🛡️ Security

Defense-in-depth security model — container namespace isolation, seccomp filters, TLS everywhere, secret redaction, tool permissions, and full audit logging. Zero external dependencies eliminate supply chain risk.

24 features
7 categories
30 config keys
🛡️
Container Isolation
5 features
🔐
Secret Management
3 features
🔒
Encryption & TLS
3 features
⚙️
Permission Controls
4 features
🔑
Authentication
4 features
📋
Audit & Logging
3 features

Security Model

Approach
defense in depth
Zero Dependencies
no supply chain attack surface — pure C, vendored libs only (mbedtls, yyjson, stb)
Static Binaries
no shared library hijacking — musl static builds

🛡️ Container Isolation

Container Namespace Isolation
isolation
Linux user namespace isolation via clone() with CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | CLONE_NEWUSER | CLONE_NEWNET. Rootless — no docker/podman required. pivot_root switches into new rootfs.
Source: scorpiox/scorpiox-unshare.c
Network Namespace Isolation
isolation
Network isolated by default via CLONE_NEWNET + slirp4netns for controlled outbound connectivity. Containers cannot see host network stack.
Source: scorpiox/scorpiox-unshare.c
Seccomp Syscall Filter
isolation
BPF seccomp filter blocks dangerous syscalls inside containers: personality() (prevents ASLR bypass / kernel fingerprinting) and keyctl() (kernel keyring attack surface). Requires PR_SET_NO_NEW_PRIVS.
Source: scorpiox/scorpiox-unshare.c
Capability Hardening
isolation
Drops CAP_IPC_LOCK from bounding set via prctl(PR_CAPBSET_DROP) to prevent mlock() abuse (pinning all physical memory). Defense-in-depth inside user namespace containers.
Source: scorpiox/scorpiox-unshare.c
KVM Virtual Machine Isolation
isolation
Minimal KVM VM runner — boots Linux kernels with serial console using pure KVM ioctls. Hardware-level isolation for untrusted workloads. Converts .tar rootfs to cpio initramfs on the fly.
Source: scorpiox/scorpiox-vm.c

🔒 Encryption & TLS

TLS Certificate Verification
encryption
Centralized TLS configuration for all HTTPS connections. Verifies peer certificates and hostname by default (defense-in-depth). Supports system CA store on Linux/macOS and bundled CA on Windows. Warns loudly if verification disabled.
Source: scorpiox/libsxutil/sx_tls.h
Config Keys: SX_TLS_VERIFY
CA Bundle Auto-Discovery
encryption
Automatic CA certificate bundle discovery — checks exe_dir/curl-ca-bundle.crt (Windows static builds), CURL_CA_BUNDLE env, or system CA store (Linux/macOS). Ensures TLS works across all platforms.
Source: scorpiox/libsxutil/sx_platform.c
Config Keys: CURL_CA_BUNDLE
Embedded TLS via mbedtls
encryption
Vendored mbedtls library for TLS 1.2/1.3 — no reliance on system OpenSSL. Eliminates shared library hijacking and ensures consistent cryptographic behavior across platforms.
Source: scorpiox/vendor/mbedtls/

🔑 Authentication

TOTP/HOTP One-Time Passwords
authentication
RFC 4226 (HOTP) + RFC 6238 (TOTP) implementation with SHA-1, HMAC-SHA1, Base32 decoding. Pure C, zero external dependencies. Generates 6-digit time-based OTPs for 2FA.
Source: scorpiox/scorpiox-otp.c
Multi-Source Token Fetching
authentication
Secure OAuth token acquisition from multiple sources: local file (~/.codex/auth.json), SSH tunnel, HTTP endpoint, TCP socket (SXV1 AUTH protocol). Supports Codex, Claude Code, and Gemini token flows.
Source: scorpiox/scorpiox-codex-fetchtoken.c
Config Keys: CODEX_TOKEN_SOURCE CLAUDE_CODE_TOKEN_SOURCE GEMINI_TOKEN_SOURCE GOOGLE_TOKEN_SOURCE
TCP Token Protocol (SXV1)
authentication
Custom SXV1 protocol for authenticated token fetching over TCP. Supports multi-host failover, API key authentication (SXV1 AUTH=key TYPE=claude), and backward-compatible plaintext mode.
Source: scorpiox/libsxutil/sx_tcp_fetch.c
Config Keys: TCP_HOST TCP_PORT TCP_API_KEY
HTTP Relay Authentication
authentication
TCP relay for HTTP requests with API key authentication (HTTP_RELAY_KEY). Enables secure proxied API access through controlled relay infrastructure.
Source: scorpiox/libsxnet/sx_http_relay.c
Config Keys: HTTP_RELAY HTTP_RELAY_HOST HTTP_RELAY_PORT HTTP_RELAY_KEY

🔐 Secret Management

Sensitive Key Redaction
secrets
Automatic detection and redaction of sensitive config values in logs and snapshots. Keys containing KEY, PASS, SECRET, TOKEN, or CREDENTIAL (case-insensitive) are masked as '****' in all log output.
Source: scorpiox/libsxutil/sx_config.c
Config File Permission Enforcement
secrets
Config files containing API keys are chmod 0600 after write — only the owning user can read. Prevents accidental exposure of secrets via file permissions.
Source: scorpiox/libsxutil/sx_config.c
Git Vault Backup
secrets
Offline git repo backup tool — exports repos as bundle/tar/zip. Uses safe fork+execvp execution (no shell injection). Supports portable, encrypted-at-rest backups of sensitive repositories.
Source: scorpiox/scorpiox-vault-git.c

⚙️ Permission Controls

Tool Enable/Disable Controls
permissions
Every tool (Bash, ReadImage, ReadDocs, WebSearch, etc.) can be individually enabled/disabled via environment variable (TOOL_BASH=0, TOOL_READIMAGE=0, etc.). WASM builds auto-disable tools requiring fork/exec/pthread.
Source: scorpiox/libsxutil/sx_tools.c
Config Keys: TOOL_BASH TOOL_READIMAGE TOOL_READDOCS TOOL_WEBSEARCH TOOL_TASKMANAGER TOOL_PLANMODE TOOL_ASKUSERQUESTION TOOL_INVOKESKILL TOOL_BACKGROUNDBASH TOOL_EMITEVENT
Bash Permission Gate
permissions
When PERMISSIONS_BASH=1, all bash commands require explicit user approval via scorpiox-askuserpermission TUI. Session allowlist caches previously approved command prefixes to reduce prompts. Supports PERMISSIONS_BASH_ALLOW and PERMISSIONS_BASH_DENY patterns.
Source: scorpiox/libsxnet/sx_agent.c
Config Keys: PERMISSIONS_BASH PERMISSIONS_BASH_ALLOW PERMISSIONS_BASH_DENY
MCP Tool Allow/Deny Filters
permissions
Glob-pattern based allow/deny lists for MCP tools. MCP_DENY patterns are checked first (deny wins). MCP_ALLOW patterns restrict to only matching tools. MCP_TOOL_EXCLUDE removes specific tools. Per-server or wildcard (*) scoping.
Source: scorpiox/scorpiox-mcp.c
Config Keys: MCP_DENY MCP_ALLOW MCP_TOOL_EXCLUDE
Cascading Config with Scoped Override
permissions
Three-level config cascade: built-in defaults → exe_dir/scorpiox-env.txt (global) → CWD/.scorpiox/scorpiox-env.txt (project). Project-level config can restrict tools and permissions per-repo without affecting global settings.
Source: scorpiox/libsxutil/sx_config.c

📋 Audit & Logging

Data Flow Tracing (Audit Log)
audit
JSON Lines trace log (.scorpiox/sessions/<guid>/trace.jsonl) recording API requests, responses, tool calls, and errors with millisecond timestamps. Supports dual-write for git worktree persistence. Ring buffer keeps last 100 entries for debug dumps.
Source: scorpiox/libsxutil/sx_trace.c
Config Keys: LOG_LEVEL
Session Isolation and Logging
audit
Each session gets isolated directory (.scorpiox/sessions/<id>/) with separate logs, traces, and conversation state. Auto-adds .scorpiox/sessions/ to .gitignore to prevent accidental secret commits. Supports git worktree dual-write for persistence.
Source: scorpiox/libsxutil/sx_session.c
Process and Resource Leak Monitor
audit
Tracks forked child processes to detect resource leaks. Monitors process creation and termination to ensure no orphaned subprocesses consume resources.
Source: scorpiox/libsxutil/sx_procmon.c

🔐 Secret Management — Reference

AspectDetail
Vault scorpiox-vault-git — portable git repo backup (bundle/tar/zip) with safe execution
Env Vars API keys loaded via cascading config: built-in defaults → scorpiox-env.txt (global) → .scorpiox/scorpiox-env.txt (project)
Config Protection Config files chmod 0600 after write — owner-only access
Never Logged API keys (ANTHROPIC_API_KEY, OPENAI_API_KEY, GEMINI_API_KEY, TCP_API_KEY, etc.), Tokens (all *_TOKEN* config keys), Passwords (all *_PASS* config keys including SSH passwords), Secrets (all *_SECRET* config keys), Credentials (all *_CREDENTIAL* config keys)

⚙️ Permission Controls — Reference

ControlDetail
Tool Permissions Each tool individually toggleable via TOOL_<NAME>=0|1. WASM auto-disables native-only tools (BackgroundBash, KillBgTask, etc.)
Bash Permissions PERMISSIONS_BASH=1 enables interactive approval gate. PERMISSIONS_BASH_ALLOW/DENY patterns for prefix matching. Session allowlist caches approvals.
Mcp Permissions MCP_DENY/MCP_ALLOW glob patterns (per-server or wildcard). MCP_TOOL_EXCLUDE for specific tool removal. .mcp file tool filter per-server.
File Access Config files restricted to 0600. Session data auto-gitignored. Project-scoped config overrides via .scorpiox/scorpiox-env.txt.
Command Execution Bash tool with configurable timeout, permission gate, and allow/deny patterns. Security-critical paths use fork+execvp (no shell interpretation).

📝 Configuration Reference

KeyUsed By
CLAUDE_CODE_TOKEN_SOURCE Multi-Source Token Fetching
CODEX_TOKEN_SOURCE Multi-Source Token Fetching
CURL_CA_BUNDLE CA Bundle Auto-Discovery
GEMINI_TOKEN_SOURCE Multi-Source Token Fetching
GOOGLE_TOKEN_SOURCE Multi-Source Token Fetching
HTTP_RELAY HTTP Relay Authentication
HTTP_RELAY_HOST HTTP Relay Authentication
HTTP_RELAY_KEY HTTP Relay Authentication
HTTP_RELAY_PORT HTTP Relay Authentication
LOG_LEVEL Data Flow Tracing (Audit Log)
MCP_ALLOW MCP Tool Allow/Deny Filters
MCP_DENY MCP Tool Allow/Deny Filters
MCP_TOOL_EXCLUDE MCP Tool Allow/Deny Filters
PERMISSIONS_BASH Bash Permission Gate
PERMISSIONS_BASH_ALLOW Bash Permission Gate
PERMISSIONS_BASH_DENY Bash Permission Gate
SX_TLS_VERIFY TLS Certificate Verification
TCP_API_KEY TCP Token Protocol (SXV1)
TCP_HOST TCP Token Protocol (SXV1)
TCP_PORT TCP Token Protocol (SXV1)
TOOL_ASKUSERQUESTION Tool Enable/Disable Controls
TOOL_BACKGROUNDBASH Tool Enable/Disable Controls
TOOL_BASH Tool Enable/Disable Controls
TOOL_EMITEVENT Tool Enable/Disable Controls
TOOL_INVOKESKILL Tool Enable/Disable Controls
TOOL_PLANMODE Tool Enable/Disable Controls
TOOL_READDOCS Tool Enable/Disable Controls
TOOL_READIMAGE Tool Enable/Disable Controls
TOOL_TASKMANAGER Tool Enable/Disable Controls
TOOL_WEBSEARCH Tool Enable/Disable Controls