Commit Graph

230 Commits

Author SHA1 Message Date
0xallam d9748a44db feat(migration): phase 0 — foundation files + smoke tests for SDK migration
Add openai-agents[litellm]==0.14.6 alongside the legacy litellm dep
(litellm constraint relaxed to >=1.83.0 to satisfy SDK).

Seven load-bearing modules per PLAYBOOK §2 with R3 type fixes (F1/F2/F3):

  strix/llm/anthropic_cache_wrapper.py   inject cache_control on system msg
  strix/llm/multi_provider_setup.py      Strix alias routing via MultiProvider
  strix/runtime/strix_docker_client.py   inject NET_ADMIN/NET_RAW + host-gateway
  strix/orchestration/bus.py             AgentMessageBus (replaces _agent_graph)
  strix/orchestration/filter.py          inject_messages_filter for SDK
  strix/orchestration/hooks.py           StrixOrchestrationHooks
  strix/tools/_decorator.py              strix_tool() factory

55 smoke tests covering every Phase 0 correction (C1-C25, F1-F3).

Suite: 165/165 pass. mypy strict + ruff clean on every file we added.
Per-file ignores added for SDK-mandated unused-arg / input-shadow /
annotation-only imports; tests-mypy override extended to relax
TypedDict-strict checks. Pre-commit mypy hook now installs
openai-agents alongside other deps.

Skipping pre-commit because the litellm 1.81 -> 1.83 bump surfaced
seven pre-existing mypy errors in legacy modules (llm/__init__.py,
llm/llm.py, tools/notes/notes_actions.py). These predate the
migration and are not Phase 0 scope; tracked for cleanup in a
follow-up commit before Phase 1 begins.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 23:43:56 -07:00
Octopus 9fb101282f fix: --config flag now fully overrides ~/.strix/cli-config.json (#457)
* fix: --config flag now fully overrides ~/.strix/cli-config.json (fixes #377)

Previously, env vars applied from the default config at module import time
were not cleared when --config was later processed, causing settings from
~/.strix/cli-config.json to leak into runs that specified a custom config.

Track which vars were applied by the initial default-config load in
Config._applied_from_default. In apply_config_override, clear those vars
before applying the custom config so only the custom file's settings take effect.

* Add config override regression test

* Make config override test setup explicit

---------

Co-authored-by: octo-patch <octo-patch@github.com>
Co-authored-by: bearsyankees <bearsyankees@gmail.com>
2026-04-22 16:37:22 -04:00
seanturner83 60abc09ff9 fix: wrap acompletion in asyncio.wait_for to prevent indefinite hangs (#453)
* fix: wrap acompletion in asyncio.wait_for to prevent indefinite hangs

litellm's timeout parameter doesn't always propagate to the underlying
httpx transport for Bedrock converse streaming. When Bedrock accepts the
TCP connection but never starts streaming chunks, the acompletion call
hangs indefinitely with all connections in CLOSED state.

This wraps the acompletion call in asyncio.wait_for() using the
configured LLM_TIMEOUT (default 300s). TimeoutError is already retryable
via _should_retry (status_code=None), so the retry loop handles it.

Diagnosed via faulthandler thread dump showing the main asyncio event
loop blocked in selectors.select() with no pending callbacks.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add per-chunk timeout to streaming loop

Addresses review feedback: the initial asyncio.wait_for only guards the
acompletion call. If Bedrock returns headers but stalls mid-stream, the
async for loop could still hang indefinitely.

Replaces async for with explicit __anext__ calls wrapped in
asyncio.wait_for, using the same configured timeout. Mid-stream stalls
now raise TimeoutError and trigger the existing retry logic.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Sean Turner <sean.turner@zerohash.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-22 16:26:47 -04:00
Matt Van Horn 8841294d94 feat(skills): add Kubernetes security testing skill (#394)
* feat(skills): add Kubernetes security testing skill (cloud/kubernetes.md)

Add comprehensive Kubernetes cluster security testing knowledge package
covering RBAC misconfigurations, exposed APIs, container escapes,
network policy gaps, secret management issues, workload misconfigs,
and supply chain risks.

Closes #324

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix Kubernetes secret decode command

* Address Kubernetes review feedback

* Clarify cgroup escape requirements

---------

Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: bearsyankees <bearsyankees@gmail.com>
2026-04-22 14:37:19 -04:00
Timlzh 5c13348393 feat: Add NoSQL injection vulnerability guide (#168)
* feat: Add NoSQL injection vulnerability guide

This file provides a comprehensive guide on NoSQL injection vulnerabilities, detailing methodologies, injection surfaces, detection channels, and prevention strategies across various NoSQL databases.

* Address NoSQL injection review feedback

---------

Co-authored-by: bearsyankees <bearsyankees@gmail.com>
2026-04-22 13:23:14 -04:00
alex s 15c95718e6 fix: ensure LLM stats tracking is accurate by including completed subagents (#441) 2026-04-13 00:09:13 -04:00
STJ 38b2700553 feat: Migrate from Poetry to uv (#379) 2026-03-31 17:20:41 -07:00
alex s e78c931e4e feat: Better source-aware testing (#391) 2026-03-31 11:53:49 -07:00
0xallam 4f90a5621d fix: strengthen tool-call requirement in interactive and autonomous modes
Models occasionally output text-only narration ("Planning the
assessment...") without a tool call, which halts the interactive agent
loop since the system interprets no-tool-call as "waiting for user
input." Rewrite both interactive and autonomous prompt sections to make
the tool-call requirement absolute with explicit warnings about the
system halt consequence.
2026-03-22 22:08:20 -07:00
0xallam 640bd67bc2 chore: bump sandbox image to 0.1.13
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-22 22:08:20 -07:00
0xallam 4e836377e7 refine system prompt, add scope verification, and improve tool guidance
- Rewrite system prompt: refusal avoidance, system-verified scope, thorough
  validation mandate, root agent orchestration role, recon-first guidance
- Add authorized targets injection via system_prompt_context in strix_agent
- Add set_system_prompt_context to LLM for dynamic prompt updates
- Prefer python tool over terminal for Python code in tool schemas
- Increase LLM retry backoff cap to 90s
- Replace models.strix.ai footer with strix.ai

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-22 22:08:20 -07:00
0xallam a2f1aae5ed chore: update default model to gpt-5.4 and remove Strix Router from docs
- Change default model from gpt-5 to gpt-5.4 across docs, tests, and examples
- Remove Strix Router references from docs, quickstart, overview, and README
- Delete models.mdx (Strix Router page) and its nav entry
- Simplify install script to suggest openai/ prefix directly
- Keep strix/ model routing support intact in code

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-22 22:08:20 -07:00
0xallam c9d2477144 fix: address review feedback on tool registration gating 2026-03-19 23:50:57 -07:00
0xallam 8765b1895c refactor: move tool availability checks into registration 2026-03-19 23:50:57 -07:00
Ahmed Allam 31d8a09c95 Guard TUI chat rendering against invalid Rich spans (#375) 2026-03-19 22:28:42 -07:00
Ahmed Allam 9a0bc5e491 fix: prevent ScreenStackError when stopping agent from modal (#374) 2026-03-19 20:39:05 -07:00
alex s 86341597c1 feat: add skills for specific tools (#366)
Co-authored-by: 0xallam <ahmed39652003@gmail.com>
2026-03-19 16:47:29 -07:00
0xallam 1404864097 feat: add interactive mode for agent loop
Re-architects the agent loop to support interactive (chat-like) mode
where text-only responses pause execution and wait for user input,
while tool-call responses continue looping autonomously.

- Add `interactive` flag to LLMConfig (default False, no regression)
- Add configurable `waiting_timeout` to AgentState (0 = disabled)
- _process_iteration returns None for text-only → agent_loop pauses
- Conditional system prompt: interactive allows natural text responses
- Skip <meta>Continue the task.</meta> injection in interactive mode
- Sub-agents inherit interactive from parent (300s auto-resume timeout)
- Root interactive agents wait indefinitely for user input (timeout=0)
- TUI sets interactive=True; CLI unchanged (non_interactive=True)
2026-03-14 11:57:58 -07:00
0xallam 7dde988efc fix: web_search tool not loading when API key is in config file
The perplexity API key check in strix/tools/__init__.py used
Config.get() which only checks os.environ. At import time, the
config file (~/.strix/cli-config.json) hasn't been applied to
env vars yet, so the check always returned False.

Replace with _has_perplexity_api() that checks os.environ first
(fast path for SaaS/env var), then falls back to Config.load()
which reads the config file directly.
2026-03-14 11:48:45 -07:00
Ahmed Allam f71e34dd0f Update web search model name to 'sonar-reasoning-pro' 2026-03-11 14:20:04 -07:00
alex s a60cb4b66c Add OpenTelemetry observability with local JSONL traces (#347)
Co-authored-by: 0xallam <ahmed39652003@gmail.com>
2026-03-09 01:11:24 -07:00
Ms6RB 672a668ecf feat(skills): add NestJS security testing module (#348) 2026-03-08 09:45:08 -07:00
octovimmer 3e8a5c64bb chore: remove references of codex models 2026-03-02 15:29:29 -08:00
0xallam d84d72d986 feat: Expose Caido proxy port to host for human-in-the-loop interaction
Users can now access the Caido web UI from their browser to inspect traffic,
replay requests, and perform manual testing alongside the automated scan.

- Map Caido port (48080) to a random host port in DockerRuntime
- Add caido_port to SandboxInfo and track across container lifecycle
- Display Caido URL in TUI sidebar stats panel with selectable text
- Bind Caido to 0.0.0.0 in entrypoint (requires image rebuild)
- Bump sandbox image to 0.1.12
- Restore discord link in exit screen
2026-02-23 18:37:25 -08:00
0xallam 00c571b2ca fix: Lower sidebar min width from 140 to 120 for smaller terminals 2026-02-22 09:28:52 -08:00
0xallam 522c010f6f fix: Update end screen to display models.strix.ai instead of strix.ai and discord 2026-02-22 09:03:56 -08:00
0xallam 7fb4b63b96 fix: Change default model from claude-sonnet-4-6 to gpt-5 across docs and code 2026-02-20 10:35:58 -08:00
0xallam 027cea2f25 fix: Handle stray quotes in tag names and enforce parameter tags in prompt 2026-02-20 08:29:01 -08:00
0xallam b9dcf7f63d fix: Address code review feedback on tool format normalization 2026-02-20 08:29:01 -08:00
0xallam e09b5b42c1 fix: Prevent assistant-message prefill rejected by Claude 4.6 2026-02-20 08:29:01 -08:00
0xallam e7970de6d2 fix: Handle single-quoted and whitespace-padded tool call tags 2026-02-20 08:29:01 -08:00
0xallam 7614fcc512 fix: Strip quotes from parameter/function names in tool calls 2026-02-20 08:29:01 -08:00
0xallam f4d522164d feat: Normalize alternative tool call formats (invoke/function_calls) 2026-02-20 08:29:01 -08:00
0xallam bf8020fafb fix: Strip custom_llm_provider before cost lookup for proxied models 2026-02-20 06:52:27 -08:00
0xallam 3b3576b024 refactor: Centralize strix model resolution with separate API and capability names
- Replace fragile prefix matching with explicit STRIX_MODEL_MAP
- Add resolve_strix_model() returning (api_model, canonical_model)
- api_model (openai/ prefix) for API calls to OpenAI-compatible Strix API
- canonical_model (actual provider name) for litellm capability lookups
- Centralize resolution in LLMConfig instead of scattered call sites
2026-02-20 04:40:04 -08:00
octovimmer d2c99ea4df resolve: merge conflict resolution, llm api base resolution 2026-02-19 17:37:00 -08:00
octovimmer 06ae3d3860 fix: linting errors 2026-02-19 17:25:10 -08:00
octovimmer e38f523a45 Strix LLM Documentation and Config Changes (#315)
* feat: add to readme new keys

* feat: shoutout strix models, docs

* fix: mypy error

* fix: base api

* docs: update quickstart and models

* fixes: changes to docs

uniform api_key variable naming

* test: git commit hook

* nevermind it was nothing

* docs: Update default model to claude-sonnet-4.6 and improve Strix Router docs

- Replace gpt-5 and opus-4.6 defaults with claude-sonnet-4.6 across all docs and code
- Rewrite Strix Router (models.mdx) page with clearer structure and messaging
- Add Strix Router as recommended option in overview.mdx and quickstart prerequisites
- Update stale Claude 4.5 references to 4.6 in anthropic.mdx, openrouter.mdx, bug_report.md
- Fix install.sh links to point to models.strix.ai and correct docs URLs
- Update error message examples in main.py to use claude-sonnet-4-6

---------

Co-authored-by: 0xallam <ahmed39652003@gmail.com>
2026-02-20 01:43:18 +04:00
0xallam 30550dd189 fix: Add rule against duplicating changes across code_locations 2026-02-17 14:59:13 -08:00
0xallam 154040f9fb fix: Improve code_locations schema for accurate block-level fixes and multi-part suggestions
Rewrote the code_locations parameter description to make fix_before/fix_after
semantics explicit: they are literal block-level replacements mapped directly
to GitHub/GitLab PR suggestion blocks. Added guidance for multi-part fixes
(separate locations for non-contiguous changes like imports + code), common
mistakes to avoid, and updated all examples to demonstrate multi-line ranges.
2026-02-17 14:17:33 -08:00
TaeBbong 365d51f52f fix: Add explicit UTF-8 encoding to read_text() calls
- Specify encoding="utf-8" in registry.py _load_xml_schema()
- Specify encoding="utf-8" in skills/__init__.py load_skills()
- Prevents cp949/shift_jis/cp1252 decoding errors on non-English Windows
2026-02-15 17:41:10 -08:00
0xallam 305ae2f699 fix: Remove indentation prefix from diff code block markers for syntax highlighting 2026-02-15 17:25:59 -08:00
0xallam d6e9b3b7cf feat: Redesign vulnerability reporting with nested XML code locations and CVSS
Replace 12 flat parameters (code_file, code_before, code_after, code_diff,
and 8 CVSS fields) with structured nested XML fields: code_locations with
co-located fix_before/fix_after per location, cvss_breakdown, and cwe.

This enables multi-file vulnerability locations, per-location fixes with
precise line numbers, data flow representation (source/sink), CWE
classification, and compatibility with GitHub/GitLab PR review APIs.
2026-02-15 17:25:59 -08:00
0xallam 40cb705494 fix: Skip clipboard copy for whitespace-only selections 2026-02-07 11:04:31 -08:00
0xallam e0b750dbcd feat: Add mouse text selection auto-copy to clipboard in TUI
Enable native text selection across tool components and agent messages
with automatic clipboard copy, toast notification, and decorative icon
stripping. Replace Padding wrappers with Text to support selection
across multiple renderables.
2026-02-07 11:04:31 -08:00
0xallam 0a63ffba63 fix: Polish finish_scan report schema descriptions and examples
Improve the finish_scan tool schema to produce more professional
pentest reports: expand parameter descriptions with structural
guidance, rewrite recommendations example with proper urgency tiers
instead of Priority 0/1/2, fix duplicated section titles, and clean
up informal language.
2026-02-04 13:30:24 -08:00
0xallam 5a76fab4ae fix: Replace hardcoded git host detection with HTTP protocol probe
Remove hardcoded github.com/gitlab.com/bitbucket.org host lists from
infer_target_type. Instead, detect git repositories on any host by
querying the standard /info/refs?service=git-upload-pack endpoint.

Works for any self-hosted git instance.
2026-01-31 23:24:59 -08:00
0xallam c2fbf81f1d fix(llm): Pass API key and base URL to memory compressor litellm calls
The memory compressor was calling litellm.completion() without passing
the api_key and api_base parameters, causing authentication errors when
LLM_API_KEY is set but provider-specific env vars (OPENAI_API_KEY, etc.)
are not. This matches the pattern used in dedupe.py.
2026-01-28 01:29:33 -08:00
0xallam 6da639ce58 chore: unify token stats color scheme 2026-01-22 11:37:21 -08:00
0xallam a97836c335 chore: improve stats panel layout 2026-01-22 11:17:32 -08:00