Commit Graph

363 Commits

Author SHA1 Message Date
Chethas Dileep dc395316ae Add Docker sandbox host mappings (#488)
* Add Docker sandbox host mappings

* Address docker extra hosts review feedback

* Revert README change for STRIX_SANDBOX_EXTRA_HOSTS

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: 0xallam <ahmed39652003@gmail.com>
2026-05-19 01:49:22 -07:00
n1majne3 6b9bd4d5f2 Fix MiniMax tool calling (#456)
Co-authored-by: n1majne3 <24203125+n1majne3@users.noreply.github.com>
2026-05-03 19:49:18 -07:00
Bala e1f38f8339 perf(agent): wake on state change instead of 500ms polling (#305)
Co-authored-by: 0xallam <ahmed39652003@gmail.com>
2026-05-03 19:30:41 -07:00
Jorge Moya 6942ecb33e add empty-array IDOR FP and OAST source-IP SSRF FP signals (#183) 2026-05-03 18:19:57 -07:00
Modark 8574119f4d Add SSTI and Header Injection vulnerability skills (#191) 2026-05-03 17:54:04 -07:00
0xhis 67050d9133 fix(llm): include system prompt tokens in memory compressor budget (#381)
Co-authored-by: 0xhis <0xhis@users.noreply.github.com>
2026-05-03 16:26:34 -07:00
Alex 6f17c7de17 feat: add Novita AI as LLM provider (#385)
Co-authored-by: 0xallam <ahmed39652003@gmail.com>
2026-05-03 16:23:35 -07:00
Dr Alex Mitre a75ad2960e fix: MiniMax tool call normalization and thinking block handling (#458)
Co-authored-by: 0xallam <ahmed39652003@gmail.com>
2026-05-03 16:12:37 -07:00
Sandiyo Christan 6da7315aa3 feat: add NoSQL injection skill (#404)
Co-authored-by: 0xallam <ahmed39652003@gmail.com>
2026-05-03 15:49:43 -07:00
Octopus 9fb101282f fix: --config flag now fully overrides ~/.strix/cli-config.json (#457)
* fix: --config flag now fully overrides ~/.strix/cli-config.json (fixes #377)

Previously, env vars applied from the default config at module import time
were not cleared when --config was later processed, causing settings from
~/.strix/cli-config.json to leak into runs that specified a custom config.

Track which vars were applied by the initial default-config load in
Config._applied_from_default. In apply_config_override, clear those vars
before applying the custom config so only the custom file's settings take effect.

* Add config override regression test

* Make config override test setup explicit

---------

Co-authored-by: octo-patch <octo-patch@github.com>
Co-authored-by: bearsyankees <bearsyankees@gmail.com>
2026-04-22 16:37:22 -04:00
seanturner83 60abc09ff9 fix: wrap acompletion in asyncio.wait_for to prevent indefinite hangs (#453)
* fix: wrap acompletion in asyncio.wait_for to prevent indefinite hangs

litellm's timeout parameter doesn't always propagate to the underlying
httpx transport for Bedrock converse streaming. When Bedrock accepts the
TCP connection but never starts streaming chunks, the acompletion call
hangs indefinitely with all connections in CLOSED state.

This wraps the acompletion call in asyncio.wait_for() using the
configured LLM_TIMEOUT (default 300s). TimeoutError is already retryable
via _should_retry (status_code=None), so the retry loop handles it.

Diagnosed via faulthandler thread dump showing the main asyncio event
loop blocked in selectors.select() with no pending callbacks.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add per-chunk timeout to streaming loop

Addresses review feedback: the initial asyncio.wait_for only guards the
acompletion call. If Bedrock returns headers but stalls mid-stream, the
async for loop could still hang indefinitely.

Replaces async for with explicit __anext__ calls wrapped in
asyncio.wait_for, using the same configured timeout. Mid-stream stalls
now raise TimeoutError and trigger the existing retry logic.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Sean Turner <sean.turner@zerohash.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-22 16:26:47 -04:00
Matt Van Horn 8841294d94 feat(skills): add Kubernetes security testing skill (#394)
* feat(skills): add Kubernetes security testing skill (cloud/kubernetes.md)

Add comprehensive Kubernetes cluster security testing knowledge package
covering RBAC misconfigurations, exposed APIs, container escapes,
network policy gaps, secret management issues, workload misconfigs,
and supply chain risks.

Closes #324

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix Kubernetes secret decode command

* Address Kubernetes review feedback

* Clarify cgroup escape requirements

---------

Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: bearsyankees <bearsyankees@gmail.com>
2026-04-22 14:37:19 -04:00
Timlzh 5c13348393 feat: Add NoSQL injection vulnerability guide (#168)
* feat: Add NoSQL injection vulnerability guide

This file provides a comprehensive guide on NoSQL injection vulnerabilities, detailing methodologies, injection surfaces, detection channels, and prevention strategies across various NoSQL databases.

* Address NoSQL injection review feedback

---------

Co-authored-by: bearsyankees <bearsyankees@gmail.com>
2026-04-22 13:23:14 -04:00
alex s 15c95718e6 fix: ensure LLM stats tracking is accurate by including completed subagents (#441) 2026-04-13 00:09:13 -04:00
Ahmed Allam 62e9af36d2 Add Strix GitHub Actions integration tip 2026-04-12 12:43:41 -07:00
STJ 38b2700553 feat: Migrate from Poetry to uv (#379) 2026-03-31 17:20:41 -07:00
alex s e78c931e4e feat: Better source-aware testing (#391) 2026-03-31 11:53:49 -07:00
0xallam 7d5a45deaf chore: bump version to 0.8.3 v0.8.3 2026-03-22 22:10:17 -07:00
0xallam dec2c47145 fix: use anthropic model in anthropic provider docs example 2026-03-22 22:08:20 -07:00
0xallam 4f90a5621d fix: strengthen tool-call requirement in interactive and autonomous modes
Models occasionally output text-only narration ("Planning the
assessment...") without a tool call, which halts the interactive agent
loop since the system interprets no-tool-call as "waiting for user
input." Rewrite both interactive and autonomous prompt sections to make
the tool-call requirement absolute with explicit warnings about the
system halt consequence.
2026-03-22 22:08:20 -07:00
0xallam 640bd67bc2 chore: bump sandbox image to 0.1.13
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-22 22:08:20 -07:00
0xallam 4e836377e7 refine system prompt, add scope verification, and improve tool guidance
- Rewrite system prompt: refusal avoidance, system-verified scope, thorough
  validation mandate, root agent orchestration role, recon-first guidance
- Add authorized targets injection via system_prompt_context in strix_agent
- Add set_system_prompt_context to LLM for dynamic prompt updates
- Prefer python tool over terminal for Python code in tool schemas
- Increase LLM retry backoff cap to 90s
- Replace models.strix.ai footer with strix.ai

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-22 22:08:20 -07:00
0xallam a2f1aae5ed chore: update default model to gpt-5.4 and remove Strix Router from docs
- Change default model from gpt-5 to gpt-5.4 across docs, tests, and examples
- Remove Strix Router references from docs, quickstart, overview, and README
- Delete models.mdx (Strix Router page) and its nav entry
- Simplify install script to suggest openai/ prefix directly
- Keep strix/ model routing support intact in code

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-22 22:08:20 -07:00
Ahmed Allam b6a0a949a3 Simplify tool file copying in Dockerfile
Removed specific tool files from Dockerfile and added a directory copy instead.
2026-03-22 16:01:39 -07:00
0xallam c9d2477144 fix: address review feedback on tool registration gating 2026-03-19 23:50:57 -07:00
0xallam 8765b1895c refactor: move tool availability checks into registration 2026-03-19 23:50:57 -07:00
Ahmed Allam 31d8a09c95 Guard TUI chat rendering against invalid Rich spans (#375) 2026-03-19 22:28:42 -07:00
Ahmed Allam 9a0bc5e491 fix: prevent ScreenStackError when stopping agent from modal (#374) 2026-03-19 20:39:05 -07:00
alex s 86341597c1 feat: add skills for specific tools (#366)
Co-authored-by: 0xallam <ahmed39652003@gmail.com>
2026-03-19 16:47:29 -07:00
Ahmed Allam f0f8f3d4cc Add tip about Strix integration with GitHub Actions 2026-03-17 22:14:11 -07:00
0xallam 1404864097 feat: add interactive mode for agent loop
Re-architects the agent loop to support interactive (chat-like) mode
where text-only responses pause execution and wait for user input,
while tool-call responses continue looping autonomously.

- Add `interactive` flag to LLMConfig (default False, no regression)
- Add configurable `waiting_timeout` to AgentState (0 = disabled)
- _process_iteration returns None for text-only → agent_loop pauses
- Conditional system prompt: interactive allows natural text responses
- Skip <meta>Continue the task.</meta> injection in interactive mode
- Sub-agents inherit interactive from parent (300s auto-resume timeout)
- Root interactive agents wait indefinitely for user input (timeout=0)
- TUI sets interactive=True; CLI unchanged (non_interactive=True)
2026-03-14 11:57:58 -07:00
0xallam 7dde988efc fix: web_search tool not loading when API key is in config file
The perplexity API key check in strix/tools/__init__.py used
Config.get() which only checks os.environ. At import time, the
config file (~/.strix/cli-config.json) hasn't been applied to
env vars yet, so the check always returned False.

Replace with _has_perplexity_api() that checks os.environ first
(fast path for SaaS/env var), then falls back to Config.load()
which reads the config file directly.
2026-03-14 11:48:45 -07:00
Ahmed Allam f71e34dd0f Update web search model name to 'sonar-reasoning-pro' 2026-03-11 14:20:04 -07:00
Alex f860b2f8e2 Change VERTEXAI_LOCATION from 'us-central1' to 'global'
us-central1 doesn't have access to the latest gemini models like gemini-3-flash-preview
2026-03-11 08:08:18 -07:00
alex s a60cb4b66c Add OpenTelemetry observability with local JSONL traces (#347)
Co-authored-by: 0xallam <ahmed39652003@gmail.com>
2026-03-09 01:11:24 -07:00
dependabot[bot] 048be1fe59 chore(deps): bump pypdf from 6.7.4 to 6.7.5 (#343) 2026-03-08 09:46:32 -07:00
Ms6RB 672a668ecf feat(skills): add NestJS security testing module (#348) 2026-03-08 09:45:08 -07:00
dependabot[bot] 3c6fccca74 chore(deps): bump pypdf from 6.7.2 to 6.7.4
Bumps [pypdf](https://github.com/py-pdf/pypdf) from 6.7.2 to 6.7.4.
- [Release notes](https://github.com/py-pdf/pypdf/releases)
- [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md)
- [Commits](https://github.com/py-pdf/pypdf/compare/6.7.2...6.7.4)

---
updated-dependencies:
- dependency-name: pypdf
  dependency-version: 6.7.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-02 15:34:01 -08:00
Ahmed Allam 72c3e0dd90 Update README 2026-03-03 03:33:46 +04:00
Ahmed Allam d30e1d2f66 Update models.mdx 2026-03-03 03:33:14 +04:00
octovimmer 3e8a5c64bb chore: remove references of codex models 2026-03-02 15:29:29 -08:00
octovimmer 968cb25cbf chore: remove codex models from supported models 2026-03-02 15:29:29 -08:00
dependabot[bot] 5102b641c5 chore(deps): bump pypdf from 6.7.1 to 6.7.2
Bumps [pypdf](https://github.com/py-pdf/pypdf) from 6.7.1 to 6.7.2.
- [Release notes](https://github.com/py-pdf/pypdf/releases)
- [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md)
- [Commits](https://github.com/py-pdf/pypdf/compare/6.7.1...6.7.2)

---
updated-dependencies:
- dependency-name: pypdf
  dependency-version: 6.7.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-26 14:58:52 -08:00
0xallam 30e3f13494 docs: Add Strix Platform and Enterprise sections to README 2026-02-26 14:58:28 -08:00
0xallam 5d91500564 docs: Add human-in-the-loop section to proxy documentation 2026-02-23 19:54:54 -08:00
0xallam 4384f5bff8 chore: Bump version to 0.8.2 v0.8.2 2026-02-23 18:41:06 -08:00
0xallam d84d72d986 feat: Expose Caido proxy port to host for human-in-the-loop interaction
Users can now access the Caido web UI from their browser to inspect traffic,
replay requests, and perform manual testing alongside the automated scan.

- Map Caido port (48080) to a random host port in DockerRuntime
- Add caido_port to SandboxInfo and track across container lifecycle
- Display Caido URL in TUI sidebar stats panel with selectable text
- Bind Caido to 0.0.0.0 in entrypoint (requires image rebuild)
- Bump sandbox image to 0.1.12
- Restore discord link in exit screen
2026-02-23 18:37:25 -08:00
mason5052 0ca9af3b3e docs: fix Discord badge expired invite code
The badge image URL used invite code  which is expired,
causing the badge to render 'Invalid invite' instead of the server info.
Updated to use the vanity URL  which resolves correctly.

Fixes #313
2026-02-22 20:52:03 -08:00
dependabot[bot] 939bc2a090 chore(deps): bump google-cloud-aiplatform from 1.129.0 to 1.133.0
Bumps [google-cloud-aiplatform](https://github.com/googleapis/python-aiplatform) from 1.129.0 to 1.133.0.
- [Release notes](https://github.com/googleapis/python-aiplatform/releases)
- [Changelog](https://github.com/googleapis/python-aiplatform/blob/main/CHANGELOG.md)
- [Commits](https://github.com/googleapis/python-aiplatform/compare/v1.129.0...v1.133.0)

---
updated-dependencies:
- dependency-name: google-cloud-aiplatform
  dependency-version: 1.133.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-22 20:51:29 -08:00
0xallam 00c571b2ca fix: Lower sidebar min width from 140 to 120 for smaller terminals 2026-02-22 09:28:52 -08:00