-
Notifications
You must be signed in to change notification settings - Fork 2
developer module architecture
This document describes the internal architecture of key Siyarix v3.0.0 modules — how they interact, their data flows, and design patterns.
The execution engine operates in three modes, dispatched by the planner:
| Mode | Planner | Permission | Autonomy | Use Case |
|---|---|---|---|---|
REGISTRY |
RegistryPlanner (template) | Full gate | None | Offline, deterministic |
AUTONOMOUS |
AutonomousPlanner (LLM) | Minimal | Full | Unattended operation |
HYBRID (default) |
Combined | Full gate | User confirmation | Interactive security work |
- Planner produces
ExecutionPlanwith orderedExecutionStepobjects - Each step validated through
PermissionGate(ALLOW/DENY/REVIEW) - Steps execute with dependency-driven parallelism via
asyncio.gather() - Tool output routed through
ParserRegistry.get(tool_name).parse(output) - Structured findings ingested into
KnowledgeGraph - Errors handled with exponential backoff via
ProviderStateManager
worker_pool.py bounds concurrency using asyncio.Semaphore, preventing resource exhaustion when executing parallel tool chains. Default max concurrent tools is configurable via default_parallel setting.
Routes between two planner implementations based on mode and provider availability. Falls back to registry planning when no AI provider is reachable.
Deterministic planning using PlannerRegistry, a template store that maps tool capabilities to execution plans. Uses intent classification, keyword matching, and parameter extraction. No AI dependency — always available.
LLM-driven planning that generates structured execution plans from natural language goals. Uses ProviderManager for provider resolution with failover. Supports multi-call repair when initial plan is malformed (via ToolCallRepair).
User Input → IntentRouter → Intent Extraction → Target/Parameter Parsing →
Planner Selection (by mode/provider) → Plan Generation →
Plan Validation → Permission Gate → Execution → Result Processing
Two-stage access control executed before every command:
- Syntax Gate: Validates command structure, length limits, character restrictions, shell injection patterns
- Danger Analysis: Pattern-matches against 38+ dangerous command categories (disk destruction, fork bombs, network floods, privilege escalation, credential exfiltration, etc.)
Each stage returns one of: ALLOW (pass), DENY (block with reason), or REVIEW (require user confirmation). The gate integrates with DLP engine for data exfiltration detection and InputValidator for injection prevention.
Singleton managing 24 provider profiles through a unified interface:
- Cloud providers: 19 profiles (OpenAI, Anthropic, Gemini, Groq, Together, DeepSeek, Mistral, OpenRouter, Perplexity, xAI, Cerebras, Fireworks, HuggingFace, MiniMax, Moonshot, NVIDIA, Azure, OpenCodeGo, Z.AI) — require API keys
- Local providers: 5 profiles (Ollama, LM Studio, llama.cpp, vLLM, LocalAI) — no API key, auto-start support
- Fallback: Registry (heuristic planner) — always available, no AI required
Primary Provider → Secondary → ... → Local Provider → Registry (heuristic)
Circuit breaker opens after 3 failures within 60 seconds. ProviderStateManager tracks per-provider cooldown with exponential backoff (30s → 60s → 300s). Skip-known-bad cache prevents retrying failing providers within a session.
Encrypted vault for API keys and secrets:
- Encryption: AES-256-GCM with 32-byte key and 12-byte nonce
- Key storage: OS system keyring via
keyringlibrary - File fallback: AES-256-GCM encrypted JSON file in
~/.siyarix/credentials.json(Fernet-compatible) - Key rotation:
siyarix auth rotatere-encrypts all credentials with a new key - Auto-clear: Credentials cleared from memory on session end
- Security: Keys never written to source code, config files, logs, or debug output
Data Loss Prevention with bidirectional token masking:
- Masks sensitive data before sending to cloud AI providers (40+ regex patterns)
- Session-scoped: masks are consistent within a session
- Bidirectional: can reverse masks for local display
- Pattern types: IP addresses, hostnames, email addresses, API keys, JWT tokens, SSH keys, passwords, credit cards, AWS keys, Slack tokens, GitHub tokens, private keys
In-memory directed graph of discovered entities:
- Nodes: hosts, ports, services, vulnerabilities, credentials, domains, findings
- Edges: relationships (runs_on, has_vulnerability, uses_credential, resolves_to)
- Operations: add_node, add_edge, find_neighbors, bfs_shortest_path, node/edge CRUD, find_by_label, find_by_type
- Traversal: BFS, DFS, shortest path analysis
- Persistence: JSON export/import with full graph serialization
- Integration: ReportEngine queries KG for evidence and relationship mapping
AgentCore is the central orchestrator (639 lines) that manages the full agent lifecycle:
- Start/Shutdown: Initialize sub-systems, providers, memory, context, stealth
-
Goal Execution:
execute_goal()routes to mode-specific execution (_execute_registry,_execute_autonomous,_execute_hybrid,_execute_interactive) -
Multi-Wave:
execute_multi_wave()for complex objectives requiring iterative refinement -
Sub-Agents:
create_subagent()/execute_subagent()for hierarchical task decomposition -
Swarm: Integrates with
SwarmRouterfor multi-agent campaigns (recon → exploit → report) -
Continuous Learning: Feeds experiences to
ContinuousLearningfor semantic memory - Observation: Tracks results, budget, and goal completion status
In-process publish/subscribe system:
-
EventBussingleton with typed event dispatch - Events include: finding discovered, plan created, step executed, error occurred, session created
- Supports multiple subscribers per event type
- Used by:
AuditLogger,Notifications,MetricsCollector,SessionLog - Zero external dependencies — pure Python implementation
Full-featured REPL with:
- 40+ slash commands via
CommandHandlersMixin(help, scan, run, model, provider, theme, opsec, intel, etc.) - Multi-turn conversation with context retention and compression
-
SmartAutocompletefor context-aware tab completion (commands, tools, models, providers, paths) - Session branching with JSONL tree format via
BranchingSession - Persona switching mid-session
- Provider switching at runtime
- Command review toggle
- Real-time Rich notification panels
-
SplitPanefor timeline, metrics, cheatsheet views
The LLMEngineMixin (1207 lines) implements the core AI interaction loop:
-
Provider Resolution: Selects provider via
ProviderManagerwith failover - Context Building: Builds system prompt with persona, platform context, tool availability
-
Agent Execution:
_execute_agent()runs observe-reason-act loop with up to 5 waves - Multi-Wave: Each wave executes LLM calls, parallel tool execution, and LLM synthesis
-
Streaming:
AssistantMessageEventStreamprovides granular per-block events (text, thinking, tool calls) - Retry: Automatic retry with compaction for long contexts
- Local Provider Auto-Start: Detects and starts Ollama/llama.cpp if configured
Premium output rendering with 8 formats and 12 themes:
- Formats: TABLE (Rich), JSON, YAML, CSV, HTML, XML, RAW, QUIET
- Themes: CYBER_NOIR, MATRIX, BLOODMOON, ARCTIC, GOLDENROD, ECLIPSE, SYNTHWAVE, DARK, LIGHT, NEON, MINIMAL, DEFAULT
- Features: Progress bars, live dashboards, export to file, gradient banners, syntax highlighting
- Graceful degradation: Falls back to plain print when Rich is unavailable
Comprehensive security report generation:
-
Input: Raw findings list or
KnowledgeGraphquery - Sections: Executive summary, methodology, findings (by severity), evidence, remediation, appendix
- Formats: MARKDOWN (structured), HTML (interactive dashboard with CSS/JS), JSON (programmatic), SARIF (tool interoperability)
-
CVSS: Integrated
CVSSScorerfor vulnerability scoring enrichment - Configuration: Title, author, company, section toggles, scoring options
Semantic memory system:
- Embeddings: Generated via OpenAI, Ollama, or simulated (cosine similarity)
-
Experience Storage: Vector store with
(embedding, metadata, timestamp)tuples - Similarity Search: Cosine similarity for finding related past experiences
- Feedback Loop: Past experiences influence current planning decisions
-
Persistence: Experiences saved to
~/.siyarix/memory/
Multi-agent orchestration for complex campaigns:
-
SpecializedAgent base class with
analyze()async method -
Agent Roles:
ReconAgent(discovery),ExploitAgent(vulnerability validation),ReportAgent(findings synthesis) - SwarmRouter: Task decomposition, agent dispatch, result aggregation
- Campaign Flow: Recon → Exploit → Report with handoff between phases
Note
👋 Welcome to Siyarix! This is a personal passion project built by a single developer. It's currently under active development and growing fast. Expect rough edges, but lots of love! ❤️
Welcome to the Siyarix Documentation Map! This page serves as your master compass for navigating the extensive documentation we have built for the platform.
Whether you are a brand new user, a seasoned security operator, or a developer looking to contribute to the core engine, you can find exactly what you need here.
Not sure where to start? Pick the path that best describes you:
Just getting started? We highly recommend following these guides in order:
- Installation Guide — Get Siyarix running on your machine.
- Onboarding Wizard — Let our interactive wizard help you set up your API keys and environment.
- Setup & Configuration — A deeper dive into customizing your setup.
- Your First Run — A gentle walkthrough of your very first Siyarix command.
Ready to put Siyarix to work? Dive into our operational guides:
- Interactive Chat (REPL) — Learn how to use the powerful interactive terminal.
- Security Workflows — Best practices for recon, vulnerability assessment, and incident response.
- Cloud & IaC Scanning — How to secure your cloud environments and infrastructure code.
- Compliance Frameworks — Map your scans to SOC 2, HIPAA, ISO 27001, and more.
Looking under the hood or wanting to write some code? Start here:
- Contribution Guide — Our workflow, standards, and how you can help!
- Codebase Overview — A comprehensive map of our 82+ source modules.
- Testing Standards — How we ensure reliability with pytest and CI/CD.
- Module Architecture — Component design and responsibilities.
If you prefer to browse the raw structure, here is a complete layout of the docs/ folder:
docs/
├── 🚀 getting-started/ # Installation, onboarding, and configuration
│ ├── installation.md # Multi-platform install (pip, brew, winget, docker)
│ ├── onboarding.md # The interactive 11-step setup wizard
│ ├── setup.md # Managing API keys, credentials, and settings
│ ├── first-run.md # A walkthrough of your first session
│ ├── configuration.md # A deep-dive into advanced settings
│ └── troubleshooting.md # Common issues and how to fix them instantly
│
├── 📖 user/ # Daily operations and workflows
│ ├── cli-commands.md # Reference for 50+ CLI commands across 12 groups
│ ├── interactive-chat.md # Mastering the AI REPL and 54+ slash commands
│ ├── security-workflows.md # Recon, vulnerability assessment, incident response
│ ├── cloud-scanning.md # Multi-cloud security scanning (under development)
│ ├── compliance.md # Framework mapping (SOC 2, NIST, GDPR, PCI-DSS)
│ ├── threat-intelligence.md# Integrations with OTX, NVD, and MITRE ATT&CK
│ ├── playbooks.md # Building automated YAML-based IR playbooks
│ ├── workflow-files.md # DAG workflow reference (programmatic API)
│ ├── reporting.md # Multi-format report generation
│ ├── offline-registry.md # Running without AI (Offline/Registry execution mode)
│ └── ai-workflows.md # Advanced AI-driven autonomous operations
│
├── 💻 developer/ # Building, testing, and extending Siyarix
│ ├── codebase-overview.md # Full module structure mapping
│ ├── contribution-guide.md # How to submit PRs and our coding standards
│ ├── module-architecture.md# Component design and responsibilities
│ ├── testing.md # Writing tests (pytest), coverage, and CI/CD
│ └── building.md # Packaging, distribution, and Docker builds
│
├── 🏗️ architecture/ # System design and core internals
│ ├── overview.md # High-level data flow and layered orchestration
│ ├── ai-agent-pipeline.md # The AgentCore reasoning and execution pipeline
│ ├── provider-abstraction.md# How we unify 26 different AI providers
│ ├── execution-engine.md # Plan-based step orchestration
│ ├── memory-and-state.md # Knowledge graph, session persistence, and learning
│ ├── security-model.md # The Permission Gate, DLP, audit logging, and OPSEC
│ └── intent-routing.md # Semantic intent classification and routing
│
├── 🧠 ai/ # Deep dive into the AI provider & agent systems
│ ├── routing.md # Managing 26 providers, failovers, and circuit breakers
│ ├── persona-system.md # Overview of our 10 security personas
│ ├── agent-reasoning.md # The Observe-Reason-Act loop and tool call repair
│ ├── tool-execution.md # The tool registry, capability graph, and parsers
│ ├── ensemble.md # Parallel LLM voting strategies
│ ├── multi-wave.md # Iterative goal execution with context carry-over
│ ├── prompt-architecture.md# System prompt design and management
│ └── safety.md # Our rigorous 8-layer hallucination mitigation system
│
├── 🛡️ security/ # Safety, ethics, and threat models
│ ├── reporting.md # How to safely report vulnerabilities to us
│ ├── threat-model.md # System threat model and our mitigations
│ ├── operational-security.md# TOR routing, stealth modes, and OPSEC controls
│ ├── ethical-policy.md # Mandatory rules of engagement for all users
│ └── abuse-prevention.md # How we prevent misuse of the AI engine
│
└── ⚖️ legal/ # Licensing and governance
├── agpl-guide.md # A plain-English overview of the AGPL-3.0-or-later license
├── why-agpl.md # The philosophy behind our license choice
├── trademark-policy.md # Branding and trademark guidelines
├── responsible-ai.md # Our framework for ethical AI usage
├── disclaimer.md # Important legal disclaimers
└── plugin-exception.md # The license exception for building custom plugins
As you read through the documentation, you might encounter some specific terms. Here is a quick cheat sheet:
| Term | What It Means |
|---|---|
| Provider | The backend AI engine powering Siyarix (e.g., OpenAI, Anthropic, Ollama). |
| Tool | A traditional security executable installed on your system (e.g., nmap, nuclei). |
| Plan | A step-by-step sequence of tool commands intelligently generated by the AI. |
| Workflow | A hardcoded, predefined execution path (usually defined in YAML/JSON) that doesn't require AI generation. |
| Persona | A specialized behavioral profile given to the AI (e.g., instructing it to act specifically as a "Network Recon Specialist"). |
| Knowledge Graph | Siyarix's internal memory where it stores findings (like IP addresses, open ports) to contextually inform future steps. |
Need help finding something specific? Feel free to use the search bar at the top of the documentation site, or open a discussion on our GitHub!