## https://sploitus.com/exploit?id=B44BF9AF-777E-5DC6-86A6-6564A9C01A54
# π² Mythos Preview
### Multi-agent vulnerability discovery harness for Claude Code
*Built for operators who want **findings with PoCs, not paragraphs of "potentially"**.*
**π¬π§ English** Β· [π«π· FranΓ§ais](README.fr.md)
[](docs/V1-ACCEPTANCE.md)
[](tests/)
[](docs/SECURITY.md)
[](https://code.claude.com/docs/fr/sub-agents)
[](docs/OPERATIONS.md)
[](LICENSE)
---
## What it does
You point Mythos at a repository. Eight specialized agents pick it apart in parallel, each chasing one vulnerability class through one function at a time. Hunters write proof-of-concept exploits, compile them in a hardened Docker sandbox, and execute them. An adversarial validator generates **its own independent PoC** for every claim and drops anything that doesn't reproduce twice.
What you get is a `report.md` of bugs you can act on β each one backed by a runnable PoC, ordered by severity Γ reachability. No "may", no "potentially", no "in theory".
## The pipeline
```
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β CLAUDE CODE Β· /mythos start β
ββββββββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββββββ
βΌ
βββββ 1. RECON βββββ arch + build + 100-500 narrow tasks
β mythos-recon β βββββββββββββββββββββββββββββββββββββββββββββΊ architecture.md
β spawns scouts Γ Nβ task-queue.jsonl
ββββββββββββββββββββ
βΌ
βββββ 2. HUNT ββββββ 50 hunters Γ Opus + effort=max, in parallel
β mythos-hunt-lead β βββββββββββββββββββββββββββββββββββββββββββββΊ findings.jsonl
β spawns hunters β each writes PoC, runs in Docker sandbox coverage.jsonl
β Γ 50 β no PoC = no finding (schema-enforced) poc/F-XXX/
ββββββββββββββββββββ
βΌ βββββ 4. GAPFILL βββββ
βββββ 3. VALIDATE ββ devil's advocate. β spots coverage β
β mythos-validate β writes INDEPENDENT β gaps, requeues β
β no Agent tool β β PoC. drops on disagreement.ββββββββββ¬βββββββ
β (anti-correlation)β β² β loop Γ3
ββββββββββββββββββββ βββββββββββββ
βΌ
βββββ 5. DEDUPE ββββ ββΊ dedup-clusters.json
βββββ 6. TRACE βββββ€ 1 tracer per consumer repo βββββββββΊ traces/*.json
β mythos-trace β "is this REACHABLE from outside?"
βββββ 7. FEEDBACK ββ€ reachable β new Hunt tasks ββββ loop Γ1
βββββ 8. REPORT ββββ€ ββΊ report.md + report.json (schema-validated)
ββββββββββββββββββββ
```
## The big numbers
| | |
|---:|:---|
| **12** | specialized Claude Opus 4.7 agents (8 leads + 4 workers) |
| **23** | supported bug classes (SQLi, SSRF, deserialization, JWT confusion, UAF, OOB R/W, IDOR, BFLA, mass-assignment, prototype pollution, SSTI, race condition, double-free, format string, β¦) |
| **39** | curated cybersecurity skills, audited before install |
| **9** | stacked Docker security layers (seccomp + AppArmor + cap-drop + read-only + non-root + no-network + cgroup-ns + ulimits + pids_limit) |
| **8** | JSON schemas, Draft 2020-12, strict (`additionalProperties: false`) |
| **6** | red-team escape attempts β **all blocked** |
| **436** | tests passing (unit + integration + red-team) |
| **20** | documented threats with explicit mitigations |
| **100%** | code coverage on the critical data-safety modules (paths, locking, redact) |
| **0** | findings without a working PoC |
---
## π¬ How Mythos works β deep technical walkthrough
This section explains the internal mechanics for engineers who want to understand or extend the harness.
### Why 8 phases instead of one big agent?
A single agent pointed at a repository drifts. It picks a thread, follows it, runs out of context, and forgets the other 95% of the surface. Mythos instead **decomposes the problem along two axes** at once:
1. **Phase axis** (vertical) β Recon establishes shared context; Hunt finds claims; Validate destroys claims; Gapfill widens; Dedupe collapses; Trace contextualizes; Feedback closes the loop; Report ships.
2. **Worker axis** (horizontal) β each phase that does real work fans out to many narrow workers, each scoped to *one bug class Γ one function*. The lead agent does not analyze code; it only coordinates.
This decoupling means the agent that finds a bug is **different** from the agent that confirms it, which is **different** from the agent that traces its reachability. Each is the right tool for its question.
### Agent topology
```
/mythos skill (orchestrator)
β
ββββββββββββββββββββββββββΌβββββββββββββββββββββββββ
β β β
8 LEADS 12 AGENTS 4 WORKERS
(one per phase) total (do the work)
β β
ββ mythos-recon βββspawns NβββββΊ mythos-scout
ββ mythos-hunt-lead ββlaunches via subprocessβββΊ mythos-hunter Γ 50
β β
β ββspawnsβββΊ mythos-explorer
ββ mythos-validate (no Agent tool β anti-correlation)
ββ mythos-gapfill (reads coverage gaps, requeues)
ββ mythos-dedupe (clusters findings by root cause)
ββ mythos-trace ββββspawns MβββββΊ mythos-tracer (one per consumer repo)
ββ mythos-feedback (turns reachable traces into new tasks)
ββ mythos-report (schema-validated final output)
```
Every agent runs **Claude Opus 4.7 with `effort: max`**. The model file lists 11 of the 12 agents as standard Claude Code sub-agents; the 50 parallel hunters are spawned as **separate `claude --agent mythos-hunter -p "..."` subprocesses** via a Python launcher script β this is how we get true 50-wide parallelism while staying within sub-agent semantics.
### The anti-correlation principle
The single highest-impact design choice in Mythos is: **the agent that confirms a finding is not allowed to use the tools that created it**.
`mythos-validate`'s frontmatter declares `tools: Read, Bash, Write` β there is **no `Agent` tool**. It cannot spawn helpers. It cannot ask another model to second-opinion. It must read the source code independently, write its own PoC from scratch, execute it in the sandbox, and only then look at the hunter's claim. A finding survives only if **both PoCs reproduce the same root cause**.
The structural test `test_validate_lead_does_not_have_agent_tool` enforces this at the file level β it would fail the build if someone accidentally widened Validate's toolset.
### The "no PoC = no finding" gate
`finding.schema.json` declares:
```json
"confidence": {
"type": "string",
"enum": ["poc-confirmed"]
}
```
The enum has **exactly one value**. There is no `suspected`, no `theoretical`, no `medium-confidence`. A finding without a working PoC cannot serialize to a schema-valid record, so it cannot enter `findings.jsonl`. This is the structural mechanism behind the "no paragraphs of potentially" promise.
When a hunter exhausts its 5 hypothesis-revision iterations without a successful PoC execution, it writes **only** a `coverage.jsonl` record (which uses a different schema) and exits with `NO_FINDING`. The bug never reaches Validate.
### The sandbox β 9 stacked layers
When a hunter executes a PoC, the container is constrained by:
| Layer | Mechanism | Threat it stops |
|---|---|---|
| 1 | `cap_drop=ALL` | All Linux capabilities revoked β `CAP_SETUID`, `CAP_SYS_ADMIN`, `CAP_NET_ADMIN`, etc. |
| 2 | `no-new-privileges=true` | SUID binaries inside the container cannot escalate |
| 3 | Custom seccomp profile | ~190 syscalls whitelisted; `mount`, `ptrace`, `bpf`, `setns`, `unshare`, `kexec_*`, kernel module ops β all denied |
| 4 | AppArmor profile (Linux only) | Deny rules for `/proc/sysrq-trigger`, `/sys/kernel/security`, `/etc/shadow`, `/root/**` |
| 5 | `read_only=True` root FS | Container cannot persist writes outside two tmpfs mounts |
| 6 | `user=1000:1000` | Runs as a dedicated non-root user (UID 1000) |
| 7 | `network_mode=none` | Zero outbound network by default; OAST callbacks use an isolated internal network |
| 8 | Resource limits | `pids_limit=100`, `mem_limit=512m`, `cpu_quota=100000` (= 1 CPU), `ulimit nofile=256 nproc=200` |
| 9 | `cgroupns=private` | Container has its own cgroup namespace |
The red-team test suite verifies each layer independently. 6 escape attempts (`/etc/passwd` isolation, `setuid(0)`, fork bomb, network egress, `docker.sock` access, `mount` syscall) β **all 6 blocked**.
### What happens inside one hunter
```
INPUT (from launch_hunters.py via --prompt):
task = {
task_id: "T-A1B2",
class: "sql-injection",
scope: "src/api/users.py:update_profile",
subsystem: "api",
trust_boundary: "HTTP request",
priority: 1,
status: "in_progress"
}
architecture_md_excerpt = ""
WORKFLOW (max 50 turns, hard timeout 600s):
1. Parse task.class β lookup bug-class-mapping.json β "exploiting-sql-injection-vulnerabilities"
2. Invoke Skill(exploiting-sql-injection-vulnerabilities) β loads expert workflow
3. Read bug-class metadata at .claude/agents/mythos/bug-classes/sql-injection.md
(indicators, hunting hints, PoC strategy)
4. Read the target file/function + β€ 5 related files
5. Form an exploitability hypothesis
6. (Optional) Spawn mythos-explorer for one deep dive
7. Write PoC to .mythos/poc/F-/{run.sh, source., expected.log}
8. Execute: python mythos_sandbox.py run F-
9. Read result. Iterate 4-8 up to 5 times.
10. Confirmed β append to findings.jsonl (file-locked, append-only)
Failed β append only to coverage.jsonl, exit NO_FINDING
OUTPUT contract:
- findings.jsonl line MUST validate against finding.schema.json
- coverage.jsonl line MUST validate against coverage.schema.json
- PostToolUse hook validate_write.py rejects writes outside allowed paths
- PreToolUse hook validate_bash.py rejects 22 catastrophic command patterns
```
The hunter is intentionally narrow. It does **not** explore the architecture β `mythos-recon` did that. It does **not** decide what to chase β `mythos-hunt-lead` assigned it one task. It does **not** judge severity in isolation β `mythos-validate` will reproduce it. This narrowness is what makes 50 hunters in parallel productive instead of redundant.
### Cross-process safety
Mythos runs as a single Claude Code conversation but spawns **51+ concurrent processes** during Hunt (`mythos-hunt-lead` + 50 hunters via `claude --agent`) plus 50 ephemeral Docker containers. The state directory `.mythos/` is shared between all of them. Three mechanisms keep it consistent:
| File | Concurrency strategy |
|---|---|
| `findings.jsonl`, `coverage.jsonl`, `task-queue.jsonl` | Append-only, every append goes through `AtomicJsonlAppender` (uses `filelock`, OS-level locks via `LockFileEx` on Windows / `fcntl` elsewhere) |
| `run.json`, `dedup-clusters.json`, `symbols.json` | Atomic overwrite via `write to tmp β os.replace()` |
| `.mythos/poc/F-/` | One directory per finding, never shared. No locking needed. |
The 20-thread concurrent-append test in `test_locking.py` verifies that 20 simultaneous workers can each append 5 records without losing or corrupting any line.
### State integrity & resume
Before each phase, `snapshot_run.py`:
1. Computes a **SHA-256 hash chain** over every file in `.mythos/` (excluding `snapshots/` itself)
2. Writes a `.tar.gz` snapshot of the current state under `.mythos/snapshots/pre--.tar.gz`
3. Updates `run.json` with the new phase + the new hash
If the operator runs `/mythos resume` later, the orchestrator:
1. Reads `run.json`, recomputes the hash chain, **refuses to proceed if the chain doesn't match** (state was modified out-of-band)
2. Restores the snapshot taken just before the last incomplete phase
3. Continues the pipeline from that phase
This means a session crash mid-Hunt is non-fatal: the operator loses the in-flight hunters' work but everything previous (Recon, prior validated batches) is intact.
### Why JSON Schema Draft 2020-12 + `additionalProperties: false`
Strict schemas make the data layer **executable specification**. The schema is the contract. If a future contributor changes `mythos-hunter.md`'s output without updating the schema, the next write call fails loudly. The 8 schemas are validated against the JSON Schema meta-schema at construction time (`Draft202012Validator.check_schema`) β so a malformed schema fails on import, not at first use.
`additionalProperties: false` everywhere means a hunter cannot "improvise" extra fields. If a model invents `{ "confidence": "high-but-not-poc" }` to dodge the strict enum, the line is rejected before being written.
### Cross-platform Python everything
All scripts are Python 3.10+. Cross-platform paths via `pathlib`. Cross-platform locking via `filelock` (uses `LockFileEx` on Windows, `fcntl` elsewhere). Cross-platform Docker via `docker-py`. Cross-platform process management via `psutil`. The seccomp profile is loaded **inline as JSON content** in `security_opt` rather than as a file path because Docker Desktop on Windows with WSL2 backend cannot reliably read `/mnt/c/...` paths for seccomp profiles β a quirk discovered during the red-team validation phase.
### What about secret leakage?
`redact.py` ships with patterns for AWS access keys, GitHub tokens (`gh{p,o,u,s,r}_β¦`), Stripe live/test keys, JWTs, PEM private keys, and `.env`-style `KEY=value` lines with high-entropy values β₯ 16 chars. The `validate_write.py` PostToolUse hook scans every Write/Edit content; if a pattern matches, the write is downgraded to a warning (not blocked, because a hunter may legitimately include a high-entropy payload in a PoC) but emits an audit log entry.
The audit log `.mythos/audit.jsonl` is append-only and survives `/mythos clean` (unless `--all` is passed). Every security-relevant event is recorded with a timestamp.
---
## Quick start
```bash
# 1. Prereqs (Win/Mac/Linux)
pip install -r .claude/agents/mythos/scripts/requirements.txt
docker build -t mythos-multilang:1.0.0 \
.claude/agents/mythos/docker/ \
-f .claude/agents/mythos/docker/Dockerfile.multilang
python .claude/agents/mythos/scripts/install_skills.py
# 2. Verify
python .claude/agents/mythos/scripts/preflight.py
python .claude/agents/mythos/scripts/disclaimer.py --accept
# 3. Run
claude
```
In Claude Code:
```
/mythos start ./your-target-repo
```
Then sit back. Mythos snapshots the state before each phase, computes a SHA-256 hash chain over the workspace, and writes an append-only audit log. If you Ctrl-C halfway through, `/mythos resume` picks up where you left off.
## Why it's different from "point an AI at a repo and ask for vulns"
| Naive approach | Mythos |
|---|---|
| One agent tries to find everything | 50 hunters in parallel, each scoped to ONE bug class Γ ONE function |
| "Potentially exploitable" β human triage | Schema-enforced `confidence: poc-confirmed` only |
| Same model reviews its own work | `mythos-validate` is **denied the `Agent` tool** β it writes an independent PoC from scratch |
| PoC runs on your machine | Hardened ephemeral Docker container, 9 isolation layers |
| Secrets leak into reports | `redact.py` pipeline scrubs AWS/GitHub/Stripe/JWT/PEM/.env before any write |
| Catastrophic commands ride along | `PreToolUse` hook blocks 22 patterns (`rm -rf /`, `~/.ssh/*`, `docker.sock`, sudo, β¦) |
## Documentation
| | |
|---|---|
| π [**OPERATIONS.md**](docs/OPERATIONS.md) | Install, configure, run, monitor, recover |
| π οΈ [**DEVELOPMENT.md**](docs/DEVELOPMENT.md) | Add bug classes, agents, hooks, fixtures |
| π‘οΈ [**SECURITY.md**](docs/SECURITY.md) | 20-threat model with mitigations + audit log |
| β [**V1-ACCEPTANCE.md**](docs/V1-ACCEPTANCE.md) | 16-criterion ship checklist |
| π [**Design spec**](docs/superpowers/specs/2026-05-25-mythos-preview-design.md) | Full 1,400-line architecture document |
| π [**Plans 1-8**](docs/superpowers/plans/) | Implementation plans, ~15K lines total |
## β οΈ Dual-use disclaimer
Mythos generates **functional, weaponized exploit code**. Use only on:
1. Code you own
2. Code in scope of an authorized bug bounty
3. Code under signed pen-test engagement
4. Code in authorized security research
Unauthorized use is illegal in most jurisdictions. First-run requires explicit `disclaimer.py --accept`.
## Status
**V1 ship-ready** β see [V1-ACCEPTANCE.md](docs/V1-ACCEPTANCE.md). Tag: `mythos-v1-ship`.
## License
Apache 2.0 β see [LICENSE](LICENSE). Vendored cybersecurity skills retain their original licenses.
---
*Findings, not paragraphs.*