System Architecture Overview
Note
Hey there! Siyarix is a personal passion project built by a single developer that is growing and under active development. Some of the architectural components and features described on this page might currently be Planned, Work in Progress, or basic implementations. Stay tuned as it evolves!
Siyarix v1.0.0 is an AI-native cybersecurity operations platform that acts as the intelligent bridge between natural language intent and deterministic tool execution. Its architecture is built around a robust layered orchestration model, where the central AgentCore intelligently dispatches tasks across four distinct operational modes. It routes user intent through a series of planners, security gates, executors, and persistence layers, ensuring safe, efficient, and precise execution.
Note
This architecture is designed from the ground up to be resilient, modular, and highly adaptable to both cloud and offline (air-gapped) environments.
High-Level Architecture
The following diagram illustrates the flow of data and control across Siyarix's primary architectural layers.
Tip
Reading the Graph: The flow generally moves from the top (Entry Layer) down through orchestration, planning, provider integration, security validation, and finally execution. Follow the arrows to trace how an initial command translates into action!
graph LR
%% ===== ENTRY LAYER =====
User([Operator / TTY]) --> CLI
User --> REPL
CLI[CLI / Typer]:::entry
REPL[REPL / prompt_toolkit]:::entry
PIPELINE[Pipeline / chained]:::entry
BATCH[Batch / script mode]:::entry
CLI --> AgentCore
REPL --> AgentCore
PIPELINE --> AgentCore
BATCH --> AgentCore
%% ===== ORCHESTRATION LAYER =====
subgraph ORCH["Orchestration Layer"]
AgentCore[AgentCore Orchestrator]:::core
IR[IntentRouter]:::core
NLP[NLP Engine / zero-dep]:::core
CtxMgr[Context Manager]:::core
Comp[Compaction Engine]:::core
AgentCore -->|dispatch| IR
IR -->|classify intent| NLP
IR -->|route| PlannerRouter
NLP -->|semantic parse| PlannerRouter
subgraph Modes["AgentCore Modes"]
REG[REGISTRY]
AUTO[AUTONOMOUS]
HYB[HYBRID]
INT[INTERACTIVE]
end
AgentCore --> Modes
end
%% ===== PLANNING LAYER =====
subgraph PLAN["Planning Layer"]
PlannerRouter[Planner Router]:::plan
RP[RegistryPlanner]:::plan
AP[AutonomousPlanner]:::plan
PlannerRouter --> RP
PlannerRouter --> AP
AP -->|LLM generate| ProviderMgr
end
%% ===== PROVIDER LAYER =====
subgraph PROV["AI Provider Layer"]
ProviderMgr[ProviderManager]:::prov
OA[OpenAICompat Adapter]:::prov
PS[ProviderStateManager]:::prov
UT[UsageTracker]:::prov
MA[ModelAliases]:::prov
OLL[OllamaUtils]:::prov
ProviderMgr --> OA
ProviderMgr --> PS
ProviderMgr --> UT
OA --> MA
subgraph Cloud["Cloud Providers"]
OAI[OpenAI / GPT]
ANT[Anthropic / Claude]
GEM[Google Gemini]
DS[DeepSeek]
GROQ[Groq]
MIST[Mistral AI]
TGT[Together AI]
OAR[OpenRouter]
PERP[Perplexity]
XAI[xAI / Grok]
CBR[Cerebras]
FWR[Fireworks AI]
HF[HuggingFace]
MIMO[MiniMax]
MOON[Moonshot / Kimi]
NVI[NVIDIA NIM]
AZ[Azure OpenAI]
OC[OpenCodeZen]
ZAI[Z.A.I.]
end
subgraph Local["Local / Offline"]
OLLM[Ollama]
LMS[LM Studio]
LCP[llama.cpp]
VLL[vLLM]
LAI[LocalAI]
REGP[Registry / heuristic]
end
OA --> Cloud
OA --> Local
end
%% ===== SECURITY LAYER =====
subgraph SEC["Security & Safety Layer"]
PG[Permission Gate]:::sec
DLP[DLP Engine]:::sec
IV[InputValidator]:::sec
DA[DangerAnalyzer / 38 patterns]:::sec
SG[StealthEngine]:::sec
OM[OPSECManager]:::sec
SH[SecurityHardening]:::sec
SHV[ShellReview]:::sec
TCR[ToolCallRepair]:::sec
PG -->|stage 1| SyntaxGate[Syntax Gate]
PG -->|stage 2| DA
PG --> DLP
DLP -->|secret redact| IV
end
PlannerRouter --> PG
%% ===== EXECUTION LAYER =====
subgraph EXEC["Execution Layer"]
EE[ExecutionEngine / compat]:::exec
BE[BaseExecutor / budget + guardrails]:::exec
RE[RegistryExecutor]:::exec
AE[AutonomousExecutor]:::exec
WP[AsyncWorkerPool / semaphore]:::exec
TCP[CommandPipeline]:::exec
VAL[Validator / recovery]:::exec
EE --> BE
EE --> RE
EE --> AE
EE --> WP
EE --> TCP
BE --> VAL
end
PG -->|ALLOW / REVIEW| EE
%% ===== TOOL LAYER =====
subgraph TOOL["Tool System"]
TR[ToolRegistry]:::tool
TA[ToolAvailability]:::tool
TINST[ToolInstaller]:::tool
TH[ToolHandlers / 11 types]:::tool
TCG[ToolCapabilityGraph]:::tool
TM[ToolMetadata]:::tool
TV[ToolVersion]:::tool
TR --> TA
TA --> TINST
TR --> TCG
TR --> TH
TR --> TM
TM --> TV
end
EE --> TR
%% ===== PARSER LAYER =====
subgraph PARSE["Parser Layer"]
PRR[ParserRegistry]:::parse
subgraph Parsers["80+ Tool Parsers"]
direction LR
ReconParsers[Recon: nmap/masscan/rustscan/naabu]
WebParsers[Web: gobuster/ffuf/dirb/nikto]
VulnParsers[Vuln: nuclei/sqlmap/searchsploit]
ExploitParsers[Exploit: metasploit/burpsuite/responder]
ADParsers[AD: bloodhound/certipy/kerbrute]
CloudParsers[Cloud: aws/kubectl/prowler]
CodeParsers[Code: trivy/grype/semgrep/gitleaks]
end
PRR --> ReconParsers
PRR --> WebParsers
PRR --> VulnParsers
PRR --> ExploitParsers
PRR --> ADParsers
PRR --> CloudParsers
PRR --> CodeParsers
end
TH -->|tool output| PRR
%% ===== KNOWLEDGE, LEARNING & MEMORY LAYER =====
subgraph KML["Knowledge, Learning & Memory"]
KG[KnowledgeGraph / BFS]:::km
MM[MemoryManager / semantic]:::km
CLS[Continuous Learning System]:::km
DSE[DeepScanEngine]:::km
end
PRR -->|structured findings| KG
AE -->|observe| CLS
RE -->|observe| CLS
%% ===== PERSISTENCE LAYER =====
subgraph PERSIST["Persistence Layer"]
CS[ChatSession / branching]:::persist
SK[SessionKernel / JSON+JSONL]:::persist
CRD[CredentialStore / AES-256-GCM]:::persist
CACHE[CacheManager / LRU+TTL]:::persist
OQS[OfflineQueue]:::persist
OSS[OfflineStore / SQLite]:::persist
SLOG[SessionLog]:::persist
CS -->|JSONL tree| SK
CRD -->|keyring + file| SK
end
KG --> CS
%% ===== OBSERVABILITY LAYER =====
subgraph OBSERV["Observability"]
EB[EventBus / pub-sub]:::obs
AL[AuditLogger / SHA-256 chain]:::obs
MC[MetricsCollector]:::obs
HC[HealthChecker]:::obs
NOTIF[Notifications]:::obs
WH[Webhooks]:::obs
PERF[PerformanceOptimizer]:::obs
EB --> AL
EB --> MC
EB --> NOTIF
EB --> WH
MC --> PERF
end
EE --> EB
%% ===== REPORTING & COMPLIANCE LAYER =====
subgraph REPORT["Reporting, Compliance & Output"]
CVSS[CVSSScorer / 3.1]:::report
CompEng[ComplianceEngine]:::report
TI[ThreatIntel]:::report
Playbook[PlaybookEngine]:::report
OE[OutputEngine]:::report
CVSS --> CompEng
TI --> Playbook
subgraph Formats["Output Formats"]
TBL[TABLE]
JSON[JSON]
JSONL[JSONL]
YML[YAML]
CSV[CSV]
HTML[HTML]
XML[XML]
MD[MARKDOWN]
RAW[RAW]
QUIET[QUIET]
end
subgraph Themes["7 Unique Themes + 4 Aliases"]
TH1[CYBER_NOIR]
TH2[MATRIX]
TH3[BLOODMOON]
TH4[ARCTIC]
TH5[GOLDENROD]
TH6[ECLIPSE]
TH7[SYNTHWAVE]
end
OE --> Formats
OE --> Themes
end
KG --> TI
KG --> CVSS
%% ===== MULTI-AGENT SWARM =====
subgraph SWARM["Multi-Agent Swarm (Experimental)"]
SWR[SwarmRouter / stub]:::swarm
RCON[ReconAgent]
XPLT[ExploitAgent]
RPRT[ReportAgent]
SWR --> RCON
RCON -->|findings| XPLT
XPLT -->|evidence| RPRT
end
AgentCore -->|campaign| SWR
%% ===== FEEDBACK LOOPS =====
CLS -.->|learned skills| PlannerRouter
TCR -.->|repair malformed| AP
VAL -.->|recovery| RE
Comp -.->|optimize tokens| CtxMgr
PERF -.->|tune resources| EE
%% ===== STYLES =====
classDef entry fill:#1a1a2e,stroke:#16213e,color:#e94560,font-weight:bold
classDef core fill:#0f3460,stroke:#16213e,color:#e94560
classDef plan fill:#533483,stroke:#16213e,color:#fff
classDef prov fill:#0b8457,stroke:#064635,color:#fff
classDef sec fill:#b91646,stroke:#890b2e,color:#fff
classDef exec fill:#105652,stroke:#073b39,color:#fff
classDef tool fill:#1a3d6b,stroke:#0f2952,color:#fff
classDef parse fill:#2d4059,stroke:#1f3042,color:#fff
classDef km fill:#4a3f6b,stroke:#372d52,color:#fff
classDef persist fill:#3d5a5a,stroke:#2a4040,color:#fff
classDef obs fill:#6b3a5a,stroke:#522a44,color:#fff
classDef report fill:#2c5a4a,stroke:#1e4037,color:#fff
classDef swarm fill:#5a4a2c,stroke:#40371e,color:#fff
Core Design Principles
Our foundation is built upon these fundamental pillars to ensure maximum reliability and flexibility:
| Principle | Description |
|---|---|
| CLI-First | All functionality is fully accessible via the command line without any graphical user interface (GUI) dependencies. |
| AI-Native | AI-driven planning is our default path, seamlessly falling back to reliable heuristic templates when needed. |
| Provider-Agnostic | Easily switch between 26 built-in provider profiles, all unified under a standard OpenAI-compatible adapter. |
| Offline-Capable | Full operational capability in air-gapped environments using local inference and deterministic heuristic planning. |
| Safety-Gated | Security First: Every command must successfully pass through our Permission Gate and Data Loss Prevention (DLP) engine before execution. |
| Continuously Learning | The system quietly observes execution patterns over time, building a privacy-preserving skill library to improve future runs. |
| Extensible | Highly modular design featuring a PluginLoader, ToolRegistry, and dynamic capability discovery. |
AgentCore: The Orchestrator
The AgentCore module (`siyarix/core/__init__.py`) acts as the "brain" and central dispatcher of the platform. It operates dynamically in one of four distinct modes depending on the task's requirements:
Info
The orchestrator automatically balances autonomy with safety. The mode selected defines how much control the AI has versus the heuristic engine, and how many permission gates are enforced.
| Mode | Planner Used | Permission Gate | Autonomy Level | Primary Use Case |
|---|---|---|---|---|
| REGISTRY | RegistryPlanner (Heuristic) | Full | None | Deterministic, offline-safe tool execution. |
| AUTONOMOUS | AutonomousPlanner (LLM-driven) | Minimal | Full | Goal-driven autonomous agent campaigns. |
| HYBRID | Autonomous with Registry fallback | Full | Conditional | AI-guided operations with automatic, safe fallbacks if the AI gets stuck. |
| INTERACTIVE | RegistryPlanner + User approval | Full | Per-step | User-in-the-loop mode requiring explicit human consent before actions. |
Data Flow (End-to-End)
Wondering how a simple command turns into a complex security operation? Here is the lifecycle of a request:
Note
User Input → IntentRouter → Context Manager → Planner Router → Permission Gate → DLP → ExecutionEngine → Results Pipeline
- User Input arrives via your choice of interface: CLI, interactive REPL, pipeline, or batch script.
- Intent Classification: The `IntentRouter` classifies the input using swift keyword matching (via `compat.py`).
- Context Building: The Context Manager dynamically builds and optimally compresses the context window for LLMs.
- Plan Generation: The Planner Router (`Planner` class) decides whether to use the deterministic `RegistryPlanner` or the LLM-powered `AutonomousPlanner`.
- Security Validation: The plan enters the PermissionGate for a rigorous two-stage review (syntax checks followed by danger analysis), yielding a strict `BLOCK`, `REVIEW`, or `ALLOW` status.
- Data Loss Prevention: The DLP Engine meticulously inspects the payload for potential data leak patterns or sensitive secrets.
- Execution: The Execution Engine (`BaseExecutor` / `RegistryExecutor` / `AutonomousExecutor`) carries out the plan steps. It tightly tracks execution budgets, enforces guardrails, and applies DLP checks in real-time.
- Result Processing: The Results Pipeline routes outputs through specialized parsers, updates the `KnowledgeGraph`, feeds the `ReportEngine`, secures logs in the `AuditLogger`, and updates the `ChatSession`.
- Learning: Finally, the Continuous Learning System observes the results, extracting anonymized behaviors to enrich the platform's skill library for next time.
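
The Security Validation and Data Loss Prevention steps above, as an added example that is not Siyarix's own code: a syntax stage, a danger-analysis stage returning `BLOCK`/`REVIEW`/`ALLOW`, and a redaction pass. The pattern lists, function names and sample commands are assumptions made for illustration; the page's 38 danger patterns and 24+ DLP signatures are not reproduced.

```python
import re
import shlex
from enum import Enum


class Verdict(Enum):
    ALLOW = "ALLOW"
    REVIEW = "REVIEW"
    BLOCK = "BLOCK"


# Hypothetical danger patterns, chosen for illustration only.
BLOCK_PATTERNS = [
    re.compile(r"\brm\s+-\w*r\w*\s+/(\s|$)"),        # recursive delete of the root
    re.compile(r"\bmkfs(\.\w+)?\b"),                 # formatting a filesystem
    re.compile(r"\bdd\b.*\bof=/dev/(sd|nvme|hd)"),   # raw write to a block device
]
REVIEW_PATTERNS = [
    re.compile(r"\|\s*(ba)?sh\b"),                   # output piped into a shell
    re.compile(r"\bsudo\b"),
    re.compile(r"\bchmod\s+(-R\s+)?777\b"),
]
# Hypothetical DLP signatures (constructed for this example).
AWS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
KEY_VALUE = re.compile(r"(?i)\b(password|passwd|token|api[_-]?key)=\S+")


def syntax_gate(command: str) -> bool:
    """Stage 1: reject empty input, NUL or newline smuggling, unbalanced quotes."""
    if not command.strip() or "\x00" in command or "\n" in command:
        return False
    try:
        return bool(shlex.split(command))
    except ValueError:  # unbalanced quote or dangling escape
        return False


def danger_analysis(command: str) -> Verdict:
    """Stage 2: BLOCK patterns win over REVIEW patterns; otherwise ALLOW."""
    if any(p.search(command) for p in BLOCK_PATTERNS):
        return Verdict.BLOCK
    if any(p.search(command) for p in REVIEW_PATTERNS):
        return Verdict.REVIEW
    return Verdict.ALLOW


def redact(command: str) -> str:
    """DLP pass: mask secrets before the command is logged or sent to a provider."""
    masked = AWS_KEY.sub("[REDACTED_AWS_KEY]", command)
    return KEY_VALUE.sub(lambda m: m.group(1) + "=[REDACTED]", masked)


def permission_gate(command: str):
    """Decide on the raw command; return (verdict, redacted text for logs)."""
    if not syntax_gate(command):
        return Verdict.BLOCK, redact(command)
    return danger_analysis(command), redact(command)
```

The verdict is computed on the raw command and only the redacted form leaves the gate, so a secret never influences what gets logged while still being visible to the danger analysis.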
Key Subsystems
Siyarix is composed of numerous modular, specialized subsystems. Here's a breakdown of the critical components doing the heavy lifting:
Tip
You can find most of these subsystems isolated into their own dedicated modules within the codebase, ensuring clean separation of concerns.
| Subsystem | Core Responsibility |
|---|---|
| AgentCore | Central orchestrator handling the 4-mode dispatch logic. |
| IntentRouter | Rapid, keyword-based user intent classification. |
| NLP Engine | Zero-dependency semantic parsing utilizing BM25 scoring. |
| Planner Router | Intelligently dispatches between heuristic and LLM-based planning mechanisms. |
| RegistryPlanner | Reliable heuristic template-based planning utilizing over 500 predefined intent patterns. |
| AutonomousPlanner | Dynamic, LLM-driven plan generation for complex tasks. |
| Context Manager | Builds, compresses, and optimizes context windows to save tokens and improve LLM accuracy. |
| MemoryManager | Handles semantic memory using vector embeddings. |
| KnowledgeGraph | An in-memory, directed graph structure mapping out discovered infrastructure entities. |
| Continuous Learning System | Quietly builds a privacy-preserving skill library from observed executions. |
| DeepScanEngine | Executes multi-pass progressive scanning (discovery → fingerprinting → vulnerabilities → enumeration). |
| WorkflowEngine | Manages complex, DAG-based (Directed Acyclic Graph) workflow execution. |
| PermissionGate | The rigorous two-stage BLOCK/REVIEW/ALLOW security sentry. |
| DLP Engine | Prevents data leaks using over 24 comprehensive pattern signatures. |
| ProviderManager | Manages 26 different LLM provider profiles, complete with failover routing and circuit breaking. |
| ProviderStateManager | Persists cooldowns and failure states across sessions (via JSON). |
| UsageTracker | Precisely tracks token usage and financial costs per provider. |
| OpenAICompat Adapter | Provides a seamless, unified API interface across all 26 supported LLM providers. |
| EventBus | A lightweight pub/sub event system for decoupled inter-component communication. |
| CacheManager | Disk-persisted caching utilizing LRU and TTL strategies. |
| CredentialStore | A highly secure, AES-256-GCM encrypted vault for credentials. |
| AuditLogger | Maintains a tamper-evident audit trail with SHA-256 cryptographic linking. |
| OutputEngine | Renders outputs in 10 diverse formats and 7 unique aesthetic themes, with custom branding support. |
| ChatSession | Advanced chat management with full branching support (using a JSONL tree format). |
| SessionKernel | Core session persistence and restoration handling. |
| HealthChecker | Performs periodic self-checks to ensure system health and stability. |
| MetricsCollector | Gathers robust execution metrics and analytics. |
| StealthEngine | Facilitates covert operations (e.g., TOR routing, DoH, traffic jittering). |
| OPSECManager | Enforces rigorous operational security controls via definable policy profiles. |
| SwarmRouter | (Experimental) Orchestrates a multi-agent swarm (e.g., Recon Agent → Exploit Agent → Report Agent). |
| CommandPipeline | Parses chained CLI commands via pipes and logic operators. |
| PluginLoader | Enables dynamic discovery and loading of external plugins. |
| AsyncWorkerPool | Manages bounded asynchronous concurrency using strict semaphores. |
| OfflineStore / OfflineQueue | SQLite-backed systems enabling robust queueing and storage for offline/disconnected environments. |
| CompactionEngine | Optimizes LLM context windows through advanced token analysis and text compression strategies. |
| ModelAliases | Intelligently resolves variant or shorthand LLM model names. |
| Playbook Engine | Executes predefined, structured security playbooks. |
| Compliance Engine | Runs automated framework assessments (e.g., NIST, CIS, PCI-DSS). |
| CVSSScorer | Computes precise CVSS 3.1 scores utilizing environmental vectors. |
| Threat Intelligence | Integrates dynamically with AlienVault OTX, NVD, and the MITRE ATT&CK database. |
| ToolCall Repair | Automatically repairs and parses plain-text or malformed tool calls emitted by LLMs. |
| Validator | Validates generated plans and enacts step-level recovery actions upon failure. |
| ShellReview | Pauses execution for explicit user confirmation before running potentially dangerous shell commands. |
| Branding | Manages custom theme definitions, severity styling, and banner rendering. |
| Personas | Defines distinct agent personas for tailored, role-based behavioral responses. |
| SecurityHardening | Enforces deep input sanitization and strict shell injection prevention measures. |
| SecurityCommands | Provides the Typer-based CLI interface for security-specific commands. |
| Onboarding | A friendly, 11-step interactive wizard for first-time users. |
| SessionLog | Maintains a clean, human-readable log of session activities. |
| SessionBranching | Expertly manages session forking and context compaction across branches. |
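
How a "tamper-evident audit trail with SHA-256 cryptographic linking" (the AuditLogger row above) can be built and checked, as an added example that is not Siyarix's own code. The record layout, the `GENESIS` anchor, the function names and the sample events are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first record's "prev" field


def link_hash(seq: int, prev: str, event: dict) -> str:
    """SHA-256 over a canonical encoding of position, previous hash and event."""
    body = json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append(chain: list, event: dict) -> dict:
    """Append an event, binding it to the hash of the record before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "prev": prev, "event": event,
              "hash": link_hash(len(chain), prev, event)}
    chain.append(record)
    return record


def verify(chain: list, expected_head: str = None) -> int:
    """Return -1 if intact, else the index of the first record that fails.

    Editing, inserting or deleting a record breaks the link at that position.
    Cutting records off the end leaves a valid shorter chain, so truncation is
    only caught when the last hash was stored elsewhere and is passed in as
    expected_head; a mismatch there returns len(chain).
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if (rec["seq"] != i or rec["prev"] != prev
                or rec["hash"] != link_hash(i, prev, rec["event"])):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return -1


def build_sample() -> list:
    """Constructed sample events (not real Siyarix log records)."""
    chain = []
    for event in [
        {"ts": "2024-01-01T10:00:00Z", "verdict": "ALLOW", "command": "nmap -sV 10.0.0.5"},
        {"ts": "2024-01-01T10:00:07Z", "verdict": "REVIEW", "command": "sudo tcpdump -i eth0"},
        {"ts": "2024-01-01T10:00:09Z", "verdict": "BLOCK", "command": "rm -rf /"},
    ]:
        append(chain, event)
    return chain
```

An unkeyed chain only detects partial edits: someone who can rewrite the whole file can recompute every hash, which is why the head hash needs to be anchored outside the log.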
Component Relationships
Understanding how the primary components interact is crucial. Here is a simplified relationship graph:
Warning
While modular, modifying interactions between the Core Orchestrator and the Execution Gateways should be done with extreme care to maintain security boundaries.
           ┌─────────────────────────────┐
           │          AgentCore          │
           │  (REGISTRY | AUTONOMOUS |   │
           │   HYBRID | INTERACTIVE)     │
           └──────────────┬──────────────┘
                          │
           ┌──────────────┼──────────────┐
           ▼              ▼              ▼
      IntentRouter  PlannerRouter      Swarm
       (keyword)    (route plan)  (experimental)
           │              │              │
           ▼              ▼              ▼
      ┌──────────┐  ┌────────────┐  ┌──────────┐
      │   NLP    │  │  Registry  │  │  Recon   │
      │  Engine  │  │  Planner   │  │  Agent   │
      └──────────┘  └────────────┘  └──────────┘
      ┌──────────┐  ┌────────────┐  ┌──────────┐
      │ Context  │  │ Autonomous │  │ Exploit  │
      │ Manager  │  │  Planner   │  │  Agent   │
      └──────────┘  └────────────┘  └──────────┘
                          │
                          ▼
                   ┌──────────────┐
                   │  Permission  │─── DLP Engine
                   │     Gate     │
                   └──────┬───────┘
                          │
                          ▼
                   ┌──────────────┐
                   │     Base     │
                   │   Executor   │─── Validator
                   │  (budget +   │─── AsyncWorkerPool
                   │  guardrails) │
                   └──────┬───────┘
                          │
           ┌──────────────┼──────────────┐
           ▼              ▼              ▼
    KnowledgeGraph  ReportEngine    AuditLogger
      (entities)    (MD/HTML/JSON (tamper-evident
                       + CVSS)        chain)
Scalability & Performance
Siyarix is built for speed and resource efficiency, ensuring it scales elegantly from a local laptop to large-scale infrastructure environments:
- AsyncWorkerPool: A heavily optimized, bounded `asyncio` pool utilizing semaphores to ensure controlled, safe concurrency. It handles backpressure seamlessly via bounded queues.
- CacheManager: Implements smart LRU (Least Recently Used) and TTL (Time-To-Live) caching strategies, backed by disk persistence to radically speed up repetitive operations.
- KnowledgeGraph: Operates as a lightning-fast, in-memory entity model providing immediate real-time awareness of the target environment.
- MetricsCollector: Silently gathers deep execution metrics to provide total observability into system performance.
- HealthChecker: Runs periodic, non-intrusive self-checks to verify system stability and component readiness.
- OfflineQueue: Safely queues requests when operating in disconnected environments, dispatching them the moment connectivity is restored.
- CompactionEngine: Intelligently optimizes the LLM context window using real-time token analysis and advanced text compression strategies, keeping LLM costs low and speeds high.
- ToolCallTracker: Actively monitors tool failures against strict guardrail thresholds. It implements protective measures like exact-fail blocking, same-tool halting, and no-progress blocking to prevent infinite loops and wasted resources.
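
One way the three ToolCallTracker guardrails named above could work, as an added example that is not Siyarix's own code. The page names the guardrails without defining them, so the meanings used here (identical failing call, consecutive failures of one tool, repeated identical output), the thresholds and all method names are assumptions.

```python
import hashlib
import json
from collections import Counter

# Assumed thresholds; the page does not state the real values.
MAX_EXACT_FAILS = 2   # identical tool+args failures before that call is blocked
MAX_TOOL_FAILS = 3    # consecutive failures of one tool before it is halted
MAX_NO_PROGRESS = 3   # consecutive successful calls that produced nothing new


class ToolCallTracker:
    def __init__(self):
        self.exact_fails = Counter()   # (tool, args) fingerprint -> failure count
        self.tool_streak = Counter()   # tool -> consecutive failures
        self.seen_outputs = set()      # digests of outputs already observed
        self.stale_calls = 0

    @staticmethod
    def fingerprint(tool: str, args: dict) -> str:
        return tool + ":" + json.dumps(args, sort_keys=True)

    def check(self, tool: str, args: dict) -> str:
        """Return 'ok' or the name of the guardrail that blocks this call."""
        if self.exact_fails[self.fingerprint(tool, args)] >= MAX_EXACT_FAILS:
            return "exact-fail"
        if self.tool_streak[tool] >= MAX_TOOL_FAILS:
            return "same-tool"
        if self.stale_calls >= MAX_NO_PROGRESS:
            return "no-progress"
        return "ok"

    def record(self, tool: str, args: dict, ok: bool, output: str = "") -> None:
        """Update counters after a call that was allowed to run."""
        if not ok:
            self.exact_fails[self.fingerprint(tool, args)] += 1
            self.tool_streak[tool] += 1
            return
        self.tool_streak[tool] = 0
        digest = hashlib.sha256(output.encode("utf-8")).hexdigest()
        if digest in self.seen_outputs:
            self.stale_calls += 1      # succeeded, but taught the agent nothing
        else:
            self.seen_outputs.add(digest)
            self.stale_calls = 0


def simulate(calls) -> list:
    """Replay (tool, args, ok, output) tuples; return the verdict before each call."""
    tracker = ToolCallTracker()
    verdicts = []
    for tool, args, ok, output in calls:
        verdict = tracker.check(tool, args)
        verdicts.append(verdict)
        if verdict == "ok":
            tracker.record(tool, args, ok, output)
    return verdicts
```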