n")
+        console.print(panel)
+        console.print()
+        sys.exit(1)
+    except FileNotFoundError:
+        error_text = Text()
+        error_text.append("❌ ", style="bold red")
+        error_text.append("GIT NOT FOUND", style="bold red")
+        error_text.append("\n\n", style="white")
+        error_text.append("Git is not installed or not available in PATH.\n", style="white")
+        error_text.append("Please install Git to clone repositories.\n", style="white")
+
+        panel = Panel(
+            error_text,
+            title="[bold red]🛡️  STRIX CLONE ERROR",
+            title_align="center",
+            border_style="red",
+            padding=(1, 2),
+        )
+        console.print("\n")
+        console.print(panel)
+        console.print()
+        sys.exit(1)
+
+
 def infer_target_type(target: str) -> tuple[str, dict[str, str]]:
     if not target or not isinstance(target, str):
         raise ValueError("Target must be a non-empty string")
@@ -544,16 +621,23 @@ def main() -> None:
     if sys.platform == "win32":
         asyncio.set_event_loop_policy(asyncio.WindowsSelectorEventLoopPolicy())
 
+    args = parse_arguments()
+
     check_docker_installed()
     pull_docker_image()
 
     validate_environment()
     asyncio.run(warm_up_llm())
 
-    args = parse_arguments()
     if not args.run_name:
         args.run_name = generate_run_name()
 
+    if args.target_type == "repository":
+        repo_url = args.target_dict["target_repo"]
+        cloned_path = clone_repository(repo_url, args.run_name)
+
+        args.target_dict["cloned_repo_path"] = cloned_path
+
     asyncio.run(run_strix_cli(args))
 
     results_path = Path("agent_runs") / args.run_name

strix/cli/tool_components/terminal_renderer.py

@@ -8,7 +8,7 @@ from .registry import register_tool_renderer
 
 @register_tool_renderer
 class TerminalRenderer(BaseToolRenderer):
-    tool_name: ClassVar[str] = "terminal_action"
+    tool_name: ClassVar[str] = "terminal_execute"
     css_classes: ClassVar[list[str]] = ["tool-call", "terminal-tool"]
 
     @classmethod
@@ -17,11 +17,12 @@ class TerminalRenderer(BaseToolRenderer):
         status = tool_data.get("status", "unknown")
         result = tool_data.get("result", {})
 
-        action = args.get("action", "unknown")
-        inputs = args.get("inputs", [])
+        command = args.get("command", "")
+        is_input = args.get("is_input", False)
         terminal_id = args.get("terminal_id", "default")
+        timeout = args.get("timeout")
 
-        content = cls._build_sleek_content(action, inputs, terminal_id, result)
+        content = cls._build_sleek_content(command, is_input, terminal_id, timeout, result)
 
         css_classes = cls.get_css_classes(status)
         return Static(content, classes=css_classes)
@@ -29,71 +30,102 @@ class TerminalRenderer(BaseToolRenderer):
     @classmethod
     def _build_sleek_content(
         cls,
-        action: str,
-        inputs: list[str],
+        command: str,
+        is_input: bool,
         terminal_id: str,  # noqa: ARG003
+        timeout: float | None,  # noqa: ARG003
         result: dict[str, Any],  # noqa: ARG003
     ) -> str:
         terminal_icon = ">_"
 
-        if action in {"create", "new_terminal"}:
-            command = cls._format_command(inputs) if inputs else "bash"
-            return f"{terminal_icon} [#22c55e]${command}[/]"
-
-        if action == "send_input":
-            command = cls._format_command(inputs)
-            return f"{terminal_icon} [#22c55e]${command}[/]"
-
-        if action == "wait":
-            return f"{terminal_icon} [dim]waiting...[/]"
-
-        if action == "close":
-            return f"{terminal_icon} [dim]close[/]"
-
-        if action == "get_snapshot":
-            return f"{terminal_icon} [dim]snapshot[/]"
-
-        return f"{terminal_icon} [dim]{action}[/]"
+        if not command.strip():
+            return f"{terminal_icon} [dim]getting logs...[/]"
+
+        control_sequences = {
+            "C-c",
+            "C-d",
+            "C-z",
+            "C-a",
+            "C-e",
+            "C-k",
+            "C-l",
+            "C-u",
+            "C-w",
+            "C-r",
+            "C-s",
+            "C-t",
+            "C-y",
+            "^c",
+            "^d",
+            "^z",
+            "^a",
+            "^e",
+            "^k",
+            "^l",
+            "^u",
+            "^w",
+            "^r",
+            "^s",
+            "^t",
+            "^y",
+        }
+        special_keys = {
+            "Enter",
+            "Escape",
+            "Space",
+            "Tab",
+            "BTab",
+            "BSpace",
+            "DC",
+            "IC",
+            "Up",
+            "Down",
+            "Left",
+            "Right",
+            "Home",
+            "End",
+            "PageUp",
+            "PageDown",
+            "PgUp",
+            "PgDn",
+            "PPage",
+            "NPage",
+            "F1",
+            "F2",
+            "F3",
+            "F4",
+            "F5",
+            "F6",
+            "F7",
+            "F8",
+            "F9",
+            "F10",
+            "F11",
+            "F12",
+        }
+
+        is_special = (
+            command in control_sequences
+            or command in special_keys
+            or command.startswith(("M-", "S-", "C-S-", "C-M-", "S-M-"))
+        )
+
+        if is_special:
+            return f"{terminal_icon} [#ef4444]{command}[/]"
+
+        if is_input:
+            formatted_command = cls._format_command_display(command)
+            return f"{terminal_icon} [#3b82f6]>>>[/] [#22c55e]{formatted_command}[/]"
+
+        formatted_command = cls._format_command_display(command)
+        return f"{terminal_icon} [#22c55e]$ {formatted_command}[/]"
 
     @classmethod
-    def _format_command(cls, inputs: list[str]) -> str:
-        if not inputs:
+    def _format_command_display(cls, command: str) -> str:
+        if not command:
             return ""
 
-        command_parts = []
-
-        for input_item in inputs:
-            if input_item == "Enter":
-                break
-            if input_item.startswith("literal:"):
-                command_parts.append(input_item[8:])
-            elif input_item in [
-                "Space",
-                "Tab",
-                "Backspace",
-                "Up",
-                "Down",
-                "Left",
-                "Right",
-                "Home",
-                "End",
-                "PageUp",
-                "PageDown",
-                "Insert",
-                "Delete",
-                "Escape",
-            ] or input_item.startswith(("^", "C-", "S-", "A-", "F")):
-                if input_item == "Space":
-                    command_parts.append(" ")
-                elif input_item == "Tab":
-                    command_parts.append("\t")
-                continue
-            else:
-                command_parts.append(input_item)
-
-        command = "".join(command_parts).strip()
-
         if len(command) > 200:
             command = command[:197] + "..."
 
-        return cls.escape_markup(command) if command else "bash"
+        return cls.escape_markup(command)

strix/llm/llm.py

@@ -313,7 +313,7 @@ class LLM:
             completion_args["stop"] = ["</function>"]
 
         if self._should_include_reasoning_effort():
-            completion_args["reasoning_effort"] = "medium"
+            completion_args["reasoning_effort"] = "high"
 
         queue = get_global_queue()
         response = await queue.make_request(completion_args)
@@ -348,7 +348,7 @@ class LLM:
 
             try:
                 cost = completion_cost(response) or 0.0
-            except (ValueError, TypeError, RuntimeError) as e:
+            except Exception as e:  # noqa: BLE001
                 logger.warning(f"Failed to calculate cost: {e}")
                 cost = 0.0
 
@@ -370,5 +370,5 @@ class LLM:
                 logger.info(f"Cache creation: {cache_creation_tokens} tokens written to cache")
 
             logger.info(f"Usage stats: {self.usage_stats}")
-        except (AttributeError, TypeError, ValueError) as e:
+        except Exception as e:  # noqa: BLE001
             logger.warning(f"Failed to update usage stats: {e}")