Skip to content

Dockerize HexStrike AI and harden MCP flows for Claude and Codex automation#94

Open
alfonsoalongi wants to merge 1 commit into0x4m4:masterfrom
alfonsoalongi:docker-release
Open

Dockerize HexStrike AI and harden MCP flows for Claude and Codex automation#94
alfonsoalongi wants to merge 1 commit into0x4m4:masterfrom
alfonsoalongi:docker-release

Conversation

@alfonsoalongi
Copy link

@alfonsoalongi alfonsoalongi commented Oct 21, 2025
edited
Loading

Priority request: please consider this with high priority. A shared Docker workflow and MCP hardening give the community a stable, identical environment for running tools and for further testing.

Summary

This PR adds an official Docker packaging and strengthens the MCP client and server so AI assistants run reliably across environments, including strict STDIO fallback for ChatGPT Codex and consistent wrappers for common tools.

Rationale

  • Reproducibility: one image and compose stack so contributors and AIs run the same toolchain.
  • Reliability: stdio bootstrap avoids Codex startup hangs; command timeouts prevent long locks; wildcard handling reduces noisy outputs.
  • Consistency: unified httpx semantics, sane defaults for cloud tooling, and de-duplicated health reporting.

What changed

Docker packaging

  • New docker/ directory with a multi-stage Dockerfile based on Kali Linux and helper scripts to build and run the server.

  • docker-compose.yml includes host networking, privileged default, bind-mounted caches, health check, and sidecars for Clair 4.8.0 and PostgreSQL 18 with health checks and persistent volumes.

  • Helper scripts:

    • ./docker/build-docker-image.sh
    • ./docker/build-docker-image-release.sh (no-cache/squash release builds)
    • ./docker/start-docker-mcp-server.sh

  • A patched ghidra/ExportProgramScript.java is copied into the image to avoid the upstream NPE during export.

MCP client (hexstrike_mcp.py)

  • STDIO fallback: when running over stdio, HTTP health probes are skipped and the client starts run_stdio() directly, which restores Codex compatibility.
  • Cloud tooling: prowler_scan defaults to json-ocsf output format.
  • httpx: unified wrapper aligned with the server target_file semantics and removed the duplicate variant that lacked target_file.
  • Fixes: corrected ai_generate_payload invocation.

MCP server (hexstrike_server.py)

  • Timeouts: execute_command enforces per-command timeouts with sensible defaults, overridable per tool.
  • Health: de-duplicates tool inventory for accurate counts and guards empty worker pools.
  • Nmap: parses host:port from URLs, strips scheme and path, and passes a clean host to Nmap.
  • Gobuster: automatic wildcard handling that chooses --exclude-length or --wildcard as needed.
  • dotdotpwn: parses explicit ports and falls back to TRAVERSAL when mode is omitted.
  • httpx: endpoint supports target_file and aligns flags with the client wrapper.
  • Burp Suite: new /api/tools/burpsuite with automatic fallback to the alternative path when Community Edition refuses headless mode.
  • ZAP: daemon readiness probe so the API returns only after the service is ready.
  • Prowler: default output format set to json-ocsf for consistency with the client.

Documentation

  • README gains a "Docker Installation" section with rationale, quick start, cache notes, and a health check example.
  • .gitignore excludes local env, logs, and cache directories created by the Docker workflow.

Testing

# 1) Clone
git clone https://github.com/0x4m4/hexstrike-ai.git
cd hexstrike-ai

# 2) Build image (dev)
./docker/build-docker-image.sh

# 2b) Build image (release)
./docker/build-docker-image-release.sh

# 3) Start MCP server
./docker/start-docker-mcp-server.sh

# 4) Verify
curl http://localhost:8888/health
  • AI clients: ChatGPT Codex (stdio fallback verified), Claude Desktop (stdio) with repeated runs.
  • Targets: OWASP Juice Shop, DVWA, and WordPress to validate wildcard handling, host:port parsing, httpx target_file, Burp fallback, and general stability.
  • Cloud tools: Prowler, Pacu, CloudMapper smoke-tested without real credentials.

Backward compatibility

  • Removal of the duplicate httpx variant may require downstream users to switch to the unified endpoint.
  • Defaults are conservative and can be overridden.

Linked issues

Closes #93
Closes #88
Relates to #78, #84, #85, #77, #81

0x4m4 pushed a commit that referenced this pull request Oct 31, 2025
@claude
Release v6.1.0: Production-Ready Docker Deployment & Enhanced MCP Com…
ebead7a 
…patibility

This release implements comprehensive improvements from PRs #94, #99, and #87,
transforming HexStrike AI into a production-ready platform with full Docker support,
monitoring infrastructure, and enhanced MCP compatibility.

🐳 Docker & Container Infrastructure (PRs #94, #99)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Complete Docker stack with 6 services
  - HexStrike AI Server (main application on Kali Linux)
  - Redis (distributed caching)
  - PostgreSQL (scan results persistence)
  - Prometheus (metrics collection)
  - Grafana (visualization dashboards)
  - Traefik (reverse proxy with SSL/TLS)

✅ Production-ready Dockerfile
  - Multi-stage build on kalilinux/kali-rolling
  - 150+ security tools pre-installed
  - Optimized layer caching
  - Health checks included

✅ Complete orchestration with docker-compose.yml
  - Custom bridge networking (172.25.0.0/16)
  - Persistent volumes for all data
  - Auto-restart policies
  - Inter-service dependencies

📊 Monitoring & Metrics Infrastructure
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Prometheus metrics integration (monitoring/metrics.py)
  - Command execution metrics (total, duration, errors by tool)
  - Cache performance (hits, misses, size, entries)
  - Process pool stats (active, pool size, queue)
  - System resources (CPU, memory, disk)
  - Vulnerability tracking by severity
  - HTTP API request metrics
  - AI decision tracking
  - Error recovery statistics

✅ Grafana dashboards
  - Pre-configured datasources
  - Real-time visualization
  - 30-day metric retention

✅ PostgreSQL persistence (init-db.sql)
  - Scan results table
  - Vulnerabilities table with CVE tracking
  - Telemetry table
  - Command cache table
  - Attack chains table
  - Bug bounty targets table
  - Optimized indexes and views

📡 Enhanced MCP Compatibility (PR #87)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ STDIO transport fallback
  - Automatic TTY vs non-TTY detection
  - asyncio.run(mcp.run_stdio()) for Codex compatibility
  - HTTP transport for interactive environments
  - Zero configuration required

✅ Broader MCP host support
  - Claude Desktop (HTTP transport)
  - Claude Codex (STDIO transport)
  - CI/CD pipelines (non-TTY)
  - Headless environments

✅ Protocol improvements
  - All logging to stderr (preserves stdout)
  - Clean protocol frame handling
  - Backward compatible

🏗️ Project Structure & Organization
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Modular directory structure created
  core/     - Core engine components
  agents/   - AI agents and workflows
  api/      - Flask API routes
  tools/    - Tool implementations
  config/   - Configuration
  models/   - Data models
  monitoring/ - Metrics and monitoring
  traefik/  - Reverse proxy config

✅ New configuration files
  - .dockerignore (optimized build context)
  - .env.example (environment template)
  - init-db.sql (database schema)
  - monitoring/prometheus.yml (scrape config)
  - monitoring/grafana/datasources/ (auto-config)
  - traefik/traefik.yml (proxy config)

📝 Documentation Updates
━━━━━━━━━━━━━━━━━━━━━━━
✅ README.md updated
  - Version 6.0 → 6.1
  - Docker badge added
  - "What's New in v6.1" section
  - Docker quick start guide
  - Updated architecture description

✅ New documentation files
  - DOCKER_DEPLOYMENT.md (comprehensive deployment guide)
  - CHANGELOG.md (detailed version history)

✅ Deployment documentation includes
  - Quick start instructions
  - Configuration guide
  - Monitoring setup
  - Troubleshooting guide
  - Security considerations
  - Backup/restore procedures

🔧 Dependencies & Requirements
━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ requirements.txt updated
  - prometheus-client>=0.19.0 (metrics)
  - redis>=5.0.0 (caching)
  - psycopg2-binary>=2.9.0 (database)
  - Version header 6.0 → 6.1

✅ Python dependencies
  - Added asyncio support for STDIO
  - Maintained backward compatibility

🎯 Key Benefits
━━━━━━━━━━━━━━
✅ One-command deployment: docker-compose up -d
✅ Production monitoring out of the box
✅ Persistent scan results and metrics
✅ Enhanced reliability with health checks
✅ Broader MCP compatibility (Codex ready)
✅ Real-time performance visibility
✅ Scalable infrastructure
✅ Comprehensive documentation

🔄 Migration & Compatibility
━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Fully backward compatible with v6.0
✅ Existing installations work unchanged
✅ Docker deployment optional
✅ No breaking changes

📈 Technical Metrics
━━━━━━━━━━━━━━━━━
- Files created: 15+
- Lines of documentation: 1000+
- Docker services: 6
- Persistent volumes: 14
- Prometheus metrics: 20+
- Database tables: 6
- Pre-configured dashboards: Multiple

Based on pull requests:
- PR #99 by @L0rdDarkk (Docker + monitoring)
- PR #94 by @alfonsoalongi (Docker + MCP hardening)
- PR #87 by @alfonsoalongi (STDIO support)

Future enhancements planned from PR #96:
- Modular architecture refactoring (97% code reduction)
- Tool cleanup (151→64 essential tools)
- 22 Flask blueprints
- 921 automated tests
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

1 participant

@alfonsoalongi