0xallam 5fd2a64562 fix(persistence): close all 9 gaps from the resume audit
Three critical correctness fixes + six TUI/audit/UX fixes from the
parallel-agent audit. All changes verified by an end-to-end smoke
that builds, persists, and re-hydrates state across two simulated
process boundaries.

Critical (resume integrity):

1. ``bus.cancel_descendants_graceful`` now calls ``_maybe_snapshot``
   after mutating the ``stopping`` set. Previously, a process crash
   between user-initiated graceful-stop and the next finalize lost
   the stop signal — respawned agents would run forever instead of
   exiting. ``_respawn_subagents`` also gains a guard that skips
   agents in ``stopping`` so a previously-cancelled agent is not
   resurrected on resume.

2. ``Tracer.hydrate_from_run_dir`` now **raises** on corrupt
   ``vulnerabilities.json`` instead of swallowing the exception. The
   prior behaviour silently reset ``vulnerability_reports`` to empty,
   so the next ``add_vulnerability_report`` would allocate ``vuln-0001``
   and overwrite the prior MD on disk — silent data loss.

3. ``--instruction`` passed on resume now reaches the model. The CLI
   captures whether the user explicitly passed an instruction
   (``args.user_explicit_instruction``) before ``_load_resume_state``
   loads the persisted one. ``run_strix_scan`` reads
   ``scan_config["resume_instruction"]`` and, on resume, sends the
   new instruction to root's bus inbox before calling
   ``run_with_continuation`` (which uses ``initial_input=[]`` for SDK
   replay). The inject filter surfaces it on the next turn.

4. ``--resume X`` errors loudly when ``scan_state.json`` exists but
   ``bus.json`` doesn't. Previously this silently fresh-started in
   the same dir, confusing the user who explicitly asked to resume.

TUI / audit / UX:

5. ``Tracer.hydrate_from_run_dir`` now reads ``bus.json`` too and
   pre-populates ``tracer.agents`` from the snapshot's ``statuses`` /
   ``names`` / ``parent_of``. Before this, the TUI tree on resume
   showed only currently-running agents; completed/crashed children
   from the prior run were invisible.

6. ``Tracer.hydrate_from_run_dir`` also seeds ``self._llm_stats`` from
   ``bus.stats_live + bus.stats_completed`` so the resume's footer
   shows cumulative tokens / requests across the prior run plus the
   resume segment, instead of resetting to zero.

7. ``Tracer.save_run_data`` now also writes ``run_metadata.json``
   (start_time, run_id, run_name, targets, status), and
   ``hydrate_from_run_dir`` restores ``start_time`` from it. Prior
   behaviour reset start_time to ``now()`` on every Tracer init,
   breaking the final report's duration calc on resumed scans.

8. Per-agent todos persist to ``{run_dir}/todos.json`` (atomic write
   on every CRUD). ``hydrate_todos_from_disk`` (called from
   ``run_strix_scan``) reloads them so respawned subagents find
   their lists intact. Previously, the module-level
   ``_todos_storage`` was lost on every process restart.

9. ``_load_resume_state`` validates each ``cloned_repo_path`` from
   the persisted ``scan_state.json`` still exists on disk. Previously
   a deleted clone dir would let the resume proceed with an empty
   source tree, with agents silently scanning nothing.

Bonus: ``bus.finalize`` no longer pops ``parent_of`` and ``names``
for finalized agents. Routing protection (don't accept ``send`` to
finalized agents) comes from the ``statuses[id]`` terminal-state
check in ``send`` itself, so dropping those keys was overzealous and
made completed children invisible in ``view_agent_graph`` and the
TUI tree.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 00:57:52 -07:00
2025-08-08 20:36:44 -07:00

Strix Banner

Strix

Open-source AI hackers to find and fix your apps vulnerabilities.


Docs Website

Ask DeepWiki GitHub Stars License PyPI Version

Join Discord Follow on X

usestrix/strix | Trendshift

Tip

New! Strix integrates seamlessly with GitHub Actions and CI/CD pipelines. Automatically scan for vulnerabilities on every pull request and block insecure code before it reaches production - Get started with no setup required.


Strix Overview

Strix are autonomous AI agents that act just like real hackers - they run your code dynamically, find vulnerabilities, and validate them through actual proof-of-concepts. Built for developers and security teams who need fast, accurate security testing without the overhead of manual pentesting or the false positives of static analysis tools.

Key Capabilities:

  • Full hacker toolkit out of the box
  • Teams of agents that collaborate and scale
  • Real validation with PoCs, not false positives
  • Developerfirst CLI with actionable reports
  • Autofix & reporting to accelerate remediation

Use Cases

  • Application Security Testing - Detect and validate critical vulnerabilities in your applications
  • Rapid Penetration Testing - Get penetration tests done in hours, not weeks, with compliance reports
  • Bug Bounty Automation - Automate bug bounty research and generate PoCs for faster reporting
  • CI/CD Integration - Run tests in CI/CD to block vulnerabilities before reaching production

🚀 Quick Start

Prerequisites:

  • Docker (running)
  • An LLM API key from any supported provider (OpenAI, Anthropic, Google, etc.)

Installation & First Scan

# Install Strix
curl -sSL https://strix.ai/install | bash

# Configure your AI provider
export STRIX_LLM="openai/gpt-5.4"
export LLM_API_KEY="your-api-key"

# Run your first security assessment
strix --target ./app-directory

Note

First run automatically pulls the sandbox Docker image. Results are saved to strix_runs/<run-name>


☁️ Strix Platform

Try the Strix full-stack security platform at app.strix.ai — sign up for free, connect your repos and domains, and launch a pentest in minutes.

  • Validated findings with PoCs and reproduction steps
  • One-click autofix as ready-to-merge pull requests
  • Continuous monitoring across code, cloud, and infrastructure
  • Integrations with GitHub, Slack, Jira, Linear, and CI/CD pipelines
  • Continuous learning that builds on past findings and remediations

Start your first pentest →


Features

Agentic Security Tools

Strix agents come equipped with a comprehensive security testing toolkit:

  • Full HTTP Proxy - Full request/response manipulation and analysis
  • Browser Automation - Multi-tab browser for testing of XSS, CSRF, auth flows
  • Terminal Environments - Interactive shells for command execution and testing
  • Python Runtime - Custom exploit development and validation
  • Reconnaissance - Automated OSINT and attack surface mapping
  • Code Analysis - Static and dynamic analysis capabilities
  • Knowledge Management - Structured findings and attack documentation

Comprehensive Vulnerability Detection

Strix can identify and validate a wide range of security vulnerabilities:

  • Access Control - IDOR, privilege escalation, auth bypass
  • Injection Attacks - SQL, NoSQL, command injection
  • Server-Side - SSRF, XXE, deserialization flaws
  • Client-Side - XSS, prototype pollution, DOM vulnerabilities
  • Business Logic - Race conditions, workflow manipulation
  • Authentication - JWT vulnerabilities, session management
  • Infrastructure - Misconfigurations, exposed services

Graph of Agents

Advanced multi-agent orchestration for comprehensive security testing:

  • Distributed Workflows - Specialized agents for different attacks and assets
  • Scalable Testing - Parallel execution for fast comprehensive coverage
  • Dynamic Coordination - Agents collaborate and share discoveries

Usage Examples

Basic Usage

# Scan a local codebase
strix --target ./app-directory

# Security review of a GitHub repository
strix --target https://github.com/org/repo

# Black-box web application assessment
strix --target https://your-app.com

Advanced Testing Scenarios

# Grey-box authenticated testing
strix --target https://your-app.com --instruction "Perform authenticated testing using credentials: user:pass"

# Multi-target testing (source code + deployed app)
strix -t https://github.com/org/app -t https://your-app.com

# White-box source-aware scan (local repository)
strix --target ./app-directory --scan-mode standard

# Focused testing with custom instructions
strix --target api.your-app.com --instruction "Focus on business logic flaws and IDOR vulnerabilities"

# Provide detailed instructions through file (e.g., rules of engagement, scope, exclusions)
strix --target api.your-app.com --instruction-file ./instruction.md

# Force PR diff-scope against a specific base branch
strix -n --target ./ --scan-mode quick --scope-mode diff --diff-base origin/main

Headless Mode

Run Strix programmatically without interactive UI using the -n/--non-interactive flag—perfect for servers and automated jobs. The CLI prints real-time vulnerability findings, and the final report before exiting. Exits with non-zero code when vulnerabilities are found.

strix -n --target https://your-app.com

CI/CD (GitHub Actions)

Strix can be added to your pipeline to run a security test on pull requests with a lightweight GitHub Actions workflow:

name: strix-penetration-test

on:
  pull_request:

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Install Strix
        run: curl -sSL https://strix.ai/install | bash

      - name: Run Strix
        env:
          STRIX_LLM: ${{ secrets.STRIX_LLM }}
          LLM_API_KEY: ${{ secrets.LLM_API_KEY }}

        run: strix -n -t ./ --scan-mode quick

Tip

In CI pull request runs, Strix automatically scopes quick reviews to changed files. If diff-scope cannot resolve, ensure checkout uses full history (fetch-depth: 0) or pass --diff-base explicitly.

Configuration

export STRIX_LLM="openai/gpt-5.4"
export LLM_API_KEY="your-api-key"

# Optional
export LLM_API_BASE="your-api-base-url"  # if using a local model, e.g. Ollama, LMStudio
export PERPLEXITY_API_KEY="your-api-key"  # for search capabilities
export STRIX_REASONING_EFFORT="high"  # control thinking effort (default: high, quick scan: medium)

Note

Strix automatically saves your configuration to ~/.strix/cli-config.json, so you don't have to re-enter it on every run.

Recommended models for best results:

See the LLM Providers documentation for all supported providers including Vertex AI, Bedrock, Azure, and local models.

Enterprise

Get the same Strix experience with enterprise-grade controls: SSO (SAML/OIDC), custom compliance reports, dedicated support & SLA, custom deployment options (VPC/self-hosted), BYOK model support, and tailored agents optimized for your environment. Learn more.

Documentation

Full documentation is available at docs.strix.ai — including detailed guides for usage, CI/CD integrations, skills, and advanced configuration.

Contributing

We welcome contributions of code, docs, and new skills - check out our Contributing Guide to get started or open a pull request/issue.

Join Our Community

Have questions? Found a bug? Want to contribute? Join our Discord!

Support the Project

Love Strix? Give us a on GitHub!

Acknowledgements

Strix builds on the incredible work of open-source projects like LiteLLM, Caido, Nuclei, Playwright, and Textual. Huge thanks to their maintainers!

Warning

Only test apps you own or have permission to test. You are responsible for using Strix ethically and legally.

S
Description
No description provided
Readme Apache-2.0 11 MiB
Languages
Python 91.9%
Jinja 4.1%
Shell 2.5%
Dockerfile 1.2%
Makefile 0.3%