Open-source LLM red-team lab.
159 transforms, 26 tool surfaces, one Campaign front door, BYOK gateway. Runs in your browser.

Try Online→  ·  Self-host in 30 seconds  ·  Offensive recipes  ·  Changelog

_{Left: 159 transformers, encode + decode, options per transform. Middle: PromptCraft multi-step viz (TAP tree shown). Right: HarmBench heuristic scoring with per-category breakdown.}

Cryptex bundles 159 text transformers (encodings, classical ciphers, Unicode tricks, steganography, ancient scripts) with 26 specialized tool surfaces. The Campaign front door is the one-shot way in: type a goal, pick a target once, and Cryptex fans your goal across many attack strategies, judges each with an LLM judge, and shows a graded ASR report you can export. Behind it sit ten technique workbenches (Transform, Decode, Emoji stego, Gibberish, Tokenizer, Tokenade, Bijection, Fuzzer, PromptCraft, Anti-Classifier) and fifteen red-team labs covering the 2024 to 2026 jailbreak literature (HarmBench, StrongREJECT, JailbreakBench, indirect injection, glitch tokens, adversarial suffixes, defense fingerprinting, watermark forensics). It is the lab bench for adversarial-prompt and encoding research.

Everything runs in your browser. No backend, no database, no telemetry. AI calls go from your browser direct to whichever provider you choose, with your BYOK key staying in localStorage. Open source under MIT. Same canonical 159 transformers feed both the SvelteKit app and the Python CLI, so adding one anywhere makes it available everywhere.

docker run -d --name cryptex --restart unless-stopped \
  -p 8080:80 ghcr.io/m4xx101/cryptex-oss:latest

Open http://localhost:8080. Done.

The image is multi-arch (linux/amd64 plus linux/arm64), so it pulls native on Intel and AMD Linux servers, Apple Silicon Macs, and Raspberry Pi.

services:
  cryptex:
    image: ghcr.io/m4xx101/cryptex-oss:latest
    container_name: cryptex
    restart: unless-stopped
    ports:
      - "8080:80"
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://localhost/health"]
      interval: 30s
      timeout: 5s
      retries: 3

git clone https://github.com/m4xx101/cryptex-oss
cd cryptex-oss/app
npm install
npm run dev          # http://localhost:5173 with hot reload
# or:
npm run build        # static bundle in app/build/

Need a subpath? Build with BASE_PATH=/cryptex to serve at /cryptex/... instead of /.

The app is responsive. Just visit the URL on mobile and add to home screen for one-tap launch. The full feature set works on iOS Safari and Chrome Android, including the BYOK gateway and all 26 tool surfaces.

For private personal hosting reachable from your phone anywhere: run the Docker image on a Raspberry Pi or any home box, then expose it through Tailscale Funnel or Cloudflare Tunnel. Your phone reaches your self-hosted instance over HTTPS with zero port-forwarding and no public DNS exposure.

Five paths, all free for a Cryptex-scale static site:

Cryptex never phones home. Your hosted instance is your own.

Cryptex Production at https://cryptex.m4xx.cfd is a separate sibling product, not a hosted copy of this repository. Different codebase, different feature surface, different release cadence. It is included here as a pointer for users whose workflow needs more than the OSS toolkit covers.

What Production has that the OSS variant does not:

• Chat playground. Full multi-turn conversation against any configured provider. Streams responses. Attach images and PDFs. Sticky system prompts. Per-conversation token-cost chip.
• Attack-chain transforms inside chat. Select any text in any chat turn (yours or the assistant's). Pipe it through the mutator pipeline (layered_mutation, multi_layer_attack, best_of_k, or any of the 36 mutators). The transformed text either replaces the selection or sends as a new turn. Build attacks iteratively against a target you are already in conversation with.
• Unrestricted model presets. Pre-configured pointers at uncensored, abliterated, and community-fine-tuned Llama-class and Mistral-class models on permissive providers. No setup, no key wrangling.

If your work needs the chat surface or the live in-conversation mutator pipeline, that is the variant. Free, no signup, your BYOK key stays in your browser. The OSS variant in this repo is intentionally scoped to the tools layer; it does not and will not ship the chat playground or the attack-chain composer.

docs/USAGE.md is the offensive cookbook. Twelve worked recipes covering target fingerprinting, three-layer kneel stacks (bijection + PAP + GCG), many-shot capstones, Crescendo, OCR stego injection, indirect-injection via webpage summary, tool-call hijack, glitch-token derailment, TAP for SOTA targets, multi-layer composites, watermark forensics, and cross-model bake-offs. Includes the Defense Fingerprinter evidence table so you can recognize a target's defense family by eye, plus a cross-tool composability map showing which tool's output naturally feeds which.

/gibberish, /tokenizer, /bijection were deprecated in v2.2 (low-impact or subsumed by siblings). Routes still resolve for deep-links.

AdvSuffix · Glitch Tokens · OCR Injection · Markdown Exfil · Probe Lab · Cross-Model Diff · Replayer · Tool Result Lab · Indirect Injection · HarmBench · StrongREJECT · JBB · Fingerprinter · Watermark · PDF Injection · Reasoning (v2.3, H-CoT + Mousetrap) · Stacked Cipher (v2.3, SEAL family) · Response (v2.3, AAAI 2026 context-priming) · Abliteration (v2.3, uncensored-model detection + HF vault)

Every benchmark lab carries a yellow "Heuristic scoring, not paper-accurate" banner. Scoring uses regex plus LLM-judge approximations of the published rubrics, not the original trained classifiers. Use it for craft signal and iteration, not as a vendor verdict.

Every tool with a curated payload set ships a collapsible Vault drawer at the bottom. 96 glitch tokens, 38 adversarial suffixes, 40 indirect-injection patterns, 17 tool-result fixtures, 20 PromptCraft chains, 50 fuzzer seeds, 15 emoji carriers, 6 reasoning-attack scaffolds, 8 SEAL stacks, 6 Response Attack primings, 10 HuggingFace abliterated-model identifiers, plus per-benchmark customs. Add your own through the drawer.

License posture is hard-locked: MIT, CC0, CC-BY-4.0, or Apache 2.0. No GPL, AGPL, CC-BY-SA, or CC-BY-NC. Per-source provenance in app/src/lib/vault/LICENSES.md.

Settings → Cloud Sync. Bring your own Supabase project URL and anon key. History runs and Vault custom items sync to two tables (synced_runs, synced_vault_items) in YOUR Supabase project. BYOK provider keys never sync. Setup guide with copy-pasteable SQL in docs/SUPABASE.md.

The cryptex-recon Claude Code skill at ~/.claude/skills/cryptex-recon/ runs GitHub + arXiv + HuggingFace recon for new jailbreak techniques + abliterated model releases, drafts vault-seed proposals, and self-updates its own LESSONS.md after each run. Trigger with /cryptex-recon or phrases like "find new jailbreak tools". Seeded with the 12 already-promoted frameworks so it doesn't re-suggest them.

Cryptex never sees your key. Paste it in Settings. It goes to localStorage only. Every AI call is direct browser to provider.

• OpenRouter (default, CORS-open). Single key, 200+ models.
• Anthropic direct via the anthropic-dangerous-direct-browser-access header.
• OpenAI-compatible endpoints: Groq, Together, Fireworks, DeepInfra, Cerebras, SambaNova, plus custom.
• Local providers, no key needed: Ollama, LM Studio, vLLM, llama.cpp, Llamafile, NVIDIA NIM. Point at the local URL (http://localhost:11434, etc.) and Cryptex skips the key requirement.

Direct OpenAI and Google Gemini are not supported from the browser (no CORS). Route those models through OpenRouter.

In dev mode (npm run dev), Vite mounts a /api/_proxy/<providerId>/... server-side passthrough so /v1/models works for every provider regardless of CORS. Production static deploys go direct; per-preset defaultModels lists in app/src/lib/ai/presets.ts cover any /models endpoints that block CORS.

cryptex-oss/
├── app/                          SvelteKit 2 + Svelte 5 + Tailwind + shadcn-svelte
│   └── src/
│       ├── routes/               25 tool routes plus /history + about / guide / settings
│       └── lib/
│           ├── ai/               Multi-provider gateway plus adapters (lazy-imported)
│           ├── techniques/       Mutators, classifiers, composites, modes
│           ├── transformers/     Vite-side transformer registry + universal decoder
│           ├── tools/            localStorage tool state (cryptex.toolStates)
│           ├── stego/            Three-mode emoji steganography engine
│           ├── workers/          Module workers (runInWorker dispatcher)
│           ├── errors/           CryptexError taxonomy + errorLogger + ErrorPanel
│           ├── history/          Hybrid localStorage + IndexedDB store
│           ├── vault/            Per-tool seed loader + store + LICENSES.md
│           ├── redteam/          All benchmark scorers plus payload libraries
│           └── components/       tools/ + redteam/ + shell (ToolShell, HistoryFooter)
├── src/transformers/             159 transformer modules (single source of truth)
├── cryptex_cli/                  Python CLI (shells out to Node)
├── scripts/cli_bridge.js         Node bridge for the Python CLI
├── Dockerfile + nginx.conf       Multi-stage build + strict CSP
├── docker-compose.yml            Dokploy-tuned (Traefik + Let's Encrypt)
└── .github/workflows/docker.yml  Multi-arch GHCR publish

Key design notes:

• One source of truth for transforms. src/transformers/ feeds both the Svelte app (Vite import.meta.glob) and the Python CLI (Node sandbox in scripts/cli_bridge.js). No duplication.
• No backend, no database, no auth. Everything is browser-local. cryptex.toolStates, cryptex.providers, and per-tool prefs all live in localStorage. Vault items persist under cryptex.vault.<toolId>; history v2 uses a hybrid localStorage index plus IndexedDB payload with a localStorage fallback.
• Strict CSP. The production nginx config allows connect-src only to providers you have enabled. No third-party scripts, no CDNs, no analytics.
• Web Workers for heavy transforms. app/src/lib/workers/runInWorker.ts auto-dispatches: under 50 KB stays in-thread, 50 KB to 1 MB runs in a pool of 4 module workers, over 1 MB is rejected with a typed Errors.badInput. AbortController cancellation via worker.terminate().
• Typed error taxonomy. app/src/lib/errors/types.ts ships a discriminated CryptexError union (network, cors, auth, provider, rate_limit, bad_input, tool, worker, storage_quota, local_server_offline, unknown). errorLogger.report() funnels everything to toast, history, and console.
• Persistent history with replay. /history global route plus per-tool HistoryFooter surface every run searchable across input, output, annotation. Pin, annotate, replay. Auto-prune at 4 MB soft cap.

The Python CLI reuses the same 159 transformers as the web app via a Node bridge.

uv run cryptex-cli list
uv run cryptex-cli inspect caesar --json
uv run cryptex-cli encode --transform base64 --text "Hello"
uv run cryptex-cli decode --transform base64 --text "SGVsbG8="
uv run cryptex-cli auto-decode --text "SGVsbG8="
uv run cryptex-cli /caesar --shift 5 "Attack at dawn"

1. Drop a file at src/transformers/<category>/<name>.js.
2. Export default new BaseTransformer({...}) from src/transformers/BaseTransformer.js.
3. Pick a priority (1 to 310) using the guide at the bottom of BaseTransformer.js.
4. Run npm run build from the repo root.

Auto-discovered. Web app and CLI pick it up via the SvelteKit Vite-glob registry and the Node loader respectively.

1. Create the Svelte component in app/src/lib/components/tools/<tool>/ (or app/src/lib/components/redteam/<tool>/).
2. Add the route at app/src/routes/<tool>/+page.svelte, wrapping the content in <ToolShell toolId="…" title="…">.
3. Register the tab in app/src/lib/components/shell/TabRail.svelte.
4. Optional: add a Vault drawer via <VaultSection> if the tool has a curated payload set. See CLAUDE.md for the v2.0 conventions.

cd app && npm run check && npx vitest run && npm run build
uv run cryptex-cli list

MIT. See LICENSE.

Cryptex OSS bundles small red-team corpora (glitch tokens, adversarial suffixes, indirect-injection patterns, tool-result fixtures, emoji carriers, fuzzer seeds, PromptCraft chains, plus a tiny WordNet subset) sourced from openly-licensed papers, community write-ups, and public-domain Unicode references. Every bundled item is MIT, CC-BY-4.0, or CC0. Per-source attribution lives in app/src/lib/vault/LICENSES.md. No GPL, AGPL, CC-BY-SA, or CC-BY-NC material is bundled.

Source: github.com/m4xx101/cryptex-oss
Recipes: docs/USAGE.md
Sibling product: cryptex.m4xx.cfd (chat playground, attack-chain composer; separate codebase)

P.S. — A tip of the hat to elder-plinius/P4RS3LT0NGV3: every model in this toolkit was already jailbroken there before our npm install finished, so consider Cryptex OSS the release engineering on his hobby.