strix-agent 0.4.0__py3-none-any.whl → 0.6.2__py3-none-any.whl

strix/skills/scan_modes/standard.jinja

@@ -0,0 +1,91 @@
+<scan_mode>
+STANDARD SCAN MODE - Balanced Security Assessment
+
+This mode provides thorough coverage with a structured methodology. Balance depth with efficiency.
+
+PHASE 1: RECONNAISSANCE AND MAPPING
+Understanding the target is critical before exploitation. Never skip this phase.
+
+For whitebox (source code available):
+- Map the entire codebase structure: directories, modules, entry points
+- Identify the application architecture (MVC, microservices, monolith)
+- Understand the routing: how URLs map to handlers/controllers
+- Identify all user input vectors: forms, APIs, file uploads, headers, cookies
+- Map authentication and authorization flows
+- Identify database interactions and ORM usage
+- Review dependency manifests for known vulnerable packages
+- Understand the data model and sensitive data locations
+
+For blackbox (no source code):
+- Crawl the application thoroughly using browser tool - interact with every feature
+- Enumerate all endpoints, parameters, and functionality
+- Identify the technology stack through fingerprinting
+- Map user roles and access levels
+- Understand the business logic by using the application as intended
+- Document all forms, APIs, and data entry points
+- Use proxy tool to capture and analyze all traffic during exploration
+
+PHASE 2: BUSINESS LOGIC UNDERSTANDING
+Before testing for vulnerabilities, understand what the application DOES:
+- What are the critical business flows? (payments, user registration, data access)
+- What actions should be restricted to specific roles?
+- What data should users NOT be able to access?
+- What state transitions exist? (order pending → paid → shipped)
+- Where does money, sensitive data, or privilege flow?
+
+PHASE 3: SYSTEMATIC VULNERABILITY ASSESSMENT
+Test each attack surface methodically. Create focused subagents for different areas.
+
+Entry Point Analysis:
+- Test all input fields for injection vulnerabilities
+- Check all API endpoints for authentication and authorization
+- Verify all file upload functionality for bypass
+- Test all search and filter functionality
+- Check redirect parameters and URL handling
+
+Authentication and Session:
+- Test login for brute force protection
+- Check session token entropy and handling
+- Test password reset flows for weaknesses
+- Verify logout invalidates sessions
+- Test for authentication bypass techniques
+
+Access Control:
+- For every privileged action, test as unprivileged user
+- Test horizontal access control (user A accessing user B's data)
+- Test vertical access control (user escalating to admin)
+- Check API endpoints mirror UI access controls
+- Test direct object references with different user contexts
+
+Business Logic:
+- Attempt to skip steps in multi-step processes
+- Test for race conditions in critical operations
+- Try negative values, zero values, boundary conditions
+- Attempt to replay transactions
+- Test for price manipulation in e-commerce flows
+
+PHASE 4: EXPLOITATION AND VALIDATION
+- Every finding must have a working proof-of-concept
+- Demonstrate actual impact, not theoretical risk
+- Chain vulnerabilities when possible to show maximum impact
+- Document the full attack path from initial access to impact
+- Use python tool for complex exploit development
+
+CHAINING & MAX IMPACT MINDSET:
+- Always ask: "If I can do X, what does that enable me to do next?" Keep pivoting until you reach maximum privilege or maximum sensitive data access
+- Prefer complete end-to-end paths (entry point → pivot → privileged action/data) over isolated bug reports
+- Use the application as a real user would: exploit must survive the actual workflow and state transitions
+- When you discover a useful pivot (info leak, weak boundary, partial access), immediately pursue the next step rather than stopping at the first win
+
+PHASE 5: COMPREHENSIVE REPORTING
+- Report all confirmed vulnerabilities with clear reproduction steps
+- Include severity based on actual exploitability and business impact
+- Provide remediation recommendations
+- Document any areas that need further investigation
+
+MINDSET:
+- Methodical and systematic - cover the full attack surface
+- Document as you go - findings and areas tested
+- Validate everything - no assumptions about exploitability
+- Think about business impact, not just technical severity
+</scan_mode>

strix/telemetry/README.md

@@ -0,0 +1,38 @@
+### Overview
+
+To help make Strix better for everyone, we collect anonymized data that helps us understand how to better improve our AI security agent for our users, guide the addition of new features, and fix common errors and bugs. This feedback loop is crucial for improving Strix's capabilities and user experience.
+
+We use [PostHog](https://posthog.com), an open-source analytics platform, for data collection and analysis. Our telemetry implementation is fully transparent - you can review the [source code](https://github.com/usestrix/strix/blob/main/strix/telemetry/posthog.py) to see exactly what we track.
+
+### Telemetry Policy
+
+Privacy is our priority. All collected data is anonymized by default. Each session gets a random UUID that is not persisted or tied to you. Your code, scan targets, vulnerability details, and findings always remain private and are never collected.
+
+### What We Track
+
+We collect only very **basic** usage data including:
+
+**Session Errors:** Duration and error types (not messages or stack traces)\
+**System Context:** OS type, architecture, Strix version\
+**Scan Context:** Scan mode (quick/standard/deep), scan type (whitebox/blackbox)\
+**Model Usage:** Which LLM model is being used (not prompts or responses)\
+**Aggregate Metrics:** Vulnerability counts by severity, agent/tool counts, token usage and cost estimates
+
+For complete transparency, you can inspect our [telemetry implementation](https://github.com/usestrix/strix/blob/main/strix/telemetry/posthog.py) to see the exact events we track.
+
+### What We **Never** Collect
+
+- IP addresses, usernames, or any identifying information
+- Scan targets, file paths, target URLs, or domains
+- Vulnerability details, descriptions, or code
+- LLM requests and responses
+
+### How to Opt Out
+
+Telemetry in Strix is entirely **optional**:
+
+```bash
+export STRIX_TELEMETRY=0
+```
+
+You can set this environment variable before running Strix to disable **all** telemetry.

strix/telemetry/__init__.py

@@ -1,4 +1,10 @@
+from . import posthog
 from .tracer import Tracer, get_global_tracer, set_global_tracer
 
 
-__all__ = ["Tracer", "get_global_tracer", "set_global_tracer"]
+__all__ = [
+    "Tracer",
+    "get_global_tracer",
+    "posthog",
+    "set_global_tracer",
+]

strix/telemetry/posthog.py

@@ -0,0 +1,137 @@
+import json
+import platform
+import sys
+import urllib.request
+from pathlib import Path
+from typing import TYPE_CHECKING, Any
+from uuid import uuid4
+
+from strix.config import Config
+
+
+if TYPE_CHECKING:
+    from strix.telemetry.tracer import Tracer
+
+_POSTHOG_PUBLIC_API_KEY = "phc_7rO3XRuNT5sgSKAl6HDIrWdSGh1COzxw0vxVIAR6vVZ"
+_POSTHOG_HOST = "https://us.i.posthog.com"
+
+_SESSION_ID = uuid4().hex[:16]
+
+
+def _is_enabled() -> bool:
+    return (Config.get("strix_telemetry") or "1").lower() not in ("0", "false", "no", "off")
+
+
+def _is_first_run() -> bool:
+    marker = Path.home() / ".strix" / ".seen"
+    if marker.exists():
+        return False
+    try:
+        marker.parent.mkdir(parents=True, exist_ok=True)
+        marker.touch()
+    except Exception:  # noqa: BLE001, S110
+        pass  # nosec B110
+    return True
+
+
+def _get_version() -> str:
+    try:
+        from importlib.metadata import version
+
+        return version("strix-agent")
+    except Exception:  # noqa: BLE001
+        return "unknown"
+
+
+def _send(event: str, properties: dict[str, Any]) -> None:
+    if not _is_enabled():
+        return
+    try:
+        payload = {
+            "api_key": _POSTHOG_PUBLIC_API_KEY,
+            "event": event,
+            "distinct_id": _SESSION_ID,
+            "properties": properties,
+        }
+        req = urllib.request.Request(  # noqa: S310
+            f"{_POSTHOG_HOST}/capture/",
+            data=json.dumps(payload).encode(),
+            headers={"Content-Type": "application/json"},
+        )
+        with urllib.request.urlopen(req, timeout=10):  # noqa: S310  # nosec B310
+            pass
+    except Exception:  # noqa: BLE001, S110
+        pass  # nosec B110
+
+
+def _base_props() -> dict[str, Any]:
+    return {
+        "os": platform.system().lower(),
+        "arch": platform.machine(),
+        "python": f"{sys.version_info.major}.{sys.version_info.minor}",
+        "strix_version": _get_version(),
+    }
+
+
+def start(
+    model: str | None,
+    scan_mode: str | None,
+    is_whitebox: bool,
+    interactive: bool,
+    has_instructions: bool,
+) -> None:
+    _send(
+        "scan_started",
+        {
+            **_base_props(),
+            "model": model or "unknown",
+            "scan_mode": scan_mode or "unknown",
+            "scan_type": "whitebox" if is_whitebox else "blackbox",
+            "interactive": interactive,
+            "has_instructions": has_instructions,
+            "first_run": _is_first_run(),
+        },
+    )
+
+
+def finding(severity: str) -> None:
+    _send(
+        "finding_reported",
+        {
+            **_base_props(),
+            "severity": severity.lower(),
+        },
+    )
+
+
+def end(tracer: "Tracer", exit_reason: str = "completed") -> None:
+    vulnerabilities_counts = {"critical": 0, "high": 0, "medium": 0, "low": 0, "info": 0}
+    for v in tracer.vulnerability_reports:
+        sev = v.get("severity", "info").lower()
+        if sev in vulnerabilities_counts:
+            vulnerabilities_counts[sev] += 1
+
+    llm = tracer.get_total_llm_stats()
+    total = llm.get("total", {})
+
+    _send(
+        "scan_ended",
+        {
+            **_base_props(),
+            "exit_reason": exit_reason,
+            "duration_seconds": round(tracer._calculate_duration()),
+            "vulnerabilities_total": len(tracer.vulnerability_reports),
+            **{f"vulnerabilities_{k}": v for k, v in vulnerabilities_counts.items()},
+            "agent_count": len(tracer.agents),
+            "tool_count": tracer.get_real_tool_count(),
+            "llm_tokens": llm.get("total_tokens", 0),
+            "llm_cost": total.get("cost", 0.0),
+        },
+    )
+
+
+def error(error_type: str, error_msg: str | None = None) -> None:
+    props = {**_base_props(), "error_type": error_type}
+    if error_msg:
+        props["error_msg"] = error_msg
+    _send("error", props)

strix/telemetry/tracer.py

@@ -4,6 +4,8 @@ from pathlib import Path
 from typing import TYPE_CHECKING, Any, Optional
 from uuid import uuid4
 
+from strix.telemetry import posthog
+
 
 if TYPE_CHECKING:
     from collections.abc import Callable
@@ -33,6 +35,8 @@ class Tracer:
         self.agents: dict[str, dict[str, Any]] = {}
         self.tool_executions: dict[int, dict[str, Any]] = {}
         self.chat_messages: list[dict[str, Any]] = []
+        self.streaming_content: dict[str, str] = {}
+        self.interrupted_content: dict[str, str] = {}
 
         self.vulnerability_reports: list[dict[str, Any]] = []
         self.final_scan_result: str | None = None
@@ -52,7 +56,7 @@ class Tracer:
         self._next_message_id = 1
         self._saved_vuln_ids: set[str] = set()
 
-        self.vulnerability_found_callback: Callable[[str, str, str, str], None] | None = None
+        self.vulnerability_found_callback: Callable[[dict[str, Any]], None] | None = None
 
     def set_run_name(self, run_name: str) -> None:
         self.run_name = run_name
@@ -69,48 +73,118 @@ class Tracer:
 
         return self._run_dir
 
-    def add_vulnerability_report(
+    def add_vulnerability_report(  # noqa: PLR0912
         self,
         title: str,
-        content: str,
         severity: str,
+        description: str | None = None,
+        impact: str | None = None,
+        target: str | None = None,
+        technical_analysis: str | None = None,
+        poc_description: str | None = None,
+        poc_script_code: str | None = None,
+        remediation_steps: str | None = None,
+        cvss: float | None = None,
+        cvss_breakdown: dict[str, str] | None = None,
+        endpoint: str | None = None,
+        method: str | None = None,
+        cve: str | None = None,
+        code_file: str | None = None,
+        code_before: str | None = None,
+        code_after: str | None = None,
+        code_diff: str | None = None,
     ) -> str:
         report_id = f"vuln-{len(self.vulnerability_reports) + 1:04d}"
 
-        report = {
+        report: dict[str, Any] = {
             "id": report_id,
             "title": title.strip(),
-            "content": content.strip(),
             "severity": severity.lower().strip(),
             "timestamp": datetime.now(UTC).strftime("%Y-%m-%d %H:%M:%S UTC"),
         }
 
+        if description:
+            report["description"] = description.strip()
+        if impact:
+            report["impact"] = impact.strip()
+        if target:
+            report["target"] = target.strip()
+        if technical_analysis:
+            report["technical_analysis"] = technical_analysis.strip()
+        if poc_description:
+            report["poc_description"] = poc_description.strip()
+        if poc_script_code:
+            report["poc_script_code"] = poc_script_code.strip()
+        if remediation_steps:
+            report["remediation_steps"] = remediation_steps.strip()
+        if cvss is not None:
+            report["cvss"] = cvss
+        if cvss_breakdown:
+            report["cvss_breakdown"] = cvss_breakdown
+        if endpoint:
+            report["endpoint"] = endpoint.strip()
+        if method:
+            report["method"] = method.strip()
+        if cve:
+            report["cve"] = cve.strip()
+        if code_file:
+            report["code_file"] = code_file.strip()
+        if code_before:
+            report["code_before"] = code_before.strip()
+        if code_after:
+            report["code_after"] = code_after.strip()
+        if code_diff:
+            report["code_diff"] = code_diff.strip()
+
         self.vulnerability_reports.append(report)
         logger.info(f"Added vulnerability report: {report_id} - {title}")
+        posthog.finding(severity)
 
         if self.vulnerability_found_callback:
-            self.vulnerability_found_callback(
-                report_id, title.strip(), content.strip(), severity.lower().strip()
-            )
+            self.vulnerability_found_callback(report)
 
         self.save_run_data()
         return report_id
 
-    def set_final_scan_result(
+    def get_existing_vulnerabilities(self) -> list[dict[str, Any]]:
+        return list(self.vulnerability_reports)
+
+    def update_scan_final_fields(
         self,
-        content: str,
-        success: bool = True,
+        executive_summary: str,
+        methodology: str,
+        technical_analysis: str,
+        recommendations: str,
     ) -> None:
-        self.final_scan_result = content.strip()
-
         self.scan_results = {
             "scan_completed": True,
-            "content": content,
-            "success": success,
+            "executive_summary": executive_summary.strip(),
+            "methodology": methodology.strip(),
+            "technical_analysis": technical_analysis.strip(),
+            "recommendations": recommendations.strip(),
+            "success": True,
         }
 
-        logger.info(f"Set final scan result: success={success}")
+        self.final_scan_result = f"""# Executive Summary
+
+{executive_summary.strip()}
+
+# Methodology
+
+{methodology.strip()}
+
+# Technical Analysis
+
+{technical_analysis.strip()}
+
+# Recommendations
+
+{recommendations.strip()}
+"""
+
+        logger.info("Updated scan final fields")
         self.save_run_data(mark_complete=True)
+        posthog.end(self, exit_reason="finished_by_tool")
 
     def log_agent_creation(
         self, agent_id: str, name: str, task: str, parent_id: str | None = None
@@ -202,7 +276,7 @@ class Tracer:
         )
         self.get_run_dir()
 
-    def save_run_data(self, mark_complete: bool = False) -> None:
+    def save_run_data(self, mark_complete: bool = False) -> None:  # noqa: PLR0912, PLR0915
         try:
             run_dir = self.get_run_dir()
             if mark_complete:
@@ -230,42 +304,89 @@ class Tracer:
                     if report["id"] not in self._saved_vuln_ids
                 ]
 
+                severity_order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
+                sorted_reports = sorted(
+                    self.vulnerability_reports,
+                    key=lambda x: (severity_order.get(x["severity"], 5), x["timestamp"]),
+                )
+
                 for report in new_reports:
                     vuln_file = vuln_dir / f"{report['id']}.md"
                     with vuln_file.open("w", encoding="utf-8") as f:
-                        f.write(f"# {report['title']}\n\n")
-                        f.write(f"**ID:** {report['id']}\n")
-                        f.write(f"**Severity:** {report['severity'].upper()}\n")
-                        f.write(f"**Found:** {report['timestamp']}\n\n")
-                        f.write("## Description\n\n")
-                        f.write(f"{report['content']}\n")
-                    self._saved_vuln_ids.add(report["id"])
+                        f.write(f"# {report.get('title', 'Untitled Vulnerability')}\n\n")
+                        f.write(f"**ID:** {report.get('id', 'unknown')}\n")
+                        f.write(f"**Severity:** {report.get('severity', 'unknown').upper()}\n")
+                        f.write(f"**Found:** {report.get('timestamp', 'unknown')}\n")
+
+                        metadata_fields: list[tuple[str, Any]] = [
+                            ("Target", report.get("target")),
+                            ("Endpoint", report.get("endpoint")),
+                            ("Method", report.get("method")),
+                            ("CVE", report.get("cve")),
+                        ]
+                        cvss_score = report.get("cvss")
+                        if cvss_score is not None:
+                            metadata_fields.append(("CVSS", cvss_score))
+
+                        for label, value in metadata_fields:
+                            if value:
+                                f.write(f"**{label}:** {value}\n")
+
+                        f.write("\n## Description\n\n")
+                        desc = report.get("description") or "No description provided."
+                        f.write(f"{desc}\n\n")
+
+                        if report.get("impact"):
+                            f.write("## Impact\n\n")
+                            f.write(f"{report['impact']}\n\n")
+
+                        if report.get("technical_analysis"):
+                            f.write("## Technical Analysis\n\n")
+                            f.write(f"{report['technical_analysis']}\n\n")
+
+                        if report.get("poc_description") or report.get("poc_script_code"):
+                            f.write("## Proof of Concept\n\n")
+                            if report.get("poc_description"):
+                                f.write(f"{report['poc_description']}\n\n")
+                            if report.get("poc_script_code"):
+                                f.write("```\n")
+                                f.write(f"{report['poc_script_code']}\n")
+                                f.write("```\n\n")
+
+                        if report.get("code_file") or report.get("code_diff"):
+                            f.write("## Code Analysis\n\n")
+                            if report.get("code_file"):
+                                f.write(f"**File:** {report['code_file']}\n\n")
+                            if report.get("code_diff"):
+                                f.write("**Changes:**\n")
+                                f.write("```diff\n")
+                                f.write(f"{report['code_diff']}\n")
+                                f.write("```\n\n")
+
+                        if report.get("remediation_steps"):
+                            f.write("## Remediation\n\n")
+                            f.write(f"{report['remediation_steps']}\n\n")
 
-                if self.vulnerability_reports:
-                    severity_order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
-                    sorted_reports = sorted(
-                        self.vulnerability_reports,
-                        key=lambda x: (severity_order.get(x["severity"], 5), x["timestamp"]),
-                    )
+                    self._saved_vuln_ids.add(report["id"])
 
-                    vuln_csv_file = run_dir / "vulnerabilities.csv"
-                    with vuln_csv_file.open("w", encoding="utf-8", newline="") as f:
-                        import csv
-
-                        fieldnames = ["id", "title", "severity", "timestamp", "file"]
-                        writer = csv.DictWriter(f, fieldnames=fieldnames)
-                        writer.writeheader()
-
-                        for report in sorted_reports:
-                            writer.writerow(
-                                {
-                                    "id": report["id"],
-                                    "title": report["title"],
-                                    "severity": report["severity"].upper(),
-                                    "timestamp": report["timestamp"],
-                                    "file": f"vulnerabilities/{report['id']}.md",
-                                }
-                            )
+                vuln_csv_file = run_dir / "vulnerabilities.csv"
+                with vuln_csv_file.open("w", encoding="utf-8", newline="") as f:
+                    import csv
+
+                    fieldnames = ["id", "title", "severity", "timestamp", "file"]
+                    writer = csv.DictWriter(f, fieldnames=fieldnames)
+                    writer.writeheader()
+
+                    for report in sorted_reports:
+                        writer.writerow(
+                            {
+                                "id": report["id"],
+                                "title": report["title"],
+                                "severity": report["severity"].upper(),
+                                "timestamp": report["timestamp"],
+                                "file": f"vulnerabilities/{report['id']}.md",
+                            }
+                        )
 
                 if new_reports:
                     logger.info(
@@ -291,14 +412,14 @@ class Tracer:
     def get_agent_tools(self, agent_id: str) -> list[dict[str, Any]]:
         return [
             exec_data
-            for exec_data in self.tool_executions.values()
+            for exec_data in list(self.tool_executions.values())
             if exec_data.get("agent_id") == agent_id
         ]
 
     def get_real_tool_count(self) -> int:
         return sum(
             1
-            for exec_data in self.tool_executions.values()
+            for exec_data in list(self.tool_executions.values())
             if exec_data.get("tool_name") not in ["scan_start_info", "subagent_start_info"]
         )
 
@@ -309,10 +430,8 @@ class Tracer:
             "input_tokens": 0,
             "output_tokens": 0,
             "cached_tokens": 0,
-            "cache_creation_tokens": 0,
             "cost": 0.0,
             "requests": 0,
-            "failed_requests": 0,
         }
 
         for agent_instance in _agent_instances.values():
@@ -321,10 +440,8 @@ class Tracer:
                 total_stats["input_tokens"] += agent_stats.input_tokens
                 total_stats["output_tokens"] += agent_stats.output_tokens
                 total_stats["cached_tokens"] += agent_stats.cached_tokens
-                total_stats["cache_creation_tokens"] += agent_stats.cache_creation_tokens
                 total_stats["cost"] += agent_stats.cost
                 total_stats["requests"] += agent_stats.requests
-                total_stats["failed_requests"] += agent_stats.failed_requests
 
         total_stats["cost"] = round(total_stats["cost"], 4)
 
@@ -333,5 +450,28 @@ class Tracer:
             "total_tokens": total_stats["input_tokens"] + total_stats["output_tokens"],
         }
 
+    def update_streaming_content(self, agent_id: str, content: str) -> None:
+        self.streaming_content[agent_id] = content
+
+    def clear_streaming_content(self, agent_id: str) -> None:
+        self.streaming_content.pop(agent_id, None)
+
+    def get_streaming_content(self, agent_id: str) -> str | None:
+        return self.streaming_content.get(agent_id)
+
+    def finalize_streaming_as_interrupted(self, agent_id: str) -> str | None:
+        content = self.streaming_content.pop(agent_id, None)
+        if content and content.strip():
+            self.interrupted_content[agent_id] = content
+            self.log_chat_message(
+                content=content,
+                role="assistant",
+                agent_id=agent_id,
+                metadata={"interrupted": True},
+            )
+            return content
+
+        return self.interrupted_content.pop(agent_id, None)
+
     def cleanup(self) -> None:
         self.save_run_data(mark_complete=True)

strix/tools/__init__.py

@@ -1,5 +1,7 @@
 import os
 
+from strix.config import Config
+
 from .executor import (
     execute_tool,
     execute_tool_invocation,
@@ -22,11 +24,15 @@ from .registry import (
 
 SANDBOX_MODE = os.getenv("STRIX_SANDBOX_MODE", "false").lower() == "true"
 
-HAS_PERPLEXITY_API = bool(os.getenv("PERPLEXITY_API_KEY"))
+HAS_PERPLEXITY_API = bool(Config.get("perplexity_api_key"))
+
+DISABLE_BROWSER = (Config.get("strix_disable_browser") or "false").lower() == "true"
 
 if not SANDBOX_MODE:
     from .agents_graph import *  # noqa: F403
-    from .browser import *  # noqa: F403
+
+    if not DISABLE_BROWSER:
+        from .browser import *  # noqa: F403
     from .file_edit import *  # noqa: F403
     from .finish import *  # noqa: F403
     from .notes import *  # noqa: F403
@@ -35,13 +41,14 @@ if not SANDBOX_MODE:
     from .reporting import *  # noqa: F403
     from .terminal import *  # noqa: F403
     from .thinking import *  # noqa: F403
+    from .todo import *  # noqa: F403
 
     if HAS_PERPLEXITY_API:
         from .web_search import *  # noqa: F403
 else:
-    from .browser import *  # noqa: F403
+    if not DISABLE_BROWSER:
+        from .browser import *  # noqa: F403
     from .file_edit import *  # noqa: F403
-    from .notes import *  # noqa: F403
     from .proxy import *  # noqa: F403
     from .python import *  # noqa: F403
     from .terminal import *  # noqa: F403