feat: OWASP WSTG methodology alignment & TUI live status

.gitignore

@@ -97,3 +97,4 @@ Thumbs.db
 schema.graphql
 
 .opencode/
+/test_run.sh

strix/agents/StrixAgent/strix_agent.py

@@ -57,31 +57,45 @@ async def execute_scan(self, scan_config: dict[str, Any]) -> dict[str, Any]:  #
             elif target_type == "ip_address":
                 ip_addresses.append(details["target_ip"])
 
-        task_parts = []
+        target_lines = []
 
         if repositories:
-            task_parts.append("\n\nRepositories:")
             for repo in repositories:
                 if repo["workspace_path"]:
-                    task_parts.append(f"- {repo['url']} (available at: {repo['workspace_path']})")
+                    target_lines.append(f'  <target type="repository">{repo["url"]} (code at: {repo["workspace_path"]})</target>')
                 else:
-                    task_parts.append(f"- {repo['url']}")
+                    target_lines.append(f'  <target type="repository">{repo["url"]}</target>')
 
         if local_code:
-            task_parts.append("\n\nLocal Codebases:")
-            task_parts.extend(
-                f"- {code['path']} (available at: {code['workspace_path']})" for code in local_code
-            )
+            for code in local_code:
+                target_lines.append(f'  <target type="local_code">{code["path"]} (code at: {code["workspace_path"]})</target>')
 
         if urls:
-            task_parts.append("\n\nURLs:")
-            task_parts.extend(f"- {url}" for url in urls)
+            for url in urls:
+                target_lines.append(f'  <target type="url">{url}</target>')
 
         if ip_addresses:
-            task_parts.append("\n\nIP Addresses:")
-            task_parts.extend(f"- {ip}" for ip in ip_addresses)
-
-        task_description = " ".join(task_parts)
+            for ip in ip_addresses:
+                target_lines.append(f'  <target type="ip">{ip}</target>')
+
+        targets_block = "\n".join(target_lines)
+
+        has_code = bool(repositories or local_code)
+        has_urls = bool(urls or ip_addresses)
+        if has_code and has_urls:
+            mode = "COMBINED MODE (code + deployed target)"
+        elif has_code:
+            mode = "WHITE-BOX (source code provided)"
+        else:
+            mode = "BLACK-BOX (URL/domain targets)"
+
+        task_description = (
+            f"<scan_task>\n"
+            f"<targets>\n{targets_block}\n</targets>\n"
+            f"<mode>{mode}</mode>\n"
+            f"<action>Begin security assessment NOW. Your first tool call must be create_agent to spawn context-gathering subagents for the targets listed above. Do NOT call wait_for_message — the targets are already specified.</action>\n"
+            f"</scan_task>"
+        )
 
         if user_instructions:
             task_description += f"\n\nSpecial instructions: {user_instructions}"

strix/agents/base_agent.py

@@ -321,6 +321,13 @@ async def _initialize_sandbox_and_state(self, task: str) -> None:
         sandbox_mode = os.getenv("STRIX_SANDBOX_MODE", "false").lower() == "true"
         if not sandbox_mode and self.state.sandbox_id is None:
             from strix.runtime import get_runtime
+            from strix.telemetry.tracer import get_global_tracer
+
+            tracer = get_global_tracer()
+            if tracer:
+                tracer.update_agent_system_message(
+                    self.state.agent_id, "Setting up sandbox environment..."
+                )
 
             try:
                 runtime = get_runtime()
@@ -355,6 +362,9 @@ async def _initialize_sandbox_and_state(self, task: str) -> None:
     async def _process_iteration(self, tracer: Optional["Tracer"]) -> bool:
         final_response = None
 
+        if tracer:
+            tracer.update_agent_system_message(self.state.agent_id, "Thinking...")
+
         async for response in self.llm.generate(self.state.get_conversation_history()):
             final_response = response
             if tracer and response.content:
@@ -396,8 +406,30 @@ async def _process_iteration(self, tracer: Optional["Tracer"]) -> bool:
         )
 
         if actions:
+            if tracer:
+                tool_names = [a.get("toolName") or a.get("tool_name") or "tool" for a in actions]
+                display_names = tool_names[:2]
+                overflow = len(tool_names) - 2
+                suffix = f" +{overflow} more" if overflow > 0 else ""
+                tracer.update_agent_system_message(
+                    self.state.agent_id, f"Executing {', '.join(display_names)}{suffix}..."
+                )
             return await self._execute_actions(actions, tracer)
 
+        if tracer:
+            tracer.update_agent_system_message(self.state.agent_id, "Processing response...")
+
+        corrective_message = (
+            "You responded with plain text instead of a tool call. "
+            "While the agent loop is running, EVERY response MUST be a tool call. "
+            "Do NOT send plain text messages. Act via tools:\n"
+            "- Use the think tool to reason through problems\n"
+            "- Use create_agent to spawn subagents for testing\n"
+            "- Use terminal_execute to run commands\n"
+            "- Use wait_for_message ONLY when waiting for subagent results\n"
+            "Review your task and take action now."
+        )
+        self.state.add_message("user", corrective_message)
         return False
 
     async def _execute_actions(self, actions: list[Any], tracer: Optional["Tracer"]) -> bool:
@@ -472,33 +504,17 @@ def _check_agent_messages(self, state: AgentState) -> None:  # noqa: PLR0912
                             sender_name = "User"
                             state.add_message("user", message.get("content", ""))
                         else:
+                            sender_name = sender_id or "Unknown"
                             if sender_id and sender_id in _agent_graph.get("nodes", {}):
                                 sender_name = _agent_graph["nodes"][sender_id]["name"]
 
-                            message_content = f"""<inter_agent_message>
-    <delivery_notice>
-        <important>You have received a message from another agent. You should acknowledge
-        this message and respond appropriately based on its content. However, DO NOT echo
-        back or repeat the entire message structure in your response. Simply process the
-        content and respond naturally as/if needed.</important>
-    </delivery_notice>
-    <sender>
-        <agent_name>{sender_name}</agent_name>
-        <agent_id>{sender_id}</agent_id>
-    </sender>
-    <message_metadata>
-        <type>{message.get("message_type", "information")}</type>
-        <priority>{message.get("priority", "normal")}</priority>
-        <timestamp>{message.get("timestamp", "")}</timestamp>
-    </message_metadata>
-    <content>
+                            message_content = f"""<agent_message
+from="{sender_name}"
+id="{sender_id}"
+type="{message.get("message_type", "information")}"
+priority="{message.get("priority", "normal")}">
 {message.get("content", "")}
-    </content>
-    <delivery_info>
-        <note>This message was delivered during your task execution.
-        Please acknowledge and respond if needed.</note>
-    </delivery_info>
-</inter_agent_message>"""
+</agent_message>"""
                             state.add_message("user", message_content.strip())
 
                         message["read"] = True

strix/agents/state.py

@@ -43,9 +43,7 @@ def increment_iteration(self) -> None:
         self.iteration += 1
         self.last_updated = datetime.now(UTC).isoformat()
 
-    def add_message(
-        self, role: str, content: Any, thinking_blocks: list[dict[str, Any]] | None = None
-    ) -> None:
+    def add_message(self, role: str, content: Any, thinking_blocks: list | None = None) -> None:
         message = {"role": role, "content": content}
         if thinking_blocks:
             message["thinking_blocks"] = thinking_blocks

strix/interface/tool_components/thinking_renderer.py

@@ -23,7 +23,8 @@ def render(cls, tool_data: dict[str, Any]) -> Static:
         text.append("\n  ")
 
         if thought:
-            text.append(thought, style="italic dim")
+            indented_thought = "\n  ".join(thought.split("\n"))
+            text.append(indented_thought, style="italic dim")
         else:
             text.append("Thinking...", style="italic dim")
 

strix/interface/tui.py

@@ -1036,13 +1036,39 @@ def _merge_renderables(renderables: list[Any]) -> Text:
             if i > 0:
                 combined.append("\n")
             StrixTUIApp._append_renderable(combined, item)
-        return combined
+        return StrixTUIApp._sanitize_text_spans(combined)
+
+    @staticmethod
+    def _sanitize_text_spans(text: Text) -> Text:
+        plain = text.plain
+        plain_len = len(plain)
+
+        if plain_len == 0 or not text.spans:
+            return text
+
+        sanitized = Text(
+            plain,
+            style=text.style,
+            justify=text.justify,
+            overflow=text.overflow,
+            no_wrap=text.no_wrap,
+            end=text.end,
+            tab_size=text.tab_size,
+        )
+
+        for span in text.spans:
+            start = max(0, min(span.start, plain_len))
+            end = max(0, min(span.end, plain_len))
+            if end > start:
+                sanitized.stylize(span.style, start, end)
+
+        return sanitized
 
     @staticmethod
     def _append_renderable(combined: Text, item: Any) -> None:
         """Recursively append a renderable's text content to a combined Text."""
         if isinstance(item, Text):
-            combined.append_text(item)
+            combined.append_text(StrixTUIApp._sanitize_text_spans(item))
         elif isinstance(item, Group):
             for j, sub in enumerate(item.renderables):
                 if j > 0:
@@ -1087,7 +1113,7 @@ def _get_rendered_events_content(self, events: list[dict[str, Any]]) -> Any:
             return Text()
 
         if len(renderables) == 1 and isinstance(renderables[0], Text):
-            return renderables[0]
+            return self._sanitize_text_spans(renderables[0])
 
         return self._merge_renderables(renderables)
 
@@ -1123,7 +1149,7 @@ def _render_streaming_content(self, content: str, agent_id: str | None = None) -
         if not renderables:
             result = Text()
         elif len(renderables) == 1 and isinstance(renderables[0], Text):
-            result = renderables[0]
+            result = self._sanitize_text_spans(renderables[0])
         else:
             result = self._merge_renderables(renderables)
 
@@ -1215,14 +1241,19 @@ def keymap_styled(keys: list[tuple[str, str]]) -> Text:
             return (Text(" "), keymap, False)
 
         if status == "running":
+            sys_msg = agent_data.get("system_message", "")
             if self._agent_has_real_activity(agent_id):
                 animated_text = Text()
                 animated_text.append_text(self._get_sweep_animation(self._sweep_colors))
+                if sys_msg:
+                    animated_text.append(sys_msg, style="dim italic")
+                    animated_text.append("  ", style="dim")
                 animated_text.append("esc", style="white")
                 animated_text.append(" ", style="dim")
                 animated_text.append("stop", style="dim")
                 return (animated_text, keymap_styled([("ctrl-q", "quit")]), True)
-            animated_text = self._get_animated_verb_text(agent_id, "Initializing")
+            msg = sys_msg or "Initializing..."
+            animated_text = self._get_animated_verb_text(agent_id, msg)
             return (animated_text, keymap_styled([("ctrl-q", "quit")]), True)
 
         return (None, Text(), False)
@@ -1394,7 +1425,7 @@ def _animate_dots(self) -> None:
         if not has_active_agents:
             has_active_agents = any(
                 agent_data.get("status", "running") in ["running", "waiting"]
-                for agent_data in self.tracer.agents.values()
+                for agent_data in list(self.tracer.agents.values())
             )
 
         if not has_active_agents:
@@ -1655,12 +1686,26 @@ def _render_chat_content(self, msg_data: dict[str, Any]) -> Any:
         content = msg_data.get("content", "")
         metadata = msg_data.get("metadata", {})
 
-        if not content:
-            return None
-
         if role == "user":
+            if not content:
+                return None
             return UserMessageRenderer.render_simple(content)
 
+        renderables = []
+
+        if "thinking_blocks" in metadata and metadata["thinking_blocks"]:
+            from strix.interface.tool_components.thinking_renderer import ThinkRenderer
+
+            for block in metadata["thinking_blocks"]:
+                thought = block.get("thinking", "")
+                if thought:
+                    renderables.append(
+                        ThinkRenderer.render({"args": {"thought": thought}}).renderable
+                    )
+
+        if not content and not renderables:
+            return None
+
         if metadata.get("interrupted"):
             streaming_result = self._render_streaming_content(content)
             interrupted_text = Text()
@@ -1669,7 +1714,18 @@ def _render_chat_content(self, msg_data: dict[str, Any]) -> Any:
             interrupted_text.append("Interrupted by user", style="yellow dim")
             return self._merge_renderables([streaming_result, interrupted_text])
 
-        return AgentMessageRenderer.render_simple(content)
+        if content:
+            msg_renderable = AgentMessageRenderer.render_simple(content)
+            renderables.append(msg_renderable)
+
+        if not renderables:
+            return None
+
+        if len(renderables) == 1:
+            r = renderables[0]
+            return self._sanitize_text_spans(r) if isinstance(r, Text) else r
+
+        return self._merge_renderables(renderables)
 
     def _render_tool_content_simple(self, tool_data: dict[str, Any]) -> Any:
         tool_name = tool_data.get("tool_name", "Unknown Tool")