Skip to content

# feat: add an agent-native Strix skill and MCP runtime (proof of concept)#700

Open
kaddour-youcef wants to merge 2 commits into
usestrix:mainfrom
kaddour-youcef:strix_from_coding_agent
Open

# feat: add an agent-native Strix skill and MCP runtime (proof of concept)#700
kaddour-youcef wants to merge 2 commits into
usestrix:mainfrom
kaddour-youcef:strix_from_coding_agent

Conversation

@kaddour-youcef

Copy link
Copy Markdown

Status

This pull request is intentionally a skeleton and proof of concept. It demonstrates a viable architecture for running Strix through Codex, Claude Code, and other MCP-capable coding agents without giving Strix a separate model API key.

The implementation is usable for experimentation and establishes the core integration boundaries, but it should not be presented as complete production parity with the existing Strix multi-agent runtime. The limitations and follow-up work are documented explicitly below.

Summary

Closes #698.

This change adds an agent-native execution path composed of:

  • a portable strix-security skill;
  • a local strix-mcp stdio server;
  • CLI launch adapters for Codex and Claude Code;
  • model-free scan lifecycle, sandbox, proxy, knowledge, finding, and report tools;
  • packaging and installation helpers;
  • coding-agent documentation and focused tests.

In this mode, the host coding agent performs all LLM reasoning through its existing authenticated runtime. Strix does not instantiate a model or require LLM_API_KEY, OPENAI_API_KEY, or ANTHROPIC_API_KEY.

The legacy provider-backed runtime remains available through --agent legacy and remains the compatibility path for the existing OpenAI Agents SDK orchestration.

Motivation

The existing Strix runtime owns both sides of the application:

  1. security capabilities, sandboxing, traffic capture, findings, and reports;
  2. model-provider selection, credentials, model calls, sessions, and agent orchestration.

That coupling requires users to configure a model API key even when they already have an authenticated coding agent capable of planning, tool use, source analysis, and long-running engineering work.

This proof of concept tests a different boundary:

  • let Codex, Claude Code, or another coding agent own reasoning;
  • expose Strix as reusable security capabilities over MCP;
  • encode the Strix methodology and quality bar as a portable skill;
  • retain the established Strix sandbox, proxy, security knowledge, and report formats.

Goals

  • Run the normal strix --target ... workflow through an authenticated coding agent.
  • Require no additional model-provider credential in coding-agent mode.
  • Preserve existing target types, modes, instructions, diff scope, mounts, localhost behavior, sandboxing, proxy tooling, findings, and artifacts.
  • Support direct installation of the skill and MCP server without the Strix launcher.
  • Prevent hidden model calls from the MCP process, including finding deduplication.
  • Keep legacy mode available while the proof of concept is evaluated.
  • Clearly document that the new path is a skeleton and identify the work required for production readiness.

Non-goals

This PR does not attempt to:

  • replace or delete the legacy runtime;
  • recreate the full Strix AgentCoordinator over MCP;
  • provide exact TUI, agent graph, conversation resume, or usage-ledger parity;
  • support every coding agent with a built-in launcher adapter;
  • claim production readiness;
  • provide complete Docker-backed end-to-end coverage in this first iteration.

Architecture

flowchart LR
    User --> CLI[Strix CLI]
    CLI --> Launcher[Agent launcher]
    Launcher --> Host[Codex / Claude Code]
    Skill[Strix skill] --> Host
    Host <-->|MCP stdio| Server[strix-mcp]
    Server --> Knowledge[Strix knowledge]
    Server --> Sandbox[Docker sandbox]
    Sandbox --> Proxy[Caido proxy]
    Server --> Reports[ReportState and artifacts]
Loading

Ownership model

The host agent owns:

  • model inference;
  • assessment planning;
  • evidence interpretation;
  • tool selection;
  • optional native subagent coordination;
  • final report narrative generation.

The MCP server owns:

  • target normalization and scope preparation;
  • repository cloning and local source mapping;
  • Docker and Caido lifecycle;
  • sandbox command execution;
  • proxy request inspection and replay;
  • Strix knowledge retrieval;
  • vulnerability validation and persistence;
  • scan status, finish, stop, and cleanup;
  • existing output formats.

Implementation details

1. Runtime selection and launcher

strix/interface/main.py adds --agent with four modes:

  • auto: use legacy mode when STRIX_LLM is configured; otherwise select a coding agent;
  • codex: launch Codex explicitly;
  • claude: launch Claude Code explicitly;
  • legacy: force the existing provider-backed runtime.

strix/interface/agent_launcher.py:

  • detects installed agent CLIs;
  • honors STRIX_AGENT before the Codex/Claude fallback order;
  • builds the initial scan prompt;
  • injects an ephemeral stdio MCP configuration;
  • invokes interactive or non-interactive agent modes;
  • forwards Claude's budget option when applicable;
  • separates Claude's variadic --mcp-config values from the positional prompt with --.

Codex receives mcp_servers.strix.* overrides. Claude Code receives inline JSON through --mcp-config. Both launch the same python -m strix.mcp.server implementation.

2. Portable skill

skills/strix-security/SKILL.md defines the reusable host-agent workflow:

  • authorized scope is a hard boundary;
  • start one scan lifecycle;
  • load scan-mode and domain knowledge on demand;
  • execute testing through the Strix sandbox;
  • validate findings with working PoCs;
  • avoid weak or duplicate reports;
  • populate code locations for white-box findings;
  • finish or stop the scan cleanly.

references/mcp-tools.md holds the larger tool and CVSS reference so the core skill remains concise. agents/openai.yaml supplies Codex-facing metadata and declares the strix MCP dependency.

The wheel packages the skill under strix/agent_skills/strix-security, and strix-skill-path prints its installed location for Codex, Claude Code, or another agent.

3. MCP service

strix/mcp/service.py contains the model-free stateful service. It owns one scan per MCP process and reuses existing Strix modules instead of duplicating their behavior.

start_scan performs:

  • target inference and validation;
  • local target and mount deduplication;
  • remote repository cloning;
  • localhost rewriting for Docker;
  • maximum local-copy checks;
  • diff-scope resolution;
  • ReportState creation or hydration;
  • Docker sandbox and Caido startup;
  • scope/task/workspace mapping returned to the host agent.

The service then exposes execution, knowledge, proxy, finding, status, finish, stop, and cleanup operations.

4. MCP server and transport

strix/mcp/server.py registers 15 FastMCP tools:

  1. start_scan
  2. sandbox_exec
  3. list_knowledge
  4. load_knowledge
  5. list_proxy_requests
  6. view_proxy_request
  7. repeat_proxy_request
  8. list_sitemap
  9. view_sitemap_entry
  10. manage_scope
  11. create_vulnerability_report
  12. list_findings
  13. scan_status
  14. finish_scan
  15. stop_scan

The server uses MCP JSON-RPC over stdio. A small event-loop-backed stdio adapter replaces the SDK's worker-thread file wrapper because that wrapper can hang in some managed shells. FastMCP still owns tool schemas, protocol initialization, request routing, and tool invocation.

5. Model-free reporting boundary

The existing reporting tool normally performs semantic deduplication through the configured Strix model. MCP mode must not call that path.

create_finding therefore passes allow_model_dedupe=false. The reporting implementation performs deterministic exact matching over normalized title, target, endpoint, and method. The host agent is instructed to call list_findings and perform semantic review before filing.

This is a deliberate proof-of-concept compromise and should be improved without reintroducing a hidden Strix-owned model call.

6. Lightweight imports

strix/interface/__init__.py now loads the legacy CLI lazily. The MCP service imports shared target utilities, and eager CLI import previously initialized the legacy model stack during MCP startup. The lazy boundary keeps stdio startup fast and avoids unrelated provider behavior.

7. Packaging and dependencies

The project now:

  • declares the MCP Python SDK explicitly;
  • exposes strix-mcp;
  • exposes strix-skill-path;
  • includes the skill in built wheels;
  • records the dependency in uv.lock.

User experience

Existing CLI

strix --agent codex -t ./app -t https://staging.example.com
strix --agent claude -t ./app -t http://localhost:8080

When STRIX_LLM is unset, this also works:

strix -t ./app

Direct Codex installation

codex mcp add strix -- strix-mcp
mkdir -p ~/.codex/skills
cp -R "$(strix-skill-path)" ~/.codex/skills/strix-security

Direct Claude Code installation

claude mcp add --scope user strix -- strix-mcp
mkdir -p ~/.claude/skills
cp -R "$(strix-skill-path)" ~/.claude/skills/strix-security

Compatibility retained

  • Local directories, Git repositories, URLs, domains, IPs, and combined targets.
  • Quick, standard, and deep modes.
  • Inline and file-based instructions.
  • Full/auto/diff scope and explicit diff bases.
  • Large-repository read-only mounts.
  • Localhost access through host.docker.internal.
  • Existing Docker image and toolchain.
  • Agent-browser and Caido capture/replay workflow.
  • PoC, CVSS, code-location, remediation, Markdown, CSV, JSON, and SARIF artifacts.
  • Report-state resume.

Security considerations

  • The skill requires explicit authorization and treats initialized targets as the hard scope.
  • User instructions may narrow scope but may not expand it.
  • Security commands execute in the existing Docker sandbox.
  • The host agent's approval policy remains an additional control and should not be disabled casually for live targets.
  • MCP mode makes no model-provider calls from Strix.
  • Exact deduplication avoids accidentally invoking legacy semantic model dedupe.
  • Report guidance prohibits leaking internal paths, prompts, agent/tool names, and unrelated secrets into customer-facing artifacts.
  • The broad sandbox_exec capability is intentionally powerful and requires further threat modeling before production rollout.

Tests and validation

Implemented tests cover:

  • automatic, explicit, and legacy runtime selection;
  • Codex MCP command construction;
  • Claude MCP command construction and prompt separation;
  • packaged skill discovery;
  • sandbox execution preconditions and result decoding;
  • enforced model-free report creation;
  • Strix knowledge loading.

Validation performed during development:

  • complete repository test suite: 92 passed;
  • complete pre-commit suite passed, including Ruff, MyPy, Bandit, pyupgrade, and repository hygiene hooks;
  • standalone Bandit scan passed with no findings;
  • uv lock --check passed;
  • documentation navigation JSON validation passed;
  • skill structure validation passed;
  • Python compilation passed;
  • direct strict MyPy checking passed for all strix/ modules;
  • git diff --check passed;
  • real MCP initialize and tool discovery passed with all 15 tools.

make check-all does not currently complete because its final Pyright step exposes a
repository-wide strict-type baseline. In this checkout, Pyright reports unresolved or
partially unknown types across legacy agent, configuration, TUI, and tool modules. Supplying
the project virtual environment explicitly reduces dependency-resolution noise but still
leaves hundreds of existing strict errors. This PR does not hide those failures by weakening
the global Pyright policy or broadly excluding modules. The passing MyPy, Ruff, Bandit,
pre-commit, lockfile, skill, documentation, and test results above are reported separately.

The test suite does not yet contain a complete Docker-backed scan from initialization through proxy traffic, finding creation, finalization, resume, and cleanup. That is a required follow-up before calling this production-ready.

Known limitations

Runtime parity

  • No persisted host-agent conversation.
  • No Strix-managed coding-agent subagent graph.
  • No MCP equivalents for legacy agent messaging, waiting, interruption, or child lifecycle.
  • Resume restores Strix artifacts and scope, not the host agent's reasoning history.
  • No coding-agent token/cost accounting in ReportState.

UX parity

  • The coding agent replaces the Strix TUI in this mode.
  • Progress, approvals, cancellation, and final output vary by host.
  • Budget forwarding is host-specific.

Tool parity

  • sandbox_exec is synchronous and has no background handle or write_stdin equivalent.
  • Notes and todo tools are not exposed.
  • Legacy Perplexity search is not exposed.
  • Semantic dedupe is not yet equivalent to the legacy model-based judge.

Platform and operational hardening

  • Built-in launch adapters cover only Codex and Claude Code.
  • Windows and macOS require dedicated testing.
  • The MCP process owns one active scan.
  • Abrupt process termination can strand a sandbox.
  • Client-specific MCP timeout, permission, and output-limit behavior needs a compatibility matrix.
  • End-to-end security and sandbox boundary testing is incomplete.

Follow-up roadmap

  1. Define a formal runtime interface shared by legacy and MCP orchestration.
  2. Add background command sessions and stdin streaming.
  3. Persist host-agent runtime/session metadata.
  4. Define host-assisted resume semantics.
  5. Add semantic dedupe that preserves the model-free Strix boundary.
  6. Add MCP progress/log notifications and optional TUI projection.
  7. Add host-reported usage/cost ingestion where supported.
  8. Add adapters and conformance tests for more coding agents.
  9. Add full Docker-backed end-to-end tests.
  10. Threat-model MCP arguments, host permissions, sandbox escape, output poisoning, and report exfiltration.
  11. Add cleanup recovery for abandoned MCP processes and containers.
  12. Decide the long-term support and packaging strategy for legacy provider mode.

Review guidance

Suggested review order:

  1. skills/strix-security/SKILL.md for the intended host-agent workflow.
  2. strix/interface/agent_launcher.py for CLI/host integration and argument safety.
  3. strix/mcp/server.py for the public MCP schema and transport.
  4. strix/mcp/service.py for lifecycle and reuse of existing Strix components.
  5. strix/tools/reporting/tool.py for the model-free dedupe boundary.
  6. Packaging, tests, and documentation.

Reviewers should focus especially on:

  • whether any MCP path can still invoke a model provider;
  • target/scope preservation between CLI, prompt, and start_scan;
  • sandbox lifecycle and cleanup behavior;
  • whether the tool surface exposes more authority than necessary;
  • report correctness and duplicate handling;
  • launcher quoting and host-specific argument parsing;
  • proof-of-concept claims versus actual parity.

Rollback

The new path is additive. Users can immediately return to the previous runtime with:

strix --agent legacy --target <target>

At code level, rollback consists of removing the coding-agent branch and new entry points; legacy runner, agent factory, coordinator, sessions, tools, and provider configuration remain present.

Checklist

  • Portable skill added and validated.
  • MCP server and service added.
  • Codex launcher implemented.
  • Claude Code launcher implemented.
  • Claude variadic MCP-config argument boundary tested.
  • MCP mode avoids model-based dedupe.
  • Existing target and report primitives reused.
  • Wheel includes skill and executable entry points.
  • Documentation describes installation and architecture.
  • Documentation labels the implementation as a proof of concept.
  • Unit suite passes.
  • Full pre-commit suite passes.
  • Lockfile, documentation JSON, Bandit, and diff checks pass.
  • MCP initialize/list-tools handshake verified.
  • Repository-wide Pyright baseline is clean (make check-all remains blocked at this step).
  • Docker-backed end-to-end scan test added.
  • Host-session resume parity implemented.
  • Legacy agent graph parity implemented or explicitly replaced.
  • Cross-platform compatibility matrix completed.
  • Security threat model completed.
  • Production-readiness review completed.

enabling seamless integration with coding agents for enhanced functionality and automation. This commit includes new modules for agent launching, MCP installation, server management, and service handling, along with updated documentation and test cases to ensure robust performance.
@greptile-apps

greptile-apps Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR adds an agent-native Strix runtime through skills, MCP, and coding-agent launchers. The main changes are:

  • A packaged strix-security skill and MCP tool reference.
  • A strix-mcp stdio server with scan, sandbox, proxy, finding, and report tools.
  • Codex and Claude Code launch adapters behind the new --agent option.
  • Model-free finding dedupe for MCP-created reports.
  • Documentation, packaging entries, and focused tests for the new path.

Confidence Score: 4/5

The MCP proxy boundary and exact report dedupe path need fixes before merging.

  • Proxy replay can leave the initialized target scope because the service does not pass or enforce authorized targets.
  • Exact MCP dedupe can drop distinct findings when endpoint and method are absent.
  • Repository resume can fail after temp clone cleanup with poor diagnostics.

strix/mcp/service.py and strix/tools/reporting/tool.py

Security Review

The new MCP proxy path exposes replay and scope-management operations without enforcing the targets initialized by start_scan. A coding agent can drive proxy traffic outside the authorized scan scope unless the service validates destinations or configures a default-deny scope.

Important Files Changed

Filename Overview
strix/mcp/service.py Adds the MCP scan lifecycle, sandbox execution, proxy dispatch, reporting bridge, and cleanup behavior.
strix/mcp/server.py Registers the public MCP tools and custom stdio transport for agent-native scans.
strix/tools/reporting/tool.py Adds an exact, model-free duplicate check for MCP finding creation while preserving legacy model dedupe by default.
strix/interface/agent_launcher.py Builds Codex and Claude Code commands with an ephemeral Strix MCP server and scan prompt.
strix/interface/main.py Adds runtime selection with --agent and routes coding-agent scans before legacy startup.
pyproject.toml Adds MCP dependencies, console scripts, and wheel packaging for the Strix skill.
Prompt To Fix All With AI
Fix the following 3 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 3
strix/mcp/service.py:282-284
**Proxy Scope Is Advisory**

After `start_scan`, proxy calls receive only the Caido client and no authorized target data, so `repeat_proxy_request` can replay a captured request with a caller-supplied URL outside the initialized scope. A scan authorized for one host can therefore send requests to another reachable host, while the skill boundary remains only a prompt instruction instead of a server-side check.

### Issue 2 of 3
strix/tools/reporting/tool.py:249-252
**Missing Endpoint Collapses Identity**

When MCP callers omit `endpoint` and `method`, the exact dedupe key becomes only `title` plus `target`. Two separate source-code findings with the same title on the same target, such as hardcoded secrets in different files, will be treated as duplicates and the later verified finding will be dropped from the report.

### Issue 3 of 3
strix/mcp/service.py:84
**Resume Reuses Temp Clones**

Repository scans store cloned paths under `/tmp/strix_repos`, but resume reuses the persisted `local_sources` without checking that those temp directories still exist. After a reboot or temp cleanup, a valid run can fail sandbox startup with a generic error instead of recloning the repository or returning an actionable resume error.

Reviews (1): Last reviewed commit: "Harden agent-native MCP proof of concept" | Re-trigger Greptile

Comment thread strix/mcp/service.py
Comment on lines +282 to +284
context = SimpleNamespace(context={"caido_client": self.bundle["caido_client"]})
try:
raw = await tool.on_invoke_tool(context, json.dumps(arguments))

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 security Proxy Scope Is Advisory

After start_scan, proxy calls receive only the Caido client and no authorized target data, so repeat_proxy_request can replay a captured request with a caller-supplied URL outside the initialized scope. A scan authorized for one host can therefore send requests to another reachable host, while the skill boundary remains only a prompt instruction instead of a server-side check.

Prompt To Fix With AI
This is a comment left during a code review.
Path: strix/mcp/service.py
Line: 282-284

Comment:
**Proxy Scope Is Advisory**

After `start_scan`, proxy calls receive only the Caido client and no authorized target data, so `repeat_proxy_request` can replay a captured request with a caller-supplied URL outside the initialized scope. A scan authorized for one host can therefore send requests to another reachable host, while the skill boundary remains only a prompt instruction instead of a server-side check.

How can I resolve this? If you propose a fix, please make it concise.

Comment on lines +249 to +252
identity = tuple(
str(candidate.get(field) or "").strip().casefold()
for field in ("title", "target", "endpoint", "method")
)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Missing Endpoint Collapses Identity

When MCP callers omit endpoint and method, the exact dedupe key becomes only title plus target. Two separate source-code findings with the same title on the same target, such as hardcoded secrets in different files, will be treated as duplicates and the later verified finding will be dropped from the report.

Prompt To Fix With AI
This is a comment left during a code review.
Path: strix/tools/reporting/tool.py
Line: 249-252

Comment:
**Missing Endpoint Collapses Identity**

When MCP callers omit `endpoint` and `method`, the exact dedupe key becomes only `title` plus `target`. Two separate source-code findings with the same title on the same target, such as hardcoded secrets in different files, will be treated as duplicates and the later verified finding will be dropped from the report.

How can I resolve this? If you propose a fix, please make it concise.

Comment thread strix/mcp/service.py
targets_info = persisted.get("targets_info") or []
if not targets_info:
return {"success": False, "error": f"Run {run_name!r} has no persisted targets"}
local_sources = persisted.get("local_sources") or collect_local_sources(targets_info)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Resume Reuses Temp Clones

Repository scans store cloned paths under /tmp/strix_repos, but resume reuses the persisted local_sources without checking that those temp directories still exist. After a reboot or temp cleanup, a valid run can fail sandbox startup with a generic error instead of recloning the repository or returning an actionable resume error.

Prompt To Fix With AI
This is a comment left during a code review.
Path: strix/mcp/service.py
Line: 84

Comment:
**Resume Reuses Temp Clones**

Repository scans store cloned paths under `/tmp/strix_repos`, but resume reuses the persisted `local_sources` without checking that those temp directories still exist. After a reboot or temp cleanup, a valid run can fail sandbox startup with a generic error instead of recloning the repository or returning an actionable resume error.

How can I resolve this? If you propose a fix, please make it concise.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[FEATURE] Add an agent-native Strix runtime using skills and MCP

1 participant