LyrieRemedy Agent v1.2 — Inside-Out Scans, Offline Fixes, and CLI Controls
LyrieRemedy Agent v1.2
We've been working on making the Remedy Agent more useful beyond just background auto-fixes. Starting with this release, you can run security scans directly from your terminal, review what's going on, and fix things on your own terms.
Installing the agent
Your dashboard gives you a one-liner under Download Agent. Copy it and run it on your server:
curl -fsSL https://api.lyrie.ai/agent/install.sh | \
sudo bash -s -- --key=lyrie_agent_YOUR_KEY_HERE
That's it. The installer handles everything:
- Detects your OS and architecture
- Downloads the correct binary and verifies the SHA-256 checksum
- Drops the binary into
/usr/local/bin/lyrie-agent - Writes config to
/etc/lyrie-agent/config.json(locked down, mode 0600) - Registers a system service (systemd on Linux, launchd on macOS)
- Starts the daemon — it'll survive reboots on its own
After install, the binary is in your PATH, the daemon is running, and config is in place. Nothing else to do.
Using the agent
Check that everything is healthy
sudo lyrie-agent status
LyrieRemedy Agent Status
Server URL: wss://api.lyrie.ai
Agent key: lyrie_agent_abc… (hash: 3f5e8c0a4d2b1e6a…)
Hostname: web-01
Approval mode: all
Cert pin: false
Server reach: true
If you see Server reach: true, you're good.
Inside-out scans
OMEGA scans your site from the outside, like an attacker would. This does the opposite — it runs on your server and looks at everything from the inside.
sudo lyrie-agent scan --internal --target example.com
LyrieRemedy: starting internal scan of example.com (host: web-01)
scan_id: scn_01HZX8K2QW1MRNXJH7TYEA9K3P
[ 10%] connection_check status=running
[ 20%] discovery status=running
[ 35%] deps_audit status=running
[ 50%] config_review status=running
[ 65%] filesystem_posture status=running
[ 75%] service_inventory status=running
[ 85%] log_review status=running
[ 95%] source_code_review status=running
[100%] report_ready status=completed
Report written:
JSON: ./scn_01HZX8K2QW1MRNXJH7TYEA9K3P.lyrie.json (12 findings, 96 fix credits)
HTML: ./scn_01HZX8K2QW1MRNXJH7TYEA9K3P.lyrie.html
Run `lyrie-agent fix scn_01HZX8K2QW1MRNXJH7TYEA9K3P.lyrie.json` to apply fixes.
It checks:
- Web server configs (nginx, Apache, PHP-FPM)
- What framework you're running (WordPress, Laravel, Django, Next.js, Rails, Symfony, and others)
- Known vulnerabilities in your dependencies across Composer, npm, and pip
- File permission issues — world-writable files, exposed
.git/folders, leftover backups, hardcoded secrets - Running services and their versions
- Recent error logs for anything unusual
- Common source code patterns that lead to RCE, SQL injection, or XSS
Every finding includes a clear explanation of what the problem is and what to do about it.
Scan reports
Each scan produces two files:
<scan>.lyrie.json— a machine-readable report, cryptographically signed<scan>.lyrie.html— a self-contained HTML report you can open in any browser
Reports are signed with Ed25519, tied to the specific agent that ran the scan, and expire after 30 days. If anyone modifies the file, the agent won't accept it.
Files land in whatever directory you ran the command from. You can open the HTML in a browser, share the JSON with your team, or just hold onto them and fix things later.
Fixing things on your schedule
sudo lyrie-agent fix scn_01HZX8K2QW1MRNXJH7TYEA9K3P.lyrie.json
LyrieRemedy will apply fixes for 12 findings from report rpt_01HZX8K2QW1MRNXJH7TYEAB42:
[CRITICAL] Reflected XSS in search endpoint (20 credits)
[HIGH ] Outdated OpenSSL with CVE-2023-0286 (15 credits)
[HIGH ] Exposed .git/ directory in webroot (15 credits)
[MEDIUM ] PHP display_errors enabled in production (10 credits)
...
Total cost: 96 agent credits. Continue? [y/N] y
batch bat_01HZX8K7P9Q2RSTUV: 12 fixes queued, 96 credits charged
[fix-a3c91e47] Reflected XSS in search... verified phase=Completed
[fix-b4d82f58] Outdated OpenSSL... verified phase=Completed
[fix-c5e93a69] Exposed .git directory... verified phase=Completed
...
Batch bat_01HZX8K7P9Q2RSTUV: completed — 11 verified, 1 fixed, 0 failed (credits charged: 96)
Every change that touches your server — config edits, service restarts, file writes — asks for your approval first. Fixes run one at a time, and backups are created automatically before anything is modified.
Useful flags
Fix only criticals and highs:
sudo lyrie-agent fix scan.json --min-severity high
Fix specific findings by ID:
sudo lyrie-agent fix scan.json --only fnd_aaa,fnd_bbb
Skip the confirmation prompt (useful in scripts):
sudo lyrie-agent fix scan.json --yes
Machine-readable JSON output (for CI pipelines):
sudo lyrie-agent fix scan.json --json
Pick up where you left off after a Ctrl-C:
sudo lyrie-agent fix --resume bat_01HZX8K7P9Q2RSTUV
Managing the daemon
You shouldn't need to touch these often, but they're there:
sudo lyrie-agent restart # after a binary upgrade
sudo lyrie-agent stop # temporarily disable
sudo lyrie-agent start # bring it back
sudo systemctl status lyrie-agent # check the service state
tail -f /var/log/lyrie-agent/audit.log # watch what it's doing
Full walkthrough — new customer, start to finish
# 1. Install (one time)
curl -fsSL https://api.lyrie.ai/agent/install.sh | \
sudo bash -s -- --key=YOUR_KEY_HERE
# 2. Make sure it's connected
sudo lyrie-agent status
# → Server reach: true
# 3. Run your first scan
sudo lyrie-agent scan --internal --target shop.theirstore.com
# → produces shop.theirstore.com.lyrie.json + .html
# 4. Review the HTML report in a browser
# (download via scp/sftp, or open it locally)
# 5. Apply fixes whenever you're ready
sudo lyrie-agent fix scn_xxxxxxx.lyrie.json
# 6. Done — fixes applied, verified, backed up, audit-logged
A note on sudo
The agent daemon runs as root (or a dedicated lyrie-agent user if you ran setup-user during install), so CLI commands need to read /etc/lyrie-agent/config.json which is owned by root with mode 0600.
If you'd rather not type sudo every time, you can set up a sudoers alias:
# /etc/sudoers.d/lyrie-agent
%devops ALL=(root) NOPASSWD: /usr/local/bin/lyrie-agent
Then anyone in the devops group can run sudo lyrie-agent ... without a password prompt.
Security improvements in this release
- Ed25519 signatures on all scan reports
- TLS 1.3 enforced on every connection
- Host pinning — a report generated for one server can't be replayed on another
- Stripped binaries with no debug symbols or embedded paths
- SHA-256 checksums published for all 19 platform builds
Billing
| Action | Credits used |
|---|---|
| Inside-out scan | 25 OMEGA credits per scan |
| Fix batch | Remedy credits (varies by finding severity) |
If you already have OMEGA credits from running external scans, those same credits work here. Remedy credits show up on your agent dashboard.
Plan availability
| Plan | Access |
|---|---|
| Shield | Not available |
| Guardian | Not available |
| Sentinel | Included |
| Fortress | Included |
Supported platforms
Linux (amd64, arm64, armv7, 386), macOS (Intel and Apple Silicon), Windows (amd64, arm64), FreeBSD, OpenBSD, NetBSD, DragonFly BSD, Solaris, and illumos.
Upgrading
If you already have the agent installed:
- Download the latest release for your platform.
- Replace the existing
lyrie-agentbinary. - Run
sudo lyrie-agent restart— or just leave the daemon running. The new scan and fix commands use the same session.
Your existing agent key, approval rules, and allowed-directories settings all carry forward. Nothing else to configure.
New to the Remedy Agent?
The setup guide covers installation, key registration, and running your first scan. Takes about five minutes.
If something doesn't work the way you expect, reply to any billing or scan email and a real person will get back to you.