# Strix AI Security Testing Agent

## Overview
Strix v1.0.4 — autonomous AI penetration testing agents that find and validate vulnerabilities with proof-of-concept exploits. Multi-agent orchestration in a Docker sandbox.

## Installation
```bash
pipx install strix-agent      # Recommended (avoids curl|bash)
# Alternative (will auto-update on later revisions):
# curl -sSL https://strix.ai/install | bash
```

**Requirements:** Python ≥ 3.12, Docker running, LLM API key.

## Configuration (DeepSeek — Ray's setup)
Written to `~/.strix/cli-config.json`:
```json
{
  "env": {
    "STRIX_LLM": "openai/deepseek-v4-flash",
    "LLM_API_KEY": "sk-...",
    "LLM_API_BASE": "https://api.deepseek.com/v1",
    "STRIX_REASONING_EFFORT": "high",
    "STRIX_TELEMETRY": "0",
    "STRIX_SANDBOX_EXECUTION_TIMEOUT": "300",
    "STRIX_MEMORY_COMPRESSOR_TIMEOUT": "60"
  }
}
```

Config auto-saves after first run. Can also set via env vars.

## Local model wrappers (llama-swap :9292)

Created at `~/.strix/`:

| Script | Model | Reasoning | Use case |
|--------|-------|-----------|----------|
| `strix-local` | `qwen36-35b-mtp` | medium | Existing default (max 230K context) |
| `strix-local-ornith` | `ornith-35b-q6-mtp` | medium | **Daily driver** — best quality/speed balance |
| `strix-local-qwythos` | `qwythos-9b-mtp-q6` | low | **Fast lane** — quick fixes, small tasks, fast iteration |

Each wrapper sets `STRIX_LLM`, `LLM_API_BASE=http://127.0.0.1:9292/v1`, and `STRIX_TELEMETRY=0` then `exec strix "$@"`.

## Docker sandbox

- Image: `ghcr.io/usestrix/strix-sandbox:1.0.0` (~7.4GB)
- Auto-pulled on first `strix` run
- Results saved to `strix_runs/<run-name>/` (contains `run.json`, `strix.log`, `.state/`)
- Sandbox uses `--mount` for large repos (avoids copying)

### Docker sandbox crash — no-new-privileges fix

**Symptom:** Container exits ~3 seconds after start with exit code 1. `docker logs` shows:
```
sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.
```

**Root cause:** The Docker daemon has `"no-new-privileges": true` in `/etc/docker/daemon.json`. The sandbox image's entrypoint uses `sudo` to configure system-wide proxy settings. `sudo` refuses when no-new-privileges is set, the entrypoint exits, and the container dies.

**Fix:** Patch Strix's `docker_client.py` to add `--security-opt no-new-privileges:false` per-container. At `/home/rurouni/.local/share/pipx/venvs/strix-agent/lib/python3.13/site-packages/strix/runtime/docker_client.py`, in `_create_container()`, before the `cap_add` assignment:
```python
# Daemon-level no-new-privileges (e.g. from /etc/docker/daemon.json)
# breaks the sandbox image's entrypoint, which runs sudo for
# proxy configuration.  Override per-container so sudo works.
security_opt = create_kwargs.setdefault("security_opt", [])
if "no-new-privileges" not in str(security_opt):
    security_opt.append("no-new-privileges:false")
```

After applying, container stays alive and proxy config succeeds:
```
✅ System-wide proxy configuration complete
Adding CA to browser trust store...
✅ CA added to browser trust store
✅ Container ready
```

## Caido integration — harmless noise

Strix bundles Caido twice:
- **Sandbox sidecar** (inside Docker, port 48080) — proxies all HTTP traffic automatically. Works without host-side dependency.
- **Host SDK tools** (`strix/tools/proxy/tools.py`) — agent tools (list_requests, scope_rules, etc.) that connect to the sandbox's Caido via a dynamically mapped Docker port.

The host tools log errors like `Cannot connect to host 127.0.0.1:1024` when called **before** the sandbox is fully up and `caido_client` is injected into context. These are harmless init-time noise — the scan continues normally. No config flag to disable them exists in v1.0.4.
strix --target https://github.com/org/repo    # GitHub repo
strix --target https://your-app.com            # Live web app (black-box)
```

### Local model (llama-swap :9292 — private scanning)
```bash
~/.strix/strix-local --target ./app
```

The `strix-local` wrapper sets:
- `STRIX_LLM=openai/qwen36-35b-mtp`
- `LLM_API_BASE=http://127.0.0.1:9292/v1`
- `STRIX_REASONING_EFFORT=medium` (local models are slower)

### Common flags
| Flag | Purpose |
|------|---------|
| `-n` / `--non-interactive` | Headless mode (exits with non-zero on findings) |
| `-m quick\|standard\|deep` | Scan depth (default: deep) |
| `--instruction "..."` | Focus on specific vuln types (IDOR, XSS, auth) |
| `--config /path/to/config.json` | Custom config file |
| `--resume <run-name>` | Resume interrupted scan |
| `--scope-mode auto\|diff\|full` | Scope: diff for CI PRs, full for complete |

### CI/CD integration
```yaml
- name: Strix security scan
  run: strix -n -t ./ --scan-mode quick
```

## Docker sandbox
- Image: `ghcr.io/usestrix/strix-sandbox:1.0.0` (~2GB)
- Auto-pulled on first `strix` run
- Results saved to `strix_runs/<run-name>/events.jsonl`
- Sandbox uses `--mount` for large repos (avoids copying)

## Recommended models (by provider)
| Provider | Model ID (LiteLLM format) | Notes |
|----------|--------------------------|-------|
| DeepSeek | `openai/deepseek-v4-flash` | Fast, cheap, good reasoning |
| OpenAI | `openai/gpt-5.4` | Best results per docs |
| Anthropic | `anthropic/claude-sonnet-4-6` | Second best |
| Local | `openai/<model-id>` | Needs `LLM_API_BASE` set |

## Pitfalls
- **Docker must be running** — Strix won't start without it
- **First run pulls sandbox image** — can take 2-5 minutes on slow connections
- **Telemetry on by default** — set `STRIX_TELEMETRY=0` or `"0"` in config
- **No built-in auth for web targets** — pass credentials via `--instruction`
- **Only test apps you own or have permission to test**
- **Budget tracking** — use `--max-budget-usd` flag in newer versions to cap LLM costs
