refactor: align prompts with OWASP WSTG methodology #4

Draft
0xhis wants to merge 22 commits into main from feat/wstg-prompt-alignment

@0xhis (Owner) commented Mar 21, 2026

Summary

Restructure system prompt and scan mode skills to follow OWASP Web Security Testing Guide (WSTG) phases for structured security testing methodology.

Changes

  • Reorganize system prompt with semantic XML structure
  • Map testing phases to WSTG categories (INFO, CONF, ATHN, ATHZ, INPV, BUSL, CRYP, CLNT)
  • Add explicit root-agent delegation mandate for context gathering
  • Add skill trigger mapping for subagent creation
  • Add attacker perspective verification in deep/standard modes
  • Add compliance/authorization framing for penetration testing context

Files Changed

  • strix/agents/StrixAgent/system_prompt.jinja
  • strix/skills/coordination/root_agent.md
  • strix/skills/scan_modes/deep.md
  • strix/skills/scan_modes/standard.md
  • strix/skills/scan_modes/quick.md

Split from usestrix#328.

0xallam and others added 21 commits February 26, 2026 14:58
Bumps [pypdf](https://github.com/py-pdf/pypdf) from 6.7.1 to 6.7.2.
- [Release notes](https://github.com/py-pdf/pypdf/releases)
- [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md)
- [Commits](py-pdf/pypdf@6.7.1...6.7.2)

---
updated-dependencies:
- dependency-name: pypdf
  dependency-version: 6.7.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [pypdf](https://github.com/py-pdf/pypdf) from 6.7.2 to 6.7.4.
- [Release notes](https://github.com/py-pdf/pypdf/releases)
- [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md)
- [Commits](py-pdf/pypdf@6.7.2...6.7.4)

---
updated-dependencies:
- dependency-name: pypdf
  dependency-version: 6.7.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: 0xallam <ahmed39652003@gmail.com>

us-central1 doesn't have access to the latest gemini models like gemini-3-flash-preview

The perplexity API key check in strix/tools/__init__.py used
Config.get() which only checks os.environ. At import time, the
config file (~/.strix/cli-config.json) hasn't been applied to
env vars yet, so the check always returned False.

Replace with _has_perplexity_api() that checks os.environ first
(fast path for SaaS/env var), then falls back to Config.load()
which reads the config file directly.

Re-architects the agent loop to support interactive (chat-like) mode
where text-only responses pause execution and wait for user input,
while tool-call responses continue looping autonomously.

- Add `interactive` flag to LLMConfig (default False, no regression)
- Add configurable `waiting_timeout` to AgentState (0 = disabled)
- _process_iteration returns None for text-only → agent_loop pauses
- Conditional system prompt: interactive allows natural text responses
- Skip <meta>Continue the task.</meta> injection in interactive mode
- Sub-agents inherit interactive from parent (300s auto-resume timeout)
- Root interactive agents wait indefinitely for user input (timeout=0)
- TUI sets interactive=True; CLI unchanged (non_interactive=True)
Co-authored-by: 0xallam <ahmed39652003@gmail.com>

Restructure system prompt and scan mode skills to follow OWASP Web
Security Testing Guide phases (INFO, CONF, ATHN, ATHZ, INPV, BUSL,
CRYP, CLNT). Key changes:

- Semantic XML structure for prompt sections
- Explicit root-agent delegation mandate for context gathering
- Phase 1/Phase 2 workflow with skill trigger mapping
- WSTG-aligned agent architecture in root_agent.md
- Attacker perspective verification in deep/standard modes
- Compliance/authorization framing for penetration testing context

@0xhis 0xhis force-pushed the feat/wstg-prompt-alignment branch from cbea13e to e4d824a Compare March 21, 2026 08:05