-
Notifications
You must be signed in to change notification settings - Fork 2
ai agent reasoning
Note
👋 Hey there! Siyarix is a personal passion project built by a single developer that is growing and under active development. Some of the architectural components and features described on this page might currently be Planned, Work in Progress, or basic implementations. Stay tuned as it evolves! 🚀
Welcome to the Agent Reasoning Pipeline! This is the "brain" of Siyarix, responsible for taking a user's objective and turning it into real, executed actions.
Think of it as a smart traffic cop: the Planner Router directs requests to either an AI-driven planner (using a Large Language Model or LLM) or a rule-based heuristic planner. This depends on the mode you are running. In autonomous mode, the system follows a dynamic Observe–Reason–Act–Reflect loop. In registry or offline mode, it relies on reliable, deterministic templates.
Note
The dual-planner architecture ensures that Siyarix remains fully functional whether you have an active LLM connection or are operating completely offline.
Siyarix utilizes a two-planner system, all smoothly coordinated by a unified Planner router:
User Request
│
▼
┌─────────────────────────────────────────┐
│ Planner Router │
│ (src/siyarix/planner.py) │
│ │
│ mode == "autonomous" ──► AutonomousPlanner │
│ mode == "registry" ──► RegistryPlanner │
│ mode == "offline" ──► RegistryPlanner │
│ mode == "integrated" ──► try Autonomous → │
│ fallback Registry │
└─────────────────────────────────────────┘
(Found in src/siyarix/planner_autonomous.py)
This is our pure, AI-driven planner. It relies entirely on the LLM to figure things out—from verifying if tools are available to installing missing ones and writing the exact shell commands needed.
Key Features:
- 🧠 Session-aware Token Optimization: We save on processing costs by sending full tool details only on the first call. Later calls use a much shorter, compact prompt.
- 🗣️ Multi-format Response Parsing: Whether the LLM replies in JSON, YAML, Markdown, XML, or just plain text, our system can understand and extract the commands.
- 🛠️ Native Tool Calling: When available, we prefer structured tool calls directly from the LLM for better accuracy.
-
🛡️ Structured Execution (
execute_plan): We provide the LLM with a strict function definition to ensure the plan it generates is properly formatted and safe.
Tip
The AutonomousPlanner works best when the LLM provider supports native structured tool calling (like OpenAI's tool_calls).
(Found in src/siyarix/planner_registry.py)
This is our reliable, deterministic planner. It operates entirely without an LLM!
Key Features:
- 🔍 Keyword Matching: It uses an inverted keyword index to map plain English words to specific security tools.
-
📋 Pre-built Templates: It features over 25 predefined templates (like
recon_full,network_scan,linux_privesc) to handle common workflows out of the box. - 🎯 Intent Extraction: A Natural Language Parser picks up on what you want to do (intent) and what you want to target.
-
🔄 Smart Fallbacks: If your first-choice tool isn't installed, it automatically rolls over to the next best thing (e.g., swapping
nmapformasscan).
The AgentCore module (src/siyarix/core/__init__.py) is the main engine, and it supports four different ways of running:
| Mode | Planner Used | Executor Used | Needs an LLM? |
|---|---|---|---|
REGISTRY |
RegistryPlanner | RegistryExecutor | No ❌ |
AUTONOMOUS |
AutonomousPlanner | AutonomousExecutor | Yes ✅ |
HYBRID |
AutonomousPlanner → RegistryPlanner | Both | Optional |
INTERACTIVE |
RegistryPlanner | RegistryExecutor (needs your OK) | No ❌ |
When running in Autonomous Mode, Siyarix works in a continuous, multi-turn loop—just like a human expert would! Here is how the LLMEngineMixin._execute_agent() method handles it:
First, the agent looks around to understand its environment. It collects:
- Environment State: Operating system, available tools, current directory.
- Session State: What have we talked about so far? What were the results of the last commands?
- Target Context: IPs, domains, or URLs you specified.
-
Tool Availability: A quick check of the
ToolRegistryto see what is installed.
Next, the LLM puts on its thinking cap. We send it a structured prompt containing the system instructions, conversation history, tool schemas, and your goal.
It then returns a structured plan, looking something like this:
{
"needs_tools": true,
"reasoning": "I need to check for open ports to identify running services.",
"steps": [
{
"command": "nmap -sV -p 1-1000 10.0.0.1",
"description": "Port scan target with service detection"
}
]
}Now it's time to execute the plan! The commands are run in "waves." Before anything actually runs, it goes through a rigorous safety check:
- PermissionGate: Checks for syntax errors and dangerous commands.
- Input Validation: Prevents sneaky stuff like shell injection or path traversal.
- Shell Review: (Optional) Prompts you to approve, edit, or cancel the command.
- Execution: Runs the command safely with a timeout and tracks any stray processes.
- DLP & Secret Redaction: Automatically scrubs API keys, passwords, and sensitive tokens from the output before the LLM sees it.
Warning
Security is our top priority. The agent will never run highly destructive commands without explicit review, and sensitive data is aggressively redacted!
Finally, the LLM reviews the output of the commands. Did we get what we needed?
- If yes, it sets
needs_tools=falseand provides a final answer. - If no, it sets
needs_tools=trueand creates a new plan for the next wave.
Important
The agent can loop up to 12 waves per instruction by default. If it hits that limit, it will stop and ask you for further guidance.
Sometimes, LLMs get confused and spit out tool calls as plain text instead of structured JSON. No problem! The ToolCallRepair module acts as a safety net to parse and fix these mistakes automatically.
| Syntax | Example |
|---|---|
| Bracket | [nmap]{"target": "10.0.0.1", "flags": "-sV"} |
| XML | <function=nmap><parameter=target>10.0.0.1</parameter></function> |
| Function Call | function_call: {"name": "nmap", "args": {...}} |
If the LLM makes a typo (like calling nmaps instead of nmap), our fuzzy matching kicks in. It can tolerate minor spelling mistakes, case differences, and substrings to keep the pipeline moving smoothly.
Want to keep a close eye on what the agent is doing? shell_review.py provides an interactive prompt for you to review commands before they run.
╭──────────────── Command Execution Review ─────────────────╮
│ Tool: raw │
│ Reason: Raw shell command from LLM plan │
│ │
│ nmap -sS -sV -O -Pn example.com │
╰───────────────────────────────────────────────────────────╯
Review command [edit/run/step/cancel] (run):
-
run: Execute as-is. -
edit: Tweak the command first. -
step: Run commands one by one. -
cancel: Skip it entirely.
Note
In automated environments (like CI/CD pipelines), Shell Review automatically approves commands so it doesn't get stuck waiting for human input.
When your LLM is down, offline, or just unreachable, the RegistryPlanner steps in to save the day using deterministic logic.
Here is how it thinks:
- You say: "scan 10.0.0.1"
- It extracts intent: "scan"
- It extracts target: "10.0.0.1"
- It matches a template:
network_scan - It builds a multi-step plan using tools like
nmap,whatweb, andnuclei.
| Template Name | What it Runs |
|---|---|
recon_full |
nmap → whatweb → gobuster → subfinder → amass → nuclei |
web_audit |
curl → whatweb → nuclei → ffuf → wpscan → nikto |
linux_privesc |
uname → find SUID → find writable → cat cron |
Siyarix is smart about how it runs tasks. It organizes steps into Layers.
Layer 1: Recon (Runs immediately)
Layer 2: Scan (Waits for Recon to finish)
Layer 3: Enumerate (Waits for Scan to finish)
Tasks within the same layer (like scanning 5 different ports) run concurrently to save time, making your scans lightning fast! ⚡
Once the agent has finished all its waves, it doesn't just dump raw text on you. It synthesizes the data:
- Deduplicates: Removes repeated findings (based on target, port, and vulnerability).
- Correlates: Connects the dots between different tools.
- Scores Severity: Tags issues as Critical, High, Medium, Low, or Info.
- Summarizes: Gives you a clean, easy-to-read report.
- Logs to Graph: Saves the findings into a knowledge graph so it remembers them for next time.
Things fail. Ports are closed, tools crash. The Validator class (src/siyarix/validators.py) is our safety net, offering step-level validation and smart recovery.
If a step fails, the agent can:
-
RETRY: Try again with a slight change (e.g., adding-Pnto an nmap scan). -
RETRY_ALTERNATIVE: Switch tools completely (e.g., ifnucleifails, trynikto). -
SKIP: Just move on to the next step. -
DEGRADE: Fall back to a simpler execution mode.
Curious about the code? Here is where everything lives:
| Module | Location | What it Does |
|---|---|---|
| Planner Router | src/siyarix/planner.py |
The main traffic cop |
| AutonomousPlanner | src/siyarix/planner_autonomous.py |
The LLM-driven AI planner |
| RegistryPlanner | src/siyarix/planner_registry.py |
The offline, rule-based planner |
| AgentCore | src/siyarix/core/__init__.py |
Central orchestrator |
| LLMEngineMixin | src/siyarix/chat/engine.py |
Agent loop with multi-wave planning |
| ToolCallRepair | src/siyarix/tool_call_repair.py |
Fixes broken LLM tool calls |
| ShellReview | src/siyarix/shell_review.py |
Interactive command approval |
| Validator | src/siyarix/validators.py |
Error handling and recovery |
| ToolRegistry | src/siyarix/registry.py |
Tool discovery and capability indexing |
| ToolCapabilityGraph | src/siyarix/tool_graph.py |
Tool chaining and similarity graph |
| ToolAvailability | src/siyarix/tool_availability.py |
Pre-execution availability evaluation |
| DangerAnalyzer | src/siyarix/security_hardening.py |
Keeps dangerous commands in check |
| CompactionEngine | src/siyarix/compaction.py |
Context window compaction for long histories |
Note
👋 Welcome to Siyarix! This is a personal passion project built by a single developer. It's currently under active development and growing fast. Expect rough edges, but lots of love! ❤️
Welcome to the Siyarix Documentation Map! This page serves as your master compass for navigating the extensive documentation we have built for the platform.
Whether you are a brand new user, a seasoned security operator, or a developer looking to contribute to the core engine, you can find exactly what you need here.
Not sure where to start? Pick the path that best describes you:
Just getting started? We highly recommend following these guides in order:
- Installation Guide — Get Siyarix running on your machine.
- Onboarding Wizard — Let our interactive wizard help you set up your API keys and environment.
- Setup & Configuration — A deeper dive into customizing your setup.
- Your First Run — A gentle walkthrough of your very first Siyarix command.
Ready to put Siyarix to work? Dive into our operational guides:
- Interactive Chat (REPL) — Learn how to use the powerful interactive terminal.
- Security Workflows — Best practices for recon, vulnerability assessment, and incident response.
- Cloud & IaC Scanning — How to secure your cloud environments and infrastructure code.
- Compliance Frameworks — Map your scans to SOC 2, HIPAA, ISO 27001, and more.
Looking under the hood or wanting to write some code? Start here:
- Contribution Guide — Our workflow, standards, and how you can help!
- Codebase Overview — A comprehensive map of our 82+ source modules.
- Testing Standards — How we ensure reliability with pytest and CI/CD.
- Module Architecture — Component design and responsibilities.
If you prefer to browse the raw structure, here is a complete layout of the docs/ folder:
docs/
├── 🚀 getting-started/ # Installation, onboarding, and configuration
│ ├── installation.md # Multi-platform install (pip, brew, winget, docker)
│ ├── onboarding.md # The interactive 11-step setup wizard
│ ├── setup.md # Managing API keys, credentials, and settings
│ ├── first-run.md # A walkthrough of your first session
│ ├── configuration.md # A deep-dive into advanced settings
│ └── troubleshooting.md # Common issues and how to fix them instantly
│
├── 📖 user/ # Daily operations and workflows
│ ├── cli-commands.md # Reference for 50+ CLI commands across 12 groups
│ ├── interactive-chat.md # Mastering the AI REPL and 54+ slash commands
│ ├── security-workflows.md # Recon, vulnerability assessment, incident response
│ ├── cloud-scanning.md # Multi-cloud security scanning (under development)
│ ├── compliance.md # Framework mapping (SOC 2, NIST, GDPR, PCI-DSS)
│ ├── threat-intelligence.md# Integrations with OTX, NVD, and MITRE ATT&CK
│ ├── playbooks.md # Building automated YAML-based IR playbooks
│ ├── workflow-files.md # DAG workflow reference (programmatic API)
│ ├── reporting.md # Multi-format report generation
│ ├── offline-registry.md # Running without AI (Offline/Registry execution mode)
│ └── ai-workflows.md # Advanced AI-driven autonomous operations
│
├── 💻 developer/ # Building, testing, and extending Siyarix
│ ├── codebase-overview.md # Full module structure mapping
│ ├── contribution-guide.md # How to submit PRs and our coding standards
│ ├── module-architecture.md# Component design and responsibilities
│ ├── testing.md # Writing tests (pytest), coverage, and CI/CD
│ └── building.md # Packaging, distribution, and Docker builds
│
├── 🏗️ architecture/ # System design and core internals
│ ├── overview.md # High-level data flow and layered orchestration
│ ├── ai-agent-pipeline.md # The AgentCore reasoning and execution pipeline
│ ├── provider-abstraction.md# How we unify 26 different AI providers
│ ├── execution-engine.md # Plan-based step orchestration
│ ├── memory-and-state.md # Knowledge graph, session persistence, and learning
│ ├── security-model.md # The Permission Gate, DLP, audit logging, and OPSEC
│ └── intent-routing.md # Semantic intent classification and routing
│
├── 🧠 ai/ # Deep dive into the AI provider & agent systems
│ ├── routing.md # Managing 26 providers, failovers, and circuit breakers
│ ├── persona-system.md # Overview of our 10 security personas
│ ├── agent-reasoning.md # The Observe-Reason-Act loop and tool call repair
│ ├── tool-execution.md # The tool registry, capability graph, and parsers
│ ├── ensemble.md # Parallel LLM voting strategies
│ ├── multi-wave.md # Iterative goal execution with context carry-over
│ ├── prompt-architecture.md# System prompt design and management
│ └── safety.md # Our rigorous 8-layer hallucination mitigation system
│
├── 🛡️ security/ # Safety, ethics, and threat models
│ ├── reporting.md # How to safely report vulnerabilities to us
│ ├── threat-model.md # System threat model and our mitigations
│ ├── operational-security.md# TOR routing, stealth modes, and OPSEC controls
│ ├── ethical-policy.md # Mandatory rules of engagement for all users
│ └── abuse-prevention.md # How we prevent misuse of the AI engine
│
└── ⚖️ legal/ # Licensing and governance
├── agpl-guide.md # A plain-English overview of the AGPL-3.0-or-later license
├── why-agpl.md # The philosophy behind our license choice
├── trademark-policy.md # Branding and trademark guidelines
├── responsible-ai.md # Our framework for ethical AI usage
├── disclaimer.md # Important legal disclaimers
└── plugin-exception.md # The license exception for building custom plugins
As you read through the documentation, you might encounter some specific terms. Here is a quick cheat sheet:
| Term | What It Means |
|---|---|
| Provider | The backend AI engine powering Siyarix (e.g., OpenAI, Anthropic, Ollama). |
| Tool | A traditional security executable installed on your system (e.g., nmap, nuclei). |
| Plan | A step-by-step sequence of tool commands intelligently generated by the AI. |
| Workflow | A hardcoded, predefined execution path (usually defined in YAML/JSON) that doesn't require AI generation. |
| Persona | A specialized behavioral profile given to the AI (e.g., instructing it to act specifically as a "Network Recon Specialist"). |
| Knowledge Graph | Siyarix's internal memory where it stores findings (like IP addresses, open ports) to contextually inform future steps. |
Need help finding something specific? Feel free to use the search bar at the top of the documentation site, or open a discussion on our GitHub!