Share
## https://sploitus.com/exploit?id=C4EFCC73-7AA8-5FA4-B082-CE70B2B7F1CD
# Vantix

Vantix is a Codex-native offensive-security control plane for authorized CTF, King-of-the-Hill, pentest, bug bounty, CVE-intel, and learning-memory workflows. It runs from a normal user-owned clone directory, stores runtime state under the user profile by default, and does not require NFS, root-owned mounts, or private infrastructure.

## Core Capabilities

- Chat-first Vantix orchestrator for starting or continuing target-scoped runs.
- Specialist scheduler state for Recon, Knowledge Base, Vector Store, Researcher, Developer, Executor, and Reporter roles.
- FastAPI backend with run state, messages, approvals, artifacts, vectors, facts, memory, CVE, provider settings, benchmarks, and SSE stream endpoints.
- React/Vite UI with orchestrator chat, run sidebar, terminal stream, specialist timeline, target context, vector panel, memory/CVE panels, approvals, results, and runtime settings.
- Repo-local skill packs that compact agent prompts by role, mode, and run context.
- Agent handoff and attack-chain APIs for reviewable machine-readable state transfer.
- Dense autosaved memory records for compact session continuity and learning ingestion.
- Local CVE and vulnerability-intel cache with optional MCP server exposure.
- Optional provider records for future model routing; Codex OAuth/runtime remains the default execution mechanism.
- Generic remote cracking-node workflow for operator-owned hashcat workers.

## Quick Start

Interactive installer:

```bash
bash scripts/install-vantix.sh
```

The installer bootstraps the Python environment, frontend dependencies, `.env`, runtime paths, optional provider records, local CVE/MCP deployment, and a selected host tool suite. It prints embedded Vantix ASCII art, safety warnings, visible progress, and live command output for long-running steps. If the configured CVE API is already reachable, the installer reuses it instead of starting another local cve-search process.

At the end of installation you can install and start user-level systemd services for the API and UI:

```bash
systemctl --user status vantix-api.service vantix-ui.service
journalctl --user -u vantix-api.service -u vantix-ui.service -f
```

Updates are handled separately from installation. Install once, then update from GitHub with:

```bash
bash scripts/update-vantix.sh --check
bash scripts/update-vantix.sh
bash scripts/update-vantix.sh --verify
```

The updater fast-forwards from `origin/main`, blocks when local non-ignored changes are present, refreshes backend/frontend dependencies, verifies the install, and restarts services that were started with `bash scripts/vantixctl.sh start`.

Manual bootstrap:

```bash
python3 -m venv .venv
source .venv/bin/activate
python3 -m pip install --upgrade pip
python3 -m pip install -e ".[dev]"
cp .env.example .env
export SECOPS_API_TOKEN=dev
bash scripts/doctor.sh
bash scripts/secops-api.sh
```

API docs: `http://127.0.0.1:8787/docs`

Frontend:

```bash
cd frontend
corepack pnpm install
corepack pnpm dev
```

Open the UI and enter an authorized objective such as `Full test of 10.10.10.10`. Vantix creates a run, records the chat message, seeds specialist tasks, and streams run state back to the dashboard.

## User Workflow

1. Start the user systemd services selected during install, or start repo-local managed services with `bash scripts/vantixctl.sh start`.
2. Or start the API/UI manually with `bash scripts/secops-api.sh` and `bash scripts/secops-ui.sh`.
3. Open the UI and submit a scoped objective in Orchestrator Chat.
4. Review Specialists, Skill Packs, Agent Handoff, Vectors, Memory, CVE Intel, and Results.
5. Select a vector only when the evidence and scope are clear.
6. Add Operator Notes when a run needs human guidance.
7. Use Results and Report artifacts for final review.

For API-only operation, start with:

```bash
curl -s http://127.0.0.1:8787/api/v1/chat \
  -H 'Content-Type: application/json' \
  -d '{"message":"Full test of https://example.test","mode":"pentest"}'
```

Use the returned `run.id` for follow-up calls.

## Runtime Model

Generated state defaults to a per-user local state directory:

```text
${XDG_STATE_HOME:-$HOME/.local/state}/ctf-security-ops/-
```

This avoids SQLite locking issues and root-owned file drift on shared mounts. Reports/artifacts default to `$SECOPS_RUNTIME_ROOT/reports` unless `SECOPS_REPORTS_ROOT` or the legacy `SECOPS_ARTIFACTS_ROOT` alias is set.

| Variable | Purpose |
| --- | --- |
| `SECOPS_REPO_ROOT` | Project root. Defaults to this clone. |
| `SECOPS_RUNTIME_ROOT` | User-owned runtime data. Set this to force a custom local path. |
| `SECOPS_REPORTS_ROOT` | Reports/artifacts root for backend output. |
| `SECOPS_ARTIFACTS_ROOT` | Legacy reports/artifacts alias and shell-script output root. |
| `SECOPS_SHARED_ROOT` | Optional shared storage root. Not required. |
| `VANTIX_SKILLS_ROOT` | Optional override for repo-local skill packs. Defaults to `agent_skills/`. |
| `SECOPS_API_TOKEN` | Bearer token for protected API/MCP routes. |
| `VANTIX_SECRET_KEY` | Preferred encryption key for optional provider secrets. |
| `SECOPS_CODEX_BIN` | Codex CLI binary path/name. |
| `OPERATOR_NAME` | Generic operator label for lab-only workflows. |

Run `bash scripts/doctor.sh` if memory or artifact writes fail. Use `bash scripts/fix-permissions.sh --apply` only for project-owned runtime paths.

## API Highlights

- `POST /api/v1/chat`: create or continue a run from orchestrator chat.
- `GET /api/v1/system/status`: sanitized Codex/runtime/provider readiness.
- `GET /api/v1/system/install-status`: file-backed installer/bootstrap state.
- `GET /api/v1/runs/{run_id}/messages`: durable chat history.
- `GET /api/v1/runs/{run_id}/vectors`: candidate validation/exploit vectors.
- `POST /api/v1/runs/{run_id}/vectors`: insert a manual vector.
- `POST /api/v1/runs/{run_id}/vectors/{vector_id}/select`: mark a vector planned and trigger replan.
- `GET /api/v1/skills`: installed skill-pack catalog.
- `GET /api/v1/runs/{run_id}/skills`: selected skill packs and prompt files per agent.
- `POST /api/v1/runs/{run_id}/skills/apply`: re-run skill selection.
- `GET /api/v1/runs/{run_id}/handoff`: dense run handoff for agent continuation.
- `GET/POST /api/v1/runs/{run_id}/attack-chains`: modeled attack paths for planning/review.
- `GET /api/v1/runs/{run_id}/results`: findings, artifacts, vectors, terminal summary, and report path.
- `GET/POST /api/v1/providers`: optional provider records without secret leakage.
- `GET /api/v1/tools`: registered tool readiness and paths.
- `GET /api/v1/tools/suites`: installable tool suite definitions.
- `POST /api/v1/tools/install`: install or dry-run install allowlisted tools.
- `GET /api/v1/tools/install/history`: recent installer/tool actions.

### Chat Usage

Start a run:

```bash
curl -s http://127.0.0.1:8787/api/v1/chat \
  -H 'Content-Type: application/json' \
  -d '{"message":"Full test of 10.10.10.10","mode":"pentest"}'
```

Continue or replan a run:

```bash
curl -s http://127.0.0.1:8787/api/v1/chat \
  -H 'Content-Type: application/json' \
  -d '{"run_id":"","message":"Prioritize low-noise web validation and refresh CVE context."}'
```

### Skill Packs

Vantix loads compact skill packs from `agent_skills/` and applies them to each specialist based on role, mode, and current run facts. This keeps agent prompts shorter and makes final notes more machine-readable.

List installed packs:

```bash
curl -s http://127.0.0.1:8787/api/v1/skills
```

Review selected packs for a run:

```bash
curl -s http://127.0.0.1:8787/api/v1/runs//skills
```

Reapply skills after adding notes, vectors, or new facts:

```bash
curl -s -X POST http://127.0.0.1:8787/api/v1/runs//skills/apply
```

Prompt files are written under:

```text
$SECOPS_RUNTIME_ROOT/runs//prompts/
```

Skill authoring details are in `docs/skill-authoring.md`.

### Handoffs

The handoff endpoint produces dense continuation state for another agent or session:

```bash
curl -s http://127.0.0.1:8787/api/v1/runs//handoff
```

The same payload is mirrored to:

```text
$SECOPS_RUNTIME_ROOT/runs//handoffs/current.json
```

Use this before switching agents, pausing a session, or restarting work.

### Attack Chains

Attack chains model candidate paths without requiring immediate execution.

Create a chain:

```bash
curl -s http://127.0.0.1:8787/api/v1/runs//attack-chains \
  -H 'Content-Type: application/json' \
  -d '{"name":"Recon to validated finding","score":70,"steps":[{"phase":"recon"},{"phase":"validate"}],"notes":"Evidence-backed candidate path."}'
```

List chains:

```bash
curl -s http://127.0.0.1:8787/api/v1/runs//attack-chains
```

### Vectors

Vectors are stored as run facts with `kind="vector"` and are used by the orchestrator to decide what to validate next.

Create a manual vector:

```bash
curl -s http://127.0.0.1:8787/api/v1/runs//vectors \
  -H 'Content-Type: application/json' \
  -d '{"title":"Manual validation path","summary":"operator supplied","confidence":0.8,"next_action":"validate safely"}'
```

Select a vector:

```bash
curl -s -X POST http://127.0.0.1:8787/api/v1/runs//vectors//select
```

## Memory

Session state is saved as dense JSONL records and mirrored to readable markdown for compatibility.

```bash
bash scripts/codex-start.sh --print-only
bash scripts/codex-close.sh --mode checkpoint --objective "..." --done "..." --next "..."
bash scripts/memory-health.sh
```

The startup wrapper writes a startup checkpoint and can run `scripts/codex-memory-watch.sh` to heartbeat active sessions.

## Dense Codex Context

Codex-facing playbooks now use searchable dense records instead of long explanatory prose. Use lookup commands to load only the slice needed for the current target:

Recon should emit:

```text
focus={mode,tags,ports,svc,versions,cves,phase,role,confidence}
```

Agents should read `LOOKUP.md` first, then query from that focus instead of opening broad context.

```bash
cat LOOKUP.md
python3 scripts/learn_engine.py --root . lookup mode:pentest tag:web service:http --format prompt
python3 scripts/learn_engine.py --root . lookup mode:koth tag:koth --format prompt
python3 scripts/learn_engine.py --root . context mode:windows-ctf tag:ad
```

Dense record format:

```text
id= mode= role= phase= tags= ports= svc= pre= act= verify= next= block= refs=
```

Verbose pre-conversion references are archived under `docs/reference/legacy_playbooks//`. Memory mirrors are compacted to dense lines, while full historical copies are archived under `memory/archive//`.

## CVE REST And MCP

REST endpoints are available under `/api/v1/cve/*` when the API is running.

Repo-local CVE search management:

```bash
bash scripts/secops-cve-search.sh start
bash scripts/secops-cve-search.sh status
bash scripts/secops-cve-search.sh update
```

Enable MCP:

```bash
SECOPS_ENABLE_CVE_MCP=true SECOPS_API_TOKEN=dev bash scripts/secops-api.sh
```

MCP URL: `http://127.0.0.1:8787/mcp/cve`

Use header: `Authorization: Bearer dev`

See `docs/cve_mcp.md`.

## Optional Providers

Codex OAuth/runtime is the default path. Provider API keys are opt-in and are not used silently. To store provider secrets, set `VANTIX_SECRET_KEY` first. See `docs/providers.md`.

## Cracking Nodes

Remote GPU cracking is operator-owned and optional. Copy `agent_ops/config/cracking_nodes.example.yaml` to `agent_ops/config/cracking_nodes.yaml`, fill in your own host, and verify with:

```bash
bash scripts/crack-node-doctor.sh --node gpu-primary
```

See `docs/cracking_nodes.md`.

## Safety

Use only on systems you own or are explicitly authorized to test. Keep scope, rules of engagement, and stop conditions in ignored local configuration. Do not commit `.env`, real client data, target evidence, personal SSH keys, production credentials, provider keys, or private topology.

## Development

```bash
pytest
bash scripts/check-all.sh
bash scripts/sanitize-check.sh
bash scripts/doctor.sh
```

Service control:

```bash
systemctl --user status vantix-api.service vantix-ui.service
journalctl --user -u vantix-api.service -u vantix-ui.service -f
bash scripts/vantixctl.sh status
bash scripts/vantixctl.sh restart
```

Key docs:

- `PLAN2.md`
- `docs/installation.md`
- `docs/configuration.md`
- `docs/architecture.md`
- `docs/agents.md`
- `docs/skill-authoring.md`
- `docs/api.md`
- `docs/testing.md`
- `docs/orchestration.md`
- `docs/vantix_ui.md`
- `docs/providers.md`
- `docs/permissions.md`
- `docs/memory.md`
- `docs/cve_mcp.md`
- `docs/cracking_nodes.md`