Container Isolation
5 features
Secret Management
3 features
Encryption & TLS
3 features
Permission Controls
4 features
Authentication
4 features
Audit & Logging
3 features
Security Model
Approach
defense in depth
Zero Dependencies
no supply chain attack surface — pure C, vendored libs only (mbedtls, yyjson, stb)
Static Binaries
no shared library hijacking — musl static builds
🛡️ Container Isolation
Container Namespace Isolation
isolation
Linux user namespace isolation via clone() with CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | CLONE_NEWUSER | CLONE_NEWNET. Rootless — no docker/podman required. pivot_root switches into new rootfs.
Source:
scorpiox/scorpiox-unshare.c
Network Namespace Isolation
isolation
Network isolated by default via CLONE_NEWNET + slirp4netns for controlled outbound connectivity. Containers cannot see host network stack.
Source:
scorpiox/scorpiox-unshare.c
Seccomp Syscall Filter
isolation
BPF seccomp filter blocks dangerous syscalls inside containers: personality() (prevents ASLR bypass / kernel fingerprinting) and keyctl() (kernel keyring attack surface). Requires PR_SET_NO_NEW_PRIVS.
Source:
scorpiox/scorpiox-unshare.c
Capability Hardening
isolation
Drops CAP_IPC_LOCK from bounding set via prctl(PR_CAPBSET_DROP) to prevent mlock() abuse (pinning all physical memory). Defense-in-depth inside user namespace containers.
Source:
scorpiox/scorpiox-unshare.c
KVM Virtual Machine Isolation
isolation
Minimal KVM VM runner — boots Linux kernels with serial console using pure KVM ioctls. Hardware-level isolation for untrusted workloads. Converts .tar rootfs to cpio initramfs on the fly.
Source:
scorpiox/scorpiox-vm.c
🔒 Encryption & TLS
TLS Certificate Verification
encryption
Centralized TLS configuration for all HTTPS connections. Verifies peer certificates and hostname by default (defense-in-depth). Supports system CA store on Linux/macOS and bundled CA on Windows. Warns loudly if verification disabled.
Source:
scorpiox/libsxutil/sx_tls.h
Config Keys:
SX_TLS_VERIFY
CA Bundle Auto-Discovery
encryption
Automatic CA certificate bundle discovery — checks exe_dir/curl-ca-bundle.crt (Windows static builds), CURL_CA_BUNDLE env, or system CA store (Linux/macOS). Ensures TLS works across all platforms.
Source:
scorpiox/libsxutil/sx_platform.c
Config Keys:
CURL_CA_BUNDLE
Embedded TLS via mbedtls
encryption
Vendored mbedtls library for TLS 1.2/1.3 — no reliance on system OpenSSL. Eliminates shared library hijacking and ensures consistent cryptographic behavior across platforms.
Source:
scorpiox/vendor/mbedtls/
🔑 Authentication
TOTP/HOTP One-Time Passwords
authentication
RFC 4226 (HOTP) + RFC 6238 (TOTP) implementation with SHA-1, HMAC-SHA1, Base32 decoding. Pure C, zero external dependencies. Generates 6-digit time-based OTPs for 2FA.
Source:
scorpiox/scorpiox-otp.c
Multi-Source Token Fetching
authentication
Secure OAuth token acquisition from multiple sources: local file (~/.codex/auth.json), SSH tunnel, HTTP endpoint, TCP socket (SXV1 AUTH protocol). Supports Codex, Claude Code, and Gemini token flows.
Source:
scorpiox/scorpiox-codex-fetchtoken.c
Config Keys:
CODEX_TOKEN_SOURCE CLAUDE_CODE_TOKEN_SOURCE GEMINI_TOKEN_SOURCE GOOGLE_TOKEN_SOURCE
TCP Token Protocol (SXV1)
authentication
Custom SXV1 protocol for authenticated token fetching over TCP. Supports multi-host failover, API key authentication (SXV1 AUTH=key TYPE=claude), and backward-compatible plaintext mode.
Source:
scorpiox/libsxutil/sx_tcp_fetch.c
Config Keys:
TCP_HOST TCP_PORT TCP_API_KEY
HTTP Relay Authentication
authentication
TCP relay for HTTP requests with API key authentication (HTTP_RELAY_KEY). Enables secure proxied API access through controlled relay infrastructure.
Source:
scorpiox/libsxnet/sx_http_relay.c
Config Keys:
HTTP_RELAY HTTP_RELAY_HOST HTTP_RELAY_PORT HTTP_RELAY_KEY
🔐 Secret Management
Sensitive Key Redaction
secrets
Automatic detection and redaction of sensitive config values in logs and snapshots. Keys containing KEY, PASS, SECRET, TOKEN, or CREDENTIAL (case-insensitive) are masked as '****' in all log output.
Source:
scorpiox/libsxutil/sx_config.c
Config File Permission Enforcement
secrets
Config files containing API keys are chmod 0600 after write — only the owning user can read. Prevents accidental exposure of secrets via file permissions.
Source:
scorpiox/libsxutil/sx_config.c
Git Vault Backup
secrets
Offline git repo backup tool — exports repos as bundle/tar/zip. Uses safe fork+execvp execution (no shell injection). Supports portable, encrypted-at-rest backups of sensitive repositories.
Source:
scorpiox/scorpiox-vault-git.c
⚙️ Permission Controls
Tool Enable/Disable Controls
permissions
Every tool (Bash, ReadImage, ReadDocs, WebSearch, etc.) can be individually enabled/disabled via environment variable (TOOL_BASH=0, TOOL_READIMAGE=0, etc.). WASM builds auto-disable tools requiring fork/exec/pthread.
Source:
scorpiox/libsxutil/sx_tools.c
Config Keys:
TOOL_BASH TOOL_READIMAGE TOOL_READDOCS TOOL_WEBSEARCH TOOL_TASKMANAGER TOOL_PLANMODE TOOL_ASKUSERQUESTION TOOL_INVOKESKILL TOOL_BACKGROUNDBASH TOOL_EMITEVENT
Bash Permission Gate
permissions
When PERMISSIONS_BASH=1, all bash commands require explicit user approval via scorpiox-askuserpermission TUI. Session allowlist caches previously approved command prefixes to reduce prompts. Supports PERMISSIONS_BASH_ALLOW and PERMISSIONS_BASH_DENY patterns.
Source:
scorpiox/libsxnet/sx_agent.c
Config Keys:
PERMISSIONS_BASH PERMISSIONS_BASH_ALLOW PERMISSIONS_BASH_DENY
MCP Tool Allow/Deny Filters
permissions
Glob-pattern based allow/deny lists for MCP tools. MCP_DENY patterns are checked first (deny wins). MCP_ALLOW patterns restrict to only matching tools. MCP_TOOL_EXCLUDE removes specific tools. Per-server or wildcard (*) scoping.
Source:
scorpiox/scorpiox-mcp.c
Config Keys:
MCP_DENY MCP_ALLOW MCP_TOOL_EXCLUDE
Cascading Config with Scoped Override
permissions
Three-level config cascade: built-in defaults → exe_dir/scorpiox-env.txt (global) → CWD/.scorpiox/scorpiox-env.txt (project). Project-level config can restrict tools and permissions per-repo without affecting global settings.
Source:
scorpiox/libsxutil/sx_config.c
📋 Audit & Logging
Data Flow Tracing (Audit Log)
audit
JSON Lines trace log (.scorpiox/sessions/<guid>/trace.jsonl) recording API requests, responses, tool calls, and errors with millisecond timestamps. Supports dual-write for git worktree persistence. Ring buffer keeps last 100 entries for debug dumps.
Source:
scorpiox/libsxutil/sx_trace.c
Config Keys:
LOG_LEVEL
Session Isolation and Logging
audit
Each session gets isolated directory (.scorpiox/sessions/<id>/) with separate logs, traces, and conversation state. Auto-adds .scorpiox/sessions/ to .gitignore to prevent accidental secret commits. Supports git worktree dual-write for persistence.
Source:
scorpiox/libsxutil/sx_session.c
Process and Resource Leak Monitor
audit
Tracks forked child processes to detect resource leaks. Monitors process creation and termination to ensure no orphaned subprocesses consume resources.
Source:
scorpiox/libsxutil/sx_procmon.c
🔐 Secret Management — Reference
| Aspect | Detail |
|---|---|
| Vault | scorpiox-vault-git — portable git repo backup (bundle/tar/zip) with safe execution |
| Env Vars | API keys loaded via cascading config: built-in defaults → scorpiox-env.txt (global) → .scorpiox/scorpiox-env.txt (project) |
| Config Protection | Config files chmod 0600 after write — owner-only access |
| Never Logged | API keys (ANTHROPIC_API_KEY, OPENAI_API_KEY, GEMINI_API_KEY, TCP_API_KEY, etc.), Tokens (all *_TOKEN* config keys), Passwords (all *_PASS* config keys including SSH passwords), Secrets (all *_SECRET* config keys), Credentials (all *_CREDENTIAL* config keys) |
⚙️ Permission Controls — Reference
| Control | Detail |
|---|---|
| Tool Permissions | Each tool individually toggleable via TOOL_<NAME>=0|1. WASM auto-disables native-only tools (BackgroundBash, KillBgTask, etc.) |
| Bash Permissions | PERMISSIONS_BASH=1 enables interactive approval gate. PERMISSIONS_BASH_ALLOW/DENY patterns for prefix matching. Session allowlist caches approvals. |
| Mcp Permissions | MCP_DENY/MCP_ALLOW glob patterns (per-server or wildcard). MCP_TOOL_EXCLUDE for specific tool removal. .mcp file tool filter per-server. |
| File Access | Config files restricted to 0600. Session data auto-gitignored. Project-scoped config overrides via .scorpiox/scorpiox-env.txt. |
| Command Execution | Bash tool with configurable timeout, permission gate, and allow/deny patterns. Security-critical paths use fork+execvp (no shell interpretation). |
📝 Configuration Reference
| Key | Used By |
|---|---|
CLAUDE_CODE_TOKEN_SOURCE |
Multi-Source Token Fetching |
CODEX_TOKEN_SOURCE |
Multi-Source Token Fetching |
CURL_CA_BUNDLE |
CA Bundle Auto-Discovery |
GEMINI_TOKEN_SOURCE |
Multi-Source Token Fetching |
GOOGLE_TOKEN_SOURCE |
Multi-Source Token Fetching |
HTTP_RELAY |
HTTP Relay Authentication |
HTTP_RELAY_HOST |
HTTP Relay Authentication |
HTTP_RELAY_KEY |
HTTP Relay Authentication |
HTTP_RELAY_PORT |
HTTP Relay Authentication |
LOG_LEVEL |
Data Flow Tracing (Audit Log) |
MCP_ALLOW |
MCP Tool Allow/Deny Filters |
MCP_DENY |
MCP Tool Allow/Deny Filters |
MCP_TOOL_EXCLUDE |
MCP Tool Allow/Deny Filters |
PERMISSIONS_BASH |
Bash Permission Gate |
PERMISSIONS_BASH_ALLOW |
Bash Permission Gate |
PERMISSIONS_BASH_DENY |
Bash Permission Gate |
SX_TLS_VERIFY |
TLS Certificate Verification |
TCP_API_KEY |
TCP Token Protocol (SXV1) |
TCP_HOST |
TCP Token Protocol (SXV1) |
TCP_PORT |
TCP Token Protocol (SXV1) |
TOOL_ASKUSERQUESTION |
Tool Enable/Disable Controls |
TOOL_BACKGROUNDBASH |
Tool Enable/Disable Controls |
TOOL_BASH |
Tool Enable/Disable Controls |
TOOL_EMITEVENT |
Tool Enable/Disable Controls |
TOOL_INVOKESKILL |
Tool Enable/Disable Controls |
TOOL_PLANMODE |
Tool Enable/Disable Controls |
TOOL_READDOCS |
Tool Enable/Disable Controls |
TOOL_READIMAGE |
Tool Enable/Disable Controls |
TOOL_TASKMANAGER |
Tool Enable/Disable Controls |
TOOL_WEBSEARCH |
Tool Enable/Disable Controls |