strix-agent 0.1.9__tar.gz → 0.1.11__tar.gz

{strix_agent-0.1.9 → strix_agent-0.1.11}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: strix-agent
-Version: 0.1.9
+Version: 0.1.11
 Summary: Open-source AI Hackers for your apps
 License: Apache-2.0
 Keywords: cybersecurity,security,vulnerability,scanner,pentest,agent,ai,cli
@@ -22,8 +22,10 @@ Requires-Dist: docker (>=7.1.0,<8.0.0)
 Requires-Dist: fastapi
 Requires-Dist: gql[requests] (>=3.5.3,<4.0.0)
 Requires-Dist: ipython (>=9.3.0,<10.0.0)
-Requires-Dist: litellm[proxy] (>=1.75.7,<2.0.0)
+Requires-Dist: libtmux (>=0.46.2,<0.47.0)
+Requires-Dist: litellm[proxy] (>=1.75.8,<1.76.0)
 Requires-Dist: numpydoc (>=1.8.0,<2.0.0)
+Requires-Dist: openai (>=1.99.5,<1.100.0)
 Requires-Dist: openhands-aci (>=0.3.0,<0.4.0)
 Requires-Dist: playwright (>=1.48.0,<2.0.0)
 Requires-Dist: pydantic[email] (>=2.11.3,<3.0.0)
@@ -45,9 +47,6 @@ Description-Content-Type: text/markdown
 [![Apache 2.0](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE)
 [![Vercel AI Accelerator 2025](https://img.shields.io/badge/Vercel%20AI-Accelerator%202025-000000?style=flat&logo=vercel)](https://vercel.com/ai-accelerator)
 [![Status: Alpha](https://img.shields.io/badge/status-alpha-orange.svg)](https://github.com/usestrix/strix)
-[![Discord](https://dcbadge.limes.pink/api/server/yduEyduBsp?style=flat)](https://discord.gg/yduEyduBsp)
-
-**⚡ Use it to hack your apps before the bad guys do ⚡**
 
 </div>
 
@@ -172,15 +171,5 @@ Our managed platform provides:
 
 Have questions? Found a bug? Want to contribute? **[Join our Discord!](https://discord.gg/yduEyduBsp)**
 
----
-
-<div align="center">
-
-### About • Links
-
-**[OmniSecure Inc.](https://omnisecure.ai)** • Applied AI Research Lab
-
-[Discord Community](https://discord.gg/yduEyduBsp) • [Enterprise Solutions](https://form.typeform.com/to/ljtvl6X0) • [Report Issues](https://github.com/usestrix/strix/issues)
-
 </div>
 

{strix_agent-0.1.9 → strix_agent-0.1.11}/README.md

@@ -7,9 +7,6 @@
 [![Apache 2.0](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE)
 [![Vercel AI Accelerator 2025](https://img.shields.io/badge/Vercel%20AI-Accelerator%202025-000000?style=flat&logo=vercel)](https://vercel.com/ai-accelerator)
 [![Status: Alpha](https://img.shields.io/badge/status-alpha-orange.svg)](https://github.com/usestrix/strix)
-[![Discord](https://dcbadge.limes.pink/api/server/yduEyduBsp?style=flat)](https://discord.gg/yduEyduBsp)
-
-**⚡ Use it to hack your apps before the bad guys do ⚡**
 
 </div>
 
@@ -134,14 +131,4 @@ Our managed platform provides:
 
 Have questions? Found a bug? Want to contribute? **[Join our Discord!](https://discord.gg/yduEyduBsp)**
 
----
-
-<div align="center">
-
-### About • Links
-
-**[OmniSecure Inc.](https://omnisecure.ai)** • Applied AI Research Lab
-
-[Discord Community](https://discord.gg/yduEyduBsp) • [Enterprise Solutions](https://form.typeform.com/to/ljtvl6X0) • [Report Issues](https://github.com/usestrix/strix/issues)
-
 </div>

{strix_agent-0.1.9 → strix_agent-0.1.11}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "strix-agent"
-version = "0.1.9"
+version = "0.1.11"
 description = "Open-source AI Hackers for your apps"
 authors = ["Strix <hi@usestrix.com>"]
 readme = "README.md"
@@ -45,7 +45,8 @@ strix = "strix.cli.main:main"
 python = "^3.12"
 fastapi = "*"
 uvicorn = "*"
-litellm = {version = "^1.75.7", extras = ["proxy"]}
+litellm = { version = "~1.75.8", extras = ["proxy"] }
+openai = ">=1.99.5,<1.100.0"
 tenacity = "^9.0.0"
 numpydoc = "^1.8.0"
 pydantic = {extras = ["email"], version = "^2.11.3"}
@@ -59,6 +60,7 @@ textual = "^4.0.0"
 xmltodict = "^0.13.0"
 pyte = "^0.8.1"
 requests = "^2.32.0"
+libtmux = "^0.46.2"
 
 [tool.poetry.group.dev.dependencies]
 # Type checking and static analysis
@@ -126,6 +128,7 @@ module = [
     "gql.*",
     "textual.*",
     "pyte.*",
+    "libtmux.*",
 ]
 ignore_missing_imports = true
 

{strix_agent-0.1.9 → strix_agent-0.1.11}/strix/agents/StrixAgent/strix_agent.py

@@ -26,9 +26,21 @@ class StrixAgent(BaseAgent):
         task_parts = []
 
         if scan_type == "repository":
-            task_parts.append(
-                f"Perform a security assessment of the Git repository: {target['target_repo']}"
-            )
+            repo_url = target["target_repo"]
+            cloned_path = target.get("cloned_repo_path")
+
+            if cloned_path:
+                workspace_path = "/workspace"
+                task_parts.append(
+                    f"Perform a security assessment of the Git repository: {repo_url}. "
+                    f"The repository has been cloned from '{repo_url}' to '{cloned_path}' "
+                    f"(host path) and then copied to '{workspace_path}' in your environment."
+                    f"Analyze the codebase at: {workspace_path}"
+                )
+            else:
+                task_parts.append(
+                    f"Perform a security assessment of the Git repository: {repo_url}"
+                )
 
         elif scan_type == "web_application":
             task_parts.append(
@@ -37,12 +49,12 @@ class StrixAgent(BaseAgent):
 
         elif scan_type == "local_code":
             original_path = target.get("target_path", "unknown")
-            shared_workspace_path = "/shared_workspace"
+            workspace_path = "/workspace"
             task_parts.append(
                 f"Perform a security assessment of the local codebase. "
                 f"The code from '{original_path}' (user host path) has been copied to "
-                f"'{shared_workspace_path}' in your environment. "
-                f"Analyze the codebase at: {shared_workspace_path}"
+                f"'{workspace_path}' in your environment. "
+                f"Analyze the codebase at: {workspace_path}"
             )
 
         else:

{strix_agent-0.1.9 → strix_agent-0.1.11}/strix/agents/StrixAgent/system_prompt.jinja

@@ -145,11 +145,10 @@ Remember: A single high-impact vulnerability is worth more than dozens of low-se
 
 <multi_agent_system>
 AGENT ISOLATION & SANDBOXING:
-- Each subagent runs in a completely isolated sandbox environment
-- Each agent has its own: browser sessions, terminal sessions, proxy (history and scope rules), /workspace directory, environment variables, running processes
-- Agents cannot share network ports or interfere with each other's processes
-- Only shared resource is /shared_workspace for collaboration and file exchange
-- Use /shared_workspace to pass files, reports, and coordination data between agents
+- All agents run in the same shared Docker container for efficiency
+- Each agent has its own: browser sessions, terminal sessions
+- All agents share the same /workspace directory and proxy history
+- Agents can see each other's files and proxy traffic for better collaboration
 
 SIMPLE WORKFLOW RULES:
 
@@ -206,6 +205,27 @@ CRITICAL RULES:
 - **ONE AGENT = ONE TASK** - Don't let agents do multiple unrelated jobs
 - **SPAWN REACTIVELY** - Create new agents based on what you discover
 - **ONLY REPORTING AGENTS** can use create_vulnerability_report tool
+- **AGENT SPECIALIZATION MANDATORY** - Each agent must be highly specialized with maximum 3 prompt modules
+- **NO GENERIC AGENTS** - Avoid creating broad, multi-purpose agents that dilute focus
+
+AGENT SPECIALIZATION EXAMPLES:
+
+GOOD SPECIALIZATION:
+- "SQLi Validation Agent" with prompt_modules: sql_injection
+- "XSS Discovery Agent" with prompt_modules: xss
+- "Auth Testing Agent" with prompt_modules: authentication_jwt, business_logic
+- "SSRF + XXE Agent" with prompt_modules: ssrf, xxe, rce (related attack vectors)
+
+BAD SPECIALIZATION:
+- "General Web Testing Agent" with prompt_modules: sql_injection, xss, csrf, ssrf, authentication_jwt (too broad)
+- "Everything Agent" with prompt_modules: all available modules (completely unfocused)
+- Any agent with more than 3 prompt modules (violates constraints)
+
+FOCUS PRINCIPLES:
+- Each agent should have deep expertise in 1-3 related vulnerability types
+- Agents with single modules have the deepest specialization
+- Related vulnerabilities (like SSRF+XXE or Auth+Business Logic) can be combined
+- Never create "kitchen sink" agents that try to do everything
 
 REALISTIC TESTING OUTCOMES:
 - **No Findings**: Agent completes testing but finds no vulnerabilities
@@ -291,8 +311,7 @@ PROGRAMMING:
 - You can install any additional tools/packages needed based on the task/context using package managers (apt, pip, npm, go install, etc.)
 
 Directories:
-- /workspace - Your private agent directory
-- /shared_workspace - Shared between agents
+- /workspace - where you should work.
 - /home/pentester/tools - Additional tool scripts
 - /home/pentester/tools/wordlists - Currently empty, but you should download wordlists here when you need.
 

{strix_agent-0.1.9 → strix_agent-0.1.11}/strix/agents/base_agent.py

@@ -239,6 +239,9 @@ class BaseAgent(metaclass=AgentMeta):
             self.state.sandbox_token = sandbox_info["auth_token"]
             self.state.sandbox_info = sandbox_info
 
+            if "agent_id" in sandbox_info:
+                self.state.sandbox_info["agent_id"] = sandbox_info["agent_id"]
+
         if not self.state.task:
             self.state.task = task
 

{strix_agent-0.1.9 → strix_agent-0.1.11}/strix/cli/app.py

@@ -248,6 +248,8 @@ class StrixCLIApp(App):  # type: ignore[misc]
 
         if args.target_type == "local_code" and "target_path" in args.target_dict:
             config["local_source_path"] = args.target_dict["target_path"]
+        elif args.target_type == "repository" and "cloned_repo_path" in args.target_dict:
+            config["local_source_path"] = args.target_dict["cloned_repo_path"]
 
         return config
 
@@ -876,7 +878,7 @@ class StrixCLIApp(App):  # type: ignore[misc]
         result = tool_data.get("result")
 
         tool_colors = {
-            "terminal_action": "#22c55e",
+            "terminal_execute": "#22c55e",
             "browser_action": "#06b6d4",
             "python_action": "#3b82f6",
             "agents_graph_action": "#fbbf24",

{strix_agent-0.1.9 → strix_agent-0.1.11}/strix/cli/main.py

@@ -9,7 +9,9 @@ import logging
 import os
 import secrets
 import shutil
+import subprocess
 import sys
+import tempfile
 from pathlib import Path
 from typing import Any
 from urllib.parse import urlparse
@@ -204,6 +206,81 @@ def generate_run_name() -> str:
     return f"{adj}-{noun}-{number}"
 
 
+def clone_repository(repo_url: str, run_name: str) -> str:
+    console = Console()
+
+    git_executable = shutil.which("git")
+    if git_executable is None:
+        raise FileNotFoundError("Git executable not found in PATH")
+
+    temp_dir = Path(tempfile.gettempdir()) / "strix_repos" / run_name
+    temp_dir.mkdir(parents=True, exist_ok=True)
+
+    repo_name = Path(repo_url).stem if repo_url.endswith(".git") else Path(repo_url).name
+
+    clone_path = temp_dir / repo_name
+
+    if clone_path.exists():
+        shutil.rmtree(clone_path)
+
+    try:
+        with console.status(f"[bold cyan]Cloning repository {repo_name}...", spinner="dots"):
+            subprocess.run(  # noqa: S603
+                [
+                    git_executable,
+                    "clone",
+                    repo_url,
+                    str(clone_path),
+                ],
+                capture_output=True,
+                text=True,
+                check=True,
+            )
+
+        return str(clone_path.absolute())
+
+    except subprocess.CalledProcessError as e:
+        error_text = Text()
+        error_text.append("❌ ", style="bold red")
+        error_text.append("REPOSITORY CLONE FAILED", style="bold red")
+        error_text.append("\n\n", style="white")
+        error_text.append(f"Could not clone repository: {repo_url}\n", style="white")
+        error_text.append(
+            f"Error: {e.stderr if hasattr(e, 'stderr') and e.stderr else str(e)}", style="dim red"
+        )
+
+        panel = Panel(
+            error_text,
+            title="[bold red]🛡️  STRIX CLONE ERROR",
+            title_align="center",
+            border_style="red",
+            padding=(1, 2),
+        )
+        console.print("\n")
+        console.print(panel)
+        console.print()
+        sys.exit(1)
+    except FileNotFoundError:
+        error_text = Text()
+        error_text.append("❌ ", style="bold red")
+        error_text.append("GIT NOT FOUND", style="bold red")
+        error_text.append("\n\n", style="white")
+        error_text.append("Git is not installed or not available in PATH.\n", style="white")
+        error_text.append("Please install Git to clone repositories.\n", style="white")
+
+        panel = Panel(
+            error_text,
+            title="[bold red]🛡️  STRIX CLONE ERROR",
+            title_align="center",
+            border_style="red",
+            padding=(1, 2),
+        )
+        console.print("\n")
+        console.print(panel)
+        console.print()
+        sys.exit(1)
+
+
 def infer_target_type(target: str) -> tuple[str, dict[str, str]]:
     if not target or not isinstance(target, str):
         raise ValueError("Target must be a non-empty string")
@@ -544,16 +621,23 @@ def main() -> None:
     if sys.platform == "win32":
         asyncio.set_event_loop_policy(asyncio.WindowsSelectorEventLoopPolicy())
 
+    args = parse_arguments()
+
     check_docker_installed()
     pull_docker_image()
 
     validate_environment()
     asyncio.run(warm_up_llm())
 
-    args = parse_arguments()
     if not args.run_name:
         args.run_name = generate_run_name()
 
+    if args.target_type == "repository":
+        repo_url = args.target_dict["target_repo"]
+        cloned_path = clone_repository(repo_url, args.run_name)
+
+        args.target_dict["cloned_repo_path"] = cloned_path
+
     asyncio.run(run_strix_cli(args))
 
     results_path = Path("agent_runs") / args.run_name

strix_agent-0.1.11/strix/cli/tool_components/terminal_renderer.py

@@ -0,0 +1,131 @@
+from typing import Any, ClassVar
+
+from textual.widgets import Static
+
+from .base_renderer import BaseToolRenderer
+from .registry import register_tool_renderer
+
+
+@register_tool_renderer
+class TerminalRenderer(BaseToolRenderer):
+    tool_name: ClassVar[str] = "terminal_execute"
+    css_classes: ClassVar[list[str]] = ["tool-call", "terminal-tool"]
+
+    @classmethod
+    def render(cls, tool_data: dict[str, Any]) -> Static:
+        args = tool_data.get("args", {})
+        status = tool_data.get("status", "unknown")
+        result = tool_data.get("result", {})
+
+        command = args.get("command", "")
+        is_input = args.get("is_input", False)
+        terminal_id = args.get("terminal_id", "default")
+        timeout = args.get("timeout")
+
+        content = cls._build_sleek_content(command, is_input, terminal_id, timeout, result)
+
+        css_classes = cls.get_css_classes(status)
+        return Static(content, classes=css_classes)
+
+    @classmethod
+    def _build_sleek_content(
+        cls,
+        command: str,
+        is_input: bool,
+        terminal_id: str,  # noqa: ARG003
+        timeout: float | None,  # noqa: ARG003
+        result: dict[str, Any],  # noqa: ARG003
+    ) -> str:
+        terminal_icon = ">_"
+
+        if not command.strip():
+            return f"{terminal_icon} [dim]getting logs...[/]"
+
+        control_sequences = {
+            "C-c",
+            "C-d",
+            "C-z",
+            "C-a",
+            "C-e",
+            "C-k",
+            "C-l",
+            "C-u",
+            "C-w",
+            "C-r",
+            "C-s",
+            "C-t",
+            "C-y",
+            "^c",
+            "^d",
+            "^z",
+            "^a",
+            "^e",
+            "^k",
+            "^l",
+            "^u",
+            "^w",
+            "^r",
+            "^s",
+            "^t",
+            "^y",
+        }
+        special_keys = {
+            "Enter",
+            "Escape",
+            "Space",
+            "Tab",
+            "BTab",
+            "BSpace",
+            "DC",
+            "IC",
+            "Up",
+            "Down",
+            "Left",
+            "Right",
+            "Home",
+            "End",
+            "PageUp",
+            "PageDown",
+            "PgUp",
+            "PgDn",
+            "PPage",
+            "NPage",
+            "F1",
+            "F2",
+            "F3",
+            "F4",
+            "F5",
+            "F6",
+            "F7",
+            "F8",
+            "F9",
+            "F10",
+            "F11",
+            "F12",
+        }
+
+        is_special = (
+            command in control_sequences
+            or command in special_keys
+            or command.startswith(("M-", "S-", "C-S-", "C-M-", "S-M-"))
+        )
+
+        if is_special:
+            return f"{terminal_icon} [#ef4444]{command}[/]"
+
+        if is_input:
+            formatted_command = cls._format_command_display(command)
+            return f"{terminal_icon} [#3b82f6]>>>[/] [#22c55e]{formatted_command}[/]"
+
+        formatted_command = cls._format_command_display(command)
+        return f"{terminal_icon} [#22c55e]$ {formatted_command}[/]"
+
+    @classmethod
+    def _format_command_display(cls, command: str) -> str:
+        if not command:
+            return ""
+
+        if len(command) > 200:
+            command = command[:197] + "..."
+
+        return cls.escape_markup(command)

{strix_agent-0.1.9 → strix_agent-0.1.11}/strix/llm/llm.py

@@ -313,7 +313,7 @@ class LLM:
             completion_args["stop"] = ["</function>"]
 
         if self._should_include_reasoning_effort():
-            completion_args["reasoning_effort"] = "medium"
+            completion_args["reasoning_effort"] = "high"
 
         queue = get_global_queue()
         response = await queue.make_request(completion_args)
@@ -348,7 +348,7 @@ class LLM:
 
             try:
                 cost = completion_cost(response) or 0.0
-            except (ValueError, TypeError, RuntimeError) as e:
+            except Exception as e:  # noqa: BLE001
                 logger.warning(f"Failed to calculate cost: {e}")
                 cost = 0.0
 
@@ -370,5 +370,5 @@ class LLM:
                 logger.info(f"Cache creation: {cache_creation_tokens} tokens written to cache")
 
             logger.info(f"Usage stats: {self.usage_stats}")
-        except (AttributeError, TypeError, ValueError) as e:
+        except Exception as e:  # noqa: BLE001
             logger.warning(f"Failed to update usage stats: {e}")