72d932f6c4
Three top-level files that didn't earn their place: - ``strix/io/scan_artifacts.py`` had a single consumer (the Tracer); collapsing it into ``strix/telemetry/`` puts it next to that consumer. ``strix/io/`` is gone. - ``strix/run_config_factory.py`` held two helpers that didn't earn the factoring. ``make_agent_context`` was a 17-line dict-spelling function whose argument names were identical to its dict keys — replaced with inline dict literals at the two call sites. ``make_run_config`` had enough RunConfig assembly logic to justify a helper, but with only two callers (root scan + ``create_agent``) inlining is cleaner than keeping a top-level file. ``DEFAULT_RETRY`` moves to ``strix/llm/retry.py`` next to its other LLM-policy peers; the dead ``STRIX_DEFAULT_MAX_TURNS`` constant is dropped. - ``strix/entry.py`` is a misnomer — it isn't *the* entry point (that's ``strix/interface/main.py`` for the CLI), it's the per-scan bring-up driver: build the bus, bring up the sandbox, build the root agent + child factory, format the scope-context block, register root in bus, open SQLiteSession, hand off to ``run_with_continuation``. That all lives next to its peers in ``strix/orchestration/`` now, renamed to ``scan.py`` so the role is obvious. No behavior change. Net -125 LoC. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
227 lines
6.9 KiB
Python
227 lines
6.9 KiB
Python
import atexit
|
|
import contextlib
|
|
import os
|
|
import signal
|
|
import sys
|
|
import threading
|
|
import time
|
|
from pathlib import Path
|
|
from typing import Any
|
|
|
|
from rich.console import Console
|
|
from rich.live import Live
|
|
from rich.panel import Panel
|
|
from rich.text import Text
|
|
|
|
from strix.config import load_settings
|
|
from strix.orchestration.scan import run_strix_scan
|
|
from strix.runtime import session_manager
|
|
from strix.telemetry.tracer import Tracer, set_global_tracer
|
|
|
|
from .utils import (
|
|
build_live_stats_text,
|
|
format_vulnerability_report,
|
|
)
|
|
|
|
|
|
def _resolve_sandbox_image() -> str:
|
|
image = load_settings().runtime.image
|
|
if not image:
|
|
raise RuntimeError(
|
|
"strix_image is not configured. Set it in ~/.strix/cli-config.json.",
|
|
)
|
|
return image
|
|
|
|
|
|
def _resolve_sources_path(args: Any) -> Path:
|
|
"""Pick the host directory to mount into ``/workspace/sources``.
|
|
|
|
- With ``--local-sources``, mount the parent of the first source so
|
|
the agent can walk down into the actual tree.
|
|
- Otherwise, a per-run scratch dir under ``$XDG_CACHE_HOME/strix``.
|
|
"""
|
|
local_sources: list[dict[str, str]] | None = getattr(args, "local_sources", None)
|
|
if local_sources:
|
|
first = local_sources[0]
|
|
host_path = first.get("host_path") or first.get("source_path") or first.get("path")
|
|
if host_path:
|
|
return Path(host_path).expanduser().resolve().parent
|
|
|
|
cache_root = os.environ.get("XDG_CACHE_HOME") or str(Path.home() / ".cache")
|
|
sources = Path(cache_root) / "strix" / "sources" / str(args.run_name)
|
|
sources.mkdir(parents=True, exist_ok=True)
|
|
return sources
|
|
|
|
|
|
async def run_cli(args: Any) -> None: # noqa: PLR0915
|
|
console = Console()
|
|
|
|
start_text = Text()
|
|
start_text.append("Penetration test initiated", style="bold #22c55e")
|
|
|
|
target_text = Text()
|
|
target_text.append("Target", style="dim")
|
|
target_text.append(" ")
|
|
if len(args.targets_info) == 1:
|
|
target_text.append(args.targets_info[0]["original"], style="bold white")
|
|
else:
|
|
target_text.append(f"{len(args.targets_info)} targets", style="bold white")
|
|
for target_info in args.targets_info:
|
|
target_text.append("\n ")
|
|
target_text.append(target_info["original"], style="white")
|
|
|
|
results_text = Text()
|
|
results_text.append("Output", style="dim")
|
|
results_text.append(" ")
|
|
results_text.append(f"strix_runs/{args.run_name}", style="#60a5fa")
|
|
|
|
note_text = Text()
|
|
note_text.append("\n\n", style="dim")
|
|
note_text.append("Vulnerabilities will be displayed in real-time.", style="dim")
|
|
|
|
startup_panel = Panel(
|
|
Text.assemble(
|
|
start_text,
|
|
"\n\n",
|
|
target_text,
|
|
"\n",
|
|
results_text,
|
|
note_text,
|
|
),
|
|
title="[bold white]STRIX",
|
|
title_align="left",
|
|
border_style="#22c55e",
|
|
padding=(1, 2),
|
|
)
|
|
|
|
console.print("\n")
|
|
console.print(startup_panel)
|
|
console.print()
|
|
|
|
scan_mode = getattr(args, "scan_mode", "deep")
|
|
|
|
scan_config: dict[str, Any] = {
|
|
"scan_id": args.run_name,
|
|
"targets": args.targets_info,
|
|
"user_instructions": args.instruction or "",
|
|
"run_name": args.run_name,
|
|
"diff_scope": getattr(args, "diff_scope", {"active": False}),
|
|
"scan_mode": scan_mode,
|
|
}
|
|
|
|
tracer = Tracer(args.run_name)
|
|
tracer.set_scan_config(scan_config)
|
|
|
|
def display_vulnerability(report: dict[str, Any]) -> None:
|
|
report_id = report.get("id", "unknown")
|
|
|
|
vuln_text = format_vulnerability_report(report)
|
|
|
|
vuln_panel = Panel(
|
|
vuln_text,
|
|
title=f"[bold red]{report_id.upper()}",
|
|
title_align="left",
|
|
border_style="red",
|
|
padding=(1, 2),
|
|
)
|
|
|
|
console.print(vuln_panel)
|
|
console.print()
|
|
|
|
tracer.vulnerability_found_callback = display_vulnerability
|
|
|
|
def cleanup_on_exit() -> None:
|
|
tracer.cleanup()
|
|
|
|
def signal_handler(_signum: int, _frame: Any) -> None:
|
|
tracer.cleanup()
|
|
sys.exit(1)
|
|
|
|
atexit.register(cleanup_on_exit)
|
|
signal.signal(signal.SIGINT, signal_handler)
|
|
signal.signal(signal.SIGTERM, signal_handler)
|
|
if hasattr(signal, "SIGHUP"):
|
|
signal.signal(signal.SIGHUP, signal_handler)
|
|
|
|
set_global_tracer(tracer)
|
|
|
|
def create_live_status() -> Panel:
|
|
status_text = Text()
|
|
status_text.append("Penetration test in progress", style="bold #22c55e")
|
|
status_text.append("\n\n")
|
|
|
|
stats_text = build_live_stats_text(tracer)
|
|
if stats_text:
|
|
status_text.append(stats_text)
|
|
|
|
return Panel(
|
|
status_text,
|
|
title="[bold white]STRIX",
|
|
title_align="left",
|
|
border_style="#22c55e",
|
|
padding=(1, 2),
|
|
)
|
|
|
|
try:
|
|
console.print()
|
|
|
|
with Live(
|
|
create_live_status(), console=console, refresh_per_second=2, transient=False
|
|
) as live:
|
|
stop_updates = threading.Event()
|
|
|
|
def update_status() -> None:
|
|
while not stop_updates.is_set():
|
|
try:
|
|
live.update(create_live_status())
|
|
time.sleep(2)
|
|
except Exception:
|
|
break
|
|
|
|
update_thread = threading.Thread(target=update_status, daemon=True)
|
|
update_thread.start()
|
|
|
|
try:
|
|
await run_strix_scan(
|
|
scan_config=scan_config,
|
|
scan_id=args.run_name,
|
|
image=_resolve_sandbox_image(),
|
|
sources_path=_resolve_sources_path(args),
|
|
tracer=tracer,
|
|
interactive=bool(getattr(args, "interactive", False)),
|
|
)
|
|
finally:
|
|
stop_updates.set()
|
|
update_thread.join(timeout=1)
|
|
# Best-effort: tear down the sandbox session even if the
|
|
# run raised. ``run_strix_scan`` already does this in its
|
|
# own ``finally``, but call here too in case the failure
|
|
# was during early setup.
|
|
with contextlib.suppress(Exception):
|
|
await session_manager.cleanup(args.run_name)
|
|
|
|
except Exception as e:
|
|
console.print(f"[bold red]Error during penetration test:[/] {e}")
|
|
raise
|
|
|
|
if tracer.final_scan_result:
|
|
console.print()
|
|
|
|
final_report_text = Text()
|
|
final_report_text.append("Penetration test summary", style="bold #60a5fa")
|
|
|
|
final_report_panel = Panel(
|
|
Text.assemble(
|
|
final_report_text,
|
|
"\n\n",
|
|
tracer.final_scan_result,
|
|
),
|
|
title="[bold white]STRIX",
|
|
title_align="left",
|
|
border_style="#60a5fa",
|
|
padding=(1, 2),
|
|
)
|
|
|
|
console.print(final_report_panel)
|
|
console.print()
|