-
Notifications
You must be signed in to change notification settings - Fork 2
architecture experience intelligence
Siyarix v3.0.0 includes a continuous learning system that uses semantic memory via vector embeddings to record experiences, find similar past operations, and improve decision-making over time.
The subsystem comprises three components: MemoryManager (semantic embedding storage), ContinuousLearning (experience recording and recall), and ResponseGenerator (structured AI output formatting).
User Action / Tool Result
│
▼
┌─────────────────────┐ ┌──────────────────────┐
│ MemoryManager │ │ ContinuousLearning │
│ • embedding gen │◄────│ • record experience │
│ • vector storage │ │ • find similar │
│ • cosine search │ │ • update patterns │
│ • importance decay │ │ • consolidate │
└─────────┬───────────┘ └──────────┬───────────┘
│ │
└────────────┬───────────────┘
│
▼
┌────────────────┐
│ Planner / │
│ AgentCore │
│ • informed │
│ decisions │
└────────────────┘
│
▼
┌────────────────┐
│ ResponseGenerator │
│ • structured AI │
│ responses │
└────────────────┘
The MemoryManager (memory.py) provides embedding-based semantic memory. It generates vector embeddings for text content and stores them for similarity-based retrieval.
from siyarix.memory import MemoryManager
memory = MemoryManager()
embedding = await memory.generate_embedding(
"Host 10.0.0.1 has Apache 2.4.41 vulnerable to CVE-2024-1234"
)Embeddings are generated via the configured AI provider (OpenAI, Ollama, or simulated fallback using character-level similarity).
similar = await memory.find_similar(
query="Apache vulnerabilities",
top_k=5
)
# Returns list of (content, similarity_score, metadata) tuplesCosine similarity is used for vector comparison. Results include original content, metadata (source, timestamp, severity), and similarity score.
Memory entries have an importance score that decays over time. Entries accessed infrequently or older than the retention threshold are pruned during consolidation cycles.
The ContinuousLearning class (core/learning.py) manages long-term semantic memory by recording experiences and querying similar past experiences.
@dataclass
class Experience:
content: str
embedding: list[float]
metadata: dict
timestamp: datetime
learning = ContinuousLearning()
await learning.record_experience(
content="Scanned 10.0.0.0/24 with nmap, found 5 open hosts",
metadata={"target": "10.0.0.0/24", "tool": "nmap", "findings": 5}
)similar = await learning.query_similar(
query="Scan 10.0.0.0/24 for open ports",
top_k=3
)
# Returns past experiences with similar contextThis enables the planner and agent core to make informed decisions based on historical patterns. For example, if a previous scan of a similar subnet led to specific follow-up actions, those patterns influence current planning.
Repeated similar observations are consolidated into abstract knowledge:
Raw observations:
- "Host A runs Apache 2.4.41"
- "Host B runs Apache 2.4.41"
- "Host C runs Apache 2.4.49"
Consolidated:
"Apache 2.4.x is the predominant web server (3 hosts identified).
Multiple versions present; 2.4.41 has known high-severity CVEs."
Experiences are persisted to ~/.siyarix/memory/ as JSON files, enabling cross-session memory. The system loads existing memory on startup and saves new experiences automatically.
The ResponseGenerator (response.py) produces structured, context-aware AI responses. It converts raw findings and execution results into formatted output suitable for display in the REPL, API responses, or report sections.
from siyarix.response import ResponseGenerator
generator = ResponseGenerator()
response = await generator.generate(
intent="explain_finding",
data={
"finding": finding,
"context": context_summary,
"user_question": "What does this mean?"
}
)The generator adapts its output based on:
- User context: Current phase, recent commands, target inventory
- Finding severity: Critical findings get detailed explanations
- Output format: Structured for the requested output format (table, JSON, etc.)
| Component | Integration | Purpose |
|---|---|---|
| AgentCore |
execute_goal() → query_similar()
|
Past experiences influence planning |
| Planner | Plan generation → similar experience context | Better tool selection based on history |
| REPL | User input → context from memory | Proactive suggestions from learned patterns |
| ReportEngine | Finding enrichment → experience correlation | Context-aware report generation |
The following advanced XI features are planned for future releases:
- ContextTracker: Session phase tracking across 8 operation phases (IDLE, RECON, SCANNING, ENUMERATION, EXPLOITATION, POST_EXPLOIT, REPORTING, CLEANUP) with real-time phase transitions
- SkillProfiler: Evaluate user expertise (BEGINNER → EXPERT) based on tool diversity, command volume, error rate, and advanced feature usage — adapting UI complexity and confirmation levels accordingly
- Predictor: Next-action prediction using four strategies (phase-based, tool follow-up, findings-based, learned patterns) with confidence scoring and feedback-driven weight adjustment
-
Streaming Event System: Dedicated event stream (
xi.*events) for real-time phase changes, skill updates, prediction readiness, and pattern learning notifications
Note
👋 Welcome to Siyarix! This is a personal passion project built by a single developer. It's currently under active development and growing fast. Expect rough edges, but lots of love! ❤️
Welcome to the Siyarix Documentation Map! This page serves as your master compass for navigating the extensive documentation we have built for the platform.
Whether you are a brand new user, a seasoned security operator, or a developer looking to contribute to the core engine, you can find exactly what you need here.
Not sure where to start? Pick the path that best describes you:
Just getting started? We highly recommend following these guides in order:
- Installation Guide — Get Siyarix running on your machine.
- Onboarding Wizard — Let our interactive wizard help you set up your API keys and environment.
- Setup & Configuration — A deeper dive into customizing your setup.
- Your First Run — A gentle walkthrough of your very first Siyarix command.
Ready to put Siyarix to work? Dive into our operational guides:
- Interactive Chat (REPL) — Learn how to use the powerful interactive terminal.
- Security Workflows — Best practices for recon, vulnerability assessment, and incident response.
- Cloud & IaC Scanning — How to secure your cloud environments and infrastructure code.
- Compliance Frameworks — Map your scans to SOC 2, HIPAA, ISO 27001, and more.
Looking under the hood or wanting to write some code? Start here:
- Contribution Guide — Our workflow, standards, and how you can help!
- Codebase Overview — A comprehensive map of our 82+ source modules.
- Testing Standards — How we ensure reliability with pytest and CI/CD.
- Module Architecture — Component design and responsibilities.
If you prefer to browse the raw structure, here is a complete layout of the docs/ folder:
docs/
├── 🚀 getting-started/ # Installation, onboarding, and configuration
│ ├── installation.md # Multi-platform install (pip, brew, winget, docker)
│ ├── onboarding.md # The interactive 11-step setup wizard
│ ├── setup.md # Managing API keys, credentials, and settings
│ ├── first-run.md # A walkthrough of your first session
│ ├── configuration.md # A deep-dive into advanced settings
│ └── troubleshooting.md # Common issues and how to fix them instantly
│
├── 📖 user/ # Daily operations and workflows
│ ├── cli-commands.md # Reference for 50+ CLI commands across 12 groups
│ ├── interactive-chat.md # Mastering the AI REPL and 54+ slash commands
│ ├── security-workflows.md # Recon, vulnerability assessment, incident response
│ ├── cloud-scanning.md # Multi-cloud security scanning (under development)
│ ├── compliance.md # Framework mapping (SOC 2, NIST, GDPR, PCI-DSS)
│ ├── threat-intelligence.md# Integrations with OTX, NVD, and MITRE ATT&CK
│ ├── playbooks.md # Building automated YAML-based IR playbooks
│ ├── workflow-files.md # DAG workflow reference (programmatic API)
│ ├── reporting.md # Multi-format report generation
│ ├── offline-registry.md # Running without AI (Offline/Registry execution mode)
│ └── ai-workflows.md # Advanced AI-driven autonomous operations
│
├── 💻 developer/ # Building, testing, and extending Siyarix
│ ├── codebase-overview.md # Full module structure mapping
│ ├── contribution-guide.md # How to submit PRs and our coding standards
│ ├── module-architecture.md# Component design and responsibilities
│ ├── testing.md # Writing tests (pytest), coverage, and CI/CD
│ └── building.md # Packaging, distribution, and Docker builds
│
├── 🏗️ architecture/ # System design and core internals
│ ├── overview.md # High-level data flow and layered orchestration
│ ├── ai-agent-pipeline.md # The AgentCore reasoning and execution pipeline
│ ├── provider-abstraction.md# How we unify 26 different AI providers
│ ├── execution-engine.md # Plan-based step orchestration
│ ├── memory-and-state.md # Knowledge graph, session persistence, and learning
│ ├── security-model.md # The Permission Gate, DLP, audit logging, and OPSEC
│ └── intent-routing.md # Semantic intent classification and routing
│
├── 🧠 ai/ # Deep dive into the AI provider & agent systems
│ ├── routing.md # Managing 26 providers, failovers, and circuit breakers
│ ├── persona-system.md # Overview of our 10 security personas
│ ├── agent-reasoning.md # The Observe-Reason-Act loop and tool call repair
│ ├── tool-execution.md # The tool registry, capability graph, and parsers
│ ├── ensemble.md # Parallel LLM voting strategies
│ ├── multi-wave.md # Iterative goal execution with context carry-over
│ ├── prompt-architecture.md# System prompt design and management
│ └── safety.md # Our rigorous 8-layer hallucination mitigation system
│
├── 🛡️ security/ # Safety, ethics, and threat models
│ ├── reporting.md # How to safely report vulnerabilities to us
│ ├── threat-model.md # System threat model and our mitigations
│ ├── operational-security.md# TOR routing, stealth modes, and OPSEC controls
│ ├── ethical-policy.md # Mandatory rules of engagement for all users
│ └── abuse-prevention.md # How we prevent misuse of the AI engine
│
└── ⚖️ legal/ # Licensing and governance
├── agpl-guide.md # A plain-English overview of the AGPL-3.0-or-later license
├── why-agpl.md # The philosophy behind our license choice
├── trademark-policy.md # Branding and trademark guidelines
├── responsible-ai.md # Our framework for ethical AI usage
├── disclaimer.md # Important legal disclaimers
└── plugin-exception.md # The license exception for building custom plugins
As you read through the documentation, you might encounter some specific terms. Here is a quick cheat sheet:
| Term | What It Means |
|---|---|
| Provider | The backend AI engine powering Siyarix (e.g., OpenAI, Anthropic, Ollama). |
| Tool | A traditional security executable installed on your system (e.g., nmap, nuclei). |
| Plan | A step-by-step sequence of tool commands intelligently generated by the AI. |
| Workflow | A hardcoded, predefined execution path (usually defined in YAML/JSON) that doesn't require AI generation. |
| Persona | A specialized behavioral profile given to the AI (e.g., instructing it to act specifically as a "Network Recon Specialist"). |
| Knowledge Graph | Siyarix's internal memory where it stores findings (like IP addresses, open ports) to contextually inform future steps. |
Need help finding something specific? Feel free to use the search bar at the top of the documentation site, or open a discussion on our GitHub!